Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label DDOS Attack. Show all posts
News
Anti-DDoS Measures cyber attack DDOS Attack News

Massive 1Tbps DDoS Attack Cripples Online Betting Site, Exposes Industry’s Ongoing Cybersecurity Failures

 

An online betting company has been knocked offline by a colossal 1-terabit-per-second Distributed Denial of Service (DDoS) attack, exposing glaring weaknesses in the digital defences of the gambling industry. Reported by TechRadar, the attack unleashed a massive flood of junk traffic that overwhelmed the site’s infrastructure, rendering its services inaccessible for hours. 

What makes the incident more concerning is the lack of sophistication behind it—this wasn’t a complex, stealthy operation but rather a brute-force flood that succeeded purely through scale. Despite the growing prevalence of such attacks in recent years, many companies in high-risk sectors like online gambling continue to treat cybersecurity as an afterthought. 

With their operations heavily reliant on constant uptime and revenue tied to every second online, gambling platforms remain prime targets for attackers, yet many fail to invest in fundamental protections like cloud-based DDoS mitigation, real-time monitoring, and incident response planning. 

Cybersecurity experts are baffled by this ongoing negligence, especially when previous headline-grabbing attacks—such as the 1.3Tbps assault on GitHub in 2018 or AWS’s 2.3Tbps encounter in 2020—should have prompted serious change. 
Compounding the issue is the role of Internet Service Providers (ISPs), who continue to shy away from proactive upstream filtering, allowing these massive data floods to reach their targets unchecked. The financial impact of such downtime is severe, with potential losses not only in revenue but also in user trust, legal exposure, and long-term brand damage. 

Security professionals stress that effective DDoS defence requires more than just faith in hosting providers; it demands deliberate investment in scalable protection tools like AWS Shield, Cloudflare, or Akamai, along with robust infrastructure redundancy and tested incident response strategies. 

In 2025, DDoS attacks are no longer anomalies—they’re a constant threat woven into the fabric of the internet. Ignoring them is not cost-saving; it’s gambling with disaster.
Read more »
phishing
DDOS Attack Hackers IP Address Personal Data phishing

Shocking Ways Hackers Can Exploit Your IP Address – You’re Not as Safe as You Think




Your IP address may look like a long number row, but to a hacker, it can be an instrument of evil activity. While your exposure to an IP doesn't pose an immediate danger per se, it is thus important to understand what a hacker can do with it. Let's break down how cybercriminals can exploit an IP and how you can keep it safe.

Determining Your Broad Area of Location

The very first thing a hacker will easily know once he has obtained your IP address is your general area of location. He can find out your city or region using even simple online tools such as IP tracking websites. Of course, he won't pinpoint the street number but can already pinpoint your general area or location which may trigger other related hacking attempts such as phishing attacks. Hackers would use your address and ISP to dupe you through social engineering.

IP Spoofing: Identity Mimicry Online

The hacker can manipulate the IP addresses and make it seem like the actions they are performing are coming from your device. In this method, which is known as IP spoofing, hackers perpetrate various illegal activities while concealing identities. Many people employ IP spoofing in DDoS attacks whereby hackers inject tremendous amounts of traffic into a network to actually shut it down. Using your IP address during this attack may keep them undetected while they wreck the damage.

Selling Your IP Address

One seems minute, but hackers sell bundles of thousands of IP addresses in bulk across the dark web, and those addresses can be used in large-scale social engineering projects that lead to data theft. Used with other personal data, your IP address can be a wonderful commodity in some hacker's arsenal, allowing them to crack into almost any online account.

Scanning for Further Information

Using this method, and with the use of such tools as Nmap, hackers can not only obtain your IP but also uncover which OS your machine is running, applications that are installed, and open ports. If vulnerabilities exist in your system, they can launch specific attacks on those particular weaknesses, which will then allow them to get into your network, and even control your devices.

A DDoS attack

Although it is seldom that DDoS attacks any user, hackers can use your IP to attack you using DDoS, which will turn your device into a traffic flooder and take it offline. Such attacks are usually employed in larger organisations, although those engaging in activities such as online gaming and other competitive activities are also at risk. For instance, some players have used DDoS attacks to cut off their opponents' internet.

How to Hide Your IP Address

The likelihood that someone actually targeted you may be low, but this is equally as important to adhere to these safety precaution guidelines. With a virtual private network or a proxy server, your public IP address remains hidden, which makes it extremely hard for hackers to find and take advantage of it. It can also protect your devices by updating them as regularly as possible and using firewalls.

It is important to note that knowing an IP address doesn't give hackers total control over your system. However, it can be part of a scheme that encourages them to come closer to extracting more personal information or conducting attacks. However, usually there's little chance that someone would go out of his way to harm you using just your IP address; still, you can never be too safe. Securing the network and masking the IP simply reduces these risks from IP-based attacks.

Care needs to be taken, and preventative measures need to be in place so that nobody would use those malpractices against you.


Read more »
US Elections
Cyber Attacks DDOS Attack Pro-Palestine Group Social Media Hack US Elections

Pro-Palestine Outfit Takes Responsibility for Hacking Donald Trump-Elon Musk Interview

 

During a conversation between billionaire Elon Musk and Republican presidential candidate Donald Trump on Musk's social media platform X, technical issues occurred that Musk claimed were caused by a DDoS attack.

The discussion was significant since it was Trump's high-profile comeback to X following his 2021 Twitter ban in the wake of the Capitol rioting. In addition, Musk has been a big supporter of Trump as a candidate for the US presidency, thus inviting the former president to speak on his platform was a noteworthy choice that drew attention. 

What unfolded during the interview?

Less than 20 minutes into the much-anticipated interview, Musk announced that the social media site had been struck by a massive distributed denial of service attack. 

DDoS is an assault on a platform that tries to bring it down by overloading it with too many enquiries in too short a time. Many of the queries are pointless because the goal is to drive excessive traffic to the platform, causing it to eventually fail. 

 L“There appears to be a massive DDoS attack on 𝕏. Working on shutting it down. Worst case, we will proceed with a smaller number of live listeners and post the conversation later,” Musk posted on X on August 13 at 5:48 am IST. He later confirmed this, promising that an unedited audio version will be available soon. 

Who is behind the DDoS incident? 

Palestinian rights 'hacktivists' took responsibility for the attack, claiming their boasts were a ploy to bolster their activism message.

“Rippersec is a pro-Palestine hacktivist group who conducts DDoS attacks motivated by geopolitical events,” digital security writer CyberKnow posted to X. “The group like many hacktivist groups also thrives off attention,' the writer warned, “making it easy for them to claim this to improve credibility and reputation.” 

However, researchers from XLab, China's cybersecurity research and threat analysis department, claimed they had discovered solid evidence to the contrary, setting out their case for a proven DDoS attack in a report on Wednesday. 

“We identified four Mirai botnet C2s (command and controllers) involved in the attack. Additionally, other attack groups also participated using methods like HTTP proxy attacks,” the firm's researchers reported in a blog post. 

'Mirai' is a type of malicious code that converts internet-connected Linux-based devices into remotely controlled 'zombies' for a 'botnet' army.

In a 'HTTP proxy attack,' hackers intercept and modify online communication between sites, servers, and computers, either to steal confidential data or to change the content for a number of purposes. 

“The attack lasted from 8:37am to 9:28am Beijing time [8:37–9:28pm Eastern],' XLab noted, 'which closely matches the delay durations in the start time of the interview. Our analysis indicates that the attack did occur,” their report summed it up. 

As evidence of its findings, the firm shared screenshots of a social media channel called 'UglyBotnet' in which one anonymous user appeared to claim responsibility for the attack. 

Has such an outage occurred before? 

Rhis is not the first time that an X event has been disrupted by technical troubles. A Twitter Spaces event with Florida Governor Ron DeSantis in May 2023 was delayed and had difficulties, which Musk blamed on "straining" systems. 

When Musk bought Twitter in 2022, he began removing key teams and professionals who had kept the old social media network running. Many customers criticised his decision on the new platform's history of outages. Musk, in turn, criticised Twitter and its code stack for being "brittle.”
Read more »
Germany
botnet Golang C2 Server Cyber Security Cyber Threats DDOS Attack DNS Germany

New Golang-Based Botnet 'Zergeca' Discovered


 

Researchers at QiAnXin XLab have found a new and dangerous botnet called Zergeca. This botnet, written in the Go programming language (Golang), can launch powerful distributed denial-of-service (DDoS) attacks, which can overwhelm and shut down targeted websites or services.

How Zergeca Was Discovered

In May 2024, researchers came across a suspicious file uploaded from Russia to a security website called VirusTotal. This file, located at /usr/bin/geomi, had a unique identifier but wasn't marked as harmful. Another similar file was uploaded from Germany on the same day. This led experts to discover that these files were part of a new botnet, which they named Zergeca, inspired by a string in its code that reminded them of the Zerg creatures from the video game StarCraft.

Zergeca is capable of six different types of DDoS attacks. It also has additional features, such as acting as a proxy, scanning networks, upgrading itself, staying persistent on infected devices, transferring files, providing remote access, and collecting sensitive information from compromised devices. One unique aspect of Zergeca is its use of multiple DNS resolution methods, preferring DNS over HTTPS (DoH) for communicating with its command and control (C2) server. It also uses an uncommon library called Smux for encrypted communication.

The C2 server used by Zergeca has been linked to at least two other botnets named Mirai since September 2023. This suggests that the creator of Zergeca has prior experience with running botnets.

Between early and mid-June 2024, Zergeca was used to carry out DDoS attacks on organisations in Canada, the United States, and Germany. The primary attack method used was known as ackFlood. Victims of these attacks were spread across multiple countries and different internet networks.

Zergeca operates through four main modules: persistence, proxy, silivaccine, and zombie. The persistence module ensures the botnet stays active on infected devices, while the proxy module manages proxying tasks. The silivaccine module removes any competing malware, ensuring that Zergeca has full control of the device. The zombie module is the most critical, as it carries out the botnet's main functions, including DDoS attacks, scanning, and reporting information back to the C2 server.

To stay active, Zergeca adds a system service called geomi.service on infected devices. This service ensures that the botnet process restarts automatically if the device reboots or the process is stopped.

Researchers have gained insights into the skills of Zergeca’s creator. The use of techniques like modified file packing, XOR encryption, and DoH for C2 communication shows a deep understanding of how to evade detection. The implementation of the Smux protocol demonstrates advanced development skills. Given these abilities, researchers expect to see more sophisticated threats from this author in the future.

The discovery of Zergeca highlights the increasing intricacy of cyber threats. Organisations must remain vigilant and adopt strong security measures to protect against such advanced attacks. The detailed analysis of Zergeca provides valuable information on the capabilities and tactics of modern botnets, emphasising the need for continuous monitoring and proactive defence strategies in cybersecurity.


Read more »
UAE
cyber threat DDOS Attack Middle East Sensitive data Technology UAE

UAE Takes Measures to Strengthen Cybersecurity in the META Region

 



The United Arab Emirates (UAE) is emerging as a beacon of innovation and technological advancement in the Middle East, and its commitment to cybersecurity is a vital element in shaping its hyper-connected future. As the UAE's digital footprint expands, so too does the potential for cyberattacks that could disrupt critical infrastructure and compromise sensitive data.

Recent statistics reveal a concerning increase in the UAE's vulnerability to cyber threats, including ransomware and DDoS attacks. In a joint report by the UAE government and CPX security, it was found that nearly 155,000 vulnerable points exist within the UAE, with Dubai being the most concentrated area. Insider attacks, where individuals within organizations misuse their access to steal data, are also a growing concern as the country embraces cloud computing and artificial intelligence.

The financial implications of data breaches in the Middle East have also surged, with the region ranking second only to the US in terms of breach costs. The average cost of a data breach in the Middle East exceeded $8 million in 2023, highlighting the urgent need for robust cybersecurity measures. However, a critical gap remains, as nearly a quarter of oil and gas companies and government entities in the region lack dedicated cybersecurity teams.


The UAE is actively addressing these challenges through a multi-pronged approach to enhance its cybersecurity shield. Here are the top cybersecurity trends shaping the UAE's digital landscape in 2024:

1. Advanced Threat Detection: The UAE recognizes the limitations of traditional security methods and is investing in advanced threat detection systems powered by artificial intelligence (AI), machine learning (ML), and behavioural analytics. This approach enables real-time identification and response to sophisticated cyber threats.

2. Public-Private Partnerships (PPPs) for Enhanced Security: The UAE is forging partnerships between the government and private sector to create a united front against cyber threats. Collaborations with organisations like the UN's ITU and leading cybersecurity firms demonstrate a commitment to sharing expertise and resources.

3. Cloud Security on the Rise: With the increasing reliance on cloud storage and processing, the UAE is experiencing a surge in cloud security solutions. This growth is driven by investments from cloud service providers, proactive government measures, and the need for enhanced protection against cyberattacks.

4. Cybersecurity Education and Training: The UAE is investing in cybersecurity education and training programs to equip professionals with the necessary skills to combat cyber threats. From specialised courses in universities to workshops for businesses, there is a concerted effort to build a strong cybersecurity workforce in the country.

5. Zero Trust Security Model Gaining Traction: The adoption of the zero-trust security model is growing in the UAE as businesses move away from traditional network perimeters. This model constantly verifies users and devices before granting access to resources, offering enhanced security in a more open, cloud-based environment.

6. Regulatory Compliance: The UAE has implemented stringent cybersecurity regulations to safeguard critical infrastructure and sensitive data. Adhering to these regulations is mandatory for organisations operating in the country, ensuring a baseline level of cybersecurity.

7. Quantum Cryptography: The UAE is investing in the research and development of quantum cryptography technologies to protect against future cyber threats posed by quantum computers. This cutting-edge approach leverages the principles of quantum mechanics to secure communications.

8. Focus on Critical Infrastructure Protection: Protecting critical infrastructure is a top priority in the META region, with specific measures being implemented to safeguard sectors such as energy, transportation, and healthcare systems. These measures are essential for maintaining national security and ensuring the continuity of essential services.

9. Growth of Cybersecurity Startups and Innovations: The META region is witnessing a surge in cybersecurity startups that are developing tailored solutions to address regional needs. Initiatives like Dubai's Innovation Hub and Saudi Arabia's cybersecurity accelerators are nurturing a conducive environment for these startups to thrive.

10. Cyber Threat Intelligence Sharing: Sharing cyber threat intelligence is increasingly important in the META region. Governments and organisations are establishing platforms for real-time sharing of threat information, enhancing collective cybersecurity defence.

As the UAE continues to advance in AI, PPPs, and cloud security, the question remains whether these advancements will stay ahead of the ever-evolving tactics of cybercriminals. The future of cybersecurity depends on the UAE's ability to adopt cutting-edge solutions and anticipate and adapt to the next wave of threats. 


Read more »
Technology
Broader Gateway Protocol DDOS Attack Facebook Meta Technical Glitch Technology

Technical Glitch Causes Global Disruption for Meta Users

 


In a recent setback for Meta users, a widespread service outage occurred on March 5th, affecting hundreds of thousands worldwide. Meta's spokesperson, Andy Stone, attributed the disruption to a "technical issue," apologising for any inconvenience caused.

Shortly after the incident, multiple hacktivist groups, including Skynet, Godzilla, and Anonymous Sudan, claimed responsibility. However, cybersecurity firm Cyberint revealed that the disruption might have been a result of a cyberattack, as abnormal traffic patterns indicative of a DDoS attack were detected.

The outage left Facebook and Instagram users unable to access the platforms, with many being inexplicably logged out. Some users, despite entering correct credentials, received "incorrect password" messages, raising concerns about a potential hacking event. Both desktop and mobile users, totaling over 550,000 on Facebook and 90,000 on Instagram globally, were impacted.

This isn't the first time Meta (formerly Facebook) faced such issues. In late 2021, a six-hour outage occurred when the Border Gateway Protocol (BGP) routes were withdrawn, effectively making Facebook servers inaccessible. The BGP functions like a railroad switchman, directing data packets' paths, and the absence of these routes caused a communication breakdown.

As the outage unfolded, users found themselves abruptly logged out of the platform, exacerbating the inconvenience. The disruption's ripple effect triggered concerns among users, with fears of a potential cyberattack amplifying the chaos.

It's worth noting that hacktivist groups often claim responsibility for disruptions they may not have caused, aiming to boost their perceived significance and capabilities. In this case, the true source of the disruption remains under investigation, and Meta continues to work on strengthening its systems against potential cyber threats.

In the contemporary sphere of technology, where service interruptions have become more prevalent, it is vital for online platforms to educate themselves on cybersecurity measures. Users are urged to exercise vigilance and adhere to best practices in online security, thus effectively mitigating the repercussions of such incidents.

This incident serves as a reminder of the interconnected nature of online platforms and the potential vulnerabilities that arise from technical glitches or malicious activities. Meta assures users that they are addressing the issue promptly and implementing measures to prevent future disruptions.

As the digital world persists in evolution, users and platforms alike must adapt to the dynamic landscape, emphasising the importance of cybersecurity awareness and resilient systems to ensure a secure online experience for all.




Read more »
Threat Landscape
Cyber space DDOS Attack Security Framework Technology Threat Landscape

Here's Why Robust Space Security Framework is Need of the Hour

 

Satellite systems are critical for communication, weather monitoring, navigation, Internet access, and numerous other purposes. These systems, however, suffer multiple challenges that jeopardise their security and integrity. To tackle these challenges, we must establish a strong cybersecurity framework to safeguard satellite operations.

Cyber threats to satellites 

Satellite systems suffer a wide range of threats, including denial-of-service (DoS) attacks and malware infiltration, as well as unauthorised access and damage triggered by other objects in their orbit that hinder digital communications. 

For satellite systems, these major threats can distort sensor systems, resulting in harmful actions based on inaccurate data. For example, a faulty sensor system could cause a satellite's orbit path to collide with another satellite or natural space object. If a sensor system fails, it may result in the failure of other space and terrestrial systems that rely on it. Jamming or sending unauthorised satellite guidance and control commands has the potential to destroy other orbiting space spacecraft.

DoS attacks can lead satellites to become unresponsive or, worse, shut down. Satellite debris fallout could pose a physical safety risk and damage to other countries' space vehicles or the earth. Malware installed within systems via insufficiently secured access points may have an influence on the satellite and spread to other systems with which it communicates. 

Many of the 45,000 satellites have been in service for years and have minimal (if any) built-in cybersecurity protection. Consider the Vanguard 1 (1958 Beta 2), a small, solar-powered satellite that orbits Earth. It was launched by the United States on March 17, 1958, and is the oldest satellite still orbiting the earth.

Given potential risks that satellites face, a comprehensive cybersecurity strategy is required to mitigate such risks. Engineering universities and tech organisations must also work with government agencies and other entities that design and build satellites to develop and execute a comprehensive cybersecurity, privacy, and resilience framework to regulate industries that are expanding their use of space vehicles. 

Cybersecurity framework

The NIST Cybersecurity Framework (CSF) outlines five critical processes for mitigating common threats, including those related with satellite systems: identify, protect, detect, respond, and recover.

Identify

First, identify the satellite data, individuals, personnel, systems, and facilities that support the satellite's uses goals, and objectives. Document the location of each satellite, as well as the links between each satellite component and other systems. Knowing which data is involved and how it is encrypted can help with contingency, continuity, and disaster recovery planning. Finally, understand your risk landscape and any elements that may affect the mission so that you can plan for and avoid potential incidents. This information will aid in the successful management of cybersecurity risk for satellite systems and its associated components, assets, data, and capabilities. 

Protect

Using the recently identified data, choose, develop, and implement the satellite's security ecosystem to best protect all of its components and associated services. Be aware that traditional space operations and vehicles typically rely on proprietary software and hardware that were not intended for a highly networked satellite, cyber, and data environment. As a result, legacy components may lack certain security measures. As a result, create, design, and use verification procedures to prevent loss of assurance or functionality in satellite systems' physical, logical, and ground parts, as well as to allow for response to and recovery from cybersecurity incidents. To protect satellite systems, physical and logical components must be secured, access limits monitored, and cybersecurity training made available.

Detect 

Create and implement relevant actions to monitor satellite systems, connections, and physical components for unforeseen incidents and alert users and applications of their detection. Use monitoring to spot anomalies within space components, and put in place a strategy for dealing with them. Use many sensors and sources to correlate events, monitor satellite information systems, and maintain access to ground segment facilities in order to detect potential security breaches. 

Respond

Take appropriate actions to mitigate the impact of a cybersecurity attack or unusual incident on a satellite system, ground network, or digital ecosystem. Cybersecurity teams should inform key stakeholders regarding the incident and its implications. They should also put in place systems for responding to and mitigating new, known, and anticipated threats or vulnerabilities, as well as continuously improving these processes based on lessons learned. 

Recover 

Create and implement necessary activities to preserve cybersecurity and resilience, as well as to restore any capabilities or services that have been impaired as a result of a cybersecurity event. The objectives are to quickly restore satellite systems and associated components to normal functioning, return the organisation to its appropriate operational state, and prevent the same type of incident from recurring.

As our world continues to rely on satellite technology, cyber threats will emerge and adapt. It is critical to safeguard these systems by developing a comprehensive cybersecurity framework that outlines the way to design, create, and operate them. Such a structure enables organisations to respond effectively to incidents, recover swiftly from interruptions, and remain ahead of potential threats.
Read more »
Threat Landscape
Cyber Crime DDOS Attack Online Security Online Traffic Threat Landscape

Hackers are Launching DDoS Attacks During Peak Business Hours

 

Threat groups' tactics to avoid detection and cause harm are becoming increasingly sophisticated. Many security practitioners have seen distributed denial-of-service (DDoS) attacks carried out during peak business hours, when firms are more likely to be understaffed and caught off guard.

DDoS attacks are a year-round threat, but we've seen an increase in attacks around the holiday season. Microsoft mitigated an average of 1,435 assaults per day in 2022. These attacks peaked on September 22, 2022, with roughly 2,215 documented attacks, and continued at a greater volume until the last week of December. From June to August, the number of attacks were reduced.

One reason for this trend could be that many organisations operate with fewer security staff and limited resources to monitor their networks and apps during the holidays. The huge volume of traffic and income made by organisations during this peak business season make this time of year even more tempting to attackers. 

Cybercriminals frequently take advantage of this opportunity to carry out lucrative attacks at a low cost. A DDoS assault can be ordered via a DDoS subscription service for as little as $5 under a cybercrime-as-a-service business model. In the meantime, small and medium-sized businesses spend an average of $120,000 to restore services and manage operations during a DDoS attack. 

With this knowledge, security teams can take preemptive steps to fight against DDoS assaults during busy business seasons. Continue reading to find out how. 

Understanding the varieties of DDoS attacks 

Before we can discuss how to protect against DDoS attacks, we must first comprehend what they are. DDoS attacks are classified into three groups, each with its own set of cyberattacks. Attackers can utilise a variety of attack types against a network, including those from distinct categories. 

The first type of attack is a volumetric attack. This type of attack focuses on bandwidth and is intended to overload the network layer with traffic. A domain name server (DNS) amplification attack, which leverages open DNS servers to flood a target with DNS answer traffic, is one example.

Then there are protocol attacks. This category primarily targets resources by exploiting flaws in the protocol stack's Layers 3 and 4. A protocol attack may be a synchronisation packet flood (SYN) attack, which uses all available server resources, rendering the server unusable. 

The last type of DDoS assault is resource layer attacks. This category is meant to disrupt data flow between hosts by targeting Web application packets. Consider an HTTP/2 Rapid Reset attack, for example. In this case, the attack delivers a predetermined amount of HTTP requests followed by RST_STREAM. This pattern is then repeated to produce a large volume of traffic on the targeted HTTP/2 servers.
Read more »
OpenAI
Anonymous Sudan ChatGPT Cyber Attacks DDoS DDOS Attack Hacktivists OpenAI

OpenAI Reveals ChatGPT is Being Attacked by DDoS


AI organization behind ChatGPT, OpenAI, has acknowledged that distributed denial of service (DDoS) assaults are to blame for the sporadic disruptions that have plagued its main generative AI product.

As per the developer’s status page, ChatGPT and its API have been experiencing "periodic outages" since November 8 at approximately noon PST.

According to the most recent update published on November 8 at 19.49 PST, OpenAI said, “We are dealing with periodic outages due to an abnormal traffic pattern reflective of a DDoS attack. We are continuing work to mitigate this.”

While the application seemed to have been operating normally, a user of the API reported seeing a "429 - Too Many Requests" error, which is consistent with OpenAI's diagnosis of DDoS as the cause of the issue.

Hacktivists Claim Responsibility 

Hacktivist group Anonymous Sudan took to Telegram, claiming responsibility of the attacks. 

The group claimed to have targeted OpenAI specifically because of its support for Israel, in addition to its stated goal of going against "any American company." The nation has recently been under heavy fire for bombing civilians in Palestine.

The partnership between OpenAI and the Israeli occupation state, as well as the CEO's declaration that he is willing to increase investment in Israel and his multiple meetings with Israeli authorities, including Netanyahu, were mentioned in the statement.

Additionally, it asserted that “AI is now being used in the development of weapons and by intelligence agencies like Mossad” and that “Israel is using ChatGPT to oppress the Palestinians.”

"ChatGPT has a general biasness towards Israel and against Palestine," continued Anonymous Sudan.

In what it described as retaliation for a Quran-burning incident near Turkey's embassy in Stockholm, the group claimed responsibility for DDoS assaults against Swedish companies at the beginning of the year.

Jake Moore, cybersecurity advisor to ESET Global, DDoS mitigation providers must continually enhance their services. 

“Each year threat actors become better equipped and use more IP addresses such as home IoT devices to flood systems, making them more difficult to protect,” says Jake.

“Unfortunately, OpenAI remains one of the most talked about technology companies, making it a typical target for hackers. All that can be done to future-proof its network is to continue to expect the unexpected.”  

Read more »
Medusa Ransomware
AT Auckland Transport Auckland Transport attack Cyber Attacks DDOS Attack Medusa Attacks Medusa Ransomware

Auckland Transport Suffers Another Ransomware Attack, Mobile App and Website Affected


Official website of Auckland Transport has suffered another cyberattack where their mobile app and live departure displays have been compromised. 

The spokesperson for Auckland Transport (AT) said they believed this attack was is in fact linked to the most recent one, in which a ransomware gang known as Medusa demanded a US $1 million ransom and threatened to post AT's data online if it was not paid.

“The current issue is a malicious attempt to disrupt the traffic to our website, by overwhelming it with a flood of internet traffic - a distributed denial-of-service attack,” the spokesperson stated. “Customers are experiencing intermittent issues accessing our website, AT Mobile App, AT Park, Journey Planner and public information displays[…]We are working to maintain security and access to our website but anticipate these issues unfortunately may be ongoing for some time.”

AT further confirmed that it is “confident” that no customer data or financial details have been stolen.

Medusa's Attack on AT

AT was attacked by the Medusa ransomware gang on September 14. Dean Klimpton, the CEO of AT, responded to a Herald report on Medusa's attack where the attackers had threatened to post AT data on the dark web if a US$1 million ($1.7 million) ransom was not paid. 

“AT is aware that Medusa has publicly announced a ransom for data,” Klimpton said. “We have no interest in engaging with this illegal and malicious activity,” he added.

Klimpton further notes that there is a sign indicating that personal or financial data has been compromised in the September attack.

DDoS Attack

A distributed denial of service (DDoS) attack involves an army of bots that gain access to a website simultaneously, preventing ordinary users from accessing it. 

A distributed denial of service (DDoS) attack involves an army of bots that try to access a website simultaneously, overwhelming it and rendering it inaccessible to regular users. Cybersecurity professionals compared it to sheep blocking a country road. Users are blocked, but no data is at risk.

The DDoS attack this afternoon is Medusa's vengeful response to AT's unwillingness to pay the cyber ransom; it poses no harm to any data.

Also, AT’s app suffered an outage earlier this morning, however AT claims that it was just a regular glitch that was not related to the cyberattack.  According to Brett Callow, a threat analyst with the New Zealand-based security company Emsisoft, on August 14 Medusa launched a DDoS attack against Levare International. This company produces prosthetic limbs in Dubai.

Though Medusa originally appeared in 2021, it was not until this year that the ransomware group made headlines.

According to Callow, the organization has taken credit for assaults against the Minneapolis Public School System, Tonga Communications, and the Crown Princess Mary Cancer Centre in Australia, which resulted in the release of private student and teacher records.

Ransomware gangs are often situated in Eastern Europe or Russia due to a combination of computer skills and authorities that are frequently unwilling to cooperate with Western agencies. The location of the gang's base of operations is currently unknown.  

Read more »
Machine learning
cyber attack Cyber Attacks Cyber Data Data Data Safety DDOS Attack Downtime eCitizen Service Kenya Machine learning

Kenya's eCitizen Service Faces Downtime: Analyzing the Cyber-Attack

 

Russian hacking groups have predominantly targeted Western or West-aligned countries and governments, seemingly avoiding any attacks within Russia itself. 

During the Wagner mutiny in June, a group expressed its support for the Kremlin, stating that they didn't focus on Russian affairs but wanted to repay Russia for the support they received during a similar incident in their country.

The attack on Kenya involved a Distributed Denial of Service (DDOS), a well-known method used by hackers to flood online services with traffic, aiming to overload the system and cause it to go offline. This method was also used by Anonymous Sudan during their attack on Microsoft services in June.

According to Joe Tidy, who conducted an interview, it is difficult to ascertain the true identity of the group responsible for the attack. 

Kenya's Information Minister revealed that the attackers attempted to jam the system by generating more than ordinary requests, gradually slowing down the system. Fortunately, no data exfiltration occurred, which would have been highly embarrassing.

Kenya had a reasonably strong cybersecurity infrastructure, ranking 51st out of 182 countries on the UN ITU's Cybersecurity Commitment Index. 

However, the extensive impact of the attack demonstrated the risks of relying heavily on digital technology for critical economic functions without adequately prioritizing cybersecurity. Cybersecurity and digital development should go hand-in-hand, a lesson applicable to many African countries.
Read more »
Outlook
Anonymous Sudan Cloud Platform Cyber Attacks Cyberattack DDOS Attack Microsoft Outlook

Microsoft: Disruptions in Outlook, Cloud Platform Services Were Caused by a Cyberattack


Earlier this June, some periodic but significant disruptions could be seen in Microsoft’s flagship office suite. That cyberattack disrupted services of Microsoft affiliated apps like Outlook email and OneDrive file sharing app along with cloud computing platform. After the attack was confirmed, an anonymous hacktivist seems to have taken the blame, claiming to have flooded the sites with traffic through their distributed denial-of-service (DDoS) attacks.

Microsoft was initially hesitant to admit that DDoS attacks by the murky upstart were to blame, but has since admitted that this was the case.

Although, they did not immediately confirm the number of customers affected by the attack or whether it had any global impact, Microsoft has now provided certain details on the matter.

A Microsoft spokesperson stated that the threat group behind the attacks has confirmed to have been ‘Anonymous Sudan.’ At the time, it took ownership of the situation via its Telegram social media channel. Some cybersecurity experts think the group is based in Russia.

On Friday, an explanation on the matter by Microsoft was published in a blog post following a request from The Associated Press made two days prior. The post, which was sparse on data, stated that the attacks "temporarily impacted availability" of some services. According to the report, the attackers targeted "disruption and publicity" and used probable rented cloud infrastructure and virtual private networks to flood Microsoft servers with attacks from so-called botnets of zombie machines spread around the world.

According to Microsoft, there is no proof that any customer information was accessed or compromised.

In regards to the severity of attacks, Jake Williams, a prominent cybersecurity researcher and a former NSA offensive hacker says “We really have no way to measure the impact if Microsoft doesn’t provide that info.” William added he was unaware of Outlook being attacked previously at this scale.

“We know some resources were inaccessible for some, but not others. This often happens with DDoS of globally distributed systems,” Williams added. “Microsoft’s apparent unwillingness to provide an objective measure of customer impact probably speaks to the magnitude,” he said.

While DDoS attacks do not come under the severity radar in cyber activities since they only make websites inaccessible without even penetrating them, security professionals believe that they can however disrupt the operations of several million of online users if they are successful in exploiting services of software service giants, like Microsoft, since a large chunk of global commerce rely on such organizations.

Read more »
malware
Cayosin Botnet Cryptojacking Campaign DDOS Attack malware

From Cryptojacking to DDoS Attacks: Diicot Expands Tactics with Cayosin Botnet

 

A group of cybersecurity experts has recently unearthed previously unreported payloads linked to a Romanian threat actor named Diicot. The discovery sheds light on the threat actor's capability to execute distributed denial-of-service (DDoS) attacks. In July 2021, a cybersecurity firm called Bitdefender discovered the actions of a threat actor named Diicot (formerly known as Mexals). 

The investigation revealed that Diicot utilized a tool called Diicot Brute, which is a Go-based SSH brute-forcer, to compromise Linux hosts as part of their cryptojacking campaign. Akamai revealed a renewed surge in Diicot's operations that had been previously identified in 2021. This latest wave of attacks, believed to have commenced around October 2022, allowed the threat actor to accumulate illicit profits amounting to approximately $10,000. 

A recent analysis conducted by Cado Security has uncovered that the Diicot group has expanded its tactics by utilizing a ready-made botnet agent called Cayosin. This particular malware, which exhibits similarities to Qbot and Mirai, signifies a significant development for the threat actor as it demonstrates their newfound capability to launch distributed denial-of-service (DDoS) attacks. 

Additionally, the group has engaged in activities such as revealing private information about rival hacking groups, a practice known as doxxing. Furthermore, Diicot relies on the popular communication platform Discord for controlling its operations and extracting stolen data. 

The threat actor, Diicot, employs several distinct tools in their operations: 

Chrome:  This tool functions as an internet scanner using Zmap technology. It gathers information during operations and saves the outcomes to a text file named "bios.txt". 

Update:  This executable is responsible for fetching and executing the SSH brute-forcer and Chrome tools if they are not already present on the compromised system. 

History:  Designed as a shell script, History facilitates the execution of the Update tool. 

DDoS attacks and Cryptojacking Relation 

DDoS attacks and cryptojacking are being combined by cybercriminals. The connection lies in using DDoS attacks to distract from and mask cryptojacking activities. This can involve launching a DDoS attack on a cryptocurrency exchange to divert attention. 

It can also include using DDoS attacks to test a victim's defenses and exploit vulnerabilities for cryptojacking. The consequences of this combination include increased energy consumption, hardware damage, and the potential theft of sensitive information. 

The SSH brute-forcer tool, also known as aliases, utilizes the information extracted from Chrome's text file output. It processes this data to gain access to each identified IP address. If the brute-forcing attempt is successful, it establishes a remote connection to the respective IP address. 

To determine if your computer is part of a botnet, watch out for the following signs: 

  • Unexplained activity: Excessive running of the processor, hard drive, or computer fans without a clear cause. 
  • Slow Internet: Unusually slow internet speeds, despite no active downloads, uploads, or software updates. 
  • Slow reboots and shutdowns: Sluggish shutdowns or restarts, potentially caused by malicious software.
  • Application crashes: Previously stable programs now frequently crashing or behaving erratically. 
  • High RAM usage: Check if an unknown application is consuming a significant portion of your computer's memory. 
  • Mysterious emails: Recipients reporting spam or malicious emails sent from your account. 
  • Unsafe habits: Neglecting important security updates, visiting unsafe websites, downloading unsafe software, or clicking on malicious links. 

To protect against these attacks, organizations are advised to implement measures such as SSH hardening and firewall rules. By implementing SSH hardening practices, organizations can strengthen the security of their SSH configurations. 

Additionally, setting up firewall rules helps limit SSH access to specific IP addresses, reducing the potential for unauthorized access attempts. These proactive measures can significantly enhance the security posture of organizations against SSH-related threats.
Read more »
NCA
Cyber Attacks Cybercrime Markets DDOS Attack National Crime Agency National Cyber Crime Unit NCA

NCA Infiltrates Cybercrime Market With Fake DDoS Sites


UK’s National Crime Agency (NCA) has recently conducted a sting operation as a part of Operation Power Off, a collaboration of international law enforcement agencies to shut down DDoS (distributed denial of service) infrastructure. 

In order to sabotage the online black market, the NCA set up a number of fictitious DDoS websites and offered booter or DDoS-for-hire services. It is important to keep in mind that the UK's Computer Misuse Act of 1990 makes DDoS attacks illegal. 

All of these websites were created by the NCA to appear genuine, giving the visitor the idea that they could initiate DDoS attacks using the provided tools and services. 

According to the agency, many a thousand individuals have visited the sites, although, after registering on the site, visitors are instead presented with a splash screen telling them that their data has been captured and law enforcement authorities would contact them instead of receiving the services they had signed up for. 

In the most recent report, the NCA confirms to have identified one of the websites it was operating, with a message that the data of users has been collected and that they “will be contacted by law enforcement.” 

The individuals who are currently in the UK will be contacted by the NCA or police and are warned about engaging in any cybercrime-related activity, whereas, the details of those overseas are being handed out to international law enforcement. 

DDoS Attacks 

In a DDoS attack, compromised computer systems bombard a target (server or website), causing severe financial or reputational damage to the targeted organization. “DDoS-for-hire, or ‘booter’, services allow users to set up accounts and order DDoS attacks in a matter of minutes […] Such attacks have the potential to cause significant harm to businesses and critical national infrastructure, and often prevent people from accessing essential public services,” said the NCA. 

Alan Merrett, member of NCA’s National Cyber Crime Unit says “booter services” are a key enabler of cybercrime. “The perceived anonymity and ease of use afforded by these services means that DDoS has become an attractive entry-level crime, allowing individuals with little technical ability to commit cyber offences with ease,” he said. 

He added that traditional site takedowns and arrests are key components of law enforcement’s response to threats while adding, “We have extended our operational capability with this activity, at the same time as undermining trust in the criminal market.” 

The NCA says that it will not reveal how many sites it has or for how long they have been running. Therefore, they have urged individuals looking for these services to stay cautious as they might not know who is operating them. 

Read more »
Russian Cyber Security
Cyber Attacks DDoS DDOS Attack DDOS Attacks Killnet Russia Russian Cyber Security

KillNet: Pro-Russian Threat Actors Claims Responsiblity for 14 DDoS Attacks on U.S. Airports

 

On Monday, a pro-Russian hackers group ‘KillNet reportedly claimed to be behind the DDoS attacks, that temporarily took down the websites of several U.S. airports.
 
A similar case was witnessed by Atlanta International Airport. Consequently, users were unable to access the websites for a few hours during the campaign. Though, the attacks did not have any impact on flight operations.
 
The Los Angeles International Airport (LAX) authority informed about a threat on their website to the Transportation Security Administration and the FBI.
 
"The service interruption was limited to portions of the public facing FlyLAX.com website only. No internal airport systems were compromised and there were no operational disruptions," a spokesperson stated in an emailed statement. Adding to the statement, she said the airport’s IT Team has restored all services and is investigating the cause.
 
Later, the hacker group apparently posted the list of the hacked airport websites on Telegram that included 14 targeted domains, urging hackers to participate in the DDoS attack.
 
The Airport websites impacted by the group include Los Angeles International, Chicago O’Hare, Hartsfield-Jackson Atlanta International Airport, the Los Angeles International Airport (LAX), the Chicago O’Hare International Airport (ORD), the Orlando International Airport (MCO), the Denver International Airport (DIA), the Phoenix Sky Harbor International Airport (PHX), and the sites of airports in Kentucky, Mississippi, and Hawaii.
 
In a Telegram post on Monday, Killnet listed other U.S. sites that could be the next potential victims of similar DDoS attacks, such as sea terminals and logistics facilities, weather monitoring centers, health care systems, subway systems, and exchanges and online trading systems.
 
Apparently, this DDoS attack was not the first attack by KillNet as KillNet has previously targeted many other countries that were against the Russian invasion of Ukraine. These NATO countries include Italy, Romania, Estonia, Lithuania, and Norway.
 
KillNet's DDoS attacks and those urging other threat actors to carry out are an example of what security experts determine is the tendency in recent years of geopolitical tensions, to be permeated the cyber world. As per the speculations, this campaign against the US and other NATO countries, for instance, instigates days after an explosion demolished a section of a major bridge connecting Russia to the Crimean Peninsula.
Read more »
Russia
Cobalt Strike Cyber Attacks DDOS Attack Ransomware Gang Russia

Anonymous Hacker Targets Cobalt Strike Servers Linked to Former Conti Gang Members

 

An anonymous hacking group launched DDoS assaults on Cobalt Strike servers handled by former Conti ransomware members with anti-Russian texts to halt their operation. 

Earlier this year in May, the Conti ransomware gang permanently switched off its operation but its members joined other groups, such as Quantum, Hive, and BlackCat. However, former Conti members continued employing the same Cobalt Strike infrastructure to launch new attacks. 

The hackers flooded the CS servers employed by Conti hackers to control the Cobalt Strike (CS) with anti-Russian texts such as “Stop the war!,” “15000+ dead Russian soldiers!,” and “Be a Russian patriot!” 

According to Vitali Kremez, the CEO of cyber intelligence company Advanced Intelligence (AdvIntel), the hackers targeted at least four Cobalt Strike servers by former Conti gang members. 

The messages are flooding the servers at a rapid rate of nearly two every second resulting in the disruption of Conti ransomware operations. Kremez says whoever is behind this activity constantly targeting Cobalt Strike servers is believed to be operated by previous Conti ransomware members, resuming the flood whenever a new server is discovered. 

“Red teamers operating Cobalt Strike infrastructure to help identify gaps for organizations need to ensure that they are properly protecting their infrastructure,” stated Jerrod Piker, threat analyst at Deep Instinct. “DoS/DDoS protection is necessary as evidenced by the recent Conti group attacks, as well as advanced malware prevention, identity protection, and access control. Attackers will always look for and eventually discover low-hanging fruit, so we have to ensure that we make their discovery process as difficult as possible.” 

Conti is one of the most prolific ransomware groups of the last year along with LockBit 2.0, PYSA, and Hive, and has blocked hospital, corporate, and government agency networks while demanding ransom for sharing the decryption key as part of their name-and-shame scheme. 

After the ransomware gang sided with Russia in February to invade Ukraine, an anonymous pro-Ukraine hacktivist under the Twitter handle ContiLeaks released the malware source code, credentials, chat logs, and operational workflows.

Hackers getting the taste of their own medicine 

It remains unclear who is behind these messages but for the moment they’re keeping the hackers busy. Last month, the LockBit ransomware gang suffered a DDoS attack disrupting its operation. The attack was launched after the gang claimed responsibility for a hack on security firm Entrust earlier this year. 

The hackers blamed the DDoS on Entrust since the HTTPS requests came with the message to delete the company’s data. However, the halt was temporary and the ransomware gang came online with enhanced infrastructure allowing them to keep the stolen data intact even when facing distributed denial-of-service (DDoS) attacks.
Read more »
Vulnerabilities and Exploits
Bugs DDOS Attack Flaws Vulnerabilities and Exploits

Mirai Variant MooBot Botnet Exploiting D-Link Router Flaws

 

MooBot, a Mirai botnet variant, is transforming vulnerable D-Link devices into an army of denial-of-service bots by exploiting multiple vulnerabilities. 

Palo Alto Networks Unit 42 said in a Tuesday report, "If the devices are compromised, they will be fully controlled by attackers, who could utilize those devices to conduct further attacks such as distributed denial-of-service (DDoS) attacks."
 
MooBot, which was first revealed in September 2019 by Qihoo 360's Netlab team, has previously aimed at LILIN digital video recorders and Hikvision video surveillance products to broaden its network. As many as four different flaws in D-Link devices, both old and new, have paved the way for the deployment of MooBot samples in the most recent wave of attacks discovered by Unit 42 in early August 2022. These are some examples:
  • CVE-2015-2051 (CVSS score: 10.0) - D-Link HNAP SOAPAction Header Command Execution Vulnerability
  • CVE-2018-6530 (CVSS score: 9.8) - D-Link SOAP Interface Remote Code Execution Vulnerability
  • CVE-2022-26258 (CVSS score: 9.8) - D-Link Remote Command Execution Vulnerability, and
  • CVE-2022-28958 (CVSS score: 9.8) - D-Link Remote Command Execution Vulnerability
Exploiting the aforementioned flaws successfully could result in remote code execution and the retrieval of a MooBot payload from a remote host, which then decodes instructions from a command-and-control (C2) server to launch a DDoS attack on a specific IP address and port number.

Customers with D-Link appliances are strongly advised to implement the company's patches and upgrades to mitigate potential threats.

The researchers stated, "The vulnerabilities [...] have low attack complexity but critical security impact that can lead to remote code execution.n Once the attacker gains control in this manner, they could take advantage by including the newly compromised devices into their botnet to conduct further attacks such as DDoS."
Read more »
United States
Cyber Attacks DDOS Attack Government Sites Taiwan United States

Taiwanese Government Sites Suffered DDoS Attacks Following Nancy Pelosi Visit

 

Multiple Taiwanese government sites were disrupted by distributed denial-of-service (DDoS) attacks following the much-publicized arrival of U.S. House Speaker Nancy Pelosi who became the first high-ranking U.S. official in 25 years to visit the democratic island nation. 

Pelosi reportedly met Taiwanese President Tsai Ing-wen and reiterated America’s support for the country of 24 million. 

The cyber attacks caused intermittent outages across the government English portal, some websites of the presidential office, foreign ministry, and defense ministry. 

According to Taiwan's foreign ministry, the attacks on its website and the government's English portal were linked to Chinese and Russian IP addresses that tried to access the websites up to 8.5 million times per minute. 

A separate statement from a Tsai spokesperson on Facebook said the attack had funneled 200 times more traffic than usual to the site. However, it was back up and running just 20 minutes later, it added. 

“While the PRC is more than capable of this type of attack, DDoS is fairly unsophisticated and somewhat brutish, and it's not a tool they are known to deploy,” explained Casey Ellis, founder, and CTO at Bugcrowd. China has an enormous population of very clever technologists, large security research and hacking community, and a large government-sponsored team with offensive capability ranging from information warfare to targeted exploit development and R&D.” 

Experts believe that the attacks were likely launched by Chinese activist hackers rather than the Chinese government as retaliation for the visit of Nancy Pelosi. 

Taiwan has accused China of ramping up cyber assaults since the 2016 election of President Tsai Ing-wen, who views the island as a sovereign nation and not a part of China. In 2020, Taiwanese authorities said China-linked hackers breached at least 10 Taiwan government agencies and secured access to nearly 6,000 email accounts in an attempt to exfiltrate data. 

Earlier this year in February, Chinese APT group APT10 (aka Stone Panda, Bronze Riverside) targeted Taiwan’s financial trading sector with a supply chain attack. The malicious campaign was launched by the threat actors in November 2021, but it hit a peak between February 10 and 13 2022, Taiwanese cybersecurity firm CyCraft reported.
Read more »
malware
Botnet Cyber Attacks DDOS Attack IoT devices malware

Mantis Botnet Behind Largest HTTPS DDoS Attack Targeting Cloudflare Users

 

A botnet called Mantis has been linked to record-breaking assaults targeting nearly 1,000 Cloudflare customers. 

In June 2022, DDoS mitigation firm Cloudflare disclosed that it successfully thwarted a record-breaking DDoS attack of 26 million requests per second. Just a couple of months earlier in April, Cloudflare also mitigated a previous record-breaking attack of 15.3 million requests per second. Mantis has now been linked to both attacks. 

For the attacks, the majority of traffic originated from Indonesia, the US, Brazil, and Russia with the French OVH (Autonomous System Number 16276), the Indonesian Telkomnet (ASN 7713), the US-based iboss (ASN 137922), and the Libyan Ajeel (ASN 37284) being the top source networks. In the past month alone, over 3,000 HTTP DDoS attacks have been launched against Cloudflare customers.

While previous record-setting DDoS attacks have predominately been generated from botnets that have exploited the rapid proliferation of IoT devices, the latest assaults have increased their intensity by exploiting far more powerful devices. 

Cloudflare’s Product Manager Omer Yoachimik stated that the attack last month “originated mostly from cloud service providers as opposed to residential internet service providers, indicating the use of hijacked virtual machines and powerful servers to generate the attack—as opposed to much weaker Internet of Things devices.” 

In one attack on an unnamed customer last month, more than 212 million HTTPS requests were generated from over 1,500 networks across 121 countries in under 30 seconds. 

The most impacted industry verticals include internet and telecom, media, gaming, finance, business, and shopping, of which over 20% of the attacks targeted U.S. firms, followed by Russia, Turkey, France, Poland, Ukraine, the U.K., Germany, the Netherlands, and Canada. 

According to Cloudflare researchers, the botnet is identical to the shrimp and is less than 10cm in length. Despite being so small, the claws of mantis shrimps can generate a shock wave with a force of 1,500 Newtons at speeds of 83 km/h from a standing start. 

“The Mantis botnet operates a small fleet of approximately 5,000 bots, but with them can generate a massive force — responsible for the largest HTTP DDoS attacks we have ever observed,” explained Yoachimik.
Read more »
RPS
Cloud Services Cyber Attacks DDOS Attack HTTP Requests RPS

Cloudflare Mitigates a Record-Breaking DDoS Assault Peaking at 26 Million RPS

 

Last week, Cloudflare thwarted the largest HTTPS DDoS attack ever recorded. The attack amassed 26 million HTTPS requests per second, breaking the previous record of 15.3 million requests for that protocol set earlier this year in April. 

The attack targeted an unnamed Cloudflare customer and mainly originated from cloud service providers instead of local internet services vendors, which explains its size and indicates that hijacked virtual devices and powerful servers were exploited during the assault, Cloudflare Product Manager Omer Yoachimik disclosed in a blog post. 

To deliver the malicious traffic, nearly 5,000 devices were employed with each endpoint generating roughly 5,200 RPS at peak. This demonstrates the true nature of virtual machines and servers when used for DDoS attacks, as other larger botnets aren’t capable of impersonating a fraction of this power. 

For example, a botnet of 730,000 devices was spotted generating nearly 1 million RPS, which makes the botnet behind the 26 million RPS DDoS attack 4,000 times stronger. 

"To contrast the size of this botnet, we've been tracking another much larger but less powerful botnet of over 730,000 devices," stated Omer Yoachimik. "The latter, larger botnet wasn't able to generate more than one million requests per second, i.e., roughly 1.3 requests per second on average per device. Putting it plainly, this botnet was, on average, 4,000 times stronger due to its use of virtual machines and servers.” 

Thirty seconds into the assault, the botnet generated over 212 million HTTPS requests from more than 1,500 networks, located in 121 nations. Most requests came from Indonesia, the US, Brazil, and Russia with the French OVH (Autonomous System Number 16276), the Indonesian Telkomnet (ASN 7713), the US-based iboss (ASN 137922), and the Libyan Ajeel (ASN 37284) being the top source networks.

According to Cloudflare, the assault was over HTTPS, making it more expensive in terms of required computational resources, as establishing a secure TLS encrypted connection costs more. Consequently, it also costs more to mitigate it. 

"HTTPS DDoS attacks are more expensive in terms of required computational resources because of the higher cost of establishing a secure TLS encrypted connection," Yoachimik explained. "Therefore, it costs the attacker more to launch the attack, and for the victim to mitigate it. We've seen very large attacks in the past over (unencrypted) HTTP, but this attack stands out because of the resources it required at its scale." 

This is one of the multiple volumetric assaults identified by Cloudflare throughout the last several years. An HTTP DDoS attack that was discovered in August 2021 saw around 17.2 million requests per second being generated. More recently, a mitigated 15.3 million rps attack that occurred in April 2022 saw around 6,000 bots being employed in order to target a Cloudflare customer who was running a crypto launchpad. 

Last year in November, Microsoft revealed that it thwarted a record-breaking 3.47 terabits per second (Tbps) DDoS attack that flooded servers used by an Azure customer from Asia with malicious packets.
Read more »
Subscribe to: Posts (Atom)