Security News

New SEO Poisoning Campaign Distributing Trojanized Versions of Popular Software
2022-02-03 02:49

An ongoing search engine optimization (SEO) poisoning campaign has been observed abusing trust in legitimate software utilities to trick users into downloading the BATLOADER malware onto their machines. "The threat actor used 'free productivity apps installation' or 'free software development tools installation' themes as SEO keywords to lure victims to a compromised website and to download a malicious installer," researchers from Mandiant said in a report published this week.

SEO poisoning pushes malware-laced Zoom, TeamViewer, Visual Studio installers
2022-02-02 14:46

A new SEO poisoning campaign is underway, dropping the Batloader malware and the Atera Agent remote-management tool onto the systems of professionals searching for productivity tool downloads such as Zoom, TeamViewer, and Visual Studio. These campaigns rely on compromising legitimate websites to plant malicious files or URLs that redirect users to sites hosting malware disguised as popular apps.

New Side Channel Attacks Re-Enable Serious DNS Cache Poisoning Attacks
2021-11-18 22:50

Researchers have demonstrated yet another variant of the SAD DNS cache poisoning attack that leaves about 38% of domain name resolvers vulnerable, enabling attackers to redirect traffic originally destined for legitimate websites to a server under their control. DNS cache poisoning, also called DNS spoofing, is a technique in which corrupt data is introduced into a DNS resolver's cache, so that DNS queries return an incorrect response for a trusted domain and users are directed to malicious websites.
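The mechanics behind the item above, as an added illustration (this is constructed example code, not code from the article or from the SAD DNS researchers): an off-path attacker cannot see the resolver's outbound query, so a spoofed answer is only cached if it guesses both the 16-bit transaction ID and the resolver's UDP source port. The toy resolver below applies exactly that check. With a fixed source port (the pre-2008 situation that the Kaminsky attack exploited) the attacker needs at most 65536 packets; with a randomized port the blind search space is roughly 2^32 and the flood fails within any realistic budget; if a side channel leaks the port (the SAD DNS family), the search collapses back to 65536. The `known_port` argument stands in for that leak; the resolver class, the packet budget, the domain name and the documentation-range IP addresses are all assumptions of this example.

```python
"""Toy model of blind (off-path) DNS cache poisoning.

A resolver caches only a response whose transaction ID and destination port
match a query it has outstanding. Constructed example: names and addresses
are placeholders from documentation ranges.
"""
import random
from dataclasses import dataclass

TXID_SPACE = 1 << 16   # 16-bit DNS transaction ID
PORT_SPACE = 1 << 16   # 16-bit UDP port


@dataclass(frozen=True)
class Query:
    name: str
    txid: int
    sport: int


@dataclass(frozen=True)
class Response:
    name: str
    txid: int
    dport: int
    answer: str


class Resolver:
    """Minimal caching resolver; txid/port pickers are injectable so runs are reproducible."""

    def __init__(self, pick_txid=lambda: random.randrange(TXID_SPACE),
                 pick_port=lambda: random.randrange(1024, PORT_SPACE)):
        self.pick_txid, self.pick_port = pick_txid, pick_port
        self.pending: dict[str, Query] = {}
        self.cache: dict[str, str] = {}

    def ask(self, name: str) -> Query:
        """Emit an upstream query. An attacker can trigger this but cannot observe it."""
        q = Query(name, self.pick_txid(), self.pick_port())
        self.pending[name] = q
        return q

    def receive(self, r: Response) -> bool:
        """Accept a response only if it matches an outstanding query; otherwise drop it."""
        q = self.pending.get(r.name)
        if q is None or r.txid != q.txid or r.dport != q.sport:
            return False
        self.cache[r.name] = r.answer
        del self.pending[r.name]
        return True

    def lookup(self, name: str):
        """What clients get back: the cached answer, poisoned or not."""
        return self.cache.get(name)


def poison(resolver, name, rogue_ip, known_port=None, budget=1 << 17):
    """Flood spoofed responses at a resolver with a pending query for `name`.

    Returns the number of packets sent before one was cached, or None if the
    budget ran out (modelling the legitimate answer arriving first).
    known_port models an attacker who knows the source port, either because
    the resolver never randomizes it or because a side channel leaked it.
    """
    ports = [known_port] if known_port is not None else range(PORT_SPACE)
    sent = 0
    for dport in ports:
        for txid in range(TXID_SPACE):
            if sent >= budget:
                return None
            sent += 1
            if resolver.receive(Response(name, txid, dport, rogue_ip)):
                return sent
    return None


if __name__ == "__main__":
    target, rogue = "bank.example", "203.0.113.66"

    legacy = Resolver(pick_port=lambda: 53)   # fixed source port: attacker knows it
    legacy.ask(target)
    print("fixed port  :", poison(legacy, target, rogue, known_port=53), legacy.lookup(target))

    modern = Resolver()                       # randomized port, attacker blind
    modern.ask(target)
    print("random port :", poison(modern, target, rogue), modern.lookup(target))

    leaked = Resolver()                       # randomized port, but leaked via side channel
    q = leaked.ask(target)
    print("leaked port :", poison(leaked, target, rogue, known_port=q.sport), leaked.lookup(target))
```

The blind case is deterministic here: ephemeral ports start at 1024, so a 2^17-packet budget only ever covers destination ports 0 and 1 across the full transaction-ID range, which is why port randomization alone defeats the flood until something leaks the port. The model omits what real mitigations add on top (0x20 case randomization, DNS cookies, DNSSEC validation, and rate limiting of ICMP so the port cannot be inferred), all of which raise the cost beyond a single guessed field.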

Ransomware gangs use SEO poisoning to infect visitors
2021-10-28 13:02

Researchers have spotted two campaigns linked to either the REvil ransomware gang or the SolarMarker backdoor that use SEO poisoning to serve payloads to targets. SEO poisoning, also known as "Search poisoning," is an attack method that relies on optimizing websites using 'black hat' SEO techniques to rank higher in Google search results.

Microsoft: SEO poisoning used to backdoor targets with malware
2021-06-14 16:30

Microsoft is tracking a series of attacks that use SEO poisoning to infect targets with a remote access trojan capable of stealing the victims' sensitive information and backdooring their systems. The malware delivered in this campaign is SolarMarker, a .NET RAT that runs in memory and is used by attackers to drop other payloads on infected devices.

Hackers tried poisoning town after breaching its water facility
2021-02-08 22:50

A hacker gained access to the water treatment system for the city of Oldsmar, Florida, and attempted to increase the concentration of sodium hydroxide, also known as lye or caustic soda, to extremely dangerous levels. The attack on the Oldsmar water treatment plant's computer system happened on Friday at 1:30 PM, through remote desktop software that allowed authorized users to troubleshoot system problems remotely.

Hacker Tried Poisoning Water Supply After Breaking Into Florida's Treatment System
2021-02-08 22:49

Hackers successfully infiltrated the computer system controlling a water treatment facility in the U.S. state of Florida and remotely changed a setting that drastically altered the levels of sodium hydroxide in the water. "At no time was there a significant effect on the water being treated, and more importantly the public was never in danger," Sheriff Gualtieri said in a statement.

Remote Hacker Caught Poisoning Florida City Water Supply
2021-02-08 22:11

U.S. law enforcement agencies are investigating a remote compromise of a Florida city's water plant, warning that the hackers tried to poison the water supply serving approximately 15,000 residents. The hack was spotted on February 5th - and neutralized - in real time by staff at the plant that supplies water to Oldsmar, a small city close to Tampa, Florida.

DNSpooq Flaws Expose Millions of Devices to DNS Cache Poisoning, Other Attacks
2021-01-20 11:37

Researchers at Israel-based boutique cybersecurity consultancy JSOF this week disclosed the details of seven potentially serious DNS-related vulnerabilities in Dnsmasq that could expose millions of devices to various types of attacks. Dnsmasq's DNS subsystem "Provides a local DNS server for the network, with forwarding of all query types to upstream recursive DNS servers and caching of common record types."

Dnsmasq vulnerabilities open networking devices, Linux distros to DNS cache poisoning
2021-01-19 12:32

Seven vulnerabilities affecting Dnsmasq, a caching DNS and DHCP server used in a variety of networking devices and Linux distributions, could be leveraged to mount DNS cache poisoning attacks and/or to compromise vulnerable devices. "Some of the bigger users of Dnsmasq are Android/Google, Comcast, Cisco, Red Hat, Netgear, and Ubiquiti, but there are many more. All major Linux distributions offer Dnsmasq as a package, but some use it more than others, e.g., in OpenWRT it is used a lot, Red Hat use it as part of their virtualization platforms, Google uses it for Android hotspots, while, for example, Ubuntu just has it as an optional package," Shlomi Oberman, CEO and researcher at JSOF, told Help Net Security.