At a glance.
- Mozi botnet dwarfs the competition.
- RedDelta continues targeting the Holy See.
- Rampant Kitten targets Iranian dissidents, both domestically and in the diaspora.
- Cerberus activity spikes following source code leak.
- Bit-and-piece DDoS attacks are on the rise.
- Maze ransomware delivered via VM.
- A look at cybersecurity companies' security practices.
Mozi botnet dwarfs the competition.
Researchers at IBM X-Force have been tracking Mozi, an IoT botnet that surfaced in late 2019 and displays code overlap with Mirai. X-Force says the Mozi botnet generated almost 90% of observed IoT traffic between October 2019 and the end of June 2020. The number of IoT attacks during this period was 400% higher than the total number of IoT attacks during the previous two years combined. The researchers note, "This startling takeover was accompanied by a huge increase in overall IoT botnet activity, suggesting Mozi did not remove competitors from the market. Rather, it flooded the market, dwarfing other variants’ activity."
X-Force says Mozi's success is largely due to its use of command injection attacks against misconfigured IoT devices. An additional, broader factor is the rapidly expanding attack surface as more IoT devices go online each day.
The use of command injection attacks against IoT devices isn't unique to Mozi, however. The researchers explain that nearly all attacks against IoT devices involve this technique, for three reasons: "First, IoT embedded systems commonly contain a web interface and a debugging interface left over from firmware development that can be exploited. Second, PHP modules built into IoT web interfaces can be exploited to give malicious actors remote execution capability. And third, IoT interfaces often are left vulnerable when deployed because administrators fail to harden the interfaces by sanitizing expected remote input." Additionally, command injection attacks are easily automated, and newly discovered or unpatched vulnerabilities provide fresh opportunities for exploitation.
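The third reason above, unsanitized remote input reaching a shell, is the one an administrator or firmware developer can actually fix. The following is an added example written for this digest, not code from X-Force or from any Mozi sample: a minimal, hypothetical "diagnostic ping" handler of the kind found in IoT web interfaces, shown first in its naive form (the request parameter concatenated into a shell command) and then hardened with an allow-list check and an argv list so no shell parses the value. The attacker payload and the shell-splitting helper are constructed for illustration.

```python
import re
from typing import List

# Allow-list for the single value this handler accepts: an IPv4 address or a
# DNS hostname (alphanumeric labels with optional inner hyphens, dot-separated).
# Every label must begin with an alphanumeric, so "-f" cannot be smuggled in as
# a ping flag, and shell metacharacters (; | & $ ` ( ) < > newline) never match.
HOST_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)

# Tokens at which /bin/sh begins a new command or pipeline.
SHELL_SEPARATORS = re.compile(r"\s*(?:;|&&|\|\||\||&)\s*")


def vulnerable_command(host: str) -> str:
    """What a naive diagnostics handler hands to system()/popen(): the remote
    'host' parameter concatenated straight into a shell command line."""
    return "ping -c 1 " + host


def shell_would_run(command: str) -> List[str]:
    """Rough simulation (illustration only, quoting ignored) of how the shell
    splits a command line into separate commands at ; | & separators."""
    return [part for part in SHELL_SEPARATORS.split(command) if part]


def hardened_argv(host: str) -> List[str]:
    """Hardened handler: validate against the allow-list, then build an argv
    list for subprocess.run(argv, shell=False) so no shell parses the value."""
    if len(host) > 253 or not HOST_RE.fullmatch(host):
        raise ValueError("host parameter rejected: %r" % host)
    return ["ping", "-c", "1", host]


def is_accepted(host: str) -> bool:
    """True if the hardened handler would accept this value."""
    try:
        hardened_argv(host)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    payload = "192.0.2.1;cat /etc/passwd"  # constructed attacker input
    print(shell_would_run(vulnerable_command(payload)))
    # -> ['ping -c 1 192.0.2.1', 'cat /etc/passwd']
    print(hardened_argv("192.0.2.1"))
    print("blocked" if not is_accepted(payload) else "accepted")
```

The hardened version rejects rather than escapes: an allow-list over the one shape the parameter is supposed to have is far easier to get right than a deny-list of metacharacters, and passing an argv list without a shell removes the interpreter that command injection depends on.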
RedDelta continues targeting the Holy See.
Recorded Future's Insikt Group says the China-affiliated threat actor RedDelta has continued targeting the Vatican and the Catholic Diocese of Hong Kong, in spite of the security firm's July report exposing the group's operations. The group changed out some of its C2 infrastructure the day after Recorded Future's publication, indicating that it was aware of the report, but many of its servers remained live. The researchers say this "highlights the group’s willingness to continue to use publicly known infrastructure as long as access is maintained." They note that RedDelta probably doesn't feel the need to switch to new infrastructure, since many of the group's targets—primarily religious organizations and NGOs—lack the necessary security resources to identify the malicious activity.
Rampant Kitten targets Iranian dissidents.
Check Point describes Rampant Kitten, an ongoing Iranian surveillance operation aimed at the country's dissidents, expats, and minority groups, including the Association of Families of Camp Ashraf and Liberty Residents (AFALR), Azerbaijan National Resistance Organization, and Balochistan citizens. The operation has been active for at least six years. The threat actor's toolset includes four variants of a Windows infostealer and an Android backdoor. The Android malware is designed to steal SMS-based two-factor authentication codes. The attackers seem particularly interested in gaining access to victims' Telegram accounts, and they launched multiple phishing campaigns to this end. The Windows malware also seeks access to Telegram Desktop, and it establishes persistence by replacing Telegram's updater file.
Cerberus activity spikes following source code leak.
Kaspersky notes that the recent leak of the Cerberus banking Trojan's source code has led, as expected, to an increase in attacks using the Android malware. Cerberus has also gained more sophisticated capabilities since its code was published, and Kaspersky is now calling it "Cerberus v2." The malware can stealthily send and receive SMS messages, open overlays that spoof banking applications, steal codes from multifactor authentication apps, access saved credit card and contact information, redirect phone calls, and much more.
Kaspersky researcher Dmitry Galov stated, "It's not the first time we’ve seen something like this happen, but this boom of activity since the developers abandoned the project is the biggest developing story we’ve tracked for a while. We continue to investigate all found artefacts associated with the code, and will publish further in-depth analysis very soon. But, in the meantime, the best form of defence that users can adopt involves aspects of security hygiene that they should be practicing already across their mobile devices and banking security."
Kaspersky recommends only downloading apps from the Google Play Store or Apple's App Store, disabling installation of apps from unknown sources on your phone, and installing updates promptly.
Bit-and-piece DDoS attacks are on the rise.
According to Nexusguard's most recent DDoS Threat Report, "bit-and-piece" DDoS attacks increased by 570% in Q2 2020 compared to the same period last year. Nexusguard explains that bit-and-piece DDoS attacks involve "injecting doses of junk traffic of negligible size into a large pool of IP addresses across hundreds of IP prefixes, which eventually paralyze the target when the junk traffic starts to accumulate from different IPs." Bit-and-piece attacks are designed to blend in with legitimate traffic, making it very difficult for defenders to mitigate the attack without blocking legitimate users. These attacks are also smaller and more efficient than other types of DDoS attacks, allowing them to thwart threshold-based mitigation tactics.
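Why threshold-based mitigation misses this pattern is easier to see on data. The following is an added example written for this digest, not Nexusguard's detection logic: a constructed one-second traffic sample in which junk is sprinkled across 250 addresses of one target /24, 40 tiny packets each and every packet from a different source, run through a classic per-destination-IP threshold and then through an aggregation by destination prefix. The thresholds and the spread requirement are assumed values chosen for the illustration.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

Flow = Tuple[str, str, int]  # (source IP, destination IP, bytes) in a 1-second window


def build_sample_flows() -> List[Flow]:
    """Constructed sample, not real traffic: 250 target hosts in 203.0.113.0/24,
    40 small junk packets each, one distinct source per packet, plus a single
    legitimate client request to one of the targets."""
    flows: List[Flow] = []
    for host in range(1, 251):
        for n in range(40):
            flows.append(("198.18.%d.%d" % (host, n + 1), "203.0.113.%d" % host, 64))
    flows.append(("192.0.2.7", "203.0.113.10", 1500))
    return flows


def per_ip_alerts(flows: List[Flow], pps_threshold: int = 1000) -> List[str]:
    """Classic per-destination threshold: alert on any single address that
    receives more than pps_threshold packets in the window."""
    pkts: Dict[str, int] = defaultdict(int)
    for _, dst, _ in flows:
        pkts[dst] += 1
    return sorted(ip for ip, n in pkts.items() if n > pps_threshold)


def per_prefix_stats(flows: List[Flow], prefix_len: int = 24) -> Dict[str, Tuple[int, int, int]]:
    """Aggregate by destination prefix. Returns, per prefix,
    (packets, distinct destination addresses, distinct source addresses)."""
    pkts: Dict[str, int] = defaultdict(int)
    dsts: Dict[str, set] = defaultdict(set)
    srcs: Dict[str, set] = defaultdict(set)
    for src, dst, _ in flows:
        net = str(ipaddress.ip_network("%s/%d" % (dst, prefix_len), strict=False))
        pkts[net] += 1
        dsts[net].add(dst)
        srcs[net].add(src)
    return {net: (pkts[net], len(dsts[net]), len(srcs[net])) for net in pkts}


def per_prefix_alerts(flows: List[Flow], prefix_len: int = 24,
                      pps_threshold: int = 5000, min_spread: int = 50) -> List[str]:
    """Alert when a prefix as a whole exceeds pps_threshold AND the traffic is
    spread across at least min_spread destinations, the signature of junk
    being distributed across a pool rather than aimed at one host."""
    stats = per_prefix_stats(flows, prefix_len)
    return sorted(net for net, (pkts, ndst, _) in stats.items()
                  if pkts > pps_threshold and ndst >= min_spread)


if __name__ == "__main__":
    sample = build_sample_flows()
    print("per-IP alerts:", per_ip_alerts(sample))          # -> []
    print("per-prefix alerts:", per_prefix_alerts(sample))  # -> ['203.0.113.0/24']
    print(per_prefix_stats(sample))
```

No single target address exceeds the per-IP threshold, so a per-host rule stays silent, while the prefix view shows roughly ten thousand packets from as many sources spread over 250 hosts. The caveat is the one the report implies: once the aggregate is detected, blocking by source is still impractical because each source sent a handful of packets, so mitigation has to work on the traffic pattern (rate limiting the prefix, protocol or payload profile) rather than on a list of offending IPs.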
Maze ransomware delivered via VM.
Sophos warns that the Maze ransomware operators are delivering their payloads via virtual machines, a technique first used by the RagnarLocker ransomware earlier this year. BleepingComputer explains that the attackers turned to this tactic after their first two attempts to install the ransomware failed. Sophos says the attackers had been in the network for at least six days before deploying this tactic, and they configured the VM specifically for the victim's shared network drives.
A look at cybersecurity companies' security practices.