New botnet detected that deletes data from the infected device
A group of researchers from the company Netlab 360 published yesterday their latest findings on a new botnet that specialises in deleting all partitions and data from infected devices. Called HEH, it is a botnet that spreads through brute force attacks against any type of network-connected device that exposes SSH ports (23 and 2323). Once the access credentials (normally weak or default) have been compromised, up to seven binaries are downloaded to carry out the malicious activities, which mainly consist of continuing propagation via brute force and executing shell commands to delete the data from the device. While the botnet is able to infect any exposed device with insecure SSH ports, its malware only runs on *NIX platforms. Researchers believe that both the botnet and the malware are still under development, so the addition of new capabilities in the near future cannot be ruled out.
Impersonation of banks on social networks
ESET researchers have reported a campaign that impersonates financial institutions on social networks in order to obtain personal information from customers and then carry out telephone scams. The investigation began after a private message was received on Instagram from an account pretending to be Banco de Galicia (an entity that operates in Argentina). This generic message attempted to establish a first contact with the victims and obtain their telephone number so that "customer service" could attend to them in the event of a complaint or query. On examining the account from which it was sent, which used the name and logo of the entity, it turned out to be a fake account. The same pattern has also been detected on other social networks such as Facebook and Twitter, and with other banking entities. For the moment, Banco de Galicia has decided to close its Instagram accounts to prevent its customers from being deceived. ESET recommends extreme caution and never providing personal information to accounts that appear suspicious or unverified.
Multiple vulnerabilities in HP Device Manager
The technology firm HP has issued a security alert reporting three critical vulnerabilities in HP Device Manager whose exploitation could compromise the affected systems. The flaws have been catalogued as CVE-2020-6925, CVE-2020-6926 and CVE-2020-6927. According to HP, two of the three vulnerabilities (CVE-2020-6925 and CVE-2020-6926) affect all versions of HP Device Manager. To mitigate the exploitation risk of CVE-2020-6927, users can download HP Device Manager version 5.0.4. For the other two flaws the company has not yet released updates, although it has issued some recommendations for partial mitigation:
- Limit incoming access to Device Manager ports 1099 and 40002 to trusted IPs or localhost only.
- Remove the dm_postgres account from the Postgres database.
- Update the dm_postgres account password within HP Device Manager Configuration Manager.
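The following PowerShell script, added here as an example and not HP's own code nor part of the original digest, applies the first recommendation with Windows Firewall on the host running Device Manager. The `$TrustedHosts` addresses are placeholders, and the script assumes Windows Firewall is the control enforcing inbound access.

```powershell
# Added example (not from HP or the original digest): restrict inbound access to
# the HP Device Manager ports named in the advisory (1099 and 40002) to trusted
# management stations and loopback. $TrustedHosts is a placeholder list.
$TrustedHosts = @('192.0.2.10', '192.0.2.11')   # constructed example addresses
$Ports        = @('1099', '40002')

# 1. Disable any enabled inbound allow rule on these ports that is open to any
#    remote address; such a rule would otherwise keep the ports exposed.
#    (Rules that cover the ports via a range, e.g. '1000-2000', are not matched
#    here and should be reviewed by hand.)
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $portFilter = $_ | Get-NetFirewallPortFilter
    $addrFilter = $_ | Get-NetFirewallAddressFilter
    $hitsPort   = @($portFilter.LocalPort) | Where-Object { $Ports -contains $_ }
    if ($hitsPort -and ($addrFilter.RemoteAddress -eq 'Any')) {
        Write-Host "Disabling broad rule: $($_.DisplayName)"
        Disable-NetFirewallRule -Name $_.Name
    }
}

# 2. Allow the ports only from the trusted hosts and from localhost.
New-NetFirewallRule -DisplayName 'HP Device Manager (trusted hosts only)' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $Ports `
    -RemoteAddress ($TrustedHosts + '127.0.0.1') -Profile Any | Out-Null

# 3. The scoped allow rule only limits access if the default inbound action is
#    Block on every active profile; show it so the operator can confirm.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
```

Run it from an elevated PowerShell session; the change takes effect immediately and no reboot is needed.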
Critical vulnerabilities in QNAP Helpdesk
QNAP has corrected two critical vulnerabilities (CVE-2020-2506 and CVE-2020-2507) in the Helpdesk application. This tool is integrated into QNAP's NAS devices and provides remote support by allowing a remote connection to the device with the owner's permission. Both vulnerabilities are due to inadequate access control and, if successfully exploited, could allow attackers to gain control of a QNAP device. QNAP recommends updating Helpdesk to the latest version as soon as possible. QNAP recently issued a security warning about an increase in AgeLocker ransomware attacks against exposed NAS devices.