Category Archives: DDoS Criminals

Brit teen arrested for involvement in DDoS attack on ProtonMail

George Duke-Cohan was recruited by criminal group Apophis Squad A 19-YEAR-OLD MEMBER of hacking group Apophis Squad has been arrested by British cops. George Duke-Cohan from Watford, who uses the aliases ‘7R1D3N7?, ‘DoubleParalla’ and ‘optcz1?, was identified after the criminal group launched a series of DDoS attacks on Swiss-based encrypted email and VPN provider ProtonMail in June. Writing on the ProtonMail blog, CEO Andy Yen said that a team of security researchers had assisted the firm in investigating those responsible for the attacks. “Our security team began to investigate Apophis Squad almost immediately after the first attacks were launched. In this endeavour, we were assisted by a number of cybersecurity professionals who are also ProtonMail users,” he said. “It turns out that despite claims by Apophis Squad that federal authorities would never be able to find them, they themselves did not practice very good operational security. In fact, some of their own servers were breached and exposed online.” Yen did not go into details about how Duke-Cohan was ‘conclusively’ identified, save to say that “intelligence provided by a trusted source” played a part. The group attacked ProtonMail in June, apparently on a whim, but the attacks intensified after CTO Bart Butler responded to a tweet from the group, saying “we’re back you clowns”. Apophis Squad also attacked Tutanota, another encrypted email provider. Users of ProtonMail email and VPN services saw them briefly disrupted, but “due to the efforts of Radware, F5 Networks, and our infrastructure team, we were able keep service disruptions to a minimum,” Yen said. As a member of Apophis Squad, Duke-Cohan was also involved in making hoax bomb threats to schools and colleges and airlines which saw 400 educational facilities in the UK and USA evacuated and a United Airlines flight grounded in San Francisco in March. He pleaded guilty in Luton Magistrates Court to three counts of making bomb threats and is due to appear before Luton Crown Court on September 21 to face further charges. He also faces possible extradition to the US. Marc Horsfall, senior investigating officer at the National Crime Agency said: “George Duke-Cohan made a series of bomb threats that caused serious worry and inconvenience to thousands of people, not least an international airline. He carried out these threats hidden behind a computer screen for his own enjoyment, with no consideration for the effect he was having on others.” Duke-Cohan’s parents have said he was “groomed” by “serious people” online through playing the game Minecraft. Apophis Squad is thought to be based in Russia. ProtonMail’s Yen said other attackers have also been identified and the authorities notified. “We will investigate to the fullest extent possible anyone who attacks ProtonMail or uses our platform for crime. We will also cooperate with law enforcement agencies within the framework of Swiss law,” he said. Source: https://www.theinquirer.net/inquirer/news/3062293/brit-teen-arrested-for-involvement-in-ddos-attack-on-protonmail

More here:
Brit teen arrested for involvement in DDoS attack on ProtonMail

Mikrotik routers pwned en masse, send network data to mysterious box

Researchers uncover botnet malware pouncing on security holes More than 7,500 Mikrotik routers have been compromised with malware that logs and transmits network traffic data to an unknown control server.…

Department of Labour denies server compromise in recent cyberattack

The government department says the attack did not expose any sensitive or confidential information. The South African Department of Labour has confirmed a recent cyberattack which disrupted the government agency’s website. In a statement, the Department of Labour said that a distributed denial-of-service (DDoS) attack was launched against the organization’s front-facing servers over the weekend. According to the department’s acting chief information officer Xola Monakali, the “attempt was through the external Domain Name Server (DNS) server which is sitting at the State Information Technology Agency,” and “no internal servers, systems, or client information were compromised, as they are separated with the relevant protection in place.” The government agency has asked external cybersecurity experts to assist in the investigation. DDoS attacks are often launched through botnets, which contain countless enslaved devices — ranging from standard PCs to IoT devices — which are commanded to flood a domain with traffic requests. When the volume reaches peak levels, this can prevent legitimate traffic from being able to access the same resource, leading to service disruption. Some of the worst we have seen in recent times include the Mirai botnet, made up of millions of compromised IoT devices, which was powerful enough to disrupt online services across an entire country. With the rapid adoption of IoT and connected devices, including mobile products, routers, smart lighting and more, botnets have become more powerful. Unfortunately, many of our IoT products lag behind in security and the use of lax or default credentials, open ports, and unpatched firmware has led to botnets which automatically scan for vulnerable devices online and add them to the slave pool with no-one the wiser. In July, a threat actor was able to create a botnet 18,000 device-strong in only 24 hours. The botnet scanned the Internet for connected devices left unpatched against Huawei router vulnerability CVE-2017-17215. It is not known who is behind the DDoS attack against the government agency. However, News24 reports that hacker “Paladin” may be responsible. The individual reportedly tipped off reporters that the attack was taking place as a test for a “full-scale attack” due to take place in the future against another government website. Paladin is also believed to be responsible for DDoS attacks launched against SA Express, the country’s Presidency domain, and the Department of Environmental Affairs. Source: https://www.zdnet.com/article/department-of-labour-denies-server-compromise-in-recent-cyberattack/

View the original here:
Department of Labour denies server compromise in recent cyberattack

DraftKings rides to court, asks to unmask 10 DDoS suspects

Fantasy sports outfit looks to hunt down group that bombarded its site A US sports gaming company is asking permission to unmask 10 people it believes were behind a massive DDoS attack on its website earlier this month.…

A DDoS Knocked Spain’s Central Bank Offline

In a distributed-denial-of-service (DDoS) attack that began on Sunday, 26 August, and extended into today, Spain’s central bank was knocked offline. While Banco de Espana struggled to fight off the attack, business operations were not disrupted, according to Reuters . “We suffered a denial-of-service attack that intermittently affected access to our website, but it had no effect on the normal functioning of the entity,” a spokeswoman for Banco de Espana wrote in an email. DDoS attacks interrupt services by overwhelming network resources. Spain’s central bank is a noncommercial bank, which means that it does not offer banking services online or on site, and communications with the European Central Bank were not impacted. “Worryingly, as of Tuesday afternoon their website remained offline despite the attack having started on Sunday. Whether this was as a result of an ongoing attack, recovering from any resulting damage or as a precaution pending a forensic investigation is not clear,” said Andrew Lloyd, president, Corero Network Security. “The recent guidance from the Bank of England (BoE) requires banks to have the cyber-resilience to ‘resist and recover’ with a heavy emphasis on ‘resist.’ The BoE guidance is a modern take on the old adage that ‘prevention is better than cure.’ Whatever protection the Bank of Spain had in place to resist a DDoS attack has clearly proven to be insufficient to prevent this outage.” To help mitigate the risk of a DDoS attack, banks and other financial institutions can invest in real-time protection that can detect attacks before they compromise systems and impact customer service. As of the time of writing this, the bank’s website appears to be back online. Source: https://www.infosecurity-magazine.com/news/ddos-knocked-spains-central-bank/

Cisco smells a RAT in Breaking Security’s Remcos PC wrangler

Researchers say pentesting software being used for botnets Cisco Talos says criminals are using one research company’s testing tools to set up and run botnets.…

View original post here:
Cisco smells a RAT in Breaking Security’s Remcos PC wrangler

DDoS Attack Volume Rose 50% in Q2 2018

Distributed Denial of Service (DDoS) attacks aimed at disruption remain a massive problem for businesses big and small, despite the shutdown of the Webstresser DDoS-for-hire service. Attackers are also increasingly striking outside of normal business hours, researchers have found. A new report shows attack volumes rose 50% to an average 3.3 Gbps during May, June and July 2018, from 2.2 Gbps in Q1. Despite a 36% decrease in the overall number of attacks – likely as a result of DDoS-as-a-service website Webstresser being shuttered in an international police operation – attack volumes increased. 46% of incidents used two or more vectors in Q2, with a total of 9,325 attacks recorded during the quarter. That’s 102 per day, on average. A 50% increase in hyper-scale attacks (80 Gbps+) was also recorded, while the most complex attacks used 13 vectors in total, researchers found. Broadly speaking, DDoS attacks can be divided into three main categories, which point to the attack vectors employed by bad actors: Volume Based Attacks – bad actors saturate the bandwidth of the attacked site (measured in bits per second / Bps) Protocol Attacks – attackers consume actual server resources (measured in packets per second / Pps). Application Layer Attacks – hackers seek to crash the web server (measured in requests per second / Rps) High-volume attacks were assisted by Memcached reflection, SSDP reflection and CLDAP. The highest attack bandwidth was recorded at 156 Gbps (gigabits per second), while the total duration of attacks during the quarter was 1,221 hours. Attackers used two vectors 17% of the time, and three vectors 16% of the time. The most-frequently observed attacks were UDP floods (59.7%), TCP SYN floods (3.3%) and ICMP floods (0.9%). 773 attacks used the Memcached reflection amplification technique, while the SSDP reflection technique generated the greatest proportion of DDoS packets. New data from a similar study, by Nexusguard, recently showed that the number of unguarded Memcached servers is dropping, yet many remain vulnerable to attacks. The same research uncovered that DNS amplification attacks have increased 700% worldwide since 2016 and, in the first quarter of 2018, 55 DNS amplification attacks relied on vulnerable Memcached servers to amplify their DDoS efficiency by a factor of 51,000. Source: https://securityboulevard.com/2018/08/ddos-attack-volume-rose-50-in-q2-2018/

Lawmakers want to know when Ajit Pai knew FCC’s cyberattack claim was false

Democratic lawmakers want to know why the agency didn’t inform consumers of the falsity of its claim sooner A group of House democrats want to know when FCC Chairman Ajit Pai knew that the agency’s claims of a DDoS attack were false. Last week, the FCC’s Office of Inspector General released a report that found no evidence to support the claims of DDoS attacks in May of 2017. The agency had previously blamed multiple DDoS attacks for temporarily taking down a comment section of its website following a segment of Last Week Tonight, in which comedian John Oliver asked viewers to submit comments to the FCC and speak out in support of net neutrality. However, viewers were unable to voice their opinion on the proposed rollback of net neutrality because the comment submission section wasn’t available at the time. Now that it has come to light that the agency’s claims of a DDoS attack were false, a handful of Democratic lawmakers want to know when Pai became aware that there was no DDoS attack and why the agency didn’t correct its public statements alleging a DDoS attack before now. Misrepresented facts “We want to know when you and your staff first learned that the information the Commission shared about the alleged cyberattack was false,” Democratic lawmakers wrote in a letter to Pai. “It is troubling that you allowed the public myth created by the FCC to persist and your misrepresentations to remain uncorrected for over a year,” they wrote. The letter was signed by Representatives Frank Pallone Jr. (NJ), Mike Doyle (PA), Jerry McNerney (CA) and Debbie Dingell (MI). The results of the investigation concluded that FCC officials deliberately misrepresented facts in responses to Congressional inquiries. “Given the significant media, public and Congressional attention this alleged cyberattack received for over a year, it is hard to believe that the release of the IG’s report was the first time that you and your staff realized that no cyberattack occurred,” wrote the lawmakers. “Such ignorance would signify a dereliction of your duty as the head of the FCC, particularly due to the severity of the allegations and the blatant lack of evidence.” The Democratic lawmakers have asked Pai for complete written responses to their questions by August 28. Pai is also scheduled to appear before a Senate Commerce, Science and Transportation Committee oversight hearing on Thursday where he is expected to face questions about the results of the investigation. Source: https://www.consumeraffairs.com/news/lawmakers-want-to-know-when-ajit-pai-knew-fccs-cyberattack-claim-was-false-081518.html

DDoS attackers increasingly strike outside of normal business hours

DDoS attack volumes have increased by 50% to an average of 3.3 Gbps during May, June and July 2018, compared to 2.2 Gbps during the previous quarter, according to Link11. Attacks are also becoming increasingly complex, with 46% of incidents using two or more vectors. While attack volumes increased, researchers recorded a 36% decrease in the overall number of attacks. There was a total of 9,325 attacks during the quarter: an average of 102 attacks … More ? The post DDoS attackers increasingly strike outside of normal business hours appeared first on Help Net Security .

Read the original:
DDoS attackers increasingly strike outside of normal business hours

Week in review: IoT security, cyber hygiene, Social Mapper

Here’s an overview of some of last week’s most interesting news and articles: Intensifying DDoS attacks: ?Choosing your defensive strategy One of the biggest misconception regarding DDoS attacks is that they are a once-in-a-lifetime event for organizations, says Josh Shaul, VP of Web Security at Akamai. “Our State of the Internet Report found that companies suffered 41 DDoS attacks on average over the last six months,” he points out. August Patch Tuesday forecast: Looking ahead … More ? The post Week in review: IoT security, cyber hygiene, Social Mapper appeared first on Help Net Security .

Taken from:
Week in review: IoT security, cyber hygiene, Social Mapper