Tag Archive for: Operators

Abcbot Botnet Linked to Operators of Xanthe Cryptomining malware


New research into the infrastructure behind an emerging DDoS botnet named Abcbot has uncovered links with a cryptocurrency-mining botnet attack that came to light in December 2020.

Attacks involving Abcbot, first disclosed by Qihoo 360’s Netlab security team in November 2021, are triggered via a malicious shell script that targets insecure cloud instances operated by cloud service providers such as Huawei, Tencent, Baidu, and Alibaba Cloud. The script downloads malware that co-opts the machine into the botnet, but not before terminating processes from competing threat actors and establishing persistence.

The shell script in question is itself an iteration of an earlier version originally discovered by Trend Micro in October 2021 hitting vulnerable ECS instances inside Huawei Cloud.


But in an interesting twist, continued analysis of the botnet by mapping all known Indicators of Compromise (IoCs), including IP addresses, URLs, and samples, has revealed Abcbot’s code and feature-level similarities to that of a cryptocurrency mining operation dubbed Xanthe that exploited incorrectly-configured Docker implementations to propagate the infection.


“The same threat actor is responsible for both Xanthe and Abcbot and is shifting its objective from mining cryptocurrency on compromised hosts to activities more traditionally associated with botnets, such as DDoS attacks,” Cado Security’s Matt Muir said in a report shared with The Hacker News.

The semantic overlaps between the two malware families range from how the source code is formatted to the names given to the routines, with some functions not only sporting identical names and implementation (e.g., “nameservercheck”) but also having the word “go” appended to the end of the function names (e.g., “filerungo”).

“This could indicate that the Abcbot version of the function has been iterated on several times, with new functionality added at each iteration,” Muir explained.


Furthermore, the deep-dive examination of the malware artifacts revealed the botnet’s capability to create up to four user accounts of its own, using generic, inconspicuous names like “autoupdater,” “logger,” “sysall,” and “system” to avoid detection, and adding them to the sudoers…


Ransomware attacks decrease, operators started rebranding


Positive Technologies experts have analyzed the Q3 2021 cybersecurity threatscape and found a decrease in the number of unique cyberattacks. However, there’s been an increase in the share of attacks against individuals, and also a rise in attacks involving remote access malware.


The number of attacks in Q3 decreased by 4.8% compared to the previous quarter—the first time since the end of 2018 that Positive Technologies has recorded a negative trend. The researchers believe one key reason for the change is the decrease in ransomware attacks and the fact that some major players have quit the stage. This is also why the share of attacks aimed at compromising corporate computers, servers, and network equipment has fallen, from 87% to 75%.

“This year we saw the peak of ransomware attacks in April when 120 attacks were recorded. There were 45 attacks in September, down 63% from the peak in April. The reason is that several large ransomware gangs stopped their operation, and law enforcement agencies started paying more attention to the problem of ransomware attacks (due to recent high-profile attacks),” said Ekaterina Kilyusheva, Head of Research and Analytics, Positive Technologies.

Researchers also noted a trend toward the rebranding of existing ransomware gangs: Some operators are rethinking their preference for the Ransomware as a Service (RaaS) scheme, which carries certain risks from unreliable partners.

Kilyusheva explains: “In Q2, we predicted that one of the possible scenarios of ransomware transformation would be that groups abandon the RaaS model in its current form. It is much safer for ransomware operators to hire people who will deliver malware and search for vulnerabilities as permanent ‘employees.’ It will be safer for both parties, as more organized and efficient all-in-one forms of cooperation can be created. In Q3, we saw the first steps in this direction. An additional boost for this transformation is the development of the market of initial access.”

The research shows that although the share of malware attacks on organizations decreased by 22%, the attackers’ appetite for data also led to an increase in the use of remote access trojans. In…


Luno, Tokenize pledge tight security as hackers hit operators abroad


In less than 2 weeks last month, almost RM2.9b worth of cryptocurrency assets were stolen by hackers from 2 leading exchanges abroad

by AFIQ AZIZ / Pic by TMR FILE PIX

THE hacking of digital asset exchanges (DAXs) abroad has put some fear in digital currency investors here that their investments on local DAXs may equally be vulnerable to hackers if there are no comprehensive security measures in place.

In less than two weeks last month, almost US$700 million (RM2.9 billion) worth of cryptocurrency assets were stolen by hackers from two leading exchanges abroad.

China-based Poly Network, a smart contract-driven platform that facilitates transactions between various platforms, had US$600 million worth of crypto money stolen, before the hacker, or hackers, returned most of the stolen funds, saying the heist was just “for fun”. It was dubbed as the biggest cryptocurrency theft ever.

Then, the Japanese cryptocurrency exchange known as Liquid was hit in a cyberattack by hackers who made off with a reported US$97 million worth of digital coins.

Liquid has since stated some of its digital currency wallets had been “compromised”, and hackers had transferred the assets to four different wallets.

While the cryptocurrency market in Malaysia is far smaller compared to peers abroad, it is growing with the Securities Commission licensing four DAXs.

Luno’s infrastructure is also hosted on Amazon Web Services, which offers a secure environment for its services, Tang says

The leading DAX, Luno Malaysia Sdn Bhd, reported almost US$1 billion (RM4.2 billion) in total transactions as of June compared to US$300 million (RM1.23 billion) for the whole of 2020.

It currently stores more than RM1 billion of digital assets including bitcoin, ethereum, ripple and litecoin with 300,000 account holders.

In an email to The Malaysian Reserve (TMR), Luno Malaysia country manager Aaron Tang stated the DAX keeps most of its customers’ private keys in physical bank vaults inside safety deposit boxes, called “deep freeze” storage, to maximise the safety of its customers’ cryptocurrencies.

“Deep-freeze keys are ‘multi-sig’ keys, meaning multiple keys must always be present to authorise a…


Metro Watchdog Safety Report Flags Fatigued Train Operators – NBC4 Washington


Metro’s train and bus operators could be coming to the job tired and physically unfit to perform their duties, according to a report issued Tuesday by the transit agency’s top safety watchdog. 

The Washington Metrorail Safety Commission flagged potential safety risks related to fatigued operators. Some of this could be because workers aren’t getting enough time off between shifts. 

In 2004, a Metro train at the Woodley Park station on the Red Line rolled backward thousands of feet. It crashed into another train, injuring 20 people. Video footage shows twisted, mangled wreckage. 

“It felt like an explosion. Everyone started running and screaming,” one man said. 

The train operator was found to have been tired and not alert, likely because of a lack of sleep. 

Almost 17 years later, the report issued Tuesday says Metro still isn’t doing enough to ensure that employees are rested and physically fit for the job.

“There are opportunities to improve the program to ensure that [operators] are as well rested as they can be. Again, this is a systemic audit – and we look at the systems, trying to give Metro every opportunity to prevent a safety event like a crash before it happens,” safety commission spokesman Max Smith said.

In addition to the 2004 crash, the safety commission pointed to lesser-known examples of train operator fatigue, including when workers have fallen asleep at the switch. 

Metro is reviewing the report and will respond with changes, a representative said. 

The transit agency has 30 days to address the issues.
