Not a month goes by without a new threat being discovered. In an environment where cyber-resilience is so important, any company that is worried about its corporate cybersecurity needs to make every effort to ensure that cyberattacks don’t cause any harm; or at the very least, to stop them and minimize their repercussions.
This is exactly what is happening with Xwo, a new piece of malware discovered by AT&T’s Alien Labs. This malware searches the Internet for possible vulnerabilities that could be used to open up websites and popular services to cybercrime.
What does Xwo do?
Generally speaking, Xwo has three basic functions to exploit security breaches and allow them to be harnessed by whoever wants to use them for their own ends.
1.- To begin with, Xwo actively scans a large number of pages and online platforms. Its aim is to locate portals that contain vulnerabilities, or those that store default passwords that can easily be exploited. To do so, it combines characteristics of various malware families, such as ransomware, botnets, worms, or cryptojacking malware.
2.- Once a vulnerable portal has been found, unlike other ransomware techniques, this malware doesn’t act alone. Rather, it gathers information about credentials, passwords for protected services, and backups, among other things, and sends it to control servers via an HTTP POST request.
3.- Cybercriminals can store and access the information on this server, and also carry out their own cyberattacks. Their principal aim, in many cases, is to get known portals to redirect to malicious domains (normally with the extension .tk) that will steal as much information as possible. If they succeed, they may even ask for a fee to restore the stolen data.
Who is affected by this malware?
The aim of Xwo is to obtain the credentials of as many people as possible, meaning that large portals and online companies will always be among its targets. Media outlets and even several cybersecurity companies are on the list of those affected.
To do so, this malware focuses its attacks on services such as FTP, MySQL, PostgreSQL, MongoDB, Redis, Memcached, Tomcat, phpMyAdmin, VNC or RSYNC, where several vulnerabilities have been found.
How to avoid Xwo
The existence of Xwo is another step forward for cybercrime, and a clear and present danger for all kinds of companies, regardless of their type or size. This is why network administrators in the companies that may become victims of this malware need to enact appropriate measures if they want to protect their cybersecurity:
1.- Secure passwords Companies must be sure not to keep the default passwords that are used on many internal servers, and to employ instead different, more complex passwords. Besides this, it is also a good idea to change credentials with certain frequency. This tip can also be taken up by users themselves; they should use passwords that steer clear of obvious character combinations that cybercriminals can easily guess.
2.- Proactive monitoring. No company can risk discovering a cyberattack or vulnerability when it is already too late. To help, Patch Management audits, monitors, and prioritizes updates for operating systems and applications, all from a single panel. What’s more, it is also able to contain and mitigate attacks that exploit vulnerabilities, applying a constant critical update policy to detect any possible threat, even before it becomes dangerous.
3.- Secure servers. All companies have strategic servers on which they store all kinds of sensitive information that they need for their system to work. To prevent problems, it is vital that, wherever possible, these servers can’t be accessed easily via the Internet. Where that is not possible, they at least need to be as resilient as possible to possible attacks.
The fact is that cyberattacks very often do not start when the brute force invasion happens; rather, they usually begin long before, when another tool was able to analyze possible vulnerabilities without arousing suspicions. This is why every company must be on the lookout for anything suspicious. This way they can proactively protect their corporate cybersecurity, stopping all kinds of malware like Xwo from exploiting their unprotected credentials and services in order to sow chaos on the company’s IT systems.