New activity of the threat actor Nobelium

Microsoft has issued an update on the activities of the Russian threat actor known as Nobelium (aka APT29), which is credited with compromising the SolarWinds supply chain in late 2020. This time, researchers warn of targeted brute-force and password spraying attacks against entities in 36 different countries, almost half of which are focused on the United States. In terms of sectors, the attacks are mainly affecting technology companies (57%) and government (20%), as well as, to a lesser extent, financial institutions and think tanks. So far, there are three known compromises as a result of this activity. Additionally, as part of this investigation, Microsoft identified a credential-stealing trojan installed on the device of one of its customer support employees. With this intrusion, Nobelium gained access to basic account information of a limited number of Microsoft customers, data that has been used to launch targeted phishing campaigns.

More information:

Microsoft releases technical details of critical vulnerabilities in NETGEAR routers

Security researchers at Microsoft 365 Defender Research have published details of three critical vulnerabilities with CVSS scores between 7.1 and 9.4 in NETGEAR DGN-2200v1 routers with versions prior to v1.0.0.60. These were reported in a security advisory by Netgear in December 2020, along with details for patching the vulnerabilities. The three vulnerabilities lie in the HTTPd component and allow an unauthenticated remote attacker to bypass authentication and perform the backup function to obtain access credentials, as well as recover these through side-channel attacks by measuring the response time upon authentication. These vulnerabilities could provide an entry vector into the internal networks of companies that have the administration port of the vulnerable router exposed.

More information:

Brute-force attack campaign by members of the Russian GRU

Several American and British agencies, NSA, CISA, FBI and NCSC, have published an alert about a campaign of brute-force attacks carried out from the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). According to the researchers, this campaign has been running from mid-2019 to the beginning of this year and is reportedly being directed against entities from different sectors that mainly use Microsoft Office 365 cloud services, among others. This brute-force attack methodology allows the actors to obtain the credentials of their victims, to subsequently use these accesses to carry out lateral movements. In addition, the researchers indicate that they have also managed to exploit the CVE-2020-0688 and CVE-2020-17144 vulnerabilities in Microsoft Exchange servers, in order to allow remote code execution and further access to victims' networks. It is recommended to apply the mitigation and blocking measures for the IOCs attached to the briefing note.

More information:

New Mirai botnet variants exploit a zero-day in KGUARD DVRs

Netlab researchers have identified two new botnets based on Mirai code that use a 0-day vulnerability in KGUARD digital video recording devices as a method of propagation. The vulnerability allows remote code execution without authentication and is found in those KGUARD DVR devices with firmware prior to 2017, including up to 3,000 devices currently exposed online. Researchers have observed a steady activity of 2,000 infection attempts per day, with peaks of up to 15,000 attempts. Analysis of the botnets, named mirai_ptea and mirai_aurora, reveals that they use Tor proxies to communicate with the C2 and the TEA algorithm to hide sensitive data, with their ultimate goal being DDoS attacks.