alt=3D render of a stylized black and red checkers board with abstract pieces.

2025-02-11 Post a Comment

Huge cyber attack under way – 2.8 million IPs being used to target VPN devices

ByÂ Sead FadilpaÅ¡iÄ‡

Millions of devices, likely infected with malware, are being used in a hacking campaign
Researchers spotted brute-force attacks against VPN and other internet-connected devices
The majority of the IP addresses are located in Brazil

A wide range of Virtual Private Network (VPN) and other networking devices are currently under attack by threat actors trying to break in to wider networks, experts have warned.

Threat monitoring platform The Shadowserver Foundation warned about the ongoing attack on X, noting someone is currently using roughly 2.8 million different IP addresses to try and guess theÂ passwords for VPNs and similar devices built by Palo Alto Networks, Ivanti, SonicWall, and others.

Besides VPNs, the threat actors are going for gateways, security appliances, and other edge devices connected to the public internet.

Brute force

To conduct the attack, the threat actors are using MikroTik, Huawei, Cisco, Boa, and ZTE routers and other internet-connected devices, likely compromised withÂ malware, or broken into themselves, thanks to weak passwords.

Speaking toÂ BleepingComputer, The Shadowserver Foundation said that the attack recently increased in intensity.

From those 2.8 million, the majority (1.1 million) are located in Brazil, with the rest split between Turkey, Russia, Argentina, Morocco, and Mexico.

This is a typical brute-force attack, in which threat actors try to log into a device by submitting an enormous amount of username/password combinations, until one succeeds. Brute-force attacks are usually successful against devices protected with poor passwords (those that donâ€™t have a strong combination of uppercase and lowercase letters, numbers, and special symbols). The whole process is automated, making it possible on a grander scale.

The automation part is made possible through malware. Usually, the devices used in the attack are part of a botnet, or a residential proxy service. Residential proxies are IP addresses assigned to real devices by internet service providers (ISPs). They make it appear as though the user is browsing from a legitimate residential location rather than a data center, which makes them a major target for cybercriminals.

Cyber security

2025-01-23 Post a Comment

Dangerous new botnet targets webcams, routers across the world

Story byÂ Sead FadilpaÅ¡iÄ‡

Security researchers observe new botnet-building campaign called Murdoc
Its attacks are targeting IP cameras and routers
More than 1,000 devices have been identified as compromised

Cybersecurity researchers from the Qualys Threat Research Unit have observed a new large-scale operation exploiting vulnerabilities in IP cameras and routers to build out a botnet.

In aÂ technical analysis, Qualys said the attackers were mostly exploiting CVE-2017-17215 and CVE-2024-7029, seeking to compromise AVTECH IP cameras, and Huawei HG532 routers. The botnet is essentially Mirai, although in this case it was dubbed Murdoc.

Qualys said Murdoc demonstrated â€œenhanced capabilities, exploiting vulnerabilities to compromise devices and establish expansive botnet networks.â€

The persevering Mirai

The campaign most likely started in July 2024, and has so far managed to compromise 1,370 systems. Most of the victims are located in Malaysia, Mexico, Thailand, Indonesia, and Vietnam.

With a network of internet-connected devices (bots) under their control, malicious actors can mount Distributed Denial of Service (DDoS) attacks, bringing websites and services down, disrupting operations and causing financial and reputational harm.

Mirai is a highly popular botnetÂ malware. Created by three college students in the US: Paras Jha, Josiah White, and Dalton Norman, Mirai became infamous in 2016 after orchestrating a large-scale DDoS attack on Dyn, that temporarily disrupted major websites, including Netflix, and Twitter.

The creators released the source code online, right before their arrest in 2017. They pled guilty to using the botnet for DDoS attacks and other schemes.

While law enforcement continues to target and disrupt the botnet, it has shown great resilience and continues to be active to this day.

Less than two weeks ago, a Mirai variant named â€˜gayfemboyâ€™ was found exploiting a bug in Four-Faith industrial routers. Although clearly spawned from Mirai, this new version differs greatly, abusing more than 20 vulnerabilities and targeting weak Telnet passwords. Some of the vulnerabilities have never been seen before, and donâ€™t have CVEs assigned just yet. Among them are bugs in Neterbit routers, and Vimar smart home devices.