#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Insider Risk Management

Cado Security | Breaking Cybersecurity News | The Hacker News

Exposed Docker APIs Under Attack in 'Commando Cat' Cryptojacking Campaign

Exposed Docker APIs Under Attack in 'Commando Cat' Cryptojacking Campaign

Feb 01, 2024 Cryptojacking / Linux Security
Exposed Docker API endpoints over the internet are under assault from a sophisticated cryptojacking campaign called  Commando Cat . "The campaign deploys a benign container generated using the  Commando project ," Cado security researchers Nate Bill and Matt Muir  said  in a new report published today. "The attacker  escapes this container  and runs multiple payloads on the Docker host." The campaign is believed to have been active since the start of 2024, making it the second such campaign to be discovered in as many months. In mid-January, the cloud security firm also shed light on  another activity cluster  that targets vulnerable Docker hosts to deploy XMRig cryptocurrency miner as well as the 9Hits Viewer software. Commando Cat employs Docker as an initial access vector to deliver a collection of interdependent payloads from an actor-controlled server that is responsible for registering persistence, backdooring the host, exfiltrating cloud service provider
Qubitstrike Targets Jupyter Notebooks with Crypto Mining and Rootkit Campaign

Qubitstrike Targets Jupyter Notebooks with Crypto Mining and Rootkit Campaign

Oct 18, 2023 Rootkit / Cryptocurrency
A threat actor, presumably from Tunisia, has been linked to a new campaign targeting exposed Jupyter Notebooks in a two-fold attempt to illicitly mine cryptocurrency and breach cloud environments. Dubbed  Qubitstrike  by Cado, the intrusion set utilizes Telegram API to exfiltrate cloud service provider credentials following a successful compromise. "The payloads for the Qubitstrike campaign are all hosted on codeberg.org – an alternative Git hosting platform, providing much of the same functionality as GitHub," security researchers Matt Muir and Nate Bill  said  in a Wednesday write-up. In the attack chain documented by the cloud security firm, publicly accessible Jupyter instances are breached to execute commands to retrieve a shell script (mi.sh) hosted on Codeberg. The shell script, which acts as the primary payload, is responsible for executing a cryptocurrency miner, establishing persistence by means of a cron job, inserting an attacker-controlled key to the .ssh/a
Researchers Raise Red Flag on P2PInfect Malware with 600x Activity Surge

Researchers Raise Red Flag on P2PInfect Malware with 600x Activity Surge

Sep 21, 2023 Botnet / Cyber Threat
The peer-to-peer (P2) worm known as  P2PInfect  has witnessed a surge in activity since late August 2023, witnessing a 600x jump between September 12 and 19, 2023. "This increase in P2PInfect traffic has coincided with a growing number of variants seen in the wild, suggesting that the malware's developers are operating at an extremely high development cadence," Cado Security researcher Matt Muir said in a report published Wednesday. A majority of the compromises have been reported in China, the U.S., Germany, the U.K., Singapore, Hong Kong, and Japan. P2PInfect first came to light in July 2023 for its ability to breach poorly secured Redis instances. The threat actors behind the campaign have since resorted to different approaches for initial access, including the abuse of the database's replication feature to deliver the malware. Cado Security said it has observed an increase in initial access events attributable to P2PInfect in which the Redis SLAVEOF command
cyber security

Protecting Your Organization From Insider Threats - All You Need to Know

websiteWing SecuritySaaS Security
Get practical insights and strategies to manage inadequate offboarding and insider risks effectively.
New Guide: How to Scale Your vCISO Services Profitably

New Guide: How to Scale Your vCISO Services Profitably

May 09, 2024vCISO / Regulatory Compliance
Cybersecurity and compliance guidance are in high demand among SMEs. However, many of them cannot afford to hire a full-time CISO. A  v CISO can answer this need by offering on-demand access to top-tier cybersecurity expertise. This is also an opportunity for MSPs and MSSPs to grow their business and bottom line. MSPs and MSSPs that expand their offerings and provide vCISO services will cater to SME requirements and concerns. By answering this market gap, they can grow their customer base as well as upsell to existing clients. This will lead to recurring revenue and increased profitability. Developing and scaling vCISO services requires a well-thought-out plan. This will help guide you through the required processes, anticipate and overcome challenges and optimize resource use. To aid you, we introduce a comprehensive and actionable  guide: "How to Scale Your vCISO Services Profitably" . The guide was developed based on the experience of industry leader  Cynom i, who has helped hun
New P2PInfect Worm Targets Redis Servers with Undocumented Breach Methods

New P2PInfect Worm Targets Redis Servers with Undocumented Breach Methods

Jul 31, 2023 Cyber Threat / Botnet
The P2PInfect peer-to-peer (P2) worm has been observed employing previously undocumented initial access methods to breach susceptible Redis servers and rope them into a botnet. "The malware compromises exposed instances of the Redis data store by exploiting the replication feature," Cado Security researchers Nate Bill and Matt Muir  said  in a report shared with The Hacker News. "A common attack pattern against Redis in cloud environments is to exploit this feature using a malicious instance to enable replication. This is achieved via connecting to an exposed Redis instance and issuing the SLAVEOF command." The Rust-based malware was  first documented  by Palo Alto Networks Unit 42, calling out the malware's ability to exploit a critical Lua sandbox escape vulnerability ( CVE-2022-0543 , CVSS score: 10.0) to obtain a foothold into Redis instances. The campaign is believed to have commenced on or after June 29, 2023. However, the latest discovery suggests th
Cryptojacking Group TeamTNT Suspected of Using Decoy Miner to Conceal Data Exfiltration

Cryptojacking Group TeamTNT Suspected of Using Decoy Miner to Conceal Data Exfiltration

Mar 16, 2023 Cryptojacking / Cyber Attack
The cryptojacking group known as  TeamTNT  is suspected to be behind a previously undiscovered strain of malware used to mine Monero cryptocurrency on compromised systems. That's according to Cado Security, which  found  the  sample  after Sysdig detailed a sophisticated attack known as  SCARLETEEL  aimed at containerized environments to ultimately steal proprietary data and software. Specifically, the early phase of the attack chain involved the use of a cryptocurrency miner, which the cloud security firm suspected was deployed as a decoy to conceal the detection of data exfiltration. The artifact – uploaded to VirusTotal late last month – "bear[s] several syntactic and semantic similarities to prior TeamTNT payloads, and includes a wallet ID that has previously been attributed to them," a new analysis from Cado Security has  revealed . TeamTNT , active since at least 2019, has been documented to repeatedly strike cloud and container environments to deploy cryptocur
New Cryptojacking Campaign Leverages Misconfigured Redis Database Servers

New Cryptojacking Campaign Leverages Misconfigured Redis Database Servers

Mar 02, 2023 Data Security / Cryptojacking
Misconfigured Redis database servers are the target of a novel cryptojacking campaign that leverages a legitimate and open source command-line file transfer service to implement its attack. "Underpinning this campaign was the use of transfer[.]sh," Cado Security  said  in a report shared with The Hacker News. "It's possible that it's an attempt at evading detections based on other common code hosting domains (such as pastebin[.]com)." The cloud cybersecurity firm said the command line interactivity associated with transfer[.]sh has made it an ideal tool for hosting and delivering malicious payloads. The attack chain commences with targeting insecure Redis deployments, followed by registering a  cron job  that leads to arbitrary code execution when parsed by the scheduler. The job is designed to retrieve a payload hosted at transfer[.]sh. It's worth noting that  similar   attack mechanisms  have been employed by other threat actors like TeamTNT and
Cybersecurity
Expert Insights
Cybersecurity Resources