Tag Archive for: botnet

Exploited TP-Link Vulnerability Spawns Botnet Threats


Endpoint Security, Governance & Risk Management, Internet of Things Security

Attackers Exploit Old Flaw, Hijack TP-Link Archer Routers

Botnets are searching for unpatched TP-Link Archer AX21 routers. (Image: Shutterstock)

Half a dozen different botnets are prowling the internet for TP-Link-brand Wi-Fi routers unpatched since last summer with the goal of commandeering them into joining distributed denial-of-service attacks.


Chinese router manufacturer TP-Link in June patched a command injection vulnerability in its Archer AX21 router, a residential model that retails for less than $100. Consumer-grade routers are notorious for uneven patching, either because manufacturers are slow to develop patches or because consumers don’t apply them. “Once they’re connected to the internet, they don’t care anymore about the router,” one industry CISO told Oxford University academics researching a 2023 paper.

The vulnerability, tracked as CVE-2023-1389, allows unauthenticated attackers to execute arbitrary commands through the “locale” API of the web management interface. A write request to the country form reaches the set_country handler, which passes the supplied country value to a shell without sanitizing it, so shell metacharacters in that value become commands run on the router.
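The bug class described above, shown as an added example rather than TP-Link’s firmware code: a hypothetical handler that splices the untrusted country value into a shell string, next to a hardened version that allowlists the value and executes without a shell. `echo` stands in for the real firmware command so the example runs anywhere with /bin/sh. The request URL shape in the constructed log lines (the locale form with operation=write and a country parameter) is assumed for illustration, as is the two-uppercase-letter country code format.

```python
import re
import subprocess
from urllib.parse import unquote

# Constructed model of the CVE-2023-1389 bug class (not TP-Link's code):
# the country value from a locale?form=country write is interpolated into a
# shell command. `echo` stands in for the firmware's real command.


def run_unsafe(country: str) -> str:
    """Vulnerable: untrusted input goes straight into a shell string."""
    cmd = f"echo country={country}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.strip()


# Assumption: a valid country code is exactly two uppercase ASCII letters.
COUNTRY_RE = re.compile(r"[A-Z]{2}")


def run_safe(country: str) -> str:
    """Hardened: allowlist the value, then exec in argv form (no shell)."""
    if not COUNTRY_RE.fullmatch(country):
        raise ValueError(f"rejected country value: {country!r}")
    out = subprocess.run(["echo", f"country={country}"],
                         capture_output=True, text=True)
    return out.stdout.strip()


# Constructed access-log lines (hypothetical hosts and addresses) in the shape
# a scan for this bug would take: a write to the country form with a payload.
SAMPLE_LOG = """\
203.0.113.5 - - "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=US HTTP/1.1" 200
203.0.113.9 - - "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=%24%28id%29 HTTP/1.1" 200
198.51.100.2 - - "GET /cgi-bin/luci/;stok=/locale?form=lang&operation=read HTTP/1.1" 200
"""

LOCALE_WRITE = re.compile(
    r'"GET [^"]*/locale\?form=country&operation=write&country=([^ &"]*)')


def flag_locale_writes(log_text: str) -> list[tuple[str, str]]:
    """Return (source, decoded value) for country writes that fail the allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = LOCALE_WRITE.search(line)
        if not m:
            continue
        value = unquote(m.group(1))
        if not COUNTRY_RE.fullmatch(value):
            hits.append((line.split()[0], value))
    return hits


if __name__ == "__main__":
    print(run_unsafe("US; echo INJECTED"))   # second command runs
    print(run_safe("US"))
    print(flag_locale_writes(SAMPLE_LOG))
```

The hardened path rejects anything that is not a two-letter code before it ever reaches a command, and uses the argv form so that even a value that slipped past validation would be a single argument rather than shell syntax. The log check applies the same allowlist to inbound requests, which is a cheap way to spot scanning for this bug on devices that cannot yet be patched.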

Researchers at Fortinet said Tuesday they’ve observed multiple attacks over the past month focused on exploiting the vulnerability – including botnets Moobot, Miori, the Golang-based agent “AGoent,” a Gafgyt variant and an unnamed variant of the infamous Mirai…

Source…

10-Year-Old ‘RUBYCARP’ Romanian Hacker Group Surfaces with Botnet


Apr 09, 2024 | Newsroom | Botnet / Crypto Mining


A threat group of suspected Romanian origin called RUBYCARP has been observed maintaining a long-running botnet for carrying out crypto mining, distributed denial-of-service (DDoS), and phishing attacks.

The group, believed to be active for at least 10 years, employs the botnet for financial gain, Sysdig said in a report shared with The Hacker News.

“Its primary method of operation leverages a botnet deployed using a variety of public exploits and brute-force attacks,” the cloud security firm said. “This group communicates via public and private IRC networks.”

Evidence gathered so far suggests that RUBYCARP may have crossover with another threat cluster tracked by Albanian cybersecurity firm Alphatechs under the moniker Outlaw, which has a history of conducting crypto mining and brute-force attacks and has since pivoted to phishing and spear-phishing campaigns to cast a wide net.


“These phishing emails often lure victims into revealing sensitive information, such as login credentials or financial details,” security researcher Brenton Isufi said in a report published in late December 2023.

A notable aspect of RUBYCARP’s tradecraft is the use of a malware called ShellBot (aka PerlBot) to breach target environments. It has also been observed exploiting security flaws in the Laravel Framework (e.g., CVE-2021-3129), a technique also adopted by other threat actors like AndroxGh0st.


In a sign that the attackers are broadening their initial access methods to grow the botnet, Sysdig said it discovered signs of WordPress sites being compromised using commonly used usernames and passwords.

“Once access is obtained, a backdoor is installed based on the popular Perl ShellBot,” the company said. “The victim’s server is then connected to an [Internet Relay Chat] server acting as command-and-control, and joins the larger botnet.”

The botnet is estimated to comprise over 600 hosts, with the IRC server (“chat.juicessh[.]pro”) created on May 1, 2023. It heavily relies on IRC for general communications as well as for managing its botnets and coordinating crypto mining campaigns.

Furthermore, members of the group – named…

Source…

TheMoon Botnet Facilitates Faceless To Exploit EoL Devices


Cybercriminals are exploiting end-of-life devices to carry out their malicious activities. Recently, Black Lotus Labs, the threat intelligence arm of Lumen Technologies, cast light on a looming menace: TheMoon botnet.

This insidious entity, lurking within the shadows of outdated small office/home office (SOHO) routers and IoT devices, has resurfaced in a revamped form, bolstering a cybercriminal infrastructure known as Faceless.


TheMoon Botnet Unveiled


In their pursuit of anonymity, criminal elements have coalesced around TheMoon botnet, leveraging its capabilities to fuel the operations of Faceless. TheMoon botnet, which quietly amassed over 40,000 bots across 88 countries in a mere two months, serves as the cornerstone of this proxy service, enabling malefactors to clandestinely channel malicious traffic through compromised devices.

Mark Dehus, Senior Director of Threat Intelligence at Lumen Black Lotus Labs, underscores the gravity of the situation, elucidating how these cybercriminals exploit outdated routers to orchestrate their felonious endeavors. This symbiotic relationship between TheMoon and Faceless underscores the urgency for businesses to fortify their digital perimeters. Thus, securing home routers is essential to safeguarding personal and sensitive information from cyber threats.


Illuminating the Modus Operandi


At its core, TheMoon botnet gives Faceless users a cloak of anonymity, allowing them to masquerade as legitimate entities while perpetrating cyber mischief. Because the proxy service requires no customer identification, it emboldens malicious actors to launch attacks on vulnerable devices through TheMoon and siphon valuable data.

Criminal proxies powered by TheMoon botnet pose a significant threat to cybersecurity worldwide. In the face of this burgeoning threat landscape, preemptive measures become imperative. Consumers and businesses alike must adopt a proactive stance in safeguarding their digital assets. To do this, they must:

  • Routinely reboot SOHO routers and promptly install…

Source…

Long-running RUBYCARP botnet operation examined


BleepingComputer reports that intrusions involving known security flaws and brute force tactics have been deployed by Romanian threat operation RUBYCARP for at least a decade, with the group currently operating a botnet with more than 600 breached servers.

After several months of targeting Laravel apps impacted by the remote code execution flaw tracked as CVE-2021-3129, RUBYCARP has transitioned to brute-force attacks against SSH servers to distribute a ShellBot payload that makes the server part of its botnet infrastructure, according to a report from the Sysdig Threat Research Team.
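The SSH brute-force stage described above, as an added detection example that is not from Sysdig’s or BleepingComputer’s reporting: a pass over constructed sshd auth-log lines (hypothetical hostnames, users and addresses) that groups password failures by source, flags sources that cross a threshold, and separately flags a password login from a source that had already been failing, which is the pattern a successful brute-force leaves behind. The log format is standard OpenSSH syslog output; the threshold of five is an assumption.

```python
import re
from collections import defaultdict

# Constructed sshd log lines (hypothetical host, users and addresses) showing a
# brute-force from one source that eventually succeeds, beside normal activity.
SAMPLE_AUTH_LOG = """\
Apr  9 10:00:01 web1 sshd[2101]: Failed password for root from 198.51.100.7 port 51022 ssh2
Apr  9 10:00:02 web1 sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 51030 ssh2
Apr  9 10:00:03 web1 sshd[2105]: Failed password for invalid user test from 198.51.100.7 port 51041 ssh2
Apr  9 10:00:04 web1 sshd[2107]: Failed password for root from 198.51.100.7 port 51055 ssh2
Apr  9 10:00:05 web1 sshd[2109]: Failed password for invalid user oracle from 198.51.100.7 port 51060 ssh2
Apr  9 10:00:09 web1 sshd[2111]: Accepted password for root from 198.51.100.7 port 51070 ssh2
Apr  9 10:01:00 web1 sshd[2120]: Failed password for alice from 203.0.113.4 port 40010 ssh2
Apr  9 10:01:05 web1 sshd[2122]: Accepted publickey for alice from 203.0.113.4 port 40011 ssh2
"""

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\d+\.\d+\.\d+\.\d+)")


def analyze_sshd(log_text: str, threshold: int = 5):
    """Return (brute_sources, suspicious_logins).

    brute_sources: {src: sorted usernames tried} for sources at/over threshold.
    suspicious_logins: [(src, user)] for password logins from a source that
    had already accumulated threshold failures when the login happened.
    """
    failures = defaultdict(list)   # src -> usernames that failed so far
    suspicious = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, src = m.group(1), m.group(2)
            failures[src].append(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, src = m.group(1), m.group(2), m.group(3)
            # Order matters: only a success *after* the failures is suspicious.
            if method == "password" and len(failures.get(src, [])) >= threshold:
                suspicious.append((src, user))
    brute = {src: sorted(set(users))
             for src, users in failures.items() if len(users) >= threshold}
    return brute, suspicious


if __name__ == "__main__":
    brute, logins = analyze_sshd(SAMPLE_AUTH_LOG)
    print("brute-force sources:", brute)
    print("password logins after brute-force:", logins)
```

Counting per source rather than per user catches the user-spraying pattern (root, admin, test, oracle) that automated SSH brute-forcers use, and the ordered check for a password login after the failures is the alert worth paging on, since it is the point at which a ShellBot payload could be dropped. Key-based logins are left alone; a site that disables password authentication removes this stage entirely.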

Moreover, the group has deployed the cryptocurrency miners XMRig, NanoMiner, and C2Bash on compromised hosts to mine cryptocurrency, said researchers. The findings also showed that, aside from engaging in phishing attacks involving emails spoofing European financial and logistics entities to facilitate financial data theft, RUBYCARP has also entered the business of cyber weapon development and trade.

Source…