AT2k Design BBS Message Area
Networked Database: Computer Support/Help/Discussion... [1776 / 1862]
From: Sean Rima
To: All
Subject: Over 4,000 ISP IPs Targeted in Brute-Force Attacks to Deploy Inf
Date/Time: March 4, 2025 12:15 PM

Internet service providers (ISPs) in China and the West Coast of the United
States have become the target of a mass exploitation campaign that deploys
information stealers and cryptocurrency miners on compromised hosts.

The findings come from the Splunk Threat Research Team, which said the activity
also led to the delivery of various binaries that facilitate data exfiltration
as well as offer ways to establish persistence on the systems.

The unidentified threat actors performed "minimal intrusive operations to avoid
detection, with the exception of artifacts created by accounts already
compromised," the Cisco-owned company said in a technical report published last
week.

"This actor also moves and pivots primarily by using tools that depend and run
on scripting languages (e.g., Python and Powershell), allowing the actor to
perform under restricted environments and use API calls (e.g., Telegram) for C2
[command-and-control] operations."

The attacks have been observed leveraging brute-force attacks exploiting weak
credentials. These intrusion attempts originate from IP addresses associated
with Eastern Europe. Over 4,000 IP addresses of ISP providers are said to have
been specifically targeted.

Upon obtaining initial access to target environments, the attacks have been
found to drop several executables via PowerShell to conduct network scanning,
information theft, and XMRig cryptocurrency mining by abusing the victim's
computational resources.

Prior to the payload execution is a preparatory phase that involves turning off
security product features and terminating services associated with cryptominer
detection.

The stealer malware, besides featuring the ability to capture screenshots,
serves akin to a clipper malware that's designed to steal clipboard content by
searching for wallet addresses for cryptocurrencies such as Bitcoin (BTC),
Ethereum (ETH), Binance Chain BEP2 (ETHBEP2), Litecoin (LTC), and TRON (TRX).

The gathered information is subsequently exfiltrated to a Telegram bot. Also
dropped to the infected machine is a binary that, in turn, launches additional
payloads -

    Auto.exe, which is designed to download a password list (pass.txt) and list
of IP addresses (ip.txt) from its C2 server for carrying out brute-force attacks

"The actor targeted specific CIDRs of ISP infrastructure providers located on
the West Coast of the United States and in the country of China," Splunk said.

"These IPs were targeted by using a masscan tool which allows operators to scan
large numbers of IP addresses which can subsequently be probed for open ports
and credential brute-force attacks."

https://thehackernews.com/2025/03/over-4000-i...

... TCOB1: https://binkd.rima.ie telnet: binkd.rima.ie
--- GoldED+/LNX 1.1.5-b20240309
 * Origin:  <-Sean's Pointless Point->  (618:500/1.1)
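The campaign above starts with credential brute-forcing against ISP hosts, and the report notes that the only real artifacts are those left by accounts that were already compromised. A defender-side detection for exactly that pattern, added here as an example (not code from the post or from the Splunk report): a sliding-window counter over sshd-style authentication records that raises one alert when a source IP crosses a failure threshold and a second, higher-priority alert when a login later succeeds from that same IP. The log format, host name, IPs and user names are constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd auth records (assumed syslog format, not from the report).
SAMPLE_LOG = """\
Mar 04 12:00:01 gw1 sshd[101]: Failed password for root from 203.0.113.7 port 4001 ssh2
Mar 04 12:00:02 gw1 sshd[102]: Failed password for admin from 203.0.113.7 port 4002 ssh2
Mar 04 12:00:03 gw1 sshd[103]: Failed password for invalid user test from 203.0.113.7 port 4003 ssh2
Mar 04 12:00:04 gw1 sshd[104]: Failed password for root from 203.0.113.7 port 4004 ssh2
Mar 04 12:00:05 gw1 sshd[105]: Failed password for root from 203.0.113.7 port 4005 ssh2
Mar 04 12:00:06 gw1 sshd[106]: Accepted password for root from 203.0.113.7 port 4006 ssh2
Mar 04 12:10:00 gw1 sshd[107]: Failed password for ops from 198.51.100.9 port 5001 ssh2
Mar 04 12:30:00 gw1 sshd[108]: Accepted password for ops from 198.51.100.9 port 5002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse(line, year=2025):
    # Returns (timestamp, accepted, user, source_ip) or None for non-auth lines.
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"] == "Accepted", m["user"], m["ip"]

def detect(log_text, threshold=5, window_s=300):
    """Alert ('bruteforce', ip) once an IP logs `threshold` failures within `window_s`
    seconds, then ('success_after_failures', ip, user) on any later success from it."""
    failures = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged, alerts = set(), []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, accepted, user, ip = rec
        q = failures[ip]
        while q and (ts - q[0]).total_seconds() > window_s:  # expire old failures
            q.popleft()
        if not accepted:
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)                 # flagged IPs stay flagged for the run
                alerts.append(("bruteforce", ip))
        elif ip in flagged:
            alerts.append(("success_after_failures", ip, user))
    return alerts
```

Running `detect(SAMPLE_LOG)` flags 203.0.113.7 after its fifth failure and then reports the successful `root` login from it, while the single failure from 198.51.100.9 never crosses the threshold.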