By Deeba Ahmed
In this PoC, the ransomware attack dubbed R4IoT uses vulnerable IoT devices (in this case, vulnerable security cameras)…
This is a post from HackRead.com Read the original post: New PoC Shows IoT Devices Can Be Hacked to Install Ransomware on OT Networks

In this PoC, the ransomware attack dubbed R4IoT uses vulnerable IoT devices (in this case, vulnerable security cameras) to gain access, IT for traversal, and OT, particularly PLCs for detonation.

Ransomware has become a significant threat in the industrial sector, causing widespread operational disruption. A new proof-of-concept ransomware attack devised by Forescout Technologies has concerned the infosec community even more because of the dire consequences for OT security.

**Proof-of-Concept Research Reveals Next Generation of Ransomware**

Operational Technology (OT) and Industrial Control System (ICS) networks have become the targets of interest among ransomware operators. Vedere Labs of Forescout Technologies claim that their new proof-of-concept attack can have challenging OT and IoT security implications.

In this PoC, the ransomware attack dubbed R4IoT uses vulnerable IoT devices (in this case, vulnerable security cameras) to gain access, IT for traversal, and OT, particularly PLCs for detonation.

The attack involves exploiting a flawed IP camera to compromise the IT infrastructure to gain access and shut down the OT hardware of the organization. It is worth noting that no new exploits were used in the attack, and just pre-existing flaws were enough to compromise such critical systems.

According to Vedere Labs, the only attack scenario that combines the IT, IoT, and OT ransomware in a single PoC. Researchers also released a video demonstration of the attack.

**Attack Details**

In the demonstration video, the researchers can be seen compromising mainstream network-connected security cameras, mainly from Hikvision and Axis, as these vendors provide 77% of the IP cameras currently used in enterprise networks. In fact, Forescout revealed in its report that over half a million devices are under threat because of using the default VLAN1 configuration.

Therefore, any vulnerability can be used against these devices to access an inadequately protected enterprise network. The video shows that threat actors first exploit the camera’s flaws and then execute a command to access a Windows device and later execute more commands to locate other devices/machines attached to the same camera.

**PoC Video**

As it can be seen in the video above, a simulated ransomware attack is used against a fictional hospital, and the Forescout team accessed an IP camera to access the hospital’s network and camera and searched for a programmable logic controller that controlled the facility’s heating, ventilation, and air conditioning (HVAC) system, escalated privileges to install ransomware and shut the system down.

The attacker will look for devices having weak credentials to establish an SSH tunnel by opening remote desktop protocol ports. They can now open a remote desktop session, disable network firewalls/antivirus solutions, and install malware. They can also gain privilege escalation, install ransomware and cryptocurrency miners, or launch malicious executables at OT systems.

Nevertheless, the head of security research at Forescout Vedere Lab Daniel dos Santos stated that the primary objective behind the demonstration of this PoC was to indicate how vulnerable organizational security was regarding OT networks and to highlight the evolving dangers and scope of ransomware attacks.

**More IoT Vulnerability News**

*   DNS rebinding attack puts half a billion IoT devices at risk
*   BotenaGo botnet malware targeting millions of IoT devices
*   New malware found targeting IoT devices, Android TV globally
*   Millions of IoT devices, baby monitors open to audio, video snooping
*   IoT botnet of heaters & ovens can cause massive widespread power outages

New PoC Shows IoT Devices Can Be Hacked to Install Ransomware on OT Networks

We break down three ways DNS filtering can help save your business from cyberattacks.
The post 3 ways DNS filtering can save SMBs from cyberattacks appeared first on Malwarebytes Labs.

If you’re an SMB, chances are that you’re already well-aware of the fact that cyber threats can wreak havoc on your business. 

Everything from rootkits to ransomware threaten not just financial losses, but also significant network downtime and reputational damage as well. Couple this with the fact that many cyberthreats are web-based, and you might be stuck wondering how best to secure your business online. 

That’s where DNS filtering comes in. 

But first, DNS in a nutshell. So normally, every time your customer types in your web address, their computer makes a request to a DNS server. The DNS server, in turn, tells the computer where to go. If all goes well, then voila, your customer is at your website. 

A DNS filter stops you from accessing unsafe websites—including those posing a strong malware risk. But which web-based cyberthreats in particular does DNS filtering stop, you ask? 

In this post, we’ll break down three ways DNS filtering can help save your business from cyberattacks. 

**1\. Blocks phishing websites**

Let’s say someone at your company gets an email from their “bank” asking them to update their password.  

Not knowing it’s a fake, this employee clicks a link taking them to a malicious website that looks exactly like the original. Your employee then fills in some  sensitive info, maybe even downloads a malicious file — and bam, just like that, criminals now have access to your network, allowing them to install malware, steal data and spread ransomware. 

You might recognize this as one example of phishing, an attack where cybercriminals trick potential victims into sharing sensitive information or giving the perpetrator privileged access to a network. 

Luckily, by blocking the domain names of phishing sites, a DNS filter can nip attacks in the bud. 

Here’s how it works: DNS filtering references databases of known nefarious domain names. Databases of malicious websites can also be sorted into threat categories, such as spyware, typosquatting, cryptomining, and so on. From there, your organization can block malicious sites like these sites to secure their environment against phishing attacks.  

In other words, if you have a DNS filter, as soon as that same employee clicks a link to a malicious website —they’re prevented from visiting it. 

**2\. Secures you against machine-in-the-middle attacks **

Imagine you’re at a cafe chatting with a trusted friend, sharing private details about your lives with one another. You probably wouldn’t appreciate it if some random stranger was tuning into the conversation, listening carefully to every word. 

Such a scenario roughly analogous to what a machine-in-the-middle attack (MITM, also referred to as a man-in-the-middle attack) is — except in a MITM attack, the stakes are much higher. Cybercriminals in MITM attacks can steal your personal information, passwords, or banking details by intercepting the data sent between you and an application.  

One type of man-in-the-middle attack businesses should worry about is DNS spoofing. 

In a DNS spoofing attack, a hacker sits in the middle of this process. So when the computer of that same customer makes a request to a DNS server, asking where your website is, a hacker can instead redirect your computer to a malicious website! 

From there, hackers can phish sensitive customer or business information — as described above. These types of attacks are where DNS encryption, included in any good DNS filter, is essential. It secures the connection between your computer and the DNS resolver, so that cybercriminals not sit between you and and feed you spoofed DNS entries.

**3\. Detects potential DDoS attacks **

The last thing any business wants is to suffer from a Distributed Denial of Service (DDos) attack. 

You can think of a DDos attack as being kind of like a zombie invasion. Using an army of bots called a botnet, a cybercriminal can use thousands or even millions of “zombie” computers to flood your website, ultimately overloading it and bringing it down. 

The end result? Brand damage, angry customers — and often even lost revenue. 

One type of DDos attack is called a DNS flood, where the cybercriminal uses their army of bots to overwhelm a DNS server and prevent it from directing legitimate requests to your website. 

And, as is the case with most cyberthreats, the earlier you spot a potential DNS DDos attack, the better. Being able to continuously monitor DNS activity is a great way to catch the warning signs of a DNS DDoS attack — and with a DNS filter, you can do exactly that. 

**Protect your end users and your organization from web-based threats **

The web is full of dangerous corners.  

It’s a breeding ground for phishing attacks, spyware, common viruses and malware, not to mention ransomware. And as these attacks continue to increase in frequency and sophistication, it’s never been more important for SMBs to secure themselves online.  

But while having a DNS filter is great way to do that, many small and mid-size organizations don’t invest in one — leaving them exposed. 

The Malwarebytes DNS Filtering module for the Nebula platform helps block access to malicious websites and limit threats introduced by suspicious content. It blocks phishing sites, encrypts all DNS requests, and tracks website traffic to detect potential DDoS attacks. 

To top it all off, Malwarebytes DNS Filtering controls are available in the same platform used for powerful threat prevention and trusted remediation — including our Incident Response, Endpoint Protection, and Endpoint Detection and Response offerings.

3 ways DNS filtering can save SMBs from cyberattacks

EnemyBot DDoS botnet is rapidly weaponizing security bugs disclosed in CMS systems like WordPress plug-ins, Android devices, commercial Web servers, and other enterprise applications.

An Internet of Things (IoT) botnet dubbed “EnemyBot" is expanding its front lines to target security vulnerabilities in enterprise services — potentially leading to it being a much more virulent threat than it has been, researchers say.

EnemyBot, which is controlled by a threat actor known as Keksec, is a Linux botnet that emerged on the malware scene in late March. It shares source code with two other well-known botnets, Gafgyt (aka Bashlite) and the mighty Mirai, according to a prior analysis from Fortinet. Like those threats, EnemyBot is used to carry out distributed denial-of-service (DDoS) attacks. Other aspects of the code include smaller elements from Qbot and other malware, and some custom development.

While it began life focusing on adding IoT devices and routers to its botnet footprint, EnemyBot has now evolved to add remote code execution (RCE) exploits for a host of popular business applications, including VMware Workspace ONE, Adobe ColdFusion, WordPress sites (via vulnerable plug-ins like Video Synchro PDF), PHP Scriptcase, and others, according to researchers at AT&T Labs. 

Researchers discovered that the group is using a mix of recent, so-called "one-day" bugs, as well as older known issues, looking to take advantage in lags in patching.

Keksec is "now targeting IoT devices, web servers, Android devices and content management system (CMS) servers," according to the firm's recent report, which notes that the latest version of EnemyBot adds a webscan function containing a total of 24 exploits to attack vulnerabilities of different devices and Web servers and self-propagate. 

The enterprise-focused exploits that were recently added include:

*   Log4Shell vulns: CVE-2021-44228, CVE-2021-45046
*   F5 BIG IP devices: CVE-2022-1388
*   Spring Cloud Gateway: CVE-2022-22947
*   TOTOLink A3000RU wireless router: CVE-2022-25075
*   Kramer VIAWare: CVE-2021-35064
*   PHP Scriptcase: No CVE yet assigned
*   Adobe ColdFusion 11: No CVE yet assigned

"The nature of devices and systems targeted through EnemyBot is different than vulnerabilities aimed at corporate datacenters," Bud Broomhead, CEO at Viakoo, tells Dark Reading. "WordPress installations, Android devices, IoT devices and other targets for EnemyBot are all widely deployed (therefore might be hard to find), are operated by organizations of all sizes, and are often managed by lines of business that lack cybersecurity skills."

**EnemyBot: A Super Soldier?**

In addition to the DDoS capabilities, EnemyBot can also receive commands to download and execute new code that could add to its functions or update its vulnerability list, according to the analysis. This means that, worryingly, the malware can adopt new vulnerabilities within days of those issues being discovered, researchers warned, as seen when it added a bug tracked as CVE-2022-22954 affecting VMware Workspace ONE, almost immediately after disclosure.

Sean Malone, CISO at Demandbase, says that given its rapid development, EnemyBot and others like it present a new urgency for enterprise defenders.

"The rapid weaponization of newly released vulnerabilities highlights the need to be able to patch almost instantaneously when new vulnerabilities are identified," he tells Dark Reading. "We should assume that every piece of software, every application development framework, and every IoT device will have a critical vulnerability identified at some point. Our architectures should be designed to limit the available attack surface, and mitigate the blast radius of a compromised system through defense-in-depth measures."

That should include adding the ability to profile systems and network traffic to know what normal looks like, and alert when the system activity and network traffic deviates from that baseline, he adds.

"This botnet emphasizes the need for rapid patching of internet facing devices and the risks of running apps in the cloud," says John Bambenek, principal threat hunter at Netenrich. "This traffic is easily spotted on the wire, but in typical cloud deployments, organizations aren’t able to run network intrusion detection. If organizations aren’t running NIDS or rapidly patching, they are both blind and vulnerable."

**Keksec & EnemyBot's Future**

For its part, Keksec is a well-resourced group that has been around since 2016, making a name for itself by creating various botnets-for-hire. It's known for exploiting vulnerabilities to invade multiple architectures with polymorphic tools (these can include Linux and Windows payloads, as well as custom Python malware), in order to accomplish everything from DDoS to cryptomining to espionage.

For instance, last year the operators made headlines with the "Simps" botnet, which was built for DDoS attacks on gaming targets. Another of its creations is the HybridMQ-keksec botnet, a Frankenstein-like effort created by combining and modifying the source code of Mirai and Gafgyt, just like EnemyBot.

Keksec is constantly adding to its arsenal, and "has the ability to update and add new capabilities to its arsenal of malware on a daily basis," the AT&T Labs researchers note. And indeed, with the new ability to compromise enterprise services and devices, EnemyBot could be poised to ramp up the volume of its attacks.

"In addition, the malware base source code can now be found online on GitHub, making it widely accessible," according to AT&T Labs, whose researchers also note that this won't be the only new EnemyBot variant to bubble up from Keksec's laboratory. "The developer of the GitHub page on EnemyBot self-describes as a 'full time malware dev,' that is also available for contract work."

That spells swelling attack volumes, researchers warn.

"Being available through GitHub means that many types of threat actors, from professional cybercriminals to amateurs, will be able to adapt EnemyBot into new and multiple variants," says Broomhead. "Without question, this is a red-lights-flashing warning sign for organizations to improve their discovery, threat assessment, and remediation capabilities."

EnemyBot Puts Enterprises in the Crosshairs With Raft of '1-Day' Bugs

An enhanced version of the XLoader malware has been spotted adopting a probability-based approach to camouflage its command-and-control (C&C) infrastructure, according to the latest research.
"Now it is significantly harder to separate the wheat from the chaff and discover the real C&C servers among thousands of legitimate domains used by Xloader as a smokescreen," Israeli cybersecurity company

An enhanced version of the XLoader malware has been spotted adopting a probability-based approach to camouflage its command-and-control (C&C) infrastructure, according to the latest research.

"Now it is significantly harder to separate the wheat from the chaff and discover the real C&C servers among thousands of legitimate domains used by Xloader as a smokescreen," Israeli cybersecurity company Check Point said.

First spotted in the wild in October 2020, XLoader is a successor to Formbook and a cross-platform information stealer that's capable of plundering credentials from web browsers, capturing keystrokes and screenshots, and executing arbitrary commands and payloads.

More recently, the ongoing geopolitical conflict between Russia and Ukraine has proved to be a lucrative fodder for distributing XLoader by means of phishing emails aimed at high-ranking government officials in Ukraine.

The latest findings from Check Point build on a previous report from Zscaler in January 2022, which revealed the inner workings of the malware's C&C (or C2) network encryption and communication protocol, noting its use of decoy servers to conceal the legitimate server and evade malware analysis systems.

"The C2 communications occur with the decoy domains and the real C2 server, including sending stolen data from the victim," the researchers explained. "Thus, there is a possibility that a backup C2 can be hidden in the decoy C2 domains and be used as a fallback communication channel in the event that the primary C2 domain is taken down."

The stealthiness comes from the fact the domain name for the real C&C server is hidden alongside a configuration containing 64 decoy domains, from which 16 domains are randomly picked, followed by replacing two of those 16 with the fake C&C address and the authentic address.

What's changed in the newer versions of XLoader is that after the selection of 16 decoy domains from the configuration, the first eight domains are overwritten with new random values before each communication cycle while taking steps to skip the real domain.

Additionally, XLoader 2.5 replaces three of the domains in the created list with two decoy server addresses and the real C&C server domain. The ultimate goal is to prevent the detection of the real C&C server, based on the delays between accesses to the domains.

The fact that the malware authors have resorted to principles of probability theory to access the legitimate server once again demonstrates how threat actors constantly fine-tune their tactics to further their nefarious goals.

"These modifications achieve two goals at once: each node in the botnet maintains a steady knockback rate while fooling automated scripts and preventing the discovery of the real C&C servers," Check Point researchers said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New XLoader Botnet Version Using Probability Theory to Hide its C&C Servers

Malware borrows generously from code used by other botnets such as Mirai, Qbot and Zbot.

Malware borrows generously from code used by other botnets such as Mirai, Qbot and Zbot.

A rapidly evolving IoT malware dubbed “EnemyBot” is targeting content management systems (CMS), web servers and Android devices. Threat actor group “Keksec” is believed behind the distribution of the malware, according to researchers.

“Services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase and more are being targeted as well as IoT and Android devices,” reported AT&T Alien labs in a recent post. “The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities,” they added.

 According to AT&T’s analysis of the malware‘s code base, EnemyBot borrows generously from code used by other botnets such as Mirai, Qbot and Zbot. The Keksec group distributes the malware by targeting Linux machines and IoT devices, this threat group was formed back in 2016 and includes several botnet actors.

****EnemyBot Working****

The Alien lab research team study found four main sections of the malware.

The first section is a python script ‘cc7.py’, used to download all dependencies and compile the malware into different OS architectures (x86, ARM, macOS, OpenBSD, PowerPC, MIPS). After compilation, a batch file “update.sh” is created and used to spread the malware to vulnerable targets.

The second section is the main botnet source code, which includes all the other functionality of the malware excluding the main part and incorporates source codes of the various botnets that can combine to perform an attack.

The third module is obfuscation segment “hide.c” and is compiled and executed manually to encode /decode the malware strings. A simple swap table is used to hide strings and “each char is replaced with a corresponding char in the table” according to researchers.

The last segment includes a command-and-control (CC) component to receive vital actions and payloads from attackers.

AT&T researcher’s further analysis revealed a new scanner function to hunt vulnerable IP addresses and an “adb\_infect” function that is used to attack Android devices.

ADB or Android Debug Bridge is a command-line tool that allows you to communicate with a device.

“In case an Android device is connected through USB, or Android emulator running on the machine, EnemyBot will try to infect it by executing shell command,” said the researcher.

“Keksec’s EnemyBot appears to be just starting to spread, however due to the authors’ rapid updates, this botnet has the potential to become a major threat for IoT devices and web servers,” the researchers added.

This Linux-based botnet EnemyBot was first discovered by Securonix in March 2022, and later in-depth analysis was done by Fortinet.

****Vulnerabilities Currently Exploited by EnemyBot****

The AT&T researchers release a list of vulnerabilities that are currently exploited by the Enemybot, some of them are not assigned a CVE yet.

The list includes Log4shell vulnerability (CVE-2021-44228, CVE-2021-45046), F5 BIG IP devices (CVE-2022-1388), and others. Some of the vulnerabilities were not assigned a CVE yet such as PHP Scriptcase and Adobe ColdFusion 11.

*   Log4shell vulnerability – CVE-2021-44228, CVE-2021-45046
*   F5 BIG IP devices – CVE-2022-1388
*   Spring Cloud Gateway – CVE-2022-22947
*   TOTOLink A3000RU wireless router – CVE-2022-25075
*   Kramer VIAWare – CVE-2021-35064

“This indicates that the Keksec group is well resourced and that the group has developed the malware to take advantage of vulnerabilities before they are patched, thus increasing the speed and scale at which it can spread,” the researcher explained.

****Recommended Actions** **

The Alien lab researcher suggests methods to protect from the exploitation. Users are advised to use a properly configured firewall and focus on reducing Linux server and IOT devices’ exposure to the internet.

Another action recommended is to monitor the network traffic, scan the outbound ports and look for the suspicious bandwidth usage. Software should be updated automatically and patched with the latest security update.

EnemyBot Malware Targets Web Servers, CMS Tools and Android OS

A nascent Linux-based botnet named Enemybot has expanded its capabilities to include recently disclosed security vulnerabilities in its arsenal to target web servers, Android devices, and content management systems (CMS).
"The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities," AT&T Alien Labs said in a technical write-up published last week. "Services

A nascent Linux-based botnet named **Enemybot** has expanded its capabilities to include recently disclosed security vulnerabilities in its arsenal to target web servers, Android devices, and content management systems (CMS).

"The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities," AT&T Alien Labs said in a technical write-up published last week. "Services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase and more are being targeted as well as IoT and Android devices."

First disclosed by Securonix in March and later by Fortinet, Enemybot has been linked to a threat actor tracked as Keksec (aka Kek Security, Necro, and FreakOut), with early attacks targeting routers from Seowon Intech, D-Link, and iRZ.

Enemybot, which is capable of carrying out DDoS attacks, draws its origins from several other botnets like Mirai, Qbot, Zbot, Gafgyt, and LolFMe. An analysis of the latest variant reveals that it's made up of four different components -

*   A Python module to download dependencies and compile the malware for different OS architectures
*   The core botnet section
*   An obfuscation segment designed to encode and decode the malware's strings, and
*   A command-and-control functionality to receive attack commands and fetch additional payloads

Also incorporated is a new scanner function that's engineered to search random IP addresses associated with public-facing assets for potential vulnerabilities, while also taking into account new bugs within days of them being publicly disclosed.

"In case an Android device is connected through USB, or Android emulator running on the machine, EnemyBot will try to infect it by executing \[a\] shell command," the researchers said, pointing to a new "adb\_infect" function. ADB refers to Android Debug Bridge, a command-line utility used to communicate with an Android device.

Besides the Log4Shell vulnerabilities that came to light in December 2021, this includes recently patched flaws in Razer Sila routers (no CVE), VMware Workspace ONE Access (CVE-2022-22954), and F5 BIG-IP (CVE-2022-1388) as well as weaknesses in WordPress plugins like Video Synchro PDF.

Other weaponized security shortcomings are below -

*   **CVE-2022-22947** (CVSS score: 10.0) - A code injection vulnerability in Spring Cloud Gateway
*   **CVE-2021-4039** (CVSS score: 9.8) - A command injection vulnerability in the web interface of the Zyxel
*   **CVE-2022-25075** (CVSS score: 9.8) - A command injection vulnerability in TOTOLink A3000RU wireless router
*   **CVE-2021-36356** (CVSS score: 9.8) - A remote code execution vulnerability in KRAMER VIAware
*   **CVE-2021-35064** (CVSS score: 9.8) - A privilege escalation and command execution vulnerability in Kramer VIAWare
*   **CVE-2020-7961** (CVSS score: 9.8) - A remote code execution vulnerability in Liferay Portal

What's more, the botnet's source code has been shared on GitHub, making it widely available to other threat actors. "I assume no responsibility for any damages caused by this program," the project's README file reads. "This is posted under Apache license and is also considered art."

"Keksec's Enemybot appears to be just starting to spread, however due to the authors' rapid updates, this botnet has the potential to become a major threat for IoT devices and web servers,'' the researchers said.

"This indicates that the Keksec group is well resourced and that the group has developed the malware to take advantage of vulnerabilities before they are patched, thus increasing the speed and scale at which it can spread."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

EnemyBot Linux Botnet Now Exploits Web Server, Android and CMS Vulnerabilities

Malware attacks against Linux systems are on the rise. And when it comes to bot malware, XorDDoS is the frontrunner.
The post Massive increase in XorDDoS Linux malware in last six months appeared first on Malwarebytes Labs.

Microsoft says it’s recorded a massive increase in XorDDoS activity (254 percent) in the last six months. XorDDoS, a Linux Trojan known for its modularity and stealth, was first discovered in 2014 by the white hat research group, MalwareMustDie (MMD).

MMD believed the Linux Trojan originated in China. Based on a case study in 2015, Akamai strengthened the theory that the malware may be of Asian origin based on its targets.

Microsoft said that XorDDoS continues to home on Linux-based systems, demonstrating a significant pivot in malware targets. Since Linux is deployed on many IoT (Internet of Things) devices and cloud infrastructures, we are likely to see DDoS (distributed denial-of-system) attacks from botnets that have compromised such devices.

DDoS attacks—where normal Internet traffic to a targeted server, service, or network is overwhelmed with a flood of extra traffic from compromised machines—have become part of a greater attack scheme. Such powerful attacks are no longer conducted just to disrupt. DDoS attacks have become instrumental in successfully distracting organizations and security experts from figuring out threat actors’ end goal: Malware deployment or system infiltration. XorDDoS, in particular, has been used to compromise devices using Secure Shell (SSH) brute force attacks.

XorDDoS is as sophisticated as it gets. The only simple (yet effective) tactic it uses is to brute force its way to gain root access to various Linux architectures.

As Microsoft said in the report:

> “Adept at stealing sensitive data, installing a rootkit device, using various evasion and persistence mechanisms, and performing DDoS attacks, XorDdos enables adversaries to create potentially significant disruptions on target systems. Moreover, XorDdos may be used to bring in other dangerous threats or to provide a vector for follow-on activities.”

XorDDos’s attack vector (Source: Microsoft)

**Security IoT devices**

If you have an IoT device at home, know there are ways to secure it. Note that you may need some assistance from the company who built your IoT device if you’re unfamiliar or unsure how to do any of the below.

*   Change your device’s default password to a strong one
*   Limit the number of IP addresses your IoT device connects to
*   Enable over-the-air (OTA) software updates
*   Use a network firewall
*   Use DNS filtering
*   Consider setting up a separate network for your IoT device(s)
*   When you’re not using your IoT device, turn it off.

If you plan to get an IoT device soon, buy from a well-known brand. You’re much more likely to get assistance from your supplier in beefing up your IoT device’s security.

Stay safe!

Massive increase in XorDDoS Linux malware in last six months

A DDoS campaign observed by Akamai from actors claiming to be REvil would represent a major pivot in tactics for the gang.

Concern has been raised that a coordinated distributed denial-of-service (DDoS) attack from a malicious actor could be associated with the notorious ransomware-as-a-service (RaaS) group REvil.  

According to a report from Akamai’s Security Intelligence Response Team (SIRT), the attack was aimed at one of Akamai’s hospitality customers. It consisted of a simple HTTP GET request, with a message demanding payment to a Bitcoin (BTC) wallet in exchange for stopping the attack. It also included an additional request for the company to stop operating in a specific country.

Given the request to stop operating in the geospecific location appeared to stem from a recent Supreme Court decision in that country, the attack took on a political flavor that Akamai analysts say would be a break with REvil’s earlier strategies.

“We haven’t seen them linked to hacktivism or political goals in any of the previously reported attacks,” according to Akamai.

On the technical front, the use of proxying capabilities and “fairly well” distributed IPs participating in the attack indicated that some level of coordination was required between the attacker and the proxying system, the Wednesday report notes.

And, due to the extensive use of MikroTik devices identified in the attacking sources, the report suggests the attack could be supported by the MikroTik-based Meris botnet, which also has links to REvil. That said, the low volume of requests per second (Rps) and relatively unsophisticated nature of the campaign are atypical of Meris attacks, the report notes.

**REvil Redux?**

Since being reportedly dismantled by the Russian government earlier this year, there have been hints that REvil – or at least some previous members of the gang – is putting itself back together.

In April, anti-malware firm Avast revealed that the company's software had blocked a ransomware sample that appeared to be generated using information that only previous members of the REvil group could have accessed. The discovery of the file came more than a week after cybersecurity firm Emsisoft revealed that the Web address of REvil's leak site now points to a new host, using both the REvil name and claiming to have compromised a US university and an oil company in India.

Then in March, security firm Imperva reported mitigating a ransom DDoS attack tied to the Meris botnet measuring 2.5 million requests per second (Mrps). It included a series of ransom notes received by the customer that also claimed it came from REvil.

While DDoS has been used in the past by some groups as an extra layer of pressure on ransomware victims to pay up, in both the March incident and this latest case, the attack is pure-play DDoS.

"We haven't seen ransomware linked to these campaigns. The only tie to ransomware is the naming of REvil in the extortion demands," says SIRT engineer Chad Seaman.  

But as to whether this latest incident means that REvil is truly back and testing out new techniques, Seaman is skeptical.

"I don't feel there are strong indicators here that this is indeed a resurgence of REvil,” he says. “Even in the prior reported campaigns, I don't believe there are strong indicators that positively attribute those attacks to REvil in reality."

For instance, the alert also pointed out that the BTC wallet does not have any previous connection to REvil. And the gang has maintained in the past that it is purely profit driven, after all.

Seaman says the threat is more likely to stem from a copycat group looking to leverage REvil’s notoriety.

**DDoS Extortion: A New Avenue for Fear**

He added that be it REvil or someone leveraging the name or reputation, the attack is clearly a play on fear in the hopes of easy money, so the most concerning takeaway from Akamai’s investigation is the fear and panic associated with the threat.

“This is the goal of these types of attacks: to scare the victim into paying, lending credibility to the threat using a scary name,” he explained. “When these campaigns spin up and start to get press, it's typically followed by a surge of copycats.”

From Seaman’s perspective, the publishing of reports like these requires a delicate balance of notifying the public of the threat without the threat turning into a wildfire of copycats.

“We're hoping to help raise awareness while ramping down the associated fear because if we don't get out in front of these types of campaigns and fear-based reporting outpaces sane analysis, it only serves to fuel the fire, not fight it,” he said.

DDoS Extortion Attack Flagged as Possible REvil Resurgence

Verizon's "2022 Data Breach Investigations Report" repeatedly makes the point that criminals are stealing credentials to carry out their attacks.

Credentials, phishing, exploiting vulnerabilities, and botnets "pervade all areas of the DBIR, and no organization is safe without a plan to handle them all," Verizon's team of researchers wrote in this year's "Data Breach Investigations Report."

Attackers don't have to bother with zero-day vulnerabilities or build out elaborate attack tools when they can just steal credentials and log right in. Whether the report is looking at Web application attacks, email scams such as business email compromise, or malware, the theme was consistent: Stolen credentials played a role. 

DBIR is chock-full of charts and visualizations, so it is difficult to pick just one -- though the chart about what types of data attackers are stealing is a particularly striking. For a long time, criminals were interested in personal data -- data that could be used for identity theft or other types of financial fraud. While that is still the case, that is not the complete story. Attackers are focusing heavily on obtaining stolen credentials, since those credentials make carrying out other attacks even easier and harder to detect. The report considers 180 different actions that lead to data breaches, and the use of stolen credentials is the most common.

"We've long held that credentials are the favorite data type of criminal actors because they are so useful for masquerading as legitimate users on the system," the report says.

Consider how ransomware gets onto the targeted system: 40% of ransomware incidents involve the use of desktop sharing software, such as remote desktop protocol. And the easiest way to access RDP is via weak passwords.

While third-party breaches represent just 1% of breaches in the 2022 dataset, about half of them involved the use of stolen credentials. 

Phishing and stolen credentials were the top two actions in data breaches involving social engineering attacks. The third is "pretexting," almost all of which are business email compromises. A quarter of BECs used stolen credentials against the victim organization, according to the report.

And finally, in the area of web application attacks, the vast majority of incidents use stolen credentials as their entry point. Over 80% of the breaches that was categorized under web application attacks in this year's DBIR can be attributed to stolen credentials. In comparison, the second most common action, exploiting vulnerabilities, is less than 20%.

"There’s been an almost 30% increase in stolen credentials since 2017, cementing it as one of the most tried-and-true methods to gain access to an organization for the last four years," the report says.

"Even if passwordless authentication isn't ready for prime time in your organization, the report findings can be used to help fund and implement multi-factor authentication," says Rick Holland, CISO and vice-president of strategy at Digital Shadows.

DBIR Makes a Case for Passwordless

By Waqas
The trove of data was leaked due to a misconfigured Elasticsearch server and in total it stored 870…
This is a post from HackRead.com Read the original post: Personal Data of Tens of Millions of Russians and Ukrainians Exposed Online

The trove of data was leaked due to a misconfigured Elasticsearch server and in total it stored 870 million records or 147 GB of data.

SafetyDetectives security team led by Anurag Sen shared details of a misconfigured Elasticsearch server that exposed the data of millions of loan applicants. The data mainly belonged to people from Ukraine, Kazakhstan, and Russia who had applied for microloans.

The server was detected randomly on December 5th, 2021, while checking certain IPs however the details of it have only been shared this week. The anonymous server was left unsecured and unprotected as it didn’t have any authentication protocols, which led to the leaking of more than 870 million records or 147GB of data.

**Owner Identity Yet Not Available**

SafetyDetectives couldn’t determine who owned the server. However, researchers noted that customer logs of numerous microloans providers’ websites were stored on the server, but most weren’t financial services like lenders or banks. Instead, these websites were of third parties that are intermediaries between the loan company and the applicant.

Most entries in the server’s logs were in the Russian language, while most data belonged to Russians. Therefore, researchers concluded that the server’s owner is a Russian entity.

**Details of Exposed Data**

According to SafetyDetectives researchers, different forms of personally identifiable information (PII) and sensitive user data got exposed in this leak, including details of users’ “internal passports” and other forms of data.

It is worth noting that In Russia and Ukraine, internal passports are used as the substitute for national IDs and are used within the country’s territories. According to SafetyDetectives’s blog post, the internal passport details contained in the exposed server include the following information of users:

*   Gender
*   Marital status
*   Date and place of birth
*   The physical address, including city and region
*   Full name with first name, last name, and patronymic name
*   Passport number with issue/expiry dates and serial number

Some of the exposed data, such as cities, names, addresses, and issued by locations, were written in Cyrillic script, which is primarily used in some parts of Asia and Europe.

In some instances, this information was decoded into certain symbols. Other PII details exposed by the unsecured server include the following:

*   Salary
*   Child count
*   Loan details
*   Mobile numbers
*   Email addresses
*   Employment status
*   Education information
*   Login OTP SMS codes
*   INN (tax identification numbers)

**How Many Users Impacted?**

Around 10 million users are expected to be affected by this exposure. Many server logs and passport numbers belonged to Russians, while most INNs belonged to Ukrainians. The server was located in Amsterdam, the Netherlands.

SafetyDetectives contacted the Russian CERT on December 14th, 2021, and the Dutch CERT on December 30th, 2021. However, both refused to help. The server’s hosting firm was contacted on January 13th, 2022, which secured the server the same day.

**Potential Dangers**

Considering the extent and nature of exposed data, the incident can have far-reaching implications. Such as bad actors can download the data and carry out identity theft, phishing scams, scam marketing campaigns, and microloans identity fraud.

**More Elasticsearch database Mess Ups**

1.  9,517 unsecured databases identified with 10 billion records globally
2.  New malware attack turns Elasticsearch databases into DDoS botnet
3.  Stripchat database mess up exposes 200M adult cam models, users’ data
4.  US and China Exposed Most Databases Among 308,000 Discovered in 2021
5.  Misconfigured ElasticSearch Servers Exposed 579GB of Users’ Website Activity

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Tag

#botnet