And yet, another week has passed by. This means we should all be excited for Hacker News! Here’s your next list of curated content, just for today. Hope you all enjoy it!
Cheers,
William from Hacker News
General News for the Week
Threat Group Takes Aim Again at Cloud Platform Provider Zoho
State-backed adversaries expanded attacks against cloud platform company Zoho and its ManageEngine ServiceDesk Plus software, a help desk and asset management solution. A recent campaign marks an uptick in attacks against the firm’s platform, which have also included past targeting of Zoho’s ADSelfService Plus.
This most recent campaign, reported by Palo Alto Networks Unit 42 this week, dovetails with warnings issued in September by the FBI, CISA and the U.S. Coast Guard Cyber Command (CGCYBER) of similar attacks. That targeting included an unspecified APT exploiting a then-zero-day vulnerability in Zoho’s password management solution, ADSelfService Plus.
New Malvertising Campaigns Spreading Backdoors, Malicious Chrome Extensions
A series of malicious campaigns have been leveraging fake installers of popular apps and games such as Viber, WeChat, NoxPlayer, and Battlefield as a lure to trick users into downloading a new backdoor and an undocumented malicious Google Chrome extension with the goal of stealing credentials and data stored in the compromised systems as well as maintaining persistent remote access.
…
The attacks are believed to have commenced in late 2018, with intermittent activity observed towards the end of 2019 and through early 2020, followed by fresh spikes since April 2021, while mainly singling out users in Canada, followed by the U.S., Australia, Italy, Spain, and Norway.
Russian Man Gets 60 Months Jail for Providing Bulletproof Hosting to Cyber Criminals
A Russian national charged with providing bulletproof hosting services for cybercriminals, who used the platform to spread malware and attack U.S. organizations and financial institutions between 2009 and 2015, has received a 60-month prison sentence.
34-year-old Aleksandr Grichishkin, along with Andrei Skvortsov, founded the bulletproof hosting service and rented its infrastructure to other criminal clientele for distributing a wide range of malware and attempted to cause millions of dollars in losses to U.S. victims.
Bulletproof hosting operations are similar to regular web hosting, but are a lot more lenient about what can be hosted on their servers. They are known for providing secure hosting for malicious content and activity and assuring anonymity to threat actors.
Breaches and Leaks of the Week
AT&T Takes Steps to Mitigate Botnet Found Inside Its Network
AT&T is taking action to take down a botnet that had set up shop inside its network, infecting 5,700 VoIP servers that route traffic from enterprise customers to upstream mobile providers.
Researchers from Netlab, a network security division of Chinese tech giant Qihoo 360, first discovered what they characterized as a “brand-new botnet” attacking Edgewater Networks devices, using a vulnerability in EdgeMarc Enterprise Session Border Controllers, tracked as CVE-2017-6079. Attackers had accessed vulnerable servers to install a modular malware strain that the researchers dubbed “EwDoor,” according to a report published earlier this week.
Attacks of the Week
Finland Faces Blizzard of FluBot-Spreading Text Messages
The Flubot banking trojan is blanketing Finland, spreading via Android phones that are sending millions of malicious text messages.
On Friday, the National Cyber Security Centre (NCSC-FI) at the Finnish Transport and Communications Agency posted a “severe” alert about the malware blizzard, which it said was spreading via dozens of message variants that are sneezing out Flubot like mad.
Once installed, Flubot sets about gaining permissions, stealing banking information and credentials, lifting passwords stored on the device and squirreling away various pieces of personal information. It also sends out additional text messages to the infected device’s contact list, which allows it to “go viral” — like the flu.
WIRTE Hacker Group Targets Government, Law, Financial Entities in the Middle East
Government, diplomatic entities, military organizations, law firms, and financial institutions primarily located in the Middle East have been targeted as part of a stealthy malware campaign as early as 2019 by making use of malicious Microsoft Excel and Word documents.
Russian cybersecurity company Kaspersky attributed the attacks with high confidence to a threat actor named WIRTE, adding that the intrusions involved "MS Excel droppers that use hidden spreadsheets and VBA macros to drop their first stage implant," which is a Visual Basic Script (VBS) with functionality to amass system information and execute arbitrary code sent by the attackers on the infected machine.
This Week’s Featured Tools
ZipExec
ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file. This zip file is then base64 encoded into a string that is rebuilt on disk. This encoded string is then loaded into a JScript file that when executed, would rebuild the password-protected zip file on disk and execute it.
This is done programmatically by using COM objects to access the GUI-based functions in Windows via the generated JScript loader, executing the loader inside the password-protected zip without having to unzip it first. By password protecting the zip file, it protects the binary from EDRs and disk-based or anti-malware scanning mechanisms.
ShonyDanza
A customizable, easy-to-navigate tool for researching, pen testing, and defending with the power of Shodan.
With ShonyDanza, you can:
Obtain IPs based on search criteria
Automatically exclude honeypots from the results based on your pre-configured thresholds
Pre-configure all IP searches to filter on your specified net range(s)
Pre-configure search limits
Use build-a-search to craft searches with easy building blocks
Use stock searches and pre-configure your own stock searches
Check if IPs are known malware C2s
Get host and domain profiles
Scan on-demand
Find exploits
Get total counts for searches and exploits
Automatically save exploit code, IP lists, host profiles, domain profiles, and scan results to directories within ShonyDanza
** Please keep in mind that this is a curated list of links to articles, not posts created by HN. We claim no ownership of any article discussed above.