DDoS Defense Archive

The website of the National Union of Journalists of the Philippines has again come under a distributed denial of service (DDoS) attack on Monday, February 11, 2019, and already been taken down twice since this morning.

The DDoS displays the same characteristics as the earlier attack that shut down our site twice last Friday.

Between 8-10 a.m. Monday, we were hit with a 76 gb DDoS attack. Although our digital security auditors managed to restore the site Monday morning, another spike in access requests was recorded mid-afternoon, shutting the site a second time.

The website was back online at 4:15 p.m.

According to the initial report of our security auditors, the attackers’ most requested URL path ishttps://nujp.org/?s=duterte, a page that appears when keyword “Duterte” is searched on the website.

Since Friday, the site has been subjected to total of 615 gigabytes of traffic, peaking at 468gb.

Like the previous attack, we strongly believe this is part of an orchestrated campaign to silence critical outfits and organizations that has also targeted alternative news sites such as those of our affiliates, Bulatlat, Kodao Productions, AlterMidya and its latest target, Pinoy Weekly.

Aside from the DDoS attacks, all these organizations, including the NUJP, have also been subjected to red-tagging.


Source: https://www.mindanews.com/statements/2019/02/statement-ddos-attacks-on-nujp-alternative-media-continue/

When there’s a DDoS attack against your voice network, are you ready to fight against it?

An estimated 240 million calls are made to 911 in the US each year. With the US population estimated at more than 328 million people as of November 2018, this means each US resident makes, on average, more than one 911 call per year. 911 is a critical communications service that ensures the safety and individual welfare of our nation’s people.

So, what happens when the system goes down?

Unfortunately, answers can include delays in emergency responses, reputational damage to your brand or enterprise by being associated with an outage, and even loss of life or property. We have seen very recent examples of how disruption in 911 services can impact municipalities. For example, days after Atlanta was struck by a widespread ransomware attack, news broke of a hacking attack on Baltimore’s computer-assisted dispatch system, which is used to support and direct 911 and other emergency calls. For three days, dispatchers were forced to track emergency calls manually as the system was rebuilt — severely crippling their ability to handle life-and-death situations.

In 2017, cybersecurity firm SecuLore Solutions reported that there had been 184 cyberattacks on public safety agencies and local governments within the previous two years. 911 centers had been directly or indirectly attacked in almost a quarter of those cases, most of which involved distributed denial-of-service (DDoS) attacks.

Unfortunately, these kinds of DDoS attacks will continue unless we make it a priority to improve the security of voice systems, which remain dangerously vulnerable. This is true not just for America’s emergency response networks, but also for voice networks across a variety of organizations and industries.

The Evolving DDoS Landscape
In today’s business world, every industry sector now relies on Internet connectivity and 24/7 access to online services to successfully conduct sales, stay productive, and communicate with customers. With each DDoS incident costing $981,000 on average, no organization can afford to have its systems offline.

This is a far cry from the early days of DDoS, when a 13-year-old studentdiscovered he could force all 31 users of the University of Illinois Urbana-Champaign’s CERL instruction system to power off at once. DDoS was primarily used as a pranking tool until 2007, when Estonian banks, media outlets, and government bodies were taken down by unprecedented levels of Internet traffic, which sparked nationwide riots.

Today, DDoS techniques have evolved to use Internet of Things devices, botnets, self-learning algorithms, and multivector techniques to amplify attacks that can take down critical infrastructure or shut down an organization’s entire operations. Last year, GitHub experienced the largest-ever DDoS attack, which relied on UDP-based memcached traffic to boost its power. And just last month, GitHub experienced a DDoS attack that was four times larger.

As these attacks become bigger, more sophisticated, and more frequent, security measures have also evolved. Organizations have made dramatic improvements in implementing IP data-focused security strategies; however, IP voice and video haven’t received the same attention, despite being equally vulnerable. Regulated industries like financial services, insurance, education, and healthcare are particularly susceptible — in 2012, a string of DDoS attacksseverely disrupted the online and mobile banking services of several major US banks for extended periods of time. Similarly, consider financial trading — since some transactions are still done over the phone, those jobs would effectively grind to a halt if a DDoS attack successfully took down their voice network.

As more voice travels over IP networks and as more voice-activated technologies are adopted, the more DDoS poses a significant threat to critical infrastructure, businesses, and entire industries. According to a recent IDC survey, more than 50% of IT security decision-makers say their organization has been the victim of a DDoS attack as many as 10 times in the past year.

Say Goodbye to DDoS Attacks
For the best protection from DDoS attacks, organizations should consider implementing a comprehensive security strategy that includes multiple layers and technologies. Like any security strategy, there is no panacea, but by combining the following solutions with other security best practices, organizations will be able to better mitigate the damages of DDoS attacks:

  • Traditional firewalls: While traditional firewalls likely won’t protect against a large-scale DDoS attack, they are foundational in helping organizations protect data across enterprise networks and for protection against moderate DDoS attacks.
  • Session border controllers (SBCs): What traditional firewalls do for data, SBCs do for voice and video data, which is increasingly shared over IP networks and provided by online services. SBCs can also act as session managers, providing policy enforcement, load balancing and network/traffic analysis. (Note: Ribbon Communications is one of a number of companies that provide SBCs.)
  • Web application firewalls: As we’ve seen with many DDoS attacks, the target is often a particular website or online service. And for many companies these days, website uptime is mission-critical. Web application firewalls extend the power of traditional firewalls to corporate websites.

Further, when these technologies are paired with big data analytics and machine learning, organizations can better predict normative endpoint and network behavior. In turn, they can more easily identify suspicious and anomalous actions, like the repetitive calling patterns representative of telephony DoS attacks or toll fraud.

DDoS attacks will continue to be a threat for organizations to contend with. Cybercriminals will always look toward new attack vectors, such as voice networks, to find the one weak spot in even the most stalwart of defenses. If organizations don’t take the steps necessary to make voice systems more secure, critical infrastructure, contact centers, healthcare providers, financial services and educational institutions will certainly fall victim. After all, it only takes one overlooked vulnerability to let attackers in.

Source: https://www.darkreading.com/attacks-breaches/when-911-goes-down-why-voice-network-security-must-be-a-priority-/a/d-id/1333782

The internet of things (IoT) brings has opened new horizons, from smart-city advancements to transforming how industries produce goods. For example, by connecting assets in a factory, manufacturers can have better insight into the health of their machinery and predict any major problems with their hardware before it happens, allowing them to stay one step ahead of their systems and keep costly outages to a minimum.

But, despite its life-enhancing and cost-saving benefits, IoT has proven to be a minefield to secure.

There are several reasons why. First and foremost is a general lack of awareness among consumers and businesses. The convenience and cost-saving benefits of IoT tech appear to outweigh the potential risks.

Another challenge is securing not just the IoT devices but also the networks over which their data is transferred. IoT devices increase the amount of entry points into a home or business network, which in turn could give hackers access to devices such as computers that contain sensitive data.

Eventually we could see almost every home device connected to the internet, not necessarily with any consumer benefit but instead geared toward data collection. And IoT sensors increasingly are being used by businesses of all sizes across numerous industries including health care and manufacturing. This setup can be incredibly valuable for businesses, but is also highly susceptible to penetration by hackers.

In the past, businesses haven’t always focused on building end-to-end security into the network. This is set to change as attitudes evolve. In fact, thanks to emerging tech platforms, the industry is developing new ways to protect IoT devices from increasingly sophisticated hackers and there will be significant opportunities for those working in the IoT security space.

Let’s look at the impact of some emerging platforms on the security space:

Using blockchain technology can reduce the risk of IoT devices being put at risk by a security breach at a single point. By getting rid of a central authority in IoT networks, blockchain would enable device networks to validate and protect themselves. For example, devices in a common group could stop or alert the user if asked to carry out tasks that appear unusual, such as being commandeered by hackers to carry out distributed denial of service (DDoS) attacks.

Artificial intelligence can help to speed up the process of identifying potential risks. AI is set to be so integral to cybersecurity in the future that it is estimated that the global AI security market will reach $18.2 billion by 2023, according to a recent report.

Meanwhile, just as new technology platforms have opened doors for hackers, new security platforms are being developed to combat the threat. Interactive visual walls, dashboard displays, 3D object recognition and a virtual reality experience provide a glimpse of the security capabilities that can help organizations build and monitor cybersecurity platforms, as suited to their business needs.

Be Ready for Anything

At this point, security breaches have become almost inevitable, rather than something that can be completely avoided. Without adequate security, even innocuous items that generally pose no threat can be transformed into something far more sinister—for example, traffic lights that tell cars and pedestrians to go at the same time.

As a result, it’s important that organizations take time to think about how they can work together to create an end-to-end infrastructure that can deal with the influx of new devices. With this increased threat, the focus is shifting from prevention to resilience.

Education is key and makers of IoT devices, ISPs and the government all must play a vital role in boosting awareness of IoT security among consumers and businesses. At a government level, it also may be necessary to provide education to boost the digital literacy of policymakers. More regulation and standardization are needed to ensure that IoT devices adhere to a certain level of security, while manufacturers must develop clear privacy policies for their IoT devices and ensure that consumers know how to adjust the security settings. Even simple steps such as not setting default passcodes as “0000” or “1234” could help keep devices more secure in the future.

Businesses must talk openly about vulnerabilities, promoting awareness and accountability. Resources that are currently focused on prevention need to be redeployed toward the timely detection of and response to potential security hacks.

The best way to approach this is a layered security solution. That means security at the device level, over the air and once it gets to the network. This approach can secure the end device, over the air like a VPN, the pipe between a device and the network and once it gets onto the network.

With emerging technological platforms such as cloud computing and IoT offering more gateways to hackers, it is now more critical than ever for companies to institute holistic security platforms to deal with these threats. Only with everyone working together toward a common goal will the new technology platforms that have the power to improve our lives be used only to do good.

Source: https://securityboulevard.com/2019/02/the-evolving-approach-to-iot-security/

Cayosin brings together multiple strands of botnet tech and hacker behavior for a disturbing new threat.

 When botnet-as-a-service meets social media marketing, you have a threat poised to rapidly spread. That’s precisely what researchers have found in a quickly evolving botnet called Cayosin (Kay-OH-sin), which combines the most dangerous features of multiple previous botnets and makes them available to a broad audience at a low price.

When researchers at Perch were going through customer telemetry last month, they found strings they hadn’t seen before. In looking through the signatures, Perch senior threat researcher Paul Scott found leads on a Reddit forum dedicated to Linux malware that showed Cayosin was “actually a custom piece of malware developed from multiple public sources,” Scott explains. “So it’s kind of a Frankenstein between Qbot, Marai, and a few other pieces of software. The actors kind of cobbled them all together to make a new thing.”

This new thing is a botnet for hire that draws marketing and support techniques from the best of legitimate commercial activity. “They were primarily renting spots or having subscribers sign up for an account when it was still in early development, and they were charging a very low amount of money, like $5 a spot,” Scott says. Since Cayosin has matured and become more full-featured, though, the developing syndicate (or individual) has raised the price.

Cayosin has been marketed through “legitimate” social media platforms rather than the Dark Web. One of the first marketing instruments was a YouTube video showing its operation. “[Then] in the comments of the YouTube video, they started talking about an Instagram account that was selling it,” Scott says.

The Instagram account of a user called “unholdable” contains multiple articles and videos explaining how to lease space on the Cayosin botnet, how to best use the malware, and how to purchase source code for the original version of the botnet software. “You can kind of see the development of not only Cayosin but other tools that this threat actor has published” in the Instagram posts, Scott says.

Following the social media accounts led researchers to the additional malware and botnets, including Yowai, a botnet described by researchers at Trend Micro. And tThe social media accounts are allowing the developer of Cayosin to engage in market research and customers support on a commercial scale.

“If you were to click on [the post], you can see that he’s like, ‘Hey, can you give me some feedback on the service I’ve been providing to you?'” Scott says. “I mean, he’s very good on customer service — top notch — and his marketing game and advertising is on point. I mean, he is letting everybody see everything through the Instagram Stories that he’s publishing here.”

Cayosin is evolving in both its ability to infect new systems and the payloads it can distribute, he adds. “It’s got a lot of different vulnerabilities packaged into it. It is looking for vulnerabilities in Linux Web servers, Internet of Things devices, and a number of routers,” Scott says.

With the evolution comes increasing business success. “This is just the newest iteration, and they’re actually starting to build up a following and a real service and business for their customers,” he says. “As each of these tools gets burned out because everybody learns the infrastructure, they just republish it under a new name.”

While Cayosin has primarily been used to launch distributed denial-of-service (DDoS) attacks, Scott says the evolving payloads show it’s beginning to see action as a tool for exfiltrating sensitive information, stealing credentials, and other activities that may have a greater economic impact than simple DDoS.

While an individual attack using the new botnet may have an impact, Scott indicates that the greater threat may come from the new business model Cayosin represents. “There’s a whole culture here,” he says. “So this is a generation that’s very comfortable with social media. They’re just making it part of their infrastructure. We’re moving out of the Darknet and into the light.”


DDoS attackers who bought and sold services and kits offered in the defunct marketplace webstresser.org are now being targeted for prosecution by authorities in 20 countries.

Following up on the April 2018 takedown of the now disabled webstresser.org in the effort known as Operation Power OFF, investigators are now tracking its 151,000 registered users, reported Europol, which is coordinating efforts with the Joint Cybercrime Action Taskforce (J-CAT), with the support of the Dutch Politie and the British National Crime Agency.

Europol said in a press release that the marketplace was responsible for launching more than 4 million attacks by hackers paying as little as €15 (US$17) a month.

Countries engaged in the Operation Power OFF follow-up include Belgium, Croatia, Denmark, Estonia, France, Germany, Greece, Hungary, Ireland, Lithuania, Portugal, Romania, Slovenia, Sweden, Australia, Colombia, Serbia, Switzerland, Norway and the U.S.

Raj Samani, London-based chief scientist and McAfee fellow, commented to SC that these investigations indicate an intention by “law enforcement to unmask [Webstresser] customers.” In addition, the latest actions show “anonymity in a username simply does not exist,” Samani added.

Samani’s colleague at McAfee, John Fokker, the company’s head of cyber investigations, noted globally coordinated takedowns and prosecutions isn’t a new development. “What is remarkable about Operation Power OFF is the level of active collaboration from several industry stakeholders to gain better insights into the malicious nature of the Booter/Stresser sites,” Fokker added.

Recent examples of actions resulting from Operation Power OFF include:

• In the U.K., more than 250 former Webstresser users face prosecution over their DDoS attacks, and more than 60 personal electronic devices have been seized as evidence after an investigation by the U.K.’s National Crime Agency (NCA). Another 400 former customers of the site are being targeted by NCA.

• A hacker received a sentence of three years in a British prison for carrying out DDoS missives in Liberia that crashed the country’s entire internet access, resulting in millions of dollars in damage

• In the U.S., the FBI on Dec. 15 seized other DDoS-for-hire services Downthem and Quantum Stresser

• Romanian authorities have also seized DDoS platforms and information about their users

“Taking down botnet crime masters heavily relies on international cooperation of various federal agencies,” commented Ondrej Krehel, CEO and founder of the cyber forensics firm LIFARS.  “Threat actors have clear understanding that it takes time to come close to them, and prosecution is often lacking evidence,” he noted.

Krehel pointed out to SC that the dark internet still offers many renting locations for DDoS attacks, and infrastructure for cybercrime is “very affordable, often cents per compromised IP based systems.”

Visitors now to the URL Webstresser.org are told that the domain has been seized by the U.S. Department of Defense, Defense Criminal Investigative Service, Cyber Field Office in accordance with a warrant issued by the United States District Court for the Eastern District of Virginia.

Source: https://www.scmagazine.com/home/security-news/webstresser-takedowns-151000-ddos-minded-users-targeted-by-authorities-in-20-countries/