Category Archives: DDoS Vendors

DDoS attack takes down Cirrus Communications

Fixed wireless broadband provider Cirrus Communications has experienced a distributed denial of service (DDoS) attack that incapacitated half its network. Cirrus provides wireless networks to business, apartment complexes, residential colleges and military bases. The company says it is a last mile provider and prides itself on “competitive pricing … in metropolitan data centres to remote or broadband constrained areas,” an “ability to deliver high bandwidth where organisations need it” and an “Its ability to connect multiple locations for organisations on a breakthrough economic basis.” But over the last day, those services have not been available to all customers, as CEO Eric Heyde told The Register the company yesterday experienced a DDoS attack that took down “more than 50 per cent” of its network and that it experienced “struggles” in the wake of the event. “We are very close to full recovery,” Heyde told The Reg . “We’ve only got a couple of per cent of the network down at present.” [15:30 AEST – Ed} Heyde said the attack hit Cirrus’ core network, rather than the radio equipment on the edge. “It’s too early to say where the attack came from,” he added, and declined to offer further comment on the attack’s origins. Reg readers have suggested the attack has disrupted communications to other carriers that use Cirrus’ services. Source: http://www.theregister.co.uk/2014/07/30/ddos_takes_down_cirrus_communications/

Continued here:
DDoS attack takes down Cirrus Communications

Attackers install DDoS bots on Amazon cloud, exploiting Elasticsearch weakness

Attackers are exploiting a vulnerability in distributed search engine software Elasticsearch to install DDoS malware on Amazon and possibly other cloud servers.   Elasticsearch is an increasingly popular open-source search engine server developed in Java that allows applications to perform full-text search for various types of documents through a REST API (representational state transfer application programming interface). Because it has a distributed architecture that allows for multiple nodes, Elasticsearch is commonly used in cloud environments. It can be deployed on Amazon Elastic Compute Cloud (EC2), Microsoft Azure, Google Compute Engine and other cloud platforms. Versions 1.1.x of Elasticsearch have support for active scripting through API calls in their default configuration. This feature poses a security risk because it doesn’t require authentication and the script code is not sandboxed. Security researchers reported earlier this year that attackers can exploit Elasticsearch’s scripting capability to execute arbitrary code on the underlying server, the issue being tracked as CVE-2014-3120 in the Common Vulnerabilities and Exposures (CVE) database. Elasticsearch’s developers haven’t released a patch for the 1.1.x branch, but starting with version 1.2.0, released on May 22, dynamic scripting is disabled by default. Last week security researchers from Kaspersky Lab found new variants of Mayday, a Trojan program for Linux that’s used to launch distributed denial-of-service (DDoS) attacks. The malware supports several DDoS techniques, including DNS amplification. One of the new Mayday variants was found running on compromised Amazon EC2 server instances, but this is not the only platform being misused, said Kaspersky Lab researcher Kurt Baumgartner Friday in a blog post. The attackers break into EC2 instances—virtual machines run by Amazon EC2 customers—by exploiting the CVE-2014-3120 vulnerability in Elasticsearch 1.1.x, which is still being used by some organizations in active commercial deployments despite being superseded by Elasticsearch 1.2.x and 1.3.x, Baumgartner said.   The Kaspersky researchers managed to observe the early stages of the Elasticsearch attacks on EC2. They said that the attackers modified publicly available proof-of-concept exploit code for CVE-2014-3120 and used it to install a Perl-based Web shell—a backdoor script that allows remote attackers to execute Linux shell commands over the Web. The script, detected by Kaspersky products as Backdoor.Perl.RShell.c, is then used to download the new version of the Mayday DDoS bot, detected as Backdoor.Linux.Mayday.g. The Mayday variant seen on compromised EC2 instances didn’t use DNS amplification and only flooded sites with UDP traffic. Nevertheless, the attacks forced targets, which included a large regional bank in the U.S. and a large electronics maker and service provider from Japan, to switch their IP (Internet Protocol) addresses to those of a DDoS mitigation provider, Baumgartner said. “The flow is also strong enough that Amazon is now notifying their customers, probably because of potential for unexpected accumulation of excessive resource charges for their customers,” he said. “The situation is probably similar at other cloud providers.” Users of Elasticsearch 1.1.x should upgrade to a newer version and those who require the scripting functionality should follow the security recommendations made by the software’s developers in a blog post on July 9. Source: http://www.networkworld.com/article/2458741/attackers-install-ddos-bots-on-amazon-cloud-exploiting-elasticsearch-weakness.html#tk.rss_all

Continue Reading:
Attackers install DDoS bots on Amazon cloud, exploiting Elasticsearch weakness

DDoS attacks grow as first DIY kits emerge

Alongside the report, Trustwave is reporting the discovery of DIY DDoS kits for sale from just US$ 200 (£118) and which give users – apart from a high bandwidth connection – all they need to stage a wide-scale attack. The analysis – from Prolexic Technologies, now part of Akamai – claims to show that distributed denial of service activity has surged by 22 percent over the last quarter, putting levels close to those seen in Q1 of this year, when existing DDoS volume and allied records were broken. Delving into the report reveals there was a 72 percent increase in the average bandwidth of attacks during the second quarter, along with a shift to reflection-based attacks that undermine common web protocols, as well as the arrival of server-side botnets that exploit web vulnerabilities in Windows and Linux-based systems. The analysis concludes that there have been shifts in the industry targets compared with last quarter’s DDOS activity. The difference in these numbers, says the report, may be due to the different types of malicious actors on the Internet that may be active at any particular time. “It is clear that the majority of malicious actors preferred to use of volumetric attacks in Q2 – this trend was seen across all verticals. A significant variant in attack vectors by industry was the use of a very sophisticated botnets against financial and media sites,” notes the report, adding that these attacks do not seem to fit the previous patterns and motives of the DDoS criminal ecosystem. According to Trustwave, meanwhile, its research has revealed that hackers are now selling the Neutrino Bot malware kit, which it can be used to infect a large number of computers, create a botnet, and launch DDoS attacks against websites and services at will. For US$ 500 (£294), meanwhile, hackers will sell all comers BetaBot 1.6, which Trustwave says is a remote access Trojan that can run DDoS attacks, and steal sensitive data, passwords and files from infected systems. Karl Sigler, Trustwave’s threat intelligence manager, said he was unsurprised by the findings. “Supply and demand affects malware markets like they do any market. Even though demand is high, there is an increasing amount of malware competing with each other and this helps drive down the cost. There is also a cost-benefit issue. Criminals look at how much they can make by selling stolen data acquired using the malware. Finally, age plays a role. The longer malware is on the market, the cheaper it tends to get,” he said. Rob Bamforth, a principal analyst with Quocirca, the business analysis and research house, said that the surge in volumes and incidences of DDoS attacks in the second quarter identified by Akamai suggests a larger number of servers being infected by cyber-criminals – coupled with the fact that that many systems `out there’ are Windows XP-based, which has become a legacy operating system since it reached end-of-life with Microsoft back in April. “It also suggests there is a degree of complacency in the business sector, with many managers saying they do not want to invest extra money in IT security, as they do not see a return. Many businesses are suffering an ongoing squeeze on costs, so a failure to invest in security is understandable, even if it is not the correct approach to take,” he told SCMagazineUK.com . Nick Mazitelli, a senior consultant with Context Information Security, meanwhile, said that Akamai’s analysis that the widespread dissemination of increasingly capable attacker toolsets is a trend we see right across the threat landscape, from cyber-crime through to state-sponsored attacks and everything in between. “On the one hand this trend is fuelled by the on-going professionalisation and commoditisation of criminal marketplaces, and on the other by increasing levels of interconnection between threat groups of all stripes. Not only does this mean that existing threat groups have access to improved capability, but it also lowers the barrier of entry for newcomers thereby increasing the number of malicious parties active in the landscape – both factors that unavoidably increase the tempo of what is effectively an arms race between attacker and defender,” he said. “With this increased tempo as background it is important to highlight the necessity of a flexible and adaptable approach to security based on a sound understanding of the threat landscape. In particular those aspects of security concerned with network security monitoring as well as incident response are areas that have often been overlooked in the past, but are critical components of effectively managing the risk and minimising the potential impact of these constantly evolving threats,” he added. Source: http://www.scmagazineuk.com/ddos-attacks-grow-as-first-diy-kits-emerge/article/362573/

Excerpt from:
DDoS attacks grow as first DIY kits emerge

Four fake Google haxbots hit YOUR WEBSITE every day

Goog the perfect ruse to slip into SEO orfice One in every 24 Googlebots is a imitation spam-flinging denial of service villain that masquerades as Mountain View to sneak past web perimeter defences, according to security chaps at Incapsula.…

Read this article:
Four fake Google haxbots hit YOUR WEBSITE every day

Mayhem malware ropes Linux, UNIX servers into botnets

A new malware that researchers have dubbed Mayhem is being used to target Linux and Unix web servers and has so far compromised over 1,400 Linux and FreeBSD servers around the world, warn researchers …

Read the article:
Mayhem malware ropes Linux, UNIX servers into botnets

Image akincilar-graphic-message-protesting-against-treatment-palestinians-has-replaced-homepage.jpg

#OpSaveGaza: Anonymous Takes Down 1,000 Israeli Government and Business Websites

Hacker collective Anonymous has announced that it has taken down over a thousand of crucial Israeli websites in a huge new coordinated cyber-attack called #OpSaveGaza on 11 July and 17 July, in support of the people of Palestine. Some of the websites, such as the Tel Aviv Police Department’s online presence, are still offline two days after the distributed denial of service (DDoS) attacks, and numerous Israeli government homepages have been replaced by graphics, slogans, and auto-playing audio files made by AnonGhost, the team of hackers who coordinated the attack. The official Israeli government jobs website has had its homepage replaced by a graphic titled “Akincilar”, which is Turkish for the Ottoman Empire’s troops. Akincilar: A graphic and message protesting against the treatment of Palestinians is still replacing the homepage of certain Israeli government websites A message written in English and Turkish – presumably by Turkish hackers – and accompanied by pictures of Palestinians suffering says: “The Jerusalem cause is Muslims’ fight of honour” and says that people who fight for Palestine are “on the side of Allah”. Another Israeli government website now bears an AnonGhost graphic and lists the usernames of 38 hackers. An audio file that auto-plays when the page loads plays music and a synthesized newsreader clip, together with a message beseeching human rights organisations, hackers and activists to attack Israeli websites to become the “cyber shield, the voice for the forgotten people”. AnonGhost’s #OpSaveGaza message has been displayed on many Israeli websites Many of the websites have since been restored. The hackers have also leaked lists of Israeli government email addresses obtained by hacking websites of the Ministry of Immigrant Absorption, the Ministry of Justice, the Ministry of Culture and Sport, the Ministry of Housing and Construction and much more. Israeli websites belonging to restaurants, local businesses, associations, societies, academic foundations and even a symphony orchestra were also attacked, as well as a subdomain belonging to MSN Israel. A message on the main Pastebin page and some of the hacked websites reads : “The act of launching rockets from Gaza sector to Israhell is an acceptable and normal reaction against those pigs, it’s called Resistance and not terrorism. “Israhell never existed its only Palestine, it’s our home. If you are a Hacker, Activist, a Human Right Organisation then hack israel websites and expose to the world their crimes, show to the world how much blood is on their hands, blood of innocent children and women.” Anonymous has previously run another campaign in April targeting Israeli websites, although on a smaller scale. About 500 websites went offline during the OpIsrael campaign and the hackers released the phone numbers and email addresses of some Israeli officials. Source: http://www.ibtimes.co.uk/opsavegaza-anonymous-takes-down-1000-israeli-government-business-websites-1457269

View article:
#OpSaveGaza: Anonymous Takes Down 1,000 Israeli Government and Business Websites

17-Year-Old Behind Norway DDoS Attacks This Week

On Thursday, the Norwegian police have arrested and charged a 17-year-old in connection to the recent massive distributed denial-of-service (DDoS) attacks directed at major financial institutions and other businesses in the country. The teen, from the city of Bergen, on Norway’s west coast, claimed to be part of the hacktivist group Anonymous Norway, who, in a Twitter message, dismissed any connection to him or the DDoS incidents. On the day of the attack, the teenager sent a letter to the media, claiming to be part of Anonymous and saying that “the motivation behind the current attacks and the next attacks in the future is to get the community to wake up. The number of major IT security attacks is increasing and there is nothing being done to prevent such events.” Evidence that Anonymous Norway was not involved in the incidents is the fact that the boy joined the group’s Facebook page on the same day of the attack. Furthermore, the hacker outfit provided a Pastebin link in a new tweet, pointing to the identity of the perpetrator; they did not create the post, just scooped it up. Initially, the youngster was charged with gross vandalism, which carries a maximum prison sentence of six years in Norway. However, since he has no record and is still a minor, this should be greatly reduced. According to News in English, Frode Karlsen of the Bergen police told Norwegian Broadcasting that the authorities are taking the matter seriously because this sort of attack can have significant impacts on society, like individuals not being able to reach emergency services in case they needed help. After his arrest, the teen cooperated in the investigation and clarified the nature of his actions. His defense lawyer stated that “he’s sorry for having caused all this and has laid his cards on the table.” The DDoS attack, which occurred on Tuesday, was considered among the largest ever seen in Norway and leveraged the vulnerable “pingback” WordPress feature. Its increased significance is due to the fact that it targeted layers three (network) and four (transport) of the OSI model, as well as layer seven (application), at the same time. Mitigating an application layer DDoS attack is not too easy, because the requests are directed at the application interface and mimic legitimate behavior, which makes filtering out the bad traffic more difficult. The attack aimed at disrupting the online services of major financial institutions in Norway (Norges Bank, Sparebank 1, Storebrand, Gjensidige, Nordea, Danske Bank), as well as other business, like Scandinavian Airlines (SAS) and Norwegian Air. The website of the largest telecommunications company in Norway, Telenor, was also affected. Source: http://news.softpedia.com/news/17-Year-Old-Behind-Norway-DDoS-Attacks-this-Week-450391.shtml

Read the article:
17-Year-Old Behind Norway DDoS Attacks This Week

Brute-force bot busts shonky PoS passwords

RAM scrapers foisted on 60 terminals A botnet has compromised 60 point of sale (PoS) terminals by brute-force password attacks against poorly-secured connections, FireEye researchers say.…

See more here:
Brute-force bot busts shonky PoS passwords

‘Political’ DDoS Attacks Skyrocket in Russia

Commercial hackers in Russia are giving way to politically motivated cyber criminals targeting ideological enemies, a new study said Wednesday. The most powerful DDoS attacks on Russian websites in the first six months of 2014 were triggered by the political crisis in Ukraine, digital security company Qrator Labs revealed. February’s Olympic Games in Sochi also prompted a spike in DDoS attacks, said the study, as reported by Bfm.ru news website. Hacker attacks in Russia have generally decreased in quantity, but have become more powerful compared with the first six months of 2013, the report said. About 2,700 distributed denial-of-service (DDoS) attacks occurred during the first six months of 2014, compared with 4,400 over the same period last year, Bfm.ru said. But the number of powerful attacks upward of 1 Gbps increased five times to more than 7 percent of the total, the report said, citing Qrator Labs digital security company. Some of the attacks peaked at 120 to 160 Gbps, the report said. Attack time also grew significantly, with DDoS strikes lasting up to 91 days, compared with 21 days in the first half of 2013. Average botnet size tripled from 136,000 to 420,000 machines per attack. This indicates ideological motivation on behalf of the attackers, who, unlike criminal hackers attacking websites for money, have more time at their disposal, Qrator Labs was quoted as saying. The media made the list of prime DDoS targets along with payment systems and real estate websites. Last season, Forex websites and online stock exchanges accounted for the “absolute majority” of the attacks, the study said, without providing exact figures. Source: http://www.themoscowtimes.com/news/article/political-ddos-attacks-skyrocket-in-russia/503226.html

Read More:
‘Political’ DDoS Attacks Skyrocket in Russia