The coin-mining malware also targets older vulnerabilities that defenders may have forgotten.
By | July 23, 2021 — 13:46 GMT (14:46 BST) | Topic: Security
Microsoft is warning customers about the LemonDuck crypto-mining malware, which targets both Windows and Linux systems and spreads via phishing emails, exploits, USB devices, and brute-force attacks, as well as attacks targeting the critical on-premises Exchange Server vulnerabilities uncovered in March.
The group was discovered to be using Exchange bugs to mine for cryptocurrency in May, two years after it first emerged.        
Notably, the group behind LemonDuck takes advantage of high-profile security bugs by exploiting older vulnerabilities during periods when security teams are focused on patching critical flaws, and it even removes rival malware from the machines it compromises.
"[LemonDuck] continues to use older vulnerabilities, which benefit the attackers at times when focus shifts to patching a popular vulnerability rather than investigating compromise," the Microsoft 365 Defender Threat Intelligence Team notes.
"Notably, LemonDuck removes other attackers from a compromised device by getting rid of competing malware and preventing any new infections by patching the same vulnerabilities it used to gain access."
Cisco's Talos malware researchers have been scoping out the group's Exchange activities too. They found LemonDuck was using automated tools to scan, detect, and exploit servers before loading payloads such as the Cobalt Strike pen-testing kit — a favored tool for lateral movement — and web shells, allowing the malware to install additional modules.
According to Microsoft, LemonDuck initially hit China heavily, but it has now expanded to the US, Russia, Germany, the UK, India, Korea, Canada, France, and Vietnam. It focuses on the manufacturing and IoT sectors.
This year, the group ramped up hands-on-keyboard or manual hacking after an initial breach. The group is selective with its targets. 
It also crafted automated tasks to use the EternalBlue SMB exploit from the NSA that was leaked by Kremlin-backed hackers and used in the 2017 WannaCry ransomware attack.
"The task was used to bring in the PCASTLE tool to achieve a couple of goals: abuse the EternalBlue SMB exploit, as well as use brute force or pass-the-hash to move laterally and begin the operation again. Many of these behaviors are still observed in LemonDuck campaigns today," Microsoft's security team notes.
LemonDuck got its name from the variable "Lemon_Duck" in a PowerShell script that acts as the user agent to track infected devices.
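As an added example (not part of the article or of Microsoft's report), the following Python snippet scans web-server log lines in combined log format and flags requests whose User-Agent carries that "Lemon_Duck" marker; the log lines, hostnames and field names are constructed assumptions.

```python
import re

# Constructed sample log lines in combined log format; not real traffic.
SAMPLE_LOGS = [
    '10.0.0.5 - - [23/Jul/2021:13:46:01 +0000] "GET /update.php HTTP/1.1" 200 512 "-" "Lemon_Duck"',
    '10.0.0.9 - - [23/Jul/2021:13:47:10 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0)"',
    '10.0.0.7 - - [23/Jul/2021:13:48:22 +0000] "POST /report HTTP/1.1" 200 128 "-" "lemon_duck/1.0"',
    'garbage line without the expected format',
]

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the parsed fields as a dict, or None when the line is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_lemonduck_hits(lines, marker="lemon_duck"):
    """Return the requests whose User-Agent contains the marker (case-insensitive match)."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue  # skip malformed lines instead of aborting the whole scan
        if marker in fields["ua"].lower():
            hits.append({"ip": fields["ip"], "time": fields["time"],
                         "request": fields["request"], "ua": fields["ua"]})
    return hits


if __name__ == "__main__":
    for hit in find_lemonduck_hits(SAMPLE_LOGS):
        print(f"{hit['time']} {hit['ip']} {hit['request']!r} ua={hit['ua']!r}")
```

A user-agent string is a weak indicator that the operators can change at any time, so treat a match as a lead for host investigation rather than as proof of compromise.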
The vulnerabilities it targets for initial compromise include CVE-2017-0144 (EternalBlue), CVE-2017-8464 (LNK RCE), CVE-2019-0708 (BlueKeep), CVE-2020-0796 (SMBGhost), CVE-2021-26855 (ProxyLogon), CVE-2021-26857 (ProxyLogon), CVE-2021-26858 (ProxyLogon), and CVE-2021-27065 (ProxyLogon).
"Once inside a system with an Outlook mailbox, as part of its normal exploitation behavior, LemonDuck attempts to run a script that utilizes the credentials present on the device. The script instructs the mailbox to send copies of a phishing message with preset messages and attachments to all contacts," Microsoft notes.