Kaspersky releases free tool that scans Linux for known threats
Kaspersky’s new virus removal tool, KVRT for Linux, lets users scan their systems and remove malware and other known threats for free. Despite the common misconception that Linux systems are inherently secure, recent examples such as the XZ Utils backdoor prove otherwise.
KVRT is not a real-time protection tool; it is a standalone scanner that can detect malware, adware, legitimate programs used for malicious purposes, and other known threats. The application scans the entire system against a regularly updated antivirus database, so users need to download the latest definitions each time they run it.
Kaspersky’s application scans system memory, startup objects, boot sectors, and all files in the operating system for malware, including files inside archives. The tool has been tested on various Linux distributions such as Red Hat Enterprise Linux, CentOS, Linux Mint, Ubuntu, SUSE, openSUSE, and Debian. Even if your distribution isn’t on the list of supported systems, Kaspersky recommends running a scan as an extra precaution.
Using KVRT
KVRT can be downloaded from here. Once downloaded, the user needs to make the file executable and run it as root for full functionality.
KVRT can be run either from a graphical user interface (GUI) or from the terminal as a command-line tool, so it is also usable in lower init runlevels (down to 3), where users may find themselves stuck after a malware infection.
If a regular user runs the scanner, it won’t have the permissions required to scan all directories and partitions where threats could be hiding.
Data of 560 million Ticketmaster customers for sale after alleged breach
On the recently revived BreachForums hacking forum, ShinyHunters is offering to sell the personal and financial information of 560 million Ticketmaster customers for $500,000.
The supposedly stolen databases, which were initially listed for sale on the Russian hacking forum Exploit, contain 1.3TB of data and include the customers’ full details (such as names, home and email addresses, and phone numbers), as well as information regarding tickets, orders, and events.
Moreover, the databases hold customer credit card information, including hashed credit card numbers, last four digits of credit card numbers, credit card and authentication types, and expiration dates, with financial transactions ranging from 2012 to 2024.
When questioned about when and how the data was stolen, ShinyHunters responded, “can’t say anything about this.” As reported by the cybersecurity collective vx-underground, threat actors purportedly breached Ticketmaster and extracted data from AWS instances “by pivoting from a Managed Service Provider.”
Ticketmaster declined to comment when asked whether the FBI was investigating ShinyHunters’ claims. It is always better to pay through a third-party provider, such as PayPal or Google Pay, than to hand over your credit card details directly.
Malware bricks 600,000 routers
In 2023, a malware botnet called Pumpkin Eclipse knocked 600,000 small office and home office (SOHO) internet routers offline, disrupting customers’ internet connectivity. Lumen’s Black Lotus Labs observed the incident, which disrupted internet access across several Midwest states between October 25 and October 27, 2023, and left the affected owners needing to replace their routers.
The incident affected a single internet service provider (ISP) and three router models used by the firm: the ActionTec T3200s, ActionTec T3260s, and Sagemcom F5380.
This particular ISP serves vulnerable communities in the United States and experienced a 49% drop in operating modems following the ‘Pumpkin Eclipse’ incident.
While the ISP’s name was not disclosed by Black Lotus, it appears to be similar to a Windstream outage that occurred during the same time period.
Reddit users began reporting problems with their routers on October 25, 2023.
Seven months later, a new report by Black Lotus shed some light on the incident, explaining that a botnet bricked 600,000 routers across the Midwest states in October 2023.
According to Lumen Technologies’ Black Lotus Labs, 600,000 SOHO routers owned by a single ISP were shut down between October 25 and 27. The affected devices were permanently disabled and had to be replaced with new hardware. Public scan data showed a drastic 49% decline in the number of modems within the affected ISP’s ASN.
Researchers were unable to identify the vulnerability used for initial access; the attackers either exploited weak credentials or used a zero-day flaw.
A bash script named “get_scrpc” executes the first stage payload, which fetches a second script called “get_strtriiush,” which retrieves and executes the primary bot payload, “Chalubo” (“mips.elf”).
Once it starts, Chalubo wipes all files from disk and changes its process name, and it uses ChaCha20 encryption to protect its communication channel with the command and control (C2) servers.
Using Lua scripts, an attacker can send commands to the bot, allowing exfiltration of data, downloading additional modules, or introducing new payloads.
After execution, and following a 30-minute delay intended to evade sandboxes, the bot collects host-based information, including the MAC address, device ID, device type, device version, and local IP address. Black Lotus Labs did not observe any DDoS attacks from Chalubo, a hint about Pumpkin Eclipse’s operational goals. The analysts note that Chalubo lacks a persistence mechanism, so rebooting the infected router disrupts the bot’s operation.
Black Lotus Labs says its telemetry data indicates that Chalubo operates 45 malware panels communicating with over 650,000 unique IP addresses between October 3 and November 3, most of them based in the United States.
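A small detector for the staged download chain described above, added here as an example and not Black Lotus Labs’ code: it correlates fetches of the three named artefacts per router, in order and within a time window, so a host that pulls the whole chain is flagged differently from one that only touched a single stage. The log format, router names, IP address and 10-minute window are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stage artefacts named in the Black Lotus Labs findings summarised above.
STAGES = ["get_scrpc", "get_strtriiush", "mips.elf"]
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) fetch (?P<url>\S+)$")

# Constructed sample log in a hypothetical "<ISO time> <router> fetch <url>" format.
SAMPLE_LOG = """\
2023-10-25T01:00:05 rtr-A fetch http://203.0.113.10/get_scrpc
2023-10-25T01:00:09 rtr-A fetch http://203.0.113.10/get_strtriiush
2023-10-25T01:00:14 rtr-A fetch http://203.0.113.10/mips.elf
2023-10-25T01:02:00 rtr-B fetch http://203.0.113.10/get_scrpc
2023-10-25T01:02:30 rtr-B fetch http://cdn.example.net/firmware.bin
2023-10-25T03:30:00 rtr-C fetch http://203.0.113.10/mips.elf
"""

def parse_events(log):
    """Yield (timestamp, host, stage_index) for fetches of a known stage artefact."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected format
        name = m["url"].rsplit("/", 1)[-1]
        if name in STAGES:
            yield datetime.fromisoformat(m["ts"]), m["host"], STAGES.index(name)

def classify_hosts(log, window=timedelta(minutes=10)):
    """Per host: 'full' if stages 0 -> 1 -> 2 were fetched in order within
    `window` of the first stage, otherwise 'partial' (some stage, or out of order)."""
    by_host = defaultdict(list)
    for ts, host, idx in parse_events(log):
        by_host[host].append((ts, idx))
    verdict = {}
    for host, events in by_host.items():
        events.sort()  # chronological order per host
        expected, start = 0, None
        for ts, idx in events:
            if idx == expected and (start is None or ts - start <= window):
                start = start or ts  # remember when the chain began
                expected += 1
        verdict[host] = "full" if expected == len(STAGES) else "partial"
    return verdict

if __name__ == "__main__":
    for host, v in sorted(classify_hosts(SAMPLE_LOG).items()):
        print(f"{host}: {v}")
```

A "partial" verdict is still worth a look: the page notes the bot lacks persistence, so a router that fetched only the first stage before a reboot may show exactly this pattern.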
Only one of these panels was used for the destructive attack, and it focused on a single American ISP, leading Black Lotus researchers to believe that the attacker purchased the Chalubo panel specifically to deploy the destructive payload on routers.
“The second unique aspect is that this campaign was confined to a particular ASN. Most previous campaigns we’ve seen target a specific router model or common vulnerability and have effects across multiple providers’ networks. In this instance, we observed that both Sagemcom and ActionTec devices were impacted at the same time, both within the same provider’s network. This led us to assess it was not the result of a faulty firmware update by a single manufacturer, which would normally be confined to one device model or models from a given company. Our analysis of the Censys data shows the impact was only for the two in question. This combination of factors led us to conclude the event was likely a deliberate action taken by an unattributed malicious cyber actor, even if we were not able to recover the destructive module.” – Black Lotus
Unfortunately, the researchers could not find the payload used to brick the routers, so they were unable to determine how it was done or for what purpose.
The takeaway from this story: always make sure your router’s username and password are strong.
References
Kaspersky releases free tool that scans Linux for known threats, BleepingComputer
Data of 560 million Ticketmaster customers for sale after alleged breach, BleepingComputer
Malware botnet bricked 600,000 routers in mysterious 2023 attack, BleepingComputer