Emotet Malware Sightings: Emotet originated as a banking trojan and has continued to evolve into more pernicious malware. It goes after banking credentials and other sensitive information. Remember, data is the new gold. Typically the malware arrives as a malicious macro hidden in an attachment that is very well disguised as legitimate business correspondence, such as an invoice. Once Emotet is downloaded it activates, hunts for the data to harvest, and then exfiltrates it back to the command-and-control servers. This follows each step of the Cyber Kill Chain: Recon, Weaponize, Deliver, Exploit, Install, Command and Control, followed by Actions, meaning the attacker’s true intent. In this case, that can involve the sale of the stolen information and the continued spread of Emotet across systems to harvest more.
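Since the delivery vector above is a macro hidden in an attachment, the first thing a mail gateway or analyst can check is whether an Office attachment actually carries a VBA project at all. The following is an added example (not code from the original post or from any vendor it mentions): it inspects an Office Open XML package for the vbaProject.bin part that holds macros, flags the legacy OLE2 binary format for manual review, and reports when a macro-bearing file hides behind a non-macro extension such as .docx. The sample packages it builds are constructed minimal zips, not real Word documents, and the triage() helper and its verdict strings are this example's own naming.

```python
import io
import zipfile

# Office Open XML packages keep VBA macros in a binary part with this name,
# under word/, xl/ or ppt/ depending on the application that created the file.
VBA_PART = "vbaProject.bin"
# Magic bytes of the legacy OLE2 compound file format (.doc/.xls/.ppt).
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# Extensions where a VBA project is expected; anything else carrying one is odd.
MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "xlam", "pptm", "potm"}


def classify_attachment(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-clean', 'ole2-legacy' or 'not-office'."""
    if data.startswith(OLE2_MAGIC):
        # Legacy binary format: macros live in OLE streams, which needs a
        # dedicated OLE parser to inspect, so hand it to a reviewer instead.
        return "ole2-legacy"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return "not-office"          # a zip, but not an OOXML package
            if any(n.rsplit("/", 1)[-1] == VBA_PART for n in names):
                return "ooxml-macro"
            return "ooxml-clean"
    except zipfile.BadZipFile:
        return "not-office"


def triage(filename: str, data: bytes) -> dict:
    """Combine the content verdict with an extension sanity check."""
    verdict = classify_attachment(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    # A macro project inside a file named .docx/.xlsx is a common disguise trick.
    mismatch = verdict == "ooxml-macro" and ext not in MACRO_EXTENSIONS
    return {"file": filename, "verdict": verdict, "extension_mismatch": mismatch}


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-like package for the demo (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice_2017.docx", build_sample(True)),    # macro hidden behind .docx
        ("invoice_2017.docx", build_sample(False)),   # genuinely macro-free
        ("report.doc", OLE2_MAGIC + b"\x00" * 32),    # legacy format, review it
        ("notes.txt", b"plain text"),                 # not an Office file
    ]
    for name, blob in samples:
        print(triage(name, blob))
```

This only answers "does the file contain a VBA project"; it says nothing about what the macro does, so a hit is a reason to detonate or block, not proof of Emotet. Real mail filtering also has to look inside archives and at files whose extension lies about their format, which is why the verdict comes from the bytes rather than the name.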
GoAhead Remote Exploit: This is a biggie. CVE-2017-17562: remote LD_PRELOAD exploitation of the GoAhead web server. Remote exploitation of anything is bad, but as it happens GoAhead runs a hell of a lot of things: printers, network gear, CCTV cameras, and hosting equipment at telecom providers. I took a look on Shodan to see how many exposed instances there are and found over 400K.
Per their website:
GoAhead is the world’s most popular, tiny embedded web server. It is compact, secure and simple to use. GoAhead is deployed in hundreds of millions of devices and is ideal for the smallest of embedded devices.
Welcome to our security nightmare: convenience without proper configuration. This isn’t something new, however; it’s been around a while. And there is a patch here: https://www.elttam.com.au/blog/goahead/
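Patching is the fix, but with hundreds of millions of embedded devices in the field many will never see the update, so it is worth knowing whether anyone has been poking at your GoAhead instances. The following is an added example, not code from the original post or from the GoAhead project or the linked advisory: it scans web-server access logs for requests whose query-string parameter names look like dynamic-loader control variables (LD_PRELOAD and friends), which is the tell-tale of this CVE as described in the elttam write-up. The log lines are constructed samples, and the find_preload_attempts() function and its output fields are this example's own naming. Matching is deliberately case-insensitive so that sloppy probes are caught as well.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines in Common Log Format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Dec/2017:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.7 - - [20/Dec/2017:10:01:09 +0000] "GET /cgi-bin/status?page=1 HTTP/1.1" 200 88
203.0.113.9 - - [20/Dec/2017:10:02:33 +0000] "POST /cgi-bin/status?LD_PRELOAD=%2Ftmp%2Fx.so HTTP/1.1" 200 0
203.0.113.9 - - [20/Dec/2017:10:02:40 +0000] "GET /cgi-bin/status?ld_library_path=%2Ftmp HTTP/1.1" 200 0
"""

# Pull client IP, timestamp, method, request target and status out of one CLF line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def loader_var_params(target: str) -> list:
    """Return query parameter names that look like LD_* loader variables."""
    query = urlsplit(target).query
    hits = []
    # parse_qsl percent-decodes the names, so encoded variants are caught too.
    for key, _value in parse_qsl(query, keep_blank_values=True):
        if key.upper().startswith("LD_"):
            hits.append(key)
    return hits


def find_preload_attempts(log_text: str) -> list:
    """Scan access-log text and return one finding per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparseable line; skip rather than guess
        keys = loader_var_params(m["target"])
        if keys:
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "method": m["method"],
                "target": m["target"],
                "params": keys,
                # CGI paths are where environment injection matters most.
                "cgi": "/cgi-bin/" in m["target"],
                "status": int(m["status"]),
            })
    return findings


if __name__ == "__main__":
    for f in find_preload_attempts(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} {f['target']} -> {f['params']}")
```

A hit tells you someone sent loader variable names to a CGI endpoint; whether it worked depends on the device's build and patch level, so pair this with the Shodan-style exposure check above and with the device inventory. Legitimate applications have no business naming query parameters after loader environment variables, so the false-positive rate of this rule is close to zero.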
Botnets and Bitcoins: Bitcoin mining has become an issue, given the rapid rise in value of this volatile commodity. Because producing this intangible product takes so much energy, miners resort to harnessing other people’s equipment: through sketchy downloads from outside the Apple App Store and Google Play, through keyloggers delivered by malware, and through botnets. At the moment, organized cybercrime is going after database services using a new botnet in the “Hex-Men” attacks. These are based out of China, and the reach is global. Why you should care: according to GuardiCore researcher Daniel Goldberg, the compromised boxes are sensitive production web servers running MS SQL, ElasticSearch and the like. Daniel co-authored a report on this for GuardiCore with Ofri Ziv, who warns:
The fact that they are targeting databases is pretty amazing to me and it’s something that people need to really, really pay more attention to
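The practical takeaway from the Hex-Men story is that database services on production web servers are being reached from the internet at all. The following is an added example, not code from the original post or from GuardiCore: it parses the output of the Linux ss tool (the constructed sample below mirrors the layout of ss -ltn) and lists database listeners bound to a wildcard address, which is the first thing to check on any box that is supposed to be a web server and nothing else. The port-to-service table and the exposed_db_listeners() function are this example's own; MS SQL and Elasticsearch come from the article, and the remaining ports are common database defaults added for completeness.

```python
import sys

# Default listener ports of common database services; the first two are the
# ones named in the GuardiCore report, the rest are added for completeness.
DB_PORTS = {
    1433: "MS SQL Server",
    9200: "Elasticsearch HTTP",
    3306: "MySQL",
    5432: "PostgreSQL",
    6379: "Redis",
    27017: "MongoDB",
}
# Local addresses that mean "every interface", IPv4 and IPv6 spellings included.
WILDCARD = {"0.0.0.0", "*", "::", "[::]"}

# Constructed sample in the layout of `ss -ltn` output; not taken from a real host.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:1433         0.0.0.0:*
LISTEN  0       128     127.0.0.1:9200       0.0.0.0:*
LISTEN  0       128     [::]:9200            [::]:*
LISTEN  0       128     *:3306               *:*
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*
"""


def parse_ss_listen(text: str) -> list:
    """Return (local_address, port) pairs for every LISTEN row in ss output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue                         # header line or non-listening socket
        local = parts[3]
        # rpartition keeps IPv6 literals such as [::]:9200 intact.
        addr, _sep, port = local.rpartition(":")
        if not port.isdigit():
            continue
        rows.append((addr, int(port)))
    return rows


def exposed_db_listeners(text: str) -> list:
    """List database listeners reachable on every interface."""
    findings = []
    for addr, port in parse_ss_listen(text):
        if port in DB_PORTS and addr in WILDCARD:
            findings.append({"port": port, "service": DB_PORTS[port], "bind": addr})
    return findings


if __name__ == "__main__":
    # Pipe real output in with `ss -ltn | python3 this_script.py`; otherwise demo.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS
    for f in exposed_db_listeners(text):
        print(f"port {f['port']} ({f['service']}) listens on {f['bind']}")
```

A wildcard bind is not the same as internet exposure, since a host firewall or upstream filter may still block the port, but it is the configuration that turns a firewall mistake into a compromised database. The Elasticsearch row shows the point: the loopback listener is fine, the IPv6 wildcard on the same port is not, and a scan of only IPv4 would miss it.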