EternalBlue Archives – Gridinsoft Blog

Microsoft reported about activity of the LemonDuck malware
https://gridinsoft.com/blogs/microsoft-reported-about-activity-of-the-lemonduck-malware/
Tue, 27 Jul 2021 16:15:13 +0000

Microsoft researchers have published a detailed analysis of the LemonDuck mining malware and report that this cross-platform malware continues to evolve.

LemonDuck is capable of attacking Windows and Linux, exploits old vulnerabilities and uses various distribution mechanisms to improve the effectiveness of its campaigns.

“LemonDuck, an actively updated and resilient malware known for its botnets and cryptocurrency mining, has followed the same path, exhibiting more sophisticated behavior and expanding its operations. Today LemonDuck not only uses victims' resources for its bots and mining, but also steals credentials, disables security mechanisms, spreads via email, performs lateral movement, and ultimately delivers human-operated malicious tools to the infected system”, – Microsoft said.

LemonDuck activity was first discovered in China in May 2019. Later, in 2020, the malware began to use COVID-19-themed lures in its attacks, and most recently it has exploited the ProxyLogon vulnerabilities in Microsoft Exchange (already patched by Microsoft) to gain access to servers that have not been updated.

In general, LemonDuck looks for devices vulnerable to issues such as CVE-2017-0144 (EternalBlue), CVE-2017-8464 (LNK RCE), CVE-2019-0708 (BlueKeep), CVE-2020-0796 (SMBGhost), CVE-2021-26855 (ProxyLogon), CVE-2021-26857 (ProxyLogon), CVE-2021-26858 (ProxyLogon) and CVE-2021-27065 (ProxyLogon).

One of the hallmarks of LemonDuck is its ability to remove “other attackers from a compromised device, thus getting rid of competing malware and preventing new infections, as well as patching the vulnerabilities that were used to gain access.”


LemonDuck attacks typically target the manufacturing sector and IoT, with the largest number of incidents reported in the US, Russia, China, Germany, the UK, India, Korea, Canada, France, and Vietnam.

Microsoft also describes another LemonDuck-related campaign, dubbed LemonCat, in its report. Experts believe LemonCat is used for other, more dangerous purposes and has been active since January 2021. In particular, LemonCat was used in attacks against vulnerable Microsoft Exchange servers, and these incidents led to the installation of a backdoor, theft of credentials and information, and the installation of the Ramnit Trojan.

“While the LemonCat infrastructure is being used for more dangerous campaigns, it does not mitigate the risk of malware infection associated with the LemonDuck infrastructure”, – Microsoft said.

Let me remind you that we also wrote about LemonDuck malware operators attacking IoT vendors.

Prometei botnet attacks vulnerable Microsoft Exchange servers
https://gridinsoft.com/blogs/prometei-attacks-microsoft-exchange/
Fri, 23 Apr 2021 16:24:44 +0000
Since many Exchange servers still have not received the ProxyLogon patches, cybercriminals continue to exploit them: for example, the updated Prometei botnet now attacks vulnerable Microsoft Exchange servers.

Researchers from Cybereason Nocturnus discovered Prometei malware, which mines Monero cryptocurrency on vulnerable machines.

In early March 2021, Microsoft engineers released out-of-band patches for four vulnerabilities in the Exchange mail server, which researchers collectively named ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065).

These vulnerabilities can be chained together: CVE-2021-26855 (a server-side request forgery) lets an attacker bypass authentication on the Exchange server, after which the post-authentication bugs allow writing arbitrary files (such as web shells) with administrator-level privileges, installing malware and stealing data.

In early March 2021, attacks on vulnerable servers were carried out by more than 10 hack groups, deploying web shells, miners and ransomware on the servers.

According to statistics released by Microsoft last month, approximately 92% of all Internet-connected Exchange servers have already received patches.

This modular malware was first documented last year. It is capable of infecting Windows and Linux systems, and has previously used the EternalBlue exploit to spread across compromised networks and infect vulnerable machines.

Cybereason Nocturnus experts write that Prometei has been active since at least 2016 (judging by samples uploaded to VirusTotal). The botnet was recently updated and has “learned” to exploit the ProxyLogon vulnerabilities.

Thus, Prometei now attacks Exchange servers, installs mining payloads on them, and then tries to spread further through the infected network using the EternalBlue and BlueKeep exploits, harvested credentials, and its SSH and SQL modules.

The updated malware has backdoor capabilities with support for an extensive set of commands, including downloading and executing files, searching for files on infected systems, and executing programs or commands on behalf of the attackers.


“If desired, attackers can infect compromised endpoints with other malicious programs and cooperate with ransomware operators, selling them access to systems”, – the researchers warn.

Let me remind you that I also wrote about how the FBI removed web shells from vulnerable Microsoft Exchange servers without informing their owners.

Prometei botnet uses SMB for distribution
https://gridinsoft.com/blogs/prometei-botnet-uses-smb-for-distribution/
Thu, 23 Jul 2020 16:32:14 +0000
Cisco Talos has discovered a new botnet, Prometei, which has been active since March 2020 and is focused on mining the Monero (XMR) cryptocurrency. The researchers note that the Prometei botnet makes intensive use of the SMB protocol for propagation.

The malware mainly attacks users in the USA, Brazil, Pakistan, China, Mexico and Chile. During four months of activity, the botnet operators “earned” about $5,000, that is, an average of about $1,250 per month.

Do you know who else is focused on mining Monero and wields a variety of exploits? Lucifer! (Don’t be alarmed, Lucifer is just another piece of malware.)

“The malware uses several techniques for distribution, including LOLbins (living-off-the-land binaries) to use legitimate Windows processes to execute malicious code (including PsExec and WMI), SMB exploits (including EternalBlue), and stolen credentials”, – write Cisco Talos experts.

In total, the researchers counted more than 15 components in Prometei. All of them are controlled by the main module, which RC4-encrypts the data before sending it to the command-and-control server over HTTP.


Auxiliary modules can be used to establish communication over Tor or I2P, collect system information, check open ports, spread via SMB, and scan the infected system for any cryptocurrency wallets.

For example, the botnet steals passwords using a modified version of Mimikatz (miwalk.exe); the passwords are then passed to the spreader module (rdpclip.exe), which parses them and tries to authenticate to other hosts over SMB. If that fails, the EternalBlue exploit is used for propagation.

The final payload delivered to the compromised system is SearchIndexer.exe, which is simply XMRig version 5.5.3.

However, the experts write that Prometei is not just a miner: the malware can also be used as a full-fledged Trojan and info-stealer.
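The components above all hide behind the names of legitimate Windows binaries (rdpclip.exe, SearchIndexer.exe) or behind a generic-looking name (miwalk.exe), and they are launched through PsExec and WMI. The following is an added example of the kind of check a defender would run over process-creation telemetry to catch this; it is not code from the Talos report or from Prometei. Assumptions: the expected location of the genuine binaries is a default Windows install, the sample events and the `C:\ProgramData\Updates` paths are constructed for illustration, and the command-line markers are XMRig's standard pool URL scheme and options rather than anything Prometei-specific.

```python
from dataclasses import dataclass

# Legitimate Windows binaries whose names Prometei reuses (rdpclip.exe spreader,
# SearchIndexer.exe miner), mapped to where the real one lives on a default
# install (assumption: adjust for your image). Lower-case, backslash paths.
EXPECTED_DIR = {
    "rdpclip.exe": r"c:\windows\system32",
    "searchindexer.exe": r"c:\windows\system32",
}
# miwalk.exe (the modified Mimikatz) is not a Windows binary; any sighting is suspicious.
KNOWN_BAD_NAMES = {"miwalk.exe"}
# Parent images that indicate remote execution via PsExec or WMI, the LOLbins Talos mentions.
LATERAL_PARENTS = {"psexesvc.exe", "wmiprvse.exe"}
# XMRig command-line fragments (pool URL scheme and well-known XMRig options).
MINER_MARKERS = ("stratum+tcp://", "stratum+ssl://", "--donate-level", "--coin=", "--algo=")


def split_win_path(path):
    """Return (directory, filename) for a Windows path, lower-cased."""
    p = path.lower().replace("/", "\\")
    directory, _, name = p.rpartition("\\")
    return directory, name


@dataclass
class ProcessEvent:
    image: str           # full path of the started process
    command_line: str
    parent_image: str


def classify(event):
    """Return the list of reasons this process-creation event looks like Prometei activity."""
    reasons = []
    directory, name = split_win_path(event.image)
    _, parent = split_win_path(event.parent_image)
    if name in KNOWN_BAD_NAMES:
        reasons.append(f"known Prometei component name: {name}")
    expected = EXPECTED_DIR.get(name)
    if expected is not None and directory != expected:
        reasons.append(f"{name} masquerading: running from {directory!r}, expected {expected!r}")
    cmd = event.command_line.lower()
    hits = [m for m in MINER_MARKERS if m in cmd]
    if hits:
        reasons.append(f"miner command line markers: {', '.join(hits)}")
    # PsExec/WMI parents are common in administration, so they only strengthen an
    # existing finding instead of producing one on their own.
    if reasons and parent in LATERAL_PARENTS:
        reasons.append(f"launched via lateral-movement tool parent {parent}")
    return reasons


def scan(events):
    """Map each suspicious image path to its reasons; clean events are omitted."""
    findings = {}
    for ev in events:
        reasons = classify(ev)
        if reasons:
            findings[ev.image] = reasons
    return findings


# Constructed sample events (not real telemetry); the ProgramData paths are assumed.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\rdpclip.exe", "rdpclip", r"C:\Windows\System32\svchost.exe"),
    ProcessEvent(r"C:\ProgramData\Updates\rdpclip.exe", "rdpclip.exe", r"C:\Windows\PSEXESVC.exe"),
    ProcessEvent(r"C:\ProgramData\Updates\SearchIndexer.exe",
                 "SearchIndexer.exe -o stratum+tcp://pool.example.net:3333 --donate-level 0",
                 r"C:\ProgramData\Updates\rdpclip.exe"),
    ProcessEvent(r"C:\ProgramData\Updates\miwalk.exe", "miwalk.exe",
                 r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    ProcessEvent(r"C:\Windows\System32\SearchIndexer.exe", "SearchIndexer.exe /Embedding",
                 r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS).items():
        print(image)
        for r in reasons:
            print("   ", r)
```

Running the script flags the three ProgramData events and leaves the genuine rdpclip.exe and SearchIndexer.exe from System32 alone; the same `classify` function can be fed Sysmon event ID 1 or EDR process-start records once their image, command line and parent fields are mapped onto `ProcessEvent`.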

“The botnet is split into two main branches: the C++ branch is dedicated to cryptocurrency mining operations, and the .NET-based branch focuses on credential theft, SMB attacks and obfuscation. At the same time, the main branch can work independently of the second one, since it can communicate with the control server, steal credentials and mine on its own”, – say the researchers.

Cisco Talos experts point out that Prometei is unlike most mining botnets. Its authors not only split their tools by purpose, they also “taught” the malware to evade detection and analysis. In particular, even the earlier versions contain several layers of obfuscation, which have become much more elaborate in later versions.

Lucifer malware uses many exploits, is engaged in mining and DDoS attacks
https://gridinsoft.com/blogs/lucifer-malware-uses-many-exploits-is-engaged-in-mining-and-ddos-attacks/
Mon, 29 Jun 2020 16:20:16 +0000
Palo Alto Networks experts have prepared a report on the Lucifer malware, which uses many exploits and, according to the experts, “wreaks havoc” on Windows hosts. The authors of the malware themselves named their brainchild Satan DDoS, but information security experts call it Lucifer to distinguish it from the Satan ransomware.

The Lucifer botnet attracted the attention of researchers after numerous incidents involving the exploitation of the critical vulnerability CVE-2019-9081 in the Laravel framework, which could lead to remote execution of arbitrary code.

The version of the malware that uses CVE-2019-9081 was spotted on May 29, 2020; the campaign paused on June 10 and resumed a few days later with an updated version of the malware.

“Initially it was believed that the malware was quite simple and designed for mining cryptocurrency (Monero); it has now become clear that Lucifer also has a DDoS component and a self-propagation mechanism built on a number of serious vulnerabilities and brute force”, – say the experts.

For propagation across the network, Lucifer uses the well-known EternalBlue, EternalRomance and DoublePulsar exploits, which were stolen from US intelligence services (the NSA) and published in 2017 by The Shadow Brokers. But the attackers are not limited to these, so the full list of exploits Lucifer has taken into service is as follows:

  • CVE-2014-6287 (RCE in Rejetto HTTP File Server)
  • CVE-2018-1000861 (RCE in Jenkins)
  • CVE-2017-10271 (RCE in Oracle WebLogic Server)
  • CVE-2018-20062 (RCE vulnerability in ThinkPHP)
  • CVE-2018-7600 (RCE in Drupal, “Drupalgeddon2”)
  • CVE-2017-9791 (RCE in Apache Struts 2)
  • CVE-2019-9081 (RCE in the Laravel framework)
  • RCE backdoor in PHPStudy
  • CVE-2017-0144 (EternalBlue, SMBv1)
  • CVE-2017-0145 (EternalRomance, SMBv1)
  • CVE-2017-8464 (LNK RCE)

It is worth noting that all these vulnerabilities have already been fixed, and patches are available for them.

“After using exploits, an attacker can execute arbitrary commands on a vulnerable device. Considering that the attackers use the certutil utility in the payload to distribute the malware, in this case the targets are Windows hosts both on the Internet and on the intranet”, – write the researchers.

Lucifer is also able to scan for machines with open TCP ports 135 (RPC) and 1433 (MSSQL) and try username/password combinations against them. For brute-force attacks, the malware uses a dictionary of 300 passwords and seven usernames: sa, SA, su, kisadmin, SQLDebugger, mssql and Chred1433.

“The malware is able to infect devices using IPC, WMI, SMB and FTP via brute force, as well as via MSSQL, RPC and network sharing”, – say the researchers.
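A brute-force run like the one described above (and the credential-based SMB/SQL spreading of Prometei discussed earlier on this page) leaves a very recognisable trail in the SQL Server ERRORLOG: a burst of error 18456 “Login failed for user” lines from one client address, cycling through the same handful of account names. The following added example, not part of the Unit 42 report, shows detection logic over such lines. It uses the real 18456 line format, the seven usernames Unit 42 lists, and a threshold and window that are assumptions to tune; the log lines themselves are constructed sample data, not a capture.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Usernames in Lucifer's brute-force list, per the Unit 42 findings quoted above.
LUCIFER_USERNAMES = frozenset({"sa", "SA", "su", "kisadmin", "SQLDebugger", "mssql", "Chred1433"})

# SQL Server ERRORLOG "Login failed" line (error 18456); it carries the client address.
LOGIN_FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[^\]\s]+)\]"
)


def parse_failed_logins(lines):
    """Yield (timestamp, username, client_ip) for every failed-login line; skip the rest."""
    for line in lines:
        m = LOGIN_FAILED_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["ip"]


def detect_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Flag client IPs with >= threshold failed logins inside a sliding time window.

    Returns {ip: {"first_seen", "last_seen", "failures_in_window", "usernames",
                  "wordlist_match"}}; wordlist_match is True when any tried username is
    in Lucifer's list (case-sensitive, since the malware tries both 'sa' and 'SA').
    The threshold/window defaults are assumptions; tune them to your environment.
    """
    recent = defaultdict(deque)      # ip -> timestamps still inside the window
    tried = defaultdict(set)         # ip -> usernames attempted
    alerts = {}
    for ts, user, ip in parse_failed_logins(lines):
        q = recent[ip]
        q.append(ts)
        tried[ip].add(user)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(ip, {"first_seen": q[0], "failures_in_window": 0})
            a["last_seen"] = ts
            a["failures_in_window"] = max(a["failures_in_window"], len(q))
            a["usernames"] = sorted(tried[ip])
            a["wordlist_match"] = bool(tried[ip] & LUCIFER_USERNAMES)
    return alerts


def _constructed_line(ts, user, ip):
    """Constructed ERRORLOG line in the real 18456 format (sample data, not a capture)."""
    return (f"{ts:%Y-%m-%d %H:%M:%S}.23 Logon       Login failed for user '{user}'. "
            f"Reason: Password did not match that for the login provided. [CLIENT: {ip}]")


def constructed_sample_log():
    """12 failures from one source within 33 s cycling Lucifer's usernames, plus one real-user typo."""
    start = datetime(2020, 6, 10, 14, 2, 11)
    names = ["sa", "SA", "su", "kisadmin", "SQLDebugger", "mssql", "Chred1433"]
    lines = [f"{start:%Y-%m-%d %H:%M:%S}.20 Server      SQL Server is now ready for client connections."]
    for i in range(12):
        ts = start + timedelta(seconds=3 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S}.23 Logon       Error: 18456, Severity: 14, State: 8.")
        lines.append(_constructed_line(ts, names[i % len(names)], "203.0.113.7"))
    lines.append(_constructed_line(start + timedelta(seconds=40), "jdoe", "198.51.100.4"))
    return lines


if __name__ == "__main__":
    for ip, info in detect_bruteforce(constructed_sample_log()).items():
        print(ip, info)
```

On the constructed log only 203.0.113.7 is reported, with all seven Lucifer usernames and `wordlist_match` set; the single failure from 198.51.100.4 never reaches the threshold. The same parser works on the Windows Application log if you feed it the message text of the 18456 events instead of ERRORLOG lines.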

Having infected a system, Lucifer copies itself there using shell commands and installs XMRig to covertly mine the Monero cryptocurrency (XMR). Judging by the fact that the criminals have so far earned only 0.493527 XMR (about $30 at the current exchange rate), the experts believe the malicious campaign is just beginning.

Once established on the system, Lucifer also connects to its command-and-control server to receive commands, for example, to launch a DDoS attack, transfer stolen system data, or report the state of the miner to its operators.

A newer version of the malware also comes with anti-analysis protection and checks the username and computer name of the infected machine before attacking. If Lucifer determines that it is running in an analysis environment, it ceases all activity.

Recall also that, according to information security experts, Evil Corp has returned to criminal activity with the WastedLocker ransomware.

Microsoft recommends Exchange administrators to disable SMBv1
https://gridinsoft.com/blogs/microsoft-recommends-exchange-administrators-to-disable-smbv1/
Thu, 13 Feb 2020 16:45:01 +0000
Microsoft strongly recommends administrators disable the SMBv1 protocol on Exchange servers to protect against threats that exploit its vulnerabilities.

Let me remind you that Microsoft has been systematically phasing out the obsolete SMBv1 protocol for a long time. Since 2016, the company has advised administrators to stop using SMBv1, since this version of the protocol is almost 30 years old and lacks the security improvements added in later versions.

Those improvements include encryption, pre-authentication integrity checks to prevent man-in-the-middle (MitM) attacks, blocking of insecure guest authentication, and more.

“To make sure that your Exchange organization is better protected against the latest threats (for example Emotet, TrickBot or WannaCry to name a few) we recommend disabling SMBv1 if it’s enabled on your Exchange (2013/2016/2019) server. There is no need to run the nearly 30-year-old SMBv1 protocol when Exchange 2013/2016/2019 is installed on your system. SMBv1 isn’t safe and you lose key protections offered by later SMB protocol versions”, – Microsoft recommends.

Now the Exchange Team has once again reminded administrators that SMBv1 is insecure, because various malware still actively abuses it. SMB vulnerabilities are exploited by EternalBlue and EternalRomance, and through them by TrickBot, Emotet, WannaCry, Retefe, NotPetya, Olympic Destroyer and others. In addition, known SMB problems can be used to spread infection to other machines, perform destructive operations, and steal credentials.

In this regard, Microsoft experts strongly recommend disabling the obsolete version of SMB on Exchange 2013/2016/2019 servers.

“Before disabling SMBv1, you should make sure you use a correctly configured and supported DAG witness server which supports at least SMBv2. You should make sure that the witness server is running a supported version of Windows Server, which is Windows Server 2012/2012R2/2016 or 2019”, – Microsoft recommends.

The company says it has not tested whether Exchange 2010 works correctly with SMBv1 disabled, and advises upgrading from Exchange 2010 to Office 365 or a newer version of Exchange Server.
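After turning SMBv1 off (and after checking the DAG witness as Microsoft asks), the practical question is whether the server really stopped speaking it on the wire. The following added example, which is not from Microsoft's post, is a minimal SMB1 NEGOTIATE probe: it offers the server only the SMB1 dialect NT LM 0.12 and classifies the reply. A server with SMBv1 disabled either drops the connection, answers with an SMB2 header, or returns DialectIndex 0xFFFF; only a server that still runs SMBv1 accepts the dialect. Assumptions: the target listens on TCP 445, the `0xC853` Flags2 value is an ordinary client setting rather than anything required, and the `constructed_smb1_reply` helper produces made-up server replies for offline checking, not captured traffic. Run it only against hosts you are authorised to test.

```python
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
SMB1_HEADER_LEN = 32


def netbios_wrap(smb_message):
    """Prefix an SMB message with the 4-byte NetBIOS session header (type 0, 3-byte length)."""
    return b"\x00" + struct.pack(">I", len(smb_message))[1:] + smb_message


def build_smb1_negotiate(dialects=(b"NT LM 0.12",)):
    """Build an SMB1 NEGOTIATE request that offers only SMB1 dialects.

    Deliberately no 'SMB 2.002' / 'SMB 2.???' entries: a server that has SMBv1
    disabled then has nothing to pick, which is exactly what we want to observe.
    """
    header = (
        SMB1_MAGIC
        + struct.pack("<B", SMB_COM_NEGOTIATE)
        + struct.pack("<I", 0)        # NT status
        + struct.pack("<B", 0x18)     # Flags: canonical paths, case-insensitive
        + struct.pack("<H", 0xC853)   # Flags2: unicode, NT status, extended security, long names
        + struct.pack("<H", 0)        # PIDHigh
        + b"\x00" * 8                 # SecurityFeatures (unused without signing)
        + struct.pack("<H", 0)        # Reserved
        + struct.pack("<H", 0)        # TID
        + struct.pack("<H", 0xFEFF)   # PIDLow
        + struct.pack("<H", 0)        # UID
        + struct.pack("<H", 1)        # MID
    )
    assert len(header) == SMB1_HEADER_LEN
    dialect_bytes = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = struct.pack("<B", 0) + struct.pack("<H", len(dialect_bytes)) + dialect_bytes
    return netbios_wrap(header + body)


def parse_negotiate_response(data):
    """Classify what a server sent back to the SMB1 NEGOTIATE above.

    'no-response'   : nothing / connection dropped (SMBv1 removed, port filtered, ...)
    'smb2'          : server replied with an SMB2/3 header; SMB1 was not selected
    'smb1-rejected' : SMB1 header but DialectIndex 0xFFFF or an error status
    'smb1-accepted' : server negotiated one of the SMB1 dialects we offered
    'unknown'       : something else (not SMB at all, truncated, wrong command)
    """
    if len(data) < 4:
        return "no-response"
    msg = data[4:]                     # strip NetBIOS session header
    if msg[:4] == SMB2_MAGIC:
        return "smb2"
    if msg[:4] != SMB1_MAGIC or len(msg) < SMB1_HEADER_LEN + 1:
        return "unknown"
    command = msg[4]
    status = struct.unpack_from("<I", msg, 5)[0]
    flags = msg[9]
    word_count = msg[SMB1_HEADER_LEN]
    if command != SMB_COM_NEGOTIATE or not (flags & 0x80):   # 0x80 = reply bit
        return "unknown"
    if status != 0 or word_count == 0 or len(msg) < SMB1_HEADER_LEN + 3:
        return "smb1-rejected"
    dialect_index = struct.unpack_from("<H", msg, SMB1_HEADER_LEN + 1)[0]
    return "smb1-rejected" if dialect_index == 0xFFFF else "smb1-accepted"


def probe_smb1(host, port=445, timeout=3.0):
    """Connect to host:port, send the SMB1 NEGOTIATE and classify the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_smb1_negotiate())
            try:
                data = sock.recv(4096)
            except (socket.timeout, ConnectionResetError):
                data = b""
    except OSError:
        return "no-response"
    return parse_negotiate_response(data)


def constructed_smb1_reply(dialect_index):
    """Constructed sample server reply (not captured traffic) for offline checks."""
    header = (SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + struct.pack("<I", 0)
              + bytes([0x98]) + struct.pack("<H", 0xC853) + b"\x00" * 20)
    params = struct.pack("<H", dialect_index) + b"\x00" * 32   # WordCount 17 -> 34 bytes
    return netbios_wrap(header + bytes([17]) + params + struct.pack("<H", 0))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(f"{target}: {probe_smb1(target)}")
```

Anything other than `smb1-accepted` from an Exchange server means the change took effect from the network's point of view; `smb1-accepted` means SMBv1 is still being served and the EternalBlue-class exploits discussed above still have an attack surface, whatever the patch level.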

This week, as part of Patch Tuesday, Microsoft fixed 99 bugs in its products, including the much-discussed 0-day in Internet Explorer, but at the same time the discontinuation of support for old products is drawing a very mixed reaction from users.
