Google Brings Up Nest for Advanced Protection Program, Will Provide Protection for High-Profile Targets like Politicians and Journalists


Due to a recent increase in device hacks, Google has decided to strengthen its Nest security protections. The Nest smart home devices will now offer account protection to users who are always high-potential targets, such as journalists and politicians. The Advanced Protection Program was launched in 2017. For users signing up for Google services, the program offered additional account protection features: restricting third-party access, providing malware protection, and offering security keys to prevent cyberattacks.


According to Google, Nest has been brought into the program because of top requests from users. Smart home devices have become an easy target for hackers because they are connected to the internet but lack basic safety protections. This has compelled the Government and the states to aid developers of these devices in increasing their security. If hackers attack a smart home device and gain access to it, they can control the camera or enlist the device in a botnet, which can take websites offline through junk traffic. Nest devices are considered to be the safest of all, but even they are vulnerable to hacking attacks.

After a series of cyberattacks against Nest devices were reported earlier this year, Google required Nest users to use two-factor authentication. According to Google, the user accounts were not breached, but it said that hackers could be using passwords stolen in different breaches to target other Nest users. We know that two-factor authentication provides an extra layer of security to users, but according to Google, the new security improvements will be even better and more reliable.

According to the Washington Post, "tech companies have been aware of the threat of credential stuffing for years, but the way they think about it has evolved as it has become a bigger problem. There was once a sense that users should take responsibility for their security by refraining from using the same password on multiple websites. But as gigantic dumps of passwords have gotten more frequent, technology companies have found that it is not just a few inattentive customers who reuse the same passwords for different accounts — it's the majority of people online."

The Blue Mockingbird Malware Group Exploits Vulnerabilities in Organizations' Networks


Another notorious crypto-currency mining malware has surfaced, which has allegedly been infecting the systems of countless organizations. The group controlling the operation goes by the code name “Blue Mockingbird”.

The researchers who discovered it have reason to believe that Blue Mockingbird has been active since December 2019. Per them, it targets “public-facing servers” that run “ASP.NET” apps that use the “Telerik framework” for their User Interface (UI).

Reportedly, the vulnerability that the hackers exploit in the process is “CVE-2019-18935”, which is used to plant a web shell on the target’s server. Per the same report, they later employ a version of “the Juicy Potato technique” to obtain admin access and alter the server settings to obtain “(re)boot persistence”.

After having obtained complete access to a system, sources mention, the malware group installs a version of XMRig, a well-known crypto-currency mining application for the “Monero (XMR)” crypto-currency.

As per reports, if the public-facing IIS servers are linked to a company’s internal network, the malware group may try to expand internally through improperly secured Server Message Block (SMB) or Remote Desktop Protocol (RDP) connections.

The exact number of infections that the botnet has caused isn’t clear, but if an estimate were to be made, the operation includes 1,000 infections at the least. There also doesn’t seem to be a way to gauge the intensity of the threat.

Not many of the organizations being observed by the researchers have been hit by this particular threat, and the above-mentioned number of infections surfaced over the very short period in which they were tracked.

Nevertheless, all companies alike are susceptible to this attack, even the ones that think they are safe, and the number of infections could be higher than estimated.

As per sources, the allegedly vulnerable Telerik UI component may be part of ASP.NET applications that are themselves running their latest versions; even then, the Telerik component inside them may be an outdated version that is still harmful to the organization. This component could exist in applications used by a company without the company even knowing about it, leaving it endangered.

The Telerik UI CVE-2019-18935 vulnerability is, per reports, widely known as the one employed to plant web shells on servers. Another report mentioned that this vulnerability is the most exploited and that organizations need to improve their firewalls to fight it. If for some reason an organization doesn’t have a web firewall, it can always look for warning precursors on its servers and workstations, reports cite.

Microsoft shuts down the infamous Necurs Botnet!

Microsoft announced on Tuesday that, in collaboration with its industry partners, it has successfully shut down the famous botnet Necurs, responsible for the distribution of most spam mails and malware to date.


Microsoft wrote in a blog post that it has "significantly disrupted" the botnet by taking legal action against it, after eight long years of planning and tracking.

On March 5, with a United States court order, Microsoft was able to take control of the U.S. network and infrastructure used by the botnet and stop its distribution.

According to Tom Burt, Corporate Vice President, Customer Security & Trust, this action by Microsoft, with the cooperation of a global public-private partnership, will be a big setback to hackers and cyber criminals and will prevent them from launching future attacks.

"This was accomplished by analyzing a technique used by Necurs to systematically generate new domains through an algorithm. We were then able to accurately predict over six million unique domains that would be created in the next 25 months," Burt explained.

"Microsoft reported these domains to their respective registries in countries around the world so the websites can be blocked and thus prevented from becoming part of the Necurs infrastructure. By taking control of existing websites and inhibiting the ability to register new ones, we have significantly disrupted the botnet."

The Necurs botnet was discovered in 2012, and it rose from there to become the largest distributor of spam mails and malware. It is the largest spam bot to date, affecting 9 million computers. It is used by criminals and hackers worldwide to launch attacks through email and was responsible for spreading infamous threats like the GameOver Zeus trojan as well as the Dridex malware deployed by Evil Corp.

One Necurs-infected computer could send 3.8 million spam emails to 40.6 million machines or individuals in just 58 days.

Microsoft is also working with various Internet service providers (ISPs) to clear victims' computers of any malware or strain linked to the Necurs botnet, in order to completely eradicate the botnet and prevent any comebacks.

“This remediation effort is global in scale and involves collaboration with partners in industry, government and law enforcement via the Microsoft Cyber Threat Intelligence Program (CTIP),” added the post. “Through CTIP, Microsoft provides law enforcement, government Computer Emergency Response Teams (CERTs), ISPs and government agencies responsible for the enforcement of cyber laws and the protection of critical infrastructure with better insights into criminal cyber infrastructure located within their jurisdiction, as well as a view of compromised computers and victims impacted by such criminal infrastructure.”

Smominru Botnet Affecting Over 4,000 Windows Systems Every Day


Affecting Windows machines across the globe, Smominru has been labeled one of the most rapidly spreading botnet malware strains, as per a report by the data center and cloud security company Guardicore Labs. The infection rate of this malware has been detected to be up to 47,000 machines per day, and in the month of August alone it compromised almost 90,000 computers, according to the report.

When attacking, Smominru compromises Windows PCs by using the NSA exploit EternalBlue and by brute-forcing various services such as RDP, Telnet, MS-SQL, and others. The malware is configured to steal the target's credentials and then install a cryptominer and a Trojan module to compromise the network. After establishing a foothold, the malware moves laterally to affect as many systems as it can inside the targeted organization.

Reportedly, the US, Russia, China, Taiwan, and Brazil witnessed the maximum number of attacks; however, other countries remain equally vulnerable to the malware, which has seen an upsurge in recent times. As an example, the largest network targeted and compromised by Smominru was that of a healthcare provider in Italy, where a total of 65 hosts were affected.

The unspecific and non-targeted nature of the attacks was notable, as the compromised networks ranged from medical firms to higher-education institutions. The victims infected by the malware included cybersecurity companies as well.

It has been discovered that around 85% of the attacks are carried out on Windows 7 and Windows Server 2008 systems, while others are observed to be taking place on Windows XP, Windows Server 2012, and Windows Server 2003.

Seemingly, the failure of company administrators to patch their computer networks and servers in a timely manner is one of the primary reasons for the networks being compromised. For a lot of organizations, this inability is a result of logistical scarcity; for others, it is simply due to negligence and not keeping up to date with the requirements of the sector.

A New Botnet Aims to Infect Android Devices with Malware that Mines the Monero Cryptocurrency

Another botnet showed up over the weekend, on Saturday, February 3, focused entirely on Android devices and specifically on port 5555. On devices running the Android OS, this is the port used by the operating system's native Android Debug Bridge (ADB), a debugging interface that grants access to some of the operating system's most sensitive features.

The botnet scans for open debug ports so that it can infect victims with malware that mines the Monero cryptocurrency.

As per the security researchers from Qihoo 360's Network Security Research Lab (Netlab) division who discovered the botnet, named ADB.miner, only devices running the Android OS, such as smartphones, smart TVs, and TV set-top boxes, have been infected so far.

"The number of scan [sources] has doubled every 12 [hours]," said Yiming Gong, Director of the Network Security Research Lab at Qihoo 360. "We will see how big this botnet gets."


The botnet appears to be aggressive and continues to grow every day, with infected devices scanning the Internet for other victims. As of now, the botnet seems to have infected around 7,400 devices, as detected by Netlab.


Scanning for port 5555 recently shot up to the #4 spot in Netlab's list of most scanned ports; previously, it wasn't even in the top 10.


Most IP addresses scanning for other devices (which means they are already infected) are located in China (~40%) and South Korea (~30%). Yiming further said that the botnet has mostly infected "television related" devices rather than smartphones.
  
Netlab says ADB.miner used some of Mirai's port scanning code, which also marks the first time an Android malware strain has borrowed code from Mirai, a strain of Linux-based malware that previously targeted only networking and IoT devices.

All the same, the researchers still haven't given any details about the ADB vulnerability the attackers are using to take control of devices. They did, however, clarify that they don't think the bug is specific to a particular vendor. This in all probability implies that the bug affects the core of the Android ADB component itself.