A new botnet named Roboto is targeting Linux servers running Webmin app, according to security researchers at 360 Netlab. Roboto is a peer-to-peer botnet that has been active since summer and is exploiting a vulnerability in the Webmin app. The app offers a web-based remote management system for Linux servers and is installed on as many as 215,000 servers.

The vulnerability, identified as CVE-2019-15107, allows bad actors to compromise older Webmin servers by running malicious code and gaining root privileges. The vulnerability was identified and patched by the company behind Webmin. However, many users have not installed the latest version with the patch, and Roboto botnet is targeting such servers.

According to security researchers, the Roboto botnet has DDoS attack capability in its code, and it is the main feature of the botnet. The bad actors behind the botnet aim to expand it by conducting DDoS attacks via vectors such as HTTP, ICMP, UDP, and TCP.

Also, once the botnet compromises a Linux system running the older version of the Webmin app, it can perform actions like collecting system, network, and process information. It further uploads collected data to a remote server, executes Linux commands, and initiates a file downloaded from a remote URL.

What makes the Roboto botnet unique is its peer-to-peer network structure.

To avoid this attack, we recommend that users update the Webmin app to version 1.930, or disable the ‘user password change’ option in the app.


Source: https://fossbytes.com/linux-servers-webmin-targeted-ddos-attacks/

An Illinois man who has been hacking since he was a teenager was sentenced last week to 13 months in prison and ordered to forfeit $542,925 for operating a service that charged subscription fees to hackers who launched millions of cyberattacks from 2015 to 2017, the U.S. Justice Department announced.

Federal prosecutors say Sergiy Petrovich Usatyuk, 21, of Orland Park, conspired with an unidentified resident of Canada to operate illegal “booter services” that launched distributed denial-of-service attacks against websites to make them slow or inaccessible from around August 2015 through November 2017. He pleaded guilty on February 27 to conspiracy to cause damage to protected computers and agreed to forfeit all the money he had earned through the crime, as well as hand over dozens of computer servers that were used to carry out the DDoS attacks.

Cybersecurity expert and author Brian Krebs, a former Washington Post journalist, reported on his blog in February that Usatyuk’s arrest is part of a crackdown by the FBI against “DDoS-for-hire” services. Federal prosecutors in Los Angeles charged in January that Matthew Gatrel of St. Charles, Illinois and Juan Martinez of Pasadena, Calif. sold continuously updated lists of Internet addresses tied to devices that could be used by booter services to make more effective attacks against websites. That criminal case has not yet gone to trial.

Curiously, Krebs himself was an early victim of Usatyuk. Krebs wrote that after his website, KrebsOnSecurity, was attacked in 2014, he tracked down the culprit through posts that Usatyuk wrote on a website called Hackforums. He said he interviewed both Usatyuk, who was 15 at the time, and his father, an assistant professor at the University of Chicago. Sergiy denied that he was the attacker, but the FBI thought differently and told him that his DDoS attacks were illegal, according to a pre-sentencing report.

Prosecutors had recommended that Usatyuk be sentenced to 57 months in prison, the amount called for under federal guidelines. The U.S. Attorney’s office noted that Usatyuk had been warned and had promised to discontinue his cyber attacks.

“The defendant’s promises proved hollow,” the report says. “Within two years of the FBI’s visits to his home, the defendant not only elected to resume launching DDoS attacks; but dramatically escalated the seriousness and scope of his criminal conduct by unveiling services that could help thousands of other cyber criminals do the same.”

Prosecutors say Usatyuk’s booter service was used to attack U.S. military webpages, law enforcement agencies, large and small corporations and residential communities. In a victim impact statement, MCNC, a nonprofit technology provider for North Carolina schools, said DDoS attacks disrupt business operations by overwhelming networks with bogus traffic, preventing legitimate requests from getting through. The organization has spent $4 million since 2015 on hardware, software and maintenance to protect itself from cyber attacks, stated Chris Beal, chief information security officer.

Beal said that DDoS attacks are similar to pulling a fire alarm to disrupt classes.

“Students utilize DDoS attack (or ‘Booter’) services because they make DDoS attacks very inexpensive, and very little technical skill is required to implement an attack,” Beal said. “These services can make it trivial for students to launch these attacks against their schools, and the attacks can be highly disruptive.”

The FBI says Usatyuk created a Delaware corporation called OkServers that offered a “booter” service that allowed hackers to launch DDoS attacks in exchange for subscription fees. He and his Canadian co-conspirator operated domains including exostress.in, ipbooters.com and databooter.com that launched attacks from servers in Chicago and Bucharest, Romania.

Usatyuk told one ExoStresser user, “You can DDOS any IP you want, we don’t care,” according to the criminal information.

Prosecutors said Usatyuk’s servers were used for at least three DDoS attacks against the Franklin Regional School District near Pittsburgh, Pennsylvania, that disrupted the school district’s network and also the computer systems of more than 17 organizations that shared the same infrastructure in Westmoreland County.

A manufacturer of Internet games was also targeted by OkServers’ equipment and had to pay $164,000 to resume operations after a DDoS attack, according to charging papers.

The Justice Department said that in the first 13 months of the conspiracy, 385,863 separate users made 3,829,812 DDoS attacks. Computer logs for the final 14 months of the conspiracy had been deleted and were no longer available, according to court documents.

U.S. District Judge imposed the 13-month prison sentence on Friday. On Monday, the judge ordered Usatyuk to report to prison on Jan. 2.

Source: https://www.claimsjournal.com/news/national/2019/11/19/294156.htm

Party understood to be subject of second distributed denial of service (DDoS) attack on Tuesday afternoon.

The Labour party has faced a second cyber-attack, a day after experiencing what it called a “sophisticated and large-scale” attempt to disrupt its digital systems.

It is understood the party was the subject of a second distributed denial of service (DDoS) attack on Tuesday afternoon. Such attacks use “botnets” – networks of compromised computers – to flood a server with requests that overwhelm it.

A Labour spokeswoman said: “We have ongoing security processes in place to protect our platforms, so users may be experiencing some differences. We are dealing with this quickly and efficiently.”

Labour has not said who it suspects is behind the attacks, but said it was confident its security systems ensured there was no data breach.

Party officials have reported the initial attack, which took place on Monday, to the National Cyber Security Centre, the government agency that supports and advises organisations on such incidents.

Labour has not said which digital platforms were targeted, but it is understood some of them were election and campaigning tools, which would contain details about voters. The party has sent a message to campaigners to say what happened and to explain why the systems were working slowly on Monday.

A party spokeswoman said: “We have experienced a sophisticated and large-scale cyber-attack on Labour digital platforms. We took swift action and these attempts failed due to our robust security systems. The integrity of all our platforms was maintained and we are confident that no data breach occurred.

“Our security procedures have slowed down some of our campaign activities, but these were restored this morning and we are back up to full speed. We have reported the matter to the National Cyber Security Centre.”

Whitehall sources said the initial indications were that the attack was carried out by a “non-state actor”.

The party’s head of campaigns, Niall Sookoo, wrote: “Yesterday afternoon our security systems identified that, in a very short period of time, there were large-scale and sophisticated attacks on Labour party platforms which had the intention of taking our systems entirely offline.

“Every single one of these attempts failed due to our robust security systems and the integrity of all our platforms and data was maintained. I would I like to pay tribute to all the teams at Labour HQ who identified this risk and acted quickly to protect us.”

DDoS attacks can vary in sophistication, but are generally easily mitigated. Web records show Labour is a customer of Cloudflare, which provides DDoS protection services to a large proportion of the web. The company protects customers from DDoS attacks by providing extra capacity as needed, filtering traffic so that only legitimate requests are dealt with and storing “cached” versions of websites on its own servers.

Even when DDoS attacks succeed, they rarely have implications beyond enforced downtime, as the target waits for the attack to end or secures extra bandwidth to deal with the new traffic. At their simplest, DDoS attacks can be hard to distinguish from legitimate traffic rises, as when cinema websites collapse when a new film is released.

DDoS attacks are cheap to pull off. Multiple criminal actors offer “DDoS as a service”, selling time on their botnets. One report from 2017 found a 300-second attack, with a total bandwidth of 125Gbps, could be purchased for €5; a longer attack, aimed at knocking a website offline for an hour, for €90. Others were even cheaper, offering three hours of downtime for $60.

Brian Higgins, a security specialist at Comparitech.com, said: “[The attacks] don’t normally represent any threat to data or information and can be defended against and recovered from quite easily if the victim has robust cybersecurity policies in place. It’s hardly surprising that the Labour party has been targeted given the current political landscape in the UK.”

Source: https://www.theguardian.com/politics/2019/nov/12/labour-reveals-large-scale-cyber-attack-on-digital-platforms

The specific type of TCP attack used in the recent spate of DDoS efforts was the TCP SYN-ACK reflection attack.

The last 30 days have seen a renewed increase in distributed denial-of-service (DDoS) activity, according to researchers, who said that they have observed a number of criminal campaigns mounting TCP reflection DDoS attacks against corporations.

Researchers at Radware said that the list of victims includes a number of large companies, including Amazon, IBM subsidiary SoftLayer, Eurobet Italia SRL, Korea Telecom, HZ Hosting and SK Broadband.

The first major event in October took the Eurobet network down. Eurobet, an online sports gambling website, suffered a campaign that persisted for days and impacted several other betting networks, according to Radware.

Then, later in October, amid a flurry of DDoS attacks targeting companies in nearly every vertical around the world, the firm identified another large-scale multi-vector campaign that targeted the financial and telecommunication industries in Italy, South Korea and Turkey.

“This attack was noticed by the security community due to the reflective nature of one of the attack vectors,” the researchers noted. “In a period of 24 hours, millions of TCP-SYN packets from nearly 7,000 distinct source IP addresses part of [the infrastructure of Turkish provider] Garanti Bilisim Teknolojisi ve Ticaret TR.A.S. were sensed globally and specifically targeting ports 22, 25, 53, 80 and 443.”

The activity is a continuation of an uptick in attackers leveraging TCP reflection attacks that began in 2018, according to the firm. These tend to be low bandwidth, but they generate high packet rates (increased volumes of packets per second) that require large amounts of resources from network devices to process the traffic and cause outages. That’s why large corporate and telecom networks are often targets, Radware researchers explained.

The specific type of TCP attack used in the recent spate of DDoS efforts was the TCP SYN-ACK reflection attack. In this scenario, an attacker sends a spoofed SYN packet, with the original source IP replaced by the victim’s IP address, to a range of random or pre-selected reflection IP addresses. The services at the reflection addresses reply with a SYN-ACK packet to the victim of the spoofed attack. If the victim does not respond, the reflection service will continue to retransmit the SYN-ACK packet, resulting in amplification. The amount of amplification depends on the number of SYN-ACK retransmits by the reflection service, which can be influenced by the attacker.

Most of the targeted networks did not respond properly to the spoofed requests, which would have disabled the TCP retransmit amplification, according to the analysis.
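The detection side of the scenario above, as an added example that is not Radware's code: it walks a set of constructed flow records, flags inbound SYN-ACKs that no outbound SYN from the protected prefix explains, and estimates the per-reflector retransmit amplification. The protected prefix 203.0.113.0/24 and the record layout are assumptions.

```python
"""Spot SYN-ACK reflection traffic in flow records (added example, constructed data)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: this is the prefix we defend (RFC 5737 documentation range).
PROTECTED = ip_network("203.0.113.0/24")

# Constructed sample: one legitimate handshake to 198.51.100.5:443, then a
# reflection flood in which three reflectors send SYN-ACKs to 203.0.113.10:22
# that no local SYN requested; 192.0.2.7 retransmits with the usual back-off.
# Record layout: (time_s, src_ip, src_port, dst_ip, dst_port, tcp_flags)
RECORDS = [
    (0.00, "203.0.113.10", 50123, "198.51.100.5", 443, "S"),
    (0.02, "198.51.100.5", 443, "203.0.113.10", 50123, "SA"),
    (0.03, "203.0.113.10", 50123, "198.51.100.5", 443, "A"),
    (1.00, "192.0.2.7", 80, "203.0.113.10", 22, "SA"),
    (2.00, "192.0.2.7", 80, "203.0.113.10", 22, "SA"),
    (4.00, "192.0.2.7", 80, "203.0.113.10", 22, "SA"),
    (8.00, "192.0.2.7", 80, "203.0.113.10", 22, "SA"),
    (1.10, "192.0.2.8", 443, "203.0.113.10", 22, "SA"),
    (2.10, "192.0.2.8", 443, "203.0.113.10", 22, "SA"),
    (1.20, "192.0.2.9", 25, "203.0.113.10", 22, "SA"),
]


def find_unsolicited_synacks(records, protected=PROTECTED):
    """Return {(reflector_ip, reflector_port): synack_count} for inbound
    SYN-ACKs that do not match any SYN our own hosts sent out."""
    started = set()  # handshakes we initiated: (local_ip, local_port, remote_ip, remote_port)
    counts = defaultdict(int)
    for _t, sip, sport, dip, dport, flags in sorted(records, key=lambda r: r[0]):
        if flags == "S" and ip_address(sip) in protected:
            started.add((sip, sport, dip, dport))
        elif flags == "SA" and ip_address(dip) in protected:
            if (dip, dport, sip, sport) not in started:
                counts[(sip, sport)] += 1
    return dict(counts)


def amplification_factor(unsolicited):
    """Mean SYN-ACKs per reflector. Each unsolicited (ip, port) tuple stands for
    one spoofed SYN the attacker sent, so retransmits push this ratio above 1."""
    if not unsolicited:
        return 0.0
    return sum(unsolicited.values()) / len(unsolicited)


def is_reflection_flood(unsolicited, min_reflectors=3, min_factor=1.5):
    """Flag when many distinct reflectors send unsolicited SYN-ACKs and
    retransmissions are visible; thresholds are assumptions to tune per site."""
    return (len(unsolicited) >= min_reflectors
            and amplification_factor(unsolicited) >= min_factor)


if __name__ == "__main__":
    hits = find_unsolicited_synacks(RECORDS)
    print(hits, round(amplification_factor(hits), 2), is_reflection_flood(hits))
```

Answering an unsolicited SYN-ACK with a RST, as the analysis notes, stops the reflector retransmitting and so removes the amplification; a detector like this one tells you which reflectors are still retransmitting because the victim is silently dropping.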

The impact range of these kinds of campaigns is significant, according to Radware, degrading service at the targeted networks as well as reflection networks across the world.

“Not only do the targeted victims, who are often large and well-protected corporations, have to deal with floods of TCP traffic, but randomly selected reflectors, ranging from smaller businesses to homeowners, have to process the spoofed requests and potential legitimate replies from the target of the attack,” researchers wrote in a recent post. “Those that are not prepared for these kinds of spikes in traffic suffer from secondary outages, with SYN floods one of the perceived side-effects by the collateral victims.”

In the more recent TCP reflection attacks, the firm’s forensics showed that the attackers leveraged a large majority of the internet IPv4 address space as reflectors, with spoofed sources originating from either bots or servers hosted on subnets without IP source address verification.

The 2019 activity follows an 11 percent dip in the number of DDoS attacks in the fourth quarter of 2018, following the FBI’s crackdown on 15 DDoS-for-hire sites.

Source: https://threatpost.com/massive-ddos-amazon-telecom-infrastructure/150096/

The need for bot management is fueled by the rise in automated attacks. In the early days, the use of bots was limited to small scraping attempts or spamming. Today, things are vastly different. Bots are being used to take over user accounts, perform DDoS attacks, abuse APIs, scrape unique content and pricing information and more. In its “Hype Cycle for Application Security 2018,” Gartner mentioned bot management at the peak of inflated expectations under the high benefit category.

Despite serious threats, are enterprise businesses adopting bot management solutions? The answer is no. Many are still in denial. These businesses are trying to restrain bots using in-house resources and solutions, putting user security at risk. In a recent study, Development of In-house Bot Management Solutions and their Pitfalls, security researchers from ShieldSquare found that managing bots through in-house resources is doing more harm than good.

Against 22.39% of actual bad bot traffic, advanced in-house bot management solutions detected only 11.54% of bad bots. Not only did these solutions fail at detecting most of the bad bots, but nearly 50% of the 11.54% detected were also false positives.

Figure 1: Bots Detected by In-house Bot Management Solutions vs. Actual Bad Bot Percentage

So why do in-house bot management solutions fail? Before we dive deeper into finding out the reasons behind the failure of in-house bot management solutions, let’s look at a few critical factors.

More Than Half of Bad Bots Originate From the U.S.

As figure 2 shows (see below), 56.4% of bad bots originated from the U.S. in Q1 2019. Bot herders know that the U.S. is the epicenter of business and showing their origin from the U.S. helps them in escaping geography-based traffic filtration. For example, many organizations that leverage in-house resources to restrain bots often block the countries where they don’t have any business. Or, they block countries such as Russia, suspecting that’s where most of the bad bots originate. The fact is contrary: Only 2.6% of total bad bots originated from Russia in Q1 2019.

Figure 2: Origin of Bad Bots by Country


Cyber attackers now leverage advanced technologies to cycle through thousands of IPs and evade geography-based traffic filtration. When bots emanate from diverse geographical locations, IP-based or geography-based filtering heuristics become useless. Detection requires understanding the intent of your visitors to nab the suspected ones.

One-Third of Bad Bots Can Mimic Human Behavior

In Q1 2019 alone, 37% of bad bots were human-like. These bots can mimic human behavior (such as mouse movements and keystrokes) to evade existing security systems (Generation 3 and Generation 4 bad bots, as shown in figure 3).

Figure 3: Bad Bot Traffic by Generation

Sophisticated bots are distributed over thousands of IP addresses or device IDs and can connect through random IPs to evade detection. These stealthy detection-avoiding actions don’t stop there. The programs of these sophisticated bots understand the measures that you can take to stop them. They know that apart from random IP addresses, geographical location is another area that they can exploit. Bots leverage different combinations of user agents to evade in-house security measures.

In-house solutions don’t have visibility into different types of bots, and that’s where they fail. These solutions work based on the data collected from internal resources and lack global threat intelligence. Bot management is a niche space and requires a comprehensive understanding and continuous research to keep up with notorious cybercriminals. Organizations that are working across various industries deploy in-house measures as their first mitigation step when facing bad bots. To their dismay, in-house solutions often fail to recognize sophisticated bot patterns.


Deploy Challenge-Response Authentication

Challenge-response authentication helps you filter first-generation bots. There are different types of challenge-response authentication, CAPTCHAs being the most widely used. However, challenge-response authentication can only help in filtering outdated user agents/browsers and basic automated scripts and can’t stop sophisticated bots that can mimic human behavior.

Implement Strict Authentication Mechanism on APIs

With the widespread adoption of APIs, bot attacks on poorly protected APIs are increasing. APIs typically only verify the authentication status, but not the authenticity of the user. Attackers exploit these flaws in various ways (including session hijacking and account aggregation) to imitate genuine API calls. Implementing strict authentication mechanisms on APIs can help to prevent security breaches.

Monitor Failed Login Attempts and Sudden Spikes in Traffic

Cyber attackers deploy bad bots to perform credential stuffing and credential cracking attacks on login pages. Since such approaches involve trying different credentials or different combinations of user IDs and passwords, they increase the number of failed login attempts. The presence of bad bots on your website suddenly increases the traffic as well. Monitoring failed login attempts and sudden spikes in traffic can help you take pre-emptive measures before bad bots penetrate your web applications.
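The monitoring described above, as an added example rather than ShieldSquare's code: it parses constructed login-log lines, flags a source IP that fails against many distinct accounts inside a short window (the credential-stuffing shape, as opposed to one user retyping a password), and reports minutes whose attempt count spikes above a baseline. The log format, window and thresholds are assumptions.

```python
"""Flag credential-stuffing sources and login-traffic spikes (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<iso-timestamp> ip=<addr> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one human who mistypes once, and one IP cycling through
# six accounts in six seconds until a stuffed credential pair works.
SAMPLE_LOG = """\
2019-11-12T10:00:01Z ip=198.51.100.4 user=alice result=FAIL
2019-11-12T10:00:09Z ip=198.51.100.4 user=alice result=OK
2019-11-12T10:00:10Z ip=203.0.113.9 user=bob result=FAIL
2019-11-12T10:00:11Z ip=203.0.113.9 user=carol result=FAIL
2019-11-12T10:00:12Z ip=203.0.113.9 user=dave result=FAIL
2019-11-12T10:00:13Z ip=203.0.113.9 user=erin result=FAIL
2019-11-12T10:00:14Z ip=203.0.113.9 user=frank result=FAIL
2019-11-12T10:00:15Z ip=203.0.113.9 user=grace result=OK
"""


def parse(log_text):
    """Return [(datetime, ip, user, result)], skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def stuffing_suspects(events, window=timedelta(minutes=1), max_fail=4, min_users=3):
    """{ip: (failures, distinct_users)} for sources whose failures within any
    sliding `window` hit both thresholds; many usernames from one IP is the
    tell, so a single account with repeated failures is not reported here."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    suspects = {}
    for ip, fails in by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            span = fails[start:end + 1]
            users = {u for _, u in span}
            if len(span) >= max_fail and len(users) >= min_users:
                suspects[ip] = max(suspects.get(ip, (0, 0)), (len(span), len(users)))
    return suspects


def traffic_spike(events, baseline_per_min=2.0, factor=3.0):
    """Minutes (as 'YYYY-MM-DDTHH:MM') whose login attempts exceed factor x baseline."""
    per_min = defaultdict(int)
    for ts, *_ in events:
        per_min[ts.replace(second=0, microsecond=0)] += 1
    return sorted(m.strftime("%Y-%m-%dT%H:%M") for m, n in per_min.items()
                  if n > factor * baseline_per_min)
```

The per-IP view catches a single stuffing source; distributed bots spread over many IPs show up instead in the per-minute spike and in a per-account failure count, which is why both signals are monitored.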

Deploy a Dedicated Bot Management Solution

In-house measures, such as the practices mentioned above, provide basic protection but do not ensure the safety of your business-critical content, user accounts and other sensitive data. Sophisticated third- and fourth-generation bots, which now account for 37% of bad-bot traffic, can be distributed over thousands of IP addresses and can attack your business in multiple ways. They can execute low and slow attacks or make large-scale distributed attacks that can result in downtime. A dedicated bot management solution facilitates real-time detection and mitigation of such sophisticated, automated activities.

Source: https://securityboulevard.com/2019/11/why-organizations-are-failing-to-deal-with-rising-bot-attacks/