
Telegram is Selling the Eternity Malware Kit, Which Offers Malicious Services 

 

Cybercriminals have recently been using Telegram to offer malware and other dangerous tools as a service. Researchers have discovered a new malware subscription offering that can be used to facilitate a wide range of attacks.

The "Eternity Project," a modular malware kit, has capabilities that allow buyers to steal passwords and credit card information, launch ransomware attacks and infiltrate victims with cryptomining software. Each component of the malware toolkit, such as an information stealer, a coin miner, a clipper, ransomware software, a worm spreader, and, finally, a DDoS (distributed denial of service) bot, can be purchased separately. 

The creators share updates and usage instructions, and debate feature proposals, on a private Telegram channel with over 500 members. Buyers can apparently use a Telegram bot to assemble the binary automatically after choosing the desired feature set and paying the equivalent amount in cryptocurrency. The most expensive module costs $490 per year. The info-stealer, which costs $260 per year, steals passwords, credit cards, bookmarks, tokens, cookies, and autofill data from over twenty different web browsers.

The malware's versatility is also highlighted through a deep-dive investigation of the infostealer module. Researchers claim that this single tool may gather data from a wide range of apps, including web browsers and cryptocurrency wallets, as well as VPN clients, messaging apps, and more. 

The miner module costs $90 a year and includes features such as invisibility in Task Manager, automatic restart when killed, and launch-at-startup persistence. The clipper is a $110 application that scans the clipboard for cryptocurrency wallet credentials and replaces them with wallets controlled by the kit's operator. The Eternity Worm is available for $390 and can propagate itself via USB drives, LAN shares, local files, cloud drives, Python projects, Discord accounts, and Telegram accounts.

The authors claim the worm is fully undetectable (FUD), a claim supported by VirusTotal data showing zero detections for the strain. Notably, the ransomware module offers an option to set a timer after which the files are rendered entirely unrecoverable, adding to the pressure on the victim to pay the ransom as quickly as possible.

Despite the wide range of hazards posed by the Eternity Project malware, Cyble says there are a few precautions users can take: maintaining regular data backups, keeping software up to date, and avoiding untrustworthy websites and email attachments.

Russia Dubbed as the "Centre" of European-wide Cyber-Attacks

 

Since the beginning of Russia's invasion of Ukraine, the EU, UK, US, and other allies have recognized that Russia has been behind a wave of cyber-attacks. The most recent, a distributed denial-of-service (DDoS) attack on Viasat's commercial communications network in Ukraine that occurred on the same day Russia launched its full-scale invasion, had a wider impact across Europe, disrupting wind farms and internet users.

The Viasat outage affected almost one-third of bigblu's 40,000 users throughout Europe, including Germany, France, Hungary, Greece, Italy, and Poland, according to Eutelsat, the parent company of the bigblu satellite internet service. The incident impacted wind farms and internet users in central Europe and caused outages for thousands of Ukrainian customers.

In this regard, the key statements by the West are as follows:

  • The European Union said that Russia was behind the attack, which occurred "one hour before" the invasion of Ukraine.
  • Estonia, an EU member state, went even further: with "high certainty," the country blamed the hack on Russia's military intelligence arm, saying it had "gone counter to international law."
  • The United Kingdom's National Cyber Security Centre is "almost convinced" that Russia was behind the Viasat attack, citing "new UK and US intelligence." The same report said that "Russian Military Intelligence was almost certainly involved" in defacing Russian websites and releasing damaging spyware.

The main target, according to the joint intelligence advisory, was the Ukrainian military. "Thousands of terminals have been destroyed, rendered useless, and are unable to be restored," according to Viasat. The UK's National Cyber Security Centre (NCSC) also assessed that Russian military intelligence was almost certainly involved in the January 13 attacks on Ukrainian official websites and the distribution of the WhisperGate destructive malware.

"This is clear and alarming proof of an intentional and malicious attack by Russia against Ukraine, which had huge ramifications for ordinary people and businesses in Ukraine and across Europe," Foreign Secretary Liz Truss said. 

Previously, in June 2017, Russian criminals hijacked the update mechanism of the Ukrainian accounting software provider MEDoc, infecting MEDoc users with the NotPetya wiper. Evidence suggests that wiper malware again infected several Ukrainian government networks in 2022, and that Gamaredon attacks targeted roughly 5,000 entities, including critical infrastructure and government departments.

At a press conference at CYBERUK 2022, NCSC director of operations Paul Chichester addressed why the attribution was being made now, two and a half months after the incident. "We execute attributions in a process-driven manner; accuracy is extremely essential to us," he explained. Collaboration with international bodies such as the EU and the Five Eyes added to the time it took to release this material.

Such cyber activity aims to demoralize the public and degrade essential infrastructure. The perceived difficulty of precisely attributing an attack to any single aggressor is one benefit of conducting the earliest stages of kinetic activity in cyberspace. Putin has been emphatic in denying any Russian government participation in the attacks.

Cloudflare Blocks a DDoS Attack with 15 Million Requests Per Second

 

On Wednesday, Cloudflare, an internet infrastructure company, revealed it had successfully mitigated one of the largest volumetric distributed denial-of-service (DDoS) attacks ever seen. A DDoS attack peaking at 15.3 million requests per second (rps) was detected and mitigated earlier this month, making it one of the largest HTTPS DDoS attacks on record.

According to Cloudflare's Omer Yoachimik and Julien Desgats, "HTTPS DDoS assaults are more expensive in terms of the necessary computational resources due to the increased cost of establishing a secure TLS encrypted connection. As a result, the attacker pays more to launch the assault, and the victim pays more to mitigate it. Traditional bandwidth DDoS assaults, in which attackers seek to exhaust and jam the victim's internet connection bandwidth, are different from volumetric DDoS attacks. Instead, attackers concentrate on sending as many spam HTTP requests as possible to a victim's server to consume valuable server CPU and RAM and prevent legitimate visitors from accessing targeted sites."
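The request floods described above are visible on the receiving side as a per-client request rate far above any human browsing pattern. The following added example (written for this page, not Cloudflare's code) parses a few constructed Common Log Format access-log lines, buckets requests per client per second, flags clients whose peak rate reaches a threshold, and reports the aggregate peak rps that mitigation reports quote. The IP addresses, timestamps and the threshold value are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample access-log lines in Common Log Format (not real traffic).
# 203.0.113.7 hammers "/" several times per second; the other two clients
# behave normally.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Apr/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [20/Apr/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [20/Apr/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [20/Apr/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 512
198.51.100.9 - - [20/Apr/2022:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 2048
192.0.2.44 - - [20/Apr/2022:10:00:01 +0000] "GET /about HTTP/1.1" 200 1024
192.0.2.44 - - [20/Apr/2022:10:00:01 +0000] "GET /style.css HTTP/1.1" 200 300
203.0.113.7 - - [20/Apr/2022:10:00:02 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [20/Apr/2022:10:00:02 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [20/Apr/2022:10:00:02 +0000] "GET / HTTP/1.1" 200 512
198.51.100.9 - - [20/Apr/2022:10:00:03 +0000] "GET /contact HTTP/1.1" 200 900
"""

# Common Log Format: ip ident user [timestamp] "method path proto" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return (client_ip, epoch_second, path) for a CLF line, or None if the
    line does not parse. Malformed lines are skipped rather than trusted."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), int(ts.timestamp()), m.group("path")


def per_source_rps(log_text):
    """Map each client IP to a Counter of requests per epoch second."""
    buckets = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ip, second, _ = parsed
            buckets[ip][second] += 1
    return buckets


def detect_floods(log_text, threshold_rps=3):
    """Return {ip: peak_rps} for every client whose peak per-second request
    rate reaches threshold_rps. The threshold is a constructed tuning knob;
    a real deployment derives it from the site's normal per-client baseline."""
    flagged = {}
    for ip, counts in per_source_rps(log_text).items():
        peak = max(counts.values())
        if peak >= threshold_rps:
            flagged[ip] = peak
    return flagged


def site_peak_rps(log_text):
    """Peak aggregate request rate across all clients in any one second."""
    total = Counter()
    for counts in per_source_rps(log_text).values():
        total.update(counts)
    return max(total.values()) if total else 0


if __name__ == "__main__":
    print("flooding sources:", detect_floods(SAMPLE_LOG))  # {'203.0.113.7': 4}
    print("site peak rps:", site_peak_rps(SAMPLE_LOG))     # 7
```

Per-source rate is the simplest signal; on a real edge the same bucketing is usually extended to the TLS handshake rate per source, since the passage's point is that each HTTPS request the flood forces the server to accept costs a handshake.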

Cloudflare previously announced that it mitigated the world's largest DDoS attack in August 2021, when it countered a 17.2 million HTTP requests per second (rps) attack, which the company described as nearly three times larger than any prior volumetric DDoS attack observed in the public domain. According to Cloudflare, the current attack was launched from a botnet of about 6,000 unique infected devices, with Indonesia accounting for 15% of the attack traffic, followed by Russia, Brazil, India, Colombia, and the United States.

"What's intriguing is the majority of the attacks came from data centers," Yoachimik and Desgats pointed out. "We're seeing a significant shift away from residential network Internet Service Providers (ISPs) and towards cloud compute ISPs." According to Cloudflare, the attack was directed at a "crypto launchpad," which is "used to showcase Decentralized Finance projects to potential investors." 

Amazon Web Services recorded the largest bandwidth DDoS attack ever, at 2.3 terabits per second (Tbps), in February 2020. In addition, cybersecurity firm Kaspersky reported this week that the number of DDoS attacks increased 4.5 times year over year in the first quarter of 2022, owing partly to Russia's invasion of Ukraine.

The Fodcha DDoS Botnet Hits Over 100 Victims

 

Qihoo 360 researchers have found a rapidly spreading new botnet called Fodcha that is capable of performing over 100 attacks every day. Using this new malware, the threat actor is attacking routers, DVRs, and servers, and according to the researchers was able to infect nearly 62,000 machines in less than a month.

360 Netlab reports that the number of unique IP addresses affiliated with the botnet fluctuates; the researchers are monitoring a 10,000-strong Fodcha army of bots using Chinese IP addresses every day, the majority of them on China Unicom (59.9%) and China Telecom (39.4%) networks.

The researchers stated: "Based on firsthand data from the security industry with whom we collaborated, the frequency of live bots is more than 56000. The global infection appears to be quite large, as there are over 10,000 daily active bots (IPs) in China, as well as over 100 DDoS victims targeted daily."

Fodcha infects devices by exploiting n-day vulnerabilities in many devices and by employing the Crazyfia brute-force cracking tool. The botnet targets a variety of devices and services, including but not limited to:

  • Android ADB Debug Server RCE
  • CVE-2021-22205 in GitLab
  • CVE-2021-35394 in the Realtek Jungle SDK
  • JAWS Webserver unauthenticated shell command execution on MVPower DVR
  • LILIN DVR RCE
  • TOTOLINK routers backdoor
  • ZHONE router web RCE

After successfully gaining access to vulnerable Internet-exposed devices, the Fodcha attackers use the Crazyfia results to deploy the malware payload. The botnet samples, according to 360 Netlab, target MIPS, MPSL, ARM, x86, and other CPU platforms.

The botnet used the folded[.]in command-and-control (C2) domain from January 2022 until March 19, when it switched to fridgexperts[.]cc after a cloud vendor took down the original C2 domain.

"The switch from v1 to v2 is due to a cloud vendor shutting down the C2 servers corresponding to the v1 version, leaving Fodcha's operators with no alternative but to re-launch v2 and upgrade C2," the researchers reported. "The new C2 is mapped to over a dozen IP addresses and is scattered across different countries, including the United States, Korea, Japan, and India." It also includes more cloud providers, including Amazon, DediPath, DigitalOcean, Linode, and others. 


New Hybrid Enemybot Malware Targets Routers, Web Servers

 

A recently discovered DDoS botnet is enslaving multiple router models and various types of web servers by abusing known vulnerabilities, researchers at Fortinet Labs warned. 

Dubbed Enemybot, the botnet has been linked to the cybercrime group Keksec, which specializes in DDoS attacks and cryptocurrency mining and has been tied to multiple botnets such as Simps, Ryuk, and Samael.

The malware is the result of combining and modifying the source code of the Gafgyt (Bashlite) botnet, which leaked in 2015, and the infamous Mirai botnet, with the latest version reusing Mirai's scanner module and a bot-killer module.

Enemybot employs multiple obfuscation techniques meant not only to hinder analysis but also to keep it concealed from other botnets, and it connects to a remote server hosted on the Tor anonymity network to fetch attack commands.

The new botnet also attempts to exploit a wide range of devices and architectures by using known combinations of usernames and passwords, running shell commands on Android devices with a compromised Android Debug Bridge port (5555), and targeting roughly 20 known router vulnerabilities.

The most recent of the targeted security loopholes is CVE-2022-27226, a remote code execution issue that impacts iRZ mobile routers, and which was made public on March 19, 2022. Enemybot, Fortinet points out, is the first botnet to target devices from this vendor. 

Enemybot also targets the now infamous Apache Log4j remote code execution vulnerabilities disclosed last year (CVE-2021-44228 and CVE-2021-45046), as well as a couple of path traversal issues in the Apache HTTP server (CVE-2021-41773 and CVE-2021-42013). 

The botnet also attempts to abuse security loopholes in TOTOLINK routers and Seowon routers, as well as older vulnerabilities in ThinkPHP, D-Link routers, NETGEAR products, Zhone routers, and ZyXEL devices. 

Once a flaw has been successfully abused, the malware runs a shell command to download a shell script from a URL that is dynamically updated by the C&C. The script is responsible for downloading the actual Enemybot binary compiled for the target device’s architecture.

After successful exploitation, the malware connects to its C&C server and waits for further instructions. Based on the commands received, it can perform DNS amplification attacks and various other types of DDoS attacks, sniff traffic, and spread to other devices via brute-force attacks.

“This mix of exploits targeting web servers and applications beyond the usual IoT devices, coupled with the wide range of supported architectures, might be a sign of Keksec testing the viability of expanding the botnet beyond low-resource IoT devices for more than just DDoS attacks. Based on their previous botnet operations, using them for crypto mining is a big possibility,” Fortinet notes.

Anonymous: 900,000 Emails From Russian State Media Were Leaked

 

Anonymous, which has been targeting Russia since the invasion of Ukraine, has reported more attacks against critical infrastructure sectors, including one that used an "improved" version of the Russian Conti ransomware, and has called for the targeting of companies that continue to do business in Russia after the slaughter of Ukrainian civilians in Bucha.

More than 900,000 emails from the All-Russia State Television and Radio Broadcasting Company (VGTRK) were purportedly leaked by the NB65 (Network Battalion 65) group, which is linked to the hacker collective Anonymous.

DDoSecrets, a non-profit whistleblower site for news leaks, has made the 786.2 GB cache accessible to the public as a torrent after NB65 shared the hacked emails with it on Monday. Emma Best, a co-founder of DDoSecrets, called it "an unprecedented expose of state-owned media and propaganda which the Russian government views crucial to the state security."

The NB65 hacker group has been breaching Russian entities, collecting private data, and exposing it online for the past month, claiming the attacks are a response to Russia's invasion of Ukraine. The emails, according to the Daily Dot, span more than 20 years of correspondence and include discussions about daily operations as well as the sanctions imposed on Russia by other countries in reaction to its invasion of Ukraine.

Tensor, the Russian space agency Roscosmos, and VGTRK, the state-owned Russian television and radio broadcaster, are among the Russian organizations said to have been targeted by the group. The stolen 786.2 GB of data, comprising 900,000 emails and 4,000 files, was released on the DDoSecrets website following the attack on VGTRK. Since the end of March, the NB65 hackers have adopted a new tactic: attacking Russian institutions with ransomware.

Conti's source code was leaked after the gang sided with Russia in the Ukraine invasion, when a security researcher obtained 170,000 internal chat messages and the source code for the group's operation.

Threat analyst Tom Malka first drew attention to NB65's activities but was unable to locate a ransomware sample, and the group refused to provide one. This changed when a sample of NB65's modified Conti ransomware executable was uploaded to VirusTotal, allowing researchers to see how it functions.

On VirusTotal, almost all antivirus vendors identify this sample as Conti, and Intezer Analyze found that it shares 66% of its code with other Conti ransomware samples. In its file-encryption routine, NB65's malware is on a par with Conti itself.

The All-Russia State Television and Radio Broadcaster (VGTRK) is Russia's largest media conglomerate, with five national television channels, two major international networks, five radio shows, and over 80 regional television and radio networks under its umbrella. The ransomware also leaves R3ADM3.txt ransom notes throughout the encrypted device, in which the threat actors blame the attacks on President Vladimir Putin's invasion of Ukraine.

Due to New Router Flaws, Beastmode Botnet Has a Greater DDoS Potential

 

Beastmode (or B3astmode), a Mirai-based distributed denial-of-service (DDoS) botnet, has extended its list of exploits with three new ones, all targeting various models of TOTOLINK devices.

TOTOLINK is a well-known electronics sub-brand of Zioncom, which recently published firmware patches to address three critical-severity flaws. The DDoS botnet's developers wasted little time in adding these holes to their arsenal to take advantage of the window before TOTOLINK router customers installed the security patches. Beastmode has gained control of vulnerable routers, giving it hardware resources it can use to execute DDoS attacks.

The following is a list of vulnerabilities in TOTOLINK routers: 

  • CVE-2022-26210 (CVSS 9.8) - A command injection vulnerability that could be used to execute arbitrary code.
  • CVE-2022-26186 (CVSS 9.8) - A command injection vulnerability affecting TOTOLINK N600R and A7100RU routers.
  • CVE-2022-25075 to CVE-2022-25084 (CVSS 9.8) - Buffer overflow vulnerabilities in certain TOTOLINK routers, resulting in code execution.

CVE-2021-4045 is used to target the TP-Link Tapo C200 IP camera, which the researchers had not seen in any other Mirai-based campaign. For the time being, the exploit has been implemented incorrectly and does not work, but citing indications of continued development, the researchers advise that "device users must still update its camera software to correct this issue."

Although the flaws affect different devices, they all have the same effect: they allow the attacker to inject commands that download shell scripts via wget and infect the device with Beastmode. The shell scripts differ depending on which device has been infected and which exploit was used.

The new vulnerabilities were not the only ones added to the Beastmode botnet; its creators also added the following older bugs:

  • CVE-2021-45382 - Remote code execution bug in D-Link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L routers.
  • CVE-2021-4045 - Unauthenticated remote code execution bug in the TP-Link Tapo C200 IP camera.
  • CVE-2017-17215 - Unauthenticated remote code execution problem in Huawei HG532.
  • CVE-2016-5674 - Remote execution of arbitrary PHP code through the log argument in the Netgear ReadyNAS product line.

Make sure to deploy the available security updates that correct the vulnerabilities listed above, to prevent Mirai variants from seizing control of routers or IoT devices. TOTOLINK users should go to the vendor's download center, choose their device model, and download and install the most recent firmware version available.

A slow internet connection is one symptom that your router may have been compromised. Additional indicators include the device heating up more than usual, inability to log in to the administration panel, changed settings, or an unresponsive device, all of which a typical user is likely to overlook.

After 17 years, the Zlib Crash-An-App Flaw Has Been Patched

 

Four years after the vulnerability was first found but left unpatched, the widely used zlib data-compression library now has a patch for a flaw that could be abused to crash apps and services. Tavis Ormandy, a bug hunter at Google Project Zero, informed the open-source software security mailing list about the programming error, CVE-2018-25032, which he discovered while trying to figure out what caused a compressor crash.

"We reported it upstream, but it turns out the bug is already public since 2018, but the update never made it into a release. As far as they are aware, no CVE has ever been assigned to it," Ormandy stated. Furthermore, when Eideticom's Danilo Ramos discovered the defect in April 2018, it was already 13 years old, implying the bug had been lurking for 17 years, waiting to be exploited.

zlib is a free, general-purpose data-compression library that is legally unencumbered (i.e., not covered by any patents) and can be used on nearly any computer hardware and operating system. Anyone who has ever used software like PKZIP, WinRAR, 7-Zip, or other archiving utilities will attest to how useful data compression has always been.

The primary goal of data compression is to save space, such as by reducing the storage required for backups or the bandwidth needed for data transfer. Despite the computational overhead of squashing and expanding data before and after storing or sending it, compression frequently saves time as well as space by reducing the amount of data that must be moved between a fast storage location like RAM (memory) and a slow one like a disk, tape, or network.

The fix was never included in a zlib release, and Ormandy published a proof-of-concept exploit that works against both the default and non-default compression strategies supported by the library just a few days after rediscovering the problem. This means any attempt to unpack maliciously crafted compressed data may cause an application or network service to crash.

In a nutshell, this is a memory corruption flaw: if user-supplied data is specially formatted, software that relies on zlib to compress it can crash due to an out-of-bounds write. The open-source zlib is so extensively used that there are plenty of potential avenues for exploitation, which is why this problem is such a big deal despite its nearly two-decade history. zlib's algorithm, DEFLATE, which became an internet standard in 1996, is used to compress and expand data in a variety of file formats and protocols, and the software that handles those inputs will almost certainly use zlib.

According to Sophos, these programs include Firefox, Edge, Chromium, and Tor, as well as the PDF reader Xpdf, the video player VLC, the Word- and Excel-compatible LibreOffice suite, and the image editor GIMP. The zlib problem, first discovered in 1998, allows data in a pending buffer to corrupt a distance symbol table; the resulting out-of-bounds access can crash the program and cause a denial of service.

Users should install a non-vulnerable version of the zlib shared library, usually obtainable from the OS vendor via the latest updates, and developers should make sure their software packages don't rely on a vulnerable version of the dependency, pushing out app or service updates as needed.

Single Packets Launching DDoS Attacks in the Wild

 

Cybersecurity experts from Akamai, Cloudflare, Mitel, Netscout, Lumen Black Lotus Labs, the Shadowserver Foundation, Telus, and Team Cymru have disclosed a DDoS (distributed denial-of-service) attack vector with an amplification ratio exceeding 4 billion to one that can be triggered with a single packet. Tracked as CVE-2022-26143, the vulnerability affects around 2,600 incorrectly provisioned Mitel MiCollab and MiVoice Business Express systems that act as PBX-to-internet gateways and expose a test mode that should not be reachable from the internet.

"The exposed system test facility can be abused to launch a sustained DDoS attack of up to 14 hours in duration by means of a single spoofed attack initiation packet, resulting in a record-setting packet amplification ratio of 4,294,967,296:1," the Shadowserver blog post states. Note also that single-packet attack initiation has the capability of precluding network-operator traceback of the spoofed attack-initiator traffic. This helps hide the origin of the attack infrastructure, making it less likely that the source of the attack can be identified compared to other UDP reflection/amplification DDoS attack vectors.

A driver in the Mitel system includes a command that executes a stress test of status update packets, theoretically producing 4,294,967,294 packets within 14 hours at a maximum possible size of 1,184 bytes each. Shadowserver further explains: "this would yield a sustained flood of just under 393Mbps of attack traffic from a single reflector/amplifier, all resulting from a single spoofed attack initiator packet of only 1,119 bytes in length." This works out to an amplification ratio of around 2,200,288,816:1.

That is a multiplier of 220 billion percent, caused by a single packet. Fortunately, the Mitel system only processes one command at a time, so while a system is being abused for DDoS its users may notice that outbound connectivity is disrupted and unavailable, and ask why. According to ZDNet, "the first attacks using the exploit began on February 18, these were reflected mainly onto ports 80 and 443, and targeted ISPs, financial institutions, and logistics companies."

DoS Attackers are Employing ‘TCP Middlebox Reflection’ to Knock Websites Offline

 


Distributed denial-of-service (DDoS) attackers are employing a new amplification technique called TCP Middlebox Reflection to target websites. Last week, researchers at Akamai, a content delivery network firm, detected the novel attack methodology in the wild for the first time, six months after the technique was published in theory.

"The attack […] abuses vulnerable firewalls and content filtering systems to reflect and amplify TCP traffic to a victim machine, creating a powerful DDoS attack," Akamai researchers stated in a blog post. "This type of attack dangerously lowers the bar for DDoS attacks, as the attacker needs as little as 1/75th (in some cases) the amount of bandwidth from a volumetric standpoint."

Generally, most DDoS amplification attacks exploit the User Datagram Protocol (UDP): the attacker sends packets to a server that replies with a larger packet, and the reply is directed at the victim. In these attacks, the attacker sends thousands of DNS or NTP requests with a forged source IP address (the victim's), causing the server to return the amplified responses to the spoofed address and exhaust the bandwidth allocated to the target.

The amplification technique was published in a research paper in August 2021, which showed that malicious actors could exploit middleboxes such as firewalls via TCP to magnify denial of service attacks.  

UDP reflection vectors have traditionally been used in DoS amplification attacks because of the protocol's connectionless nature. The novel approach instead exploits TCP non-compliance in middleboxes such as deep packet inspection (DPI) tools to launch TCP-based reflective amplification attacks.

The first wave of this novel campaign is said to have occurred around February 17, targeting Akamai customers across banking, travel, gaming, media, and web hosting industries with high amounts of traffic that peaked at 11 Gbps at 1.5 million packets per second (Mpps).  

"The vector has been seen used alone and as part of multi-vector campaigns, with the sizes of the attacks slowly climbing," Chad Seaman, lead of the security intelligence research team (SIRT) at Akamai, explained.  

The basic idea of TCP-based reflection is to exploit the middleboxes used to enforce censorship laws and enterprise content-filtering policies by sending specially crafted TCP packets that trigger a volumetric response. In some cases, Akamai noted, a single SYN packet with a 33-byte payload triggered a 2,156-byte response, an amplification factor of 65x (6,533%).
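Both the UDP reflection described earlier in this post and the TCP middlebox case reduce to the same measurable quantity: how many bytes a responder emits per byte it receives. The following added example (written for this page, not Akamai's tooling) computes that ratio, reproduces the 33-byte SYN to 2,156-byte reply figure from the text, and scans a handful of constructed flow records for responders that amplify, labelling a large reply to a bare SYN as the TCP non-compliance signal the passage describes. The responder addresses, the non-Akamai byte counts and the detection threshold are all constructed.

```python
# Constructed flow records as a network operator might export them from a
# responder-side vantage point: one inbound request and the bytes it drew.
# The 33 -> 2,156 byte pair uses the figures Akamai reported; the rest are
# made up for contrast.
SAMPLE_FLOWS = [
    {"responder": "192.0.2.10", "proto": "tcp", "tcp_flags": "S",
     "request_bytes": 33, "response_bytes": 2156},   # middlebox reflection
    {"responder": "192.0.2.53", "proto": "udp", "dst_port": 53,
     "request_bytes": 60, "response_bytes": 3000},   # oversized DNS reply
    {"responder": "192.0.2.80", "proto": "tcp", "tcp_flags": "PA",
     "request_bytes": 400, "response_bytes": 1200},  # ordinary HTTP exchange
    {"responder": "192.0.2.22", "proto": "tcp", "tcp_flags": "S",
     "request_bytes": 60, "response_bytes": 60},     # compliant SYN / SYN-ACK
]


def amplification_factor(request_bytes, response_bytes):
    """Bytes returned per byte sent. Akamai's 33 -> 2,156 case gives ~65.33."""
    if request_bytes <= 0:
        raise ValueError("request_bytes must be positive")
    return response_bytes / request_bytes


def amplification_percent(request_bytes, response_bytes):
    """The same ratio as a whole percentage, rounded down (65.33x -> 6533%)."""
    return int(amplification_factor(request_bytes, response_bytes) * 100)


def classify_flow(flow):
    """Name the reflection signal a flow exhibits, if any.

    A compliant TCP stack answers a bare SYN with a SYN-ACK of about the same
    size, so a large reply to a lone SYN points at a non-compliant middlebox.
    A large UDP reply to a small query is the classic UDP reflection signal.
    """
    if flow["proto"] == "tcp" and flow.get("tcp_flags") == "S":
        return "tcp-middlebox"
    if flow["proto"] == "udp":
        return "udp-reflection"
    return "tcp-other"


def find_amplifiers(flows, min_factor=10.0):
    """Return (responder, signal, factor) for flows whose reply is at least
    min_factor times the request. min_factor is a constructed threshold; an
    operator would tune it so ordinary request/response traffic stays below it."""
    hits = []
    for f in flows:
        factor = amplification_factor(f["request_bytes"], f["response_bytes"])
        if factor >= min_factor:
            hits.append((f["responder"], classify_flow(f), round(factor, 2)))
    return hits


def attacker_bandwidth_needed(target_rate_bps, factor):
    """Bandwidth an attacker must source to land target_rate_bps on a victim
    through reflectors with the given factor (the passage's '1/75th' point)."""
    return target_rate_bps / factor


if __name__ == "__main__":
    print(amplification_factor(33, 2156), amplification_percent(33, 2156))
    for hit in find_amplifiers(SAMPLE_FLOWS):
        print(hit)
```

On a real export the request and response bytes come from paired flow records rather than one dict; the ratio logic is unchanged. Responders that show up as amplifiers are candidates for egress filtering or for the middlebox's own configuration review, not targets.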

"The main takeaway is that the new vector is starting to see real world abuse in the wild. Typically, this is a signal that more widespread abuse of a particular vector is likely to follow as knowledge and popularity grows across the DDoS landscape and more attackers begin to create tooling to leverage the new vector," Seaman explained.

Log4Shell Utilized for Crypto Mining and Botnet Creation

 

The serious flaw in Apache's widely used Log4j project, known as Log4Shell, hasn't caused the calamity predicted, but it is still being exploited, primarily from cloud servers in the United States. Because it was relatively straightforward to exploit, and because the Java logging library is embedded in many different services, the Log4Shell vulnerability drew attention over concerns that it would be widely abused by attackers.

According to a Barracuda study, the targeting of Log4Shell has fluctuated over the last few months, but the frequency of exploitation attempts has remained pretty stable. Barracuda discovered the majority of exploitation attempts originated in the United States, followed by Japan, Central Europe, and Russia. 

Log4Shell was disclosed in December 2021 in Log4j version 2.14.1; all prior versions were reportedly also vulnerable to CVE-2021-44228, a critical zero-day remote code execution bug.

Log4j's maintainer, Apache, attempted to fix the problem by releasing version 2.15.0. However, further vulnerabilities and security flaws prolonged the patching race until the end of the year, when version 2.17.1 ultimately fixed all issues.
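The version history above is what a defender needs to turn an inventory of deployed jars into a patch list. The following added example (written for this page, not an Apache tool) encodes exactly the cut-offs the text gives: anything below 2.15.0 is vulnerable to CVE-2021-44228, 2.15.0 up to but excluding 2.17.1 is only partially patched, and 2.17.1 or later is patched. It parses version strings, classifies them, and scans a constructed list of jar paths; the scan looks only at log4j-core jars, the artifact that carries the affected code. The file paths are constructed, and the classifier knows nothing about releases newer than the ones the article names.

```python
import re

# Constructed inventory of jar paths, as a dependency scan might list them.
SAMPLE_JARS = [
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/app/lib/log4j-api-2.14.1.jar",          # API jar, not the vulnerable core
    "/srv/web/WEB-INF/lib/log4j-core-2.15.0.jar",
    "/srv/batch/lib/log4j-core-2.17.1.jar",
    "/srv/legacy/lib/log4j-1.2.17.jar",           # 1.x line, outside this history
]

FIRST_FIX = (2, 15, 0)   # Apache's first attempted fix
FULL_FIX = (2, 17, 1)    # the release the article says closed all issues

CORE_JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); raises ValueError on anything else so a
    malformed version is never silently treated as patched."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version):
    """Classify a Log4j version against the fix history in the article."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    if v[0] != 2:
        return "not-2.x"              # 1.x has its own history; review separately
    if v < FIRST_FIX:
        return "vulnerable"           # CVE-2021-44228 applies (2.14.1 and earlier)
    if v < FULL_FIX:
        return "partially-patched"    # 2.15.0 .. 2.17.0: follow-up flaws remained
    return "patched"                  # 2.17.1 or later


def scan_jar_paths(paths):
    """Return (path, version, status) for every log4j-core jar in paths.
    Non-core jars such as log4j-api are skipped; they do not carry the
    affected lookup code."""
    findings = []
    for p in paths:
        m = CORE_JAR_RE.search(p)
        if m:
            version = ".".join(m.groups())
            findings.append((p, version, classify(version)))
    return findings


if __name__ == "__main__":
    for finding in scan_jar_paths(SAMPLE_JARS):
        print(*finding)
```

Filename-based scanning misses shaded or renamed jars, so on a real host it is a first pass to be followed by inspecting jar contents; the version cut-offs, however, stay the same.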

Mirai malware builds a botnet of remotely controlled bots by targeting publicly exposed network cameras, routers, and other devices. The threat actor can then use this botnet to launch DDoS attacks on a single target, exhausting its resources and disrupting any online services. The malicious actors behind these operations either rent the botnet's firepower to others or undertake DDoS attacks to extort money from businesses. Other payloads that have been observed as a result of current Log4j exploitation include:

  • BillGates (DDoS)
  • Kinsing (cryptominer)
  • XMRig (cryptominer)
  • Muhstik (DDoS)

The payloads range from harmless online jokes to crypto-mining software, which uses other people's computers to mine cryptocurrency such as Monero for the attacker.

The simplest way to protect against these attacks is to update Log4j to version 2.17.1 or later and to keep all web applications up to date. Even if the bulk of threat actors lose interest, some will continue to target vulnerable Log4j deployments since their numbers are still significant.

Security updates have been applied at high-value firms that were lucrative targets for ransomware attacks, but neglected systems running earlier versions remain good targets for crypto mining and DDoS attacks.

Viasat Claims Delay on a "Cyber Event"

 

Viasat Inc., an American communications provider, claims its satellite internet services in Ukraine and Europe are being disrupted by a "cyber incident." 

Based in Carlsbad, California, Viasat offers high-speed satellite broadband access and secure networking systems to military and commercial customers throughout the United States and around the world. The affected service stems from Viasat's purchase of the Ka-SAT satellite from its launcher and former owner, Eutelsat, in April 2021.

"While we attempt to restore service to affected consumers, we're also looking into and evaluating our European network and systems to figure out what's causing the problem. We're also putting further network safeguards in place to avoid any further consequences," the company stated. 

According to the firm, the interruption began on February 24, the day Russia invaded Ukraine, and it has contacted "law enforcement and government partners," adding that it had "no indication that consumer data is implicated." Another ISP, Germany-based EUSANET, said in a statement to PaxEx.Aero that it was suffering problems as well. 

An insider told British news channel Sky News that the interruptions were triggered by a distributed denial of service (DDoS) attack. The number of Viasat users in Ukraine is unknown, and the firm has declined to specify how many are affected. Subsequently, Viasat's stock was up 3.5 percent in lunchtime trade Monday, trading at around $45. 

To maximize its service area, Viasat operates huge satellites in geosynchronous orbit, which means they appear stationary from a fixed point on Earth at a distance of roughly 35,000 kilometers.

This is the conventional method of providing broadband access from space, but a number of businesses, including SpaceX's Starlink, are investing in constructing networks in low-Earth orbit which use hundreds or thousands of satellites.

DDoS Assaults on Ukrainian Banking Elite have Resumed Yet Again


Cyberattacks took down Ukrainian official and bank websites, prompting the government to declare a statewide state of emergency amid growing fears that Russian President Vladimir Putin could launch a full-scale military invasion of Ukraine. According to Internet monitor NetBlocks, the onslaught knocked out the websites of Privatbank (Ukraine's largest bank) and Oschadbank (the State Savings Bank) and brought down Ukrainian government sites as well. 

"At around 4 p.m., another massive DDoS attack on the state commenced. We have relevant data from several banks," stated Mykhailo Fedorov, Minister of Digital Transformation, who also mentioned that the parliament website had been hacked. Ukrainian authorities had warned earlier this week that hackers were preparing large attacks on government organizations, banks, and the defense sector. 

SSSCIP and other national cybersecurity authorities in Ukraine are currently "working on countering the assaults, gathering and evaluating information." According to the Computer Emergency Response Team of Ukraine (CERT-UA), the attackers used DDoS-as-a-Service platforms and numerous bot networks, including Mirai and Meris, to carry out the DDoS attacks on February 15th. The DDoS attacks were traced to Russia's Main Directorate of the General Staff of the Armed Forces on the same day, according to the White House. 

"We have technical information indicating ties to the Russian main intelligence directorate, or GRU," Deputy National Security Advisor for Cyber Anne Neuberger stated. "Known GRU infrastructure was spotted delivering huge volumes of communication to Ukraine-based IP addresses and domains." 

Neuberger went on to say that, despite their "limited impact," the strikes can be considered as "setting the framework" for more disruptive attacks, which could coincide with a possible invasion of Ukraine's territory. 

The UK government also blamed Russian GRU hackers for the DDoS strikes last week which targeted Ukrainian military and state-owned bank websites. According to a press release from Ukraine's Security Service (SSU), which also had its website hacked, the country is under attack from a "huge wave of hybrid warfare." The SSU announced earlier this month that, during January 2022, it stopped over 120 cyberattacks aimed at Ukrainian governmental entities.

Carpet Bombing DDoS Attacks Increased in 2021

 

In a carpet bombing attack, DDoS traffic is spread across many different IP addresses of one company within a short span of time. Such attacks accounted for 44% of all attacks last year, but the difference between the first and second half of 2021 is huge: carpet bombing made up 34% of the attacks resolved in Q1 and Q2, then rose to 60% and 56% of attacks in Q3 and Q4 respectively. The longest attack recorded lasted 9 days, 22 hours, and 42 minutes, although most attacks were over within minutes. Around 40% of the attacks observed by the SOC in 2021 occurred in the first quarter. 
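The defining trait described above, moderate traffic sprayed over many hosts of one target block so that no single destination trips a volume threshold, is what a detector has to key on. The following added example (not code from the original post or the report it cites) runs a per-/24 detector beside a conventional per-host volume check over constructed flow records; the window and threshold values are assumptions for illustration.

```python
"""
Carpet-bombing DDoS detection over constructed flow records (added example).
A classic volumetric flood concentrates on one destination IP, so a per-host
byte threshold catches it. Carpet bombing spreads moderate traffic across many
addresses of the same target block, so the per-host check stays silent; the
detector below instead aggregates per (destination /24, time window) and
alerts when many distinct hosts in one block are hit by many sources at once.
"""
from collections import defaultdict
from ipaddress import ip_interface

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, bytes).
# Addresses come from the RFC 5737 documentation ranges.
ATTACK_SRCS = ["198.51.100.7", "198.51.100.23", "203.0.113.4", "203.0.113.90"]


def _burst(start, srcs, dsts, nbytes):
    """Every source sends one flow to every destination within a few seconds."""
    pairs = [(s, d) for s in srcs for d in dsts]
    return [(start + (i % 5), s, d, nbytes) for i, (s, d) in enumerate(pairs)]


FLOWS = (
    # 1. carpet bombing: 50 KB per flow sprayed over twelve hosts of 192.0.2.0/24
    _burst(1000, ATTACK_SRCS, [f"192.0.2.{h}" for h in range(1, 13)], 50_000)
    # 2. classic single-target flood: the same sources hammer one host
    + [(2000 + i, ATTACK_SRCS[i % 4], "192.0.2.200", 1_200_000) for i in range(40)]
    # 3. ordinary traffic: two clients talk to three servers in the same block
    + _burst(3000, ["192.0.2.250", "198.51.100.99"],
             ["192.0.2.10", "192.0.2.11", "192.0.2.12"], 4_000)
)


def block_of(ip):
    """Map an address to its /24 network as a string, e.g. '192.0.2.0/24'."""
    return str(ip_interface(f"{ip}/24").network)


def detect_carpet_bombing(flows, window=60, min_hosts=8, min_sources=3):
    """
    Aggregate flows per (destination /24, window) and return one alert dict per
    bucket in which at least `min_hosts` distinct destination hosts received
    traffic from at least `min_sources` distinct sources (assumed thresholds).
    """
    buckets = defaultdict(lambda: {"hosts": set(), "sources": set(), "bytes": 0})
    for ts, src, dst, nbytes in flows:
        b = buckets[(block_of(dst), (ts // window) * window)]
        b["hosts"].add(dst)
        b["sources"].add(src)
        b["bytes"] += nbytes
    alerts = []
    for (block, start), b in sorted(buckets.items()):
        if len(b["hosts"]) >= min_hosts and len(b["sources"]) >= min_sources:
            alerts.append({"block": block, "window_start": start,
                           "hosts": len(b["hosts"]), "sources": len(b["sources"]),
                           "bytes": b["bytes"]})
    return alerts


def single_target_floods(flows, window=60, min_bytes=10_000_000):
    """Conventional per-destination volume check, for contrast: it flags the
    classic flood but never the spread-out carpet-bombing burst."""
    volume = defaultdict(int)
    for ts, _src, dst, nbytes in flows:
        volume[(dst, (ts // window) * window)] += nbytes
    return sorted((dst, start, total) for (dst, start), total in volume.items()
                  if total >= min_bytes)


if __name__ == "__main__":
    print("carpet bombing:", detect_carpet_bombing(FLOWS))
    print("single-target floods:", single_target_floods(FLOWS))
```

Run as a script, the carpet-bombing burst shows up only in the first detector and the single-target flood only in the second, which is exactly why both views are needed.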

The figures dropped in the second and third quarters before rising again in the fourth quarter. "The domain name system (DNS) has long been a popular target for DDoS attacks, both as an amplification vector and as a direct target, as well as for other types of exploits," reports Helpnet Security. The nature of the attacks also changed compared to the past few years. Single-vector attacks accounted for 54% of attacks in 2021, compared with 5% in 2020, indicating a larger number of active attackers. The number of attacks using more than four vectors also increased, reaching a record 4% of total attacks; once an attacker gets that serious, it becomes difficult for victims to protect themselves. 

Botnets continued to play the main part in DDoS attacks in 2021, and security experts are discovering new botnets and command and control (C2) servers every day. The highest-profile botnet of 2021 was Meris, which uses HTTP pipelining to bombard websites and web applications with very large numbers of requests per second. The SOC also observed high-intensity amplification DDoS attacks, which use familiar vectors such as DNS and Remote Desktop Protocol (RDP) as well as new variants. 

The report also covers how web applications are exposed on several fronts: threats against web services have risen together with the growth in web application usage, making web applications the top vector in the attacks. "While the vast majority of attacks fell into the 25 gigabits per second (Gbps) and undersize category, and the average attack was just 4.9 Gbps last year, 2021 saw many large-scale attacks as well. The largest measured 1.3 terabits per second (Tbps) and the most intense was 369 million packets per second (Mpps)," reports Helpnet Security.

Russia Suspected of Espionage Against Ukraine Via Two Big Nations

 

On Friday, the White House suspected Russia of being behind recent cyberattacks on Ukraine's defense department and banking institutions. 

The statement by Anne Neuberger, the White House's top cyber official, was the most precise attribution of culpability for the cyber breaches which have occurred as tensions between Russia and Ukraine have risen. Although the attacks this week had a "limited impact" since Ukrainian officials were able to swiftly restore their networks, Neuberger believes the hackers were laying the framework for future devastating intrusions. 

As tensions between Russia and Ukraine rise, Britain has joined the United States in blaming the GRU military intelligence agency for the widespread denial-of-service attacks. The strike, according to the British Foreign Office, "showed a persistent disdain for Ukrainian integrity. This is just another example of Russia's aggressive behavior toward Ukraine."

Russians may also be laying the foundations for more disruptive measures in the event of a Ukrainian invasion. Neuberger remarked, "We expect more destabilizing or damaging cyber action if Russia decides to continue its invasion of Ukraine, and we're working closely with friends and partners to guarantee to be prepared to call out the behavior and respond." 

The United States was publicly criticizing Russia because it needed to "call out the action swiftly." "The international community must be ready to expose harmful cyber operations and hold actors accountable for any disruptive or damaging cybersecurity threats," Neuberger added. 

The widespread denial of service attacks on Tuesday were described by Ukrainian officials as the deadliest in the country's history, and while they certainly affected internet banking, hampered some government-to-public interactions, and were clearly intended to induce fear, their technical impact was limited. "Typical DDoS attacks survive because the defenders are untrained," said Roland Dobbins, DDoS engineer at cybersecurity organization Netscout, adding that most commercial mitigation technologies designed to resist such attacks are ineffective when run by untrained staff.

DDoS Attacks Hit Ukrainian Government Websites

 

DDoS attacks are causing havoc for the Ministry of Defense and the Armed Forces of Ukraine, as well as two of the country's state-owned banks, Privatbank (Ukraine's largest bank) and Oschadbank (the State Savings Bank). 

Bank customers got text messages saying that bank ATMs were down today, according to Ukraine's Cyberpolice, who added that the messages were "part of an information attack and do not correspond to reality." 

The Ukrainian Ministry of Defense, whose website was taken down as a result of the attacks, stated their website was most likely assaulted by DDoS: an excessive number of requests per second was observed. 

"Starting from the afternoon of February 15, 2022, there is a powerful DDOS attack on a number of information resources of Ukraine," Ukraine's State Service for Special Communication and Information Protection added. 

"In particular, this caused interruptions in the work of web services of Privatbank and Oschadbank. The websites of the Ministry of Defense and the Armed Forces of Ukraine were also attacked."

While the Ukrainian defence ministry's website is down, Oschadbank and Privatbank's websites are still up and running, although users are unable to access their online banking. Privatbank users have been experiencing problems with payments and the bank's mobile app, according to the Ukrainian Center for Strategic Communications and Information Security. Some stated that they couldn't get into their Privat24 internet banking accounts, while others said they observed inaccurate balances and recent transactions. 

A traffic geofencing rule was added to Privatbank's web application firewall (WAF), which automatically removed the website's contents for IP addresses outside of Ukraine and displayed a "BUSTED! PRIVATBANK WAF is watching you)" message. 

The Security Service of Ukraine (SSU) stated on Monday that the country is being targeted in a "massive wave of hybrid warfare" aimed at instilling fear in Ukrainians and undermining their faith in the state's ability to safeguard them. The SSU further stated that it has already blocked many such attempts related to hostile intelligence agencies, as well as dismantled bot farms aimed at spreading fear in Ukrainian residents through bomb threats and fake news.  

Attacks on Ukrainian authorities are being coordinated by the Gamaredon hacking organisation (connected to Russia's Federal Security Service (FSB) by Ukrainian security and secret agencies), according to the country's Computer Emergency Response Team. 

A day later, the SSU announced that it has prevented more than 120 cyberattacks aimed at Ukrainian governmental institutions in January 2022. 

Gamaredon has been directing a wave of spear-phishing emails targeting Ukrainian businesses and organisations relevant to Ukrainian issues since October 2021, according to Microsoft.

Microsoft Claims it Countered the Largest-Ever DDoS Attack on Azure Servers

 

Microsoft has experienced a record-breaking 3.47 terabits per second (Tbps) distributed denial of service (DDoS) attack on its Azure servers in Asia. 

According to Azure Networking product manager Alethea Toh, an unnamed Azure user in Asia was targeted with a DDoS attack in November with a throughput of 3.47 Tbps and a packet rate of 340 million packets per second.

The attack originated from roughly 10,000 sources across the globe, including China, South Korea, Russia, Iran, and Taiwan, lasting for 15 minutes. However, it is not the first one of such gigantic scale, as there were two additional assaults, one of 3.25 Tbps and another of 2.55 Tbps in December in Asia.

"In November, Microsoft mitigated a DDoS attack with a throughput of 3.47 Tbps and a packet rate of 340 million packets per second (pps), targeting an Azure customer in Asia. We believe this to be the largest attack ever reported in history," said Alethea Toh. "This was a distributed attack originating from approximately 10,000 sources and from multiple countries across the globe, including the United States, China, South Korea, Russia, Thailand, India, Vietnam, Iran, Indonesia, and Taiwan." 

But this isn't the only large attack Microsoft has had to deal with over the past few months. Last year in December, Microsoft countered two more attacks that surpassed 2.5 Tbps, both of which were focused on customers in Asia. The first of the attacks was a 3.25 Tbps UDP attack, while the other attack was a 2.55 Tbps UDP flood that lasted for just a little over five minutes.

According to Microsoft, these attacks are part of an unprecedented number of attacks seen around the globe over the course of the second half of 2021. In India alone, Microsoft experienced a 30-fold surge in DDoS attacks in October. Additionally, in 2021, Microsoft mitigated 40% more attacks in the second half of the year compared to the first half. On August 10th alone, Microsoft saw a whopping 4,296 attacks. 

The primary reason DDoS attacks have escalated so much during the end of 2021 is related to DDoS "for hire" services, which Microsoft notes, are incredibly cheap these days to acquire, giving attackers more incentive to push more attacks. Despite this, Microsoft has successfully countered every single attack aimed at it thus far. Let's hope the company's team of highly skilled engineers can continue to do so for the foreseeable future.

Nearly Half a Billion Cyberattacks Targeted the Tokyo 2020 Olympic Games

 

The NTT Corporation, which was in charge of supplying a large portion of the network security and telecommunications services for the 2020 Olympic and Paralympic Games in Tokyo this year, claimed that over 450 million attempted cyberattacks occurred throughout the event. Officials from the company have stated that none of the attacks were successful and that the games went off without a hitch. Despite this, the total number of attacks was 2.5 times higher than during the 2012 London Olympics. 

Emotet malware, email phishing, and phoney websites that looked like the official Games sites were among the assault types, according to NTT. NTT further claims that the attacks were successfully thwarted due to 200 cybersecurity professionals who had undergone extensive training and simulations of anticipated attacks before the games. These dangers were not unexpected; the company had anticipated ransomware and Distributed Denial of Service (DDoS) attacks from state-sponsored hackers, as well as strikes against key infrastructure.

"Cybercriminals certainly saw the Games -- and its related supply chain -- as a high-value target with low downtime tolerance. After all, crime follows opportunity. And with connected stadiums, fan engagement platforms, and complete digital replicas of sporting venues and the events themselves becoming the norm, there's plenty of IT infrastructure and data to target -- and via a multitude of components," NTT's Andrea MacLean said. 

NTT released a detailed report on the games, stating that it offered both communication and broadcasting services to connect the Games venues with the Tokyo Big Sight, which served as an International Broadcast Centre. To prepare its cybersecurity team, NTT stated it performed various cybersecurity training programmes and ran simulations ahead of the event. 

However, NTT was not the only organization to foresee the threats. The FBI also issued a private advisory before the event, advising individuals working on the 2020 Olympics to be prepared for possible threats. According to the FBI report, the attacks could include "threats to block or disrupt live broadcasts of the event, steal and possibly hack and leak sensitive data, or impact public or private digital infrastructure supporting the Olympics." 

The FBI's notification went on to mention the Pyeongchang cyberattack in February 2018, when Russian hackers used the OlympicDestroyer malware to destroy web servers during the opening ceremony.

The number of DDoS attacks on Russian companies has increased 2.5 times since the beginning of the year

The press service of Rostelecom reported that the number of DDoS attacks on Russian companies in the first three quarters of 2021 increased 2.5 times compared to the same period last year.

According to the report, “the main targets of the attackers were financial organizations, the public sector, as well as the sphere of online commerce. The number of DDoS attacks on data centers and gaming, which were the focus of hackers a year ago, has decreased”.

The largest number of attacks occurred in Moscow, whose share was 60% of the total number of incidents; the share of any other region did not exceed 7%.

The company added that the number of DDoS attacks on banks increased by 3.5 times, almost 90% of them occurred in September.

The number of DDoS attacks in the online trading segment increased by 20%. The number of DDoS attacks on the public sector also doubled in August and September compared to the same period in 2020.

“Every year, the power and complexity of DDoS attacks increases. This is due to the active use of larger-scale botnets by hackers. They consist of a variety of devices, and more and more vulnerabilities are used to hack them,” said Timur Ibragimov, head of the Anti-DDoS and WAF platform of Solar MSS cybersecurity services at Rostelecom-Solar.

According to him, in particular, in September, the attackers organized the largest DDoS attack using the Meris botnet, the estimated scale of which is 200 thousand devices. “Such attacks are already directed at well-protected organizations and companies whose resources can only be disabled by a very powerful DDoS. For example, it can be banks, large industrial or energy enterprises, etc.,” he added.

It is worth noting that, according to Atlas VPN, the number of DDoS attacks worldwide in the first half of the year increased by 11%, reaching 5.4 million. Thus, the number of attacks in the first half of the year turned out to be a record.

Yanluowang Ransomware Deployed in Latest Attacks

 

Yanluowang (named after one of the ten Chinese rulers of hell, Yanluo Wang) is a newly created ransomware strain that has been identified attacking a high-profile company. 

The Yanluowang ransomware was detected during an incident involving an undisclosed large business, after unusual behavior involving the legitimate AdFind command line Active Directory query tool was identified. Malicious actors frequently use AdFind for reconnaissance, such as gathering the information needed to move laterally across their victims' networks. 

The latest strain was found by Broadcom's Symantec Threat Hunter Team, and at first look it stands out because of its unusual name, which is derived from the Chinese deity Yanluo Wang, the god of death and ruler of the fifth court of Diyu (the Chinese hell) in Chinese mythology. The choice of this specific name appears to be connected to the extension it uses for the files it encrypts on afflicted computers. 

Within days of the investigators finding the suspicious AdFind activity, the attackers tried to distribute their ransomware payloads throughout the compromised organization's networks. Before deploying the ransomware on compromised computers, the threat actors ran a malicious precursor tool that does the following: it creates a .txt file listing the remote computers to be checked, as specified on the command line; it uses Windows Management Instrumentation (WMI) to obtain a list of processes running on the remote computers named in that .txt file; and finally it logs all of the processes and remote machine names to processes.txt. 

Once the ransomware is launched, it suspends the hypervisor's virtual machines, terminates the processes harvested by the precursor tool (including SQL and Veeam), and encrypts files, appending the ".yanluowang" extension. 

On the compromised machine, the Yanluowang gang typically leaves a README.txt ransom note advising victims not to approach law authorities or ransomware negotiation firms. 

Violations of the attacker's regulations will lead to threat actors launching distributed denial of service (DDoS) attacks against the targets and contacting workers and business partners. They also threaten to replicate the procedure in a few weeks and erase the victim's data, which is a typical tactic used to coerce victims into paying ransoms.