#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

botnet | Breaking Cybersecurity News | The Hacker News

Crafting Shields: Defending Minecraft Servers Against DDoS Attacks

Crafting Shields: Defending Minecraft Servers Against DDoS Attacks

Mar 26, 2024 Online Gaming / DDoS Protection
Minecraft, with over 500 million registered users and 166 million monthly players, faces significant risks from distributed denial-of-service (DDoS) attacks, threatening server functionality, player experience, and the game's reputation. Despite the prevalence of DDoS attacks on the game, the majority of incidents go unreported, leaving a gap in awareness and protection. This article explains what happens to a Minecraft server during a DDoS attack and how to protect against such attacks. For an in-depth version of the article,  check out this white paper . When Creepers Breach: What Happens When an Attack Is Successful When a Minecraft server is hit with a DDoS attack, players may have problems with logging in to servers, loading worlds, navigating biomes, using tools, and chatting. They can also experience general lags, disconnections, timeouts, or server crashes. These in-game disruptions can ruin the gaming experience for players while causing financial and reputational losses to
AndroxGh0st Malware Targets Laravel Apps to Steal Cloud Credentials

AndroxGh0st Malware Targets Laravel Apps to Steal Cloud Credentials

Mar 21, 2024 Threat Intelligence / Vulnerability
Cybersecurity researchers have shed light on a tool referred to as  AndroxGh0st  that's used to target Laravel applications and steal sensitive data. "It works by scanning and taking out important information from .env files, revealing login details linked to AWS and Twilio," Juniper Threat Labs researcher Kashinath T Pattan  said . "Classified as an SMTP cracker, it exploits SMTP using various strategies such as credential exploitation, web shell deployment, and vulnerability scanning." AndroxGh0st has been detected in the wild since at least 2022, with threat actors leveraging it to access Laravel environment files and steal credentials for various cloud-based applications like Amazon Web Services (AWS), SendGrid, and Twilio. Attack chains involving the Python malware are known to exploit known security flaws in Apache HTTP Server, Laravel Framework, and PHPUnit to gain initial access and for privilege escalation and persistence. Earlier this January, U
Making Sense of Operational Technology Attacks: The Past, Present, and Future

Making Sense of Operational Technology Attacks: The Past, Present, and Future

Mar 21, 2024Operational Technology / SCADA Security
When you read reports about cyber-attacks affecting operational technology (OT), it's easy to get caught up in the hype and assume every single one is sophisticated. But are OT environments all over the world really besieged by a constant barrage of complex cyber-attacks? Answering that would require breaking down the different types of OT cyber-attacks and then looking back on all the historical attacks to see how those types compare.  The Types of OT Cyber-Attacks Over the past few decades, there has been a growing awareness of the need for improved cybersecurity practices in IT's lesser-known counterpart, OT. In fact, the lines of what constitutes a cyber-attack on OT have never been well defined, and if anything, they have further blurred over time. Therefore, we'd like to begin this post with a discussion around the ways in which cyber-attacks can either target or just simply impact OT, and why it might be important for us to make the distinction going forward. Figure 1 The Pu
APT28 Hacker Group Targeting Europe, Americas, Asia in Widespread Phishing Scheme

APT28 Hacker Group Targeting Europe, Americas, Asia in Widespread Phishing Scheme

Mar 18, 2024 Cyber Warfare / Malware
The Russia-linked threat actor known as  APT28  has been linked to multiple ongoing phishing campaigns that employ lure documents imitating government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. "The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production," IBM X-Force  said  in a report published last week. The tech company is tracking the activity under the moniker  ITG05 , which is also known as Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, TA422, and UAC-028. The disclosure comes more than three months after the adversary was spotted using decoys related to the ongoing I
cyber security

Automated remediation solutions are crucial for security

websiteWing SecurityShadow IT / SaaS Security
Especially when it comes to securing employees' SaaS usage, don't settle for a longer to-do list. Auto-remediation is key to achieving SaaS security.
Cybersecurity Agencies Warn Ubiquiti EdgeRouter Users of APT28's MooBot Threat

Cybersecurity Agencies Warn Ubiquiti EdgeRouter Users of APT28's MooBot Threat

Feb 28, 2024 Firmware Security / Vulnerability
In a new joint advisory, cybersecurity and intelligence agencies from the U.S. and other countries are urging users of Ubiquiti EdgeRouter to take protective measures, weeks after a botnet comprising infected routers was  felled by law enforcement  as part of an operation codenamed Dying Ember. The botnet, named MooBot, is said to have been used by a Russia-linked threat actor known as APT28 to facilitate covert cyber operations and drop custom malware for follow-on exploitation. APT28, affiliated with Russia's Main Directorate of the General Staff (GRU), is known to be active since at least 2007. APT28 actors have "used compromised EdgeRouters globally to harvest credentials, collect NTLMv2 digests, proxy network traffic, and host spear-phishing landing pages and custom tools," the authorities  said  [PDF]. The adversary's use of EdgeRouters dates back to 2022, with the attacks targeting aerospace and defense, education, energy and utilities, governments, hospita
A New Age of Hacktivism

A New Age of Hacktivism

Feb 22, 2024 Hacktivism / Information Warfare
In the past 2 years, we have observed a significant surge in hacktivism activity due to ongoing wars and geopolitical conflicts in various regions. Since the war against Ukraine began, we have witnessed a notable mobilization of non-state and state-backed actors alike, forming new groups or joining existing hacker collectives.  We understand hacktivism as a form of computer hacking that is done to further the goals of political or social  activism 1 . While  activism  describes a normal, non-disruptive use of the Internet in order to support a specific cause (online petitions, fundraising, coordinating activities),  hacktivism  includes operations that use hacking techniques with the intent to disrupt but not to cause serious harm (e.g., data theft, website defacements, redirects, Denial-of-Service attacks). Cyber operations that inherit a willingness or intent to cause harm to physical property, severe economic damage or loss of life would be referred to as  cyberterrorism, 2, 3  Th
New 'VietCredCare' Stealer Targeting Facebook Advertisers in Vietnam

New 'VietCredCare' Stealer Targeting Facebook Advertisers in Vietnam

Feb 21, 2024 Malware / Cyber Threat
Facebook advertisers in Vietnam are the target of a previously unknown information stealer dubbed  VietCredCare  at least since August 2022. The malware is "notable for its ability to automatically filter out Facebook session cookies and credentials stolen from compromised devices, and assess whether these accounts manage business profiles and if they maintain a positive Meta ad credit balance," Singapore-headquartered Group-IB  said  in a new report shared with The Hacker News. The end goal of the large-scale malware distribution scheme is to facilitate the takeover of corporate Facebook accounts by targeting Vietnamese individuals who manage the Facebook profiles of prominent businesses and organizations. Facebook accounts that have been successfully seized are then used by the threat actors behind the operation to post political content or to propagate phishing and affiliate scams for financial gain. VietCredCare is offered to other aspiring cybercriminals under the stealer-as
U.S. Government Disrupts Russia-Linked Botnet Engaged in Cyber Espionage

U.S. Government Disrupts Russia-Linked Botnet Engaged in Cyber Espionage

Feb 16, 2024 Botnet / Network Security
The U.S. government on Thursday said it disrupted a botnet comprising hundreds of small office and home office (SOHO) routers in the country that was put to use by the Russia-linked APT28 actor to conceal its malicious activities. "These crimes included vast spear-phishing and similar credential harvesting campaigns against targets of intelligence interest to the Russian government, such as U.S. and foreign governments and military, security, and corporate organizations," the U.S. Department of Justice (DoJ)  said  in a statement. APT28 , also tracked under the monikers BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, and TA422, is  assessed  to be linked to Unit 26165 of Russia's Main Directorate of the General Staff (GRU). It's known to be active since at least 2007. Court documents allege that the attackers pulled off their cyber espionage campaigns by relying on  MooBot , a Mirai
FritzFrog Returns with Log4Shell and PwnKit, Spreading Malware Inside Your Network

FritzFrog Returns with Log4Shell and PwnKit, Spreading Malware Inside Your Network

Feb 01, 2024 Cyber Attack / Botnet
The threat actor behind a peer-to-peer (P2P) botnet known as  FritzFrog  has made a return with a new variant that leverages the  Log4Shell vulnerability  to propagate internally within an already compromised network. "The vulnerability is exploited in a brute-force manner that attempts to target as many vulnerable Java applications as possible," web infrastructure and security company Akamai said in a report shared with The Hacker News. FritzFrog,  first documented  by Guardicore (now part of Akamai) in August 2020, is a Golang-based malware that primarily targets internet-facing servers with weak SSH credentials. It's known to be active since January 2020. It has  since evolved  to strike healthcare, education, and government sectors as well as improved its capabilities to ultimately deploy cryptocurrency miners on infected hosts, claiming more than 1,500 victims over the years. What's novel about the latest version is the use of the Log4Shell vulnerability a
U.S. Feds Shut Down China-Linked "KV-Botnet" Targeting SOHO Routers

U.S. Feds Shut Down China-Linked "KV-Botnet" Targeting SOHO Routers

Feb 01, 2024 Cyber Threat / Network Security
The U.S. government on Wednesday said it took steps to neutralize a botnet comprising hundreds of U.S.-based small office and home office (SOHO) routers hijacked by a China-linked state-sponsored threat actor called Volt Typhoon and blunt the impact posed by the hacking campaign. The existence of the botnet, dubbed  KV-botnet , was  first disclosed  by the Black Lotus Labs team at Lumen Technologies in mid-December 2023. The law enforcement effort was  reported  by Reuters earlier this week. "The vast majority of routers that comprised the KV-botnet were Cisco and NetGear routers that were vulnerable because they had reached 'end of life' status; that is, they were no longer supported through their manufacturer's security patches or other software updates," the Department of Justice (DoJ)  said  in a press statement. Volt Typhoon  (aka DEV-0391, Bronze Silhouette, Insidious Taurus, or Vanguard Panda) is the moniker assigned to a China-based adversarial collect
HeadCrab 2.0 Goes Fileless, Targeting Redis Servers for Crypto Mining

HeadCrab 2.0 Goes Fileless, Targeting Redis Servers for Crypto Mining

Feb 01, 2024 Cryptocurrency / Botnet
Cybersecurity researchers have detailed an updated version of the malware  HeadCrab  that's known to target Redis database servers across the world since early September 2021. The development, which comes exactly a year after the malware was first  publicly disclosed  by Aqua, is a sign that the financially-motivated threat actor behind the campaign is actively adapting and refining their tactics and techniques to stay ahead of the detection curve. The cloud security firm  said  that "the campaign has almost doubled the number of infected Redis servers," with an additional 1,100 compromised servers, up from 1,200 reported at the start of 2023. HeadCrab is designed to infiltrate internet-exposed Redis servers and wrangle them into a botnet for illicitly mining cryptocurrency, while also leveraging the access in a manner that allows the threat actor to execute shell commands, load fileless kernel modules, and exfiltrate data to a remote server. While the origins of th
Russian TrickBot Mastermind Gets 5-Year Prison Sentence for Cybercrime Spree

Russian TrickBot Mastermind Gets 5-Year Prison Sentence for Cybercrime Spree

Jan 26, 2024 Cyber Crime / Malware
40-year-old Russian national Vladimir Dunaev has been sentenced to five years and four months in prison for his role in creating and distributing the TrickBot malware, the U.S. Department of Justice (DoJ) said. The development comes nearly two months after  Dunaev pleaded guilty  to committing computer fraud and identity theft and conspiracy to commit wire fraud and bank fraud. "Hospitals, schools, and businesses were among the millions of TrickBot victims who suffered tens of millions of dollars in losses," DoJ  said . "While active, TrickBot malware, which acted as an initial intrusion vector into victim computer systems, was used to support various ransomware variants." Originating as a banking trojan in 2016, TrickBot evolved into a Swiss Army knife capable of delivering additional payloads, including ransomware. Following efforts to take down the botnet, it was absorbed into the Conti ransomware operation in 2022. The cybercrime crew's allegiance to
New CherryLoader Malware Mimics CherryTree to Deploy PrivEsc Exploits

New CherryLoader Malware Mimics CherryTree to Deploy PrivEsc Exploits

Jan 25, 2024 Threat Intelligence / Malware Research
A new Go-based malware loader called  CherryLoader  has been discovered by threat hunters in the wild to deliver additional payloads onto compromised hosts for follow-on exploitation. Arctic Wolf Labs, which discovered the new attack tool in two recent intrusions, said the loader's icon and name masquerades as the legitimate CherryTree note-taking application to dupe potential victims into installing it. "CherryLoader was used to drop one of two privilege escalation tools,  PrintSpoofer  or  JuicyPotatoNG , which would then run a batch file to establish persistence on the victim device," researchers Hady Azzam, Christopher Prest, and Steven Campbell  said . In another novel twist, CherryLoader also packs modularized features that allow the threat actor to swap exploits without recompiling code. It's currently not known how the loader is distributed, but the attack chains examined by the cybersecurity firm show that CherryLoader ("cherrytree.exe") and i
Feds Warn of AndroxGh0st Botnet Targeting AWS, Azure, and Office 365 Credentials

Feds Warn of AndroxGh0st Botnet Targeting AWS, Azure, and Office 365 Credentials

Jan 17, 2024 Botnet / Cloud Security
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI)  warned  that threat actors deploying the  AndroxGh0st  malware are creating a botnet for "victim identification and exploitation in target networks." A Python-based malware,  AndroxGh0st  was first documented by Lacework in December 2022, with the malware inspiring several  similar tools  like AlienFox, GreenBot (aka Maintance), Legion, and Predator. The cloud attack tool is capable of infiltrating servers vulnerable to known security flaws to access Laravel environment files and steal credentials for high-profile applications such as Amazon Web Services (AWS), Microsoft Office 365, SendGrid, and Twilio. Some of the notable flaws weaponized by the attackers include  CVE-2017-9841  (PHPUnit),  CVE-2021-41773  (Apache HTTP Server), and  CVE-2018-15133  (Laravel Framework). "AndroxGh0st has multiple features to enable SMTP abuse including scanning, exploitat
Cybersecurity Resources