Tag Archive for: surfaces

10-Year-Old ‘RUBYCARP’ Romanian Hacker Group Surfaces with Botnet


Apr 09, 2024 | Newsroom | Botnet / Crypto Mining

A threat group of suspected Romanian origin called RUBYCARP has been observed maintaining a long-running botnet for carrying out crypto mining, distributed denial-of-service (DDoS), and phishing attacks.

The group, believed to be active for at least 10 years, employs the botnet for financial gain, Sysdig said in a report shared with The Hacker News.

“Its primary method of operation leverages a botnet deployed using a variety of public exploits and brute-force attacks,” the cloud security firm said. “This group communicates via public and private IRC networks.”

Evidence gathered so far suggests that RUBYCARP may overlap with another threat cluster tracked by Albanian cybersecurity firm Alphatechs under the moniker Outlaw, which has a history of conducting crypto mining and brute-force attacks and has since pivoted to phishing and spear-phishing campaigns to cast a wide net.

“These phishing emails often lure victims into revealing sensitive information, such as login credentials or financial details,” security researcher Brenton Isufi said in a report published in late December 2023.

A notable aspect of RUBYCARP’s tradecraft is the use of a malware called ShellBot (aka PerlBot) to breach target environments. It has also been observed exploiting security flaws in the Laravel Framework (e.g., CVE-2021-3129), a technique also adopted by other threat actors like AndroxGh0st.

In a sign that the attackers are broadening their arsenal of initial access methods to grow the botnet, Sysdig said it discovered signs of WordPress sites being compromised using commonly used usernames and passwords.

“Once access is obtained, a backdoor is installed based on the popular Perl ShellBot,” the company said. “The victim’s server is then connected to an [Internet Relay Chat] server acting as command-and-control, and joins the larger botnet.”

The botnet is estimated to comprise over 600 hosts, with the IRC server (“chat.juicessh[.]pro”) created on May 1, 2023. It heavily relies on IRC for general communications as well as for managing its botnets and coordinating crypto mining campaigns.

Furthermore, members of the group – named…

Source…

Tackling the many (sur)faces of a zero trust security framework



By Vijay Jayaraman – Director – System Engineering, India & SAARC, Citrix

For a business to thrive in today’s world, it is critical for it to have innovation and technology at its core. However, it is also important to understand that the more we try to diversify the technology we use and rely on it to carry out work, the more vulnerable we are to external threats and attacks. It is therefore important for every organization to not only use technology to ease processes but also create a robust security framework that safeguards the entire business.

So, what is the best way to protect your business from malicious threats?

Let’s take a look at our own homes. Everyone has a lock on their front door, which provides a certain level of security. This security improves significantly once complemented with an alarm and a video surveillance system capable of tracking movement through the house. But this won’t stop criminals from trying to break a window, deactivate the alarm system or simply monitor your every move to gather sensitive information. Translating this to businesses, a zero-trust network architecture (ZTNA) is an important first step to enhance workplace security. As opposed to a VPN-based security system, zero trust adds multiple layers and restricts access to critical business resources whether they are on-premises or in the cloud. It employs multi-factor authentication, machine learning-based analysis, and continuous monitoring to ensure optimum security in the network.

However, just implementing this architecture is not enough. In many companies, it has been observed that most reported vulnerabilities are in applications and not in the network. Businesses therefore need to take additional steps toward a comprehensive strategy that understands vulnerabilities not only in the network but in the applications as well. With applications moving away from being monolithic and progressing toward cloud-based microservice architectures, it becomes important for organizations to focus both on in-house applications and on the new public cloud or hybrid cloud-based microservices.

While doing so, emerging technologies like Artificial…

Source…

Troubling New Disk-Level Encryption Ransomware Surfaces


A new ransomware strain is implementing a troubling but so far relatively rarely used technique to encrypt data in a target environment.

Instead of encrypting files on endpoint systems like most ransomware families, the new malware, dubbed “DeepBlueMagic,” targets different disk drives on a target organization’s servers, researchers from Heimdal Security say.

The malware was observed using a legitimate third-party encryption tool called BestCrypt Volume Encryption from Jetico to start encryption on all drives — except the primary system drive (“C:”) — on an infected Windows Server 2012 R2 system.

Heimdal found the encryption tool, along with a rescue file (rescue.rsc) that Jetico’s software typically uses to recover damaged partitions, on the system drive of the infected machine. In this instance, however, the rescue file was encrypted as well and required a password to open it, according to Heimdal’s new report.

The security vendor was not able to determine how attackers might have gained initial access to the compromised system, nor was it able to obtain a sample of the original executable file because the ransomware deleted itself from the system.

Heimdal’s investigation showed that DeepBlueMagic had started the encryption process on the infected system’s D: drive and stopped it almost immediately after initiation. This left the drive partially encrypted and turned it into a RAW partition — that is, a partition whose file system structure has been corrupted and is therefore not recognized by the operating system.

“Any access attempt would have the Windows OS interface prompt the user to accept formatting the disk since the drive looks broken once encrypted,” Heimdal says in its report. Usually, the rescue file that Jetico’s encryption software uses could have been used to restore the partially encrypted drive, but in this case that was not possible because the rescue file had been encrypted as well.

As is the case with many ransomware strains these days, DeepBlueMagic is designed to disable any behavior-based threat detection tools that might be present on a targeted server — before the…

Source…

Latest OnePlus X update surfaces Android security patch level, currently on Jan. 1 release – Android Central

With the latest update to OxygenOS 2.2.0, the OnePlus X now properly displays its Android security patch level in the settings, separate from the rest of the software information. The phone is currently on the January 1, 2016 release, which means at

Related: OnePlus X Update Brings 'Android Security Patch Level' to Settings – Android Headlines