Cyberattacks Archive

A Chinese government-backed DDoS operation has been resurrected to disrupt pro-democracy supporters in Hong Kong, according to AT&T Cybersecurity.

The firm revealed in a new blog post yesterday that it spotted activity from the so-called “Great Cannon” starting on August 31, with the most recent DDoS attempts coming on November 25.

Specifically, it was observed trying to take offline the LIHKG website, which is used by Hong Kongers to share info and plan protests across the Special Administrative Region (SAR) of China wracked by unrest over the past few months.

The Great Cannon works by intercepting traffic bound for websites hosted in China and injecting malicious JavaScript into legitimate analytics scripts, so that the browsers of unwitting visitors covertly make requests against the targeted sites.

The code not only repeatedly requests the LIHKG home page but also multiple URLs and memes that appear on the forum, so as to blend in with normal traffic, according to Chris Doman of AT&T Cybersecurity’s AlienVault business.
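The injection described above only works because the browser executes whatever bytes arrive under the analytics script's URL. The following is an added example, not code from the AT&T Cybersecurity post, showing the browser-side check that defeats it: Subresource Integrity (SRI), where the page pins the hash of the vetted script and the browser refuses to run a copy whose bytes differ. The script bodies and the script URL are constructed for illustration.

```python
"""Subresource Integrity (SRI) as a browser-side check against in-transit script
tampering. Added example; not code from the AT&T Cybersecurity post.
The script bodies and the script URL below are constructed for illustration."""
import base64
import hashlib

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(body: bytes, alg: str = "sha384") -> str:
    """Return the value a page puts in <script integrity="..."> for this exact body:
    the algorithm name, a dash, and the base64 of the raw digest."""
    if alg not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {alg}")
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(body: bytes, integrity: str) -> bool:
    """Emulate the browser's decision: an integrity attribute may list several
    space-separated hashes, and the resource executes only if at least one of them
    matches the bytes that actually arrived. Tokens with unknown algorithms are ignored."""
    for token in integrity.split():
        alg, _, _ = token.partition("-")
        if alg in SRI_ALGORITHMS and sri_hash(body, alg) == token:
            return True
    return False


def script_tag(src: str, body: bytes) -> str:
    """Tag the site operator emits after hashing the vetted script body.
    crossorigin="anonymous" is required for SRI on a cross-origin script."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            f'crossorigin="anonymous"></script>')


# Constructed: the legitimate analytics script the site intends to embed.
LEGIT_SCRIPT = b"(function(){window._analytics=window._analytics||[];})();\n"
# Constructed: the same file after an on-path device appended extra code. Any change
# to the bytes, even a single character, produces a different digest.
TAMPERED_SCRIPT = LEGIT_SCRIPT + b"/* injected: request loop against a third-party site */\n"

if __name__ == "__main__":
    # Hypothetical third-party script URL; plain HTTP is exactly the case in which an
    # on-path injector can rewrite the response body.
    print(script_tag("http://analytics.example/h.js", LEGIT_SCRIPT))
    pinned = sri_hash(LEGIT_SCRIPT)
    print("legit copy executes:   ", sri_matches(LEGIT_SCRIPT, pinned))
    print("tampered copy executes:", sri_matches(TAMPERED_SCRIPT, pinned))
```

The caveat a practitioner should keep in mind: SRI protects the script only if the page carrying the `integrity` attribute itself arrives intact. If the embedding HTML is also fetched over plain HTTP, the same injector can strip the attribute, so the tag must be delivered over HTTPS for the check to mean anything.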

“It is unlikely these sites will be seriously impacted. Partly due to LIHKG sitting behind an anti-DDoS service, and partly due to some bugs in the malicious JavaScript code that we won’t discuss here,” he explained.

“Still, it is disturbing to see an attack tool with the potential power of the Great Cannon used more regularly, and again causing collateral damage to US-based services.”

The tool itself first came to prominence around four years ago when it was used to target an anti-censorship organization. The researchers who revealed the cannon for the first time reported that it was co-located with China’s notorious Great Firewall censorship infrastructure.

Global anger spread after the Great Cannon was then turned on developer site GitHub, which at the time hosted anti-censorship tools.

Researchers warned that the same tool could very easily be repurposed to deliver malware rather than DDoS attacks.


A distributed denial of service attack can turn a retailer’s holiday season from merry to miserable. Learn how to protect yourself.

No, Virginia, there’s no denying there is a Santa Claus. There’s also no denying the threat that distributed denial of service (DDoS) presents to retailers and eCommerce sites during the holidays.

Nothing says “happy holidays” like a multivector DDoS attack against your digital properties during the busiest shopping season of the year. Like holiday spending activity, industry DDoS attack metrics are difficult to predict. Volumes can trend upward and then mysteriously die off. The trends are only obvious after the attack campaigns have ended.

As part of our Holiday 2019 retail series, Researcher Madeline Cyr interviewed Forrester security and risk analysts David Holmes and Joseph Blankenship to help retailers understand the threat of DDoS attacks during the upcoming holiday retail season.

Q. Last year, DDoS attacks on eCommerce sites peaked during Black Friday weekend. Could a DDoS attack wipe out Black Friday/Cyber Monday online sales?

Joseph: DDoS attacks happen against eCommerce digital properties every year, though it’s usually impossible to predict who the exact victims will be.
We’ve heard from DDoS service protection vendor Radware that the typical reasons for service outages involving retailers/eCommerce include:

  • Self-inflicted DoS: that is, simply not having the proper resources to deal with a burst of natural traffic
  • DDoS: Criminal attack to prevent/restrict access under ransom denial of service (RDoS) threat
  • DDoS: Criminal attack to impact sales
  • DDoS: Criminal attack to divert shoppers to other sites during an outage
  • DDoS: Hacktivist attack for political reasons that are direct or indirect
  • Bots: Criminals trying to purchase an item and flood system resources in the process; prevents others from checking out

Q. What strategy and technology protections do retailers need to have in place now to thwart DDoS attacks?

David: The most important advice is that retailers should seek a DDoS protection agreement before an attack occurs and work with the service to set up your clean traffic tunnels during business as usual. Trying to combat a DDoS attack with no protection in place is a stress-inducing nightmare that no IT team wants to contemplate during peak season. There’s also the potential impact on sales if a site is unresponsive or slow during the critical buying season. And many DDoS protection providers charge a five-figure premium to put protections in place during an attack; configuring the protection is much more difficult when the retail services cannot be reached.

Q. If you are hit with an attack, how do you get your site back online?

David: Most modern eCommerce retailers will have migrated to a cloud service or content delivery network (CDN), and these services usually have integrated DDoS protection. In some cases, the attached protection services are gratis, though Forrester has heard that their quality can be inconsistent.


Distributed denial-of-service (DDoS) attacks have become more common, more powerful, and more useful to attackers. Here’s how to fight back.

On the flip side of the proliferation of Internet of Things (IoT) devices, the quest for increased connectivity and bandwidth (think 5G) and skyrocketing cloud adoption, IT is increasingly being weaponized to unleash cyberattacks on an unprecedented scale. Coupled with the emergence and anonymous nature of both the Dark Web and cryptocurrencies, illicit transactions have never been easier or more convenient. Distributed denial-of-service (DDoS) attacks have become more common, more powerful, and more useful to attackers. They have advanced from mere botnet-based approaches to artificial intelligence (AI) and data-driven models.

Scholars at the University of Cambridge last year published a research note describing how they used data science to shed light on criminal pathways and ferret out the key players linked to illegality in one of the biggest and oldest underground forums. Perhaps surprisingly, they found that most cybercrime is committed by people who aren’t technical geniuses. Many of them offer so-called “booter” services — basically, they’re hired DDoS guns — and these have become so widespread that their operators even include school-age children.

While not all of these attacks are spotlighted in the media, they cause significant financial blowback for companies in the form of paid-out ransoms, business downtime, lost revenue, and reputational losses, among other costs. This havoc is perpetrated by the members of a busy underground economy where cyberattack services are traded and monetized.

Attacks on the Rise
Europol’s “Internet Organised Crime Threat Assessment 2019” report outlines how DDoS attacks are among the biggest threats reported in the business world. The favorite DDoS targets of criminals in 2019 were banks and other financial institutions, along with public organizations such as police departments and local governments. Travel agents, Internet infrastructure, and online gaming services were also in the cybercriminals’ crosshairs. Some arrests were made, but they had no noticeable impact on the growth rate of DDoS attacks or on the Dark Web infrastructure that makes them possible, according to Europol.

While many DDoS attacks go unreported and unnoticed, some are making the news. In October, a DDoS attack lasting roughly eight hours struck Amazon Web Services (AWS); customers were unable to connect because the mitigation AWS put in place miscategorized their legitimate queries as malicious. Google Cloud Platform experienced a range of problems at about the same time, but the company says the incident was unrelated to DDoS. A few weeks earlier, a number of DDoS attacks crippled an ISP in South Africa for an entire day.

Everybody Is Vulnerable
Interestingly, it’s not just legitimate organizations that are plagued with DDoS attacks. Anyone familiar with Dark Web market listing services will know that markets are usually listed with an “uptime,” and that the main reason for any downtime is DDoS attacks.

These hidden services are open to DDoS attacks because of certain characteristics of the Tor browser, which is commonly used to access the Dark Web. Earlier this year, the three biggest Dark Web markets all suffered serious and extended DDoS attacks. The operators of Dream Market were reportedly taken for $400,000, which illustrates that even the criminals are vulnerable to attacks by DDoS extortionists.

APIs Move into the Spotlight
But the DDoS problem is moving beyond infrastructure. As part of their digital strategy, many organizations are turning to cloud-native applications, and — as part of the Fourth Industrial Revolution — manufacturing, logistics, and utility companies are equipping their production lines, warehouses, factories, and other facilities with wireless connectivity and sensors. Each of these requires an API in order to work.

However, while APIs simplify architecture and delivery, they can also become bottlenecks that open up companies to a spectrum of risks and vulnerabilities. When a business-critical application or API is compromised, it knocks out all the operations related to the business and initiates a chain reaction. Thus, simply protecting OSI layers 3/4 is no longer sufficient; layer-7 attacks create more damage with less total bandwidth.

Job #1: Building Cyber Resilience
In digital business, there is no room for outages. That’s why organizations of all sizes must do everything they can to safeguard the resilience, integrity, and uptime of their digital platforms and services. As network bandwidth and computing power multiply, they enable black hats to leverage the increased resources to launch more powerful attacks. DDoS against national infrastructure networks can wreak major real-life havoc and shut down access to the services that grease the wheels of our economy and society. The US Department of Homeland Security (DHS) reports that in the past five years the size of attacks has increased by a factor of 10, and that “it is not clear if current network infrastructure could withstand future attacks if they continue to increase in scale.”

Upgrading the Arsenal
The increase in attack frequency, added risk of APIs, and cost of downtime have combined to create a threat greater than the sum of its parts. This evolution of the threat landscape necessitates a similar evolution in defense methods. An organization would be naive to think that the preparedness posture that worked a decade ago can still work unchanged against modern threats.

“To address the increased frequency of attack, a modern defense must be efficient,” says Andrew Shoemaker, a DDoS veteran and founder of NimbusDDoS, a pen-testing provider that vets DDoS mitigation solutions. “This means embracing automated mitigation approaches, and moving away from slow manual processes,” he adds. “Manual approaches may have been effective in the past when an organization was only attacked a few times per year, but the administrative burden of manual mitigation becomes overwhelming when attacks are happening monthly or weekly.”


Internet service providers in South Africa fell prey to massive distributed denial of service (DDoS) attacks this past weekend.

RSAWEB subscribers were among the first to feel it, with the company issuing a notice at 01:56 on Friday morning stating that it was under attack. By 12:38, RSAWEB reported that the DDoS attack had abated and that services were stable.

Cool Ideas was next to be hit. It sent out a notice to subscribers on Saturday morning to say that it was experiencing problems on its network.

It later confirmed that it was facing the largest DDoS attack it had ever seen on its network. Cool Ideas co-founder Paul Butschi told MyBroadband that the size of the attack exceeded 300Gbps.

Butschi said the attack traffic statistics came from Cogent Communications and Hurricane Electric in London. Of the total traffic hitting their network, roughly 40Gbps was legitimate.

Attack on Afrihost, Axxess, and Webafrica

On the evening of Saturday, 23 November, the upstream provider supplying services to Afrihost, Axxess, and Webafrica came under attack. All three ISPs use Echo Service Provider.

Echo, in turn, appears to have a partnership with Liquid Telecom for international transit — Internet traffic that goes outside South Africa.

During previous attacks on Echo SP, Liquid Telecom helped to mitigate the attack. MyBroadband asked Liquid Telecom for details regarding the attack that crippled Afrihost, Axxess, and Webafrica on Saturday.

“Liquid Telecommunications can confirm that during the course of [Saturday] night an attack was initiated against one of our South African clients,” a spokesperson for the company said.

“This attack was similar in size and scale to previous attacks reported on. The attack was mitigated within minutes of being seen and the network has been stable without incident since the mitigation was performed.”

The previous attack on Echo SP on 27 October was in excess of 100Gbps. Liquid Telecom’s comments suggest that the most recent attack was around the same size.

Afrihost clients continued to complain that they were having trouble connecting to international services on Saturday evening.

On Sunday morning, MyBroadband forum members noticed that outbound international traffic from Afrihost was no longer flowing over Liquid Telecom’s network, but Telkom’s.

Another forum member found that Echo SP had only switched away from Liquid Telecom for outbound international traffic from South Africa. Inbound traffic from international sources was still being routed over Liquid Telecom’s network.

MyBroadband asked Afrihost, Webafrica, and Echo Service Provider for comment, but they did not respond by the time of publication.

Distributed denial of service and carpet bombing

A DDoS attack is a flood of garbage Internet traffic sent to servers, routers, and other computers on a network with the aim of making it impossible to communicate with them.

Under ordinary circumstances, generating 100Gbps or 300Gbps of traffic would require tremendous resources.

However, techniques such as DNS Amplification have made it easier and cheaper for attackers to generate large volumes of attack traffic than ever before.

DNS amplification attacks, also referred to as DNS reflection attacks, abuse misconfigured Domain Name System (DNS) servers, typically open resolvers that answer queries from any address on the Internet, to flood computers with network traffic. If the flood of bogus traffic is able to overwhelm the computer, it can’t respond to legitimate requests and appears offline to anyone on the Internet trying to reach it.

Reflection attacks work by sending a request to a server on the Internet with a forged (spoofed) source address, so that the server sends its response to the target the attacker wants to flood instead of back to the attacker. This is possible because DNS normally runs over UDP, which does not verify the sender’s address before answering.

DNS servers are a popular choice for such attacks because they are critical Internet infrastructure designed to field millions of requests per second. They are also usually connected to high-bandwidth links to enable them to deal with large amounts of traffic.

Most importantly, attackers can often cause a DNS server to generate a response that is several times larger than their spoofed request. In other words, attackers use DNS servers to amplify their attack bandwidth. Hence the term “DNS Amplification”.
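To make the asymmetry concrete, here is an added example (not code from the MyBroadband article) that builds a genuine wire-format DNS query of the kind reflectors are abused with, compares its size against a reflector answer, and shows the check at the other end of the problem: the BCP 38 ingress filter that drops the spoofed query at the attacker’s own provider. The reflector’s answer is constructed in the script so it runs offline, and all addresses are documentation ranges and hypothetical.

```python
"""Why a DNS reflection query amplifies, and the ingress filter that stops it at the
source. Added example; not code from the MyBroadband article. The query is real
wire format; the reflector's answer is constructed so this runs offline."""
import ipaddress
import struct

QTYPE_ANY, QTYPE_TXT, QTYPE_OPT = 255, 16, 41


def encode_name(name: str) -> bytes:
    """RFC 1035 label encoding: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = QTYPE_ANY, txid: int = 0x1234,
                udp_payload: int = 4096) -> bytes:
    """A small query that asks for a big answer: type ANY plus an EDNS0 OPT record
    (RFC 6891) advertising a 4096-byte UDP buffer, so the reflector will not truncate
    and force a fallback to TCP (which cannot be spoofed this way)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1; 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, udp_payload, 0, 0)  # root owner, no rdata
    return header + question + opt


def build_fat_response(query: bytes, txt_records: list) -> bytes:
    """Constructed reflector answer to the query above: same ID and question, QR/RD/RA
    flags set, one TXT record per entry, owner name compressed to a pointer (0xC00C)
    back to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    qname_end = query.index(b"\x00", 12) + 1
    question = query[12:qname_end + 4]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(txt_records), 0, 0)
    answers = b""
    for txt in txt_records:
        if len(txt) > 255:
            raise ValueError("a TXT <character-string> holds at most 255 bytes")
        rdata = bytes([len(txt)]) + txt
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, 1, 3600, len(rdata)) + rdata
    return header + question + answers


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bandwidth amplification: bytes the victim receives per byte the attacker sends.
    The attacker pays for the query once; the reflector pays for the answer."""
    return len(response) / len(query)


def passes_ingress_filter(src_ip: str, customer_prefixes: list) -> bool:
    """BCP 38 / RFC 2827 check on a customer-facing port: forward a packet only if its
    source address lies inside a prefix assigned to that customer. A query spoofed with
    the victim's address is dropped here, before any reflector ever sees it."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(p) for p in customer_prefixes)


if __name__ == "__main__":
    query = build_query("example.com")
    response = build_fat_response(query, [b"A" * 255] * 12)  # constructed bloated zone data
    print(f"query {len(query)} bytes -> response {len(response)} bytes, "
          f"x{amplification_factor(query, response):.1f}")
    # The spoofed query claims to come from the victim (192.0.2.10) but enters on a
    # port whose customer was assigned 198.51.100.0/24, so BCP 38 drops it.
    print("forwarded:", passes_ingress_filter("192.0.2.10", ["198.51.100.0/24"]))
```

Two practical notes: a 40-byte query answered with 3 KB of data gives a factor above 80, which is why a modest botnet can reach the hundreds of gigabits reported above; and many resolvers now give minimal answers to ANY queries (RFC 8482), so attackers have shifted to other record types and to other UDP services, but the arithmetic is the same.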

When the target of such an attack is a web server or critical network infrastructure, such a DDoS attack causes an outage. Network providers have developed methods to mitigate such attacks, and so attackers have found new ways of launching effective assaults.

One such technique is “carpet bombing”, where an Internet service provider’s individual customers are sent large volumes of garbage network traffic.

In some cases, the individual connections of customers are flooded. However, even when the traffic is not enough to flood a subscriber’s connection, the overall traffic on the network eventually adds up to a point where the ISP’s core network infrastructure cannot cope with the load.

Carpet bombing attacks are specifically used against organisations like ISPs with the aim of bringing down their whole network.

Data centre operators, web hosting companies, and large corporate networks – anyone who runs their own pool of IP addresses – are also examples of potential targets of carpet bombing attacks.
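The detection consequence of the previous paragraphs is that a per-destination threshold never fires during a carpet bombing, because no single customer is receiving enough to trip it. The following added example (not code from the article) runs a per-host rule and a per-prefix rule over constructed NetFlow-style records in which one customer takes a classic flood and a whole /24 takes a carpet bomb. The prefixes are documentation ranges and the thresholds are illustrative assumptions for a one-second interval.

```python
"""Telling carpet bombing apart from a classic single-target flood in flow data.
Added example; not code from the MyBroadband article. The flow records are
constructed, the prefixes are documentation ranges, and the thresholds are
illustrative assumptions for a one-second interval."""
from collections import defaultdict
import ipaddress

# Assumed thresholds (bytes per interval). A real deployment derives these from the
# link speeds and traffic baselines of the network in question.
PER_HOST_THRESHOLD = 50_000_000      # volumetric flood on a single destination
PER_PREFIX_THRESHOLD = 200_000_000   # aggregate across a customer prefix
MIN_HOSTS_HIT = 16                   # carpet bombing spreads across many destinations


def aggregate(flows, prefix_len=24):
    """Sum bytes per destination host and per destination prefix.
    flows: iterable of (src_ip, dst_ip, proto, bytes)."""
    per_host = defaultdict(int)
    per_prefix = defaultdict(lambda: {"bytes": 0, "hosts": set(), "sources": set()})
    for src, dst, _proto, nbytes in flows:
        per_host[dst] += nbytes
        net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        entry = per_prefix[net]
        entry["bytes"] += nbytes
        entry["hosts"].add(dst)
        entry["sources"].add(src)
    return per_host, per_prefix


def detect(flows, prefix_len=24):
    """Return (host_alerts, prefix_alerts). The per-host rule alone never fires on a
    carpet bomb, because no single destination exceeds its threshold; the prefix rule
    catches the aggregate that is actually saturating the uplink."""
    per_host, per_prefix = aggregate(flows, prefix_len)
    host_alerts = sorted(h for h, b in per_host.items() if b >= PER_HOST_THRESHOLD)
    prefix_alerts = sorted(
        str(net) for net, e in per_prefix.items()
        if e["bytes"] >= PER_PREFIX_THRESHOLD and len(e["hosts"]) >= MIN_HOSTS_HIT
    )
    return host_alerts, prefix_alerts


def constructed_flows():
    """Constructed sample: one classic flood and one carpet bomb in the same interval."""
    flows = []
    # Classic flood: 60 MB at a single host from a handful of sources.
    for j in range(6):
        flows.append((f"198.51.100.{j + 1}", "203.0.113.9", "udp", 10_000_000))
    # Carpet bomb: 64 hosts in 192.0.2.0/24 each receive 5 MB from many sources, so
    # every per-host total stays well under PER_HOST_THRESHOLD (320 MB in aggregate).
    for i in range(64):
        for j in range(10):
            src = f"198.51.100.{(i * 10 + j) % 254 + 1}"
            flows.append((src, f"192.0.2.{i + 1}", "udp", 500_000))
    # Ordinary traffic to a third customer.
    flows.append(("198.51.100.200", "203.0.113.40", "tcp", 2_000_000))
    return flows


if __name__ == "__main__":
    hosts, prefixes = detect(constructed_flows())
    print("single-target flood on:", hosts)
    print("carpet bombing against:", prefixes)
```

In practice the prefix-level rule is what lets an operator hand a whole customer block to the mitigation service at once rather than chasing individual /32s, which is the mitigation problem carpet bombing was designed to create.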


A new botnet named Roboto is targeting Linux servers running the Webmin app, according to security researchers at 360 Netlab. Roboto is a peer-to-peer botnet that has been active since the summer and spreads by exploiting a vulnerability in Webmin. The app offers a web-based remote management system for Linux servers and is installed on as many as 215,000 servers.

The vulnerability, identified as CVE-2019-15107, lets an attacker execute arbitrary code with root privileges on unpatched Webmin servers. It was identified and fixed by the Webmin developers, but many users have not installed the patched version, and the Roboto botnet targets those servers.

According to the researchers, Roboto’s code includes DDoS capability, and DDoS is the botnet’s main feature: it can flood targets over HTTP, ICMP, UDP, and TCP. The operators grow the botnet by compromising further vulnerable Webmin servers.

Also, once the botnet compromises a Linux system running the older version of the Webmin app, it can collect system, network, and process information, upload the collected data to a remote server, execute Linux commands, and download a file from a remote URL.

What makes the Roboto botnet unique is its peer-to-peer network structure.

To avoid compromise, update Webmin to version 1.930 or later; if you cannot update immediately, disable the ‘user password change’ option in the app, which removes the feature the vulnerability is reached through.
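To turn that advice into something an administrator can check, here is an added example, not code from 360 Netlab or the Webmin project. It decides whether a host is exposed from its version file and its password-change setting, and triages the access log for requests to the CGI the vulnerability was reported in. Its assumptions are labelled in the code: that Webmin records its version in /etc/webmin/version, that the “user password change” feature corresponds to the line `passwd_mode=2` in /etc/webmin/miniserv.conf, and that the log is in Common Log Format. Every file body and log line below is constructed.

```python
"""Host-side exposure check for CVE-2019-15107 plus triage of the endpoint it lives in.
Added example; not code from 360 Netlab or the Webmin project. Assumptions: Webmin
stores its version in /etc/webmin/version, the "user password change" feature is the
passwd_mode=2 line in /etc/webmin/miniserv.conf, and the access log is in Common Log
Format. All file bodies and log lines below are constructed."""
import re

FIXED_VERSION = (1, 930)                # first release the article tells readers to install
VULN_ENDPOINT = "/password_change.cgi"  # the CGI the vulnerability was reported in


def parse_version(text: str) -> tuple:
    """Webmin writes versions like '1.920'; compare as (major, minor) integers.
    Webmin uses a three-digit minor, so numeric comparison orders releases correctly."""
    m = re.match(r"\s*(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Webmin version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def password_change_enabled(miniserv_conf: str) -> bool:
    """Assumption: passwd_mode=2 is the miniserv.conf setting that lets users change
    an expired password through password_change.cgi."""
    for line in miniserv_conf.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "passwd_mode":
            return value.strip() == "2"
    return False


def exposure(version_text: str, miniserv_conf: str) -> str:
    """'patched', 'vulnerable', or 'unpatched-feature-disabled' (the workaround state)."""
    if parse_version(version_text) >= FIXED_VERSION:
        return "patched"
    if password_change_enabled(miniserv_conf):
        return "vulnerable"
    return "unpatched-feature-disabled"


# Common Log Format: client ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def suspicious_requests(log_lines):
    """Flag POSTs to password_change.cgi. Legitimate use is rare and interactive; a
    burst from many addresses against a host with no expired passwords is what a
    scanner exploiting this bug looks like in the log."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?", 1)[0].endswith(VULN_ENDPOINT):
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits


# Constructed inputs
VERSION_FILE = "1.920\n"
MINISERV_CONF = "port=10000\nssl=1\npasswd_mode=2\n"
ACCESS_LOG = [
    '203.0.113.5 - admin [25/Nov/2019:10:02:11 +0200] "GET /index.cgi HTTP/1.1" 200 5120',
    '198.51.100.77 - - [25/Nov/2019:10:03:42 +0200] "POST /password_change.cgi HTTP/1.1" 200 213',
    '198.51.100.78 - - [25/Nov/2019:10:03:43 +0200] "POST /password_change.cgi?x=1 HTTP/1.1" 500 0',
    '203.0.113.5 - admin [25/Nov/2019:10:05:00 +0200] "GET /password_change.cgi HTTP/1.1" 200 1900',
]

if __name__ == "__main__":
    print("exposure:", exposure(VERSION_FILE, MINISERV_CONF))
    for ip, ts, status in suspicious_requests(ACCESS_LOG):
        print(f"POST to {VULN_ENDPOINT} from {ip} at {ts} -> HTTP {status}")
```

Treat the ‘unpatched-feature-disabled’ result as a reason to schedule the upgrade, not as an all-clear: the workaround only closes the path the article names, and Webmin listens as root, so any other flaw in an old build carries the same consequences.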