Courses on how to build botnets by dark web crooks
Botnets are widely used to commit ransomware attacks, distribute malware and, generally, perform many other types of malicious activities. And this threat is likely to increase in the coming future since dark web forums are actively offering lessons to visitors on how to make money via botnets. The computers that have been affected and become a part of the botnet are used by malicious actors to distribute malware and phishing emails to many other devices. Also, botnet operators are actively leasing the controlled machines to other malicious actors. As a result, the number of infected devices in a single army can reach hundreds or even thousands of machines.
An example of malware turning victims’ computers into a part of a large botnet is TrickBot malware. This malware provides attackers with a backdoor into victims’ computers. In many cases, botnets are used to conduct powerful DDoS attacks. Today there are many botnet operators who teach others how to use botnets and make huge money. These malicious courses often pretend to be special cybersecurity training or something similar.
Ransomware gangs now have enough financial capacity to buy zero-day flaws
Malicious actors are becoming more advanced. They are now willing to buy zero-day flaws that have been traditionally associated with nation-states. By taking advantage of vulnerabilities and exploits malicious actors can get huge profits. Zero-day flaws are especially popular among cybercriminals since these vulnerabilities are not known to cybersecurity researchers. Also, potential victims will not be able to apply security updates to patch these flaws.
The recent example of the exploitation of zero-day flaws by cybercriminals is Microsoft Exchange vulnerabilities. Cybercriminals were actively trying to exploit these flaws as soon as possible until patches were widely applied. For the last few years, the share of certain ransomware gangs in the market for zero-day flaws has increased significantly and now they are among the main buyers on this market.
The majority of consumers do not change their passwords after breaches
According to the results of the recent study conducted by the Identity Theft Resource Center, the shocking disconnect exists between awareness about the best practices following a data breach and real actions taken by consumers. More than 1,000 consumers were polled by the researchers. More than 55% of respondents have experienced the compromise of their accounts for the last few years and, thus, have a good understanding of measures that need to be taken to enhance their security after a breach.
However, only 22% of respondents who have experienced a breach, have changed their passwords soon after the incident. At the same time, 85% of respondents have admitted using the same password for a few accounts. At the same time, 48% of respondents have admitted lack of trust in password managers as one of the main reasons behind using the same password for many accounts.
Monero crypto is mined through hacked Alibaba Cloud servers
Malicious actors are actively targeting servers running on Alibaba Cloud to mine Monero cryptocurrency. Although cryptojacking is not a new trend in the world of cybercrimes, the visible intensification of attacks targeting Alibaba’s cloud infrastructure is visible. The popularity of Alibaba Elastic Computer Service instances among cybercriminals is explained by their auto-scaling feature whereby the service automatically adjusts computing resources depending on the volume of user requests.
The increase in resource usage causes additional expenditures for customers. The main actors in the cryptojacking landscape are Kinsing and TeamTNT. Their code shares common characteristics such as the ability to remove competitors who are also mining crypto and the ability to disable security features on victims’ machines.
Massive 2 Tbps DDoS attack has been blocked by Cloudflare
Cloudflare has blocked one of the largest DDoS attacks ever recorded. According to the statement made by the company, the attack was launched from approximately 15K bots that were running the variant of the original Mirai code on exploited IoT devices and unpatched GitLab instances. The attack took place 2 weeks after the company Rapid7 had issued a warning of GitLab vulnerability the severity level of which equaled 10 out of 10 on the CVSS severity scale. By exploiting this vulnerability malicious actors could remotely run code such as botnet malware on affected servers.
According to the estimates made by Rapid7, at least 30K internet-facing GitLab instances remain unpatched. Cloudflare believes that the blocked attack was a multi-vector attack combining DNS amplification attacks with UDP floods. Although the attack was addressed by Cloudflare, the trend is not likely to slow down in the coming future.