There’s not much more than fine print between stress testing and DDoS-as-a-service Two Israeli men have been arrested for running a distributed-denial-of service-as-a-service site, after one seemingly claimed to attack the Pentagon.…
Read the original:
Israeli Pentagon DDoSers explain their work, get busted by FBI
A web service that helped customers carry out distributed denial-of-service (DDoS) attacks on unsuspecting victims has been hacked revealing data on the customers that availed of this clandestine service. According to security journalist Brian Krebs, vDos was hacked recently and he obtained a copy of the leaked data in July. Upon scrutinizing the database, he claims that vDOS is being run by two Israeli cybercriminals under the pseudonyms of P1st or P1st0 and AppleJ4ck, with associates in the United States. vDOS allegedly offered monthly subscriptions to DDoS attack services, paid in bitcoin or even through PayPal, with the prices based on how long the attack would last. These DDoS attacks would launch fake traffic at victim websites, overwhelming their servers and knocking the sites offline. A particularly strong DDoS attack could cripple a site for days. “And in just four months between April and July 2016, vDOS was responsible for launching more than 277 million seconds of attack time, or approximately 8.81 years’ worth of attack traffic,” Krebs said in his analysis. He added that he believes vDOS was handling hundreds or even thousands of concurrent attacks a day. Kreb’s analysis is based on data from April to July. Apparently all other attack data going back to the service’s founding in 2012 has been wiped away. Krebs’ source for info on the hack was allegedly able to exploit a hole in vDOS that allowed him to access its database and configuration files. It also allowed him to source the route of the service’s DDoS attacks to four servers in Bulgaria. Among the data dump were service complaint tickets where customers could file issues they had with the DDoS attacks they purchased. Interestingly the tickets show that the owners of vDOS declined to carry out attacks on Israeli sites to avoid drawing attention to themselves in their native land. The duo supposedly made $618,000 according to payments records dating back to 2014 in the data dump. “vDOS does not currently accept PayPal payments. But for several years until recently it did, and records show the proprietors of the attack service worked assiduously to launder payments for the service through a round-robin chain of PayPal accounts,” Krebs said. The operators of the DDoS service are believed to have enlisted the help of members from the message board Hackforums in laundering the money. Krebs warned that services like vDOS are worrisome because they make cybercrime tools available to pretty much anyone willing pay. In some cases, vDOS offered subscriptions as low as $19.99. These sorts of tools, also known as booter services, can be used ethically for testing how your site holds up against large swathes of traffic but in the wrong hands they can be abused and sold very easily. “The scale of vDOS is certainly stunning, but not its novelty or sophistication,” Ofer Gayer of security firm Imperva said but added that this new widespread attention on DDoS service might stall them for a while. Source: https://sports.yahoo.com/news/hack-reveals-inner-workings-shady-180952571.html
View article:
Hack reveals the inner workings of shady DDoS service vDOS
It has been a while sine I wrote about this subject (or about anything at all for that matter) but, it occurred to me to today that the distributed denial of service (DDoS) extortionist issue is a problem that needs to be talked about again. Over the last couple years there have been a lot of websites come under attack from miscreants armed with all manner of distributed denial of service platforms and tools. Often these attackers would first launch an attack and then contact the victim company to say “check your logs to see we’re for real”. Once their bonafides were established they would then demand a sum of money to be paid in bitcoin or suffer the “wrath” of their DDoS attack that was more often that naught was severely oversold. There have been examples of criminal outfits like DD4BC who were true to their word when they made a threat. They would in fact follow through on their threat of an attack. This came to an unceremonious end a year ago when one of the main ne’er do wells was arrested by Europol. More often than naught however, these extortion gangs turn out to be little more than confidence tricksters. One such example was the Armada Collective. This was a criminal outfit that did little more than threaten targets but, with one lone exception, never followed through on the threats they made. Mind you, they did end up making a tidy sum of money from their victims. What this did accomplish was to set a precedent that has given rise to the copycat attackers. A prime example of this was an in an email that I received from a friend. His organization was threatened by a copycat group that were masquerading as the Armada Collective. Basically using the name as a hex sign. A brand name that could be used to possibly intimidate an organization. Here is a redacted version of the email that he provided to me. From: Armada Collective Sent: Subject: ATTENTION: Ransom request!!! FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION! We are Armada Collective. All your servers will be DDoS-ed starting Wednesday (Jun 29 2016) if you don’t pay 5 Bitcoins @ [Bitcoin wallet address redacted] When we say all, we mean all – users will not be able to access sites host with you at all. If you don’t pay by Wednesday, attack will start, price to stop will increase by 5 BTC for every day of attack. If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time. This is not a joke. Our attacks are extremely powerful – sometimes over 1 Tbps per second. So, no cheap protection will help. Prevent it all with just 5 BTC @ [Bitcoin wallet address redacted] Do not reply, we will probably not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US! Bitcoin is anonymous, nobody will ever know you cooperated. While people might not be aware that an organization had in fact cooperated, as per their email, they would be setting a horrible example. The more that companies pay extortionists like this the more emboldened that the criminals would become. This could potentially become a lucrative endeavor for the criminals. At the time of this writing 1 bitcoin was valued at roughly $628 USD. At a bare minimum there would be 5 bitcoin per email above, they would be raking in at least $3000 USD for each successful attack. Not bad for the cost of an email. If you are the recipient of an email like this, seek help to protect your enterprise. Do not feel compelled to pay the attackers. You have no guarantees that they won’t return. Source: http://www.forbes.com/sites/davelewis/2016/09/08/ddos-extortionist-copycats-continues-to-hound-victims/#2c6d7a7b4d06
Read this article:
DDoS Extortionist Copycats Continue To Hound Victims
A security researcher discovered a Trojan that infects Linux platforms used in distributed denial of service (DDoS) attacks. According to MalwareMustDie, the security researcher responsible for the discovery, the malware is written in the Lua programming language (version 5.3.0). The malware, dubbed Linux/Luabot, targets the Linux operating system, used often in web servers and Internet of Things (IoT) devices. The Trojan issues botnet commands to affected systems, MalwareMustDie wrote in a blog post published on Monday. “There are plenty new ELF malware coming & lurking our network recently & hitting out Linux layer IoT and services badly,” MalwareMustDie wrote in the blog post. The researcher advised security professionals to “watch for unusual hazards for the security of our 24/7 running Linux nodes.” Last week, security firm Sucuri disclosed vulnerabilities in IoT home routers that were exploited to launch an application-level DDoS attack. The Strider cyberespionage group disclosed by Symantec last month also used modules written in Lua. Source: http://www.scmagazine.com/luabot-malware-used-to-launch-ddos-attacks/article/520814/
View article:
Luabot malware used to launch DDoS attacks
Arbor security claims Rio was a success in terms of mitigating powerful, prolonged DDoS attacks Public facing websites belonging to organisations affiliated with the 2016 Rio Olympics were targeted by sustained, sophisticated DDoS attacks reaching up to 540Gbps, according to Arbor Networks. Many of these attacks started months before the Olympic Games had begun, but the security company said that attackers increased their efforts significantly during the games, generating the longest-duration sustained 500Gbps+ DDoS attack Arbor has ever seen. “And nobody noticed,” boasted Arbor’s Security Engineering and Response Team (ASERT). Virtual battlegrounds Just like other public services like electricity and water, the ins and outs of keeping websites up and running should be hidden from the general public, allowing them to go about their business without knowing about the virtual warfare being engaged behind server lines. And in ASERT’s opinion, the Rio Olympic Games “set the bar for rapid, professional, effective DDoS attack mitigation under the most intense scrutiny of any major international event to date”. “Over the last several months, several organizations affiliated with the Olympics have come under large-scale volumetric DDoS attacks ranging from the tens of gigabits/sec up into the hundreds of gigabits/sec,” blogged ASERT. “A large proportion of the attack volume consisted of UDP reflection/amplification attack vectors such as DNS, chargen, ntp, and SSDP, along with direct UDP packet-flooding, SYN-flooding, and application-layer attacks targeting Web and DNS services. “The defenders of the Rio Olympics’ online presence knew they’d have their work cut out for them, and prepared accordingly. “A massive amount of work was performed prior to the start of the games; understanding all the various servers, services, applications, their network access policies, tuning anomaly-detection metrics in Arbor SP, selecting and configuring situationally-appropriate Arbor TMS DDoS countermeasures, coordinating with the Arbor Cloud team for overlay ‘cloud’ DDoS mitigation services, setting up virtual teams with the appropriate operational personnel from the relevant organisations, ensuring network infrastructure and DNS BCPs were properly implemented, defining communications channels and operational procedures. “And that’s why the 2016 DDoS Olympics were an unqualified success for the defenders! Most DDoS attacks succeed simply due to the unpreparedness of the defenders – and this most definitely wasn’t the case in Rio.” However, not all defence tactics worked surrounding the Olympic Games. The Brazilian arm of hacking collective Anonymous was successful in targeting websites that included the official website of the federal government for the 2016 games and the Brazilian Ministry of Sports. Anonymous was also able to leak personal and financial data belonging to Brazilian sports domains such as the Brazilian Confederation of Boxing and the Brazilian Triathlon Confederation. “Hello Rio de Janeiro. We know that many have realized how harmful it was (and still is) the Olympic Games in the city. The media sells the illusion that the whole city celebrates and commemorate the reception of tourists from all over the world, many of them attracted by the prostitution network and drugs at a bargain price. This false happiness hides the blood shed in the suburbs of the city, mainly in the favelas thanks to countless police raids and military under the pretext of a fake war,” stated Anonymous. “Therefore, we will continue with our operations to unmask the numerous arbitrary actions of those who are state and therefore its own population enemies.” Source: http://www.techweekeurope.co.uk/security/rio-olympics-ddos-attacks-196998
Excerpt from:
Rio 2016 Olympics Suffered Sustained 540Gbps DDoS Attacks
DOSarrest Expands Into Second City in Asia VANCOUVER, BRITISH COLUMBIA–(Marketwired – Aug. 30, 2016) – DOSarrest Internet Security announced today that they have expanded their DDoS protection cloud in Asia, with a new DDoS mitigation node in Hong Kong. The new node will work in conjunction with their existing nodes in New York, Los Angeles, London, Singapore and Vancouver and will have the same connectivity as the others, including multiple 10 Gb/Sec uplinks to multiple carriers. Mark Teolis, CEO at DOSarrest says, “This new Hong Kong scrubbing center will have excellent connectivity in the region including multiple Chinese upstream providers. To compliment the 6 upstream providers there will be an additional 10Gb/Sec link into the Hong Kong Internet Exchange (HKiX) for even better route diversity. Our customers have asked for it and we are delivering” Teolis adds, “Having great connectivity into China allows us to offer our customers great performance using our caching engine and also more importantly it allows us to stop attacks closer to the source if need be.” Jag Bains, CTO at DOSarrest states, “This new Hong Kong node is part of our global capacity expansion that includes, new hardware in all existing locations, plus the addition of 100+ Gb/Sec of Internet capacity. We need this in order to offer some new services that we will be rolling out in 2017.” About DOSarrest Internet Security: DOSarrest founded in 2007 in Vancouver, B.C., Canada is one of only a couple of companies worldwide to specialize in only cloud based DDoS protection services. Additional Web security services offered are Cloud based W eb A pplication F irewall (WAF) , V ulnerability T esting and O ptimization (VTO) as well as cloud based global load balancing . More information at www.DOSarrest.com CONTACT INFORMATION Media Contact: Jenny Wong Toll free CAD/US 1-888-818-1344 ext. 205 UK Freephone 0800-016-3099 ext. 205 CR@DOSarrest.com Source: http://www.marketwired.com/press-release/-2154179.htm
Read More:
DOSarrest Expands Into Second City in Asia
The global mobile deep packet inspection (DPI) market will grow at an impressive CAGR of almost 22% until 2020, according to Technavio. Stateful packet inspection Stateful packet inspection (SPI), also known as shallow packet inspection technology, was widely used for detecting abnormal packets by inspecting the packet headers only. SPI was not able to detect many new network attacks such as network intrusion detection systems (NIDS) evasion and distributed denial of service. Thus, DPI became … More ?
Excerpt from:
Global mobile deep packet inspection market explodes
The company measured threats faced by its customers during a roughly one-year time period, seeing a 211 percent year-over-year increase in attacks. More commonly known as DDoS attacks, they are designed to flood servers with artificial internet traffic that causes access interruption to websites or network systems. The firm largely attributed this apparent growth to the establishment of several botnet operations — which serve as a platform to automate and increase attack volume — and malicious actors’ ability to access greater bandwidth to help generate and use such weapons. Dark Web dealers are using these botnets, according to Imperva, to offer more effective cyber tools to would-be customers. “The amount of traffic, or bandwidth, that is able to be generated and used as a weapon is at an all-time high. This is likely the result of more compromised machines with higher bandwidth,” Imperva Vice President Tim Matthews told FedScoop. In short, hackers are able to launch denial of service attacks by manipulating a hosting provider to re-route IP addresses towards a preferred server. Those DDoS attacks recorded by Imperva — recorded between March 2015 and April 2016 — targeted a diverse range of clients. Even so, all of the attacks similarly aimed to disrupt each organization’s digital operations at one of two distinct levels: application or network. To be clear, an application-based DDoS effectively works to discontinue online access to a specific property, like a website or software service, rather than an entire network. Because app-based DDoS attacks are by nature less expansive, they typically leverage less traffic. In the past, DDoS-ing an entire network has presented a challenge for hackers due to the sheer artificial traffic required to pull it off. But Imperva’s new report suggests that botnets are significantly changing this dynamic; making it easier for individual operations to disrupt larger segments of the internet. Another worrisome trend in the DDoS arena, spotted by Imperva, is that when a target gets hit once, it should prepare for another wave. Data shows that 40 percent of affected targets were attacked more than once, while 16 percent were targeted more than five times. In the past, DDoS attacks have been used to distract an organization from a more malicious data breach, leading to the possible exfiltration of valuable data like customer finances and personal records. Here’s what a DDoS looks like via a data visualization by cybersecurity firm Norse : Source: http://fedscoop.com/ddos-attacks-up-211-percent-august-2016
Read the article:
“The amount of traffic, or bandwidth, that is able to be generated and used as a weapon is at an all-time high.,” said one expert.
A backdoor Trojan named Twitoor is the first instance of Android malware that receives its commands from a Twitter account. Keeping their botnet out of law enforcement’s and other criminals’ hands is imperative for botmasters if they want to keep earning. C&C servers are the norm, but they can be tracked down, seized by the authorities and, ultimately, reveal crucial information about the botnet, allowing them to shut it down or cripple it. Twitter or … More ?
Originally posted here:
Twitter-controlled Android backdoor delivers banking malware
Gaming servers are a top target of DDoS assaults,’ Imperva security researcher Ofer Gayer told IBTimes UK. Developer Blizzard’s Battle.net servers were hit with yet another DDoS attack on Tuesday (23 August) resulting in latency and connection issues in some of its popular titles including Overwatch, World of Warcraft and Hearthstone. The company acknowledged the interruption on its Twitter support channels in both the US and Europe, indicating that it was not restricted to just one region. The company also said that its sites and forums were “experiencing issues” at the time in a separate tweet. The latest attack is the second such assault targeting the developer’s servers this month and the third since the launch of its popular hero-based shooter, Overwatch, in May. It also comes at the end of which ran from 2 August to 22 August in celebration of the Olympic Games in Rio. On 3 August, Blizzard’s Battle.net servers were crippled by another massive DDoS attack that caused connection, login and latency issues across some of its popular titles. The disruption also occurred on the same day Blizzard launched its Summer Games series. Hacking collective PoodleCorp claimed responsibility for the alleged attack. The same hacker group also claimed responsibility for taking down Pokémon Go’s servers in July. In June, Blizzard’s servers were hit with another alleged DDoS attack claimed by notorious hacker group Lizard Squad that prevented players from accessing their games. DDoS attacks, which are difficult to prevent and defend against, have continued to plague online companies’ networks in recent years, particularly those of major gaming companies’ servers. “Gaming servers are a top target of DDoS assaults,” Ofer Gayer, a senior security researcher at Imperva, told IBTimes UK. “They have been hit with some of the largest and longest attacks on recent record.” He added that mitigating DDoS attacks on game servers is a “particularly complex task”. “Since only gaming platforms are highly sensitive to latency and availability issues, they’re ideal DDoS attack targets,” Gayer said. “Gamers are very sensitive to the impact on latency, so what may be considered negligible for most services, can be very frustrating for the gaming community. This can be affected by multiple factors, most prominently the distribution of scrubbing locations and TTM (time to mitigate).” Imperva’s latest DDoS Threat Landscape Report found that DDoS attacks have increased by a massive 220% over the past year “with no signs of abating”. It also noted that the UK has become the second most popular target for DDoS attacks in the world. Blizzard’s official Customer Support Twitter account later confirmed that the “technical issues” they were experiencing earlier have been resolved. At the time of publication, no hacking group has claimed responsibility for the most recent alleged DDoS attack. Source: http://www.ibtimes.co.uk/blizzards-battle-net-servers-hit-by-yet-another-ddos-attack-1577793
More:
Blizzard’s Battle.net servers hit by yet another DDoS attack