Tag Archive for: devices

Malware Alert: Windows Devices in Crosshairs of New Threat Byakugan!


Windows devices are now under a new threat – a malware named Byakugan, stealing sensitive data and providing remote access to attackers.

What is Byakugan?

Byakugan is a sophisticated malware that specifically targets Windows devices. It is built on Node.js and bundles a variety of modules, including a screen monitor, a cryptocurrency miner, a keystroke recorder, a file manipulator, and a browser information stealer. These let the intruder steal sensitive data including cookies, credit card details, downloads, and autofill profiles. To add insult to injury, Byakugan can also mine cryptocurrency using the victim’s CPU or GPU resources.

Distribution and Infection Method

The malware is primarily distributed via a phishing campaign in which victims are lured with a fake PDF file containing a malicious link. The infection starts when the victim clicks this deceptive link. A file named require.exe is then dropped, followed by the download of an installer program into a temporary folder. A DLL file is then abused through DLL hijacking to execute require.exe and download the malware’s main module.

The Main Module

The main module of this malware is downloaded from the site thinkforce.com. This server not only aids in distribution but also doubles as a control panel for the attacker, allowing further exploitation and manipulation of the infected device.

Past Incidents

Similar attacks have been carried out before. In an earlier campaign, an infostealer was disguised as an Adobe Reader installer, prompting users to download what they thought was Adobe Reader but was in reality a malicious file. Two harmful files were created, and a Windows system file was run with admin rights. The malicious DLL file managed to bypass User Account Control (UAC) through DLL hijacking.

About Acrobat Reader DC by Adobe

Acrobat Reader DC by Adobe is a top-notch office tool that is widely used for reading, commenting, printing, and signing PDF documents. It’s a key competitor to Word but distinguishes itself with its superior efficiency and its seamless connection to Adobe’s cloud. It’s a free and highly recommended software for Windows, Android, and iOS users.

Source…

TheMoon Botnet Facilitates Faceless To Exploit EoL Devices


In a digital landscape fraught with threats, vigilance is paramount. Cybercriminals are exploiting end-of-life devices to carry out their malicious activities. Recently, Black Lotus Labs, the formidable threat intelligence arm of Lumen Technologies, has cast light upon a looming menace: TheMoon botnet.

This insidious entity, lurking within the shadows of outdated small office/home office (SOHO) routers and IoT devices, has resurfaced in a revamped form, bolstering a cybercriminal infrastructure known as Faceless.


TheMoon Botnet Unveiled


In their relentless pursuit of cyber anonymity, criminal elements have coalesced around the TheMoon botnet cyber threat, leveraging its capabilities to fuel the nefarious operations of Faceless. TheMoon botnet, quietly amassing over 40,000 bots across 88 countries in a mere two months, serves as the cornerstone of this proxy service, enabling malefactors to clandestinely channel malicious traffic through compromised devices.

Mark Dehus, Senior Director of Threat Intelligence at Lumen Black Lotus Labs, underscores the gravity of the situation, elucidating how these cybercriminals exploit outdated routers to orchestrate their felonious endeavors. This symbiotic relationship between TheMoon and Faceless underscores the urgency for businesses to fortify their digital perimeters. Thus, securing home routers is essential to safeguarding personal and sensitive information from cyber threats.


Illuminating the Modus Operandi


At its core, TheMoon botnet empowers Faceless users with the cloak of anonymity, allowing them to masquerade as legitimate entities while perpetrating cyber mischief. This anonymity, devoid of any customer identification requirements, emboldens malicious actors to orchestrate TheMoon botnet attacks on vulnerable devices, siphoning valuable data with reckless abandon.

Criminal proxies powered by TheMoon botnet pose a significant threat to cybersecurity worldwide. In the face of this burgeoning threat landscape, preemptive measures become imperative. Consumers and businesses alike must adopt a proactive stance in safeguarding their digital assets. To do this, they must:

  • Routinely reboot SOHO routers and promptly install…

Source…

Critical D-Link Security Flaws Leave Thousands Of These Storage Devices Vulnerable To Hacks



End-of-life hardware can be quite a problem at times, even crashing back into Earth’s atmosphere at supersonic speeds, for that matter. Of course, we wouldn’t expect such travesties to happen with the hardware you keep in your basement, or that NAS you tucked away in your closet. However, older tech gear can have serious security vulnerabilities that might never be patched because of its end-of-life status with the manufacturer. This is precisely what some D-Link network-attached storage (NAS) owners are finding out after a critical vulnerability was discovered, affecting up to tens of thousands of devices still connected to the internet.

Roughly two weeks ago, researchers discovered a chain of vulnerabilities in several D-Link NAS devices, including “DNS-340L, DNS-320L, DNS-327L, and DNS-325, among others.” The issues live in nas_sharing.cgi, which contains a backdoor thanks to hardcoded credentials and is open to command injection through the system parameter. Combined, these allow arbitrary code execution on the affected devices, giving an attacker access to information, the ability to cause a denial of service, or worse.


According to the researchers with NetSecFish, up to 92,000 D-Link devices are exposed to the internet and vulnerable to attackers. Shodan shows significantly fewer exposed devices, and fewer still that are tagged as end-of-life. Regardless, in response to the vulnerabilities, D-Link posted a notice explaining that the “exploit affects a legacy D-Link products and all hardware revisions, which have reached their End of Life (“EOL”)/End of Service Life (“EOS”) Life-Cycle.” As such, the recommendation for affected systems is to retire or replace them, as no update will be coming from the company.

Of course, you can also ensure that the NAS devices are not exposed to the internet and use them only internally, but there is no guarantee that your data is safe. Thus, we would also recommend upgrading your storage server to something more current (such as a 16TB Buffalo NAS) to help prevent these types of security issues.

Source…

Critical Flaws Leave 92,000 D-Link NAS Devices Vulnerable to Malware Attacks


Apr 09, 2024 | Newsroom | Botnet / Vulnerability


Threat actors are actively scanning and exploiting a pair of security flaws that are said to affect as many as 92,000 internet-exposed D-Link network-attached storage (NAS) devices.

Tracked as CVE-2024-3272 (CVSS score: 9.8) and CVE-2024-3273 (CVSS score: 7.3), the vulnerabilities impact legacy D-Link products that have reached end-of-life (EoL) status. D-Link, in an advisory, said it does not plan to ship a patch and instead urges customers to replace them.

“The vulnerability lies within the nas_sharing.cgi uri, which is vulnerable due to two main issues: a backdoor facilitated by hard-coded credentials, and a command injection vulnerability via the system parameter,” a security researcher who goes by the name netsecfish said in late March 2024.


Successful exploitation of the flaws could lead to arbitrary command execution on the affected D-Link NAS devices, granting threat actors the ability to access sensitive information, alter system configurations, or even trigger a denial-of-service (DoS) condition.

The issues affect the following models –

  • DNS-320L
  • DNS-325
  • DNS-327L, and
  • DNS-340L

Threat intelligence firm GreyNoise said it observed attackers attempting to weaponize the flaws to deliver the Mirai botnet malware, thus making it possible to remotely commandeer the D-Link devices.


In the absence of a fix, the Shadowserver Foundation is recommending that users either take these devices offline or have remote access to the appliance firewalled to mitigate potential threats.
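The mitigation above amounts to keeping nas_sharing.cgi unreachable from outside the local network. One way to check that this is actually holding is to scan the NAS's (or an upstream proxy's) access log for requests to that endpoint and note where they come from. The following Python script is an added example, not code from the articles, from netsecfish or from D-Link: it flags any request to nas_sharing.cgi, rates a request that carries the `system` parameter (the command-injection vector the advisory names) as high severity, and marks whether the client address falls outside RFC 1918 space. The Common Log Format, the `/cgi-bin/` path prefix and all sample log lines are constructed assumptions for illustration; only the endpoint name and the `system` parameter come from the article.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Common Log Format). They are made up
# for this example and are not captures from any real D-Link NAS; the
# /cgi-bin/ prefix and the parameter value are assumptions.
SAMPLE_LOG = """\
192.0.2.10 - - [09/Apr/2024:10:01:02 +0000] "GET /cgi-bin/nas_sharing.cgi?system=Y29uc3RydWN0ZWQ HTTP/1.1" 200 512
192.168.1.20 - - [09/Apr/2024:10:01:05 +0000] "GET /cgi-bin/nas_sharing.cgi HTTP/1.1" 200 128
198.51.100.7 - - [09/Apr/2024:10:02:00 +0000] "GET /web/login.cgi HTTP/1.1" 200 4096
203.0.113.5 - - [09/Apr/2024:10:03:11 +0000] "POST /cgi-bin/nas_sharing.cgi HTTP/1.1" 200 64
"""

# Minimal Common Log Format parser: client IP, timestamp, request line, status.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# RFC 1918 ranges only. The TEST-NET addresses in the sample are deliberately
# outside them, so they count as "remote" clients in this example.
PRIVATE_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_remote(ip: str) -> bool:
    """True when the client address is not in RFC 1918 private space."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in PRIVATE_NETS)


def classify(line: str):
    """Return a finding dict for a request to nas_sharing.cgi, or None."""
    m = CLF_RE.match(line)
    if not m:
        return None  # not a CLF line we understand
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("nas_sharing.cgi"):
        return None  # some other endpoint
    params = parse_qs(parts.query)
    # The advisory names the 'system' parameter as the command-injection
    # vector, so a request carrying it is the strongest signal. Any other
    # hit on the endpoint is still worth a look because of the backdoor
    # credentials, hence "medium".
    injection = bool(params.get("system"))
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "remote": is_remote(m.group("ip")),
        "severity": "high" if injection else "medium",
        "reason": "system parameter present" if injection else "access to nas_sharing.cgi",
    }


def scan_log(text: str):
    """Run classify() over every line and keep the findings."""
    return [f for f in (classify(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Any finding with `remote` set to True is direct evidence that the firewalling the Shadowserver Foundation recommends is not in place; a high-severity finding from a remote address is the case to treat as a likely compromise attempt, regardless of the HTTP status the device returned.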


The findings once again illustrate that Mirai botnets are continuously adapting and incorporating new vulnerabilities into their repertoire, with threat actors swiftly developing new variants that are designed to abuse these issues to breach as many devices as possible.

With network devices becoming common targets for financially motivated and nation-state-linked attackers, the development comes as Palo Alto Networks Unit 42 revealed that threat actors are increasingly switching to malware-initiated scanning attacks to flag vulnerabilities in target networks.

“Some scanning attacks originate from benign networks likely driven by malware on infected machines,”…

Source…