
341% Surge in DDoS Attacks During the Epidemic

 

According to Nexusguard's Annual Threat Report 2020, the pandemic coincided with a 341 percent year-over-year spike in distributed denial of service (DDoS) attacks, aimed at the sectors that provided connectivity, services, and entertainment to populations compelled to shelter at home.

The enormous shift in online behavior and dependence on connectivity has stretched the communications service providers (CSPs) and ISPs that supply the backbone for remote operation. It has also brought ransom DDoS (RDDoS) attacks, in which companies are extorted for payment in exchange for being allowed to stay online.

Juniman Kasman, CTO for Nexusguard said, “During 2020, the pandemic forced a complete shift in how the world lived and worked, and attackers were ready to take full advantage of the situation, adeptly targeting connectivity and entertainment providers.” 

With lockdowns and worldwide social distancing measures, online gaming and Internet dependency flourished in 2020, and both became tempting targets for attackers. Attack motivations include economic and political gain, retaliation, cyberwar, and even personal amusement.

Analysts expect RDDoS attacks to grow by 30 percent over the next year, driven in particular by the prominence of cryptocurrencies. Meanwhile, smaller attacks (under 10 Gbps) will soon make up 99% of all DDoS attacks, as they remain hard to detect and cheap to launch.

“With attackers using stealthier, smaller attacks increasing in complexity, CSPs and enterprises will need deep learning, multidimensional DDoS detection, and other advanced techniques to avoid outages,” Kasman added.  

The research shows that CSPs, and ISPs in particular, continue to be affected by sophisticated bit-and-piece attacks, which drip junk traffic across a huge pool of IP addresses so that no single destination stands out. In 2020, 301 CSPs in 23 countries were struck by bit-and-piece attacks.

Researchers warn that these newer, evasive DDoS attacks will cause catastrophic disruptions for CSPs and other businesses that rely on threshold-based and signature-based detection methods.

A denial of service attack is a cyber-attack in which the attacker aims to disrupt, temporarily or permanently, the operations of a host connected to the Internet by making a computer or network resource unavailable to its intended users.

TsuNAME: New DNS Bug could be used to DDoS Authoritative DNS Servers


Security researchers have found a serious domain name system (DNS) flaw that attackers could use to conduct distributed denial-of-service attacks on authoritative DNS servers. The bug, dubbed TsuNAME, was discovered by researchers from SIDN Labs and InternetNZ. It enables a large reflection-based distributed denial of service (DDoS) amplification against authoritative DNS servers.

Authoritative DNS servers translate web domains such as www.google.com into IP addresses such as 64.233.160.0. To understand the context of the vulnerability and its effects, one must distinguish between an authoritative and a recursive DNS server.

Authoritative DNS servers are usually operated by government and private-sector organizations, including Internet Service Providers (ISPs) and global tech giants. Attackers exploiting TsuNAME target vulnerable recursive resolvers, which then overload authoritative servers with large numbers of DNS queries.

"Resolvers vulnerable to TsuNAME will send non-stop queries to authoritative servers that have cyclic dependent records," the researchers explain in their security advisory. 

"While one resolver is unlikely to overwhelm an authoritative server, the aggregated effect from many looping, vulnerable recursive resolvers may as well do." 

One potential effect of such an attack is that authoritative DNS servers are taken down, which could cause a country-wide Internet outage if a country code top-level domain (ccTLD) is affected. What makes TsuNAME especially dangerous, according to the researchers, is that it could be used to perform DDoS attacks on critical DNS infrastructure and services such as large TLDs or ccTLDs, potentially impacting an entire country's resources.

"We observed 50% traffic increases due to TsuNAME in production in .nz traffic, which was due to a configuration error and not a real attack," the researchers added. 

TsuNAME also caused incidents at an EU-based ccTLD, where incoming DNS traffic rose by a factor of 10 because of just two domains misconfigured with a cyclic dependency. An attacker with access to several domains and a botnet could cause even more damage by misconfiguring their domains and querying open resolvers.

Authoritative server operators can also reduce the impact of TsuNAME by using the open-source CycleHunter tool, which detects cyclic dependencies in their DNS zones so that they can be fixed pre-emptively, before they cause incidents.
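As an added illustration (not code from the advisory or from CycleHunter), the following script finds zones whose NS records form the cyclic dependency TsuNAME relies on, using a constructed delegation table; the zone names under .example are made up, and in-bailiwick nameservers are assumed to have glue.

```python
"""
Find DNS zones whose NS records form a cyclic dependency.

A zone is resolvable when at least one of its nameservers can be reached:
it is in-bailiwick (glue assumed), it lives in a zone we do not model
(assumed healthy), or it lives in a zone already shown to be resolvable.
Zones that never become resolvable are on a cycle or depend on one.
"""
from typing import Dict, List, Optional, Set

# Constructed delegations: zone -> nameserver hostnames (all made up).
DELEGATIONS: Dict[str, List[str]] = {
    "good.example": ["ns1.good.example", "ns2.other.example"],  # in-bailiwick glue
    "a.example": ["ns.b.example"],                   # a needs b ...
    "b.example": ["ns.a.example"],                   # ... and b needs a: a cycle
    "c.example": ["ns.a.example", "ns2.b.example"],  # depends on the cycle
}


def zone_of(hostname: str, zones: Set[str]) -> Optional[str]:
    """Return the most specific modelled zone that hostname falls under."""
    labels = hostname.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def find_unresolvable_zones(delegations: Dict[str, List[str]]) -> Set[str]:
    """Zones that cannot be resolved from any of their nameservers."""
    zones = set(delegations)
    resolvable: Set[str] = set()
    changed = True
    while changed:  # fixed point: each pass can only add resolvable zones
        changed = False
        for zone, nameservers in delegations.items():
            if zone in resolvable:
                continue
            for ns in nameservers:
                parent = zone_of(ns, zones)
                # external (unmodelled), in-bailiwick, or already resolvable parent
                if parent is None or parent == zone or parent in resolvable:
                    resolvable.add(zone)
                    changed = True
                    break
    return zones - resolvable


def zones_on_cycle(delegations: Dict[str, List[str]]) -> Set[str]:
    """Subset of unresolvable zones that lie on a cycle (can reach themselves)."""
    stuck = find_unresolvable_zones(delegations)
    graph: Dict[str, Set[str]] = {z: set() for z in stuck}
    for zone in stuck:
        for ns in delegations[zone]:
            parent = zone_of(ns, stuck)
            if parent is not None and parent != zone:
                graph[zone].add(parent)
    on_cycle: Set[str] = set()
    for start in stuck:
        todo, seen = list(graph[start]), set()
        while todo:
            node = todo.pop()
            if node == start:
                on_cycle.add(start)
                break
            if node not in seen:
                seen.add(node)
                todo.extend(graph[node])
    return on_cycle


if __name__ == "__main__":
    print("unresolvable:", sorted(find_unresolvable_zones(DELEGATIONS)))
    print("on a cycle:  ", sorted(zones_on_cycle(DELEGATIONS)))
```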

Russia Accused by Ukraine for Major Cyber Attacks

 

On Monday, Ukraine alleged that major attacks had been launched against Ukrainian security and defense websites from unidentified Russian Internet networks, but did not give specifics of any losses or say who it believed was responsible. Kyiv has previously accused Moscow of major cyberattacks against Ukraine as part of a "hybrid war," which Russia denies.

“Kyiv has previously accused Moscow of orchestrating large cyber attacks as part of a “hybrid war” against Ukraine, which Russia denies. However, a statement from Ukraine’s National Security and Defense Council did not disclose who it believed organized the attacks or give any details about the effect the intrusions may have had on Ukrainian cybersecurity,” Reuters reported.

The statement from Ukraine's National Security and Defense Council, however, did not say who it believed coordinated the attacks, nor did it give specifics about the consequences the intrusions may have had. According to the statement, the attacks began on Feb. 18 and targeted websites belonging to the Security Service of Ukraine, the Council itself, and several other state agencies and strategic businesses.

“It was revealed that addresses belonging to certain Russian traffic networks were the source of these coordinated attacks,” the Council said. 

“The council added the attacks attempted to infect vulnerable government web servers with a virus that covertly made them part of a botnet used for so-called distributed-denial-of-service (DDoS) attacks on other resources,” concludes Reuters. 

The Council reported that the attacks aimed to infect vulnerable state web servers with malware that would turn them into part of a DDoS botnet. A DDoS attack is a cyber attack in which attackers try to flood a network with an extraordinary amount of traffic in order to paralyze it.

"It is obvious that it's connected with the latest pro-active efforts by the Service toward protecting national interests and countering Russia, which has been waging its hybrid war against Ukraine, including in the information domain," the official said. Russia and Ukraine have been at loggerheads since Russia annexed Crimea from Ukraine in 2014 and took part in the continuing war in the eastern Donbass region of Ukraine.

UK Cryptocurrency Exchange EXMO Suffers a 'Massive' DDoS Assault

 

EXMO, a British cryptocurrency exchange, was targeted in a distributed denial-of-service (DDoS) attack. As a precautionary measure the company temporarily shut down its servers. In a notification, the company said it suffered the attack on February 15 and that its website was offline for two hours.

EXMO’s spokesperson said that previous DDoS assaults had only affected the website, but that this attack was quite different in its potency: it drove 30 GB of traffic per second and affected the whole network, including the website, the API, the Websocket API, and the exchange charts. The assault was mitigated with the help of the DDoS protection provider Qrator, and the company has also strengthened its security to avoid further damage.

This was the second assault on the company in two months. On December 24, threat actors attacked the company and stole 5% of EXMO’s assets from its ‘hot’ wallets; the company later confirmed a loss of about $4 million in customer cryptocurrency. There is currently no proof of the motives behind the two attacks, but it is suspected that, with the bitcoin price hitting record highs, threat actors tried to cash in on the higher value of the stolen assets.

EXMO released an update regarding the developments in an investigation wherein they mentioned, “Our team is currently developing a new infrastructure for hot wallets. Since each blockchain needs a separate server, the process will take some time, once deposits and withdrawals are available, you will have to generate a new wallet address in the ‘Wallet’ section of your account. Our investigation is ongoing, and we are taking all necessary and precautionary measures to prevent such incidents from reoccurring.” 

The company was launched in 2013 and is headquartered in London. Because of Britain’s exit from the European Union, EXMO chose to establish new European bases as part of a contingency plan. The company was registered with the UK Financial Conduct Authority (FCA) for a brief stint as a crypto asset business until July 9th, 2021, following a request submitted back in April 2020.

EXMO has expanded its reach outside the UK in a very short span of time and the company’s offices are in Kyiv, Barcelona, Moscow, and Istanbul.

DDoS Attacks increase by 154% in 2020 states Neustar

 

A Distributed Denial of Service (DDoS) attack is a cyber attack on a specific server or network that attempts to disrupt its normal operation. It does so by flooding the targeted network or server with a constant stream of traffic, such as fraudulent requests, which overwhelms the system and denies service to legitimate traffic.

In the past few years DDoS attacks have doubled, reflecting a significant rise in attempts by attackers to threaten victims with such attacks unless a ransom is paid. Security analysts at Neustar (a global information services and technology company and a leader in identity resolution) studied cyber threats and illegal activity and found that the number of DDoS attacks rose by 154 percent between 2019 and 2020. The hardest-hit sectors were financial services, telecommunications, and government. The figure reflects the rising number, frequency, and severity of network-level cyber-attacks as remote operations moved companies online and increased employees' dependence on the Internet.

DDoS attacks are emerging even more frequently now. One important reason they have become more common is that they are fairly easy to carry out, even for low-level cybercriminals. The rise in smaller DDoS attacks has been accompanied by rising attack sophistication and intensity.

Instead of relying on ransomware or other malware to hold a network hostage, ransom DDoS attackers simply threaten the victim with an attack if the payment, usually requested in bitcoin, is not received in time. To convince the victim to pay, the offenders frequently give a preview of what could come in the form of a short-lived DDoS attack. All that the attackers require is a botnet to flood the target network with traffic, which can be rented cheaply on underground forums.

"Organisations should avoid paying these ransoms. Instead, any attack should be reported to the nearest law enforcement field office, as the information may help identify the attackers and ultimately hold them accountable," said Michael Kaczmarek, vice president of security product management at Neustar. 

Even under the threat of being taken offline, organisations are advised not to give in to the criminals' demands, so that ransom-driven DDoS attacks are contained to some extent.

NZX Underwent Power Outage Caused Due to Multiple Cyberattacks, Trading Halted


New Zealand’s stock exchange came to an abrupt halt after being hit by cyberattacks multiple times over a week, which blocked access to its website and caused a major outage; the cause was a distributed denial of service (DDoS) attack from overseas, initially attributed to state-backed adversaries.

The unknown attackers commanded a group of computers to bombard the NZX website with connection requests, overloading the exchange’s servers and taking its website down.

The systems used to launch the attack probably belonged to innocent businesses whose machines had earlier been compromised by malware. The owners of these compromised computers were most likely unaware that they had been hijacked to take part in a cyberattack.

On Wednesday, the Wellington-based NZX exchange issued a statement wherein they explained how the Tuesday attack affected their websites and the market announcement platform. Blaming the attack on overseas adversaries, the NZX said that it had “experienced a volumetric DDoS attack from offshore via its network service provider, which impacted NZX network connectivity”.

“A DDOS attack aims to disrupt service by saturating a network with significant volumes of internet traffic. The attack was able to be mitigated and connectivity has now been restored for NZX,” the exchange further said.

Commenting on the matter, Dr. Rizwan Asghar of the school of computer science at Auckland University said that it was difficult to trace the source of such a cyberattack, as the threat actors tend to hide their IP addresses.

To combat the attacks, NZX sought help from New Zealand’s spy agency, the Government Communications Security Bureau (GCSB). By Friday the GCSB had put together a group to investigate the matter, which concluded that the motivation behind the DDoS attack appeared to be financial rather than political, as some had claimed.

The investigation's findings played down the involvement of state-backed actors in the attacks, stating: "The nature of this tends to be a criminal activity rather than state-backed. You can't rule it out but it's more likely than not to be criminal activity."

Over 500 SSH Servers being Breached by FritzFrog P2P Botnet


Cyberspace has seen an unprecedented rise in modified versions of peer-to-peer (P2P) threats. It might have appeared that P2P services were vanishing, but in reality they have re-emerged even stronger in newer forms; BitTorrent and eMule are still known to be used by attackers.

A peer-to-peer (P2P) network is an IT infrastructure in which two or more computers agree to share resources such as storage, bandwidth and processing power with one another. Besides file sharing, it also allows access to devices like printers without going through separate server software. A P2P network should not be confused with the client-server networks traditionally used, in which the client does not contribute resources to the network.

Researchers at Guardicore recently discovered a sophisticated peer-to-peer (P2P) botnet called FritzFrog, active since January 2020, that breaches SSH servers. It is a modular worm written in Golang; it is multi-threaded, fileless, and runs entirely in memory, leaving no trace on the infected system’s disk.

It has a decentralized infrastructure that distributes control among all its nodes. The network uses AES for symmetric encryption and the Diffie-Hellman protocol for key exchange, carrying out P2P communication over an encrypted channel.

So far the researchers have found more than 20 malware samples, and FritzFrog has attempted to brute-force over 500 SSH servers belonging to educational institutions, government institutions, telecom organizations, banks, and medical centers worldwide. The campaign also targeted some well-known higher-education institutions in the United States and Europe, along with a railway firm.

Recent attack trends show botnets being leveraged for DDoS attacks and other malicious activities. Earlier, in June this year, the Mozi malware was seen exploiting IoT devices, mainly DVRs and routers; its operators combined code from several malware families, namely Mirai, Gafgyt and IoT Reaper, to build a botnet capable of DDoS attacks, command or payload execution, and data exfiltration.

“FritzFrog’s binary is an advanced piece of malware written in Golang. It operates completely in-memory; each node running the malware stores in its memory the whole database of targets and peers,” according to Guardicore’s report.

“FritzFrog takes advantage of the fact that many network security solutions enforce traffic only by the port and protocol. To overcome this stealth technique, process-based segmentation rules can easily prevent such threats.”

“Weak passwords are the immediate enabler of FritzFrog’s attacks. We recommend choosing strong passwords and using public key authentication, which is much safer. In addition, it is crucial to remove FritzFrog’s public key from the authorized_keys file, preventing the attackers from accessing the machine. Routers and IoT devices often expose SSH and are thus vulnerable to FritzFrog; consider changing their SSH port or completely disabling SSH access to them if the service is not in use,” the report further read.
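The check behind the advice to remove an unexpected public key from authorized_keys, as an added example that is not Guardicore's code: audit every key in the file against an allow-list of fingerprints. The sample keys are constructed stand-ins, not FritzFrog's real key.

```python
"""
Audit an authorized_keys file against an allow-list of known key fingerprints.
Any key that is not on the list, or whose blob does not match its declared
type, is reported so an operator can remove it.
"""
import base64
import hashlib
import struct
from typing import Dict, List, Optional, Set, Tuple

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss"}


def parse_authorized_keys(text: str) -> List[Tuple[str, str, str]]:
    """Return (declared key type, base64 blob, comment) for each key line.
    Options such as command="..." may precede the key type; a plain split
    is enough to locate the key-type token that follows them."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # malformed line; a stricter audit could report it
        comment = " ".join(tokens[idx + 2:])
        entries.append((tokens[idx], tokens[idx + 1], comment))
    return entries


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of the digest, no padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def wire_key_type(blob_b64: str) -> Optional[str]:
    """Key type embedded in the blob: a length-prefixed string at offset 0."""
    raw = base64.b64decode(blob_b64)
    if len(raw) < 4:
        return None
    (length,) = struct.unpack(">I", raw[:4])
    if len(raw) < 4 + length:
        return None
    return raw[4:4 + length].decode("ascii", "replace")


def audit(text: str, allowed: Set[str]) -> List[Dict[str, str]]:
    """Report every key that is not allow-listed or is internally inconsistent."""
    findings = []
    for declared, blob, comment in parse_authorized_keys(text):
        fp = fingerprint(blob)
        embedded = wire_key_type(blob)
        if embedded != declared:
            reason = f"declared {declared} but blob says {embedded}"
        elif fp not in allowed:
            reason = "not in allow-list"
        else:
            continue
        findings.append({"fingerprint": fp, "comment": comment, "reason": reason})
    return findings


def make_test_blob(key_type: str, material: bytes) -> str:
    """Constructed key blob in SSH wire format (not a real, usable key)."""
    wire = (struct.pack(">I", len(key_type)) + key_type.encode()
            + struct.pack(">I", len(material)) + material)
    return base64.b64encode(wire).decode()


ALLOWED_BLOB = make_test_blob("ssh-ed25519", b"\x01" * 32)
ROGUE_BLOB = make_test_blob("ssh-rsa", b"\x02" * 64)
ALLOW_LIST = {fingerprint(ALLOWED_BLOB)}

# Constructed authorized_keys content: one expected key, one that is not.
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample file
ssh-ed25519 {ALLOWED_BLOB} admin@workstation

command="/usr/bin/backup",no-pty ssh-rsa {ROGUE_BLOB} unknown
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_AUTHORIZED_KEYS, ALLOW_LIST):
        print(finding)
```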

New Network Protocols Abused To Launch Large-Scale Distributed Denial of Service (DDoS) Attacks


Last week the Federal Bureau of Investigation issued an alert warning that newly identified network protocols are being exploited to launch large-scale distributed denial of service (DDoS) attacks. 

The alert lists three network protocols and one web application as newly discovered DDoS attack vectors.  

The list comprises CoAP (Constrained Application Protocol), WS-DD (Web Services Dynamic Discovery), ARMS (Apple Remote Management Service), and the Jenkins web-based automation software. 

Three of the four (CoAP, WS-DD, ARMS) have already been exploited in the wild to launch massive DDoS attacks, the FBI said, citing ZDNet's previous reporting. 


CoAP 

In December 2018, cyber actors began exploiting the multicast and command transmission features of the Constrained Application Protocol (CoAP) to conduct DDoS reflection and amplification attacks, achieving an amplification factor of 34, according to open-source reporting. 

WS-DD 

In May and August 2019, cyber actors abused the Web Services Dynamic Discovery (WS-DD) protocol to launch more than 130 DDoS attacks, some exceeding 350 Gigabits per second (Gbps), in two separate waves of attacks, according to open-source reporting. 

ARMS 

In October 2019, cyber actors abused the Apple Remote Management Service (ARMS), a part of the Apple Remote Desktop (ARD) feature, to conduct DDoS amplification attacks, according to open-source reporting. 

Jenkins 

In February 2020, UK security researchers identified a vulnerability in the built-in network discovery protocols of Jenkins servers (free, open-source automation servers used to support the software development process) that cyber actors could exploit to conduct DDoS amplification attacks, according to open-source reporting. 

FBI officials believe these new DDoS vectors will continue to be exploited to cause downtime and damage for the 'foreseeable future'. 

The purpose of the alert is to warn US companies of the 'imminent danger', so that they can invest in DDoS mitigation systems and build partnerships with their internet service providers to respond quickly to any attacks using these new vectors. 

So far, these four new DDoS attack vectors have been used only sporadically; however, industry experts expect them to become widely abused by DDoS-for-hire services.
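A detection pass a defender could run over flow records for the four vectors above, added here as an example rather than anything from the alert: the flow records are constructed, and the service ports are my own mapping from each protocol's well-known UDP port.

```python
"""
Flag inbound UDP traffic that looks like reflection from CoAP, WS-DD, ARMS
or Jenkins discovery: replies from many distinct hosts on the service port,
adding up to a lot of bytes, that the receiving host never requested.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Well-known UDP ports of the services named in the alert (my mapping).
REFLECTOR_PORTS: Dict[int, str] = {
    5683: "CoAP",
    3702: "WS-DD",
    3283: "ARMS",
    33848: "Jenkins discovery",
}


def flow(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
         nbytes: int, proto: str = "udp") -> dict:
    """One NetFlow-style record (constructed, not captured)."""
    return {"proto": proto, "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port, "bytes": nbytes}


# Constructed records as seen at the edge of the 192.0.2.0/24 network.
SAMPLE_FLOWS: List[dict] = [
    # Legitimate: our host queries a CoAP endpoint and gets one reply.
    flow("192.0.2.10", 40000, "198.51.100.5", 5683, 60),
    flow("198.51.100.5", 5683, "192.0.2.10", 40000, 200),
    # Two unsolicited ARMS replies: suspicious, but below the thresholds.
    flow("198.51.100.20", 3283, "192.0.2.20", 80, 30000),
    flow("198.51.100.21", 3283, "192.0.2.20", 80, 30000),
] + [
    # Five WS-DD reflectors all answering 192.0.2.20, which never asked them.
    flow(f"203.0.113.{i}", 3702, "192.0.2.20", 80, 40000) for i in range(1, 6)
]


def detect_reflection(flows: List[dict], min_reflectors: int = 3,
                      min_bytes: int = 100_000) -> List[dict]:
    """One alert per (victim, service) whose inbound replies came from at
    least min_reflectors distinct hosts, total at least min_bytes, and
    include replies with no matching outbound query from the victim."""
    # Outbound queries we did send: (our_ip, reflector_ip, service_port).
    solicited: Set[Tuple[str, str, int]] = set()
    for f in flows:
        if f["proto"] == "udp" and f["dst_port"] in REFLECTOR_PORTS:
            solicited.add((f["src_ip"], f["dst_ip"], f["dst_port"]))

    stats = defaultdict(lambda: {"bytes": 0, "reflectors": set(), "unsolicited": 0})
    for f in flows:
        if f["proto"] != "udp" or f["src_port"] not in REFLECTOR_PORTS:
            continue
        entry = stats[(f["dst_ip"], REFLECTOR_PORTS[f["src_port"]])]
        entry["bytes"] += f["bytes"]
        entry["reflectors"].add(f["src_ip"])
        if (f["dst_ip"], f["src_ip"], f["src_port"]) not in solicited:
            entry["unsolicited"] += 1

    alerts = []
    for (victim, service), entry in stats.items():
        if (len(entry["reflectors"]) >= min_reflectors
                and entry["bytes"] >= min_bytes
                and entry["unsolicited"] > 0):
            alerts.append({"victim": victim, "service": service,
                           "reflectors": len(entry["reflectors"]),
                           "bytes": entry["bytes"],
                           "unsolicited": entry["unsolicited"]})
    return sorted(alerts, key=lambda a: a["bytes"], reverse=True)


if __name__ == "__main__":
    for alert in detect_reflection(SAMPLE_FLOWS):
        print(alert)
```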

Gothic Panda and Stone Panda: Chinese Hackers that Launched Mass Cyber Attacks on Indian Companies


Two hacking groups from China, named Gothic Panda and Stone Panda, have been identified as being behind the majority of the cyber attacks on Indian companies in June 2020. Mumbai Mirror was the first to report the incident, publishing a report on its website on 20th June. According to cybersecurity experts, both hacking groups are likely to work independently rather than being state-sponsored; however, they act in the interests of the Chinese government. An anonymous source told experts that the attacks were launched behind VPNs and proxy servers. After investigation, the attacks were traced to Gothic Panda and Stone Panda, officials say.

Chinese hackers launched more than 40,000 attacks. They used unique malware to obtain confidential data from the companies and later used that information for extortion. According to the reports, the hackers broke through the security of at least six private and public companies, including a government-regulated organization in Jammu and Kashmir and companies operating in New Delhi and Mumbai. The attacks were traced back to the south-western Chinese province of Sichuan. The attackers also attempted to take down websites of companies involved in banking and finance.

The hackers used DDoS (Distributed Denial of Service) attacks and Internet Protocol hijacking. Experts say these attacks, also called 'probes', look for vulnerabilities in a website's security. In one incident where the hackers managed to crash a website, its home page was defaced and the content replaced with text in a foreign language. Experts say there were no other successful probes apart from this incident.

In a DDoS attack, the attacker tries to overwhelm a network resource such as a website. For example, if a website's hosting provider can handle 5000 requests per second, the attackers will flood it with 5,00,000 requests per second and crash the site. In an Internet Protocol hijack, by contrast, the attacker tries to divert the flow of traffic; in this case, Internet traffic was diverted through China for surveillance purposes.

DDoSecrets Banned From Twitter ; But Has No Plans To Slow Down



For the past year and a half, a rather small group of activists known as Distributed Denial of Secrets, or DDoSecrets, has quietly but consistently released a flood of hacked and leaked documents, from Russian oligarchs' emails to the stolen communications of Chilean military leaders to shell company databases.

A few weeks ago, the group released its most prominent leak yet: BlueLeaks, a 269-gigabyte collection of approximately a million police files provided to DDoSecrets by a source aligned with the hacktivist group Anonymous, spanning emails, audio files, and interagency updates pulled from law enforcement "fusion centers," which serve as intelligence-sharing hubs. 

According to DDoSecrets, it represents the largest ever release of hacked US police data. It might make DDoSecrets known as the successor to WikiLeaks' mission (or at least the one it held in its earlier, more optimistic years) and the inheritor of its ceaseless battles against critics and censors. "Our role is to archive and publish leaked and hacked data of potential public interest," writes the group's co-founder, Emma Best, a longtime transparency activist, in a text message interview. "We want to inspire people to come forward, and release accurate information regardless of its source." 

As media attention grew around the BlueLeaks release, Twitter banned the group's account, citing a policy that prohibits the distribution of hacked data. 

The company followed up with a considerably more aggressive step, removing tweets that linked to the DDoSecrets website, which maintains a searchable database of all of its leaks, and retroactively suspending several accounts for linking to the group's material. 

DDoSecrets, an organization with no formal address whose careful budget runs mostly on donations, is still strategizing a response and the best workaround to continue publicizing its leaks, possibly by moving to Telegram or Reddit, but has no intention of letting the ban stop its work. With BlueLeaks, moreover, DDoSecrets has for the first time released a significant leak of documents from US organizations, raising the stakes. 

Activists and journalists going through the documents promptly found evidence that the FBI had monitored protesters' social media accounts on behalf of local law enforcement and tracked bitcoin donations to protest groups. The leak also includes personally identifiable information about police officers and, in some cases, banking details. 

Best, who has worked with WikiLeaks in the past and uses the pronouns they/them, says that DDoSecrets has learned from WikiLeaks' mistakes as well as from its successes. 

Best also explicitly criticizes Assange for attempting to conceal the fact that certain documents were provided by state-sponsored hackers, as when he implied that the documents taken from the Democratic National Committee and the Clinton campaign may have come from murdered Clinton staff member Seth Rich. 

DDoSecrets is also taking an altogether different approach from WikiLeaks in protecting the anonymity of its sources: it has stopped hosting a WikiLeaks-style submission system on a server protected by the anonymity software Tor, as WikiLeaks and most other leak sites have done. 

This approach suggests that the group considers principled hackers, rather than non-technical leakers or whistleblowers inside companies, to be its core sources, says Gabriella Coleman, a hacker-focused anthropologist at McGill University who wrote a seminal book on the hacktivist group Anonymous and is friendly with some of DDoSecrets' staff.

Nonetheless, as experts have noted, the Twitter ban following the BlueLeaks publication clearly represents a major setback for the group.

All You Need to Know About the Recent DDoS Attacks and Threats that have Surfaced in the U.S


Cybersecurity experts have denied that any DDoS attacks took place in recent times. However, the attacks on T-Mobile's services that resulted in an outage seem to tell a different story. In a recent incident, T-Mobile suffered an outage; customers quickly noticed and registered complaints about the cellular issue. Acknowledging the problem, company president Neville Ray said on his Twitter account that employees were working on the problem and would soon resolve it. He further noted that data and messaging services would be restored soon and apologized for the inconvenience.

Similar reports came from different cyber agencies, but the most surprising was an image shared by an account which, according to officials, can be linked to the activist group "Anonymous." Anonymous published a Digital Attack Map that showed various attacks on the U.S. postal services. We don't have much information on the matter, but cybersecurity experts claim that no such incidents happened. The intriguing thing is that T-Mobile had faced a similar problem. As of now, it seems that the U.S. may be a potential target for a large-scale DDoS (distributed denial-of-service) attack.

A DDoS attack can flood online services with traffic from many sources, rendering them useless. Media outlets across the world have reported similar attacks recently. Netscout, a global cybersecurity organization, said 200 cyberattacks were targeted at the U.S. In another incident, the online activist group Anonymous shared a digital attack map showing various attacks in the U.S. and Brazil. It claimed on Twitter that the U.S. was under a massive DDoS attack, and the tweet went viral.

"In light of this DDoS attack, your reminder that @realDonaldTrump eliminated the cybersecurity coordinator position at the NSC in 2018. And in 2019, at least a dozen high-level officials resigned from the cybersecurity mission established under Obama," tweeted Representative Ted Lieu. We do not have official names, but a handful of anonymous politicians have also raised the possibility of DDoS attacks. It should be noted that these DDoS reports surfaced while the U.S. was battling the global pandemic and the entire country was protesting for civil rights. None of this seems ordinary, and it deserves some thought.

UPnP Vulnerability Affects Billion of Devices Allowing DDoS Attacks, Data Exfiltration


A new security vulnerability affecting devices that run the UPnP protocol has been discovered by researcher Yunus Çadırcı. Dubbed CallStranger, the flaw could be exploited by remote, unauthenticated attackers to perform a number of malicious acts, such as data exfiltration and distributed denial-of-service (DDoS) attacks.

The UPnP protocol is designed to speed up automatic discovery of, and interaction with, devices on a network. It has no verification or authentication of any kind and is therefore meant to be used only within trusted LANs. Most Internet-connected devices support UPnP; however, the Device Protection service, which adds security features, has not been widely adopted.

The vulnerability, tracked as CVE-2020-12695, affects Windows PCs, TVs, gaming consoles, devices from Cisco, Belkin, Broadcom, Dell, D-Link and Samsung, routers from Asus, Huawei, ZTE and TP-Link, and probably many more.

Giving insight into his discovery, Çadırcı said, “[The vulnerability] is caused by Callback header value in UPnP SUBSCRIBE function can be controlled by an attacker and enables an SSRF-like vulnerability which affects millions of Internet-facing and billions of LAN devices.”

“Home users are not expected to be targeted directly. If their internet-facing devices have UPnP endpoints, their devices may be used for DDoS source. Ask your ISP if your router has Internet-facing UPnP with CallStranger vulnerability — there are millions of consumer devices exposed to the Internet. Don't port forward to UPnP endpoints,” he further added.

“Because it also can be used for DDoS, we expect botnets will start implementing this new technique by consuming end-user devices. Because of the latest UPnP vulnerabilities, enterprises blocked Internet exposed UPnP devices so we don’t expect to see port scanning from the Internet to Intranet but Intranet2Intranet may be an issue,” the researcher concluded.

To stay safe, vendors are recommended to implement the latest specifications issued by the OCF, and users are advised to watch their vendors' support channels for updates. Meanwhile, device manufacturers are advised to disable the UPnP protocol on Internet-accessible interfaces.
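The validation a patched device should apply to the CALLBACK header, as an added example rather than the researcher's or any vendor's code; the SUBSCRIBE requests are constructed, and the LAN subnet and the cap on callback URLs are assumptions.

```python
"""
Validate the CALLBACK header of a UPnP SUBSCRIBE request.

A vulnerable device accepts any URL and later sends NOTIFY traffic to it,
which is what CallStranger abuses. The fix: every callback URL must be
http, must name an IP literal (no hostnames, so no DNS tricks), must lie
inside the device's own network, and the number of URLs is capped.
"""
import ipaddress
import re
from typing import Dict, Tuple
from urllib.parse import urlsplit

CALLBACK_URL_RE = re.compile(r"<([^>]+)>")          # CALLBACK: <url1><url2>...
MAX_CALLBACKS = 4                                   # assumed cap on NOTIFY targets
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN of the device


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP-style request into its request line and a header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return lines[0], headers


def validate_callbacks(callback_header: str, local_net) -> Tuple[bool, str]:
    """The check CallStranger-vulnerable devices lack: refuse any callback
    that would make the device send traffic off its own network."""
    urls = CALLBACK_URL_RE.findall(callback_header)
    if not urls:
        return False, "no callback URL"
    if len(urls) > MAX_CALLBACKS:
        return False, f"too many callback URLs ({len(urls)})"
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return False, f"not an http URL: {url}"
        try:
            host = ipaddress.ip_address(parts.hostname)
        except ValueError:
            return False, f"host must be an IP literal: {url}"
        if host not in local_net:
            return False, f"callback host outside local network: {url}"
    return True, "ok"


def handle_subscribe(raw: str, local_net=LOCAL_NET) -> Tuple[int, str]:
    """Status a device should answer: 200 for an acceptable subscription,
    412 Precondition Failed (the UPnP status for a bad CALLBACK) otherwise."""
    request_line, headers = parse_request(raw)
    if not request_line.startswith("SUBSCRIBE "):
        return 405, "method not allowed"
    if "SID" in headers:
        return 200, "renewal"  # renewals carry no CALLBACK; nothing to validate
    if headers.get("NT") != "upnp:event":
        return 412, "NT header must be upnp:event"
    ok, reason = validate_callbacks(headers.get("CALLBACK", ""), local_net)
    return (200, "ok") if ok else (412, reason)


# Constructed requests: a legitimate LAN subscriber and an off-network target.
SUBSCRIBE_LOCAL = (
    "SUBSCRIBE /upnp/event/service HTTP/1.1\r\n"
    "HOST: 192.168.1.1:49152\r\n"
    "CALLBACK: <http://192.168.1.50:8080/notify>\r\n"
    "NT: upnp:event\r\n"
    "TIMEOUT: Second-1800\r\n\r\n"
)
SUBSCRIBE_OFFNET = SUBSCRIBE_LOCAL.replace(
    "<http://192.168.1.50:8080/notify>", "<http://203.0.113.7/>")

if __name__ == "__main__":
    print(handle_subscribe(SUBSCRIBE_LOCAL))
    print(handle_subscribe(SUBSCRIBE_OFFNET))
```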

How Coronavirus Panic Created a Perfect Opportunity for Cyberattacks in Crucial Sectors?


In tough times like this, there is always someone out there looking for a weak spot to attack their enemy. The impact of Coronavirus today has devastated the socio-economic and political sectors; it has disrupted the commercial industry entirely, which has led to the fall of global trade and commerce, and unmistakably the panic and the terror among the people. Few people are already aware of this, but unfortunately, there still exist several people who are not aware of the fact that hackers are using it as an opportunity to exploit this vulnerability by launching cyberattacks.


For instance, the US Department of Health and Human Services recently suffered a cyberattack while it was dealing with the coronavirus situation. No data on the department's website was compromised, but according to officials the attackers were state-sponsored and saw the crisis as an opportunity to disrupt the work of US departments and institutions. In other incidents, attacks themed around the 'Wuhan Coronavirus' were launched in many countries. According to Kaspersky experts, ten files with names referring to the spread of the coronavirus were found to contain malware, including file-encrypting malware that breaks into systems and corrupts them.

The Potential Target Areas

1. Political: Cyberattacks can be launched against prominent political infrastructure such as government ministries and health departments, combined with false information and misinformation. The recent DDoS attack on the US Department of Health and Human Services is just a beginning. False reports of a 'nationwide lockdown' or 'nationwide quarantine' appeared in countries including India and the US. Governments have been working to expose this fake news by publishing official advisories on their websites asking the public not to trust or share unverified information.

2. Criminal: Hackers see the outbreak as an opportunity to launch cyberattacks. According to Check Point's Global Threat Index, "hackers around the globe have found the Coronavirus serving them well as an enabler for their activities. They are still riding the wave of the epidemic. Our Global Threat Index for January 2020 shows cyber-criminals are exploiting interest in the global epidemic to spread malicious activity, with several spam campaigns relating to the outbreak of the virus."

DDoS Attacks on the Gaming Giant Blizzard Causing Worldwide Service Disruption


While users were stuck at home during the COVID-19 work-from-home period, attackers hit the gaming giant Blizzard with a massive DDoS attack that caused worldwide service disruption.

The attack, according to reports, took place on March 18th at around 2:20 AM (GMT), when Blizzard users took the issue to Twitter; Blizzard's Customer Support handle on Twitter then confirmed that the company was suffering DDoS attacks.

The company further clarified that it is “currently investigating an issue affecting our authentication servers, which may result in failed or slow login attempts.”

According to DownDetector's live map, Blizzard was still feeling the effects of the attack, particularly in the US, Israel, Bahrain, Iraq, China, Singapore, Malaysia, Denmark and several other countries.
Image credit: Down Detector’s live map


It is unclear whether the DDoS attack has stopped, as there has been no further update from the company. Blizzard is home to some of the most popular games, including World of Warcraft, Overwatch, Heroes of the Storm and Diablo Immortal.

The gaming giant has a strong customer base of more than 32 million active users around the globe. Separately, EA Sports, a division of Electronic Arts, was also suffering a worldwide service outage.

It is unclear whether that outage was the result of a DDoS attack or of internal technical problems, but there have been numerous tweets from EA Sports customers complaining about lag and connectivity issues.

According to DownDetector's live map, EA Sports was still experiencing lag issues in the US, the United Kingdom, France, Spain, Denmark, Japan, Israel and elsewhere.

Image credit: Down Detector’s live map


For now, the cause of the EA Sports outage remains unconfirmed, and users are encouraged to stay tuned for further news about the attack on Blizzard.

Hackers launch DDoS Attacks to Target Australian Banks


Hackers are demanding large sums in Monero from Australian banks and threatening to launch DDoS attacks if the demands are not met. Since last week, banks and other organisations in Australia's financial sector have been the target of these DDoS extortion campaigns.

A hacker group is blackmailing the victims into paying a heavy ransom. The attackers threaten to conduct a DDoS (Distributed Denial of Service) attack unless they are paid in the Monero (XMR) cryptocurrency. The Australian Cyber Security Centre (ACSC) has issued an alert to warn the public about the campaign. According to the ACSC, there is currently no evidence that the group has actually launched any DDoS attacks against the targeted organisations.


DDoS Campaign Began in 2019 

The global ransom denial-of-service (RDoS) campaign behind the attacks on Australian financial organisations started in October 2019. According to ZDNet, the earlier ransom attempts targeted financial companies and the banking sector, but over time the campaign expanded to other industries. Victims of the ransom threats include the banking sector in South Africa and Singapore, the telecom sector in Turkey, ISPs in South Africa and gambling websites in South Asian countries.

The ransom demands continued, and the attackers systematically extended the campaign to ten countries around the world. Not every threat was followed by an attack, since it would have been nearly impossible to launch a full-scale DDoS attack against every target, but ZDNet reports that numerous attacks launched as part of the campaign were successful.

The Group keeps changing names 

The group responsible for these attacks kept changing its name to avoid being identified by the authorities. At first it called itself Fancy Bear, after the Russian hacking group linked to the 2014 White House attack and the 2016 DNC hack; later it used the name Cozy Bear, another Russian hacking group also linked to the 2016 DNC breach.

Chinese Cyber-attack Hit Telegram Amidst Hong Kong Protests


Telegram, a secure messaging app, was recently bombarded by a network of computers in China following the protests sparked by the Hong Kong government's plan to enact a new extradition law.

On Tuesday night, as protesters gathered near Hong Kong's Legislative Council building, the authorities arrested the administrator of a Telegram chat group with approximately 20,000 members, even though he was not at the protest site.

The law proposed by the Hong Kong government would allow people in the city to be extradited to mainland China, where the court system is closed to public scrutiny and tightly controlled by the Communist Party.

The unusual measures taken by the Hong Kong authorities suggest that the police have moved against the protesters by constraining their digital communication.

The protesters were using today's networking tools to rally their ranks, share safety tips and organise supplies of food and drink, even as they took steps to hide their identities. The authorities responded by tracking where they planned their moves, suggesting they are taking cues from the way China polices the internet.

Protesters and police officers alike have brought a new technological savvy to the standoff.

Lokman Tsui, a professor at the School of Journalism and Mass Communication at the Chinese University of Hong Kong, shared his view of the situation: “We know the government is using all kinds of data and trails to charge people later on, this is why people are minimizing their footprints as much as possible, they are being much more conscious and savvy about it.”

The police used tear gas as protesters came closer to the Legislative Council building in Hong Kong on Wednesday. Protesters used the app Telegram to organize, but the police were watching.

Telegram said on its Twitter account that it was able to stabilise its services shortly after the attack started. It described the flood of traffic as a DDoS attack, in which servers are swamped with requests from a coordinated network of computers.

Many of these protesters appear to be college-aged and digitally adept. They went to considerable lengths to avoid being caught or digitally traced. To travel to and from the protests, many stood in line to buy single-ride subway tickets rather than use their digital payment cards, which can be tracked. Some of those confronting the police covered their faces with caps and masks, giving them anonymity as well as some protection from the tear gas.

Beijing has been accused in the past of attacks that silence political speech outside mainland China's borders.

“The bottom line is whether to trust Beijing,” said Dr. Tsui, the communications professor. “This is a government that routinely lies to its own citizens, that censors information, that doesn’t trust its own citizens. You can’t ask us to trust you if you don’t trust us.”

“These kids that are out there, all the young people, they’re smart,” he added. “They know not to trust Beijing.”

The event presents no new challenge for Telegram, which has been used in widespread protests before and has faced numerous government crackdowns. Russia and Iran are among the countries that have banned or blocked its use.

Telegram hit by DDoS attack


The secure messaging app Telegram was hit by a "powerful" distributed denial-of-service (DDoS) attack on Wednesday morning.

The app was down for many users across the globe, but users in the United States were the worst affected by the attack, according to DownDetector.

The  company said in a tweet, ‘We’re currently experiencing a powerful DDoS attack, Telegram users in the Americas and some users from other countries may experience connection issues.’

The app was down for a little over an hour, and in the meantime the company tweeted an explanation of how a DDoS attack works.

"Imagine that an army of lemmings just jumped the queue at McDonald's in front of you – and each is ordering a whopper," Telegram tweeted. "The server is busy telling the whopper lemmings they came to the wrong place – but there are so many of them that the server can't even see you to try and take your order."

The firm went on to describe how attackers carry out a DDoS attack.

"To generate these garbage requests, bad guys use 'botnets' made up of computers of unsuspecting users which were infected with malware at some point in the past. This makes a DDoS similar to the zombie apocalypse: one of the whopper lemmings just might be your grandpa," the company said in another tweet.

Telegram also said that user data was safe and that no data was compromised during the attack.

"There's a bright side: All of these lemmings are there just to overload the servers with extra work – they can't take away your Big Mac and Coke," the company tweeted.

Telegram refused to respond to a request for comment. 


The Dark Side of Kremlin- The Catalogue of Russian Data Leaks: All You Need To Know


Thousands of Russian emails and documents were leaked online in late January in a collection named “The Dark Side of Kremlin”.


The catalogue was published by a “transparency collective” called Distributed Denial of Secrets (DDoSecrets), which despite the similar name has nothing to do with denial-of-service attacks.

DDoSecrets is an anonymous group of journalists, researchers, technologists and activists.

The documents contained private information on many of Russia's most prominent figures, including politicians, religious leaders and the military.

DDoSecrets says its only job is to provide information to those who need it; whether that information strengthens existing suspicions hardly matters to the group.

The group also said that the collection of emails, chat logs and attachments had been stolen a few years ago by several hacking groups in Russia and Ukraine.

The Cyber Junta, the Russian hackers Shaltai-Boltai, the Ukrainian Cyber Alliance and other international parties were among those named as the original sources.

The information leaked includes private documents and emails from the Ministry of Defense, the Russian Presidential Administration and other high-level political operatives.

Russia’s Prime Minister Dmitry Medvedev’s phone was hacked and his holiday pictures were uploaded online.

The Russian President’s chef, who controls companies that cater lavish banquets in the Kremlin, also had his private notes exposed in the leak.

Those notes include the chef's detailed personal records of conversations between Putin and European leaders from Italy and Britain.

The most revealing material came from the Russian Presidential Administration, and made the Russian government rather more “transparent” than it intended.

The leak contained details of how the government controls the Russian media and the way it transmits its messaging.

The most concerning part is that no one knows for sure how much and what kinds of information have been laid out bare in the open.

The leaks also provide an insight about the relations between Ukraine and Russia.

The inner-doings of Russia’s proxies and other insidious groups have also been brought into the light.

DDoSecrets had suffered a wipe of its servers, which made it imperative to publish the data quickly in order to prevent it from being censored.

Reportedly, the leak should not be seen as revenge for anything that happened before; it was simply an attempt at transparency.

Much of the information in the leak was already available on the web, but the sheer size of the release has given rise to many new investigations.

This Russian document leak has added to the pressure on countries to take their cyber-security seriously.

Analysing these leaks could lead Russia to adopt new ways of securing its networks and its Presidential Administration.

The government has reportedly already started tightening its cyber-security, and the remaining loopholes will presumably be closed in due course.

Attackers Utilize UPnP Features to Make DDoS Attacks Harder to Recognize


Security researchers continue to observe DDoS attacks that abuse the UPnP features of home routers to rewrite network packets, making the attacks harder to recognise and mitigate with classic solutions.

Researchers from Imperva first detailed this new UPnP port-masking technique a month ago.

Imperva staff reported that some DDoS botnets had begun using the UPnP protocol on home routers to bounce DDoS traffic off the router while changing the traffic's source port to an arbitrary number.

Because the source port is changed, older DDoS mitigation systems that relied on reading that field to block incoming attacks started failing left and right, allowing the DDoS traffic to reach its intended targets.

Newer DDoS mitigation systems that rely on deep packet inspection (DPI) are able to identify attacks that use randomised source ports, but they are also more expensive for users and slower, so they take longer to identify and stop an attack.

Back in May, Imperva researchers said they had seen botnets running DDoS attacks through the DNS and NTP protocols while using UPnP to disguise the traffic as coming from random ports rather than port 53 (DNS) or port 123 (NTP).

At the time, Bleeping Computer predicted that the technique would become more popular among botnet operators. That prediction proved true yesterday, when Arbor Networks reported observing similar DDoS attacks that used the UPnP protocol, this time to mask SSDP-based DDoS attacks.

SSDP DDoS attacks that would previously have been mitigated simply by blocking incoming packets from port 1900 were harder to spot, because most of the traffic originated from random ports rather than a single one.

This UPnP-based port-masking technique is clearly spreading among DDoS operators. DDoS mitigation providers will have to adapt if they want to stay in business, and organisations will need to invest in upgraded defences to stay afloat amid these new forms of DDoS attack.
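The reports above all turn on one observation: once a botnet bounces reflected traffic through a UPnP-enabled router, the source port no longer identifies the reflector, so a rule keyed on port 53, 123 or 1900 misses the masked packets while a check on the payload itself still catches them. The Python below is an added example (not code from Imperva, Arbor Networks or Bleeping Computer) that runs both kinds of rule over a handful of constructed packets covering all three protocols the reports mention. The packet contents, addresses and the exact fingerprints used for SSDP, DNS and NTP monlist responses are assumptions chosen to illustrate the point, not production detection signatures.

```python
"""Spot reflection traffic by payload fingerprint rather than by source port.

Added example, not from any vendor's report. Packets are (src_ip, src_port,
payload) tuples constructed by hand; none were captured from a real attack.
"""

REFLECTOR_PORTS = {53: "dns", 123: "ntp", 1900: "ssdp"}


def classify_by_port(src_port):
    """Old-style rule: a reflected response must come from the reflector's well-known port."""
    return REFLECTOR_PORTS.get(src_port)


def classify_by_payload(payload):
    """Return 'ssdp', 'dns' or 'ntp' if the bytes look like a reflection response, else None."""
    # SSDP M-SEARCH responses are HTTP-like text carrying an ST (search target) header.
    if payload.startswith(b"HTTP/1.1 200 OK") and b"\r\nST:" in payload.upper():
        return "ssdp"
    # NTP mode-7 (private) monlist response: response bit set, mode 7,
    # implementation 3 (XNTPD), request code 20 or 42 (MON_GETLIST / MON_GETLIST_1).
    if (len(payload) >= 8 and (payload[0] & 0x87) == 0x87
            and payload[2] == 3 and payload[3] in (20, 42)):
        return "ntp"
    # DNS response: QR bit set, standard-query opcode, and at least one answer record.
    if (len(payload) >= 12 and payload[2] & 0x80
            and ((payload[2] >> 3) & 0x0F) == 0
            and int.from_bytes(payload[6:8], "big") > 0):
        return "dns"
    return None


# Constructed reflection payloads (assumed shapes, trimmed for readability).
SSDP_REPLY = (
    b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"LOCATION: http://198.51.100.10:49152/desc.xml\r\nSERVER: Linux UPnP/1.0\r\n\r\n"
)
DNS_ANY_REPLY = (
    b"\x12\x34"                              # transaction id
    b"\x81\x80"                              # flags: QR=1, RD, RA
    b"\x00\x01\x00\x14\x00\x00\x00\x00"      # 1 question, 20 answers
    b"\x07example\x03com\x00\x00\xff\x00\x01"  # QNAME example.com, QTYPE ANY
    + b"\xc0\x0c\x00\x10\x00\x01\x00\x00\x0e\x10\x00\x04abcd" * 20  # 20 TXT answers
)
NTP_MONLIST_REPLY = (
    bytes([0xD7, 0x00, 0x03, 0x2A])          # R=1 M=1 VN=2 mode=7, seq 0, XNTPD, MON_GETLIST_1
    + b"\x00\x00\x00\x48" + b"\x00" * 72     # err/count, item size, one 72-byte item
)

SAMPLE_PACKETS = [
    ("198.51.100.10", 1900, SSDP_REPLY),      # classic SSDP reflection, well-known port
    ("198.51.100.11", 41023, SSDP_REPLY),     # same payload after UPnP port masking
    ("198.51.100.12", 53, DNS_ANY_REPLY),
    ("198.51.100.13", 60501, DNS_ANY_REPLY),  # masked DNS reflection
    ("198.51.100.14", 123, NTP_MONLIST_REPLY),
    ("198.51.100.15", 27777, NTP_MONLIST_REPLY),  # masked NTP reflection
    ("203.0.113.5", 443, b"\x16\x03\x01\x00\x05hello"),  # unrelated TLS-looking traffic
]


def triage(packets):
    """Compare both rules and list the packets only the payload rule catches."""
    port_hits = [p for p in packets if classify_by_port(p[1])]
    payload_hits = [p for p in packets if classify_by_payload(p[2])]
    missed = [(ip, port, classify_by_payload(payload))
              for ip, port, payload in payload_hits if not classify_by_port(port)]
    return {
        "port_filter": len(port_hits),
        "payload_filter": len(payload_hits),
        "missed_by_port_filter": missed,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_PACKETS)
    print("caught by port rule:   ", result["port_filter"])
    print("caught by payload rule:", result["payload_filter"])
    for ip, port, kind in result["missed_by_port_filter"]:
        print("masked %s reflection from %s:%d slipped past the port rule" % (kind, ip, port))
```

On the sample set the port rule catches only the three unmasked packets, while the payload rule catches all six reflections and ignores the TLS-looking packet. This is the trade-off the reports describe: looking inside every UDP payload costs more than matching a port number, but it is the only one of the two rules that survives port masking. A real DPI engine would combine such fingerprints with rate and size thresholds rather than flagging single packets.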