Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label DDOS Attack. Show all posts
Technology
Broader Gateway Protocol DDOS Attack Facebook Meta Technical Glitch Technology

Technical Glitch Causes Global Disruption for Meta Users

 


In a recent setback for Meta users, a widespread service outage occurred on March 5th, affecting hundreds of thousands worldwide. Meta's spokesperson, Andy Stone, attributed the disruption to a "technical issue," apologising for any inconvenience caused.

Shortly after the incident, multiple hacktivist groups, including Skynet, Godzilla, and Anonymous Sudan, claimed responsibility. However, cybersecurity firm Cyberint revealed that the disruption might have been a result of a cyberattack, as abnormal traffic patterns indicative of a DDoS attack were detected.

The outage left Facebook and Instagram users unable to access the platforms, with many being inexplicably logged out. Some users, despite entering correct credentials, received "incorrect password" messages, raising concerns about a potential hacking event. Both desktop and mobile users, totaling over 550,000 on Facebook and 90,000 on Instagram globally, were impacted.

This isn't the first time Meta (formerly Facebook) faced such issues. In late 2021, a six-hour outage occurred when the Border Gateway Protocol (BGP) routes were withdrawn, effectively making Facebook servers inaccessible. The BGP functions like a railroad switchman, directing data packets' paths, and the absence of these routes caused a communication breakdown.

As the outage unfolded, users found themselves abruptly logged out of the platform, exacerbating the inconvenience. The disruption's ripple effect triggered concerns among users, with fears of a potential cyberattack amplifying the chaos.

It's worth noting that hacktivist groups often claim responsibility for disruptions they may not have caused, aiming to boost their perceived significance and capabilities. In this case, the true source of the disruption remains under investigation, and Meta continues to work on strengthening its systems against potential cyber threats.

In the contemporary sphere of technology, where service interruptions have become more prevalent, it is vital for online platforms to educate themselves on cybersecurity measures. Users are urged to exercise vigilance and adhere to best practices in online security, thus effectively mitigating the repercussions of such incidents.

This incident serves as a reminder of the interconnected nature of online platforms and the potential vulnerabilities that arise from technical glitches or malicious activities. Meta assures users that they are addressing the issue promptly and implementing measures to prevent future disruptions.

As the digital world persists in evolution, users and platforms alike must adapt to the dynamic landscape, emphasising the importance of cybersecurity awareness and resilient systems to ensure a secure online experience for all.




Read more »
Threat Landscape
Cyber space DDOS Attack Security Framework Technology Threat Landscape

Here's Why Robust Space Security Framework is Need of the Hour

 

Satellite systems are critical for communication, weather monitoring, navigation, Internet access, and numerous other purposes. These systems, however, suffer multiple challenges that jeopardise their security and integrity. To tackle these challenges, we must establish a strong cybersecurity framework to safeguard satellite operations.

Cyber threats to satellites 

Satellite systems suffer a wide range of threats, including denial-of-service (DoS) attacks and malware infiltration, as well as unauthorised access and damage triggered by other objects in their orbit that hinder digital communications. 

For satellite systems, these major threats can distort sensor systems, resulting in harmful actions based on inaccurate data. For example, a faulty sensor system could cause a satellite's orbit path to collide with another satellite or natural space object. If a sensor system fails, it may result in the failure of other space and terrestrial systems that rely on it. Jamming or sending unauthorised satellite guidance and control commands has the potential to destroy other orbiting space spacecraft.

DoS attacks can lead satellites to become unresponsive or, worse, shut down. Satellite debris fallout could pose a physical safety risk and damage to other countries' space vehicles or the earth. Malware installed within systems via insufficiently secured access points may have an influence on the satellite and spread to other systems with which it communicates. 

Many of the 45,000 satellites have been in service for years and have minimal (if any) built-in cybersecurity protection. Consider the Vanguard 1 (1958 Beta 2), a small, solar-powered satellite that orbits Earth. It was launched by the United States on March 17, 1958, and is the oldest satellite still orbiting the earth.

Given potential risks that satellites face, a comprehensive cybersecurity strategy is required to mitigate such risks. Engineering universities and tech organisations must also work with government agencies and other entities that design and build satellites to develop and execute a comprehensive cybersecurity, privacy, and resilience framework to regulate industries that are expanding their use of space vehicles. 

Cybersecurity framework

The NIST Cybersecurity Framework (CSF) outlines five critical processes for mitigating common threats, including those related with satellite systems: identify, protect, detect, respond, and recover.

Identify

First, identify the satellite data, individuals, personnel, systems, and facilities that support the satellite's uses goals, and objectives. Document the location of each satellite, as well as the links between each satellite component and other systems. Knowing which data is involved and how it is encrypted can help with contingency, continuity, and disaster recovery planning. Finally, understand your risk landscape and any elements that may affect the mission so that you can plan for and avoid potential incidents. This information will aid in the successful management of cybersecurity risk for satellite systems and its associated components, assets, data, and capabilities. 

Protect

Using the recently identified data, choose, develop, and implement the satellite's security ecosystem to best protect all of its components and associated services. Be aware that traditional space operations and vehicles typically rely on proprietary software and hardware that were not intended for a highly networked satellite, cyber, and data environment. As a result, legacy components may lack certain security measures. As a result, create, design, and use verification procedures to prevent loss of assurance or functionality in satellite systems' physical, logical, and ground parts, as well as to allow for response to and recovery from cybersecurity incidents. To protect satellite systems, physical and logical components must be secured, access limits monitored, and cybersecurity training made available.

Detect 

Create and implement relevant actions to monitor satellite systems, connections, and physical components for unforeseen incidents and alert users and applications of their detection. Use monitoring to spot anomalies within space components, and put in place a strategy for dealing with them. Use many sensors and sources to correlate events, monitor satellite information systems, and maintain access to ground segment facilities in order to detect potential security breaches. 

Respond

Take appropriate actions to mitigate the impact of a cybersecurity attack or unusual incident on a satellite system, ground network, or digital ecosystem. Cybersecurity teams should inform key stakeholders regarding the incident and its implications. They should also put in place systems for responding to and mitigating new, known, and anticipated threats or vulnerabilities, as well as continuously improving these processes based on lessons learned. 

Recover 

Create and implement necessary activities to preserve cybersecurity and resilience, as well as to restore any capabilities or services that have been impaired as a result of a cybersecurity event. The objectives are to quickly restore satellite systems and associated components to normal functioning, return the organisation to its appropriate operational state, and prevent the same type of incident from recurring.

As our world continues to rely on satellite technology, cyber threats will emerge and adapt. It is critical to safeguard these systems by developing a comprehensive cybersecurity framework that outlines the way to design, create, and operate them. Such a structure enables organisations to respond effectively to incidents, recover swiftly from interruptions, and remain ahead of potential threats.
Read more »
Threat Landscape
Cyber Crime DDOS Attack Online Security Online Traffic Threat Landscape

Hackers are Launching DDoS Attacks During Peak Business Hours

 

Threat groups' tactics to avoid detection and cause harm are becoming increasingly sophisticated. Many security practitioners have seen distributed denial-of-service (DDoS) attacks carried out during peak business hours, when firms are more likely to be understaffed and caught off guard.

DDoS attacks are a year-round threat, but we've seen an increase in attacks around the holiday season. Microsoft mitigated an average of 1,435 assaults per day in 2022. These attacks peaked on September 22, 2022, with roughly 2,215 documented attacks, and continued at a greater volume until the last week of December. From June to August, the number of attacks were reduced.

One reason for this trend could be that many organisations operate with fewer security staff and limited resources to monitor their networks and apps during the holidays. The huge volume of traffic and income made by organisations during this peak business season make this time of year even more tempting to attackers. 

Cybercriminals frequently take advantage of this opportunity to carry out lucrative attacks at a low cost. A DDoS assault can be ordered via a DDoS subscription service for as little as $5 under a cybercrime-as-a-service business model. In the meantime, small and medium-sized businesses spend an average of $120,000 to restore services and manage operations during a DDoS attack. 

With this knowledge, security teams can take preemptive steps to fight against DDoS assaults during busy business seasons. Continue reading to find out how. 

Understanding the varieties of DDoS attacks 

Before we can discuss how to protect against DDoS attacks, we must first comprehend what they are. DDoS attacks are classified into three groups, each with its own set of cyberattacks. Attackers can utilise a variety of attack types against a network, including those from distinct categories. 

The first type of attack is a volumetric attack. This type of attack focuses on bandwidth and is intended to overload the network layer with traffic. A domain name server (DNS) amplification attack, which leverages open DNS servers to flood a target with DNS answer traffic, is one example.

Then there are protocol attacks. This category primarily targets resources by exploiting flaws in the protocol stack's Layers 3 and 4. A protocol attack may be a synchronisation packet flood (SYN) attack, which uses all available server resources, rendering the server unusable. 

The last type of DDoS assault is resource layer attacks. This category is meant to disrupt data flow between hosts by targeting Web application packets. Consider an HTTP/2 Rapid Reset attack, for example. In this case, the attack delivers a predetermined amount of HTTP requests followed by RST_STREAM. This pattern is then repeated to produce a large volume of traffic on the targeted HTTP/2 servers.
Read more »
OpenAI
Anonymous Sudan ChatGPT Cyber Attacks DDoS DDOS Attack Hacktivists OpenAI

OpenAI Reveals ChatGPT is Being Attacked by DDoS


AI organization behind ChatGPT, OpenAI, has acknowledged that distributed denial of service (DDoS) assaults are to blame for the sporadic disruptions that have plagued its main generative AI product.

As per the developer’s status page, ChatGPT and its API have been experiencing "periodic outages" since November 8 at approximately noon PST.

According to the most recent update published on November 8 at 19.49 PST, OpenAI said, “We are dealing with periodic outages due to an abnormal traffic pattern reflective of a DDoS attack. We are continuing work to mitigate this.”

While the application seemed to have been operating normally, a user of the API reported seeing a "429 - Too Many Requests" error, which is consistent with OpenAI's diagnosis of DDoS as the cause of the issue.

Hacktivists Claim Responsibility 

Hacktivist group Anonymous Sudan took to Telegram, claiming responsibility of the attacks. 

The group claimed to have targeted OpenAI specifically because of its support for Israel, in addition to its stated goal of going against "any American company." The nation has recently been under heavy fire for bombing civilians in Palestine.

The partnership between OpenAI and the Israeli occupation state, as well as the CEO's declaration that he is willing to increase investment in Israel and his multiple meetings with Israeli authorities, including Netanyahu, were mentioned in the statement.

Additionally, it asserted that “AI is now being used in the development of weapons and by intelligence agencies like Mossad” and that “Israel is using ChatGPT to oppress the Palestinians.”

"ChatGPT has a general biasness towards Israel and against Palestine," continued Anonymous Sudan.

In what it described as retaliation for a Quran-burning incident near Turkey's embassy in Stockholm, the group claimed responsibility for DDoS assaults against Swedish companies at the beginning of the year.

Jake Moore, cybersecurity advisor to ESET Global, DDoS mitigation providers must continually enhance their services. 

“Each year threat actors become better equipped and use more IP addresses such as home IoT devices to flood systems, making them more difficult to protect,” says Jake.

“Unfortunately, OpenAI remains one of the most talked about technology companies, making it a typical target for hackers. All that can be done to future-proof its network is to continue to expect the unexpected.”  

Read more »
Medusa Ransomware
AT Auckland Transport Auckland Transport attack Cyber Attacks DDOS Attack Medusa Attacks Medusa Ransomware

Auckland Transport Suffers Another Ransomware Attack, Mobile App and Website Affected


Official website of Auckland Transport has suffered another cyberattack where their mobile app and live departure displays have been compromised. 

The spokesperson for Auckland Transport (AT) said they believed this attack was is in fact linked to the most recent one, in which a ransomware gang known as Medusa demanded a US $1 million ransom and threatened to post AT's data online if it was not paid.

“The current issue is a malicious attempt to disrupt the traffic to our website, by overwhelming it with a flood of internet traffic - a distributed denial-of-service attack,” the spokesperson stated. “Customers are experiencing intermittent issues accessing our website, AT Mobile App, AT Park, Journey Planner and public information displays[…]We are working to maintain security and access to our website but anticipate these issues unfortunately may be ongoing for some time.”

AT further confirmed that it is “confident” that no customer data or financial details have been stolen.

Medusa's Attack on AT

AT was attacked by the Medusa ransomware gang on September 14. Dean Klimpton, the CEO of AT, responded to a Herald report on Medusa's attack where the attackers had threatened to post AT data on the dark web if a US$1 million ($1.7 million) ransom was not paid. 

“AT is aware that Medusa has publicly announced a ransom for data,” Klimpton said. “We have no interest in engaging with this illegal and malicious activity,” he added.

Klimpton further notes that there is a sign indicating that personal or financial data has been compromised in the September attack.

DDoS Attack

A distributed denial of service (DDoS) attack involves an army of bots that gain access to a website simultaneously, preventing ordinary users from accessing it. 

A distributed denial of service (DDoS) attack involves an army of bots that try to access a website simultaneously, overwhelming it and rendering it inaccessible to regular users. Cybersecurity professionals compared it to sheep blocking a country road. Users are blocked, but no data is at risk.

The DDoS attack this afternoon is Medusa's vengeful response to AT's unwillingness to pay the cyber ransom; it poses no harm to any data.

Also, AT’s app suffered an outage earlier this morning, however AT claims that it was just a regular glitch that was not related to the cyberattack.  According to Brett Callow, a threat analyst with the New Zealand-based security company Emsisoft, on August 14 Medusa launched a DDoS attack against Levare International. This company produces prosthetic limbs in Dubai.

Though Medusa originally appeared in 2021, it was not until this year that the ransomware group made headlines.

According to Callow, the organization has taken credit for assaults against the Minneapolis Public School System, Tonga Communications, and the Crown Princess Mary Cancer Centre in Australia, which resulted in the release of private student and teacher records.

Ransomware gangs are often situated in Eastern Europe or Russia due to a combination of computer skills and authorities that are frequently unwilling to cooperate with Western agencies. The location of the gang's base of operations is currently unknown.  

Read more »
Machine learning
cyber attack Cyber Attacks Cyber Data Data Data Safety DDOS Attack Downtime eCitizen Service Kenya Machine learning

Kenya's eCitizen Service Faces Downtime: Analyzing the Cyber-Attack

 

Russian hacking groups have predominantly targeted Western or West-aligned countries and governments, seemingly avoiding any attacks within Russia itself. 

During the Wagner mutiny in June, a group expressed its support for the Kremlin, stating that they didn't focus on Russian affairs but wanted to repay Russia for the support they received during a similar incident in their country.

The attack on Kenya involved a Distributed Denial of Service (DDOS), a well-known method used by hackers to flood online services with traffic, aiming to overload the system and cause it to go offline. This method was also used by Anonymous Sudan during their attack on Microsoft services in June.

According to Joe Tidy, who conducted an interview, it is difficult to ascertain the true identity of the group responsible for the attack. 

Kenya's Information Minister revealed that the attackers attempted to jam the system by generating more than ordinary requests, gradually slowing down the system. Fortunately, no data exfiltration occurred, which would have been highly embarrassing.

Kenya had a reasonably strong cybersecurity infrastructure, ranking 51st out of 182 countries on the UN ITU's Cybersecurity Commitment Index. 

However, the extensive impact of the attack demonstrated the risks of relying heavily on digital technology for critical economic functions without adequately prioritizing cybersecurity. Cybersecurity and digital development should go hand-in-hand, a lesson applicable to many African countries.
Read more »
Outlook
Anonymous Sudan Cloud Platform Cyber Attacks Cyberattack DDOS Attack Microsoft Outlook

Microsoft: Disruptions in Outlook, Cloud Platform Services Were Caused by a Cyberattack


Earlier this June, some periodic but significant disruptions could be seen in Microsoft’s flagship office suite. That cyberattack disrupted services of Microsoft affiliated apps like Outlook email and OneDrive file sharing app along with cloud computing platform. After the attack was confirmed, an anonymous hacktivist seems to have taken the blame, claiming to have flooded the sites with traffic through their distributed denial-of-service (DDoS) attacks.

Microsoft was initially hesitant to admit that DDoS attacks by the murky upstart were to blame, but has since admitted that this was the case.

Although, they did not immediately confirm the number of customers affected by the attack or whether it had any global impact, Microsoft has now provided certain details on the matter.

A Microsoft spokesperson stated that the threat group behind the attacks has confirmed to have been ‘Anonymous Sudan.’ At the time, it took ownership of the situation via its Telegram social media channel. Some cybersecurity experts think the group is based in Russia.

On Friday, an explanation on the matter by Microsoft was published in a blog post following a request from The Associated Press made two days prior. The post, which was sparse on data, stated that the attacks "temporarily impacted availability" of some services. According to the report, the attackers targeted "disruption and publicity" and used probable rented cloud infrastructure and virtual private networks to flood Microsoft servers with attacks from so-called botnets of zombie machines spread around the world.

According to Microsoft, there is no proof that any customer information was accessed or compromised.

In regards to the severity of attacks, Jake Williams, a prominent cybersecurity researcher and a former NSA offensive hacker says “We really have no way to measure the impact if Microsoft doesn’t provide that info.” William added he was unaware of Outlook being attacked previously at this scale.

“We know some resources were inaccessible for some, but not others. This often happens with DDoS of globally distributed systems,” Williams added. “Microsoft’s apparent unwillingness to provide an objective measure of customer impact probably speaks to the magnitude,” he said.

While DDoS attacks do not come under the severity radar in cyber activities since they only make websites inaccessible without even penetrating them, security professionals believe that they can however disrupt the operations of several million of online users if they are successful in exploiting services of software service giants, like Microsoft, since a large chunk of global commerce rely on such organizations.

Read more »
malware
Cayosin Botnet Cryptojacking Campaign DDOS Attack malware

From Cryptojacking to DDoS Attacks: Diicot Expands Tactics with Cayosin Botnet

 

A group of cybersecurity experts has recently unearthed previously unreported payloads linked to a Romanian threat actor named Diicot. The discovery sheds light on the threat actor's capability to execute distributed denial-of-service (DDoS) attacks. In July 2021, a cybersecurity firm called Bitdefender discovered the actions of a threat actor named Diicot (formerly known as Mexals). 

The investigation revealed that Diicot utilized a tool called Diicot Brute, which is a Go-based SSH brute-forcer, to compromise Linux hosts as part of their cryptojacking campaign. Akamai revealed a renewed surge in Diicot's operations that had been previously identified in 2021. This latest wave of attacks, believed to have commenced around October 2022, allowed the threat actor to accumulate illicit profits amounting to approximately $10,000. 

A recent analysis conducted by Cado Security has uncovered that the Diicot group has expanded its tactics by utilizing a ready-made botnet agent called Cayosin. This particular malware, which exhibits similarities to Qbot and Mirai, signifies a significant development for the threat actor as it demonstrates their newfound capability to launch distributed denial-of-service (DDoS) attacks. 

Additionally, the group has engaged in activities such as revealing private information about rival hacking groups, a practice known as doxxing. Furthermore, Diicot relies on the popular communication platform Discord for controlling its operations and extracting stolen data. 

The threat actor, Diicot, employs several distinct tools in their operations: 

Chrome:  This tool functions as an internet scanner using Zmap technology. It gathers information during operations and saves the outcomes to a text file named "bios.txt". 

Update:  This executable is responsible for fetching and executing the SSH brute-forcer and Chrome tools if they are not already present on the compromised system. 

History:  Designed as a shell script, History facilitates the execution of the Update tool. 

DDoS attacks and Cryptojacking Relation 

DDoS attacks and cryptojacking are being combined by cybercriminals. The connection lies in using DDoS attacks to distract from and mask cryptojacking activities. This can involve launching a DDoS attack on a cryptocurrency exchange to divert attention. 

It can also include using DDoS attacks to test a victim's defenses and exploit vulnerabilities for cryptojacking. The consequences of this combination include increased energy consumption, hardware damage, and the potential theft of sensitive information. 

The SSH brute-forcer tool, also known as aliases, utilizes the information extracted from Chrome's text file output. It processes this data to gain access to each identified IP address. If the brute-forcing attempt is successful, it establishes a remote connection to the respective IP address. 

To determine if your computer is part of a botnet, watch out for the following signs: 

  • Unexplained activity: Excessive running of the processor, hard drive, or computer fans without a clear cause. 
  • Slow Internet: Unusually slow internet speeds, despite no active downloads, uploads, or software updates. 
  • Slow reboots and shutdowns: Sluggish shutdowns or restarts, potentially caused by malicious software.
  • Application crashes: Previously stable programs now frequently crashing or behaving erratically. 
  • High RAM usage: Check if an unknown application is consuming a significant portion of your computer's memory. 
  • Mysterious emails: Recipients reporting spam or malicious emails sent from your account. 
  • Unsafe habits: Neglecting important security updates, visiting unsafe websites, downloading unsafe software, or clicking on malicious links. 

To protect against these attacks, organizations are advised to implement measures such as SSH hardening and firewall rules. By implementing SSH hardening practices, organizations can strengthen the security of their SSH configurations. 

Additionally, setting up firewall rules helps limit SSH access to specific IP addresses, reducing the potential for unauthorized access attempts. These proactive measures can significantly enhance the security posture of organizations against SSH-related threats.
Read more »
NCA
Cyber Attacks Cybercrime Markets DDOS Attack National Crime Agency National Cyber Crime Unit NCA

NCA Infiltrates Cybercrime Market With Fake DDoS Sites


UK’s National Crime Agency (NCA) has recently conducted a sting operation as a part of Operation Power Off, a collaboration of international law enforcement agencies to shut down DDoS (distributed denial of service) infrastructure. 

In order to sabotage the online black market, the NCA set up a number of fictitious DDoS websites and offered booter or DDoS-for-hire services. It is important to keep in mind that the UK's Computer Misuse Act of 1990 makes DDoS attacks illegal. 

All of these websites were created by the NCA to appear genuine, giving the visitor the idea that they could initiate DDoS attacks using the provided tools and services. 

According to the agency, many a thousand individuals have visited the sites, although, after registering on the site, visitors are instead presented with a splash screen telling them that their data has been captured and law enforcement authorities would contact them instead of receiving the services they had signed up for. 

In the most recent report, the NCA confirms to have identified one of the websites it was operating, with a message that the data of users has been collected and that they “will be contacted by law enforcement.” 

The individuals who are currently in the UK will be contacted by the NCA or police and are warned about engaging in any cybercrime-related activity, whereas, the details of those overseas are being handed out to international law enforcement. 

DDoS Attacks 

In a DDoS attack, compromised computer systems bombard a target (server or website), causing severe financial or reputational damage to the targeted organization. “DDoS-for-hire, or ‘booter’, services allow users to set up accounts and order DDoS attacks in a matter of minutes […] Such attacks have the potential to cause significant harm to businesses and critical national infrastructure, and often prevent people from accessing essential public services,” said the NCA. 

Alan Merrett, member of NCA’s National Cyber Crime Unit says “booter services” are a key enabler of cybercrime. “The perceived anonymity and ease of use afforded by these services means that DDoS has become an attractive entry-level crime, allowing individuals with little technical ability to commit cyber offences with ease,” he said. 

He added that traditional site takedowns and arrests are key components of law enforcement’s response to threats while adding, “We have extended our operational capability with this activity, at the same time as undermining trust in the criminal market.” 

The NCA says that it will not reveal how many sites it has or for how long they have been running. Therefore, they have urged individuals looking for these services to stay cautious as they might not know who is operating them. 

Read more »
Russian Cyber Security
Cyber Attacks DDoS DDOS Attack DDOS Attacks Killnet Russia Russian Cyber Security

KillNet: Pro-Russian Threat Actors Claims Responsiblity for 14 DDoS Attacks on U.S. Airports

 

On Monday, a pro-Russian hackers group ‘KillNet reportedly claimed to be behind the DDoS attacks, that temporarily took down the websites of several U.S. airports.
 
A similar case was witnessed by Atlanta International Airport. Consequently, users were unable to access the websites for a few hours during the campaign. Though, the attacks did not have any impact on flight operations.
 
The Los Angeles International Airport (LAX) authority informed about a threat on their website to the Transportation Security Administration and the FBI.
 
"The service interruption was limited to portions of the public facing FlyLAX.com website only. No internal airport systems were compromised and there were no operational disruptions," a spokesperson stated in an emailed statement. Adding to the statement, she said the airport’s IT Team has restored all services and is investigating the cause.
 
Later, the hacker group apparently posted the list of the hacked airport websites on Telegram that included 14 targeted domains, urging hackers to participate in the DDoS attack.
 
The Airport websites impacted by the group include Los Angeles International, Chicago O’Hare, Hartsfield-Jackson Atlanta International Airport, the Los Angeles International Airport (LAX), the Chicago O’Hare International Airport (ORD), the Orlando International Airport (MCO), the Denver International Airport (DIA), the Phoenix Sky Harbor International Airport (PHX), and the sites of airports in Kentucky, Mississippi, and Hawaii.
 
In a Telegram post on Monday, Killnet listed other U.S. sites that could be the next potential victims of similar DDoS attacks, such as sea terminals and logistics facilities, weather monitoring centers, health care systems, subway systems, and exchanges and online trading systems.
 
Apparently, this DDoS attack was not the first attack by KillNet as KillNet has previously targeted many other countries that were against the Russian invasion of Ukraine. These NATO countries include Italy, Romania, Estonia, Lithuania, and Norway.
 
KillNet's DDoS attacks and those urging other threat actors to carry out are an example of what security experts determine is the tendency in recent years of geopolitical tensions, to be permeated the cyber world. As per the speculations, this campaign against the US and other NATO countries, for instance, instigates days after an explosion demolished a section of a major bridge connecting Russia to the Crimean Peninsula.
Read more »
Russia
Cobalt Strike Cyber Attacks DDOS Attack Ransomware Gang Russia

Anonymous Hacker Targets Cobalt Strike Servers Linked to Former Conti Gang Members

 

An anonymous hacking group launched DDoS assaults on Cobalt Strike servers handled by former Conti ransomware members with anti-Russian texts to halt their operation. 

Earlier this year in May, the Conti ransomware gang permanently switched off its operation but its members joined other groups, such as Quantum, Hive, and BlackCat. However, former Conti members continued employing the same Cobalt Strike infrastructure to launch new attacks. 

The hackers flooded the CS servers employed by Conti hackers to control the Cobalt Strike (CS) with anti-Russian texts such as “Stop the war!,” “15000+ dead Russian soldiers!,” and “Be a Russian patriot!” 

According to Vitali Kremez, the CEO of cyber intelligence company Advanced Intelligence (AdvIntel), the hackers targeted at least four Cobalt Strike servers by former Conti gang members. 

The messages are flooding the servers at a rapid rate of nearly two every second resulting in the disruption of Conti ransomware operations. Kremez says whoever is behind this activity constantly targeting Cobalt Strike servers is believed to be operated by previous Conti ransomware members, resuming the flood whenever a new server is discovered. 

“Red teamers operating Cobalt Strike infrastructure to help identify gaps for organizations need to ensure that they are properly protecting their infrastructure,” stated Jerrod Piker, threat analyst at Deep Instinct. “DoS/DDoS protection is necessary as evidenced by the recent Conti group attacks, as well as advanced malware prevention, identity protection, and access control. Attackers will always look for and eventually discover low-hanging fruit, so we have to ensure that we make their discovery process as difficult as possible.” 

Conti is one of the most prolific ransomware groups of the last year along with LockBit 2.0, PYSA, and Hive, and has blocked hospital, corporate, and government agency networks while demanding ransom for sharing the decryption key as part of their name-and-shame scheme. 

After the ransomware gang sided with Russia in February to invade Ukraine, an anonymous pro-Ukraine hacktivist under the Twitter handle ContiLeaks released the malware source code, credentials, chat logs, and operational workflows.

Hackers getting the taste of their own medicine 

It remains unclear who is behind these messages but for the moment they’re keeping the hackers busy. Last month, the LockBit ransomware gang suffered a DDoS attack disrupting its operation. The attack was launched after the gang claimed responsibility for a hack on security firm Entrust earlier this year. 

The hackers blamed the DDoS on Entrust since the HTTPS requests came with the message to delete the company’s data. However, the halt was temporary and the ransomware gang came online with enhanced infrastructure allowing them to keep the stolen data intact even when facing distributed denial-of-service (DDoS) attacks.
Read more »
Vulnerabilities and Exploits
Bugs DDOS Attack Flaws Vulnerabilities and Exploits

Mirai Variant MooBot Botnet Exploiting D-Link Router Flaws

 

MooBot, a Mirai botnet variant, is transforming vulnerable D-Link devices into an army of denial-of-service bots by exploiting multiple vulnerabilities. 

Palo Alto Networks Unit 42 said in a Tuesday report, "If the devices are compromised, they will be fully controlled by attackers, who could utilize those devices to conduct further attacks such as distributed denial-of-service (DDoS) attacks."
 
MooBot, which was first revealed in September 2019 by Qihoo 360's Netlab team, has previously aimed at LILIN digital video recorders and Hikvision video surveillance products to broaden its network. As many as four different flaws in D-Link devices, both old and new, have paved the way for the deployment of MooBot samples in the most recent wave of attacks discovered by Unit 42 in early August 2022. These are some examples:
  • CVE-2015-2051 (CVSS score: 10.0) - D-Link HNAP SOAPAction Header Command Execution Vulnerability
  • CVE-2018-6530 (CVSS score: 9.8) - D-Link SOAP Interface Remote Code Execution Vulnerability
  • CVE-2022-26258 (CVSS score: 9.8) - D-Link Remote Command Execution Vulnerability, and
  • CVE-2022-28958 (CVSS score: 9.8) - D-Link Remote Command Execution Vulnerability
Exploiting the aforementioned flaws successfully could result in remote code execution and the retrieval of a MooBot payload from a remote host, which then decodes instructions from a command-and-control (C2) server to launch a DDoS attack on a specific IP address and port number.

Customers with D-Link appliances are strongly advised to implement the company's patches and upgrades to mitigate potential threats.

The researchers stated, "The vulnerabilities [...] have low attack complexity but critical security impact that can lead to remote code execution.n Once the attacker gains control in this manner, they could take advantage by including the newly compromised devices into their botnet to conduct further attacks such as DDoS."
Read more »
United States
Cyber Attacks DDOS Attack Government Sites Taiwan United States

Taiwanese Government Sites Suffered DDoS Attacks Following Nancy Pelosi Visit

 

Multiple Taiwanese government sites were disrupted by distributed denial-of-service (DDoS) attacks following the much-publicized arrival of U.S. House Speaker Nancy Pelosi who became the first high-ranking U.S. official in 25 years to visit the democratic island nation. 

Pelosi reportedly met Taiwanese President Tsai Ing-wen and reiterated America’s support for the country of 24 million. 

The cyber attacks caused intermittent outages across the government English portal, some websites of the presidential office, foreign ministry, and defense ministry. 

According to Taiwan's foreign ministry, the attacks on its website and the government's English portal were linked to Chinese and Russian IP addresses that tried to access the websites up to 8.5 million times per minute. 

A separate statement from a Tsai spokesperson on Facebook said the attack had funneled 200 times more traffic than usual to the site. However, it was back up and running just 20 minutes later, it added. 

“While the PRC is more than capable of this type of attack, DDoS is fairly unsophisticated and somewhat brutish, and it's not a tool they are known to deploy,” explained Casey Ellis, founder, and CTO at Bugcrowd. China has an enormous population of very clever technologists, large security research and hacking community, and a large government-sponsored team with offensive capability ranging from information warfare to targeted exploit development and R&D.” 

Experts believe that the attacks were likely launched by Chinese activist hackers rather than the Chinese government as retaliation for the visit of Nancy Pelosi. 

Taiwan has accused China of ramping up cyber assaults since the 2016 election of President Tsai Ing-wen, who views the island as a sovereign nation and not a part of China. In 2020, Taiwanese authorities said China-linked hackers breached at least 10 Taiwan government agencies and secured access to nearly 6,000 email accounts in an attempt to exfiltrate data. 

Earlier this year in February, Chinese APT group APT10 (aka Stone Panda, Bronze Riverside) targeted Taiwan’s financial trading sector with a supply chain attack. The malicious campaign was launched by the threat actors in November 2021, but it hit a peak between February 10 and 13 2022, Taiwanese cybersecurity firm CyCraft reported.
Read more »
malware
Botnet Cyber Attacks DDOS Attack IoT devices malware

Mantis Botnet Behind Largest HTTPS DDoS Attack Targeting Cloudflare Users

 

A botnet called Mantis has been linked to record-breaking assaults targeting nearly 1,000 Cloudflare customers. 

In June 2022, DDoS mitigation firm Cloudflare disclosed that it successfully thwarted a record-breaking DDoS attack of 26 million requests per second. Just a couple of months earlier in April, Cloudflare also mitigated a previous record-breaking attack of 15.3 million requests per second. Mantis has now been linked to both attacks. 

For the attacks, the majority of traffic originated from Indonesia, the US, Brazil, and Russia with the French OVH (Autonomous System Number 16276), the Indonesian Telkomnet (ASN 7713), the US-based iboss (ASN 137922), and the Libyan Ajeel (ASN 37284) being the top source networks. In the past month alone, over 3,000 HTTP DDoS attacks have been launched against Cloudflare customers.

While previous record-setting DDoS attacks have predominately been generated from botnets that have exploited the rapid proliferation of IoT devices, the latest assaults have increased their intensity by exploiting far more powerful devices. 

Cloudflare’s Product Manager Omer Yoachimik stated that the attack last month “originated mostly from cloud service providers as opposed to residential internet service providers, indicating the use of hijacked virtual machines and powerful servers to generate the attack—as opposed to much weaker Internet of Things devices.” 

In one attack on an unnamed customer last month, more than 212 million HTTPS requests were generated from over 1,500 networks across 121 countries in under 30 seconds. 

The most impacted industry verticals include internet and telecom, media, gaming, finance, business, and shopping, of which over 20% of the attacks targeted U.S. firms, followed by Russia, Turkey, France, Poland, Ukraine, the U.K., Germany, the Netherlands, and Canada. 

According to Cloudflare researchers, the botnet is identical to the shrimp and is less than 10cm in length. Despite being so small, the claws of mantis shrimps can generate a shock wave with a force of 1,500 Newtons at speeds of 83 km/h from a standing start. 

“The Mantis botnet operates a small fleet of approximately 5,000 bots, but with them can generate a massive force — responsible for the largest HTTP DDoS attacks we have ever observed,” explained Yoachimik.
Read more »
RPS
Cloud Services Cyber Attacks DDOS Attack HTTP Requests RPS

Cloudflare Mitigates a Record-Breaking DDoS Assault Peaking at 26 Million RPS

 

Last week, Cloudflare thwarted the largest HTTPS DDoS attack ever recorded. The attack amassed 26 million HTTPS requests per second, breaking the previous record of 15.3 million requests for that protocol set earlier this year in April. 

The attack targeted an unnamed Cloudflare customer and mainly originated from cloud service providers instead of local internet services vendors, which explains its size and indicates that hijacked virtual devices and powerful servers were exploited during the assault, Cloudflare Product Manager Omer Yoachimik disclosed in a blog post. 

To deliver the malicious traffic, nearly 5,000 devices were employed with each endpoint generating roughly 5,200 RPS at peak. This demonstrates the true nature of virtual machines and servers when used for DDoS attacks, as other larger botnets aren’t capable of impersonating a fraction of this power. 

For example, a botnet of 730,000 devices was spotted generating nearly 1 million RPS, which makes the botnet behind the 26 million RPS DDoS attack 4,000 times stronger. 

"To contrast the size of this botnet, we've been tracking another much larger but less powerful botnet of over 730,000 devices," stated Omer Yoachimik. "The latter, larger botnet wasn't able to generate more than one million requests per second, i.e., roughly 1.3 requests per second on average per device. Putting it plainly, this botnet was, on average, 4,000 times stronger due to its use of virtual machines and servers.” 

Thirty seconds into the assault, the botnet generated over 212 million HTTPS requests from more than 1,500 networks, located in 121 nations. Most requests came from Indonesia, the US, Brazil, and Russia with the French OVH (Autonomous System Number 16276), the Indonesian Telkomnet (ASN 7713), the US-based iboss (ASN 137922), and the Libyan Ajeel (ASN 37284) being the top source networks.

According to Cloudflare, the assault was over HTTPS, making it more expensive in terms of required computational resources, as establishing a secure TLS encrypted connection costs more. Consequently, it also costs more to mitigate it. 

"HTTPS DDoS attacks are more expensive in terms of required computational resources because of the higher cost of establishing a secure TLS encrypted connection," Yoachimik explained. "Therefore, it costs the attacker more to launch the attack, and for the victim to mitigate it. We've seen very large attacks in the past over (unencrypted) HTTP, but this attack stands out because of the resources it required at its scale." 

This is one of the multiple volumetric assaults identified by Cloudflare throughout the last several years. An HTTP DDoS attack that was discovered in August 2021 saw around 17.2 million requests per second being generated. More recently, a mitigated 15.3 million rps attack that occurred in April 2022 saw around 6,000 bots being employed in order to target a Cloudflare customer who was running a crypto launchpad. 

Last year in November, Microsoft revealed that it thwarted a record-breaking 3.47 terabits per second (Tbps) DDoS attack that flooded servers used by an Azure customer from Asia with malicious packets.
Read more »
Ukrainians
cyber attack Cyber Attacks Cyber Threats DDOS Attack Russian Ukrainians

Ukrainians DDoS Russian Vodka Supply Chains

 

According to the Russian news portal Vedomosti, Ukrainian cyber threat actors compromised Russia’s central alcohol distribution portal that is considered crucial for the distribution of alcoholic beverages in Russian regions called Unified State Automated Alcohol Accounting Information System or EGAIS.

EGAIS is a portal that plays important role in alcohol distribution in the nation. As per the law, for all alcohol producers and distributors, it is mandatory to register their shipments with EGAIS. Therefore, this attack caused extensive service blockage across Russia. 

The group hit the portal with DDoS attacks launched on May 2nd and 3rd. Through the DDoS or distributed denial of service attacks, the perpetrators overwhelm servers with superfluous requests in an attempt to overload systems and render some or all legitimate requests from being fulfilled. 

Also, according to the experts, sophisticated strategies have to be required against such types of attacks, as simply attempting to block a single source is insufficient. Three sites belonging to the platform have been hit by DDoS attacks. 

On May 4th, two EGAIS sites showed the error “the server stopped responding,” and the third didn’t work. The attacks took place on May 2nd and the next day system failures became more obvious about the attack. 

Wine trader Fort said that the site stopped working on May 4th, and the Union of Alcohol Producers, Igor Kosarev, and Ladoga representatives claimed the same. 

Fort further added that they had failed to upload about 70% of invoices to EGAIS due to the attack. Its supplies of wine to retail chains and restaurants in the region apparently failed to distribute on May 4 due to the incident. The outage impacted not only vodka distribution but wine companies faced disruption as well alongside purveyors of other types of alcohol. 

“Due to a large-scale failure, factories cannot accept tanks with alcohol, and customers, stores, and distributors cannot receive finished products that have already been delivered to them,” Vedomosti reported.

Ukrainian threat actors group, the Disbalancer took responsibility for the attack and announced their future plans to launch more attacks on the platform.
Read more »
User Security
Cyber Attacks DDOS Attack security threat User Security

Imperva Mitigates 2.5 million RPS Ransom DDoS Assaults Targeting Unnamed Firm

 

Imperva, a cyber security software and services firm on Friday claimed it thwarted a massive 2.5 million RPS (requests per second) ransom DDoS attack targeting an unnamed company. 
 
According to Nelli Klepfish, a security analyst at Imperva, the company against which the DDoS assault was launched received multiple ransom notes during the attack. To prevent the loss of “hundreds of millions” in market cap and to remain online, the company paid the attackers in bitcoin.  
 
Imperva thwarted more than 12 million embedded requests targeting random pages of the firm’s site. The next day, the attackers sent over 15 million requests to the same site, however, this time the URL contained a different message. But the attackers employed similar methodology of threatening the company’s CEO for devastating consequences, such as the company’s stock price plummeting if they refuse to pay the ransom.  
 
The most devastating assault is said to have lasted less than a minute, in which researchers measured 2.5 million RPS (1.5Gbps of TCP traffic in terms of bandwidth) as the highest number of requests received.  
 
An identical attack was sustained by one of the sister sites operated by the same firm that lasted nearly 10 minutes, even as the attackers constantly changed their attack tactics and ransom notes to avert mitigation.  
 
Evidence gathered by Imperva points to the DDoS assaults originating from the MÄ“ris botnet, which has exploited a now-patched security loophole in Mikrotik routers (CVE-2018-14847) to strike targets, including Yandex, a Russia-based technology and search engine giant last September.  
 
"The types of sites the threat actors are after appear to be business sites focusing on sales and communications," Klepfish said. "Targets tend to be U.S.- or Europe-based with the one thing they all have in common being that they are all exchange-listed companies and the threat actors use this to their advantage by referring to the potential damage a DDoS attack could do to the company stock price."  
 
Imperva unearthed about 34,815 sources of attack’s origin. In 20% of the cases Imperva discovered, the attackers launched 90 to 750 thousand RPS. Top attack sources attacks came from Indonesia, followed by the U.S., China, Brazil, India, Colombia, Russia, Thailand, Mexico, and Argentina.  
 
Imperva reported an interesting fact that the attackers are claiming to be members of REvil, the infamous ransomware-as-a-service cartel that suffered a major setback after a number of its operators were arrested by Russian law enforcement agencies earlier this January. However, the researchers yet to confirm that the claims are made by the original REvil operators or some imposter.
Read more »
Ukraine
Anonymous Cyber Security CyberWar DDOS Attack Government Sites Group-IB Hacker group Russia Ukraine

Expert Opinion: The Consequences of the War of the Hacker Group Anonymous against Russia

 

Anonymous hacktivists announced on Twitter about the beginning of the war with Russia because of the special operation in Ukraine. The group is known for its massive DDoS attacks, declassification of government documents, and hacking of politicians' accounts. Information security experts told how Anonymous can harm Russia. 


Information security experts are confident that a real threat may be hiding behind the Anonymous statement. "Government websites, government online services such as Gosuslugi, email, social media accounts of politicians, websites and IT infrastructure of state banks and defense companies can be attacked", said Sergey Nenakhov, head of the information security audit department of Infosecurity a Softline Company. 

According to him, this community has repeatedly manifested itself earlier in hacktivism, hacking government websites, e-mails of politicians from different countries. They also manifested themselves in the online fight against the Islamic State organization (it is banned in Russia), obtaining and publishing information about members of the terrorist organization. 

Group-IB noted that the danger lies in the fact that other groups, including pro-state hacker groups targeting critical infrastructure facilities, may operate under the guise of Anonymous. 
"As for Anonymous, they act as follows: first, in public communities, for example, on Twitter, they call for attacks on certain organizations as part of a particular campaign. In order for users to easily identify these attacks, they usually use special hashtags for each event and the hashtag Anonymous. These campaigns can be joined by young hackers without professional skills and abilities. However, the strength of such actions lies precisely in the mass character of hacktivists," the company explained.

Fedor Dbar, commercial director of Security Code, believes that much will depend on whom the group will carry out the attacks. "The most serious consequences could be caused by attacks on critical information infrastructure (CII) facilities, but it cannot be said that tomorrow we will be left without electricity or electricity."
Read more »
United States
Cyber Attacks CyberWar DDOS Attack Fancy Bear NATO Russia Ukraine Ukraine Websites Ukrainian Cyber Security United States

Ukraine: DDoS Attacks on State Websites Continue

 

Since February 23, some Ukrainian government websites have been subjected to DDoS attacks: web resources of the Ministry of Defense, the Verkhovna Rada of Ukraine, the Ministry of Foreign Affairs and others have suffered interruptions. 

The Insider publication (the organization is included in the list of foreign agents by the Ministry of Justice of Russia), referring to the data of the independent cyber analyst Snorre Fagerland, stated that the hacker group ART23 (Fancy Bear), which is attributed to links with the Main Intelligence Directorate of the Russian Federation, was behind the attacks. 

However, Igor Bederov, head of the Information and Analytical Research Department at T.Hunter, called this statement a provocation. "The investigation of a cyberattack (attribution) is a long and complex process that cannot be carried out from beginning to end in hours. Analysis of hacker software and malicious code is always a long and painstaking process," Mr. Bederov said. 

According to him, even if traces leading to Fancy Bear were indeed found, it's still impossible to say that this particular group was behind the attack. Mr. Bederov thinks that other hackers could have also taken advantage of the malware previously used by Fancy Bear. It's possible because hacker tools are openly resold on the Darknet. 

"Primary attribution is based on matching the hacker code used in today's attack with the code used in yesterday's attack, as well as special characters specific to a language group. This approach is fundamentally wrong, because the code can be stolen or bought, and the linguistic features can be imitated," said the expert. 

Mr. Bederov also noted that within the framework of pro-state activity, mainly Chinese groups like to engage in substitution of attribution. In addition, according to him, the NATO cyber intelligence center located in Tallinn was previously noticed for the substitution of attribution. 

Earlier it was reported that DDoS attacks on the website of the Ministry of Defense of Ukraine could have been deliberately set up by the United States. Earlier, Viktor Zhora, Deputy Chairman of the State Service for Special Communications and Information Protection of Ukraine, said that the government of Ukraine is ready for the scenario of forced destruction of secret data on servers. According to him, the authorities do not want to take risks and are not going to leave documentation and detailed information about the population of Ukraine to the enemy. 

He also said that if Russia gets access to government passwords, Ukrainian specialists "will quickly block access to hacked accounts."
Read more »
surveillance
DDOS Attack Location data location tracking Mobile Hacking Mobile Security Smartphone surveillance

The Russian Expert Listed the Main Signs of Smartphone Surveillance

 

Along with the unconditional benefits, the smart devices around us also carry a number of dangers. Thus, with the help of a smartphone, attackers can gain access to the personal data of its owner. According to Evgeny Kashkin, associate professor of the Department of Intelligent Information Security Systems at RTU MIREA, there are several signs that may indirectly indicate that your smartphone has become a spy. 

"An important point, in this case, is the requirement for applications to use a camera, microphone, as well as access to data (images and videos) on the phone during installation. Of course, you can disagree with this point during the installation, but most likely, then the application will not work at all or will work incorrectly," the expert explains. 

According to him, for a number of applications, these access rights are mandatory for work, but there are applications where "such rights for normal operation are simply absurd." For example, a home internet account status application. 

Another important factor, in his opinion, is the use of geolocation in applications. At the same time, it`s not only about GPS, but also the use of cellular data, as well as connections to various web resources. Such an approach, on the one hand, can greatly facilitate the search for the right companies within walking distance in a number of search engines, but, on the other hand, the cell phone conducts a "total" tracking of your movements. The key question, in this case, is how the data will be used by those who collect it. 

A number of companies have gone even further in this context. They started tracking the email messages of the users. Thus, with the banal purchase of an electronic plane ticket, the system will notify you in advance of the departure date, and on the day of departure, it will build you a route to the airport, taking into account traffic jams. 

He also advises paying attention to the sudden and uneven loss of battery power. This may indicate that a malicious program is running in the background that can use the phone to carry out a DDOS attack. 

Another alarming symptom is the sudden freezing of the phone or even turning it off for no objective reason. And finally, the occurrence of noises and extraneous sounds during a conversation may also indicate that your phone is being monitored. 

Read more »
Subscribe to: Posts (Atom)