Security News

Mozi, a peer-to-peer botnet known to target IoT devices, has gained new capabilities that allow it to achieve persistence on network gateways manufactured by Netgear, Huawei, and ZTE, according to new findings. "Network gateways are a particularly juicy target for adversaries because they are ideal as initial access points to corporate networks," researchers at Microsoft Security Threat Intelligence Center and Section 52 at Azure Defender for IoT said in a technical write-up.

The main components of the security tool are the Cobalt Strike client - also known as a Beacon - and the Cobalt Strike team server, which sends commands to infected computers and receives the data they exfiltrate. An attacker starts by spinning up a machine running Team Server that has been configured to use specific "Malleability" customizations, such as how often the client is to report to the server or specific data to periodically send.

An Estonian national has pleaded guilty in a United States court to two counts of computer fraud and abuse over his role in creating and operating a proxy botnet. He then used these devices to create an Internet of Things botnet called "Russian2015," which he operated using the domain Russian2015.

Threat actors behind the infamous TrickBot malware have been linked to a new ransomware strain named "Diavol," according to the latest research. Diavol and Conti ransomware payloads were deployed on different systems in a case of an unsuccessful attack targeting one of its customers earlier this month, researchers from Fortinet's FortiGuard Labs said last week.

Cybersecurity researchers on Thursday revealed details about a new Mirai-inspired botnet called "Mirai ptea" that leverages an undisclosed vulnerability in digital video recorders provided by KGUARD to propagate and carry out distributed denial-of-service attacks. Chinese security firm Netlab 360 pinned the first probe against the flaw on March 23, 2021, before it detected active exploitation attempts by the botnet on June 22, 2021.

Russian national Oleg Koshkin was convicted for charges related to the operation of a malware crypter service used by the Kelihos botnet to obfuscate malware payloads and evade detection. "In particular, Koshkin worked with Peter Levashov, the operator of the Kelihos botnet, to develop a system that would allow Levashov to crypt the Kelihos malware multiple times each day," the Department of Justice said.

A recently developed botnet named "Simps" has emerged from the cyber-underground to carry out distributed denial-of-service attacks on gaming targets and others, using internet of things nodes. According to the Uptycs' threat research team, Simps was first seen in April being dropped on IoT devices by the Gafgyt botnet.

The Lemon Duck cryptocurrency-mining botnet has added the ProxyLogon group of exploits to its bag of tricks, targeting Microsoft Exchange servers. That's according to researchers at Cisco Talos, who said that the cybercrime group behind Lemon Duck has also added the Cobalt Strike attack framework into its malware toolkit and has beefed up anti-detection capabilities.

Roughly one million computers are getting rid of the Emotet malware after law enforcement agencies served them an update meant to trigger an uninstall process on April 25. One of the most prevalent threats of the past half a decade, Emotet first emerged in 2014 as a banking Trojan, but evolved into a malware downloader that was employed by many cybercriminals to distribute various payloads.

A heretofore little-seen botnet dubbed Prometei is taking a page from advanced persistent threat cyberattackers: The malware is exploiting two of the Microsoft Exchange vulnerabilities collectively known as ProxyLogon, in order to drop a Monero cryptominer on its targets. The report noted that Cybereason has recently seen wide swathes of Prometei attacks on a variety of industries, including construction, finance, insurance, manufacturing, retail, travel and utilities.