Cyberattacks Archive

Wikipedia, the seventh most popular website in the world, went offline in several countries on Friday because of a cyber attack.

Wikipedia Hit By DDoS Attack

The online encyclopedia confirmed that a malicious attack was behind outages of the site in Europe and some parts of the Middle East.

The attack appears to have started before 7 p.m. BST on Friday and left the site inaccessible to users in the UK, France, Germany, The Netherlands, Italy, and parts of the Middle East.

In a tweet, Wikipedia said that the Wikimedia Foundation servers hosting Wikipedia had been paralyzed by a massive distributed denial-of-service (DDoS) attack. The Wikimedia Foundation, the nonprofit organization behind Wikipedia, corroborated this in an official statement.

“Today, Wikipedia was hit with a malicious attack that has taken it offline in several countries for intermittent periods,” Wikimedia Foundation said. “We condemn these sorts of attacks. They’re not just about taking Wikipedia offline. Takedown attacks threaten everyone’s fundamental rights to freely access and share information.”

The attack was still ongoing when the statement was released on Sept. 7. The Wikimedia Foundation said its Site Reliability Engineering team was still working to stop the attack and restore access to the site.

DDoS Attack

A DDoS attack floods a server with more traffic or connection requests, from many sources at once, than it can handle. The excess load disrupts normal operation: responses slow down and, if the attack continues, the server stops answering legitimate requests altogether.

The botnets that generate this traffic can consist of tens of thousands of computers or internet-connected devices that have been compromised by attackers without their owners' knowledge, all sending requests to the target at the same time.


Wikipedia is one of the most popular websites based on Alexa’s ranking as of June 2019. It was initially an English language encyclopedia when it was launched in January 2001. Today, Wikipedia has more than 40 million articles in 301 different languages.


A 21-year-old Washington man has pleaded guilty to charges related to his role in developing and deploying the infamous Satori IoT botnet.

Kenneth Currin Schuchman, of the Portland suburb of Vancouver, Washington, pleaded guilty to one count of aiding and abetting computer intrusions.

Between July 2017 and October 2018, he’s said to have participated with at least two others in a conspiracy to develop the botnet and use it to launch DDoS attacks against a range of targets. The group is said to have monetized these efforts by selling access to the botnet to others.

Court documents claim Schuchman's speciality was finding new vulnerabilities in IoT devices which could be exploited to conscript them into the botnet.

Satori was originally developed from the source code of Mirai, which was released online in 2016. However, Schuchman, who went by the monikers "Nexus" and "Nexus-Zeta", and co-conspirators "Vamp" and "Drake" built on that code with new features, eventually compromising 100,000 devices.

Continually improving the botnet, they gave new names to the new iterations, such as “Okiru” and “Masuta” — with the latter eventually infecting as many as 700,000 endpoints.

By around March 2018 the botnet had evolved into Tsunami/Fbot, built from tens of thousands of compromised GoAhead cameras and HiSilicon DVR systems.

Schuchman doesn't seem to have practised particularly effective OpSec during his work: the control server he used was registered in his own name.

Even after being indicted in August 2018, he developed another IoT botnet, Qbot, while on supervised release, the court documents claim. He is also said to have called in a swatting attack on "Vamp's" home.

Several sources have told journalist Brian Krebs that UK-resident Vamp was involved in the 2015 attack on TalkTalk and the 2016 Mirai DDoS that overwhelmed DNS service provider Dyn, leading to some of the internet’s biggest websites crashing.


LIHKG, one of the most important websites used to organise pro-democracy protests in Hong Kong, has been hit with a DDoS attack that temporarily took the forum offline this past weekend. And while no one knows for sure who’s behind the attack, we can take an educated guess. The Chinese government is very unhappy, to say the least, about the protests in Hong Kong that have been raging since June.

The DDoS attack, first reported by Bloomberg News, flooded the website’s servers for hours over the weekend, making it impossible for people to log on. The website reports that “some of the attacks were from websites in China.”

LIHKG has been a crucial online forum for the protesters, who are demanding democratic rights under the region’s “one country, two systems” arrangement with China. Protesters even conduct polls on the site to settle disputes about tactics in the leaderless protest movement.

"LIHKG has been under unprecedented DDoS attacks in the past 24 hours," a statement posted to LIHKG reads. "We have reasons to believe that there is a power, or even a national level power behind to organise such attacks as botnets from all over the world were manipulated in launching this attack."

The website says that it was hit with 1.5 billion requests on 31 August over a 16-hour period and has urged users to switch to the mobile web version of the forum if the smartphone app isn't working properly.

The Chinese government is believed to have been behind a similar attack on the messaging service Telegram that happened back in mid-June. The people of Hong Kong have been waiting with dread for China’s People’s Liberation Army (PLA) to invade the semi-autonomous region, as the military has amassed troops just over the border in Shenzhen. It’s not clear whether the PLA will actually invade, but there have been hints by top government leaders over the past few weeks.

LIHKG has been vital for the protesters who use the motto, “Be Water,” a reference to staging civil disobedience in one part of Hong Kong to attract attention before dispersing and quickly moving to another part of the city. The tactic forces police to respond in faraway places and the protesters are often gone by the time the authorities arrive. These fast-adapting methods of protest are only made possible through online organising on services like LIHKG.

YouTube recently dismantled what it called an “influence operation” that may have been operated by the Chinese government to sway western opinion about the protests. Chinese state media have also complained that they’re being discriminated against on US-run social media like Twitter and Facebook, a rather ironic complaint given the fact that mainland Chinese citizens aren’t allowed to access those websites. China’s largest state-run media outlet, Xinhua News, was buying ads on Facebook to smear protesters as violent hooligans before the social media company declared it would no longer take money from the organisation.

Hong Kong’s top politician, Carrie Lam, was caught on audio over the weekend saying that she wished she could quit the job, but was unable. Most Hong Kongers interpreted that to mean Beijing is in control and won’t let her quit. China’s leader, Xi Jinping, took power in 2012 and has done nothing to liberalise the country as some had hoped, instead his regime has delivered strong economic results under tight government control which has kept the wealthy happy.

The young people of Hong Kong realise that this may be their last opportunity to stand up for their rights before Beijing exerts total dominance on the region. And they’ve sworn that they won’t give up.

All we can say as outsiders is that we hear you, we see you, and we’re with you in spirit. Stay strong, Hong Kong.

New data shows that the smallest DDoS attacks are on the rise – and they’re dangerous.

When it comes to distributed denial-of-service (DDoS), it's easy to focus on the goliath attacks. Overpowering major systems requires huge amounts of traffic; that traffic can create knock-on effects for the broader internet which affect individual users, and the big numbers attract big headlines.

Over the last few years, attackers have developed methods which produce some truly staggering volumes of traffic. In a reflected amplification attack, the attacker sends small requests to a third-party server (the reflector) with the source IP address spoofed to that of the intended victim. The server then sends its reply, which is far larger than the request, to the victim rather than to the attacker.

This both obscures the real source of the attack and multiplies its scale. In the case of memcached servers exposed over UDP, the amplification can boost the volume of data by up to 51,000 times; this is how one of the largest DDoS attacks yet verified, against GitHub in early 2018, reached 1.35Tbps. The 2016 attack on DNS provider Dyn, which used the Mirai botnet of compromised IoT devices rather than amplification, likewise knocked out large parts of the internet for many users, including Amazon, Netflix, and Reddit.
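The arithmetic behind the amplification factor, and what a reflection flood looks like from the victim's side, as a worked example added here (not code from the article): the flow records are constructed, the service ports are the real ports of commonly abused UDP reflectors, but the amplification factors are rough published figures used for illustration and the alert thresholds are assumed values.

```python
"""Reflection/amplification DDoS: attacker economics and a flow-level detector.

Added example, not from the original article. The flow records are
constructed; port numbers are the real service ports of commonly abused UDP
reflectors, but the amplification factors are rough published figures used
for illustration, and the alert thresholds are assumed values.
"""
from collections import defaultdict

# Approximate bandwidth amplification factors (bytes returned per byte sent).
# The memcached figure is the ~51,000x the article quotes; the others are
# order-of-magnitude values, not measurements.
AMPLIFICATION = {
    53: 54.0,        # DNS
    123: 556.0,      # NTP monlist
    1900: 30.0,      # SSDP
    11211: 51000.0,  # memcached over UDP
}


def attacker_uplink_needed(target_bps: float, factor: float) -> float:
    """Bandwidth the attacker must send as spoofed requests so that the
    reflectors deliver target_bps to the victim.

    With memcached at ~51,000x, 1.35 Tbps at the victim needs only about
    26.5 Mbps of spoofed requests from the attacker.
    """
    return target_bps / factor


def detect_reflection(flows, window_s, min_bps=1e9, min_bytes_per_pkt=512,
                      min_reflectors=10):
    """Flag destinations receiving a reflection flood.

    flows: NetFlow-like dicts with keys proto, src_ip, src_port, dst_ip,
           bytes, pkts, all observed within one window of window_s seconds.

    Reflection traffic combines three properties that ordinary replies from
    the same services do not:
      - UDP with a *source* port of a reflector service,
      - arriving from many distinct reflector IPs at once,
      - with large packets, because the attacker chose queries that maximise
        the response size.
    """
    agg = defaultdict(lambda: {"bytes": 0, "pkts": 0, "srcs": set(), "ports": set()})
    for f in flows:
        if f["proto"] != "udp" or f["src_port"] not in AMPLIFICATION:
            continue
        a = agg[f["dst_ip"]]
        a["bytes"] += f["bytes"]
        a["pkts"] += f["pkts"]
        a["srcs"].add(f["src_ip"])
        a["ports"].add(f["src_port"])

    alerts = {}
    for dst, a in agg.items():
        bps = a["bytes"] * 8 / window_s
        bytes_per_pkt = a["bytes"] / a["pkts"] if a["pkts"] else 0.0
        if (bps >= min_bps and bytes_per_pkt >= min_bytes_per_pkt
                and len(a["srcs"]) >= min_reflectors):
            alerts[dst] = {
                "bps": bps,
                "bytes_per_pkt": bytes_per_pkt,
                "reflectors": len(a["srcs"]),
                "ports": sorted(a["ports"]),
            }
    return alerts


def sample_flows():
    """Constructed one-second window of flow records (not real traffic)."""
    flows = []
    # 50 abused memcached servers answering requests the attacker sent with
    # the victim's address (203.0.113.10) spoofed as the source.
    for i in range(50):
        flows.append({"proto": "udp", "src_ip": f"198.51.100.{i + 1}",
                      "src_port": 11211, "dst_ip": "203.0.113.10",
                      "bytes": 3_000_000, "pkts": 2100})
    # Ordinary DNS answers to a normal client: same kind of service port, but
    # one source, small packets, negligible volume.
    flows.append({"proto": "udp", "src_ip": "192.0.2.53", "src_port": 53,
                  "dst_ip": "203.0.113.20", "bytes": 120_000, "pkts": 1000})
    # Ordinary HTTPS traffic: ignored because it is TCP.
    flows.append({"proto": "tcp", "src_ip": "192.0.2.80", "src_port": 443,
                  "dst_ip": "203.0.113.30", "bytes": 50_000_000, "pkts": 40000})
    return flows


if __name__ == "__main__":
    print(f"{attacker_uplink_needed(1.35e12, AMPLIFICATION[11211]) / 1e6:.1f} Mbps "
          "of spoofed requests suffice for 1.35 Tbps via memcached")
    for dst, info in detect_reflection(sample_flows(), window_s=1.0).items():
        print(f"reflection flood on {dst}: {info['bps'] / 1e9:.2f} Gbps from "
              f"{info['reflectors']} reflectors on ports {info['ports']}, "
              f"{info['bytes_per_pkt']:.0f} bytes/pkt")
```

The detector keys on the source port rather than the destination because the victim never asked for any of this traffic; the same grouping works over real NetFlow or sFlow exports once the records are mapped to these field names. The uplink calculation is the practical meaning of the amplification factor: mitigation capacity has to be sized against what the reflectors can deliver, not against what the attacker can send.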

The advent of under-the-radar DDoS attacks

When considering DDoS mitigation, then, we might expect cybersecurity professionals’ primary question to be whether or not their system can withstand the brute force of a major DDoS attack. Indeed, a number of vendors advertise how their total DDoS mitigation capacity dwarfs even the largest possible attacks – and this capability is an important component of an effective defence.

However, to view the threat posed by a DDoS attack purely in terms of its size risks overlooking smaller, more targeted incursions; in fact, DDoS is increasingly a matter of much more than goliath brute force. As the cyberthreat landscape evolves, DDoS is turning into a more surgical tool which, used alongside other methods, can do more, and more lasting, damage than simply taking a website offline.

Indeed, the latest research from Neustar's security operations centre shows that while large attacks of 100Gbps and above fell by 64 per cent over the last year, attacks below that size rose. Compared with the same period a year earlier, there was a startling 158 per cent increase in the smallest attacks, of 5Gbps and below, and a 37.5 per cent decrease in average attack size across the board.

This is not due to lack of capability. In reality, staging a major assault has never been less challenging. Where once an attacker may have needed to spend time and resources building out a botnet, hoping to scale it up to the necessary size without being detected, today a botnet can be rented for as little as £20 a day.

Stealth is the new strength

Performing a small-scale attack is a conscious, tactical choice designed to fly under the radar of traditional mitigation strategies.

For many of the most damaging DDoS attacks, the traffic volume is so small that not only does the server stay online, but volume-based defensive tools are never triggered. This stealth approach broadens the scope for protocol attacks that target the devices sitting between the public internet and the target network. Sometimes these are designed to add undue load to a router's CPU; sometimes they target load balancers to limit site usability; sometimes they fill up a firewall's connection state table with half-open sessions, so that the firewall can no longer track new connections and the system is left more vulnerable.

In this way, smaller, more precise DDoS methods can create opportunities for attackers to fulfil their actual goal, whether that is data theft, system intrusion, or business disruption. In some cases, degrading website performance over the long term, rather than disabling the website entirely and triggering a response, constitutes success from the attacker's perspective. And given that, according to recent data from Neustar International Security Council members, just 28 per cent of organisations consider themselves 'very likely' to spot an attack of this size, the appeal of sub-5Gbps attacks is clear.
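A worked example of the state-table point above, added here and not code from the article or from Neustar: a constructed conntrack-style dump in which a slow SYN flood from spoofed sources occupies most of a firewall's connection table while the traffic needed to sustain it is tens of kilobits per second, far below any bandwidth threshold. The table capacity (8192 entries), SYN size and half-open timeout are assumed values an operator would take from their own device; the line format mimics Linux conntrack output.

```python
"""Low-rate state-table exhaustion: a volume threshold never fires, a
state-based check does.

Added example, not code from the article or from Neustar. The connection
records are constructed conntrack-style lines; the table capacity, SYN size
and half-open timeout are assumed values an operator would take from their
own device.
"""
import re
from collections import Counter

SYN_BYTES = 60            # assumed on-the-wire size of a bare TCP SYN with options
HALF_OPEN_TIMEOUT_S = 60  # assumed firewall timeout for an incomplete handshake

# One conntrack-style line: "<proto> <num> <ttl> [<STATE>] src= dst= sport= dport= ...".
# conntrack keeps a TCP flow in SYN_SENT until the server's SYN/ACK is seen and
# in SYN_RECV until the client's ACK completes the handshake; only a completed
# connection becomes ESTABLISHED and [ASSURED].
LINE_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+(?P<ttl>\d+)\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
    r"(?P<rest>.*)$"
)
HALF_OPEN_STATES = {"SYN_SENT", "SYN_RECV"}


def parse_conntrack(dump: str):
    """Parse a conntrack-style table dump into one dict per entry."""
    entries = []
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def exhaustion_report(entries, table_capacity, volumetric_threshold_bps=5e9,
                      fill_alert=0.7):
    """Compare a bandwidth-based alert with a state-based one over the same table."""
    half_open = [e for e in entries
                 if e["proto"] == "tcp" and e["state"] in HALF_OPEN_STATES]
    n = len(half_open)
    # To keep n half-open entries permanently occupied the attacker only has to
    # replace each one before it times out: n / timeout SYNs per second.
    sustain_pps = n / HALF_OPEN_TIMEOUT_S
    sustain_bps = sustain_pps * SYN_BYTES * 8
    fill = len(entries) / table_capacity
    target = Counter(e["dst"] for e in half_open).most_common(1)
    return {
        "entries": len(entries),
        "half_open": n,
        "distinct_sources": len({e["src"] for e in half_open}),
        "target": target[0] if target else None,
        "fill_ratio": fill,
        "sustain_bps": sustain_bps,
        "volumetric_alert": sustain_bps >= volumetric_threshold_bps,
        "state_alert": fill >= fill_alert,
    }


def constructed_table():
    """Build a constructed dump: 40 real HTTPS sessions plus a slow SYN flood
    from 6,000 spoofed sources against 203.0.113.10. Not captured from a device."""
    lines = []
    for i in range(40):
        client, port = f"192.0.2.{i % 8 + 1}", 40000 + i
        lines.append(f"tcp      6 431999 ESTABLISHED src={client} dst=203.0.113.10 "
                     f"sport={port} dport=443 src=203.0.113.10 dst={client} "
                     f"sport=443 dport={port} [ASSURED] mark=0 use=1")
    for i in range(6000):
        src, port = f"198.18.{(i >> 8) & 255}.{i & 255}", 1024 + i
        lines.append(f"tcp      6 {60 - i % 60} SYN_RECV src={src} dst=203.0.113.10 "
                     f"sport={port} dport=443 src=203.0.113.10 dst={src} "
                     f"sport=443 dport={port} mark=0 use=1")
    return "\n".join(lines)


if __name__ == "__main__":
    report = exhaustion_report(parse_conntrack(constructed_table()), table_capacity=8192)
    for key, value in report.items():
        print(f"{key:>18}: {value}")
```

In the constructed table the flood needs only 100 SYNs per second, about 48 kbps, to hold 6,000 of 8,192 entries; a 5Gbps volumetric alarm is five orders of magnitude away from firing, while the fill ratio and the count of distinct half-open sources both stand out immediately. The same two metrics can be sampled from a real device with `conntrack -L` or the vendor's equivalent and alerted on independently of bandwidth.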

Consider the story of David and Goliath. It’s typically taken to be the archetypal underdog story, in which a smaller, weaker challenger overcomes overwhelming odds to come out on top. Of course, David’s great advantage in the battle is his sling; precise, rapid technology against which Goliath’s suit of armour affords no protection. In just the same way, the trend in the cyberthreat landscape is not towards meeting the enormous scale of DDoS mitigation technologies head-on with an equal and opposite force, but towards finding smarter, subtler routes to victory. Businesses, of course, will need to evolve their defensive methodologies to match, assessing how prepared they are to guard against attacks of all sizes, both large and small.

Goliath is impressive and intimidating, but you’ll always see him coming. It’s the David denial-of-service attacks that you really need to watch out for.


The issue impacts users of the vendor’s Cloud WAF product.

Imperva, the security vendor, has disclosed a security breach that affects customers of its Cloud Web Application Firewall (WAF) product.

Formerly known as Incapsula, the Cloud WAF analyzes requests coming into applications, and flags or blocks suspicious and malicious activity.

Users' email addresses and salted, hashed passwords were exposed, and for some customers API keys and SSL certificates were also affected. The latter two are the more serious: a certificate uploaded to a cloud WAF so that it can terminate TLS comes with its private key, so a leaked one could let an attacker impersonate the customer's site or decrypt its traffic, and a leaked API key could let an attacker read or change that customer's WAF configuration.

Imperva has implemented password resets and 90-day password expiration for the product in the wake of the incident.

Imperva said in a website notice that it learned of the exposure from a third party on August 20. The affected data came from an old Incapsula customer database and covers records only up to Sept. 15, 2017.


“We profoundly regret that this incident occurred and will continue to share updates going forward,” Imperva noted. “In addition, we will share learnings and new best practices that may come from our investigation and enhanced security measures with the broader industry. We continue to investigate this incident around the clock and have stood up a global, cross-functional team.”

Imperva also said that it “informed the appropriate global regulatory agencies” and is in the process of notifying affected customers directly.

When asked for more details (such as if this is a misconfiguration issue or a hack, where the database resided and how many customers are affected), Imperva told Threatpost that it is not able to provide more information for now.