Tag Archive for: boxes

Governments issue alerts after ‘sophisticated’ state-backed actor found exploiting flaws in Cisco security boxes • The Register


A previously unknown and “sophisticated” nation-state group compromised Cisco firewalls as early as November 2023 for espionage purposes — and possibly attacked network devices made by other vendors including Microsoft, according to warnings from the networking giant and three Western governments.

These cyber-spy campaigns, dubbed “ArcaneDoor” by Cisco, were first spotted in early January and revealed on Wednesday. And they targeted VPN services used by governments and critical infrastructure networks around the globe, according to a joint advisory issued by the Canadian Centre for Cyber Security (Cyber Centre), the Australian Signals Directorate’s Cyber Security Centre, and the UK’s National Cyber Security Centre (NCSC).

A Cisco spokesperson declined to comment on which country the snooping crew – tracked as UAT4356 by Talos and as STORM-1849 by Microsoft – is affiliated with. The disclosures, however, come as both Russian and China-backed hacking groups have been found burrowing into critical infrastructure systems and government agencies, with China specifically targeting Cisco gear.

The mysterious nation-state group “utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor,” according to a Talos report published today.

The attacks exploit two vulnerabilities, CVE-2024-20353 and CVE-2024-20359, in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices, and the networking giant issued fixes for both on Wednesday, plus a fix for a related flaw.

CVE-2024-20353 is a high-severity vulnerability in the management and VPN web servers for Cisco ASA and FTD devices, and could allow an unauthenticated, remote attacker to cause the machines to reload unexpectedly, resulting in a denial of service (DoS) attack. It received an 8.6 CVSS rating.

Two other flaws, CVE-2024-20359 and CVE-2024-20358, received a 6.0 CVSS score, and could allow an authenticated local attacker to execute arbitrary code with root-level privileges. Exploiting either, however, requires administrator-level privileges.

Cisco says it hasn’t yet…

Source…

‘Pandoraspear’ botnet hijacks smart TVs and boxes


Cybercrime syndicate Bigpanzi stands accused of orchestrating a massive Distributed Denial of Service (DDoS) botnet named ‘Pandoraspear’.

Pandoraspear has reportedly infected potentially millions of smart TVs and set-top boxes, with at least 170,000 bots actively running during the campaign’s peak.

The infection mechanism primarily targets Android-based smart TVs and streaming hardware, exploiting users who visit dubious streaming sites on their smartphones. Upon accessing such sites, users unwittingly download malicious apps to their Android-based smart TVs—allowing cybercriminals to backdoor the devices and use their resources for various cybercrimes.

One alarming case in December 2023 involved the hijacking of regular broadcasts in the United Arab Emirates, where imagery from the conflict between Israel and Palestine replaced the original content. Security researchers from Chinese firm Qianxin have expressed concerns about the potential for these compromised devices to broadcast violent, terroristic, or pornographic content, posing a significant threat to social order.

The botnet, named ‘Pandoraspear,’ has inherited DDoS attack vectors from the infamous Mirai malware. Qianxin’s investigation revealed that the malware added 11 different Mirai-related DDoS attack vectors to its command list, showcasing the evolving nature of cybercrime tactics.

Bigpanzi – active since at least 2015 – has concentrated its efforts primarily in Brazil, particularly in São Paulo. The scale of the botnet became apparent when researchers seized control of two of the nine domains used for the botnet’s command and control infrastructure. However, the criminals responded by launching DDoS attacks to force the domains offline.

Despite the researchers’ efforts, much remains unknown about Bigpanzi, and tracing their activities is an ongoing challenge. The cybercrime syndicate appears to have shifted its DDoS operations to another botnet—indicating a strategic shift towards more lucrative cybercrimes, such as using it as a content delivery network.

As cybersecurity experts continue their investigation into Bigpanzi,…

Source…

‘Bigpanzi’ Botnet Campaign Targets Android TVs, Set-Top Boxes


When asked about smart home devices, cybersecurity experts will generally say to be wary of them, or at least make sure they’re segmented from the home’s main network or on a VLAN. And, when asked which devices give them the most pause, they will largely agree that smart TVs are the most insecure devices that can appear on a home’s network. Now, a Chinese cybersecurity firm is confirming those suspicions and is sounding the alarm on a large botnet campaign called “Bigpanzi” that is targeting Android OS smart TVs and set-top boxes and has been active since 2015.

QiAnXin, a cybersecurity service and anti-virus software firm, says the hackers entice users to install free or cheap audiovisual apps or firmware updates that embed backdoor components, transforming those devices into part of the Bigpanzi botnet to carry out further malicious activity, such as traffic proxying, DDoS attacks, OTT content provision and pirating traffic.

Unlike a typical botnet, Bigpanzi’s activities extend far beyond DDoS attacks, using Android TVs and set-top boxes to disseminate visual or audio content.

One example was a network attack on set-top boxes in the United Arab Emirates in which attackers substituted regular broadcasts with footage of the Israel-Palestine conflict, according to QiAnXin.

“The potential for Bigpanzi-controlled TVs and STBs to broadcast violent, terroristic, or pornographic content, or to employ increasingly convincing AI-generated videos for political propaganda, poses a significant threat to social order and stability,” company researchers write in a blog.

Researchers say the hacking group, which has successfully hidden itself for eight years, infects user devices via pirated movie and TV apps on Android devices, backdoored generic OTA firmware on Android devices, and backdoored “SmartUpTool” firmware on eCos devices.

Researchers say the peak daily active bots in the campaign were around 170,000, primarily in Brazil. Nodes are primarily distributed across Brazil, amassing over 1.3 million distinct IPs since August, the company says.

While a botnet of that size is alarming enough,…

Source…

Thousands of Android TV boxes hit by dangerous new malware-dropping botnet


A group of hackers has been secretly building a botnet of Android TV and eCos set-top boxes, and then monetizing that access to earn large sums of money, researchers have warned.

Cybersecurity experts from Qianxin Xlabs dubbed the operation “Bigpanzi”, and claim there are some 170,000 daily active bots.

Source…