Cybersecurity researchers at Splunk have shared details about what they believe is the resurgence of a cryptocurrency botnet that specifically targets Windows Server instances running on Amazon's cloud computing platform, Amazon Web Services (AWS).
Based on their detailed analysis, Splunk's Threat Research Team (STRT) says that the campaign against AWS's IP address space originates from Chinese and Iranian IP addresses.
Telegram-powered C2 infrastructure.
Interestingly, STRT reports that a legitimate Telegram Desktop client binary was present on all of the compromised VMs. The researchers say the attackers used it to help enroll the VMs into their botnet.
The threat actors misuse the desktop app's Telegram API to execute commands on compromised hosts and turn them into bots, after which additional tools and payloads can be downloaded automatically.
According to STRT, the crypto wallet that collects the mined Monero was also used in previous campaigns dating back to 2018.
Noting other similarities between the current attack and the previous campaigns, including the use of similar exploitation techniques, STRT believes that the current campaign is run by the same threat actors who were behind the earlier ones.
Since these attacks do not appear to exploit software vulnerabilities but instead brute-force their way into hosts, the researchers recommend that administrators review their passwords.
"As we have seen in our research, the best way to prevent these attack vectors is to patch your Windows servers first and apply the latest security updates. Network Level Authentication is a big factor in the compromise; NLA will also help thwart brute-force attacks."
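Because the campaign relies on password brute-forcing rather than a software vulnerability, the most useful telemetry on the defender's side is the stream of failed Windows logons. The following is an added example, not code from Splunk or from the report: it flags source IPs that produce a burst of Event ID 4625 failures with remote logon types, and counts how many distinct usernames each one tried, which separates password spraying from a single-account guess. The flattened event format, the threshold and all IP addresses, usernames and timestamps are constructed for the example.

```python
"""Flag RDP brute-force candidates from Windows Security failed-logon events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Event ID 4625 (failed logon) / 4624 (success) flattened to
# "timestamp,event_id,logon_type,target_user,source_ip". Logon type 10 is
# RemoteInteractive (RDP); type 3 (network) is what NLA produces before the
# RDP session is established. Addresses are documentation ranges, not real IoCs.
SAMPLE_EVENTS = """\
2021-10-19T09:00:01,4625,10,administrator,203.0.113.5
2021-10-19T09:00:03,4625,10,admin,203.0.113.5
2021-10-19T09:00:04,4625,10,administrator,203.0.113.5
2021-10-19T09:00:06,4625,10,test,203.0.113.5
2021-10-19T09:00:07,4625,10,user,203.0.113.5
2021-10-19T09:00:09,4625,10,guest,203.0.113.5
2021-10-19T09:05:00,4625,10,alice,198.51.100.7
2021-10-19T09:30:00,4624,10,alice,198.51.100.7
2021-10-19T10:00:00,4625,3,bob,192.0.2.9
"""

def parse_events(text):
    events = []
    for line in text.splitlines():
        ts, event_id, logon_type, user, ip = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "logon_type": int(logon_type), "user": user, "ip": ip})
    return events

def brute_force_candidates(events, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: (max_failures_in_window, distinct_users_in_that_window)}
    for every IP that reaches `threshold` failed remote logons inside a sliding
    `window`. Only 4625 events with logon type 3 or 10 are considered."""
    per_ip = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] in (3, 10):
            per_ip[e["ip"]].append(e)
    hits = {}
    for ip, evs in per_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide window start
                start += 1
            count = end - start + 1
            if count >= threshold and count > hits.get(ip, (0, 0))[0]:
                hits[ip] = (count, len({e["user"] for e in evs[start:end + 1]}))
    return hits

if __name__ == "__main__":
    for ip, (fails, users) in brute_force_candidates(parse_events(SAMPLE_EVENTS)).items():
        print(f"{ip}: {fails} failed logons across {users} usernames within one window")
```

A single failed logon followed by a success (198.51.100.7 above) is left alone, while the sprayed-account pattern from 203.0.113.5 is reported with both its failure count and the number of usernames it cycled through.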