Emotet, a nasty botnet and popular malware family, has proven increasingly dangerous over the past year as its operators adopt new tactics. Now armed with the ability to drop additional payloads and arriving via business email compromise (BEC), it’s become a major threat to organizations.
Security watchers are wary of Emotet, which was among the first botnets to spread banking Trojans laterally within target organizations, making removal difficult. After ramping up in early 2018, Emotet increased again during the holiday season. Through the start of 2019, the malware continued to spread.
Read more about the rise and rise of the Emotet botnet on DarkReading.
Although Linux is a much more secure operating system compared to the more widely used Windows, it is not impervious to misconfigurations and malware infections. Over the past decade, the number of malware families targeting Linux has grown.
In a report published yesterday by cyber-security firm ESET, the company details 21 “new” Linux malware families. All operate in the same manner, as trojanized versions of the OpenSSH client. They are developed as second-stage tools to be deployed in more complex “botnet” schemes. Attackers would compromise a Linux system, usually a server, and then replace the legitimate OpenSSH installation with one of the trojanized versions.
Read more about the newly discovered Linux malware families on ZDNet.
The FBI, Google, and 20 tech industry partners have collaborated to take down a giant cyber-criminal network involved in generating fake ad views and clicks that have been used to defraud ad networks and advertisers for the past four years and make millions in illicit revenue for the scheme’s perpetrators.
Besides a coordinated intervention to take down several of the criminal scheme’s botnets, the US Department of Justice also announced a 13-count indictment against eight suspects believed to be behind this operation, three of whom are already under arrest and awaiting extradition to the US.
Read more about the dismantling of the massive ad fraud scheme on ZDNet.
A fresh botnet is spreading across the landscape, targeting router equipment. So far, hundreds of thousands of bot endpoints have already been identified, and they’re apparently being marshaled to send out massive amounts of spam.
The botnet first emerged in September, according to telemetry from 360Netlab, which dubbed it BCMUPnP_Hunter. It’s so-named because of its penchant for infecting routers that have the Broadcom Universal Plug and Play (UPnP) feature enabled. The botnet takes advantage of a known vulnerability in that feature, which was discovered in 2013.
Read more about the BCMUPnP_Hunter botnet on Threatpost.
An IRC bot built using Perl is targeting Internet of Things (IoT) devices and Linux servers, but can also affect Windows systems and Android devices, Trend Micro warns. Dubbed Shellbot, the malware is being distributed by a threat group called Outlaw, which recently compromised FTP servers of a Japanese art institution and a Bangladeshi government site. The hackers linked compromised servers to a high availability cluster to host an IRC bouncer and control the botnet.
The campaign Trend Micro’s security researchers investigated leveraged previously brute-forced or compromised hosts for distribution purposes. The bot was observed targeting Ubuntu and Android devices.
Two botnet gangs are fighting to take control over as many unsecured Android devices as they can to use their resources and mine cryptocurrency behind owners’ backs. The turf war between these two botnets, one named Fbot and the other named Trinity, has been going on for at least a month if we’re to combine the various clues from reports published by different cyber-security firms.
Both are in direct competition and are going after the same targets, namely Android devices on which vendors or owners have left the diagnostics port exposed online. This port is 5555, and it hosts a standard Android feature called the Android Debug Bridge (ADB). All Android devices support it but most come with it disabled.
Read more about the ongoing turf war between Fbot and Trinity on ZDNet.
For nearly a month, a new botnet has been slowly growing in the shadows, feasting on unsecured Apache Hadoop servers and planting bots on vulnerable servers to be used for future DDoS attacks.
While the botnet initially consisted of a few command and control servers, in a threat alert sent out today by cyber-security firm Radware, the company says the botnet, dubbed DemonBot, has now grown to number over 70 servers. The role of these servers is to scan the internet for Hadoop installations that use a misconfigured YARN module. Radware says DemonBot has grown tremendously in the past month, currently attempting over 1 million YARN exploits per day.
Read more about the rise of the DemonBot botnet on ZDNet.
Chalubo is a new botnet which is targeting poorly-secured Internet of Things (IoT) devices and servers for the purpose of distributed denial-of-service (DDoS) attacks. Researchers from cybersecurity firm Sophos said that the botnet is becoming “increasingly prolific” and is ramping up efforts to target Internet-facing SSH servers on Linux-based systems alongside IoT products.
The main Chalubo bot is not only adopting obfuscation techniques more commonly found in Windows-based malware but is also using code from Xor.DDoS and the infamous Mirai botnet.
Read more about the rise of the Chalubo botnet on ZDNet.
Roughly two years after the Mirai Internet of Things (IoT) bot took down the Internet for much of the eastern United States and parts of Europe, Netscout security researchers have found that the bot landscape has expanded considerably.
By setting honeypots across North America, South America, Europe, and Asia, researchers observed nearly 200,000 brute-force attacks from Sept. 1 through Sept. 30, according to Matt Bing, a security research analyst at Netscout. The team found 1,005 additional user name and password combinations beyond Mirai’s original default list of 60.
Read more about the findings of the new Netscout report on DarkReading.
SEC Consult researchers have issued a warning about a handful of critical vulnerabilities they discovered in video surveillance equipment by Chinese manufacturer Hangzhou Xiongmai Technology.
The discovered vulnerabilities include a default admin password (i.e., no password, and no requirement to set one in the initial setup phase), insecure default credentials for a hardcoded “default” account, multiple unencrypted communication channels, and a failure to check the integrity of firmware updates, which are not signed.
Read more about the various vulnerabilities affecting some 9 million Xiongmai devices on Help Net Security.
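The last flaw in that list, unsigned firmware updates, is closed by having the device verify a signature before it applies an image. The Go program below is an added example, not Xiongmai’s or SEC Consult’s code: it assumes a constructed container layout (4-byte length, image, Ed25519 signature over the image’s SHA-256 digest) and shows the device-side check rejecting truncated, tampered or wrongly keyed updates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed container layout for this example (not a real vendor format):
//   [4-byte big-endian image length][image bytes][64-byte Ed25519 signature]
// The signature covers SHA-256(image).
const sigLen = ed25519.SignatureSize

var ErrBadUpdate = errors.New("firmware update rejected")

// SignFirmware is the vendor-side step: wrap an image in the signed container.
func SignFirmware(priv ed25519.PrivateKey, image []byte) []byte {
	digest := sha256.Sum256(image)
	out := make([]byte, 4, 4+len(image)+sigLen)
	binary.BigEndian.PutUint32(out, uint32(len(image)))
	out = append(out, image...)
	return append(out, ed25519.Sign(priv, digest[:])...)
}

// VerifyFirmware is the device-side step: parse defensively, then return the
// image only if the signature verifies under the baked-in vendor public key.
func VerifyFirmware(pub ed25519.PublicKey, container []byte) ([]byte, error) {
	if len(container) < 4+sigLen {
		return nil, ErrBadUpdate // too short to hold header and signature
	}
	n := int(binary.BigEndian.Uint32(container))
	if n < 0 || len(container) != 4+n+sigLen {
		return nil, ErrBadUpdate // declared length does not match the container
	}
	image, sig := container[4:4+n], container[4+n:]
	digest := sha256.Sum256(image)
	if !ed25519.Verify(pub, digest[:], sig) {
		return nil, ErrBadUpdate // signature mismatch: tampered or wrong key
	}
	return image, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pkg := SignFirmware(priv, []byte("constructed firmware image v1.2"))
	_, err := VerifyFirmware(pub, pkg)
	fmt.Println("genuine update accepted:", err == nil)
	tampered := append([]byte(nil), pkg...)
	tampered[5] ^= 0x01 // flip one bit inside the image
	_, err = VerifyFirmware(pub, tampered)
	fmt.Println("tampered update rejected:", err != nil)
}
```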