DDoS attacks and Botnets

Attacks on mobile software almost doubled in 2018
Kaspersky Labs has released an interesting report entitled "Mobile malware evolution 2018", available at this address, which takes stock of the spread of malware on mobile devices in the past year, offering a useful tool to try to understand the future trend and react now.
Among the results highlighted by the report, which was conducted on the basis of data collected by devices with installed Kaspersky applications, the most important regards the number of attacks recorded: from 66.4 million in 2017 to 116.5 in 2018; on the other hand, the number of compromised installation packages has decreased (5,321,142 in 2018, almost 500 thousand less than the previous year).
Compromised apps include droppers (drop-down trojans that bypass checks and "drop the actual malicious package), adware (invasive advertising), risktool (apps that can cause physical damage) and spyware, including home banking systems, given their increasingly widespread use.

StealthWorker uses Windows and Linux to puncture sites
Fortiner researchers have identified a botnet that uses StealthWorker, a malware discovered a few weeks earlier by Malwarebytes.
Compared to the first version that focused only on Windows, this version of the malware has as its goal Linux, thus becoming a multi-platform threat; not only: by analyzing the open directories available on the C2 servers (Command & Control) indicated in the Malwarebytes report, evidence has been found that even the Mips and ARM architectures - therefore IoT devices - are involved. In both cases an automatic execution is scheduled to survive the restarts that releases the malware payload. Each infected machine is used to attach CMS installations like Joomla, Magento, Drupal and WordPress with brute force login attempts, and if the attack succeeds, not only are the credentials sent to the C2 server, but the compromised host becomes a zombie, creating a real botnet.

 Ransomware

New decryption tools for different ransomware available
If on the one hand the world of ransomware sees new threats every month, it is also true that thanks to the work of volunteers and researchers tools are developed to decipher the data encrypted by ransomware: if you do not have backups ready to restore, the advice is to keep the encrypted files waiting for a special tool. The untiring Michael Gillespie continues to work and now his ID-Ransomware ransomware identification service covers more than 700 ransomware families, F-Secure has released a tool for Mira, Emsisoft for PewDiePie, aurora, BigBobRoss (Avast has also released a tool for this ransomware) and Planetary, Bitdefender has created a tool for GandCrab (versions 1, 4 and 5).
The NoMoreRansom project dedicated page remains the reference point, and the MalwareHunter Team Ransomware ID service allows you to identify which ransomware encrypted your files among the 500 in the catalog.

 

Vulnerabilities

Clourborne is a vulnerability that installs backdoors in Cloud environments
Eclypsium researchers have identified a type of vulnerability renamed Cloudborne that allows you to install backdoors directly on physical servers used to manage virtual servers in Cloud environments; currently only IBM's SoftLayer technology is being studied, similar criticalities for other Cloud providers have not yet been analyzed.
The structure underlying the virtual part of a Cloud is naturally composed of physical servers, which have systems called BMC (Baseboard Management Control) - based on IPMI - which allow remote management of the server itself for the initial phases of installation and deployment; a vulnerability that affects BMC survives reboots and obviously will affect customers (even new ones) assigned to the server. The attacks obtainable include permanent DoS, server corruption, data theft, ransomware creation.
IBM has released a note mentioning the vulnerability and suggests a manual reset of the firmware before assigning the server to another client, although it is impractical to do this on a large scale.

Vulnerabilities get patched in Cisco and WebEx RV series routers
Cisco has released a patch for RV110W, RV130W and RV215W router vulnerabilities.
The vulnerabilities have Critical rank since I allow unauthenticated users to remotely execute commands on these routers; the person responsible for this is an incorrect management of the memory buffers; Updates are available in the cisco.com Software Center.
WebEx is the Cisco conferencing system; SecureAuth researchers have discovered a vulnerability that involves Webex and allows a local attacker (but in Active Directory environments the attack can be remote using remote management tools) without privileges to elevate privileges and launch arbitrary commands using a particular DLL library.
Cisco has released updated versions of the desktop app that correct this problem.

The risks of IoT in the medical field according to Check Point
Check Point researchers have published an interesting report on the risks of IoT in the medical field: not only the new devices associated with the current IoT boom, but also traditional machines connected to the network. The report is called "UltraHack: The Security Risks of Medical IoT".
The risks are more than current and involve a particularly sensitive sphere such as health. For example, the report cites an ultrasound machine running on Windows 2000, which has been without support for more than a decade; and of course it is vulnerable to attacks that allow you to read and modify the analysis results or infect it with a ransomware.
The suggested behaviors include an effective updating policy and a correct network segmentation and access policy.

News from the vendors

Microsoft Tuesday Patch

As every second Tuesday of the month, Microsoft has released the cumulative package of updates for Windows systems known as Patch Tuesday. It is installed automatically if automatic updates are enabled, otherwise it is available via Windows Update. Among the 64 problems being fixed (of which 15 marked as critical) in 12 different products, we mention those related to Office, Edge, Internet Explorer, Office and Office Services and Web Apps, ChakraCore, Adobe Flash Player, .NET Framework, ASP.NET , Skype for Business and Visual Studio. In no case have vulnerabilities been previously exploited for attacks.
Individual update packages can be selected and additional patch information can be found via the Security Update Guide.

About the Author

Lorenzo Bedin

Lorenzo graduated in Telecommunication Engineering and works as freelance IT consultant, after a period of training as systems analyst. Currently he provides hardware solutions, virtualized infrastructures and websites.

banner eng

fb icon evo twitter icon evo

Word of the Day

The term Edge Computing refers, when used in the cloud-based infrastructure sphere, the set of devices and technologies that allows...

>

The acronym SoC (System on Chip) describes particular integrated circuit that contain a whole system inside a single physical chip:...

>

The acronym PtP (Point-to-Point) indicates point-to-point radio links realized with wireless technologies. Differently, PtMP links connects a single source to...

>

Hold Down Timer is a technique used by network routers. When a node receives notification that another router is offline...

>

In the field of Information Technology, the term piggybacking refers to situations where an unauthorized third party gains access to...

>
Read also the others...

Download of the Day

Netcat

Netcat is a command line tool that can be used in both Linux and Windows environments, capable of...

>

Fiddler

Fiddler is a proxy server that can run locally to allow application debugging and control of data in...

>

Adapter Watch

Adapter Watch is a tool that shows a complete and detailed report about network cards. Download it here.

>

DNS DataView

DNS DataView is a graphical-interface software to perform DNS lookup queries from your PC using system-defined DNS, or...

>

SolarWinds Traceroute NG

SolarWinds Traceroute NG is a command line tool to perform advanced traceroute in Windows environment, compared to the...

>
All Download...

Issues Archive

  •  GURU advisor: issue 21 - May 2019

    GURU advisor: issue 21 - May 2019

  • GURU advisor: issue 20 - December 2018

    GURU advisor: issue 20 - December 2018

  • GURU advisor: issue 19 - July 2018

    GURU advisor: issue 19 - July 2018

  • GURU advisor: issue 18 - April 2018

    GURU advisor: issue 18 - April 2018

  • GURU advisor: issue 17 - January 2018

    GURU advisor: issue 17 - January 2018

  • GURU advisor: issue 16 - october 2017

    GURU advisor: issue 16 - october 2017

  • GURU advisor: issue 15 - July 2017

    GURU advisor: issue 15 - July 2017

  • GURU advisor: issue 14 - May 2017

    GURU advisor: issue 14 - May 2017

  • 1
  • 2
  • 3
  • BYOD: your devices for your firm

    The quick evolution of informatics and technologies, together with the crisis that mined financial mines, has brought to a tendency inversion: users that prefer to work with their own devices as they’re often more advanced and modern than those the companies would provide. Read More
  • A switch for datacenters: Quanta LB4M

    You don’t always have to invest thousands of euros to build an enterprise-level networking: here’s our test of the Quanta LB4M switch Read More
  • Mobile World Congress in Barcelona

    GURU advisor will be at the Mobile World Congress in Barcelona from February 22nd to 25th 2016!

    MWC is one of the biggest conventions about the worldwide mobile market, we'll be present for the whole event and we'll keep you posted with news and previews from the congress.

    Read More
  • 1