Security

Exposed RDP Servers See 150K Brute-Force Attempts Per Week (techrepublic.com) 51

Slashdot reader Cameyo shares a report from TechRepublic: Remote Desktop Protocol (RDP) is -- to the frustration of security professionals -- both remarkably insecure and indispensable in enterprise computing. The September 2019 Patch Tuesday round closed two remote code execution bugs in RDP, while the high-profile BlueKeep and DejaBlue vulnerabilities from earlier this year have sent IT professionals into a patching frenzy. With botnets brute-forcing over 1.5 million RDP servers worldwide, a dedicated RDP security tool is needed to protect enterprise networks against security breaches. Cameyo released on Wednesday an open-source RDP monitoring tool -- appropriately titled RDPmon -- for enterprises to identify and secure against RDP attacks in their environment. The tool provides a visualization of the total number of attempted RDP connections to servers, as well as a view of the currently running applications, the number of RDP users, and what programs those users are running, likewise providing insight into the existence of unapproved software. RDPmon operates entirely on-premises; the program data is not accessible to Cameyo.

Customers of Cameyo's paid platform can also utilize the RDP Port Shield feature, also released Wednesday, which opens RDP ports for authenticated users by setting IP address whitelists in Windows Firewall when users need to connect. RDP was designed with the intent to be run inside private networks, not accessible over the internet. Despite that, enterprise use of RDP over the internet is sufficiently widespread that RDP servers are a high-profile, attractive target for hackers.
The report says Cameyo found that Windows public cloud machines on default settings -- that is, with port 3389 open -- experience more than 150,000 login attempts per week.
China

Hong Kong Protester Forum Says Some DDoS Attacks Came From China (bloomberg.com) 58

An online service used by Hong Kong demonstrators said a large digital attack that knocked out its servers briefly over the weekend was unprecedented and originated in some cases from websites in China. From a report: LIHKG, a forum that's been used for organizing mass rallies in Hong Kong, posted a statement online after it was the target of what's known as a distributed denial of service, or DDoS, attack, or a flood of traffic that disables a site by overwhelming its computers. Total requests to the site hit 1.5 billion and unique visitors surged to 6.5 million per hour, the group said. "We have reasons to believe that there is a power, or even a national level power behind to organize such attacks as botnet from all over the world were manipulated in launching this attack," the statement read.

The Hong Kong protests began in June over a bill allowing extraditions to mainland China and have evolved into a wider push against Beijing's expanding control over the city. Participants, often under the controversial slogan "Liberate Hong Kong; revolution of our times," have used digital services like LIHKG and Telegram to organize secretly. Digital Attack Map, which provides information on daily cyber attacks around the world, showed the financial hub at the heart of a DDoS attack in recent days, as protesters clashed with police.

Botnet

Police Hijack a Botnet and Remotely Kill 850,000 Malware Infections (techcrunch.com) 31

In a rare feat, French police have hijacked and neutralized a massive cryptocurrency mining botnet controlling close to a million infected computers. From a report: The notorious Retadup malware infects computers and starts mining cryptocurrency by sapping power from a computer's processor. Although the malware was used to generate money, the malware operators easily could have run other malicious code, like spyware or ransomware. The malware also has wormable properties, allowing it to spread from computer to computer. Since its first appearance, the cryptocurrency mining malware has spread across the world, including the U.S., Russia, and Central and South America. According to a blog post announcing the bust, security firm Avast confirmed the operation was successful. The security firm got involved after it discovered a design flaw in the malware's command and control server. That flaw, if properly exploited, would have "allowed us to remove the malware from its victims' computers" without pushing any code to victims' computers, the researchers said.
Botnet

Cops Hijack Botnet, Remotely Wipe Malware From 850,000 Computers (vice.com) 79

French police, with help from an antivirus firm, took control of a server that was used by cybercriminals to spread a worm programmed to mine cryptocurrency from more than 850,000 computers. Once in control of the server, the police remotely removed the malware from those computers. Motherboard reports: Antivirus firm Avast, which helped France's National Gendarmerie cybercrime center, announced the operation on Wednesday. Avast said that they found that the command and control server, which was located in France, had a design flaw in its protocol that made it possible to remove the malware without "making the victims execute any extra code," as the company explained in its lengthy report.

Cybersecurity firms such as Avast, as well as Trend Micro, had been tracking the worm, called Retadup, since last spring. Most of the infected computers were used by the malware authors to mine the cryptocurrency Monero, but in some cases it was also used to push ransomware and password-stealing malware, according to Avast. As the antivirus firm reported, most Retadup victims were in South America, with Peru, Venezuela, Bolivia and Mexico at the top of the list.

Botnet

Large 'GoldBrute' RDP Botnet Hunts For Exposed Servers With Weak Passwords (sans.edu) 16

The Internet Storm Center reports: RDP, the remote desktop protocol, made the news recently after Microsoft patched a critical remote code execution vulnerability (CVE-2019-0708). While the reporting around this "Bluekeep" vulnerability focused on patching vulnerable servers, exposing RDP to the Internet has never been a good idea. Botnets have been scanning for these servers and are using weak and reused passwords to gain access to them.

The latest example of such a botnet is an ongoing malicious campaign we are referring to as "GoldBrute". This botnet is currently brute-forcing a list of about 1.5 million RDP servers exposed to the Internet... Each bot will only try one particular username and password per target. This is possibly a strategy to fly under the radar of security tools as each authentication attempt comes from different addresses.

Long-time Slashdot reader UnderAttack writes: Infected systems will retrieve target lists from the command and control server and attempt to brute force credentials against the list, while at the same time looking for more exposed servers. With all the attention spent on patching RDP servers for the recent "BlueKeep" vulnerability, users should also make sure to just not expose RDP in the first place. Even patched, it will still be susceptible to brute forcing.
Security

Advanced Linux Backdoor Found In the Wild Escaped AV Detection (arstechnica.com) 50

Researchers have discovered an advanced piece of Linux malware that has escaped detection by antivirus products and appears to be actively used in targeted attacks. Ars Technica reports: HiddenWasp, as the malware has been dubbed, is a fully developed suite of malware that includes a trojan, rootkit, and initial deployment script, researchers at security firm Intezer reported on Wednesday. At the time Intezer's post went live, the VirusTotal malware service indicated HiddenWasp wasn't detected by any of the 59 antivirus engines it tracks, although some have now begun to flag it. Time stamps in one of the 10 files Intezer analyzed indicated it was created last month. The command and control server that infected computers report to remained operational at the time this article was being prepared.

Some of the evidence analyzed -- including code showing that the computers it infects are already compromised by the same attackers -- indicated that HiddenWasp is likely a later stage of malware that gets served to targets of interest who have already been infected by an earlier stage. It's not clear how many computers have been infected or how any earlier related stages get installed. With the ability to download and execute code, upload files, and perform a variety of other commands, the purpose of the malware appears to be to remotely control the computers it infects. That's different from most Linux malware, which exists to perform denial of service attacks or mine cryptocurrencies.
Some of the code appears to be borrowed from Mirai, while other code has similarities to other established projects or malware including the Azazel rootkit, the ChinaZ Elknot implant, and the recently discovered Linux variant of Winnti, a family of malware that previously had been seen targeting only Windows.
Botnet

Bad Bots Now Make Up 20 Percent of Web Traffic (zdnet.com) 32

So-called "bad bots," tasked with performing denial-of-service (DoS) attacks or other malicious activities like automatically publishing fake content or reviews, are estimated to make up roughly 37.9 percent of all internet traffic. "In 2018, one in five website requests -- 20.4 percent -- of traffic was generated by bad bots alone," reports ZDNet, citing Distil Networks' latest bot report, "Bad Bot Report 2019: The Bot Arms Race Continues." From the report: According to Distil Networks' latest bot report, the financial sector is the main target for such activity, followed by ticketing, the education sector, government websites, and gambling. Based on the analysis of hundreds of billions of bad bot requests over 2018, simple bots, which are easy to detect and defend against, accounted for 26.4 percent of bad bot traffic. Meanwhile, 52.5 percent came from those considered to be "moderately" sophisticated, equipped with the capability to use headless browser software as well as JavaScript to conduct illicit activities.

A total of 73.6 percent of bad bots are classified as Advanced Persistent Bots (APBs), which are able to cycle through random IP addresses, switch their digital identities, and mimic human behavior. Amazon is the leading ISP for bad bot traffic origins. In total, 18 percent of bad bot traffic came from the firm's services, a jump from 10.62 percent in 2017. Almost 50 percent of bad bots use Google Chrome as their user agent and 73.6 percent of bad bot traffic was recorded as originating from data centers, down from 82.7 percent in 2017. The United States outstrips all other countries as a generator of bad bots. In total, 53.4 percent of bad bot traffic came from the US, followed by the Netherlands and China. The most blocked country by IP is Russia, together with Ukraine and India.

Crime

The Rise and Fall of the Bayrob Malware Gang (zdnet.com) 54

Three Romanians ran a complicated online fraud operation -- along with a massive malware botnet -- for nine years, reports ZDNet, netting tens of millions of US dollars. Their crime spree is now over, and they're all facing long prison sentences.

"The three were arrested in late 2016 after the FBI and Symantec had silently stalked their malware servers for years, patiently waiting for the highly skilled group to make mistakes that would leave enough of a breadcrumb trail to follow back to their real identities."

An anonymous Slashdot reader writes: The group started from simple eBay scams [involving non-existent cars and even a fake trucking company] to running one of the most widespread keylogger trojans around. They were considered one of the most advanced groups around, using PGP email and OTR encryption when most hackers were defacing sites under the Anonymous moniker, and using multiple proxy layers to protect their infrastructure. The group operated tens of fake websites, including a Yahoo subsidiary clone, conned and stole money from their own money mules, and were among the first groups to deploy Bitcoin crypto-mining malware on desktops, when Bitcoin could still be mined on PCs.

The Bayrob group was led by one of Romania's top IT students, who went to the dark side and helped create a malware operation that took nine years for US authorities and the FBI to track and eventually take down. Before turning hacker, he was the coach of Romania's national computer science team, although he was still a student, and won numerous awards in programming and CS contests.

Botnet

New Variants of Mirai Botnet Detected, Targeting More IoT Devices (arstechnica.com) 36

An anonymous reader quotes a report from Ars Technica: Mirai, the "botnet" malware that was responsible for a string of massive distributed denial of service (DDoS) attacks in 2016 -- including one against the website of security reporter Brian Krebs -- has gotten a number of recent updates. Now, developers using the widely distributed "open" source code of the original have added a raft of new devices to their potential bot armies by compiling the code for four more microprocessors commonly used in embedded systems.

Researchers at Palo Alto Networks' Unit 42 security research unit have published details of new samples of the Mirai botnet discovered in late February. The new versions of the botnet malware targeted Altera Nios II, OpenRISC, Tensilica Xtensa, and Xilinx MicroBlaze processors. These processors are used on a wide range of embedded systems, including routers, networked sensors, base band radios for cellular communications and digital signal processors. The new variants also include a modified encryption algorithm for botnet communications and a new version of the original Mirai TCP SYN denial-of-service attack. Based on the signature of the new attack option, Unit 42 researchers were able to trace activity of the variants back as far as November 2018.

Botnet

New Mirai Malware Variant Targets Signage TVs and Presentation Systems (zdnet.com) 21

An anonymous reader quotes a report from ZDNet: Security researchers have spotted a new variant of the Mirai IoT malware in the wild targeting two new classes of devices -- smart signage TVs and wireless presentation systems. This new strain is being used by a new IoT botnet that security researchers from Palo Alto Networks spotted earlier this year. The botnet's author(s) appear to have invested quite a lot of their time in upgrading older versions of the Mirai malware with new exploits. Palo Alto Networks researchers say this new Mirai botnet uses 27 exploits, 11 of which are new to Mirai altogether, to break into smart IoT devices and networking equipment. Furthermore, the botnet operator has also expanded Mirai's built-in list of default credentials that the malware uses to break into devices that use default passwords. Four new username and password combos have been added to Mirai's considerable list of default creds, researchers said in a report published earlier today.

The purpose and modus operandi of this new Mirai botnet are the same as all the previous botnets. Infected devices scan the internet for other IoT devices with exposed Telnet ports and use the default credentials (from their internal lists) to break in and take over these new devices. The infected bots also scan the internet for specific device types and then attempt to use one of the 27 exploits to take over unpatched systems.
The new Mirai botnet is specifically targeting LG Supersign signage TVs and WePresent WiPG-1000 wireless presentation systems.
Programming

Researchers Uncover Ring of GitHub Accounts Promoting 300+ Backdoored Apps (zdnet.com) 54

An anonymous reader writes: A security researcher has uncovered a ring of malicious GitHub accounts promoting over 300 backdoored Windows, Mac, and Linux applications and software libraries. The malicious apps contained code to gain boot persistence on infected systems and later download other malicious code -- which appeared to be a "sneaker bot," a piece of malware that would add infected systems to a botnet that would later participate in online auctions for limited edition sneakers.

All the GitHub accounts that were hosting these files -- backdoored versions of legitimate apps -- have now been taken down. One account, in particular, registered in the name of Andrew Dunkins, hosted 305 backdoored ELF binaries. Another 73 apps were hosted across 88 other accounts.

Botnet

Qbot Malware Resurfaces In New Attack Against Businesses (csoonline.com) 120

itwbennett writes: Security researchers at Varonis have uncovered a new attack using a new version of the venerable Qbot malware that "creates scheduled tasks and adds entries to the system registry to achieve persistence," writes Lucian Constantin, reporting on the attack for CSO. "The malware then starts recording all keystrokes typed by users, steals credentials and authentication cookies saved inside browsers, and injects malicious code into other processes to search for and steal financial-related text strings." The researchers "found logs showing 2,726 unique victim IP addresses," writes Constantin, but because "computers inside an organization typically access the internet through a shared IP address, the researchers believe the number of individually infected systems to be much larger." The malware first appeared in 2009 and was found to be uploading 2GB of stolen confidential information to its FTP servers each week by April 2010 from private and public sector computers, including 1,100 on the NHS network in the UK. A modified version of the malware resurfaced in April 2016 that was believed to have infected more than 54,000 PCs in thousands of organizations around the world. As Varonis now reports, Qbot is making yet another comeback.
Botnet

We'll Likely See a Rise in Internet Blackouts in 2019 (newamerica.org) 58

We'll likely see a rise in internet blackouts in 2019, for two reasons: countries deliberately "turning off" the internet within their borders, and hackers disrupting segments of the internet with distributed denial-of-service (DDoS) attacks. Above all, both will force policymakers everywhere to reckon with the fact that the internet itself is increasingly becoming centralized -- and therefore increasingly vulnerable to manipulation, making everyone less safe. From a report: The first method -- states deliberately severing internet connections within their country -- has an important history. In 2004, the Maldivian government caused an internet blackout when citizens protested the president; Nepal similarly caused a blackout shortly thereafter. In 2007, the Burmese government apparently damaged an underwater internet cable in order to "staunch the flow of pictures and messages from protesters reaching the outside world." In 2011, Egypt cut most internet and cell services within its borders as the government attempted to quell protests against then-President Hosni Mubarak; Libya then did the same after its own unrest.

In 2014, Syria had a major internet outage amid its civil war. In 2018, Mauritania was taken entirely offline for two days when undersea submarine internet cables were cut, around the same time as the Sierra Leone government may have imposed an internet blackout in the same region. When we think about terms like "cyberspace" and "internet," it can be tempting to associate them with vague notions of a digital world we can't touch. And while this is perhaps useful in some contexts, this line of thinking forgets the very real wires, servers, and other hardware that form the architecture of the internet. If these physical elements cease to function, from a cut wire to a storm-damaged server farm, the internet, too, is affected. More than that, if a single entity controls -- or can at least access -- that hardware for a region or even an entire country, government-caused internet blackouts are a tempting method of censorship and social control.

Twitter

Do Social Media Bots Have a Right To Free Speech? (thebulletin.org) 170

One study found that 66% of tweets with links were posted by "suspected bots" -- with an even higher percentage for certain kinds of content. Now a new California law will require bots to disclose that they are bots.

But does that violate the bots' freedom of speech, asks Laurent Sacharoff, a law professor at the University of Arkansas. "Even though bots are abstract entities, we might think of them as having free speech rights to the extent that they are promoting or promulgating useful information for the rest of us," Sacharoff says. "That's one theory of why a bot would have a First Amendment free speech right, almost independent of its creators." Alternatively, the bots could just be viewed as direct extensions of their human creators. In either case -- whether because of an independent right to free speech or because of a human creator's right -- Sacharoff says, "you can get to one or another nature of bots having some kind of free speech right."

In previous Bulletin coverage, the author of the new California law dismisses the idea that the law violates free speech rights. State Sen. Robert Hertzberg says anonymous marketing and electioneering bots are committing fraud. "My point is, you can say whatever the heck you want," Hertzberg says. "I don't want to control one bit of the content of what's being said. Zero, zero, zero, zero, zero, zero. All I want is for the person who has to hear the content to know it comes from a computer. To me, that's a fraud element versus a free speech element."

Sacharoff believes that the issue of bots and their potential First Amendment rights may one day have its day in court. Campaigns, he says, will find that bots are helpful and that their "usefulness derives from the fact that they don't have to disclose that they're bots. If some account is retweeting something, if they have to say, 'I'm a bot' every time, then it's less effective. So sure I can see some campaign seeking a declaratory judgment that the law is invalid," he says. "Ditto, I guess, [for] selling stuff on the commercial side."

Advertising

How Much Internet Traffic Is Fake? Turns Out, a Lot of It, Actually. (nymag.com) 130

Long-time Slashdot reader AmiMoJo shared this article from New York magazine: In late November, the Justice Department unsealed indictments against eight people accused of fleecing advertisers of $36 million in two of the largest digital ad-fraud operations ever uncovered... Hucksters infected 1.7 million computers with malware that remotely directed traffic to "spoofed" websites.... [B]ots "faked clicks, mouse movements, and social network login information to masquerade as engaged human consumers." Some were sent to browse the internet to gather tracking cookies from other websites, just as a human visitor would have done through regular behavior. Fake people with fake cookies and fake social-media accounts, fake-moving their fake cursors, fake-clicking on fake websites -- the fraudsters had essentially created a simulacrum of the internet, where the only real things were the ads.

How much of the internet is fake? Studies generally suggest that, year after year, less than 60 percent of web traffic is human; some years, according to some researchers, a healthy majority of it is bot. For a period of time in 2013, the Times reported this year, a full half of YouTube traffic was "bots masquerading as people," a portion so high that employees feared an inflection point after which YouTube's systems for detecting fraudulent traffic would begin to regard bot traffic as real and human traffic as fake. They called this hypothetical event "the Inversion...."

[N]ot even Facebook, the world's greatest data-gathering organization, seems able to produce genuine figures. In October, small advertisers filed suit against the social-media giant, accusing it of covering up, for a year, its significant overstatements of the time users spent watching videos on the platform (by 60 to 80 percent, Facebook says; by 150 to 900 percent, the plaintiffs say). According to an exhaustive list at MarketingLand, over the past two years Facebook has admitted to misreporting the reach of posts on Facebook Pages (in two different ways), the rate at which viewers complete ad videos, the average time spent reading its "Instant Articles," the amount of referral traffic from Facebook to external websites, the number of views that videos received via Facebook's mobile site, and the number of video views in Instant Articles.

On Twitter the author also shared a Twitter thread by the Washington Post's director of advertising technology, who shares his own complaints about the ecosystem of online advertising. "The problem isn't just that the internet is full of fakery and bullshit and bad numbers and malfunctioning metrics and bullshitters and fraudsters. The problem is that all the fake shit is layered on top of other fake shit and it just COMPOUNDS itself... Like you get fake users, who get autoplay videos which no one is really watching....

"That's not even counting the entire ad campaigns that are fake where the product is just a bullshit excuse to collect data on you."
Security

ESET Discovers 21 New Linux Malware Families (zdnet.com) 67

In a report published last week by cyber-security firm ESET, the company detailed 21 "new" Linux malware families. All operate in the same manner, as trojanized versions of the OpenSSH client. From a report: They are developed as second-stage tools to be deployed in more complex "botnet" schemes. Attackers would compromise a Linux system, usually a server, and then replace the legitimate OpenSSH installation with one of the trojanized versions.
Botnet

A 100,000-Router Botnet Is Feeding On a 5-Year-Old UPnP Bug In Broadcom Chips (arstechnica.com) 39

An anonymous reader quotes a report from Ars Technica: A recently discovered botnet has taken control of an eye-popping 100,000 home and small-office routers made by a range of manufacturers, mainly by exploiting a critical vulnerability that has remained unaddressed on infected devices more than five years after it came to light. Researchers from Netlab 360, who reported the mass infection late last week, have dubbed the botnet BCMUPnP_Hunter. The name is a reference to a buggy implementation of the Universal Plug and Play protocol built into Broadcom chipsets used in vulnerable devices. An advisory released in January 2013 warned that the critical flaw affected routers from a raft of manufacturers, including Broadcom, Asus, Cisco, TP-Link, Zyxel, D-Link, Netgear, and US Robotics. The finding from Netlab 360 suggests that many vulnerable devices were allowed to run without ever being patched or locked down through other means. Last week's report documents 116 different types of devices that make up the botnet from a diverse group of manufacturers. Once under the attackers' control, the routers connect to a variety of well-known email services. This is a strong indication that the infected devices are being used to send spam or other types of malicious mail.
Security

A Mysterious Grey-Hat Is Patching People's Outdated MikroTik Routers (zdnet.com) 74

An anonymous reader quotes a report from ZDNet: A Russian-speaking grey-hat hacker is breaking into people's MikroTik routers and patching devices so they can't be abused by cryptojackers, botnet herders, or other cyber-criminals, ZDNet has learned. The hacker, who goes by the name of Alexey and says he works as a server administrator, claims to have disinfected over 100,000 MikroTik routers already. "I added firewall rules that blocked access to the router from outside the local network," Alexey said. "In the comments, I wrote information about the vulnerability and left the address of the @router_os Telegram channel, where it was possible for them to ask questions." But despite adjusting firewall settings for over 100,000 users, Alexey says that only 50 users reached out via Telegram. A few said "thanks," but most were outraged. The vigilante server administrator says he's been only fixing routers that have not been patched by their owners against a MikroTik vulnerability that came to light in late April.
Privacy

Over Nine Million Cameras and DVRs Open To APTs, Botnet Herders, and Voyeurs (zdnet.com) 34

Millions of security cameras, DVRs, and NVRs contain vulnerabilities that can allow a remote attacker to take over devices with little effort, security researchers have revealed today. From a report: All vulnerable devices have been manufactured by Hangzhou Xiongmai Technology Co., Ltd. (Xiongmai hereinafter), a Chinese company based in the city of Hangzhou. But end users won't be able to tell that they're using a hackable device because the company doesn't sell any products with its name on them, but ships all equipment as white label products on which other companies put their logo on top. Security researchers from EU-based SEC Consult say they've identified over 100 companies that buy and re-brand Xiongmai devices as their own. All of these devices are vulnerable to easy hacks, researchers say. The source of all vulnerabilities is a feature found in all devices named the "XMEye P2P Cloud." The XMEye P2P Cloud works by creating a tunnel between a customer's device and an XMEye cloud account. Device owners can access this account via their browser or via a mobile app to view device video feeds in real time. SEC Consult researchers say that these XMEye cloud accounts have not been sufficiently protected. For starters, an attacker can guess account IDs because they've been based on devices' sequential physical addresses (MACs). Second, all new XMEye accounts use a default admin username of "admin" with no password.
Security

Hacked Water Heaters Could Trigger Mass Blackouts Someday (wired.com) 175

At the Usenix Security conference this week, a group of Princeton University security researchers will present a study that considers a little-examined question in power grid cybersecurity: What if hackers attacked not the supply side of the power grid, but the demand side? From a report: In a series of simulations, the researchers imagined what might happen if hackers controlled a botnet composed of thousands of silently hacked consumer internet of things devices, particularly power-hungry ones like air conditioners, water heaters, and space heaters. Then they ran a series of software simulations to see how many of those devices an attacker would need to simultaneously hijack to disrupt the stability of the power grid. Their answers point to a disturbing, if not quite yet practical scenario: In a power network large enough to serve an area of 38 million people -- a population roughly equal to Canada or California -- the researchers estimate that just a one percent bump in demand might be enough to take down the majority of the grid. That demand increase could be created by a botnet as small as a few tens of thousands of hacked electric water heaters or a couple hundred thousand air conditioners. "Power grids are stable as long as supply is equal to demand," says Saleh Soltan, a researcher in Princeton's Department of Electrical Engineering, who led the study. "If you have a very large botnet of IoT devices, you can really manipulate the demand, changing it abruptly, any time you want."
