Tag Archive for: botnet

That home router botnet the Feds took down? Moscow’s probably going to try again • The Register

/in


Authorities from eleven nations have delivered a sequel to the January takedown of a botnet run by Russia on compromised Ubiquiti Edge OS routers – in the form of a warning that Russia may try again, so owners of the devices should take precautions.

Revealed in February, the takedown was led by US authorities and at the time was said to have “disabled” a campaign staged by Russia’s GRU military intelligence unit. The crew cracked the SOHO routers and infected them with malware named Moobot – a variant of the infamous Mirai malware.

Moobot allowed GRU and its minions to install and run scripts to build a 1,000-strong botnet, which it used for power phishing, spying, credential harvesting, and data theft.

Given the triumphant tone of the takedown announcement, Ubiquiti users may have felt they were no longer at risk.

But on Tuesday the FBI issued a joint advisory [PDF] on behalf of the US, Belgium, Brazil, France, Germany, Latvia, Lithuania, Norway, Poland, South Korea, and the United Kingdom. The document urges Ubiquiti owners to get patching.

“Owners of relevant devices should take the remedial actions described below to ensure the long-term success of the disruption effort and to identify and remediate any similar compromises,” the document cautions.

Those actions are:

  • Perform a hardware factory reset;
  • Upgrade to the latest firmware version;
  • Change any default usernames and passwords;
  • Implement strategic firewall rules on WAN-side interfaces.

The advisory also offers more detail on how GRU – specifically 85th Main Special Service Center (GTsSS), also known as APT28, Fancy Bear, and Forest Blizzard (Strontium) – went about its dirty deeds.

At the time of the takedown, US authorities remarked that this botnet differed from past GRU efforts in that it used off-the-shelf malware. The advisory reveals that APT28 also wrote its own package for this heist.

Called MASEPIE, the malware was directed by the Ubiquiti-based botnet and is described as “a small Python backdoor capable of executing arbitrary commands on victim machines.”

“Data sent to and from the EdgeRouters was encrypted using a randomly generated 16-character AES key,” the advisory…

Source…

Five Government-Provided Botnet and Malware Cleaning Tools

/in


The Indian Computer Emergency Response Team (CERT-In) recently celebrated “Cyber Swachhta Pakhwada” and as a part of this, the government issued an advisory for all users to keep their digital devices bot free.

The government operates ‘Cyber Swachhta Kendra’ (CSK) by CERT-In aims to create a secure cyberspace by “detecting botnet infections in India and to notify, enable cleaning and securing systems of end users so as to prevent further infections.”

What are botsBots are automated rogue software programs designed with malicious intent and are used to undertake harmful actions on the internet, such as data theft, spreading malware and initiating cyberattacks, among others.

“The ‘Cyber Swachhta Kendra’ (Botnet Cleaning and Malware Analysis Centre) is set up in accordance with the objectives of the ‘National Cyber Security Policy’, which envisages creating a secure cyber ecosystem in the country,” the CSK website says.

Apart from working in close coordination and collaboration with internet service providers and antivirus companies, the site also provides tools to users to secure their systems/devices. Here are the five tools that users can download to clean their devices.

Free bot removal tool for AndroideScan Antivirus: The antivirus company eScan Antivirus is providing the Smartphone Safety Toolkit. It can be downloaded from Google Play Store.

C-DAC Hyderabad: C-DAC Hyderabad has developed M-Kavach 2 with the support of MeitY. C-DAC Hyderabad is providing the Android Mobile Security Application. It can be downloaded from Google Play Store.

Expand

Free bot removal tool for Microsoft WindowseScan Antivirus eScanAV: The antivirus company eScan Antivirus is providing the free bot removal Tool.

K7 Security: it is an antivirus software

Quick Heal: This bot removal tool is provided by antivirus company Quick Heal

Source…

U.S. Government Disrupts Botnet People’s Republic Of China Used To Conceal Hacking Of Critical Infrastructure

/in


FBI News:

A December 2023 court-authorized operation has disrupted a botnet of hundreds of U.S.-based small office/home office (SOHO) routers hijacked by People’s Republic of China (PRC) state-sponsored hackers.

The hackers, known to the private sector as “Volt Typhoon”, used privately-owned SOHO routers infected with the “KV Botnet” malware to conceal the PRC origin of further hacking activities directed against U.S. and other foreign victims.

These further hacking activities included a campaign targeting critical infrastructure organizations in the United States and elsewhere that was the subject of a May 2023 FBI, National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA), and foreign partner advisory.

The same activity has been the subject of private sector partner advisories in May and December 2023, as well as an additional secure by design alert released recently by CISA.

The vast majority of routers that comprised the KV Botnet were Cisco and NetGear routers that were vulnerable because they had reached “end of life” status; that is, they were no longer supported through their manufacturer’s security patches or other software updates. The court-authorized operation deleted the KV Botnet malware from the routers and took additional steps to sever their connection to the botnet, such as blocking communications with other devices used to control the botnet.

“The Justice Department has disrupted a PRC-backed hacking group that attempted to target America’s critical infrastructure utilizing a botnet,” Attorney General Merrick B. Garland said. “The United States will continue to dismantle malicious cyber operations – including those sponsored by foreign governments – that undermine the security of the American people.”

“In wiping out the KV Botnet from hundreds of routers nationwide, the Department of Justice is using all its tools to disrupt national security threats – in real time,” Deputy Attorney General Lisa O. Monaco said.  “Today’s announcement also highlights our critical partnership with the private sector – victim reporting is key to fighting cybercrime, from home offices to our most critical…

Source…

U.S. Wages Cyber War on Russian Military Botnet

/in


The United States and its allies have struck a significant blow to a Russian military botnet network whose targets included numerous government and military entities and corporations.

A January 2024 court-authorized operation effectively neutralized a network of hundreds of small office/home office (SOHO) routers that the Armed Forces of the Russian Federation (GRU) Military Unit 26165 used to conceal and enable a variety of cybercrimes, according to a U.S. Department of Justice Office of Public Affairs news release. The GRU unit is also known as APT 28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit.

The GRU’s cybercrimes included vast spearphishing and similar credential harvesting campaigns against targets of interest to the Russian government, the Justice Department said.

Federal Bureau of Investigation (FBI) Director Christopher Wray spoke at the Munich Security Conference this week where he announced the impact of Operation Dying Ember on the Russian cyber operation.

“Operation Dying Ember, where working with our U.S. — and, again, worldwide law enforcement partners — we ran a court-authorized technical operation to kick the Russian GRU off well over a thousand home and small business routers and lock the door behind them, killing the GRU’s access to a botnet it was piggybacking to run cyber operations against countries around the world, including America and its allies in Europe,” Wray said.

He continued, “With these operations, and many more like them, we’ve set our sights on all the elements that we know from experience make criminal organizations tick: their people — a term we define broadly to include not just ransomware administrators and affiliates, but their facilitators, like bulletproof hosters and money launderers; their infrastructure; their servers, botnets, etc.; and their money, the cryptocurrency wallets they use to stash their ill-gotten gains, hire associates and lease infrastructure.

“Because we don’t just want to hit them — we want to hit them everywhere it hurts, and put them down, hard.”

Cyber Experts Weigh In

Tom Kellermann, senior vice president of Cyber Strategy at Contrast Security, who partners with MSSPs,…

Source…