DDoS Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/ddos/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

Sierra AirLink Vulnerabilities Expose Critical Infrastructure
https://gridinsoft.com/blogs/sierra-airlink-21-vulnerabilities/
Wed, 06 Dec 2023 16:00:03 +0000

The post Sierra AirLink Vulnerabilities Expose Critical Infrastructure appeared first on Gridinsoft Blog.
A grand total of 21 security flaws was discovered in the firmware of Sierra Wireless AirLink routers. The vulnerabilities allow remote code injection, unauthenticated access, DoS attacks and more. Since such network devices are commonly used in industrial manufacturing and similar applications, the impact of such attacks may be rather serious.

Sierra AirLink Routers Have 21 Vulnerabilities

As Forescout Vedere researchers describe in their report, the AirLink lineup of devices contains 21 software vulnerabilities. Only one of them has a CVSS score above 9, which is considered critical. The RCE vulnerabilities and a couple of issues that may allow unauthorized access are rated 8.1 to 8.8. Several other noteworthy issues, particularly ones that cause denial of service, are rated CVSS 7.5.

Vulnerability    Description                                CVSS Score
CVE-2023-41101   RCE vulnerability in OpenNDS               9.6 (Critical)
CVE-2023-38316   RCE vulnerability in OpenNDS               8.8
CVE-2023-40461   XSS vulnerability in ACEmanager            8.1
CVE-2023-40464   Unauthorized access in ALEOS firmware      8.1
CVE-2023-40463   Unauthorized access in ALEOS firmware      8.1

The researchers gave a detailed description of potential exploitation scenarios for two of the most critical vulnerabilities. With CVE-2023-41101, an attacker can take over the router by overflowing a buffer in the OpenNDS captive portal. Because the length of GET requests is not limited, it is possible to make the router execute arbitrary code. By controlling the router, adversaries can disrupt the operations that go through the mentioned interface.

CVE-2023-41101 exploitation

The second in the list, CVE-2023-40463, requires an attacker to possess a router similar to the one they intend to attack. By digging through the device’s software components and cracking the hashes found there, it is possible to obtain the diagnostic shell password. Then, with a bit of social engineering, adversaries may connect to the actual router and enter its diagnostic interface using the password obtained earlier. With such access, it is possible to inject malware into the router, force it to malfunction, or execute commands on it remotely.

Available Mitigations

Despite the worrying number of flaws, all of them reportedly receive a fix in the latest firmware version for AirLink devices. ALEOS 4.17.0 should address all the flaws, and if incompatibilities stand in the way, customers may stay on version 4.9.9. The latter is not affected by the listed vulnerabilities except for those that touch the OpenNDS captive portal.

The researchers who found the issues also offer their own mitigations that allow delaying the patch installation. However, as usually happens with stopgap solutions, they are not ideal and do not guarantee the effect.

  1. Disable unused captive portals and related services, or put them under restricted access. This reduces the attack surface for vulnerabilities that target OpenNDS.
  2. Use a web application firewall to filter requests and block packets from suspicious sources. This mitigation works against the XSS and DoS vulnerabilities.
  3. Change the default SSL certificates. Forescout recommends doing this for all routers, not only Sierra Wireless ones.
  4. Implement an intrusion detection system that also monitors IoT/OT devices. This allows controlling both connections from outside the network and those within it.

What are Sierra AirLink Routers?

Have you ever wondered how the Wi-Fi on public transport works? Or how all the machinery in a huge workshop is connected and centrally managed even though it is not static? Sierra’s devices are the answer. Their routers are industrial-grade wireless connectivity devices used in dozens of industries, from public transportation all the way up to aerospace and defense.

Sierra Airlink stats by countries

What is particularly concerning in this story is the extensive use of AirLink routers in critical infrastructure. Factories and transportation are important, though not as continuously demanded as water treatment, emergency services and energy management. And since IoT attracts hackers’ attention more and more often, action should be taken immediately. Considering the extensive use of vulnerable AirLink devices in the US, they may be the perfect Achilles’ heel for cyberattacks that target critical infrastructure and even government.

SLP DDoS Amplification Vulnerability Actively Exploited
https://gridinsoft.com/blogs/slp-ddos-amplification-vulnerability-exploited/
Fri, 10 Nov 2023 14:27:54 +0000
In a recent development, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has raised alarms over an actively exploited high-severity flaw in the Service Location Protocol (SLP). Designated as CVE-2023-29552, the vulnerability poses a significant threat, allowing attackers to execute denial-of-service (DoS) attacks with a substantial amplification factor. This revelation follows the disclosure of the flaw by cybersecurity entities Bitsight and Curesec earlier this April.

Vulnerability Overview

Rated with a CVSS score of 7.5, the vulnerability in question is a DoS weakness in the Service Location Protocol. It allows unauthenticated remote attackers to register services and use spoofed UDP traffic to orchestrate a DoS attack with a notable amplification factor. SLP is a protocol that facilitates communication and service discovery among systems on a local area network (LAN), which makes it a potential avenue for malicious actors to exploit.

While this threat was mostly a paper tiger before, these days it is no longer just a theoretical possibility: real cyber crooks are making use of CVE-2023-29552. And the less time you give them to find out that you are running a vulnerable SLP service, the lower the chance that it will be used for malicious purposes.

DDoS amplification attack

The DoS amplification attack that leverages CVE-2023-29552 is relatively straightforward yet potent. Instead of bombarding the target server with requests head-on, the crooks take a slyer route. They send tiny requests to an intermediary server, and these requests are crafted so that the intermediary sends back far bigger responses. The key move is spoofing the source of the request so that it appears to come from the target’s IP address: the amplified responses then land on the target. Thanks to this trick, attackers can flood even well-guarded targets with traffic.
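The pattern described above leaves a clear trace on the reflector side: a peer that "sends" tiny requests but receives many times more bytes back is most likely a spoofed victim. The following detector over constructed UDP flow records is an added example, not code from the Gridinsoft post, CISA or the Bitsight/Curesec research; the port (SLP listens on UDP/427), the flow-record field order and the 10x cut-off are assumptions of this example.

```python
"""Spotting DDoS amplification reflection in UDP flow records.

Added illustration (not from the Gridinsoft article or the cited
advisories). It models the post's description: a small request to a
reflector elicits a far larger response, and the request's source
address is spoofed so the reply lands on the victim. All flow records
below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

SLP_PORT = 427                  # Service Location Protocol, RFC 2608
AMPLIFICATION_THRESHOLD = 10.0  # assumed cut-off: bytes out / bytes in per peer


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


# Constructed sample, one flow per line as seen at the reflector's edge.
# Field order (an assumption of this example): src sport dst dport proto bytes.
# 203.0.113.7 "sends" tiny requests and receives 32x more back: the classic
# signature of a spoofed victim. 198.51.100.5 looks like an ordinary client.
# 203.0.113.99 receives replies without ever having sent a request.
SAMPLE_FLOWS = """\
203.0.113.7 40001 192.0.2.10 427 udp 64
192.0.2.10 427 203.0.113.7 40001 udp 2048
203.0.113.7 40002 192.0.2.10 427 udp 64
192.0.2.10 427 203.0.113.7 40002 udp 2048
198.51.100.5 50000 192.0.2.10 427 udp 120
192.0.2.10 427 198.51.100.5 50000 udp 300
192.0.2.10 427 203.0.113.99 40003 udp 2048
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, sport, dst, dport, proto, nbytes = line.split()
        flows.append(Flow(src, int(sport), dst, int(dport), proto.lower(), int(nbytes)))
    return flows


def amplification_by_peer(flows, reflector, port=SLP_PORT):
    """Per remote peer: bytes the reflector sent from `port` divided by bytes
    it received on `port`. Infinity means replies with no request at all."""
    bytes_in = defaultdict(int)
    bytes_out = defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst == reflector and f.dport == port:
            bytes_in[f.src] += f.nbytes
        elif f.src == reflector and f.sport == port:
            bytes_out[f.dst] += f.nbytes
    ratios = {}
    for peer in set(bytes_in) | set(bytes_out):
        i, o = bytes_in[peer], bytes_out[peer]
        ratios[peer] = (o / i) if i else float("inf")
    return ratios


def suspected_victims(flows, reflector, port=SLP_PORT,
                      threshold=AMPLIFICATION_THRESHOLD):
    """Peers that receive far more than they send are likely spoofed victims,
    i.e. this host is being abused as a reflector against them."""
    ratios = amplification_by_peer(flows, reflector, port)
    return sorted(p for p, r in ratios.items() if r >= threshold)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for peer, ratio in sorted(amplification_by_peer(flows, "192.0.2.10").items()):
        print(f"{peer:15} out/in = {ratio:.1f}")
    print("suspected victims:", suspected_victims(flows, "192.0.2.10"))
```

A peer flagged this way is the party being flooded, so the useful response on the reflector side is to rate-limit or disable the service on untrusted interfaces, as CISA recommends, rather than to block the "source".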

Mitigation Measures

In response to the real-world exploits of this vulnerability, federal agencies are mandated to implement mitigations promptly. CISA has set a deadline of November 29, 2023, for federal agencies to secure their networks by applying necessary measures. The recommended mitigations include disabling the SLP service on systems operating in untrusted network environments.

Unfortunately, there is no dedicated solution that stops the exploitation without sacrificing any functionality. However, modern security software can make exploitation much harder, if not entirely impossible.

  • EDR/XDR
    Think of EDR as your vigilant guardian, keeping a watchful eye on endpoint activities. It’s the first line of defense, swiftly responding to any suspicious behavior to thwart potential ransomware threats. XDR extends its vigilant reach beyond endpoints. It’s like having a superhero with enhanced senses, covering a broader spectrum of detection and response capabilities against evolving cyber threats.
  • SIEM/SOAR
    SIEM aggregates and organizes security event logs, providing you with a comprehensive overview of your cybersecurity landscape. It’s the strategic hub for informed decision-making. SOAR steps in to automate incident responses, ensuring swift and precise actions in the face of emerging threats. It’s the sidekick that streamlines your defense mechanisms.
  • Back up your data and store those backups offline or on a separate network for added protection. Backups are the kryptonite of ransomware attacks, as attackers can do nothing if you simply recover everything.
  • Stay informed by reading the news and studying current material on cybersecurity and related topics. It is not just a habit but a proactive approach to staying ahead in the ever-evolving world of digital security.

Wise Remote Trojan: Infostealer, RAT, DDoS Bot, and Ransomware
https://gridinsoft.com/blogs/wise-remote-trojan-infostealer-rat-ddos-bot-and-ransomware/
Mon, 10 Jul 2023 18:30:46 +0000
Wise Remote Stealer is a potent and malicious software that operates as an infostealer, Remote Access Trojan (RAT), DDoS bot, and ransomware. It has gained notoriety within the cybersecurity community due to its extensive range of capabilities and the threat it poses to individuals and organizations.

Unveiling the Wise Remote Stealer

Revelations from cybersecurity experts have shed light on a concerning development in the underbelly of the internet: a burgeoning menace known as “Wise Remote”. This pernicious malware, operating as a Malware-as-a-Service (MaaS), has emerged as a highly adaptable and insidious tool. Its capabilities encompass remote access, DDoS botnet recruitment, data theft, and even extortion, raising the alarm for organizations and individuals alike.

The Stealthy Proliferation of Wise Remote Stealer

Wise Remote Stealer on the cracked[.]io forum

Since its initial appearance in early June, Wise Remote Stealer has been making waves across hacker forums such as HF and cracked-io. Its shadowy creators tirelessly refine and enhance their creation, showcasing its malevolence on platforms like Discord and Telegram. Disturbingly, these demonstrations have ensnared and impacted the lives of over a thousand unsuspecting victims, cementing its reputation as a significant threat.

Engineered using a combination of programming languages, including Go, C++, C#, and Python, Wise Remote primarily targets Windows systems—versions 8/10, and 11—in its crosshairs. Its developers exhibit an astute ability to elude conventional antivirus measures, employing various evasion techniques. To further cloak their operations, all communication with the command-and-control (C2) server, stationed in the secure confines of Switzerland, remains encrypted, ensuring anonymity.

The Tactical Ingenuity of Wise Remote

Wise Remote operates with calculated precision, showcasing a level of sophistication that sets it apart from other malicious tools. Through cloud-based module imports and strategic data storage within the victim’s disk, it carefully conceals its activities. Once the sensitive information has been exfiltrated, the malware meticulously erases all traces, leaving behind no digital footprints.

Subscribers to this nefarious service gain access to a comprehensive builder, allowing for customization and fine-tuning of the malware’s appearance and behavior. Remarkably, the resulting payloads rarely exceed 100 kilobytes, facilitating rapid dissemination and maximizing its reach.

The existing capabilities of Wise Remote Stealer are indeed alarming:

  • Systematic collection of extensive system information, providing cybercriminals with a wealth of valuable data.
  • Creation of a potent reverse shell, granting complete remote access and control over the compromised system.
  • Facilitation of additional malicious file downloads and executions, enabling expansion of the attack surface.
  • Extraction of critical data from web browsers, encompassing saved passwords, cookies, banking credentials, bookmarks, browsing history, and installed extensions, resulting in a treasure trove of personal information.
  • Theft of funds from unsuspecting victims’ cryptocurrency wallets, inflicting significant financial damage.
  • Seamless covert operation, opening and interacting with websites undetected, masquerading as legitimate user activity.
  • Stealthy capture of screenshots, potentially compromising sensitive and confidential information.
  • Utilization of the AppData folder as a discreet repository for surreptitiously uploaded files.
  • Empowerment of attackers to customize and tailor malicious agents and modules to suit specific targets and preferred attack vectors.
  • Camouflaging its tracks by manipulating system logs, erasing any trace of malicious activities, evading detection.

The Command Hub of Wise Remote

Serving as the central command hub, Wise Remote boasts a potent control panel that bestows unprecedented oversight and control over a vast network of up to 10,000 infected machines. With a single command, the operator can unleash devastating DDoS attacks or orchestrate a range of malicious activities, amplifying the disruptive potential of this malware.

Russian Hacker Project DDoSIA Grew by Multiple Times
https://gridinsoft.com/blogs/russian-hacker-project-ddosia/
Tue, 04 Jul 2023 14:21:11 +0000
Analysts of the Sekoia company reported that the Russian DDoSia hacker project grew by 2400% in less than a year. That project pays volunteers to participate in attacks on Western organizations. More than 10,000 people are currently involved in the attacks.

DDoS-for-hire services have become particularly popular over the last few years. We recently did a review of the most popular ones. And if you are interested in records, Cloudflare recorded the most powerful DDoS attack in the history of observations.

What is the DDoSIA project?

The DDoSIA project appeared back in fall 2022. At that time the Radware company announced that the project had been launched in August 2022 by the group NoName057(16). The latter, however, appeared only in March 2023 as a pro-Russian hacker group. They created the DDoSia project in Telegram, where the operators posted a link to GitHub with instructions for potential “volunteers”.

These “volunteers” were offered to register via Telegram to receive a ZIP archive with the malware (dosia.exe). The archive contains a unique ID for each user. The most interesting feature of the project was that participants could link their ID with a cryptocurrency wallet and receive money for participating in DDoS attacks, with payment proportional to the capacity the particular participant provided.

As Sekoia experts now say, the DDoSia platform has grown significantly over the past year and has about 10,000 active participants who contribute to DDoS attacks. At the same time, more than 45,000 people have subscribed to the hackers’ main Telegram channels (all seven of them). In addition, the platform has improved its toolkit and now provides binaries for all major operating systems.

How does it work?

Registration of new users is fully automated through a Telegram bot, which supports only the Russian language. New participants start by providing a TON (Telegram Open Network) wallet address to receive cryptocurrency, and in response the bot creates a unique client ID and provides a help text file.

Next, new participants receive a ZIP-archive containing a tool for attacks. As of April 19, 2023, the archive included the following files:

  1. d_linux_amd64 — ELF 64-bit LSB executable, x86-64;
  2. d_linux_arm — ELF 32-bit LSB executable, ARM;
  3. d_mac_amd64 — Mach-O 64-bit x86-64 executable;
  4. d_mac_arm64 — Mach-O 64-bit arm64 executable;
  5. d_windows_amd64.exe — PE32+ (console) x86-64 executable for Microsoft Windows;
  6. d_windows_arm64.exe — PE32+ (console) Aarch64 executable for Microsoft Windows.

To run these payloads, the text file with the client ID must be placed in the same folder as the payloads themselves, which makes it harder for IT experts and other «outsiders» to execute the files without authorization.

Internal mechanism of the DDoSIA project

After that, the DDoSia client opens a command-line prompt where participants receive a list of targets in encrypted form and can pick a specific target to attack. Experts studied the 64-bit Windows executable and found that it is a binary written in Go that uses AES-GCM encryption to communicate with the control server. The C&C server transmits the DDoSia target ID, host IP address, request type, port and other attack parameters to the client in encrypted form, and all of this is then decrypted locally.

DDoSIA attack code

DDoSIA Massively Attacks Lithuania, Ukraine and Poland

Sekoia researchers collected data about DDoSia targets that the server controlling the attacks communicated in the period from May 8 to June 26, 2023. Mostly, the group and its «volunteers» attacked organizations from Lithuania, Ukraine and Poland, which accounted for 39% of the project’s total activity.

Chart of countries attacked by DDoSIA

Analysts noted that DDoSia attacked a total of 486 different sites. In May and June, the crooks focused on attacks on educational platforms, possibly to disrupt end-of-school exams. In summary, the DDoSia project has already reached a size large enough to create serious problems for its targets. Who knows what will happen when it grows even more?

Condi Malware Builds a Botnet from TP-Link Routers
https://gridinsoft.com/blogs/condi-malware-builds-a-botnet/
Fri, 23 Jun 2023 10:18:20 +0000
In May 2023, a new Condi malware, focused on DDoS for hire, appeared. It builds a botnet and conducts attacks using vulnerabilities in TP-Link Archer AX21 (AX1800) Wi-Fi routers. Fortinet experts report that the Condi malware targets the CVE-2023-1389 vulnerability associated with command injection without authentication. The bug allows remote code execution via the router management interface API.

Condi Botnet Resides In TP-Link Routers

This problem was discovered at the Pwn2Own hacker competition last December, and in March 2023, TP-Link developers released a firmware update to version 1.1.4 Build 20230219, where the bug was fixed. It is worth noting that the Mirai botnet had already exploited this vulnerability at the end of April.

Let me also remind you that we wrote that Mirai Botnet RapperBot Conducts DDoS Attacks on Game Servers, and also that New MDBotnet Malware Rapidly Expands a DDoS Network. The AX1800 is a popular 1.8Gbps (2.4GHz and 5GHz) Linux-based Wi-Fi 6 router model, most commonly used by home users, small offices, shops, cafes and so on. The researchers’ report notes that the attackers behind Condi not only rent out the power of their botnet but also sell the source code of their malware. That is, they are engaged in very aggressive monetization, which will result in the emergence of numerous forks of the malware with various functions.

Condi’s darknet website, which offers a wide range of services

What is Condi Malware?

Since the mentioned vulnerability is not used exclusively by Condi, the malware has a mechanism that kills any processes belonging to competing botnets, as well as its own older versions. Originally, Condi has no persistence mechanism and does not survive a device reboot. To work around this, its authors came up with the idea of deleting the following files. Without them, the device simply cannot shut down or restart:

  1. /usr/sbin/reboot
  2. /usr/bin/reboot
  3. /usr/sbin/shutdown
  4. /usr/bin/shutdown
  5. /usr/sbin/poweroff
  6. /usr/bin/poweroff
  7. /usr/sbin/halt
  8. /usr/bin/halt

To infect vulnerable routers, the malware scans public IP addresses with open ports 80 or 8080 and sends hard-coded requests to download and execute a remote shell script that infects the device.

Code of the mentioned malicious script

The researchers also mention that some Condi samples use not only CVE-2023-1389 to spread but also other bugs, which suggests that the hackers are experimenting with the infection mechanism. In addition, analysts found samples that use a shell script with ADB (Android Debug Bridge), which means the malware also seems to spread through devices with an open ADB port (TCP/5555). This is presumably a consequence of other hackers having already bought the Condi source code and adjusted it to their needs.

How DDoS Can Badly Hurt Your Business
https://gridinsoft.com/blogs/how-ddos-can-hurt-your-business/
Wed, 22 Feb 2023 09:29:59 +0000
Everyone at least once faced the fact that they cannot go to the desired site or use some service. This is often because companies’ websites have become victims of DDoS attacks. It is even worse when you own a business, and your customers cannot reach you because of the attack. But first, let’s understand what kind of attacks these are.

What are DDoS attacks?

DDoS, or Distributed Denial of Service, is a network attack aimed at overwhelming a server’s bandwidth by sending it more requests than it can handle. During such an attack, a large number of network requests are sent automatically, i.e. by bots. Because of this, ordinary users cannot use the services provided by the server. Many methods for such attacks exist, as well as a wide variety of ways to make certain machines send these requests.

The first DDoS attack in history that was made public happened in 1996. At that time the Panix company (to this day one of the oldest companies providing Internet services) was attacked and did not function for several days due to a SYN flood (a type of denial-of-service attack, now considered a classic DDoS method).

The largest DDoS attack occurred in 2017. At that time a team of Google engineers recorded a record UDP amplification attack from several Chinese ISPs. This attack lasted more than six months and its speed reached 2.5 Tbit/s (the previous record was 623 Gbps). The state-sponsored high-throughput attack was carried out by Chinese hackers and involved 167 Mpps (millions of packets per second) on 180,000 exposed servers, all of which then sent a large number of responses to Google. Interestingly enough, Google released data about this attack only three years later, in 2020.

Scheme of a DDoS attack

Why do DDoS attacks get more popular?

Every year, the number of different services on the Internet grows, which increases competition. And since DDoS attacks are a cheap and effective way to fight competitors, less-than-honest actors use them for mischief. It is expected that in 2023 the number of attacks will increase by 300%. Every minute of downtime can cost companies thousands of dollars, and restarting a process can cost more than $100,000. There were even cases when attacks became fatal for a business and ended up in restructuring.

However, attacks between competing businesses are not the most widespread case. A great number of such attacks are caused by political conflicts, elections, etc. Sometimes people unintentionally overload certain sites, like an election results page, which is down most of the time because of the crowd trying to access it. Politically motivated attacks spiked after the start of the Russian-Ukrainian war in 2022, and continue to happen from time to time even after almost a year.

Examples of large DDoS attacks

There have been many attacks over the past year, but we’ll take a look at some of the biggest and ones that started some new trends.

2022 became notable for a huge rise in attacks on gaming companies. Reportedly, they increased by 405% year over year. In September, Activision Blizzard admitted that it faced a DDoS attack. Their servers were down for about 4 hours. During this time, players around the world experienced issues playing games including Call of Duty, World of Warcraft, and Overwatch.

As we mentioned above, attacks are sometimes politically motivated, so last year the pro-Russian Killnet group attacked about 200 sites in Estonia, including the ESTO AS payment system. Lithuania has also suffered from pro-Russian attacks, including one on the Ignitis Group energy company.

2023 is not a DDoS-clean year either. In January 2023, Danish banks were hit by DDoS attacks, among them were the country’s three largest banks, Jyske Bank, Sydbank, and Arbejdernes Landsbank. On the morning of January 10, Arbejdernes Landsbank announced this on its Facebook page. Users of these banks did not have access to the website for several hours, and this incident affected a very large number of users.

At this point you can assume that no one is immune to DDoS attacks. All you can do is be prepared for them. Creating a DDoS response plan and ensuring a high level of network security, constant traffic monitoring, and regular penetration testing will raise the chance of successfully repelling an attack by orders of magnitude.

Services for DDoS protection

The good news is that many hosting companies today have started offering DDoS protection, which can help protect websites from this type of attack. This protection works by carefully filtering website traffic so that dangerous requests don’t get through and safe requests get through without significant delays. Some hosting companies also offer to notify website owners of an attempted DDoS attack so that they have detailed records of when the attack was attempted, its size, and other important information. Some of these services offer a free trial period of several months, which is usually enough to fend off an attack and evaluate all the features.

Popular DDoS Defense Solutions include:

Apparently, the current scale of DDoS attacks will get even worse in the following years. Fortunately, the ways of counteraction are unified regardless of their motive. Hence, you can choose the one more convenient to you, and prevent your business from struggling.

Goose Goose Duck Game Servers Are DDoS-Attacked Every Day https://gridinsoft.com/blogs/goose-goose-duck/ Thu, 19 Jan 2023 09:51:27 +0000

The free social detective Goose Goose Duck, which recently broke the Among Us record for the number of users simultaneously in the game, is constantly under DDoS attacks.

The developers said they have already engaged third-party cybersecurity specialists to help them deal with this problem.

Let me remind you that we also wrote that Mirai Botnet RapperBot Conducts DDoS Attacks on Game Servers, and also that the Russian DDOSIA Project Pays Volunteers to Participate in DDOS Attacks on Western Companies.

The specialized media also reported that A 2.5 TB/sec DDoS Attack Detected Targeting a Minecraft Server.

Although Goose Goose Duck, created by Gaggle Studios, was released back in October 2021, for a long time users hardly noticed it. Only at the end of 2022 did the game suddenly become a real hit, repeating and surpassing the success of Among Us, of which it is, in fact, a free clone.

According to SteamDB, the peak concurrent player count for Among Us in 2020 was 447,476, while Goose Goose Duck in early January 2023 set a record of 702,845 users simultaneously in the game, which makes it one of the most popular games on Steam.

However, the developers of the game write that over the past two months, Goose Goose Duck servers have been constantly subjected to DDoS attacks, and this has become a big problem. Because of the attacks, failures and outages of the game services began to occur regularly.

On December 14, we [for the first time] publicly announced that we had been subjected to a DDoS attack. The attacks took place before and after that day. We’ve been under attack for two months now, but we didn’t want to mention it so as not to disturb the players. We thought that perhaps the attackers would stop if we just continued to provide good service to the players. But they didn’t stop. Who is attacking us? We have a number of theories, but it would be irresponsible to talk about them publicly. Any sustained attack on a target is expensive, so attackers have a lot of resources at their disposal. There is also a high probability that these are several different groups of attackers at once, the developers say.

The creators of Goose Goose Duck say that in the end they were forced to hire third-party information security specialists, who are now helping the company cope with the constant attacks and stabilize the operation of the game servers.

Who exactly was involved in solving this problem, and what measures the hired specialists proposed to the developers, has not yet been reported, since the company “does not want to disclose the strategy” and give additional information to the DDoSers.

Mirai Botnet RapperBot Conducts DDoS Attacks on Game Servers https://gridinsoft.com/blogs/mirai-botnet-rapperbot/ Fri, 18 Nov 2022 10:11:05 +0000

The researchers warned that the RapperBot Mirai botnet has resumed activity, and now the updated malware is used for DDoS attacks on game servers, although the exact goals of the botnet are unknown.

Let me remind you that we also wrote that Google revealed the most powerful DDoS attack in history, and also that MooBot Botnet Attacks D-Link Routers.

RapperBot malware was first discovered by Fortinet analysts in August last year. At the time it was reported that RapperBot had been active since May 2021, uses SSH brute force, and spreads to Linux servers.

RapperBot campaigns (image)

The new version of the malware that researchers have now discovered uses a self-propagation mechanism via Telnet, which is more similar to the original Mirai that underlies this malware. In addition, the goals of the RapperBot operators have become more obvious in the current campaign: in the new version, the malware is clearly adapted for attacks on game servers.

Experts were able to study the new version of RapperBot using C&C communications artifacts collected during previous campaigns (that is, this aspect of the botnet’s operation has not changed). It turned out that the new version has several differences, including support for Telnet brute force, controlled via the following C&C commands:

  1. registration (used by the client);
  2. keep-alive (do nothing);
  3. stop DDoS and shut down the client;
  4. carry out a DDoS attack;
  5. leave all DDoS attacks;
  6. restart Telnet brute force;
  7. stop Telnet brute force.

Now the malware tries to brute force new devices using weak credentials from a hard-coded list, whereas previously such a list was loaded from the control server.

If the credentials are successfully guessed, the malware reports this to the cybercriminals’ control server via port 5123, and then tries to obtain and install a payload binary suitable for the architecture of the attacked device. The currently supported architectures are ARM, MIPS, PowerPC, SH4, and SPARC.

In addition, RapperBot’s functionality has been extended with an extensive set of commands for DDoS attacks, including:

  1. UDP flood;
  2. TCP SYN flood;
  3. TCP ACK flood;
  4. TCP STOMP flood;
  5. UDP SA:MP (targets Grand Theft Auto: San Andreas game servers);
  6. GRE Ethernet flood;
  7. GRE IP flood;
  8. TCP flood.

Since the malware uses the Generic Routing Encapsulation (GRE) tunneling protocol and UDP, the researchers say that Grand Theft Auto: San Andreas Multi Player (SA:MP) servers are clearly one of the targets of the attackers.

Fortinet experts believe that all RapperBot campaigns were most likely organized by the same operators, since the new malware variants are clearly created by people who have access to the malware source code. Moreover, the C&C communications protocol and the credential lists used remain unchanged.

KmsdBot malware combines DDoS-attacks and coin mining https://gridinsoft.com/blogs/kmsdbot-malware-ddos-coin-mining/ Mon, 14 Nov 2022 19:04:32 +0000

A new malware, called KmsdBot, strikes user devices. The Akamai SIRT has discovered a new malware that uses the SSH (Secure Shell) protocol to infiltrate target systems in order to mine cryptocurrency and carry out DDoS attacks. It spreads disguised as a bot for popular games, in particular, GTA V. The combined threat raises malware analysts’ concerns about the possible massive spreading of such malware.

KmsdBot strikes using security weaknesses

The experts called the malware KmsdBot. It is written in Go and is aimed at various companies, from gaming to automotive brands and security firms. Go is gaining popularity among malware developers because binaries written in it are relatively hard to reverse engineer. The botnet infects systems via SSH connections using “weak” login credentials. KmsdBot does not establish persistence on the infected system, which helps it avoid detection.

The malware gets its name from the “kmsd.exe” executable, which is downloaded from a remote server after a successful compromise. It is also designed to support multiple architectures: Winx86, Arm64, mips64 and x86_64. KmsdBot can perform scanning and self-propagation by downloading a list of username/password combinations. The botnet is also able to control mining processes and malware updates; all of this is controlled through communication with the C2 server.

Command for KmsdBot to attack the target server, sent from the C2 (image)

According to Akamai, the first detected target of KmsdBot was the gaming company FiveM, a multiplayer mod for GTA V that allows players to access custom role-playing servers. The botnet’s DDoS attacks include OSI Layer 4 and Layer 7 attacks, in which a flood of TCP, UDP, or HTTP GET requests is sent to overwhelm the target server’s resources and bring it into a denial-of-service state. It is noteworthy that KmsdBot began as a bot for a gaming application but turned into a tool for attacking world-known names.

Is KmsdBot dangerous?

Like any other malware, KmsdBot is not a pleasant addition to an infected system. It brings coin mining and DDoS capabilities, which create enough problems with PC usage regardless of the task. Mining means high hardware utilisation, which makes it hard even to use basic apps. DDoS attacks, on the other hand, not only consume a lot of bandwidth but can also lead to the IP address of the infected PC being banned on the attacked sites.

The other danger of this malware is the way it spreads to users’ computers. Aside from the fact that exploitation is not typical for malware aimed at individual users, it also adopted the disguise of a bot for a game, GTA V. Gamers are not known as the most careful users, as they are the usual audience for cracks, patches, and automation tools like bots. Since GTA V is not the only game where bot usage is profitable, a surge in KmsdBot’s spread in the coming weeks would be no surprise.

Russian DDOSIA Project Pays Volunteers to Participate in DDOS Attacks on Western Companies https://gridinsoft.com/blogs/ddosia-pays-volunteers/ Mon, 17 Oct 2022 08:41:57 +0000

Radware experts discovered the DDOSIA crowdsourcing DDoS project, in which a Russian-speaking hack group pays volunteers for participation in attacks on Western organizations.

Let me remind you that we also wrote that Ukraine Was Hit by DDoS Attacks from Hacked WordPress Sites, and also that Fake DDoS App Targets Pro-Ukrainian Hacktivists.

The researchers note that DDoS attacks have long been a powerful weapon in the hands of hacktivists from various countries, because such attacks are easy to organize and carry out, and the damage caused by interruptions to the work of companies and organizations can lead to both financial losses and more serious consequences.

However, usually volunteers involved in DDoS attacks are not rewarded for their “work”, so the discovery of a DDOSIA project is a rather unusual event.

According to Radware, the project was launched in August 2022 by the NoName057(16) group, which appeared in March this year.

This hack group was first mentioned in a September report by Avast, which described a module for DDoS attacks loaded by the Bobik remote access trojan (this malware has been known since 2020 and is distributed by the RedLine stealer). Avast experts observed NoName057(16) for three months, from June to September of this year, and came to the conclusion that the group is carrying out DDoS attacks against Ukrainian organizations, although only about 40% of them are successful.

As Radware analysts now say, relatively recently, the group launched the DDOSIA project on Telegram, where operators posted a link to GitHub with instructions for potential “volunteers”. To date, the group’s main Telegram channel has more than 13,000 subscribers.

Sometimes DDOSIA participants attack the same targets chosen by the pro-Russian hack group KillNet, the researchers say. In particular, they took part in a recent large-scale DDoS attack on major airports in the United States.

DDOSIA pays volunteers

DDOSIA volunteers register via Telegram to receive a ZIP archive with the malware (dosia.exe), which contains a unique ID for each user. The most interesting feature of this project is that participants can link their ID to a cryptocurrency wallet and receive money for participating in DDoS attacks. Moreover, payment is proportional to the capacity provided by a particular participant.

Distribution of “prizes” (image)

The best participants in each wave of attacks receive: 80,000 rubles (approximately $1,255) for first place, 50,000 rubles (approximately $785) for second place, and 20,000 rubles (approximately $315) for third place. In addition, during the attacks on American airports, DDOSIA operators announced that they would distribute additional payments among the Top 10 participants.

Experts summarize that DDOSIA currently has about 400 members and remains a semi-closed invite-only group that regularly attacks more than 60 military and educational organizations.

At the same time, Radware expresses concern that the financial incentive will allow NoName057(16) to attract a lot of volunteers to DDoS attacks, and may set a trend for other DDoS groups.
