#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News

botnet | Breaking Cybersecurity News | The Hacker News

Category — botnet
New KV-Botnet Targeting Cisco, DrayTek, and Fortinet Devices for Stealthy Attacks

New KV-Botnet Targeting Cisco, DrayTek, and Fortinet Devices for Stealthy Attacks

Dec 15, 2023 Botnet / Advanced Persistent Threat
A new botnet consisting of firewalls and routers from Cisco, DrayTek, Fortinet, and NETGEAR is being used as a covert data transfer network for advanced persistent threat actors, including the China-linked threat actor called  Volt Typhoon . Dubbed  KV-botnet  by the Black Lotus Labs team at Lumen Technologies, the malicious network is an amalgamation of two complementary activity clusters that have been active since at least February 2022. "The campaign infects devices at the edge of networks, a segment that has emerged as a soft spot in the defensive array of many enterprises, compounded by the shift to remote work in recent years," the company  said . The two clusters – codenamed KV and JDY – are said to be distinct yet working in tandem to facilitate access to high-profile victims as well as establish covert infrastructure. Telemetry data suggests that the botnet is commandeered from IP addresses based in China. While the bots part of JDY engages in broader...
New NKAbuse Malware Exploits NKN Blockchain Tech for DDoS Attacks

New NKAbuse Malware Exploits NKN Blockchain Tech for DDoS Attacks

Dec 15, 2023 Blockchain / Internet of Things
A novel multi-platform threat called  NKAbuse  has been discovered using a decentralized, peer-to-peer network connectivity protocol known as  NKN  (short for New Kind of Network) as a communications channel. "The malware utilizes NKN technology for data exchange between peers, functioning as a potent implant, and equipped with both flooder and backdoor capabilities," Russian cybersecurity company Kaspersky  said  in a Thursday report. NKN, which has over 62,000 nodes, is  described  as a "software overlay network built on top of today's Internet that enables users to share unused bandwidth and earn token rewards." It incorporates a blockchain layer on top of the existing TCP/IP stack. While threat actors are known to take advantage of emerging communication protocols for command-and-control (C2) purposes and evade detection, NKAbuse leverages blockchain technology to conduct distributed denial-of-service (DDoS) attacks and function as an imp...
The Future of Serverless Security in 2025: From Logs to Runtime Protection

The Future of Serverless Security in 2025: From Logs to Runtime Protection

Nov 28, 2024Cloud Security / Threat Detection
Serverless environments, leveraging services such as AWS Lambda, offer incredible benefits in terms of scalability, efficiency, and reduced operational overhead. However, securing these environments is extremely challenging. The core of current serverless security practices often revolves around two key components: log monitoring and static analysis of code or system configuration. But here is the issue with that: 1. Logs Only Tell Part of the Story Logs can track external-facing activities, but they don't provide visibility into the internal execution of functions. For example, if an attacker injects malicious code into a serverless function that doesn't interact with external resources (e.g., external APIs or databases), traditional log-based tools will not detect this intrusion. The attacker may execute unauthorized processes, manipulate files, or escalate privileges—all without triggering log events. 2. Static Misconfiguration Detection is Incomplete Static tools that check ...
New Stealthy 'Krasue' Linux Trojan Targeting Telecom Firms in Thailand

New Stealthy 'Krasue' Linux Trojan Targeting Telecom Firms in Thailand

Dec 07, 2023 Malware / Security Breach
A previously unknown Linux remote access trojan called Krasue has been observed targeting telecom companies in Thailand by threat actors to main covert access to victim networks at lease since 2021. Named after a  nocturnal female spirit  of Southeast Asian folklore, the malware is "able to conceal its own presence during the initialization phase," Group-IB  said  in a report shared with The Hacker News. The exact initial access vector used to deploy Krasue is currently not known, although it's suspected that it could be via vulnerability exploitation, credential brute-force attacks, or downloaded as part of a bogus software package or binary. The malware's core functionalities are realized through a rootkit that masquerades as an unsigned VMware driver and allows it to maintain persistence on the host without attracting any attention. The rootkit is derived from open-source projects such as Diamorphine, Suterusu, and Rooty. This has raised the possibility that...
cyber security

Creating, Managing and Securing Non-Human Identities

websitePermisoCybersecurity / Identity Security
A new class of identities has emerged alongside traditional human users: non-human identities (NHIs). Permiso Security's new eBook details everything you need to know about managing and securing non-human identities, and strategies to unify identity security without compromising agility.
Sierra:21 - Flaws in Sierra Wireless Routers Expose Critical Sectors to Cyber Attacks

Sierra:21 - Flaws in Sierra Wireless Routers Expose Critical Sectors to Cyber Attacks

Dec 06, 2023 Cyber Threat / Vulnerability
A collection of 21 security flaws have been discovered in Sierra Wireless AirLink cellular routers and open-source software components like  TinyXML  and  OpenNDS . Collectively tracked as  Sierra:21 , the issues expose over 86,000 devices across critical sectors like energy, healthcare, waste management, retail, emergency services, and vehicle tracking to cyber threats, according to Forescout Vedere Labs. A majority of these devices are located in the U.S., Canada, Australia, France, and Thailand. "These vulnerabilities may allow attackers to steal credentials, take control of a router by injecting malicious code, persist on the device and use it as an initial access point into critical networks," the industrial cybersecurity company  said  in a new analysis. Of the 21 vulnerabilities, one is rated critical, nine are rated high, and 11 are rated medium in severity. This includes remote code execution (RCE), cross-site scripting (XSS), denial-of-servi...
New P2PInfect Botnet MIPS Variant Targeting Routers and IoT Devices

New P2PInfect Botnet MIPS Variant Targeting Routers and IoT Devices

Dec 04, 2023 Malware / Botnet
Cybersecurity researchers have discovered a new variant of an emerging botnet called  P2PInfect  that's capable of targeting routers and IoT devices. The latest version, per Cado Security Labs, is compiled for Microprocessor without Interlocked Pipelined Stages ( MIPS ) architecture, broadening its capabilities and reach. "It's highly likely that by targeting MIPS, the P2PInfect developers intend to infect routers and IoT devices with the malware," security researcher Matt Muir  said  in a report shared with The Hacker News. P2PInfect, a Rust-based malware, was  first   disclosed  back in July 2023, targeting unpatched Redis instances by exploiting a critical Lua sandbox escape vulnerability ( CVE-2022-0543 , CVSS score: 10.0) for initial access. A subsequent analysis from the cloud security firm in September  revealed  a surge in P2PInfect activity, coinciding with the release of iterative variants of the malware. The new artifacts, b...
Russian Hacker Vladimir Dunaev Pleads Guilty for Creating TrickBot Malware

Russian Hacker Vladimir Dunaev Pleads Guilty for Creating TrickBot Malware

Dec 02, 2023 Cybercrime / Malware
A Russian national has been found guilty in connection with his role in developing and deploying a malware known as TrickBot, the U.S. Department of Justice (DoJ) announced. Vladimir Dunaev, 40, was  arrested  in South Korea in September 2021 and extradited to the U.S. a month later. "Dunaev developed browser modifications and malicious tools that aided in credential harvesting and data mining from infected computers, facilitated and enhanced the remote access used by TrickBot actors, and created a program code to prevent the TrickBot malware from being detected by legitimate security software," the DoJ  said . "During Dunaev's participation in the scheme, 10 victims in the Northern District of Ohio, including Avon schools and a North Canton real-estate company, were defrauded of more than $3.4 million via ransomware deployed by TrickBot." Dunaev, who pleaded guilty to committing computer fraud and identity theft and conspiracy to commit wire fraud and ban...
Qakbot Takedown Aftermath: Mitigations and Protecting Against Future Threats

Qakbot Takedown Aftermath: Mitigations and Protecting Against Future Threats

Dec 01, 2023 Malware / Cyber Threat
The U.S. Department of Justice (DOJ) and the FBI recently collaborated in a multinational operation to dismantle the notorious Qakbot malware and botnet. While the operation was successful in disrupting this long-running threat, concerns have arisen as it appears that Qakbot may still pose a danger in a reduced form. This article discusses the aftermath of the takedown, provides mitigation strategies, and offers guidance on determining past infections. The Takedown and Its Limitations During the takedown operation, law enforcement secured court orders to remove Qakbot malware from infected devices remotely. It was discovered that the malware had infected a substantial number of devices, with 700,000 machines globally, including 200,000 computers in the U.S., being compromised at the time of the takedown. However, recent reports suggest that Qakbot is still active but in a diminished state. The absence of arrests during the takedown operation indicates that only the command-and-cont...
GoTitan Botnet Spotted Exploiting Recent Apache ActiveMQ Vulnerability

GoTitan Botnet Spotted Exploiting Recent Apache ActiveMQ Vulnerability

Nov 29, 2023 Malware / Threat Intelligence
The recently disclosed critical security flaw impacting Apache ActiveMQ is being actively exploited by threat actors to distribute a new Go-based botnet called  GoTitan  as well as a .NET program known as  PrCtrl Rat  that's capable of remotely commandeering the infected hosts. The attacks involve the exploitation of a remote code execution bug (CVE-2023-46604, CVSS score: 10.0) that has been  weaponized  by various hacking crews, including the  Lazarus Group , in recent weeks. Following a successful breach, the threat actors have been observed to drop next-stage payloads from a remote server, one of which is GoTitan, a botnet designed for orchestrating distributed denial-of-service (DDoS) attacks via protocols such as HTTP, UDP, TCP, and TLS. "The attacker only provides binaries for x64 architectures, and the malware performs some checks before running," Fortinet Fortiguard Labs researcher Cara Lin  said  in a Tuesday analysis. "It als...
Russian Hackers Linked to 'Largest Ever Cyber Attack' on Danish Critical Infrastructure

Russian Hackers Linked to 'Largest Ever Cyber Attack' on Danish Critical Infrastructure

Nov 16, 2023 Cyber Warfare / Threat Intelligence
Russian threat actors have been possibly linked to what's been described as the "largest cyber attack against Danish critical infrastructure," in which 22 companies associated with the operation of the country's energy sector were targeted in May 2023.  "22 simultaneous, successful cyberattacks against Danish critical infrastructure are not commonplace," Denmark's SektorCERT  said  [PDF]. "The attackers knew in advance who they were going to target and got it right every time. Not once did a shot miss the target." The agency said it found evidence connecting one or more attacks to Russia's GRU military intelligence agency, which is also tracked under the name  Sandworm  and has a track record of orchestrating disruptive cyber assaults on industrial control systems. This assessment is based on artifacts communicating with IP addresses that have been traced to the hacking crew. The unprecedented and coordinated cyber attacks took place on...
Experts Expose Farnetwork's Ransomware-as-a-Service Business Model

Experts Expose Farnetwork's Ransomware-as-a-Service Business Model

Nov 08, 2023 Cyber Threat / Endpoint Security
Cybersecurity researchers have unmasked a prolific threat actor known as farnetwork, who has been linked to five different ransomware-as-a-service (RaaS) programs over the past four years in various capacities. Singapore-headquartered Group-IB, which attempted to infiltrate a private RaaS program that uses the  Nokoyawa   ransomware  strain, said it underwent a "job interview" process with the threat actor, learning several valuable insights into their background and role within those RaaS programs. "Throughout the threat actor's cybercriminal career, which began in 2019, farnetwork has been involved in several connected ransomware projects, including JSWORM, Nefilim, Karma, and Nemty, as part of which they helped develop ransomware and manage the RaaS programs before launching their own RaaS program based on Nokoyawa ransomware," Nikolay Kichatov, threat intelligence analyst at Group-IB,  said . The latest disclosure comes nearly six months after the cyber...
New Jupyter Infostealer Version Emerges with Sophisticated Stealth Tactics

New Jupyter Infostealer Version Emerges with Sophisticated Stealth Tactics

Nov 06, 2023 Data Security / Malvertising
An updated version of an information stealer malware known as  Jupyter  has resurfaced with "simple yet impactful changes" that aim to stealthily establish a persistent foothold on compromised systems. "The team has discovered new waves of Jupyter Infostealer attacks which leverage PowerShell command modifications and signatures of private keys in attempts to pass off the malware as a legitimately signed file," VMware Carbon Black researchers  said  in a report shared with The Hacker News. Jupyter Infostealer , also known as Polazert , SolarMarker, and Yellow Cockatoo, has a  track record  of leveraging manipulated search engine optimization (SEO) tactics and malvertising as an initial access vector to trick users searching for popular software into downloading it from dubious websites. It comes with capabilities to harvest credentials as well as establish encrypted command-and-control (C2) communication to exfiltrate data and execute arbitrary commands...
Mysterious Kill Switch Disrupts Mozi IoT Botnet Operations

Mysterious Kill Switch Disrupts Mozi IoT Botnet Operations

Nov 02, 2023 Malware / Botnet
The unexpected drop in malicious activity connected with the Mozi botnet in August 2023 was due to a kill switch that was distributed to the bots. "First, the drop manifested in India on August 8," ESET  said  in an analysis published this week. "A week later, on August 16, the same thing happened in China. While the mysterious control payload – aka kill switch – stripped Mozi bots of most functionality, they maintained persistence." Mozi is an Internet of Things (IoT) botnet that  emerged  from the source code of several known malware families, such as Gafgyt, Mirai, and IoT Reaper. First spotted in 2019, it's known to exploit weak and default remote access passwords as well as unpatched security vulnerabilities for initial access. In September 2021, researchers from cybersecurity firm Netlab  disclosed  the arrest of the botnet operators by Chinese authorities. But the  precipitous decline  in Mozi activity – from around 13,300 hosts on Au...
DDoS 2.0: IoT Sparks New DDoS Alert

DDoS 2.0: IoT Sparks New DDoS Alert

Sep 15, 2023 IoT Security / Cyber Threat
The  Internet of Things (IoT)  is transforming efficiency in various sectors like healthcare and logistics but has also introduced new security risks, particularly IoT-driven DDoS attacks. This article explores how these attacks work, why they're uniquely problematic, and how to mitigate them. What Is IoT? IoT (Internet of Things) refers to online, interconnected devices that collect and exchange data. This broad category of devices includes sensors, cameras, network routers, and advanced machinery, and their integration into everyday life and work processes results in an ecosystem that can automate operations, improve decision-making, and enhance user experience. IoT: A Breeding Ground for Botnets IoT's rapid adoption amplifies its vulnerability, as poorly secured devices become easy prey for attackers and may become part of a botnet. Controlled by attackers, botnets can scale and rapidly execute various attacks, including DDoS, data theft, ad fraud, cryptocurrency minin...
Sophisticated Phishing Campaign Deploying Agent Tesla, OriginBotnet, and RedLine Clipper

Sophisticated Phishing Campaign Deploying Agent Tesla, OriginBotnet, and RedLine Clipper

Sep 12, 2023 Endpoint Security / Malware
A sophisticated phishing campaign is using a Microsoft Word document lure to distribute a trifecta of threats, namely Agent Tesla, OriginBotnet, and RedLine Clipper, to gather a wide range of information from compromised Windows machines. "A phishing email delivers the Word document as an attachment, presenting a deliberately blurred image and a counterfeit reCAPTCHA to lure the recipient into clicking on it," Fortinet FortiGuard Labs researcher Cara Lin  said . Clicking on the image leads to the delivery of a loader from a remote server that, in turn, is designed to distribute OriginBotnet for keylogging and password recovery, RedLine Clipper for cryptocurrency theft, and Agent Tesla for harvesting sensitive information. The loader, written in .NET, employs a technique called binary padding by adding null bytes to increase the file's size to 400 MB in an attempt to evade detection by security software. The activation of the loader triggers a multi-stage process to ...
FBI Dismantles QakBot Malware, Frees 700,000 Computers, Seizes $8.6 Million

FBI Dismantles QakBot Malware, Frees 700,000 Computers, Seizes $8.6 Million

Aug 30, 2023 Malware / Cyber Crime
A coordinated law enforcement effort codenamed  Operation Duck Hunt  has felled  QakBot , a notorious Windows malware family that's estimated to have compromised over 700,000 computers globally and facilitated financial fraud as well as ransomware. To that end, the U.S. Justice Department (DoJ)  said  the malware is "being deleted from victim computers, preventing it from doing any more harm," adding it seized more than $8.6 million in cryptocurrency in illicit profits. The cross-border exercise involved the participation of France, Germany, Latvia, Romania, the Netherlands, the U.K., and the U.S., alongside technical assistance from cybersecurity company Zscaler. The dismantling has been hailed as "the largest U.S.-led financial and technical disruption of a botnet infrastructure leveraged by cybercriminals." No arrests were announced. QakBot, also known as QBot and Pinkslipbot, started its life as a banking trojan in 2007 before morphing into a general-pu...
Thousands of Unpatched Openfire XMPP Servers Still Exposed to High-Severity Flaw

Thousands of Unpatched Openfire XMPP Servers Still Exposed to High-Severity Flaw

Aug 24, 2023 Cyber Attack / Vulnerability
Thousands of  Openfire XMPP servers  are unpatched against a recently disclosed high-severity flaw and are susceptible to a new exploit, according to a  new report  from VulnCheck. Tracked as  CVE-2023-32315  (CVSS score: 7.5), the vulnerability relates to a path traversal vulnerability in Openfire's administrative console that could permit an unauthenticated attacker to access otherwise restricted pages reserved for privileged users. It affects all versions of the software released since April 2015, starting with version 3.10.0. It was remediated by its developer, Ignite Realtime, earlier this May with the release of versions 4.6.8, 4.7.5, and 4.8.0. "Path traversal protections were already in place to protect against exactly this kind of attack, but didn't defend against certain non-standard URL encoding for UTF-16 characters that were not supported by the embedded web server that was in use at the time," the maintainers  said  in a detailed...
Expert Insights / Articles Videos
Cybersecurity Resources