distributed denial of service Archives - IT Security Guru https://www.itsecurityguru.org/tag/distributed-denial-of-service/ Wed, 05 Dec 2018 12:37:03 +0000

‘Dalhousie is under fire’: Anonymous attacks websites over claimed inaction after alleged frat-house rape https://www.itsecurityguru.org/2016/04/18/dalhousie-fire-anonymous-attacks-websites-claimed-inaction-alleged-frat-house-rape/ Mon, 18 Apr 2016 09:50:54 +0000

Anonymous, a global hacktivist group, attacked websites associated with Halifax’s Dalhousie University in retaliation for claimed inaction by the school and local police over an alleged frat-house rape.
As the distributed denial-of-service (DDoS) attacks were launched last week and over the weekend, members of a Halifax-based cell of Anonymous released a video statement again naming the alleged attacker and suggesting his family’s influence within Halifax may be the reason charges have not been laid.
“Dalhousie is under fire,” a spokesman for Halifax Nova Scotia Anonymous told the National Post. “Doing nothing is not an option. Every day that goes by without charges being laid tells the women of Halifax not to go forward with their complaints of rape.”
 
Original Source: The National Post

The post ‘Dalhousie is under fire’: Anonymous attacks websites over claimed inaction after alleged frat-house rape appeared first on IT Security Guru.

What's a Russian DDoS Booter Making for its Proprietors? https://www.itsecurityguru.org/2016/03/03/whats-russian-ddos-booter-making-proprietors/ Thu, 03 Mar 2016 15:58:16 +0000

At the end of 2014, ASERT presented research where we mapped some DDoS booter advertisements on Russian language forums to their behind-the-scenes DDoS botnet infrastructures. For this post, we will follow up on that research a bit by looking at another one of these mappings and trying to estimate the revenue generated by the DDoS service.
It Starts With an Advertisement
In this marketplace, it almost always starts with an advertisement for a DDoS booter service on one of the many public Russian language forums. In this case study, a threat actor known as “Forceful” runs the service. Searching for their ICQ number and/or Jabber address returns a number of advertisements starting circa November 2014. Here is an example advertisement (Google translated):
[image: ad (the advertisement, Google translated)]
These types of ads typically contain:

  • A fancy logo, banner, or motto
  • Short explanation of what DDoS is
  • Type of DDoS attacks they support
  • Pricing
  • Reputation information
  • Contact details

Then Pivots on an OPSEC Mistake
What these ads usually don’t contain, however, are the command and control (C2) details of their botnets used to carry out the purchased DDoS attacks. Making the jump from ad to botnet usually requires the threat actor making a public operational security (OPSEC) mistake. These mistakes come in a number of flavors and this was one of Forceful’s:
[images: av_test_p1, av_test_p2]
The actor was participating in a forum discussion about a crypter, a tool used to encrypt or obfuscate malware executables so that they evade antivirus detection and are harder to analyze. As with the other participants in the thread, Forceful posted a screenshot of the results of a virus scanning service to test how effective the crypter was on a malware sample. At the bottom of the screenshot, it lists the following hashes of the crypted executable:

  • cf87f70901a1f16015bd10c289e8c3ed (MD5)
  • d361e3ddfc4e6f03ed7bad5586934854478708a5 (SHA1)
  • Compilation Date: 2015-09-19 12:39:43

Forceful’s mistake was that instead of deleting the test executable, it was distributed into the wild. Once released, it was picked up by ASERT’s malware zoo and others.
The Malware
This malware’s C2 domain is “kypitest[.]ru” and its phone home looks like:
[image: phonehome]
The HTTP request exhibits telltale signs of the G-Bot DDoS bot. Visiting the bot’s C2 panel confirms this suspicion:
[image: kypitest_panel]
The following sample is also related:

  • 7ab6d627c7149ec88909a90bd64ce6e1 (MD5)
  • 4fab28b1bbce94f077861ca2d9d8299b005fa961 (SHA1)
  • Compilation Date: 2015-07-02 12:57:16

The Attacks
ASERT keeps tabs on DDoS botnets and their attack activity with our BladeRunner botnet monitoring system, and kypitest[.]ru is no exception. The first attack we logged for this botnet was on July 9, 2015 and there has been steady activity since:
[image: attacks]
At the time of this writing, attacks have been observed on 108 unique target hosts/IPs in the following countries:
[image: countries]
Attacks can be categorized into the following types:
[image: attack_types]
A Second OPSEC Mistake Helps Corroborate
While a self-identified DDoS threat actor posting an MD5 hash of a known DDoS malware feels like a solid link between a DDoS-as-a-service advertisement and a DDoS botnet, a second OPSEC mistake by the threat actor has helped strengthen their association with kypitest[.]ru. On November 11, 2015 Forceful started a forum thread (including ICQ instant messaging logs) complaining that another forum (tophope[.]ru) had unfairly deleted their DDoS advertisement:
[image: opsec2]
The Google translation of the thread wasn’t great, but a colleague fluent in Russian provided helpful translations of some of the more interesting parts:

So, I’ve decided to bring up my old thread [link] today and found out that it was deleted without any notification. Tried to contact someone in chat – no response, tried to contact admin guy “Nerom” – no response either. Well, I’ve decided to “charge” their forum for 1-2 hours, just to test. In the couple minutes angry admin contacts me

Nerom: You disclosed yourself
Nerom: I’ll get to the police department today
Nerom: to make a statement about it
555762555: Well, you wanted a test
555762555: how this is not a test?
Nerom: Well, the test wasn’t valid
Nerom: You attacking the server without protection

Nerom: I’ve made a statement
Nerom: your IP is being checked
Nerom: someone will pay you a visit tomorrow

Two days later, on November 11, 2015, BladeRunner observed the following:
[image: bladerunner_attacks]
This is a multi-pronged DDoS attack ordered by the kypitest[.]ru C2 against the above-referenced forum and its hosting IP address.
The Estimation
Before running the numbers, let’s take a look at a specific attack. Starting on August 8, 2015 at around 08:47 an “.httpflood” attack was launched against a cryptocurrency mining pool. The attack continued for two days and about 21 hours, until August 11, 2015 at around 06:07. Per an August 8th post to the mining pool’s Reddit, it looks as if this attack was unfortunately successful:
[image: comment (Reddit post)]
The threat actor’s pricing is available in the DDoS booter ad:

  • Daily – $60
  • Weekly – $400
  • 10% discount on orders of $500
  • 15% discount on orders of $1000

An hourly price isn’t specified in the ad, so a price of $2.50 ($60/24 hours = $2.50) is used here. With these prices, the estimated revenue generated by the above attack was:

2 days x $60 + 21 hours x $2.50 = $172.50 (rounded to $173)

Using this methodology on the other observed attacks, the following estimations were made:
[image: numbers (per-attack estimation table)]
BladeRunner polls botnets about once an hour, so attack durations of less than one hour are not as precise. In addition, per Forceful’s ad they offer a free 5-10 minute test, so it is feasible that many of these entries are quick tests. For these two reasons they are not counted towards revenue estimation.
Related domains and IPs in the same timeframe were grouped together in the same attack. Attacks highlighted in yellow are on the same target, but were performed multiple days apart.
In the end, the total estimated revenue for the 82 attacks from July 9, 2015 to October 18, 2015 was $5,408. The mean estimated revenue per attack was $66 and the mean estimated revenue per day was $54.
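The estimation rule above (whole days at the daily price, remaining whole hours at the derived $2.50 hourly price, sub-hour entries excluded, half-dollars rounded up as the post does for $172.50), written out as an added example that is not code from the ASERT post. The pricing tiers are the ones quoted from the ad; the attack records are constructed sample data, one of them modelled on the mining-pool attack described above.

```python
# Added example (not code from the ASERT post): the post's revenue-estimation
# rule applied to attack records. Pricing tiers are the ones quoted from the
# ad; the attack records are constructed sample data, one of them modelled on
# the mining-pool .httpflood attack the post walks through.
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

DAILY_RATE_USD = 60.0
HOURLY_RATE_USD = DAILY_RATE_USD / 24   # $2.50: the ad lists no hourly price
POLL_INTERVAL_HOURS = 1                 # BladeRunner polls botnets about hourly
# The weekly price and the $500/$1000 volume discounts are not applied,
# matching the post's per-attack methodology.


@dataclass
class Attack:
    target: str          # constructed label, not a real observed target
    kind: str            # attack type as named by the bot, e.g. ".httpflood"
    start: datetime
    end: datetime

    @property
    def hours(self) -> float:
        return (self.end - self.start).total_seconds() / 3600


def _round_half_up(value: float) -> int:
    # The post rounds $172.50 to $173; Python's round() would give 172.
    return int(value + 0.5)


def estimate_revenue(attack: Attack) -> Optional[int]:
    """Estimated price of one attack in whole dollars, or None if excluded.

    Attacks shorter than the poll interval are excluded: their duration is
    imprecise and they may be the free 5-10 minute test offered in the ad.
    Whole days are billed at the daily rate and the remaining whole hours at
    the derived hourly rate (2 days + 21 hours -> $172.50 -> $173).
    """
    if attack.hours < POLL_INTERVAL_HOURS:
        return None
    days, rem_hours = divmod(int(attack.hours), 24)
    return _round_half_up(days * DAILY_RATE_USD + rem_hours * HOURLY_RATE_USD)


def summarize(attacks: List[Attack]) -> Dict[str, int]:
    """Totals and means in the form the post reports them."""
    priced = [estimate_revenue(a) for a in attacks]
    counted = [r for r in priced if r is not None]
    total = sum(counted)
    first = min(a.start for a in attacks).date()
    last = max(a.end for a in attacks).date()
    window_days = max((last - first).days, 1)   # observation window, as in the post
    return {
        "attacks_counted": len(counted),
        "attacks_excluded": len(priced) - len(counted),
        "total_usd": total,
        "mean_per_attack_usd": _round_half_up(total / len(counted)) if counted else 0,
        "mean_per_day_usd": _round_half_up(total / window_days),
    }


# Constructed sample data (not the post's 82 observed attacks).
SAMPLE_ATTACKS = [
    Attack("pool.example", ".httpflood", datetime(2015, 8, 8, 8, 47), datetime(2015, 8, 11, 6, 7)),
    Attack("shop.example", ".httpflood", datetime(2015, 7, 9, 10, 0), datetime(2015, 7, 9, 15, 0)),
    Attack("blog.example", ".httpflood", datetime(2015, 7, 20, 10, 0), datetime(2015, 7, 20, 10, 8)),
    Attack("forum.example", ".httpflood", datetime(2015, 9, 1, 0, 0), datetime(2015, 9, 2, 0, 0)),
]

if __name__ == "__main__":
    for a in SAMPLE_ATTACKS:
        print(f"{a.kind:11} {a.target:14} {a.hours:6.2f} h -> {estimate_revenue(a)}")
    print(summarize(SAMPLE_ATTACKS))
```

Applied to the post's own figures, the same arithmetic reproduces its means: $5,408 over 82 counted attacks gives $66 per attack, and over the 101-day window from July 9 to October 18 gives $54 per day.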
Conclusion
As we see in Arbor’s most recent Worldwide Infrastructure Security Report (WISR), the average cost to the victim of a DDoS attack is around $500 per minute. And as we’ve seen above, the mean cost to the attacker is only $66 per attack. This finding highlights both the extreme asymmetry between the economics of DDoS attackers and those of their victims, and the importance of robust DDoS defenses for every organization that depends on its online presence for revenue, customer support, and other important business functions. The cost to launch a DDoS attack is so low that the barrier to entry for attackers is practically nil, which means that *any* organization can potentially be the target of a DDoS attack.
Additionally, it’s important to understand that the economics of the booter/stresser operator are extremely favorable. The operator leverages PCs, servers, and IoT devices such as home broadband routers to set up a DDoS-as-a-service enterprise with zero infrastructure and bandwidth costs, because the service clandestinely and illegally uses infrastructure and connectivity that belongs to others. The operator doesn’t pay taxes on the illicit proceeds of the service, and hundreds or even thousands of attackers can use the service simultaneously to launch DDoS attacks, boosting its tax-free, cost-free revenues considerably.

The post What's a Russian DDoS Booter Making for its Proprietors? appeared first on IT Security Guru.

BTCC Bitcoin Trader Blackmailed with DDoS Attacks https://www.itsecurityguru.org/2016/01/04/btcc-bitcoin-trader-blackmailed-with-ddos-attacks/ Mon, 04 Jan 2016 09:57:04 +0000

BTCC is the latest victim of the Bitcoin-for-DDoS extortion scheme, but unfortunately for the attacker, the company was financially capable of implementing better DDoS protection measures and making the attacker go away.

The first DDoS attack took place on December 31, as Crypto Currency News reports, and seemed to be quite small in capacity. As soon as the attack ended, the company, a well-known Bitcoin trader, received a ransom email from the (currently unknown) attacker.

The email warned the company of more DDoS attacks unless they’d pay a ransom of 1 Bitcoin (around $425). On January 1, the attacker continued its assault, launching a 10 Gbps attack.

Original source: Softpedia


The post BTCC Bitcoin Trader Blackmailed with DDoS Attacks appeared first on IT Security Guru.

BBC, Trump web attacks "just the start," says hacktivist group https://www.itsecurityguru.org/2016/01/04/bbc-trump-web-attacks-just-the-start-says-hacktivist-group/ Mon, 04 Jan 2016 09:49:02 +0000

The group that claimed responsibility for taking down the BBC’s global website last week has said the attack was “just the start.”
On Saturday, a group calling itself New World Hacking also claimed responsibility for an attack that downed Republican presidential candidate Donald Trump’s campaign website for about an hour.
The cause of the attack was a massive distributed denial-of-service (DDoS) attack, which relies on pummeling a web server with so much traffic that it crumbles under the weight and stops responding.
DDoS attacks are widely used, and simple to carry out, often by online groups with the aim of bringing down websites for extended periods.
 
Original source: ZDNet

The post BBC, Trump web attacks "just the start," says hacktivist group appeared first on IT Security Guru.

Kremlin hit by "very powerful" DDoS attack https://www.itsecurityguru.org/2015/09/18/kremlin-hit-by-very-powerful-ddos-attack-2/ Fri, 18 Sep 2015 11:14:50 +0000

The Kremlin has reportedly been hit by what they have described as a “very powerful” distributed denial of service attack – also known as a DDoS attack. The attack is reported to have targeted the nation’s electoral commission.
A similar attack was made on Sunday, which targeted the official website of Russian president, Vladimir Putin.
As many as 50,000 requests per minute were made in the attacks, according to Vladimir Churov, chairman of Russia’s electoral commission. Churov also announced that the attack was based in the United States, saying that a company in San Francisco has already been identified as the source of the attack.
DDoS attacks work by flooding a network with requests, bringing applications or websites down because they cannot cope with the heavy traffic. Additionally, experts such as Dave Larson, CTO at Corero Network Security, have said in the past that DDoS attacks can mask other nefarious activities such as network profiling, aiding hackers in their next attack.

The post Kremlin hit by "very powerful" DDoS attack appeared first on IT Security Guru.

GitHub DDoSed! https://www.itsecurityguru.org/2015/08/26/github-ddosed/ Wed, 26 Aug 2015 11:15:13 +0000

In today’s news: Web-based Git repository service GitHub has been under a distributed denial of service, or DDoS attack. The service’s status page reported a ‘brief capacity overload’ before the site identified the DDoS attack on Tuesday morning.

The post GitHub DDoSed! appeared first on IT Security Guru.

Cisco IOS-XE update time: Squash that DoS bug https://www.itsecurityguru.org/2015/07/30/cisco-ios-xe-update-time-squash-that-dos-bug/ Thu, 30 Jul 2015 09:06:31 +0000

Bad error message handling has opened up Cisco’s IOS-XE versions prior to 3.13S to a remote denial-of-service (DoS) attack.
The company’s threat advisory hints that the exploit was brought to Cisco’s attention by an independent researcher, since it states that “functional exploit code exists; however, the code is not known to be publicly available.”
IOS XE is a Linux daemon version of the Borg’s operating system that abstracts routing functions away from platform-specific interfaces.
The problem Cisco has now patched deals with how the daemon triggers error messages for packets it can’t reassemble. “When an affected device fails to successfully perform reassembly, instead of silently dropping the fragments, the ATTN-3-SYNC_TIMEOUT error message may be triggered,” it explains.
 

The post Cisco IOS-XE update time: Squash that DoS bug appeared first on IT Security Guru.

Planned Parenthood reports second website hack in a week https://www.itsecurityguru.org/2015/07/30/planned-parenthood-reports-second-website-hack-in-a-week/ Thu, 30 Jul 2015 09:04:42 +0000

Planned Parenthood said electronic traffic to its websites was snarled by computer hackers on Wednesday in the second cyber attack mounted against the healthcare organization this week amid a controversy over alleged sales of aborted fetal tissue.
Websites operated by Planned Parenthood and its political branch, Planned Parenthood Action, were clogged by a wide-scale “distributed denial-of-service,” or DDoS, attack, the organization said.
In such attacks, a web server is deliberately flooded with massive amounts of data to block access from legitimate users.
Service was restored shortly after the attack, but the group opted to keep its websites offline for the remainder of the day “to ensure that we are fully protected,” Dawn Laguens, executive vice president of the Planned Parenthood Federation of America, said in a statement.
Visitors to Planned Parenthood sites, which serve some 200,000 people a day seeking information on reproductive health, birth control, sexually transmitted diseases, parenting, abortion and other topics, were being redirected to its Facebook pages for the time being, Laguens said.
The cyber attack, she said, “only shows how far opponents of safe and legal abortion will go.”
It was the second time in as many days Planned Parenthood’s websites were reported to have been breached by hackers.
The group said on Tuesday it had notified the FBI that “extremists who oppose Planned Parenthood’s mission and services” had launched an attack on its information systems.
 

The post Planned Parenthood reports second website hack in a week appeared first on IT Security Guru.

ITSG News – Routers Enslaved by DDoS Attackers https://www.itsecurityguru.org/2015/07/06/itsg-news-routers-enslaved-by-ddos-attackers/ Mon, 06 Jul 2015 09:25:35 +0000

Attackers are reportedly carrying out DDoS attacks by using version one of the routing information protocol.

The post ITSG News – Routers Enslaved by DDoS Attackers appeared first on IT Security Guru.
