DDoS attacks Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/ddos-attacks/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Thu, 08 Feb 2024 00:26:13 +0000

Mirai variant “Pandora” infects Android TV for DDoS attacks.
https://gridinsoft.com/blogs/mirai-pandora-infects-android-os/
Sat, 09 Sep 2023 12:07:20 +0000

The post Mirai variant “Pandora” infects Android TV for DDoS attacks. appeared first on Gridinsoft Blog.

A new variant of the Mirai malware botnet has been detected infecting low-cost Android TV set-top boxes, which are extensively used for media streaming by millions of people. According to the analysts, the Trojan is a fresh edition of the ‘Pandora’ backdoor initially identified in 2015.

The campaign targets low-cost Android TV boxes such as Tanix TX6, MX10 Pro 6K, and H96 MAX X3. These devices have quad-core processors that can launch powerful DDoS attacks, even in small swarm sizes.

Mirai Botnet Targets Android-based TV Boxes

Mirai can infect devices via malicious firmware updates signed with publicly available test keys, or via malicious apps distributed on domains that target users interested in pirated content. In the first case, the firmware updates are either installed by resellers of the devices, or users are tricked into downloading them from websites that promise unrestricted media streaming or better application compatibility.

The ‘boot.img’ file contains the kernel and ramdisk components loaded during Android boot-up, which makes it an excellent persistence mechanism for the malicious service.

Image: Malicious service

The second distribution channel involves pirated-content apps, which offer access to collections of copyrighted TV shows and movies for free or at a low cost. Security experts have identified Android apps that spread the new Mirai variant. Here is an example:

Image: Site dropping malware

In this case, the malicious apps surreptitiously start the ‘GoMediaService’ during the initial launch and set it to auto-start when the device boots up.

When the ‘gomediad.so’ service is called, it unpacks multiple files, including a command-line interpreter that runs with elevated privileges (‘Tool.AppProcessShell.1’) and an installer for the Pandora backdoor (‘.tmp.sh’).

Image: GoMedia service structure

Once activated, the backdoor establishes communication with the C2 server and replaces the HOSTS file. It then updates itself and enters standby mode, waiting for instructions from its operators. The malware can launch DDoS attacks using the TCP and UDP protocols, generating SYN, ICMP, and DNS flood requests. It can also open a reverse shell, mount system partitions for modification, and perform other functions.

Image: IoC Mirai Botnet

What devices are at risk?

Budget-friendly Android TV boxes often have an uncertain journey from manufacturer to consumer. This leaves the end user unaware of their origin, potential firmware modifications, and the various hands they have passed through.

Even cautious consumers who retain the original ROM and are selective about app installations face a lingering risk of preloaded malware on their devices. It is advisable to opt for streaming devices from trusted brands like Google Chromecast, Apple TV, NVIDIA Shield, Amazon Fire TV, and Roku Stick.

Safety recommendations

For Android TV users, installing apps only from the official app store is advisable. It is also essential to pay attention to the permissions an app requests: if an app asks for access to your phonebook and geolocation, it is best to avoid using it, as it could be malware. Additionally, it is crucial not to download or install any hacked apps, as their contents are often infected with malware of some kind.

DDoS-For-Hire Services Used by Hacktivists in 2023
https://gridinsoft.com/blogs/ddos-for-hire-used-by-hacktivists/
Thu, 01 Jun 2023 11:17:50 +0000

Most people think you must be a hacker to participate in cyberattacks. However, as the last year has shown, downloading specific software or paying money is sometimes enough. Moreover, with the advent of DDoS-for-hire, you don’t even need a PC to carry out cyberattacks, since remote, purpose-built servers are used for this purpose. But why are DDoS attacks so popular?

What is a DDoS Attack?

In short, DDoS attacks are malicious attempts to disrupt the normal functioning of a network, service, or website by overwhelming it with a flood of traffic from multiple sources. A DDoS attack aims to exhaust the target’s resources, such as bandwidth, processing power, or memory, rendering it inaccessible to legitimate users. In a DDoS attack, the attacker typically controls a network of compromised computers called a botnet. These compromised machines, often infected with malware, are used to launch coordinated attacks on the target. The attacker commands the botnet to send a massive volume of traffic to the target, overwhelming its capacity to handle requests and causing it to slow down or crash. Why are such attacks so popular? First of all, it doesn’t take much: a DDoS attack can be launched by anyone with a computer and an Internet connection. Secondly, in the case of a botnet, the victims’ devices participate in attacks without their owners even being aware of it.

Hacktivism and DDoS Attacks

The reason for the recent rise in DDoS attacks and, particularly, DDoS-for-hire services is hacktivist activity. Hacktivism has evolved from loosely structured groups into a more mature ecosystem with diverse motivations and sources. It received a massive boost particularly after the beginning of the Russia-Ukrainian war. As a result, hacktivist groups have become more organized and conduct military-like operations with precise positioning and clear objectives. Although hacktivists have different tools at their disposal, as practice has shown, they often use DDoS.

In general, the topic of DDoS is very popular among hacktivists, and for good reason. In most cases, to take part in a DDoS attack, you have to type a couple of commands into a terminal or download and run a utility. The application does the rest, and the user only needs to provide the resources of their device. However, DDoS-for-hire services, which provide massive power for some money and require neither your machine’s resources nor the installation of anything in return, are becoming increasingly popular. In other words, the user pays money to the service and gives the address of the server/site to be attacked. As a result, the service does everything without the user’s intervention. Next, we will examine the most popular DDoS services among hacktivists over the last year.

DDoS-for-hire tools and services used during 2023

DDoS-for-hire, also known as DDoS booter or stresser services, refers to renting or purchasing DDoS attack services from cybercriminals. These services allow individuals or organizations to launch powerful Distributed Denial of Service (DDoS) attacks against targeted websites or online services. They typically utilize botnets, networks of compromised computers, to generate attack traffic and overwhelm the target’s resources. Here are the DDoS tools and DDoS-for-hire services used by attackers and hacktivist groups in 2023 for their malicious campaigns against governments and individuals.

Stressbot.io DDoS Panel

Stressbot is a website that offers DDoS-for-hire services starting from $30 per month. It is operated by Aleksey Chekaldin, who also runs a Telegram channel promoting the service. The DDoS attack methods offered include layer 4 and layer 7 attacks. Researchers have found evidence of the pro-Pakistani hacktivist group Team_insane_pk using Stressbot to target India and Israel. The group is allegedly led by ‘xxINSANExx’ and shares a link to a status-check website as proof of compromise.

Ziyaettin DDoS Botnet

Ziyaettin is a Telegram-based DDoS bot service that offers various attack methods, including layer 4 and 7 attacks. Its owner operates a public Telegram channel with over 1,500 subscribers. They recently launched a browser plugin for easy attacks with a 20-30K RPS capability. The service has been endorsed by hacktivist groups in Telegram channels.

Image: The Ziyaettin Telegram Channel reports an update to the DDoS Bot

Tesla Botnet

A DDoS botnet, Tesla, has been active since April 28, 2023, with services starting at USD 50 per month. The pro-Russian threat actor (TA) Radis operates the Telegram channel promoting the tool and two other channels for buyers to post reviews. They specialize in DDoS attacks on onion websites with a private method called ‘TOR-KILLER’. Tesla Bot also offers other DDoS attack methods, such as MACAN-TLS, HTTP-FLOOD, and SMYKL-FLOOD. The TA recently launched a browser plugin feature and has targeted United States Department of Defense websites, a Russian financial services provider, and the Central Intelligence Agency.

RedStress.io DDoS Panel

RedStress is a web-based IP stresser service that allows users to launch anonymous DDoS attacks on a target server/website/IP. The service is operated by the threat actor Mercado and offers three pricing packages, starting from USD 35 per month. They claim to have 40 dedicated servers to support their methods. In addition to paid subscriptions, RedStress also offers a free method called ‘HTTP-Killer’ for threat actors to target small home networks or unsecured websites. The service has attracted over 21,000 registered users and launched over 1.2 million attacks. The DDoS attack methods include amplification attacks, layer 4 and 7 attacks, bypass, and private methods. The operators of RedStress have previously targeted game streaming services and cryptocurrency websites to demonstrate their capabilities.

Neferian Empire DDoS Botnet

Neferian Empire offers a command line-based DDoS tool that claims to bypass the DDoS protection services provided by top companies. The tool can launch 50 million requests per second for a Layer 7 attack and up to 1.2 terabytes per second for a Layer 4 attack. The group markets this tool on its Telegram channel alongside other malicious tools. To promote the tool, the group has shown live attacks on high-value organizations, including Interpol and the US Department of Defense.

Image: A post in the Telegram channel about an attack on LinkedIn

SkyElite-Net DDoS

A DDoS bot called SkyElite-Net was launched on May 8, 2023, by the TA skyzz. They have two Telegram channels, one for private DDoS methods and services and the other for posting reviews. On May 22, they launched a new method called ‘Sky-Bypass’ that claims to bypass OVH and Cloudflare DDoS protection. The TA skyzz746 is also a member of the Khalifah cyber community.

Artemis C2 DDoS Botnet

Artemis C2 is a DDoS botnet, operating since May 1, 2023, with services starting at USD 15 per month. It specializes in launching DDoS attacks on Rainbow Six Siege and Minecraft servers. The botnet is maintained by cryptopsycho and ritz, who promote it on a Telegram channel with 141 subscribers. They plan to launch a Discord server, an Onion website, and a store on Sellix. Artemis offers amplification, layer 4, layer 7, and private DDoS attack methods. Team_insane_pk, a pro-Pakistani hacktivist group, has promoted Artemis for their DDoS campaigns targeting India. Still, sources suggest no links with the developer.

DDosia Project

NoName057(16) created DDosia, which uses Windows bots to perform DDoS attacks on those who support Ukraine. Volunteers download the bot and register a cryptocurrency wallet for later monetary rewards. The bot then registers with the group’s command-and-control infrastructure and launches attacks on specified targets. The group also targets adversaries with Android devices and has two Telegram channels with thousands of subscribers.

Image: ‘NoName057(16)’ brags about attacking the Italian military Carabinieri website

DDoS Protection Recommendations

To prevent and minimize the impact of DDoS attacks, it’s essential to have a business continuity and disaster recovery plan ready. In addition, you should analyze your network’s daily traffic, monitor network activities and logs, and preserve attack logs. Also, employ multiple defense strategies, deploy appropriate DDoS prevention systems, scan for vulnerabilities, and patch them. Maintain contact with ISPs and vendors, implement filtering and bogon blocking, and allocate traffic to unaffected network paths. In case of an attack, block the attack sources, disable non-essential ports/services, and periodically check the integrity of critical application files.

New MDBotnet Malware Rapidly Expands a DDoS Network
https://gridinsoft.com/blogs/mdbotnet-malware-ddos-network/
Tue, 30 May 2023 16:36:47 +0000

MDBotnet is a new malware strain that appears to be the backbone of a botnet used in DDoS-as-a-Service attacks. Being a backdoor biased towards networking commands, it appears to be another sample of Russian malware. Analysts already report IPs related to this botnet being used in DDoS attacks. Let’s see why it is so special and how you can avoid trouble with MDBotnet.

MDBotnet Malware Description

Darknet posts that offer DDoS attack services are nothing unusual. MDBotnet developers published a copy-paste post that promotes their services for just 2,500 rubles (~$31). They promise the ability to attack any kind of web resource, and even offer to test their capacities in short attacks. The DDoS-as-a-Service model is still pretty new, so the hackers likely attract clients by offering low prices, support and refunds. A strange detail, however, is that right below the statement about the price they say that prices for all resources are individual.

Image: Post on one of the Darknet forums that promotes MDBotnet services. It is present on several other resources as well

All negotiations happen in a Telegram channel, which is becoming a new trend. Moreover, the hackers are not selling the malware itself, just the ability to use its botnet. This can make reacting to changes in this threat slightly harder. Fortunately, samples of MDBotnet malware are widely available despite such secrecy.

MDBotnet analysis

The currently circulating samples of MDBotnet do not appear to be protected in any way. Neither encryption nor encoding is applied; the malware does not use any kind of obfuscation or PE section bloating. That, however, may be the outcome of an attempt to deliver the samples with dropper malware; on an already infected system, there’s no need to evade the antivirus program. It could also simply be ignorance of protective measures. Other malware families typically offer a suitable workaround for payload encryption, but I could not find any recommended or used with MDBotnet.

The payload assembly contains 2 sections and 3 modules; the Config section appears immediately after the initial C2 connection, where the malware receives the configuration file. The modules mostly speak for themselves, as they are responsible for the key program functionality: DDoS attacks done with different methods. The malware is capable of performing a SYN Flood attack and an HTTP GET attack. It also carries an updater module that periodically connects to the C2 and requests possible updates. This is an uncommon approach, as most malware has updates initiated from the command server side.

DDoS attack capabilities

I’ve mentioned SYN Flood and HTTP GET attacks as ones MDBotnet can perform. The latter, however, is not very exciting, as there is nothing sophisticated or extraordinarily efficient about this attack. In this mode, the malware simply sends HTTP GET requests to the target server, hoping to jam it. Though a botnet large enough can promptly jam even pretty big sites.

Image: Piece of MDBotnet’s code responsible for HTTP GET attack

The SYN attack, however, has some interesting details. Instead of sending data packets to the target server, the malware in this mode repeatedly requests to establish a TCP connection with the target. During the TCP handshake, the target server responds with a SYN-ACK packet but never receives the ACK packet back from the attacker. That leaves the connection establishment procedure stuck in a half-open state; by sending numerous connection requests, it is possible to seriously disrupt the server’s workflow.
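As an added illustration of the half-open state just described (example code written for this page, not code from the post or from the MDBotnet sample), the following Python counts SYN-RECV sockets in an `ss -tan`-style listing, the server-side symptom a defender would look for; the socket listing, thresholds and function names are constructed for this example.

```python
"""Spot a SYN flood from an `ss -tan`-style socket listing by counting half-open connections."""
from collections import Counter

# Constructed sample of `ss -tan` output for this example (not captured from a real host).
# Columns: State  Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    *:443                *:*
ESTAB      0      0      10.0.0.5:443         198.51.100.7:51234
SYN-RECV   0      0      10.0.0.5:443         203.0.113.10:40001
SYN-RECV   0      0      10.0.0.5:443         203.0.113.10:40002
SYN-RECV   0      0      10.0.0.5:443         203.0.113.10:40003
SYN-RECV   0      0      10.0.0.5:443         203.0.113.11:40010
SYN-RECV   0      0      10.0.0.5:443         203.0.113.11:40011
SYN-RECV   0      0      10.0.0.5:443         203.0.113.12:40020
ESTAB      0      0      10.0.0.5:22          198.51.100.9:55000
SYN-RECV   0      0      10.0.0.5:80          192.0.2.44:41000
"""


def _split_addr(addr):
    """Split 'ip:port' (also '[ipv6]:port' and '*:*') into (ip, port-or-None)."""
    ip, _, port = addr.rpartition(":")
    return ip.strip("[]"), (int(port) if port.isdigit() else None)


def parse_sockets(text):
    """Return one (state, local_ip, local_port, peer_ip, peer_port) tuple per socket line."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":
            continue  # header or malformed line
        local_ip, local_port = _split_addr(fields[3])
        peer_ip, peer_port = _split_addr(fields[4])
        sockets.append((fields[0], local_ip, local_port, peer_ip, peer_port))
    return sockets


def detect_syn_flood(text, max_half_open=5, max_per_peer=3):
    """Summarise half-open (SYN-RECV) sockets and flag a suspected SYN flood.

    A socket sits in SYN-RECV after the server has sent SYN-ACK and is still
    waiting for the client's ACK, exactly the state the attack described above
    leaves the server in. Thresholds are constructed for this example and should
    be tuned to the host's normal baseline.
    """
    sockets = parse_sockets(text)
    half_open = [s for s in sockets if s[0] == "SYN-RECV"]
    established = sum(1 for s in sockets if s[0] == "ESTAB")
    ports = Counter(s[2] for s in half_open)  # which local ports are piling up
    top_peers = Counter(s[3] for s in half_open).most_common(3)
    # Spoofed sources spread the load over many peers, so the per-port total is the
    # primary signal; a single peer with many half-open sockets is a secondary one.
    flagged = len(half_open) >= max_half_open or (
        bool(top_peers) and top_peers[0][1] >= max_per_peer
    )
    return {
        "half_open": len(half_open),
        "established": established,
        "ports": dict(ports),
        "top_peers": top_peers,
        "flagged": flagged,
    }


if __name__ == "__main__":
    print(detect_syn_flood(SAMPLE_SS_OUTPUT))
```

Because flood sources are usually spoofed, the per-port total matters more than any single peer’s count; on Linux, SYN cookies (`net.ipv4.tcp_syncookies=1`) are the standard kernel-level mitigation for exactly this pile-up.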

An interesting detail about the MDBotnet configuration is that the SYN module may be disabled at compile time. This may be a sign that the malware will receive more functions in future, with modules that enable other attack vectors delivered by a command from the C2 server.

Protection Against MDBotnet

The answer to the “how to protect” question depends on the type of threat you are trying to protect yourself from. Avoiding becoming part of the botnet requires a different approach than preventing DDoS attacks. Let’s review them one by one.

Avoid malware sources as much as possible. These days, those are most often software cracks and email spam. While the former is pretty easy to reject, email spam may be tricky, as hackers sometimes do their best to make the email look convincing. Still, they cannot get all the details right at once, so be attentive to email addresses and naming conventions.

Use anti-malware software. Having a proper protective tool will make it much easier to avoid infection. Even if the threat is already running, anti-malware software will clean your system in just a few clicks. However, to make sure that even the most evasive threats do not get away, you should use advanced solutions, like GridinSoft Anti-Malware. It is effective even against the newest threats that feature packing and encryption.


For corporate protection, there is a separate class of solutions. It is quite attractive for botnet masters to add an entire corporate network to their possession. To prevent this from happening, consider choosing an appropriate EDR/XDR solution, depending on the size and extensiveness of your network. Auxiliary solutions that will ease data collection and response orchestration will be a pleasant addition.

Apply network monitoring tools. This advice works both against an active threat within your network and against attacks from outside. Even a simple firewall, when set up properly, can cut off malicious traffic, regardless of where it comes from. Fortunately, the IP addresses of large, currently active botnets are commonly available in dedicated places. NDR solutions, on the other hand, will not only filter out the traffic but also help prevent further issues.

New SLP Vulnerability Allows 2200x DDoS Amplification
https://gridinsoft.com/blogs/new-slp-vulnerability-allows-ddos-amplification/
Tue, 25 Apr 2023 20:20:32 +0000

A recently discovered vulnerability in SLP, a legacy network protocol, can be used to disastrously increase DDoS attack efficiency. As researchers say, exploiting the SLP vulnerability can push the amplification factor of an attack up to 2200 times, an unseen level.

What is SLP?

First of all, let’s clear things up. SLP, or Service Location Protocol, is a legacy protocol that lets devices on a LAN discover and interact with each other. Simply put, it allows all the devices in the network to see how to interact with one another. It was primarily intended to ease the setup of file servers, printers and similar equipment. Devices announced their presence and activity, and accepted commands, via SLP. With time, other means of communicating with such devices appeared, such as UPnP or DNS-SD. Nonetheless, the technology remains in demand, especially in places where old hardware is used.

BitSight researchers, who reported the new vulnerability, found more than 2000 organisations around the world that use this protocol, amounting to ~54,000 instances of SLP usage. Hence, this technology is hard to call “dead” or “unused”, and the possibility of exploiting it in any way may have disastrous consequences.

SLP Vulnerability Causes Unseen DDoS Amplification

DDoS attacks that rely on IoT devices are not a new thing. But using CVE-2023-29552, it is possible to push them to a completely different scale. This vulnerability allows an adversary to register services within a network that uses SLP and send commands to them over UDP. It does not have serious potential for direct intrusion, but these pseudo-services can wreak havoc on networks. The only thing that limits attackers is the maximum number of services supported by the protocol.

DDoS amplification attack

A DDoS amplification attack is pretty simple in its essence. Instead of sending a direct request to the target server, crooks send a tiny request to an intermediary server. The request is chosen specifically to elicit a much bigger response packet. And the key trick is to spoof the request’s source IP and set it to, yes, you guessed it, the target’s IP. With extreme numbers of services in the network ready to respond to requests, it is easy to jam even well-protected targets. Moreover, crooks can boost the response packet size to its limit of 65,000 bytes. Considering that, the amplification factor may reach 2200: 500KB of traffic sent in requests will end up as 1.7GB in responses. For comparison, one of the most massive DDoS attacks, against AWS in 2020, had an amplification factor of 55X.

How to Protect Against This Breach?

Being a pretty popular and widely used type of attack, DDoS has forced the creation of a huge number of countermeasures. They can be implemented on all possible levels, from a specific network design to cloud services that will take the strike for you. However, in this specific case, the defensive strategy should start with securing the SLP vulnerability.

The problem here is that this protocol does not receive updates itself, and the vendors that build products that use SLP are the only party to rely on. Some of those affected by the problem have already released patches. However, there are over 650 products that can use this protocol and can be vulnerable to this flaw. It could take months or even years for all of them to receive security updates. It is possible to mitigate the issue partially by closing UDP port 427, used by SLP, but that causes a lot of inconvenience. If your network uses SLP, a much better option is to contact the software vendors whose products you use. Once they offer a patch, it is recommended to install it as soon as possible.

For that reason, a much better and faster solution is the use of specific network security methods. The most efficient ones against DDoS attacks are firewalls and network detection and response (NDR) solutions. The former restrict any external and unauthorised connections, making it impossible for hackers even to connect to your network. NDRs, on the other hand, act in a more complicated way. They are designed to track and log all network activity, detecting unusual actions and potentially dangerous connections. Such software will not only block the attack attempt but also provide extensive logs about events, giving the security team the ability to adjust their actions in future.

How DDoS Can Badly Hurt Your Business
https://gridinsoft.com/blogs/how-ddos-can-hurt-your-business/
Wed, 22 Feb 2023 09:29:59 +0000

Everyone has at least once been unable to reach a desired site or use some service. This is often because the company’s website has become a victim of a DDoS attack. It is even worse when you own a business and your customers cannot reach you because of the attack. But first, let’s understand what kind of attacks these are.

What are DDoS attacks?

DDoS, or Distributed Denial of Service, is a network attack aimed at overflowing a server’s bandwidth by sending it more requests than it can withstand. During such an attack, a large number of network requests are sent automatically, i.e. by bots. Because of this, ordinary users cannot use the services provided by the server. A lot of methods for such attacks exist, as well as a wide variety of ways to make certain machines send these requests.

The first DDoS attack in history to be made public happened in 1996. The Panix company (to this day one of the oldest companies providing Internet services) was attacked and did not function for several days due to a SYN flood (a type of denial-of-service attack, now considered a classic DDoS method).

The largest DDoS attack occurred in 2017, when a team of Google engineers recorded a record-breaking UDP amplification attack from several Chinese ISPs. This attack lasted more than six months and its speed reached 2.5 Tbit/s (the previous record was 623 Gbps). The state-sponsored high-throughput attack was carried out by Chinese hackers and involved 167 Mpps (millions of packets per second) from 180,000 exposed servers, all of which sent a large number of responses to Google. Interestingly, Google released data about this attack only three years later, in 2020.

Image: Scheme of DDoS attack

Why do DDoS attacks get more popular?

Every year, the number of different services on the Internet grows, which increases competition. And since DDoS attacks are a cheap and effective method of fighting competitors, less-than-honest actors use them for mischief. It is expected that in 2023 the number of attacks will increase by 300%. Every minute of downtime can cost companies thousands of dollars, and restarting a process can cost more than $100,000. There have even been cases when attacks became fatal for a business and ended up in restructuring.

However, attacks between competing businesses are not the most widespread case. A great number of such attacks are caused by political conflicts, elections, etc. Sometimes people unintentionally overload certain sites, like an election results page, which is down most of the time because of folks trying to access it. Politically motivated attacks spiked after the start of the Russia-Ukrainian war in 2022, and continue to happen from time to time even after almost a year.

Examples of large DDoS attacks

There have been many attacks over the past year, but we’ll take a look at some of the biggest and ones that started some new trends.

2022 was notable for a huge rise in attacks on gaming companies. Reportedly, they increased by 405% year over year. In September, Activision Blizzard admitted that it had faced a DDoS attack. Their servers were down for about 4 hours. During this time, players around the world experienced issues playing games including Call of Duty, World of Warcraft, and Overwatch.

As we mentioned above, attacks are sometimes politically motivated: last year the pro-Russian Killnet group attacked about 200 sites in Estonia, including the ESTO AS payment system. Lithuania has also suffered from pro-Russian attacks, including one on the Ignitis Group energy company.

2023 is not a DDoS-free year either. In January 2023, Danish banks were hit by DDoS attacks, among them the country’s three largest banks: Jyske Bank, Sydbank, and Arbejdernes Landsbank. On the morning of January 10, Arbejdernes Landsbank announced this on its Facebook page. Users of these banks did not have access to the websites for several hours, and the incident affected a very large number of users.

At this point you can assume that no one is immune from DDoS attacks. All you can do is be prepared for them. Creating a DDoS response plan and ensuring a high level of network security, constant traffic monitoring, and regular penetration testing will raise the chance of successfully repelling an attack by orders of magnitude.

Services for DDoS protection

The good news is that many hosting companies today have started offering DDoS protection, which can help protect websites from this type of attack. This protection works by carefully filtering website traffic so that dangerous requests don’t get through and safe requests get through without significant delays. Some hosting companies also offer to notify website owners of an attempted DDoS attack so that they have detailed records of when the attack was attempted, its size, and other important information. Some of these services offer a free trial period of several months, which is usually enough to fend off an attack and evaluate all the features.

Popular DDoS Defense Solutions include:

The scale of DDoS attacks will likely grow further in the coming years. Fortunately, the countermeasures are the same regardless of the attacker's motive, so you can pick the solution most convenient for you and spare your business the disruption.

The post How DDoS Can Badly Hurt Your Business appeared first on Gridinsoft Blog.

KmsdBot malware combines DDoS-attacks and coin mining
https://gridinsoft.com/blogs/kmsdbot-malware-ddos-coin-mining/
Mon, 14 Nov 2022 19:04:32 +0000
A new malware strain called KmsdBot is striking user devices. The Akamai SIRT discovered the malware, which uses the SSH (Secure Shell) protocol to infiltrate target systems in order to mine cryptocurrency and carry out DDoS attacks. It spreads disguised as a bot for popular games, GTA V in particular. The combined threat raises analysts' concerns about a possible massive spread of such malware.

KmsdBot strikes, using weak SSH credentials

The experts named the malware KmsdBot. It is written in Go and is aimed at a range of companies, from gaming to automotive brands and security firms. Go is gaining popularity among malware developers because its binaries are comparatively hard to reverse engineer. The botnet infects systems over SSH by logging in with weak credentials. KmsdBot does not establish persistence on the infected system, which helps it avoid detection.

The malware gets its name from the "kmsd.exe" executable, which is downloaded from a remote server after a successful compromise. It is built for multiple architectures: Winx86, Arm64, mips64 and x86_64. KmsdBot scans for and propagates to new hosts by downloading a list of username/password combinations and trying them over SSH. It can also start and stop mining and update itself, all under the control of its C2 server.

Command for KmsdBot to attack the target server, sent from the C2

According to Akamai, the first observed target of KmsdBot was FiveM, a multiplayer mod for GTA V that lets players join custom role-playing servers. The botnet's DDoS capabilities cover OSI Layer 4 and Layer 7: floods of TCP or UDP packets, or of HTTP GET requests, sent to exhaust the target server's resources and push it into a denial-of-service state. Notably, KmsdBot started out as a fake bot for a game but turned into a tool for attacking world-known names.
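KmsdBot's spreading vector is plain credential guessing over SSH, so the earliest signal a defender gets is the server's own authentication log. The following Python script is an added example (it is not Akamai's or Gridinsoft's code) that parses sshd log lines, flags sources exceeding a failed-password threshold, and, more importantly, flags a successful password login that follows a burst of failures from the same source, which is what a compromise by a KmsdBot-style bot looks like. The log lines, host name and IP addresses are constructed for the example, and the threshold of five attempts is an assumption.

```python
import re
from collections import defaultdict

# Constructed sshd log lines (not real logs); 203.0.113.7 and 198.51.100.20 are
# documentation addresses and "host1" is an assumed host name.
SAMPLE_LOG = """\
Nov 14 18:01:02 host1 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Nov 14 18:01:04 host1 sshd[2311]: Failed password for root from 203.0.113.7 port 51524 ssh2
Nov 14 18:01:05 host1 sshd[2311]: Failed password for invalid user test from 203.0.113.7 port 51526 ssh2
Nov 14 18:01:07 host1 sshd[2311]: Failed password for root from 203.0.113.7 port 51528 ssh2
Nov 14 18:01:09 host1 sshd[2311]: Failed password for invalid user oracle from 203.0.113.7 port 51530 ssh2
Nov 14 18:01:11 host1 sshd[2311]: Accepted password for root from 203.0.113.7 port 51532 ssh2
Nov 14 18:05:40 host1 sshd[2400]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Nov 14 18:05:45 host1 sshd[2400]: Accepted publickey for alice from 198.51.100.20 port 40002 ssh2
"""

# Matches both "Failed/Accepted password" and "Accepted publickey" lines;
# "invalid user" is optional because sshd only adds it for unknown accounts.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_log(text):
    """Return a list of (result, method, user, ip) tuples for every matching line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["result"], m["method"], m["user"], m["ip"]))
    return events


def find_bruteforce_sources(events, threshold=5):
    """Map source IP -> set of usernames tried, for sources with >= threshold failed password logins."""
    users, counts = defaultdict(set), defaultdict(int)
    for result, method, user, ip in events:
        if result == "Failed" and method == "password":
            counts[ip] += 1
            users[ip].add(user)
    return {ip: users[ip] for ip, n in counts.items() if n >= threshold}


def find_compromises(events, threshold=5):
    """Return [(ip, user)] where an accepted password login directly follows a streak of
    >= threshold failed password logins from the same IP: a guessing bot that found a weak password."""
    streak, hits = defaultdict(int), []
    for result, method, user, ip in events:
        if method != "password":
            continue  # key-based logins are not part of a guessing streak
        if result == "Failed":
            streak[ip] += 1
        else:
            if streak[ip] >= threshold:
                hits.append((ip, user))
            streak[ip] = 0
    return hits


if __name__ == "__main__":
    ev = parse_auth_log(SAMPLE_LOG)
    print("brute-force sources:", find_bruteforce_sources(ev))
    print("likely compromises:", find_compromises(ev))
```

On a real host the same two functions can be pointed at `/var/log/auth.log` or `journalctl -u ssh` output; the compromise check is the one worth alerting on, since a single successful password login after a run of failures is exactly the event a non-persistent bot like KmsdBot leaves behind.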

Is KmsdBot dangerous?

Like any other malware, KmsdBot is an unwelcome addition to an infected system. Its coin-mining and DDoS capabilities alone create enough problems for everyday use of the PC. Mining drives hardware utilisation to the ceiling, which makes even basic apps sluggish. DDoS participation not only eats bandwidth but can also get the infected PC's IP address banned by the attacked sites.

The other side of the danger is how the malware reaches users' computers. Credential guessing over SSH is unusual for malware aimed at individual users, and on top of that KmsdBot disguises itself as a bot for a game, GTA V. Gamers are not the most careful users: they are the usual audience for cracks, patches, and automation tools such as bots. Since GTA V is not the only game where a bot pays off, a surge in KmsdBot spreading over the coming weeks would not be surprising.

The post KmsdBot malware combines DDoS-attacks and coin mining appeared first on Gridinsoft Blog.

DDoS Booter & IP Stresser
https://gridinsoft.com/blogs/ddos-booter-ip-stresser/
Mon, 18 Jul 2022 16:15:10 +0000
A corporate security team's toolkit does not consist of defensive tools only. To imitate intruders, they also use tools such as IP stressers, which create conditions similar to a real attack. IP stressers have an evil counterpart: DDoS booters. But how do they work? Let's figure that out.

What is an IP stresser?

An IP stresser is a tool that tests a network or server for stress tolerance. An administrator runs a stress test to check whether the current resources (bandwidth, CPU power, and so on) are sufficient to handle additional load. Testing your own network or server this way is a legitimate use. Running a stress test against someone else's network or server, causing a denial of service to their legitimate users, is illegal in most countries.

What are booter services?

Booters (also known as booter or stresser services) are on-demand DDoS (Distributed Denial of Service) attacks that cybercriminals sell to knock networks and websites offline. Consequently, booters are illegal uses of IP stressers. Illegal stressers often hide the identity of the attacking server behind proxies: the proxy relays the attacker's connection, masking the attacker's IP address.

DDoS booter interface

Booters are often sold as SaaS (Software-as-a-Service) and come with email support and YouTube tutorials. Packages may offer a one-time attack, several attacks over a period, or even "lifetime" access. A basic one-month package costs a trivial sum. Payment methods include credit cards, Skrill, PayPal, or bitcoin.

The difference between IP booters and botnets

Botnets consist of computers whose owners are unaware that their machines are infected with malware, so they unwittingly become accomplices in attacks. Booters, in turn, are DDoS-for-hire services offered by enterprising hackers. Whereas in the past you had to build your own botnet to conduct a large-scale attack, now it is enough to pay a small sum.

Motivations for DDoS attacks

The motives for such attacks vary: espionage, skill sharpening, business competition, ideological differences, state-sponsored terrorism, or extortion. The preferred payment method is bitcoin, because a wallet is not tied to a name, although the blockchain is public and payments can still be traced, as the last section notes. Cashing out cryptocurrency savings, however, is harder than spending cash.

Amplification and reflection attacks

Reflection and amplification attacks use legitimate third-party servers to overwhelm the targeted network or server. The attacker spoofs the victim's IP address as the source of a request sent to a third party. That third party cannot tell that the request did not come from the victim and replies directly to the victim. Neither the victim nor the third-party server sees the attacker's real IP address. This is reflection. By analogy, the attacker orders a dozen pizzas to the victim's home in the victim's name, and the victim is then asked to pay for pizzas it never ordered.

The simplified scheme of an amplification attack

Traffic amplification occurs when the attacker makes a third-party server send the victim responses that are much larger than the requests. The ratio between response size and request size is the amplification factor; the higher it is, the more damage a given amount of attacker bandwidth does. The spoofed requests also load the third-party server itself. NTP amplification is one example of such an attack.

Amplification and reflection attack explained

The most effective booter attacks combine amplification and reflection. The attacker spoofs the target's address as the source and sends a request to a third party; the third party sends its response to the target's address, which appears in the packet as the sender. The response is much larger than the request, which multiplies the attack's volume. A single bot's role here is like a prankster phoning a restaurant, ordering the whole menu, and asking for a callback to confirm each dish, but giving the victim's number. The victim gets calls about orders it never made and is stuck on the line.
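From the victim's side, a reflection attack has a distinctive shape: UDP traffic arriving from a well-known service port (NTP, DNS, SSDP, SNMP, memcached) that the victim never sent a request to, in packets far larger than a normal reply. The following Python script is an added example (not part of the original post) that applies that check to flow records at the victim's border and reports the reflectors and the observed packet sizes per service. The flow records, the victim address and the 76-byte reference request size are constructed for the example; the service-port list uses the real protocol ports.

```python
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "proto src_ip src_port dst_ip dst_port packets bytes")

# Real service ports of protocols commonly abused as reflectors.
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP", 11211: "memcached"}

VICTIM = "192.0.2.10"  # protected host (documentation address, assumed)

# Constructed flow records as seen at the victim's border (not a real capture):
# one legitimate NTP exchange (request out, 76-byte reply in), then unsolicited
# NTP and DNS replies from reflectors the victim never queried, plus ordinary TCP.
SAMPLE_FLOWS = [
    Flow("udp", VICTIM, 40123, "198.51.100.5", 123, 1, 76),
    Flow("udp", "198.51.100.5", 123, VICTIM, 40123, 1, 76),
    Flow("udp", "203.0.113.11", 123, VICTIM, 80, 200, 96400),
    Flow("udp", "203.0.113.12", 123, VICTIM, 80, 180, 87000),
    Flow("udp", "203.0.113.13", 123, VICTIM, 80, 210, 101000),
    Flow("udp", "203.0.113.20", 53, VICTIM, 80, 50, 150000),
    Flow("tcp", "198.51.100.9", 443, VICTIM, 51000, 10, 8000),
]


def solicited_keys(flows, victim):
    """(remote_ip, remote_port, local_port) of every request the victim itself sent."""
    return {(f.dst_ip, f.dst_port, f.src_port) for f in flows if f.src_ip == victim}


def detect_reflection(flows, victim):
    """Summarise inbound UDP traffic from an amplifier service port that has no
    matching outbound request from the victim, grouped by service name."""
    requested = solicited_keys(flows, victim)
    report = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f.dst_ip != victim or f.proto != "udp" or f.src_port not in AMPLIFIER_PORTS:
            continue
        if (f.src_ip, f.src_port, f.dst_port) in requested:
            continue  # a reply to something the victim really asked for
        entry = report[AMPLIFIER_PORTS[f.src_port]]
        entry["reflectors"].add(f.src_ip)
        entry["packets"] += f.packets
        entry["bytes"] += f.bytes
    return {
        svc: {"reflectors": sorted(e["reflectors"]), "packets": e["packets"],
              "bytes": e["bytes"], "avg_packet": e["bytes"] / e["packets"]}
        for svc, e in report.items()
    }


def amplification_factor(request_bytes, response_bytes):
    """Bandwidth amplification factor: bytes the reflector emits per byte the attacker spends."""
    return response_bytes / request_bytes


if __name__ == "__main__":
    for svc, e in detect_reflection(SAMPLE_FLOWS, VICTIM).items():
        # 76 bytes is the on-wire size of the legitimate NTP exchange in the sample data.
        print(f"{svc}: {len(e['reflectors'])} reflectors, {e['bytes']} bytes, "
              f"{e['avg_packet']:.0f} B/packet, about "
              f"{amplification_factor(76, e['avg_packet']):.1f}x a 76-byte request")
```

The request-matching step is what separates an attack from normal traffic: the victim's own NTP query and its reply are left alone, while replies it never asked for are attributed to the reflectors, so the output also tells you which third-party servers to ask your upstream to filter.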

The categories of denial-of-service attacks

There are dozens of variations of DDoS attacks, some with multiple subspecies. Depending on the attackers' goals and skills, an attack may belong to several categories at once. Let's review the main categories one by one.

Application-layer attacks target web applications and often use the most sophisticated techniques. They abuse a Layer 7 protocol such as HTTP rather than a bug in it: they open legitimate-looking connections and drain server resources by monopolizing processes and transactions, which makes them hard to detect and mitigate. A typical example is the HTTP flood.

Protocol attacks exploit weaknesses at Layers 3 and 4 of the protocol stack. They consume the victim's processing power or the state tables of intermediate equipment such as firewalls, resulting in service disruption. Examples are the SYN flood and the Ping of Death.

Volumetric attacks send huge volumes of traffic to saturate the victim's bandwidth. Attackers generate them with botnets and simple amplification methods. This is the most common type; examples include UDP flood, TCP flood, NTP amplification, and DNS amplification.

Common denial-of-service attacks

The goal of a DoS or DDoS attack is to consume as many server or network resources as possible so that the system stops responding to legitimate requests:

  • SYN Flood: a stream of SYN requests is sent to the target to overload it. The attack abuses the TCP three-way handshake: the server allocates state for each half-open connection while waiting for a final ACK that never arrives.
  • HTTP Flood: HTTP GET or POST requests are used to overwhelm a web server.
  • UDP Flood: random ports on the target are flooded with UDP datagrams, forcing the host to check for a listening application and answer with ICMP "destination unreachable" packets.
  • Ping of Death: IP packets larger than the protocol allows are sent to the target. IP fragmentation splits large packets into smaller ones; legacy systems crashed when the reassembled packet exceeded the 65,535-byte maximum. This has largely been fixed in newer systems, and ping flooding is the modern incarnation of the attack.
  • ICMP protocol attacks: the server must process each ICMP request before sending a reply. The Smurf attack, ICMP flooding, and ping flooding exploit this by flooding the server with ICMP requests without waiting for replies.
  • Slowloris: an attack tool created by Robert "RSnake" Hansen. It opens many connections to the target web server and keeps them open as long as possible by sending partial HTTP requests, so the server's connection pool fills up and further client connections are rejected.
  • DNS Flood: the attacker floods the DNS servers of a domain to disrupt name resolution for that domain.
  • Smurf Attack: named after the Smurf attack tool. ICMP echo requests carrying the victim's spoofed source address are sent to a network's broadcast address, so every host on that network replies to the victim.
  • SNMP reflection: the attacker spoofs the victim's IP address and sends many SNMP requests to devices; the volume of responses can overwhelm the victim.
  • DNS amplification: a reflection attack that turns small requests to DNS (domain name system) servers into much larger responses aimed at the victim, consuming its resources.
The ways a DDoS attack can be applied to the network

Less common DDoS methods

  • NTP amplification: a high-volume reflection attack in which the attacker abuses Network Time Protocol (NTP) server functionality (historically the monlist command) to flood the target network or server with UDP traffic.
  • SSDP: a reflection attack that abuses Universal Plug and Play (UPnP) devices speaking SSDP (Simple Service Discovery Protocol) to send amplified traffic to the target.
  • Teardrop attack: fragmented packets whose fragment offsets overlap are sent to the target device. A bug in old TCP/IP implementations made reassembly of such overlapping fragments fail and crash the device.
  • Fraggle attack: similar to Smurf, except that it uses UDP rather than ICMP.
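The SYN flood entry above describes the mechanism; this added Python example (not from the original post) shows what it looks like in traffic by tracking the three-way handshake per client and counting half-open connections to one server. The packet tuples are constructed: two clients complete the handshake, then 300 spoofed sources each send a single SYN, receive a SYN-ACK, and never acknowledge it. The server address, the 100-connection threshold and the 2-second window are assumptions.

```python
SERVER = "192.0.2.10:80"  # protected web server (documentation address, assumed)


def handshake(t, client):
    """A completed three-way handshake as (time, src, dst, flags) tuples."""
    return [(t, client, SERVER, "S"),
            (t + 0.01, SERVER, client, "SA"),
            (t + 0.02, client, SERVER, "A")]


# Constructed packet summaries, not a real capture: two legitimate clients,
# then 300 SYNs from spoofed sources (250 distinct hosts) that never send the final ACK.
FLOOD_SOURCES = [f"203.0.113.{i % 250 + 1}:{50000 + i}" for i in range(300)]
SAMPLE_PACKETS = (
    handshake(0.0, "198.51.100.20:40001")
    + handshake(0.5, "198.51.100.21:40002")
    + [(1.0 + i * 0.001, src, SERVER, "S") for i, src in enumerate(FLOOD_SOURCES)]
    + [(1.01 + i * 0.001, SERVER, src, "SA") for i, src in enumerate(FLOOD_SOURCES)]
)


def half_open_connections(packets, server, window=2.0):
    """Clients whose SYN to `server` was answered with a SYN-ACK but never completed
    with an ACK inside `window` seconds: the backlog a SYN flood is designed to fill."""
    syn_at, synacked, acked = {}, set(), set()
    for t, src, dst, flags in sorted(packets, key=lambda p: p[0]):
        if dst == server and flags == "S":
            syn_at[src] = t
        elif src == server and flags == "SA":
            synacked.add(dst)
        elif dst == server and "A" in flags and src in syn_at:
            acked.add(src)
    now = max(p[0] for p in packets)
    return {c for c, t in syn_at.items()
            if c in synacked and c not in acked and now - t <= window}


def syn_flood_indicator(packets, server, threshold=100):
    """Flag a SYN flood when half-open connections exceed `threshold`. A half-open count
    close to the number of distinct source hosts points at spoofed, one-shot sources."""
    half_open = half_open_connections(packets, server)
    hosts = {c.rsplit(":", 1)[0] for c in half_open}
    return {"half_open": len(half_open), "distinct_hosts": len(hosts),
            "flood": len(half_open) >= threshold}


if __name__ == "__main__":
    print(syn_flood_indicator(SAMPLE_PACKETS, SERVER))
```

The same state tracking is what a kernel does in its SYN backlog; SYN cookies sidestep the problem by not allocating that state until the final ACK arrives, which is why they are the standard mitigation for this attack.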

What to do in case of a ransom DDoS attack?

  • Inform your data center and ISP immediately;
  • Do not pay the ransom: payment often leads to escalating demands;
  • Notify law enforcement authorities;
  • Monitor network traffic.

How to mitigate attacks?

  • Install firewalls on the servers;
  • Keep security patches up to date;
  • Run antivirus software on a schedule;
  • Monitor system logs regularly;
  • Block SMTP traffic from unknown mail servers.

Why booter services are hard to track

Because the customer of a booter pays and receives instructions through a front-end site, the connection to the back-end that actually launches the attack is hard to establish, so criminal intent can be difficult to prove. One way to identify the operators, however, is to follow the payment trail.

The post DDoS Booter & IP Stresser appeared first on Gridinsoft Blog.

What is a Smurf Attack? How Does It Work?
https://gridinsoft.com/blogs/what-is-a-smurf-attack/
Wed, 04 May 2022 15:35:26 +0000
Smurfing, or a smurf attack, is a kind of DDoS attack. Its mechanism is simple, but countering it can be as hard as countering the most sophisticated denial-of-service attacks. Let's look at how it works, how to repel it, and how to reduce the chance that it succeeds.

What is a Smurf Attack?

A smurf attack is an interesting type of DDoS. When we say "DDoS", we usually imagine a request-flooding attack, which simply creates an enormous flow of requests that overloads the server; while easy to mount, it is also fairly easy to counter. Smurf also floods the channel, but does it differently. The name comes from the tool first used to carry out such attacks, detected as Win32/DDoS.Smurf.

The short representation of how the smurf attack is done

A smurf DDoS attack sends ICMP echo requests to a network's broadcast address with the target's spoofed source address, so the replies from every host on that network go to the target. One packet is sent to the network without picking a specific host, and every host present responds. The volume of those responses is the danger: the network may consist of hundreds of computers. A real-life comparison: posting a very attractive car-for-sale ad on dozens of websites with the phone number of the person you want to annoy. If the sites are unmoderated, the victim gets calls about the offer for months, until they change the number. A smurf attack will not make you change your number, but you will certainly see the network melting under the load.

How Was the Smurf DDoS Attack Conducted?

As with any denial-of-service attack, smurf needs computers to send the requests. But the number of machines under the attacker's control is not the only (or even the main) variable. Since the attacker uses a broadcast network as an intermediary, the attack's efficiency depends on how many hosts are on the network the ICMP requests are sent to. To avoid traffic filtering by a single network, the pings are better spread across several, which also makes countermeasures and tracing harder.

The size and quality of the botnet matter too. Because smurf attacks generally aim at standalone servers (for example, those of small companies) rather than large online services, there is no need to spam requests: with the right settings, a minimal amount of resources will do. Larger packets multiplied by a large intermediary network quickly create a bottleneck and take the target server down. Such networks are not easy to find, however, so attackers usually have to make do with larger botnets and smaller packets.
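The intermediary network leaves a fingerprint on the victim's side: a burst of ICMP echo replies the victim never solicited, coming from many hosts that all sit in the same subnet. This added Python example (not from the original post) checks flow summaries for exactly that signature. The ICMP records and the victim address are constructed; grouping sources by /24, the 50-source minimum and the 80% clustering share are heuristic assumptions.

```python
import ipaddress
from collections import Counter

VICTIM = "192.0.2.10"  # the attacked host (documentation address, assumed)

# Constructed ICMP flow summaries (src, dst, icmp_type, packets); not a real capture.
# Type 8 = echo request, type 0 = echo reply. The victim pings one host itself, then
# 200 hosts of a single /24 (the abused broadcast network) all reply to it, plus one stray.
SAMPLE_ICMP = (
    [("192.0.2.10", "198.51.100.1", 8, 4), ("198.51.100.1", "192.0.2.10", 0, 4)]
    + [(f"203.0.113.{h}", VICTIM, 0, 500) for h in range(1, 201)]
    + [("198.51.100.77", VICTIM, 0, 2)]
)


def unsolicited_echo_replies(flows, victim):
    """Echo replies to `victim` from hosts the victim never sent an echo request to."""
    pinged = {dst for src, dst, itype, _ in flows if src == victim and itype == 8}
    return [(src, n) for src, dst, itype, n in flows
            if dst == victim and itype == 0 and src not in pinged]


def smurf_indicator(flows, victim, min_sources=50, min_cluster_share=0.8):
    """A smurf victim sees many unsolicited echo replies whose sources cluster in one
    subnet: the network whose broadcast address the attacker targeted."""
    replies = unsolicited_echo_replies(flows, victim)
    if not replies:
        return {"sources": 0, "packets": 0, "amplifier_net": None,
                "cluster_share": 0.0, "smurf": False}
    # /24 is an assumed grouping; the real amplifier may be a larger or smaller network.
    nets = Counter(str(ipaddress.ip_network(f"{src}/24", strict=False)) for src, _ in replies)
    top_net, top_count = nets.most_common(1)[0]
    share = top_count / len(replies)
    return {"sources": len(replies), "packets": sum(n for _, n in replies),
            "amplifier_net": top_net, "cluster_share": share,
            "smurf": len(replies) >= min_sources and share >= min_cluster_share}


if __name__ == "__main__":
    print(smurf_indicator(SAMPLE_ICMP, VICTIM))
```

The reported `amplifier_net` is the practical output: it is the network whose operator needs to disable directed broadcasts, and the prefix your upstream can filter echo replies from while the attack lasts.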

How Dangerous is the Smurf Attack?

Like any DDoS attack, its main unpleasant effect is that the targeted server becomes unavailable. This kind of attack is usually aimed at smaller but more sensitive targets, such as the operational servers of software vendors, for which a knocked-out server means a disrupted or even paralysed workflow. That is exactly one purpose of such attacks: to disrupt a rival's infrastructure. It is not the only one, though.

Effect of a DDoS attack for the external user: the server is inaccessible

A DDoS attack, unlike phishing or malware spreading, is fairly easy to trace. Smurfing, by contrast, lets the crooks minimise the number of things they can be traced by: with the right settings and circumstances it can succeed with only a dozen computers involved. That is attractive for cybercriminals who use DDoS as a distraction from another action, such as malware injection or data exfiltration.

To perform a smurf attack, an advanced persistent threat group can use a corporate network it has already infected. Again, the ideal environment is not easy to come by, but using "spare" machines lets the crooks avoid the cost of renting or building a botnet. And while classic DDoS attacks launched from inside a network can be traced and blocked fairly easily, smurf attacks are not so easy to repel.

How to Protect from Smurf DDoS Attacks?

Fortunately for server maintainers and everyone who depends on them, protection from smurf attacks is not hard to set up. The functions the attackers rely on are well known and can be disabled with little to no loss of functionality. You will not shut the attack down completely, but at best its efficiency will fall to one request per attacking machine, regardless of how many hosts are on the intermediary network.

  • Disable IP-directed broadcast on the router. If your network will not forward packets to its broadcast address, it cannot be used as a smurf amplifier. Check first that nothing on your network legitimately relies on directed broadcasts.
  • Drop inbound ICMP echo replies. This filters the ICMP reply packets used in smurf attacks. Attackers are not limited to this packet type, however (the Fraggle variant uses UDP), so it is not a complete solution.
  • Configure the firewall to filter pings from the outside. This is the most flexible option and causes minimal trouble in the workflow. If your server cannot be pinged from the outside, the reflected packets go nowhere, and the host is also less visible to attackers scanning for targets.

The post What is a Smurf Attack? How Does It Work? appeared first on Gridinsoft Blog.

20 Dangerous Types of Cybersecurity Threats
https://gridinsoft.com/blogs/dangerous-types-of-cybersecurity-threats/
Wed, 27 Apr 2022 19:09:52 +0000

The post 20 Dangerous Types of Cybersecurity Threats appeared first on Gridinsoft Blog.

]]>
The cybersecurity threats this year are more considerable than ever. With the emergence of efficient ransomware, coin miners, spyware, and so on, hacking has become a consistently profitable business.

Knowing about cybersecurity threats is crucial because it sharpens your safety measures. When you are aware of what is up against you on the Internet, you understand what cybersecurity is for.

The following article is not a list of cybersecurity threats in a strictly scientific sense. Instead, we have gathered some of the trending phenomena from modern cyber-warfare (some of them are threats indeed) to present them in the form of an explanatory dictionary.


#1. Hacking Attacks

Any activity toward getting unauthorized access to and control over computers, data storage, online servers, websites, etc., is called “hacking”. The term is old, and hacking computer systems does not necessarily imply going online, although it mostly happens on the Internet nowadays.

Hacking may involve malicious software (malware), but not necessarily: social engineering, i.e., breaching digital security by deception that targets human rather than computer weaknesses, is also a form of hacking.

Hacking started as idle entertainment but evolved into a lucrative cybercriminal industry. Counteracting potential crooks and developing anti-malware software is now an indispensable element of modern computer technology.

#2. Malware Attacks

“Malware” is a portmanteau for malicious software. There are different ways to classify unwanted programs. Some security specialists distinguish between software that does actual harm and annoying applications that can be easily detected and removed from a device by a standard procedure. Other experts consider unwanted programs and malware synonyms.

NOTE: Malware attacks are a big threat to users all over the world. It is important to know the principles and main characteristics of each kind in order to understand how to resist it.

Harmful software can itself be classified by different criteria. For example, malware may be file-based or fileless, the latter executed via scripts with no code saved on the targeted device.

Malware files can be the ones that breach the victim system's defenses, or they can be downloaded later by the former. As for the infectious agents, they can be viruses, worms, or Trojans. Other types exist too, but these three are the most widespread. Viruses, which gave malware its first collective name, are largely obsolete nowadays. But do you know the difference between malware and a virus?

The functions of malware are immense. It can collect data, destroy or tamper with it, flood users with unwanted advertising, etc. However, the vilest malware these days is arguably ransomware.

Trojan Horse (Cybersecurity Threat)

Trojan horse, or just Trojan, is a term that describes the way malware ends up on the victim's device. It is incorrect to say "Trojan virus," as Trojans are not computer viruses; the latter are self-replicating pieces of code. Trojans, by contrast, are shaped as "normal" files and do not clone themselves. What is specific about them is that users install Trojans themselves, mistaking them for what the malware pretends to be. This disguise is what gave Trojans their name (remember Odysseus's clever way to get beyond the walls of Troy).

When the Trojan is already “behind the enemy lines,” it can execute one of many possible functions. It can either deliver its malicious payload or download additional malware, and one doesn’t exclude the other.

NOTE: Over the past three years, Trojans have changed significantly, and there are many dangerous variants. A dedicated anti-malware tool such as Gridinsoft Anti-Malware is therefore recommended.

#3. Ransomware Attacks

Ransomware is a kind of malware that encrypts data on the victim's device and leaves instructions on how to pay a ransom in cryptocurrency to the crooks, who promise to deliver a decryption key in return.

Trojans usually deliver ransomware. Victims often catch this infection from email attachments, malicious links in messages, or unchecked downloads from dangerous websites. Ransomware encodes data files, such as text documents, images, and videos, after which all the encrypted files get an additional extension to their names. As a result, the user cannot read the files until they are decrypted.

Ransomware attacks have become a functioning business model for crooks within the last several years. State governments have started a real war on ransomware. The US authorities have started shutting down black markets where hackers have been selling ransomware as a service.

MedusaLocker Ransomware

MedusaLocker is classic ransomware with one mean peculiarity. Unlike most ransomware operators, who like to cultivate a reputation as "honest thieves," the racketeers behind MedusaLocker do not hand over the decryption key even to victims who pay. By undermining the whole business scheme, MedusaLocker's developers are one more illustration of the advice not to negotiate with terrorists.

#4. Formjacking Cybersecurity Threat

A modern way of stealing money is to grab a copy of the credit card details an unaware user types into a payment form, say at an online shop. As the shopper confirms the card details, a copy of the entered data goes straight to the crooks. This requires injecting malicious JavaScript into the payment form, often through a third-party script the site loads rather than the site's own code. Hackers use the same technique to steal logins and passwords, with identity theft to follow.

#5. Password Attacks

Password attacks are the sum of measures hackers may undertake to find the password to a protected account or device when they do not have it and have no software to obtain it directly. Password attacks are therefore attempts to guess the password, using computing power to do so as fast as possible. The most "honest" method is the brute-force attack, in which the machine bluntly tries every possible variant until it hits the right one.

NOTE: Password stealers (PWS) are a specific type of malware that tries to get your passwords and other credentials. Once it is on the system, the password stealer is ready to do its job.

A strong password might take thousands of years to break by brute force. Of course, real attacks do not try every value blindly: in each case there are sets of words and numbers that are more likely to be the correct password, and that is what the machine tries first, varying the entered values realistically.

#6. Cryptojacking Malware

Since cryptocurrency strengthened its position in the world economy, hackers have been developing ways to profit from other people's resources. Bitcoin and other tokens are produced by mining, that is, solving cryptographic puzzles on the mining machine. Criminals therefore seek to enlist as many computers on the Web as possible into their remote mining farms, and they have found different methods for doing so; this is called cryptojacking.

The two most common ways to exploit remote machines for cryptocurrency mining are infecting them with so-called coin miners (mostly Trojans) or making them run coin-mining scripts. Precaution measures against these cybersecurity threats are known and familiar – be careful around questionable email attachments and links.

#7. Man-in-the-middle attack (MITM)

Spoofing a Wi-Fi network name lets crooks lure their victims onto a network fitted with data-collecting software or even hardware. The user's inbound and outbound traffic then passes through the crooks' hands. This spying scheme is called a man-in-the-middle attack. It can serve criminals equally well to attack a specific target or to steal the identities of random people unlucky enough to fall into the trap.

IMPORTANT FACT: A public Wi-Fi network can be considered insecure for several reasons, which can further compromise your device and data. It is very important to learn how to use public Wi-Fi safely: risks to watch out for.

#8. Cloud Vulnerabilities

Users consider cloud storage an excellent and convenient place to keep their data and have their hard drives back up there. That is true! But is the cloud safe? People seldom care about cloud data security because they do not expect anyone to hunt for their information. However, any company with competitors or an influential person should know that there are vulnerabilities in cloud services.

Some of them are trivial, such as the absence of two-factor authentication, which lets anyone holding the password, or anyone at an already logged-in machine, get in. Others involve cloud-side scripting, DDoS attacks, compromised APIs, and other weaknesses that raise questions about the security of cloud services.

#9. Botnet Cybersecurity Threat

A botnet is a network of compromised computers that act in concert to perform various actions. Each botnet host is a computer with specialized software installed and running on it, usually unbeknownst to the user. Whatever a given botnet does, botnets in general are mostly vile. These networks are used for posting comments on social media, launching DDoS attacks, mining cryptocurrency, distributing malware, etc.

#10. Denial of Service (DoS) Attack

A denial of service (DoS) attack targets a resource that is supposed to provide a service but gets overloaded by an enormous number of requests or receives crafted data that triggers a crash. This type of attack is usually undertaken against the websites of business competitors, political opponents, ideological enemies, or another state’s critical resources by threat actors from opposing countries.

If a DoS assault involves multiple attackers (real people or a botnet), it is called distributed denial of service (DDoS). The international hacktivist group Anonymous is well known for its capacity to organize massive DDoS attacks quickly. However, the use of VPNs and onion routing makes tracking the attackers virtually impossible.

#11. Spam Cybersecurity Threat

Spam is the well-known practice of throwing unwanted and unneeded advertising at random users. Whereas spam started as a form of advertising and fraud, hackers later caught on and started using spam to spread malware. The combination of spam and malware distribution is called malspam. The difference between malspam and targeted hacking attacks involving email is that the former is an indiscriminate distribution of dangerous attachments in random mass mailings.

#12. Phishing Attack

Phishing is a hacking technique that does not necessarily involve malware at all! The attack’s name comes from the word “fishing,” with letters changed to distinguish it from real fishing, but the idea is similar. Hackers use social engineering, in other words skillful deception, to make victims think that the people addressing them are some trustworthy company or person. It is also important not to confuse phishing with pharming!

NOTE: Phishing is a type of cyber attack that is carried out using various technologies. There are many dangerous types of phishing attacks to watch out for.

After such a connection is established, criminals lure unaware users into providing their credentials (login, password, credit card details, etc.). Without knowing the real identity of the asker, victims can suffer considerable losses, up to and including identity theft. Therefore, education and vigilance are the best countermeasures against such attacks.

#13. Spoofing Cybersecurity Threats

Spoofing is inseparable from phishing. For example, imagine someone who impersonates a police officer to make you lend him your car. What that person says is phishing, while the fake uniform and badge are spoofing. Likewise, an email letterhead, email address, web page appearance, website address, Wi-Fi network name, browser shortcut or interface, and much else can all be objects of spoofing.

Experienced users are likely to be able to tell a genuine web page from a spoofed one. There are also basic rules of Internet communication that can safeguard users from taking deceptive bait. The problem, however, is that phishing generally targets inexperienced users.

#14. SQL Injection (SQLi) Cybersecurity Threats

SQL code injection is one of the most common ways of hacking websites and data-driven software. It exploits software vulnerabilities that allow a specially crafted piece of SQL code to override the program’s intended logic and grant hackers access to data in a database that they are not authorized to access.

The vulnerability arises when programming flaws cause user-supplied text to be read and executed as SQL commands, outside the context the developer intended. Knowing these conditions and how to exploit them is what makes an SQL injection attack possible.
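To make the flaw described above concrete, here is an added example that is not code from the Gridinsoft article: a login lookup that assembles its SQL statement from user input by string concatenation, beside the parameterised form that treats the same input as plain data. The table, user names and passwords are constructed for the demonstration, and SQLite is used only because it needs no server.

```python
import sqlite3

# Constructed sample rows for the demonstration (not data from the article).
SAMPLE_USERS = [
    ("alice", "pw-alice", "alice@example.com"),
    ("bob", "pw-bob", "bob@example.com"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name, password):
    """Flawed version: the statement is assembled by string concatenation, so
    whatever the caller typed is parsed as SQL. A quote character in the input
    ends the string literal early and the remainder is executed as a command."""
    sql = (
        "SELECT name, email FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name, password):
    """Hardened version: a parameterised query. The driver sends the statement
    and the values separately, so the input is always bound as data and can
    never change the structure of the statement, whatever it contains."""
    sql = "SELECT name, email FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


def compare(name, password):
    """Run both lookups on the same input and return the number of rows each
    one returns, so the difference between the two implementations is visible."""
    conn = make_db()
    try:
        return {
            "vulnerable": len(lookup_vulnerable(conn, name, password)),
            "safe": len(lookup_safe(conn, name, password)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A legitimate login matches exactly one row either way.
    print("valid credentials:", compare("alice", "pw-alice"))
    # A password containing a quote turns the flawed WHERE clause into
    # "... AND password = '' OR '1'='1'", which is true for every row; the
    # parameterised version compares the whole string literally and matches nothing.
    print("crafted input:   ", compare("alice", "' OR '1'='1"))
```

The fix is not input filtering but keeping the statement and the data on separate channels; every mainstream database driver offers placeholders like the `?` above, and code review or static analysis should flag any query built with `+` or string formatting from values that originate outside the program.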

#15. Rootkit Malware Attack

Rootkits are programs that perfectly fit the definition and popular idea of a hacking tool. Rootkits are strongly associated with malware. Cybercriminals use them to reach data that is off-limits at the user’s current level of access. As the tool’s name reveals, it aims to give its user access to the very core of the system, its root.

This kind of software grants evil-doers a broad range of opportunities: collecting information from the system, controlling the system, and masking objects within it. Modern security software automatically removes known rootkits, but detecting and deleting one manually is a problem for an average user.

#16. Advanced Persistent Threat (APT)

Nation-state threat actors gaining unauthorized access to computer systems and remaining undetected for a long time are designated as advanced persistent threats. APTs are among the most disturbing menaces in the modern digital world because they target countries’ vital industries like banks, electronic election systems, electric energy supply, etc. Moreover, operating legally in their own countries, nation-state threat actors are well-equipped, and they aim to do harm, not to make money like ransomware operators. That radically distinguishes APTs from the other threats.

#17. Backdoor Attacks

A backdoor is a way of bypassing the standard authentication or encryption processes in a device or a program. The name speaks for itself: it is a vulnerability in a program, but one left there on purpose. It allows hackers (who, in the case of a backdoor, are the very developers of the software containing it) to get quick and free access to data or even control over the system.

FROM THE LATEST NEWS: Shuckworm hackers are attacking Ukrainian organizations with a new variant of the Pteredo backdoor. According to experts, the group carried out more than 5 thousand cyberattacks on 1.5 thousand public and private enterprises in the country.

A backdoor is not necessarily a hacking instrument; it might be a tool for emergency troubleshooting. However, hackers use backdoors introduced via seemingly ordinary applications (in fact, Trojans) to fetch additional malware past the security perimeter of the operating system. Luckily, backdoors are recognizable, and anti-malware systems manage to detect them.

#18. Darknet Cybersecurity Threats

The darknet is not a cybersecurity threat in itself, though it sounds menacing. Still, it would be false to say that the darknet has no relation to cybersecurity threats. It is more of a place where the designers and users of malware meet and communicate. The darknet is an anonymous overlay peer-to-peer file-sharing network (existing within the Internet) in which connections are only established between trusted peers and via non-standard ports and protocols. Access to the darknet is only possible via special software, like the Tor Browser. While the dark web is associated with illegal activity, accessing and browsing the dark web is legal. Gridinsoft also offers useful tips about the darknet.

The darknet is associated with black markets, cybercrime, and terrorism, but also with well-protected privacy, freedom of thought, and liberty from governmental control. Beware of these dangerous cybersecurity threats!

The post 20 Dangerous Types of Cybersecurity Threats appeared first on Gridinsoft Blog.

Russian Aviation agency switched to paper documents due to a hacker attack
https://gridinsoft.com/blogs/russian-aviation-switched-to-paper-documents/
Wed, 30 Mar 2022 10:42:27 +0000
The media, citing their own sources, report that at the end of last week, Russian Aviation agency suffered from a hacker attack, after which 65 TB of data was erased and it was necessary to temporarily switch to paper workflow.

The Aviatorshchina Telegram channel was the first to report the attack, which wrote that as a result of a hacker attack, Russian Aviation lost files on servers and all documents.

“The entire document flow, emails, files on the servers disappeared; now the search for the register of aircraft and aviation personnel is underway, the system of public services has been removed. All incoming and outgoing letters for 1.5 years were lost. We don’t know how to work,” said the Aviatorshchina channel’s own source.

It was reported that the attack allegedly occurred due to poor performance of contractual obligations by InfAvia LLC, which operates the IT infrastructure of the Federal Air Transport Agency.


The Federal Air Transport Agency does not have backup copies, “because the Ministry of Finance did not allocate money for this,” the source of the Telegram channel claims.

The channel also published a screenshot of a message from the head of the Federal Air Transport Agency, Alexander Neradko, telling that due to the lack of access to the Internet and a failure in the electronic document management system, the department is temporarily switching to paper document management, courier mail and Russian Post.

The Anonymous group also commented on the attack.

“Powerful cyber attack on Russia’s Civil Aviation Authority servers: no more data nor back-up. In total, about 65 terabytes of data was erased,” the hackers tweeted.

Recall that Anonymous hackers declared war on the Russian government.

The Kommersant publication writes that the Federal Air Transport Agency did not respond to its requests, but two sources close to the service confirmed the existence of problems and the fact of a hacker attack. They specified that specialists are now working on restoring access to the servers.

Interestingly, the fact of the attack was indirectly confirmed by the head of Russian Aviation, Alexander Neradko, although he denies the loss of terabytes of data and the transition to paper workflow. In an interview with MK journalists, Neradko said:

“Now there are a huge number of federal executive bodies, many companies, both with state participation and without state participation, are subject to a large number of DDoS attacks. We are no exception. We have to work on protecting from them. The last attack was also repelled. Everything is calm, everything is working as planned. I do not think that this requires any increased attention from the media.”

We also wrote that hacker groups have split up: some of them support Russia, others Ukraine.
