Mindgard researchers uncovered critical vulnerabilities in Microsoft’s Azure AI Content Safety service, allowing attackers to bypass its safeguards…

Mindgard researchers uncovered critical vulnerabilities in Microsoft’s Azure AI Content Safety service, allowing attackers to bypass its safeguards and unleash harmful AI-generated content.

A UK-based cybersecurity-for-AI startup, Mindgard, discovered two critical security vulnerabilities in Microsoft’s Azure AI Content Safety Service in February 2024. These flaws, as per their research shared with Hackread.com, could allow attackers to bypass the service’s safety guardrails.

The vulnerabilities were responsibly disclosed to Microsoft in March 2024, and by October 2024, the company deployed “stronger mitigations” to reduce their impact. However, the details of it have only been shared by Mindgard now.

****Understanding the Vulnerabilities****

Azure AI Content Safety is a Microsoft Azure cloud-based service that helps developers create safety and security guardrails for AI applications by detecting and managing inappropriate content. It uses advanced techniques to filter harmful content, including hate speech and explicit/objectionable material. Azure OpenAI uses a Large Language Model (LLM) with Prompt Shield and AI Text Moderation guardrails to validate inputs and AI-generated content. 

However, two security vulnerabilities were discovered within these guardrails, which protect AI models against jailbreaks and prompt injection. As per the research, attackers could circumvent both the AI Text Moderation and Prompt Shield guardrails and inject harmful content into the system, manipulate the model’s responses, or even compromise sensitive information. 

Microsoft’s Azure AI Content Safety Service and bypassing the (Via Mindgard)

****Attack Techniques****

According to Mindgard’s report, its researchers employed two primary attack techniques to bypass the guardrails including Character injection and Adversarial Machine Learning (AML).

****Character injection:****

It is a technique where text is manipulated by injecting or replacing characters with specific symbols or sequences. This can be done through diacritics, homoglyphs, numerical replacement, space injection, and zero-width characters. These subtle changes can deceive the model into misclassifying the content, allowing attackers to manipulate the model’s interpretation and disrupt the analysis. The goal is to deceive the guardrail into misclassifying the content. 

****Adversarial Machine Learning (AML):****

AML involves manipulating input data through certain techniques to mislead the model’s predictions. These techniques include perturbation techniques, word substitution, misspelling, and other manipulations. By carefully selecting and perturbing words, attackers can cause the model to misinterpret the input’s intent.

****Possible Consequences****

The two techniques effectively bypassed AI text moderation safeguards, reducing detection accuracy by up to 100% and 58.49%, respectively. The exploitation of these vulnerabilities could lead to societal harm as it “can result in harmful or inappropriate input reaching the LLM, causing the model to generate responses that violate its ethical, safety, and security guidelines,” researchers wrote in their blog post shared exclusively with Hackread.com.

Moreover, it allows malicious actors to inject harmful content into AI-generated outputs, manipulate model behaviour, expose sensitive data, and exploit vulnerabilities to gain unauthorized access to sensitive information or systems.

“By exploiting the vulnerability to launch broader attacks, this could compromise the integrity and reputation of LLM-based systems and the applications that rely on them for data processing and decision-making,” researchers noted.

It is crucial for organizations to stay updated with the latest security patches and to implement additional security measures to protect their AI applications from such attacks.

1.  Mirai botnet exploiting Azure OMIGOD vulnerabilities
2.  Microsoft AI Researchers Expose 38TB of Top Sensitive Data
3.  Phishing Attacks Bypass Microsoft 365 Email Safety Warnings
4.  Researchers access primary keys of Azure’s Cosmos DB Users
5.  Data Security: Congress Bans Staff Use of Microsoft’s AI Copilot
6.  New LLMjacking Attack Lets Hackers Hijack AI Models for Profit

Azure AI Vulnerabilities Allowed Attacks to Bypass Moderation Safeguards

The sophisticated Chinese cyberattacks of today rest on important groundwork laid during the pandemic and before.

Source: Cinematic via Alamy Stock Photo

Chinese threat actors are operating at a higher level today than ever before, thanks to years of trial-and-error-style attacks against mass numbers of edge devices.

Networking devices are a known favorite of China's advanced persistent threats (APT), and why wouldn't they be? Sitting on the outer banks of an enterprise network, they not only allow threat actors a way in, they also double as useful nodes for botnets. They offer opportunities for lateral movement, they often store sensitive data, and network defenders have a harder time seeing into and securing them than they do other kinds of network computers. 

Over time, Chinese APTs have been improving on their edge attack capabilities. Since 2018, Sophos has traced a distinct evolution in tactics: from naive, low-level attacks came more sophisticated campaigns against massive numbers of devices, followed by a period of more targeted attacks against specific organizations.

**The First Salvo in a Long Cyber War**

On Dec. 4, 2018, Sophos analysts discovered a suspicious device running network scans against Cyberoam, a Sophos subsidiary based in India. In some ways the attack was run of the mill, using commodity malware and common living-off-the-land (LotL) tactics.

Other evidence, though, suggested that this was something different. For example, the attacker utilized a novel technique to pivot from on-premises devices to the cloud, via an overly permissive identity and access management (IAM) configuration to the Amazon Web Services Systems Manager (AWS SM).

Related:Dark Reading News Desk Live From Black Hat USA 2024

"AWS SM was quite a new technology, and it was quite a subtle misconfiguration," Sophos chief information security officer (CISO) Ross McKerchar recalls. "That was one of the first indicators that we were up against an interesting adversary." 

Later, the attackers deployed a novel rootkit called Cloud Snooper. Cloud Snooper was so stealthy that two third-party consultancies missed it in their analysis, before Sophos eventually picked up on its presence.

The goal of the attack, it seemed, was to collect information useful for future attacks against edge devices. It was a harbinger of what was to come.

**A Five-Year Evolution in Chinese TTPs**

Chinese cyber threats blossomed from roughly 2020 to 2022, as attackers focused on identifying and breaching edge devices en masse.

It worked thanks to the large quantity of devices in the wild that have Internet-facing portals. Typically, these interfaces are designed for internal use. With COVID-19, though, more and more companies were allowing employees to connect from the open Web. This provided a window for hackers with the right kind of credentials or vulnerabilities to get in.

Related:The Overlooked Importance of Identifying Riskiest Users

It helped, too, that around that same time — July 2021 — China's Cyberspace Administration passed the Regulations on the Management of Network Product Security Vulnerability Information rules. These mandates forced cybersecurity researchers to report vulnerabilities to the country's Ministry of Industry and Information Technology (MIIT) before disclosing to any other parties. "It was designed to co-opt the whole country — private citizens included — into being assets for PRC objectives," McKerchar says. Sophos argues with medium confidence that two notable campaigns during this period were facilitated by vulnerabilities responsibly disclosed by researchers at universities in the Chinese city of Chengdu.

Chinese APTs weren't only interested in using compromised devices to attack the companies from whence they came. With varying degrees of success, they would often try to incorporate the devices into broader operational relay box networks (ORBs). These ORBs, in turn, offered higher-level threat actors more sophisticated infrastructure from which to launch more advanced attacks and hide any trace of their origin.

Related:FBI, Partners Disrupt RedLine, Meta Stealer Operations

**What's Happening Now**

After this noisy period, around the middle of 2022, Chinese APTs shifted yet again. Ever since, they've been focused on much more deliberate and targeted attacks against organizations of high value: government agencies, military contractors, research and development firms, critical infrastructure providers, and the like.

These attacks follow no single pattern, involving known and zero-day vulnerabilities, userl and and UEFI bootkits, and whatever other elements pair with active, hands-on-keyboard-type attacks. They almost certainly wouldn't be as sophisticated as they are, though, without all of the years of trial and error that occurred before. Evidence to that is just how effective these threat actors are at overcoming cybersecurity defenses. In recent years, they've demonstrated an ability to sabotage hotfixes for vulnerable devices, and block evidence of their activity from reaching Sophos analysts.

"There's a clear arc of moving to stealthier and stealthier persistence in the activity that we've uncovered," McKerchar says.

He explains how "the first malware, whilst it was bespoke for our devices, it wasn't really trying to hide. They were just banking on nobody looking. In the second wave of attacks they learned a bunch of lessons, remarkably quickly. The malware wasn't explicitly trying to hide, it was just smaller, and naturally able to blend in a bit more. Then after that, they started kind of pulling out more interesting tactics: Trojan class files, memory-resident malware, rootkits, bootkits."

He concludes, "It'd be hard to speculate on what's next, except \[that\] they're going to be improving again."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Chinese APTs Cash In on Years of Edge Device Attacks

A vulnerability categorized as “critical” in a photo app installed by default on Synology network-attached storage devices could give attackers the ability to steal data and worse.

The researchers also said the photo application, which helps users organize photos, provided easy access whether customers connect their NAS device directly to the internet themselves or through Synology’s QuickConnect service, which allows users to access their NAS remotely from anywhere. And once attackers find one cloud-connected Synology NAS, they can easily locate others due to the way the systems get registered and assigned IDs.

“There are a lot of these devices that are connected to a private cloud through the QuickConnect service, and those are exploitable as well, so even if you don’t directly expose it to the internet, you can exploit \[the devices\] through this service, and that’s devices in the order of millions,” says Wetzels.

The researchers were able to identify cloud-connected Synology NASes owned by police departments in the United States and France, as well as a large number of law firms based in the US, Canada, and France, and freight and oil tank operators in Australia and South Korea. They even found ones owned by maintenance contractors in South Korea, Italy, and Canada that work on power grids and in the pharmaceutical and chemical industries.

“These are firms that store corporate data … management documents, engineering documents and, in the case of law firms, maybe case files,” Wetzels notes.

The researchers say ransomware and data theft aren’t the only concern with these devices—attackers could also turn infected systems into a botnet to service and conceal other hacking operations, such as a massive botnet that Volt Typhoon hackers from China had built from infected home and office routers to conceal their espionage operations.

Synology did not respond to a request for comment, but the company’s web site posted two security advisories related to the issue on October 25, calling the vulnerability “critical.” The advisories, which confirmed that the vulnerability was discovered as part of the Pwn2Own contest, indicate that the company released patches for the vulnerability. Synology’s NAS devices do not have automatic update capability, however, and it’s not clear how many customers know about the patch and have applied it. With the patch released, it also makes it easier for attackers to now figure out the vulnerability from the patch and design an exploit to target devices.

“It’s not trivial to find \[the vulnerability\] on your own, independently,” Meijer tells WIRED, “but it is pretty easy to figure out and connect the dots when the patch is actually released and you reverse-engineer the patch.”

Zero-Click Flaw Exposes Potentially Millions of Popular Storage Devices to Attack

Microsoft has revealed that a Chinese threat actor it tracks as Storm-0940 is leveraging a botnet called Quad7 to orchestrate highly evasive password spray attacks.
The tech giant has given the botnet the name CovertNetwork-1658, stating the password spray operations are used to steal credentials from multiple Microsoft customers.
"Active since at least 2021, Storm-0940 obtains initial access

Threat Intelligence / Network Security

Microsoft has revealed that a Chinese threat actor it tracks as Storm-0940 is leveraging a botnet called Quad7 to orchestrate highly evasive password spray attacks.

The tech giant has given the botnet the name CovertNetwork-1658, stating the password spray operations are used to steal credentials from multiple Microsoft customers.

"Active since at least 2021, Storm-0940 obtains initial access through password spray and brute-force attacks, or by exploiting or misusing network edge applications and services," the Microsoft Threat Intelligence team said.

"Storm-0940 is known to target organizations in North America and Europe, including think tanks, government organizations, non-governmental organizations, law firms, defense industrial base, and others."

Quad7, aka 7777 or xlogin, has been the subject of extensive analyses by Sekoia and Team Cymru in recent months. The botnet malware has been observed targeting several brands of SOHO routers and VPN appliances, including TP-Link, Zyxel, Asus, Axentra, D-Link, and NETGEAR.

These devices are recruited by exploiting known and as-yet-undetermined security flaws to gain remote code execution capabilities. The botnet's name is a reference to the fact that the routers are infected with a backdoor that listens on TCP port 7777 to facilitate remote access.

Sekoia told The Hacker News in September 2024 the botnet is being mainly used to perform brute-force attempts against Microsoft 365 accounts, adding the operators are likely Chinese state-sponsored actors.

Microsoft has also assessed that the botnet maintainers are located in China, and that multiple threat actors from the country are using the botnet to conduct password spray attacks for follow-on computer network exploitation (CNE) activities, such as lateral movement, deployment of remote access trojans, and data exfiltration attempts.

This includes Storm-0940, which it said has infiltrated target organizations using valid credentials obtained via the password spray attacks, in some cases on the same day the credentials were extracted. The "quick operational hand-off" implies a close collaboration between the botnet operators and Storm-0940, the company pointed out.

"CovertNetwork-1658 submits a very small number of sign-in attempts to many accounts at a target organization," Microsoft said. "In about 80 percent of cases, CovertNetwork-1658 makes only one sign-in attempt per account per day."

As many as 8,000 compromised devices are estimated to be active in the network at any given point of time, although only 20 percent of those devices are involved in password spraying.

The Windows maker also warned that the botnet infrastructure has witnessed a "steady and steep decline" following public disclosure, raising the possibility that the threat actors are "likely acquiring new infrastructure with modified fingerprints" to evade detection.

"Any threat actor using the CovertNetwork-1658 infrastructure could conduct password spraying campaigns at a larger scale and greatly increase the likelihood of successful credential compromise and initial access to multiple organizations in a short amount of time," Microsoft noted.

"This scale, combined with quick operational turnover of compromised credentials between CovertNetwork-1658 and Chinese threat actors, allows for the potential of account compromises across multiple sectors and geographic regions."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Warns of Chinese Botnet Exploiting Router Flaws for Credential Theft

Sophos went so far as to plant surveillance “implants” on its own devices to catch the hackers at work—and in doing so, revealed a glimpse into China's R&D pipeline of intrusion techniques.

For years, it's been an inconvenient truth within the cybersecurity industry that the network security devices sold to protect customers from spies and cybercriminals are, themselves, often the machines those intruders hack to gain access to their targets. Again and again, vulnerabilities in “perimeter” devices like firewalls and VPN appliances have become footholds for sophisticated hackers trying to break into the very systems those appliances were designed to safeguard.

Now one cybersecurity vendor is revealing how intensely—and for how long—it has battled with one group of hackers that have sought to exploit its products to their own advantage. For more than five years, the UK cybersecurity firm Sophos engaged in a cat-and-mouse game with one loosely connected team of adversaries who targeted its firewalls. The company went so far as to track down and monitor the specific devices on which the hackers were testing their intrusion techniques, surveil the hackers at work, and ultimately trace that focused, years-long exploitation effort to a single network of vulnerability researchers in Chengdu, China.

On Thursday, Sophos chronicled that half-decade-long war with those Chinese hackers in a report that details its escalating tit-for-tat. The company went as far as discreetly installing its own “implants” on the Chinese hackers' Sophos devices to monitor and preempt their attempts at exploiting its firewalls. Sophos researchers even eventually obtained from the hackers' test machines a specimen of “bootkit” malware designed to hide undetectably in the firewalls' low-level code used to boot up the devices, a trick that has never been seen in the wild.

In the process, Sophos analysts identified a series of hacking campaigns that had started with indiscriminate mass exploitation of its products but eventually became more stealthy and targeted, hitting nuclear energy suppliers and regulators, military targets including a military hospital, telecoms, government and intelligence agencies, and the airport of one national capital. While most of the targets—which Sophos declined to identify in greater detail—were in South and Southeast Asia, a smaller number were in Europe, the Middle East, and the United States.

Sophos' report ties those multiple hacking campaigns—with varying levels of confidence—to Chinese state-sponsored hacking groups including those known as APT41, APT31, and Volt Typhoon, the latter of which is a particularly aggressive team that has sought the ability to disrupt critical infrastructure in the US, including power grids. But the common thread throughout those efforts to hack Sophos' devices, the company says, is not one of those previously identified hackers groups but instead a broader network of researchers that appears to have developed hacking techniques and supplied them to the Chinese government. Sophos' analysts tie that exploit development to an academic institute and a contractor, both around Chengdu: Sichuan Silence Information Technology—a firm previously tied by Meta to Chinese state-run disinformation efforts—and the University of Electronic Science and Technology of China.

Sophos says it’s telling that story now not just to share a glimpse of China's pipeline of hacking research and development, but also to break the cybersecurity industry's awkward silence around the larger issue of vulnerabilities in security appliances serving as entry points for hackers. In just the past year, for instance, flaws in security products from other vendors including Ivanti, Fortinet, Cisco, and Palo Alto have all been exploited in mass hacking or targeted intrusion campaigns. “This is becoming a bit of an open secret. People understand this is happening, but unfortunately everyone is _zip,_” says Sophos chief information security officer Ross McKerchar, miming pulling a zipper across his lips. “We're taking a different approach, trying to be very transparent, to address this head-on and meet our adversary on the battlefield.”

**From One Hacked Display to Waves of Mass Intrusion**

As Sophos tells it, the company's long-running battle with the Chinese hackers began in 2018 with a breach of Sophos itself. The company discovered a malware infection on a computer running a display screen in the Ahmedabad office of its India-based subsidiary Cyberoam. The malware had gotten Sophos' attention due to its noisy scanning of the network. But when the company's analysts looked more closely, they found that the hackers behind it had already compromised other machines on the Cyberoam network with a more sophisticated rootkit they identified as CloudSnooper. In retrospect, the company believes that initial intrusion was designed to gain intelligence about Sophos products that would enable follow-on attacks on its customers.

Then in the spring of 2020, Sophos began to learn about a broad campaign of indiscriminate infections of tens of thousands of firewalls around the world in an apparent attempt to install a trojan called Asnarök and create what it calls “operational relay boxes” or ORBs—essentially a botnet of compromised machines the hackers could use as launching points for other operations. The campaign was surprisingly well resourced, exploiting multiple zero-day vulnerabilities the hackers appeared to have discovered in Sophos appliances. Only a bug in the malware's cleanup attempts on a small fraction of the affected machines allowed Sophos to analyze the intrusions and begin to study the hackers targeting its products.

Inside Sophos' 5-Year War With the Chinese Hackers Hijacking Its Devices

An international law enforcement operation, led by the United States, Europol, and the Netherlands, has successfully dismantled the…

An international law enforcement operation, led by the United States, Europol, and the Netherlands, has successfully dismantled the infrastructure behind the notorious RedLine and META infostealer malware. Discover how these cyberattacks steal sensitive information and the impact they have on individuals and businesses worldwide.

An international law enforcement operation has successfully dismantled the infrastructure behind two notorious infostealer malware strains: RedLine and Meta. The operation, codenamed “Operation Magnus,” was led by the Dutch National Police, the U.S. Department of Justice (DOJ) and supported by Europol.

The investigation involved law enforcement agencies from across the globe, including Belgium (Belgian Federal Police, Belgian Federal Prosecutor’s Office), Australia (the Australian Federal Police), Portugal (Polícia Judiciária), and the United Kingdom (National Crime Agency).

Other US agencies involved in this operation include the FBI, Naval Criminal Investigative Service, IRS Criminal Investigation, Defense Criminal Investigative Service, and Army Criminal Investigation Division. These agencies collaborated under a Joint Cybercrime Action Taskforce (“JCAT”) Operation Magnus. 

Watch the video released by authorities

This operation resulted in full access (PDF) to the servers hosting the malware’s infrastructure, including source code, license servers, user data, and seizing domains and Telegram accounts. Authorities have created a dedicated website to provide resources for victims and the public

For your information, Infostealers are a type of malware designed to steal sensitive information from victims’ devices, such as login credentials, passwords, and credit card details. These stolen credentials are often sold on underground markets, enabling further cyberattacks and fraudulent activities.

Screenshot from RedLine’s infrastructure

RedLine and META are designed to infiltrate victim computers and steal sensitive information. This stolen data, often referred to as “logs,” can include usernames, passwords, financial information, and even cryptocurrency wallet details. Criminals use these stolen credentials for a variety of nefarious purposes, including launching further attacks, committing fraud, or bypassing multi-factor authentication (MFA). 

Investigations revealed RedLine and META may have infected millions of computers worldwide. Estimates suggest RedLine alone might be one of the most prevalent malware variants globally. Law enforcement has identified millions of unique credentials stolen by the malware, including usernames, passwords, and financial data.

As part of Operation Magnus, authorities unsealed a criminal complaint (PDF) against Maxim Rudometov, believed to be a developer and administrator of RedLine. The complaint accuses Rudometov of managing RedLine’s infrastructure, receiving payments through cryptocurrency accounts, and possessing the malware itself. He faces charges including access device fraud, conspiracy to commit computer intrusion, and money laundering, and if convicted, he could face a maximum sentence of 10 years in prison.

Maxim Rudometov, the alleged developer and administrator of RedLine.

Operation Magnus serves as a powerful example of international cooperation in combating cybercrime. By dismantling the RedLine and META infrastructure, law enforcement has significantly disrupted the activities of cybercriminals who rely on stolen data for their illicit operations. However, the ever-evolving nature of cybercrime necessitates continued vigilance and cooperation between law enforcement and cybersecurity experts.

1.  **VirusTotal Reveals Apps Most Exploited To Spread Malware**
2.  **Konni RAT Exploiting Word Docs to Steal Data from Windows**
3.  **FBI Dismantles Chinese-Linked Botnet of 260,000 IoT Devices**
4.  **Police Dismantle Phishing-as-a-Service Platform BulletProftLink**
5.  **Arid Viper’s AridSpy Trojan Hits Android Users in Palestine, Egypt**

Operation Magnus: Police Dismantles RedLine and META Infostealer Infrastructure

This article details a new campaign by TeamTNT, a notorious hacking group, leveraging exposed Docker daemons to deploy…

This article details a new campaign by TeamTNT, a notorious hacking group, leveraging exposed Docker daemons to deploy malware, using compromised servers and Docker Hub to spread their attacks. They also use cryptomining to earn money from their victims’ computational power.

Cybersecurity researchers at Aqua Nautilus have discovered a new hacking campaign by Adept Libra (aka TeamTNT), targeting exposed Docker daemons to deploy Sliver malware, a cyber worm, and cryptominers. 

TeamTNT is a notorious hacking group known for aggressive and persistent attacks on cloud-native environments. The group is known for exploiting vulnerabilities in Docker daemons and Kubernetes clusters to deploy malware and hijack resources for cryptocurrency mining.

In a recent campaign, TeamTNT compromised a legitimate Docker Hub account (nmlm99) to host malicious software, uploading around 30 images divided into two categories: infrastructure and impact. The infrastructure images are used to spread malware, while the impact images focus on mining cryptocurrency or renting out computing power.

Attack flow and TeamTNT’s signature

TeamTNT is using Docker Gatling Gun, which scans a massive range of IP addresses (around 16.7 million) for vulnerabilities in Docker daemons running on specific ports (2375, 2376, 4243, and 4244). If a vulnerability is found, a container from a compromised TeamTNT Docker Hub account is deployed, running a minimal Alpine Linux operating system and executing a malicious script called “TDGGinit.sh”. This script likely sets the stage for further malicious activity on the compromised system.

“TeamTNT deploys among other a local search of keys and credentials, such as SSH, cloud metadata server calls etc. Once they gain access, they store and disseminate their malware through these accounts,” the report read.

To evade detection, TeamTNT employs the Sliver malware, a more advanced and stealthier tool compared to their previous tool, Tsunami. They also use familiar names like Chimaera and Bioset to blend in with legitimate processes. Additionally, they steal credentials and scan networks for further targets.

For command and control, TeamTNT relies on web servers, Docker Hub, and various communication protocols like DNS, mTLS, and potentially proxies. Ultimately, their goal is to hijack resources for cryptocurrency mining or sell access to the compromised systems.

To mine cryptocurrency, such as Monero, TeamTNT uses various mining software, including XMRig, T-Rex, CGMiner, BFGMiner, and SGMiner. They often optimize mining operations by targeting specific hardware and software configurations. 

This campaign shows TeamTNT’s ability to adapt and evolve, urging organizations to be alert and upgrade their cybersecurity. The group is highly skilled and motivated and is not afraid to take risks. To protect against TeamTNT risks, organizations must invest in strong security practices, including software updates and network infrastructure security.

1.  **Google Kubernetes Engine Flaws Could Allow Cluster Takeover**
2.  **OracleIV DDoS Botnet Malware Hits Docker Engine API Instances**
3.  **Malware Exploits 9Hits, Turns Docker Servers into Crypto Miners**
4.  **Linux Malware Alert: Spinning YARN Hits Docker, Other Key Apps**
5.  **Cryptomining, Malware Flourish on Exposed Kubernetes Clusters**

TeamTNT Exploits 16 Million IPs in Malware Attack on Docker Clusters

The infamous cryptojacking group known as TeamTNT appears to be readying for a new large-scale campaign targeting cloud-native environments for mining cryptocurrencies and renting out breached servers to third-parties.
"The group is currently targeting exposed Docker daemons to deploy Sliver malware, a cyber worm, and cryptominers, using compromised servers and Docker Hub as the infrastructure

Cloud Security / Cryptocurrency

The infamous cryptojacking group known as TeamTNT appears to be readying for a new large-scale campaign targeting cloud-native environments for mining cryptocurrencies and renting out breached servers to third-parties.

"The group is currently targeting exposed Docker daemons to deploy Sliver malware, a cyber worm, and cryptominers, using compromised servers and Docker Hub as the infrastructure to spread their malware," Assaf Morag, director of threat intelligence at cloud security firm Aqua, said in a report published Friday.

The attack activity is once again a testament to the threat actor's persistence and its ability to evolve its tactics and mounting multi-stage assaults with the goal of compromising Docker environments and enlisting them into a Docker Swarm.

Besides using Docker Hub to host and distribute their malicious payloads, TeamTNT has been observed offering the victims' computational power to other parties for illicit cryptocurrency mining, diversifying its monetization strategy.

Rumblings of the attack campaign emerged earlier this month when Datadog disclosed malicious attempts to corral infected Docker instances into a Docker Swarm, alluding it could be the work of TeamTNT, while also stopping short of making a formal attribution. But the full extent of the operation hasn't been clear, until now.

Morag told The Hacker News that Datadog "found the infrastructure in a very early stage" and that their discovery "forced the threat actor to change the campaign a bit."

The attacks entail identifying unauthenticated and exposed Docker API endpoints using masscan and ZGrab and using them for cryptominer deployment and selling the compromised infrastructure to others on a mining rental platform called Mining Rig Rentals, effectively offloading the job of having to manage them themselves, a sign of the maturation of the illicit business model.

Specifically, this is carried out by means of an attack script that scans for Docker daemons on ports 2375, 2376, 4243, and 4244 across nearly 16.7 million IP addresses. It subsequently deploys a container running an Alpine Linux image with malicious commands.

The image, retrieved from a compromised Docker Hub account ("nmlm99") under their control, also executes an initial shell script named the Docker Gatling Gun ("TDGGinit.sh") to launch post-exploitation activities.

One notable change observed by Aqua is the shift away from the Tsunami backdoor to the open-source Sliver command-and-control (C2) framework for remotely commandeering the infected servers.

"Additionally, TeamTNT continues to use their established naming conventions, such as Chimaera, TDGG, and bioset (for C2 operations), which reinforces the idea that this is a classic TeamTNT campaign," Morag said.

"In this campaign TeamTNT is also using anondns (AnonDNS or Anonymous DNS is a concept or service designed to provide anonymity and privacy when resolving DNS queries), in order to point to their web server."

The findings come as Trend Micro shed light on a new campaign that involved a targeted brute-force attack against an unnamed customer to deliver the Prometei crypto mining botnet.

"Prometei spreads in the system by exploiting vulnerabilities in Remote Desktop Protocol (RDP) and Server Message Block (SMB)," the company said, highlighting the threat actor's efforts on setting up persistence, evading security tools, and gaining deeper access to an organization's network through credential dumping and lateral movement.

"The affected machines connect to a mining pool server which can be used to mine cryptocurrencies (Monero) on compromised machines without the victim's knowledge."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Notorious Hacker Group TeamTNT Launches New Cloud Attacks for Crypto Mining

The Russian-language malware primarily enlists computers to mine Monero, but theoretically it can do worse.

Source: Artimages via Alamy Stock Photo

An 8-year-old modular botnet is still kicking, spreading a cryptojacker and Web shell on machines spread across multiple continents.

"Prometei" was first discovered in 2020, but later evidence suggested that it's been in the wild since at least 2016. In those intervening years it spread to more than 10,000 computers globally, in countries as diverse as Brazil, Indonesia, Turkey, and Germany, whose Federal Office for Information Security categorizes it as a medium-impact threat.

"Prometei's reach is global due to its focus on widely used software vulnerabilities," explains Callie Guenther, senior manager of cyber-threat research at Critical Start. "The botnet spreads through weak configurations and unpatched systems, targeting regions with inadequate cybersecurity practices. Botnets like Prometei typically do not discriminate by region but seek maximum impact by exploiting systemic weaknesses. \[In this case\], organizations using unpatched or poorly configured Exchange servers are particularly at risk."

Trend Micro details what a Prometei attack looks like: clunky in its initial infection but stealthy thereafter, capable of exploiting vulnerabilities in a variety of different services and systems, and focused on cryptojacking but capable of more.

**Loud Entry Into Unloved Systems**

Don't expect an initial Prometei infection to be terribly sophisticated.

The case Trend Micro observed began with a number of failed network login attempts from two IP addresses appearing to come from Cape Town, South Africa, which aligned closely with known Prometei infrastructure.

After its first successful login into a machine, the malware went to work testing out a variety of outdated vulnerabilities that might still be lingering in its target's environment. For example, it uses the half-decade old "BlueKeep" bug in the Remote Desktop Protocol (RDP) — rated a "critical" 9.8 out of 10 in the Common Vulnerability Scoring System — to try and achieve remote code execution (RCE). It uses the even older EternalBlue vulnerability to propagate via Server Message Block (SMB). On Windows systems, it tries the 3-year-old ProxyLogon arbitrary file write vulnerabilities CVE-2021-27065 and CVE-2021-26858, which have "high" 7.8 CVSS ratings.

Exploiting such old vulnerabilities could be read as lazy. In another light, it's an effective approach to weeding out better-equipped systems belonging to more active organizations.

"Prime targets are those systems that have not been or cannot be patched for some reason, which translates to them being either unmonitored or neglected from normal security processes," Mayuresh Dani, manager of security research at Qualys, points out. "The malware authors want to go after easy pickings, and in today's connected world, I consider this intelligent, as if they know that their targets will be plagued by multiple security issues."

**Prometei's Fire**

Once Prometei gets to where it wants to go, it has some neat tricks for achieving its ends. It uses a domain generation algorithm (DGA) to harden its command-and-control (C2) infrastructure, enabling it to continue operating even if victims try blocking one or more of its domains. It manipulates targeted systems to allow its traffic through firewalls, and runs itself automatically upon system reboots.

One particularly useful Prometei command evokes the WDigest authentication protocol, which stores passwords in plaintext in memory. WDigest is typically disabled in modern Windows systems, so Prometei forces those plaintext passwords, which it then dumps into a dynamic link library (DLL). Then, another Prometei command configures Windows Defender to ignore that particular DLL, allowing those passwords to be exfiltrated without raising any red flags.

The most obvious purpose of a Prometei infection appears to be cryptojacking — using infected machines to help mine the ultra-anonymous Monero cryptocurrency without their owners' knowing it. Beyond that, though, it downloads and configures an Apache Web server that serves as a persistent Web shell. The Web shell allows attackers to upload more malicious files and execute arbitrary commands.

As Stephen Hilt, senior threat researcher at Trend Micro, points out, botnet infections are often associated with other kinds of attacks as well.

"I always look at the cryptomining groups being a canary in the coal mine — it's an indicator that there's probably more going on in your system," he says. "If you look at our 2021 blog, there was LemonDuck, a ransomware group, and \[Prometei\] all within the same machines."

**Russia Links**

There is one specific part of the globe that Prometei does not touch.

The botnet's Tor-based C2 server is made to specifically avoid certain exit nodes in some former Soviet countries. To further ensure the safety of Russian-language targets, it possesses a credential-stealing component that deliberately avoids affecting any accounts labeled "Guest" or "Other user" in Russian.

Older variants of the malware contained bits of Russian-language settings and language code, and the name "Prometei" is a translation of "Prometheus" in various Slavic languages. In the famous myth, Zeus programs an eagle to attack Prometheus' liver every day, only for the liver to persist through reboots each night.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'Prometei' Botnet Spreads Its Cryptojacker Worldwide

A hacker leaked the personal data of 180,000 Esport North Africa users just before the tournament. While no…

A hacker leaked the personal data of 180,000 Esport North Africa users just before the tournament. While no financial details were exposed, users are advised to change passwords and stay alert for phishing attacks.

The hacker, known as “Shooked,” leaked the personal details of over 180,000 Esport North Africa (ESNA) users just one day before the tournament is set to begin in Morocco. The 3 GB data dump, which Shooked claims is the “full database,” was released on **Breach Forums** on the morning of Wednesday, October 23, 2024. The ESNA tournament is scheduled to start on Thursday, October 24th.

Screenshot from the targeted site

For context, Esport North Africa (ESNA – Electronic Sports North Africa) is a platform designed to promote competitive gaming and esports development across the North African region. It organizes tournaments in popular games such as FC25, Free Fire, Street Fighter 6, and other competitive titles, providing opportunities for gamers to showcase their skills.

The leaked data was analyzed by the Hackread.com research team and contains over 9 million lines. However, after the removal of duplicate entries, the total number of unique user records stands at 180,000. This data includes the following information:

*   **User ID**
*   **Country**
*   **Usernames**
*   **IP addresses**
*   **Timestamp**
*   **Session ID**
*   **WordPress URLs**
*   **Email addresses (179,224)**

and other details…

Hacker on Breach Forum and sample data (Screenshot: Hackread.com)

While the leaked data does not include passwords or financial details, the breach appears legitimate. However, final confirmation is pending a response from the organization, which Hackread.com has reached out to for comment.

Cyberattacks on gaming companies and gamers are not new, as they are often lucrative targets for criminals. Last year, Akamai’s research revealed how hackers used **the Dark Frost Botnet** to target gaming companies and players, compromising devices to execute DDoS attacks.

If you have an account on ESNA (ESNA.GG), it’s recommended to change your password as a precaution. Additionally, be cautious of potential phishing emails from cybercriminals posing as Esport North Africa representatives, attempting to **exploit the breach**.

**RELATED ARTICLES**

1.  **Online gaming and protection against cyber attacks**
2.  **RapperBot malware hits gaming servers with DDoS attacks**
3.  **Gaming Giant Activision Employees Hit by SMS Phishing Attack**
4.  **Gaming controllers manufacturer exposed 1.1M customer records**
5.  **How data collected in gaming can be used to breach user privacy**

Tag

#botnet