Tag Archive for: control

Over 200,000 MikroTik Routers Worldwide Are Under the Control of Botnet Malware



Vulnerable routers from MikroTik have been misused to form what cybersecurity researchers have called one of the largest botnet-as-a-service cybercrime operations seen in recent years.

According to new research published by Avast, a cryptocurrency mining campaign, the recently disrupted Glupteba botnet and the infamous TrickBot malware were all distributed using the same command-and-control (C2) server.

“The C2 server serves as a botnet-as-a-service controlling nearly 230,000 vulnerable MikroTik routers,” Avast’s senior malware researcher, Martin Hron, said in a write-up, potentially linking it to what’s now called the Mēris botnet.


The botnet is known to exploit a known vulnerability in the Winbox component of MikroTik routers (CVE-2018-14847), enabling the attackers to gain unauthenticated, remote administrative access to any affected device. Parts of the Mēris botnet were sinkholed in late September 2021.

“The CVE-2018-14847 vulnerability, which was publicized in 2018, and for which MikroTik issued a fix, allowed the cybercriminals behind this botnet to enslave all of these routers, and to presumably rent them out as a service,” Hron said.

In an attack chain observed by Avast in July 2021, vulnerable MikroTik routers were made to retrieve a first-stage payload from a domain named bestony[.]club, which was then used to fetch additional scripts from a second domain, globalmoby[.]xyz.

Interestingly enough, both domains were linked to the same IP address, 116.202.93[.]14, which led to the discovery of seven more domains actively used in attacks, one of which (tik.anyget[.]ru) was used to serve Glupteba malware samples to targeted hosts.

“When requesting the URL https://tik.anyget[.]ru I was redirected to the https://routers.rip/site/login domain (which is again hidden by the Cloudflare proxy),” Hron said. “This is a control panel for the orchestration of enslaved MikroTik routers,” with the page displaying a live counter of devices connected into the botnet.

But after details of the Mēris botnet entered the public domain in early September 2021, the C2 server is said to have abruptly stopped serving scripts before disappearing…
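The indicators the article names (the two staging domains, the Glupteba-serving domain, the shared IP and the control-panel domain) are the kind of thing a network defender wants to match against egress logs straight away. The script below is an added example, not part of Avast's research or the article: it refangs the `[.]`-defanged indicators, matches domains including their subdomains, matches the IP exactly, and reports which log lines hit. The log lines are constructed for the demo and the field layout is invented; the indicators themselves are the ones the article lists.

```python
"""Match the MikroTik botnet C2 indicators from the article against log lines.

Added example, not code from Avast or the article. SAMPLE_LOG is constructed
and its format is an assumption; the indicators are those named in the text.
"""
import ipaddress
import re

# Indicators exactly as printed in the article (defanged with [.]).
DEFANGED_IOCS = [
    "bestony[.]club",      # first-stage payload host
    "globalmoby[.]xyz",    # second-stage scripts
    "tik.anyget[.]ru",     # served Glupteba samples
    "routers.rip",         # botnet control panel (behind Cloudflare)
    "116.202.93[.]14",     # IP shared by the staging domains
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable domain or IP."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower().strip()


def split_iocs(defanged):
    """Partition indicators into a set of IP strings and a set of domains."""
    ips, domains = set(), set()
    for ioc in map(refang, defanged):
        try:
            ips.add(str(ipaddress.ip_address(ioc)))
        except ValueError:
            domains.add(ioc)
    return ips, domains


def domain_matches(name: str, domains) -> bool:
    """True if name equals an IOC domain or is a subdomain of one.

    The '.' prefix in the suffix test stops 'notbestony.club' from matching.
    """
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


# Hostname-like tokens (must end in a letters-only TLD) and dotted quads.
HOST_RE = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_line(line: str, ips, domains):
    """Return the indicators this line hits (empty list if clean)."""
    hits = [h.lower() for h in HOST_RE.findall(line) if domain_matches(h, domains)]
    hits += [ip for ip in IP_RE.findall(line) if ip in ips]
    return hits


def scan_log(lines, defanged=DEFANGED_IOCS):
    """Map 1-based line number -> indicators matched, for every line that hits."""
    ips, domains = split_iocs(defanged)
    result = {}
    for n, line in enumerate(lines, 1):
        hits = scan_line(line, ips, domains)
        if hits:
            result[n] = hits
    return result


# Constructed sample log: DNS queries, a proxy request and a connection record.
SAMPLE_LOG = [
    "2021-07-12T03:14:07Z dns query A bestony.club from 10.0.0.1",
    "2021-07-12T03:14:09Z proxy GET http://globalmoby.xyz/poll from 10.0.0.1",
    "2021-07-12T03:15:00Z dns query A updates.example.org from 10.0.0.2",
    "2021-07-12T03:16:21Z conn 10.0.0.1 -> 116.202.93.14:443",
    "2021-07-12T03:17:40Z dns query A cdn.tik.anyget.ru from 10.0.0.3",
]

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(hits)}")
```

Subdomain matching matters here because the article shows the operators moving between hosts under the same parents; exact-string matching on `tik.anyget.ru` alone would miss a query for a sibling hostname beneath it. The IP match is deliberately exact, since a shared hosting address is a weaker indicator than a domain and should not be widened to a range without further evidence.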


China claims it captured NSA’s ‘global internet control’ spy tool


A Chinese state-run publication reported on Monday that the Chinese government has captured surveillance tools developed by the U.S. National Security Agency (NSA).

On Monday, The Global Times — a tabloid published by the ruling Chinese Communist Party — claimed it received an exclusive report from China’s National Computer Virus Emergency Response Center, describing its capture of an NSA-developed Trojan virus known as “NOPEN.” The Chinese outlet claimed the NSA hacking tool was “found to have controlled global internet equipment and stole large amounts of users’ information.”

“NOPEN” is a remote-access trojan for Unix/Linux systems. Once installed, it lets an operator reach the compromised machine remotely and, from there, steal files, move on to other systems, redirect network traffic or view a target’s communications. It is reportedly known both for the breadth of control it offers and for its ability to remain concealed on the systems it infects.

While the Chinese outlet emphasized the exclusivity of its new reporting, the software was actually leaked about six years ago.

“NOPEN” was among several hacking tools contained in leaks published by a hacker group known as the Shadow Brokers in the summer of 2016. The Shadow Brokers published hacking tools purportedly belonging to another hacking group known as the Equation Group. The Equation Group has been suspected of being connected to an NSA cyber-warfare and intelligence outfit, called the Tailored Access Operations unit.

Global Times’ new reporting that the Chinese government obtained the “NOPEN” hacking tool is not the first time China has been suspected of copying NSA hacking tools. More than a year earlier, the cybersecurity firm Check Point Research published a report alleging that the Chinese government had obtained another Equation Group tool, known as “EpMe,” and replicated it for its own use. The report alleged that a suspected Chinese hacking group used an “EpMe” replica known as “Jian” against a U.S. target as early as 2013, three years before the Shadow Brokers published the first set of Equation Group hacking tools.

Global Times said the NSA used…


Steps Criminals Take To Assume Control Of A Network


Stu Sjouwerman is the Founder and CEO of KnowBe4 Inc., a security awareness training and simulated phishing platform. 

Cybercriminals are constantly evolving, innovating new ways to masquerade as trusted sources, breach defenses, and attack people, governments and organizations. While the specific tools change as attackers gain experience and financial motivation, the fundamental sequence of steps they follow has largely remained the same. Security practitioners call these steps the “cyber kill chain,” a term (coined by Lockheed Martin) for the stages of a cyberattack.

To keep it simple, let’s break it down to four stages that explain how cybercriminals assume total control of a network.

Identifying A Target

Cybercriminals identify targets based on numerous factors. Everyday cyberattacks (the shotgun approach) tend to target indiscriminately: a vulnerability, a location, an industry, or anyone who falls prey to a wide-spreading malware or phishing campaign. Where the stakes are higher and the goals specific (such as IP theft, financial fraud or reputational damage), attackers select victims after days or even months of surveillance, monitoring public information, studying social media profiles and conducting other analysis.

Accessing Credentials And/Or Researching Loopholes

Once cybercriminals have set their targets, stealing credentials is one of the first things they do to get a foot in the door. Attackers typically have two choices:

1. Research credentials: They find a password dump (some 65% of people reuse passwords), or they make an educated guess after reviewing open-source intelligence sources.

2. Buy or steal credentials: More than 15 billion passwords are up for sale on the dark web. Failing that, attackers steal them via phishing emails, by exploiting a software vulnerability or by eavesdropping on networks. Even without your email address or password, there are a number of tools hackers can use to pull employee names, find open ports and breach vulnerable software, or to locate data dumps such as spreadsheets. Short and weak passwords can be cracked easily: attackers with sophisticated tools can crack seven-letter passwords in under a…
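The two routes above (a password dump plus reuse, and weak passwords that crack quickly) are easier to reason about with the arithmetic in front of you. The script below is an added example, not from the author or KnowBe4: it brute-forces a constructed, unsalted SHA-256 “dump” (the storage weakness is an assumption of the demo), shows how the keyspace grows with length and character set, and then checks a second constructed credential set for reused passwords, which is exactly the list a credential-stuffing attacker builds. All usernames, passwords and hashes are constructed here and come from no real breach.

```python
"""Brute-force a constructed unsalted hash dump, then find reused passwords.

Added example, not code from the article or its author. Both credential sets
are constructed for the demo; unsalted SHA-256 storage is an assumed weakness.
"""
import hashlib
import itertools
import string


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def keyspace(alphabet_size: int, length: int) -> int:
    """Worst-case number of candidates for a password of exactly this length."""
    return alphabet_size ** length


def brute_force(hashes, alphabet=string.ascii_lowercase, max_len=4):
    """Recover every hash whose preimage is at most max_len chars of alphabet.

    Because the hashes are unsalted, one pass over the keyspace tests every
    entry in the dump at once; that is what makes such dumps valuable.
    Returns {hash: plaintext} for the hashes it managed to crack.
    """
    wanted = set(hashes)
    found = {}
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            if not wanted:
                return found
            candidate = "".join(chars)
            digest = sha256_hex(candidate)
            if digest in wanted:
                found[digest] = candidate
                wanted.discard(digest)
    return found


def reused_credentials(cracked, other_site):
    """Accounts on another site whose stored hash equals a password cracked elsewhere.

    cracked: {hash: plaintext}; other_site: {username: hash}.
    Returns {username: plaintext}, i.e. a ready-made credential-stuffing list.
    """
    return {user: cracked[h] for user, h in other_site.items() if h in cracked}


# Constructed "site A" dump storing unsalted SHA-256 (assumed weakness).
SITE_A = {
    "alice": sha256_hex("abc"),
    "bob": sha256_hex("zzzz"),
    "carol": sha256_hex("correcthorsebattery"),  # beyond this brute-force budget
}

# Constructed "site B" accounts: bob reused his password, alice did not.
SITE_B = {
    "bob@example": SITE_A["bob"],
    "alice@example": sha256_hex("x9!Qv$2p"),
}


def demo():
    """Crack site A, then derive the stuffing list for site B and two keyspace sizes."""
    cracked = brute_force(SITE_A.values())
    return {
        "cracked": {user: cracked.get(h) for user, h in SITE_A.items()},
        "stuffing_list": reused_credentials(cracked, SITE_B),
        "work_4_lower": keyspace(26, 4),            # 26^4 candidates
        "work_12_printable": keyspace(94, 12),      # 94 printable ASCII chars
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Carol's long password survives not because SHA-256 is slow (it is not) but because 26^19 candidates is out of reach, while four lowercase letters fall in under a second on a laptop. Salting each hash would force the attacker to repeat the whole pass per account, and a slow password hash (bcrypt, scrypt, Argon2) multiplies the cost of every candidate; the reuse check is why a breach at one site becomes an intrusion at another regardless of how the second site stores its passwords.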


A Teen Took Control of Teslas by Hacking a Third-Party App


On Friday, Russia did the previously unimaginable: It actually arrested a bunch of ransomware operators. Not only that, but members of the notorious group REvil, which has been behind some of the biggest attacks of the last several years, including IT management firm Kaseya and meat giant JBS. Russian president Vladimir Putin had previously given ransomware hackers a free pass. It’s not clear yet whether this was a calculated political move, a sign of a broader crackdown, or both, but it’s certainly a watershed moment.

As everyone scrambles to find Log4j in their systems, no easy task even for well-resourced companies, the FTC has set strict deadlines for patching the very bad, no good vulnerability in the ubiquitous logging library. It will be difficult, if not impossible, for everyone to find it in time, which says more about the fragile and opaque nature of the open source software world than about the FTC’s aggressive timeline.

Telecoms around the world have pushed back against Apple’s Private Relay, a not-quite-VPN that bounces your traffic through a couple of servers to give you extra anonymity. T-Mobile in the US recently blocked it for customers who had parental control filters. It’s unclear why they’ve taken those measures against Apple and not the many, many VPNs that work unfettered, but it may have to do with the potential scale of Apple customers who could sign up for the service.

In other Apple privacy news, iOS 15 brought with it a new report that shows you which sensors your apps are accessing and which domains they’re contacting. It’s a lot of information all at once; we helped break down how to read it.

North Korean hackers had a “banner year” in 2021, stealing nearly $400 million of cryptocurrency. And while Israeli spyware vendor NSO Group insists that it has controls in place to prevent abuses of its product, dozens of journalists and activists in El Salvador had their devices infected with Pegasus, NSO’s signature product, as recently as November.

And that’s not all! Each week we round up all the security news WIRED didn’t cover in depth. Click on the headlines to read the full stories.

A 19-year-old security researcher named David Colombo detailed this week how he…
