
Rust-Based Botnet P2Pinfect Targets MIPS Architecture


The cross-platform botnet known as P2Pinfect has been observed taking a significant leap in sophistication. 

Since its emergence in July 2023, this Rust-based malware has been on the radar for its rapid expansion, according to a new advisory published today by Cado Security.

Initially exploiting Redis for entry into systems, P2Pinfect has now unveiled a new variant specifically crafted for Microprocessor without Interlocked Pipelined Stages (MIPS) architecture, indicating a strategic shift in its targets.

This latest move signifies an alarming escalation in the botnet’s tactics, showcasing a deliberate focus on routers, Internet of Things (IoT) devices and various embedded systems. The utilization of MIPS processors in these devices makes them particularly vulnerable to the P2Pinfect threat.

Read more on this threat: Novel Worm-Like Malware P2Pinfect Targets Redis Deployments

Researchers at Cado Security Labs stumbled upon this MIPS variant while investigating files uploaded via SFTP and SCP to an SSH honeypot. Unlike earlier iterations that primarily leveraged SSH servers for propagation, this variant stands out for attempting brute-force SSH access to embedded devices. 

Additionally, it was discovered that the malware could exploit Redis on MIPS devices using the OpenWRT package named redis-server.

Static analysis of the MIPS variant uncovered a 32-bit ELF binary with stripped debug information, as well as an embedded 64-bit Windows DLL. This DLL functions as a malicious loadable module for Redis, introducing a Virtual Machine evasion function to complicate analysis efforts further.

What also sets this variant apart is its adoption of a new evasion technique called TracerPid, which spawns a child process to detect dynamic analysis tools. Additionally, P2Pinfect seeks to disable Linux core dumps, presumably as an anti-forensic measure to safeguard crucial information from exposure.

According to Cado Security researchers, the evolution in tactics used by P2Pinfect, combined with its expanded target range and advanced evasion techniques, strongly indicates the involvement of a determined and sophisticated threat actor.


New P2PInfect bot targets routers and IoT devices



Pierluigi Paganini
December 04, 2023

Cybersecurity researchers discovered a new variant of the P2PInfect botnet that targets routers and IoT devices.

Researchers at Cado Security Labs discovered a new variant of the P2Pinfect botnet that targets routers, IoT devices, and other embedded devices. This variant has been compiled for the Microprocessor without Interlocked Pipelined Stages (MIPS) architecture.

The new bot includes updated evasion mechanisms: it can detect and avoid execution inside a Virtual Machine (VM) or under a debugger, and it supports anti-forensics on Linux hosts.

In July 2023, Palo Alto Networks Unit 42 researchers first discovered the P2P worm P2PInfect that targets Redis servers running on both Linux and Windows systems. The capability to target Redis servers running on both Linux and Windows operating systems makes P2PInfect more scalable and potent than other worms. 

The worm is written in the Rust programming language. It targets Redis instances by exploiting the Lua sandbox escape vulnerability CVE-2022-0543 (CVSS score 10.0).

In September, Cado Security Labs reported that it had witnessed a 600x increase in P2Pinfect traffic since August 28th. According to the researchers, traffic surged 12.3% during the week leading up to the publication of their analysis.

P2Pinfect infections have been reported in China, the United States, Germany, the United Kingdom, Singapore, Hong Kong and Japan.

Experts linked the surge in botnet traffic with the growing number of variants detected in the wild, a circumstance that suggests that the authors are actively improving their bot.

“Cado Security Labs researchers have since encountered a new variant of the malware, specifically targeting embedded devices based on 32-bit MIPS processors, and attempting to bruteforce SSH access to these devices.” reads the report published by Cado Security. “It’s highly likely that by targeting MIPS, the P2Pinfect developers intend to infect routers and IoT devices with the malware. Use of MIPS processors is common for embedded devices and the architecture has been previously targeted by botnet malware, including high-profile…


Ransomware targets will pay one way or another



A lock icon, signifying an encrypted Internet connection, is seen on an Internet Explorer browser in a photo illustration in Paris April 15, 2014. REUTERS/Mal Langsdon

NEW YORK, Nov 17 (Reuters Breakingviews) – A surge in online hacking presents corporate executives with a new challenge, and a new set of costs to be borne. And in the wake of an attack on the U.S. arm of China’s biggest bank, a bid to stamp out ransom payments to cybercriminals looks far-fetched.

Joe Biden’s administration has drummed up support amongst 40 allies of the United States for a collective pledge to never pay ransoms in hopes that it will starve cybercriminals of their key funding source. The White House has even considered an outright ban on firms making ransom payments. In theory, it’s a great idea. If companies can’t pay ransom, there’s no point in asking for it.

In the real world things are more fragile. A unit of Industrial and Commercial Bank of China (601398.SS) last week fell victim to a ransomware attack that wasn’t just a problem for the Chinese lender’s employees and customers: As a bank that provides clearing for U.S. Treasuries, the attack added friction to one of the world’s most critical financial markets. ICBC’s self-identified attacker, a gang of digital extortionists called Lockbit, says ICBC paid up. If a critical firm – say a bank with even bigger U.S. operations – faced prolonged downtime, things could get nasty.

That doesn’t mean companies should just give in to criminals. Companies involved in recent attacks, from consumer goods maker Clorox (CLX.N) to casino operator Caesars Entertainment (CZR.O), have had different responses. But more firms are having to make the choice. Digital analytics firm Chainalysis reckons ransomware attackers siphoned at least $457 million from victims last year, likely a low estimate as companies don’t typically disclose much detail around such incidents.

The alternative is to be unhackable – which means spending ever more on defenses. But there are no guarantees. Ransomed firms that had backups of crucial company information got access to their data back within a week just 45% of the time, according to a


Winter Vivern: Zero-Day XSS Exploit Targets Roundcube Servers


ESET Research has discovered a significant cybersecurity threat as the Winter Vivern group exploited a zero-day cross-site scripting (XSS) vulnerability in the Roundcube Webmail server. 

The new campaign, described in an advisory published today, targeted Roundcube Webmail servers of governmental entities and a think tank in Europe. ESET Research promptly reported the vulnerability to the Roundcube team on October 12, and the team acknowledged and patched it within a short timeframe, releasing security updates on October 16.

Winter Vivern, a cyber-espionage group known for targeting governments in Europe and Central Asia, has been active since at least 2020. To infiltrate its targets, the group employs various methods, including malicious documents, phishing websites and a custom PowerShell backdoor. It is suspected of being linked to MoustachedBouncer, a Belarus-aligned group.

Read more about this threat: ESET Unmasks Cyber-Espionage Group Targeting Embassies in Belarus

This is not the first time Winter Vivern has targeted Roundcube servers; in 2022, the group exploited CVE-2020-35730. Sednit, also known as APT28, has been targeting the same vulnerability as well.

The newly exploited XSS vulnerability, CVE-2023-5631, allows remote exploitation by sending a specially crafted email message. Even fully patched Roundcube instances were vulnerable due to a server-side script flaw in rcube_washtml.php, which the attackers exploited.

By sending this email, attackers could inject arbitrary JavaScript code into the victim’s Roundcube session, ultimately enabling them to access and exfiltrate email messages. ESET warned that Winter Vivern’s ability to exploit a zero-day vulnerability in Roundcube represents a concerning development in the realm of cyber-espionage.

“Winter Vivern has stepped up its operations by using a zero-day vulnerability in Roundcube. Previously, it was using known vulnerabilities in Roundcube and Zimbra, for which proofs of concept are available online,” reads the advisory.

“Despite the low sophistication of the group’s toolset, it is a threat to governments in Europe because of its persistence, very regular running of phishing campaigns, and…
