A multi-platform Python-based malware targeting Windows and Linux devices has now been upgraded to worm its way into Internet-exposed VMware vCenter servers unpatched against a remote code execution vulnerability. BleepingComputer reports: The malware, dubbed FreakOut by CheckPoint researchers in January (aka Necro and N3Cr0m0rPh), is an obfuscated Python script designed to evade detection using a polymorphic engine and a user-mode rootkit that hides malicious files dropped on compromised systems. FreakOut spreads itself by exploiting a wide range of OS and apps vulnerabilities and brute-forcing passwords over SSH, adding the infected devices to an IRC botnet controlled by its masters. The malware's core functionality enables operators to launch DDoS attacks, backdoor infected systems, sniff and exfiltrate network traffic, and deploy XMRig miners to mine for Monero cryptocurrency.

As Cisco Talos researchers shared in a report published today, FreakOut's developers have been hard at work improving the malware's spreading capabilities since early May, when the botnet's activity has suddenly increased. "Although the bot was originally discovered earlier this year, the latest activity shows numerous changes to the bot, ranging from different command and control (C2) communications and the addition of new exploits for spreading, most notably vulnerabilities in VMWare vSphere, SCO OpenServer, Vesta Control Panel and SMB-based exploits that were not present in the earlier iterations of the code," Cisco Talos security researcher Vanja Svajcer said. FreakOut bots scan for new systems to target either by randomly generating network ranges or on its masters' commands sent over IRC via the command-and-control server. For each IP address in the scan list, the bot will try to use one of the built-in exploits or log in using a hardcoded list of SSH credentials.

syn3rg shares a report from ZDNet: A Linux backdoor recently discovered by researchers has avoided VirusTotal detection since 2018. Dubbed RotaJakiro, the Linux malware has been described by the Qihoo 360 Netlab team as a backdoor targeting Linux 64-bit systems. RotaJakiro was first detected on March 25 when a Netlab distributed denial-of-service (DDoS) botnet C2 command tracking system, BotMon, flagged a suspicious file.

At the time of discovery, there were no malware detections on VirusTotal for the file, despite four samples having been uploaded -- two in 2018, one in 2020, and another in 2021. Netlab researchers say the Linux malware changes its use of encryption to fly under the radar, including ZLIB compression and combinations of AES, XOR, and key rotation during its activities, such as the obfuscation of command-and-control (C2) server communication. At present, the team says that they do not know the malware's "true purpose" beyond a focus on compromising Linux systems.

There are 12 functions in total including exfiltrating and stealing data, file and plugin management -- including query/download/delete -- and reporting device information. However, the team cites a "lack of visibility" into the plugins that is preventing a more thorough examination of the malware's overall capabilities. In addition, RotaJakiro will treat root and non-root users on compromised systems differently and will change its persistence methods depending on which accounts exist.

Law enforcement officials in the Netherlands are in the process of delivering an Emotet update that will remove the malware from all infected computers on March 25, 2021, ZDNet has learned today. From a report: The update was made possible after law enforcement agencies from across eight countries orchestrated a coordinated takedown this week to seize servers and arrest individuals behind Emotet, considered today's largest malware botnet. While servers were located across multiple countries, Dutch officials said that two of three of Emotet's primary command and control (C&C) servers were located inside its borders. Dutch police officials said today they used their access to these two crucial servers to deploy a boobytrapped Emotet update to all infected hosts. According to public reports, also confirmed by ZDNet with two cyber-security firms that have historically tracked Emotet operations, this update contains a time-bomb-like code that will uninstall the Emotet malware on March 25, 2021, at 12:00, the local time of each computer.

An anonymous reader quotes a report from ZDNet: Analysts from security firm Trend Micro said in a report today that they've spotted a malware botnet that collects and steals Docker and AWS credentials. Researchers have linked the botnet to a cybercrime operation known as TeamTNT; a group first spotted over the 2020 summer installing cryptocurrency-mining malware on misconfigured container platforms. Initial reports at the time said that TeamTNT was breaching container platforms by looking for Docker systems that were exposing their management API port online without a password.

Researchers said the TeamTNT group would access exposed Docker containers, install a crypto-mining malware, but also steal credentials for Amazon Web Services (AWS) servers in order to pivot to a company's other IT systems to infect even more servers and deploy more crypto-miners. At the time, researchers said that TeamTNT was the first crypto-mining botnet that implemented a feature dedicated to collecting and stealing AWS credentials. But in a report today, Trend Micro researchers said that the TeamTNT gang's malware code had received considerable updates since it was first spotted last summer. TeamTNT has now also added a feature to collect Docker API credentials, on top of the AWS creds-stealing code. This feature is most likely used on container platforms where the botnet infects hosts using other entry points than its original Docker API port scanning feature.

More than 100,000 Zyxel firewalls, VPN gateways, and access point controllers contain a hardcoded admin-level backdoor account that can grant attackers root access to devices via either the SSH interface or the web administration panel. From a report: The backdoor account, discovered by a team of Dutch security researchers from Eye Control, is considered as bad as it gets in terms of vulnerabilities. Device owners are advised to update systems as soon as time permits. Security experts warn that anyone ranging from DDoS botnet operators to state-sponsored hacking groups and ransomware gangs could abuse this backdoor account to access vulnerable devices and pivot to internal networks for additional attacks.

Bernard Meyer, reporting for CyberNews: In a collaboration between CyberNews Sr. Information Security Researcher Mantas Sasnauskas and researchers James Clee and Roni Carta, suspicious backdoors have been discovered in a Chinese-made Jetstream router, sold exclusively at Walmart as their new line of "affordable" wifi routers. This backdoor would allow an attacker the ability to remotely control not only the routers, but also any devices connected to that network. CyberNews reached out to Walmart for comment and to understand whether they were aware of the Jetstream backdoor, and what they plan to do to protect their customers. After we sent information about the affected Jetstream device, a Walmart spokesperson informed CyberNews: "Thank you for bringing this to our attention. We are looking into the issue to learn more. The item in question is currently out of stock and we do not have plans to replenish it."

Besides the Walmart-exclusive Jetstream router, the cybersecurity research team also discovered that low-cost Wavlink routers, normally sold on Amazon or eBay, have similar backdoors. The Wavlink routers also contain a script that lists nearby wifi and has the capability to connect to those networks. We have also found evidence that these backdoors are being actively exploited, and there's been an attempt to add the devices to a Mirai botnet. Mirai is malware that infects devices connected to a network, turns them into remotely controlled bots as part of a botnet, and uses them in large-scale attacks. The most famous of these is the 2016 Dyn DNS cyberattack, which brought down major websites like Reddit, Netflix, CNN, GitHub, Twitter, Airbnb and more.

TrickBot survived an initial takedown attempt, but Microsoft and its partners are countering TrickBot operators after every move, taking down any new infrastructure the group is attempting to bring up online. From a report: Last week, a coalition of cyber-security firms led by Microsoft orchestrated a global takedown against TrickBot, one of today's largest malware botnets and cybercrime operations. Even if Microsoft brought down TrickBot infrastructure in the first few days, the botnet survived, and TrickBot operators brought new command and control (C&C) servers online in the hopes of continuing their cybercrime spree. But as several sources in the cyber-security industry told ZDNet last week, everyone expected TrickBot to fight back, and Microsoft promised to continue cracking down against the group in the weeks to come. In an update posted today on its takedown efforts, Microsoft confirmed a second wave of takedown actions against TrickBot. The OS maker said it has slowly chipped away at TrickBot infrastructure over the past week and has taken down 94% of the botnet's C&C servers, including the original servers and new ones brought online after the first takedown.

A coalition of technology companies used a federal court order unsealed Monday to begin dismantling one of the world's most dangerous botnets in an effort to preempt disruptive cyber-attacks before next month's U.S. presidential election. From a report: The takedown is a highly coordinated event, spearheaded by the software giant Microsoft and involving telecommunications providers in multiple countries. If the operation succeeds, it will disable a global network of infected computers created by a popular malicious software known as Trickbot. Beginning early Monday, Trickbot operators are expected to began losing communication with the millions of computers they had painstakingly infected over a period of months, even years. The loss of the botnet -- as a network of infected computers is known -- will make it more difficult for Russian-based cybercriminals and other digital marauders to do their work. It will likely take months or years for the criminals to recover, if at all.

By dramatically dismantling Trickbot's network, Microsoft and its partners believe they will likely head-off ransomware attacks that could compromise voting systems before the U.S. presidential election on Nov. 3, said Tom Burt, vice president of Microsoft's customer security and trust division. "They could tie-up voter registration roles, election night reporting results and generally be extremely disruptive," Burt said. "Taking out one of the most notorious malware groups, we hope, will reduce the risk of ransomware's impact on the election this year." Coordinated takedowns like the one Monday have become increasingly common in the last several years, although the legal and technical hurdles involved are substantial. In this case, Microsoft and its partners were able to obtain a federal court order founded on Trickbot's infringement of Microsoft's trademarks, but ultimately aimed at disconnecting communications channels the attackers use to control the malicious software.

The Washington Post reports: In recent weeks, the U.S. military has mounted an operation to temporarily disrupt what is described as the world's largest botnet — one used also to drop ransomware, which officials say is one of the top threats to the 2020 election.

U.S. Cyber Command's campaign against the Trickbot botnet, an army of at least 1 million hijacked computers run by Russian-speaking criminals, is not expected to permanently dismantle the network, said four U.S. officials, who spoke on the condition of anonymity because of the matter's sensitivity. But it is one way to distract them at least for a while as they seek to restore operations.
U.S. Cyber Command also "stuffed millions of bogus records about new victims into the Trickbot database — apparently to confuse or stymie the botnet's operators," reports security researcher Brian Krebs: Alex Holden, chief information security officer and president of Milwaukee-based Hold Security, has been monitoring Trickbot activity before and after the 10-day operation. Holden said while the attack on Trickbot appears to have cut its operators off from a large number of victim computers, the bad guys still have passwords, financial data and reams of other sensitive information stolen from more than 2.7 million systems around the world. Holden said the Trickbot operators have begun rebuilding their botnet, and continue to engage in deploying ransomware at new targets. "They are running normally and their ransomware operations are pretty much back in full swing," Holden said. "They are not slowing down because they still have a great deal of stolen data."

Holden added that since news of the disruption first broke a week ago, the Russian-speaking cybercriminals behind Trickbot have been discussing how to recoup their losses, and have been toying with the idea of massively increasing the amount of money demanded from future ransomware victims.

An anonymous reader quotes a report from Wired: FritzFrog has been used to try and infiltrate government agencies, banks, telecom companies, and universities across the US and Europe. Researchers have found what they believe is a previously undiscovered botnet that uses unusually advanced measures to covertly target millions of servers around the world. The botnet uses proprietary software written from scratch to infect servers and corral them into a peer-to-peer network, researchers from security firm Guardicore Labs reported on Wednesday. Peer-to-peer (P2P) botnets distribute their administration among many infected nodes rather than relying on a control server to send commands and receive pilfered data. With no centralized server, the botnets are generally harder to spot and more difficult to shut down.

The botnet, which Guardicore Labs researchers have named FritzFrog, has a host of other advanced features, including: In-memory payloads that never touch the disks of infected servers; At least 20 versions of the software binary since January; A sole focus on infecting secure shell, or SSH, servers that network administrators use to manage machines; The ability to backdoor infected servers; and A list of login credential combinations used to suss out weak login passwords that's more "extensive" than those in previously seen botnets. Taken together, the attributes indicate an above-average operator who has invested considerable resources to build a botnet that's effective, difficult to detect, and resilient to takedowns. The new code base -- combined with rapidly evolving versions and payloads that run only in memory -- make it hard for antivirus and other end-point protection to detect the malware.

The botnet has so far succeeded in infecting 500 servers belonging to "well-known universities in the US and Europe, and a railway company."Once installed, the malicious payload can execute 30 commands, including those that run scripts and download databases, logs, or files. To evade firewalls and endpoint protection, attackers pipe commands over SSH to a netcat client on the infected machine. Netcat then connects to a "malware server." (Mention of this server suggests that the FritzFrog peer-to-peer structure may not be absolute. Or it's possible that the "malware server" is hosted on one of the infected machines, and not on a dedicated server. Guardicore Labs researchers weren't immediately available to clarify.)

An anonymous reader quotes a report from Wired: At the Black Hat security conference on Wednesday, [researchers at the Georgia Institute of Technology] will present their findings, which suggest that high-wattage IoT botnets -- made up of power-guzzling devices like air conditioners, car chargers, and smart thermostats -- could be deployed strategically to increase demand at certain times in any of the nine private energy markets around the US. A savvy attacker, they say, would be able to stealthily force price fluctuations in the service of profit, chaos, or both. The researchers used real, publicly available data from the New York and California markets between May 2018 and May 2019 to study fluctuations in both the "day-ahead market" that forecasts demand and the "real-time market," in which buyers and sellers correct for forecasting errors and unpredictable events like natural disasters. By modeling how much power various hypothetical high-wattage IoT botnets could draw, and crunching the market data, the researchers devised two types of potential attacks that would alter energy pricing. They also figured out how far hackers would be able to push their attacks without the malicious activity raising red flags.

"Our basic assumption is that we have access to a high-wattage IoT botnet," says Tohid Shekari, a PhD candidate at the Georgia Institute of Technology who contributed to the research, along with fellow PhD candidate Celine Irvine and professor Raheem Beyah. "In our scenarios, attacker one is a market player; he's basically trying to maximize his own profit. Attacker two is a nation-state actor who can cause financial damage to market players as part of a trade war or cold war. The basic part of either attack is to look at price-load sensitivity. If we change demand by 1 percent, how much is the price going to change as a result of that? You want to optimize the attack to maximize the gain or damage." An attacker could use their botnet's power to increase demand, for instance, when other entities are betting it will be low. Or they could bet that demand will go up at a certain time with certainty that they can make that happen. "The researchers caution that, based on their analysis, much smaller demand fluctuations than you might expect could affect pricing, and that it would take as few as 50,000 infected devices to pull off an impactful attack," the report adds.

"Consumers whose devices are unwittingly conscripted into a high-wattage botnet would also be unlikely to notice anything amiss; attackers could intentionally turn on devices to pull power late at night or while people are likely to be out of the house. [...] The researchers calculated that market manipulation campaigns would cause, at most, a 7 percent increase in consumers' home electric bills, likely low enough to go unnoticed."

The researchers say market manipulators could take home as much as $245 million a year, and cause as much as $350 million per year in economic damage.

An anonymous reader writes: An unknown vigilante hacker has been sabotaging the operations of the recently-revived Emotet botnet by replacing Emotet payloads with animated GIFs, effectively preventing victims from getting infected. The sabotage, which started on July 21, has grown from a simple joke to a serious issue impacting a large portion of the Emotet operation, reducing the biggest malware botnet today to a quarter of its daily capabilities.

Since the attack started, the vigilante has replaced Emotet payloads with this Blink 182 "WTF" GIF, a James Franco GIF, and the Hackerman GIF from the Kung Fury movie.
The article points out this is all possible because Emotet stashes its malware on Wordpress sites they've breached with web shells — all of which have the exact same password.

An anonymous reader quotes a report from BuzzFeed News: On April 2, Twitter took down a pro-United Arab Emirates network of accounts that was pushing propaganda about the coronavirus pandemic and criticizing Turkey's military intervention in Libya. Previously tied to marketing firms in the region, parts of this network were removed by Facebook and Twitter last year. The network was made up of roughly 9,000 accounts, according to disinformation research firm DFRLab and independent researcher Josh Russell. Although it promoted narratives in line with the political stances of the governments of the UAE, Saudi Arabia, and Egypt, its origins were unclear.

Many Twitter handles contained alphanumeric characters instead of names, and many did not post photos. Accounts that did have profile pictures often used images of Indian models. One video pushed by the fake accounts voiced support for the Chinese government during the peak of the coronavirus outbreak in China in February. The video remains online, but lost over 4,000 retweets and likes after the takedown. The video now has four retweets.

The bot network also amplified a video of a woman thanking the government of the UAE for transporting Yemeni students out of Wuhan, China. Today, that video, which is also still online, went from having nearly 4,500 retweets to having 70. Spreading propaganda about the coronavirus didn't seem to have been the network's focus. The accounts, some of which posed as journalists and news outlets, amplified an article about the UAE government's disapproval of the Libyan prime minister and boosted criticism of Turkey's support of militias in Libya.

"Red faces in Red Square, again," writes a Forbes cybersecurity correspondent: Last July, I reported on the hacking of SyTech, an FSB contractor working on internet surveillance tech. Now, reports have emerged from Russia of another shocking security breach within the FSB ecosystem. This one has exposed "a new weapon ordered by the security service," one that can be used to execute cyber attacks on IoT devices. The goal of the so-called "Fronton Program" is to exploit IoT security vulnerabilities en masse — remember, these technologies are fundamentally less secure than other connected devices in homes and offices...

The security contractors highlight retained default "factory" passwords as the obvious weakness, one that is easy to exploit... The intent of the program is not to access the owners of those devices, but rather to herd them together into a botnet that can be used to attack much larger targets — think major U.S. and European internet platforms, or the infrastructure within entire countries, such as those bordering Russia.
But the article also notes that targetted devices for the exploits include cameras, adding that compromising such devices in foreign countries by a nation-state agency "carries other surveillance risks as well." It also points out that the FSB "is the successor to the KGB and reports directly to Russia's President Vladimir Putin," and its responsibilities include electronic intelligence gathering overseas.

"The fact that these kind of tools are being contracted out for development given the current geopolitical climate should give us all serious pause for thought."

Russian hacker group Digital Revolution claims to have breached a contractor for the FSB -- Russia's national intelligence service -- and discovered details about a project intended for hacking Internet of Things (IoT) devices. From a report: The group published this week 12 technical documents, diagrams, and code fragments for a project called "Fronton." ZDNet has not seen the documents first hand since they are still password-protected; however, the hackers provided the files to BBC Russia earlier this week. According to screenshots shared by the hacker group, which ZDNet asked security researchers to analyze, and based on BBC Russia's report from earlier this week, we believe the Fronton project describes the basics of building an IoT botnet. The technical Fronton documents were put together following a procurement order placed by one of the FSB's internal departments, unit No. 64829, which is also known as the FSB Information Security Center.

Microsoft announced today a coordinated takedown of Necurs, one of the largest spam and malware botnets known to date, believed to have infected more than nine million computers worldwide. From a report: The takedown effort came after Microsoft and industry partners broke the Necurs DGA -- the botnet's domain generation algorithm, the component that generates random domain names. Necurs authors register DHA-generated domains weeks or months in advance and host the botnet's command-and-control (C&C) servers, where bots (infected computers) connect to receive new commands. "We were then able to accurately predict over six million unique domains that would be created in the next 25 months," said Tom Burt, Microsoft Vice President for Customer Security & Trust. Breaking the DGA allowed Microsoft and its industry partners to create a comprehensive list of future Necurs C&C server domains that they can now block and prevent the Necurs team from registering.

The sophistication of the Emotet malware's code base and its regularly evolving methods for tricking targets into clicking on malicious links has allowed it to spread widely. "Now, Emotet is adopting yet another way to spread: using already compromised devices to infect devices connected to nearby Wi-Fi networks," reports Ars Technica. From the report: Last month, Emotet operators were caught using an updated version that uses infected devices to enumerate all nearby Wi-Fi networks. It uses a programming interface called wlanAPI to profile the SSID, signal strength, and use of WPA or other encryption methods for password-protecting access. Then, the malware uses one of two password lists to guess commonly used default username and password combinations. After successfully gaining access to a new Wi-Fi network, the infected device enumerates all non-hidden devices that are connected to it. Using a second password list, the malware then tries to guess credentials for each user connected to the drive. In the event that no connected users are infected, the malware tries to guess the password for the administrator of the shared resource.

"With this newly discovered loader-type used by Emotet, a new threat vector is introduced to Emotet's capabilities," researchers from security firm Binary Defense wrote in a recently published post. "Previously thought to only spread through malspam and infected networks, Emotet can use this loader-type to spread through nearby wireless networks if the networks use insecure passwords." The Binary Defense post said the new Wi-Fi spreader has a timestamp of April 2018 and was first submitted to the VirusTotal malware search engine a month later. While the module was created almost two years ago, Binary Defense didn't observe it being used in the wild until last month.

An anonymous reader quotes a report from Ars Technica: Internet routers running the Tomato alternative firmware are under active attack by a self-propagating exploit that searches for devices using default credentials. When credentials are found, the exploit then makes the routers part of a botnet that's used in a host of online attacks, researchers said on Tuesday. The Muhstik botnet came to light about two years ago when it started unleashed a string of exploits that attacked Linux servers and Internet-of-things devices. It opportunistically exploited a host of vulnerabilities, including the so-called critical Drupalgeddon2 vulnerability disclosed in early 2018 in the Drupal content management system. Muhstik has also been caught using vulnerabilities in routers that use Gigabit Passive Optical Network (GPON) or DD-WRT software. The botnet has also exploited previously patched vulnerabilities in other server applications, including the Webdav, WebLogic, Webuzo, and WordPress.

On Tuesday, researchers from Palo Alto Networks said they recently detected Muhstik targeting Internet routers running Tomato, an open-source package that serves as an alternative to firmware that ships by default with routers running Broadcom chips. The ability to work with virtual private networks and provide advanced quality of service control make Tomato popular with end users and in some cases router sellers. The exploits use already infected devices to scan the Internet for Tomato routers and, when found, to check if they use the default username and password of "admin:admin" or "root:admin" for remote administration. The exploit causes Tomato routers that haven't been locked down with a strong password to join an IRC server that's used to control the botnet. The infection also causes the routers to scan the Internet for servers or devices running WordPress, Webuzo, or WebLogic packages that are vulnerable.

Dutch police have taken down this week a bulletproof hosting provider that has sheltered tens of IoT botnets that have been responsible for hundreds of thousands of DDoS attacks around the world, ZDNet reports. From the report: Servers were seized, and two men were arrested yesterday at the offices of KV Solutions BV (KV hereinafter), a so-called bulletproof hosting provider, a term used to describe web hosting providers that ignore abuse reports and allow cybercrime operations to operate on their servers. For two years, the company has provided hosting infrastructure to internet criminals, and has been one of the most serious offender at that, hosting all sorts of badies, from phishing pages to vulnerability scanners, and from crypto-mining operations to malware repositories. But above all, the company has made a reputation in cyber-security circles for being a hotspot for DDoS botnets, with cyber-criminals renting KV servers to host their bot scanners, malware, and command-and-control (C&C) servers, knowing they'd be safe from "harm."

An anonymous reader quotes a report from Ars Technica: If you've noticed an uptick of spam that addresses you by name or quotes real emails you've sent or received in the past, you can probably blame Emotet. It's one of the world's most costly and destructive botnets -- and it just returned from a four-month hiatus. A post published on Tuesday by researchers from Cisco's Talos security team helps explain how Emotet continues to threaten so many of its targets.

Spam sent by Emotet often appears to come from a person the target has corresponded with in the past and quotes the bodies of previous email threads the two have participated in. Emotet gets this information by raiding the contact lists and email inboxes of infected computers. The botnet then sends a follow-up email to one or more of the same participants and quotes the body of the previous email. It then adds a malicious attachment. The result: malicious messages that are hard for both humans and spam filters to detect. The use of previously sent emails isn't new, since Emotet did the same thing before it went silent in early June. But with its return this week, the botnet is relying on the trick much more. About 25% of spam messages Emotet sent this week include previously sent emails, compared with about 8% of spam messages sent in April. "To make sending the spam easier, Emotet also steals the usernames and passwords for outgoing email servers," the report adds. "Those passwords are then turned over to infected machines that Emotet control servers have designated as spam emitters. The Talos researchers found almost 203,000 unique pairs that were collected over a 10-month period."

Malwarebytes says Emotet has brought back another tactic where it refers to targets by name in subject lines. "Once opened, the documents attached to the emails claim that, effective September 20, 2019, users can only read the contents after they have agreed to a licensing agreement for Microsoft Word," reports Ars Technica. "And to do that, according to a post from security firm Cofense, users must click on an Enable Content button that turns on macros in Word."

"After Office macros are enabled, Emotet executables are downloaded from one of five different payload locations," Cofense researchers Alan Rainer and Max Gannon wrote. "When run, these executables launch a service that looks for other computers on the network. Emotet then downloads an updated binary and proceeds to fetch TrickBot if a (currently undetermined) criteria of geographical location and organization are met."