SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: How attackers are hiding in proxyware
Description: Adversaries are finding new ways to monetize their attacks by abusing internet-sharing, or "proxyware" platforms like Honeygain, Nanowire, and others. This poses new challenges to organizations, especially to those whose internet access is rated as residential. But any organization could be at risk, as there are platforms that also allow data center-based internet sharing. Malicious actors are taking multiple avenues to monetize these new platforms in their favor. The most obvious one is the silent installation of the platform client to "sell" the victim's bandwidth without their knowledge. In some cases, the adversaries patch the client to stop any alerts that would warn the victim. As these platforms became more popular, the adversaries started to leverage trojanized installers, which install the legitimate platform client as well as digital currency miners and information stealers. Given the nature of proxyware services, users expect that their performance will suffer, which makes these services a perfect disguise for coin miners.
Snort SIDs: 45549, 46237, 58030 – 58033
Cisco Secure Endpoint OSQueries: malware_honeygain_trojanized_installer, malware_honeygain_loader, malware_honeygain_bot
Title: Botnet starting to scan for routers vulnerable to Realtek exploits
Description: A botnet similar to Mirai is actively scanning for wireless routers affected by a recently disclosed denial-of-service vulnerability affecting SDKs for Realtek chipsets. An attacker could exploit the vulnerability by sending specially crafted inputs, crashing the HTTP server running the management interface and eventually the router. Security researchers are calling the botnet in question “Dark.IoT.” The botnet reportedly waits for researchers and organizations to publish proof-of-concepts for newly discovered vulnerabilities, and takes only days to incorporate them. Other Realtek vulnerabilities were disclosed two weeks ago that affect dozens of internet-of-things devices, including internet-connected cameras and WiFi repeaters.
Snort SIDs: 58052 – 58059