Researchers have shut down an "expansive" ad fraud scheme that spoofed more than 1,700 applications from 120 publishers and impacted roughly 11 million devices. 
"VASTFLUX was a malvertising attack that injected malicious JavaScript code into digital ad creatives, allowing the fraudsters to stack numerous invisible video ad players behind one another and register ad views," fraud prevention firm

Mobile Security / Malvertising

Researchers have shut down an "expansive" ad fraud scheme that spoofed more than 1,700 applications from 120 publishers and impacted roughly 11 million devices.

"VASTFLUX was a malvertising attack that injected malicious JavaScript code into digital ad creatives, allowing the fraudsters to stack numerous invisible video ad players behind one another and register ad views," fraud prevention firm HUMAN said.

The operation gets its name from the use of a DNS evasion technique called Fast Flux and VAST, a Digital Video Ad Serving Template that's employed to serve ads to video players.

The sophisticated operation particularly exploited the restricted in-app environments that run ads on iOS to place bids for displaying ad banners. Should the auction be won, the hijacked ad slot is leveraged to inject rogue JavaScript that establishes contact with a remote server to retrieve the list of apps to be targeted.

The includes the bundle IDs that belong to legitimate apps so as to conduct what's called as an app spoofing attack, in which a fraudulent app passes off as a highly-regarded app in an attempt to trick advertisers into bidding for the ad space.

The ultimate objective, per HUMAN, was to register views for as many as 25 video ads by layering them atop one another in a manner that's completely invisible to the users and generates illicit revenue.

"It doesn't stop with the stacked ads, though," the company said. "For as many of those as might be rendering on a user's device at once, they keep loading new ads until the ad slot with the malicious ad code is closed."

"The actors behind the VASTFLUX scheme clearly have an intimate understanding of the digital advertising ecosystem," it further added, stating the campaign also rendered an endless "playlist" of ads to defraud both the advertising companies and apps that show ads.

The takedown of VASTFLUX arrives three months after the disruption of Scylla, a fraud operation targeting advertising software development kits (SDKs) within 80 Android apps and 9 iOS apps published on the official storefronts.

VASTFLUX, which generated over 12 billion bid requests per day at its peak, is only the latest in a stretch of ad fraud botnets that have been shuttered in recent years, after 3ve, PARETO, and Methbot.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Massive Ad Fraud Scheme Targeted Over 11 Million Devices with 1,700 Spoofed Apps

Threat actors are diversifying across all aspects to attack critical infrastructure, muddying the threat landscape, and forcing industrial organizations to rethink their security.

The motive of financial and political gain — fueled partially by the ongoing conflict in Ukraine — has emboldened threat actors to barrage industrial control systems (ICS) with ever more disruptive cyberattacks, diversifying the threat landscape for critical infrastructure, new research shows.

This trend is expected to continue throughout 2023 with attackers arming themselves with new tactics and malware, forcing ICS operators to level up if they want to protect their networks, according to Nozomi Networks' "OT/IoT Security Report: A Deep Look Into the ICS Threat Landscape" for the second half of 2022, published Jan. 18.

It used to be that nation-state actors were the leading perpetrators of attacks against ICS, primarily using remote access Trojans (RATs) to drop malware payloads and gain remote access to networks, as well as mounting distributed denial-of-service (DDoS) attacks to cause "inconvenient" disruption, says Roya Gordon, security research evangelist at Nozomi Networks. "Historically, critical infrastructure disruptions were seen as a nation-state tactic," she says.

However, the now-infamous Colonial Pipeline attack in May 2021 marked a significant shift in this trend. In that incident, a ransomware attack that started with a stolen password caused panic and gas shortages across the eastern United States, and attackers realized how disruptive and potentially lucrative new attack vectors could be, she says.

"The Colonial Pipeline attack demonstrated how cybercriminals can leverage ransomware attacks on critical infrastructure — since they tend to depend heavily on real-time data, and have the means to meet ransom demands — for financial gain," Gordon notes.

Then with Russia's attack on Ukraine last February, attacks on ICS got political, with hacktivists, traditionally known for data breaches and DDoS attacks, wielding destructive wiper malware to disrupt transportation systems such as railroads and other critical infrastructure in the Ukraine for political gain, she says.

This marked a shift in not only who was attacking ICS, but how and for what motive they were launching these attacks, Gordon says. "All in all, this unprecedented level of activity across all fronts should cause us concern."

**Top ICS Cyberattack Trends**

The report identified top trends in the ICS threat landscape based on a compilation of information from various sources including open source media, CISA ICS-CERT advisories, and Nozomi Networks telemetry, as well as on exclusive IoT honeypots that Nozomi researchers employ for "a deeper insight into how adversaries are targeting OT and IoT, furthering the understanding of malicious botnets that attempt to access these systems," Gordon says.

What researchers observed over the last six months was a significant uptick in attacks that caused disruption to a number of industries, with transportation and healthcare being among the top new sectors finding themselves in the crosshairs of adversaries among more traditional targets.

Attackers are using various methods of initial entry to ICS networks, although some common weak security links that have historically plagued not just ICS but the entire enterprise IT sector — weak/cleartext passwords and weak encryption — continue to be the top access threats.

Still, “Root” and “admin” credentials are most often used as a way for threat actors to gain initial access and escalate privileges once in the network, the findings show. Other ways threat actors find their way in include brute-force attacks and DDoS attempts.

In terms of malware, RATs remain the most common malware detected against ICS, while DDoS malware and unusually high and still-rising IoT botnet activity continued to be the top threat for IoT devices on a network. The use of default credentials to hack IoT devices was the primary means of entry for IoT botnets, the researchers found.

Over the second half of last year, attacks on ICS spiked in July, October, and December, with more than 5,000 unique attacks in each of those months. Manufacturing and energy remained the most vulnerable industries, followed by water/wastewater, healthcare, and transportation systems.

Interestingly, despite the uptick in targeting Ukraine, the top attacker IP addresses observed in the second half of 2023 didn't come from Russia nor countries that side with Russia, the researchers found. Instead, the main IP addresses associated with ICS attacks were in China, the US, South Korea, and Taiwan, according to Nozomi's data.

**The Look Ahead**

Top among ICS/IoT threats to watch out for: adversaries will use hybrid threat tactics that don't follow what operators may have seen in the past, which means "it will become increasingly difficult to categorize types of threat actors based on TTPs and motives," according to the report.

Organizations in the healthcare sector — which saw a spike in attacks when COVID-19 hit that has continued even as the pandemic largely wanes — should be mindful to stay on top of medical-device updates, according to Nozomi. Threat actors will likely use exploits to access medical systems that aggregate device data, a manipulation that can have dire and even life-threatening consequences for patients, potentially leading to malfunctions, misreadings, or even overdoses in automatic release of medication.

Another new threat on the horizon is from AI-driven chatbots that attackers will use for malicious purposes, such as writing code or developing exploits for vulnerabilities. They also can use them to generate more accurate phishing/social engineering texts that can be used as entry access to ICS networks, the researchers said.

"All this could reduce the time it takes to develop targeted threat campaigns, thus increasing the frequency of cyberattacks," according to the report.

Though the news appears gloomy, securing ICS against oncoming threats can be as simple as practicing "basic cyber hygiene," employing typical IT security practices that any organization already should be using, Gordon says.

"While threat actors may have the capability to access OT and IoT directly, it's one of their long-standing strategies to first breach IT and pivot into OT," she says. "Therefore, taking steps to secure IT is key."

ICS Confronted by Attackers Armed With New Motives, Tactics, and Malware

Unpatched Cisco bugs, tracked as CVE-2023-20025 and CVE-2023-20026, allow lateral movement, data theft, and malware infestations.

Two security vulnerabilities in Cisco routers for small and midsize businesses (SMBs) could allow unauthenticated cyberattackers to take full control of a target device to run commands with root privileges. Unfortunately, they'll remain unpatched even though proof-of-concept exploits are floating around in the wild.

Among other things, a successful compromise could allow cyberattackers to eavesdrop on or hijack VPN and session traffic flowing through the device, gain a foothold for lateral movement within a company's network, or run cryptominers, botnet clients, or other malware.

"It’s an attractive target from a technical point of view. As an attacker, if you manage to get remote code execution on core routing or network infrastructure, your ability to move laterally increases exponentially," noted Casey Ellis, founder and CTO at Bugcrowd, in an emailed comment.

**Critical-Rated Bug Offers Root Privileges**

The first bug is a critical-rated authentication bypass issue (CVE-2023-20025) that exists in the Web management interface of the devices and carries a rating of 9 out of 10 on the CVSS vulnerability-severity scale.

Meanwhile, the second flaw — tracked as CVE-2023-20026 — can allow remote code execution (RCE) with a caveat: an attacker would need to have valid administrative credentials on the affected device to be successful, so the bug is rated medium, with a 6.5 CVSS score.

They both affect all versions of the RV016, RV042, RV042G, and RV082 routers, which have reached end of life (EoL). As such, the appliances therefore no longer receive security updates, according to the networking giant's Jan. 11 advisory.

The advisory noted that both bugs are "due to improper validation of user input within incoming HTTP packets," so an attacker needs only to send a crafted HTTP request to the Web-based management interface to gain root access on the underlying operating system.

Cisco "is aware that proof-of-concept exploit code is available for the vulnerabilities that are described in this advisory," it said, though in-the-wild attacks have so far not been spotted.

While there are no workarounds that address the bugs, a possible mitigation would be to disable remote management of the routers and block access to ports 443 and 60443, according to Cisco, meaning the routers would only be accessible through the LAN interface.

"It’s always a best practice not to allow remote administration of network devices accessible from the open internet, however, small business using some MSP/MSSPs have to leave it open for their service providers," John Bambenek, principal threat Hunter at Netenrich, noted via email. "That said, this is the worst of all worlds with PoC code publicly available and no ... patches available."

Replacing the devices is the best course of action to fully protect one's business, the researchers noted.

**Big Impact, Even at EoL**

Researchers noted that the routers' existing installed base is significant, even though the devices have been discontinued. It's not uncommon for out-of-date gear to linger on in business environments well after it's been cut off — offering a rich playground for cyberattackers.

"The Cisco small business routers affected by these vulnerabilities still see reasonably widespread usage, though they are all officially end of life," Mike Parkin, senior technical engineer at Vulcan Cyber, said via email. "The challenge will be that these devices are typically found in small businesses with limited resources or used by individuals who may not have the budget to replace them."

And, it's not just SMBs who are affected, Bugcrowd's Ellis noted: "SMB routers are very widely deployed, and in a post-COVID hybrid/work from home world, it’s not just an SMB problem. Branch offices, COEs, and even home offices are potential users of the vulnerable product."

Critical Cisco SMB Router Flaw Allows Authentication Bypass, PoC Available

Russia's NoName057(16) group offers incentives and prizes via Telegram channel for "heroes" to mount attacks against targets within Ukraine and pro-Ukrainian countries.

A Russian threat group is offering incentives and cryptocurrency prizes in an effort to recruit Dark Web volunteers — who it calls "heroes" — to its distributed denial-of-service (DDoS) cyberattack ring.

A group tracked as NoName057(16) has launched the project, called DDosia, which aims at bolstering an earlier effort to mount DDoS attacks on websites in Ukraine and pro-Ukrainian countries. However, rather than try to do all the work themselves, DDosia "entices people to join their efforts by offering prizes for the best performers, paying rewards out in cryptocurrencies," Avast researcher Martin Chlumecký wrote in a post on the Avast.io "Decoded" blog published Jan. 11.

Avast researchers first identified NoName057(16) in September, when they observed Ukraine-targeted DDoS attacks that the group was carrying out using botnets. The campaign specifically targeted websites belonging to governments, news agencies, armies, suppliers, telecommunications companies, transportation authorities, financial institutions, and more in Ukraine, as well as in neighboring countries supporting Ukraine, such as Estonia, Lithuania, Norway, and Poland.

A remote access Trojan (RAT) called Bobik was instrumental in carrying out the DDoS attacks for the group in the original attack, which had a success rate of 40 percent using the malware, the researchers said.

However, the group ran into a hitch in their plans when the botnet was taken down in early September, according to the group's Telegram channel, the researchers said. NoName057 subsequently launched DDosia to target the same set of pro-Ukraine entities on Sept. 15 as a response to this setback, they said.

"By launching the DDosia project, NoName057(16) tried to create a new parallel botnet to facilitate DDoS attacks," Chlumecký wrote in the post. The project also represents a pivot to a public, incentive-based DDoS effort versus the more secretive Bobik botnet, the researchers said.

**DDosia Technical Details**

The DDosia client is comprised of a Python script created and controlled by NoName057(16). The DDosia tool is only available for verified/invited users via a semiclosed Telegram group — unlike the Babik malware, the researchers said. Another differentiator between the two efforts is that DDosia appears to have no additional backdoor activity, they noted. Bobik on the other hand offers extensive spyware capabilities, including keylogging, running and terminating processes, collecting system information, downloading/uploading files, and dropping further malware onto infected devices.

To become a DDosia member, a volunteer must through a registration process facilitated by the @DDosiabot in the dedicated Telegram channel, the researchers said. After registering, members receive a DDosia zip file that includes an executable.

NoName057(16) also "strongly recommends" that volunteers use a VPN client, "connecting through servers outside of Russia or Belarus, as traffic from the two countries is often blocked in the countries the group targets," Chlumecký wrote.

The principal DDosia C2 server used in the DDosia campaign was located at 109. 107. 181. 130; however, it was taken down on Dec. 5, researchers said. Because NoName057(16) continues to actively post on its Telegram channel, the researchers assume it must have another botnet, they said.

The DDosia application has two hardcoded URLs that are used to download and upload data to the C2 server. The first one is used to download a list of domain targets that will be attacked, while the second one is used for statistical reporting, the researchers said.

DDosia sends the list of targets to the botnet as an uncompressed and unencrypted JSON file with two items: targets and randoms, the researchers said.

"The former contains approximately 20 properties that define DDoS targets; each target is described via several attributes: ID, type, method, host, path, body, and more," Chlumecký wrote. "The latter describes how random strings will look via fields such as: digit, upper, lower, and min/max integer values."

DDosia also generates random values at runtime for each attack, likely because attackers want to randomize HTTP requests and make each HTTP request unique for a better success rate, the researchers said.

**Rewarding DDoS "Heroes"**

The most important new aspect of DDoS attacks is the possibility of volunteers who get involved in the campaign being rewarded, the researchers said. Via one of the aforementioned technical aspects of how DDosia works, NoName057(16) collects statistical information about performed attacks and successful attempts by its network of volunteers, which it calls "heroes," they said.

NoName057(16) pays out these heroes — who Chlumecký noted can "easily" manipulate the statistics for success — in cryptocurrency sums of up to thousands of rubles, or the equivalent of hundreds of dollars.

**DDosia: Looming Potential for Disruption**

Currently, the success rate of the DDosia campaign is lower than the previous Bobik campaign, with around 13% of all of attempted attacks disrupting targets, the researchers said.

However, the project "has the potential to be a nuisance when targeted correctly," Chlumecký wrote. The group currently has about 1,000 members; however, if that rises, researchers expect its success rate also to grow, they said.

"Therefore, the successful attack depends on the motivation that NoName057(16) provides to volunteers," Chlumecký explained.

The researchers estimate that one DDosia "hero" can generate about 1,800 requests per minute using four cores and 20 threads, with the speed of request generation depending on the quality of the attacker’s Internet connection. Assuming that at least half of the current membership base is active, this means that the total count of requests to defined targets can be up to 900,000 requests per minute, the researchers said.

"This can be enough to take down Web services that do not expect heavier network traffic," Chlumecký noted. Meanwhile, "servers that expect a high network activity load are more resilient to attacks," he added.

"Given the evolving nature of DDosia and its fluctuating network of volunteers, only time will tell how successful DDosia ultimately will be," Chlumecký said.

Indeed, Russia's attack on Ukraine in February 2022 has driven DDoS attacks to an all-time high, allowing attackers to cause digital and IT-related disruption in a cyberwar that's been mounted alongside the ground war since it began.

NonName057(16) are among a number of threat groups perpetrating these attacks, albeit one of the less sophisticated ones whose attacks at this point remain low-impact and cause little significant damage, the researchers said.

Chlumecký likened the group to another pro-Russia threat actor Killnet, whose activities are aimed at drawing media attention: "NoName057(16) activities are still more of a nuisance than dangerous."

Big Prizes, Cash on Offer for Joining 'DDosia' Anti-Ukraine Cyberattack Project

Organizations are looking for new methods to safeguard the virtual machines, containers, and workload services they use in the cloud.

In 2022, we saw explosive transitions in the cloud security market — every aspect of the ecosystem, including vendors, products, and infrastructure, went through a radical change. It birthed new categories like data security posture management (DSPM), saw established vendors jumping to announce cloud data lakes like Amazon Security Lake, and put vendors through turmoil, like KnowBe4 being acquired by Vista Equity for $4.3 billion.

As we look forward to 2023, cybersecurity for workloads (virtual machines, containers, services) in the public cloud will continue to evolve, with customers trying to balance the need for aggressive cloud adoption and compliance with security needs. CIOs and CISOs will challenge their teams to build the foundation for a security platform that can consolidate point products, support multiple clouds (AWS, Azure, and GCP), and leverage automation to scale security operations. A zero-trust architecture will lead the way to workload protection in the cloud, real-time data protection, and centralized policy enforcement. Here’s a deeper dive into how these five dynamics will make their presence felt in 2023 with public cloud workloads.

**Generative Attacks Will Become Targeted and Personalized**

Automation and machine learning empower cybercriminals to launch sophisticated, targeted attacks. Scripted botnets can conduct network reconnaissance on cloud infrastructure, and valuable data can be harvested and used to launch further attacks. Malware packages are becoming a commodity, with readily available automated tools in which the level of abstraction enables even unimaginative minds to become lethal. For example, ChatGPT, which has taken the tech world by storm, can use machine learning to auto-script malware.

Cyberthreat researcher @lordx64 shared an example of malware auto-generated by ChatGPT. The malware used PowerShell to download ransomware using an obfuscation script, encrypt all the files, and exfiltrate the key to google.com.

**Centralized Security Posture Will Become the Norm to Tackle Workload Sprawl**

Misconfigurations due to human error remain the biggest root cause of cyberattacks. Many attacks use techniques such as code injection and buffer overflow to prey on weak configurations. With the cloud enabling workloads to be spun up and down frequently, configuring security policies at individual firewalls at every virtual private cloud (or a trust zone) opens the door for human error.

Organizations will increasingly look for architectures that can centralize cloud security policy definitions, enforcements, and remediations. Only when cyber prevention is delivered from a central platform can defense be applied to all workloads, instead of just a few select ones.

**Zero-Trust For Workload Protection Will Gain Momentum**

Zero trust will see widespread adoption to protect assets by enforcing an explicit trust framework for all assets in the public cloud. Implementing zero trust in the public cloud is different and unique because customers are dealing with ephemeral and dynamic resources. With zero trust platforms that were architectured for the cloud can bring down cost overruns and complexity. Before a workload in a public cloud can request a resource, it must go through an extensive trust check — one that combines identity, device risk, location, threat intelligence, behavioral analytics, and context. Upon successfully establishing explicit trust, the resource will then be subject to corporate security policy for access control.

**CIOs Will Look For More Effective Multicloud Security Tools**

When it comes to vendor best practices, CIOs are increasingly looking at diversified portfolios of public cloud infrastructure for three main reasons. They want to reduce reliance on a single vendor; many are also looking to integrate infrastructure inherited from mergers and acquisitions. And CIOs need to leverage best-of-breed services from different vendors, such as Google Cloud BigQuery for data analytics, AWS for mobile apps, Oracle Cloud for ERP, for example.

    

Figure: AWS shared responsibility model for protecting cloud resources.

Every cloud vendor preaches the notion of “shared security responsibility,” putting the onus on the customer to implement a security infrastructure for their cloud resources. Savvy IT shops ensure they pick a cybersecurity platform that supports multiple public cloud environments.

**Real-Time Data Protection Will Be a Core Criterion for Cloud Data Governance, Security**

Securing sensitive data such as protected health information, personally identifying information, financial information, patents, confidential corporate data, and other intellectual property is arduous when data moves to the cloud. Legacy data loss prevention (DLP) architectures that rely on regexes, scans, and static rules are insufficient and ineffective for DLP in the cloud.

The rise of the data security posture management category has provided critical visibility into the need for observability and real-time analysis. Proxy-based architectures that can decrypt and inspect all SSL traffic will become a cornerstone for enterprises that truly care about protecting their sensitive data.

Migration to the cloud is not a new trend in the corporate world, but the implications of cybersecurity for cloud workloads are still evolving. While there are no clear answers yet, these are some of the leading indicators customers will use to navigate in 2023.

Read more _Partner Perspectives_ from Zscaler.

5 Ways Cybersecurity for Cloud Workloads Will Evolve in 2023

A new analysis of Raspberry Robin's attack infrastructure has revealed that it's possible for other threat actors to repurpose the infections for their own malicious activities, making it an even more potent threat.
Raspberry Robin (aka QNAP worm), attributed to a threat actor dubbed DEV-0856, is malware that has increasingly come under the radar for being used in attacks aimed at finance,

A new analysis of Raspberry Robin's attack infrastructure has revealed that it's possible for other threat actors to repurpose the infections for their own malicious activities, making it an even more potent threat.

Raspberry Robin (aka QNAP worm), attributed to a threat actor dubbed DEV-0856, is malware that has increasingly come under the radar for being used in attacks aimed at finance, government, insurance, and telecom entities.

Given its use multiple threat actors to drop a wide range of payloads such as SocGholish, Bumblebee, TrueBot, IcedID, and LockBit ransomware, it's suspected to be a pay-per-install (PPI) botnet capable of serving next-stage payloads.

Raspberry Robin, notably, employs infected USB drives as a propagation mechanism and leverages breached QNAP network-attached storage (NAS) devices as first-level command-and-control (C2).

Cybersecurity firm SEKOIA said it was able to identify at least eight virtual private servers (VPSs) hosted on Linode that function as a second C2 layer that likely act as forward proxies to the next as-yet-unknown tier.

"Each compromised QNAP seems to act as a validator and forwarder," the France-based company said. "If the received request is valid, it is redirected to an upper level of infrastructure."

The attack chain thus unfolds as follows: When a user inserts the USB drive and launches a Windows shortcut (.LNK) file, the msiexec utility is launched, which, in turn, downloads the main obfuscated Raspberry Robin payload from the QNAP instance.

This reliance on msiexec to send out HTTP requests to fetch the malware makes it possible to hijack such requests to download another rogue MSI payload either by DNS hijacking attacks or purchasing previously known domains after their expiration.

One such domain is tiua\[.\]uk, which was registered in the early days of the campaign in late July 2021 and used as a C2 between September 22, 2021, and November 30, 2022, when it was suspended by the .UK registry.

"By pointing this domain to our sinkhole, we were able to obtain telemetry from one of the first domains used by Raspberry Robin operators," the company said, adding it observed several victims, indicating "it was still possible to repurpose a Raspberry Robin domain for malicious activities."

The exact origins of how the first wave of Raspberry Robin USB infections took place remain currently unknown, although it's suspected that it may have been achieved by relying on other malware to disseminate the worm.

This hypothesis is evidenced by the presence of a .NET spreader module that's said to be responsible for distributing Raspberry Robin .LNK files from infected hosts to USB drives. These .LNK files subsequently compromise other machines via the aforementioned method.

The development comes days after Google's Mandiant disclosed that the Russia-linked Turla group reused expired domains associated with ANDROMEDA malware to deliver reconnaissance and backdoor tools to targets compromised by the latter in Ukraine.

"Botnets serve multiple purposes and can be reused and/or remodeled by their operators or even hijacked by other groups over time," the researcher said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Analysis Reveals Raspberry Robin Can be Repurposed by Other Threat Actors

By Habiba Rashid
Along with the websites of the central bank, Bankdata—a company that develops IT solutions for the financial industry—was also targeted by a DDoS attack.
This is a post from HackRead.com Read the original post: DDoS Attacks Hit Denmark Central Bank and 7 Private Banks

The official websites of Denmark‘s central bank and seven other private banks in the country were hit by a series of massive DDoS attacks on Tuesday, January 10th, 2022. The attacks caused them to be inaccessible to users, according to the central bank.

Along with the websites of the central bank, Bankdata—a company that develops IT solutions for the financial industry—was also targeted by a DDoS attack.

**What is a DDoS attack?**

A DDoS attack, or Distributed Denial of Service attack, is a malicious cyberattack used to disrupt the availability of a service to its intended users. It’s an attack that attempts to make an online service unavailable by flooding it with an overwhelming amount of traffic from multiple sources.

DDoS attacks are often large-scale and can target web servers, networks, applications, and Internet-connected (IoT) devices. During DDoS attacks, attackers send a huge volume of requests to the targeted resource in order to saturate its network bandwidth or resources.

This forces the server to slow down drastically or even crash completely, making it unavailable for legitimate users. The goal is usually either financial gain through ransom demands or simply disruption and destruction.

**Current Status**

As for the latest attack on Danish banks; a spokesperson for the central bank told Reuters that its website was working normally on Tuesday afternoon, and the attack did not impact the bank’s other systems or day-to-day operations.

Due to the DDoS attack on Bankdata, seven private banks’ websites were affected and could not be accessed, a company spokesperson said. The banks included two of Denmark’s largest, Jyske Bank and Sydbank, they said. 

Sydbank confirmed on its Facebook page that access to its website had been restricted on Tuesday. A Jyske spokesperson confirmed some customers had experienced problems accessing its website on Tuesday.

At the time of writing, all targeted websites, including the National Bank’s website, were restored and available online.

1.  Cloudflare Thwarted Largest Ever HTTPS DDoS Attack
2.  Iran’s Largest Steel Producer Hit By Crippling Cyberattack
3.  Microsoft Alert: DDoS Botnet Hit Private Minecraft Servers
4.  Killnet Hits European Parliament Website with DDoS Attack
5.  Mirai botnet resurfaces with MooBot variant; hits D-Link devices

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

DDoS Attacks Hit Denmark Central Bank and 7 Private Banks

Protection against XSS, SQLi, and more web attacks for Go-based web applications

Protection against XSS, SQLi, and more web attacks for Go-based web applications

A developer has released a new tool for Go applications that is designed to combat web-based attacks.

Developer and security engineer Dwi Siswanto revealed the open source teler-waf software on January 2. The 24-year-old said on Twitter that the technology was designed to “improve the security of Go-based web applications”.

Available on GitHub, teler-waf acts as HTTP middleware, with an interface for integrating intrusion detection system (IDS) functionality into existing applications.

Teler-waf’s security functions include protection against common web-based threats, such as cross-site scripting (XSS) attacks and SQL injections.

Furthermore, the tool will detect bad IP addresses linked to known threat actors and botnets; malicious HTTP referers, crawlers, and scrapers suspected of causing performance issues or performing illicit data scraping; and locations associated with directory-based brute-force attacks.

**Under the bonnet**

Speaking to The Daily Swig, Siswanto, who developed teler-waf independently, said the software has several benefits.

A key feature, for example, is the use of datasets updated daily that track known vulnerabilities and malicious patterns of attack. External resources include information from the PHPIDS project, CVE lists from the Project Discovery team, and collections sourced from the Nginx Ultimate Bad Bot Blocker and Crawler Detect.

WIN SWAG Complete our reader survey to be in with a chance of winning Burp Suite merchandise

In addition, teler-waf comes with a net/http handler for integration with application routing functionality, which Siswanto said “makes it easy to integrate into any framework and \[is\] also highly configurable, allowing it to be tailored to the specific needs of a given web application.

“When a client makes a request to a route protected by teler-waf, the request is first checked against the teler IDS to detect known malicious patterns,“ the developer says. “If no malicious patterns are detected, the request is then passed through for further processing.”

**Show and teler**

Siswanto is also the creator of teler, a real-time HTTP intrusion detection and threat alert system.

He told us that the popularity of the Go framework persuaded him to adapt teler IDS to resemble a past project, AntiScanScanClub, an automatic website scan blocker package.

“My goal was to use teler IDS functionality not only for detection, but also for early prevention,” he explains. “I could say that teler-waf is a progress from the AntiScanScanClub.”

At this time, there is no formal development timeline, although there are hopes for future contributors to join and some milestones are “still being determined”.

Teler-waf’s inaugural and current release, v0.0.1, is labeled as experimental.

Siswanto said: “It \[is\] experimental because there are currently some TODO lists I \[have\] to revisit that need to be addressed, which might be major changes that could affect both configuration and performance. I hope that teler-waf will become stable and ready for use in production in the near future.”

As Go continues to increase in popularity, other developers have also released tools to protect applications built using the language. In December, for instance, Viktor Chuchurski and Alessandro Cotto released Safeurl, software designed to thwart server-side request forgery (SSRF) attacks.

RELATED Safeurl HTTP library brings SSRF protection to Go applications

Meet teler-waf: Security-focused HTTP middleware for the Go framework

Categories: News
Tags: WordPress

Tags:  exploit

Tags:  vulnerability

Tags:  plugin

Tags:  theme

Tags:  update

Tags:  linux malware

Tags:  backdoor

It's time to check your website is up to date.



(Read more...)




The post Malware targets 30 unpatched WordPress plugins appeared first on Malwarebytes Labs.

If you make use of plugins on your WordPress site (and you probably do), it’s time to take a good look at what’s running under the hood. Ars Technica reports that unpatched vulnerabilities being exploited across no fewer than 30 plugins.

**A long list of plugin problems**

If you own or operate a website there is a very good chance it uses WordPress. More than 40 precent of websites use a version of it, and it's used on more websites that all other website Content Management Systems (CMS) combined. One of the reasons it's so popular is that it can be easily extended by adding plugins, of which there are tens of thousands.

Provided it is kept up to date and protected by two-factor authentication, WordPress itself is quite secure. Because of that, in recent years threat actors have focussed on exploiting it via vulnerabilities in plugins rather than attacking it directly.

Plugins are created by third parties and vary widely in quality. Some are updated frequently while others are unsupported. Some are so popular that they are successful software products in their own right, with paid staff, secure development lifecycles, and millions of users, and others are made by lone hobbyists. And while WordPress will update itself with security fixes by default, automatic updating of pluigns has to be enabled by each website operator.

So, news of a malware campaign targeting plugins with unpatched vulnerabilities is no surprise. In fact researchers suggest the malware used for these attacks may have been in circulation for three years. Ars Technica reports that once a vulnerable website is detected, the attack injects rogue scripts into the pages of the site. The scripts redirect website visitors to malicious websites when they click anywhere on an affected web page.

According to research by Dr Web, attacks rely on unpatched versions of the following plugins or themes:

*   WP Live Chat Support Plugin
*   WordPress – Yuzo Related Posts
*   Yellow Pencil Visual Theme Customizer Plugin
*   Easysmtp
*   WP GDPR Compliance Plugin
*   Newspaper Theme on WordPress Access Control (vulnerability CVE-2016-10972)
*   Thim Core
*   Google Code Inserter
*   Total Donations Plugin
*   Post Custom Templates Lite
*   WP Quick Booking Manager
*   Facebook Live Chat by Zotabox
*   Blog Designer WordPress Plugin
*   WordPress Ultimate FAQ (vulnerabilities CVE-2019-17232 and CVE-2019-17233)
*   WP-Matomo Integration (WP-Piwik)
*   WordPress ND Shortcodes For Visual Composer
*   WP Live Chat
*   Coming Soon Page and Maintenance Mode
*   Hybrid
*   Brizy WordPress Plugin
*   FV Flowplayer Video Player
*   WooCommerce
*   WordPress Coming Soon Page
*   WordPress theme OneTone
*   Simple Fields WordPress Plugin
*   WordPress Delucks SEO plugin
*   Poll, Survey, Form & Quiz Maker by OpinionStage
*   Social Metrics Tracker
*   WPeMatico RSS Feed Fetcher
*   Rich Reviews plugin

**Plugging the plugin gap**

Time and again, not updating a plugin comes back to haunt WordPress admins in the worst possible way. Cleanup is often not an easy task, and a tiny slice of preventative action can keep you far away from a massive repair operation further down the line.

The following preventative maintenance could save you a lot of trouble:

*   **Update existing plugins**. If you use WordPress you can check if you have any plugins that need updating by logging in to your site and going to **Dashboard** > **Updates.** (The **Themes** and **Plugins** menu items will also have red circles next to them if any need updating.) Update everything.
*   **Turn on automatic updates for plugins**. By default, WordPress does not update plugins automatically. You can enable this on a per-plugin basis by going to the **Plugins** screen and clicking **Enable auto-updates** next to each plugin.
*   **Remove unsupported plugins**. Go to the **Plugins** screen and click **View details** for each plugin. This screen shows you the last version of WordPress the plugin was tested with, and when it was last updated. It will also display an alert if it thinks the plugin is no longer supported.
*   Remove unnecessary plugins. Check out how many plugins and themes you have installed on your site. Do you need them all? Can any of them be removed or replaced? Generally, fewer is better.

If you can’t make enough time available to keep on top of theme and plugins, it might be a good time to accept that you don’t need the risk and hand the job to an agency or hosting company. The last thing you want is a stack of emails some rainy Monday morning telling you that visitors have been drafted into a botnet courtesy of your blog.

Stay safe out there!

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Malware targets 30 unpatched WordPress plugins

The Evil Corp-linked malware family has undergone an evolution, becoming more obfuscated and "several times more complex," as the group behind it tests how far the worm can be spread.

Hacking groups are using a new version of the Raspberry Robin framework to attack Spanish and Portuguese-language based financial institutions — and it's complexity quotient has been significantly upgraded, researchers said this week.

According to a Jan. 2 report from cybersecurity firm Security Joes, the group has used the same QNAP server for several rounds of attacks — but victim data is no longer in plaintext but rather RC4-encrypted, and the downloader mechanism has been updated with new anti-analysis capabilities, including more obfuscation layers.

Raspberry Robin is a backdooring worm that infects PCs via Trojanized USB devices before spreading to other devices on a target's network, acting as a loader for other malware. Since being spotted nesting in corporate networks in May, it has gone on to rapidly infect thousands and thousands of endpoints — and the species is rapidly evolving.

The threat actor behind the worm is thought to be part of larger ecosystem facilitating preransomware activity and is considered one of the largest malware distribution platforms currently active. Researchers recently linked it to Evil Corp, for instance, thanks to its significant similarities to the Dridex malware loader.

"What is unique about the malware is that it is heavily obfuscated and highly complex to statically disassemble," the research team wrote.

**Upgraded Malware Version Takes Flight

In the latest iteration, the malware protection mechanism has been upgraded to deploy at least five layers of protection before the malicious code is deployed, including a first-stage packer to obscure the code of the next stages of the attack followed by a shellcode loader.

The next three layers include a second-stage loader DLL, intermediate shellcode, and finally the shellcode downloader. This complex framework makes the worm more difficult to detect and simultaneously eases lateral movement through networks, the researchers explained.

The research also indicated Raspberry Robin operators have began to collect more data about their victims than earlier reported.

"Not only did we discover a version of the malware that is several times more complex, but we also found that the C2 beaconing, which used to have a URL with a plain-text username and hostname, now has a robust RC4 encrypted payload," wrote senior threat researcher Felipe Duarte, who led the investigation.

In one case, the research team documented how a 7-Zip file was downloaded from the victim's browser, potentially from a malicious link or attachment that tricked the user into acting.

"Upon inspection, the archive was found to be an MSI installer that, when executed, drops several files onto the victim's machine," the report noted.

In a second case, the malicious payload was hosted on a Discord server, which was used by the threat actors to deliver malware onto the victim's machine, to avoid detection and bypass security controls.

"In the cases we investigated, threat actors decided to implement additional validations on their backend to have a better segmentation and visibility of their targets," the report noted. "This allows them to filter bots running in sandboxes, analyze environments and respond to any other circumstance that could interfere a segment of the botnet operation, to fix it in real-time."

****Raspberry Robin Makes the Rounds**

The threat is flighty, following a pattern of appearing, disappearing, then reappearing with significantly upgraded capabilities.

Security firm Red Canary first analyzed and named Raspberry Robin in May, noting that it was infecting targets via malicious USB drives and worming to other endpoints — but then remaining dormant.

Subsequent reports then found Raspberry Robin worm to have added 10 layers of obfuscation and fake payloads, in order to launch attacks against telecommunications companies and governments across Australia, Europe, and Latin America, according to a December research report from Trend Micro.

Soon after, it came to the attention of other researchers, including IBM Security and the Microsoft Security Threat Intelligence Center (MSTIC); the latter is monitoring the operators of the Raspberry Robin worm under the moniker DEV-0856.

Tag

#botnet