
Kaspersky releases free tool that scans Linux for known threats

Users can use Kaspersky’s new virus removal tool, KVRT for Linux, to scan their systems and remove malware and other known threats for free. Despite the misconception that Linux systems are inherently secure from threats, recent examples such as the XZ Utils backdoor prove otherwise.

KVRT is not a real-time threat protection tool; it’s a standalone scanner that can detect malware, adware, legitimate programs used for malicious purposes, and other known threats. The application scans the entire system using an antivirus database that is regularly updated, requiring users to download the latest definitions each time.

Kaspersky’s application scans system memory, startup objects, boot sectors, and all files in the operating system for malware, including archived files. The tool has been tested on various Linux distributions such as Red Hat Enterprise Linux, CentOS, Linux Mint, Ubuntu, SUSE, openSUSE, and Debian. Even if your distribution isn’t on the list of supported systems, Kaspersky recommends running a scan as an extra precaution.

Using KVRT

KVRT can be downloaded from here, and once downloaded, the user needs to make the file executable and run it as root for maximum functionality.

KVRT can be executed either through a graphical user interface (GUI) or from the terminal as a command-line tool. This means it is also usable at lower init runlevels (down to runlevel 3), where users may find themselves stuck following a malware infection.

If regular users execute the scanner, it won’t have the required permissions to scan all directories and partitions where threats could be hiding.

 

Data of 560 million Ticketmaster customers for sale after alleged breach

On the recently revived BreachForums hacking forum, ShinyHunters is offering to sell the personal and financial information of 560 million Ticketmaster customers for $500,000.

The supposedly stolen databases, which were initially listed for sale on the Russian hacking forum Exploit, contain 1.3TB of data and include the customers’ full details (such as names, home and email addresses, and phone numbers), as well as information regarding tickets, orders, and events.

Moreover, the databases hold customer credit card information, including hashed credit card numbers, last four digits of credit card numbers, credit card and authentication types, and expiration dates, with financial transactions ranging from 2012 to 2024.

When questioned about when and how the data was stolen, ShinyHunters responded, “can’t say anything about this.” As reported by cybersecurity collective vx-underground, some threat actors purportedly breached Ticketmaster and extracted data from AWS instances “by pivoting from a Managed Service Provider.”

Ticketmaster declined to comment when asked if the FBI was investigating ShinyHunters’ claims. It is always better to pay using a third-party provider, such as PayPal or Google Pay, rather than entering your credit card details directly.

Malware bricks 600,000 routers

In 2023, a malware botnet called Pumpkin Eclipse caused 600,000 small office and home office (SOHO) internet routers to go offline, disrupting customers’ internet connectivity. Lumen’s Black Lotus Labs observed the incident, which disrupted internet access across several Midwest states between October 25 and October 27, 2023. This led to the affected owners needing to replace their routers.

The incident affected a single internet service provider (ISP) and three router models used by the firm: the ActionTec T3200s, ActionTec T3260s, and Sagemcom F5380.

This particular ISP serves vulnerable communities in the United States and experienced a 49% drop in operating modems following the ‘Pumpkin Eclipse’ incident.

While the ISP’s name was not disclosed by Black Lotus, it appears to be similar to a Windstream outage that occurred during the same time period.

Reddit users began reporting problems with their routers on October 25, 2023.

Seven months later, a new report by Black Lotus shed some light on the incident, explaining that a botnet bricked 600,000 routers across the Midwest states in October 2023.

According to Lumen Technologies’ Black Lotus Labs, 600,000 SOHO routers owned by a single ISP were shut down. This took place from October 25-27 and led to the permanent malfunctioning of the affected devices, requiring them to be replaced with new hardware. Public scan data revealed that this caused a drastic 49% decline in the number of modems within the affected ISP’s ASN.

Researchers were unable to identify the vulnerability used for initial access; the attackers may have exploited weak credentials or used a zero-day flaw.

A bash script named “get_scrpc” executes the first stage payload, which fetches a second script called “get_strtriiush,” which retrieves and executes the primary bot payload, “Chalubo” (“mips.elf”).

 

During communication with command and control (C2) servers, Chalubo uses ChaCha20 encryption to protect the communication channel, while it wipes all files from disk and changes the process name once it starts.

Using Lua scripts, an attacker can send commands to the bot, allowing exfiltration of data, downloading additional modules, or introducing new payloads.

After execution, which includes a 30-minute delay to evade sandboxes, the bot collects host-based information, including the MAC address, device ID, device type, device version, and local IP address. Black Lotus Labs did not observe any DDoS attacks from Chalubo, indicating Pumpkin Eclipse’s operational goals. The analysts note that Chalubo lacks a persistence mechanism, so rebooting the infected router disrupts the bot’s operation.

Black Lotus Labs says its telemetry data indicates that Chalubo operates 45 malware panels communicating with over 650,000 unique IP addresses from October 3 to November 3, most based in the United States.

Only one of these panels was used for the destructive attack, and it focused on a specific American ISP, leading Black Lotus researchers to believe that the attacker purchased the Chalubo panel for the specific purpose of deploying the destructive payload on routers.

“The second unique aspect is that this campaign was confined to a particular ASN. Most previous campaigns we’ve seen target a specific router model or common vulnerability and have effects across multiple providers’ networks. In this instance, we observed that both Sagemcom and ActionTec devices were impacted at the same time, both within the same provider’s network. This led us to assess it was not the result of a faulty firmware update by a single manufacturer, which would normally be confined to one device model or models from a given company. Our analysis of the Censys data shows the impact was only for the two in question. This combination of factors led us to conclude the event was likely a deliberate action taken by an unattributed malicious cyber actor, even if we were not able to recover the destructive module.” – Black Lotus

Unfortunately, the researchers could not find the payload used to brick the routers, so they were unable to determine how it was done or for what purpose.

The takeaway from this story: always ensure your router’s username and password are strong.

 

References

Kaspersky releases free tool that scans Linux for known threats, BleepingComputer

Data of 560 million Ticketmaster customers for sale after alleged breach, BleepingComputer

Malware botnet bricked 600,000 routers in mysterious 2023 attack, BleepingComputer
