Meet the Administrators of the RSOCKS Proxy Botnet

Authorities in the United States, Germany, the Netherlands and the U.K. last week said they dismantled the “RSOCKS” botnet, a collection of millions of hacked devices that were sold as “proxies” to cybercriminals looking for ways to route their malicious traffic through someone else’s computer. While the coordinated action did not name the Russian hackers allegedly behind RSOCKS, KrebsOnSecurity has identified its owner as a 35-year-old Russian man living abroad who also runs the world’s top Russian spamming forum.

The RUSdot mailer, the email spamming tool made and sold by the administrator of RSOCKS.

According to a statement by the U.S. Department of Justice, RSOCKS offered clients access to IP addresses assigned to devices that had been hacked:

“A cybercriminal who wanted to utilize the RSOCKS platform could use a web browser to navigate to a web-based ‘storefront’ (i.e., a public web site that allows users to purchase access to the botnet), which allowed the customer to pay to rent access to a pool of proxies for a specified daily, weekly, or monthly time period. The cost for access to a pool of RSOCKS proxies ranged from $30 per day for access to 2,000 proxies to $200 per day for access to 90,000 proxies.”

The DOJ’s statement doesn’t mention that RSOCKS has been in operation since 2014, when access to the web store for the botnet was first advertised on multiple Russian-language cybercrime forums.

The user “RSOCKS” on the Russian crime forum Verified changed his name to RSOCKS from a previous handle: “Stanx,” whose very first sales thread on Verified in 2016 quickly ran afoul of the forum’s rules and prompted a public chastisement by the forum’s administrator.

Verified was hacked twice in the past few years, and each time the private messages of all users on the forum were leaked. Those messages show that after being warned of his forum infraction, Stanx sent a private message to the Verified administrator detailing his cybercriminal bona fides.

“I am the owner of the RUSdot forum (former Spamdot),” Stanx wrote in Sept. 2016. “In spam topics, people know me as a reliable person.”

A Google-translated version of the Rusdot spam forum.

RUSdot is the successor forum to Spamdot, a far more secretive and restricted forum where most of the world’s top spammers, virus writers and cybercriminals collaborated for years before the community’s implosion in 2010. Even today, the RUSdot Mailer is advertised for sale at the top of the RUSdot community forum.

Stanx said he was a longtime member of several major forums, including the Russian hacker forum Antichat (since 2005), and the Russian crime forum Exploit (since April 2013). In an early post to Antichat in January 2005, Stanx disclosed that he is from Omsk, a large city in the Siberian region of Russia.

According to the cyber intelligence firm Intel 471, the user Stanx indeed registered on Exploit in 2013, using the email address stanx@rusdot.com, and the ICQ number 399611. A search in Google for that ICQ number turns up a cached version of a Vkontakte profile for a Denis “Neo” Kloster, from Omsk, Russia.

Cybersecurity firm Constella Intelligence shows that in 2017, someone using the email address istanx@gmail.com registered at the Russian freelancer job site fl.ru with the profile name of “Denis Kloster” and the Omsk phone number of 79136334444.

That phone number is tied to the WHOIS registration records for multiple domain names over the years, including proxy[.]info, allproxy[.]info, kloster.pro and deniskloster.com.

A copy of the passport for Denis Kloster, as posted to his Vkontakte page in 2019. It shows that in Oct. 2019, he obtained a visa from the American Embassy in Bangkok, Thailand.

The “about me” section of DenisKloster.com says the 35-year-old was born in Omsk, that he got his first computer at age 12, and graduated from high school at 16. Kloster says he’s worked in many large companies in Omsk as a system administrator, web developer and photographer.

According to Kloster’s blog, his first real job was running an “online advertising” firm he founded called Internet Advertising Omsk (“riOmsk“), and that he even lived in New York City for a while.

“Something new was required and I decided to leave Omsk and try to live in the States,” Kloster wrote in 2013. “I opened an American visa for myself, it was not difficult to get. And so I moved to live in New York, the largest city in the world, in a country where all wishes come true. But even this was not enough for me, and since then I began to travel the world.”

The current version of the About Me page on Kloster’s site says he closed his advertising business in 2013 to travel the world and focus on his new company: One that provides security and anonymity services to customers around the world. Kloster’s vanity website and LinkedIn page both list him as CEO of a company called “SL MobPartners.”

In 2016, Deniskloster.com featured a post celebrating three years in operation. The anniversary post said Kloster’s anonymity business had grown to nearly two dozen employees, all of whom were included in a group photo posted to that article (and some of whom Kloster thanked by their first names and last initials).

The employees who kept things running for RSOCKS, circa 2016.

“Thanks to you, we are now developing in the field of information security and anonymity!” the post enthuses. “We make products that are used by thousands of people around the world, and this is very cool! And this is just the beginning!!! We don’t just work together and we’re not just friends, we’re Family.”

Mr. Kloster did not respond to repeated requests for comment.

It’s not clear if the coordinated takedown targeting the RSOCKS botnet will be permanent, as the botnet’s owners could simply rebuild — and possibly rebrand — their crime machine. But the malware-based proxy services have struggled to remain competitive in a cybercrime market with increasingly sophisticated proxy services that offer many additional features.

The demise of RSOCKS follows closely on the heels of VIP72[.]com, a competing proxy botnet service that operated for a decade before its owners pulled the plug on the service last year.

Understanding the Ransomware Ecosystem: From Screen Lockers to Multimillion-Dollar Criminal Enterprise

A new report from Tenable Research explores the key players in the ransomware ecosystem and the tactics that have helped propel it from a fledgling cyberthreat into a force to be reckoned with.

Ransomware is a constantly evolving cyberthreat, and it is through its evolution that ransomware has managed to not only survive, but thrive.

There are a number of reports that detail ransomware’s evolution, from the earliest form of ransomware known as the AIDS (or PC Cyborg) Trojan in 1989 to its transition into screen locker ransomware and, ultimately, the cryptolocker ransomware that encrypts files on systems. This type of ransomware became the basis for how modern ransomware operates.

Screen locker ransomware relied on fear tactics targeting individual users, using law enforcement imagery of the Federal Bureau of Investigation (FBI) and UK’s Metropolitan Police Service (the Met), along with text claiming that the victim had accessed pornographic or child abuse content from their computer. These victims were instructed to pay a “fine,” which was typically between $100-500, in order to unlock their systems. In reality, these users could regain access to their systems without payment, as none of their files were tampered with.

Over the last four years, ransomware has skyrocketed into a multimillion-dollar, self-sustaining industry. It has become a part of the routine experience for organizations following noteworthy attacks against critical infrastructure like the Colonial Pipeline or JBS Foods attacks in 2021.

Image Source: Security Boulevard

Underpinning the success of today’s ransomware is what’s called the ransomware ecosystem. In our latest report, we explore the key players that shape the ransomware ecosystem and the tactics that have helped propel ransomware into the most dominant threat to organizations today.

What you’ll get from this report:

A better understanding of how the ransomware ecosystem evolved
The most common attack vectors used by the players in the ecosystem
Guidance on how to prepare and defend against ransomware attacks
A list of the vulnerabilities likely to be exploited in ransomware attacks

Get more information

Download the full report here
Attend the webinar: Tenable’s Ransomware Ecosystem Report: Understanding the Key Players, Common Attack Vectors and Ways You Can Avoid Becoming a Victim
Blog post about The Ransomware Ecosystem Tenable.sc Dashboard
Blog post about The Ransomware Ecosystem Tenable.sc Report
Follow Tenable’s Security Response Team on the Tenable Community

Symbiote Backdoor in Linux

Interesting:

What makes Symbiote different from other Linux malware that we usually come across, is that it needs to infect other running processes to inflict damage on infected machines. Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006), and parasitically infects the machine. Once it has infected all the running processes, it provides the threat actor with rootkit functionality, the ability to harvest credentials, and remote access capability.

News article:

Researchers have unearthed a discovery that doesn’t occur all that often in the realm of malware: a mature, never-before-seen Linux backdoor that uses novel evasion techniques to conceal its presence on infected servers, in some cases even with a forensic investigation.

No public attribution yet.

So far, there’s no evidence of infections in the wild, only malware samples found online. It’s unlikely this malware is widely active at the moment, but with stealth this robust, how can we be sure?
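A defender-side check for the loading technique described above (a shared object pulled into every process through LD_PRELOAD, T1574.006), added here as an example and not code from the researchers or the article. It parses the two preload vectors (the LD_PRELOAD variable in /proc/<pid>/environ and the system-wide /etc/ld.so.preload) plus /proc/<pid>/maps, flagging shared objects mapped from outside the usual library directories; TRUSTED_LIB_DIRS and the sample /proc contents are constructed assumptions.

```python
"""Spot LD_PRELOAD-style injection (ATT&CK T1574.006) from /proc data.

Inputs are passed in as bytes/str so the same logic can run against live
/proc files or against copies taken from a disk image for offline review.
"""
import re

# Assumed baseline: directories a legitimately installed shared object is
# normally mapped from. Extend this for your distribution.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")


def ld_preload_from_environ(environ: bytes) -> list[str]:
    """Return LD_PRELOAD entries from a NUL-separated /proc/<pid>/environ blob."""
    for entry in environ.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            value = entry[len(b"LD_PRELOAD="):].decode(errors="replace")
            # ld.so accepts both ':' and whitespace as separators
            return [p for p in re.split(r"[:\s]+", value) if p]
    return []


def entries_from_ld_so_preload(text: str) -> list[str]:
    """Parse /etc/ld.so.preload: whitespace-separated paths, '#' starts a comment."""
    paths = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            paths.extend(line.split())
    return paths


def untrusted_mapped_objects(maps: str) -> list[str]:
    """From /proc/<pid>/maps, list mapped .so files outside TRUSTED_LIB_DIRS."""
    found = []
    for line in maps.splitlines():
        fields = line.split(maxsplit=5)  # address perms offset dev inode pathname
        if len(fields) < 6:
            continue  # anonymous mapping, no backing file
        path = fields[5]
        if ".so" in path and not path.startswith(TRUSTED_LIB_DIRS) and path not in found:
            found.append(path)
    return found


def assess(environ: bytes, ld_so_preload: str, maps: str) -> dict:
    """Combine the three checks into one verdict for a single process."""
    findings = {
        "env_preload": ld_preload_from_environ(environ),
        "system_preload": entries_from_ld_so_preload(ld_so_preload),
        "untrusted_objects": untrusted_mapped_objects(maps),
    }
    findings["suspicious"] = any(findings[k] for k in ("env_preload", "system_preload", "untrusted_objects"))
    return findings


# Constructed sample input standing in for /proc/<pid>/environ, /etc/ld.so.preload
# and /proc/<pid>/maps on a host where an injected library is present.
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.x/libinject.so\0HOME=/root\0"
SAMPLE_LD_SO_PRELOAD = "# constructed sample\n/tmp/.x/libinject.so\n"
SAMPLE_MAPS = (
    "7f00 r-xp 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f10 r-xp 00000000 08:01 5678 /tmp/.x/libinject.so\n"
    "7f20 rw-p 00000000 00:00 0\n"
    "7f30 r-xp 00000000 08:01 9999 /usr/bin/sshd\n"
)

if __name__ == "__main__":
    print(assess(SAMPLE_ENVIRON, SAMPLE_LD_SO_PRELOAD, SAMPLE_MAPS))
```

Because a preloaded library hooks libc inside every dynamically linked process, including the one running this check, run it from a statically linked interpreter or against files copied off the disk rather than trusting the live host's own view of /proc.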

How to Set Up a VPN

In today’s connected world, you can do so much on the internet. It’s never been easier to stay entertained (Netflix, anyone?), informed, and productive. But it’s important to keep your online activities private and safe, whether you’re checking social media, using a streaming service, or banking online.  

With the right solutions, you can have a worry-free online experience. 

Thankfully, virtual private network (VPN) software keeps your data secure by hiding your IP address (the address your device uses to access the network). In this article, discover the benefits of a VPN, learn how to set one up, and review some things to consider when looking for the right VPN solution for you. 

What is a VPN?

A virtual private network (VPN) is software that protects your internet connection by keeping your IP address secure and anonymous. Essentially, it opens a private tunnel just for you!  

It does this by making a secure connection between your internet-connected device and a remote VPN server. It also encrypts the information you upload onto the internet, preventing others from intercepting it.  

This means you can feel confident surfing the web without worrying about other people uncovering your location, identity, or online activity.

Benefits of a VPN

A perfect digital world wouldn’t have malware, website trackers, ISP data throttling, or prying eyes. Thankfully, investing in a good VPN can help you overcome a lot of these challenges.  

Here’s a little more detail about the benefits of a VPN: 

Stay safe by blocking malware. Depending on the type of VPN you use, it may come with a feature that blocks malware. This functionality adds another protective layer to your network, like some sort of firewall, so you don’t lose sleep over malicious software. 
Beat the ISP throttling blues. VPNs provide a practical way to stop your internet service provider from throttling your bandwidth or data. Without throttling, you can enjoy maximum internet speeds even after you’ve reached your data or bandwidth limit. 
Outsmart website trackers. Mobile apps and websites work tirelessly to record information about your online activity. This practice can be bothersome if you’re a stickler for privacy. A VPN keeps the trackers guessing about the nature of your information thanks to advanced encryption. 
Protect yourself on public Wi-Fi. If you regularly connect to the internet via public Wi-Fi, it’s important to stay safe using a VPN. An unsecured public Wi-Fi network provides an easy way for criminals to steal sensitive information like your credit card number and passwords. There’s no need to worry about anyone seeing or stealing your data when you use a VPN. 

How to set up a VPN server

Investing in the right tools is a surefire way to make yourself feel less vulnerable to online risks. Instead, you’ll feel empowered to enjoy a care-free online experience.

McAfee® Safe Connect VPN is one such tool that gives you the freedom to enjoy all the good things that the internet offers without worrying about online privacy or safety. 

This tool works on multiple platforms, including Microsoft Windows, macOS, Android, and iOS. More importantly, McAfee Safe Connect VPN is easy to set up on different devices, allowing you to benefit from bank-grade AES 256-bit encryption. So, you can browse the internet using Chrome or another browser and connect via public Wi-Fi without losing sleep over vulnerability to risks. 

Depending on your preferences, it’s possible to set up a VPN automatically or manually. We discuss the steps to set up a VPN manually in the sections below. 

Set up a VPN connection on Windows

Easy setup and connection to a VPN server are key factors when choosing the right tool or software for your needs. On a Windows 10 system, just follow a few steps to establish a secure and stable connection. 

Search for the virtual private network on Cortana. 
Then, go to the VPN settings and select the plus sign (“+”). 
On the drop-down menu that appears, select “Windows built-in.” (The system automatically sets the VPN type to automatic. You can change it to VPN protocols like PPTP, TCP, SSTP, L2TP/IPsec, or IKEv2.) 
In the next fields, add VPN configuration details from your VPN provider (in this case, McAfee Safe Connect VPN). 
Once you’ve completed filling in the details, click “Save” and then “Next.” 
In the last step, select the McAfee VPN connection, and you’re done! 

Set up a VPN connection on a Mac

The next time you need to set up a VPN on a Mac computer, you’ll be pleased to know that the setup steps are short and sweet. 

Here’s what you need to do. 

Start by clicking “Network” under “System Preferences.” 
Next, click on the “+” sign and select “VPN.” 
In the pop-up interface that appears, add details like connection name, server address, VPN type, server name, and authentication settings for advanced options. 
In the final step, click “Apply” and “OK” to finish. 

5 things to look for in a VPN

Picking the best VPN solution that takes care of your privacy needs involves ticking various boxes based on the features and functionality that matter most to you. 

Here are some things to look for in a virtual private network: 

The number of servers: A good VPN should offer a selection of servers that can handle a lot of traffic without undermining connection speeds. 
Robust data encryption: Converting data into a code is what makes a good VPN tick. So, opt for a VPN with the latest encryption technology, such as the AES 256-bit encryption offered by McAfee Safe Connect VPN.
Server location: The VPN service should also offer servers located in various regions depending on your connection requirements. Nearby service can reduce lag, particularly when you want to engage in online gaming. And sometimes, you need a VPN server from another region or country to get around geo-blocking. 
Excellent tech support: The right VPN solution should come with good technical support to help you find answers to any questions you may have. 
Ease of use: A good VPN client should be easy to set up and use so you can focus on your online activities rather than tweaking the VPN settings. 

Can you use a VPN on mobile devices?

If you have a mobile device like an Apple iPhone or Android device, you can also enjoy the benefits that come with using a VPN.  

Setting up and using a VPN like McAfee’s Safe Connect VPN on an Android device or iOS platform is super easy. Just download the VPN from the app store or the McAfee website, and you’re good to go.  

McAfee offers both a free VPN (with 250 MB of free data every month and protection for one device) and paid subscription plans that come with unlimited data and protection for up to five devices. You can also enjoy a 30-day free trial to see if it’s the right VPN for you. 

It’s usually fine to just use the default settings, too, so you don’t have to do anything other than log in.

Keep your browsing private

Hiding your IP address and maximizing privacy has never been easier thanks to virtual private networks. These tools can also protect you from prying eyes by converting the information you upload to the internet into code using advanced encryption technology.  

VPNs have several advantages, including getting around website trackers used by advertisers to monitor your online activities. Another thing to remember is that it’s relatively easy to set one up no matter your operating system.

If you’re looking for the right VPN solution for you, consider McAfee Secure VPN — included in McAfee Total Protection — which comes with the latest encryption technology. Whether you install the software on your mobile or desktop device, you can be confident that your family’s sensitive data, and your own, is secure.

The post How to Set Up a VPN appeared first on McAfee Blog.

How Microsoft Purview can help with ransomware regulatory compliance

Nations across the globe are taking regulatory action to reduce the ransomware threat. In March, for example, new U.S. ransomware reporting requirements were signed into law. Covered entities that experience a cyber incident must report it to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours after the covered entity believes that the incident occurred. Additional guidance is still being worked on, but at a minimum the following requirements will be included:

Identify and describe the function of the affected information systems or networks that were, or are reasonably believed to have been, affected by such cyber incident.
Describe the unauthorized access with substantial loss of confidentiality, integrity, or availability of the affected information systems or network or disruption of business or industrial operations.
Estimate the date range of such incident.
Assess the impact to the operations of the covered entity.
Report ransomware payments within 24 hours after they have been made.
Submit any new or different information that becomes available surrounding the ransomware attack to CISA.
Preserve data relevant to the covered cyber incident or ransom payment.

Think of that list. Would you be able to report within 72 hours that you’d had a ransomware incident? Wouldn’t you still be in the middle of trying to recover from an incident? This is often the major difference between smaller businesses and larger businesses. Small businesses just want to get back in business. They often don’t want to deal with the reporting side or, worse, would not have the means to notify every impacted customer that their data is at risk.

How the Secure Software Factory Reference Architecture protects the software supply chain

The term “factory” related to software production might seem bizarre. Most still associate it with the collection, manipulation and manufacturing of hard materials such as steel, automobiles or consumer electronics. However, software is produced in a factory construct as well. “Software factory” generally refers to the collection of tools, assets and processes required to produce software in an efficient, repeatable and secure manner.

The software factory concept has taken hold in both the public and private sector, being recognized by organizations such as MITRE and VMware. The U.S. Department of Defense (DoD) has a robust ecosystem of at least 29 software factories, most notably Kessel Run and Platform One. Given the concern over software vulnerability, particularly in the software supply chain, it’s important to execute the software factory approach in a secure manner.
