DDoS attack Archives - Cyber Security News https://cybersecuritynews.com/tag/ddos-attack/ Mon, 21 Apr 2025 06:06:50 +0000

Record-breaking 5.6 Tbps DDoS Attack From 13,000 Mirai Hacked Devices https://cybersecuritynews.com/record-breaking-5-6-tbps-ddos-attack/ Wed, 22 Jan 2025 04:40:15 +0000

The post Record-breaking 5.6 Tbps DDoS Attack From 13,000 Mirai Hacked Devices appeared first on Cyber Security News.

Cloudflare recently thwarted the largest distributed denial-of-service (DDoS) attack ever recorded, peaking at an unprecedented 5.6 terabits per second (Tbps).

The attack, which occurred on October 29, 2024, targeted an Internet Service Provider (ISP) in Eastern Asia and was launched by a Mirai-variant botnet comprising over 13,000 compromised Internet of Things (IoT) devices.


This record-breaking assault lasted a mere 80 seconds but represented a significant leap in attack volume, surpassing previous records set earlier in the same year. In September, Cloudflare had mitigated a 3.8 Tbps attack, followed by a 4.2 Tbps attack in early October.


The attack’s brevity and intensity highlight a growing trend in DDoS tactics. Cloudflare reports that 91% of network layer DDoS attacks and 72% of HTTP DDoS attacks now conclude within ten minutes.

This shift towards short, intense bursts of traffic poses new challenges for cybersecurity teams, emphasizing the need for automated, always-on protection systems.


Throughout 2024, Cloudflare observed a dramatic surge in DDoS activity. The company’s autonomous defense systems mitigated approximately 21.3 million DDoS attacks, marking a 53% increase from the previous year. On average, Cloudflare blocked 4,870 DDoS attacks every hour.

The fourth quarter of 2024 saw a particularly alarming trend, with over 420 hyper-volumetric attacks exceeding rates of 1 billion packets per second (pps) and 1 Tbps. More concerning still, the number of attacks surpassing 1 Tbps grew by an astonishing 1,885% compared to the previous quarter.

In Q4 alone, Cloudflare mitigated 6.9 million DDoS attacks, representing a 16% increase quarter-over-quarter and an 83% surge year-over-year. Of these, 49% (3.4 million) were Layer 3/Layer 4 DDoS attacks, while 51% (3.5 million) were HTTP DDoS attacks.


The majority of HTTP DDoS attacks (73%) were launched by known botnets, with an additional 11% caught impersonating legitimate browsers. Another 10% contained suspicious or unusual HTTP attributes.

The attack traffic is also evolving in how it presents itself: thirteen of the user agents appearing most frequently in DDoS attacks were Chrome versions ranging from 118 to 129, indicating that attackers are attempting to blend in with regular browser traffic.

The record-breaking October attack was a UDP flood. A UDP flood does not exploit a flaw in the User Datagram Protocol; it simply pushes more datagrams at the target than its links and packet-processing path can absorb, which is why mitigation has to happen upstream, before the traffic reaches the victim. Despite its immense scale, Cloudflare’s autonomous defense systems detected and mitigated the attack without human intervention or service disruption.
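The combination of an 80-second burst and a UDP flood is exactly what the always-on, automated detection mentioned above has to catch. The following is an added example, not Cloudflare code: it buckets constructed flow records into one-second windows, flags any window whose bit rate or packet rate crosses a fixed threshold, and reports how long after the flood began the first alert fires. The thresholds, the sample flows and the scaled-down flood rate are this example's assumptions.

```python
"""Sliding-window detector for short volumetric floods (added example, not Cloudflare code)."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed thresholds for the protected link; in production these come from a
# measured baseline. A Tbps-class flood like the one above dwarfs them.
BPS_THRESHOLD = 10e9   # 10 Gbps
PPS_THRESHOLD = 2e6    # 2 Mpps


@dataclass(frozen=True)
class Flow:
    ts: float       # seconds since epoch; int(ts) is the one-second window key
    proto: str      # "udp", "tcp", ...
    packets: int
    bytes: int


def bucket_by_second(flows):
    """Aggregate packets and bytes per (second, protocol)."""
    buckets = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for f in flows:
        b = buckets[(int(f.ts), f.proto)]
        b["packets"] += f.packets
        b["bytes"] += f.bytes
    return buckets


def detect_bursts(flows, bps_threshold=BPS_THRESHOLD, pps_threshold=PPS_THRESHOLD):
    """Return [(second, proto, bits_per_s, packets_per_s)] for windows over a threshold, in time order."""
    alerts = []
    for (sec, proto), b in sorted(bucket_by_second(flows).items()):
        bps = b["bytes"] * 8    # one-second window, so bytes * 8 is already bits per second
        pps = b["packets"]
        if bps >= bps_threshold or pps >= pps_threshold:
            alerts.append((sec, proto, bps, pps))
    return alerts


def seconds_to_detect(flows, attack_start_ts, **thresholds):
    """Seconds between the first flood window and the first alert, or None if nothing alerted."""
    alerts = detect_bursts(flows, **thresholds)
    return alerts[0][0] - attack_start_ts if alerts else None


def build_sample_flows(start=1_730_000_000, attack_start=5, attack_len=80):
    """Constructed sample: 100 s of ~1 Gbps background with a UDP flood of attack_len seconds.

    The flood is scaled down from the 5.6 Tbps figure so the numbers stay readable;
    the detector itself is rate-agnostic.
    """
    flows = []
    for sec in range(100):
        ts = start + sec
        flows.append(Flow(ts, "tcp", packets=100_000, bytes=125_000_000))   # ~1 Gbps of normal traffic
        flows.append(Flow(ts, "udp", packets=20_000, bytes=10_000_000))     # ~80 Mbps of normal UDP
        if attack_start <= sec < attack_start + attack_len:
            # 1,400-byte datagrams at 5 Mpps: ~56 Gbps in this window
            flows.append(Flow(ts + 0.3, "udp", packets=5_000_000, bytes=7_000_000_000))
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    for sec, proto, bps, pps in detect_bursts(sample)[:3]:
        print(f"t={sec} {proto}: {bps / 1e9:.1f} Gbps, {pps / 1e6:.2f} Mpps")
    print("first alert", seconds_to_detect(sample, 1_730_000_005), "s after flood start")
```

The point of the one-second window is that detection time is bounded by the window, not by a human reading a graph: the first flood window is already an alert, so an 80-second burst is caught with 79 seconds of it still to mitigate. Real deployments feed sampled flow telemetry (sFlow/NetFlow) into the same shape of logic and tune the thresholds per prefix.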

As IoT devices proliferate and botnets become more powerful, organizations must remain vigilant and invest in robust, automated DDoS protection systems to safeguard their digital infrastructure against these evolving threats.


Internet Archive is Under DDoS Attack For Several Hours https://cybersecuritynews.com/internet-archive-under-ddos-attack/ Tue, 28 May 2024 03:03:21 +0000

The Internet Archive, a renowned non-profit digital library dedicated to preserving web content, experienced a significant Distributed Denial of Service (DDoS) attack on May 27, 2024.

This incident made most of its services temporarily unavailable, but the data was not affected.

The DDoS attack on the Internet Archive began in the early hours of May 27, 2024. The organization confirmed the attack via its social media channels, including X (formerly Twitter) and Mastodon, stating that while the data was secure, the majority of their services were disrupted.

The attack was described as a “back and forth battle” with the attackers, requiring continuous adjustments to mitigate the impact.


The immediate effect of the DDoS attack was the unavailability of the Internet Archive’s services, which include the Wayback Machine, a crucial tool for accessing archived web pages.

Users reported difficulties accessing the site and its resources, sparking frustration and concern within the digital preservation community.

Despite the disruption, the Internet Archive’s team worked actively to restore services and made significant progress within a few hours.

The attack on the Internet Archive drew widespread criticism and concern from various online communities. On platforms like Reddit and Hacker News, users expressed their dismay, likening the attack to “setting fire to a library.”

While this attack did not impact the Archive’s data, the temporary disruption of services underscores the fragility of even large, well-resourced online platforms in the face of determined bad actors.

The motives behind the attack remain speculative. Some suggest it could be an attempt to censor or destroy digital records, while others believe it might be a random act by individuals testing their capabilities.

This incident highlights the vulnerability of even well-established digital repositories to cyberattacks. The Internet Archive, which houses millions of historical documents and websites, is critical in preserving digital history.


CISA & FBI Released Guide to Respond for DDoS Attacks https://cybersecuritynews.com/cisa-fbi-released-guide-ddos-attacks/ Fri, 22 Mar 2024 11:40:53 +0000

The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), has released a comprehensive guide aimed at assisting federal, state, local, tribal, and territorial government entities in responding to Distributed Denial-of-Service (DDoS) attacks.

Understanding the Threat Landscape

DDoS attacks originate from multiple sources and can be particularly challenging to trace and block.

The guide provides an in-depth overview of the DoS and DDoS landscapes, detailing attack types, motivations, and potential impacts on government operations.

It emphasizes the importance of planning for emerging DDoS trends and technologies to better defend against malicious activity.


DoS vs. DDoS: What’s the Difference?


The guide clarifies the distinction between DoS and DDoS attacks.

A DoS attack typically involves a single source overwhelming a system with traffic, while a DDoS attack uses multiple sources, often coordinated through botnets, to amplify the disruption.

The distributed nature of DDoS attacks makes them more challenging to defend against.


Categorizing DDoS Attacks

DDoS attacks are categorized into three main types:

  1. Volume-Based Attacks: These aim to consume bandwidth or system resources by overwhelming the target with massive traffic.
  2. Protocol-Based Attacks: These exploit network protocol vulnerabilities to degrade performance or cause malfunctions, often targeting Layers 3 and 4 of the OSI model.
  3. Application Layer-Based Attacks: These attack specific applications or services, exploiting weaknesses to consume processing power or cause malfunctions. They focus on Layer 7 of the OSI model.

Proactive Steps Against DDoS Attacks

The guide outlines several proactive measures organizations can take to minimize the potential damage of a DDoS attack:

  • Conducting risk assessments
  • Implementing robust network monitoring
  • Analyzing traffic to establish a baseline
  • Integrating Captcha challenges
  • Developing a comprehensive incident response plan
  • Employing DDoS mitigation services
  • Planning for bandwidth capacity
  • Implementing load-balancing solutions
  • Configuring firewalls and updating systems
  • Ensuring redundancy and failover mechanisms
  • Training employees on cybersecurity awareness

Identifying a DDoS Attack

Recognizing a DDoS attack can be challenging.

The guide lists symptoms such as website unavailability, network congestion, unusual traffic patterns, server crashes, high resource utilization, and communication disruptions as potential indicators of an ongoing attack.

Potential Symptoms of a DDoS Attack
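The symptom list above and the three categories earlier in the guide fit together: each symptom is a metric departing from its baseline, and which metric moved tells you which category of attack you are facing and therefore which response (upstream filtering, state-table protection, or application-layer rate limiting) to reach for. The following is an added example, not from the guide: it learns a per-metric mean and standard deviation from constructed peacetime windows, flags later windows that exceed the baseline by more than a chosen number of standard deviations, and labels each hit volumetric, protocol or application. Metric names, the z-score limit and all sample values are this example's assumptions.

```python
"""Baseline-driven DDoS symptom detection with L3/L4/L7 categorisation (added example, not from the guide)."""
from statistics import mean, pstdev

Z_LIMIT = 4.0   # assumed: flag a metric more than 4 standard deviations above its peacetime mean

# metric -> the attack category a high value points to
CATEGORY = {
    "mbps": "volumetric",             # raw bandwidth consumed
    "half_open_ratio": "protocol",    # SYNs that never complete the handshake (SYN flood)
    "rst_ack_pps": "protocol",        # ACK/PSH/RST packets with no matching state (state-table floods)
    "http_rps": "application",        # Layer 7 request rate
    "http_5xx_ratio": "application",  # backend failing under request load
}


def learn_baseline(windows):
    """Per-metric (mean, stddev) from a list of peacetime counter dicts."""
    return {m: (mean(w[m] for w in windows), pstdev(w[m] for w in windows)) for m in CATEGORY}


def classify_window(window, baseline, z_limit=Z_LIMIT):
    """Return (set of flagged categories, per-metric z-scores) for one window."""
    hits, scores = set(), {}
    for metric, category in CATEGORY.items():
        mu, sigma = baseline[metric]
        z = (window[metric] - mu) / max(sigma, 1e-9)   # guard a perfectly flat baseline
        scores[metric] = round(z, 1)
        if z > z_limit:
            hits.add(category)
    return hits, scores


def detect(peacetime, live, z_limit=Z_LIMIT):
    """List of (window time, sorted categories, z-scores) for every anomalous live window."""
    baseline = learn_baseline(peacetime)
    out = []
    for w in live:
        hits, scores = classify_window(w, baseline, z_limit)
        if hits:
            out.append((w["t"], sorted(hits), scores))
    return out


def peacetime_windows(n=60):
    """Constructed one-minute peacetime counters with small deterministic jitter."""
    rows = []
    for i in range(n):
        j = (i % 5) - 2   # -2 .. 2
        rows.append({"t": i, "mbps": 800 + 10 * j, "half_open_ratio": 0.02 + 0.002 * j,
                     "rst_ack_pps": 500 + 20 * j, "http_rps": 3000 + 50 * j,
                     "http_5xx_ratio": 0.005 + 0.0005 * j})
    return rows


# Constructed live windows: a quiet minute, then one minute each of a bandwidth flood,
# a SYN plus ACK/RST flood, and an HTTP request flood.
LIVE = [
    {"t": 60, "mbps": 810, "half_open_ratio": 0.021, "rst_ack_pps": 510, "http_rps": 3050, "http_5xx_ratio": 0.005},
    {"t": 61, "mbps": 9500, "half_open_ratio": 0.020, "rst_ack_pps": 480, "http_rps": 3100, "http_5xx_ratio": 0.006},
    {"t": 62, "mbps": 820, "half_open_ratio": 0.63, "rst_ack_pps": 42000, "http_rps": 2900, "http_5xx_ratio": 0.005},
    {"t": 63, "mbps": 830, "half_open_ratio": 0.020, "rst_ack_pps": 520, "http_rps": 210000, "http_5xx_ratio": 0.41},
]

if __name__ == "__main__":
    for t, cats, scores in detect(peacetime_windows(), LIVE):
        print(f"minute {t}: {', '.join(cats)}  z={scores}")
```

Two practical notes. The baseline must be learned from windows you are confident were clean, and re-learned on a schedule, or a slow ramp-up of attack traffic becomes the new normal. And the per-category label is a hint, not a verdict: a large application-layer flood will eventually push bandwidth up too, so look at which metric moved first.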

Responding to a DDoS Incident

When an attack is identified, organizations are advised to:

  • Activate their incident response plan
  • Notify service providers
  • Gather evidence
  • Implement traffic filtering
  • Enable DDoS mitigation services
  • Scale up bandwidth and resources
  • Utilize CDN services
  • Maintain clear communication with stakeholders
  • Learn from the attack to improve future responses

Recovery and Reporting

Post-attack, organizations should assess the impact, restore services, perform a post-incident analysis, implement remediation measures, review security controls, update incident response plans, educate employees, enhance network monitoring, engage with law enforcement, and maintain transparent communication with stakeholders.

The joint guide released by CISA, FBI, and MS-ISAC is a critical resource for government agencies and organizations.

It provides them with the necessary tools and knowledge to effectively respond to and recover from DDoS attacks, ensuring the resilience and security of their operations in the face of evolving cyber threats.


Cloudflare Observed The Peak DDOS Attack of 201 Million HTTP Requests Per Second https://cybersecuritynews.com/ddos-attack-201-million-http-requests/ Fri, 27 Oct 2023 11:43:08 +0000

DDoS (Distributed Denial of Service) attacks are extremely destructive and alarming since they flood a target’s web services with overwhelming traffic.

This can disrupt or even completely disable:-

  • Websites
  • Servers
  • Networks

This can cause significant financial losses and reputational damage, and the disruption can also serve as cover for other malicious activity.

Recently, cybersecurity analysts at Cloudflare observed a DDoS attack peaking at 201 million HTTP requests per second.


With one of the world’s largest networks, Cloudflare handles vast data, serving 64 million HTTP requests per second and 2.3 billion DNS queries daily. 

Cloudflare prevents 140 billion cyber threats daily, offering valuable insights into DDoS trends. 

Attacks against Israeli websites using Cloudflare (Source – Cloudflare)

Lately, there’s been a rise in DDoS attacks against:-

  • Israeli media sites
  • Israeli financial sites
  • Israeli government sites
  • Palestinian websites

HTTP DDoS attacks target web properties such as mobile app back ends and e-commerce sites. HTTP/2 was designed for performance, and the same multiplexing that lets a browser issue many requests over one connection lets a bot do so too, which is what the campaign described below exploited.

An HTTP DDoS attack (Source – Cloudflare)

From late August 2023, Cloudflare and others faced a relentless DDoS campaign, exploiting the CVE-2023-44487 HTTP/2 Rapid Reset vulnerability. 

These attacks reached millions of requests per second, averaging 30M rps, with some hitting 201M rps.

Cloud-based botnets using HTTP/2 deliver up to 5,000 times more power per node, enabling hyper-volumetric DDoS attacks from botnets of only 5,000 to 20,000 nodes, far surpassing earlier IoT botnets with millions of nodes, the report reads.
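Rapid Reset works because a client can open a stream with a HEADERS frame and cancel it at once with RST_STREAM: the server has already started work on the request, yet the stream no longer counts against SETTINGS_MAX_CONCURRENT_STREAMS, so that limit alone does not help. The following is an added example, not Cloudflare's mitigation code: it walks a byte stream of HTTP/2 frames (constructed in the block; no TLS or HPACK decoding involved), counts client-opened streams and the RST_STREAM frames that cancel them, and flags a connection whose cancel ratio over a minimum number of streams exceeds a limit. The limits and the sample connections are this example's assumptions.

```python
"""Per-connection HTTP/2 Rapid Reset detector (added example, not Cloudflare code)."""
import struct

HEADERS, RST_STREAM = 0x1, 0x3
FLAG_END_STREAM, FLAG_END_HEADERS = 0x1, 0x4
ERR_CANCEL = 0x8

RST_RATIO_LIMIT = 0.5   # assumed: more than half of opened streams cancelled by the client
MIN_STREAMS = 20        # assumed: do not judge a connection on a handful of streams


def frame(ftype, flags, stream_id, payload=b""):
    """Encode one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame; stop at a truncated one."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break
        yield ftype, flags, stream_id, payload
        off += 9 + length


def rapid_reset_score(data):
    """Return (streams opened by the client, of those cancelled by RST_STREAM, cancel ratio)."""
    opened, cancelled = set(), set()
    for ftype, _flags, sid, payload in iter_frames(data):
        if ftype == HEADERS and sid % 2 == 1:        # odd ids are client-initiated streams
            opened.add(sid)
        elif ftype == RST_STREAM and sid in opened and len(payload) == 4:
            cancelled.add(sid)
    ratio = len(cancelled) / len(opened) if opened else 0.0
    return len(opened), len(cancelled), ratio


def is_rapid_reset(data, ratio_limit=RST_RATIO_LIMIT, min_streams=MIN_STREAMS):
    """True when the connection looks like a Rapid Reset client."""
    opened, _cancelled, ratio = rapid_reset_score(data)
    return opened >= min_streams and ratio > ratio_limit


def build_attack_connection(n=100):
    """Constructed attacker: open a stream, cancel it immediately, repeat n times."""
    out = b""
    for i in range(n):
        sid = 2 * i + 1
        out += frame(HEADERS, FLAG_END_STREAM | FLAG_END_HEADERS, sid, b"\x82")   # HPACK ':method: GET'
        out += frame(RST_STREAM, 0, sid, struct.pack(">I", ERR_CANCEL))
    return out


def build_normal_connection(n=100):
    """Constructed legitimate client: n requests, one in 25 cancelled (e.g. user navigated away)."""
    out = b""
    for i in range(n):
        sid = 2 * i + 1
        out += frame(HEADERS, FLAG_END_STREAM | FLAG_END_HEADERS, sid, b"\x82")
        if i % 25 == 0:
            out += frame(RST_STREAM, 0, sid, struct.pack(">I", ERR_CANCEL))
    return out


if __name__ == "__main__":
    for name, conn in (("attacker", build_attack_connection()), ("browser", build_normal_connection())):
        print(name, rapid_reset_score(conn), "rapid reset" if is_rapid_reset(conn) else "ok")
```

The score is per connection and per time window, so the natural response is to close the offending connection (GOAWAY) rather than block an IP, since a reverse proxy or NAT in front of real users would share that address. The minimum-stream floor exists because a browser abandoning a page legitimately cancels a few streams; the ratio only means something over a burst.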

Over the two months of the campaign, the targets broke down as follows:-

  • 19% of attacks hit Cloudflare infrastructure
  • 18% targeted gaming companies
  • 10% went after recognized VoIP providers

The attack campaign caused a 65% QoQ increase in HTTP DDoS attacks, totaling 8.9 trillion requests mitigated by Cloudflare. L3/4 attacks also increased by 14%, driven by large volumetric attacks, with the largest reaching 2.6 Tbps, launched by a variant of Mirai botnet.

Top HTTP DDoS Attack Sources

Here below, we have mentioned all the top HTTP DDoS attack sources:-

  • United States with 15.78%
  • China with 12.62%
  • Brazil with 8.74%
  • Germany with 7.52%
  • Indonesia with 5.36%
  • Argentina, with 3.04%
  • Russian Federation with 2.73%
  • India with 2.48%
  • Egypt with 2.33%
  • Netherlands with 2.26%

Top Attacked Industries

Here below, we have mentioned all the top attacked industries:-

  • Gaming & Gambling with 5.41%
  • Information Technology and Internet with 4.38%
  • Cryptocurrency with 3.43%
  • Computer Software with 2.16%
  • Telecommunications with 1.58%
  • Marketing & Advertising with 1.43%
  • Retail with 1.36%
  • BFSI with 0.33%
  • Hospitality with 0.20%
  • Online Media with 0.18%

Cloudflare customers that front their web properties with its HTTP reverse proxy (CDN/WAF) are already shielded from HTTP DDoS attacks. Everyone else, including customers of non-HTTP services and organizations not using Cloudflare, should put automated HTTP DDoS protection in place.


Massive DDoS Attacks at 633.7 Gbps Combining ACK, PUSH, RESET, and SYN Packets https://cybersecuritynews.com/massive-ddos-attack/ Fri, 15 Sep 2023 05:42:30 +0000

DDoS attacks evolve with changing technology and attacker motivations, and recent cases have brought significant damages and legal consequences.

Recently, Akamai’s Prolexic DDoS defense platform mitigated the largest DDoS attack it has recorded against a major U.S. financial institution’s platform, peaking at 633.7 Gbps and 55.1 Mpps.

Security analysts at Akamai reported that the attack lasted less than two minutes and that the threat actors combined the following TCP flood vectors:-

  • ACK
  • PUSH
  • RESET
  • SYN

Prolexic’s DDoS protection shield platform prevented several record-breaking attacks in Europe and Asia-Pacific, including a 704.8 Mpps spike in September 2022 and a 900.1 Gbps surge in February 2023.


Malicious Traffic source

Here below, we have mentioned the top malicious traffic sources:-

  • Bulgaria
  • Brazil
  • China
  • India
  • United States
  • Thailand
  • Russia
  • Ukraine
  • Vietnam
  • Japan
Distribution of peacetime traffic and attack traffic (Source – Akamai)

During the attack, U.S. traffic surged to over twice its usual volume. DDoS attacks, cheap to launch and easy to aim, also serve as smokescreens for triple-extortion ransomware campaigns against financial institutions, where disruption can ripple through an entire economy.


Attack Analysis

Financial services’ share of DDoS attacks, historically 10-15%, has exceeded 30% since 2021, a significant shift away from the sectors that previously absorbed most attacks:-

  • Software
  • Tech
  • Gaming
  • Media
  • Entertainment
  • Internet
  • Telecom

Besides this, a surge in deeper reconnaissance threats and attacks on vulnerable assets was noted by the security researchers at Akamai. 

However, this attack differed from the usual pattern: the threat actors directly targeted the primary web page of a major US-based financial institution, aiming to disrupt online banking.

Akamai confirmed there was no collateral damage, crediting proactive defense and its global command center working with the customer. In today’s high-risk environment, a solid DDoS strategy is essential.

Recommendations

Here below, we have mentioned all the recommendations provided by the Akamai:-

  • Make sure to adopt CISA recommendations promptly.
  • Check all the key subnets and IPs for effective mitigation controls.
  • Establish continuous DDoS security controls as your initial defense layer.
  • Enhance security with advanced network cloud firewall beyond basic DDoS protection.
  • Form a proactive crisis team and keep incident plans and runbooks up to date.


Junos OS Flaw Allows a Network-based Attacker to Launch DoS Attack https://cybersecuritynews.com/junos-os-flaw-dos-attack/ Fri, 01 Sep 2023 11:53:51 +0000

Junos OS and Junos OS Evolved have been found to be vulnerable to a DoS (Denial of Service) condition, which an unauthenticated, network-based attacker can exploit.

Juniper Networks has addressed this vulnerability in its security advisory, which also describes workarounds.

Junos OS Evolved and Junos OS are built on the Linux and FreeBSD kernels respectively, and both run BGP, the protocol that exchanges routing information between large networks and the wider internet.

Separately, at the end of August a pre-authentication RCE affecting Junos was reported and additional proof-of-concept details were published; Juniper Networks has released patches for that issue as well.

However, Juniper Networks has released patches for fixing this vulnerability.

CVE-2023-4481: DoS (Denial of Service) in Routing Protocol Daemon

An affected device terminates an established BGP session when it receives an UPDATE message that triggers an UPDATE message error. A threat actor can craft such an UPDATE, and because the message is propagated unchanged by unaffected intermediate BGP speakers, the attacker does not need to peer directly with the affected device.

An attacker can continuously send this BGP UPDATE message which will result in a Denial of Service condition on affected devices. However, there are prerequisites for a remote attacker, including at least one established BGP session. 

This issue affects both IPv4 and IPv6 implementations of eBGP (external BGP) and iBGP (internal BGP). The vulnerability has been assigned a CVSS score of 7.5 (High).

Remediation & Workaround

Products affected by this vulnerability include Junos OS prior to 23.4R1 and Junos OS Evolved prior to 23.4R1-EVO. Users of these products are advised to upgrade to Junos OS 23.4R1 or later and Junos OS Evolved 23.4R1-EVO or later.

As a workaround, Juniper recommends configuring BGP error tolerance (the bgp-error-tolerance statement under [edit protocols bgp]), which makes the router treat a malformed UPDATE as a withdrawal of the affected routes rather than tearing down the session.
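What error tolerance changes is the error-handling path, not the parser. The following is an added example, not Juniper code: it parses a BGP UPDATE per RFC 4271, checks each path attribute's declared length against the bytes actually present, and either resets the session (strict handling, RFC 4271 section 6.3) or treats the UPDATE's prefixes as withdrawn and keeps the session up (RFC 7606 treat-as-withdraw). The malformed UPDATE it builds is a constructed one with an over-long attribute length; the advisory does not say which attribute or field triggers the real issue, so this is not a reproduction of CVE-2023-4481.

```python
"""Strict vs. error-tolerant handling of a malformed BGP UPDATE (added example, not Juniper code)."""
import struct

BGP_UPDATE = 2
ATTR_FLAG_EXT_LEN = 0x10
ORIGIN, AS_PATH, NEXT_HOP = 1, 2, 3


class SessionReset(Exception):
    """Strict handling (RFC 4271 6.3): send NOTIFICATION and close the whole session."""


def parse_prefixes(buf):
    """Decode <prefix length in bits><prefix octets>... into 'a.b.c.d/n' strings."""
    out, off = [], 0
    while off < len(buf):
        bits = buf[off]
        nbytes = (bits + 7) // 8
        octets = buf[off + 1:off + 1 + nbytes]
        if len(octets) < nbytes:
            raise ValueError("truncated NLRI")
        out.append(".".join(str(b) for b in octets.ljust(4, b"\x00")) + f"/{bits}")
        off += 1 + nbytes
    return out


def parse_attributes(buf):
    """Yield (flags, type_code, value); raise ValueError when a declared length runs past the data."""
    off = 0
    while off < len(buf):
        if off + 3 > len(buf):
            raise ValueError("truncated attribute header")
        flags, code = buf[off], buf[off + 1]
        if flags & ATTR_FLAG_EXT_LEN:
            if off + 4 > len(buf):
                raise ValueError("truncated extended length")
            length, off = struct.unpack(">H", buf[off + 2:off + 4])[0], off + 4
        else:
            length, off = buf[off + 2], off + 3
        value = buf[off:off + length]
        if len(value) < length:
            raise ValueError(f"attribute type {code} declares {length} bytes, only {len(value)} present")
        yield flags, code, value
        off += length


def handle_update(msg, error_tolerance=False):
    """Return ("accept", nlri) or ("withdraw", nlri); raise SessionReset in strict mode."""
    if len(msg) < 23 or msg[:16] != b"\xff" * 16:
        raise SessionReset("bad marker or short message")
    length, mtype = struct.unpack(">HB", msg[16:19])
    if mtype != BGP_UPDATE or length != len(msg):
        raise SessionReset("bad header")
    body = msg[19:]
    wlen = struct.unpack(">H", body[:2])[0]
    alen = struct.unpack(">H", body[2 + wlen:4 + wlen])[0]
    attrs = body[4 + wlen:4 + wlen + alen]
    nlri = parse_prefixes(body[4 + wlen + alen:])
    try:
        list(parse_attributes(attrs))          # validate every attribute before installing anything
    except ValueError as err:
        if not error_tolerance:
            raise SessionReset(str(err)) from err
        return "withdraw", nlri                # RFC 7606: drop these routes, keep the session
    return "accept", nlri


def session_survives(msg, error_tolerance):
    """True if the session stays up after processing msg in the given mode."""
    try:
        handle_update(msg, error_tolerance)
        return True
    except SessionReset:
        return False


def build_update(prefixes, attr_bytes):
    """Assemble an UPDATE with no withdrawn routes, the given raw path attributes, and IPv4 NLRI."""
    nlri = b""
    for p in prefixes:
        addr, bits = p.split("/")
        nlri += bytes([int(bits)]) + bytes(int(x) for x in addr.split("."))[:(int(bits) + 7) // 8]
    body = struct.pack(">HH", 0, len(attr_bytes)) + attr_bytes + nlri
    return b"\xff" * 16 + struct.pack(">HB", 19 + len(body), BGP_UPDATE) + body


# Well-formed attributes: ORIGIN=IGP, AS_PATH (one AS_SEQUENCE holding 4-octet AS 65001), NEXT_HOP.
GOOD_ATTRS = (bytes([0x40, ORIGIN, 1, 0])
              + bytes([0x40, AS_PATH, 6, 2, 1]) + struct.pack(">I", 65001)
              + bytes([0x40, NEXT_HOP, 4, 192, 0, 2, 1]))
# Constructed malformation (not the advisory's trigger): NEXT_HOP declares 200 bytes, only 4 follow.
BAD_ATTRS = bytes([0x40, ORIGIN, 1, 0]) + bytes([0x40, NEXT_HOP, 200, 192, 0, 2, 1])
```

The difference matters because a session reset withdraws every route learned over that session and triggers a full re-advertisement when it comes back, which is the amplifier the attacker relies on; treat-as-withdraw contains the damage to the prefixes in the bad UPDATE. RFC 7606 still requires a session reset for some errors (for example a malformed UPDATE length), so error tolerance narrows the attack surface rather than removing it, and the advisory's patch remains the fix.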


18-Year-Old Charged for Hacking Into 60,000 Users’ Accounts https://cybersecuritynews.com/teenager-hacked-60000-users-account/ Mon, 22 May 2023 11:45:06 +0000

An 18-year-old Wisconsin teenager has been accused by federal authorities of a cyberattack that compromised 60,000 user accounts at the sports betting website DraftKings last year.

A “credential stuffing attack” was allegedly planned by Joseph Garrison to steal money from DraftKings user accounts.

U.S. Attorney Damian Williams said: “As alleged, Garrison used a credential stuffing attack to hack into the accounts of tens of thousands of victims and steal hundreds of thousands of dollars.  Today, thanks to the work of my Office and the FBI, Garrison learned that you shouldn’t bet on getting away with fraud.”

During a credential stuffing attack, a cyber threat actor gathers stolen credentials, or username and password pairs, obtained from other significant data breaches of other firms, which are available for purchase on the dark web.  

“The threat actor then systematically attempts to use those stolen credentials to obtain unauthorized access to accounts held by the same user with other companies and providers to compromise accounts where the user has maintained the same password.”, DOJ reported.

In this case, there were numerous attempts to log into the accounts of the betting website using a vast list of stolen credentials in connection with the attack on the betting website.

Through the credential stuffing attack, Garrison and others were able to access almost 60,000 accounts on the betting website (the “Victim Accounts”).

The individuals who gained unauthorized access to the victim accounts were able to add a new payment method to the account, deposit $5 into it to verify it, and then withdraw all of the account’s funds using the new payment method (i.e., to a newly added financial account belonging to the hacker), stealing the victim account’s funds. 

Garrison and others used this technique to steal over $600,000 from 1,600 victim accounts.


Police Carried Out An Investigation

Law enforcement found almost 700 “config” files for dozens of corporate websites on Garrison’s computer. Credential-stuffing tools need a site-specific config file that tells them how to submit login attempts to a given target and how to tell a successful login from a failed one.

Law enforcement also found files on Garrison’s computer containing approximately 40 million username and password pairs, the raw material of a credential-stuffing attack.
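From the defender's side, both halves of this scheme leave a trace in the logs: the stuffing tool itself, and the cash-out that follows a hit. The following is an added example, not DraftKings' or the DOJ's code, run over constructed log records. The first check works per source IP on the login stream: a tool cycling through a leaked list shows many distinct usernames from one source with a low success rate. The second works per account: a login from a source the account has never used, followed by a new payout method, a small verification deposit and a withdrawal of nearly the whole balance within a short window. Field names, thresholds, balances and login history are this example's assumptions.

```python
"""Two detections for credential stuffing and the cash-out that follows (added example, not DraftKings code)."""
from collections import defaultdict


def stuffing_sources(events, min_users=20, max_success_ratio=0.2):
    """Source IPs whose login attempts span many usernames with a low success rate."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0})
    for e in events:
        if e["event"] in ("login_ok", "login_fail"):
            s = per_ip[e["ip"]]
            s["users"].add(e["user"])
            s["attempts"] += 1
            s["ok"] += e["event"] == "login_ok"
    return sorted(ip for ip, s in per_ip.items()
                  if len(s["users"]) >= min_users and s["ok"] / s["attempts"] <= max_success_ratio)


def cashout_accounts(events, balances, known_ips, window=900, verify_max=10.0, drain_ratio=0.9):
    """Accounts showing: login from a never-seen IP -> add_payment -> small deposit -> near-full withdrawal."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    flagged = set()
    for user, evs in by_user.items():
        seen = set(known_ips.get(user, ()))
        state, t0 = None, 0          # None -> "new_ip" -> "payment" -> "verified"
        for e in evs:
            if e["event"] == "login_ok":
                state, t0 = ("new_ip", e["ts"]) if e["ip"] not in seen else (None, 0)
                seen.add(e["ip"])
                continue
            if state and e["ts"] - t0 > window:
                state = None         # sequence took too long to be the scripted cash-out
            if state == "new_ip" and e["event"] == "add_payment":
                state = "payment"
            elif state == "payment" and e["event"] == "deposit" and e["amount"] <= verify_max:
                state = "verified"
            elif state == "verified" and e["event"] == "withdraw" and e["amount"] >= drain_ratio * balances[user]:
                flagged.add(user)
                state = None
    return sorted(flagged)


def build_events():
    """Constructed sample: one stuffing source, one legitimate user session, one drained account."""
    attacker, home = "198.51.100.7", "203.0.113.5"
    ev = []
    for i in range(50):                                   # 50 leaked pairs tried, 3 still valid
        ok = i in (3, 17, 41)
        ev.append({"ts": 1700000000 + i, "user": f"user{i}", "ip": attacker,
                   "event": "login_ok" if ok else "login_fail", "amount": 0.0})
    ev += [  # user3's real owner logs in from home (one typo first) and makes an ordinary deposit
        {"ts": 1700000100, "user": "user3", "ip": home, "event": "login_fail", "amount": 0.0},
        {"ts": 1700000105, "user": "user3", "ip": home, "event": "login_ok", "amount": 0.0},
        {"ts": 1700000110, "user": "user3", "ip": home, "event": "deposit", "amount": 50.0},
    ]
    ev += [  # cash-out on user17 from the attacker's address: payout method, $5 check, drain
        {"ts": 1700000017 + 60, "user": "user17", "ip": attacker, "event": "add_payment", "amount": 0.0},
        {"ts": 1700000017 + 120, "user": "user17", "ip": attacker, "event": "deposit", "amount": 5.0},
        {"ts": 1700000017 + 300, "user": "user17", "ip": attacker, "event": "withdraw", "amount": 1195.0},
    ]
    return ev


BALANCES = {f"user{i}": 1200.0 for i in range(50)}           # constructed balances before the attack
KNOWN_IPS = {f"user{i}": {"203.0.113.5"} for i in range(50)}  # constructed history: home address only

if __name__ == "__main__":
    events = build_events()
    print("stuffing sources:", stuffing_sources(events))
    print("drained accounts:", cashout_accounts(events, BALANCES, KNOWN_IPS))
```

The two checks are deliberately independent: a stuffing tool run through a residential proxy pool defeats the per-IP count, but not the account-side sequence, while an attacker who spreads the cash-out over days defeats the window but still shows up as a source cycling through thousands of usernames. In production the account-side check is a good candidate for a step-up (re-verify the new payout method) rather than a block, since a real customer changing banks follows a similar path.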

Additional information implicating the defendant in the November 2022 credential attempt on the betting platform was discovered while reviewing Garrison’s phone, including conversations with co-conspirators about hacking the website.

During one of these conversations, Garrison also stated that he didn’t think law authorities would be able to catch him or bring charges against him because “fraud is fun. I’m addicted to seeing money in my account. I’m like obsessed with bypassing shit.”

Garrison also formerly managed a website called “Goat Shop,” where he sold user accounts that had been compromised. At its height, this site brought him $15,000 every day.

The FBI’s criminal complaints noted that Wisconsin police interviewed Garrison in June 2022, when he would have been a minor, suggesting that he was compelled to close the business.

He may spend decades behind bars if convicted of the accusations, which include conspiring to hack computers and committing wire fraud.


SLP Protocol Vulnerability Lets Attackers Launch Powerful 2,200x DDoS Attack https://cybersecuritynews.com/slp-protocol-vulnerability-launch-ddos/ Thu, 27 Apr 2023 11:04:08 +0000

The Service Location Protocol (SLP) has been found to have a new reflective Denial-of-Service (DoS) amplification vulnerability. 

Threat actors can exploit this vulnerability to execute extensive DDoS attacks with a staggering amplification of 2,200X.

Researchers at BitSight and Curesec, who track the vulnerability as CVE-2023-29552, found around 54,000 internet-exposed SLP instances belonging to more than 2,000 organizations that attackers could use as reflectors for DDoS amplification. The countries with the most vulnerable instances are listed below:-

Vulnerable SLP Instances

Here below, we have mentioned all the countries with the most vulnerable instances:-

  • The United States
  • Great Britain
  • Japan
  • Germany
  • Canada
  • France
  • Italy
  • Brazil
  • The Netherlands
  • Spain

Notably, several Fortune 1000 companies are running vulnerable instances, in sectors including:-

  • Technology
  • Telecommunications
  • Healthcare
  • Insurance
  • Finance
  • Hospitality
  • Transportation

Technical Analysis

SLP, introduced in 1997, lets devices on a LAN advertise and discover services; it listens on port 427 over both UDP and TCP.

It was never designed to be reachable from the public internet, yet over the years organizations have exposed it on tens of thousands of devices, the report says.

CVE-2023-29552 carries a CVSS score of 8.6.

Threat actors can exploit all these vulnerable instances to conduct reflective DoS amplification attacks against targeted entities.

On the successful exploitation of the vulnerability, unauthenticated attackers can manipulate the SLP server by registering arbitrary services.

This enables them to modify the content and size of the server’s response and achieve a massive DoS amplification attack.

Moreover, CISA has reached out to notify vulnerable vendors about the severity of the flaw. DoS attacks cost SMBs an average of $120,000, and larger businesses face even more significant financial losses due to higher disruption expenses.

Typical and Reflective DoS Amplification Attack

Here below, we have mentioned the key steps involved in a typical reflective DoS amplification attack:-

  • Step 1: The attacker finds an SLP server on UDP port 427.
  • Step 2: The attacker spoofs a request to that service with the victim’s IP as the origin.
  • Step 3: The attacker repeats step two as long as the attack is ongoing.

Here below, we have mentioned the steps involved in a reflective DoS amplification attack leveraging CVE-2023-29552; the extra registration step is what raises the amplification factor:-

  • Step 1: The attacker finds an SLP server on UDP port 427.
  • Step 2: The attacker registers services until SLP denies more entries.
  • Step 3: The attacker spoofs a request to that service with the victim’s IP as the origin.
  • Step 4: The attacker repeats step three as long as the attack is ongoing.

Threat actors could coordinate an attack across multiple SLP instances, flooding their targets with enormous volumes of traffic.
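Both attack sequences above hinge on traffic to and from UDP port 427, so a network defender can watch for them directly. The following Python is an added example, not code from the article or from the researchers it cites: it decodes the SLPv2 header (RFC 2608), flags service registrations that arrive from outside the local network (the CVE-2023-29552 abuse pattern, where an outsider inflates the server's service list) and measures the reply-to-request byte ratio per peer to spot reflection. The trusted prefix 10.0.0.0/8, the server address 10.0.0.1, the sample datagrams and the 10x alert threshold are constructed assumptions.

```python
"""Defender-side checks for SLP abuse on UDP port 427.

Added example, not code from the article or from the researchers it cites.
The trusted LAN prefix, the server address and the sample datagrams are
constructed assumptions for the demonstration.
"""
import ipaddress
import struct
from collections import defaultdict

# SLPv2 function IDs (RFC 2608, section 8)
SLP_FUNCTIONS = {
    1: "SrvRqst", 2: "SrvRply", 3: "SrvReg", 4: "SrvDeReg", 5: "SrvAck",
    6: "AttrRqst", 7: "AttrRply", 8: "DAAdvert", 9: "SrvTypeRqst",
    10: "SrvTypeRply", 11: "SAAdvert",
}
SLP_PORT = 427
HEADER_FIXED = 14                                   # bytes before the language tag
TRUSTED_LAN = ipaddress.ip_network("10.0.0.0/8")    # assumption: the site's internal prefix


def parse_slp_header(payload: bytes) -> dict:
    """Decode the SLPv2 header; raise ValueError if it is malformed."""
    if len(payload) < HEADER_FIXED:
        raise ValueError("short SLP packet")
    version, func = payload[0], payload[1]
    length = int.from_bytes(payload[2:5], "big")    # 24-bit total message length
    flags = int.from_bytes(payload[5:7], "big")     # bit 15 = Overflow, 14 = Fresh, 13 = Mcast
    xid = int.from_bytes(payload[10:12], "big")
    lang_len = int.from_bytes(payload[12:14], "big")
    if version != 2 or length != len(payload) or HEADER_FIXED + lang_len > len(payload):
        raise ValueError("inconsistent SLP header")
    lang = payload[HEADER_FIXED:HEADER_FIXED + lang_len].decode("ascii", "replace")
    return {"version": version, "function": SLP_FUNCTIONS.get(func, f"unknown({func})"),
            "length": length, "overflow": bool(flags & 0x8000), "xid": xid, "lang": lang}


def build_slp(func: int, xid: int, body: bytes, lang: bytes = b"en") -> bytes:
    """Assemble a well-formed SLPv2 message (used here only to construct sample traffic)."""
    total = HEADER_FIXED + len(lang) + len(body)
    return (bytes([2, func]) + total.to_bytes(3, "big") + b"\x00\x00" + b"\x00\x00\x00"
            + struct.pack(">HH", xid, len(lang)) + lang + body)


def audit_slp_traffic(flows, server_ip="10.0.0.1", lan=TRUSTED_LAN, amp_threshold=10.0):
    """flows: (src_ip, src_port, dst_ip, dst_port, payload) UDP datagrams seen at the
    perimeter for one SLP server. Returns a list of findings."""
    findings = []
    bytes_in = defaultdict(int)     # bytes each peer sent to the server
    bytes_out = defaultdict(int)    # bytes the server sent back to each peer
    for src, sport, dst, dport, payload in flows:
        try:
            hdr = parse_slp_header(payload)
        except ValueError as exc:
            findings.append({"type": "malformed", "peer": src, "detail": str(exc)})
            continue
        if dst == server_ip and dport == SLP_PORT:
            bytes_in[src] += len(payload)
            # Registrations are only legitimate from the LAN; an off-LAN SrvReg is the
            # CVE-2023-29552 pattern in which an attacker inflates the service list.
            if hdr["function"] in ("SrvReg", "SrvDeReg") and ipaddress.ip_address(src) not in lan:
                findings.append({"type": "external_registration", "peer": src, "xid": hdr["xid"]})
        elif src == server_ip and sport == SLP_PORT:
            bytes_out[dst] += len(payload)
    # Reflection shows up as far more bytes leaving the server than arriving, per peer.
    for peer, out in bytes_out.items():
        inp = bytes_in.get(peer, 0)
        ratio = out / inp if inp else float("inf")
        if ratio >= amp_threshold:
            findings.append({"type": "amplification", "peer": peer,
                             "bytes_in": inp, "bytes_out": out, "ratio": ratio})
    return findings


def sample_flows():
    """Constructed traffic: a LAN registration, an off-LAN registration, and a tiny
    request answered by a large reply (the reflection case)."""
    reg_body = b"\x00" * 80      # stand-in for URL entry, service type, scope and attributes
    rqst_body = b"\x00\x00" + b"\x00\x07service" + b"\x00\x00" * 3   # empty PRList, scope, predicate, SPI
    big_reply = b"\x00" * 1400   # stand-in for a long list of URL entries
    return [
        ("10.0.5.20", 40000, "10.0.0.1", SLP_PORT, build_slp(3, 1, reg_body)),         # LAN SrvReg: fine
        ("10.0.0.1", SLP_PORT, "10.0.5.20", 40000, build_slp(5, 1, b"\x00\x00")),      # SrvAck back to it
        ("203.0.113.7", 40001, "10.0.0.1", SLP_PORT, build_slp(3, 2, reg_body)),       # off-LAN SrvReg
        ("198.51.100.9", SLP_PORT, "10.0.0.1", SLP_PORT, build_slp(1, 3, rqst_body)),  # 33-byte request
        ("10.0.0.1", SLP_PORT, "198.51.100.9", SLP_PORT, build_slp(2, 3, big_reply)),  # 1416-byte reply
    ]


if __name__ == "__main__":
    for finding in audit_slp_traffic(sample_flows()):
        print(finding)
```

Run against a real capture, the same ratio check also tells you how much amplification your own exposed server would offer a reflector, which is the number that decides whether port 427 must be filtered at the edge rather than merely monitored.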

Recommendation

The following recommendations should be followed to protect your organization's assets from potential exploitation:-

  • Disable SLP on systems that are exposed to the internet.
  • Configure a firewall to filter traffic on UDP and TCP port 427.
  • Have an incident response plan in place.
  • Implement robust security measures and access controls.


The post SLP Protocol Vulnerability Lets Attackers Launch Powerful 2,200x DDoS Attack appeared first on Cyber Security News.

Why DDoS Attacks Use IoT Devices as Weapons? https://cybersecuritynews.com/ddos-attacks-use-iot-devices/ Wed, 18 Jan 2023 13:51:32 +0000
Indusface saw a 74% increase in the number of websites that experienced DDoS attacks from Q3 to Q4 of 2022.

The frequency and scale of DDoS attacks have increased. Attackers are using more sophisticated methods to evade detection and mitigation.

One of the factors contributing to the increase in DDoS attacks is the rise of IoT devices. They made it easier for attackers to create large DDoS botnets to launch devastating attacks.

A massive DDoS attack against the DNS provider Dyn caused widespread disruption to internet services, including major websites such as Twitter, Reddit, and Netflix.

The source of the attack was the Mirai botnet, a botnet of compromised IoT devices.

What Makes IoT Devices so Attractive to Threat Actors?

IoT Devices Are Difficult to Secure

Most importantly, IoT devices are often less secure than traditional computing devices and can be easily compromised by attackers. Users remain mostly unaware of the risks, so they do not realize how important firmware updates and security infrastructure are, and may not implement any.

A company can be home to a significant number of IoT devices, and the more of them that are unsecured, the more hackers can potentially take advantage of them.

Another challenge in IoT security is that not all IoT devices feature a user interface that makes it easy for users to update and secure their technology.

Insecure passwords (or a complete lack thereof), inability to patch firmware, and leaks in the authentication and data transfer ecosystem can also be problematic.

All these factors, taken together, make IoT a target for cybercrime.

Are IoT Botnets Growing?

IoT devices are growing in popularity. Exploding Topics says there are over 13 billion connected IoT devices worldwide. Further, they expect the usage to surpass 25.4 billion by 2030.

For reasons we’ve explored, IoT devices are targets for malware. Having infected devices, cybercriminals can control botnets remotely. They can even launch attacks anonymously, as origins are harder to trace. Attacks can also be launched without any knowledge of the device’s owner.

What Are Hackers After?

DDoS attacks using IoT devices make it possible for threat actors to take down websites and cause an interruption in service.

Cybercriminals are motivated by different factors, depending on the attack and its scope. But whether it’s sabotaging competitive companies or rendering services inaccessible, the intention behind an attack is rarely benign. It often involves extortion.

IoT Worlds says:

“Some botnets are used to steal people’s personal information, like their credit card numbers or login credentials. Others are used to send spam or launch attacks against websites. Still, others are used to mine cryptocurrency without the owner’s knowledge. No matter their purpose, all botnets rely on a network of infected computers, called ‘bots,’ to do their bidding.”

DDoS Attack Using IoT Devices: Where Do They Originate?

A recent report has shown that China is now the main source of HTTP DDoS attack traffic, beating out the U.S. as the primary source. Attacks from China-registered IP addresses increased by 29% year over year and 19% quarter over quarter.

India was found to be the second largest source of HTTP DDoS attack traffic, with an increase of 61% year over year. The U.S. and Brazil are close on their heels.

Filip TRUȚĂ of Bitdefender says:

“The use of IoT devices in synchronized attacks is growing globally, with China listed as the top host country for DDoS weapons, followed at a distance by the United States.”

What are the impacts of DDoS attacks?

  • Reputational harm. All it takes is one attack on one customer for your business to gain a less-than-pristine reputation. Once your reputation has been compromised, it’s hard to rebuild. This can cost you clients, revenue, and time.
  • Lost business. Regardless of industry, there are worthwhile alternatives. If your website is down, then it’s not unlikely your prospects will find another solution and purchase it instead. To facilitate customer loyalty, you must protect against DDoS attacks.
  • Financial costs. Beyond lost customers and money invested in rebuilding infrastructures, you can also lose data, company assets, and other resources in a DDoS attack.
  • Security infrastructure. After a DDoS attack, you must diagnose and identify all potential vulnerabilities. There are also costs associated with equipment and labor.

Do I Need a DDoS Protection Solution?

There are a few basic things everyone can do to ensure better protection:

  • Keep your devices updated: Ensure that your IoT devices are running the latest software and firmware updates, as these often include security patches.
  • Segment your network: Segmentation can help limit the damage a DDoS attack can cause by isolating affected devices.
  • Monitor your network: Regularly monitoring your network can help you to detect and respond to a DDoS attack quickly before it becomes a major issue.
  • Use strong and unique credentials: Use strong and unique credentials for all IoT devices and change default usernames and passwords.
  • Limit the number of inbound connections: Limit the number of inbound connections to your IoT devices to reduce the attack surface.
  • Train employees: Train your employees to recognize and report suspicious activity, such as phishing emails and unexpected network traffic.
  • Have an incident response plan in place: It is essential for quickly responding to and recovering from a DDoS attack.

But this may not be enough. If you want to stay in business, you can no longer ignore the need for a DDoS protection solution. It’s the cost of doing business in the modern age.

A managed solution is vital to deal with DDoS attacks. A multi-layered DDoS mitigation solution identifies and blocks malicious traffic while allowing legitimate traffic to pass through. This can be done through various methods, such as rate limiting, traffic shaping, and using blacklists and whitelists.
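Rate limiting with allow and block lists is the most basic of the filtering methods named above, and it is worth seeing what it actually decides per request. The Python below is an added example, not code from the article or from Indusface/AppTrana: it models a per-source token bucket (each source may burst up to a fixed number of requests, then is held to a steady rate), with a block list consulted first and an allow list that bypasses limiting. The request log, the 5 requests/second rate, the burst of 10 and the listed prefixes are constructed assumptions.

```python
"""Per-source token-bucket rate limiting with allow and block lists.

Added example, not code from the article or from Indusface/AppTrana. The
request log and the tuning values below are constructed for the demonstration.
"""
import ipaddress
from collections import Counter


class SourceRateLimiter:
    """Token bucket per source IP: `burst` tokens to start, refilled at `rate_per_sec`."""

    def __init__(self, rate_per_sec, burst, allowlist=(), blocklist=()):
        self.rate = float(rate_per_sec)
        self.burst = float(burst)
        self.allow = [ipaddress.ip_network(n) for n in allowlist]
        self.block = [ipaddress.ip_network(n) for n in blocklist]
        self.buckets = {}   # source ip -> (tokens, last_seen_ts)

    @staticmethod
    def _listed(ip, nets):
        return any(ip in net for net in nets)

    def decide(self, src, ts):
        """Return 'block', 'allow' or 'limit' for one request from `src` at time `ts`."""
        ip = ipaddress.ip_address(src)
        if self._listed(ip, self.block):        # block list wins over everything
            return "block"
        if self._listed(ip, self.allow):        # trusted sources bypass the bucket
            return "allow"
        tokens, last = self.buckets.get(src, (self.burst, ts))
        tokens = min(self.burst, tokens + (ts - last) * self.rate)   # refill since last request
        if tokens >= 1.0:
            self.buckets[src] = (tokens - 1.0, ts)
            return "allow"
        self.buckets[src] = (tokens, ts)        # bucket empty: shed this request
        return "limit"


def constructed_request_log():
    """Constructed log of (timestamp_seconds, source_ip) pairs."""
    log = []
    for j in range(20):                                         # three well-behaved clients, 2 req/s
        for src in ("198.51.100.10", "198.51.100.11", "198.51.100.12"):
            log.append((j * 0.5, src))
    log += [(i * 0.005, "203.0.113.66") for i in range(200)]   # one source sends 200 req in 1 s
    log += [(i * 0.2, "192.0.2.99") for i in range(5)]         # source on the block list
    log += [(i * 0.02, "10.0.0.5") for i in range(50)]         # internal health checker, allow-listed
    log.sort()
    return log


def run_filter(log, limiter):
    """Apply the limiter to each request in time order; tally decisions per source."""
    tally = {}
    for ts, src in log:
        tally.setdefault(src, Counter())[limiter.decide(src, ts)] += 1
    return tally


def demo():
    limiter = SourceRateLimiter(rate_per_sec=5, burst=10,
                                allowlist=["10.0.0.0/8"], blocklist=["192.0.2.0/24"])
    return run_filter(constructed_request_log(), limiter)


if __name__ == "__main__":
    for src, counts in demo().items():
        print(src, dict(counts))
```

The well-behaved clients never touch their burst allowance, the flooding source gets its first ten requests through and then only the trickle the refill rate permits, and the block and allow lists short-circuit the bucket entirely. A production mitigation layer does the same accounting in the data plane and adds traffic shaping on top, but the decision logic is this simple.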

Additionally, DDoS mitigation solutions can provide real-time monitoring and reporting to help organizations quickly respond to and recover from a DDoS attack.

Such a solution is designed to provide visibility into DDoS events and secure the availability of the resources attackers target for disruption.

In addition, security experts with deep expertise in the security landscape can offer the support and guidance you need to prevent disaster.


The post Why DDoS Attacks Use IoT Devices as Weapons? appeared first on Cyber Security News.

New Zerobot Malware Exploiting Apache Vulnerabilities to Launch DDoS Attack https://cybersecuritynews.com/zerobot-malware/ Thu, 22 Dec 2022 15:02:31 +0000
The Zerobot botnet has recently been upgraded to infect new devices by exploiting security vulnerabilities in unpatched, Internet-exposed Apache servers.

The latest version also adds new DDoS capabilities, as observed by the Microsoft Defender for IoT research team. Zerobot has been under active development since at least November.

Several new modules and features have been added to the new versions to increase the attack vectors available to the botnet. As a result, it is now easier for cybercriminals to infect new devices, such as:-

  • Firewalls
  • Routers
  • Cameras

In early December the developers removed modules that used year-old exploits to target the following devices:-

  • phpMyAdmin servers
  • Dasan GPON home routers
  • D-Link DSL-2750B wireless routers

Zerobot Modules

Beyond the updates Microsoft identified, the malware's toolkit also includes new exploits. The latest update lets it target seven new types of devices and software, including:-

  • Unpatched versions of Apache
  • Unpatched versions of Apache Spark

In addition to these new capabilities, Zerobot 1.1 features a comprehensive list of new modules, including:-

  • CVE-2017-17105: Zivif PR115-204-P-RS
  • CVE-2019-10655: Grandstream
  • CVE-2020-25223: WebAdmin of Sophos SG UTM
  • CVE-2021-42013: Apache
  • CVE-2022-31137: Roxy-WI
  • CVE-2022-33891: Apache Spark
  • ZSL-2022-5717: MiniDVBLinux

Zerobot is also capable of exploiting known vulnerabilities to propagate through compromised devices. The most interesting thing about this malware is that the known security flaws that it exploits are not included in the binary of the malware.

New DDoS Capabilities

The updated malware adds seven DDoS capabilities, including TCP_XMAS, a new attack method. The seven are:-

  • UDP_RAW: Sends UDP packets where the payload is customizable.
  • ICMP_FLOOD: Supposed to be an ICMP flood, but the packet is built incorrectly.
  • TCP_CUSTOM: Sends TCP packets where the payload and flags are fully customizable.
  • TCP_SYN: Sends SYN packets.
  • TCP_ACK: Sends ACK packets.
  • TCP_SYNACK: Sends SYN-ACK packets.
  • TCP_XMAS: Christmas tree attack (all TCP flags are set). The reset cause field is “xmas”.
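On the receiving side these floods are distinguishable by their TCP flag combinations: no legitimate stack sets all eight flags at once, so a single XMAS segment is already a signal, while SYN, ACK and SYN-ACK floods only stand out by rate. The following Python is an added example, not code from the article or from Microsoft's research: it decodes the flags byte of raw TCP headers, maps each segment to the categories named in the list above, and raises per-source alerts. The sample segments, the 100 segments/second threshold and the IP addresses are constructed.

```python
"""Classify TCP segments by flag combination and alert on flood patterns.

Added example, not code from the article or from Microsoft's research. The
capture below is constructed; the threshold is an assumption.
"""
import struct
from collections import Counter

# Bits of the TCP flags byte (header offset 13), RFC 793 / RFC 3168
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
             0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR"}


def tcp_flags(segment: bytes) -> set:
    """Return the set of flag names set in a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    flag_byte = segment[13]
    return {name for bit, name in TCP_FLAGS.items() if flag_byte & bit}


def classify(flags: set) -> str:
    """Map a flag set to the flood categories the article names."""
    if flags == set(TCP_FLAGS.values()):
        return "xmas"            # every flag lit: never produced by a real TCP stack
    if flags == {"SYN"}:
        return "syn"
    if flags == {"SYN", "ACK"}:
        return "synack"
    if flags == {"ACK"}:
        return "ack"
    return "other"               # PSH|ACK data, FIN|ACK teardown, RST, etc.


def build_tcp(sport: int, dport: int, flag_byte: int, seq: int = 0) -> bytes:
    """Minimal 20-byte TCP header (used only to construct the sample capture)."""
    return struct.pack(">HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flag_byte, 65535, 0, 0)


def detect_floods(packets, per_second_threshold=100):
    """packets: (timestamp, src_ip, tcp_header_bytes). Returns {(src, category): peak
    count in any one-second bucket} for sources that crossed the threshold; any XMAS
    traffic is reported regardless of rate."""
    per_bucket = Counter()
    for ts, src, seg in packets:
        per_bucket[(src, classify(tcp_flags(seg)), int(ts))] += 1
    alerts = {}
    for (src, cat, _sec), n in per_bucket.items():
        if cat == "xmas" or n >= per_second_threshold:
            alerts[(src, cat)] = max(alerts.get((src, cat), 0), n)
    return alerts


def sample_capture():
    """Constructed capture: one normal session, one SYN flood, three XMAS segments."""
    pk = []
    for i, fb in enumerate([0x02, 0x10, 0x18, 0x18, 0x11]):          # SYN, ACK, PSH|ACK x2, FIN|ACK
        pk.append((0.1 * i, "10.0.1.5", build_tcp(50000, 443, fb, seq=i)))
    pk += [(i / 300, "203.0.113.9", build_tcp(1024 + i, 443, 0x02)) for i in range(300)]  # SYN flood
    pk += [(0.5 + 0.1 * i, "198.51.100.4", build_tcp(4444, 443, 0xFF)) for i in range(3)]  # XMAS
    return pk


if __name__ == "__main__":
    for key, peak in detect_floods(sample_capture()).items():
        print(key, peak)
```

The normal session produces one SYN, one ACK and a handful of data and teardown segments and never trips an alert; the flooding source is caught purely by volume, and the XMAS sender by the impossible flag set alone. The same classification is what the "reset cause" field in the XMAS module would be seen against on the wire.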

This Go-based malware was first spotted in mid-November, and security analysts concluded that it was spreading quickly. At release it used nearly two dozen exploits to infect different types of devices.

Flaws tied to Zerobot

The following vulnerabilities and exploits have been detected by Microsoft Defender, and are linked to Zerobot activity:-

  • CVE-2014-8361
  • CVE-2016-20017
  • CVE-2017-17105
  • CVE-2017-17215
  • CVE-2018-10561
  • CVE-2018-20057
  • CVE-2019-10655
  • CVE-2020-7209
  • CVE-2020-10987
  • CVE-2020-25506
  • CVE-2021-35395
  • CVE-2021-36260
  • CVE-2021-42013
  • CVE-2021-46422
  • CVE-2022-22965
  • CVE-2022-25075
  • CVE-2022-26186
  • CVE-2022-26210
  • CVE-2022-30023
  • CVE-2022-30525
  • CVE-2022-31137
  • CVE-2022-33891
  • CVE-2022-34538
  • CVE-2022-37061
  • ZERO-36290
  • ZSL-2022-5717

Recommendations

Microsoft recommends the following steps to protect your devices and networks from the Zerobot threat:-

  • Implement security solutions capable of detecting threats across domains and providing cross-domain visibility.
  • Take a proactive approach to IoT security by adopting a comprehensive security solution.
  • Configure devices securely to prevent unauthorized access.
  • Keep devices up to date to maintain their health.
  • Use least-privileged access whenever possible.
  • Secure endpoints with a Windows security solution that provides a comprehensive approach.
  • Manage the apps your employees can use.
  • Regularly clean up executables that are stale or no longer needed.

Indicators of compromise (IOCs):

Domains and IP addresses:

  • zero[.]sudolite[.]ml
  • 176.65.137[.]5
  • 176.65.137[.]5:1401
  • 176.65.137[.]6
  • ws[:]//176.65.137[.]5/handle
  • http[:]//176.65.137[.]5:8000/ws

New Zerobot hashes (SHA-256)

  • aed95a8f5822e9b1cd1239abbad29d3c202567afafcf00f85a65df4a365bedbb
  • bf582b5d470106521a8e7167a5732f7e3a4330d604de969eb8461cbbbbdd9b9a
  • 0a5eebf19ccfe92a2216c492d6929f9cac72ef37089390572d4e21d0932972c8
  • 1e7ca210ff7bedeefadb15a9ec5ea68ad9022d0c6f41c4e548ec2e5927026ba4
  • 05b7517cb05fe1124dd0fad4e85ddf0fe65766a4c6c9986806ae98a427544e9d
  • 5625d41f239e2827eb05bfafde267109549894f0523452f7a306b53b90e847f2
  • c304a9156a032fd451bff49d75b0e9334895604549ab6efaab046c5c6461c8b3
  • 66c76cfc64b7a5a06b6a26976c88e24e0518be3554b5ae9e3475c763b8121792
  • 539640a482aaee2fe743502dc59043f11aa8728ce0586c800193e30806b2d0e5
  • 0f0ba8cc3e46fff0eef68ab5f8d3010241e2eea7ee795e161f05d32a0bf13553
  • 343c9ca3787bf763a70ed892dfa139ba69141b61c561c128084b22c16829c5af
  • 874b0691378091a30d1b06f2e9756fc7326d289b03406023640c978ff7c87712
  • 29eface0054da4cd91c72a0b2d3cda61a02831b4c273e946d7e106254a6225a7
  • 4a4cb8516629c781d5557177d48172f4a7443ca1f826ea2e1aa6132e738e6db2
  • bdfd89bdf6bc2de5655c3fe5f6f4435ec4ad37262e3cc72d8cb5204e1273ccd6
  • 62f23fea8052085d153ac7b26dcf0a15fad0c27621f543cf910e37f8bf822e0e
  • 788e15fd87c45d38629e3e715b0cb93e55944f7c4d59da2e480ffadb6b981571
  • 26e68684f5b76d9016d4f02b8255ff52d1b344416ffc19a2f5c793ff1c2fdc65
  • e4840c5ac2c2c2170d00feadb5489c91c2943b2aa13bbec00dbcffc4ba8dcc2d
  • 45059f26e32da95f4bb5dababae969e7fceb462cdeadf7d141c39514636b905a
  • 77dd28a11e3e4260b9a9b60d58cb6aaaf2147da28015508afbaeda84c1acfe70
  • cf232e7d39094c9ba04b9713f48b443e9d136179add674d62f16371bf40cf8c8
  • 13657b64a2ac62f9d68aeb75737cca8f2ab9f21e4c38ce04542b177cb3a85521
  • eb33c98add35f6717a3afb0ab2f9c0ee30c6f4e0576046be9bf4fbf9c5369f71
  • e3dd20829a34caab7f1285b730e2bb0c84c90ac1027bd8e9090da2561a61ab17
  • 3685d000f6a884ca06f66a3e47340e18ff36c16b1badb80143f99f10b8a33768
  • cdc28e7682f9951cbe2e55dad8bc2015c1591f89310d8548c0b7a1c65dbefae3
  • 869f4fb3f185b2d1231d9378273271ddfeebb53085daede89989f9cc8d364f5f
  • 6c59af3ed1a616c238ee727f6ed59e962db70bc5a418b20b24909867eb00a9d6
  • ef28ee3301e97eefd2568a3cb4b0f737c5f31983710c75b70d960757f2def74e
  • 95e4cc13f8388c195a1220cd44d26fcb2e10b7b8bfc3d69efbc51beb46176ff1
  • 62f9eae8a87f64424df90c87dd34401fe7724c87a394d1ba842576835ab48afc
  • 54d1daf58ecd4d8314b791a79eda2258a69d7c69a5642b7f5e15f2210958bdce
  • 8176991f355db10b32b7562d1d4f7758a23c7e49ed83984b86930b94ccc46ab3
  • 8aa89a428391683163f0074a8477d554d6c54cab1725909c52c41db2942ac60f
  • fd65bd8ce671a352177742616b5facc77194cccec7555a2f90ff61bad4a7a0f6
  • 1e66ee40129deccdb6838c2f662ce33147ad36b1e942ea748504be14bb1ee0ef
  • 57f83ca864a2010d8d5376c68dc103405330971ade26ac920d6c6a12ea728d3d
  • 7bfd0054aeb8332de290c01f38b4b3c6f0826cf63eef99ddcd1a593f789929d6

SparkRat hashes (SHA-256):

  • 0ce7bc2b72286f236c570b1eb1c1eacf01c383c23ad76fd8ca51b8bc123be340
  • cacb77006b0188d042ce95e0b4d46f88828694f3bf4396e61ae7c24c2381c9bf
  • 65232e30bb8459961a6ab2e9af499795941c3d06fdd451bdb83206a00b1b2b88


The post New Zerobot Malware Exploiting Apache Vulnerabilities to Launch DDoS Attack appeared first on Cyber Security News.
