Security News

A financially-motivated threat actor notorious for its cryptojacking attacks has leveraged a revised version of their malware to target cloud infrastructures using vulnerabilities in web server technologies, according to new research. Deployed by the China-based cybercrime group Rocke, the Pro-Ocean cryptojacking malware now comes with improved rootkit and worm capabilities, as well as harbors new evasion tactics to sidestep cybersecurity companies' detection methods, Palo Alto Networks' Unit 42 researchers said in a Thursday write-up.

The financially-motivated Rocke hackers are using a new piece of cryptojacking malware called Pro-Ocean to target vulnerable instances of Apache ActiveMQ, Oracle WebLogic, and Redis. The new malware is a step up from the previous threat used by the group in that it comes with self-spreading capabilities, blindly throwing exploits at discovered machines.

A threat actor believed to be tied to the Lebanese government has compromised hundreds of servers pertaining to organizations worldwide, while maintaining a low profile, threat intelligence firm ClearSky reveals. Referred to as Lebanese Cedar or Volatile Cedar, the advanced persistent threat group has been active since 2012, but operated under the radar since 2015, after its activity was detailed by cybersecurity companies.

I'm going to walk you through the installation of ClamAV on Ubuntu Server 20.04. How to install ClamAV. ClamAV is not installed by default.

Volatile Cedar, an advanced hacker group believed to be connected to the Lebanese Hezbollah Cyber Unit, has been silently attacking companies around the world in espionage operations. Using common web shell utilities as the main hacking tool and rarely relying on other tools, which hindered attribution.

Netscout so far has identified more than 14,000 "Abusable" Windows RDP servers that can be misused by attackers in DDoS attacks-troubling news at a time when this type of attack is on the rise due to the increased volume of people online during the ongoing coronavirus pandemic. What's more, while initially only advanced attackers with access to "Bespoke DDoS attack infrastructure" used this method of amplification, researchers also observed RDP servers being abused in DDoS-for-hire services by so-called "Booters," they said.

Windows admins can configure RDP to run on TCP port 3389 or UDP port 3389, and if the latter is enabled, the system can be abused to launch DDoS attacks that have an amplification ratio of 85.9:1. The company has reported seeing roughly 14,000 unprotected RDP servers that can be abused for such attacks.

Now, researchers with Sophos have tracked the origin of the campaign to what they claim is a small software development company based in Iran. "The name of an Iran-based software company was hardcoded into the miner's main configuration file," said researchers with Sophos in a Thursday analysis.

Windows Remote Desktop Protocol servers are now being abused by DDoS-for-hire services to amplify Distributed Denial of Service attacks. The Microsoft RDP service is a built-in Windows service running on TCP/3389 and/or UDP/3389 that enables authenticated remote virtual desktop infrastructure access to Windows servers and workstations.

Windows Remote Desktop Protocol servers are now being abused by DDoS-for-hire services to amplify Distributed Denial of Service attacks. The Microsoft RDP service is a built-in Windows service running on TCP/3389 and/or UDP/3389 that enables authenticated remote virtual desktop infrastructure access to Windows servers and workstations.