Tag Archive for: servers

‘Lucifer’ Botnet Turns Up the Heat on Apache Hadoop Servers

A threat actor is targeting organizations running Apache Hadoop and Apache Druid big data technologies with a new version of the Lucifer botnet, a known malware tool that combines cryptojacking and distributed denial of service (DDoS) capabilities.

The campaign is a departure for the botnet, and an analysis this week from Aqua Nautilus suggests that its operators are testing new infection routines as a precursor to a broader campaign.

Lucifer is self-propagating malware that researchers at Palo Alto Networks first reported in May 2020. At the time, the company described the threat as dangerous hybrid malware that an attacker could use to enable DDoS attacks, or for dropping XMRig for mining Monero cryptocurrency. Palo Alto said it had observed attackers also using Lucifer to drop the NSA’s leaked EternalBlue, EternalRomance, and DoublePulsar malware and exploits on target systems.

“Lucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms,” Palo Alto had warned at the time.

Now, it’s back and targeting Apache servers. Researchers from Aqua Nautilus, who have been monitoring the campaign, said in a blog this week that they had counted more than 3,000 unique attacks against the company’s Apache Hadoop, Apache Druid, and Apache Flink honeypots in the last month alone.

Lucifer’s 3 Unique Attack Phases

The campaign has been ongoing for at least six months, during which time the attackers have been attempting to exploit known misconfigurations and vulnerabilities in the open source platforms to deliver their payload.

The campaign so far has comprised three distinct phases, which the researchers said is likely an indication that the adversary is testing defense evasion techniques before a full-scale attack.

“The campaign began targeting our honeypots in July,” says Nitzan Yaakov, security data analyst at Aqua Nautilus. “During our investigation, we observed the attacker updating techniques and methods to achieve the main goal of the attack — mining cryptocurrency.”

During the first stage of the new campaign, Aqua researchers observed the attackers scanning the Internet for…


Meris Botnet Sets Record with Massive DDoS Attacks Across Global Servers

In a startling display of cyber force, the Meris botnet has successfully executed the largest DDoS (Distributed Denial of Service) attacks in history this summer, targeting a wide range of countries including the United States, Russia, New Zealand, and the United Kingdom. This malicious network, comprising over 250,000 devices, overwhelmed some of the most robust servers worldwide, marking a significant moment in cyber warfare.

Research conducted by the Russian search engine Yandex, alongside insights from DDoS mitigation service Qrator Labs, has unveiled that Meris is a new breed of botnet. Its capacity to generate an unprecedented 21.8 million requests per second (RPS) during an attack on Yandex on September 5 highlights its potential to cripple almost any infrastructure, including highly resilient networks.

Unprecedented Scale and Impact

The Meris botnet’s capability to launch attacks of such magnitude lies in its unique focus on the number of requests per second, a method that sets it apart from traditional DDoS attacks, which generally aim to saturate servers with massive amounts of data. This strategy has enabled Meris to take down significant infrastructure, as evidenced by the disruption caused to major organizations in New Zealand, including banks such as ANZ and Kiwibank, NZ Post, MetService, and even the New Zealand Police.

Technical Sophistication

Unlike typical ‘Internet of Things’ (IoT) devices often associated with botnets, the devices commandeered by Meris are high-performance and likely connected via Ethernet, contributing to the botnet’s formidable power. This revelation, coupled with the attackers’ technique of rotating devices to avoid revealing their full capacity, complicates efforts to mitigate the botnet’s impact.

Global Response and Mitigation

The emergence of Meris has prompted a global response, with entities like Cloudflare and Yandex at the forefront of efforts to counteract the botnet’s attacks. The record-breaking assault on Yandex, which surpassed previous incidents attributed to the Mirai botnet, underscores the escalating challenge of safeguarding digital infrastructure against such sophisticated…


Update ConnectWise ScreenConnect Servers Or Take Offline As Ransomware Is Deployed

‘It’s odd because now our work has shifted to not getting ahead of the vulnerability and understanding it and sharing the intel, it’s watching the internet burn and trying to respond and remediate the best we can. We’re watching the world burn,’ says John Hammond, principal security researcher at threat hunting firm Huntress.

The Cybersecurity and Infrastructure Security Agency (CISA) issued a notice Thursday that ConnectWise partners and end customers should pull the cord on all on-prem ScreenConnect servers if they cannot update to the latest version, amid the ConnectWise ScreenConnect vulnerabilities that were reported earlier this week.

And exploits are already being seen in the wild.

“We’re seeing such a variety of different attempts,” John Hammond, principal security researcher at threat hunting firm Huntress, told CRN. “So many different threat actors are just taking advantage of these golden hours of exploitation.”

In a 30-page report released Friday, Ellicott City, Maryland-based Huntress said it has detected and evicted active adversaries leveraging ScreenConnect access for post-exploitation. Payloads being deployed include ransomware, cryptocurrency coin miners, Cobalt Strike and additional remote access tooling.

One company, UnitedHealth Group’s Change Healthcare, was experiencing slowdowns at pharmacies due to a strain of LockBit malware related to ScreenConnect vulnerabilities, according to a report on SC Magazine.

In an 8-K filing with the U.S. Securities and Exchange Commission on Wednesday, UnitedHealth Group, the parent company of Change Healthcare, “identified a suspected nation-state associated cyber security threat actor had gained access to some of the Change Healthcare information technology system.”

“During the disruption, certain networks and transactional services may not be accessible,” the filing stated.



Ukrainian hackers take out hundreds of Russian space research servers and supercomputers

The cyber warfare between Russia and Ukraine continues, with hackers from the latter launching an attack that destroyed the database and infrastructure of Russia’s Far Eastern Research Center of Space Hydrometeorology, “Planeta”.

According to Ukraine’s military intelligence agency, the attack destroyed two petabytes of data and 280 servers. A digital array valued at US$10 million was also lost, and the research centre’s supercomputers were disabled beyond repair through the destruction of their software.

“One such computing device together with software costs US$350,000. In the conditions of strict sanctions against Russia, it is impossible to get such software again,” wrote Ukrainian Defence.

The data included satellite and meteorological data used by the Roscosmos space agency, the Russian Defence and emergency situations ministries, and other government departments.

Adding salt to the wound, air conditioning, emergency power, and humidification systems were also disabled.

“In total, dozens of strategic companies of the Russian Federation, which work on ‘defense’ and play a key role in supporting Russian occupation troops, will remain without critically important information and services for a long time,” the agency added.

“Glory to Ukraine!”

The attack is the latest in a series between Ukraine and Russia, with the latter recently disabling Ukraine’s largest telco, Kyivstar.

The attack, which occurred in December last year, resulted in service outages the telco originally said were the fault of a technical failure, before confirming a cyber attack.

The attack left Kyivstar’s customer base of over 25 million, more than half the country’s population, without mobile and home internet services.

A day after the incident, the attack was claimed by Russian hackers from the Solntsepek group, which said it had wiped thousands of servers and 10,000 computers.

“We, the Solntsepek hackers, take full responsibility for the cyber attack on Kyivstar. We destroyed 10 thousand computers, more than 4 thousand servers, all cloud storage and backup systems,” said the group on Telegram.

“We attacked Kyivstar because the…
