Reaper Botnet Dwarfs Mirai


By this point everyone and their mother has heard of the botnet dubbed ‘Mirai’, the infamous botnet from last year that knocked a good chunk of the internet offline by attacking Dyn, a DNS provider. Well, as of this September, weak passwords might have become the least of your worries if, like 60% of the corporations covered by Check Point’s ThreatCloud, you have unpatched, vulnerable devices on your network.

Dubbed Reaper, or IoTroop by some, a new IoT botnet is propagating and shows no sign of slowing down. Researchers treat Reaper as a distinct family rather than a Mirai offshoot, at least on a technical level, because its intrusion and propagation techniques go well beyond Mirai’s. Whereas Mirai spread by logging in to IoT devices with default credentials, Reaper uses a strain of malware that exploits well-known vulnerabilities for which patches generally already exist (such as those in many consumer routers and IP cameras) to gain entry to a device, and then uses that device to scan for and infect others.

With near-exponential growth, Qihoo 360 Netlab observed roughly 2 million vulnerable devices queued at the C&C servers, waiting to be processed by the botnet’s loader; several of those C&C servers have already been identified. The best thing any concerned corporation or user can do right now is make sure every device on their network is running updated firmware and software, to limit the spread of this plague across IoT networks worldwide.

Currently, it appears as if we all might be witnessing a ‘calm before the storm’ situation, with this botnet ramping up massively in numbers and, according to Check Point, updating its capabilities on a daily basis. What else can I say but stay safe and brace for impact, as when this thing hits, it’ll make the Dyn attack look like a birthday party.

– Kenneth Nero

Sources: Here, and Here, also Here


The Hard Apple: Why It’s Difficult to Acquire Malware on a Mac

It always seems like there is a new virus, new malware, or new adware popping up on computers running Windows. But why do we hear so little about this happening on a Mac? The answer lies partly in the operating system itself, tracing back to its Unix roots, and partly in who attackers choose to target.

Apple Mac computers run macOS, a Unix-based operating system, and Unix brings its own built-in protections such as separate user accounts and file permissions. On top of these, Apple has added its own security features. One of them is Gatekeeper, which by default refuses to open downloaded applications that did not come from the App Store or were not signed with an Apple-issued Developer ID certificate. A second is App Sandboxing: a sandboxed application can only use the resources (files, network, hardware) that its entitlements declare, which isolates it from system components and from parts of the computer that have nothing to do with the app’s purpose. The third is FileVault 2, which is full-disk encryption: it encrypts the startup volume, and with it every file on the Mac, so that the data cannot be read without the user’s password or a recovery key. Together these built-in protections give Apple’s users a more secure system.

It might be assumed that Mac users would be an easy group to target, but based on recent data most attackers judge that the Apple user base is not large enough to justify the effort of building malware that can get past all of Apple’s security obstacles. The reason there is comparatively little malware for Macs is that attackers have a larger and easier target audience among Windows users.

Despite the small number of Mac viruses and malware, there have still been instances of them. In 2017 alone, Mac malware has increased by 230%. One example is the OSX/Dok malware. OSX/Dok appeared in April 2017 and was a trojan that inserted itself as a proxy so it could intercept all of the Mac’s incoming and outgoing web traffic, including HTTPS. The trojan was signed with a valid Apple Developer ID certificate, which means the attackers could have used a legitimate developer account to launch the attack, and it also means Gatekeeper would not have blocked it. Another attack, in February 2017, was called MacDownloader. This malware presented itself to the user as a free update for Adobe Flash Player. When the installer ran, it told the user that adware had been found on the Mac and prompted for the system password, then began transmitting data (usernames, passwords, and so on) to a remote server. A final example of successful Mac malware is Safari-Get. Appearing in November 2016, this was a social-engineering attack that sent out links by email; depending on the macOS version, the link opened either an endless series of iTunes windows or an endless series of draft emails, which would freeze the system or exhaust memory and force a shutdown.
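A practical check suggested by the OSX/Dok case above: Gatekeeper accepts any application that carries a valid Developer ID signature, so a certificate that is valid is not the same as a certificate you trust. The Python script below is an example added here; it is not code from the original post or from Apple. It parses the output of Apple’s `spctl --assess --verbose` and `codesign -dv --verbose=4` tools, pins the signer’s Team ID against an allowlist, and refuses applications that Gatekeeper accepts but that were signed by an unknown developer account. The tool output embedded in the block is constructed to match the real format; the application names and Team IDs are invented. On a Mac, `collect()` runs the real tools; on any other system the constructed samples are used.

```python
import platform
import re
import subprocess
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Developer Team IDs this organisation trusts. Assumption: made-up value for the example.
ALLOWED_TEAM_IDS: Set[str] = {"ABCDE12345"}


@dataclass
class Verdict:
    gatekeeper_accepts: bool   # what Gatekeeper alone would do
    source: str                # the Gatekeeper rule that matched, e.g. "Developer ID"
    team_id: Optional[str]     # signer's Team ID, None if unsigned or ad-hoc signed
    allowed: bool              # our decision after pinning the Team ID
    reason: str


def gatekeeper_assessment(spctl_output: str) -> Tuple[bool, str]:
    """Parse `spctl --assess --verbose <app>`: the first line ends in ': accepted'
    or ': rejected', and a 'source=' line names the rule that matched."""
    first = spctl_output.strip().splitlines()[0].rstrip()
    accepted = first.endswith(": accepted")
    m = re.search(r"^source=(.+)$", spctl_output, re.M)
    return accepted, (m.group(1).strip() if m else "unknown")


def team_identifier(codesign_output: str) -> Optional[str]:
    """Parse `codesign -dv --verbose=4 <app>` (printed on stderr) for its TeamIdentifier= line."""
    m = re.search(r"^TeamIdentifier=(.+)$", codesign_output, re.M)
    if not m or m.group(1).strip() == "not set":
        return None
    return m.group(1).strip()


def decide(spctl_output: str, codesign_output: str,
           allowed: Set[str] = ALLOWED_TEAM_IDS) -> Verdict:
    accepted, source = gatekeeper_assessment(spctl_output)
    team = team_identifier(codesign_output)
    if not accepted:
        return Verdict(False, source, team, False, "Gatekeeper rejected the bundle")
    if team is None:
        return Verdict(True, source, None, False, "no Team ID (unsigned or ad-hoc signature)")
    if team not in allowed:
        # The OSX/Dok situation: a valid Developer ID that nobody here has vetted.
        return Verdict(True, source, team, False, f"Developer ID signer {team} is not on the allowlist")
    return Verdict(True, source, team, True, "accepted by Gatekeeper and signed by a pinned Team ID")


def collect(app_path: str) -> Tuple[str, str]:
    """On macOS, run the real tools and return (spctl output, codesign output)."""
    if platform.system() != "Darwin":
        raise RuntimeError("spctl and codesign only exist on macOS")
    spctl = subprocess.run(["spctl", "--assess", "--verbose", app_path],
                           capture_output=True, text=True)
    cs = subprocess.run(["codesign", "-dv", "--verbose=4", app_path],
                        capture_output=True, text=True)
    return spctl.stdout + spctl.stderr, cs.stderr + cs.stdout


# Constructed tool output matching the real format; names and Team IDs are invented.
TRUSTED_SPCTL = (
    "/Applications/Trusted.app: accepted\n"
    "source=Developer ID\n"
    "origin=Developer ID Application: Trusted Inc (ABCDE12345)\n"
)
TRUSTED_CODESIGN = (
    "Executable=/Applications/Trusted.app/Contents/MacOS/Trusted\n"
    "Authority=Developer ID Application: Trusted Inc (ABCDE12345)\n"
    "TeamIdentifier=ABCDE12345\n"
)
# A Dok-style trojan: Gatekeeper is satisfied, but the signer is an unknown developer account.
DOK_STYLE_SPCTL = (
    "/Users/me/Downloads/Invoice.app: accepted\n"
    "source=Developer ID\n"
    "origin=Developer ID Application: Unknown Dev (ZZZZZ99999)\n"
)
DOK_STYLE_CODESIGN = (
    "Authority=Developer ID Application: Unknown Dev (ZZZZZ99999)\n"
    "TeamIdentifier=ZZZZZ99999\n"
)
UNSIGNED_SPCTL = "/Users/me/Downloads/Unknown.app: rejected\nsource=no usable signature\n"
UNSIGNED_CODESIGN = "/Users/me/Downloads/Unknown.app: code object is not signed at all\n"

if __name__ == "__main__":
    samples = {"trusted": (TRUSTED_SPCTL, TRUSTED_CODESIGN),
               "dok-style": (DOK_STYLE_SPCTL, DOK_STYLE_CODESIGN),
               "unsigned": (UNSIGNED_SPCTL, UNSIGNED_CODESIGN)}
    for name, (s, c) in samples.items():
        v = decide(s, c)
        print(f"{name}: gatekeeper={v.gatekeeper_accepts} allowed={v.allowed} ({v.reason})")
```

The point of the second sample is that Gatekeeper says "accepted" for both the trusted app and the Dok-style one; only the Team ID pin separates them. A revoked certificate would eventually make `spctl` reject the bundle, but that happens only after Apple learns of the abuse.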

Regardless of how little effort attackers put into targeting Mac users, there is still reason for users to be careful. That is easy enough to do: keep applications updated, and be cautious when clicking links or opening unfamiliar files.

-Ryan Keihm


Do Macs get viruses, and do Macs need antivirus software?

16 Apple Security Advances to Take Note of in 2016

New Bashware Hacking Technique Has Potential To Affect Windows 10 Users

A new hacking technique, found and dubbed ‘Bashware’ by the cyber-security firm Check Point, can be used by attackers targeting Windows 10 users.

The technique abuses the Linux compatibility layer that already ships inside Windows 10, the Windows Subsystem for Linux, or WSL. Because the security products Check Point tested did not inspect the Linux processes that WSL runs, malware executed through it could go completely undetected by antivirus software and other protections in place.

The potential impact of this attack is huge, since Windows 10 is so widely used, and anybody running it could be at risk from attackers who use this technique.

Check Point researchers Dvir Atias and Gal Elbaz commented on the threat after performing some tests with major protection software: “We tested this technique on most of the leading anti-virus and security products on the market, successfully bypassing them all”. This shows that in its current state, the WSL provides a major gateway for hackers to get into even protected systems.

WSL lets developers run Linux command-line tools and Linux binaries directly on Windows, so code can be tested in both environments on one machine; it is an optional feature that a developer has to turn on.

The technique exists not because of sloppy coding in WSL, but because security vendors had not yet built monitoring for the new kind of process WSL introduces; nobody had accounted for it when the feature was implemented, so nothing was in place to protect against it.

The one thing that could hinder this technique is that the attacker needs administrator access to the computer, but many attackers already obtain that through other malware or social engineering.

Microsoft is actively trying to find a way to fight against this exploit but a spokesperson said that they are not worried. In fact, they view this as low risk. The spokesperson stated that “One would need to enable developer mode, then install the component, reboot, and install Windows Subsystem for Linux in order for this to be effective. Developer mode is not enabled by default”.

All an attacker would need to do is obtain admin access to the computer, enable the feature, and then trigger a reboot or trick the user into rebooting.

The Bashware technique is a particularly powerful exploit for Windows 10 that can be used to bypass even the best anti-virus software but security companies are already working on a fix.
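A hunting check for the preconditions Microsoft’s spokesperson lists: Bashware needs Developer Mode turned on, the WSL optional feature enabled, and a reboot, after which Linux binaries are launched through WSL. The Python script below is an example added here; it is not drawn from Check Point’s research or from any product. It evaluates a host snapshot (the Developer Mode registry value, the WSL feature state reported by DISM, and whether the LxssManager service exists) together with process-creation records, and reports which preconditions are met plus any `bash.exe`/`wsl.exe` started by something other than an interactive shell. On Windows, `snapshot_from_host()` reads the real registry value and queries DISM and the service manager; the snapshot, DISM text and process records embedded here are constructed. The parent-process heuristic is an assumption and is marked as such in the code.

```python
import platform
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Registry location of the Windows 10 Developer Mode switch.
DEV_MODE_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock"
DEV_MODE_VALUE = "AllowDevelopmentWithoutDevLicense"
WSL_FEATURE = "Microsoft-Windows-Subsystem-Linux"
WSL_LAUNCHERS = {"bash.exe", "wsl.exe"}
# Parents from which a person normally starts a WSL shell. Assumption: tune per fleet.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "windowsterminal.exe"}


@dataclass
class HostSnapshot:
    developer_mode: bool
    wsl_feature_enabled: bool
    lxss_service_present: bool


@dataclass
class ProcessEvent:
    image: str
    parent_image: str
    command_line: str


def parse_dism_state(dism_output: str) -> bool:
    """True if `dism /online /get-featureinfo /featurename:...` reports 'State : Enabled'."""
    m = re.search(r"^State\s*:\s*(\w+)", dism_output, re.M)
    return bool(m) and m.group(1).lower() == "enabled"


def parse_process_events(lines: Iterable[str]) -> List[ProcessEvent]:
    """Constructed CSV format: image,parent_image,command_line (one creation event per line)."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        image, parent, cmd = line.split(",", 2)
        events.append(ProcessEvent(image.strip(), parent.strip(), cmd.strip()))
    return events


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_wsl_launches(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """bash.exe or wsl.exe started by something other than an interactive shell or the desktop."""
    return [e for e in events
            if basename(e.image) in WSL_LAUNCHERS
            and basename(e.parent_image) not in INTERACTIVE_PARENTS]


def assess(snapshot: HostSnapshot, events: List[ProcessEvent]) -> Dict[str, object]:
    findings = []
    if snapshot.developer_mode:
        findings.append(f"Developer Mode is on ({DEV_MODE_VALUE}=1)")
    if snapshot.wsl_feature_enabled:
        findings.append(f"optional feature {WSL_FEATURE} is enabled")
    if snapshot.lxss_service_present:
        findings.append("LxssManager service is installed")
    odd = suspicious_wsl_launches(events)
    for e in odd:
        findings.append(f"{basename(e.image)} started by {basename(e.parent_image)}: {e.command_line}")
    return {
        # Both switches Microsoft's statement relies on have been flipped.
        "preconditions_met": snapshot.developer_mode and snapshot.wsl_feature_enabled,
        "suspicious_launches": len(odd),
        "findings": findings,
    }


def snapshot_from_host() -> HostSnapshot:
    """On Windows, read the real registry value, DISM feature state and service presence."""
    if platform.system() != "Windows":
        raise RuntimeError("host collection only works on Windows")
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DEV_MODE_KEY) as key:
            dev_mode = winreg.QueryValueEx(key, DEV_MODE_VALUE)[0] == 1
    except OSError:
        dev_mode = False
    dism = subprocess.run(["dism", "/online", "/get-featureinfo", f"/featurename:{WSL_FEATURE}"],
                          capture_output=True, text=True).stdout
    sc = subprocess.run(["sc", "query", "LxssManager"], capture_output=True, text=True)
    return HostSnapshot(dev_mode, parse_dism_state(dism), sc.returncode == 0)


# Constructed sample data so the logic runs on any OS.
SAMPLE_DISM = (
    "Feature Name : Microsoft-Windows-Subsystem-Linux\n"
    "Display Name : Windows Subsystem for Linux\n"
    "State : Enabled\n"
)
SAMPLE_EVENTS = [
    "# image,parent_image,command_line   (constructed, Sysmon-style fields)",
    r"C:\Windows\System32\bash.exe,C:\Windows\explorer.exe,bash.exe",
    r"C:\Windows\System32\wsl.exe,C:\Windows\System32\cmd.exe,wsl.exe ls",
    r"C:\Windows\System32\bash.exe,C:\Users\bob\AppData\Local\Temp\updater.exe,bash.exe -c /tmp/stage2.sh",
]
SAMPLE_SNAPSHOT = HostSnapshot(developer_mode=True,
                               wsl_feature_enabled=parse_dism_state(SAMPLE_DISM),
                               lxss_service_present=True)

if __name__ == "__main__":
    for finding in assess(SAMPLE_SNAPSHOT, parse_process_events(SAMPLE_EVENTS))["findings"]:
        print(finding)
```

On a developer workstation every one of these findings can be legitimate, so the value of the check is in fleet-wide comparison: WSL enabled on a machine whose owner never asked for it, or a WSL launcher started from a temp directory, is what deserves a second look.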



– Alex Haubert

Hacker Group Makes Profit Off Of Selling Hacking Tools

In the past few years, the mysterious hacker group known as the “Shadow Brokers” has been responsible for stealing NSA secrets and releasing them on the internet. More recently, they have done more than just expose this classified information; they have found a way to make money off it. The Shadow Brokers have started a service that sells their stolen hacking tools to anyone who subscribes. Little is known about the service, as only a handful of subscribers have been identified. However, it has been estimated that the group has made almost $90,000 selling these hacking tools.


Although the group’s activity has mainly been the release of secret and valuable hacking information, it seems the Shadow Brokers are not interested in the satisfaction of their own customers. Earlier this summer, an anonymous subscriber to the service publicly denounced it, stating that the “Shadow Brokers had ripped [him or her] off,” and explaining that the tool received was old and dated compared to the hacking tools in use today.

It is unclear exactly which tools can be bought from the Shadow Brokers, but those investigating believe the best the group has to offer are the tools it initially exposed, which might explain the complaints from subscribers. Unless more people come forward with insight into the Shadow Brokers’ service, it will be very difficult to uncover more about this underground hacking market.


– Jared Albert

Sophisticated spyware discovered after 5 years

A piece of advanced spyware has recently been discovered by researchers at Symantec and Kaspersky Lab. The spyware, called Remsec, has been active as far back as October 2011. Remsec is highly sophisticated and uses stealth techniques and encryption to avoid detection, something it clearly does very well. Once deployed, Remsec opens a backdoor into the infected system, monitors network traffic, logs keystrokes, and can steal files. It also allows custom modules to be deployed onto the infected system.

Researchers have suggested that Remsec might be the work of a nation state because of its sophistication, and have found IP addresses within the U.S. that may be connected to it. The targets discovered so far are in countries including China, Russia, and Iran. According to researchers at Symantec, none of the currently known infections look like typical targets for an APT like this one, which raises a lot of questions about who might be behind it and what their goal is.

-Michael Belle