Tag Archives: brute force attacks

Crooks claims to have stolen 4TB of data from TransUnion South Africa

TransUnion South Africa discloses a data breach, threat actors who stolen sensitive data, demanded a ransom payment not to release stolen data.

TransUnion South Africa announced that threat actors compromised a company server based in South Africa using stolen credentials. Threat actors have stolen company data and demanded a ransom payment not to release stolen data.

As a precautionary measure, the company temporarily took part of its infrastructure offline.

“A criminal third party obtained access to a TransUnion South Africa server through misuse of an authorised client’s credentials. We have received an extortion demand and it will not be paid.” reads the statement published by the company.

TransUnion notified law enforcement and the country’s regulators.

The company has declared that it will not pay the ransom and hired cybersecurity and forensic experts to investigate the extent of the security breach.

The company believes the security breach only impacted an isolated server holding limited data from South African business.

“We are engaging clients in South Africa about this incident. As our investigation progresses, we will notify and assist individuals whose personal data may have been affected. We will be making identity protection products available to impacted consumers free of charge.” continues the statement.

“The security and protection of the information we hold is TransUnion’s top priority”, said Lee Naik, CEO TransUnion South Africa. “We understand that situations like this can be unsettling and TransUnion South Africa remains committed to assisting anyone whose information may have been affected.”

BleepingComputer reported that the Brazilian cybercrime group “N4ughtysecTU” has claimed responsibility for the attack and allegedly stolen 4TB of data.

The attackers claim to have hacked a poorly secured TransUnion SFTP server and stolen data related to 54 million customers.

The group told BleepingComputer that conducted a brute force attack on the SFTP server and breached an account using the password “Password.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Data breach)

[adrotate banner=”5″]

[adrotate banner=”13″]

How to secure QNAP NAS devices? The vendor’s instructions

QNAP is warning customers of ransomware attacks targeting network-attached storage (NAS) devices exposed online.

Taiwanese vendor QNAP has warned customers to secure network-attached storage (NAS) exposed online from ransomware and brute-force attacks.

“Ransomware and brute-force attacks have been widely targeting all networking devices, and the most vulnerable victims will be those devices exposed to the Internet without any protection. QNAP urges all QNAP NAS users to follow the security setting instructions below to ensure the security of QNAP networking devices.” states the security advisory published by the company. “Check whether your NAS is exposed to the Internet.”

Customers can check whether their NAS is exposed online by using the Security Counselor, a built-in security portal for QNAP NAS devices.

If the NAS is exposed to the Internet the dashboard will display the message “The System Administration service can be directly accessible from an external IP address via the following protocols: HTTP.”

Administrator of devices exposed to the Internet should:

  • Disable the Port Forwarding function of the router. Disable the port forwarding setting of NAS management service port (port 8080 and 433 by default) from the Virtual Server, NAT or Port Forwarding setting
  • Disable the UPnP function of the QNAP NAS from the QTS menu of myQNAPcloud. Disable the “Enable UPnP Port forwarding” under “Auto Router Configuration item.

The vendor also published a guide to securely access QNAP NAS via the Internet through myQNAPcloud Link.

In December a new wave of ech0raix ransomware attacks targeted QNAP NAS devices. Users reported numerous compromises of their devices a few days before Christmas.

According to BleepingComputer, forum users reported an intensification of the attacks since December 20, the analysis of submissions to the ID ransomware service for this specific threat started to increase on December 19 and reached a peak on December 20.

ech0raix ransomware operators demand a ransom raising from .024 ($1,200) up to .06 bitcoins ($3,000).

In August, a new variant of the eCh0raix ransomware started infecting Network-Attached Storage (NAS) devices from Taiwanese vendors QNAP and Synology.

The eCh0raix ransomware has been active since at least 2019, when eExperts from security firms Intezer and Anomali separately discovered sample of the ransomware targeting Network Attached Storage (NAS) devices.

NAS servers are a privileged target for hackers because they normally store large amounts of data.The ransomware was targeting poorly protected or vulnerable NAS servers manufactured by QNAP, threat actors exploited known vulnerabilities or carried out brute-force attacks.

The ransomware, tracked by Intezer as “QNAPCrypt” and “eCh0raix” by Anomali, is written in the Go programming language and uses AES encryption to encrypt files. The malicious code appends .encrypt extension to filenames of encrypted files.

In May, QNAP warned customers of threat actors that are targeting its Network Attached Storage (NAS) devices with eCh0raix ransomware attacks and exploiting a Roon Server zero-day vulnerability.

The Taiwanese vendor was informed of ongoing eCh0raix ransomware attacks that infected QNAP NAS devices using weak passwords.

Independent experts observed a surge in eCh0raix infection reports between April 19 and April 26.

In the same period, the vendor also warned its users of an ongoing AgeLocker ransomware outbreak.

In 2019, Anomali researchers reported a wave of eCh0raix attacks against Synology NAS devices, threat actors conducted brute-force attacks against them.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, QNAP NAS)

[adrotate banner=”5″]

[adrotate banner=”13″]

New GoldBrute Botnet is attempting to infect 1.5 Million RDP Servers

A new botnet tracked as GoldBrute is scanning the web for Windows machines with Remote Desktop Protocol (RDP) connection enabled.

A new botnet tracked as GoldBrute has appeared in the threat landscape, it is scanning the web for Windows machines with Remote Desktop Protocol (RDP) connection enabled.

The botnet is currently targeting over 1.5 million unique endpoints online, it is used to brute-force RDP connections or to carry out credential stuffing attacks.

“This botnet is currently brute forcing a list of about 1.5 million RDP servers exposed to the Internet. Shdoan lists about 2.4 million exposed servers  [1]. GoldBrute uses its own list and is extending it as it continues to scan and grow.” wrote the researchers Renato Marinho of Morphus Labs who discovered the bot.

The GoldBrute botnet currently has a single command and control server (104[.]156[.]249[.]231), its bots exchange data with the C2 via AES encrypted WebSocket connections to port 8333. 

Querying the Shodan search engine for systems with RDP enabled it is possible to find roughly 2.4 million machines.

“An infected system will first be instructed to download the bot code. The download is very large (80 MBytes) and includes the complete Java Runtime. The bot itself is implemented in a Java class called GoldBrute” continues the expert.

“Initially, the bot will start scanning random IP addresses to find more hosts with exposed RDP servers. These IPs are reported back to the C&C server. After the bot reported 80 new victims, the C&C server will assign a set of targets to brute force to the bot.” 

Below the complete attack chain:

  • Botnet brute-forces RDP connection and gains access to a poorly protected Windows system.
  • It downloads a big zip archive containing the GoldBrute Java code and the Java runtime itself. It uncompresses and runs a jar file called “bitcoin.dll”.
  • The bot will start to scan the internet for “brutable” RDP servers and send their IPs to the C2 that in turn sends a list of IP addresses to brute force.
  • GoldBrute bot gets different “host + username + password”  combinations.
  • Bot performs brute-force attack and reports result back to C2 server.

According to the researcher, the list of “brutable” RDP targets is rapidly growing, this suggests that also the size of the botnet is increasing.

“Analyzing the GoldBrute code and understanding its parameters and thresholds, it was possible to manipulate the code to make it save all “host + username + password” combinations on our lab machine.” continues the expert.

“After 6 hours, we received 2.1 million IP addresses from the C2 server from which 1,596,571 are unique. Of course, we didn’t execute the brute-force phase. With the help of an ELK stack, it was easy to geolocate and plot all the addresses in a global world map, as shown below.”

The GoldBrute botnet is difficult to detect because every bot only launches one password-guessing attempt per victim.

The report published by Marinho also includes a list of IoCs.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – GoldBrute botnet, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

GoScanSSH Malware spread avoiding Government and Military networks

Security experts at Cisco Talos discovered a new piece of malware dubbed GoScanSSH that was being used to compromise SSH servers exposed online.

Security researchers at Cisco Talos have discovered a new piece of malware dubbed GoScanSSH that was being used to compromise SSH servers exposed online.

The malicious code was written in Go programming language, uncommon for malware development, and implements several interesting features, for example, it tries to avoid infecting devices on government and military networks.

“Talos identified a new malware family that was being used to compromise SSH servers exposed to the internet. This malware, which we have named GoScanSSH, was written using the Go programming language, and exhibited several interesting characteristics.” reads the analysis published by Talos.

The attacker created unique malware binaries for each infected system, researchers also reported that the GoScanSSH command and control (C2) infrastructure was leveraging the Tor2Web proxy service making hard the tracking of the C&C infrastructure and resilient to takedowns.

GoScanSSH conducted brute-force attack against publicly accessible SSH servers that allowed password-based SSH authentication. The hackers are leveraging a word list containing more than 7,000 username/password combinations. When GoScanSSH discovered a valid credential set, a unique GoScanSSH malware binary is then created and uploaded to the compromised SSH server and executed.

While scanning for vulnerable SSH servers, GoScanSSH randomly generates IP addresses, avoiding special-use addresses. the malware then compares each IP address to a list of CIDR blocks that the malicious code will not attempt to scan because they are network ranges primarily controlled by various government and military entities.

The malware specifically avoids ranges assigned to the U.S. Department of Defense, experts also noticed that one of the network ranges in the list is assigned to an organization in South Korea.

The researchers detected more than 70 unique malware samples associated with the GoScanSSH malware family, the experts observed samples that were compiled to support multiple system architectures including x86, x86_64, ARM and MIPS64.

The experts also observed multiple versions (e.g, versions 1.2.2, 1.2.4, 1.3.0, etc.) of the malware in the wild, a circumstance that suggests the threat actors behind the malicious code is continuing to improve the malware.

 

According to the researchers, threat actors are likely trying to compromise larger networks, experts believe attackers are well resourced and with significant skills.

They are being active since June 2017 and already deployed 70 different versions of the GoScanSSH malware using over 250 distinct C&C servers.

The analysis of passive DNS data related to all of the C2 domains collected from all of the samples Talos analyzed confirmed that the number of infected systems is low.

“In analyzing passive DNS data related to all of the C2 domains collected from all of the samples Talos analyzed, resolution attempts were seen dating back to June 19, 2017, indicating that this attack campaign has been ongoing for at least nine months. Additionally, the C2 domain with the largest number of resolution requests had been seen 8,579 times.” states the analysis published by Talos.

Further details on the GoScanSSH malware, including IoCs, are reported in the analysis published by Talos.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – GoScanSSH malware, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Chaos backdoor, a malicious code that returns from the past targets Linux servers

Security experts from GoSecure, hackers are launching SSH brute-force attacks on poorly secured Linux servers to deploy a backdoor dubbed Chaos backdoor.

“This post describes a backdoor that spawns a fully encrypted and integrity checked reverse shell that was found in our SSH honeypot,” states the report published by GoSecure.

“We named the backdoor ‘Chaos’, following the name the attacker gave it on the system. After more research, we found out this backdoor was originally part of the ‘sebd’ rootkit that was active around 2013.”

The Chaos backdoor was one of the components of the “sebd” Linux rootkit that appeared in the threat landscape back in 2013, researchers discovered a post on hackforums.net, where a user claims to know how the backdoor was made publicly available.

It seems that the source code of the backdoor was caught by a “researcher” that released it on the forum by changing the name of the backdoor in Chaos to trick members into believing that is was a new threat.

The malicious code is now being used by attackers in the wild to target Linux servers worldwide.

Researchers performed an Internet-wide scan using the handshake extracted from the client in order to determine the number of infected Linux servers and they discovered that this number is quite low, below the 150 marks.

The installation of the Chaos backdoor starts with the attacker downloading a file that pretended to be a jpg from http://xxx.xxx.xxx.29/cs/default2.jpg.

The file was currently a .tar archive containing the Chaos (ELF executable), the client (ELF executable), initrunlevels Shell script, the install Shell script.

“Chaos”, in the tar archive, is the actual backdoor that is installed on the victim’s system and the “Client” file is the client to connect to the installed backdoor.

The backdoor is not sophisticated is doesn’t rely on any exploits, it opens a raw socket on port 8338 on which it listens to commands.

“Any decent firewall would block incoming packets to any ports that have not explicitly been opened for operational purposes,” GoSecure experts say. “However, with Chaos using a raw socket, the backdoor can be triggered on ports running an existing legitimate service.”

To check if your system is infected experts suggest to run the following command as root:

and analyze the list the processes to determine which are legitimate ones that have listening raw sockets open.

“Because chaos doesn’t come alone but with at least one IRC Bot that has remote code execution capabilities, we advise infected hosts to be fully reinstalled from a trusted backup with a fresh set of credentials.” suggest experts to the owner of infected systems.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Chaos Backdoor, Linux Servers)

[adrotate banner=”5″]

[adrotate banner=”13″]

After Westminster attack, now Scottish parliament hit by brute-forcing attack

The Scottish Parliament has been targeted by a “brute force” attack, the assault is still ongoing and is similar to the one that hit the British Parliament.

The Scottish Parliament is under attack, crooks are brute-forcing email accounts in the attempt to access members’ emails.

The attack appears similar to the one that in June targeted the British Parliament and that caused the IT staff to shut down external access to mitigate the threat.

MSPs and Holyrood staff were warned on Tuesday that unidentified hackers were running “brute-force” attacks on systems in the devolved assembly,

“Chief executive Sir Paul Grice said the attack, from “external sources”, was similar to that which affected Westminster in June.

He confirmed the attack in a message to MSPs and staff with parliamentary email addresses, urging them to be vigilant.” reported the BBC.

“Mr Grice said “robust cyber security measures” identified the attack early, and systems “remain fully operational”.”

Mr Grice sent an email to MSPs and Parliament staff to check the security of their passwords and improve it as possible, he also announced a password reset for weak passwords. The IT staff at the Scottish Parliament is urging Legislators and support staff to update their passwords with longer and stronger combinations of letters, numbers and special characters in response.

“The parliament’s monitoring systems have identified that we are currently the subject of a brute force cyber attack from external sources.” reads Mr Grice’s email.

“This attack appears to be targeting parliamentary IT accounts in a similar way to that which affected the Westminster Parliament in June. Symptoms of the attack include account lockouts or failed logins.”

“The parliament’s robust cyber security measures identified this attack at an early stage and the additional security measures which we have in readiness for such situations have already been invoked. Our IT systems remain fully operational.”

Russian state-sponsored hackers were blamed for the attacks against Westminster systems occurred in June that led to the exposure of at least 90 accounts.

According to El Reg that has seen the message issued to all MSPs and staff at Holyrood, the cyber-attack is still ongoing and there is no evidence to suggest that the hackers have breached Scottish Parliament defences. IT systems continue to be fully operational.

Sincerely speaking I really don’t understand why sensitive email accounts are not protected by a two-factor authentication mechanism and why users are not forced to use strong passwords.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Scottish Parliament, hacking)

[adrotate banner=”13″]

Number of WordPress Attacks powered by compromised routers is rapidly dropping

Experts from security firm WordFence reported a rapid reduction of WordPress attacks originating from hundreds of ISPs worldwide.

Experts at the security firm Wordfence a few weeks ago reported that tens of thousands of flawed routers from dozens of ISPs worldwide were recruited in a botnet used to power several types of attacks against WordPress websites.

Hackers exploited the CVE-2014-9222 flaw, also known as ‘Misfortune Cookie,‘ to hack thousands of home routers and abuse them for WordPress attacks.

According to a new analysis published by WordFence, the volume of the attacks had started to drop significantly over the weekend, by Monday evening, the 30,000 or 40,000 attack attempts coming every hour from some ISPs had dropped to less than 5,000.  and the frequency of the attacks continued to decrease.

According to the researchers, this frequency is continuing to decrease.

“Yesterday morning we noticed that there was a rapid drop-off in attacks from the ISPs we identified 3 weeks ago, that had targeted WordPress websites.” reads the analysis published by WordFence.

“This is what the change in activity looked like from the top 50 ISPs from where these attacks were originating during a 72 hour period ending yesterday (Monday) evening. Click the chart for a larger version.”

“As you can see, starting at around midnight on Sunday night (April 30th) Pacific time, the number of attacks we are seeing from ISPs where we found vulnerable routers have dropped from peaks of 40,000 in some cases to peaks of just above 5,000 attacks per hour. In many cases the attacks drop to much lower levels and continue to decrease.”

The root cause of this drop is still unclear, researchers at WordFence believe the situation will be more clear in the next week.

A possible cause is that the attackers ended their operation for some reason, otherwise law enforcement along security firms have tracked the botnet and took down the command and control (C&C) servers.

A few weeks ago,  US authorities announced have dismantled the infamous Kelihos botnet. In the same period, the Interpol located and shut down nearly 9,000 Command and control servers located in Asia and hacked with a WordPress plug-in exploit.

This reduction of WordPress attacks originating from hundreds of ISPs worldwide is a good news. The experts were able to track the WordPress attacks originating from these ISPs and ban IP addresses involved in the botnet.

“The attacks originating from these ISPs were also resulting in their IP addresses being blacklisted by Wordfence and other services like SpamHaus. That resulted in the customers of those ISPs suffering because certain websites and services would block them. By reducing these attacks, this ensures those ISP customers have full internet access again.” concluded WordFence.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –  Misfortune Cookie, WordPress attacks)

[adrotate banner=”13″]

The number of ICS Attacks continues to increase worldwide

According to data provided by IBM Managed Security Services, the number of ICS attacks in 2016 continues to increase worldwide.

Industrial control systems (ICS) continues to be a privileged target of hackers. According to IBM Managed Security Services, the number of cyber attacks increased by 110 percent in 2016 compared to 2015.

According to the researchers from IBM, the spike is associated with a significant increase to brute force attacks on supervisory control and data acquisition (SCADA) systems.

IBM notices an increase in ICS traffic caused by SCADA brute-force attacks, unfortunately in some cases systems are exposed on the Internet with default credentials or weak passwords.

IBM warns of the availability of a penetration testing framework named smod that was used in a large number of attacks. The tool was published on the GitHub repository in January 2016, it allows to assess the Modbus serial communications protocol. It could also be used by attackers to power brute-force attacks.

“In January 2016, GitHub released a penetration testing solution that contained a brute-force tool that can be used against Modbus, a serial communication protocol. The public release and subsequent use of this tool by various unknown actors likely led to the rise in malicious activity against ICS in the past 12 months.” states the blog post published by IBM Managed Security Services.

The analysis of the sources of the attacks revealed that threat actors in the US accounted for the majority of ICS attacks in 2016 (60%), followed by Pakistan (20%), and China (12%). The United States also topped the list of the top 5 destination countries, this data is considered normal by experts because the US  has the largest number of internet-connected ICS systems in the world.

The report mentions the following three notable ICS attacks occurred in the last years.

  • The 2013 New York dam attack. Iranian hackers penetrated the industrial control system of a dam near New York City in 2013, raising concerns about the security of US critical infrastructure.
  • The 2015 Ukrainian power outage. Experts speculated the involvement of the Russian Government. According to security experts, the BlackEnergy malware was a key element of the attack against Ukrainian power grid that caused the power outage.
  • The 2016 SFG malware attacks. The Labs team at SentinelOne recently discovered a sophisticated malware dubbed Furtim specifically targeting at least one European energy company.

The report warns organization in any industry of cyber attacks against ICS system and urges the adoption of necessary countermeasures.

“Organizations across all verticals must take full responsibility for protecting their own assets and consumers. There should be no exceptions, since the best way to keep adversaries out of an ICS is to implement simple safeguards, best practices and risk management solutions.” states the report.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – ICS attacks, SCADA)

[adrotate banner=”13″]

Wordfence warns of a huge increase in brute force attacks on WordPress

Security experts from Wordfence observed a huge increase in Brute Force attacks in the last three weeks.

The security firm Wordfence is warning the WordPress community of a spike in the number of brute force attacks against websites running WordPress. has increased significantly in December compared to the previous period.

The researchers observed brute force attacks on WordPress websites soar in December.

Brute force attacks still represent a valid method to guess the admin credentials. According to Wordfence, in the last weeks, such kind of attacks increased in a significant way.

“Three weeks ago, on November 24th, we started seeing a rise in brute force attacks. As a reminder, a brute force attack is one that tries to guess your username and password to sign into your WordPress website.” states a blog post published by Wordfence.

In the period between October 16 and November 24, the experts observed less than 500,000 websites were attacked each day. The number of websites attacked soared starting with November 24, it was greater than 700,000 in some days. Wordfence blocked as many as 23 million brute force attack attempts per day.

The number of unique attack IPs also increased in the same period, passing from an average of roughly 13,000 per day to more than 30,000.

Top 20 countries from which the brute force attacks were launched during the past 24 hours is led by Ukraine (15,7% of total attacks), followed by France (11.1%), Russia (6.8%), the U.S. (6.6%), India (5.8%), China (4.2%), Germany (3.2%), Italy (2.4%) and the U.K. (2.2%).

“Most of the attacks come from 8 IP addresses in Ukraine.” states the analysis. “These IPs all belong to the same organization and are on the same network. Doing a Google search on the top IP brings back many reports of abuse around the Internet. They belong to a hosting company in Ukraine called “Pp Skslugan“. The servers are a mix. Some aren’t running any services. Others appear to be running Windows IIS web server. ” “These IPs are using brute force attacks exclusively. They don’t launch any sophisticated attacks. They are hammering away at WordPress sites at a rate of over a quarter million login attempts each, in some cases, during a 24 hour period.”

The researcher also tracked other specific networks used in the attacks, France sources have been tracked back to a company called Iliad-Entreprises. Other organizations involved in the cyber attacks are OVH, GoDaddy and BSNL.

hacker

Recently the firm RIPS Technologies published a report based on the analysis of 44,705 plugins in the official WordPress plugins directory and discovered that more than 8,800 of them are flawed.

When it comes to WordPress attacks involving the exploitation of vulnerabilities, malicious actors usually target unpatched plugins. A study conducted recently by RIPS Technologies has showed that of 44,000 plugins available in the official WordPress plugins directory, 8,800 are affected by at least one vulnerability.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – WordPress, brute force attacks)