The Hacker News Logo
Subscribe to Newsletter
CrowdSec

The Hacker News - Cybersecurity News and Analysis: botnet

Authorities Shut Down Russian RSOCKS Botnet That Hacked Millions of Devices

Authorities Shut Down Russian RSOCKS Botnet That Hacked Millions of Devices
June 17, 2022Ravie Lakshmanan
The U.S. Department of Justice (DoJ) on Thursday disclosed that it took down the infrastructure associated with a Russian botnet known as RSOCKS in collaboration with law enforcement partners in Germany, the Netherlands, and the U.K. The botnet, operated by a sophisticated cybercrime organization, is believed to have ensnared millions of internet-connected devices, including Internet of Things (IoT) devices, Android phones, and computers for use as a proxy service. Botnets, a constantly evolving threat, are networks of hijacked computer devices that are under the control of a single attacking party and are used to facilitate a variety of large-scale cyber intrusions such as distributed denial-of-service (DDoS) attacks, email spam, and cryptojacking. "The RSOCKS botnet offered its clients access to IP addresses assigned to devices that had been hacked," the DoJ  said  in a press release. "The owners of these devices did not give the RSOCKS operator(s) authority to ac

Panchan: A New Golang-based Peer-To-Peer Botnet Targeting Linux Servers

Panchan: A New Golang-based Peer-To-Peer Botnet Targeting Linux Servers
June 15, 2022Ravie Lakshmanan
A new Golang-based peer-to-peer (P2P) botnet has been spotted actively targeting Linux servers in the education sector since its emergence in March 2022. Dubbed  Panchan  by Akamai Security Research, the malware "utilizes its built-in concurrency features to maximize spreadability and execute malware modules" and "harvests SSH keys to perform lateral movement." The feature-packed botnet, which relies on a basic list of default SSH passwords to carry out a  dictionary attack  and expand its reach, primarily functions as a cryptojacker designed to hijack a computer's resources to mine cryptocurrencies. The cybersecurity and cloud service company noted it first spotted Panchan's activity on March 19, 2022, and attributed the malware to a likely Japanese threat actor based on the language used in the administrative panel baked into the binary to edit the mining configuration. Panchan is known to deploy and execute two miners, XMRig and nbhash, on the host

Fronton: Russian IoT Botnet Designed to Run Social Media Disinformation Campaigns

Fronton: Russian IoT Botnet Designed to Run Social Media Disinformation Campaigns
May 23, 2022Ravie Lakshmanan
Fronton, a distributed denial-of-service (DDoS) botnet that came to light in March 2020, is much more powerful than previously thought, per the latest research. "Fronton is a system developed for coordinated inauthentic behavior on a massive scale," threat intelligence firm Nisos said in a  report  published last week. "This system includes a web-based dashboard known as SANA that enables a user to formulate and deploy trending social media events en masse. The system creates these events that it refers to as Инфоповоды, 'newsbreaks,' utilizing the botnet as a geographically distributed transport." The existence of Fronton, an IoT botnet, became public knowledge following revelations from  BBC Russia  and  ZDNet  in March 2020 after a Russian hacker group known as Digital Revolution published documents that it claimed were obtained after breaking into a subcontractor to the FSB, the Federal Security Service of the Russian Federation. Further investigat

Microsoft Warns Rise in XorDdos Malware Targeting Linux Devices

Microsoft Warns Rise in XorDdos Malware Targeting Linux Devices
May 20, 2022Ravie Lakshmanan
A Linux botnet malware known as XorDdos has witnessed a 254% surge in activity over the last six months, according to latest research from Microsoft. The trojan, so named for carrying out denial-of-service attacks on Linux systems and its use of XOR-based encryption for communications with its command-and-control (C2) server, is  known  to have been  active  since at least 2014. "XorDdos' modular nature provides attackers with a versatile trojan capable of infecting a variety of Linux system architectures," Ratnesh Pandey, Yevgeny Kulakov, and Jonathan Bar Or of the Microsoft 365 Defender Research Team  said  in an exhaustive deep-dive of the malware. "Its SSH brute-force attacks are a relatively simple yet effective technique for gaining root access over a number of potential targets." Remote control over vulnerable IoT and other internet-connected devices is gained by means of secure shell (SSH) brute-force attacks, enabling the malware to form a botnet

New Sysrv Botnet Variant Hijacking Windows and Linux with Crypto Miners

New Sysrv Botnet Variant Hijacking Windows and Linux with Crypto Miners
May 17, 2022Ravie Lakshmanan
Microsoft is warning of a new variant of the srv botnet that's exploiting multiple security flaws in web applications and databases to install coin miners on both Windows and Linux systems. The tech giant, which has called the new version Sysrv-K , is said to weaponize an  array of exploits  to gain control of web servers. The cryptojacking botnet first emerged in December 2020. "Sysrv-K scans the internet to find web servers with various vulnerabilities to install itself," the company  said  in a series of tweets. "The vulnerabilities range from path traversal and remote file disclosure to arbitrary file download and remote code execution vulnerabilities." This also includes  CVE-2022-22947  (CVSS score: 10.0), a code injection vulnerability in Spring Cloud Gateway that could be exploited to allow arbitrary remote execution on a remote host via a maliciously crafted request. It's worth noting that the abuse of CVE-2022-22947 has prompted the U.S. Cyb

New BotenaGo Malware Variant Targeting Lilin Security Camera DVR Devices

New BotenaGo Malware Variant Targeting Lilin Security Camera DVR Devices
April 25, 2022Ravie Lakshmanan
A new variant of an IoT botnet called BotenaGo has emerged in the wild, specifically singling out Lilin security camera DVR devices to infect them with Mirai malware. Dubbed " Lilin Scanner " by Nozomi Networks, the  latest version  is designed to exploit a two-year-old critical  command injection vulnerability  in the DVR firmware that was patched by the Taiwanese company in February 2020. BotenaGo , first documented in November 2021 by AT&T Alien Labs, is written in Golang and features over 30 exploits for known vulnerabilities in web servers, routers and other kinds of IoT devices. The botnet's source code has since been uploaded to GitHub, making it ripe for abuse by other criminal actors. "With only 2,891 lines of code, BotenaGo has the potential to be the starting point for many new variants and new malware families using its source code," the researchers  said  this year. The new BotenaGo malware is the  latest  to exploit vulnerabilities in Lil

Watch Out! Cryptocurrency Miners Targeting Dockers, AWS and Alibaba Cloud

Watch Out! Cryptocurrency Miners Targeting Dockers, AWS and Alibaba Cloud
April 22, 2022Ravie Lakshmanan
LemonDuck, a cross-platform cryptocurrency mining botnet, is targeting Docker to mine cryptocurrency on Linux systems as part of an active malware campaign. "It runs an anonymous mining operation by the use of proxy pools, which hide the wallet addresses," CrowdStrike  said  in a new report. "It evades detection by targeting Alibaba Cloud's monitoring service and disabling it." Known to strike both Windows and Linux environments, LemonDuck is primarily engineered for abusing the system resources to mine Monero. But it's also capable of credential theft, lateral movement, and facilitating the deployment of additional payloads for follow-on activities. "It uses a wide range of spreading mechanisms — phishing emails, exploits, USB devices, brute force, among others — and it has shown that it can quickly take advantage of news, events, or the release of new exploits to run effective campaigns," Microsoft  detailed  in a technical write-up of the ma

New EnemyBot DDoS Botnet Borrows Exploit Code from Mirai and Gafgyt

New EnemyBot DDoS Botnet Borrows Exploit Code from Mirai and Gafgyt
April 14, 2022Ravie Lakshmanan
A threat group that pursues crypto mining and distributed denial-of-service (DDoS) attacks has been linked to a new botnet called Enemybot, which has been discovered enslaving routers and Internet of Things (IoT) devices since last month. "This botnet is mainly derived from  Gafgyt 's source code but has been observed to borrow several modules from  Mirai 's original source code," Fortinet FortiGuard Labs  said  in a report this week. The botnet has been attributed to an actor named Keksec (aka  Kek Security , Necro, and  FreakOut ), which has been linked to multiple botnets such as  Simps ,  Ryuk  (not to be confused with the ransomware of the same name), and  Samael , and has a history of targeting cloud infrastructure to carry out crypto mining and DDoS operations. Primarily targeting routers from Seowon Intech, D-Link, and iRZ to propagate its infections and grow in volume, an analysis of the malware specimen has highlighted Enemybot's obfuscation attemp

Microsoft Disrupts ZLoader Cybercrime Botnet in Global Operation

Microsoft Disrupts ZLoader Cybercrime Botnet in Global Operation
April 14, 2022Ravie Lakshmanan
Microsoft and a consortium of cybersecurity companies took legal and technical steps to disrupt the ZLoader botnet , seizing control of 65 domains that were used to control and communicate with the infected hosts. "ZLoader is made up of computing devices in businesses, hospitals, schools, and homes around the world and is run by a global internet-based organized crime gang operating malware as a service that is designed to steal and extort money," Amy Hogan-Burney, general manager of Microsoft's Digital Crimes Unit (DCU),  said . The operation, Microsoft said, was undertaken in collaboration with ESET, Lumen's Black Lotus Labs, Palo Alto Networks Unit 42, Avast, Financial Services Information Sharing and Analysis Center (FS-ISAC), and Health Information Sharing and Analysis Center (H-ISAC). As a result of the disruption, the domains are now redirected to a sinkhole, effectively preventing the botnet's criminal operators from contacting the compromised devices.

Hackers Exploiting Spring4Shell Vulnerability to Deploy Mirai Botnet Malware

Hackers Exploiting Spring4Shell Vulnerability to Deploy Mirai Botnet Malware
April 08, 2022Ravie Lakshmanan
The recently disclosed critical Spring4Shell vulnerability is being actively exploited by threat actors to execute the Mirai botnet malware , particularly in the Singapore region since the start of April 2022. "The exploitation allows threat actors to download the Mirai sample to the '/tmp' folder and execute them after permission change using 'chmod ,'" Trend Micro researchers Deep Patel, Nitesh Surana, Ashish Verma said in a report published Friday. Tracked as CVE-2022-22965 (CVSS score: 9.8), the vulnerability could allow malicious actors to achieve remote code execution in Spring Core applications under non-default circumstances, granting the attackers full control over the compromised devices. The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) earlier this week added the Spring4Shell vulnerability to its Known Exploited Vulnerabilities Catalog based on "evidence of active exploitation." This is

FBI Shut Down Russia-linked "Cyclops Blink" Botnet That Infected Thousands of Devices

FBI Shut Down Russia-linked "Cyclops Blink" Botnet That Infected Thousands of Devices
April 07, 2022Ravie Lakshmanan
The U.S. Department of Justice (DoJ) announced that it neutralized Cyclops Blink , a modular botnet controlled by a threat actor known as Sandworm, which has been attributed to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). "The operation copied and removed malware from vulnerable internet-connected firewall devices that Sandworm used for command-and-control (C2) of the underlying botnet," the DoJ  said  in a statement Wednesday. In addition to disrupting its C2 infrastructure, the operation also closed the external management ports that the threat actor used to establish connections with the firewall appliances, effectively severing contact and preventing the hacking group from using the infected devices to commandeer the botnet. The March 22 court-authorized disruption of Cyclops Blink comes a little over a month after intelligence agencies in the U.K. and the U.S.  described  the botnet as a replacement fram

Beastmode DDoS Botnet Exploiting New TOTOLINK Bugs to Enslave More Routers

Beastmode DDoS Botnet Exploiting New TOTOLINK Bugs to Enslave More Routers
April 04, 2022Ravie Lakshmanan
A variant of the Mirai botnet called Beastmode has been observed adopting newly disclosed vulnerabilities in TOTOLINK routers between February and March 2022 to infect unpatched devices and expand its reach potentially. "The Beastmode (aka B3astmode) Mirai-based DDoS campaign has aggressively updated its arsenal of exploits," Fortinet's FortiGuard Labs Research team  said . "Five new exploits were added within a month, with three targeting various models of TOTOLINK routers." The list of exploited vulnerabilities in TOTOLINK routers is as follows - CVE-2022-26210  (CVSS score: 9.8) - A command injection vulnerability that could be exploited to gain arbitrary code execution CVE-2022-26186  (CVSS score: 9.8) - A command injection vulnerability affecting TOTOLINK N600R and A7100RU routers, and CVE-2022-25075 to CVE-2022-25084  (CVSS scores: 9.8) - A command injection vulnerability impacting multiple TOTOLINK routers, leading to code execution The other e

Muhstik Botnet Targeting Redis Servers Using Recently Disclosed Vulnerability

Muhstik Botnet Targeting Redis Servers Using Recently Disclosed Vulnerability
March 27, 2022Ravie Lakshmanan
Muhstik, a botnet infamous for propagating via web application exploits, has been observed targeting Redis servers using a recently disclosed vulnerability in the database system. The vulnerability relates to  CVE-2022-0543 , a  Lua sandbox escape flaw  in the open-source, in-memory, key-value data store that could be abused to achieve remote code execution on the underlying machine. The vulnerability is rated 10 out of 10 for severity. "Due to a packaging issue, a remote attacker with the ability to execute arbitrary Lua scripts could possibly escape the Lua sandbox and execute arbitrary code on the host," Ubuntu noted in an advisory released last month. According to  telemetry data  gathered by Juniper Threat Labs, the attacks leveraging the new flaw are said to have commenced on March 11, 2022, leading to the retrieval of a malicious shell script ("russia.sh") from a remote server, which is then utilized to fetch and execute the botnet binaries from another s

Botnet of Thousands of MikroTik Routers Abused in Glupteba, TrickBot Campaigns

Botnet of Thousands of MikroTik Routers Abused in Glupteba, TrickBot Campaigns
March 23, 2022Ravie Lakshmanan
Vulnerable routers from MikroTik have been misused to form what cybersecurity researchers have called one of the largest botnet-as-a-service cybercrime operations seen in recent years.  According to a new piece of research published by Avast, a cryptocurrency mining campaign leveraging the new-disrupted  Glupteba botnet  as well as the infamous TrickBot malware were all distributed using the same command-and-control (C2) server. "The C2 server serves as a botnet-as-a-service controlling nearly 230,000 vulnerable MikroTik routers," Avast's senior malware researcher, Martin Hron,  said  in a write-up, potentially linking it to what's now called the Mēris botnet. The botnet is known to exploit a known vulnerability in the Winbox component of MikroTik routers ( CVE-2018-14847 ), enabling the attackers to gain unauthenticated, remote administrative access to any affected device. Parts of the Mēris botnet were  sinkholed  in late  September 2021 . "The  CVE-2018-

New Variant of Russian Cyclops Blink Botnet Targeting ASUS Routers

New Variant of Russian Cyclops Blink Botnet Targeting ASUS Routers
March 17, 2022Ravie Lakshmanan
ASUS routers have emerged as the target of a nascent botnet called Cyclops Blink , almost a month after it was revealed the malware abused WatchGuard firewall appliances as a stepping stone to gain remote access to breached networks. According to a  new report  published by Trend Micro, the botnet's "main purpose is to build an infrastructure for further attacks on high-value targets," given that none of the infected hosts "belong to critical organizations, or those that have an evident value on economic, political, or military espionage." Intelligence agencies from the U.K. and the U.S. have  characterized  Cyclops Blink as a replacement framework for  VPNFilter , another malware that has exploited network devices, primarily small office/home office (SOHO) routers, and network-attached storage (NAS) devices. Both VPNFilter and Cyclops Blink have been attributed to a Russian state-sponsored actor tracked as Sandworm (aka Voodoo Bear), which has also been li

DirtyMoe Botnet Gains New Exploits in Wormable Module to Spread Rapidly

DirtyMoe Botnet Gains New Exploits in Wormable Module to Spread Rapidly
March 17, 2022Ravie Lakshmanan
The malware known as DirtyMoe has gained new worm-like propagation capabilities that allow it to expand its reach without requiring any user interaction, the latest research has found. "The worming module targets older well-known vulnerabilities, e.g.,  EternalBlue  and  Hot Potato  Windows privilege escalation," Avast researcher Martin Chlumecký  said  in a report published Wednesday. "One worm module can generate and attack hundreds of thousands of private and public IP addresses per day; many victims are at risk since many machines still use unpatched systems or weak passwords." Active since 2016, the  DirtyMoe botnet  is used for carrying out cryptojacking and distributed denial-of-service (DDoS) attacks, and is deployed by means of external exploit kits like  Purple Fox  or injected installers of Telegram Messenger. Also employed as part of the attack sequence is a DirtyMoe service that triggers the launch of two additional processes, namely the Core and

New "B1txor20" Linux Botnet Uses DNS Tunnel and Exploits Log4J Flaw

New "B1txor20" Linux Botnet Uses DNS Tunnel and Exploits Log4J Flaw
March 16, 2022Ravie Lakshmanan
A previously undocumented backdoor has been observed targeting Linux systems with the goal of corralling the machines into a botnet and acting as a conduit for downloading and installing rootkits. Qihoo 360's Netlab security team called it  B1txor20  "based on its propagation using the file name 'b1t,' the XOR encryption algorithm, and the RC4 algorithm key length of 20 bytes." First observed propagating through the  Log4j vulnerability  on February 9, 2022, the malware leverages a technique called DNS tunneling to build communication channels with command-and-control (C2) servers by encoding data in DNS queries and responses. B1txor20, while also buggy in some ways, currently supports the ability to obtain a shell, execute arbitrary commands, install a rootkit, open a  SOCKS5 proxy , and functions to upload sensitive information back to the C2 server. Once a machine is successfully compromised, the malware utilizes the DNS tunnel to retrieve and execute co

Emotet Botnet's Latest Resurgence Spreads to Over 100,000 Computers

Emotet Botnet's Latest Resurgence Spreads to Over 100,000 Computers
March 09, 2022Ravie Lakshmanan
The insidious Emotet botnet, which staged a return in November 2021 after a 10-month-long hiatus, is once again exhibiting signs of steady growth, amassing a swarm of over 100,000 infected hosts for perpetrating its malicious activities. "While Emotet has not yet attained the same scale it once had, the botnet is showing a strong resurgence with a total of approximately 130,000 unique bots spread across 179 countries since November 2021," researchers from Lumen's Black Lotus Labs  said  in a report. Emotet, prior to its  takedown  in late January 2021 as part of a coordinated law enforcement operation dubbed "Ladybird," had infected no fewer than 1.6 million devices globally, acting as a conduit for cybercriminals to install other types of malware, such as banking trojans or ransomware, onto compromised systems. The malware  officially resurfaced  in November 2021  using TrickBot  as a delivery vehicle, with the latter  shuttering its attack infrastructure

Notorious TrickBot Malware Gang Shuts Down its Botnet Infrastructure

Notorious TrickBot Malware Gang Shuts Down its Botnet Infrastructure
February 24, 2022Ravie Lakshmanan
The modular Windows crimeware platform known as TrickBot formally shuttered its infrastructure on Thursday after reports emerged of its  imminent retirement  amid a lull in its activity for almost two months, marking an end to one of the most persistent malware campaigns in recent years. "TrickBot is gone... It is official now as of Thursday, February 24, 2022. See you soon... or not," AdvIntel's CEO Vitali Kremez  tweeted . "TrickBot is gone as it has become inefficient for targeted intrusions." Attributed to a Russia-based criminal enterprise called  Wizard Spider , TrickBot started out as a financial trojan in late 2016 and is a derivative of another banking malware called  Dyre  that was dismantled in November 2015. Over the years, it morphed into a veritable Swiss Army knife of malicious capabilities, enabling threat actors to steal information via  web injects  and drop additional payloads. TrickBot's activities took a noticeable hit in October 20

U.S., U.K. Agencies Warn of New Russian Botnet Built from Hacked Firewall Devices

U.S., U.K. Agencies Warn of New Russian Botnet Built from Hacked Firewall Devices
February 24, 2022Ravie Lakshmanan
Intelligence agencies in the U.K. and the U.S. disclosed details of a new botnet malware called  Cyclops Blink  that's been attributed to the Russian-backed Sandworm hacking group and deployed in attacks dating back to 2019. "Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, which exploited network devices, primarily small office/home office (SOHO) routers, and network-attached storage (NAS) devices," the agencies  said . "In common with VPNFilter, Cyclops Blink deployment also appears indiscriminate and widespread." The  joint government advisory  comes from the U.K. National Cyber Security Centre (NCSC), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) in the U.S. Sandworm , aka Voodoo Bear, is the name assigned to a  highly advanced adversary  operating out of Russia that's known to be active since at least 2008.
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.