Hardware manufacturer Zyxel has issued patches for a highly critical security flaw that gives malicious hackers the ability to take control of a wide range of firewalls and VPN products the company sells to businesses.
The flaw is an authentication bypass vulnerability that stems from a lack of a proper access-control mechanism in the CGI (common gateway interface) of affected devices, the company said. Access control refers to a set of policies that rely on passwords and other forms of authentication to ensure resources or data are available only to authorized people. The vulnerability is tracked as CVE-2022-0342.
“The flaw could allow an attacker to bypass the authentication and obtain administrative access of the device,” Zyxel said in an advisory. The severity rating is 9.8 out of a possible 10.
An Indian bank that did not have a valid firewall license, had not employed phishing protection, lacked an intrusion detection system and eschewed use of any intrusion prevention system has, shockingly, been compromised by criminals who made off with millions of rupees.
The unfortunate institution is called the Andra Pradesh Mahesh Co-Operative Urban Bank. Its 45 branches and just under $400 million of deposits make it one of India's smaller banks.
It certainly thinks small about security – at least according to Hyderabad City Police, which last week detailed an attack on the Bank that started with over 200 phishing emails being sent across three days in November 2021. At least one of those mails succeeded in fooling staff, resulting in the installation of a Remote Access Trojan (RAT).
Another technology the bank had chosen not to adopt was virtual LANs, so once the RAT went to work the attackers gained entry to the Bank's systems and were able to roam widely – even in its core banking application.
Hyderabad Police's analysis of the attack found that Mahesh Bank had carelessly allowed its population of super-users to reach ten – some with identical passwords. The attackers compromised some of those accounts and gained access to databases containing customer information including account balances.
The attackers also created new bank accounts and moved customers' funds into those accounts. Over $1 million of such stolen funds were shifted to hundreds of other accounts at Mahesh Bank and other financial institutions.
To complete the heist, the attackers made withdrawals at 938 ATMs across India and made off with the cash.
A new remote access trojan (RAT) dubbed "Borat" doesn't come with many laughs but offers bad actors a menu of cyberthreats to choose from.
RATs are typically used by cybercriminals to get full control of a victim's system, enabling them to access files and network resources and manipulate the mouse and keyboard. Borat does all this and also delivers features to enable hackers to run ransomware, distributed denial of service attacks (DDoS) and other online assaults and to install spyware, according to researchers at cybersecurity biz Cyble.
"The Borat RAT provides a dashboard to Threat Actors (TAs) to perform RAT activities and also has an option to compile the malware binary for performing DDoS and ransomware attacks on the victim's machine," the researchers wrote in a blog post, noting the malware is being made available for sale to hackers.
Borat – named after the character made famous by actor Sacha Baron Cohen in two comedy films – comes with the standard requisite of RAT features in a package that includes such functions as builder binary, server certificate and supporting modules.
It's the other options that make it more interesting. Bad actors can use the malware to deliver ransomware that will encrypt files on a victim's system and demand a ransom, including the ability to create a ransom note on the targeted machine. There also is code in Borat that will decrypt the files in the system once the ransom is paid.
Additionally, the RAT includes code for launching a DDoS attack, in which a website or server is overwhelmed by a wave of messages, slowing down responses and services to legitimate users and sometimes forcing the site to shut down. Often it takes paying the threat actor money to shut off the DDoS attack.
On top of that, there is a range of remote surveillance capabilities that enable hackers to spy on the system and its user, including a keylogger that monitors and stores keystrokes from a victim's machine. The keystrokes are saved in a file and later exfiltrated from the system.
Borat will determine if a connected microphone is included on the system and, if so, will record the audio from the computer, with the recorded audio stored in another file named "micaudio.wav." In similar fashion, if a webcam is found on the system, the malware can start recording from the camera.
In addition, there is a remote desktop function.
"This malware takes the remote desktop of the infected machine," the researchers wrote. "It then gives the Threat Actor (TA) the necessary rights to perform activities such as controlling the victim's machine, mouse, keyboard, and capturing the screen. Controlling the victim's machine can allow TAs to perform several activities such as deleting critical files, executing ransomware in the compromised machine, etc."
The RAT grabs information from the victim's machine, such as the name and version of the operating system and the model of the machine, and will steal cookies, bookmarks and saved login credentials from systems running Chrome and Chromium-based Microsoft Edge browsers.
Free cyber security training offered as online studies at the University of Jyväskylä
What exactly does that include? The site gives a slightly vague picture, but I would take it if I were in Finland.
Hydra, the world’s biggest cybercrime forum, is no more. Authorities in Germany have seized servers and other infrastructure used by the sprawling, billion-dollar enterprise along with a stash of about $25 million in bitcoin.
Hydra had been operating since at least 2015 and had seen a meteoric rise since then. In 2020, it had annual revenue of more than $1.37 billion, according to a 2021 report jointly published by security firm Flashpoint and blockchain analysis company Chainalysis. In 2016, the companies said Hydra had a revenue of just $9.4 million. German authorities said the site had 17 million customers and more than 19,000 seller accounts registered.
Available exclusively through the Tor network, Hydra was a bazaar that brokered sales of narcotics, fake documents, cryptocurrency-laundering services, and other digital goods. Flashpoint and Chainalysis identified 11 core operators but said the marketplace was so big that it likely was staffed by “several dozen people, with clearly delineated responsibilities.”
In a post published on Tuesday, Germany’s Central Office for Combating Cybercrime (known as ZIT) and the Federal Criminal Police Office (BKA) said they confiscated Hydra’s server infrastructure and 543 bitcoins, worth about $25 million.
People who attempt to visit the site can't access any of the previously available pages or resources. Instead, they see the following graphic bearing the seals of multiple law enforcement agencies, including the FBI and the Drug Enforcement Administration. The graphic declares that the site has been shut down.
In court documents unsealed on Wednesday, an FBI agent wrote that the WatchGuard firewalls hacked by Sandworm were “vulnerable to an exploit that allows unauthorized remote access to the management panels of those devices.” It wasn't until after the court document was public that WatchGuard published this FAQ, which for the first time made reference to CVE-2022-23176, a vulnerability with a severity rating of 8.8 out of a possible 10.
“WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access,” the description read. “This vulnerability impacts Fireware OS before 12.7.2_U1, 12.x before 12.1.3_U3, and 12.2.x through 12.5.x before 12.5.7_U3.”
The WatchGuard FAQ said that CVE-2022-23176 had been “fully addressed by security fixes that started rolling out in software updates in May 2021.” The FAQ went on to say that investigations by WatchGuard and outside security firm Mandiant “did not find evidence the threat actor exploited a different vulnerability.”
When WatchGuard released the May 2021 software updates, the company made only the most oblique of references to the vulnerability.
“These releases also include fixes to resolve internally detected security issues,” a company post stated. “These issues were found by our engineers and not actively found in the wild. For the sake of not guiding potential threat actors toward finding and exploiting these internally discovered issues, we are not sharing technical details about these flaws that they contained.”
According to Wednesday’s FAQ, FBI agents informed WatchGuard in November that about 1 percent of the firewalls it had sold had been infected by Cyclops Blink, a new strain of malware developed by Sandworm to replace a botnet the FBI dismantled in 2018. Three months after learning of the infections from the FBI, WatchGuard published the detection tool and the accompanying 4-Step Diagnosis and Remediation Plan for infected devices. The company obtained the CVE-2022-23176 designation a day later, on February 24.
Even after all of these steps, including obtaining the CVE, however, the company still didn't explicitly disclose the critical vulnerability that had been fixed in the May 2021 software updates. Security professionals, many of whom have spent weeks working to rid the Internet of vulnerable devices, blasted WatchGuard for the failure to explicitly disclose.
“As it turns out, threat actors *DID* find and exploit the issues,” Will Dormann, a vulnerability analyst at CERT, said in a private message. He was referring to the WatchGuard explanation from May that the company was withholding technical details to prevent the security issues from being exploited. “And without a CVE issued, more of their customers were exposed than needed to be.”
An exfiltration tool previously used exclusively by BlackMatter, Kaspersky said, is being used by ALPHV/Black Cat and “represents a new data point connecting BlackCat with past BlackMatter activity.” Previously, BlackMatter used the so-called Fendr tool to collect data before encrypting it on the victim’s server. The exfiltration supports a double extortion model that requires a payment not just for a decryption key but also for a pinky swear that criminals won’t make the data public.
“In the past, BlackMatter prioritized collection of sensitive information with Fendr to successfully support their double coercion scheme, just as BlackCat is now doing, and it demonstrates a practical but brazen example of malware re-use to execute their multi-layered blackmail,” Kaspersky researchers wrote. “The modification of this reused tool demonstrates a more sophisticated planning and development regimen for adapting requirements to target environments, characteristic of a more effective and experienced criminal program.”
Kaspersky said the ALPHV ransomware is unusual because it’s written in the Rust programming language. Another oddity: The individual ransomware executable is compiled specifically for the organization being targeted, often just hours before the intrusion, so that previously collected login credentials are hardcoded into the binary.
Thursday’s post said Kaspersky researchers had observed two ALPHV breaches, one on a cloud hosting provider in the Middle East and the other against an oil, gas, mining, and construction company in South America. It was during the second incident that Kaspersky detected the use of Fendr. Other breaches attributed to ALPHV include two German oil suppliers and luxury fashion brand Moncler.
A&T is the seventh US university or college to be hit by ransomware so far this year, according to Brett Callow, a security analyst at security firm Emsisoft. Callow also said that at least eight school districts have been hit, disrupting operations at as many as 214 schools.
Cybersecurity service providers must apply for licenses to operate in Singapore, under new regulations launched by the country’s Cyber Security Agency (CSA) on Monday.
The new licensing framework requires vendors that offer penetration testing and/or managed security operations centers (SOC) to get licenses, in recognition that they access customers' systems and therefore pose a risk. The measures are effective immediately, although existing vendors have until October 11, 2022 to apply for the required licenses.
Those that fail to acquire the necessary licenses will face a fine up to SG$50,000 (US$36,600) and up to two years in jail.
Licensees will need to satisfy regulators that they are fit and proper people, and notify of any new staff they employ on gigs that involve rummaging around inside customer systems. Licenses will cost S$500 for individuals and S$1000 for businesses (US$365 and US$730).
The CSA is having a half-off license sale, waiving 50 percent of fees for applications made prior to 11 April 2023, as an effort to support businesses impacted by COVID-19.
The regulatory org said the new framework would protect consumers and improve practitioner standards.
“In the event that the access is abused, the client’s operations could be disrupted,” said CSA in its canned statement. “In addition, these services are already widely available and adopted in the market, and hence have the potential to cause significant impact on the overall cybersecurity landscape.”
Someone at least tried to use NSO Group's surveillance software to spy on European Commission officials last year, according to a Reuters report.
European Justice Commissioner Didier Reynders and at least four commission staffers were targeted, according to the news outlet, citing two EU officials and documentation.
The European Commission did not immediately respond to The Register's request for comment.
NSO is the Israeli cyber-surveillance firm that developed the infamous Pegasus software that, once in an infected phone or other device, can extract data and carry out other espionage. It can be installed on a victim's gadget without any user interaction: typically, they have to just receive a booby-trapped message. And once it's deployed, the NSO customer controlling that instance of Pegasus has access to everything on the victim's handheld, including text messages, phone calls, emails, passwords, and photos.
Microsoft seized seven domains it claims were part of ongoing cyberattacks by what it said are state-sponsored Russian advanced persistent threat actors that targeted Ukrainian-related digital assets.
The company obtained court orders to take control of the domains it said were used by Strontium, also known as APT28, Sofacy, Fancy Bear and Sednit. In a blog post outlining the actions, Microsoft reported attackers used the domains to target Ukrainian media organizations, government institutions and foreign policy think tanks based in the U.S. and Europe.
“We obtained a court order authorizing us to take control of seven internet domains Strontium was using to conduct these attacks,” said Tom Burt, corporate vice president of Customer Security and Trust at Microsoft.
Sinkhole is a security term that refers to the redirection of internet traffic from domains, at the domain-server network level, by security researchers for analysis and mitigation. Microsoft did not specify how the domains were specifically being abused, beyond identifying those targeted.
“We have since re-directed these domains to a sinkhole controlled by Microsoft, enabling us to mitigate Strontium’s current use of these domains and enable victim notifications,” Burt said.
Researchers said the APT was attempting to establish persistent, or long-term, access to a target’s system. This, they suggested, would facilitate a second-stage attack that would likely include extraction of sensitive information such as credentials.
“This disruption is part of ongoing long-term investment, started in 2016, to take legal and technical action to seize infrastructure being used by Strontium. We have established a legal process that enables us to obtain rapid court decisions for this work,” Microsoft said.
More than half a decade has passed since the notorious Russian hackers known as Sandworm targeted an electrical transmission station north of Kyiv a week before Christmas in 2016, using a unique, automated piece of code to interact directly with the station's circuit breakers and turn off the lights to a fraction of Ukraine's capital. That unprecedented specimen of industrial control system malware has never been seen again—until now: In the midst of Russia's brutal invasion of Ukraine, Sandworm appears to be pulling out its old tricks.
On Tuesday, the Ukrainian Computer Emergency Response Team (CERT-UA) and the Slovakian cybersecurity firm ESET issued advisories that the Sandworm hacker group, confirmed to be Unit 74455 of Russia's GRU military intelligence agency, had targeted high-voltage electrical substations in Ukraine using a variation on a piece of malware known as Industroyer or Crash Override. The new malware, dubbed Industroyer2, can interact directly with equipment in electrical utilities to send commands to substation devices that control the flow of power, just like that earlier sample. It signals that Russia's most aggressive cyberattack team attempted a third blackout in Ukraine, years after its historic cyberattacks on the Ukrainian power grid in 2015 and 2016, still the only confirmed blackouts known to have been caused by hackers.
ESET and CERT-UA say the malware was planted on target systems within a regional Ukrainian energy firm on Friday. CERT-UA says that the attack was successfully detected in progress and stopped before any actual blackout could be triggered. But an earlier, private advisory from CERT-UA last week, first reported by MIT Technology Review Tuesday, stated that power had been temporarily switched off to nine electrical substations.
Both CERT-UA and ESET declined to name the affected utility. But more than 2 million people live in the area it serves, according to Farid Safarov, Ukraine's deputy minister of energy.
Both SSSCIP's Zhora and ESET say the new version of Industroyer had the ability to send commands to circuit breakers to trigger a blackout, just as the original did. ESET found, too, that the malware had the ability to send commands to protective relays, and its analysts reported clear similarities between components of the new Industroyer and the original, giving them “high confidence” that the new malware was created by the same authors. But the exact capabilities of the new grid-focused malware specimen remain far from clear.
Even so, the appearance of a new version of Industroyer signals that Sandworm's grid-hacking days are far from over—despite the group's apparent transition during the past five years to other forms of disruptive attacks, such as its release in 2017 of the self-spreading NotPetya malware that caused $10 billion in damage worldwide, the Olympic Destroyer cyberattack on the 2018 Winter Olympics, and a mass-scale cyberattack on Georgian websites and TV stations in 2019. "The fact that this group is still using and maintaining this tool and using it against industrial control systems is significant," says ESET's head of threat research, Jean-Ian Boutin. “It means that they are developing tools that will allow them to actually interfere with things like electricity and energy. So it's definitely a threat to other countries around the world as well.”
The US has seized the domain of what it calls "one of the world's largest hacker forums" and indicted its founder, the Department of Justice announced Tuesday. A notice on RaidForums.com says the domain was seized by the FBI, Secret Service, and Department of Justice. Europol and law enforcement agencies from Sweden, Romania, Portugal, Germany, and the UK were also involved.
RaidForums founder and chief administrator, Diogo Santos Coelho, a 21-year-old from Portugal, was arrested in the UK on January 31 and is in custody pending the outcome of extradition proceedings. The case in US District Court for the Eastern District of Virginia was unsealed Monday. Two accomplices were also arrested, according to Europol.
Founded in 2015, "RaidForums served as a major online marketplace for individuals to buy and sell hacked or stolen databases containing the sensitive personal and financial information of victims in the United States and elsewhere, including stolen bank routing and account numbers, credit card information, login credentials and social security numbers," the DOJ said. As a Vice article noted, the seizure announcement "caps off weeks of speculation of what may have happened to the site, which mysteriously became unresponsive around the end of February."
Security reporter Brian Krebs wrote that "the 'raid' in RaidForums is a nod to the community's humble beginnings in 2015, when it was primarily an online venue for organizing and supporting various forms of electronic harassment. But over the years as trading in hacked databases became big business, RaidForums emerged as the go-to place for English-speaking hackers to peddle their wares." The Krebs article said that "the FBI had been secretly operating the RaidForums website for weeks" before the seizure.
A decade ago security researcher Barnaby Jack famously wirelessly hacked a hospital insulin pump live on stage in front of hundreds of people to demonstrate how easily it could be compromised to deliver a lethal dose of medication. In the years that have passed, medical device security has gotten better, albeit with an occasional high-profile hiccup. But researchers are now finding vulnerabilities in newer hospital technologies that weren’t as ubiquitous a decade ago.
Enter autonomous hospital robots, the supposed-to-be-friendly self-controlled digital workhorses that can transport medications, bed linens, food and laboratory specimens across a hospital campus. These robots, such as the ones built by robot maker Aethon, are equipped with the space to transport critical goods and security access to enter restricted parts of the hospital and ride elevators, all while cutting labor costs.
But researchers at Cynerio, a cybersecurity startup focused on securing hospital and healthcare systems, discovered a set of five never-before-seen vulnerabilities in Aethon robots, which they say allowed malicious hackers to remotely hijack and control these autonomous robots — and in some cases over the internet.
The five vulnerabilities, which Cynerio collectively call JekyllBot:5, aren’t with the robots themselves but with the base servers that are used to communicate with and control the robots that traverse the hallways of the hospitals and hotels. The bugs range from allowing hackers to create new users with high-level access in order to then log in and remotely control the robots and access restricted areas, snoop on patients or guests using the robot’s in-built cameras or otherwise cause mayhem.
Asher Brass, the lead researcher on the Aethon vulnerabilities, warned that the flaws required a “very low skill set for exploitation.”
Lockbit ransomware operators spent nearly six months in a government agency's network, deleting logs and using Chrome to download hacking tools, before eventually deploying extortionware, according to Sophos threat researchers.
About a month before the unnamed US regional government agency began investigating the intrusion, the cybercriminals deleted most of the log data to cover their tracks.
But they didn't delete every log nor their browser search history, which meant they left some crumbs behind.
"Sophos was able to piece together the narrative of the attack from those unmolested logs, which provide an intimate look into the actions of a not particularly sophisticated, but still successful, attacker," the security shop's Andrew Brandt and Angela Gunn wrote this week in an analysis of the attack.
Other organizations can hopefully learn something from this intrusion to avoid a similar fate. For two things, using multi-factor authentication on accounts, and limiting remote-desktop access to, say, authenticated VPN connections, may have helped.
According to Sophos, the miscreants broke in via a remote desktop protocol (RDP) service: the firewall was configured to provide public access to an RDP server. As Sophos researchers noted, the point of entry is "nothing spectacular." It's not said exactly how the miscreants got in – via brute-forcing a weak password, using a stolen credential, tapping up a rogue insider, or exploiting a security bug, for example – but we're told the intruders managed to hijack a local administrator account on the server that also had Windows domain admin privileges, which would make exploring and compromising the network simple.
The ransomware gang left behind a record of various legit remote-access tools they installed on commandeered servers and desktops. At first, the miscreants showed a preference for ScreenConnect IT management suite, but then they switched to AnyDesk, which Brandt and Gunn noted was likely an attempt to evade countermeasures on the network.
The security researchers also found RDP scanning, exploit, and brute-force password tools, along with logs recording their successful uses. The gang appeared to want to set up multiple paths into the agency's machines to ensure the crew could connect back in if one or more access routes were closed.
Thus, identifying and acting on unexpected remote-desktop or remote-command connections could save your organization in future.
"Unusual remote access connections, even from legitimate accounts, can be a sign of possible intrusion," Sophos Director of Threat Research Christopher Budd noted in an email to The Register. "Also, unusual behavior from within the network, specifically downloading powerful legitimate tools that are frequently abused by attackers can be another sign."
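As an added illustration of the detection advice above (example code, not Sophos's tooling or data), this Python block runs four simple rules over constructed, simplified Windows Security events for the pattern described: RDP logons from outside the VPN, a domain-admin account used over RDP, an unapproved remote-access tool (AnyDesk beside the sanctioned ScreenConnect) being started, and the Security log being cleared. The VPN range, the approved tool list and the privileged account name are assumptions.

```python
"""Constructed detection rules for the intrusion pattern described above.
The event records are a hand-written, simplified stand-in for Windows
Security events 4624 (logon), 4688 (process creation) and 1102 (log
cleared); they are not real log data."""
import ipaddress

# Assumption: RDP is only expected from the corporate VPN address pool.
ALLOWED_RDP_SOURCES = [ipaddress.ip_network("10.8.0.0/16")]
# Assumption: ScreenConnect is the only sanctioned remote-support tool.
APPROVED_REMOTE_TOOLS = {"screenconnect.clientservice.exe"}
WATCHED_REMOTE_TOOLS = {"anydesk.exe", "screenconnect.clientservice.exe"}
# Assumption: accounts known to hold domain-admin rights (hypothetical name).
PRIVILEGED_ACCOUNTS = {"corp\\adm-backup"}


def rdp_from_unexpected_source(ev):
    """Event 4624 with LogonType 10 (RemoteInteractive) from outside the VPN."""
    if ev["event_id"] != 4624 or ev["logon_type"] != 10:
        return None
    src = ipaddress.ip_address(ev["src_ip"])
    if any(src in net for net in ALLOWED_RDP_SOURCES):
        return None
    return f"RDP logon for {ev['user']} from outside VPN range: {ev['src_ip']}"


def privileged_rdp(ev):
    """A domain-admin account should not be used for interactive RDP sessions."""
    if ev["event_id"] == 4624 and ev["logon_type"] == 10 \
            and ev["user"].lower() in PRIVILEGED_ACCOUNTS:
        return f"domain-admin account {ev['user']} used for interactive RDP"
    return None


def unapproved_remote_tool(ev):
    """Event 4688: flag a remote-access tool that is watched but not approved."""
    if ev["event_id"] != 4688:
        return None
    exe = ev["process"].rsplit("\\", 1)[-1].lower()
    if exe in WATCHED_REMOTE_TOOLS and exe not in APPROVED_REMOTE_TOOLS:
        return f"unapproved remote-access tool started: {exe} by {ev['user']}"
    return None


def log_cleared(ev):
    """Event 1102: the Security log was cleared (attackers deleting tracks)."""
    if ev["event_id"] == 1102:
        return f"Security log cleared by {ev['user']}"
    return None


RULES = (rdp_from_unexpected_source, privileged_rdp, unapproved_remote_tool, log_cleared)


def detect(events):
    """Return (time, rule name, message) for every rule that fires on an event."""
    findings = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                findings.append((ev["time"], rule.__name__, msg))
    return findings


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"time": "2021-09-03T02:14:09", "event_id": 4624, "logon_type": 10,
     "user": "CORP\\adm-backup", "src_ip": "198.51.100.23"},
    {"time": "2021-09-03T09:02:51", "event_id": 4624, "logon_type": 10,
     "user": "CORP\\jsmith", "src_ip": "10.8.4.17"},
    {"time": "2021-09-03T02:20:33", "event_id": 4688, "user": "CORP\\adm-backup",
     "process": "C:\\Users\\adm-backup\\Downloads\\AnyDesk.exe"},
    {"time": "2021-09-04T10:00:00", "event_id": 4688, "user": "CORP\\helpdesk",
     "process": "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe"},
    {"time": "2022-02-01T23:59:58", "event_id": 1102, "user": "CORP\\adm-backup"},
]

if __name__ == "__main__":
    for when, rule, msg in detect(SAMPLE_EVENTS):
        print(when, rule, msg)
```

Only the VPN-sourced logon by a regular user and the approved ScreenConnect start pass silently; the other three events produce four findings.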
A prolific threat group known for deploying distributed denial-of-service (DDoS) and cryptomining attacks is running a new botnet that is built using the Linux-based Gafgyt source code along with some code from the Mirai botnet malware.
The group Keksec (also known as Nero and Freakout) is using the fast-evolving Enemybot to target routers from vendors like Seowon Intech and D-Link and is exploiting a remote code execution (RCE) vulnerability (CVE-2022-27226) discovered last month in iRZ mobile routers, according to a report this week by Fortinet's FortiGuard Labs team.
Keksec is using the Enemybot malware as a classic botnet, rolling up compromised Internet of Things (IoT) devices into a larger botnet that can be used to launch DDoS attacks.
However, FortiGuard researchers wrote that the bad actors may be considering extending the use of Enemybot into other areas beyond DDoS attacks, noting different samples of the code detected that add and remove exploits, leveraging the high-profile Log4j flaw and targeting a range of routers as well as Apache HTTP servers.