Search This Blog

Showing posts with label DDOS Attacks. Show all posts

Extended DDoS Attack With 25.3B+ Requests Thwarted

 

On June 27, 2022, the cybersecurity firm Imperva mitigated a DDoS attack with over 25.3 billion requests. The attack, according to experts, sets a new record for Imperva's application DDoS mitigation solution. The attack, which targeted an unnamed Chinese telecommunications company, was notable for its duration, lasting more than four hours and peaking at 3.9 million RPS. 

“On June 27, 2022, Imperva mitigated a single attack with over 25.3 billion requests, setting a new record for Imperva’s application DDoS mitigation solution” reads the announcement. “While attacks with over one million requests per second (RPS) aren’t new, we’ve previously only seen them last for several seconds to a few minutes. On June 27, Imperva successfully mitigated a strong attack that lasted more than four hours and peaked at 3.9 million RPS.”

The Chinese telecommunications company had previously been targeted by large attacks, and experts added that two days later, a new DDoS attack hit its website, albeit for a shorter period of time. This record-breaking attack had an average rate of 1.8 million RPS. To send multiple requests over individual connections, threat actors used HTTP/2 multiplexing or combining multiple packets into one.

The attackers' technique is difficult to detect and can bring down targets with a limited number of resources.

“Since our automated mitigation solution is guaranteed to block DDoS in under three seconds, we estimate that the attack could have reached a much greater rate than our tracked peak of 3.9 million RPS.” continues Imperva.

This attack was launched by a botnet comprised of nearly 170,000 different IP addresses, including routers, security cameras, and compromised servers. The compromised devices can be found in over 180 countries, with the majority of them in the United States, Indonesia, and Brazil.

Akamai mitigated the largest DDoS attack ever against one of its European customers on Monday, September 12, 2022. The malicious traffic peaked at 704.8 Mpps and appears to be the work of the same threat actor as the previous record, which Akamai blocked in July and hit the same customer.

Akamai Sighted an Evolving DDoS attack in EU

 

The most recent DDoS attack record was set by Akamai in July, but it was surpassed on Monday, September 12, by a fresh attack. 

In a DDoS attack, cybercriminals flood servers with fictitious requests and traffic to block legitimate users from using their services.

According to the cybersecurity and cloud services provider Akamai, the recent attack looks to be the work of the same threat actor, indicating that the operators are now strengthening their swarm.

European businesses were the main targets of the current attack, according to Akamai. It peaked at 704.8 million packets per second, making it the second attack of this size against the same client in as few as three months and around 7% more powerful than the attack in July.

Prior to June 2022, this user primarily experienced attack traffic against the principal data center, as per Craig Sparling of Akamai. Six data center locations were hit by the threat actors' firepower in Europe and North America.

The day after it was discovered, the attack was stopped. This DDoS attack, while not the biggest ever, was notable because it was the biggest one on European organizations. The DDoS attack vector utilized by the attackers included UDP, along with ICMP, SYN, RESET floods, TCP anomaly, and PUSH flood.

The multidestination attack was immediately launched by the attackers' command and control system, increasing the number of active IPs per minute from 100 to 1,813 in just 60 seconds.

This expansion of the targeting area attempts to attack resources that aren't deemed essential and aren't effectively safeguarded, but whose absence will still be problematic for the company.

Published in July, the company saw 74 DDoS attacks, and 200 or more were added later. The business claimed that this campaign shows how hackers are always enhancing their attack methods to avoid detection. 

However, because the particular organization had safeguarded all 12 of its data centers in response to the July incident, 99.8% of the malicious traffic was already pre-mitigated.

The security company Akamai concluded, that having a solid DDoS mitigation platform and plan in place is essential for protecting your company from disruption and downtime.





Lorenz Ransomware: Network Breach via VoIP

A ransomware group has been spotted adopting a unique initial-access technique to infiltrate commercial phone systems using voice-over-IP (VoIP) devices before switching to corporate networks to carry out double-extortion operations.

The anonymous organization was affected by the Lorenz ransomware strain, according to a team at Arctic Wolf. 

Lorenz Ransomware 

The Lorenz encryptor is similar to the ones employed by a prior ransomware operation known as ThunderCrypt, according to Michael Gillespie of ID Ransomware.

This gang is also known for providing access to its targets' private systems to other hackers along with the material that has been stolen prior to encryption in order to lure its victims into paying a ransom.

After leaking the stolen material as password-protected RAR archives if ransoms are not paid, Lorenz also divulges the password to open the leaked archives, giving the general public access to the files.

VoIP Threats

According to Arctic Wolf researchers, Lorenz used the bug to gain a reverse shell, and the group then used Chisel, a Golang-based rapid TCP/UDP tunnel that is transmitted through HTTP, as a tunneling tool to infiltrate the corporate environment. According to the GitHub page, "the tool is mostly useful for going through firewalls."

The attacks demonstrate a shift by threat actors toward using 'lesser recognized or monitored assets' to gain access to networks and engage in additional criminal behavior, the researchers further told. 

CrowdStrike published a blog post about the Mitel vulnerability and a possible ransomware attack attempt using the same CVE back in June. Since then, Mitel has patched this crucial zero-day flaw and recommended all users do the same. After providing a remediation script for vulnerable MiVoice Connect versions in April, Mitel resolved the problem by delivering security updates in the first half of June 2022.

The hackers then shifted into the network using the free source TCP tunneling application Chisel. Following initial access, the group waited for over a month before moving laterally, using FileZilla to exfiltrate data, and encrypting ESXi systems with BitLocker and Lorenz ransomware.

Considering that Mitel Voice-over-IP (VoIP) brands are used by businesses in crucial industries around the world including government agencies and that over 19,000 devices are currently vulnerable to attacks over the Internet, according to security expert Kevin Beaumont, this is a significant addition to the gang's toolkit.

Threat actors have used record-breaking DDoS amplification assaults to exploit further security holes affecting Mitel devices. Since at least December 2020, the Lorenz ransomware group has been focusing on enterprises all across the world, extorting hundreds of thousands of dollars from each victim.








Killnet Targets Japanese Government Websites

According to investigation sources on Wednesday, the Tokyo Metropolitan Police Department intends to look into the recent website outages of the Japanese government and other websites that may have been brought on by cyberattacks by a Russian hacker organization.  

As per Chief Cabinet Secretary Hirokazu Matsuno, the government is apparently investigating if issues with the aforementioned sites were brought on by a denial-of-service (DDoS) attack. 

As per experts, access to the government's e-Gov portal website, which provides a wealth of administrative information, temporarily proved challenging on Tuesday.  

The pro-Russian hacker collective Killnet claimed responsibility for the attack and alleged it had attacked the electronic system of the tax authority and Japan's online public services in a post on the messaging app Telegram. Furthermore, it appeared that the hacker collective wrote that it was an uprising over Japan's 'militarism' and that it kicked the samurai. 
 
However, as per Sergey Shykevich, manager of Check Point Software's threat intelligence group, Killnet was likely responsible for these attacks.  

Killnet's justification for these strikes, according to Shykevich, "is owing to Japan's support of Ukraine in the ongoing Russia-Ukraine war, as well as a decades-long dispute over the Kuril Islands, which both sides claim control over."

As per the sources, the MPD will look into the cases by gathering specific data from the affected businesses and government bodies. The National Police Agency will assess whether the hack on the e-Gov website qualified as a disruption that materially impairs the operation of the government's primary information system as defined by the police statute, which was updated in April.

The cybersecurity expert added that firms in nations under attack by Killnet should be aware of the risks because the group employs a variety of tactics, such as data theft and disruptive attacks, to achieve its objectives. 

Following a recent large-scale attack by Killnet on websites in Italy, Lithuania, Estonia, Poland, and Norway, there have been allegations of attacks targeting Japanese government websites.





 Bogus DDoS Protection Alerts Distribute RATs

Researchers from Sucuri cautioned that malware distributors are luring users into downloading and running malware on their computers by taking advantage of their expertise and innate trust in DDoS protection pages.

DDoS protection alerts are web pages that users' browsers deliver when checks are made to ensure that the visitor is actually a human and not a bot or a DDoS assault participant.

Tactics of the scam 

These warnings would appear to be an inconvenience, but their sole purpose was to serve as preliminary checks before the user accessed the intended web page. They are also important to ensure malicious traffic is blocked before it reaches its objectives.

The attacks start with a malicious JavaScript injection intended to target WordPress sites, which causes a bogus Cloudflare DDoS protection pop-up, according to Sucuri's experts.

When the user clicks on the bogus popup, an ISO file containing a remote access trojan (RAT) is downloaded onto their machine. In addition, the victim is told to open the file to get a verification code needed to access the target website.

The NetSupport RAT, RaccoonStealer information stealer, and two more payloads were seen being dropped by the ISO file.

The RAT is frequently used to screen victims before the distribution of ransomware and has been related to FakeUpdates/SocGholish. According to Malwarebytes researcher Jerome Segura, the ISO file contains a shortcut that pretends to be executable and executes PowerShell from another text file.

NetSupport RAT, which was at first a genuine program called NetSupport Manager, gives hackers remote access to the victim's computer, allowing them to install more malware, steal sensitive data, or even entangle the system in a botnet.

As website owners struggle to distinguish genuine visitors from the voluminous bot traffic, these have grown in popularity in recent years.

"Remote access trojans (RATs) are among the most harmful infections a computer can contract as they offer the attackers total control of the system. The victim is now entirely at their mercy. Both site owners and visitors can take all necessary safety procedures", as per Sucuri.

Users are advised to avoid downloading and opening odd files, update their operating system and applications frequently and consider installing a script-blocking browser extension.




Russian-Linked Hackers Target Estonia

 

In response to the government's removal of a monument honoring Soviet World War II veterans, a pro-Kremlin hacker group launched its greatest wave of cyberattacks in more than ten years, which Estonia successfully repelled.

Luukas Ilves, Estonia's under-secretary for digital transformation at the Ministry of Economic Affairs and Communications, stated that "yesterday saw the most significant cyberattacks against Estonia since 2007".

According to reports, the former Soviet state removed a Red Army monument from Tallinn Square this week, and the eastern city of Narva also got rid of a Soviet-era tank. After Russia invaded Ukraine, the authorities vowed to remove hundreds of these monuments by the end of the year.

On Wednesday, the Russian hacker gang Killnet claimed responsibility for the attacks and stated a wave of DDoS attacks have allegedly been launched against the 200 websites of public and private sector organizations in response, including an online citizen identity system. 

A replica Soviet Tu-34 tank from World War II was taken off the public display on Tuesday in the town of Narva, close to Estonia's border with Russia, and brought to the Estonian War Museum in Viimsi, according to Killnet, which claimed responsibility for a similar attack against Lithuania in June.

It's worth noting as based on sources, that the DDoS attacks timed with a Russian media fake news campaign alleging that the Estonian government was destroying Soviet war graves. The country's ethnic Russians reportedly rioted as a result of this.

Estonia's Cybersecurity 

According to the National Cyber Security Index, the nation has a 17 percentage point advantage over the average for Europe and is placed third in the ITU Global Cybersecurity Index 2020. 

After experiencing significant DDoS attacks on both public and private websites in 2007, Estonia, a country that is a member of the European Union and NATO, took steps to strengthen its cybersecurity. It attributed these attacks to Russian actors who were enraged over the removal of another Soviet-era monument at the time.

The nation's e-government services, along with other industries including banking and the media, were significantly disrupted throughout the weeks-long campaign. The dismantling of a monument honoring the Soviet Red Army also sparked the attacks.

The Tallinn memorial served as a grim reminder of Estonia's 50 years of Soviet captivity to the government and many Estonians, while other ethnic Russians saw its removal as an attempt to obliterate their past. 

The incident did, however, motivate the government to step up its cybersecurity efforts, and as a result, it is today thought to have one of the best defensive positions of any international government.











FortiGuard Labs: Evolving RapperBot IoT Malware Detected

Since June, FortiGuard Labs has been monitoring the "RapperBot" family of revolving IoT malware. Although the original Mirai source code was greatly influenced by this family, it differs from other IoT malware families in that it has the capacity to brute force credentials and connect to SSH servers rather than Telnet, which was how Mirai implemented it. 

The malware is alleged to have gathered a series of hacked SSH servers, with over 3,500 distinct IP addresses used to scan and brute-force its way into the servers. The malware is named from an encoded URL to a YouTube rap music video in an early draft.

Analysis of the malware

According to the Fortinet analysis, the majority of the malware code implements an SSH 2.0 client that can connect to and brute force any SSH server that supports Diffie-Hellmann key exchange with 768-bit or 2048-bit keys and data encryption using AES128-CTR.

RapperBot turned out to be a Mirai fork with unique features, its own command and control (C2) protocol, and unusual post-compromise for a botnet. RapperBot was created to target ARM and MIPS and has limited DDoS capabilities.

The attempt to create durability on the compromised host, which effectively allows the hacker to keep ongoing access long after the malware has been uninstalled or the unit has been restarted, serves as further proof of how Mirai has deviated from its usual behavior.

RapperBot used a self-propagation technique via a remote binary downloader, which was eliminated by the hackers in mid-July, as per Fortinet researchers who watched the bot and proceeded to sample new variants.

The recent versions in circulation at the time included a shell command that switched the victim's SSH keys for the hackers. A unique file named "/.ssh/authorized keys" is used to get access by inserting the operators' SSH public key. This enables the attacker to log in and authenticate to the server using the associated private key without providing a password.

The root user "suhelper" is added by the bot to the compromised endpoints in the most recent samples that the researchers have examined. The bot also sets up a Cron job to add the user again every hour if an administrator finds the account and deletes it.

Observations 

As per Fortinet, analysts observed no new post-compromise payloads transmitted during the monitoring time, so the virus simply lays dormant on the affected Linux systems. 

Despite the botnet abandoning self-propagation in favor of persistence, it is said that the botnet underwent substantial alterations in a short period of time, the most notable of which being the removal of DDoS attack elements from the artifacts at one point, only to be reinstated a week later.

At best, the campaign's ultimate goals are still unclear, and little more action is taken after a successful compromise. It is evident that SSH servers with pre-configured or easily guessable credentials are being gathered into a botnet for some unknown future use.

Users should set secure passwords for their devices or, turn off password authentication for SSH to protect themselves from such attacks.

Windows 11: Account Lockout Policy Set Against Brute Force Attacks

Brute force exploits are injected into ransomware and other sorts of unauthorized access since they typically rely on automated methods to test a massive amount of passwords for one or more user accounts. 

Beginning with Insider Preview version 22528.1000, Windows 11 automatically mitigates such exploits by capping the number of unsuccessful sign-in attempts at 10, for a period of 10 minutes.

"In order to reduce RDP and other brute force password vectors, DEFAULT account lockout policy is now enabled in Win11 builds. The command will make brute forcing more tricky, which is decent. This technique is frequently used in Human Operated Ransomware and other attacks," stated David Weston, vice president of OS and enterprise security at Microsoft.

Setting Lockout Policy

By establishing a threshold of between 1 and 999 failed sign-in attempts that would cause a user account to be locked, IT security professionals already had the option of preventing brute force attacks using the account lockout policy.

The Account lockout threshold policy enables configuring the maximum number of unsuccessful sign-in attempts before a user account is locked. Once locked, an account cannot be used again until the administrator unlocks it or until the time period provided by the Account lockout duration policy setting has passed. 

It suggested restricting the account lockout time to no more than 15 minutes and setting the account lockout threshold to a high enough number to cater to users mistakenly mistyping their passwords.

However, the reset account lockout countdown will eventually run out, giving the user three more opportunities if they wait and try to log in again the following day, effectively making it appear as though there have been no failed logins.

The effectiveness of brute force attacks is considerably reduced by restricting the amount of password entry tries, but Microsoft warns that threat actors could abuse this security feature to perform denial-of-service (DoS) attacks by locking multiple user accounts in an enterprise.


Italy Alerts Organizations of Incoming DDoS Attacks

 

On Monday, Italy's Computer Security Incident Response Team (CSIRT) issued an urgent warning about the significant threat of cyberattacks against national entities. The Italian organisation is referring to a DDoS (distributed denial-of-service) cyberattack, which may not be catastrophic but can nonetheless cause financial and other harm due to service failures and interruptions. 

“There continue to be signs and threats of possible imminent attacks against, in particular, national public entities, private entities providing a public utility service or private entities whose image is identified with the country of Italy,” describes the public alert. 

The indicators are Telegram postings from the Killnet organisation inciting massive and unprecedented assaults on Italy. Killnet is a pro-Russian hacktivist group that launched an attack on Italy two weeks ago, employing an ancient but still powerful DDoS technique known as 'Slow HTTP.' As a result, CSIRT's advised defensive actions this time are related to this sort of assault but also contain numerous generic pieces of advice. 

Last Tuesday, Killnet announced "Operation Panopticon," appealing for 3,000 "cyber fighters" to join in 72 hours. Last week, the group restated the call to action multiple times. The necessary sign-up form requests information on the volunteers' system, origin, age, and Telegram account, as well as the tools needed to launch resource-depletion attacks. 

While DDoS appears to be the primary purpose, it is possible that Killnet intends to utilise DDoS to force defences to cope with service outages rather than active cyberattacks. Killnet presented an etymology definition of the word Panopticon, implying data leaks and warning that 90% of the country's officials will 'go crazy.' 

Killnet's recent targeting of entities in numerous countries, Italy among them, for backing Ukraine's resistance against Russia has resulted in the group's targeting of Italian groups. This prompted Anonymous Italy to take action, launching attacks on Killnet and doxing some of its members via social media. As a result, Killnet retaliated. 

The CSIRT Italy website was intermittently inaccessible at the time of writing, but no long-term connection difficulties were observed. There have also been reports of Poste Italiane, Italy's national postal service provider, going down for many hours this morning. 

However, the agency told la Repubblica that the disruption was caused by a software upgrade that did not proceed as planned, rather than by Killnet assaults. Other local media sources that regularly monitor the availability of Italian sites claim that the web portals of the State Police and the Italian Ministries of Foreign Affairs and Defense are also unavailable. At the time of writing, the sites of the two ministries appear to have been damaged by a DDoS assault, according to BleepingComputer.

Russian Sberbank: Facing Massive Waves of DDoS Attacks

 

Sberbank, Russia's banking and financial services company, has been the target of unprecedented hacking attacks. The bank was hit by the largest distributed denial-of-service (DDoS) attack in its history earlier this month. Thousands of internet users have been targeting Sberbank in recent months, according to Sergei Lebed, vice president and director of cybersecurity at Sberbank, who spoke to the audience at the Positive Hack Days conference. 

Sberbank is Russia's largest financial institution and Europe's third-largest, with total assets exceeding $570 billion. Following Russia's invasion of Ukraine, the entity was among the first to be sanctioned, and its operations on the European continent have been severely limited as a result. Since the beginning of the crisis in February, hackers aligned with Ukraine have targeted Sberbank. 

This action, according to the bank, is ongoing. waves of agressive attacks Sberbank claims to have repelled the most significant DDoS attack it has ever witnessed on May 6, 2022, with a rate of 450GB/sec. DDoS assaults deplete resources, making online services inaccessible to clients, causing business interruption and financial losses. 

A botnet with 27,000 compromised devices in the United States, the United Kingdom, Japan, and Taiwan generated the malicious traffic that enabled the attack against Sberbank's main website. According to Lebed, fraudsters employed various strategies to carry out this cyberattack, including code injections into advertising scripts, malicious Chrome extensions, and DDoS-wielding Docker containers. 

As per Lebed, they have detected over 100,000 internet users hitting them in the last few months, with 46 simultaneous DDoS attempts on various Sberbank services reported in March. Many of these attacks took advantage of online streaming and movie theatre traffic, a strategy used by pro-Russian threat groups against critical Ukrainian websites. Visitors' web browsers run carefully constructed code found in injected scripts, which generates a large number of requests to certain URLs, in this example under Sberbank's domain. 

"Today, the bank faces cyberattacks around the clock. Sberbank's Security Operation Center analyzes cyber threats 24/7 and promptly responds to them," stated Sergei Lebed/

"However, when it comes to companies in other sectors, most of them have never encountered anything like this before and may suffer damages," cautionedSberbank's vice president.

DDoS attacks of this magnitude are likely to persist as long as geopolitical tensions create a polarised atmosphere, and as Sberbank's announcement concludes, they may decrease in number but increase in power. This is consistent with Radware's research from yesterday, which detailed a 36-hour 1.1 Tbps DDoS attack on a US service provider, indicating that threat actors are becoming significantly more capable even compared to last year.

Microsoft Reveals Massive Surge in XorDdos Attacks on Linux Devices

 

XorDdos, a stealthy distributed denial-of-service (DDoS) malware targeting Linux devices has witnessed a massive 254% increase in activity during the last six months, Microsoft revealed in a report.

The malware launches automated password-guessing assaults across thousands of Linux servers to find identical admin credentials used on Secure Shell (SSH) servers. SSH is a secure network communications protocol commonly used for remote system administration. 

Once XorDdos identifies valid SSH credentials, it uses root privileges to run a script that downloads and installs XorDdos on the target device. It also employs XOR-based encryption to communicate with the attacker's command and control infrastructure. 

The malware enables adversaries to create potentially significant disruptions on target systems and is used to bring in other dangerous threats or to provide a vector for follow-on activities. Microsoft found that devices first infected with XorDdos were later infected with additional malware such as the Tsunami backdoor, which further deploys the XMRig coin miner. 

"While we did not observe XorDdos directly installing and distributing secondary payloads like Tsunami, it's possible that the trojan is leveraged as a vector for follow-on activities," Microsoft wrote in a blog post. The malware can hide its activities from common detection techniques. In a recent campaign, Microsoft saw it overwriting sensitive files with a null byte. 

"Its evasion capabilities include obfuscating the malware's activities, evading rule-based detection mechanisms and hash-based malicious file lookup, as well as using anti-forensic techniques to break process tree-based analysis. We observed in recent campaigns that XorDdos hides malicious activities from analysis by overwriting sensitive files with a null byte. It also includes various persistence mechanisms to support different Linux distributions," Microsoft notes. 

The XorDdos payload Microsoft examined is a 32-bit Linux format ELF file with a modular binary written in C/C++. Microsoft notes that XorDdos uses a daemon process that runs in the background, outside the control of users, and terminates when the system is offline. 

In recent years, XorDdos has targeted misconfigured Docker clusters in the cloud using compromised systems to overwhelm a target network or service with fake traffic in order to render it inaccessible. According to CrowdStrike, XorDdos was one of the most active Linux-based malware families of 2021, with 35% growth compared to the previous year. 

Besides launching DDoS attacks, the malware’s operators use the XorDDoS botnet to install rootkits, maintain access to hacked devices, and, likely, drop additional malicious payloads.

Telegram is Selling the Eternity Malware Kit, Which Offers Malicious Services 

 

Cybercriminals have recently used Telegram to offer malware and other dangerous tools as services. Researchers have discovered a deadly new malware subscription plan which can be used to facilitate a wide range of attacks. 

The "Eternity Project," a modular malware kit, has capabilities that allow buyers to steal passwords and credit card information, launch ransomware attacks and infiltrate victims with cryptomining software. Each component of the malware toolkit, such as an information stealer, a coin miner, a clipper, ransomware software, a worm spreader, and, finally, a DDoS (distributed denial of service) bot, can be purchased separately. 

The creators share the latest update, usage instructions, and debate feature proposals on a private Telegram channel with over 500 members. Buyers can apparently use the Telegram Bot to assemble the binary automatically after choosing its desired feature set and paying the equivalent amount in cryptocurrency. The malware module is the most premium at $490 per year. The info-stealer, which costs $260 per year, steals passwords, credit cards, bookmarks, tokens, cookies, and autofill data from over twenty different web browsers. 

The malware's versatility is also highlighted through a deep-dive investigation of the infostealer module. Researchers claim that this single tool may gather data from a wide range of apps, including web browsers and cryptocurrency wallets, as well as VPN clients, messaging apps, and more. 

The miner module is $90 a year and includes features such as task manager invisibility, auto-restart once killed, and startup launch persistence. The clipper is a $110 application that scans the clipboard for cryptocurrency wallet credentials and replaces them with wallets controlled by the user. The Eternity Worm is available for $390 from the developer, and it can propagate itself using USB drivers, lan shares, local files, cloud drives, Python projects, Discord accounts, and Telegram accounts.

The authors say it's FUD (completely undetectable), a claim supported by Virus Total data showing zero detections for the strain. Surprisingly, the ransomware module provides an option of setting a timer that, when reached, renders the files entirely unrecoverable. This adds to the victim's pressure to pay the ransom as soon as possible. 

Despite the wide range of hazards posed by Eternity Project malware, Cyble says there are a few precautions consumers can take. Maintaining regular data backups, keeping software up to date, and avoiding visiting untrustworthy websites and email attachments are recommended best practices.

Russia Dubbed as the "Centre" of European-wide Cyber-Attacks

 

Since the beginning of Russia's invasion of Ukraine, the EU, UK, US, and other allies have recognized that Russia has been behind a wave of cyber-attacks. The most recent distributed denial-of-service (DDoS) attack on Viasat's commercial communications network in Ukraine, which occurred on the same day that Russia launched its full-fledged invasion, had a greater impact across Europe, disrupting wind farms and internet users. 

The outage on Viasat affected almost one-third of bigblu's 40,000 users throughout Europe, including Germany, France, Hungary, Greece, Italy, and Poland, according to Eutelsat, the parent company of bigblu satellite internet service. The incident impacted wind farms and internet users in central Europe, creating outages for thousands of Ukrainian customers. 

In the regard, the key statements by the West are as follows:

  • The European Union said that Russia was behind the strike, which occurred "one hour before" the invasion of Ukraine. 
  • Estonia: The member of the European Union went even further. With "high certainty," the country blamed the hack on Russia's military intelligence arm, saying it had "gone counter to international law." 
  • The United Kingdom's National Cyber Security Centre is "almost convinced" that Russia was behind the Viasat attack, according to the UK, citing "new UK and US intelligence." Meanwhile, the report said that "Russian Military Intelligence was probably certainly involved" in defacing Russian websites and releasing damaging spyware.
The main aim, according to the joint intelligence advisory, was the Ukrainian military. "Thousands of terminals have been destroyed, rendered useless, and are unable to be restored," according to Viasat. Russian military intelligence was likely certainly engaged in the January 13 attacks on Ukrainian official websites and the distribution of Whispergate harmful malware, according to the UK's National Cyber Security Centre (NCSC). 

"This is clear and alarming proof of an intentional and malicious attack by Russia against Ukraine, which had huge ramifications for ordinary people and businesses in Ukraine and across Europe," Foreign Secretary Liz Truss said. 

In the past Russian criminals hijacked the updater system of Ukrainian accounting software provider MEDoc in June 2017, infecting MEDoc users with the wiper virus NotPetya. The evidence suggests that Wiper malware infected several Ukrainian government networks again in 2022, and Gamaredon attacks targeted roughly 5,000 entities, including key infrastructure and government departments.

NCSC director of operations Paul Chichester addressed why the attribution was being done now, two and a half months after the occurrence, at a press conference at CYBERUK 2022. "We execute attributions in a process-driven manner; accuracy is extremely essential to us," he explained. Collaboration with international bodies such as the EU and the Five Eyes adds to the length of time it took to provide this material. 

Such cyber action aims to demoralize the public and degrade essential infrastructure. The perceived difficulties of precisely attributing the attack to any single aggressor is a benefit of conducting the earliest stages of kinetic activity in cyberspace. Putin has been emphatic in his denial of any Russian government participation in the attacks.

Cloudflare Blocks a  DDoS Attack with 15 million Requests Per Second

 

On Wednesday, Cloudflare, an internet infrastructure company, revealed it has successfully resisted one of the largest volumetric distributed denials of service (DDoS) attacks ever seen. A DDoS attack with a pace of 15.3 million requests per second (rps) was discovered and handled earlier this month, making it one of the greatest HTTPS DDoS attacks ever. 

According to Cloudflare's Omer Yoachimik and Julien Desgats, "HTTPS DDoS assaults are more pricey of necessary computational resources due to the increased cost of establishing a secure TLS encrypted connection." "As a result, the attacker pays more to launch the assault, and the victim pays more to mitigate it. Traditional bandwidth DDoS assaults, in which attackers seek to exhaust and jam the victim's internet connection bandwidth, are different from volumetric DDoS attacks. Instead, attackers concentrate on sending as many spam HTTP requests as possible to a victim's server to consume valuable server CPU and RAM and prevent legitimate visitors from accessing targeted sites."

Cloudflare previously announced it mitigated the world's largest DDoS attack in August 2021, once it countered a 17.2 million HTTP requests per second (rps) attack, which the company described as nearly three times larger than any prior volumetric DDoS attack ever observed in the public domain. As per Cloudflare, the current attack was launched from a botnet including about 6,000 unique infected devices, with Indonesia accounting for 15% of the attack traffic, trailed by Russia, Brazil, India, Colombia, and the United States. 

"What's intriguing is the majority of the attacks came from data centers," Yoachimik and Desgats pointed out. "We're seeing a significant shift away from residential network Internet Service Providers (ISPs) and towards cloud compute ISPs." According to Cloudflare, the attack was directed at a "crypto launchpad," which is "used to showcase Decentralized Finance projects to potential investors." 

Amazon Web Services recorded the largest bandwidth DDoS assault ever at 2.3 terabytes per second (Tbps) in February 2020. In addition, cybersecurity firm Kaspersky reported this week about the number of DDoS attacks increased 4.5 times year over year in the first quarter of 2022, owing partly to Russia's invasion of Ukraine.

The Fodcha DDoS Botnet Hits Over 100 Victims

 

Qihoo 360 researchers have found a rapidly spreading new botnet called Fodcha which is capable of performing over 100 attacks every day. Employing this new malware, the threat actor is attacking routers, DVRs, and servers. The actors were able to infect nearly 62,000 machines with the Fodcha virus in less than a month, as per the researchers. 

360 Netlab reports that the number of unique IP addresses affiliated with the botnet fluctuates, as they are monitoring a 10,000-strong Fodcha army of bots utilizing Chinese IP addresses every day, with the majority of them using China Unicom (59.9%) and China Telecom (59.9%) services (39.4 percent ). 

Researchers alleged that "Based on firsthand data from the security industry with whom we collaborated, the frequency of live bots is more than 56000." "The global infection appears to be quite large, as there are over 10,000 daily active bots (IPs) in China, as well as over 100 DDoS victims are targeted daily." 

The Fodcha infects devices by exploiting n-day vulnerabilities in many devices and employing the Crazyfia brute-force cracking tool. The botnet targets a variety of devices and services, including but not limited to: 

RCE for Android ADB Debug Server 
CVE-2021-22205 on GitLab 
CVE-2021-35394 in the Realtek Jungle SDK 
JAWS Webserver unverified shell command execution on MVPower DVR 
LILIN DVR RCE: LILIN DVR
TOTOLINK Routers: Backdoor TOTOLINK Routers
ZHONE Router: Web RCE ZHONE Router 

After successfully acquiring access to susceptible Internet-exposed devices samples, Fodcha attackers use Crazyfia result data to deploy malware payload. The botnet samples, according to 360 Netlab, target MIPS, MPSL, ARM, x86, and other CPU platforms. 

The botnet used the folded[.]in command-and-control (C2) domain from January 2022 until March 19, when it switched to fridgexperts[.]cc when the cloud vendor took down the essential C2 domain. 

"The switch from v1 to v2 is due to a cloud vendor shutting down the C2 servers corresponding to the v1 version, leaving Fodcha's operators with no alternative but to re-launch v2 and upgrade C2," the researchers reported. "The new C2 is mapped to over a dozen IP addresses and is scattered across different countries, including the United States, Korea, Japan, and India." It also includes more cloud providers, including Amazon, DediPath, DigitalOcean, Linode, and others. 


New Hybrid Enemybot Malware Targets Routers, Web Servers

 

A recently discovered DDoS botnet is enslaving multiple router models and various types of web servers by abusing known vulnerabilities, researchers at Fortinet Labs warned. 

Dubbed Enemybot, the botnet has been linked to the cybercrime group named Keksec which specializes in DDoS attacks and cryptocurrency mining and has been linked to multiple botnets such as Simps, Ryuk, and, Samel. 

The malware is the result of combining and modifying the source code of the Gafgyt (Bashlite) botnet – which leaked in 2015 –and the infamous Mirai botnet, with the latest version using the scanner module and a bot killer module. 

Enemybot employs multiple obfuscation methodologies meant not only to prevent analysis, but also to keep it concealed from other botnets, and connect to a remote server that's hosted in the Tor anonymity network to fetch attack commands. 

The new botnet also attempts to exploit a wide range of devices and architectures by using known combinations of usernames and passwords, running shell commands on Android devices with a compromised Android Debug Bridge port (5555), and targeting roughly 20 known router vulnerabilities.

The most recent of the targeted security loopholes is CVE-2022-27226, a remote code execution issue that impacts iRZ mobile routers, and which was made public on March 19, 2022. Enemybot, Fortinet points out, is the first botnet to target devices from this vendor. 

Enemybot also targets the now infamous Apache Log4j remote code execution vulnerabilities disclosed last year (CVE-2021-44228 and CVE-2021-45046), as well as a couple of path traversal issues in the Apache HTTP server (CVE-2021-41773 and CVE-2021-42013). 

The botnet also attempts to abuse security loopholes in TOTOLINK routers and Seowon routers, as well as older vulnerabilities in ThinkPHP, D-Link routers, NETGEAR products, Zhone routers, and ZyXEL devices. 

Once a flaw has been successfully abused, the malware runs a shell command to download a shell script from a URL that is dynamically updated by the C&C. The script is responsible for downloading the actual Enemybot binary compiled for the target device’s architecture.

After successful exploitation, the malware links to its C&C server and waits for further instructions. Based on received commands, it can perform DNS amplification attacks and various types of DDoS assaults, sniff traffic, and spread to other devices via brute force attacks. 

“This mix of exploits targeting web servers and applications beyond the usual IoT devices, coupled with the wide range of supported architectures, might be a sign of Keksec testing the viability of expanding the botnet beyond low-resource IoT devices for more than just DDoS attacks. Based on their previous botnet operations, using them for crypto mining is a big possibility,” Fortinet notes.

Anonymous : 900,000 Emails From Russian State Media Were Leaked

 

Anonymous which has been trying to target Russia since the invasion of Ukraine has reported more attacks against critical infrastructure sectors, including one which used an "improved" version of Russian Conti ransomware, and has called for the targeting of companies for proceeding to do business in Russia after the slaughter of Ukrainian civilians in Bucha. 

More than 900,000 emails by the All-State Television and Radio Broadcasting Company were purportedly leaked by the NB65 or Network Battalion 65 group, which is linked to the famed hacker collective Anonymous (VGTRK). 

DDoSecrets, a non-profit whistleblower site for news leaks, has rendered the 786.2 GB cache accessible to the public as a torrent file after NB65 apparently shared the hacked emails with them on Monday. In this regard, Emma Best, a co-founder of DDoSecrets said, "An unprecedented expose of state-owned media and propaganda which the Russian government views crucial to the state security."

A hacker organization called NB65 has been infiltrating Russian entities, collecting private data, and exposing it online for the past month, claiming the attacks are related to Russia's occupation of Ukraine. The emails, according to the Everyday Dot, span more than 20 years of correspondence and include discussions about daily operations as well as sanctions put on Russia by many other countries in reaction to its invasion of Ukraine.

Tensor, the Russian space program Roscosmos, and VGTRK, the state-owned Russian Television and Radio broadcaster, are among the Russian organizations said to have been targeted by the hacking group. The stated theft of 786.2 GB of data, comprising 900,000 emails and 4,000 files, was released on the DDoS Secrets website following the attack on VGTRK. Since the end of March, the NB65 hackers have been using a new tactic that is attacking Russian institutions with ransomware assaults. 

Conti's source code was released after the company allied with Russia in the Ukraine invasion, and a security researcher obtained 170,000 internal chat conversations and source code for the company's operation. 

Threat analyst Tom Malka first alerted to NB65's activities but was unable to locate a ransomware sample, and the hacking gang refused to provide it. This changed when a sample of the NB65's updated Conti ransomware executable was published to VirusTotal, letting us see how it functions. 

On VirusTotal, almost all antivirus vendors identify this sample as Conti, and Intezer Analyze discovered it shares 66% of the code with other Conti ransomware samples. When encrypting files, gives NB65's malware a run for its money.

The All-Russian State Television and Radio Broadcaster (VGTRK) is Russia's largest media conglomerate, with five national television channels, two major international networks, five radio shows, and over 80 regional television and radio networks under its umbrella. The ransomware will also leave R3ADM3.txt ransom notes all over the encrypted device, with threat actors accusing President Vladimir Putin of invading Ukraine for the attacks. 

Due to New Router Flaws, Beastmode Botnet Has a Greater DDoS Potential

 

Beastmode (or B3astmode), a Mirai-based decentralized denial-of-service (DDoS) botnet, has extended its list of exploits to include three new ones, all of which target various models of Totolink devices.

Totolink is a well-known electronics sub-brand of Zioncom which recently published firmware patches to address three critical-severity flaws. DDoS botnet programmers wasted little time in adding these holes to their arsenal to take advantage of the window of opportunity before Totolink router customers installed the security patches. Beastmode has gained control of vulnerable routers, giving it access to hardware resources it can use to execute DDoS attacks.

The following is a list of vulnerabilities in TOTOLINK routers: 

  • CVE-2022-26210 (CVSS 9.8) - A command injection vulnerability that could be used to execute arbitrary code. 
  • CVE-2022-26186 is a vulnerability that affects computers (CVSS score: 9.8) TOTOLINK N600R and A7100RU routers are vulnerable to a command injection vulnerability. 
  • CVE-2022-25075 to CVE-2022-25084 (CVE-2022-25075 to CVE-2022-25084) (CVSS scores: 9.8) - A buffer overflow vulnerability has been discovered in certain TOTOLINK routers, resulting in code execution.  

CVE-2021-4045 is used to target the TP-Link Tapo C200 IP camera, which the researchers haven't seen in any other Mirai-based campaign. For the time being, the exploit has been implemented incorrectly and does not operate. "Device users must still update its camera software to correct this issue," the researchers suggest, citing indications of continued development. 

Although the flaws affect different devices, they all have the same effect: they allow the attacker to insert commands to download shell scripts via the wget command and infect the device with Beastmode. The shell scripts differ depending on which devices have been infected and which exploit has been used.

The vulnerabilities were not the only ones introduced to the Beastmode botnet; its creators also added the following previous bugs:

D-Link is affected by CVE-2021-45382, a remote code execution bug. DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L are the DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L. 
  • CVE-2021-4045 — Unauthenticated remote code execution bug in the TP-Link Tapo C200 IP camera. 
  • CVE-2017-17215 —  Unauthenticated remote code execution problem in Huawei HG532
  • CVE-2016-5674 — Remote execution of arbitrary PHP code through the log argument in the Netgear ReadyNAS product line.
Ensure to deploy the available security updates which correct the vulnerabilities mentioned above to prevent Mirai versions from seizing control of any router or IoT devices. Totolink users should go to the vendor's download center, choose the device model, and download and install the most recent firmware version available. 

A slow internet connection is one of the symptoms if your router has been exploited. Additional indicators include the device heating up more than usual, inability to get into the administration panel, changing settings, or an unresponsive device, which a typical user is likely to overlook.

After 17 years, the Zlib Crash-An-App Flaw Has Been Patched

 

Four years after the vulnerability was first found but left unpatched, the widely used Zlib data-compression library now has a patch to close a vulnerability that might be abused to crash apps and services. Tavis Ormandy, a bug hunter for Google Project Zero, informed the Open-Source-Software-Security mailing list about the programming error, CVE-2018-25032, which he discovered while trying to figure out what caused a compressor crash. 

"We reported it upstream, but it turns out the bug is already public since 2018, but the update never made it into a release. As far as they are aware, no CVE has ever been assigned to it." Ormandy stated. Furthermore, when Eideticom's Danilo Ramos discovered the defect in April 2018, it was 13 years old, implying this bug had been lurking for 17 years, waiting to be exploited. 

Zlib is a data-compression general-purpose library that is free, and legally unencumbered (i.e., not covered by any patents). It can be used on nearly any computer hardware and operating system. Anyone who has ever used softwares like PKZIP, WinRAR, 7-Zip, or any archiving utilities will attest to how data compression software has always been useful.

The primary goal of data compression is to save space, such as by reducing the amount of storage space required for backups or reducing data transfer bandwidth. Despite the computational overhead of squashing and expanding data before and after storing or sending it, compression frequently saves time and space by reducing the amount of data that must be moved back and forth between a fast storage location like RAM (memory) and a slow storage location like a disc, tape, or network. 

The patch was never included in a Zlib software update, and Ormandy showed a proof-of-concept exploit which works against both default and non-default compression schemes supported by the library just a few days after discovering the problem. This means any attempt to unpack maliciously designed compressed data may cause an application or network service to crash. 

In a nutshell, this is a memory corruption flaw: if user-supplied data is particularly formatted, software that relies on Zlib to compress it can crash and terminate due to an out-of-bounds write. The open-source Zlib is so extensively used that there are plenty of potential avenues for exploitation, which is why this problem is such a huge deal, in contrast to its nearly two-decade history. Zlib's algorithm, DEFLATE, which became an internet standard in 1996, is used to squash and expand data in a variety of file formats and protocols, and the software it handles these inputs to, will almost certainly use zlib. 

According to Sophos, these programs include Firefox, Edge, Chromium, and Tor, as well as the PDF reader Xpdf, video player VLC, Word and Excel compatible software LibreOffice, and picture editor GIMP. The Zlib problem, which was first discovered in 1998, enables data in a pending buffer to corrupt a distance symbol table. Out-of-bounds access can cause the program to crash and even create a denial of service. 

Users should install a non-vulnerable version of the zlib shared library, which they can usually get from the OS maker by downloading the latest updates, and developers should make sure the software packages don't rely on a vulnerable version of the reliance, pushing out app or service updates as needed.

Single Packets Launching DDoS Attacks in the Wild

 

Cybersecurity experts from Akamai, Cloudflare, Mitel, Netscour, Lumen Black Lotus Labs, The ShadowServer foundation, Telus, and Team Cymru have revealed a DDoS (denial of service attack) with an intensity ratio crossing 4 billion to one and it can be deployed using a single pocket. Termed as CVE-2022-26143, the vulnerability exists around 2600 incorrect provisional Mitel MiCollab and MiVoice Business Express systems that work as a PBX to internet gateways, going through a test mode that shouldn't be exposed on the internet. 

"The exposed system test facility can be abused to launch a sustained DDoS attack of up to 14 hours in duration by means of a single spoofed attack initiation packet, resulting in a record-setting packet amplification ratio of 4,294,967,296:1," ShadowServer blog post writes. You should also note that single packet attention initiation has the capability of precluding network operator traceback of the spoofed attack initiator traffic. It helps to hide the origin of the attack infrastructure, which makes it less possible for the origin of the attack to be identified compared to other UDP reflection/amplification DDoS attack vectors. 

A driver in the Mitel system includes a command platform command that executes a stress test of status update packets, thereby theoretically producing 4,294,967,294 packets within 14 hours at a maximum possible prize of 1,184 bytes. ShadowServer further explains "this would yield a sustained flood of just under 393Mbps of attack traffic from a single reflector/amplifier, all resulting from a single spoofed attack initiator packet of only 1,119 bytes in length." The results mean around 2,200,288,816:1 unimaginable amplification ratio. 

It indicates a multiplier of 220 Billion percent, caused by a single packet. Fortunately, the Mitel system only processes one command at a time, this means that if a system is compromised by DDoS attacks, the users may think about why the outbound connection is getting disrupted and not available. According to ZDNet, "the first attacks using the exploit began on February 18, these were reflected mainly onto ports 80 and 443, and targeted ISPs, financial institutions, and logistics companies."