Tag: botnet | Page 4

Password-cracking botnet has taken over WordPress sites to attack using the visitor’s browser

March 10, 2024/in Internet Security

As reported by Ars Technica, cybersecurity researcher Denis Sinegubko has been monitoring ongoing website hacking activities for a long time. Now, he has identified a major pivot from crypto wallet drainers to brute-force password-cracking attacks on WordPress sites. Why is this happening, what does it mean, and what can you, as an end user, do? We’ll dive into all of the need-to-know information right away below.

First, let’s talk “Why.” Earlier in February, Sinegubko, writing for Sucuri’s blog, discussed an increase in “web3 crypto malware,” particularly malware used to inject crypto drainers into existing sites or use phishing sites for the same purpose.

These new attacks function differently, and are instead utilizing visitors’ PCs for en masse password cracking attempts. The likely reason for this divergence in approach is because it will take a very long time for the active “crypto drainers” to actually turn a profit, if they even manage to do so before getting blocked.

As Sinegubko says, “This is how thousands of visitors across hundreds of different websites unknowingly and simultaneously try to bruteforce thousands of other third-party WordPress sites. And since the requests come from the browsers of real visitors, you can imagine this is a challenge to filter and block such requests.”

While the original write-up provides the full gruesome details of the hack and how it works, the gist of what you need to know is quite simple.

Any infected WordPress site can have its visiting users (or their browsers) put to automated work on guessing author or admin passwords for other WordPress sites. Attackers are estimated to be guessing, with over 41,800 passwords for each impacted site. However, only one of the thousands of sites checked in the original Securi blog post was compromised with this method.

You don’t need to do too much as an end user to avoid this. Keep your passwords secure, and if you don’t trust the website you’re visiting, NoScript can be an essential solution to prevent these types of exploits. AdBlockers may or may not do the job as well, but NoScript is as harsh as the solutions get.

For WordPress admins and those concerned about this, verify that none of your…

Source…

Attack wrangles thousands of web users into a password-cracking botnet

March 8, 2024/in Internet Security

Attackers have transformed hundreds of hacked sites running WordPress software into command-and-control servers that force visitors’ browsers to perform password-cracking attacks.

A web search for the JavaScript that performs the attack showed it was hosted on 708 sites at the time this post went live on Ars, up from 500 two days ago. Denis Sinegubko, the researcher who spotted the campaign, said at the time that he had seen thousands of visitor computers running the script, which caused them to reach out to thousands of domains in an attempt to guess the passwords of usernames with accounts on them.

Visitors unwittingly recruited

“This is how thousands of visitors across hundreds of infected websites unknowingly and simultaneously try to bruteforce thousands of other third-party WordPress sites,” Sinegubko wrote. “And since the requests come from the browsers of real visitors, you can imagine this is a challenge to filter and block such requests.”

Like the hacked websites hosting the malicious JavaScript, all the targeted domains are running the WordPress content management system. The script—just 3 kilobits in size—reaches out to an attacker-controlled getTaskURL, which in turn provides the name of a specific user on a specific WordPress site, along with 100 common passwords. When this data is fed into the browser visiting the hacked site, it attempts to log into the targeted user account using the candidate passwords. The JavaScript operates in a loop, requesting tasks from the getTaskURL reporting the results to the completeTaskURL, and then performing the steps again and again.

A snippet of the hosted JavaScript appears below, and below that, the resulting task:

const getTaskUrl = 'hxxps://dynamic-linx[.]com/getTask.php';
const completeTaskUrl = 'hxxps://dynamic-linx[.]com/completeTask.php';
…

[871,"https://REDACTED","redacted","60","junkyard","johncena","jewish","jakejake","invincible","intern","indira","hawthorn","hawaiian","Source…

Meris Botnet Sets Record with Massive DDoS Attacks Across Global Servers

March 5, 2024/in Internet Security

In a startling display of cyber force, the Meris botnet has successfully executed the largest DDoS (Distributed Denial of Service) attacks in history this summer, targeting a wide range of countries including the United States, Russia, New Zealand, and the United Kingdom. This malicious network, comprising over 250,000 devices, overwhelmed some of the most robust servers worldwide, marking a significant moment in cyber warfare.

Research conducted by the Russian search engine Yandex, alongside insights from DDoS mitigation service Qrator Labs, has unveiled that Meris is a new breed of botnet. Its capacity to generate an unprecedented 21.8 million requests per second (RPS) during an attack on Yandex on September 5 highlights its potential to cripple almost any infrastructure, including highly resilient networks.

Unprecedented Scale and Impact

The Meris botnet’s capability to launch attacks of such magnitude lies in its unique focus on the number of requests per second, a method that sets it apart from traditional DDoS attacks which generally aim to saturate servers with massive amounts of data. This strategy has enabled Meris to take down significant infrastructures, as evidenced by the disruption caused to major companies in New Zealand, including banks like ANZ and Kiwibank, NZ Post, MetService, and even the New Zealand Police.

Technical Sophistication

Unlike typical ‘Internet of Things’ (IoT) devices often associated with botnets, the devices commandeered by Meris are high-performance and likely connected via Ethernet, contributing to the botnet’s formidable power. This revelation, coupled with the attackers’ technique of rotating devices to avoid revealing their full capacity, complicates efforts to mitigate the botnet’s impact.

Global Response and Mitigation

The emergence of Meris has prompted a global response, with entities like Cloudflare and Yandex at the forefront of efforts to counteract the botnet’s attacks. The record-breaking assault on Yandex, which surpassed previous incidents attributed to the Mirai botnet, underscores the escalating challenge of safeguarding digital infrastructure against such sophisticated…

Source…

That home router botnet the Feds took down? Moscow’s probably going to try again • The Register

March 3, 2024/in Internet Security

Authorities from eleven nations have delivered a sequel to the January takedown of a botnet run by Russia on compromised Ubiquiti Edge OS routers – in the form of a warning that Russia may try again, so owners of the devices should take precautions.

Revealed in February, the takedown was led by US authorities and at the time was said to have “disabled” a campaign staged by Russia’s GRU military intelligence unit. The crew cracked the SOHO routers and infected them with malware named Moobot – a variant of the infamous Mirai malware.

Moobot allowed GRU and its minions to install and run scripts to build a 1,000-strong botnet, which it used for power phishing, spying, credential harvesting, and data theft.

Given the triumphant tone of the takedown announcement, Ubiquiti users may have felt they were no longer at risk.

But on Tuesday the FBI issued a joint advisory [PDF] on behalf of the US, Belgium, Brazil, France, Germany, Latvia, Lithuania, Norway, Poland, South Korea, and the United Kingdom. The document urges Ubiquiti owners to get patching.

“Owners of relevant devices should take the remedial actions described below to ensure the long-term success of the disruption effort and to identify and remediate any similar compromises,” the document cautions.

Those actions are:

Perform a hardware factory reset;
Upgrade to the latest firmware version;
Change any default usernames and passwords;
Implement strategic firewall rules on WAN-side interfaces.

The advisory also offers more detail on how GRU – specifically 85th Main Special Service Center (GTsSS), also known as APT28, Fancy Bear, and Forest Blizzard (Strontium) – went about its dirty deeds.

At the time of the takedown, US authorities remarked that this botnet differed from past GRU efforts in that it used off-the-shelf malware. The advisory reveals that APT28 also wrote its own package for this heist.

Called MASEPIE, the malware was directed by the Ubiquiti-based botnet and is described as “a small Python backdoor capable of executing arbitrary commands on victim machines.”

“Data sent to and from the EdgeRouters was encrypted using a randomly generated 16-character AES key,” the advisory…

Source…

Tag Archive for: botnet

Visitors unwittingly recruited

Unprecedented Scale and Impact

Technical Sophistication

Global Response and Mitigation