Hacker News: An Army of Thousands of Hacked Servers Found Mining Cryptocurrencies


A new botnet consisting of more than 15,000 compromised servers has been used to mine various cryptocurrencies, earning its master around $25,000 per month.

Mining cryptocurrencies can be a costly investment, as it requires an enormous amount of computing power, but cybercriminals have found an easy money-making solution.

Dubbed BondNet, the botnet was first spotted in December 2016 by GuardiCore researchers, who traced back the botnet malware developer, using online handle Bond007.01, to China.

According to the GuardiCore researchers, Bond007.01 is currently using BondNet for mining cryptocurrencies — primarily Monero, but also ByteCoin, RieCoin, and ZCash — but they warn that the hacker could easily take full control of compromised servers for malicious purposes, like mounting Mirai-style DDoS attacks.


BondNet Attacks only Windows Server Machines

Since mining cryptocurrencies require large amounts of CPU/GPU power, the botnet master goes after Windows Server machines; instead of consumer IoT devices.

However, in order to compromise Windows Server machines, the botnet master relies on different attack techniques. Researchers say the hacker uses a combination of old vulnerabilities and weak user/password combinations to attack mostly old and unsupported Windows Server machines.

The most common flaws exploited by the botnet operator include known phpMyAdmin configuration flaws, exploits in JBoss, and bugs in Oracle Web Application Testing Suite, MSSQL servers, ElasticSearch, Apache Tomcat, Oracle Weblogic, and other services.

Once the hacker gain access to a Windows Server machine, he deploys Visual Basic files to gather information about the infected system and then install a Remote Access Trojan (RAT) and a cryptocurrency miner to make a huge profit from the hacked servers.


BondNet’s Botnet Infrastructure

One thing that’s worth noticing is that the botnet operator does not use all infected machines for mining cryptocurrencies. The operator has built its botnet infrastructure of compromised servers with various roles:

1. Some infected machines serve as scanning servers to check for vulnerable systems on the Internet by going through a list of IP addresses with open ports that have been compiled with the WinEggDrop TCP port scanner.

2. Some servers are used as file servers to host the mining software.

3. Other infected servers are turned into command-and-control (C&C) servers after they have been equipped with a fork of goup — a small open source HTTP server written in Golang.

“Building an attack infrastructure on top of victim machines helps conceal the attacker’s true identity and origin of the attack,” the GuardiCore researchers explained in their report published Thursday.

“It also provides high availability infrastructure, which is very helpful when relying on compromised servers, providing infinite backup options in case one of the servers fails or loses connectivity to the internet.”

BondNet has already infected more than 15,000 server machines at major institutions around the world, including high-profile global companies, universities, and city councils, while the majority of them runs Windows Server 2008 R2.

Additionally, the BondNet botnet adds around 500 new machines to its network each day, and an approximately the same number of servers are delisted.

Here’s How to Detect the Threat and How to Mitigate:

To prevent your machines from getting hacked, server admins are advised to secure their systems by regularly applying security patches for all software, updating the firmware, and employing stronger passwords.

Meanwhile, GuardiCore has also provided network and file indicators of compromise systems to help server administrators check whether their machines are among compromised ones.

The researchers have also released a detection & cleanup tool (registration is required to download it) to help admins find and remove BondNet bots from their servers, as well as instructions on how to clean the system manually, without using the script.

Swati - Hacking News
Technical Writer, Security Blogger and IT Analyst. She is a Technology Enthusiast with a keen eye on the Cyberspace and other tech related developments.

Hacker News: Warning! Don’t Click that Google Docs Link You Just Received in Your Email


Did someone just share a random Google Doc with you?

First of all — Do not click on that Google Doc link you might have just received in your email and delete it immediately — even if it’s from someone you know.

I, my colleagues at The Hacker News, and even people all around the Internet, especially journalists, are receiving a very convincing OAuth phishing email, which says that the person [sender] “has shared a document on Google Docs with you.

Once you clicked the link, you will be redirected to a page which says, Google Docs would like to read, send and delete emails, as well access to your contacts,asking your permission to “allow” access.

If you allow the access, the hackers would immediately get permission to manage your Gmail account with access to all your emails and contacts, without requiring your Gmail password.

But How? The “Google Docs” app that requests permissions to access your account is fake and malicious, which is created and controlled by the attacker.

You should know that the real Google Docs invitation links do not require your permission to access your Gmail account.

Anything Linked to Compromised Gmail Accounts is at Risk


Once the app controlled by the attacker receives permissions to manage your email, it automatically sends same Google Docs phishing email to everyone on your contact list on your behalf.

Since your personal and business email accounts are commonly being used as the recovery email for many online accounts, there are possibilities that hackers could potentially get control over those online accounts, including Apple, Facebook, and Twitter.

In short, anything linked to a compromised Gmail account is potentially at risk and even if you enabled two factor authentication, it would not prevent hackers to access your data.

Meanwhile, Google has also started blacklisting malicious apps being used in the active phishing campaign.

“We are investigating a phishing email that appears as Google Docs. We encourage you to not click through & report as phishing within Gmail,” Google tweeted.

This Google Docs phishing scheme is spreading incredibly quickly, hitting employees at multiple organizations and media outlets that use Google for email, as well as thousands of individual Gmail users who are reporting the same scam at the same time.

If by anyhow you have clicked on the phishing link and granted permissions, you can remove permissions for the fraudulent “Google Docs” app from your Google account. Here’s how you can remove permissions:

  1. Go to your Gmail accounts permissions settings at https://myaccount.google.com and Sign-in.
  2. Go to Security and Connected Apps.
  3. Search for “Google Docs” from the list of connected apps and Remove it. It’s not the real Google Docs.
Stay tuned to our Facebook Page for more updates ! Stay Safe!

Update: Google Docs Phishing Scam Hits Nearly One Million Users

Google said that the last night’s Google Docs phishing campaign affected “fewer than 0.1%” of Gmail users, which means nearly one million people were affected by it, handing over their email access to attackers.

Swati - Hacking News
Technical Writer, Security Blogger and IT Analyst. She is a Technology Enthusiast with a keen eye on the Cyberspace and other tech related developments.

Unpatched WordPress Flaw Could Allow Hackers To Reset Admin Password


WordPress, the most popular CMS in the world, is vulnerable to a logical vulnerability that could allow a remote attacker to reset targeted users’ password under certain circumstances.

The vulnerability (CVE-2017-8295) becomes even more dangerous after knowing that it affects all versions of WordPress — including the latest 4.7.4 version.

The WordPress flaw was discovered by Polish security researcher Dawid Golunski of Legal Hackers last year in July and reported it to the WordPress security team, who decided to ignore this issue, leaving millions of websites vulnerable.

“This issue has been reported to WordPress security team multiple times with the first report sent back in July 2016. It was reported both directly via security contact email, as well as via HackerOne website,” Golunski wrote in an advisory published today. “As there has been no progress, in this case, this advisory is finally released to the public without an official patch.”

Golunski is the same researcher who discovered a critical vulnerability in the popular open source PHPMailer libraries that allowed malicious actors to remotely execute arbitrary code in the context of the web server and compromise the target web application.

The vulnerability lies in the way WordPress processes the password reset request, for the user it has been initiated.

In general, when a user requests to reset his/her password through forgot password option, WordPress immediately generates a unique secret code and sends it to user’s email ID already stored in the database.

What’s the Vulnerability?

While sending this email, WordPress uses a variable called SERVER_NAME to obtain the hostname of a server to set values of the From/Return-Path fields.


Here, “From” refers to the email address of the sender and “Return-Path” refers to the email address where ‘bounce-back’ emails should be delivered in the case of failure in the delivery for some reason.

According to Golunski, an attacker can send a spoofed HTTP request with a predefined custom hostname value (for example attacker-mxserver.com), while initiating password reset process for a targeted admin user.

Since the hostname in the malicious HTTP request is an attacker-controlled domain, the From and Return-Path fields in the password reset email will be modified to include an email ID associated with the attacker’s domain, i.e. wordpress@attacker-mxserver.com, instead of wordpress@victim-domain.com.

“Because of the modified HOST header, the SERVER_NAME will be set to the hostname of attacker’s choice. As a result, WordPress will pass the following headers and email body to the /usr/bin/sendmail wrapper,” Golunski says.

Don’t get confused here: You should note that the password reset email will be delivered to victim’s email address only, but since the From and Return-Path fields now point to attacker’s email ID, the attacker can also receive reset code under following scenarios:

  1. If, in case, the victim replies to that email, it will be delivered to attacker email ID (mentioned in ‘From’ field), containing a password reset link in the message history.
  2. If, for some reason, victim’s email server is down, the password reset email will automatically bounce-back to the email address mentioned in “Return-Path” field, which points to the attacker’s inbox.
  3. In another possible scenario, to forcefully retrieve bounce-back email, the attacker can perform a DDoS attack against the victim’s email server or send a large number of emails, so that the victim’s email account can no longer receive any email.

“The CVE-2017-8295 attack could potentially be carried out both with user interaction (the user hitting the ‘reply’ button scenario), or without user interaction (spam victim’s mailbox to exceed their storage quota),” Golunski told The Hacker News in an email.

For obvious reason, this is not a sure shot method, but in the case of targeted attacks, sophisticated hackers can manage to exploit this flaw successfully.

Another notable fact on which successful exploitation of this flaw depends is that, even if WordPress website is flawed, not all web servers allow an attacker to modify hostname via SERVER_NAME header, including WordPress hosted on any shared servers.

“SERVER_NAME server header can be manipulated on default configurations of Apache Web server (most common WordPress deployment) via HOST header of an HTTP request,” Golunski says.

Since the vulnerability has now been publically disclosed with no patch available from the popular CMS company, WordPress admins are advised to update their server configuration to enable UseCanonicalName to enforce static/predefined SERVER_NAME value.

Mohit Kumar - Hacking News
Entrepreneur, Hacker, Speaker, Founder and CEO — The Hacker News and The Hackers Conference.

Four California Students Sue After Being Suspended For “Liking” Postings on Instragram


225px-Instagram_logoThere is an important lawsuit that has been filed in California after four high school student were suspended for simply “liking” Instagram posts deemed racist.  The lawsuit could force reconsideration of the erosion of free speech rights for students, including the widening scope of discipline for student speech outside of schools.  School officials now believe that they have full license to punish students if their personal views outside of school do not conform with accepted values. This case did have troubling aspects that raised legitimate concerns (though these students were not the author of the posting).  The question is one of authority to regulate speech outside of schools if they do not involve criminal threats.

View original post 611 more words

Final Lada Ray French Election Predictions are up on EARTH SHIFT REPORT 18!

Place ur bets folks! 😉

Futurist Trendcast

The final Lada Ray’s French election outcome predictions are now posted on EARTH SHIFT REPORT 18!  If you have already purchased the report, please go back to your saved or bookmarked report page. You can’t miss it, here’s what you’ll see:

marine-le-pen vs emmanuel-macron-french-election 2017


Final Lada Ray predictions: ​Outcome of French election, with percentages for each candidate and extensive Q&A on what will happen after in France and EU!

You’ll find my entire new article under the title:


and just above the title:


If you would still like to purchase Earth Shift Report 18, please click on ESR18 title or image below:




View original post 23 more words

%d bloggers like this: