
NCA Infiltrates Cybercrime Market With Fake DDoS Sites

UK’s National Crime Agency (NCA) has recently conducted a sting operation as a part of Operation Power Off, a collaboration of international law enforcement agencies to shut down DDoS (distributed denial of service) infrastructure. 

In order to sabotage the online black market, the NCA set up a number of fictitious DDoS websites and offered booter or DDoS-for-hire services. It is important to keep in mind that the UK's Computer Misuse Act of 1990 makes DDoS attacks illegal. 

All of these websites were created by the NCA to appear genuine, giving the visitor the idea that they could initiate DDoS attacks using the provided tools and services. 

According to the agency, several thousand individuals have visited the sites. After registering, instead of receiving the services they signed up for, visitors are presented with a splash screen telling them that their data has been captured and that law enforcement authorities will contact them. 

In its most recent report, the NCA confirmed that it has publicly identified one of the websites it was operating, which now displays a message stating that users' data has been collected and that they “will be contacted by law enforcement.” 

Individuals located in the UK will be contacted by the NCA or the police and warned against engaging in any cybercrime-related activity, whereas the details of those overseas are being handed to international law enforcement. 

DDoS Attacks 

In a DDoS attack, compromised computer systems bombard a target (server or website), causing severe financial or reputational damage to the targeted organization. “DDoS-for-hire, or ‘booter’, services allow users to set up accounts and order DDoS attacks in a matter of minutes […] Such attacks have the potential to cause significant harm to businesses and critical national infrastructure, and often prevent people from accessing essential public services,” said the NCA. 

Alan Merrett, member of NCA’s National Cyber Crime Unit says “booter services” are a key enabler of cybercrime. “The perceived anonymity and ease of use afforded by these services means that DDoS has become an attractive entry-level crime, allowing individuals with little technical ability to commit cyber offences with ease,” he said. 

He added that traditional site takedowns and arrests are key components of law enforcement’s response to threats while adding, “We have extended our operational capability with this activity, at the same time as undermining trust in the criminal market.” 

The NCA says that it will not reveal how many sites it has or for how long they have been running. Therefore, they have urged individuals looking for these services to stay cautious as they might not know who is operating them. 

KillNet: Pro-Russian Threat Actors Claim Responsibility for 14 DDoS Attacks on U.S. Airports


On Monday, the pro-Russian hacker group ‘KillNet’ reportedly claimed to be behind DDoS attacks that temporarily took down the websites of several U.S. airports.
A similar case was witnessed at Atlanta International Airport, where users were unable to access the website for a few hours during the campaign. The attacks, however, did not have any impact on flight operations.
The Los Angeles International Airport (LAX) authority informed about a threat on their website to the Transportation Security Administration and the FBI.
"The service interruption was limited to portions of the public facing website only. No internal airport systems were compromised and there were no operational disruptions," a spokesperson stated in an emailed statement. Adding to the statement, she said the airport’s IT Team has restored all services and is investigating the cause.
Later, the hacker group apparently posted the list of the hacked airport websites on Telegram that included 14 targeted domains, urging hackers to participate in the DDoS attack.
The airport websites impacted by the group include Los Angeles International Airport (LAX), Chicago O’Hare International Airport (ORD), Hartsfield-Jackson Atlanta International Airport, Orlando International Airport (MCO), Denver International Airport (DIA), Phoenix Sky Harbor International Airport (PHX), and the sites of airports in Kentucky, Mississippi, and Hawaii.
In a Telegram post on Monday, Killnet listed other U.S. sites that could be the next potential victims of similar DDoS attacks, such as sea terminals and logistics facilities, weather monitoring centers, health care systems, subway systems, and exchanges and online trading systems.
This DDoS campaign was not KillNet's first: the group has previously targeted other countries that opposed the Russian invasion of Ukraine, including the NATO members Italy, Romania, Estonia, Lithuania, and Norway.
KillNet's DDoS attacks, and its calls for other threat actors to carry out more, are an example of what security experts see as a tendency in recent years for geopolitical tensions to spill over into cyberspace. The campaign against the US and other NATO countries reportedly began days after an explosion destroyed a section of a major bridge connecting Russia to the Crimean Peninsula.

Anonymous Hacker Targets Cobalt Strike Servers Linked to Former Conti Gang Members


An anonymous hacking group launched DDoS assaults on Cobalt Strike servers handled by former Conti ransomware members with anti-Russian texts to halt their operation. 

Earlier this year in May, the Conti ransomware gang permanently switched off its operation but its members joined other groups, such as Quantum, Hive, and BlackCat. However, former Conti members continued employing the same Cobalt Strike infrastructure to launch new attacks. 

The hackers flooded the Cobalt Strike (CS) servers used by former Conti members to control their operations with anti-Russian messages such as “Stop the war!,” “15000+ dead Russian soldiers!,” and “Be a Russian patriot!” 

According to Vitali Kremez, CEO of the cyber intelligence company Advanced Intelligence (AdvIntel), the hackers targeted at least four Cobalt Strike servers operated by former Conti gang members. 

The messages are flooding the servers at a rate of nearly two per second, disrupting the Conti ransomware operations. Kremez says that whoever is behind this activity is constantly targeting Cobalt Strike servers believed to be operated by former Conti ransomware members, resuming the flood whenever a new server is discovered. 

“Red teamers operating Cobalt Strike infrastructure to help identify gaps for organizations need to ensure that they are properly protecting their infrastructure,” stated Jerrod Piker, threat analyst at Deep Instinct. “DoS/DDoS protection is necessary as evidenced by the recent Conti group attacks, as well as advanced malware prevention, identity protection, and access control. Attackers will always look for and eventually discover low-hanging fruit, so we have to ensure that we make their discovery process as difficult as possible.” 

Conti is one of the most prolific ransomware groups of the last year along with LockBit 2.0, PYSA, and Hive, and has blocked hospital, corporate, and government agency networks while demanding ransom for sharing the decryption key as part of their name-and-shame scheme. 

After the ransomware gang sided with Russia in its February invasion of Ukraine, an anonymous pro-Ukraine hacktivist using the Twitter handle ContiLeaks released the malware source code, credentials, chat logs, and operational workflows.

Hackers getting the taste of their own medicine 

It remains unclear who is behind these messages but for the moment they’re keeping the hackers busy. Last month, the LockBit ransomware gang suffered a DDoS attack disrupting its operation. The attack was launched after the gang claimed responsibility for a hack on security firm Entrust earlier this year. 

The hackers blamed the DDoS on Entrust since the HTTPS requests came with the message to delete the company’s data. However, the halt was temporary and the ransomware gang came online with enhanced infrastructure allowing them to keep the stolen data intact even when facing distributed denial-of-service (DDoS) attacks.

Mirai Variant MooBot Botnet Exploiting D-Link Router Flaws


MooBot, a Mirai botnet variant, is transforming vulnerable D-Link devices into an army of denial-of-service bots by exploiting multiple vulnerabilities. 

Palo Alto Networks Unit 42 said in a Tuesday report, "If the devices are compromised, they will be fully controlled by attackers, who could utilize those devices to conduct further attacks such as distributed denial-of-service (DDoS) attacks."
MooBot, which was first revealed in September 2019 by Qihoo 360's Netlab team, has previously aimed at LILIN digital video recorders and Hikvision video surveillance products to broaden its network. As many as four different flaws in D-Link devices, both old and new, have paved the way for the deployment of MooBot samples in the most recent wave of attacks discovered by Unit 42 in early August 2022. These are some examples:
  • CVE-2015-2051 (CVSS score: 10.0) - D-Link HNAP SOAPAction Header Command Execution Vulnerability
  • CVE-2018-6530 (CVSS score: 9.8) - D-Link SOAP Interface Remote Code Execution Vulnerability
  • CVE-2022-26258 (CVSS score: 9.8) - D-Link Remote Command Execution Vulnerability, and
  • CVE-2022-28958 (CVSS score: 9.8) - D-Link Remote Command Execution Vulnerability
Exploiting the aforementioned flaws successfully could result in remote code execution and the retrieval of a MooBot payload from a remote host, which then decodes instructions from a command-and-control (C2) server to launch a DDoS attack on a specific IP address and port number.

Customers with D-Link appliances are strongly advised to implement the company's patches and upgrades to mitigate potential threats.

The researchers stated, "The vulnerabilities [...] have low attack complexity but critical security impact that can lead to remote code execution. Once the attacker gains control in this manner, they could take advantage by including the newly compromised devices into their botnet to conduct further attacks such as DDoS."

Taiwanese Government Sites Suffered DDoS Attacks Following Nancy Pelosi Visit


Multiple Taiwanese government sites were disrupted by distributed denial-of-service (DDoS) attacks following the much-publicized arrival of U.S. House Speaker Nancy Pelosi who became the first high-ranking U.S. official in 25 years to visit the democratic island nation. 

Pelosi reportedly met Taiwanese President Tsai Ing-wen and reiterated America’s support for the country of 24 million. 

The cyber attacks caused intermittent outages across the government English portal, some websites of the presidential office, foreign ministry, and defense ministry. 

According to Taiwan's foreign ministry, the attacks on its website and the government's English portal were linked to Chinese and Russian IP addresses that tried to access the websites up to 8.5 million times per minute. 

A separate statement from a Tsai spokesperson on Facebook said the attack had funneled 200 times more traffic than usual to the site. However, it was back up and running just 20 minutes later, it added. 

“While the PRC is more than capable of this type of attack, DDoS is fairly unsophisticated and somewhat brutish, and it's not a tool they are known to deploy,” explained Casey Ellis, founder and CTO at Bugcrowd. “China has an enormous population of very clever technologists, a large security research and hacking community, and a large government-sponsored team with offensive capability ranging from information warfare to targeted exploit development and R&D.” 

Experts believe that the attacks were likely launched by Chinese activist hackers rather than the Chinese government as retaliation for the visit of Nancy Pelosi. 

Taiwan has accused China of ramping up cyber assaults since the 2016 election of President Tsai Ing-wen, who views the island as a sovereign nation and not a part of China. In 2020, Taiwanese authorities said China-linked hackers breached at least 10 Taiwan government agencies and secured access to nearly 6,000 email accounts in an attempt to exfiltrate data. 

Earlier this year in February, Chinese APT group APT10 (aka Stone Panda, Bronze Riverside) targeted Taiwan’s financial trading sector with a supply chain attack. The malicious campaign was launched by the threat actors in November 2021, but it hit a peak between February 10 and 13 2022, Taiwanese cybersecurity firm CyCraft reported.

Mantis Botnet Behind Largest HTTPS DDoS Attack Targeting Cloudflare Users


A botnet called Mantis has been linked to record-breaking assaults targeting nearly 1,000 Cloudflare customers. 

In June 2022, DDoS mitigation firm Cloudflare disclosed that it successfully thwarted a record-breaking DDoS attack of 26 million requests per second. Just a couple of months earlier in April, Cloudflare also mitigated a previous record-breaking attack of 15.3 million requests per second. Mantis has now been linked to both attacks. 

For the attacks, the majority of traffic originated from Indonesia, the US, Brazil, and Russia with the French OVH (Autonomous System Number 16276), the Indonesian Telkomnet (ASN 7713), the US-based iboss (ASN 137922), and the Libyan Ajeel (ASN 37284) being the top source networks. In the past month alone, over 3,000 HTTP DDoS attacks have been launched against Cloudflare customers.

While previous record-setting DDoS attacks have predominately been generated from botnets that have exploited the rapid proliferation of IoT devices, the latest assaults have increased their intensity by exploiting far more powerful devices. 

Cloudflare’s Product Manager Omer Yoachimik stated that the attack last month “originated mostly from cloud service providers as opposed to residential internet service providers, indicating the use of hijacked virtual machines and powerful servers to generate the attack—as opposed to much weaker Internet of Things devices.” 

In one attack on an unnamed customer last month, more than 212 million HTTPS requests were generated from over 1,500 networks across 121 countries in under 30 seconds. 

The most impacted industry verticals include internet and telecom, media, gaming, finance, business, and shopping, of which over 20% of the attacks targeted U.S. firms, followed by Russia, Turkey, France, Poland, Ukraine, the U.K., Germany, the Netherlands, and Canada. 

According to Cloudflare researchers, the botnet is named after the mantis shrimp, which is less than 10cm in length. Despite being so small, the claws of a mantis shrimp can generate a shock wave with a force of 1,500 Newtons at speeds of 83 km/h from a standing start. 

“The Mantis botnet operates a small fleet of approximately 5,000 bots, but with them can generate a massive force — responsible for the largest HTTP DDoS attacks we have ever observed,” explained Yoachimik.

Cloudflare Mitigates a Record-Breaking DDoS Assault Peaking at 26 Million RPS


Last week, Cloudflare thwarted the largest HTTPS DDoS attack ever recorded. The attack amassed 26 million HTTPS requests per second, breaking the previous record of 15.3 million requests for that protocol set earlier this year in April. 

The attack targeted an unnamed Cloudflare customer and mainly originated from cloud service providers instead of local internet services vendors, which explains its size and indicates that hijacked virtual devices and powerful servers were exploited during the assault, Cloudflare Product Manager Omer Yoachimik disclosed in a blog post. 

To deliver the malicious traffic, nearly 5,000 devices were employed, with each endpoint generating roughly 5,200 RPS at peak. This demonstrates the power of virtual machines and servers when used for DDoS attacks, as much larger botnets cannot match even a fraction of this output. 

For example, a botnet of 730,000 devices was spotted generating nearly 1 million RPS, which makes the botnet behind the 26 million RPS DDoS attack 4,000 times stronger. 

"To contrast the size of this botnet, we've been tracking another much larger but less powerful botnet of over 730,000 devices," stated Omer Yoachimik. "The latter, larger botnet wasn't able to generate more than one million requests per second, i.e., roughly 1.3 requests per second on average per device. Putting it plainly, this botnet was, on average, 4,000 times stronger due to its use of virtual machines and servers.” 

Thirty seconds into the assault, the botnet generated over 212 million HTTPS requests from more than 1,500 networks, located in 121 nations. Most requests came from Indonesia, the US, Brazil, and Russia with the French OVH (Autonomous System Number 16276), the Indonesian Telkomnet (ASN 7713), the US-based iboss (ASN 137922), and the Libyan Ajeel (ASN 37284) being the top source networks.

According to Cloudflare, the assault was over HTTPS, making it more expensive in terms of required computational resources, as establishing a secure TLS encrypted connection costs more. Consequently, it also costs more to mitigate it. 

"HTTPS DDoS attacks are more expensive in terms of required computational resources because of the higher cost of establishing a secure TLS encrypted connection," Yoachimik explained. "Therefore, it costs the attacker more to launch the attack, and for the victim to mitigate it. We've seen very large attacks in the past over (unencrypted) HTTP, but this attack stands out because of the resources it required at its scale." 

This is one of the multiple volumetric assaults identified by Cloudflare throughout the last several years. An HTTP DDoS attack that was discovered in August 2021 saw around 17.2 million requests per second being generated. More recently, a mitigated 15.3 million rps attack that occurred in April 2022 saw around 6,000 bots being employed in order to target a Cloudflare customer who was running a crypto launchpad. 

Last year in November, Microsoft revealed that it thwarted a record-breaking 3.47 terabits per second (Tbps) DDoS attack that flooded servers used by an Azure customer from Asia with malicious packets.

Ukrainians DDoS Russian Vodka Supply Chains


According to the Russian news portal Vedomosti, Ukrainian cyber threat actors compromised Russia’s central alcohol distribution portal, the Unified State Automated Alcohol Accounting Information System (EGAIS), which is considered crucial for the distribution of alcoholic beverages across Russian regions.

EGAIS plays an important role in alcohol distribution in the nation: by law, all alcohol producers and distributors must register their shipments with EGAIS. As a result, this attack caused extensive service blockages across Russia. 

The group hit the portal with DDoS attacks launched on May 2nd and 3rd. Through the DDoS or distributed denial of service attacks, the perpetrators overwhelm servers with superfluous requests in an attempt to overload systems and render some or all legitimate requests from being fulfilled. 

According to experts, sophisticated strategies are required against this type of attack, as simply blocking a single source is insufficient. Three sites belonging to the platform were hit by DDoS attacks. 

On May 4th, two EGAIS sites showed the error “the server stopped responding,” and the third did not work at all. The attacks took place on May 2nd, and by the next day the resulting system failures had become more apparent. 

Wine trader Fort said that the site stopped working on May 4th, and the Union of Alcohol Producers, Igor Kosarev, and Ladoga representatives claimed the same. 

Fort further added that they had failed to upload about 70% of invoices to EGAIS due to the attack. Its supplies of wine to retail chains and restaurants in the region apparently failed to distribute on May 4 due to the incident. The outage impacted not only vodka distribution but wine companies faced disruption as well alongside purveyors of other types of alcohol. 

“Due to a large-scale failure, factories cannot accept tanks with alcohol, and customers, stores, and distributors cannot receive finished products that have already been delivered to them,” Vedomosti reported.

The Ukrainian threat actor group Disbalancer took responsibility for the attack and announced plans to launch more attacks on the platform.

Imperva Mitigates 2.5 million RPS Ransom DDoS Assaults Targeting Unnamed Firm


Imperva, a cyber security software and services firm on Friday claimed it thwarted a massive 2.5 million RPS (requests per second) ransom DDoS attack targeting an unnamed company. 
According to Nelli Klepfish, a security analyst at Imperva, the company against which the DDoS assault was launched received multiple ransom notes during the attack. To prevent the loss of “hundreds of millions” in market cap and to remain online, the company paid the attackers in bitcoin.  
Imperva thwarted more than 12 million embedded requests targeting random pages of the firm’s site. The next day, the attackers sent over 15 million requests to the same site, however, this time the URL contained a different message. But the attackers employed similar methodology of threatening the company’s CEO for devastating consequences, such as the company’s stock price plummeting if they refuse to pay the ransom.  
The most devastating assault is said to have lasted less than a minute, in which researchers measured 2.5 million RPS (1.5Gbps of TCP traffic in terms of bandwidth) as the highest number of requests received.  
An identical attack was sustained by one of the sister sites operated by the same firm that lasted nearly 10 minutes, even as the attackers constantly changed their attack tactics and ransom notes to avert mitigation.  
Evidence gathered by Imperva points to the DDoS assaults originating from the Mēris botnet, which has exploited a now-patched security loophole in Mikrotik routers (CVE-2018-14847) to strike targets, including Yandex, a Russia-based technology and search engine giant last September.  
"The types of sites the threat actors are after appear to be business sites focusing on sales and communications," Klepfish said. "Targets tend to be U.S.- or Europe-based with the one thing they all have in common being that they are all exchange-listed companies and the threat actors use this to their advantage by referring to the potential damage a DDoS attack could do to the company stock price."  
Imperva identified about 34,815 attack sources. In 20% of the cases Imperva observed, the attackers generated 90,000 to 750,000 RPS. The top attack sources were in Indonesia, followed by the U.S., China, Brazil, India, Colombia, Russia, Thailand, Mexico, and Argentina.  
Imperva also reported that the attackers claim to be members of REvil, the infamous ransomware-as-a-service cartel that suffered a major setback after a number of its operators were arrested by Russian law enforcement agencies in January. However, the researchers have yet to confirm whether the claims come from the original REvil operators or from an imposter.

Expert Opinion: The Consequences of the War of the Hacker Group Anonymous against Russia


Anonymous hacktivists announced on Twitter the beginning of a war with Russia over the special operation in Ukraine. The group is known for its massive DDoS attacks, disclosure of government documents, and hacking of politicians' accounts. Information security experts described how Anonymous could harm Russia. 

Information security experts are confident that a real threat may be hiding behind the Anonymous statement. "Government websites, government online services such as Gosuslugi, email, social media accounts of politicians, websites and IT infrastructure of state banks and defense companies can be attacked", said Sergey Nenakhov, head of the information security audit department of Infosecurity a Softline Company. 

According to him, this community has repeatedly engaged in hacktivism before, hacking government websites and the e-mail of politicians in different countries. It also took part in the online fight against the Islamic State organization (banned in Russia), obtaining and publishing information about members of the terrorist organization. 

Group-IB noted that the danger lies in the fact that other groups, including pro-state hacker groups targeting critical infrastructure facilities, may operate under the guise of Anonymous. 
"As for Anonymous, they act as follows: first, in public communities, for example, on Twitter, they call for attacks on certain organizations as part of a particular campaign. In order for users to easily identify these attacks, they usually use special hashtags for each event and the hashtag Anonymous. These campaigns can be joined by young hackers without professional skills and abilities. However, the strength of such actions lies precisely in the mass character of hacktivists," the company explained.

Fedor Dbar, commercial director of Security Code, believes that much will depend on whom the group will carry out the attacks. "The most serious consequences could be caused by attacks on critical information infrastructure (CII) facilities, but it cannot be said that tomorrow we will be left without electricity or electricity."

Ukraine: DDoS Attacks on State Websites Continue


Since February 23, some Ukrainian government websites have been subjected to DDoS attacks: web resources of the Ministry of Defense, the Verkhovna Rada of Ukraine, the Ministry of Foreign Affairs and others have suffered interruptions. 

The Insider publication (the organization is included in the list of foreign agents by the Ministry of Justice of Russia), referring to the data of the independent cyber analyst Snorre Fagerland, stated that the hacker group ART23 (Fancy Bear), which is attributed to links with the Main Intelligence Directorate of the Russian Federation, was behind the attacks. 

However, Igor Bederov, head of the Information and Analytical Research Department at T.Hunter, called this statement a provocation. "The investigation of a cyberattack (attribution) is a long and complex process that cannot be carried out from beginning to end in hours. Analysis of hacker software and malicious code is always a long and painstaking process," Mr. Bederov said. 

According to him, even if traces leading to Fancy Bear were indeed found, it's still impossible to say that this particular group was behind the attack. Mr. Bederov thinks that other hackers could have also taken advantage of the malware previously used by Fancy Bear. It's possible because hacker tools are openly resold on the Darknet. 

"Primary attribution is based on matching the hacker code used in today's attack with the code used in yesterday's attack, as well as special characters specific to a language group. This approach is fundamentally wrong, because the code can be stolen or bought, and the linguistic features can be imitated," said the expert. 

Mr. Bederov also noted that within the framework of pro-state activity, mainly Chinese groups like to engage in substitution of attribution. In addition, according to him, the NATO cyber intelligence center located in Tallinn was previously noticed for the substitution of attribution. 

Earlier it was reported that DDoS attacks on the website of the Ministry of Defense of Ukraine could have been deliberately set up by the United States. Earlier, Viktor Zhora, Deputy Chairman of the State Service for Special Communications and Information Protection of Ukraine, said that the government of Ukraine is ready for the scenario of forced destruction of secret data on servers. According to him, the authorities do not want to take risks and are not going to leave documentation and detailed information about the population of Ukraine to the enemy. 

He also said that if Russia gets access to government passwords, Ukrainian specialists "will quickly block access to hacked accounts."

The Russian Expert Listed the Main Signs of Smartphone Surveillance


Along with the unconditional benefits, the smart devices around us also carry a number of dangers. Thus, with the help of a smartphone, attackers can gain access to the personal data of its owner. According to Evgeny Kashkin, associate professor of the Department of Intelligent Information Security Systems at RTU MIREA, there are several signs that may indirectly indicate that your smartphone has become a spy. 

"An important point, in this case, is the requirement for applications to use a camera, microphone, as well as access to data (images and videos) on the phone during installation. Of course, you can disagree with this point during the installation, but most likely, then the application will not work at all or will work incorrectly," the expert explains. 

According to him, for a number of applications, these access rights are mandatory for work, but there are applications where "such rights for normal operation are simply absurd." For example, a home internet account status application. 

Another important factor, in his opinion, is the use of geolocation in applications. This involves not only GPS but also cellular data and connections to various web resources. On the one hand, such an approach can greatly facilitate finding the right companies within walking distance in a number of search engines; on the other hand, the cell phone conducts "total" tracking of your movements. The key question, in this case, is how the data will be used by those who collect it. 

A number of companies have gone even further in this context. They started tracking the email messages of the users. Thus, with the banal purchase of an electronic plane ticket, the system will notify you in advance of the departure date, and on the day of departure, it will build you a route to the airport, taking into account traffic jams. 

He also advises paying attention to the sudden and uneven loss of battery power. This may indicate that a malicious program is running in the background that can use the phone to carry out a DDOS attack. 

Another alarming symptom is the sudden freezing of the phone or even turning it off for no objective reason. And finally, the occurrence of noises and extraneous sounds during a conversation may also indicate that your phone is being monitored. 

During a Live Stream Ceremony, the Nobel Foundation Disclosed a DDoS attack


The Nobel Foundation and the Norwegian Nobel Institute have revealed a cyberattack on their network aimed at sabotaging the live stream of last month's award ceremony. 

The cyberattack put the websites under great stress in an attempt to prevent the updating and publishing of fresh information on the Nobel Prize and the Nobel Laureates' accomplishments. It is "a long-term threat to freedom of expression," according to the foundation. It stated that it had reported the incident to the authorities; however, no information as to who was responsible for the cyberattack has been provided. 

As the Nobel community has pointed out, the perpetrators of the DDoS assault are unknown at the moment. However, given past accusations that the Nobel panel makes arbitrary selections, one assumption is that state-backed hackers were behind the security incident.

On January 21, in a press release, the institution said, "During the Nobel Day while the prize ceremonies were being live-streamed from Oslo and Stockholm, a so-called distribution denial-of-service (DDoS) attack disrupted the and sites."

DDoS assaults swamp websites with fictitious traffic, causing outages and obstructing access to information. DDoS has also emerged as a weapon for intimidating and harassing websites. Furthermore, the Nobel Prize committee has been chastised for omitting scholars who made a significant contribution to awarded studies or for overlooking groundbreaking discoveries in favor of rewarding small findings. 

Journalist Dmitry Muratov and Rappler CEO Maria Ressa were among the Nobel laureates at Nobel Day 2021, and their keynote speeches emphasized the importance of press freedom and its role in preserving democracy in an era of fake news, disinformation, and the rise of authoritarianism around the world. 

Given the political controversies surrounding some of the Nobel Prizes bestowed by the normally prestigious Nobel Foundation, the involvement of a state-backed actor in such attacks would not be unusual.

IP Spoofing Flaw Leaves Django REST Applications Vulnerable to DDoS Attacks


Attackers used an IP spoofing flaw in Django REST to bypass the framework's throttling function, which is designed to protect apps from mass requests. 

Mozilla, Red Hat, and Heroku, among others, use Django REST as a toolkit for constructing web APIs. It includes a throttling function that limits the number of API requests a client may make. This feature protects against bot activity, denial-of-service attacks, and malicious actions such as brute-force attempts on login pages, one-time passwords, and password reset pages. 

IP addresses are used by Django REST to recognize clients and implement throttling request restrictions. Clients can, however, deceive the server and hide their IP address, according to security researcher Hosein Vita. 

He told The Daily Swig, “Django uses WSGI (web server gateway interface) to communicate with the web application, and the X-Forwarded-For HTTP header and REMOTE_ADDR WSGI variable are used to uniquely identify client IP addresses for throttling.” 

As a result, if the X-Forwarded-For header is included in a web request, the server will interpret it as the client's IP address. Vita was able to submit an endless number of requests with the same client by changing the X-Forwarded-For value. The approach only works for unauthenticated queries, according to Vita's bug report. 

APIs that require user authentication take both the user’s ID and the IP address into account when throttling, so IP spoofing is not enough to circumvent the request limits. According to Vita, the attack requires no specific server access, and an attacker who "can just see the website can abuse this method." 
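As an added illustration (not code from the article or from Django REST framework), a minimal Python model of the throttle-key choice the researcher describes: client_ident mirrors the REMOTE_ADDR / X-Forwarded-For logic with a NUM_PROXIES-style setting, and count_allowed simulates a single unauthenticated peer to compare the weak setting with the hardened ones. All function names, addresses and the proxy layout are constructed for this example.

```python
"""Throttle-key derivation for a WSGI app, as a stand-alone model.

REMOTE_ADDR is the TCP peer the server actually talked to; X-Forwarded-For
is a header any client can set.  Keying a rate limit on the raw header lets
one peer look like many clients.  Keying it on REMOTE_ADDR, or on the header
trimmed to the number of trusted proxies actually in front of the app, does
not.  (Constructed example; not the framework's own implementation.)
"""
from collections import defaultdict


def client_ident(environ, num_proxies=None):
    """Identity a throttle should count against.

    num_proxies=None -> trust X-Forwarded-For as-is (the weak setting).
    num_proxies=0    -> ignore the header, use REMOTE_ADDR only.
    num_proxies=N>0  -> take the address N hops from the right of the header,
                        i.e. the one appended by the outermost trusted proxy.
    """
    xff = environ.get("HTTP_X_FORWARDED_FOR")
    remote_addr = environ["REMOTE_ADDR"]
    if num_proxies is None:
        return "".join(xff.split()) if xff else remote_addr
    if num_proxies == 0 or not xff:
        return remote_addr
    addrs = [a.strip() for a in xff.split(",")]
    return addrs[-min(num_proxies, len(addrs))]


class SimpleRateThrottle:
    """Fixed-window counter: allow at most `limit` requests per identity."""

    def __init__(self, limit, num_proxies=None):
        self.limit = limit
        self.num_proxies = num_proxies
        self.history = defaultdict(int)

    def allow_request(self, environ):
        ident = client_ident(environ, self.num_proxies)
        self.history[ident] += 1
        return self.history[ident] <= self.limit


def count_allowed(num_proxies, behind_proxy=False, limit=30, attempts=90):
    """Simulate one peer (constructed address 203.0.113.7) sending `attempts`
    unauthenticated requests, each carrying a different X-Forwarded-For value.

    With behind_proxy=True the app sits behind one trusted reverse proxy
    (constructed address 198.51.100.1) that appends the real peer address to
    whatever header it received, as real proxies do.  Returns how many
    requests the throttle let through; `limit` is the intended ceiling.
    """
    throttle = SimpleRateThrottle(limit, num_proxies)
    allowed = 0
    for i in range(attempts):
        client_supplied = f"10.0.{i // 256}.{i % 256}"  # varies per request
        if behind_proxy:
            environ = {"REMOTE_ADDR": "198.51.100.1",
                       "HTTP_X_FORWARDED_FOR": f"{client_supplied}, 203.0.113.7"}
        else:
            environ = {"REMOTE_ADDR": "203.0.113.7",
                       "HTTP_X_FORWARDED_FOR": client_supplied}
        if throttle.allow_request(environ):
            allowed += 1
    return allowed
```

Setting the proxy count to the number of proxies actually deployed is the point: with none, only REMOTE_ADDR is trustworthy; with one, only the right-most header entry is.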

Its immediate impact could be DDoS attacks caused by fraudulent requests flooding Django servers. However, it can also be used for other objectives, such as bypassing login page defences against brute-force attacks. Vita apparently identified the flaw while pen-testing an app with a one-time password login page. 

He stated, “You could log in [to the application] with OTP but I got blocked after many attempts. After my research, I used X-Forwarded-For header, and again I could send requests but after some attempts, again I got blocked.” 

The researcher added: “From my previous background in Django, I guessed it could get bypassed by changing the value of X-Forwarded-For header, and you could send 30 requests with each IP. Then I checked that in my Django API and it was correct.” 

The Django REST team was contacted by The Daily Swig for comment on the vulnerability. Meanwhile, Vita suggests using complementary strategies to protect applications from brute-force attacks. 

He added, “Always use other aspects of security measures as secondary methods. Use Captcha or other related methods to reduce attacks like this on important endpoints. For OTPs, use a token for each generated OTP.”

Cisco Vulnerability Damages the Firewall


Positive Technologies threat experts have warned that a defect identified this week in Cisco's Firepower Threat Defense (FTD) and Adaptive Security Appliance (ASA) firewalls could be exploited for denial-of-service (DoS) attacks. 

According to Positive Technologies expert Nikita Abramov, exploiting the high-severity bug (CVE-2021-34704) requires neither elevated privileges nor special access. An attacker only needs to craft a request in which one of the fields is larger than the device expects. 

According to Cisco, the flaw is the consequence of poor input validation while parsing HTTPS requests. If abused, the problem could allow an attacker to force the device to restart, resulting in a DoS condition, the vendor said. 

This could have a significant effect on a business, Abramov noted. “If attackers disrupt the operation of Cisco ASA and Cisco FTD, a company will be left without a firewall and remote access,” he wrote in a research note. 

“If the attack is successful, remote employees or partners will not be able to access the internal network of the organization, and access from outside will be restricted. At the same time, firewall failure will reduce the protection of the company.” 

Cisco has already fixed the flaw in the most recent versions of its ASA and FTD firmware. 

Positive Technologies further advises concerned clients to use security information and event management (SIEM) solutions to prevent and identify breaches.

In August, the vendor addressed a bug in its Firepower Device Manager (FDM) On-Box software that allowed the researchers to take complete control of the company's Firepower next-generation firewalls. 

The vulnerability, identified by Abramov and threat researcher Mikhail Klyuchnikov, received a severity score of 6.3 under the standard vulnerability scoring methodology. 

The vulnerability stemmed from a flaw in Cisco's FDM On-Box representational state transfer (REST) API, allowing intruders to execute arbitrary code on the operating system of an affected device.

“To exploit this vulnerability, all attackers need to do is to obtain credentials of a user with low privileges and send a specially crafted HTTP request,” Abramov wrote. “From a technical standpoint, the vulnerability is caused by insufficient user input validation for some REST API commands.”

FBI: HelloKitty Ransomware Adds DDoS to Extortion Techniques


The FBI has released a flash notice to private industry partners, alerting them that the HelloKitty ransomware gang (also known as FiveHands) has incorporated distributed denial-of-service (DDoS) attacks into its toolbox of extortion techniques. 

The FBI claimed in a notice coordinated with the Cybersecurity and Infrastructure Security Agency (CISA) that the ransomware group would use DDoS assaults to take down its victims' official websites if they didn't pay the ransom. 

HelloKitty is also notorious for collecting and encrypting sensitive data from victims' infected servers. Later, the stolen files are then used as leverage to compel the victims to pay the ransom under the fear of the stolen material being leaked publicly on a data leak site. 

The FBI stated, "In some cases, if the victim does not respond quickly or does not pay the ransom, the threat actors will launch a Distributed Denial of Service (DDoS) attack on the victim company's public-facing website. Hello Kitty/FiveHands actors demand varying ransom payments in Bitcoin (BTC) that appear tailored to each victim, commensurate with their assessed ability to pay it. If no ransom is paid, the threat actors will post victim data to the Babuk site (payload.bin) or sell it to a third-party data broker." 

To breach the targets' networks, the group's ransomware operators would utilize a variety of tactics, including compromised credentials and recently patched security flaws in SonicWall products (e.g., CVE-2021-20016, CVE-2021-20021, CVE-2021-20022, CVE-2021-2002). 

About HelloKitty 

HelloKitty is a ransomware operation that has been active since November 2020 and was first noted by the FBI in January 2021. The group is well known for breaching and encrypting CD Projekt Red's networks in February and claiming to have stolen the source code for Cyberpunk 2077, Witcher 3, Gwent, and other games. 

The ransomware gang has also been seen utilizing a Linux version that targets VMware's ESXi virtual machine infrastructure since at least July 2021. They're just one of several ransomware gangs targeting Linux systems after enterprises switched to virtual machines for more effective resource use and easier device management. Ransomware operators may now encrypt numerous servers concurrently with a single order by targeting their virtual machines, saving time and effort. 

HelloKitty rapidly expanded its activity in July and August, shortly after commencing to use the Linux variant in assaults, as per submissions made by their victims on the ID Ransomware site. The HelloKitty ransomware, or versions of it, has also gone by the names DeathRansom and Fivehands. 

In its advisory, the FBI also included an extensive list of indicators of compromise (IOCs) to assist cybersecurity experts and system administrators in preventing attacks organized by the HelloKitty ransomware gang.

South Korean Telecom Operator Crippled by DDoS Attack


South Korean telecommunications operator KT suffered a nationwide network outage earlier this week, affecting its telephone and wireless services including phone calls, internet, and other services.

The suspected distributed denial-of-service (DDoS) attack crippled the network for almost an hour. Customers using the telco's network were unable to access the internet for around 40 minutes at around 11am on Monday. Since then, general access to the Internet has been restored for KT users in most parts of the country. 

To investigate the matter, a team of security experts from the Seoul cyber department was dispatched to KT's headquarters in Seongnam, Gyeonggi Province, just south of Seoul. Later in the day, KT restated that the outage appeared to have been caused by large-scale DDoS attacks. The firm said it is still looking for the culprits behind the DDoS and will continue to analyze the extent of the damage. 

“The telco's network was shut down due to a large-scale DDoS attack. During the outage, the company's crisis management team was working to quickly restore the network back to normal. KT is yet to figure out the extent of the damage or who was behind the DDoS attack,” a KT spokesperson stated. 

The Ministry of Science and ICT said they are keeping a close eye on the matter in collaboration with KT. However, the ministry did not confirm that the network failure was caused by a DDoS attack, but it said the other major telcos SK Telecom and LG Uplus were not affected.

Despite not being victims of the DDoS attack, SK Telecom and LG Uplus users raised complaints on social media about network outages at those telcos. Spokespersons for the two telcos said the outages were due to a sudden surge in traffic from KT users switching services because of KT’s internet outage. Both SK Telecom and LG Uplus representatives said they would be monitoring the situation closely. 

According to Science and ICT Ministry data, around 16.3 million people depended on KT for internet service as of March 2021. The last time KT suffered a network outage was in 2018, when a fire broke out at its Ahyeon branch in central Seoul. The fire caused internet and phone service disruptions in nearby areas, including the Seoul districts of Jung-gu, Yongsan-gu, and Seodaemun-gu.

Turkish National Charged for DDoS Attack on U.S. Company


Authorities in the United States have charged a Turkish national with launching distributed denial-of-service (DDoS) assaults against a Chicago-based multinational hospitality company using a now-defunct malware botnet. 

Izzet Mert Ozek, 32, is accused of launching attacks against the Chicago multinational in August 2017 using WireX, a botnet developed using Android malware. 

According to authorities, Ozek's attacks caused infected Android devices to transmit massive volumes of online traffic to the company's public website and online booking service, leading servers to crash. As per the news release from the US Department of Justice, the charges were announced on September 29 in the Northern District of Illinois. 

The press release stated, “In August 2017, IZZET MERT OZEK used the WireX botnet, which consisted of compromised Google Android devices, to direct large amounts of network traffic to the hospitality company’s website, preventing legitimate users from completing hotel bookings, according to an indictment returned Tuesday in U.S. District Court in Chicago. The hospitality company, which managed luxury hotels and resorts, was headquartered in Chicago and the servers for its website were located in northern Illinois.” 

“The indictment charges Ozek, 32, with one count of intentionally causing damage to a protected computer. Ozek is believed to be residing in Turkey, and a warrant for his arrest will be issued.” 

The official statement and indictment do not specify whether Ozek developed the WireX botnet himself or bought it from a third party. The botnet, which was created just a month earlier in July 2017, soon grew to a gigantic size of more than 120,000 bots after its creator infected Android smartphones through fraudulent Android apps. 

Coming months after the disastrous Mirai malware attacks at the end of 2016, the threat prompted the cyber-security industry to respond quickly and eliminate the emerging danger while it was still in its early phases. 

A coalition of security firms, including Akamai, Cloudflare, Flashpoint, Google, Dyn, RiskIQ, and Team Cymru, launched an investigation weeks after the attack on the Chicago multinational company to track WireX’s bots and backend infrastructure and then seize and take down its command and control systems.

Bandwidth Suffers Outages Caused by DDoS Attack


Within the last couple of days, Bandwidth has become the latest target of distributed denial of service attacks aimed at VoIP companies. 

Bandwidth, a firm providing Voice over Internet Protocol (VoIP) services to companies and resellers, revealed that it had suffered an outage, reporting the DDoS attack on Monday night, September 27. 

Bandwidth Chief Executive Officer David Morken confirmed the incident and also stated that "a number of critical communications service providers have been targeted by a rolling DDoS attack." Bandwidth began reporting unexpected disruptions to its voice and messaging services from September 25 at 3:31 p.m. EST. 

Bandwidth has since provided periodic status updates describing disruptions to voice, Enhanced 911 (E911), messaging, and portal access. As Bandwidth is among the world's largest VoIP service providers, several other VoIP suppliers, including Twilio, Accent, DialPad, and RingCentral, have experienced disruptions over the past few days. 

While it has not been established that all of those failures are linked to Bandwidth's outage, one failure report specifically cites Bandwidth, while the others say an upstream provider is involved. "While we have mitigated much-intended harm, we know some of you have been significantly impacted by this event. For that, I am truly sorry. You trust us with your mission-critical communications. There is nothing this team takes more seriously," Morken said. 

The firm continues to monitor the situation with its network services and technical teams and is actively engaging with customers to deal with any questions. The company said it would post updates to as it has further information to provide.

Since the statement was issued, the firm updated the details of a number of incoming and outgoing calling services with partial outages. 

On its Cloud Service Status page, Accent said on Tuesday that the "upstream provider continues to acknowledge the DDoS attack has returned to their network however we are seeing a very limited impact to inbound calling for our services." 

"Mitigation steps are being put in place to route inbound phone numbers around the upstream carrier the impact to service grows. We will continue to monitor the situation and update the status as appropriate," Accent wrote. 

Further, on Monday, a source said that their clients were experiencing serious issues with their migrated phone lines. The firm, a downstream reseller of Bandwidth-hosted products, claimed that because of the Bandwidth problem it knew of a major telecoms company that "was in emergency mode". 

Since VoIP services are usually routed over the internet and require public access to their servers and endpoints, they are prime targets for DDoS extortion. To carry out these DDoS assaults, attackers overwhelm the targets with more requests than they can handle, so the targeted devices and servers become unavailable to everyone else. 

"Bandwidth continues to experience a DDoS attack which is intermittently impacting our services. Our network operations and engineering teams continue active mitigation efforts to protect our network," reads a screenshot shared on Reddit. 

On Monday night, Bandwidth said that it had restored its services, although it was not apparent whether the attacks had ceased or the actors' demands had been met. It is common for cybercriminals to pause attacks temporarily while pressing their extortion demands, and on Tuesday morning the DDoS attacks resumed. 

Russian Electronic Voting System Struck by 19 DDoS Attacks in One Day


Yandex, the Russian technology and search engine powerhouse, disclosed last week that it had been hit by one of the world's biggest DDoS attacks ever recorded. 

A distributed denial-of-service (DDoS) attack involves flooding a website or service with a large amount of internet traffic until it stops working and eventually goes down. Cybercriminals have been known to create botnets and launch DDoS attacks using hacked systems or vulnerable/exposed Internet of Things (IoT) devices. 

Russia's remote electronic voting system has now become the next victim of the campaign, in what appears to be a continuation of targeted DDoS attacks. 

According to reports, the 8th Russian State Duma (lower house) elections took place between September 17 and September 19. Voters had to head to the polls to cast their vote for the heads of nine Russian regions and 39 regional parliaments. 

According to Russian news agency Tass, remote electronic voting took place in six locations, including Sevastopol and the regions of Kursk, Murmansk, Nizhny Novgorod, Rostov, and Yaroslavl. 

Around 19 DDoS attempts were thwarted, according to Mikhail Oseevsky, president of Rostelecom. The head of the country's major digital service provider told reporters at the Central Election Commission's information centre that some of the DDoS assaults were very short, spanning only a few minutes, while the longest lasted 5 hours and 32 minutes. 

“It (the DDoS attack) began early in the morning and ended in the middle of the day,” Oseevsky disclosed. 

Many of the country's digital resources, including the elections, state services websites, and the CEC's portal, were attacked, according to Oseevsky. 

He continued by stating that there had been several attempts to launch large-scale attacks on these resources. The department, however, was well prepared to combat and minimise the threat, according to the president. 

The assaults originated from a number of different countries, including: 
  • India 
  • China 
  • Brazil 
  • Russia 
  • Germany 
  • Thailand 
  • Lithuania 
  • Bangladesh 
  • United States 

According to the elections commission, three targeted cyberattacks were documented from abroad, two of which targeted the centre's main website and the third was a DDoS attack.