Security Bulletin - April 2019

DDoS attacks and Botnets

Attacks on mobile devices almost doubled in 2018
Kaspersky Lab has released an interesting report entitled "Mobile malware evolution 2018", available at this address, which takes stock of the spread of malware on mobile devices over the past year and offers a useful basis for anticipating the trend and reacting now.
Among the results highlighted by the report, which is based on telemetry from devices running Kaspersky products, the most important is the number of attacks recorded: from 66.4 million in 2017 to 116.5 million in 2018. On the other hand, the number of malicious installation packages decreased (5,321,142 in 2018, almost 500,000 fewer than the previous year).
Malicious apps include droppers (Trojans whose own code is innocuous enough to pass checks and which then "drop" the actual malicious package), adware (intrusive advertising), RiskTool (legitimate-looking software that can be misused to cause damage or financial loss) and spyware, increasingly including banking Trojans, given the growing use of mobile banking.

StealthWorker uses Windows and Linux hosts to attack websites
Fortinet researchers have identified a botnet that uses StealthWorker, a malware discovered a few weeks earlier by Malwarebytes.
Compared to the first version, which targeted only Windows, this version of the malware also targets Linux, making it a multi-platform threat. Not only that: by analyzing the open directories on the C2 (Command & Control) servers indicated in the Malwarebytes report, evidence was found that MIPS and ARM builds exist as well, so IoT devices are involved too. In both cases persistence is obtained by scheduling automatic execution of the payload at startup, so the infection survives reboots. Each infected machine is used to attack CMS installations such as Joomla, Magento, Drupal and WordPress with brute-force login attempts; if the attack succeeds, not only are the credentials sent to the C2 server, but the compromised host becomes a zombie itself, growing the botnet.

Read more ...

Security Bulletin - July 2018

DDoS attacks and Botnets

The Fortinet Threat Landscape Report Q1 2018 is now available

Fortinet has published the Threat Landscape Report Q1 2018, which analyzes data collected between January and March 2018.

The report shows that most (55%) botnet infections lasted less than a day, 18% less than two days and fewer than 5% more than a week, a sign that botnets are constantly evolving.

Mirai infections are the ones that last longest, five and a half days on average; Gh0st, however, is the most prevalent botnet.

Although 268 different botnets were identified, their number and activity declined in the period analyzed; cryptojacking, that is the covert use of victims' systems to mine cryptocurrency, is the dominant activity.

Read more ...

Security Bulletin - April 2018

DDoS attacks and Botnets

Mirai variant turns IoT devices into proxy servers

Fortinet has identified a variant of Mirai, the famous botnet responsible for the attacks on Dyn and KrebsOnSecurity, which in addition to DDoS attacks turns infected IoT devices into proxy servers.
The botnet, called Mirai OMG, installs malware on victim systems that picks two random ports, adds firewall rules to allow traffic on them, then installs 3proxy, a minimal proxy server.
Fortinet did not observe the botnet attacking; it was analyzed in a quiescent state, and the authors are presumed to sell access to the IoT proxy servers.

Read more ...

Spectre and Meltdown: a recap

The first week of the new year was marked by the disclosure of two major processor flaws, the so-called Meltdown and Spectre, announced by Google Project Zero in this post, which affect most computers and devices in use today. The impact in terms of media coverage has been remarkable, and the topic has been discussed well beyond the circle of IT professionals.

Meltdown and Spectre in brief

Meltdown and Spectre are two distinct vulnerabilities that affect processors: not just those in servers, laptops and desktops but also in single-board computers, specialized systems and IoT devices. They were discovered by four different research teams, who reported them to CPU manufacturers several months before publication; the vulnerabilities themselves are not new, since the affected processor designs have existed for decades. No computer with a processor produced in the last 20 years can be considered immune or safe; a dedicated tool for Linux and BSD is available that reports the system's status, and a similar tool exists for Windows.
No attacks in the wild were known at the time of writing: antivirus products can detect specific exploit code, but not the vulnerability itself.
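The tools mentioned above read, among other things, what the Linux kernel itself reports: since Linux 4.15 there is one file per issue under /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2, and later ones), each holding a line such as "Not affected", "Vulnerable", "Vulnerable: <detail>" or "Mitigation: <detail>". The following is an added example, not the page's or any vendor tool's code, that turns those lines into a verdict; the verdict names, the "no report means exposed" rule and the sample values in the docstring are this example's own assumptions.

```python
"""Report Meltdown/Spectre status as the running Linux kernel sees it.

Reads /sys/devices/system/cpu/vulnerabilities/* (Linux >= 4.15).  Verdict
names and the 'treat silence as exposed' rule are this example's choices.
"""
from pathlib import Path

SYSFS_VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")


def classify(status: str) -> str:
    """Map one raw sysfs line to 'not_affected', 'mitigated', 'vulnerable' or 'unknown'."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_vulnerabilities(sysfs_dir=SYSFS_VULN_DIR) -> dict:
    """Return {issue: raw_line}; empty if the directory is missing (old kernel, not Linux)."""
    sysfs_dir = Path(sysfs_dir)
    if not sysfs_dir.is_dir():
        return {}
    raw = {}
    for entry in sorted(sysfs_dir.iterdir()):
        if entry.is_file():
            try:
                raw[entry.name] = entry.read_text().strip()
            except OSError:          # unreadable entry: keep going, mark it
                raw[entry.name] = "unreadable"
    return raw


def evaluate(raw: dict):
    """Turn {issue: raw_line} into ({issue: verdict}, exposed).

    'exposed' is True when any issue is still vulnerable, or when the kernel
    reports nothing at all: absence of information must never read as 'safe'.
    """
    verdicts = {name: classify(line) for name, line in raw.items()}
    exposed = not verdicts or "vulnerable" in verdicts.values()
    return verdicts, exposed


def check_host(sysfs_dir=SYSFS_VULN_DIR):
    """Convenience wrapper: read sysfs and evaluate it in one call."""
    return evaluate(read_vulnerabilities(sysfs_dir))


if __name__ == "__main__":
    verdicts, exposed = check_host()
    for name, verdict in verdicts.items():
        print(f"{name:24s} {verdict}")
    print("exposed:", exposed)
```

A "mitigated" verdict only says the kernel has a mitigation enabled; whether microcode is current is a separate check, and on hypervisors the guest kernel reports what the virtual CPU exposes, so the host must be verified as well.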

Read more ...

GDPR: portability of data in the context of the new European regulation

Data portability in the new European Regulation 2016/679
A new duty for data controllers and a new right for data subjects: let's look at the content, the legal basis and the practical implementation.

Why should one be interested in data portability and understand what it means?
25 May 2018 is approaching. On that day the GDPR will apply in all EU countries. The new regulation introduces several changes that must be understood, whether you are the natural person the personal data refers to (you gain new rights) or the controller that receives and processes the data (you gain new duties). One of the main new features is the so-called "right to data portability", set out in Article 20 and Recitals 68 and 73 of the GDPR and explained in the Guidelines WP 242, adopted on 13 December 2016 (last revised on 5 April 2017) by the European "Article 29 Working Party" (WP29).
The text of the GDPR can be accessed here, and the WP 242 document here.

Read more ...

IT Security Bulletin - January 2018

In the next issue you will find an article dedicated to the recent Meltdown and Spectre vulnerabilities, which are not covered in this bulletin.

DDoS attacks and Botnets

Necurs botnet now distributes ransomware
Necurs is alive and kicking and is distributing malware through at least three different campaigns, as MyOnlineSecurity reports.
The first campaign spreads the Scarab ransomware through email. A bogus message has copier@victim-domain as sender and "Scanned from HP" (or another brand) as subject; the body is blank, but there is an attachment, which is of course the ransomware itself. The message pretends to deliver documents scanned by a network printer.
The second campaign is also conveyed by email and carries another ransomware, GlobeImposter. The sender is invoicing@random-company, the subject a random alphanumeric string (e.g. FL-610025 11.30.2017) and, as in the previous one, there is no body text, only an attachment.
The third campaign is similar and pretends to deliver an Amazon invoice as an attachment. In this case it is not ransomware but a banking Trojan.
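The lures above share a recognizable shape: a sender that claims the recipient's own domain (copier@victim-domain), a "Scanned from ..." or invoice-number subject, an empty body and a single attachment. The following is an added example, not the bulletin's or any mail product's code, of a gateway-side scoring rule for that shape; the attachment extensions, the regular expressions, the quarantine threshold, the reliance on an Authentication-Results header stamped by the gateway, and the three sample messages are all constructed assumptions for illustration.

```python
"""Score incoming mail against the Necurs lure pattern described above.

Indicators: internal-looking sender without SPF/DKIM pass, printer-scan or
invoice-number subject, empty body, risky attachment.  All patterns and
thresholds are this example's assumptions, not vendor rules.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Attachment types worth flagging (assumption: archives, scripts, macro documents, executables).
RISKY_EXT = re.compile(r"\.(zip|7z|rar|js|jse|vbs|wsf|docm?|xlsm?|exe|scr)$", re.I)
SCAN_SUBJECT = re.compile(r"^\s*scanned\s+from\b", re.I)          # "Scanned from HP"
INVOICE_SUBJECT = re.compile(r"^\s*[A-Z]{1,4}-\d{5,}\b", re.I)    # "FL-610025 11.30.2017"
AUTH_PASS = re.compile(r"\b(spf|dkim|dmarc)=pass\b", re.I)        # stamped by the gateway (assumption)
QUARANTINE_AT = 3                                                  # indicators needed (assumption)


def sender_domain(msg) -> str:
    m = re.search(r"@([\w.-]+)", msg.get("From") or "")
    return m.group(1).lower() if m else ""


def body_is_blank(msg) -> bool:
    part = msg.get_body(preferencelist=("plain", "html"))
    return part is None or not part.get_content().strip()


def risky_attachments(msg) -> list:
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    return [n for n in names if RISKY_EXT.search(n)]


def score_message(raw: bytes, own_domains) -> dict:
    """Return the matched indicators and a quarantine decision for one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    auth = msg.get("Authentication-Results") or ""
    if sender_domain(msg) in own_domains and not AUTH_PASS.search(auth):
        reasons.append("sender claims our own domain but SPF/DKIM did not pass")
    subject = msg.get("Subject") or ""
    if SCAN_SUBJECT.search(subject) or INVOICE_SUBJECT.search(subject):
        reasons.append("printer-scan or invoice-number subject")
    if body_is_blank(msg):
        reasons.append("empty body")
    bad = risky_attachments(msg)
    if bad:
        reasons.append("risky attachment: " + ", ".join(bad))
    return {"reasons": reasons, "quarantine": len(reasons) >= QUARANTINE_AT}


def build_sample(from_addr, subject, body, attachment=None, auth=None) -> bytes:
    """Constructed test message, not a real campaign sample."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = "alice@example.com"
    msg["Subject"] = subject
    if auth:
        msg["Authentication-Results"] = auth
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"PK\x03\x04placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_bytes()


SCARAB_LURE = build_sample("copier@example.com", "Scanned from HP", "", "scan_0001.zip")
GLOBEIMPOSTER_LURE = build_sample("invoicing@random-company.example",
                                  "FL-610025 11.30.2017", "", "FL-610025.7z")
REAL_SCAN = build_sample("copier@example.com", "Scanned from HP", "Contract attached.",
                         "contract.pdf", auth="mx.example.com; spf=pass smtp.mailfrom=example.com")

if __name__ == "__main__":
    for label, raw in [("scarab", SCARAB_LURE), ("globeimposter", GLOBEIMPOSTER_LURE), ("legit", REAL_SCAN)]:
        print(label, score_message(raw, {"example.com"}))
```

The "own domain without authentication" indicator is the strongest of the four: a real network printer relays through the internal mail server and its messages pass SPF, while the lure arrives from outside claiming an internal address. Counting indicators rather than matching any single one keeps a genuine scan-to-email message with a PDF from being quarantined.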

ProxyM botnet attacks websites
Dr.Web identified a botnet, called ProxyM, based on the Linux.ProxyM.1 malware and previously used for email spam campaigns (up to 400 messages per device per day).
The malware targets Linux devices and creates a SOCKS proxy server on them; the mode of attack has recently changed, and ProxyM now attacks websites. Infected hosts perform SQL injection, XSS (Cross-Site Scripting) and LFI (Local File Inclusion) attacks against forums, game servers and generic sites, without a clear pattern. Dr.Web observed 10,000 to 40,000 attacks per day.
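Both the ProxyM injection probes described here and the StealthWorker brute-force logins against CMS administration pages (April 2019 bulletin above) leave a clear trace in the web server's access log. The following is an added example, not Dr.Web's, Fortinet's or the bulletin's code, of a detector that runs over access log lines and reports both behaviours; the login endpoint list (stock paths of the named CMSs), the payload patterns, the threshold and the sample log lines are constructed assumptions, and the sample uses RFC 5737 test addresses rather than real traffic.

```python
"""Flag CMS login brute force and SQLi/XSS/LFI probes in web access logs.

Endpoint list, payload patterns, threshold and sample lines are this
example's assumptions for illustration.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Apache/nginx "combined"-style line: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Default login endpoints of the CMSs named in the bulletin (assumption: stock paths).
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php",            # WordPress
               "/administrator/index.php",                # Joomla
               "/user/login",                             # Drupal
               "/admin/")                                 # Magento default admin path
BRUTE_THRESHOLD = 20   # login POSTs from one IP within the lines fed in; tune per site (assumption)

PROBES = {
    "sqli": re.compile(r"(union\s+select|'\s*or\s+\d+\s*=\s*\d+|sleep\s*\(|benchmark\s*\(|information_schema)", re.I),
    "xss":  re.compile(r"(<script|javascript:|on(error|load)\s*=)", re.I),
    "lfi":  re.compile(r"(\.\./|/etc/passwd|/proc/self/environ|php://)", re.I),
}


def parse(line: str):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode twice so %2527 / %253C style double encoding does not hide a payload.
    rec["decoded"] = unquote_plus(unquote_plus(rec["path"]))
    return rec


def analyze(lines):
    """Return {'brute_force': {ip: count}, 'probes': {ip: [(kind, raw_path), ...]}}."""
    login_posts = Counter()
    probes = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue            # malformed line: skip, never crash a detector on bad input
        path_only = rec["decoded"].split("?", 1)[0]
        if rec["method"] == "POST" and any(path_only.startswith(p) for p in LOGIN_PATHS):
            login_posts[rec["ip"]] += 1
        for kind, rx in PROBES.items():
            if rx.search(rec["decoded"]):
                probes[rec["ip"]].append((kind, rec["path"]))
    return {
        "brute_force": {ip: n for ip, n in login_posts.items() if n >= BRUTE_THRESHOLD},
        "probes": dict(probes),
    }


# Constructed sample (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = [
    f'203.0.113.5 - - [12/Dec/2017:10:00:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3412'
    for i in range(25)
] + [
    '198.51.100.7 - - [12/Dec/2017:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '198.51.100.9 - - [12/Dec/2017:10:02:00 +0000] "GET /index.php?id=1%20UNION%20SELECT%20user,password%20FROM%20users HTTP/1.1" 200 512',
    '198.51.100.9 - - [12/Dec/2017:10:02:01 +0000] "GET /forum/search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300',
    '198.51.100.9 - - [12/Dec/2017:10:02:02 +0000] "GET /view.php?file=../../../../etc/passwd HTTP/1.1" 404 200',
    '192.0.2.10 - - [12/Dec/2017:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 8000',
    'not a log line at all',
]

if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

The brute-force count is deliberately status-agnostic because WordPress answers a failed login with 200 and a successful one with a 302 redirect, so a burst of 200s followed by a single 302 from the same address is exactly the credential-found case; in production, feed the function one time window at a time and add the status to the report so that case stands out. Pattern matching on decoded query strings catches opportunistic botnet payloads like ProxyM's, not a careful human attacker.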

Read more ...

Security Bulletin - October 2017

DDoS attacks and botnets

IoT_reaper: a new growing botnet

Netlab researchers have identified a new botnet, named IoT_reaper.
The botnet is in its early stages and growing rapidly: it has not launched a single attack so far but, as the name suggests, it harvests vulnerable IoT devices and adds them to its network. It is similar to Mirai, with some differences: it targets only devices with known vulnerabilities and does not try to guess passwords (saving considerable computational resources), it embeds Lua code that allows more sophisticated attacks, and its scans are not aggressive, so they are hard to spot.
The botnet added more than 20,000 devices in less than two weeks; the exploited devices include D-Link, Netgear and Linksys products, among others, and the full list is in the article linked above. Fortunately, patches are available for the exploited vulnerabilities.

A botnet is scanning the Web for private SSH keys
In a post on its blog, Wordfence warns about Web scanning activity that looks for private SSH keys left exposed on web servers.
It is not clear which botnet is responsible for the scan, but Wordfence warns everyone who runs a site or server and logs in with key-based authentication.
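The scan described above only finds what is already there: a key file that ended up under the document root, typically from a careless deploy or a backup. The following is an added example, not Wordfence's or the bulletin's code, of a local check that walks a document root and reports files that are private keys by content (PEM/OpenSSH headers) or by name; the marker strings, the list of suspicious names and the demo directory tree are this example's own assumptions, and the demo key is a placeholder, not real key material.

```python
"""Find private keys sitting under a web document root.

Marker strings, suspicious names and the demo fixture are this example's
assumptions; the key in the fixture is a placeholder, not real key material.
"""
import os
import tempfile
from pathlib import Path

# PEM/OpenSSH headers that identify a private key regardless of file name.
KEY_MARKERS = (
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN DSA PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",
)
# Names worth reporting even when the content is not a valid key (assumption).
KEY_NAMES = {"id_rsa", "id_dsa", "id_ecdsa", "id_ed25519", "identity"}
KEY_SUFFIXES = (".pem", ".key", ".ppk")


def looks_like_private_key(path, max_bytes=4096) -> bool:
    """Content check on the first bytes only; never load a huge file to test it."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(max_bytes)
    except OSError:
        return False
    return any(marker in head for marker in KEY_MARKERS)


def find_exposed_keys(docroot):
    """Walk docroot and return sorted (relative_posix_path, reason) findings."""
    root = Path(docroot)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if looks_like_private_key(path):
                findings.append((rel, "private key header in content"))
            elif name in KEY_NAMES or name.endswith(KEY_SUFFIXES):
                findings.append((rel, "key-like file name"))
    return sorted(findings)


def write_demo_docroot(base) -> Path:
    """Constructed fixture: a key-shaped file under .ssh, a mis-named file, a normal page."""
    base = Path(base)
    (base / ".ssh").mkdir(parents=True, exist_ok=True)
    (base / ".ssh" / "id_rsa").write_bytes(
        b"-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END OPENSSH PRIVATE KEY-----\n"
    )
    (base / "backup").mkdir(exist_ok=True)
    (base / "backup" / "server.key").write_bytes(b"just a badly named text file\n")
    (base / "index.html").write_bytes(b"<html><body>hello</body></html>\n")
    return base


def demo_findings():
    """Run the scanner over a throw-away copy of the fixture."""
    return find_exposed_keys(write_demo_docroot(tempfile.mkdtemp()))


if __name__ == "__main__":
    import sys
    findings = find_exposed_keys(sys.argv[1]) if len(sys.argv) > 1 else demo_findings()
    for rel, reason in findings:
        print(f"{rel}: {reason}")
```

A finding is a confirmed exposure only if the web server actually serves the path (check with `curl -sI https://host/.ssh/id_rsa` from outside); either way, deny dotfiles and key extensions in the server configuration, move keys out of the document root, and treat any key found there as compromised and rotate it.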

Read more ...

OWASP ZAP: a powerful tool to discover Websites vulnerabilities

OWASP Zed Attack Proxy (ZAP) is an integrated penetration-testing tool for finding vulnerabilities in web applications and websites. It is an easy and flexible solution usable at any proficiency level, from a developer approaching pentesting for the first time to professionals in the field.

ZAP is made of two main components. The first is an automated vulnerability scanner that identifies problems and produces a report for developers, sysadmins and security professionals with full details of the vulnerabilities found, so they can be fixed.
The second lets ZAP work as an intercepting proxy, inspecting all HTTP/S requests and responses; it can also modify them on the fly, to analyze behaviour that deviates from the norm or to trigger conditions that may be harmful to the system.

Read more ...

Internet of Things, security and privacy: a few remarks on legal aspects

What are the most relevant legal implications of using IoT devices, particularly in terms of personal data? Which aspects must be taken into account when developing IoT solutions?

This magazine has described the Internet of Things in the "Word of the Day" column, and in recent issues we ran an article dedicated to protecting IoT devices.
The interest in the topic is easy to justify: a recent study by Aruba Networks, "The Internet of Things: Today and Tomorrow", found that the economic benefits businesses obtain from adopting IoT devices exceed expectations, so the trend is likely to boom in the near future, particularly in sectors such as industry, healthcare, retail, wearable computing (glasses, clothing, watches and other wearables connected to the network), public administration, home automation and wherever companies build a "smart workplace".
Given the wide variety of sectors and the general interest in the topic, the use of IoT devices raises many complications and implications as far as legal aspects are concerned.

Read more ...

Data Breach: a short and clear recap of new duties, responsibilities and fines after the New European Regulations GDPR

How should a company behave if it suffers a data breach, according to the new General Data Protection Regulation (GDPR)? What must it do and within what time? What are its liabilities and what sanctions does it incur if it fails to comply?

We recently had a "Word of the Day" about data breaches, and it quickly raised the question of what a company should do, also from a legal perspective, if it falls victim to an IT breach, and what its liabilities are under European Regulation 2016/679, which will apply in a few months and is worth preparing for.

Read more ...

GFI LanGuard: network security scanner and patch management

Keeping an IT infrastructure properly updated is a costly and tiring activity: GFI's LanGuard is a product designed to structure and automate the update process safely.

An example of how dangerous unpatched systems are comes from the very recent wave of WannaCry infections, the ransomware that, although it hit a limited number of users (there could have been far more had a remedy not been found promptly), attacked Windows-based infrastructures in more than 150 countries. The ransomware used the EternalBlue exploit against an SMBv1 flaw that only affects unpatched versions of the operating system (Microsoft had fixed it in the MS17-010 update two months earlier). Imagine what the outcome would have been had it been able to hit every Windows system.

Read more ...

Wordpress Security

According to W3Techs, WordPress is used by 28.1% of all websites and accounts for 59% of those built on a CMS (Content Management System), and its adoption keeps growing. These numbers alone are enough to understand how widespread WordPress is: its easy installation and customization make it suitable for many use cases, e-commerce shops included.
Such popularity has a downside: it is one of the most attractive platforms for attackers. Fortunately, the damage from an attack can be prevented and limited with the techniques and best practices we discuss in this article.

Read more ...

Protecting IoT devices

How to protect IoT devices connected to the Internet and keep them secure

IoT is the acronym of Internet of Things, a term that defines a network in which devices, sensors, objects, people and animals are equipped with a unique identifier and can exchange data over the Internet without requiring direct human-to-machine interaction. The idea grew out of the convergence of wireless technologies with the availability of sensors and tools that are ever smaller, more advanced and cheaper.

This is what we wrote about IoT in our “Word of the Day” column.

In practice, IoT is made up of all the devices connected to the Internet, and the list is very long, as a quick search on Shodan, the search engine for Internet-connected devices, shows.
A consequence of being connected to the network is the chance of being hacked, which is not remote at all: the risk is that devices get infected and added to a botnet used for illegal activities such as DDoS attacks, malware distribution and spam campaigns.

Read more ...

WannaCry: an analysis of a vicious ransomware attack

In mid-May we witnessed an event that could have been described as an ordinary ransomware attack, yet it turned out to have an extraordinary impact: WannaCry.

In a few hours, this ransomware infected thousands of computers and knocked out several infrastructures before it was contained. Let's analyze what happened and why this attack was peculiar in its kind and, in some respects, even disturbing.

Read more ...
