A highly sophisticated botnet is believed to have infected hundreds of thousands of websites by attacking their underlying content management system (CMS) platforms.
Named KashmirBlack, the botnet started operating in November 2019.
Security researchers from Imperva, who analyzed the botnet last week in a two-part series, said the botnet’s primary purpose appears to be infecting websites and then using their servers for cryptocurrency mining, redirecting a site’s legitimate traffic to spam pages and, to a lesser degree, showing web defacements.
Imperva said the botnet started out small, but after months of constant growth, it has evolved into a sophisticated behemoth capable of attacking thousands of sites per day.
The biggest changes occurred in May this year, when the botnet expanded both its command-and-control (C&C) infrastructure and its exploit arsenal.
Nowadays, KashmirBlack is “managed by one C&C (Command and Control) server and uses more than 60 – mostly innocent surrogate – servers as part of its infrastructure,” Imperva said.
“[The botnet] handles hundreds of bots, each communicating with the C&C to receive new targets, perform brute force attacks, install backdoors, and expand the size of the botnet.”
KashmirBlack expands by scanning the internet for sites using outdated software and then using exploits for known vulnerabilities to infect the site and its underlying server.
Some of the hacked servers are then used for spam or crypto-mining, but also to attack other sites and keep the botnet alive.
Since November 2019, Imperva says it has seen the botnet abuse 16 vulnerabilities:
The exploits listed above allowed KashmirBlack operators to attack sites running CMS platforms like WordPress, Joomla!, PrestaShop, Magento, Drupal, vBulletin, osCommerce, OpenCart, and Yeager.
Some exploits attacked the CMS itself, while others attacked some of their inner components and libraries.
“During our research we witnessed its evolution from a medium-volume botnet with basic abilities to a massive infrastructure that is here to stay,” Imperva researchers said on Friday.
Based on multiple clues it found, Imperva researchers said they believed the botnet was the work of a hacker named Exect1337, a member of the Indonesian hacker crew PhantomGhost.

Ransomware has become a major threat to the manufacturing industry as cyber-criminal groups increasingly take an interest in targeting the industrial control systems (ICS) that manage operations.
According to analysis by cybersecurity researchers at security company Dragos, the number of publicly recorded ransomware attacks against manufacturing has tripled in the last year alone.
While a lot of manufacturing relies on traditional IT, some elements of manufacturing rely on ICS when mass-producing products, and that is an area that several hacking groups are actively looking to target.
That’s potentially very troubling because the interconnected nature of the manufacturing supply chain means that if one factory gets taken down by a cyberattack, it could have wide-ranging consequences.
For example, if a manufacturing facility that mass produces medicines or other health products was hit by a ransomware attack, that could have knock-on impacts for the healthcare sector as a whole.
It’s this level of threat that has led cybersecurity researchers at Dragos to describe ransomware with the ability to disrupt industrial processes as the “biggest threat” to manufacturing operations – and at least five hacking groups are actively targeting or demonstrating interest in manufacturing.

For cyber criminals, manufacturing makes a highly strategic target because in many cases these are operations that can’t afford to be out of action for a long period of time, so they could be more likely to give in to the demands of the attackers and pay hundreds of thousands of dollars in bitcoin in exchange for getting the network back.
“Manufacturing requires significant uptime in order to meet production and any attack that causes downtime can cost a lot of money. Thus, they may be more inclined to pay attackers,” Selena Larson, intelligence analyst for Dragos, told ZDNet.
“Additionally, manufacturing operations don’t necessarily have the most robust cybersecurity operations and may make interesting targets of opportunity for adversaries,” she added.
The nature of manufacturing means industrial and networking assets are often exposed to the internet, providing avenues for hacking groups and ransomware gangs to gain access to the network via remote access technology such as remote desktop protocol (RDP) and VPN services or vulnerabilities in unpatched systems.
As of October 2020, the company said there were at least 108 advisories containing 262 vulnerabilities impacting industrial equipment found in manufacturing environments during the course of this year alone, many of which potentially leave networks vulnerable to ransomware and other cyberattacks.
“Unfortunately, unpatched vulnerabilities that can enable initial access will always be an issue. Testing and applying patches as soon as practicable is very important for preventing exploitation,” said Larson.
Cyber criminals are deploying ransomware because it’s often the quickest and easiest way to make money from compromising a large network. But by gaining enough control of the network to deploy ransomware, hackers will often also be able to access intellectual property and sensitive data that also resides within the network.
That could potentially lead to hacking groups using ransomware as a smokescreen for cyberattacks designed to steal intellectual property, which could be extremely damaging to victims in the long run.
“Gaining visibility into the OT environment is very crucial – you can’t protect what you don’t know exists,” said Larson.
That means taking steps such as conducting regular architecture reviews to identify assets, ensuring devices and services are kept up to date, and conducting “crown jewel analysis” to identify potential weaknesses that could disrupt business continuity.
Google says it will automatically delete location logs when it detects visits to abortion clinics and domestic violence shelters. In a blog post, Jen Fitzpatrick, senior vice president of Google Core Systems & Experiences, said the changes would be rolling out in the coming weeks.

Following the overturning of the landmark Roe v. Wade ruling, which enshrined the right to legal abortion in the United States, there are fears that data collected through search histories, medical tracking apps, and GPS location data, among other technologies, could be used in prosecutions. According to Fitzpatrick, while many privacy controls are on offer for users, the tech giant will also contribute by ensuring that some datasets are automatically wiped before such a future becomes a reality.

“Given that these issues apply to healthcare providers, telecommunications companies, banks, tech platforms, and many more, we know privacy protections cannot be solely up to individual companies or states acting individually,” the executive says.

Location history on your Google account is off by default, but some users may find it useful for personalized recommendations. However, if location history is enabled and a user visits a sensitive area, Google will now delete these logs automatically. Suppose the company’s systems detect a visit to places including medical facilities, counseling centers, domestic violence shelters, abortion and fertility clinics, or addiction treatment centers. In that case, Fitzpatrick says, “we will delete these entries from Location History soon after they visit.”

Period tracking apps and software are also of concern. At the moment, the logs of menstruation trackers in Google Fit and Fitbit can be deleted one record at a time, but the company intends to expand this to allow multiple logs to be removed at once.

Google has also reiterated its stance on law enforcement data demands.
In some cases, the company is legally obligated to hand over user information. Still, users are informed when their data is shared unless Google is barred from doing so or a situation is considered an emergency. The company also publishes a regular transparency report that shares the number of law enforcement requests it receives and how many are successful. Google may push back against over-broad requests or object to providing records at all.

“We remain committed to protecting our users against improper government demands for data, and we will continue to oppose demands that are overly broad or otherwise legally objectionable,” Fitzpatrick commented. “We also will continue to support bipartisan legislation, such as the NDO Fairness Act recently passed by the House of Representatives, to reduce secrecy and increase transparency around government data demands.”
Twitter has joined other social media companies to call out Australia’s anti-trolling laws as an extreme risk to the privacy of Australians, particularly minority communities.

Kara Hinesley, Twitter Australia’s director for public policy, appeared before a Senate legal and constitutional affairs committee hearing on Tuesday afternoon to speak about its privacy concerns regarding the federal government’s anti-trolling Bill.

The Bill, currently before Parliament, seeks to remove the liability held by owners of social media pages for any defamatory material posted on those pages. If passed, it would also create the requirement for social media companies to identify people if they post potentially defamatory material.

“Under this bill, online platforms choose between facing liability in court or turning over private sensitive information about users without a legal determination as to whether the content is in fact defamatory under the law,” Hinesley said.

Hinesley added the requirement to identify people, even those using anonymous accounts, would adversely affect minority communities.

“We’ve seen a number of people both from a whistleblower space to even domestic violence situations, people that identify within the LGBTQIA community, utilising anonymous or synonymous accounts as ways and basically entry points into conversations about important matters,” Hinesley said. “We do think that there are potential safety concerns which would be the opposite result of the stated intention of the Bill.”

Twitter senior public policy director Kathleen Reen, meanwhile, said the anti-trolling Bill would not help social media companies protect users and that the platform was unsure whether it could meet the Bill’s information collection requirements.
Liberal Senator and committee chair Sarah Henderson was not convinced by Twitter’s argument, however, with the Senator referring to her own ongoing dispute with Twitter as evidence that the anti-trolling legislation is required.

“Obviously, I’ve experienced this personally, where a police search warrant issued by Victorian Police has been met with a brick wall from Twitter,” Senator Henderson said. “And you’re now saying that Twitter is re-examining the way the data was held, and it tends to make data held offshore available under circumstances where an end-user disclosure order is issued against Twitter, requiring them to hand over identifying information.”

Twitter’s concerns echoed those of Meta, which told the committee last Thursday it would be extremely difficult, even for online companies as large as Meta, to collate content to meet the Bill’s requirements.

“It might not actually be possible to maintain a constantly updated contact list of both email and phone numbers of all Australians and all people who might be visiting Australia,” said Mia Garlick, Meta APAC policy director.

Three WordPress plugins commonly used by e-learning platforms and Fortune 500 companies were subject to severe security issues, researchers say. On Thursday, Check Point published research surrounding three popular WordPress plugins, LearnPress, LearnDash, and LifterLMS, learning management systems (LMS) widely used for educational purposes, especially at a time when distance learning is being more widely […]