DDoS Archives – Gridinsoft Blog

Ubiquiti G4 Vulnerability Discovered, Allowing for DDoS Attacks
https://gridinsoft.com/blogs/ubiquiti-g4-vulnerability/
Published: Fri, 02 Aug 2024

Researchers found a flaw in Ubiquiti G4 Wi-Fi cameras that exposes several pieces of device information to anyone on the Internet. They believe the same weakness was used back in 2019 to perform DoS attacks involving a massive number of cameras. Despite Ubiquiti's claims of having fixed the issue, enough devices remain susceptible to make it a practical problem.

20 Thousand Ubiquiti G4 Cameras Susceptible to DDoS Attacks

According to the research, two privileged processes on the camera are exposed over UDP to the whole Internet. That may not sound like much, but these exposed processes allow anyone to dump information about the device, which can be a stepping stone to a DoS attack or to compromising the device itself.

By contacting the camera on UDP ports 10001 and 7004, the Check Point Research (CPR) team reached the camera's discovery protocol. A single request makes the device send back its information: software version, IP address and platform name. This works without any authentication, which is already a bad sign: it hands anyone on the Internet the device model, firmware version and address, details that identify the owner and help an attacker plan further steps.

Another interesting detail is that the response packet the camera sends back is much larger than the request. That is the precondition for amplification and so-called reflected DDoS attacks: by sending discovery requests with a spoofed source IP address, an attacker directs the much larger responses at the network or system they want to flood. Forcing the cameras to generate those responses also puts load on the cameras themselves, which opens the door to further attack scenarios against the devices.
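To turn this into a check you can run against your own devices, here is an added Python audit script. It is not code from the original post, from Check Point or from Ubiquiti. The 4-byte probe, the header layout and the TLV type codes are assumptions taken from public write-ups of the Ubiquiti discovery protocol; confirm them against a packet capture from your own camera before trusting the decoded fields. The sample reply bytes are constructed for the offline demonstration, and `probe_host()` should only ever be pointed at hardware you own.

```python
import socket
import struct

DISCOVERY_PORT = 10001
PROBE = b"\x01\x00\x00\x00"  # assumed v1 discovery request (4 bytes)

# Assumed TLV type codes from public protocol write-ups; verify on your device.
TLV_NAMES = {0x01: "mac", 0x02: "mac_ip", 0x03: "firmware",
             0x0A: "uptime", 0x0B: "hostname", 0x0C: "platform"}


def parse_discovery(payload: bytes) -> dict:
    """Decode a discovery reply: 4-byte header (version, cmd, 16-bit BE body
    length) followed by TLVs laid out as (type:1, length:2 BE, value)."""
    if len(payload) < 4:
        raise ValueError("packet too short for a discovery header")
    version, _cmd, body_len = struct.unpack("!BBH", payload[:4])
    body = payload[4:4 + body_len]
    fields = {"version": version}
    pos = 0
    while pos + 3 <= len(body):
        tlv_type, length = struct.unpack("!BH", body[pos:pos + 3])
        value = body[pos + 3:pos + 3 + length]
        if len(value) < length:
            break  # truncated TLV: stop instead of mis-parsing the remainder
        pos += 3 + length
        name = TLV_NAMES.get(tlv_type, "type_0x%02x" % tlv_type)
        if tlv_type == 0x02 and length == 10:      # 6-byte MAC + 4-byte IPv4
            fields[name] = (value[:6].hex(":"), ".".join(str(b) for b in value[6:]))
        elif tlv_type == 0x0A and length == 4:     # uptime in seconds
            fields[name] = struct.unpack("!I", value)[0]
        elif tlv_type in (0x03, 0x0B, 0x0C):       # printable strings
            fields[name] = value.decode("utf-8", "replace")
        else:
            fields[name] = value.hex()
    return fields


def amplification_factor(probe: bytes, responses) -> float:
    """Bandwidth amplification factor: bytes reflected per byte sent."""
    return sum(len(r) for r in responses) / len(probe)


def probe_host(host: str, port: int = DISCOVERY_PORT, timeout: float = 2.0) -> list:
    """Send one probe to a device YOU OWN and collect every datagram it answers with."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(probe, (host, port))
        try:
            while True:
                data, _addr = sock.recvfrom(65535)
                replies.append(data)
        except socket.timeout:
            pass
    return replies


def _tlv(tlv_type: int, value: bytes) -> bytes:
    return struct.pack("!BH", tlv_type, len(value)) + value


# Constructed sample reply (not a real capture) used for the offline demo.
_body = (_tlv(0x02, bytes.fromhex("f09fc2aabbcc") + bytes([192, 168, 1, 20]))
         + _tlv(0x03, b"4.60.0")
         + _tlv(0x0B, b"G4-Bullet")
         + _tlv(0x0C, b"UVC G4 Bullet"))
SAMPLE_REPLY = struct.pack("!BBH", 1, 0, len(_body)) + _body

if __name__ == "__main__":
    import sys
    replies = probe_host(sys.argv[1]) if len(sys.argv) > 1 else [SAMPLE_REPLY]
    for r in replies:
        print(parse_discovery(r))
    print("amplification factor: %.1fx" % amplification_factor(PROBE, replies))
```

Run it with a camera's LAN address to see what the device hands out; if the probe gets an answer from the Internet side of your router as well, the device is a usable reflector and the UDP ports should be blocked at the edge. Any factor well above 1 on an unauthenticated UDP service is worth fixing regardless of the exact numbers.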

Are Ubiquiti Users and Cameras in Danger?

Not much, in absolute terms. Compared to the roughly half a million devices found by Rapid7's research in 2019, the 20,000 devices the CPR team managed to locate is a modest number. Still, a free-to-use pool of reflectors for DDoS attacks is a point of concern. Attackers typically pay serious money for a botnet configured for this purpose, and they will not ignore an opportunity to get one for free.

From the device owners' perspective, this is rather irresponsible. The underlying flaw, CVE-2017-0938, was fixed by Ubiquiti long ago. That many devices still ran outdated firmware in 2019 was concerning but understandable; seven years after the fix, in 2024, it simply should not happen. And because the issue is not only an abstract chance of being used in a DDoS attack but also the leak of information about the owner, it is a privacy risk as well: attackers can use that information to plan further attacks and to draw conclusions about the layout of the internal network.

IP Stresser & DDoS Booter
https://gridinsoft.com/blogs/ddos-booter-ip-stresser/
Published: Thu, 20 Jun 2024

The toolkit of corporate cybersecurity specialists does not consist only of defensive tools. To imitate intruders, they also use tools like IP stressers, which recreate the conditions of a real attack against their own infrastructure. IP stressers have an evil counterpart: DDoS booters. But how do they work? Let's figure that out.

What is an IP Stresser?

An IP stresser is a tool that tests a network or server for load tolerance. An administrator runs a stress test to check whether the current resources (bandwidth, CPU power and so on) are sufficient to handle additional load. Testing your own network or server is a legitimate use of a stress test. Running a stress test against someone else's network or server, so that their legitimate users are denied service, is illegal in most countries.

How IP stresser works

What are booter services?

Booters (also called booter services or stressers-for-hire) are on-demand DDoS (Distributed Denial of Service) attacks that cybercriminals sell to knock networks and websites offline. In effect, booters are the illegal use of IP stressers. Illegal stresser services often hide the identity of the attacking servers behind proxies: the proxy forwards the attacker's connection, masking the attacker's real IP address.

DDoS booter interface

Booters are often sold as SaaS (Software-as-a-Service), complete with email support and YouTube tutorials. Packages may offer a one-time attack, several attacks over a period, or even “lifetime” access. A basic one-month package costs a tiny sum. Payment methods can include credit cards, Skrill, PayPal or bitcoin.

The difference between IP Stresser and botnets

Unlike an IP stresser, which the tester runs against infrastructure they control, a botnet is made of computers whose owners are unaware that they are infected with malware. Those owners unwittingly become accomplices in the attacks. Booters are DDoS-for-hire services run by enterprising criminals: whereas in the past you had to build your own botnet to mount a large-scale attack, now it is enough to pay a small amount of money.

Motivations DDoS attacks

The motives for such attacks vary: espionage, sharpening one's skills, business competition, ideological differences, government-sponsored terrorism, or extortion. The preferred payment method is bitcoin, since linking a wallet to its owner is difficult, although cashing out cryptocurrency savings is harder than handling cash.

Amplification and reflection attacks

Reflection and amplification attacks use legitimate services to overwhelm the targeted network or server. The attacker forges the source IP address of their packets to be the victim's address and sends requests to a third party on the victim's behalf. The third party has no way to tell that the source address was forged and replies directly to the victim, while neither the victim nor the third-party server sees the attacker's real IP address. This is reflection. Think of an attacker ordering a dozen pizzas for delivery to the victim's home in the victim's name: the victim then has to deal with a pizzeria demanding payment for pizzas she never ordered.

Smurf attack scheme: the simplified scheme of an amplification attack

Traffic amplification occurs when the attacker picks requests that make the third-party server respond with as much data as possible. The ratio between response size and request size is the amplification factor; the greater it is, the more damage a given amount of attacker bandwidth does to the victim. The third-party server suffers too, because it has to process the whole volume of spoofed requests. NTP amplification is one example of such an attack.

Amplification and reflection IP Stresser explained

The most effective booter attacks combine amplification and reflection. The attacker spoofs the target's address and sends a small request to a third party; the third party sends its response to the address in the packet's source field, which is the target. Because the response is much larger than the request, the attack is amplified. A single bot's role in such an attack is like a prank caller who phones a restaurant, orders the entire menu and asks for a callback to confirm each dish, but gives the victim's number for the callback: the victim gets a stream of calls about orders it never placed and has to deal with every one of them.

The categories of denial-of-service attacks

There are dozens of variations of DDoS attacks, some with multiple sub-types, and depending on the attackers' goals and skills an attack may belong to several categories at once. Let's review the main categories one by one.

Application-layer attacks target web applications and often use the most sophisticated techniques. They operate at layer 7 of the protocol stack: the attacker opens legitimate-looking connections to the target and drains server resources by tying up processes and transactions. Because the traffic looks like real user activity, these attacks are hard to detect and mitigate. A typical example is the HTTP flood.

Protocol-based attacks exploit weaknesses at layers 3 and 4 of the protocol stack. They exhaust the victim's processing capacity or the connection state tables of intermediate devices such as firewalls and load balancers, which results in service disruption. Examples are the SYN flood and Ping of Death.

Volumetric attacks send enough traffic to fill the victim's entire bandwidth. Attackers often generate that volume with amplification techniques. This is the most common category; examples are the UDP flood, TCP flood, NTP amplification and DNS amplification.

Common denial-of-service attacks

The goal of a DoS or DDoS attack is to consume as many server or network resources as possible so that the system stops responding to legitimate requests:

  • SYN Flood: a stream of SYN packets is sent to the target to overload it. The attack abuses the TCP three-way handshake: the server allocates state for every half-open connection while waiting for the client's final ACK, which never arrives.
  • HTTP Flood: a large number of HTTP GET or POST requests are aimed at a web server to exhaust it.
  • UDP Flood: random ports on the target are flooded with IP packets carrying UDP datagrams, forcing the host to check for a listening application on each port and answer with ICMP unreachable messages.
  • Ping of Death: the attacker sends an IP packet larger than the protocol allows. IP fragmentation splits large packets into smaller fragments, and legacy systems crashed when the reassembled packet exceeded the 65,535-byte maximum. Modern systems have largely fixed this; ping flooding is the modern incarnation of the idea.
  • ICMP protocol attacks: these rely on the fact that the target must process each ICMP request before it can reply. The Smurf attack, ICMP flooding and ping flooding exploit this by flooding the target with ICMP requests without waiting for responses.
  • Slowloris: an attack devised by Robert “RSnake” Hansen. It opens many connections to the target web server and keeps them alive as long as possible by sending partial HTTP headers, so the server's connection pool fills up and further client connections are rejected.
  • DNS Flood: the attacker floods the DNS servers of a domain to disrupt DNS resolution for that domain.
  • Smurf Attack: named after the original smurf tool. Large numbers of ICMP echo requests are sent to a network's broadcast address with the victim's spoofed IP address as the source, so every host on that network replies to the victim.
  • SNMP reflection: the attacker spoofs the victim's IP address and sends many SNMP requests to devices; the volume of responses can overwhelm the victim.
  • DNS amplification: a reflection attack in which small requests to DNS servers elicit much larger responses, which are delivered to the victim.
The ways a DDoS attack can be applied to a network

Less popular DDOS methods

  • NTP amplification: a high-volume reflection attack in which the attacker abuses Network Time Protocol (NTP) server functionality (historically the monlist command) to overload the target with amplified UDP traffic.
  • SSDP: a reflection attack using the Simple Service Discovery Protocol, part of Universal Plug and Play (UPnP), to send an amplified volume of traffic to the target.
  • Teardrop attack: the attacker sends fragmented packets with overlapping fragment offsets. A bug in older TCP/IP stacks made them fail when reassembling such overlapping fragments, crashing the target.
  • Fraggle attack: similar to Smurf, except that it uses UDP rather than ICMP.
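The three classic floods in the lists above can be told apart from packet metadata alone. This added Python example, not from the original article, classifies a window of packet records into SYN flood, UDP flood and ICMP flood candidates per destination. The packet records are constructed, and the rate thresholds and the 80% half-open ratio are assumptions to adjust to your own traffic.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str          # "tcp", "udp" or "icmp"
    dst_port: int = 0
    flags: str = ""     # TCP flags as a string, e.g. "S", "SA", "A"


def classify_floods(packets, window_seconds=10, syn_rate=500, udp_rate=500,
                    icmp_rate=500):
    """Per-destination heuristics for the three classic floods.

    SYN flood : many SYNs per second, most never followed by the client's ACK,
                spread over many source addresses (spoofed sources cannot ACK).
    UDP flood : many UDP packets per second sprayed across many distinct ports.
    ICMP flood: many ICMP packets per second.
    Returns {dst_ip: [(kind, details), ...]}."""
    syn = defaultdict(Counter)        # dst -> Counter(src) of SYNs seen
    acked = defaultdict(set)          # dst -> sources that completed the handshake
    udp_ports = defaultdict(Counter)  # dst -> Counter(dst_port)
    icmp = Counter()                  # dst -> ICMP packet count
    for p in packets:
        if p.proto == "tcp":
            if p.flags == "S":
                syn[p.dst_ip][p.src_ip] += 1
            elif p.flags == "A":
                acked[p.dst_ip].add(p.src_ip)
        elif p.proto == "udp":
            udp_ports[p.dst_ip][p.dst_port] += 1
        elif p.proto == "icmp":
            icmp[p.dst_ip] += 1

    findings = defaultdict(list)
    for dst, srcs in syn.items():
        total = sum(srcs.values())
        half_open = sum(n for s, n in srcs.items() if s not in acked[dst])
        if total / window_seconds >= syn_rate and half_open / total >= 0.8:
            findings[dst].append(("syn_flood", {
                "syns": total,
                "half_open_ratio": round(half_open / total, 2),
                "sources": len(srcs)}))
    for dst, ports in udp_ports.items():
        total = sum(ports.values())
        if total / window_seconds >= udp_rate and len(ports) >= 100:
            findings[dst].append(("udp_flood", {"packets": total,
                                                "distinct_ports": len(ports)}))
    for dst, n in icmp.items():
        if n / window_seconds >= icmp_rate:
            findings[dst].append(("icmp_flood", {"packets": n}))
    return dict(findings)


# Constructed 10-second window: a SYN flood from 200 spoofed sources against one
# host, a UDP flood against another, and a normal SSH handshake that must not be flagged.
SAMPLE_PACKETS = (
    [Packet("198.51.100.%d" % (i % 200), "203.0.113.10", "tcp", 443, "S") for i in range(6000)]
    + [Packet("192.0.2.9", "203.0.113.10", "tcp", 443, "S"),
       Packet("192.0.2.9", "203.0.113.10", "tcp", 443, "A")]        # one legitimate client
    + [Packet("198.51.100.%d" % (i % 50), "203.0.113.20", "udp", 1024 + i % 3000)
       for i in range(8000)]
    + [Packet("192.0.2.9", "203.0.113.30", "tcp", 22, "S"),
       Packet("192.0.2.9", "203.0.113.30", "tcp", 22, "A")]         # normal SSH handshake
)

if __name__ == "__main__":
    for dst, hits in classify_floods(SAMPLE_PACKETS).items():
        for kind, details in hits:
            print(dst, kind, details)
```

The half-open ratio is what separates a SYN flood from a busy but healthy server: real clients finish the handshake, spoofed ones cannot. Feed the function a sliding window of records from your capture tool and alert on whichever destinations it returns.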


What to do in case of a DDoS attack?

  • Inform your data center and ISP immediately;
  • Do not consider paying a ransom demand; payment often leads to escalating demands;
  • Notify law enforcement;
  • Monitor network traffic.

How to mitigate attacks?

  • Install firewalls on the servers;
  • Keep security patches up to date;
  • Run antivirus software on a schedule;
  • Monitor system logs regularly;
  • Block outbound SMTP from hosts that are not your mail servers.

Why booter services are hard to track

Because the buyer of these criminal services uses a separate front-end site to pay and to receive instructions, the link between that buyer and the backend that actually launches the attack is hard to establish, and criminal intent is therefore hard to prove. One way investigators do identify the operators is by following the payment trail.

Sierra AirLink Vulnerabilities Expose Critical Infrastructure
https://gridinsoft.com/blogs/sierra-airlink-21-vulnerabilities/
Published: Wed, 06 Dec 2023

A total of 21 security flaws were discovered in the firmware of Sierra Wireless AirLink routers. The vulnerabilities allow remote code execution, unauthenticated access, denial of service and more. Since these devices are commonly used in industrial manufacturing and similar settings, the impact of such attacks may be serious.

Sierra AirLink Routers Have 21 Vulnerabilities

As Forescout Vedere Labs researchers describe, the AirLink lineup contains 21 software vulnerabilities. Only one of them has a CVSS score above 9, the critical range. The remaining RCE flaws and a couple of issues allowing unauthorized access are rated 8.1 to 8.8, and several other noteworthy issues, in particular ones causing denial of service, are rated 7.5.

Vulnerability     Description                                CVSS score
CVE-2023-41101    RCE vulnerability in OpenNDS               9.6 (Critical)
CVE-2023-38316    RCE vulnerability in OpenNDS               8.8
CVE-2023-40461    XSS vulnerability in ACEmanager            8.1
CVE-2023-40464    Unauthorized access in ALEOS firmware      8.1
CVE-2023-40463    Unauthorized access in ALEOS firmware      8.1

The researchers described in detail the potential exploitation of two of the most critical vulnerabilities. With CVE-2023-41101, an attacker can take over the router by overflowing a buffer in the OpenNDS captive portal: because the portal does not limit the length of GET requests, a crafted request can make the router execute arbitrary code. With control of the router, adversaries can disrupt whatever operations depend on it.

CVE-2023-41101 exploitation

The second, CVE-2023-40463, requires the attacker to own a router of the same model as the target. By digging through the device's firmware and cracking the password hash stored there, it is possible to recover the diagnostic shell password. Then, with a bit of social engineering, adversaries can connect to the real target router and enter its diagnostic interface with the recovered password. Such access allows them to plant malware on the router, make it malfunction, or run commands on it remotely.

Available Mitigations

Despite the worrying number of flaws, all of them are reportedly fixed in the latest AirLink firmware. ALEOS 4.17.0 addresses all of them, and customers who cannot upgrade because of compatibility issues can stay on version 4.9.9, which is unaffected by the listed vulnerabilities except those in the OpenNDS captive portal.

The researchers also offer mitigations that buy time before the patch is installed. As with all stopgap measures, they are not ideal and do not guarantee protection.

  1. Disable unused captive portals and related services, or restrict access to them. This reduces the attack surface for the OpenNDS vulnerabilities.
  2. Use a web application firewall to filter requests and block packets from suspicious sources. This mitigation works against the XSS and DoS vulnerabilities.
  3. Change the default SSL certificates. Forescout recommends doing this on all routers, not only Sierra Wireless ones.
  4. Implement an intrusion detection system that also monitors IoT/OT devices, covering connections both from outside the network and within it.
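Because the fix is tied to specific ALEOS versions and the 4.9.9 branch only helps when the captive portal is off, the first practical step is an inventory check. The following added Python example, not from Forescout or Sierra Wireless, classifies each router as fully patched, patched except for the OpenNDS issues, or vulnerable, using only the version facts stated above. The hostnames, version strings and portal settings in the inventory are constructed.

```python
import re

FULL_FIX = (4, 17, 0)    # ALEOS 4.17.0 fixes all 21 issues (per the Forescout report)
LEGACY_FIX = (4, 9, 9)   # 4.9.9: fixed except for the OpenNDS captive-portal flaws


def parse_version(text: str):
    """Turn '4.17.0', 'ALEOS 4.9.9' or '4.16.0.13' into a comparable tuple of ints."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return tuple(int(x or 0) for x in m.groups())


def assess(version_text: str, captive_portal_enabled: bool) -> str:
    """Classify one router as 'patched', 'patched_except_opennds' or 'vulnerable'."""
    v = parse_version(version_text)
    if v >= FULL_FIX:
        return "patched"
    if v[:2] == (4, 9) and v >= LEGACY_FIX:
        # 4.9.9 still carries the OpenNDS flaws; they are reachable only if the portal is on.
        return "vulnerable" if captive_portal_enabled else "patched_except_opennds"
    return "vulnerable"


def triage(inventory):
    """inventory: iterable of (hostname, version string, captive portal enabled)."""
    return {host: assess(ver, portal) for host, ver, portal in inventory}


# Constructed inventory for the demo (not real devices).
SAMPLE_INVENTORY = [
    ("router-01", "ALEOS 4.17.0", True),
    ("router-02", "4.16.0", False),
    ("router-03", "4.9.9", False),
    ("router-04", "4.9.9", True),
    ("router-05", "4.9.7", False),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print("%-12s %s" % (host, status))
```

Anything that comes back as `vulnerable` needs either the 4.17.0 upgrade or, on the 4.9.x branch, the captive portal disabled until it can be upgraded.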

What are Sierra AirLink Routers?

Have you ever wondered how the Wi-Fi on public transport works? Or how all the machinery in a huge workshop is connected and centrally managed even though it moves around? Sierra's devices are one answer. Their routers are industrial-grade wireless connectivity devices used in dozens of industries, from public transportation all the way to aerospace and defense.

Sierra Airlink stats by countries

What is particularly concerning here is the extensive use of AirLink routers in critical infrastructure. Factories and transportation matter, but water treatment, emergency services and energy management are relied on around the clock. Since IoT devices attract attackers' attention more and more often, action should be taken promptly. Given how widely vulnerable AirLink devices are deployed in the US, they may be the perfect Achilles' heel for cyberattacks targeting critical infrastructure and even government.

SLP DDoS Amplification Vulnerability Actively Exploited
https://gridinsoft.com/blogs/slp-ddos-amplification-vulnerability-exploited/
Published: Fri, 10 Nov 2023

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has raised the alarm over an actively exploited high-severity flaw in the Service Location Protocol (SLP). Tracked as CVE-2023-29552, the vulnerability allows attackers to mount denial-of-service (DoS) attacks with a substantial amplification factor. The warning follows the disclosure of the flaw by Bitsight and Curesec in April 2023.

Vulnerability Overview

Rated CVSS 7.5, the vulnerability is a DoS weakness in the Service Location Protocol. It allows unauthenticated remote attackers to register services on an SLP server and then use spoofed UDP traffic to orchestrate a DoS attack with a notable amplification factor. SLP is a protocol for service discovery among systems on a local area network (LAN); exposed to the Internet, it becomes an avenue for abuse.

While this threat was mostly theoretical before, it is now being exploited in the wild by real attackers. The less time you give them to find out that you run a vulnerable SLP service, the lower the chance it will be abused.

DDoS amplification attack

The DoS amplification attack leveraging CVE-2023-29552 is straightforward but potent. Instead of bombarding the target directly, the attacker first registers services on an intermediary SLP server, then sends small requests crafted so that the server answers with much larger responses. The key move is forging the source address of those requests so they appear to come from the target's IP: the server then delivers the amplified responses to the target. With enough such reflectors, an attacker can flood even well-protected targets.
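To make the two halves of that attack visible on the wire, here is an added Python audit of SLPv2 datagrams; it is not from CISA, Bitsight or Curesec. The header layout follows RFC 2608 (version, function ID, 3-byte length, flags, extension offset, XID, language tag). The script flags service registrations arriving from outside your own prefix, which is how the attack is set up, and reports the reply-to-request byte ratio per responder, which is the amplification it offers. The datagrams, addresses and prefix are constructed; the `build_slp()` helper exists only to construct that sample traffic.

```python
import ipaddress
import struct
from collections import defaultdict

SLP_PORT = 427
FUNCTIONS = {1: "SrvRqst", 2: "SrvRply", 3: "SrvReg", 4: "SrvDeReg", 5: "SrvAck",
             6: "AttrRqst", 7: "AttrRply", 8: "DAAdvert", 9: "SrvTypeRqst",
             10: "SrvTypeRply", 11: "SAAdvert"}


def parse_slp_header(datagram: bytes) -> dict:
    """Decode the fixed SLPv2 header (RFC 2608 section 8)."""
    if len(datagram) < 14:
        raise ValueError("too short for an SLPv2 header")
    version, function = datagram[0], datagram[1]
    if version != 2:
        raise ValueError("unsupported SLP version %d" % version)
    length = int.from_bytes(datagram[2:5], "big")
    flags = struct.unpack("!H", datagram[5:7])[0]
    next_ext = int.from_bytes(datagram[7:10], "big")
    xid, lang_len = struct.unpack("!HH", datagram[10:14])
    lang = datagram[14:14 + lang_len].decode("ascii", "replace")
    return {"function": FUNCTIONS.get(function, "unknown(%d)" % function),
            "length": length, "overflow": bool(flags & 0x8000),
            "fresh": bool(flags & 0x4000), "mcast": bool(flags & 0x2000),
            "next_ext": next_ext, "xid": xid, "lang": lang}


def build_slp(function: int, body: bytes, xid: int = 1, flags: int = 0,
              lang: bytes = b"en") -> bytes:
    """Assemble an SLPv2 datagram; used here only to construct sample traffic."""
    length = 14 + len(lang) + len(body)
    return (bytes([2, function]) + length.to_bytes(3, "big") + struct.pack("!H", flags)
            + (0).to_bytes(3, "big") + struct.pack("!HH", xid, len(lang)) + lang + body)


def audit_slp(records, local_prefix: str):
    """records: iterable of (src_ip, dst_ip, payload) for UDP/427 traffic.
    Flags registrations from outside local_prefix and computes, per SLP
    responder, bytes replied per byte requested."""
    net = ipaddress.ip_network(local_prefix)
    remote_regs, req_bytes, rply_bytes = [], defaultdict(int), defaultdict(int)
    for src, dst, payload in records:
        hdr = parse_slp_header(payload)
        if hdr["function"] in ("SrvReg", "SrvDeReg") and ipaddress.ip_address(src) not in net:
            remote_regs.append((src, dst, hdr["function"]))
        elif hdr["function"] in ("SrvRqst", "AttrRqst", "SrvTypeRqst"):
            req_bytes[dst] += len(payload)
        elif hdr["function"] in ("SrvRply", "AttrRply", "SrvTypeRply"):
            rply_bytes[src] += len(payload)
    ratio = {h: round(rply_bytes[h] / req_bytes[h], 1) for h in rply_bytes if req_bytes[h]}
    return {"remote_registrations": remote_regs, "reply_ratio": ratio}


# Constructed sample: an attacker registers bogus services on an exposed SLP
# host, then tiny requests "from" the victim pull back large replies.
SLP_HOST, VICTIM, ATTACKER = "203.0.113.50", "198.51.100.7", "192.0.2.66"
SAMPLE_RECORDS = (
    [(ATTACKER, SLP_HOST, build_slp(3, b"service:bogus-%04d://junk" % i + b"\x00" * 80, xid=i))
     for i in range(20)]
    + [(VICTIM, SLP_HOST, build_slp(1, b"\x00\x00\x00\x07service\x00\x00\x00\x00\x00\x00", xid=100 + i))
       for i in range(5)]
    + [(SLP_HOST, VICTIM, build_slp(2, b"\x00\x00" + b"\x00\x14service:bogus://junk" * 100, xid=100 + i))
       for i in range(5)]
)

if __name__ == "__main__":
    print(audit_slp(SAMPLE_RECORDS, "203.0.113.0/24"))
```

A registration from an address outside your own network is never legitimate for a LAN discovery protocol, so it is the earliest and cheapest signal; the reply ratio tells you how attractive the host already is as a reflector.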

Mitigation Measures

In response to real-world exploitation, federal agencies are required to apply mitigations promptly: CISA set a deadline of November 29, 2023, for securing their networks. The recommended mitigation is to disable the SLP service on systems that operate in untrusted network environments or, where it cannot be disabled, to firewall it off from untrusted networks.

Unfortunately, there is no dedicated fix that stops exploitation without sacrificing functionality. Modern security tooling can, however, make exploitation much harder and catch it when it happens:

  • EDR/XDR
    EDR watches endpoint activity and responds to suspicious behaviour as the first line of defence. XDR extends the same detection and response beyond endpoints to the network, cloud and identity layers, giving a broader view of an attack in progress.
  • SIEM/SOAR
    A SIEM aggregates and correlates security event logs into one overview of your environment, which is where a surge of UDP/427 traffic or a flood against one host first becomes visible. A SOAR automates the response playbook, so that blocking a reflector or disabling an exposed service happens quickly and consistently.
  • Back up your data and keep the backups offline or on a separate network. Backups are the remedy for ransomware: an attacker can do little if you can simply restore everything.
  • Stay informed. Reading the news and current material on cybersecurity is not just a habit but a proactive way of staying ahead of threats like this one.

Mirai variant “Pandora” infects Android TV for DDoS attacks.
https://gridinsoft.com/blogs/mirai-pandora-infects-android-os/
Published: Sat, 09 Sep 2023

A new variant of the Mirai malware botnet has been detected infecting low-cost Android TV set-top boxes, which millions of people use for media streaming. According to the analysts, the Trojan is a fresh edition of the ‘Pandora’ backdoor first identified in 2015.

The campaign targets low-cost Android TV boxes such as the Tanix TX6, MX10 Pro 6K and H96 MAX X3. These devices have quad-core processors, so even a small swarm of them can launch powerful DDoS attacks.

Mirai Botnet Aims Android-based TV Boxes

The botnet reaches devices in two ways: through malicious firmware updates signed with publicly available Android test keys, and through malicious apps distributed on sites aimed at users looking for pirated content. In the first case, the firmware updates are either installed by device resellers or downloaded by users who are lured by promises of unrestricted media streaming or better app compatibility.

The malicious service is placed in ‘boot.img’, the image containing the kernel and ramdisk loaded during Android boot-up, which makes it an excellent persistence mechanism.

Malicious service

The second distribution channel uses pirated-content apps, which offer access to collections of copyrighted TV shows and movies for free or at a low cost. Security experts have identified Android apps that deliver the new Mirai variant to devices. Here is an example:

Site dropping malware

In this case, the malicious apps surreptitiously start the ‘GoMediaService‘ during the initial launch and set it to auto-start when the device boots up.

When the ‘gomediad.so‘ service is called, it unpacks multiple files, including a command-line interpreter that runs with elevated privileges (‘Tool.AppProcessShell.1‘) and an installer for the Pandora backdoor (‘.tmp.sh‘).

GoMedia service structure

Once started, the backdoor contacts its C2 server, replaces the system HOSTS file, updates itself and then waits for commands from its operators. It can launch DDoS attacks over TCP and UDP, including SYN, ICMP and DNS floods, open a reverse shell, mount system partitions for modification, and perform other functions.
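For owners who want to check a box themselves, here is an added Python example (not from the original researchers) that inspects files pulled from a device with adb for the indicators named above: a HOSTS file that has been replaced to redirect well-known domains, and the GoMediaService, gomediad.so, Tool.AppProcessShell.1 and .tmp.sh names. The sample HOSTS content and file listing are constructed, the watched domain list is an assumption, and the adb commands in the comments are the standard pull and find invocations.

```python
import re

# Names taken from the analysis above; treat any hit as a strong indicator.
SUSPECT_NAMES = {"gomediad.so", "GoMediaService", "Tool.AppProcessShell.1", ".tmp.sh"}

# Domains a TV box has no business redirecting (assumption: extend with your own).
WATCH_DOMAINS = ("google.com", "googleapis.com", "android.com", "play.google.com")

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}


def scan_hosts(text: str):
    """Return HOSTS entries that point watched domains at a non-loopback address.
    A stock Android /etc/hosts contains only the localhost lines."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        for name in names:
            if addr not in LOOPBACK and any(name == d or name.endswith("." + d)
                                            for d in WATCH_DOMAINS):
                hits.append((name, addr))
    return hits


def scan_paths(paths):
    """Match a file listing (e.g. from `adb shell find / -xdev 2>/dev/null`)
    against the indicator names, comparing basenames only."""
    pat = re.compile("|".join(re.escape(n) for n in SUSPECT_NAMES))
    return sorted({p for p in paths if pat.search(p.rsplit("/", 1)[-1])})


def triage_device(hosts_text: str, paths):
    findings = {"hosts_overrides": scan_hosts(hosts_text),
                "suspect_files": scan_paths(paths)}
    findings["infected"] = bool(findings["hosts_overrides"] or findings["suspect_files"])
    return findings


# Constructed sample input (not taken from a real device).
SAMPLE_HOSTS = """127.0.0.1 localhost
::1 ip6-localhost
# injected by the backdoor
198.51.100.23 www.google.com play.google.com
"""
SAMPLE_PATHS = [
    "/system/bin/sh", "/system/lib/libc.so",
    "/data/app/com.example.stream/lib/arm/gomediad.so",
    "/data/local/tmp/.tmp.sh",
]

if __name__ == "__main__":
    # Typical collection: adb pull /system/etc/hosts hosts.txt
    #                     adb shell find / -xdev 2>/dev/null > paths.txt
    print(triage_device(SAMPLE_HOSTS, SAMPLE_PATHS))
```

A clean device yields an empty list on both checks; a HOSTS override alone is already enough to treat the box as compromised, since the malware rewrites that file before anything else.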

IoC Mirai Botnet

What devices are at risk?

Budget-friendly Android TV boxes often travel an uncertain path from manufacturer to consumer, leaving the end user unaware of their origin, of any firmware modifications, and of the hands they have passed through.

Even cautious consumers who keep the original ROM and are selective about the apps they install face a lingering risk of malware preloaded on the device. It is advisable to choose streaming devices from trusted brands such as Google Chromecast, Apple TV, NVIDIA Shield, Amazon Fire TV and Roku.

Safety recommendations

Android TV users should install apps only from the official app store and pay attention to the permissions an app requests. If a streaming app asks for access to your contacts or location, which it has no need for, it is best to avoid it, as it could be malware. It is also important not to download or install cracked apps, since their contents are often infected with malware of some kind.

Wise Remote Trojan: Infostealer, RAT, DDoS Bot, and Ransomware
https://gridinsoft.com/blogs/wise-remote-trojan-infostealer-rat-ddos-bot-and-ransomware/
Published: Mon, 10 Jul 2023

Wise Remote Stealer is a potent and malicious software that operates as an infostealer, Remote Access Trojan (RAT), DDoS bot, and ransomware. It has gained notoriety within the cybersecurity community due to its extensive range of capabilities and the threat it poses to individuals and organizations.

Unveiling the Wise Remote Stealer

Security researchers have shed light on a growing menace known as “Wise Remote”. Sold as Malware-as-a-Service (MaaS), it is a highly adaptable tool whose capabilities include remote access, DDoS botnet recruitment, data theft and extortion, a combination that should worry organizations and individuals alike.

The Stealthy Proliferation of Wise Remote Stealer

Wise Remote Stealer on cracked[.]io forum

Since it first appeared in early June, Wise Remote Stealer has been advertised on hacker forums such as HF and cracked[.]io. Its creators keep refining the tool and demonstrate it on Discord and Telegram, and the malware has reportedly already affected over a thousand victims, cementing its reputation as a significant threat.

Written in a mix of Go, C++, C# and Python, Wise Remote primarily targets Windows 8, 10 and 11. Its developers use a variety of evasion techniques to slip past conventional antivirus, and all communication with the command-and-control (C2) server, hosted in Switzerland, is encrypted.

The Tactical Ingenuity of Wise Remote

Wise Remote operates with calculated precision, showcasing a level of sophistication that sets it apart from other malicious tools. Through cloud-based module imports and strategic data storage within the victim’s disk, it carefully conceals its activities. Once the sensitive information has been exfiltrated, the malware meticulously erases all traces, leaving behind no digital footprints.

Subscribers to this nefarious service gain access to a comprehensive builder, allowing for customization and fine-tuning of the malware’s appearance and behavior. Remarkably, the resulting payloads rarely exceed 100 kilobytes, facilitating rapid dissemination and maximizing its reach.

The existing capabilities of Wise Remote Stealer are indeed alarming:

  • Systematic collection of extensive system information, providing cybercriminals with a wealth of valuable data.
  • Creation of a potent reverse shell, granting complete remote access and control over the compromised system.
  • Facilitation of additional malicious file downloads and executions, enabling expansion of the attack surface.
  • Extraction of critical data from web browsers, encompassing saved passwords, cookies, banking credentials, bookmarks, browsing history, and installed extensions, resulting in a treasure trove of personal information.
  • Theft of funds from unsuspecting victims’ cryptocurrency wallets, inflicting significant financial damage.
  • Seamless covert operation, opening and interacting with websites undetected, masquerading as legitimate user activity.
  • Stealthy capture of screenshots, potentially compromising sensitive and confidential information.
  • Utilization of the AppData folder as a discreet repository for surreptitiously uploaded files.
  • Empowerment of attackers to customize and tailor malicious agents and modules to suit specific targets and preferred attack vectors.
  • Camouflaging its tracks by manipulating system logs, erasing any trace of malicious activities, evading detection.

The Command Hub of Wise Remote

Serving as the central command hub, Wise Remote boasts a potent control panel that bestows unprecedented oversight and control over a vast network of up to 10,000 infected machines. With a single command, the operator can unleash devastating DDoS attacks or orchestrate a range of malicious activities, amplifying the disruptive potential of this malware.

As the cybersecurity community races to counter this emerging threat, the significance of Wise Remote becomes increasingly evident. Its adaptability, sophistication, and capacity for stealth underline the need for robust security measures and unwavering vigilance in today’s rapidly evolving digital landscape.

Russian Hacker Project DDoSIA Grew by Multiple Times
https://gridinsoft.com/blogs/russian-hacker-project-ddosia/
Tue, 04 Jul 2023 14:21:11 +0000

The post Russian Hacker Project DDoSIA Grew by Multiple Times appeared first on Gridinsoft Blog.
Analysts of the Sekoia company reported that the Russian DDoSia hacker project grew by 2400% in less than a year. That project pays volunteers to participate in attacks on Western organizations. More than 10,000 people are currently involved in the attacks.

DDoS-for-hire services have become particularly popular over the last years. We recently did a review of the most popular ones. And if you are interested in records, read how Cloudflare Recorded the Most Powerful DDoS Attack in the History of Observations.

What is the DDoSIA project?

DDoSIA project appeared back in fall 2022. Then the Radware company announced that the project was launched in August 2022 by the group NoName057(16). The latter, however, appeared only in March 2023, as a pro-Russian hacker group. They created a DDoSia project in Telegram, where the operators posted a link to GitHub with instructions for potential “volunteers”.

These “volunteers” were invited to register via Telegram to receive a ZIP archive with the malware (dosia.exe). The archive contains a unique ID for each user. The most interesting feature of this project was that participants could link their ID to a cryptocurrency wallet and receive money for participating in DDoS attacks, with the payment proportional to the capacity provided by each participant.

As Sekoia experts now say, the DDoSia platform has grown significantly over the past year and has about 10,000 active participants who contribute to DDoS attacks. At the same time, more than 45,000 people have already subscribed to the hackers’ main Telegram channels (all seven of them). Besides instructions on what to do with DDoSia attacks, the platform has improved its toolkit and now offers binaries for all major operating systems.

How does it work?

Registration of new users is fully automated through the Telegram bot, which supports only the Russian language. New participants start by providing a TON (Telegram Open Network) wallet address to receive cryptocurrency, and in response the bot creates a unique client ID and provides a text file for help.

Next, new participants receive a ZIP-archive containing a tool for attacks. As of April 19, 2023, the archive included the following files:

  1. d_linux_amd64 – ELF 64-bit LSB executable, x86-64;
  2. d_linux_arm – ELF 32-bit LSB executable, ARM;
  3. d_mac_amd64 – Mach-O 64-bit x86-64 executable;
  4. d_mac_arm64 – Mach-O 64-bit arm64 executable;
  5. d_windows_amd64.exe – PE32+ (console) x86-64 executable for Microsoft Windows;
  6. d_windows_arm64.exe – PE32+ (console) Aarch64 executable for Microsoft Windows.

To run these payloads, the text file with the client ID must be placed in the same folder as the binaries themselves, which hinders unauthorized execution of the files by IT experts and other «outsiders».

Internal mechanism of the DDoSIA project

After that, the DDoSia client opens a command prompt, where participants receive a list of targets in encrypted form and can pick a specific target to attack. Experts studied the 64-bit Windows executable and found that it is a binary written in Go that uses AES-GCM encryption to communicate with the control server. The C&C server transmits the DDoSia target ID, host IP address, request type, port and other attack parameters to the client in encrypted form, and all of this is then decrypted locally.

DDoSIA attack code

DDoSIA Massively Attacks Lithuania, Ukraine and Poland

Sekoia researchers collected data about DDoSia targets communicated by the server controlling the attacks for the period from May 8 to June 26, 2023. Mostly, the group and its «volunteers» targeted organizations from Lithuania, Ukraine and Poland, which together accounted for 39% of the project’s total activity.

Chart of countries attacked by DDoSIA

Analysts noted that DDoSia attacked a total of 486 different sites. In May and June, the crooks focused on attacks on educational platforms, possibly to disrupt end-of-school exams. In summary, the DDoSia project has already reached a size large enough to create serious problems for its targets. Who knows what will happen when they grow even more?

Condi Malware Builds a Botnet from TP-Link Routers
https://gridinsoft.com/blogs/condi-malware-builds-a-botnet/
Fri, 23 Jun 2023 10:18:20 +0000

The post Condi Malware Builds a Botnet from TP-Link Routers appeared first on Gridinsoft Blog.
In May 2023, a new Condi malware, focused on DDoS for hire, appeared. It builds a botnet and conducts attacks using vulnerabilities in TP-Link Archer AX21 (AX1800) Wi-Fi routers. Fortinet experts report that the Condi malware targets the CVE-2023-1389 vulnerability associated with command injection without authentication. The bug allows remote code execution via the router management interface API.

Condi Botnet Resides In TP-Link Routers

This problem was discovered at the Pwn2Own hacker competition last December, and in March 2023, TP-Link developers released a firmware update to version 1.1.4 Build 20230219, where the bug was fixed. It is worth noting that the Mirai botnet had already exploited this vulnerability at the end of April.

Let me also remind you that we wrote that Mirai Botnet RapperBot Conducts DDoS Attacks on Game Servers, and also that New MDBotnet Malware Rapidly Expands a DDoS Network. The AX1800 is a popular 1.8Gbps (2.4GHz and 5GHz) Linux-based Wi-Fi 6 router model, most commonly used by home users, small offices, shops, cafes and so on. The researchers’ report notes that the attackers behind Condi not only rent out the power of their botnet but also sell the source code of their malware; that is, they are engaged in very aggressive monetization, which will result in the emergence of numerous forks of the malware with various functions.

Condi’s Darknet website, which offers a wide range of services

What is Condi Malware?

Since the mentioned vulnerability is not used exclusively by Condi, the malware has a mechanism that kills any processes belonging to competing botnets and also stops its own old versions. Condi has no persistence mechanism and does not survive a device reboot. To avoid losing the device, its authors came up with the idea of deleting the following files, without which the device can no longer be shut down or restarted:

  1. /usr/sbin/reboot
  2. /usr/bin/reboot
  3. /usr/sbin/shutdown
  4. /usr/bin/shutdown
  5. /usr/sbin/poweroff
  6. /usr/bin/poweroff
  7. /usr/sbin/halt
  8. /usr/bin/halt
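A defender-side integrity check for the binaries listed above, added here as an example; it is not Condi’s, Fortinet’s or Gridinsoft’s code. It assumes a Linux-style layout under a root directory and, as an assumption beyond the article’s list, also looks in /sbin and /bin where many embedded builds keep these commands; the two filesystems it inspects are constructed in temporary directories.

```python
"""Check whether reboot/shutdown/poweroff/halt are still usable on a device.

Added example, not Condi's, Fortinet's or Gridinsoft's code. The /usr paths
are the ones listed in the article; /sbin and /bin are added on the
assumption that many embedded Linux builds keep the commands there.
"""
import os
import tempfile

COMMANDS = ("reboot", "shutdown", "poweroff", "halt")
DIRS = ("/usr/sbin", "/usr/bin", "/sbin", "/bin")  # /sbin and /bin: assumed extras


def check_power_binaries(root="/"):
    """Return (missing_commands, usable_paths, broken_links) for the tree at root.

    One absent path is normal: few systems ship all eight files from the
    article's list. The condition worth alerting on is a command with no
    usable copy in any directory, which is what the wipe described above
    produces. Busybox-style symlinks whose target was removed are reported
    separately, since os.path.exists() is False for them.
    """
    usable_paths, broken_links = [], []
    has_copy = {cmd: False for cmd in COMMANDS}
    for cmd in COMMANDS:
        for d in DIRS:
            path = os.path.join(root, d.lstrip("/"), cmd)
            if os.path.islink(path) and not os.path.exists(path):
                broken_links.append(path)
            elif os.path.isfile(path) and os.access(path, os.X_OK):
                usable_paths.append(path)
                has_copy[cmd] = True
    missing = [cmd for cmd in COMMANDS if not has_copy[cmd]]
    return missing, usable_paths, broken_links


def make_stubs(root, paths):
    """Create executable stub scripts at the given paths (constructed test data)."""
    for p in paths:
        full = os.path.join(root, p.lstrip("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(full, 0o755)


def demo():
    """Inspect two constructed trees: a healthy one and one after the wipe."""
    healthy = tempfile.mkdtemp(prefix="healthy-")
    # Only the /sbin copies exist: the article's /usr paths are all absent,
    # yet every command remains usable, so nothing should be flagged.
    make_stubs(healthy, [f"/sbin/{c}" for c in COMMANDS])

    wiped = tempfile.mkdtemp(prefix="wiped-")
    # After the wipe only unrelated binaries remain, plus a dangling
    # busybox-style link for halt whose target is gone.
    make_stubs(wiped, ["/usr/bin/ls", "/bin/sh"])
    os.symlink(os.path.join(wiped, "bin", "busybox"), os.path.join(wiped, "bin", "halt"))
    return check_power_binaries(healthy), check_power_binaries(wiped)


if __name__ == "__main__":
    for label, report in zip(("healthy", "wiped"), demo()):
        missing, usable, broken = report
        print(f"{label}: missing={missing} usable={len(usable)} broken={broken}")
```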

In order to infect vulnerable routers, the malware scans public IP addresses with open ports 80 or 8080 and sends hard-coded requests that download and execute a remote shell script, which infects the device.

Code of the mentioned malicious script

The researchers also mention that some Condi samples use not only CVE-2023-1389 to spread but also other bugs, so it seems that the hackers are experimenting with the infection mechanism. In addition, analysts found samples that use a shell script with ADB (Android Debug Bridge), which means the malware also seems to spread through devices with an open ADB port (TCP/5555). This is assumed to be a consequence of other hackers having already bought the Condi source code and adjusted it to their needs.

DDoS-for-Hire: Booter, Stresser and DDoSer
https://gridinsoft.com/blogs/ddos-for-hire-used-by-hacktivists/
Thu, 01 Jun 2023 11:17:50 +0000

The post DDoS-for-Hire: Booter, Stresser and DDoSer appeared first on Gridinsoft Blog.
Most people think you must be a hacker to participate in cyberattacks. However, as the last year has shown, downloading specific software or paying money is sometimes enough. Moreover, with the advent of DDoS-for-hire, you don’t need a PC to carry out cyberattacks since remote specially created servers are used for this purpose. But why are DDoS attacks so popular?

What is a DDoS Attack?

In short, DDoS attacks are malicious attempts to disrupt the normal functioning of a network, service, or website by overwhelming it with a flood of traffic from multiple sources. A DDoS attack aims to exhaust the target’s resources, such as bandwidth, processing power, or memory, rendering it inaccessible to legitimate users. In a DDoS attack, the attacker typically controls a network of compromised computers called a botnet. Its machines, often infected with malware, are used to launch coordinated attacks on the target. The attacker commands the botnet to send a massive volume of traffic to the target, overwhelming its capacity to handle requests and causing it to slow down or crash. Why is this so popular? First of all, it doesn’t take much: a DDoS attack can be launched by anyone with a computer and Internet access. Secondly, in the case of a botnet, victims’ devices can participate in attacks without their owners even being aware of it.

Hacktivism and DDoS Attacks

The reason for the recent rise of DDoS attacks and, particularly, DDoS-for-hire services is hacktivist activity. Hacktivism has evolved from loosely structured groups to a more mature ecosystem with diverse motivations and sources. It got a massive boost particularly after the beginning of the Russia-Ukraine war. As a result, hacktivist groups have become more organized and conduct military-like operations with precise positioning and clear objectives. Although hacktivists have different tools at their disposal, as practice has shown, they often use DDoS.

In general, the topic of DDoS is very popular among hacktivists, and for good reason. In most cases, to take part in a DDoS attack, you have to type a couple of commands into a terminal or download and run a utility. The application will do the rest, and the user only needs to provide the resources of his device. However, DDoS-for-hire services, which provide massive power for some money and do not require the provision of your machine’s resources or the installation of anything in return, are becoming increasingly popular. In other words, the user pays money to the service and gives the address of the server/site to be attacked. As a result, the service does everything without the user’s intervention. Next, we will examine the most popular DDoS services among hacktivists over the last year.

DDoS-for-hire tools and services used during 2023

DDoS-for-hire, also known as DDoS booter or IP stresser services, refer to renting out or purchasing DDoS attack services from cybercriminals. These services allow individuals or organizations to launch powerful Distributed Denial of Service (DDoS) attacks against targeted websites or online services. These services typically utilize botnets and networks of compromised computers to generate attack traffic and overwhelm the target’s resources. Here are DDoS tools and DDoS-for-hire services used by attackers and hacktivist groups in 2023 for their malicious campaigns against the government and individuals.

Cyberbooter.su DDoS Panel

Stressbot is a website that offers DDoS-for-hire services starting from $30 per month. It is operated by Aleksey Chekaldin, who also runs a Telegram channel promoting the service. The DDoS attack methods offered include layer 4 and layer 7 attacks. Research evidence shows the pro-Pakistani hacktivist group Team_insane_pk using Stressbot to target India and Israel. The group is allegedly led by ‘xxINSANExx’ and shares a link to a status-check website as proof of compromise.

Ziyaettin DDoS Botnet

Ziyaettin is a Telegram-based DDoS bot service that offers various attack methods, including layer 4 and 7 attacks. Its owner operates a public Telegram channel with over 1,500 subscribers. They recently launched a browser plugin for easy attacks with a 20-30K RPS capability. The service has been endorsed by hacktivist groups in Telegram channels.

The Ziyaettin Telegram channel reports an update to the DDoS bot

Tesla Botnet

A DDoS botnet, Tesla, has been active since April 28, 2023, with services starting at USD 50 per month. The pro-Russian threat actor Radis operates the Telegram channel promoting their tool and two other channels for buyers to post reviews. They specialize in DDoS attacks on onion websites with their private method called ‘TOR-KILLER’. However, Tesla Bot offers other DDoS attack methods, such as MACAN-TLS, HTTP-FLOOD, and SMYKL-FLOOD. The TA recently launched a browser plugin feature and has targeted the United States Department of Defense websites, a Russian financial services provider, and the Central Intelligence Agency.

Neferian Empire DDoS Botnet

Neferian Empire is offering a command line-based DDoS tool that claims to bypass DDoS attack protection services provided by top companies. The tool can launch 50 million requests per second for a Layer 7 attack and up to 1.2 terabytes per second for a Layer 4 attack. They have marketed this tool on their Telegram channel, offering other malicious tools. To promote their tool, the group has shown live attacks on high-value organizations, including Interpol and the US Department of Defense.

A post in the Telegram channel about an attack on LinkedIn

SkyElite-Net DDoS

A DDoS bot called SkyElite-Net was launched on May 8, 2023, by the TA skyzz. They have two Telegram channels, one for private DDoS methods and services and the other for posting reviews. On May 22, they launched a new method called ‘Sky-Bypass’ that claims to bypass OVH and Cloudflare DDoS protection. The TA skyzz746 is also a member of the Khalifah cyber community.

Artemis C2 DDoS Botnet

Artemis C2 is a DDoS botnet, operating since May 1, 2023, with services starting at USD 15 per month. It specializes in launching DDoS attacks on Rainbow Six Siege and Minecraft servers. The botnet is maintained by cryptopsycho and ritz, who promote it on a Telegram channel with 141 subscribers. They plan to launch a Discord server, an Onion website, and a store on Sellix. Artemis offers amplification, layer 4, layer 7, and private DDoS attack methods. Team_insane_pk, a pro-Pakistani hacktivist group, has promoted Artemis for their DDoS campaigns targeting India. Still, sources suggest no links with the developer.

DDosia Project

NoName057(16) created DDosia, which uses Windows bots to perform DDoS attacks on those who support Ukraine. Volunteers download the bot and register a cryptocurrency wallet for monetary benefits later. Then, the bot registers with the group’s command-and-control infrastructure and launches attacks on specified targets. The group also targets adversaries with Android devices and has two Telegram channels with thousands of subscribers.

‘NoName057(16)’ brags about attacking the Italian military Carabinieri website

DDoS Protection Recommendations

To prevent and minimize the impact of DDoS attacks, it’s essential to have a business continuity and disaster recovery plan ready. In addition, you should analyze your network’s daily traffic, monitor network activities and logs, and preserve attack logs. Also, employ multiple defense strategies, deploy appropriate DDoS prevention systems, scan for vulnerabilities, and patch them. Maintain contact with ISPs and vendors, implement filtering and bogon blocking, and allocate traffic to unaffected network paths. In case of an attack, block the attack sources, disable non-essential ports/services, and periodically check the integrity of critical application files.

New MDBotnet Malware Rapidly Expands a DDoS Network
https://gridinsoft.com/blogs/mdbotnet-malware-ddos-network/
Tue, 30 May 2023 16:36:47 +0000

The post New MDBotnet Malware Rapidly Expands a DDoS Network appeared first on Gridinsoft Blog.
MDBotnet is a new malware strain that appears to be the backbone of a botnet used in DDoS-as-a-Service attacks. Being a backdoor biased towards networking commands, it appears to be another sample of Russian malware. Analysts already report IPs related to this botnet being used in DDoS attacks. Let’s see why it is so special and how you can avoid having trouble with MDBotnet.

MDBotnet Malware Description

Darknet posts that offer DDoS attack services are nothing unusual. MDBotnet developers published a copy-paste post that promotes their services for just 2,500 rubles (~$31). They promise the ability to attack any kind of web resource, and even offer to test their capacities in short attacks. The DDoS-as-a-Service model is still pretty new, so the hackers likely attract clients by offering low prices, support and refunds. A strange detail, however, is that right below the statement about the price they say that prices for all resources are individual.

Post on one of the Darknet forums that promotes MDBotnet services; it is present on several other resources as well

All negotiations happen in a Telegram channel, which is becoming a new trend. Moreover, the hackers are not selling the malware itself, just the ability to use its botnet. This can make reacting to changes in this threat slightly harder. Fortunately, samples of MDBotnet malware are widely available despite such conspiracy.

MDBotnet analysis

The currently circulating samples of MDBotnet do not appear to be protected in any way. Neither encryption nor encoding is applied; the malware does not use any kind of obfuscation or PE section bloating. That, however, may be the outcome of delivering the samples with dropper malware: on an already infected system, there’s no need to fool the antivirus program. However, it could also simply be neglect of protective measures. Other malware families typically offer a suitable workaround for payload encryption, but I could not find any recommended or used with MDBotnet.

The payload assembly contains 2 sections and 3 modules; the Config section appears immediately after the initial C2 connection, where the malware receives the configuration file. The modules mostly speak for themselves, as they are responsible for the key program functionality: DDoS attacks done with different methods. The malware is capable of performing a SYN Flood attack and an HTTP GET attack. It also carries an updater module, which periodically connects to the C2 and requests possible updates. This is an uncommon approach, as most malware families have updates initiated from the command server side.

DDoS attack capabilities

I’ve mentioned SYN Flood and HTTP GET attacks as ones MDBotnet can perform. The latter, however, is not very exciting, as there is nothing sophisticated or extraordinarily efficient about this attack. In this mode, malware simply sends an HTTP GET request to the target server, hoping to jam it. Though a botnet large enough can promptly jam even pretty big sites.

Piece of MDBotnet’s code responsible for the HTTP GET attack

The SYN attack, however, has some interesting details. Instead of sending data to the target server, the malware in this mode repeatedly requests to establish a TCP connection with the target. During the TCP handshake, the target server responds with a SYN-ACK packet but never receives the ACK packet back from the attacker. That leaves the connection half-open, with the server holding state for it; by sending numerous connection requests, it is possible to seriously disrupt the server’s operation.

An interesting detail about the MDBotnet configuration is that the SYN module may be excluded at compile time. This may be a sign that the malware will receive more functions in the future, with modules enabling other attack vectors delivered by a command from the C2 server.
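Detection logic for the two attack modes described above, added here as an example; it is not MDBotnet’s code and not Gridinsoft’s. It assumes `ss -tan`-style connection lines and combined-format web access logs; all addresses, timestamps and thresholds are constructed sample values, not observed indicators.

```python
"""Detect the two MDBotnet attack modes described above in local telemetry.

Added example, not MDBotnet's code and not Gridinsoft's. It assumes
`ss -tan`-style connection lines and combined-format web access logs;
the addresses, timestamps and thresholds below are constructed sample
values, not observed indicators.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone


def half_open_by_source(ss_lines):
    """Count SYN-RECV (half-open) entries per peer address in `ss -tan` output."""
    counts = Counter()
    for line in ss_lines:
        fields = line.split()
        if len(fields) >= 5 and fields[0] == "SYN-RECV":
            peer = fields[4].rsplit(":", 1)[0]  # drop the port; handles [v6]:port too
            counts[peer] += 1
    return counts


def syn_flood_suspects(ss_lines, per_source=20):
    """Return (suspect_peers, total_half_open).

    Per-source counting fits the mode described above, where each bot really
    opens connections from its own address. A flood with spoofed sources is
    spread over many addresses instead, so the total number of half-open
    connections (compare it with net.ipv4.tcp_max_syn_backlog on Linux) is
    returned as well.
    """
    counts = half_open_by_source(ss_lines)
    suspects = sorted(peer for peer, n in counts.items() if n >= per_source)
    return suspects, sum(counts.values())


LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_access_line(line):
    """Parse one combined-format line into (ip, datetime, method, path, status)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)


def get_flood_suspects(log_lines, window_s=10, threshold=50):
    """Return clients that issued >= threshold GETs inside any window_s seconds."""
    times = defaultdict(list)
    for line in log_lines:
        rec = parse_access_line(line)
        if rec and rec[2] == "GET":
            times[rec[0]].append(rec[1])
    suspects = []
    window = timedelta(seconds=window_s)
    for ip, stamps in times.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                suspects.append(ip)
                break
    return sorted(suspects)


def sample_ss_lines():
    """Constructed `ss -tan` snapshot: one peer holding 30 half-open connections."""
    lines = ["State Recv-Q Send-Q Local Address:Port Peer Address:Port"]
    lines += [f"SYN-RECV 0 0 10.0.0.5:443 203.0.113.7:{40000 + i}" for i in range(30)]
    lines += [f"SYN-RECV 0 0 10.0.0.5:443 198.51.100.4:{50000 + i}" for i in range(3)]
    lines += [f"ESTAB 0 0 10.0.0.5:443 198.51.100.9:{52000 + i}" for i in range(5)]
    return lines


def sample_access_lines():
    """Constructed access log: 60 GETs in six seconds from one client, 5 slow ones from another."""
    base = datetime(2023, 5, 30, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    stamp = lambda dt: dt.strftime("%d/%b/%Y:%H:%M:%S +0000")
    lines = [fmt.format(ip="192.0.2.10", ts=stamp(base + timedelta(milliseconds=100 * i)), path="/")
             for i in range(60)]
    lines += [fmt.format(ip="192.0.2.11", ts=stamp(base + timedelta(seconds=20 * i)), path=f"/p{i}")
              for i in range(5)]
    return lines


if __name__ == "__main__":
    print("SYN suspects, total half-open:", syn_flood_suspects(sample_ss_lines()))
    print("GET flood suspects:", get_flood_suspects(sample_access_lines()))
```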

Protection Against MDBotnet

The answer to the “how to protect” question here depends on the type of a threat you are trying to protect yourself from. Avoiding being a part of the botnet requires a different treatment than preventing DDoS attacks. Let’s review them one by one.

Avoid malware sources as hard as possible. These days, those are most often software cracks and email spam. While the former is pretty easy to reject, email spam may be tricky, as hackers sometimes do their best to make the email look more convincing. Though, they cannot repeat all the details at once – be attentive to email addresses and naming conventions.

Use anti-malware software. Having a proper protective tool will make it much easier to avoid the infection. Even if the threat is already running, anti-malware software will make your system clean in just a few clicks. However, to make sure that even the most evasive threats will not get away, you should use advanced solutions like GridinSoft Anti-Malware. It is effective even against the newest threats that feature packing and encryption.

For corporate protection, there is a separate class of solutions. It is quite attractive for botnet masters to add an entire corporate network to their possession. To prevent this from happening, consider choosing an appropriate EDR/XDR solution, depending on the size and extensiveness of your network. Auxiliary solutions that will ease data collection and response orchestration will be a pleasant addition.

Apply network monitoring tools. This advice works both against an active threat within your network and against attacks from outside. Even a simple firewall, when set up properly, can filter out malicious traffic, regardless of where it comes from. Fortunately, IP addresses of large botnets that are currently active are commonly available from dedicated sources. NDR solutions, on the other hand, will not only filter out the traffic but also help prevent further issues.
