Secure Gaming during holidays is essential as cyberattacks rise by 50%. Protect accounts with 2FA, avoid fake promotions,…

Secure Gaming during holidays is essential as cyberattacks rise by 50%. Protect accounts with 2FA, avoid fake promotions, use secure downloads, and trust verified tools to enjoy safe, uninterrupted gameplay.

The holiday season is a time of joy for gamers, with more free time to play, exciting events, and in-game promotions. However, this festive period comes with higher risks of cyberattacks than any other period of the year.

Studies by Wowvendor, a company dealing in WoW services, indicate that hackers increase their activity by 50% during the holidays and especially prey on gamers via malware and phishing. This article will detail these risks and give some useful advice on how to enjoy gaming without compromising your account security.

****The Rise of Cyber Threats During Holidays****

The gaming community gets busy during the holidays. Unfortunately, cybercriminals find this an attractive target. The key reasons for increased risks are as follows:

*   **Increased player traffic** – A large consumer base of online gaming creates, in turn, more opportunities for hackers to exploit vulnerabilities.
*   **Attractive holiday promotions** – Many players get tricked into fake giveaways and deals, without knowing it compromises their data security.
*   **Malware in pirated games** – Most of the time, hackers put harmful software inside cracked versions of popular titles.

For instance, cybersecurity companies have informed that the number of phishing emails with “in-game rewards notifications” and “discount offers” have spiked around the times of past holiday seasons. These examples of threats put the importance of vigilance during peak gaming hours deeper into focus.

****Common Cyber Threats to Gamers****

Cyber threats range from gaming cyber attacks and data security incidents to DDoS attacks. This will likely impact some players more and possibly their performance during peak gaming periods. Understanding these dangers can help players stay protected:

****Fake add-ons, mods and Phishing schemes** **

Hacks through counterfeit mods are common in games such as World of Warcraft. Hackers distribute these infected mods using counterfeit mods and give the malware the chance to steal login credentials or infect the device they’re playing on. Additionally, fraudulent links and websites trick people into providing personal information or downloading malicious software.

****DDoS attacks** **

The gaming industry is seeing a lot of DDoS attacks (distributed denial of service attacks), wherein hacker group gets a network of infected devices (botnet) that perform a network DDoS attack to inundate a game server or a group of players with a massive amount of traffic. This overload disrupts the server or network connection and has broken the game so that normal users can’t even get in.

These attacks send many requests and place a heavy load onto the server. Hackers aim at certain players’ IP addresses and try to degrade their connection, or that of the player behind it, to give themselves an in-game advantage. This type of targeted interference disrupts competitive gameplay and can negatively impact a game’s experience for the player.

Additionally, the number of ransomware attacks against gaming accounts has risen as well. They involve locking players out of their accounts and asking for payment to access them. When you are faced with unfamiliar software or links, it’s best to stay awake and alert to risks.

****Best Practices for Secure Gaming****

A large number of cyber attacks on gamers can stem from unauthorized downloads, according to leading cyber security firm Kaspersky. To enjoy your games safely during the holidays, follow these cybersecurity tips:

*   **Download software from official sources** — Do not download games or updates from untrusted websites — they can hide malware.
*   **Use two-factor authentication (2FA)** — It simply gives you extra protection for your gaming accounts.
*   **Verify promotional offers** — Don’t accept offers that are simply too good even to be true. There are always official channels for you to confirm their legitimacy.
*   **Avoid cracked games** — First and foremost pirated games are illegal, and they’re dangerous for security reasons too.

Working with your use of strong, unique passwords across all your accounts, these measures can go a long way toward mitigating your risk of being victimized in this way.

****The Role of Gaming Companies****

Leading gaming companies have stepped up their efforts to combat cyber threats. Their initiatives include:

*   **Enhanced security systems** – AI detecting and blocking unusual activity on gaming networks.
*   **Regular updates and patches** – Time and time again, developers release updates to patch vulnerabilities, and protect players with updates.
*   **Player education** – Many platforms offer users a way of recognizing and preventing scammers.

For instance, World of Warcraft’s creators, Blizzard Entertainment, is constantly monitoring its ecosystem for threats and expelling them while at the same time urging players to use solutions, for example, 2FA. Machine learning has been introduced into other companies, such as Valve and Riot Games, in an attempt to detect possible hacking through in-game behaviours.

****Advanced Cybersecurity Tools for Gamers****

Gamers now have access to cutting-edge cybersecurity solutions tailored to safeguard their online experience:

*   **Gaming-optimized VPNs** – VPN services will make sure that you have safe, encrypted connections while reducing latency and optimizing the routing of the server. It shields against DDoS attacks and keeps the gameplay smooth.
*   **Anti-phishing extensions** – Google Safe Browsing and Microsoft Defender SmartScreen are tools that actively block malicious sites and alert players that a phishing page is attempting to lure them into a trick.
*   **Behavioural analytics and anti-cheat systems** – Dedicated platforms use machine learning to analyze login patterns and in-game behaviour, detecting anomalies like hacking or unauthorized access.
*   **DDoS mitigation services** – Distribution denial-of-service attacks that cause gaming servers to stop working are identified and neutralized by Cloudflare, Akamai Prolexic, and other companies that protect gaming servers so that gamers can continue enjoying online sessions uninterrupted.

With these state-of-the-art tools, gamers will be protected from changing threats, which will protect gaming for the holidays and beyond.

****Stay on the Safe Side****

The holiday season is a wonderful opportunity to connect with your favourite games and communities. While cyber threats do increase during this period, staying informed and adopting secure practices can protect your gaming experience. From using official platforms to enabling two-factor authentication, every step you take helps reduce risks.

Gaming companies are also playing their part by providing services and insights that enhance player safety. By working together and staying alert, gamers can fully embrace the holiday spirit, free from cybersecurity concerns.

1.  What is Blockchain Gaming and its Play-to-Earn Model?
2.  Exploring Data Privacy and Security in B2B Gaming Data
3.  The Rise of Blockchain Gaming and Secure Marketplaces
4.  Winos4.0 Malware Targeting Windows via Fake Gaming Apps
5.  Gcore Thwarts 500 Million PPS DDoS Attack on Gaming Company

Secure Gaming During the Holidays

Mirai and Keksec botnet variants are exploiting critical vulnerabilities in D-Link routers. Learn about the impact, affected devices, and how to protect yourself from these attacks.

****In This Article, You Will Read About:****

*   **Increased Botnet Activity**: Surge in the activity of new “FICORA” and “CAPSAICIN” botnets, variants of Mirai and Kaiten.

*   **Exploited Vulnerabilities**: Attackers exploit known D-Link router vulnerabilities (e.g., CVE-2015-2051, CVE-2024-33112) to execute malicious commands.

*   **Botnet Capabilities**: Both botnets use shell scripts, target Linux systems, kill malware processes, and conduct DDoS attacks.

*   **Global Impact**: FICORA targeted multiple countries, while CAPSAICIN focused on East Asia, which had intense activity for over two days.

*   **Mitigation Measures**: Regular firmware updates and robust network monitoring are recommended to prevent exploitation.

FortiGuard Labs has observed a surge in the activity of two botnets, “FICORA” and “CAPSAICIN,” in October and November 2024. In its blog post, shared exclusively with Hackread.com, FortiGuard Labs’ Threat Research team explained that these botnets are variants of the well-known Mirai and Kaiten botnets and can execute malicious commands.

Further probing revealed that the distribution of these botnets involves exploiting D-Link vulnerabilities that allow remote attackers to execute malicious commands via a GetDeviceSettings action on the Home Network Administration Protocol (HNAP) interface. 

These vulnerabilities include CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112. These CVEs represent specific instances of vulnerabilities within D-Link routers that attackers have exploited. They often involve flaws in how HNAP handles user input and authentication. Attackers use the HNAP interface to deliver the malware, and this weakness was first exposed almost a decade ago.

The affected platforms include D-Link DIR-645 Wired/Wireless Router Rev. Ax, D-Link DIR-806 devices, and D-Link GO-RT-AC750 GORTAC750\_revA\_v101b03 and GO-RT-AC750\_revB\_FWv200b02. According to FortiGuard Labs IPS telemetry, the botnets have a high severity level and are spread through older attacks.

The FICORA botnet is malicious software that targets multiple Linux architectures and encodes its configuration using the ChaCha20 encryption algorithm. Furthermore, its functionalities also include a brute force attack feature, embedding a shell script with hexadecimal ASCII characters to identify and kill other malware processes, and DDoS attack functionalities using protocols like UDP, TCP, and DNS.

This botnet, according to to FortiGuard Labs Threat Research team’s blog post, downloads a shell script named ‘multi’ that uses various methods including wget, ftpget, curl, and tftp to download the actual malware.

Downloader script “multi” using the “curl” command (Via FortiGuard Labs)

The FICORA botnet attack, which targeted many countries worldwide, was triggered by attackers from Netherlands servers. On the other hand, the CAPSAICIN attack, unlike FICORA, was only intensely active over two days between October 21 and 22, 2024, and targeted East Asian countries. 

However, like FICORA it also exhibits diverse functionalities, including downloading a shell script called ‘bins.sh’, targeting multiple Linux architectures, killing known botnet processes, establishing a connection with its C2 server, sending victim host information, and offering DDoS attack functions.

Although the vulnerabilities exploited in this attack have been known for almost a decade, these attacks are still prevalent, which is concerning. Nevertheless, to reduce the risk of D-Link devices being compromised by botnets, it is recommended to regularly update firmware and maintain comprehensive network monitoring.

“FortiGuard Labs discovered that “FICORA” and “CAPSAICIN” spread through this weakness. Because of this, it is crucial for every enterprise to regularly update the kernel of their devices and maintain comprehensive monitoring,” FortiGuard Lab’s researcher Vincent Li concluded.

1.  **Mirai-Inspired Gorilla Botnet Hits 0.3m Targets in 100 Countries**
2.  **OracleIV DDoS Botnet Malware Hits Docker Engine API Instances**
3.  **Androxgh0st Botnet Hits IoT Devices, Exploiting 27 Vulnerabilities**
4.  **‘Matrix’ Hackers Deploy Massive New IoT Botnet for DDoS Attacks**
5.  **Golang Botnet “Zergeca” Discovered, Delivers Brutal DDoS Attacks**

FICORA, CAPSAICIN Botnets Exploit Old D-Link Router Flaws for DDoS Attacks

Cybersecurity researchers are warning about a spike in malicious activity that involves roping vulnerable D-Link routers into two different botnets, a Mirai variant dubbed FICORA and a Kaiten (aka Tsunami) variant called CAPSAICIN.
"These botnets are frequently spread through documented D-Link vulnerabilities that allow remote attackers to execute malicious commands via a GetDeviceSettings

FICORA and Kaiten Botnets Exploit Old D-Link Vulnerabilities for Global Attacks

LockBit ransomware gang's takedown is in progress!

****KEY SUMMARY POINTS****

*   **Arrest of Rostislav Panev**: Dual Russian-Israeli national Rostislav Panev, a key developer for the LockBit ransomware group, was arrested in Israel in August and awaits extradition to the U.S.

*   **Role in LockBit Operations**: Panev allegedly developed and maintained malware infrastructure for LockBit, enabling affiliates to launch ransomware attacks globally since 2019.

*   **Evidence Seized**: Authorities discovered administrator credentials for LockBit’s dark web tools, malware source codes, and control panel access during Panev’s arrest.

*   **Admissions and Payments**: Panev admitted to disabling antivirus software, deploying malware, and printing ransom notes, earning over $230,000 in cryptocurrency for his work.

*   **Impact of LockBit**: LockBit ransomware has targeted over 1,800 U.S. victims and thousands more worldwide, causing billions in damages and collecting over $500 million in ransom payments.

The U.S. Department of Justice (DoJ) has announced the arrest of Rostislav Panev, a dual Russian and Israeli national accused of being a key developer for the LockBit ransomware operation.

The 51-year-old was apprehended in Israel back in August and is now awaiting extradition to the United States to face charges including computer fraud, wire fraud, and extortion for his role in developing and maintaining LockBit ransomware infrastructure from 2019 to 2024.

LockBit, once dubbed the “most destructive ransomware group in the world,” has created major problems for thousands of victims across more than 120 countries, including over 1,800 in the U.S. alone. **From hospitals** and schools to **critical infrastructure** and multinational corporations, no sector has been safe from their attacks.

The group’s malicious activities have reportedly netted them at least $500 million in ransom payments while causing billions more in damages through lost revenue and recovery costs.

****Who is Rostislav Panev?****

According to the DoJ’s **press release**, Panev allegedly played a critical role in the development and maintenance of LockBit’s malware infrastructure. From the group’s emergence in 2019 until at least February 2024, Panev worked as a developer, creating tools that enabled LockBit affiliates to carry out attacks and extort victims.

During his arrest, authorities seized Panev’s computer, uncovering evidence that linked him directly to the group’s operations. This included administrator credentials for a dark web repository containing source code for multiple versions of the LockBit builder, a tool used to generate custom malware for specific victims. Investigators also found access credentials for the LockBit control panel, a dark web dashboard used by developers and affiliates to coordinate attacks.

According to the DoJ’s superseding criminal complaint, in interviews with Israeli authorities following his arrest, Panev admitted to writing code that disabled antivirus software, deployed malware across victim networks, and printed ransom notes on connected printers. He also confessed to receiving regular cryptocurrency payments for his work, summing over $230,000 between June 2022 and February 2024.

****Takedown of LockBit****

Panev’s arrest is the latest in a series of actions against the LockBit group. Earlier this year, the UK’s National Crime Agency (NCA) **led a coordinated international effort** to disrupt LockBit’s operations, seizing key servers and websites used by the group. This move significantly crippled LockBit’s ability to launch new attacks and extort victims.

The DoJ has also charged seven other individuals associated with LockBit, including **Dmitry Yuryevich Khoroshev**, the group’s alleged primary administrator. Khoroshev, who remains at large, is believed to have played a central role in recruiting affiliates and overseeing LockBit’s operations.

Two other LockBit affiliates, Mikhail Vasiliev and Ruslan Astamirov, have already pleaded guilty to their involvement in the group and are awaiting sentencing. Meanwhile, other key figures like Artur Sungatov and Ivan Kondratyev remain fugitives, with rewards of up to $10 million offered for information leading to their arrest.

In November 2024, Russian authorities arrested **Mikhail Pavlovich Matveev**, also known as Wazawaka and Boriselcin, a member of the Lockbit group. Matveev is also wanted by the FBI for his involvement in the Hive and Babuk ransomware operations.

Nevertheless, the fight against ransomware takes a major step forward with Panev’s extradition and prosecution, marking an important milestone in holding cybercriminals accountable. The message is simple: in our connected world, cybercrime doesn’t pay.

1.  **Ukraine Arrests Cryptor Specialist Aiding Conti and LockBit**
2.  **Rabbi Arrested for Hacking CCTV at Lady’s Swimwear Shop**
3.  **FBI Kills Kelihos Botnet Amid Russian Hacker’s Arrest in Spain**
4.  **Israeli arrested for hacking Madonna’s PC, selling songs online**
5.  **Husband, wife among ransomware operators arrested in Ukraine**

LockBit Developer Rostislav Panev, a Dual Russian-Israeli Citizen, Arrested

Cyberattacks against OT/ICS engineering workstations are widely underestimated, according to researchers who discovered malware designed to shut down Siemens workstation engineering processes.

Source: Constantine Johnny via Alamy Stock Photo

NEWS BRIEF

Operational technology (OT) and Industrial control systems (ICS) are increasingly exposed to compromise through engineering workstations. A new malware developed to kill stations running Siemens systems joins a growing list of botnets and worms working to infiltrate industrial networks through these on-premises, Internet-connected attack vectors.

Forescout researchers reported the discovery of the Siemens malware, which they called "Chaya\_003." But that's hardly an isolated case. The researchers also found two Mitsubishi engineering workstations compromised by the Ramnit worm, they explained in a new report.

"Malware in OT/ICS is more common than you think — and engineering workstations connected to the Internet are targets," the Forescout team warned.

Researchers from SANS said engineering workstation compromise accounts for more than 20% of OT cybersecurity incidents, the report noted. Botnets targeting OT systems, which the report said includes Aisuru, Kaiten, and Gafgyt, rely on Internet-connected devices to infiltrate networks.

Engineering workstations make excellent targets for cyberattack because they are on-premises stations running traditional operating systems as well as specialized software tools provided by vendors such as the Siemens TIA portal or Mitsubishi GX Works, the Forescout team wrote.

To defend against these campaigns, OT/ICS network operators should ensure engineering workstations are protected and that there is adequate network segmentation, and implement an ongoing threat monitoring program.

The report acknowledges malware developed specifically for OT environments is relatively rare compared with efforts put behind enterprise compromises, "but there’s little room to sleep easily if you’re a security operator in OT or manage industrial control system security," the researchers added.

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

OT/ICS Engineering Workstations Face Barrage of Fresh Malware

Juniper Networks is warning that Session Smart Router (SSR) products with default passwords are being targeted as part of a malicious campaign that deploys the Mirai botnet malware.
The company said it's issuing the advisory after "several customers" reported anomalous behavior on their Session Smart Network (SSN) platforms on December 11, 2024.
"These systems have been infected with the Mirai

Juniper Warns of Mirai Botnet Targeting SSR Devices with Default Passwords

A free VPN app called Big Mama is selling access to people’s home internet networks. Kids are using it to cheat in a VR game while researchers warn of bigger security risks.

In the hit virtual reality game _Gorilla Tag_, you swing your arms to pull your primate character around—clambering through virtual worlds, climbing up trees and, above all, trying to avoid an infectious mob of other gamers. If you’re caught, you join the horde. However, some kids playing the game claim to have found a way to cheat and easily “tag” opponents.

Over the past year, teenagers have produced video tutorials showing how to side-load a virtual private network (VPN) onto Meta’s virtual reality headsets and use the location-changing technology to get ahead in the game. Using a VPN, according to the tutorials, introduces a delay that makes it easier to sneak up and tag other players.

While the workaround is likely to be an annoying but relatively harmless bit of in-game cheating, there’s a catch. The free VPN app that the video tutorials point to, Big Mama VPN, is also selling access to its users’ home internet connections—with buyers essentially piggybacking on the VR headset’s IP address to hide their own online activity.

This technique of rerouting traffic, which is best known as a residential proxy and more commonly happens through phones, has become increasingly popular with cybercriminals who use proxy networks to conduct cyberattacks and use botnets. While the Big Mama VPN works as it is supposed to, the company’s associated proxy services have been heavily touted on cybercrime forums and publicly linked to at least one cyberattack.

Researchers at cybersecurity company Trend Micro first spotted Meta’s VR headsets appearing in its threat intelligence residential proxy data earlier this year, before tracking down that teenagers were using Big Mama to play _Gorilla Tag_. An unpublished analysis that Trend Micro shared with WIRED says its data shows that the VR headsets were the third most popular devices using the Big Mama VPN app, after devices from Samsung and Xiaomi.

“If you’ve downloaded it, there’s a very high likelihood that your device is for sale in the marketplace for Big Mama,” says Stephen Hilt, a senior threat researcher at Trend Micro. Hilt says that while Big Mama VPN may be being used because it is free, doesn’t require users to create an account, and apparently doesn’t have any data limits, security researchers have long warned that using free VPNs can open people up to privacy and security risks.

These risks may be amplified when that app is linked to a residential proxy. Proxies can “allow people with malicious intent to use your internet connection to potentially use it for their attacks, meaning that your device and your home IP address may be involved in a cyberattack against a corporation or a nation state,” Hilt says.

"Gorilla Tag is a place to have fun with your friends and be playful and creative—anything that disturbs that is not cool with us,” a spokesperson for Gorilla Tag creator Another Axiom says, adding they use “anti-cheat mechanisms” to detect suspicious behavior. Meta did not respond to a request for comment about VPNs being side-loaded onto its headsets.

**Proxies Rising**

Big Mama is made up of two parts: There’s the free VPN app, which is available on the Google Play store for Android devices and has been downloaded more than 1 million times. Then there’s the Big Mama Proxy Network, which allows people (among other options) to buy shared access to “real” 4G and home Wi-Fi IP addresses for as little as 40 cents for 24 hours.

Vincent Hinderer, a cyber threat intelligence team manager who has researched the wider residential proxy market at Orange Cyberdefense, says there are various scenarios where residential proxies are used, both for people who are having traffic routed through their devices and also those buying and selling proxy services. “It’s sometimes a gray zone legally and ethically,” Hinderer says.

For proxy networks, Hinderer says, one end of the spectrum is where networks could be used as a way for companies to scrape pricing details from their competitors' websites. Other uses can include ad verification or people scalping sneakers during sales. They may be considered ethically murky but not necessarily illegal.

At the other end of the scale, according to Orange’s research, residential proxy networks have broadly been used for cyber espionage by Russian hackers, in social engineering efforts, as part of DDoS attacks, phishing, botnets, and more. “We have cybercriminals using them knowingly,” Hinderer says of residential proxy networks generally, with Orange Cyberdefense having frequently seen proxy traffic in logs linked to cyberattacks it has investigated. Orange’s research did not specifically look at uses of Big Mama's services.

Some people can consent to having their devices used in proxy networks and be paid for their connections, Hinderer says, while others may be included because they agreed to it in a service’s terms and conditions—something research has long shown people don’t often read or understand.

Big Mama doesn’t make it a secret that people who use its VPN will have other traffic routed through their networks. Within the app it says it “may transport other customer’s traffic through” the device that’s connected to the VPN, while it is also mentioned in the terms of use and on a FAQ page about how the app is free.

The Big Mama Network page advertises its proxies as being available to be used for ad verification, buying online tickets, price comparison, web scraping, SEO, and a host of other use cases. When a user signs up, they’re shown a list of locations proxy devices are located in, their internet service provider, and how much each connection costs.

This marketplace, at the time of writing, lists 21,000 IP addresses for sale in the United Arab Emirates, 4,000 in the US, and tens to hundreds of other IP addresses in a host of other countries. Payments can only be made in cryptocurrency. Its terms of service say the network is only provided for “legal purposes,” and people using it for fraud or other illicit activities will be banned.

Despite this, cybercriminals appear to have taken a keen interest in the service. Trend Micro’s analysis claims Big Mama has been regularly promoted on underground forums where cybercriminals discuss buying tools for malicious purposes. The posts started in 2020. Similarly, Israeli security firm Kela has found more than 1,000 posts relating to the Big Mama proxy network across 40 different forums and Telegram channels.

Kela’s analysis, shared with WIRED, shows accounts called “bigmama\_network” and “bigmama” posted across at least 10 forums, including cybercrime forums such as WWHClub, Exploit, and Carder. The ads list prices, free trials, and the Telegram and other contact details of Big Mama.

It is unclear who made these posts, and Big Mama tells WIRED that it does not advertise.

Posts from these accounts also said, among other things, that “anonymous” bitcoin payments are available. The majority of the posts, Kela’s analysis says, were made by the accounts around 2020 and 2021. Although, an account called “bigmama\_network” has been posting on the clearweb Blackhat World SEO forum until October this year, where it has claimed its Telegram account has been deleted multiple times.

In other posts during the last year, according to the Kela analysis, cybercrime forum users have recommended Big Mama or shared tips about the configurations people should use. In April this year, security company Cisco Talos said it had seen traffic from the Big Mama Proxy, alongside other proxies, being used by attackers trying to brute force their way into a variety of company systems.

**Mixed Messages**

Big Mama has few details about its ownership or leadership on its website. The company’s terms of service say that a business called BigMama SRL is registered in Romania, although a previous version of its website from 2022, and at least one live page now, lists a legal address for BigMama LLC in Wyoming. The US-based business was dissolved in April and is now listed as inactive, according to the Wyoming Secretary of State’s website.

A person using the name Alex A responded to an email from WIRED about how Big Mama operates. In the email, they say that information about free users’ connections being sold to third parties through the Big Mama Network is “duplicated on the app market and in the application itself several times,” and people have to accept the terms of conditions to use the VPN. They say the Big Mama VPN is officially only available from the Google Play Store.

“We do not advertise and have never advertised our services on the forums you have mentioned,” the email says. They say they were not aware of the April findings from Talos about its network being used as part of a cyberattack. “We do block spam, DDOS, SSH as well as local network etc. We log user activity to cooperate with law enforcement agencies,” the email says.

The Alex A persona asked WIRED to send it more details about the adverts on cybercrime forums, details about the Talos findings, and information about teenagers using Big Mama on Oculus devices, saying they would be “happy” to answer further questions. However, they did not respond to any further emails with additional details about the research findings and questions about their security measures, whether they believe someone was impersonating Big Mama to post on cybercrime forums, the identity of Alex A, or who runs the company.

During its analysis, Trend Micro’s Hilt says that the company also found a security vulnerability within the Big Mama VPN, which could have allowed a proxy user to access someone’s local network if exploited. The company says it reported the flaw to Big Mama, which fixed it within a week, a detail Alex A confirmed.

Ultimately, Hilt says, there are potential risks whenever anyone downloads and uses a free VPN. “All free VPNs come with a trade-off of privacy or security concerns,” he says. That applies to people side-loading them onto their VR headsets. “If you’re downloading applications from the internet that aren't from the official stores, there’s always the inherent risk that it isn’t what you think it is. And that comes true even with Oculus devices.”

This VPN Lets Anyone Use Your Internet Connection. What Could Go Wrong?

KEY SUMMARY POINTS The FBI has issued a Private Industry Notification (PIN) to highlight new malware campaigns targeting…

****KEY SUMMARY POINTS****

*   **FBI Alert on HiatusRAT**: The FBI issued a Private Industry Notification (PIN) warning about HiatusRAT malware campaigns targeting Chinese-branded web cameras and DVRs, leveraging remote access for device infiltration.

*   **Evolving Cyber Threat**: HiatusRAT, active since 2022, has been used to exploit outdated network devices, Taiwanese organizations, and a US government server. Recent campaigns focus on webcams and DVRs across the US, Canada, the UK, Australia, and New Zealand.

*   **Exploitation of Vulnerabilities**: Hackers are exploiting unpatched security flaws in devices like Hikvision and D-Link using tools like Ingram and Medusa, targeting TCP ports such as 23, 554, and 8080.

*   **Mitigation Efforts**: The FBI recommends isolating vulnerable devices from networks, implementing multi-factor authentication, enforcing strong password policies, and promptly updating firmware and software.

*   **Collaborative Response**: Sonu Shankar, a former federal critical infrastructure official, is collaborating with CISOs to address the escalating threat posed by these campaigns.

The FBI has issued a Private Industry Notification (PIN) to highlight new malware campaigns targeting Chinese-branded web cameras and DVRs. These attacks leverage a remote access trojan (RAT) called HiatusRAT, which grants remote access to compromised devices. 

HiatusRAT has been evolving since at least July 2022, and cybercriminals have used it to infiltrate outdated network devices, Taiwanese organizations, and even a US government server. Previous HiatusRAT campaigns have targeted edge routers to collect traffic passively and function as a covert command-and-control network. In March 2024, HiatusRAT actors launched a large-scale scanning campaign focusing on webcams and DVRs in the US, Canada, UK, Australia, and New Zealand.

Hackers are exploiting security weaknesses in devices like Hikvision cameras and D-Link devices as many vendors haven’t addressed critical vulnerabilities like CVE-2017-7921 (Hikvision cameras), CVE-2020-25078 (D-Link devices), CVE-2018-9995, CVE-2021-33044, and CVE-2021-36260, among others.

They are exploiting unpatched flaws targeting devices with telnet access, an insecure remote access protocol, and even brute-forcing access. The actors targeted Xiongmai and Hikvision devices with telnet access using webcam-scanning tools Ingram and Medusa.

“They used Ingram—a webcam-scanning tool available on Github—to conduct scanning activity. And they used Medusa—an open-source brute-force authentication cracking tool—to target Hikvision cameras with telnet access,” the **PIN** (PDF) read. Targeted TCP ports included 23, 26, 554, 2323, 567, 5523, 8080, 9530, and 56575.

The FBI advises companies to limit the use of devices mentioned in the PIN and isolate them from their network. They should regularly monitor networks and employ best cybersecurity practices, including reviewing security policies, user agreements, and patching plans.

Furthermore, companies should patch and update operating systems, software, and firmware as soon as manufacturer updates are available change network system and account passwords regularly, enforce a strong password policy, and require multi-factor authentication whenever possible.

1.  **FBI: Chinese Hackers Compromised US Telecom Networks**
2.  **Tech Support Courier Scam Aiming at Cash and Metals, FBI**
3.  **FBI Alert: Russian Hackers Target Ubiquiti Routers for Botnet**
4.  **FBI: Androxgh0st Malware Building Botnet for Credential Theft**
5.  **FBI Targets 764 Network: Man Faces 30 Years for Cyberstalking**

FBI Warns of HiatusRAT Malware Targeting Webcams and DVRs

Androxgh0st, a botnet targeting web servers since January 2024, is also deploying IoT-focused Mozi payloads, reveals CloudSEK’s latest research.

****KEY POINTS****

*   **Rapid Vulnerability Exploitation**: The Androxgh0st botnet has expanded its arsenal, exploiting 27 vulnerabilities across web servers, IoT devices, and various technologies, including Cisco ASA, Atlassian JIRA, and TP-Link routers.

*   **Integration with Mozi Botnet**: The botnet incorporates Mozi payloads, targeting IoT devices and potentially sharing command-and-control infrastructure, signaling increased coordination and sophistication.

*   **Focus on Weak Security Practices**: Androxgh0st employs brute-force attacks, credential stuffing, and exploitation of devices with default or weak passwords to gain administrative access and maintain persistence.

*   **Global and Chinese-Specific Targets**: The botnet exploits vulnerabilities in both global systems and Chinese-specific technologies, with evidence pointing to links to Chinese CTF communities and Mandarin-based phishing tactics.

*   **Urgent Call for Patching**: Researchers recommend immediate patching of all affected systems to mitigate risks, including remote code execution, data breaches, and ransomware attacks.

CloudSEK’s contextual AI digital risk platform Xvigil has uncovered a significant evolution in the Androxgh0st botnet, revealing its exploitation of over 20 vulnerabilities and operational **integration with the Mozi botnet** with expected rise of, at least, 75% more web-application vulnerabilities by mid- 2025.This indicates a significant increase in Androxgh0st’s initial attack vector arsenal from 11 in November 2024 to around 27 within a month.

For your information, CISA **issued** an advisory earlier this year regarding Androxgh0st’s expanding attack surface, including Cisco ASA, Atlassian JIRA, and PHP frameworks, allowing unauthorized access and remote code execution.

CloudSEK’s research highlights Androxgh0st’s expansion beyond its initial focus on web servers, now incorporating IoT-focused Mozi payloads. It is actively exploiting 27 vulnerabilities across various technologies.

These include exploiting a web script injection vulnerability (**CVE-2014-2120**) in Cisco ASA, leveraging a path traversal vulnerability (**CVE-2021-26086**) for remote file reading, exploiting a local file inclusion vulnerability (**CVE-2021-41277**) for arbitrary file downloads, and targeting vulnerabilities in PHPUnit, Laravel, PHP-CGI, TP-Link routers, Netgear devices, and GPON routers.

Numerous other vulnerabilities are exploited now, including those in Sophos Firewall, Oracle EBS, OptiLink ONT1GEW, Spring Cloud Gateway, and various Chinese-specific software. The Sophos Authentication bypass vulnerability leads to Remote Code Execution (RCE) in the firewall’s User Portal and Webadmin web interfaces, allowing an unauthenticated attacker to execute arbitrary code.

This vulnerability is also present in Oracle E-Business Suite (EBS) Unauthenticated Arbitrary File Upload, which can be exploited to gain remote code execution as an Oracle user. OptiLink ONT1GEW GPON 2.1.11\_X101 Build 1127.190306 also allows remote code execution (authenticated). Finally, PHP CGI argument injection issue (**CVE-2024-4577**) is another issue affecting PHP-CGI.

This exploitation enables unauthorized access and remote code execution, posing significant risks to global web servers and IoT networks. Moreover, the botnet’s growing sophistication is evident in its shared infrastructure, persistent backdoor tactics, and the incorporation of Mozi payloads, the **report** read.

The research indicates a significant operational overlap between Androxgh0st and the Mozi botnet, with Androxgh0st deploying Mozi payloads to infect IoT devices and potentially sharing command and control infrastructure, suggesting a high level of coordination or unified control structure.

Further probing revealed that Androxgh0st **employs sophisticated tactics** such as code injection and file appending to maintain persistent access to compromised systems. It targets WordPress installations using brute-force attacks and **credential stuffing** to gain administrative access, and frequently exploits devices with default, weak or easily guessable passwords.

Although definitive attribution is complex, the research suggests links to Chinese CTF communities due to targeting of Chinese-specific technologies and software. This includes the use of the “PWN\_IT” string in injected payloads and command infrastructure, using Mandarin in phishing baits and source code, and potential connections to Chinese Kanxue-hosted CTF events. Successful exploitation can lead to data breaches, theft, system disruption, ransomware attacks, botnet amplification, and espionage and surveillance activities.

Screenshot shoes countries where devices have been most impacted for and the Chinese connection detailed by researchers in their blog (Via CloudSec)

“CloudSEK recommends immediate patching of these vulnerabilities to mitigate risks associated with the Androxgh0st botnet, which is known for systematic exploitation and persistent backdoor access,” researchers noted.

1.  **Legion: Credential Harvesting Malware Sold on Telegram**
2.  **Malware in Fake Business Proposals Hits YouTube Creators**
3.  **Cisco Urges Immediate Patch for Decade-Old WebVPN Flaw**
4.  **Black Basta Uses MS Teams, Email Bombing to Spread Malware**
5.  **Goldoon Botnet Hits D-Link Devices by Exploiting 9-Year-Old Flaw  
    **

Tag

#botnet