[Security Weekly] Newly Discovered Borat RAT a “Triple Threat” Capable of Ransomware and DDoS
April 2022, Issue II
1. Borat RAT a “triple threat” capable of ransomware deployment and DDoS
Recently, a novel remote access trojan (RAT) was discovered by researchers at Cyble Research Labs, who dubbed it Borat because it uses a photo of the fictional character to brand itself. Besides the features of a conventional RAT (e.g., spying and remote control), the Borat RAT is also capable of deploying ransomware on the victim’s machine and launching DDoS attacks, making it a triple threat to organizations.
The Borat RAT is sold on the dark web as a complete framework, managed through a central dashboard that exposes all of its features and options. Its remote access capabilities include recording audio and webcam footage, hijacking the mouse and keyboard, exporting screenshots, collecting metadata, and exfiltrating and deleting files.
More concerning are its encryption and decryption features: with these, operators can encrypt files on the victim’s machine and generate their own ransom notes. A further option is to launch a distributed denial-of-service (DDoS) attack to disrupt normal traffic to the victim’s server.
2. Spring4Shell vulnerability exploited to target tech industries worldwide
The Spring4Shell (CVE-2022-22965) vulnerability, a critical remote code execution (RCE) flaw in the Spring Framework for Java, was reported on March 31. The Cybersecurity and Infrastructure Security Agency (CISA), along with Microsoft, immediately warned all US organizations and federal agencies to apply patches.
The Spring Framework is one of the most popular open-source frameworks for Java. The Spring4Shell vulnerability exists only when several configuration conditions coincide. First, the Java Development Kit (JDK) must be version 9.0 or above, while the Spring Framework version is between 5.3.0 and 5.3.17, between 5.2.0 and 5.2.19, or any earlier version. Second, Apache Tomcat is the Servlet container. Third, a traditional Java web archive (WAR) is deployed to a single Tomcat server.
Soon after the disclosure, researchers at Check Point observed over 37,000 exploit attempts over a single weekend, noting that 16% of all organizations worldwide were targeted. Later reports suggested that the Mirai malware was already exploiting the vulnerability to infect servers for DDoS attacks.
To prevent further exploitation, all organizations that use the Spring Framework for Java should immediately update to the latest versions.
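As an added example (not code from the newsletter or from Penta Security), the following Python checks a constructed deployment inventory against the four Spring4Shell preconditions listed above, so that matching hosts can be prioritised for patching; the host names and version strings are constructed, and a deployment that falls outside these conditions is merely outside the described scenario, not proven unaffected.

```python
# Added example: inventory check for the Spring4Shell preconditions described above.
import re
from dataclasses import dataclass

def parse_version(v: str) -> tuple:
    """Turn '5.3.17', '11.0.14' or '1.8.0_312' into a comparable integer tuple."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def spring_version_in_listed_range(spring: str) -> bool:
    """True for 5.3.0-5.3.17, 5.2.0-5.2.19 and any earlier version (the ranges above)."""
    v = parse_version(spring)
    if v >= (5, 3):
        return v <= (5, 3, 17)
    if v >= (5, 2):
        return v <= (5, 2, 19)
    return True  # everything older than 5.2.0 is in the listed set

def jdk_major(jdk: str) -> int:
    """JDK 9+ report their major first ('11.0.14'); older builds use '1.8.0'."""
    parts = parse_version(jdk)
    return parts[1] if parts[0] == 1 else parts[0]

@dataclass
class Deployment:
    host: str        # constructed host name
    jdk: str
    spring: str
    container: str   # Servlet container, e.g. "Tomcat" or "Jetty"
    packaging: str   # "war" (traditional deployment) or "jar" (embedded)

def meets_preconditions(d: Deployment) -> bool:
    """All four conditions from the advisory text must hold at once."""
    return (jdk_major(d.jdk) >= 9
            and spring_version_in_listed_range(d.spring)
            and d.container.lower() == "tomcat"
            and d.packaging.lower() == "war")

def flag_deployments(deployments) -> list:
    """Return the hosts that should be prioritised for patching."""
    return [d.host for d in deployments if meets_preconditions(d)]

# Constructed sample inventory; only app-01 matches every condition.
SAMPLE = [
    Deployment("app-01", "11.0.14", "5.3.17", "Tomcat", "war"),
    Deployment("app-02", "11.0.14", "5.3.18", "Tomcat", "war"),    # patched Spring
    Deployment("app-03", "1.8.0_312", "5.3.17", "Tomcat", "war"),  # JDK 8
    Deployment("app-04", "17.0.2", "5.2.19", "Jetty", "war"),      # not Tomcat
    Deployment("app-05", "17.0.2", "4.3.30", "Tomcat", "jar"),     # embedded jar
]
```

Calling `flag_deployments(SAMPLE)` returns `['app-01']`; the other hosts each miss exactly one condition, which the comments beside them name.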
3. Wind turbine giant Nordex Group attacked by Conti ransomware
Nordex Group, a German company and one of the largest wind turbine manufacturers in the world, was reportedly attacked by the Conti ransomware gang on March 31.
Nordex first reported the incident on April 2, stating that the attack had been detected at an early stage by its cybersecurity team. Operations at multiple locations were immediately shut down, and remote access to its IT systems was temporarily halted to protect customer data. Nordex added that its initial investigations showed the attack affected only its internal IT systems and that no customer data were compromised.
On April 14, the Conti ransomware gang claimed responsibility for the attack on its leak site, although no data had been leaked at that time. One possibility is that the attackers failed to steal any data from the company, which would be consistent with Nordex’s claim; the other is that ransom negotiations were still taking place.
Check out Penta Security’s product lines:
Web Application Firewall: WAPPLES
Database Encryption: D’Amo
Identity and Access Management: iSIGN+
Car, Energy, Factory, City Solutions: Penta IoT Security