<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
     xmlns:content="http://purl.org/rss/1.0/modules/content/"
     xmlns:dc="https://purl.org/dc/elements/1.1/"
     xmlns:dcterms="http://purl.org/dc/terms/"
     xmlns:media="http://search.yahoo.com/mrss/"
     xmlns:atom="http://www.w3.org/2005/Atom"
>
    <channel>
                    <atom:link href="https://www.itpro.com/feeds/tag/botnets" rel="self" type="application/rss+xml" />
                            <title><![CDATA[ Latest from ITPro in Botnets ]]></title>
                <link>https://www.itpro.com/tag/botnets</link>
        <description><![CDATA[ All the latest botnets content from the ITPro team ]]></description>
                                    <lastBuildDate>Thu, 11 Jun 2026 15:34:35 +0000</lastBuildDate>
                            <language>en</language>
                                <item>
                                                            <title><![CDATA[ Security experts sound alarm over 'expanded' China-linked botnet used to target US critical infrastructure and military assets ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/security-experts-sound-alarm-over-expanded-china-linked-botnet-used-to-target-us-critical-infrastructure-and-military-assets</link>
                                                                            <description>
                            <![CDATA[ The China-linked botnet highlights risk of leaving routers and IoT devices unpatched ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">WVBT35GnszqKNu8mRcoKdm</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/T88XCMBKcwGSg5qaEXtdDR-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 11 Jun 2026 15:34:35 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Nicole Kobie ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/8Y8JDDTQ7XDEk49FoAFP2S.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Nicole Kobie first started writing for ITPro in 2007. As a freelance journalist covering technology and business, Nicole&#039;s work includes  bylines in New Scientist, Wired, PC Pro and many more. &lt;/p&gt;&lt;p&gt;Nicole the author of a book about the history of technology, The Long History of the Future.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/T88XCMBKcwGSg5qaEXtdDR-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Chinese hackers concept image showing People&#039;s Republic of China (PRC) flag in background with shadowed hands typing on a laptop keyboard in foreground.]]></media:description>                                                            <media:text><![CDATA[Chinese hackers concept image showing People&#039;s Republic of China (PRC) flag in background with shadowed hands typing on a laptop keyboard in foreground.]]></media:text>
                                <media:title type="plain"><![CDATA[Chinese hackers concept image showing People&#039;s Republic of China (PRC) flag in background with shadowed hands typing on a laptop keyboard in foreground.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/T88XCMBKcwGSg5qaEXtdDR-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The JDY <a href="https://www.itpro.com/botnets/1644/what-is-a-botnet">botnet </a>is back and expanding via attacks on unpatched routers, cameras and other edge devices. </p><p>According to a report from Lumen's Black Lotus Labs the JDY botnet now makes up 1,500 compromised small office and home office (SOHO) devices, as well as edge and Internet of Things (IoT) devices, and is used by Chinese state-backed hackers including <a href="https://www.itpro.com/security/cyber-attacks/volt-typhoon-threat-group-electric-grid">Volt Typhoon</a> as a scanner to spot exposed services for exploitation. </p><p>JDY was first spotted back in 2023 as part of an investigation into the KV botnet, which was used for covert data transfer while JDY was focused on scanning and reconnaissance. After KV was taken down last year by the US government, JDY remained an active threat, Black Lotus Labs noted in a <a href="https://www.lumen.com/blog/en-us/expanded-jdy-iot-and-soho-botnet-enables-rapid-vulnerability-exploitation" target="_blank"><u>report</u></a>. </p><p>Now, the JDY botnet has doubled in size, with compromised devices located across Europe and Asia, though the majority are in the US. The network is used to scan a range of targets for weaknesses, though the US military is a clear focus.</p><p>"The expansion of the JDY botnet underscores how China‑nexus threat actors are scaling reconnaissance as a core enabler of exploitation," Black Lotus Labs said in a blog post. </p><p>"By distributing scanning and fingerprinting across thousands of <a href="https://www.itpro.com/security/cyber-attacks/lapdogs-cyber-espionage-campaign-iot-home-office-routers">compromised SOHO and IoT devices</a>, operators can rapidly identify vulnerable infrastructure and targets of interest while evading traditional, IP‑based defenses."</p><p>Gabrielle Hempel, Security Operations Strategist at Exabeam, noted that discussions around botnets normally focus on data theft, but there's more to consider. </p><p>"We spend a lot of time talking about nation-state actors stealing information, but the scarier reality is that many of these operations are designed to establish positioning and persistence," she said. </p><p>"If geopolitical tensions ever escalate, having access already in place is far more valuable than trying to gain it during a crisis. Persistent access provides intelligence collection opportunities today and potential disruption options tomorrow."</p><h2 id="targeting-unpatched-edge-devices">Targeting unpatched edge devices</h2><p>Previously, JDY focused on two Cisco router models but has now expanded its botnet to include a range of manufacturers. Using edge devices helps the botnet's activity blend into regular traffic, the security lab added. </p><p>Devices aren't added to the JDY botnet at random, however. Indeed, the attackers are looking for specific models with known exploitable flaws. </p><p>"Black Lotus Labs found that JDY botnet operators target specific devices for scanning and reconnaissance, rather than conducting widespread, indiscriminate scanning," the post said. "Most notably, there was a selective increase in scans of Fortinet equipment immediately after the disclosure of a new vulnerability, indicating the ability and intent to find and exploit vulnerable devices before patches are widely applied."</p><p>Hempel noted that JDY continues the trend of attackers focusing on easy to exploit edge devices that are often missed in security efforts. </p><p>"As we have seen with many recent attacks, campaigns like JDY don’t rely on the sophisticated zero days that everyone loves to talk about, but leverage poorly maintained edge devices, exposed infrastructure, and slow patching," Hempel added. "It’s the low-hanging fruit that they are after to get in.</p><h2 id="what-should-enterprises-do">What should enterprises do?</h2><p>Given that, it's no surprise that Black Lotus Labs advises companies to follow existing best practice for routers, firewalls, and IOT devices: install patches for known flaws, run security updates, and regularly reboot. </p><p>Beyond that, the security lab advised enterprises to adopt the <a href="https://www.itpro.com/cloud/cloud-security/what-is-secure-access-service-edge-sase">Secure Access Service Edge (SASE)</a> architecture or similar solutions to reduce the attack surface and implement existing guidance from national security bodies about how to mitigate against Volt Typhoon and China-Linked threat groups. </p><p>"The JDY botnet underscores the risk of relying on traditional IP-based security controls such as geofencing, IP reputation-based detection, and static blocklists," the security lab added. </p><p>"The large number of US-based SOHO and IoT devices that comprise the botnet allows operators to blend in with legitimate user traffic, making malicious scanning and reconnaissance activity harder to detect."</p><h3 class="article-body__section" id="section-follow-us-on-social-media"><span>FOLLOW US ON SOCIAL MEDIA</span></h3>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Thousands of Asus routers are being used to fuel a massive cyber crime spree ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/thousands-of-asus-routers-are-being-used-to-fuel-a-massive-cyber-crime-spree</link>
                                                                            <description>
                            <![CDATA[ Black Lotus Labs has spotted a massive botnet of Asus routers built by malware that uses a common peer networking tool ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">eKJRcjhiqzpr5rwsNrbEFS</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/FqwdpUKc89SZqpjHUQRg63-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 12 Mar 2026 11:10:20 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Nicole Kobie ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/8Y8JDDTQ7XDEk49FoAFP2S.png ]]></dc:source>
                                                                <dc:description><![CDATA[ &lt;p&gt;Nicole Kobie first started writing for ITPro in 2007. As a freelance journalist covering technology and business, Nicole&#039;s work includes  bylines in New Scientist, Wired, PC Pro and many more. &lt;/p&gt;&lt;p&gt;Nicole the author of a book about the history of technology, The Long History of the Future.&lt;/p&gt; ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/FqwdpUKc89SZqpjHUQRg63-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Earth with a global botnet showing red and blue-colored lines spreading out across the planet.]]></media:description>                                                            <media:text><![CDATA[Earth with a global botnet showing red and blue-colored lines spreading out across the planet.]]></media:text>
                                <media:title type="plain"><![CDATA[Earth with a global botnet showing red and blue-colored lines spreading out across the planet.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/FqwdpUKc89SZqpjHUQRg63-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><a href="https://www.itpro.com/malware/28076/what-is-malware">Malware</a> targeting Asus routers has built a <a href="https://www.itpro.com/botnets/1644/what-is-a-botnet">botnet </a>of 14,000 devices to spread malicious traffic, according to researchers at Lumen's Black Lotus Labs. </p><p>Dubbed "KadNap", the malware was first spotted in August 2025, with 60% of the infected devices located in the US, with others spotted in the UK, across Europe, and Australia, among others. Alongside Asus routers, the malware is also targeting edge networking devices. </p><p>KadNap slips by existing network protections using the Kademlia distributed hash table (DHT) designed for peer-to-peer networks like BitTorrent to hide its own originating <a href="https://www.itpro.com/virtual-private-network-vpn/30351/how-do-you-hide-an-ip-address">IP address</a>. </p><p>"Infected devices use the DHT protocol to locate and connect with a command-and-control (C2) server, while defenders cannot easily find and add those C2s to threat lists," the researchers at Black Lotus Labs said in a <a href="https://blog.lumen.com/silence-of-the-hops-the-kadnap-botnet/" target="_blank"><u>blog post</u></a>. </p><p>“In short, the innovative use of the DHT protocol allows the malware to establish robust communication channels that are difficult to disrupt by hiding in the noise of legitimate peer-to-peer traffic."</p><p>Access to that network is then sold via a proxy service called "Doppelganger" to be used for criminal activity, researchers added. </p><p>"KadNap’s bots are sold through Doppelganger, a service whose users leverage these hijacked devices for a range of malicious purposes, including brute-force attacks and highly targeted exploitation campaigns," researchers said. </p><p>"As a result, every IP address associated with this botnet represents a significant, persistent risk to organizations and individuals alike."</p><p><em>ITPro </em>contacted Asus for comment, but did not receive a response by time of publication.</p><h2 id="spotting-kadnap">Spotting KadNap</h2><p>This particular botnet-building malware was spotted last summer by a Lumen algorithm that searches out dodgy networks as they pop up, with the company noticing 10,000 Asus devices all communicating with one set of servers. </p><p>Once the malicious file was on the router or other IoT or edge hardware, it would download a shell script and start the process of adding the kit to the botnet. </p><p>To hide, KadNap makes use of a legitimate distributed hash table known as Kademlia, which was designed to make it easier to find information across peers.</p><p>"To better understand this system, think of Kademlia like using a chain of friends to find someone’s phone number: each friend does not know the whole number but knows someone who can get you closer to the answer," the researchers explained. </p><p>"Passing your request along this chain, you quickly put together the whole phone number. Likewise, Kademlia nodes forward queries to others that are 'closer' to the target, enabling fast and efficient searches without knowing the whole network."</p><p>KadNap uses a custom version of the DHT to hide the IP address of the criminal's command and control server. That allows a newly infected router to find and connect to previously infected nodes to share additional payloads and build a bot network. </p><p>"The KadNap botnet stands out among others that support anonymous proxies in its use of a peer-to-peer network for decentralized control," the researchers said. "Their intention is clear: avoid detection and make it difficult for defenders to protect against."</p><h2 id="what-can-enterprises-do">What can enterprises do?</h2><p>Lumen said its own customers have been protected from these attacks since last August, and that it would share indicators of compromise (IoC) publicly so others could be protected as well. </p><p>Beyond that, the lab advised security professionals working on network defense to keep watch for attacks on weak credentials or suspicious logins, even if they seem to come from safe IP addresses. </p><p>Additional advice includes protecting cloud assets from communicating with bots and make use of Web Application Firewalls. </p><p>Regarding KadNap specifically, it's worth checking if devices aren't connecting to public BitTorrent trackers. </p><p>For users of small office or home office (SOHO) routers, Lumen advice includes:</p><ul><li>Ensuring routers are patched, updated, and rebooted regularly</li><li>Bolstering password security</li><li>Replacing outdated or unsupported devices</li></ul><h3 class="article-body__section" id="section-follow-us-on-social-media"><span>FOLLOW US ON SOCIAL MEDIA</span></h3>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Europol hails triple takedown with Rhadamanthys, VenomRAT, and Elysium sting operations ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/europol-hails-triple-takedown-with-rhadamanthys-venomrat-and-elysium-sting-operations</link>
                                                                            <description>
                            <![CDATA[ The Rhadamanthys infostealer operation is one of the latest victims of Europol's Operation Endgame, with more than a thousand servers taken down ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">84rf84B6USKP3XsAAbyTHC</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/hNt2JaLuS3Ribvoh5XfgT8-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 17 Nov 2025 12:08:54 +0000</pubDate>                                                                                                                                <updated>Mon, 17 Nov 2025 12:09:39 +0000</updated>
                                                                                                                                            <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/hNt2JaLuS3Ribvoh5XfgT8-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Image of a Europol sign affixed to its Amsterdam headquarters]]></media:description>                                                            <media:text><![CDATA[Image of a Europol sign affixed to its Amsterdam headquarters]]></media:text>
                                <media:title type="plain"><![CDATA[Image of a Europol sign affixed to its Amsterdam headquarters]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/hNt2JaLuS3Ribvoh5XfgT8-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>In the latest stage of its Operation Endgame campaign, Europol has seriously disrupted the Rhadamanthys infostealer, VenomRAT, and Elysium <a href="https://www.itpro.com/botnets/1644/what-is-a-botnet">botnet </a>malware operations.</p><p>More than 1,000 servers used by the groups to infect hundreds of thousands of victims worldwide with <a href="https://www.itpro.com/malware/28076/what-is-malware">malware </a>were last week taken down.</p><p>Law enforcement searched one location in Germany, one in Greece, and nine in the Netherlands, seizing 20 domains. One arrest, related to the VenomRAT tool, has been made in Greece.</p><p>"The dismantled malware infrastructure consisted of hundreds of thousands of infected computers containing several million stolen credentials. Many of the victims were not aware of the infection of their systems," Europol said. </p><p>"The main suspect behind the infostealer had access to over 100,000 crypto wallets belonging to these victims, potentially worth millions of euros."</p><p>These hadn't yet been used to steal assets, Europol said. However, it's recommended checking <a href="http://politie.nl/checkyourhack" target="_blank"><u><em>politie.nl/checkyourhack</em></u></a> and <a href="http://haveibeenpwned.com" target="_blank"><u><em>haveibeenpwned.com</em></u></a> to find out whether computers have been hacked and learn what to do.</p><p>The Rhadamanthys infostealer harvests browser-resident data, including credentials, browser data, autofill information, and cryptocurrency wallet artifacts from browsers, password managers, and crypto wallets. </p><p><a href="https://www.proofpoint.com/us/blog/threat-insight/operation-endgame-quakes-rhadamanthys" target="_blank"><u>According to Proofpoint</u></a>, it costs between $300 and $500 a month, with options for a higher price point for customized uses. The firm said it appears that the threat actor behind Rhadamanthys was not only facilitating information stealer operations but also stealing sensitive data from Rhadamanthys affiliates. </p><p>"In addition to the infrastructure disruption, it’s likely that this operation will also negatively affect the criminals’ reputation, leading affiliates to mistrust them," the firm pointed out.</p><p><a href="https://www.shadowserver.org/news/rhadamanthys-historical-bot-infections-special-report/" target="_blank"><u>According to the Shadowserver Foundation</u></a>, which assisted in the operation, Rhadamanthys has grown to become one of the leading infostealers since Operation Endgame 2.0 disrupted the infostealer landscape earlier this year.   </p><p>"It is important to note that Rhadamanthys may have been used to drop additional malware on infected systems, so other malware infections may also be active on these systems and require further local remediation efforts," the Shadowserver Foundation warned. </p><p>"These victim systems may also have been used in historic or recent intrusions and ransomware incidents." </p><p>VenomRAT, which first appeared in 2020, generally arrives through malicious email attachments or links, also using fake <a href="https://www.itpro.com/security/antivirus/367785/best-business-antivirus">antivirus </a>pages. </p><p>It gives its operators remote desktop-style control, allowing the theft of files, browser data, cryptocurrency wallets, credit card details, account passwords, and authentication cookies.</p><p>While it's mainly been used to target Latin American organizations, it has also claimed victims in North America and Western Europe. </p><p>The Elysium botnet meanwhile, carries out data theft, payload delivery and other tasks.</p><p>Operation Endgame, launched in 2024, has now led to total  seizures of more than €21 million. This latest action follows an Operation Endgame raid in May that saw 300 servers taken down and 650 domains seized, along with €3.5 million. </p><h3 class="article-body__section" id="section-more-from-itpro"><span>MORE FROM ITPRO</span></h3><ul><li><a href="https://www.itpro.com/security/botnets-are-being-sold-on-the-dark-web-for-as-little-as-dollar99">Botnets are being sold on the dark web for as little as $99</a></li><li><a href="https://www.itpro.com/security/malware/what-is-polymorphic-malware">What is polymorphic malware?</a></li><li><a href="https://www.itpro.com/security/malware/malware-as-a-service-explained-what-it-is-and-why-businesses-should-take-note">Everything you need to know about Malware as a Service</a></li></ul>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Seized database helps Europol snare botnet customers in ‘Operation Endgame’ follow-up sting ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/europol-operation-endgame-botnet-follow-up-arrests</link>
                                                                            <description>
                            <![CDATA[ Europol has detained several people believed to be involved in a botnet operation as part of a follow-up to a major takedown last year. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">vsdWMViFBLwKPaWxpsCreJ</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/X8SLtm2YmMKNBeG8ZeCDXf-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 10 Apr 2025 12:02:51 +0000</pubDate>                                                                                                                                <updated>Thu, 10 Apr 2025 18:37:55 +0000</updated>
                                                                                                                                            <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Emma Woollacott ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/aWfskavxoVSMDy6cDWtYmJ.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/X8SLtm2YmMKNBeG8ZeCDXf-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Europol logo and badge pictured on the exterior of the Europol headquarters in The Hague, Netherlands.]]></media:description>                                                            <media:text><![CDATA[Europol logo and badge pictured on the exterior of the Europol headquarters in The Hague, Netherlands.]]></media:text>
                                <media:title type="plain"><![CDATA[Europol logo and badge pictured on the exterior of the Europol headquarters in The Hague, Netherlands.]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/X8SLtm2YmMKNBeG8ZeCDXf-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Europol has detained several people believed to be involved in a <a href="https://www.itpro.com/botnets/1644/what-is-a-botnet">botnet </a>operation as part of a follow-up to a major takedown last year. </p><p>Following the <em>Operation Endgame</em> investigation, major malware droppers including IcedID, SystemBC, Pikabot, Smokeloader and Bumblebee, were shut down last year.</p><p>According to Europol, analysis of the contents of a seized database enabled it to identify customers of the SmokeLoader pay-per-install botnet, operated by an individual known as <em>‘Superstar’</em>.</p><p>The law enforcement agency has now made arrests, carried out house searches, and conducted arrest warrants or ‘knock and talks’. </p><p>"Superstar used his botnet to run a pay-per-install service, enabling customers to gain access to victims’ machines. Customers used the service to deploy malware for their own criminal activities," Europol said. </p><p>"Investigations revealed that botnet access was purchased for a range of purposes, including keylogging, webcam access, <a href="https://www.itpro.com/security/28084/what-is-ransomware">ransomware </a>deployment, cryptomining and more. Law enforcement tracked down the customers as they were registered in a database seized during Operation Endgame." </p><p>The <a href="https://www.itpro.com/malware/28076/what-is-malware">malware </a>had infected millions of computers around the world, according to the FBI. SystemBC facilitated anonymous communication between an infected system and a command-and-control servers.</p><p>Meanwhile, Bumblebee was distributed mainly via phishing campaigns or compromised websites, and was designed to enable the delivery and execution of further payloads on compromised systems.</p><p>SmokeLoader was mainly used as a downloader to install additional malicious software onto the systems it infected. Similarly, IcedID - also known as BokBot - had been further developed to carry out a range of crimes as well as the theft of financial data. </p><h2 id="europol-hails-success-of-largest-botnet-takedown">Europol hails success of largest botnet takedown</h2><p>As part of last year's operation - the largest ever against a botnet - more than 100 servers were shut down or disrupted and over 2,000 internet domains tied to the hacking activities were seized. </p><p>But while last May's activities were focused on the high-level players who were using ransomware, for example, this latest set of raids is designed to mop up the customers of Cybercrime as a Service providers.  </p><p>Law enforcement agencies in several countries were able to link online personas and their usernames to actual individuals. </p><p>"When called in for questioning, several suspects chose to cooperate with the authorities by facilitating the examination of digital evidence stored on their personal devices," Europol said. </p><p>"Several suspects resold the services purchased from SmokeLoader at a markup, thus adding an additional layer of interest to the investigation."</p><p>Europol said it’s not quite finished yet, either. The law enforcement agency is still investigating possible leads, revealing it has more suspects in the crosshairs. </p><h3 class="article-body__section" id="section-more-from-itpro"><span>MORE FROM ITPRO</span></h3><ul><li><a href="https://www.itpro.com/security/botnets-are-being-sold-on-the-dark-web-for-as-little-as-dollar99">Botnets are being sold on the dark web for as little as $99</a></li><li><a href="https://www.itpro.com/security/cyber-crime/cobalt-strike-takedown-fortra-microsoft">Cobalt Strike abusers have been dealt a hammer blow</a></li><li><a href="https://www.itpro.com/security/cyber-crime/the-zservers-takedown-is-another-big-win-for-law-enforcement">The Zservers takedown is another big win for law enforcement</a></li></ul>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Horabot campaign targeted businesses for more than two years before finally being discovered ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/horabot-campaign-targeted-businesses-for-more-than-two-years-before-finally-being-discovered</link>
                                                                            <description>
                            <![CDATA[ The newly-discovered Horabot botnet has attacked companies in the accounting, investment, and construction sectors in particular ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">T3a8dreTad7uG4RF7bkT6R</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/gJZrGbjJ6m3w8DWp96whhM-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 02 Jun 2023 11:11:56 +0000</pubDate>                                                                                                                                <updated>Fri, 02 Jun 2023 12:05:33 +0000</updated>
                                                                                                                                            <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Ross Kelly ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/Y5vrV2V98Np6jHAGmAtCd3.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/gJZrGbjJ6m3w8DWp96whhM-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[High quality 3D rendered image of North and South America]]></media:description>                                                            <media:text><![CDATA[High quality 3D rendered image of North and South America]]></media:text>
                                <media:title type="plain"><![CDATA[High quality 3D rendered image of North and South America]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/gJZrGbjJ6m3w8DWp96whhM-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Security researchers have issued a warning over a sophisticated malware botnet that has flown under the radar for more than two years.</p><p>Analysis by security firm Cisco Talos also found that organisations across “several business verticals” have been targeted by the botnet since November 2020.</p><p>Dubbed ‘Horabot’, the <a href="https://www.itpro.com/botnets/1644/what-is-a-botnet"><u>botnet</u></a> was spotted infecting devices with a banking trojan and spam tools to steal sensitive financial information and assume control of user email accounts to wage phishing attacks.</p><p>Users of email services such as Gmail, Yahoo, and Outlook, have been impacted by the botnet, with their accounts used to send malicious emails to contacts.</p><p>“Horabot enables the threat actor to control the victim’s Outlook mailbox, exfiltrate contacts’ email addresses, and send <a href="https://www.itpro.com/security/29093/what-is-phishing"><u>phishing</u></a> emails with malicious HTML attachments to all addresses in the victim’s mailbox,” researchers said.</p><p>“The banking trojan can collect the victim’s login credentials for various online accounts, operating system information and keystrokes. It also steals one-time security codes or soft tokens from the victim’s online banking applications.”</p><p>According to Talos, the botnet has specifically targeted Spanish-speaking users in the Americas, and could be based in Brazil.</p><p>Companies operating in the accounting, construction, engineering, and investment sectors are thought to have been particularly targeted by the botnet.</p><h2 id="how-does-horabot-work">How does Horabot work?</h2><p>Technical analysis from Cisco Talos revealed that the campaign is a “multi-stage attack chain” beginning with an initial phishing email. This then delivers a malicious payload via a <a href="https://www.itpro.com/operating-systems/microsoft-windows/356552/what-is-windows-powershell"><u>PowerShell</u></a> downloader script.</p><p>“When a victim opens the HTML file attachment, an embedded URL is launched in the victim’s browser, redirecting to another malicious HTML file from an attacker-controlled AWS EC2 instance,” researchers said in a <a href="https://blog.talosintelligence.com/new-horabot-targets-americas/" target="_blank"><u>blog post</u></a>. “The content displayed on the victim’s browser lures them to click an embedded malicious hyperlink which downloads a RAR file.”</p><p>This payload was found to create specially crafted Windows shortcut files that run during the startup process of a victims machine and force it to restart.</p><p>Upon reboot, these malicious files enable the attacker to further infect the device.</p><p>“After the victim’s machine is rebooted, the malicious Windows startup files run the payloads by sideloading them to the legitimate executables and downloading and executing two other PowerShell scripts from a different attacker-controlled server,” the blog post explained.</p><p>“One is the PowerShell downloader script, which the attacker attempts to execute to re-infect the victim’s machine, and another is Horabot.”</p><h2 id="analysis-of-the-banking-trojan">Analysis of the banking trojan</h2><p>Analysis from Talos found that the banking trojan used in this campaign specifically targets the victim’s login credentials and financial information.</p><p>This trojan enables the attacker to monitor activity on a victim’s device by collecting system information such as hostnames, IPv4 addresses, OS version information, and insights on <a href="https://www.itpro.com/security/malware/28083/best-free-malware-removal-tools"><u>anti-virus software</u></a> present on the machine.</p><p>Data gathered by the trojan is then extracted to an attacker-controlled server, researchers added.</p><p>“The reconnaissance data is exfiltrated to the attacker-controlled server through an HTTP POST request,” Talos explained “The banking trojan targets the victim’s sensitive information, such as login credentials and financial transaction security codes, and logs keystrokes and manipulates the victim machine’s clipboard data.</p><p>“The trojan also has anti-analysis and anti-detection capabilities to evade the sandbox and virtual environments.”</p><h2 id="phishing-spam-tool">Phishing spam tool</h2><p>The second element of this botnet campaign involves the use of a spam tool, researchers explained. This acts as a secondary payload during the attack and enables the threat actor to assume control of the victim’s email accounts.</p><p>“The spam tool is a 32-bit DLL written in Delphi and, when run on the victim’s machine, will attempt to compromise the victim’s login credentials for webmail services such as Yahoo, Gmail, and Hotmail,” Cisco analysts explained.</p><p>Once user credentials have been compromised, this tool takes “full control” of the account and begins creating and circulating spam emails to contacts found in the victim’s mailbox.</p><p>This spambot also displayed “information-stealing capabilities”, including the ability to log keystrokes, capture screenshots, and track mouse activity on an infected computer.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Brand-new Emotet campaign socially engineers its way from detection ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/cyber-security/370253/new-emotet-socially-engineers-evade-detection</link>
                                                                            <description>
                            <![CDATA[ This latest resurgence follows a three-month hiatus and tricks users into re-enabling dangerous VBA macros ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">gQYF1N9DjyMh5XWwbFu6a8</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/9Xr5cbyCaue8fcgNdkming-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 14 Mar 2023 11:40:39 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Ross Kelly ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/Y5vrV2V98Np6jHAGmAtCd3.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/9Xr5cbyCaue8fcgNdkming-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Black screen with neon blue lines of code written across and a skull shape appears overlayed the code]]></media:description>                                                            <media:text><![CDATA[Black screen with neon blue lines of code written across and a skull shape appears overlayed the code]]></media:text>
                                <media:title type="plain"><![CDATA[Black screen with neon blue lines of code written across and a skull shape appears overlayed the code]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/9Xr5cbyCaue8fcgNdkming-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The Emotet botnet has returned for a fresh campaign deploying various tactics such as binary padding and social engineering to evade security defences.</p><p>Organisations have been warned to remain vigilant amidst a fresh wave of Emotet spam activity that has surged since the start of the year, following a three-month period of low activity. </p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/hacking/361340/what-is-emotet" data-original-url="/security/hacking/361340/what-is-emotet">What is Emotet?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/cyber-attacks/369526/hundreds-of-thousands-of-emotet-attacks-spotted-daily-after-hiatus" data-original-url="/security/cyber-attacks/369526/hundreds-of-thousands-of-emotet-attacks-spotted-daily-after-hiatus">Hundreds of thousands of Emotet attacks spotted daily after four-month hiatus</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/malware/358450/europol-takes-down-dangerous-emotet-botnet" data-original-url="/security/malware/358450/europol-takes-down-dangerous-emotet-botnet">Europol takes down 'dangerous' Emotet botnet</a></p></div></div><p>The acceleration in attacks has been driven by the resurgence of the ‘Epoch 4’ botnet, which has been used to deliver malicious documents attached to seemingly legitimate emails.</p><p>This latest iteration of <a href="https://www.itpro.com/security/hacking/361340/what-is-emotet" data-original-url="https://www.itpro.com/security/hacking/361340/what-is-emotet">Emotet</a> was found to mimic replies in existing email chains and threads, duping users into believing the malicious content was from a previous conversation. </p><p>“These types of emails are often paired with social engineering techniques that are designed to get recipients to click on a link or download an attachment containing malware,” Trend Micro said in a <a href="https://www.trendmicro.com/en_us/research/23/c/emotet-returns-now-adopts-binary-padding-for-evasion.html">blog post</a>. </p><h2 id="new-emotet-campaign-how-does-it-work">New Emotet campaign: How does it work?</h2><p>Malicious emails in this latest Emotet campaign were found to contain a .zip attachment. Once opened, this delivers a Word document that dupes the user into enabling a malicious macro, researchers said.</p><p>Although Microsoft <a href="https://www.itpro.com/security/cyber-security/368513/microsoft-confirms-vba-macro-backtrack-is-only-temporary" data-original-url="https://www.itpro.com/security/cyber-security/368513/microsoft-confirms-vba-macro-backtrack-is-only-temporary">disabled VBA macros in Windows by default in 2022</a>, Emotet's malicious documents "deploy social engineering techniques to trick users into enabling macros to allow the attack to proceed as intended".</p><p>Finally, once enabled this macro downloads a malicious payload (DLL) to infect the device. </p><p>A key concern in this campaign is that this iteration of Emotet uses large file sizes to bypass security scans and <a href="https://www.itpro.com/security/endpoint-security/369700/withsecure-elements-endpoint-protection-review-holistic" data-original-url="https://www.itpro.com/security/endpoint-security/369700/withsecure-elements-endpoint-protection-review-holistic">endpoint protection</a> processes. Each malicious email includes a 600kb zip file which contains a Word document of over 500mb, researchers said.</p><p>Binary padding isn't an uncommon method of malware obfuscation. It attempts to exploit the file size limitations in security products by inflating the malicious payloads' file sizes - a method which can trick scanning tools into bypassing the file altogether.</p><p>“Malicious actors use zip compression to transport the relatively small files via email and HTTP, before decompression is used to inflate the files to evade security solutions. Finally, reconnaissance activities are performed either via IP configs or through the affected machine’s system information,” researchers said.</p><h2 id="emotet-remains-resilient-and-dangerous">Emotet remains resilient and dangerous</h2><p>Trend Micro researchers said the Emotet resurgence shows that it remains a “prolific and resilient” threat for organisations globally. </p><p>The botnet has survived previous takedowns led by law enforcement, including a notable <a href="https://www.itpro.com/security/malware/358450/europol-takes-down-dangerous-emotet-botnet" data-original-url="https://www.itpro.com/security/malware/358450/europol-takes-down-dangerous-emotet-botnet">disruption of its infrastructure in 2021</a>.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="9aV8AD2DMrX3t6bB85r9iW" name="9aV8AD2DMrX3t6bB85r9iW.png" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/9aV8AD2DMrX3t6bB85r9iW.png" mos="https://cdn.mos.cms.futurecdn.net/9aV8AD2DMrX3t6bB85r9iW.png" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>An in-depth analysis of the Microsoft 365 threat landscape</strong></p><p class="fancy-box__body-text">Cyber security report 2023</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/malware/370244/an-in-depth-analysis-of-the-microsoft-365-threat-landscape" data-original-url="/security/malware/370244/an-in-depth-analysis-of-the-microsoft-365-threat-landscape">FREE DOWNLOAD</a></p></div></div><p>In this instance, a joint operation between Europol and international law enforcement agencies from the UK, US, and France seized control of several hundred servers. The takedown granted a reprieve for hundreds of victims infected with malware. </p><p>While this appeared to put a major dent in the operation, within a year researchers observed another <a href="https://www.itpro.com/security/malware/361551/emotet-returns-spreading-quickly-help-of-trickbot" data-original-url="https://www.itpro.com/security/malware/361551/emotet-returns-spreading-quickly-help-of-trickbot">resurgence of the botnet</a>, revealing that its infrastructure had “almost doubled” in the space of a few months. </p><p>Research from Proofpoint in November 2022 found that after another hiatus period, Emotet was responsible for <a href="http://botnet%20is%20now%20acting%20as%20a%20primary%20facilitator%20for%20the%20delivery%20of%20major%20malware%20strains.">hundreds of thousands of daily attacks</a>, once again securing its place as a “primary facilitator” of malware delivery. </p><p>Trend Micro suggested that organisations will continue to face growing threats from Emotet in the coming months, noting that “it would not be surprising to see it evolve further in future attacks” by employing alternative malware delivery methods. </p><p>Threat actors are also expected to adopt new evasion techniques and integrate “additional second and even third-stage payloads into its routine”. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Microsoft says “it’s just too difficult” to effectively disrupt ransomware ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/369457/microsoft-says-its-just-too-difficult-to-effectively-disrupt-ransomware</link>
                                                                            <description>
                            <![CDATA[ The company details its new approach to combatting cyber crime as the underground industry drains $6 trillion from the global economy ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">djzDCNYtmTmE37jnmzwdbv</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/Wo9fqSWgWRqgiQUBs8e8DT-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 04 Nov 2022 13:00:06 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Ransomware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/Wo9fqSWgWRqgiQUBs8e8DT-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Someone holding a padlock in front of the Microsoft logo]]></media:description>                                                            <media:text><![CDATA[Someone holding a padlock in front of the Microsoft logo]]></media:text>
                                <media:title type="plain"><![CDATA[Someone holding a padlock in front of the Microsoft logo]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/Wo9fqSWgWRqgiQUBs8e8DT-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A leading Microsoft security executive said the efforts of law enforcement to try and shut down ransomware operations aren’t enough to provide a meaningful deterrent.</p><p>Although he praised the strong work that has been done to take down the likes of REvil in recent years, Tom Burt, CVP of customer security and trust at Microsoft said the volume of takedowns isn’t enough to stop the crime altogether.</p><p>His comments were delivered at a press event on Thursday alongside a pre-publication briefing on Microsoft’s annual Digital Defence Report, which was released on Friday.</p><p>"The problem with the efforts by law enforcement globally to try to address ransomware is that the challenges of conducting traditional law enforcement investigations and prosecutions against ransomware actors are just too difficult given the the cross-border nature of that activity, the fact that a lot of the actors are beyond the reach of law enforcement that care about this issue. It's just too difficult," said Burt.</p><p>"And while there have been some notable successes in the last year by law enforcement going after cyber criminals, and we applaud those efforts, and we work in partnership with law enforcement whenever we can, the volume of those successful prosecutions is just way too small to be a meaningful deterrent."</p><p>Asked about the nature of ransomware organisations’ evolving tactics, such as triple extortion, Microsoft said the primary development in tactics, techniques, and procedures (TTPs) is in how they evade detection.</p><p>Burt said he and Microsoft expect this trend to continue especially now the <a href="https://www.itpro.com/security/29332/the-rise-of-ransomware-as-a-service" data-original-url="https://www.itpro.com/security/29332/the-rise-of-ransomware-as-a-service">ransomware as a service (RaaS)</a> model is continuing to see an increase in popularity.</p><p>“We continue to see the proliferation of human-operated ransomware where the targets of these ransomware attacks have been researched in detail by the criminals so that the demands that they make for ransom to be paid, continue to escalate,” he said.</p><p>“The groups that are most active in providing ransomware as a service are very sophisticated and well-resourced, and as we and law enforcement and others seek to detect what they are doing and disrupt their activity, we will certainly see them continuing to evolve their approaches to try to avoid detection and to avoid disruption.”</p><h2 id="disrupting-the-disruptors-a-change-in-tack">Disrupting the disruptors: A change in tack</h2><p>Microsoft is now shifting its focus on ransomware, and cyber crime more generally, towards publicising the inner workings of cyber criminal operations, while continuing to assist in any law enforcement operations that require its insight and services.</p><p>Specifically, it believes changing its focus towards identifying the infrastructure being used to deliver ransomware and the infrastructure being used to receive ransom payments will help the industry more in the long term.</p><p>The company’s cyber security team regularly posts detailed blogs detailing its investigations into various ransomware and other cyber criminal groups to raise awareness in the security community of the common tactics used by ransomware gangs to successfully target organisations.</p><p>Microsoft’s disruption efforts also extend to the wide use of <a href="https://www.itpro.com/botnets/1644/what-is-a-botnet" data-original-url="https://www.itpro.com/botnets/1644/what-is-a-botnet">botnets</a> in the cyber criminal underground too, Burt said.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="sr7PL6RyX4xfWCPshjfCie" name="sr7PL6RyX4xfWCPshjfCie.png" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/sr7PL6RyX4xfWCPshjfCie.png" mos="https://cdn.mos.cms.futurecdn.net/sr7PL6RyX4xfWCPshjfCie.png" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>Building a better password strategy for your business</strong></p><p class="fancy-box__body-text">Exploring the strategies and exploits that hackers are using to circumvent password security measures</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/369393/building-a-better-password-strategy-for-your-business" data-original-url="/security/369393/building-a-better-password-strategy-for-your-business">FREE DOWNLOAD</a></p></div></div><p>The company detailed its ongoing efforts in the space in its annual Digital Defence Report. It said it was able to disrupt the infrastructure of seven different threat groups in the past year which has led, by its estimates, to the safety of more than 17 million potential <a href="https://www.itpro.com/malware/28076/what-is-malware" data-original-url="https://www.itpro.com/malware/28076/what-is-malware">malware</a> victims.</p><p>Botnets continue to act as a principal pathway through which cyber crime is conducted, said Burt, and they are becoming increasingly sophisticated and resilient to disruption efforts.</p><p><a href="https://www.itpro.com/security/hacking/361340/what-is-emotet" data-original-url="https://www.itpro.com/security/hacking/361340/what-is-emotet">Emotet</a> is one such botnet operation that has proven especially difficult for cyber security experts to take down in recent years. Europol <a href="https://www.itpro.com/security/malware/358450/europol-takes-down-dangerous-emotet-botnet" data-original-url="https://www.itpro.com/security/malware/358450/europol-takes-down-dangerous-emotet-botnet">famously took down the botnet’s infrastructure</a> in January 2021 after years of work to reach that goal, but even then experts warned that it may make a resurgence.</p><p>That resurgence came <a href="https://www.itpro.com/security/malware/361551/emotet-returns-spreading-quickly-help-of-trickbot" data-original-url="https://www.itpro.com/security/malware/361551/emotet-returns-spreading-quickly-help-of-trickbot">less than a year later</a> when, in November 2021, its infrastructure went back online, growing in numbers rapidly in the proceeding days. This week, according to the Emotet-tracking group Cryptolaemus, the botnet has <a href="https://twitter.com/Cryptolaemus1/status/1587792659275448320">started distributing malware again</a> after a four-month break.</p><p>“You will see our <a href="https://www.itpro.com/botnets/1644/what-is-a-botnet" data-original-url="https://www.itpro.com/botnets/1644/what-is-a-botnet">botnet</a> disruptions, instead of being a single-day or a single-week operation in which we successfully disrupt them, we now know that our successful disruption is going to take months or even a year to ultimately bring down botnets,” said Burt.</p><p>“But I think you will see over the course of the coming year, that we'll continue to do that work as we try to find ways to scale what we can bring to the battle against cyber crime.”</p><p>Microsoft said ransomware, and cyber crime more broadly, is showing no signs of slowing down. It's expected to drain $6 trillion (£5.3 trillion) from the global economy by the end of next year - a figure rising to $10 trillion (£8.9 trillion) in 2025, according to research it presented from Cybersecurity Ventures.</p><p>One of the reasons why cyber crime continues to see an uptick in popularity and success is due to the way in which the barrier to entry is being consistently lowered, Microsoft said in its report. Cyber criminals’ tactics evolve and new tools are always being built to make conducting cyber attacks easier for lower-skilled individuals.</p><p>Previously highlighted by Microsoft's regular security reporting, it once again cited the growing proliferation of so-called cyber mercenary groups, like the <a href="https://www.itpro.com/security/spyware/368665/european-company-unmasked-as-cyber-mercenary-group-with-ties-to-russia" data-original-url="https://www.itpro.com/security/spyware/368665/european-company-unmasked-as-cyber-mercenary-group-with-ties-to-russia">Austria-based DSIRF</a>.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/ransomware/361480/three-revil-ransomware-gang-members-arrested-following-international" data-original-url="/security/ransomware/361480/three-revil-ransomware-gang-members-arrested-following-international">REvil ransomware gang members arrested in international operation</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/malware/358450/europol-takes-down-dangerous-emotet-botnet" data-original-url="/security/malware/358450/europol-takes-down-dangerous-emotet-botnet">Europol takes down 'dangerous' Emotet botnet</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/ransomware/369222/what-is-triple-extortion-ransomware" data-original-url="/security/ransomware/369222/what-is-triple-extortion-ransomware">Will triple extortion ransomware truly take off?</a></p></div></div><p>These groups belong to a growing industry of cyber experts that develop powerful hacking tools and sell them to the highest bidder, which are commonly <a href="https://www.itpro.com/security/34794/what-threat-do-nation-state-hackers-pose-to-businesses" data-original-url="https://www.itpro.com/security/34794/what-threat-do-nation-state-hackers-pose-to-businesses">nation-states</a>.</p><p>When it comes to ransomware defence, organisations are still failing to implement the basics of cyber security, according to the insights provided by Microsoft’s incident responders. Insufficient privilege access controls were cited as the most common error made by organisations that led to <a href="https://www.itpro.com/security/28084/what-is-ransomware" data-original-url="https://www.itpro.com/security/28084/what-is-ransomware">ransomware</a> attacks, Microsoft said. 93% of incidents the team investigated this year saw poor controls implemented, allowing for easier lateral movement.</p><p>This was closely followed by ‘the limited adoption of <a href="https://www.itpro.com/security/network-security/358282/what-is-zero-trust" data-original-url="https://www.itpro.com/security/network-security/358282/what-is-zero-trust">security frameworks</a>’ and ‘insecure configuration of identity providers’ as leading facilitators of successful ransomware attacks, with 87% and 86% of victims falling short in these areas respectively.</p><p><a href="https://www.itpro.com/security/29982/what-is-two-factor-authentication" data-original-url="https://www.itpro.com/security/29982/what-is-two-factor-authentication">Multi-factor authentication (MFA)</a> was another key contributor to successful attacks - 74% of victims did not implement an <a href="https://www.itpro.com/security/361870/five-things-to-consider-before-choosing-an-mfa-solution" data-original-url="https://www.itpro.com/security/361870/five-things-to-consider-before-choosing-an-mfa-solution">MFA solution</a> in the workplace.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Beating the bad bots: Six ways to identify and block spam traffic ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/botnets/367828/beating-the-bad-bots-six-ways-to-identify-and-block-spam-traffic</link>
                                                                            <description>
                            <![CDATA[ Not all traffic is good. Learn how to prevent bad bots from overrunning your website ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">56VSCtxDvBQH6uRACt6dCC</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/bvWGsJDiZtn7AiG7ePDJ6a-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 05 Oct 2022 23:37:54 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Ransomware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Sead Fadilpašić ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/HnxuiN4wFNemB3zUasMJ88.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/bvWGsJDiZtn7AiG7ePDJ6a-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[graphical representation of a botnet]]></media:description>                                                            <media:text><![CDATA[graphical representation of a botnet]]></media:text>
                                <media:title type="plain"><![CDATA[graphical representation of a botnet]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/bvWGsJDiZtn7AiG7ePDJ6a-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Advancements in technology have helped us propel forward, changing the way we work and live our daily lives. However, its rapid adoption has led to less successful means. We have all seen and participated in those various bot tests that some websites carry out, where we have to select the picture tiles which have particular objects. This is to control the usage of the site and reduce spam traffic.</p><p>Spam traffic is used in some cases by cybercriminals to commit scams and fraud, and has become a tool for phishing scam and malware spread. It is problematic, as it is inexpensive to create and send. In 2020, spam messages accounted for a colossal 58.71 percent of email traffic.</p><h2 id="what-is-a-bad-bot">What is a bad bot?</h2><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="7G6HscCo9KYES8PCcgoptc" name="" alt="graphical representation of a computing network" src="https://cdn.mos.cms.futurecdn.net/7G6HscCo9KYES8PCcgoptc.jpg" mos="https://cdn.mos.cms.futurecdn.net/7G6HscCo9KYES8PCcgoptc.jpg" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pull-"></p></div></div><figcaption itemprop="caption description" class="pull-"><span class="credit" itemprop="copyrightHolder">(Image credit: Getty Images)</span></figcaption></figure><p>There are a range of different bots that you find on the backend of the internet carrying out different types of tasks. Some are harmless, such as search engine bots used by Google and Bing, which help the service specifically by browsing the internet to help make available content that can be useful to users based on search queries.</p><p>However, bad bots are used in an entirely different way to serve a different purpose. These include searching sites and scraping data to benefit other sites, or sell on and steal information and repost it under a different identity.</p><p>Bad bots also can disturb site metrics, as they inflate search results and increase website traffic unnecessarily, leading to slower loading times and unnecessary investments in hardware to maintain the website infrastructure.</p><p>They are also able to perform malicious acts on-site, which lead to damaging networks through things such as distributed denial of service (DDoS) attacks. These attacks flood sites with data higher than a level that sites can handle.</p><p>Bad bots are mostly organised on botnets, which are a collection of internet-connected devices that have been infected by malware, allowing hackers to control them. Cybercriminals use botnets to instigate a botnet attack, and these attacks consist of malicious activities.</p><p>Attacks such as these are hard to prevent, as they can come in many shapes and forms as discussed above, such as emails, but they are even harder to control as they are not really considered illegal. It is possible and legal to create a botnet of computers that an individual or company owns which they have permission to control.</p><h2 id="how-to-identify-spam-traffic">How to identify spam traffic</h2><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="fnewe99xXS2Vj4SQGnoraN" name="" alt="visual graphic of people and analytics" src="https://cdn.mos.cms.futurecdn.net/fnewe99xXS2Vj4SQGnoraN.jpg" mos="https://cdn.mos.cms.futurecdn.net/fnewe99xXS2Vj4SQGnoraN.jpg" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pull-"></p></div></div></figure><p>Traffic bots are likely to be hitting a wide variety of websites every hour, and so, here are some insights into how to best identify spam traffic.</p><h3 class="article-body__section" id="section-1-issues-with-page-load-speed"><span>1. Issues with page load speed</span></h3><p>Conducting a page load speed test regularly is good practice to identify if a traffic bot has hit your site. If your website loading speed suddenly looks different between the tests, that's a good indicator. Although there are many reasons why your loading speed may decrease, especially if you have made some changes, checking the page load speed is the first action and indicator.</p><p>Measuring bounce rates also gives you a good indication as to whether your site is being spammed: a high bounce rate means non-human traffic. Measuring a natural audience's behaviour compared to bot behaviour and analysing the traffic metrics will give you clear indication of whether your site is being spammed or not.</p><h3 class="article-body__section" id="section-2-duplicate-content"><span>2. Duplicate content</span></h3><p>For many websites, the value lies in the content that is placed onto it. Bots have a way of invading sites and duplicating content. If you do find duplicate content that comes back with a higher percentage from a plagiarism checker, there is a chance your site has been hit by a bot that is scraping the content of your site.</p><h3 class="article-body__section" id="section-3-verifying-ip-addresses-and-sources-of-traffic"><span>3. Verifying IP addresses and sources of traffic</span></h3><p>Other data such as IP addresses and the sources your traffic is coming from indicate if your site is receiving spammed traffic. Regular and high numbers of return visits from the same IP address could be an indication that your site is getting bot traffic. If you also see a new increase in traffic from other regions and countries you hadn't before, there is a good chance that's a traffic bot.</p><h3 class="article-body__section" id="section-4-monitor-metrics"><span>4. Monitor metrics</span></h3><p>If you keep an eye on site traffic, it will be easy to predict when a traffic bot is hitting your site. When you notice a sudden increase in traffic count to your site all at the same time, chances are your site is being hit by a traffic bot. A high traffic count means a high amount of bots or the same for frequently returning to your site.</p><h2 id="how-to-block-spam-traffic-in-google-analytics">How to block spam traffic in Google Analytics</h2><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="qhd9zaRE3E539S5d5MorZe" name="" alt="Google Analytics on two laptops screens" src="https://cdn.mos.cms.futurecdn.net/qhd9zaRE3E539S5d5MorZe.jpg" mos="https://cdn.mos.cms.futurecdn.net/qhd9zaRE3E539S5d5MorZe.jpg" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pull-"></p></div></div><figcaption itemprop="caption description" class="pull-"><span class="credit" itemprop="copyrightHolder">(Image credit: Shutterstock)</span></figcaption></figure><h3 class="article-body__section" id="section-1-filter-traffic-analytics"><span>1.Filter traffic analytics</span></h3><p>Monitoring and filtering analytics data from your site gives you a clear and reasonable idea of the types of information and data removed from your site. All you will need to do is create a separate view in Google Analytics, which will give you this information. You can go to the admin section and click on the + on the ‘All website data’ menu. From there, click on ‘create new’ and set an appropriate time zone. This is vital, as it will allow you to compare data more accurately.</p><h3 class="article-body__section" id="section-2-add-personal-spam-referrals"><span>2. Add personal spam referrals</span></h3><p>Based on the data that comes from your website, Google Analytics is quite good at blocking bots from your site. However, even after doing the above step, there will still be some referrals that potentially slip through the system. To help catch the ones that slip through, open your referral report and sort your descending data according to bounce rate. This means those with the most bounce rate should be at the top. By using the advance filters, you will be able to see website sessions that go beyond a certain threshold.</p><h3 class="article-body__section" id="section-3-block-bots-and-spiders-that-you-detect"><span>3. Block bots and spiders that you detect</span></h3><p>There’s a chance you could end up with several bots in your SEO traffic, which can be a nightmare. However, it is possible to not have to remove them all manually, as Google Analytics has elements that take care of it all. It will block all the known bots, and save you lots of time and energy.</p><p>One of the best things about this is that when it comes across a new bot, Google automatically updates it to get rid of it. Simply click on 'Exclude all hits from bots and spiders' in the new view you created in step one under view settings.</p><p>Another great tool for identifying bot traffic is Finteza. The tool automatically identifies the quality of incoming traffic and gives it a specific category (e.g. “Clean Traffic”, “Bot traffic”, “Cookie Manipulation”, “Spam”, and more).</p><h3 class="article-body__section" id="section-4-setup-a-bad-bot-referrer-filter"><span>4.Setup a bad bot referrer filter</span></h3><p>In the new view you have created, create a new 'bad referrers' filter by going to 'Admin'>' View'>' Filter'>' Add Filter', and create a name for it. Once this is done, click on 'custom'>' Exclude'. Once this is done, in the 'Filter Field' section click on 'Campaign Source'. Here you will be able to input the domains to keep them off your site.</p><h3 class="article-body__section" id="section-5-block-traffic-coming-from-specific-countries"><span>5.Block traffic coming from specific countries</span></h3><p>Blocking traffic from different countries is only recommended if you are sure you are receiving spam traffic from these specific countries. You wouldn't want to prevent yourself from getting any kind of traffic that can convert into paying customers, and so you need to be confident that this traffic is spam. To block spam traffic, go to your admin tab and create a new view. From here click 'Filters'> 'New Filter Button'. Here you will be able to filter out your traffic by blocking countries.</p><p>One of the most essential parts of blocking bad bots and spam is to work on the practice of keeping an eye on it, and keeping up to date with it in your weekly and monthly tasks. This is because of the way spamming works and the amount of spam. Although you have set restrictions, you may find that you are getting spammed from other countries, or that Google may not have automatically caught the bots, which means you will have to do it manually.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Ukraine's vigilante IT army now has a DDoS bot to automate attacks against Russia ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/botnets/367744/ukraines-vigilante-it-army-deploys-ddos-bot-automate-russia-attacks</link>
                                                                            <description>
                            <![CDATA[ The 270,000-strong IT Army of Ukraine will now combine supporters' cloud infrastructure to strengthen the daily attacks against their invaders ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">kuTAJK1cMRCHXnSDFm9obD</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/8TMxhmpPnyT43pPKfAujqY-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 19 May 2022 12:03:32 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cyber Attacks]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/8TMxhmpPnyT43pPKfAujqY-1280-80.jpg">
                                                            <media:credit><![CDATA[Getty Images]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[The Ukrainian flag generated digitally in the form of data]]></media:description>                                                            <media:text><![CDATA[The Ukrainian flag generated digitally in the form of data]]></media:text>
                                <media:title type="plain"><![CDATA[The Ukrainian flag generated digitally in the form of data]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/8TMxhmpPnyT43pPKfAujqY-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Ukraine’s unofficial ‘army’ of IT vigilantes has developed a new automated attack tool to increase the effectiveness of its cyber attacks against Russian domains.</p><p>Its “attack automation bot” was built to help more people easily launch <a href="https://www.itpro.com/security/28026/what-is-a-ddos-attack" data-original-url="https://www.itpro.com/security/28026/what-is-a-ddos-attack">distributed denial of service (DDoS) cyber attacks</a> against Russia. The new tool encourages individuals to donate their cloud resources to the bot, which is capable of launching a “coordinated attack from all the available servers”.</p><p>“To run all our attacks at the same time we recommend to use our new <a href="https://www.itpro.com/security/distributed-denial-of-service-ddos/367500/ddos-attacks-surge-to-record-numbers-in-2022" data-original-url="https://www.itpro.com/security/distributed-denial-of-service-ddos/367500/ddos-attacks-surge-to-record-numbers-in-2022">DDoS</a> bot,” the group said on its website. “All you need is [to] send credentials to your servers to our bot and check how [the] attack is going via Telegram bot.”</p><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="ZmkD3AcQGGrcYqPeL5CxcZ" name="" alt="Flow chart showing how the automated DDoS bot works" src="https://cdn.mos.cms.futurecdn.net/ZmkD3AcQGGrcYqPeL5CxcZ.jpg" mos="https://cdn.mos.cms.futurecdn.net/ZmkD3AcQGGrcYqPeL5CxcZ.jpg" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pull-"></p></div></div></figure><p>Should they wish to, supporters are also encouraged to purchase and share the credentials of new servers that can be bought for the sole purpose of strengthening the <a href="https://www.itpro.com/botnets/1644/what-is-a-botnet" data-original-url="https://www.itpro.com/botnets/1644/what-is-a-botnet">botnet's</a> attack.</p><p>The organised group of cyber-savvy individuals who want to actively support Ukraine from afar has been growing in number since the start of the conflict. The group is <a href="https://www.itpro.com/security/cyber-security/364260/how-telegram-became-ukraine-digital-ally-russia-war" data-original-url="https://www.itpro.com/security/cyber-security/364260/how-telegram-became-ukraine-digital-ally-russia-war">assembled on Telegram</a> and currently has more than 270,000 members.</p><p>The group’s members are fed instructions by leaders on a daily basis, complete with IP addresses, specific ports, and web domains that need to be targeted to disrupt the Russian regime as the war continues.</p><p>Past targets have included media organisations, banks, airlines, and app stores.</p><p>Russian cyber attacks against Ukraine have been large and sustained, starting weeks before the conflict broke out.</p><p>The Five Eye intelligence alliance <a href="https://www.itpro.com/security/cyber-attacks/367634/five-eyes-and-us-governments-confirm-russia-behind-attacks" data-original-url="https://www.itpro.com/security/cyber-attacks/367634/five-eyes-and-us-governments-confirm-russia-behind-attacks">confirmed last week</a> that it believed with a high degree of confidence that Russia was behind the attacks on Ukraine in the early stages of the war.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/cyber-warfare/367342/russian-cyber-attacks-should-your-business-worry" data-original-url="/security/cyber-warfare/367342/russian-cyber-attacks-should-your-business-worry">Should your business worry about Russian cyber attacks?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/cyber-attacks/367634/five-eyes-and-us-governments-confirm-russia-behind-attacks" data-original-url="/security/cyber-attacks/367634/five-eyes-and-us-governments-confirm-russia-behind-attacks">Five Eyes and US governments finally confirm Russia was behind Ukrainian government, Viasat cyber attacks</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/distributed-denial-of-service-ddos/367500/ddos-attacks-surge-to-record-numbers-in-2022" data-original-url="/security/distributed-denial-of-service-ddos/367500/ddos-attacks-surge-to-record-numbers-in-2022">DDoS attacks surge to record numbers in 2022 as a result of Russia-Ukraine war</a></p></div></div><p>The <a href="https://www.itpro.com/security/cyber-attacks/361984/ukrainian-government-and-embassies-targeted-by-massive-cyber-attacks" data-original-url="https://www.itpro.com/security/cyber-attacks/361984/ukrainian-government-and-embassies-targeted-by-massive-cyber-attacks">attacks on Ukrainian government websites</a> in January, which also involved the use of the <a href="https://www.itpro.com/security/cyber-warfare/367342/russian-cyber-attacks-should-your-business-worry" data-original-url="https://www.itpro.com/security/cyber-warfare/367342/russian-cyber-attacks-should-your-business-worry">destructive Whispergate ‘wiper’ malware</a>, were attributed to Russia’s military intelligence service, the GRU, as was the 24 February attack on communications company Viasat.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="PGoruQcVQLZaD3tFfbynhC" name="PGoruQcVQLZaD3tFfbynhC.png" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/PGoruQcVQLZaD3tFfbynhC.png" mos="https://cdn.mos.cms.futurecdn.net/PGoruQcVQLZaD3tFfbynhC.png" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>The Total Economic Impact™ of Mimecast</strong></p><p class="fancy-box__body-text">Cost savings and business benefits enabled by using Mimecast with Microsoft 365</p><p class="fancy-box__body-text">FREE DOWNLOAD</p></div></div><p>The attack on Viasat was conducted one hour before the Russia invasion of Ukraine became official and it was later revealed to have had effects in wider Europe, as <a href="https://www.itpro.com/security/cyber-attacks/367498/russian-affiliates-believed-to-be-behind-cyber-attacks-on-wind" data-original-url="https://www.itpro.com/security/cyber-attacks/367498/russian-affiliates-believed-to-be-behind-cyber-attacks-on-wind">wind farms</a> and individual internet users outside of Ukraine also suffered outages.</p><p>The collateral effects of the Viasat attack were the most visceral examples of the ‘spillover effects’ many experts believed would affect Europe in the ongoing war between Russia and Ukraine in cyber space.</p><p>Russia has a history of launching devastating attacks on Ukraine dating back many years. Some of the most significant incidents have <a href="https://www.itpro.com/security/28940/notpetya-ransomware" data-original-url="https://www.itpro.com/security/28940/notpetya-ransomware">involved the use of Petya malware</a> and repeated targeting of the country’s power grid, firstly in 2015, then again in 2016, and most recently in April 2022.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Microsoft's secure VBA macro rules already being bypassed by hackers ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/367495/microsofts-secure-vba-macro-rules-already-being-bypassed-by</link>
                                                                            <description>
                            <![CDATA[ Recent analysis of Emotet activity has revealed a shift away from malicious Office documents to drop malware ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">nSFMiC3AvVhj5tdBHUVL15</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/wufKpTa9DSu32GPHRLpFAS-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 26 Apr 2022 12:11:11 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/wufKpTa9DSu32GPHRLpFAS-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[3D illustration of the emotet botnet triggering an alert on a smartphone positioned next to a laptop]]></media:description>                                                            <media:text><![CDATA[3D illustration of the emotet botnet triggering an alert on a smartphone positioned next to a laptop]]></media:text>
                                <media:title type="plain"><![CDATA[3D illustration of the emotet botnet triggering an alert on a smartphone positioned next to a laptop]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/wufKpTa9DSu32GPHRLpFAS-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The cyber criminal group operating the resurgent Emotet botnet have been observed trialling new attack techniques after Microsoft’s new rules on macro-enabled documents come into force.</p><p>Attributed to Threat Actor 542 (TA542), Proofpoint researchers said Emotet has been observed taking a ‘spring break’ with low levels of activity coinciding with observed changes in attack methodology.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/hacking/361340/what-is-emotet" data-original-url="/security/hacking/361340/what-is-emotet">What is Emotet?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/malware/361551/emotet-returns-spreading-quickly-help-of-trickbot" data-original-url="/security/malware/361551/emotet-returns-spreading-quickly-help-of-trickbot">Emotet infrastructure has almost doubled since resurgence was confirmed</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/software/microsoft-office/362184/microsoft-disables-vba-macros-in-office-by-default" data-original-url="/software/microsoft-office/362184/microsoft-disables-vba-macros-in-office-by-default">Microsoft disables VBA macros in Office by default following years of complaints</a></p></div></div><p>Emotet has typically exploited weak rules on macro-enabled Microsoft Office documents to deliver the malware payload to victims, but now Microsoft has made the default handling of macro-enabled documents more secure, its attack vectors are seemingly about to change. </p><p>In a report published today, Proofpoint said it observed <a href="https://www.itpro.com/security/hacking/361340/what-is-emotet" data-original-url="https://www.itpro.com/security/hacking/361340/what-is-emotet">Emotet</a> moving away from malicious Office documents and instead is now opting to include OneDrive URLs in spam email campaigns that lead to the download of a zip archive containing XLL files that drop Emotet <a href="https://www.itpro.com/malware/28076/what-is-malware" data-original-url="https://www.itpro.com/malware/28076/what-is-malware">malware</a>.</p><p>The malicious emails are typically designed to lure victims with one-word subject lines such as ‘Salary’ with the zip archive files adopting similar file names as the original lure: ‘Salary_new.zip’ was one example which contained XLL file names such as ‘Salary_and_bonuses-04.01.2022.xll’.</p><p>The XLL files will drop and run Emotet which uses the Epoch 4 botnet, Proofpoint said. It’s a new attack method, the timing of which - coinciding with Microsoft’s more secure handling of VBA macros - is not a coincidence.</p><p>Asked whether the trial of new attack tactics, techniques, and procedures (TTPs) was linked to the new rules on macro-enabled Office documents, Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, said it “absolutely” was.</p><p>“This is something threat actors who are agile and experienced like TA542 will likely continue to do as time goes on,” she said to <em>IT Pro</em>. “The Microsoft choice to make changes to default handling of macro documents has implications on the threat landscape and this could be a part of threat actors making decisions to leverage new attack chains that aren’t impacted by that decision.</p><p>“Malicious macro documents are a large part of the threat landscape, but they’re not the only option. We regularly observe actors using container files like .iso’s, for example. Threat actor groups will continue to experiment, and early signs point towards XLL files being one direction the landscape may shift toward.”</p><p>Microsoft announced changes to the <a href="https://www.itpro.com/software/microsoft-office/362184/microsoft-disables-vba-macros-in-office-by-default" data-original-url="https://www.itpro.com/software/microsoft-office/362184/microsoft-disables-vba-macros-in-office-by-default">default handling of VBA macros in February</a>, the rules of which came into force this month. It also said it would disable XL4 macros last year, both moves were made to stymie cyber attacks using this method of payload delivery.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="HzoyL9nmubvMyv9xsnSFZ5" name="HzoyL9nmubvMyv9xsnSFZ5.png" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/HzoyL9nmubvMyv9xsnSFZ5.png" mos="https://cdn.mos.cms.futurecdn.net/HzoyL9nmubvMyv9xsnSFZ5.png" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>Security awareness training strategies for account takeover protection</strong></p><p class="fancy-box__body-text">Why you need an inside-the-perimeter strategy for internal threats</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/internet-security/359469/security-awareness-training-strategies-for-account-takeover" data-original-url="/security/internet-security/359469/security-awareness-training-strategies-for-account-takeover">FREE DOWNLOAD</a></p></div></div><p><em>IT Pro</em> asked Proofpoint for data on the number of successful Emotet attacks it has observed, and the number of Emotet attacks taking place since <a href="https://www.itpro.com/security/malware/361551/emotet-returns-spreading-quickly-help-of-trickbot" data-original-url="https://www.itpro.com/security/malware/361551/emotet-returns-spreading-quickly-help-of-trickbot">its 2021 resurgence</a>, but it was unable to share the data.</p><p>Other cyber security outfits, such as Black Lotus Labs, have <a href="https://blog.lumen.com/emotet-redux">published their findings</a> after tracking Emotet’s new version, saying that in March 2022, unique Emotet detections were in the tens of thousands per day. Check Point also said it was the <a href="https://www.checkpoint.com/press/2022/march-2022s-most-wanted-malware-easter-phishing-scams-help-emotet-assert-its-dominance">most prevalent malware strain</a> it tracked in March 2022.</p><p>“After months of consistent activity, Emotet is switching things up,” said DeGrippo. “It is likely the threat actor is testing new behaviours on a small scale before delivering them to victims more broadly, or to distribute via new TTPs alongside its existing high-volume campaigns.</p><p>“Organisations should be aware of the new techniques and ensure they are implementing defences accordingly.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Linux botnet spreads using Log4Shell flaw  ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/botnets/367007/linux-botnet-spreads-using-log4shell-flaw</link>
                                                                            <description>
                            <![CDATA[ The malware uses DNS tunnelling to communicate with its C2 control server ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">jAP5QYZKaDCzgfnUa7Ad4q</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/JxRDcV87vvv46xd3hkohXc-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 16 Mar 2022 16:51:44 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Linux]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                                                                                    <dc:creator><![CDATA[ Danny Bradbury ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/JxRDcV87vvv46xd3hkohXc-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Visual representation of an active botnet, with several black nodes connected with white strands]]></media:description>                                                            <media:text><![CDATA[Visual representation of an active botnet, with several black nodes connected with white strands]]></media:text>
                                <media:title type="plain"><![CDATA[Visual representation of an active botnet, with several black nodes connected with white strands]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/JxRDcV87vvv46xd3hkohXc-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The B1txor botnet, which is spreading via the Log4Shell flaw, enables attackers to get shell access to Linux systems and install a rootkit.</p><p>Chinese security company 360Netlab discovered and named the bot in February and publicly disclosed it this week. It takes the form of a backdoor for Linux that uses DNS tunnelling for its command and control (C2) communications.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/zero-day-exploit/361819/what-is-log4shell-log4j-vulnerability" data-original-url="/security/zero-day-exploit/361819/what-is-log4shell-log4j-vulnerability">What is the Log4Shell vulnerability?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/distributed-denial-of-service-ddos/363945/hackers-target-elasticsearch-to-set-up-ddos" data-original-url="/security/distributed-denial-of-service-ddos/363945/hackers-target-elasticsearch-to-set-up-ddos">Hackers target Elasticsearch to set up DDoS botnet on AWS</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/cyber-security/361907/ftc-threatens-legal-action-companies-failing-to-patch-log4shell" data-original-url="/security/cyber-security/361907/ftc-threatens-legal-action-companies-failing-to-patch-log4shell">FTC threatens legal action against companies failing to patch Log4Shell</a></p></div></div><p>The researchers observed the software propagating via the <a href="https://www.itpro.com/security/zero-day-exploit/361819/what-is-log4shell-log4j-vulnerability" data-original-url="https://www.itpro.com/security/zero-day-exploit/361819/what-is-log4shell-log4j-vulnerability">Log4Shell</a> flaw in the Logj logging system that was first discovered in December.</p><p>The domain information that it uses to communicate with its C2 server is encrypted. Once the botnet client has decrypted it, it uses a DNS query to send its communications to the C2 domain, including stolen information and command execution results. The C2 server sends the next payload in the body of a DNS response.</p><p>The payload supports 14 instructions, which include simple beaconing to the C2 server, uploading system information, reading and writing files, forwarding traffic, opening a shell, and executing arbitrary system commands. The backdoor can also start a proxy service.</p><p>The botnet is buggy, according to the Netlab360 team, with one socket binding function rendered entirely inoperable thanks to code mistakes. Nevertheless, enough of the code works to make it a threat.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="NhMQzdZrFWPUNLGH4vbCi8" name="NhMQzdZrFWPUNLGH4vbCi8.png" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/NhMQzdZrFWPUNLGH4vbCi8.png" mos="https://cdn.mos.cms.futurecdn.net/NhMQzdZrFWPUNLGH4vbCi8.png" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>The state of SD-WAN, SASE and zero trust security architectures</strong></p><p class="fancy-box__body-text">Be a leader in the deployment of zero trust, SD-WAN and SASE</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/365560/the-state-of-sd-wan-sase-and-zero-trust-security-architectures" data-original-url="/security/365560/the-state-of-sd-wan-sase-and-zero-trust-security-architectures">FREE DOWNLOAD</a></p></div></div><p>"We presume that the author of B1txor20 will continue to improve and open different features according to different scenarios, so maybe we will meet B1txor20's siblings in the future," they said in an <a href="https://blog.netlab.360.com/b1txor20-use-of-dns-tunneling_en">analysis</a> of the malware.</p><p>Linux backdoors are popular for attacking the servers that run large portions of the internet. In November, criminals were found <a href="https://www.itpro.com/security/malware/361611/hackers-use-linux-backdoor-on-compromised-e-commerce-sites-with-software" data-original-url="https://www.itpro.com/security/malware/361611/hackers-use-linux-backdoor-on-compromised-e-commerce-sites-with-software">using</a> one to compromise e-commerce sites with a software skimmer. In August, Trend Micro <a href="https://www.itpro.com/software/linux/360665/hackers-target-outdated-versions-of-linux-in-the-cloud" data-original-url="https://www.itpro.com/software/linux/360665/hackers-target-outdated-versions-of-linux-in-the-cloud">reported</a> that hackers were targeting outdated versions of the operating system to gain control of resources in the cloud.</p><p>Last month, VMware researchers <a href="https://www.itpro.com/software/linux/362197/linux-multi-cloud-ransomware-on-the-rise" data-original-url="https://www.itpro.com/software/linux/362197/linux-multi-cloud-ransomware-on-the-rise">identified</a> increased ransomware attacks against Linux servers in multi-cloud operating environments and called for more countermeasures.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Emotet infrastructure has almost doubled since resurgence was confirmed ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/malware/361551/emotet-returns-spreading-quickly-help-of-trickbot</link>
                                                                            <description>
                            <![CDATA[ Researchers confirm the infrastructure has also been upgraded for a "better secured", more resilientoperation ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">jZJuK8U2Yj2sT32p7EkxnC</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/wufKpTa9DSu32GPHRLpFAS-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 16 Nov 2021 10:48:10 +0000</pubDate>                                                                                                                                <updated>Wed, 17 Nov 2021 11:15:10 +0000</updated>
                                                                                                                                            <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/wufKpTa9DSu32GPHRLpFAS-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[3D illustration of the emotet botnet triggering an alert on a smartphone positioned next to a laptop]]></media:description>                                                            <media:text><![CDATA[3D illustration of the emotet botnet triggering an alert on a smartphone positioned next to a laptop]]></media:text>
                                <media:title type="plain"><![CDATA[3D illustration of the emotet botnet triggering an alert on a smartphone positioned next to a laptop]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/wufKpTa9DSu32GPHRLpFAS-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><strong>UPDATE:</strong> In the 24 hours after Emotet's reemergence was first confirmed, researchers have discovered that the infrastructure supporting the spread has almost doubled.</p><p>The operators of the latest version of Emotet have increased the active command and control infrastructure (C2) from eight on Monday to 14 by the end of Tuesday, <a href="https://twitter.com/abuse_ch/status/1460649241454563341">according</a> to the team at the abuse.ch research project at the Bern University of Applied Sciences.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/hacking/361340/what-is-emotet" data-original-url="/security/hacking/361340/what-is-emotet">What is Emotet?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/malware/358450/europol-takes-down-dangerous-emotet-botnet" data-original-url="/security/malware/358450/europol-takes-down-dangerous-emotet-botnet">Europol takes down 'dangerous' Emotet botnet</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/malware/358252/updated-emotet-toolkit-ends-2020-as-most-dangerous-malware" data-original-url="/security/malware/358252/updated-emotet-toolkit-ends-2020-as-most-dangerous-malware">Updated Emotet toolkit ends 2020 as most dangerous malware</a></p></div></div><p>C2s facilitate communication between the infected host and the botnet's operators, allowing them to launch attacks such as data exfiltration, <a href="https://www.itpro.com/security/28026/what-is-a-ddos-attack" target="_blank" data-original-url="https://www.itpro.com/security/28026/what-is-a-ddos-attack">distributed denial of service</a> (DDoS), and system shutdowns and reboots.</p><p>Businesses are advised to block all of Emotet's C2s to prevent any further infection. Cryptolaemus is updating pages on online services such as <a href="https://urlhaus.abuse.ch">URLHaus</a> and <a href="https://bazaar.abuse.ch/browse.php?search=tag%3Aemotet">MalwareBazaar</a> with known C2 server addresses for those wanting to keep on top of the spread.</p><p>Some researchers <a href="https://twitter.com/GossiTheDog/status/1460682826773372931">said</a> they have been analysing the resurgent Emotet's code and confirmed it has been upgraded, along with its infrastructure, leading to a "better secured", more resilient operation.</p><p>They also added that it's highly likely that the current Emotet operator, or operators, have access to the source code from the original botnet previously taken down by law enforcement.</p><p>Others, such as <a href="https://twitter.com/TrendMicroRSRCH/status/1460902283768700929">Trend Micro Research</a>, are conducting further analysis to confirm these suspicions.</p><p>Elsewhere, the Cryptolaemus group have observed a new development in its delivery. The research team <a href="https://app.any.run/tasks/58cf184b-46d9-422c-873a-58239ef8387d">published an example</a> of how URL-based lures are also now being used in addition to Emotet's traditional .zip and .docm attachment delivery methods.</p><p>Japanese cyber security firm JPCERT/CC has also <a href="https://twitter.com/jpcert_en/status/1460834382378192898">released an early build</a> of a tool that can help businesses detect the newly returned version of Emotet in infected Windows hosts.</p><p><strong>16/11/2021: Emotet botnet returns and is 'spreading quickly' following year-long absence</strong></p><p>The notorious malware strain <a href="https://www.itpro.com/security/hacking/361340/what-is-emotet" target="_blank" data-original-url="https://www.itpro.com/security/hacking/361340/what-is-emotet">Emotet</a> is back in the wild and infecting systems, multiple security research teams have confirmed.</p><p>Security expert Luca Ebach of G Data first observed TrickBot trackers picking up suspicious activity on Sunday as bots attempted to download dynamic link library (DLL) files onto their system which contained Emotet code.</p><p>Since publishing his research on Monday, experts across the industry have corroborated the findings.</p><p>White hat hacking group Cryptolaemus published a deeper analysis on Monday evening, also confirming Emotet was back after being disrupted by international law enforcement <a href="https://www.itpro.com/security/malware/358450/europol-takes-down-dangerous-emotet-botnet" data-original-url="https://www.itpro.com/security/malware/358450/europol-takes-down-dangerous-emotet-botnet">earlier this year</a>.</p><p>The group observed that malicious payloads are being downloaded from just seven URLs and spread via email. At this time, only attachment-based malspam has been observed (.docm and .xlsm files).</p><p>Attachments closely resemble the file templates of Emotet's previous 'Red Dawn' campaign, encouraging victims to click malicious links from inside the infected document.</p><div class="see-more see-more--clipped"><blockquote class="twitter-tweet hawk-ignore" data-lang="en"><p lang="en" dir="ltr"><a href="https://twitter.com/cantworkitout/status/1460403597368344581"></a></p></blockquote><div class="see-more__filter"></div></div><p>Cryptolaemus believes the email addresses used to distribute Emotet are stolen and are hijacking email reply chains from a recently as October, a similar attack vector used by Emotet previously and more recently by Qakbot operators <a href="https://www.itpro.com/security/ransomware/361417/microsoft-exchange-servers-distribute-squirrelwaffle-malware" data-original-url="https://www.itpro.com/security/ransomware/361417/microsoft-exchange-servers-distribute-squirrelwaffle-malware">hijacking Microsoft Exchange servers</a>.</p><p>There are slight changes to the Emotet payload code too, Ebach <a href="https://cyber.wtf/2021/11/15/guess-whos-back">noted</a>. While network traffic closely resembles that which has been observed previously, the <a href="https://www.itpro.com/security/innovation-at-work/24460/what-is-data-encryption" target="_blank" data-original-url="https://www.itpro.com/security/innovation-at-work/24460/what-is-data-encryption">encryption</a> used to hide the data appears to have evolved.</p><p>Emotet samples seem to be using a method called control-flow flattening to obfuscate the code. Instead of being able to view the flow of the programme easily - like in a flow chart - all stages are placed beside each other and a switch statement controls the flow of the program, making it more difficult to see how every stage works in unison.</p><p>The <a href="https://www.itpro.com/malware/28076/what-is-malware" data-original-url="https://www.itpro.com/malware/28076/what-is-malware">malware</a> is also now using <a href="https://www.itpro.com/network-internet/30416/http-vs-https-what-difference-does-it-make-to-security" data-original-url="https://www.itpro.com/network-internet/30416/http-vs-https-what-difference-does-it-make-to-security">HTTPS</a> with a self-signed server certificate to secure its network traffic, Ebach said.</p><p>The distribution has been described as a total reverse of that seen in its original campaign. Instead of Emotet installing <a href="https://www.itpro.com/security/ransomware/360101/diavol-ransomware-linked-to-trickbot-botnet" data-original-url="https://www.itpro.com/security/ransomware/360101/diavol-ransomware-linked-to-trickbot-botnet">TrickBot</a>, a banking <a href="https://www.itpro.com/security/30081/what-is-a-trojan-virus" data-original-url="https://www.itpro.com/security/30081/what-is-a-trojan-virus">trojan</a>, the Emotet <a href="https://www.itpro.com/botnets/1644/what-is-a-botnet" data-original-url="https://www.itpro.com/botnets/1644/what-is-a-botnet">botnet</a> is being rebuilt using TrickBot's infrastructure.</p><p>"It appears that Emotet is now delivered in systems already compromised by TrickBot, " said Nikos Mantas, incident response expert at Obrela Security Industries to <em>IT Pro</em>. "This change in the delivery of the payload displays a new mindset by the attackers themselves. Instead of sending malicious emails and risking triggering any defence mechanisms, Emotet now is opting for stealthier delivery inside already infected systems. If Trickbot has gone unnoticed, then Emotet should be as well. </p><p>"Although the findings are still in early report stages, hence attribution remains to be seen, it is a good time for security managers to verify if the takeaways derived from previous incidents are communicated and which corrective measures have been applied to strengthen the security posture of their organisations," he added.</p><p>Earlier in 2021, Europol coordinated an international effort to disrupt Emotet infrastructure and German law enforcement later used that infrastructure to uninstall Emotet from infected devices.</p><p>Experts have already suggested similar disruption operations should be restarted given Emotet's links to Qakbot, TrickBot, and Bazarloader - all of which have ties with ransomware. </p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="GmEy94iCPBFPs9V6HWFekm" name="GmEy94iCPBFPs9V6HWFekm.jpg" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/GmEy94iCPBFPs9V6HWFekm.jpg" mos="https://cdn.mos.cms.futurecdn.net/GmEy94iCPBFPs9V6HWFekm.jpg" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>The best defence against ransomware</strong></p><p class="fancy-box__body-text">How ransomware is evolving and how to defend against it</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/ransomware/361095/the-best-defence-against-ransomware" data-original-url="/security/ransomware/361095/the-best-defence-against-ransomware">FREE DOWNLOAD</a></p></div></div><p>Researchers from cyber security outfits Cofense, Malwarebytes, Proofpoint, and others have all confirmed that they too have observed Emotet spreading.</p><p>"We recently became aware of what appears to be the return of Emotet," <a href="https://cofenselabs.com/not-again-emotet-returns">said</a> Jason Meurer, senior research engineer at Cofense. The TrickBot malware family began delivering a dll that is suspiciously similar to the old Emotet payloads. While information is still being developed around this, the shared distribution between TrickBot and Emotet from past endeavours points to this likely being a legitimate return.</p><p>"As we’ve seen in the past, Emotet likes to do things in phases when it comes back and this appears to be the ‘staging’ phase of their operation," he added. "While we cannot say if or when we expect for them to begin sending malicious emails again, it would be a good bet that it could be within the next few weeks. This timing correlations with the holiday season and campaigns that we’ve witnessed in the past."</p><p>Since the original findings were published Monday evening, Cryptolaemus researchers <a href="https://twitter.com/ffforward/status/1460425182313684993">said</a> in the early hours of Tuesday morning that Emotet is "spreading fast" without a TrickBot intermediary. </p><p>Although the original Emotet campaign was thought to have been taken down earlier this year as part of Europol's Operation Lady Bird, <a href="https://www.itpro.com/security/malware/358450/europol-takes-down-dangerous-emotet-botnet" data-original-url="https://www.itpro.com/security/malware/358450/europol-takes-down-dangerous-emotet-botnet">doubts remained</a> over whether the malware would eventually make a return.</p><p>Speaking at the time, Europol encouraged anyone concerned about being infected with the malware to keep cyber security tools updated and to adopt heightened vigilance when interacting with emails and attachments.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ DOJ extradites Ukrainian man who used a botnet to decrypt login credentials ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/botnets/360839/ukrainian-man-extradited-after-using-a-botnet-to-decrypt-login-credentials</link>
                                                                            <description>
                            <![CDATA[ The 28-year-old allegedly sold passwords to other criminals on the dark web ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">iQYdYbLYiSfukfDvgBCTpb</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/ipwYAqcGxCt9q3ep3wqdvZ-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 09 Sep 2021 16:57:20 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Rene Millman ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/vwWuTPNRCuw9vEaWzuXYnR.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/ipwYAqcGxCt9q3ep3wqdvZ-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Botnet on a red background]]></media:description>                                                            <media:text><![CDATA[Botnet on a red background]]></media:text>
                                <media:title type="plain"><![CDATA[Botnet on a red background]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/ipwYAqcGxCt9q3ep3wqdvZ-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The Department of Justice (DOJ) has extradited a Ukrainian man for allegedly accessing thousands of devices and trafficking passwords.</p><p>Glib Oleksandr Ivanov-Tolpintsev, a 28-year-old from Chernivtsi, Ukraine, operated a botnet of computers after they were infected with malware and controlled them without the user’s knowledge, according to a <a href="https://www.justice.gov/usao-mdfl/pr/ukrainian-cyber-criminal-extradited-decrypting-credentials-thousands-computers-across">statement</a> by the US Attorney's Office.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/ransomware/360101/diavol-ransomware-linked-to-trickbot-botnet" data-original-url="/security/ransomware/360101/diavol-ransomware-linked-to-trickbot-botnet">Diavol ransomware linked to Trickbot botnet</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/botnets/359321/botnet-targets-vulnerable-microsoft-exchange-servers" data-original-url="/security/botnets/359321/botnet-targets-vulnerable-microsoft-exchange-servers">Botnet targets vulnerable Microsoft Exchange servers</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/hacking/355738/security-service-of-ukraine-arrests-infamous-hacker-sanix" data-original-url="/security/hacking/355738/security-service-of-ukraine-arrests-infamous-hacker-sanix">Security Service of Ukraine arrests infamous hacker Sanix</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/ransomware/34749/microsoft-cut-off-entirety-of-ukraine-from-its-network-during-notpetya-attacks" data-original-url="/ransomware/34749/microsoft-cut-off-entirety-of-ukraine-from-its-network-during-notpetya-attacks">Microsoft cut off entirety of Ukraine from its network during NotPetya attacks</a></p></div></div><p>The devices were then used to guess login passwords belonging to users worldwide.</p><p>“During the course of the conspiracy, Ivanov-Tolpintsev stated that his botnet was capable of decrypting the login credentials of at least 2,000 computers every week,” the DOJ said.</p><p>Ivanov-Tolpintsev, using the aliases “sergios” and “mars” then sold these credentials on a dark web website that specializes in buying and selling access to compromised computers. Once sold on this website, hackers used the keys to perform many illegal activities, including tax fraud and ransomware attacks. </p><p>Ivanov-Tolpintsev listed over 6,000 compromised computers for sale on the marketplace and generated over $80,000 in illicit proceeds.</p><p>The <a href="https://www.justice.gov/usao-mdfl/press-release/file/1431116/download">indictment</a> alleges Ivanov-Tolpintsev asked a dark web marketplace if it was accepting sellers of login credentials from compromised computers in May 2016.</p><p>By April 2017, Ivanov-Tolpintse had collected the login credentials of 20,000 compromised computers. The formal accusation noted that he sold credentials of victims from Colorado, California, Florida, and Maryland.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="x4UCqjLn2p2mwZtwTHzKRJ" name="x4UCqjLn2p2mwZtwTHzKRJ.jpg" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/x4UCqjLn2p2mwZtwTHzKRJ.jpg" mos="https://cdn.mos.cms.futurecdn.net/x4UCqjLn2p2mwZtwTHzKRJ.jpg" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>X-Force Threat Intelligence Index</strong></p><p class="fancy-box__body-text">Top security threats and recommendations for resilience</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/cyber-security/360175/x-force-threat-intelligence-index" data-original-url="/security/cyber-security/360175/x-force-threat-intelligence-index">FREE DOWNLOAD</a></p></div></div><p>To bring in Ivanov-Tolpintsev, the DOJ had to subpoena emails from Google to find out the attacker’s real name and a Jabber address he used to contact the Marketplace representatives.</p><p>Ivanov-Tolpintsev was arrested in Poland in October 2020 and extradited to the US. The investigation was carried out with assistance from the Polish National Police, the Polish Prosecutor’s Office, and the Polish Ministry of Justice. </p><p>The Ukrainian appeared in a downtown court in Florida on Tuesday before US Magistrate Julie Sneed, who ordered his arrest pending trial. He is facing charges of conspiracy, trafficking in unauthorized access devices, and trafficking in computer passwords. If convicted of all charges, the Ukrainian faces up to a 17-year sentence in an American prison. Assistant United States Attorney Carlton C. Gammons will prosecute the case.</p><p>The prosecution also notified Ivanov-Tolpintsev that the US intends to seize over $82,000, which can allegedly be attributed to the proceeds of crimes. </p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Botnet targets vulnerable Microsoft Exchange servers ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/botnets/359321/botnet-targets-vulnerable-microsoft-exchange-servers</link>
                                                                            <description>
                            <![CDATA[ Cryptocurrency-mining botnet Prometei targeting same flaws as Hafnium attacks ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">99sz6cBxZiv3eP6tGLr8</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/ipwYAqcGxCt9q3ep3wqdvZ-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 23 Apr 2021 13:45:25 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                <author><![CDATA[ itpro@futurenet.com (ITPro) ]]></author>                    <dc:creator><![CDATA[ ITPro ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/ipwYAqcGxCt9q3ep3wqdvZ-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Botnet on a red background]]></media:description>                                                            <media:text><![CDATA[Botnet on a red background]]></media:text>
                                <media:title type="plain"><![CDATA[Botnet on a red background]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/ipwYAqcGxCt9q3ep3wqdvZ-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><a href="https://www.itpro.com/security" data-original-url="https://www.itpro.com/security">Security</a> researchers have revealed that a <a href="https://www.itpro.com/digital-currency/30249/what-is-cryptocurrency-mining" data-original-url="https://www.itpro.com/digital-currency/30249/what-is-cryptocurrency-mining">cryptocurrency-mining</a> botnet, dubbed Prometei, is targeting the same Microsoft Exchange vulnerabilities associated with the <a href="https://www.itpro.com/security/hacking/358890/exchange-hack-ncsc-issues-warning-as-microsoft-investigates-security" data-original-url="https://www.itpro.com/security/hacking/358890/exchange-hack-ncsc-issues-warning-as-microsoft-investigates-security">recent Hafnium attacks</a>.</p><p>According to researchers, these botnets target financial gain by stealing bitcoins and penetrate the network for malware deployment and credential harvesting. With a significant number of organizations far from patched, this puts thousands of businesses worldwide and billions of dollars at risk.</p><p>Researchers said that Prometei appears to be active in systems across various industries, including finance, insurance, retail, manufacturing, utilities, travel, and construction. Researchers have also observed the botnet infecting networks in the UK, the US, South America, and East Asia.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/server-storage/servers/359207/microsoft-releases-three-new-exchange-server-patches" data-original-url="/server-storage/servers/359207/microsoft-releases-three-new-exchange-server-patches">NSA uncovers new "critical" flaws in Microsoft Exchange Server</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/cyber-attacks/358856/microsoft-exchange-servers-targeted-by-at-least-10-hacker-groups" data-original-url="/security/cyber-attacks/358856/microsoft-exchange-servers-targeted-by-at-least-10-hacker-groups">Microsoft Exchange servers targeted by 'at least ten hacker groups'</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/hacking/358799/hundreds-of-thousands-of-victims-identified-in-microsoft-exchange-server" data-original-url="/security/hacking/358799/hundreds-of-thousands-of-victims-identified-in-microsoft-exchange-server">‘Hundreds of thousands’ of victims in Microsoft Exchange Server attacks</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/server-storage/servers/355254/a-critical-flaw-in-350000-microsoft-exchange-remains-unpatched" data-original-url="/server-storage/servers/355254/a-critical-flaw-in-350000-microsoft-exchange-remains-unpatched">A critical flaw in 350,000 Microsoft Exchange remains unpatched</a></p></div></div><p>Researchers also found hackers were explicitly avoiding infecting targets in former Soviet bloc countries. This leads them to believe the Prometei group is financially motivated and operated by Russian-speaking individuals, though a nation-state does not back it.</p><p>The primary function of Prometei is to install the Monero crypto miner on corporate endpoints. The malware is spreading across networks using known Microsoft Exchange vulnerabilities, in addition to known exploits EternalBlue and BlueKeep.</p><p>In addition to affecting Windows systems, there are also versions for Linux systems. Researchers said the malware adjusts its payload based on the operating system it detects on the targeted machines when spreading across the network.</p><p>Researchers discovered the Prometei botnet in July 2020, but new evidence showed it was in the wild as far back as 2016. The Prometei botnet is continuously evolving, with new features and tools observed in the newer versions, they added.</p><p>Assaf Dahan, senior director and head of threat research, Cybereason, said the botnet poses a big risk for companies because it’s been underreported.</p><p>“When the attackers take control of infected machines, they are not only capable of mining bitcoin by stealing processing power, but can also exfiltrate sensitive information as well. If they desire to do so, the attackers could also infect the compromised endpoints with other malware and collaborate with ransomware gangs to sell access to the endpoints,” he said.</p><p>“And to make matters worse, cryptomining drains valuable network computing power, negatively impacting business operations and the performance and stability of critical servers.”</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Purple Fox malware can now spread between Windows devices ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/malware/359008/purple-fox-malware-can-now-spread-between-windows-devices</link>
                                                                            <description>
                            <![CDATA[ The rootkit has added self-propagating capabilities to its arsenal with roughly 100,000 machines already infected ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">kD9KenyUKEDXageueKLNsk</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/pWi8tQ4CWALmesmtcrnygC-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 24 Mar 2021 12:36:27 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Keumars Afifi-Sabet ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/EAvwpZggMZ2K5h8s2pTAEm.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/pWi8tQ4CWALmesmtcrnygC-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[An origami purple fox on a wooden surface]]></media:description>                                                            <media:text><![CDATA[An origami purple fox on a wooden surface]]></media:text>
                                <media:title type="plain"><![CDATA[An origami purple fox on a wooden surface]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/pWi8tQ4CWALmesmtcrnygC-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A <a href="https://www.itpro.com/malware/28076/what-is-malware" target="_blank" data-original-url="https://www.itpro.com/malware/28076/what-is-malware">nasty malware strain</a> affecting Windows machines, known as Purple Fox, has developed worm-like functionality that allows it to spread between devices on an automated basis. </p><p>Purple Fox was first discovered in March 2018 as a malware strain that infected devices by using exploit kits targeting <a href="https://www.itpro.com/infrastructure/network-internet/356807/microsoft-to-end-internet-explorer-11-support-in-2021" target="_blank" data-original-url="https://www.itpro.com/infrastructure/network-internet/356807/microsoft-to-end-internet-explorer-11-support-in-2021">Internet Explorer</a> browsers, and sending phishing emails.</p><p>Researchers with Guardicore, however, have identified new worm-like capabilities in Purple Fox that allows it to self-propagate a rootkit between targeted machines.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/malware/358416/wormable-android-malware-spreading-through-whatsapp" data-original-url="/security/malware/358416/wormable-android-malware-spreading-through-whatsapp">Wormable Android malware is spreading through WhatsApp</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/vulnerability/358937/weekly-threat-roundup-duckduckgo-chrome-and-cisco" data-original-url="/security/vulnerability/358937/weekly-threat-roundup-duckduckgo-chrome-and-cisco">Weekly threat roundup: DuckDuckGo, Chrome, Cisco</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/cyber-attacks/359003/university-of-northampton-hit-by-cyber-attack" data-original-url="/security/cyber-attacks/359003/university-of-northampton-hit-by-cyber-attack">University of Northampton hit by cyber attack</a></p></div></div><p>The new campaign distributing Purple Fox, which has been running since the end of 2020, is based on a novel spreading technique combining indiscriminate port scanning and the exploitation of server message block (SMB) services with weak passwords.</p><p>To date, <a href="https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm" target="_blank">Guardicore’s researchers</a> have identified 90,000 attacks, which amounts to a roughly 600% rise in the total number of infections since May 2020. </p><p>“While it appears that the functionality of Purple Fox hasn’t changed much post-exploitation, its spreading and distribution methods – and its worm-like behaviour – are much different than described in previously published articles,” said researcher Amit Serper. </p><p>“Throughout our research, we have observed an infrastructure that appears to be made out of a hodge-podge of vulnerable and <a href="https://www.itpro.com/virtualisation/31628/what-is-server-virtualisation" data-original-url="https://www.itpro.com/virtualisation/31628/what-is-server-virtualisation">exploited servers</a> hosting the initial payload of the malware, infected machines which are serving as nodes of those constantly worming campaigns, and server infrastructure that appears to be related to other malware campaigns.”</p><p>Purple Fox operates from a vast network of compromised servers that host its dropper and payload, the researchers also learned. The vast majority of these serving the initial payload are running on relatively old versions of Windows Server, running <a href="https://www.itpro.com/security/33052/microsoft-flags-iis-flaw-that-could-lead-to-100-cpu-usage-spikes-when-exploited" target="_blank" data-original-url="https://www.itpro.com/security/33052/microsoft-flags-iis-flaw-that-could-lead-to-100-cpu-usage-spikes-when-exploited">IIS version 7.5</a> and Microsoft FTP, both of which are known to have multiple vulnerabilities.</p><p>According to the findings, the wormable campaign can start spreading after a victim's machine is compromised through a vulnerable service, such as an SMB, or a payload is sent by email through a phishing campaign exploiting a browser vulnerability.</p><p>Once a machine is infected, the malware blocks several ports in order to prevent the infected machine from being reinfected or exploited by another malware strain.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="L8vUrzgp7mhwUJ5GEHSyyi" name="L8vUrzgp7mhwUJ5GEHSyyi.png" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/L8vUrzgp7mhwUJ5GEHSyyi.png" mos="https://cdn.mos.cms.futurecdn.net/L8vUrzgp7mhwUJ5GEHSyyi.png" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>Managing security risk and compliance in a challenging landscape</strong></p><p class="fancy-box__body-text">How key technology partners grow with your organisation</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/business-strategy/digital-transformation/354266/managing-security-risk-and-compliance-in-a" data-original-url="/business-strategy/digital-transformation/354266/managing-security-risk-and-compliance-in-a">FREE DOWNLOAD</a></p></div></div><p>Purple Fox then generates IP ranges and scans them on port 445, using probes to identify exposed devices with weak passwords, and brute-forcing them to catch devices into a botnet. </p><p>Purple Fox has even been on the NHS’ radar, with <a href="https://digital.nhs.uk/cyber-alerts/2020/cc-3533" target="_blank">NHS Digital warning about its capabilities for months</a>. It warned healthcare organisations about the malware’s capacity to exploit privilege escalation vulnerabilities in October 2020, for example, while recently issuing a warning over its use of SMB brute-force attacks to automatically propagate. </p><p>To prevent infection, NHS Digital advises that secure configurations are applied to all devices and that <a href="https://www.itpro.com/security/27713/the-importance-and-benefits-of-effective-patch-management" target="_blank" data-original-url="https://www.itpro.com/security/27713/the-importance-and-benefits-of-effective-patch-management">security updates are applied</a> as soon as they’re available. Organisations should also apply tamper protection settings in security products where available. </p><p>Users, furthermore, should apply <a href="https://www.itpro.com/security/two-factor-authentication-2fa/358323/cyber-criminals-bypassing-mfa-to-access-cloud-service" target="_blank" data-original-url="https://www.itpro.com/security/two-factor-authentication-2fa/358323/cyber-criminals-bypassing-mfa-to-access-cloud-service">multi-factor authentication (MFA)</a> and lockout policies where practicable, while administrative accounts should only be restricted for strictly necessary purposes.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Europol takes down 'dangerous' Emotet botnet ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/malware/358450/europol-takes-down-dangerous-emotet-botnet</link>
                                                                            <description>
                            <![CDATA[ Experts urge businesses to stay vigilant as it's unlikely Emotet is down for good ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">3G8p9d26KEr6YZ6NCK7ydZ</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/WNXcYNnPxnyVLA3cdByw5h-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 28 Jan 2021 10:27:08 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Keumars Afifi-Sabet ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/EAvwpZggMZ2K5h8s2pTAEm.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/WNXcYNnPxnyVLA3cdByw5h-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Image of small robots connected to represent a botnet]]></media:description>                                                            <media:text><![CDATA[Image of small robots connected to represent a botnet]]></media:text>
                                <media:title type="plain"><![CDATA[Image of small robots connected to represent a botnet]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/WNXcYNnPxnyVLA3cdByw5h-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Europol has led international efforts to disrupt the Emotet botnet, killing off one of the most prevalent and dangerous global cyber security threats.</p><p>Investigators from Europol and nations including the UK, US, and France seized control of several hundred servers that comprised Emotet’s infrastructure this week.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/malware/358252/updated-emotet-toolkit-ends-2020-as-most-dangerous-malware" data-original-url="/security/malware/358252/updated-emotet-toolkit-ends-2020-as-most-dangerous-malware">Updated Emotet toolkit ends 2020 as most dangerous malware</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/cyber-crime/358297/worlds-largest-dark-web-marketplace-taken-offline" data-original-url="/security/cyber-crime/358297/worlds-largest-dark-web-marketplace-taken-offline">World’s largest dark web marketplace taken offline</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/358164/the-scariest-security-horror-stories-of-2020" data-original-url="/security/358164/the-scariest-security-horror-stories-of-2020">The scariest security horror stories of 2020</a></p></div></div><p>Through coordinated action, law enforcement and judicial authorities gained control of the malware's infrastructure and "took it down from the inside", authorities announced on Wednesday. Victims infected with the <a href="https://www.itpro.com/malware/28076/what-is-malware" target="_blank" data-original-url="https://www.itpro.com/malware/28076/what-is-malware">malware</a> will now be redirected to law enforcement-controlled landing pages.</p><p>The UK's National Crime Agency (NCA) confirmed it had worked with international colleagues for nearly two years to map the infrastructure of Emotet. The takedown was launched yesterday, and the operation included the searches of properties in Ukraine. Europol described these actions as a unique and new approach to disrupt the activities of cyber criminals.</p><p>The NCA led the financial arm of the investigation, which included tracking how the criminal network was funded, and who was profiteering. They learned $10.5 million (approximately £7.7 million) had moved over a two-year period to just one cryptocurrency platform, while $500,000 (roughly £366,000) had been spent on maintaining its infrastructure.</p><h3 class="article-body__section" id="section-the-world-39-s-most-wanted"><span>The world's most wanted</span></h3><p>This operation is highly significant considering how prevalent and dangerous the Emotet botnet was considered. The threat was once a mere banking Trojan when it was conceived in 2014, but would eventually mutate into a notorious distributor for other strains. This ‘loader’ malware has also been behind <a href="https://www.itpro.com/security/trojans/357036/qbot-malware-surges-into-the-top-ten-most-common-business-threats" target="_blank" data-original-url="https://www.itpro.com/security/trojans/357036/qbot-malware-surges-into-the-top-ten-most-common-business-threats">other infamous threats including Qbot</a>, TrickBot, and <a href="https://www.itpro.com/security/ransomware/357581/ryuk-behind-a-third-of-all-ransomware-attacks-in-2020" target="_blank" data-original-url="https://www.itpro.com/security/ransomware/357581/ryuk-behind-a-third-of-all-ransomware-attacks-in-2020">the rampant Ryuk ransomware</a>.</p><p>Research published this month showed <a href="https://www.itpro.com/security/malware/358252/updated-emotet-toolkit-ends-2020-as-most-dangerous-malware" data-original-url="https://www.itpro.com/security/malware/358252/updated-emotet-toolkit-ends-2020-as-most-dangerous-malware">Emotet was used to target 100,000 users per day</a> over December 2020, impacting 7% of organisations around the world during this period.</p><p>“Emotet was instrumental in some of the worst cyber attacks in recent times and enabled up to seventy percent of the world’s malwares including the likes of Trickbot and Ryuk, which have had significant economic impact on UK businesses," said deputy director of the National Cyber Crime Unit, Nigel Leary.</p><p>"This case demonstrates the scale and nature of cyber-crime, which facilitates other crimes and can cause huge amounts of damage, both financially and psychologically."</p><p>Emotet used various methods to avoid detection, and deployed techniques to stay persistent. For example, it was able to infect entire corporate networks by spreading laterally after gaining access to just a few devices.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="9FzsZ8tLYrdLr2hXWfbm2m" name="9FzsZ8tLYrdLr2hXWfbm2m.jpg" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/9FzsZ8tLYrdLr2hXWfbm2m.jpg" mos="https://cdn.mos.cms.futurecdn.net/9FzsZ8tLYrdLr2hXWfbm2m.jpg" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>How LogPoint uses MITRE ATT&CK</strong></p><p class="fancy-box__body-text">Stronger cyber security with MITRE ATT&CK</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/cyber-attacks/358342/how-logpoint-uses-mitre-attck" data-original-url="/security/cyber-attacks/358342/how-logpoint-uses-mitre-attck">FREE DOWNLOAD</a></p></div></div><p>Through an automated process, Emotet was delivered to victims’ devices through infected email attachments, in combination with a variety of lures. These have included fake invoices, shipping notices, and <a href="https://www.itpro.com/security/hacking/358344/hackers-using-covid-vaccine-as-a-lure-to-spread-malware" target="_blank" data-original-url="https://www.itpro.com/security/hacking/358344/hackers-using-covid-vaccine-as-a-lure-to-spread-malware">information about COVID-19</a>.</p><p>The emails all contained malicious Word documents either in the email itself, or accessible through a link. Once opened, users would be prompted to “enable macros” so the malicious code hidden in the file could run, and install Emotet malware.</p><p>The cyber criminals behind Emotet would then effectively sell access to compromised victims to other threat groups, who would use Emotet as a vehicle to launch their own attacks. These might include banking Trojans or ransomware strains.</p><h3 class="article-body__section" id="section-beware-the-botnet-39-s-resurrection"><span>Beware the botnet's resurrection</span></h3><p>Stefano De Blasi, a threat researcher with Digital Shadows, welcomed news of the “proactive” operation but warned businesses should not become complacent.</p><p>US Cyber Command, for example, took down Trickbot in October last year, but <a href="https://securityintelligence.com/posts/trickbot-survival-instinct-trickboot-version" target="_blank">the security threat has recently re-emerged</a> in the shape of a far more persistent strain.</p><p>“The "new and unique approach" of this coordinated action has likely gained law enforcement a deeper knowledge of the inner workings of Emotet which, in turn, might also result in longer downtime for Emotet,” De Blasi said.</p><p>“Nonetheless, it is crucial to highlight that despite the infrastructure takeover conducted by law enforcement, it is unlikely that Emotet will cease to exist after this operation. Malicious botnets are exceptionally versatile, and it is likely that their operators will sooner or later be able to recover from this blow and rebuild their infrastructure - just like the TrickBot operators did after the aforementioned operation.”</p><p>This is the latest example of law enforcement action against prominent cyber threats, with Europol earlier this month also coordinating efforts to <a href="https://www.itpro.com/security/cyber-crime/358297/worlds-largest-dark-web-marketplace-taken-offline" target="_blank" data-original-url="https://www.itpro.com/security/cyber-crime/358297/worlds-largest-dark-web-marketplace-taken-offline">take down the world’s largest dark web marketplace</a>. The operation, which also included the UK’s National Crime Agency (NCA), put a halt to illegal trade valued at approximately £125 million.</p><p>Only this week, meanwhile, <a href="https://www.justice.gov/opa/pr/department-justice-launches-global-action-against-netwalker-ransomware" target="_blank">the US Department of Justice (DoJ)</a> launched action against the platform hosting the infamous NetWalker ransomware, disrupting its operations and seizing $500,000 (roughly £366,000). The scale of the NetWalker threat exploded last year <a href="https://www.itpro.com/security/ransomware/356999/netwalker-ransomware-has-raked-in-29m-since-march" target="_blank" data-original-url="https://www.itpro.com/security/ransomware/356999/netwalker-ransomware-has-raked-in-29m-since-march">due to its ‘as a service’ expansion</a>, with the group offering its tools for sale over the dark web.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ CMS platforms succumb to KashmirBlack botnet as businesses rush online ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/357516/gigantic-worldwide-kashmirblack-botnet-targeting-cms-platforms</link>
                                                                            <description>
                            <![CDATA[ Businesses warned to prioritise security as coronavirus forces many to ply their trade digitally ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">iHVhjFhuG91dBVzKbTPoMF</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/JxRDcV87vvv46xd3hkohXc-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 22 Oct 2020 15:14:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Networking]]></category>
                                                    <category><![CDATA[Infrastructure]]></category>
                                                                                                                    <dc:creator><![CDATA[ Keumars Afifi-Sabet ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/EAvwpZggMZ2K5h8s2pTAEm.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/JxRDcV87vvv46xd3hkohXc-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Visual representation of an active botnet, with several black nodes connected with white strands]]></media:description>                                                            <media:text><![CDATA[Visual representation of an active botnet, with several black nodes connected with white strands]]></media:text>
                                <media:title type="plain"><![CDATA[Visual representation of an active botnet, with several black nodes connected with white strands]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/JxRDcV87vvv46xd3hkohXc-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>An active <a href="https://www.itpro.com/botnets/1644/what-is-a-botnet" target="_blank" data-original-url="https://www.itpro.com/botnets/1644/what-is-a-botnet">botnet</a> comprising hundreds of thousands of hijacked systems spread across 30 countries is exploiting an old vulnerability to target widely-used <a href="https://www.itpro.com/security/33149/90-of-hacked-cms-sites-in-2018-were-powered-by-wordpress" target="_blank" data-original-url="https://www.itpro.com/security/33149/90-of-hacked-cms-sites-in-2018-were-powered-by-wordpress">content management systems (CMS)</a>.</p><p>Dubbed KashmirBlack, this sophisticated botnet has a well-designed infrastructure made up of a single command and control (C&C) server, and more than 60 surrogate servers.</p><p>The botnet exploits the PHPUnit remote code execution vulnerability, a well-known flaw that’s almost a decade old, that's present in a number of older CMS platforms. These kinds of platforms are notorious for their poor cyber hygiene, mainly because many users deploy legacy versions, use unsupported plugins, and often set <a href="https://www.itpro.com/security/34616/the-top-password-cracking-techniques-used-by-hackers" target="_blank" data-original-url="https://www.itpro.com/security/34616/the-top-password-cracking-techniques-used-by-hackers">weak passwords</a>, according to researchers with Imperva.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/34703/iot-botnets-are-on-the-rise-and-5g-isn-t-helping-anything" data-original-url="/security/34703/iot-botnets-are-on-the-rise-and-5g-isn-t-helping-anything">IoT botnets are on the rise and 5G isn’t helping anything</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/357456/weekly-threat-roundup-windows-10-adobe-and-sonicwall-vpns" data-original-url="/security/357456/weekly-threat-roundup-windows-10-adobe-and-sonicwall-vpns">Weekly threat roundup: Windows 10, Adobe, and SonicWall VPNs</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/357323/iot-botnet-exploiting-two-zero-day-flaws-in-tenda-routers" data-original-url="/security/357323/iot-botnet-exploiting-two-zero-day-flaws-in-tenda-routers">IoT botnet exploiting two zero-day flaws in Tenda routers</a></p></div></div><p>This particular flaw is known and entirely patchable, however, the botnet has managed to capitalise on a sudden surge in the number of companies that have been disrupted by the coronavirus pandemic, which now require easy to use web frameworks to help move their business online. This includes well-known platforms like <a href="https://www.itpro.com/security/zero-day-exploit/357014/millions-of-wordpress-sites-targeted-due-to-file-manager-zero-day" data-original-url="https://www.itpro.com/security/zero-day-exploit/357014/millions-of-wordpress-sites-targeted-due-to-file-manager-zero-day">WordPress</a>, the researchers claim.</p><p>The team have published technical details around KashmirBlack following a six-month undercover investigation, monitoring its evolution over time and the nature of its underlying infrastructure.</p><p>The operation, which began around November 2019, is now made up of hundreds of thousands of bots organised in a highly sophisticated architecture, making millions of attacks each day. The researchers claim its architecture “works like magic”, with attackers able to expand and add new exploits or payloads without much effort at all.</p><p>KashmirBlack also uses sophisticated methods to camouflage itself, as well as exploiting a number of vulnerabilities to maintain uptime and protect its operation. Imperva also uncovered evidence of widely-used software development frameworks and methodologies, including <a href="https://www.itpro.com/devops/28097/what-is-devops" target="_blank" data-original-url="https://www.itpro.com/devops/28097/what-is-devops">DevOps</a> and <a href="https://www.itpro.com/agile-development/28040/what-is-agile-development" target="_blank" data-original-url="https://www.itpro.com/agile-development/28040/what-is-agile-development">Agile</a>, that the hackers are deploying to help the botnet evolve and add new targets with ease.</p><p>“This is the first time we have been able to get visibility into how exactly a botnet like this operates; an important discovery that will help the industry better understand how these nefarious groups evolve and sustain their activity,” said security researcher at Imperva, Ofir Shaty, who co-authored the research.</p><p>“The level of orchestration is remarkable. It’s a very polished operation using the latest software development techniques. With potentially millions of victims across the world, this level of sophistication should be a cause for concern. Once a server is being controlled by a hacker, it has the potential to compromise other servers in the domain in a domino effect, leading to potential data leakage, driving down brand reputation, and eventually losing revenue.”</p><p>The botnet itself appears to specialise in <a href="https://www.itpro.com/digital-currency/30249/what-is-cryptocurrency-mining" target="_blank" data-original-url="https://www.itpro.com/digital-currency/30249/what-is-cryptocurrency-mining">cryptocurrency mining</a>, spamming, and defacement, although priorities have shifted over time. This capacity to shift focus also allows the botnet to change which repositories it may use to store <a href="https://www.itpro.com/malware/28076/what-is-malware" target="_blank" data-original-url="https://www.itpro.com/malware/28076/what-is-malware">malicious code</a> and scripts deployed.</p><p>Researchers believe the KashmirBlack botnet recently evolved to use the popular cloud-based service <a href="https://www.itpro.com/collaboration/33858/welcome-to-the-age-of-the-platform" target="_blank" data-original-url="https://www.itpro.com/collaboration/33858/welcome-to-the-age-of-the-platform">Dropbox</a> to replace its C&C server. They found evidence that the Dropbox API is being used to fetch attack instructions and upload reports from ‘spreading bots’.</p><p>Moving to this type of system also allows the botnet to hide criminal activity behind legitimate web services, working to camouflage the botnet traffic and secure the operation.</p><p>Based on a hacking signature, Imperva has identified the hacker known as 'Exect1337' as being part of the crew running the botnet. This individual is a member of the Indonesian group PhantomGhost, which normally focuses on defacement. This individual also accidentally left a marker within the botnet code, which gave rise to the name KashmirBlack.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ IoT botnet exploiting two zero-day flaws in Tenda routers ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/357323/iot-botnet-exploiting-two-zero-day-flaws-in-tenda-routers</link>
                                                                            <description>
                            <![CDATA[ The Ttint botnet is based heavily on the Mirai malware and includes 12 protocols for remote access ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">d7ioMNmaSjTkxLFuciW7kj</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/WNXcYNnPxnyVLA3cdByw5h-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 05 Oct 2020 09:40:36 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Keumars Afifi-Sabet ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/EAvwpZggMZ2K5h8s2pTAEm.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/WNXcYNnPxnyVLA3cdByw5h-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Image of small robots connected to represent a botnet]]></media:description>                                                            <media:text><![CDATA[Image of small robots connected to represent a botnet]]></media:text>
                                <media:title type="plain"><![CDATA[Image of small robots connected to represent a botnet]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/WNXcYNnPxnyVLA3cdByw5h-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Attackers have spread a Remote Access Trojan (RAT) based on the Mirai malware to create a <a href="https://www.itpro.com/botnets/1644/what-is-a-botnet" target="_blank" data-original-url="https://www.itpro.com/botnets/1644/what-is-a-botnet">botnet</a> by exploiting two zero-day vulnerabilities in routers manufactured by Tenda.</p><p>The botnet, dubbed Ttint, targets routers specifically and is based on code from the <a href="https://www.itpro.com/security/33260/devastating-mirai-variant-is-back-on-the-hunt-for-businesses-to-infect" target="_blank" data-original-url="https://www.itpro.com/security/33260/devastating-mirai-variant-is-back-on-the-hunt-for-businesses-to-infect">Mirai botnet-spreading malware</a>. This malware was found to receive ten Mirai <a href="https://www.itpro.com/security/28026/what-is-a-ddos-attack" target="_blank" data-original-url="https://www.itpro.com/security/28026/what-is-a-ddos-attack">distributed denial of service (DDoS)</a> attack instructions, as well as 12 remote control instructions, <a href="https://blog.netlab.360.com/ttint-an-iot-remote-control-trojan-spread-through-2-0-day-vulnerabilities" target="_blank">according to researchers with Netlab</a>.</p><p>The team first detected hackers using the first of two zero-day vulnerabilities to spread samples of the malware. The flaw, tagged as CVE-2018-14558, was disclosed publicly for the first time in July by researchers with <a href="https://blog.securityevaluators.com/tenda-ac1900-vulnerabilities-discovered-and-exploited-e8e26aa0bc68">Independent Security Evaluators</a>.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/34703/iot-botnets-are-on-the-rise-and-5g-isn-t-helping-anything" data-original-url="/security/34703/iot-botnets-are-on-the-rise-and-5g-isn-t-helping-anything">IoT botnets are on the rise and 5G isn’t helping anything</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/mobile/30776/chinese-hackers-building-a-botnet-out-of-five-million-compromised-android-devices" data-original-url="/mobile/30776/chinese-hackers-building-a-botnet-out-of-five-million-compromised-android-devices">Chinese hackers building a botnet out of five million compromised Android devices</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/28086/iot-privacy-security-concerns" data-original-url="/security/28086/iot-privacy-security-concerns">IoT privacy and security concerns</a></p></div></div><p>Netlab saw the second Tenda router zero-day vulnerability, tagged as CVE-2020-10987, being exploited to spread Ttint samples in August this year. The team subsequently reported the details of this flaw, as well as the proof-of-concept, although the manufacturer has not yet responded.</p><p>Ttint samples were compared during these two periods of emergence and the researchers found the command and control (C2) instructions were exactly the same, albeit with some differences in the vulnerability, cipher key and C2 protocol.</p><p>“The conventional Mirai variants normally focus on DDoS, but this variant is different,” according to Netlab’s report. ”In addition to DDoS attacks, it implements 12 remote access functions such as Socket5 proxy for router devices, tampering with router DNS, setting iptables, executing custom system commands.</p><p>“In addition, at the C2 communication level, it uses the WSS (WebSocket over TLS) protocol. Doing this can circumvent the typical Mirai traffic detection at the traffic level, and it also provides secure encrypted communication for C2.”</p><p>While Ttint is a botnet, the 12 different remote access methods stand it apart from most other botnets, with hackers using the routers as proxies to relay traffic, tamper with firewall and DNS settings, and execute commands remotely.</p><p>When running, Ttint deletes its own files, manipulates the watchdog and prevents the device from restarting. The malware also runs on a single instance by binding to the port, and modifies the process name to confused the user. Finally, it establishes a connection with the decrypted C2 server and reports device information. From this point, it waits for the C2 server to issue instructions and it executes corresponding attacks.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="HFU9R7MEjkx37vatSUvduS" name="HFU9R7MEjkx37vatSUvduS.png" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/HFU9R7MEjkx37vatSUvduS.png" mos="https://cdn.mos.cms.futurecdn.net/HFU9R7MEjkx37vatSUvduS.png" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>The state of data protection and cloud</strong></p><p class="fancy-box__body-text">The challenge of providing effective enterprise data protection</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/policy-legislation/data-protection/356815/the-state-of-data-protection-and-cloud" data-original-url="/policy-legislation/data-protection/356815/the-state-of-data-protection-and-cloud">FREE DOWNLOAD</a></p></div></div><p>In terms of the infrastructure, the attacker first used a Google cloud service IP and then switched to a hosting provider in Hong Kong. When researchers looked up the website certificate, sample, domain name and IP in its DNSmon system, it was able to see more infrastructure IPs, samples and further C2 domain names.</p><p>Neither zero-day flaw has been patched, according to Netlab. <em>IT Pro</em> has approached Tenda for a comment and is awaiting a response.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ IoT botnets are on the rise and 5G isn’t helping anything ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/34703/iot-botnets-are-on-the-rise-and-5g-isn-t-helping-anything</link>
                                                                            <description>
                            <![CDATA[ Botnets are more common and coming in more diverse strains than ever before ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">8ptymDWnUhwyKuSbWNoUja</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/WNXcYNnPxnyVLA3cdByw5h-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 29 Oct 2019 09:33:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Internet of Things]]></category>
                                                    <category><![CDATA[Infrastructure]]></category>
                                                    <category><![CDATA[Internet]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/WNXcYNnPxnyVLA3cdByw5h-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Image of small robots connected to represent a botnet]]></media:description>                                                            <media:text><![CDATA[Image of small robots connected to represent a botnet]]></media:text>
                                <media:title type="plain"><![CDATA[Image of small robots connected to represent a botnet]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/WNXcYNnPxnyVLA3cdByw5h-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The detection of IoT botnets is at an all-time high and the number of varieties is also steadily rising - two trends that are showing no signs of slowing down.</p><p>That's according to Kevin McNamee, director of threat intelligence at Nokia who added that the advent of 5G 'creates more problems than it solves'.</p><p>Referencing figures from Nokia's 2019 Threat Intelligence Report, McNamee said the telecoms giant observed 78% of <a href="https://www.itpro.com/botnets/1644/what-is-a-botnet" target="_blank" data-original-url="https://www.itpro.com/botnets/1644/what-is-a-botnet">botnets</a> carried active malware, 35% of which shared similarities in either code or attack methodology with 2016's Mirai.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/hacking/27449/was-mirai-malware-behind-dyn-ddos-attack" data-original-url="/hacking/27449/was-mirai-malware-behind-dyn-ddos-attack">Was Mirai malware behind Dyn DDoS attack?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/botnets/1644/what-is-a-botnet" data-original-url="/botnets/1644/what-is-a-botnet">What is a botnet?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/mobile/34412/what-is-the-5g-health-scare" data-original-url="/mobile/34412/what-is-the-5g-health-scare">What is the 5G health scare?</a></p></div></div><p>The hugely successful Mirai botnet in 2016 which was responsible for <a href="https://www.itpro.com/distributed-denial-of-service-ddos/30150/mirai-trio-confesses-to-creating-the-worlds-most-powerful" target="_blank" data-original-url="https://www.itpro.com/distributed-denial-of-service-ddos/30150/mirai-trio-confesses-to-creating-the-worlds-most-powerful">one of the biggest DDoS attacks in history</a>, has inspired a wide portfolio of newer iterations that are pervasively proliferating.</p><p>Satori and <a href="https://www.itpro.com/malware/29783/iot-reaper-will-be-worse-than-mirai" target="_blank" data-original-url="https://www.itpro.com/malware/29783/iot-reaper-will-be-worse-than-mirai">Reaper</a> botnets are examples of the more malicious variants which succeeded Mirai, while Hajime copied Mirai's attack methodology to plug the vulnerabilities its malicious predecessor exploited in the first place - a bot for good.</p><p>Researchers at Unit 42 announced in March that they had discovered <a href="https://www.itpro.com/security/33260/devastating-mirai-variant-is-back-on-the-hunt-for-businesses-to-infect" target="_blank" data-original-url="https://www.itpro.com/security/33260/devastating-mirai-variant-is-back-on-the-hunt-for-businesses-to-infect">another new variant of Mirai</a> that had an updated attack methodology, a wider-reaching attack surface which specifically targeted enterprise IoT devices.</p><p>Any device that's visible on the open internet right now can be targeted by an IoT botnet and if it has a vulnerability as well, then it will be hacked within minutes, said McNamee, and the advent of 5G complicates things further.</p><p>While the next generation of mobile networking has its cyber security advantages, such as network slicing, it also presents issues that could exacerbate the already growing botnet bother.</p><p>"Now with 5G, we're going to be moving to much more devices, bigger networks, higher bandwidth and probably the carriers are going to make decisions around what IP addresses to use and likely they'll use <a href="https://www.itpro.com/internet-protocol-version-6-ipv6/30660/what-is-ipv6" target="_blank" data-original-url="https://www.itpro.com/internet-protocol-version-6-ipv6/30660/what-is-ipv6">IPv6 addresses</a> [rather than the current IPv4 ones]," said McNamee. "So there is the potential to make the wrong decisions that you're opening up the attack surface by making those devices visible."</p><p>He also noted that due to more IoT devices becoming potentially visible, it means that bots can recruit more devices through which it can launch offensives like DDoS attacks. These can then become far more damaging than before due to the larger bandwidth that 5G affords.</p><p>"More IoT devices means bigger botnets," he said. "So nowadays, when you see a botnet of 100,000 bots, think five years down the road, [we could see] a botnet of 1 million, 2 million or 10 million bots."</p><p>In addition, the ability for a 5G network to be 'sliced' or segmented by the carrier might also present problems that it otherwise intends to solve.</p><p>Network slicing is emblematic of classic cyber security best practice: segmenting different parts of a network so attackers can't move across the whole company. Alongside the more inherently secure and encrypted 5G control plane, the slicing capability gives businesses an added layer of network security and a way of mitigating the negative possibilities of attacks exploiting higher bandwidths.</p><p>However, segmenting the network can also make an attacker's job easier by signposting where the information they want resides. It's like the context page of a textbook indicating the page of a topic but also the pages on which you can easily find different sub-topics.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Botnet spreads 30,000 sextortion emails in an hour  ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/botnets/34647/botnet-spreads-30000-sextortion-emails-in-an-hour</link>
                                                                            <description>
                            <![CDATA[ Recipients ordered to pay $800 in Bitcoin under threat of compromising photos leaking online ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">qapwry3AZRxfk2De4Ly653</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/5kULMHTo637QZXDCTJ7RMW-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 17 Oct 2019 10:11:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Ransomware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Bobby Hellard ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/bsR2tHSyVKUoyXZF5pNsDA.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/5kULMHTo637QZXDCTJ7RMW-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/5kULMHTo637QZXDCTJ7RMW-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Some 450,000 hijacked computers have been used to send phishing scams in a large scale "sextortion" campaign, with victims receiving emails threatening to release compromising photos of recipients unless they cough up $800 in Bitcoin.</p><p>The campaign using botnets to target more than 27 million victims at a rate of 30,000 per hour with their own personal information, supposedly taken from previous data breaches.</p><p>There is a suggestion that only a small number have opened the emails, but researchers believe botnets still offered a great "return on investment" for hackers.</p><p>"A botnet can be used for many, many things," said Charles Henderson, from IBM's X-Force Red security team, according to the <a href="https://www.bbc.co.uk/news/technology-50065713" target="_blank"><em>BBC</em></a>. "This was just one task assigned to it."</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/botnets/1644/what-is-a-botnet" data-original-url="/botnets/1644/what-is-a-botnet">What is a botnet?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/cyber-security/34631/the-human-element-of-a-cyber-security-strategy-for-email" data-original-url="/cyber-security/34631/the-human-element-of-a-cyber-security-strategy-for-email">The human element of a cyber security strategy for email</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/29093/what-is-phishing" data-original-url="/security/29093/what-is-phishing">What is phishing?</a></p></div></div><p>A <a href="https://www.itpro.com/botnets/1644/what-is-a-botnet" target="_blank" data-original-url="https://www.itpro.com/botnets/1644/what-is-a-botnet">botnet</a> is a network of computers that have been compromised by hackers, usually by malware spread via infected webpages of malicious email attachments. They can quickly send out and spread attacks across a wide number of machines and mask hackers tracks.</p><p>So far, the closest anyone has come to finding the culprits is through security firm Check Point, which monitored one of the Bitcoin wallets being used to collect funds from the scam.</p><p>In other sexploitation news, more than 300 people have been arrested after the world's "largest dark web child porn marketplace" was shut down by UK investigators.</p><p>The site had more than 200,000 videos, all of which had been downloaded more than a million times, but was taken down last year after a UK investigation into a child sex offender led to its existence.</p><p>Although it had been shut down a year ago, officials revealed on Wednesday that 337 suspects had been arrested in 38 countries with US authorities unsealing nine indictments against the site's owner, Jong Woo Son, a 23-year-old man from South Korea, according to <a href="https://techcrunch.com/2019/10/16/doj-child-exploitation-dark-web" target="_blank"><em>TechCrunch</em></a>.</p><p>The UK's National Crime Agency has revealed the arrests were made in the UK, Ireland, America, South Korea, Germany, Spain, Saudi Arabia, the United Arab Emirates, the Czech Republic and Canada - as well as many more.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Equifax named the most Googled data breach of all time ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/34372/equifax-named-the-most-googled-data-breach-of-all-time</link>
                                                                            <description>
                            <![CDATA[ 2014's Heartbleed takes the top spot for cyber threat searches ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">imATUy7LuaKFNwZ4d6ocff</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/smx5FrTsvRSRvRjUKtdfVC-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 11 Sep 2019 11:14:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Data Breaches]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/smx5FrTsvRSRvRjUKtdfVC-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[man reading computer code]]></media:description>                                                            <media:text><![CDATA[man reading computer code]]></media:text>
                                <media:title type="plain"><![CDATA[man reading computer code]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/smx5FrTsvRSRvRjUKtdfVC-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The infamous 2017 Equifax data breach that affected 148 million individuals, including more than 600,000 UK citizens, is the most searched for data breach of all time, according to cybersecurity firm Redscan.</p><p>The company scoured Google's annual Year in Search report to find out which data protection incidents had attracted the most attention from people using the search engine over the past year.</p><p>The Collection #1 data breach was 2019's most searched-for data protection incident. In previous years, <a href="https://www.itpro.com/general-data-protection-regulation-gdpr/33989/marriott-fined-99m-for-2018-data-breach" target="_blank" data-original-url="https://www.itpro.com/general-data-protection-regulation-gdpr/33989/marriott-fined-99m-for-2018-data-breach">Marriott</a> (2018), <a href="https://www.itpro.com/security/33242/the-equifax-effect-explaining-the-biggest-security-disaster-of-the-21st-century" target="_blank" data-original-url="https://www.itpro.com/security/33242/the-equifax-effect-explaining-the-biggest-security-disaster-of-the-21st-century">Equifax</a> (2017), <a href="https://www.itpro.com/security/32193/yahoo-to-pay-out-39-million-after-massive-data-breach" target="_blank" data-original-url="https://www.itpro.com/security/32193/yahoo-to-pay-out-39-million-after-massive-data-breach">Yahoo</a> (2016) and <a href="https://www.itpro.com/security" target="_blank" data-original-url="https://www.itpro.com/security/24011/anthem-data-breach-why-the-data-centric-security-message-needs-resuscitating">Anthem</a> (2015) have had the dubious honour of being the most searched-for data breaches on Google.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/33242/the-equifax-effect-explaining-the-biggest-security-disaster-of-the-21st-century" data-original-url="/security/33242/the-equifax-effect-explaining-the-biggest-security-disaster-of-the-21st-century">The Equifax Effect: Explaining the biggest security disaster of the 21st century</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/22101/heartbleed-bug-everything-you-need-to-know" data-original-url="/security/22101/heartbleed-bug-everything-you-need-to-know">Heartbleed bug: Everything you need to know</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/exploits/30478/what-are-meltdown-and-spectre-and-are-you-affected" data-original-url="/exploits/30478/what-are-meltdown-and-spectre-and-are-you-affected">What are Meltdown and Spectre and are you affected?</a></p></div></div><p>The Redscan researchers said Equifax's behaviour following the breach, including late disclosure and communicating details poorly, as well as three of its executives selling millions of dollars worth of stock before announcing the incident, could have spiked search interest.</p><p>Although the world of business has seen some fairly significant cyber security threats in recent years, such as Mirai, NotPetya and Bluekeep, the threat that eclipsed them all in terms of Google searches was 2014's <a href="https://www.itpro.com/security/22101/heartbleed-bug-everything-you-need-to-know" target="_blank" data-original-url="https://www.itpro.com/security/22101/heartbleed-bug-everything-you-need-to-know">Heartbleed</a>.</p><p>The bug found in the OpenSSL cryptographic software library used to secure online connections and underpin the security of servers and VPNs, was discovered in 2014 but was believed to be around for two years prior.</p><p>The likes of Mumsnet, Gloucester City Council and the Canada Revenue Agency were hit and data was stolen as a result, including social insurance numbers and other sensitive information.</p><p>Heartbleed received more than twice as many search hits than WannaCry, famous for crippling the NHS, and almost four times as many as <a href="https://www.itpro.com/exploits/30478/what-are-meltdown-and-spectre-and-are-you-affected" target="_blank" data-original-url="https://www.itpro.com/exploits/30478/what-are-meltdown-and-spectre-and-are-you-affected">Meltdown</a> which affected widely deployed Intel and ARM processors.</p><p>"The disruption and damage breaches can cause means that swiftly detecting and responding to them has never been so important," <a href="https://www.redscan.com/wp-content/uploads/2019/09/Redscan-Report_-Cyber-Security-In-Search_Sept19.pdf" target="_blank">said Redscan in the report</a>.</p><p>"Businesses need to learn from the mistakes of organisations such as Equifax and ensure that if they suffer a breach, they have appropriate procedures in place to report it to regulators as well as communicate the risks to all individuals affected."</p><p>It's not all doom and gloom however the report also shone a light on the most searched for cyber security celebrites on Google.</p><p>Canadian investor and cyber security personality Robert Herjavec was the most searched industry figure in 2019, raking a similar number of searches as Holly Hunter, best known for voicing Elastigirl in the hit movie series The Incredibles.</p><p>Herjavec, founded internet security software company BRAK Systems which he sold in 2000 to AT&T for $30 million (24,136,500) but is perhaps best known for his TV appearances on Dragon's Den and Shark Tank.</p><p>John McAffee came in second place, the controversial cyber security pioneer equalled the number of searches as David Bradley, the actor famous for roles in the Harry Potter series and Game of Thrones. Kevin Mitnick, Bruce Schneier and Troy Hunt comprised the rest of the top five.</p><p>Although the need for passwords hasn't lessened in recent years, that fact isn't represented in the number of people researching the topic. Searches for 'passwords' have declined dramatically around a 90% reduction searches has been observed since 2004.</p><p>"It's a bit concerning that searches for passwords are in such a steep decline," said Redscan. "Good password hygiene is essential, and people are often really bad at setting unique passwords."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ What is a botnet? ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/botnets/1644/what-is-a-botnet</link>
                                                                            <description>
                            <![CDATA[ An in-depth look at the evolution of this highly effective method of cyber crime ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">srtguGF5BBNV2H6tQ6vCYm</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/WNXcYNnPxnyVLA3cdByw5h-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 04 Sep 2019 10:30:00 +0000</pubDate>                                                                                                                                <updated>Wed, 14 Jul 2021 15:33:00 +0000</updated>
                                                                                                                                            <category><![CDATA[Antivirus]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Dale Walker ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/YhUVp3rWtcZPM5XznPeTmX.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/WNXcYNnPxnyVLA3cdByw5h-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Image of small robots connected to represent a botnet]]></media:description>                                                            <media:text><![CDATA[Image of small robots connected to represent a botnet]]></media:text>
                                <media:title type="plain"><![CDATA[Image of small robots connected to represent a botnet]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/WNXcYNnPxnyVLA3cdByw5h-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Botnets were originally invented as simple docile systems, designed to run tasks repeatedly. They were so good at it, however, that they soon quickly became a technology of interest for the wrong types of people. </p><p>Essentially, botnets (the malicious ones, at least) are made up of an army of infected machines and they grow by infecting new targets, such as PCs, smartphones, tablets, and all kinds of <a href="https://www.itpro.com/cloud-computing/28037/what-is-iot" target="_blank" data-original-url="https://www.itpro.com/cloud-computing/28037/what-is-iot">internet-connected</a> devices - from smart doorballs to <a href="https://www.itpro.com/security/ransomware/357259/iot-coffee-machine-hacked-to-demand-ransom" target="_blank" data-original-url="https://www.itpro.com/security/ransomware/357259/iot-coffee-machine-hacked-to-demand-ransom">coffee machines</a>. </p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/607167/the-storm-botnet-is-finally-dead--but-whats-next" data-original-url="/607167/the-storm-botnet-is-finally-dead--but-whats-next">The Storm botnet is finally dead – but what's next?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/malware/355868/hackers-revive-years-old-malware-to-exploit-mass-remote-working" data-original-url="/security/malware/355868/hackers-revive-years-old-malware-to-exploit-mass-remote-working">Hackers revive years-old malware to exploit mass remote working</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/34703/iot-botnets-are-on-the-rise-and-5g-isn-t-helping-anything" data-original-url="/security/34703/iot-botnets-are-on-the-rise-and-5g-isn-t-helping-anything">IoT botnets are on the rise and 5G isn’t helping anything</a></p></div></div><p>The earliest uses of botnets can be traced all the way back to before the millennium, and they've changed significantly in the years that followed. What we know as botnets today are far more sophisticated, and dangerous. </p><p>There are countless computers around the world that are currently under botnet control, with thousands of operations still active despite numerous and successful takedowns. </p><p>What we've described above, however, doesn't even scratch the surface of what a botnet is, nor what it's capable of. For a full, in-depth look at the technology, we've rounded up all you need to know about them. </p><h3 class="article-body__section" id="section-not-all-botnets-are-bad"><span>Not all botnets are bad</span></h3><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="48SvkRxBH5mjkLniYoHtw" name="" alt="DDoS attack" src="https://cdn.mos.cms.futurecdn.net/48SvkRxBH5mjkLniYoHtw.jpg" mos="https://cdn.mos.cms.futurecdn.net/48SvkRxBH5mjkLniYoHtw.jpg" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pull-"></p></div></div></figure><p>Now, as mentioned above, they're not inherently bad, often they used to perform much of the background work and repetition that goes into the delivery of online services.</p><p>The problem came when someone worked out a way to mobile these types of networks against other ones. From then on, countless botnets have emerged to cause havoc for a relatively low cost attack. </p><p>The purpose of a botnet is to self-propagate, spreading to machines and infecting them with a <a href="https://www.itpro.com/security/30081/what-is-a-trojan-virus" target="_blank" data-original-url="https://www.itpro.com/security/30081/what-is-a-trojan-virus">Trojan</a> that typically sits idle and remains hidden until activated. Once switched on, an infected system will go to work in tandem with other devices on the bot network, pooling resources into a single action.</p><p>What that action is depends on the purpose of the botnet. It's common for criminals to use the processing power of an infected machine to launch <a href="https://www.itpro.com/security/28026/what-is-a-ddos-attack" target="_blank" data-original-url="https://www.itpro.com/security/28026/what-is-a-ddos-attack">distributed denial of service (DDoS) attacks</a> against other networks.</p><p>Yet most the of work performed by botnets is behind the scenes. They're often deployed to churn out spam emails to millions of users, usually laced with Trojans designed to ensnare new devices. Botnets can even be hired to bombard a website with traffic to artificially inflate a site's visitor rate.</p><h3 class="article-body__section" id="section-analysing-the-economic-impact-of-botnets"><span>Analysing the economic impact of botnets</span></h3><p>Historically, botnets targeted online financial institutions as that's where the money is at. Today, currencies have spread to all corners of the internet, making every business a target.</p><p><a href="https://www.itpro.com/business-intelligence/21861/what-is-business-intelligence" target="_blank" data-original-url="https://www.itpro.com/business-intelligence/21861/what-is-business-intelligence">Business intelligence</a> is one crucial, but previously overlooked area for organisations. Now, firms are finding more utility in analytics tools than ever before and certainly rely on such insights to remain competitive.</p><p>Botnets armed with an array of weaponry are wreaking havoc with such data, rendering much of it meaningless and causing harmful economic repercussions.</p><div  class="fancy-box"><div class="fancy_box-title">RELATED RESOURCE</div><div class="fancy_box_body"><figure class="van-image-figure "  ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="TpQGJuV8JLJg48R7p8QdfN" name="TpQGJuV8JLJg48R7p8QdfN.jpg" caption="" alt="" src="https://cdn.mos.cms.futurecdn.net/TpQGJuV8JLJg48R7p8QdfN.jpg" mos="https://cdn.mos.cms.futurecdn.net/TpQGJuV8JLJg48R7p8QdfN.jpg" link="" align="" fullscreen="" width="0" height="0" attribution="" endorsement="" class="pinterest-pin-exclude"></p></div></div></figure><p class="fancy-box__body-text"><strong>The top three IT pains of the new reality and how to solve them</strong></p><p class="fancy-box__body-text">Driving more resiliency with unified operations and service management</p><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/business-strategy/it-infrastructure/360224/the-top-three-it-pains-of-the-new-reality-and-how-to" data-original-url="/business-strategy/it-infrastructure/360224/the-top-three-it-pains-of-the-new-reality-and-how-to">FREE DOWNLOAD</a></p></div></div><p><strong>Web-scraping bots</strong> can copy copyrighted or trademarked data and reuse it on other websites. Two versions of the content diminish your site's search authority, negatively affecting SEO rankings.</p><p><strong>Disrupted denial-of-service (DDoS)</strong> attacks can disrupt applications and networks, making them unavailable and creating false leads which affect traffic metrics. Poor marketing decisions may be made as a result.</p><p><strong>Advertising fraud</strong> occurs when bots click on advertisements. Consequently, data reported to the advertisers is skewed, costing money for non-human clicks leading to no additional revenue.</p><p><strong>Customer trust</strong> can deteriorate as inboxes are filled with unwanted mail, fake social accounts relentlessly pushing biased views, and controversy is stirred through comments and vote-rigging. Frustrated customers are usually not long-term customers.</p><p>Whether in the form of an unresponsive website, traffic being redirected to a competitor, sales chasing false leads or paying for more ad clicks, botnets cause a failure in business intelligence that directly correlates with a negative economic impact on the organisation.</p><h3 class="article-body__section" id="section-where-did-botnets-come-from"><span>Where did botnets come from?</span></h3><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="txHjhCHZV6uTCsLAyZcf9Q" name="" alt="" src="https://cdn.mos.cms.futurecdn.net/txHjhCHZV6uTCsLAyZcf9Q.jpg" mos="https://cdn.mos.cms.futurecdn.net/txHjhCHZV6uTCsLAyZcf9Q.jpg" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pull-"></p></div></div></figure><p>It's unsurprisingly difficult to pinpoint the moment where botnets became a reality, but Sub7 and Pretty Park, a Trojan and a worm, are seen as malware that helped to fuel the rise of the botnet.</p><p>They were spotted just before the turn of the millennium and introduced the concept of an infected machine connecting to an internet relay chat (IRC) channel to listen for malicious commands. </p><p>One of the next significant moments in the botnet timeline was the emergence of the Global Threat bot, otherwise known as GTbot, in 2000. This was a new breed of botnet, capable of running custom scripts in response to IRC events. It also had access to raw TCP (transmission control protocol) and UDP (user datagram protocol) sockets, so it was perfect for simple denial of service (DDoS) attacks.</p><p>Another significant development came in 2002 when Agobot emerged. This introduced the concept of a staged attack, with payloads delivered sequentially. An initial attack would install a back door, the second would try to take out <a href="https://www.itpro.com/antivirus/28144/best-antivirus" target="_blank" data-original-url="https://www.itpro.com/antivirus/28144/best-antivirus">antivirus software</a> and the third blocked access to security vendor websites.</p><p>Bredolab, one of the largest botnets ever recorded, emerged in 2009 with an estimated 30 million bots under its control. A network of this size was capable of sending out 3.6 billion malicious spam emails every day.</p><p>Then, in 2016, we saw the rise of Mirai, a notorious botnet that's <a href="https://www.itpro.com/hacking/27449/was-mirai-malware-behind-dyn-ddos-attack" target="_blank" data-original-url="https://www.itpro.com/hacking/27449/was-mirai-malware-behind-dyn-ddos-attack">widely believed to have been behind the attack on the Dyn network</a> in October of that year, which saw Spotify, Netflix, Amazon and others taken offline. Since then the botnet has evolved; in March 2019, for example, <a href="https://www.itpro.com/security/33260/devastating-mirai-variant-is-back-on-the-hunt-for-businesses-to-infect" target="_blank" data-original-url="https://www.itpro.com/security/33260/devastating-mirai-variant-is-back-on-the-hunt-for-businesses-to-infect">a new Mirai variant that targeted vulnerable business devices</a> was uncovered. </p><h3 class="article-body__section" id="section-social-botnets"><span>Social botnets</span></h3><p>Hackers have been forced to evolve the way they build botnets over the years, most notably in the early 2000s when a shift was made from IRC communications to peer-to-peer.</p><p>IRC communication had proved highly effective, however, security researchers soon found they could simply blacklist the IRC command and control (C&C) to kill off the botnet.</p><p>Hackers, being the savvy denizens of the virtual world that they are, looked to P2P networks instead to decentralise the command and control infrastructure. In the case of the <a href="https://www.itpro.com/610215/waledac-spammers-fake-bomb-blast-news-story" data-original-url="https://www.itpro.com/610215/waledac-spammers-fake-bomb-blast-news-story">Waledac botnet</a>, zombie machines were used to provide a P2P network that effectively hid the key servers. This effectively made it near impossible to disrupt their operations.</p><h3 class="article-body__section" id="section-future-botnets"><span>Future botnets</span></h3><p>As botnets evolved, so did their ability to disrupt. The Cutwail botnet, active in 2007, introduced further camouflaging techniques and has made a significant mark in the growth of the botnet industry.</p><p>Cutwail included the concept of backup connections, allowing each bot to cryptographically generate alternative hostnames for their command and control servers on a daily basis.</p><p>The <a href="https://www.itpro.com/617209/timeline-a-year-of-the-conficker-worm" data-original-url="https://www.itpro.com/617209/timeline-a-year-of-the-conficker-worm">Conficker</a> botnet, which appeared in 2008, adopted a similar technique and was capable of generating 50,000 alternative names every day.</p><p>Continual developments such as these have helped cyber criminals conceal their botnet activity, leaving law enforcement at a loss.</p><h3 class="article-body__section" id="section-taking-on-the-bad-botnet"><span>Taking on the bad botnet </span></h3><p>It has not been a completely easy ride for cyber criminals, however, and there have been some major busts in recent times.</p><p>The <a href="https://www.itpro.com/608238/worldwide-spam-spewing-server-taken-down" data-original-url="https://www.itpro.com/608238/worldwide-spam-spewing-server-taken-down">McColo takedown</a> in 2008 was one of the most famous. The hosting firm was taken offline after a <em>Washington Post</em> reporter contacted two of the company's internet service providers to warn them of malicious activity going through McColo servers.</p><p>The provider was found to be hosting command and control servers for a number of big-time botnets, including both Rustock and Cutwail.</p><p>When McColo was pulled off the internet that November, a global drop in spam levels of almost 80% was reported. However, spam would soon return to its previous prominence soon enough.</p><p>More recently, following an investigation by the FBI, the mastermind by the Kelihos botnet was arrested in 2017 while holidaying in Spain. Russian hacker Peter Levashov was thought to have orchestrated the activities of as many as 300,000 enthralled computers.</p><p>The <a href="https://www.justice.gov/opa/pr/justice-department-announces-actions-dismantle-kelihos-botnet-0?utm_source=MIT+Technology+Review&utm_campaign=8b3d1fce9c-The_Download_2017-04-07&utm_medium=email&utm_term=0_997ed6f472-8b3d1fce9c-153925993">dismantling of the network</a> was only made possible thanks to fresh powers granted to the FBI allowing it to remotely access computers that it's unable to physically confiscate.</p><p>Perhaps the largest botnet takedown took place in December 2017, when the <a href="https://www.itpro.com/security/30093/task-force-silences-massive-andromeda-botnet" data-original-url="https://www.itpro.com/security/30093/task-force-silences-massive-andromeda-botnet">two-million strong Andromeda army was silenced</a> by a joint task force comprising agents from the FBI, Europol's European Crime Centre, Eurojust, the Joint Cybercrime Action Task Force, as well as representatives from private organisations such as Microsoft.</p><p>The Andromeda botnet was thought to have involved in the propagation of at least 80 different families of malware with a global reach, making it one of the most complex takedown operations in recent times.</p><h3 class="article-body__section" id="section-how-do-you-protect-yourself"><span>How do you protect yourself?</span></h3><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="x2orUMVhGGTNgvBLvxXXzP" name="" alt="Woman holding a smartphone and installing an antivirus on her laptop" src="https://cdn.mos.cms.futurecdn.net/x2orUMVhGGTNgvBLvxXXzP.jpg" mos="https://cdn.mos.cms.futurecdn.net/x2orUMVhGGTNgvBLvxXXzP.jpg" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pull-"></p></div></div></figure><p>The most important, and perhaps obvious step all users should take is making sure they have the <a href="https://www.itpro.com/antivirus/28144/best-antivirus" data-original-url="https://www.itpro.com/antivirus/28144/best-antivirus">latest security software</a> installed on a PC or network. Most security vendors today have some sort of built-in malware detection and removal tools as standard and should be switched on at all times.</p><p>But basic security hygiene is also highly recommended. Always be vigilant to emails that are from outside your organisation or from those you don't know, particularly if they arrive with attachments. This is a favoured way to spread Trojans and it's possible your system won't pick up on the infection.</p><p>It's also highly recommended that you keep all your devices updated with the latest security patches. These are significantly more important than new feature patches, as they tend to plug system holes that are either being actively exploited by hackers or are likely to be in the near future.</p><p>Generally, botnets favour those targets that are easy to reach, and quick to infect, and even basic security measures are usually enough to thwart an attack.</p><p>Like most forms of cyber crime, however, bringing an end to botnets is inconceivable.The real task is to simply try to come out victorious in each battle, all the while accepting the fact that the war can never be won.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ GoldBrute botnet targeting Windows RDP systems in brute force hacking spree ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/botnets/33799/goldbrute-botnet-targeting-windows-rdp-systems-in-brute-force-hacking-spree</link>
                                                                            <description>
                            <![CDATA[ More than 1.5 million unique IP addresses have been compromised with the figure only expected to rise ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">vxGxrFLtt5UFgaWuHZBdmh</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/WNXcYNnPxnyVLA3cdByw5h-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 07 Jun 2019 10:55:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Keumars Afifi-Sabet ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/EAvwpZggMZ2K5h8s2pTAEm.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/WNXcYNnPxnyVLA3cdByw5h-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Image of small robots connected to represent a botnet]]></media:description>                                                            <media:text><![CDATA[Image of small robots connected to represent a botnet]]></media:text>
                                <media:title type="plain"><![CDATA[Image of small robots connected to represent a botnet]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/WNXcYNnPxnyVLA3cdByw5h-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Hackers have deployed a <a href="https://www.itpro.com/botnets/1644/what-is-a-botnet" target="_blank" data-original-url="https://www.itpro.com/botnets/1644/what-is-a-botnet">botnet</a> that's actively targeting systems running a remote desktop protocol (RDP) connection using a hard-to-detect brute-forcing mechanism.</p><p>A security researcher has discovered that more than 1.5 million RDP endpoints have so far been compromised by a botnet dubbed GoldBrute and that this figure is only expected to rise.</p><p>It highlights that brute-forcing still remains a dangerous method of attack, despite recent <a href="https://www.itpro.com/security/33697/security-researcher-auctions-off-windows-10-zero-day-exploits" target="_blank" data-original-url="https://www.itpro.com/security/33697/security-researcher-auctions-off-windows-10-zero-day-exploits">widespread attention given to the critical Windows Bluekeep vulnerability</a>.</p><p>This was revealed last month as a remote desktop service (RDS), remote code execution (RCE) and RDP flaw that could allow attackers to run arbitrary malicious code on older Windows systems.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/30953/hacker-botnets-can-automate-a-cyber-attack-in-15-seconds" data-original-url="/security/30953/hacker-botnets-can-automate-a-cyber-attack-in-15-seconds">Hacker botnets can automate a cyber attack in 15 seconds</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/33260/devastating-mirai-variant-is-back-on-the-hunt-for-businesses-to-infect" data-original-url="/security/33260/devastating-mirai-variant-is-back-on-the-hunt-for-businesses-to-infect">Devastating Mirai variant is back on the hunt for businesses to infect</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/28196/the-cybersecurity-skills-your-business-needs" data-original-url="/security/28196/the-cybersecurity-skills-your-business-needs">The cyber security skills your business needs</a></p></div></div><p>The brute-forcing botnet, by contrast, has been scouring the web for exposed RDP servers and is taking advantage of inadequate passwords to build a network of hacked endpoints, according to <a href="https://morphuslabs.com/goldbrute-botnet-brute-forcing-1-5-million-rdp-servers-371f219ec37d" target="_blank">Morphus Labs' chief research officer Renato Marinho</a>.</p><p>"RDP, the remote desktop protocol, made the news recently after Microsoft patched a critical remote code execution vulnerability," he said.</p><p>"While the reporting around this 'Bluekeep' vulnerability focused on patching vulnerable servers, exposing RDP to the internet has never been a good idea.</p><p>"Botnets have been scanning for these servers and are using weak and reused passwords to gain access to them."</p><p>A system breached by GoldBrute will first be instructed to download an 80MB-sized ZIP file that contains the <a href="https://www.itpro.com/malware/28076/what-is-malware" target="_blank" data-original-url="https://www.itpro.com/malware/28076/what-is-malware">malware</a> strain. This programme then scans random IP addresses to find potential hosts with exposed RDP servers that aren't already listed on the main GoldBrute directory of known endpoints.</p><p>After finding 80 new endpoints, the malware sends this list of IP addresses to a single remote command and control (C&C) server. The infected system, in turn, receives a list of IP addresses to brute-force.</p><p>Crucially, there is only one attempt to crack each IP address listed, with a single username and password combination.</p><p>This is a possible strategy, according to Marinho, to "fly under the radar of security tools", because each authentication attempt comes from different addresses. It means GoldBrute's hacking attempts are difficult to detect by a range of security systems deployed by businesses.</p><p>The successful username and password combinations are then fed back into the C&C server where the attackers behind GoldBrute will have access to them.</p><p>After analysing GoldBrute code and trying to understand its mechanics, Marinho's team received 2.1 million IP addresses, of which 1,596,571 were unique. They then <a href="https://isc.sans.edu/diaryimages/images/gold-brute-map.png" target="_blank">plotted these addresses onto a global map</a>, with South Korea a clear hotspot for attacks, followed by other parts of Asia as well as sites in the US, central Europe, and the UK.</p><p>Meanwhile, in light of the Bluekeep threat plaguing legacy Windows systems, the National Cyber Security Centre (NCSC) has <a href="https://www.ncsc.gov.uk/report/weekly-threat-report-31st-may-2019" target="_blank">reiterated advice to businesses to apply Microsoft's latest security patches as soon as possible</a>.</p><p>Organisations should also focus on external-facing RDP services, critical servers such as domain controllers and management servers, as well as non-critical servers but those with RDP enabled.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Devastating Mirai variant is back on the hunt for businesses to infect ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/33260/devastating-mirai-variant-is-back-on-the-hunt-for-businesses-to-infect</link>
                                                                            <description>
                            <![CDATA[ Security researchers have found a new variant of the malicious botnet that grounded some of the world's biggest tech companies ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">h7aM3ViRLTiv2ToW7DrYVc</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/6JP4nYwoULENLMPR8kYKda-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 19 Mar 2019 11:12:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cyber Attacks]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/6JP4nYwoULENLMPR8kYKda-1280-80.jpg">
                                                            <media:credit><![CDATA[Bigstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Hacker typing on a keyboard]]></media:description>                                                            <media:text><![CDATA[Hacker typing on a keyboard]]></media:text>
                                <media:title type="plain"><![CDATA[Hacker typing on a keyboard]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/6JP4nYwoULENLMPR8kYKda-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A new variant of the crushing Mirai botnet, which specifically places enterprises in its crosshairs, has been discovered by security researchers. </p><p>Mirai first shook the world in 2016 and became known for being the worst DDoS attack in history. </p><p>Three years later, Mirai has returned, according to experts from Unit 42, Palo Alto Networks' security arm. It comes with an enhanced arsenal of features which increase the botnet's attack surface but, most pertinently, it has a revised attack strategy.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/33242/the-equifax-effect-explaining-the-biggest-security-disaster-of-the-21st-century" data-original-url="/security/33242/the-equifax-effect-explaining-the-biggest-security-disaster-of-the-21st-century">The Equifax Effect: Explaining the biggest security disaster of the 21st century</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/hacking/27449/was-mirai-malware-behind-dyn-ddos-attack" data-original-url="/hacking/27449/was-mirai-malware-behind-dyn-ddos-attack">Was Mirai malware behind Dyn DDoS attack?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/28026/what-is-a-ddos-attack" data-original-url="/security/28026/what-is-a-ddos-attack">What is a DDoS attack?</a></p></div></div><p>Mirai is still a botnet designed to exploit IoT devices, but in its latest iteration it seeks out vulnerable business devices - specifically, wireless presentation systems and the TVs used to present to rooms full of clients, partners and colleagues.</p><p>"This new Mirai is a perfect example of why every organisation needs to map their own networks from an external point of view and close off everything that is open and does not need to be," said Jamo Niemela, principal researcher at F-secure. "The types of new devices that Mirai attacks have no business of being visible to the Internet."</p><p>The WePresent WiPG-1000 wireless presentation system and the LG Supersign TV were the two devices singled-out by researchers as most vulnerable to the attack.</p><p>"This development indicates to us a potential shift to using Mirai to target enterprises," said Ruchna Nigam, senior threat researcher at Unit 42.</p><p>"The previous instance where we observed the botnet targeting enterprise vulnerabilities was with the incorporation of exploits against Apache Struts and SonicWall."</p><p>The new variant of Mirai includes new exploits in its multi-exploit battery as well as new credentials to use in its brute force attacks. In addition, the malicious payload attached to it was hosted at a compromised business website based in Colombia.</p><p>These new features, Nigam notes, gives Mirai a larger attack surface than before. By targeting firms which have business-grade bandwidth on their network, the combination can facilitate far larger-scale <a href="https://www.itpro.com/security/28026/what-is-a-ddos-attack" target="_blank" data-original-url="https://www.itpro.com/security/28026/what-is-a-ddos-attack">DDoS attacks</a>.</p><p>"These developments underscore the importance for enterprises to be aware of the IoT devices on their network, change default passwords, ensure that devices are fully up-to-date on patches," Nigam added.</p><p>"And in the case of devices that cannot be patched, to remove those devices from the network as a last resort."</p><p>Last September, Mirai was discovered by Unit 42 attempting to target enterprise networks. As noted above, the previous variant targeted the same Apache Struts vulnerability that hackers used to carry out the infamous and the <a href="https://www.itpro.com/security/33242/the-equifax-effect-explaining-the-biggest-security-disaster-of-the-21st-century" data-original-url="https://www.itpro.com/security/33242/the-equifax-effect-explaining-the-biggest-security-disaster-of-the-21st-century">Equifax data breach</a>.</p><p>Mirai has been attributed to a host of cyber attacks since <a href="https://www.itpro.com/distributed-denial-of-service-ddos/30150/mirai-trio-confesses-to-creating-the-worlds-most-powerful" target="_blank" data-original-url="https://www.itpro.com/distributed-denial-of-service-ddos/30150/mirai-trio-confesses-to-creating-the-worlds-most-powerful">three American twentysomethings</a> launched it in 2016. The FBI has said that it believed the trio was not involved in the massive Dyn attack of 2016, but <a href="https://www.itpro.com/hacking/27449/was-mirai-malware-behind-dyn-ddos-attack" target="_blank" data-original-url="https://www.itpro.com/hacking/27449/was-mirai-malware-behind-dyn-ddos-attack">Mirai was at least part of the attack</a> that hit the DNS provider and a selection of the biggest tech companies in the world.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Briton sentenced for huge cyber attack on Liberian telco ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/32731/briton-sentenced-for-huge-cyber-attack-on-liberian-telco</link>
                                                                            <description>
                            <![CDATA[ Operating out of Cyprus, this hacker-for-hire knocked the entire country's internet offline - thought to be world first ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">kCEdM1roERfcir3U9ZCfBg</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/J8JvaNRSjnbxgJrYer6Ee6-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 14 Jan 2019 12:18:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cyber Crime]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Connor Jones ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/LPjgE2kGKixS9aF7Jdp2mT.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/J8JvaNRSjnbxgJrYer6Ee6-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Graphic of a cyber criminal or hacker]]></media:description>                                                            <media:text><![CDATA[Graphic of a cyber criminal or hacker]]></media:text>
                                <media:title type="plain"><![CDATA[Graphic of a cyber criminal or hacker]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/J8JvaNRSjnbxgJrYer6Ee6-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A British cyber criminal hired by a Liberian telco has been jailed for 32 months in the UK for unleashing targeted DDoS attacks against another rival telco in 2016.</p><p>Being paid a monthly retainer by Cellcom, Daniel Kaye used a Mirai botnet which harnessed unsecured webcams to inundate Lonestar, the rival telco, with unsustainable levels of traffic which at its peak, caused the entire country's internet to go down.</p><p>Legal or not, it was definitely effective. Lonestar claimed its inability to provide service to its customers resulted in the loss of tens of millions of dollars as customers left the network. The telco also spent a further $600,000 in remedial action to prevent further attacks.</p><p>Kaye also hacked Deutsche Telekom's infrastructure to transmit some of the traffic to Lodestar.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/28026/what-is-a-ddos-attack" data-original-url="/security/28026/what-is-a-ddos-attack">What is a DDoS attack?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/it-legislation/28174/what-is-the-computer-misuse-act" data-original-url="/it-legislation/28174/what-is-the-computer-misuse-act">What is the Computer Misuse Act?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/32117/what-is-the-dark-web" data-original-url="/security/32117/what-is-the-dark-web">What is the dark web?</a></p></div></div><p>After his spell in Cyprus where hs was based during his freelance Liberian attacks, Kaye returned to the UK in February 2017 and was arrested carrying $10,000 on his person, a sum which was part of the payments he received from Cellcom.</p><p>The <a href="http://www.nationalcrimeagency.gov.uk/news/1542-international-hacker-for-hire-jailed-for-cyber-attacks-on-liberian-telecommunications-provider" target="_blank">National Crime Agency</a> by this time had already linked him to the unsuccessful attack on three British banks - Lloyds, Barclays and Halifax - in January 2017 but Kaye claims he loaned out the botnet on the <a href="https://www.itpro.com/security/32117/what-is-the-dark-web" target="_blank" data-original-url="https://www.itpro.com/security/32117/what-is-the-dark-web">dark web</a> during this time. These charges were later formally dropped.</p><p>Germany wanted Kaye extradited to face punishment there for hacking and misusing its infrastructure but instead, he faced the stronger charges for his crimes in Africa.</p><p>Kaye was tried and sentenced in the UK because British law (<a href="https://www.itpro.com/it-legislation/28174/what-is-the-computer-misuse-act" target="_blank" data-original-url="https://www.itpro.com/it-legislation/28174/what-is-the-computer-misuse-act">Computer Misuse Act 1990</a>) allows a cyber criminal to prosecuted for an offence anywhere in the world.</p><p>Kaye is believed to be the first cyber criminal to bring down an entire nation's internet and as a result, "a substantial number of Lonestar's customers switched to competitors", said Babatunde Osho, Lonestar's former chief executive in written submissions to the court.</p><p>"In the years preceding the <a href="https://www.itpro.com/security/28026/what-is-a-ddos-attack" target="_blank" data-original-url="https://www.itpro.com/security/28026/what-is-a-ddos-attack">DDoS</a> attacks, Lonestar's annual revenue exceeded $80m (62.4m). Since the attacks, revenue has decreased by tens of millions and its current liabilities have increased by tens of millions."</p><p>"Daniel Kaye was operating as a highly skilled and capable hacker-for-hire," said Mike Hulett, head of operations at the National Cyber Crime Unit. "His activities inflicted substantial damage on numerous businesses in countries around the world, demonstrating the borderless nature of cyber crime.</p><p>"Working in collaboration with international law enforcement partners played a key role in bringing Daniel Kaye to justice."</p><p>"The fact that he was caught and brought to justice shows some of the value of continued cooperation with our European counterparts in tackling cybercrime on a cross-border basis," said Paul McKay, senior analyst at Forrester. It is a rare example of a successful prosecution of a cybercriminal in an area where criminal attribution and bringing individuals to court to face prosecution is notoriously difficult."</p><p>Kaye was unsuccessful in the UK, but the botnet was so effective in Africa because Liberia's internet at the time was only provided only by a few telcos, relying on limited Atlantic cable which isn't as secure as modern European internet as traffic can reach users through more routes.</p><p>According to investigators, Liberia's internet was repeatedly downed between November 3 and November 4 2016 disrupting not just Lonestar but organisations and ordinary users up and down the state.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Mirai 'botmasters' now exploiting Hadoop flaw to target Linux servers  ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/botnets/32427/mirai-botmasters-now-exploiting-hadoop-flaw-to-target-linux-servers</link>
                                                                            <description>
                            <![CDATA[ Malware used to take half the internet offline is being used to build powerful botnets with just a handful of compromised servers ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">R2bseevemBzbH149Gfeez</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/ew9s64ZUki6oq7CnWj76LA-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 23 Nov 2018 10:44:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Keumars Afifi-Sabet ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/EAvwpZggMZ2K5h8s2pTAEm.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/ew9s64ZUki6oq7CnWj76LA-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Botnet]]></media:description>                                                            <media:text><![CDATA[Botnet]]></media:text>
                                <media:title type="plain"><![CDATA[Botnet]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/ew9s64ZUki6oq7CnWj76LA-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Cyber criminals who used a botnet malware that took large parts of the internet offline in 2016 are now abusing Linux servers at scale.</p><p>Mirai, an open source malware, was conventionally used to target Internet of Things (IoT) devices like wireless cameras and routers. Malicious actors infamously used Mirai to construct a botnet that <a href="https://www.itpro.com/hacking/27449/was-mirai-malware-behind-dyn-ddos-attack" target="_blank" data-original-url="https://www.itpro.com/hacking/27449/was-mirai-malware-behind-dyn-ddos-attack">led to a devastating distributed denial of service (DDoS) attack</a> against major online platforms.</p><p>But researchers have found evidence that certain strains are now targeting Linux servers, with a handful of attackers using custom tools to exploit a Hadoop YARN vulnerability and deliver malware instead of relying on bots to spread.</p><p>This is the first time security researchers have spotted non-IoT Mirai "in the wild", according to Network performance management firm <a href="https://asert.arbornetworks.com/mirai-not-just-for-iot-anymore" target="_blank">Netscout</a>.</p><p>"Mirai is no longer solely targeting IoT devices. While the techniques used to deliver Mirai to both IoT and Linux servers may be similar, it's much easier for attackers to attack the x86 monoculture of Linux servers than the wide array of CPUs used in IoT devices," said Netscout researcher Matthew Bing.</p><p>"The limited number of sources we've seen continually scanning for the Hadoop YARN vulnerability may indicate this activity is the work of a small group of attackers. Their goal is clear - to install the malware on as many devices as possible."</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/distributed-denial-of-service-ddos/30150/mirai-trio-confesses-to-creating-the-worlds-most-powerful" data-original-url="/distributed-denial-of-service-ddos/30150/mirai-trio-confesses-to-creating-the-worlds-most-powerful">Mirai: Trio confesses to creating the world's most powerful DDoS botnet</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/mobile/30776/chinese-hackers-building-a-botnet-out-of-five-million-compromised-android-devices" data-original-url="/mobile/30776/chinese-hackers-building-a-botnet-out-of-five-million-compromised-android-devices">Chinese hackers building a botnet out of five million compromised Android devices</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/malware/30304/mirai-okiru-botnet-targets-billions-of-arc-based-iot-devices" data-original-url="/malware/30304/mirai-okiru-botnet-targets-billions-of-arc-based-iot-devices">Mirai 'Okiru' botnet targets billions of ARC-based IoT devices</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/botnets/31641/duo-unravels-massive-three-tiered-crypto-giveaway-botnet" data-original-url="/botnets/31641/duo-unravels-massive-three-tiered-crypto-giveaway-botnet">Duo unravels massive three-tiered ‘crypto-giveaway’ botnet</a></p></div></div><p>YARN (Yet Another Resource Negotiator) is a technology deployed as a resource management and job scheduling system for <a href="https://www.itpro.com/databases/28075/what-is-hadoop" target="_blank" data-original-url="https://www.itpro.com/databases/28075/what-is-hadoop">Apache Hadoop</a>. It's responsible for allocating system resources to various applications running a Hadoop cluster, as well as scheduling tasks to execute on different nodes.</p><p>The vulnerability manifests as a command injection flaw that allows an attacker to execute arbitrary shell commands and resembles many flaws seen in IoT devices. It's for this reason Mirai attackers see Linux servers as a viable target.</p><p>His team's global network of 'honeypot' servers of recorded tens of thousands of attempts to exploit the vulnerability per day, indicating the flaw is being abused "at scale", with attackers sending exploits to as many vulnerable servers as they possibly can.</p><p>"Once gaining a foothold, Mirai on a Linux server behaves much like an IoT bot and begins brute-forcing telnet usernames and passwords," Bing continued.</p><p>"What's different now is that among the small, diminutive devices in the botnet lurk fully powered Linux servers."</p><p>Data centre-based Linux servers present a greater opportunity to launch DDoS attacks as they have more bandwidth than IoT devices, he explained, with attackers able to build a powerful botnet from just a handful of servers.</p><p>Mirai was behind <a href="https://www.itpro.com/distributed-denial-of-service-ddos/30150/mirai-trio-confesses-to-creating-the-worlds-most-powerful" target="_blank" data-original-url="https://www.itpro.com/distributed-denial-of-service-ddos/30150/mirai-trio-confesses-to-creating-the-worlds-most-powerful">one of the most disruptive DDoS attacks the world has sustained</a>, with cyber criminals sending tens of millions of access requests to domain name system (DNS) provider Dyn from compromised IoT devices.</p><p>Dyn is used by a host of industry giants like Twitter, Spotify and Github to name a few, meaning all these services were taken offline when the DNS provider was targeted.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Growing 'anti-vaxx' online debate pinned on Russian botnets ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/botnets/31777/growing-anti-vaxx-online-debate-pinned-on-russian-botnets</link>
                                                                            <description>
                            <![CDATA[ Sophisticated bots and trolls are ‘playing both sides’ of the debate to spread public health myths ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">rpWU9soLa6BAWoYiemswva</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/VaYq4WC25EYpzyS4Lwhmwg-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 24 Aug 2018 10:38:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cyber Attacks]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Keumars Afifi-Sabet ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/EAvwpZggMZ2K5h8s2pTAEm.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/VaYq4WC25EYpzyS4Lwhmwg-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Map of Russian-originating bots connected together through a botnet]]></media:description>                                                            <media:text><![CDATA[Map of Russian-originating bots connected together through a botnet]]></media:text>
                                <media:title type="plain"><![CDATA[Map of Russian-originating bots connected together through a botnet]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/VaYq4WC25EYpzyS4Lwhmwg-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Russian bots are engaged in a campaign to spread health-related myths on Twitter - by promoting the views of vaccine sceptics and posing as users concerned with public health.</p><p>Unlike conventional <a href="https://www.itpro.com/botnets/1644/what-is-a-botnet" target="_blank" data-original-url="https://www.itpro.com/botnets/1644/what-is-a-botnet">botnets</a>, which are used to spread malware, "content polluters" - likely originating in Russia - use similar methods to promote conspiracy theories and myths around vaccination, according to a study in the American Journal of Public Health (AJPH).</p><p>Researchers examined the frequency of anti-vaxx messages posted by humans and suspected bots between 2014 and 2017, and analysed the content posted on Twitter hashtags associated with Russian troll activity.</p><p>The study, titled '<a href="https://ajph.aphapublications.org/doi/pdf/10.2105/AJPH.2018.304567" target="_blank">Weaponised Health Communication</a>', found that by confronting vaccine sceptics directly, bots were able to legitimise their position in the public discourse - and artificially inflate the anti-vaccine debate.</p><p>"Unlike troll accounts, content polluters (ie, disseminators of malware, unsolicited commercial content, and other disruptive material that typically violates Twitter's terms of service) post anti-vaccine messages 75% more often than does the average non-bot Twitter user," the researchers concluded.</p><p>"Thus, it is unclear to what extent their promotion of vaccine-related content is driven by true anti-vaccine sentiment or is used as a tactic designed to drive up click-through rates by propagating motivational content ("clickbait")."</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/botnets/1644/what-is-a-botnet" data-original-url="/botnets/1644/what-is-a-botnet">What is a botnet?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/botnets/31641/duo-unravels-massive-three-tiered-crypto-giveaway-botnet" data-original-url="/botnets/31641/duo-unravels-massive-three-tiered-crypto-giveaway-botnet">Duo unravels massive three-tiered ‘crypto-giveaway’ botnet</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/mobile/30776/chinese-hackers-building-a-botnet-out-of-five-million-compromised-android-devices" data-original-url="/mobile/30776/chinese-hackers-building-a-botnet-out-of-five-million-compromised-android-devices">Chinese hackers building a botnet out of five million compromised Android devices</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/31527/how-russia-hacked-the-2016-election" data-original-url="/security/31527/how-russia-hacked-the-2016-election">How Russia hacked the 2016 election</a></p></div></div><p>Vaccines have long been considered safe and risk-free according to the overwhelming medical and scientific consensus. But myths and scare campaigns around vaccine usage at different points in time have led to the needless spread of disease and public health issues.</p><p>A recent resurgence of Measles across Europe, for instance, with <a href="https://www.theguardian.com/society/2018/aug/20/low-mmr-uptake-blamed-for-surge-in-measles-cases-across-europe" target="_blank">41,000 cases recorded in the six first months of 2018</a> - more than double the whole of last year - has been tied with false claims around vaccinations which have hindered parents from immunising their children.</p><p>The study found that Russian trolls and Twitter bots post content about vaccinations, both positive and negative, at significantly higher rates than the average user, indicating the aim was not to promote either side of the debate - but t raise the prominence of the debate itself.</p><p>Examples of myths propagated include the idea that vaccines can cause fatal side effects, that a secret government database of vaccine-damaged children exists, and that most diseases vaccines target are relatively harmless - making vaccines a needless risk.</p><p>"The highest proportion of anti-vaccine content is generated by accounts with unknown or intermediate bot scores," the researchers continued.</p><p>"Although we speculate that this set of accounts contains more sophisticated bots, trolls, and cyborgs, their provenance is ultimately unknown.</p><p>"Therefore, beyond attempting to prevent bots from spreading messages over social media, public health practitioners should focus on combating the messages themselves while not feeding the trolls."</p><p>Botnets are conventionally deployed to spread malware, and are becoming increasingly sophisticated as cyber security specialists attempt to combat them. Duo Security, for instance, earlier this month revealed <a href="https://www.itpro.com/botnets/31641/duo-unravels-massive-three-tiered-crypto-giveaway-botnet" target="_blank" data-original-url="https://www.itpro.com/botnets/31641/duo-unravels-massive-three-tiered-crypto-giveaway-botnet">the existence of a 15,000-strong botnet structured in a three-tiered hierarchy</a> which promoted a fake cryptocurrency giveaway; evolving over time to remain undetected.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Duo unravels massive three-tiered ‘crypto-giveaway’ botnet ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/botnets/31641/duo-unravels-massive-three-tiered-crypto-giveaway-botnet</link>
                                                                            <description>
                            <![CDATA[ Researchers used a machine learning model to weed through 88 million Twitter accounts for bots and spammers ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">xr54RNf1j2zUiqJbfneghR</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/bvWGsJDiZtn7AiG7ePDJ6a-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 07 Aug 2018 10:58:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Networking]]></category>
                                                    <category><![CDATA[Infrastructure]]></category>
                                                                                                                    <dc:creator><![CDATA[ Keumars Afifi-Sabet ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/EAvwpZggMZ2K5h8s2pTAEm.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/bvWGsJDiZtn7AiG7ePDJ6a-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[graphical representation of a botnet]]></media:description>                                                            <media:text><![CDATA[graphical representation of a botnet]]></media:text>
                                <media:title type="plain"><![CDATA[graphical representation of a botnet]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/bvWGsJDiZtn7AiG7ePDJ6a-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Researchers have uncovered a sophisticated botnet perpetuating a cryptocurrency scam in one of the most wide-reaching studies of the Twitter ecosystem to date.</p><p>Comprised of at least 15,000 bots in a three-tiered hierarchical structure, a team of Duo Security researchers observed how the crypto-scam botnet worked to spread a fake 'cryptocurrency giveaway', and evolved over time to remain undetected.</p><p>Duo's principal R&D engineer Jordan Wright and data scientist Olabode Anise published their findings in a report titled <em>'<a href="https://duo.com/assets/pdf/Duo-Labs-Dont-At-Me-Twitter-Bots.pdf" target="_blank">Dont @ Me: Hunting Twitter Bots at Scale</a>'</em>, ahead of a presentation at the 2018 Black Hat cybersecurity conference in Las Vegas tomorrow.</p><p>As part of the process, the researchers analysed more than 88 million Twitter accounts - one of the largest random Twitter datasets to date - between May and July 2018, and processed their APIs in a machine learning model to differentiate a human account from a bot.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/30953/hacker-botnets-can-automate-a-cyber-attack-in-15-seconds" data-original-url="/security/30953/hacker-botnets-can-automate-a-cyber-attack-in-15-seconds">Hacker botnets can automate a cyber attack in 15 seconds</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/mobile/30776/chinese-hackers-building-a-botnet-out-of-five-million-compromised-android-devices" data-original-url="/mobile/30776/chinese-hackers-building-a-botnet-out-of-five-million-compromised-android-devices">Chinese hackers building a botnet out of five million compromised Android devices</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/641809/worlds-third-largest-botnet-taken-down" data-original-url="/641809/worlds-third-largest-botnet-taken-down">World's third largest botnet taken down</a></p></div></div><p>The crypto-giveaway botnet, according to Duo, would first involve bots spoofing a legitimate cryptocurrency-associated account by stealing its display name and avatar. These accounts would subsequently spread fake links in replies to genuine users' tweets, and were also seen to take on the identity of a celebrity, or news organisation.</p><p>The team then learned many of them followed the same Twitter accounts, declared "hub accounts". They were unclear as to the exact contribution these accounts made to the botnet, but theorised they are "randomly chosen accounts which the bots follow in an effort to appear legitimate".</p><p>Amplification bots, fake accounts that exist purely to like tweets to artificially inflate their popularity and visibility, comprised the final tier of this structure and were deployed to raise the prominence of the tweets promoting the scam, as well as afford them legitimacy.</p><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="DYZsBntBhMAqx7YyegYVQi" name="" alt="" src="https://cdn.mos.cms.futurecdn.net/DYZsBntBhMAqx7YyegYVQi.png" mos="https://cdn.mos.cms.futurecdn.net/DYZsBntBhMAqx7YyegYVQi.png" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pull-"></p></div></div></figure><p>They mapped the relationship between the amplification bots, and the bots they support, to discover previously unknown accounts; in turn performing further analysis to unravel a sophisticated structure. In this process they established it was possible to follow a thread "that can result in the unraveling of the entire botnet".</p><p>"Users are likely to trust a tweet more or less depending on how many times it's been retweeted or liked. Those behind this particular botnet know this, and have designed it to exploit this very tendency," Duo's Anise said.</p><p>"Malicious bot detection and prevention is a cat-and-mouse game," Wright added. "We anticipate that enlisting the help of the research community will enable discovery of new and improving techniques for tracking bots. However, this is a more complex problem than many realize, and as our paper shows, there is still work to be done."</p><p>The tools and techniques the pair used to uncover the cryptocurrency scam botnet, which they are <a href="https://www.blackhat.com/us-18/briefings/schedule/index.html#dont--me-hunting-twitter-bots-at-scale-10699" target="_blank">set to highlight at Black Hat</a>, are being made publicly available <a href="https://github.com/duo-labs/twitterbots" target="_blank">via Github</a> following their presentation.</p><p>Although botnets can be structured in different ways, the paper noted the structure and appearance of this particular one <a href="http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/uncovering-a-persistent-diet-spam-operation-on-twitter.pdf" target="_blank">resembled the 'diet-spam botnet' discovered by Symantec in 2015</a> - with dedicated roles assigned to different clusters. Alternatively, botnets may exist in a 'flat' structure where each fake account exhibits the same behaviour.</p><p>"Twitter is aware of this form of manipulation and is proactively implementing a number of detections to prevent these types of accounts from engaging with others in a deceptive manner," a company spokesperson said.</p><p>"Spam and certain forms of automation are against Twitter's rules. In many cases, spammy content is hidden on Twitter on the basis of automated detections.</p><p>"When spammy content is hidden on Twitter from areas like search and conversations, that may not affect its availability via the API. This means certain types of spam may be visible via Twitter's API even if it is not visible on Twitter itself. Less than 5% of Twitter accounts are spam-related."</p><p><a href="https://duo.com/blog/dont-me-hunting-twitter-bots-at-scale" target="_blank">Writing in a blogpost</a>, the principal researchers said they were pleased with Twitter's initial response to their findings, and the company's announcement that it would be challenging "more than 9.9 million potentially spammy or automated accounts per week". </p><p>"We're excited to see these efforts by Twitter and are hopeful that these increased investments will be effective in combating spam and malicious content," the pair wrote.</p><p>"However, we don't consider the problem solved. The case study presented in this paper demonstrates that organized botnets are still active and can be discovered with relatively straightforward analysis."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ IoT revenue opportunity to exceed $1 trillion by 2025 ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/internet-of-things-iot/31218/iot-revenue-opportunity-to-exceed-1-trillion-by-2025</link>
                                                                            <description>
                            <![CDATA[ More than half of IoT devices will be deployed in enterprises as the market shifts away from connectivity ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">dZcpYT3pxPdohXqJUPwrD1</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/a4ymtHSCHyEoyrMbc6Gq7K-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 31 May 2018 09:47:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Internet of Things]]></category>
                                                    <category><![CDATA[Infrastructure]]></category>
                                                    <category><![CDATA[Internet]]></category>
                                                                                                                    <dc:creator><![CDATA[ Keumars Afifi-Sabet ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/EAvwpZggMZ2K5h8s2pTAEm.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/a4ymtHSCHyEoyrMbc6Gq7K-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A collection of IoT devices]]></media:description>                                                            <media:text><![CDATA[A collection of IoT devices]]></media:text>
                                <media:title type="plain"><![CDATA[A collection of IoT devices]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/a4ymtHSCHyEoyrMbc6Gq7K-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The global Internet of Things (IoT) market will exceed $1 trillion in value by 2025, with more than half of connected devices set to be deployed in business settings.</p><p>While the revenue opportunity is projected to be $1.1 trillion worldwide, the market will shift away from connectivity, and instead towards platforms, applications and services, according to <a href="https://www.gsma.com/newsroom/press-release/new-gsma-study-operators-must-look-beyond-connectivity-to-increase-share" target="_blank">forecasts by GSMA</a>, a global trade body representing mobile network operators.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/cloud-computing/28037/what-is-iot" data-original-url="/cloud-computing/28037/what-is-iot">What is the Internet of Things (IoT)?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/internet-of-things-iot/30894/microsoft-will-plough-5bn-into-iot-over-the-next-four-years" data-original-url="/internet-of-things-iot/30894/microsoft-will-plough-5bn-into-iot-over-the-next-four-years">Microsoft will plough $5bn into IoT over the next four years</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/internet-of-things-iot/30715/iot-security-measures-need-teeth-to-counter-the-spread-of-hackable" data-original-url="/internet-of-things-iot/30715/iot-security-measures-need-teeth-to-counter-the-spread-of-hackable">IoT security measures 'need teeth' to counter the spread of hackable devices</a></p></div></div><p>Of the 25.2 billion devices expected by 2025 - 6.3 billion more than in 2016 - those deployed within enterprises of vertical-specific applications will account for more than half; 13.8 billion devices versus only 11.4 billion in the consumer market, predominantly driven by developments in the smart home market.</p><p>Meanwhile, the Asia Pacific region is forecast to become the largest region both in terms of revenue and number of connections, accounting for 35% of revenue, $386 billion, and 44% of connections, 11 billion - with <a href="https://twitter.com/GSMA/status/1002101160478732288" target="_blank">GSMA also suggesting</a> the growth of just China's GDP from IoT is expected to reach $1.8 trillion by 2030.</p><p>"As the number of connected consumer devices and industrial machines grow rapidly, the IoT ecosystem will evolve to become a trillion-dollar market over the course of the next decade," said Sylwia Kechiche, principal Analyst IoT at GSMA Intelligence.</p><p>"But the IoT revenue opportunity is shifting away from simply connecting devices to addressing specific sectors with tailored solutions, and successful ecosystem players will need to adapt their business models in line with these market trends."</p><p>Connectivity revenue will grow in the period to 2025, but this will only account for 5% of the trillion-dollar revenue opportunity projected. More than two-thirds of this market share will fall on platforms, applications and services, while professional services, including system integration, managed services and consulting, will account for the remaining share.</p><p>"It's well understood that connectivity will represent only a fraction of the total IoT opportunity. Complementing our IoT connections data with this major new dataset and analysis on IoT revenue provides a comprehensive and realistic view on where market opportunities exist for operators, vendors, integrators, and everyone else playing in the IoT ecosystem," said Peter Jarich, Head of GSMA Intelligence.</p><p>The IoT market has certainly in recent years been expanding into a variety of sectors, for example, in health. Earlier this month a <a href="https://www.itpro.com/internet-of-things-iot/31101/nhs-highland-hospital-trials-iot-enabled-medical-beds" target="_blank" data-original-url="https://www.itpro.com/internet-of-things-iot/31101/nhs-highland-hospital-trials-iot-enabled-medical-beds">Scottish hospital began trialling IoT-powered medical beds</a>, so these could be monitored more efficiently as they moved through the building.</p><p>But as the IoT market expands, so will concerns over the growing attack surface that deploying billions more connected devices will bring, underlined by a spate of security issues involving IoT devices in recent months. In April, for instance, more than 168,000 unpatched IoT devices, located via the Shodan IoT search engine, were <a href="https://www.itpro.com/internet-of-things-iot/30905/attackers-target-vulnerability-in-cisco-switches" target="_blank" data-original-url="https://www.itpro.com/internet-of-things-iot/30905/attackers-target-vulnerability-in-cisco-switches">targeted by attackers believed to be "associated with nation state actors"</a>.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Malware hiding Android apps return to Google Play after a simple name change ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/malware/31106/malware-hiding-android-apps-return-to-google-play-after-a-simple-name-change</link>
                                                                            <description>
                            <![CDATA[ Symantec discovers seven malicious apps sneaked back onto Google Play with different names ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">7ujm4rGQ2bQ3bgfcHDPov6</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/iLsCtPzkhPvM4FhARntwdJ-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 14 May 2018 09:57:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Keumars Afifi-Sabet ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/EAvwpZggMZ2K5h8s2pTAEm.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/iLsCtPzkhPvM4FhARntwdJ-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[A red Android mascot]]></media:description>                                                            <media:text><![CDATA[A red Android mascot]]></media:text>
                                <media:title type="plain"><![CDATA[A red Android mascot]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/iLsCtPzkhPvM4FhARntwdJ-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Researchers have discovered a set of malicious apps on the Google Play Store that are reappearing after being removed by simply changing their names.</p><p>Malware identified as Android.Reputation.1, a Trojan <a href="https://www.symantec.com/security-center/writeup/2014-022612-2619-99" target="_blank">first encountered in 2014</a>, has been found in new iterations of at least seven apps on the Play Store after Google was previously alerted to them.</p><p>These new apps, featuring under a different publisher, carry the same code but are listed under an altered name, according to researchers from security company Symantec. The apps offer an array of features including emoji keyboard add-ons, calculators, call recorders, and storage space cleaners.</p><p>"The Google Play app store has a reputation as the safest place online to get Android apps," wrote Symantec's Martin Zhang, principle software engineer, and Shaun Aimoto, technical product owner, in a <a href="https://www.symantec.com/blogs/threat-intelligence/persistent-malicious-apps-google-play" target="_blank">blogpost</a>, adding: "And Google does a good job of advising users to limit exposure to malware and other risks by configuring their phones to forbid side-loading and alternative app markets in the Android Settings.</p><p>"We've encountered several apps in the past, however, that manage to gain access to this walled garden. The latest of these discoveries is a set of apps that has managed to reappear in the Play store even after we alerted Google and the original app was removed."</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/malware/28083/best-free-malware-removal-tools" data-original-url="/security/malware/28083/best-free-malware-removal-tools">6 of the best free malware removal tools in 2023</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/malware/28076/what-is-malware" data-original-url="/malware/28076/what-is-malware">What is malware?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/cyber-crime/30911/scale-of-cyber-risk-to-uk-businesses-is-bigger-than-ever" data-original-url="/cyber-crime/30911/scale-of-cyber-risk-to-uk-businesses-is-bigger-than-ever">Scale of cyber risk to UK businesses is "bigger than ever"</a></p></div></div><p>The apps, once installed, take measures to stay on the device, disappear and wipe their tracks, including waiting for hours before launching malicious activity to avoid arousing suspicion and requesting admin privileges - using the Google Play icon when doing so to feign legitimacy.</p><p>The apps also retain the ability to change the launcher icon and their "running apps" icon in the system settings once installed, again using well-known icons such as Google Play or Google Maps to avoid suspicion, as well as pushing content such as ads or scams to the device.</p><p>Earlier this month Symantec discovered <a href="https://www.symantec.com/blogs/threat-intelligence/hidden-app-malware-google-play" target="_blank">38 malicious apps</a> carrying the Android.Reputation.1 Trojan on the Play Store disguised as game and education apps - hiding their existence from users by removing their icons from the home screen. </p><p>The company previously discovered a set of eight apps hiding a "highly prevalent" type of malware, dubbed <a href="https://www.symantec.com/connect/blogs/android-malware-google-play-adds-devices-botnet-and-performs-ddos-attacks" target="_blank">Android.Sockbot</a>, in late 2017, which operated by adding compromised devices into a botnet to potentially perform DDoS attacks. The apps boasted an install base of between 600,000 and 2.6 million devices.</p><p>"Of course, the most foolproof way to identify malware involves a balanced combination of data gathering, machine learning, and human expertise, all with a focus on app behaviour," Symantec's post continued.</p><p>The researchers provided the standard recommendations for users to avoid falling foul to sophisticated malware such as this, including keeping software up-to-date, avoiding downloading apps from unfamiliar sites, only installing apps from trusted publishers, reviewing permission requests, and installing a mobile security app.</p><p><em>IT Pro</em> contacted Symantec and Google but neither were able to comment at the time of writing.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Github weathers world's largest DDoS attack ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/distributed-denial-of-service-ddos/30679/github-weathers-worlds-largest-ddos-attack</link>
                                                                            <description>
                            <![CDATA[ The site had just ten minutes of downtime ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">5ooh2hBWS9xHG7FmsM8AYL</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/eh3tpQbV8t3R2LEom8nn8F-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 02 Mar 2018 10:14:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Adam Shepherd ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/3n2BoLAtRj8Z5eRfxtwyK8.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/eh3tpQbV8t3R2LEom8nn8F-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/eh3tpQbV8t3R2LEom8nn8F-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Github has weathered the biggest DDoS attack in history with just 10 minutes of downtime, according to new reports.</p><p>The code-sharing site was subjected to a colossal 1.35Tbits/sec surge in traffic, as unknown hackers attempted to take the platform offline. The attack was foiled by Akamai Prolexic's anti-DDoS protections, which Github automatically activated shortly after detecting the spike in traffic.</p><p>"We understand how much you rely on GitHub and we know the availability of our service is of critical importance to our users," said Github site reliability engineering manager Sam Kottler in a blog post detailing the incident. "To note, at no point was the confidentiality or integrity of your data at risk."</p><p>"Making GitHub's edge infrastructure more resilient to current and future conditions of the internet and less dependent upon human involvement requires better automated intervention. We're investigating the use of our monitoring infrastructure to automate enabling DDoS mitigation providers and will continue to measure our response times to incidents like this with a goal of reducing mean time to recovery," he said.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/28026/what-is-a-ddos-attack" data-original-url="/security/28026/what-is-a-ddos-attack">What is a DDoS attack?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/29224/the-cyber-security-threat-in-charts" data-original-url="/security/29224/the-cyber-security-threat-in-charts">The cyber security threat in six charts</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/ddos/28039/how-to-stop-a-ddos-attack" data-original-url="/security/ddos/28039/how-to-stop-a-ddos-attack">How to stop a DDoS attack</a></p></div></div><p>The attack appears to be the largest on record, surpassing the previous record-holder, a 1.2Tbits/sec onslaught <a href="https://www.itpro.com/hacking/27449/was-mirai-malware-behind-dyn-ddos-attack" target="_blank" data-original-url="https://www.itpro.com/hacking/27449/was-mirai-malware-behind-dyn-ddos-attack">launched against Dyn in 2016</a>.</p><p>While the attack on Github was larger in volume, the Dyn DDoS was both more sustained and more effective, knocking out internet connections and major websites across large portions of the US for many hours.</p><p>The Github attack, by contrast, was called off by the perpetrators after just eight minutes, which may indicate that the incident was merely a test of the hackers' capabilities.</p><p>As opposed to the Dyn attack and other major DDoS attacks, this incident did not involve the use of a malicious botnet like <a href="https://www.itpro.com/distributed-denial-of-service-ddos/30150/mirai-trio-confesses-to-creating-the-worlds-most-powerful" target="_blank" data-original-url="https://www.itpro.com/distributed-denial-of-service-ddos/30150/mirai-trio-confesses-to-creating-the-worlds-most-powerful">Mirai</a> or <a href="https://www.itpro.com/security/29837/reaper-iot-botnet-only-partially-mobilised" target="_blank" data-original-url="https://www.itpro.com/security/29837/reaper-iot-botnet-only-partially-mobilised">Reaper</a>. Instead, the hackers used a relatively new form of DDoS, which involves exploiting poor authentication on memcached servers.</p><p>Memcached servers are used for database caching, and are intended to help speed up website. But if left publicly exposed online, hackers can use them to carry out DDoS attacks by spoofing a target's IP address and querying the servers with specific commands.</p><p>The servers will then respond with a data packet that can be up to fifty times larger than the size of the request, allowing attackers to swamp targets in vast amounts of traffic with ease. Experts estimate that there are around 100,000 unprotected memcached servers sitting online that can be exploited in this manner.</p><p>"This massive DDoS attack was possible because organisations operating memcached servers failed to implement some very basic security practices," said Synopsys principal scientist Sammy Migues.</p><p>"The impact was minimal because GitHub was commendably prepared to survive an attack much larger than this. Unless the unwitting operators of these memcached servers take corrective action, it is inevitable that other ill-equipped targets will fall victim to similar DDoS attacks and suffer a much longer outage."</p><p>According to Ashley Stephenson, CEO of Corero Network Security, this attack also demonstrates the speed with which the cyber criminal community will jump on any new vulnerability.</p><p>"It is just a few days since the memcached reflection/amplification vulnerability became widely known. Within a week the largest DDoS ever reported lands on our doorstep, an event that will make mainstream news," explained Stephenson. </p><p>"Meanwhile, Corero has observed a steady ramp in the past few days of memcached based attacks on the wider community. The terabit attack will grab the 'biggest and baddest' headlines casting a shadow that will obscure the thousands of businesses worldwide that have been hit with smaller but equally disruptive DDoS attacks leveraging the memcached vector during the past week."</p><p>This isn't the first time Github has been the victim of a DDoS attack - the company was also hit by an attack in 2015, which are believed to have been <a href="https://www.itpro.com/security/24319/github-falls-victim-to-possible-chinese-cyber-attack" target="_blank" data-original-url="https://www.itpro.com/security/24319/github-falls-victim-to-possible-chinese-cyber-attack">orchestrated by the Chinese government</a>.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Researchers warn of nine vulnerabilities in Dell EMC's Isilon platform ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/cross-site-scripting-xss/30557/researchers-warn-of-nine-vulnerabilities-in-dell-emcs-isilon-platform</link>
                                                                            <description>
                            <![CDATA[ The company's OneFS storage OS is vulnerable to cross-site request forgeries and privilege escalation ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">aeK6qVit6RzFV2FRd1qaw5</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/GgUF2EYCjWw5zeaPXGt8Q3-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 15 Feb 2018 10:21:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Adam Shepherd ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/3n2BoLAtRj8Z5eRfxtwyK8.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/GgUF2EYCjWw5zeaPXGt8Q3-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Dell EMC logo]]></media:description>                                                            <media:text><![CDATA[Dell EMC logo]]></media:text>
                                <media:title type="plain"><![CDATA[Dell EMC logo]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/GgUF2EYCjWw5zeaPXGt8Q3-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Researchers have discovered security flaws in the operating system powering Dell EMC's Isilon storage platform, which could open them up to remote code execution by hackers.</p><p>The flaws were discovered by Maximiliano Vidal and Ivan Huertas from Core Security and include nine CVEs that, if exploited, could enable privilege escalation and cross-site request forgery attacks.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/28959/the-human-security-risk" data-original-url="/security/28959/the-human-security-risk">The human security risk</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/30505/ssl-based-cyber-attacks-surged-30-over-the-past-six-months" data-original-url="/security/30505/ssl-based-cyber-attacks-surged-30-over-the-past-six-months">SSL-based cyber attacks surged 30% over the past six months</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/exploits/30494/the-cyber-secrets-that-are-too-good-to-reveal" data-original-url="/exploits/30494/the-cyber-secrets-that-are-too-good-to-reveal">The cyber secrets that are too good to reveal</a></p></div></div><p>"There are no anti-CSRF tokens in any forms on the web interface," a security advisory issued by Core Security read. "This would allow an attacker to submit authenticated requests when an authenticated user browses an attacker-controlled domain."</p><p>"The web console contains a plethora of sensitive actions that can be abused, such as adding new users with SSH access or re-mapping existing storage directories to allow read-write-execute access to all users."</p><p>Attackers could then use the privilege escalation vulnerabilities to run Python code of shell commands with root access, the advisory warned, and use cross-site scripting to impersonate victims, although researchers also noted that the attack relied on some degree of social engineering.</p><p>The flaws, which were first discovered in September last year, affect various versions of Dell EMC's Isilon OneFS software ranging from version 7.1.1.11 to version 8.1.1.0. The company told <em>IT Pro</em> that it has now <a href="https://support.emc.com/downloads/15209_Isilon-OneFS" target="_blank">issued security updates</a> to address the vulnerabilities, and has alerted customers via <a href="https://support.emc.com/kb/517728" target="_self">a security advisory</a>.</p><p>"With software vulnerabilities a fact of life in the technology industry, Dell EMC follows best practices in managing and responding to security vulnerabilities in our products. Our goal is to provide customers with timely information, guidance and mitigation to address threats from vulnerabilities," a spokesperson for the company said. "This is a good example of coordinated disclosure in action."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ 2017's biggest security horror stories ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/30140/2017s-biggest-security-horror-stories</link>
                                                                            <description>
                            <![CDATA[ The year's worst security incidents we'd hate to see again in 2018 ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">sxuetR8FUa1zLDyQTCMPWS</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/G3hDdZ7EVEA5669KdffBPQ-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 15 Dec 2017 17:02:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Data Breaches]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Jane McCallion ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/G3hDdZ7EVEA5669KdffBPQ-1280-80.jpg">
                                                            <media:credit><![CDATA[Bigstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Open padlock on circuit board]]></media:description>                                                            <media:text><![CDATA[Open padlock on circuit board]]></media:text>
                                <media:title type="plain"><![CDATA[Open padlock on circuit board]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/G3hDdZ7EVEA5669KdffBPQ-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Cybersecurity is always top of mind for businesses, but that's especially been the case in 2017.</p><p>From ransomware to botnets, this year's tech news has been dominated by a regular flow of security crises.</p><p>Here are some of the top cybersecurity incidents of 2017 that we don't want to see repeated in 2018.</p><h3 class="article-body__section" id="section-unsecured-clouds-and-databases"><span>Unsecured clouds and databases</span></h3><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="SqKEWgGvLCoVy67jqodyEM" name="" alt="Bucket leaking water" src="https://cdn.mos.cms.futurecdn.net/SqKEWgGvLCoVy67jqodyEM.jpg" mos="https://cdn.mos.cms.futurecdn.net/SqKEWgGvLCoVy67jqodyEM.jpg" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pull-"></p></div></div><figcaption itemprop="caption description" class="pull-"><span class="credit" itemprop="copyrightHolder">(Image credit: Big Stock)</span></figcaption></figure><p>Probably the trend that can most easily be prevented by users is databases facing the public internet that should have been secured, but weren't.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/28133/what-is-cyber-security" data-original-url="/security/28133/what-is-cyber-security">What is cyber security?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/innovation-at-work/29580/the-truth-about-encryption" data-original-url="/security/innovation-at-work/29580/the-truth-about-encryption">The truth about encryption</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/28084/what-is-ransomware" data-original-url="/security/28084/what-is-ransomware">What is ransomware?</a></p></div></div><p>Two of the biggest bungles in this area relate to Amazon Web Services' (AWS) S3 cloud storage service and MongoDB's NoSQL database.</p><p>A spate of data leaks across 2017 came about because of unencrypted S3 buckets, affecting organisations including <a href="https://www.itpro.com/security/29694/accenture-exposes-137gb-of-client-data-on-unsecured-aws-buckets" data-original-url="https://www.itpro.com/security/29694/accenture-exposes-137gb-of-client-data-on-unsecured-aws-buckets">Accenture</a>, <a href="https://www.itpro.com/security/29019/three-million-wwe-fan-accounts-exposed-online" data-original-url="https://www.itpro.com/security/29019/three-million-wwe-fan-accounts-exposed-online">WWE</a>, the <a href="https://www.itpro.com/security/28996/aa-our-handling-of-security-breach-fell-short" data-original-url="https://www.itpro.com/security/28996/aa-our-handling-of-security-breach-fell-short">AA</a> and <a href="https://www.itpro.com/security/29071/two-million-dow-jones-customer-details-exposed-via-cloud" data-original-url="https://www.itpro.com/security/29071/two-million-dow-jones-customer-details-exposed-via-cloud">Dow Jones</a>.</p><p>These companies had apparently failed to read the small print of their contracts with AWS and hadn't realised this particular storage service wasn't encrypted by default.Thus, customer data was left exposed on the open web for anyone to see, leading to major security crises.</p><p>The issue was finally resolved in November <a href="https://www.itpro.com/security/29907/aws-adds-default-encryption-to-leaky-s3-buckets" data-original-url="https://www.itpro.com/security/29907/aws-adds-default-encryption-to-leaky-s3-buckets">when AWS decided it would add default encryption to S3 buckets</a>, taking the onus off customers.</p><p>In the case of MongoDB, the situation was much the same. Users failed to encrypt their databases, which led to <a href="https://www.itpro.com/security/27885/26000-unsecured-mongodb-servers-hit-by-ransomware" data-original-url="https://www.itpro.com/security/27885/26000-unsecured-mongodb-servers-hit-by-ransomware">several waves of ransomware attacks</a> rather than data leaks, with the cybercriminals encrypting the exposed servers and demanding Bitcoin for their release.</p><p>Unfortunately for the victims, there is no central resolution as with AWS S3, as MongoDB offers database software, rather than a cloud storage service, that can be installed on pretty much any server. The general advice, from both the company and the security community, is to turn on encryption, or at the very least password protection, at the point of installation sage advice for any IT administrator, irrespective of the service or software they are using.</p><h3 class="article-body__section" id="section-ransomware-attacks"><span>Ransomware attacks</span></h3><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="KtKFCSr53Qf22hEveofYDb" name="" alt="Graphic of a user engaging in a ransomware exchange" src="https://cdn.mos.cms.futurecdn.net/KtKFCSr53Qf22hEveofYDb.jpg" mos="https://cdn.mos.cms.futurecdn.net/KtKFCSr53Qf22hEveofYDb.jpg" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pull-"></p></div></div><figcaption itemprop="caption description" class="pull-"><span class="credit" itemprop="copyrightHolder">(Image credit: Bigstock)</span></figcaption></figure><p>While ransomware has been a popular tool for cybercriminals for many years, 2017 saw an uptick in large-scale attacks.</p><p>Two of the most notable global ransomware attacks were WannaCry, which hit in May, and NotPetya, which landed in June.</p><p>WannaCry made global news after it spread rapidly around the world, with the<a href="https://www.itpro.com/security/28648/nhs-ransomware-attack" data-original-url="https://www.itpro.com/security/28648/nhs-ransomware-attack">NHS in England and Wales being particularly badly hit</a>. The attack was notable for several reasons. First, the speed of the spread; within hours of the first incidents being reported in Asia on 12 May, it had started to spread internationally. By the end of the day, over 230,000 computers in 150 countries were infected.</p><p>Second is the systems affected. WannaCry exclusively infected Windows operating systems, both server and desktop. Although Microsoft had issued a patch for the vulnerability in March 2017, many large organisations' systems <a href="https://www.itpro.com/security/innovation-at-work/29794/what-have-we-learnt-from-the-nhs-ransomware-attack" data-original-url="https://www.itpro.com/security/innovation-at-work/29794/what-have-we-learnt-from-the-nhs-ransomware-attack">hadn't been updated for one reason or another</a> (sometimes due to staffing, sometimes due to dependent software or other technical reasons).</p><p>Many were quick to point to the continued use of Windows XP despite it no longer being supported by Microsoft for several years. However, research from Kaspersky Lab demonstrated that, in fact, most of the infected computers were running Windows 7, which was still covered by Microsoft support at the time.</p><p>The third interesting thing about WannaCry is its alleged provenance. While there's no indication the US National Security Agency (NSA) created the ransomware itself, it has been suggested that EternalBlue, the Windows vulnerability that allowed the malware to spread and infect numerous systems at such high speed, was discovered by the agency some years ago but not reported to Microsoft. Instead, the organisation allegedly used it as an offensive tool in cyber warfare and defence. The existence of EternalBlue and other similar tools <a href="https://www.itpro.com/hacking/27125/was-an-insider-behind-the-nsa-hack" data-original-url="https://www.itpro.com/hacking/27125/was-an-insider-behind-the-nsa-hack">were revealed by Shadow Brokers in 2016</a>.</p><p>While WannaCry was fast and effective, it was short-lived British independent security researcher Marcus Hutchins discovered a so-called "kill switch" embedded in the ransomware's code and was able to disable the initial attack in one fell swoop.</p><p>The same can't be said for NotPetya. According to WebRoot, this malware strain <a href="https://www.itpro.com/security/29863/notpetya-was-nastier-than-wannacry-ransomware-say-experts" data-original-url="https://www.itpro.com/security/29863/notpetya-was-nastier-than-wannacry-ransomware-say-experts">was the most damaging and dangerous to emerge in 2017</a>. Despite using the same EternalBlue exploit as WannaCry, NotPetya was less widespread, but it was more persistent: first emerging in June 2017, it continued to infect systems all the way through to the autumn.</p><p>The creator's MO was also different: although it looked like a traditional ransomware attack, including displaying a ransom message, it didn't simply encrypt the system it created utter havoc. Once affected, the files were irrevocably scrambled, meaning that even if victims did pay the ransom they still wouldn't get their files back. Indeed, it has been speculated by various researchers that havoc and infamy were the main objectives of these criminals, rather than generating money.</p><h3 class="article-body__section" id="section-botnets"><span>Botnets</span></h3><figure class="van-image-figure pull-" data-bordeaux-image-check ><div class='image-full-width-wrapper'><div class='image-widthsetter' ><p class="vanilla-image-block" style="padding-top:56.25%;"><img id="K4eR6BTeCSEvtjHyKQrma3" name="" alt="DDoS Attack on screen" src="https://cdn.mos.cms.futurecdn.net/K4eR6BTeCSEvtjHyKQrma3.jpg" mos="https://cdn.mos.cms.futurecdn.net/K4eR6BTeCSEvtjHyKQrma3.jpg" align="" fullscreen="" width="" height="" attribution="" endorsement="" class="pull-"></p></div></div><figcaption itemprop="caption description" class="pull-"><span class="credit" itemprop="copyrightHolder">(Image credit: Shutterstock)</span></figcaption></figure><p>Like the other tactics on this list, botnets aren't new. What is new, however, is how they're powered.</p><p>Continuing a trend started by the <a href="https://www.itpro.com/security/27292/new-scanner-allows-users-to-check-iot-devices-for-mirai-malware-infection" data-original-url="https://www.itpro.com/security/27292/new-scanner-allows-users-to-check-iot-devices-for-mirai-malware-infection">Mirai botnet in 2016</a>, 2017 saw outbreaks of DDoS and other attacks from botnets powered by Internet of Things (IoT) devices.</p><p>As such devices aren't typically thought of as computers, consumers in particular have failed to change default passwords before connecting them to the internet. To make the situation worse, some of these so-called "headless" devices don't give users any control over security settings anyway, meaning there's no way to protect them once they're exposed online.</p><p>While Mirai continued to cause disruption through 2017, with <a href="https://www.itpro.com/security/28407/us-college-hit-by-54-hour-mirai-ddos-attack" data-original-url="https://www.itpro.com/security/28407/us-college-hit-by-54-hour-mirai-ddos-attack">a 54-hour DDoS attack on an American university in March</a> being the most notable of these.</p><p>Later in the year, <a href="https://www.itpro.com/malware/29783/iot-reaper-will-be-worse-than-mirai" data-original-url="https://www.itpro.com/malware/29783/iot-reaper-will-be-worse-than-mirai">a new IoT botnet dubbed Reaper emerged, which security researchers claimed will be worse than Mirai</a>. This is because rather than cracking default or weak passwords, as Mirai did, Reaper infiltrates IoT devices via unpatched vulnerabilities. Once again, this is something that is largely in the hands of vendors, rather than consumers, to secure.</p><p><a href="https://www.itpro.com/malware/29783/iot-reaper-will-be-worse-than-mirai" data-original-url="https://www.itpro.com/malware/29783/iot-reaper-will-be-worse-than-mirai"></a><a href="https://www.itpro.com/security/29837/reaper-iot-botnet-only-partially-mobilised" data-original-url="https://www.itpro.com/security/29837/reaper-iot-botnet-only-partially-mobilised">Reaper is only partially mobilise</a><a href="https://www.itpro.com/malware/29783/iot-reaper-will-be-worse-than-mirai" target="_blank" data-original-url="https://www.itpro.com/malware/29783/iot-reaper-will-be-worse-than-mirai">d, a</a><a href="https://www.itpro.com/malware/29783/iot-reaper-will-be-worse-than-mirai" data-original-url="https://www.itpro.com/malware/29783/iot-reaper-will-be-worse-than-mirai">ccording to a report released in late 2017 by Arbor Networks</a>,with several thousand infected devices lying dormant. This raises concerns of a potential wide-scale DDoS attack in 2018.</p><p>Cybersecurity is a constant game of cat and mouse and true total security is unattainable but that doesn't mean businesses, consumers and vendors can't do their best to mitigate vulnerabilities and build up protection. Let's hope that in 2018 we see greater use of basic security precautions to defend against these potential monster attacks.</p><p><em>Pictures: Bigstock</em></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Task force silences massive Andromeda botnet ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/30093/task-force-silences-massive-andromeda-botnet</link>
                                                                            <description>
                            <![CDATA[ The botnet is thought to have spewed malware from two million infected devices ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">kENCs652QRrs3fj3c5Agz8</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/WciiKZPemRNFViPBh5GoPf-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 05 Dec 2017 11:21:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Dale Walker ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/YhUVp3rWtcZPM5XznPeTmX.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/WciiKZPemRNFViPBh5GoPf-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/WciiKZPemRNFViPBh5GoPf-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A massive botnet responsible for spreading malware using a two million-strong army of infected devices has finally been taken down by a joint task force of police agencies and private companies.</p><p>Thought to have been one of the largest ever discovered, the <a href="https://www.europol.europa.eu/newsroom/news/andromeda-botnet-dismantled-in-international-cyber-operation" target="_blank">Andromeda</a> botnet has been associated with 80 different malware families, and in the last six months alone, was detected or blocked on an average of one million devices every month.</p><p>The botnet was stopped by a joint task force comprising agents from the FBI, <a href="https://www.itpro.com/cyber-crime/30078/uk-cops-to-lose-access-to-europols-cyber-crime-resources-after-brexit" target="_blank" data-original-url="https://www.itpro.com/cyber-crime/30078/uk-cops-to-lose-access-to-europols-cyber-crime-resources-after-brexit">Europol's European Cybercrime Centre (EC3)</a>, Eurojust, the Joint Cybercrime Action Task Force (J-CAT), and a number of private organisations, including Microsoft.</p><p>Praising the cooperation between private and public organisations, Steven Wilson, head of EC3, said: "This is another example of international law enforcement working together with industry partners to tackle the most significant cyber criminals and the dedicated infrastructure they use to distribute malware on a global scale.</p><p>"The clear message is that public-private partnerships can impact these criminals and make the internet safer for all of us.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/27698/avalanche-malware-network-taken-down-by-security-consortium" data-original-url="/security/27698/avalanche-malware-network-taken-down-by-security-consortium">Avalanche malware network taken down by security consortium</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/malware/29783/iot-reaper-will-be-worse-than-mirai" data-original-url="/malware/29783/iot-reaper-will-be-worse-than-mirai">IoT Reaper 'will be worse than Mirai'</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/28407/us-college-hit-by-54-hour-mirai-ddos-attack" data-original-url="/security/28407/us-college-hit-by-54-hour-mirai-ddos-attack">US college hit by 54-hour Mirai DDoS attack</a></p></div></div><p>The Andromeda botnet is also thought to have been deployed by the now infamous <a href="https://www.itpro.com/security/27698/avalanche-malware-network-taken-down-by-security-consortium" target="_blank" data-original-url="https://www.itpro.com/security/27698/avalanche-malware-network-taken-down-by-security-consortium">Avalanche malware network</a>, which was used to spread Trojans to German speakers in Germany, Austria and Switzerland in an attempt to extort money. That network was eventually taken down by the Luneburg Police in cooperation with the FBI, Eurojust, and Europol in late 2016.</p><p>Insights gained during the Avalanche investigation by local police agencies in Germany were instrumental in dismantling the Andromeda botnet, according to Europol. More than 1,500 domains carrying the Andromeda malware were subject to "sinkholing", a technique that redirects traffic between infected devices to servers controlled by the investigators.</p><p>Microsoft found that during a 48-hour sinkholing window, around two million unique Andromeda IP addresses were logged from 223 different countries, including the UK, France, Belgium, Italy, Spain, and non-EU states such as Australia, Canada and Singapore.</p><p>The investigation has led to the arrest of an individual in Belarus, but information on the suspect hasn't been released.</p><p>While the closure of the botnet is a significant victory for law enforcement agencies and those working to curb the effect of the highly lucrative malware industry, the threat has not been entirely removed.</p><p>Although the Avalanche network has now been down for almost a year, it's thought that as many as 55% of those devices originally infected are still infected today. It's likely that the residual effects of the Andromeda botnet will still be felt for some years to come.</p><p>There's also the issue of the remaining botnets still out there, including the recently discovered Reaper network, which managed to infect up to <a href="https://www.itpro.com/malware/29783/iot-reaper-will-be-worse-than-mirai" target="_blank" data-original-url="https://www.itpro.com/malware/29783/iot-reaper-will-be-worse-than-mirai">10,000 devices in a single day</a>.</p><p>Security researchers have also attempted to curb the spread of the infamous Mirai botnet, following a successful attack on the <a href="https://www.itpro.com/hacking/27449/was-mirai-malware-behind-dyn-ddos-attack" target="_blank" data-original-url="https://www.itpro.com/hacking/27449/was-mirai-malware-behind-dyn-ddos-attack">Dyn server network</a> last year, and a <a href="https://www.itpro.com/security/28407/us-college-hit-by-54-hour-mirai-ddos-attack" target="_blank" data-original-url="https://www.itpro.com/security/28407/us-college-hit-by-54-hour-mirai-ddos-attack">54-hour DDoS storm</a> against a US college in March, however efforts to introduce a <a href="https://www.itpro.com/security/28990/software-fix-for-mirai-infected-iot-devices-fails" target="_blank" data-original-url="https://www.itpro.com/security/28990/software-fix-for-mirai-infected-iot-devices-fails">software fix for IoT devices</a> have so far failed. </p><p><em>Image: Bigstock</em></p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ DDoS attacks blamed on 70,000-strong Android botnet ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/29331/ddos-attacks-blamed-on-70000-strong-android-botnet</link>
                                                                            <description>
                            <![CDATA[ Security researchers discover Mirai-style 'WireX' botnet ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">tv2amZMqsWUZsrevQg3p61</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/NvNcjCxE4grRy5nwDBaSXb-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 29 Aug 2017 09:56:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Adam Shepherd ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/3n2BoLAtRj8Z5eRfxtwyK8.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/NvNcjCxE4grRy5nwDBaSXb-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[botnet]]></media:description>                                                            <media:text><![CDATA[botnet]]></media:text>
                                <media:title type="plain"><![CDATA[botnet]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/NvNcjCxE4grRy5nwDBaSXb-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A vast botnet comprised of 70,000 Android devices has been blamed by security researchers for a string of DDoS attacks conducted over the past few weeks.</p><p>Experts from cyber security organisations including RiskIQ, Flashpoint, Akamai, Cloudflare, Team Cymru, Oracle Dyn, Google and others joined forces to combat the botnet, dubbed WireX.</p><p>Similar to the Mirai attacks of last year, WireX used a network of malware-infected devices to flood targets with legitimate-looking HTTP requests, knocking them offline through the sheer volume of traffic.</p><p>Rather than IoT and networking devices, however, this attack was carried out using compromised Android phones. Researchers estimated that the botnet contained at least 70,000 devices in over 100 countries, although senior Akamai engineer Chad Seaman told security expert Brian Krebs that <a href="https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-android-ddos-botnet" target="_blank">the figure could be much higher</a>.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/malware/28076/what-is-malware" data-original-url="/malware/28076/what-is-malware">What is malware?</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/android/28184/the-best-antivirus-for-android-phones" data-original-url="/android/28184/the-best-antivirus-for-android-phones">Best antivirus for Android 2021: Bitdefender, Norton, Kaspersky and more</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/antivirus/28144/best-antivirus" data-original-url="/antivirus/28144/best-antivirus">Best antivirus for Windows 10</a></p></div></div><p>While researchers estimate that WireX could have been active from 2 August, the bulk of attacks did not start until 15 August, catching the attention of the security community a couple of days later on 17 August.</p><p>"These discoveries were only possible due to open collaboration between DDoS targets, DDoS mitigation companies, and intelligence firms," said <a href="https://blogs.akamai.com/2017/08/the-wirex-botnet-an-example-of-cross-organizational-cooperation.html" target="_blank">a joint blog post</a> published by Akamai, Flashpoint, Cloudflare and RiskIQ. "Every player had a different piece of the puzzle; without contributions from everyone, this botnet would have remained a mystery."</p><p>The researchers warned that keeping a DDoS attack quiet is almost impossible, and said victims should reach out for help rather than trying to pretend that everything is running smoothly.</p><p>"The best thing that organisations can do when under a DDoS attack is to share detailed metrics related to the attack," the blog post noted. "With this information, those of us who are empowered to dismantle these schemes can learn much more about them than would otherwise be possible."</p><p>According to the post-mortem report issued by the security companies involved, the malware masqueraded as seemingly-legitimate apps, including storage managers, ringtone apps and video players.</p><p>Many were downloadable only from third-party app stores, but roughly 300 of the malicious apps were hosted on the Google Play Store. Google has now removed these apps from its store, and is in the process of remotely wiping them from users' devices.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ US college hit by 54-hour Mirai DDoS attack ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/28407/us-college-hit-by-54-hour-mirai-ddos-attack</link>
                                                                            <description>
                            <![CDATA[ New Mirai variant unleashed a 30,000 RPS storm higher education institution ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">cHcJDdDY1GwmCCsn8oEL2y</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/K4eR6BTeCSEvtjHyKQrma3-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 31 Mar 2017 13:20:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cyber Attacks]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Jane McCallion ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/K4eR6BTeCSEvtjHyKQrma3-1280-80.jpg">
                                                            <media:credit><![CDATA[Shutterstock]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[DDoS Attack on screen]]></media:description>                                                            <media:text><![CDATA[DDoS Attack on screen]]></media:text>
                                <media:title type="plain"><![CDATA[DDoS Attack on screen]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/K4eR6BTeCSEvtjHyKQrma3-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A university in the US was hit by a 54-hour, non-stop DDoS attack at the end of last month, apparently caused by a Mirai-powered botnet.</p><p>News of the attack comes from data and application security firm Imperva, which counts the targeted college as a customer. According to <a href="https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html" target="_blank">a blog post</a> by Dima Bekerman, a security researcher at Imperva, the attack started in the early hours of the morning on 28 February, with the average traffic flow clocking in at over 30,000 requests per second (RPS), although a peak of about 37,000 RPS was seen. Over the course of the attack, more than 2.8 billion requests were generated.</p><p>"Based on a number of signature factors, including header order, header values and traffic sources, our client classification system immediately identified that the attack emerged from a Mirai-powered botnet," said Bekerman.</p><p>"Our research showed that the pool of attacking devices included those commonly used by Mirai, including CCTV cameras, DVRs and routers. While we don't know for sure, open telnet (23) ports and TR-069 (7547) ports on these devices might indicate that they were exploited by known vulnerabilities."</p><p>Upon further investigation, Bekerman and his colleagues found 56% of the IPs used in the attack belonged to DVRs manufactured by a single vendor, which has now been contacted by Imperva.</p><p>Neither the name of the college involved, nor the DVR maker have been revealed.</p><p>Bekerman said there are several things that set this attack apart from others using Mirai.</p><p>The first is that the DDoS bots used in the attack "were hiding behind different user-agents than the five hardcoded in the default Mirai version".</p><p>"This and the size of the attack itself led us to believe that we might be dealing with a new variant, which was modified to launch more elaborate application layer attacks," said Bekerman.</p><p>The second is the sheer length of the onslaught.</p><p>"With over 90% of all application layer assaults lasting under six hours, an attack of this duration stands in a league of its own," he said.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/malware/27743/new-mirai-variant-hijacked-talktalk-routers-for-botnet" data-original-url="/malware/27743/new-mirai-variant-hijacked-talktalk-routers-for-botnet">New Mirai variant 'hijacked TalkTalk routers for botnet'</a></p></div></div>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ FTC: D-Link IoT devices put thousands of customers at risk ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/27868/ftc-d-link-iot-devices-put-thousands-of-customers-at-risk</link>
                                                                            <description>
                            <![CDATA[ D-Link calls Federal Trade Commission's claims "vague and unsubstantiated" ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">nPRH5uGyrTNzy67gAQWiBt</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/CafQrf23bp4hEf3WfndzgY-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 06 Jan 2017 11:01:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Dale Walker ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/YhUVp3rWtcZPM5XznPeTmX.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/CafQrf23bp4hEf3WfndzgY-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Hacking]]></media:description>                                                            <media:text><![CDATA[Hacking]]></media:text>
                                <media:title type="plain"><![CDATA[Hacking]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/CafQrf23bp4hEf3WfndzgY-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The US Federal Trade Commission has accused D-Link of putting thousands of customers at risk by failing to provide adequate security measures in its IoT devices. </p><p>Charges filed yesterday say the Taiwanese company failed to take steps to prevent intruders from hacking IoT devices, with the view to steal customer network data or add devices to a larger 'botnet'.</p><p>D-Link called the allegations "vague and unsubstantiated".</p><p>The <a href="https://www.ftc.gov/system/files/documents/cases/170105_d-link_complaint_and_exhibits.pdf" target="_blank">filing</a>, made to the US District Court for the Northern District of California, represents a wider FTC campaign to improve the security of connected devices around the home, including webcams, routers, security cameras and other smart home technology.</p><p>The complaint states D-Link has "failed to take reasonable steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorised access", and has failed to protect customers against flaws considered "among the most critical and widespread web application vulnerabilities since at least 2007".</p><p>D-Link is accused of repeatedly failing to guard against "easily preventable software flaws", including the use of default user credentials, command injection flaws, and backdoors, which would allow the remote hacking of devices.</p><p>Specified in the complaint are D-Link's Wireless N 300 Router, N Dual Band Router, and the N Network Camera.</p><p>The company's allegedly inadequate approach to security has meant D-Link devices have put thousands of customers at risk of unauthorised access, and of being made part of a larger IoT botnet, according to the complaint.</p><p>"The FTC has made vague and unsubstantiated allegations relating to routers and IP cameras," a D-Link spokesperson responded in a statement. "D-Link Systems will vigorously defend itself against the unwarranted and baseless charges made by the FTC."</p><p>"The complaint does not allege any breach of a D-Link Systems device. Instead, the FTC speculates that consumers were placed 'at risk' to be hacked, but fails to allege that actual consumers suffered or are likely to suffer actual substantial injuries," the statement adds.</p><p>A D-Link Wi-Fi camera <a href="http://blog.senr.io/blog/home-secure-home" target="_blank">flaw</a> discovered in July 2016 was found to have potentially exposed <a href="https://dlink-report.shodan.io" target="_blank">400,000 devices</a> to remote hacking, allowing intruders to change default credentials and potentially spy on users in their home. A firmware update to the DCS-930L Cloud Camera allowed hackers to use a single line of code to gain unauthorised access. D-Link is yet to respond to <em>IT Pro</em>'s request for comment on the issue.</p><p>The hacking of IoT devices has led to the creation of botnets on a massive scale, resulting in a series of attacks by the so-called 'Mirai botnet' in 2016. Since its discovery, the army of enthralled IoT devices has launched some of the largest DDoS attacks in history, including the massive cyber attack against <a href="https://www.itpro.com/hacking/27449/was-mirai-malware-behind-dyn-ddos-attack" target="_blank" data-original-url="https://www.itpro.com/hacking/27449/was-mirai-malware-behind-dyn-ddos-attack">Dyn servers</a> in October, which knocked sites such as Twitter, Netflix and Reddit offline.</p><p>The FTC brought <a href="https://www.ftc.gov/news-events/press-releases/2016/02/asus-settles-ftc-charges-insecure-home-routers-cloud-services-put" target="_blank">similar charges against Asus</a> last February, after a flaw was discovered in 2014 that allowed almost 13,000 routers to be remotely hacked, forcing the company into a program of independent security reviews for the next 20 years.</p><p>The complaint outlines six counts of breaking FTC policy, including misrepresentation of promotional security material and unfairness in handling customer safety. The FTC has requested the court to force D-Link to review security practices and reimburse any legal fees.</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/malware/27743/new-mirai-variant-hijacked-talktalk-routers-for-botnet" data-original-url="/malware/27743/new-mirai-variant-hijacked-talktalk-routers-for-botnet">New Mirai variant 'hijacked TalkTalk routers for botnet'</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/security/27521/mirai-botnet-did-not-knock-liberias-internet-offline-say-security-experts" data-original-url="/security/27521/mirai-botnet-did-not-knock-liberias-internet-offline-say-security-experts">Mirai botnet did not knock Liberia's internet offline, say security experts</a></p></div></div>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Mirai botnet did not knock Liberia's internet offline, say security experts  ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/27521/mirai-botnet-did-not-knock-liberias-internet-offline-say-security-experts</link>
                                                                            <description>
                            <![CDATA[ West African country didn't suffer nationwide outage last week, contrary to reports ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">5QFBuuvPTP3YYfQK7t5F3n</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/HGsxHrFn66GRNs9JenPtde-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 07 Nov 2016 11:03:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Internet of Things]]></category>
                                                    <category><![CDATA[Infrastructure]]></category>
                                                    <category><![CDATA[Internet]]></category>
                                                                                                                    <dc:creator><![CDATA[ Adam Shepherd ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/3n2BoLAtRj8Z5eRfxtwyK8.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/HGsxHrFn66GRNs9JenPtde-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[DDos Attack]]></media:description>                                                            <media:text><![CDATA[DDos Attack]]></media:text>
                                <media:title type="plain"><![CDATA[DDos Attack]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/HGsxHrFn66GRNs9JenPtde-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Security experts have dismissed last week's reports that Liberia's entire internet infrastructure was taken down by a DDoS attack, stating that this story was "simply not true".</p><p>Despite widespread coverage, the claims were debunked by security expert Brian Krebs who found that contrary to reports, the attack <a href="https://krebsonsecurity.com/2016/11/did-the-mirai-botnet-really-take-liberia-offline">did not cause a nationwide outage</a>. He spoke to Daniel Brewer, general manager for the Cable Consortium of Liberia, who told him that "we have no knowledge of a national internet outage and there are [sic] no data to [substantiate] that."</p><p>The reports stemmed from <a href="https://medium.com/@networksecurity/shadows-kill-mirai-ddos-botnet-testing-large-scale-attacks-sending-threatening-messages-about-6a61553d1c7#.6jvz5tf5k">security architect Kevin Beaumont</a>, who noticed attacks on Liberian telecoms infrastructure while monitoring the activity of the Mirai botnet. He apparently spoke to an anonymous source withing a local telco, who supposedly confirmed that the country's single submarine internet cable - which Beaumont pointed to a "single point of failure" - was under 500Gbps attacks.</p><p>"From monitoring, we can see websites hosted in country going offline during the attacks," he wrote. "Additionally, a source in country at a Telco has confirmed to a journalist they are seeing intermittent internet connectivity, at times which directly match the attack."</p><p>Many news outlets (including <em>IT Pro</em>) took this to mean that the internet connection for the whole country was under threat, but Brewer emphatically confirmed that this was not the case, stating "both our ACE submarine cable monitoring systems and servers hosted (locally) in LIXP (Liberia Internet Exchange Point) show no downtime in the last 3 weeks."</p><p>It appears that the attacks observed by Beaumont were in fact mounted against a mobile telco; one that had a DDoS mitigation service in place to minimise the effects of the attack. While local web performance may have been intermittent, it was decidedly not a nationwide issue.</p><p>This was confirmed by cloud and security company Akamai as well as Dyn, the DNS provider that was hit by <a href="https://www.itpro.com/hacking/27449/was-mirai-malware-behind-dyn-ddos-attack" data-original-url="https://www.itpro.com/hacking/27449/was-mirai-malware-behind-dyn-ddos-attack">a much bigger DDoS last month</a>. The company's director of internet analysis tweeted that there was no evidence of any widespread problems.</p><div class="see-more see-more--clipped"><blockquote class="twitter-tweet hawk-ignore" data-lang="en"><p lang="en" dir="ltr"><a href="https://twitter.com/cantworkitout/status/794592487159529472"></a></p></blockquote><div class="see-more__filter"></div></div><p>However, security expert <a href="https://www.grahamcluley.com/did-mirai-botnet-liberia-offline">Graham Cluley</a> cautioned that although the Liberian incident was not as bad as initially thought, Mirai and other IoT-based malware still poses a significant threat.</p><p>"None of this is to say Mirai that is not a serious threat, of course," he wrote, "and that new botnets based upon its leaked code don't pose a significant threat to internet infrastructure as they exploit poorly-protected IoT devices."</p><div  class="fancy-box"><div class="fancy_box-title"></div><div class="fancy_box_body"><p class="fancy-box__body-text"><a data-analytics-id="inline-link" href="https://www.itpro.com/security/27292/new-scanner-allows-users-to-check-iot-devices-for-mirai-malware-infection" data-original-url="/security/27292/new-scanner-allows-users-to-check-iot-devices-for-mirai-malware-infection">New scanner allows users to check IoT devices for Mirai malware infection</a> <a data-analytics-id="inline-link" href="https://www.itpro.com/hacking/27449/was-mirai-malware-behind-dyn-ddos-attack" data-original-url="/hacking/27449/was-mirai-malware-behind-dyn-ddos-attack">Was Mirai malware behind Dyn DDoS attack?</a></p></div></div>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Botnets live long and prosper, despite cyber security efforts ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/24782/botnets-live-long-and-prosper-despite-cyber-security-efforts</link>
                                                                            <description>
                            <![CDATA[ Increased cyber-vigilance failing to reduce operating life of botnet servers ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">4Jr7sGJquLoNB4VZMQUGGy</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/NvNcjCxE4grRy5nwDBaSXb-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 11 Jun 2015 13:57:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Ransomware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Jane McCallion ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/NvNcjCxE4grRy5nwDBaSXb-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[botnet]]></media:description>                                                            <media:text><![CDATA[botnet]]></media:text>
                                <media:title type="plain"><![CDATA[botnet]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/NvNcjCxE4grRy5nwDBaSXb-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The length of time a botnet command and control server is online has remained constant over the past six months, despite increased awareness of this type of threat.</p><p>Research by ISP Level 3 Communications found that during the first quarter of 2015 C&C servers survived an average of 38 days on the internet before being taken offline - a figure that has remained constant since Q4 2014.</p><p>Perhaps more worryingly, the server going offline can be as much a byproduct of the server owner upgrading software or patching vulnerabilities as malware discovery and removal.</p><p>However, the average number of victims per C&C server fell dramatically over the quarter, from 3,763 in January to 338 in March.</p><p>Level 3 said this can be attributed both to general "vigilance on behalf of the security community" and, while no one action is mentioned by the company, it is worth noting the precipitous drop in numbers follows almost immediately in the wake of the <a href="https://www.europol.europa.eu/content/botnet-taken-down-through-international-law-enforcement-cooperation">Ramnit botnet</a>, which had infected 3.2 million computers, being taken offline by Europol's European Cybercrime Centre (EC3) in late February.</p><p><strong>Cyber crime economics</strong></p><p>Despite big takedowns like Ramnit, the economics of cyber crime still work in the favour of malicious actors. Last year, Dell Secureworks found <a href="http://www.secureworks.com/assets/pdf-store/white-papers/wp-underground-hacking-report.pdf">the cost of renting a 1,000-server UK-based botnet was $120 per month</a>, an increase of 600 per cent from 2013 and a lucrative deal for the botnet owners.</p><p>Level 3 Communications also found that 22 per cent of C&C servers have more than one threat purpose.</p><p>"Most likely, many of these botnets are commercial in nature, and they are part of a diversified business," said Level 3. "For example, they may serve multiple, for-profit purposes, such as malware distribution, DDoS attacking and phishing services."</p><p>"Botnet operation is a lucrative business, with a simple setup. Operational costs to create, maintain and move a botnet, once shut down, are low. Blocked botnets can come back online often within hours of being shut down," the company added.</p><p>This doesn't mean those renting the infrastructure get a raw deal, though.</p><p>In its 2015 Global Security Report, security firm Trustwave found attackers' estimated ROI for exploit kit and ransomware schemes, the "vast bulk" of which is distributed by a botnet, was over 1,400 per cent.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Android malware sends texts to China ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/21269/android-malware-sends-texts-to-china</link>
                                                                            <description>
                            <![CDATA[ MisoSMS used in at least 64 spyware campaigns, steals text messages, emails them to China. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">62qxbk4Woz7kPHMGtKMMa3</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/T8qicrZDhsULtqNrjWTwg9-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 18 Dec 2013 16:34:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Rene Millman ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/vwWuTPNRCuw9vEaWzuXYnR.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/T8qicrZDhsULtqNrjWTwg9-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                                                                                                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/T8qicrZDhsULtqNrjWTwg9-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>One of the largest botnets ever created is stealing text messages and sending them to Chinese servers, according to an IT security firm.</p><p>Researcher at FireEye said they had discovered 64 Android botnet campaigns that belongs to the MisoSMS malware family.</p><p>According to FireEye, each of the campaigns used webmail as its command and control infrastructure. This infrastructure comprises of more than 450 unique malicious email accounts.</p><p>MisoSMS infects Android systems by deploying a class of malicious Android apps, according to the researchers. The mobile malware masquerades as an Android settings app used for administrative tasks. When executed, it secretly steals the user's personal SMS messages and emails them to a command and control (CnC) infrastructure hosted in China.</p><p>"This application exfiltrates the SMS messages in a unique way. Some SMS-stealing malware sends the contents of users' SMS messages by forwarding the messages over SMS to phone numbers under the attacker's control," said FireEye researchers Vinay Pidathala, Hitesh Dharmdasani, Jinjian Zhai and Zheng Bu in a <a href="http://www.fireeye.com/blog/technical/botnet-activities-research/2013/12/misosms.html">blog post</a>.</p><p>"Others send the stolen SMS messages to a CnC server over TCP connections. This malicious app, by contrast, sends the stolen SMS messages to the attacker's email address over an SMTP connection," they added.</p><p>The researchers said that MisoSMS is one of the largest mobile botnets that uses modern botnet techniques and infrastructure.</p><p>The firm said it was working with Korean law enforcement and the Chinese webmail vendor to mitigate this threat. "This threat highlights the need for greater cross-country and cross-organisational efforts to take down large malicious campaigns," the company said in a statement.</p><p>It has also been working with the security community to dismantle the CnC infrastructure used by the malware.</p><p>As reported by IT Pro, <a href="https://www.itpro.com/malware/21215/android-malware-discovered-calling-premium-rate-numbers" data-original-url="https://www.itpro.com/malware/21215/android-malware-discovered-calling-premium-rate-numbers">Android malware has also been discovered</a> calling premium rate numbers.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Microsoft shuts down a $2.7m a month click fraud botnet ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/21167/microsoft-shuts-down-a-27m-a-month-click-fraud-botnet</link>
                                                                            <description>
                            <![CDATA[ Botnet suspected to originate in Russia was using 2 million machines. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">urFVVFqudFr63BaxFsafPL</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/J4wG2PuKJ2uJwj6dxBh2xd-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 06 Dec 2013 09:33:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Microsoft]]></category>
                                                    <category><![CDATA[Software]]></category>
                                                                                                <author><![CDATA[ itpro@futurenet.com (ITPro) ]]></author>                    <dc:creator><![CDATA[ ITPro ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/J4wG2PuKJ2uJwj6dxBh2xd-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[fraud]]></media:description>                                                            <media:text><![CDATA[fraud]]></media:text>
                                <media:title type="plain"><![CDATA[fraud]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/J4wG2PuKJ2uJwj6dxBh2xd-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Microsoft continues to fight against botnets by smashing a network which was using 2 million machines around the world.</p><p>The software giant filed a lawsuit in Texas and won a judge's order directing internet service providers to block all traffic to 18 internet addresses that were used to direct fraudulent activity to the infected machines.</p><p>Law enforcement in many European countries served warrants at the same time, seizing servers expected to contain more evidence about the leaders of the ZeroAccess crime ring, which was devoted to "click fraud."</p><div><blockquote><p>Microsoft said the botnet had been costing advertisers on Bing, Google and Yahoo an estimated $2.7 million monthly.</p></blockquote></div><p>Such rings use networks of captive machines, known as botnets, in complicated schemes that force them to click on ads without the computer owners' knowledge. The schemes cheat advertisers on search engines including Microsoft's Bing by making them pay for interactions that have no chance of leading to a sale. Microsoft said the botnet had been costing advertisers on Bing, Google and Yahoo an estimated $2.7 million monthly.</p><p>The coordinated effort marks the eighth time Microsoft has moved against a botnet and a rare instance of it doing serious damage to one that is controlled with a peer-to-peer mechanism, where infected machines give each other instructions instead of relying on a central server that defenders can hunt down and disable.</p><p>But the ZeroAccess botnet still had a weakness. The code in the infected machines told them to reach out to one of the 18 numeric Internet addresses for details on which ads to click.</p><p>Microsoft recently opened a new Cybercrime Center in Redmond and is using new tools in its efforts. They are helped by a provision in trademark that allows pretrial seizure of suspected counterfeit goods, including websites that, as in the present case, are spreading tainted versions of the Internet Explorer browser.</p><p>The company is working with national computer security authorities in various countries and with Internet service providers to notify individual computer owners with infected machines, hoping to reach most of them before the fraudsters can spread new instructions.</p><p>Microsoft has been sharing evidence with the FBI and Europol, the continent's law enforcement coordinating service. National agencies took part in seizure actions in Germany, Switzerland, Latvia, Luxembourg, and the Netherlands.</p><p>For now, at least, the fraud by this network has stopped, said Microsoft Assistant General Counsel Richard Boscovich.</p><p>The operators of the botnet are believed to be in Russia, while the author of the malicious software distributed on it could be based elsewhere, Boscovich said.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Wordpress botnet attack could pave way for larger site takedowns  ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/security/19621/wordpress-botnet-attack-could-pave-way-larger-site-takedowns</link>
                                                                            <description>
                            <![CDATA[ Cyber attack on blogging platform could have far-reaching effects, warn IT security experts. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">x8q8b9QGGAeif1kzu1cmA5</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/ua6Wqv5dSQAHRw7TFiuf34-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 16 Apr 2013 09:25:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Cyber Crime]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Caroline Donnelly ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/ua6Wqv5dSQAHRw7TFiuf34-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Blogging]]></media:description>                                                            <media:text><![CDATA[Blogging]]></media:text>
                                <media:title type="plain"><![CDATA[Blogging]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/ua6Wqv5dSQAHRw7TFiuf34-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The fallout from the Wordpress cyber attack could have far-reaching repercussions, as security experts fear the perpetrators could seize on compromised accounts to spread malicious material.</p><p>The blogging platform has reportedly been hit by a "brute force" attack that targets the Wordpress administration portal and tries to log into accounts with the username "admin" by trying thousands of passwords.</p><p>A botnet is thought to have been employed to carry out the attack, as tens of thousands of unique IP address have been recorded trying to hack into Wordpress installs.</p><p>Wordpress founder Matt Mullenweg, said admin' had been the default username for many users until the introduction of a newer version of the site several years ago.</p><p>"If you still use admin' as a username on your blog, change it, use a strong password, if you're on WP.com turn on two-factor authentication, and make sure you're up-to-date on the latest version of Wordpress," he wrote in a blog post.</p><div><blockquote><p>Blog writers should use strong passwords to protect their accounts and their users, whom they have a responsibility to protect.</p></blockquote></div><p>"Do this and you'll be ahead of 99 per cent of sites out there and probably never have a problem."</p><p>Hosting provider CloudFlare said the attack <a target="_blank" href="http://blog.cloudflare.com/#!">could pave the way for a larger one</a> later down the line.</p><p>"One of the concerns of an attack like this is that the attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack," said the company in a blog post.</p><p>"These larger machines can cause much more damage in DDoS (Distributed Denial of Service) attacks because the servers have larger network connections and are capable of generating significant amounts of traffic," it continued.</p><p>Olli-Pekka Niemi, vulnerability expert at network security vendor Stonesoft, said the attackers could also gain access to people's accounts to carry out further attacks.</p><p>"By compromising Wordpress blogs, attackers may be able to upload malicious content and embed this into the blog. When readers visit the blogs in question they would then be subject to attack, come under compromise and develop into botnets," Niemi warnd.</p><p>"Blog writers should use strong passwords to protect their accounts and their users, whom they have a responsibility to protect."</p><p>Meanwhile, Matt Middleton-Leal, UK and Ireland regional director security vendor Cyber-Ark, said there is a risk that once cracked these Wordpress login credentials could be used to gain access to other sites.</p><p>"If Wordpress users have been targeted in this attack, they should change their username and password details for their Wordpress account, but also for any other accounts for which they use the same credentials," said Middleton-Leal. </p><p>"This is especially critical if the same details are used for work purposes, as protecting these details is essential when it comes to securing what really matters within an organisation."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Malwarebytes sounds alarm over anti-virus imposter website ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/645412/malwarebytes-sounds-alarm-over-anti-virus-imposter-website</link>
                                                                            <description>
                            <![CDATA[ Malwarebiter promises to protect users, but infects them with a Zeus Trojan instead, it is claimed. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">ktqfwQuGfWEcyQMkHzZJ12</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/dd5xm3nSA7M2ocaGBBYMC-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 31 Jan 2013 09:00:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Malware]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Jane McCallion ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/dd5xm3nSA7M2ocaGBBYMC-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Jolly roger keyoard key]]></media:description>                                                            <media:text><![CDATA[Jolly roger keyoard key]]></media:text>
                                <media:title type="plain"><![CDATA[Jolly roger keyoard key]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/dd5xm3nSA7M2ocaGBBYMC-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Anti-virus vendor Malwarebytes has alerted consumers to a website it claims is delivering malware to computers.</p><p>The website, named Malwarebiter, was discovered earlier this week by Malwarebytes analyst Adam Kujawa.</p><p>Malwarebytes has accused Malwarebiter of copying its own website's styling to give it a veneer of credibility.</p><p>The company also accuses the alleged imposter of using spam or other underhand means to boost its Facebook following to increase its apparent legitimacy.</p><p>However, what has concerned the organisation most is that the website is apparently carrying out drive-by' attacks on users who do not even download the product.</p><p>"Traffic analysis from our visit revealed roe.js', a file containing javascript," Joshua Cannell, malware intelligence analyst at Malwarebytes said in a blog post.</p><p>"Upon further inspection the file revealed an embedded iFrame object that links to a rogue IP hosting the Blackhole Exploit Kit.</p><p>"iFrames allow web developers to embed the contents of one webpage within another [and] using iFrames for drive-by malware attacks is common since they can be crafted invisible to the naked eye," Cannell explained.</p><p>The roe.js file then executes either a java or a PDF exploit, resulting in the infamous Zeus Trojan being downloaded onto the visitor's PC, roping it in to one of the internet's most notorious botnets.</p><p>Anyone who installs Malwarebiter's anti-malware programme will find it does not detect the newly installed Zeus malware. Instead, they may be directed to a second website, Ad-purge, which is a known fake spyware reporter.</p><p>In turn, both websites are linked to a third, Rebrand Software, which creates software products for private buyers who then sell it on as their own.</p><p>Furthermore, Malwarebytes claims numerous other pieces of malware have been discovered contacting the Rebrand Software domain.</p><p>Cannell said it is "vital" for PC users to protect themselves from software exploitation.</p><p>"The <a href="https://www.itpro.com/645187/calls-for-java-overhaul-grow-as-more-security-flaws-emerge" target="blank" data-original-url="https://www.itpro.com/645187/calls-for-java-overhaul-grow-as-more-security-flaws-emerge">Java</a> and <a href="https://www.itpro.com/633664/adobe-tops-security-risk-list" target="blank" data-original-url="https://www.itpro.com/633664/adobe-tops-security-risk-list">PDF</a> exploits found on Malwarebiter's website could be prevented by keeping your software patched and up to date.</p><p>"However, this does not always solve the problem as both java and PDF viewers are highly targeted for exploitation, with new vulnerabilities discovered every day.</p><p>"In light of this, users might want to stop using java altogether. As for protection from malicious PDFs ... users might be better off viewing [them] in secure browsers, like Google Chrome," advised Cannell.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Eset claims PokerAgent botnet stole 16,000 Facebook logins ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/645388/eset-claims-pokeragent-botnet-stole-16000-facebook-logins</link>
                                                                            <description>
                            <![CDATA[ Attackers demonstrate ability to commit large-scale Facebook theft. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">9SAzyrMvzaWXsyD891Ygij</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/UUXyjBZanZJiSSnNTi97UZ-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Wed, 30 Jan 2013 10:31:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Rene Millman ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/vwWuTPNRCuw9vEaWzuXYnR.png ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/UUXyjBZanZJiSSnNTi97UZ-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Cyber war]]></media:description>                                                            <media:text><![CDATA[Cyber war]]></media:text>
                                <media:title type="plain"><![CDATA[Cyber war]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/UUXyjBZanZJiSSnNTi97UZ-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>The login details of more than 16,000 Facebook users were stolen by the PokerAgent botnet during 2011 and 2012, according to IT security firm Eset.</p><p>While the Trojan now appears to be inactive, the analysis shows how botnets have changed strategy by targeting social networking sites.</p><p>According to Robert Liposky, a malware research at Eset, the threat was mostly active in Israel. It is understood that 800 computers were infected, and 16,194 Facebook credentials stolen.</p><p>The code suggests the attacker seeks out Facebook users who have something of value.</p><p>He said the botnet was designed to harvest Facebook log-on credentials, and collect credit card information linked to Facebook accounts and Zynga Poker player stats, presumably with the intention to mug the victims.</p><p>It was discovered about a year ago, said Liposky. An analysis of the source code found it was written in C#, making it easy to decode.</p><p>The botnet does not log into the infected user's Facebook account, he revealed. "The botnet serves rather as a proxy, so that the illegal activities (the tasks given to bots) are not carried out from the perpetrator's computer," said Liposky.</p><p>Using an existing stolen Facebook username and password, the botnet logs into a compromised account and browses to secure.facebook.com/settings?tab=paymentsion=methods'.</p><p>It then searches for the string You have <strong>X</strong> payment methods saved', and directs the relevant info back to the command and control server.</p><p>In doing so, the credentials database becomes one listing potentially valuable Facebook victims.</p><p>The credentials database is enlarged by a 'ShouldPush' function in the malware.</p><p>"Immediately after we had gathered solid information on these criminal activities, we cooperated with both the Israeli CERT and Israeli law enforcement," said Liposky.</p><p>"The details of the investigation cannot be disclosed for reasons of confidentiality."</p><p>With the botnet largely inactive for now, Liposky could only speculate how the attacker abused the harvested data.</p><p>"The code suggests the attacker seeks out Facebook users who have something of value, worth stealing determined by the Poker stats and credit card details saved in their Facebook account.</p><p>"Later, the attacker can simply abuse the credit card information themselves or they may sell the database to other criminals," he said.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Alleged Zeus botnet master nabbed in Bangkok ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/645070/alleged-zeus-botnet-master-nabbed-in-bangkok</link>
                                                                            <description>
                            <![CDATA[ Financial malware netted 'Happy Hacker' $100m over three years, authorities claim. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">2BcXcd3rUb3e2Jb9gPzehD</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/qhLi8K4NAqM9kAXrWKbxzh-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 14 Jan 2013 16:18:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Jane McCallion ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/qhLi8K4NAqM9kAXrWKbxzh-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Hand coming out of screen stealing credit card]]></media:description>                                                            <media:text><![CDATA[Hand coming out of screen stealing credit card]]></media:text>
                                <media:title type="plain"><![CDATA[Hand coming out of screen stealing credit card]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/qhLi8K4NAqM9kAXrWKbxzh-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>An Algerian hacker arrested in Thailand on 6 January is the master of a botnet that stole $100 million (62 million) from banks worldwide, it is claimed.</p><p>Dubbed the Happy Hacker' because of his smiling appearance, 24-year-old computer sciences graduate Hamza Bendelladj was arrested in Suvarnabhumi Airport, Bangkok, following a tip-off from the FBI.</p><p>Bendelladj, who is said to have gone by the handle bx1, is alleged to have been in command of a significant Botnet using two of the most notorious financial malwares of the past five years, <a href="https://www.itpro.com/643942/inner-workings-of-citadel-malware-exposed" target="blank" data-original-url="https://www.itpro.com/643942/inner-workings-of-citadel-malware-exposed">ZeuS</a> and <a href="https://www.itpro.com/634276/soca-and-virgin-partner-in-spyeye-fight" target="blank" data-original-url="https://www.itpro.com/634276/soca-and-virgin-partner-in-spyeye-fight">SpyEye</a>.</p><p>Thai immigration bureau chief Pharnu Kerdlarpphon told a press conference Bendelladj had allegedly hacked private accounts held in 217 banks and financial institutions worldwide, amassing huge amounts of money, the <a href="http://www.bangkokpost.com/news/security/329622/police-nab-suspect-wanted-for-hacking" target="blank">Bangkok Post reports</a>.</p><p>"With just one transaction he could earn 10 to 20 million dollars. He's been travelling the world, flying first class and living a life of luxury," Kerdlarpphon said.</p><p>At the press conference, Bendelladj laughed off suggestions from the Thai authorities that he was on the FBI's top-10 most wanted list, saying he was "maybe just 20th or 50th", before denying he is a terrorist.</p><p>He is now awaiting extradition to the US state of Georgia.</p><p>Commenting on Bendelladj's detention, Marcin Kleczynski, CEO of Malwarebytes, told <em>IT Pro</em>: "Arrests like this do not typically impact the volume of threats in the short term, because there are so many variants in the wild, but over time more virulent zero-day Trojans will take the mantle.</p><p>"The power in coordinated law-enforcement actions is more that they act as a deterrent for aspiring malware-writers, proving that it is not easy to remain electronically hidden from the police," Kleczynski added.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Apple OS X users warned of botnet risk ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/639967/apple-os-x-users-warned-of-botnet-risk</link>
                                                                            <description>
                            <![CDATA[ Russian anti-virus vendor claims over half a million Apple devices could be infected with botnet. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">wbATJW15orKssikgJUJ6ZV</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/wQ6WgpL5aWTp3p9aBhpHr5-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 05 Apr 2012 13:07:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Antivirus]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Caroline Donnelly ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/wQ6WgpL5aWTp3p9aBhpHr5-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Malware]]></media:description>                                                            <media:text><![CDATA[Malware]]></media:text>
                                <media:title type="plain"><![CDATA[Malware]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/wQ6WgpL5aWTp3p9aBhpHr5-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Anti-virus vendor Doctor Web claims that at least 550,000 Apple devices from across the globe have been infected by the Backdoor.Flashback botnet.</p><p>The Russian vendor said that nearly 13 per cent of the affected devices are located in the UK, although the vast majority (56.6 per cent) are US-based.</p><p>"This once again refutes claims by some experts that there are no cyber threats to Mac OS X," said the firm in a <a href="http://news.drweb.com/show/?i=2341&lng=en&c=14" target="blank">blog post</a>.</p><p>However, in a tweet sent by Doctor Web malware analyst, Sorokin Ivan, it was claimed that the actual number of affected devices could be slightly higher than first thought.</p><p>"This once again refutes claims by some experts that there are no cyber-threats to Mac OS X."</p><p>"At this moment botnet Flashback [has infected] over 600k [devices], include[ing] 274 bots from Cupertino," he wrote.</p><p>The blog post also explained that the infection starts when Mac users are redirected to compromised websites containing corrupt JavaScript code.</p><p>Once installed, this file is used to download malicious content from a remote server, which is then activated.</p><p>It is also claimed that, at the end of March, links to more than 4 million sites, containing this code, could be found among the search results on Google.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Will the FBI close down your online business this March? ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/638995/will-the-fbi-close-down-your-online-business-this-march</link>
                                                                            <description>
                            <![CDATA[ In tackling the DNSChanger botnet, the FBI may take a load of businesses offline. Davey Winder is, unsurprisingly, anxious... ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">qKoJehMSWE6qH6xgh1ycxJ</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/W5dasaMiHTnPzHjAzKsLFB-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Fri, 17 Feb 2012 12:32:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Data Breaches]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Davey Winder ]]></dc:creator>                                                                                    <dc:source><![CDATA[ https://cdn.mos.cms.futurecdn.net/qKL6BZiS7oo9Hmyy2yd3WJ.jpg ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/W5dasaMiHTnPzHjAzKsLFB-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[FBI]]></media:description>                                                            <media:text><![CDATA[FBI]]></media:text>
                                <media:title type="plain"><![CDATA[FBI]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/W5dasaMiHTnPzHjAzKsLFB-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Even though the botnet behind the <a href="https://www.itpro.com/637270/dns-changer-botnet-smashed-in-major-cyber-crime-bust" target="_blank" data-original-url="https://www.itpro.com/637270/dns-changer-botnet-smashed-in-major-cyber-crime-bust">DNSChanger Trojan was dismantled</a> towards the end of last year, a huge number of enterprises appear to still be infected.</p><p>So what's the problem if the power behind the Trojan has been hauled off to jail? Well how about the small matter of the FBI apparently insisting it will seek to disconnect any computer still found to be infected with DNSChanger on 8 March?</p><p>DNSChanger was one of the most malicious of Trojans to hit businesses last year, infecting around 4 million computers globally. It worked by changing the host system's Domain Name Server (DNS) settings to point them at assorted advertising and often malicious sites via the now dismantled botnet.It also made changes to ensure that infected systems could no longer access security vendor sites in order to get help with removal of the thing.</p><p>DNSChanger was one of the most malicious of Trojans to hit businesses last year.</p><p>It was a typically clever bit of malware and one that proved to be pretty successful, allegedly netting the Estonian gang behind it upwards of 8 million in profit. It did all of this by simply changing the NameServer Registry key value to a custom IP address upon installation of the malicious executable.</p><p>But, I have to ask on your behalf once again, why does any of this actually matter now the command and control botnet that was handling the DNS diversions has been dismantled and no longer exists, so that those infected computers cannot be pointed towards the nefarious sites? That's where the FBI comes in.</p><p>The botnet itself was uncovered after a co-ordinated attack on the malware infrastructure. Law enforcement authorities and service providers effectively reverse engineered the botnet and alerted customers whose machines were infected with the Trojan.</p><p>Half of all Fortune 500 companies are still infected.</p><p>Now this is where it gets interesting and a little perturbing: the FBI managed to secure a court order which enabled it to replace the DNS heart of the Trojan, so that all traffic would flow through a surrogate DNS server instead. The court order in question allows the FBI to maintain this surrogate DNS service until 8 March. After which, and I'm guessing you are ahead of me here, any business whose computers are still infected with the Trojan, and therefore still using this surrogate DNS service, will find themselves removed from the internet entirely and dumped into 404-ville.</p><p>Which could, if the numbers I have seen are to be believed, lead to an awful lot of companies suddenly and catastrophically being denied access to the internet. Within the US alone, and remember that DNSChanger was a global infection spreading across more than 100 countries, half of all Fortune 500 companies are still infected and half of all major government agencies likewise carry at least one infected machine.</p><p>The DNSChanger Working Group, established to help co-ordinate remediation of the Trojan infection, is known to be considering applying for an extension to the court deadline to relieve the likely impact otherwise, given the high number of infections still found to be active. But it could all be something of a pointless exercise. After all, the Conficker Working Group had a similar remit and some three years after it was founded there are still thought to be around three million systems still infected with the Conficker Worm.</p><p>It would be a good thing if the situation frightened those enterprises who have not bothered to properly scan for and remove any DNSChanger infections to implement a proper security strategy. If you want to be sure you are not one of them, then perhaps you should contact your security vendor for advice as to how to check your network for evidence of infection.</p><p>One cannot help but marvel at the irony of the timing of all this though, what with Anonymous having made a declaration that it would launch a DDoS attack against DNS root servers, and effectively take down the internet, on 30 March. Now it looks like, for a large number of businesses anyway, that the FBI may just beat them to it.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Kelihos suspect: I didn't do it ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/638575/kelihos-suspect-i-didnt-do-it</link>
                                                                            <description>
                            <![CDATA[ Andrey Sabelnikov heads online to protest his innocence after Microsoft claims he was helping run the Kelihos botnet. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">vu13efGp7a3wJpkiFnNJQA</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/PS7YsyrtQCGD5dJC72Ho9L-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Mon, 30 Jan 2012 09:53:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Tom Brewster ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/PS7YsyrtQCGD5dJC72Ho9L-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Cyber crime]]></media:description>                                                            <media:text><![CDATA[Cyber crime]]></media:text>
                                <media:title type="plain"><![CDATA[Cyber crime]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/PS7YsyrtQCGD5dJC72Ho9L-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>A Russian man suspected of helping run and create the Kelihos botnet has proclaimed his innocence.</p><p>Last week, <a href="https://www.itpro.com/638476/microsoft-suspects-ex-antivirus-worker-of-kelihos-botnet-creation" target="_blank" data-original-url="https://www.itpro.com/638476/microsoft-suspects-ex-antivirus-worker-of-kelihos-botnet-creation">Microsoft issued an amended complaint</a> at the US District Court for the Eastern District of Virginia claiming former antivirus professional Andrey N Sabelnikov was "responsible for the operations of the Kelihos botnet."</p><p>Sabelnikov has subsequently posted a blog on <a href="http://sabelnikov.livejournal.com" target="_blank">LiveJournal</a>, saying he was "dismayed" at being named a suspect.</p><p>We look forward to seeing Mr Sabelnikov in court so we can continue this discussion.</p><p>The Russian claimed he "did not commit this crime" and had "never participated in the management of botnets."</p><p>Sabelnikov said he had been over to America on business in late January when Microsoft lodged the complaint, but decided to return to Russia as he could not afford legal assitance in the US.</p><p>He added he was ready to answer questions relating to Kelihos.</p><p>The Kelihos botnet was shut down last year, but Microsoft has continued to hunt for the perpetrators and have them prosecuted.</p><p>Microsoft had previously accused Dominique Piatti, a Czech man running the dotFREE domain hosting company, claiming his business was registering subdomains used to operate Kelihos.</p><p>However, Microsoft came to the conclusion dotFREE was simply being used by Kelihos's controllers and came to an agreement with Piatti.</p><p>Cooperation with Piatti led to this week's fresh allegations against Sabelnikov.</p><p>At its peak, the Kelihos spam engine had infected an estimated 40,000 machines.</p><p>Microsoft response</p><p>In response to Sabelnikov's claims, Microsoft said it stood by its original complaint and it looked forward to seeing the Russian in court.</p><p>"As this is a case pending in court, we cannot comment further except to say that we look forward to seeing Mr Sabelnikov in court so we can continue this discussion," Richard Boscovich, senior attorney for Microsoft's Digital Crime Unit, told the <a href="http://www.bbc.co.uk/news/business-16779779" target="_blank">BBC</a>.</p><p>Read on for our look at the <a href="https://www.itpro.com/637312/the-war-on-botnets" target="_blank" data-original-url="https://www.itpro.com/637312/the-war-on-botnets">war on botnets</a>.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Microsoft suspects ex-antivirus worker of Kelihos botnet creation ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/638476/microsoft-suspects-ex-antivirus-worker-of-kelihos-botnet-creation</link>
                                                                            <description>
                            <![CDATA[ A Russian IT pro is accused of helping create and run the Kelihos botnet. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">86WuGv5dXdfjAn7gxHo7qD</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/NvNcjCxE4grRy5nwDBaSXb-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Tue, 24 Jan 2012 15:20:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Tom Brewster ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/NvNcjCxE4grRy5nwDBaSXb-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[botnet]]></media:description>                                                            <media:text><![CDATA[botnet]]></media:text>
                                <media:title type="plain"><![CDATA[botnet]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/NvNcjCxE4grRy5nwDBaSXb-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p>Microsoft has continued its assault on the Kelihos <a href="https://www.itpro.com/637270/dns-changer-botnet-smashed-in-major-cyber-crime-bust" target="_blank" data-original-url="https://www.itpro.com/637270/dns-changer-botnet-smashed-in-major-cyber-crime-bust">botnet</a>, naming a former IT security professional as the controller of the malicious network.</p><p>An amended complaint US District Court for the Eastern District of Virginia, Microsoft alleged that Russian Andrey Sabelnikov was running the botnet.</p><p>In the complaint, Microsoft said Sabelnikov was working on a freelance basis for a software development and consulting firm, and had previously been a project manager at an anti-virus provider.</p><p>Thousands of computers are still infected with its malware.</p><p>The Kelihos botnet was shut down last year, but Microsoft has continued to hunt for the perpetrators and have them prosecuted.</p><p>Microsoft had previously accused Dominique Piatti, a Czech man running the dotFREE domain hosting company, claiming his business was registering subdomains used to operate Kelihos.</p><p>However, Microsoft came to the conclusion dotFREE was simply being used by Kelihos's controllers and came to an agreement with Piatti.</p><p>Cooperation with Piatti led to this week's fresh allegations against Sabelnikov.</p><p>"In today's complaint, Microsoft presented evidence to the court that Mr. Sabelnikov wrote the code for and either created, or participated in creating, the Kelihos malware," said Richard Boscovich, senior attorney for the Microsoft Digital Crimes Unit, in a <a href="http://blogs.technet.com/b/microsoft_blog/archive/2012/01/23/microsoft-names-new-defendant-in-kelihos-case.aspx" target="_blank">blog post</a>.</p><p>"Further, the complaint alleges that he used the malware to control, operate, maintain and grow the Kelihos botnet. These allegations are based on evidence Microsoft investigators uncovered while analyzing the Kelihos malware."</p><p>Microsoft also claimed Sabelnikov registered more than 3,700 'cz.cc' subdomains from dotFREE and misused them to operate and control the Kelihos botnet.</p><p>"Although the Kelihos botnet remains inactive since the successful takedown in September, thousands of computers are still infected with its malware," Boscovich warned. "This case is certainly not over."</p><p>Head <a href="http://support.microsoft.com/contactus/cu_sc_virsec_b107" target="_blank">here</a> for information on how to remove Kelihos from machines.</p><p>One major issue hindering botnet fighters is the lack of regulation on the subdomain provider industry. Providers are not required to know who their customers are, meaning cyber criminals can take advantage and host malicious activities on their servers.</p><p>Read on for <em>IT Pro's</em> report on the <a href="https://www.itpro.com/637312/the-war-on-botnets" target="_blank" data-original-url="https://www.itpro.com/637312/the-war-on-botnets">war on botnets</a>.</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
                                <item>
                                                            <title><![CDATA[ Koobface infections halted after Facebook exposure ]]></title>
                                                                                                                                                                                                <link>https://www.itpro.com/638395/koobface-infections-halted-after-facebook-exposure</link>
                                                                            <description>
                            <![CDATA[ Facebook's decision to name Koobface suspects has an immediate impact, but no arrests have been made. ]]>
                                                                                                            </description>
                                                                                                                                <guid isPermaLink="false">nJMfX25g27PKaTb83WtEqq</guid>
                                                                                                <enclosure url="https://cdn.mos.cms.futurecdn.net/8U9mVTAi5jpsmPSwjLVCuY-1280-80.jpg" type="image/jpeg" length="0"></enclosure>
                                                                        <pubDate>Thu, 19 Jan 2012 10:28:00 +0000</pubDate>                                                                                                                                                                                                                                <category><![CDATA[Hacking]]></category>
                                                    <category><![CDATA[Security]]></category>
                                                                                                                    <dc:creator><![CDATA[ Tom Brewster ]]></dc:creator>                                                                                    <dc:source><![CDATA[ null ]]></dc:source>
                                                                <dc:description><![CDATA[ null ]]></dc:description>
                                                                                                                                                                                                                                                <media:content type="image/jpeg" url="https://cdn.mos.cms.futurecdn.net/8U9mVTAi5jpsmPSwjLVCuY-1280-80.jpg">
                                                            <media:credit><![CDATA[null]]></media:credit>
                                                                                                                                                                                                                                    <media:description><![CDATA[Facebook]]></media:description>                                                            <media:text><![CDATA[Facebook]]></media:text>
                                <media:title type="plain"><![CDATA[Facebook]]></media:title>
                                                    </media:content>
                                                    <media:thumbnail url="https://cdn.mos.cms.futurecdn.net/8U9mVTAi5jpsmPSwjLVCuY-1280-80.jpg" />
                                                                                                                                                                    <content:encoded >
                            <![CDATA[
                            <article>
                                <p><a href="https://www.itpro.com/628150/koobface-turns-eyes-towards-macs" target="_blank" data-original-url="https://www.itpro.com/628150/koobface-turns-eyes-towards-macs">Koobface</a> has stopped infecting new machines, according to reports, following the public exposure of five people suspected to be behind the criminal operation.</p><p><a href="https://www.itpro.com/638350/koobface-crooks-unmasked" target="_blank" data-original-url="https://www.itpro.com/638350/koobface-crooks-unmasked">Facebook and Sophos chose to release the names</a> of those they believed to be running the Koobface botnet earlier this week.</p><p>Jan Droemer and Dirk Kollberg, German security researchers who wrote up an in-depth report on how they tracked the suspects, said servers running Koobface stopped responding after they released their information via a Sophos blog, according to <a href="http://www.reuters.com/article/2012/01/19/us-facebook-cybersecurity-idUSTRE80I05720120119" target="_blank">Reuters</a>.</p><p>Our decision to become transparent about this has had a 24-hour impact.</p><p>Koobface had stopped spreading via Facebook nine months ago but was continuing to propagate in different ways and via different social networks.</p><p>Kaspersky had estimated that Koobface had managed to infect between 400,000 and 800,000 machines in 2010. It first appeared in 2008.</p><p>The suspects left a vast trail of digital clues that led to their names appearing in reports, including Facebook pages.</p><p>They were also involved in more salacious affairs, including appearances at adult film conferences.</p><p>They also failed to lock investigators out of command and control (C&C) centre data, which eventually led to the leaking of their web pseudonyms.</p><p>Those identified have now erased social networking profiles found by the researchers.</p><p>"The thing that we are most excited about is that the botnet is down," said Facebook security official Ryan McGeehan.</p><p>"Our decision to become transparent about this has had a 24-hour impact. Only time will tell if it's permanent but it was certainly effective."</p><p>Facebook declared late on Tuesday it would continue to fight the botnet even though it had been banished from the social network.</p><p>"While we have been able to keep Koobface off Facebook, we won't declare victory against the virus until its authors are brought to justice," the company said in a <a href="http://www.facebook.com/notes/facebook-security/facebooks-continued-fight-against-koobface/10150474399670766" target="_blank">blog post</a>.</p><p>"We feel it is the interest of everyone online to work with law enforcement and the larger security community to identify the gang and see the full force of law brought to bear against those who have made millions in ill-gotten gains.</p><p>"To this end, we will be sharing our intelligence with the rest of the online security community in the coming weeks in an effort to rid the web of this virus forever."</p>
                                                            </article>
                            ]]>
                        </content:encoded>
                                                </item>
            </channel>
</rss>