By Deeba Ahmed
The KmsdBot was known for targeting both Linux and Windows devices.
This is a post from HackRead.com Read the original post: A Syntax Error Led to Crashing of KmsdBot Cryptomining Botnet

KmsdBot was a newly discovered cryptocurrency mining botnet killed accidentally by Akamai’s team of researchers while researching on KmsdBot. According to researchers, a syntax error caused it to stop sending commands, which destroyed the botnet.

**What is KmsdBot?**

Named by Akamai Security Intelligence Response Team (SIRT) in November 2022, KmsdBot is was a **crypto mining botnet** equipped with command-and-control abilities. It infected victims by exploiting weak credentials and SSH via brute force.

The Akamai team assessed and **reported** on the botnet after one of its honeypots got infected. The botnet targeted both **Linux and Windows devices** using a range of microarchitectures to deploy mining software and include the compromised hosts in its DDoS bot army. Its main targets included gaming and tech firms and luxury vehicle makers.

1.  **Dangerous WireX Android DDoS Botnet Killed by Security Giants**
2.  **Andromeda Botnet that infected millions of devices is dismantled**
3.  **Mirai botnet resurfaces with MooBot variant against D-Link devices**
4.  **Russian Rsocks Botnet Powered by Millions of IoT Devices dismantled**
5.  **FBI Disrupts Cyclops Blink Botnet Used by Russian Intelligence agency**

**Incident Details**

In a **blog post**, Larry W. Cashdollar, a researcher at Akamai, the commands sent to the botnet while assessing its operational mechanism within a controlled environment mistakenly led to the malware’s neutralization.

After a single “improperly formatted command,” Cashdollar explains, the bot stopped sending any command. This could be possible because of the absence of an internal error-checking feature built into its source code to verify the incoming commands. 

So, any instruction given without a space between the port and the target website caused the Go binary on the infected device to crash entirely and stop communicating with its C2 server. Hence, this **killed the botnet**.

Since the botnet doesn’t feature a persistence mechanism, the malware operators will need to re-infect the devices once again and rebuild the entire infrastructure from scratch.

“This botnet has been going after some very large luxury brands and gaming companies, and yet, with one failed command it cannot continue. This is a strong example of the fickle nature of technology and how even the exploiter can be exploited by it,” Cashdollar explained.

A Syntax Error Led to Crashing of KmsdBot Cryptomining Botnet

No longer the realm of lone wolves, the world of cybercrime is increasingly strategic, commoditized, and collaborative.

Just as you keep up with the latest news, tools, and thought leadership in order to protect and secure your organization from cybercriminals, your adversaries are doing the same thing. They are connecting on forums, evaluating new software tools, talking with potential buyers, and searching for new ways to outsmart your security stack.

A peek into their world shows they have advanced capabilities that often outmaneuver well-funded security teams and corporate security tools, especially when pitted against legacy solutions like signature-based antiviruses. Many security operations centers (SOCs) fail to prioritize real threats, while wasting time trying to solve others that they can realistically never scale to meet.

Security defenders need to move beyond the mental image of the lone hooded figure sitting in a dimly lit basement as cigarette smoke wisps up from a dirty ashtray. Let's take stock of the world of cybercrime as it exists today: strategic, commoditized, and collaborative (especially if the criminals have money to spend).

**Strategic Intent Backs Every Attack**

Adversaries always have a business purpose; there’s a plan for every piece of malware. To begin, cybercriminals snoop around for access to your environment, looking for something they can steal and potentially resell to someone else. While an attacker may not know _exactly_ what they want to do once they gain access to your environment, they tend to recognize value when they see it.

They may perform reconnaissance by looking for misconfigurations or exposed ports to exploit, a process often made trivially easy by known CVE databases and free open-port scanners. Initial compromise can also be accomplished by stealing a user’s credentials to access the environment, a process that’s sometimes even easier, before moving laterally to identify key assets.

**The Cyber Weapons Black Market is Maturing**

Cybercriminals have developed a sophisticated underground marketplace. Tools have evolved from relatively inexpensive and low-tech products into those with advanced capabilities delivered via business models familiar to legitimate consumers, like software as a service (SaaS). Threat hunters are witnessing the commoditization of hacking tools.

Phishing kits, pre-packaged exploits, and website cloning tools used to be very common. Designed to mimic website login pages, such as Microsoft Office 365 or Netflix, these tools were quite effective at capturing users’ credentials for many years.

Over the past two decades, though, the security community responded to this type of activity with techniques like pattern recognition, URL crawling, and shared threat intelligence. Tools like VirusTotal have made it a common practice for the discovery of malicious files to be shared with the wider security community almost instantaneously. Naturally, adversaries are well aware of this and have adapted.

**A New Phishing Methodology**

Today’s adversaries have also learned to capitalize on the rise of multi-factor authentication (MFA) by hijacking the verification process.

One new type of phishing kit is called EvilProxy. Like kits of the past, it mimics website login pages to trick users into giving away their login credentials. Unlike phishing kits of the past that were sold as one-time purchases, this new methodology — sold by specialists in access compromise — operates via a rental model, whereby the seller rents out space on their own server for running phishing campaigns.

They host a proxy server that operates like a SaaS model. The service costs about $250 for 10 days of access. This allows the SaaS providers to make more money and enables them to collect statistics they can then publish on hacker forums to market their products and compete against other sellers.

New kits have built-in protections to defend their phishing environment from unexpected visitors. Since they obviously don’t want web crawlers indexing their sites, they use bot protection to block crawlers, nuanced virtualization detection technology to ward off security operations teams doing reconnaissance through a virtual machine (VM), and automation detection to prevent security researchers from crawling their kit websites from different angles.

**The “Adversary in the Middle” Scenario**

In the context of bypassing MFA, acting as a reverse proxy to the authentic login page content creates big problems for typical phishing detection. By sitting between the user and the target website, the reverse proxy server allows the adversary to gain access to the username, password, and session cookie that is set after MFA is completed. They can then replay the session back into a browser and act as the user on that destination.

To the user, everything looks normal. By using slight variations of names in the URLs, the cybercriminals can make the site seem completely legitimate, with everything working as it should. Meanwhile, they have gained unauthorized access through that user, which can then be exploited for their own purposes or auctioned off to the highest bidder.

**The Adversary’s Business Model**

In addition to new phishing methodologies, malware is sold openly on the Internet and operates in a sort of gray space, floating between legal and illegal. One such example is BreakingSecurity.net, which markets the software as a remote surveillance tool for enterprise.

Every piece of malware has a price point associated with it to drive an outcome. And these outcomes have a clear business intent, whether it’s to steal credentials, generate cryptocurrency, demand a ransom, or gain spy capabilities to snoop around a network infrastructure.

Nowadays the creators of these tools are partnering with the buyers through affiliate programs. Similar to a multi-level marketing scheme, they say to the affiliate buyer of the tool, “Come to me when you get in.” They even offer product guarantees and 24/7 support of the tool in exchange for splitting the profits. This allows them to scale and build a hierarchy. Other types of cybercriminal entrepreneurs sell pre-existing compromises to the highest bidder. There are multiple business models at play.

**Today’s Reality: Case for an Advanced Cloud Sandbox**

Security teams should understand what today’s adversaries do and how quickly their actions can play out. The advanced malware on the market now is even more severe than phishing. Whether it’s Maldocs that evade filters, ransomware, information stealers, remote access trojans (RATs), or post-exploitation tools that combine toolsets, threat actors are more advanced than ever before—and so are their business models.

Countermeasures based on standard sandboxes doesn’t provide much in the way of inline prevention. Detection that combines cloud and AI can stop the stealthiest threats inline, in real time, and at scale.

If you’re not evolving with adversaries, you're falling behind. Because today’s cybercriminals are as professional and on their game as you.

Read more _Partner Perspectives_ from Zscaler.

Of Exploits and Experts: The Professionalization of Cybercrime

Market drivers include new regulations, increasing automobile complexity, and new vehicle types.

**BOULDER, Colo., Dec. 1, 2022 /PRNewswire/ —** A new report from Guidehouse Insights explores the global market for automotive cybersecurity solutions.

Automotive cybersecurity is the protection of connected vehicle systems, including software and communication networks, from tampering of any kind. Underlying the need for automotive cybersecurity is the increasingly complex technology of modern vehicles. According to a new report from Guidehouse Insights, paralleling increasing sales of connected vehicles, the market for automotive cybersecurity solutions is expected to grow steadily over the next 10 years, with revenue reaching more than $445.4 billion by 2031.

"The outlook for the automotive cybersecurity market over the next 10 years is strong. With vehicles becoming more reliant on electronic-based features and greater connectivity, the need for protection is high and growing," writes report author Karen Marcus, research analyst with Guidehouse Insights. "Interconnected systems involve small computers, or electronic control units for specific functions, multiple communication protocols, internal and third-party software, automation features, and cloud connectivity. Each of these components alone and working together creates potential attack vectors that must be protected."

Automotive manufacturers and their suppliers are increasingly driven by new regulations that require them to integrate cybersecurity solutions as a condition of approval for new designs; often, they are working to update their processes and systems before regulations go into effect. Other market drivers include increasing automobile complexity, new vehicle types, and shared vehicle services. Barriers to growth include resistance from research and development teams, high rates of employee resignation, and a chip shortage, all of which impact the industry's ability to provide service as quickly or thoroughly as its leaders would like, according to the report.

The report, "Automotive Cybersecurity Market Overview," analyzes the global market for automotive cybersecurity solutions, examines the key technologies in vehicles that require protection, and looks at the competitive landscape. It provides market outlooks for annual vehicle sales and revenue across six world regions—North America, Western Europe, Eastern Europe, Asia Pacific, Latin America, and Middle East & Africa—during the ten-year analysis period 2022 to 2031. An executive summary of the report is available for free download on the Guidehouse Insights website.

**About Guidehouse Insights**

Guidehouse Insights, the dedicated market intelligence arm of Guidehouse, provides research, data, and benchmarking services for today's rapidly changing and highly regulated industries. Our insights are built on in-depth analysis of global clean technology markets. The team's research methodology combines supply-side industry analysis, end-user primary research, and demand assessment, paired with a deep examination of technology trends, to provide a comprehensive view of emerging resilient infrastructure systems. Additional information about Guidehouse Insights can be found at www.guidehouseinsights.com.

**About Guidehouse**

Guidehouse is a leading global provider of consulting services to the public sector and commercial markets, with broad capabilities in management, technology, and risk consulting. By combining our public and private sector expertise, we help clients address their most complex challenges and navigate significant regulatory pressures focusing on transformational change, business resiliency, and technology-driven innovation. Across a range of advisory, consulting, outsourcing, and digital services, we create scalable, innovative solutions that help our clients outwit complexity and position them for future growth and success. The company has over 15,000 professionals in over 55 locations globally. Guidehouse is a Veritas Capital portfolio company, led by seasoned professionals with proven and diverse expertise in traditional and emerging technologies, markets, and agenda-setting issues driving national and global economies. For more information, please visit www.guidehouse.com.

Guidehouse Insights Anticipates Market for Automotive Cybersecurity Solutions Will Grow to More Than $445 Billion by 2031

Know what you need to fix today and what you don’t.

**EVERGREEN, Colo., December 1, 2022** **—** Phylum, The Software Supply Chain Security Company, today announced the addition of Automated Vulnerability Reachability to its software supply chain security platform capabilities. With the ability to focus only on fixing what matters_, s_ecurity pros can end the deluge of false positives and developers can innovate with greater speed and confidence. This new introduction, combined with Phylum’s ability to block and prioritize open-source code risks, provides organizations with the most comprehensive software supply chain security available in the market.

Vulnerabilities represent a clear and present danger to the integrity of the software supply chain, but the massive amount of noise and false positives that come with traditional detection methods drain resources and leave organizations overwhelmed.

"Vulnerability management has been a frustrating and persistent challenge for security teams for well over a decade. Phylum has automated the answer to the question, 'Do I actually call the code triggering this vulnerability?' Addressing this question reduces customer false positive vulnerability issues by 90% or more and enables security teams to engage their development teams with supply chain issues that truly matter," said Peter Morgan, co-founder and president of Phylum.

Most vulnerability management approaches do not account for the nuances of open-source libraries. In library code, the parts of the library used are just as important as the package name and version, and not accounting for this data results in an astronomically high false positive rate. For example, an organization might use a package for signing build packages that contains a known Heartbleed vulnerability. But since the organization is only using it for code signing and not using the part of OpenSSL where that vulnerability exists, it isn't reachable. The Phylum Platform recognizes this nuance and informs the user accordingly.

Organizations that use Phylum save precious developer time, make more critical fixes and improve overall security posture by leveraging:

1.  Deep source analysis and call tracing that identifies which vulnerabilities impact projects, and which ones don’t.
2.  Graph-powered analysis that identifies inter-package call paths to prioritize the most impactful bugs that need fixing.
3.  Automated, continuous policy enforcement that provides alerts if vulnerability functions change due to new development needs.

Since software projects are made up of anywhere from 70%-90% of open-source code, Phylum first blocks software supply chain attacks trying to enter environments from open-source packages. This alleviates the burden of having to do extensive remediation once source code is built. Automated Vulnerability Reachability then continuously monitors the code in the event any development, package or author changes result in new vulnerabilities.

The Phylum Software Supply Chain Security Platform is purpose-built to address persistent and evolving software supply chain security challenges. Regardless of the maturity stage of an appsec program, Phylum is designed to address immediate needs and scale with an organization to meet future needs.

Automated Vulnerability Reachability will be available in Q1 2023 via SaaS and On-Prem. Book a demo here.

**About Phylum**  
Phylum is on a mission to secure the universe of code. Its platform automates software supply chain security to block new risks, prioritize existing issues and allow users to only use open-source code that they trust. The company is built by a team of career security researchers and developers with decades of experience in U.S. Intelligence Community and commercial sectors. Phylum is the winner of the Black Hat 2022 Innovation Spotlight Competition and was named a Top Infosec Innovator by Cyber Defense Magazine. Learn more at https://phylum.io, read The Phylum Research Blog, and follow us on LinkedIn and Twitter.

Phylum Expands Its Software Supply Chain Security Capabilities, Introduces Automated Vulnerability Reachability

New web targets for the discerning hacker

New web targets for the discerning hacker

Bug bounty platform HackerOne has launched a scheme to encourage customers to adopt a standard policy geared towards protecting hackers from potential legal problems.

The Gold Standard Safe Harbor (GSSH) is designed to be “short, broad, \[and\] easily-understood”, according to HackerOne.

Many bug bounty and vulnerability disclosure programs offer safe harbor agreements that allow hackers acting in good faith to do their thing. HackerOne’s standard policy is designed to collate best practices while reducing the administrative burden for hackers, who will have no need to scrutinize the terms and conditions of targets before looking for in-scope vulnerabilities.

European crowdsourced security platform Intigriti, meanwhile, has launched Bug Bounty Calculator, a tool designed to help bug bounty program owners pitch their payout rates at the appropriate level.

To generate reward suggestions program providers select their industry and describe their assets in terms of risk level, maturity level, and incentive curve.

Inti de Ceukelaire, head of hackers at Intigriti, explained why he built the tool: “Anyone can set up a bug bounty program, but if you aren’t sure what you’re doing, you may pay too much for vulnerabilities. Even worse, set your bounties too low and you may not attract any researchers at all.”

The maximum payout awards under a growing number of programs have reached $1 million and more. Earlier this week The Daily Swig took a closer look into these high potential reward programs and discovered that market forces, in particular a scarcity of skilled talent, are driving up the value of rewards offered.

Web 3.0 and crypto platforms, in particular, are competing to offer dazzlingly high potential rewards. However, experts questioned by The Daily Swig pointed out the rarity of firms in this arena actually paying out seven-figure sums, which suggests some are offering enormous potential bounties in an attempt to court publicity.

Against this are several examples of six-figure payouts by more established tech vendors such as Apple and Intel. However, HackerOne reports that the median payouts for critical vulnerabilities comes in at $3,000 – a figure worth bearing in mind by anyone tempted to quit their day job in pursuit of greater riches on the bug bounty circuit.

An example of an interesting flaw on the lower end of the scale dropped early in November when a researcher revealed that they had earned a $250 bug bounty payout after discovering a code injection flaw in Acronis’ cloud management console that could be abused for data theft.

On November 4, ‘Medi’ (under the alias ‘mr-medi’), published a technical analysis of the client-side path traversal flaw, which they described as the “favorite bug” they’d ever found.

**The latest bug bounty programs for December 2022**

The past month saw the arrival of several new bug bounty programs. Here’s a list of the latest entries:

**Abraxas (enhanced)**

**Program provider:  
**Bug Bounty Switzerland

**Program type:  
**Public

**Max reward:  
**CHF 30,000 ($26,167)

**Outline:  
**Abraxas, which provides IT services for the government and public sector in Switzerland, has tripled maximum payouts from 10,000 Swiss francs to 30,000 francs.

**Notes:  
**Program has a particular focus on vulnerabilities that could enable attackers to manipulate the outcome of Swiss elections.

Check out the Abraxas bug bounty page for more details

**Amber AI**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$5,000

**Outline:  
**AMBER AI, a “crypto-finance service provider”, is offering between $2,500 and $5,000 for the submission of valid critical bugs.

**Notes:  
**Vulnerabilities in AMBER AI’s core business services qualify for the highest payout tier but the web 3.0 business is also interested in a wide range of web security vulnerabilities such as SQL injection, CSRF, and denial-of-service issues.

Check out the AMBER AI bug bounty page for more details

**Expedia Group**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$5,000

**Outline:  
**Expedia runs a portfolio of travel websites that offer hotel, flight booking, and more.

**Notes:  
**A range of targets are in scope including hotels.com. orbitz.com, and expedia.com.

Check out the Expedia Group bug bounty page for more details

**Magic Eden**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$2,500

**Outline:  
**Magic Eden styles itself as a community-centric NFT marketplace.

**Notes:  
**The bug bounty program is focused on smart contracts and on guarding against the freezing of funds, direct theft, denial of business function, or other attacks that interfere with the smooth operation of the marketplace.

Check out the Magic Eden bug bounty page for more details

**Teleport**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$5,000

**Outline:**

Teleport offers open source technology based around the zero trust model and designed for the administration of servers and cloud-based applications.

**Notes:  
**Vulnerabilities in both the on-premises software and cloud-based versions of Teleport’s technologies fall within the scope of the program.

Check out the Teleport bug bounty page for more details

**ThousandEyes**

**Program provider:  
**Bugcrowd

**Program type:  
**Public

**Max reward:  
**$4,500

**Outline:  
**ThousandEyes, which offers network intelligence software, has invited elite hackers to probe five targets for security flaws.

**Notes:  
**In-scope targets include ThousandEyes' website, application platform, customer-accessible API, and enterprise and agent software. The firm reopened its previously dormant bug bounty program in late November.

Check out the ThousandEyes bug bounty page for more details

**ZeroBounce**

**Program provider:  
**HackerOne

**Program type:  
**Public

**Max reward:  
**$3,000

**Outline:  
**ZeroBounce offers email marketing services, targeted towards the needs of enterprise customers.

**Notes:  
**A broad array of web security vulnerability (such as XSS) on the zerobounce.in domain and flaws in the associated API library (api.zerobounce.in) are within scope.

Check out the ThousandEyes bug bounty page for more details

PREVIOUS EDITION Bug Bounty Radar // The latest bug bounty programs for November 2022

Bug Bounty Radar // The latest bug bounty programs for December 2022

More than 300,000 users across 71 countries have been victimized by a new Android threat campaign called the Schoolyard Bully Trojan.
Mainly designed to steal Facebook credentials, the malware is camouflaged as legitimate education-themed applications to lure unsuspecting users into downloading them.
The apps, which were available for download from the official Google Play Store, have now been

More than 300,000 users across 71 countries have been victimized by a new Android threat campaign called the **Schoolyard Bully Trojan**.

Mainly designed to steal Facebook credentials, the malware is camouflaged as legitimate education-themed applications to lure unsuspecting users into downloading them.

The apps, which were available for download from the official Google Play Store, have now been taken down. That said, they still continue to be available on third-party app stores.

"This trojan uses JavaScript injection to steal the Facebook credentials," Zimperium researchers Nipun Gupta and Aazim Bill SE Yaswant said in a report shared with The Hacker News.

It achieves this by launching Facebook's login page in a WebView, which also embeds within it malicious JavasCript code to exfiltrate the user's phone number, email address, and password to a configured command-and-control (C2) server.

The Schoolyard Bully Trojan further makes use of native libraries such as "libabc.so" so as to avoid detection by antivirus solutions.

While the malware singles out Vietnamese language applications, it has also been discovered in several other apps available in over 70 countries, underscoring the scale of the attacks.

The findings come more than a year after Zimperium unearthed similar activity aimed at compromising Facebook accounts through rogue Android apps as part of a campaign codenamed FlyTrap.

"Attackers can cause a lot of havoc by stealing Facebook passwords," Richard Melick, director of mobile threat intelligence at Zimperium, said. "If they can impersonate someone from their legitimate Facebook account, it becomes extremely easy to phish friends and other contacts into sending money or sensitive information."

"It's also very concerning how many people reuse the same passwords. If an attacker steals someone's Facebook password, there's a high probability that same email and password will work with banking or financial apps, corporate accounts and so much more."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Schoolyard Bully Trojan Apps Stole Facebook Credentials from Over 300,000 Android Users

An ongoing analysis into an up-and-coming cryptocurrency mining botnet known as KmsdBot has led to it being accidentally taken down.
KmsdBot, as christened by the Akamai Security Intelligence Response Team (SIRT), came to light mid-November 2022 for its ability to brute-force systems with weak SSH credentials.
The botnet strikes both Windows and Linux devices spanning a wide range of

An ongoing analysis into an up-and-coming cryptocurrency mining botnet known as **KmsdBot** has led to it being accidentally taken down.

KmsdBot, as christened by the Akamai Security Intelligence Response Team (SIRT), came to light mid-November 2022 for its ability to brute-force systems with weak SSH credentials.

The botnet strikes both Windows and Linux devices spanning a wide range of microarchitectures with the primary goal of deploying mining software and corralling the compromised hosts into a DDoS bot.

Some of the major targets included gaming firms, technology companies, and luxury car manufacturers.

Akamai researcher Larry W. Cashdollar, in a new update, explained how commands sent to the bot to understand its functionality in a controlled environment inadvertently neutralized the malware.

"Interestingly, after one single improperly formatted command, the bot stopped sending commands," Cashdollar said. "It's not every day you come across a botnet that the threat actors themselves crash their own handiwork."

This, in turn, was made possible due to the lack of an error-checking mechanism built into the source code to validate the received commands.

Specifically, an instruction issued without a space between the target website and the port caused the entire Go binary running on the infected machine to crash and stop interacting with its command-and-control server, effectively killing the botnet.

The fact that KmsdBot doesn't have a persistence mechanism also means that the malware operator will have to re-infect the machines again and re-build the infrastructure from scratch.

"This botnet has been going after some very large luxury brands and gaming companies, and yet, with one failed command it cannot continue," Cashdollar concluded. "This is a strong example of the fickle nature of technology and how even the exploiter can be exploited by it."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers 'Accidentally’ Crash KmsdBot Cryptocurrency Mining Botnet Network

Multiple Xiongmai NVR devices, including MBD6304T V4.02.R11.00000117.10001.131900.00000 and NBD6808T-PL V4.02.R11.C7431119.12001.130000.00000, allow authenticated users to execute arbitrary commands as root, as exploited in the wild starting in approximately 2019. A remote and authenticated attacker, possibly using the default admin:tlJwpbo6 credentials, can connect to port 34567 and execute arbitrary operating system commands via a crafted JSON file during an upgrade request. Since at least 2021, Xiongmai has applied patches to prevent attackers from using this mechanism to execute telnetd.

Tag

#intel