Tag Archives: ddos

Image unknown-copycat-using-armada-collective-name-for-ddos-for-bitcoin-extortions-497297-4.jpg

Unknown Copycat Using Armada Collective Name for DDoS-for-Bitcoin Extortions

Cyber-crime syndicates are moving in, pushing script kiddies out of the picture, expect more large-scale attacks After the success of DDoSing outfits like DD4BC and Armada Collective, an unknown copycat that’s using the Armada Collective name but asking for astronomical payments has appeared. A report from Recorded Future, a real-time threat intelligence protection company, shows that DDoS-for-Bitcoin extortion schemes are here to stay, with more and more attacks being launched solely for this reason. DD4BC have launched a new type of extortion scheme This trend can be tracked down to an Akamai report released over the summer that documented the actions of a hacking group known as DD4BC (DDoS 4 Bitcoin). This group launched DDoS attacks on companies around the world, requesting small payments in Bitcoin for each target. The group’s scheme was a simple one. They would send threatening emails to business owners, saying they would launch powerful DDoS attacks if a ransom was not paid in due time to a specific Bitcoin wallet. To prove their point, a small 15-minute DDoS was launched to showcase their capabilities. DD4BC’s scheme proved to be extremely lucrative and allowed them to rack up Bitcoin over the past year in over 140 DDoS attacks. The group was active since late 2014 and suddenly stopped its activity after the Akamai report was released, probably to avoid getting caught by law enforcement authorities alerted to their scheme. Enter Armada Collective Soon after, the first DD4BC copycat arose, in the form of the Armada Collective hackers, carrying out DDoS attacks on small businesses in Switzerland. They then expanded to email providers, and their name became known around the world in the famous ProtonMail incident. The incident is very well documented in one of our previous stories , but we’ll give you a small summary. Basically, Armada Collective followed the DD4BC regular tactics, sending an email and launching a small 10-15 Gbps DDoS attack on ProtonMail. Armada Collective returning ransom to ProtonMail As soon as the attack ended, ProtonMail revealed what happened, and more serious attacks took place, with ProtonMail paying the ransom in the end. Armada Collective denied any involvement and even went as far as to return the ProtonMail ransom, putting the blame on a state-sponsored actor with capabilities that far exceeded its own. Enter the unknown copycat But something else happened recently that made the Recorded Future team stop and ponder about the bigger picture, and that’s the DDoS-for-Bitcoin attacks on three major Greek banks . With DD4BC and Armada Collective always launching small-scale attacks and requesting modest ransoms (the equivalent of a few thousand dollars), this new group attacking Greek banks does not fit the bill. While the attacks of DD4BC and Armada Collective seem to be the work of script kiddies, the ones that brought down ProtonMail and the three major Greek banks were massive in scale. Coupled with the fact that this new group also requests ransoms in the order of millions of dollars, there are clear signs that they are a copycat that’s trying to remain hidden by passing as Armada Collective (as stated in the email sent to the Greek banks). With the number of DDoS-for-Bitcoin attacks on the rise, this type of cyber-threat is about to evolve from the work of script kiddies to the normal MO of larger cyber-criminal syndicates.

Continue reading here:
Unknown Copycat Using Armada Collective Name for DDoS-for-Bitcoin Extortions

Sputnik Türkiey website became the target of a DDoS attack

Access to the site was blocked for an hour due to a distributed denial-of-service (DDoS) attack carried out by unknown perpetrator(s). The website’s IT specialists managed to quickly deal with the attack and Sputnik Türkiye has already resumed operations. The resources of Rossiya Segodnya International Information Agency, including the Sputnik website and newswire, had already become a target for a major DDoS attack in October, when the agency’s websites and mailing services were unavailable to users for two hours. DDoS attacks are caused by a large number of Internet users or software programs simultaneously sending requests to a website until it exceeds its capacity to handle Internet traffic. Source: http://sputniknews.com/middleeast/20151208/1031410680/sputnik-turkey-ddos-attack.html

View article:
Sputnik Türkiey website became the target of a DDoS attack

UK research network Janet still being slapped by DDoS attack

DNS services appear to be targeted, switching may work Members of UK’s academic community from freshers to senior academics are facing more connection issues today as a persistent and continuous DDoS attack against the academic computer network Janet continues to stretch resources. Janet first came under a Distributed Denial of Service (DDoS) attack yesterday, and the same attack has continued through to today forcing much of the academic community offline. Initially, Jisc’s engineers and security teams identified the cause as a DDoS attack and worked to identify the source of the assault and implement blocks. However, after some suggestions of network stabilisation, further problems were seen. Janet reported that it would cease providing updates on its Twitter page following the attack, as the information seemed to be providing the attackers with hints about how to adjust their attacks. For those who find Janet’s DNS services sluggish to respond, it may be possible to work around the issue by switching to Google Europe’s DNS. Boffins from various field have somehow managed to take to Twitter to share their woes about the outage. Vision and Office 365 are also being reported as offline. The Register understands no ransom notice has been delivered to Jisc as of writing. DDoS-for-ransom attacks are almost always preceded by the ransom request, as an early payment saves the attackers money. Source: http://www.theregister.co.uk/2015/12/08/uk_research_network_janet_ddos/

View original post here:
UK research network Janet still being slapped by DDoS attack

White hats, FBI and cops team up for Dorkbot botnet takedown

Your four-year reign of terror is (temporarily) over Operations of the Dorkbot botnet have been disrupted following an operation that brought together law enforcement agencies led by the FBI, Interpol and Europol, and various infosec firms.…

Visit link:
White hats, FBI and cops team up for Dorkbot botnet takedown

Ponmocup is the ’15 million’ machine botnet you’ve never heard of

Skilled VXers have built 25 plugins, made 4000 variants, say crack security team Botconf   One of the world’s most successful, oldest, and largest botnets is an underestimated and largely-unknown threat that has over time infected 15 million machines and made millions plundering bank accounts.…

Read more here:
Ponmocup is the ’15 million’ machine botnet you’ve never heard of

Warnings over Node.js flaw that could lead to DoS attacks

TheNode.js Foundation has revealed a couple of bugs within its JavaScript software that could lead to major denial of service attacks against websites using the code. The issues affects versions of Node.js from version 0.12 up to version 5. In a bulletin issued by the Foundation, the popular server-id JavaScript platform has two vulnerabilities. One covers “a high-impact denial-of-service vulnerability” while the other is a “low-impact V8 out-of-bounds access vulnerability.” V8 is the JavaScript engine developed by Google and used by Node.js. The DoS issue is labelled as CVE 2015-8027, while the access problem is identified as CVE-2015-6764. According to the bulletin, the first bug could allow a hacker to launch a denial of service. The second bug could enable a hacker to trigger an out-of-bounds access and/or denial of service if user-supplied JavaScript can be executed by an application. The issues were disclosed last week with patches due to be released yesterday. However, the Foundation announced that it will now delay releasing the patches until Friday. It said this was because of dependencies on OpenSSL, which itself has been found to contain further vulnerabilities. “Node.js versions v0.10.x and v0.12.x depend on OpenSSL v1.0.1 and versions v4.x (LTS Argon) and v5.x depend on OpenSSL v1.0.2,” stated an advisory on the Node.js website. “As the Node.js build process statically links OpenSSL into binaries, we will be required to release patch-level updates to all of our actively supported versions to include the upstream fixes. While we are unaware of the exact nature of the OpenSSL vulnerabilities being fixed, we must consider it likely that Node.js releases will be required in order to protect users.” It said the move to Friday was “unfortunate” but has to take into account of “the possibility of introducing a vulnerability gap between disclosure of OpenSSL vulnerabilities and patched releases by Node.js and therefore must respond as quickly as practical.” “Please be aware that patching and testing of OpenSSL updates is a non-trivial exercise and there will be significant delay after the OpenSSL releases before we can be confident that Node.js builds are stable and suitable for release,” the organisation said. Wim Remes, strategic services manager EMEA at Rapid7, said vulnerabilities in Node.js “impacts organisations across verticals, from ecommerce websites, over healthcare organisations, to critical infrastructure.” “Hackers will leverage any vulnerability that allows them to gain control over a target. Denial of Service vulnerabilities are mostly used for targeted hacktivism or extortion purposes. The out-of-bounds access vulnerability, as it provides direct access to an infrastructure, would be a welcome tool in the arsenal of any digital criminal,” he said. “With access to part of the infrastructure, an attacker can pivot further through the infrastructure, destroy information, exfiltrate information, install spying software, etc.  A vulnerability that provides direct access is the first tool an attacker needs to achieve their goals.” Remes added that in this case patching is about the only thing an organisation can do. “There are obviously ways to stop attacks using Web Application Firewalls or Intrusion Prevention Systems but given the severity of the issues, I would definitely recommend to prioritise patching. Additionally, making sure that any system which doesn’t need to be on the internet is not reachable by external users is something that makes sense too,” said Remes. Source: http://www.scmagazineuk.com/warnings-over-nodejs-flaw-that-could-lead-to-dos-attacks/article/457205/

See more here:
Warnings over Node.js flaw that could lead to DoS attacks

Greek Banks Hit by DDoS Attacks, Hackers Ask for Bitcoin Ransoms to Stop

Armada Collective, the hackers that launched DDoS attacks on ProtonMail, are back and are targeting several Greek banks, using the same DDoS-for-Bitcoin extortion scheme. Unlike the ProtonMail debacle, when the secure email provider agreed to pay the hackers’ ransom, this time around, bankers contacted local law enforcement, as Greek newspaper Kathimereini is reporting. The attacks started on Thursday, November 26, and continued through this week. Three unnamed Greek banks were targeted, and Armada Collective hackers asked for 20,000 Bitcoin ($7,210,000 / €6,790,000) from each of them. Yanni Koutsomitis, Eurozone analyst and managing director at Imperial Media, said that, on Monday, Greek authorities brought in FBI specialists to help with the investigation and countering the cyber-attack. During the DDoS on ProtonMail, after the initial attacks that convinced ProtonMail management to pay the ransom, subsequent DDoS attacks grew in intensity. Armada Collective denied responsibility for the subsequent attacks, which were many times stronger than the early ones. Many believed the hackers’ explanation and suspected that a state-sponsored actor quietly got on the line and was taking revenge on the secure email provider labeled as “NSA-proof.” The attacks on the Greek banks now confirm that Armada Collective is a serious threat and has the power to cripple an entire nation’s financial institution. Previous Armada Collective targets include Hushmail, Runbox, and a few Internet Service Providers from Switzerland. None of them paid the ransom. Source: http://news.softpedia.com/news/greek-banks-hit-by-ddos-attacks-hackers-ask-for-bitcoin-ransoms-to-stop-496966.shtml

Read this article:
Greek Banks Hit by DDoS Attacks, Hackers Ask for Bitcoin Ransoms to Stop

Tux Machines Again Faces DDoS Attacks

The popular website Tux Machines has evidently fallen victim to a DDoS attack that made the site unavailable for part of the day on Friday. The announcement of the attack was initially made in a blog notice posted on the site late Friday morning GMT which opened with the line “Tux Machines has been mostly offline this morning.” According to the blog post, the attack was at first thought to have been initiated by the Chinese web services company Baidu, but a later update indicated that turned out not to be the case. “…Baidu was [not] at fault but botmasters who used ‘Baidu’ to masquerade themselves, hiding among some real and legitimate requests from Baidu (with Baidu-owned IP addresses).” At this time, it’s not known who’s behind the attack. Roy Schestowitz, who with his wife Rianne publishes both Tux Machines and the politically oriented FOSS blog site Techrights, told FOSS Force, “We’ve suspected EPO seeking revenge, which makes sense for Techrights, not Tux Machines.” EPO refers to the European Patent Office which recently threatened Schestowitz with civil action over an article which claimed the EPO purposefully gives priority to patent applications from large corporations. This isn’t the first time the outspoken Schestowitz’s sites have come under DDoS attacks. In September and October of 2014, both sites came under a crippling attack that lasted for several weeks and which left both sites unreachable for long stretches of time. Indications are that this current attack isn’t nearly as damaging, although Schestowitz said that he and his wife had been working to keep Tux Machines functional throughout the weekend. Many websites use the services of a content delivery network (CDN), in part as protection against all but the most robust DDOS attacks. Schestowitz told us that no CDN is used by either of his sites. “I wrote a lot about this before,” he said. “Performance, Tor, privacy issues, JavaScript and so on. So no, CDNs are out of the question.” We sent Tux Machines an email this morning to determine the current status but have not received a reply. However, at the time of publication the site was responsive, as was Techrights. Source: http://fossforce.com/2015/11/tux-machines-again-face-ddos-attacks/

More:
Tux Machines Again Faces DDoS Attacks

Netherlands public broadcaster hit in worst-ever DDoS attack

The Netherlands public broadcaster NPO was hit by the largest DDoS attack ever, leaving the NOS site and app unreachable for some time on Sunday night. Other national and regional broadcasters’ sites were still online, but difficult to reach. During a DDoS attack a computer system is bombarded with an extreme number of visits. “We are used to large groups of users with big news, but this number surpassed everything. And all at the same time”, NPO said, according to NOS. The public broadcaster is considering which measures to implement, on top of the measures already in place, to prevent similar disturbances in future. The perpetrators behind the attack have not yet been identified. Source: http://www.nltimes.nl/2015/11/30/netherlands-public-broadcaster-hit-in-worst-ever-ddos-attack/

Read More:
Netherlands public broadcaster hit in worst-ever DDoS attack

It’s Black Friday: Do you know who is DDoSing your servers? And how to stop them

Today is Black Friday in the U.S. a retail holiday where numerous, extravagant deals are revealed to a ravenous public. In the brick and mortar universe, this can become a free-for-all when shoppers will camp out for days in front of a store just to get in on the first deals. In the cyber universe the same greatly increase traffic can be seen and this also makes it hunting season for hackers and extortionists attempting to get a cut. On the Internet, the easiest and lowest form of disruption is the distributed denial of service (DDoS) attack and we’ve seen it employed throughout the year by for various reasons to take down websites. To get a better understanding of what e-retailers can expect now on Black Friday and the upcoming Cyber Monday, SiliconANGLE reached out to Nexusguard (Nexusguard Limited), DDoS protection experts, and spoke with their Chief Scientist Terrence Gareau. “Risk from cyberattack is a trend repeating every year,” says Gareau. “No doubt retailers all experience an uptick in attacks [during Black Friday]. Attackers are definitely taking advantage of the uptick and e-tailers need to put in more resources to boost their websites’ security.” This year DDoS attacks hit record highs, according to the State of the Internet report from Akamai for Q2 2015. The number of attacks grew by 132 percent compared to the same time in 2014 and 12 attacks occurred that exceeded 1,000 gigabits per second (Gbps). Nexusguard’s own overwatch on DDoS showed that during 2015 Q3 attack numbers rose by 53 percent over Q2, higher than any quarter over the past two years. E-commerce at more risk than ever from DDoS attacks Most DDoS attacks that make it to the news are being done my Internet mayhem groups looking for fame and attention. The most recent example is the attack committed by Lizard Squad on Christmas Day, December 26, 2014 against the Xbox LIVE and PlayStation networks that knocked the gaming services offline for millions of customers However, Gareau says that not all DDoS attacks come from people seeking attention—some are seeded with greed and extortion. Especially when it comes to the lesser-known attacks that services and e-retailers suffer around this time of year. When asked if competitors might use DDoS to knock out or weaken sales from other e-retailers, Nexusguard’s chief scientist would only say that it does appear that competitors do attack each other this time of year. That said, more danger appears to be coming from extortion rackets this time of year than from greedy competitors. The usual strategy is to hit an outlet with a DDoS attack (a short one) and then send an e-mail requesting some sort of ransom payment or the attack comes back. A few more blasts might come along to get the target’s attention. “Hackers are aware that the holidays are a prime time for online retailers. Therefore, they would do anything to break through any defenses,” says Gareau. This time of year criminals know that stores and e-retailers are looking to make as much money as possible off traffic. As well, increased traffic makes servers even more vulnerable to DDoS because it means they’re already working at capacity. Attackers see this as low-hanging fruit because first it’s easier and second an e-retailer will lose a great deal of money for even ten minutes of time offline during the sales rush. “One of the most sophisticated attacks focused on the login prompt,” Gareau adds, when asked for an example of how hackers attempt to knock sites offline. “In fact, on Thanksgiving and Christmas last year, we saw a hacker craft specific requests to the login form, preventing visitors from logging on.” Cold advice about DDoS extortion: “…don’t f**ing pay ‘em.” “We expect to see an increase in fraud and extortion, directly linked to DDoS as seen over the last few years,” Gareau says. When it comes to handling the potential of (or ongoing) DDoS attacks, Gareau suggests getting a proper team on board, he works for such a team at Nexusguard after all, but he also has an opinion on extortion and it’s a very simple one: “…And don’t f**ing pay ‘em,” he adds. This year has a perfect example of why paying DDoS extortion is a losing bet. In early November Switzerland-based ProtonMail, a provider of end-to-end encrypted e-mail, was struck by a powerful DDoS attack and the attackers demanded a ransom of $6,000 to relent. (The amount requested was 15 bitcoins, which at the time came out to approximately $5,850.) ProtonMail paid the ransom but then paid the price: the ProtonMail website and service were washed away by a DDoS attack anyway. Paying extortion to make a DDoS attacker go away does not necessarily make them go away. Just like any other criminal enterprise, knowing that a payment will come is a good way to make sure they will come back. Worse, it will fund the criminals to build out or increase their total power, which means they can go after other targets more frequently. In many cases that ransom requested by the criminals behind the DDoS could be paid to an anti-DDoS outfit and used to lessen the impact of the attack. The result is that the criminals get nothing but time wasted firing off their attack tools. Source: http://siliconangle.com/blog/2015/11/27/its-black-friday-do-you-know-who-is-ddosing-your-servers-and-how-to-stop-them/

Read more here:
It’s Black Friday: Do you know who is DDoSing your servers? And how to stop them