Category Archives: botnet

Radware Blog: Top 6 Threat Discoveries of 2018

Over the course of 2018, Radware’s Emergency Response Team (ERT) identified several cyberattacks and security threats across the globe. Below is a round-up of our top discoveries from the past year. For more detailed information on each attack, please visit DDoS Warriors. DemonBot Radware’s Threat Research Center has been monitoring and tracking a malicious agent […]

The post Top 6 Threat Discoveries of 2018 appeared first on Radware Blog.

McAfee Blogs: Ghosts of Botnet’s Past, Present, and Future

‘Twas the morning of October 21st, and all through the house many IoT devices were stirring, including a connected mouse. Of course, this wasn’t the night before Christmas, but rather the morning of the 2016 DDoS attack on the DNS provider Dyn, which left major websites unreachable for much of the US East Coast for several hours. The root of the attack: a botnet of unsecured IoT devices enslaved by the Mirai malware. And though this attack made history back in 2016, botnet attacks and the abuse of vulnerable IoT devices have shown no signs of slowing since. To explore how these attacks have evolved over time, let’s examine the past, present, and future of botnets.

The Past

Any internet-connected device could potentially become part of a botnet. A botnet is a collection of connected devices, which could include computers, mobile devices, IoT devices, and more, that have been infected with the same malware and are thereby under the control of a single operator. The owners of these devices are typically unaware that their technology has been infected and is taking orders from the malware author.

This infection and enslavement process came to a powerful fruition on that fateful October morning, as thousands of devices infected by Mirai were turned into bots for the cybercriminals’ scheme. The attackers used this botnet army to mount one of the largest DDoS attacks in recent history against DNS provider Dyn, which temporarily knocked major sites such as Twitter, GitHub, and Etsy offline.

The Present

Now, the Dyn attack is arguably one of the most infamous in all of security history. But that doesn’t mean the attacks stopped there. Fast forward to 2018, and botnets are just as prominent, if not more so. Earlier in the year we saw Satori emerge, which borrowed code from Mirai, as well as Hide N Seek (HNS), which has grown to 24,000 bots since January 10th.

What’s more, DDoS attacks, which are largely driven by botnets, have also shown no signs of slowing this year. Just take the recent WordPress attack for example, in which a botnet of over 20,000 compromised WordPress sites was used to attack other sites across the web.

The Future

Botnets don’t just have a past and present; they likely have a future as well. Cybercriminals favor the potency of this ‘infect and enslave’ tactic, so much so that they are trying to spread it far and wide. According to one report, you can even rent an IoT botnet: one dark web advertisement offered a 50,000-device botnet for a two-week period, to conduct one-hour attacks, at a rate of $3,000 to $4,000.

The good news is — the cybersecurity industry is preparing for the future of botnet attacks as well. In fact, we’ve engineered technology designed to fight back against the nature of insecure IoT devices — such as our Secure Home Platform solution.

However, many botnet infections can be prevented by users themselves if they follow strong security practices from the start. This means changing the default password on any new IoT device you get, keeping all software and firmware up to date, using a firewall and watching for unusual network behavior, and running comprehensive security software so that all of your computers and devices have protection.

If users everywhere implement the right processes and products from the start, botnet attacks may eventually become a thing of the past, and won’t ever be part of the present again.

To learn more about IoT device security and our approach to it, be sure to follow us at @McAfee and @McAfee_Home.

The post Ghosts of Botnet’s Past, Present, and Future appeared first on McAfee Blogs.

Attackers increasingly exploiting vulnerabilities to enlarge their IoT botnets

Attackers looking to add IoT devices to their botnets are increasingly adding vulnerability exploitation to their arsenal, Netscout researchers warn. Instead of relying only on lists of common or default passwords and brute-force attacks, they are taking advantage of the fact that IoT devices are rarely updated and that manufacturers take a long time to push out fixes for known flaws. Currently under exploitation: in November 2018, the company detected many exploitation attempts … More

The post Attackers increasingly exploiting vulnerabilities to enlarge their IoT botnets appeared first on Help Net Security.

Can advancing cybersecurity techniques keep pace with new attack vectors in 2019?

A look back through a volatile 2018 has seen the cyber security landscape move towards an even more complex picture. This has been driven by the increased volume and diversity of threats and breaches, tools and network evolution. Security professionals have faced significant challenges in attack detection and mitigation, operating to the necessary policy and legal guidelines and growing teams with suitably-skilled personnel. None of these advances show any signs of slowing in 2019. However, … More

The post Can advancing cybersecurity techniques keep pace with new attack vectors in 2019? appeared first on Help Net Security.

November 2018: Most wanted malware exposed

Check Point has published its latest Global Threat Index for November 2018. The index reveals that the Emotet botnet has entered the top 10 after researchers saw it spread through several campaigns, including a Thanksgiving-themed one. This involved sending malspam emails in the guise of Thanksgiving cards, with subjects such as “happy Thanksgiving day wishes”, “Thanksgiving wishes” and “the Thanksgiving day congratulation!” These emails contained malicious attachments, often with file names related … More

The post November 2018: Most wanted malware exposed appeared first on Help Net Security.

WordPress botnet composed of +20k installs targets other sites

Experts from security firm Wordfence discovered a botnet of 20,000 WordPress sites infecting other WordPress installs.

Experts from security firm Wordfence uncovered a botnet composed of over 20,000 WordPress sites that is being used to compromise other websites running on the popular CMS and recruit them into the botnet.

“The threat actors (hackers) use a group of four command and control (C2) servers to send requests to over 14,000 proxy servers provided by a Russian proxy provider called best-proxies[.]ru.” reads the analysis published by WordFence.

“They use these proxies to anonymize the C2 traffic. The requests pass through the proxy servers and are sent to over 20,000 infected WordPress sites. Those sites are running an attack script which attacks targeted WordPress sites.”

The botnet is used to carry out brute force attacks against other WordPress sites; according to Wordfence’s Defiant Threat Intelligence team, it has already generated over 5 million authentication requests. The bots attempt XML-RPC authentication against other WordPress sites in order to gain access to privileged accounts.

The XML-RPC interface lets users post content to a WordPress site remotely, for example from the WordPress mobile apps and other clients. It is exposed at the xmlrpc.php file in the root directory of a WordPress install.

Unfortunately, the XML-RPC interface does not rate-limit the authentication attempts a client can submit, a gift for brute-force attackers.

A close look at the malicious infrastructure allowed the experts to discover that the hackers use four command and control servers that issue commands to the bots through proxy servers at the Russian best-proxies[.]ru service. The experts identified over 14,000 proxy servers used by the botmaster to anonymize the traffic.

Once a WordPress site is compromised it will start carrying out brute force attacks against the XML-RPC interface of other websites. 

“We also noted that the User-Agent strings associated with these requests matched those used by applications commonly seen interacting with the XML-RPC interface, like wp-iphone and wp-android,” continues the analysis.

“Since these applications typically store credentials locally, it was unusual to see a significant amount of failed logins from them, which drew our attention. We identified over 20,000 WordPress slave sites that were attacking other WordPress sites.”

The brute force script running on each bot accepts POST input from the C2 servers; each request includes the domains to target and the word lists to use for the brute force attacks.

New wordlists can also be supplied by passing the script a URL to fetch them from.
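As an added example (my code, not Wordfence’s or WordPress’s), here is a small inspection routine of the kind a WAF or reverse proxy could run in front of xmlrpc.php. It counts credential-bearing calls per request and per source address rather than counting requests, because xmlrpc.php also accepts system.multicall, which lets a single HTTP request carry many wp.getUsersBlogs login attempts. The XmlRpcLoginGuard class, its thresholds and the sample request bodies are all constructed for this example; the method names and the multicall structure are standard WordPress XML-RPC.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# XML-RPC methods that carry a username/password and therefore double as a login
# oracle for credential guessing (wp.getUsersBlogs is the one the WordPress mobile
# apps call first, which is why bots borrow the wp-iphone / wp-android User-Agents).
AUTH_METHODS = {"wp.getUsersBlogs", "wp.getProfile", "blogger.getUsersBlogs",
                "metaWeblog.getUsersBlogs"}


def count_auth_calls(body: str) -> int:
    """Number of credential-bearing calls in one XML-RPC request body.

    A plain <methodCall> counts once. A system.multicall is unpacked and every
    nested credential-bearing call is counted, because one HTTP request can then
    carry hundreds of login attempts and defeat per-request rate limits.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return 0
    top = (root.findtext("methodName") or "").strip()
    if top in AUTH_METHODS:
        return 1
    if top != "system.multicall":
        return 0
    total = 0
    for struct in root.iter("struct"):          # one <struct> per nested call
        for member in struct.findall("member"):
            if (member.findtext("name") or "").strip() == "methodName" and \
               (member.findtext("value/string") or "").strip() in AUTH_METHODS:
                total += 1
    return total


class XmlRpcLoginGuard:
    """Decides whether a request to xmlrpc.php looks like credential guessing.

    Hypothetical middleware written for this example, not part of WordPress or
    Wordfence. A single request carrying more than `per_request` credential-bearing
    calls is blocked outright; a source that exceeds `per_source` calls in the
    observed window is blocked as well.
    """

    def __init__(self, per_request: int = 1, per_source: int = 20):
        self.per_request = per_request
        self.per_source = per_source
        self.seen = defaultdict(int)            # src_ip -> credential-bearing calls

    def inspect(self, src_ip: str, method: str, path: str, body: str) -> str:
        if method != "POST" or not path.endswith("/xmlrpc.php"):
            return "allow"
        n = count_auth_calls(body)
        if n == 0:
            return "allow"                      # pingbacks, content posts, etc.
        self.seen[src_ip] += n
        if n > self.per_request:
            return "block:multicall"
        if self.seen[src_ip] > self.per_source:
            return "block:rate"
        return "allow"


# --- constructed sample traffic (not captured from the real botnet) ---------------

def single_login_body(user: str, password: str) -> str:
    return ("<?xml version=\"1.0\"?><methodCall><methodName>wp.getUsersBlogs</methodName>"
            "<params><param><value><string>%s</string></value></param>"
            "<param><value><string>%s</string></value></param></params></methodCall>"
            % (user, password))


def multicall_login_body(guesses) -> str:
    calls = "".join(
        "<value><struct>"
        "<member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>"
        "<member><name>params</name><value><array><data>"
        "<value><string>%s</string></value><value><string>%s</string></value>"
        "</data></array></value></member></struct></value>" % (u, p)
        for u, p in guesses)
    return ("<?xml version=\"1.0\"?><methodCall><methodName>system.multicall</methodName>"
            "<params><param><value><array><data>" + calls +
            "</data></array></value></param></params></methodCall>")


def simulate() -> dict:
    """Run three constructed scenarios through the guard and return the verdicts."""
    guard = XmlRpcLoginGuard(per_request=1, per_source=20)
    # 1. A phone app logging in once: allowed.
    app = guard.inspect("198.51.100.7", "POST", "/xmlrpc.php",
                        single_login_body("editor", "correct horse"))
    # 2. One request bundling five guesses in system.multicall: blocked immediately.
    bundle = guard.inspect("203.0.113.5", "POST", "/xmlrpc.php",
                           multicall_login_body([("admin", "p%d" % i) for i in range(5)]))
    # 3. Twenty-one single-guess requests from one proxy address: the 21st trips the limit.
    verdicts = [guard.inspect("203.0.113.9", "POST", "/xmlrpc.php",
                              single_login_body("admin", "g%d" % i)) for i in range(21)]
    return {"app": app, "bundle": bundle, "rate_first_block": verdicts.index("block:rate")}


if __name__ == "__main__":
    print(simulate())
```

The User-Agent strings Wordfence mentions (wp-iphone, wp-android) are a useful hunting pivot in access logs but are trivially forged, so the guard keys on what the request does rather than on what it claims to be. If a site does not need XML-RPC at all, disabling it, or blocking POSTs to xmlrpc.php at the web server, removes the attack surface entirely.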

Wordfence reported its discovery to the authorities and is helping them to dismantle the WordPress botnet.

Pierluigi Paganini

(Security Affairs –WordPress Botnet, hacking)

The post WordPress botnet composed of +20k installs targets other sites appeared first on Security Affairs.

Hackers conducting botnet attacks through 20k hacked WordPress sites

By Uzair Amir

A newly published research from Defiant, a WordPress security firm, reveals that there is a botnet hunting for WordPress sites using over 20,000 already compromised WordPress sites. As the new sites are infected, these automatically become part of the bot army and start acting on the directions of the attackers to perform tasks like brute […]

This is a post from HackRead.com Read the original post: Hackers conducting botnet attacks through 20k hacked WordPress sites

From attacking IoT devices to Linux servers. Mirai is back!

One of the downsides of the inexorable march towards a highly connected society is the fact that cybersecurity risks are growing exponentially. As the number of Internet connected devices increases, so does the number of things that we are able to do digitally. But it also means that there is more risk of someone being able to access the information stored on our devices and harm us in some way, especially in a business environment.

In this sense, the Internet of Things (IoT) is one of the most recent targets for cyberattackers. This is for two reasons: firstly, because it is still in the early stages of being adopted by companies and users, and so fascination with these services may be overriding cybersecurity implementation. Secondly, because this exponential opening up of points of entry to information is turning every connected device into another trophy in the cybercriminals’ cabinets.

Until recently the IoT had a powerful enemy: Mirai, a botnet that remotely controlled connected devices and could carry out distributed denial of service (DDoS) attacks, like the one seen in 2016 on Dyn, the DNS provider used by Twitter, Amazon and Netflix, among many other platforms.

Mirai, going after Linux

We all believed that Mirai’s reach was limited to IoT devices. But it seems that its range of possibilities is much wider than could have been imagined. According to The Register, cybercriminals are beginning to turn Mirai toward a new front: Linux servers.

It all seems to begin with Hadoop YARN, the resource manager and scheduler of the open source Hadoop framework used to store and process immense amounts of data. According to the Netscout experts who analyzed the matter, a YARN ResourceManager whose REST API is reachable without authentication lets anyone submit an application to the cluster, and with it run commands of their choosing on the cluster’s nodes, so an attacker can install malware on the servers and reach the data they hold.

How do these attacks work? Mirai bots scan the internet indiscriminately and at large scale, with one clear objective: installing the malware on every device they can access. And though it seems to be a relatively small group of attackers, the experts note that running Mirai on x86 Linux servers is much simpler than on Internet of Things devices, which span many different CPU architectures. This means these attacks have a potential that leads us to believe we could see an increase in this kind of attack in the short to medium term.

And this is no trifling matter: according to Pascal Geenens of Radware, the Hadoop YARN flaw is drawing around 350,000 attempted attacks every day. This means that both companies’ and private users’ cybersecurity may be seriously at risk.
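As an added example (my code, not Netscout’s, Radware’s or Panda’s), the following script audits Hadoop core-site.xml and yarn-site.xml for the settings that decide whether a YARN ResourceManager will accept application submissions from anonymous callers. The property names and defaults are Hadoop’s own; the two sample configurations are constructed for this example and do not come from any real cluster.

```python
import xml.etree.ElementTree as ET

# Settings (real Hadoop/YARN property names) that decide whether a caller must
# authenticate before the ResourceManager accepts an application, and the
# default each takes when no configuration file mentions it.
DEFAULTS = {
    "hadoop.security.authentication": "simple",
    "hadoop.http.authentication.type": "simple",
    "hadoop.http.authentication.simple.anonymous.allowed": "true",
    "yarn.acl.enable": "false",
    "yarn.resourcemanager.bind-host": "",
}

REQUIRED = [
    ("hadoop.security.authentication", "kerberos",
     "RPC callers are trusted on their word (simple mode); switch to kerberos"),
    ("hadoop.http.authentication.type", "kerberos",
     "the web UI and REST API (port 8088) accept unauthenticated HTTP"),
    ("hadoop.http.authentication.simple.anonymous.allowed", "false",
     "anonymous HTTP callers are permitted, so anyone reaching 8088 can POST to /ws/v1/cluster/apps"),
    ("yarn.acl.enable", "true",
     "YARN ACLs are off, so any caller may submit and kill applications"),
]


def load_hadoop_config(*xml_texts: str) -> dict:
    """Merge one or more Hadoop-style <configuration> files into a name -> value map.
    Later files win, mirroring how yarn-site.xml overrides core-site.xml."""
    props = {}
    for text in xml_texts:
        root = ET.fromstring(text)
        for prop in root.findall("property"):
            name = (prop.findtext("name") or "").strip()
            if name:
                props[name] = (prop.findtext("value") or "").strip()
    return props


def audit_yarn_exposure(props: dict) -> list:
    """Return human-readable findings; an empty list means the checked settings are hardened."""
    findings = []
    for name, wanted, why in REQUIRED:
        actual = props.get(name, DEFAULTS[name]).lower()
        if actual != wanted:
            findings.append("%s=%s: %s" % (name, actual, why))
    bind = props.get("yarn.resourcemanager.bind-host", DEFAULTS["yarn.resourcemanager.bind-host"])
    if bind == "0.0.0.0":
        findings.append("yarn.resourcemanager.bind-host=0.0.0.0: ResourceManager listens on every "
                        "interface; bind it to the cluster network or firewall 8088/8032 from the internet")
    return findings


# Constructed sample files for this example (not from any real cluster).
WEAK_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn1:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
</configuration>"""

WEAK_YARN_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>yarn.resourcemanager.hostname</name><value>rm1</value></property>
  <property><name>yarn.resourcemanager.bind-host</name><value>0.0.0.0</value></property>
  <property><name>yarn.acl.enable</name><value>false</value></property>
</configuration>"""

HARDENED_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.simple.anonymous.allowed</name><value>false</value></property>
</configuration>"""

HARDENED_YARN_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>yarn.resourcemanager.bind-host</name><value>10.20.0.5</value></property>
  <property><name>yarn.acl.enable</name><value>true</value></property>
  <property><name>yarn.admin.acl</name><value>hadoop</value></property>
</configuration>"""


if __name__ == "__main__":
    for label, files in (("weak", (WEAK_CORE_SITE, WEAK_YARN_SITE)),
                         ("hardened", (HARDENED_CORE_SITE, HARDENED_YARN_SITE))):
        print(label, audit_yarn_exposure(load_hadoop_config(*files)) or ["no findings"])
```

The config audit is necessary but not sufficient: a cluster can be fully Kerberized and still have port 8088 open to the internet, so pair it with an external check that the ResourceManager ports (8088 for HTTP and 8032 for RPC) are not reachable from untrusted networks.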

How to protect yourself against Mirai?

To avoid being fodder for these cyberattacks, companies must be aware of the dangers that they face, and put into place (or update) the defense strategies needed to avoid or mitigate damage.

1.- Cyber-resilience. We repeat this point quite often, but it is vital: a lack of cyber-resilience is one of the worst enemies of corporate cybersecurity. In a world that is constantly in motion, the strategies used by cybercriminals are always growing, becoming more sophisticated, and changing parameters, so every company must be up to speed with the new trends that are being used.

2.- Monitoring. The best way to avoid danger is to know what is happening in the company’s IT structure at every moment. Companies must therefore select technology solutions that perform this task. In this sense, Panda Adaptive Defense automatically monitors all processes that are running on the system, in real time. This means that it is capable of detecting anomalous situations and thus predicting cyberattacks before their definitive arrival, in order to stop them completely.

3.- Reaction protocol. At times, some companies can’t help being affected by the arrival of a cyberattack. In that case, if this moment comes, they must have an urgent action protocol in place that firstly closes all possible points of entry while the focus of the infection is located, and then totally removes the malware from the system to avoid intrusions or leaking of confidential data.

Combining these three actions is the best way to combat Mirai, both in the version that targets IoT devices and in the new form that it has adopted to attack Linux servers.

The post From attacking IoT devices to Linux servers. Mirai is back! appeared first on Panda Security Mediacenter.

Security Affairs: ETERNALSILENCE – 270K+ devices vulnerable to UPnProxy Botnet build using NSA hacking tools

Over 270,000 connected devices run vulnerable implementations of UPnP, threat actors are attempting to recruit them in a multi-purpose botnet.

In April, Akamai reported that threat actors had compromised 65,000 home routers by exploiting vulnerabilities in Universal Plug and Play (UPnP); the experts tracked the botnet as UPnProxy. Now the company has provided an update to its initial analysis revealing a disconcerting scenario: UPnProxy is still up and running.

The UPnP protocol is widely deployed even though many implementations are known to be flawed. In early 2013, researchers at Rapid7 published a whitepaper entitled “Security Flaws in Universal Plug and Play” that evaluated the global exposure of UPnP-enabled network devices.

The report found that over 23 million IPs running the Portable UPnP SDK were vulnerable to remote code execution through a single UDP packet, and that over 6,900 product versions from over 1,500 vendors were exposed through UPnP because they presented the UPnP SOAP service to the internet.

By abusing the protocol, attackers can control traffic into and out of a network: UPnP allows the automated negotiation and configuration of port opening and forwarding inside a NATed networking environment.

The malicious botnet uncovered by Akamai is composed of vulnerable routers into which attackers have injected malicious NAT entries that turn the routers into proxies; for this reason, the experts called the injected devices UPnProxy.

Experts recommend that users install router updates and patched firmware to mitigate the threat. According to Akamai, many UPnP vulnerabilities remain unpatched: out of a pool of 3.5 million potentially vulnerable routers, 277,000 were still open to UPnProxy, and 45,000 had been compromised.

“In Akamai’s previous research, we highlighted the possibility that attackers could leverage UPnProxy to exploit systems living behind the compromised router. Unfortunately, data from this recent batch of injections suggests this is exactly what’s happening.” Akamai notes

“For home users, these attacks can lead to a number of complications, such as degraded service, malware infections, ransomware, and fraud. But for business users, these recent developments could mean systems that were never supposed to exist on the internet in the first place, could now be living there unknowingly, greatly increasing their chances of being compromised. Even more concerning, the services being exposed by this particular campaign have a history of exploitation related to crippling worms and ransomware campaigns targeting both Windows and Linux platforms.”

The latest campaign observed by Akamai, tracked as EternalSilence, is targeting millions of machines living behind the vulnerable routers by leveraging the EternalBlue (CVE-2017-0144, SMBv1 on Windows) and EternalRed (CVE-2017-7494, Samba) exploits.

“Taking current disclosures and events into account, Akamai researchers believe that someone is attempting to compromise millions of machines living behind the vulnerable routers by leveraging the EternalBlue and EternalRed exploits.” continues Akamai.

“Unfortunately, Akamai researchers are not able to see what happens after the injections have occurred; they can only see the injections themselves and not the final payloads that would be directed at the machines exposed. However, a successful attack could yield a target rich environment, opening up the chance for such things as ransomware attacks, or a persistent foothold on the network.”

Experts observed millions of successful injections that expose systems running SMB services (TCP ports 139 and 445) behind the routers to the internet; Akamai researchers speculate that the attackers are leveraging the Eternal family of exploits from the NSA arsenal.

Hackers hijacked some 45,113 routers that expose a total of 1.7 million unique machines to the attackers.

“Additionally, there is no way to tell if EternalBlue or EternalRed was used to successfully compromise the exposed machine. However, if only a fraction of the potentially exposed systems were successfully compromised and fell into the hands of the attackers, the situation would quickly turn from bad to worse,” states Akamai.

According to the experts, the attackers are being opportunistic: they are either scanning the Internet for SSDP and pivoting to the TCP UPnP daemons, or targeting a set of devices that use static ports (TCP/2048) and paths (/etc/linuxigd/gatedesc.xml) for their UPnP daemons.
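As an added example (my code, not Akamai’s), here is how to check a router from the LAN side for the injected NAT entries the article describes. It walks the IGD’s port-mapping table with the standard WANIPConnection GetGenericPortMappingEntry action and flags entries whose internal client is not a LAN address (the router is forwarding to an internet host, i.e. acting as a proxy) or that expose SMB ports 139/445 on a LAN host. The fetch callable that POSTs to the service control URL is left to the caller and is an assumption of this example; the sample responses are constructed, not captured from a compromised device.

```python
import ipaddress
import xml.etree.ElementTree as ET

WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
SMB_PORTS = {139, 445}
LAN = ipaddress.ip_network("192.168.1.0/24")    # assumed LAN range for the sample audit


def build_get_mapping_request(index: int) -> tuple:
    """SOAP request that asks an IGD for port-mapping table entry `index`.
    Returns (headers, body) for an HTTP POST to the WANIPConnection control URL."""
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        '<u:GetGenericPortMappingEntry xmlns:u="%s">'
        '<NewPortMappingIndex>%d</NewPortMappingIndex>'
        '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>' % (WANIP, index)
    )
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": '"%s#GetGenericPortMappingEntry"' % WANIP}
    return headers, body


def parse_mapping_response(xml_text: str):
    """Return the mapping fields as a dict, or None for a SOAP fault
    (error 713 SpecifiedArrayIndexInvalid marks the end of the table)."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if el.tag.endswith("GetGenericPortMappingEntryResponse"):
            return {child.tag: (child.text or "").strip() for child in el}
    return None


def classify_mapping(m: dict, lan: ipaddress.IPv4Network) -> list:
    """Reasons this mapping matches the UPnProxy / EternalSilence pattern."""
    reasons = []
    if m.get("NewEnabled", "1") == "0":
        return reasons
    client = ipaddress.ip_address(m["NewInternalClient"])
    port = int(m["NewInternalPort"])
    if client not in lan:
        reasons.append("forwards to %s, which is not on the LAN: the router is acting as a proxy" % client)
    elif port in SMB_PORTS:
        reasons.append("exposes SMB on LAN host %s (port %d) to the internet" % (client, port))
    return reasons


def audit_port_mappings(fetch, lan: ipaddress.IPv4Network, limit: int = 256) -> list:
    """Walk the mapping table with `fetch(index) -> response XML` (caller-supplied;
    it would POST build_get_mapping_request(index) to the control URL) and return
    (index, mapping, reasons) for every suspicious entry."""
    hits = []
    for i in range(limit):
        mapping = parse_mapping_response(fetch(i))
        if mapping is None:
            break
        reasons = classify_mapping(mapping, lan)
        if reasons:
            hits.append((i, mapping, reasons))
    return hits


# --- constructed sample responses (not captured from a real router) ----------------

def _response(ext_port, proto, int_port, client, desc):
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:GetGenericPortMappingEntryResponse xmlns:u="%s">'
        '<NewRemoteHost></NewRemoteHost><NewExternalPort>%d</NewExternalPort>'
        '<NewProtocol>%s</NewProtocol><NewInternalPort>%d</NewInternalPort>'
        '<NewInternalClient>%s</NewInternalClient><NewEnabled>1</NewEnabled>'
        '<NewPortMappingDescription>%s</NewPortMappingDescription>'
        '<NewLeaseDuration>0</NewLeaseDuration>'
        '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'
        % (WANIP, ext_port, proto, int_port, client, desc)
    )


FAULT = ('<?xml version="1.0"?>'
         '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault>'
         '<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring><detail>'
         '<UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713</errorCode>'
         '<errorDescription>SpecifiedArrayIndexInvalid</errorDescription></UPnPError>'
         '</detail></s:Fault></s:Body></s:Envelope>')

SAMPLE_TABLE = [
    _response(25565, "TCP", 25565, "192.168.1.50", "Minecraft"),   # benign game server
    _response(40000, "TCP", 80, "203.0.113.9", "proxy"),           # UPnProxy-style: internet host
    _response(47000, "TCP", 445, "192.168.1.20", "sync"),          # EternalSilence-style: SMB exposed
]


def sample_audit() -> list:
    def fetch(i):
        return SAMPLE_TABLE[i] if i < len(SAMPLE_TABLE) else FAULT
    return audit_port_mappings(fetch, LAN)


if __name__ == "__main__":
    for index, mapping, reasons in sample_audit():
        print(index, mapping["NewExternalPort"], "->", mapping["NewInternalClient"], reasons)
```

The control URL comes from the device description XML found via SSDP (or, for the devices Akamai describes, from the static TCP/2048 endpoint and /etc/linuxigd/gatedesc.xml path), and the check only needs LAN access. Any mapping the audit flags should be removed with the DeletePortMapping action, and UPnP should be disabled on the WAN side or the firmware patched, since an exposed UPnP endpoint lets the attacker add the entry again.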

“Criminals are clever, and will take any advantage they can get when it comes to exploiting systems and services. So, while it is unfortunate to see UPnProxy being actively leveraged to attack systems previously shielded behind the NAT, it was bound to happen eventually.” concludes Akamai. “That these attacks likely leverage two well-known vulnerabilities, which have been patched for some time, should come as no surprise.”

Pierluigi Paganini

(Security Affairs – UPnProxy, NSA hacking tools)

The post ETERNALSILENCE – 270K+ devices vulnerable to UPnProxy Botnet build using NSA hacking tools appeared first on Security Affairs.

The 25th anniversary of the webcam: What did it bring us?

How did the webcam progress from a simple convenience to a worldwide security concern in 25 years?

November 2018 can be marked as the 25th anniversary of the webcam. This is a bit of an arbitrary choice, but if we count the webcam installed at the University of Cambridge to keep an eye on the coffee level in a shared coffeemaker as the first one, then it has been 25 years already. And those 25 years are measured from the moment the images became viewable over the Internet. (The images had been visible on the university’s internal network for a few years before that.)

Definition of a webcam

According to Wikipedia:

A webcam is a video camera that feeds or streams its image in real time to or through a computer to a computer network.

We deviate slightly from this definition by only considering cameras that are visible on the Internet.

The first official webcam

The first camera was actually installed in the late 1980s so that employees could avoid walking all the way to the coffeemaker only to find the pot empty, but it was made visible to the Internet in November 1993. Before that, it could only be seen on the local network. For historical reasons alone, it is worth mentioning that this camera was in the “Trojan Room” of the Computer Science Department. The scientists used a digital camera with a video capture board and MSRPC2, a remote procedure call mechanism, to upload one frame per second.

The first commercial webcam

The first commercially produced webcam was the QuickCam by Connectix, which was marketed in 1994. It could only be used with an Apple Macintosh and recorded a whopping 15 frames per second. Nowadays, it’s hard to find a laptop that does not have a webcam installed. It has even reached the point where you can buy webcam covers to hide away from prying eyes.

Or use a Band-Aid

Popular usage

The webcam quickly became popular when Internet speeds rose to the level that it was possible to chat face-to-face over long distances. But there are many other legitimate and popular ways to use a webcam:

  • Child or pet monitoring: Keep an eye on your loved ones when you are elsewhere.
  • Video conferences: Join a meeting that you can’t physically attend.
  • Earth cam: Watch the scenery around the world from behind your laptop.
  • Security camera or baby monitor: Be alerted when something happens at home or in the baby’s room.
  • Porn: Sell your explicit images or video feed to earn some extra cash. (Not that we recommend it…)
  • Surveillance: Keep an eye on suspects. (This can also be combined with facial recognition.)
  • Vlogging: Share information about your life or interests online via video.

Possible future uses

Some webcam developments are underway, but not quite ready to hit the stores yet:

  • Face login: similar to using your fingerprints to log on to a device. Show your face to the webcam, and if it recognizes you, it will let you in. Same as with using fingerprint readers, I’d like the device to ask for my secret password now and then—just in case a thief looks a bit like me. Windows already has Hello Face Authentication, but it requires near infrared imaging.
  • VR-like webcams: adding an extra dimension to your webcam, 3D could make your online chats even more realistic. 3D webcams are already available, but the technology to use it in person-to-person chat isn’t available yet.

Internet of Things concerns

The Internet of Things (IoT) has been a subject of our cybersecurity-related concerns before, and we don’t expect those concerns to go away anytime soon. Webcams are among the top IoT problems because of their sheer numbers and their often weak security setup, such as easy-to-guess and hard-to-change default passwords.

If you want to be freaked out a little, here are some of the websites that let you take a peek through the eye of unprotected webcams:

Botnets

A botnet is a collection of centrally controlled devices and systems that accept commands from a remote administrator. IoT devices, including webcams, are what the most powerful current botnets are made of. The Mirai botnet, for example, has been responsible for some of the most effective DDoS attacks. Working for a central command has also made it possible for IoT botnets to be used in cryptomining.

Facial recognition

Facial recognition works by measuring distances between features on a face and comparing the resulting “faceprint” to a database. To get a dependable recognition rate, the tech must measure around 80 nodal points on the human face to create a faceprint and find a match.

Big Brother

The combination of publicly available security and surveillance cameras has brought Orwell’s vision of blanket surveillance to life. China is already using its massive network of closed-circuit television (CCTV) cameras and facial recognition technology to track its citizens. And if naming and shaming jaywalkers is the only activity they admit to, you can rest assured that it is far from the only thing that they are keeping track of.

Camfecting

Camfecting is a term used for hacking into a webcam’s data stream. Threat actors would be able to view or store the live feed from a webcam for their own purposes. An important thing to keep in mind is that if they have hacked your webcam, they are just as easily capable of turning off any warning light that would show you whether it’s active or not. The fear of camfecting is one reason for webcam covers (or post-it notes, Band-Aids, and other sticky stuff to cover the webcam’s eye). Stolen video images can lead to sextortion and other extortion practices.

Historic overview

Looking back, in 25 years we went from watching the level of supply in a coffeepot online to state surveillance capabilities where we can be found and identified in a matter of minutes. And we can’t be sure who is watching us, or what the devices we use to look at others are doing in the background. Are they sending the same images to the manufacturer? Or to some hacker? Should we be worried about those sextortion emails? Probably not, but that still leaves us with lots of other things to worry about.

Different types

Webcams come in many different types, shapes, and sizes. While they perform many useful and convenient tasks, we need to be aware of the dangers and concerns that come with using them. The ones that we should be worried about most are the ones that are connected directly to the internet. The ones that are connected to or even built into our computers and laptops are under the control of active security solutions. IoT devices, however, especially the ones that ship with no credentials or default credentials, are a major concern in the fields of privacy and cybersecurity.

Use webcams to connect with friends and family, for meetings, and to keep an eye on your inventory, but don’t allow them to be the weak link in your home or business network.

The post The 25th anniversary of the webcam: What did it bring us? appeared first on Malwarebytes Labs.

FBI & Google shut down largest-ever Ad fraud scheme ‘3VE’

By Waqas

8 suspects behind 3VE have also been identified. Last year in August, the Federal Bureau of Investigation organized a secret meet-up between cybersecurity and digital advertising experts in its Manhattan federal building. This included Google and nearly 20 tech firms while there were nearly 30 attendees at the meeting. The agenda of the meeting was to […]

This is a post from HackRead.com Read the original post: FBI & Google shut down largest-ever Ad fraud scheme ‘3VE’

Eight Individuals Indicted for Perpetrating Digital Advertising Fraud

A federal indictment charged eight individuals with perpetrating widespread digital advertising fraud that cost businesses millions of dollars. On 27 November, a federal court in Brooklyn unsealed the indictment charging Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, Dmitry Novikov, Sergey Ovsyannikov, Aleksandr Isaev and Yevgeniy Timchenko with wire fraud, aggravated identity theft and other […]

The post Eight Individuals Indicted for Perpetrating Digital Advertising Fraud appeared first on The State of Security.

L0rdix malware on dark web steals data, mines crypto & enslaves PCs as botnet

By Waqas

There’s a new hacking tool circulating in the underground Dark Web forums that let cybercriminals target Microsoft Windows computers. It has become the newest universal go-to tool to attack a Windows machine because it presents an utterly lethal combination of data stealing, cryptomining, and snooping capabilities. Discovered by Ben Hunter, a security researcher at ENSILO, […]

This is a post from HackRead.com Read the original post: L0rdix malware on dark web steals data, mines crypto & enslaves PCs as botnet

Experts found first Mirai bot targeting Linux servers via Hadoop YARN flaw

Security experts from Netscout Asert discovered more than ten Mirai bot variants attempting to exploit a recently disclosed flaw in Hadoop YARN on Intel servers.

These Mirai variants are the first that don’t target Internet of Things devices; the bot was specifically developed to target Linux servers.

The Hadoop YARN vulnerability is a command injection flaw that could be exploited by attackers to remotely execute arbitrary shell commands on a vulnerable server.

The new versions don’t implement worm-like spreading abilities; instead, threat actors leverage exploits to spread the malware.

Netscout observed tens of thousands of exploit attempts daily targeting its honeypots; in November, attackers attempted to deliver some 225 unique malicious payloads exploiting the Hadoop YARN vulnerability.

One of the variants spotted by the experts labeled itself as VPNFilter, even though it is not linked with the infamous VPNFilter bot that infected more than half a million small and home office routers in May.

“ASERT has been monitoring exploit attempts for the Hadoop YARN vulnerability in our honeypot network and found a familiar, but surprising payload – Mirai. These versions of Mirai behave much like the original but are tailored to run on Linux servers and not underpowered IoT devices.” reads the analysis published by the experts.

“Mirai botmasters that target Linux servers no longer need to tailor their malware for strange architectures, they assume their targets are using x86.”

This specific Mirai variant only delivers the x86 build of the bot because most Hadoop YARN services run on x86 Linux servers.

Other IoT Mirai variants first examine the victim device in order to deliver the proper executable (x86, x64, ARM, MIPS, ARC, etc.).

Vulnerable Linux servers are a prized target for attackers, who compromise them to carry out malicious activities with hardware resources far greater than those of IoT devices.

“The limited number of sources we’ve seen continually scanning for the Hadoop YARN vulnerability may indicate this activity is the work of a small group of attackers. Their goal is clear – to install the malware on as many devices as possible.” concluded the experts.

“Once gaining a foothold, Mirai on a Linux server behaves much like an IoT bot and begins brute-forcing telnet usernames and passwords. What’s different now is that among the small, diminutive devices in the botnet lurk fully powered Linux servers.”

Pierluigi Paganini

(Security Affairs – Mirai, Linux)

The post Experts found first Mirai bot targeting Linux servers via Hadoop YARN flaw appeared first on Security Affairs.

Beware: Zombie IoT Botnets

The ghosts and ghouls of October have come and gone, but the dangers lurking behind virtual walls have hardly disappeared. The threat of zombie bots is real, and it exists 365 days out of the year. Zombie bots, or devices that are taken over by hackers to disseminate different types of malware, viruses, or spam to other Internet-connected gadgets, are no longer limited to just home computers. As executed in the Mirai botnet attack, they’ve expanded into the world of IoT connected devices, too.

Adding to their complexity, zombie bots are not just limited to one feature or attack; they can be morphed into whatever their ‘master’ wants them to be. From logging keystrokes or searching through files to updating malware and downloading more malware onto an infected device, zombie botnets are ever-evolving.

To a hacker, zombie bots are more effective and infinitely stronger when they band together. And so one by one, cybercriminals work to spread their malware of choice to devices to form an army of zombie bots, also known as a botnet. Massive botnets are used in distributed denial of service (DDoS) attacks, which are among the most intimidating types of attacks of which zombie botnet armies are capable. DDoS attacks are growing in number and severity; one report found that they’ve increased by 29% since Q2 2017, with the average attack size having increased by 543% to 26.37 Gbps.

The increase in DDoS attacks is attributed to large-scale botnets comprised of insecure IoT devices. The adoption of IoT devices shows no signs of slowing down either. There are currently 23.14 billion IoT devices worldwide. That number is predicted to grow exponentially in just the next 7 years, to approximately 75.44 billion by 2025.

New variations of the Mirai and Gafgyt botnets exploit vulnerabilities found in IoT devices, including the security flaw that led to the massive Equifax breach of 2017. Just this past month, a botnet by the name of Chalubo was discovered by security researchers. By targeting poorly-secured IoT devices and servers, the Chalubo botnet compromises users’ devices for the purpose of executing a DDoS attack. Researchers also found that this botnet had copied a few code snippets from Mirai, demonstrating that cybercriminals have realized how effective this type of attack is.

So, why the rise in DDoS and other IoT botnet attacks? IoT devices like security cameras, smart lights, DVRs, and routers are particularly easy to remotely access because they often come with factory-set admin passwords, and many of us never change them to something more secure. Our collective accumulation of connected devices shows no sign of slowing down, and without proper security in place, they are vulnerable to attacks. And what’s particularly troubling is that more often than not, zombie botnet armies operate in the shadows, unbeknownst to their owners.

Put simply, with more IoT devices in use, the risk of botnets increases, as does the need for awareness around this very real and potentially debilitating cyberthreat. While cybercriminals continue to try and leverage our own devices against us, the best way to protect your devices is through education and security best practices:

  • Keep your security software up-to-date. Whether it’s anti-virus, anti-spyware, or overall security, always keep your security solutions up-to-date. Software and firmware patches are ever-evolving and are made to combat newly discovered vulnerabilities, so be sure to update every time you’re prompted to.
  • Change your device’s factory security settings. When it comes to products, many manufacturers don’t think “security first.” That’s to say, your device can be vulnerable as soon as you open the box. By changing the factory settings you’re instantly upping your device’s security.
  • Proceed with caution when opening emails with file attachments or hyperlinks. One of the most common ways your device can become infected is by clicking on a bad link or attachment, through phishing or click fraud attempts. As a preventative safety measure, avoid engaging with suspicious messages altogether. You can often tell if the email is a hacking attempt if there is awkward language, improper spelling, or other signs. It’s a good idea to send spam directly to the trash.
  • Set up a separate IoT network. Consider setting up a second network for your IoT devices that doesn’t share access to your other devices and data. Check your router manufacturer’s website to learn how. Or, consider getting a router with built-in security features, making it easier to protect all the devices in your home from one access point.
  • Use a firewall. A firewall is a tool that monitors traffic between an Internet connection and devices to detect unusual or suspicious behavior. Even if a device is infected, a firewall can keep a potential attacker from accessing all the other devices on the same network. When looking for a comprehensive security solution, check whether a firewall is included to ensure that your devices are protected.

Interested in learning more about IoT and mobile security trends and information? Follow @McAfee_Home on Twitter, and “Like” us on Facebook.

The post Beware: Zombie IoT Botnets appeared first on McAfee Blogs.

Historical OSINT – Malicious Economies of Scale – The Emergence of Efficient Platforms for Exploitation – 2007

Dear blog readers, it's been several years since I last posted a quality update following my 2010 disappearance. As it's been quite a significant period of time since I last posted a quality update, I feel it's about time I post a quality update by detailing the Web Malware Exploitation market segment circa 2007, prior to my visit to the GCHQ as an independent contractor with the Honeynet Project.

Historical OSINT – Massive Blackhat SEO Campaign Spotted in the Wild Serves Scareware

It's 2010 and I've recently stumbled upon a currently active and circulating malicious and fraudulent blackhat SEO campaign successfully enticing hundreds of thousands globally into interacting with a multitude of rogue and malicious software also known as scareware. In this post I'll profile the campaign, discuss in-depth the tactics, techniques and procedures of the cybercriminals behind it and

Historical OSINT – A Diversified Portfolio of Fake Security Software Spotted in the Wild

It's 2010 and I've recently stumbled upon yet another malicious and fraudulent domain portfolio serving a variety of fake security software also known as scareware potentially exposing hundreds of thousands of users to a variety of fake security software with the cybercriminals behind the campaign potentially earning fraudulent revenue largely relying on the utilization of an affiliate-network

Historical OSINT – A Diversified Portfolio of Fake Security Software

It's 2010 and I've recently stumbled upon a currently active and circulating malicious and fraudulent portfolio of fake security software also known as scareware potentially enticing hundreds of thousands of users to a multitude of malicious software with the cybercriminals behind the campaign potentially earning fraudulent revenue in the process of monetizing access to malware-infected hosts

Historical OSINT – Spamvertized Swine Flu Domains – Part Two

It's 2010 and I recently came across a currently active diverse portfolio of Swine Flu related domains further enticing users into interacting with rogue and malicious content. In this post I'll profile and expose a currently active malicious domains portfolio currently circulating in the wild successfully involved in an ongoing variety of Swine Flu malicious spam campaigns and will

Historical OSINT – Yet Another Massive Blackhat SEO Campaign Spotted in the Wild Drops Scareware

It's 2010 and I recently came across a currently active malicious and fraudulent blackhat SEO campaign successfully enticing users into interacting with rogue and fraudulent scareware-serving malicious and fraudulent campaigns. In this post I'll provide actionable intelligence on the infrastructure behind the campaign. Related malicious domains known to have participated in the campaign:

Historical OSINT – Yet Another Massive Blackhat SEO Campaign Spotted in the Wild

It's 2010 and I've recently stumbled upon yet another diverse portfolio of blackhat SEO domains this time serving rogue security software also known as scareware to unsuspecting users with the cybercriminals behind the campaign successfully earning fraudulent revenue in the process of monetizing access to malware-infected hosts largely relying on the utilization of an affiliate-network based type

Historical OSINT – Profiling a Portfolio of Active 419-Themed Scams

It's 2010 and I've recently decided to provide actionable intelligence on a variety of 419-themed scams in particular the actual malicious actors behind the campaigns with the idea to empower law enforcement and the community with the necessary data to track down and prosecute the malicious actors behind these campaigns. Related malicious and fraudulent emails known to have participated in the

Historical OSINT – Rogue Scareware Dropping Campaign Spotted in the Wild Courtesy of the Koobface Gang

It's 2010 and I recently came across a diverse portfolio of fake security software also known as scareware courtesy of the Koobface gang in what appears to be a direct connection between the gang's activities and the Russian Business Network. In this post I'll provide actionable intelligence on the infrastructure behind it and discuss in-depth the tactics, techniques and procedures of the

Historical OSINT – Massive Blackhat SEO Campaign Spotted in the Wild – Part Two

It's 2008 and I recently came across a massive black hat SEO campaign successfully enticing users into falling victim to a fraudulent and malicious scareware-serving campaign. In this post I'll provide actionable intelligence on the infrastructure behind it. Related malicious domains and redirectors known to have participated in the campaign: hxxp://msh-co.com hxxp://incubatedesign.com

Historical OSINT – Massive Blackhat SEO Campaign Spotted in the Wild

It's 2008 and I recently came across a pretty decent portfolio of rogue and fraudulent malicious scareware-serving domains successfully acquiring traffic through a variety of black hat SEO techniques, in this particular case the airplane crash of the Polish president. Related malicious domains known to have participated in the campaign: hxxp://sarahscandies.com hxxp://armadasur.com hxxp://

Historical OSINT – Malware Domains Impersonating Google

It's 2008 and I've recently stumbled upon a currently active typosquatted portfolio of malware-serving domains successfully impersonating Google further spreading malicious software to hundreds of thousands of unsuspecting users. In this post I'll provide actionable intelligence on the infrastructure behind the campaign. Related malicious domains known to have participated in the campaign:

Historical OSINT – Massive Scareware Dropping Campaign Spotted in the Wild

It's 2008 and I've recently spotted a currently circulating malicious and fraudulent scareware-serving malicious domain portfolio which I'll expose in this post with the idea to share actionable threat intelligence with the security community further exposing and undermining the cybercrime ecosystem the way we know it potentially empowering security researchers and third-party vendors with the

Historical OSINT – Latvian ISPs, Scareware, and the Koobface Gang Connection

It's 2010 and we've recently stumbled upon yet another malicious and fraudulent campaign courtesy of the Koobface gang actively serving fake security software also known as scareware to a variety of users with the majority of malicious software conveniently parked within 79.135.152.101 - AS2588, LatnetServiss-AS LATNET ISP successfully hosting a diverse portfolio of fake security software. In

Historical OSINT – Massive Blackhat SEO Campaign Courtesy of the Koobface Gang Spotted in the Wild

It's 2010 and I've recently stumbled upon yet another massive blackhat SEO campaign courtesy of the Koobface gang successfully exposing hundreds of thousands of users to a multitude of malicious software. In this post I'll provide actionable intelligence on the infrastructure behind it and discuss in depth the tactics, techniques and procedures of the cybercriminals behind it. Sample

Historical OSINT – PhishTube Twitter Broadcast Impersonated Scareware Serving Twitter Accounts Circulating

It's 2010 and I've recently intercepted a currently circulating malicious and fraudulent malware-serving spam campaign successfully enticing hundreds of thousands of users globally into interacting with the rogue and malicious software found on the compromised hosts in combination with a currently active Twitter malware-serving campaign successfully enticing users into interacting with the rogue 

Historical OSINT – Chinese Government Sites Serving Malware

It's 2008 and I'm stumbling upon yet another decent portfolio of compromised malware-serving Chinese government Web sites. In this post I'll discuss in-depth the campaign and provide actionable intelligence on the infrastructure behind it. Compromised Chinese government Web site: hxxp://nynews.gov.cn Sample malicious domains known to have participated in the campaign: hxxp://game1983.com/

Historical OSINT – Calling Zeus Home

Remember ZeuS? The infamous crimeware-in-the-middle exploitation kit? In this post I'll provide historical OSINT on various ZeuS-themed malicious and fraudulent campaigns intercepted throughout 2008 and provide actionable intelligence on the infrastructure behind the campaign. Related malicious domains known to have participated in the campaign: hxxp://myxaxa.com/z/cfg.bin hxxp://dokymentu.info/

Historical OSINT – A Diverse Portfolio of Fake Security Software

In this post I'll profile a currently circulating circa 2008 malicious and fraudulent scareware-serving campaign successfully enticing users into interacting with rogue and fraudulent fake security software with the cybercriminals behind the campaign successfully earning fraudulent revenue in the process of monetizing access to malware-infected hosts largely relying on the utilization of an

It’s no Fun Being Right All the Time

Last week, I finally got around to writing about HideMyAss, and doing a spot of speculation about how other proxy anonymizers earn their coin. Almost immediately I hit "publish" I spotted this article pop up on Zdnet. Apparently/allegedly, Hola subsidise their income by turning your machine into a part-time member of a botnet.
Normally, I really enjoy being proved right - ask my long suffering colleagues. In this case though, I'd rather the news wasn't quite so worrying. A bit of advertising, click hijacking and so forth is liveable. Malware? You can get rid... but a botnet client means you might be part of something illegal, and you'd never know the difference.

Android/FakeToken.A

OTP forwarder dumped months ago.

Login:

Statistics:

Bots:

Bot:

Passwords:

Send a command:

Commands sent:

Apps:

Apps builder:

MD5s:

App settings:

Settings:

Second panel, a bit different, looks like a 'test' one.
Statistics:

Phone:

Phone search:

Settings:

RSA Security also talked about it here