New Murdoc_Botnet Targets AVTECH Cameras and Huawei Routers

January 21, 2025January 21, 2025

Title: Surge in Murdoc_Botnet Activity: Cybersecurity Experts Warn of New DDoS Threats

Introduction

Cybersecurity experts are raising alarms about a significant new campaign that targets vulnerabilities in AVTECH IP cameras and Huawei HG532 routers, recruiting these devices into a variant of the Mirai botnet known as Murdoc_Botnet. This large-scale operation has been active since July 2024, compromising over 1,370 systems primarily located in Malaysia, Mexico, Thailand, Indonesia, and Vietnam.

Understanding Murdoc_Botnet’s Threat

The Murdoc_Botnet campaign showcases advanced capabilities, exploiting security flaws like CVE-2017-17215 and CVE-2024-7029 to infiltrate IoT devices. Qualys security researcher Shilpesh Trivedi noted that this campaign effectively compromises devices to build expansive botnet networks.

Key Vulnerabilities Exploited

CVE-2017-17215
CVE-2024-7029

These vulnerabilities are leveraged to gain initial access, where a shell script downloads and executes the botnet malware based on the device’s CPU architecture. The primary aim of these attacks is to utilize the botnet for distributed denial-of-service (DDoS) attacks, posing a serious threat to online services.

Recent Developments in DDoS Attacks

Recent reports indicate that another variant of the Mirai botnet, dubbed gayfemboy, has also emerged, exploiting newly discovered security flaws in Four-Faith industrial routers. This variant has been active since early November 2024.

Additionally, a large-scale DDoS attack campaign has targeted major Japanese corporations and banks since late 2024. This attack has affected various sectors including telecommunications, technology, and financial services, with over 55% of the compromised devices located in India.

Key Statistics on Compromised Devices

India: 55% of compromised devices
Other affected countries: South Africa, Brazil, Bangladesh, and Kenya.

Characteristics of the Murdoc_Botnet

The botnet comprises malware variants derived from Mirai and BASHLITE. Trend Micro reports that it employs various DDoS attack methods and can update its malware and enable proxy services. The initial infiltration involves loading malware that connects to a command-and-control (C2) server for further instructions.

Protecting Against Murdoc_Botnet and DDoS Attacks

To mitigate the risks associated with this evolving threat, cybersecurity experts recommend:

Monitoring suspicious processes and network traffic.
Applying firmware updates regularly.
Changing default usernames and passwords on devices.

By taking these precautions, users can enhance their defenses against botnet attacks.

Conclusion

As the Murdoc_Botnet campaign continues to evolve, staying informed and implementing security measures is crucial for both individuals and organizations. For more insights on cybersecurity threats and protective strategies, feel free to explore our related articles or share your thoughts in the comments below.

For continued updates on cybersecurity, follow us on Twitter and LinkedIn for more exclusive content.

Microsoft Reveals macOS Flaw CVE-2024-44243 That Allows Rootkits

January 14, 2025January 14, 2025

Microsoft has revealed a critical security flaw in Apple’s macOS, identified as CVE-2024-44243, which could allow attackers to bypass the operating system’s System Integrity Protection (SIP). This vulnerability, rated with a CVSS score of 5.5, enables malicious actors with root access to install harmful kernel drivers via unauthorized third-party extensions. Apple addressed the issue with the release of macOS Sequoia 15.2. The flaw exploits the Storage Kit daemon’s entitlement, risking the integrity of critical system components. Users are urged to stay updated on security patches to protect against evolving cyber threats.

CISA Adds Critical USAHERDS Flaw to Exploited Vulnerabilities List

December 24, 2024January 18, 2025

CISA has identified a high-severity vulnerability, CVE-2021-44207, in Acclaim Systems USAHERDS, adding it to the Known Exploited Vulnerabilities (KEV) catalog due to active exploitation. This flaw, with a CVSS score of 8.1, involves hard-coded static credentials that can allow attackers to execute arbitrary code on affected servers, particularly in versions 7.4.0.1 and earlier. Previously exploited by the APT41 threat actor, CISA recommends federal agencies implement vendor mitigations by January 13, 2025. Additionally, Adobe has warned of a critical flaw (CVE-2024-53961) in ColdFusion, urging users to apply patches.

Active Exploitation of VMware and Kemp LoadMaster Vulnerabilities

December 1, 2024December 1, 2024

Critical security vulnerabilities in Progress Kemp LoadMaster (CVE-2024-1212) and VMware vCenter Server (CVE-2024-38812 and CVE-2024-38813) are being actively exploited, prompting warnings from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). CVE-2024-1212, with a CVSS score of 10.0, allows remote attackers to execute arbitrary commands, while the VMware vulnerabilities could enable remote code execution and privilege escalation. CISA urges federal agencies to remediate these issues by December. Recent reports indicate heightened cybersecurity threats, including a new ransomware variant targeting Veeam Backup & Replication. Organizations must remain vigilant in addressing these vulnerabilities.

Chinese Hackers Target Telecoms in 12+ Countries with GHOSTSPIDER

December 1, 2024December 1, 2024

Cybersecurity experts report a surge in cyberattacks by the China-linked group Earth Estries, utilizing a new backdoor, GHOSTSPIDER, to target Southeast Asian telecom companies. This advanced persistent threat (APT) has compromised over 20 organizations, including those in telecommunications and government sectors across more than a dozen countries. Earth Estries employs various malware, including the Demodex rootkit and MASOL RAT, exploiting vulnerabilities in widely used software. Their operations are sophisticated, involving multi-modular implants and stealthy attacks that complicate detection. As telecoms remain key targets for such threat actors, heightened cybersecurity vigilance is crucial.

Microsoft Fixes 63 Flaws, Two Actively Exploited in Update

February 12, 2025February 12, 2025

On Tuesday, Microsoft released critical updates addressing 63 security vulnerabilities, including two actively exploited flaws. The vulnerabilities were categorized as three Critical, 57 Important, one Moderate, and two Low. Notable vulnerabilities include CVE-2025-21391 and CVE-2025-21418, which allow attackers to delete files and gain SYSTEM privileges, respectively. The U.S. Cybersecurity and Infrastructure Security Agency has listed these vulnerabilities in its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch them by March 2025. Users are urged to stay updated on these vulnerabilities and apply necessary patches from Microsoft and other vendors to enhance security.

Hackers Target SimpleHelp RMM Flaws for Ransomware Attacks

February 7, 2025February 7, 2025

Cybersecurity experts warn that vulnerabilities in SimpleHelp’s Remote Monitoring and Management (RMM) software are being exploited for ransomware attacks. The critical flaws, identified as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, were patched in versions released in January 2025. Organizations using SimpleHelp are urged to update immediately to prevent unauthorized access, privilege escalation, and remote code execution. Recent attack patterns show cybercriminals conducting network scans and establishing backdoors for persistent access. To mitigate risks, organizations should update software, invest in cybersecurity solutions, and educate employees about social engineering tactics. Proactive measures are essential to safeguard sensitive data.