Search This Blog

Showing posts with label Network Attacks. Show all posts

Smominru Botnet Affecting Over 4,000 Windows Systems Every Day


Affecting Windows machines across the globe, Smominru has been labeled as one of the most rapidly spreading botnet malware, as per a report by data center and cloud security company, Guardicore Labs. The infection rate of this computer malware has been detected to be up to 47,000 machines per day and in the month of August alone, it compromised almost 90,000 computers, according to the report.

While attacking, Smominru compromises Windows PCs by using the NSA exploit, EternalBlue and brute-force on various services like RDP, TELNET, MS-SQL, and others. The malware is configured to steal the target's credentials and then install a cryptominer and Trojan module to compromise the network. After establishing a foothold, the malware moves laterally to affect as many systems as it potentially can inside the targeted organization.

Reportedly, the US, Russia, China, Taiwan, and Brazil witnessed the maximum number of attacks, however, other countries remain equally vulnerable to the computer malware which saw an upsurge in recent times. To exemplify, we can look at the largest network targeted and hence compromised by Smominru, which was a healthcare provider in Italy, it left a total of 65 hosts affected.

The unspecified and non-targeted nature of the attacks was notable as the compromised networks ranged from medical firms to higher-education institutions, the victims infected by the malware included cybersecurity companies as well.

It has been discovered that around 85% of the attacks are carried out on Windows 7 and Windows Server 2008 systems, while, some others are observed to be taking place on Windows XP, Windows Server 2012, and Windows Server 2003.

Seemingly, the failure of company administrators to timely patch their computer networks and servers is one of the primary reasons for the networks being compromised, although for a lot of organizations, the inability is a result of logistical scarcity, for others, it's simply due to negligence and not being regularly updated with the requirements of the sector.

Demand for teen hackers rises


Shivam Subudhi is 15 and lives in London. Three years ago, he was so inspired by the movies he was watching that featured hackers, he coded a simple port scanner revealing network doors that might let a hacker enter uninvited. "I decided to put my skills into practice for the first time," Subudhi says, "by pentesting my school network and website." Penetration testing is also known as ethical hacking and involves probing networks, systems, and sites looking for security vulnerabilities that could be exploited by an attacker. It was this activity that, unsurprisingly, brought Subudhi to the attention of the deputy headteacher. That teacher was also an IT enthusiast and introduced the budding hacker to the Cyber Discovery program; a £20 million ($24 million) U.K. government-backed scheme to teach kids how to be cybersecurity superheroes. Could your kid be next?

Teenage hackers sought by government Cyber Discovery program

Back in 2017, the U.K. government issued a tender to run a £20m Cyber Schools Programme as part of the National Cyber Security Strategy 2016-2021 created to reduce the cyber skills gap by encouraging young people to pursue a career in the profession. The SANS Institute bid for this contract was successful, having run similar programs in the U.S. and able to demonstrate the success of using a "gamified" learning model.

"SANS is by far the largest and most trusted provider of cybersecurity training in the world," James Lyne, CTO at the SANS Institute says, "so we have a wealth of experience, training content and expert instructors." In the first year the Cyber Discovery program saw some 23,000 youngsters from the U.K. aged between 14 and 18 taking part in the initial assessment phase, and around 12,000 qualifying to participate in the primary learning phases, "CyberStart Game" and "CyberStart Essentials." The following year, 29,000 took part and 14,000 qualified. Registration for the third year of Cyber Discovery is now open and Lyne anticipates a significant increase in participation, not least as the entry age has now dropped to 13.

Vulnerability in DHCP client let hackers take control of network

A critical remote code execution vulnerability that resides in the DHCP client allows attackers to take control of the system by sending malicious DHCP reply packets.

A Dynamic Host Configuration Protocol (DHCP) Client allows a device to act as a host requesting-configuration parameter, such as an IP address from a DHCP server and the DHCP client can be configured on Ethernet interfaces.

In order to join a client to the network, the packer required to have all the TCP/IP configuration information during DHCP Offer and DHCP Ack.

DHCP protocol works as a client-server model, and it is responsible to dynamically allocate the IP address if the user connects with internet also the DHCP server will be responsible for distributing the IP address to the DHCP client.

This vulnerability will execution the remote code on the system that connected with vulnerable DHCP client that tries to connect with a rogue DHCP server.

Vulnerability Details The remote code execution vulnerability exactly resides in the function of dhcpcore.dll called “DecodeDomainSearchListData” which is responsible for decodes the encoded search list option field value.

During the decoding process, the length of the decoded domain name list will be calculated by the function and allocate the memory and copy the decoded list.

According to McAfee research, A malicious user can create an encoded search list, such that when DecodeDomainSearchListData function decodes, the resulting length is zero. This will lead to heapalloc with zero memory, resulting in an out-of-bound write.

The vulnerability has been patched, and it can be tracked as CVE-2019-0547, The patch includes a check which ensures the size argument to HeapAlloc is not zero. If zero, the function exits.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.

New MegaCortex ransomware targeting corporate networks

A new strain of ransomware called MegaCortex has been found targeting attacks against entities in the US, Canada, France, Netherlands, Ireland, and Italy. The ransomware uses both automated as well as manual components in an effort to infect as many victims as possible. It uses a complicated chain of events with some infections beginning with stolen credentials for domain controllers inside target networks.

The ransomware was reported by UK cyber-security firm Sophos after it detected a spike in ransomware attacks at the end of last week.

According to security researchers at Sophos, the cybercriminals operating the ransomware appear to be fans of the movie Matrix, as the ransom note “reads like it was written in the voice and cadence of Lawrence Fishburne’s character, Morpheus.”

The ransomware first began popping up in January. The ransomware has a few interesting attributes, including its use of a signed executable as part of the payload, and an offer of security consulting services from the malware author. Researchers said the ransomware often is present on networks that already are infected with the Emotet and Qakbot malware, but are not sure whether those tools are part of the delivery chain for MegaCortex.

Sophos said the ransomware appears to have been designed to target large enterprise networks as part of carefully planned targeted intrusions --in a tactic that is known as "big-game hunting."

“The malware also employs the use of a long batch file to terminate running programs and kill a large number of services, many of which appear to be related to security or protection, which is becoming a common theme among current-generation ransomware families,” Sophos researcher Andrew Brandt said in a report.

Ransomware, for the most part, targets individuals rather than enterprise networks. That has mainly to do with individuals being relatively easier targets than corporate machines, but some attackers have begun to move up the food chain. Corporate ransomware infections can be much more profitable and efficient, with larger payouts for criminals who can compromise an organization rather than dozens or hundreds of individual victims. MegaCortex seems to be part of that trend, targeting enterprises with a mix of techniques.

Morto ~ A new type of Worm spreading via RDP(Remote Desktop Protocol)

New type of worm is spreading via RDP (Remote Desktop Protocol). The worm is called Morto and it infects Windows workstations and servers. It uses a new spreading vector that we haven't seen before: RDP.

RDP stands for Remote Desktop Protocol. Windows has built-in support for this protocol via Windows Remote Desktop Connection. Once you enable a computer for remote use, you can use any other computer to access it.


When you connect to another computer with this tool, you can remotely use the computer, just like you'd use a local computer.

Once a machine gets infected, the Morto worm starts scanning the local network for machines that have Remote Desktop Connection enabled. This creates a lot of traffic for port 3389/TCP, which is the RDP port.

When Morto finds a Remote Desktop server, it tries logging in as Administrator and tries a series of passwords:

admin
password
server
test
user
pass
letmein
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
abcd1234
admin123
111
123
369
1111
12345
111111
123123
123321
123456
654321
666666
888888
1234567
12345678
123456789
1234567890

Once you are connected to a remote system, you can access the drives of that server via Windows shares like \\tsclient\c and \\tsclient\d for drives C: and D:, respectively. Monto uses this feature to copy itself to the target machine. It does this by creating a temporary drive under letter A: and copying a file called a.dll to it.

The infection will create several new files on the system including \windows\system32\sens32.dll and
\windows\offline web pages\cache.txt

Morto can be controlled remotely. This is done via several alternative servers, including jaifr.com and qfsl.net

Some MD5 hashes include:
0c5728b3c22276719561049653c71b84
14284844b9a5aaa680f6be466d71d95b
58fcbc7c8a5fc89f21393eb4c771131d

F-secure detects Morto components as Backdoor:W32/Morto.A and Worm:W32/Morto.B

More discussion on the topic at Technet forums.