Security News

Microsoft says the Sysrv botnet is now exploiting vulnerabilities in the Spring Framework and WordPress to ensnare and deploy cryptomining malware on vulnerable Windows and Linux servers. "The new variant, which we call Sysrv-K, sports additional exploits and can gain control of web servers" by exploiting various vulnerabilities, the Microsoft Security Intelligence team said in a Twitter thread. "These vulnerabilities, which have all been addressed by security updates, include old vulnerabilities in WordPress plugins, as well as newer vulnerabilities like CVE-2022-22947."

The Emotet malware is having a burst in distribution and is likely to soon switch to new payloads that are currently detected by fewer antivirus engines. Emotet is a self-propagating modular trojan that can maintain persistence on the host.

Microsoft and a consortium of cybersecurity companies took legal and technical steps to disrupt the ZLoader botnet, seizing control of 65 domains that were used to control and communicate with the infected hosts. "ZLoader is made up of computing devices in businesses, hospitals, schools, and homes around the world and is run by a global internet-based organized crime gang operating malware as a service that is designed to steal and extort money," Amy Hogan-Burney, general manager of Microsoft's Digital Crimes Unit, said.

Microsoft has announced a months-long effort to take control of 65 domains that the ZLoader criminal botnet gang has been using as command-and-control servers. The tech giant's Digital Crimes Unit obtained a court order to take down the domains, which are now directed to a Microsoft-controlled sinkhole so they can't communicate with the botnet.

A threat group that pursues crypto mining and distributed denial-of-service attacks has been linked to a new botnet called Enemybot, which has been discovered enslaving routers and Internet of Things devices since last month. "This botnet is mainly derived from Gafgyt's source code but has been observed to borrow several modules from Mirai's original source code," Fortinet FortiGuard Labs said in a report this week.

The recently disclosed critical Spring4Shell vulnerability is being actively exploited by threat actors to execute the Mirai botnet malware, particularly in the Singapore region since the start of April 2022. The development comes as the U.S. Cybersecurity and Infrastructure Security Agency earlier this week added the Spring4Shell vulnerability to its Known Exploited Vulnerabilities Catalog based on "Evidence of active exploitation."

A rapidly growing botnet is ensnaring routers, DVRs, and servers across the Internet to target more than 100 victims every day in distributed denial-of-service attacks. The number of unique IP addresses linked to the botnet also oscillates, with 360 Netlab saying that they're tracking a 10,000-strong Fodcha army of bots using Chinese IP addresses every day, most of them using the services of China Unicom and China Telecom.

A new Mirai-based botnet malware named Enemybot has been observed growing its army of infected devices through vulnerabilities in modems, routers, and IoT devices, with the threat actor operating it known as Keksec. The particular threat group specializes in crypto-mining and DDoS; both supported by botnet malware that can nest in IoT devices and hijack their computational resources.

A prolific threat group known for deploying distributed denial-of-service and cryptomining attacks is running a new botnet that is built using the Linux-based Gafgyt source code along with some code from the Mirai botnet malware. Keksec is using the Enemybot malware as a classic botnet, rolling up compromised Internet of Things devices into a larger botnet that can be used to launch DDoS attacks.

There has been a land rush of sorts among threat groups trying to use the vulnerability discovered in the open-source Spring Framework last month, and now researchers at Trend Micro are saying it's being actively exploited to execute the Mirai botnet. The Mirai malware is a long-running threat that has been around since 2016 and is used to pull smaller networked and Internet of Things devices such as IP cameras and routers into a botnet that can then be used in such campaigns as distributed denial-of-service and phishing attacks.