Information Security News | Cyber Security | Hacking Tutorial
https://www.securitynewspaper.com/
Information Security Newspaper | Infosec Articles | Hacking News
Mon, 26 Dec 2022 18:30:29 +0000

Zerobot botnet can now hack into Apache, Apache Spark servers
https://www.securitynewspaper.com/2022/12/26/zerobot-botnet-can-now-hack-into-apache-apache-spark-servers/
Mon, 26 Dec 2022 18:30:27 +0000

The post Zerobot botnet can now hack into Apache, Apache Spark servers appeared first on Information Security Newspaper | Hacking News.

Malware activity carried out by botnets is a constantly evolving threat to devices and networks. Because Internet of Things (IoT) devices are often configured in ways that leave them open to attack, threat actors target these devices in order to enlist them in malicious activity, and the number of internet-connected devices continues to grow. Recent trends show operators redeploying malware for a range of distribution channels and goals, modifying existing botnets to expand their operations, and adding as many devices as possible to their infrastructure.

One example of a constantly adapting threat is Zerobot, a Go-based botnet that spreads mainly through vulnerabilities in Internet of Things (IoT) devices and web applications. The malware’s controllers keep adding new exploits and capabilities to it. The Microsoft Defender for IoT research team has been monitoring Zerobot, which its operators also call ZeroStresser, for many months. Since Microsoft began tracking it, Zerobot has gone through several iterations and is sold as part of a malware-as-a-service offering. In December 2022, the Federal Bureau of Investigation (FBI) seized multiple domains associated with DDoS-for-hire businesses; one of those domains was tied to Zerobot.

Microsoft has previously commented on the changing threat landscape. The shift in the cyber economy toward malware as a service has industrialized attacks and made it easier for attackers to buy and use malware, establish and maintain access to compromised networks, and use ready-made tools to carry out their attacks, which has increased the number of successful cyberattacks. Microsoft has been watching for advertisements for the Zerobot botnet on a variety of social media networks, along with other notices about the sale and maintenance of the malware and additional capabilities that are currently under development.

The Zerobot botnet, which was discovered for the first time earlier this month, is targeting Apache systems in an effort to broaden the range of Internet of Things (IoT) devices that it is able to attack.

According to a report that was made public on Wednesday by the Microsoft Security Threat Intelligence (MSTIC) team, the malware-as-a-service (MaaS) model is being used to sell the botnet, which was written in the Go programming language. The botnet spreads through vulnerabilities in Internet of Things (IoT) devices and web applications.

Researchers from Fortinet’s FortiGuard Labs first discovered Zerobot at the beginning of December and reported that the botnet was targeting Linux machines. As with traditional botnets, the objective is to take control of internet-connected devices such as firewalls, routers, and webcams and enroll them in a botnet used to carry out DDoS attacks.

The report that was released by MSTIC this week expands upon the original results that were discovered by FortiGuard by describing the progressions that have been made in the botnet’s most recent generation.

According to research published by MSTIC, “Zerobot 1.1 expands its capabilities by including new attack techniques and new vulnerabilities for supported architectures,” which broadens the range of devices the malware is able to infect.

They wrote that Zerobot, which its operators also call ZeroStresser and which Microsoft tracks as DEV-1061, uses multiple modules to infect vulnerable devices running on a variety of architectures and operating systems. The most recent update, however, adds targeting of Apache and Apache Spark.

According to MSTIC, Zerobot 1.1 is now able to exploit vulnerabilities in Apache (CVE-2021-42013) and Apache Spark (CVE-2022-33891). It also adds exploits for flaws in MiniDVBLinux DVR systems, Grandstream networking devices, and the Roxy-WI graphical user interface.

The researchers wrote that the botnet takes advantage of vulnerabilities on devices that have not been patched or that have inadequate security measures in place. In some instances, the botnet will use brute-force techniques on vulnerable devices that include insecure configurations that use default or weak credentials.

According to their report, “the malware may try to acquire device access by exploiting a combination of eight popular usernames and 130 passwords for IoT devices using SSH and telnet on ports 23 and 2323 to propagate to devices.” They also noted that efforts have been made to open ports and connect to them via port-knocking on ports 80, 8080, 8888, and 2323.

The malicious payload that is dropped by the botnet is either a generic script named zero.sh that executes Zerobot or a script that downloads the Zerobot binary of a particular architecture via brute force. Either way, the payload is harmful.

In the beginning of this month, the FBI took control of roughly fifty domains that were being used to perform distributed denial of service assaults (DDoS) all over the globe. One of those domains was linked with ZeroStresser.

Internet of Things devices run on a variety of processor architectures, including x86, Arm, and MIPS. Zerobot works through its set of binaries until it finds the one that runs on the target.

Additionally, the malware utilizes a variety of persistence mechanisms that are specific to each operating system. The researchers said that they have uncovered samples that can operate on Windows and be saved through the Startup folder, despite the fact that it is unable to propagate to Windows-based computers. It makes use of a mix of desktop entry, daemon, and service setups on systems that are based on Linux.

The Windows samples are derived from a piece of open-source malware that can infect computers running Windows, Linux, and macOS.

Zerobot was known to have nine distinct ways of initiating DDoS assaults, and the researchers at MSTIC identified seven more. These new techniques include sending UDP and TCP packets with customisable payloads, as well as delivering SYN or ACK packets either singly or jointly.

Microsoft researchers also discovered a sample capable of running on Windows that is based on a cross-platform (Linux, Windows, macOS) open-source remote administration tool (RAT) with features including process management, file operations, screenshot capture, and command execution. The sample was found through research into the command-and-control (C2) IP addresses used by the malware. This RAT is downloaded by a script named impst.sh.

The ongoing development of new capabilities, and the speed with which they are being added to the latest version of Zerobot, highlight how urgent it is to put thorough security measures in place. The following precautions should be taken to safeguard devices and networks against the threat posed by Zerobot:

  • Use security solutions that offer integrated protection across endpoints, identities, email, apps, and data. Such solutions provide cross-domain visibility and detection capabilities.
  • Adopt a complete IoT security solution to see and monitor all IoT and OT devices, detect and respond to threats, and integrate with SIEM/SOAR and XDR platforms.

Zerobot botnet can hack into TOTOLink, Zyxel, Realtek, D-Link, F5, Huawei, MEGApix, Telesquare, Zivif, Tenda & Hikvision devices
https://www.securitynewspaper.com/2022/12/07/zerobot-botnet-can-hack-into-totolink-zyxel-realtek-d-link-f5-huawei-megapix-telesquare-zivif-tenda-hikvision-devices/
Wed, 07 Dec 2022 20:56:53 +0000

FortiGuard Labs discovered a one-of-a-kind botnet in November that was created in the Go programming language and was being spread via vulnerabilities in IoT devices. This botnet, which goes by the name Zerobot, is equipped with a number of modules, some of which allow it to replicate itself, launch attacks against various protocols, and propagate itself. Using the WebSocket protocol, it also connects with the server that handles its command and control functions.

The malware’s objective is to infect other devices so that they can be added to a distributed denial-of-service (DDoS) botnet, which can then be used to launch devastating attacks against chosen targets. The malware also includes an “anti-kill” module, which is meant to prevent its process from being terminated. At the moment, Zerobot’s primary emphasis is on performing distributed denial of service attacks, but it could also be used as a means of initial access.

In addition to being able to do network scans and self-propagation to nearby devices, Zerobot is also capable of running commands on either Windows (CMD) or Linux (Bash). After Zerobot has established its presence on the hacked device, it will communicate some basic information about the victim to the command and control (C2) server by establishing a WebSocket connection to the server and sending the information.

The following computer architectures are targeted by this particular Zerobot variant: i386, amd64, arm, arm64, mips, mips64, mips64le, mipsle, ppc64, ppc64le, riscv64, and s390x. It is stored with the filename “zero,” which is also where the name of the campaign originated from. In order to obtain access to the device, Zerobot contains exploits for 21 different vulnerabilities and makes use of them.

The following vulnerabilities are targeted by Zerobot when it attempts to penetrate its targets:

  • CVE-2022-22965: Spring MVC and Spring WebFlux (Spring4Shell)
  • CVE-2022-25075: TOTOLink A3000RU router
  • CVE-2022-26186: TOTOLink N600R router
  • CVE-2022-26210: TOTOLink A830R router
  • CVE-2022-30525: Zyxel USG Flex 100(W) firewall
  • CVE-2022-34538: MEGApix IP cameras
  • CVE-2022-37061: FLIR AX8 thermal sensor cameras
  • CVE-2020-25506: D-Link DNS-320 NAS
  • CVE-2021-35395: Realtek Jungle SDK
  • CVE-2021-36260: Hikvision products
  • CVE-2021-46422: Telesquare SDT-CW3B1 router
  • CVE-2022-1388: F5 BIG-IP
  • CVE-2014-8361: miniigd SOAP service in Realtek SDK
  • CVE-2017-17106: Zivif PR115-204-P-RS webcams
  • CVE-2017-17215: Huawei HG532 router
  • CVE-2018-12613: phpMyAdmin
  • CVE-2020-10987: Tenda AC15 AC1900 router

IOCs

C2:

  • 176[.]65[.]137[.]5

Files (SHA256):

  • 7ae80111746efa1444c6e687ea5608f33ea0e95d75b3c5071e358c4cccc9a6fc
  • df76ab8411ccca9f44d91301dc2f364217e4a5e4004597a261cf964a0cd09722
  • cd9bd2a6b3678b61f10bb6415fb37ea6b9934b9ec8bb15c39c543fd32e9be7bb
  • 50d6c5351c6476ea53e3c0d850de47059db3827b9c4a6ab4d083dfffcbde3579
  • 7722abfb3c8d498eb473188c43db8abb812a3b87d786c9e8099774a320eaed39
  • 2955dc2aec431e5db18ce8e20f2de565c6c1fb4779e73d38224437ac6a48a564
  • 191ce97483781a2ea6325f5ffe092a0e975d612b4e1394ead683577f7857592f
  • 447f9ed6698f46d55d4671a30cf42303e0bd63fe8d09d14c730c5627f173174d
  • e0766dcad977a0d8d0e6f3f58254b98098d6a97766ddac30b97d11c1c341f005
  • 6c284131a2f94659b254ac646050bc9a8104a15c8d5482877d615d874279b822
  • 5af002f187ec661f5d274149975ddc43c9f20edd6af8e42b6626636549d2b203
  • 74f8a26eb324e65d1b71df9d0ed7b7587e99d85713c9d17c74318966f0bead0a
  • 9c16171d65935817afd6ba7ec85cd0931b4a1c3bafb2d96a897735ab8e80fd45
  • b1d67f1cff723eda506a0a52102b261769da4eaf0551b10926c7c79a658061fd
  • f0bb312eacde86d533c922b87e47b8536e819d7569baaec82b9a407c68084280
  • 2460434dabafe5a5dde0cce26b67f0230dbcd0d0ab5fabad1a1dbc289dc6432f
  • 2af33e1ff76a30eb83de18758380f113658d298690a436d817bd7e20df52df91
  • 4483c4f07e651ce8218216dd5c655622ff323bf3cdfe405ffeb69eafa75efad5
  • 7c085185f6754aef7824c201d8443300ff2b104521d82f9a8b8feb5d4c8d3191
  • 6ac49092ee1bdd55ddbf57df829f20aac750597d85b5904bb7bafa5b51fbb44d
  • f9fc370955490bdf38fc63ca0540ce1ea6f7eca5123aa4eef730cb618da8551f
  • 6dd71163b6ab81a35ce373875a688ad9b31e0d1c292f02e8b2bafa7b3d1e3731
  • d88e9248ff4c983aa9ae2e77cf79cb4efc833c947ec2d274983e45c41bbe47e1
  • 96bbb269fd080fedd01679ea82156005a16724b3cde1eb650a804fa31f18524e
  • 439b2e500e82c96d30e1ef8a7918e1f864e6d706d944aeddffe61b8bf81ef6d3
  • af48b072d0070fa09bca0868848b62df5228c34ef24d233d8eb75a1fde8ac23f
  • 5824fc51fcfba1a6315fd21422559d63c56f0e2192937085d65f9a0ac770eb3a
  • c9ea4cda12c14c895e23988229831b8f04ccab315c1cbc76a9efae888be55a3b
  • e2c2a0cccefc4314c110f3c0b887e5008073e607c61e1adde5000efb8e630d50
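As an added example (not code from the article or from FortiGuard Labs), the following Python script turns the indicators above into a simple matcher for defenders: it refangs the defanged C2 address, checks firewall log lines for connections to it, and compares a file's SHA256 against the published hash list. The `src=/dst=/dport=` log format and the sample log lines are constructed for this example, and only a subset of the listed hashes is embedded; the rest are added the same way.

```python
"""Match the Zerobot IoCs from the article against flow logs and file hashes.

Added example: the indicators are copied from the IOC list above, the log
format and sample data are constructed for illustration.
"""
import hashlib
import ipaddress
import re
from typing import Dict, Iterable, List

# C2 address copied from the IOC list, kept defanged (bracketed dots) so it is
# never pasted into a browser by accident; refang() undoes the defanging.
ZEROBOT_C2_DEFANGED = ("176[.]65[.]137[.]5",)

# Subset of the SHA256 file hashes from the IOC list; add the rest the same way.
ZEROBOT_SHA256 = frozenset({
    "7ae80111746efa1444c6e687ea5608f33ea0e95d75b3c5071e358c4cccc9a6fc",
    "df76ab8411ccca9f44d91301dc2f364217e4a5e4004597a261cf964a0cd09722",
    "cd9bd2a6b3678b61f10bb6415fb37ea6b9934b9ec8bb15c39c543fd32e9be7bb",
    "50d6c5351c6476ea53e3c0d850de47059db3827b9c4a6ab4d083dfffcbde3579",
    "7722abfb3c8d498eb473188c43db8abb812a3b87d786c9e8099774a320eaed39",
})


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 176[.]65[.]137[.]5 back into 176.65.137.5."""
    refanged = indicator.replace("[.]", ".")
    ipaddress.ip_address(refanged)  # raises ValueError if the result is not an IP address
    return refanged


ZEROBOT_C2 = frozenset(refang(i) for i in ZEROBOT_C2_DEFANGED)

# Constructed flow/firewall log format assumed for this example:
#   <timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


def find_c2_connections(log_lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per log line whose destination is a known Zerobot C2 address.

    Lines that do not match the expected format are skipped rather than raising.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if m and m.group("dst") in ZEROBOT_C2:
            hits.append(m.groupdict())
    return hits


def sha256_hex(data: bytes) -> str:
    """SHA256 of file contents as a lowercase hex string, the form used in the IoC list."""
    return hashlib.sha256(data).hexdigest()


def is_known_zerobot_sample(data: bytes) -> bool:
    """True if the SHA256 of the given file contents is in the published hash list."""
    return sha256_hex(data) in ZEROBOT_SHA256


# Constructed sample log lines: two internal hosts reaching the C2 address,
# one benign connection to a documentation-range address, and one malformed line.
SAMPLE_LOG = [
    "2022-12-07T10:01:02Z src=192.168.1.23 dst=176.65.137.5 dport=443 proto=tcp",
    "2022-12-07T10:01:05Z src=192.168.1.23 dst=203.0.113.10 dport=443 proto=tcp",
    "2022-12-07T10:02:11Z src=192.168.1.40 dst=176.65.137.5 dport=80 proto=tcp",
    "malformed line that the parser should skip",
]

if __name__ == "__main__":
    for hit in find_c2_connections(SAMPLE_LOG):
        print(f"[C2 match] {hit['ts']} {hit['src']} -> {hit['dst']}:{hit['dport']}")
    # A constructed byte string is not a published sample, so this prints False.
    print("constructed bytes flagged:", is_known_zerobot_sample(b"constructed, not malware"))
```

A hash match is high-confidence and identifies a file that should be quarantined; a C2 match identifies the internal source host as a candidate for the persistence artifacts described earlier (the binary stored under the filename “zero”), so the `src` field of each hit is the value to hand to the responder. To run this over real logs, adapt `LOG_RE` to the device's actual export format and feed the file object in place of `SAMPLE_LOG`.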

EnemyBot: New IoT malware exploits one-day vulnerabilities to hack thousands of devices
https://www.securitynewspaper.com/2022/05/31/enemybot-new-iot-malware-exploits-one-day-vulnerabilities-to-hack-thousands-of-devices/
Tue, 31 May 2022 17:53:59 +0000

Cybersecurity specialists from AT&T Alien Labs report the detection of an Internet of Things (IoT) malware variant targeting content management systems (CMS), web servers, and Android devices. The malware is believed to have been developed by the hacking group Keksec, formed in 2016, which operates several botnets.

The malware, identified as EnemyBot, targets services such as VMware Workspace ONE, Adobe ColdFusion, and WordPress, as well as some IoT and Android devices. EnemyBot has been deployed at an astonishing speed thanks to the exploitation of known security flaws.

This new malware was developed from the source code used by other botnets, including Mirai, Qbot, and Zbot. Hackers use EnemyBot to target Linux systems and IoT devices.  

A closer look

According to the report, the malware is divided into four main sections:

  • A Python script ‘cc7.py’, used to download all dependencies and compile malware on different operating system architectures (x86, ARM, macOS, OpenBSD, PowerPC, MIPS). After compilation, a batch file “update.sh” is created for malware propagation
  • The main source code, which includes all the functions of EnemyBot, and incorporates the source code of the other botnets
  • A hide.c segment that is manually compiled and executed to encode/decode malware strings
  • A command and control (C&C) component to receive vital actions and payloads from hackers

The malware also includes a function for scanning vulnerable IP addresses and an “adb_infect” function, which abuses the Android Debug Bridge to compromise mobile devices.

Among the flaws exploited in this campaign are:

  • CVE-2021-44228 and CVE-2021-45046, also known as Log4Shell
  • CVE-2022-1388, a vulnerability in F5 BIG-IP devices
  • CVE-2022-25075, a flaw in TOTOLink A3000RU routers
  • CVE-2021-35064, a flaw in Kramer VIAware

While researchers believe this campaign is in its early stages, the constant updating that malware receives and the possibility of exploiting multiple vulnerabilities would allow hackers to deploy massive campaigns soon.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

Watchguard firewalls and ASUS routers in the U.S. are being attacked by the Russian government: How to fix it?
https://www.securitynewspaper.com/2022/04/07/watchguard-firewalls-and-asus-routers-in-the-u-s-are-being-attacked-by-the-russian-government-how-to-fix-it/
Thu, 07 Apr 2022 17:30:32 +0000

U.S. authorities announced the closure of the Cyclops Blink botnet, run by the Sandworm hacking group, allegedly funded by the Russian government. The malware used by this group mainly targets ASUS routers and WatchGuard Firebox firewalls.

The researchers mention that Cyclops Blink allowed threat actors to gain persistence on affected devices through firmware updates, providing remote access to affected networks. The botnet malware is modular, making it easy to upgrade to infect new devices and access new pools of vulnerable hardware.

U.S. Attorney General Merrick Garland has attributed this activity to the Russian military intelligence agency, known as GRU: “The Russian government has used similar infrastructure to attack its targets in Ukraine. We were able to disrupt this botnet before it could be used in bulk thanks to our work with international agencies.”

This research work made it possible to remove malware from all Watchguard devices identified as C&C servers. For its part, the Federal Bureau of Investigation (FBI) notified the owners of compromised devices in the United States and other regions of the world.

Chris Wray, director of the FBI, mentions that the botnet was shut down following close cooperation with Watchguard while analyzing the malware and developing compromise detection tools: “As we move forward, any Firebox device that acted as a bot may remain vulnerable in the future until its owners mitigate the flaws. Therefore, those owners still need to go ahead and take the detection and remediation steps recommended by the manufacturer.”

Sandworm and the Russian government

Also known as Voodoo Bear, BlackEnergy and TeleBots, this hacking group has been active for more than 15 years and is believed to be made up of military-trained hackers, who are part of Unit 74455, part of the GRU Special Technologies Center.

Between 2015 and 2016, Sandworm hackers were linked to the BlackEnergy malware, the tool responsible for the massive blackouts in Ukraine. Other disruptive tools allegedly linked to Sandworm are KillDisk and NotPetya, malware variants that caused millions of dollars in losses years ago.

Major Russian cyberattack globally halted by intelligence agencies in the Netherlands
https://www.securitynewspaper.com/2022/03/03/major-russian-cyberattack-globally-halted-by-intelligence-agencies-in-the-netherlands/
Thu, 03 Mar 2022 18:53:43 +0000

Thousands of routers owned by small businesses and homes in the Netherlands were hacked in what appears to be a botnet operation by a dangerous Russian hacking group. According to early reports, these devices were compromised by Unit 74455, also known as Sandworm or BlackEnergy.

MIVD, the Dutch military intelligence service, tracked down the compromised routers after a thorough investigation and is in the process of notifying victims. The exact number of hacked devices has not been confirmed so far, although experts believe a few dozen attacks could be confirmed.

For cybersecurity specialists it is curious that the intelligence agency is making public the details about its investigation, although the director of MIVD Jan Swillens considers that transparency is necessary in this type of cases: “The threat is sometimes closer than you think. We want the Dutch to be aware of this cyberattack orchestrated by a state actor.”

Cybersecurity researchers mention that Unit 74455 is part of Russia’s military intelligence service and is considered by many to be one of the most dangerous cybercriminal groups in the world, responsible for several of the most notable attacks in recent years. Between 2015 and 2017 this group achieved a massive disruption of electricity services in Ukraine, in addition to launching other massive attacks against other areas of critical infrastructure on Ukrainian territory.

The attack reported by MIVD follows warnings from the British and American security services, which claimed that Russian hacking groups could be about to deploy powerful attacks using a new type of malware known as CyclopsBlink. This malware variant is introduced into WatchGuard’s routers and firewall solutions to add the affected devices to a massive botnet.

Specialists point out that CyclopsBlink is installed as part of a supposed update and then remains on the affected router. Individuals and companies that have modified the default settings and enabled external access are vulnerable, according to reports collected so far.

Once installed, the malware communicates with the attackers’ systems. The botnet can be controlled centrally and collectively and can be used for espionage, influence and sabotage purposes. The threat is considered active, so network device administrators should take all possible security measures to prevent these attacks.

Hackers are exploiting Universal Plug and Play (UPnP) to turn routers into a proxy server used to carry out cyber attacks
https://www.securitynewspaper.com/2022/02/01/hackers-are-exploiting-universal-plug-and-play-upnp-to-turn-routers-into-a-proxy-server-used-to-carry-out-cyber-attacks/
Tue, 01 Feb 2022 18:12:58 +0000

Cybersecurity specialists from Akamai reported the detection of a malicious campaign that abuses the Universal Plug and Play (UPnP) protocol to hack routers and use them for cybercriminal purposes. The campaign, identified as Eternal Silence, turns affected routers into proxy servers that form part of a cybercriminal infrastructure.

It all started with a report from the same firm published in 2018, when Akamai reported that more than 65,000 home routers had been added to the UPnProxy botnet through the exploitation of a severe vulnerability in UPnP. At the time, the firm noted that more than 23 million IP addresses were vulnerable to remote code execution (RCE) via a single UDP packet, leaving nearly 7,000 versions of routers exposed to attack.

The exploitation of the protocol allows threat actors to control the traffic in and out of networks. In addition, the malicious botnet was composed of vulnerable devices, including malicious NAT injections that turn routers into proxies, which is why the botnet was identified as UPnProxy.

Regarding Eternal Silence, experts note that it is a family of injections that abuses two vulnerabilities (CVE-2017-0144 and CVE-2017-7494) in unpatched Windows and Linux systems. These vulnerabilities are old but still affect more than 45,000 routers, all of which contain the so-called “silent cookie” used for exploitation. This set of injections is used to expose TCP ports 139 and 445 on devices behind the router.

Successful exploitation of the vulnerabilities would allow threat actors to use the compromised devices as part of a botnet or else abuse their processing capabilities for cryptocurrency mining and even deploy ransomware across affected networks.

Experts recommend that users install router updates and firmware patches to contain the risk of exploitation. The report also adds that many UPnP vulnerabilities are still being exploited, making this an active security risk. If your devices have already been compromised by Eternal Silence, it is recommended to update the device or reset it to factory settings.

How Microsoft counter attacked the infrastructure used by Chinese military hackers
https://www.securitynewspaper.com/2021/12/07/how-microsoft-counter-attacked-the-infrastructure-used-by-chinese-military-hackers/
Tue, 07 Dec 2021 22:06:37 +0000

As part of an ambitious security effort, Microsoft took control of dozens of malicious sites allegedly operated by Nickel, a China-based hacking group. Apparently, these platforms were used to direct attacks against critical infrastructure in the United States and at least 28 other countries, mainly in Latin America and Europe.

Tom Burt, Vice President of Customer Security and Trust at Microsoft, said, “Nickel has focused its efforts on public and private organizations, including diplomatic entities and foreign ministries in North America, Central America, South America, the Caribbean, Europe and Africa.”

The tech giant was able to take down the hackers’ infrastructure after a U.S. court issued an order in response to the group’s actions. The order directed that the malicious websites be redirected to secure servers by changing their authoritative name servers to NS104a.microsoftinternetsafety.net and NS104b.microsoftinternetsafety.net.

SOURCE: Microsoft

Microsoft’s security teams first detected the malicious behavior in 2016, while security firms such as Mandiant say Nickel’s activity dates back to 2010. For a couple of years the group was also detected in attacks against European and Latin American countries, mainly running malware delivery campaigns for network monitoring and data theft.

Nickel’s operations are funded by the Chinese government and use previously compromised third-party VPN platforms, credentials stolen in phishing campaigns, and exploits targeting unpatched Exchange Server and SharePoint servers.

Since the investigation began, 24 criminal cases have been brought against these hackers and five against their sponsors; in addition, nearly 10,000 malicious websites have been removed and more than 500,000 online platforms potentially associated with this operation have been blocked.

Microsoft has made considerable efforts in the fight against cybercrime. A few months ago, the company seized the computing infrastructure of the Necurs botnet, which threat actors used to distribute malware payloads and which put millions of devices around the world at risk. According to Microsoft, at its peak Necurs was able to reach more than 40 million targets in less than two months.

Largest botnet with control of millions of devices discovered. THE PINK BOTNET
https://www.securitynewspaper.com/2021/11/02/largest-botnet-with-control-of-millions-of-devices-discovered-the-pink-botnet/
Tue, 02 Nov 2021 18:08:19 +0000

Researchers from the firm Netlab Cybersecurity report the detection of a massive new botnet capable of launching powerful denial of service (DoS) attacks, with more than 1.5 million internet-connected devices detected as part of it. Identified as Pink, the botnet is also capable of inserting arbitrary ads into legitimate traffic and operates primarily in China.

Pink is the largest botnet detected since 2015, with scans that have identified up to 1,963,000 active IP addresses associated with this malicious infrastructure in a day. On the other hand, at the beginning of 2020 the CNCERT reported that the bot node IP addresses associated with this botnet exceed 5 million. Home IP addresses are dynamically assigned, so the actual size of infected devices behind this data cannot be accurately calculated, although it is certain that these are millions of devices.

The first reports of Pink came in late 2019, when a researcher shared a sample of the malware with several security firms: “From the beginning we found it surprising, since at its peak hour it had a total infection of more than 1.6 million devices, most of them based in China,” the researchers point out.

Pink’s controllers base their operation on a combination of third-party services, P2P and C&C servers, which yields an architecture that resists attempts to disrupt it and is difficult for security firms to detect. The operators have enough resources that every time a service provider tried to address the problem, the botmaster pushed its own firmware updates to the devices to undo the fix and keep control.

The threat actors also exploited a zero-day flaw in broadband devices from certain brands with a wide presence in China and other parts of Asia; the malware used by Pink only targets the MIPS-based implementations used by those Asian manufacturers.

The Mozi IoT botnet evolved to gain persistence on Netgear, Huawei, and ZTE gateways. How to defend your network? https://www.securitynewspaper.com/2021/08/20/the-mozi-iot-botnet-evolved-to-gain-persistence-on-netgear-huawei-and-zte-gateways-how-to-defend-your-network/ Fri, 20 Aug 2021 16:23:43 +0000 https://www.securitynewspaper.com/?p=24076

The post The Mozi IoT botnet evolved to gain persistence on Netgear, Huawei, and ZTE gateways. How to defend your network? appeared first on Information Security Newspaper | Hacking News.

Cybersecurity specialists report the detection of a new version of the Mozi botnet that is now capable of manipulating the web traffic of affected devices using DNS spoofing and HTTP session hijacking. The activity was detected by Microsoft security teams, who report that the operators have begun targeting Netgear, Huawei and ZTE gateways.

Mozi was first detected in 2019 by Netlab researchers, reaching around 15,000 infected devices in just a couple of months.

The researchers note that these devices are valuable targets for hackers, as they can be the ideal entry point into a corporate network: “The compromise of these routers would allow man-in-the-middle (MitM) attacks by hijacking HTTP and DNS spoofing; this would allow subsequent attacks such as ransomware infections and other malicious practices.”

In addition to these new features, the new version of the botnet includes persistence mechanisms adapted to the architecture of the compromised gateway, which allow Mozi’s operators to keep their payload from being removed when the device reboots, a capability uncommon in IoT malware, which is usually wiped by a reboot.

Mozi’s foothold on the gateway also lets the threat actors stage more complex attacks, such as deploying modules on the infected gateways to intercept HTTP and DNS requests or to cause denial of service (DoS) conditions.

As if that weren’t enough, new versions of Mozi can also instruct the infected gateway to answer DNS requests for specific domains with a custom IP address, redirecting users to a malicious server and allowing the attackers to run phishing campaigns.

The botnet can also perform a stealthy HTTP 301 redirect, sending users of legitimate websites to malicious pages. Microsoft notes that the attackers gain access to the affected devices by exploiting weak Telnet passwords and multiple unpatched vulnerabilities.

Still, Microsoft did not provide details about the flaws exploited in this campaign or the specific Netgear, Huawei and ZTE gateway models that were compromised.
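The DNS spoofing and HTTP 301 redirects described above are the kind of manipulation a defender can check for from inside the network, because the gateway’s answers can be compared with answers from a resolver the gateway cannot tamper with. The following Python script is an added example written for this page, not code from Microsoft, Netlab or any Mozi analysis: it parses a raw DNS response as it would arrive from the gateway on UDP port 53, extracts the A records, flags any address that a trusted reference resolver never returned for that name, and separately flags 301/302 redirects whose Location header points at a different host than the one requested. The packets, names and addresses are constructed fixtures (RFC 5737 test ranges), and `build_response` exists only to fabricate them; in practice the gateway packet would come from a real query and the reference answers from a resolver reached over DoH or DoT.

```python
import struct
from ipaddress import IPv4Address
from urllib.parse import urlparse


def _read_name(packet: bytes, offset: int) -> tuple[str, int]:
    """Decode a DNS name at `offset`, following RFC 1035 compression pointers.
    Returns (name, offset just past the name in the original byte stream)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                       # the pointer ends the name here
            jumped = True
            offset = pointer
            continue
        if length == 0:                                # root label terminates the name
            offset += 1
            break
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_a_records(packet: bytes) -> dict[str, set[str]]:
    """Return {owner_name: {ipv4, ...}} for every A record in the answer section."""
    _txid, flags, qdcount, ancount, _nscount, _arcount = struct.unpack("!6H", packet[:12])
    if not flags & 0x8000:
        raise ValueError("not a DNS response (QR bit clear)")
    offset = 12
    for _ in range(qdcount):                           # skip the question section
        _, offset = _read_name(packet, offset)
        offset += 4                                    # QTYPE + QCLASS
    answers: dict[str, set[str]] = {}
    for _ in range(ancount):
        name, offset = _read_name(packet, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:   # A record, class IN
            answers.setdefault(name.lower(), set()).add(str(IPv4Address(rdata)))
    return answers


def build_response(name: str, ips: list[str], txid: int = 0x1234) -> bytes:
    """Fabricate a minimal DNS response with one A record per address.
    Used here only to construct test packets; a real capture replaces it."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    header = struct.pack("!6H", txid, 0x8180, 1, len(ips), 0, 0)   # QR=1, RD=1, RA=1
    question = qname + struct.pack("!HH", 1, 1)                     # QTYPE=A, QCLASS=IN
    rrs = b""
    for ip in ips:
        # 0xC00C is a pointer to the name in the question section (offset 12)
        rrs += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + IPv4Address(ip).packed
    return header + question + rrs


def find_spoofed(gateway_packet: bytes, reference: dict[str, set[str]]) -> dict[str, set[str]]:
    """Names whose gateway answer contains addresses the reference resolver never returned."""
    suspicious: dict[str, set[str]] = {}
    for name, ips in parse_a_records(gateway_packet).items():
        unexpected = ips - reference.get(name, set())
        if unexpected:
            suspicious[name] = unexpected
    return suspicious


def is_offsite_redirect(status: int, headers: dict[str, str], requested_host: str) -> bool:
    """True when an HTTP redirect's Location sends the client to a different host."""
    if status not in (301, 302, 307, 308):
        return False
    target = urlparse(headers.get("Location", "")).hostname
    return target is not None and target.lower() != requested_host.lower()


# Constructed fixtures: 198.51.100.10 plays the legitimate address returned by a
# trusted resolver, 203.0.113.5 the attacker's server injected by the gateway.
REFERENCE = {"update.example.com": {"198.51.100.10"}}
LEGIT_PACKET = build_response("update.example.com", ["198.51.100.10"])
SPOOFED_PACKET = build_response("update.example.com", ["203.0.113.5"])

if __name__ == "__main__":
    print("clean gateway:", find_spoofed(LEGIT_PACKET, REFERENCE))
    print("spoofing gateway:", find_spoofed(SPOOFED_PACKET, REFERENCE))
    print("301 to attacker:", is_offsite_redirect(301, {"Location": "http://203.0.113.5/login"}, "bank.example.com"))
```

A mismatch is not proof of spoofing on its own, since CDNs legitimately return different addresses to different resolvers; in practice compare against more than one reference resolver and alert on addresses outside the expected ranges, and on redirects to bare IP addresses or unrelated hosts, rather than on every difference.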

How this new Chinese botnet is taking control of computers worldwide https://www.securitynewspaper.com/2021/06/22/how-this-new-chinese-botnet-is-taking-control-of-computers-worldwide/ Tue, 22 Jun 2021 16:19:33 +0000 https://www.securitynewspaper.com/?p=23729

The post How this new Chinese botnet is taking control of computers worldwide appeared first on Information Security Newspaper | Hacking News.

Cybersecurity experts report the detection of a botnet allegedly operated from China that had infected around 100 thousand devices according to figures collected up to June 2021. According to Avast’s report, the malware behind this botnet, known as DirtyMoe, PurpleFox or Perkiler, was first identified at the end of 2017.

The operators’ goal is to infect thousands of Windows systems to mine cryptocurrency (cryptojacking) without the affected users noticing the infection, although experts mention that the botnet has also been used to launch denial of service (DoS) attacks. The operators deploy the malware via malicious emails and websites that host an exploit kit known as PurpleFox, which abuses web browser flaws to gain access to the affected Windows systems.

This malicious tool had already been identified by the cybersecurity community, although its capabilities were never given much importance. According to Avast’s report, however, the botnet is growing at a steady rate and currently has more than 100 thousand infected computers.

DirtyMoe’s activity peaked in 2021, when its operators drove mass deployment of the malware by adding an SMB module capable of scanning the entire Internet and performing brute force attacks against exposed Windows systems.

The SMB module made infections explode, in what Avast described as growth on a logarithmic scale, reaching more than 100 thousand infected systems during the first half of 2021 alone.
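The SMB module’s brute forcing leaves a characteristic trail on the targets: bursts of failed network logons (Security event 4625 with Logon Type 3) from one source, cycling through account names, and, if a password is guessed, a network logon success (4624) from the same source. The following Python script is an added example for this page, not Avast’s code: it runs that detection over a handful of constructed, simplified log lines (one event per line with the fields a SIEM would extract from the Windows Security log, not the real XML), flags sources that exceed a failure threshold inside a sliding window, and records any subsequent success from a flagged source. The threshold, window and log format are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One event per line, with the fields a SIEM would extract from the Security log.
# This is a constructed, simplified format for the example, not Windows' XML.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<event>\d+)\s+LogonType=(?P<ltype>\d+)\s+"
    r"TargetUser=(?P<user>\S+)\s+IpAddress=(?P<ip>\S+)"
)


def parse_events(lines):
    """Parse log lines into dicts, dropping lines that do not match, sorted by time."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "event": int(m["event"]),
            "ltype": int(m["ltype"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_smb_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed network logons (4625, LogonType 3)
    inside a sliding window, and note any later network logon success (4624)
    from a flagged source. Returns {ip: {"failures", "users", "success"}}."""
    recent_failures = defaultdict(list)       # ip -> [(timestamp, user)] inside the window
    alerts = {}
    for e in parse_events(lines):
        if e["ltype"] != 3:                    # SMB authentication shows up as network logons only
            continue
        ip = e["ip"]
        if e["event"] == 4625:
            recent_failures[ip].append((e["ts"], e["user"]))
            recent_failures[ip] = [(t, u) for t, u in recent_failures[ip] if e["ts"] - t <= window]
            if len(recent_failures[ip]) >= threshold:
                alert = alerts.setdefault(ip, {"failures": 0, "users": set(), "success": None})
                alert["failures"] = max(alert["failures"], len(recent_failures[ip]))
                alert["users"].update(u for _, u in recent_failures[ip])
        elif e["event"] == 4624 and ip in alerts:
            alerts[ip]["success"] = e["user"]   # a guessed password: escalate immediately
    return alerts


# Constructed sample: 12 failures in 33 seconds from 203.0.113.7 cycling two account
# names, followed by a successful network logon; two isolated failures from
# 198.51.100.20; one interactive (LogonType 2) failure that must be ignored.
SAMPLE_LOG = [
    f"2021-06-20T10:00:{3 * i:02d}Z EventID=4625 LogonType=3 "
    f"TargetUser={'Administrator' if i % 2 == 0 else 'admin'} IpAddress=203.0.113.7 Status=0xC000006D"
    for i in range(12)
] + [
    "2021-06-20T10:01:00Z EventID=4624 LogonType=3 TargetUser=Administrator IpAddress=203.0.113.7 Status=0x0",
    "2021-06-20T09:00:00Z EventID=4625 LogonType=3 TargetUser=bob IpAddress=198.51.100.20 Status=0xC000006D",
    "2021-06-20T09:30:00Z EventID=4625 LogonType=3 TargetUser=bob IpAddress=198.51.100.20 Status=0xC000006D",
    "2021-06-20T10:05:00Z EventID=4625 LogonType=2 TargetUser=alice IpAddress=127.0.0.1 Status=0xC000006D",
]

if __name__ == "__main__":
    for ip, info in detect_smb_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures against {sorted(info['users'])}, "
              f"success as {info['success']}")
```

On real data, feed it 4625/4624 events exported from the Security log (for example with wevtutil) and tune the threshold to the environment. The more important control is not exposing SMB (TCP 445) to the Internet at all, since that exposure is exactly what the module scans for.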

It should be noted that this is only Avast’s estimate, obtained from devices with its antivirus solution installed, so the number of DirtyMoe infections could be much higher. Another report, published by the Chinese security firm Tencent, also points to the rapid rise in DirtyMoe infections over recent months, especially in Europe and Asia.

The threat is still active. Avast is preparing a report on the evolution and operations of the malware, along with indicators of compromise (IOCs) that administrators can use to identify a possible infection.

“King of Fraud” faces major sentence for the operation of a massive botnet; US companies scammed for up to $7 million USD https://www.securitynewspaper.com/2021/05/31/king-of-fraud-faces-major-sentence-for-the-operation-of-a-massive-botnet-us-companies-scammed-for-up-to-7-million-usd/ Mon, 31 May 2021 16:35:55 +0000 https://www.securitynewspaper.com/?p=23591

The post “King of Fraud” faces major sentence for the operation of a massive botnet; US companies scammed for up to $7 million USD appeared first on Information Security Newspaper | Hacking News.

The US Department of Justice (DOJ) announced that Aleksandr Zhukov, a 41-year-old Russian citizen, faces a sentence of up to 20 years in prison after being convicted of operating the advertising fraud scheme known as Methbot, which reportedly earned the defendant and his accomplices up to $7 million USD. The self-proclaimed “King of Fraud” was arrested at the end of 2018 while hiding in Bulgaria and was extradited to the United States a couple of months later.

Dzmitry Naskavets, who provides legal assistance to Russian speakers in the U.S., shared some details of the trial: “In most cases like this the defendants plead guilty; Zhukov decided not to cooperate and even declined the possibility of receiving my advice.” Naskavets adds that the defendant claims to have developed an artificial intelligence tool for business administration and even asked the judge in charge of the case to assign him a new lawyer.

Zhukov’s arguments were unsuccessful: the jury found him guilty of all four counts brought by the prosecution (wire fraud, conspiracy to commit wire fraud, money laundering and conducting transactions with funds of illicit origin).

For his part, Mark Lesko, Acting U.S. Attorney for the Eastern District of New York, said: “The defendant is a con man who employed advanced technology to steal millions of dollars from various U.S. companies. Perhaps Zhukov believed he would get away with it, but the US Government has again shown its ability to bring cybercriminals to justice.”

On Zhukov’s fraudulent tactics, court documents state that the defendant operated an ad network known as Media Methane, which was paid to place advertisements on websites. Instead of placing the ads on real websites seen by real visitors, Zhukov used a massive botnet of rented servers to load the ads on fabricated web pages, so that the “views” advertisers paid for were generated by bots.

The defendant allegedly programmed the servers to simulate human activity on the Internet; for example, they would scroll down a web page and start and stop video players. Zhukov also rented more than 650,000 IP addresses and registered them in the name of large telecommunications companies to make it look like the traffic came from residential homes.

The scheme faked billions of ad views and diverted more than $7 million USD from companies that believed their ads were being viewed by real users. Victims included The New York Times, The New York Post, Comcast, Nestlé Purina and Time Warner Cable.

Giant Android botnet compromise thousands of Internet TV users https://www.securitynewspaper.com/2021/04/22/giant-android-botnet-compromise-thousands-of-internet-tv-users/ Thu, 22 Apr 2021 16:19:33 +0000 https://www.securitynewspaper.com/?p=23402

The post Giant Android botnet compromise thousands of Internet TV users appeared first on Information Security Newspaper | Hacking News.

Human Security cybersecurity specialists reveal the finding of a massive botnet made up of compromised Android devices. This malicious operation, identified as Pareto, aims to conduct advertising fraud against connected TV (CTV) advertising, and so far consists of about one million infected devices.

As a reminder, the term botnet refers to a network of devices compromised by the same malware, which run autonomously and automatically under the remote control of the attack operators.

Experts say the hackers have used dozens of mobile apps to impersonate more than 6,000 CTV apps, generating around 650 million ad requests per day. The botnet was first identified in 2020 and since then companies such as Google and Roku have tried to mitigate it, although the operators have managed to keep it growing.

A characteristic feature of this botnet is that it works by spoofing signals inside malicious Android mobile apps, so that the apps appear to be consumer TV streaming products running Roku OS, Fire OS, tvOS and other CTV platforms.

The report notes that the botnet exploits the shift to streaming services that the pandemic accelerated: “This approach can be particularly lucrative for threat actors, as the average price of ads on CTV platforms is much higher than ads on websites or mobile applications,” the experts add.

In addition, Pareto’s operators have shown considerable sophistication, continuously rotating the spoofed signals to create new fake traffic patterns.

As if that weren’t enough, the experts also found a collection of at least 35 apps in the Roku Channel Store that receive instructions from the same server that operates Pareto: “This C&C server sends instructions to all compromised Android devices; similarly, Roku apps connected to Pareto counterfeit CTV products to increase the scope of the attack,” the report concludes.
