The discoveries were made known in two separate advisories released by the cyber-space protection team earlier this week.
The first cyber threat is a ransomware known as ‘LokiLocker’, which is capable of wiping data from all versions of Windows systems or platforms. It causes data loss and denial of service (DoS), which reduces users’ productivity.
“LokiLocker” is a relatively new ransomware that has been discovered by security researchers and belongs to the ransomware family. LokiLocker operates by encrypting user files and renders the compromised system useless if the victim does not pay the demanded ransom in time.
To hide its malicious activity, the ransomware displays a fake Windows update screen, kills specific processes and services, and completely disables Task Manager, Windows Error Reporting, the machine firewall and Windows Defender on the compromised system.
Sadly, it also has built-in routines that prevent data recovery: it deletes backup files and shadow copies and removes system restore points. It also overwrites the user login note and modifies the original equipment manufacturer (OEM) information in the registry of the compromised system.
Thus, the NCC CSIRT advisory states: “To protect against infections by LokiLocker and similar ransomware, the best rule is to always have a backup copy of your data, which should be stored offline.”
Additionally, according to CSIRT, “all downloads and email attachments should be opened with caution, even if they are from trusted sites or senders. Users should also ensure the attachments are scanned with an up-to-date antimalware solution before opening.”
The second cyber threat discovered by the NCC CSIRT is a botnet that targets MikroTik routers. As CSIRT revealed, thousands of MikroTik routers that have been found to be vulnerable are being used to constitute what has been named one of the largest botnets in history.
This botnet exploits an already-known vulnerability, a directory traversal flaw in the WinBox interface, which allows unauthenticated remote attackers to read arbitrary files and authenticated remote attackers to write arbitrary files. The vulnerability, which has since been fixed, allowed the perpetrators to enslave the routers and then rent them out as a service.
According to new research published by Avast, a cryptocurrency mining campaign taking advantage of the recently disrupted Glupteba botnet, as well as the notorious TrickBot malware, were found to have been disseminated by the very same command-and-control (C2) server. The C2 server functions as a botnet-as-a-service, controlling nearly 230,000 vulnerable MikroTik routers. The botnet, however, has been linked to what is now called the Meris botnet.
The threat types emanating from the botnet include authentication bypass, data loss, denial of service, remote code execution, password sniffing and unauthorized access. These expose victims of this cyber threat to dangers including malware distribution, cryptocurrency mining (which increases the use of system resources), remote code execution and data theft.
To be protected against this botnet, NCC CSIRT advised users to update their routers or apply the latest patches early, set strong router passwords, make the routers’ administration interface inaccessible from the public Internet, stay away from illegitimate or cracked versions of legitimate applications, use decent antivirus software with built-in web filtering, and apply the latest patches as soon as they arrive.
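The router hardening steps above, written out as RouterOS CLI commands, as an added example that is not taken from the advisory or from NCC CSIRT; the management subnet 192.168.88.0/24, the WAN interface name ether1 and the password placeholder are assumptions:

```routeros
# Restrict the WinBox service (the interface affected by the directory traversal flaw)
# and SSH to the local management subnet instead of exposing them to the Internet.
# 192.168.88.0/24 is an assumed LAN range; replace it with your own.
/ip service set winbox address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24

# Turn off remote administration services that are not needed at all.
/ip service disable telnet,ftp,www,api,api-ssl

# Drop any remaining management traffic that arrives on the WAN side
# (ether1 is an assumed interface name; 8291 is the WinBox port).
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp \
    dst-port=8291,22,80,443 action=drop comment="block admin ports from the public side"

# Replace the default credentials with a strong, unique password (placeholder value).
/user set admin password="<strong-unique-password>"

# Apply the vendor's latest RouterOS release so the already-fixed WinBox flaw is closed.
/system package update check-for-updates
/system package update install
```

The firewall rule must sit above any earlier "accept" rules in the input chain to take effect, so check the rule order with `/ip firewall filter print` after adding it.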