Found 4 bookmarks
Newest
FBI Warning on IoT Devices: How to Tell If You Are Impacted
FBI Warning on IoT Devices: How to Tell If You Are Impacted
On June 5th, the FBI released a PSA titled “Home Internet Connected Devices Facilitate Criminal Activity.” This PSA largely references devices impacted by the latest generation of BADBOX malware (as named by HUMAN’s Satori Threat Intelligence and Research team) that EFF researchers also encountered primarily on Android TV set-top boxes. However, the malware has impacted tablets, digital projectors, aftermarket vehicle infotainment units, picture frames, and other types of IoT devices. One goal of this malware is to create a network proxy on the devices of unsuspecting buyers, potentially making them hubs for various potential criminal activities, putting the owners of these devices at risk from authorities. This malware is particularly insidious, coming pre-installed out of the box from major online retailers such as Amazon and AliExpress. If you search “Android TV Box” on Amazon right now, many of the same models that have been impacted are still up being sold by sellers of opaque origins. Facilitating the sale of these devices even led us to write an open letter to the FTC, urging them to take action on resellers. The FBI listed some indicators of compromise (IoCs) in the PSA for consumers to tell if they were impacted. But the average person isn’t running network detection infrastructure in their homes, and cannot hope to understand what IoCs can be used to determine if their devices generate “unexplained or suspicious Internet traffic.” Here, we will attempt to help give more comprehensive background information about these IoCs. If you find any of these on devices you own, then we encourage you to follow through by contacting the FBI's Internet Crime Complaint Center (IC3) at www.ic3.gov. The FBI lists these IoC: The presence of suspicious marketplaces where apps are downloaded. Requiring Google Play Protect settings to be disabled. Generic TV streaming devices advertised as unlocked or capable of accessing free content. IoT devices advertised from unrecognizable brands. Android devices that are not Play Protect certified. Unexplained or suspicious Internet traffic. The following adds context to above, as well as some added IoCs we have seen from our research.
#eff#EN#2025#guide#IoCs#FBI#BADBOX
·eff.org·
FBI Warning on IoT Devices: How to Tell If You Are Impacted
RATatouille: A Malicious Recipe Hidden in rand-user-agent (Supply Chain Compromise)
RATatouille: A Malicious Recipe Hidden in rand-user-agent (Supply Chain Compromise)
RATatouille: A Malicious Recipe Hidden in rand-user-agent (Supply Chain Compromise) On 5 May, 16:00 GMT+0, our automated malware analysis pipeline detected a suspicious package released, rand-user-agent@1.0.110. It detected unusual code in the package, and it wasn’t wrong. It detected signs of a supply chain attack against this legitimate package, which has about ~45.000 weekly downloads. What is the package? The package rand-user-agent generates randomized real user-agent strings based on their frequency of occurrence. It’s maintained by the company WebScrapingAPI (https://www.webscrapingapi.com/). Our analysis engine detected suspicious code in the file dist/index.js. Lets check it out, here seen through the code view on npm’s site: We’ve got a RAT (Remote Access Trojan) on our hands. Here’s an overview of it: Behavior Overview The script sets up a covert communication channel with a command-and-control (C2) server using socket.io-client, while exfiltrating files via axios to a second HTTP endpoint. It dynamically installs these modules if missing, hiding them in a custom .node_modules folder under the user's home directory.
#aikido.dev#EN#2025#supply-chain-attack#IoCs#rand-user-agent#npm
·aikido.dev·
RATatouille: A Malicious Recipe Hidden in rand-user-agent (Supply Chain Compromise)
Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations | Trend Micro (US)
Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations | Trend Micro (US)
  • Trend Research has identified multiple IP address ranges in Russia that are being used for cybercrime activities aligned with North Korea. These activities are associated with a cluster of campaigns related to the Void Dokkaebi intrusion set, also known as Famous Chollima. The Russian IP address ranges, which are concealed by a large anonymization network that uses commercial VPN services, proxy servers, and numerous VPS servers with RDP, are assigned to two companies in Khasan and Khabarovsk. Khasan is a mile from the North Korea-Russia border, and Khabarovsk is known for its economic and cultural ties with North Korea. Trend Research assesses that North Korea deployed IT workers who connect back to their home country through two IP addresses in the Russian IP ranges and two IP addresses in North Korea. Trend Micro’s telemetry strongly suggests these DPRK aligned IT workers work from China, Russia and Pakistan, among others. Based on Trend Research’s assessment, North Korea-aligned actors use the Russian IP ranges to connect to dozens of VPS servers over RDP, then perform tasks like interacting on job recruitment sites and accessing cryptocurrency-related services. Some servers involved in their brute-force activity to crack cryptocurrency wallet passwords fall within one of the Russian IP ranges. Instructional videos have also been found with what it looks like non-native English text, detailing how to set up a Beavertail malware command-and-control server and how to crack cryptocurrency wallet passwords. This makes it plausible that North Korea is also working with foreign conspirators. IT professionals in Ukraine, US, and Germany have been targeted in these campaigns by fictitious companies that lure them into fraudulent job interviews. Trend Research assesses that the primary focus of Void Dokkaebi is to steal cryptocurrency from software professionals interested in cryptocurrency, Web3, and blockchain technologies. Trend Vision One™ detects and blocks the IOCs discussed in this blog. Trend Vision One customers can also access hunting queries, threat insights, and threat intelligence reports to gain rich context and the latest updates on Void Dokkaebi.
#trendmicro#EN#2025#Russia#North-Korea#network#research#infrastructure#IoCs
·trendmicro.com·
Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations | Trend Micro (US)