Tag Archive for: MONTHS

Meet the Windows servers that have been fueling massive DDoSes for months

A small retail business in North Africa, a North American telecommunications provider, and two separate religious organizations: What do they have in common? They’re all running poorly configured Microsoft servers that for months or years have been spraying the Internet with gigabytes per second of junk data in distributed-denial-of-service attacks designed to disrupt or completely take down websites and services.

In all, recently published research from Black Lotus Labs, the research arm of networking and application technology company Lumen, identified more than 12,000 servers—all running Microsoft domain controllers hosting the company’s Active Directory services—that were regularly used to magnify the size of distributed-denial-of-service attacks, or DDoSes.

A never-ending arms race

For decades, DDoSers have battled with defenders in a never-ending arms race. Early on, DDoSers simply corralled ever-larger numbers of Internet-connected devices into botnets and then used them to simultaneously send a target more data than it could handle. Targets—be they games, news sites, or even crucial pillars of Internet infrastructure—often buckled under the strain and either completely fell over or slowed to a trickle.

Companies like Lumen, Netscout, Cloudflare, and Akamai then countered with defenses that filtered out the junk traffic, allowing their customers to withstand the torrents. DDoSers responded by rolling out new types of attacks that temporarily stymied those defenses. The race continues to play out.

One of the chief methods DDoSers use to gain the upper hand is known as reflection. Rather than sending the torrent of junk traffic to the target directly, DDoSers send network requests to one or more third parties whose networks have known misconfigurations. Because the requests are spoofed to appear to come from the target, the third parties end up reflecting their responses at the target, often in sizes that are tens, hundreds, or even thousands of times bigger than the original payload.

Some…

Vietnamese Hackers Reinvent the Ducktail Malware Twice in Three Months


Hackers are targeting Facebook Business accounts, cryptocurrency, and credential information using a new PHP variant of the Ducktail malware. According to Zscaler, this new iteration of the malware is designed to carry out infostealing attacks like its predecessor but with certain operational differences.

Ducktail is an infostealer that originated in Vietnam a few years ago. It received upgrades in July 2022 for a new campaign to target LinkedIn users using social engineering as the vector, as documented by WithSecure.

Now, Zscaler has discovered that the new PHP-based Ducktail variant shares its malicious intentions with the previous .NET Core-based variant of Ducktail, i.e., exfiltrating credentials saved in web browsers, Facebook account information, and more.

The difference lies in how it approaches information theft. Instead of leveraging Telegram as the command and control (C2) channel to exfiltrate data, the PHP-based Ducktail exfiltrates stolen data to a newly hosted website, where it is stored in JSON format.

The new Ducktail variant is being distributed through cracked or free versions of Office applications, games, subtitle files, porn-related files, etc., to target the general public instead of employees with specific organizational roles, indicating a shift in its usual modus operandi.

Threat actors behind the Ducktail malware are financially motivated and carefully select their targets, such as those in managerial roles or those from the finance/accounting, digital media or HR departments who may have access to an organization’s financial resources.

For instance, the malware will try to obtain the payment details of its victim’s Facebook Business Ads Manager and redirect them to its operators’ accounts. However, the threat actors have expanded the scope of potential victims to include the average user.

“It seems that the threat actors behind the Ducktail stealer campaign are continuously making changes or enhancements in the delivery mechanisms and approach to steal a wide variety of sensitive user and system information targeting…

Ransomware variants almost double in six months – FortiGuard


Ransomware variants have almost doubled in the past six months, with exploit trends demonstrating the endpoint remains a target as work-from-anywhere continues, according to the latest semiannual FortiGuard Labs Global Threat Landscape Report. 

“Cyber adversaries are advancing their playbooks to thwart defence and scale their criminal affiliate networks,” says Derek Manky, chief security strategist and VP global threat intelligence, FortiGuard Labs. 

“They are using aggressive execution strategies such as extortion or wiping data as well as focusing on reconnaissance tactics pre-attack to ensure better return on threat investment,” he says. 

“To combat advanced and sophisticated attacks, organisations need integrated security solutions that can ingest real-time threat intelligence, detect threat patterns, and correlate massive amounts of data to detect anomalies and automatically initiate a coordinated response across hybrid networks.”

Glenn Maiden, director of threat intelligence, Australia and New Zealand, Fortinet, adds, “The FortiGuard Labs Global Threat Landscape 1H 2022 report has found the number of ransomware variants has almost doubled over the previous six months while the volume of ransomware, which spiked in 2021, has remained steady.

“This means FortiGuard Labs has seen the same amount of ransomware attacks; however, there is double the diversity of ransomware variants,” he says.

One of the drivers for this increase in diversity is the popularity of Ransomware-as-a-Service (RaaS). RaaS can enable even a relatively unsophisticated criminal to execute a lucrative ransomware attack.

As organisations maintain remote and hybrid working models, cyber adversaries are focusing on concealing activity from endpoint security systems. Looking at the top tactics and techniques from the past six months of endpoint detection and response (EDR) telemetry, defence evasion is the top tactic employed by malware developers. Attackers are likely to use techniques like system binary proxy execution to hide malicious intentions.

Cyber affiliates are now much more sophisticated in selecting their targets. An attacker that conducts deeper pre-attack reconnaissance will lead…

The UN Security Council must reauthorize lifesaving UN cross-border response in one month’s time

