Security News

Plex Media servers actively abused to amplify DDoS attacks
2021-02-04 15:54

Plex Media Server systems are actively being abused by DDoS-for-hire services as a UDP reflection/amplification vector in Distributed Denial of Service attacks. "We've seen its use as far back as November when activity ramped up, but most of the time, we see its use is in multi-vector attacks rather than as a primary vector, which can result in some uncertainty in finding an exact day it began to be used," Hummel said when asked of the first time PMSSDP was observed as a DDoS attack amplification vector.

Hezbollah-Linked Lebanese Cedar APT Infiltrates Hundreds of Servers
2021-02-01 21:18

Advanced persistent threat group Lebanese Cedar has compromised at least 250 public-facing servers since early 2020, researchers said, with its latest malware. The group has added new features to its custom "Caterpillar" webshell and the "Explosive RAT" remote access trojan, both of which researchers at ClearSky Security said they linked to the compromise of the public servers [PDF], which allowed widespread espionage.

New Cryptojacking Malware Targeting Apache, Oracle, Redis Servers
2021-02-01 03:15

A financially-motivated threat actor notorious for its cryptojacking attacks has leveraged a revised version of their malware to target cloud infrastructures using vulnerabilities in web server technologies, according to new research. Deployed by the China-based cybercrime group Rocke, the Pro-Ocean cryptojacking malware now comes with improved rootkit and worm capabilities, as well as harbors new evasion tactics to sidestep cybersecurity companies' detection methods, Palo Alto Networks' Unit 42 researchers said in a Thursday write-up.

New Pro-Ocean malware worms through Apache, Oracle, Redis servers
2021-01-29 19:06

The financially-motivated Rocke hackers are using a new piece of cryptojacking malware called Pro-Ocean to target vulnerable instances of Apache ActiveMQ, Oracle WebLogic, and Redis. The new malware is a step up from the previous threat used by the group in that it comes with self-spreading capabilities, blindly throwing exploits at discovered machines.

Elusive Lebanese Threat Actor Compromised Hundreds of Servers
2021-01-29 14:37

A threat actor believed to be tied to the Lebanese government has compromised hundreds of servers pertaining to organizations worldwide, while maintaining a low profile, threat intelligence firm ClearSky reveals. Referred to as Lebanese Cedar or Volatile Cedar, the advanced persistent threat group has been active since 2012, but operated under the radar since 2015, after its activity was detailed by cybersecurity companies.

How to install and use ClamAV on Ubuntu Server 20.04
2021-01-28 19:09

I'm going to walk you through the installation of ClamAV on Ubuntu Server 20.04. How to install ClamAV. ClamAV is not installed by default.

Hezbollah hackers attack unpatched Atlassian servers at telcos, ISPs
2021-01-28 18:42

Volatile Cedar, an advanced hacker group believed to be connected to the Lebanese Hezbollah Cyber Unit, has been silently attacking companies around the world in espionage operations. Using common web shell utilities as the main hacking tool and rarely relying on other tools, which hindered attribution.

Threat Actors Can Exploit Windows RDP Servers to Amplify DDoS Attacks
2021-01-22 12:45

Netscout so far has identified more than 14,000 "Abusable" Windows RDP servers that can be misused by attackers in DDoS attacks-troubling news at a time when this type of attack is on the rise due to the increased volume of people online during the ongoing coronavirus pandemic. What's more, while initially only advanced attackers with access to "Bespoke DDoS attack infrastructure" used this method of amplification, researchers also observed RDP servers being abused in DDoS-for-hire services by so-called "Booters," they said.

Thousands of Unprotected RDP Servers Can Be Abused for DDoS Attacks
2021-01-22 12:03

Windows admins can configure RDP to run on TCP port 3389 or UDP port 3389, and if the latter is enabled, the system can be abused to launch DDoS attacks that have an amplification ratio of 85.9:1. The company has reported seeing roughly 14,000 unprotected RDP servers that can be abused for such attacks.

SQL Server Malware Tied to Iranian Software Firm, Researchers Allege
2021-01-21 19:42

Now, researchers with Sophos have tracked the origin of the campaign to what they claim is a small software development company based in Iran. "The name of an Iran-based software company was hardcoded into the miner's main configuration file," said researchers with Sophos in a Thursday analysis.