Thought leadership. threat analysis, news and alerts.
New Botnet Launches DDoS Attacks from Linux Computers
Researchers at SophosLabs have discovered a new botnet that launches a distributed denial-of-service (DDoS) attack from compromised Linux servers and IoT devices.
What is a DDoS Botnet?
A botnet is a collection of computers compromised by a malicious software (malware) and controlled as a group without the owners' knowledge to conduct illegal activities, including DDoS attacks.
In a DDoS attack, hijacked or compromised computers are controlled as a group to attack a particular target, for instance, to overwhelm a particular website with traffic to render the site inaccessible to legitimate users. By leveraging the use of a botnet, attackers can carry out large-scale DDoS attacks.
DDoS attacks don’t just target websites. They also target servers (web, email, DNS, file), web apps, banking, trading and e-commerce platforms, and VoIP systems.
Latest DDoS Botnet
SophosLabs researchers called the latest DDoS botnet that they’ve discovered “Chalubo”. The researchers said they first observed Chalubo in the wild in late August this year. On the 6th of September 2018, SophosLabs researchers said they first recorded how Chalubo works via a honeypot, a decoy computer system used in tracking new hacking methods.
According to the researchers, Chalubo attacks SSH servers, a software program used to remotely access Linux operating systems. There are currently a variety of Chalubo botnet versions for different processor architectures, including both 32- and 64-bit ARM, x86, x86_64, MIPS, MIPSEL and PowerPC.
Chalubo attackers gain access to a computer by using publicly known default and common username and password combinations. Once the attackers gain access to a computer, it issues commands that retrieve the Elknot, also known as Linux/BillGates malware, a notorious DDoS botnet family that runs on both Linux and Windows operating systems. Elknot, in turn, delivers the rest of the Chalubo botnet package.
This recently reported DDoS botnet incorporates the code of two other notorious DDoS botnets, the Mirai botnet and Xor.DDoS botnet.
In December last year, 3 college-age friends pleaded guilty for creating the Mirai botnet. According to the U.S. Department of Justice, the Mirai botnet, at its peak, consisted of hundreds of thousands of compromised IoT devices used to launch DDoS attacks.
Xor.DDoS botnet, meanwhile, was first observed in the wild in 2015. This botnet hijacks Linux computers for DDoS attacks. While Mirai uses 62 default username and password combinations to gain access to a computer or device, Xor.DDoS uses common or weak username and password combinations.
Chalubo, in particular, uses some of Mirai’s randomizing functions and what appears to be an extended form of the util_local_addr function. Chalubo also uses Xor.DDoS’ DelService & AddService functions, as well as Chalubo’s script gets dropped exactly in the same manner as Xor.DDoS. While Chalubo copies a few code snippets of Mirai and Xor.DDoS, it’s a different botnet taken as a whole, researchers at SophosLabs said.
“The majority of functional code in this bot is entirely new, with a focus on their own Lua handling for, primarily, performing DoS attacks with DNS, UDP, and SYN flavours,” SophosLabs researchers said. “The Lua script built into the bot is a basic control script for calling home to a C2 [command-and-control] server to inform the C2 about details of the infected machine.”
Chalubo’s Lua script communicates with the command-and-control server – a computer that’s controlled by attackers – to receive further instructions. The purpose of the script is to download, decrypt and then execute whatever the script finds.
Chalubo's main components, dropper (the Elknot), main bot and Lua script, are encrypted using the ChaCha stream cipher in an effort to prevent detection. SophosLabs researchers observed that Chalubo triggered the infected computer to conduct a DDoS attack against a single Chinese IP address over port 10100, without masking the local source IP.
According to SophosLabs researchers, the creator or creators of Chalubo botnet may be at the end of testing their botnet and we may see an increase in activity from this new botnet.
A DDoS botnet negatively impacts the hijacked computers. In a similar manner, a DDoS attack negatively impacts a target.
Here are a few signs that the computer in your organization may be a part of a botnet:
-Computer fan kicks into overdrive even when it’s idle
-It takes a long time to shut down the computer or it won’t shut down properly
-Computer programs and internet access are slow
Here are some security measures to prevent attackers from turning the computers in your organization as part of the Chalubo, Mirai or Xor.DDoS botnets:
-Change default and common username and password combinations as these botnets hunt computers using default and common or weak username and password combinations
-In the case of the Chalubo botnet, use SSH keys instead of passwords for logins
-Keep all your software up-to-date
On the part of the DDoS botnet target, a successful DDoS attack against a website, server, e-commerce platform or VoIP system negatively impacts the target’s reputation and damages existing client relationships.
DDoS botnets can be prevented from attacking online resources by regularly monitoring traffic and by conducting a DDoS testing – called in the cybersecurity field as penetration or pen testing.
By monitoring the traffic of your organization’s online resources, abnormal and suspicious traffic can be flagged early on. In DDoS testing, simulated DDoS attacks are conducted against the online resources of your organization to check if they can withstand real DDoS attacks.
Contact ustoday if you need assistance in preventing attackers from hijacking your organization’s computers as part of a DDoS botnet or if you want assistance in protecting your organization’s online resources from DDoS attacks.
Search Engines Blacklist Fewer Sites, Study Shows
A study conducted by SiteLock showed that search engines are blacklisting fewer sites.
Blacklisting happens when a search engine removes a website from its results due to the presence of a malicious software (malware).
In the second quarter of 2018, SiteLockanalyzed over 6 million websites through the use of malware scanners. SiteLock’s analysis showed that search engines like Google and Bing only blacklisted 17.5% of infected websites with malware in the second quarter of 2018, a 6% decrease from the previous year.
Prevalence of Website Malware
Website visitors and website owners alike rely on search engine warnings. On the part of website visitors, they rely on search engines to flag malicious websites that may leave them unprotected as they surf the web.
According to SiteLock, when website owners rely mainly on search engine warnings and outwardly facing symptoms, they may be missing malware that’s attacking their website visitors.
Even as search engines are blacklisting fewer sites, malicious websites aren’t getting fewer. SiteLock’s study showed that 9% or as many as 1.7 million websites have a major security vulnerability that could allow attackers to embed malware on them. The 3 most common security vulnerabilities on websites identified by SiteLock are SQL injection (SQLi), cross-site scripting (XSS) and cross-site request forgery (CSRF).
SQLi security vulnerability allows attackers to inject malicious database code into website text fields or forms. In an SQL injection attack, an attacker can gain full access to the website’s MySQL database, administrative back end or the entire website. MySQL refers to an open source management system that makes it convenient to add, access and manage content in a website's database.
XSS security vulnerability allows attackers to inject malicious code into a web form or web application. In a cross-site scripting attack, the web application is tricked into doing something that it isn’t supposed to do. CSRF, meanwhile, is often used with social engineering – tricking victims. In a cross-site request forgery attack, an attacker forces authenticated users to do unauthorized actions while logged into a vulnerable web application.
SiteLock’s sampled websites showed that 7.19% of sites have an SQLi vulnerability, 1.56% of sites have an XSS vulnerability and .19% of sites have a CSRF vulnerability.
SiteLock’s study also found that sampled websites experience an average of 58 attacks per day, with 1% of the sites infected with a malware. The study further found that website attacks are becoming increasingly sneaky and difficult to detect. An example of a symptomless attack on websites is the browser-based cryptojacking, which doubled (2%) in number compared to last year’s number (1%), according to SiteLock’s study. In browser-based cryptojacking, an attacker hijacks a browser to mine a cryptocurrency.
McAfee’s Blockchain Threat Reportshowed that nearly 30,000 websites host the Coinhive code for mining cryptocurrency with or without a user’s consent. This number, according to McAfee Labs, only accounts for non-obfuscated sites, which means that the actual number is likely much higher.
As it stands, Coinhive resides in a gray area of legitimacy. In an ideal world, both the website owner and website visitor must consent to Coinhive’s browser-based cryptocurrency mining.
A website owner or, in the case of a cyberattack, an attacker may embed the Coinhive code into a website. When a user visits a website with an embedded Coinhive code, the cryptocurrency called “Monero” is then mined from the user's browser using the computing power or CPU of the website visitor. As of October 21, 2018, the price of one Monero coin is $103.
When the Coinhive code is embedded into the website by a website owner, the cryptomining income goes to the website owner. When the Coinhive code is embedded by a cyberattacker, the cryptomining income goes to the attacker.
Coinhive code made its way to YouTube. In January this year, Trend Microdiscovered that attackers abused Google's DoubleClick ad platform, enabling the attackers to display ads on YouTube that contain the Coinhive code. YouTube visitors in select countries, including Japan, France, Taiwan, Italy and Spain were affected, with 80% of the affected visitor's CPU resource was used to mine the cryptocurrency Monero.
"Mining cryptocurrency through ads is a relatively new form of abuse that violates our policies and one that we’ve been monitoring actively,” a Google representative said in a statement. “We enforce our policies through a multi-layered detection system across our platforms which we update as new threats emerge. In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms.”
Check Pointranked 3 browser-based cryptocurrency mining scripts Coinhive (ranked #1), Crypto-Loot (ranked #2) and JSEcoin (ranked #4) as “February 2018’s Top 10 ‘Most Wanted’ Malware”.
Here are some of the security measures that need to be put in place in order to prevent attackers from installing malware into your website:
Use a Website Malware Scanner
A website malware scanner allows website owners to check their sites for web-based malware.
Keep All Website Applications Up-to-Date
Ensure that your web applications are up-to-date. Using outdated web applications with known security vulnerabilities can leave your website vulnerable to exploitation by cyberattackers.
Use Web Application Firewall (WAF)
Filtering web traffic via WAF is one of the measures in protecting your website from a successful cyberattack. Your traditional perimeter firewalls don’t protect your website.
Contact ustoday if you need assistance in protecting your website against cyberattacks.
Latest Phishing Campaign Attempts to Install Remcos Remote Access Tool into Victims' Computers
Thousands of Icelanders have been targeted in the latest phishing campaign that attempts to install the Remcos remote access tool into the victims' computers, this according to the recent report by Cyren.
While the actual victims may seem low, Cyren said, this could be the largest cyberattack to hit Iceland, a country with just close to 350,000 population.
Latest Phishing Attack Modus Operandi
Magni Reynir Sigurðsson, senior threat analyst at Cyren, reported that the phishing campaign targeting Icelanders, which has been observed since October 6th, begins with an email impersonating the Lögreglan – Icelandic police. The email requests the recipient to come to the police station for questioning. The email also threatens the recipient that an arrest warrant may be issued in case of non-compliance.
The attackers registered the domain name www[dot]logregian[dot]is. This domain name, on the first glance, is very similar to the official domain name of the Icelandic police www[dot]logreglan[dot]is. The only difference is that the “l” in the official site is changed to “i”. Buying this similarly named domain enables the attackers to send emails with sender address ending in “logregian[dot]is”, which on the first glance, closely resembles the emails from the official Icelandic police ending in “logreglan[dot]is”.
The link provided in the phishing email that purportedly leads to additional information about the case leads to the phishing site www[dot]logregian[dot]is that strikingly resembles the official site of the Icelandic police www[dot]logreglan[dot]is.
In the phishing site, the victim is asked to provide an Icelandic social security number. Unlike other phishing sites which can be fooled by entering wrong data, this phishing site knows whether the victim is entering the wrong social security number or not. When a wrong number is entered, an error alert is shown, and when the number entered is correct, this leads to a new phishing webpage that displays the victim's actual name. Sigurðsson hypothesized that the phishers used a database, containing Icelanders’ social security numbers and actual names, that was leaked years ago.
Being able to match the social security number with actual name further give credence to this phishing campaign. To give further credence to this campaign, the attackers ask the victim to enter the authentication number contained in the email that was sent to him.
Entering the authentication number leads the victim to another phishing webpage that automatically downloads a .rar file that purportedly contains additional document about the case. When this .rar file is extracted, a .scr file (Windows Screensaver) disguised as a Word document with file name “Boðun í skýrslutöku LRH 30 Óktóber.scr”, roughly translated to English as “Called in for questioning by the police on October 30th” is shown.
When this disguised Word document is executed, a file called “Yfirvold.exe” and “Yfirvold.vbs” are dropped into the victim's computer. Sigurðsson said that the Yfirvold.vbs file is placed in the Windows Startup folder so that in case the victim reboots his computer the .vbs script will execute Yfirvold.exe – a malware that uses the code and components from a known remote access tool called “REMCOS”.
What Is REMCOS?
REMCOS stands for Remote Control & Surveillance Software. This software is sold online by the company called “Breaking Security”. Remcos’ price ranges from €58 to €389. Buyers of Remcos can also pay using a variety of cryptocurrencies.
Breaking Security markets Remcos as a legitimate software that allows users to remotely control and monitor Windows operating system, from Windows XP and all versions thereafter, including server editions. In addition to selling Remcos, Breaking Security also offers Octopus Protector, keylogger and mass mailer. Octopus Protector encrypts a file laden with malware on the disk, allowing it to bypass several antivirus protections. Keylogger records and sends the keystrokes made on a computer, while a mass mailer sends large volumes of emails.
In the case of the phishing attack targeted against thousands of Icelanders, according to Sigurðsson, the Remcos that’s installed into the victims’ computers comes with keylogging capability, collecting input from the victims’ keyboards and storing them in logs and then uploading them to the command and controller servers controlled by the attackers. These servers, Sigurðsson said, are located in Germany and Holland.
The Remcos that’s installed into the victims’ computers in the Iceland phishing attack also comes with a fact checker that checks if the victims are accessing the largest online banks in Iceland. According to security researcher MalwareHunterTeam, this fact-checking capability is a selective keylogger feature of Remcos.
According to researchers at Cisco Talos, Remcos was also used to attack international news agencies, diesel equipment manufacturers operating within the maritime and energy sector, and HVAC service providers operating within the energy sector.
"Since Remcos is advertised and sold on numerous hacking-related forums, we believe it is likely that multiple unrelated actors are leveraging this malware in their attacks using a variety of different methods to infect systems,” researchers at Cisco Talos said.
Similar to the phishing attack targetting Icelanders, the cyberattacks mentioned by Cisco Talos started with a phishing email, purportedly coming from a government agency and comes with an attached document.
Embedded into the attached document is a small executable. “The extracted executable is simple and functions as the downloader for the Remcos malware,” Cisco Talos researchers said. “It is a very basic program and is used to retrieve Remcos from an attacker-controlled server and execute it, thus infecting the system.”
While the company behind Remcos claims that its software is meant for legitimate use, data in the wild, including the cyber incidents reported by Cyren and Cisco Talos demonstrate that Remcos is being used by malicious actors.
Remcos is a powerful remote access tool that’s being regularly modified to include new functionalities to remotely control and monitor any Windows operating system.
Make sure that your organization is implementing security measures to combat Remcos and another phishing modus operandi.
When you need help, we are a phone call away. Connect with ustoday and protect your business.
Difference Between Malware Outbreak and Ransomware Attack
Are malware outbreak and ransomware attack the same or are they totally different?
The Canadian restaurant chain Recipe Unlimited prefers using the phrase “malware outbreak” over the phrase “ransomware attack”. In a statementissued last October 1, Recipe Unlimited said that it has been experiencing a partial network outage as a result of a “malware outbreak” since September 28, this year. The company didn’t go into details what type of malicious software (malware) infected its IT system.
Recipe Unlimited, formerly Cara Operations, franchises and/or operates more than 1,000 restaurants across Canada, including Swiss Chalet, Montana's, East Side Mario's, Harvey's, St-Hubert, The Keg, Milestones, Kelseys Original Roadhouse, New York Fries, Prime Pubs, Bier Markt, Landing, Original Joe's, State & Main, Elephant & Castle, The Burger's Priest, The Pickle Barrel and 1909 Taverne Moderne.
To prevent further spread of the malware, Recipe Unlimited said it took precautionary measures such as taking a number of systems offline and suspending internet access to affected locations. These precautionary measures resulted in the temporary closure of some of Recipe Unlimited’s restaurants, while those open can only accept cash.
CBC, on the other hand, got hold of a screencap of the ransom note that appeared on the computer compromised by attackers in the Recipe Unlimited’s attack.
The ransom note states, “As soon as we get bitcoins you’ll get all your decrypted data back.” Regarding the actual ransom amount, the ransom note states, “Every day of delay will cost you additional +0.5 BTC [Bitcoin]”. As of October 4, 2018, the price of one Bitcoin hovers around $6,500. The ransom note also states that aside from decrypting all the encrypted data, the company will also "get instructions how to close the hole in security and how to avoid such problems in the future".
When contacted by CBC, the spokesperson of Recipe Unlimited denies that the company’s data is being held for ransom by attackers. "We maintain appropriate system and data security measures," Recipe Unlimited spokesperson told CBC. The spokesperson also told CBC that the ransom note is a "generic" statement associated with the malware called “Ryuk”. In its earlier statement, Recipe Unlimited said it conducts "regular system back-ups to enable us to restore impacted systems”.
What Is Ryuk?
Ryuk is categorized as a ransomware – a malware that encrypts or locks files in hundreds of computers in each infected company and asks for a ransom payment in exchange for the decryption key to unlock the locked files. This ransomware targets organizations that are capable of paying a lot of money.
Some of the victims paid exceptionally large ransom in order to retrieve their files. Back in August this year, Check Point researchers reported that Ryuk attackers earned over $640,000 from ransom payments paid in varying amount (ranging between 15 BTC to 50 BTC) from victims worldwide.
According to Check Point, the source code of Ryuk closely resembles the source code of another ransomware called “HERMES” – the malware used in the attack against the Far Eastern International Bank (FEIB) in Taiwan. In the FEIB attack, $60 million was stolen in a sophisticated SWIFT attack, though this amount was later retrieved.
The difference between HERMES ransomware and Ryuk ransomware, Check Point said, is that while HERMES ransomware was delivered to FEIB’s network as a diversion, Ryuk ransomware is "by no means just a side-show but rather the main act".
What Is a Malware Outbreak?
Malware outbreak refers to a large-scale malware attack that causes widespread damage and disruption to an organization and necessitates extensive recovery time and effort. Ryuk ransomware’s impact on its victims amounts to a malware outbreak.
Here are some measures in preventing a malware outbreak or ransomware attack, as well as some of the security best practices in handling such outbreak or attack:
Keep All Software Up-to-Date
Keep all your organization’s software up-to-date as cyberattackers are known to infiltrate networks using known software security vulnerabilities that are already patched by software vendors.
Practice Network Segmentation
Network segmentation refers to the practice of dividing a computer network into subnetworks. One of the advantages of network segmentation is that in case one subnetwork is infected by a malware, the other subnetworks won’t be infected.
Contain the Outbreak
It’s important to contain the outbreak. Many ransomware programs have a worm capability. This means that the ransomware has the ability to spread itself within networks without user interaction.
One of the effective means of containing the outbreak is by quickly disconnecting infected systems from the overall network infrastructure. Physically disconnecting network cables and applying access controls on network devices are examples of disabling connectivity. One of the side-effects of containment is that this will affect the operation of other non-infected systems in the network.
Full Malware Eradication Process
Containment only stops the spread of the malware. The fact that the malware is still inside your organization’s IT system is a security risk. Full eradication process is necessary in parallel with the containment process.
Backup Critical Files
Make sure to conduct regular backups of critical files so that when an outbreak or cyberattack happens, your organization can get back up again by restoring the impacted systems. Backups also ensure that attackers won’t have a leverage in your organization’s impacted systems as backups can easily be restored, rendering the attackers’ demand for ransom futile.
When you need help, contactour cybersecurity experts and protect your data.
Steve E. Driz, I.S.P., ITCP