For 6 months, the infamous Emotet botnet has shown almost no activity, and now it's distributing malicious spam. Let's dive into details and discuss all you need to know about the notorious malware to combat it.
Why is everyone scared of Emotet?
Emotet is by far one of the most dangerous trojans ever created. The malware became a very destructive program as it grew in scale and sophistication.

For 6 months, the infamous Emotet botnet has shown almost no activity, and now it's distributing malicious spam. Let's dive into details and discuss all you need to know about the notorious malware to combat it.

**Why is everyone scared of Emotet?**

Emotet is by far one of the most dangerous trojans ever created. The malware became a very destructive program as it grew in scale and sophistication. The victim can be anyone from corporate to private users exposed to spam email campaigns.

The botnet distributes through phishing containing malicious Excel or Word documents. When users open these documents and enable macros, the Emotet DLL downloads and then loads into memory.

It searches for email addresses and steals them for spam campaigns. Moreover, the botnet drops additional payloads, such as Cobalt Strike or other attacks that lead to ransomware.

The polymorphic nature of Emotet, along with the many modules it includes, makes the malware challenging to identify. The Emotet team constantly changes its tactics, techniques, and procedures to ensure that the existing detection rules cannot be applied. As part of its strategy to stay invisible in the infected system, the malicious software downloads extra payloads using multiple steps.

And the results of Emotet behavior are devastating for cybersecurity specialists: the malware is nearly impossible to remove. It spreads quickly, generates faulty indicators, and adapts according to attackers' needs.

**How has Emotet upgraded over the years?**

Emotet is an advanced and constantly changing modular botnet. The malware started its journey as a simple banking trojan in 2014. But since then, it has acquired a bunch of different features, modules, and campaigns:

*   2014\. Money transfer, mail spam, DDoS, and address book stealing modules.
*   2015\. Evasion functionality.
*   2016\. Mail spam, RIG 4.0 exploit kit, delivery of other trojans.
*   2017\. A spreader and address book stealer module.
*   2021\. XLS malicious templates, uses MSHTA, dropped by Cobalt Strike.
*   2022\. Some features remained the same, but this year also brought several updates.

This tendency proves that Emotet isn't going anywhere despite frequent "vacations" and even the official shutdown. The malware evolves fast and adapts to everything.

**What features has a new Emotet 2022 version acquired?**

After almost half a year of a break, the Emotet botnet returned even stronger. Here is what you need to know about a new 2022 version:

*   It drops IcedID, a modular banking trojan.
*   The malware loads XMRig, a miner that steals wallet data.
*   The trojan has binary changes.
*   Emotet bypasses detection using a 64-bit code base.
*   A new version uses new commands:

Invoke rundll32.exe with a random named DLL and the export PluginInit

*   Emotet's goal is to get credentials from Google Chrome and other browsers.
*   It's also targeted to make use of the SMB protocol to collect company data
*   Like six months ago, the botnet uses XLS malicious lures, but it adopted a new one this time:

The Emotet's Excel lure

**How to detect Emotet?**

The main Emotet challenge is to detect it in the system quickly and accurately. Besides that, a malware analyst should understand the botnet's behavior to prevent future attacks and avoid possible losses.

With its long story of development, Emotet stepped up in the anti-evasion strategy. Through the evolution of the process execution chain and malware activity inside the infected system changes, the malware has modified detection techniques drastically.

For example, in 2018, it was possible to detect this banker by looking at the name of the process – it was one of these:

> eventswrap, implrandom, turnedavatar, soundser, archivesymbol, wabmetagen, msrasteps, secmsi, crsdcard, narrowpurchase, smxsel, watchvsgd, mfidlisvc, searchatsd, lpiograd, noticesman, appxmware, sansidaho

Later, in the first quarter of 2020, Emotet started to create specific key into the registry - it writes into the key HKEY\_CURRENT\_USER\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER value with the length 8 symbols (letters and characters).

Of course, Suricata rules always identify this malware, but detection systems often continue beyond the first wave because rules need to update.

Another way to detect this banker was its malicious documents - crooks use specific templates and lures, even with grammatical errors in them. One of the most reliable ways to detect Emotet is by the YARA rules.

To overcome malware's anti-evasion techniques and capture the botnet – use a malware sandbox as the most convenient tool for this goal. In ANY.RUN, you can not only detect, monitor, and analyze malicious objects but also get already extracted configurations from the sample.

There are some features that you use just for Emotet analysis:

*   reveal C2 links of a malicious sample with the FakeNet
*   use Suricata and YARA rulesets to successfully identify the botnet
*   Get data about C2 servers, keys, and strings extracted from the sample's memory dump
*   gather fresh malware's IOCs

The tool helps to perform successful investigations quickly and precisely, so malware analysts can save valuable time.

ANY.RUN sandbox has prepared incredible deals for **Black Friday 2022**! Now is the best time to boost your malware analysis and save some money! Check out special offers for their premium plans but for a limited time – from 22-29 November, 2022.

Emotet has not demonstrated full functionality and consistent follow-on payload delivery. Use modern tools like ANY.RUN online malware sandbox to improve your cybersecurity and detect this botnet effectively. Stay safe and good threat hunting!

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

All You Need to Know About Emotet in 2022

For 6 months, the infamous Emotet botnet has shown almost no activity, and now it's distributing malicious spam. Let's dive into details and discuss all you need to know about the notorious malware to combat it.

**Why is everyone scared of Emotet?**

Emotet is by far one of the most dangerous trojans ever created. The malware became a very destructive program as it grew in scale and sophistication. The victim can be anyone from corporate to private users exposed to spam email campaigns.

The botnet distributes through phishing containing malicious Excel or Word documents. When users open these documents and enable macros, the Emotet DLL downloads and then loads into memory.

It searches for email addresses and steals them for spam campaigns. Moreover, the botnet drops additional payloads, such as Cobalt Strike or other attacks that lead to ransomware.

The polymorphic nature of Emotet, along with the many modules it includes, makes the malware challenging to identify. The Emotet team constantly changes its tactics, techniques, and procedures to ensure that the existing detection rules cannot be applied. As part of its strategy to stay invisible in the infected system, the malicious software downloads extra payloads using multiple steps.

And the results of Emotet behavior are devastating for cybersecurity specialists: the malware is nearly impossible to remove. It spreads quickly, generates faulty indicators, and adapts according to attackers' needs.

**How has Emotet upgraded over the years?**

Emotet is an advanced and constantly changing modular botnet. The malware started its journey as a simple banking trojan in 2014. But since then, it has acquired a bunch of different features, modules, and campaigns:

*   2014\. Money transfer, mail spam, DDoS, and address book stealing modules.
*   2015\. Evasion functionality.
*   2016\. Mail spam, RIG 4.0 exploit kit, delivery of other trojans.
*   2017\. A spreader and address book stealer module.
*   2021\. XLS malicious templates, uses MSHTA, dropped by Cobalt Strike.
*   2022\. Some features remained the same, but this year also brought several updates.

This tendency proves that Emotet isn't going anywhere despite frequent "vacations" and even the official shutdown. The malware evolves fast and adapts to everything.

**What features has a new Emotet 2022 version acquired?**

After almost half a year of a break, the Emotet botnet returned even stronger. Here is what you need to know about a new 2022 version:

*   It drops IcedID, a modular banking trojan.
*   The malware loads XMRig, a miner that steals wallet data.
*   The trojan has binary changes.
*   Emotet bypasses detection using a 64-bit code base.
*   A new version uses new commands:

Invoke rundll32.exe with a random named DLL and the export PluginInit

*   Emotet's goal is to get credentials from Google Chrome and other browsers.
*   It's also targeted to make use of the SMB protocol to collect company data
*   Like six months ago, the botnet uses XLS malicious lures, but it adopted a new one this time:

The Emotet's Excel lure

**How to detect Emotet?**

The main Emotet challenge is to detect it in the system quickly and accurately. Besides that, a malware analyst should understand the botnet's behavior to prevent future attacks and avoid possible losses.

With its long story of development, Emotet stepped up in the anti-evasion strategy. Through the evolution of the process execution chain and malware activity inside the infected system changes, the malware has modified detection techniques drastically.

For example, in 2018, it was possible to detect this banker by looking at the name of the process – it was one of these:

> eventswrap, implrandom, turnedavatar, soundser, archivesymbol, wabmetagen, msrasteps, secmsi, crsdcard, narrowpurchase, smxsel, watchvsgd, mfidlisvc, searchatsd, lpiograd, noticesman, appxmware, sansidaho

Later, in the first quarter of 2020, Emotet started to create specific key into the registry - it writes into the key HKEY\_CURRENT\_USER\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER value with the length 8 symbols (letters and characters).

Of course, Suricata rules always identify this malware, but detection systems often continue beyond the first wave because rules need to update.

Another way to detect this banker was its malicious documents - crooks use specific templates and lures, even with grammatical errors in them. One of the most reliable ways to detect Emotet is by the YARA rules.

To overcome malware's anti-evasion techniques and capture the botnet – use a malware sandbox as the most convenient tool for this goal. In ANY.RUN, you can not only detect, monitor, and analyze malicious objects but also get already extracted configurations from the sample.

There are some features that you use just for Emotet analysis:

*   reveal C2 links of a malicious sample with the FakeNet
*   use Suricata and YARA rulesets to successfully identify the botnet
*   Get data about C2 servers, keys, and strings extracted from the sample's memory dump
*   gather fresh malware's IOCs

The tool helps to perform successful investigations quickly and precisely, so malware analysts can save valuable time.

ANY.RUN sandbox has prepared incredible deals for **Black Friday 2022**! Now is the best time to boost your malware analysis and save some money! Check out special offers for their premium plans but for a limited time – from 22-29 November, 2022.

Emotet has not demonstrated full functionality and consistent follow-on payload delivery. Use modern tools like ANY.RUN online malware sandbox to improve your cybersecurity and detect this botnet effectively. Stay safe and good threat hunting!

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New users and monetization methods are increasingly profitable for gaming industry, but many companies find they have to stem growth in cheats, hacks, and other fraud to keep customers loyal.

The video game industry has been booming of late — and cybercriminals are drawn to it as an expanding threat surface, seeing players as a potentially less cautious group of victims. As such, cybersecurity has risen in profile as a major business priority and differentiator for many in the industry.

There's been an influx of casual gamers drawn to new mobile platforms during the pandemic, and companies have found increasingly profitable ways of monetizing in-game items and social experiences. Gaming studios and affiliated games companies seek to keep those users playing while maintaining that growth and profitability in the post-pandemic era.

But with so much entertainment competition out there — not just from other games, but also streaming and digital platforms — it's easy enough for players hacked or cheated one too many times to drop one game and pick up another one instead. Gaming industry insiders like Jonathan Shroyer say that if gaming companies are lax in security, "their games will not succeed."

"Players of games depend on trust, credibility, and predictability when leveraging a brand's game," says Shroyer, chief CX innovation officer for Arise Gaming, a consulting firm that helps gaming companies improve customer satisfaction and gamer engagement in their platforms. "If they find out there was a hack, or fraud, or other security issues, you will see a dramatic drop in gameplay and spend."

He says this is especially true in mobile gaming as these are the least sticky and most casual games in the industry. But the impact of cyber trust is felt across console, PC, virtual reality (VR), and streaming customers as well.

**More Gamers, More Attacks & More Customer Expectations**

There's a lot of money at stake for gaming companies planning for the future. According to a recent study by PwC earlier this year, the video gaming industry will earn $235.7 billion in 2022. That's following a massive tear over the last few years, with the combination of PC, console, and casual gaming companies increasing their revenue by an astonishing 32% from 2019 through 2021. PwC says it expects gaming revenue to keep ticking up from now through 2026 by a healthy 8.4% compound annual growth rate.

As the money has been flowing into everything from eSports to hyper-casual gaming, so, too, have the attacks. Akamai reported recently that cyberattacks on player accounts and gaming companies has increased "dramatically" in the past year, with Web application attacks rising by 167%. The firm says gaming is the industry most hit by distributed denial-of-service (DDoS) attacks, making up 37% of all DDoS globally. That's double the volume of attacks lobbed at the financial sector, which is the second-most DDoS-attacked vertical industry.

Account takeovers, cheating hacks, and fraud are all growing problems, and gamers are taking note of which companies are addressing these cybersecurity issues and which aren't. A study of attitudes from 10,000 gamers worldwide that was released last week by Kaspersky showed that 70% of regular gamers think hacking is a big problem in the gaming world. Around 63% of respondents said their accounts aren't safe enough from attacks — with one in three reporting that their accounts have been hacked in the last two years. And 89% of gamers said they want game developers to pay more attention to cybersecurity issues.

These stats point to why cybersecurity is fast becoming a huge engagement pillar for game studios right alongside designing creative gameplay and immersive worlds. It's a tricky proposition for security executives in this world, because gamers also have big expectations when it comes to gameplay and the overall ambiance of a gaming environment, says Julie Tsai, a longtime cybersecurity executive with deep expertise in the gaming world.

"Users and the community expect things at a high level. They expect things to be intuitive, they expect things to be in the spirit of the gaming — and also sometimes in the spirit of the culture of the particular gamer community they're in," says Tsai, who was head of security for Roblox for the past three years prior to recently venturing on her own as a security consultant. "They're very, very passionate and attached to these things. And also for a security professional, it means that you're going to be dealing with some of the strongest attackers and the adversaries that you can think of because they're very creative and often gamers themselves."

**Today's Biggest Cyberthreats to Gaming**

Like any other vertical industry, games companies are tasked with protecting their organizations from all nature of cybersecurity threats to their business. Many of them are large enterprises with the same concerns for the protection of internal systems, financial platforms, and employee endpoints as any other firm.

"Gaming companies have the same responsibility as any other organization to protect customer privacy and preserve shareholder value. While not specifically regulated like hospitals or critical infrastructure, they must comply with laws like GDPR and CaCPA," explains Craig Burland, CISO for Inversion6, a managed security service provider and fractional CISO firm. "Threats to gaming companies also follow similar trends seen in other segments of the economy — intellectual property (IP) theft, credential theft, and ransomware."

IP issues are heightened for these firms, like many in the broader entertainment category, as content leaks for highly anticipated new games or updates can give a brand a black eye at best, and at worst hit them more directly in the financials. The industry saw this kind of fallout in full effect in September when a hack of Take-Two Interactive and subsequent public leak of Grand Theft Auto 6 resulted in a 2.3% stock drop for the firm.

Layered on top of all of those typical enterprise cybersecurity concerns are unique eccentricities in protecting gaming platforms and player ecosystems. The gaming platforms are their brands — financial and customer service engines all rolled into one. And they're supremely juicy targets for all nature of malfeasance.

Some of the most common concerns gaming companies must contend with are cheaters who seek to take advantage of technical or bugs or design flaws to their advantage, spammers finding ways to blast out links to gamers to everything from snake-oil products to porn, scammers seeking to take advantage of and steal from younger gamers. And then, of course, most common of all are the everyday cyber fraudsters cashing in on account theft.

"What you have to realize is that criminals attack games for one of three reasons: status, ideology, or cash," says Brett Johnson, chief criminal officer for Arkose Labs and a former cybercriminal who before he went straight ran ShadowCrew, the forerunner to today's Dark Web marketplaces. "Most attacks — 98% or more — are cash driven. So criminals are looking for the easiest access that gives the largest return on investment."

The black-hat ROI prospects have especially grown now that gaming companies have monetized in-game assets through means like direct purchase, voluntary advertising views, and recurring subscriptions. This presents endlessly more new ways to commit financial fraud and launder money through gaming platforms. From a gaming cyber defender's perspective, this means that cheating and hacks now not only threaten gameplay experience, but create more financial and legal risks.

"Any time real money value is tied to in game assets, you will see a spike in fraud and other bad actors," Shroyer explains.

Attackers are turning up the heat on game users and platform with credential stuffing attacks and social engineering scams to break into accounts and access in-game currency and unique items. They leverage third-party marketplaces to sell these in-game assets off the platform for real currency to other gamers who want to bolster their characters or speed up their progress. This creates an ideal situation to not only fence stolen in-game assets, but to launder money stolen elsewhere online.

A lot of this criminal activity is powered by bots and click farms to scale up the profitability of their criminal enterprise, Johnson says.

"The problem is, from an attacker point of view, it's not really worth it to me to attack people manually. If you consider most of these accounts, the dollar amounts are not high enough for me to do that," he says. "So I need to find a way to scale that without me having to manually sign on or try to take over to account. And the answer to that is bots."

**The Culture Wildcard**

Many of the criminal ploys targeting games will also play upon the emotional mindset of gamers, who just want to have as much fun as possible. It makes them more likely to maybe fall for a phishing lure in hopes of getting a sneak peek at a new feature, or go to great lengths to buy items from a third-party marketplace that could speed up their progress.

"The gamer almost immediately is not acting out of reason or logic — it's a knee-jerk type of emotional thing. They want to play that game," Johnson says. "It's much easier for me as an attacker to use that to my advantage because they're already going through that door of reacting emotionally."

This highlights the big balancing act that gaming companies generally have to manage when it comes to protecting their platforms and their users. They've got to design better technical controls and more cyber resilience in their systems without damaging player experience or the vibrancy of the gaming culture built up around their brands and their gaming titles.

As Tsai alluded, gamers are passionate and they're also often curious hackers by nature. That includes the creative and benign type, but also the black hats.

The game industry has always been a place where everyone from script kiddies to budding cybercriminals have come to cut their teeth. For the most part, though, the cohort is usually mostly made up of customers who want to be able to develop and share their custom mods and who are willing to spend a lot of engaged time and money on their games, building up a community that buoys up successful games and studio brands.

This means that a lot of the work of security executives is in detangling the malicious elements from that creative and loyal group of gamers. This takes user education and outreach, foresight in design, and engineering work.

**Engineering Good Choices for Gamers**

On the latter front, some of the easiest and most low-hanging fruit can come through layered protection measures that just make it more expensive for attackers to run roughshod over platform with automated bot attacks.

"If a security product can increase the cost of the attack, the chances of the criminal staying on that platform, not very good," Johnson says. "That criminal's going to find someplace else where they can profit easier and not have to have the investment to get the attack to be successful."

According to Shroyer, the industry is in a lot better place now with moderating and managing mods and curbing cheating because there's more technical measures available to developers.

"Gaming brands now have more tools in their toolkit to prevent these activities," he says. "A few examples are unique online accounts that  require the latest software update to play games, new tech and security placed in gaming data centers that make hacking more difficult, and the ability to turn off access via games online if bad behaviors are noticed. These don't eradicate the issues, but similar to how Netflix and Hulu curbed illegal movie downloading, these tools have had a similar effect in the gaming space."  

More fundamentally at the design level, though, Tsai says that security teams and gaming developers also have to work to create player journeys and experiences less hackable. This doesn't mean shutting off the faucet for mods and other beneficial hacking in the platform. Instead, it means doing better threat modeling of platforms, locking down the riskiest areas and providing guardrails for user "developers" almost in the same way that a DevSecOps team would do so for internal developers.

"There's a saying in engineering with regards to user centricity, which is 'Make me make good choices,'" she says. "And so in that respect, you want to create technology that either encourages or only allows users to make good choices."

This kind of effort takes significant effort and a security-first mentality for game development. However, it's an investment that has a definite ROI for gaming firms, she says.

"Security ties to how users in the community think of your integrity and trust you. These are long-term assets," she says. "If you gain credibility over the years, it can absolutely be a business value-add."

For Gaming Companies, Cybersecurity Has Become a Major Value Proposition

By Habiba Rashid
The DDoS attack took place moments after the European Parliament voted to declare the Russian government a state sponsor of terrorism.
This is a post from HackRead.com Read the original post: Killnet Hits European Parliament Website with DDoS Attack

Staying true to its reputation of being known for relying majorly on DDoS attacks, the pro-Kremlin hacking group Killnet has struck again and this time, their target was the European Parliament website.

This DDoS attack took place after the governing body voted to declare the Russian government a state sponsor of terrorism. 

The distributed denial-of-service attack or DDoS attack took place on Wednesday afternoon European time and the website stayed down for a few hours before becoming operational again. 

It is worth noting that the DDoS attack came just days after Killnet claimed responsibility for targeting government sites in the United Kingdom and vowed to target more in the coming days.

Killnet members quickly claimed the credit for the attack shortly after and posted screenshots showing the European Parliament website was unavailable in 23 countries on Telegram. Furthermore, the text accompanying the images included a homophobic remark toward the legislative body. 

“Strap-on shelling of the server part of the official website of the European Parliament!” the group posted to its Telegram channel.

Screenshot shared by Killnet in its Telegram group.

The attacks against the European Parliament came hours after the agency adopted a resolution officially identifying Russia as a state sponsor of terrorism. It was adopted by the member states with 494 votes in favor, 58 against, and 44 abstentions.

Members of the European Parliament “highlight that the deliberate attacks and atrocities committed by Russian forces and their proxies against civilians in Ukraine, the destruction of civilian infrastructure and other serious violations of international and humanitarian law amount to acts of terror and constitute war crimes,” the declaration stated. “In light of this, they recognize Russia as a state sponsor of terrorism and as a state that ‘uses means of terrorism.’”

Since the Russo-Ukraine war began in February, Killnet has launched 76 attacks against countries supporting Ukraine. 

1.  Anti-Russian OldGremlin Gang Launches Linux Malware
2.  34 Russian Hacking Groups Stole 50 Million User Passwords
3.  New DDoS Malware ‘Chaos’ Hits Linux and Windows Devices
4.  RapperBot malware targets gaming servers with DDoS attacks
5.  DDoS App Meant to Hit Russia Infected Phones of Ukrainian Activists

I am a cyber security writer and one of my favourite games is Minecraft. I also really like obscure cat memes and during my free time, if I'm not found hanging around in Discord voice channels with my friends, I'm probably cycling and taking pictures of random cats on the street.

Killnet Hits European Parliament Website with DDoS Attack

By Habiba Rashid
On Telegram, Killnet declared that “all medical institutions, government services, and online services” could soon be attacked.
This is a post from HackRead.com Read the original post: Pro-Russian Killnet group hits UK organizations with DDoS attacks

On November 22nd, in the early hours of the morning, Prince William’s website was reportedly attacked by a Russian hacking group Killnet. In a message posted on Telegram, Killnet stated the reason for the attack to be UK’s continued support for Ukraine.

Killnet said it had conducted the attack “due to the supply of high-precision missiles to Ukraine.”

Killnet on Telegram (Screenshot shared with Hackread.com by Check Point cyber security firm)

Although the website is now functioning, there are additional security checks on the connection by Cloudflare (the company that provides secure web connections) which were not present before. 

The attack appeared to be a distributed denial-of-service attack (DDoS attack) which causes a server to be overwhelmed by numerous bogus requests, usually from bot servers – something Killnet is well known for. However, this information has not been confirmed. 

Killnet also declared in a message on Telegram that “all medical institutions, Government services, and online services” could soon be attacked as well. In further posts, the group said it was targeting the websites of the London Stock Exchange, the British Army, and the Bankers’ Automated Clearing System (Bacs).

Currently, all three websites are functional however, the British Army website displayed undergoing “planned maintenance” message on Tuesday, November 22nd.

Killnet on Telegram claiming responsibility for series of DDoS attacks (Screenshot shared with Hackread.com by Check Point cyber security firm)

In a conversation with Hackread.com, Muhammad Yahya Patel, Security Evangelist at Check Point Software said “Killnet is a prolific political pro-Russian hacking group that moves targets every few weeks based on geopolitical developments. As a major player in the hacktivism space, they also suggest and define the targets for other pro-Russian groups. We have seen a 42% global increase in cyberattacks since the start of the Russia-Ukraine war, with a significant rise in state-sponsored groups. These DDoS attacks are the latest efforts from hacktivists to disrupt high-profile websites, including those of the Royal household, as part of their political agenda.”

DDoS attacks are unlikely to compromise data or systems because they simply flood the web server with too many requests so that it cannot respond in time. During the attack, the loss of connection is likely to be short-lived since web operators can identify numerous IP connections originating from the same block.

Therefore, threat actors employing this technique are unlikely to achieve any real damage because this technique is not very successful these days and most companies nowadays employ technologies to offset such attacks. 

This is not the first time Killnet has taken it upon itself to wage a cyber war due to the ongoing political situation between Ukraine and Russia. Previously, they tried to take down the Eurovision song contest. Due to not being invited, they tried to cause chaos in Italy (the host nation) but were thwarted and Ukraine went on to win the competition. 

The group also attempted to take down the online voting servers throughout the final but was unable to break through the “wide range of security measures” that Eurovision officials promised. Instead, they chose to attack several Italian institutions in the semi-final and final in Turin. 

1.  34 Russian Hacking Groups Stole 50 Million User Passwords
2.  New DDoS Malware ‘Chaos’ Hits Linux and Windows Devices
3.  RapperBot malware targets gaming servers with DDoS attacks
4.  Anti-Russian OldGremlin Ransomware Gang Launches Linux Malware
5.  DDoS App Meant to Hit Russia Infected Phones of Ukrainian Activists

I am a cyber security writer and one of my favourite games is Minecraft. I also really like obscure cat memes and during my free time, if I'm not found hanging around in Discord voice channels with my friends, I'm probably cycling and taking pictures of random cats on the street.

Pro-Russian Killnet group hits UK organizations with DDoS attacks

By Waqas
The most prominent CMS today is WordPress which is being used by over 455 million across the globe.
This is a post from HackRead.com Read the original post: Step-by-Step Security Guide for WordPress

As the internet becomes increasingly integral to daily life, website security is more important than ever. Hackers can gain access to sensitive information, like credit card numbers and social security numbers, through websites with weak security. This can lead to identity theft and financial fraud.

Your website’s CMS (content management system) works as the backbone of your entire setup. The most prominent CMS today is WordPress which is being used by over 455 million across the globe. Naturally, WordPress is a lucrative target for cybercriminals and highlights the fact why WordPress security should never be ignored.

WordPress or another other CMS, while 100% security may be a myth, there are a few things you can do to ensure your website is secure from external and internal threats.

**Secure Hosting**

A website is a powerful tool that can help businesses of all sizes reach new customers and grow. However, a website is only as secure as the hosting provider that it uses. That’s why it’s important to choose a secure website hosting provider when setting up your website. Here are two things to look for in a secure website hosting provider:

**1. Industry-Leading Security Measures:** A good web hosting provider will have industry-leading security measures in place to protect your website from hackers and other online threats. This includes things like firewalls, DDoS protection, and malware scanning.

**2. Regular Backups:** In the event that your website is hacked or compromised, regular backups will ensure that you can quickly restore your site to its previous state. A good web hosting provider will perform regular backups of your site automatically.

**Strengthening Login Credentials**

According to studies, around 8 percent of hacked WordPress websites are due to weak passwords. However, as the largest self-hosted blogging tool in the world, WordPress has a responsibility to its users to keep their information safe. One way it does this is by natively offering two-factor authentication (2FA).

Two-factor authentication is an extra layer of security that requires not only a username and password but also something that the user has on them, like a phone. This makes it much harder for someone to hack into a WordPress account, even if they have the login credentials.

WordPress offers 2FA through several different methods, including SMS text messages, email, and authenticator apps. Which method you choose is up to you, but we recommend using an authenticator app like Authy or Google Authenticator.

**Updated Plugins**

The reason why WordPress powers millions of websites and blogs is its user-friendliness and free plugins. Although WordPress is good at adding new features and constantly issues security patches, zero-day vulnerabilities can be a calamity.

Therefore, always keep your plugins up to date because newer versions of plugins often fix security vulnerabilities that older versions had. Outdated plugins can cause compatibility issues with other plugins or with WordPress itself.

Additionally, newer versions of plugins usually have new features and improvements that can make your site run better. So next time you see a plugin update available, don’t ignore it – go ahead and update!

**Hiding WordPress Login URL**

There are a few reasons webmasters might want to change the default WordPress login URL. By doing so, you can help keep your site more secure from hackers and bots who try to gain access by brute force. Additionally, it can also deter casual users from trying to snoop around areas of your site they shouldn’t be.

If you’re running a membership site or online community, you may also want to change the login URL to something more branded and memorable for your users. By making it easy for them to find and login, you can reduce frustration and increase adoption.

Whatever your reason for wanting to change the WordPress login URL, it’s actually quite easy to do. There are a few different methods you can use, including plugins and editing code directly.

**Login Limit Plugin**

As a website owner, it’s important to make sure that your site is secure. One way to do this is by using a WordPress login limit plugin. This type of plugin will help to protect your site by limiting the number of failed login attempts.

There are many benefits of using a WordPress login limit plugin. By limiting the number of failed login attempts, you can help to prevent hackers from gaining access to your site. Additionally, this plugin can also help to improve the security of your password.

If you’re looking for a way to improve the security of your website, then we recommend that you consider using a WordPress login limit plugin.

**Security Plugins**

Using a security plugin is a must. There are many security plugins available for WordPress, but not all of them are created equal. Do some research and find a plugin that suits your needs. (We recommend looking into Wordfence or Sucuri.)

Once you’ve found a plugin, install it and activate it. Follow the instructions on the plugin’s settings page to configure it properly.

Most security plugins will offer features like blocking IP addresses, two-factor authentication, malware scanning, and more. Choose the features that are most important to you and make sure they’re enabled.

Keep your security plugin up to date by installing new versions when they’re released.

**Sharing Admin Access**

If you’re planning on giving someone else access to your WordPress admin panel, there are a few security precautions you should take first.

For starters, be sure to create a separate user account for the person to whom you’re granting access. That way, if their account is ever compromised, your main admin account will remain safe.

Next, be sure to set strong passwords for both your main admin account and the new user account. Use a combination of letters, numbers, and symbols to make it as difficult as possible for hackers to guess.

**Take Away**

Malicious actors are continuously coming up with new ways to use a company’s online presence against them, while cyber security specialists are always coming up with new ways to resist them.

This is the never-ending cycle of cybersecurity, and we’re all trapped in its center. Your WordPress site is just like any other website on the internet when it comes to cyber-attacks. However, by following the above-recommended tips and hacks, you can secure your WordPress website from cyber criminals or at least reduce the risk of being attacked. 

1.  What is WooCommerce, and Why You Should Care
2.  Tips for Using Uploader Widgets on WordPress Blogs
3.  5 WordPress Security Solutions with Free SSL Certificates
4.  Flaws in 2 famous WordPress plugins put millions of sites at risk
5.  WordPress GDPR Compliance plugin hacked to spread backdoor

Step-by-Step Security Guide for WordPress

By Waqas
The suspect, Vyacheslav Igorevich Penchukov, was wanted by the FBI since August 2012.
This is a post from HackRead.com Read the original post: Ukrainian behind global Zeus malware operation finally caught

As per security journalist Brian Krebs, a Ukrainian national identified as Vyacheslav Igorevich Penchukov has been arrested by Swiss law enforcement agencies. The suspect was nabbed for his involvement in cybercrime especially the infamous Zeus malware.

The suspect used the nickname Tank and Father. He was arrested on 23 October 2022 from Geneva and is awaiting extradition to the USA, reported Krebs.

**About Zeus**

For your information, Zeus is a banking trojan created by an unknown individual known by the handle lucky12345. The devices infected by this highly adaptable malware can be included in an army of a botnet to launch distributed denial of service attacks (DDoS attacks).

The FBI wanted Penchukov on cybercrime charges for more than a decade. He was a member of one of the most notorious cybercrime gangs dubbed JabberZeus. In their malicious campaigns, the cybercriminals stole over $70 million from innocent victims’ bank accounts. 

The gang, which the US Department of Justice referred to as a wide-ranging racketeering enterprise, used Zeus malware for their operations. Reportedly, Penchukov was in a western Ukrainian city called Uzhgorod before Russia invaded the country. He traveled with fake identification details and was in Geneva at the time of his arrest, where he came to meet his wife.

It is worth noting that the suspect was charged in Nebraska back in August 2012 along with Ivan Viktorovich Klepikov, known by the nick “nowhere” and “petrovich,” and Alexey Dmitrievich Bron, also known as “thehead.” 

**Details of Charges**

In 2014, the US Department of Justice released court documents that revealed Penchukov worked with eight gang members. Together they infected countless business computers with Zeus malware to steal account numbers, passwords, and other sensitive data to hack bank accounts and siphon funds from the victims’ accounts.

They were charged for their role in a botnet-based campaign in which they collected targeted users’ bank account login credentials using Zeus malware and drained funds from their accounts. The gang sent the money outside the USA via an extensive network of money mules.

1.  Arrested: 4 hackers involved in SIM Swap, malware attacks
2.  ATM hacker behind $1 billion malware heists arrested in Spain
3.  Japanese boy arrested for developing crypto-stealing malware
4.  Hacker gets 14 years jail over Scan4You malware scanning service
5.  Malware service operators arrested; offered antivirus bypassing tools

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Ukrainian behind global Zeus malware operation finally caught

A Ukrainian national who has been wanted by the U.S for over a decade has been arrested by Swiss authorities for his role in a notorious cybercriminal ring that stole millions of dollars from victims' bank accounts using malware called Zeus.
Vyacheslav Igorevich Penchukov, who went by online pseu­do­nyms "tank" and "father," is said to have been involved in the day-to-day operations of the group

A Ukrainian national who has been wanted by the U.S for over a decade has been arrested by Swiss authorities for his role in a notorious cybercriminal ring that stole millions of dollars from victims' bank accounts using malware called **Zeus**.

Vyacheslav Igorevich Penchukov, who went by online pseu­do­nyms "tank" and "father," is said to have been involved in the day-to-day operations of the group. He was apprehended on October 23, 2022, and is pending extradition to the U.S.

Details of the arrest were first reported by independent security journalist Brian Krebs.

Penchukov, along with Ivan Viktorovich Klepikov (aka "petrovich" and "nowhere") and Alexey Dmitrievich Bron (aka "thehead"), was first charged in the District of Nebraska in August 2012.

According to court documents released by the U.S. Depart of Justice (DoJ) in 2014, Penchukov and eight other members of the cybercriminal group infected "thousands of business computers" with Zeus, which is capable of stealing passwords, account numbers, and other information relevant to log into online banking accounts.

These captured credentials were then used to siphon funds from the accounts, with the DoJ calling the Jabber Zeus gang a "wide-ranging racketeering enterprise."

The Zeus banking trojan is believed to have been authored by an anonymous individual who is only known by the handle lucky12345, a WIRED report from 2017 said, describing Penchukov as a well-known local DJ with a penchant for high-end BMWs and Porsches.

More importantly, machines infected by the "endlessly adaptable" malware could be folded into a botnet whose power can be harnessed to carry out distributed denial-of-service (DDoS) attacks.

A successor to Zeus, known as Gameover Zeus and which functioned as a peer-to-peer botnet, was temporarily disrupted in 2014 as part of an international law enforcement operation codenamed Tovar.

All the defendants have been accused of conspiracy to participate in racketeering activity, conspiracy to commit computer fraud and identity theft, aggravated identity theft, and multiple counts of bank fraud.

Two of his co-conspirators, Yevhen Kulibaba (aka "jonni") and Yuriy Konovalenko (aka "jtk0"), pleaded guilty in November 2014 after being extradited from the U.K. and were sentenced to two years and 10 months of incarceration on May 28, 2015.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

FBI-Wanted Leader of the Notorious Zeus Botnet Gang Arrested in Geneva

By Owais Sultan
The top causes of cloud hacking have evolved over the years. Currently, APIs are among the top threats to clouds.
This is a post from HackRead.com Read the original post: Cloud Hacking – Why API Remains the Biggest Threat?

Cloud computing is central to digital transformation. Most enterprises use cloud-based services today. They help enterprises remain agile and resilient in the era of constant changes.

 92% of enterprises host resources and functions in the cloud. These resources and functions are vital to business operations. But how secure are clouds? Not very.

98% of enterprises faced cloud hacking, as per a 2021 study. This figure has shot up over 18 months from 10% in 2020. 

The top causes of cloud hacking have evolved over the years. Currently, APIs are among the top threats to clouds. And API security risk is a disturbing trend in cyber security today. Two-thirds of cloud breaches are due to misconfigured APIs.

Why are APIs the top threats to your clouds? What can you do to protect your clouds and the resources hosted? Keep reading to find out. 

**Cloud Hacking: A Snapshot **

First things first, can the cloud be hacked? Yes, absolutely! CISA warned us last year.

Hackers are aware of the criticality of clouds to enterprises today. They also know that many companies use public clouds. Private/ on-premise clouds are more difficult to hack than public clouds.

With public clouds, enterprises and vendors share security responsibilities. There are growing numbers of vulnerabilities in public ones that attackers can exploit. 

Several enterprises also fail to apply adequate security controls to secure the cloud. As a result, we are seeing an increase in the instances of cloud hacking. 

**Why are APIs Top Threats to Cloud Security? **

Insecure APIs and interfaces are among the top threats to cloud security today. They are second on the list after insufficient identity, access, and key management. 

**Ascent of APIs **

APIs weren’t considered a big threat to cloud security in 2019. Back then, API dependency was minimal. Today, our dependence on APIs is growing rapidly. We are shifting away from web-based infrastructures to API infrastructures for apps. Monolithic apps and websites are fewer. 

APIs provide developers with agile, hassle-free building blocks to develop cloud services. They offer much better connectivity. But these benefits also come with several risks. So, we see that they are top security concerns for CISOs. 

**APIs Widen the Attack Surface **

APIs make it easy for cloud hacking by widening the attack surface. How do they widen the attack surface? Because they are everywhere. Their ubiquity creates an interconnected architecture.

A misconfiguration here or a broken access control there is all a hacker needs. They can hack clouds using these vulnerabilities. 

Further, there is a massive rise in the use of external APIs and third-party cloud services. You will have to face the damage if your vendor doesn’t take API security seriously. 90% of data breaches target cloud assets and servers. 

**APIs Create Data Security Problems by Their Very Nature **

APIs ensure easier access and connectivity to resources and data. In other words, they expose data and resources programmatically. You will expose sensitive data residing in the cloud to attackers if you don’t secure APIs. Attackers can then modify, delete, or steal data easily. 

APIs threaten cloud data security because most enterprises don’t have the: 

*   proper access controls
*   real-time visibility 
*   robust data security policies

**Managing APIs is Complex  **

Enterprises use 15,564 APIs on average. API use has grown exponentially within enterprises in the past year at 201%. Larger enterprises use an average of 25,592 APIs.

This makes it difficult for developers to monitor, manage and secure all their APIs. The lack of centralized visibility further augments this challenge. 

As a result, several vulnerabilities and security weaknesses arise. These unmanaged shadow APIs enable attackers to perform cloud hacking easily. Here are some examples of such vulnerabilities: 

*   SaaS misconfigurations 
*   Disabled security controls 
*   Unauthenticated endpoints 
*   Disabled logging and monitoring 

**API Security Myths Cause Poor Security Posture **

Some of these API security myths are:  

*   Port-based blocking works 
*   Signature-based techniques are enough to secure APIs
*   Firewalls, API gateways, and IAM tools are enough to secure APIs 
*   Single, automated tools work effectively against API threats. For instance – next-gen WAFs and Intrusion prevention systems (IPS)

But the reality is starkly different. You need multi-layered, comprehensive API security solutions that combine 

*   Next-gen WAF
*   API-specific rules 
*   Global threat feeds
*   Real-time, centralized visibility 
*   Advanced Bot and DDoS mitigation
*   Self-learning AI, automation, and analytics
*   Behavioral analysis to detect malicious behavior
*   Expertise of certified security professionals to address more complex issues 

Only such solutions ensure that you don’t get blindsided by exposed APIs.

**Conclusion **

Cloud hacking caused by exposed APIs is a big problem for your business. It causes multiple layers of damage to cloud security. Avert these damaging consequences by hardening your API security.

Choose solutions like **Indusface API Protection** for real-time, context-aware, data-aware, fully managed security. 

1.  Explaining Cloud Native Application Security
2.  What are the future prospects of a Cloud architect?
3.  Secure Email Gateway Vs. Integrated Cloud Email Security

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

Cloud Hacking – Why API Remains the Biggest Threat?

By Deeba Ahmed
RapperBot malware is known for brute-forcing SSH servers that can accept password authentication.
This is a post from HackRead.com Read the original post: New RapperBot malware targets gaming servers with DDoS attacks

Fortinet FortiGuard Labs researchers discovered new samples of RapperBot malware, indicating that threat actors are building a botnet to launch crippling distributed denial of service attacks (DDoS attacks) against game servers.

The malware was reported previously in FortiGuard’s article- So RapperBot, What Ya Bruting For?

FortiGurad’s researchers Joie Salvio and Roy Tay noted a drop in the number of samples circulating in the wild in August 2022 from when it was first discovered. They identified new samples from October using the same unique C2 protocol RapperBot malware used earlier. For your information, RapperBot malware is known for brute-forcing SSH servers that can accept password authentication.

This malware is different because it can perform Telnet brute-force apart from supporting DoS attacks through the Generic Routing Encapsulation (GRE) tunneling protocol and UDP floods targeting game servers that run Grand Theft Auto: San Andreas.

The Telnet brute-forcing code is developed for self-propagation. Researchers noted that the Mirai botnet inspires the RapperBot malware since the Telnet code resembles the Mirai Satori.

It is worth noting that Mirai’s source code was leaked in October 2016, and since then, many different variants of Mirai have emerged.

Researchers at FortiGuard are certain that the samples are created for a brand-new DDoS campaign against game servers. It may also be the reappearance of a similar campaign detected earlier in 2022. This new campaign is much different from the older RapperBot campaign detected in February 2022, which later disappeared in April.  

Fortinet researchers wrote in a blog post that the malware could only target appliances running PowerPC, ARM, SH4, SPARC, and MIPS architectures. It can quickly halt its self-propagation mechanism if they are run on Intel chipsets.

> “Based on the undeniable similarities between this new campaign and the previously reported RapperBot campaign, it is highly likely that they are being operated by a single threat actor or by different threat actors with access to a privately-shared base source code.”
> 
> Joie Salvio and Roy Tay – FortiGurad

Top/Featured Image: PixaBay – Victoria\_Watercolor

1.  **Major EU country hit by crippling DDoS attacks**
2.  **Iran’s Largest Steel Producer Hit By Crippling Cyberattack**
3.  **Two major flight tracking services hit by crippling cyberattacks**
4.  **European Banking Authority victim in MS Exchange Server hack**
5.  **Fake WHO Emails on COVID-19 Dropping Nerbian RAT Across Europe**

Tag

#ddos