First detected in 2011, the malware campaign that later became known as Windigo was able to infiltrate around 25,000 servers over a two-year period (2012-2014), with the malicious gang behind it demonstrating a high level of technical expertise. Operation Windigo is a set of Linux server-side malware tools used to redirect web traffic, send spam and host other malicious content.
At the core of Operation Windigo is Linux/Ebury, an OpenSSH backdoor and credential stealer, using that backdoor, the attackers installed additional malware to perform web traffic redirection (using Linux/Cdorked), send spam (using Perl/Calfbot or SSH tunnels) and, most importantly, steal credentials when the OpenSSH client was used to spread further.
In 2014 ESET published a research report entitled Operation Windigo. This report was awarded the inaugural Péter Szőr Award for best technical research at VB2014 and has also been used by law enforcement to explain exactly what Windigo is to prosecutors, lawyers and judges.
ESET’s collaboration with the FBI
At ESET our job is to protect all internet users and this task often requires collaboration with others such as law enforcement. In the case of Windigo, we have collaborated with the FBI through the sharing of technical details about the malicious operation and the malware components involved. This cooperation resulted in allowing the FBI investigators to better understand the various parts of this very complex scheme.
Maxim Senakh sentenced
The following timeline outlines the occurence of events leading up to the sentencing of Maxim Senakh
2015-01-13: Indictment against Maxim Senakh is produced, charging him with 11 counts.
2015-08-08: Maxim Senakh is arrested by Finnish authorities at its border while returning to Russia after personal travel.
2016-01-05: Finland agrees to the extradition of Senakh.
2016-02-04: Senakh is extradited from Finland to the US, where he pleads not guilty to all charges against him.
2017-03-28: Maxim Senakh enters into a plea agreement with the US Attorney’s Office and pleads guilty to the first count of the indictment, the remaining 10 being dismissed.
2017-08-03: Senakh is sentenced to 46 months in federal prison, without the possibility of parole.
Where are we now?
Not long after Senakh’s arrest in 2015, there was a sharp decrease in the traffic redirected by Cdorked, the component responsible for sending web visitors to exploit kits or unwanted advertisement pages and this activity has not resumed. The FBI had determined that this malicious activity benefited Senakh directly.
Unfortunately, however the sentencing of Senakh has not resulted in the complete shutdown of Windigo as new variants of Win32/Glupteba, a Windows malware that has strong ties with Windigo have been identified.
In addition, the malware component at the core of Windigo, has evolved. Development has continued with changes made to the latest versions, such as evasion of most of the public indicators of compromise, improved precautions against botnet takeover and a new mechanism to hide the malicious files on the filesystem.
With COVID-19 concerns canceling
face-to-face meetings, be aware of the security risks of videoconferencing and
how to easily overcome them
As a way of
controlling the spread of the COVID-19 pandemic, several countries have been
forced to impose a lockdown on its citizens bringing normal operations to a
near stand-still. Consequently, a considerable percentage of the working
population has turned to remote
working, a chunk of it for the first time.
This has spiked
up the demand for video conferencing services, chat systems, and online
collaboration tools to serve the increasing number of students, employees, and
teachers, among other experts working from home.
By 11th March 2020, Kentik―a San Francisco network operator— had achieved a 200% increase in video traffic within the provided working hours in Asia and North America. Even before the start of the official lockdown in California.
In the same
vein, the UK Prime Minister chaired
a cabinet meeting via zoom, which communicated the government’s appeal for
social distancing through the use of video conferencing. His actions, however,
brought about several questions regarding the security of the communication.
But with a quick
rejoinder, the UK’s National Cyber Security Centre pointed out that such
communications shouldn’t cause any worries if they are below particular
classifications. Accordingly, companies have developed confidence in the
technology; therefore, are utilizing it to communicate with their remote
an employee (or typical user), you need to understand the technology’s built-in
security options, as well as control features before using it. Here we provide
you with some primary considerations. Let’s dig in!
Your immediate surroundings
For you to
realize a smooth and quality video conferencing experience, it is essential to
cordon off your working space to prevent in kind of interruptions that might
occur while in session; for instance, from your kids, better half, or even
that your working area is devoid of any sensitive or confidential
information/material that can be captured by the camera.
As you may be
aware, a lot of video conferencing platforms allow the creation of multiple
user groups to enable the providence of internet domain according to specific
criteria; for instance, the use of company email address to join a video call.
Or offer access
to a limited number of people whose email addresses have been invited or
scheduled for a call.
As such, when
creating a meeting, you can enable the set a meeting password option that
creates a randomly generated code for your invitees to input before joining a
conversation. Similarly, you can authenticate those using phones by the use of
a numerical password. However, avoid embedding the password in the meeting
As an organizer,
you can hold your participants in a “waiting room,” as you approve
them one by one, which gives you full control over whom to allow or deny
access. In case you have a large conference, you can delegate such duties to
your trusted attendees.
File transfers and communication over the net
As a rule of
thumb, always ensure that your end-to-end communication is encrypted. Do not
assume that this option is the default for video calls since a few services may
require you to request encryption.
If the third-party
endpoint client software is permitted, ensure it abides by the requirements of
the end-to-end encryption.
consider limiting the types of documents you can send across the net; for
instance, avoid transferring executable files.
Manage the attendees, as well as the engagement process
attendees will be distracted by notifications, pop-ups, and emails, among other
things, when attending your conference calls. Therefore, as a host, you can
request notification from your service provider if your conferencing client
isn’t the primary or active window (depending on your platform). For instance,
if you are a tutor, you can use this feature to get the attention of all your
You can also
monitor those who joined the call by downloading the attendee list at the end
of the call. Or request attendees to register before being connected.
Limit screen sharing capabilities
As the host, the
sole responsibility of controlling screen sharing remains only yours, unless
you delegate it to someone else that you trust. This eliminates any chances of
an individual sharing content by mistake.
only share the required application rather than the whole desktop when screen
sharing. This is informed by the fact; even the name of a file or Icon can
divulge sensitive company information.
To ensure the
security of your company communications, take time to consider all the
available options security settings on your video conferencing system (or one
the service you intend to use to prevent the selling, sharing, collection, or
re-use of your data.
In case you
require more advice and endpoint client software for your video conferencing
needs, then ESET has been here for you for over 30 years. We want to assure you
that we will be here to protect your online activities during these uncertain
from threats to your security online with an extended trial of our
machine shows no signs of slowing down, as fraudsters continue to dispense bogus
health advice, peddle fake testing kits and issue malware-laced purchase orders
Coronavirus pandemic continues to escalate, more companies
are now shifting to remote work as a way of containing the spread of the
disease. Similarly, lockdowns and travel bans, among other stringent measures,
have become the order of the day across several nations. And to worsen the
situation, there is a massive shortage of the required medical kits.
Such a crisis
provides fraudsters undue advantage over a vulnerable lot that is financially
destabilized, as well as emotionally drained as a result of the pandemic.
In this case,
you would likely receive fake updates regarding the pandemic, as well as
non-existent offers for personal protective equipment, among others. Likewise,
if you’re a business, you would certainly receive faux purchase orders and
Fortunately, as a follow up to our previous article about the ways scammers are exploiting coronavirus fears, we provide you with a few examples of the new campaigns aimed at stealing your money or personal information. To enable you to keep your guard up. Shall we?
As the virus
continues to escalate, more people are currently searching for practical
information on how they can protect themselves. As a result, scammers have
conveniently positioned themselves as the true COVID-19 information
“crusaders” by impersonating well-known health organizations, such as
surprised if you receive an email (containing an attachment) supposedly coming
from a reputable health organization offering you “vital information”
on how you can protect yourself from the disease.
our research team identified one such file containing a Trojan designed to
steal personal credentials.
Apart from the
WHO, fraudsters are also impersonating the US Centers for Disease Control and
Prevention (CDC). Accordingly, the FBI has given a warning about scummy
emails mainly riddled with malware-infested attachments and links purporting to
originate from the CDC.
To reduce the number of people falling for
such schemes, the WHO shares examples of its official email addresses and
methods of communication on its website.
Urgent purchase orders and late payments
Owing to the
increased pressure from governments to reduce the spread of the virus,
Companies, as well as factories, have been forced to streamline their
operations according to the current situation. As an example, companies to
integrate work from home modules, while factories to either increase or reduce
their production capacities depending on their products.
changes have brought about a climate of uncertainty that offers fraudsters a
In this case, as
a factory owner or executive, be on the lookout for “urgent purchase
orders” from “company representatives.” Since this fake orders
come from scammers who want to make a kill out of your desperation of making
some revenue before things go south.
Sadly, if you
download such “urgent orders” (usually in attachments), your PC will
be installed with malicious
code designed to steal your details.
Below is an
excellent example of such an “urgent order”:
would receive a “proof of payment” for you to take care of the order.
However, like the last example above, instead of receiving a bank statement,
the attached document contains a Trojan injector.
High demand products
increase in demand compounded with an inadequate supply for essential
protective items, such face masks has created another avenue for scams.
example of such a scam involves a fraudulent site that is offering
“OxyBreath Pro” face masks at a reduced price. These can lure you
since there is a shortage of masks, and what is available is highly-priced.
However, if you
click on the provided links, you’ll be at risk of exposing your sensitive
personal information to the scammers.
Bogus testing gear
unavailability or short supply of medical kits for testing folks for the virus
has also attracted fraudsters in droves.
the existent low supply of masks, respirators, and hand sanitizers, among other
necessities, has prompted scammers to impersonate medical officials. So that, they can provide non-existent or
fake COVID-19 test kits, as well as illegitimate “corona cures.”
To contain these
despicable actions, the U.S. Food and Drug Administration (FDA) has issued
warnings that it hasn’t allowed the sale or purchase of coronavirus
self-testing kits; therefore, it is currently bursting such sellers.
In a wrap, what
we have shared is a representative of the many current fraudulent campaigns
doing rounds in our media spaces due to the prevailing situation.
Thus, it is
critical to maintaining high alertness to avoid falling victim to both the
COVID-19 pandemic, as well as the ensuing scam epidemic escalating through the
internet. To keep yourself safe from the scams, you can practice the following
Avoid downloading files or
clicking on links from unknown sources
Never fall for unrealistic
offers or order goods from unverified suppliers. You may also make a point of
checking out the purported vendor’s reviews
Invest in an excellent endpoint
solution which can shield you from phishing
attacks, as well as other forms of scams
If an email suggests coming
from a reputable organization, double-check with the firm’s website to confirm
If you require
consultation, as well as endpoint solutions for your cybersecurity needs, then
ESET has been here for you for over 30 years. We want to assure you that we
will be here to protect your online activities during these uncertain times,
from threats to your security online with an extended trial of our