Categories
Newscasts

Middle East latest: 5 journalists killed by Israeli strike in Gaza outside hospital

AP correspondent Rica Ann Garcia reports on the death of five Palestinian journalists in Gaza

Categories
Newscasts

How the stock market defied expectations again this year, by the numbers

AP correspondent Shelley Adler reports 2024 has been an excellent year for investors.

Categories
Newscasts

Stock market today: Stocks edge lower after a holiday pause for US markets

AP correspondent Alex Veiga has the AP Markets in a Minute report, with Wall Street trading lower at the start.

Categories
Full Text Articles - Audio Posts

A new Mirai botnet variant targets DigiEver DS-2105 Pro DVRs

Akamai researchers discovered a new Mirai botnet variant targeting a vulnerability in DigiEver DS-2105 Pro DVRs.

Akamai researchers spotted a Mirai-based botnet that is exploiting a remote code execution vulnerability in DigiEver DS-2105 Pro NVRs.

The experts pointed out that this Mirai variant has been modified to use improved encryption algorithms: it incorporates ChaCha20 and XOR decryption algorithms.

In November 2024, the Akamai Security Intelligence Research Team (SIRT) observed increased activity targeting the URI /cgi-bin/cgi_main.cgi, linked to a Mirai-based malware campaign exploiting an unassigned RCE vulnerability in DVR devices, including DigiEver DS-2105 Pro.

“Further investigation into this campaign revealed a new botnet that calls itself the “Hail Cock Botnet” that’s been active since at least September 2024.” reads the analysis published by Akamai. “Using a Mirai malware variant that incorporates ChaCha20 and XOR decryption algorithms, it has been seen compromising vulnerable Internet of Things (IoT) devices in the wild, such as the DigiEver DVR, and TP-Link devices through CVE-2023-1389.”

By exploiting the vulnerability, attackers can inject commands via the ntp parameter, allowing them to download Mirai-based malware through HTTP POST requests over port 80, referencing “IP Address:80/cfg_system_time.htm” in the HTTP Referer header.

The new Mirai malware variant also targets the TP-Link flaw CVE-2023-1389 and the vulnerability CVE-2018-17532 affecting Teltonika RUT9XX routers.

The malware maintains persistence using a cron job that downloads a shell script from “hailcocks[.]ru.”

The bot uses curl or wget to download the “wget.sh” file, ensuring compatibility if one is unavailable on the host.

The malware connects to various hosts for Telnet/SSH brute-forcing and uses a single IP linked to “kingstonwikkerink[.]dyn” for C2 communication. Compromised hosts display unique strings during execution, including “you are now apart of hail cock botnet” in older versions and “I just wanna look after my cats, man.” in newer ones.

“One of the easiest methods for threat actors to compromise new hosts is to target outdated firmware or retired hardware.” concludes the report. “The DigiEver DS-2105 Pro, which is approximately 10 years old now, is an example. Hardware manufacturers do not always issue patches for retired devices, and the manufacturer itself may sometimes be defunct. Therefore, in circumstances in which security patches are unavailable and unlikely to come, we recommend upgrading vulnerable devices to a newer model.”

Akamai’s report includes indicators of compromise (IoC) associated with these attacks along with Yara rules for the detection of the threat.
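A detection sketch for the request pattern described above, added here as an example; it is not taken from Akamai's report or its Yara rules. It assumes requests are already parsed into (method, path, referer, body) tuples and that the POST body is form-encoded; the sample records and the `score_request` and `scan` names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

TARGET_PATH = "/cgi-bin/cgi_main.cgi"      # URI named in the article
REFERER_SUFFIX = "/cfg_system_time.htm"    # Referer page named in the article
# Characters that let a value break out into a shell command. A hostname or
# IP address for an NTP server never needs any of them.
SHELL_META = re.compile(r"[;|&`$<>(){}\\'\"\s]")


def score_request(method, path, referer, body):
    """Return the reasons a request matches the described injection pattern."""
    reasons = []
    if method.upper() != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return reasons
    # parse_qs URL-decodes values, so %3B and '+' are checked as ';' and ' '.
    # Assumption: the body is application/x-www-form-urlencoded.
    params = parse_qs(body, keep_blank_values=True)
    if any(SHELL_META.search(value) for value in params.get("ntp", [])):
        reasons.append("ntp parameter contains shell metacharacters")
    # The Referer alone is normal admin traffic; it only adds weight to a hit.
    if reasons and referer.split("?", 1)[0].endswith(REFERER_SUFFIX):
        reasons.append("Referer points at cfg_system_time.htm")
    return reasons


def scan(records):
    """Return (index, reasons) for every record that produced a finding."""
    findings = []
    for index, record in enumerate(records):
        reasons = score_request(*record)
        if reasons:
            findings.append((index, reasons))
    return findings


# Constructed sample records using documentation-range addresses (192.0.2.0/24).
SAMPLE_RECORDS = [
    ("POST", "/cgi-bin/cgi_main.cgi", "http://192.0.2.20:80/cfg_system_time.htm",
     "ntp=pool.example.org%3B+echo+constructed-marker"),
    ("POST", "/cgi-bin/cgi_main.cgi", "http://192.0.2.20:80/cfg_system_time.htm",
     "ntp=pool.example.org"),
    ("GET", "/index.htm", "", ""),
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_RECORDS):
        print(index, "; ".join(reasons))
```

Only the first sample record is flagged: a legitimate time-server change reaches the same URI with the same Referer, so the rule keys on the content of the ntp value rather than on the endpoint alone.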

Pierluigi Paganini

(SecurityAffairs – hacking, botnet)


Categories
Newscasts

Pope brings Holy Year and a message of hope to Rome’s main prison

AP correspondent Rica Ann Garcia reports Pope Francis initiates his Holy Year as he brings a message of hope to inmates in Rome’s main prison.

Categories
Newscasts

Indian Ocean Tsunami: 20 years on

Memorial events have been held across the Indian Ocean to mark 20 years since the tsunami that killed more than 220,000. Also on the programme, China has approved controversial plans to build what will be the world’s largest hydropower dam on the Tibetan plateau; and the promise of non-alcoholic wine. (Photo: People light candles during a memorial for the 20th anniversary of the Indian Ocean tsunami at a tsunami wave-shaped monument erected for the victims of the 2004 tsunami in Ban Nam Khem, a southern fishing village destroyed by the wave, in Phang Nga province, Thailand, December 26, 2024. REUTERS/Stringer)

Categories
The News And Times Blog

Why was the distressed plane refused to land in the close by Russian airports? Most likely, they did not want the bad publicity of the crash on the Russian territory, especially during the high level CIS meeting in St. Petersburg. In one word, the Prestige.

Israel to share intelligence with Ukraine but holds back weaponry - Ukrainian World Congress

My Opinion: We see the (long awaited for and the most logical) signs of the emerging Israel – Ukraine Military and Intelligence Cooperation. 

As reported earlier, Ukraine sent some weapons, mostly drones to the rebels who now came to power in Syria. 

And now they cooperated in the Aktau Crash Operation. 

Prior to the crash Ukraine conducted the intense drone attack on Grozny, among other locations in Russia. The Russian Air Defense systems including the missiles, responded; and one of the missiles exploded near the plane, possibly producing the shrapnel holes in the tail area. It is also possible that the landing gears were damaged in this attack, and they were unable to open later, at the time of the plane’s landing in Aktau. 

Whatever damage the plane sustained, it was perfectly able to cross the Caspian sea, probably to burn the excess fuel, to prevent fire on hard landing. But that is exactly what happened.

Why was the distressed plane refused to land in the close by Russian airports? 

Most likely, they did not want the bad publicity of the crash on the Russian territory, especially during the high level CIS meeting in St. Petersburg. In one word, the Prestige. 

The ORDA – PRESTIGE. See also the related Arbat Prestige. 

The black boxes were found and are in the process of decoding and analysis. They should supply some data. But that’s what the general outline looks like now.

Michael Novakhov | 12.26.24 | Post Link 

Links

Israel – Ukraine Military and Intelligence Cooperation


Categories
Newscasts

NPR News: 12-26-2024 10AM EST

Categories
Newscasts

AP Headline News – Dec 26 2024 10:00 (EST)

Categories
Newscasts

20 years on: Remembering the tsunami

Memorial events have been held around the Indian Ocean to mark 20 years since the tsunami that killed more than 220,000 people. Also: Did Russia down an Azerbaijani plane? And the rise of non-alcoholic wine.
