Tag Archives: var-username

South Korea no 1 origin point for DDoS attacks

South Korea has taken the top spot as the largest origin point for DDoS attacks in 2016. Imperva documented DDoS attacks coming out of South Korea at a rate nearly triple that of Russia, which came in second. In fact, South Korea attained a proportion of global DDoS responsibility greater than the next three countries combined. DDoS attacks are one of the more popular tools in the hacker’s toolkit. DDoS, or distributed denial of service attacks, work by essentially flooding the target with traffic. Attackers will normally employ botnets to do this, making it seem as though millions of people are all visiting the same site at the exact same second. Though a favourite of hacktivists, the attack is also employed by cyber-criminals, often using it as a smokescreen to distract defenders while stealing information from the parts of networks that are left undefended. The blackmail group DD4BC, for example, would relentlessly DDoS websites until the unfortunate victims coughed up a couple of bitcoins. Ewan Lawson, a Royal United Services Institute fellow and expert in cyber-security, offered insight as to why South Korea might have reached this zenith. Lawson told SCMagazineUK.com , “It feels like it is in part a reflection of the networked nature of [South Korea] but there are other countries with similar degrees of penetration or greater.” South Korea has one of the highest internet penetration rates in the world and also enjoys one of the faster internet speeds, last year rated at an average of 23.6 Mbps. “It would therefore suggest”, said Lawson, “that there is some vulnerability in the gateways and/or servers that are being exploited by the DDoS enabling malware.” Igal Zeifman, senior manager at Imperva, told SC , “As a rule, botnets thrive either in regions with high Internet connectivity or in emerging Internet markets with a high prevalence of unsecured connected devices.” Zeifman added, “South Korea certainly fits the former scenario, with botnet shepherds benefiting from the organic evolution in connection speeds—something that also improves the attacking (upload) capabilities of compromised devices.” Botnets have been growing rapidly in South Korea over the past year. The South Korean DDoS activity primarily comes from two botnets – Nitol and PCRat – both of which offer remote control over the infected devices. Where they differ is their attack traffic signatures, Zeifman told SC. Nitol, for example, is a Chinese botnet and will probably send out attack disguised as search engine crawlers from Baidu, an immensely popular Chinese website. Jarno Limnell, professor of cyber-security at Aalto university in Finland, explained to SC that both of these botnets are Windows based: “A typical ‘member’ of a botnet is, therefore, a Windows PC. The easiest way to do it – non-updated (and possibly illegal) Windows with the appropriate vulnerability. I guess that in South Korea there a lot of these kind of PCs available to build botnets.” Russia and Ukraine came second and third respectively. Though beaten by South Korea, Zeifman told SC that the two countries owe much of their increased activity to “the emergence of new botnets built out of Windows OS devices compromised with the Generic!BT malware”. Zeifman added this may be indicative of poor security in those countries: “The fact that a known, and pretty outdated, type of malware is successfully being used points to inefficient security measures on the part of device owners.” Meanwhile, and perhaps unsurprisingly, the United States was the most DDoSed country in the world over the last quarter, far outpacing the combined total of the other nine most DDoSed countries. Some of the report’s other findings included the fact that DDoS attacks, are “upping their game” when it comes to botnets. Imperva’s report says this, “this was best exemplified by an increase in the number of DDoS bots with an ability to slip through standard security challenges, commonly used to filter out attack traffic.” Over the first quarter of this year, the number of these kinds of bots “mushroomed” from 6.1 percent to 36.6 percent, as a proportion of total bots. What makes them different is that some of these bots can hold cookies while others can spot javascript, making for a deadly combination. DDoS attackers are also narrowing their gazes. Imperva notes that while DDoS attacks may have once been brutish and crude, the company is seeing far more finesse in the deployment. Attackers have been experimenting with new methods and vectors, which the reports says suggests “that more perpetrators are now re-prioritising and crafting attacks to take down DDoS mitigation solutions, rather than just the target.” Source: http://www.scmagazineuk.com/south-korea-no-1-origin-point-for-ddos-attacks/article/491220/

More:
South Korea no 1 origin point for DDoS attacks

Blizzard’s Battle.net Hit With Major DDoS Attack

When the waters finally calmed, Blizzard took to Twitter with the following message. That’s because some nefarious individuals launched a DDOS attack on the service. In fact, all of Blizzard’s U.S. servers were down for an extended period last night. Sony and Microsoft undergo similar attacks on a regular basis and are especially prone to such attacks during the holidays. GAMING SERVICES were hit with a distributed denial-of-service (DDoS) attack that forced users to eat Cheetos while not screaming at total strangers. This isn’t the first time the group has attacked a gaming company. Blizzard has suffered an attack on its servers that halted access to many of its games. By about 11:45 p.m., Blizzard sent out the above tweet giving gamers the all clear to jump back online. Given some of the realm stability issues caused by the service interruptions, there may be some log loss when loot is dropped or crafting occurs. A DDoS attack targeting game developer Blizzard’s servers has disrupted gamers from logging into popular games such as Diablo 3 and World of Warcraft. From the looks of it, a Blizzard employee’s Outlook account was hacked which lead to personal information and contact lists with information about other Blizzard employees being found. Maybe the hacking group felt their fellow gamers were being wronged (they weren’t) and this was their grand form of retaliation. They have teased that they have “more to come” without explaining what they plan to do next. Source: http://sacredheartspectrum.com/2016/04/blizzards-battle-net-hit-with-major-ddos-attack/

Originally posted here:
Blizzard’s Battle.net Hit With Major DDoS Attack

BadLock Opens Door for Samba-based MiTM, DDoS Attacks

Details of a new, high-impact vulnerability known as BadLock have been revealed, affecting Samba, the standard Windows interoperability suite of programs for Linux and Unix. As the researchers who discovered it noted, “we are pretty sure that there will be exploits soon after we publish all relevant information.” Fortunately, patches have been released today, and admins would behoove themselves to update their systems immediately. The vulnerability was discovered by Stefan Metzmacher, a member of the international Samba Core Team, working at SerNet on Samba. He reported the bug to Microsoft and has been working closely with the computing giant to fix the problem. The research team said that the security vulnerabilities can be mostly categorized as man-in-the-middle or denial of service attacks. The several MITM attacks that the flaw enables would permit execution of arbitrary Samba network calls using the context of the intercepted user. So for instance, by intercepting administrator network traffic for the Samba AD server, attackers could view or modify secrets within an AD database, including user password hashes, or shutdown critical services. On a standard Samba server, attackers could modify user permissions on files or directories. As far as DDoS, Samba services are vulnerable to a denial of service from an attacker with remote network connectivity to the Samba service. While there are several proof of concept (PoC) exploits that researchers have developed, they’re not releasing them to the public, nor are they going into detail on what the vulnerability entails or arises from. Red Hat researchers offered a bit more on the flaw: It is “a protocol flaw in the DCE/RPC-based SAMR and LSA protocols used in the Microsoft Windows Active Directory infrastructure. DCE/RPC is the specification for a remote-procedure call mechanism that defines both APIs and an over-the-network protocol. The Security Account Manager (SAM) Remote Protocol (Client-to-Server) provides management functionality for an account store or directory containing users and groups. The protocol exposes the “account database” for both local and remote Microsoft Active Directory domains. The Local Security Authority (Domain Policy) Remote Protocol is used to manage various machine and domain security policies. This protocol, with minor exceptions, enables remote policy-management scenarios. Both SAMR and LSA protocols are based on the DCE 1.1 RPC protocol.” These protocols are typically available to all Windows installations, as well as every Samba server. They are used to maintain the Security Account Manager database, which applies to all roles (for example, standalone, domain controller or domain member). The flaw thus gives attackers a way to insert themselves into that communications chain, and go on to execute a MiTM or DDoS attack. The BadLock researchers announced weeks ago that they would be making this announcement and releasing patches, drawing not a little derision for hyping the situation—especially since they went so far as to develop a logo. But the researchers said that they were simply making use of the hash-taggable name to get people interested, talking about it and ready to patch. “Like Heartbleed, what branded bugs are able to achieve is best said with one word: Awareness,” the researchers noted. “It is a thin line between drawing attention to a severe vulnerability that should be taken seriously and overhyping it. This process didn’t start with the branding—it started a while ago with everyone working on fixes. The main goal of this announcement was to give a heads up. Vendors and distributors of Samba are being informed before a security fix is released in any case. This is part of any Samba security release process.” Source: http://www.infosecurity-magazine.com/news/badlock-opens-door-for-sambabased/

Read the original:
BadLock Opens Door for Samba-based MiTM, DDoS Attacks

Anonymous Conducts Usual DDoS Attacks on Israel for #OpIsrael

“Anonymous” vows to carry on its annual assaults on Israeli infrastructure linked to its #OpIsrael campaign on April 7, 2015 — However, it seems more hype than harm The first attacks in connection with #OpIsrael occurred in 2013, wherein some divisions of the Anonymous hackers mutually launched multiple organized cyber-attacks against Israeli websites on the eve of the Holocaust Remembrance Day, on April 8. From 2013 onwards, the group carried out such attacks consistently same date every year, and in a recent video statement, it has pledged to continue these attacks in 2016. However, this year, Holocaust Remembrance Day is on May 4, but the attacks will still occur on April 7. Israel has planned a hackathon on ironically the same day: In recent years, these cyber attacks contained DDoS attacks, database leaks, website defacements, and social media account hijacking but aAfter the recent spasms against Ukraine’s electrical power grid, this year, the Israeli government has also arranged a hackathon with over 400 participants who will take on against the potential cyber-attack on the country’s power grid, transportation system, and government IT networks. This potential threat based hackathon is also scheduled for today. History of some high-profile cyber attacks against Israel: 1. In 2013, Israel’s major traffic tunnel was hit by a cyber-attack, causing huge financial damages. 2. In 2014, Izz al-Din al-Qassam Brigade of Hamas successfully hacked the ongoing transmission of famous Israeli Channel 10 and replaced it with images of wounded Palestinian families. 3. In April 2015, several computer networks belonging to the Israeli military were penetrated by Arabic-speaking hackers under a four-month spying campaign by using provocative images of IDF’s women soldiers. 4. In January 2016, Israeli power authority network was hit by a sophisticated ransomware. 5. In February 2016, pro-Hezbollah hackers took over country’s security camera systems. Data leak and DDoS attacks conducted by Anonymous and pro-Palestinian hackers: The hacktivists are already targeting Israeli government and civilian websites. In the latest attacks, hundreds of government-owned websites have been under DDoS attacks forcing them to stay offline. There are several tweets containing Pastebin links in which attackers are claiming to dump credit card data of several Israeli citizens. One hacktivist group going with the handle of RedCult has leaked a list of about 1000 alleged Facebook users from Israel containing emails and their clear-text passwords. The websites that have been taken offline include Israel Defense Forces, Israeli ministry of justice, Israeli Immigration, Israel Police Department, Israel Airport Authority, Israeli ministry of justice, rights and services for Holocaust survivors and other top government websites. Source: https://www.hackread.com/anonymous-cyber-attack-on-israel/

See original article:
Anonymous Conducts Usual DDoS Attacks on Israel for #OpIsrael

DDoS Attacks With BillGates Linux Malware Intensify

XOR botnet authors migrate to using BillGates malware Over the past six months, security researchers from Akamai’s SIRT team have observed a shift in the cyber-criminal underground to using botnets created via the BillGates malware to launch massive 100+ Gbps DDoS attacks. The BillGates malware is a relatively old malware family aimed at Linux machines running in server environments. Its primary purpose is to infect servers, link them together in a botnet controlled via a central C&C server, which instructs bots to launch DDoS attacks at their targets. The malware has been around for some years and due to its (irony-filled) name is probably one of the most well-known Linux-targeting malware families. Former XOR botnet operators reverted to using BillGates A BillGates botnet is capable of launching Layer 3, 4, and 7 DDoS attacks. More accurately it supports ICMP floods, TCP floods, UDP floods, SYN floods, HTTP floods and DNS reflection floods. According to Akamai’s Security Intelligence Research Team (SIRT), ever since the XOR DDoS botnet , also Linux-based, has been neutralized a few months back, hacking outfits have switched to the BillGates botnet for their attacks. While not as powerful as the XOR botnet, which was capable of launching 150+ Gbps attacks, BillGates attacks can go over 100 Gbps when needed. Moreover, as Akamai noticed, the hacking crew that deployed the XOR botnet has also switched to using BillGates malware, the CDN and cyber-security provider seeing DDoS attacks on the very same targets the XOR botnet crew was previously attacking. Most BillGates DDoS attacks targeted Asian online gaming servers DDoS attacks launched with this botnet have were seen targeting Asia-based companies and their digital properties, mostly located in online gaming. Besides the original XOR crew, the malware has been used to build different botnet by multiple gangs and has even been used as the base for other Linux-based DDoSing malware. The BillGates malware is available for purchase on underground hacking forums, and it comes in the form of a “malware builder” which allows each crew to generate its own strand, that can run on different C&C servers. Last June , Akamai observed a similar spike in DDoS attacks coming from botnets built with the BillGates malware. Source: http://news.softpedia.com/news/ddos-attacks-with-billgates-linux-malware-intensify-502697.shtml

See the original article here:
DDoS Attacks With BillGates Linux Malware Intensify

Hacker Faces 10 Years for DDoS Attacks and Sex Toy Pranks in DOJ Crackdown

A nonymous’s repeated attacks on Donald Trump since December of 2015 have made hacker harassment a part of everyday conversation. Today, the United States Department of Justice handed down a sentence to a member of the Electronik Tribulation Army (ETA) that shows just how severe the punishment for those types of hacks can be. Benjamin Earnest Nichols, a 37-year-old ETA member from Oklahoma City, pled guilty to intentionally causing damage with a distributed denial of service (DDoS) attack on mcgrewsecurity.com in 2010. Nichols hasn’t been sentenced yet, but faces a maximum of 10 years in federal prison and a $250,000 fine. It’s the DDoS attack that put Nichols in court, but the list of other things he admits to doing range from costly to downright dirty: causing $6,500 in losses to McGrew Security because of a downed website, making disparaging remarks and insulting McGrew (owner of the attacked website and security service), photoshopping images of McGrew, and sending sex toys to McGrew’s home. The exact type of sex toys were not mentioned in the U.S. Attorney’s Office press release. Regardless, it’s the type of behavior hacking groups have made a name doing. It’s also behavior that the U.S. DOJ plans on stopping. McGrew became a target of the ETA because of his role in the arrest of Jesse McGraw, the leader of the hacker group, back in 2009. McGraw was arrested after he installed malware and a remote-access program on dozens of computers at the North Central Medical Plaza in Dallas. He planned to use the medical computers for a DDoS attack on a rival hacker group, but was stopped before anything came of his tampering. He was sentenced to nine years in federal prison in 2011. It was one of the first major cybercrime sentences given, and the hacking community still mentions the decision’s importance. After McGraw’s arrest, Nichols and two other ETA members turned their eyes on McGrew. “They set up a website in my name to pose as me, and put up embarrassing content or things they though would embarrass me, including a call-to-action to buy sex toys, and fake pornographic images,” McGrew told Wired in 2010. “They harvest email addresses from the university I work at and emailed it out to those.” McGrew was a key witness against McGraw, so the FBI got involved. They raided Nichols’ home because his actions were “affecting a potential witness in an official proceeding,” the search warrant affidavit read. The search warrant lists Nichols as going by the names “thefixer25,” ”fixer,” “fix,” ”c0aX,” and “ballsdeep.” Witness intimidation is a federal crime. The ETA responded by posting the following on its website: “On the 23rd of June 2010 the Federal Bureau of Investigation issued search warrants on ETA members. All their computers and electronic devices have been taken for forensic investigation…. We are not terrorists, we are freedom fighters and cyber protesting is not illegal.” Back in 2009, when McGraw was arrested, ETA members were hyper aware of how they could be next. When Nichols was asked if he was still in the ETA in an email from another member, he responded: “Right now admissal (sic) of any kind like that is certainly what some douchebag prosecutor would like. I cannot give you that answer when you ask me outright, however.” Nichols also said that he wiped his computers. Turns out he didn’t wipe them well enough, and can look forward to big time for his hacking crimes. It’s a message from the DOJ to the hacking community that it surely won’t ignore. Source: https://www.inverse.com/article/13891-hacker-faces-10-years-for-ddos-attacks-and-sex-toy-pranks-in-doj-crack

Read the article:
Hacker Faces 10 Years for DDoS Attacks and Sex Toy Pranks in DOJ Crackdown

Over half of companies feel investment in DDoS protection is justified

A quarter of all companies risk their business-critical systems due to a lack of anti-DDoS protection according to new research by Kaspersky Lab. It’s the kind of absence that can cause enterprises massive financial loss and reputational damage and, according to the research, more than half of companies feel that investing in protection against DDoS attacks is justified. About the same number of survey respondents from telecoms (82 percent) and finance (78 percent) think anti-DDoS protection is an important cyber-security requirement for infrastructure. Just shy of a quarter (24 percent) of respondents don’t use DDoS protection or only use it part of the time (41 percent). Only 34 percent of companies are fully protected against the threat. A majority of companies with no anti-DDoS protection are the ones attacked the most often such as media (36 percent), healthcare and education (both 31 percent). A quarter of companies stated that the stability of business-critical systems is a priority for their organisation, however only 15 percent plan to implement anti-DDoS protection in the near future. “It’s important to take DDoS attacks seriously as they can be just as damaging to a business as any other cyber-crime, especially if used as part of a bigger targeted attack. Organisations must understand that protection of the IT infrastructure requires a comprehensive approach and continuous monitoring, regardless of the company’s size or sphere of activity,” said Russ Madley, head of B2B at Kaspersky Lab. Source: http://www.scmagazineuk.com/over-half-of-companies-feel-investment-in-ddos-protection-is-justified/article/487567/

Novosti-Armenia and ARKA news agencies come Tuesday under heavy DDoS-attacks

The websites of Novosti-Armenia (newsarmenia.am) and ARKA (arka.am) news agencies came Tuesday under heavy DDoS-attacks, hampering access to these resources for half an hour. An inquiry found that the attacks were carried out from Russian IP addresses, but this does not mean that the order came from that country. The administrations of both websites have managed to eliminate the problem. DDoS attack is short for Distributed Denial of Service Attack. DDoS is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. There are two general forms of DoS attacks: those that crash services and those that flood services. The most serious attacks are distributed and in many or most cases involve forging of IP sender addresses so that the location of the attacking machines cannot easily be identified, nor can filtering be done based on the source address. Source: http://arka.am/en/news/technology/novosti_armenia_and_arka_news_agencies_come_tuesday_under_heavy_dddos_attacks/

Link:
Novosti-Armenia and ARKA news agencies come Tuesday under heavy DDoS-attacks

Hacker Redirects DDoS Attack to Israeli Intelligence Site

A hacker using the handle “The Jester” allegedly rerouted distributed denial-of-service (DDoS) attacks to hit the Israeli intelligence agency Mossad. The Jester became a high-profile hacker in 2010 when he claimed to have attacked the Wikileaks website. He also is known to attack websites affiliated with ISIS, Hamas, Anonymous and the Occupy movement. In a 2010 article, the New York Times claimed the Jester is a former military contractor who was involved with US special forces operations. The Jester’s website reportedly came under attack with DDoS attacks, which the hacker claims to have redirected against the Israeli intelligence service. He claims to have altered the IP address that his website was registered on to the Mossad address. “To the s***loads attacking my blog, I’ve pointed my domain to 147.237.0.71. Ur now hitting Israeli Intelligence Service (Mossad). Good luck,” the Jester, or th3j35t3r, wrote in an online post. The hacker said he redirected the traffic to Mossad’s IP address because “they can look after themselves perfectly well,” according to reports. Israel’s Information and Communications Technology Authority reportedly issued a statement that Mossad’s website did not encounter irregularities or down time. The Israeli intelligence service’s website remains online and functional, while the Jester’s site is offline at the time of this post. Source: http://www.batblue.com/hacker-redirects-ddos-attack-to-israeli-intelligence-site/

Finnish Defense Ministry Hit by DDoS Cyberattack

Finland’s Ministry of Defence (MoD) is reviewing its IT security infrastructure in the wake of a distributed denial of service (DDoS) attack on its main website. The attack was launched hours before Finnish President Sauli Niinistö met with Russian President Vladimir Putin in Moscow on March 22 to discuss regional security issues and the implementation of deeper cooperation on border defense. Initial investigations by the National Cyber Defense Center (NCDC) are examining the possibility that the cyberattack may have been launched from Russia to coincide with high-level, inter-government talks. Similar DDoS attacks launched against public and private organizations in Sweden in March had traced the servers to Russia. Niinistö met with US President Barack Obama in Washington on April 1. The meeting took place during the international Nuclear Security Summit hosted by the US president. Finland’s MoD confirmed that the sustained DDoS attack, which lasted more than three hours, was the second such cyberattack against its online IT infrastructure in 2016. The MoD responded by diverting traffic from its main site defmin.fi to a temporary site. The previous DDoS attack took place Feb. 27 and lasted nearly five hours. Other key government department websites, including finance, social affairs and health, agriculture and forestry, and the Council of State office, were targeted in simultaneous attacks. The timing of the latest DDoS attack is significant, coming as Finnish and US governments finalize plans connected to joint military exercises in Finland. Source: http://www.defensenews.com/story/defense/international/2016/04/04/finnish-defense-ministry-hit-ddos-cyberattack/82608438/

See original article:
Finnish Defense Ministry Hit by DDoS Cyberattack