Security Center: LockBit needs only a few hours to encrypt hundreds of devices

Welcome to the next episode of the Xopero Security Center! There is new ransomware offered as a RaaS, named LockBit, that needs only a few hours to encrypt an entire network. This is really alarming: the faster the encryption gets, the greater the chances that the attackers will not be detected before the damage is done.

LockBit ransomware needs only a few hours to encrypt hundreds of devices connected to your corporate network

There is a new player on the Ransomware-as-a-Service (RaaS) market. Under this arrangement, the LockBit developers keep a percentage of each ransom payment, typically around 25-40%, while the affiliates who carry out the intrusions receive the larger share, about 60-75%.

How fast? 25 servers and 225 workstations in just three hours – that fast. According to Patrick Van Looy, a cybersecurity specialist at Northwave, the hackers gained access to the corporate network by brute-forcing an administrator account through an outdated VPN service. Once inside, the attacker launched the ransomware almost immediately. Initial access took place at around 1:00 AM, the ransomware was launched right after, and at around 4:00 AM the attacker logged off. A textbook hit-and-run scenario.

When executed, in addition to encrypting the device’s files, LockBit sends ARP requests to find other active hosts on the network and then attempts to connect to them over SMB. If the ransomware can reach a computer via SMB, it issues a remote PowerShell command that downloads the ransomware and executes it. As more computers on the network become infected, each of them helps to speed up the deployment of the ransomware to the rest of the network, so the spread accelerates rather than staying linear. A fast attack is usually a successful one too: the longer attackers move through the network by hand, the greater the chances they will be detected, and self-propagation removes most of that hands-on lateral movement.
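The propagation pattern described above (one host suddenly talking SMB to every neighbour it found via ARP) is visible in plain network connection logs long before the encryption notes appear. The following is an added example, not code from the original article or from the Northwave report: a small sliding-window detector that flags any source reaching an unusual number of distinct hosts on TCP/445 within a few minutes. The connection records are constructed for this example in a Zeek conn.log-like shape; the IPs, timestamps and the threshold of ten targets are assumptions you would tune to your own environment.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records (timestamp, source, destination, destination port)
# in a Zeek conn.log-like shape. They are made up for this example, not data
# from the incident above. 10.20.5.41 plays the first infected host sweeping
# the subnet over SMB, 10.20.5.7 a second infected host that has only just
# started, and 10.20.5.90 a normal client talking to a single file server.
SAMPLE_CONNS = """
2020-05-03T01:07:12 10.20.5.41 10.20.5.1 445
2020-05-03T01:07:13 10.20.5.41 10.20.5.2 445
2020-05-03T01:07:13 10.20.5.41 10.20.5.3 445
2020-05-03T01:07:14 10.20.5.41 10.20.5.4 445
2020-05-03T01:07:14 10.20.5.41 10.20.5.5 445
2020-05-03T01:07:15 10.20.5.41 10.20.5.6 445
2020-05-03T01:07:15 10.20.5.41 10.20.5.7 445
2020-05-03T01:07:16 10.20.5.41 10.20.5.8 445
2020-05-03T01:07:16 10.20.5.41 10.20.5.9 445
2020-05-03T01:07:17 10.20.5.41 10.20.5.10 445
2020-05-03T01:07:17 10.20.5.41 10.20.5.11 445
2020-05-03T01:07:18 10.20.5.41 10.20.5.12 445
2020-05-03T01:07:20 10.20.5.41 203.0.113.10 443
2020-05-03T01:08:40 10.20.5.7 10.20.5.13 445
2020-05-03T01:08:41 10.20.5.7 10.20.5.14 445
2020-05-03T01:08:41 10.20.5.7 10.20.5.15 445
2020-05-03T01:08:42 10.20.5.7 10.20.5.16 445
2020-05-03T01:08:42 10.20.5.7 10.20.5.17 445
2020-05-03T01:05:00 10.20.5.90 10.20.5.200 445
2020-05-03T01:06:30 10.20.5.90 10.20.5.200 445
2020-05-03T01:09:00 10.20.5.90 10.20.5.200 445
"""


def parse_conns(text):
    """Parse the whitespace-separated sample format into tuples."""
    conns = []
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split()
        conns.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return conns


def smb_fanout(conns, window=timedelta(minutes=5), min_targets=10, ports=(445,)):
    """Return {source: [distinct SMB targets]} for every source that reached at
    least min_targets distinct hosts on the given ports within any sliding
    window of the given length. A normal workstation talks to a handful of
    file servers; a self-propagating payload talks to everything that answered ARP."""
    by_src = defaultdict(list)
    for ts, src, dst, port in conns:
        if port in ports:
            by_src[src].append((ts, dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()  # destination -> connections currently inside the window
        left = 0
        for ts, dst in events:
            in_window[dst] += 1
            # slide the left edge forward until the window fits again
            while ts - events[left][0] > window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            if len(in_window) >= min_targets:
                hits.setdefault(src, set()).update(in_window)
    return {src: sorted(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for src, targets in smb_fanout(parse_conns(SAMPLE_CONNS)).items():
        print(f"{src} reached {len(targets)} hosts on 445: {', '.join(targets)}")
```

With the defaults only 10.20.5.41 is reported; lowering `min_targets` to 5 also catches the second host while it is still early in its sweep, which is the trade-off against noise from legitimate fan-out sources such as vulnerability scanners, backup servers and management tooling, so keep an allowlist of those before alerting on this.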

Read more

A new Kaiji botnet targets IoT and Linux based servers for the sole purpose of launching DDoS attacks

Named Kaiji, the malware is very different from other IoT malware strains, primarily because it’s written in the Go programming language, rather than C or C++, the two languages in which most IoT malware is coded these days.

According to security researchers, Kaiji has already been spotted in the wild and is slowly spreading across the world, making new victims. Intezer's researchers say that for the moment the botnet is not capable of using exploits to infect unpatched devices. Instead, Kaiji runs brute-force attacks against IoT devices and Linux servers that have left their SSH port exposed on the internet. Only the “root” account is targeted, because the botnet needs root access on infected devices in order to manipulate raw network packets for the DDoS attacks the operators want to carry out.

Once it gains access to a device’s root account, Kaiji uses the device in three ways. First, for DDoS attacks. Second, to carry out further SSH brute-force attacks against other devices. Third, it steals any local SSH keys and spreads to other devices the root account has managed in the past, so one weak root password can hand over every host that root was trusted to reach.
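Both Kaiji behaviours above have a configuration-side answer: a root account that cannot authenticate with a password cannot be brute-forced, and a hashed known_hosts file gives a key-stealing intruder no list of where those keys are accepted. The following is an added example, not code from the original article or from Intezer: a small audit that reads an sshd_config and a known_hosts file and reports both exposures, with a weak config shown beside a hardened one. The sample files are constructed for this example; the hostnames and keys in them are placeholders, and the parser assumes it only needs the global policy (conditional `Match` blocks are skipped).

```python
# Constructed sample files for this example; nothing here is from a real host.
WEAK_SSHD_CONFIG = """
# weak: root may log in with a password, which is exactly what Kaiji brute-forces
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_SSHD_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""

SAMPLE_KNOWN_HOSTS = """
# hashed entry (HashKnownHosts yes): the peer's name is not recoverable by reading
|1|notarealsalt=|notarealhash= ssh-ed25519 AAAAC3NotARealKey
nas01.example.internal,10.20.5.200 ssh-rsa AAAAB3NotARealKey
[backup.example.internal]:2222 ecdsa-sha2-nistp256 AAAAE2NotARealKey
@cert-authority *.example.internal ssh-ed25519 AAAAC3NotARealKey
"""


def parse_sshd_config(text):
    """Return {keyword(lowercase): value} using sshd's first-occurrence-wins rule.
    Assumption: only the global section matters, so 'Match' blocks are skipped."""
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        settings.setdefault(key, value)
    return settings


def audit_sshd(text):
    """Return a list of findings describing how Kaiji-style root brute force could succeed."""
    cfg = parse_sshd_config(text)
    # OpenSSH defaults when a keyword is absent: PermitRootLogin is
    # prohibit-password (since 7.0) and PasswordAuthentication is yes.
    root = cfg.get("permitrootlogin", "prohibit-password")
    password = cfg.get("passwordauthentication", "yes")
    findings = []
    if root == "yes" and password == "yes":
        findings.append("root can log in with a password: set PermitRootLogin no (or prohibit-password)")
    if password == "yes":
        findings.append("password authentication is enabled: set PasswordAuthentication no and use keys")
    return findings


def exposed_known_hosts(text):
    """Return every host pattern an intruder could read from an unhashed known_hosts."""
    exposed = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):  # @cert-authority / @revoked marker
            fields = fields[1:]
        hosts = fields[0]
        if hosts.startswith("|1|"):  # hashed entry, nothing to harvest
            continue
        exposed.extend(hosts.split(","))
    return exposed


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd(cfg) or ["no findings"])
    print("readable targets in known_hosts:", exposed_known_hosts(SAMPLE_KNOWN_HOSTS))
```

Existing plaintext entries can be converted in place with `ssh-keygen -H -f /root/.ssh/known_hosts`, and `HashKnownHosts yes` in ssh_config keeps new ones hashed. Hashing known_hosts only removes one map; shell history, `~/.ssh/config` and unencrypted private keys still tell an intruder where root has been, so passphrase-protect the keys too.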

Read more

Looking for Tesla car parts on eBay? There is a chance you will get sensitive user data in the package as an extra

It looks like Tesla forgot to wipe customers' personal information from infotainment and Autopilot hardware that had been removed from cars and then resold. “Bad news Sunday. If you had infotainment computer in your Tesla replaced (model3 FSD upgrade, mcu2 retrofit, mcu1 emmc fix or any other fix requiring computer swap) – consider all accounts you logged into from the car compromised and change pwds,” said the white hat hacker GreenTheOnly in a Twitter post on May 3.

While ordinary vehicle infotainment systems can store phone numbers, audio media and addresses, Tesla components also hold credentials for video- and audio-streaming platforms such as Netflix and Spotify. In some of the systems the researcher found Netflix session cookies that could be used to gain access to the owner’s account, while others contained stored Gmail cookies, WiFi passwords and Spotify passwords in plain text. Are you planning to sell your Tesla? Experts advise wiping the data from the infotainment system manually. If you are having the car upgraded with new hardware, make sure that the service center properly disposes of the old units and deletes any existing information from them.

Read more

There is new macOS spyware hidden in a 2FA application

Lazarus Group has added a new variant of the Dacls remote-access trojan (RAT) to its toolbox, and it is now spreading via a trojanized two-factor authentication (2FA) application called MinaOTP. The malicious executable sits in the fake application's “Contents/Resources/Base.lproj/” directory and pretends to be a nib file (interface data rather than code). Once it starts, it creates a property list (.plist) file that tells the system which program to execute after reboot; the content of the .plist file is hardcoded within the application. This ensures persistence, analysts noted. The malware also has a configuration file, encrypted with AES, that pretends to be a database file related to the Apple Store.
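The persistence trick above, a launchd property list pointing at a file that is dressed up as a nib, is cheap to hunt for: a launchd job whose program lives under `Contents/Resources/` or carries a data-file extension is wrong by construction, because real bundle executables live under `Contents/MacOS/`. The following is an added example, not code from the original article or from the Dacls analysis: it parses launchd plists with the standard library and flags such jobs. The two plists are constructed for this example; the label, file name `Menu.nib` and paths are invented for illustration and are not indicators from the real malware, and the directories scanned by `scan_launchd_dirs` are the standard launchd locations, assumed here rather than taken from the article.

```python
import glob
import os
import plistlib

# Constructed launchd property lists. The bundle name follows the trojanized
# app described above, but the label, file name and paths are invented.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.minaotp.helper</string>
    <key>ProgramArguments</key>
    <array><string>/Applications/MinaOTP.app/Contents/Resources/Base.lproj/Menu.nib</string></array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>
"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.backupagent</string>
    <key>Program</key><string>/Applications/BackupAgent.app/Contents/MacOS/BackupAgent</string>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Extensions that denote data, never a Mach-O executable, and directories a
# legitimate launchd job has no business starting from.
DATA_SUFFIXES = (".nib", ".plist", ".strings", ".png", ".db", ".json")
ODD_LOCATIONS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def launch_program(plist):
    """launchd runs Program if present, otherwise ProgramArguments[0]."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def assess_launchd_plist(data):
    """Parse one launchd plist and explain why its program path looks wrong, if it does."""
    plist = plistlib.loads(data)
    program = launch_program(plist)
    reasons = []
    if program is None:
        reasons.append("no Program or ProgramArguments")
    else:
        if program.lower().endswith(DATA_SUFFIXES):
            reasons.append("program path has a data-file extension")
        if ".app/" in program and "/Contents/MacOS/" not in program:
            reasons.append("app bundle program is outside Contents/MacOS")
        for loc in ODD_LOCATIONS:
            if loc in program:
                reasons.append(f"program lives under {loc}")
    # RunAtLoad starts the job at boot/login; KeepAlive (bool or dict) restarts it.
    persistent = bool(plist.get("RunAtLoad")) or bool(plist.get("KeepAlive"))
    return {"label": plist.get("Label"), "program": program,
            "persistent": persistent, "suspicious": bool(reasons), "reasons": reasons}


def scan_launchd_dirs(dirs=("/Library/LaunchDaemons", "/Library/LaunchAgents",
                            os.path.expanduser("~/Library/LaunchAgents"))):
    """Run the assessment over every plist in the standard launchd directories."""
    findings = []
    for d in dirs:
        for path in glob.glob(os.path.join(d, "*.plist")):
            try:
                with open(path, "rb") as f:
                    result = assess_launchd_plist(f.read())
            except Exception:  # unreadable or binary-corrupt plist: skip, do not crash the sweep
                continue
            if result["suspicious"]:
                result["path"] = path
                findings.append(result)
    return findings


if __name__ == "__main__":
    for sample in (SUSPECT_PLIST, BENIGN_PLIST):
        print(assess_launchd_plist(sample))
    for finding in scan_launchd_dirs():
        print(finding["path"], finding["reasons"])
```

Run it as the user whose LaunchAgents you want to cover, and as root for the LaunchDaemons directory. The path checks are heuristics: they will not catch a job that points at a normally named binary, so pair them with code-signature checks on the program itself.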

To connect to the C2 server, the application first establishes a TLS connection and then performs beaconing; the data sent over that TLS session is additionally encrypted with the RC4 algorithm. After connecting to the C2 and updating the config file, the malware uploads information collected from the victim’s machine. It also loads several modules.

Read more

Cereals, a botnet that appears to have had just one purpose: downloading anime

For almost eight years, a hacker has silently hijacked D-Link NVRs and NAS devices into a botnet. First spotted in 2012, the botnet reached its peak in 2015 when it amassed more than 10,000 bots. Nowadays it is slowly disappearing, as the vulnerable D-Link devices have started ageing and are being decommissioned. The botnet’s decline was also accelerated when a ransomware strain named Cr1ptT0r wiped the Cereals malware from many D-Link systems in the winter of 2019.

What is really unusual is that the Cereals botnet exploited just one vulnerability during its entire eight-year life. The vulnerability resided in the SMS notification feature of the D-Link firmware that powered the company’s line of NAS and NVR devices. The bug allowed the Cereals author to send a malformed HTTP request to a vulnerable device’s built-in web server and execute commands with root privileges. Cereals maintained four backdoor mechanisms for accessing infected devices, it attempted to patch systems to prevent other attackers from hijacking them, and it managed infected bots across twelve smaller subnets. However, despite this elaborate setup, researchers at Forcepoint say that the botnet was most likely a hobby project.

Read more

Do you have a thirst for knowledge? There are ten more cybersecurity stories below

1. Hackers breach Ghost blogging platform to mine cryptocurrency (Hack Read)
2. Malware can extract data from air-gapped PC through power supply (Hack Read)
3. Warning: Citrix ShareFile Flaw Could Let Attackers Steal Corporate Secrets (The Hacker News)
4. Game patch gives hackers access to development content on Amazon S3 (Bleeping Computer)
5. Malicious Bots Infiltrate Online Food Delivery (Dark Reading)
6. A hacker group tried to hijack 900,000 WordPress sites over the last week (ZDNet / We Live Security)
7. Cyber volunteers release blocklists for 26,000 COVID-19 threats (Bleeping Computer)
8. Upgraded Aggah malspam campaign delivers multiple RATs (Talos Intelligence)
9. Targeted Ransomware Attack Hits Taiwanese Organizations (Trend Micro)
10. Blue Mockingbird Is Mining Cryptocurrency (Infosecurity)