The "dark_nexus" bot was named by Bitdefender researchers. It is not Windows malware this time: its targets are Linux ELF executables running on IoT devices. The possible victims are therefore routers (from Dasan Zhone, D-Link, and ASUS), video recorders and so on. Embedded Linux on 12 different CPU architectures can be infected. The bots inside the victims form the dark_nexus botnet. A message from the researchers -
In December 2019, the IBM X-Force team published a report (https://www.ibm.com/downloads/cas/OAJ4VZNJ) detailing new variants of ZeroCleare, a data-destroying malware family attributed to Iran. According to the IBM X-Force report, there are several important points - The initial access IP address of this ZeroCleare is 188.8.131.52, which was associated with ITG13 in the recent Oilrig/APT34 leaks and, as also reported by Palo Alto, was used to scan target networks and access accounts as early as the fall of 2018.
Introduction. Many major media outlets have reported on this security event in the city of New Orleans, including CNET, BleepingComputer and others. From the information provided by these outlets, we are almost sure that the attacker is the Ryuk ransomware. Figure 1 - CNET news about the New Orleans ransomware event. Figure 2 - BleepingComputer news about the New Orleans ransomware event. Lionic's Inspection of Ryuk Ransomware
Hsinchu, Taiwan – November 18, 2019 – AegisLab reviewed several CVE (https://cve.mitre.org/) entries and found that the following 2018 CVE vulnerabilities are still not fixed. CIRCONTROL was notified by email on Oct 15 but has not responded so far. AegisLab has fulfilled its obligation to report to CIRCONTROL one month before publishing a security report. CIRCONTROL should actually have begun fixing these vulnerable devices in 2018, but did not. The header of Lionic's notifying email -