GoBrut Botnet Targets Sites and Devices: Heimdal Security Report

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents

Heimdal Security released an advisory to its customers, users, partners, and clients about the emergence of a botnet that has infected thousands of sites. The botnet, StealthWorker (GoBrut), has carried out a large number of attacks in a very short time by brute-forcing targets’ internet-facing NAS devices and web servers. Heimdal says the infected devices will be used in future botnet campaigns to exploit more hosts. GoBrut is not exactly a new botnet.

It was involved in the August 2021 campaign against Synology’s NAS devices; however, its origin can be traced back to February 2019, when the malware launched various brute-force attacks against poorly secured CMSs, including Magento. In terms of design, GoBrut is written in Golang, a programming language popular among hacker communities and pen testers because of its flexibility, coding efficiency, and reasonable learning curve. In Synology’s case, the payload was distributed via JS injection or something similar.

Once distribution is tagged as successful, the malware begins to collect resources, finding the ones vulnerable to brute force. StealthWorker’s impressive success is rooted in how few CMSs manage password hygiene. In various incidents, the leaked credentials were default user-password pairs, which suggests that no measures were taken to make the passwords strong. As for the intrusion, the credentials obtained via distributed dictionary-based brute-forcing were passed to a C2 panel hosted on a secondary ‘attack’ address that performs the C2 functions.
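An added example (not from the Heimdal advisory or the original article) of how a defender could spot the distributed dictionary-based brute-forcing described above: it groups failed logins per account instead of per source IP, because each bot can stay below a per-IP lockout. The log format, field names and thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample; the line format is an assumption made for this example.
SAMPLE_LOG = """\
2021-08-10T10:00:01 FAIL user=admin src=198.51.100.11
2021-08-10T10:00:09 FAIL user=admin src=203.0.113.5
2021-08-10T10:00:17 FAIL user=admin src=192.0.2.44
2021-08-10T10:00:20 FAIL user=alice src=192.0.2.200
2021-08-10T10:00:26 FAIL user=admin src=198.51.100.77
2021-08-10T10:00:31 FAIL user=admin src=203.0.113.90
2021-08-10T10:00:40 FAIL user=admin src=198.51.100.11
2021-08-10T10:00:52 OK user=admin src=192.0.2.44
"""
LINE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) src=(\S+)$")

def parse(log):
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:  # skip lines that do not match the assumed format
            ts, result, user, src = m.groups()
            yield datetime.fromisoformat(ts), result, user, src

def detect(log, window=timedelta(minutes=5), min_sources=4, per_ip_limit=3):
    """Flag accounts that fail logins from >= min_sources IPs inside one window."""
    fails, oks = defaultdict(list), defaultdict(list)  # user -> [(time, src)]
    for ts, result, user, src in sorted(parse(log)):
        (fails if result == "FAIL" else oks)[user].append((ts, src))
    findings = {}
    for user, events in fails.items():
        start, best = 0, Counter()
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            seen = Counter(src for _, src in events[start:end + 1])
            if (len(seen), sum(seen.values())) > (len(best), sum(best.values())):
                best = seen
        if len(best) >= min_sources:
            findings[user] = {
                "sources": len(best),
                "failures": sum(best.values()),
                # IPs that a per-IP lockout alone would have caught
                "ips_over_per_ip_limit": sorted(ip for ip, n in best.items() if n >= per_ip_limit),
                # a success after failures began: treat the account as compromised
                "success_after_failures": any(ts > events[0][0] for ts, _ in oks[user]),
            }
    return findings
```

On the sample, `detect(SAMPLE_LOG)` flags only `admin`, and `ips_over_per_ip_limit` is empty: a lockout keyed on source IP would not have fired for any of the five sources.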
