Proxy and anonymization networks have been dominating the headlines, this piece discusses its origins and evolution on the threat landscape with specific focus on state sponsored abuse.

Thursday, December 12, 2024 06:00

As long as we've had the internet, users have tried to obfuscate how and what they are connecting to. In some cases, this is to work around restrictions put in place by governments or a desire to access content that is not otherwise available in a given region.

This is why technologies like VPNs and The Onion Router (TOR) become popular: They allow users to easily access content without exposing their IP address or location. These technologies are intended to protect users and information and have done a good job of doing so. However, adversaries have taken notice and are using proxy networks for malicious activities.

**Proxy Chain Services**

It is important to distinguish the different proxy chain services, as there are legitimate reasons for some of them to exist. From a privacy/defender point-of-view, they can be split into the following groups:

*   **VPN and TOR:** These services provide the user anonymity, but the defender can, for the most part, determine that it's receiving requests from these networks. As such, there is no expectation that the origin of the connection is the exact same as the user’s physical location. The user has no control of the path or exit node location. 
*   **Commercial residential services:** These provide anonymity to users, while at the same time allowing them to choose the exit point. These services do not provide any clues to the defender about the nature of the connection. 
*   **Malicious proxy services:** Threat actors use these networks to hide their location and choose their exit node. These are set up to be used by malicious operators from multiple sources. They can take two shapes: The nodes are installed on leased servers from different providers in different regions, or their nodes can be compromised edge devices that bounce connections in chains.

The first group has a clear legitimate use case, and the second has been advertised as a means to measure marketing engagement. However, threat actors can also use them without the bandwidth owner understanding what is at risk. The third case is clear: The networks are built to be rented for distributed denial-of-service (DDoS) attacks or access to be sold so other actors can anonymize their activities.

**History**

Leveraging proxy networks for malicious purposes was something we first stumbled on with our research into Honeygain. This was one of the first times we saw technologies like proxyware being abused maliciously. 

Proxyware is a type of technology that uses agents installed by users to act as proxies for other users. The users installing these agents are typically compensated for adding their node to the proxy network. Criminals stumbled upon this quickly and began to weaponize and monetize it, allowing them to benefit from the anonymity these technologies provide since it traces back to a random computer in a random location. At the time, the focus was purely criminal in nature, but state-sponsored groups have been leveraging TOR and VPNs for decades to launch their attacks, typically dropping out of a VPN near the target.

State-sponsored groups also realize that TOR and VPNs have limitations and could potentially expose their operations, so they needed something more opaque and less traceable. Enter VPNFilter.

VPNFilter was the first large-scale proxy network leveraged by state-sponsored actors, in this case Russia. This completely changed how proxy networks were operated and would set the tradecraft for state-sponsored proxy networks for the next several years. The most unique aspect of VPNFilter was the targeting: small office and home office (SOHO) routers. 

The network was made up of SOHO routers that were being compromised with malicious firmware providing a variety of capabilities, including interception and proxy capabilities. 

This was also a fairly significant botnet, consisting of some 500,000 devices that created a massive network from which to launch attacks without repercussions. Fortunately, we worked with affected vendors, and they resolved many of the issues that were being exploited, both vulnerability and otherwise. 

This wasn't the last time we saw Russian-aligned actors leveraging these types of botnets. A few years later, Cyclops Blink was uncovered. Another Russian actor controlled a proxy network that again primarily consisted of consumer devices. 

The targeting of consumer devices for this type of activity has become the focus of state-sponsored groups’ foray into this space. They also make excellent targets, since many users leave default configurations in place and rarely think to update their devices. Fortunately, post-VPNFilter, many vendors have switched to automatic updates, allowing for more frequent patching. This has resulted in state-sponsored groups widening their targeting. 

Today, we see not just SOHO routers, but also NAS and a variety of IoT devices being targeted and added to these networks. This problem has just gotten worse in the past several years.

**State of the Art**

As recently as September, the FBI took down a botnet associated with Chinese hacking activities. This was just the latest in a spate of attacks originating from proxy networks. This activity has been largely associated with Volt Typhoon by the U.S. Government, with a broader attribution of China-linked activities in the recent FBI takedown.

Currently, there are several proxy-based networks, with a focus on SOHO devices (e.g., routers, NAS, etc.) and a variety of IoT components (e.g., security cameras) being compromised and added to a botnet that, in some ways, mirrors Mirai botnet activities. 

The basic operating model for these botnets is that they are peer-to-peer, meaning there is no discernable routing. This model provides a sophisticated network of devices to obfuscate the true origin of an attack, and in many circumstances, allows the attacker to appear in close proximity to the victim, including coming from geographically adjacent residential networks. 

The attacks originating from these networks have been tied to espionage and the targeting of critical infrastructure in the U.S. and globally. Most countries are concerned with this escalation, and it has the attention of the majority of vendors in this space. 

These networks have also grown with staggering efficiency, with new nodes being added constantly as other nodes fall off and need to be compromised again. Based on reporting, the majority of these infections are using N-Day vulnerabilities or weak credentials to gain access, something we've seen repeatedly out of botnets like Mirai for the last decade. The major difference is that Mirai is used to conduct DDoS attacks, and the new iterations are being used to launch state-sponsored attacks with anonymity.

**Network Resiliency Coalition**

The repeated use of N-Day vulnerabilities and weak credentials ties into the work that Cisco has been doing for some time related to old and outdated networking equipment and the risks they introduce. The Network Resiliency Coalition is one of the projects aimed at trying to resolve this difficult problem. Anonymization networks' reliance on networking equipment, specifically exploiting known vulnerabilities, adds more weight to the importance of this effort. By working with industry peers, Cisco is trying to help remove many of the systems that are being abused in these attacks by working with vendors to ensure proper patching is provided to mitigate these known vulnerabilities, in a timely manner.  

More projects like this that encompass the IoT industry and the non-edge SOHO appliances like NAS devices would also have a contribution to the fight against anonymization networks. This combined with better credential management, most notably ensuring that default credentials are complex and unique, could make a huge impact on how successful these networks are in continuing to grow. Vendors are working to try and resolve some of these weaknesses, but it also is paramount for defenders to take note.

**Impact on Defenders**

This continued focus by state-sponsored groups to leverage these networks presents problems for defenders. Attacks from these groups are likely to be coming from residential networks, potentially even from residential networks in the same cities and countries as your organization operates, making identification and attribution increasingly difficult. 

Organizations need to realize that attacks can come from anywhere, even the same IP space that your employees connect to their VPNs, so plan accordingly. 

This is further complicated by the increased focus by state-sponsored groups on the use of legitimate credentials. If you have a connection coming from the same IP space as your employees, using legitimate credentials organizations have little hope to stop it. This is where the increased focus on identity comes into play — organizations need to start taking additional steps to be able to distinguish between the illegitimate and legitimate use of credentials, and that ties back to behavior. 

Increasingly, organizations should be looking at users’ behavior when it comes to connections.

*   Are they using their typical device type? (e.g., Windows desktop/MacOS laptop)
*   Are they logging on during their typical hours? (e.g., 9-5 M-F)
*   Are there other managed devices in proximity?
*   Are they using their managed device?

This last point is a critical one. For organizations particularly concerned with credential abuse, managed device access restriction may be the best option. 

This ensures that only managed devices can connect to corporate VPNs through technologies like certificates. 

The downside to this approach is that it's expensive, and for many organizations not practical, but for those with the budgets and the concern, it's a needed escalation beyond just multi-factor authentication (MFA). 

You may have noticed we haven’t mentioned MFA until now. But that’s because in 2024, it's assumed you've already rolled out MFA for medium to large enterprises. It is no longer an optional security feature. 

Defenders need to adjust for the state-sponsored threats they will be facing in 2024 and beyond. This means adding more identity capabilities in the near term and looking at additional security protections like managed device-only access in the future.

The evolution and abuse of proxy networks

SUMMARY Cybersecurity researchers at Oasis Security have identified a vulnerability in Microsoft’s Multi-Factor Authentication (MFA), known as AuthQuake,…

****SUMMARY****

*   **Dubbed AuthQuake; the flaw in Microsoft MFA allowed attackers to bypass security measures and access accounts.**

*   **Vulnerability impacted Azure, Office 365, and other Microsoft services with over 400 million users at risk.**

*   **Exploit leveraged the lack of rate limiting and extended validity of TOTP codes for login sessions.**

*   **Attackers could bypass MFA in under 70 minutes with a 50% success rate without user interaction.**

*   **Microsoft patched the flaw permanently on October 9, 2024, with stricter rate-limiting mechanisms.**

Cybersecurity researchers at Oasis Security have identified a vulnerability in Microsoft’s Multi-Factor Authentication (MFA), known as AuthQuake, which allows attackers to bypass security measures and gain unauthorized access to user accounts. 

With over 400 million paid Office 365 subscriptions, the vulnerability could be a highly lucrative opportunity for cyber criminals to steal sensitive information such as emails, files, and communications across Microsoft’s platforms like Outlook, OneDrive, Teams, Azure, etc.

****Exploiting Rate Limit and Time-Based One-Time Password (TOTP)****

The exploit takes advantage of two key weaknesses in the MFA setup: Lack of Rate Limiting and Extended Timeframe for TOTP Codes. When users log in, they’re assigned a session ID and asked to verify their identity using a Time-Based One-Time Password (TOTP) from an authenticator app. The problem is that the system permits up to 10 failed login attempts per session without notifying the user or triggering any alerts.

The lack of rate limiting allows attackers to quickly create new login sessions and trial multiple TOTP codes, which are essentially six-digit numbers. Given that there are a million possible combinations for these codes, an attacker could theoretically exhaust all options without encountering any security measures.

On the other hand, TOTP codes are typically valid for only 30 seconds, the testing conducted by Oasis revealed that the system allowed codes to remain valid for up to 3 minutes. This extended time frame significantly increases the chances of success for an attacker attempting to guess the correct code.

****Result?****

According to Oasis Security’s **blog post** shared with Hackread.com ahead of its publishing on Wednesday, December 11, researchers concluded that attackers could bypass MFA in under 70 minutes with a 50% success rate, all without any user interaction or alerts. Here’s a demonstration the researchers created while testing the exploit themselves:

****Microsoft’s Response****

Oasis Security reported the incident to **Microsoft**. The tech giant was quick to respond and implemented a permanent fix on October 9, 2024, after a temporary fix was deployed on July 4, 2024. The fix involved introducing stricter rate limits that activate after a number of failed attempts, lasting for about half a day.

**Jason Soroko**, Senior Fellow at Sectigo, emphasizes the broader implications of this discovery stating, _“_AuthQuake highlights significant flaws in Microsoft’s MFA implementation. It’s a wake-up call for organizations to adopt patches and reconsider their reliance on outdated MFA solutions. The move towards passwordless authentication is not just a trend but a necessity for future-proofing our security measures._“_

****Lesson for Users and Companies****

While the specific flaw has been patched, organizations should inform employees about the importance of cybersecurity and encourage them to report any suspicious login attempts. Moreover, despite the recent issues, MFA remains a critical security measure therefore, use authenticator apps or explore stronger **passwordless methods** for added protection.

1.  **Microsoft Bookings Flaw Enables Account Hijacking**
2.  **Mirai botnet exploiting Azure OMIGOD vulnerabilities**
3.  **Hackers Use Excel Files to Deliver Remcos RAT Variant**
4.  **Azure AI Flaws Lets Attacks Bypass Moderation Safeguards**
5.  **Microsoft Azure Exploited to Create Undetectable Cryptominer**

AuthQuake Flaw Allowed MFA Bypass Across Azure, Office 365 Accounts

SUMMARY Cybersecurity researchers at Deep Instinct have uncovered a novel and powerful Distributed Component Object Model (DCOM) based…

****SUMMARY****

*   **The new DCOM attack leverages Windows Installer service for stealthy backdoor deployment.**

*   **Attack exploits the IMsiServer interface for remote code execution and persistence.**

*   **Malicious DLLs are remotely written, loaded, and executed to compromise systems.**

*   **It requires the attacker and victim to be within the same domain, limiting the scope.**

*   **Consistent DCOM hardening patches can mitigate attack effectiveness.**

Cybersecurity researchers at Deep Instinct have uncovered a novel and powerful Distributed Component Object Model (DCOM) based lateral movement attack method that enables attackers to stealthily deploy backdoors on target Windows systems.

The attack exploits the Windows Installer service to remotely write custom DLLs, load them into an active service, and execute them with arbitrary parameters. For context, a DLL (Dynamic Link Library) is a Windows file that contains code, data, and resources shared by multiple programs.

The attack, detailed in Deep Instinct’s technical blog and shared with Hackread.com, exploits the IMsiServer COM interface. By reversing its internals, attackers can manipulate its functions to achieve remote code execution, bypass traditional security controls and establish persistent footholds on compromised systems.

For your information, DCOM Lateral Movement is a technique used to move sideways within a network by exploiting vulnerabilities in DCOM, which allows communication between programs on different computers.

On the other hand, Computer Objects (COM) are compiled code that provides services to the system, based on interfaces implemented by its class defined by a globally unique Class ID (CLSID) and accessed remotely with a globally unique identifier (GUID) – AppID. All communication among COM components occurs through interfaces.

The technique involves identifying the vulnerable Windows Installer service, exploiting its COM interface, crafting a malicious DLL containing malicious code, writing the DLL remotely, loading the DLL into a running service process, and executing the code. The attacker gains control over the service, manipulating its functions to remotely interact with it.

The malicious DLL is then loaded into the Windows Installer service, allowing the attacker to execute its code, and granting them remote access to the system. This method is particularly effective against Windows Installer due to its broad system privileges and network accessibility.

The DCOM Upload & Execute attack is powerful but has limitations, researchers noted in the technical blog post. It requires both attacker and victim machines to be within the same domain, restricting its applicability to specific organizational boundaries.

Consistent DCOM Hardening patch statuses can reduce the attack’s effectiveness in environments with varying patch levels. Apart from that, the uploaded payload must be a strongly named .NET assembly and must be compatible with the target machine’s architecture, either x86 or x64, which adds complexity to the attack process.

COM interfaces and tables (Credit: Deep Instinct)

Deep Instinct research discusses IDispatch, a fundamental COM interface that enables scripting languages and higher-level languages to interact with COM objects. However, it is not directly involved in the DCOM Upload & Execute attack due to the IMsiServer interface not implementing IDispatch.

This means that traditional scripting languages like PowerShell cannot directly interact with it using standard techniques. Researchers used lower-level techniques to manipulate the IMsiServer interface and achieve remote code execution by directly calling the interface’s methods and passing necessary parameters.

1.  Voice assistant devices manipulated with ultrasonic waves
2.  Hackers can Downgrade Windows to Exploit Patched Flaws
3.  Electromagnetic Waves Steal Data from Air-Gapped Systems
4.  ‘Matrix’ Hackers Deploy Massive IoT Botnet for DDoS Attacks
5.  Hackers Can Steal Data from Air-Gapped PCs via SATA Cables

New DCOM Attack Exploits Windows Installer for Backdoor Access

A malicious botnet called Socks5Systemz is powering a proxy service called PROXY.AM, according to new findings from Bitsight.
"Proxy malware and services enable other types of criminal activity adding uncontrolled layers of anonymity to the threat actors, so they can perform all kinds of malicious activity using chains of victim systems," the company's security research team said in an analysis

Socks5Systemz Botnet Powers Illegal Proxy Service with 85,000+ Hacked Devices

DroidBot, a sophisticated Android RAT, is targeting individuals and financial institutions across Europe.

****KEY POINTS****

*   **DroidBot Discovery**: A new Android spyware, DroidBot, was identified in mid-2024, operating as Malware-as-a-Service (MaaS).

*   **Targets and Tactics**: It targets financial institutions and users by disguising itself as security or banking apps and exploiting Android Accessibility Services.

*   **Capabilities**: DroidBot can intercept messages, log keystrokes, capture screenshots, and remotely control devices.

*   **Affiliate Network**: Used by 17 affiliate groups, it has attacked 77 targets across Europe, with expansion likely.

*   **Prevention Tips**: Avoid unknown apps, update devices, and use reliable antivirus tools.

A recent discovery by Cleafy Labs has shed light on a new Android spyware threat dubbed DroidBot, identified in mid-2024 and operates on the MaaS (Malware-as-a-Service) operation model.

Similar to the legitimate Software-as-a-Service (SaaS) model, malware developers rent access to the malware in the MaaS model, making it easier for cybercriminals to launch attacks without requiring advanced technical expertise.

Spyware advert on a Russian forum (Credit: Cleafy Labs)

According to Cleafy Labs’ investigation, DroidBot is a sophisticated Android Remote Access Trojan (RAT) targeting financial institutions and individuals across Europe. This spyware is believed to have been developed by a Turkish-speaking group and leverages advanced techniques to steal sensitive information and control infected devices.

Research revealed that DroidBot is designed to target a wide range of victims, including banking customers, cryptocurrency exchange users, and government employees. It employs various tactics to compromise devices, such as disguising itself “as generic security applications, Google services, or popular banking apps,” and exploiting the Android Accessibility Services for its malicious activities.

After infecting your device, DroidBot can intercept SMS messages, log keystrokes, and capture screenshots of the device’s screen. It can also remotely control the device, allowing attackers to make calls, send messages, and access sensitive data.

This spyware offers a combination of hidden VNC and overlay capabilities with spyware-like features. It includes a keylogger and monitoring routines, enabling user interception, making it a potent tool for surveillance and credential theft.

Additionally, DroidBot’s dual-channel communication mechanism allows for outbound data transmission using the MQTT protocol, which was also used by Copybara and BRATA/AmexTroll banking trojans, and inbound commands over HTTPS, enhancing its operational flexibility and resilience.

The most concerning aspect of DroidBot is that it operates on the MaaS model with 17 distinct affiliate groups identified each using a unique identifier. This allows cybercriminals to rent access to the malware, making it easier for them to launch attacks without requiring advanced technical expertise.

“At the time of analysis, 77 distinct targets have been identified, including banking institutions, cryptocurrency exchanges, and national organisations, underscoring its potential for widespread impact,” researchers noted in the blog post.

DroidBot is currently in active development, with some functions like root checks being placeholders and features varying between samples. Despite these inconsistencies, the malware has demonstrated potential, targeting users in the UK, Italy, France, Spain, Turkey, and Portugal, and a probable expansion into Latin American regions.

“Within the code, we can see that this information is customised for 4 main languages: **English**, **Italian**, **Spanish**, and **Turkish**,” Cleafy Labs revealed.

To protect yourself from DroidBot and similar threats, be cautious when downloading apps from unknown sources, keep your devices updated with the latest security patches and use reliable antivirus software.

1.  **First Mobile Crypto Drainer on Google Play Steals $70K**
2.  **Spyware Found in Google Play Store Apps, 2m Downloads**
3.  **Google Removes Swing VPN App Exposed as DDoS Botnet**
4.  **Malware infected Minecraft modpacks hit Google Play Store**
5.  **These 8 Apps on Play Store Contain Android/FakeApp Trojan**
6.  **35 malicious apps found on Google Play, installed by 2m users**

New DroidBot Android Spyware Targeting Banking and Crypto Users

The vulnerability was first identified in 2014.

****SUMMARY:****

*   **Critical Patch Alert:** Cisco ASA users must urgently address a 10-year-old WebVPN vulnerability (CVE-2014-2120) that attackers are now actively exploiting.

*   **XSS Risk Identified:** The flaw allows unauthenticated attackers to perform cross-site scripting (XSS) attacks via malicious links, potentially compromising sensitive data and injecting malware.

*   **Active Exploitation:** Recent reports highlight that malware like AndroxGh0st is leveraging CVE-2014-2120, prompting Cisco to update its advisory in November 2024.

*   **Government Action Required:** CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalogue, mandating federal agencies to patch it by December 3, 2024.

*   **No Workaround Available:** Upgrading the Cisco ASA software to a patched version is the only solution—reach out to Cisco support or service providers to secure your network.

If you are using a Cisco Adaptive Security Appliance (ASA) for your network security, it is time to patch a critical vulnerability that’s been around, surprisingly, for ten years.

Cisco recently updated an advisory about a security flaw in the WebVPN login page of their ASA software, which can allow an unauthenticated, remote attacker to execute a cross-site scripting (XSS) attack on anyone using WebVPN on the Cisco ASA.

This vulnerability, tracked as CVE-2014-2120, is a medium-severity vulnerability caused due to insufficient input validation of a parameter, which could be exploited by convincing a user to access a malicious link. Clicking this link can force them into giving away sensitive information, hijacking browsing sessions, or even injecting malware. 

The vulnerability itself isn’t new – Cisco originally issued a warning back in March 2014. However, the company’s recent update highlights a concerning development: attackers are actively trying to exploit this decade-old bug. 

In November 2024, the Cisco Product Security Incident Response Team (PSIRT) identified this emerging pattern of new exploitation attempts. This coincides with a report from security firm CloudSEK, which revealed that malware called AndroxGh0st is using CVE-2014-2120 (among others) to spread.

It is worth noting that CISA added CVE-2014-2120 to its KEV (Known Exploited Vulnerabilities) catalogue on November 12, requiring government agencies to address it by December 3, 2024.

The re-exploitation of this flaw shows the need for timely software updates and security patches. Unfortunately, there’s no quick fix or workaround for this vulnerability. Your only protection is to upgrade your Cisco ASA software to a version that includes a patch. Don’t wait – contact your Cisco support channel and get the update process rolling. Upgrading is crucial to ensure your network remains secure. 

Customers with Cisco products that are provided or maintained through agreements with third-party support organizations like Cisco Partner/resellers/service providers should consult their service providers to identify the best workaround or fix for their networks before deployment.

Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM) weighed in on the situation stating, _“_These attacks highlight how technical debt and low cybersecurity maturity can compound risk. Many organizations struggle with basic cybersecurity capabilities, leaving them vulnerable to both historical and emerging threats._“_

_“_If adversaries can exploit older flaws, they will. Addressing the risks associated with legacy systems is imperative, however, it demands investments that many organizations lack the resources to make,_”_ Jason explained.

1.  **Decade Old Software Bug Sets 3000 US Prisoners Free**
2.  **Goldoon Botnet Exploits 9-Year-Old Flaw on D-Link Devices**
3.  **7-Year-Old Pre-Installed Google Pixel App Flaw Risks Millions**
4.  **Intel Broker Cisco Breach: Selling Stolen Data from Major Firms**
5.  **Cisco Web UI Flaw Exploited Massly, Impacting Over 40K Devices  
    **

Cisco Urges Immediate Patch for Decade-Old WebVPN Vulnerability

Mikhail Pavlovich Matveev (aka Wazawaka) has been wanted by the FBI since 2023.

****SUMMARY****

*   **FBI-Wanted Hacker Arrested**: Russian authorities have reportedly detained Mikhail Pavlovich Matveev, known by aliases like Wazawaka and Boriselcin.

*   **Cybercrime Connections**: Matveev is linked to major ransomware groups such as Hive, LockBit, and Babuk, responsible for high-profile attacks on critical infrastructure and government agencies.

*   **Significant Ransom Demand**: The Department of Justice alleges Matveev extorted at least $75 million in ransom payments from global victims.

*   **Notable Attacks**: He is suspected of involvement in the 2021 Babuk attack on Washington D.C.’s police and a 2022 Hive attack on a New Jersey healthcare NGO.

*   **Potential Global Impact**: His arrest could disrupt several ransomware groups, but extradition to the U.S. remains uncertain due to geopolitical tensions.

Mikhail Pavlovich Matveev, known by his online aliases Wazawaka, Uhodiransomwar, m1x, and Boriselcin, is believed to have been arrested in Russia, which could be a potential turning point in the fight against cybercrime since the hacker is wanted by the FBI (Federal Bureau of Investigation).

Matveev is a big deal in the dark web underworld. He’s been linked to some of the most damaging ransomware attacks in recent years that have targeted critical infrastructure, government agencies, and businesses worldwide. His alleged involvement with groups like Hive, LockBit, and Babuk has made him a powerful cybersecurity threat worldwide.

Reports suggest that he was involved in a lockout attack on the Washington D.C. Metropolitan Police Department from Babuk in April 2021 and a ransomware attack from Hive, targeting a healthcare NGO in New Jersey in 2022.

It is worth noting that in early 2023, the Hive ransomware gang was disrupted by the FBI, Europol, German, and Dutch agencies, seizing their dark web website, The Hive Leak site, preventing the gang from attacking and extorting victims

Also, in 2022, LockBit infected the computer systems of 1,400 victims, including a Holiday Inn hotel in Turkey, likely involving Matveev. The Department of Justice (DoJ) suspects he extracted at least $75 million in ransom payments.

Investigators allege that in January, the accused developed specialized malicious software to encrypt files and data without user consent, intending to use it to encrypt data of commercial organizations and receive ransoms for decryption.

The US government has been on the hunt for Matveev, offering a $10 million reward for information leading to his arrest. The DoJ had previously filed criminal charges against him, accusing him of launching attacks on US law enforcement and healthcare organizations.

While Russian authorities have not officially confirmed the arrest, Russian state news agency PИA Hoвocти reported that the Kaliningrad Interior Ministry and Russian prosecutors have sent a case against “a programmer accused of creating a malicious program to court,” with an anonymous source confirming Matveev as the detained programmer. The charges against him include creating malicious software designed to encrypt files and data, with the intent of extorting ransom payments from victims.

The arrest of Matveev, if confirmed, could have significant implications. It could potentially disrupt the activities of several ransomware groups and deter future attacks. However, the question of whether the US will be able to extradite him remains uncertain, given the complex geopolitical tensions between the two countries.

1.  Russia ”neutralizes” REvil ransomware gang, arrests 14
2.  Infraud Organization Group Members Arrested by Russian
3.  50 hackers Who Stole $25M Arrested by Russian Authorities
4.  Russian Authorities Arrest Nine for Stealing $17M from Banks
5.  FBI Kills Kelihos Botnet Amid Russian Hacker’s Arrest in Spain

FBI-Wanted Hacker Behind Global Ransomware Attacks Arrested in Russia

Check Point Research has discovered cybercriminals exploiting the popular Godot Game Engine to deliver malicious software. Discover the techniques used by attackers and how to protect yourself from these threats.

****SUMMARY****

*   **Cybercriminals are exploiting the Godot game engine to deliver malware called GodLoader, targeting multiple platforms like Windows, macOS, and Linux.**

*   **GodLoader hides malicious code in game files, bypassing antivirus detection and compromising over 17,000 devices since June 2024.**

*   **The malware uses sandbox evasion, Microsoft Defender exclusions, and GitHub-hosted repositories to distribute attacks.**

*   **GodLoader’s payloads include RedLine Stealer and cryptocurrency miners, affecting 1.2 million Godot game users.**

*   **The Godot team advises downloading software from trusted sources and avoiding cracked files to stay safe.**

Check Point Research (CPR) has published its latest research on a novel multi-platform technique employed by cybercriminals to exploit the popular open-source game engine, Godot to deliver a newly discovered malicious payload dubbed GodLoader after bypassing traditional security measures.

The concerning aspect is GodLoader’s cross-platform functionality, making it effective on macOS, Windows, Linux, iOS, and Android. Although designed to target Windows, it can be used on Linux and macOS with minimal adjustments.  The malware is, reportedly, distributed via the Stargazers Ghost Network on GitHub, using over 200 repositories and 225 accounts between September and October 2024. 

“The threat actor behind this malware has been utilizing it since June 29, 2024, infecting over 17,000 machines,” and an attack can put 1.2 million users of Godot-developed games at risk, researchers noted in the blog post.

According to CPR’s research, cybercriminals exploit the flexibility of Godot’s scripting language, GDScript and embed malicious code within game assets, executing it when the game is launched. This is a stealthy approach, which enables attackers to bypass antivirus detection and compromise systems without raising alarms.

Further probing revealed that it uses sandbox and virtual machine detection, as well as Microsoft Defender exclusions, to avoid detection. The malware was hosted on Bitbucket.org and distributed across four attack waves, with initial payloads including RedLine Stealer and XMRig cryptocurrency miners.

For your information, Godot is a powerful tool for game development that allows developers to bundle game assets and scripts into .pck files, which contain the game’s resources, including images, sounds, and scripts. By injecting malicious GDScript code into these .pck files, attackers can trick the game engine into executing harmful commands.

As soon as the game loads the infected .pck file, the hidden script springs into action, downloading and deploying additional malware payloads onto the victim’s device.

The attack flow (Via CPR)

****Godot Engine’s Statement****

The Godot Engine development team, in response, has issued a statement, explaining that GodLoader doesn’t exploit a specific weakness in Godot itself because like any programming language (e.g. Python or Ruby) Godot also allows the creation of both good and bad programs. Though the malware exploits Godot’s scripting language (GDScript) to deliver its payload, this doesn’t make Godot inherently unsafe.

The team also noted that it isn’t a one-click exploit because the GodLoader malware tricks users into downloading/executing a seemingly harmless file (typically a .pck file disguised as a software crack). This file wouldn’t work on its own and the attackers also must provide the Godot runtime (.exe file) separately to make it successful. This means users have to take multiple steps to install the malware, making it less likely to be a one-click exploit.

Nonetheless, team Godot emphasizes the importance of good security habits and downloading from trusted sources like official websites, established distribution platforms, or trusted individuals. Windows and macOS users should check for signed executables and notarization by a trusted party and avoid using cracked software as it is a common target for malicious actors.

1.  **Gcore Thwarts 500M PPS DDoS Attack on Gaming Firm**
2.  **What is Blockchain Gaming and its Play-to-Earn Model?**
3.  **Exploring Data Privacy and Security in B2B Gaming Data**
4.  **Winos4.0 Malware Hits Windows via Fake Gaming Apps**
5.  **Gaming Firms, Community Members Hit by Dark Frost Botnet**

Godot Engine Exploited to Spread Malware on Windows, macOS, Linux

Qualified applicants must be able to test ransomware encryption and find bugs that might enable defenders to jailbreak the malware.

Source: TippaPatt via Shutterstock

Businesses are not the only organizations looking for skilled cybersecurity professionals; cybercriminals are also advertising for individuals capable of creating dark AI models and penetration-testing products — that is, ransomware — to reduce the chance of defenders finding ways to circumvent the scheme.

In advertisements on Telegram chats and forums — such as the Russian Anonymous Marketplace, or RAMP — ransomware affiliate groups and initial access providers are seeking cybersecurity professionals to help find and close holes in their malware and other attack tools, security firm Cato Networks stated in its "Q3 SASE Threat Report." In the past, the firm's threat researchers have noted advertisements seeking developers capable of creating a malicious version of ChatGPT.

The search for more technical talent highlights the recent success of law enforcement and private companies in taking down botnets and helping defenders recover their data, says Etay Maor, chief security strategist at Cato Networks.

"They definitely want to make sure that all the effort they're putting into their software is not going to be turned over when somebody finds a vulnerability," he says. "They're really stepping up their game in terms of approaching software development, making it closer to what an enterprise would do than what is typically seen today from other development groups."

The search for better software security is the latest sign of technical evolution among cybercriminal groups. In Southeast Asia, cybercriminal syndicates have grown from illegal gambling and drug cartels into enterprises that rake in more than $27 billion a year, fueling improvements in money laundering, technical development, and forced labor.

**Penetration Testing Just the Latest**

As cybercriminal groups grow, specialization is a necessity. In fact, as cybercriminal gangs grow, their business structures increasingly resemble a corporation, with full-time staff, software development groups, and finance teams. By creating more structure around roles, cybercriminals can boost economies of scale and increase profits.

Currently, the top ransomware groups are LockBit, RansomHub, PLAY, Hunters International, and Akira — all likely using more structured roles and cybercriminal services to operate efficiently, according to a 2024 review of the top ransomware groups by threat intelligence firm Recorded Future, now part of Mastercard International.

"These emerging groups and platforms bring new and interesting ways to attack so organizations need to be on their toes and adjust their cybersecurity accordingly," the company stated in a blog post. "As they evolve, understanding their modus operandi and targets will be key to mitigating the impact."

New cybercriminals groups are always appearing, and that also means new opportunities for skilled cybercriminals. The first half of 2024 saw 21 new ransomware groups appear in underground forums, although many of those new groups are likely rebranded versions of previous groups that had splintered. Overall, 68 groups posted more than 2,600 claimed breaches to leak sites in the first six months of the year, a 23% increase over the same period in 2023, according to cybersecurity firm Rapid7.

Most malware and tools created by the groups use C or C++ — the programming language used in 58 samples — but the use of more modern, memory-safe languages is growing, with Rust used in 10 samples and Go used in six samples, according to a report released by Rapid7, which noted "the complexity of the ransomware business model, with groups coming and going, extortion tactics intensifying, builders and code 'leaking' — and all the while, the overall scope of the threat only expanding."

**More Aggressive Defense**

Finally, some groups required specialization in roles based on geographical need — one of the earliest forms of contract work for cybercriminals is for those who can physically move cash, a way to break the paper trail. "Of course, there's recruitment for roles across the entire attack life cycle," Maor says. "When you're talking about financial fraud, mule recruitment ... has always been a key part of the business, and of course, development of the software, of malware, and end of services."

Cybercriminals' concerns over software security boil down to self-preservation. In the first half of 2024, law enforcement agencies in the US, Australia, and the UK — among other nations — arrested prominent members of several groups, including the ALPHV/BlackCat ransomware group and seized control of BreachForums. The FBI was able to offer a decryption tool for victims of the BlackCat group — another reason why ransomware groups want to shore up their security.

Current geopolitical disruptions, which can lead to highly skilled people unemployed, are making it more likely that cybercriminals groups will be able to convince legitimate cybersecurity professionals to take a risk and do illegal work, Cato Networks' Maor says.

"There's people ... losing jobs in Eastern Europe because of the current war situation, so unfortunately you see that in the underground forums, where you have smart people there, who — at the end of the day — need to put food on the table," he says. "If that means they have to resort to jobs that are not necessarily super legal, if that's what they need to do to pay the bills, then they'll pop up on these forums and be like, 'Hey, I worked for this company. I have this knowledge ... and I can offer access.'"

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Ransomware Gangs Seek Pen Testers to Boost Quality

Over the past year, "Matrix" has used publicly available malware tools and exploit scripts to target weakly secured IoT devices — and enterprise servers.

Source: Kundra via Shutterstock

A Russian script kiddie using little more than publicly available malware tools and exploits targeting weak credentials and configurations has assembled a distributed denial-of-service (DDoS) botnet capable of disruption on a global scale.

In assembling the botnet, the attacker has targeted not just vulnerable Internet-of-Things (IoT) devices, as is the common practice these days, but also enterprise development and production servers, significantly increasing its potential for widespread disruption.

**Matrix Unleashed**

The attacker, whom researchers at Aqua Nautilus are tracking as "Matrix" after spotting the campaign recently, has established a store of sorts on Telegram, where customers can buy different DDoS plans and services. These include plans ranging from "Basic" to "Enterprise" that allow purchasers to unleash DDoS attacks of different durations at the transport and applications layers of targets of their choice.

"Although this campaign does not use advanced techniques, it capitalizes on widespread security gaps across a range of devices and software," said Assaf Morag, lead data analyst at Aqua in a blog post this week. "The simplicity of these methods highlights the importance of addressing fundamental security practices, such as changing default credentials, securing administrative protocols, and applying timely firmware updates, to protect against broad, opportunistic attacks like this one."

DDoS attacks have been a standard item in attacker playbooks for a long time. Though organizations have generally gotten better at dealing with them over the years, DDoS attacks remain hard to protect against entirely. Threat actors have continuously increased the volume and duration of DDoS attacks while developing techniques to target different layers of the network to maximize their disruptive impact. A Gcore study released earlier this year showed a 46% increase in DDoS attacks in the first half of 2024 compared with the same period last year. Some attacks peaked in excess of multiple terabits of attack traffic per second.

Matrix's campaign appears to have launched in November 2023 with the creation of a GitHub account. The attacker has been using the account primarily as a repository for various publicly available malware tools downloaded from different sources and which, in some cases, Matrix then modified for use in the DDoS campaign.

**Off-the-Shelf Attack Tools**

Aqua's analysis of Matrix's GitHub account showed a collection of commonly available DDoS botnet tools, including perennial favorite Mirai, DDoS agent, Pybot, Pynet, SSH Scan Hacktool, and Discord Go. Most of these tools are publicly available and open source; what distinguishes Matrix is how it's been able to integrate and use these tools effectively in assembling a DDoS botnet. "Instead of forking repositories, the tools are downloaded and modified locally, suggesting a level of customization and adaptability," Morag said.

Matrix has been using the tools to scan the Internet for IoT devices with known vulnerabilities in them that the owners have left unpatched. Many of the vulnerabilities that the threat actor's attack scripts scan for are older flaws, including one from 2014 (CVE-2014-8361) a remote code execution (RCE) vulnerability in Realtek Software Development Kit.

Aqua listed vulnerabilities the attacker is targeting, including three from 2017 (CVE-2017-17215, CVE-2017-18368, and CVE-2017-17106); another three targeted vulnerabilities are from 2018 (CVE-2018-10561, CVE-2018-10562, and CVE-2018-9995). The vulnerabilities affect a range of Internet-connected devices including network routers, DVRs, cameras, and telecom equipment.

And in something of a departure from typical DDoS campaigns, the threat actor is scanning the IP ranges of several cloud service providers for vulnerabilities and misconfigurations in telnet, SSH, Hadoop YARN, and other enterprise servers. One of the vulnerabilities that Matrix has targeted is CVE-2024-27348, a critical RCE vulnerability in Apache HugeGraph servers. Nearly half (48%) the scanning activity that Aqua observed targeted servers in AWS environments, 34% were in Microsoft Azure, and 16% on Google's cloud platform. For the moment at least, Matrix's primary focus appears to be China and Japan, likely due to the high density of IoT devices in those countries, Morag said.

**Brute-Force Attacks**

As is common in most such campaigns, Matrix has also been taking advantage of default and weak passwords and misconfigurations to compromise IoT devices and enterprise servers and making them part of the DDoS botnet. Aqua found Matrix using a brute-force script against 167 username and password pairs that organizations had used to secure access to their IoT and server environments. A startling 134 of the pairs granted root or admin level access on affected devices.

Aqua's analysis showed there are 35 million systems running the software that the attacker appears to be targeting. Not all of them are vulnerable. But if even if just 1% are exploitable, that would give the attacker a botnet of around 350,000 devices.

In comments to Dark Reading, Morag says only content delivery networks and organizations with visibility into Internet traffic logs can really say what the actual size of the botnet that Matrix has assembled. But indications are that it is large. "We have hundreds of honeypots, and we usually see an attack/campaign on one or two types of honeypots. But in this case, we saw attacks on our SSH, Telnet, Jupytar Lab, Jupytar Notebook, Hadoop, HugeGraph, and a few simulators of IoT devices," which is unusual, he says. "In addition, the attacker utilized some of our honeypots to attack Telnet and SSH, with a 95% success rate."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Tag

#botnet