NOTE: "Defenders should be aware that such malicious activity can originate from what appears to be a residential IP address in a country other than the actual origin, and traffic from compromised IP addresses will bypass firewall rules such as geofencing and ASN-based blocking."
AVrecon malware infects 70,000 Linux routers to build botnet
- July 14, 2023
- 02:35 AM
- 2
Since at least May 2021, stealthy Linux malware called AVrecon was used to infect over 70,000 Linux-based small office/home office (SOHO) routers and add them to a botnet designed to steal bandwidth and provide a hidden residential proxy service.
This allows its operators to hide a wide spectrum of malicious activities, from digital advertising fraud to password spraying.
According to Lumen's Black Lotus Labs threat research team, while the AVrecon remote access trojan (RAT) compromised over 70,000 devices, only 40,000 were added to the botnet after gaining persistence.
The malware has largely managed to evade detection since it was first spotted in May 2021 when it was targeting Netgear routers. Since then, it went undetected for over two years, slowly ensnaring new bots and growing into one of the largest SOHO router-targeting botnets discovered in recent years.
"We suspect the threat actor focused on the type of SOHO devices users would be less likely to patch against common vulnerabilities and exposures (CVEs)," Black Lotus Labs said.
"Instead of using this botnet for a quick payout, the operators maintained a more temperate approach and were able to operate undetected for more than two years. Due to the surreptitious nature of the malware, owners of infected machines rarely notice any service disruption or loss of bandwidth."
Once infected, the malware sends the compromised router's info to an embedded command-and-control (C2) server. After contact making contact, the hacked machine is instructed to establish communication with an independent group of servers, known as second-stage C2 servers.
The security researchers found 15 such second-stage control servers, which have been operational since at least October 2021, based on x.509 certificate information.
Lumen's Black Lotus security team also addressed the AVrecon threat by null-routing the botnet's command-and-control (C2) server across their backbone network.
This effectively severed the connection between the malicious botnet and its central control server, significantly impeding its capacity to execute harmful activities.
"The use of encryption prevents us from commenting on the results of successful password spraying attempts; however, we have null-routed the command and control (C2) nodes and impeded traffic through the proxy servers, which rendered the botnet inert across the Lumen backbone," Black Lotus Labs said.
In a recently issued binding operational directive (BOD) published last month, CISA ordered U.S. federal agencies to secure Internet-exposed networking equipment (including SOHO routers) within 14 days of discovery to block potential breach attempts.
Successful compromise of such devices would enable the threat actors to add the hacked routers to their attack infrastructure and provide them with a launchpad for lateral movement into their internal networks, as CISA warned.
The severity of this threat stems from the fact that SOHO routers typically reside beyond the confines of the conventional security perimeter, greatly diminishing defenders' ability to detect malicious activities.
The Volt Typhoon Chinese cyberespionage group used a similar tactic to build a covert proxy network out of hacked ASUS, Cisco, D-Link, Netgear, FatPipe, and Zyxel SOHO network equipment to hide their malicious activity within legitimate network traffic, according to a joint advisory published by Five Eyes cybersecurity agencies (including the FBI, NSA, and CISA) in May.
The covert proxy network was used by the Chinese state hackers to target critical infrastructure organizations across the United States since at least mid-2021.
"Threat actors are using AVrecon to proxy traffic and to engage in malicious activity like password spraying. This is different from the direct network targeting we saw with our other router-based malware discoveries," said Michelle Lee, threat intelligence director of Lumen Black Lotus Labs.
"Defenders should be aware that such malicious activity can originate from what appears to be a residential IP address in a country other than the actual origin, and traffic from compromised IP addresses will bypass firewall rules such as geofencing and ASN-based blocking."
Related Articles:
Mirai botnet targets 22 flaws in D-Link, Zyxel, Netgear devices
Hackers infect Linux SSH servers with Tsunami botnet malware
New Condi malware builds DDoS botnet out of TP-Link AX21 routers
Fake Linux vulnerability exploit drops data-stealing malware
New Zerobot malware has 21 exploits for BIG-IP, Zyxel, D-Link devices
Train in cybersecurity with this ethical hacking training bundle deal
Fixing bugs before they become nightmares is the best way to protect your system. This set of ten courses shows you how to protect the networks you use for $39.99, 63% off the $110 MSRP.
- JULY 16, 2023
- 08:22 AM
0
Gamaredon hackers start stealing data 30 minutes after a breach
Ukraine's Computer Emergency Response Team (CERT-UA) is warning that the Gamaredon hacking operates in rapid attacks, stealing data from breached systems in under an hour.
- JULY 15, 2023
- 10:07 AM
- 0
Deploy AI effectively with this ChatGPT and Python training bundle deal
Artificial intelligence has enormous potential to streamline rote tasks and free up your time. This 14-course bundle helps you tap into that potential for $39.99, 74% off the $154 MSRP.
- JULY 15, 2023
- 08:14 AM
- 0
Genesis Market infrastructure and inventory sold on hacker forum
The administrators of the Genesis Market for stolen credentials announced on a hacker forum that they sold the store and a new owner would get the reins "next month."
- JULY 14, 2023
- 04:29 PM
- 0
Microsoft still unsure how hackers stole Azure AD signing key
Microsoft says it still doesn't know how Chinese hackers stole an inactive Microsoft account (MSA) consumer signing key used to breach the Exchange Online and Azure AD accounts of two dozen organizations, including government agencies.
- JULY 14, 2023
- 04:18 PM
- 2
Rockwell warns of new APT RCE exploit targeting critical infrastructure
Rockwell Automation says a new remote code execution (RCE) exploit linked to an unnamed Advanced Persistent Threat (APT) group could be used to target unpatched ControlLogix communications modules commonly used in manufacturing, electric, oil and gas, and liquified natural gas industries.
- JULY 14, 2023
- 02:52 PM
- 0
Spotify reportedly makes users' private playlists public
In what is shaping up to be a widespread privacy controversy, Spotify has come under scrutiny following allegations by users that the music streaming service made their private playlists public without their consent.
- JULY 14, 2023
- 12:28 PM
- 6
WordPress AIOS plugin used by 1M sites logged plaintext passwords
The All-In-One Security (AIOS) WordPress security plugin, used by over a million WordPress sites, was found to be logging plaintext passwords from user login attempts to the site's database, putting account security at risk.
- JULY 14, 2023
- 11:55 AM
- 0
BreachForums owner Pompompurin pleads guilty to hacking charges
20-year-old Conor Brian Fitzpatrick aka Pompompurin, the owner of the notorious BreachForums (aka Breached) hacking forum, has pleaded guilty to charges of hacking and possession of child pornography.
- JULY 14, 2023
- 11:31 AM
- 1
Colorado State University says data breach impacts students, staff
Colorado State University (CSU) has confirmed that the Clop ransomware operation stole sensitive personal information of current and former students and employees during the recent MOVEit Transfer data-theft attacks.
- JULY 14, 2023
- 10:23 AM
- 0
No comments:
Post a Comment