Tag Archive for: servers

Androxgh0st Malware Compromises Servers Worldwide for Botnet Attack

/in


Veriti Research has discovered a surge in attacks from operators of the Androxgh0st malware family, uncovering over 600 servers compromised primarily in the U.S., India and Taiwan.

According to Veriti’s blog post, the adversary behind Androxgh0st had their C2 server exposed, which could allow for a counterstrike by revealing the impacted targets. The researchers then went on to alert the victims.

Further research revealed that Androxgh0st operators are exploiting multiple CVEs, including CVE-2021-3129 and CVE-2024-1709 to deploy a web shell on vulnerable servers, granting remote control capabilities. Moreover, evidence suggests active web shells associated with CVE-2019-2725

Androxgh0st Malware Compromises Servers Worldwide, Building Botnets for Attacks
Image: Veriti

Androxgh0st Threat Actor Ramps Up Activity

Hackread.com has been tracking Androxgh0st operations since was first noticed in December 2022. The malware operator is known for deploying Adhublika ransomware and was previously observed communicating with an IP address associated with the Adhublika group.

Androxgh0st operators prefer exploiting Laravel applications to steal credentials for cloud-based services like AWS, SendGrid, and Twilio. They exploit vulnerabilities in Apache web servers and PHP frameworks, deploying webshells for persistence. 

However. their recent focus seems to be building botnets to exploit more systems. Recently, the FBI and CISA issued a joint Cybersecurity Advisory (CSA) advisory, warning about Androxgh0st constructing a botnet to carry out credential theft and establish backdoor access. 

Last year, Cado Security Ltd. revealed the details of a Python-based credential harvester and a hacking tool called Legion, linked to the AndroxGh0st malware family. Legion is designed to exploit email services for abuse.

The Way Forward

Veriti’s research goes onto show the importance of proactive exposure management and threat intelligence in cyber security. Organizations must regularly update their security measures, including patch management for known vulnerabilities, strong web shell deployment monitoring, and behavioural analysis tools to prevent breaches and protect against similar vulnerabilities.

  1. Russian Hackers Hit…

Source…

‘Lucifer’ Botnet Turns Up the Heat on Apache Hadoop Servers

/in


A threat actor is targeting organizations running Apache Hadoop and Apache Druid big data technologies with a new version of the Lucifer botnet, a known malware tool that combines cryptojacking and distributed denial of service (DDoS) capabilities.

The campaign is a departure for the botnet, and an analysis this week from Aqua Nautilus suggests that its operators are testing new infection routines as a precursor to a broader campaign.

Lucifer is self-propagating malware that researchers at Palo Alto Networks first reported in May 2020. At the time, the company described the threat as dangerous hybrid malware that an attacker could use to enable DDoS attacks, or for dropping XMRig for mining Monero cryptocurrency. Palo Alto said it had observed attackers also using Lucifer to drop the NSA’s leaked EternalBlue, EternalRomance, and DoublePulsar malware and exploits on target systems.

“Lucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms,” Palo Alto had warned at the time.

Now, it’s back and targeting Apache servers. Researchers from Aqua Nautilus who have been monitoring the campaign said in a blog this week they had counted more than 3,000 unique attacks targeting the company’s Apache Hadoop, Apache Druid, and Apache Flink honeypots in just the last month alone.

Lucifer’s 3 Unique Attack Phases

The campaign has been ongoing for at least six months, during which time the attackers have been attempting to exploit known misconfigurations and vulnerabilities in the open source platforms to deliver their payload.

The campaign so far has been comprised of three distinct phases, which the researchers said is likely an indication that the adversary is testing defense evasion techniques before a full-scale attack.

“The campaign began targeting our honeypots in July,” says Nitzan Yaakov, security data analyst at Aqua Nautilus. “During our investigation, we observed the attacker updating techniques and methods to achieve the main goal of the attack — mining cryptocurrency.”

During the first stage of the new campaign, Aqua researchers observed the attackers scanning the Internet for…

Source…

Meris Botnet Sets Record with Massive DDoS Attacks Across Global Servers

/in


In a startling display of cyber force, the Meris botnet has successfully executed the largest DDoS (Distributed Denial of Service) attacks in history this summer, targeting a wide range of countries including the United States, Russia, New Zealand, and the United Kingdom. This malicious network, comprising over 250,000 devices, overwhelmed some of the most robust servers worldwide, marking a significant moment in cyber warfare.

Research conducted by the Russian search engine Yandex, alongside insights from DDoS mitigation service Qrator Labs, has unveiled that Meris is a new breed of botnet. Its capacity to generate an unprecedented 21.8 million requests per second (RPS) during an attack on Yandex on September 5 highlights its potential to cripple almost any infrastructure, including highly resilient networks.

Unprecedented Scale and Impact

The Meris botnet’s capability to launch attacks of such magnitude lies in its unique focus on the number of requests per second, a method that sets it apart from traditional DDoS attacks which generally aim to saturate servers with massive amounts of data. This strategy has enabled Meris to take down significant infrastructures, as evidenced by the disruption caused to major companies in New Zealand, including banks like ANZ and Kiwibank, NZ Post, MetService, and even the New Zealand Police.

Technical Sophistication

Unlike typical ‘Internet of Things’ (IoT) devices often associated with botnets, the devices commandeered by Meris are high-performance and likely connected via Ethernet, contributing to the botnet’s formidable power. This revelation, coupled with the attackers’ technique of rotating devices to avoid revealing their full capacity, complicates efforts to mitigate the botnet’s impact.

Global Response and Mitigation

The emergence of Meris has prompted a global response, with entities like Cloudflare and Yandex at the forefront of efforts to counteract the botnet’s attacks. The record-breaking assault on Yandex, which surpassed previous incidents attributed to the Mirai botnet, underscores the escalating challenge of safeguarding digital infrastructure against such sophisticated…

Source…

Update ConnectWise ScreenConnect Servers Or Take Offline As Ransomware Is Deployed

/in


‘It’s odd because now our work has shifted to not getting ahead of the vulnerability and understanding it and sharing the intel, it’s watching the internet burn and trying to respond and remediate the best we can. We’re watching the world burn,’ says John Hammond, principal security researcher at threat hunting firm Huntress.


The Cybersecurity and Infrastructure Security Agency (CISA) issued a notice Thursday that ConnectWise partners and end customers should pull the cord on all on-prem ScreenConnect servers if they cannot update to the latest version amid the ConnectWise ScreenConnect vulnerabilities that was reported early this week.

And exploits are already being seen in the wild.

“We’re seeing such a variety of different attempts,” John Hammond, principal security researcher at threat hunting firm Huntress, told CRN. “So many different threat actors are just taking advantage of these golden hours of exploitation.”

In a 30-page report released Friday, Ellicott City, Maryland-based Huntress has detected and kicked out active adversaries leveraging ScreenConnect access for post-exploitation. Exploits being deployed include ransomware, cryptocurrency coin miners, Cobalt Strike and additional remote access.

One company, UnitedHealth Group’s Change Healthcare, was experiencing slowdowns at pharmacies due to a strain of LockBit malware related to ScreenConnect vulnerabilities, according to a report on SC Magazine.

In an 8-K filing with the U.S. Securities and Exchange Commission on Wednesday, United Healthcare Group, the parent company of Change HealthCare, “identified a suspected nation-state associated cyber security threat actor had gained access to some of the Change Healthcare information technology system.

”During the disruption, certain networks and transactional services may not be accessible,” the filing stated.

[Related: Huntress On ‘Critical’ ConnectWise Vulnerabilities: ‘It Does Have A Certain Firestorm Potential’]

Source…