We found a spam campaign that uses compromised devices to attack vulnerable web servers. From the devices, attackers use a PHP script to send an email with an embedded link to a scam site to specific email addresses. The use of compromised devices for attacks make attribution difficult, and attackers can have repeated access to the server even after patching.Read More
Our honeypot sensors, which are designed to emulate Secure Shell (SSH), Telnet, and File Transfer Protocol (FTP) services, recently detected a mining bot related to the IP address 18.104.22.168. The address has been seen to search for both SSH- and IoT-related ports, including 22, 2222, and 502. In this particular attack, however, the IP has landed on port 22, SSH service. The attack could be applicable to all servers and connected devices with a running SSH service.Read More
Mobile malware’s disruptive impact on enterprises continues to see an uptick in prevalence as mobile devices become an increasingly preferred platform to flexibly access and manage data. We recently found 200 unique Android apps—with installs ranging between 500,000 and a million on Google Play—embedded with a backdoor: MilkyDoor (detected by Trend Micro as ANDROIDOS_MILKYDOOR.A).
MilkyDoor is similar to DressCode (ANDROIDOS_SOCKSBOT.A)—an Android malware family that adversely affected enterprises—given that both employ a proxy using Socket Secure (SOCKS) protocol to gain a foothold into internal networks that infected mobile devices connect to. MilkyDoor, maybe inadvertently, provides attackers a way to conduct reconnaissance and access an enterprise’s vulnerable services by setting the SOCKS proxies. Further, this is carried out without the user’s knowledge or consent.
While MilkyDoor appears to be DressCode’s successor, MilkyDoor adds a few malicious tricks of its own. Among them are its more clandestine routines that enable it to bypass security restrictions and conceal its malicious activities within normal network traffic. It does so by using remote port forwarding via Secure Shell (SSH) tunnel through the commonly used Port 22. The abuse of SSH helps the malware encrypt malicious traffic and payloads, which makes detection of the malware trickier.Read More