Arbor Threat Intelligence

Arbor's Security Engineering & Response Team (ASERT) Blog
image description

Dipping Into The Honeypot

Executive Summary Brute-forcing factory default usernames and passwords remains a winning strategy for Internet of Things (IOT) botnet propagation. Botnet operators with the best list will produce the larger botnet and obtain superior firepower for launching DDoS attacks. IOT bots are indiscriminate – they will […]

Read more

Tunneling Under the Sands

Executive Summary ASERT recently came across spear-phishing emails targeting the Office of the First Deputy Prime Minister of Bahrain. A similar campaign uncovered by Palo Alto’s Unit 42 found the activity distributing an updated variant of BONDUPDATER, a PowerShell-based Trojan, which they attribute to Iranian APT […]

Read more

Double the Infection, Double the Fun

Executive Summary Cobalt Group (aka TEMP.Metastrike), active since at least late 2016, have been suspected in attacks across dozens of countries. The group primarily targets financial organizations, often with the use of ATM malware. Researchers also believe they are responsible for a series of attacks […]

Read more

A New Twist In SSDP Attacks

Arbor ASERT has uncovered a new class of SSDP abuse where naïve devices will respond to SSDP reflection/amplification attacks with a non-standard port. The resulting flood of UDP packets have ephemeral source and destination ports, making mitigation more difficult – a SSDP diffraction attack. This […]

Read more

Kardon Loader Looks for Beta Testers

Kardon Loader Advertisement

Key Findings ASERT researchers discovered Kardon Loader being advertised on underground forums. Kardon Loader features functionality allowing customers to open their own botshop, which grants the purchaser the ability to rebuild the bot and sell access to others. Kardon Loader is in early stages of […]

Read more

OMG – Mirai Minions are Wicked

Executive Summary Mirai, seen as revolutionary for malware that targets the Internet of Things (IoT), has wrought destruction around the globe and popularized IoT based malware. Mirai was utilized by attackers to launch multiple high-profile, high-impact DDoS attacks against various Internet properties and services in […]

Read more

Lojack Becomes a Double-Agent

Executive Summary ASERT recently discovered Lojack agents containing malicious C2s. These hijacked agents pointed to suspected Fancy Bear (a.k.a. APT28, Pawn Storm) domains.  The InfoSec community and the U.S. government have both attributed Fancy Bear activity to Russian espionage activity.  Fancy Bear actors typically choose […]

Read more