July 24, 2023

DDoS Botnets Hijacking Zyxel Devices to Launch Devastating Attacks

Description

In April 2023, a critical flaw (CVE-2023-28771) in Zyxel devices was discovered, allowing attackers to gain remote control of vulnerable systems. Multiple distributed denial-of-service (DDoS) botnets, including variants of Mirai like Dark.IoT and Katana, have been exploiting this flaw to launch DDoS attacks in various regions. Cloudflare reported an increase in sophisticated DDoS attacks, with threat actors using techniques like DNS laundering and virtual machine botnets to evade detection. Pro-Russian hacktivist groups such as KillNet, REvil, and Anonymous Sudan have been targeting U.S. and European entities, and their tactics and capabilities have evolved over time.

Infected Technology

Multiple firewall models of Zyxel devices

Source

https://thehackernews.com/2023/07/ddos-botnets-hijacking-zyxel-devices-to.html

Recommendation

• Deploy robust DDoS protection measures, such as cloud-based services or on-premises solutions, to detect and mitigate DDoS attacks, safeguarding the availability of essential services. • Implement network segmentation to isolate critical systems and data, limiting the impact of potential breaches and hindering lateral movement by attackers within the network.

CVE ID

CVE-2023-28771

Hackers Exploit WebAPK to Deceive Android Users into Installing Malicious Apps

Description

Cybercriminals exploit Android’s WebAPK technology to deceive users into installing malicious web apps that masquerade as legitimate services like PKO Bank Polski. Victims receive SMS messages prompting them to update their banking app, leading to a site using WebAPK to install the fake application. Once installed, the app tricks users into sharing sensitive credentials and 2FA tokens, allowing the theft of personal information. These attacks are challenging to detect due to the dynamically generated package names and checksums for each device. To mitigate the threat, blocking websites using WebAPK for phishing attacks is recommended. Additionally, cybercriminals are using specialized device spoofing tools to bypass anti-fraud controls and conduct unauthorized transactions via smartphones using banking malware like TimpDoor and Clientor.

Infected Technology

WebAPK

Source

https://thehackernews.com/2023/07/hackers-exploit-webapk-to-deceive.html

Recommendation

• Use secure communication channels for updates. • Implement strong 2FA mechanisms. • Download apps from official stores only. • Thoroughly review WebAPK security. • Employ dynamic threat analysis. • Block suspicious WebAPK websites.

Sophisticated BundleBot Malware Disguised as Google AI Chatbot and Utilities

Description

A new malware strain named BundleBot is using .NET single-file deployment techniques to evade detection. It is distributed through Facebook Ads and compromised accounts, often posing as legitimate program utilities, AI tools, or games. Victims are tricked into downloading a fake RAR archive that contains a self-contained application. The malware steals sensitive information from compromised hosts, including data from web browsers, Discord tokens, information from Telegram, and Facebook account details. Another campaign discovered by Malwarebytes involves rogue Google Chrome extensions impersonating Facebook Ads Manager to steal Facebook login information. The threat actors behind these activities are suspected to be of Vietnamese origin. Users are advised to be cautious and aware of deceptive tactics used by cybercriminals.

Infected Technology

Normal internet users

Source

https://thehackernews.com/2023/07/sophisticated-bundlebot-malware.html

Recommendation

• Keep Software Updated • Use Trusted Sources to download software and applications. • Be Cautious of Downloading Files

The AMI MegaRAC BMC software contains critical vulnerabilities that leave servers vulnerable to remote attacks

Description

Two security flaws have been disclosed in the AMI MegaRAC Baseboard Management Controller (BMC) software. If successfully exploited, these vulnerabilities could allow threat actors to remotely take control of vulnerable servers and deploy malware. The severity of these new vulnerabilities ranges from High to Critical, including unauthenticated remote code execution and unauthorized device access with superuser permissions. They can be exploited by remote attackers who have access to Redfish remote management interfaces or from a compromised host operating system. When chained together, the two bugs carry a combined severity score of 10.0, enabling an adversary to bypass Redfish authentication and remotely execute arbitrary code on the BMC chip with the highest privileges. Additionally, these aforementioned flaws could be combined with CVE-2022-40258 to crack passwords for the admin accounts on the BMC chip.

Infected Technology

AMI MegaRAC (BMC) software

Source

https://thehackernews.com/2023/07/critical-flaws-in-ami-megarac-bmc.html

Recommendation

• Conduct regular security assessments. • Update plugin to the latest patch version.

CVE ID

CVE-2022-40258

Mallox Ransomware: Exploiting Weaknesses in MS SQL Servers

Description

In the ever-evolving landscape of cybersecurity threats, the Mallox ransomware has emerged as a formidable adversary, targeting organizations worldwide. This insidious ransomware strain utilizes sophisticated techniques to exploit vulnerabilities in Microsoft SQL (MS SQL) servers, causing significant disruptions and financial losses to its victims. As of July 2023, the threat posed by Mallox ransomware has escalated, warranting an in-depth analysis of its modus operandi and the technology it exploits.

The impact of a Mallox ransomware attack can be devastating for organizations. With MS SQL servers serving as repositories of sensitive data, such as customer information, financial records, and proprietary data, a successful attack can lead to data loss, reputational damage, legal consequences, and severe financial repercussions. The attackers typically demand exorbitant ransoms in cryptocurrencies, adding further financial strain to the already beleaguered victims. Additionally, the downtime caused by a ransomware attack can disrupt business operations, resulting in lost productivity and revenue.

Infected Technology

MS SQL

Source

https://thehackernews.com/2023/07/mallox-ransomware-exploits-weak-ms-sql.html

Recommendation

• Implement robust network segmentation to isolate MS SQL servers from other critical systems. This containment strategy can limit the lateral movement of ransomware within the network.

P2P Worm Attacking 307,000 Redis Instances on Linux and Windows Systems

Description

P2PInfect is a new P2P worm that is actively targeting the Redis servers on Linux and Windows OS, making it highly scalable and powerful compared to others.Palo Alto Networks Unit 42 researchers discovered this new cross-platform, Rust-based P2P worm that is actively targeting Redis, especially the cloud containers.On July 11, 2023, Unit 42 found the initial P2PInfect instance via HoneyCloud, their cloud-based honeypot detecting system. In Windows, P2PInfect has a Monitor process (in C:\Users\username\AppData\Local\Temp\cmd.exe) that ensures its running functionality on the infected host.Once initiated, the Monitor (cmd.exe) of P2PInfect downloads new versions from the P2P network, persisting them with random names in the original folder, and drops an encrypted configuration (.conf).Certain initial payload P2PInfect samples were UPX-packed, whereas the second-stage malware (miner and winminer) were not UPX-packed. P2PInfect uses CVE-2022-0543 for entry and sets up P2P communication to a larger network. It fetches more malicious binaries (scripts, scanning tools), joining the P2P network to infect future Redis servers.The vulnerability was exploited in past attacks (Muhstik, Redigo), causing DoS and brute-forcing. P2PInfect follows a similar pattern but differs significantly in post-exploit operations.

Infected Technology

• Linux Kernel from 6.1 to 6.4

Source

Redis Server on Windows and Linux OS

Recommendation

• Update to the latest version

CVE ID

CVE-2022-0543