#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

botnet | Breaking Cybersecurity News | The Hacker News

Feds Shut Down 'Longest-Running' Andromeda Botnet

Feds Shut Down 'Longest-Running' Andromeda Botnet

Dec 04, 2017
In a coordinated International cyber operation, Europol with the help of international law enforcement agencies has taken down what it called "one of the longest-running malware families in existence" known as Andromeda. Andromeda , also known as Win32/Gamarue, is an infamous HTTP-based modular botnet that has been around for several years now, and infecting computers with it's malicious intentions ever since. The primary goal of Andromeda bot is to distribute other malware families for mass global malware attacks. The botnet has been associated with at least 80 malware families, and in the last six months, it was detected (or blocked) on an average of more than 1 million machines per month. Last year, law enforcement agencies took down the criminal infrastructure of the infamous Avalanche botnet in a similar massive international cyber operation. Avalanche botnet was used as a delivery platform to spread other malware families, including Andromeda. While in
Hackers Exploiting Microsoft Servers to Mine Monero - Makes $63,000 In 3 Months

Hackers Exploiting Microsoft Servers to Mine Monero - Makes $63,000 In 3 Months

Sep 28, 2017
Mining cryptocurrencies can be a costly investment as it takes a monstrous amount of computing power, and thus hackers have started using malware that steals computing resources of computers it hijacks to make lots of dollars in digital currency. Security researchers at security firm ESET have spotted one such malware that infected hundreds of Windows web servers with a malicious cryptocurrency miner and helped cybercriminals made more than $63,000 worth of Monero (XMR) in just three months. According to a report published by ESET today, cybercriminals only made modifications to legitimate open source Monero mining software and exploited a known vulnerability in Microsoft IIS 6.0 to secretly install the miner on unpatched Windows servers. Although ESET's investigation does not identify the attackers, it reports that the attackers have been infecting unpatched Windows web servers with the cryptocurrency miner since at least May 2017 to mine 'Monero,' a Bitcoin-like
Making Sense of Operational Technology Attacks: The Past, Present, and Future

Making Sense of Operational Technology Attacks: The Past, Present, and Future

Mar 21, 2024Operational Technology / SCADA Security
When you read reports about cyber-attacks affecting operational technology (OT), it's easy to get caught up in the hype and assume every single one is sophisticated. But are OT environments all over the world really besieged by a constant barrage of complex cyber-attacks? Answering that would require breaking down the different types of OT cyber-attacks and then looking back on all the historical attacks to see how those types compare.  The Types of OT Cyber-Attacks Over the past few decades, there has been a growing awareness of the need for improved cybersecurity practices in IT's lesser-known counterpart, OT. In fact, the lines of what constitutes a cyber-attack on OT have never been well defined, and if anything, they have further blurred over time. Therefore, we'd like to begin this post with a discussion around the ways in which cyber-attacks can either target or just simply impact OT, and why it might be important for us to make the distinction going forward. Figure 1 The Pu
US Warns of 'DeltaCharlie' – A North Korean DDoS Botnet Malware

US Warns of 'DeltaCharlie' – A North Korean DDoS Botnet Malware

Jun 14, 2017
The United States government has released a rare alert about an ongoing, eight-year-long North Korean state-sponsored hacking operation. The joint report from the FBI and U.S. Department of Homeland Security (DHS) provided details on " DeltaCharlie ," a malware variant used by " Hidden Cobra " hacking group to infect hundreds of thousands of computers globally as part of its DDoS botnet network. According to the report, the Hidden Cobra group of hackers are believed to be backed by the North Korean government and are known to launch cyber attacks against global institutions, including media organizations, aerospace and financial sectors, and critical infrastructure. While the US government has labeled the North Korean hacking group Hidden Cobra, it is often known as Lazarus Group and Guardians of Peace – the one allegedly linked to the devastating WannaCry ransomware menace that shut down hospitals and businesses worldwide. DeltaCharlie – DDoS Botnet M
cyber security

Automated remediation solutions are crucial for security

websiteWing SecurityShadow IT / SaaS Security
Especially when it comes to securing employees' SaaS usage, don't settle for a longer to-do list. Auto-remediation is key to achieving SaaS security.
More Hacking Groups Found Exploiting SMB Flaw Weeks Before WannaCry

More Hacking Groups Found Exploiting SMB Flaw Weeks Before WannaCry

May 19, 2017
Since the Shadow Brokers released the zero-day software vulnerabilities and hacking tools – allegedly belonged to the NSA's elite hacking team Equation Group – several hacking groups and individual hackers have started using them in their own way. The April's data dump was believed to be the most damaging release by the Shadow Brokers till the date, as it publicly leaked lots of Windows hacking tools , including dangerous Windows SMB exploit. After the outbreak of WannaCry last week, security researchers have identified multiple different campaigns exploiting Windows SMB vulnerability (CVE-2017-0143), called Eternalblue , which has already compromised hundreds of thousands of computers worldwide. I have been even confirmed by multiple sources in hacking and intelligence community that there are lots of groups and individuals who are actively exploiting Eternalblue for different motives. Moreover, the Eternalblue SMB exploit ( MS17-010 ) has now been ported to  Met
Weeks Before WannaCry, Cryptocurrency Mining Botnet Was Using Windows SMB Exploit

Weeks Before WannaCry, Cryptocurrency Mining Botnet Was Using Windows SMB Exploit

May 16, 2017
A security researcher has just discovered a stealthy cryptocurrency-mining malware that was also using Windows SMB vulnerability at least two weeks before the outbreak of WannaCry ransomware attacks. According to Kafeine, a security researcher at Proofpoint , another group of cyber criminals was using the same EternalBlue exploit , created by the NSA and dumped last month by the Shadow Brokers, to infect hundreds of thousands of computers worldwide with a cryptocurrency mining malware called ' Adylkuzz .' This malicious campaign went unnoticed for weeks because unlike WannaCry , this malware does not install ransomware or notify victims, but instead, it quietly infects unpatched computers with malware that only mine ' Monero ,' a Bitcoin-like cryptocurrency. This Malware Saves Computers From Getting Hacked By WannaCry The Researcher believes Adylkuzz malware attack could be larger in scale than WannaCry ransomware attack because it has been designed to blo
Botnet Sending 5 Million Emails Per Hour to Spread Jaff Ransomware

Botnet Sending 5 Million Emails Per Hour to Spread Jaff Ransomware

May 12, 2017
A massive malicious email campaign that stems from the Necurs botnet is spreading a new ransomware at the rate of 5 million emails per hour and hitting computers across the globe. Dubbed "Jaff," the new file-encrypting ransomware is very similar to the infamous Locky ransomware in many ways, but it is demanding 1.79 Bitcoins (approx $3,150), which much higher than Locky, to unlock the encrypted files on an infected computer. According to security researchers at Forcepoint Security Lab, Jaff ransomware, written in C programming language, is being distributed with the help of Necurs botnet that currently controls over 6 million infected computers worldwide. Necurs botnet is sending emails to millions of users with an attached PDF document, which if clicked, opens up an embedded Word document with a malicious macro script to downloads and execute the Jaff ransomware, Malwarebytes says . Jaff is Spreading at the Rate of 5 Million per Hour The malicious email camp
An Army of Thousands of Hacked Servers Found Mining Cryptocurrencies

An Army of Thousands of Hacked Servers Found Mining Cryptocurrencies

May 05, 2017
A new botnet consisting of more than 15,000 compromised servers has been used to mine various cryptocurrencies, earning its master around $25,000 per month. Mining cryptocurrencies can be a costly investment, as it requires an enormous amount of computing power, but cybercriminals have found an easy money-making solution. Dubbed BondNet, the botnet was first spotted in December 2016 by GuardiCore researchers, who traced back the botnet malware developer, using online handle Bond007.01, to China. According to the GuardiCore researchers, Bond007.01 is currently using BondNet for mining cryptocurrencies — primarily Monero, but also ByteCoin, RieCoin, and ZCash — but they warn that the hacker could easily take full control of compromised servers for malicious purposes, like mounting Mirai-style DDoS attacks. BondNet Attacks only Windows Server Machines Since mining cryptocurrencies require large amounts of CPU/GPU power, the botnet master goes after Windows Server machin
Malware Hunter — Shodan's new tool to find Malware C&C Servers

Malware Hunter — Shodan's new tool to find Malware C&C Servers

May 02, 2017
Rapidly growing, insecure internet-connected devices are becoming albatross around the necks of individuals and organizations with malware authors routinely hacking them to form botnets that can be further used as weapons in DDoS and other cyber attacks. But now finding malicious servers, hosted by attackers, that control botnet of infected machines gets a bit easier. Thanks to Shodan and Recorded Future. Shodan and Recorded Future have teamed up and launched Malware Hunter – a crawler that scans the Internet regularly to identify botnet command and control (C&C) servers for various malware and botnets. Command-and-control servers ( C&C servers ) are centralized machines that control the bots ( computers, smart appliances or smartphones ), typically infected with Remote Access Trojans or data-stealing malware, by sending commands and receiving data. Malware Hunter results have been integrated into Shodan – a search engine designed to gather and list information abo
Hajime ‘Vigilante Botnet’ Growing Rapidly; Hijacks 300,000 IoT Devices Worldwide

Hajime 'Vigilante Botnet' Growing Rapidly; Hijacks 300,000 IoT Devices Worldwide

Apr 27, 2017
Last week, we reported about a so-called 'vigilante hacker' who hacked into at least 10,000 vulnerable 'Internet of Things' devices, such as home routers and Internet-connected cameras, using a botnet malware in order to supposedly secure them. Now, that vigilante hacker has already trapped roughly 300,000 devices in an IoT botnet known as Hajime , according to a new report published Tuesday by Kaspersky Lab, and this number will rise with each day that passes by. The IoT botnet malware was emerged in October 2016, around the same time when the infamous Mirai botnet threatened the Internet last year with record-setting distributed denial-of-service (DDoS) attacks against the popular DNS provider Dyn. How the Hajime IoT Botnet Works Hajime botnet works much like Mirai by spreading itself via unsecured IoT devices that have open Telnet ports and uses default passwords and also uses the same list of username and password combinations that Mirai is programm
To Protect Your Devices, A Hacker Wants to Hack You Before Someone Else Does

To Protect Your Devices, A Hacker Wants to Hack You Before Someone Else Does

Apr 19, 2017
It should be noted that hacking a system for unauthorised access that does not belong to you is an illegal practice, no matter what's the actual intention behind it. Now I am pointing out this because reportedly someone, who has been labeled as a 'vigilante hacker' by media, is hacking into vulnerable 'Internet of Things' devices in order to supposedly secure them. This is not the first time when any hacker has shown vigilance, as we have seen lots of previous incidents in which hackers have used malware to compromise thousands of devices, but instead of hacking them, they forced owners to make them secure. Dubbed Hajime , the latest IoT botnet malware, used by the hacker, has already infected at least 10,000 home routers, Internet-connected cameras, and other smart devices. But reportedly, it's an attempt to wrestle their control from Mirai and other malicious threats. Mirai is an IoT botnet that threatened the Internet last year with record-sett
U.S. Takes Down Kelihos Botnet After Its Russian Operator Arrested in Spain

U.S. Takes Down Kelihos Botnet After Its Russian Operator Arrested in Spain

Apr 11, 2017
A Russian computer hacker arrested over the weekend in Barcelona was apparently detained for his role in a massive computer botnet, and not for last year's US presidential election hack as reported by the Russian media. Peter Yuryevich Levashov, 32-years-old Russian computer programmer, suspected of operating the Kelihos botnet — a global network of over 100,000 infected computers that was used to deliver spam, steal login passwords, and infect computers with ransomware and other types of malware since approximately 2010, the U.S. Justice Department announced Monday. As suspected earlier, Levashov, also known as Peter Severa, is the same man who has also been listed in the World's Top 10 Worst Spammers maintained by anti-spam group Spamhaus , which has given him the 7th position in the list. The arrest was made possible after the FBI learned just last month that Levashov was traveling with his family to Spain from his home in Russia, a country without any extraditi
Suspected Kelihos Botnet Operator Arrested in Spain

Suspected Kelihos Botnet Operator Arrested in Spain

Apr 10, 2017
Update (Tuesday, April 11):  The arrest of a Russian man in Spain was apparently for his role in Kelihos botnet responsible for sending hundreds of millions of spam emails worldwide. A Russian computer hacker and alleged spam kingpin was arrested in Barcelona, Spain, on Friday reportedly over suspicion of being involved in hacking attacks linked to alleged interference in last year's United States presidential election process . 36-year-old Peter Yuryevich Levashov  from St. Petersburg was detained by police in Barcelona after US authorities issued an international arrest warrant for his arrest. While the Russian embassy in Madrid announced Levashov's arrest on Sunday, it did not confirm the reason for his arrest. This is the second arrest made by the Spanish authorities since the US 2016 election. In January, the police detained Stanislav Lisov , 32, on suspicion of creating and operating the NeverQuest Banking Trojan and possibly influencing the presidential elec
Fraudsters Using GiftGhostBot Botnet to Steal Gift Card Balances

Fraudsters Using GiftGhostBot Botnet to Steal Gift Card Balances

Mar 25, 2017
Gift cards have once again caused quite a headache for retailers, as cyber criminals are using a botnet to break into and steal cash from money-loaded gift cards provided by major retailers around the globe. Dubbed GiftGhostBot , the new botnet specialized in gift card fraud is an advanced persistent bot (APB) that has been spotted in the wild by cyber security firm Distil Networks. GiftGhostBot has been seen attacking almost 1,000 websites worldwide and defrauding legitimate consumers of the money loaded on gift cards since Distil detected the attack late last month. According to the security firm, any website – from luxury retailers, supermarkets to coffee distributors – that allow their customers to buy products with gift cards could be targeted by the botnet. Operators of the GiftGhostBot botnet launch brute-force attacks against retailer's website to check potential gift card account numbers at a rate of about 1.7 Million numbers per hour, and request the balance f
Hackers threaten to take down Xbox Live and PSN on Christmas Day

Hackers threaten to take down Xbox Live and PSN on Christmas Day

Dec 24, 2016
Bad news for gamers! It's once again the time when most of you will get new PlayStations and XBoxes that continue to be among the most popular gifts for Christmas, but possibilities are you'll not be able to log into the online gaming console, just like what happens on every Christmas holidays. On 2014 Christmas holidays, the notorious hacker group Lizard Squad knocked the PlayStation Network and Xbox Live offline for many gamers by launching massive DDoS attacks against the gaming networks. This time a new hacking group, who managed to take down Tumblr this week for almost two hours, has warned gamers of launching another large-scale distributed denial-of-service (DDoS) attack against XBox Live and PlayStation networks. Calling itself R.I.U. Star Patrol , the hacking group, posted a video on YouTube , announcing that they're planning to take down Sony's PSN and Microsoft's Xbox Live on Christmas Day by launching coordinated DDoS attacks. "We do it because w
'MethBot' Ad Fraud Operators Making $5 Million Revenue Every Day

'MethBot' Ad Fraud Operators Making $5 Million Revenue Every Day

Dec 20, 2016
The biggest advertising fraud ever! A group of hackers is making between $3 Million to $5 Million per day from United States brands and media companies in the biggest digital ad fraud ever discovered. Online fraud-prevention firm White Ops uncovered this new Ad fraud campaign, dubbed " Methbot ," that automatically generates more than 300 Million fraudulent video ad impressions every day. The cyber criminal gang, dubbed AFT13, has developed Methbot robo-browser that spoofs all the necessary interactions needed to initiate, carry out and complete the ad transactions. The hackers, allegedly based in Russia, registered more than 6,000 domains and 250,267 distinct URLs impersonating brand and names of high-profile websites like ESPN, Vogue, CBS Sports, Fox News and the Huffington Post, and selling fake video ad slots. Cyber criminals behind Methbot are using servers hosted in Texas and Amsterdam to power more than 570,000 bots with forged IP addresses, mostly belong
More Insights On Alleged DDoS Attack Against Liberia Using Mirai Botnet

More Insights On Alleged DDoS Attack Against Liberia Using Mirai Botnet

Nov 05, 2016
On Thursday, we compiled a story based on research published by a British security expert reporting that some cyber criminals are apparently using Mirai Botnet to conduct DDoS attacks against the telecommunication companies in Liberia, a small African country. In his blog post , Kevin Beaumont claimed that a Liberian transit provider confirmed him about the DDoS attack of more than 500 Gbps targeting one undersea cable servicing Internet connectivity for the entire country. Later, some media outlets also confirmed that the DDoS attack caused Internet outage in some parts of the country, citing 'slow Internet' and 'total outage' experienced by some local sources and citizens. "The DDoS is killing our business. We have a challenge with the DDoS. We are hoping someone can stop it. It's killing our revenue. Our business has frequently been targeted" an employee with one Liberian mobile service provider told PC World . Network firm Level 3 confirmed Zack Whittaker
Friday's Massive DDoS Attack Came from Just 100,000 Hacked IoT Devices

Friday's Massive DDoS Attack Came from Just 100,000 Hacked IoT Devices

Oct 27, 2016
Guess how many devices participated in last Friday's massive DDoS attack against DNS provider Dyn that caused vast internet outage? Just 100,000 devices. I did not miss any zeros. Dyn disclosed on Wednesday that a botnet of an estimated 100,000 internet-connected devices was hijacked to flood its systems with unwanted requests and close down the Internet for millions of users. Dyn executive vice president Scott Hilton has issued a statement , saying all compromised devices have been infected with a notorious Mirai malware that has the ability to take over cameras, DVRs, and routers. "We're still working on analyzing the data but the estimate at the time of this report is up to 100,000 malicious endpoints," Hilton said. "We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets." Mirai malware scans for Internet of Things (IoT) devices that are still using their default passwords and then enslaves those
Cybersecurity Resources