Category Archives: DDoS

Crooks exploit exposed Docker APIs to build AESDDoS botnet

Cybercriminals are exploiting misconfigured Docker Engine APIs exposed to the Internet to break into containers and run the Linux bot AESDDoS.

Attackers are exploiting an API misconfiguration in Docker Engine-Community, the open-source edition of the popular DevOps tool, to get into containers and run the Linux bot AESDDoS (Backdoor.Linux.DOFLOO.AA).

Threat actors are actively scanning the Internet for Docker APIs exposed on TCP port 2375 and using them to deliver malicious code that drops the AESDDoS Trojan.

“In this new attack, the threat actor first externally scans a given IP range by sending a TCP SYN packet to port 2375, the default port used for communicating with the Docker daemon.” reads the analysis published by Trend Micro. “Once an open port is identified, a connection asking for running containers is established. When a running container is spotted, the AESDDoS bot is then deployed using the docker exec command, which allows shell access to all applicable running containers within the exposed host. Hence, the malware is executed within an already running container while trying to hide its own presence.”

AESDDoS has been active since at least 2014 and has been used to build large DDoS botnets; in some cases it has also been used in cryptojacking campaigns.

In recent months, threat actors focused their attention on misconfigured Docker services that could be abused for several malicious purposes.

“A batch file first executes the WinEggDrop scanner (s.exe), which tries port 2375 on various hosts with Chinese IP address ranges specified in the ip.txt file.” states the report. “The output of this command is saved into a file named ips.txt, which is then fed into the Docker.exe file.

We have also observed that the threat actor abuses a tool called the Docker Batch Test Tool that was developed to detect vulnerabilities in Docker.”

The malware also collects system information and sends it back to the C2 server; depending on the hardware configuration reported, the attackers can choose which activity to carry out (e.g. launching DDoS attacks or mining cryptocurrency).

In the campaign observed by Trend Micro, the bot was deployed with the docker exec command into containers already running on the misconfigured hosts.

The malware could allow the attackers to launch several types of DDoS attacks, including SYN, LSYN, UDP, UDPS, and TCP flood.

The analysis published by Trend Micro includes technical details of the attacks and a list of Indicators of Compromise (IOCs).

In March, hundreds of Docker hosts were compromised in cryptojacking campaigns exploiting the CVE-2019-5736 runc vulnerability disclosed in February.

To secure Docker hosts, admins should allow only trusted sources to access the Docker API. Below are some recommendations provided by Trend Micro.

“Docker explicitly warns against setting the Docker daemon to listen on port 2375 as this will give anyone the ability to gain root access to the host where the daemon is running, hence access to the API and address must be heavily restricted.” concludes the report.

“To prevent container-based incidents from happening, organizations can follow these guidelines:

  • Check API configuration. 
  • Implement the principle of least privilege. 
  • Follow recommended best practices. 
  • Employ automated runtime and image scanning to gain further visibility into the container’s processes (e.g., to determine if it has been tampered with or has vulnerabilities).”
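The first of those guidelines, checking the API configuration, is the one that would have stopped this campaign. The script below is an added example for this article, not code from Trend Micro's report or from the Docker project. It reads the two places dockerd takes its listening sockets from (the "hosts" key in /etc/docker/daemon.json and -H/--host flags on the systemd ExecStart line) and flags the pattern described above: a plain tcp:// listener reachable from the network with no --tlsverify, which hands unauthenticated root on the host to whoever finds port 2375. The daemon.json and ExecStart samples are constructed for the example.

```python
"""Audit how dockerd exposes its API (added example, not code from the
Trend Micro report or the Docker project).

dockerd takes its listening sockets from two places: the "hosts" key in
/etc/docker/daemon.json and -H/--host flags on the systemd ExecStart line.
This flags the pattern behind the AESDDoS campaign: a plain tcp:// listener
reachable from the network with no --tlsverify, i.e. unauthenticated root
on the host. The daemon.json and ExecStart samples below are constructed.
"""
import json
import shlex
from ipaddress import ip_address
from urllib.parse import urlparse

PLAIN_PORT = 2375  # dockerd's default TCP port when no TLS flags are given
TLS_PORT = 2376    # dockerd's default TCP port when TLS is enabled

SEVERITY_ORDER = {"ok": 0, "medium": 1, "critical": 2}


def hosts_from_execstart(execstart):
    """Return the -H / --host values from a dockerd ExecStart= command line."""
    tokens = shlex.split(execstart)
    hosts = []
    for i, tok in enumerate(tokens):
        if tok in ("-H", "--host") and i + 1 < len(tokens):
            hosts.append(tokens[i + 1])
        elif tok.startswith(("-H=", "--host=")):
            hosts.append(tok.split("=", 1)[1])
    return hosts


def is_loopback_bind(addr):
    """True only for loopback binds; dockerd treats an empty host as 0.0.0.0."""
    if addr == "localhost":
        return True
    try:
        return ip_address(addr).is_loopback   # "0.0.0.0" and "::" are not loopback
    except ValueError:                        # empty string or a hostname
        return False


def audit_docker_hosts(daemon_json=None, execstart=None):
    """Classify every listener dockerd would open.

    Returns a list of (host, severity, reason) with severity in
    {"ok", "medium", "critical"}.
    """
    cfg = json.loads(daemon_json) if daemon_json else {}
    flag_tokens = shlex.split(execstart) if execstart else []
    hosts = list(cfg.get("hosts", [])) + hosts_from_execstart(execstart or "")
    if not hosts:
        hosts = ["unix:///var/run/docker.sock"]  # dockerd's default listener

    # Client-certificate verification may be enabled from either config source.
    tls_verify = bool(cfg.get("tlsverify")) or any(
        t in ("--tlsverify", "--tlsverify=true") for t in flag_tokens)

    findings = []
    for host in hosts:
        url = urlparse(host)
        if url.scheme in ("unix", "fd", "npipe"):
            findings.append((host, "ok", "local socket; access controlled by file permissions"))
            continue
        if url.scheme != "tcp":
            findings.append((host, "medium", "unrecognised scheme, review manually"))
            continue
        bind = url.hostname or ""
        port = url.port or (TLS_PORT if tls_verify else PLAIN_PORT)
        if tls_verify:
            findings.append((host, "ok", f"tcp/{port} requires a client certificate"))
        elif is_loopback_bind(bind):
            findings.append((host, "medium",
                             f"plain tcp/{port} on loopback: any local user gets root-equivalent API access"))
        else:
            findings.append((host, "critical",
                             f"plain tcp/{port} reachable from the network: unauthenticated root on the host"))
    return findings


def worst_severity(findings):
    """Highest severity in an audit result ("ok" when nothing was found)."""
    return max((sev for _, sev, _ in findings), key=SEVERITY_ORDER.__getitem__, default="ok")


# Constructed samples: the exposure from the article, and two corrected forms.
EXPOSED_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
EXPOSED_EXECSTART = ("/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 "
                     "--containerd=/run/containerd/containerd.sock")
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
LOOPBACK_EXECSTART = "/usr/bin/dockerd -H unix:///var/run/docker.sock -H tcp://127.0.0.1:2375"

if __name__ == "__main__":
    cases = [("daemon.json exposed", EXPOSED_DAEMON_JSON, None),
             ("ExecStart exposed", None, EXPOSED_EXECSTART),
             ("daemon.json hardened", HARDENED_DAEMON_JSON, None),
             ("ExecStart loopback", None, LOOPBACK_EXECSTART)]
    for label, dj, es in cases:
        findings = audit_docker_hosts(dj, es)
        print(f"{label}: {worst_severity(findings)}")
        for host, sev, reason in findings:
            print(f"  [{sev}] {host}: {reason}")
```

Two caveats from dockerd's own behaviour. It refuses to start when "hosts" is set both in daemon.json and via -H on the command line, and the Debian and Ubuntu packages already pass -H fd:// in the unit file, so an extra TCP listener is normally found in a systemd drop-in rather than in daemon.json; audit both. A loopback bind is still rated medium because the API has no authorization of its own: any local user who can reach the socket can start a privileged container. Even a correct --tlsverify setup on 2376 should sit behind a firewall rule, since the port will still answer the SYN scan described in the report.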

Pierluigi Paganini

(SecurityAffairs – containers, hacking)


The post Crooks exploit exposed Docker APIs to build AESDDoS botnet appeared first on Security Affairs.

Massive DDoS attack hit Telegram, company says most of junk traffic is from China

Encrypted messaging service Telegram was hit by a major DDoS attack that apparently originated from China and was likely linked to the ongoing political unrest in Hong Kong.

Telegram was used by protesters in Hong Kong to evade surveillance and coordinate demonstrations against a proposed law that would allow extraditions from the city to mainland China.

The city is facing its worst political crisis since its 1997 handover from Britain to China.

While protesters clashed with police, who responded with tear gas and rubber bullets, Telegram suffered a massive Distributed Denial of Service (DDoS) attack. Users mainly in South and North America were affected by a significant outage, although problems were observed by users worldwide.

Hackers used a huge botnet to generate the traffic that made Telegram servers inaccessible.

However, users in other locations were also affected, as some people in Australia reported problems with loading video content.


According to Pavel Durov, Telegram's CEO, most of the junk traffic originated from China.

Telegram kept its users updated via Twitter and has since restored normal operation.

Telegram is one of the most popular encrypted instant messaging apps that currently has over 200 million monthly active users.

Telegram is currently blocked in China by the country's Great Firewall. Many in Hong Kong fear that Beijing will increase its influence over the city.

“The city’s special status under its handover agreement allows freedoms unseen in mainland China, but many fear they are under threat as Beijing exerts increasing influence on Hong Kong.” states the AFP.

“The current protests were sparked by fears that the proposed law would allow extraditions to China and leave people exposed to the mainland’s politicised and opaque justice system.”

Pierluigi Paganini

(SecurityAffairs – Hong Kong, DDoS)

The post Massive DDoS attack hit Telegram, company says most of junk traffic is from China appeared first on Security Affairs.

Global communications service providers struggling to fend off growing number of DDoS attacks

Global communications service providers, whose businesses are predicated on continuous availability and reliable service levels, are struggling to fend off a growing number of DDoS attacks against their networks. A lack of timely and actionable intelligence is seen as a major obstacle to DDoS protection, according to A10 Networks. The critical need for DDoS protection The A10 Networks study conducted by the Ponemon Institute highlights the critical need for DDoS protection that provides higher levels … More

The post Global communications service providers struggling to fend off growing number of DDoS attacks appeared first on Help Net Security.

How to Secure Your Information on AWS: 10 Best Practices

The 2017 Deep Root Analytics incident that exposed the sensitive data of 198 million Americans, or almost all registered voters at the time, should remind us of the risks associated with storing information in the cloud. Perhaps the most alarming part is that this leak of 1.1 terabytes of personal data was avoidable. It was […]… Read More

The post How to Secure Your Information on AWS: 10 Best Practices appeared first on The State of Security.

Cyber Security Roundup for April 2019

The UK government controversially gave Huawei a green light to get involved in building the UK's 5G networks, although the Chinese tech giant's role will be limited to non-sensitive areas of the network, such as providing antennas. The decision, made by Theresa May, came days after US intelligence announced that Huawei was Chinese state funded, and amid reports of historical backdoors in Huawei products, stoking up the Huawei political and security row even further this month; the leak of the decision resulted in the UK Defence Secretary, Gavin Williamson, being sacked.
The National Cyber Security Centre (NCSC) launched a free online tool called "Exercise in a Box", designed by the UK's cyber intelligence boffins to help organisations prepare for and manage major cyber attacks. The premise is that the tool will help UK organisations avoid scenarios such as the 2017 WannaCry attack, which devastated NHS IT systems and placed patient lives at risk.
 
German drug manufacturing giant Bayer found a malware infection said to originate from a Chinese group called "Wicked Panda". The malware in question was Winnti, which is well known in the security industry; it allows remote access into networks, letting hackers deliver further malware and conduct exploits. In my view, the presence of Winnti is a sure sign of a covert and sustained campaign by a sophisticated threat actor, likely focused on espionage given the company's sector. Bayer stressed there was no evidence of data theft, but said it was still investigating.
 
Another manufacturing giant severely hit by a cyber attack this month was Aebi Schmidt. A ransomware outbreak impacted its business operations globally, with most of the damage occurring at its European base. The ransomware wasn't named, but it left multiple Windows systems on the company's presumably flat network paralysed.
 
Facebook may have announced the dawn of its "privacy evolution" at the end of April, but its privacy woes continue, after UpGuard researchers found and reported 540 million Facebook member records on an unsecured AWS S3 bucket. The "Cultura Colectiva" dataset contained 146GB of data with 540 million records including comments, likes, reactions, account names, Facebook IDs and more. It looks like Facebook really has its work cut out in restoring its users' faith in its protection of their privacy.
 
UK businesses saw a significant increase in cyber attacks in 2019 according to a report by insurer Hiscox, with 55% of respondents reporting they had faced a cyber attack in 2019, up from 40% the year before.
 
A survey by the NCSC concluded most UK users are still using weak passwords. Released just before the CyberUK 2019 conference in Glasgow, which I was unable to attend due to work commitments, it found the most common password on breached accounts was "123456", used by 23.2 million accounts worldwide. Next on the list were "123456789", "qwerty", "password" and "1111111". Liverpool was the most common Premier League football team used as a password, and Blink 182 the most common music act. The NCSC also published a separate analysis of the 100,000 most commonly recurring passwords that have been accessed by third parties in global cyber breaches. So passwords remain the biggest Achilles' heel in our security.

The UK hacktivist threat came back to the fore this month, after the Anonymous group took revenge on the UK government for arresting WikiLeaks founder Julian Assange by attacking Yorkshire councils. I am not sure what Yorkshire's link with Assange actually is, but the website for Barnsley Council was taken down by a DDoS attack; a tweet from the group CyberGhost404 linked to the crashed Barnsley Council website and said "Free Assange or chaos is coming for you!". A tweet from an account called 'Anonymous Espana', with an image, suggested they had access to Bedale Council's confidential files and were threatening to leak them.
 
Microsoft Outlook.com, Hotmail and MSN users were reported as having had their accounts compromised. TechCrunch revealed the breach was caused by hackers getting hold of a customer support technician's login credentials. Over two million WiFi passwords were found exposed in an open database by the developer of WiFi Finder, an app that helps users find and log into hotspots. Two in every three hotel websites leak guest booking details and personal data according to a report; over 1,500 hotels in 54 countries failed to protect user information.
 
Finally, but not least, a great report by Recorded Future on the rise of the dark web business of credential stuffing, titled "The Economy of Credential Stuffing Attacks". The report explains how low-level criminals use automated 'checker' tools to validate compromised credentials before selling them on.

I am aware of school children getting sucked into this illicit world; it typically starts with them seeking to take over better online game accounts after their own account is compromised, and they quickly end up with more money than they can spend. Aside from keeping an eye on what your children are up to online as a parent, it goes to underline the importance of using a unique, complex password for every web account (use a password manager or vault to help you; see the password security section on the Security Expert website). And always use Multi-Factor Authentication where available, and if you suspect or are informed that your account 'may' have been compromised, change your password straight away.


What’s the greater risk to UK 5G, Huawei backdoors or DDoS?

Have we been focusing too much on the Huawei backdoor threat instead of the DDoS threat facing the incoming 5G network infrastructure? Lee Chen, CEO at A10 Networks, thinks so.

The size and sophistication of distributed denial-of-service (DDoS) attacks have risen at an ever-accelerating pace. As new 5G networks become operational, we expect the size of attacks will dwarf these records. This is primarily due to the increase in IoT devices that 5G will introduce, with the number set to reach 4.1 billion globally by 2024. Each device is a perfect nest for botnets carrying malware, offering a new DDoS weapon for hackers to take advantage of.

Service providers will need to evolve rapidly with these growing threats and adopt intelligent automation to detect and mitigate security anomalies in a matter of seconds. Sophisticated DDoS threat intelligence, combined with real-time threat detection and automated signature extraction, will allow the marketplace to defend against even the most massive multi-vector DDoS attacks, no matter where they originate.


The Huawei threat remains a political football; there is still uncertainty over whether the Chinese telecoms giant's network devices will be banned in the UK or not. I have updated my post, Is Huawei a Threat to UK National Security?, with the latest developments.