Last week in security news, researchers revealed that a new malware family called Mozi is in the process of building an internet of things (IoT) botnet. Mozi wasn’t the only digital threat that made its first appearance in news headlines that week. Speculoos backdoor also gained some attention for a new attack campaign perpetrated by the APT41 threat actor.

Top Story of the Week: Mozi’s IoT Bots

In December 2019, Black Lotus Labs at CenturyLink noticed that the security firm’s reputation systems had registered an increase in activity involving the otherwise static IoT Reaper malware family. The research team decided to investigate further. This effort revealed that IoT Reaper had nothing to do with the attack and that the activity actually involved a new malware family whose compromised hosts contained references to files with “Mozi” in their names.

Black Lotus Labs ultimately learned that CenturyLink’s reputation systems had mislabeled the activity because Mozi had evolved from the source code of IoT Reaper, Gafgyt and Mirai. It used this code to begin building a P2P botnet of its own by targeting routers, DVRs and other IoT devices that were either unpatched or unprotected by strong credentials.


Also in Security News

  • TA505 Targeted Networks With SDBbot RAT: IBM X-Force revealed that it spotted a campaign in which the threat actor Hive0065, otherwise known as TA505, leveraged spear phishing emails impersonating Onehub to target enterprise employees in Europe. Those emails sought to steal users’ credentials and infect their machines with the SDBbot remote-access Trojan (RAT).
  • New York State Confirmed Intrusion Against Government Network: As reported by The Wall Street Journal, New York’s Office of Information Technology Services discovered a breach in late January in which attackers had constructed tunnels into servers used for relaying sensitive data. The state responded by hiring outside security services and working with the FBI to investigate the incident.
  • Speculoos Backdoor Distributed by Campaign Exploiting CVE-2019-19781: In an attack spotted by Palo Alto Networks’ Unit 42, malicious actors targeted various organizations in North America, South America and Europe with a campaign that exploited CVE-2019-19781. This flaw allowed attackers to execute code remotely and use that access to install Speculoos.
  • AZORult, NanoCore RAT Delivered by FreeDom Loader: Zscaler observed that the attack campaign began with malspam messages carrying PowerPoint files. These attachments relied on macros to download an encoded VBScript from Pastebin, a script that then used PowerShell to spawn FreeDom loader for the purpose of installing AZORult or NanoCore RAT.
  • WebEx Users Targeted With Spoofed IT Security Alerts: Per Cofense, this attack campaign targeted WebEx users with messages sent from an address designed to look like “meetings[@]webex[.]com.” Those messages attempted to trick recipients into visiting a phishing landing page designed to steal their WebEx credentials.
  • Nemty Ransomware’s Operators Announced End of RaaS Program: ZDNet learned that the operators of Nemty ransomware had announced on the dark web that they would be shutting down their creation’s ransomware-as-a-service (RaaS) platform. Shortly after that announcement, these malicious actors also closed the portal used by Nemty to leak its victims’ data.

Security Tip of the Week: Secure Your IoT Devices

Security professionals can help defend their organizations against malware such as Mozi by improving the authentication measures on their IoT devices. Specifically, they should enable two-factor authentication where it’s available and implement strong passwords on all of their corporate assets. Infosec personnel also need to invest in their ability to passively discover all of their IoT devices so that they can locate and remediate vulnerabilities and other security risks on a timely basis.
