Microsoft Warns New Sysrv Botnet Variant Is Dangerous

Security researchers employed by Microsoft have recently spotted a variant of the Sysrv botnet.  They have dubbed the new variant Sysrv-K.

This new variant works in two ways.  First, it exploits a flaw in the Spring Cloud Gateway that allows remote code execution (tracked as CVE-2022-22947). Second, the botnet scans the web for WordPress plugins with older, unpatched vulnerabilities.

Of significance, this variant of the botnet can take control of web servers, which makes it dangerous indeed.

Additionally, Sysrv-K contains new features that the original Sysrv botnet lacked. These include exploits for six different Remote Code Execution vulnerabilities that target the ThinkPHP framework, Drupal CMS, the VMware products XML-RPC, XXL-Job, SaltStack, as well as MongoDB’s Mongo Express admin interface.

Microsoft’s researchers had this to say about their recent discovery:

“A new behavior observed in Sysrv-K is that it scans for WordPress configuration files and their backups to retrieve database credentials, which it uses to gain control of the web server. Sysrv-K has updated communication capabilities, including the ability to use a Telegram bot.

Like older variants, Sysrv-K scans for SSH keys, IP addresses, and host names, and then attempts to connect to other systems in the network via SSH to deploy copies of itself. This could put the rest of the network at risk of becoming part of the Sysrv-K botnet.”

Sysrv-K constitutes a significant threat if you rely on any of the code mentioned above.  Be sure your IT Security staff is aware of this new threat so they can prepare for and guard against it.

Sadly, one thing we know for sure about 2022 is that this won’t be the last serious threat we are forced to bring to your attention in a bid to shed light on the latest activities in the hacking world.  Stay vigilant out there.

You Might Need This HP Bios Security Update

HP recently released a BIOS update to address a pair of high-severity vulnerabilities that affect a wide range of PC and notebook products offered by the company.  In both cases, the vulnerabilities would allow an attacker to execute arbitrary code with kernel-level privileges.

The two flaws are being tracked as CVE-2021-3808 and CVE-2021-3809 respectively, and both bear a CVSS 3.1 score of 8.8 which makes them both serious issues indeed.

Worse, the two issues impact more than 200 models of HP equipment, including Zbook Studio, ZHAN Pro, EliteBook, ProBook, Elite Dragonfly, business desktop PCs like the EliteDesk and ProDesk, retail PoS computers like the Engage, workstations like the Z1 and Z2, and thin client PCs.

For a comprehensive listing of impacted products, please refer to HP’s security advisory page and scan for the product you own.

Security researcher Nicholas Starke has done a deep dive into both issues.

Starke had this to say about the matter:

“This vulnerability could allow an attacker executing with kernel-level privileges (CPL == 0) to escalate privileges to System Management Mode (SMM). Executing in SMM gives an attacker full privileges over the host to further carry out attacks.”

HP has been having a tough time of things lately.  Just two months ago, the company released a BIOS update that addressed sixteen separate flaws. Three months before that, they released a BIOS update that addressed a completely different set of flaws.

Kudos to HP for their time and attention to this matter. However, one has to wonder what has broken down in their core development process that allowed so many serious BIOS flaws to slip through undetected in the first place?

Unfortunately, there’s no word on that but if you haven’t yet applied the latest security update, you’ll definitely want to apply this one as soon as possible.

New Method Hides Malware In Windows Event Logs

At least one group of hackers has learned a new trick you need to be aware of.  Security researchers at Kaspersky Lab have discovered a malicious campaign in progress that is using Windows event logs to store malware. That is a technique that has not been seen or documented until now.

This new methodology is designed for maximum stealth, allowing the threat actor to plant fileless malware on the target device, with the payload kept in the event log rather than as an ordinary file on disk.

The dropper used in this case makes a copy of the legitimate OS error-handling executable “WerFault.exe” and places it in C:\Windows\Tasks.  It then drops an encrypted binary resource into a wer.dll in that same location, a file name that legitimately belongs to Windows Error Reporting.

DLL hijacking is something that has been seen before.  It is a move that lets attackers abuse a legitimate program that performs few checks on the libraries it loads, so that a malicious DLL placed alongside it is loaded into memory.

Denis Legezo is the lead security researcher at Kaspersky. Legezo notes that the loader itself is harmless, but the hackers have hidden shellcodes inside the Windows event logs, and that’s what allows it all to function.
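Two defender-side checks follow from the description above: a copy of WerFault.exe sitting outside its normal System32 location with a wer.dll beside it is the staging pattern for the DLL hijack, and event log records whose body is binary rather than text are where shellcode could be parked. The block below is an added example written for this page, not code from Kaspersky or from the campaign analysis; the file inventory, the event records and the printable-ratio and entropy thresholds are all constructed for illustration.

```python
"""Heuristics for the WerFault.exe sideload staging and event-log payload
hiding described above. Added example with constructed input data; the
thresholds are assumptions chosen for the demonstration."""
import math
from pathlib import PureWindowsPath

# Directories where WerFault.exe legitimately lives (lower-cased for matching).
LEGIT_WERFAULT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def suspicious_werfault_copies(paths):
    """Return (directory, has_wer_dll) for every WerFault.exe found outside
    its normal directories; has_wer_dll marks a wer.dll placed beside it."""
    by_dir = {}
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir.setdefault(str(wp.parent).lower(), set()).add(wp.name.lower())
    findings = []
    for directory, names in sorted(by_dir.items()):
        if "werfault.exe" in names and directory not in LEGIT_WERFAULT_DIRS:
            findings.append((directory, "wer.dll" in names))
    return findings


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; near 8.0 for encrypted or packed content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_binary_payload(data: bytes, min_len=256,
                              max_printable=0.6, max_entropy=7.2) -> bool:
    """Flag a record body that is long and either mostly non-printable or
    very high entropy: log messages are text, shellcode blobs are not."""
    if len(data) < min_len:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return (printable / len(data) < max_printable
            or shannon_entropy(data) > max_entropy)


def scan_event_records(records):
    """records: iterable of dicts with 'id' and 'data' (raw event body).
    Returns the ids whose body looks like an embedded binary payload."""
    return [r["id"] for r in records if looks_like_binary_payload(r["data"])]


# Constructed sample inventory: one legitimate copy, one staged copy with
# a wer.dll beside it in C:\Windows\Tasks, matching the dropper behaviour.
SAMPLE_PATHS = [
    r"C:\Windows\System32\WerFault.exe",
    r"C:\Windows\System32\wer.dll",
    r"C:\Windows\Tasks\WerFault.exe",
    r"C:\Windows\Tasks\wer.dll",
]

# Constructed sample event bodies: ordinary text vs. an opaque binary blob.
SAMPLE_EVENTS = [
    {"id": 1001, "data": b"The Windows Error Reporting service entered the running state. " * 10},
    {"id": 1002, "data": bytes(range(256)) * 2},
    {"id": 1003, "data": b"short"},
]

if __name__ == "__main__":
    for directory, has_dll in suspicious_werfault_copies(SAMPLE_PATHS):
        print(f"WerFault.exe outside system dirs: {directory} (wer.dll beside it: {has_dll})")
    print("event records with binary bodies:", scan_event_records(SAMPLE_EVENTS))
```

On a real host the path list would come from a directory walk and the event bodies from an EVTX parser; the point of the heuristics is that a text-only log channel should never contain kilobytes of non-printable, high-entropy data.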

Legezo’s team traced the attack back to its origins in September of 2021 when the victim was tricked into downloading a RAR file from the file sharing service File.io.

It’s a scary piece of work. Based on an analysis of the code, it seems clear that the threat actor behind this new technique is highly advanced.

The fear is that the details surrounding this new method will be widely shared on the Dark Web. This would allow other, less technically proficient threat actors to copy it. Given how difficult to detect the method is, it’s likely to become incredibly popular very quickly.

All that to say, if you’re an IT Security Professional, your life is probably about to get a whole lot harder unfortunately.

Beware Of New Backdoor Malware Targeting Linux Users

The name Kevin Beaumont may not be familiar to you, but if you’re a Linux or Solaris user, he may have just saved you a whole lot of grief.

Recently, Mr. Beaumont discovered a stealthy backdoor malware, dubbed BPFdoor, that has been quietly infecting Linux and Solaris SPARC systems for more than five years.  BPFdoor only parses ICMP, UDP and TCP packets, checking them for a specific data value and, in the case of UDP and TCP packets, also checking for a password.

It can sit quietly on an infected system for an extended period. However, once triggered, it allows the hacker who placed it there complete access to a compromised device.  Beaumont found BPFdoor activity on networks all over the world.  It was most notably found in South Korea, Hong Kong, India, Vietnam, Myanmar, Turkey and, of course, the United States.

He also discovered eleven different speed test servers infected with BPFdoor, although he was at a loss to explain how those systems may have been compromised, since they run on closed-source software.

A different researcher named Craig Rowland issued a comprehensive technical report on BPFdoor and outlined some of its very clever evasion and anti-forensics tactics.

The tactics include the fact that it:

  • Resides in system memory and deploys anti-forensics action (wipes the process environment, albeit unsuccessfully as it leaves it empty)
  • Loads a Berkeley Packet Filter (BPF) sniffer allowing it to work in front of any locally running firewalls to see packets
  • Modifies ‘iptables’ rules when receiving a relevant packet to allow attacker communication through the local firewall
  • Masquerades the binary under a name like a common Linux system daemon
  • Renames and runs itself as /dev/shm/kdmtmpflush
  • Changes the date of the binary (time stamping) to October 30, 2008, before deleting it
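Several of the tactics in that list leave artefacts a host triage script can look for: an empty process environment, a binary executing from /dev/shm/kdmtmpflush (or anywhere under tmpfs), a process whose on-disk binary has been deleted, a file stamped October 30, 2008, and a daemon-like name on a process whose executable does not live in a system directory. The following is an added example for this page, not code from Rowland's report or Beaumont's research; the process records are constructed, and the daemon-name list and the two-indicator threshold are assumptions made for the demonstration.

```python
"""Host triage heuristics built from the BPFdoor tactics listed above.
Added example with constructed process records; the daemon-name list,
trusted directories and the hit threshold are assumptions."""
from dataclasses import dataclass, field
from datetime import date, datetime, timezone
from typing import Optional

# Indicators taken directly from the tactics list on this page.
KNOWN_RENAME_PATH = "/dev/shm/kdmtmpflush"
KNOWN_STAMP_DATE = date(2008, 10, 30)
# Assumption: daemon names a masquerading binary might borrow.
DAEMON_NAMES = {"udevd", "dbus-daemon", "auditd", "crond", "sshd"}
# Assumption: where a real daemon's executable is expected to live.
TRUSTED_BIN_DIRS = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/", "/usr/lib/")


@dataclass
class ProcRecord:
    """Subset of /proc/<pid>/ data a collector would gather per process."""
    pid: int
    comm: str                                   # /proc/<pid>/comm
    exe: str                                    # readlink /proc/<pid>/exe
    environ: dict = field(default_factory=dict)  # parsed /proc/<pid>/environ
    exe_mtime: Optional[datetime] = None        # stat of the binary, if seen
    exe_deleted: bool = False                   # readlink showed " (deleted)"


def bpfdoor_indicators(p: ProcRecord) -> list:
    """Return the list of page-derived indicators this process matches."""
    hits = []
    if not p.environ:
        hits.append("empty process environment (anti-forensics wipe)")
    if p.exe == KNOWN_RENAME_PATH or p.exe.startswith("/dev/shm/"):
        hits.append(f"executable runs from tmpfs: {p.exe}")
    if p.exe_deleted:
        hits.append("on-disk binary deleted while the process is running")
    if p.exe_mtime is not None and p.exe_mtime.date() == KNOWN_STAMP_DATE:
        hits.append("binary timestamp matches the known 2008-10-30 stamp")
    if p.comm in DAEMON_NAMES and not p.exe.startswith(TRUSTED_BIN_DIRS):
        hits.append(f"daemon name {p.comm!r} but executable outside system dirs")
    return hits


def triage(procs, min_hits=2) -> dict:
    """Map pid -> indicators for processes with at least min_hits matches.
    A single hit is too common to act on alone (assumed threshold)."""
    flagged = {}
    for p in procs:
        hits = bpfdoor_indicators(p)
        if len(hits) >= min_hits:
            flagged[p.pid] = hits
    return flagged


UTC = timezone.utc
# Constructed sample: a normal sshd and a process matching the listed tactics.
SAMPLE_PROCS = [
    ProcRecord(1201, "sshd", "/usr/sbin/sshd", {"PATH": "/usr/bin:/bin"},
               datetime(2021, 3, 2, tzinfo=UTC)),
    ProcRecord(1337, "udevd", KNOWN_RENAME_PATH, {},
               datetime(2008, 10, 30, 12, 0, tzinfo=UTC), exe_deleted=True),
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_PROCS).items():
        print(f"pid {pid}:")
        for h in hits:
            print("  -", h)
```

A real collector would fill ProcRecord from /proc on the live host (the binary's mtime from a file-integrity log if the file has already been unlinked); the BPF sniffer and the iptables changes are better caught by watching for unexpected raw-socket opens and rule insertions than by this process-centric check.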

Thanks to the research of these two individuals, an incredibly stealthy malware strain that specifically targets Linux and Solaris systems has now been exposed to sunlight.  Although the malware is well-designed and contains several clever evasion tactics, now that the word is out, IT Security professionals know what to look for and can begin the process of purging it from infected systems.  Kudos to both.

Security Warnings Coming To Certain Google Apps To Help Users

Google has been making some fantastic changes to bolster user security in recent weeks. That includes changes to their Google Play Store that will require developers to disclose exactly what data they plan to track and collect when users install the apps they create.

In a related vein, the tech giant has also recently added some powerful new security features to Google Docs, Sheets, and Slides that now display warning banners any time users attempt to open a suspicious file on the web.

Too often, users will open a file without giving much thought to who put it before them or where it resides (whether a trusted network drive or somewhere on the cloud, for example).  Unfortunately, hackers are keenly aware of this and will often plant poisoned files that appear to be legitimate work files in places where users are likely to find them. Then, the hackers simply sit back and wait until they reel someone in.

These recent changes to Google Workspace apps are designed with one goal in mind: to help the people using those apps make better decisions about whether to open a file, even if it looks completely legitimate.

This new warning feature builds on a system the company began implementing for Google Drive files back in January of this year (2022) and uses the same warning banners you’ll find there: a bright yellow, hard-to-miss banner that appears at the top of the page after a user has clicked on a link, but before the file is downloaded.

These brightly colored banners display warning messages essentially asking the user if he or she is sure about downloading a file from an untrusted source that may contain malicious code.  Note that Enterprise users were a bit slower than everyone else to get the new functionality because of the way Google organized the rollout. By the time you read this, they should be visible for everyone.