DDoS attacks and botnets
Rakos botnet grows but remains dormant
The Rakos botnet keeps growing but remains inactive, according to Morphus Labs’ Renato Marinho.
Rakos adds 8,000 new IoT zombies each day and continues to evolve: it now has a P2P structure. Some bots act as Command & Control nodes (called Skaros), while others act as “slaves” (called Checkers) and launch SSH attacks against targets to add them to the botnet.
Today Rakos is composed of IoT devices such as Raspberry Pi (45%), OpenELEC on Raspberry Pi (22%), Ubiquiti wireless access points (16%) and others.
As of now, the only remedy for the malware is to reboot the IoT device and use strong SSH credentials.
Marinho describes the botnet as “transient”: bots do not remain bots indefinitely, only until a reboot. The strength of the botnet lies in the number of bots available each day (almost 8,000), which is enough to launch an impactful DDoS attack.
Shodan launches new tool to find C&C servers
Shodan launches Malware Hunter, a tool specifically conceived to find Command and Control (C&C, sometimes C2) servers, i.e. servers belonging to a botnet that send commands to the zombie members of the network and act as malware download centers.
Malware Hunter works thanks to bots that scan the network looking for computers configured to act as C2 servers; the bots pretend to be an infected computer, using a predefined mode, and talk to the suspected C&C server: if it replies, Malware Hunter records the data and makes it available through its powerful graphical tool.
Bondnet botnet mines cryptocurrencies on Windows servers
Botnets are not just about DDoS attacks, spam campaigns or malware distribution; sometimes they mine cryptocurrencies, as in the case of Bondnet, the botnet developed by a hacker known as Bond007 and discovered by GuardiCore researchers.
The botnet is composed of almost 15,000 infected Windows servers, 2,000 of which mine cryptocurrencies each day, mostly Monero but also ByteCoin, RieCoin and ZCash.
The hacker exploits vulnerabilities in phpMyAdmin, JBoss, Oracle Web Application Testing Suite, ElasticSearch, MSSQL, Apache Tomcat and Oracle WebLogic to gain access to the system. Then, with the help of DLL libraries and Visual Basic scripts, a RAT (Remote Access Trojan) is downloaded and installed, providing a backdoor that is used to install a mining program and start mining cryptocurrencies.
GuardiCore provides a tool to remove the malware.
Interpol identifies 9000 C&C servers
Interpol announces the discovery of 9,000 C&C (Command & Control) servers in an area that encompasses Indonesia, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam.
The servers acted as malware distribution centers, spread ransomware and spam, and launched DDoS attacks.
The operation was carried out in collaboration with private companies such as Trend Micro, Kaspersky Lab, Cyber Defense Institute, Booz Allen Hamilton, British Telecom, Fortinet and Palo Alto Networks.
Emsisoft releases decryption tools for Amnesia and Cry128
Emsisoft released a decryption tool for the Amnesia ransomware, which appeared at the end of April. Amnesia brute-forces an RDP connection to access the system and encrypt its files.
A tool for Cry128 is also available; Cry128 is part of the CryptON family.
Emsisoft also released tools for CryptON and its variant Cry9.
Avast releases decryption tools for AES_NI and Wallet
Avast released two tools to decrypt files encrypted by the AES_NI ransomware, which first appeared at the end of 2016, and by Wallet, a Crysis variant.
Both tools are available at this address.
40 models of Asus routers are vulnerable to 5 exploits
Nightwatch Cybersecurity discovered that 4 different models of Asus routers are vulnerable to 5 different exploits that allow an attacker to obtain the Wi-Fi password, change settings without authentication, run code, and steal information and data.
A list of affected models and details about the exploits is available at this address.
The good news is that Nightwatch Cybersecurity informed Asus well in advance, so Asus was able to develop a firmware that fixes these vulnerabilities. The firmware is available here.
25 Linksys router models are vulnerable to exploits
Linksys announced that 25 router models of the WRT and EAxxxx families have vulnerabilities that can be exploited for various attacks, as reported by IOActive.
While waiting for the release of a new firmware, Linksys invites owners of such routers to enable automatic updates, disable the guest Wi-Fi network and change the default administrator password.
Adobe releases patches for 7 Flash Player vulnerabilities
Adobe released a Flash Player update that fixes 7 vulnerabilities that could potentially help a hacker gain control of the system on which Flash Player is installed.
The update is available for Windows, Linux and macOS; visit this dedicated page to find out whether your installed version can be updated or is already up to date.
Samba is vulnerable to a possible exploit
Samba is a suite of tools that enables file and print sharing between Linux and Windows systems.
Its developers announced the discovery of a vulnerability present from version 3.5.0 onwards. The vulnerability, located in a daemon, can be exploited with just a single line of code to run code on the affected server.
A possible mitigation is adding “nt pipe support = no” to the [global] section of the smb.conf file, followed by a restart of the service.
Samba is used by other vendors as well; Synology offers a fix available at this address.
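As an added check (not code from the Samba project), the following Python snippet parses an smb.conf and reports whether the workaround above is actually present in the [global] section; the two sample configurations are constructed for this example.

```python
import re

# Constructed smb.conf samples for this example (not taken from any real host).
SMB_CONF_MITIGATED = """
# workaround from the advisory applied in the [global] section
[global]
   workgroup = WORKGROUP
   nt pipe support = no

[share]
   path = /srv/share
"""

SMB_CONF_UNMITIGATED = """
[global]
   workgroup = WORKGROUP
"""

def _normalise_key(key):
    # smb.conf parameter names are case-insensitive and whitespace inside
    # them is ignored, so "NT Pipe Support" and "ntpipesupport" are equal.
    return re.sub(r"\s+", "", key).lower()

def parse_smb_conf(text):
    """Return {section: {normalised_key: value}} for smb.conf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:                                # new [section] header
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][_normalise_key(key)] = value.strip()
    return sections

def nt_pipe_support_disabled(text):
    """True only if [global] explicitly sets 'nt pipe support' to a false value;
    a setting in a share section does not count, the parameter is global-only."""
    value = parse_smb_conf(text).get("global", {}).get("ntpipesupport")
    return value is not None and value.lower() in ("no", "false", "0")
```

Run it against the real file with `nt_pipe_support_disabled(open("/etc/samba/smb.conf").read())` after the restart to confirm the mitigation took effect.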
News from the vendors
New versions of Firefox and Chrome are available
New versions of Firefox and Chrome are now available.
Chrome 58 contains 29 security fixes, adds support for Progressive Web Apps on Android, and blocks domain names made of Cyrillic letters that resemble Latin ones: this measure prevents phishing attacks based on the ambiguity of letters that look the same. More on that here.
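To make the Chrome measure concrete, here is an added Python example (not Chrome's code) that flags hostnames whose labels consist only of Cyrillic letters that look like Latin ones; the lookalike table is an illustrative subset chosen for this example, not Chrome's list, and the sample hostnames are constructed.

```python
# Cyrillic letters that look almost identical to Latin letters in common fonts.
# Illustrative subset chosen for this example (assumption), not Chrome's exact list.
CYRILLIC_LATIN_LOOKALIKES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0445": "x", "\u0443": "y", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u04cf": "l", "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u051d": "w",
}

def decode_label(label):
    """Decode one hostname label from ACE form (xn--...) to lowercase Unicode."""
    if label.lower().startswith("xn--"):
        label = label[4:].encode("ascii").decode("punycode")
    return label.lower()

def is_latin_lookalike_label(label):
    """True if every character of the label is a Cyrillic letter that mimics a
    Latin one: the label reads as Latin text to a human but is not Latin."""
    text = decode_label(label)
    if text.isascii():
        return False
    return all(ch in CYRILLIC_LATIN_LOOKALIKES for ch in text)

def latin_shadow(label):
    """The Latin string a reader would perceive, e.g. 'аррӏе' -> 'apple'."""
    return "".join(CYRILLIC_LATIN_LOOKALIKES.get(ch, ch) for ch in decode_label(label))

def classify_hostname(hostname):
    """Return (suspicious, perceived_hostname). A name is flagged when any label
    is made entirely of Latin-lookalike Cyrillic letters; a name genuinely
    written in Cyrillic normally contains letters with no Latin twin."""
    labels = hostname.rstrip(".").split(".")
    suspicious = any(is_latin_lookalike_label(lbl) for lbl in labels)
    perceived = ".".join(latin_shadow(lbl) for lbl in labels)
    return suspicious, perceived

if __name__ == "__main__":
    # Constructed samples: the well-known 'apple' lookalike in ACE form,
    # a genuinely Cyrillic name and a plain ASCII one.
    for host in ("xn--80ak6aa92e.com", "яндекс.рф", "example.com"):
        print(host, classify_hostname(host))
```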
Firefox 53 definitively drops support for Windows XP and Vista; however, Firefox 52 ESR will support both operating systems until the end of September 2017.
The main news is the introduction of two Compact Themes (Light and Dark), actually already available in the Developer Edition, that closely resemble Microsoft Edge in appearance: a substantial improvement over the usual Firefox UI.
Windows users now have a “Quantum Compositor” that increases the stability of graphics rendering.
The Firefox site permissions panel has also been redesigned and now looks like Chrome’s, which is hard not to notice.
Firefox 55, whose release is expected in August, will explicitly ask the user to enable Flash on sites that (still) use it, eliminating the “always activate” option included today. This is another step towards abandoning Flash in favour of HTML5, which poses fewer security threats and performs better with the same resources.
HP releases patch that removes keyloggers installed on some laptops
HP released, through Windows Update, a patch that removes a keylogger found on 28 laptop models produced between 2015 and 2016, as HP Vice President Mike Nash told Axios.com.
The keylogger was discovered by the Swiss cybersecurity company Modzero, which identified the MicTray64.exe file in an audio driver package; the file records every key pressed by the user to log files. Those log files never actually left the system; however, their presence poses serious security concerns.
"It was something that was there in development process and should have been removed," Nash said.
Microsoft ceases support for SHA-1 SSL certificates in Edge and Internet Explorer
After Chrome and Firefox, Microsoft’s browsers too drop support for SSL certificates signed with the SHA-1 hash algorithm, which is considered obsolete and insecure.
The update, distributed via Microsoft Update (May 2017 Patch Tuesday), labels websites with a SHA-1 certificate as insecure. Last February, Google announced the first SHA-1 collision, which shows how wrong it is to believe that this algorithm is secure and that attacking it is computationally too expensive. SHAttered offers practical evidence of the collision.
Microsoft invites site owners to migrate from SHA-1 to SHA-256, a secure and reliable hash algorithm.