Rapid evolution of the EnemyBot botnet
Since its discovery last March by Securonix researchers, the botnet known as EnemyBot, focused on carrying out DDoS attacks, has continued to expand, thanks in particular to the addition of exploits for recent critical vulnerabilities in web servers, content management systems, IoT devices and Android devices.
Back in April, samples analysed by Fortinet showed the integration of exploits for more than 12 vulnerabilities, as well as the targeting of flaws across processor architectures. Now, a new report from AT&T Labs reports the detection of a new variant to which exploits for 24 vulnerabilities have been added, most of them critical and some of which do not even have a CVE assigned to them.
Among the flaws, it is worth highlighting the addition of exploits for recent important vulnerabilities such as those known in VMware May (CVE-2022-22954), Spring (CVE-2022-22947) or BIG-IP (CVE-2022-1388). This threat has been attributed to the Keksec group, which has specialised in building botnets since 2016.
In addition, the malware code has been published in a GitHub repository, making it accessible to other threat actors. Thanks to its publication, it has been confirmed that it is a threat built from the code of multiple botnets (Mirai, Qbot or Zbot), which makes it a more powerful and adaptable threat.
The rapid evolution of EnemyBot makes it necessary to closely assess the progress of other projects from this group, such as Tsunami, Gafgyt, DarkHTTP, DarkIRC and Necro.
* * *
Mozilla fixes vulnerabilities in its products
None of the fixed bugs have been identified as critical, but several vulnerabilities classified as high severity have been fixed. It should be noted that the exploitation of these flaws by a remote threat actor could lead to the following impacts: remote code execution, evasion of security restrictions, disclosure of sensitive information, spoofing, denial of service and data manipulation.
Mozilla recommends upgrading its products to the following versions to mitigate the vulnerabilities: Firefox 101, Firefox ESR 91.10 and Thunderbird 91.10.
* * *
Killnet threatens Italian entities again
Italy’s CSIRT has issued an alert warning that there is a risk of imminent attacks against national public entities, private entities providing a public utility service or private entities identified with Italy. This warning comes after the hacktivist group Killnet issued a statement on its Telegram channel inciting massive and unprecedented attacks against Italy.
This is not the first time that the group has shown interest in this country, having already carried out denial-of-service attacks against it last May. Killnet announced on 24 May that it was launching operation Panopticon, calling on users to become part of the group and providing them with tools to carry out the attacks.
The name of the operation, as they have indicated, refers to a type of building designed so that the whole of a structure can be observed from the inside and from a single point. In relation to the name used, Bleeping Computer suggests that DDoS may be the main goal, but that Killnet may want targets to focus their efforts on mitigating this type of attack rather than on remediating other types of cyber-attack, perhaps hinting at some kind of information leakage with the name chosen.
Finally, Italian media reported yesterday that several entities, such as the Italian state police and the Ministries of Foreign Affairs and Defence, had their services interrupted, although the group has not claimed responsibility for these events so far.
* * *
Actively exploited 0-day in Confluence
Atlassian has issued a security advisory to warn of the active exploitation of a 0-day vulnerability in Confluence for which no patches are yet available. This vulnerability, listed as CVE-2022-26134 and rated critical, allows unauthenticated remote code execution in Confluence Server and Confluence Data Center (it is pending confirmation whether all versions are affected, but this is most likely the case).
Exploitation of this vulnerability was detected by the Volexity team during the investigation of a security incident last weekend, where they observed that, after initial access through exploitation of this 0-day, the attackers deployed an in-memory copy of BEHINDER, an open-source web server that provides the attacker with capabilities such as in-memory webshells and built-in support for interaction with Meterpreter and Cobalt Strike.
Once BEHINDER was deployed, the attackers used the in-memory webshell to write two additional webshells to disk: CHINA CHOPPER and a custom file upload shell. Atlassian recommends that customers restrict Internet access to the affected product instances and disable the instances in both Confluence Server and Data Center. Atlassian also stated that customers using Confluence hosted in the Atlassian Cloud are not affected.