Security News
Researchers have uncovered a new worm targeting Linux-based x86 servers, as well as Linux Internet of Things (IoT) devices. Of note, the malware uses GitHub and Pastebin to host its malicious component code, and has at least 12 different attack modules available - leading researchers to call it "Gitpaste-12." It was first detected by Juniper Threat Labs in attacks on Oct. 15, 2020.
A critical vulnerability in a SonicWall enterprise VPN firewall can be exploited to crash the device or remotely execute code on it, reverse engineers said this week. In a statement SonicWall said it "was contacted by a third-party research team regarding issues related to SonicWall next-generation virtual firewall models." The spokesman went on to say that SonicWall's own engineers discovered even more vulnerabilities while reproducing that team's (Tripwire's) findings, and developed patches for the whole lot.
Threatpost editors discuss a cryptomining malware targeting AWS systems, a recent development in a lawsuit against the IBM-owned Weather Channel app, and more.
Cado Security has identified a crypto-mining worm that attempts to steal Amazon Web Services credentials belonging to the organizations whose systems it has infected. The TeamTNT worm can also scan for open Docker APIs, execute Docker images and install itself.
A fileless worm dubbed FritzFrog has been found roping Linux-based devices - corporate servers, routers and IoT devices - running SSH servers into a P2P botnet whose apparent goal is to mine cryptocurrency. At the same time the malware plants a backdoor on each infected machine, allowing the attackers to regain access later even if the SSH password has been changed in the meantime.
A cryptomining worm from the group known as TeamTNT is spreading through the Amazon Web Services cloud and collecting credentials. The attack starts by targeting the way the AWS CLI and SDKs store credentials on a host: in an unencrypted file at ~/.aws/credentials, with additional configuration details in a file at ~/.aws/config.
A malicious cryptocurrency miner and DDoS worm that has been targeting Docker systems for months now also steals Amazon Web Services credentials. The worm still scans for open Docker APIs, then spins up Docker images and installs itself in a new container, but it now also searches for exploitable Kubernetes systems and for files containing AWS credentials and configuration details - just in case the compromised systems run on AWS infrastructure.
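The TeamTNT items above describe two things a host audit can check for directly: the plaintext credential files the worm harvests (~/.aws/credentials and ~/.aws/config) and a Docker API listening on a TCP port. The script below is an added example written for this page; it is not the worm's code and not Cado Security's tooling. It assumes the documented AWS key-ID prefixes (AKIA for long-term IAM user keys, ASIA for temporary STS keys), the standard `ss -ltn` column layout, and Docker's conventional plaintext API port 2375; the credential file and socket listing it runs on are constructed sample data.

```python
"""Host-side audit for the two TeamTNT worm targets described above:
plaintext AWS credential files and an exposed Docker API listener.
Added example for this page, not the worm's code or any vendor's tool."""
import configparser
from pathlib import Path
import re

# Documented AWS access key ID prefixes: AKIA = long-term IAM user key
# (never expires, so a stolen copy stays valid), ASIA = temporary STS key.
LONG_TERM_KEY = re.compile(r"^AKIA[0-9A-Z]{16}$")
TEMP_KEY = re.compile(r"^ASIA[0-9A-Z]{16}$")

# Constructed sample ~/.aws/credentials content (AWS's own documented
# example key IDs; the secrets are placeholders, not real credentials).
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[ci]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
aws_secret_access_key = placeholder-secret
aws_session_token = placeholder-session-token
"""

# Constructed `ss -ltn` output: Docker API on all interfaces and on loopback.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      4096   0.0.0.0:2375        0.0.0.0:*
LISTEN 0      4096   127.0.0.1:2375      0.0.0.0:*
LISTEN 0      511    [::]:80             [::]:*
"""


def parse_aws_credentials(text):
    """Parse the INI-style AWS credential file format and report every
    profile that holds a usable key pair, classifying the key by prefix."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for profile in cp.sections():
        key_id = cp[profile].get("aws_access_key_id", "").strip()
        has_secret = bool(cp[profile].get("aws_secret_access_key", "").strip())
        if not key_id or not has_secret:
            continue  # nothing for a credential-stealer to take here
        if LONG_TERM_KEY.match(key_id):
            kind = "long-term"
        elif TEMP_KEY.match(key_id):
            kind = "temporary"
        else:
            kind = "unknown"
        findings.append({"profile": profile, "key_id": key_id, "kind": kind})
    return findings


def audit_home(home):
    """Check the two files the worm harvests under a given home directory.
    Returns {filename: findings} for each file that exists."""
    report = {}
    for name in ("credentials", "config"):
        path = Path(home) / ".aws" / name
        if path.is_file():
            report[name] = parse_aws_credentials(path.read_text())
    return report


def docker_api_exposed(ss_output):
    """Given `ss -ltn` output, return listen sockets for the plaintext Docker
    API port (2375) that are bound to something other than loopback."""
    exposed = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 4:
            continue
        local = parts[3]  # "Local Address:Port" column
        addr, _, port = local.rpartition(":")
        if port == "2375" and addr not in ("127.0.0.1", "[::1]"):
            exposed.append(local)
    return exposed


if __name__ == "__main__":
    for f in parse_aws_credentials(SAMPLE_CREDENTIALS):
        print(f"profile {f['profile']}: {f['kind']} key {f['key_id']}")
    print("exposed Docker API:", docker_api_exposed(SAMPLE_SS))
    print("live audit of $HOME:", audit_home(Path.home()))
```

On a real host, run `audit_home(Path.home())` for every user and feed the actual `ss -ltn` output into `docker_api_exposed`. A "long-term" finding is the case that matters most: a stolen AKIA key keeps working until someone rotates it, whereas an ASIA key dies with its session.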
Microsoft on Tuesday patched a wormable hole in its Windows Server software that can be exploited remotely, without any authentication, to completely commandeer the machine. Some 18 of the CVE-listed security flaws fixed in the same release are considered critical, meaning remote code execution is possible without user interaction.
A new version of a known malware campaign aimed at installing cryptominers has changed up its tactics, adding attacks on Windows servers and a new pool of exploits to its bag of tricks. The malware is written in Golang. "Although the language is about 10 years old, and is used by many legitimate programmers, there has not been as much activity with Golang malware," according to F5. That said, in April, another wormable Golang loader known as Kinsing was spotted dropping XMRig onto Docker instances.
Microsoft has released an out-of-band emergency patch for a wormable remote-code execution hole in SMBv3, the Windows network file-sharing protocol. The SMB bug fix was a late addition to Microsoft's March edition of Patch Tuesday, after the security hole was accidentally disclosed by the Cisco Talos research team in a blog post recapping the month's updates: Cisco thought Microsoft had fixed the bug that week as part of March's Patch Tuesday, and alerted the world to the bug's presence to get people to install their updates.