New zero-day attack bypasses antivirus, sandboxes, and spam filters using corrupted files. Learn how ANY.RUN’s sandbox detects and…

New zero-day attack bypasses antivirus, sandboxes, and spam filters using corrupted files. Learn how ANY.RUN’s sandbox detects and combats these advanced threats.

A new zero-day attack campaign has surfaced, leveraging corrupted files to slip past even the strongest security protection. Recently identified by cybersecurity researchers at ANY.RUN, this attack demonstrates how sophisticated modern cyber threats have become. 

By bypassing antivirus software, sandbox environments, and email spam filters, these malicious files reach their targets with alarming efficiency. Let’s dive deeper into the details of this attack, explore why it’s so effective, and uncover how it can be identified to prevent further damage.

****New Zero-Day Attack Overview****

According to ANY.RUN research, this zero-day attack campaign has been active since at least August 2024. The research has uncovered that attackers are employing a unique technique: deliberately corrupting files to evade detection. 

These corrupted files, often disguised as ZIP archives or Microsoft Office documents like DOCX, bypass traditional security measures by exploiting gaps in standard file-handling procedures.

Despite appearing damaged, the files remain fully functional, executing malicious code when opened in their intended programs. Here’s what makes this approach particularly dangerous:

*   **Antivirus evasion**: Traditional antivirus solutions struggle to scan corrupted files properly. As a result, many classify these files as clean or return a “not found” error.
*   **Sandbox resistance**: Many static analysis tools fail to process these files because their corrupted structure prevents accurate identification.
*   **Spam filter bypass**: Even Outlook’s robust spam filters can’t block these malicious emails, allowing the payload to slip straight into inboxes.

As a result, the corrupted files execute successfully on the victim’s operating system, remaining invisible to most defences.

However, ANY.RUN’s interactive sandbox was able to overcome these challenges and detect malicious activity. Unlike other security tools, the sandbox dynamically analyzes corrupted files by interacting with them in real time. This allows it to uncover their true behaviour and accurately identify them as threats.

Malicious activity detected by ANY.RUN sandbox

In the following analysis session, the sandbox successfully detects the threat and labels it as malicious activity, thanks to its automated interactivity feature. This advanced capability launches the corrupted files in their corresponding programs, allowing the sandbox to observe and identify malicious behaviour that traditional tools might overlook.

****How the Zero-Day Attack is Executed****

During this cyberattack campaign, attackers exploit user applications’ built-in recovery mechanisms to restore and execute damaged or corrupted files. Below you can find more details about these steps: 

The analysis session revealed a corrupted file delivered via email, slipping past traditional detection systems. Security tools struggled to process the file, leaving it undetected. 

However, ANY.RUN’s sandbox took a different approach by opening the file in its intended application. When built-in recovery features, like Microsoft Word’s repair mechanism, were activated, the malicious payload executed as expected. 

The sandbox’s interactivity enabled it to identify this behaviour and flag the file as malicious, demonstrating its effectiveness in detecting threats that evade traditional tools.

****Get Your Black Friday Deal from ANY.RUN****

Combat advanced cyber threats like corrupted file attacks with ANY.RUN’s interactive sandbox. Its Automated Interactivity launches and analyzes even the most elusive files, revealing malicious behaviours that traditional tools miss.

With ANY.RUN, you can uncover the full picture of complex cyberattacks and protect your systems effectively. This Black Friday, take advantage of exclusive offers and strengthen your protection. Hurry, offers end December 8:

*   **For individual users**: Get 2 licenses for the price of 1.
*   **For teams**: Enjoy up to 3 licenses + an annual basic plan for Threat Intelligence Lookup, ANY.RUN’s extensive threat intelligence database.

See all offers and test the service with a free trial today →

How Attackers Use Corrupted Files to Slip Past Security

A stealthy JavaScript injection attack steals data from the checkout page of sites, either by creating a fake credit card form or extracting data directly from payment fields.

Source: Kim Kuperkova via Shutterstock

Attackers are targeting Magento e-commerce websites with a new card-skimming malware that can dynamically lift payment details from checkout pages of online transactions. The attack, discovered by a researcher from Web security firm Surcuri, comes as online retailers and shoppers are priming for this week's historically busy Black Friday online shopping day.

Sucuri security analyst Weston Henry discovered the attack in the form of a malicious JavaScript injection, which has multiple variants and target sites built on the popular e-commerce platform in two different ways, according to a blog post published on Nov. 26.

One way is by creating a fake credit card form to steal card details, the other is by extracting the data directly from the payment fields. "Its dynamic approach and encryption mechanisms make it challenging to detect," Sucuri security analyst Puja Srivastava explained in the post. The data is then encrypted and exfiltrated to a remote server controlled by the attacker.

Magento-based websites are a frequent target for cybercriminals due to their widespread usage for e-commerce and the valuable customer data they handle, including payment card or bank account details. And card-skimming — typically by a group of cybercriminals collectively known as Magecart — is a popular attack vector to steal such data from these sites.

Related:News Desk 2024: Can GenAI Write Secure Code?

**Cyber Victims Targeted During Shopper Checkout**

Henry discovered the malicious script during a routine inspection of a Magento-based site with Sucuri's SiteCheck. "The tool identified a resource originating from the blacklisted domain dynamicopenfonts.app," explained Sucuri security analyst Puja Srivastava in the post. Eventually, the resource was found in two locations on the site.  

One of the locations where it was found was within the <referenceContainer> directive of the XML file, which is designed to load a JavaScript resource just before the closing <body> tag.

Attackers obfuscated the contents of the external script to avoid detection, "making it challenging to identify at first glance," Srivastava noted.

Once executed, the script activates only on pages containing the word "checkout" but excluding the word "cart" in the URL, with the aim of extracting sensitive credit card information from specific fields on the checkout page.

After it's completed this malicious task, the malware collects additional user data through Magento’s APIs, including the user's name, address, email, phone number, and other billing information. "This data is retrieved via Magento's customer-data and quote models," Srivastava explained.

Related:Israel Defies VC Downturn With More Cybersecurity Investments

**Magento Malware's Strong Anti-Detection Game**

Attackers behind the malware have taken care to use multiple anti-detection techniques to hide their malicious activity, the researchers found. While the malware is collecting the data, it first encodes it as JSON and then XOR-encrypts it with the key "script" to add an extra layer of obfuscation, the researchers found.

The encrypted data also is Base64-encoded before being sent via a beaconing technique to a remote server at staticfonts.com. Beaconing is a method whereby a script or program sends data silently from the client to a remote server without alerting the user or interrupting their activity.

While legitimate applications such as analysis tools also use beaconing, malicious actors favor the technology because it's a stealthy and hard-to-detect way to transmit stolen data, the researchers noted.

**How to Secure E-Commerce Sites From Cyberattack**

To protect e-commerce sites from stealthy card-skimmers — particularly on busy shopping days like Black Friday, which are a goldmine for cybercriminals — Sucuri recommends administrators conduct regular security audits, monitor unusual activity, and deploy a robust Web application firewall (WAF) to protect sites.

Related:'RomCom' APT Mounts Zero-Day, Zero-Click Browser Escapes in Firefox, Tor

They also should ensure that sites are consistently updated with the latest security patches, as "outdated software is a primary target for attackers who exploit vulnerabilities in old plug-ins and themes," Srivastava wrote.

Administrators also should ensure they use strong, unique passwords on e-commerce sites to bolster security and avoid having them easily cracked by attackers. Finally, implementing file integrity monitoring to detect any unauthorized changes to website files also can serve as an early warning system.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Sneaky Skimmer Malware Targets Magento Sites Ahead of Black Friday

Watch out for the Russian hackers from the infamous RomRom group, also known as Storm-0978, Tropical Scorpius, or UNC2596, and their use of a custom backdoor.

****SUMMARY****

*   **RomCom Exploits Double Zero-Day:** RomCom, a Russia-linked group used previously unknown vulnerabilities in Firefox and Windows in a sophisticated attack campaign.

*   **Attack Chain:** Visiting a malicious webpage triggered a Firefox flaw, and then a Windows bug allowed the installation of RomCom’s backdoor.

*   **Targeted Sectors:** RomCom targeted government, pharmaceutical, legal, and other sectors in Europe and North America for espionage and cybercrime.

*   **Quick Patches:** Mozilla and Microsoft rapidly released updates to fix the vulnerabilities, highlighting the importance of software updates.

*   **Sophisticated Threat:** The attack shows the advanced capabilities of state-sponsored cyber groups and the need for strong cybersecurity measures.

Cyber security researchers at ESET have exposed a malicious campaign by the Russia-linked **RomCom group**, which combined two previously unknown (zero-day) vulnerabilities to compromise targeted systems including Windows and Firefox.

The attack chain, first detected on October 8th, started with a vulnerability in Mozilla Firefox, Thunderbird, and Tor Browser (**CVE-2024-9680**, CVSS score 9.8). If a user with a vulnerable browser visited a customized webpage, malicious code could run within the browser’s restricted environment without any user interaction. This vulnerability, a “use-after-free” bug in the animation feature of Firefox, was quickly addressed by Mozilla within 24 hours of being notified by ESET.

However, the attack didn’t stop there. RomCom chained this browser vulnerability with another zero-day flaw in Windows (**CVE-2024-49039**, CVSS score 8.8) to bypass the browser’s security “sandbox.” This second vulnerability allowed the attackers to run code with the privileges of the logged-in user, taking control of the system. Microsoft released a fix for this issue on November 12th.

The exploit chain worked by first redirecting users to fake websites, which used domains designed to appear legitimate and included the names of other organizations, before sending them to a server hosting the exploit code.

These fake sites often used the prefix or suffix “redir” or “red” to a legitimate domain, and the redirection at the end of the attack took the victims to the legitimate website, hiding the attack. Once the exploit successfully ran, it installed **RomCom’s custom backdoor**, giving the attackers remote access and control over the infected machine.

Exploit flow (Via ESET)

ESET’s **investigation** shows that RomCom targeted various sectors, including government entities in Ukraine, the pharmaceutical industry in the US, and the legal sector in Germany, for both espionage and cybercrime purposes. The group, also known as **Storm-0978, Tropical Scorpius, or UNC2596**, is known for both opportunistic attacks and targeted espionage.

From October 10th to November 4th, ESET’s data showed that users visiting these malicious websites were primarily located in Europe and North America, with the number of victims ranging from one to as many as 250 in some countries.

This cyberattack campaign goes on to show the importance of quick vulnerability disclosure and patching. It also emphasises the need for users to remain alert and keep their software up to date to prevent exploitation of **zero-day vulnerabilities**.

1.  **Russian Cyber Offensive Shifts Focus to Ukraine’s Military**
2.  **Russian APT29 Use NSO Group-Style Exploits in Attacks, Google**
3.  **Russian Malware Targets Ukrainian Military Recruits via Telegram**
4.  **Russian Hackers Phish Critical Sectors with Microsoft, AWS Lures**
5.  **Russian Midnight Blizzard Breached UK Home Office via Microsoft**

Russian Hackers Exploit Firefox and Windows 0-Days to Deploy Backdoor

The innocuously named Russian-sponsored cyber threat actor has combined critical and serious vulnerabilities in Windows and Firefox products in a zero-click code execution exploit.

Source: Collection Chrisophel via Alamy Stock Photo

For a brief window of time in October, Russian hackers had the ability to launch arbitrary code against anyone in the world using Firefox or Tor.

On Oct. 8, researchers from ESET first spotted malicious files on a server managed by the Russian advanced persistent threat (APT) RomCom (aka Storm-0978, Tropical Scorpius, UNC2596). The files had gone online just five days earlier, on Oct. 3. Analysis showed that they leveraged two zero-day vulnerabilities: one affecting Mozilla software, the other Windows. The result: an exploit that spread the RomCom backdoor to anyone who visited an infected website, no clicks required.

Luckily, both issues were remediated quickly. "The attackers only had a really small window to try to compromise computers," explains Romain Dumont, malware researcher with ESET. "Yes, there was a zero-day vulnerability. But, still, it was patched really fast."

Dark Reading has reached out to Mozilla for comment on this story.

**A Zero-Day in Firefox & Tor**

The first of the two vulnerabilities, CVE-2024-9680, is a use-after-free opportunity in Firefox animation timelines — the browser mechanism that handles how animations play out based on user interactions with websites. Its power to afford attackers arbitrary command execution earned it a "critical" 9.8 rating from the Common Vulnerability Scoring System (CVSS). 

Related:Sneaky Skimmer Malware Targets Magento Sites Ahead of Black Friday

Importantly, CVE-2024-9680 affects more than just Firefox. Mozilla's open source email client "Thunderbird" is also impacted, as is the ultrasecretive Tor browser, which is built from a modified version of Firefox's Extended Support Release (ESR) browser.

In October, RomCom deployed specially crafted websites that would instantly trigger CVE-2024-9680 without the need for any victim interaction. Victims would unknowingly download the RomCom backdoor from RomCom-controlled servers, then quickly be redirected to the original website they thought they were visiting all along.

These malicious domains were made to mimic the real sites associated with the ConnectWise and Devolutions IT services platforms, and Correctiv, a nonprofit newsroom for investigative journalism in Germany. That these organizations are both political and economic in nature might not surprise those familiar with RomCom, which has always conducted opportunistic cybercrime, but in more recent times has added politically motivated espionage to its agenda. Its activity in 2024 has included campaigns against the insurance and pharmaceutical sectors in the US, but also the defense, energy, and government sectors in Ukraine.

Related:News Desk 2024: Can GenAI Write Secure Code?

It's unclear by what means of social engineering RomCom might have spread these malicious sites.

**What We Know of RomCom's Campaign**

Not content with only running code in a victim's browser, however, RomCom also employed a second vulnerability, CVE-2024-49039. This high-severity 8.8 CVSS-rated bug in the Windows Task Scheduler allows for privilege escalation, thanks to an undocumented remote procedure calls (RPC) endpoint unintentionally accessible to low level users. In this case, RomCom used CVE-2024-49039 to escape the browser sandbox and onto a victim's machine at large.

The damage that might've been done with such a powerful exploit chain, and exactly who was affected by it last month, remains unknown. What's clear at this point is that the overwhelming majority of targets were located in North America and Europe — particularly the Czech Republic, France, Germany, Poland, Spain, Italy, and the US — plus scattered victims in New Zealand and French Guiana.

Also, notably, none of the victims tracked by ESET were compromised via Tor. "Tor has some predefined settings that differ from Firefox, so maybe it would not have worked," Damien Schaeffer, senior malware researcher at ESET speculates. He notes, too, that RomCom's primary targets appeared to be corporations, which rarely use Tor.

Related:Israel Defies VC Downturn With More Cybersecurity Investments

Both CVE-2024-9680 and CVE-2024-49039 have since been patched — the former on Oct. 9, just 25 hours after Mozilla was notified of the issue, and the latter on Nov. 12.

"By now, I hope, the problem is more or less done," Schaeffer says. Still, for any given organization, "It'll depend on their policies. If you have good patch management, this would have been fixed in one day or so. But it's up to people to fix their stuff."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'RomCom' APT Mounts Zero-Day, Zero-Click Browser Escapes in Firefox, Tor

The Russia-aligned threat actor known as RomCom has been linked to the zero-day exploitation of two security flaws, one in Mozilla Firefox and the other in Microsoft Windows, as part of attacks designed to deliver the eponymous backdoor on victim systems.
"In a successful attack, if a victim browses a web page containing the exploit, an adversary can run arbitrary code – without any user

RomCom Exploits Zero-Day Firefox and Windows Flaws in Sophisticated Cyberattacks

The Shadowserver Foundation reports over 2,000 Palo Alto Networks firewalls have been hacked via two zero-day vulnerabilities: CVE-2024-0012…

The Shadowserver Foundation reports over 2,000 Palo Alto Networks firewalls have been hacked via two zero-day vulnerabilities: CVE-2024-0012 & CVE-2024-9474, enabling admin bypass and root access. Top targets: US & India.

Cybersecurity researchers at Shadowserver have revealed that approximately 2,000 **Palo Alto Networks** firewalls have been compromised. The breaches leverage two recently identified zero-day vulnerabilities in the company’s PAN-OS software. These vulnerabilities have been labeled as CVE-2024-0012 and CVE-2024-9474.

****The Vulnerabilities****

**CVE-2024-0012**: This vulnerability is an authentication bypass in the PAN-OS management web interface. It allows remote attackers to gain administrator privileges without authentication. This means attackers can tamper with firewall settings, making them more susceptible to further exploitation.

**CVE-2024-9474**: This flaw is a privilege escalation issue. Once exploited, it lets attackers execute commands with root privileges, giving them full control over the compromised firewall.

> Heads-up! Thanks to collaboration with the Saudi NCA we are now scanning & reporting Palo Alto Networks devices COMPROMISED as a result of a CVE-2024-0012/CVE-2024-9474 campaign. Found ~2000 instances compromised on 2024-11-20: dashboard.shadowserver.org/statistics/c… Top affected: US & India
> 
> — The Shadowserver Foundation (@shadowserver.bsky.social) November 21, 2024 at 9:45 AM

****Operation Lunar Peek – Ongoing Threat Activity****

Palo Alto Networks has **named** the initial exploitation of these vulnerabilities “Operation Lunar Peek.” Palo Alto Networks initially warned customers on November 8 about restricting access to their next-generation firewalls due to an unspecified remote code execution flaw.

Since then, the company has observed a notable increase in threat activity following the public release of technical insights by third-party researchers on November 19, 2024.

Unit 42, Palo Alto Networks threat intelligence team, assesses with moderate to high confidence that a functional exploit chaining CVE-2024-0012 and CVE-2024-9474 is publicly available, which could lead to broader threat activity.

The company is currently investigating the ongoing attacks, which involve chaining these two vulnerabilities to target a limited number of device management web interfaces. The company has observed threat actors dropping malware and executing commands on compromised firewalls, indicating that a chain exploit is likely already in use.

****Recommendations for Users****

Palo Alto Networks has provided several recommendations to mitigate the risk:

*   **Monitor and Review:** Users should monitor for any suspicious or abnormal activity on devices with a management web interface exposed to the internet. After applying the patch, it is crucial to review firewall configurations and audit logs for any signs of unauthorized administrator activity.
*   **Patch Immediately:** Customers are advised to update their systems to receive the latest patches that fix CVE-2024-0012 and CVE-2024-9474. Detailed information about affected products and versions can be found in the Palo Alto Networks Security Advisories.
*   **Restrict Access:** To reduce the risk, Palo Alto Networks recommends restricting access to the management web interface to only trusted internal IP addresses. This is in line with their recommended best practice deployment guidelines.

****Expert Insights****

**Elad Luz**, Head of Research at Oasis Security, emphasizes the importance of immediate action even before patching. He advises affected customers to restrict access to the web management interface, preferably allowing only internal IPs. Luz also stresses the need to ensure that devices are free from any potential malware or malicious configurations after patching.

1.  Palo Alto Patches 0-Day Exploited by Python Backdoor
2.  Authentication bypass Flaw found in NATO approved firewall
3.  Critical RCE Vulnerability Puts 330,000 Fortinet Firewalls at Risk
4.  CISA Urges Patching of Palo Alto Networks’ Expedition Tool Flaw
5.  Backdoor account found in 100K+ Zyxel Firewalls, VPN Gateways

Operation Lunar Peek: More Than 2,000 Palo Alto Network Firewalls Hacked

Malware bypasses Microsoft Defender and 2FA, stealing $24K in cryptocurrency via a fake NFT game app. Learn how…

Malware bypasses Microsoft Defender and 2FA, stealing $24K in cryptocurrency via a fake NFT game app. Learn how it compromised devices and evaded security.

Cybersecurity researchers at SafetyDetectives revealed that Microsoft Defender, the default Windows antivirus, was deceived by malware, enabling the theft of cryptocurrency from an unsuspecting user. The issue was uncovered during the analysis of a seemingly harmless NFT game app, which was actually designed to steal cryptocurrency.

The application also compromised the device by bypassing **Google’s two-factor authentication** and stole over $24,000 in cryptocurrency. According to researchers, the malware, once installed, quietly operates in the background, gathering sensitive information and may even hijack the user’s Google account, which is protected by two-factor authentication (2FA). It achieves this by installing a malicious Chrome extension disguised as Google Keep, bypassing the 2FA security measures.

During the investigation, SafetyDetectives’ team tested Microsoft Defender against the malware-laced app, using Wireshark to monitor network traffic and detect the malware’s location.

Surprisingly, Microsoft Defender failed to stop the virus during its installation and execution, allowing the malware to gain access to system operations, download suspicious files, collect sensitive information, and even determine the user’s location.

The malware was programmed to shut down if the user was in Russia, Ukraine, or Belarus, likely due to its origin. The **fake Chrome extension** enabled the malware to access every website visited, steal login data, and monitor anything copied from the browser. The virus collected everything necessary to remotely control the system, and Microsoft Defender didn’t send an alert.

****Bitdefender and Malwarebytes to the Rescue****

To assess the effectiveness of other antivirus solutions, the team also tested Malwarebytes and Bitdefender. While neither antivirus was able to prevent the initial installation, they did intervene at later stages of the attack. Bitdefender blocked the malware’s attempt to access critical information, while Malwarebytes prevented the installation altogether. 

“While Malwarebytes stopped the breach faster than Bitdefender, neither is inherently better in dealing with this specific malware, as both were able to prevent critical compromise. Bitdefender may even have the benefit of having fewer false positives,” they explained in the **blog post**.

It could be that in recent years, Microsoft Exchange Server has been targeted by a **series** of zero-day vulnerabilities, some of which could have impacted Microsoft Defender’s ability to protect systems. Or supply chain attacks, like the **SolarWinds hack**, can compromise software updates and tools, potentially affecting the integrity of security solutions like Microsoft Defender.

Nevertheless, the investigation emphasizes the importance of investing in stronger antivirus software and exercising caution when downloading and installing applications, especially from unverified sources. Staying informed about cyber threats and taking proactive measures can significantly reduce the risk of malicious attacks.

1.  Microsoft Defender Flags Tor Browser as Malware
2.  Fake ChatGPT Extension Hijacks Facebook Accounts
3.  Malicious Extensions Bypass Google’s MV3 Restrictions
4.  Fake Sites Spread Malware as Malwarebytes, Bitdefender
5.  Phemedrone Exploits Windows Defender SmartScreen Flaw

Malware Bypasses Microsoft Defender and 2FA to Steal $24K in Crypto

Though the information regarding the exploits is limited, the company did report that Intel-based Mac systems have been targeted by cybercriminals looking to exploit CVE-2024-44308 and CVE-2024-44309.

Source: Shahid Jamil via Alamy Stock Photo

Apple has released security updates to address two zero-day vulnerabilities that are under active exploitation in the wild.

The bugs, tracked as CVE-2024-44308 (CVSS 6.8) and CVE-2024-44309 (CVSS 4.3), are, respectively, a vulnerability in JavaScriptCore that could lead to arbitrary code execution; and a cookie management vulnerability in WebKit that could lead to a cross-site scripting (XSS) attack while processing malicious Web content.

The bugs affect Apple's iOS, iPadOS, macOS, visionOS, and the Safari Web browser; the company reports that it has addressed them with better checks and improved state management.

Clément Lecigne and Benoît Sevens at Google's Threat Analysis Group (TAG) first discovered and reported the vulnerabilities and, as is customary for the company, Apple did not provide any additional details of reported attacks nor did it offer indicators of compromise (IoCs).

"Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems," Apple stated its advisory for both zero-days, the lone piece of information regarding in-the-wild exploitation attempts.

Those using affected Apple ecosystem products should update to iOS 18.1.1, macOS Sequoia 15.1.1, and  iOS 17.7.2 as soon as possible to avoid compromise.

**About the Author**

Apple Urgently Patches Actively Exploited Zero-Days

An elusive, sophisticated cybercriminal group has used known and zero-day vulnerabilities to compromise more than 20,000 SOHO routers and other IoT devices so far, and then puts them up for sale on a residential proxy marketplace for state-sponsored cyber-espionage actors and others to use.

Source: Jiraroj Praditcharoenkul via Alamy Stock Photo

A cybercriminal group is exploiting vulnerabilities in Internet of Things (IoT) devices and then turning a tidy profit by putting them up for sale on a residential proxy marketplace, where they can be turned into proxy botnets by state-sponsored advance persistent threats (APTs) and other malicious actors.

The gang, tracked as "Water Barghest," has already compromised more than 20,000 IoT devices, including small office and home office (SOHO) routers used by businesses, by using automated scripts to identify and compromise vulnerable devices, according to new research from Trend Micro. The threat actor, which has operated for more than five years (largely under the radar due to a sophisticated automation strategy) discovers vulnerable IoT devices from public Internet-scanning databases such as Shodan, the researchers noted.

Once Water Barghest compromises devices, it deploys proprietary malware called Ngioweb to register the device as a proxy — i.e., a network that puts an intermediary between a client and a server. Water Barghest then lists the device for sale on a residential proxy marketplace for other threat actors to purchase.

The entire cybercriminal process to enslave a target takes as little as 10 minutes, "indicating a highly efficient and automated operation," Trend Micro researchers Feike Hacquebord and Fernando Mercês wrote in the post.

**Selling Proxy Devices as a Cybercrime Business Model**

There is indeed a significant incentive for both espionage-motivated and financially motivated actors to set up proxy botnets to help hide where their malicious activities originate; Russia's Sandworm, for example, recently used the VPNFilter botnet and Cyclops Blink in activities against Ukraine that were elusive for a time before being ultimately disrupted by the FBI, according to Trend Micro.

"These \[botnets\] can serve as an anonymization layer, which can provide plausibly geolocated IP addresses to scrape contents of websites, access stolen or compromised online assets, and launch cyberattacks," the researchers wrote.

Threat actors can find any IoT device that accepts incoming connections on the open Internet using public scanning services, making it easy for them to compromise ones with known vulnerabilities, or even zero-days, for future use in malicious activities, they wrote. This makes it easy for threat actors like Water Barghest to exploit them for financial gain and further abuse, they added.

**Uncovering the Elusive Botnet-for-Sale Cyber Operation**

Trend Micro discovered Water Barghest's operation during an investigation of the Department of Justice's disruption of a Russian military intelligence botnet that Russian state-sponsored threat group Fancy Bear (aka APT28) used for global cyber espionage.

The researchers examined EdgeRouter devices that had been used by Sandworm, and eventually uncovered Water Barghest's Ngioweb malware and botnet. The group's infrastructure had been up and running for more than five years but had been able to evade detection by security researchers and law enforcement "because of their careful operational security and high degree of automation," the researchers wrote.

"They quietly erased log files from their servers and made forensic analysis more difficult," they wrote. "They removed human error from their operations by automating almost everything. They also removed financial traceability by using cryptocurrency for anonymous payments."

Water Barghest automates each step of the 10-minute process, from initially finding vulnerable IoT devices to ultimately putting them for sale on a residential proxy marketplace. The group first acquires known exploits for flaws in devices, then uses search queries on one of the publicly available Internet-scanning databases to find vulnerable devices and their IP addresses. It then uses a set of data center IP addresses to try the exploits against potentially vulnerable IoT devices.

When one works, the compromised IoT devices download a script that iterates through Ngioweb malware samples compiled for different Linux architectures. When one of the samples runs successfully, Ngioweb will run in memory on the victim’s IoT device, registering it with a command-and-control (C2) server, and then eventually sending it to be listed on a Dark Web marketplace.

Water Barghest has about 17 identities on virtual private servers that continuously scan routers and IoT devices for known vulnerabilities and also upload Ngioweb malware to freshly compromised IoT devices. In this way, Water Barghest has been running a profitable business "for years, with the worker IP addresses changing slowly over time," according to the Trend Micro analysis.

**Protecting SOHO Routers: Limit Exposure to Public Internet**

Trend Micro expects that both the commercial market for residential proxy services and the underground market of proxies will grow in the coming years due to high demand from both APTs and financial cybercriminal groups alike. This growth will pose "a challenge for many enterprises and government organizations around the world" to protect against the anonymization layers behind which these groups hide, the researchers wrote.

While law enforcement has been effective in disrupting proxy botnets, it's better to go directly to the source to combat the problem, and that can be done by addressing the security of IoT devices. Indeed, these devices are notoriously hackable, posing a problem for organizations that must manage increasingly larger networks of them.

"It is important \[for organizations\] … to put mitigations in place to avoid their infrastructure being part of the problem itself," the researchers wrote. They can do this, they added, by limiting the exposure of these devices to incoming connections from the open Internet whenever it is not business-essential.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

'Water Barghest' Sells Hijacked IoT Devices for Proxy Botnet Misuse

Apple has released security updates for iOS, iPadOS, macOS, visionOS, and its Safari web browser to address two zero-day flaws that have come under active exploitation in the wild.
The flaws are listed below -

CVE-2024-44308 - A vulnerability in JavaScriptCore that could lead to arbitrary code execution when processing malicious web content
CVE-2024-44309 - A cookie management vulnerability in

Tag

#zero_day