Lenovo NAS is in Wipe mode

LenovoEMC Iomega

A hacker group going by the name of ‘Cl0ud SecuritY’ is breaking into old LenovoEMC (formerly Iomega) network-attached storage (NAS) devices, wiping files, and leaving ransom notes

Attacks appear to have targeted only LenovoEMC/Iomega NAS devices that are exposing their management interface on the internet without a password.

ZDNet was able to identify around 1,000 such devices using a Shodan search.
Many of the NAS devices we found this way contained a ransom note named “RECOVER YOUR FILES !!!!.txt.”

All ransom notes were signed with the ‘Cl0ud SecuritY’ monicker and used the same “cloud@mail2pay.com” email address as the point of contact.

The recent attacks recorded over the past month appear to be a continuation of attacks that started last year, and which have also exclusively targeted LenovoEMC (formerly Iomega) NAS stations.

While last year’s attacks were not signed and used a different contact email, there are many similarities between the ransom note texts used in both 2019 and 2020 to believe the same threat actor is behind both attack waves.

The Cl0ud SecuritY hackers claim to have copied the victim’s files to their servers and threatened to leak files, usually if a ransom note is not paid within five days.

However, there is no evidence to suggest the data has been backed up anywhere, nor that any data from past victims has been leaked online anywhere over the past year.

Based on current evidence, the ransom notes appear to carry empty threats, and their role seems to be to scare victims into paying a ransom demand for data hackers have already wiped.

Lenovo has discontinued both the LenovoEMC and Iomega NAS lines in 2018, and the reason why we only identified around 1,000 devices still exposed online, as most NAS stations have reached their EOL long ago and have been decommissioned by many users.

The attacks on LenovoEMC/Iomega NAS devices are not the first that have targeted NAS devices in recent years. NAS devices have usually been targeted by DDoS malware, but also by ransomware gangs like Muhstik, QSnatch, and eCh0raix. The attacks on LenovoEMC/Iomega devices are extortion attempts and not ransomware attacks, as they have not encrypted any files, but rather wiped data and demanded a recovery fee.

Hackbit++++Guloader Deadly combo

Recent spear-phishing emails have been found spreading the Hakbit ransomware using the GuLoader dropper and malicious Microsoft Excel attachments.

What’s happening?

Hakbit ransomware campaign is targeting employees across Germany, Austria, and Switzerland with malicious Excel attachments via GMX, a popular email provider.

Research findings

These emails direct targeted victims to open the attachments on their computer instead of their mobile devices.
The mid-level employees targeted belong to healthcare, pharmaceutical, financial, legal, business service, and retail sectors.
This low-volume campaign uses financial lures, such as “Tax Repayment’ and “Your Bill”.

What should you know about GuLoader?

GuLoader is an emerging security threat and is actively used to deliver malware via cloud services.
The executable is a Visual Basic 6 wrapper that decrypts some shellcode containing the main functionality.
Initially, the dropper was used to download Parallax RAT but recently, it has been applied to other info-stealer and remote access trojans, including Netwire, Tesla, and FormBook.

What should you know about Hakbit?

The ransomware has been operational since 2019 and has taken victims from Europe and the US.
It has also been found to be associated with the Thanos ransomware as Hakbit samples are built using Thanos ransomware builder.
After encrypting the files, the operators demand a ransom.

The takeaway

GuLoader, as a malware dropper, is frequently appearing in the wild and has gained the status of one of the most advanced downloaders. Hakbit is used in targeted ransomware campaigns specifically designed for people from certain organizations, roles, and native languages.

Windows 10 2004 … Its again erroneous

It’s been exactly a month Windos 10 2004 released. It has cool features but still it’s erroneous a bit… Struggling a little to cop up ..

Windows 10 version 2004, which was released on May 27, is currently available for seekers or those who manually check for updates in Windows Updates settings.

In addition to new features, Windows 10 version 2004 (May 2020 Update) also comes with improvements to block potentially unwanted programs, also known short PUPs and PUAs, from showing up on your system or being installed on Windows PCs.

Windows 10 May 2020 Update allows you to maintain a track of the potentially unwanted programs and prevent from being downloaded or installed on Windows 10 systems.

The Potentially Unwanted Programs or Potential Unwanted Programs come included in various types of software bundling and driver or registry optimizer.

After applying May 2020 Update, users are reporting that Windows Security app triggers security threat alerts even when the PUA file is gone. After the PUA has been removed or allowed to run on Windows 10, later scans of Windows Security are detecting the old items again, causing an erroneous detection loop.

It appears that Windows Defender has been defaulted to identify PUPs as a threat in Windows 10 version 2004. After the PUP has been removed, Windows Defender identities the same file again and again as a threat on the subsequent scans of the history.

To fix PUP and PUA warnings in Windows Security app, you would need to delete PUPs history information by following these steps:

• Open File Explorer.
• Navigate to C:ProgramData–> Microsoft–>Windows Defender–>ScansHistory Service
• In the Service folder, delete PUP related files.
• Restart Windows and do a quick scan in Windows Security app.


The notifications for PUPs won’t show up again until another PUP file is loaded on your system.

It’s not yet clear whether Microsoft is aware of the reports, but a fix could be planned as the issue has been widely reported by affected users on Microsoft’s answers forum.

The post Windows 10 version 2004 bug triggers repeated security alerts appeared first on Windows Latest

Docker @ rare instance .. docked by DDoS malware

XORDDoS, also known as XOR.DDoS, first appeared in the threat landscape in 2014 it is a Linux Botnet that was employed in attacks against gaming and education websites with massive DDoS attacks that reached 150 gigabytes per second of malicious traffic.

The Kaiji botnet was discovered by security researcher MalwareMustDie and the experts at Intezer Labs in April while it was targeting Linux-based IoT devices via SSH brute-force attacks.

Two variants of existing Linux botnet malware types targeting exposed Docker servers; these are XORDDoS malware and Kaiji DDoS malware .

Botnet operators are looking for Docker servers that expose port 2375, which is one of the two ports of the Docker API and it’s used for unauthenticated and unencrypted communications.

Experts pointed out that there is a notable difference between the attack methods implemented by the two malware variants. While the XORDDoS bot infects all the containers hosted on the Docker server, the Kaiji bot deploys the DDoS malware in its own container.

Upon compromising a Docker server, XORDDoS will run a sequence of commands to identify containers and infect them with the DDoS malware. The malware can also gather information about the compromised system, and it can download and execute other payloads.

URL linked to the attacker, experts discovered other malware such as Backdoor.Linux.DOFLOO.AB targeting Docker containers.Operators of the Kaiji bot scan the web for exposed Docker servers and deploy an ARM container that executed its binary. Operators leverage on a script to download and execute the main payload, and to remove Linux binaries that are basic components of the operating system but are not necessary for its DDoS operation.

Kaiji is also able to collect information about the compromised system, and of course to launch various types of DDoS attacks, including ACK, IPS spoof, SSH, SYN, SYNACK, TCP and UDP attacks.

Recommendations for security Docker servers:

1. Secure the container host. Take advantage of monitoring tools, and host containers in a container-focused OS.

2.Secure the networking environment. Use intrusion prevention system (IPS) and web filtering to provide visibility and observe internal and external traffic.

3.Secure the management stack. Monitor and secure the container registry and lock down the Kubernetes installation.

4.Secure the build pipeline. Implement a thorough and consistent access control scheme and install strong endpoint controls.
Adhere to the recommended best practices.
Use security tools to scan and secure containers.