Silobreaker Daily Cyber Digest – 31 March 2016

Remaiten [1]

ESET report that malware authors have merged the capabilities of Kaiten/Tsunami and Gafgyt to create a hybrid known as Remaiten, a.k.a. KTN-Remastered or Kaiten Remastered.

In a handover from Gafgyt, the Remaiten bot begins by performing a telnet scan, attempting to connect randomly from a hardcoded list of IPs via port 23. If it manages to connect, the bot will then attempt to log in using its own list of credentials. If it succeeds, the next step is to determine the type of device it has accessed and then download an appropriate version of its own code to execute. Once the bot is up and running on this device the cycle will repeat.

Active versions of Remaiten can drop other malicious payloads onto their hosts, or use them to launch denial of service (DoS) attacks. One simple way to prevent compromise is to use strong login credentials. Full analysis and IOCs are available here [2].

KimcilWare Ransomware [3]

Several websites using the Magento e-commerce platform have been hit with a ransomware variant called KimcilWare.

It is not known exactly how KimcilWare is infecting Magento users, but the ransom note it leaves behind provides "tuyuljahat@hotmail.com" as a contact address. It appears that this actor has been using at least two ransomware scripts on Magento customers. The first locks files with a .kimcilware extension and asks for $140, while the second uses a .locked extension and charges $440.

It does not appear to be possible to decrypt data without paying the ransom, although doing so is certainly not recommended.

Several law firms may be hacking victims

The FBI is attempting to discover whether hackers have stolen confidential information from several prestigious law firms after a breach last summer. Two firms that may be compromised are Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP, although other groups are also likely to be involved.

Top passwords to avoid

SplashData has released its 2015 list of most commonly used passwords. Discounting the usual offenders and their variants ("12345", "passw0rd", "qwerty"), the top 25 most used passwords and their ranks are:

7. football
10. baseball
11. welcome
16. dragon
17. master
18. monkey
19. letmein
20. login
21. princess
23. solo
25. starwars

OpSafePharma [4]

A new and largely unreported hacking operation has been uncovered in Italy after its chief architect, a hacker known by the alias "Artek", was arrested by police in his home in Udine. Throughout OpSafePharma, Artek and his accomplices launched a series of attacks against the Italian Department of Health in protest against its stance on Attention Deficit Disorder (ADHD).

The campaign utilised a number of DDoS attacks against hospitals, local health authorities and government sites. Artek is also guilty of using SQL injection to steal data from the Italian Red Cross and publish it online.

The campaign is thought to be loosely supported by Anonymous, the hacktivist collective.

Anonymous hack Angolan sites [5]

The Portuguese branch of Anonymous has hacked various government sites in Angola in response to the jailing of 17 youth activists.

Angolan President Jose Eduardo dos Santos has ruled the country for 27 years and often responds to perceived dissent with harsh authoritarian measures. Anonymous Portugal decried the jailings as unjust and used DDoS attacks to disable over 20 government sites; the sites are reportedly still disabled 24 hours after the attacks.

IS leak more police details

The Islamic State [6] hacking division, the Cyber Caliphate Army (CCA) [7], has continued its trend of leaking the details of American police officers online. Silobreaker's Daily Digest reported on March 16 [8] that Minnesota officers had their details shared on Twitter, with IS accounts encouraging lone wolf attacks against them.

The same group has struck again, this time in New Jersey, with a 39-page list being posted online alongside a raft of messages encouraging attacks against the officers. The New Jersey police department is insisting that the CCA did not breach their servers, but rather obtained the information from a third-party source.

The Silobreaker Team

[1] https://my.silobreaker.com/view360oldlayout.aspx?item=11_988050216&
[2] http://www.welivesecurity.com/2016/03/30/meet-remaiten-a-linux-bot-on-steroids-targeting-routers-and-potentially-other-iot-devices/
[3] https://my.silobreaker.com/view360oldlayout.aspx?item=11_987532763&
[4] https://my.silobreaker.com/view360oldlayout.aspx?item=11_988372582&
[5] https://my.silobreaker.com/view360oldlayout.aspx?item=11_414943089&
[6] https://my.silobreaker.com/view360oldlayout.aspx?item=11_10737571&
[7] https://my.silobreaker.com/view360old.aspx?item=11_775273407
[8] http://www.silobreaker.com/silobreaker-daily-cyber-digest-16-march-2016/
