Posts

Windows and Linux devices are under attack by a new cryptomining worm

T-Mobile is Warning that a data breach has exposed the names, date of birth, Social Security number and driver’s license/ID information of more than 40 million current, former or prospective customers who applied for credit with the company. Get Secured Now with Norton 360


Windows and Linux devices are under attack by a new cryptomining worm

Getty Images

A newly discovered cryptomining worm is stepping up its targeting of Windows and Linux devices with a batch of new exploits and capabilities, a researcher said.

Research company Juniper started monitoring what it’s calling the Sysrv botnet in December. One of the botnet’s malware components was a worm that spread from one vulnerable device to another without requiring any user action. It did this by scanning the Internet for vulnerable devices and, when found, infecting them using a list of exploits that has increased over time.

The malware also included a cryptominer that uses infected devices to create the Monero digital currency. There was a separate binary file for each component.

Constantly growing arsenal

By March, Sysrv developers had redesigned the malware to combine the worm and miner into a single binary. They also gave the script that loads the malware the ability to add SSH keys, most likely as a way to make it better able to survive reboots and to have more sophisticated capabilities. The worm was exploiting six vulnerabilities in software and frameworks used in enterprises, including Mongo Express, XXL-Job, XML-RPC, Saltstack, ThinkPHP, and Drupal Ajax.

“Based on the binaries we have seen and the time when we have seen them, we found that the threat actor is constantly updating its exploit arsenal,” Juniper researcher Paul Kimayong said in a Thursday blog post.

Juniper Research

Thursday’s post listed more than a dozen exploits that are under attack by the malware. They are:

Exploit Software
CVE-2021-3129 Laravel
CVE-2020-14882 Oracle Weblogic
CVE-2019-3396 Widget Connector macro in Atlassian Confluence Server
CVE-2019-10758 Mongo Express
CVE-2019-0193 Apache Solr
CVE-2017-9841 PHPUnit
CVE-2017-12149 Jboss Application Server
CVE-2017-11610 Supervisor (XML-RPC)
Apache Hadoop Unauthenticated Command Execution via YARN ResourceManager (No CVE) Apache Hadoop
Brute force Jenkins Jenkins
Jupyter Notebook Command Execution (No CVE) Jupyter Notebook Server
CVE-2019-7238 Sonatype Nexus Repository Manager
Tomcat Manager Unauth Upload…

Source…

Quick Heal Internet Security Test In Hindi!! Should you buy this or Not???



Rocke Group's Malware Now Has Worm Capabilities – Threatpost

T-Mobile is Warning that a data breach has exposed the names, date of birth, Social Security number and driver’s license/ID information of more than 40 million current, former or prospective customers who applied for credit with the company. Get Secured Now with Norton 360



Rocke Group’s Malware Now Has Worm Capabilities  Threatpost

Source…

Gitpaste-12 worm botnet returns with 30+ vulnerability exploits

T-Mobile is Warning that a data breach has exposed the names, date of birth, Social Security number and driver’s license/ID information of more than 40 million current, former or prospective customers who applied for credit with the company. Get Secured Now with Norton 360


gitpaste-12

Recently discovered Gitpaste-12 worm that spreads via GitHub and also hosts malicious payload on Pastebin, has returned with even more exploits.

The first iteration of Gitpaste-12 shipped with reverse shell and crypto-mining capabilities and exploited over 12 known vulnerabilities, therefore the moniker.

This time, the advanced worm and botnet has returned with over 30 vulnerability exploits.

Targets Linux, Android tools, and IoT devices

Researchers at Juniper Threat Labs observed the second iteration of Gitpaste-12 on November 10th 2020, present on a different GitHub repository.

Expanding on its predecessor, this new version of Gitpaste-12 comes equipped with over 30 vulnerability exploits, concerning Linux systems, IoT devices, and open-source components.

Initially, the researchers observed the new GitHub repository containing just 3 files.

“The wave of attacks used payloads from yet another GitHub repository, which contained a Linux cryptominer (‘ls’), a list of passwords for brute-force attempts (‘pass’) and a statically linked Python 3.9 interpreter of unknown provenance,” explains Asher Langton, a researcher at Juniper Threat Labs.

Now-removed GitHub repository sptv001 hosting gitpaste-12 second version
Now-removed GitHub repository that had been hosting Gitpaste-12 second iteration
Source: Juniper

Later, however, two more files were added to the repository by Gitpaste-12 authors at the time of Juniper’s research.

These included, a configuration file (“config.json”) for a Monero cryptominer, and a UPX-packed Linux privilege escalation exploit.

The Monero address contained within the config.json file is the same as that observed in the Gitpaste-12 iteration that came out this October:

41qALJpqLhUNCHZTMSMQyf4LQotae9MZnb4u53JzqvHEWyc2i8PEFUCZ4TGL9AGU34ihPU8QGbRzc4FB2nHMsVeMHaYkxus

In an illustration shown below, the initial infection begins with Gitpaste-12 sample downloading the payload from GitHub, and dropping a cryptominer, along with a backdoor on the infected host.

The worm further spreads itself to attack web apps, Android Debug Bridge connections, and IoT devices, including IP cameras and routers.

gitpaste-12 second version workflow
Gitpaste-12 second version workflow

Carries 31 vulnerability exploits: 24 unique ones

The newer version of Gitpaste-12 has…

Source…