Posts

Showing posts from March, 2020

Hackers Exploiting Two 0-Day Bugs in DrayTek Routers & Create A Backdoor in Enterprise Networks

Researchers observed two new hacker groups abusing two zero-day vulnerabilities in DrayTek routers to exploit enterprise network routers and perform a series of attacks. Recently we reported a similar attack in which hackers hijack home routers and change the DNS settings to implant malware via a malicious website. This is another new wave of attacks in which attackers are using zero-day bugs to perform attacks including eavesdropping on the device's network traffic, running SSH services on high ports, creating system backdoor accounts, and implanting a specific malicious Web Session backdoor. The ongoing zero-day attack was initially disclosed on December 25, 2019, with an indicator of compromise (IOC), and it is highly weaponized in nature.

360 Netlab (@360Netlab), #0-day: Since 2019-12-04 08:22:29 (UTC), we have been witnessing ongoing 0 day attack targeting a network CPE vendor (not the big players, but there are about ~100,000 devices online accor...

Operation Poisoned News – Hackers Deliver Malware Targeting iOS Users Using Local News Links

A new campaign dubbed Operation Poisoned News uses links to local news sites to deploy malware called lightSpy on users' iOS devices. Attackers posted the news articles in various forums; clicking on a link takes users to the news sites, but the pages also have a hidden iframe that loads malicious code. The malicious code is capable of exploiting vulnerabilities present in iOS 12.1 and 12.2, and clicking on those links leads to the installation of the lightSpy malware on the iOS devices.

Poisoned News Campaign

lightSpy is the backdoor module that allows attackers to execute code remotely and to manipulate files on the affected device. Security researchers from Trend Micro observed the watering hole attack targeting iOS users. The links posted by the attackers include three iframes. The only visible link is the original news website; the other two links are invisible, one used for analytics purposes and another pointing to a site hosting exploits. ...

APT36 jumps on the coronavirus bandwagon, delivers Crimson RAT

Since the coronavirus became a worldwide health issue, the desire for more information and guidance from government and health authorities has reached a fever pitch. This is a golden opportunity for threat actors to capitalize on fear, spread misinformation, and generate mass hysteria—all while compromising victims with scams or malware campaigns. Profiting from global health concerns, natural disasters, and other extreme weather events is nothing new for cybercriminals. Scams related to SARS, H1N1 (swine flu), and avian flu have circulated online for more than a decade. According to reports from ZDnet, many state-sponsored threat actors have already started to distribute coronavirus lures, including: Chinese APTs: Vicious Panda, Mustang Panda; North Korean APTs: Kimsuky; Russian APTs: Hades group (believed to have ties with APT28), TA542 (Emotet); Other APTs: Sweed (Lokibot). Recently, the Red Drip team reported that APT36 ...

Thousands of Coronavirus (COVID-19) Related Sites As Bait by Hackers

As the world comes to grips with the coronavirus pandemic, the situation has proven to be a blessing in disguise for threat actors, who've taken advantage of the opportunity to target victims with scams or malware campaigns. Now, according to a new report published by Check Point Research today and shared with The Hacker News, hackers are exploiting the COVID-19 outbreak to spread their own infections, including registering malicious Coronavirus-related domains and selling discounted off-the-shelf malware on the dark web. "Special offers by different hackers promoting their 'goods' — usually malicious malware or exploit tools — are being sold over the darknet under special offers with 'COVID19' or 'coronavirus' as discount codes, targeting wannabe cyber-attackers," the cybersecurity firm said.

COVID-19 Discounts: Exploit Tools for Sale

The report comes following an uptick in the number of malicious coronavirus-related domains that hav...

Mukashi: A New Mirai IoT Botnet Variant Targeting Zyxel NAS Devices

A new version of the infamous Mirai botnet is exploiting a recently uncovered critical vulnerability in network-attached storage (NAS) devices in an attempt to remotely infect and control vulnerable machines. Called "Mukashi," the new variant of the malware employs brute-force attacks using different combinations of default credentials to log into Zyxel NAS, UTM, ATP, and VPN firewall products to take control of the devices and add them to a network of infected bots that can be used to carry out Distributed Denial of Service (DDoS) attacks. Multiple Zyxel NAS products running firmware versions up to 5.21 are vulnerable to the compromise, Palo Alto Networks' Unit 42 global threat intelligence team said, adding they uncovered the first such exploitation of the flaw in the wild on March 12.

Zyxel's Pre-Authentication Command Injection Flaw

Mukashi hinges on a pre-authentication command injection vulnerability (tracked as CVE-2020-9054), for which a proof-of-...