Category Archives: DDoS Criminals

Monero-mining botnet targets orgs through recent MS Exchange vulnerabilities

The recent Microsoft Exchange Server vulnerabilities might have initially been exploited by a government-backed APT group, but cybercriminals soon followed suit, using them to deliver ransomware and grow their botnet. One perpetrator of the latter activities is Prometei, a cross-platform (Windows, Linux), modular Monero-mining botnet that seems to have flown under the radar for years. The attackers’ modus operandi Cybereason incident responders have witnessed instances of the botnet enslaving endpoints of companies across the globe, … More ? The post Monero-mining botnet targets orgs through recent MS Exchange vulnerabilities appeared first on Help Net Security .

Excerpt from:
Monero-mining botnet targets orgs through recent MS Exchange vulnerabilities

Week in review: PHP supply chain attack, common zero trust traps, hardening CI/CD pipelines

Here’s an overview of some of last week’s most interesting news and articles: Attackers tried to insert backdoor into PHP source code The PHP development team has averted an attempted supply chain compromise that could have opened a backdoor into many web servers. The growing threat to CI/CD pipelines By hardening CI/CD pipelines and addressing security early in the development process, developers can deliver software faster and more securely. DDoS attacks in 2021: What to … More ? The post Week in review: PHP supply chain attack, common zero trust traps, hardening CI/CD pipelines appeared first on Help Net Security .

Continued here:
Week in review: PHP supply chain attack, common zero trust traps, hardening CI/CD pipelines

DDoS attacks in 2021: What to expect?

We’re only three months into 2021, and Akamai has mitigated 3 out of the 6 largest DDoS attacks they have ever witnessed. Two of these hit the same company on the same day, and the attackers’ goal was extort money from the target. “Growing” DDoS attacks Hoping for a major Bitcoin payout, DDoS attackers continue to raise the bar when it comes to attack size, frequency, and target diversification. “In 2021 alone, we’ve already seen … More ? The post DDoS attacks in 2021: What to expect? appeared first on Help Net Security .

Continue Reading:
DDoS attacks in 2021: What to expect?

Noction Intelligent Routing Platform 3.11 features the remote-triggered blackholing capability

Noction announced the release of the Noction Intelligent Routing Platform 3.11. This version focuses on the new remote-triggered blackholing feature, which allows the redirection of traffic to a non-existent resource (a so-called black hole), or the blocking of the unwanted traffic in a provider’s network, thus preventing such traffic from entering the IRP user’s network. It can be specifically used to understand better and mitigate the effects of the Distributed Denial of Service (DDoS) attacks. … More ? The post Noction Intelligent Routing Platform 3.11 features the remote-triggered blackholing capability appeared first on Help Net Security .

Read the article:
Noction Intelligent Routing Platform 3.11 features the remote-triggered blackholing capability

DDoS attacks surge as cybercriminals take advantage of the pandemic

DDoS attacks reached a record high during the pandemic as cybercriminals launched new and increasingly complex attacks, a Link11 report reveals. The analysis showed a boom in DDoS attacks that were closely linked to the pandemic. Key stats Boom in attacks: From February to September 2020, the number of DDoS attacks nearly doubled and was on average 98% higher than in the same period last year. It Is estimated that there were 50 million DDoS … More ? The post DDoS attacks surge as cybercriminals take advantage of the pandemic appeared first on Help Net Security .

View original post here:
DDoS attacks surge as cybercriminals take advantage of the pandemic

Now it is F5’s turn to reveal critical security bugs – and the Feds were quick to sound the alarm on these BIG-IP flaws

Remote code execution, denial of service, API abuse possible. Meanwhile, FBI pegs China for Exchange hacks Security and automation vendor F5 has warned of seven patch-ASAP-grade vulnerabilities in its Big-IP network security and traffic-grooming products, plus another 14 vulns worth fixing.…

More:
Now it is F5’s turn to reveal critical security bugs – and the Feds were quick to sound the alarm on these BIG-IP flaws

REvil ransomware gang claims over $100 million profit in a year

REvil ransomware developers say that they made more than $100 million in one year by extorting large businesses across the world from various sectors. They are driven by profit and want to make $2 billion from their ransomware service, adopting the most lucrative trends in their pursuit of wealth. Affiliates do the heavy lifting A REvil representative that uses the aliases “UNKN” and “Unknown” on cybercriminal forums talked to tech blog Russian OSINT offering some details about the group’s activity and hints of what they have in store for the future. Like almost all ransomware gangs today, REvil runs a ransomware-as-a-service (RaaS) operation. Per this model, developers supply file-encrypting malware to affiliates, who earn the lion’s share from the money extorted from victims. With REvil, the developers take 20-30% and the rest of the paid ransom goes to affiliates, who run the attacks, steal data, and detonate the ransomware on corporate networks. “Most work is done by distributors and ransomware is just a tool, so they think that’s a fair split,” REvil representative, Unknown, told Russian OSINT. This means that the developers set the ransom amount, run the negotiations, and collect the money that is later split with affiliates. Long list of victims The cybercriminal operation has encrypted computers at big-name companies, among them Travelex, Grubman Shire Meiselas & Sacks (GSMLaw), Brown-Forman, SeaChange International, CyrusOne, Artech Information Systems, Albany International Airport, Kenneth Cole, and GEDIA Automotive Group. Unknown says that REvil affiliates were able to breach the networks of Travelex and GSMLaw in just three minutes by exploiting a vulnerability in Pulse Secure VPN left unpatched for months after the fix became available [1, 2]. source: Bad Packets REvil’s public-facing representative says that the syndicate has hit the network of a “major gaming company” and will soon announce the attack. They also say that REvil was responsible for the attack in September against Chile’s public bank, BancoEstado. The incident prompted the bank to close all its branches for a day but did not affect online banking, apps, and ATMs. Along with managed services providers (MSPs) that have access to networks of multiple organizations, the most profitable targets for REvil are companies in the insurance, legal, and agriculture sectors. As for initial access, Unknown mentioned brute-force attacks as well as remote desktop protocol (RDP) combined with new vulnerabilities. One example are vulnerabilities tracked as CVE-2020-0609 and CVE-2020-0610 bugs and known as BlueGate. These allow remote code execution on systems running Windows Server (2012, 2012 R2, 2016, and 2019). New money-making avenues REvil initially made its profit from victims paying the ransom to unlock encrypted files. Since the attackers also locked backup servers, victims had few options to recover, and paying was the quickest way. The ransomware business changed last year when operators saw an opportunity in stealing data from breached networks and started to threaten victims with damaging leaks that could have a much worse impact on the company. Even if it takes longer and causes a significant setback, large businesses can recover encrypted files from offline backups. Having sensitive data in the public space or sold to interested parties, though, can be synonymous with losing the competitive advantage and reputation damage that is difficult to rebuild. This method proved to be so lucrative that REvil now makes more money from not publishing stolen data than from decryption ransom. Unknown says that one in three victims are currently willing to pay the ransom to prevent the leaking of company data. This could be the next step in the ransomware business. REvil is also thinking to adopt another tactic designed to increase their odds of getting paid: hitting the victim with distributed denial-of-service (DDoS) attacks to force them to at least (re)start negotiating a payment. SunCrypt ransomware used this tactic recently on a company that had stopped negotiations. The attackers made it clear that they launched the DDoS attack and terminated it when negotiations resumed. REvil plans to implement this idea. REvil’s model for making money is working and the gang already has plenty in their coffers. In their search for new affiliates, they deposited $1 million in bitcoins on a Russian-speaking forum. The move was designed to show that their operation generates plenty of profit. According to Unknown, this step is to recruit new blood to distribute the malware, as the ransomware scene is full to the brim with professional cybercriminals. Although they have truckloads of money, REvil developers are confined to the borders of the Commonwealth of Independent States (CIS, countries in the former Soviet Union) region. A reason for this is attacking a large number of high-profile victims that prompted investigations from law enforcement agencies from all over the world. As such, traveling is a risk REvil developers are not willing to take. REvil built on older code This ransomware syndicate is also referred to as Sodin or Sodinokibi but the name REvil is inspired by the Resident Evil movie and stands for Ransomware Evil. Their malware was first spotted in April 2019 and the group started looking for skilled hackers (elite penetration testers) shortly after GandCrab ransomware closed shop. Unknown says that the group did not create the file-encrypting malware from scratch but bought the source code and developed on top of it to make it more effective. It uses elliptic curve cryptography (ECC) that has a smaller key size than the RSA-based public-key system, with no compromise on security. Unknown says that this is one reason affiliates choose REvil over other RaaS operations like Maze or LockBit. Before shutting their business, GandCrab developers said they made $150 million, while the entire operation collected more than $2 billion in ransom payments. Clearly, REvil developer’s ambitions are greater. BleepingComputer was told that Unknown confirmed that the interview (in Russian) was real. Source: https://www.bleepingcomputer.com/news/security/revil-ransomware-gang-claims-over-100-million-profit-in-a-year/

More:
REvil ransomware gang claims over $100 million profit in a year

How do I select cyber insurance for my business?

There has been a 70%+ increase in the average cost of a cybercrime to an organization over five years to $13mn and a 60%+ increase in the average number of security breaches, a recent report reveals. Losses resulting from external incidents, such as DDoS attacks or phishing and malware/ransomware campaigns, account for 85% of the value of claims, followed by malicious internal actions (9%) – which are infrequent but can be costly. To select suitable … More ? The post How do I select cyber insurance for my business? appeared first on Help Net Security .

Read this article:
How do I select cyber insurance for my business?

Spamhaus Intelligence API: Free threat intelligence data for security developers

Spamhaus Technology releases its Intelligence API. This is the first time Spamhaus has released its extensive threat intelligence via API, providing enriched data relating to IP addresses exhibiting compromised behaviour. Available free of charge, developers can readily access enhanced data that catalogues IP addresses compromised by malware, worms, Trojan infections, devices controlled by botnets, and third party exploits, such as open proxies. The API features live and historical data, including bot names, first seen dates, … More ? The post Spamhaus Intelligence API: Free threat intelligence data for security developers appeared first on Help Net Security .

See the original article here:
Spamhaus Intelligence API: Free threat intelligence data for security developers