Tag Archive for: Malware

‘TheMoon’ malware shows its dark side, grows to 40,000 bots from 88 countries


A multi-year campaign leveraging an updated version of “TheMoon” malware has been targeting end-of-life (EoL) small business routers and IoT devices via a cybercriminal proxy service known as “Faceless.”

The Black Lotus Labs team at Lumen Technologies described in a March 26 blog post how “TheMoon” malware, which first emerged in 2014, had been operating quietly while growing to more than 40,000 bots from 88 countries by January and February of this year.

Black Lotus Labs first described “TheMoon” malware in 2019 and said it has now entered a new phase. For their most recent post, the researchers identified at least one campaign by the Faceless criminal proxy service that began in the first week of March and targeted more than 6,000 ASUS routers in less than 72 hours.

The researchers said Faceless has been growing at a pace of 7,000 users per week and has become an ideal choice for cybercriminals seeking anonymity. The researchers said their telemetry found that this service has been used by operators of botnets such as SolarMarker and IcedID.  

“This is not the first instance of infected devices being enrolled into a proxy service, and it’s a growing trend,” wrote the researchers. “We suspect that with the increased attention paid to the cybercrime ecosystem by both law enforcement and intelligence organizations, criminals are looking for new methods to obfuscate their activity.”

John Gallagher, vice president of Viakoo Labs, said that IoT devices are designed to be “set-it-and-forget-it,” leading to their being favored by threat actors. So even if they are not EoL, they are likely unmanaged and not updated. 

“This is a much bigger issue for enterprises than consumers,” explained Gallagher. “The operators of IoT devices are often cost centers, and have an incentive to not replace equipment unless it isn’t functional anymore. So, enterprises offer vast fleets of IoT devices for threat actors to leverage for DDoS and other attack vectors.”

The result: Gallagher said we now have vast botnet armies of infected IoT devices because there has never been a focus (or incentive) around bot eradication. He said organizations are told to focus on bot…


Microsoft unmasks Russia-linked ‘GooseEgg’ malware


Researchers at Microsoft say they have uncovered a malicious tool used by Russian state-sponsored hackers to steal credentials in compromised networks.

The malware, named GooseEgg, exploits a vulnerability labeled CVE-2022-38028 in the Windows Print Spooler service, which manages printing processes. The researchers say GooseEgg appears to be exclusive to a group Microsoft tracks as Forest Blizzard, which is associated with Russia’s military intelligence agency, the GRU.

According to the report, Forest Blizzard, also known as Fancy Bear and APT28, has been deploying the malware since at least June 2020 against state, nongovernmental, education and transportation organizations in Ukraine, Western Europe and North America.

“The use of GooseEgg in Forest Blizzard operations is a unique discovery that had not been previously reported by security providers,” researchers said.

Microsoft has observed that after obtaining access to a target device, Forest Blizzard uses GooseEgg to elevate privileges within the network. GooseEgg itself is a simple launcher application, but it allows attackers to undertake other actions such as remote code execution, installing a backdoor and laterally moving through compromised networks. 

The company patched the Print Spooler security flaw in 2022. “Customers who have not implemented these fixes yet are urged to do so as soon as possible for their organization’s security,” Microsoft said. 

In addition to CVE-2022-38028, Forest Blizzard exploits other bugs, such as CVE-2023-23397, which affects all versions of Microsoft Outlook software on Windows devices.

Earlier in December, Microsoft warned that Forest Blizzard has been attempting to use the Microsoft Outlook bug to gain unauthorized access to email accounts within Microsoft Exchange servers since as early as April 2022. 

The GRU hackers typically target strategic intelligence assets such as government, energy, transportation and nongovernmental organizations in the U.S., Europe, and the Middle East.

Microsoft has also observed Forest Blizzard targeting media organizations, information technology companies, sports organizations and educational institutions.


Androxgh0st Malware Compromises Servers Worldwide for Botnet Attack


Veriti Research has discovered a surge in attacks from operators of the Androxgh0st malware family, uncovering over 600 servers compromised primarily in the U.S., India and Taiwan.

According to Veriti’s blog post, the adversary behind Androxgh0st had their C2 server exposed, which could allow for a counterstrike by revealing the impacted targets. The researchers then went on to alert the victims.

Further research revealed that Androxgh0st operators are exploiting multiple CVEs, including CVE-2021-3129 and CVE-2024-1709, to deploy a web shell on vulnerable servers, granting remote control capabilities. Moreover, evidence suggests active web shells associated with CVE-2019-2725

Image: Veriti

Androxgh0st Threat Actor Ramps Up Activity

Hackread.com has been tracking Androxgh0st operations since it was first noticed in December 2022. The malware operator is known for deploying Adhublika ransomware and was previously observed communicating with an IP address associated with the Adhublika group.

Androxgh0st operators prefer exploiting Laravel applications to steal credentials for cloud-based services like AWS, SendGrid, and Twilio. They exploit vulnerabilities in Apache web servers and PHP frameworks, deploying web shells for persistence.

However, their recent focus seems to be building botnets to exploit more systems. Recently, the FBI and CISA issued a joint Cybersecurity Advisory (CSA) warning about Androxgh0st constructing a botnet to carry out credential theft and establish backdoor access.

Last year, Cado Security Ltd. revealed the details of a Python-based credential harvester and hacking tool called Legion, linked to the Androxgh0st malware family. Legion is designed to exploit email services for abuse.

The Way Forward

Veriti’s research goes on to show the importance of proactive exposure management and threat intelligence in cybersecurity. Organizations must regularly update their security measures, including patch management for known vulnerabilities, strong monitoring for web shell deployment, and behavioural analysis tools, to prevent breaches and protect against similar vulnerabilities.


TP-Link routers are still being bombarded with botnet and malware threats


More than a year after a patch was released, hackers are still competing to compromise vulnerable TP-Link Wi-Fi routers.

A report from Fortinet claims half a dozen botnet operators are scanning for vulnerable TP-Link Archer AX21 (AX1800) routers after cybersecurity researchers discovered a high-severity unauthenticated command injection flaw in the endpoints early last year.
