Extended DDoS Attack With 25.3B+ Requests Thwarted


On June 27, 2022, the cybersecurity firm Imperva mitigated a DDoS attack with over 25.3 billion requests. The attack, according to experts, sets a new record for Imperva's application DDoS mitigation solution. The attack, which targeted an unnamed Chinese telecommunications company, was notable for its duration, lasting more than four hours and peaking at 3.9 million RPS. 

“On June 27, 2022, Imperva mitigated a single attack with over 25.3 billion requests, setting a new record for Imperva’s application DDoS mitigation solution” reads the announcement. “While attacks with over one million requests per second (RPS) aren’t new, we’ve previously only seen them last for several seconds to a few minutes. On June 27, Imperva successfully mitigated a strong attack that lasted more than four hours and peaked at 3.9 million RPS.”

The Chinese telecommunications company had been hit by large attacks before, and two days later a further DDoS attack struck its website, though for a shorter period. The record-breaking attack sustained an average rate of 1.8 million RPS. The attackers used HTTP/2 multiplexing, which packs many concurrent requests (streams) into a single TCP connection, so each bot could generate far more requests than it held connections.

Because the flood arrives as a comparatively small number of connections carrying many requests each, the technique is hard to spot with connection-based detection and can bring down targets using a limited number of attacking resources.
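The per-connection counting that exposes a multiplexed flood, as an added example that is not Imperva's code or anything from the original post. Classic per-IP rate limiting still sees the flood if one IP is loud enough, but with a botnet of tens of thousands of addresses the more useful signal is how many streams each single connection pushes per second. The log format, field names, thresholds and the sample lines (RFC 5737 documentation addresses) are all constructed here for illustration.

```python
from collections import defaultdict

# Constructed sample, not real Imperva data. Assumed format:
#   <unix_ts> <src_ip> <conn_id> <h2_stream_id> <method> <path>
# Two ordinary clients send a few streams each; 192.0.2.9 opens one
# connection and fires 400 streams through it within a single second.
SAMPLE_LOG = (
    "1656316800.01 203.0.113.5 c1 1 GET /\n"
    "1656316800.05 203.0.113.5 c1 3 GET /static/app.js\n"
    "1656316800.10 203.0.113.5 c1 5 GET /static/app.css\n"
    "1656316800.20 198.51.100.7 c2 1 GET /api/items\n"
    + "".join(
        f"1656316800.{i % 100:02d} 192.0.2.9 c3 {2 * i + 1} GET /api/search?q={i}\n"
        for i in range(400)
    )
)


def parse(line):
    ts, ip, conn, stream, method, path = line.split(maxsplit=5)
    return float(ts), ip, conn, int(stream), method, path


def analyse(log_text, window=1.0, ip_rps_limit=200, conn_streams_limit=100):
    """Bucket requests into `window`-second slots and report:
      ip_peak:    highest request count from each source IP in one slot
      conn_peak:  highest stream count on each connection in one slot
      total_peak: busiest slot overall (the RPS figure a provider quotes)
      alerts:     findings where a limit was crossed
    """
    ip_slots = defaultdict(int)
    conn_slots = defaultdict(int)
    total_slots = defaultdict(int)
    conn_owner = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, conn, _stream, _method, _path = parse(line)
        slot = int(ts // window)
        ip_slots[(ip, slot)] += 1
        conn_slots[(conn, slot)] += 1
        total_slots[slot] += 1
        conn_owner[conn] = ip

    ip_peak, conn_peak = defaultdict(int), defaultdict(int)
    for (ip, _s), n in ip_slots.items():
        ip_peak[ip] = max(ip_peak[ip], n)
    for (conn, _s), n in conn_slots.items():
        conn_peak[conn] = max(conn_peak[conn], n)

    alerts = []
    for ip, n in ip_peak.items():
        if n >= ip_rps_limit:
            alerts.append(f"{ip}: {n} requests in {window}s (limit {ip_rps_limit})")
    for conn, n in conn_peak.items():
        if n >= conn_streams_limit:
            alerts.append(f"connection {conn} from {conn_owner[conn]}: "
                          f"{n} multiplexed streams in {window}s (limit {conn_streams_limit})")
    return {
        "ip_peak": dict(ip_peak),
        "conn_peak": dict(conn_peak),
        "total_peak": max(total_slots.values(), default=0),
        "alerts": alerts,
    }


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG)["alerts"]:
        print(finding)
```

The connection-level count is the one worth alerting on: a bot behind a shared NAT or a large botnet can keep each source IP under a per-IP limit while still saturating the origin through a handful of heavily multiplexed connections. The corresponding preventive control is to cap concurrent streams per connection at the edge (for example nginx's `http2_max_concurrent_streams`) so that a single connection cannot carry hundreds of in-flight requests.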

“Since our automated mitigation solution is guaranteed to block DDoS in under three seconds, we estimate that the attack could have reached a much greater rate than our tracked peak of 3.9 million RPS.” continues Imperva.

This attack was launched by a botnet comprised of nearly 170,000 different IP addresses, including routers, security cameras, and compromised servers. The compromised devices can be found in over 180 countries, with the majority of them in the United States, Indonesia, and Brazil.

On Monday, September 12, 2022, Akamai mitigated the largest DDoS attack it had ever recorded against one of its European customers. The malicious traffic peaked at 704.8 Mpps and appears to be the work of the same threat actor behind the previous record, which Akamai blocked in July and which hit the same customer.

Cyberattack Compels Albuquerque Public Schools to Close 144 Schools


Following a cyberattack that hit the district's attendance, communications, and transportation systems, all 144 Albuquerque Public Schools will remain closed for the remainder of this week, APS announced at midday Thursday.

APS is one of the 50 largest school districts in the country, with around 74,000 students. 

District IT staff discovered the problem on Wednesday, and APS posted a statement on its website and Twitter account that afternoon stating, “All Albuquerque Public Schools will be closed Thursday, Jan. 13, due to a cyberattack that has compromised some systems that could impact teaching, learning, and student safety. … The district is working with contracted professionals to fix the problem.” 

"The district continues to examine a cyberattack that affected the student information system used to take attendance, contact families in emergencies, and ensure that students are picked up from school by authorised people," APS stated online on Thursday afternoon and cancelled classes for Friday. 

APS said schools will reopen on Tuesday, Jan. 18, after being closed on Monday for Martin Luther King Jr. Day; administrative offices stayed open. The attack was detected Wednesday morning when teachers tried to log in to the student information system and could not get access, APS Superintendent Scott Elder said in a brief statement posted to the district's APS Technology YouTube page.

Elder further stated, “APS is working with local and national law enforcement as well as teams of cyber specialists to as quickly as possible limit our exposure to this attack, to protect all systems in our network and ensure a safe environment to return to school and business as usual.” 

He noted that the district's IT department had been "mitigating attacks" in recent weeks. A spokeswoman told the Albuquerque Journal she was not yet sure what kind of attack it was and did not know whether those responsible had demanded a ransom.

Hacker Hacked Multiple High-profile FIFA 22 Accounts by Phishing EA Support Agents


Electronic Arts (EA) has cited "human error" within its customer experience team for a recent wave of high-profile FIFA Ultimate Team account takeovers, with some individuals falling victim to a socially engineered phishing attack. 

EA opened an inquiry after several top traders in FIFA's Ultimate Team mode complained last week that their accounts had been taken over and emptied of points and thousands of dollars' worth of in-game currency. Phishers were able to hijack fewer than 50 top trader accounts by "exploiting human error" among EA's customer care employees, according to a post on the company's website on Tuesday.

The company stated, “Utilizing threats and other ‘social engineering’ methods, individuals acting maliciously were able to exploit human error within our customer experience team and bypass two-factor authentication to gain access to player accounts.” 

Ultimate Team is an online soccer mode in which players assemble virtual squads of real-life professional players and compete against other online teams. Top traders accumulate large amounts of in-game currency and points by trading players and building varied squads.

What EA eventually identified was a situation traders had already described online, posting screenshots of unusual account activity: attackers contacted EA's customer service through the live chat feature and demanded that an account's email address be changed. Many of these requests were refused, but at least one customer service representative eventually gave in to the pressure and changed an account holder's email address. Doing so meant the staffer bypassed security processes that require extra verification from account owners, according to a Twitter user and Ultimate Team trader called FUT Donkey, who said his account had been hijacked.

Response & Impact: 

In response to the incident, EA will require "EA advisors and individuals who assist with the service of EA accounts" to get individual re-training, as well as additional team training primarily focused on security, practices, and phishing techniques, according to the company. 

EA will also add stages to the account ownership verification procedure in FIFA Ultimate Team, including "mandatory managerial permission for all email change requests," according to the company. 

According to the company's post, it will also upgrade its customer experience software so that it can better evaluate and flag suspicious behaviour and at-risk accounts, further reducing the scope for human error in the account update process.
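The control described above, as an added illustration that is not EA's code and does not describe EA's actual systems: an email-change handler in which a support agent can act on a chat request alone, beside one that enforces proof of possession of the existing contact channel before any change, mandatory manager approval for every email change, and an explicit decision on risk flags for high-value or repeatedly targeted accounts. The account fields, class names, risk thresholds and the out-of-band code delivery are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: str
    email: str
    in_game_value: int                       # assumed: e.g. coins held; big balances attract attackers
    change_requests: list = field(default_factory=list)


class InsecureSupportDesk:
    """The flow the attackers abused: an agent pressured over live chat changes
    the contact email with no proof that the requester owns the account. Once the
    email is swapped, password reset and 2FA recovery follow from the new address."""

    def change_email(self, acct, new_email):
        acct.email = new_email
        return True


class HardenedSupportDesk:
    """An email change needs (1) a code delivered to the *current* contact channel,
    (2) a manager's approval, and (3) an explicit acknowledgement of any risk flag.
    No single agent can complete the change on a chat request alone."""

    def __init__(self, high_value=1_000_000, max_requests=3):
        self.high_value = high_value
        self.max_requests = max_requests
        self.tickets = {}

    def risk_flags(self, acct):
        flags = []
        if acct.in_game_value >= self.high_value:
            flags.append("high_value_account")
        if len(acct.change_requests) >= self.max_requests:
            flags.append("repeated_change_requests")
        return flags

    def open_ticket(self, acct, new_email):
        acct.change_requests.append(new_email)
        # Assumption: in production the code is sent to the current email or
        # authenticator, never shown to the agent or the chat. It is returned
        # here only so the example can play the real owner offline.
        code = secrets.token_hex(4)
        ticket_id = secrets.token_hex(8)
        self.tickets[ticket_id] = {"acct": acct, "new_email": new_email, "code": code,
                                   "owner_verified": False, "manager": None}
        return ticket_id, code

    def verify_owner(self, ticket_id, presented_code):
        t = self.tickets[ticket_id]
        if hmac.compare_digest(t["code"], presented_code):
            t["owner_verified"] = True
        return t["owner_verified"]

    def manager_approve(self, ticket_id, manager_id, acknowledged_flags=()):
        t = self.tickets[ticket_id]
        outstanding = set(self.risk_flags(t["acct"])) - set(acknowledged_flags)
        if outstanding:                      # manager must name each flag they accept
            return False
        t["manager"] = manager_id
        return True

    def apply(self, ticket_id):
        t = self.tickets[ticket_id]
        if not (t["owner_verified"] and t["manager"]):
            return False
        t["acct"].email = t["new_email"]
        return True


if __name__ == "__main__":
    victim = Account("u1", "owner@example.com", in_game_value=5_000_000)
    InsecureSupportDesk().change_email(victim, "attacker@example.com")
    print("insecure desk:", victim.email)

    target = Account("u2", "owner@example.com", in_game_value=5_000_000)
    desk = HardenedSupportDesk()
    ticket, code_sent_to_owner = desk.open_ticket(target, "attacker@example.com")
    print("attacker, no code:", desk.apply(ticket), "flags:", desk.risk_flags(target))
```

The point of the split is that the agent's goodwill is no longer the security boundary: the attacker on the chat never holds the code sent to the existing address, and a manager has to acknowledge the high-value flag by name before the change can be applied. Logging the risk flags at ticket creation also gives the "suspicious behaviour" view that the controls mention.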

The incident should serve as a warning to other gaming platforms: attackers who go after these sites will keep showing off their skills, much as top traders compete for accolades and currency within the game, another security specialist told Threatpost by email.

Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify stated, “Gamers and streamers are a massive global trend across social media platforms, capturing the attention of millions who want to know their secret techniques on how they get to the next level.” 

“Hacking is now also becoming a glorified streamed event with the world’s top hackers streaming their hacking skills online, showing off new techniques and methods on how to bypass security and get the initial foothold.” 

Unfortunately for gaming platforms, he noted in his email that this new trend will "certainly grow and manifest in the year ahead."

FinTech Company Struck by Log4j Says "No" to Paying the Ransom


ONUS, one of the largest Vietnamese crypto trading platforms, was recently hit by a cyberattack. Hackers aimed for the company's payment system, which was running a vulnerable version of Log4j. 

The intrusion was followed by extortion: the attackers reportedly demanded a $5 million ransom, threatening to publish user data otherwise. According to BleepingComputer, the company refused to pay, and as a result information on nearly 2 million ONUS users was put up for sale on forums.

Around December 9, a proof-of-concept (PoC) exploit for the Log4j vulnerability CVE-2021-44228, better known as Log4Shell, appeared on GitHub, and threat actors have been exploiting it at scale ever since. ONUS's Cyclos server, which ran a vulnerable version of Log4j, was one of their targets.

Between December 11 and December 13, the attackers successfully exploited it and installed backdoors to keep their access. On December 13, Cyclos reportedly alerted ONUS that its instance needed patching; ONUS did patch the Cyclos instance, but by then the response came too late, and the threat actors had had plenty of time to steal sensitive data. According to BleepingComputer, the databases held nearly 2 million customer records, including E-KYC (Know Your Customer) information, hashed passwords, and personal information. It is worth noting that the Log4Shell flaw was exploited on a sandbox server used "for programming purposes only."

However, because of a system misconfiguration, the attackers were also able to reach other storage, including Amazon S3 buckets holding production data. They reportedly demanded a $5 million ransom from ONUS, which the company refused; it chose instead to inform customers about the attack through a closed Facebook group.

Chien Tran, the CEO from ONUS declared that “As a company that puts safety first, we are committed to providing our customers with transparency and integrity in business operations. (…) That is why, after careful consideration, the right thing we need to do now is to inform the entire ONUS community about this incident.” 

According to an ONUS announcement on the subject, hackers were able to obtain the following consumer data from the fintech firm: 
• Name, phone number, and email address; 
• Address; 
• KYC data (procedures used by Fintech enterprises to get identification documents and customers’ proofs along with “video selfie” for an automated check); 
• Encrypted history; 
• Transaction history; 
• Other encrypted data. 

The Misconfiguration in the Amazon S3 Buckets 

Besides Log4j, which facilitated an entry for the threat actors, there was another issue too with ONUS’ Amazon S3 buckets linked to improper access control. CyStack started an investigation on the incident and published their report with details about the cyberattack and the backdoor the hackers managed to plant on the impacted system.

“During monitoring, CyStack – ONUS’s security partner, detected and reported a cyberattack on ONUS system to us. The hacker took advantage of a vulnerability in a set of libraries on the ONUS system to get into the sandbox server (for programming purposes only). However, due to a configuration problem, this server contains information that gave bad guys access to our data storage system (Amazon S3) and stole some essential data.” 

“Also on these servers, ONUS had a script to periodically back up the database to S3 which contained the database hostname and username/password as well as backup SQL files. As a consequence, the attackers could access the ONUS database to get user information. (…) To facilitate access, the attackers downloaded and ran a backdoor on the server. This backdoor was named kworker for the purpose of disguising as the Linux operating system’s kworker service. (…) The kworker backdoor obtained was written in Golang 1.17.2 and built for Linux x64. It was used as a tunnel connecting the C&C server and the compromised server via SSH protocol (a wise way to avoid detection!).” 
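The disguise CyStack describes, a user-space binary named kworker, is cheap to unmask because genuine kworker entries are kernel threads: they are children of kthreadd (PID 2), have no executable on disk and an empty command line. The check below is an added example, not part of CyStack's report or ONUS's tooling. The sample process table and the `/tmp/.x/kworker` paths in it are constructed; `read_proc()` collects the same fields from a live Linux `/proc` when run there (reading another user's `exe` link needs root, but the PPID and empty-cmdline checks work without it).

```python
import os

# Constructed process table, not data from the ONUS incident. Fields mirror
# what /proc/<pid>/status, /proc/<pid>/exe and /proc/<pid>/cmdline provide.
SAMPLE_PROCS = [
    {"pid": 2,    "ppid": 0,    "comm": "kthreadd",     "exe": None,               "cmdline": ""},
    {"pid": 17,   "ppid": 2,    "comm": "kworker/0:1",  "exe": None,               "cmdline": ""},
    {"pid": 1234, "ppid": 1,    "comm": "sshd",         "exe": "/usr/sbin/sshd",   "cmdline": "/usr/sbin/sshd -D"},
    {"pid": 4242, "ppid": 1,    "comm": "kworker",      "exe": "/tmp/.x/kworker",  "cmdline": "./kworker"},
    {"pid": 4300, "ppid": 4242, "comm": "kworker/u8:3", "exe": "/tmp/.x/kworker",  "cmdline": "./kworker -ssh"},
]


def is_kernel_thread(proc):
    """A real kworker is spawned by kthreadd (PID 2), has no backing executable
    and an empty command line. A user-space binary cannot satisfy all three."""
    return proc["ppid"] == 2 and proc["exe"] is None and proc["cmdline"] == ""


def suspicious_kworkers(procs):
    """Processes that borrow the kworker name without being kernel threads."""
    return [p for p in procs if p["comm"].startswith("kworker") and not is_kernel_thread(p)]


def read_proc(proc_root="/proc"):
    """Collect the same fields from a live Linux procfs."""
    procs = []
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, "status")) as f:
                fields = dict(line.split(":", 1) for line in f if ":" in line)
            comm = fields["Name"].strip()
            ppid = int(fields["PPid"].strip())
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            try:
                exe = os.readlink(os.path.join(base, "exe"))
            except OSError:          # kernel thread (no exe) or no permission to read the link
                exe = None
        except (OSError, KeyError, ValueError):
            continue                 # process exited mid-read or unreadable entry
        procs.append({"pid": int(pid), "ppid": ppid, "comm": comm, "exe": exe, "cmdline": cmdline})
    return procs


if __name__ == "__main__":
    table = SAMPLE_PROCS if not os.path.isdir("/proc") else read_proc()
    for p in suspicious_kworkers(table):
        print(f"pid {p['pid']} ppid {p['ppid']} comm={p['comm']!r} exe={p['exe']} cmdline={p['cmdline']!r}")
```

On a live host, pair the hit with the network side of the backdoor the report describes: an outbound SSH session owned by a "kworker" process is the tunnel to the C&C server, and `ss -tpn` will attribute the socket to that PID.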

Because the company declined to pay the ransom, customer data was up for sale on a data breach marketplace by December 25, BleepingComputer reports. The hackers claim to hold 395 ONUS database tables containing personal information and hashed passwords.

CyStack advised ONUS to patch Log4j, revoke any exposed AWS credentials, configure AWS access rights properly, and block public access to critical S3 buckets. Anyone still running a vulnerable Log4j should upgrade to the latest release (2.17.1 at the time of writing) as soon as possible. ONUS also stated that none of its assets were affected and that its team has been working with security specialists to identify and fix the flaws.

The company's asset management and storage system, ONUS Custody, was also upgraded. ONUS said that, should any loss of customer assets occur, the ONUS Protection Fund would cover it.

Confluence servers hacked to install malware

Cybercriminals are now exploiting a vulnerability in Confluence servers to install cryptojacking malware. The flaw itself is not new: according to a report by Trend Micro it has been well documented, but in earlier campaigns it was used for DDoS attacks.

Confluence is a widely used planning and collaboration product from the Australian software company Atlassian. Trend Micro said it observed exploitation of one of the vulnerabilities, CVE-2019-3396, in April, a month after Atlassian published an advisory for it. CVE-2019-3396 is a server-side template injection in the Widget Connector macro that allows an attacker to execute code remotely on the vulnerable Confluence server.

The vulnerability was first seen used in a DDoS attack in Romania. Now, the company says, attackers are using it to install a Monero cryptominer bundled with a rootkit. The rootkit hides the malware's network activity and reports false CPU usage on the infected machine, misleading administrators and further concealing the mining. The report also notes that the rootkit re-installs the miner if the victim manages to remove it.

The attack begins with a command that downloads a shell script hosted on Pastebin, an online service where users store plain text for a set period. The script kills some of the processes running on the host before downloading further components, also from Pastebin.

The vulnerability affects older versions of Confluence; Atlassian urges users to upgrade to patched versions of Confluence Server and Data Center.

Cryptojacking has become increasingly popular with cybercriminals, and their tactics keep evolving to stay ahead of defenders. As we reported recently, a new strain of malware targeting Linux servers has been modified to shut down other cryptominers on the host. Known as Shellbot, it uses SSH brute force to infect internet-facing servers that have weak passwords.

Bank details of Bernard Matthews employees stolen

A suspected cyber-attack "potentially compromised" the bank account details of 200 workers at Bernard Matthews.

The turkey producer has made staff aware of the suspected hack.

The Norfolk-based company said it was alerted by its bank on 22 January, as first reported in the EDP.

A spokesman said: "After being first alerted by our bank, we reported the incident to the relevant authorities and put in place extra security measures, as well as offering additional security advice to those affected. We continue to monitor the situation but we are not aware colleagues have been affected any further."

The person or group behind the hack is unknown.

Bernard Matthews employs 3,000 people across East Anglia. The company is a major employer in Norfolk and Suffolk, including at its plant at Holton, near Halesworth, and its headquarters at Great Witchingham.
The business has been through a difficult time in recent years, coming close to collapse in 2013.

Last year, it was one of two interested parties bidding to take over Banham Poultry, in Attleborough, which was eventually sold to Chesterfield Poultry.

In 2016 the Boparan Private Office, owned by food tycoon and 2 Sisters Food Group entrepreneur Ranjit Boparan, known as the "Chicken King", bought the firm in a pre-pack deal from Rutland Partners, saving 2,000 jobs after the firm posted pre-tax losses of £5.2m.

Twitter Account of Actress Stefanie Scott for Sale in Underground Hacking Forum

A recent post on an underground hacking forum claimed to sell the Twitter account of the actress "Stefanie Scott". This is one of the rare times the attack can be prevented before it happens, so I am releasing this post in the public interest, and to show how such celebrity accounts are sold by hackers.

Now let's analyze the post. First, I am worried by his statement "pm me for her twitter ETC", which points to him being in control of MORE than her Twitter account. And she seems oblivious to the fact that her accounts might be hijacked, because she tweeted about an hour ago and the sales thread was opened well before that.

As you can see, such accounts can go for $400 or more. The account has 256,211 followers, which is worth a lot. Most such hacks don't affect the celebrities as much as the followers, whose computers or accounts might be hijacked as a result of following links posted by a hacker posing as the celebrity.

It is the responsibility of the celebrity to keep his/her account safe, as they are not the only people affected; their fans often bear the worst of the attack.

PS: This might just be a scam by the user to rip off other users, but it seems unlikely since he is a higher-level user and would not want "scam reports" opened against him. I will update this article if I get more information.