
Prometei Botnet: The Persistent Threat Targeting Global Systems


The Prometei botnet, active since at least 2016, continues to pose a persistent threat worldwide by exploiting unpatched software vulnerabilities. First identified in 2020, Prometei has since infected over 10,000 systems across diverse regions, including Brazil, Indonesia, Turkey, and Germany. Its resilience stems from its focus on gaps in widely used software, particularly on systems with weak configurations, unmonitored security controls, or outdated patches. The Federal Office for Information Security in Germany has labeled it a medium-impact threat, given its extensive reach and ability to bypass security protocols. Prometei spreads in particular through unpatched or poorly configured Exchange servers.

Critical Start’s Callie Guenther highlights Prometei’s strategy of leveraging regions with inadequate cybersecurity, making it highly effective in targeting various systems regardless of location. One notable aspect is its ability to spread through legacy vulnerabilities, such as the BlueKeep flaw in Remote Desktop Protocol (RDP), which has a critical CVSS score of 9.8. By targeting these known issues, Prometei can quickly access poorly maintained systems that remain unprotected. A Prometei attack often starts with a series of network login attempts, typically originating from locations associated with known botnet infrastructure. Once access is secured, the malware tests various system weaknesses, particularly outdated vulnerabilities like BlueKeep and EternalBlue. If successful, it can propagate through Server Message Block (SMB) systems or use ProxyLogon flaws to exploit Windows environments further. 

Prometei’s use of outdated exploits could be seen as less sophisticated; however, its approach is strategic, focusing on identifying vulnerable, under-maintained systems rather than tackling those with robust security protocols. Once established on a target system, Prometei employs several techniques to maintain control and evade detection. For example, it uses a domain generation algorithm (DGA) to make its command-and-control (C2) infrastructure resilient, allowing continuous operation even if some domains are blocked. It also manipulates firewall settings so that its traffic is not obstructed, enabling it to persist even after system reboots. Among its more advanced methods is abuse of the WDigest authentication protocol, which, when enabled, keeps plaintext passwords in memory.

Prometei forces systems to store passwords in plaintext, then exfiltrates them while evading detection by configuring Windows Defender to ignore specific files. The primary goal of Prometei appears to be cryptojacking: it harnesses infected systems to mine the Monero cryptocurrency without the owners’ knowledge. Additionally, it installs an Apache web server as a web shell, creating a backdoor through which attackers can upload more malicious files or execute commands. According to Trend Micro’s Stephen Hilt, Prometei’s presence often signals deeper security concerns, as it can coexist with other malicious software, highlighting weaknesses that attackers may leverage for various purposes. Interestingly, Prometei avoids certain regions, specifically targeting systems outside former Soviet countries. Its command-and-control servers bypass exit nodes within these nations and avoid accounts tagged as “Guest” or “Other user” in Russian.
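A defender-side audit for the host changes described above (WDigest plaintext caching, Windows Defender exclusions, and firewall tampering), as an added PowerShell example that is not code from the post or from Prometei. The function name and severity labels are my own, and the firewall heuristic (built-in Windows rules carry a Group value, hand-added ones usually do not) is an assumption to review, not a rule.

```powershell
# Added audit helper, not Prometei's code and not from the post. Run in an elevated shell.
function Get-PrometeiExposureReport {
    [CmdletBinding()]
    param()
    $findings = @()

    # 1. WDigest: UseLogonCredential = 1 makes LSASS keep plaintext passwords in memory.
    #    Hardened value is 0 (or absent on Windows 8.1 / Server 2012 R2 and later).
    $wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $wdigest = Get-ItemProperty -Path $wdigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue
    if ($wdigest -and $wdigest.UseLogonCredential -eq 1) {
        $findings += [pscustomobject]@{
            Check    = 'WDigest'
            Severity = 'High'
            Detail   = "UseLogonCredential=1 at $wdigestKey (plaintext credentials cached in memory)"
            Fix      = "Set-ItemProperty -Path '$wdigestKey' -Name UseLogonCredential -Value 0 -Type DWord"
        }
    }

    # 2. Defender exclusions: every path/process/extension exclusion is a scanning blind spot; list them for review.
    $mp = Get-MpPreference -ErrorAction SilentlyContinue
    if ($mp) {
        foreach ($p in @($mp.ExclusionPath) + @($mp.ExclusionProcess) + @($mp.ExclusionExtension)) {
            if ($p) {
                $findings += [pscustomobject]@{
                    Check    = 'DefenderExclusion'
                    Severity = 'Medium'
                    Detail   = "Exclusion present: $p"
                    Fix      = 'Review; remove with Remove-MpPreference -ExclusionPath/-ExclusionProcess/-ExclusionExtension'
                }
            }
        }
    }

    # 3. Firewall: enabled inbound allow rules with no Group value (heuristic for hand-added rules).
    $rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue
    foreach ($r in @($rules | Where-Object { -not $_.Group })) {
        $findings += [pscustomobject]@{
            Check    = 'FirewallRule'
            Severity = 'Low'
            Detail   = "Ungrouped inbound allow rule: $($r.DisplayName)"
            Fix      = "Confirm ownership; Disable-NetFirewallRule -Name '$($r.Name)' if unexpected"
        }
    }
    return $findings
}

Get-PrometeiExposureReport | Format-Table -AutoSize
```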

Older versions of Prometei also included Russian-language settings, hinting at a potential connection to Russian-speaking developers. The botnet’s name, “Prometei,” references the Greek titan Prometheus, symbolizing a persistence that echoes the botnet’s own sustained presence in global cyber threats. Prometei exemplifies the persistent and evolving nature of modern botnets. Its success in exploiting well-known but unpatched vulnerabilities underscores the importance of maintaining updated security systems. For organizations worldwide, especially those with legacy systems or lax monitoring, Prometei serves as a critical reminder to reinforce defenses against cyber threats, as outdated security leaves systems vulnerable to malicious actors seeking to exploit any gap available.

FBI Takes Down Massive Global Army of Zombie Computer Devices


In a significant victory against cybercrime, an international law enforcement team has successfully dismantled the massive "911 S5" botnet, which has been operational for almost a decade. This extensive network, believed to be the largest of its kind globally, involved approximately 19 million compromised computers. As part of the operation, authorities also apprehended a Chinese national linked to the botnet. 

The huge botnet, active in over 190 countries, was rented out to hackers for various illegal activities. FBI Director Christopher Wray pointed out its global impact, mentioning it facilitated financial fraud, identity theft, and even gave access to child exploitation materials. The Department of Justice added that the botnet was involved in bomb threats and cyberattacks, causing potential losses in billions of dollars. 

It was also connected to more than 613,000 IP addresses in the US. Authorities seized internet equipment and assets and took action against YunHe Wang, believed to be the botnet's leader, and his partners, according to Wray. 

What is a Botnet Attack?

Botnets are networks of compromised computers or connected devices, infected with malware by cybercriminals, who then exploit them for malicious purposes. These devices form a "zombie army," operating without the knowledge of their owners. 

Common Botnet Attacks 

Brute Force Attack: A brute force attack is employed by cybercriminals when they lack the target's password(s). This technique involves rapidly and repeatedly guessing passwords using specialized software. The malware interacts directly with the targeted service, providing real-time feedback on password attempts. Additionally, attackers may leverage leaked credentials or personal information to enhance their guessing efforts. 

Distributed Denial of Service (DDoS) Attacks: One of the most prevalent botnet attacks is the Distributed Denial of Service (DDoS) attack. This type of attack overwhelms a service with excessive web traffic, causing it to crash and disrupting normal operations. A notable example is the 2016 Mirai botnet attack, which targeted the domain name service provider Dyn, leading to significant outages and performance issues for major websites like Twitter and SoundCloud in various regions.

Spam and Phishing Botnets: These attacks are often used to send out massive amounts of spam emails as part of phishing campaigns. These emails aim to deceive recipients into divulging sensitive information or login credentials. Phishing not only compromises individual accounts but can also help expand the botnet by infecting more devices. 

Device Bricking: These attacks involve infecting devices with malware that deletes their contents, often to cover up evidence of a primary attack. This process renders the devices completely inoperative, essentially turning them into "bricks." These attacks are typically carried out in multiple phases, ultimately leaving the affected devices useless. 

What Can You Do? 

Keep Software Updated: Regularly update system and device software, especially on lesser-used devices. Apply updates immediately upon release. 

Secure IoT Configurations: Change default login credentials and remove outdated, unused devices from the network to eliminate potential attack vectors. 

Limit Device Access: Restrict and monitor access to IoT devices. Segregate or air-gap IoT devices from critical systems to minimize attack impact. 

Enhance Authentication: Enable multi-factor authentication and limit the number of users with access to IoT devices.

FritzFrog’s Evolution: Exploiting Log4Shell Vulnerability Reveals Alarming Tactics


In a startling development, the notorious FritzFrog botnet, which first emerged in 2020, has undergone a significant transformation by exploiting the Log4Shell vulnerability. Unlike its traditional approach of focusing on internet-facing applications, this latest variant is now aggressively targeting all hosts within a victim's internal network, according to recent findings by Akamai researchers, a leading cybersecurity and content delivery network provider. 

Originally recognized for its use of brute-force attacks on SSH to compromise servers and deploy cryptominers, FritzFrog has adopted a new campaign named "Frog4Shell." This campaign leverages the Log4Shell vulnerability, a flaw in the widely used Log4j Java logging library, discovered in 2021. Despite extensive global patching efforts initiated by governments and security companies, the Log4Shell bug remains a persistent threat.

Frog4Shell represents a paradigm shift in FritzFrog's tactics. The malware now goes beyond the conventional approach of compromising high-profile internet-facing applications. Instead, it meticulously scans and reads system files on compromised hosts to identify potential targets within internal networks, particularly vulnerable Java applications. 

This evolution is particularly concerning as it exposes neglected and unpatched internal machines, exploiting a circumstance often overlooked in previous security measures. Even if organizations have patched their high-profile internet-facing applications, FritzFrog's latest variant poses a risk to the entire internal network. 

Akamai has observed over 20,000 FritzFrog attacks and identified more than 1,500 victims over the years. The malware's latest features include enhanced privilege escalation capabilities, evasion tools against cyber defences, and the potential for incorporating additional exploits in future versions.

While approximately 37% of infected nodes are located in China, the exact location of the FritzFrog operator remains to be determined. This strategic ambiguity suggests an effort to mask the true identity or origin of the threat actor. 

As FritzFrog continues to evolve and adapt, organizations are urged to prioritize comprehensive patching strategies encompassing not only internet-facing assets but also internal hosts. The ongoing threat landscape underscores the importance of staying vigilant against sophisticated botnet tactics and proactively securing networks to mitigate potential risks associated with Log4Shell and the advanced exploits employed by FritzFrog. 

Mirai Botnet Variant 'Pandora' Hijacks Android TVs


Pandora, a variant of the Mirai botnet, has been identified targeting budget-friendly Android-based television sets and TV boxes. It utilizes these devices as part of a botnet to execute distributed denial-of-service (DDoS) attacks. Mirai is a type of harmful software that goes after everyday devices like smart cameras and home routers. It takes control of them and makes them part of a group of bots that can be controlled remotely. 

Cybercriminals use these groups, known as Mirai botnets, to launch big attacks on computer systems, called DDoS attacks. What sets Mirai apart is that it mainly affects connected smart home gadgets, like routers, thermostats, baby monitors, and even fridges. It does this by targeting the common Linux operating system that many of these Internet of Things (IoT) devices run on. Mirai exploits weaknesses in these smart devices and links them together into a network of compromised devices, which is called a botnet. 

According to Doctor Web, compromises typically occur either through malicious firmware updates or when users install applications for viewing pirated video content. As an alternative distribution method, users are suspected of being lured into installing applications that promise streaming of pirated movies and TV shows.

These deceptive websites predominantly target Spanish-speaking users. The roster of apps includes Latino VOD (com.global.latinotvod), Tele Latino (com.spanish.latinomobile), UniTV (com.global.unitviptv) and YouCine TV (com.world.youcinetv). 

Upon installation, the application starts a background service named "GoMediaService." This service is then used to extract various files, including an interpreter that runs with elevated privileges and an installer for Pandora. Pandora itself is designed to contact a remote server.

It then replaces the system's hosts file with a malicious version and awaits further instructions. These instructions involve executing DDoS attacks over TCP and UDP, as well as opening a reverse shell.

The central focus of this campaign is directed towards affordable Android TV boxes, such as the Tanix TX6 TV Box, MX10 Pro 6K, and H96 MAX X3. These devices are equipped with quad-core processors sourced from Allwinner and Amlogic, rendering them well-suited for launching DDoS assaults. 

Understanding Botnet Attacks and Effective Prevention Strategies 

Botnet attacks pose a significant cybersecurity risk, with their prevalence and complexity on the rise. As reported by CSO Online, the initial half of 2022 witnessed a staggering 67 million botnet connections originating from more than 600,000 distinct IP addresses. 

Common Botnet Attacks: 

• DDoS: Overwhelm with traffic
• Credential Theft: Steal login details 
• Spam & Phishing: Mass emails for deception 
• Ad Fraud: Fake user activity 
• Crypto Mining: Hijack processing power. 

In the face of botnet attacks as a significant cybersecurity threat, organizations have an array of prevention techniques at their disposal. These include: 

• Implementing advanced antivirus and antimalware solutions, and ensuring they remain up-to-date. 

• Consistently applying software and operating system updates, along with timely bug fixes. 

• Educating staff on identifying suspicious emails and attachments, and emphasizing the importance of refraining from clicking on them. 

• Strengthening security with robust passwords and employing multi-factor authentication to deter unauthorized access. 

• Enforcing comprehensive cybersecurity training programs for employees, equipping them with the knowledge to recognize and respond to botnet attacks effectively.