Vercara’s Open-Source Intelligence (OSINT) Report – September 6 – September 12, 2024


Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

New Vo1d malware infects 1.3 million Android streaming boxes. 

(TLP: CLEAR) Vo1d is a backdoor that targets Android-based TV streaming boxes; roughly 1.3 million infected devices were reported across a large number of countries. The initial reporting points to installation through malicious applications disguised as legitimate software or streaming apps, obtained from unofficial sources or compromised app stores, typically on boxes running outdated firmware. Once resident, Vo1d gives its operators remote control of the device: it contacts its command-and-control (C2) infrastructure, downloads and runs additional executables on demand, and can exfiltrate data. 

(TLP: CLEAR) Comments: The Vo1d malware incident underscores the importance of vigilance and proactive security measures for Android-based streaming devices, particularly given their increasing use and the potential for large-scale impacts from such infections. Regularly monitoring device performance and network activity can help in identifying and addressing infections early. Malicious actors continually look for vulnerabilities that would enable the installation of botnet malware that can be used for future Distributed Denial-of-Service (DDoS) attacks. 

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 5.2: “An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware.” Combining agent-based and network-based detection, such as a Protective DNS solution, gives overlapping coverage: agents protect conventional IT assets such as laptops, desktops, and servers, while DNS-layer detection also covers non-standard assets such as IoT devices, streaming boxes, and appliances that cannot run anti-malware software at all. 

NIST Special Publication 800-189: “Distributed denial-of-service (DDoS) is a form of attack where the attack traffic is generated from many distributed sources to achieve a high-volume attack and directed towards an intended victim (i.e., system or server). To conduct a direct DDoS attack, the attacker typically makes use of a few powerful computers or a vast number of unsuspecting, compromised third-party devices (e.g., laptops, tablets, cell phones, Internet of Things (IoT) devices, etc.). The latter scenario is often implemented through botnets. In many DDoS attacks, the IP source addresses in the attack messages are “spoofed” to avoid traceability.” 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), can detect and block malware delivery and command and control (C2) techniques such as phishing, domain generation algorithms, and DNS tunneling to reduce both the quantity and impact of infections. 

Vercara UltraDDoS Protect provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and >15Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that is constantly updating mitigation devices allows protection against emerging attack vectors and common attack sources. 
Source: https://www.bleepingcomputer.com/news/security/new-vo1d-malware-infects-13-million-android-streaming-boxes/   

New Linux malware campaign exploits Oracle Weblogic to mine cryptocurrency. 

(TLP: CLEAR) Hadooken is a newly reported Linux malware family that targets Oracle WebLogic servers. The campaign gains initial access to internet-exposed WebLogic administration consoles, primarily through weak or default credentials, and may also use unpatched WebLogic vulnerabilities where they are present. Once it has a foothold, Hadooken deploys a cryptocurrency miner, which is the campaign’s apparent objective, and gives the operators remote access to the host so that they can run commands, deploy additional malware, and use the server as a base for further attacks. 

(TLP: CLEAR) Comments: The primary risk is full compromise of the WebLogic server, which exposes the applications and data it hosts; infected servers also suffer operational impact, since the miner consumes CPU and can cause performance degradation and downtime. The campaign is a reminder that WebLogic administration interfaces should not be reachable from the internet, that default and weak credentials must be changed, and that WebLogic patches need to be applied promptly. 

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.” 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 4 distinct detection engines to provide Defense in Depth against malware, phishing, and other abuses:  

  • The Lists Engine allows UltraDDR customers the ability to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.  
  • The Categories Engine uses Vercara-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one click of a button.  
  • The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.  
  • The Ruleset Engine allows administrators the ability to build custom rules to augment and extend the other engines of UltraDDR. 

Source: https://thehackernews.com/2024/09/new-linux-malware-campaign-exploits.html  
https://www.bleepingcomputer.com/news/security/new-linux-malware-hadooken-targets-oracle-weblogic-servers/  

Iranian cyber group OilRig targets Iraqi government in sophisticated malware attack. 

(TLP: CLEAR) The cyber group OilRig, attributed to Iranian state-sponsored actors, has been actively targeting a range of organizations with advanced cyber operations. Their recent activities involve deploying new malware and exploiting specific vulnerabilities to achieve their objectives. OilRig employs phishing emails as a primary method for initial access. These emails often contain malicious attachments or links that, when interacted with, deploy malware onto the victim’s system. OilRig has introduced new strains of malware tailored for different stages of the attack lifecycle such as Remote Access Trojans (RATs), data exfiltration tools and custom exploits.  

(TLP: CLEAR) Comments: Organizations are advised to implement strong security practices, such as regular patching of vulnerabilities and using advanced threat detection solutions. Educating users to recognize and avoid phishing attempts can reduce the risk of initial compromise. OilRig’s activities highlight the sophisticated nature of state-sponsored cyber operations and the need for robust cybersecurity measures to protect against advanced persistent threats (APTs). 

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.PS-05: “Installation and execution of unauthorized software are prevented.” By enforcing a content filtering policy to block typical software download sites in addition to hacker tools and P2P services, organizations reduce the amount of malware and trojan horses that are introduced into their organization unknowingly by their users.  This can be done via a protective DNS or forward web proxy solution with website categories feeds. 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 2 modes of onboarding DNS queries and protecting endpoints from phishing and malware: forwarding from an on-network resolver such as a firewall or Active Directory domain controller or via an endpoint client that captures and forwards DNS queries to UltraDDR’s servers. 
Source: https://thehackernews.com/2024/09/iranian-cyber-group-oilrig-targets.html  

Hackers proxyjack & cryptomine Selenium Grid Servers. 

(TLP: CLEAR) Attackers have been targeting Selenium Grid servers, which are normally used to automate web application testing. Selenium Grid ships without authentication, so a Grid whose management port is reachable from the internet lets anyone submit browser sessions and, through them, run commands on the host. Two outcomes have been observed: proxyjacking, where the compromised server is enrolled in a proxy or bandwidth-sharing network so that the attacker’s traffic (scraping, brute force, other illicit activity) appears to originate from the victim’s address space; and cryptomining, where the server’s CPU is used to mine cryptocurrency for the attacker. 

(TLP: CLEAR) Comments: Both abuses raise the load on the server, degrading test performance and increasing compute and bandwidth costs. Missing access controls, or a Grid left on its default configuration, are what make this possible. Selenium Grid instances should be reachable only from the CI/test network or through an authenticating reverse proxy or VPN, never directly from the internet; an external port scan of the Grid host is a quick way to confirm that. 

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events.” One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport. 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), can detect and block malware delivery and command and control (C2) techniques such as phishing, domain generation algorithms, and DNS tunneling to reduce both the quantity and impact of infections. 
Source: https://www.darkreading.com/application-security/hackers-proxyjack-and-cryptomine-selenium-grid-servers   
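The detections that the UltraDDR notes in this report keep returning to (block and allow lists for domains and CIDRs, domain-generation-algorithm style names, DNS tunneling, custom rules) can be sketched as a small policy engine over resolver query logs. The following Python is an added example written for this report; it is not Vercara’s code and does not reproduce UltraDDR’s logic. The log lines, list contents, thresholds and the “no TXT from workstations” rule are all constructed for illustration.

```python
"""Minimal Protective-DNS policy sketch: list matching, a DGA heuristic,
a DNS-tunneling heuristic and custom rules, run over constructed log lines."""
import ipaddress
import math
import re
from collections import Counter, defaultdict

# Constructed sample of resolver logs: (client_ip, qname, qtype, answer_ip or None).
# Not real traffic; addresses come from the RFC 5737 documentation ranges.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com", "A", "192.0.2.10"),
    ("10.0.0.5", "update.example.com", "A", "192.0.2.11"),
    ("10.0.0.5", "bleepingcomputer.com", "A", "198.51.100.20"),
    ("10.0.0.7", "xk3qz9vw1p.biz", "A", "198.51.100.7"),        # DGA-looking
    ("10.0.0.7", "q7h2ks9xb3.biz", "A", "198.51.100.8"),        # DGA-looking
    ("10.0.0.7", "c2.bad.example.org", "A", "198.51.100.9"),    # on the domain block list
    ("10.0.0.8", "mirror.example.net", "A", "203.0.113.40"),    # answer inside a blocked CIDR
    ("10.0.0.9", "aGVsbG8gd29ybGQgdGhpcyBpcw.c1.exfil.example.org", "TXT", None),
    ("10.0.0.9", "dGhpcyBpcyBhIHNlY3JldCBtZXNz.c2.exfil.example.org", "TXT", None),
    ("10.0.0.9", "YWdlIGZvciB0aGUgYzIgc2VydmVy.c3.exfil.example.org", "TXT", None),
    ("10.0.0.12", "_dmarc.example.net", "TXT", None),           # hits a custom rule
]

# Lists-engine inputs (constructed). A domain entry also covers every subdomain.
ALLOW_DOMAINS = {"example.com"}
BLOCK_DOMAINS = {"bad.example.org"}
BLOCK_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]
WORKSTATIONS = ipaddress.ip_network("10.0.0.0/24")

# Ruleset-engine inputs: (name, predicate). Constructed policy: only mail servers
# need TXT lookups, so TXT queries from the workstation subnet are blocked.
RULES = [
    ("no-txt-from-workstations",
     lambda client, qname, qtype, answer: qtype == "TXT"
     and ipaddress.ip_address(client) in WORKSTATIONS),
]


def labels_of(qname):
    return qname.lower().rstrip(".").split(".")


def base_domain(qname):
    """Registrable domain approximated as the last two labels.
    Assumption: no public-suffix list, so names like foo.co.uk are misjudged."""
    labels = labels_of(qname)
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def domain_in_list(qname, domains):
    """True if qname itself or any parent domain of it is in the set."""
    labels = labels_of(qname)
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def shannon_entropy(text):
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def dga_score(label):
    """Cheap DGA heuristic on one label: long, vowel-poor, high entropy, letters mixed with digits."""
    score = 0
    score += len(label) >= 8
    score += sum(ch in "aeiou" for ch in label) / max(len(label), 1) < 0.25
    score += shannon_entropy(label) >= 3.0
    score += bool(re.search(r"\d", label) and re.search(r"[a-z]", label))
    return score


def is_dga(qname):
    return dga_score(base_domain(qname).split(".")[0]) >= 3


def tunneling_suspects(queries, min_unique=3, min_avg_len=40):
    """(client, base_domain) pairs sending many distinct, long subdomains: the shape of DNS tunneling."""
    seen = defaultdict(set)
    for client, qname, _qtype, _answer in queries:
        seen[(client, base_domain(qname))].add(qname.lower())
    return sorted(key for key, names in seen.items()
                  if len(names) >= min_unique
                  and sum(map(len, names)) / len(names) >= min_avg_len)


def evaluate(queries):
    """Apply the engines in order and return one (client, qname, verdict) per query."""
    tunnels = set(tunneling_suspects(queries))
    verdicts = []
    for client, qname, qtype, answer in queries:
        if domain_in_list(qname, ALLOW_DOMAINS):
            verdict = "allow:list"
        elif domain_in_list(qname, BLOCK_DOMAINS):
            verdict = "block:list"
        elif answer and any(ipaddress.ip_address(answer) in net for net in BLOCK_CIDRS):
            verdict = "block:cidr"
        elif (client, base_domain(qname)) in tunnels:
            verdict = "block:tunnel"
        elif is_dga(qname):
            verdict = "block:dga"
        else:
            verdict = "allow"
            for name, predicate in RULES:
                if predicate(client, qname, qtype, answer):
                    verdict = f"block:rule:{name}"
                    break
        verdicts.append((client, qname, verdict))
    return verdicts


if __name__ == "__main__":
    for client, qname, verdict in evaluate(SAMPLE_QUERIES):
        print(f"{client:10} {verdict:36} {qname}")
```

The ordering matters: the allow list is consulted first, so an allow-listed domain is never scored, which is also why allow lists should stay short. The DGA scorer is deliberately crude (a long English word such as “bleepingcomputer” scores 2 of 4 and passes) and is the kind of signal a machine-learning decision engine replaces rather than something to deploy on its own; the tunneling check is an aggregate over client and base domain, so it has to run over a window of queries rather than one query at a time.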

Quad7 botnet expands to target SOHO routers and VPN appliances. 

(TLP: CLEAR) The Quad7 botnet, first seen compromising SOHO routers, has broadened its target set to additional router models and VPN appliances, extending its reach to poorly secured, always-on edge devices in small networks. Infected devices connect to a command-and-control (C2) server, which lets the operators control them and update the malware. A botnet of compromised edge devices can serve as relay infrastructure for other attacks and, given the number of devices, can be turned to Distributed Denial of Service (DDoS) attacks that overwhelm target systems. 

(TLP: CLEAR) Comments: The Quad7 botnet’s move to target SOHO environments underscores the need for heightened security measures in smaller network setups, as they become increasingly attractive to cybercriminals seeking to exploit widespread vulnerabilities. 

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events.” One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport. 
Cybersecurity and Infrastructure Security Agency (CISA), FBI, and Multi-State ISAC publication “Understanding and Responding to Distributed Denial-of-Service Attacks”: “Enroll in a DDoS protection service. Many internet service providers (ISPs) have DDoS protections, but a dedicated DDoS protection service may have more robust protections against larger or more advanced DDoS attacks. Protect systems and services by enrolling in a DDoS protection service that can monitor network traffic, confirm the presence of an attack, identify the source, and mitigate the situation by rerouting malicious traffic away from your network.” 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses from users as well as machines using both defined categories, including botnet Command and Control (C2) as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation. 
Vercara UltraDDoS Protect provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and >15Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that is constantly updating mitigation devices allows protection against emerging attack vectors and common attack sources. 

About Vercara.

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please contact us.
