Tag: devices | Page 5

NoaBot: Another Mirai Botnet Strikes at Linux Devices

January 13, 2024/in Internet Security

Akamai’s team of security experts has discovered a new cryptomining campaign, dubbed NoaBot, leveraging the SSH protocol to spread its malware.

Mirai is a self-propagating worm that can turn consumer devices running Linux on ARC processors into remotely controlled bots. For over seven years now, it’s been used to launch Distributed Denial of Service (DDoS) attacks and, of course, to spread cryptominer malware. That’s where the money is, after all.

Now, Akamai security researchers have discovered a new Mirai variation, NoaBot, that deploys a modified version of the XMRig cryptominer.

What makes this latest version interesting is that instead of relying on Telnet to spread its malware, it used SSH. It does this by initiating a connection, sending a simple “hi” message, and then terminating the connection. This quick scanning strategy aids in keeping a low profile.

It also comes with all the usual Mirai nastiness, such as a scanner module and an attacker module, hiding its process name, etc. NoaBot also seeks to install itself as a crontab entry so that it will run even after an infected device is rebooted. Once in place, it will also try to spread itself to other vulnerable systems.

In addition, it uses an obfuscated configuration and a custom mining pool to disguise itself from investigators. This approach effectively conceals the wallet address, complicating efforts to track the campaign’s profitability.

Interestingly, unlike Mirai, which is usually compiled with GCC, NoaBot is compiled with uClibc. This appears to change how antivirus engines detect the malware. While other Mirai variants are usually detected with a Mirai signature, NoaBot’s antivirus signatures show as an SSH scanner or a generic trojan. The malware also comes statically compiled and stripped of any symbols making reverse engineering it harder.

The P2PInfect Connection

Oddly, there seems to be a link between NoaBot and the P2PInfect worm, This is a peer-to-peer, self-replicating worm written in Rust that targets Redis servers. What’s the point of this? Good question. I wish we had a good answer.

The Akamai security researchers speculate, “The threat actors seem quite tech-savvy, so it could…

Source…

Stealthy new botnet targets VPN devices and routers while staying disguised

January 4, 2024/in Internet Security

The US Government, together with several other countries, has issued a joint Cybersecurity Advisory notice warning of malicious work being carried out by a state-sponsored Chinese cyber actor known as Volt Typhoon.

The Chinese group has been observed targeting US critical infrastructure sectors, and other countries are believed to be at risk.

In fact, the attack uncovered by Microsoft earlier this year has captured the attention not only of the NSA, CISA, and FBI of the United States, but also officials in Australia, Canada, New Zealand, and the UK.

Chinese group stealthily targeting routers

According to Microsoft, the group, which has only been active since 2021, has previously targeted critical infrastructure on the Micronesian island Guam in the Western Pacific, which is an unincorporated territory of the US, as well as other American regions.

This particular campaign looks not to be especially focused, with sectors including communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education all under threat.

Volt Typhoon uses built-in network administration tools, otherwise known as living off the land, to evade endpoint detection by blending in with normal Windows system and network activities.

Microsoft summarized the steps: “They issue commands via the command line to (1) collect data, including credentials from local and network systems, (2) put the data into an archive file to stage it for exfiltration, and then (3) use the stolen valid credentials to maintain persistence.”

The threat actor was also noted to be blending into normal network activity by routing its traffic through compromised small office and home office (SOHO) network equipment, such as routers, firewalls, and VPN devices.

The security notice suggests that organizations harden domain controllers and monitor event logs, look for abnormal account activity, and investigate unusual IP addresses. Full details of the attack and mitigations can be found on the US Department of Defense’s website.

More from TechRadar Pro

Source…

How to Enable Private DNS on Android Devices

January 3, 2024/in Mobile Security

In today’s digital world, online privacy has become a crucial concern. While Android offers various security features, one often overlooked gem is the Private Domain Name System (DNS). This powerful tool encrypts your internet traffic, shielding your browsing activity from snooping eyes and boosting your overall online security.

Think of DNS as the internet’s phonebook, translating website names into computer-readable addresses. Traditionally, this process was unencrypted, leaving your browsing data exposed to your Internet Service Provider (ISP) or other third parties. Private DNS encrypts this communication, creating a secure tunnel for your internet requests, and adding a layer of privacy and protection.

Google has brought DNS over TLS support to Android by introducing the Private DNS feature. It’s available in Android 9 (Pie) and higher and encrypts all DNS traffic on the phone, including from apps.

The feature is enabled by default and uses a secure channel to connect to the DNS server if the server supports it. But if your ISP or cell service provider’s DNS doesn’t have encrypted DNS support, or you are simply not sure about it, you can use a third-party secure DNS server using the Private DNS feature.

The benefits of secure Private DNS include enhancement of privacy, improved security, and faster browsing. In this guide, we will show you how to activate this powerful feature on your Android device, step-by-step.

Email sent! Check your inbox to complete your signup.

…

Source…

New Android malware family has infected thousands of devices – here’s what we know

December 29, 2023/in Mobile Security

Cybersecurity researchers from McAfee hae uncovered over a dozen malicious apps lurking in the Google Play Store.

The researchers claim these apps were carrying a potent piece of malware, capable of stealing sensitive data from the infected Android devices and possibly even running ad fraud.

The apps were downloaded at least 330,000 times.

Accessibility Service

According to the researchers, the backdoor is called “Xamalicious”, and has so far been discovered in thee following apps:

– Essential Horoscope for Android – 100,000 installs

– 3D Skin Editor for PE Minecraft – 100,000 installs

– Logo Maker Pro – 100,000 installs

– Auto Click Repeater – 10,000 installs

– Count Easy Calorie Calculator – 10,000 installs

– Dots: One Line Connector – 10,000 installs

– Sound Volume Extender – 5,000 installs

After being labeled as malicious, Google removed these apps from its app repository.

While Google’s action is commendable, the move doesn’t protect users who already downloaded the apps in the past, with some reportedly having been available for download since mid-2020. They will have to remove those manually and use an anti-virus program or cleaner to remove up any loose ends.

The majority of the victims were found in the US, the UK, Germany, Spain, Australia, Brazil, Mexico, and Argentina.

To operate properly, the malware asks the victim to grant it Accessibility Service permissions, which is often a red flag and should help most people identify a malicious app from a legitimate one.

That being said, with Accessibility enabled, the malware is able to grab device and hardware information, including Android ID, brand, CPU, model, OS version, language, developer options status, SIM details, and firmware. Furthermore, it can identify the device’s physical location, ISP name, organization, and services. It also comes with a few features to help it determine if it’s installed on a genuine device or an emulator.

Finally, the malware can pull a second-stage payload from the C2 server.

Via BleepingComputer

More from TechRadar Pro

Source…

Tag Archive for: devices

The P2PInfect Connection

Sign up for Techloy