Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label DDOS Tools. Show all posts

Defending Against Stealer Log Cyber Threats

Cyber attacks are a serious concern in a digital environment that is becoming more linked. Silent cyber threats have become more common among the many different types of cyberattacks because of their covert nature and potentially disastrous outcomes. The stealer log, a tool used by bad actors to steal sensitive information from unwitting victims, is one notable variation. This article addresses ways to lessen the impact of the stealer log lifecycle on people and organizations while also delving into its complexities.

According to cybersecurity experts, a stealer log is a sophisticated malware designed to covertly infiltrate systems, gather confidential data, and exfiltrate it without arousing suspicion. These logs can harvest a wide array of information, including login credentials, financial data, and personal identification. An analysis by Flare Systems reveals that stealer logs often initiate their lifecycle through phishing emails or compromised websites, thus underscoring the importance of email security and robust browsing practices.

"Stealer logs are a testament to cybercriminals' evolving tactics. Understanding their lifecycle is crucial in building effective defenses against these threats," remarks Dr. Emily Parker, a cybersecurity analyst.

The lifecycle of a stealer log typically encompasses several stages:

  • Infiltration: Cybercriminals distribute malware through deceptive emails or exploit kits on compromised websites. Users are tricked into downloading and executing the malware, unknowingly granting it access to their systems.
  • Data Collection: Once inside the system, the stealer log meticulously captures sensitive data. It can record keystrokes, take screenshots, and extract stored passwords from browsers and other applications.
  • Encryption and Exfiltration: The stolen data is encrypted and transmitted to a remote server controlled by the attackers. This step ensures that the information remains hidden from security measures.
  • Remote Command and Control: Attackers can remotely control the malware, allowing them to update its functionality, deploy additional payloads, or pivot to new attack vectors.

Efforts to counter the stealer log threat are underway. A study highlights the significance of multi-factor authentication (MFA) and security awareness training in safeguarding against these threats. "Employing MFA adds an additional layer of protection, requiring attackers to breach multiple barriers, which can significantly impede their progress," states cybersecurity expert John Anderson.

Moreover, Flare Systems emphasizes continuous monitoring and incident response readiness as vital components of effective defense strategies. Regular system scans, behavioral analysis, and prompt patching of vulnerabilities can help detect and mitigate potential breaches before they escalate.

As cyber-attacks get more sophisticated, it is crucial to comprehend the lifecycle of tools like stealer logs while creating proactive security measures. By combining user education, technological advancements, and stringent security protocols, people and organizations can continue to have an advantage in the continuous struggle with cyber attackers. By being knowledgeable and using the right strategies, one can move confidently and resiliently in the digital world.

 Bangladesh Cyber Incident Response Team has Issued a Warning About Malware Attacks Around Eid

 

Officials have warned of a possible cyber-attack on Bangladesh's financial and other key institutions' computer systems during the Eid vacations. According to a statement issued by the Digital Security Agency, the affected authorities must install or update anti-DDOS hardware and software. 

Officials believe the warning was sent by the government's specialized cyber-threat agency as a global cyberwar erupts in the Russia-Ukraine conflict, with NATO assisting the latter with arms support. 

The Bangladesh Computer Council's e-Government Computer Incident Response Team (BGD e-GOV CIRT) also recommends all key information facilities' internal systems be checked and monitored.

Following the current conflict between Ukraine and Russia, Tarique M Barkatullah, director (operations) of the Digital Security Agency and project director of the BGD e-GOV CIRT, stated “hackers from both sides are using important information infrastructures of different countries to spread botnets and malware and attack each other.” 

Botnets are computer networks infected with malware (such as computer viruses, key loggers, and other malicious code or malware) and remotely controlled by criminals, either for monetary gain or to launch assaults on websites or networks. 

BGD e-Gov CIRT discovered over 1400 IP numbers used in Russia after analyzing the warning message issued by the Russian Computer Security Incident Response Team. According to the CIA, hackers are using these IPs to spread propaganda and launch distributed denial of service (DDoS) operations. 

Tareq M Barkatullah, project director of BGD e-Gov CIRT, remarked in this reference: “The country's afflicted financial institutions and public service suppliers are being hampered in providing its usual services due to the exploitation of these IP-enabled Bangladeshi servers."

According to the Financial Express, Prof Dr. Md Salim Uddin, chairman of the executive committee of Islami Bank Bangladesh Limited (IBBL), several financial institutions have been targeted by cyber-attacks as a result of the current crisis between Ukraine and Russia.

IBBL is well-prepared to thwart any cyber-attack because it is always adopting new technological solutions. Among the internal systems, he emphasized strengthening cyber-security with new tech solutions and monitoring systems. To prevent all types of cyber threats, financial institutions should join an organization or platform to improve cooperation and integration. He further urges the government to expand collaboration and support in this area in order to combat rising cyber-threats in the future.

DDoS-for-Hire website taken down in global collaboration of law enforcement agencies


Webstresser.org, a popular DDoS-for-Hire website service on Wednesday was taken down by authorities from the US, UK, Netherlands, and various other countries in a major international investigation and arrests have been made.

The website is blamed for more than four million cyber attacks globally in the past three years and had over 134,000 registered users at the time of the takedown.

The operation, dubbed “Operation Power OFF,” targeted Webstresser.org, a website service which launched DDoS attacks all over the world at the buyer’s bidding. It involved law enforcement agencies from the Netherlands, United Kingdom, Serbia, Croatia, Spain, Italy, Germany, Australia, Hongkong, Canada, and United States of America, coordinating with Europol.

The domain name was seized by the US Department of Defence.

The website allowed criminals to buy attacks on businesses and was responsible for cyber attacks all over the world, including a British suspect who used the site to attack several high-street banks last year, causing hundreds of thousands of pounds of damage.

“As part of the operational activity, an address was identified and searched in Bradford and a number of items seized. NCA officers believe an individual linked to the address used the webstresser service to target seven of the UK’s biggest banks in attacks in November 2017,” UK’s National Crime Agency said in a statement.

The site was one of the various websites operating openly as a “stresser” service that offered to test a company’s cybersecurity defenses. According to investigators, the gang behind the website sold cyber attacks for as little as $14.99.

Seven suspected administrators have been arrested over the last few days or subjected to searches by authorities. and computers have been seized in UK, Holland, and elsewhere.

Law enforcement also took “further measures” against frequent users of the service, details of which have not yet been disclosed.

“By taking down world’s largest illegal DDOS seller in a worldwide joint law enforcement operation based on NCA intelligence, we have made an unprecedented impact on DDOS cybercrime,” said Gert Ras, Head of the National High Tech Crime Unit at the Dutch National Police. “Not only were the administrators of this illegal service arrested, but also users will now face prosecution and civil liability for caused damage.”

Two Israeli Teenagers arrested and charged for selling DDOS Service


Two Israeli teenagers from Sharon region were formerly arrested after eighteen months of investigation.

The Israelis are responsible for thousands of cyber attacks around the world, causing damage estimated in more than million dollars.

According to local news report, they have created a Shell company in England and sold Distributed Denial of Service (DD, OS) attack as service.

"In January of 2016, a covert investigation was opened against the suspects who set up and managed a website called vdos-s[dot]com, which sold packages created to cause the servers to crash," police told local news report.

The DDOS attack is used for disrupting access to the victims' websites. Price of the "attack pacakge" offered by them was ranged from 19.99 $ to $ 499,99.

More than two million cyber attacks were conducted in the United States, England, Holland and Sweden, causing multi million-dollar losses. Suspects earned above 613 thousand dollars. The money was seized after Bank accounts were identified and frozen.

- Christina

HULK - Web Server DoS Tool

Barry Shteiman, a principal security engineer at Imperva, has released a Python-based web server denial-of-service (DOS) tool called HULK (Http Unbearable Load King).

HULK is a web server denial of service tool written for research purposes. It is designed to generate volumes of unique and obfuscated traffic at a webserver, bypassing caching engines and therefore hitting the server's direct resource pool.

Some Techniques
  • Obfuscation of Source Client – this is done by using a list of known User Agents, and for every request that is constructed, the User Agent is a random value out of the known list
  • Reference Forgery – the referer that points at the request is obfuscated and points into either the host itself or some major prelisted websites.
  • Stickiness – using some standard Http command to try and ask the server to maintain open connections by using Keep-Alive with variable time window
  • no-cache – this is a given, but by asking the HTTP server for no-cache , a server that is not behind a dedicated caching service will present a unique page.
  • Unique Transformation of URL – to eliminate caching and other optimization tools, I crafted custom parameter names and values and they are randomized and attached to each request, rendering it to be Unique, causing the server to process the response on each event.
More details can be found here.

Anonymous Hackers developed Web LOIC DDOS Tool for Android


Anonymous Hackers developed a new version of The Low Orbit Ion Cannon (LOIC), an infamous DDOS tool which is used to take down websites by sending large number of malicious request to server.

The same tool has been ported to JavaScript to perform a DoS directly from a browser. The existence of Web LOIC, along with anonymous web hosting services such as pastehtml, has made it possible for any user on the Internet to participate in those attacks with just one click.

The web LOIC for Android is not something that was developed from scratch, instead they used free online service that create Android application with just URL, HTML code or Document. This tool is developed to aid hackers in OpArgentina.

This tool sends 1,000 HTTP requests with the message "We are LEGION!" as one of the parameters.e LEGION.”

The tool is available here.

SSL Certificate Authority KPN stopped issuing certificates

SSL(Secure Socket Layer) Certificate Authority , KPN stopped issuing certificates after the detection of DDOS Tool on Server.  KPN is Netherlands based SSL certificated provider.  They found DDOS tool on their server during the Security Audit, the tool may have been there for as long as four years.
"Although there is no evidence that the production of the certificate is compromised, can not be completely excluded that this did happen. Therefore, KPN Corporate Market (formerly Getronics) decided the application and issuance of new certificates temporarily discontinued, pending further investigation. This is to ensure that the certificates be issued optimal procedure is safe and reliable.

KPN has replaced the web servers. An additional, independent investigation takes place to ensure that KPN complies with the required safeguards, procedures and rules applicable to the issue of Internet safety certificates. Interior Ministry and Logius, agency e-government, are closely involved in the processA."  Said in official statement,translate to english.

Previously, Another Dutch Based Certificate authority, DigiNotar compromised by unknown attacker,issuing a huge number of fraudulent, but valid, certificates for high-value domains, including some belonging to Google, Yahoo, the CIA and others. This results in DigiNotar went out of Business and KPN get new customers from DigiNotar. But now KPN Server is Breached.

KPN has replaced the web servers. An additional, independent investigation takes place to ensure that KPN complies with the required safeguards, procedures and rules applicable to the issue of Internet safety certificates. Interior Ministry and Logius, agency e-government, are closely involved in the process.


THC(The Hacker's Choice) SSL DOS tool released

Today the German hacker group “The Hacker’s Choice” officially released a new DDoS tool. The tool exploits a weakness in SSL to kick a server off the Internet.

Technical details can be found at http://www.thc.org/thc-ssl-dos.

“We decided to make the official release after realizing that this tool leaked to the public a couple of months ago” said a member of THC who wants to remain anonymous.

The tool departs from traditional DDoS tools: It does not require any bandwidth and just a single attack computer (“bot”).

The THC-SSL-DOS attack is en par with other resource exhausting DDoS attacks. Some of those methods played a vital role in demonstrations against oppressive governments (like the DDoS attack against Iran’s leader) and against companies that violate free speech (like the DDoS attack against Mastercard for closing Wikileak’s non-profit donation account because of an alleged typo/misspelling in the application form).

“Here at THC the rights of the citizen and the freedom of speech are at the core of our research”, says a member of THC in a private interview this morning.

“We are hoping that the fishy security in SSL does not go unnoticed. The industry should step in to fix the problem so that citizens are safe and secure again. SSL is using an aging method of protecting private data which is complex, unnecessary and not fit for the 21st century.”, Says a THC member, referring to 3 major vulnerabilities disclosed in SSL over the past 3 years.

To list the 3 major vulnerabilities here THC explains: “In 2009 a vulnerability was disclosed that broke the encryption of SSL. De-facto making all SSL traffic unsafe. In 2011 various Certification Authorities got hacked. De-facto making all SSL traffic unsafe _again_.”

“We warned in 2002 about giving hundreds of commercial companies (so called Certification Authorities) a master key to ALL SSL traffic.”, says Fred Mauer, a senior cryptographer at THC. “Only a real genius can come up with such an idea!”.

“And last but not least the immense complexity of SSL Renegotiation strikes again in 2011 with the release of THC-SSL-DOS.”.

“It’s time for a new security model that adequately protects the citizens.”.

The THC-SSL-DOS tool is a Proof Of Concept tool to disclose fishy security in SSL. It works great if the server supports SSL Renegotiation. It still works if SSL Renegotiation is not supported but requires some modifications and more bots before an effect can be seen.

Our tests reveal that the average server can be taken down from a single IBM laptop through a standard DSL connection.

Taking on larger server farms who make use of SSL Load balancer required 20 average size laptops and about 120kbit/sec of traffic.

All in all superb results.

Interesting here is that a security feature that was supposed to make SSL more secure makes it indeed more vulnerable to this attack:

SSL Renegotiation was invented to renegotiate the key material of an SSL connection. This feature is rarely used. In fact we could not find any software that uses SSL Renegotiation. Yet it’s enabled by default by most servers.

An old saying comes true all over again: Complexity is the enemy of security.

“Renegotiating Key material is a stupid idea from a cryptography standpoint. If you are not happy with the key material negotiated at the start of the session then the session should be re-established and not re-negotiated”, says THC.

Optima DDOS 10a botnet leaked on Hacker Forums(r00tW0rm)

"Optima DDOS 10a Botnet" full version is available to download in Hacker forums.

In this new version 10a according to the author was raised in secrecy bot system and optimized grabber passwords. It cost about $ 600 worth.

Features a bot:
  • DDoS attacks of three types - http flood, icmp-flood, syn-flood.
  • Theft of stored passwords from some applications installed on the victim's system, details below.
  • Opening on the infected system proxy Socks5.
  • The possibility of cheating various counters on the websites (http-access the sites).
  • Hidden download and run the specified file to the affected systems.
  • Installed in the system as a service
  • Weight bot - 95.5 kb, written in Delphi.

AnDOSid~DDOS Tool for Android~Developed for PenTesters

SCOTT HERBERT Developed a new DDOS Tool for Android, designed for Security Professionals/PenTesters.

AnDOSid allows PenTesters to simulate a DOS attack (A http post flood attack to be exact) and of course a dDOS on a web server, from mobile phones.

AnDOSid is actively being developed and Devleoper welcome feedback from the security community as to how you would like the application to evolve.

AnDoSid costs only Rs. 74.6 (1.62 USD)

What's in this version:

  • Requires Internet access to send the http post data
  • Requires phone state to access the IMEI (one of the two identifiers sent with each post)
Some possible new features could include:-
  • A drop down list of recent targets
  • User defined delay between posts
  • An option for GET based testing
Screenshots:


Slowhttptest ~ Slow HTTP DoS vulnerability Tool


Slow HTTP DoS attacks rely on the fact that the HTTP protocol, by design, requires requests to be completely received by the server before they are processed. If an HTTP request is not complete, or if the transfer rate is very low, the server keeps its resources busy waiting for the rest of the data. If the server keeps too many resources busy, this creates a denial of service. This tool is sending partial HTTP requests, trying to get denial of service from target HTTP server.

This tool actively tests if it's possible to acquire enough resources on HTTP server by slowing down requests to get denial of service at application layer.

Download it from Here.
Installation Guide is Here.