URL:
https://securityboulevard.com/2022/07/what-is-zuorat/
Submission: On August 01 via api from DE — Scanned from DE
Security Bloggers Network » What is ZuoRAT?

WHAT IS ZUORAT?

by Avi Hein on July 6, 2022

ZuoRAT is a remote access trojan (RAT) that attacks small office/home office (SOHO) routers. On June 29, 2022, Black Lotus Labs, the threat intelligence arm of Lumen Technologies, revealed the existence of this threat. The code appears to be a heavily modified version of the code behind the Mirai botnet, whose source code was released in 2016. According to the security researchers, the threat targeted North America and Europe, and may have remained undetected for two years. The attacks started in October 2020 and targeted known vulnerabilities in routers from ASUS, Cisco, DrayTek, and NETGEAR.

Attackers were then able to identify more devices on the network and move laterally to additional systems. Given the timing, it is likely that the attackers took advantage of the rapid shift to work-from-home brought about by the COVID-19 pandemic.

HOW ARE USERS INFECTED?

According to Black Lotus Labs, “ZuoRAT is a MIPS file compiled for SOHO routers that can enumerate a host and internal LAN, capture packets being transmitted over the infected device and perform person-in-the-middle attacks (DNS and HTTPS hijacking based on predefined rules).”

The ZuoRAT attack begins by exploiting the known vulnerabilities CVE-2020-26878 and CVE-2020-26879 using a Python-compiled Windows Portable Executable file to target SOHO routers. However, the researchers have only been able to gain access to the exploit script for JCG-Q20 model routers. Therefore, it’s possible that there are additional exploits not yet known. The malware queries several web services to learn the router’s public IP address. If it does not obtain the public IP address, ZuoRAT deletes itself. It is likely that the threat actor used unpatched vulnerabilities to steal credentials from the targeted routers. Although patches for these vulnerabilities exist, device administrators often don’t apply them.

WHO IS BEHIND THE ATTACK?

While the technique of compromising SOHO routers as an attack vector to gain access to an adjacent LAN is not unique, it is not frequently reported. According to the researchers, “reports of person-in-the-middle style attacks, such as DNS and HTTP hijacking, are even rarer and a mark of a complex and targeted operation. The use of these two techniques congruently demonstrated a high level of sophistication by a threat actor, indicating that this campaign was possibly performed by a state-sponsored organization.”

CONCLUSION

While there have always been many ways for malicious actors to target networks, there is only a handful of router-based malware. Black Lotus Labs notes that they “hypothesize [the attack] has been living undetected on the edge of targeted networks for years.” Therefore, it is critical that users – and particularly individuals and small businesses – protect their traffic at the point of entry: their router. Endpoint security simply doesn’t protect connected devices. Additionally, most home and small business networks are too small, and their administrators not sophisticated enough, to use additional mitigation measures such as micro-segmentation. To protect their customers, many communication service providers are turning to network-based security, which stops attacks at the network level before they even reach their customers’ devices.

Of the Indicators of Compromise related to this threat, most are IP addresses. Therefore, DNS-based security solutions do not provide sufficient protection, as they do not block IP addresses. It is critical not to rely on DNS-based security for complete protection. The good news is that customers using Allot Secure, including NetworkSecure and the router-based HomeSecure and BusinessSecure, are protected from this attack.

***

This is a Security Bloggers Network syndicated blog from Allot Blog authored by Avi Hein. Read the original post at: https://www.allot.com/blog/what-is-zuorat-trojan-malware/

July 6, 2022 | Avi Hein | Tags: Allot Secure, BusinessSecure, Cybersecurity, HomeSecure, SMB Security, ZuoRAT