
New Network Protocols Abused To Launch Large-Scale Distributed Denial of Service (DDoS) Attacks


The Federal Bureau of Investigation issued an alert last week warning that newly identified network protocols are being exploited to launch large-scale distributed denial of service (DDoS) attacks.

The alert lists three network protocols and one web application as new DDoS attack vectors.

The list includes CoAP (Constrained Application Protocol), WS-DD (Web Services Dynamic Discovery), ARMS (Apple Remote Management Service), and the Jenkins web-based automation software.

Three of the four (CoAP, WS-DD, ARMS) have already been abused in the wild to launch massive DDoS attacks, the FBI said, citing ZDNet's earlier reporting.


CoAP

In December 2018, cyber actors began exploiting the multicast and command transmission features of the Constrained Application Protocol (CoAP) to conduct DDoS reflection and amplification attacks, achieving an amplification factor of 34, according to open-source reporting.


WS-DD 

In May and August 2019, cyber actors abused the Web Services Dynamic Discovery (WS-DD) protocol to launch more than 130 DDoS attacks, some reaching sizes of more than 350 gigabits per second (Gbps), in two separate waves of attacks, according to open-source reporting.


ARMS 

In October 2019, cyber actors abused the Apple Remote Management Service (ARMS), a component of the Apple Remote Desktop (ARD) feature, to conduct DDoS amplification attacks, according to open-source reporting.


JENKINS 

In February 2020, UK security researchers identified a vulnerability in the built-in network discovery protocols of Jenkins servers (free, open-source automation servers used to support the software development process) that cyber actors could exploit to conduct DDoS amplification attacks, according to open-source reporting.
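All four vectors in the alert work the same way: a small spoofed request makes a service answer, with a much larger reply, to a victim that never asked. The script below is an added example (not from the FBI alert or ZDNet's reporting) of the network-side check a defender can run over flow records: it flags a destination that receives a large volume of UDP replies from many distinct hosts answering from a reflector service port. The port numbers are assumed defaults that the alert itself does not list (CoAP 5683/udp, WS-Discovery 3702/udp, ARMS/ARD 3283/udp, Jenkins discovery 33848/udp), and the flow records are constructed sample data.

```python
"""Spot likely reflection/amplification traffic from the four vectors in the FBI alert.

Added example, not code from the alert or from ZDNet. It reads flow records
(here a constructed sample) and flags a destination that receives large UDP
volume from many distinct hosts replying from a reflector service port.
Assumed default ports, which the alert itself does not list:
CoAP 5683/udp, WS-Discovery 3702/udp, ARMS/ARD 3283/udp, Jenkins discovery 33848/udp.
"""
from collections import defaultdict
from dataclasses import dataclass

REFLECTOR_PORTS = {5683: "CoAP", 3702: "WS-DD", 3283: "ARMS", 33848: "Jenkins"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    byte_count: int


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bandwidth amplification factor: bytes a reflector returns per byte it receives."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


def aggregate_by_victim(flows):
    """Group inbound UDP flows sourced from a known reflector port by (destination, service)."""
    totals = defaultdict(lambda: {"byte_count": 0, "packets": 0, "reflectors": set()})
    for f in flows:
        if f.proto != "udp" or f.src_port not in REFLECTOR_PORTS:
            continue
        bucket = totals[(f.dst_ip, REFLECTOR_PORTS[f.src_port])]
        bucket["byte_count"] += f.byte_count
        bucket["packets"] += f.packets
        bucket["reflectors"].add(f.src_ip)
    return totals


def find_amplification_victims(flows, min_reflectors=3, min_bytes=10_000):
    """Return (victim, service, distinct reflectors, bytes) for destinations that receive
    at least `min_bytes` from at least `min_reflectors` distinct reflector hosts.
    The thresholds are illustrative; tune them to the link being monitored."""
    hits = []
    for (victim, service), agg in aggregate_by_victim(flows).items():
        if len(agg["reflectors"]) >= min_reflectors and agg["byte_count"] >= min_bytes:
            hits.append((victim, service, len(agg["reflectors"]), agg["byte_count"]))
    return sorted(hits, key=lambda h: h[3], reverse=True)


# Constructed sample: four CoAP reflectors and two WS-DD reflectors answering toward
# one address that never asked them anything, plus ordinary traffic that must not match.
SAMPLE_FLOWS = [
    Flow("198.51.100.1", 5683, "203.0.113.10", 4000, "udp", 60, 3000),
    Flow("198.51.100.2", 5683, "203.0.113.10", 4000, "udp", 60, 3000),
    Flow("198.51.100.3", 5683, "203.0.113.10", 4000, "udp", 60, 3000),
    Flow("198.51.100.4", 5683, "203.0.113.10", 4000, "udp", 60, 3000),
    Flow("198.51.100.5", 3702, "203.0.113.10", 4000, "udp", 40, 4000),
    Flow("198.51.100.6", 3702, "203.0.113.10", 4000, "udp", 40, 4000),
    Flow("192.0.2.53", 53, "203.0.113.10", 50000, "udp", 1, 120),      # normal DNS reply
    Flow("198.51.100.9", 3283, "203.0.113.11", 443, "tcp", 10, 1500),  # TCP, ignored
]

if __name__ == "__main__":
    for victim, service, n, total in find_amplification_victims(SAMPLE_FLOWS):
        print(f"{victim}: {total} bytes from {n} {service} reflectors")
    # constructed request/response sizes that reproduce the factor of 34 the alert cites
    print("CoAP amplification factor:", amplification_factor(21, 714))
```

Lowering the thresholds (for example `min_reflectors=2, min_bytes=8000`) also surfaces the smaller WS-DD cluster in the sample; in production the same aggregation is normally run per time window so that a burst stands out against the baseline.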

FBI officials believe that these new DDoS threats will continue to be exploited to cause downtime and damage for the 'foreseeable future'.

The purpose of the alert is to warn US companies of the 'imminent danger' so that they can invest in DDoS mitigation systems and build partnerships with their internet service providers to respond quickly to any attacks using these new vectors.

As of now, these four new DDoS attack vectors have been used only sporadically, but industry experts expect them to become widely abused by DDoS-for-hire services.

Gothic Panda and Stone Panda: Chinese Hackers that Launched Mass Cyber Attacks on Indian Companies


Two hacking groups from China, named Gothic Panda and Stone Panda, have been identified as being behind the majority of the cyber attacks on Indian companies in June 2020. Mumbai Mirror was the first to report the incident, publishing a report on its website on 20th June. According to cybersecurity experts, both groups are believed to operate independently rather than being state-sponsored; however, they work in the interests of the Chinese government. An anonymous source told the experts that the attacks were launched from behind VPNs and proxy servers. After investigation, the attacks were traced to Gothic Panda and Stone Panda, officials say.

The Chinese hackers launched more than 40,000 attacks. They used some unique malware to obtain confidential company data and later used the information for extortion. According to the reports, the hackers broke through the security measures of at least six private and public companies, including a government-regulated organization in Jammu and Kashmir and companies operating in New Delhi and Mumbai. The attacks were traced back to the south-western Chinese province of Sichuan. The same actors also attempted to take down websites linked to companies in banking and finance.

The hackers used DDoS (Distributed Denial of Service) attacks and Internet Protocol hijacking. Experts say that these attacks, also called 'probes,' look for weaknesses in a website's security. In one incident in which the hackers managed to crash a website, its home page was modified and its content replaced with text in a foreign language. Experts say there were no other successful probes apart from this incident.

In a DDoS attack, the attacker tries to overwhelm a network resource, such as a website. For example, if a website's hosting provider can handle 5000 requests/second, the attackers flood it with 5,00,000 requests/second and crash the website. In an Internet Protocol hijack, by contrast, the attacker diverts the flow of traffic; in this case, internet traffic was diverted through China for surveillance purposes.

DDoSecrets Banned From Twitter; But Has No Plans To Slow Down



For the past year and a half, a rather small group of activists known as Distributed Denial of Secrets, or DDoSecrets, has discreetly yet consistently released a flood of hacked and leaked documents, from Russian oligarchs' emails to the stolen communications of Chilean military leaders to shell company databases.

A few weeks ago, the group released its most prominent leak yet: BlueLeaks, a 269-gigabyte collection of approximately a million police files provided to DDoSecrets by a source aligned with the hacktivist group Anonymous, spanning emails, audio files, and interagency updates pulled from law enforcement "fusion centers," which serve as intelligence-sharing hubs.

According to DDoSecrets, it represents the largest ever release of hacked US police data. It may establish DDoSecrets as the heir to WikiLeaks' mission—or at least the mission it held in its earlier, more optimistic years—and the inheritor of its ceaseless battles against critics and censors. "Our role is to archive and publish leaked and hacked data of potential public interest," writes the group's co-founder, Emma Best, a longtime transparency activist, in a text message interview. "We want to inspire people to come forward, and release accurate information regardless of its source."

As media attention grew around the BlueLeaks release, Twitter proceeded to ban the group's account, citing its policy against the distribution of hacked material.

The company followed up with a far more significant step, removing tweets that link to the DDoSecrets website, which maintains a searchable database of all of its leaks, and retroactively suspending several accounts for linking to the group's material.

Nevertheless, DDoSecrets, an organization with no fixed address and a careful budget that runs mostly on donations, is still planning its response and the best workaround for continuing to 'publicize its leaks'—possibly moving to Telegram or Reddit—but has no intention of letting the ban stop its work. With BlueLeaks, moreover, DDoSecrets has for the first time released a major leak of documents from US organizations, raising the stakes.

Activists and journalists going through the documents quickly found evidence that the FBI had monitored the social media accounts of protesters on behalf of local law enforcement and tracked bitcoin donations to protest groups. The leak also includes personally identifiable information about police officers and, in some cases, banking details.

Best, who has collaborated with WikiLeaks in the past and uses the pronouns they/them, says that DDoSecrets has learned from WikiLeaks' mistakes as well as its successes.

Best also faults Assange specifically for trying to conceal the fact that certain documents were provided by state-sponsored hackers, as when he implied that the documents taken from the Democratic National Committee and the Clinton campaign might have come from murdered Clinton staffer Seth Rich.

DDoSecrets is also taking an entirely different approach from WikiLeaks to protecting the anonymity of its sources: it has stopped hosting a WikiLeaks-style submission system on a server protected by the anonymity software Tor, as WikiLeaks and most other leak sites do.

That approach suggests the group sees principled hackers as its core sources, rather than non-technical leakers or insiders within companies, says Gabriella Coleman, an anthropologist at McGill University who studies hacker culture, wrote a seminal book on the hacktivist group Anonymous and is friendly with some of DDoSecrets' staff.

Nonetheless, as experts who have commented on the issue make clear, the Twitter ban following the BlueLeaks publication is a major setback for the group.

All You Need to Know About the Recent DDoS Attacks and Threats that have Surfaced in the U.S


Cybersecurity experts have denied that any DDoS attacks have taken place recently. However, the outage of T-Mobile's services seems to tell a different story. In a recent incident, T-Mobile suffered a blackout; customers quickly noticed and registered complaints about the cellular issue. Responding to the problem, company president Neville Ray said on his Twitter account that employees were working on the problem and would resolve it soon. He further noted that data and messaging services would be back up shortly and apologized for the inconvenience.

Similar reports came from various cyber agencies, but the most surprising was an image shared by an account that, according to officials, can be linked to the activist collective "Anonymous." Anonymous published a Digital Attack Map showing various attacks on the U.S. Postal Service. We do not have much information about the issue at hand, but cybersecurity experts claim that no such incidents occurred. The intriguing thing is that T-Mobile had faced a similar problem. As of now, it seems that the U.S. may be a potential target for a large-scale DDoS (distributed denial-of-service) attack.

A DDoS attack floods online services with traffic from many sources, rendering them unusable. Media outlets around the world have reported similar attacks recently. Netscout, a global cybersecurity company, reported 200 cyberattacks targeting the U.S. In another incident, the online activist group Anonymous shared a digital attack map showing various attacks in the U.S. and Brazil, and claimed on Twitter that the U.S. was under a massive DDoS attack; the tweet went viral.

"In light of this DDoS attack, your reminder that @realDonaldTrump eliminated the cybersecurity coordinator position at the NSC in 2018. And in 2019, at least a dozen high-level officials resigned from the cybersecurity mission established under Obama," tweeted Representative Ted Lieu. We do not have official names, but a handful of anonymous politicians have also raised concerns about the possibility of DDoS attacks. It should be noted that these DDoS attacks have surfaced while the U.S. is battling the global pandemic and the entire country is protesting for civil rights. None of this seems ordinary, and it deserves some thought.

UPnP Vulnerability Affects Billions of Devices, Allowing DDoS Attacks and Data Exfiltration


A new security vulnerability affecting devices that run the UPnP protocol has been discovered by a researcher named Yunus Çadırcı. Dubbed CallStranger, the flaw could be exploited by remote, unauthenticated attackers for a number of malicious purposes, including data exfiltration and distributed denial-of-service (DDoS) attacks.

The UPnP protocol is designed to speed up automatic discovery of, and interaction with, devices on a network. It has no verification or authentication of any kind and is therefore intended for use within trusted LANs. Most internet-connected devices support UPnP, but the Device Protection service responsible for adding security features has not been widely adopted.

The vulnerability, tracked as CVE-2020-12695, affects Windows PCs, TVs, gaming consoles, devices from Cisco, Belkin, Broadcom, Dell, D-Link and Samsung, routers from Asus, Huawei, ZTE and TP-Link, and probably many more.

Giving insight into his discovery, Çadırcı said, “[The vulnerability] is caused by Callback header value in UPnP SUBSCRIBE function can be controlled by an attacker and enables an SSRF-like vulnerability which affects millions of Internet-facing and billions of LAN devices.”

“Home users are not expected to be targeted directly. If their internet-facing devices have UPnP endpoints, their devices may be used for DDoS source. Ask your ISP if your router has Internet-facing UPnP with CallStranger vulnerability — there are millions of consumer devices exposed to the Internet. Don't port forward to UPnP endpoints,” he further added.

“Because it also can be used for DDoS, we expect botnets will start implementing this new technique by consuming end-user devices. Because of the latest UPnP vulnerabilities, enterprises blocked Internet exposed UPnP devices so we don’t expect to see port scanning from the Internet to Intranet but Intranet2Intranet may be an issue,” the researcher concluded.

To stay safe, vendors are advised to implement the latest specification published by the OCF, and users are advised to watch vendor support channels for updates. Device manufacturers are advised to disable the UPnP protocol on Internet-accessible interfaces.
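The field at the heart of CallStranger is the Callback header of a UPnP SUBSCRIBE request: the subscriber names the URL(s) that the device should later send event notifications to, and an unchecked value lets a subscriber point the device at any host. The following is an added defensive example, not code from the advisory, the researcher, or any UPnP stack; it implements the principle behind the OCF specification update by accepting only callback URLs whose host is a literal address inside the device's own subnet and capping the number of callbacks per subscription. `device_ip` and `prefix_len` (the interface the device listens on) are assumed inputs, and the header below is a constructed sample.

```python
"""Hardened handling of the UPnP SUBSCRIBE Callback header, the field CallStranger abuses.

Added defensive example, not code from the advisory, the researcher or any UPnP stack.
It applies the principle behind the OCF specification update: accept only callback URLs
that point into the device's own subnet, and cap how many a single subscription may carry.
`device_ip` and `prefix_len` describe the interface the device listens on (assumed inputs).
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Callback values are one or more URLs in angle brackets, e.g. <http://host:port/path>
CALLBACK_RE = re.compile(r"<([^<>]+)>")


def parse_callback_header(value: str):
    """Extract the URLs from a SUBSCRIBE Callback header value."""
    return CALLBACK_RE.findall(value)


def is_local_callback(url: str, local_net) -> bool:
    """True only for http URLs whose host is a literal unicast address inside local_net.

    Host names are rejected on purpose: a name could resolve to an external address
    at notification time, which would reintroduce the SSRF-style behaviour.
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname is None:
        return False
    try:
        host = ipaddress.ip_address(parts.hostname)
        port = parts.port  # raises ValueError on a malformed or out-of-range port
    except ValueError:
        return False
    if port is None:
        port = 80
    if host.is_loopback or host.is_multicast or host.is_unspecified or host.is_reserved:
        return False
    return host.version == local_net.version and host in local_net and 0 < port < 65536


def filter_subscribe_callbacks(header_value: str, device_ip: str, prefix_len: int,
                               max_callbacks: int = 4):
    """Split a Callback header into (accepted, rejected) URL lists for the device's subnet."""
    local_net = ipaddress.ip_network(f"{device_ip}/{prefix_len}", strict=False)
    accepted, rejected = [], []
    for url in parse_callback_header(header_value):
        if is_local_callback(url, local_net) and len(accepted) < max_callbacks:
            accepted.append(url)
        else:
            rejected.append(url)
    return accepted, rejected


# Constructed header: one legitimate LAN subscriber alongside the kinds of destinations
# an unchecked callback would otherwise let a remote party name.
SAMPLE_HEADER = (
    "<http://192.168.1.20:8080/notify>"
    "<http://203.0.113.5:80/>"
    "<http://127.0.0.1:1900/>"
    "<http://[::1]:80/>"
    "<http://update.example.net/>"
    "<https://192.168.1.21/>"
)

if __name__ == "__main__":
    ok, bad = filter_subscribe_callbacks(SAMPLE_HEADER, "192.168.1.1", 24)
    print("accepted:", ok)
    print("rejected:", bad)
```

A device that applies this check still has to handle the rejected list sensibly: responding with an error (rather than silently dropping the bad URLs and subscribing the rest) makes misuse visible in logs, which is the signal an operator needs to spot a scanner probing for CallStranger from inside the LAN.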

How Coronavirus Panic Created a Perfect Opportunity for Cyberattacks in Crucial Sectors?


In tough times like these, there is always someone looking for a weak spot to attack their enemy. The impact of the coronavirus has devastated the socio-economic and political spheres; it has disrupted commerce entirely, leading to a collapse in global trade and, unmistakably, panic and fear among the public. Some people are already aware of this, but unfortunately many still do not realize that hackers are using the crisis as an opportunity to launch cyberattacks.


For instance, the US Department of Health and Human Services recently suffered a cyberattack while it was dealing with the coronavirus situation. None of the website's data and information was compromised. Still, according to officials, the hackers responsible are state-sponsored and saw it as an opportunity to disrupt the work of US departments and institutions. In other incidents, cyberattacks under the banner of the 'Wuhan Coronavirus' have been launched in many countries. According to Kaspersky experts, ten files named after the 'coronavirus spread' contain malware, and file-encrypting infections are breaking into systems and corrupting them.

The Potential Target Areas

1. Political: Cyberattacks can be launched on prominent political infrastructure, such as government ministries and health departments, using false information and misinformation. The recent DDoS attack on the US Department of Health is just the beginning. False reports of a 'nationwide lockdown' or 'nationwide quarantine' have appeared in many countries, including India and the US. Governments are continuously working to expose this fake news by publishing official advisories on their websites asking the public not to trust or share unverified information.

2. Criminal: Hackers see the crisis as an opportunity to launch cyberattacks. According to Checkpoint's Global Threat Index, "hackers around the globe have found the Coronavirus serving them well as an enabler for their activities. They are still riding the wave of the epidemic. Our Global Threat Index for January 2020 shows cyber-criminals are exploiting interest in the global epidemic to spread malicious activity, with several spam campaigns relating to the outbreak of the virus."

DDoS Attacks on the Gaming Giant Blizzard Causing Worldwide Service Disruption


Adding to the frustrations of users stuck at home during the COVID-19 work-from-home period, hackers have hit gaming giant Blizzard with a massive DDoS attack, causing worldwide service disruption.

The attack reportedly took place on March 18th at around 2:20 AM (GMT), when Blizzard users took to Twitter to report the issue; Blizzard's Customer Support handle on Twitter also confirmed that it was suffering DDoS attacks.

The company further clarified that it is “currently investigating an issue affecting our authentication servers, which may result in failed or slow login attempts.”

According to DownDetector's live map, Blizzard is still suffering the effects of the attack, particularly in the US, Israel, Bahrain, Iraq, China, Singapore, Malaysia, Denmark and several other countries.
Image credit: Down Detector’s live map


It is still unclear whether the DDoS attack has stopped, as there has been no update tweet from the company. It is worth noting that Blizzard is home to some of the most popular games, including World of Warcraft, Overwatch, Heroes of the Storm and Diablo Immortal.

The gaming giant has a strong customer base of more than 32 million active users worldwide. Separately, EA Sports, a division of Electronic Arts, is also suffering a worldwide service outage.

It is unclear whether this is the result of a DDoS attack or of internal technical problems, but there have been numerous tweets from EA Sports customers complaining about lag and connectivity issues.

According to DownDetector's live map, EA Sports is still experiencing lag in the US, United Kingdom, France, Spain, Denmark, Japan, Israel and elsewhere.

Image credit: Down Detector’s live map


In any case, attacking Blizzard is unlikely to be a smart move; users are encouraged to stay tuned for further news about the attack.

Hackers launch DDoS Attacks to Target Australian Banks


Hackers are threatening banks with DDoS attacks unless they pay large sums in Monero. Since last week, banks and other organizations in Australia's financial sector have been the target of DDoS extortion campaigns.

A hacker group is extorting the victims for large ransoms, threatening to conduct a DDoS (Distributed Denial of Service) attack unless it is paid in the cryptocurrency Monero (XMR). The ACSC (Australian Cyber Security Centre) has issued a security alert to inform the public about the threat. According to the ACSC, the hackers have not launched any attacks so far, nor have there been any reports of DDoS attacks, and the current evidence supports this.


DDoS Campaign Began in 2019 

The global Ransom Denial of Service (RDoS) campaign that began in October 2019 is behind the threats against Australian financial organizations. According to ZDNet, earlier ransom efforts targeted financial companies and the banking sector, but over time the attacks expanded to other industries. Victims of the ransom threats include the banking sector in South Africa and Singapore, the telecom sector in Turkey, ISPs in South Africa and gambling websites in South Asian countries.

The ransom demands continued, and the attackers systematically extended the campaign to 10 countries around the world. Not all of the attacks succeeded, as it would have been nearly impossible to launch a full-scale DDoS attack against every target, but ZDNet confirms that numerous attacks launched as part of the campaign were successful.

The Group Keeps Changing Names

The group behind these threats keeps changing its name to avoid identification by the authorities. At first it used the name Fancy Bear, the Russian hacking group responsible for the 2014 White House attack and the 2016 DNC hack. It then used Cozy Bear, another Russian hacking group also notorious for the 2016 DNC attack.

Chinese Cyber-attack Hit Telegram Amidst Hong Kong Protests


Telegram, a secure messaging app, was recently bombarded by a network of computers in China, following protests sparked by the Hong Kong government's plans to pass a new law.

On Tuesday night, as the protesters gathered near Hong Kong's Legislative Building, the authorities arrested the administrator of a Telegram chat group with approximately 20,000 members, even though he was not at the protest site.

The law proposed by the Hong Kong government would allow individuals in the city to be 'extradited' to mainland China, where the court system is closed to public scrutiny and tightly controlled by the Communist Party.

The unusual measures taken by the Hong Kong authorities suggest that the police have opened their own front against the protesters by constraining digital communication.

The protesters were using modern networking tools to rally their ranks, share safety tips and organize supplies of food and drink, even as they took steps to hide their identities. The authorities responded by tracking them where they plan their moves, suggesting they are taking cues from the way China polices the internet.

Protesters and police officers alike have brought a new technological savvy to the standoff.

Lokman Tsui, a professor at the School of Journalism and Mass Communication at the Chinese University of Hong Kong, shared his view of the situation: “We know the government is using all kinds of data and trails to charge people later on. This is why people are minimizing their footprints as much as possible; they are being much more conscious and savvy about it.”

The police used tear gas as protesters approached the Legislative Council building in Hong Kong on Wednesday. Protesters used the Telegram app to organize, but the police were watching.

Telegram said on its Twitter account that it was able to stabilize its services shortly after the attack began. It described the overwhelming traffic as a DDoS attack, in which servers are flooded with requests from a coordinated network of computers.

Many of these protesters appear to be college-aged and digitally adept. They went to considerable lengths to avoid being arrested or digitally tracked. To travel to and from the protests, many queued to buy single-ride subway tickets rather than using their digital payment cards, which can be traced. Some even confronted the police with their faces covered by hats and masks, giving them anonymity as well as some protection from the tear gas.

Beijing, however, has been accused in the past of attacks intended to silence political speech outside mainland China's borders.

“The bottom line is whether to trust Beijing,” said Dr. Tsui, the communications professor. “This is a government that routinely lies to its own citizens, that censors information, that doesn’t trust its own citizens. You can’t ask us to trust you if you don’t trust us.”

“These kids that are out there, all the young people, they’re smart,” he added. “They know not to trust Beijing.”

The event, however, presents no new challenge for Telegram, which has been used in widespread protests before and has faced numerous government crackdowns. Leading examples of countries that have banned or blocked its use include Russia and Iran.

Telegram hit by DDoS attack

Telegram, one of the most secure messaging apps, was hit by a "powerful" distributed denial-of-service (DDoS) attack on Wednesday morning.

The app was down for many users across the globe, but people in the United States were most badly affected by this attack, according to DownDetector.

The company said in a tweet, ‘We’re currently experiencing a powerful DDoS attack, Telegram users in the Americas and some users from other countries may experience connection issues.’

The app was down for just a little over an hour, and in the meantime, the company tweeted an explanation of how a DDoS attack works.

"Imagine that an army of lemmings just jumped the queue at McDonald's in front of you – and each is ordering a whopper," Telegram tweeted. "The server is busy telling the whopper lemmings they came to the wrong place – but there are so many of them that the server can't even see you to try and take your order."

The firm went on to describe how attackers carry out a DDoS attack.

"To generate these garbage requests, bad guys use 'botnets' made up of computers of unsuspecting users which were infected with malware at some point in the past. This makes a DDoS similar to the zombie apocalypse: one of the whopper lemmings just might be your grandpa," the company said in another tweet.

Telegram said that all users’ data was safe and that no data was compromised during the attack.

"There's a bright side: All of these lemmings are there just to overload the servers with extra work – they can't take away your Big Mac and Coke," the company tweeted.

Telegram declined to respond to a request for comment.

The Dark Side of Kremlin - The Catalogue of Russian Data Leaks: All You Need To Know

Thousands of Russian emails and documents were leaked online in late January in a catalogue named “The Dark Side of Kremlin”.


The catalogue was published by a “transparency collective” which goes by the name of “Distributed Denial of Secrets”.

The group, abbreviated DDoS, comprises an anonymous collection of journalists, researchers, tech experts and activists.

The documents contain private information about many of Russia's most powerful figures, including politicians, religious figures and the military.

The DDoS group says that its only job is to provide information to those who need it; whether the information strengthens suspicions hardly matters.

They also said that the collection, including emails, chat logs and attachments, was hacked a few years ago by several hacking groups in Russia and Ukraine.

The Cyber Junta, the Russian hackers Shaltai-Boltai, the Ukrainian Cyber Alliance and other international parties were among those named.

The information leaked includes private documents and emails from the Ministry of Defense, the Russian Presidential Administration and other high-level political operatives.

Russia’s Prime Minister Dmitry Medvedev’s phone was hacked and his holiday pictures were uploaded online.

The Russian president’s chef, who controls companies that cater lavish Kremlin banquets, also had his private notes exposed in the leak.

The leak also includes the chef's detailed personal notes on conversations between Putin and European leaders from Italy and Britain.

The most revealing hacks were those from the Russian Presidential Administration, which have made the Russian government a little more “transparent”.

The leak includes details of how the government controls the Russian media and the way it transmits its messages.

The most concerning part is that no one knows for sure how much and what kinds of information have been laid out bare in the open.

The leaks also provide insight into relations between Ukraine and Russia.

The inner workings of Russia’s proxies and other insidious groups have also been brought to light.

DDoS had suffered a wipe of its servers, making it imperative to upload the data quickly to prevent it from being censored.

Reportedly, the leak should not be seen as revenge for anything that happened before; it was simply an attempt at transparency.

A lot of the information in the leaks was already available on the web, but the massive leak has spawned many new investigations.

This Russian document leak has prompted a shift in how seriously countries take their cyber-security.

Analyzing these leaks could lead Russia to adopt a new way of securing the web and its Presidential Administration.

The government has already begun attending to its cyber-security vigilantly, and all the loopholes will soon be closed.

Attackers Use UPnP Features to Make DDoS Attacks Harder to Detect

Security researchers continue to observe DDoS attacks that use the UPnP features of home routers to modify network packets, making the attacks harder to detect and mitigate with classic solutions.

Researchers from Imperva detailed the first instance of this new technique, UPnP port masking, a month ago.

Imperva staff reported that some DDoS botnets had begun using the UPnP protocol found on home routers to bounce DDoS traffic off the router while changing the traffic's source port to an arbitrary number.

Because the source port was changed, older DDoS mitigation systems that relied on reading this field to block incoming attacks began failing left and right, allowing the DDoS attacks to reach their intended targets.

Newer DDoS mitigation systems based on deep packet inspection (DPI) can identify attacks that use randomized source ports, but they are also more expensive for users and slower, taking more time to detect and stop attacks.

Back in May, researchers at Imperva said they had seen botnets carrying out DDoS attacks via the DNS and NTP protocols while using UPnP to disguise the traffic as originating from random ports rather than port 53 (DNS) or port 123 (NTP).

At the time, Bleeping Computer predicted that the technique would become more popular among botnet authors. That prediction came true yesterday, when Arbor Networks reported observing similar DDoS attacks that used the UPnP protocol, this time to mask SSDP-based DDoS attacks.

SSDP DDoS attacks that would previously have been easily mitigated by blocking incoming packets from port 1900 were harder to spot, as most of the traffic came from random ports rather than just one.

This UPnP-based port masking technique is clearly spreading among DDoS operators. DDoS mitigation providers will have to adapt if they want to stay in business, and organizations will need to invest in upgraded protections if they want to stay afloat amid these new, more dangerous DDoS attacks.
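The difference between the port-based filtering that port masking defeats and the DPI-based mitigation that survives it comes down to what the filter looks at. The script below is an added example, not code from Imperva, Arbor Networks or Bleeping Computer: it classifies reflected DNS, NTP monlist and SSDP responses from their payload structure alone, then runs both a port-only rule and the payload rule over the same constructed packets so the gap is visible. The byte layouts it checks are the standard DNS header, the NTP mode 7 private-request header, and the HTTP headers of an SSDP M-SEARCH reply; the packets and addresses are constructed samples.

```python
"""Classify reflected amplification responses by payload, not by UDP source port.

Added example, not code from Imperva, Arbor Networks or Bleeping Computer. Port-based
filtering (drop replies from 53, 123, 1900) misses traffic that UPnP port masking has
moved to random ports; checking the payload is the principle behind the DPI mitigation
the article describes. All packets below are constructed samples.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    payload: bytes


# All a port-only filter knows: the well-known service port of each reflector.
PORT_RULES = {1900: "ssdp", 123: "ntp-monlist", 53: "dns"}


def _looks_like_dns_response(p: bytes) -> bool:
    """DNS header with QR=1, standard opcode and one question whose name parses cleanly."""
    if len(p) < 17:
        return False
    flags = int.from_bytes(p[2:4], "big")
    qd, an, ns, ar = (int.from_bytes(p[i:i + 2], "big") for i in (4, 6, 8, 10))
    if not (flags & 0x8000) or ((flags >> 11) & 0xF) != 0 or qd != 1:
        return False
    off = 12
    while True:  # walk the question name: length-prefixed labels ending in a zero byte
        if off >= len(p):
            return False
        label_len = p[off]
        if label_len == 0:
            off += 1
            break
        if label_len > 63:  # also rejects compression pointers, which a question never uses
            return False
        off += 1 + label_len
    return off + 4 <= len(p) and an + ns + ar >= 1


def classify_udp_payload(payload: bytes):
    """Return 'ssdp', 'ntp-monlist' or 'dns' for a reflected response, else None."""
    if payload.startswith(b"HTTP/1.1 200 OK\r\n"):
        head = payload.split(b"\r\n\r\n", 1)[0].lower()
        if b"\r\nst:" in head and b"\r\nusn:" in head:  # headers of an M-SEARCH reply
            return "ssdp"
    # NTP mode 7 (private): low 3 bits = 7, bit 7 = response, byte 3 = request code 42 (MON_GETLIST_1)
    if len(payload) >= 8 and (payload[0] & 0x07) == 7 and (payload[0] & 0x80) and payload[3] == 42:
        return "ntp-monlist"
    if _looks_like_dns_response(payload):
        return "dns"
    return None


def detect_by_port(packets):
    """Legacy rule: flag only packets whose source port is a known reflector service port."""
    return Counter(PORT_RULES[p.src_port] for p in packets if p.src_port in PORT_RULES)


def detect_by_payload(packets):
    """DPI-style rule: flag packets whose payload is a reflected response, whatever the port."""
    hits = Counter()
    for p in packets:
        kind = classify_udp_payload(p.payload)
        if kind:
            hits[kind] += 1
    return hits


SSDP_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nST: upnp:rootdevice\r\n"
              b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
              b"LOCATION: http://192.0.2.10:1900/desc.xml\r\n\r\n")
NTP_MONLIST_REPLY = b"\xd7\x00\x03\x2a\x00\x06\x00\x48" + b"\x00" * 72  # 6 items of 72 bytes
DNS_REPLY = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"       # id, flags QR|RD|RA, counts
             b"\x07example\x03com\x00\x00\x01\x00\x01"                # question example.com A IN
             b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x01")  # A 192.0.2.1
GAME_QUERY = b"\xff\xff\xff\xffTSource Engine Query\x00"  # benign game traffic, must stay unflagged

SAMPLE_PACKETS = [
    Packet("198.51.100.1", 1900, "203.0.113.10", SSDP_REPLY),   # classic, from the service port
    Packet("198.51.100.2", 41234, "203.0.113.10", SSDP_REPLY),  # same reply, source port masked
    Packet("198.51.100.3", 123, "203.0.113.10", NTP_MONLIST_REPLY),
    Packet("198.51.100.4", 50000, "203.0.113.10", NTP_MONLIST_REPLY),
    Packet("198.51.100.5", 53, "203.0.113.10", DNS_REPLY),
    Packet("198.51.100.6", 61000, "203.0.113.10", DNS_REPLY),
    Packet("198.51.100.7", 27015, "203.0.113.10", GAME_QUERY),
]

if __name__ == "__main__":
    print("port-based   :", dict(detect_by_port(SAMPLE_PACKETS)))
    print("payload-based:", dict(detect_by_payload(SAMPLE_PACKETS)))
```

The port rule sees three of the six reflected responses; the payload rule sees all six and still leaves the game query alone. The cost the article mentions is visible in the code as well: the payload path parses every packet, which is why DPI-based mitigation is slower and more expensive than a port match.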