Connect with us

CyberSecurity

‘BusySnake’ Infostealer Slithers into Critical Infrastructure Networks

Published

on

BusySnake infostealer

New Malware Campaign Targets Power Grids and Government Networks

A previously undocumented infostealer malware, tracked as BusySnake, has been found infiltrating government agencies and electrical power companies in Russia, Brazil, and Kazakhstan. Security researchers at Kaspersky attribute the campaign to a threat actor they call Armored Likho.

The discovery marks a worrying expansion of cyber-espionage into operational technology environments. While the malware itself is not designed to disrupt power grids directly, its ability to siphon credentials, system data, and internal communications gives attackers a dangerous foothold.

Think about it: once you have an attacker inside a utility’s IT network, the jump to industrial control systems becomes far easier. That’s the real nightmare scenario.

What Is BusySnake? A Low-and-Slow Data Thief

BusySnake is not a fast-moving worm. It’s the opposite — a stealthy, modular infostealer that operates in stages. The malware arrives via spear-phishing emails, often disguised as official correspondence from government or energy-sector partners.

Once executed, it performs several key actions:

  • Credential harvesting — steals login data from browsers, email clients, and VPN software
  • Screen capture — takes periodic screenshots of the victim’s desktop
  • Keylogging — records keystrokes to capture passwords and sensitive conversations
  • File exfiltration — uploads documents matching specific extensions (.doc, .xls, .pdf) to a command-and-control server

The malware communicates over HTTPS to blend in with normal traffic, making detection harder for traditional network monitoring tools.

Armored Likho: Who’s Behind the Attacks?

Kaspersky’s researchers have been tracking Armored Likho since mid-2024. The group shows a clear preference for targeting critical infrastructure — primarily electricity generation and distribution entities, along with central government bodies.

Geographically, the campaign has hit three countries hardest:

  • Russia — multiple regional energy companies and federal agencies
  • Brazil — at least two major electrical utilities and a state-level government network
  • Kazakhstan — a national power grid operator and a ministry

Why these three? The geographic spread suggests the attackers are not driven by simple regional conflict. Instead, they appear interested in energy-sector intelligence across different continents. This could point to state-sponsored espionage or a sophisticated cybercrime group selling access to the highest bidder.

How BusySnake Evades Detection

The malware uses several tricks to stay under the radar. First, it checks for sandbox environments and debuggers before executing its payload — a common anti-analysis technique. If it detects a virtual machine or security tool, it simply shuts down.

Second, BusySnake encrypts its configuration files and uses steganography to hide stolen data inside innocent-looking image files before exfiltration. Security teams scanning for unusual file transfers might miss these pictures entirely.

Third, the malware employs a modular structure. The initial dropper is small and lightweight. Only after confirming a successful infection does it download additional components from the C2 server. This makes signature-based detection nearly useless.

Implications for Critical Infrastructure Security

For organizations running power plants, electrical grids, or government networks, the BusySnake campaign is a wake-up call. The attackers are not just after credit card numbers — they want operational blueprints, SCADA credentials, and internal communications.

Once an attacker has that level of access, they can map out the entire network. From there, it’s a short step to sabotaging industrial control systems or launching ransomware that could black out a city.

Security teams should take immediate action:

  • Segment IT and OT networks — ensure that compromised office computers cannot directly communicate with industrial systems
  • Deploy behavioral detection — look for unusual data transfers, not just known malware signatures
  • Train staff on spear-phishing — many BusySnake infections start with a single employee clicking a malicious attachment
  • Monitor for BusySnake indicators — Kaspersky has published IOCs including C2 domains, file hashes, and registry keys

What Comes Next?

The Armored Likho group shows no signs of slowing down. Kaspersky expects them to expand into other regions and sectors, possibly targeting oil and gas or water treatment facilities next.

For now, the best defense is awareness. Critical infrastructure security teams need to assume they are already being probed. The question is not if an infostealer like BusySnake will arrive at their network perimeter — it’s whether they’ll catch it before the data walks out the door.

Organizations that have not yet reviewed their cybersecurity best practices for power grids should do so immediately. And for anyone still relying on antivirus alone to stop modern infostealers — it’s time to rethink that strategy.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

CyberSecurity

A 16-Year-Old Bug in Linux KVM Lets Guest VMs Break Out and Attack the Host

Published

on

KVM VM escape

A Bug That Almost Drove a Generation

A 16-year-old vulnerability in Linux’s KVM hypervisor can be triggered from inside a guest virtual machine to corrupt the host kernel’s memory. The result? A full VM escape — the kind of security nightmare that keeps cloud providers up at night.

Tracked as CVE-2026-53359 and nicknamed ‘Januscape’ by its discoverer, the flaw sits in the shadow MMU code that KVM shares across both Intel and AMD x86 processors. The researcher released a public proof-of-concept that panics the host. A separate, unreleased exploit, they claim, can achieve full code execution from the guest.

That’s a 16-year-old bug. It affects every Linux kernel version since the shadow MMU was introduced — which is most of KVM’s lifespan. The vulnerability was introduced in 2008 and only patched in late 2025.

What Exactly Is the Januscape Bug?

The flaw is a use-after-free in KVM’s handling of shadow page tables. Shadow paging is a memory virtualization technique KVM uses when hardware-assisted nested paging (like Intel EPT or AMD NPT) isn’t available or is disabled. The hypervisor maintains shadow page tables that mirror the guest’s physical-to-machine memory mappings.

In the vulnerable code path, a guest can trigger a specific sequence of operations — including a TLB flush and a page fault — that causes KVM to free a shadow page entry while it’s still being referenced. The freed memory can then be reallocated for other purposes. A malicious guest can control that reallocation.

The researcher describes it as a “race between the guest and the host” — the guest forces a specific timing window where the shadow page state becomes inconsistent. Once the host kernel touches the dangling pointer, it’s game over.

Why It Took 16 Years to Find

Shadow paging is complex. The code paths for page table walks, TLB flushes, and fault handling interact in subtle ways. The bug itself is a classic use-after-free, but the trigger conditions are rare enough that it survived years of code reviews and fuzzing campaigns.

It’s also worth nothing that most modern KVM deployments use hardware-assisted virtualization (EPT/NPT), which bypasses shadow paging entirely. That means cloud providers running recent hardware are not directly exposed. But any Linux system running KVM with shadow paging enabled — including many older servers, embedded systems, and test environments — is vulnerable.

Impact: Who Should Worry?

The short answer: anyone running KVM on Intel or AMD x86 systems without hardware nested paging. That includes:

  • Older server hardware (pre-2010 Intel Nehalem/Westmere or AMD Bulldozer era) that lacks EPT/NPT support.
  • Systems where nested virtualization is used, and the L1 hypervisor falls back to shadow paging.
  • Test labs, CI runners, and development environments that disable hardware virtualization features for debugging.
  • Embedded Linux systems running KVM on older x86 CPUs.

For cloud providers running modern hardware with EPT/NPT, the risk is minimal. But the bug is a reminder that KVM security depends on more than just the hypervisor code — the hardware capabilities matter just as much.

Patch and Mitigation

Linux kernel maintainers released a fix in late 2025. The patch is relatively small — it adds a missing reference count increment in the shadow page table code path. Systems running kernel versions 5.x and 6.x should update to the latest stable release.

If patching immediately isn’t possible, there are workarounds:

  • Enable hardware nested paging — ensure Intel EPT or AMD NPT is enabled in the BIOS and that the kernel boots with kvm-intel.ept=1 or kvm-amd.npt=1.
  • Disable shadow paging — if you must run without EPT/NPT, consider using a different hypervisor or limiting guest access to trusted workloads only.
  • Restrict guest capabilities — the bug requires specific hypercalls and page table manipulations. Limiting guest kernel access can reduce the attack surface.

A Wake-Up Call for Legacy Code

The Januscape bug is not a theoretical curiosity. It’s a practical, exploitable vulnerability that sat hidden for 16 years. That it affects both Intel and AMD systems equally makes it a broad threat.

The researcher’s decision to release a host-panicking PoC while keeping the full exploit private is a reasonable compromise — it proves the bug is real without handing out a weapon. But the existence of a working exploit means attackers with enough resources could reverse-engineer it.

For organizations still running older kernels or hardware without EPT/NPT, this is the moment to patch. The bug may be old, but the threat is current. And as cloud computing continues to rely on Linux virtualization at scale, even legacy code paths deserve scrutiny.

Because sometimes, a 16-year-old bug is the one that gets you.

Continue Reading

CyberSecurity

Hackers Pounce on Critical Gitea Docker Bug Just 13 Days After Patch Release

Published

on

Gitea Docker flaw

Attackers Waste No Time With Critical Gitea Bug

It took just 13 days. That’s how long threat actors needed to start probing a critical vulnerability in Gitea Docker images after the fix went public. Security researchers at Sysdig spotted the first exploitation attempts in the wild, and the timeline is a stark reminder of how fast attackers move.

The flaw, tracked as CVE-2026-20896, carries a CVSS score of 9.8 — critical by any measure. It lives in the way Gitea handles the X-WEBAUTH-USER HTTP header. The DevOps platform trusted that header from any source IP address. That’s a big problem.

An unauthenticated client on the internet could simply send a crafted request with that header and get elevated access. No credentials needed. No authentication bypass tricks. Just a header.

How the Gitea Docker Flaw Works

The vulnerability is rooted in Gitea’s authentication logic for Docker registries. When a request arrives, the platform checks the X-WEBAUTH-USER header to determine who’s making the request. The assumption was that only trusted proxies would set that header.

But that assumption was wrong. Sysdig’s researchers found that Gitea didn’t validate the source of the header. Any client — even a random bot scanning the internet — could set it to any username and gain that user’s privileges.

Think about what that means. An attacker could impersonate an admin. They could pull private Docker images. They could push malicious images to a repository. The impact depends on what the compromised account can do, but in a DevOps environment, that’s often everything.

Why This Gitea Vulnerability Is Dangerous

Several factors make CVE-2026-20896 particularly nasty:

  • No authentication required: The attacker doesn’t need valid credentials. They just send the header.
  • Remote exploitation: The flaw is exploitable over the network. No local access needed.
  • High privilege escalation: The attacker can assume any user’s identity, including administrators.
  • Docker registry exposure: Gitea is often used to host private container images. A breach there leaks sensitive code and configurations.

Sysdig’s report notes that the exploitation attempts began just under two weeks after the patch was released. That’s a short window for organizations to update their instances.

Who’s Affected and What to Do

Any organization running Gitea in a Docker container — especially if the instance is exposed to the internet — is at risk. The vulnerability affects versions before the patch that addressed the header trust issue.

If you’re running Gitea, the fix is straightforward: update to the latest version immediately. The Gitea team released a patch that stops trusting the X-WEBAUTH-USER header from untrusted sources. Sysdig also recommends reviewing your Gitea configuration to ensure that if you use reverse proxies, they are properly configured to strip or validate that header.

For teams that can’t update immediately, a workaround exists: block the X-WEBAUTH-USER header at your web application firewall or reverse proxy. But that’s a stopgap, not a solution. The patch is the real fix.

Lessons for DevOps Security

This incident highlights a broader issue in modern infrastructure. DevOps tools like Gitea, GitLab, and Jenkins often run with elevated privileges and handle sensitive data. They’re juicy targets for attackers.

The trust assumption in HTTP headers is a classic mistake. It’s the same kind of flaw that plagued authentication systems for years — trusting something the client can control. Gitea’s developers fixed it, but the 13-day gap between patch and exploitation shows that attackers are watching the same security mailing lists and GitHub repos as defenders.

Organizations should treat security patches for critical vulnerabilities as emergencies. A CVSS 9.8 flaw in a tool that manages container images and CI/CD pipelines isn’t something to schedule for next month’s maintenance window. It’s a fire.

Sysdig’s research is a useful reminder that container security isn’t just about scanning images for known vulnerabilities. It’s also about hardening the platforms that manage those images. A flaw like this one bypasses all your image scanning because it gives the attacker direct access to the registry.

The bottom line? Patch Gitea now. Check your logs for suspicious requests containing X-WEBAUTH-USER headers from unexpected sources. And take a hard look at how your DevOps tools handle authentication. The attackers certainly are.

Continue Reading

CyberSecurity

New Cavern C2 Framework: Iran-Linked Hackers Zero In on Israeli IT and Government

Published

on

Cavern C2 framework

Iran’s MOIS-Linked Group Deploys Cavern in Targeted Campaign

An Iranian hacking group tied to the country’s Ministry of Intelligence and Security (MOIS) has been using a previously unknown modular command-and-control (C2) framework called Cavern — also spelled Cav3rn — to zero in on Israeli organizations. The campaign, uncovered by Check Point Research, has primarily hit IT providers and government entities.

This isn’t just another phishing spree. The attackers built a custom C2 infrastructure from scratch. Cavern is modular, meaning it can swap out components on the fly. That flexibility makes it harder to detect and even harder to shut down.

Who’s Behind Cavern? A MOIS-Linked Threat Cluster

Check Point attributes the activity to a threat cluster that operates under the umbrella of Iran’s MOIS. The group has a track record of targeting Israeli infrastructure, but Cavern marks a technical leap. It’s not a repurposed tool — it’s purpose-built for this campaign.

The victims are telling. IT providers serve as a gateway: compromise one, and you can pivot to dozens of downstream clients. Government targets offer intelligence value. The attackers seem to want both access and information.

How Cavern Works: A Modular C2 Framework

Cavern’s architecture is what makes it stand out. It uses encrypted channels to communicate with implants on compromised machines. Each module handles a specific task — data exfiltration, keylogging, lateral movement — and can be updated or replaced without redeploying the entire framework.

  • Encrypted C2 traffic: Blends in with normal HTTPS, making network monitoring harder.
  • Modular plugins: Attackers can add or remove capabilities on demand.
  • Persistence mechanisms: Uses scheduled tasks and registry modifications to survive reboots.

This modularity is a double-edged sword for defenders. It means the framework can evolve quickly. But it also means that if you spot one module, you might not see the full picture — and the next variant could look completely different.

Targeting Israeli IT Providers and Government Agencies

The campaign’s focus on IT providers is strategic. By compromising a managed service provider (MSP), the attackers can piggyback on legitimate remote administration tools to reach the provider’s clients. That’s a supply chain attack, and it’s been a rising trend globally.

Government targets are more direct: espionage. The attackers appear interested in policy documents, internal communications, and possibly diplomatic cables. Check Point’s report notes that the group used spear-phishing emails with malicious attachments to gain initial access.

Once inside, they deployed Cavern’s implants to establish a persistent foothold. From there, they could move laterally, escalate privileges, and siphon data without triggering alarms.

Technical Deep Dive: Cavern’s Implant and C2 Communication

The Cavern implant is a lightweight executable that phones home to the C2 server using HTTP or HTTPS. The C2 server itself is a PHP-based panel that manages infected machines and issues commands.

Key technical details from Check Point’s analysis:

  • Implant size: Roughly 50 KB, compiled with MinGW to avoid common antivirus signatures.
  • C2 panel: Hosted on compromised servers in multiple countries, including the Netherlands and the United States.
  • Command set: Includes file upload/download, shell execution, process listing, and screen capture.

The attackers also used a custom DNS tunneling technique to bypass network filters. That’s a newer trick: encode data in DNS queries, which many organizations don’t monitor closely.

What This Means for Israeli Cybersecurity Teams

For defenders in Israel — and anyone watching Iranian cyber activity — Cavern is a wake-up call. It shows that MOIS-linked groups are investing in bespoke tooling, not just repurposing existing malware.

Check Point recommends organizations review their network logs for unusual DNS traffic, especially to domains registered in Iran or with suspicious patterns. They also advise tightening access controls on IT provider connections — because a breach at the provider could cascade to your own network.

The Cavern C2 framework is still active, and Check Point expects more variants. This isn’t a one-off operation. It’s a sustained campaign with a dedicated toolkit.

Israeli IT providers and government agencies should treat any unusual system behavior — even seemingly minor anomalies — as a potential sign of Cavern activity. The framework’s modular nature means the attackers can adapt faster than traditional signature-based defenses can keep up.

Continue Reading

Trending