Tag: botnet | SpinSafe

US indicts botnet operator | SC Media

April 25, 2024/in Internet Security

Moldovan botnet operator Alexander Lefterov, also known as Alipatime, Alipako, and Uptime, was indicted by the U.S. Department of Justice for his involvement in widespread attacks against U.S.-based computers, BleepingComputer reports.

Aside from leveraging malware to facilitate the exfiltration of credentials and the theft of cash from their victims through infiltrating financial, retail, and payment processing accounts, Lefterov and his co-conspirators also enabled other threat actors to target victims’ networks with ransomware and other malicious payloads by providing botnet access through a hidden virtual network computing server, according to the Justice Department.

Lefterov could be imprisoned for two to 10 years for each of the charges included in his nine-count indictment.

“Protecting Americans in cyber space is a top priority, and we will aggressively pursue anyone, no matter if they’re on U.S. soil or overseas, who believes our population is an easy target,” noted FBI Special Agent Kevin Rojek.

Source…

Androxgh0st Malware Compromises Servers Worldwide for Botnet Attack

April 21, 2024/in Computer Security

Veriti Research has discovered a surge in attacks from operators of the Androxgh0st malware family, uncovering over 600 servers compromised primarily in the U.S., India and Taiwan.

According to Veriti’s blog post, the adversary behind Androxgh0st had their C2 server exposed, which could allow for a counterstrike by revealing the impacted targets. The researchers then went on to alert the victims.

Further research revealed that Androxgh0st operators are exploiting multiple CVEs, including CVE-2021-3129 and CVE-2024-1709 to deploy a web shell on vulnerable servers, granting remote control capabilities. Moreover, evidence suggests active web shells associated with CVE-2019-2725.

Androxgh0st Malware Compromises Servers Worldwide, Building Botnets for Attacks — Image: Veriti

Androxgh0st Threat Actor Ramps Up Activity

Hackread.com has been tracking Androxgh0st operations since was first noticed in December 2022. The malware operator is known for deploying Adhublika ransomware and was previously observed communicating with an IP address associated with the Adhublika group.

Androxgh0st operators prefer exploiting Laravel applications to steal credentials for cloud-based services like AWS, SendGrid, and Twilio. They exploit vulnerabilities in Apache web servers and PHP frameworks, deploying webshells for persistence.

However. their recent focus seems to be building botnets to exploit more systems. Recently, the FBI and CISA issued a joint Cybersecurity Advisory (CSA) advisory, warning about Androxgh0st constructing a botnet to carry out credential theft and establish backdoor access.

Last year, Cado Security Ltd. revealed the details of a Python-based credential harvester and a hacking tool called Legion, linked to the AndroxGh0st malware family. Legion is designed to exploit email services for abuse.

The Way Forward

Veriti’s research goes onto show the importance of proactive exposure management and threat intelligence in cyber security. Organizations must regularly update their security measures, including patch management for known vulnerabilities, strong web shell deployment monitoring, and behavioural analysis tools to prevent breaches and protect against similar vulnerabilities.

Russian Hackers Hit…

Source…

TP-Link routers are still being bombarded with botnet and malware threats

April 20, 2024/in Internet Security

More than a year after a patch was released, hackers are still competing to compromise vulnerable TP-Link Wi-Fi routers.

A report from Fortinet claims half a dozen botnet operators are scanning for vulnerable TP-Link Archer AX21 (AX1800) routers after cybersecurity researchers discovered a high-severity unauthenticated command injection flaw in the endpoints early last year.

The vulnerability, tracked as CVE-2023-1389, was patched a few months later, in March 2023.

Working in Russia’s interest

However, a year later, in March 2024, Fortinet discovered that attempts at leveraging this flaw rose beyond 40,000 and up to 50,000 a day. Apparently, multiple groups are doing it at the same time:

“Recently, we observed multiple attacks focusing on this year-old vulnerability, spotlighting botnets like Moobot, Miori, the Golang-based agent “AGoent,” and the Gafgyt Variant”, Fortinet said in its report.

Different Mirai variants, and a botnet named “Condi” have been identified as going after TP-Link routers since the vulnerability was first disclosed.

Mirai is considered one of the largest and most disruptive botnets out there.

Hackers are always on the lookout for vulnerable, internet-connected endpoints, such as smart home devices, smart speakers, routers, computers, and similar. When they find such devices, they infect them with malware that gives them the ability to run certain commands. The most popular use case is Distributed Denial of Service (DDoS) attacks, in which the compromised machines are tasked with sending meaningless traffic towards a single entity.

Due to the sheer number of traffic requests, the entity is unable to process them all – including legitimate traffic – and crashes, hence the name – denial of service.

To make sure your endpoints are not assimilated into a malicious botnet and used in DDoS attacks, apply the latest patches and firmware updates to all internet-connected devices and make sure they’re protected with a strong password.

Via BleepingComputer