Cybersecurity researchers have uncovered a new cryptojacking campaign targeting the Docker Engine API with the goal of co-opting the instances to join a malicious Docker Swarm controlled by the threat actor.
This enabled the attackers to "use Docker Swarm's orchestration features for command-and-control (C2) purposes," Datadog researchers Matt Muir and Andy Giron said in an analysis.
The attacks

Cybersecurity researchers have uncovered a new cryptojacking campaign targeting the Docker Engine API with the goal of co-opting the instances to join a malicious Docker Swarm controlled by the threat actor.

This enabled the attackers to "use Docker Swarm's orchestration features for command-and-control (C2) purposes," Datadog researchers Matt Muir and Andy Giron said in an analysis.

The attacks leverage Docker for initial access to deploy a cryptocurrency miner on compromised containers, while also fetching and executing additional payloads that are responsible for conducting lateral movement to related hosts running Docker, Kubernetes, or SSH.

Specifically, this involves identifying unauthenticated and exposed Docker API endpoints using Internet scanning tools, such as masscan and ZGrab.

On vulnerable endpoints, the Docker API is used to spawn an Alpine container and then retrieve an initialization shell script (init.sh) from a remote server ("solscan\[.\]live") that, in turn, checks if it's running as the root user and tools like curl and wget are installed before downloading the XMRig miner.

Like other cryptojacking campaigns, it makes use of the libprocesshider rootkit to hide the malicious miner process from the user when running process enumerating tools like top and ps.

The shell script is also designed to fetch three other shell scripts – kube.lateral.sh, spread\_docker\_local.sh, and spread\_ssh.sh – from the same server for lateral movement to Docker, Kubernetes, and SSH endpoints on the network.

Spread\_docker\_local.sh "uses masscan and zgrab to scan the same LAN ranges \[...\] for nodes with ports 2375, 2376, 2377, 4244, and 4243 open," the researchers said. "These ports are associated with either Docker Engine or Docker Swarm."

"For any IPs discovered with the target ports open, the malware attempts to spawn a new container with the name alpine. This container is based on an image named upspin, hosted on Docker Hub by the user nmlmweb3."

The upspin image is designed to execute the aforementioned init.sh script, thus allowing the group's malware to propagate in a worm-like fashion to other Docker hosts.

What's more, the Docker image tag that's used to retrieve the image from Docker Hub is specified in a text file hosted on the C2 server, thereby allowing the threat actors to easily recover from potential takedowns by simply changing the file contents to point to a different container image.

The third shell script, spread\_ssh.sh, is capable of compromising SSH servers, as well as adding an SSH key and a new user named ftp that enables the threat actors to remotely connect to the hosts and maintain persistent access.

It also searches for various credential files related to SSH, Amazon Web Services (AWS), Google Cloud, and Samba in hard-coded file paths within the GitHub Codespaces environment (i.e., the "/home/codespace/" directory), and if found, uploads them to the C2 server.

In the final stage, both the Kubernetes and SSH lateral movement payloads execute another shell script called setup\_mr.sh that retrieves and launches the cryptocurrency miner.

Datadog said it also discovered three other scripts hosted on the C2 server -

*   ar.sh, a variant of init.sh that modifies iptables rules and clears logs and cron jobs to evade detection
*   TDGINIT.sh, which downloads scanning tools and drops a malicious container on each identified Docker host
*   pdflushs.sh, which installs a persistent backdoor by appending a threat-actor-controlled SSH key to the /root/.ssh/authorized\_keys file

TDGINIT.sh is also notable for its manipulation of Docker Swarm by forcing the host to leave any existing Swarm it may be part of and add it to a new Swarm under the attacker's control.

"This allows the threat actor to expand their control over multiple Docker instances in a coordinated fashion, effectively turning compromised systems into a botnet for further exploitation," the researchers said.

It's currently not clear who is behind the attack campaign, although the tactics, techniques, and procedures exhibited overlap with those of a known threat group known as TeamTNT.

"This campaign demonstrates that services such as Docker and Kubernetes remain fruitful for threat actors conducting cryptojacking at scale," Datadog said.

"The campaign relies on Docker API endpoints being exposed to the Internet without authentication. The malware's ability to propagate rapidly means that even if the chances of initial access are relatively slim, the rewards are high enough to keep cloud-focused malware groups motivated enough to continue conducting these attacks."

The development comes as Elastic Security Labs shed light on a sophisticated Linux malware campaign targeting vulnerable Apache servers to establish persistence via GSocket and deploy malware families such as Kaiji and RUDEDEVIL (aka Lucifer) that facilitate distributed denial-of-service (DDoS) and cryptocurrency mining, respectively.

"The REF6138 campaign involved cryptomining, DDoS attacks, and potential money laundering via gambling APIs, highlighting the attackers' use of evolving malware and stealthy communication channels," researchers Remco Sprooten and Ruben Groenewoud said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Cryptojacking Attack Targets Docker API to Create Malicious Swarm Botnet

Hacktivism-related DDoS attacks have risen 70% in the region, most often targeting the public sector, while stolen data and access offers dominate the Dark Web.

Source: Bernhard Klar via Alamy Stock Photo

Cyberattackers and hacktivists are increasingly targeting the United Arab Emirates, the Kingdom of Saudi Arabia, and other nations in the Gulf Cooperative Council (GCC) region. The region is likely a favored target because it's a hub for commerce and trade, full of rich economies; and because of regional nations' stance on certain geopolitical issues.

That's according to 18 months of Dark Web data compiled by Moscow-based threat research firm Positive Technologies. The report stated that the first half of the year, the number of distributed denial-of-service (DDoS) attacks in the region rose 70%, compared with the same period in the previous year.

Hacktivists use forums as both a way to call like-minded hackers to action and to publish evidence of their success against specific targets, says Anastasiya Chursina, a threat analyst with Positive Technologies.

"We believe that this trend may continue and the number of attacks carried out by hacktivists will go up," she says. "At the same time, the level of other attacks will increase, which will entail an increase in the number of risks and negative consequences for companies in the region."

Both Saudi Arabia and the UAE topped the chart of targeted nations in a March analysis of two years of attacks in the region. The UAE alone faces an average of 50,000 cyberattacks every day, the head of cybersecurity for the UAE government said earlier this year, while the country also has a rapidly growing attack surface.

Related:China's 'Earth Baxia' Spies Exploit Geoserver to Target APAC Orgs

More attacks are also being publicly disclosed: In July, pro-Palestinian hacktivist group BlackMeta targeted a bank in the United Arab Emirates with a DoS campaign that lasted more than 100 hours over six days. And in April, Saudi Arabia was added to the list of organizations targeted by the suspected China-linked group Solar Spider.

**More Cyber Threat Actors Coming Online?**

The increase of DoS attacks — rather than Web defacements or system breaches — may indicate an influx of new threat actors. The attackers' tactics of choice depend upon their skills and knowledge, and DDoS attacks can be accomplished by novice hackers, says Positive Technologies' Chursina.

"The main goal of hacktivists is to draw public attention to certain political, social, and religious issues," she says. "DDoS attacks are the most popular, as they do not require high professional knowledge and resources, and they can be performed by any novice hacker."

Positive Technologies' trove of forum posts and text messages totals 277 million items from 380 Telegram channels and Dark Web forums. For its GCC report, the company focused on six major nations in the region: the UAE, Saudi Arabia, Bahrain, Oman, Qatar, and Kuwait.

Related:Phishing Espionage Attack Targets US-Taiwan Defense Conference

Nearly two-thirds of discussions between GCC cyberthreat actors focus on the UAE and Saudi Arabia. Source: Positive Technologies

Stolen data and illicit access accounted for the topic of more than half (54%) of the posts, with the vast majority of of users selling or buying access. These posts focused on five sectors: trade, services, manufacturing, IT, and government agencies.

About 12% of the posts included a call to action for hacktivism or evidence of a successful hacktivist attack, according to the report. About 9% of hacktivist posts also advertised free credentials for use in attacks.

"Access giveaways represent a new trend for the region that first appeared in H2 2023," the report stated. "Most access giveaways (70%) contained the credentials of government agency employees."

**Cyber Domain Favored for Attacks, Espionage**

Cyberattacks have become the preferred battlefield for many groups — both nation-state and dissent organizations — in the region. The stakes are rapidly escalating as well, from Iran's increasing pace of cyber espionage to Israel's cyber-physical attacks using compromised supply chains to the compromise of naval information systems in the region.

With the UAE and Saudi Arabia increasingly invested in digitization, AI development, and shifting to a knowledge-based economy, organizations in the two nations — and the Middle East at large — need to focus on strengthening their cybersecurity posture, Positive Technologies says.

Related:As Geopolitical Tensions Mount, Iran's Cyber Operations Grow

"Dark Web forums are full of offers and services tailored to this region," the company's report stated. "The abundance of posts related to the sale of access, often low-cost, makes it easier for attackers to gain initial access to a company and carry out an attack without wasting time looking for new entry points into the infrastructure. Access giveaways are a new trend on the part of haсktivists allowing low-grade hackers to carry out attacks and raise public awareness about social and political issues."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

UAE, Saudi Arabia Become Plum Cyberattack Targets

A critical vulnerability in Kia vehicles allowed hackers to control cars remotely using only license plates. The flaw…

A critical vulnerability in Kia vehicles allowed hackers to control cars remotely using only license plates. The flaw has been patched, but it highlights the growing threat of cyberattacks on connected cars.

A severe security vulnerability has been discovered in Kia vehicles, allowing hackers to remotely control key functions using only a license plate. Security researchers Neiko Rivera, Sam Curry, Justin Rhinehart, and Ian Carroll uncovered a set of vulnerabilities that could have been exploited to gain unauthorized access to Kia vehicles by exploiting the Kia dealership infrastructure,

The attack involved attackers remotely registering for a fake account and generating access tokens. These tokens would then be used in conjunction with another HTTP request to a dealer APIGW (API Gateway) endpoint and the vehicle’s VIN (vehicle identification number) to obtain the owner’s name, phone number, and email address, potentially adding themselves as an “invisible” second user on the car without the owner’s knowledge.

Researchers discovered that a victim’s vehicle could be accessed by executing four HTTP requests and internet-to-vehicle commands. These commands include generating a dealer token, fetching the victim’s email and phone number, modifying the owner’s previous access using a leaked email address and VIN, and adding an attacker as the primary owner of the vehicle. The victim would not receive any notification about modifications to their access permissions. Here’s a quick explanation of which functionalities are vulnerable:

*   **Remote Lock/Unlock: They could lock or unlock the doors.**
*   **Geolocate Vehicle: Hackers could pinpoint the car’s location.**
*   **Remote Start/Stop: They could start or turn off the engine remotely.**
*   **Remote Horn/Light: They could activate the car’s horn and lights.**
*   **Remote Camera: In some cases, they could even access the car’s cameras.**

A hypothetical attack scenario could allow a bad actor to enter a Kia vehicle’s license plate, retrieve the victim’s information, and execute commands after 30 seconds. The vulnerability allows hackers to remotely start or stop the engine, potentially stealing the vehicle, causing damage, or endangering occupants. It impacted a wide range of Kia vehicles, including models manufactured after 2013. This means that a significant number of cars were potentially at risk.

Kia addressed these issues in August 2024 following a responsible disclosure in July 2024. While no evidence of exploitation in the wild exists, researchers warn that car manufacturers could introduce similar vulnerabilities to Meta, allowing someone to take over a vehicle’s information. As cars become increasingly connected, manufacturers must prioritize security measures to protect their customers from potential threats.

This is not the first time a team involving ethical hackers like Sam Curry has compromised the security of internet-connected cars for good. In December 2022, hackers used application vulnerabilities to hack Honda and Nissa vehicles just by knowing their VIN.

Commenting on this, Akhil Mittal, senior security consulting manager at the Synopsys Software Integrity Group, said, “This Kia vulnerability isn’t just a technical flaw—it’s a red flag for the entire automotive industry. It shows how modern cars have become prime targets for cybercriminals, shifting from physical theft to digital exploitation. The idea that a hacker could unlock, track, or even start your car using just a license plate number sounds like science fiction, but it’s happening today.”

Akhil further explained that “Kia’s quick patch is encouraging, but it raises a bigger question: Is the auto industry ready for these high-tech threats? This wasn’t just about controlling a car—it exposed personal data, too. In a few simple steps, a hacker could access sensitive information, change ownership, and take control of the vehicle without the owner’s knowledge. With nearly all Kia models made after 2013 affected, it’s clear that modern cars are now connected devices and vulnerable to the same cybersecurity risks as our phones and computers.”

“Automakers must take cybersecurity as seriously as crash safety. Cars aren’t just machines anymore—they are smart devices loaded with data that needs protection. Regular software updates, stronger encryption, and better communication with drivers are critical. If the industry doesn’t act soon, these risks could become problems for everyday drivers,” he warned.

1.  How Hackers Can Remotely Unlock/Start Honda Cars
2.  Cybercriminals Exploit CAN Injection Hack to Steal Cars
3.  Globally Used Points.com Loyalty System Hacked for Good
4.  Tesla cars can be remotely hacked using drone, WIFI dongle
5.  Internet Connected Car Hacked and DDoSed via Smartphone

Hackers Could Remotely Control Kia Cars by Exploiting License Plates

MoneyGram faces a cyberattack that has caused global service disruptions for five days. Customers are unable to send…

MoneyGram faces a cyberattack that has caused global service disruptions for five days. Customers are unable to send or receive payments, as the company works to restore systems and investigate the issue.

MoneyGram, a global leader in money transfer services, has been experiencing widespread service disruptions following a cyberattack that impacted its systems on September 21, 2024. The company has confirmed that its network connectivity and key systems were taken offline to address the security breach.

While it is unclear whether the incident was a DDoS attack or ransomware, the prolonged outage has left many users unable to send or receive payments globally, leading to frustration among customers who depend on the service for their financial transactions.

At the time of writing this article, the MoneyGram website was down and showing this message (Screenshot credit: Hackread.com)

****Timeline of the Outage****

As seen by Hackread.com, the issue first came to light late on September 21, 2024, when MoneyGram acknowledged the network outage in a tweet. In its first tweet, the company announced the following incident:

> _“MoneyGram is experiencing a network outage impacting connectivity to a number of our systems. We are working diligently to better understand the nature and scope of the issue. We recognize the importance and urgency of this matter to our customers.”_
> 
> MoneyGram – 11:19 PM · Sep 21, 2024

At this stage, the extent of the problem was unclear, and customers were left in the dark about when services would resume. It wasn’t until September 23, two days later, that MoneyGram confirmed a cybersecurity incident was behind the outage.

> _“MoneyGram recently identified a cybersecurity issue affecting certain of our systems. Upon detection, we immediately launched an investigation and took protective steps to address it, including proactively taking systems offline which impacted network connectivity. We are working with leading external cybersecurity experts and coordinating with law enforcement.”_
> 
> MoneyGram – 2:06 PM · Sep 23, 2024

The company further explained that they had taken these preventive measures to protect their systems but acknowledged the inconvenience to their customers and partners.

****Customer Frustrations Grow****

By September 24, some key transactional systems were slowly being restored, but users were still facing major disruptions. Many reported being unable to send or receive payments, while others complained of pending transactions being stuck. At 3:38 PM, MoneyGram provided an update, stating:

> _“We continue to make progress in successfully restoring some of our key transactional systems. Our dedicated team is actively working around the clock on resuming normal business operations. Once all systems are fully operational, transactions that are currently pending will be made available to customers.”_
> 
> MoneyGram – 3:38 PM · Sep 24, 2024

Despite the ongoing work, many users expressed their frustration on social media, highlighting how the outage had affected their ability to access funds or complete urgent financial transactions.

****Partial Service Restoration Begins****

By September 25, more services were coming back online, but the company was still working to restore all of its systems fully. MoneyGram reported that many of its agent partners were back online and could send and receive money, providing some relief to customers with stuck payments.

> _“We continue to make progress and are resuming additional services. Many of our agent partners are now available for sending and receiving money, including fulfilling pending transactions. We are continuing to work diligently to resume our remaining services, including http://moneygram.com.”_
> 
> MoneyGram – 9:28 AM · Sep 25, 2024

Although progress was being made, some customers were still unable to use MoneyGram’s website and online services, further fueling frustration among users who rely on the platform for cross-border payments and remittances.

MoneyGram on Twitter (Screenshot credit: Hackread.com)

****Customer Impact and Response****

The outage, which is still ongoing, has left many users questioning MoneyGram’s ability to secure their financial transactions and data at this moment. The delay in service restoration, especially for time-sensitive transactions, has caused considerable inconvenience, particularly for individuals and businesses who rely on MoneyGram for international money transfers.

While MoneyGram has reassured customers that they are working with cybersecurity experts and law enforcement, the prolonged disruption and uncertainty have raised concerns about the company’s preparedness and ability to respond to cyberattacks.

****We will keep you posted****

MoneyGram has committed to keeping customers informed through social media updates, but as of now, the full extent of the data compromise remains unclear. Therefore, users are advised to monitor MoneyGram’s updates for further information about when full services will be restored and when pending transactions will be processed.

Meanwhile, Hackread.com is closely monitoring dark web leak sites associated with prominent ransomware gangs for any claims related to the MoneyGram cyberattack, in case it is confirmed to be a ransomware attack. Stay tuned.

1.  US Microchip Giant Hit by Cyberattack, Disrupting Operations
2.  AT&T Outage Disrupts Service for Millions of Users Across US
3.  Ransomware Attack Disrupts Services in 18 Romanian Hospitals
4.  Disruptions at 70% of Iran’s Gas Stations Blamed on Cyberattack
5.  Android Money Transfer XHelper App was a Money Laundering Network

MoneyGram Cyberattack: Global Service Disruptions Enter Day 5

Mastercard's $2.65 billion deal to acquire the threat intelligence provider will boost the credit-card company's AI-based cybersecurity protection capabilities.

Source: SOPA Images Limited via Alamy Stock Photo

The largest credit-card providers have made sizeable investments in advanced cybersecurity capabilities in recent years, but Mastercard is upping the ante with last week's agreement to buy Recorded Future from Insight Partners for $2.65 billion.

The deal, scheduled to close in the first quarter of 2025, would mark the second-largest acquisition in Mastercard's 58-year history. The price tag also nearly equals the $3 billion Mastercard is estimated to have previously spent on nine cybersecurity-related companies since launching its cybersecurity business unit in 2017, Strategy of Security analyst Cole Grolmus wrote on LinkedIn.

Recorded Future says it has 1,900 customers worldwide, including governments and half of the Fortune 100. According to a recent Frost & Sullivan report, the Recorded Future Intelligence Cloud hosts one of the largest threat repositories in the world. Recorded Future's Collective Insights integrates broadly with governance, risk, and compliance; third-party risk management; attack surface management; and other analytics tools, a May 2024 Forrester Research report noted.

"Combining Recorded Future's threat intelligence capabilities with Mastercard's extensive insight and knowledge of and partnership with merchants and financial institutions should provide greater protection to digital payment transactions," says Forrester principal research analyst Brian Wrozek. "This also gives Mastercard more direct control over a critical cybersecurity capability: threat intelligence."

Last year, Recorded Future added OpenAI's GPT model to the threat intelligence platform to enhance its real-time analytics capabilities. Using the pretrained transformer model, Recorded Future AI includes 10 years of threat analysis from its Insikt Group threat research subsidiary, which is integrated with the Recorded Future Intelligence Graph.

**Expanding Threat Intelligence Capabilities**

Mastercard has been investing in threat and risk intelligence capabilities for over a decade. In 2014, Mastercard launched SafetyNet, a tool to detect risks based on activity throughout its network. SafetyNet thwarted $20 billion in fraud attempts directed at its network in 2023, says Johan Gerber, Mastercard's EVP of security solutions.

"It's our AI-enabled Decision Intelligence \[solution\] that provides a score to banks, helping them identify and stop fraudulent transactions," he says.

Last year, Mastercard added AI-based risk management capabilities by acquiring Baffin Bay Networks, a threat protection provider based in Sweden. Mastercard integrated Baffin Bay's automated threat protection service to prevent attackers from penetrating or disabling cybersecurity systems through ransomware and distributed denial-of-service (DDoS) attacks.

Mastercard is not alone in its focus on threat and risk intelligence. Visa has invested more than $9 billion in cybersecurity over the past few years in new tools and services to help address fraud and account security in its payment services. The credit card company has embedded AI and analytics in more than 60 different services to stop and block payment fraud. The Visa Account Attack Intelligence (VAAI) offering uses generative AI components to identify and score enumeration attacks. The VAAI Score tool assigns each transaction with a risk score in real time to detect and prevent enumeration attacks in card-not-present transactions.

**Building on Mastercard's AI Capabilities**

Gerber says Recorded Future promises to build on Mastercard's AI-enabled Decision Intelligence capability, which gives scores to its member banks.

"Recorded Future has pioneered the use of AI in analyzing and reporting cyber threat intelligence," he says. "The ability to draw these trends from a wide range of sources will allow our customers to quickly access relevant insights and safeguard their critical operations and infrastructure. It allows us to quantify risk more accurately and simulate attacks based on the latest trends."

Gerber also sees the potential for adding Recorded Future's AI capabilities to RiskRecon, the third-party threat scanning and rating provider Mastercard acquired in 2020 that provides enterprise security monitoring and measures third-party and supply chain risk. Similarly, Recorded Future can boost two Mastercard service offerings launched in 2022: Cyber Front, which provides a threat simulation, and Cyber Quant, a service that identifies and prioritizes risks.

"The insights allow us to quantify risk more accurately," Gerber says. "Our customers will see benefits from the real-time threat insights that Recorded Future brings to the table."

Recorded Future will enhance the intelligence and security of all its products, he adds.

"It will help us create smarter models and anticipate emerging threats before cyberattacks can take place — in payments and beyond," Gerber notes.

Forrester's Wrozek says that Recorded Future promises to give Mastercard more direct control over critical threat intelligence, now a critical cybersecurity capability.

"This aligns perfectly with Mastercard's journey towards leading the defense of the global digital economy," he says.

Citing a 2024 Forrester survey, Wrozek notes that improving threat intelligence capabilities is consistently a top tactical security priority for companies, which typically purchase, on average, over half a dozen threat intelligence feeds.

"Companies need more threat intelligence to improve decision-making, expedite incident remediation, and shift from a reactive to a more proactive security posture," he says.

**About the Author**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Mastercard's Recorded Future Deal Furthers Its AI Security Goals

The FBI, in collaboration with U.S. government agencies, dismantled a Chinese state-backed botnet known as Flax Typhoon, comprising…

The FBI, in collaboration with U.S. government agencies, dismantled a Chinese state-backed botnet known as Flax Typhoon, comprising 260,000 compromised IoT devices. This operation neutralized a major cyber threat to U.S. infrastructure.

In a major blow to state-sponsored cyber malicious activity, the FBI, in cooperation with other U.S. government agencies, has successfully dismantled a massive botnet linked to Chinese government-backed hackers.

Known as **Flax Typhoon or Raptor Train**, the botnet comprised around 260,000 compromised Internet of Things (IoT) devices globally. The network was reportedly designed to steal sensitive information and disrupt critical services in the U.S. and other nations.

The compromised devices included a widespread network of IoT hardware such as cameras, routers, storage units, and video recorders. According to the joint advisory issued by the Federal Bureau of Investigation (FBI), Cyber National Mission Force (CNMF), and National Security Agency (NSA), the operation not only removed malware from these devices but also severed their links to the larger botnet, making the network powerless.

The takedown came just seven months after, **in February 2024**, the agency dismantled the KV Botnet, which was used by Volt Typhoon, another Chinese state-sponsored threat actor group.

**Scope of the Botnet**

The FBI operation reveals the global reach of the botnet. The United States accounted for nearly half of the compromised devices, reflecting the strategic focus on U.S. infrastructure. Other nations, including Vietnam, Germany, and Canada, also faced significant exposure, showing the worldwide threat posed by the botnet.

Country

Node Count

Percentage

United States

126,000

47.9%

Vietnam

21,100

8.0%

Germany

18,900

7.2%

Romania

9,600

3.7%

Hong Kong

9,400

3.6%

Canada

9,200

3.5%

South Africa

9,000

3.4%

United Kingdom

8,500

3.2%

India

5,800

2.2%

France

5,600

2.1%

Bangladesh

4,100

1.6%

Italy

4,000

1.5%

Lithuania

3,300

1.3%

Albania

2,800

1.1%

Netherlands

2,700

1.0%

China

2,600

1.0%

Australia

2,400

0.9%

Poland

2,100

0.8%

Spain

2,000

0.8%

The table shows Botnet Devices per Country

**Global Reach and Architecture**

The botnet’s impact extended across multiple continents, with North America being the most affected region. Europe and Asia also experienced significant infection rates, while Africa and Oceania had smaller shares. This geographical spread shows the **global vulnerability of IoT devices** and the strategic use of botnets in cyber warfare.

Continent

Node Count

Percentage

North America

135,300

51.3%

Europe

65,600

24.9%

Asia

50,400

19.1%

Africa

9,200

3.5%

Oceania

2,400

0.9%

South America

800

0.3%

The table shows Botnet Devices per Continent

The operation also exposed the types of processors used by the infected devices. The majority were based on the x86 architecture, followed by MIPS and ARM systems, highlighting how a wide array of devices, often lacking sufficient security protocols, can be easily hijacked and integrated into malicious networks.

The full list of vulnerabilities exploited by the botnet, Indicators of Compromise (IoC), and compromised vendors is **available here** (PDF).

**Implications for Global Cybersecurity**

The successful dismantling of the botnet not only neutralizes a major threat to U.S. infrastructure but also sends a strong message to other nation-state actors. Additionally, as IoT devices become an integral part of our daily lives, they will increasingly become lucrative targets for cybercriminals. To protect your IoT devices, follow these simple yet vital guidelines:

*   **Change Default Passwords**: Always update default usernames and passwords on IoT devices to strong, unique credentials.
*   **Regularly Update Firmware**: Ensure your IoT devices are running the latest firmware to patch any security vulnerabilities.
*   **Disable Unnecessary Features**: Turn off features or services you don’t need, such as remote access, to reduce potential entry points for attackers.
*   **Use a Separate Network**: Set up a dedicated network for IoT devices to isolate them from more sensitive devices like computers and smartphones.
*   **Enable Encryption**: If available, activate encryption settings to protect data transmitted by your IoT devices from being intercepted.

1.  **Mozi Botnet Takedown: Who Killed the IoT Zombie Botnet?**
2.  **Qakbot Botnet Disrupted, Infected 700,000 Computers Globally**
3.  **4 Arrested as Operation Endgame Disrupts Ransomware Botnets**
4.  **Operator of Proxy Botnet ‘IPStorm’ Arrested, Pleads Guilty in US**
5.  **Google Removes Swing VPN Android App Exposed as DDoS Botnet**

FBI Dismantles Chinese-Linked Botnet of 260,000 IoT Devices

Cybersecurity researchers have uncovered a never-before-seen botnet comprising an army of small office/home office (SOHO) and IoT devices that are likely operated by a Chinese nation-state threat actor called Flax Typhoon (aka Ethereal Panda or RedJuliett).
The sophisticated botnet, dubbed Raptor Train by Lumen's Black Lotus Labs, is believed to have been operational since at least May 2020,

Cybersecurity researchers have uncovered a never-before-seen botnet comprising an army of small office/home office (SOHO) and IoT devices that are likely operated by a Chinese nation-state threat actor called Flax Typhoon (aka Ethereal Panda or RedJuliett).

The sophisticated botnet, dubbed **Raptor Train** by Lumen's Black Lotus Labs, is believed to have been operational since at least May 2020, hitting a peak of 60,000 actively compromised devices in June 2023.

"Since that time, there have been more than 200,000 SOHO routers, NVR/DVR devices, network attached storage (NAS) servers, and IP cameras; all conscripted into the Raptor Train botnet, making it one of the largest Chinese state-sponsored IoT botnets discovered to-date," the cybersecurity company said in a 81-page report shared with The Hacker News.

The infrastructure powering the botnet is estimated to have ensnared hundreds of thousands of devices since its formation, with the network powered by a three-tiered architecture consisting of the following -

*   Tier 1: Compromised SOHO/IoT devices
*   Tier 2: Exploitation servers, payload servers, and command-and-control (C2) servers
*   Tier 3: Centralized management nodes and a cross-platform Electron application front-end referred to as Sparrow (aka Node Comprehensive Control Tool, or NCCT)

The way it works is, that bot tasks are initiated from Tier 3 "Sparrow" management nodes, which are then routed through the appropriate Tier 2 C2 servers, and subsequently sent to the bots themselves in Tier 1, which makes up a huge chunk of the botnet.

Some of the devices targeted include routers, IP cameras, DVRs, and NAS from various manufacturers such as ActionTec, ASUS, DrayTek, Fujitsu, Hikvision, Mikrotik, Mobotix, Panasonic, QNAP, Ruckus Wireless, Shenzhen TVT, Synology, Tenda, TOTOLINK, TP-LINK, and Zyxel.

A majority of the Tier 1 nodes have been geolocated to the U.S., Taiwan, Vietnam, Brazil, Hong Kong, and Turkey. Each of these nodes has an average lifespan of 17.44 days, indicating the threat actor's ability to reinfect the devices at will.

"In most cases, the operators did not build in a persistence mechanism that survives through a reboot," Lumen noted.

"The confidence in re-exploitability comes from the combination of a vast array of exploits available for a wide range of vulnerable SOHO and IoT devices and an enormous number of vulnerable devices on the Internet, giving Raptor Train somewhat of an 'inherent' persistence."

The nodes are infected by an in-memory implant tracked as Nosedive, a custom variant of the Mirai botnet, via Tier 2 payload servers explicitly set up for this purpose. The ELF binary comes with capabilities to execute commands, upload and download files, and mount DDoS attacks.

Tier 2 nodes, on the other hand, are rotated about every 75 days and are primarily based in the U.S., Singapore, the U.K., Japan, and South Korea. The number C2 nodes has increased from approximately 1-5 between 2020 and 2022 to no less than 60 between June 2024 and August 2024.

These nodes are flexible in that they also act as exploitation servers to co-opt new devices into the botnet, payload servers, and even facilitate reconnaissance of targeted entities.

At least four different campaigns have been linked to the ever-evolving Raptor Train botnet since mid-2020, each of which are distinguished by the root domains used and the devices targeted -

*   Crossbill (from May 2020 to April 2022) - use of the C2 root domain k3121.com and associated subdomains
*   Finch (from July 2022 to June 2023) - use of the C2 root domain b2047.com and associated C2 subdomains
*   Canary (from May 2023 to August 2023) - use of the C2 root domain b2047.com and associated C2 subdomains, while relying on multi-stage droppers
*   Oriole (from June 2023 to September 2024) - use of the C2 root domain w8510.com and associated C2 subdomains

The Canary campaign, which heavily targeted ActionTec PK5000 modems, Hikvision IP cameras, Shenzhen TVT NVRs, and ASUS routers, is notable for employing a multi-layered infection chain of its own to download a first-stage bash script, which connects to a Tier 2 payload server to retrieve Nosedive and a second-stage bash script.

The new bash script, in turn, attempts to download and execute a third-stage bash script from the payload server every 60 minutes.

"In fact, the w8510.com C2 domain for \[the Oriole\] campaign became so prominent amongst compromised IoT devices, that by June 3, 2024, it was included in the Cisco Umbrella domain rankings," Lumen said.

"By at least August 7, 2024, it was also included in Cloudflare Radar's top 1 million domains. This is a concerning feat because domains that are in these popularity lists often circumvent security tools via domain whitelisting, enabling them to grow and maintain access and further avoid detection."

No DDoS attacks emanating from the botnet have been detected to date, although evidence shows that it has been weaponized to target U.S. and Taiwanese entities in the military, government, higher education, telecommunications, defense industrial base (DIB) and information technology (IT) sectors.

What's more, bots entangled within Raptor Train have likely carried out possible exploitation attempts against Atlassian Confluence servers and Ivanti Connect Secure (ICS) appliances in the same verticals, suggesting widespread scanning efforts.

The links to Flax Typhoon – a hacking crew with a track record of targeting entities in Taiwan, Southeast Asia, North America, and Africa – stem from overlaps in the victimology footprint, Chinese language use, and other tactical similarities.

"This is a robust, enterprise-grade control system used to manage upwards of 60 C2 servers and their infected nodes at any given time," Lumen said.

"This service enables an entire suite of activities, including scalable exploitation of bots, vulnerability and exploit management, remote management of C2 infrastructure, file uploads and downloads, remote command execution, and the ability to tailor IoT-based distributed denial of service (DDoS) attacks at-scale."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New "Raptor Train" IoT Botnet Compromises Over 200,000 Devices Worldwide

Hacktivists love to target financial services companies, and their attacks are growing both larger and longer.

Source: Daniren via Alamy Stock Photo

Financial services organizations have faced nearly twice as many distributed denial of service (DDoS) attacks this year as any other industry, thanks in part to a rise in hacktivism.

According to a new report from Akamai, between Jan. 1 and June 30, there were nearly 3,000 Layer 3 and 4 DDoS attack events in the financial services sector (Layer 3 and 4 attacks occur at the network and transport layers of Internet communication). The next most-targeted industries — gaming, then high tech, then manufacturing — suffered around 1,000 to 1,500 events each.

A number of factors contribute to the sheer scale of the threat, experts say, including a general rise in DDoS across the board, a surge in hacktivist activity in association with high-profile geopolitical conflicts, emerging threats to application programming interfaces (APIs), and more.

And at the end of the day, it's just easy. "They don't have to find a vulnerability. They don't have to find that gap in your armor. They can just literally sit there and hit a button," says Richard Hummel, director of threat intelligence for Netscout.

**Hacktivism Drives DDoS**

On July 15, beginning at 10:05 a.m. local time, the full weight of a globally distributed botnet was turned against a major financial services company in Israel.

The vectors of attack were numerous: UDP flooding, UDP fragmentation, DNS reflection, PUSH and ACK floods, and more. At its peak, the flood of data registered at 789GB per second — equivalent to millions of documents, or hundreds of thousands of photos, streaming in with each passing moment.

The peak of the event lasted until around 1 p.m. local time, but activity persisted for around 24 hours. "This attack was very exceptional in terms of total duration," Akamai researchers wrote, after helping abate the attack. "This requires significant resources and is an indication of a very sophisticated aggressor."

Remarkably, despite that aggressor dedicating so much power to one attack, a number of other Israeli financial institutions experienced outages that same day, in what researchers assessed was likely a politically motivated campaign.

It wasn't the only politically motivated DDoS campaign that happened around this time, nor was it the worst. Those Israeli companies might have considered themselves lucky compared to a UAE bank, whose website was attacked by the pro-Palestinian group BlackMeta (aka DarkMeta). In a six-day romp, the group sent 10 waves of Web requests lasting between four and 20 hours each, averaging 4.5 million per second and peaking at 14.7 million.

DDoS has surged in correlation with the wars in Gaza and Ukraine, Akamai says, particularly against European banks with connections to Ukraine. Even if a financial institution doesn't consider itself political in any way, they nonetheless serve as a useful punching bag for hackers to achieve their dogmatic goals.

**Why Hacktivists Target Finserv**

Being so central to, and interconnected with, wider society, attacks against finance tend to cause more harm and panic than those against other industries.

Plus, more so than in the US, "in European countries or Asian countries, oftentimes government and finance go hand-in-hand, so you will often see that adversaries will walk the stack of what they perceive as government-affiliated," Hummel explains.

As an example, he points to Moldova, a country with manifold conflicts with Russia. "Moldova has been hammered over and over for the past six, seven months now by NoName057 and various other groups. They started with government targets, but then they started looking at finance, at commercial banking, education, public transportation. It's a natural extension."

And as if DDoS weren't already easy enough, in Europe, it's become easier in recent years thanks to Payment Services Directive 2 (PSD2), which came into effect in January 2016. Among other things, the European Union (EU) directive required that financial services providers offer open APIs to third-party services.

PSD2 was designed to better integrate the EU payments market but, Akamai points out, it also widened the surface through which attackers could attack affected companies. APIs offer yet another opening for more sophisticated, application-layer DDoS attacks, particularly when they're poorly accounted for.

"What we're finding is that many financial institutions don't know the expanse of their API ecosystem," says Cheryl Chiodi, industry strategy manager for financial services at Akamai. "There could be developers that were working on a project and left what we call a 'rogue' API, or 'shadow' APIs that are connected to the network but aren't really doing anything. And the cybercriminal can find those entry points and use them to do their infiltration of the network."

In its report, Akamai noted "sharp increases" in DDoS attacks targeting APIs. For this reason, Chiodi urges financial services companies to perform API discovery. "That then opens up the aperture, the visibility, so that you know what the API ecosystem \[in your organization\] is in the first place," she says.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Ukraine, Gaza Wars Inspire DDoS Surge Against Finservs

While the 2024 election may see various cyber threats, existing security measures and coordination across all levels of government aim to minimize their impact.

Mike Kosak, Senior Principal Intelligence Analyst, LastPass

September 16, 2024

4 Min Read

Source: Saphiens via Alamy Stock Photo

COMMENTARY

As the 2024 US presidential election approaches, cybersecurity is a frequent topic of conversation. From my time in the intelligence community supporting the Department of Defense, I'm familiar with government planning around elections. While the most discussed threats for 2024 are nation-state misinformation and disinformation, this election season, I'm also following cybersecurity threats to municipal election systems. 

The good news is the threat of an actual impactful disruption is low. As the US has funneled significant resources into securing elections over the past decade, US Cybersecurity and Infrastructure Security Agency (CISA) lead Jen Easterly said election infrastructure "has never been more secure." However, that doesn't mean threat actors aren't likely to attempt some sort of attacks, such as website defacements or distributed denial of service (DDoS) attacks against municipal election websites.

Here are the four threats against local election systems we will most likely hear about in 2024:

**Voting Machine Hacking**

The most high-profile threat to US elections is voting machine hacking. However, voting machines are rarely connected directly to the Internet, which aligns with current cybersecurity guidelines. This means the most realistic threat vector would require physical access to the machines, according to F5 Labs, a concern addressed through anti-tampering and physical security guidelines around the country. While cyber vulnerabilities within voting machines exist — as demonstrated annually at the DEFCON Voting Village hacking event — to date, there have been no reports of cyberattacks taking voting machines offline or changing votes, despite the clear value of such a capability to US adversaries.

**DDoS Attacks**

DDoS attacks are a less disruptive but more frequent threat to US elections. Election monitoring and information websites leveraging Google's Project Shield DDoS protection services experienced a 400% increase in weekly attacks during the 2022 midterms. While several companies like Cloudflare offer free DDoS protection services to election-related websites, some sites are still going down. Mississippi's election websites were briefly taken offline in 2022 by a DDoS attack claimed by a pro-Russia hacking group. However, the attack did not impact voting results or availability.

Given the increased profile of the presidential election, we can expect to see DDoS on a larger scale in 2024. However, as CISA and the FBI stated in a July 31 alert, these attacks would not prevent voters from casting their ballots.

**Ransomware**

The FBI and CISA released a similar alert on Aug. 15 related to ransomware disruptions, reassuring the public that any attack along these lines would not compromise the security or accuracy of voting. Ransomware groups will likely target municipalities — already a common target — in the run-up to the elections. 

For instance, a ransomware attack in April forced a Georgia county to temporarily disconnect from the state's voter registration system as a precautionary measure — highlighting disruptions that could occur around access to voter data or other election information. However, the FBI and CISA noted, "Any successful ransomware attack on election infrastructure tracked by FBI and CISA has remained localized and successfully managed with minimal disruption to election operations and no impact on the security and accuracy of ballot casting or tabulation processes or systems." Similar to DDoS attacks, no reporting suggests ransomware attacks have ever prevented a vote from being cast.

**Website Defacement and Email Access**

Website defacements are another common threat, where attackers take over election-related sites to alter data or images. These attacks can either aim to embarrass the site owner or subtly manipulate information, such as polling results or polling station hours.

In 2020, a threat actor briefly took over the campaign website for then President Trump, posting a derogatory message and seeking payment in return for not releasing data they claimed to have stolen. While these attacks may occur and could cause local disruptions, they would not impact the ability to vote or tally votes.

Hybrid cyber-physical threats, such as the increasing use of emails or spoofed phone numbers to deliver fake bomb threats or conduct swatting attacks, also present a concern, where false scenarios are reported to provoke a large police response. In 2018, a months-long campaign targeting US schools and businesses caused evacuations, police responses, and major disruptions. Similar attacks on election day could target polling stations, election offices, or ballot-counting sites.

Finally, threat actors (particularly nation-states) will continue to target email accounts of political operatives and organizations. The US intelligence community has already attributed social engineering attacks targeting both major US political parties to Iran. These attacks aimed to access sensitive or embarrassing information to influence the US election, highlighting the frequency of politically motivated social engineering attacks and the importance of secure, unique passwords and multifactor authentication. 

**Safeguarding the Vote**

While cyberattacks will undoubtedly target US election infrastructure over the next few months, it's important to place these events in the context of the protections put in place. Federal, state, local, and tribal governments, as well as international allies, have all been tracking these threats and implementing mitigations and contingencies to help ensure a secure and smooth election. 

While the 2024 election may see various cyber threats, existing security measures and coordination across all levels of government aim to minimize their impact. Voters should stay informed and rely on official sources to ensure their participation is not disrupted.

**About the Author**

Senior Principal Intelligence Analyst, LastPass

Mike Kosak is a former US Department of Defense (DoD) counterterrorism intelligence officer with more than 20 years of experience as a threat intelligence analyst. While with the DoD, he served in several senior intelligence officer roles, including leading the Pentagon office responsible for providing intelligence updates to the chairman of the Joint Chiefs of Staff, and was deployed to Iraq three times in support of Operation Iraqi Freedom. He also served as the acting senior command representative to the Joint Special Operations Command for the Defense Intelligence Agency. During his deployments, he led intelligence teams in support of both conventional and special forces. Following his government service, Kosak held private sector cyber intelligence positions at Bank of America, where he led the Strategic Cyber Intelligence and Threat Evaluation teams, and TIAA, where he led the Cyber Threat Intelligence team. He currently serves as the senior principal intelligence analyst at LastPass.

Cybersecurity &amp; the 2024 US Elections

Cybersecurity researchers have uncovered a new malware campaign targeting Linux environments to conduct illicit cryptocurrency mining.
The activity, which specifically singles out the Oracle Weblogic server, is designed to deliver malware dubbed Hadooken, according to cloud security firm Aqua.
"When Hadooken is executed, it drops a Tsunami malware and deploys a crypto miner," security researcher

Enterprise Security / Vulnerability

Cybersecurity researchers have uncovered a new malware campaign targeting Linux environments to conduct illicit cryptocurrency mining.

The activity, which specifically singles out the Oracle Weblogic server, is designed to deliver malware dubbed **Hadooken**, according to cloud security firm Aqua.

"When Hadooken is executed, it drops a Tsunami malware and deploys a crypto miner," security researcher Assaf Moran said.

The attack chains exploit known security vulnerabilities and misconfigurations, such as weak credentials, to obtain an initial foothold and execute arbitrary code on susceptible instances.

This is accomplished by launching two nearly-identical payloads, one written in Python and the other, a shell script, both of which are responsible for retrieving the Hadooken malware from a remote server ("89.185.85\[.\]102" or "185.174.136\[.\]204").

"In addition, the shell script version attempts to iterate over various directories containing SSH data (such as user credentials, host information, and secrets) and uses this information to attack known servers," Morag said.

"It then moves laterally across the organization or connected environments to further spread the Hadooken malware. "

Hadooken comes embedded with two components, a cryptocurrency miner and a distributed denial-of-service (DDoS) botnet called Tsunami (aka Kaiten), which has a history of targeting Jenkins and Weblogic services deployed in Kubernetes clusters.

Furthermore, the malware is responsible for establishing persistence on the host by creating cron jobs to run the crypto miner periodically at varying frequencies.

Aqua noted that the IP address 89.185.85\[.\]102 is registered in Germany under the hosting company Aeza International LTD (AS210644), with a previous report from Uptycs in February 2024 linking it to an 8220 Gang cryptocurrency campaign by abusing flaws in Apache Log4j and Atlassian Confluence Server and Data Center.

The second IP address 185.174.136\[.\]204, while currently inactive, is also linked to Aeza Group Ltd. (AS216246). As highlighted by Qurium and EU DisinfoLab in July 2024, Aeza is a bulletproof hosting service provider with a presence in Moscow M9 and in two data centers in Frankfurt.

"The modus operandi of Aeza and its fast growth can be explained by the recruitment of young developers affiliated to bulletproof hosting providers in Russia offering shelter to cybercrime," the researchers said in the report.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#ddos