Contents

Links

https://securityaffairs.co/wordpress/125377/malware/glupteba-botnet-take-down.html

Cisco Warns of Many Old Vulnerabilities Being Exploited in Attacks

Cisco Last Week
- added exploitation warnings to more than 20 advisories detailing security defects in Cisco IOS, NX-OS, and HyperFlex software
- carry severity ratings of ‘critical’ or ‘high’
- been addressed 4-5 years ago.
  - execute arbitrary code (RCE)
  - denial-of-service (DoS) condition
  - execute arbitrary commands.
CVSS score of 9.8.
- CVE-2017-12240
- CVE-2018-0171
- CVE-2018-0125
- CVE-2021-1497
- CVE-2018-0147
15 advisories that deal with high severity.
US Cybersecurity and Infrastructure Security Agency (CISA
- added these vulnerabilities to its Known Exploited Vulnerabilities Catalog
  - months ago

Glupteba botnet is back after Google disrupted it

Glupteba
- blockchain-enabled botnet
- Active since 3022
- Composed of more than 1 million Windows PC
  - Dec 2021
- stealing users’ credentials and data
- mining cryptocurrencies
- abusing victims’ machine resources
- setting up proxies to funnel other people’s internet traffic through infected machines and routers.
- spread via cracked or pirated software and pay-per-install (PPI) schemes.
December 2021
- Google announced it has taken down the infrastructure
- sued Russian nationals Dmitry Starovikov and Alexander Filippov for creating and operating the botnet.
I’m Back
- Nozomi Networks
- surge in the number of infections worldwide
  - increase of malicious bitcoin addresses
  - increase in TOR hidden service being used as C2 servers
  - at least five different merchants and exchanges were used to fund the Glupteba addresses since 2019
  - identified 15 Glupteba bitcoin addresses.
  - used passive DNS records to uncover Glupteba domains and hosts.
  - analyzed the latest set of TLS certificates used by the bot to figure out the infrastructure.

Zscaler
- manufacturing, education and healthcare being the most commonly targeted.
- U.S., India and Japan seeing the biggest increases in attacks.
- Encrypted Channels being used to hide traffic.
  - Variety of attacks
  - malware continues to be the most prevalent.
- Malicious scripts and payloads made up nearly 90% of the encrypted attack tactics blocked in 2022.
  - Includes ransomware.
    - 80% up this year
defenses become more complex.
- attackers have also continued to evolve their techniques.
- malware variants that are harder to spot
- bypass reputation-based technologies