BrianKrebs
@briankrebs@infosec.exchange  ·  activity timestamp 4 days ago

New, from me: The Kimwolf Botnet is Lurking in Corporate, Govt. Networks

A new Internet-of-Things botnet called Kimwolf has spread to more than 2 million devices, forcing infected systems to participate in massive distributed denial-of-service (DDoS) attacks and to relay other malicious and abusive Internet traffic. Kimwolf’s ability to scan the local networks of compromised systems for other IoT devices to infect makes it a sobering threat to organizations, and new research reveals Kimwolf is surprisingly prevalent in government and corporate networks.

https://krebsonsecurity.com/2026/01/kimwolf-botnet-lurking-in-corporate-govt-networks/

#botnet #infosec #IoT #DDoS #threatresearch #malware

An illustration showing the head of a robot with arrows pointing down to two computer screens below. The robot's head has antennae sticking out diagonally from the top of its square head, almost resembling a TV box.

BrianKrebs
@briankrebs@infosec.exchange replied  ·  activity timestamp 15 hours ago

I'd heard that Comcast was getting ready to issue a report on how it's been dealing with the massive number of Aisuru/Kimwolf botnet infections on their network. Also, Kimwolf piggybacked on IPIDEA's proxy network, and data from Synthient shows Comcast's email service (imap.comcast.net) was the most-requested domain of IPIDEA users (these are credential-stuffing attacks).

Glad I didn't wait for their report. It's basically a recap of everything we know so far, but nary a word about how it's affecting their customers. Instead, the blog post uses the old "we ran the malware in a lab and here's what we saw" approach to admiring the problem.

https://corporate.comcast.com/press/releases/localhost-as-an-attack-multiplier-resproxy-co-infection-and-lateral-expansion

A pie graph showing the top 50 domain names sought out by users of IPIDEA's residential proxy service, according to Synthient. Comcast.net and appsflyer.com make up the largest chunk, shown in blue and red slices respectively.

BrianKrebs
@systemadminihater@cyberplace.social replied  ·  activity timestamp 15 hours ago

@briankrebs Netflow can detect this stuff trivially

Carl (He/Him)
@nitpicking@mstdn.party replied  ·  activity timestamp 15 hours ago

@briankrebs Did you mean "admitting" the problem?

BrianKrebs
@briankrebs@infosec.exchange replied  ·  activity timestamp 15 hours ago

@nitpicking admiring is admitting it, IMHO.

BrianKrebs
@briankrebs@infosec.exchange replied  ·  activity timestamp 15 hours ago

The world would be a better and safer place if legacy ISPs stopped giving away email accounts. None of them want to be in the email business, and probably 95 percent of these accounts have horrible passwords, no MFA, and they get taken over constantly by cybercriminals and used for bad stuff.

𝙳𝚊𝚒𝚕𝚢 𝙵𝚒𝚜𝚑𝚠𝚛𝚊𝚙
@Sheep_Overboard@infosec.exchange replied  ·  activity timestamp 11 hours ago

@briankrebs

Always avoided them and wise to do so. Like using the web host to register your domain, a problem when you gotta move.

T2R
@T2R@infosec.exchange replied  ·  activity timestamp 11 hours ago

@briankrebs AMEN. Also Cloud providers need to rein in trial accounts from sending emails outside of their domain until they are a verified business.

cpm
@cpm@spore.social replied  ·  activity timestamp 13 hours ago

@briankrebs
this assumes

many isps themselves didn't:
a) enter the game with criminal ambition

b) just didn't toss up their hands and surrender to the overwhelming 'internet is for scams' modern times.

c) something else

Steve Atkins
@lluad@mastodon.ie replied  ·  activity timestamp 14 hours ago

@briankrebs Yes, but...

The email accounts at Google and Microsoft are also constantly used for bad stuff. But because they're giant monoliths you can't just block them, and they have no real incentive to fix anything. That these accounts are "legitimate users" rather than compromised accounts doesn't make any difference to the harm they do.

The odds of getting an issue fixed at a regional ISP are significantly higher than they are at Google or Microsoft.

BrianKrebs
@briankrebs@infosec.exchange replied  ·  activity timestamp 15 hours ago

Also, any continued IMAP support that doesn't make it easy to incorporate 2FA or other things really doesn't help.

RootWyrm 🇺🇦:progress:
@rootwyrm@weird.autos replied  ·  activity timestamp 15 hours ago

@briankrebs the problem is a LOT more than that. I've been running email servers for 30 years.

People cramming in OAuth WILL BE SHOT ON SIGHT.
People insisting on passkeys WILL BE SHOT ON SIGHT.
People who suggest PGP WILL BE SHOT ON SIGHT.

We actually know and have known what is needed to fix this shit for a LONG time. The problem is that the big three (MS, Google, and Yahoo) have basically hijacked what "email" is and are making the problems worse while also creating no end of new ones.

Martin Steiger 🚀
@martinsteiger@chaos.social replied  ·  activity timestamp 15 hours ago

@briankrebs OK, what is supposed to replace IMAP?

Varbin :arctic_fox: ​:gay_furr: -> FUKS@39c3
@varbin@infosec.exchange replied  ·  activity timestamp 15 hours ago

@briankrebs As OAuth for IMAP is terrible to integrate in email apps (usually every app has to register with the email provider), does "other things" include something like application passwords?

Natalie Esmerelda
@LearnToLivePrivate@privacysafe.social replied  ·  activity timestamp 15 hours ago

@briankrebs this is a golden post! 5*

Thad
@Thad@brontosin.space replied  ·  activity timestamp 15 hours ago

@briankrebs Cox stopped offering them a long time ago, and transferred the management over to Yahoo a couple of years ago.

Unfortunately the changeover was a mess and an opportunity for phishers. Instruct your users to expect an e-mail from Cox with a link they can click on and enter their e-mail and password, well, what do you think is going to happen?

Walker
@Walker@infosec.exchange replied  ·  activity timestamp 15 hours ago

@briankrebs And ISP email accounts are functionally useless and a pain.

In my youth I rented multiple apartments, moving every few years. Each time I would have to set up a new internet connection with a different ISP. I could not take my previous ISP email address with me.

That is why Yahoo, Hotmail, and the like were more popular.

Lord Tom Klopf of CZ :jrbd:
@thomas_klopf@dobbs.town replied  ·  activity timestamp 15 hours ago

@briankrebs a few grandmas might be confused but it would be worth it

Robert [KJ5ELX] :donor:
@FuturisticRobert@infosec.exchange replied  ·  activity timestamp 15 hours ago

@briankrebs I can't remember the last time I saw a legitimate email from an ISP-based email account. I'm sure anyone else who has to deal with a lot of bad email sees the same thing.

royal
@royal@theres.life replied  ·  activity timestamp 15 hours ago

@briankrebs not just giving away email accounts; creating them whether you want them or not.

smxi
@smxi@fosstodon.org replied  ·  activity timestamp 2 days ago

@briankrebs I'm not at all surprised by the infections in organization networks. Many years ago I worked an IT job at a big organization, and one of my jobs was to disinfect local malware infection nodes. Those used "enterprise av", mcafee in this case, which, like norton, seemed to function as pro not antivirus. I was fascinated by how the infections spread to local machines first, forming nodes. Unless security people make all tech/software choices, the choices will be wrong and bad.

shx
@shx@climatejustice.social replied  ·  activity timestamp 2 days ago

@briankrebs off topic, is it possible the RSS feed is broken?
curl -sS https://krebsonsecurity.com/feed/|grep lastBuild
<lastBuildDate>Wed, 14 Jan 2026 00:47:38 +0000</lastBuildDate>

Was surprised that this new gem did not appear in the feedreader.

BrianKrebs
@briankrebs@infosec.exchange replied  ·  activity timestamp 2 days ago

@shx Yeah something broke and I'm not sure what. Looking into it, thanks.

Maxime Thiebaut
@0xThiebaut@infosec.exchange replied  ·  activity timestamp 2 days ago

@briankrebs Great read and series! Quick FYI that it seems this one didn’t reach your RSS feed (yet)

Lord Tom Klopf of CZ :jrbd:
@thomas_klopf@dobbs.town replied  ·  activity timestamp 2 days ago

@briankrebs I’m a bit ignorant on this topic, but I work in IT. Can someone in this thread suggest any open-source traffic inspection tools for Linux that would alert to bots on an internal network? I have a number of iot devices at home, usual smart home stuff. I keep it all behind firewall/nat but.. who knows. I was thinking to route all my home network traffic via my Linux server for a while to inspect for ‘bad stuff’

BrianKrebs
@briankrebs@infosec.exchange replied  ·  activity timestamp 2 days ago

@thomas_klopf you need something connected to your main router or switch that can sniff all the traffic going in and out. I'm experimenting with an installation of Security Onion on an ancient Windows laptop w/ two ethernet connectors. The software on the switch lets you mirror the port from the router on a different port, which connects to the laptop running Security Onion. You can then log in to the web interface from any system on the local network and see your traffic.

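The kind of check that flow data (NetFlow, or a sensor on a mirrored port as described in the reply above) makes possible, as an added Python example that is not code from the article, from Comcast or from Security Onion: it flags an internal host that reaches many distinct local hosts within a short window, which is the local-network sweep the article attributes to Kimwolf. The flow tuple layout, the thresholds and the flow records themselves are constructed assumptions, not captured traffic.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Added example for this thread, not code from the article or from Security
# Onion. It assumes flows are already available (NetFlow export, or a sensor
# on a mirrored port) as (timestamp, src_ip, dst_ip, dst_port) tuples.
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    """True for RFC 1918 addresses, i.e. the local network a bot can sweep."""
    return any(ip_address(ip) in n for n in PRIVATE)

def find_lateral_scanners(flows, window=60, min_targets=20):
    """Map src -> (distinct internal hosts reached, ports used) for sources that
    touched at least min_targets distinct internal hosts within `window` seconds.
    Uses a sliding window over each source's time-sorted internal-to-internal flows."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if src != dst and is_internal(src) and is_internal(dst):
            by_src[src].append((ts, dst, dport))
    alerts = {}
    for src, recs in by_src.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1
            seen = recs[start:end + 1]
            targets = {d for _, d, _ in seen}
            if len(targets) >= min_targets and len(targets) > alerts.get(src, (0,))[0]:
                alerts[src] = (len(targets), sorted({p for _, _, p in seen}))
    return alerts

def sample_flows():
    """Constructed flow records, not captured traffic."""
    flows = []
    for i in range(1, 31):  # one host sweeps 30 neighbours on two ports within 15 s
        flows.append((1000 + i // 2, "192.168.1.50", f"192.168.1.{i}", 23 if i % 2 else 2323))
    for i in range(1, 26):  # slow: 25 peers spread over ~8 min, never 20 within a minute
        flows.append((2000 + i * 20, "192.168.1.77", f"192.168.1.{100 + i}", 445))
    for i in range(1, 6):   # normal client: a few internal peers plus outbound traffic
        flows.append((3000 + i, "192.168.1.10", f"192.168.1.{200 + i}", 443))
        flows.append((3000 + i, "192.168.1.10", f"203.0.113.{i}", 443))
    return flows

if __name__ == "__main__":
    for src, (n, ports) in find_lateral_scanners(sample_flows()).items():
        print(f"ALERT {src} reached {n} internal hosts within 60 s on ports {ports}")
```

The window and target thresholds are the knobs to tune against a baseline of your own network: the slow host in the sample shows that the same number of peers spread over minutes is not flagged by default, so a tighter or looser window changes what counts as a sweep.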
Lord Tom Klopf of CZ :jrbd:
@thomas_klopf@dobbs.town replied  ·  activity timestamp 2 days ago

@briankrebs cool thanks for the tips there! I’ll check out Security Onion. Unfortunately my consumer router can’t do port mirroring, so I’m thinking to put the linux server between the router and the upstream connection to see what’s going on, hope security onion can work with that setup. Thanks again!
