Tag Archives: stop-dos

WikiLeaks’ website was taken offline with a DDoS attack amid an ongoing hacker feud.

As a long-time feud between rival hacking groups boiled over, the WikiLeaks website was caught in the crossfire and brought offline by a distributed-denial-of-service (DDoS) attack on 5 June. However, rather than react with anger, leaked chat logs show how WikiLeaks’ Twitter account engaged the group responsible, called OurMine, and even offered hacking tips for the future. Direct messages leaked to Buzzfeed show how WikiLeaks’ account, rumoured to be helmed by the website’s founder Julian Assange, told the group – which has become known for hacking the online profiles of high-profile figures – their talents could be put to better use. OurMine has recently hacked a slew of celebrities and technology executives including Facebook’s Mark Zuckerberg, Google’s Sundar Pichai and Spotify founder Daniel Ek. Every time, they leave a message telling the victim how weak their security is and leave a link to their website. Indeed the group claims to be a security firm rather than a hacking outfit. In any case, as far as ‘hacks’ go, OurMine’s activity is fairly tame. Until WikiLeaks’ website was taken down – thanks to an ongoing head-to-head with the Anonymous collective – there was little real damage caused to victims other than embarrassment. The DDoS attack took down the famous whistleblowing website by sending waves of traffic towards its servers, a common tactic used in hacktivist circles as a means of protest. After the incident, WikiLeaks got in touch and said the group was wasting its time by not making the most of the chances received by infiltrating profiles of the rich and famous. “If you support us and want to show you’re skills, then don’t waste your time with DDoS etc,” the account wrote. “Find us interesting mail spools or docs and send them to [WikiLeaks]. That’ll have a much greater impact.” After OurMine replied with “We never change their passwords we are just testing their accounts’ security” WikiLeaks said it was a “huge waste.” The message continued: “There’s a lot more than (sic) could have been done with those accounts. Sending DM’s as Zuckerberg to further access elsewhere. Same with Google CEO. You could have used these accounts to gain access to much more significant information, revealing corrupt behaviour elsewhere.” Based on the chats, OurMine appeared to agree with the new direction. “Great idea,” it said. One the hackers, speaking with Wired, previously said: “We don’t need money, but we are selling security services because there is a lot [of] people [who] want to check their security. We are not blackhat hackers, we are just a security group…we are just trying to tell people that nobody is safe.” Source: http://www.ibtimes.co.uk/wikileaks-tells-ourmine-hackers-impersonate-high-profile-victims-reveal-corrupt-behaviour-1569499

There Are over 100 DDoS Botnets Based on Lizard Squad’s LizardStresser

While most of Lizard Squad’s first members are in jail or hiding and hoping that law enforcement won’t come knocking on their door, the group continues to live on through new members, new attacks, but also through the LizardStresser toolkit, which they leaked online at the start of 2015. The toolkit was heavily forked and adapted, as many other hacking groups sought to use it to create their own botnets to use for DDoS attacks, either just to annoy people, extort companies or hacktivism activities. LizardStresser is geared towards infecting IoT devices Arbor Networks says that LizardStresser is not extremely complicated, and is nothing more than a DDoS attack toolkit that uses the ancient IRC protocol to communicate between the C&C server and the client-side component. Because LizardStresser is coded in C and designed to run on Linux architectures, Arbor Networks says that a lot of groups that are deploying new LizardStresser instances are taking advantage of unsecured IoT devices running on platforms such as x86, ARM, and MIPS, where a stripped-down Linux version is the preferred OS. We touched on this topic last year when Lizard Squad’s new members were having trouble with their own botnet after unknown security researchers were trying to hijack some of these infected IoT systems. Webcams make the bulk of the LizardStresser-based botnets According to Arbor Networks, most of these infected IoT devices are Internet-connected webcams, accessible through a page broadcasting the “NETSurveillance WEB” title, and using their default access passwords. In a DDoS attack of over 400 Gbps aimed at a gaming site, Arbor says that 90% of the bots that participated in the attack were these type of webcams. The DDoS attacks are extremely simple and don’t even use traffic amplification/reflection techniques. LizardStresser was created to launch direct DDoS attacks, meaning the bots send UDP or TCP floods directly to the target. LizardStresser launches direct DDoS attacks, no protocol amplification Because of the massive amount of unsecured IoT devices, groups that use LizardStresser can launch massive DDoS attacks, previously thought to be unachievable without UDP-based amplification protocols such as NTP or SNMP. Furthermore, LizardStresser also includes a telnet brute-forcing feature that’s used to test new devices for default passwords and inform the C&C server about possible new victims. All of these make features make LizardStresser a popular choice when hacking outfits and hacktivism groups are looking for tools to build or broaden their DDoS capabilities. Overall, there’s a growing trend in terms of hacking groups adopting LizardStresser. “LizardStresser is becoming the botnet-du-jour for IOT devices given how easy it is for threat actors to make minor tweaks to telnet scanning,” says Matthew Bing of Arbor Networks. “With minimal reseach [sic] into IOT device default passwords, they are able to enlist an exclusive group of victims into their botnets.” Number of C&C servers using LizardStresser in 2016 Source: http://news.softpedia.com/news/there-are-over-100-ddos-botnets-based-on-lizard-squad-s-lizardstresser-505816.shtml#ixzz4D0b6wPkw

See the article here:
There Are over 100 DDoS Botnets Based on Lizard Squad’s LizardStresser

Massive DDoS attacks reach record levels as botnets make them cheaper to launch

Nineteen attacks that exceeded 100Gbps were recorded during the first three months of 2016 There were 19 distributed denial-of-service (DDoS) attacks that exceeded 100 Gbps during the first three months of the year, almost four times more than in the previous quarter. Even more concerning is that these mega attacks, which few companies can withstand on their own, were launched using so-called booter or stresser botnets that are common and cheap to rent. This means that more criminals can now afford to launch such crippling attacks. “In the past, very few attacks generated with booter/stresser tools exceeded the 100 Gbps mark,” researchers from Akamai said in the company’s State of the Internet security report for the first quarter of 2016 that was released Tuesday. By comparison, only five DDoS attacks over 100 Gbps were recorded during the fourth quarter of 2015 and eight in the third quarter. Nineteen such attacks in a single quarter is a new high, with the previous record, 17, set in the third quarter of 2014. But high bandwidth is not the only aspect of DDoS attacks that can cause problems for defenders. Even lower-bandwidth attacks can be dangerous if they have a high packet rate. A large number of packets per second poses a threat to routers because they dedicate RAM to process every single packet, regardless of its size. If a router serves multiple clients in addition to the target and exhausts its resources, that can cause collateral damage. According to Akamai, in the first quarter there were six DDoS attacks that exceeded 30 million packets per second (Mpps), and two attacks that peaked at over 50 Mpps. DDoS reflection and amplification techniques continue to be used extensively. These involve abusing misconfigured servers on the Internet that respond to spoofed requests over various UDP-based protocols. Around one-in-four of all DDoS attacks seen during the first three months of 2016 contained UDP (User Datagram Protocol) fragments. This fragmentation can indicate the use of DDoS amplification techniques, which results in large payloads. The four next most common DDoS attack vectors were all protocols that are abused for DDoS reflection: DNS (18 percent), NTP (12 percent), CHARGEN (11 percent) and SSDP (7 percent). Another worrying trend is that an increasing number of attacks now use two or more vectors at the same time. Almost 60 percent of all DDoS attacks observed during the first quarter were multivector attacks: 42 percent used two vectors and 17 percent used three or more. “The continued rise of multi-vector attacks suggests that attackers or their attack tools are growing more sophisticated,” the Akamai researchers said in their report. “This causes problems for security practitioners, since each attack vector requires unique mitigation controls.” China, the U.S. and Turkey were the top three countries from where DDoS attack traffic originated, but this indicates where the largest number of compromised computers and misconfigured servers are located, not where the attackers are based. The most-hit industry was gaming, accounting for 55 percent of all attacks. It was followed by software and technology (25 percent), media and entertainment (5 percent), financial services (4 percent) and Internet and telecommunications (4 percent). Being hit by one isn’t the only way DDoS attacks can affect businesses: They can also be blackmailed with the threat of one, an increasing trend over the past year. In some cases attackers don’t even have to deliver on their threats. Researchers from CloudFlare reported recently that an extortion group earned $100,000 without ever launching a single DDoS attack. Source: http://www.itnews.com/article/3079988/massive-ddos-attacks-reach-record-levels-as-botnets-make-them-cheaper-to-launch.html

See original article:
Massive DDoS attacks reach record levels as botnets make them cheaper to launch

Hackers Hit Facebook CEO Mark Zuckerberg’s Twitter and Pinterest Accounts

Facebook co-founder and CEO Mark Zuckerberg was apparently targeted by a hacking team over the weekend that was able to access his seldom-used Twitter and Pinterest accounts. The hacker group OurMine, believed to be based in Saudi Arabia, posted messages to Zuckerberg’s Twitter account, @finkd, which features just 19 tweets and hasn’t been otherwise updated since 2012. The team also briefly commandeered Zuckerberg’s Pinterest account, which has just a few boards and pins. Both Twitter and Pinterest have since removed the unauthorized content on Zuckerberg’s accounts, and Twitter has also suspended OurMine’s main account. The group is now posting on Twitter via a backup account. ‘Saving People from Other Hackers’ On Sunday, OurTeam tweeted on the backup account, “i don’t understand why @twitter suspended our account while we are saving people from other hackers!” Another tweet posted this morning added, “Our Old Twitter (@_OurMine_) is suspended because we are just trying to secure Mark Zuckerberg Accounts!” The person or people posting to the backup OurTeam Twitter page also noted they would try to get the team’s main Twitter account unsuspended. Contrary to some news reports stating that OurTeam claimed to have found Zuckerberg’s login information from user data leaked from a major hack attack on LinkedIn in 2012, the hacking group noted in a tweet yesterday that it had made no such claim and added that it had never used LinkedIn. ‘Relatively New’ Hacking Group OurMine is a “relatively new” hacking group that first appeared on Twitter in March 2015, according to a report published by the content delivery network specialist Akamai last year. The team initially appeared to focus on distributed denial of service (DDoS) attacks on gaming services, and later took responsibility for similar such attacks on financial service companies. Nine companies were attacked by OurTeam on July 22 of last year, with the combined DDoS attack levels exceeding 117 gigabytes per second. OurMine has also claimed to have attacked a number of other targets, including Soundcloud and PewDiePie. Zuckerberg hasn’t made any public statement regarding the OurMine attacks on his accounts. However, after OurMine tweeted it had accessed his accounts, Zuckerberg responded, “No you didn’t. Go away, skids.” That tweet has also since been removed. A June 2012 hack of LinkedIn was originally believed to have involved just 6.5 million passwords — at least, that’s the number LinkedIn first acknowledged. However, a report emerged last month that a dark Web marketplace and another site, LeakedSource, had obtained data from 167 million hacked LinkedIn accounts. Of those, 117 million included e-mails and passwords. The remaining accounts are thought to belong to users who logged into the site via Facebook. Some news reports have stated that OurTeam claimed to have found Zuckerberg’s Twitter and Pinterest password — “dadada” — in the compromised LinkedIn data. Source: http://www.sci-tech-today.com/news/Hackers-Hit-Zuckerberg-s-Accounts/story.xhtml?story_id=012001GT5W5O

Russia’s top 3 banks were target of world’s largest DDoS attack

Russia’s three largest Russian banks – VTB, Sberbank and Bank of Moscow – came under a massive DDoS-attack in the fall of 2015, a top manager at VTB has said. Claiming the attackers demanded a bitcoin payment for stopping the attack. A senior official from one of Russia’s largest banks has revealed that the lender became the target of the most extensive DDoS-attack in the entire history of monitoring in the fall of 2015. “A certain group of perpetrators” carried out a series of “the strongest DDoS-attacks” against Sberbank, VTB and Bank of Moscow for several days, Dmitry Nazipov, senior vice president of VTB, told the Russian media on June 1. According to him, the bank received a “fairly typical letter” in English at that time demanding a bitcoin payment in return for stopping the attacks. “Obviously, we did not agree to pay, but that attack was generally localized in three days, and was not repeated on such a scale thereafter,” said Nazarov. He pointed out that to solve the problem, VTB collaborated with police, telecom service providers and the Central Bank’s information security center, FinCert. In September 2015, the deputy head of the Central Bank’s main security and information protection directorate, Artyom Sychev, said that the websites of five major Russian banks had been subjected to a DDoS-attack. He did not disclose the names of the banks. Sychev said that after the end of the attacks, some of the banks attacked received letters from extortionists who demanded that 50 bitcoins (the average value of a bitcoin was around $230 in September 2015 – RBTH) be transferred to them for not repeating such attacks. He noted that the banks did not suffer damage as a result of the attack. Earlier on June 1, the Federal Security Service and the Interior Ministry reported the detention of 50 suspects in a theft of 1.7 billion rubles ($25 million) from financial institutions. The police also said that they could prevent 2.2 billion rubles’ ($32.5 million) worth of possible damage. The law enforcement agencies turned to security software producer Kaspersky Lab for help in identifying the suspects. According to the company, the hackers stole 3 billion rubles ($44.5 million). Six Russian banks, including Metallinvestbank, the Russian International Bank, Metropol and Regnum, were victims of the hackers. Source: https://rbth.com/business/2016/06/02/russias-top-3-banks-were-target-of-worlds-largest-ddos-attack_599743

DDoS-for-Hire Services Go Up on Fiverr for 5 Bucks

In a new wrinkle in cybercriminal business modeling, distributed denial of service (DDoS)-for-hire services are being offered on the popular website Fiverr—where, as its name suggests, various professional services are offered for $5. According to Imperva, DDoS-for-hire services are a widespread business for hackers, typically billing themselves as “stressor” services to “help test the resilience of your own server.” In reality, they’re renting out access to a network of enslaved botnet devices, (e.g., Trojan-infected PCs), which are used as a platform to launch DDoS attacks. And once a user hands over his money, the criminals don’t care whose servers are ‘stress tested.’ A year ago, Imperva’s survey of the 20 most common stressor services showed that the average price was $38 per hour, and went as low as $19. Recently, the SecureWorks Underground Hacker Marketplace Report showed that, on the bottom end, the cost of hiring such a service on the Russian underground dropped to just five dollars per hour. “The price tag made us think of Fiverr—a trendy online marketplace where various professional services are offered for five bucks?” Incapsula researchers said, in a blog. “Would DDoS dealers have the audacity to use this platform to push their wares? A quick site search confirmed that, in fact, they would.” Imperva reached out to see if the Fiverr offers were the innocent stress testers they claimed to be. “To do so, we created an account on Fiverr and asked each of the stressor providers the following question: Regarding the stress test, does the site have to be my own?” the researchers noted. “Most had the good sense to ignore our message. One suggested that we talk on Skype.” In the end, an offering with a skull and bones image that offered to “massive DDoS attack your website” responded, saying: “Honestly, you [can] test any site. Except government state websites, hospitals.” Imperva quickly contacted Fiverr to let them know about the misuse of their service—they responded and acted to remove the providers. “Fiverr’s decisive action should serve as an example to an online community that, by and large, has accepted the existence of illegal stressors as a fact of life,” the researchers noted. Source: http://www.infosecurity-magazine.com/news/ddosforhire-services-go-up-on/

More:
DDoS-for-Hire Services Go Up on Fiverr for 5 Bucks

Devices Infected With New Ransomware Versions Will Execute DDoS Attacks

A combination of Ransomware and DDoS attacks is heralding a new wave of cyber attacks against consumers and enterprises around the world. Security experts are concerned this may become a standard practice going forward; this is not good news by any means. Ransomware And DDoS Is A Potent Mix Over the past few years, ransomware attacks have become the norm rather than an exception. But the people responsible for these attack continue to improve their skills, and infected machines will now start executing distributed denial of service attacks as well. Not only will users not be able to access their files, but the device will also become part of a botnet attacking other computers and networks around the world. KnowBe4 CEO Stu Sjouwerman stated: “ Adding DDoS capabilities to ransomware is one of those ‘evil genius’ ideas. Renting out DDoS botnets on the Dark Web is a very lucrative business, even if prices have gone down in recent years. You can expect [bundling] it to become a fast-growing trend.” One of the first types of ransomware to embrace this new approach is Cerber, a Bitcoin malware strain which has been wreaking havoc for quite some time now. Attacks have been using “weaponized” Office documents to deliver malware to computers, which would then turn into a member of a botnet to DDoS other networks. While some people see this change as a logical evolution of ransomware attacks, this is a worrying trend, to say the least. Assailants can come up with new ways to monetize their ransomware attacks, even if the victim decides not to pay the fee. As long as the device is infected, it can be used to execute these DDoS attacks, which is a service worth the money to the right [wrong] people. A recent FireEye report shows how the number of Bitcoin ransomware attacks will exceed 2015 at the rate things are going right now. Now that DDoS capabilities are being added to the mix, it is not unlikely the number of infections will increase exponentially over the next few months. Moreover, removing the ransomware itself is no guarantee computer systems will not be used for DDoS purposes in the future, and only time will tell if both threats can be eliminated at the same time. Source: http://themerkle.com/devices-infected-with-new-ransomware-versions-will-execute-ddos-attacks/

View post:
Devices Infected With New Ransomware Versions Will Execute DDoS Attacks

Bitrated faces severe DDoS attack and $3,200 ransom demand

A couple of hours ago, Bitrated, a bitcoin trust platform meant for reputation management and consumer protection has posted a tweet, warning users about an ongoing DDoS attack, carried out in the form of an extortion attempts. During the last couple of weeks, numerous Bitcoin-related companies, but also other businesses from all around the world have been affected by such attacks. According to a Medium post written by the Bitrated, it seems like they received a warning mail five minutes prior to the commencement of the attack, asking for a total of 7 BTC, worth around $3,200 at the time of writing. Unlike other extortionists who decided not to stand up to their promise, Bitrated’s servers were attacked for a couple of hours, and were put under a strain of 3.2 Gb/s. In return, DigitalOcean null routed trading on their network infrastructure. According to Bitrated, the company has an ethic code which makes them unable to succumb to any extortion attempts. They believe that blackmail demands are unethical, and funding the extortionists will undoubtedly lead to further attacks. Bitrated also mentioned that due to their nature of being a bootstrapped startup, they do not have the financial resources required to counter-attack such demands, which is why the service may be unavailable for a while. Based on everything that has been outlined so far, what do you personally think about this DDoS attack? Let us know your thoughts in the comment section below. UPDATE: The DDoS attacks have stopped. Therefore, the platform is available. Bitrated encourages users who wish to do so, to withdraw their funds from the system as soon as possible. Source: http://themerkle.com/bitrated-faces-severe-ddos-attack-and-3200-ransom-demand/

Read the article:
Bitrated faces severe DDoS attack and $3,200 ransom demand

Anonymous Launches DDoS attacks Against Denver Police Website Against Fatal Shooting

Anonymous NWH targets Denver police department domain with DDoS attack to register protest against the fatal shooting of 39-year-old Dion Avila An Anonymous-linked team of attackers called New World Hacking (NWH) has conducted a series of powerful distributed denial-of-service ( DDoS ) attacks on Denver city, county and police website earlier today forcing the site to go offline — The reason for targeting the site was last week’s (Tuesday 14th April) police shooting in which Dion Avila Damon was allegedly killed inside his parked car near the Denver Art Museum. In an exclusive conversation with two of the NWH attackers (Sad Prophet and SinfulHazeCE) behind this attack, HackRead told that: “We see how Denver police don’t care so if they don’t care about killing and innocent; we don’t care about continuous attacks on Denver.” The attackers also hint for a database leak within a week or so depending on the response from Denver police department. However, Fox news reported that Police is investigating an officer-involved in the shooting. Remember, the NWH is the same group who claimed responsibility for shutting down Xbox online service , BBC news servers , HSBC UK’s online banking, the official website for Donald Trump’s election campaign, Salt Lake city Police and airport websites . At the time of publishing this article, the Denver police department website was down. Source: https://www.hackread.com/anonymous-shut-denver-police-website/

View post:
Anonymous Launches DDoS attacks Against Denver Police Website Against Fatal Shooting

BadLock Opens Door for Samba-based MiTM, DDoS Attacks

Details of a new, high-impact vulnerability known as BadLock have been revealed, affecting Samba, the standard Windows interoperability suite of programs for Linux and Unix. As the researchers who discovered it noted, “we are pretty sure that there will be exploits soon after we publish all relevant information.” Fortunately, patches have been released today, and admins would behoove themselves to update their systems immediately. The vulnerability was discovered by Stefan Metzmacher, a member of the international Samba Core Team, working at SerNet on Samba. He reported the bug to Microsoft and has been working closely with the computing giant to fix the problem. The research team said that the security vulnerabilities can be mostly categorized as man-in-the-middle or denial of service attacks. The several MITM attacks that the flaw enables would permit execution of arbitrary Samba network calls using the context of the intercepted user. So for instance, by intercepting administrator network traffic for the Samba AD server, attackers could view or modify secrets within an AD database, including user password hashes, or shutdown critical services. On a standard Samba server, attackers could modify user permissions on files or directories. As far as DDoS, Samba services are vulnerable to a denial of service from an attacker with remote network connectivity to the Samba service. While there are several proof of concept (PoC) exploits that researchers have developed, they’re not releasing them to the public, nor are they going into detail on what the vulnerability entails or arises from. Red Hat researchers offered a bit more on the flaw: It is “a protocol flaw in the DCE/RPC-based SAMR and LSA protocols used in the Microsoft Windows Active Directory infrastructure. DCE/RPC is the specification for a remote-procedure call mechanism that defines both APIs and an over-the-network protocol. The Security Account Manager (SAM) Remote Protocol (Client-to-Server) provides management functionality for an account store or directory containing users and groups. The protocol exposes the “account database” for both local and remote Microsoft Active Directory domains. The Local Security Authority (Domain Policy) Remote Protocol is used to manage various machine and domain security policies. This protocol, with minor exceptions, enables remote policy-management scenarios. Both SAMR and LSA protocols are based on the DCE 1.1 RPC protocol.” These protocols are typically available to all Windows installations, as well as every Samba server. They are used to maintain the Security Account Manager database, which applies to all roles (for example, standalone, domain controller or domain member). The flaw thus gives attackers a way to insert themselves into that communications chain, and go on to execute a MiTM or DDoS attack. The BadLock researchers announced weeks ago that they would be making this announcement and releasing patches, drawing not a little derision for hyping the situation—especially since they went so far as to develop a logo. But the researchers said that they were simply making use of the hash-taggable name to get people interested, talking about it and ready to patch. “Like Heartbleed, what branded bugs are able to achieve is best said with one word: Awareness,” the researchers noted. “It is a thin line between drawing attention to a severe vulnerability that should be taken seriously and overhyping it. This process didn’t start with the branding—it started a while ago with everyone working on fixes. The main goal of this announcement was to give a heads up. Vendors and distributors of Samba are being informed before a security fix is released in any case. This is part of any Samba security release process.” Source: http://www.infosecurity-magazine.com/news/badlock-opens-door-for-sambabased/

Read the original:
BadLock Opens Door for Samba-based MiTM, DDoS Attacks