August 10, 2022
David Redekop

This Week In Nerd News #84 Dark Utilities – Commoditizing C2 Command and Control

This Week In Nerd News #84

This Week In Nerd News #84

It keeps getting easier and easier to be a cyber criminal. One of the areas that used to require some expensive expertise was for the remote command and control of internet-connected devices, especially the kind that was done without the awareness of owners. Such remote control ends up being *the* key to an attacker’s ability to obtain persistence on a compromised network.

This Command and Control is also known as C2, and has been notoriously difficult to detect and prevent against. Our presentation at blackhat this week addresses this very issue, but in the mean time, we’re finding out how commoditized C2 has already become. A cyber criminal no loger needs to build his own C2 infrastructure because it can now be rented. The most complex part of a cyber criminal’s business is now commoditized, and that’s what brings us to the first story of this week about Dark Utilities:

YouTube video

Thousands of hackers flock to ‘Dark Utilities’ C2-as-a-Service

Available for both TOR and the clear web as a C2 service, it then hosts malicious payloads on IPFS. This clearly lowers the bar for would be cyber criminals, which means we need to raise our defenses.

Security researchers found a new service called Dark Utilities that provides an easy and inexpensive way for cybercriminals to set up a command and control (C2) center for their malicious operations.

 

The Dark Utilities service provides threat actors a platform that supports Windows, Linux, and Python-based payloads, and eliminates the effort associated with implementing a C2 communication channel.

 

A C2 server is how adversaries control their malware in the wild, sending out commands, configurations and new payloads, and receiving data collected from compromised systems.

 

Read More: Thousands of hackers flock to ‘Dark Utilities’ C2-as-a-Service

Google Patches Critical Android Flaw Allowing Remote Code Execution via Bluetooth

It’s 2022 and three dozen vulnerabilities have just been fixed in Android, including a critical issue that can be exploited for remote code execution over Bluetooth. If your Android devices aren’t managed and updated yet, you know what to do!

Google on Monday published a security bulletin describing the latest round of patches for the Android operating system. Three dozen vulnerabilities have been fixed, including a critical issue that can be exploited for remote code execution over Bluetooth.

 

The critical vulnerability is tracked as CVE-2022-20345 and it affects the System component. It has been patched with Android 12 and 12L updates.

 

According to Google, an attacker does not require additional execution privileges to remotely execute arbitrary code over a Bluetooth attack. No additional details are available about the vulnerability.

 

Read More: Google Patches Critical Android Flaw Allowing Remote Code Execution via Bluetooth

New Linux malware brute-forces SSH servers to breach networks

“Unlike the majority of Mirai variants, which natively brute force Telnet servers using default or weak passwords, RapperBot exclusively scans and attempts to brute force SSH servers configured to accept password authentication”

A new botnet called ‘RapperBot’ is being used in attacks since mid-June 2022, focusing on brute-forcing its way into Linux SSH servers to establish a foothold on the device.

 

The researchers show that RapperBot is based on the Mirai trojan but deviates from the the original malware’s normal behavior, which is uncontrolled propagation to as many devices as possible.

 

Instead, RapperBot is more tightly controlled, has limited DDoS capabilities, and its operation appears geared towards initial server access, likely to be used as stepping stones for lateral movement within a network.

 

Read More: New Linux malware brute-forces SSH servers to breach networks

Critical Vulnerabilities Allow Hacking of Cisco Small Business Routers

These updates released by Cisco for some of its small business routers patch serious vulnerabilities that could allow threat actors to take control of affected devices..

Updates released by Cisco for some of its small business routers patch serious vulnerabilities that could allow threat actors to take control of affected devices.

 

Three vulnerabilities have been identified by external researchers in Cisco’s RV160, RV260, RV340, and RV345 series VPN routers. An unauthenticated attacker could exploit the flaws remotely for arbitrary code execution and denial-of-service (DoS) attacks.

 

Two of the vulnerabilities have been assigned a ‘critical’ severity rating. One of them, CVE-2022-20842, affects the routers’ web-based management interface and is caused by insufficient user input validation. An attacker can exploit the weakness by sending specially crafted HTTP requests to the targeted device. Successful exploitation can result in arbitrary code being executed on the underlying operating system (OS) with root privileges, or the targeted device entering a DoS condition.

 

Read More: Critical Vulnerabilities Allow Hacking of Cisco Small Business Routers

Resolving Availability vs. Security, a Constant Conflict in IT

The conundrum: Ops team focus on availability… security teams lock down. Looks like there’s a reasonable compromise, but each organization needs to find that sweet spot for themselves.

Conflicting business requirements is a common problem – and you find it in every corner of an organization, including in information technology. Resolving these conflicts is a must, but it isn’t always easy – though sometimes there is a novel solution that helps.

 

In IT management there is a constant struggle between security and operations teams. Yes, both teams ultimately want to have secure systems that are harder to breach. However, security can come at the expense of availability – and vice versa. In this article, we’ll look at the availability vs. security conflict, and a solution that helps to resolve that conflict.

 

Read More: Resolving Availability vs. Security, a Constant Conflict in IT

Did you know?

AirShot is a cool macOS wallpaper app that automatically displays an aerial shot of your current location. It’s not for everyone all the time, but it’s pretty cool if you’re on business travel for the amount of times we open up the maps app to see what’s around us.