Showing posts with label DDOS Attack.

Cloudflare Mitigates a Record-Breaking DDoS Assault Peaking at 26 Million RPS

 

Last week, Cloudflare thwarted the largest HTTPS DDoS attack ever recorded. The attack amassed 26 million HTTPS requests per second, breaking the previous record of 15.3 million requests for that protocol set earlier this year in April. 

The attack targeted an unnamed Cloudflare customer and mainly originated from cloud service providers rather than residential internet service providers, which explains its size and indicates that hijacked virtual machines and powerful servers were used in the assault, Cloudflare Product Manager Omer Yoachimik disclosed in a blog post. 

To deliver the malicious traffic, nearly 5,000 devices were employed, with each endpoint generating roughly 5,200 RPS at peak. This shows the firepower of virtual machines and servers when used for DDoS attacks: much larger botnets of consumer devices cannot generate a fraction of this rate. 

For example, a botnet of 730,000 devices was spotted generating nearly 1 million RPS, which makes the botnet behind the 26 million RPS DDoS attack roughly 4,000 times stronger per device. 

"To contrast the size of this botnet, we've been tracking another much larger but less powerful botnet of over 730,000 devices," stated Omer Yoachimik. "The latter, larger botnet wasn't able to generate more than one million requests per second, i.e., roughly 1.3 requests per second on average per device. Putting it plainly, this botnet was, on average, 4,000 times stronger due to its use of virtual machines and servers.” 

Thirty seconds into the assault, the botnet generated over 212 million HTTPS requests from more than 1,500 networks, located in 121 nations. Most requests came from Indonesia, the US, Brazil, and Russia with the French OVH (Autonomous System Number 16276), the Indonesian Telkomnet (ASN 7713), the US-based iboss (ASN 137922), and the Libyan Ajeel (ASN 37284) being the top source networks.

According to Cloudflare, the assault was over HTTPS, making it more expensive in terms of required computational resources, as establishing a secure TLS encrypted connection costs more. Consequently, it also costs more to mitigate it. 

"HTTPS DDoS attacks are more expensive in terms of required computational resources because of the higher cost of establishing a secure TLS encrypted connection," Yoachimik explained. "Therefore, it costs the attacker more to launch the attack, and for the victim to mitigate it. We've seen very large attacks in the past over (unencrypted) HTTP, but this attack stands out because of the resources it required at its scale." 

This is one of multiple volumetric assaults identified by Cloudflare over the last several years. An HTTP DDoS attack discovered in August 2021 generated around 17.2 million requests per second. More recently, a mitigated 15.3 million RPS attack in April 2022 employed around 6,000 bots to target a Cloudflare customer running a crypto launchpad. 

Last year in November, Microsoft revealed that it thwarted a record-breaking 3.47 terabits per second (Tbps) DDoS attack that flooded servers used by an Azure customer from Asia with malicious packets.

Ukrainians DDoS Russian Vodka Supply Chains

 

According to the Russian news portal Vedomosti, Ukrainian cyber threat actors took down Russia's central alcohol distribution portal, the Unified State Automated Alcohol Accounting Information System (EGAIS), which is considered crucial for the distribution of alcoholic beverages across Russian regions.

EGAIS plays an important role in alcohol distribution in the nation. By law, all alcohol producers and distributors must register their shipments with EGAIS. Therefore, this attack caused extensive service blockage across Russia. 

The group hit the portal with DDoS attacks launched on May 2nd and 3rd. In a DDoS (distributed denial of service) attack, the perpetrators overwhelm servers with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled. 

According to experts, sophisticated defences are required against such attacks, as simply blocking a single source is insufficient. Three sites belonging to the platform were hit by DDoS attacks. 

On May 4th, two EGAIS sites showed the error "the server stopped responding," and the third did not work at all. The attacks began on May 2nd, and by the next day the system failures had become more obvious. 

Wine trader Fort said that the site stopped working on May 4th, and the Union of Alcohol Producers, Igor Kosarev, and Ladoga representatives claimed the same. 

Fort further added that it had failed to upload about 70% of its invoices to EGAIS due to the attack. Its wine supplies to retail chains and restaurants in the region apparently were not delivered on May 4 because of the incident. The outage impacted not only vodka distribution: wine companies and purveyors of other types of alcohol faced disruption as well. 

“Due to a large-scale failure, factories cannot accept tanks with alcohol, and customers, stores, and distributors cannot receive finished products that have already been delivered to them,” Vedomosti reported.

The Ukrainian threat actor group Disbalancer took responsibility for the attack and announced plans to launch more attacks on the platform.

Imperva Mitigates 2.5 million RPS Ransom DDoS Assaults Targeting Unnamed Firm

 

Imperva, a cybersecurity software and services firm, said on Friday that it thwarted a massive 2.5 million RPS (requests per second) ransom DDoS attack targeting an unnamed company. 
 
According to Nelli Klepfish, a security analyst at Imperva, the company against which the DDoS assault was launched received multiple ransom notes during the attack. To prevent the loss of “hundreds of millions” in market cap and to remain online, the company paid the attackers in bitcoin.  
 
Imperva thwarted more than 12 million embedded requests targeting random pages of the firm's site. The next day, the attackers sent over 15 million requests to the same site; this time the URL contained a different message, but the attackers employed a similar methodology, threatening the company's CEO with devastating consequences, such as the company's stock price plummeting, if the ransom was not paid.  
 
The most devastating assault is said to have lasted less than a minute, in which researchers measured 2.5 million RPS (1.5Gbps of TCP traffic in terms of bandwidth) as the highest number of requests received.  
 
An identical attack was sustained by one of the sister sites operated by the same firm and lasted nearly 10 minutes, even as the attackers constantly changed their tactics and ransom notes to evade mitigation.  
 
Evidence gathered by Imperva points to the DDoS assaults originating from the Mēris botnet, which has exploited a now-patched security flaw in MikroTik routers (CVE-2018-14847) to strike targets, including Yandex, the Russian technology and search engine giant, last September.  
 
"The types of sites the threat actors are after appear to be business sites focusing on sales and communications," Klepfish said. "Targets tend to be U.S.- or Europe-based with the one thing they all have in common being that they are all exchange-listed companies and the threat actors use this to their advantage by referring to the potential damage a DDoS attack could do to the company stock price."  
 
Imperva identified about 34,815 attack sources. In 20% of the cases it observed, the attackers generated between 90,000 and 750,000 RPS. The top attack sources were Indonesia, followed by the U.S., China, Brazil, India, Colombia, Russia, Thailand, Mexico, and Argentina.  
 
Imperva also noted that the attackers claim to be members of REvil, the infamous ransomware-as-a-service cartel that suffered a major setback after a number of its operators were arrested by Russian law enforcement agencies earlier this January. However, the researchers have yet to confirm whether the claims come from the original REvil operators or an impostor.

Expert Opinion: The Consequences of the War of the Hacker Group Anonymous against Russia

 

Anonymous hacktivists announced on Twitter the start of a war with Russia over the special operation in Ukraine. The group is known for its massive DDoS attacks, publication of government documents, and hacking of politicians' accounts. Information security experts explained how Anonymous could harm Russia. 


Information security experts are confident that a real threat may be hiding behind the Anonymous statement. "Government websites, government online services such as Gosuslugi, email, social media accounts of politicians, websites and IT infrastructure of state banks and defense companies can be attacked," said Sergey Nenakhov, head of the information security audit department of Infosecurity, a Softline company. 

According to him, this community has repeatedly engaged in hacktivism, hacking government websites and politicians' e-mail accounts in various countries. It was also active in the online fight against the Islamic State organization (banned in Russia), obtaining and publishing information about members of the terrorist organization. 

Group-IB noted that the danger lies in the fact that other groups, including pro-state hacker groups targeting critical infrastructure facilities, may operate under the guise of Anonymous. 
"As for Anonymous, they act as follows: first, in public communities, for example, on Twitter, they call for attacks on certain organizations as part of a particular campaign. In order for users to easily identify these attacks, they usually use special hashtags for each event and the hashtag Anonymous. These campaigns can be joined by young hackers without professional skills and abilities. However, the strength of such actions lies precisely in the mass character of hacktivists," the company explained.

Fedor Dbar, commercial director of Security Code, believes that much will depend on whom the group attacks. "The most serious consequences could be caused by attacks on critical information infrastructure (CII) facilities, but it cannot be said that tomorrow we will be left without electricity or electricity."

Ukraine: DDoS Attacks on State Websites Continue

 

Since February 23, some Ukrainian government websites have been subjected to DDoS attacks: web resources of the Ministry of Defense, the Verkhovna Rada of Ukraine, the Ministry of Foreign Affairs and others have suffered interruptions. 

The Insider publication (the organization is included in the list of foreign agents by the Ministry of Justice of Russia), citing data from the independent cyber analyst Snorre Fagerland, stated that the hacker group APT28 (Fancy Bear), which is believed to be linked to the Main Intelligence Directorate of the Russian Federation, was behind the attacks. 

However, Igor Bederov, head of the Information and Analytical Research Department at T.Hunter, called this statement a provocation. "The investigation of a cyberattack (attribution) is a long and complex process that cannot be carried out from beginning to end in hours. Analysis of hacker software and malicious code is always a long and painstaking process," Mr. Bederov said. 

According to him, even if traces leading to Fancy Bear were indeed found, it's still impossible to say that this particular group was behind the attack. Mr. Bederov thinks that other hackers could have also taken advantage of the malware previously used by Fancy Bear. It's possible because hacker tools are openly resold on the Darknet. 

"Primary attribution is based on matching the hacker code used in today's attack with the code used in yesterday's attack, as well as special characters specific to a language group. This approach is fundamentally wrong, because the code can be stolen or bought, and the linguistic features can be imitated," said the expert. 

Mr. Bederov also noted that within pro-state activity, it is mainly Chinese groups that like to engage in attribution substitution (false flags). In addition, according to him, the NATO cyber intelligence center located in Tallinn has previously been noticed engaging in attribution substitution. 

Earlier it was reported that DDoS attacks on the website of the Ministry of Defense of Ukraine could have been deliberately set up by the United States. Earlier, Viktor Zhora, Deputy Chairman of the State Service for Special Communications and Information Protection of Ukraine, said that the government of Ukraine is ready for the scenario of forced destruction of secret data on servers. According to him, the authorities do not want to take risks and are not going to leave documentation and detailed information about the population of Ukraine to the enemy. 

He also said that if Russia gets access to government passwords, Ukrainian specialists "will quickly block access to hacked accounts."

The Russian Expert Listed the Main Signs of Smartphone Surveillance

 

Along with the unconditional benefits, the smart devices around us also carry a number of dangers. Thus, with the help of a smartphone, attackers can gain access to the personal data of its owner. According to Evgeny Kashkin, associate professor of the Department of Intelligent Information Security Systems at RTU MIREA, there are several signs that may indirectly indicate that your smartphone has become a spy. 

"An important point, in this case, is the requirement for applications to use a camera, microphone, as well as access to data (images and videos) on the phone during installation. Of course, you can disagree with this point during the installation, but most likely, then the application will not work at all or will work incorrectly," the expert explains. 

According to him, for a number of applications, these access rights are mandatory for work, but there are applications where "such rights for normal operation are simply absurd." For example, a home internet account status application. 

Another important factor, in his opinion, is the use of geolocation in applications. This is not only about GPS, but also the use of cellular data and connections to various web resources. Such an approach, on the one hand, makes it easy to find nearby businesses in a number of search engines, but, on the other hand, the cell phone conducts "total" tracking of your movements. The key question, in this case, is how the data will be used by those who collect it. 

A number of companies have gone even further in this context: they have started tracking users' email messages. Thus, with something as ordinary as buying an electronic plane ticket, the system will notify you in advance of the departure date, and on the day of departure it will build you a route to the airport, taking traffic jams into account. 

He also advises paying attention to sudden and uneven loss of battery power. This may indicate that a malicious program is running in the background, which could use the phone to take part in a DDoS attack. 

Another alarming symptom is the sudden freezing of the phone or even turning it off for no objective reason. And finally, the occurrence of noises and extraneous sounds during a conversation may also indicate that your phone is being monitored. 

During a Live Stream Ceremony, the Nobel Foundation Disclosed a DDoS attack

 

The Nobel Foundation and the Norwegian Nobel Institute have revealed a cyberattack on their networks intended to sabotage the livestream of last month's award ceremony. 

The cyberattack put the websites under great stress in an attempt to prevent the updating and publishing of fresh information on the Nobel Prize and the Nobel Laureates' accomplishments. It is "a long-term threat to freedom of expression," according to the foundation. It stated that it had reported the incident to the authorities; however, no information as to who was responsible for the cyberattack has been provided. 

As the Nobel community has pointed out, the perpetrators of the DDoS assault are unknown at the moment. However, given past accusations that the Nobel panel makes arbitrary selections, state-backed hackers are assumed to have been behind the security incident.

On January 21, in a press release, the institution said, "During the Nobel Day while the prize ceremonies were being live-streamed from Oslo and Stockholm, a so-called distributed denial-of-service (DDoS) attack disrupted the www.nobelprize.org and www.nobelpeaceprize.org sites."
 
DDoS assaults swamp websites with fictitious traffic, causing outages and obstructing access to information. It has also emerged as a weapon for intimidating and harassing websites. Furthermore, the Nobel Prize committee has been chastised for omitting scholars who made a significant contribution to awarded studies or for overlooking groundbreaking discoveries in favor of rewarding small findings. 

Journalist Dmitry Muratov and Rappler CEO Maria Ressa were among the Nobel laureates at Nobel Day 2021, and their keynote speeches emphasized the importance of press freedom and its role in preserving democracy in an era of fake news, disinformation, and the rise of authoritarianism around the world. 

Given the political controversies surrounding some of the Nobel Prizes bestowed by the normally prestigious Nobel Foundation, the involvement of a state-backed actor in such attacks would not be unusual.

IP Spoofing Flaw Leaves Django REST Applications Vulnerable to DDoS Attacks

 

Attackers used an IP spoofing flaw in the Django REST framework to bypass its throttling function, which is designed to protect apps from floods of requests. 

Mozilla, Red Hat, and Heroku, among others, use Django REST as a toolkit for constructing web APIs. It includes a throttling function that limits the number of API requests a client may make. This feature protects against bot activity, denial-of-service attacks, and malicious actions such as brute-force attempts on login pages, one-time passwords, and password reset pages. 

IP addresses are used by Django REST to recognize clients and implement throttling request restrictions. Clients can, however, deceive the server and hide their IP address, according to security researcher Hosein Vita. 

He told The Daily Swig, "Django uses WSGI (web server gateway interface) to communicate with the web application, and the X-Forwarded-For HTTP header and the REMOTE_ADDR WSGI variable are used to uniquely identify client IP addresses for throttling." 

As a result, if the X-Forwarded-For header is included in a web request, the server will interpret it as the client's IP address. Vita was able to submit an endless number of requests from the same client by changing the X-Forwarded-For value. The approach only works for unauthenticated requests, according to Vita's bug report. 

APIs that require user authentication take both the user's ID and the IP address into account when throttling, so IP spoofing is not enough to circumvent the request limits. According to Vita, the attack requires no specific server access, and an attacker who "can just see the website can abuse this method." 

Its immediate impact could be DDoS attacks caused by fraudulent requests flooding Django servers. However, it can also be used for other objectives, such as bypassing login page defences against brute-force attacks. Vita apparently identified the flaw while pen-testing an app with a one-time password login page. 

He stated, “You could log in [to the application] with OTP but I got blocked after many attempts. After my research, I used X-Forwarded-For header, and again I could send requests but after some attempts, again I got blocked.” 

The researcher added: “From my previous background in Django, I guessed it could get bypassed by changing the value of X-Forwarded-For header, and you could send 30 requests with each IP. Then I checked that in my Django API and it was correct.” 

The Django REST team was contacted by The Daily Swig for comment on the vulnerability. Meanwhile, Vita suggests using complementary strategies to protect applications from brute-force attacks. 

He added, "Always use other aspects of security measures as secondary methods. Use Captcha or other related methods to reduce attacks like this on important endpoints. For OTPs, use a token for each generated OTP."
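The throttling weakness described above comes down to where the "client IP" key is taken from. The following is an added example, not the Django REST framework's own code: a minimal per-client request throttle implemented twice. The naive version trusts whatever X-Forwarded-For says, so a single TCP peer can reset its counter by rotating the header; the hardened version honours the header only when the request arrived through a proxy we operate, and takes the client address from the right-hand end of the chain, so values supplied by the client are ignored. The proxy and client addresses, the 200-request run and the 30-per-IP limit (the figure quoted by the researcher) are all constructed for the demonstration.

```python
"""Added example, not the Django REST framework's own code: a tiny
per-client request throttle keyed on the client IP address, in a naive
form that trusts any X-Forwarded-For header and a hardened form that
only honours the header behind a known reverse proxy."""
from collections import defaultdict

# Constructed per-client limit; the article quotes 30 requests per IP.
RATE_LIMIT = 30

# Constructed address of the reverse proxy that fronts the application.
TRUSTED_PROXIES = {"10.0.0.1"}


def naive_client_ip(headers, remote_addr):
    """Vulnerable pattern: the first X-Forwarded-For hop is taken at face
    value, whoever sent it."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def hardened_client_ip(headers, remote_addr, trusted_proxies=TRUSTED_PROXIES):
    """Honour X-Forwarded-For only when the TCP peer is one of our proxies.
    Each proxy appends the address it received the request from, so the
    real client is the rightmost hop that is not one of our own proxies;
    anything to the left of it was supplied by the client and is ignored."""
    if remote_addr not in trusted_proxies:
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    while hops and hops[-1] in trusted_proxies:
        hops.pop()
    return hops[-1] if hops else remote_addr


class Throttle:
    """Counter per client identity (time-window expiry omitted for brevity)."""

    def __init__(self, limit, ident_fn):
        self.limit = limit
        self.ident_fn = ident_fn
        self.counts = defaultdict(int)

    def allow(self, headers, remote_addr):
        key = self.ident_fn(headers, remote_addr)
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def simulate(throttle, n_requests, remote_addr, rotate_header):
    """Send n_requests from one TCP peer and return how many get through.
    With rotate_header=True every request carries a different X-Forwarded-For."""
    allowed = 0
    for i in range(n_requests):
        headers = {"X-Forwarded-For": f"203.0.113.{i % 250}"} if rotate_header else {}
        if throttle.allow(headers, remote_addr):
            allowed += 1
    return allowed


def run_demo(n_requests=200):
    """Same rotating-header traffic from a direct (non-proxy) peer against
    both throttles. Returns (allowed_by_naive, allowed_by_hardened)."""
    naive = Throttle(RATE_LIMIT, naive_client_ip)
    hardened = Throttle(RATE_LIMIT, hardened_client_ip)
    peer = "198.51.100.7"  # constructed client address, not a trusted proxy
    return simulate(naive, n_requests, peer, True), simulate(hardened, n_requests, peer, True)


if __name__ == "__main__":
    print("allowed (naive, hardened):", run_demo())  # (200, 30)
```

Running it shows the naive throttle letting all 200 requests through, because each carries a fresh header value and so lands in a fresh bucket, while the hardened throttle keys every request on the real peer address and stops at 30. The same right-to-left rule is what Django REST framework's own throttling applies when the NUM_PROXIES setting is configured; without a proxy count, or when the application is not actually behind a proxy, the header should not be consulted at all.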

Cisco Vulnerability Damages the Firewall

 

Positive Technologies threat experts have warned that a defect identified this week in Cisco's Firepower Threat Defense (FTD) and Adaptive Security Appliance (ASA) firewalls could potentially contribute to denial-of-service (DoS) attacks. 

According to Positive Technologies expert Nikita Abramov, the high-severity bug (CVE-2021-34704) does not require elevated privileges or special access to exploit. An attacker only needs to craft a request in which one of the parts is larger than the device expects. 

According to Cisco, the flaw is the consequence of insufficient input validation while parsing HTTPS requests. If exploited, the problem could allow an attacker to force the device to reload, resulting in a DoS condition, the vendor said. 

This could have a significant effect on a business, Abramov noted. "If attackers disrupt the operation of Cisco ASA and Cisco FTD, a company will be left without a firewall and remote access," he wrote in a research note. 

“If the attack is successful, remote employees or partners will not be able to access the internal network of the organization, and access from outside will be restricted. At the same time, firewall failure will reduce the protection of the company.” 

Cisco has already fixed the flaw in the most recent versions of its ASA and FTD firmware. 

Positive Technologies further advises concerned clients to use security information and event management (SIEM) solutions to identify and prevent breaches.

In August, the vendor addressed a bug in its Firepower Device Manager (FDM) On-Box software that allowed researchers to take complete control of the company's Firepower next-generation firewalls. 

The vulnerability, identified by Abramov and threat researcher Mikhail Klyuchnikov, received a CVSS severity score of 6.3. 

The vulnerability, in the FDM On-Box representational state transfer (REST) API, allowed intruders to execute arbitrary code on the operating system of a compromised device.

“To exploit this vulnerability, all attackers need to do is to obtain credentials of a user with low privileges and send a specially crafted HTTP request,” Abramov wrote. “From a technical standpoint, the vulnerability is caused by insufficient user input validation for some REST API commands.”

FBI: HelloKitty Ransomware Adds DDoS to Extortion Techniques

 

The FBI has released a flash notice to private industry partners, alerting them that the HelloKitty ransomware gang (also known as FiveHands) has incorporated distributed denial-of-service (DDoS) attacks into its toolbox of extortion techniques. 

The FBI claimed in a notice coordinated with the Cybersecurity and Infrastructure Security Agency (CISA) that the ransomware group would use DDoS assaults to take down its victims' official websites if they didn't pay the ransom. 

HelloKitty is also notorious for stealing and encrypting sensitive data from victims' infected servers. The stolen files are then used as leverage to compel the victims to pay the ransom under threat of the material being leaked publicly on a data leak site. 

The FBI stated, "In some cases, if the victim does not respond quickly or does not pay the ransom, the threat actors will launch a Distributed Denial of Service (DDoS) attack on the victim company's public-facing website. Hello Kitty/FiveHands actors demand varying ransom payments in Bitcoin (BTC) that appear tailored to each victim, commensurate with their assessed ability to pay it. If no ransom is paid, the threat actors will post victim data to the Babuk site (payload.bin) or sell it to a third-party data broker." 

To breach the targets' networks, the group's ransomware operators would utilize a variety of tactics, including compromised credentials and newly fixed security flaws in SonicWall products (e.g., CVE-2021-20016, CVE-2021-20021, CVE-2021-20022, CVE-2021-2002). 

About HelloKitty 

HelloKitty is a ransomware operation that has been active since November 2020 and was first identified by the FBI in January 2021. The group is well known for breaking into and encrypting CD Projekt Red's networks in February and claiming to have stolen the source code for Cyberpunk 2077, The Witcher 3, Gwent, and other games. 

The ransomware gang has also been seen using a Linux version that targets VMware's ESXi virtual machine infrastructure since at least July 2021. They are one of several ransomware gangs targeting Linux systems now that enterprises have switched to virtual machines for more efficient resource use and easier device management. By targeting the hypervisor, ransomware operators can encrypt numerous servers concurrently with a single command, saving time and effort. 

HelloKitty rapidly expanded its activity in July and August, shortly after it began using the Linux variant in attacks, according to submissions made by victims to the ID Ransomware site. The HelloKitty ransomware, or versions of it, has also gone by the names DeathRansom and FiveHands. 

In its advisory, the FBI also included an extensive list of indicators of compromise (IOCs) to assist cybersecurity experts and system administrators in preventing attacks by the HelloKitty ransomware group.

South Korean Telecom Operator Crippled by DDoS Attack

 

South Korean telecommunications operator KT suffered a nationwide network outage earlier this week, affecting its fixed-line and wireless services, including phone calls and internet access.

The suspected distributed denial-of-service (DDoS) attack crippled the network for almost an hour. Customers using the telco's network were unable to access the internet for around 40 minutes at around 11am on Monday. Since then, general access to the Internet has been restored for KT users in most parts of the country. 

To investigate the matter, a team of security experts from the Seoul cyber department was dispatched to KT's headquarters in Seongnam, Gyeonggi Province, just south of Seoul. Later in the day, KT restated that the outage appeared to have been caused by large-scale DDoS attacks. The firm said it is still looking for the culprits behind the DDoS and will continue to analyze the extent of the damage. 

"The telco's network was shut down due to a large-scale DDoS attack. During the outage, the company's crisis management team was working to quickly restore the network back to normal. KT is yet to figure out the extent of the damage or who was behind the DDoS attack," a KT spokesperson stated. 

The Ministry of Science and ICT said it is keeping a close eye on the matter in collaboration with KT. The ministry did not confirm that the network failure was caused by a DDoS attack, but it said the other major telcos, SK Telecom and LG Uplus, were not affected.

Despite not being victims of the DDoS attack, SK Telecom and LG Uplus users raised complaints on social media about network outages at those telcos. Spokespersons for both said the outages were due to a sudden surge in traffic from KT users switching their services because of KT's internet outage. Both SK Telecom and LG Uplus representatives said they would be monitoring the situation closely. 

According to Science and ICT Ministry data, around 16.3 million people depended on KT for internet service as of March 2021. The last time KT suffered a network outage was in 2018, when a fire broke out at its Ahyeon branch in central Seoul. The fire caused internet and phone service disruptions in nearby areas, including the Seoul districts of Jung-gu, Yongsan-gu, and Seodaemun-gu.

Turkish National Charged for DDoS Attack on U.S. Company

 

Authorities in the United States charged a Turkish national for launching distributed denial-of-service (DDoS) assaults against a Chicago-based multinational hospitality company using a now-defunct malware botnet. 

Izzet Mert Ozek, 32, is accused of launching attacks against the Chicago multinational in August 2017 using WireX, a botnet developed using Android malware. 

According to authorities, Ozek's attacks caused infected Android devices to transmit massive volumes of online traffic to the company's public website and online booking service, leading servers to crash. As per the news release from the US Department of Justice, the charges were announced on September 29 in the Northern District of Illinois. 

The press release stated, “In August 2017, IZZET MERT OZEK used the WireX botnet, which consisted of compromised Google Android devices, to direct large amounts of network traffic to the hospitality company’s website, preventing legitimate users from completing hotel bookings, according to an indictment returned Tuesday in U.S. District Court in Chicago. The hospitality company, which managed luxury hotels and resorts, was headquartered in Chicago and the servers for its website were located in northern Illinois.” 

“The indictment charges Ozek, 32, with one count of intentionally causing damage to a protected computer. Ozek is believed to be residing in Turkey, and a warrant for his arrest will be issued.” 

The official statement and indictment do not specify whether Ozek developed the WireX botnet himself or bought it from a third party. The botnet, created just a month earlier in July 2017, soon grew to a gigantic size of more than 120,000 bots after its creator infected Android smartphones via fraudulent Android apps. 

Coming only months after the disastrous Mirai malware attacks at the end of 2016, the cybersecurity industry responded quickly to eliminate the emerging threat while it was still in its early phases. 

A coalition of security firms, including Akamai, Cloudflare, Flashpoint, Google, Dyn, RiskIQ, and Team Cymru, launched an investigation weeks after the attack on the Chicago multinational to track WireX's bots and backend infrastructure and then seize and take down its command and control systems.

Bandwidth Suffers Outages Caused by DDoS Attack

 

Within the last couple of days, Bandwidth.com has been the latest target of distributed denial of service attacks targeting VoIP companies. 

Bandwidth, a provider of Voice over Internet Protocol (VoIP) services to companies and resellers, disclosed on Monday night, September 27, that it had suffered outages resulting from a DDoS attack. 

Bandwidth Chief Executive Officer David Morken confirmed the incident and also stated that "a number of critical communications service providers have been targeted by a rolling DDoS attack." Bandwidth first reported unexpected voice and messaging service disruptions on September 25 at 3:31 p.m. EST. 

Bandwidth has since provided periodic status updates describing disruptions to voice, Enhanced 911 (E911), messaging, and portal access. As Bandwidth is among the world's major wholesale voice service providers for VoIP firms, several other VoIP suppliers, including Twilio, Accent, DialPad, Phone.com, and RingCentral, have experienced disruptions over the past few days. 

While it has not been established that all those failures are linked to the Bandwidth outage, one outage report specifically cites Bandwidth, while the others say an upstream provider is involved. "While we have mitigated much intended harm, we know some of you have been significantly impacted by this event. For that, I am truly sorry. You trust us with your mission-critical communications. There is nothing this team takes more seriously," Morken said. 

The firm continues to monitor the situation with its network services and technical teams and is actively engaging with customers to address any questions. The company said it would post updates to status.bandwidth.com as further information becomes available.

Since the statement was issued, the firm updated the details of a number of incoming and outgoing calling services with partial outages. 

On its Cloud Service Status page, Accent said on Tuesday that the "upstream provider continues to acknowledge the DDoS attack has returned to their network however we are seeing a very limited impact to inbound calling for our services." 

"Mitigation steps are being put in place to route inbound phone numbers around the upstream carrier the impact to service grows. We will continue to monitor the situation and update the status as appropriate," Accent wrote. 

Further, on Monday, a source at a downstream reseller of Bandwidth-hosted products said that its clients were experiencing serious issues with their migrated phone lines, and that because of the Bandwidth problem, a major telecoms company it knew "was in emergency mode".

Since VoIP services are usually routed over the internet and require public access to their servers and endpoints, they are prime targets for DDoS extortion. To carry out these DDoS assaults, attackers overwhelm the targets by sending more requests than they can handle, leaving the targeted devices and servers unavailable to everyone else. 

"Bandwidth continues to experience a DDoS attack which is intermittently impacting our services. Our network operations and engineering teams continue active mitigation efforts to protect our network," reads a screenshot shared on Reddit. 

Monday night, Bandwidth said that it had restored its services, although it was not clear whether the attack had stopped or the actors' demands had been met. It is common for cybercriminals to pause attacks while pressing for extortion payments, and on Tuesday morning the DDoS attacks resumed. 

Russian Electronic Voting System Struck by 19 DDoS Attacks in One Day

 

Yandex, the Russian technology and search engine powerhouse, disclosed last week that it had been hit by one of the world's biggest DDoS attacks ever recorded. 

A distributed denial-of-service (DDoS) attack involves flooding a website or service with a large amount of internet traffic until it stops working and eventually goes down. Cybercriminals have been known to create botnets and launch DDoS attacks using hacked systems or vulnerable/exposed Internet of Things (IoT) devices. 

Russia's remote electronic voting system has now become the next victim, in what appears to be a continuation of targeted DDoS attacks. 

According to reports, the 8th Russian State Duma (lower house) elections took place between September 17 and September 19. Voters had to head to the polls to cast their vote for the heads of nine Russian regions and 39 regional parliaments. 

According to Russian news agency Tass, remote electronic voting took place in six locations, including Sevastopol and the regions of Kursk, Murmansk, Nizhny Novgorod, Rostov, and Yaroslavl. 

Around 19 DDoS attempts were thwarted, according to Mikhail Oseevsky, president of Rostelecom. The head of the country's major digital service provider told reporters at the Central Election Commission's information centre that some of the DDoS assaults were very short, lasting only a few minutes, while the longest lasted 5 hours and 32 minutes. 

“It (the DDoS attack) began early in the morning and ended in the middle of the day,” Oseevsky disclosed. 

Many of the country's digital resources, including the elections, state services websites, and the CEC's portal, were attacked, according to Oseevsky. 

He added that there had been several attempts to launch large-scale attacks on these resources, but that the department was well prepared to combat and minimise the threat. 

The assaults arose from a number of different countries which include: 
  • India 
  • China 
  • Brazil 
  • Russia 
  • Germany 
  • Thailand 
  • Lithuania 
  • Bangladesh 
  • United States 

According to the elections commission, three targeted cyberattacks were documented from abroad, two of which targeted the centre's main website and the third was a DDoS attack.

Mēris Botnet is the Perpetrator Behind the DDoS Attack that Hit Yandex

 

A new botnet dubbed Mēris has launched a record-breaking distributed denial-of-service (DDoS) attack on Russian internet company Yandex. The botnet is thought to have pounded the company's web infrastructure with millions of HTTP requests, peaking at 21.8 million requests per second (RPS), surpassing a recent botnet-powered attack that hit an unnamed Cloudflare customer in the financial industry with 17.2 million RPS last month. 

Mēris, which means "Plague" in Latvian, is a "botnet of a new kind," according to Russian DDoS mitigation provider Qrator Labs, which revealed details of the attack on Thursday. The DDoS assaults used a method known as HTTP pipelining, which lets a client (such as a web browser) open a connection to a server and send numerous requests without waiting for each response. 
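To make the pipelining behaviour described above concrete from a defender's side, here is an added example (not code from Qrator Labs or from the original post) that parses one connection's client-to-server buffer into individual HTTP/1.1 requests and flags a connection whose single read buffer holds far more requests than a browser would pipeline. The buffers, the threshold, and the host name are constructed assumptions.

```python
"""Flag HTTP/1.1 pipelining floods on a single connection (constructed example).

Assumption: `buffer` is the client-to-server bytes a server read from one
connection before it had written any response. A normal browser sends one
request and waits; a pipelining flood packs many requests into that read.
"""

# Assumed threshold: more pipelined requests than this in one read is
# treated as suspicious. Tune it against your own traffic baseline.
PIPELINE_THRESHOLD = 8


def split_requests(buffer: bytes) -> list[tuple[str, str]]:
    """Split a raw request buffer into (method, path) pairs.

    Content-Length bodies are skipped so a POST body is not mistaken for
    the next request. Chunked bodies are out of scope for this example.
    """
    requests: list[tuple[str, str]] = []
    pos = 0
    while pos < len(buffer):
        end = buffer.find(b"\r\n\r\n", pos)
        if end == -1:
            break  # incomplete request at the tail of the buffer
        head = buffer[pos:end].decode("latin-1")
        request_line, *header_lines = head.split("\r\n")
        parts = request_line.split(" ")
        if len(parts) != 3 or not parts[2].startswith("HTTP/"):
            break  # not an HTTP request line; stop parsing this buffer
        body_len = 0
        for line in header_lines:
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-length":
                body_len = int(value.strip() or 0)
        requests.append((parts[0], parts[1]))
        pos = end + 4 + body_len  # skip CRLFCRLF and the body, if any
    return requests


def assess_buffer(buffer: bytes, threshold: int = PIPELINE_THRESHOLD) -> dict:
    """Summarise one read buffer: request count, distinct paths, verdict."""
    reqs = split_requests(buffer)
    return {
        "requests": len(reqs),
        "distinct_paths": len({path for _, path in reqs}),
        "suspicious": len(reqs) > threshold,
    }


def build_request(path: str, host: str = "example.test", body: bytes = b"") -> bytes:
    """Build a minimal HTTP/1.1 request; POST when a body is given (constructed)."""
    method = "POST" if body else "GET"
    head = f"{method} {path} HTTP/1.1\r\nHost: {host}\r\n"
    if body:
        head += f"Content-Length: {len(body)}\r\n"
    return head.encode("ascii") + b"\r\n" + body


# Constructed samples: a browser-like single request versus a flood that
# pipelines 40 cache-busting GETs and a POST into one read.
BROWSER_BUFFER = build_request("/")
FLOOD_BUFFER = b"".join(build_request(f"/?q={i}") for i in range(40)) + build_request(
    "/login", body=b"user=x"
)

if __name__ == "__main__":
    print("browser:", assess_buffer(BROWSER_BUFFER))
    print("flood:  ", assess_buffer(FLOOD_BUFFER))
```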

The malicious traffic came from over 250,000 compromised hosts, mostly MikroTik network devices, with evidence pointing to a variety of RouterOS versions weaponized through as yet unknown vulnerabilities. 

"It is also clear that this particular botnet is still growing. There is a suggestion that the botnet could grow in force through password brute-forcing, although we tend to neglect that as a slight possibility. That looks like some vulnerability that was either kept secret before the massive campaign's start or sold on the black market," the researchers noted. “Mēris can overwhelm almost any infrastructure, including some highly robust networks due to the enormous RPS power that it brings along.”

According to the researchers, Mēris uses the SOCKS4 proxy on the infected device, the HTTP pipelining DDoS method, and port 5678 to launch an assault. The hacked devices are linked to MikroTik, a Latvian manufacturer of networking equipment for organisations of various sizes. Ports 2000 and 5678 were open on the majority of the attacking devices; the latter is used by MikroTik equipment for neighbour detection (MikroTik Neighbor Discovery Protocol). While MikroTik's regular service runs over the User Datagram Protocol (UDP), the hacked devices additionally have the Transmission Control Protocol (TCP) port open. 

According to Qrator Labs experts, this kind of disguise might be one of the reasons devices were hacked without their owners' knowledge. More than 328,000 hosts on the public internet responded to a search for open TCP port 5678. However, this number does not correspond to MikroTik devices alone, as Linksys equipment uses TCP on the same port.

Yandex was subjected to the largest DDoS attack in the history of the Runet

Last weekend, the largest DDoS attack in the history of the Runet was carried out on the company's servers. The record scale of the cyberattack was confirmed by the American company Cloudflare, which specializes in repelling cyber attacks and cooperates with Yandex.

The company only just repelled the DDoS attack, which continues this week. At the same time, Yandex did not disclose the specifics of the cyberattack, citing an internal audit.

"We are conducting an investigation. We are talking about a threat to infrastructure on a national scale," the source said. He could not say whether the representatives of Yandex had filed a statement with the police or the FSB.

As the Yandex representative emphasized, despite the power of the attack and the complexity of repelling it, it did not affect the operation of services or compromise the security of the company's user data.

Alexander Lyamin, CEO of Qrator Labs, said that in August and September 2021 there has been an increase in the number of DDoS attacks on companies from various sectors of the economy, from small businesses to the largest corporations.

“The Mirai botnet, which made a sensation five years ago and was built on the basis of video cameras, has returned to us. Having spent the last few weeks studying the new botnet, we can say that a completely new botnet has appeared, and it is built on the network equipment of a very popular vendor from the Baltic States. It spreads through a vulnerability in the firmware and already counts up to hundreds of thousands of infected devices," Mr. Lyamin noted.

In recent days, several massive DDoS attacks on Russian companies have been reported.

Earlier, E Hacking News reported that the largest banks in Russia were subjected to a large-scale DDoS attack. They experienced problems with payments and card services for some time.

On September 3, a failure of the social network Vkontakte was reported. According to Downdetector, complaints about problems accessing the social network began on the evening of September 2.

New Zealand Banks and Post Offices Hit by a Cyber Attack

 

On Wednesday, the websites of a number of financial institutions in New Zealand, as well as the country's national postal service, were momentarily unavailable due to a cyber-attack, according to officials. A DDoS (distributed denial of service) attack targeting a number of organizations in the nation has been reported, according to the country's Computer Emergency Response Team (CERT). 

Minister David Clark, who is in charge of the digital economy and communications, said CERT has informed him that "a number" of organizations have been compromised. “At this time, efforts to ascertain the impact of this incident are ongoing. I won’t get ahead of this process,” Clark said, in a statement. “CERT assures me it is actively engaging with affected parties to understand and monitor the situation.” 

CERT's objective is to assist businesses and government agencies on how to respond to and prevent cyber-attacks. It also collaborates with other government institutions and law enforcement, such as the National Cyber Security Centre (NCSC). 

According to local media sources, Australia and New Zealand Banking Group's (ANZ.AX) New Zealand site and NZ Post were among the websites hit by the attack. ANZ informed clients through Facebook that it was aware that some of them were unable to use online banking services. "Our tech team are working hard to get this fixed, we apologize for any inconvenience this may cause," the post said. 

The "intermittent interruptions" on NZ Post's website were caused by a problem with one of its third-party suppliers, according to the company. Several Kiwibank clients took to social media to complain of outages at the smaller institution, which is partially owned by New Zealand Post. In a Twitter post, Kiwibank apologized to clients and said it was trying to resolve "intermittent access" to its app, online banking, phone banking, and website. 

A DDoS assault overloads a website with more traffic than it can manage, causing it to fail. While the identity of the attacker and their motivation are unknown in this case, the goal might be to extract a ransom from the victim in order for the assault to be stopped. During the NZX assault, Minister for Intelligence Agencies Andrew Little expressed the government's advice: Don't pay the ransom.

The largest banks in Russia were subjected to a large-scale DDoS attack

A new large-scale DDoS attack carried out late in the evening on September 2 led to the system failure of major banks and made some of their services unavailable. Thus, a number of large banks experienced problems with payments and card services for some time.

VTB, Sberbank and Alfa-Bank withstood the attack, but their Internet provider Orange Business Services experienced significant difficulties.

"Everything that went through Internet providers, including land points that are connected by wires, ATMs, POS terminals, did not work for some time," said a bank representative.

"The IT services of our partners and their communication providers faced a DDoS attack, which affected the payment of customers in remote service channels," VTB reported.

Sberbank reported that on September 2, a failure was recorded on the side of an external service provider, which could lead to short delays in the operation of individual services.

"Some reports recorded by the Downdetector resource could be related to problems with one of the local Internet providers," Alfa-Bank reported.

Olga Baranova, Operational Director of Orange Business Services in Russia and the CIS, said that since August 9, the company's cyber threat monitoring center has been recording round-the-clock attacks on financial clients, using both volumetric attacks such as amplification and attacks over encrypted protocols (HTTPS).

"These attacks continue even now. The most powerful one was about 100 Gbps. Moreover, in terms of the number of attacks we detected, this August is comparable to the entire last year," she added.

As explained by the founder and CEO of Qrator Labs, Alexander Lyamin, amplification attacks are aimed at communication channels, while HTTPS or application-layer attacks are aimed directly at applications. "DDoS attacks of this type are the most dangerous: they are difficult to detect and neutralize since they can simulate legitimate traffic," he noted.

UK Based Firms, Voip Unlimited, And Voipfone Under DDoS Attack

 

Users of Voipfone's UK business broadband and Voice-over-Internet-Protocol (VoIP) services have reported to ISPreview.co.uk that the supplier has been facing massive service interruptions for the past couple of days, which also appear to be the consequence of a Distributed Denial of Service (DDoS) attack against its systems. 

Likewise, South Coast-based Voip Unlimited had also reported that it has been bombarded with a "colossal ransom demand" after being struck by a prolonged and large-scale DDoS attack. They believe that it was launched by the Russian cybercriminal organization REvil. 

On September 2nd, it reported that "services are operational ... however the attacks are still ongoing." 

However, at this point, it remains unclear whether any additional UK Internet Telephony Service Providers (ITSPs) have also been affected. Nevertheless, the UK Comms Council, the industry association which represents ITSPs, has warned customers about the cyberattacks and reminded them to implement "appropriate DDoS mitigation strategies." 

Mark Pillow, MD of Voip Unlimited, said that the business accepts "full responsibility of the availability of our services to our clients" and that they feel "extremely sorry for all inconvenience caused." 

He further explained: "At 2 pm 31st August, Voip Unlimited's network was the victim of an alarmingly large and sophisticated DDoS attack attached to a colossal ransom demand." 

DDoS attacks usually work by flooding a target server or end user with requests from numerous internet-connected devices (often malware-infected machines forming botnets), causing the target to crash or suffer substantial performance issues until the malicious traffic stops. Such attacks may also expose additional weaknesses that attackers can abuse. 

A number of Voip Unlimited's networks suffered "intermittent or total loss of internet connectivity services" as a result of the attack, though clients using its Voip Unlimited Ethernet and Broadband services are thought to have been mostly unaffected. 

"UK Comms Council has communicated to us that other UK SIP (Session Initiation Protocol) providers are affected and identified them as a criminal hacking organization called REvil who appear to be undertaking planned and organized DDoS attacks against VoIP companies in the UK," Pillow added. 

The sheer magnitude of the attack is not yet known, but according to an email sent by Voipfone on Tuesday and obtained by El Reg, the firm's services were "intermittently disrupted by a DDoS attack" over the Bank Holiday weekend, flooding its systems with phony traffic from tens of thousands of infected devices. 

Users have understandably become extremely frustrated at being unable to access vital telecommunication services on their return to work after the August Bank Holiday weekend. 

In a statement, Comms Council UK chair Eli Katz said, "Comms Council UK is aware of the Denial of Service attacks currently targeting IP-based communications service providers in the UK and that a small number of our members have been impacted. We have communicated the issue to our membership and are continuing to liaise closely with them to share further information and support as the situation develops." 

Likewise, an alleged DDoS attack on Iran's telecommunications networks in February caused a substantial disturbance, wiping out around 25% of the country's internet connectivity and triggering an early outage of mobile and fixed-line services.

Popular Video Game Developer Targeted in a DDoS Attack

 

Blizzard Entertainment, an American video game developer and publisher, announced on Monday that it was under a massive DDoS attack which might cause significant delays and disconnections for some gamers. The company assured gamers that it would not affect their systems and that a DDoS attack is ‘basically a clogged pipe on the internet.’ 

However, a Twitter user dismissed the company's claims, responding that the delay was caused by poor load balancing on its systems rather than a DDoS attack. His position in the game's queue was 2376, and his turn to enter the game was expected to take 54 minutes.

How does a DDoS attack work? 

A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. A DDoS attack uses more than one unique IP address or machine often from thousands of hosts infected with malware.

A distributed denial of service attack typically involves more than around 3–5 nodes on different networks; fewer nodes may qualify as a DoS attack but not as a DDoS attack. These networks consist of computers and other devices (such as IoT devices) which have been infected with malware, allowing them to be controlled remotely by an attacker. These individual devices are referred to as bots (or zombies), and a group of bots is called a botnet.

Blizzard on the hit list of the attackers

Blizzard has dealt with similar issues multiple times throughout the last year and in the early part of this year as well. When gamers attempted to play ‘World of Warcraft’ in January this year, they encountered the same issues with high latency and disconnections. Blizzard seems to have a pattern of attributing connectivity troubles to DDoS attacks. Whether the attacks are real or the result of bad system/network administration, gamers are harmed by these issues. 

Threat actors usually target prominent payment gateways and banks for denial-of-service but in recent times competitive gaming networks are also being targeted due to their popularity. The company is responsible for creating some of the popular games which include Overwatch, Diablo, World of Warcraft, StarCraft, and Warcraft.