As a long-time feud between rival hacking groups boiled over, the WikiLeaks website was caught in the crossfire and brought offline by a distributed-denial-of-service (DDoS) attack on 5 June. However, rather than react with anger, leaked chat logs show how WikiLeaks’ Twitter account engaged the group responsible, called OurMine, and even offered hacking tips for the future. Direct messages leaked to Buzzfeed show how WikiLeaks’ account, rumoured to be helmed by the website’s founder Julian Assange, told the group – which has become known for hacking the online profiles of high-profile figures – their talents could be put to better use. OurMine has recently hacked a slew of celebrities and technology executives including Facebook’s Mark Zuckerberg, Google’s Sundar Pichai and Spotify founder Daniel Ek. Every time, they leave a message telling the victim how weak their security is and leave a link to their website. Indeed the group claims to be a security firm rather than a hacking outfit. In any case, as far as ‘hacks’ go, OurMine’s activity is fairly tame. Until WikiLeaks’ website was taken down – thanks to an ongoing head-to-head with the Anonymous collective – there was little real damage caused to victims other than embarrassment. The DDoS attack took down the famous whistleblowing website by sending waves of traffic towards its servers, a common tactic used in hacktivist circles as a means of protest. After the incident, WikiLeaks got in touch and said the group was wasting its time by not making the most of the chances received by infiltrating profiles of the rich and famous. “If you support us and want to show you’re skills, then don’t waste your time with DDoS etc,” the account wrote. “Find us interesting mail spools or docs and send them to [WikiLeaks]. That’ll have a much greater impact.” After OurMine replied with “We never change their passwords we are just testing their accounts’ security” WikiLeaks said it was a “huge waste.” The message continued: “There’s a lot more than (sic) could have been done with those accounts. Sending DM’s as Zuckerberg to further access elsewhere. Same with Google CEO. You could have used these accounts to gain access to much more significant information, revealing corrupt behaviour elsewhere.” Based on the chats, OurMine appeared to agree with the new direction. “Great idea,” it said. One the hackers, speaking with Wired, previously said: “We don’t need money, but we are selling security services because there is a lot [of] people [who] want to check their security. We are not blackhat hackers, we are just a security group…we are just trying to tell people that nobody is safe.” Source: http://www.ibtimes.co.uk/wikileaks-tells-ourmine-hackers-impersonate-high-profile-victims-reveal-corrupt-behaviour-1569499
Read More:
WikiLeaks’ website was taken offline with a DDoS attack amid an ongoing hacker feud.
While most of Lizard Squad’s first members are in jail or hiding and hoping that law enforcement won’t come knocking on their door, the group continues to live on through new members, new attacks, but also through the LizardStresser toolkit, which they leaked online at the start of 2015. The toolkit was heavily forked and adapted, as many other hacking groups sought to use it to create their own botnets to use for DDoS attacks, either just to annoy people, extort companies or hacktivism activities. LizardStresser is geared towards infecting IoT devices Arbor Networks says that LizardStresser is not extremely complicated, and is nothing more than a DDoS attack toolkit that uses the ancient IRC protocol to communicate between the C&C server and the client-side component. Because LizardStresser is coded in C and designed to run on Linux architectures, Arbor Networks says that a lot of groups that are deploying new LizardStresser instances are taking advantage of unsecured IoT devices running on platforms such as x86, ARM, and MIPS, where a stripped-down Linux version is the preferred OS. We touched on this topic last year when Lizard Squad’s new members were having trouble with their own botnet after unknown security researchers were trying to hijack some of these infected IoT systems. Webcams make the bulk of the LizardStresser-based botnets According to Arbor Networks, most of these infected IoT devices are Internet-connected webcams, accessible through a page broadcasting the “NETSurveillance WEB” title, and using their default access passwords. In a DDoS attack of over 400 Gbps aimed at a gaming site, Arbor says that 90% of the bots that participated in the attack were these type of webcams. The DDoS attacks are extremely simple and don’t even use traffic amplification/reflection techniques. LizardStresser was created to launch direct DDoS attacks, meaning the bots send UDP or TCP floods directly to the target. LizardStresser launches direct DDoS attacks, no protocol amplification Because of the massive amount of unsecured IoT devices, groups that use LizardStresser can launch massive DDoS attacks, previously thought to be unachievable without UDP-based amplification protocols such as NTP or SNMP. Furthermore, LizardStresser also includes a telnet brute-forcing feature that’s used to test new devices for default passwords and inform the C&C server about possible new victims. All of these make features make LizardStresser a popular choice when hacking outfits and hacktivism groups are looking for tools to build or broaden their DDoS capabilities. Overall, there’s a growing trend in terms of hacking groups adopting LizardStresser. “LizardStresser is becoming the botnet-du-jour for IOT devices given how easy it is for threat actors to make minor tweaks to telnet scanning,” says Matthew Bing of Arbor Networks. “With minimal reseach [sic] into IOT device default passwords, they are able to enlist an exclusive group of victims into their botnets.” Number of C&C servers using LizardStresser in 2016 Source: http://news.softpedia.com/news/there-are-over-100-ddos-botnets-based-on-lizard-squad-s-lizardstresser-505816.shtml#ixzz4D0b6wPkw 
All clues lead back to Chinese DVR vendor TVT A botnet of over 25,000 bots lies at the heart of recent DDoS attacks that are ferociously targeting business around the world. More exactly, we’re talking about massive Layer 7 DDoS attacks that are overwhelming Web servers, occupying their resources and eventually crashing websites. US-based security vendor Sucuri discovered this botnet, very active in the last few weeks, and they say it’s mainly composed of compromised CCTV systems from around the world. Their first meeting with the botnet came when a jewelry shop that was facing a prolonged DDoS attack opted to move their website behind Sucuri’s main product, its WAF (Web Application Firewall). Botnet can crank out attacks of 50,000 HTTP requests per second Sucuri thought they had this one covered, just as other cases where companies that move their sites behind their WAF block the attacks, and eventually the attacker moves on to other targets. Instead, they were in for a surprise. While the initial attack was a Layer 7 DDoS with over 35,000 HTTP requests per second hitting the server and occupying its memory with garbage traffic, as soon as the attackers saw the company upgrade their website, they quickly ramped up the attack to 50,000 requests. For Layer 7 attacks, this is an extraordinarily large number, enough to drive any server into the ground. But this wasn’t it. The attackers continued their assault at this high level for days. Botnet’s nature allowed attacks to carry out attacks at higher volumes Usually, DDoS attacks flutter as the bots come online or go offline. The fact that attackers sustained this high level meant their bots were always active, always online. Sucuri’s research into the incident discovered over 25,513 unique IP addresses from where the attacks came. Some of these were IPv6 addresses. The IPs were spread all over the world, and they weren’t originating from malware-infected PCs, but from CCTV systems. Taiwan accounted for a quarter of all compromised IPs, followed by the US, Indonesia, Mexico, and Malaysia. In total, the compromised CCTV systems were located in 105 countries. Top 10 locations of botnet’s IPs The unpatched TVT firmware comes back to haunt us all Of these IPs, 46 percent were assigned to CCTV systems running on the obscure and generic H.264 DVR brand. Other compromised systems were ProvisionISR, Qsee, QuesTek, TechnoMate, LCT CCTV, Capture CCTV, Elvox, Novus, or MagTec CCTV. Sucuri says that all these devices might be linked to Rotem Kerner’s investigation, which discovered a backdoor in the firmware of 70 different CCTV DVR vendors . These companies had bought unbranded DVRs from Chinese firm TVT. When informed of the firmware issues, TVT ignored the researcher, and the issues were never fixed, leading to crooks creating this huge botnet. This is not the first CCTV-based botnet used for DDoS attacks. Incapsula detected a similar botnet last October. The botnet they discovered was far smaller, made up of only 900 bots . Source: http://news.softpedia.com/news/a-massive-botnet-of-cctv-cameras-involved-in-ferocious-ddos-attacks-505722.shtml#ixzz4CsbxFc4A