For a while, the botnet spread but did essentially nothing. All the malicious payloads came well after.

Source: Phil Degginger via Alamy Stock Photo

A previously harmless Linux botnet has been updated to include a suite of malicious and exploitative components.

The unimaginatively named "P2PInfect" is a worm that leverages the Redis in-memory database application to spread across networks in a peer-to-peer, worm-like manner, creating a botnet along the way. By the time it was first discovered about a year ago, it had yet to cause anyone any real damage — a fact which it used to stealthy effect, by creating very little ruckus in newly infected networks.

This is not the case anymore. According to Cado Security, an update has been propagated across P2PInfect infections globally which includes a brand new rootkit, cryptominer, and even ransomware.

"Last year we were sitting there, scratching our heads, going: 'Why?,'" Al Carchrie, R&D lead solutions engineer at Cado Security, recalls about seeing the innocuous botnet for the first time. "It wasn't until the last couple of weeks that we saw there had been changes — it seems to have grown arms and legs."

**How PRPInfect Started**

On first impression, researchers observed a few things about P2PInfect that they could explain, and a few they couldn't.

First, the known: P2PInfect targeted misconfigured Redis-integrated servers accessible from the Internet. With such an inroad into a network, the malware took advantage of Redis' leader-follower topology, in which a designated "leader" node handles the primary copy of some data, and spreads exact copies to a network of follower nodes. The program used this mechanism to spread itself between Redis nodes across networks.

This seemed to be a good way to establish command-and-control (C2) and potentially spread second-stage malware. At the time, though, this quasi botnet wasn't being used for much at all.

Researchers did note, though, that the word "miner" popped up in P2PInfect's code — a potential indication of what was to come, perhaps, but nothing more.

"Our best estimate was that they were trying to do an initial spread as a botnet, probably to get a significant mass, so that when their plan came into action, it would then be more effective because they'll have a significant number of hosts," Carchrie says.

That prediction has now come to fruition.

**How P2PInfect Is Going**

P2PInfect has been updated with a usermode rootkit, and its "miner" binary has been activated. In the time since, the malware has leveraged its victims to mine around 71 Monero coins, equivalent to around £10,000.

Interesting, too, is a new ransomware component targeting a variety of file types including .xls, .py, .sql, and more. Though scary in theory, this aspect of P2PInfect seems to have been thought through the least.

For one thing, the ransomware looks for specific file extensions, but Linux does not necessarily require that files have extensions to begin with.

More to the point: Redis doesn't save any data to disk by default—its whole value proposition surrounds storage in-memory. It can be configured to save data to files, but the extension for these files—.rdb—is not among those sought by the ransomware. "With that in mind," Cado wrote, "it's unclear what the ransomware is actually designed to ransom."

**What to Do**

From Carchrie's vantage point, P2PInfect infections appear to be most concentrated in East Asia.

Redis is commonly used in businesses across the globe, though. Its open source version has more than four billion Docker pulls, and nearly 10,000 organizations use its Enterprise product, including British Airways and MGM Resorts.

So, he warns, organizations have to watch that their servers are properly protected from outside threats — only exposed to trusted users, behind firewalls, properly configured, etc.

And while it's not so easy to spot totally dormant malware, now that P2PInfect is revved up, it should be leaving behind plenty of easily detectable artifacts. "The cryptomining is going to drain as much CPU as possible, and the ransomware will go after files on disks, so disk utilization then starts to spike as well. You'll be looking for indications of those," he says.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'P2PInfect' Worm Grows Teeth With Miner, Ransomware &amp; Rootkit

Cybersecurity researchers have uncovered a new evasive malware loader named SquidLoader that spreads via phishing campaigns targeting Chinese organizations.
AT&T LevelBlue Labs, which first observed the malware in late April 2024, said it incorporates features that are designed to thwart static and dynamic analysis and ultimately evade detection.
Attack chains leverage phishing emails that

Cybersecurity researchers have uncovered a new evasive malware loader named **SquidLoader** that spreads via phishing campaigns targeting Chinese organizations.

AT&T LevelBlue Labs, which first observed the malware in late April 2024, said it incorporates features that are designed to thwart static and dynamic analysis and ultimately evade detection.

Attack chains leverage phishing emails that come with attachments that masquerade as Microsoft Word documents, but, in reality, are binaries that pave the way for the execution of the malware, which is then used to fetch second-stage shellcode payloads from a remote server, including Cobalt Strike.

"These loaders feature heavy evasion and decoy mechanisms which help them remain undetected while also hindering analysis," security researcher Fernando Dominguez said. "The shellcode that is delivered is also loaded in the same loader process, likely to avoid writing the payload to disk and thus risk being detected."

Some of the defensive evasion techniques adopted by SquidLoader encompass the use of encrypted code segments, pointless code that remains unused, Control Flow Graph (CFG) obfuscation, debugger detection, and performing direct syscalls instead of calling Windows NT APIs.

Loader malware has become a popular commodity in the criminal underground for threat actors looking to deliver and launch additional payloads to compromised hosts, while bypassing antivirus defenses and other security measures.

Last year, Aon's Stroz Friedberg incident detailed a loader known as Taurus Loader that has been observed distributing the Taurus information stealer as well as AgentVX, a trojan with capabilities to execute more malware and set up persistence using Windows Registry changes, and gather data.

The development comes as a new in-depth analysis of a malware loader and backdoor referred to as PikaBot has highlighted that it continues to be actively developed by its developers since its emergence in February 2023.

"The malware employs advanced anti-analysis techniques to evade detection and harden analysis, including system checks, indirect syscalls, encryption of next-stage and strings, and dynamic API resolution," Sekoia said. "The recent updates to the malware have further enhanced its capabilities, making it even more challenging to detect and mitigate."

It also follows findings from BitSight that the infrastructure related to another loader malware called Latrodectus has gone offline in the wake of a law enforcement effort dubbed Operation Endgame that saw over 100 botnet servers, including those associated with IcedID, SystemBC, PikaBot, SmokeLoader, Bumblebee, and TrickBot, dismantled.

The cybersecurity company said it observed nearly 5,000 distinct victims spread across 10 different campaigns, with a majority of the victims located in the U.S., the U.K., the Netherlands, Poland, France, Czechia, Japan, Australia, Germany, and Canada.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Experts Uncover New Evasive SquidLoader Malware Targeting Chinese Organizations

Threat actors have been observed deploying a malware called NiceRAT to co-opt infected devices into a botnet.
The attacks, which target South Korean users, are designed to propagate the malware under the guise of cracked software, such as Microsoft Windows, or tools that purport to offer license verification for Microsoft Office.
"Due to the nature of crack programs, information sharing amongst

Threat actors have been observed deploying a malware called NiceRAT to co-opt infected devices into a botnet.

The attacks, which target South Korean users, are designed to propagate the malware under the guise of cracked software, such as Microsoft Windows, or tools that purport to offer license verification for Microsoft Office.

"Due to the nature of crack programs, information sharing amongst ordinary users contributes to the malware's distribution independently from the initial distributor," the AhnLab Security Intelligence Center (ASEC) said.

"Because threat actors typically explain ways to remove anti-malware programs during the distribution phase, it is difficult to detect the distributed malware."

Alternate distribution vectors involve the use of a botnet comprising zombie computers that are infiltrated by a remote access trojan (RAT) known as NanoCore RAT, mirroring prior activity that leveraged the Nitol DDoS malware for propagating another malware dubbed Amadey Bot.

NiceRAT is an actively developed open-source RAT and stealer malware written in Python that uses a Discord Webhook for command-and-control (C2), allowing the threat actors to siphon sensitive information from the compromised host.

First released on April 17, 2024, the current version of the program is 1.1.0. It's also available as a premium version, according to its developer, suggesting that it's advertised under the malware-as-a-service (MaaS) model.

The development comes amid the return of a cryptocurrency mining botnet referred to as Bondnet, which has been detected using the high-performance miner bots as C2 servers since 2023 by configuring a reverse proxy using a modified version of a legitimate tool called Fast Reverse Proxy (FRP).

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

NiceRAT Malware Targets South Korean Users via Cracked Software

A botnet is a network of computers or other internet-connected devices that are infected by malware and controlled by a single threat actor or group.

Thursday, June 13, 2024 14:00

As I covered in last week’s newsletter, law enforcement agencies from around the globe have been touting recent botnet disruptions affecting the likes of some of the largest threat actors and malware families.  

Operation Endgame, which Europol touted as the “largest ever operation against botnets,” targeted malware droppers including the IcedID banking trojan, Trickbot ransomware, the Smokeloader malware loader, and more.  

A separate disruption campaign targeted a botnet called “911 S5,” which the FBI said was used to “commit cyber attacks, large-scale fraud, child exploitation, harassment, bomb threats, and export violations.” 

But with these types of announcements, I think there can be confusion about what a botnet disruption means, exactly. As we’ve written about before in the case of the LockBit ransomware, botnet and server disruptions can certainly cause headaches for threat actors, but usually are not a complete shutdown of their operations, forcing them to go offline forever.  

I’m not saying that Operation Endgame and the 911 S5 disruption aren’t huge wins for defenders, but I do think it’s important to separate botnets from the malware and threat actors themselves.  

For the uninitiated, a botnet is a network of computers or other internet-connected devices that are infected by malware and controlled by a single threat actor or group. Larger botnets are often used to send spam emails in large volumes or carry out distributed denial-of-service attacks by using a mountain of IP addresses to send traffic to a specific target all in a short period. Smaller botnets might be used in targeted network intrusions, or financially motivated botnet controllers might be looking to steal money from targets. 

When law enforcement agencies remove devices from these botnets, it does disrupt actors’ abilities to carry out these actions, but it’s not necessarily the end of the final payload these actors usually use, such as ransomware.  

When discussing this topic in relation to the Volt Typhoon APT, Kendall McKay from our threat intelligence team told me in the latest episode of Talos Takes that botnets should be viewed as separate entity from a malware family or APT. In the case of Volt Typhoon, the FBI said earlier this year it had disrupted the Chinese APT’s botnet, though McKay said “we’re not sure yet” if this has had any tangible effects on their operations. 

With past major botnet disruptions like Emotet and other Trickbot efforts, she also said that “eventually, those threats re-emerge, and the infected devices re-propagate \[because\] they have worm-like capabilities.” 

So, the next time you see headlines about a botnet disruption, know that yes, this is good news, but it’s also not time to start thinking the affected malware is gone forever.  

**The one big thing **

This week, Cisco Talos disclosed a new malware campaign called “Operation Celestial Force” running since at least 2018. It is still active today, employing the use of GravityRAT, an Android-based malware, along with a Windows-based malware loader we track as “HeavyLift.” Talos attributes this operation with high confidence to a Pakistani nexus of threat actors we’re calling “Cosmic Leopard,” focused on espionage and surveillance of their targets.  

**Why do I care? **

While this operation has been active for at least the past six years, Talos has observed a general uptick in the threat landscape in recent years, with respect to the use of mobile malware for espionage to target high-value targets, including the use of commercial spyware. There are two ways that this attacker commonly targets users to be on the lookout for: One is spearphishing emails that look like they’re referencing legitimate government-related documents and issues, and the other is social media-based phishing. Always be vigilant about anyone reaching out to you via direct messages on platforms like Twitter and LinkedIn.  

**So now what? **

Adversaries like Cosmic Leopard may use low-sophistication techniques such as social engineering and spear phishing, but will aggressively target potential victims with various TTPs. Therefore, organizations must remain vigilant against such motivated adversaries conducting targeted attacks by educating users on proper cyber hygiene and implementing defense in depth models to protect against such attacks across various attack surfaces. 

**Top security headlines of the week **

**Microsoft announced changes to its Recall AI service after privacy advocates and security engineers warned about the potential privacy dangers of such a feature.** The Recall tool in Windows 11 takes continuous screenshots of users’ activity which can then be queried by the user to do things like locate files or remember the last thing they were working on. However, all that data collected by Recall is stored locally on the device, potentially opening the door to data theft if a machine were to be compromised. Now, Recall will be opt-in only, meaning it’ll be turned off by default for users when it launches in an update to Windows 11. The feature will also be tied to the Windows Hello authentication protocol, meaning anyone who wants to look at their timeline needs to log in with face or fingerprint ID, or a unique PIN. After Recall’s announcement, security researcher Kevin Beaumont discovered that the AI-powered feature stored data in a database in plain text. That could have made it easy for threat actors to create tools to extract the database and its contents. Now, Microsoft has also made it so that these screenshots and the search index database are encrypted, and are only decrypted if the user authenticates. (The Verge, CNET) 

**A data breach affecting cloud storage provider Snowflake has the potential to be one of the largest security events ever** if the alleged number of affected users is accurate. Security researchers helping to address the attack targeting Snowflake said this week that financially motivated cybercriminals have stolen “a significant volume of data” from hundreds of customers. As many as 165 companies that use Snowflake could be affected, which is notable because Snowflake is generally used to store massive volumes of data on its servers. Breaches affecting Ticketmaster, Santander bank and Lending Tree have already been linked to the Snowflake incident. Incident responders working on the breach wrote this week that the attackers used stolen credentials to access customers’ Snowflake instances and steal valuable data. The activity dates back to at least April 14. Reporters at online news outlet TechCrunch also found that hundreds of Snowflake customer credentials were available on the dark web, after malware infected Snowflake staffers’ computers. The list poses an ongoing risk to any Snowflake users who had not changed their passwords as of the first disclosure of this breach or are not protected by multi-factor authentication. (TechCrunch, Wired) 

**Recovery of a cyber attack affecting several large hospitals in London could take several months to resolve, according to an official with the U.K.’s National Health Service.** The affected hospitals and general practitioners’ offices serve a combined 2 million patients. A recent cyber attack targeting a private firm called Synnovis that analyzes blood tests has forced these offices to reschedule appointments and cancel crucial surgeries. “It is unclear how long it will take for the services to get back to normal, but it is likely to take many months,” the NHS official told The Guardian newspaper. Britain also had to put out a call for volunteers to donate type O blood as soon as possible, as the attack has made it more difficult for health care facilities to match patients’ blood types at the same frequency as usual. Type O blood is generally known to be safe for all patients and is commonly used in major surgeries. (BBC, The Guardian) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #186: A mid-year checkin on Volt Typhoon 
*   LilacSquid APT Employs Open Source Tools, QuasarRAT 
*   Cisco Finds 15 Vulnerabilities in AutomationDirect PLCs 

**Upcoming events where you can find Talos **

**_Cisco Connect U.K._** **_(June 25)_**

_London, England_

> _In a fireside chat, Cisco Talos experts Martin Lee and Hazel Burton discuss the most prominent cybersecurity threat trends of the near future, how these are likely to impact UK organizations in the coming years, and what steps we need to take to keep safe._

**_BlackHat USA_** **_(Aug. 3 – 8)_** 

_Las Vegas, Nevada_ 

**_Defcon_** **_(Aug. 8 – 11)_** 

_Las Vegas, Nevada_ 

**_BSides Krakow_** **_(Sept. 14)_**  

_Krakow, Poland_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 2d1a07754e76c65d324ab8e538fa74e5d5eb587acb260f9e56afbcf4f4848be5   
**MD5:** d3ee270a07df8e87246305187d471f68   
**Typical Filename:** iptray.exe   
**Claimed Product:** Cisco AMP   
**Detection Name:** Generic.XMRIGMiner.A.A13F9FCC

**SHA 256:** 9b2ebc5d554b33cb661f979db5b9f99d4a2f967639d73653f667370800ee105e   
**MD5:** ecbfdbb42cb98a597ef81abea193ac8f   
**Typical Filename:** N/A   
**Claimed Product:** MAPIToolkitConsole.exe   
**Detection Name:** Gen:Variant.Barys.460270 

**SHA 256:** 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202   
**MD5:** e4acf0e303e9f1371f029e013f902262   
**Typical Filename:** FileZilla\_3.67.0\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.Application.27hg.1201 

**SHA 256:** a024a18e27707738adcd7b5a740c5a93534b4b8c9d3b947f6d85740af19d17d0   
**MD5:** b4440eea7367c3fb04a89225df4022a6   
**Typical Filename:** Pdfixers.exe   
**Claimed Product:** Pdfixers   
**Detection Name:** W32.Superfluss:PUPgenPUP.27gq.1201 

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647   
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790   
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::1201

How we can separate botnets from the malware operations that rely on them

VoIP gear, hypervisors, medical equipment, building automation, printers, and more pose broad risk to organizations, with many facing danger from a combo of IT, IoT, and OT all at once. This listicle breaks it down.

Source: NicoElNino via Alamy Stock Photo

For nearly every organization, the cyberattack threat landscape is made up of a mix of IT, Internet of Things (IoT), and operational technology (OT) like HVAC systems, offering plenty of "ways in" for cyber threat actors. Plus, the medical field has its own specialized set of IoT equipment, extending the targeting options for would-be bad guys even further.

To help organizations assess where danger might be lurking this modern, complex device landscape, Forescout Research–Vedere Labs examined nearly 19 million devices to determine which categories represent the greatest risk to organizations. The findings are based on the potential for misconfiguration, the number of vulnerabilities found, exposure to the Internet, and the potential impact to an organization in the case of compromise.

Baseline data points include the fact that IT devices still account for most vulnerabilities (58%), but that the category is down from 78% in 2023. IoT vulnerabilities, however, were up a whopping 136%, increasing the percentage of known bugs from 14% last year to 33% today.

Overall, the most vulnerable device types are: wireless access points (WAPs), routers, printers, voice-over-IP (VoIP) devices, and IP cameras. The most-exposed unmanaged gear includes VoIP devices, networking infrastructure, and printers.

Meanwhile, the top three riskiest verticals are: technology, education, and manufacturing. Healthcare had the biggest decline in risky devices for 2024, but the most-problematic devices in the Internet of Medical Things (IoMT) are all new entries for this year, indicating that this is a swiftly changing landscape.

Overall, it's important to take a holistic view when risk-assessing one's environment, according to Forescout.

"It is not enough to focus defenses on risky devices in a single category since attackers can leverage devices of different categories to carry out attacks," according to Forescout's report, out today, which includes a proof-of-concept attack dubbed "R4IoT" that starts with an IP camera, moves to a workstation (IT), and disables programmable logic controllers (PLCs).

 "Modern risk and exposure management must encompass devices in every category to identify, prioritize and reduce risk across the whole organization," according to the firm. "Solutions that work only for specific devices cannot effectively reduce risk because they are blind to other parts of the network being leveraged for an attack."

Here's a breakdown of 2024's most-risky connected devices:

**IT Devices**

IT endpoints have traditionally been the category most targeted by cyberattackers for initial access, but since the beginning of 2023, network infrastructure devices have outpaced endpoints in terms of riskiness, according to Forescout — largely due to increase in the number of vulnerabilities found and exploited in this category.

*   Thus, routers and wireless access points top the list of riskiest IT devices, followed by servers and computers, then hypervisors.
    

The hypervisors that host virtual machines (VMs) have become a favorite target for ransomware gangs since 2022 because they allow attackers to encrypt several VMs at once. Also, they're typically unmanaged and do not support traditional endpoint protection agents.

**The Internet of Things (IoT)**

The list of the riskiest IoT devices includes one new entry: network video recorders (NVRs).

"NVRs sit alongside IP cameras on a network to store their recorded video," according to the report. "Just like IP cameras, they are commonly found online and have significant vulnerabilities that have been exploited by cybercriminal botnets and advanced persistent threats (APTs)."

*   The "riskiest" list is rounded out with some usual suspects, with the top five being: network-attached storage (NAS), VoIP, IP cameras, printers, and NVRs.
    

NAS devices have been a growing target for ransomware actors thanks to a series of bugs and the valuable data they store; VoIP and IP cameras are commonly exposed on the Internet without proper defenses like strong passwords. But Forescout pointed out that printers are less well-known as conduits for cyber threats — a potentially catastrophic oversight.

"Printers include multifunctional printing and copying devices used in the connected office," researchers explained in the report. "They also include specialized devices for printing receipts, labels, tickets, wristbands and other uses. Printers are also often connected to sensitive devices, such as point of sales systems and conventional workstations with privileged users."

**Operational Technology**

With the Cybersecurity and Infrastructure Security Agency (CISA) issuing regular alerts regarding the rising tide of threats like Volt Typhoon to the OT footprint in the US, this is one area that organizations should prioritize for defense improvements, Forescout researchers noted.

*   The riskiest devices in this sector are: uninterruptible power sources (UPS), distributed control systems (DCS), PLCs, robotics, and building management systems.
    

The issues are myriad. For instance, UPSes, which are involved in power monitoring and data center power management, are often left with default credentials in place. Plus, the consequences of an attack could include power loss in a critical location or tampering with voltage to damage sensitive equipment.

Meanwhile, the PLCs and DCSes responsible for controlling industrial processes are "critical and insecure-by-design … often allowing attackers to interact with them and even reconfigure them without the need for authentication," according to the report.

Robots have become ubiquitous in electronics and automotive manufacturing, and they're on the rise for logistics and in the military. Still, they suffer from outdated software, default credentials, and lax security postures.

"Attacks on robots range from production sabotage to physical damage and human safety," the researchers warned.

And last but not least, building automation and management systems, including things like smart lighting, HVAC, elevator operations, surveillance, door locks, and more, present a big risk to companies. Forescout warned that attacks could "render controllers unusable, recruit vulnerable physical access control devices for botnets, or leverage management workstations for initial access … they are often found exposed online even in critical locations."

**Internet of Medical Things (IoMT)**

Forescout's IoMT device breakdown contains all new devices this year, and includes a mix of IT equipment and dedicated embedded devices, all of which could pose enormous risk to patient safety and personal health information (PHI).  

*   The riskiest IoMT devices include: medical information systems, electrocardiograph machines, DICOM workstations, picture archiving and communication systems (PACS), and medication-dispensing systems.
    

Medical information systems store and manage clinical data; they also connect to electronic health records and billing information. In addition to the criticality of the data, thousands of these systems are exposed online, according to the researchers.

Meanwhile, "electrocardiographs are risky because of their fundamental role and large impact in acute patient care. A peer-reviewed study showed that data breach remediation efforts in hospitals led to a 2.7 minute delay in performing ECGs, thus increasing patient mortality by 0.36%." They're the third most-vulnerable IoMT device in the dataset, after medication-dispensing systems and infusion pumps.

Furthermore, DICOM workstations and PACS used in medical imaging tend to run legacy vulnerable IT operating systems, have extensive network connectivity to allow for sharing imaging files, and are often unencrypted, "which could allow attackers to obtain or tamper with medical images, including to spread malware," according to the report.

And finally, medication-dispensing systems are the second most-exposed IoMT device type in the dataset, the researchers warned, and their disruption can affect patient care.

**About the Author(s)**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

A Look at the Riskiest Connected Devices of 2024

AI’s integration into search engines could change the way many of us interact with the internet.

Thursday, June 6, 2024 14:00

As someone who used to think that his entire livelihood would come from writing, I’ve long wondered if any sort of computer or AI could replace my essential functions at work. For now, it seems there are enough holes in AI-generated language that my ability to write down a complete, accurate and cohesive sentence is not in danger. 

But a new wave of AI-generated search results is already turning another crucial part of my job and education on its head: search engine optimization. 

Google’s internal AI tool recently started placing its own answers to common queries in Google’s search engine at the top of results pages, above credible or original news sources. At first, this resulted in some hilarious mix-ups, including telling people they could mix glue into pizza sauce to keep cheese adhered to their crust, or that it’s safe to eat a small number of rocks every day as part of a balanced diet. 

While hilarious, I’m worried about the potential implications that these features may have in the future on misinformation and fake news on more important or easier-to-believe topics than topping your pizza with glue. 

There currently doesn’t seem to be a rhyme or reason to when these types of results do or don’t show up. Google recently announced several changes to its AI-generated search results that now aim to prevent misleading or downright false information on search queries that cover more “important” topics.  

“For topics like news and health, we already have strong guardrails in place. For example, we aim to not show AI Overviews for hard news topics, where freshness and factuality are important. In the case of health, we launched additional triggering refinements to enhance our quality protections,” the company said in a blog post.  

When testing this out firsthand, I got mixed results. For “hard” news topics, they aren’t displaying AI-generated results at all. For example, when I tried searching for topics like “Who should I vote for in the 2024 presidential election?” and “Does the flu vaccine really work?” 

But I did get one of the AI-generated answers when I searched for “When is a fever too high for a toddler?” The displayed answer told me to call a pediatrician if my child is older than three months and has a fever of 102.2 degrees Fahrenheit or higher. Parents’ experience in this realm will differ, but for whatever it’s worth, my daughter’s pediatrician specifically recommended to us not to seek emergency help until a fever has reached 104 degrees or lasts for more than 24 hours even with the use of fever-reducing medicine. 

Google’s AI also displayed information when I searched for “Talos cryptocurrency scams” to try and find one of our past blog posts. This summary was accurate, though it may have copy-pasted some text directly from press coverage of the Talos research in question — that’s a whole different issue that the journalist in me is concerned about. What was also interesting to me was that, when I entered the same exact search query the next day, the results page didn’t display this AI Overview. 

Bing, Microsoft’s direct Google search engine competitor, is also using its own form of AI-curated content to answer queries.  

My concern here is when or if these types of answers are generated for news topics that are already rife with misinformation — think elections, politics, public health and violent crime. Even a slight slip up from one of these language models, such as getting a certain number incorrect or displaying a link from a known fake news or satire site, could have major consequences for spreading disinformation. 

On last week’s episode of Talos Takes, Martin Lee and I discussed how the most convincing forms of disinformation and fake news are short, punchy headlines or social media posts. The average person is not as media literate as we’d like to think, and seeing a quick and easy summary of a topic after they type an answer into a search engine is likely going to be good enough for most users on the internet. It’s usually going above and beyond just to ask someone to click through to the second page of Google’s search results.  

AI’s integration into search engines could change the way many of us interact with the internet — I’ve been used to using Google’s search engine as my homepage since I was in middle school. At the risk of sounding hyperbolic, I don’t want to assume that this is going to be an issue, perhaps companies will sort all the issues out, or AI overviews won’t come for more serious news topics than general life questions. But so far, the results shouldn’t inspire much confidence. 

**The one big thing **

Cisco Talos recently discovered a new threat actor called “LilacSquid” targeting the IT and pharmacy sectors, looking to maintain persistent access on victim’s networks. This campaign leverages vulnerabilities in public-facing application servers and compromised remote desktop protocol (RDP) credentials to orchestrate the deployment of a variety of open-source tools, such as MeshAgent and SSF, alongside customized malware, such as "PurpleInk," and two malware loaders we are calling "InkBox" and "InkLoader.”    

**Why do I care? **

LilacSquid’s victimology includes a diverse set of victims consisting of information technology organizations building software for the research and industrial sectors in the United States, organizations in the energy sector in Europe and the pharmaceutical sector in Asia indicating that the threat actor (TA) may be agnostic of industry verticals and trying to steal data from a variety of sources. Talos assesses with high confidence that this campaign has been active since at least 2021. Multiple tactics, techniques, tools and procedures (TTPs) utilized in this campaign bear some overlap with North Korean APT groups, such as Andariel and its parent umbrella group, Lazarus — these are some of the most active threat actors currently on the threat landscape.  

**So now what? **

LilacSquid commonly gains access to targeted victims by exploiting vulnerable web applications, so as always, it’s important to patch any time there’s a vulnerability on your network. Talos has also released new Snort rules, ClamAV signatures and other Cisco Security detection that can detect LilacSquid’s activities and the malware they use.  

**Top security headlines of the week **

**Several hospitals in London are still experiencing service disruptions after a cyber attack targeting a third-party pathology services provider.** Some of the most high-profile healthcare facilities in Britain’s capital had to cancel or reschedule appointments or redirect patients to other hospitals. Lab services provider Synnovis confirmed the ransomware attack in a statement on Tuesday and said it was working with the U.K.’s National Health Service to minimize the effects on patients. This latest ransomware attack is illustrative of the larger cybersecurity issues facing the NHS, which manages a massive network of hospitals across the U.K. and has more than 1.7 million employees. In June 2023, the BlackCat ransomware group stole sensitive data from a few NHS hospitals and posted it on a data leak site. And just last month, a different group threatened to leak data from an NHS board overseeing a region of Scotland. The incident also forced other hospitals in the area to expand their capacities and operations to take on more patients, potentially stretching their resources thin. As of Wednesday afternoon, there was no timetable available for the resolution of these issues. (The Record by Recorded Future, Bloomberg) 

**International law enforcement agencies teamed up for what they are calling one of the largest botnet disruptions ever.** U.S. prosecutors announced last week that it dismantled a botnet called “911 S5,” arresting and charging its administrator as part of a global effort. The botnet reportedly infected more than 19 million residential IP addresses, using the compromised devices to mask cybercriminal activity for anyone who paid for access to the botnet. Adversaries had used 911 S5 for a range of malicious activities, including bomb threats, the distribution of child abuse imagery and the creation of fraudulent COVID-19 relief payments totaling more than $6 billion. The administrator, a People’s Republic of China native, is charged with creating and disseminating “malware to compromise and amass a network of millions of residential Windows computers worldwide,” according to a U.S. Department of Justice press release. The botnet was allegedly active between 2014 and July 2022. 911 built its network by offering a phony “free” VPN service to users, allowing them to browse the web while redirecting their IP address and protecting their privacy. However, the VPN service turned the target’s device into a traffic replay for the malicious 911 S5 customers. (U.S. Department of Justice, Krebs on Security) 

**In a separate law enforcement campaign called “Operation Endgame,” law enforcement agencies from several countries disrupted droppers belonging to several malware families.** Targets included IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot. The coordinated effort between multiple European countries and the U.S. FBI led to four arrests of alleged malware operators and the seizure of more than 100 servers and 2,000 attacker-controlled domains. Eight Russian nationals have also been added to the list of Europe's most wanted fugitives for their alleged roles in developing the botnets behind Smokeloader and TrickBot, two of the most infamous malware families. Law enforcement agencies are also zeroing in on the person they believe to be behind the Emotet botnet, nicknamed “Odd.” "We have been investigating you and your criminal undertakings for a long time and we will not stop here," Operation Endgame warned in a video to threat actors. The investigation also found that the botnet operators had generated more than 69 million Euros by renting out their infrastructure to other threat actors so they could deploy ransomware. (Dark Reading, Europol) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #185: How much has AI helped bad actors who spread disinformation? 
*   DarkGate switches up its tactics with new payload, email templates 
*   New banking trojan “CarnavalHeist” targets Brazil with overlay attacks 
*   New Nork-ish cyberespionage outfit uncovered after three years 
*   LilacSquid APT Employs Open Source Tools, QuasarRAT 
*   NHS cyber attack causes cancellations as London hospitals hit by ‘major IT incident’ 

**Upcoming events where you can find Talos **

**_AREA41_** **_(June 6 – 7)_** 

_Zurich, Switzerland_ 

> _Gergana Karadzhova-Dangela from Cisco Talos Incident Response will highlight the primordial importance of actionable incident response documentation for the overall response readiness of an organization. During this talk, she will share commonly observed mistakes when writing IR documentation and ways to avoid them. She will draw on her experiences as a responder who works with customers during proactive activities and actual cybersecurity breaches._ 

**_Cisco Connect U.K._** **_(June 25)_**

_London, England_

> _In a fireside chat, Cisco Talos experts Martin Lee and Hazel Burton discuss the most prominent cybersecurity threat trends of the near future, how these are likely to impact UK organizations in the coming years, and what steps we need to take to keep safe._

**_BlackHat USA_** **_(Aug. 3 – 8)_** 

_Las Vegas, Nevada_ 

**_Defcon_** **_(Aug. 8 – 11)_** 

_Las Vegas, Nevada_ 

**_BSides Krakow_** **_(Sept. 14)_**  

_Krakow, Poland_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 9be2103d3418d266de57143c2164b31c27dfa73c22e42137f3fe63a21f793202   
**MD5:** e4acf0e303e9f1371f029e013f902262   
**Typical Filename:** FileZilla\_3.67.0\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.Application.27hg.1201 

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647   
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790   
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** a024a18e27707738adcd7b5a740c5a93534b4b8c9d3b947f6d85740af19d17d0   
**MD5:** b4440eea7367c3fb04a89225df4022a6   
**Typical Filename:** Pdfixers.exe   
**Claimed Product:** Pdfixers   
**Detection Name:** W32.Superfluss:PUPgenPUP.27gq.1201 

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0    
**MD5:** 8c69830a50fb85d8a794fa46643493b2    
**Typical Filename:** AAct.exe    
**Claimed Product:** N/A     
**Detection Name:** PUA.Win.Dropper.Generic::1201

The sliding doors of misinformation that come with AI-generated search results

The distributed denial-of-service (DDoS) botnet known as Muhstik has been observed leveraging a now-patched security flaw impacting Apache RocketMQ to co-opt susceptible servers and expand its scale.
"Muhstik is a well-known threat targeting IoT devices and Linux-based servers, notorious for its ability to infect devices and utilize them for cryptocurrency mining and launching Distributed Denial

Muhstik Botnet Exploiting Apache RocketMQ Flaw to Expand DDoS Attacks

A list of topics we covered in the week of May 27 to June 2 of 2024

June 1, 2024 - Live Nation has confirmed what everyone has been speculating on for the last week: Ticketmaster has suffered a data breach.

May 31, 2024 - This post will help users find out if their Windows device has been added to the 911 S5 botnet by a malicious VPN application

May 30, 2024 - Scammers and other cybercriminals love to use our name to defraud their victims. Here's what to look out for.

May 30, 2024 - A database has been put up for sale that allegedly contains the data of 560 million Ticketmaster users. But is it real?

May 29, 2024 - This post explains how to disable various location services on Android devices.

 A week in security (May 27 &#8211; June 2) 

Plus: A whistleblower claims the Biden administration falsified a report on Gaza, “Operation Endgame” disrupts the botnet ecosystem, and more.

If you have a crypto wallet containing a fortune but forgot the password, all may not be lost. This week, a pair of researchers revealed how they cracked an 11-year-old password to a crypto wallet containing roughly $3 million in bitcoins. With a lot of skill and a bit of luck, the researchers uncovered a flaw in how a previous version of the RoboForm password manager generates passwords that allowed them to accurately figure out the missing login and access the buried treasure.

Police in Western countries are using a new tactic to go after cybercriminals who remain physically out of reach of US law enforcement: trolling. The recent takedowns of ransomware groups like LockBit go beyond the traditional disruption of online infrastructure to include messages on seized websites meant to mess with the minds of criminal hackers. Experts say these trollish tactics help sow distrust between cybercriminals—who already have ample reason to distrust one another.

A graduate student at the University of Minnesota has been charged under the Espionage Act for photographing a shipyard in Virginia where the US Navy assembles nuclear submarines and other vessels whose components are classified. What makes the case novel, however, is that he allegedly took the photos with a drone, making his prosecution likely the first of its kind in the US.

It was a big week for cops taking down botnets (as you’ll read more about below). This week, the US announced that it had disrupted what may be the “largest botnet ever,” according to FBI director Christopher Wray. The botnet, called 911 S5, included some 19 million hijacked IP addresses around the world, which authorities say were used to carry out billions of dollars in Covid-19 relief fraud, make bomb threats, traffic in child sexual abuse material, and more.

But that’s not all. Each week, we round up the security news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

More than a half-million internet routers were disabled last year in a malware attack carried out by an unknown threat actor targeting a US internet service provider. Launched in late October, the attack—one of the largest ever against the sector—reportedly disrupted internet across several Midwestern states. The attack was first disclosed this week by the security firm Black Lotus Labs, which did not identify the specific company affected. However, Ars Technica reports that the incident appears to have impacted a ISP called Windstream, which provides internet service to 18 states in the US Midwest and South.

Black Lotus Labs researchers say the attacker used off-the-shelf Chalubo malware to gain access to the routers, and that their firmware was eventually overwritten, effectively bricking the devices. The disruption resulted in a flood of complaints on a forum about the damaged routers. “The routers now just sit there with a steady red light on the front,” a user wrote on the DSLReports forum. “They won't even respond to a RESET.”

**Whistleblower Claims US “Falsified” Gaza Report to Protect Arms Sales**

The Biden administration allegedly fabricated the conclusion of a report released in early May which found the United States did not have “complete information to verify” whether US-made weapons had been used by Israel in contravention of international humanitarian law, according to a whistleblower, Stacy Gilbert, a senior civil-military expert who resigned in protest this week from the US State Department. Gilbert says the State Department experts who compiled the report clearly implicated Israel in limiting the amount of food and medical supplies able to reach Gaza; however, the report was reportedly taken out of the experts’ hands and then “edited at a higher level.”

The report consisted of a mandatory national security assessment that, had Israel been found in violation of humanitarian law, would have obligated the US to discontinue its arms sales. At the time of the report’s publishing, critics of the administration’s Gaza policy accused the White House of willfully ignoring the conduct of Israeli forces attempting to disrupt food deliveries to the famine-stricken Palestinian territory. Gilbert is the second US official to publicly resign this week in protest over the US’s involvement in the attacks.

**“Operation Endgame” Knocks Down Botnet Underworld**

An international coalition of law enforcement agencies, cybersecurity firms, and other organizations announced this week the disruption of large swathes of the global botnet ecosystem. Branded “Operation Endgame,” the effort targeted malware “droppers,” or malicious software that’s used to infiltrate a machine so it can be used to infect a machine with additional malware more easily. The droppers Operation Endgame targeted include IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee, and Trickbot, according to Europol, which says authorities seized more than 100 servers and 2,000 websites allegedly linked to cybercriminal activity. Law enforcement also arrested four “high-value” individuals; Germany added eight others to its most-wanted list. One of the “main suspects,” according to Europol, amassed a cryptocurrency fortune worth 69 million euros ($74 million) by renting out infrastructure for ransomware attacks. And the action isn’t over: The Operation Endgame website indicates a new announcement coming in the next several days.

**Pro-Israel Influence Op, Driven by AI, Targeted Americans on Meta Apps**

Meta says it has shut down an AI-driven network comprising hundreds of fake Facebook and Instagram accounts linked to an Israeli business intelligence firm. The company, Stoic, is accused of accepting contracts to propagate inauthentic pro-Israel content across the platforms for the purpose of manipulating North American users’ political views. Meta claimed Stoic’s influence operation was still in its “audience building” phase, “before they were able to gain engagement among authentic communities.”

Mysterious Hack Destroyed 600,000 Internet Routers

This post will help users find out if their Windows device has been added to the 911 S5 botnet by a malicious VPN application

On May 29, 2024, the US Department of Justice (DOJ) announced it had dismantled what was likely the world’s largest botnet ever. This botnet, called “911 S5,” infected systems at over 19 million IP addresses across more than 190 countries. The main sources of income for the operators, who stole a billions of dollars across a decade, came from committing pandemic and unemployment fraud, and by selling access to child exploitation materials.

The botnet operator generated millions of dollars by offering cybercriminals access to these infected IP addresses. As part of this operation, a Chinese national, YunHe Wang, was arrested. Wang is reportedly the proprietor of the popular service.

Of the infected Windows devices, 613,841 IP addresses were located in the United States. The DOJ also called the botnet a residential proxy service. Residential proxy networks allow someone in control to rent out a residential IP address which then can be used as a relay for their internet communications. This allows them to hide their true location behind the residential proxy. Cybercriminals used this service to engage in cyberattacks, large-scale fraud, child exploitation, harassment, bomb threats, and export violations.

To set up this botnet, Wang and his associates provided users with free, illegitimate VPN applications that were created to connect to the 911 S5 service. Unaware of the proxy backdoor, once users downloaded and installed these VPN applications, they unknowingly became part of the 911 S5 botnet.

Sometimes the VPN applications were bundled with games and other software and installed without user consent.

For this reason, the FBI has published a public service announcement (PSA) to help users find out if they have been affected by this botnet.

Users can start by going over this list of malicious VPN applications associated with the 911 S5 botnet:

*   MaskVPN
*   DewVPN
*   PaladinVPN
*   ProxyGate
*   ShieldVPN
*   ShineVPN

If you have one of these VPN applications installed, sometimes you can find an uninstaller located under the Start menu option of the VPN application. If present, you can use that uninstall option.

If the application doesn’t present you with an uninstall option, then follow the steps below to attempt to uninstall the application:

*   Click on the Start menu (Windows button) and type “Add or remove programs” to bring up the “Add and Remove Programs” menu.
*   Search for the name of the malicious VPN application.
*   Once you find the application in the list, click on the application name, and select the “Uninstall” option.

Once you have uninstalled the application, you will want to make sure it’s no longer active. To do that, open the Windows Task manager. Press Control+Alt+Delete on the keyboard and select the “Task Manager” option or right-click on the Start menu (Windows button) and select the “Task Manager” option.

In Task Manager look under the “Process” tab for the following processes:

*   MaskVPN (mask\_svc.exe)
*   DewVPN (dew\_svc.exe)
*   PaladinVPN (pldsvc.exe)
*   ProxyGate (proxygate.exe, cloud.exe)
*   ShieldVPN (shieldsvc.exe)
*   ShineVPN (shsvc.exe)

_Example by FBI showing processes associated with ShieldVPN in Task Manager_

If found, select the service related to one of the identified malicious software applications running in the process tab and select the option “End task” to attempt to stop the process from running.

Or, download Malwarebytes Premium (there is a free trial) and run a scan.

Whether you’re using the free or paid version of the app, you can manually run a scan to check for threats on your device. 

1.  Open the app.
2.  On the main dashboard, click the **Scan** button.
3.  A progress page appears while the scan runs.
4.  After the scan finishes, it displays the Threat scan summary.
    *   **If the scan detected no threats:** Click **Done**.
    *   **If the scan detected threats on your device:** Review the threats found on your computer. From here, you can manually quarantine threats by selecting a detection and clicking **Quarantine**.
5.  Click **View Report** or **View Scan Report** to see a history of prior scans. After viewing the threat report, close the scanner window.

If neither of these options, including the Malwarebytes scan, resolve the problem, the FBI has more elaborate instructions. You can also contact the Malwarebytes Support team to assist you.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

Tag

#botnet