fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

New Pro-Ocean Malware Worms Through Apache, Oracle, Redis Servers

New Pro-Ocean Malware Worms Through Apache, Oracle, Redis Servers

The financially-motivated Rocke hackers are using a new piece of cryptojacking malware called Pro-Ocean to target vulnerable instances of Apache ActiveMQ, Oracle WebLogic, and Redis.

The new malware is a step up from the previous threat used by the group in that it comes with self-spreading capabilities, blindly throwing exploits at discovered machines.

Hiding malicious activity

Rocke cryptojacking hackers have not changed their habit of attacking cloud applications and leverage known vulnerabilities to take control of unpatched Oracle WebLogic (CVE-2017-10271) and Apache ActiveMQ (CVE-2016-3088) servers. Unsecured Redis instances are also on the list.

Researchers at Palo Alto Networks analyzing the malware say it includes “new and improved rootkit and worm capabilities” that allow it to hide malicious activity and spread to unpatched software on the network.

To stay under the radar, Pro-Ocean uses LD_PRELOAD, a native Linux feature that forces binaries to prioritize the loading of specific libraries. The method is not new and is constantly seen in other malware.

Also Read: 10 Practical Benefits of Managed IT Services

The new part is that the developers took the rootkit capabilities further by implementing publicly available code that helps conceal malicious activity.

One example relates to the ‘open’ function of the ‘libc’ library, tasked with opening a file and returning its descriptor. The researchers discovered that the malicious code determines if a file needs to be hidden before calling ‘open.’

source: Palo Alto Networks

“If it determines that the file needs to be hidden, the malicious function will return a “No such file or directory” error, as if the file in question does not exist” – Palo Alto Networks

Crude self-spreading mechanism

The actors behind Pro-Ocean have also moved from manually exploiting victims to an unrefined automated process. A  Python script takes the infected machine’s public IP address using the ident.me service and then tries to infect all machines in the same 16-bit subnet.

There is no selection in the process and the attackers simply throw public exploits at the discovered hosts hoping that one of them sticks.

source: Palo Alto Networks

If there is successful exploitation, the Python script delivers a payload that downloads an installation script for Pro-Ocean from a remote HTTP server.

The installation script, written in Bash and obfuscated, plays an important part in Rocke’s cryptojacking operations. Apart from delivering Pro-Ocean it also eliminates competition by terminating other malware and miners running on the infected host.

Additionally, it gives Pro-Ocean full online access by deleting the iptables firewall and uninstalls monitoring agents that could sound the alarm.

source: Palo Alto Networks

The cryptojacking gang also tries to get the most power for the Monero mining activity. For this purpose, Pro-Ocean comes with a module that keeps an eye on the CPU usage of the running legitimate processes, killing any that uses more than 30%.

The same module ensures that there is as little downtime in the mining process as possible by checking if the malware is active on the machine and starting it if it’s not.

Although the malware currently takes advantage of just two vulnerabilities, Palo Alto Networks says that the list could be expanding and Pro-Ocean could target any cloud application if its developer decides to add more exploits.

Based on the analysis, the researchers say that Pro-Ocean’s targets are Alibaba and Tencent cloud services.

Rocke Group was discovered in 2018 by researchers at Cisco Talos. Previously characterized by simplicity, the attacks from this actor have grown in complexity lately.

Also Read: What Legislation Exists in Singapore Regarding Data Protection and Security?

While not rising to the sophistication level of other malware, Rocke’s cryptomining operations have evolved to include self-spreading features and better hiding tactics.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us