Servers – INDIA NEWS (http://www.indiavpn.org), category feed last updated Thu, 04 Apr 2024 13:07:35 +0000

New HTTP/2 Vulnerability Exposes Web Servers to DoS Attacks
Published Thu, 04 Apr 2024 13:07:35 +0000
http://www.indiavpn.org/2024/04/04/new-http-2-vulnerability-exposes-web-servers-to-dos-attacks/

Apr 04, 2024 | Newsroom | Vulnerability / Internet Protocol


New research has found that the CONTINUATION frame in the HTTP/2 protocol can be exploited to conduct denial-of-service (DoS) attacks.

The technique has been codenamed HTTP/2 CONTINUATION Flood by security researcher Bartek Nowotarski, who reported the issue to the CERT Coordination Center (CERT/CC) on January 25, 2024.

“Many HTTP/2 implementations do not properly limit or sanitize the amount of CONTINUATION frames sent within a single stream,” CERT/CC said in an advisory on April 3, 2024.

“An attacker that can send packets to a target server can send a stream of CONTINUATION frames that will not be appended to the header list in memory but will still be processed and decoded by the server or will be appended to the header list, causing an out of memory (OOM) crash.”

As in HTTP/1, HTTP/2 carries header fields within requests and responses. These header fields are collected into header lists, which in turn are serialized into header blocks. Each header block is then divided into block fragments and transmitted within a HEADERS frame followed, where needed, by CONTINUATION frames.

“The CONTINUATION frame (type=0x9) is used to continue a sequence of header block fragments,” RFC 7540 reads.


“Any number of CONTINUATION frames can be sent, as long as the preceding frame is on the same stream and is a HEADERS, PUSH_PROMISE, or CONTINUATION frame without the END_HEADERS flag set.”

The last frame containing headers will have the END_HEADERS flag set, which signals the remote endpoint that it’s the end of the header block.

According to Nowotarski, CONTINUATION Flood is a class of vulnerabilities within several HTTP/2 protocol implementations that pose a more severe threat compared to the Rapid Reset attack that came to light in October 2023.

“A single machine (and in certain instances, a mere single TCP connection or a handful of frames) has the potential to disrupt server availability, with consequences ranging from server crashes to substantial performance degradation,” the researcher said. “Remarkably, requests that constitute an attack are not visible in HTTP access logs.”

The vulnerability, at its core, has to do with incorrect handling of HEADERS and multiple CONTINUATION frames that pave the way for a DoS condition.

In other words, an attacker can initiate a new HTTP/2 stream against a target server using a vulnerable implementation and send HEADERS and CONTINUATION frames with no set END_HEADERS flag, creating a never-ending stream of headers that the HTTP/2 server would need to parse and store in memory.

While the exact outcome varies by implementation, the impact ranges from an instant crash after only a couple of HTTP/2 frames, to an out-of-memory crash, to CPU exhaustion, in every case affecting server availability.

“RFC 9113 […] mentions multiple security issues that may arise if CONTINUATION frames are not handled correctly,” Nowotarski said.


“At the same time, it does not mention a specific case in which CONTINUATION frames are sent without the final END_HEADERS flag which can have repercussions on affected servers.”
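The two limits the advisory says were missing, as an added example that is not code from the article or from any of the affected projects: a minimal server-side reader that assembles one stream's HEADERS and CONTINUATION fragments and stops buffering and decoding as soon as the header block exceeds a byte cap or a CONTINUATION-count cap. Frame layout follows RFC 7540; the cap values are illustrative assumptions, not any real server's defaults.

```python
import struct

FRAME_HEADER_LEN = 9
MAX_FRAME_SIZE = 1 << 14  # SETTINGS_MAX_FRAME_SIZE default (RFC 7540 s6.5.2)
TYPE_HEADERS = 0x1
TYPE_CONTINUATION = 0x9
FLAG_END_HEADERS = 0x4
FLAG_PADDED = 0x8
FLAG_PRIORITY = 0x20
# Illustrative caps chosen for this example, not values taken from any real server.
MAX_HEADER_BLOCK_BYTES = 16 * 1024
MAX_CONTINUATION_FRAMES = 8


class ProtocolError(Exception):
    """Peer violated framing rules or exceeded a cap: the server should reset the connection."""


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Serialize one frame: 24-bit length, type, flags, reserved bit + 31-bit stream id."""
    if len(payload) > MAX_FRAME_SIZE:
        raise ValueError("payload exceeds SETTINGS_MAX_FRAME_SIZE")
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def iter_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) for each frame in a captured byte stream."""
    offset = 0
    while offset + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[offset:offset + 3], "big")
        if length > MAX_FRAME_SIZE:
            raise ProtocolError("frame length exceeds SETTINGS_MAX_FRAME_SIZE")
        ftype, flags = data[offset + 3], data[offset + 4]
        stream_id = int.from_bytes(data[offset + 5:offset + 9], "big") & 0x7FFFFFFF
        start, end = offset + FRAME_HEADER_LEN, offset + FRAME_HEADER_LEN + length
        if end > len(data):
            raise ProtocolError("truncated frame")
        yield ftype, flags, stream_id, data[start:end]
        offset = end


def headers_fragment(flags: int, payload: bytes) -> bytes:
    """Strip the optional Pad Length and Priority fields of a HEADERS payload (RFC 7540 s6.2)."""
    pad_len = 0
    if flags & FLAG_PADDED:
        if not payload:
            raise ProtocolError("PADDED HEADERS frame without Pad Length")
        pad_len, payload = payload[0], payload[1:]
    if flags & FLAG_PRIORITY:
        if len(payload) < 5:
            raise ProtocolError("PRIORITY HEADERS frame too short")
        payload = payload[5:]
    if pad_len > len(payload):
        raise ProtocolError("padding exceeds payload")
    return payload[:len(payload) - pad_len]


def assemble_header_block(data: bytes) -> bytes:
    """Assemble one stream's header block from HEADERS + CONTINUATION frames.

    Returns the complete block (input for the HPACK decoder) once END_HEADERS arrives;
    raises ProtocolError, so buffering and decoding stop, as soon as a CONTINUATION
    frame is out of place or either cap is exceeded."""
    fragments, total, continuations, open_stream = [], 0, 0, None
    for ftype, flags, stream_id, payload in iter_frames(data):
        if ftype == TYPE_HEADERS:
            if open_stream is not None:
                raise ProtocolError("HEADERS while another header block is open")
            open_stream, fragment = stream_id, headers_fragment(flags, payload)
        elif ftype == TYPE_CONTINUATION:
            if open_stream is None or stream_id != open_stream:
                raise ProtocolError("CONTINUATION without an open header block on this stream")
            continuations += 1
            if continuations > MAX_CONTINUATION_FRAMES:
                raise ProtocolError("too many CONTINUATION frames before END_HEADERS")
            fragment = payload
        elif open_stream is not None:
            raise ProtocolError("header block interrupted by another frame type")
        else:
            continue  # frames outside a header block are not this example's concern
        total += len(fragment)
        if total > MAX_HEADER_BLOCK_BYTES:
            raise ProtocolError("header block exceeds size limit")
        fragments.append(fragment)
        if flags & FLAG_END_HEADERS:
            return b"".join(fragments)
    raise ProtocolError("connection data ended without END_HEADERS")


if __name__ == "__main__":
    # Constructed traffic: a legitimate two-frame header block, then a flood of
    # CONTINUATION frames that never set END_HEADERS, as the article describes.
    legit = (build_frame(TYPE_HEADERS, 0, 1, b"\x82\x86")
             + build_frame(TYPE_CONTINUATION, FLAG_END_HEADERS, 1, b"\x84"))
    flood = build_frame(TYPE_HEADERS, 0, 3, b"\x82") + b"".join(
        build_frame(TYPE_CONTINUATION, 0, 3, b"\x00" * 64) for _ in range(1000))
    print("legit ->", assemble_header_block(legit).hex())
    try:
        assemble_header_block(flood)
    except ProtocolError as err:
        print("flood -> rejected:", err)
```

The flood is rejected at the ninth CONTINUATION frame, long before the 64 KB it carries is buffered, which is the behaviour a fixed implementation should show.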

The issue impacts several projects such as amphp/http (CVE-2024-2653), Apache HTTP Server (CVE-2024-27316), Apache Tomcat (CVE-2024-24549), Apache Traffic Server (CVE-2024-31309), Envoy proxy (CVE-2024-27919 and CVE-2024-30255), Golang (CVE-2023-45288), h2 Rust crate, nghttp2 (CVE-2024-28182), Node.js (CVE-2024-27983), and Tempesta FW (CVE-2024-2758).

Users are recommended to upgrade affected software to the latest version to mitigate potential threats. In the absence of a fix, it’s advised to consider temporarily disabling HTTP/2 on the server.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.



Defending Minecraft Servers Against DDoS Attacks
Published Tue, 26 Mar 2024 13:57:42 +0000
http://www.indiavpn.org/2024/03/26/defending-minecraft-servers-against-ddos-attacks/


Minecraft, with over 500 million registered users and 166 million monthly players, faces significant risks from distributed denial-of-service (DDoS) attacks, threatening server functionality, player experience, and the game’s reputation. Despite the prevalence of DDoS attacks on the game, the majority of incidents go unreported, leaving a gap in awareness and protection. This article explains what happens to a Minecraft server during a DDoS attack and how to protect against such attacks. For an in-depth version of the article, check out this white paper.

When Creepers Breach: What Happens When an Attack Is Successful

When a Minecraft server is hit with a DDoS attack, players may have problems with logging in to servers, loading worlds, navigating biomes, using tools, and chatting. They can also experience general lags, disconnections, timeouts, or server crashes. These in-game disruptions can ruin the gaming experience for players while causing financial and reputational losses to server owners, operators, and the wider Minecraft community.

What Happens to a Minecraft Server During a DDoS Attack?

In a DDoS attack, the attacker’s objective is to disrupt a Minecraft server, rendering it unstable or unavailable to legitimate users, by flooding it with malicious traffic until it becomes overwhelmed. DDoS attacks on Minecraft servers can last anywhere from a few seconds to days, depending on their severity and the countermeasures in place.

Severe attacks can cost players prize money in tournaments, diminish players’ confidence in the server, cause server crashes, or even force servers to be upgraded for better redundancy and resilience against future attacks.

Evidence of an Attack

This checklist serves as a handy reference guide when facing suspicious network activities that resemble DDoS attacks.

  • Sudden spikes in traffic: Sudden spikes in traffic patterns can be a strong indicator of DDoS activity, as they often involve a large volume of traffic or packets.
  • Port congestion: A surge in traffic to specific ports on the network infrastructure can also be indicative of DDoS activity.
  • Too many requests: Too many connection requests from an IP or IP range, as detected by a rate-limiter, can signal DDoS activity or brute force attempts, among others.
  • Increased resource use: DDoS attacks place an overwhelming demand on server resources such as CPU and RAM.
  • Unusually slow network: Following sudden spikes or bursts, the network connection may take a hit and become unusually slow, grossly affecting gameplay.
  • Unresponsiveness: Depending on the site or type of attack, players may experience latency and lags, and become unable to perform in-game actions, interact with their biomes, or chat.
  • Unavailability: Intensive or extensive DDoS attacks may overwhelm a server’s resources, forcing it to go offline or crash.
  • Widespread complaints: Widespread complaints within the Minecraft community can indicate that a major DDoS attack is simultaneously targeting multiple servers.
  • Increased billing: Minecraft server owners on pay-as-you-go plans may notice a sudden spike in their compute bills or subscription fees.

If several of these signs converge at any given time for your Minecraft server, there’s a high probability that a DDoS attack is underway and requires immediate remediation.

If you’re not sure whether an attack is occurring, contact your ISP or host. They should be able to verify whether it’s a DDoS attack or not. In some cases, these signs could be symptoms of other cyberattacks or unrelated network issues, and will thus yield false positive results.

Impact on Minecraft Servers and the Minecraft Community

DDoS attacks significantly affect Minecraft servers, players, server owners, and the entire community. Disruption of gameplay isn’t the only concern. An attack that costs a player significant tournament earnings has, in extreme cases, resulted in tragic outcomes with profound emotional impacts that ripple through the community and reach friends and family. This emphasizes the need for robust protection and awareness.

DDoS attacks on Minecraft servers can have numerous impacts:

  • Poor gaming experience: DDoS attacks cause latency, lag, or disconnections, making Minecraft unplayable and negatively impacting the user experience.
  • Gameplay imbalance: Rival players might exploit unresponsive servers during a DDoS attack to unfairly gain an advantage for themselves over players on the targeted servers.
  • Server downtime: Crucial for online games, server downtime from intense DDoS attacks makes Minecraft servers unavailable, frustrating players who invest time, effort, energy, and passion in building, exploring, and interacting within the Minecraft environment.
  • Financial losses: DDoS attacks lead to potential revenue loss for server owners relying on donations, premium memberships, or in-game purchases. Attackers may demand a fee to scale back the attack, but complying with ransom demands invites future attacks.
  • Extra expenses: Yo-yo DDoS attacks create traffic fluctuations, increasing overhead costs for cloud-hosted servers.
  • Identity theft: DDoS may be a smokescreen for hacking and identity theft, increasing vulnerability during server unavailability.
  • Server ban for innocent parties: Persistent DDoS attacks on shared hosting plans can result in temporary bans for Minecraft servers, impacting both server members and server owners who depend on member revenues for financial support.
  • Reputational damage: Persistent DDoS attacks damage the reputation of a Minecraft server, leading to a decline in the server’s popularity and user base.
  • Community fallout: Persistent DDoS attacks can result in the breakup of Minecraft servers, fracturing social interactions and prompting players to leave.
  • Switching costs: Gamers face tangible and intangible costs when moving to a new server, including the loss of in-game purchases and achievements, subscriptions, and relationships.

Examples of Recent Attacks

Most Minecraft server DDoS attacks never make it to the news. A lot of small-scale attacks hit personal or private servers for the reasons discussed above. However, larger-scale DDoS attacks are more likely to create press because of their value as a marketing strategy for DDoS protection providers or because of the real-life consequences that result from the attack.

The largest ever Minecraft DDoS attack targeted the popular Wynncraft Minecraft server in 2022. A Mirai botnet variant launched a two-minute long 2.5 Tbps attack using UDP and TCP flood packets to attack the server, aiming to disrupt gameplay for hundreds of thousands of players.

Massive attacks on this scale—and the many more attacks on private and smaller servers that attract less attention—highlight the need to be wary of Minecraft DDoS attacks. It is therefore essential for server owners, admins, engineers, and hosting providers to protect their servers and the users who rely on them. Let’s explore some methods for DDoS mitigation.

Obsidian Walls: How to Protect Minecraft Servers Against DDoS Attacks

Basic Protective Measures

To defend your Minecraft server against DDoS attacks, begin with basic security measures:

  • Install antivirus software to block malware that could enlist your server into a botnet.
  • Use a VPN to obscure your server’s IP address.
  • Secure your SSH connection by changing the SSH port number or switching to key-based SSH authentication (for example, generating a key pair with PuTTY).
  • Implement allowlists or whitelists to permit access only to verified players, and use blacklists to block malicious IPs or players.
  • Get a firewall, especially for self-hosted servers.
  • Incorporate rate limiting on network devices to manage traffic flow.
  • Keep your Minecraft server software and plugins up-to-date to patch vulnerabilities.

It’s important to stay current on the latest DDoS tactics, signs, and countermeasures, and ensure server moderators are also well-informed. Building a strong, supportive community, and promoting a positive gaming environment by vetting new members and monitoring forum chats for threats, can deter peer-to-peer DDoS attacks. In cases of serious threats, don’t hesitate to involve law enforcement or seek legal assistance.

Advanced Protective Measures

The above protective measures are baseline cybersecurity solutions; for comprehensive defense against DDoS attacks, a specialized approach like Gcore DDoS Protection is required. We offer real-time, all-in-one protection against DDoS attacks of any size, duration, or complexity, ensuring uninterrupted gaming. Built by gamers, for gamers, Gcore DDoS Protection provides tailored defense mechanisms, ultra-low false positive rate, and dedicated technical support, ensuring your Minecraft server remains protected every time, everywhere, in every situation.

By analyzing traffic and customizing protection strategies, we safeguard your server across all Minecraft versions and plugins. Our powerful infrastructure is capable of handling massive DDoS traffic spikes with a 110 Tbps capacity CDN. We block attacks from the very first query without compromising legitimate traffic, based on session rather than solely relying on IP addresses.

Diamond Defense: Proven Gaming Protection

Prevention is better than a cure. The gaming industry is one of the top three most attacked industries according to Gcore Radar and the FBI, and the average gaming DDoS attack costs victims upwards of $25,000 in losses, without factoring in any ransoms. Even for teams with in-house IT units, an attack may require significant time and labor to effect disaster recovery, and much more time to repair a reputation tarnished by unmitigated DDoS attacks.

Gcore DDoS Protection is a complete, proven service for mitigating DDoS attacks on Minecraft servers. Get a complimentary expert consultation and discover how we can protect your server and save you from the devastating consequences of DDoS attacks. Start with a free trial to experience the power of Gcore DDoS Protection for yourself.

This article is a contributed piece from one of our valued partners.



Hackers Exploit Misconfigured YARN, Docker, Confluence, Redis Servers for Crypto Mining
Published Wed, 06 Mar 2024 18:22:21 +0000
http://www.indiavpn.org/2024/03/06/hackers-exploit-misconfigured-yarn-docker-confluence-redis-servers-for-crypto-mining/

Mar 06, 2024 | Newsroom | Server Security / Cryptocurrency


Threat actors are targeting misconfigured and vulnerable servers running Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis services as part of an emerging malware campaign designed to deliver a cryptocurrency miner and spawn a reverse shell for persistent remote access.

“The attackers leverage these tools to issue exploit code, taking advantage of common misconfigurations and exploiting an N-day vulnerability, to conduct Remote Code Execution (RCE) attacks and infect new hosts,” Cado security researcher Matt Muir said in a report shared with The Hacker News.

The activity has been codenamed Spinning YARN by the cloud security company, with overlaps to cloud attacks attributed to TeamTNT, WatchDog, and a cluster dubbed Kiss-a-dog.

It all starts with deploying four novel Golang payloads that are capable of automating the identification and exploitation of susceptible Confluence, Docker, Hadoop YARN, and Redis hosts. The spreader utilities leverage masscan or pnscan to hunt for these services.


“For the Docker compromise, the attackers spawn a container and escape from it onto the underlying host,” Muir explained.

The initial access then paves the way for the deployment of additional tools to install rootkits like libprocesshider and diamorphine to conceal malicious processes, drop the Platypus open-source reverse shell utility, and ultimately launch the XMRig miner.

“It’s clear that attackers are investing significant time into understanding the types of web-facing services deployed in cloud environments, keeping abreast of reported vulnerabilities in those services and using this knowledge to gain a foothold in target environments,” the company said.

The development comes as Uptycs revealed 8220 Gang’s exploitation of known security flaws in Apache Log4j (CVE-2021-44228) and Atlassian Confluence Server and Data Center (CVE-2022-26134) as part of a wave of assaults targeting cloud infrastructure from May 2023 through February 2024.


“By leveraging internet scans for vulnerable applications, the group identifies potential entry points into cloud systems, exploiting unpatched vulnerabilities to gain unauthorized access,” security researchers Tejaswini Sandapolla and Shilpesh Trivedi said.

“Once inside, they deploy a series of advanced evasion techniques, demonstrating a profound understanding of how to navigate and manipulate cloud environments to their advantage. This includes disabling security enforcement, modifying firewall rules, and removing cloud security services, thereby ensuring their malicious activities remain undetected.”

The attacks, which single out both Windows and Linux hosts, aim to deploy a cryptocurrency miner, but not before taking a series of steps that prioritize stealth and evasion.


It also follows the abuse of cloud services primarily meant for artificial intelligence (AI) solutions to drop cryptocurrency miners as well as host malware.

“With both mining and AI requiring access to large amounts of GPU processing power, there’s a certain degree of transferability to their base hardware environments,” HiddenLayer noted last year.

Cado, in its H2 2023 Cloud Threat Findings Report, noted that threat actors are increasingly targeting cloud services that require specialist technical knowledge to exploit, and that cryptojacking is no longer the only motive.

“With the discovery of new Linux variants of ransomware families, such as Abyss Locker, there is a worrying trend of ransomware on Linux and ESXi systems,” it said. “Cloud and Linux infrastructure is now subject to a broader variety of attacks.”




New Migo Malware Targeting Redis Servers for Cryptocurrency Mining
Published Tue, 20 Feb 2024 18:42:28 +0000
http://www.indiavpn.org/2024/02/20/new-migo-malware-targeting-redis-servers-for-cryptocurrency-mining/

Feb 20, 2024 | Newsroom | Server Security / Cryptojacking


A novel malware campaign has been observed targeting Redis servers for initial access with the ultimate goal of mining cryptocurrency on compromised Linux hosts.

“This particular campaign involves the use of a number of novel system weakening techniques against the data store itself,” Cado security researcher Matt Muir said in a technical report.

The cryptojacking attack is facilitated by a malware codenamed Migo, a Golang ELF binary that comes fitted with compile-time obfuscation and the ability to persist on Linux machines.


The cloud security company said it detected the campaign after it identified an “unusual series of commands” targeting its Redis honeypots, commands engineered to lower security defenses by disabling the following configuration options –

It’s suspected that these options are turned off in order to send additional commands to the Redis server from external networks and facilitate future exploitation without attracting much attention.

This step is then followed by threat actors setting up two Redis keys, one pointing to an attacker-controlled SSH key and the other to a cron job that retrieves the malicious primary payload from a file transfer service named Transfer.sh, a technique previously spotted in early 2023.

The shell script to fetch Migo using Transfer.sh is embedded within a Pastebin file that’s, in turn, obtained using a curl or wget command.


The Go-based ELF binary, besides incorporating mechanisms to resist reverse engineering, acts as a downloader for an XMRig installer hosted on GitHub. It’s also responsible for performing a series of steps to establish persistence, terminate competing miners, and launch the miner.

On top of that, Migo disables Security-Enhanced Linux (SELinux) and searches for uninstallation scripts for monitoring agents bundled in compute instances from cloud providers such as Qcloud and Alibaba Cloud. It further deploys a modified version (“libsystemd.so”) of a popular user-mode rootkit named libprocesshider to hide processes and on-disk artifacts.

It’s worth pointing out that these actions overlap with tactics adopted by known cryptojacking groups like TeamTNT, WatchDog, Rocke, and threat actors associated with the SkidMap malware.


“Interestingly, Migo appears to recursively iterate through files and directories under /etc,” Muir noted. “The malware will simply read files in these locations and not do anything with the contents.”

“One theory is this could be a (weak) attempt to confuse sandbox and dynamic analysis solutions by performing a large number of benign actions, resulting in a non-malicious classification.”

Another hypothesis is that the malware is looking for an artifact that’s specific to a target environment, although Cado said it found no evidence to support this line of reasoning.

“Migo demonstrates that cloud-focused attackers are continuing to refine their techniques and improve their ability to exploit web-facing services,” Muir said.

“Although libprocesshider is frequently used by cryptojacking campaigns, this particular variant includes the ability to hide on-disk artifacts in addition to the malicious processes themselves.”




Critical JetBrains TeamCity On-Premises Flaw Exposes Servers to Takeover
Published Wed, 07 Feb 2024 06:46:56 +0000
http://www.indiavpn.org/2024/02/07/critical-jetbrains-teamcity-on-premises-flaw-exposes-servers-to-takeover/

Feb 07, 2024 | Newsroom | Cybersecurity / Software Security


JetBrains is alerting customers of a critical security flaw in its TeamCity On-Premises continuous integration and continuous deployment (CI/CD) software that could be exploited by threat actors to take over susceptible instances.

The vulnerability, tracked as CVE-2024-23917, carries a CVSS rating of 9.8 out of 10, indicative of its severity.

“The vulnerability may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server,” the company said.

The issue impacts all TeamCity On-Premises versions from 2017.1 through 2023.11.2. It has been addressed in version 2023.11.3. An unnamed external security researcher has been credited with discovering and reporting the flaw on January 19, 2024.


Users who are unable to update their servers to version 2023.11.3 can alternately download a security patch plugin to apply fixes for the flaw.

“If your server is publicly accessible over the internet and you are unable to take one of the above mitigation steps immediately, we recommend temporarily making it inaccessible until mitigation actions have been completed,” JetBrains advised.

While there is no evidence that the shortcoming has been abused in the wild, a similar flaw in the same product (CVE-2023-42793, CVSS score: 9.8) came under active exploitation last year within days of public disclosure by multiple threat actors, including ransomware gangs and state-sponsored groups affiliated with North Korea and Russia.




HeadCrab 2.0 Goes Fileless, Targeting Redis Servers for Crypto Mining
Published Thu, 01 Feb 2024 19:28:41 +0000
http://www.indiavpn.org/2024/02/01/headcrab-2-0-goes-fileless-targeting-redis-servers-for-crypto-mining/

Feb 01, 2024 | Newsroom | Cryptocurrency / Botnet


Cybersecurity researchers have detailed an updated version of the malware HeadCrab that’s known to target Redis database servers across the world since early September 2021.

The development, which comes exactly a year after the malware was first publicly disclosed by Aqua, is a sign that the financially-motivated threat actor behind the campaign is actively adapting and refining their tactics and techniques to stay ahead of the detection curve.

The cloud security firm said that “the campaign has almost doubled the number of infected Redis servers,” with an additional 1,100 compromised servers, up from 1,200 reported at the start of 2023.


HeadCrab is designed to infiltrate internet-exposed Redis servers and wrangle them into a botnet for illicitly mining cryptocurrency, while also leveraging the access in a manner that allows the threat actor to execute shell commands, load fileless kernel modules, and exfiltrate data to a remote server.

While the origins of the threat actor are presently not known, they make it a point to note in a “mini blog” embedded into the malware that the mining activity is “legal in my country” and that they do it because “it almost doesn’t harm human life and feelings (if done right).”

The operator, however, acknowledges that it’s a “parasitic and inefficient way” of making money, adding their aim is to make $15,000 per year.

“An integral aspect of the sophistication of HeadCrab 2.0 lies in its advanced evasion techniques,” Aqua researchers Asaf Eitani and Nitzan Yaakov said. “In contrast to its predecessor (named HeadCrab 1.0), this new version employs a fileless loader mechanism, demonstrating the attacker’s commitment to stealth and persistence.”


It’s worth noting that the previous iteration utilized the SLAVEOF command to download and save the HeadCrab malware file to disk, thereby leaving artifact traces on the file system.

HeadCrab 2.0, on the other hand, receives the malware’s content over the Redis communication channel and stores it in a fileless location in a bid to minimize the forensic trail and make it much more challenging to detect.

Also changed in the new variant is the use of the Redis MGET command for command-and-control (C2) communications for added covertness.


“By hooking into this standard command, the malware gains the ability to control it during specific attacker-initiated requests,” the researchers said.

“Those requests are achieved by sending a special string as an argument to the MGET command. When this specific string is detected, the malware recognizes the command as originating from the attacker, triggering the malicious C2 communication.”

Describing HeadCrab 2.0 as an escalation in the sophistication of Redis malware, Aqua said its ability to masquerade its malicious activities under the guise of legitimate commands poses new problems for detection.

“This evolution underscores the necessity for continuous research and development in security tools and practices,” the researchers concluded. “The engagement by the attacker and the subsequent evolution of the malware highlights the critical need for vigilant monitoring and intelligence gathering.”




Critical Jenkins Vulnerability Exposes Servers to RCE Attacks
Published Thu, 25 Jan 2024 12:22:45 +0000
http://www.indiavpn.org/2024/01/25/critical-jenkins-vulnerability-exposes-servers-to-rce-attacks/

Jan 25, 2024 | Newsroom | Vulnerability / Software Security


The maintainers of the open-source continuous integration/continuous delivery and deployment (CI/CD) automation software Jenkins have resolved nine security flaws, including a critical bug that, if successfully exploited, could result in remote code execution (RCE).

The issue, assigned the CVE identifier CVE-2024-23897, has been described as an arbitrary file read vulnerability through the built-in command line interface (CLI).

“Jenkins uses the args4j library to parse command arguments and options on the Jenkins controller when processing CLI commands,” the maintainers said in a Wednesday advisory.

“This command parser has a feature that replaces an @ character followed by a file path in an argument with the file’s contents (expandAtFiles). This feature is enabled by default and Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable it.”


A threat actor could exploit this quirk to read arbitrary files on the Jenkins controller file system using the default character encoding of the Jenkins controller process.

While attackers with “Overall/Read” permission can read entire files, those without it can read the first three lines of the files depending on the CLI commands.
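Python's argparse has the same kind of @-file expansion that the advisory describes for args4j (argparse calls it fromfile_prefix_chars), so it can stand in for expandAtFiles here. Added example, not Jenkins or args4j code: the permissive parser beside the hardened one, both fed an '@<path>' argument pointing at a file the example creates itself with constructed content; the 'cli <job>' command is hypothetical.

```python
import argparse
import os
import tempfile


def build_parser(expand_at_files: bool) -> argparse.ArgumentParser:
    """Parser for a hypothetical 'cli <job>' command.

    expand_at_files=True enables argparse's fromfile_prefix_chars, the analogue of
    args4j's expandAtFiles: before parsing, any argument beginning with '@' is
    replaced by the lines of the file it names. The hardened parser never turns
    the feature on, which is what the Jenkins fix does for its own parser.
    """
    options = {"fromfile_prefix_chars": "@"} if expand_at_files else {}
    parser = argparse.ArgumentParser(prog="cli", **options)
    parser.add_argument("job", help="name of the job to act on")
    return parser


def parse_job(argv: list[str], expand_at_files: bool) -> tuple[str, list[str]]:
    """Return (job value, leftover arguments) the parser ends up with.

    Leftovers matter: a real CLI echoes them back in its 'unrecognized arguments'
    error, which is how file lines beyond the first would surface to the caller.
    """
    namespace, leftover = build_parser(expand_at_files).parse_known_args(argv)
    return namespace.job, leftover


def write_constructed_file(lines: list[str]) -> str:
    """Write a temp file with constructed content, standing in for a file the CLI user must not read."""
    fd, path = tempfile.mkstemp(prefix="atfile-demo-", suffix=".txt")
    with os.fdopen(fd, "w", encoding="utf-8") as handle:
        handle.write("\n".join(lines) + "\n")
    return path


def demo() -> dict[str, tuple[str, list[str]]]:
    """Feed the same '@<path>' argument to both parsers and report what each saw."""
    path = write_constructed_file(["line-1-of-protected-file", "line-2-of-protected-file"])
    try:
        return {
            # permissive: the parser opens the file and parses its lines as arguments
            "permissive": parse_job(["@" + path], expand_at_files=True),
            # hardened: '@<path>' is an ordinary string; the file is never opened
            "hardened": parse_job(["@" + path], expand_at_files=False),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for label, (job, leftover) in demo().items():
        print(f"{label:10} job={job!r} leftover={leftover!r}")
```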

Additionally, the shortcoming could be weaponized to read binary files containing cryptographic keys, albeit with certain restrictions. Provided the binary secrets can be extracted, Jenkins says it could open the door to various attacks –

  • Remote code execution via Resource Root URLs
  • Remote code execution via “Remember me” cookie
  • Remote code execution via stored cross-site scripting (XSS) attacks through build logs
  • Remote code execution via CSRF protection bypass
  • Decrypt secrets stored in Jenkins
  • Delete any item in Jenkins
  • Download a Java heap dump

“While files containing binary data can be read, the affected feature attempts to read them as strings using the controller process’s default character encoding,” Jenkins said.


“This is likely to result in some bytes not being read successfully and being replaced with a placeholder value. Which bytes can or cannot be read depends on this character encoding.”
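The expandAtFiles behaviour described above, and the encoding loss the maintainers mention, are easy to reproduce in miniature. The following is an added example written for this page, not Jenkins or args4j code: a toy parser that swaps an `@<path>` argument for the file's lines, the same parser with expansion disabled (what the fix amounts to), and a count of how much of a constructed binary secret survives a read through a given text encoding. The `connect-node` argument, the file names and the secret contents are constructed for the demonstration.

```python
"""Toy model of the args4j '@file' expansion behind CVE-2024-23897.

Example code for this page, not Jenkins or args4j source. It models the
expandAtFiles behaviour the advisory describes, the same parser with
expansion disabled (as Jenkins 2.442 / LTS 2.426.3 do), and why a binary
secret read through the controller's default text encoding comes back
with placeholder characters.
"""
import os
import tempfile
from typing import Dict, List


def parse_cli_args(argv: List[str], expand_at_files: bool,
                   encoding: str = "utf-8") -> List[str]:
    """Model of the args4j parser.

    With expand_at_files=True an argument '@<path>' is replaced by the lines
    of <path>, one argument per line, decoded with the given encoding (args4j
    uses the JVM default). With expand_at_files=False the argument is kept
    literally, which is the behaviour after the fix.
    """
    parsed: List[str] = []
    for arg in argv:
        if expand_at_files and arg.startswith("@") and len(arg) > 1:
            # Undecodable bytes become U+FFFD, mirroring Java's replacement char
            with open(arg[1:], "r", encoding=encoding, errors="replace") as fh:
                parsed.extend(line.rstrip("\r\n") for line in fh)
        else:
            parsed.append(arg)
    return parsed


def placeholder_count(path: str, encoding: str) -> int:
    """Number of replacement characters produced when a file is decoded as
    text. Each one marks at least one byte of the secret that cannot be
    recovered from the CLI output; which bytes are lost depends on the
    encoding, as the advisory notes."""
    with open(path, "rb") as fh:
        return fh.read().decode(encoding, errors="replace").count("\ufffd")


def run_demo() -> Dict[str, object]:
    """Build a throwaway 'controller' file tree with two constructed secrets
    and run the vulnerable and fixed parser against the same attacker input."""
    root = tempfile.mkdtemp(prefix="jenkins-demo-")
    secrets_dir = os.path.join(root, "secrets")
    os.makedirs(secrets_dir)
    text_secret = os.path.join(secrets_dir, "initialAdminPassword")
    binary_secret = os.path.join(secrets_dir, "master.key")
    with open(text_secret, "w", encoding="utf-8") as fh:
        fh.write("c0nstructed-admin-password\n")   # constructed, not a real secret
    with open(binary_secret, "wb") as fh:
        fh.write(bytes(range(256)))               # every byte value once

    # An attacker passes '@<path>' where the CLI command expects a plain string
    attacker_argv = ["connect-node", "@" + text_secret]
    return {
        "vulnerable": parse_cli_args(attacker_argv, expand_at_files=True),
        "fixed": parse_cli_args(attacker_argv, expand_at_files=False),
        "utf8_lost": placeholder_count(binary_secret, "utf-8"),
        "latin1_lost": placeholder_count(binary_secret, "latin-1"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

With UTF-8 as the default encoding, the high half of the byte range cannot be decoded and is replaced, which is the "some bytes not being read successfully" case; with a single-byte encoding such as Latin-1 every byte decodes, so a controller running with that default would leak the key intact.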

Security researcher Yaniv Nizry has been credited with discovering and reporting the flaw, which has been fixed in Jenkins 2.442 and LTS 2.426.3 by disabling the command parser’s file-expansion feature.

As a short-term workaround until the patch can be applied, it’s recommended to turn off access to the CLI.

The development comes nearly a year after Jenkins addressed a pair of severe security vulnerabilities dubbed CorePlague (CVE-2023-27898 and CVE-2023-27905) that could lead to code execution on targeted systems.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Latest Mirai-Based Botnet Targeting SSH Servers for Crypto Mining
http://www.indiavpn.org/2024/01/10/latest-mirai-based-botnet-targeting-ssh-servers-for-crypto-mining/
Wed, 10 Jan 2024 18:07:46 +0000

Jan 10, 2024 | Newsroom | Server Security / Cryptocurrency


A new Mirai-based botnet called NoaBot has been used by threat actors as part of a crypto mining campaign since the beginning of 2023.

“The capabilities of the new botnet, NoaBot, include a wormable self-spreader and an SSH key backdoor to download and execute additional binaries or spread itself to new victims,” Akamai security researcher Stiv Kupchik said in a report shared with The Hacker News.

Mirai, which had its source code leaked in 2016, has been the progenitor of a number of botnets, the most recent being InfectedSlurs, which is capable of mounting distributed denial-of-service (DDoS) attacks.

There are indications that NoaBot could be linked to another botnet campaign involving a Rust-based malware family known as P2PInfect, which recently received an update to target routers and IoT devices.


This is based on the fact that threat actors have also experimented with dropping P2PInfect in place of NoaBot in recent attacks targeting SSH servers, indicating likely attempts to pivot to custom malware.

Despite NoaBot’s Mirai foundations, its spreader module uses an SSH scanner to find servers susceptible to dictionary attacks, brute-forces their credentials, and adds an attacker-controlled SSH public key to the .ssh/authorized_keys file for persistent remote access. Optionally, it can also download and execute additional binaries after a successful compromise or propagate itself to new victims.
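Because the persistence here is a key appended to authorized_keys, the quickest host-level check is to diff every authorized_keys entry against what provisioning actually deployed. The following is an added example for this page, not Akamai's tooling: it tokenises each entry the way sshd does (options, key type, base64 blob, comment), verifies the blob really encodes the declared key type, computes the OpenSSH-style SHA256 fingerprint, and flags anything that is malformed or absent from an allowlist of known fingerprints. The sample file, the allowlist and the key blobs are constructed (the blobs have the right wire layout but are not real keys).

```python
"""Audit authorized_keys entries against a fingerprint allowlist.

Example code for this page, not part of any vendor tooling. Flags keys that
provisioning did not deploy (the NoaBot backdoor pattern) and entries whose
blob does not parse as a public key. All sample data is constructed.
"""
import base64
import hashlib
import struct
from typing import List, NamedTuple, Set

# Key types sshd accepts; the first such token on a line separates options from the key
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}


class Finding(NamedTuple):
    line_no: int
    fingerprint: str
    reason: str


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style 'SHA256:<base64 without padding>' fingerprint of a blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def wire_type(blob_b64: str) -> str:
    """Key type embedded in the blob's first length-prefixed string
    (RFC 4253 string encoding). Raises on anything that is not a key blob."""
    raw = base64.b64decode(blob_b64, validate=True)
    (n,) = struct.unpack(">I", raw[:4])
    if n > len(raw) - 4:
        raise ValueError("truncated key blob")
    return raw[4:4 + n].decode("ascii")


def audit(lines: List[str], allowlist: Set[str]) -> List[Finding]:
    """Return one Finding per problem; an empty list means every key is known."""
    findings: List[Finding] = []
    for no, line in enumerate(lines, 1):
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        tokens = entry.split()
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            findings.append(Finding(no, "-", "unparseable entry"))
            continue
        declared, blob = tokens[idx], tokens[idx + 1]
        try:
            embedded, fp = wire_type(blob), fingerprint(blob)
        except Exception:
            findings.append(Finding(no, "-", "invalid key blob"))
            continue
        if embedded != declared:
            findings.append(Finding(no, fp, f"declared {declared} but blob is {embedded}"))
        if fp not in allowlist:
            findings.append(Finding(no, fp, "key not in provisioning allowlist"))
    return findings


def ed25519_blob(point: bytes) -> str:
    """Constructed ed25519 public key blob: string 'ssh-ed25519' + 32-byte
    point. Layout is correct; the bytes are placeholders, not a real key."""
    body = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + point
    return base64.b64encode(body).decode()


ADMIN_KEY = ed25519_blob(b"A" * 32)      # constructed: the key provisioning deployed
ATTACKER_KEY = ed25519_blob(b"B" * 32)   # constructed: a key nobody provisioned
ALLOWLIST = {fingerprint(ADMIN_KEY)}
SAMPLE_AUTHORIZED_KEYS = [               # constructed file contents
    "# keys managed by the provisioning system",
    f"ssh-ed25519 {ADMIN_KEY} admin@bastion",
    f"ssh-ed25519 {ATTACKER_KEY} root@localhost",
    "ssh-rsa not-base64!! garbage",
]


def run_demo() -> List[Finding]:
    return audit(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST)


if __name__ == "__main__":
    for f in run_demo():
        print(f"line {f.line_no}: {f.reason} ({f.fingerprint})")
```

On a real host, feed it the lines of every user's `~/.ssh/authorized_keys` (and any `AuthorizedKeysFile` paths from sshd_config) and populate the allowlist from `ssh-keygen -lf` output of the keys your provisioning system manages; a key that only ever appeared on the host is the finding.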


“NoaBot is compiled with uClibc, which seems to change how antivirus engines detect the malware,” Kupchik noted. “While other Mirai variants are usually detected with a Mirai signature, NoaBot’s antivirus signatures are of an SSH scanner or a generic trojan.”

Besides incorporating obfuscation tactics to render analysis challenging, the attack chain ultimately results in the deployment of a modified version of the XMRig coin miner.

What sets the new variant apart from similar Mirai-based campaigns is that the miner carries no information about the mining pool or the wallet address, making it impossible to assess the profitability of the illicit cryptocurrency mining scheme.


“The miner obfuscates its configuration and also uses a custom mining pool to avoid exposing the wallet address used by the miner,” Kupchik said, highlighting some level of preparedness of the threat actors.

Akamai said it has identified 849 victim IP addresses to date, spread across the world with a high concentration in China; that concentration is large enough to account for almost 10% of all attacks against its honeypots in 2023.

“The malware’s method of lateral movement is via plain old SSH credentials dictionary attacks,” Kupchik said. “Restricting arbitrary internet SSH access to your network greatly diminishes the risks of infection. In addition, using strong (not default or randomly generated) passwords also makes your network more secure, as the malware uses a basic list of guessable passwords.”

Turkish Hackers Exploiting Poorly Secured MS SQL Servers Across the Globe
http://www.indiavpn.org/2024/01/09/turkish-hackers-exploiting-poorly-secured-ms-sql-servers-across-the-globe/
Tue, 09 Jan 2024 15:07:49 +0000

Jan 09, 2024 | Newsroom | Data Security / Cyber Attack


Poorly secured Microsoft SQL (MS SQL) servers are being targeted in the U.S., European Union, and Latin American (LATAM) regions as part of an ongoing financially motivated campaign to gain initial access.

“The analyzed threat campaign appears to end in one of two ways, either the selling of ‘access’ to the compromised host, or the ultimate delivery of ransomware payloads,” Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a technical report shared with The Hacker News.

The campaign, linked to actors of Turkish origin, has been codenamed RE#TURGENCE by the cybersecurity firm.


Initial access is obtained by brute-forcing the servers’ credentials, after which the attackers enable the xp_cmdshell extended stored procedure (a server configuration option that is off by default) to run shell commands on the compromised host. This activity mirrors that of a prior campaign dubbed DB#JAMMER that came to light in September 2023.

This stage paves the way for the retrieval of a PowerShell script from a remote server that’s responsible for fetching an obfuscated Cobalt Strike beacon payload.

The post-exploitation toolkit is then used to download the AnyDesk remote desktop application from a mounted network share for accessing the machine and downloading additional tools such as Mimikatz to harvest credentials and Advanced Port Scanner to carry out reconnaissance.


Lateral movement is accomplished by means of a legitimate system administration utility called PsExec, which can execute programs on remote Windows hosts.

The attack chain ultimately culminates with the deployment of Mimic ransomware, a variant of which was also used in the DB#JAMMER campaign.

“The indicators as well as malicious TTPs used in the two campaigns are completely different, so there is a very high chance these are two disparate campaigns,” Kolesnikov told The Hacker News.


“More specifically, while the initial infiltration methods are similar, DB#JAMMER was slightly more sophisticated and used tunneling. RE#TURGENCE is more targeted and tends to use legitimate tools and remote monitoring and management, such as AnyDesk, in an attempt to blend in with normal activity.”

Securonix said an operational security (OPSEC) blunder by the threat actors, leaving AnyDesk’s clipboard sharing feature enabled, allowed it to monitor their clipboard activity.

This made it possible to glean their Turkish origins and their online alias atseverse, which also corresponds to a profile on Steam and a Turkish hacking forum called SpyHack.

“Always refrain from exposing critical servers directly to the internet,” the researchers cautioned. “With the case of RE#TURGENCE attackers were directly able to brute force their way into the server from outside the main network.”

Poorly Secured Linux SSH Servers Under Attack for Cryptocurrency Mining
http://www.indiavpn.org/2023/12/27/poorly-secured-linux-ssh-servers-under-attack-for-cryptocurrency-mining/
Wed, 27 Dec 2023 06:58:43 +0000

Dec 27, 2023 | Newsroom | Malware / Server Security

Poorly secured Linux SSH servers are being targeted by bad actors who install port scanners and dictionary attack tools on them, with the goal of compromising other vulnerable servers and co-opting them into a network used for cryptocurrency mining and distributed denial-of-service (DDoS) attacks.

“Threat actors can also choose to install only scanners and sell the breached IP and account credentials on the dark web,” the AhnLab Security Emergency Response Center (ASEC) said in a report on Tuesday.

In these attacks, adversaries try to guess a server’s SSH credentials by running through a list of commonly used username and password combinations, a technique known as a dictionary attack.

If the brute-force attempt succeeds, the threat actor deploys additional malware, including scanners, to find other susceptible systems on the internet.

Specifically, the scanner looks for systems with port 22, the SSH service port, open and then repeats the dictionary attack against them to install the malware, effectively propagating the infection.
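Both this campaign and the RE#TURGENCE chain described above (brute-forced MS SQL logins, then xp_cmdshell) start with credential guessing that is loud in server logs, so one detector serves both. The following is an added example written for this page, not ASEC's or Securonix's tooling: it parses OpenSSH `Failed password`/`Accepted password` lines and SQL Server ERRORLOG `Login failed for user` lines (error 18456), groups failures by source address, and raises alerts for a dictionary-attack burst, for a successful login that follows a run of failures from the same address, and for the ERRORLOG message SQL Server writes when `xp_cmdshell` is switched on. All log lines, addresses and the threshold are constructed for the demonstration.

```python
"""Triage sshd and SQL Server ERRORLOG lines for credential-guessing activity.

Example code for this page, not vendor tooling. Sample log lines below are
constructed to match the real message formats; addresses are documentation
ranges.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Tuple

SSHD_FAIL = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
SSHD_OK = re.compile(r"sshd\[\d+\]: Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>[\d.]+)")
MSSQL_FAIL = re.compile(r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[\d.]+)\]")
MSSQL_XPCMD = re.compile(r"Configuration option 'xp_cmdshell' changed from (?P<old>\d) to (?P<new>\d)")


class Alert(NamedTuple):
    source: str   # "sshd" or "mssql"
    ip: str
    detail: str


def triage(lines: Iterable[str], threshold: int = 5) -> List[Alert]:
    """Return alerts for bursts of failures, success-after-failures, and
    xp_cmdshell enablement. Alerts are in order of discovery; burst alerts
    are emitted after the scan so the final counts are used."""
    failures: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    alerts: List[Alert] = []
    for line in lines:
        m = SSHD_FAIL.search(line)
        if m:
            failures[("sshd", m["ip"])].append(m["user"])
            continue
        m = MSSQL_FAIL.search(line)
        if m:
            failures[("mssql", m["ip"])].append(m["user"])
            continue
        m = SSHD_OK.search(line)
        if m:
            prior = failures.get(("sshd", m["ip"]), [])
            if prior:   # the guessing worked: highest-priority signal
                alerts.append(Alert("sshd", m["ip"],
                                    f"successful login as {m['user']} after {len(prior)} failures"))
            continue
        m = MSSQL_XPCMD.search(line)
        if m and m["new"] == "1":
            alerts.append(Alert("mssql", "-", "xp_cmdshell enabled"))
    for (source, ip), users in failures.items():
        if len(users) >= threshold:
            alerts.append(Alert(source, ip,
                                f"{len(users)} failed logins, {len(set(users))} distinct username(s): dictionary attack"))
    return alerts


# Constructed sample: an SSH dictionary attack that succeeds, one stray typo,
# and an MS SQL brute force followed by xp_cmdshell being switched on.
SAMPLE_LOG = [
    "Dec 26 03:14:07 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Dec 26 03:14:09 web1 sshd[2213]: Failed password for root from 203.0.113.7 port 51030 ssh2",
    "Dec 26 03:14:11 web1 sshd[2215]: Failed password for invalid user oracle from 203.0.113.7 port 51041 ssh2",
    "Dec 26 03:14:12 web1 sshd[2217]: Failed password for invalid user test from 203.0.113.7 port 51050 ssh2",
    "Dec 26 03:14:14 web1 sshd[2219]: Failed password for invalid user ubuntu from 203.0.113.7 port 51063 ssh2",
    "Dec 26 03:14:16 web1 sshd[2221]: Failed password for root from 203.0.113.7 port 51070 ssh2",
    "Dec 26 03:14:30 web1 sshd[2240]: Failed password for alice from 192.0.2.10 port 40012 ssh2",
    "Dec 26 03:15:01 web1 sshd[2290]: Accepted password for root from 203.0.113.7 port 51101 ssh2",
    "2024-01-05 11:02:13.45 Logon       Error: 18456, Severity: 14, State: 8.",
    "2024-01-05 11:02:13.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.9]",
    "2024-01-05 11:02:14.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.9]",
    "2024-01-05 11:02:14.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.9]",
    "2024-01-05 11:02:15.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.9]",
    "2024-01-05 11:02:15.70 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.9]",
    "2024-01-05 11:09:40.02 spid57      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.",
]


def run_demo() -> List[Alert]:
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    for a in run_demo():
        print(f"[{a.source}] {a.ip}: {a.detail}")
```

The single failure from 192.0.2.10 stays below the threshold and produces nothing, while the 203.0.113.7 run yields both a burst alert and the more important success-after-failures alert; on the SQL side the xp_cmdshell change is alerted on its own, because that message should never appear on a server where the option is meant to stay off.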


Another notable aspect of the attack is the execution of commands such as “grep -c ^processor /proc/cpuinfo” to determine the number of CPU cores.

“These tools are believed to have been created by PRG old Team, and each threat actor modifies them slightly before using them in attacks,” ASEC said, adding there is evidence of such malicious software being used as early as 2021.

To mitigate the risks associated with these attacks, it’s recommended that users rely on passwords that are hard to guess, periodically rotate them, and keep their systems up-to-date.

The findings come as Kaspersky revealed that a novel multi-platform threat called NKAbuse is leveraging a decentralized, peer-to-peer network connectivity protocol known as NKN (short for New Kind of Network) as a communications channel for DDoS attacks.
