Security News

Law enforcement and judicial authorities worldwide have effected a global takedown of the Emotet botnet, Europol announced today. "The Emotet infrastructure essentially acted as a primary door opener for computer systems on a global scale. Once this unauthorised access was established, these were sold to other top-level criminal groups to deploy further illicit activities such data theft and extortion through ransomware. Investigators have now taken control of its infrastructure in an international coordinated action," they explained.

A recently identified piece of malware is targeting Linux devices to ensnare them into a botnet capable of malicious activities such as distributed denial of service and crypto-mining attacks. Dubbed FreakOut, the malware is infecting devices that haven't yet received patches for three relatively new vulnerabilities, including one that was made public earlier this month.

An ongoing malware campaign has been found exploiting recently disclosed vulnerabilities in network-attached storage devices running on Linux systems to co-opt the machines into an IRC botnet for launching distributed denial-of-service attacks and mining Monero cryptocurrency. Regardless of the vulnerabilities exploited, the end goal of the attacker appears to be to download and execute a Python script named "Out.py" using Python 2, which reached end-of-life last year - implying that the threat actor is banking on the possibility that that victim devices have this deprecated version installed.

Recently discovered Gitpaste-12 worm that spreads via GitHub and also hosts malicious payload on Pastebin, has returned with even more exploits. This time, the advanced worm and botnet has returned with over 30 vulnerability exploits.

Palo Alto Networks security researchers have discovered a Linux-based cryptocurrency-mining botnet that being delivered via PostgreSQL. Dubbed PGMiner, the botnet exploits a remote code execution vulnerability in PostgreSQL to compromise database servers and then abuse them for mining for the Monero cryptocurrency. An open source relational database management system widely used in production environments, PostgreSQL has a "Copy from program" feature that was labeled as a vulnerability, something that the PostgreSQL security team quickly disputed.

A new wormable botnet that spreads via GitHub and Pastebin to install cryptocurrency miners and backdoors on target systems has returned with expanded capabilities to compromise web applications, IP cameras, and routers. Early last month, researchers from Juniper Threat Labs documented a crypto-mining campaign called "Gitpaste-12," which used GitHub to host malicious code containing as many as 12 known attack modules that are executed via commands downloaded from a Pastebin URL. The attacks occurred during a 12-day period starting from October 15, 2020, before both the Pastebin URL and repository were shut down on October 30, 2020.

An innovative Linux-based cryptocurrency mining botnet has been uncovered, which exploits a disputed PostgreSQL remote code-execution vulnerability to compromise database servers. The miner takes a fileless approach, deleting the PostgreSQL table right after code launch, researchers said: PGMiner clears the "Abroxu" table if it exists, creates a new "Abroxu" table with a text column, saves the malicious payload to it, executes the payload on the PostgreSQL server and then clears the created table.

Multiple botnets are targeting thousands of publicly exposed and still unpatched Oracle WebLogic servers to deploy crypto miners and steal sensitive information from infected systems. The attacks are taking aim at a recently patched WebLogic Server vulnerability, which was released by Oracle as part of its October 2020 Critical Patch Update and subsequently again in November in the form of an out-of-band security patch.

An adware and coin-miner botnet targeting Russia, Ukraine, Belarus, and Kazakhstan at least since 2012 has now set its sights on Linux servers to fly under the radar. According to a new analysis published by Intezer today and shared with The Hacker News, the trojan masquerades as HTTPd, a commonly used program on Linux servers, and is a new version of the malware belonging to a threat actor tracked as Stantinko.

The vast number of Internet-of-Things devices are proving to be lucrative for botnet operators to carry out various attacks - from sending spam to launching harmful distributed denial-of-service attacks, according to Derek Manky, Chief of Security Insights & Global Threat Alliances at Fortinet's FortiGuard Labs. Manky said he's seen an increase in a number of botnets made up of compromised IoT devices, which can be attributed to various factors.