Articles tagged "Botnet"

Found 47 articles

13.5M Device Botnet Drives 2 Tbps DDoS Attacks on FinTech, Qrator Finds

Hackread – Cybersecurity News, Data Breaches, AI and More

Actively Exploited

A recent report from Qrator Labs indicates that the largest known DDoS botnet has expanded to encompass 13.5 million devices. This massive botnet is capable of launching Distributed Denial of Service (DDoS) attacks reaching up to 2 terabits per second. The primary target of these attacks has been the financial technology sector, raising concerns for companies in that space. With such a vast number of devices potentially under the control of attackers, the threat to both service availability and data security is significant. Companies in the FinTech sector, as well as other industries relying on online services, need to bolster their defenses to mitigate the risks associated with these powerful DDoS attacks.

Impact: FinTech companies and online services reliant on uninterrupted access.
Remediation: Companies should implement advanced DDoS protection measures and traffic filtering solutions.

The Masjesu botnet, also referred to as XorBot, has emerged as a stealthy DDoS-for-hire service that primarily targets Internet of Things (IoT) devices. Unlike many other botnets, Masjesu avoids high-profile targets, such as Department of Defense IP addresses, opting instead for less conspicuous victims. This botnet employs XOR encryption to maintain low visibility and ensure its persistence within compromised systems. As the use of IoT devices continues to rise, the potential for such botnets to disrupt services and cause damage increases, making it crucial for users and organizations to secure their devices against such threats. The activity of Masjesu raises concerns about the growing sophistication of DDoS services that are accessible for hire, which can have widespread implications for network stability and security.

Impact: IoT devices, specifically those vulnerable to DDoS attacks
Remediation: Users should regularly update their IoT devices, change default passwords, and implement network security measures to protect against unauthorized access.

Threat actors are actively targeting vulnerable ComfyUI deployments using a custom Python scanner to hijack instances for cryptomining and to create a proxy botnet. This malicious activity involves scanning cloud IP ranges to find systems that haven't been secured. Once compromised, these systems can be exploited for unauthorized cryptomining, which can lead to significant financial losses for the affected users and businesses. The ease of access for attackers highlights a concerning gap in cloud security practices. Organizations using ComfyUI should ensure their deployments are properly configured and secured to prevent these types of attacks.

Impact: ComfyUI deployments
Remediation: Organizations should secure their ComfyUI deployments by applying necessary security configurations and monitoring for unauthorized access.

Mirai Malware Evolves into Hundreds of Variants Driving Botnet Growth

Hackread – Cybersecurity News, Data Breaches, AI and More

Actively Exploited

Mirai malware has evolved into numerous variants, including notable ones like Aisuru and KimWolf, which are fueling the growth of botnets that target vulnerable Internet of Things (IoT) devices. These variants are being used in large-scale attacks, posing significant risks to users worldwide. Researchers are warning that many IoT devices, often lacking adequate security measures, are at high risk of being compromised by these evolving threats. As these botnets expand, the potential for widespread disruption increases, highlighting the urgent need for manufacturers and users to improve security protocols for their devices. This situation emphasizes the ongoing challenge of securing IoT ecosystems against sophisticated malware attacks.

Impact: Vulnerable IoT devices, including cameras, routers, and smart home devices.
Remediation: Users should regularly update device firmware, change default passwords, and implement network segmentation to protect IoT devices.

Ilya Angelov, a 40-year-old Russian man, has been sentenced to two years in prison for his role in managing a botnet that facilitated ransomware attacks targeting U.S. companies. The botnet, associated with a cybercriminal group known as TA551, was used to deploy malicious software that locked users out of their systems until a ransom was paid. In addition to his prison sentence, Angelov was fined $100,000. This case underscores the ongoing challenges posed by international cybercrime, particularly how individuals can exploit technology to harm businesses and individuals across borders. The sentencing aims to deter similar cybercriminal activities and demonstrates law enforcement's commitment to addressing ransomware threats.

Impact: U.S. companies affected by ransomware attacks from the TA551 botnet.
Remediation: Companies should enhance their cybersecurity measures, including regular data backups, employee training on phishing scams, and implementing robust security protocols to prevent ransomware infections.

The RondoDox botnet is ramping up its activities, now targeting 174 different vulnerabilities with an alarming rate of 15,000 exploitation attempts each day. This more focused campaign signals a strategic shift in how the botnet operates, making it a significant concern for cybersecurity experts. Organizations and individuals who use software with these vulnerabilities are at heightened risk of being attacked. The botnet's ability to exploit these flaws could lead to unauthorized access, data breaches, and other serious security incidents. As researchers continue to monitor this situation, it's crucial for affected users to take preventive measures and patch their systems promptly.

Impact: 174 vulnerabilities across various software and systems
Remediation: Users should apply the latest security patches and updates from their software vendors to mitigate these vulnerabilities. Regularly updating systems and conducting vulnerability assessments are also recommended.

The RondoDox botnet has ramped up its operations, now targeting 174 different vulnerabilities and reaching a peak of 15,000 exploitation attempts each day. This botnet is adopting a more focused strategy, which raises concerns for organizations as it indicates a shift towards exploiting specific weaknesses rather than a broader, less efficient approach. The increase in targeted attacks could impact a wide range of systems and software that have these vulnerabilities, potentially leading to data breaches or system compromises. Companies and IT teams need to be vigilant and proactive in securing their systems against these threats to prevent exploitation. It’s crucial for affected organizations to review their security posture and apply necessary patches or updates.

Impact: N/A
Remediation: Organizations should apply security patches for identified vulnerabilities, review configurations, and enhance monitoring for unusual activity.

An international law enforcement operation has successfully dismantled SocksEscort, a criminal proxy service that had infected around 369,000 residential and small business routers across 163 countries. The U.S. Department of Justice revealed that this botnet was used for large-scale fraud, leveraging malware to control the infected routers. Users of these routers were largely unaware that their devices had been compromised. The operation underscores the ongoing threat posed by botnets and the importance of securing home and business networks. With thousands of routers involved, this incident serves as a reminder for individuals and businesses to regularly update their devices and apply security patches to protect against such malware infections.

Impact: Residential and small business internet routers
Remediation: Users should secure their routers by updating firmware, changing default passwords, and applying available security patches.

Authorities have dismantled a global proxy network known as SocksEscort, which had compromised routers and Internet of Things (IoT) devices across 163 countries. This botnet reportedly affected around 369,000 victims and generated approximately $5.8 million in revenue for its cybercriminal operators. The operation's scale demonstrates how widespread such threats can be, as compromised devices can facilitate various cybercrimes, including unauthorized access and data theft. The takedown is a significant step in combating the growing issue of botnets, which can put both individuals and organizations at risk. Users are advised to secure their devices and ensure they are not part of such networks.

Impact: Routers, IoT devices
Remediation: Users should secure their routers and IoT devices by changing default passwords, applying firmware updates, and disabling unnecessary services.

Actively Exploited

The latest Security Affairs Malware newsletter covers several significant malware threats that have emerged recently. Notably, a group identified as Stan Ghouls is targeting users in Russia and Uzbekistan using the NetSupport Remote Access Trojan (RAT), which allows attackers to control infected systems remotely. Another concerning development is the discovery of ZeroDayRAT, a new spyware designed to infiltrate both Android and iOS devices. Additionally, researchers have uncovered a Linux botnet named SSHStalker, which utilizes old-school IRC methods to compromise new victims. These activities demonstrate the evolving tactics of cybercriminals and emphasize the need for users and organizations to remain vigilant against these persistent threats.

Impact: NetSupport RAT, ZeroDayRAT (Android and iOS), SSHStalker Linux Botnet
Remediation: Users should implement security updates, monitor network activity for unusual behavior, and utilize endpoint protection solutions to mitigate these threats.

Researchers have identified a new botnet named SSHStalker that uses the Internet Relay Chat (IRC) protocol for its command-and-control operations. This botnet targets Linux systems, employing older kernel exploits to gain access. It features tools for hiding its activities, including log tampering and rootkit-like components. The existence of SSHStalker is concerning as it demonstrates that attackers are still leveraging outdated vulnerabilities to compromise systems. Organizations running Linux servers should assess their security measures and patch any known vulnerabilities to mitigate potential risks from this botnet.

Impact: Linux systems, particularly those with legacy kernels
Remediation: Organizations should patch vulnerabilities in their Linux systems and implement security measures to detect and respond to unauthorized access.

A new botnet named SSHStalker has emerged, targeting Linux servers and infecting around 7,000 systems. This botnet exploits vulnerabilities from older 2009-era software, utilizing IRC bots and mass-scanning techniques to gain access. Researchers from Flare discovered SSHStalker while monitoring SSH honeypots over a two-month period; the honeypots were deliberately configured with weak credentials to attract attackers. The presence of this botnet underscores the ongoing risk posed by outdated security measures, especially for systems that have not been updated in years. Users and administrators of Linux servers need to be vigilant and ensure their systems are secure against such legacy exploits.

Impact: Linux servers using outdated software and weak SSH credentials
Remediation: Users should update their Linux systems to the latest versions, strengthen SSH credentials, and implement security measures such as firewalls and connection limits.

A new botnet called SSHStalker has compromised approximately 7,000 Linux systems, primarily those hosted in the cloud. This botnet uses Internet Relay Chat (IRC) for control and automates attacks via Secure Shell (SSH) to gain access to these systems. The attackers are exploiting weak SSH credentials, making it crucial for system administrators to strengthen their password policies and implement key-based authentication. This incident highlights the ongoing vulnerability of Linux servers to automated attacks and the importance of maintaining strong security practices. Users need to be vigilant and consider regular audits of their SSH configurations to prevent unauthorized access.

Impact: Linux systems, particularly cloud-hosted environments using SSH
Remediation: Strengthen SSH credentials, implement key-based authentication, and conduct regular audits of SSH configurations.

A new Linux botnet named 'SSHStalker' has reportedly infected around 7,000 systems. This botnet employs a mass-compromise strategy, utilizing various scanners and malware to gain control over vulnerable devices. The attackers are likely taking advantage of outdated security practices, which makes this incident a reminder for system administrators to enhance their security measures. The widespread nature of this botnet indicates that many users might be at risk, especially if their systems are not properly secured. Addressing these vulnerabilities is crucial to prevent further infections and potential data breaches.

Impact: Linux systems, particularly those with weak SSH credentials
Remediation: System administrators should enforce strong SSH passwords, disable root login via SSH, and consider using key-based authentication. Regular updates and security patches for Linux distributions are also recommended.

The Prometei botnet has compromised a UK construction firm's server by taking advantage of weak or default passwords through the Remote Desktop Protocol (RDP). This incident raises serious concerns about the security practices within the construction industry, which may not prioritize strong password policies. Attackers exploiting such vulnerabilities can gain unauthorized access to sensitive data, potentially leading to data breaches or further malicious activities. Companies are urged to implement stronger password policies and consider using multi-factor authentication to protect against similar attacks. This incident serves as a reminder of the importance of basic cybersecurity hygiene for all organizations, regardless of their sector.

Impact: UK construction firm's server, Remote Desktop Protocol (RDP)
Remediation: Implement strong password policies, utilize multi-factor authentication, and regularly update access credentials.