DDoS attacks and botnets

IoT_reaper: a new growing botnet

Netlab researchers identified a new botnet, which was named IoT_reaper.
The botnet is in its first phases and is rapidly growing: it hasn’t launched a single attack up to now but, as the name suggests, hoards vulnerable IoT devices adding them to it network. It is similar to Mirai, although there are some differences: this one only targets vulnerable devices and doesn’t try to hack a password (with a substantial saving in computational resources), it integrates parts of LUA code that allow more sophisticated attacks and its scans are not invasive, so they are hard to identify.
The botnet added more than 20 thousands devices in less than 2 weeks; devices exploited are D-Link, Netgear and Linksys among the others: the full list is in the article linked before. Luckily there are some patches available.

A botnet is scanning the Web for private SSH keys
In a post on its blog, Wordfence warns about a Web scanning activity that looks for private SSH keys left without precautions on web server.
It’s not clear which botnet is responsible for this scan, however Wordfence warns everyone running a site/server and connects with a key-based authentication system.

Finding the private key allows to connect to the corresponding site/server, the impact is potentially devastating; the mistake that sometimes is done is to copy on the site/server the private key: this one must remain on your computer, well protected. You only have to copy the public key on the server, which is text file usually with the .pub (=public) extension. Often times the private key is a text file without an extension.
Wordfence offers the Gravity service which scans your site and signals any misconfiguration/problem.
Interestingly enough, Gravity has identified how 13% of analyzed sites has sensitive information with public access: configuration files, logs, scripts and backups.

AKAMAI identifies a Fast Flux botnet

In a post on its blog, AKAMAI states it has identified a Fast Flux botnet composed by 14 thousands zombie devices.
The idea behind a “Fast Flux” botnet is to associate different IP addresses to the same site and round-robin rotate them; if domain names are used properly, an hacker can hide the C&C server and make the identification and analysis of the botnet hard. Further information about this type of botnets are available in this ESET post.
This specific botnet hosts several phishing sites, proxies and C&C servers for malware campaigns, as well as web scraping, SQL Injection and Brute Force attacks activities. AKAMAI hasn’t released details on the botnet yet, but as port 7549 (the one of the TR-069 protocol for remote management), it’s believed that vulnerable routers and home network devices are part of the botnet.

Browsers bitcoin mining is ramping

In september ThePirateBay hit the lines with a post which described a test feature on its site which as about the user mining bitcoins when accessing it.
Coinhive is a Javascript library that allows the mining of cryptocurrencies (especially Monero) via browser: the user visits a website and loads the script, which makes the local computer to mine as long as the connection to the site is established. Palo Alto Networks researchers too covered that in an article.
During the last months, services like Coinhive have been spreading: Coin Have, PPoi, MineMyTraffic and JSEcoin. There are even WordPress plugins like Simple Monero Miner and Coin Hive Ultimate.
In some cases users prefer this solution instead of noisy banners, but what would happen when an hacker adds a mining component to an hacked site? Browsers should implement an sort of mining opt-in feature and warn users if a site tries to mine bitcoins.
At the moment an ad-blocker or an anti-mining plugin should do the trick.

Ransomware

Magniber, Cerber’s successor

Magniber is the new ransomware distributed by the Magnitude Exploit Kit, as identified by Malwarebytes researchers.
Magniber has the same payment and encryption system of Cerber, which leads to the rational hypothesis of being a work of the same Cerber developer.
It leverages malvertising techniques and exploits an Internet Explorer vulnerability (which has a patch) on non updated computers. Interestingly enough, it has a mechanism that starts the encryption process only if the victim’s IP address is from South Korea.

New decryption tools are available

If it’s true that every month the list of ransomware grows, on the other hand some researchers and volunteers bless us with decryption tools: if you happen to get hit by a ransomware and don’t have a backup, then don’t despair and store encrypted files somewhere, as a decryption tool might be available sooner or later.
This month we recommend tools for Petya (both Green and Red Petya, Mischa and GoldenEye), LambdaLocker and Stricker (download it here). A resercher that goes by the name of Simone” published a tool for Magniber, which unfortunately has to be compiled in Visual Studio.
MalwareHunter Team’s Ransomware ID service identifies which ransomware encrypted your files, then head to dedicated NoMoreRansom page and look for an encryption tool: most of them are listed here. The NoMoreRansom Project is the point of reference.

Hidden ransomware economy is growing fast

Black Carbon published an interesting study on the economy of ransomware which highlights that this hidden economy grows by 2.500% per year and reaches the $7 million mark.
The study was conducted between August and September 2017 and offers some other interesting facts: there are 6.300 marketplaces, 45.000 listings and prices for DIY kits span from $0.5 to $ 3.000; a new figure is arising: service providers and distributors of RaaS (Ransomware as a Service).
BitCoin and the TOR network are used to guarantee anonymity; the amount of ransoms paid is almost $1 billion: an actual booming economy.

Vulnerabilities

Apache’s OptionsBleed exposes memory information

An Apache bug which exposes information about server’s memory has been disclosed.
HTTP has different methods other than the usual GET and POST, including OPTIONS; several webservers would reply to such request with responses that include all supported methods and snippets of casual strings, giving information in a “bleed-style”, hence the name. It is not as impactful as HeartBleed.
The bug is due to the Limit directive in the main configuration file that restricts access of a user to certain HTTP methods; however if the Limit directive is contained in a non registered .htaccess file and set to an invalid method, Apache exposes in a random manner some strings about its configuration, which are not sufficient to plan an attack or collect sensitive information.
The bug has already been patched, so you just need to update your Apache installation.

A bug in dnsmasq exposes Linux devices

dnsmasq is a software with a small footprint and DNS and DHCP capabilities, suitable for small networks and implemented in mobile devices, operating systems, IoT devices, home router, software (ie Kubernetes) and much more.
Google researchers have found several vulnerabilities that expose systems with dnsmasq. In particular they identified 7 vulnerabilities regarding DNS and DHCP whose effects are relevant: 3 Remote Code Execution, 3 DoS and an Information Leak that neutralizes Address Space Layout Randomization (ASLRS, an anti-exploit capability).

Version 2.78 of the software fixes these bugs; Android released a patch in october’s “Security Bulletin” monthly update.
Further information are available in this TrendMicro blog post.

Sockbot Android malware found in 8 apps on Google Play Store

Symantec researchers have identified 8 apps sold on the Play Store which are infected by the Sockbot Android malware.
This malware started a SOCKS proxy on infected devices which would become part of a botnet waiting for commands from a C&C server.
These apps were skins for the popular game Minecraft, each app counted between 600.000 and 2.6 millions installation; they’ve been removed from the store.

Adobe releases patch for Flash Player

Adobe released a patch for Flash Player which fixes a zero-day vulnerability (CVE-2017-11292) that could be used for Remote Code Execution attacks.
This vulnerability is present in all Flash Players versions, save for 27.0.0.170, on Windows, Linux, macOS and Chrome OS.
The vulnerability was discovered by Kaspersky Labs researchers and has been exploited by the BlackOasis hacking team with email campaigns (infected attachment).

News from the vendors

Firefox Quantum, the new browser by Mozilla

Firefox Quantum is the new browser by Mozilla currently available in beta, whose release is expected in November.
Quantum introduces new features in comparison to the previous versions of Firefox, starting with a new graphical interface called Photon.
The most interesting news are about performances, with the browser finally using all available cores and with an improved memory management.
Other new feature include a screenshot capture tool (with sharing capabilities by means of another Mozilla service), a Library button with quick access to Pocket elements (Pocket is the integrated “read it later” tool), bookmarks, downloads, screenshots, history, synchronized tabs, a new address bar and a new menu customization feature.

NextCloud introduces native end-to-end encryption

The new version of the NextCloud client Firefox Quantum: end-to-end data encryption, aka Client Side Encryption.
At the moment the feature is in beta phase, the general availability is expected with version 13 of the software.
Encryption works on a folder level and, obviously, doesn’t involve the server where NextCloud is installed: the advantage is that should the server be hacked, data remain encrypted. NextCloud also supports full disk encryption.
This feature doesn’t require user passwords, instead it leverages device-generated passcodes; restore of the code can be done with a device associated to the user account or by means of a manual code set at encryption time. The Hardware Security Module protocol is supported for enterprise-grade solutions: an interesting feature in terms of the General Data Protection Regulation, which will be enforced in may 2018.

Microsoft’s Fall Creators Update is now available

The cumulative update package for Windows 10 “Fall Creators Update” is now available.
It’s currently being shipped in different release phases, but you can force the download with the Windows 10 Update Assistant tool.
In addition to several new about apps and features, there’s an interesting news about security: Windows Defender Security Guard.
This is an anti-ransomware tool and safeguards files against unwanted and unauthorized modifications. It replaces the Enhanced Mitigation Experience Toolkit (EMET), whose support will end in July 2018. Windows Defender Antivirus too has an anti-ransomware feature active by default.
Moreover, if you access your Windows profile with an AADP or MSA account, you can reset password and PIN straight from the lock screen with email verification (on another device).

Google releases Chrome 62 and introduces Chrome Cleanup

Google released Chrome 62 for Windows, macOS and Linux.
This release fixes 35 different security issues (8 are marked as high level) and adds new features, like support to variable OpenType fonts, the release of Network Quality Estimator APIs, capturing and streaming DOM elements and warnings for HTTP connections (both in normal and Incognito modes), though they are shown only if the page includes user input fields. Later on, they will be shown for all un-encrypted connections.
Release notes are available at this address.
Moreover, Google added a new feature that warns the user when an extension tries to change the default settings set by the user (extension hijacking) like homepage, proxy and preferred search engine, and the Chrome Cleanup Tool, which was previously available only as a standalone app
This tool checks for software at installation time that tries to change Chrome’s setting and behaviour, warning the user: this way it prevents the installation of unwanted, bundled software components, which often times happens when downloading programs from certain sites.
Lastly, Chrome announces a collaboration with ESET for the creation of an integrated sandboxing environment to scan downloaded files.

Microsoft Patch Tuesday now available

As every second tuesday of the month, Microsoft released the cumulative package of Windows systems updates that is known as Patch Tuesday.
It’s installed automatically if automatic updates are enabled, otherwise it’s available with Windows Update.
This month features 67 updates, 27 of them are labelled as Critical: ricordiamo Microsoft Graphics (Remote Code Execution), Internet Explorer e Microsoft Edge (Memory Corruption), Microsoft Office, Microsoft Skype for Business, Microsoft JET Database Engine, Microsoft Windows (Remote Code Execution), and Chakra Core.
You can also download single updates and find further information in the Security Update Guide.

banner eng

fb icon evo twitter icon evo

Word of the Day

The term Edge Computing refers, when used in the cloud-based infrastructure sphere, the set of devices and technologies that allows...

>

The acronym SoC (System on Chip) describes particular integrated circuit that contain a whole system inside a single physical chip:...

>

The acronym PtP (Point-to-Point) indicates point-to-point radio links realized with wireless technologies. Differently, PtMP links connects a single source to...

>

Hold Down Timer is a technique used by network routers. When a node receives notification that another router is offline...

>

In the field of Information Technology, the term piggybacking refers to situations where an unauthorized third party gains access to...

>
Read also the others...

Download of the Day

Netcat

Netcat is a command line tool that can be used in both Linux and Windows environments, capable of...

>

Fiddler

Fiddler is a proxy server that can run locally to allow application debugging and control of data in...

>

Adapter Watch

Adapter Watch is a tool that shows a complete and detailed report about network cards. Download it here.

>

DNS DataView

DNS DataView is a graphical-interface software to perform DNS lookup queries from your PC using system-defined DNS, or...

>

SolarWinds Traceroute NG

SolarWinds Traceroute NG is a command line tool to perform advanced traceroute in Windows environment, compared to the...

>
All Download...

Issues Archive

  •  GURU advisor: issue 21 - May 2019

    GURU advisor: issue 21 - May 2019

  • GURU advisor: issue 20 - December 2018

    GURU advisor: issue 20 - December 2018

  • GURU advisor: issue 19 - July 2018

    GURU advisor: issue 19 - July 2018

  • GURU advisor: issue 18 - April 2018

    GURU advisor: issue 18 - April 2018

  • GURU advisor: issue 17 - January 2018

    GURU advisor: issue 17 - January 2018

  • GURU advisor: issue 16 - october 2017

    GURU advisor: issue 16 - october 2017

  • GURU advisor: issue 15 - July 2017

    GURU advisor: issue 15 - July 2017

  • GURU advisor: issue 14 - May 2017

    GURU advisor: issue 14 - May 2017

  • 1
  • 2
  • 3
  • BYOD: your devices for your firm

    The quick evolution of informatics and technologies, together with the crisis that mined financial mines, has brought to a tendency inversion: users that prefer to work with their own devices as they’re often more advanced and modern than those the companies would provide. Read More
  • A switch for datacenters: Quanta LB4M

    You don’t always have to invest thousands of euros to build an enterprise-level networking: here’s our test of the Quanta LB4M switch Read More
  • Mobile World Congress in Barcelona

    GURU advisor will be at the Mobile World Congress in Barcelona from February 22nd to 25th 2016!

    MWC is one of the biggest conventions about the worldwide mobile market, we'll be present for the whole event and we'll keep you posted with news and previews from the congress.

    Read More
  • 1