Red Canary Intelligence analysts discovered a Windows worm in hundreds of networks belonging to a variety of organizations all over the world.

The research team that discovered it named the malware "Raspberry Robin". The worm spreads via infected USB devices and was first observed in September 2021. Sekoia had also seen the worm earlier, and had reported similar code strains on QNAP NAS devices in November 2019.

Little is known about the threat group that created the worm. Code analysis does not link it to any of the large, organized hacking groups currently active, but it does show the worm to be very sophisticated.

It is capable of causing immense harm and has already spread widely. The threat actors behind this worm have not chosen to make themselves known. It is not clear whether they want the worm to spread further to maximize its effect, or whether they are still gauging how far it can spread.

Microsoft has classified this threat as high-risk because so little is known about the details of the worm. While the attackers have not yet used the worm to distribute a malicious payload, Microsoft emphasizes that this could change in the future.

This is an alarming sign. Your IT staff should be on high alert and aware of the threat. We will almost certainly be able to share more information about this worm, and about who might be responsible for it, before long.

Hackers use VoIP systems to install PHP web shells

Unit 42, the security research division of Palo Alto Networks, has been monitoring the activities of a cybersecurity campaign targeting VoIP servers.

Companies of all sizes use VoIP servers to unify their communications. The targeted system is particularly attractive to attackers because it can be used in conjunction with the Digium phones module, which supports FreePBX.

Over a period of roughly three months, the team collected more than half a million malicious code samples. Analysis of those samples showed that the attackers are exploiting a remote code execution vulnerability.

Security researchers found that attackers have been actively exploiting this flaw since at least December 2021.

Based on the code samples, the Unit 42 team believes the attackers' aim is to install PHP web shells on compromised systems, which would let them execute arbitrary commands on the compromised servers.

Check Point, another security company, confirmed Unit 42's findings. Both teams emphasize that the campaign is still ongoing. Worse, two separate groups appear to be involved in the attack. It is unclear whether they are working together or whether this is a coincidence; one may simply be following the other so as not to miss an opportunity.

The attackers behind this campaign are technically skilled and clever. They have integrated anti-detection techniques such as naming the backdoor after a file that already exists on the system, so that the file name blends in. Spotting it requires a sharp eye.
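A defender-side check for the naming trick just described, written here as an added example (it is not code from Unit 42, Check Point or this firm): it scans a web root for PHP files that run OS commands taken from request input, and notes when the flagged file's name duplicates another file elsewhere in the tree. The sample web root it builds is constructed for the demonstration.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# Functions commonly used by PHP web shells to run OS commands.
EXEC_CALLS = re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I)
# Attacker-controlled input sources that feed those calls.
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
# Layered decoding typical of dropped shells.
OBFUSCATION = re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.I)

def php_indicators(source: str) -> list[str]:
    """Return the names of the web-shell indicators present in a PHP source string."""
    checks = {"exec_call": EXEC_CALLS, "request_input": REQUEST_INPUT, "obfuscation": OBFUSCATION}
    return [name for name, rx in checks.items() if rx.search(source)]

def scan_tree(root: Path) -> dict[str, dict]:
    """Flag PHP files under root that execute commands built from request input,
    and record whether the file name collides with another file in the tree."""
    php_files = list(root.rglob("*.php"))
    name_counts = Counter(p.name for p in php_files)
    findings = {}
    for path in php_files:
        hits = php_indicators(path.read_text(errors="ignore"))
        if "exec_call" in hits and "request_input" in hits:
            findings[path.relative_to(root).as_posix()] = {
                "indicators": hits,
                "name_collision": name_counts[path.name] > 1,
            }
    return findings

def build_sample_site() -> Path:
    """Write a constructed web root: a legitimate index.php plus a shell that copies its name."""
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_text("<?php require 'app.php'; echo render(); ?>")
    (root / "app.php").write_text("<?php function render() { return 'ok'; } ?>")
    uploads = root / "uploads"
    uploads.mkdir()
    # Constructed sample shell: command execution driven by a request parameter.
    (uploads / "index.php").write_text("<?php @system($_REQUEST['c']); ?>")
    return root

if __name__ == "__main__":
    for rel, info in scan_tree(build_sample_site()).items():
        print(rel, info)
```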

Awareness of possible cyber attacks is only half of the solution. Working with a security company like Integrated Technology Systems is the rest of the solution. Contact us today if you want to keep your network secure.

Integrated Technology Systems
6 East 45th Street, Suite 400
New York, NY 10017