Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label DDOS Attacks. Show all posts
NKN protocol
Blockchain Technology Cyber Security Cybersecurity DDOS Attacks multi-platform threat NKAbuse NKN protocol

NKAbuse Malware Utilizes NKN Blockchain Technology for Executing DDoS Attacks

 

A newly identified multi-platform threat named NKAbuse has surfaced, employing a decentralized peer-to-peer network connectivity protocol known as NKN (New Kind of Network) for communication. Russian cybersecurity firm Kaspersky detailed the malware's capabilities in a report, describing it as a robust implant with both flooder and backdoor functionalities.

NKN, boasting over 62,000 nodes, functions as a software overlay network on the existing Internet, allowing users to share unused bandwidth and earn token rewards through a blockchain layer on top of the TCP/IP stack. NKAbuse, however, takes advantage of this technology to execute distributed denial-of-service (DDoS) attacks and operate as an implant within compromised systems.

While threat actors commonly exploit emerging communication protocols for command-and-control purposes to elude detection, NKAbuse stands out by leveraging blockchain technology. This malicious software communicates with the bot master using the NKN protocol, implementing the Go programming language. Its primary targets seem to be Linux systems, including IoT devices, particularly in Colombia, Mexico, and Vietnam.

The scale of the attacks remains uncertain, but Kaspersky highlighted an incident involving the exploitation of a six-year-old critical security flaw in Apache Struts (CVE-2017-5638, CVSS score: 10.0) to breach an unnamed financial company. The attack sequence involves the delivery of an initial shell script, responsible for downloading the implant from a remote server after verifying the target host's operating system. The server hosting the malware supports various CPU architectures, featuring eight different versions of NKAbuse.

Notably, NKAbuse lacks a self-propagation mechanism, requiring delivery through an initial access pathway, such as exploiting security flaws. The malware employs cron jobs to persist through reboots, checking the user ID and, if it is root (ID 0), adding itself to the crontab for every reboot.

The malware also incorporates backdoor features enabling it to send periodic heartbeat messages to the bot master, providing system information, capturing screenshots, performing file operations, and executing system commands. Kaspersky emphasizes that NKAbuse is crafted for integration into a botnet but can adapt to functioning as a backdoor on a specific host. The use of blockchain technology ensures reliability and anonymity, hinting at the potential for the botnet to expand steadily over time without an identifiable central controller.

Zheng "Bruce" Li, co-founder of NKN, expressed surprise at the misuse of NKN technology, emphasizing that NKN was designed to offer secure, private, decentralized, and scalable peer-to-peer communication. He expressed a willingness to collaborate with security experts to enhance internet safety.
Read more »
Sensitive data
Data Breach DDOS Attacks Digital Age Malicious actor Open Source Sensitive data

Blender's Battle: Triumph Over DDoS Adversity

Open-source projects are now the foundation of innovation in a world where digital infrastructure is becoming more and more important. Even these groups, though, appear to be vulnerable to the constant threat of cyberattacks. The Blender Project was recently the target of Distributed Denial of Service (DDoS) assaults, which serve as a sobering reminder of the difficulties facing open-source endeavors in the digital age.

Blender, a versatile and powerful 3D creation suite, found itself in the crosshairs of a major DDoS attack, temporarily knocking its servers offline. The assault disrupted services, leaving users unable to access crucial resources. However, the Blender community, known for its resilience and collaborative spirit, swiftly rallied to address the challenge head-on.

The attack's origins remain shrouded in mystery, but the Blender Foundation acknowledged the incident through an official statement. They detailed the ongoing efforts to mitigate the impact and restore normalcy. Open source projects often operate on limited resources, making them susceptible targets for malicious actors. Despite this vulnerability, Blender's response underscores the dedication and determination of the open-source community to safeguard its assets.

Blender's official website (blender.org) became a focal point for concerned users seeking updates on the situation. The Blender Foundation utilized its communication channels to keep the community informed, ensuring transparency during the crisis. Users were encouraged to stay vigilant and patient as the team worked diligently to resolve the issue.

TechRadar reported on the severity of the attack, emphasizing the temporary unavailability of Blender's servers. The Verge also covered the incident, shedding light on the disruptive nature of DDoS attacks and their potential ramifications for widely-used platforms. Such incidents serve as a stark reminder of the importance of cybersecurity for digital infrastructure.

Despite the challenges posed by the DDoS onslaught, the Blender community's commitment to open-source principles emerged as a beacon of hope. The Blender Foundation's response exemplifies the resilience ingrained in collaborative endeavors. This incident reinforces the need for continued vigilance and proactive security measures within the open-source ecosystem.

As Blender emerges from this cyber crisis, it stands not only as a symbol of resilience but also as a reminder of the collective strength that open-source projects embody. The challenges posed by DDoS attacks have sparked a renewed commitment to fortifying the digital defenses of open-source initiatives. The Blender community's ability to weather this storm reflects the collaborative spirit that defines the open-source landscape, leaving us hopeful for a future where innovation can thrive securely in the digital realm.

Read more »
DDOS Attacks
airline industry Anonymous Hackers Data Breach DDOS Attacks

SAS Airlines Faces $3 Million Ransom Demand After DDoS Attacks

 

Scandinavian Airlines (SAS) has recently become the target of a series of Distributed Denial of Service (DDoS) attacks, resulting in a $3 million ransom demand from a hacker group called Anonymous Sudan. This incident highlights the increasing sophistication and financial motivations behind cyberattacks on major organizations.

The DDoS attacks, which overwhelmed SAS's computer systems and disrupted its online operations, were followed by a ransom note demanding the hefty sum of $3 million in exchange for stopping the attacks and preventing further damage. The hackers threatened to expose sensitive data and continue their assault if the ransom was not paid within a specified timeframe.

The airline industry has been a recurring target for cybercriminals due to the potentially massive financial losses and disruption caused by such attacks. In this case, SAS faced significant operational challenges as its website and other online services were rendered inaccessible to customers, leading to a loss of revenue and damaging its reputation.

Responding to the situation, SAS promptly notified the appropriate authorities and engaged with cybersecurity experts to mitigate the ongoing attacks. The company also worked to restore its affected systems and strengthen its overall security posture to prevent future incidents. Collaboration with law enforcement agencies and cybersecurity professionals is crucial in investigating these attacks and bringing the perpetrators to justice.

The incident serves as a reminder for organizations to enhance their cybersecurity measures and be prepared for the evolving threats posed by cybercriminals. Proactive steps, such as conducting regular security assessments, implementing robust network infrastructure, and educating employees about potential risks, can help mitigate the impact of such attacks.

Incident response planning should also be given top priority by enterprises in order to reduce downtime and financial losses in the case of an attack. This entails developing a clear plan for confining and isolating the assault, recovering systems and data from backups, and keeping open lines of communication with key stakeholders all along the procedure.

The SAS Airlines ransom demand serves as a sobering reminder of the constant threat posed by cyberattacks and the significant financial implications for targeted organizations. Heightened cybersecurity measures, swift incident response, and collaboration among industry stakeholders are crucial in combatting these threats and safeguarding critical infrastructure from malicious actors.

Read more »
Vulnerability and Exploits.
DDOS Attacks Firewalls Malicious actor SMB Software Vulnerability and Exploits.

SLP Vulnerability Exposes Devices to Powerful DDoS Attacks

Security researchers have recently discovered a new vulnerability that has the potential to launch devastating Distributed Denial of Service (DDoS) attacks. The Server Message Block (SMB) protocol, which is widely used in various devices and systems, including Windows machines and some network-attached storage devices, contains the SLP vulnerability. Attackers can exploit this vulnerability to send specially crafted SMB packets that force the target device to allocate excessive memory or processing power to the request, ultimately causing a crash or downtime.

The SLP vulnerability is particularly dangerous because it enables attackers to amplify the impact of their DDoS attacks by up to 2200 times more than previous methods. This increased power can overwhelm the target’s defenses and cause lasting damage. Unfortunately, there is no straightforward solution for this vulnerability as it is deeply embedded in the SMB protocol and affects various devices and systems. However, organizations can take some steps to mitigate the risk of attack, such as implementing access controls, and firewalls, and monitoring their networks for any suspicious SMB activity.

The discovery of the SLP vulnerability highlights the need for robust cybersecurity measures and constant vigilance against evolving threats. As attackers develop new tactics and exploit new vulnerabilities, organizations must stay ahead of the curve and protect their networks and systems from harm.

The SLP vulnerability is a significant concern for organizations that use SMB protocol, as it exposes them to potential DDoS attacks. The impact of these attacks can be devastating and long-lasting, highlighting the need for constant vigilance and strong cybersecurity measures. Organizations must take proactive steps to monitor their networks, implement access controls, and limit the exposure of SMB services to the internet to mitigate the attack risk. The discovery of the SLP vulnerability underscores the critical importance of staying ahead of the curve in cybersecurity and constantly adapting to new threats.
Read more »
IP Address
Botnet Cloud Computing Cloudfare Cyber Attacks DDOS Attacks FBI HTTP IP Address

 Massive DDoS Attack was Thwarted by Cloudflare

 

Prioritized firms like gaming providers, hosting providers, cloud computing platforms, and cryptocurrency enterprises, according to Cloudflare, emanated from more than 30,000 IP addresses.
The greatest volumetric distributed denial-of-service (DDoS) attack that Cloudflare has seen to date was stopped.

The greatest attack, which is the largest documented HTTP DDoS attack, topped 71 million rps, per Cloudlare's analysis. The volume is 35% greater than the previous record, 45 million rps from June 2022, which had been recorded.

The FBI accused six suspects of their involvement in running 'Booter' or 'Stresser' platforms, which anybody can use to execute DDoS attacks, in response to this stream of continuously escalating attacks, and seized dozens of Internet domains. Operation PowerOFF, a larger, more coordinated worldwide law enforcement operation against DDoS-for-hire services, included the action.

Cloudflare has been collaborating with the victims to strike down the botnet and is providing service providers with a free botnet threat feed that will transmit threat intelligence from their IP and any ongoing attacks coming from their hosted autonomous system.

Researchers cautioned entities to take action immediately before the next campaign: protecting against DDoS attacks is crucial for organizations of all sizes, even while DDoS attacks on non-critical websites might not result in permanent harm or safety hazards. DDoS attacks against internet-facing equipment and patient-connect technology in the healthcare industry put patients' safety at risk.



Read more »
User Privacy
Artificial Intelligence Data protection DDOS Attacks malware Network Attacks User Privacy

DDoS Attacks Can Be Mitigated by AI

A DDoS protection system is necessary since DDoS attacks are so common. Numerous media and web-based consumer platforms are supported by AI machine learning algorithms currently. AI does not need the ten-year development cycles of nuclear weapons or bombers to be deployed or even upgraded because it is mostly software running on commercial processors.

Along with speed and accuracy, the rate of false positives shows how effective your detection is; the smaller the number, the better. Up until recently, neutralizing a DDoS assault of 2Tbps in scale might also block 100Gbps to 200Gbps of valid network traffic due to the industry-accepted rate of 5% to 10% false positives.  

Investment may be necessary for the implementation of ML and AI technologies. Based on the expertise working across numerous sectors, researchers have found important factors that can make any AI/ML implementation much more effective, resulting in a successful deployment as opposed to AI technology remaining on the stand and improved return on investment.

Ways ML/AI technologies can be utilized

1. Finding operational challenges:

The first step to the successful adoption of any AI or ML solution is to pinpoint the business issues the organization is attempting to solve with AI/ML and secure support from all important stakeholders. The roadmap for getting there can be created by being clear about the preferred result and evaluating use cases motivated by business imperatives and quantitative success factors of an AI/ML implementation. 

2. Data accessibility:

To develop the AI/ML model, a sufficient database that is pertinent to the business challenge being addressed must be made available. Organizations may encounter circumstances where such data is not yet accessible. The company should next devise and carry out a plan to begin gathering pertinent data while concentrating on other business issues that can be helped by accessible data science. 

3. Adopting optimal algorithms to perform:

It is frequently preferable to use a model or method with fewer parameters. Examining model validity is a crucial stage in this process, can the chosen model provide rationales and explanations in simple English that can be understood. Reasons for judgments made by an expert or algorithm are necessary in some regulated businesses. . In such cases, model explainability packages like LIME or SHAP can offer explanations that are simple enough for humans to understand.

4. Approach to operationalization:

It is apparent that a successful deployment requires clarity regarding how the forecasts and insights from AI/ML fit into routine operations. The model scores and insights will be used in what ways by the organization? In the operational workflow, how does the AI/ML model fit? Will technology entirely replace parts of the present manual processes, or will it only be utilized to support the analysts' judgment? Will the solution be applied on-premises or in the cloud? A clear plan that answers these issues will help to ensure that the solution is implemented and does not remain on the back burner.

5. Educating, enabling, and skilling:

Building teams with specialists in multiple fields of the AI/ML domain is crucial, of course. Confirm that the resources and expertise necessary to support the functioning of the AI/ML solution are accessible. Any skills shortages should be filled by either retraining the current workforce or hiring fresh talent with the necessary qualifications.

AI/ML algorithms now make it possible to identify DDoS activity early and put in place quick, precise, and effective mitigation procedures to resist such attacks.

Experts can protect our networks from harmful DDoS attacks, keep the functioning of the service, and provide user protection online by integrating big data analytics and AI/ML into every phase of a thorough DDoS security strategy. 
Read more »
saaS
Cyber Crime Cyber Crime Reports DDoS DDOS Attacks DDoS Flaw Microsoft Ransomware saaS

A Huge DDoS Network was Taken Down by the US DOJ

 


According to the US Department of Justice (DOJ), 48 domains were seized after it was discovered that they were offering distributed denial of service (DDoS) attacks on-demand as a service that criminals could exploit.  

This information was provided in a press release from the office of E Martin Estrada, the United States Attorney for the Central District of California. This release was intended to inform the public that in addition to these seizures, six defendants are being charged with crimes in connection with operating these platforms.  
 
With the addition of the DDoS attacks which are plaguing the internet, this news brings back to the forefront the concept of Cybercrime-as-a-Service, outlined in the Microsoft Digital Defence Report (MDDR) released in November 2022. 

What is DDoS?

It is a platform for performing distributed denial-of-service attacks (DDoS attacks) that primarily allows anyone to purchase and execute such attacks for free. Based on the software as a service (SaaS) business model, these services are lucrative because they allow the owner of an IoT botnet to conduct low-overhead attacks.


DoS-for-Hire Services

Until recently, the majority of cybercrime-as-a-service reports have covered cybercrime using the context of ransomware, or a threat actor encrypting data and locking it out so that people cannot access what they want (usually until a ransom has been paid), or droppers bots that spread malware via delaying software updates.  

Despite this, DDoS-as-a-service (sometimes known as "booters" since they boot targeted systems from the internet) continues to be one of the most popular cybercrime methods for those who wish to commit a crime without having the necessary knowledge. 

According to the US Attorney's office, the websites seized during the operation launched "millions" of DDoS attacks, attacking victims around the world, with some claiming to provide legitimate services for your business to cope with stress. 

With booter services such as these, anyone can launch cyberattacks against victims, causing grave harm to individuals, and compromising the internet access of everyone, said US Attorney Estrada, noting the ease with which the attacks are carried out, allowing for maximum damage to be done. 

This week’s sweeping law enforcement activity is a considerable step in our ongoing efforts to eradicate criminal conduct that threatens the internet’s infrastructure and our ability to function in a digital world.

There are several organizations, including the FBI, the National Crime Agency, the Netherlands Police, and the National Crime Strategy, which are taking a much softer approach towards anyone who shows an interest in using the DDoS-for-hire services that are available. 

To deter would-be cybercriminals from investing in these services and to educate the public about the dangers of DDoS activity, an advertorial campaign will be conducted using placement ads in search engines on common keywords related to DDoS-for-hire activity. The campaign aims to target the use of common keywords related to DDoS-for-hire activity. As part of its commitment to victims, the FBI has also pledged to assist them whenever possible. 

"The FBI is ready to work with victims of crimes whether they launch them independently or hire a skilled contractor to execute them," said Donald Alway, Assistant Director in Charge of the FBI Los Angeles Field Office. 

American victims of cybercrime are encouraged to contact their local FBI field office or to file a complaint with the FBI's Internet Crime Complaint Center at www.ic3.gov.
Read more »
Vulnerabilities and Exploits
Akamai Bypass Methods DDOS Attacks Online Security RCE Flaw Vulnerabilities and Exploits

Researchers Find an Akamai WAF Access Point

The bypassing of Spring Boot-based Akamai web app firewalls (WAF) by a hacker could result in remote code execution (RCE).

The WAF from Akamai uses adaptive technologies to prevent known online security risks and was modified a few months ago in order to reduce the danger of Distributed Denial-of-Service (DDoS) attacks.

According to security researcher Peter M, the exploit employed Spring Expression Language (SpEL) injection, better known by the alias 'pmnh'. Usman Mansha and the analyst Peter H. claimed that Akamai has subsequently corrected the vulnerability, which was not given a CVE number.  

"This was the second RCE via SSTI we identified on this program, after the first one, the program added a WAF which we were able to overcome in a different portion of the application," GitHub explanation of the Akamai WAF RCE read. 

Access Point for WAF

The most straightforward approach to access the java.lang. Runtime class was through the SpEL reference $T(java.lang.Runtime), however, Akamai's software prevented this. 

Discovering a connection to a random class was the next step. Peter M., a technical writer, said that this would enable reflection-based or direct method invocation to access the desired method. 

Peter M. and Mansha constructed an arbitrary String using the java.lang and used a reflection mechanism to gain access to Class.forName.Accessible runtime value through Java.lang.

A second string was made to access the Runtime.getRuntime function and java.lang.Runtime, allowing for the creation of an effective RCE payload. The server recognized the final payload as a GET request because it was less than 3kb in size. 

The WAF was a difficult obstacle to get over, though. Finding an access point required more than 14 hours and 500 roughly designed tries, according to Peter M. In order to stop blatant copycats, the researcher chose not to provide the final payload in text format. 


Read more »
User Privacy
Cyber Crime DDOS Attacks EU Europol Phishing Attacks User Privacy

DDoS-for-Hire Websites are Seized by Authorities

 

According to Europol, international police deactivated roughly 50 well-known websites that charged users to perform distributed denial-of-service attacks and detained seven people who were allegedly the sites' administrators.

Operation Power Off was a coordinated effort by law enforcement agencies in the US, the Uk, the Netherlands, Poland, and Germany to combat attacks that have the potential to shut down the internet.

According to the police, the defendants misrepresented their websites as being services that could be employed for network testing while actually charging users for DDoS assaults against universities, government organizations, gaming platforms, and millions of people both domestically and overseas. Websites are rendered unavailable by DDoS attacks, which function by flooding them with unwanted traffic.

"These DDoS-for-hire websites, with paying customers both inside and outside the US, enabled network outages on a massive scale, targeting millions of victim computers around the world," said Antony Jung, special agent in charge of the operation at the FBI's field office in Anchorage, Alaska. Before purchasing or offering these illicit services, prospective users and administrators should exercise caution.

The largest DDoS-for-hire services are available on these sites, according to the UK's National Crime Agency (NCA), one of which has been used to launch more than 30 million attacks in its existence. Additionally, it has taken possession of customer data and, pending examination, may soon take legal action against UK site visitors.

DDoS Attack Is Illegal

DDoS poses the risk of lowering the barrier to entry for cybercrime. As per Europol, anyone with no technical expertise can start DDoS attacks with the press of a button for as little as $10, taking down entire networks and websites.

The harm they can cause to victims can be severe, financially crushing businesses and stripping people of necessary services provided by banks, governmental agencies, and law enforcement. Many young IT enthusiasts participate in this allegedly low-level crime feeling motivated by their imagined anonymity, unaware of the potential repercussions of such online activity.

The police take DDoS attacks seriously. Irrespective of their size, all users are monitored by law authorities, whether they are high-level hackers launching DDoS assaults against for-profit targets or casual users kicking their rivals out of video games.


Read more »
Google
Blockchain Cloud Services Crypto Currency Cyber Security DDOS Attacks Google

Google Cloud Delivers Web3 Developers for Blockchain Node Engine

The Blockchain still has more than 38 million customers in 140 countries worldwide, according to the Google Cloud website. In a news release, the business stated that the launch represents a resolve to aid Web3 developers in creating and deploying new products on platforms based on blockchain technology. 

Blockchains serve as a sort of decentralized database because they are made up of transaction data that is encrypted and permanently stored. The governing infrastructure is a node, which is a computer or server that holds the whole copy of the blockchain's transaction history in addition to depending on a central authority to confirm data.

Amit Zavery, GM and VP of engineering and platform, and James Tromans, director of cloud web3, announced the new service in a blog post that explained how difficult it is for blockchain nodes to stay in sync since they must continually exchange the most relevant blockchain data. It requires a lot of resources and data.

By providing a service model to handle node creation and a safe development environment in a fully managed product, Google Cloud aims to make it simpler. From Google's standpoint, it is far simpler to let them handle the labor-intensive tasks while you focus on creating your web3 application.

Additionally, Web3 businesses that need dedicated nodes can create effective contracts, relay transactions, read or write blockchain data, and more using the dependable and fast network architecture of Google Cloud. Organizations using Web3 benefit from quicker system setup, secure development, and managed service operations.

The goal of Google's blockchain service is to deploy nodes with the security of a virtual private cloud firewall that restricts networking and communication to vetted users and computers. The ability to access the notes from processes like distributed denial of service assaults will be restricted by other services like Google Cloud Armor.

Gains from Node Engine

The majority will adopt this method after Ethereum, which will employ it first. The following are some advantages that businesses could gain from using this Google Cloud Node Engine.

It takes a significant amount of time to manually node, and it can prove difficult for a node to sync with the network. However, the developers can deploy nodes using Google Cloud's Node Engine in a single transaction, simplifying and speeding up the procedure.

In the realm of cryptocurrency, data security is of utmost importance. The developers will benefit from the Engine Node's assistance in protecting their data and preventing illegal access to the nodes. Additionally, Google Cloud shields the nodes from DDoS assaults, just like Cloud Armor.

This development seeks to "assist enterprises with a stable, easy-to-use blockchain node web host so they can focus their efforts on developing and scaling their Web3 apps," according to Google Cloud's official website.

An approved group fully manages the Google Cloud Engine Node. The staff will administer the system during an outage, therefore you will have no concerns about availability. Nodes need to be restarted and monitored during an outage; the group will take care of it for clients.

Read more »
Russian Cyber Security
Cyber Attacks DDoS DDOS Attack DDOS Attacks Killnet Russia Russian Cyber Security

KillNet: Pro-Russian Threat Actors Claims Responsiblity for 14 DDoS Attacks on U.S. Airports

 

On Monday, a pro-Russian hackers group ‘KillNet reportedly claimed to be behind the DDoS attacks, that temporarily took down the websites of several U.S. airports.
 
A similar case was witnessed by Atlanta International Airport. Consequently, users were unable to access the websites for a few hours during the campaign. Though, the attacks did not have any impact on flight operations.
 
The Los Angeles International Airport (LAX) authority informed about a threat on their website to the Transportation Security Administration and the FBI.
 
"The service interruption was limited to portions of the public facing FlyLAX.com website only. No internal airport systems were compromised and there were no operational disruptions," a spokesperson stated in an emailed statement. Adding to the statement, she said the airport’s IT Team has restored all services and is investigating the cause.
 
Later, the hacker group apparently posted the list of the hacked airport websites on Telegram that included 14 targeted domains, urging hackers to participate in the DDoS attack.
 
The Airport websites impacted by the group include Los Angeles International, Chicago O’Hare, Hartsfield-Jackson Atlanta International Airport, the Los Angeles International Airport (LAX), the Chicago O’Hare International Airport (ORD), the Orlando International Airport (MCO), the Denver International Airport (DIA), the Phoenix Sky Harbor International Airport (PHX), and the sites of airports in Kentucky, Mississippi, and Hawaii.
 
In a Telegram post on Monday, Killnet listed other U.S. sites that could be the next potential victims of similar DDoS attacks, such as sea terminals and logistics facilities, weather monitoring centers, health care systems, subway systems, and exchanges and online trading systems.
 
Apparently, this DDoS attack was not the first attack by KillNet as KillNet has previously targeted many other countries that were against the Russian invasion of Ukraine. These NATO countries include Italy, Romania, Estonia, Lithuania, and Norway.
 
KillNet's DDoS attacks and those urging other threat actors to carry out are an example of what security experts determine is the tendency in recent years of geopolitical tensions, to be permeated the cyber world. As per the speculations, this campaign against the US and other NATO countries, for instance, instigates days after an explosion demolished a section of a major bridge connecting Russia to the Crimean Peninsula.
Read more »
Telegram
Command and Control(C2) Cyber Security DDOS Attacks Encryption Ransomware Attacks. Russian Hackers Telegram

Evolution of LilithBot Malware and Eternity Threat Group

A variant of the versatile malware LilithBot was recently uncovered by ThreatLabz in its database. This was connected to the Eternity group, also known as the Eternity Project, a threat entity affiliated with the Russian Jester Group, which has been operating since at least January 2022, according to further investigation.

In the darknet, Eternity disseminates many malware modules bearing the Eternity name, such as a stealer, miner, botnet, ransomware, worm+dropper, and DDoS bot.

LilithBot Malware

The distribution channels for the LilithBot that were found were a specialized Telegram group and a Tor connection that offered one-stop shopping for these multiple payloads. It included built-in stealer, clipper, and miner capabilities in addition to its primary botnet activity. 

The LilithBot multipurpose malware bot was discovered by Zscaler's ThreatLabz threat research team in July 2022 and was being offered as a subscription by the Eternity organization. In this campaign, the threat actor adds the user to its botnet and then steals files and user data by sending it via the Tor network to a command-and-control (C2) server. The malware in this campaign performs the functions of a stealer, miner, clipper, and botnet while using false certificates to avoid detection.

This malware-as-a-service (MaaS) is unusual because, in addition to using a Telegram channel to share updates on the latest features, it also uses a Telegram Bot to let customers create the binary. Common cryptocurrencies accepted by Eternity for payments include BTC, ETH, XMR, USDT, LTC, DASH, ZEC, and DOGE. Eternity often conducts business via Telegram.

If the buyer requests it, hackers will construct viruses with add-on functionality and offer customized viruses. The infection costs from $90 and $470 in USD. The Eternity Telegram channel demonstrates the frequent upgrades and improvements the team makes to its services.

The Eternity gang frequently refers users to a dedicated Tor link where a detailed description of their various viruses and their features may be found. The Tor link takes you to the homepage, where you can learn more about the different products and modules you may buy. The targeted user's files and documents are encrypted by the malware. A specific video explaining how to create the ransomware payload is available on the Tor page. Their Ransomware is the most expensive item on sale. For yearly membership, Eternity Stealer costs $260.
  • Eternity Miner as a yearly subscription costs $90.
  • Eternity Miner ($90 )as an annual subscription 
  • Eternity Clipper ($110 )
  • Eternity Ransomware ($490)
  • Eternity Worm ($390)
  • Eternity DDoS Bot (N/A) 

It is adaptable to the unique needs of clients and can constantly be updated at no further cost. They also provide their clients with numerous additional discounts and perks.

It is possible that the organization is still carrying out these tasks as the LilithBot malware has developed, but doing so in more complex ways, for as by completing them dynamically, encrypting the tasks like other areas of code, or employing other cutting-edge strategies.

The 'Microsoft Code Signing PCA' certificate authority issues a valid Microsoft-signed file, and it will also show a countersignature from Verisign. But as research is seen, LilithBot's bogus certificates lack a countersignature and appear to have been granted by the unverified Microsoft Code Signing PCA 2011.

Read more »
Windows
DDOS Attacks Infected Devices Linux malware Safety Security Windows

This New Chaos Malware Infects Windows & Linux Devices for DDoS Attacks

 

Lumen Technologies' threat intelligence team, Black Lotus Labs, has issued a warning about Chaos, a new variant of the Kaiji distributed denial-of-service (DDoS) botnet that targets enterprises and large organisations. 

The Golang-based Kaiji malware is presumed to be of Chinese origin and emerged in early 2020, targeting Linux systems and internet of things (IoT) devices via SSH brute force attacks. By mid-2020, the threat had expanded to include Docker servers. The recently discovered Chaos malware, like Kaiji, is written in Go and uses SSH brute force attacks to infect new devices. 

Additionally, it targets known vulnerabilities and infects with stolen SSH keys. The threat is compatible with multiple architectures, including ARM, Intel (i386), MIPS, and PowerPC, and it can run on both Linux and Windows, according to Black Lotus.

Chaos establishes persistence and connects to an embedded command and control (C&C) server after infecting a device. Following that, it receives staging commands, such as starting propagation via known CVEs or SSH or starting IP spoofing. The malware first creates a mutex on infected Windows systems by binding to a UDP port that it hides from the analysis. If the binding fails, the malware's process terminates.

After the initial set of staging instructions, Black Lotus Labs observed numerous additional commands being sent to bots. These commands would result in new propagation attempts, additional compromise of the infected device, DDoS attacks, or crypto-mining.

Chaos can also build a reverse shell on the target device by using an open-source script designed to run on Linux-native bash shells, allowing the attackers to upload, download, or modify files. From mid-June to mid-July, Black Lotus Labs observed hundreds of unique IP addresses representing Chaos-infected devices, followed by an increase in new staging C&C servers in August and September. The majority of infections occur in Europe, North and South America, and Asia-Pacific (but not Australia or New Zealand).

In September, the botnet was spotted launching DDoS attacks against the domains or IP addresses of over 20 organisations. The entities targeted are from various industries, including entertainment, finance, gaming, media, and hosting. It was also seen targeting DDoS-as-a-Service providers and a cryptocurrency mining exchange.

 Black Lotus Labs concluded, “Not only does it target enterprise and large organizations but also devices and systems that aren’t routinely monitored as part of an enterprise security model, such as SOHO routers and FreeBSD OS. And with a significant evolution from its predecessor, Chaos is achieving rapid growth since the first documented evidence of it in the wild.”
Read more »
Security
attackers attacks Cyber Attacks DDOS Attacks hack Hackers Imperva Security

Extended DDoS Attack With 25.3B+ Requests Thwarted

 

On June 27, 2022, the cybersecurity firm Imperva mitigated a DDoS attack with over 25.3 billion requests. The attack, according to experts, sets a new record for Imperva's application DDoS mitigation solution. The attack, which targeted an unnamed Chinese telecommunications company, was notable for its duration, lasting more than four hours and peaking at 3.9 million RPS. 

“On June 27, 2022, Imperva mitigated a single attack with over 25.3 billion requests, setting a new record for Imperva’s application DDoS mitigation solution” reads the announcement. “While attacks with over one million requests per second (RPS) aren’t new, we’ve previously only seen them last for several seconds to a few minutes. On June 27, Imperva successfully mitigated a strong attack that lasted more than four hours and peaked at 3.9 million RPS.”

The Chinese telecommunications company had previously been targeted by large attacks, and experts added that two days later, a new DDoS attack hit its website, albeit for a shorter period of time. This record-breaking attack had an average rate of 1.8 million RPS. To send multiple requests over individual connections, threat actors used HTTP/2 multiplexing or combining multiple packets into one.

The attackers' technique is difficult to detect and can bring down targets with a limited number of resources.

“Since our automated mitigation solution is guaranteed to block DDoS in under three seconds, we estimate that the attack could have reached a much greater rate than our tracked peak of 3.9 million RPS.” continues Imperva.

This attack was launched by a botnet comprised of nearly 170,000 different IP addresses, including routers, security cameras, and compromised servers. The compromised devices can be found in over 180 countries, with the majority of them in the United States, Indonesia, and Brazil.

Akamai mitigated the largest DDoS attack ever against one of its European customers on Monday, September 12, 2022. The malicious traffic peaked at 704.8 Mpps and appears to be the work of the same threat actor as the previous record, which Akamai blocked in July and hit the same customer.
Read more »
User Privacy
Akamai Command and Control(C2) Cyber Crime DDOS Attacks IP Address User Privacy

Akamai Sighted an Evolving DDoS attack in EU

 

The most recent DDoS attack record was set by Akamai in July, but it was surpassed on Monday, September 12, by a fresh attack. 

In a DDoS attack, cybercriminals flood servers with fictitious requests and traffic to block legitimate users from using their services.

According to the cybersecurity and cloud services provider Akamai, the recent attack looks to be the work of the same threat actor, indicating that the operators are now strengthening their swarm.

European businesses were the main targets of the current attack, according to Akamai. It peaked at 704.8 million packets per second, making it the second attack of this size against the same client in as few as three months and around 7% more powerful than the attack in July.

Prior to June 2022, this user primarily experienced attack traffic against the principal data center, as per Craig Sparling of Akamai. Six data center locations were hit by the threat actors' firepower in Europe and North America.

The day after it was discovered, the attack was stopped. This DDoS attack, while not the biggest ever, was notable because it was the biggest one on European organizations. The DDoS attack vector utilized by the attackers included UDP, along with ICMP, SYN, RESET floods, TCP anomaly, and PUSH flood.

The multidestination attack was immediately launched by the attackers' command and control system, increasing the number of active IPs per minute from 100 to 1,813 in just 60 seconds.

This expansion of the targeting area attempts to attack resources that aren't deemed essential and aren't effectively safeguarded, but whose absence will still be problematic for the company.

Published in July, the company saw 74 DDoS attacks, and 200 or more were added later. The business claimed that this campaign shows how hackers are always enhancing their attack methods to avoid detection. 

However, because the particular organization had safeguarded all 12 of its data centers in response to the July incident, 99.8% of the malicious traffic was already pre-mitigated.

The security company Akamai concluded, that having a solid DDoS mitigation platform and plan in place is essential for protecting your company from disruption and downtime.





Read more »
VoIP
Data Breach DDOS Attacks Double extortion Encryption Firewall GitHub Lorenz Ransomware VoIP

Lorenz Ransomware: Network Breach via VoIP

A ransomware group has been spotted adopting a unique initial-access technique to infiltrate commercial phone systems using voice-over-IP (VoIP) devices before switching to corporate networks to carry out double-extortion operations.

The anonymous organization was affected by the Lorenz ransomware strain, according to a team at Arctic Wolf. 

Lorenz Ransomware 

The Lorenz encryptor is similar to the ones employed by a prior ransomware operation known as ThunderCrypt, according to Michael Gillespie of ID Ransomware.

This gang is also known for providing access to its targets' private systems to other hackers along with the material that has been stolen prior to encryption in order to lure its victims into paying a ransom.

After leaking the stolen material as password-protected RAR archives if ransoms are not paid, Lorenz also divulges the password to open the leaked archives, giving the general public access to the files.

VoIP Threats

According to Arctic Wolf researchers, Lorenz used the bug to gain a reverse shell, and the group then used Chisel, a Golang-based rapid TCP/UDP tunnel that is transmitted through HTTP, as a tunneling tool to infiltrate the corporate environment. According to the GitHub page, "the tool is mostly useful for going through firewalls."

The attacks demonstrate a shift by threat actors toward using 'lesser recognized or monitored assets' to gain access to networks and engage in additional criminal behavior, the researchers further told. 

CrowdStrike published a blog post about the Mitel vulnerability and a possible ransomware attack attempt using the same CVE back in June. Since then, Mitel has patched this crucial zero-day flaw and recommended all users do the same. After providing a remediation script for vulnerable MiVoice Connect versions in April, Mitel resolved the problem by delivering security updates in the first half of June 2022.

The hackers then shifted into the network using the free source TCP tunneling application Chisel. Following initial access, the group waited for over a month before moving laterally, using FileZilla to exfiltrate data, and encrypting ESXi systems with BitLocker and Lorenz ransomware.

Considering that Mitel Voice-over-IP (VoIP) brands are used by businesses in crucial industries around the world including government agencies and that over 19,000 devices are currently vulnerable to attacks over the Internet, according to security expert Kevin Beaumont, this is a significant addition to the gang's toolkit.

Threat actors have used record-breaking DDoS amplification assaults to exploit further security holes affecting Mitel devices. Since at least December 2020, the Lorenz ransomware group has been focusing on enterprises all across the world, extorting hundreds of thousands of dollars from each victim.








Read more »
Telegram
Check Point Cyber Crime DDOS Attacks Japan Cyber Security Killnet Russian Hackers Telegram

Killnet Targets Japanese Government Websites

According to investigation sources on Wednesday, the Tokyo Metropolitan Police Department intends to look into the recent website outages of the Japanese government and other websites that may have been brought on by cyberattacks by a Russian hacker organization.  

As per Chief Cabinet Secretary Hirokazu Matsuno, the government is apparently investigating if issues with the aforementioned sites were brought on by a denial-of-service (DDoS) attack. 

As per experts, access to the government's e-Gov portal website, which provides a wealth of administrative information, temporarily proved challenging on Tuesday.  

The pro-Russian hacker collective Killnet claimed responsibility for the attack and alleged it had attacked the electronic system of the tax authority and Japan's online public services in a post on the messaging app Telegram. Furthermore, it appeared that the hacker collective wrote that it was an uprising over Japan's 'militarism' and that it kicked the samurai. 
 
However, as per Sergey Shykevich, manager of Check Point Software's threat intelligence group, Killnet was likely responsible for these attacks.  

Killnet's justification for these strikes, according to Shykevich, "is owing to Japan's support of Ukraine in the ongoing Russia-Ukraine war, as well as a decades-long dispute over the Kuril Islands, which both sides claim control over."

As per the sources, the MPD will look into the cases by gathering specific data from the affected businesses and government bodies. The National Police Agency will assess whether the hack on the e-Gov website qualified as a disruption that materially impairs the operation of the government's primary information system as defined by the police statute, which was updated in April.

The cybersecurity expert added that firms in nations under attack by Killnet should be aware of the risks because the group employs a variety of tactics, such as data theft and disruptive attacks, to achieve its objectives. 

Following a recent large-scale attack by Killnet on websites in Italy, Lithuania, Estonia, Poland, and Norway, there have been allegations of attacks targeting Japanese government websites.





Read more »
WordPress
Cloudfare Data Breach DDOS Attacks JavaScript WordPress

 Bogus DDoS Protection Alerts Distribute RATs

Researchers from Sucuri cautioned that malware distributors are luring users into downloading and running malware on their computers by taking advantage of their expertise and innate trust in DDoS protection pages.

DDoS protection alerts are web pages that users' browsers deliver when checks are made to ensure that the visitor is actually a human and not a bot or a DDoS assault participant.

Tactics of the scam 

These warnings would appear to be an inconvenience, but their sole purpose was to serve as preliminary checks before the user accessed the intended web page. They are also important to ensure malicious traffic is blocked before it reaches its objectives.

The attacks start with a malicious JavaScript injection intended to target WordPress sites, which causes a bogus Cloudflare DDoS protection pop-up, according to Sucuri's experts.

When the user clicks on the bogus popup, an ISO file containing a remote access trojan (RAT) is downloaded onto their machine. In addition, the victim is told to open the file to get a verification code needed to access the target website.

The NetSupport RAT, RaccoonStealer information stealer, and two more payloads were seen being dropped by the ISO file.

The RAT is frequently used to screen victims before the distribution of ransomware and has been related to FakeUpdates/SocGholish. According to Malwarebytes researcher Jerome Segura, the ISO file contains a shortcut that pretends to be executable and executes PowerShell from another text file.

NetSupport RAT, which was at first a genuine program called NetSupport Manager, gives hackers remote access to the victim's computer, allowing them to install more malware, steal sensitive data, or even entangle the system in a botnet.

As website owners struggle to distinguish genuine visitors from the voluminous bot traffic, these have grown in popularity in recent years.

"Remote access trojans (RATs) are among the most harmful infections a computer can contract as they offer the attackers total control of the system. The victim is now entirely at their mercy. Both site owners and visitors can take all necessary safety procedures", as per Sucuri.

Users are advised to avoid downloading and opening odd files, update their operating system and applications frequently and consider installing a script-blocking browser extension.




Read more »
Spam
Cyber Attacks DDOS Attacks Estonia Cyber Security Killnet Russian Hackers Spam

Russian-Linked Hackers Target Estonia

 

In response to the government's removal of a monument honoring Soviet World War II veterans, a pro-Kremlin hacker group launched its greatest wave of cyberattacks in more than ten years, which Estonia successfully repelled.

Luukas Ilves, Estonia's under-secretary for digital transformation at the Ministry of Economic Affairs and Communications, stated that "yesterday saw the most significant cyberattacks against Estonia since 2007".

According to reports, the former Soviet state removed a Red Army monument from Tallinn Square this week, and the eastern city of Narva also got rid of a Soviet-era tank. After Russia invaded Ukraine, the authorities vowed to remove hundreds of these monuments by the end of the year.

On Wednesday, the Russian hacker gang Killnet claimed responsibility for the attacks and stated a wave of DDoS attacks have allegedly been launched against the 200 websites of public and private sector organizations in response, including an online citizen identity system. 

A replica Soviet Tu-34 tank from World War II was taken off the public display on Tuesday in the town of Narva, close to Estonia's border with Russia, and brought to the Estonian War Museum in Viimsi, according to Killnet, which claimed responsibility for a similar attack against Lithuania in June.

It's worth noting as based on sources, that the DDoS attacks timed with a Russian media fake news campaign alleging that the Estonian government was destroying Soviet war graves. The country's ethnic Russians reportedly rioted as a result of this.

Estonia's Cybersecurity 

According to the National Cyber Security Index, the nation has a 17 percentage point advantage over the average for Europe and is placed third in the ITU Global Cybersecurity Index 2020. 

After experiencing significant DDoS attacks on both public and private websites in 2007, Estonia, a country that is a member of the European Union and NATO, took steps to strengthen its cybersecurity. It attributed these attacks to Russian actors who were enraged over the removal of another Soviet-era monument at the time.

The nation's e-government services, along with other industries including banking and the media, were significantly disrupted throughout the weeks-long campaign. The dismantling of a monument honoring the Soviet Red Army also sparked the attacks.

The Tallinn memorial served as a grim reminder of Estonia's 50 years of Soviet captivity to the government and many Estonians, while other ethnic Russians saw its removal as an attempt to obliterate their past. 

The incident did, however, motivate the government to step up its cybersecurity efforts, and as a result, it is today thought to have one of the best defensive positions of any international government.











Read more »
SSH
Brute Force Attacks DDOS Attacks IoT malware Mirai botnet SSH

FortiGuard Labs: Evolving RapperBot IoT Malware Detected

Since June, FortiGuard Labs has been monitoring the "RapperBot" family of revolving IoT malware. Although the original Mirai source code was greatly influenced by this family, it differs from other IoT malware families in that it has the capacity to brute force credentials and connect to SSH servers rather than Telnet, which was how Mirai implemented it. 

The malware is alleged to have gathered a series of hacked SSH servers, with over 3,500 distinct IP addresses used to scan and brute-force its way into the servers. The malware is named from an encoded URL to a YouTube rap music video in an early draft.

Analysis of the malware

According to the Fortinet analysis, the majority of the malware code implements an SSH 2.0 client that can connect to and brute force any SSH server that supports Diffie-Hellmann key exchange with 768-bit or 2048-bit keys and data encryption using AES128-CTR.

RapperBot turned out to be a Mirai fork with unique features, its own command and control (C2) protocol, and unusual post-compromise for a botnet. RapperBot was created to target ARM and MIPS and has limited DDoS capabilities.

The attempt to create durability on the compromised host, which effectively allows the hacker to keep ongoing access long after the malware has been uninstalled or the unit has been restarted, serves as further proof of how Mirai has deviated from its usual behavior.

RapperBot used a self-propagation technique via a remote binary downloader, which was eliminated by the hackers in mid-July, as per Fortinet researchers who watched the bot and proceeded to sample new variants.

The recent versions in circulation at the time included a shell command that switched the victim's SSH keys for the hackers. A unique file named "/.ssh/authorized keys" is used to get access by inserting the operators' SSH public key. This enables the attacker to log in and authenticate to the server using the associated private key without providing a password.

The root user "suhelper" is added by the bot to the compromised endpoints in the most recent samples that the researchers have examined. The bot also sets up a Cron job to add the user again every hour if an administrator finds the account and deletes it.

Observations 

As per Fortinet, analysts observed no new post-compromise payloads transmitted during the monitoring time, so the virus simply lays dormant on the affected Linux systems. 

Despite the botnet abandoning self-propagation in favor of persistence, it is said that the botnet underwent substantial alterations in a short period of time, the most notable of which being the removal of DDoS attack elements from the artifacts at one point, only to be reinstated a week later.

At best, the campaign's ultimate goals are still unclear, and little more action is taken after a successful compromise. It is evident that SSH servers with pre-configured or easily guessable credentials are being gathered into a botnet for some unknown future use.

Users should set secure passwords for their devices or, turn off password authentication for SSH to protect themselves from such attacks.

Read more »
Subscribe to: Posts (Atom)