
35 yrs Of Imprisonment for the Administrator of 200,000 DDoS Attacks

 

After a 9-day trial, a California jury found the administrator of two distributed denial-of-service (DDoS) operations guilty. Matthew Gatrel, 32, of Saint Charles, Illinois, operated two websites that enabled paying users to launch over 200,000 DDoS attacks on private and public targets.

Court filings disclose that Gatrel has operated DDoS services since October 2014. The two sites used to run the attacks were DownThem and AmpNode. Gatrel used DownThem to sell subscriptions to DDoS services (sometimes referred to as "booters" or "stressers"), while AmpNode supplied clients who wanted them with servers pre-configured with DDoS attack programs and lists of vulnerable systems that could be used to amplify an attack.

Researchers found over 2,000 registered clients in the databases of the DownThem booter portal. According to the documents, its users launched more than 200,000 DDoS attacks. The targets included households, schools, universities, websites of municipal and local authorities, and financial organizations throughout the world.

“Often called a “booting” service, DownThem itself relied upon powerful servers associated with Gatrel’s AmpNode bulletproof hosting service. Many AmpNode customers were themselves operating for-profit DDoS services” - the U.S. Department of Justice.

Clients could choose among several subscriptions, each with different attack capabilities such as duration, power, or the possibility of concurrent attacks.

If the victim is accessible, the service would deploy "reflected amplification attacks" from AmpNode attack servers, employing "hundreds or thousands of other servers connected to the Internet." 

Gatrel did not act alone in this operation. In 2018, Juan Martinez of Pasadena assisted him in operating the DownThem website.

Gatrel faces a statutory maximum sentence of 35 years in federal prison at his sentencing, scheduled for January 27, 2022, for the three crimes of which he was found guilty:

  • one count of conspiracy to commit unauthorized impairment of a protected computer.
  • one count of conspiracy to commit wire fraud.
  • one count of unauthorized impairment of a protected computer.

Unlike Gatrel, Juan Martinez has already pleaded guilty. At his final hearing on 2nd December, he faces a statutory maximum term of imprisonment of 10 years.

A Look at the Triple Extortion Ransomware

 

Ransomware has traditionally concentrated on encryption, but one of the most common recent additions is the exfiltration and threatening disclosure of critical data in a "double extortion" assault. Threat actors, on the other hand, must continually develop new ways to enhance the effect of a successful assault since the financial incentives are so high. One of the most recent methods is known as "triple extortion," which adds another way to extort money from targets. 

The prospect of stolen data being released online has been a typical point of leverage for criminals seeking further ransom payments in what is known as double extortion. More than 70% of ransomware assaults now include data exfiltration, demonstrating how quickly this attack tactic has become the norm.

Threat actors have lately introduced another layer to ransomware assaults based on this approach. In other words, this latest ransomware advancement means that a ransomware assault no longer stops at the first victim. Ransom demands may now be directed towards a victim's clients or suppliers under triple extortion. At the same time, other pressure points such as DDoS attacks or direct media leaks are added to the mix. 

The more leverage the perpetrators have in a ransomware assault, the more likely the victim is to pay. If the gang is successful in not just encrypting vital systems but also downloading sensitive data and threatening to leak it, they will have the upper hand and will be able to demand payment if the victim does not have sufficient backup procedures. 

According to Brian Linder, a cybersecurity evangelist at Check Point Software, triple extortion has become more common in the previous six months, with ransomware gangs making robocalls to customers, shareholders, partners, the press, and financial analysts if the victimised organisation does not give in to the first two extortion efforts.

“So, imagine if you don’t pay the ransom, we’re going to let all the stock analysts know that you’ve been attacked and likely drive some percentage of your market value out of the market,” Linder says. “We do expect this to be highly exploited. It’s fairly easy to do.” 

Depending on the attacker's initial effectiveness in infiltrating the network, they can get access to information about the victim's clients, including names and phone numbers, and have automated messages ready to go. 

Companies and organizations that retain client or customer data, as well as their own, are the most apparent targets for ransomware operations that go beyond single or double extortion. Healthcare organizations are obvious targets in this regard. As a result, the first known instance of triple extortion occurred late last year when hackers obtained access to Vastaamo, a Finnish physiotherapy provider. Threat actors demanded money directly from the thousands of Vastaamo clients whose records they were able to exfiltrate, rather than contacting the provider for a ransom.

Hackers switched to combined cyber attacks on the Russian financial sector

Experts began to note the particular interest of cybercriminals in the Russian banking sector as early as mid-summer 2021. In July, the Bank of Russia reported on the risks of "infecting" financial institutions through members of their ecosystems.

In August, FinCERT noted a series of large-scale DDoS attacks on at least 12 major Russian banks, processing companies and Internet service providers. The requests came from the USA, Latin America and Asia.

In early September, the Russian financial sector was attacked again. This time the targets were large banks and the telecom operators that provide them with communication services.

Since August 9, the Russian Cyber Threat Monitoring Center (SOC) of the international service provider Orange Business Services has recorded a big increase in the number of requests. Attackers combine not only well-known attacks such as TCP SYN, DNS Amplification, UDP Flood and HTTPS Flood, but also only recently discovered ones, for example, DTLS Amplification.

In total, more than 150 attacks were recorded during the month, from August 9 to September 9, 2021. At the same time, their intensity is constantly increasing. Criminals are constantly trying to increase the power of attacks in the hope that telecom providers will not be able to clean up traffic in such large volumes.

In addition, the attackers used large international botnets. SOC Orange Business Services identified one such network, based in Vietnam and South America and comprising more than 60 thousand unique IP addresses, which was used to organize HTTPS Flood attacks on the 3D Secure payment verification service.

The attackers also used HTTPS Flood attacks to make the banks' applications unusable. In this case, the attack was carried out from IP addresses in Russia, Ukraine and France.

“Based on how persistently and ingeniously cybercriminals act, we can say that we are dealing with a complex planned action aimed at destabilizing at least the Russian financial market,” said Olga Baranova, COO of Orange Business Services in Russia and the CIS.


Ransomware Attacks Increased Exponentially in 2021

 

The growing threat of ransomware has been highlighted by NCC Group's Research Intelligence and Fusion Team (RIFT) analysis. Between January-March 2021 and April-June 2021, the number of ransomware assaults studied by the team climbed by 288%, indicating that enterprises are still facing waves of digital extortion in the form of targeted ransomware. 

The increase in attacks has been fuelled by the rise of the "triple extortion" ransomware technique, in which attackers, in addition to stealing sensitive data and threatening to release it publicly unless a payment is made, also target the organization's customers, vendors, or business partners in the same way.

Conti ransomware, which commonly employs email phishing to remote into a network via an employee's device, was responsible for 22% of ransomware data leaks studied between April and June. The Avaddon ransomware, which was linked to 17% of ransomware data leaks, was just behind it. While victims of this ransomware strain faced data encryption, the potential of data breaches, and the larger risk of DDoS attacks disrupting operations, the ransomware strain is now thought to be dormant. 

In addition to the substantial increase in ransomware assaults, organizations have seen a 29% increase in cyber-attacks worldwide, with the largest growth rates in the Europe, Middle East and Africa (EMEA) area and America, at 36% and 24%, respectively. While the Asia-Pacific (APAC) region witnessed only a 13% increase in attacks, it had the highest number of weekly cyber intrusions at 1,338. The weekly number for EMEA was 777, while the weekly number for America was 688.

This issue is hurting organizations all over the world, with the United States accounting for 49% of victims with known locations in the last three months, followed by France at 7% and Germany at 4%. The Colonial Pipeline ransomware attack in June, which was carried out by DarkSide ransomware affiliates, is one significant case. Oil supplies were disrupted, and there were fuel shortages across the United States as a result of the strike. 

Christo Butcher, global lead for threat intelligence at NCC Group, said: “Over the years, ransomware has become a significant threat to organizations and governments alike. We’ve seen targets range from IT companies and suppliers to financial institutions and critical national infrastructure providers, with ransomware-as-a-service increasingly being sold by ransomware gangs in a subscription model.” 

“It’s therefore crucial for organizations to be proactive about their resilience. This should include proactive remediation of security issues, and operating a least-privilege model, which means that if a user’s account is compromised, the attacker will only be able to access and/or destroy a limited amount of information,” he added.

12-Year-Old Authentication Bypass Vulnerability Could Allow Network Compromise

 

At least 20 router models have been found to have a 12-year-old authentication bypass vulnerability that might allow attackers to hijack networks and devices, possibly affecting millions of users. The critical path traversal bug was discovered by Evan Grant of Tenable and is tracked as CVE-2021-20090 with a CVSS score of 9.8. It can be exploited by unauthenticated, remote attackers. Grant discovered the problem in Buffalo routers, specifically in the Arcadyan-based web interface software.

Grant discovered that bypass_check() only checked as many bytes as there were in the bypass_list strings. By exploiting this flaw, Grant was able to circumvent authentication, letting unauthenticated users view pages they shouldn't be able to. Two more vulnerabilities, CVE-2021-20091 and CVE-2021-20092, were also discovered, but they only affect specific Buffalo routers at this time.
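An added example, not Arcadyan's firmware or Tenable's code: a prefix-only allow-list check of the kind described above, beside a hardened form that canonicalises the path before comparing. The list entries, the sample paths and every function name except the idea of a bypass list are constructed, and the input is assumed to be already percent-decoded.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed list of paths served without a login (hypothetical entries). */
static const char *const bypass_list[] = { "/images/", "/css/", "/login.html" };
#define BYPASS_COUNT (sizeof bypass_list / sizeof bypass_list[0])

/* Weak form: compares only strlen(entry) bytes, so whatever follows the
 * matched prefix is never inspected. */
bool bypass_check_prefix_only(const char *url)
{
    for (size_t i = 0; i < BYPASS_COUNT; i++)
        if (strncmp(url, bypass_list[i], strlen(bypass_list[i])) == 0)
            return true;
    return false;
}

/* Resolve "//", "." and ".." segments into out. Fails on a relative path,
 * on ".." climbing above the root, or when the result does not fit.
 * Assumes the URL path has already been percent-decoded. */
bool normalize_path(const char *url, char *out, size_t outsz)
{
    size_t len = 0;                          /* bytes written so far */
    if (url[0] != '/' || outsz < 2)
        return false;
    for (const char *p = url; *p != '\0'; ) {
        while (*p == '/')                    /* collapse repeated slashes */
            p++;
        const char *seg = p;
        while (*p != '\0' && *p != '/')
            p++;
        size_t n = (size_t)(p - seg);
        if (n == 0 || (n == 1 && seg[0] == '.'))
            continue;                        /* empty or "." segment */
        if (n == 2 && seg[0] == '.' && seg[1] == '.') {
            if (len == 0)
                return false;                /* ".." above the root */
            while (out[--len] != '/')
                ;                            /* drop the previous segment */
            continue;
        }
        if (len + n + 2 > outsz)             /* '/' + segment + NUL */
            return false;
        out[len++] = '/';
        memcpy(out + len, seg, n);
        len += n;
    }
    if (len == 0)
        out[len++] = '/';
    out[len] = '\0';
    return true;
}

/* Hardened form: compare the canonical path. Entries ending in '/' match
 * files beneath that directory; other entries must match exactly. */
bool bypass_check_hardened(const char *url)
{
    char path[256];
    if (!normalize_path(url, path, sizeof path))
        return false;
    for (size_t i = 0; i < BYPASS_COUNT; i++) {
        const char *entry = bypass_list[i];
        size_t n = strlen(entry);
        bool is_dir = entry[n - 1] == '/';
        if (is_dir ? strncmp(path, entry, n) == 0 : strcmp(path, entry) == 0)
            return true;
    }
    return false;
}

int main(void)
{
    /* Constructed request paths; "/setup.html" stands in for a protected page. */
    const char *samples[] = { "/images/logo.png", "/images/../setup.html",
                              "/login.htmlx", "/./css//site.css" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s prefix_only=%d hardened=%d\n", samples[i],
               bypass_check_prefix_only(samples[i]),
               bypass_check_hardened(samples[i]));
    return 0;
}
```

The two checks disagree exactly where the prefix matches but the canonical path lies outside the allow-list, which is the case a regression test for this class of bug should cover.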

According to Grant, this latest revelation raises concerns about the danger of supply chain attacks, which are becoming a more common and serious threat to businesses and technology users. “There is a much larger conversation to be had about how this vulnerability in Arcadyan’s firmware has existed for at least 10 years and has therefore found its way through the supply chain into at least 20 models across 17 different vendors,” Grant wrote. "Consequently, we were surprised they hadn’t been discovered and fixed by the manufacturer or vendors who are selling affected devices over the past decade." 

On Friday, just three days following the bug's disclosure, Juniper Networks cybersecurity researchers announced that they had detected active exploitation of the bug. “We have identified some attack patterns that attempt to exploit this vulnerability in the wild coming from an IP address located in Wuhan, Hubei province, China,” they wrote in a post. “The attacker seems to be attempting to deploy a Mirai variant on the affected routers.”

Mirai is a long-running botnet that can be used to launch distributed denial-of-service (DDoS) attacks by infecting linked devices. It first appeared in 2016, when it overloaded Dyn web hosting servers, bringing down over 1,200 websites, including Netflix and Twitter. Its source code was disclosed later that year, prompting the emergence of additional Mirai versions. 

According to Juniper, several of the scripts used in the latest wave of assaults are similar to those used in prior attacks in February and March. “The similarity could indicate that the same threat actor is behind this new attack and attempting to upgrade their infiltration arsenal with yet another freshly disclosed vulnerability,” researchers wrote.

GitLab Fixes Several Vulnerabilities Reported by Bug Bounty

 

With an update to its software development infrastructure, GitLab has addressed numerous vulnerabilities, including two high-impact web security flaws.

GitLab is a web-based DevOps lifecycle platform from GitLab Inc., available under an open-source license, that offers wiki, issue-tracking, and continuous integration and deployment pipeline capabilities. It was created by Ukrainian programmers Dmytro Zaporozhets and Valery Sizov.

A cross-site request forgery (CSRF) flaw in GitLab's GraphQL API gave an attacker a way to call mutations while impersonating their victims.

Cross-Site Request Forgery (CSRF) is an attack that causes an end user to perform unwanted actions in a web application in which he or she is currently authenticated. With some social engineering (such as delivering a link by email or chat), an attacker can lure users of a web application into carrying out actions of the attacker's choosing. If the target is a regular user, a successful CSRF attack can force the user to make changes such as transferring money or changing their email address. When the victim is an administrative account, CSRF can compromise the whole web application.

Because of a second high-severity security vulnerability, the GitLab webhook feature could be exploited for denial-of-service (DoS) attacks.

A denial-of-service (DoS) attack is designed to shut down a computer system or network, making it unreachable to its intended users. DoS attacks achieve this by flooding the target with traffic or by sending it information that causes a crash.

The researcher 'afewgoats' identified the DoS vulnerability and reported it through GitLab's HackerOne-operated bug bounty program.

CVE identifiers have been requested for both high-severity vulnerabilities but have not yet been assigned. The ethical hacker told The Daily Swig that they had been working on a technique for attacking webhook services.

"The webhook connections usually have timeouts set, but my badly-behaving webserver can bypass them and keep the connection open for days," afewgoats explained. "It's the only Denial of Service, but it could tie up huge amounts of memory on the victim servers." 

"So far it's been successful against PHP, Ruby, and Java targets," they added. 

The CSRF and DoS issues, along with a range of less severe bugs, can be fixed by updating installations to a new version of GitLab.

According to a security advisory from GitLab, the platform upgrade also addresses 15 medium-severity and two low-impact issues. These additional vulnerabilities include a clipboard DOM-based cross-site scripting (XSS) issue, a reflected XSS in release edit pages, and a stored XSS in the audit log.

DDoS Attack on Filipino Media Outlets Linked to Philippine Government and Army

 

Sweden-based digital rights nonprofit Qurium Media has reported a targeted campaign of distributed denial-of-service (DDoS) attacks on Filipino media outlets and a human rights group that appears to be coming from the country’s Department of Science and Technology (DOST) and Army. 

Qurium Media Foundation “has received a brief but frequent denial of service attacks against the Philippine alternative media outlets Bulatlat and Altermidya, as well as the human rights group Karapatan during May and June 2021,” said the organization in its online report. 

On 18 May, a DOST machine launched a vulnerability scan on Bulatlat with what Qurium said resembled Xerosecurity's "Sn1per" tool, an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities. These types of network attack surface and risk assessments are rarely done without permission from a system owner and are believed to be the perpetrators checking on the status of the cyber attacks.

The most recent attack noted by the Qurium group occurred on the night of June 22 and lasted several hours, during which threat actors flooded Bulatlat’s and Altermidya’s websites with junk traffic to make them inaccessible.

A forensic investigation carried out by Qurium revealed an identical firewall configuration, indicating action from another machine from within the organization. Its digital certificate was linked to an email address issued by the Office of the Assistant Chief of Staff for Intelligence (OG2-PAS) of the Philippine Army. 

DOST originally denied its involvement in the attack, but Rowena Guevara, the organization’s Undersecretary for Research and Development, later told local media that it “assist[s] other government agencies by allowing the use of some of its IP addresses in the local networks of other government agencies.” However, she did not name the specific agency, saying that it was the subject of a government investigation.

Last week, media outlet ABS-CBN reported that one lawmaker has introduced a resolution in the country’s House of Representatives to investigate ‘state-sanctioned’ cyberattacks against media entities. “I think it is pretty obvious that these cyberattacks are really state-sanctioned, and that the regime has a policy of attacking critical media. I don’t think that their denial would be acceptable at this point,” Ferdinand Gaite, a Filipino politician stated.

Newly discovered Mirai Botnet is Exploiting DVR in DDoS Attack

 

On Thursday, cybersecurity experts disclosed details regarding a newly discovered Mirai-inspired botnet called "mirai_ptea". It exploits an undisclosed flaw in a digital video recorder (DVR) provided by KGUARD to propagate and execute a distributed denial of service (DDoS) attack.

Netlab 360, a Chinese security company, pinned the first investigation into the defect on March 23, 2021, before aggressive botnet attempts were detected on June 22, 2021. Since the emergence of the Mirai botnet in 2016, it has been linked to a series of large-scale DDoS attacks.

In October 2016, users of DNS service provider Dyn in Europe and North America lost access to major Internet platforms and services. Since then, numerous versions of Mirai have sprung up, partly because the source code is available on the internet. Mirai_ptea is no exception.

According to researchers, the Mirai botnet is a piece of nasty Internet of Things (IoT) malware that compromised 300,000 IoT devices, such as wireless cameras, routers, and digital video recorders. It scans for Internet of Things devices, logs in to them with default passwords, and adds the compromised devices to a botnet, which is then used to launch DDoS attacks on websites and Internet infrastructure.

Cybersecurity researchers have not revealed the full details of the security flaw in an attempt to prevent further exploitation, but they said the KGUARD DVR firmware had vulnerable code prior to 2017 that enabled remote execution of system commands without authentication. Approximately 3,000 or more devices exposed online are vulnerable to this flaw.

In addition to using Tor Proxy to link with the Command and Control (C2) server, analysis of the mirai_ptea sample disclosed extensive encryption of all sensitive resource information. It is decoded to establish a connection with the C2 server and retrieve attack commands for execution, including launching DDoS attacks. 

"The geographic distribution of bot source IPs is [...] mainly concentrated in the United States, Korea, and Brazil," the researchers stated, with infections reported across Europe, Asia, Australia, North and South America, and parts of Africa. 

In 2017, Paras Jha, 21, of Fanwood, New Jersey; Josiah White, 20, of Washington, Pennsylvania; and Dalton Norman, 21, of Metairie, Louisiana were charged for creating the Mirai IoT botnet. The three admitted conspiracy to violate the Computer Fraud & Abuse Act.

341% Surge in DDoS Attacks During the Epidemic

 

The epidemic resulted in a 341 percent year-over-year spike in distributed denial-of-service (DDoS) attacks, according to Nexusguard's Annual Threat Report 2020, with attackers targeting sectors that provided connectivity, services, and entertainment to populations that were compelled to shelter in place.

The enormous change in online behavior and dependence on connectivity has strained the communications service providers (CSPs) and ISPs that supplied the backbone for such remote operation. The pressure includes ransom DDoS (RDDoS) attacks, in which companies are extorted for payment in exchange for staying online.

Juniman Kasman, CTO for Nexusguard said, “During 2020, the pandemic forced a complete shift in how the world lived and worked, and attackers were ready to take full advantage of the situation, adeptly targeting connectivity and entertainment providers.” 

With lockdowns and worldwide social distancing measures, online gaming and Internet dependency flourished in 2020, and both have been tempting targets for attackers. Attack motivations include economic and political gain, retaliation, cyberwar, and even personal pleasure.

Analysts expect RDDoS attacks to grow by 30 percent over the next year, particularly because of the prominence of cryptocurrencies. Smaller attacks (less than 10 Gbps in size), meanwhile, will soon account for 99% of all DDoS attacks, as they remain hard to detect and cost-effective to deploy.

“With attackers using stealthier, smaller attacks increasing in complexity, CSPs and enterprises will need deep learning, multidimensional DDoS detection, and other advanced techniques to avoid outages,” Kasman added.  

The research found that CSPs, and ISPs in particular, continue to be affected by sophisticated bit-and-piece attacks that drip junk traffic across a huge pool of IP addresses. In 2020, 301 CSPs in 23 countries were struck by bit-and-piece attacks.

Researchers warn that the newer evasive DDoS attacks will cause catastrophic disruptions for CSPs and other businesses that rely on threshold-based and signature-based detection methods.

A denial-of-service attack is a cyber-attack in which the attacker aims to disrupt, temporarily or permanently, the operations of a host connected to the Internet by making a computer or network resource unavailable to its intended users.

FBI says Attackers Breached US Local Govt After Hacking a Fortinet Appliance

 

After issuing a cybersecurity advisory warning that APT hacker groups are purposefully targeting vulnerabilities in Fortinet FortiOS, the FBI has now warned that state-sponsored attackers compromised the web server of a US local government after hacking a Fortinet appliance.

Fortinet is a multinational security company based in Sunnyvale, California. It creates and sells cybersecurity solutions, which include hardware like firewalls as well as software and services like anti-virus protection, intrusion prevention systems, and endpoint security components.

"As of at least May 2021, an APT actor group almost certainly exploited a Fortigate appliance to access a web-server hosting the domain for a U.S. municipal government," the FBI's Cyber Division said in a TLP:WHITE flash alert published on 27th May. 

The advanced persistent threat (APT) actors moved laterally around the network after gaining access to the local government organization's server, creating new domain controller, server, and workstation user identities that looked exactly like existing ones. On compromised systems, attackers linked to this ongoing APT harmful activity have created 'WADGUtilityAccount' and 'elie' accounts, according to the FBI.

This APT organization will most likely utilize this access to capture and exfiltrate data from the victims' network, according to the FBI. "The APT actors are actively targeting a broad range of victims across multiple sectors, indicating the activity is focused on exploiting vulnerabilities rather than targeted at specific sectors," the FBI added.

Last month, the FBI and the CISA issued a warning about state-sponsored hacking groups gaining access to Fortinet equipment by exploiting FortiOS vulnerabilities CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591. The threat actors are also scanning for CVE-2018-13379 vulnerable devices on ports 4443, 8443, and 10443, and enumerating servers that haven't been patched against CVE-2020-12812 and CVE-2019-5591. 

Once they've gained access to a vulnerable server, they'll use it in subsequent attacks aimed at critical infrastructure networks. "APT actors may use other CVEs or common exploitation techniques—such as spear-phishing—to gain access to critical infrastructure networks to pre-position for follow-on attacks," the two federal agencies said.

"APT actors have historically exploited critical vulnerabilities to conduct distributed denial-of-service (DDoS) attacks, ransomware attacks, structured query language (SQL) injection attacks, spear-phishing campaigns, website defacements, and disinformation campaigns," they added.

Plex Media Servers Actively Abused To Amplify DDoS Attacks

Researchers with Netscout's Atlas Security Engineering and Response Team have warned of a threat actor campaign in which attackers abuse Plex Media Server systems to amplify various DDoS (Distributed Denial of Service) attacks.

Plex Media Server is a streaming system that runs on a variety of platforms, including Windows, Linux, macOS, and FreeBSD, as well as network-attached storage (NAS) hardware devices, RAID units, digital media players, Docker containers, and more. It lets users share video and other media with other devices.

Network monitoring firm Netscout believes that about 27,000 Plex Media servers are at risk of being abused for DDoS amplification attacks, according to an alert published on Wednesday.

As part of normal Plex operation, the system scans local networks using G'Day Mate (GDM), which allows a Plex device to discover other supported media devices and streaming clients. Additionally, the system uses SSDP (Simple Service Discovery Protocol), which helps it locate Universal Plug and Play (UPnP) devices.

Netscout stated that DDoS attacks exploiting UDP/32414 SSDP HTTP/U have been observed since November 2020. An amplification attack happens when attackers send a small amount of request traffic to a server and the server answers with far more response traffic. The threat actors can also spoof the source IP address so that it appears to be the victim's, resulting in traffic that deluges the victim's resources and causes a crash.

"We’ve seen its use as far back as November when activity ramped up, but most of the time, we see its use is in multi-vector attacks rather than as a primary vector, which can result in some uncertainty in finding an exact day it began to be used," Richard Hummel, Manager of Threat Intelligence at Netscout, said in an email interview when asked when PMSSDP was first observed as a DDoS attack amplification vector.

"The total number of attacks from Jan 1, 2020, to present day, clocked in at approximately 5,700 (compared to the more than 11 million attacks in total we saw during the same time frame)," Richard Hummel added.

DDoS Campaign Exposed by the Security Firm Radware

 

Security firm Radware uncovered a ransom distributed denial-of-service (DDoS) campaign run by threat actors. The campaign was launched to target the same set of victims as in September 2020, after the companies failed to pay the initial ransom of between five and ten bitcoins ($160,000 and $320,000) demanded by the threat actors.

According to the reports, an anonymous group of hackers attacked the victims for the first time in August or September 2020. In December 2020 and January, threat actors sent additional ransom extortion emails to the organizations after the victims failed to pay the initial ransom. Threat actors hit the organizations with a DDoS strike immediately after the organizations received the second set of intimidating messages.

The latest DDoS strike surpassed 200Gbps and continued for more than nine hours without interruption. According to Radware, the latest ransom note reads, “maybe you forgot us, but we didn’t forget you. We were busy working on more profitable projects, but now we are back”.

Radware security experts are convinced that the series of attacks was managed by the same ransomware group, due to the identical infrastructure used in the strikes and the messages received from the group. Also, the organizations that received the latest letters were not named in the media last year, so only the original ransomware group would have known that the companies had been targeted last year.

Radware security experts have noticed a change in the threat actors' strategy: in previous strikes, threat actors targeted organizations for a few weeks and then moved on. “The 2020-2021 global ransom DDoS campaign represents a strategic shift from these tactics. DDoS extortion has now become an integral part of the threat landscape for organizations across nearly every industry since the middle of 2020”, the report explained.

This group of threat actors does not hold back from returning to targets that originally ignored their warnings, which is a fundamental change in the tactics of threat actors. According to Radware, companies should be prepared for another letter and strike in the upcoming months.

Gamer Alert: More than 10 Billion Attacks On Gaming Industry In 2 Years


According to cybersecurity firm Akamai's recent report titled "State of the Internet/Security," the gaming sector has suffered a big hit in the previous two years. Experts have reported around 10 Billion cyberattacks on the gaming industry between June 2018 and June 2020.

Akamai recorded 100 billion credential stuffing attacks during this period, of which 10 billion were attacks on the gaming sector. Besides credential stuffing, Akamai also recorded web application attacks. Hackers directed around 150 million web application attacks at the gaming sector.

"This report was planned and mostly written during the COVID-19 lockdown, and if there is one thing that's kept our team sane, it is constant social interaction and the knowledge that we're not alone in our anxieties and concerns," says the report. According to the report, web application attacks mostly used SQL injection and LFI (Local File Inclusion). This is because hackers can use SQL injection and LFI to access sensitive user information on the game server.

The data can include usernames, account info, passwords, etc. Besides this, experts say that the gaming sector is also a primary target for DDoS (distributed denial-of-service) attacks. Between July 2019 and July 2020, Akamai identified 5,600 DDoS attacks, of which 3,000 targeted the gaming sector. The increase in attacks may be because most gamers don't pay much attention to cybersecurity.

According to data, 55% of gamers experienced suspicious activity in their accounts. However, just 20% of these gamers expressed concern about the compromise. Around 50% of hacked players feel that security is a mutual responsibility between gamers and gaming companies. 

Akamai emphasized their concern over the gaming sector becoming an easy target for the hackers. According to Akamai's report, "Web attacks are constant. Credential stuffing attacks can turn data breaches from the days of old (meaning last week) into new incidents that impact thousands (sometimes millions) of people and organizations of all sizes. DDoS attacks disrupt the world of instant communication and connection. These are problems that gamers, consumers, and business leaders face daily. This year, these issues have only gotten worse, and the stress caused by them was compounded by an invisible, deadly threat known as COVID-19."

NZX Underwent Power Outage Caused Due to Multiple Cyberattacks, Trading Halted


New Zealand’s stock market exchange came to an abrupt halt after being hit by cyberattacks multiple times over a week, blocking access to its website and resulting in a major power outage caused by a distributed denial of service (DDoS) attack from overseas, state-backed adversaries.

The unknown attackers commanded a group of computers to bombard the NZX website with connection requests, which overloaded the exchange’s servers and shut down its website.

The systems harnessed to instigate the attack probably belonged to innocent businesses that would have been exploited by the malware earlier. The owners of these compromised computers have most likely stayed oblivious to the fact that they have been hijacked to facilitate a cyberattack.

On Wednesday, the Wellington-based NZX exchange issued a statement wherein they explained how the Tuesday attack affected their websites and the market announcement platform. Blaming the attack on overseas adversaries, the NZX said that it had “experienced a volumetric DDoS attack from offshore via its network service provider, which impacted NZX network connectivity”.

“A DDOS attack aims to disrupt service by saturating a network with significant volumes of internet traffic. The attack was able to be mitigated and connectivity has now been restored for NZX,” the exchange further said.

Commenting on the matter, Dr. Rizwan Asghar, from the school of computer science at Auckland University, said that it was difficult to trace the source of such a cyberattack because the threat actors tend to hide their IP addresses.

To combat the attacks, the NZX sought help from New Zealand’s spy agency, the Government Communications Security Bureau (GCSB). By Friday the GCSB had formed a group to investigate the matter, which concluded that the motivation for the DDoS attack seems to be financial rather than political, as a few had claimed.

The findings of the investigation denied the involvement of state-backed agents in the attacks by stating that, "The nature of this tends to be a criminal activity rather than state-backed. You can't rule it out but it's more likely than not to be criminal activity."

NZ Stock Exchange Halted Temporarily Twice After Being Hit by Cyber Attacks


The New Zealand stock exchange was hit by a cyber-attack that forced it offline two days in a row. The exchange said the attack had "impacted NZX network connectivity" and that it had chosen to temporarily halt trading in cash markets shortly before 16:00 local time.

Trading had to be stopped briefly for a second time, but was back up and running before the day's end.

A DDoS attack is generally a fairly straightforward kind of cyber-attack, in which a huge 'array' of computers all attempt to connect to an online service at the same time, usually 'overwhelming its capacity'.

They frequently use devices compromised by malware, whose owners don't know they are part of the attack.

While genuine traders may have had trouble carrying out their business, that doesn't mean any financial or personal data was accessed. NZX said the attack had come “from offshore via its network service provider".

The second attack halted trading for a large part of the working day, from 11:24 to 15:00 local time, the exchange said. In spite of the interference, the exchange closed the business day close to its 'all-time' high.

NZX said it had first been hit by a distributed denial of service (DDoS) attack from abroad. The New Zealand cybersecurity organization CertNZ had also warned in November that emails were being sent to financial firms threatening DDoS attacks unless a ransom was paid.

The emails claimed to be from the notable Russian hacking group Fancy Bear.

However, CertNZ said at the time 'the threat had never been carried out, past a 30-minute attack as a scare tactic'.

Over 500 SSH Servers being Breached by FritzFrog P2P Botnet


Cyberspace has seen an unprecedented rise in modified versions of peer-to-peer (P2P) threats. It might have appeared that P2P services were vanishing, but in reality they have re-emerged even stronger in newer forms. BitTorrent and eMule are still known to be in use by attackers.

A peer-to-peer (P2P) network is an IT infrastructure in which two or more computers have agreed to share resources such as storage, bandwidth and processing power with one another. Besides file sharing, it also allows access to devices like printers without going through separate server software. A P2P network is not to be confused with the client-server network that users have traditionally used in networking, in which the client does not contribute resources to the network.

Researchers at Guardicore have recently discovered a sophisticated peer-to-peer (P2P) botnet called FritzFrog that has been actively breaching SSH servers since January 2020. It is a modular worm written in Golang; it is multi-threaded, completely volatile and fileless, and leaves no trace on the infected system’s disk.

It has a decentralized infrastructure which distributes control among all its nodes. The network uses AES for symmetric encryption and the Diffie-Hellman protocol for key exchange in order to carry out P2P communication via an encrypted channel.

So far, more than 20 malware samples have been discovered by the researchers, as FritzFrog attempted to brute force over 500 SSH servers belonging to educational institutions, governmental institutions, telecom organizations, banks, and medical centers worldwide. The campaign also targeted some well-known higher-education institutions in the United States and Europe, along with a railway firm.

Botnets are being leveraged by attackers for DDoS attacks and other malicious activities, as per the recent attack trend. Earlier in June this year, the Mozi malware was seen exploiting IoT devices, mainly DVRs and routers. Threat actors brought together various malware families, namely Mirai, Gafgyt and IoT Reaper, to build a botnet capable of DDoS attacks, command or payload execution, and data exfiltration.

“FritzFrog’s binary is an advanced piece of malware written in Golang. It operates completely in-memory; each node running the malware stores in its memory the whole database of targets and peers,” according to Guardicore’s report.

“FritzFrog takes advantage of the fact that many network security solutions enforce traffic only by the port and protocol. To overcome this stealth technique, process-based segmentation rules can easily prevent such threats.”

“Weak passwords are the immediate enabler of FritzFrog’s attacks. We recommend choosing strong passwords and using public key authentication, which is much safer. In addition, it is crucial to remove FritzFrog’s public key from the authorized_keys file, preventing the attackers from accessing the machine. Routers and IoT devices often expose SSH and are thus vulnerable to FritzFrog; consider changing their SSH port or completely disabling SSH access to them if the service is not in use.” The report further read.
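The report's advice about the authorized_keys file can be turned into a routine check. The following is an added example, not code from Guardicore's report or this post: it parses authorized_keys content (including entries with quoted options), computes OpenSSH-style SHA256 fingerprints, and reports every entry that is not on an approved list. The page does not give FritzFrog's key, so all key blobs, comments and names below are constructed samples.

```python
import base64, binascii, hashlib, re, struct

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}  # subset, for the example
# A field is a run of non-space characters; double-quoted option values may hold spaces.
FIELD = re.compile(r'(?:[^\s"]|"(?:\\.|[^"\\])*")+')

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a decoded public-key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit(text, approved):
    """Return (line_no, reason, fingerprint, comment) for each entry needing review."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = FIELD.findall(line)
        if not fields or fields[0].startswith("#"):
            continue
        # The key type is the first field, or the second when options come first.
        idx = next((i for i, f in enumerate(fields[:2]) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            findings.append((no, "unparseable", None, line.strip()[:40]))
            continue
        comment = " ".join(fields[idx + 2:])
        try:
            blob = base64.b64decode(fields[idx + 1], validate=True)
            (n,) = struct.unpack(">I", blob[:4])      # blob starts with its own type
            embedded = blob[4:4 + n].decode("ascii")
        except (binascii.Error, struct.error, UnicodeDecodeError):
            findings.append((no, "bad-blob", None, comment))
            continue
        fp = fingerprint(blob)
        if embedded != fields[idx]:
            findings.append((no, "type-mismatch", fp, comment))
        elif fp not in approved:
            findings.append((no, "unapproved", fp, comment))
    return findings

def sample_blob(seed, keytype="ssh-ed25519"):  # constructed stand-in, not a real key
    t, k = keytype.encode(), hashlib.sha256(seed).digest()
    return struct.pack(">I", len(t)) + t + struct.pack(">I", len(k)) + k

def b64(blob):
    return base64.b64encode(blob).decode()

ADMIN, BACKUP, UNKNOWN = (sample_blob(s) for s in (b"admin", b"backup", b"unknown"))
APPROVED = {fingerprint(ADMIN), fingerprint(BACKUP)}
SAMPLE = "\n".join([
    "# constructed authorized_keys content",
    f"ssh-ed25519 {b64(ADMIN)} admin@example",
    f'command="/usr/local/bin/backup --all",no-pty ssh-ed25519 {b64(BACKUP)} backup job',
    f"ssh-ed25519 {b64(UNKNOWN)}",
    f"ssh-rsa {b64(ADMIN)} mislabeled",
    "ssh-ed25519 not*base64 broken",
])

if __name__ == "__main__":
    for finding in audit(SAMPLE, APPROVED):
        print(finding)
```

Comparing fingerprints rather than comments matters here because the comment field is free text that whoever wrote the entry controls.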

A resurgence in DDoS Attacks amidst Global COVID-19 lockdowns


Findings of Link11's Security Operations Center (LSOC) uncovered a 97% increase in the number of attacks for the months of April, May, and June in 2020 when compared with the attacks during the same period in the previous year, with an increment of 108% in May 2020.

The annual report includes data indicating that the frequency of DDoS attacks depended on the day of the week and the time of day, with most attacks concentrated around weekends and evenings. 

More attacks were registered on Saturdays, and out of office hours on weekdays. 

Marc Wilczek, COO, Link11 says, “The pandemic has forced organizations to accelerate their digital transformation plans, but has also increased the attack surface for hackers and criminals – and they are looking to take full advantage of this opportunity by taking critical systems offline to cause maximum disruption. This ‘new normal’ will continue to represent a major security risk for many companies, and there is still a lot of work to do to secure networks and systems against the volume attacks. Organizations need to invest in security solutions based on automation, AI, and Machine Learning that are designed to tackle multi-vector attacks and networked security mechanisms...” 


Key findings from the annual report include: 

Multivector attacks on the rise: 52% of attacks combined several attack techniques, making them harder to defend against. One attack included at least 14 techniques.

The growing number of reflection amplification vectors: The more commonly used vectors included DNS, CLDAP, and NTP, while WS Discovery and Apple Remote Control are still being used after being discovered in 2019. 

DDoS sources for reflection amplification attacks distributed around the globe: The top three most significant source nations in H1 2020 were the USA, China, and Russia. However, an ever-increasing number of attacks have been traced back to France. 

The average attack bandwidth remains high: The volume of DDoS attacks has stabilized at a relatively high level, at an average of 4.1 Gbps. Most attacks, 80%, were up to 5 Gbps. The biggest DDoS attack was stopped at 406 Gbps. 

DDoS attacks from the cloud: At 47%, the percentage of DDoS attacks from the cloud was higher than for the whole of 2019 (45%). Instances from every established provider were misused; the most common were Microsoft Azure, AWS, and Google Cloud. 

The longest DDoS attack lasted 1,390 minutes (23 hours), while interval attacks, which are set like little pinpricks and thrive on repetition, lasted an average of 13 minutes.


Online Michigan Bar Exam Hit by a Distributed Denial of Service (DDoS) Attack



The recently conducted online Michigan bar exam was briefly taken down as it was hit by a rather "sophisticated" cyberattack. 

According to ExamSoft, one of the three vendors offering the exam that certifies potential attorneys, the test had been hit by a distributed denial of service (DDoS) attack, in which a hacker or group tries to bring down a server by overwhelming it with traffic. 

The incident marked the first DDoS attack the organization had encountered at a network level, ExamSoft said, and it worked with the Michigan Board of Law Examiners to give test-takers more time to take the test after it was ready for action once more. 

The company noted that "at no time" was any information compromised, and that it had the option to “thwart the attack, albeit with a minor delay” for test-takers. 

Before the organization's statement, the Michigan Supreme Court tweeted that a "technical glitch" had made the test go down, and that test takers were “emailed passwords and the test day will be extended to allow for the delay for some test takers to access the second module.” 

As per the court, those taking the test with provisions from the Americans with Disabilities Act were not affected by the episode.

 “All exam takers were successfully able to start and complete all modules of the Michigan Bar exam,” the organization wrote. 

“This was a sophisticated attack specifically aimed at the login process for the ExamSoft portal which corresponded with an exam session for the Michigan Bar,” ExamSoft said in a statement on Tuesday. 

United for Diploma Privilege, a national gathering of law students, graduates, professors, and lawyers pushing for the bar exam to be postponed during the COVID-19 pandemic, raised worries about data privacy issues associated with the cyberattack.  

Numerous states have opted to offer the bar exam in-person this month, while others will offer the test online in early October. 

A spokesperson for the National Conference of Bar Examiners (NCBE), which drafts a segment of the test, told 'The Hill' earlier this month that states and jurisdictions could decide to offer the test through vendors such as ExamSoft, Extegrity and ILG Technologies.


The Public Chamber of the Russian Federation reported a DDoS attack on its website


The website of the Public Chamber (OP) of Russia was attacked by hackers. The site of its project to fight fakes at all levels, feikam[.]net, was also subjected to a DDoS attack. Currently, the sites cannot be accessed; an error appears when trying to open them.

Alexander Malkevich, the head of the expert advisory group of the Public Chamber of Russia on public control of remote electronic voting, said that the attack began after the acceptance of votes from online voters had ended.

In his opinion, the attack is connected with the active work of the Public Chamber of the Russian Federation to expose fakes about the all-Russian vote on amendments to the Constitution.

"In the evening of June 30, after the official end of the online voting process, the website of the Public Chamber of the Russian Federation was attacked by hackers who managed to interrupt its normal operation for a while. This is very similar to the retribution of those who were prevented by members of the Chamber from wreaking havoc during the voting, especially considering that there was the hack of the site http://feikam.net/  at the same time," he noted.

According to Mr. Malkevich, 5 thousand fakes were found on the Internet, and their number grew several times over as the voting approached. Earlier, he noted that false information about the amendments to the Constitution is mostly distributed through foreign-agent media and on social networks.

The all-Russian vote began on June 25 throughout Russia and lasted until July 1. Citizens were asked whether they approve of the amendments to the Constitution, with "Yes" and "No" options on the ballot. The main amendment is the nullification of Vladimir Putin’s presidency so that he can become president again.

UPnP Vulnerability Affects Billion of Devices Allowing DDoS Attacks, Data Exfiltration


A new security vulnerability affecting devices running the UPnP protocol has been discovered by a researcher named Yunus Çadırcı. Dubbed CallStranger, the flaw could be exploited by remote unauthenticated attackers to perform a number of malicious acts, such as data exfiltration and distributed denial-of-service (DDoS) attacks.

The UPnP protocol is designed to speed up automatic discovery and to facilitate interaction with devices on a network. It doesn't have any kind of verification or authentication and is therefore meant to be used only within trusted LANs. Most internet-connected devices support UPnP; however, the Device Protection service responsible for adding security features has not been broadly adopted.

The security vulnerability, which is being tracked as CVE-2020-12695, affects Windows PCs, TVs, Cisco, Belkin, Broadcom, Dell, D-Link, Gaming Consoles, Samsung, routers from Asus, Huawei, ZTE, TP-Link and probably many more.

Giving insights into his discovery, Çadırcı said, “[The vulnerability] is caused by Callback header value in UPnP SUBSCRIBE function can be controlled by an attacker and enables an SSRF-like vulnerability which affects millions of Internet-facing and billions of LAN devices.”

“Home users are not expected to be targeted directly. If their internet-facing devices have UPnP endpoints, their devices may be used for DDoS source. Ask your ISP if your router has Internet-facing UPnP with CallStranger vulnerability — there are millions of consumer devices exposed to the Internet. Don't port forward to UPnP endpoints,” he further added.

“Because it also can be used for DDoS, we expect botnets will start implementing this new technique by consuming end-user devices. Because of the latest UPnP vulnerabilities, enterprises blocked Internet exposed UPnP devices so we don’t expect to see port scanning from the Internet to Intranet but Intranet2Intranet may be an issue.” The researcher concluded.

In order to stay safe, vendors are recommended to act upon the latest specifications put forth by the OCF, and users are advised to actively watch vendor support channels for updates. Meanwhile, device manufacturers are advised to disable the UPnP protocol on Internet-reachable interfaces.
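The root cause the researcher describes is a device accepting whatever delivery URL appears in the Callback header of a SUBSCRIBE request. The following is an added example, not code from the researcher, the OCF or any vendor, of the check an event publisher can apply before accepting a subscription: the subscriber and every callback URL must be literal IP addresses inside the LAN of the receiving interface. This policy, the function names, the 192.168.1.0/24 network and the sample requests are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

def parse_request(raw):
    """Return (method, headers) for a raw request; header names are lower-cased."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, headers

def check_subscribe(raw, peer_ip, lan):
    """Decide whether to accept a SUBSCRIBE. Returns (accepted, reason)."""
    method, headers = parse_request(raw)
    if method != "SUBSCRIBE":
        return False, "not-subscribe"
    if ipaddress.ip_address(peer_ip) not in lan:
        return False, "peer-outside-lan"
    if "sid" in headers and "callback" not in headers:
        return True, "renewal"            # renewals carry no delivery URL to vet
    # CALLBACK holds one or more URLs, each wrapped in angle brackets.
    urls = re.findall(r"<([^<>]*)>", headers.get("callback", ""))
    if not urls:
        return False, "no-callback"
    for url in urls:
        try:
            parts = urlsplit(url)
            host = ipaddress.ip_address(parts.hostname or "")
        except ValueError:
            # Hostnames are refused so that DNS cannot redirect event delivery.
            return False, "callback-not-literal-ip"
        if parts.scheme.lower() != "http":
            return False, "bad-scheme"
        if host not in lan:
            return False, "callback-outside-lan"
    return True, "ok"

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed network of the interface

def make_request(callback):
    """Constructed sample SUBSCRIBE request with the given CALLBACK value."""
    return ("SUBSCRIBE /event HTTP/1.1\r\nHOST: 192.168.1.1:5000\r\n"
            f"CALLBACK: {callback}\r\nNT: upnp:event\r\nTIMEOUT: Second-1800\r\n\r\n")

if __name__ == "__main__":
    for cb in ("<http://192.168.1.50:8080/cb>", "<http://203.0.113.10/>"):
        print(cb, check_subscribe(make_request(cb), "192.168.1.50", LAN))
```

All URLs in the header are checked, not just the first, because a publisher may deliver events to any of them.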