August 15, 2024
Severity
High
Analysis Summary
Security researchers have identified a new variant of the Gafgyt botnet that targets machines with weak SSH passwords and uses the GPUs of the compromised instances to mine cryptocurrency. This indicates that the IoT botnet is now going after more powerful servers running in cloud-native environments.
Active in the wild since 2014, Gafgyt (also known as BASHLITE, Lizkebab, and Torlus) has a history of abusing weak or default passwords to take over devices such as routers, cameras, and digital video recorders (DVRs). It can also exploit known vulnerabilities in devices made by Dasan, Huawei, Realtek, SonicWall, and Zyxel. Compromised devices are herded into a botnet that launches distributed denial-of-service (DDoS) attacks against targets of interest. Evidence suggests that Keksec, a threat group also tracked as Kek Security and FreakOut, is behind both Gafgyt and Necro.
IoT botnets such as Gafgyt are continually evolving: in 2021, variants were discovered that borrowed several modules from the leaked Mirai source code and used the Tor network to conceal their malicious activity. The leak of Gafgyt's own source code on the internet in early 2015 has likewise fueled the creation of further modifications and versions.
In the most recent attack chains, the operators brute-force SSH servers that use weak passwords. Once on the host, the malware first kills any rival malware already running there, then deploys a next-stage payload named "systemd-net" that carries out the cryptocurrency mining. It also launches a worming module called ld-musl-x86, a Go-based SSH scanner that searches the internet for weakly secured servers and spreads the malware to them, which, as the researchers note, effectively grows the botnet. The scanner hunts for SSH and Telnet logins, credentials for cloud platforms such as AWS, Azure, and Hadoop, and game servers.
The miner in use is XMRig, configured to mine Monero. In this case the threat actor runs it with the --opencl and --cuda options, which enable XMRig's OpenCL GPU backend and its NVIDIA CUDA backend respectively, so the miner draws on the GPU's compute capacity rather than the CPU alone. Together with the fact that this variant concentrates on cryptocurrency mining rather than DDoS attacks, this sets it apart from earlier versions. Its targets are cloud-native environments with powerful CPU and GPU resources. With more than 30 million SSH servers publicly reachable on the internet, users must take precautions to protect their instances against brute-force attacks and possible exploitation.
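The following script is an added illustration of how to hunt for the attack chain described above on a Linux host; it is not the researchers' tooling and not part of the original advisory. It counts failed SSH password attempts per source in auth.log-style lines, flags sources that went on to log in with a password, and checks process command lines for the reported names (systemd-net, ld-musl-x86) and XMRig's --opencl/--cuda flags. The log lines, the process table and the pool address are constructed sample data.

```python
"""Hunt for SSH brute force followed by GPU cryptojacking on a Linux host.

Added illustration, not the researchers' tooling. Sample data below is
constructed; IOC names and flags come from the advisory text.
"""
import os
import re
from collections import Counter

# Constructed sample of /var/log/auth.log during and after a brute-force run.
SAMPLE_AUTH_LOG = """\
Aug 15 03:12:01 host sshd[1201]: Failed password for root from 198.51.100.7 port 51022 ssh2
Aug 15 03:12:02 host sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 51024 ssh2
Aug 15 03:12:02 host sshd[1205]: Failed password for root from 198.51.100.7 port 51026 ssh2
Aug 15 03:12:03 host sshd[1207]: Failed password for root from 198.51.100.7 port 51028 ssh2
Aug 15 03:12:04 host sshd[1209]: Failed password for root from 198.51.100.7 port 51030 ssh2
Aug 15 03:12:05 host sshd[1211]: Accepted password for root from 198.51.100.7 port 51032 ssh2
Aug 15 03:15:40 host sshd[1300]: Failed password for alice from 203.0.113.9 port 40001 ssh2
Aug 15 03:16:10 host sshd[1302]: Accepted publickey for alice from 203.0.113.9 port 40002 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted password for (\S+) from (\S+)")


def find_bruteforce(log_text, threshold=5):
    """Return ({src_ip: failure_count} for sources at/above threshold,
    [(user, src_ip)] password logins that came from those same sources)."""
    failures = Counter()
    accepted = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m.group(1), m.group(2)))
    suspects = {ip: n for ip, n in failures.items() if n >= threshold}
    compromised = [(user, ip) for user, ip in accepted if ip in suspects]
    return suspects, compromised


# Constructed process table as (pid, cmdline). Note the legitimate
# systemd-networkd sitting next to the look-alike miner name from the report.
SAMPLE_PROCS = [
    (412, "/usr/lib/systemd/systemd-networkd"),
    (900, "/usr/sbin/sshd -D"),
    (2210, "/tmp/systemd-net -o pool.example.invalid:3333 --opencl --cuda -k"),  # pool host is made up
    (2231, "/tmp/ld-musl-x86"),
]

IOC_NAMES = {"systemd-net", "ld-musl-x86", "xmrig"}
GPU_FLAGS = {"--opencl", "--cuda"}


def find_miner_processes(procs):
    """Return [(pid, basename, [reasons])] for processes matching the IOCs."""
    hits = []
    for pid, cmdline in procs:
        argv = cmdline.split()
        name = argv[0].rsplit("/", 1)[-1]  # exact basename match, so systemd-networkd is not flagged
        reasons = []
        if name in IOC_NAMES:
            reasons.append(f"name {name!r} matches a reported IOC")
        flags = GPU_FLAGS & set(argv[1:])
        if flags:
            reasons.append("XMRig GPU flags " + " ".join(sorted(flags)))
        if reasons:
            hits.append((pid, name, reasons))
    return hits


def read_proc_cmdlines():
    """Live variant for a real host: argv of every process read from /proc (Linux)."""
    out = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
        except OSError:
            continue  # process exited or is not readable
        if argv:
            out.append((int(pid), " ".join(argv)))
    return out


if __name__ == "__main__":
    suspects, compromised = find_bruteforce(SAMPLE_AUTH_LOG)
    print("brute-force sources:", suspects)
    print("password logins from those sources:", compromised)
    for pid, name, reasons in find_miner_processes(SAMPLE_PROCS):
        print(f"pid {pid} ({name}): " + "; ".join(reasons))
```

On a live host, feed `open("/var/log/auth.log").read()` to `find_bruteforce` and `read_proc_cmdlines()` to `find_miner_processes`; a password login from a source that just failed several times is the event worth paging on, and a miner hit should be followed by checking GPU utilization and outbound connections from that PID.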
Impact
- Cryptojacking (CPU and GPU capacity consumed by unauthorized Monero mining)
- Denial of Service
- Operational Disruption
Remediation
- Disable SSH password authentication on internet-facing and cloud instances in favor of key-based login; where passwords must remain, use strong unique ones, set PermitRootLogin to no or prohibit-password, and rate-limit or lock out repeated failed logins (for example with fail2ban).
- Do not expose SSH to the entire internet; restrict port 22 with security groups, firewalls or a bastion host so that brute-force scanners cannot reach it.
- Immediately change default passwords on IoT devices to unique ones.
- Keep operating systems, device firmware and software up to date to ensure that known vulnerabilities are patched.
- Enable antivirus and anti-malware software and update signature definitions on time; multi-layered protection is necessary to secure vulnerable assets.
- Hunt for the indicators described above: processes named systemd-net or ld-musl-x86, XMRig running with --opencl or --cuda, unexplained GPU or CPU utilization, and outbound connections to mining pools.
- Implement firewalls and intrusion detection and prevention systems (IDS/IPS) to monitor and control traffic to and from IoT devices and cloud instances and to detect anomalous or malicious activity.
- Employ tools that identify unusual behavior or traffic patterns, and set up alerts for traffic that might indicate a DDoS attack or a compromised device.
- Disable any unnecessary services or features on IoT devices to reduce their attack surface.
- Follow security best practices, such as disabling remote management if not needed and enabling the security features provided by the device manufacturer.
- Never trust or open links and attachments received from unknown sources/senders.