Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Updated Kmsdx botnet targets IoT devices

Researchers spotted an updated version of the KmsdBot botnet that is now targeting Internet of Things (IoT) devices. The Akamai Security Intelligence Response Team (SIRT) discovered a new version of the KmsdBot botnet that employed an updated Kmsdx binary targeting Internet of Things (IoT) devices. KmsdBot is an evasive Golang-based malware that was first detected by […]

KmsdBot botnet

Researchers spotted an updated version of the KmsdBot botnet that is now targeting Internet of Things (IoT) devices.

The Akamai Security Intelligence Response Team (SIRT) discovered a new version of the KmsdBot botnet that employed an updated Kmsdx binary targeting Internet of Things (IoT) devices.

KmsdBot is an evasive Golang-based malware that was first detected by Akamai in November 2022, it infects systems via an SSH connection that uses weak login credentials.

The malware was employed in cryptocurrency mining campaigns and to launch denial-of-service (DDoS) attacks. KmsdBot supports multiple architectures, including as Winx86, Arm64, and mips64, x86_64, and does not stay persistent to avoid detection.

The malicious code was used in attacks targeting multiple sectors including the gaming industry, technology industry, and luxury car manufacturers. The first DDoS attack observed by Akamai targeted a gaming company named FiveM, which allows gamers to host custom private servers for Grand Theft Auto Online. The malware employed specific targeted attacks along with generic Layer 4 and Layer 7 attacks.

Since mid-July 2023, the binary observed in the attacks includes support for telnet scanning and support for more CPU architectures.

The bot targets private gaming servers, cloud hosting providers, and certain government and educational sites.

“The addition of IoT targeting also gives us some insight into the threat actor’s behavior and the landscape in general. Despite the existence of IoT for several years now, along with multiple large-scale IoT-driven distributed denial-of-service (DDoS) attacks, this new evolution demonstrates the vastness of the threat landscape still posed by IoT.” reads the report published by Akamai.

The sample checks for valid telnet services by attempting to connect to the devices on port 23, if the check passes (returns false) the bot proceeds to run the infection payload.

The telnet scanner also verifies that the receiving buffer contains data.

KmsdBot botnet

To investigate the attack and find the victims, the researchers looked at a text file (telnet.txt) that is downloaded by the bot. The file contains a list of commonly used credentials for varying applications. The use of these credentials unfortunately is still effective because many IoT devices are left with default credentials.

“each round of kmsd has had a few targets that have seemed out of scope. This time, a few Romanian government sites and some Spanish universities came under fire.” concludes the report which also includes Indicators of compromise (IoC). “The inconsistency of targeting is consistent with the threat actor behavior behind kmsd, which is likely a botnet-for-hire service. These attacks are targeting ports 80 and 443 with HTTP POST requests, and “bigdata” attacks remain the primary attack of choice.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, KmsdBot botnet)