Security News

Log4Shell exploitation: Which applications may be targeted next?Spring4Shell has dominated the information security news these last six days, but Log4Shell continues to demand attention and action from enterprise defenders as diverse vulnerable applications are being targeted in attacks in the wild. Security flaws found in 82% of public sector software applicationsVeracode has released new findings that show the public sector has the highest proportion of security flaws in its applications and maintains some of the lowest and slowest fix rates compared to other industry sectors.

The U.S. Department of Justice announced that it neutralized Cyclops Blink, a modular botnet controlled by a threat actor known as Sandworm, which has been attributed to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation. "The operation copied and removed malware from vulnerable internet-connected firewall devices that Sandworm used for command-and-control of the underlying botnet," the DoJ said in a statement Wednesday.

The Justice Department today announced a court-authorized operation, conducted in March 2022, to disrupt a two-tiered global botnet of thousands of infected network hardware devices under the control of a threat actor known to security researchers as Sandworm, which the U.S. government has previously attributed to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation. The operation copied and removed malware from vulnerable internet-connected firewall devices that Sandworm used for command and control of the underlying botnet.

"The operation copied and removed malware from vulnerable internet-connected firewall devices that Sandworm used for command and control of the underlying botnet. Although the operation did not involve access to the Sandworm malware on the thousands of underlying victim devices worldwide, referred to as 'bots,' the disabling of the C2 mechanism severed those bots from the Sandworm C2 devices' control," the US DOJ stated. The malware targeted networking devices by WatchGuard and ASUS. "These network devices are often located on the perimeter of a victim's computer network, thereby providing Sandworm with the potential ability to conduct malicious activities against all computers within those networks," the DOJ stated.

The US Justice Department today revealed details of a court-authorized take-down of command-and-control systems the Sandworm cyber-crime ring used to direct network devices infected by its Cyclops Blink malware. The move follows a joint security alert in February from US and UK law enforcement that warned of WatchGuard firewalls and ASUS routers being compromised to run Cyclops Blink.

US government officials announced today the disruption of the Cyclops Blink botnet linked to the Russian-backed Sandworm hacking group before it was used in attacks. The malware, used by Sandworm to create this botnet since at least June 2019, is targeting WatchGuard Firebox firewall appliances and multiple ASUS router models.

A variant of the Mirai botnet called Beastmode has been observed adopting newly disclosed vulnerabilities in TOTOLINK routers between February and March 2022 to infect unpatched devices and expand its reach potentially. "The Beastmode Mirai-based DDoS campaign has aggressively updated its arsenal of exploits," Fortinet's FortiGuard Labs Research team said.

A Mirai-based distributed denial-of-service botnet tracked as Beastmode has updated its list of exploits to include several new ones, three of them targeting various models of Totolink routers. The authors of DDoS botnets did not waste any time and added these flaws to their arsenal to take advantage of the opportunity window before Totolink router owners applied the security updates.

Muhstik, a botnet infamous for propagating via web application exploits, has been observed targeting Redis servers using a recently disclosed vulnerability in the database system. The vulnerability relates to CVE-2022-0543, a Lua sandbox escape flaw in the open-source, in-memory, key-value data store that could be abused to achieve remote code execution on the underlying machine.

The Muhstik malware gang is now actively targeting and exploiting a Lua sandbox escape vulnerability in Redis after a proof-of-concept exploit was publicly released. On March 10th, a proof-of-concept exploit was publicly released on GitHub, allowing malicious actors to run arbitrary Lua scripts remotely, achieving sandbox escape on the target host.