Last week we announced the discovery of Bondnet, a new botnet that was uncovered by GuardiCore Labs. The originator of Bondnet had installed a cryptocurrency miner and backdoor in thousands of servers of varying power and conscripted them into a botnet – a group of computing devices that can be centrally controlled for malicious purposes.
GuardiCore Labs has recently identified Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, Bondnet is currently used to mine different cryptocurrencies and is ready to be weaponized immediately for other purposes, such as mounting DDoS attacks as shown by the Mirai botnet. Among the botnet's victims are high-profile global companies, universities, city councils and other public institutions.
It was one of those warm summer nights, no clouds, just a bright full moon lighting the way. Someone had unknowingly stumbled upon our honeypot, completely unaware of the fact that her every move was recorded and fully analyzed. Thanks to our deception technology, we could easily reroute the attacker, making her believe she reached her real target.
Over the past few months, we’ve been following a new type of worm we named PhotoMiner. PhotoMiner features a unique infection mechanism, reaching endpoints by infecting websites hosted on FTP servers while making money by mining Monero. The choice of a lesser known currency with a good exchange rate allows the attackers to rapidly gain money while the sophisticated use of safeguards makes it resilient to most disruption attempts, potentially leaving victims infected for years.
We've documented thousands of attacks originating from hundreds of IPs, running similar attack flows while using different binaries. In this report we share our research on PhotoMiner's timelines, infection strategies and C&C servers, and provide tools to help detect the malware.
In a recent piece in Forbes following the Anthem data-security breach, legendary venture capitalist Vinod Khosla wrote “There’s a universal truth regarding every cyber-attack: attack behavior never appears normal”.
While Mr. Khosla is a maverick in many fields, I believe this time he got it wrong. Please allow me to explain.
Let's consider a different example, the recent Carbanak cybercrime campaign, through which over 100 global banks were robbed of an estimated one billion dollars. The technology aspect of the attacks got the most media attention. However, in reality the technology was not nearly as advanced as the state-of-the-art tooling used by some intelligence agencies around the world (e.g. Stuxnet, Flame or the Equation Group).
On February 16th, 2015, Kaspersky Lab published a report titled "Carbanak APT – The Great Bank Robbery", telling the story of a cyber attack campaign against numerous banks and financial institutions, spanning from late 2013 and resulting in estimated cumulative losses of $1B. The attack has been dubbed by media outlets such as CNN "the Ocean's Eleven of cyber strikes".