
Cybersecurity Agencies Warn Ubiquiti EdgeRouter Users of APT28’s MooBot Threat

Feb 28, 2024 | Newsroom | Firmware Security / Vulnerability

In a new joint advisory, cybersecurity and intelligence agencies from the U.S. and other countries are urging users of Ubiquiti EdgeRouter to take protective measures, weeks after a botnet comprising infected routers was felled by law enforcement as part of an operation codenamed Dying Ember.

The botnet, named MooBot, is said to have been used by a Russia-linked threat actor known as APT28 to facilitate covert cyber operations and drop custom malware for follow-on exploitation. APT28, affiliated with Russia’s Main Directorate of the General Staff (GRU), has been active since at least 2007.

APT28 actors have “used compromised EdgeRouters globally to harvest credentials, collect NTLMv2 digests, proxy network traffic, and host spear-phishing landing pages and custom tools,” the authorities said [PDF].

The adversary’s use of EdgeRouters dates back to 2022, with the attacks targeting aerospace and defense, education, energy and utilities, governments, hospitality, manufacturing, oil and gas, retail, technology, and transportation sectors in the Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, the U.A.E., and the U.S.


MooBot attacks entail targeting routers with default or weak credentials to deploy OpenSSH trojans; APT28 then acquires this access to deliver bash scripts and other ELF binaries that collect credentials, proxy network traffic, host phishing pages, and provide other tooling.

This includes Python scripts to upload account credentials belonging to specifically targeted webmail users, which are collected via cross-site scripting and browser-in-the-browser (BitB) spear-phishing campaigns.

APT28 has also been linked to the exploitation of CVE-2023-23397 (CVSS score: 9.8), a now-patched critical privilege escalation flaw in Microsoft Outlook that could enable the theft of NT LAN Manager (NTLM) hashes and the mounting of a relay attack without requiring any user interaction.

Another tool in its malware arsenal is MASEPIE, a Python backdoor capable of executing arbitrary commands on victim machines utilizing compromised Ubiquiti EdgeRouters as command-and-control (C2) infrastructure.

“With…


Millions of hacked toothbrushes could be used in cyber attack, researchers warn

Security researchers have warned that millions of hacked toothbrushes could be used in a massive cyber attack.

Internet-connected toothbrushes could be linked together in something known as a botnet, which would allow them to perform a distributed denial of service (DDoS) attack that overloads websites and servers with huge amounts of web traffic.

Major websites could be knocked offline as a result of the attack, according to the Swiss newspaper Aargauer Zeitung, which first reported the threat, resulting in millions of dollars of lost revenue.

The issue was initially reported as an actual incident, but Fortinet has since clarified to The Independent that it was a hypothetical scenario.

“The topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs,” a spokesperson said.

“It appears that due to translations the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred.”

Fortinet warned of the dangers of smart devices, which can include web cams, baby monitors, doorbells and domestic appliances.

“Every device that is connected to the Internet is a potential target – or can be misused for an attack,” said Stefan Züger, head of system technology at Fortinet Switzerland. Mr Züger advised owners of smart technologies to take measures to protect themselves.

“Otherwise, sooner or later you will become a victim – or your own device will be misused for attacks,” he said.

The growing trend of internet-connected and AI-enabled devices was on display at the CES tech conference in Las Vegas last month, with everything from pillows to mirrors now embedded with the technology.

The continued rise in popularity of such devices has coincided with fresh security concerns about the risks they may pose if protections are not put in place.

A recent report from network performance firm Netscout noted an “unprecedented growth” in malicious botnets, with activity doubling in January.


U.S. officials warn of dire Chinese cyber threats in wake of FBI operation to disrupt botnet

The FBI and U.S. Department of Justice used court-endorsed legal authorities to disrupt a botnet operated as part of Chinese-directed hacking operations that leveraged insecure home and office routers to target U.S. critical infrastructure, the DOJ said Wednesday.

A Chinese government hacking campaign, tracked publicly as “Volt Typhoon,” used privately owned Cisco and NetGear routers infected with “KV Botnet” malware in an attempt to conceal the activity, the agency said in a statement. The DOJ and FBI operation, the agency added, “deleted the KV Botnet malware from the routers and took additional steps to sever their connection to the botnet, such as blocking communications with other devices used to control the botnet.”

An unidentified FBI agent described the operation in court records released Monday, writing that the bureau issued a command to infected routers that would delete the KV Botnet malware from the devices without affecting any legitimate files or information on the routers.

A December 2023 analysis by Lumen, a telecommunications company, showed that the KV Botnet had been active since “at least February 2022,” and targeted edge devices, including routers, “a segment that has emerged as a soft spot in the defensive array of many enterprises, compounded by the shift to remote work in recent years.”

Lumen observed an “uptick in exploitation of new bots” in August 2023, and then a “remodel” of the botnet infrastructure in mid-November 2023.

The disruption operation, first disclosed by Reuters on Monday, is the latest U.S. government action focused on Volt Typhoon, which first came to light in a May 2023 Microsoft advisory. That advisory was followed quickly by a joint advisory issued by the FBI, NSA, and the Cybersecurity and Infrastructure Security Agency that warned of Chinese hacking operations targeting U.S. critical infrastructure and other sensitive targets.

In the wake of the May 2023 disclosure, U.S. national security officials warned repeatedly that the Chinese operation was not an intelligence collection mission. Instead, officials said, it was a preparatory activity that the Chinese government could…


US grid rules preclude reliability, security benefits of cloud computing, experts warn

Cloud technologies could provide significant cost, security and reliability benefits to the U.S. electric grid but critical infrastructure rules do not allow them to be used for certain larger assets, multiple speakers said Thursday at the Federal Energy Regulatory Commission’s annual reliability conference.

The Critical Infrastructure Protection rules, or CIP, are managed by the North American Electric Reliability Corp. and currently require grid asset owners to have certain control or knowledge of the devices operating their software. Cloud computing makes that difficult or impossible, experts agreed, in particular for what are known as high- or medium-impact grid assets.

Current NERC standards “do not provide clear guidance” on how regulated entities can implement new technologies that may not have been envisioned by the current CIP rules, Joseph Mosher, portfolio manager at EDF Renewables, told the commission. “Attempts to incorporate newer technology into the NERC CIP standards can be painful and time consuming,” he said.

Experts expressed concerns over the outdated CIP rules, at a time when grid officials say they face growing threats.

“One can definitely make the argument that the grid is less secure today than it would be” if cloud computing solutions were allowed, “and that gap is growing every day,” security consultant Tom Alrich said. “This is the biggest problem with NERC CIP today.”

A related problem — that important information about those systems can’t today be stored in the cloud — will be fixed beginning next year when two revised CIP standards come into effect, he said.

A sector under attack

The cyber threat to the electric power sector is growing, and grid officials say they must utilize new tools to counter it.

“The electricity sector is under constant attack by nation states and organized criminals. We see billions of attempts a day to survey our networks, identify vulnerabilities or gaps in protection, steal credentials or data, or exact a ransom,” Manny Cancel, senior vice president and CEO of the Electricity Information Sharing and Analysis Center, told regulators…
