VulnHub

FortiGuard Labs has reported that attackers are exploiting a command injection vulnerability (CVE-2024-3721) in TBK DVR devices, utilizing it to deploy a Mirai-based botnet. This vulnerability allows unauthorized commands to be executed on the affected devices, potentially turning them into part of a larger network of compromised devices. Users of TBK DVR systems should be particularly vigilant, as this exploitation could lead to significant disruptions or unauthorized access to their networks. The presence of this botnet in the wild raises concerns about the broader implications for IoT security and the need for manufacturers to address such vulnerabilities swiftly. It’s crucial for users to stay informed and take appropriate action to protect their devices.

Researchers from Fortinet FortiGuard Labs and Palo Alto Networks Unit 42 have identified that attackers are exploiting a command injection vulnerability, CVE-2024-3721, in TBK DVRs and outdated TP-Link Wi-Fi routers. This medium-severity flaw, which has a CVSS score of 6.3, allows malicious actors to hijack these devices to create a botnet for DDoS attacks. The compromised TBK DVRs and EoL TP-Link routers are particularly concerning as they can be easily targeted due to their lack of ongoing support and security updates. This situation poses a significant risk to users, as their devices can be turned into tools for larger-scale cyberattacks without their knowledge. Users of these devices should take immediate action to secure their systems against potential exploitation.

The PowMix botnet has been quietly targeting the workforce in the Czech Republic since December, using randomized communication techniques to evade detection. This stealthy operation involves the botnet compromising systems to potentially gain unauthorized access to sensitive information or resources. Researchers at The Hacker News have reported on the campaign, emphasizing the risk it poses to businesses and organizations in the region. As the botnet continues its activities, it raises concerns about the security of the Czech workforce and the need for enhanced protective measures against such covert attacks. Organizations are urged to remain vigilant and adopt robust security practices to defend against this emerging threat.

A report from Qrator Labs has revealed a significant increase in a DDoS botnet, which has now ballooned to 13.5 million compromised devices over the past year. The majority of these devices are located in the United States, Brazil, and India. This surge in botnet size has enabled attackers to launch unprecedented distributed denial-of-service attacks, reaching up to 2 terabits per second. The fintech and betting industries appear to be the primary targets of these assaults. This situation raises alarms for businesses in these sectors, as the sheer scale of attacks could disrupt services and lead to substantial financial losses.

A recent report from Qrator Labs indicates that the largest known DDoS botnet has expanded to encompass 13.5 million devices. This massive botnet is capable of launching Distributed Denial of Service (DDoS) attacks reaching up to 2 terabits per second. The primary target of these attacks has been the financial technology sector, raising concerns for companies in that space. With such a vast number of devices potentially under the control of attackers, the threat to both service availability and data security is significant. Companies in the FinTech sector, as well as other industries relying on online services, need to bolster their defenses to mitigate the risks associated with these powerful DDoS attacks.

The Masjesu botnet, also referred to as XorBot, has emerged as a stealthy DDoS-for-hire service that primarily targets Internet of Things (IoT) devices. Unlike many other botnets, Masjesu avoids high-profile targets, such as Department of Defense IP addresses, opting instead for less conspicuous victims. This botnet employs XOR encryption to maintain low visibility and ensure its persistence within compromised systems. As the use of IoT devices continues to rise, the potential for such botnets to disrupt services and cause damage increases, making it crucial for users and organizations to secure their devices against such threats. The activity of Masjesu raises concerns about the growing sophistication of DDoS services that are accessible for hire, which can have widespread implications for network stability and security.

Threat actors are actively targeting vulnerable ComfyUI deployments using a custom Python scanner to hijack instances for cryptomining and to create a proxy botnet. This malicious activity involves scanning cloud IP ranges to find systems that haven't been secured. Once compromised, these systems can be exploited for unauthorized cryptomining, which can lead to significant financial losses for the affected users and businesses. The ease of access for attackers highlights a concerning gap in cloud security practices. Organizations using ComfyUI should ensure their deployments are properly configured and secured to prevent these types of attacks.

Mirai malware has evolved into numerous variants, including notable ones like Aisuru and KimWolf, which are fueling the growth of botnets that target vulnerable Internet of Things (IoT) devices. These variants are being used in large-scale attacks, posing significant risks to users worldwide. Researchers are warning that many IoT devices, often lacking adequate security measures, are at high risk of being compromised by these evolving threats. As these botnets expand, the potential for widespread disruption increases, highlighting the urgent need for manufacturers and users to improve security protocols for their devices. This situation emphasizes the ongoing challenge of securing IoT ecosystems against sophisticated malware attacks.

The RondoDox botnet is ramping up its activities, now targeting 174 different vulnerabilities with an alarming rate of 15,000 exploitation attempts each day. This more focused campaign signals a strategic shift in how the botnet operates, making it a significant concern for cybersecurity experts. Organizations and individuals who use software with these vulnerabilities are at heightened risk of being attacked. The botnet's ability to exploit these flaws could lead to unauthorized access, data breaches, and other serious security incidents. As researchers continue to monitor this situation, it's crucial for affected users to take preventive measures and patch their systems promptly.

The RondoDox botnet has ramped up its operations, now targeting 174 different vulnerabilities and reaching a peak of 15,000 exploitation attempts each day. This botnet is adopting a more focused strategy, which raises concerns for organizations as it indicates a shift towards exploiting specific weaknesses rather than a broader, less efficient approach. The increase in targeted attacks could impact a wide range of systems and software that have these vulnerabilities, potentially leading to data breaches or system compromises. Companies and IT teams need to be vigilant and proactive in securing their systems against these threats to prevent exploitation. It’s crucial for affected organizations to review their security posture and apply necessary patches or updates.

An international law enforcement operation has successfully dismantled SocksEscort, a criminal proxy service that had infected around 369,000 residential and small business routers across 163 countries. The U.S. Department of Justice revealed that this botnet was used for large-scale fraud, leveraging malware to control the infected routers. Users of these routers were largely unaware that their devices had been compromised. The operation underscores the ongoing threat posed by botnets and the importance of securing home and business networks. With thousands of routers involved, this incident serves as a reminder for individuals and businesses to regularly update their devices and apply security patches to protect against such malware infections.

The latest Security Affairs Malware newsletter covers several significant malware threats that have emerged recently. Notably, a group identified as Stan Ghouls is targeting users in Russia and Uzbekistan using the NetSupport Remote Access Trojan (RAT), which allows attackers to control infected systems remotely. Another concerning development is the discovery of ZeroDayRAT, a new spyware designed to infiltrate both Android and iOS devices. Additionally, researchers have uncovered a Linux botnet named SSHStalker, which utilizes old-school IRC methods to compromise new victims. These activities demonstrate the evolving tactics of cybercriminals and emphasize the need for users and organizations to remain vigilant against these persistent threats.

Researchers have identified a new botnet named SSHStalker that uses the Internet Relay Chat (IRC) protocol for its command-and-control operations. This botnet targets Linux systems, employing older kernel exploits to gain access. It features tools for hiding its activities, including log tampering and rootkit-like components. The existence of SSHStalker is concerning as it demonstrates that attackers are still leveraging outdated vulnerabilities to compromise systems. Organizations running Linux servers should assess their security measures and patch any known vulnerabilities to mitigate potential risks from this botnet.