Hackers are Targeting Routers Across the Globe

When hackers identify an unsecured router, they compromise it and install malware that gives them persistence, the ability to launch distributed denial of service (DDoS) attacks, a place to hide malicious data, and more. But what happens when the hackers discover a router that has already been infiltrated by a rival gang?

Trend Micro cybersecurity researchers published a report that found one of two things happens: either one party lets the other use the compromised infrastructure for a fee, or each finds its own technique to break into the device and both use it simultaneously.

The researchers used Ubiquiti's EdgeRouters as an example of internet routers that were exploited concurrently by a number of hacker groups, some state-sponsored and others financially motivated.

“Cybercriminals and Advanced Persistent Threat (APT) actors share a common interest in proxy anonymization layers and Virtual Private Network (VPN) nodes to hide traces of their presence and make detection of malicious activities more difficult,” the researchers stated. “This shared interest results in malicious internet traffic blending financial and espionage motives.” 

In the case of Ubiquiti, Trend Micro analysts reported that the APT28 group leveraged the endpoints for "persistent espionage campaigns." APT28 is a Russian state-sponsored outfit also known as Fancy Bear or Pawn Storm. At the same time, they discovered a financially motivated group known as the Canadian Pharmacy Gang, which used the same infrastructure to launch pharmaceutical-related phishing campaigns. Finally, they found the Ngioweb malware being loaded directly into the RAM of these devices, which they attributed to the Ramnit group.

The main reason EdgeRouters were so often targeted was that their owners either left them completely undefended or protected them with only weak security. They do not stand out much from other routers, which are equally attractive targets: Trend Micro found that routers in general have less stringent password requirements, are rarely updated, and run on capable operating systems that can be put to a variety of uses.

Attackers Employ TeamViewer to Gain Initial Access to Networks

Organisations have long used TeamViewer to provide remote support, collaboration, and access to endpoint devices. Like other legitimate remote access tools, it is also used by attackers to gain initial access to target systems.

The most recent example is a pair of attempted ransomware deployments that Huntress researchers recently came across.

Unsuccessful ransomware deployment

The attacks that Huntress detected targeted two separate endpoint devices belonging to Huntress customers. Both incidents involved failed attempts to install what appeared to be ransomware built with a leaked builder for LockBit 3.0.

Further investigation revealed that TeamViewer was the initial point of access for the attackers to both endpoints. The logs showed that the same threat actor was responsible for both occurrences, as the attacks originated from an endpoint with the same hostname.

After gaining access via TeamViewer, the threat actor used one of the computers for roughly seven minutes; on the other, the attacker's session lasted for over ten minutes.

Huntress' report does not say how the attacker gained control of the TeamViewer instances in either incident. However, Huntress senior threat intelligence analyst Harlan Carvey notes that a few of the TeamViewer logins seem to come from outdated systems.

"The logs provide no indication of logins for several months or weeks before the threat actor's access," Carvey states. "In other instances, there are several legitimate logins, consistent with prior logins — username, workstation name, etc. — shortly before the threat actor's login."

Carvey believes the threat actor may have purchased access from an initial access broker (IAB), and that the credentials and connection information might have been stolen from other endpoints using a keylogger, infostealers, or other techniques.
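The two signals Huntress leaned on above, a remote host that appears on more than one endpoint and a login that follows a long period with no logins, can be checked mechanically. The following is an added example, not code from Huntress or TeamViewer; it assumes a simplified tab-separated log layout modelled on TeamViewer's Connections_incoming.txt (field order is an assumption, not the vendor's specification), and the log lines, hostnames and IDs are constructed.

```python
"""Flag suspicious TeamViewer incoming sessions across several endpoints."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: a simplified tab-separated layout modelled on TeamViewer's
# Connections_incoming.txt (remote ID, remote display name, start, end,
# local user, connection type). Field order and format are not the vendor's spec.
FMT = "%d-%m-%Y %H:%M:%S"
DORMANCY = timedelta(days=30)  # "no logins for weeks or months" before the intrusion

# Constructed sample logs: two victim endpoints, one unknown remote host on both.
SAMPLE_LOGS = {
    "WS-FINANCE-01": (
        "123456789\tHELPDESK-PC\t02-09-2023 09:10:00\t02-09-2023 09:40:00\tjsmith\tRemoteControl\n"
        "987654321\tDESKTOP-ATTK\t14-01-2024 03:12:00\t14-01-2024 03:19:00\tjsmith\tRemoteControl\n"
    ),
    "WS-SALES-07": (
        "123456789\tHELPDESK-PC\t12-01-2024 16:05:00\t12-01-2024 16:30:00\tmlee\tRemoteControl\n"
        "987654321\tDESKTOP-ATTK\t14-01-2024 03:30:00\t14-01-2024 03:41:00\tmlee\tRemoteControl\n"
    ),
}

def parse(text):
    """Yield (remote_name, start, end, local_user) for each non-empty log line."""
    for line in text.splitlines():
        if line.strip():
            _rid, name, start, end, user, _kind = line.split("\t")
            yield name, datetime.strptime(start, FMT), datetime.strptime(end, FMT), user

def find_suspicious(logs, known_remotes, dormancy=DORMANCY):
    """Return (findings, shared): findings lists, per endpoint, sessions from
    remote hosts not in known_remotes (noting a long quiet period before them);
    shared lists unknown remote hosts seen on more than one endpoint."""
    findings = defaultdict(list)
    endpoints_by_remote = defaultdict(set)
    for host, text in logs.items():
        last_end = None  # end of the most recent session of any kind on this endpoint
        for name, start, end, user in sorted(parse(text), key=lambda r: r[1]):
            if name not in known_remotes:
                endpoints_by_remote[name].add(host)
                gap = start - last_end if last_end else None
                reason = "new remote host"
                if gap is not None and gap > dormancy:
                    reason += f" after {gap.days} days without logins"
                findings[host].append({"remote": name, "start": start, "user": user,
                    "minutes": int((end - start).total_seconds() // 60), "reason": reason})
            last_end = end if last_end is None else max(last_end, end)
    shared = {n: sorted(h) for n, h in endpoints_by_remote.items() if len(h) > 1}
    return dict(findings), shared
```

Run with `find_suspicious(SAMPLE_LOGS, {"HELPDESK-PC"})`: the finance workstation's 7-minute session is flagged as a new remote host after 133 quiet days, the sales workstation's 11-minute session as a new remote host, and DESKTOP-ATTK is reported as shared by both endpoints.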

There have been other past instances of attackers using TeamViewer in a similar way. One was a campaign launched last May by a threat actor who installed the XMRig cryptomining software on systems after gaining initial access through the tool.

Another instance featured a data exfiltration campaign, which Huntress investigated in December. According to the incident logs, the threat actor established an initial foothold in the victim environment using TeamViewer. Much earlier, in 2020, Kaspersky reported on attacks against industrial control system setups that used remote access tools like RMS and TeamViewer for first access.