HEH botnet is going after exposed Telnet Services on IoT devices

Researchers have spotted a new IoT botnet that brute-forces Telnet on routers and other devices and carries code that can wipe what it infects. HEH also has a peculiar feature, or its creators have a strange sense of humour: it briefly displays the United Nations’ Universal Declaration of Human Rights, and is coded to display it in eight languages.

New HEH botnet can wipe routers and IoT devices

A newly discovered botnet contains code that can wipe all data from infected systems such as routers, servers, and Internet of Things (IoT) devices. Named HEH, the botnet spreads by launching brute-force attacks against any internet-connected system that has its Telnet ports (23 and 2323) exposed online. If the device uses default or easy-to-guess Telnet credentials, the botnet gains access and immediately downloads one of seven binaries (built for different CPU architectures) that install the HEH malware.

This HEH malware doesn’t contain any of the usual offensive features (no DDoS capability, no crypto-miner, no proxy code). The only features present are:

  1. a function that ensnares infected devices and coerces them to perform Telnet brute-force attacks across the internet, to help the botnet grow;
  2. a feature that lets the attackers run shell commands on the infected device; and
  3. a variation of the second feature that executes a list of predefined shell operations that wipe all of the device’s partitions.

Early-stage botnet

HEH was discovered by security researchers from Qihoo 360’s Netlab and detailed for the first time last week. The researchers can’t tell whether the device-wiping operation is intentional or just a poorly coded self-destruct routine. Regardless of its purpose, if this feature is ever triggered it could leave hundreds or thousands of devices bricked and non-functional, including home routers, IoT smart devices, and even Linux servers.

Since wiping all partitions also destroys the device’s firmware or operating system, this operation can brick a device until its firmware or OS is reinstalled, which on many consumer routers and IoT devices means a reflash over a recovery, serial or JTAG interface, if the vendor offers one at all.

So far, Netlab says it has detected HEH samples built for the following CPU architectures: x86 (32/64-bit), ARM (32/64-bit), MIPS (MIPS32/MIPS-III) and PPC. The botnet is still spreading.
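As an added illustration (this is not HEH’s code and not Netlab’s tooling), here is a small Python detector for the behaviour described above: it reads Telnet authentication events, flags any source that racks up repeated failures on ports 23 or 2323 inside a short window, and flags successful logins that used a default credential pair. The log line format and the credential list are constructed for this example and are assumptions; adapt the regex to what your router, gateway or honeypot actually logs.

```python
"""Added example: flag Telnet brute-force sources in auth logs.

Not HEH's code and not Netlab's tooling; a stand-alone detector written for
this article. The log format below is constructed for the example (a
syslog-style 'telnetd:' line with src/dport/user/pass fields); adapt LINE_RE
to whatever your router, honeypot or gateway actually emits.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

TELNET_PORTS = {23, 2323}          # the ports the article says HEH brute-forces

# Illustrative default credential pairs (assumption: not HEH's real wordlist).
DEFAULT_CREDS = {("admin", "admin"), ("root", "root"), ("root", ""), ("admin", "1234")}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: (?P<result>LOGIN|FAIL) "
    r"src=(?P<src>[\d.]+) dport=(?P<dport>\d+) user=(?P<user>\S*) pass=(?P<pw>\S*)$"
)


def parse(line):
    """Return an event dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dport"] = int(ev["dport"])
    return ev


def analyse(lines, threshold=5, window=timedelta(minutes=1)):
    """Return alerts as (kind, src) tuples, in the order they fire.

    'bruteforce' fires once when a source reaches `threshold` failed Telnet
    logins inside `window`; 'default-cred-login' fires on every successful
    Telnet login that used a known default credential pair.
    """
    failures = defaultdict(list)   # src -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["dport"] not in TELNET_PORTS:
            continue
        src = ev["src"]
        if ev["result"] == "FAIL":
            recent = [t for t in failures[src] if ev["ts"] - t <= window]
            recent.append(ev["ts"])
            failures[src] = recent
            if len(recent) == threshold:         # == so it fires once per burst
                alerts.append(("bruteforce", src))
        elif (ev["user"], ev["pw"]) in DEFAULT_CREDS:
            alerts.append(("default-cred-login", src))
    return alerts


# Constructed sample: one source hammering port 23 and then logging in with
# admin/admin on 2323, one source with two stray failures, one malformed line.
SAMPLE_LOG = """\
2020-10-06T10:00:01 telnetd: FAIL src=203.0.113.7 dport=23 user=root pass=xc3511
2020-10-06T10:00:02 telnetd: FAIL src=203.0.113.7 dport=23 user=root pass=vizxv
2020-10-06T10:00:02 telnetd: FAIL src=198.51.100.9 dport=23 user=admin pass=password
2020-10-06T10:00:03 telnetd: FAIL src=203.0.113.7 dport=23 user=admin pass=admin123
2020-10-06T10:00:04 telnetd: FAIL src=203.0.113.7 dport=2323 user=root pass=888888
this line is not a telnet event and is skipped
2020-10-06T10:00:05 telnetd: FAIL src=203.0.113.7 dport=23 user=support pass=support
2020-10-06T10:00:06 telnetd: FAIL src=203.0.113.7 dport=23 user=user pass=user
2020-10-06T10:00:09 telnetd: FAIL src=198.51.100.9 dport=23 user=admin pass=admin1
2020-10-06T10:00:10 telnetd: LOGIN src=203.0.113.7 dport=2323 user=admin pass=admin
"""

if __name__ == "__main__":
    for kind, src in analyse(SAMPLE_LOG.splitlines()):
        print(f"{kind:20s} {src}")
```

Run as a script it prints the alerts for the constructed sample. Blocking the sources is left to the firewall; the more durable fix is the one the article implies: do not expose Telnet at all, and change default credentials before a device goes online.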


Raccine, a new ransomware vaccine, kills programs that wipe Windows shadow volumes

Windows periodically creates snapshots of system and data files and stores them as Volume Shadow Copies (for example when System Restore points or Windows backups run). These snapshots can be used to recover files that were mistakenly changed or deleted, which makes them a serious problem for ransomware operators; that is why one of the first things ransomware does when executed is delete all shadow copies on the targeted computer.

Is there a way to outsmart the criminals? Yes: a newly released ransomware vaccine, Raccine, terminates processes that try to delete volume shadow copies through Microsoft’s vssadmin.exe program.

There are two common vssadmin invocations ransomware uses to get rid of shadow copies: deleting them outright, or shrinking the shadow storage quota so that Windows discards existing snapshots to fit within the new limit:

vssadmin delete shadows /all /quiet


vssadmin.exe resize shadowstorage /for=D: /on=D: /maxsize=401MB

Raccine monitors for these shadow-copy deletion commands, intercepts the invocation and kills the process behind it: if it sees ‘vssadmin delete’ or ‘vssadmin resize shadowstorage’ it terminates that process automatically. Because ransomware usually deletes shadow copies before it begins encrypting files, the kill typically lands before any file has been encrypted.

Raccine may also terminate legitimate software that runs vssadmin.exe as part of its backup routine. Its author, Florian Roth, plans to add a way to let specific programs bypass Raccine so that they are not terminated by mistake; until then, admins should test it against their backup tooling before deploying it broadly.
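The decision Raccine makes can be written down in a few lines. The following Python is an added example, not Raccine’s own code: it splits a Windows command line the way the shell would (honouring double quotes), normalises the executable name so that `C:\Windows\System32\VSSADMIN.EXE` and `vssadmin` match alike, and reports the two deletion methods named above. The parent-image allowlist is an assumption that mirrors the bypass feature the article says is planned.

```python
"""Added example: decide whether a vssadmin command line is shadow-copy tampering.

Not Raccine's source; a stand-alone decision function modelled on the
behaviour the article describes (kill anything running 'vssadmin delete
shadows' or 'vssadmin resize shadowstorage'). The parent-image allowlist is an
assumption that mirrors the bypass feature the article says is planned.
"""
import re

# Token splitter that honours double-quoted arguments, as Windows command lines do.
_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

# (verb, noun) pairs the article names as the two deletion methods.
TAMPER_PATTERNS = {
    ("delete", "shadows"): "vssadmin delete shadows",
    ("resize", "shadowstorage"): "vssadmin resize shadowstorage",
}


def tokens(cmdline):
    """Split a command line into arguments, stripping surrounding quotes."""
    return [quoted or bare for quoted, bare in _TOKEN_RE.findall(cmdline)]


def image_name(path):
    """Base name of an executable, lower-cased, with any .exe suffix removed."""
    name = re.split(r"[\\/]", path)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def shadow_tamper_reason(cmdline):
    """Return a human-readable reason if `cmdline` is a vssadmin shadow-copy
    deletion or storage shrink, else None. Matching is case-insensitive and
    ignores the path and extension used to reach vssadmin."""
    toks = tokens(cmdline)
    if len(toks) < 3 or image_name(toks[0]) != "vssadmin":
        return None
    return TAMPER_PATTERNS.get((toks[1].lower(), toks[2].lower()))


def should_terminate(cmdline, parent_image, allowlist=frozenset()):
    """Return (terminate?, reason). Allowlisted parents (backup agents you
    trust) are let through even when the command matches; everything else is
    terminated."""
    reason = shadow_tamper_reason(cmdline)
    if reason is None:
        return False, None
    if image_name(parent_image) in {image_name(p) for p in allowlist}:
        return False, f"{reason} allowed for {image_name(parent_image)}"
    return True, reason


if __name__ == "__main__":
    # Constructed command lines and parent images for demonstration.
    samples = [
        ("vssadmin delete shadows /all /quiet", "ransom.exe"),
        (r'"C:\Windows\System32\vssadmin.exe" Resize ShadowStorage /For=D: /On=D: /MaxSize=401MB', "cmd.exe"),
        ("vssadmin list shadows", "cmd.exe"),
        ("vssadmin delete shadows /for=C: /oldest", r"C:\Program Files\Backup\backup-agent.exe"),
    ]
    for cmd, parent in samples:
        print(should_terminate(cmd, parent, allowlist={"backup-agent.exe"}), "<-", cmd)
```

This covers only the two vssadmin forms the article lists. Any real deployment should also log every decision, because the allowlist is exactly where a false negative would hide.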


Cybercriminals are using a critical flaw in the File Manager WordPress plugin to exploit the Zerologon vulnerability

File Manager is a popular WordPress plugin used to manage files on WordPress sites. According to Wordfence researchers, it has a serious flaw (CVE-2020-25213, fixed in version 6.9): an attacker can send a specially crafted request to the plugin’s connector.minimal.php file and, without authenticating, gain remote code execution on the vulnerable site.

Zerologon… again

Zerologon (CVE-2020-1472) is based on a cryptographic flaw in the Netlogon protocol: the challenge-response credential is computed with AES-CFB8 using a fixed all-zero IV, so an attacker who repeatedly sends an all-zero client challenge and an all-zero credential will, after a few hundred attempts on average, be accepted without knowing the machine account’s key. With that, the attacker can set the Domain Controller’s machine account password to an empty string and then remotely dump the DC’s NTLM hashes. The second problem is that the machine password must be restored quickly, otherwise the DC will stop synchronizing with the rest of the domain and the change can break the network.

If an attacker can communicate with the Domain Controller, which in practice means a foothold on your internal network, he can essentially become Domain Admin with one click.
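To make the ‘encryption flaw’ concrete, here is an added Python example (illustrative code written for this article, not Secura’s proof of concept and not Microsoft’s Netlogon code) that implements CFB8 mode generically and shows why a fixed all-zero IV is fatal: with an all-zero challenge, the credential comes out all zeros whenever the first byte of the block cipher’s output for a zero block is zero, which happens for about one session key in 256 regardless of what the key is. The block cipher is a hash-based stand-in (an assumption) so the code runs with no third-party libraries; substituting AES-128 single-block encryption reproduces the real scheme.

```python
"""Added example: why a fixed all-zero IV in CFB8 lets Zerologon forge a credential.

Illustrative code written for this article, not Secura's proof of concept and
not Netlogon's implementation. The CFB8 routine is generic; the block cipher is
a hash-based STAND-IN (assumption) so the example runs with no third-party
libraries. Swap in AES-128 single-block encryption to reproduce the real scheme.
"""
import hashlib

BLOCK = 16          # AES block size in bytes
CHALLENGE = 8       # Netlogon challenges and credentials are 8 bytes


def cfb8_encrypt(encrypt_block, iv, plaintext):
    """Generic CFB-8: encrypt the 16-byte shift register, XOR its first output
    byte with one plaintext byte, then shift that ciphertext byte into the
    register. One block encryption per plaintext byte."""
    reg = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = encrypt_block(bytes(reg))[0] ^ p
        out.append(c)
        reg = reg[1:] + bytes([c])
    return bytes(out)


def stand_in_block(session_key):
    """STAND-IN for AES-128 keyed on the session key (assumption, not AES)."""
    return lambda block: hashlib.sha256(session_key + block).digest()[:BLOCK]


def compute_netlogon_credential(encrypt_block, challenge):
    """The article's 'encryption flaw': the credential is CFB8 over the 8-byte
    challenge with the IV fixed to all zeros instead of a fresh random value."""
    return cfb8_encrypt(encrypt_block, bytes(BLOCK), challenge)


def zero_credential_possible(encrypt_block):
    """An all-zero challenge yields an all-zero credential exactly when the
    first byte of E_k(0^16) is 0: the first output byte is that byte XOR 0, and
    if it is 0 the shift register stays all zeros for every following byte."""
    return encrypt_block(bytes(BLOCK))[0] == 0


def attempts_until_zero_credential(session_keys):
    """The attacker's retry loop: each Netlogon handshake yields a fresh session
    key, and the attacker keeps sending challenge=0^8 / credential=0^8 until one
    is accepted. Returns the 1-based attempt that succeeded, or None."""
    for attempt, key in enumerate(session_keys, 1):
        if compute_netlogon_credential(stand_in_block(key), bytes(CHALLENGE)) == bytes(CHALLENGE):
            return attempt
    return None


def constructed_session_keys(n):
    """Deterministic pseudo-random keys for the simulation (constructed input)."""
    return [hashlib.sha256(b"session-key-%d" % i).digest()[:BLOCK] for i in range(n)]


if __name__ == "__main__":
    keys = constructed_session_keys(5000)
    print("attempts until the all-zero credential was accepted:",
          attempts_until_zero_credential(keys))
    hits = sum(zero_credential_possible(stand_in_block(k)) for k in keys)
    print(f"{hits}/{len(keys)} session keys accept it (about 1/256 expected)")
```

Running it prints how many simulated handshakes the all-zero credential needed before one was accepted, and how many of the constructed keys would accept it. The point for defenders is that nothing about the attacker’s input is distinguishable from a legitimate client that happened to pick a zero challenge, which is why the fix is to patch and enforce secure RPC for Netlogon rather than to try to detect the forgery.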

Although the Domain Controller is normally reachable only from the intranet, many networks have weak policies and poor segregation and segmentation, so that, for example, web servers in the DMZ can also talk to internal assets and to the Domain Controllers. To get that foothold, external attackers have been abusing a vulnerability in the File Manager plugin, CVE-2020-25213, which allows arbitrary code execution on the server (an RCE vulnerability).

An ongoing cyber campaign

According to Wordfence, on September 4th, 2020 it recorded attacks on over 1.7 million sites, and by September 10 the number of sites attacked had grown to over 2.6 million.

How do criminals abuse this vulnerability?

  • to run phishing campaigns and deliver malware in the wild;
  • to implant backdoors that steal data, credit card numbers or other sensitive personal information (PII);
  • to inject JavaScript cryptominers into the source of specific pages (e.g., index.php); and
  • to escalate into the internal network and abuse the Zerologon vulnerability to attack Domain Controllers.


MosaicRegressor: Second-ever UEFI rootkit found in the wild

Researchers have spotted a rare and potentially dangerous kind of malware that targets a machine’s boot process to drop persistent malware. The campaign used compromised UEFI (Unified Extensible Firmware Interface) firmware images containing a malicious implant, making it only the second publicly known case of a UEFI rootkit used in the wild (the first was LoJax, reported by ESET in 2018).

According to Kaspersky, the rogue UEFI firmware images were modified to incorporate several malicious modules, which were then used to drop malware on victim machines in a series of targeted cyberattacks directed against diplomats and members of an NGO from Africa, Asia, and Europe.

UEFI is the firmware interface that replaced the legacy BIOS; with features such as Secure Boot it is meant to ensure that nothing has tampered with the boot chain. Because UEFI runs before, and loads, the operating system, an infection at that level survives OS reinstallation and even replacement of the hard drive. An attacker who can modify the firmware can have it deploy malicious code that runs once the operating system has loaded.

That’s exactly what this threat actor appears to have done. Although the exact infection vector used to overwrite the original firmware remains unknown at this stage, a leaked Hacking Team manual suggests the implant may have been deployed through physical access to the victim’s machine.

Source: BitsRegEx variant overview (Kaspersky)

The UEFI malware is a customized version of Hacking Team’s VectorEDK bootkit, which was leaked in 2015. It is used to plant a second payload, MosaicRegressor, “a multi-stage and modular framework aimed at espionage and data gathering” that consists of downloaders which fetch and execute further components.

The downloaders contact the C2 server to fetch next-stage DLLs that execute specific commands; the results are sent back to the C2 server or forwarded to a “feedback” mail address from which the attackers collect the amassed data. Payloads are delivered in several ways, including as e-mail messages from mailboxes (on mail.ru) hard-coded in the malware’s binary.

Kaspersky links one of MosaicRegressor’s variants to the Chinese-speaking threat actor broadly known as Winnti (aka APT41).


Do you have a thirst for knowledge? There are ten more cybersecurity stories below.

1. Male Chastity Device Comes with Massive Security Flaws (Threat Post)
2. A sophisticated cyberattack hit the International Maritime Organization (Dark Reading)
3. Meet ‘Egregor,’ a New Ransomware Family to Watch (Dark Reading)
4. Crypto-mining malware adds Linux password stealing capability (Bleeping Computer)
5. Black-T Malware Emerges From Cryptojacker Group TeamTNT (Threat Post)
6. Malware Families Turn to Legit Pastebin-Like Service (Threat Post)
7. Hackers exploit Windows Error Reporting service in new fileless attack (ZDNet)
8. Microsoft 365 outage takes down Outlook and Microsoft Teams again (Bleeping Computer)
9. Clop ransomware hits Software AG, demands $20 million+ ransom (HackRead)
10. Android ransomware authors have a new trick to go with an old shakedown technique (Cyberscoop)