Jess Weatherbed reports via The Verge: Midjourney says it has banned Stability AI staffers from using its service, accusing employees at the rival generative AI company of causing a systems outage earlier this month during an attempt to scrape Midjourney's data. Midjourney posted an update to its Discord server on March 2nd that acknowledged an extended server outage was preventing generated images from appearing in user galleries. In a summary of a business update call on March 6th, Midjourney claimed that "botnet-like activity from paid accounts" -- which the company specifically links to Stability AI employees -- was behind the outage.

According to Midjourney user Nick St. Pierre on X, who listened to the call, Midjourney said that the service was brought down because "someone at Stability AI was trying to grab all the prompt and image pairs in the middle of a night on Saturday." St. Pierre said that Midjourney had linked multiple paid accounts to an individual on the Stability AI data team. In its summary of the business update call on March 6th (which Midjourney refers to as "office hours"), the company says it's banning all Stability AI employees from using its service "indefinitely" in response to the outage. Midjourney is also introducing a new policy that will similarly ban employees of any company that exercises "aggressive automation" or causes outages to the service.

St. Pierre flagged the accusations to Stability AI CEO Emad Mostaque, who replied on X, saying he was investigating the situation and that Stability hadn't ordered the actions in question. "Very confusing how 2 accounts would do this team also hasn't been scraping as we have been using synthetic & other data given SD3 outperforms all other models," said Mostaque, referring to the Stable Diffusion 3 AI model currently in preview. He claimed that if the outage was caused by a Stability employee, then it was unintentional and "obviously not a DDoS attack." Midjourney founder David Holz responded to Mostaque in the same thread, claiming to have sent him "some information" to help with his internal investigation.

An anonymous reader quotes a report from Ars Technica: The FBI and partners from 10 other countries are urging owners of Ubiquiti EdgeRouters to check their gear for signs they've been hacked and are being used to conceal ongoing malicious operations by Russian state hackers. The Ubiquiti EdgeRouters make an ideal hideout for hackers. The inexpensive gear, used in homes and small offices, runs a version of Linux that can host malware that surreptitiously runs behind the scenes. The hackers then use the routers to conduct their malicious activities. Rather than using infrastructure and IP addresses that are known to be hostile, the connections come from benign-appearing devices hosted by addresses with trustworthy reputations, allowing them to receive a green light from security defenses.

"In summary, with root access to compromised Ubiquiti EdgeRouters, APT28 actors have unfettered access to Linux-based operating systems to install tooling and to obfuscate their identity while conducting malicious campaigns," FBI officials wrote in an advisory Tuesday. APT28 -- one of the names used to track a group backed by the Russian General Staff Main Intelligence Directorate known as GRU -- has been doing just for at least the past four years, the FBI has alleged. Earlier this month, the FBI revealed that it had quietly removed Russian malware from routers in US homes and businesses. The operation, which received prior court authorization, went on to add firewall rules that would prevent APT28 -- also tracked under names including Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit -- from being able to regain control of the devices.

On Tuesday, FBI officials noted that the operation only removed the malware used by APT28 and temporarily blocked the group using its infrastructure from reinfecting them. The move did nothing to patch any vulnerabilities in the routers or to remove weak or default credentials hackers could exploit to once again use the devices to surreptitiously host their malware. "The US Department of Justice, including the FBI, and international partners recently disrupted a GRU botnet consisting of such routers," they warned. "However, owners of relevant devices should take the remedial actions described below to ensure the long-term success of the disruption effort and to identify and remediate any similar compromises."

Those actions include:

- Perform a hardware factory reset to remove all malicious files
- Upgrade to the latest firmware version
- Change any default usernames and passwords
- Implement firewall rules to restrict outside access to remote management services

Connor Jones reports via The Register: A Ukrainian cybercrime kingpin who ran some of the most pervasive malware operations faces 40 years in prison after spending nearly a decade on the FBI's Cyber Most Wanted List. Vyacheslav Igorevich Penchukov, 37, pleaded guilty this week in the US to two charges related to his leadership role in both the Zeus and IcedID malware operations that netted millions of dollars in the process. Penchukov's plea will be seen as the latest big win for US law enforcement in its continued fight against cybercrime and those that enable it. However, authorities took their time getting him in 'cuffs. [...]

"Malware like IcedID bleeds billions from the American economy and puts our critical infrastructure and national security at risk," said US attorney Michael Easley for the eastern district of North Carolina. "The Justice Department and FBI Cyber Squad won't stand by and watch it happen, and won't quit coming for the world's most wanted cybercriminals, no matter where they are in the world. This operation removed a key player from one of the world's most notorious cybercriminal rings. Extradition is real. Anyone who infects American computers had better be prepared to answer to an American judge."

This week, he admitted one count of conspiracy to commit a racketeer influenced and corrupt organizations (RICO) act offense relating to Zeus, and one count of conspiracy to commit wire fraud in relation to IcedID. Each count carries a maximum sentence of 20 years. His sentencing date is set for May 9, 2024. Zeus malware, a banking trojan that formed a botnet for financial theft, caused over $100 million in losses before its 2014 dismantlement. Its successor, SpyEye, incorporated enhanced features for financial fraud. Despite the 2014 takedown of Zeus, Penchukov moved on to lead IcedID, a similar malware first found in 2017. IcedID evolved from banking fraud to ransomware, severely affecting the University of Vermont Medical Center in 2020 with over $30 million in damages.

An anonymous reader shares a report: More than 1,000 Ubiquiti routers in homes and small businesses were infected with malware used by Russian-backed agents to coordinate them into a botnet for crime and spy operations, according to the Justice Department. That malware, which worked as a botnet for the Russian hacking group Fancy Bear, was removed in January 2024 under a secret court order as part of "Operation Dying Ember," according to the FBI's director. It affected routers running Ubiquiti's EdgeOS, but only those that had not changed their default administrative password. Access to the routers allowed the hacking group to "conceal and otherwise enable a variety of crimes," the DOJ claims, including spearphishing and credential harvesting in the US and abroad.

Unlike previous attacks by Fancy Bear -- that the DOJ ties to GRU Military Unit 26165, which is also known as APT 28, Sofacy Group, and Sednit, among other monikers -- the Ubiquiti intrusion relied on a known malware, Moobot. Once infected by "Non-GRU cybercriminals," GRU agents installed "bespoke scripts and files" to connect and repurpose the devices, according to the DOJ. The DOJ also used the Moobot malware to copy and delete the botnet files and data, according to the DOJ, and then changed the routers' firewall rules to block remote management access. During the court-sanctioned intrusion, the DOJ "enabled temporary collection of non-content routing information" that would "expose GRU attempts to thwart the operation." This did not "impact the routers' normal functionality or collect legitimate user content information," the DOJ claims. "For the second time in two months, we've disrupted state-sponsored hackers from launching cyber-attacks behind the cover of compromised US routers," said Deputy Attorney General Lisa Monaco in a press release.

On Tuesday, The Independent, Tom's Hardware, and many other tech outlets reported on a story about how three million smart toothbrushes were used in a DDoS attack. The only problem? It "didn't actually happen," writes Jason Koebler via 404 Media. "There are no additional details about this apparent attack, and most of the article cites general research by a publicly traded cybersecurity company called Fortinet which has detected malicious, hijacked internet of things devices over the years. A search on Fortinet's website shows no recent published research about hacked smart toothbrushes." From the report: The original article, called "The toothbrushes are attacking," starts with the following passage: "She's at home in the bathroom, but she's part of a large-scale cyber attack. The electric toothbrush is programmed with Java, and criminals have unnoticed installed malware on it - like on 3 million other toothbrushes. One command is enough and the remote-controlled toothbrushes simultaneously access the website of a Swiss company. The site collapses and is paralyzed for four hours. Millions of dollars in damage is caused. This example, which seems like a Hollywood scenario, actually happened. It shows how versatile digital attacks have become." [...]

The "3 million hacked smart toothbrushes" story has now been viral for more than 24 hours and literally no new information about it has emerged despite widespread skepticism from people in the security industry and its virality. The two Fortinet executives cited in the original report did not respond to an email and LinkedIn message seeking clarification, and neither did Fortinet's PR team. The author of the Aargauer Zeitung story also did not respond to a request for more information. I called Fortinet's headquarters, asked to speak to the PR contact listed on the press release about its earnings, which was published after the toothbrush news began to go viral, and was promptly disconnected. The company has continued to tweet about other, unrelated things. They have not responded to BleepingComputer either, nor the many security researchers who are asking for further proof that this actually happened. While we don't know how this happened, Fortinet has been talking specifically about the dangers of internet-connected toothbrushes for years, and has been using it as an example in researcher talks. In a statement to 404 Media, Fortinet said "To clarify, the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs. It appears that due to translations the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred."

An anonymous reader quotes a report from Tom's Hardware: According to a recent report published by the Aargauer Zeitung (h/t Golem.de), around three million smart toothbrushes have been infected by hackers and enslaved into botnets. The source report says this sizable army of connected dental cleansing tools was used in a DDoS attack on a Swiss company's website. The firm's site collapsed under the strain of the attack, reportedly resulting in the loss of millions of Euros of business. In this particular case, the toothbrush botnet was thought to have been vulnerable due to its Java-based OS. No particular toothbrush brand was mentioned in the source report. Normally, the toothbrushes would have used their connectivity for tracking and improving user oral hygiene habits, but after a malware infection, these toothbrushes were press-ganged into a botnet.

Stefan Zuger from the Swiss branch of the global cybersecurity firm Fortinet provided the publication with a few tips on what people could do to protect their own toothbrushes -- or other connected gadgetry like routers, set-top boxes, surveillance cameras, doorbells, baby monitors, washing machines, and so on. "Every device that is connected to the Internet is a potential target -- or can be misused for an attack," Zuger told the Swiss newspaper. The security expert also explained that every connected device was being continually probed for vulnerabilities by hackers, so there is a real arms race between device software/firmware makers and cyber criminals. Fortinet recently connected an 'unprotected' PC to the internet and found it took only 20 minutes before it became malware-ridden. UPDATE 1/7/24: This attack "didn't actually happen," writes Jason Koebler via 404 Media. "There are no additional details about this apparent attack, and most of the article cites general research by a publicly traded cybersecurity company called Fortinet which has detected malicious, hijacked internet of things devices over the years. A search on Fortinet's website shows no recent published research about hacked smart toothbrushes."

The cybersecurity firm Fortinet said in a statement: "To clarify, the topic of toothbrushes being used for DDoS attacks was presented during an interview as an illustration of a given type of attack, and it is not based on research from Fortinet or FortiGuard Labs. It appears that due to translations the narrative on this topic has been stretched to the point where hypothetical and actual scenarios are blurred. FortiGuard Labs has not observed Mirai or other IoT botnets target toothbrushes or similar embedded devices."

"China's hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike," said FBI Director Christopher Wray in a prepared testimony before the House Select Committee on the Chinese Communist Party. NBC News reports: Wray also argued that "there has been far too little public focus" that Chinese hackers are targeting critical infrastructure in the U.S. such as water treatment plants, electrical grids, oil and natural gas pipelines, and transportation systems, according to the prepared remarks. "And the risk that poses to every American requires our attention -- now," his prepared testimony said.

As Wray testified, the Justice Department and FBI announced they had disabled a Chinese hacking operation that had infected hundreds of small office and home routers with botnet malware that targeted critical infrastructure. The DOJ said the hackers, known to the private sector as "Volt Typhoon," used privately owned small routers that were infected with "KV botnet" malware to conceal further Chinese hacking activities against U.S. and foreign victims. Wray addressed the malware in his testimony, emphasizing that it targets critical infrastructure in the U.S. [...]

At Wednesday's hearing, the director of the federal Cybersecurity and Infrastructure Security Agency, Jen Easterly, testified that Americans should expect efforts by China to wage influence campaigns online relating to the 2024 election. However, Easterly added that she was confident that voting systems and other election infrastructure are well-defended. "To be very clear, Americans should have confidence in the integrity of our election infrastructure because of the enormous amount of work that's been done by state and local election officials, by the federal government, by vendors, by the private sector since 2016," Easterly said in her testimony.

Wray emphasized in the remarks that the "cyber onslaught" of Chinese hackers "goes way beyond prepositioning for future conflict," saying in the prepared remarks that every day the hackers are "actively attacking" U.S. economic security, engaging in "wholesale theft of our innovation, and our personal and corporate data." "And they don't just hit our security and economy. They target our freedoms, reaching inside our borders, across America, to silence, coerce, and threaten our citizens and residents," the excerpts said.

An LG washing machine owner discovered that his smart home appliance was uploading an average of 3.66GB of data daily. "Concerned about the washer's internet addiction, Johnie forced the device to go cold turkey and blocked it using his router UI," reports Tom's Hardware. From the report: Johnie's initial screenshot showed that on a chosen day, the device uploaded 3.57GB and downloaded about 100MB, and the data traffic was almost constant. Meanwhile, according to the Asus router interface screenshot, the washing machine accounted for just shy of 5% of Johnie's internet traffic daily. The LG washing machine owner saw the fun in his predicament and joked that the device might use Wi-Fi for "DLCs (Downloadable Laundry Cycles)." He wasn't entirely kidding: The machine does download presets for various types of apparel. However, the lion's share of the data transferred was uploaded.

Working through the thread, we note that Johnie also pondered the possibility of someone using his washing machine for crypto mining. "I'd gladly rent our LPU (Laundry Processing Unit) by the hour," he quipped. Again, there was the glimmer of a possibility that there could be truth behind this joke. Another social media user highlighted a history of hackers taking over LG smart-connected appliances. The SmartThinQ home appliances HomeHack vulnerability was patched several weeks after being made public. A similar modern hack might use the washing machine's computer resources as part of a botnet. Taking control of an LG washing machine as part of a large botnet for cryptocurrency mining or nefarious networking purposes wouldn't be as far-fetched as it sounds. Large numbers of relatively low-power devices can be formidable together. One of the more innocent theories regarding the significant data uploads suggested laundry data was being uploaded to LG so it could improve its LLM (Large Laundry Model). It sought to do this to prepare for the launch of its latest "AI washer-dryer combo" at CES, joked Johnie.

For now, it looks like the favored answer to the data mystery is to blame Asus for misreporting it. We may never know what happened with Johnie, who is now running his LG washing machine offline. Another relatively innocent reason for the supposed high volume of uploads could be an error in the Asus router firmware. In a follow-up post a day after his initial Tweet, Johnie noted "inaccuracy in the ASUS router tool," with regard to Apple iMessage data use. Other LG smart washing machine users showed device data use from their router UIs. It turns out that these appliances more typically use less than 1MB per day.

Previously unknown self-replicating malware has been infecting Linux devices worldwide, installing cryptomining malware using unusual concealment methods. The worm is a customized version of Mirai botnet malware, which takes control of Linux-based internet-connected devices to infect others. Mirai first emerged in 2016, delivering record-setting distributed denial-of-service attacks by compromising vulnerable devices. Once compromised, the worm self-replicates by scanning for and guessing credentials of additional vulnerable devices. While traditionally used for DDoS attacks, this latest variant focuses on covert cryptomining. ArsTechnica adds: On Wednesday, researchers from network security and reliability firm Akamai revealed that a previously unknown Mirai-based network they dubbed NoaBot has been targeting Linux devices since at least last January. Instead of targeting weak telnet passwords, the NoaBot targets weak passwords connecting SSH connections. Another twist: Rather than performing DDoSes, the new botnet installs cryptocurrency mining software, which allows the attackers to generate digital coins using victims' computing resources, electricity, and bandwidth. The cryptominer is a modified version of XMRig, another piece of open source malware. More recently, NoaBot has been used to also deliver P2PInfect, a separate worm researchers from Palo Alto Networks revealed last July.

Akamai has been monitoring NoaBot for the past 12 months in a honeypot that mimics real Linux devices to track various attacks circulating in the wild. To date, attacks have originated from 849 distinct IP addresses, almost all of which are likely hosting a device that's already infected. The following figure tracks the number of attacks delivered to the honeypot over the past year.

An anonymous reader quotes a report from Ars Technica: Miscreants are actively exploiting two new zero-day vulnerabilities to wrangle routers and video recorders into a hostile botnet used in distributed denial-of-service attacks, researchers from networking firm Akamai said Thursday. Both of the vulnerabilities, which were previously unknown to their manufacturers and to the security research community at large, allow for the remote execution of malicious code when the affected devices use default administrative credentials, according to an Akamai post. Unknown attackers have been exploiting the zero-days to compromise the devices so they can be infected with Mirai, a potent piece of open source software that makes routers, cameras, and other types of Internet of Things devices part of a botnet that's capable of waging DDoSes of previously unimaginable sizes.

Akamai researchers said one of the zero-days under attack resides in one or more models of network video recorders. The other zero-day resides in an "outlet-based wireless LAN router built for hotels and residential applications." The router is sold by a Japan-based manufacturer, which "produces multiple switches and routers." The router feature being exploited is "a very common one," and the researchers can't rule out the possibility it's being exploited in multiple router models sold by the manufacturer. Akamai said it has reported the vulnerabilities to both manufacturers, and that one of them has provided assurances security patches will be released next month. Akamai said it wasn't identifying the specific devices or the manufacturers until fixes are in place to prevent the zero-days from being more widely exploited.

The Akamai post provides a host of file hashes and IP and domain addresses being used in the attacks. Owners of network video cameras and routers can use this information to see if devices on their networks have been targeted. [...] In an email, Akamai researcher Larry Cashdollar wrote: "The devices don't typically allow code execution through the management interface. This is why getting RCE through command injection is needed. Because the attacker needs to authenticate first they have to know some login credentials that will work. If the devices are using easy guessable logins like admin:password or admin:password1 those could be at risk too if someone expands the list of credentials to try." He said that both manufacturers have been notified, but only one of them has so far committed to releasing a patch, which is expected next month. The status of a fix from the second manufacturer is currently unknown. Cashdollar said an incomplete Internet scan showed there are at least 7,000 vulnerable devices. The actual number of affected devices may be higher.

Last year, Andrew Appel, professor of computer science at Princeton University, wrote a 5-part series about Switzerland's e-voting system, highlighting the inherent security vulnerabilities it faces and the safeguards the country has in place. Now, he's writing about an interesting new vulnerability in the system that can be exploited to manipulate votes without anyone knowing. The vulnerability was discovered by Swiss computer scientist Andreas Kuster. From a blog post written by security technologist Bruce Schneier: "The Swiss Post e-voting system aims to protect your vote against vote manipulation and interference. The goal is to achieve this even if your own computer is infected by undetected malware that manipulates a user vote. This protection is implemented by special return codes (Prufcode), printed on the sheet of paper you receive by physical mail. Your computer doesn't know these codes, so even if it's infected by malware, it can't successfully cheat you as long as, you follow the protocol.

Unfortunately, the protocol isn't explained to you on the piece of paper you get by mail. It's only explained to you online, when you visit the e-voting website. And of course, that's part of the problem! If your computer is infected by malware, then it can already present to you a bogus website that instructs you to follow a different protocol, one that is cheatable. To demonstrate this, I built a proof-of-concept demonstration."

Appel again: "Kuster's fake protocol is not exactly what I imagined; it's better. He explains it all in his blog post. Basically, in his malware-manipulated website, instead of displaying the verification codes for the voter to compare with what's on the paper, the website asks the voter to enter the verification codes into a web form. Since the website doesn't know what's on the paper, that web-form entry is just for show. Of course, Kuster did not employ a botnet virus to distribute his malware to real voters! He keeps it contained on his own system and demonstrates it in a video."

The Cyber Police Department of the National Police of Ukraine dismantled another massive bot farm, seizing computer equipment, mobile phones, and roughly 150,000 SIM cards of multiple mobile operators. BleepingComputer reports: The bots were used to push Russian propaganda justifying Russia's war in Ukraine, to disseminate illegal content and personal information, and in various other fraudulent activities. In a joint operation, the cyber police and units of the Ukrainian National Police executed 21 search operations in Vinnytsia, Zaporizhzhia, and Lvivand.

"The cyber police established that the attackers used special equipment and software to register thousands of bot accounts in various social networks and subsequently launch advertisements that violated the norms and legislation of Ukraine," a cyber police press release reads [machine translation]. "In addition to spreading hostile propaganda, the accounts were also used for unauthorized distribution of personal data of Ukrainian citizens on the Internet, in Internet fraud schemes, and for sending known false messages about threats to citizens' safety, destruction or damage to property." Cyber police in Ukraine have busted several pro-Russian bot farms in the last year, including one last month called "Botoferma" and another one late last year that was working for the Russian secret services. Ukraine also traced a Russian propaganda operation to a bot farm that was secretly operating in the country's own capital of Kyiv last August. "The farm operated more than 1 million bot accounts, which helped the propaganda operation build an audience of over 400,000 users on social media," reports PCMag.

An anonymous reader quotes a report from Ars Technica: Hundreds of Internet-exposed devices inside solar farms remain unpatched against a critical and actively exploited vulnerability that makes it easy for remote attackers to disrupt operations or gain a foothold inside the facilities. The devices, sold by Osaka, Japan-based Contec under the brand name SolarView, help people inside solar facilities monitor the amount of power they generate, store, and distribute. Contec says that roughly 30,000 power stations have introduced the devices, which come in various packages based on the size of the operation and the type of equipment it uses.

Searches on Shodan indicate that more than 600 of them are reachable on the open Internet. As problematic as that configuration is, researchers from security firm VulnCheck said Wednesday, more than two-thirds of them have yet to install an update that patches CVE-2022-29303, the tracking designation for a vulnerability with a severity rating of 9.8 out of 10. The flaw stems from the failure to neutralize potentially malicious elements included in user-supplied input, leading to remote attacks that execute malicious commands. Security firm Palo Alto Networks said last month the flaw was under active exploit by an operator of Mirai, an open source botnet consisting of routers and other so-called Internet of Things devices. The compromise of these devices could cause facilities that use them to lose visibility into their operations, which could result in serious consequences depending on where the vulnerable devices are used.

"The fact that a number of these systems are Internet facing and that the public exploits have been available long enough to get rolled into a Mirai-variant is not a good situation," VulnCheck researcher Jacob Baines wrote. "As always, organizations should be mindful of which systems appear in their public IP space and track public exploits for systems that they rely on." Baines said that the same devices vulnerable to CVE-2022-29303 were also vulnerable to CVE-2023-23333, a newer command-injection vulnerability that also has a severity rating of 9.8. Although there are no known reports of it being actively exploited, exploit code has been publicly available since February. Incorrect descriptions for both vulnerabilities are one factor involved in the patch failures, Baines said. Both vulnerabilities indicate that SolarView versions 8.00 and 8.10 are patched against CVE-2022-29303 and CVE-2023-293333. In fact, the researcher said, only 8.10 is patched against the threats.

An anonymous reader quotes a report from KrebsOnSecurity: Authorities in Germany this week seized Internet servers that powered FlyHosting, a dark web offering that catered to cybercriminals operating DDoS-for-hire services, KrebsOnSecurity has learned. FlyHosting first advertised on cybercrime forums in November 2022, saying it was a Germany-based hosting firm that was open for business to anyone looking for a reliable place to host malware, botnet controllers, or DDoS-for-hire infrastructure. A statement released today by the German Federal Criminal Police Office says they served eight search warrants on March 30, and identified five individuals aged 16-24 suspected of operating "an internet service" since mid-2021. The German authorities did not name the suspects or the Internet service in question.

"Previously unknown perpetrators used the Internet service provided by the suspects in particular for so-called 'DDoS attacks', i.e. the simultaneous sending of a large number of data packets via the Internet for the purpose of disrupting other data processing systems," the statement reads. The German authorities said that as a result of the DDoS attacks facilitated by the defendants, the websites of various companies as well as those of the Hesse police have been overloaded in several cases since mid-2021, "so that they could only be operated to a limited extent or no longer at times." The statement says police seized mobile phones, laptops, tablets, storage media and handwritten notes from the unnamed defendants, and confiscated servers operated by the suspects in Germany, Finland and the Netherlands.

An anonymous reader shares a report: KmsdBot, a cryptomining botnet that could also be used for denial-of-service (DDOS) attacks, broke into systems through weak secure shell credentials. It could remotely control a system, it was hard to reverse-engineer, didn't stay persistent, and could target multiple architectures. KmsdBot was a complex malware with no easy fix. That was the case until researchers at Akamai Security Research witnessed a novel solution: forgetting to put a space between an IP address and a port in a command. And it came from whoever was controlling the botnet.

With no error-checking built in, sending KmsdBot a malformed command -- like its controllers did one day while Akamai was watching -- created a panic crash with an "index out of range" error. Because there's no persistence, the bot stays down, and malicious agents would need to reinfect a machine and rebuild the bot's functions. It is, as Akamai notes, "a nice story" and "a strong example of the fickle nature of technology." KmsdBot is an intriguing modern malware. It's written in Golang, partly because Golang is difficult to reverse-engineer. When Akamai's honeypot caught the malware, it defaulted to targeting a company that created private Grand Theft Auto Online servers. It has a cryptomining ability, though it was latent while the DDOS activity was running. At times, it wanted to attack other security companies or luxury car brands.

An anonymous reader quotes a report from KrebsOnSecurity: In December 2021, Google filed a civil lawsuit against two Russian men thought to be responsible for operating Glupteba, one of the Internet's largest and oldest botnets. The defendants, who initially pursued a strategy of counter suing Google for tortious interference in their sprawling cybercrime business, later brazenly offered to dismantle the botnet in exchange for payment from Google. The judge in the case was not amused, found for the plaintiff, and ordered the defendants and their U.S. attorney to pay Google's legal fees. The lawyer for the defendants, New York-based cybercrime defense attorney Igor Litvak, filed a motion to reconsider (PDF), asking the court to vacate the sanctions against him. He said his goal is to get the case back into court. "The judge was completely wrong to issue sanctions," Litvak told KrebsOnSecurity. "From the beginning of the case, she acted as if she needed to protect Google from something. If the court does not decide to vacate the sanctions, we will have to go to the Second Circuit (Court of Appeals) and get justice there."

Meanwhile, Google said the court's decision will have significant ramifications for online crime, adding that it's observed a 78 percent reduction in the number of hosts infected by Glupteba since its technical and legal attacks on the botnet last year.

"While Glupteba operators have resumed activity on some non-Google platforms and IoT devices, shining a legal spotlight on the group makes it less appealing for other criminal operations to work with them," reads a blog post from Google's General Counsel Halimah DeLaine Prado and vice president of engineering Royal Hansen. "And the steps [Google] took last year to disrupt their operations have already had significant impact."

A 36-year-old Russian man recently identified by KrebsOnSecurity as the likely proprietor of the massive RSOCKS botnet has been arrested in Bulgaria at the request of U.S. authorities. At a court hearing in Bulgaria this month, the accused hacker requested and was granted extradition to the United States, reportedly telling the judge, "America is looking for me because I have enormous information and they need it." From the report: On June 22, KrebsOnSecurity published Meet the Administrators of the RSOCKS Proxy Botnet, which identified Denis Kloster, a.k.a. Denis Emelyantsev, as the apparent owner of RSOCKS, a collection of millions of hacked devices that were sold as "proxies" to cybercriminals looking for ways to route their malicious traffic through someone else's computer. A native of Omsk, Russia, Kloster came into focus after KrebsOnSecurity followed clues from the RSOCKS botnet master's identity on the cybercrime forums to Kloster's personal blog, which featured musings on the challenges of running a company that sells "security and anonymity services to customers around the world." Kloster's blog even included a group photo of RSOCKS employees.

The Bulgarian news outlet 24Chasa.bg reports that Kloster was arrested in June at a co-working space in the southwestern ski resort town of Bansko, and that the accused asked to be handed over to the American authorities. "I have hired a lawyer there and I want you to send me as quickly as possible to clear these baseless charges," Kloster reportedly told the Bulgarian court this week. "I am not a criminal and I will prove it in an American court." 24Chasa said the defendant's surname is Emelyantsev and that he only recently adopted the last name Kloster, which is his mother's maiden name. As KrebsOnSecurity reported in June, Kloster also appears to be a major player in the Russian email spam industry. [...] Kloster turned 36 while awaiting his extradition hearing, and may soon be facing charges that carry punishments of up to 20 years in prison.

Slashdot reader storagedude writes: Hackers are stealing cookies from current or recent web sessions to bypass multi-factor authentication (MFA), according to an eSecurity Planet report.

The attack method, reported by Sophos researchers, is already growing in use. The "cookie-stealing cybercrime spectrum" is broad, the researchers wrote, ranging from "entry-level criminals" to advanced adversaries, using various techniques.

Cybercriminals collect cookies or buy stolen credentials "in bulk" on dark web forums. Ransomware groups also harvest cookies and "their activities may not be detected by simple anti-malware defenses because of their abuse of legitimate executables, both already present and brought along as tools," the researchers wrote.

Browsers allow users to maintain authentication, remember passwords and autofill forms. That might seem convenient, but attackers can exploit this functionality to steal credentials and skip the login challenge.

Behind the scenes, browsers use SQLite database files that contain cookies. These cookies are composed of key-value pairs, and the values often contain critical information such as tokens and expiration dates.

Adversaries know the exact name and location of these files for all major browsers such as Chrome, Firefox, and even Brave, on various operating systems. That's why the attack can be scripted. It's not uncommon to find such scripts along with other modules in info-stealing and other malware.

For example, the latest version of the Emotet botnet targets cookies and credentials stored by browsers, which include saved credit cards. According to the Sophos researchers, "Google's Chrome browser uses the same encryption method to store both multi-factor authentication cookies and credit card data."

To gain initial access, attackers can also perform phishing and spear-phishing campaigns to implant droppers that can deploy cookie-stealer malware stealthily.

The cookies are then used for post-exploitation and lateral movements. Cybercriminals can use them to change passwords and emails associated with user accounts, or trick the victims into downloading additional malware, or even deploy other exploitation tools such as Cobalt Strike and Impacket kit.

Users should not use built-in features to save passwords unless the browser encrypts them with, at least, a master password. It's recommended that users uncheck the setting called "remember passwords," and users should probably not allow persistent sessions as well.

Developers can be part of the problem if they don't secure authentication cookies properly. Such cookies must have a short expiration date. Otherwise, the persistent authentication could turn into a persistent threat. You can have great security processes and still get hacked because the cookies do not have the necessary flags (e.g., HttpOnly, Secure attribute). For example, authentication cookies must be sent using SSL/TLS channels. Otherwise the data could be sent in plain text and attackers would only have to sniff traffic to intercept credentials.

ZDNet is warning that Linux users need to watch out for "a new peer-to-peer (P2P) botnet that spreads between networks using stolen SSH keys and runs its crypto-mining malware in a device's memory." The Panchan P2P botnet was discovered by researchers at Akamai in March and the company is now warning it could be taking advantage of collaboration between academic institutions to spread by causing previously stolen SSH authentication keys to be shared across networks.

But rather than stealing intellectual property from these educational institutions, the Panchan botnet is using their Linux servers to mine cryptocurrency, according to Akamai... "Instead of just using brute force or dictionary attacks on randomized IP addresses like most botnets do, the malware also reads the id_rsa and known_hosts files to harvest existing credentials and use them to move laterally across the network...." Akamai found 209 peers, but only 40 of them are currently active and they were mostly located in Asia.

And why is the education sector more impacted by Panchan? Akamai guesses this could be because of poor password hygiene, or that the malware moves across the network with stolen SSH keys.
Akamai writes that the malware "catches Linux termination signals (specifically SIGTERM — 0xF and SIGINT — 0x2) that are sent to it, and ignores them.

"This makes it harder to terminate the malware, but not impossible, since SIGKILL isn't handled (because it isn't possible, according to the POSIX standard, page 313)."

"In the last six months, we observed a 254% increase in activity from a Linux trojan called XorDdos," writes the Microsoft 365 Defender Research Team. It's a trojan combining denial-of-service functionality with XOR-based encryption for communication.

Microsoft calls it part of "the trend of malware increasingly targeting Linux-based operating systems, which are commonly deployed on cloud infrastructures and Internet of Things devices." And ZDNet describes the trojan "one of the most active Linux-based malware families of 2021, according to Crowdstrike." XorDdos conducts automated password-guessing attacks across thousands of Linux servers to find matching admin credentials used on Secure Shell (SSH) servers... Once credentials are gained, the botnet uses root privileges to install itself on a Linux device and uses XOR-based encryption to communicate with the attacker's command and control infrastructure.

While DDoS attacks are a serious threat to system availability and are growing in size each year, Microsoft is worried about other capabilities of these botnets. "We found that devices first infected with XorDdos were later infected with additional malware such as the Tsunami backdoor, which further deploys the XMRig coin miner," Microsoft notes... Microsoft didn't see XorDdos directly installing and distributing the Tsunami backdoor, but its researchers think XorDdos is used as a vector for follow-on malicious activities...

XorDdoS can perform multiple DDoS attack techniques, including SYN flood attacks, DNS attacks, and ACK flood attacks.
Microsoft's team warns that the trojan's evasion capabilities "include obfuscating the malware's activities, evading rule-based detection mechanisms and hash-based malicious file lookup, as well as using anti-forensic techniques to break process tree-based analysis.

"We observed in recent campaigns that XorDdos hides malicious activities from analysis by overwriting sensitive files with a null byte. It also includes various persistence mechanisms to support different Linux distributions."