Tag Archive for: botnet

TheMoon Botnet Facilitates Faceless To Exploit EoL Devices

/in


In a digital landscape fraught with threats, vigilance is paramount. The cybercriminals are exploiting End-of-Life devices to perpetrate their malicious activities. Recently, Black Lotus Labs, the formidable threat intelligence arm of Lumen Technologies, has cast light upon a looming menace: TheMoon botnet

This insidious entity, lurking within the shadows of outdated small office/home office (SOHO) routers and IoT devices, has resurfaced in a revamped form, bolstering a cybercriminal infrastructure known as Faceless.

 

TheMoon Botnet Unveiled


In their relentless pursuit of cyber anonymity, criminal elements have coalesced around the MoonBotnet cyber threat, leveraging its capabilities to fuel the nefarious operations of Faceless. TheMoon botnet, quietly amassing over 40,000 bots across 88 countries in a mere two months, serves as the cornerstone of this proxy service, enabling malefactors to clandestinely channel malicious traffic through compromised devices.

Mark Dehus, Senior Director of Threat Intelligence at Lumen Black Lotus Labs, underscores the gravity of the situation, elucidating how these cybercriminals exploit outdated routers to orchestrate their felonious endeavors. This symbiotic relationship between TheMoon and Faceless underscores the urgency for businesses to fortify their digital perimeters. Thus, securing home routers is essential to safeguarding personal and sensitive information from cyber threats.

 

Illuminating the Modus Operandi


At its core, TheMoon botnet empowers Faceless users with the cloak of anonymity, allowing them to masquerade as legitimate entities while perpetrating cyber mischief. This anonymity, devoid of any customer identification requirements, emboldens malicious actors to orchestrate TheMoon botnet attacks on vulnerable devices, siphoning valuable data with reckless abandon.

Criminal proxies powered by TheMoon botnet pose a significant threat to cybersecurity worldwide. In the face of this burgeoning threat landscape, preemptive measures become imperative. Consumers and businesses alike must adopt a proactive stance in safeguarding their digital assets. To do this, they must:

  • Routinely reboot SOHO routers and promptly install…

Source…

Long-running RUBYCARP botnet operation examined

/in


BleepingComputer reports that intrusions involving known security flaws and brute force tactics have been deployed by Romanian threat operation RUBYCARP for at least a decade, with the group currently operating a botnet with more than 600 breached servers.

After several months of targeting Laravel apps impacted by the remote code execution flaw, tracked as CVE-2021-3129, RUBYCARP has transitioned to brute-force attacks against SSH servers to distribute a shellbot payload that would make the server a part of its botnet infrastructure, according to a report from the Sysdig Threat Research Team.

Moreover, cryptocurrency miners XMRig, NanoMiner, and C2Bash have been used by the threat group to exfiltrate cryptocurrency assets, said researchers. The findings also showed that aside from engaging in phishing attacks involving emails spoofing European financial and logistics entities to facilitate financial data theft, RUBYCARP has also entered the business of cyber weapon development and trade.

Source…

TheMoon Botnet Resurfaces, Exploiting EoL Devices to Power Criminal Proxy

/in


Mar 29, 2024NewsroomNetwork Security / IoT Security

TheMoon Botnet

A botnet previously considered to be rendered inert has been observed enslaving end-of-life (EoL) small home/small office (SOHO) routers and IoT devices to fuel a criminal proxy service called Faceless.

TheMoon, which emerged in 2014, has been operating quietly while growing to over 40,000 bots from 88 countries in January and February of 2024,” the Black Lotus Labs team at Lumen Technologies said.

Faceless, detailed by security journalist Brian Krebs in April 2023, is a malicious residential proxy service that’s offered its anonymity services to other threat actors for a negligible fee that costs less than a dollar per day.

Cybersecurity

In doing so, it allows the customers to route their malicious traffic through tens of thousands of compromised systems advertised on the service, effectively concealing their true origins.

The Faceless-backed infrastructure has been assessed to be used by operators of malware such as SolarMarker and IcedID to connect to their command-and-control (C2) servers to obfuscate their IP addresses.

That being said, a majority of the bots are used for password spraying and/or data exfiltration, primarily targeting the financial sector, with more than 80% of the infected hosts located in the U.S.

Lumen said it first observed the malicious activity in late 2023, the goal being to breach EoL SOHO routers and IoT devices and deploy an updated version of TheMoon, and ultimately enroll the botnet into Faceless.

TheMoon Botnet

The attacks entail dropping a loader that’s responsible for fetching an ELF executable from a C2 server. This includes a worm module that spreads itself to other vulnerable servers and another file called “.sox” that’s used to proxy traffic from the bot to the internet on behalf of a user.

In addition, the malware configures iptables rules to drop incoming TCP traffic on ports 8080 and 80 and allow traffic from three different IP ranges. It also attempts to contact an NTP server from a list of legitimate NTP servers in a likely effort to determine if the infected device has internet connectivity and it is not being run in a sandbox.

Cybersecurity

The targeting of EoL appliances to fabricate the botnet is no…

Source…

Research reveals a resurfaced botnet targeting end-of-life devices

/in


Research from the Black Lotus Labs team at Lumen Technologies has identified multi-year efforts to target end-of-life (EoL) and IoT devices. Small home and small office routers are a particular target of this campaign, which is associated with an updated version of malware known as TheMoon.

“As we’ve expanded the types of devices that have operating systems in them, we haven’t kept up with the lessons learned from desktop and server computing, namely that automatic updates are the norm. This problem is exacerbated by consumers using devices for much longer periods of time than manufacturers want,” says John Bambenek, President at Bambenek Consulting. “By using security updates as leverage for buying new products, the net result is infected devices that are used in cybercrime. Criminals have all the time in the world to be patient, they are already netting a strong cash flow and there are more infectable devices than they have time to exploit.”

TheMoon emerged in 2014 and has been operating quietly ever since. Between January and February of 2024, it has grown to more than 40,000 bots across 88 countries. Many of these bots are deployed as the foundation of a cybercriminal-focused proxy service called Faceless. 

Faceless is a malicious service, offering anonymity services to cybercriminals for a negligible price. Malicious actors utilizing Faceless services can divert their traffic to hide their origins. 

Jason Soroko, the Senior Vice President of Product at Sectigo, says, “Routers and other networking equipment that use passwords have been easy victims to pray and spray attacks for years. It is unfortunate that stronger forms of authentication are not common. What’s new here is the usage of proxy networks for C2 traffic obfuscation.  It shows that de-anonymizing Tor and VPN traffic is not only happening, but has been successfully used against attackers.”

Source…