New Botnet ‘Goldoon’ Targets D-Link Devices


FortiGuard Labs Identifies Botnet Exploiting Decade-Old D-Link Vulnerability

D-Link DIR-645 routers such as this one are being used in a new botnet. (Image: D-Link)

Hackers are taking advantage of D-Link home routers left unpatched for a decade and turning them into a newly formed botnet researchers dubbed “Goldoon.”


Researchers at FortiGuard Labs identified the botnet in April and discovered that the hackers assembling it are exploiting a 2015 vulnerability, tracked as CVE-2015-2051, in the D-Link DIR-645 model, which first retailed in 2011. The remote code execution flaw was patched in 2015.

The vulnerability allows attackers to execute arbitrary commands remotely via the proprietary Home Network Administration Protocol. Attackers send an HTTP request carrying a malicious command. HNAP is a SOAP-based protocol that Cisco acquired in 2008; D-Link used it to connect routers to a setup wizard. A 2015 analysis by a hacker found that the HNAP web server skipped authentication checks when parsing an HTTP request whose header contained GetDeviceSettings, allowing command injection.
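As an added illustration (not from the article or FortiGuard's report), the following detection logic flags HNAP requests of the kind described above: a GetDeviceSettings action whose header carries a trailing payload with shell metacharacters. It assumes the action name travels in the standard SOAPAction header, as SOAP over HTTP normally does; the request samples are constructed and use a placeholder in place of any real command.

```python
import re
from dataclasses import dataclass
from typing import Optional, List, Dict

@dataclass
class HttpRequest:
    """Minimal view of one request as a web-server or proxy log would record it."""
    method: str
    path: str
    soap_action: Optional[str]  # value of the SOAPAction header, if present (assumed framing)

# A legitimate GetDeviceSettings call ends at the action name (optionally a trailing slash
# or closing quote). The vulnerable firmware handed anything after the name to a shell,
# so a non-empty tail is the signal, and shell metacharacters in it raise the severity.
ACTION_RE = re.compile(r"GetDeviceSettings(?P<tail>.*)$")
SHELL_META = re.compile(r"[`;|&$(){}<>\n]")

def classify(req: HttpRequest) -> str:
    """Return 'ignore' (not HNAP), 'benign', 'suspicious' or 'alert' for one request."""
    if not req.path.upper().startswith("/HNAP1"):
        return "ignore"
    if req.soap_action is None:
        return "benign"            # HNAP without an action header: nothing to inject into
    match = ACTION_RE.search(req.soap_action)
    if match is None:
        return "benign"            # some other HNAP action; the unauthenticated path is GetDeviceSettings
    tail = match.group("tail").strip('"/ ')
    if tail == "":
        return "benign"            # ordinary GetDeviceSettings call
    if SHELL_META.search(tail):
        return "alert"             # action name followed by shell syntax: injection attempt
    return "suspicious"            # unexpected trailing data, worth a look but not conclusive

def summarize(requests: List[HttpRequest]) -> Dict[str, int]:
    """Count verdicts over a batch of requests, e.g. one log rotation."""
    counts: Dict[str, int] = {"ignore": 0, "benign": 0, "suspicious": 0, "alert": 0}
    for req in requests:
        counts[classify(req)] += 1
    return counts

# Constructed samples: a normal setup-wizard call, an injection attempt with a placeholder
# in place of any command, and an unrelated page fetch.
SAMPLES = [
    HttpRequest("POST", "/HNAP1/", '"http://example.invalid/HNAP1/GetDeviceSettings"'),
    HttpRequest("POST", "/HNAP1/", '"http://example.invalid/HNAP1/GetDeviceSettings/`PLACEHOLDER_CMD`"'),
    HttpRequest("GET", "/index.html", None),
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(f"{req.method} {req.path} -> {classify(req)}")
    print(summarize(SAMPLES))
```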

Inconsistent application of patches in consumer-grade routers is a well-known issue that often stems from manufacturer delays in developing updates or consumer neglect in installing them. A U.S. 2018 study based on internet scans of 186 routers says that 83% of sampled routers…

Source…

Can you use a password manager for internet banking?


Recently, there was a discussion thread on LinkedIn suggesting you can’t use a password manager for internet banking. Why exactly wasn’t quite clear, but it seemed to be an interpretation of “memorising” the passphrase versus writing it down.

This seemed odd, as password managers are everywhere, from web browsers to standalone apps, and built into operating systems. Security researchers recommend using password managers, and to be honest, with the ever-growing number of logins for services and apps, how could anyone survive without one? 

Furthermore, how would a bank know that you’re using a password manager?

It is an important point to clarify though, so I asked ASB. A spokesperson for the bank sent this response:

Under ASB’s Terms and Conditions, our customers must take responsibility for and protect their personal information and Security Credentials, such as PINs, log-in and password details. 

Security Credentials should remain confidential to each customer, should be memorised, and must not be written down or disclosed to anyone else. If a customer suspects their Security Credentials have been disclosed to another person, this must be reported as soon as the customer is aware or suspects the information has been compromised.

CERT NZ recommends using a password manager to keep data safe and protect passwords. We are supportive of using reputable password managers that encrypt data, alongside the other safety measures outlined by CERT NZ.

That’s common sense from both ASB and the government Computer Emergency Response Team (CERT).

If your bank grinds its gears over password manager use, it’s a sign they haven’t kept up with the times and should rethink their opposition to a tool that can enhance customer security.

How do password managers enhance security then? Any sensible service provider will set a password policy for access that requires a reasonably complex “Open Sesame” phrase that’s difficult to guess, or crack as information security pros call it. If they don’t, go somewhere else.

Now, if you want to make it harder for miscreants to guess your password, take a look at the below table:

As a related aside, a properly configured access system will slam…

Source…

REvil Affiliate Off to Jail for Ransomware Scheme


Ukrainian national Yaroslav Vasinskyi, an affiliate of the REvil ransomware-as-a-service group, was sentenced to more than 13 years in prison after pleading guilty to an 11-count indictment.

The charges against Vasinskyi, also known as Rabotnik, involved conspiracy to commit fraud, conspiracy to commit money laundering, and damage to protected computers. According to court documents, he conducted thousands of ransomware attacks using the Sodinokibi/REvil ransomware variants.

“Yaroslav Vasinskyi and his co-conspirators hacked into thousands of computers around the world and encrypted them with ransomware,” said Principal Deputy Assistant Attorney General Nicole M. Argentieri, head of the Justice Department’s Criminal Division. “Then they demanded over $700 million in ransom payments and threatened to publicly disclose victims’ data if they refused to pay.”

Alongside his sentencing, Vasinskyi has been ordered to pay roughly $16 million in restitution for the role he played in over 2,500 ransomware attacks — a fraction of the $700 million in ransom payments that was demanded of his victims.

Source…

Ukraine records increase in financially motivated attacks by Russian hackers


Ukraine’s government is reporting an increase in financially motivated cyberattacks conducted by previously unidentified hackers associated with Russia. 

According to a recent report, these groups have grown more active in Ukrainian networks in the latter half of 2023, causing a shift in the ongoing cyberwar previously dominated by well-known Kremlin-supported hacker groups like Sandworm and Armageddon.

“The emergence of new actors suggests a deliberate strategy by Russia to diversify its cyberwarfare arsenal,” said Yevheniia Volivnyk, chief of Ukraine’s computer emergency response team (CERT-UA). “These groups may possess unique skill sets or specialize in specific operational objectives.”

The operations’ origins and participants are still unclear, according to Volivnyk, but previous experience and victimology suggest that they are also affiliated with the Russian “military machine” or are informally funded and coordinated by the Russian state command center.

Ukrainian cyber researchers said that these new groups distinguished themselves by using well-thought-out phishing attacks. The main goal is to distribute malicious remote-access software, such as RemcosRAT and RemoteUtilities, or data theft programs, including LummaStealer and MeduzaStealer.

During the period that CERT-UA analyzed, nearly 40 percent of reported incidents were related to financial theft. 

For example, from August to September, the group tracked as UAC-0006 attempted to steal tens of millions of hryvnias ($1 = about 40 Ukrainian hryvnias) from Ukrainian financial institutions and government organizations. This threat actor, mostly known for using Smokeloader malware in its attacks, is responsible for nearly 200 incidents targeting Ukraine in the second half of 2023, according to CERT-UA.

Better targeting 

The CERT-UA report covers all Russia-linked cyber activity for the second half of 2023. Overall, the number of incidents against Ukraine has been growing steadily over the past two years, and hackers are getting better at targeting, according to the agency.

They exploit the latest vulnerabilities and align their attacks with trending events and news to “increase the attention…

Source…