×
Botnet

Trickbot Strikes Back (gizmodo.com) 6

A notorious group of cybercriminals whose operations were almost totally dismantled last year seems to be back in business -- in yet another example of the seemingly intractable nature of cybercrime. Gizmodo reports: The Russian-speaking group known as "Trickbot" (which is also the name of the malware that they're responsible for creating and distributing), has built up its infrastructure and seems to be preparing for some nefarious new campaign, The Daily Beast first reported. The group, which has been connected to ransomware attacks and widespread theft of financial information, is an outgrowth of an older, Russia-based cybercrime group called "Dyre." After Dyre was initially broken up by Russian authorities back in 2015, the remaining members regrouped, creating new malware tools and working to employ them in even more expansive criminal enterprises. Trickbot, which today operates out of numerous places in Eastern Europe -- including Russia, Ukraine, Belarus, and others -- is perhaps best known for running one of the world's largest botnets. Botnets are large networks of "zombie" devices -- computers that have been infected with special kinds of malware that allow them to be collectively controlled by a hacker, typically for malicious purposes. In Trickbot's case, the group has used its million-plus botnet for an assortment of sordid activities, including helping to launch ransomware attacks throughout the world.

Last fall, the Pentagon's Cyber Command attempted to debilitate Trickbot, fearing that hackers connected to the group might attempt to interfere with the 2020 presidential election. CYBERCOM launched a series of "coordinated attacks" against Trickbot's servers, ultimately succeeding in disrupting its operations. However, it was clear that federal officials did not expect their efforts to be a long-term deterrent, with anonymous sources telling the Washington Post that the action was "not expected to permanently dismantle the network." Around the same time, Microsoft launched its own campaign that was also targeted at dismantling the group. The company tracked and analyzed the servers that were involved in operating the botnet, subsequently garnering a court order that allowed them to disable the IP addresses connected to those servers. Microsoft's operation even involved working together with ISPs to reportedly go "door to door" in Latin America, where they helped to replace routers that had been compromised by the criminal group. However, as is often the case with cybercrime, few of the culprits behind the malware's distribution were ever tracked down or faced charges.

Indeed, a recent report from security firm Fortinet seems to show that the group has allegedly helped create a new strain of ransomware, dubbed "Diavol." On top of this, another report from BitDefender shows that the group has built back up its infrastructure and that it has recently been seen gearing up for new attacks and malicious activity, with the firm ultimately noting that "Trickbot shows no sign of slowing down."

Data Storage

Another Exploit Hits WD My Book Live Owners (tomshardware.com) 50

While it will come as no comfort to those who had their Western Digital My Book Live NAS drives wiped last week, it seems they were attacked by a combination of two exploits, and possibly caught in the fallout of a rivalry between two different teams of hackers. Tom's Hardware reports: Initially, after the news broke on Friday, it was thought a known exploit from 2018 was to blame, allowing attackers to gain root access to the devices. However, it now seems that a previously unknown exploit was also triggered, allowing hackers to remotely perform a factory reset without a password and to install a malicious binary file. A statement from Western Digital, updated today, reads: "My Book Live and My Book Live Duo devices are under attack by exploitation of multiple vulnerabilities present in the device ... The My Book Live firmware is vulnerable to a remotely exploitable command injection vulnerability when the device has remote access enabled. This vulnerability may be exploited to run arbitrary commands with root privileges. Additionally, the My Book Live is vulnerable to an unauthenticated factory reset operation which allows an attacker to factory reset the device without authentication. The unauthenticated factory reset vulnerability [has] been assigned CVE-2021-35941."

Analysis of WD's firmware suggests code meant to prevent the issue had been commented out, preventing it from running, by WD itself, and an authentication type was not added to component_config.php which results in the drives not asking for authentication before performing the factory reset. The question then arises of why one hacker would use two different exploits, particularly an undocumented authentication bypass when they already had root access through the command injection vulnerability, with venerable tech site Ars Technica speculating that more than one group could be at work here, with one bunch of bad guys trying to take over, or sabotage, another's botnet.
Western Digital advises users to disconnect their device(s) from the internet. They are offering data recovery services beginning in July, and a trade-in program to switch the obsolete My Book Live drives for more modern My Cloud devices.
Security

FreakOut Malware Worms Its Way Into Vulnerable VMware Services (bleepingcomputer.com) 16

A multi-platform Python-based malware targeting Windows and Linux devices has now been upgraded to worm its way into Internet-exposed VMware vCenter servers unpatched against a remote code execution vulnerability. BleepingComputer reports: The malware, dubbed FreakOut by CheckPoint researchers in January (aka Necro and N3Cr0m0rPh), is an obfuscated Python script designed to evade detection using a polymorphic engine and a user-mode rootkit that hides malicious files dropped on compromised systems. FreakOut spreads itself by exploiting a wide range of OS and apps vulnerabilities and brute-forcing passwords over SSH, adding the infected devices to an IRC botnet controlled by its masters. The malware's core functionality enables operators to launch DDoS attacks, backdoor infected systems, sniff and exfiltrate network traffic, and deploy XMRig miners to mine for Monero cryptocurrency.

As cisco Talos researchers shared in a report published today, FreakOut's developers have been hard at work improving the malware's spreading capabilities since early May, when the botnet's activity has suddenly increased. "Although the bot was originally discovered earlier this year, the latest activity shows numerous changes to the bot, ranging from different command and control (C2) communications and the addition of new exploits for spreading, most notably vulnerabilities in VMWare vSphere, SCO OpenServer, Vesta Control Panel and SMB-based exploits that were not present in the earlier iterations of the code," cisco Talos security researcher Vanja Svajcer said. FreakOut bots scan for new systems to target either by randomly generating network ranges or on its masters' commands sent over IRC via the command-and-control server. For each IP address in the scan list, the bot will try to use one of the built-in exploits or log in using a hardcoded list of SSH credentials.

Security

New Malware Found Lurking In 64-Bit Linux Installs (zdnet.com) 85

syn3rg shares a report from ZDNet: A Linux backdoor recently discovered by researchers has avoided VirusTotal detection since 2018. Dubbed RotaJakiro, the Linux malware has been described by the Qihoo 360 Netlab team as a backdoor targeting Linux 64-bit systems. RotaJakiro was first detected on March 25 when a Netlab distributed denial-of-service (DDoS) botnet C2 command tracking system, BotMon, flagged a suspicious file.

At the time of discovery, there were no malware detections on VirusTotal for the file, despite four samples having been uploaded -- two in 2018, one in 2020, and another in 2021. Netlab researchers say the Linux malware changes its use of encryption to fly under the radar, including ZLIB compression and combinations of AES, XOR, and key rotation during its activities, such as the obfuscation of command-and-control (C2) server communication. At present, the team says that they do not know the malware's "true purpose" beyond a focus on compromising Linux systems.

There are 12 functions in total including exfiltrating and stealing data, file and plugin management -- including query/download/delete -- and reporting device information. However, the team cites a "lack of visibility" into the plugins that is preventing a more thorough examination of the malware's overall capabilities. In addition, RotaJakiro will treat root and non-root users on compromised systems differently and will change its persistence methods depending on which accounts exist.

Security

Authorities Plan To Mass-Uninstall Emotet From Infected Hosts on March 25 (zdnet.com) 26

Law enforcement officials in the Netherlands are in the process of delivering an Emotet update that will remove the malware from all infected computers on March 25, 2021, ZDNet has learned today. From a report: The update was made possible after law enforcement agencies from across eight countries orchestrated a coordinated takedown this week to seize servers and arrest individuals behind Emotet, considered today's largest malware botnet. While servers were located across multiple countries, Dutch officials said that two of three of Emotet's primary command and control (C&C) servers were located inside its borders. Dutch police officials said today they used their access to these two crucial servers to deploy a boobytrapped Emotet update to all infected hosts. According to public reports, also confirmed by ZDNet with two cyber-security firms that have historically tracked Emotet operations, this update contains a time-bomb-like code that will uninstall the Emotet malware on March 25, 2021, at 12:00, the local time of each computer.
Botnet

A Crypto-Mining Botnet Is Now Stealing Docker and AWS Credentials (zdnet.com) 6

An anonymous reader quotes a report from ZDNet: Analysts from security firm Trend Micro said in a report today that they've spotted a malware botnet that collects and steals Docker and AWS credentials. Researchers have linked the botnet to a cybercrime operation known as TeamTNT; a group first spotted over the 2020 summer installing cryptocurrency-mining malware on misconfigured container platforms. Initial reports at the time said that TeamTNT was breaching container platforms by looking for Docker systems that were exposing their management API port online without a password.

Researchers said the TeamTNT group would access exposed Docker containers, install a crypto-mining malware, but also steal credentials for Amazon Web Services (AWS) servers in order to pivot to a company's other IT systems to infect even more servers and deploy more crypto-miners. At the time, researchers said that TeamTNT was the first crypto-mining botnet that implemented a feature dedicated to collecting and stealing AWS credentials. But in a report today, Trend Micro researchers said that the TeamTNT gang's malware code had received considerable updates since it was first spotted last summer. TeamTNT has now also added a feature to collect Docker API credentials, on top of the AWS creds-stealing code. This feature is most likely used on container platforms where the botnet infects hosts using other entry points than its original Docker API port scanning feature.

Security

Backdoor Account Discovered in More Than 100,000 Zyxel Firewalls, VPN Gateways (zdnet.com) 74

More than 100,000 Zyxel firewalls, VPN gateways, and access point controllers contain a hardcoded admin-level backdoor account that can grant attackers root access to devices via either the SSH interface or the web administration panel. From a report: The backdoor account, discovered by a team of Dutch security researchers from Eye Control, is considered as bad as it gets in terms of vulnerabilities. Device owners are advised to update systems as soon as time permits. Security experts warn that anyone ranging from DDoS botnet operators to state-sponsored hacking groups and ransomware gangs could abuse this backdoor account to access vulnerable devices and pivot to internal networks for additional attacks.
Security

Walmart-exclusive Router and Others Sold on Amazon and eBay Contain Hidden Backdoors To Control Devices (cybernews.com) 94

Bernard Meyer, reporting for CyberNews: In a collaboration between CyberNews Sr. Information Security Researcher Mantas Sasnauskas and researchers James Clee and Roni Carta, suspicious backdoors have been discovered in a Chinese-made Jetstream router, sold exclusively at Walmart as their new line of "affordable" wifi routers. This backdoor would allow an attacker the ability to remotely control not only the routers, but also any devices connected to that network. CyberNews reached out to Walmart for comment and to understand whether they were aware of the Jetstream backdoor, and what they plan to do to protect their customers. After we sent information about the affected Jetstream device, a Walmart spokesperson informed CyberNews: "Thank you for bringing this to our attention. We are looking into the issue to learn more. The item in question is currently out of stock and we do not have plans to replenish it."

Besides the Walmart-exclusive Jetstream router, the cybersecurity research team also discovered that low-cost Wavlink routers, normally sold on Amazon or eBay, have similar backdoors. The Wavlink routers also contain a script that lists nearby wifi and has the capability to connect to those networks. We have also found evidence that these backdoors are being actively exploited, and there's been an attempt to add the devices to a Mirai botnet. Mirai is malware that infects devices connected to a network, turns them into remotely controlled bots as part of a botnet, and uses them in large-scale attacks. The most famous of these is the 2016 Dyn DNS cyberattack, which brought down major websites like Reddit, Netflix, CNN, GitHub, Twitter, Airbnb and more.

Botnet

Microsoft Says It Took Down 94% of TrickBot's Command and Control Servers (zdnet.com) 24

TrickBot survived an initial takedown attempt, but Microsoft and its partners are countering TrickBot operators after every move, taking down any new infrastructure the group is attempting to bring up online. From a report: Last week, a coalition of cyber-security firms led by Microsoft orchestrated a global takedown against TrickBot, one of today's largest malware botnets and cybercrime operations. Even if Microsoft brought down TrickBot infrastructure in the first few days, the botnet survived, and TrickBot operators brought new command and control (C&C) servers online in the hopes of continuing their cybercrime spree. But as several sources in the cyber-security industry told ZDNet last week, everyone expected TrickBot to fight back, and Microsoft promised to continue cracking down against the group in the weeks to come. In an update posted today on its takedown efforts, Microsoft confirmed a second wave of takedown actions against TrickBot. The OS maker said it has slowly chipped away at TrickBot infrastructure over the past week and has taken down 94% of the botnet's C&C servers, including the original servers and new ones brought online after the first takedown.
Microsoft

Microsoft Seeks To Defend U.S. Election in Botnet Takedown (bloomberg.com) 39

A coalition of technology companies used a federal court order unsealed Monday to begin dismantling one of the world's most dangerous botnets in an effort to preempt disruptive cyber-attacks before next month's U.S. presidential election. From a report: The takedown is a highly coordinated event, spearheaded by the software giant Microsoft and involving telecommunications providers in multiple countries. If the operation succeeds, it will disable a global network of infected computers created by a popular malicious software known as Trickbot. Beginning early Monday, Trickbot operators are expected to began losing communication with the millions of computers they had painstakingly infected over a period of months, even years. The loss of the botnet -- as a network of infected computers is known -- will make it more difficult for Russian-based cybercriminals and other digital marauders to do their work. It will likely take months or years for the criminals to recover, if at all.

By dramatically dismantling Trickbot's network, Microsoft and its partners believe they will likely head-off ransomware attacks that could compromise voting systems before the U.S. presidential election on Nov. 3, said Tom Burt, vice president of Microsoft's customer security and trust division. "They could tie-up voter registration roles, election night reporting results and generally be extremely disruptive," Burt said. "Taking out one of the most notorious malware groups, we hope, will reduce the risk of ransomware's impact on the election this year." Coordinated takedowns like the one Monday have become increasingly common in the last several years, although the legal and technical hurdles involved are substantial. In this case, Microsoft and its partners were able to obtain a federal court order founded on Trickbot's infringement of Microsoft's trademarks, but ultimately aimed at disconnecting communications channels the attackers use to control the malicious software.

Security

America's 'Cyber Command' Is Trying to Disrupt the World's Largest Botnet (krebsonsecurity.com) 37

The Washington Post reports: In recent weeks, the U.S. military has mounted an operation to temporarily disrupt what is described as the world's largest botnet — one used also to drop ransomware, which officials say is one of the top threats to the 2020 election.

U.S. Cyber Command's campaign against the Trickbot botnet, an army of at least 1 million hijacked computers run by Russian-speaking criminals, is not expected to permanently dismantle the network, said four U.S. officials, who spoke on the condition of anonymity because of the matter's sensitivity. But it is one way to distract them at least for a while as they seek to restore operations.

U.S. Cyber Command also "stuffed millions of bogus records about new victims into the Trickbot database — apparently to confuse or stymie the botnet's operators," reports security researcher Brian Krebs: Alex Holden, chief information security officer and president of Milwaukee-based Hold Security, has been monitoring Trickbot activity before and after the 10-day operation. Holden said while the attack on Trickbot appears to have cut its operators off from a large number of victim computers, the bad guys still have passwords, financial data and reams of other sensitive information stolen from more than 2.7 million systems around the world. Holden said the Trickbot operators have begun rebuilding their botnet, and continue to engage in deploying ransomware at new targets. "They are running normally and their ransomware operations are pretty much back in full swing," Holden said. "They are not slowing down because they still have a great deal of stolen data."

Holden added that since news of the disruption first broke a week ago, the Russian-speaking cybercriminals behind Trickbot have been discussing how to recoup their losses, and have been toying with the idea of massively increasing the amount of money demanded from future ransomware victims.

Botnet

A New Botnet Is Covertly Targeting Millions of Servers (wired.com) 27

An anonymous reader quotes a report from Wired: FritzFrog has been used to try and infiltrate government agencies, banks, telecom companies, and universities across the US and Europe. Researchers have found what they believe is a previously undiscovered botnet that uses unusually advanced measures to covertly target millions of servers around the world. The botnet uses proprietary software written from scratch to infect servers and corral them into a peer-to-peer network, researchers from security firm Guardicore Labs reported on Wednesday. Peer-to-peer (P2P) botnets distribute their administration among many infected nodes rather than relying on a control server to send commands and receive pilfered data. With no centralized server, the botnets are generally harder to spot and more difficult to shut down.

The botnet, which Guardicore Labs researchers have named FritzFrog, has a host of other advanced features, including: In-memory payloads that never touch the disks of infected servers; At least 20 versions of the software binary since January; A sole focus on infecting secure shell, or SSH, servers that network administrators use to manage machines; The ability to backdoor infected servers; and A list of login credential combinations used to suss out weak login passwords that's more "extensive" than those in previously seen botnets. Taken together, the attributes indicate an above-average operator who has invested considerable resources to build a botnet that's effective, difficult to detect, and resilient to takedowns. The new code base -- combined with rapidly evolving versions and payloads that run only in memory -- make it hard for antivirus and other end-point protection to detect the malware.

The botnet has so far succeeded in infecting 500 servers belonging to "well-known universities in the US and Europe, and a railway company."Once installed, the malicious payload can execute 30 commands, including those that run scripts and download databases, logs, or files. To evade firewalls and endpoint protection, attackers pipe commands over SSH to a netcat client on the infected machine. Netcat then connects to a "malware server." (Mention of this server suggests that the FritzFrog peer-to-peer structure may not be absolute. Or it's possible that the "malware server" is hosted on one of the infected machines, and not on a dedicated server. Guardicore Labs researchers weren't immediately available to clarify.)

Botnet

Hackers Could Use IoT Botnets To Manipulate Energy Markets (wired.com) 39

An anonymous reader quotes a report from Wired: At the Black Hat security conference on Wednesday, [researchers at the Georgia Institute of Technology] will present their findings, which suggest that high-wattage IoT botnets -- made up of power-guzzling devices like air conditioners, car chargers, and smart thermostats -- could be deployed strategically to increase demand at certain times in any of the nine private energy markets around the US. A savvy attacker, they say, would be able to stealthily force price fluctuations in the service of profit, chaos, or both. The researchers used real, publicly available data from the New York and California markets between May 2018 and May 2019 to study fluctuations in both the "day-ahead market" that forecasts demand and the "real-time market," in which buyers and sellers correct for forecasting errors and unpredictable events like natural disasters. By modeling how much power various hypothetical high-wattage IoT botnets could draw, and crunching the market data, the researchers devised two types of potential attacks that would alter energy pricing. They also figured out how far hackers would be able to push their attacks without the malicious activity raising red flags.

"Our basic assumption is that we have access to a high-wattage IoT botnet," says Tohid Shekari, a PhD candidate at the Georgia Institute of Technology who contributed to the research, along with fellow PhD candidate Celine Irvine and professor Raheem Beyah. "In our scenarios, attacker one is a market player; he's basically trying to maximize his own profit. Attacker two is a nation-state actor who can cause financial damage to market players as part of a trade war or cold war. The basic part of either attack is to look at price-load sensitivity. If we change demand by 1 percent, how much is the price going to change as a result of that? You want to optimize the attack to maximize the gain or damage." An attacker could use their botnet's power to increase demand, for instance, when other entities are betting it will be low. Or they could bet that demand will go up at a certain time with certainty that they can make that happen.
"The researchers caution that, based on their analysis, much smaller demand fluctuations than you might expect could affect pricing, and that it would take as few as 50,000 infected devices to pull off an impactful attack," the report adds.

"Consumers whose devices are unwittingly conscripted into a high-wattage botnet would also be unlikely to notice anything amiss; attackers could intentionally turn on devices to pull power late at night or while people are likely to be out of the house. [...] The researchers calculated that market manipulation campaigns would cause, at most, a 7 percent increase in consumers' home electric bills, likely low enough to go unnoticed."

The researchers say market manipulators could take home as much as $245 million a year, and cause as much as $350 million per year in economic damage.
Security

Vigilante Sabotages Malware Botnet By Replacing Payloads With Animated GIFs (zdnet.com) 16

An anonymous reader writes: An unknown vigilante hacker has been sabotaging the operations of the recently-revived Emotet botnet by replacing Emotet payloads with animated GIFs, effectively preventing victims from getting infected. The sabotage, which started on July 21, has grown from a simple joke to a serious issue impacting a large portion of the Emotet operation, reducing the biggest malware botnet today to a quarter of its daily capabilities.

Since the attack started, the vigilante has replaced Emotet payloads with this Blink 182 "WTF" GIF, a James Franco GIF, and the Hackerman GIF from the Kung Fury movie.

The article points out this is all possible because Emotet stashes its malware on Wordpress sites they've breached with web shells — all of which have the exact same password.
China

Twitter Removes 9,000 Accounts Pushing Coronavirus Propaganda Praising the United Arab Emirates (buzzfeednews.com) 19

An anonymous reader quotes a report from BuzzFeed News: On April 2, Twitter took down a pro-United Arab Emirates network of accounts that was pushing propaganda about the coronavirus pandemic and criticizing Turkey's military intervention in Libya. Previously tied to marketing firms in the region, parts of this network were removed by Facebook and Twitter last year. The network was made up of roughly 9,000 accounts, according to disinformation research firm DFRLab and independent researcher Josh Russell. Although it promoted narratives in line with the political stances of the governments of the UAE, Saudi Arabia, and Egypt, its origins were unclear.

Many Twitter handles contained alphanumeric characters instead of names, and many did not post photos. Accounts that did have profile pictures often used images of Indian models. One video pushed by the fake accounts voiced support for the Chinese government during the peak of the coronavirus outbreak in China in February. The video remains online, but lost over 4,000 retweets and likes after the takedown. The video now has four retweets.

The bot network also amplified a video of a woman thanking the government of the UAE for transporting Yemeni students out of Wuhan, China. Today, that video, which is also still online, went from having nearly 4,500 retweets to having 70. Spreading propaganda about the coronavirus didn't seem to have been the network's focus. The accounts, some of which posed as journalists and news outlets, amplified an article about the UAE government's disapproval of the Libyan prime minister and boosted criticism of Turkey's support of militias in Libya.

Security

Forbes: Hack on Putin's Intelligence Agency Finds Weapon to Exploit IoT Vulnerabilities (forbes.com) 36

"Red faces in Red Square, again," writes a Forbes cybersecurity correspondent: Last July, I reported on the hacking of SyTech, an FSB contractor working on internet surveillance tech. Now, reports have emerged from Russia of another shocking security breach within the FSB ecosystem. This one has exposed "a new weapon ordered by the security service," one that can be used to execute cyber attacks on IoT devices. The goal of the so-called "Fronton Program" is to exploit IoT security vulnerabilities en masse — remember, these technologies are fundamentally less secure than other connected devices in homes and offices...

The security contractors highlight retained default "factory" passwords as the obvious weakness, one that is easy to exploit... The intent of the program is not to access the owners of those devices, but rather to herd them together into a botnet that can be used to attack much larger targets — think major U.S. and European internet platforms, or the infrastructure within entire countries, such as those bordering Russia.

But the article also notes that targetted devices for the exploits include cameras, adding that compromising such devices in foreign countries by a nation-state agency "carries other surveillance risks as well." It also points out that the FSB "is the successor to the KGB and reports directly to Russia's President Vladimir Putin," and its responsibilities include electronic intelligence gathering overseas.

"The fact that these kind of tools are being contracted out for development given the current geopolitical climate should give us all serious pause for thought."
Security

Hackers Breach FSB Contractor and Leak Details About IoT Hacking Project (zdnet.com) 11

Russian hacker group Digital Revolution claims to have breached a contractor for the FSB -- Russia's national intelligence service -- and discovered details about a project intended for hacking Internet of Things (IoT) devices. From a report: The group published this week 12 technical documents, diagrams, and code fragments for a project called "Fronton." ZDNet has not seen the documents first hand since they are still password-protected; however, the hackers provided the files to BBC Russia earlier this week. According to screenshots shared by the hacker group, which ZDNet asked security researchers to analyze, and based on BBC Russia's report from earlier this week, we believe the Fronton project describes the basics of building an IoT botnet. The technical Fronton documents were put together following a procurement order placed by one of the FSB's internal departments, unit No. 64829, which is also known as the FSB Information Security Center.
Botnet

Microsoft Orchestrates Coordinated Takedown of Necurs Botnet (zdnet.com) 15

Microsoft announced today a coordinated takedown of Necurs, one of the largest spam and malware botnets known to date, believed to have infected more than nine million computers worldwide. From a report: The takedown effort came after Microsoft and industry partners broke the Necurs DGA -- the botnet's domain generation algorithm, the component that generates random domain names. Necurs authors register DHA-generated domains weeks or months in advance and host the botnet's command-and-control (C&C) servers, where bots (infected computers) connect to receive new commands. "We were then able to accurately predict over six million unique domains that would be created in the next 25 months," said Tom Burt, Microsoft Vice President for Customer Security & Trust. Breaking the DGA allowed Microsoft and its industry partners to create a comprehensive list of future Necurs C&C server domains that they can now block and prevent the Necurs team from registering.
Botnet

One of the Most Destructive Botnets Can Now Spread To Nearby Wi-Fi Networks (arstechnica.com) 28

The sophistication of the Emotet malware's code base and its regularly evolving methods for tricking targets into clicking on malicious links has allowed it to spread widely. "Now, Emotet is adopting yet another way to spread: using already compromised devices to infect devices connected to nearby Wi-Fi networks," reports Ars Technica. From the report: Last month, Emotet operators were caught using an updated version that uses infected devices to enumerate all nearby Wi-Fi networks. It uses a programming interface called wlanAPI to profile the SSID, signal strength, and use of WPA or other encryption methods for password-protecting access. Then, the malware uses one of two password lists to guess commonly used default username and password combinations. After successfully gaining access to a new Wi-Fi network, the infected device enumerates all non-hidden devices that are connected to it. Using a second password list, the malware then tries to guess credentials for each user connected to the drive. In the event that no connected users are infected, the malware tries to guess the password for the administrator of the shared resource.

"With this newly discovered loader-type used by Emotet, a new threat vector is introduced to Emotet's capabilities," researchers from security firm Binary Defense wrote in a recently published post. "Previously thought to only spread through malspam and infected networks, Emotet can use this loader-type to spread through nearby wireless networks if the networks use insecure passwords." The Binary Defense post said the new Wi-Fi spreader has a timestamp of April 2018 and was first submitted to the VirusTotal malware search engine a month later. While the module was created almost two years ago, Binary Defense didn't observe it being used in the wild until last month.

Security

Notorious Crime Gang Targets Internet Routers Using Tomato Firmware (arstechnica.com) 51

An anonymous reader quotes a report from Ars Technica: Internet routers running the Tomato alternative firmware are under active attack by a self-propagating exploit that searches for devices using default credentials. When credentials are found, the exploit then makes the routers part of a botnet that's used in a host of online attacks, researchers said on Tuesday. The Muhstik botnet came to light about two years ago when it started unleashed a string of exploits that attacked Linux servers and Internet-of-things devices. It opportunistically exploited a host of vulnerabilities, including the so-called critical Drupalgeddon2 vulnerability disclosed in early 2018 in the Drupal content management system. Muhstik has also been caught using vulnerabilities in routers that use Gigabit Passive Optical Network (GPON) or DD-WRT software. The botnet has also exploited previously patched vulnerabilities in other server applications, including the Webdav, WebLogic, Webuzo, and WordPress.

On Tuesday, researchers from Palo Alto Networks said they recently detected Muhstik targeting Internet routers running Tomato, an open-source package that serves as an alternative to firmware that ships by default with routers running Broadcom chips. The ability to work with virtual private networks and provide advanced quality of service control make Tomato popular with end users and in some cases router sellers. The exploits use already infected devices to scan the Internet for Tomato routers and, when found, to check if they use the default username and password of "admin:admin" or "root:admin" for remote administration. The exploit causes Tomato routers that haven't been locked down with a strong password to join an IRC server that's used to control the botnet. The infection also causes the routers to scan the Internet for servers or devices running WordPress, Webuzo, or WebLogic packages that are vulnerable.

Slashdot Top Deals