
      Thousands of phones and routers swept into proxy service, unbeknownst to users

      news.movim.eu / ArsTechnica · Tuesday, 26 March - 19:56 · 1 minute


    Crooks are working overtime to anonymize their illicit online activities using thousands of devices of unsuspecting users, as evidenced by two unrelated reports published Tuesday.

    The first, from security firm Lumen Labs, reports that roughly 40,000 home and office routers have been drafted into a criminal enterprise that anonymizes illicit Internet activities, with another 1,000 new devices being added each day. The malware responsible is a variant of TheMoon, a malicious code family dating back to at least 2014. In its earliest days, TheMoon almost exclusively infected Linksys E1000 series routers. Over the years it branched out to target Asus WRT routers, Vivotek network cameras, and multiple D-Link models.

    In the years following its debut, TheMoon’s self-propagating behavior and growing ability to compromise a broad base of architectures enabled a growth curve that captured attention in security circles. More recently, the visibility of the Internet of Things botnet trailed off, leading many to assume it was inert. To the surprise of researchers in Lumen’s Black Lotus Lab, during a single 72-hour stretch earlier this month, TheMoon added 6,000 ASUS routers to its ranks, an indication that the botnet is as strong as it’s ever been.


      New Sophisticated Malware

      news.movim.eu / Schneier · Tuesday, 3 May, 2022 - 21:19 · 1 minute

    Mandiant is reporting on a new botnet.

    The group, which security firm Mandiant is calling UNC3524, has spent the past 18 months burrowing into victims’ networks with unusual stealth. In cases where the group is ejected, it wastes no time reinfecting the victim environment and picking up where things left off. There are many keys to its stealth, including:

    • The use of a unique backdoor Mandiant calls Quietexit, which runs on load balancers, wireless access point controllers, and other types of IoT devices that don’t support antivirus or endpoint detection. This makes detection through traditional means difficult.
    • Customized versions of the backdoor that use file names and creation dates that are similar to legitimate files used on a specific infected device.
    • A live-off-the-land approach that favors common Windows programming interfaces and tools over custom code with the goal of leaving as light a footprint as possible.
    • An unusual way a second-stage backdoor connects to attacker-controlled infrastructure by, in essence, acting as a TLS-encrypted server that proxies data through the SOCKS protocol.


    Unpacking this threat group is difficult. From outward appearances, their focus on corporate transactions suggests a financial interest. But UNC3524’s high-caliber tradecraft, proficiency with sophisticated IoT botnets, and ability to remain undetected for so long suggests something more.

    From Mandiant:

    Throughout their operations, the threat actor demonstrated sophisticated operational security that we see only a small number of threat actors demonstrate. The threat actor evaded detection by operating from devices in the victim environment’s blind spots, including servers running uncommon versions of Linux and network appliances running opaque OSes. These devices and appliances were running versions of operating systems that were unsupported by agent-based security tools, and often had an expected level of network traffic that allowed the attackers to blend in. The threat actor’s use of the QUIETEXIT tunneler allowed them to largely live off the land, without the need to bring in additional tools, further reducing the opportunity for detection. This allowed UNC3524 to remain undetected in victim environments for, in some cases, upwards of 18 months.


      Police Have Disrupted the Emotet Botnet

      Bruce Schneier · news.movim.eu / Schneier · Thursday, 28 January, 2021 - 16:09 · 1 minute

    A coordinated effort has captured the command-and-control servers of the Emotet botnet:

    Emotet establishes a backdoor onto Windows computer systems via automated phishing emails that distribute Word documents compromised with malware. Subjects of emails and documents in Emotet campaigns are regularly altered to provide the best chance of luring victims into opening emails and installing malware; regular themes include invoices, shipping notices and information about COVID-19.

    Those behind Emotet lease their army of infected machines out to other cyber criminals as a gateway for additional malware attacks, including remote access tools (RATs) and ransomware.


    A week of action by law enforcement agencies around the world gained control of Emotet’s infrastructure of hundreds of servers around the world and disrupted it from the inside.

    Machines infected by Emotet are now directed to infrastructure controlled by law enforcement, meaning cyber criminals can no longer exploit machines compromised and the malware can no longer spread to new targets, something which will cause significant disruption to cyber-criminal operations.


    The Emotet takedown is the result of over two years of coordinated work by law enforcement operations around the world, including the Dutch National Police, Germany’s Federal Crime Police, France’s National Police, the Lithuanian Criminal Police Bureau, the Royal Canadian Mounted Police, the US Federal Bureau of Investigation, the UK’s National Crime Agency, and the National Police of Ukraine.


      New P2P botnet infects SSH servers all over the world

      Dan Goodin · news.movim.eu / ArsTechnica · Wednesday, 19 August, 2020 - 13:00


    Researchers have found what they believe is a previously undiscovered botnet that uses unusually advanced measures to covertly target millions of servers around the world.

    The botnet uses proprietary software written from scratch to infect servers and corral them into a peer-to-peer network, researchers from security firm Guardicore Labs reported on Wednesday. P2P botnets distribute their administration among many infected nodes rather than relying on a control server to send commands and receive pilfered data. With no centralized server, the botnets are generally harder to spot and more difficult to shut down.

    “What was intriguing about this campaign was that, at first sight, there was no apparent command and control (CNC) server being connected to,” Guardicore Labs researcher Ophir Harpaz wrote. “It was shortly after the beginning of the research when we understood no CNC existed in the first place.”


      Two record DDoSes disclosed this week underscore their growing menace

      Dan Goodin · news.movim.eu / ArsTechnica · Thursday, 25 June, 2020 - 17:32 · 1 minute


    Distributed denial-of-service attacks—those floods of junk traffic that criminals use to disrupt or completely take down websites and services—have long been an Internet scourge, with events that regularly cripple news outlets and software repositories and in some cases bring huge parts of the Internet to a standstill for hours. Now there’s evidence that DDoSes, as they’re usually called, are growing more potent, with two record-breaking attacks coming to light in the past week.

    DDoS operators hack thousands, hundreds of thousands and in some cases millions of Internet-connected devices and harness their bandwidth and processing power. The attackers use these ill-gotten resources to bombard sites with torrents of data packets with the goal of taking the targets down. More advanced attackers magnify their firepower by bouncing the malicious traffic off of third-party services that in some cases can amplify it by a factor of 51,000, a feat that, at least theoretically, allows a single home computer with a 100 megabit-per-second upload capacity to deliver a once-unimaginable 5 terabits per second of traffic.

    These types of DDoSes are known as volumetric attacks. The objective is to use machines distributed across the Internet to send orders of magnitude more traffic volume to a circuit than it can handle. A second class—known as packet-per-second focused attacks—forces machines to bombard network gear or applications inside the target’s data center with more data packets than they can process. The objective in both types of attacks is the same. With network or processing capacity fully consumed, legitimate users can no longer access the target’s resources, resulting in a denial of service.
