⚡ Cybersecurity Webinar ▶ Defend, Adapt, Thrive: Top 5 Trends in Web Application Security Join the Webinar
#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
ThreatLocker Zero Trust Endpoint Protection Platform

ddos | Breaking Cybersecurity News | The Hacker News

ShellBot Uses Hex IPs to Evade Detection in Attacks on Linux SSH Servers

ShellBot Uses Hex IPs to Evade Detection in Attacks on Linux SSH Servers

Oct 12, 2023
The threat actors behind ShellBot are leveraging IP addresses transformed into their hexadecimal notation to infiltrate poorly managed Linux SSH servers and deploy the DDoS malware. "The overall flow remains the same, but the download URL used by the threat actor to install ShellBot has changed from a regular IP address to a hexadecimal value," the AhnLab Security Emergency response Center (ASEC) said in a new report published today. ShellBot, also known by the name PerlBot, is known to breach servers that have weak SSH credentials by means of a dictionary attack , with the malware used as a conduit to stage DDoS attacks and deliver cryptocurrency miners . Developed in Perl, the malware uses the IRC protocol to communicate with a command-and-control (C2) server. The latest set of observed attacks involving ShellBot has been found to install the malware using hexadecimal IP addresses – hxxp://0x2763da4e/ which corresponds to 39.99.218[.]78 – in what's seen as an a
KmsdBot Malware Gets an Upgrade: Now Targets IoT Devices with Enhanced Capabilities

KmsdBot Malware Gets an Upgrade: Now Targets IoT Devices with Enhanced Capabilities

Aug 28, 2023 Internet of Things / Malware
An updated version of a botnet malware called  KmsdBot  is now targeting Internet of Things (IoT) devices, simultaneously branching out its capabilities and the attack surface. "The binary now includes support for  Telnet scanning  and support for more CPU architectures," Akamai security researcher Larry W. Cashdollar  said  in an analysis published this month. The latest iteration, observed since July 16, 2023, comes months after it emerged that the botnet is being offered as a  DDoS-for-hire service  to other threat actors. The fact that it's being actively maintained indicates its effectiveness in real-world attacks. KmsdBot was  first documented  by the web infrastructure and security company in November 2022. It's mainly employed to target private gaming servers and cloud hosting providers, although it has since set its eyes on some Romanian government and Spanish educational sites. The malware is designed to scan random IP addresses for open SSH ports and
cyber security

New SaaS Security Solution at a No-Brainer Price - Start Free, Decide Later

websitewing.securitySaaS Security / SSPM
Wing Security recently released "Essential SSPM" to make SaaS security easy and accessible to anyone.
U.S. Authorities Seize 13 Domains Offering Criminal DDoS-for-Hire Services

U.S. Authorities Seize 13 Domains Offering Criminal DDoS-for-Hire Services

May 09, 2023 Cyber Crime / DDoS Attack
U.S. authorities have announced the seizure of 13 internet domains that offered DDoS-for-hire services to other criminal actors. The takedown is part of an ongoing international initiative dubbed  Operation PowerOFF  that's aimed at dismantling criminal DDoS-for-hire infrastructures worldwide. The development comes almost five months after a "sweep" in December 2022  dismantled 48 similar services  for abetting paying users to launch distributed denial-of-service (DDoS) attacks against targets of interest. This includes school districts, universities, financial institutions, and government websites, according to the U.S. Department of Justice (DoJ). Ten of the 13 illicit domains seized are "reincarnations" of booter or stresser services that were previously shuttered towards the end of last year. "In recent years, booter services have continued to proliferate, as they offer a low barrier to entry for users looking to engage in cybercriminal activity,
U.K. National Crime Agency Sets Up Fake DDoS-For-Hire Sites to Catch Cybercriminals

U.K. National Crime Agency Sets Up Fake DDoS-For-Hire Sites to Catch Cybercriminals

Mar 25, 2023 Cyber Crime / DDoS Attack
In what's a case of setting a thief to catch a thief, the U.K. National Crime Agency (NCA) revealed that it has created a network of fake DDoS-for-hire websites to infiltrate the online criminal underground. "All of the NCA-run sites, which have so far been accessed by around several thousand people, have been created to look like they offer the tools and services that enable cyber criminals to execute these attacks," the law enforcement agency  said . "However, after users register, rather than being given access to cyber crime tools, their data is collated by investigators." The effort is part of an ongoing international joint effort called Operation PowerOFF in collaboration with authorities from the U.S., the Netherlands, Germany, Poland, and Europol aimed at dismantling criminal DDoS-for-hire infrastructures worldwide. DDoS-for-hire (aka "Booter" or "Stresser") services rent out access to a network of infected devices to other crim
New ShellBot DDoS Malware Variants Targeting Poorly Managed Linux Servers

New ShellBot DDoS Malware Variants Targeting Poorly Managed Linux Servers

Mar 21, 2023 Linux / Server Security
Poorly managed Linux SSH servers are being targeted as part of a new campaign that deploys different variants of a malware called ShellBot. "ShellBot, also known as  PerlBot , is a DDoS Bot malware developed in Perl and characteristically uses IRC protocol to communicate with the C&C server," AhnLab Security Emergency response Center (ASEC)  said  in a report. ShellBot is installed on servers that have weak credentials, but only after threat actors make use of scanner malware to identify systems that have SSH port 22 open. A list of known SSH credentials is used to initiate a dictionary attack to breach the server and deploy the payload, after which it leverages the Internet Relay Chat ( IRC ) protocol to communicate with a remote server. This encompasses the ability to receive commands that allows ShellBot to carry out DDoS attacks and exfiltrate harvested information. ASEC said it identified three different ShellBot versions – LiGhT's Modded perlbot v2, DDoS
Is Your EV Charging Station Safe? New Security Vulnerabilities Uncovered

Is Your EV Charging Station Safe? New Security Vulnerabilities Uncovered

Feb 03, 2023 Automotive Security / Vulnerability
Two new security weaknesses discovered in several electric vehicle (EV) charging systems could be exploited to remotely shut down charging stations and even expose them to data and energy theft. The findings, which come from Israel-based SaiFlow, once again demonstrate the  potential risks  facing the EV charging infrastructure. The issues have been identified in version 1.6J of the Open Charge Point Protocol ( OCPP ) standard that uses WebSockets for communication between EV charging stations and the Charging Station Management System (CSMS) providers. The current version of OCPP is 2.0.1. "The OCPP standard doesn't define how a CSMS should accept new connections from a charge point when there is already an active connection," SaiFlow researchers Lionel Richard Saposnik and Doron Porat  said . "The lack of a clear guideline for multiple active connections can be exploited by attackers to disrupt and hijack the connection between the charge point and the CSMS.&q
Zerobot Botnet Emerges as a Growing Threat with New Exploits and Capabilities

Zerobot Botnet Emerges as a Growing Threat with New Exploits and Capabilities

Dec 22, 2022 Internet of Things / Patch Management
The  Zerobot  DDoS botnet has received substantial updates that expand on its ability to target more internet-connected devices and scale its network. Microsoft Threat Intelligence Center (MSTIC) is tracking the ongoing threat under the moniker DEV-1061, its designation for unknown, emerging, or developing activity clusters. Zerobot,  first documented  by Fortinet FortiGuard Labs earlier this month, is a Go-based malware that propagates through vulnerabilities in web applications and IoT devices like firewalls, routers, and cameras. "The most recent distribution of Zerobot includes additional capabilities, such as exploiting vulnerabilities in Apache and Apache Spark ( CVE-2021-42013  and  CVE-2022-33891  respectively), and new DDoS attack capabilities," Microsoft researchers  said . Also called ZeroStresser by its operators, the malware is offered as a DDoS-for-hire service to other criminal actors, with the botnet advertised for sale on various social media networks.
FBI Charges 6, Seizes 48 Domains Linked to DDoS-for-Hire Service Platforms

FBI Charges 6, Seizes 48 Domains Linked to DDoS-for-Hire Service Platforms

Dec 15, 2022 Cyber Attack / DDoS-for-Hire
The U.S. Department of Justice (DoJ) on Wednesday announced the seizure of 48 domains that offered services to conduct distributed denial-of-service (DDoS) attacks on behalf of other threat actors, effectively lowering the barrier to entry for malicious activity. It also charged six suspects – Jeremiah Sam Evans Miller (23), Angel Manuel Colon Jr. (37), Shamar Shattock (19), Cory Anthony Palmer (22), John M. Dobbs (32), and Joshua Laing (32) – for their alleged ownership in the operation. The websites "allowed paying users to launch powerful distributed denial-of-service, or DDoS, attacks that flood targeted computers with information and prevent them from being able to access the internet," the DoJ said in a press statement. The six defendants have been charged with running various booter (or stresser) services, including RoyalStresser[.]com, SecurityTeam[.]io, Astrostress[.]com, Booter[.]sx, IPStresser[.]com, and TrueSecurityServices[.]io. They have also been accused
Mantis Botnet Behind the Largest HTTPS DDoS Attack Targeting Cloudflare Customers

Mantis Botnet Behind the Largest HTTPS DDoS Attack Targeting Cloudflare Customers

Jul 15, 2022
The botnet behind the largest HTTPS distributed denial-of-service (DDoS) attack in June 2022 has been linked to a spate of attacks aimed at nearly 1,000 Cloudflare customers. Calling the powerful botnet  Mantis , the web performance and security company attributed it to more than 3,000 HTTP DDoS attacks against its users. The most attacked industry verticals include internet and telecom, media, gaming, finance, business, and shopping, of which over 20% of the attacks targeted U.S.-based companies, followed by Russia, Turkey, France, Poland, Ukraine, the U.K., Germany, the Netherlands, and Canada. Last month, the company said it  mitigated  a record-breaking DDoS attack aimed at an unnamed customer website using its Free plan that peaked at 26 million requests per second (RPS), with each node generating approximately 5,200 RPS. The tsunami of junk traffic lasted less than 30 seconds and generated more than 212 million HTTPS requests from more than 1,500 networks in 121 countries,
New EnemyBot DDoS Botnet Borrows Exploit Code from Mirai and Gafgyt

New EnemyBot DDoS Botnet Borrows Exploit Code from Mirai and Gafgyt

Apr 14, 2022
A threat group that pursues crypto mining and distributed denial-of-service (DDoS) attacks has been linked to a new botnet called Enemybot, which has been discovered enslaving routers and Internet of Things (IoT) devices since last month. "This botnet is mainly derived from  Gafgyt 's source code but has been observed to borrow several modules from  Mirai 's original source code," Fortinet FortiGuard Labs  said  in a report this week. The botnet has been attributed to an actor named Keksec (aka  Kek Security , Necro, and  FreakOut ), which has been linked to multiple botnets such as  Simps ,  Ryuk  (not to be confused with the ransomware of the same name), and  Samael , and has a history of targeting cloud infrastructure to carry out crypto mining and DDoS operations. Primarily targeting routers from Seowon Intech, D-Link, and iRZ to propagate its infections and grow in volume, an analysis of the malware specimen has highlighted Enemybot's obfuscation attemp
Beastmode DDoS Botnet Exploiting New TOTOLINK Bugs to Enslave More Routers

Beastmode DDoS Botnet Exploiting New TOTOLINK Bugs to Enslave More Routers

Apr 04, 2022
A variant of the Mirai botnet called Beastmode has been observed adopting newly disclosed vulnerabilities in TOTOLINK routers between February and March 2022 to infect unpatched devices and expand its reach potentially. "The Beastmode (aka B3astmode) Mirai-based DDoS campaign has aggressively updated its arsenal of exploits," Fortinet's FortiGuard Labs Research team  said . "Five new exploits were added within a month, with three targeting various models of TOTOLINK routers." The list of exploited vulnerabilities in TOTOLINK routers is as follows - CVE-2022-26210  (CVSS score: 9.8) - A command injection vulnerability that could be exploited to gain arbitrary code execution CVE-2022-26186  (CVSS score: 9.8) - A command injection vulnerability affecting TOTOLINK N600R and A7100RU routers, and CVE-2022-25075 to CVE-2022-25084  (CVSS scores: 9.8) - A command injection vulnerability impacting multiple TOTOLINK routers, leading to code execution The other e
New EwDoor Botnet Targeting Unpatched AT&T Network Edge Devices

New EwDoor Botnet Targeting Unpatched AT&T Network Edge Devices

Dec 01, 2021
A newly discovered botnet capable of staging distributed denial-of-service (DDoS) attacks targeted unpatched Ribbon Communications (formerly Edgewater Networks) EdgeMarc appliances belonging to telecom service provider AT&T by exploiting a four-year-old flaw in the network appliances. Chinese tech giant Qihoo 360's Netlab network security division, which detected the botnet first on October 27, 2021, called it  EwDoor , noting it observed 5,700 compromised IP addresses located in the U.S. during a brief three-hour window. "So far, the EwDoor in our view has undergone three versions of updates, and its main functions can be summarized into two main categories of DDoS attacks and backdoor," the researchers  noted . "Based on the attacked devices are telephone communication related, we presume that its main purpose is DDoS attacks, and gathering of sensitive information, such as call logs." Propagating through a flaw in EdgeMarc devices, EwDoor supports a
SOVA: New Android Banking Trojan Emerges With Growing Capabilities

SOVA: New Android Banking Trojan Emerges With Growing Capabilities

Sep 10, 2021
A mix of banking applications, cryptocurrency wallets, and shopping apps from the U.S. and Spain are the target of a newly discovered Android trojan that could enable attackers to siphon personally identifiable information from infected devices, including banking credentials and open the door for on-device fraud. Dubbed S.O.V.A. (referring to the Russian word for owl), the current version of the banking malware comes with myriad features to steal credentials and session cookies through web overlay attacks, log keystrokes, hide notifications, and manipulate the clipboard to insert modified cryptocurrency wallet addresses, with future plans to incorporate  on-device fraud through VNC , carry out DDoS attacks, deploy ransomware, and even intercept two-factor authentication codes. The malware was discovered in the beginning of August 2021 by researchers from Amsterdam-based cybersecurity firm ThreatFabric. Overlay attacks typically involve the theft of confidential user information us
Police Shut Down World's Biggest 'DDoS-for-Hire' Service–Admins Arrested

Police Shut Down World's Biggest 'DDoS-for-Hire' Service–Admins Arrested

Apr 25, 2018
In a major hit against international cybercriminals, the Dutch police have taken down the world's biggest DDoS-for-hire service that helped cyber criminals launch over 4 million attacks and arrested its administrators. An operation led by the UK's National Crime Agency (NCA) and the Dutch Police, dubbed " Power Off, " with the support of Europol and a dozen other law enforcement agencies, resulted in the arrest of 6 members of the group behind the " webstresser.org " website in Scotland, Croatia, Canada and Serbia on Tuesday. With over 136,000 registered users, Webstresser website lets its customers rent the service for about £10 to launch Distributed Denial of Service (DDoS) attacks against their targets with little or no technical knowledge. "With webstresser.org, any registered user could pay a nominal fee using online payment systems or cryptocurrencies to rent out the use of stressers and booters," Europol said. The service was also
Malware Hunter — Shodan's new tool to find Malware C&C Servers

Malware Hunter — Shodan's new tool to find Malware C&C Servers

May 02, 2017
Rapidly growing, insecure internet-connected devices are becoming albatross around the necks of individuals and organizations with malware authors routinely hacking them to form botnets that can be further used as weapons in DDoS and other cyber attacks. But now finding malicious servers, hosted by attackers, that control botnet of infected machines gets a bit easier. Thanks to Shodan and Recorded Future. Shodan and Recorded Future have teamed up and launched Malware Hunter – a crawler that scans the Internet regularly to identify botnet command and control (C&C) servers for various malware and botnets. Command-and-control servers ( C&C servers ) are centralized machines that control the bots ( computers, smart appliances or smartphones ), typically infected with Remote Access Trojans or data-stealing malware, by sending commands and receiving data. Malware Hunter results have been integrated into Shodan – a search engine designed to gather and list information abo
FBI raids BlackShades RAT Malware Customers in Europe and Australia

FBI raids BlackShades RAT Malware Customers in Europe and Australia

May 16, 2014
When it comes to crime, whether it's an online or offline, FBI doesn't spare anyone. According to the French media reports and various announcements on underground forums by hacking groups, the FBI has started a large-scale operation of International raids with the help of local law enforcement authorities to arrest a particular group of cyber criminals and Hackers. The FBI has targeted the customers of a popular Remote Administration Tool (RAT) called ' blackshades ', which allows them to connect and manage thousands of remotely infected computers over the Internet. WHAT IS BLACKSHADES RAT?? ' Blackshades ' is a remote administration tool (RAT) which allows an attacker to control several clients from around the world.  Blackshades  malware   is fully equipped with Drive-by attacks, Java exploits, keylogger and it allows an attacker to steal usernames and passwords for email and Web services, instant messaging applications, FTP clients and lots more. In worst
Java based cross platform malware found in wild

Java based cross platform malware found in wild

Aug 02, 2013
Other than Windows, Now other platforms are becoming more popular every day and attracting bad guys who are starting to create malicious code for other systems.  Java applications can run on multiple platforms with ease, thus no surprise that malicious code written in Java that is designed to target more than one operating system are becoming increasingly common. Researchers at McAfee Labs spotted another sample of Java based trojan dubbed as JV/BackDoor-FAZY  that opens a back door for an attacker to execute commands and acts as a bot after infection. According to researcher, The key to decrypt the config file was encrypted with Base 64, Triple-DES algorithm and Hex. Decrypting the file provides information about the backdoor connection, includes IP address, port number, operating system, mutex information, and password for the connection. " On execution, the JAR file opens the backdoor connection to the IP address and the port mentioned in the plain config
Incapsula innovative DDoS Protection techniques

Incapsula innovative DDoS Protection techniques

Nov 22, 2012
Several weeks ago we reviewed Incapsula , a Cloud-based Security service which can significantly enhance the security of your website, while also boosting its performance. Following this review we've received many responses from our readers who wanted to learn more about Incapsula protection services. Specifically, we were asked to explain more about Incapsula Enterprise plan features. To answer these questions, today we are going to take a look at Incapsula DDoS Protection services. Distributed Denial of Service attacks If your business has a web presence, chances are that you've already heard about Distributed Denial of Service attacks. In case you didn't, a Distributed Denial of Service (DDoS) attack is a DoS attack that is usually carried out by a "botnet", a network of computers acting in concert to overwhelm the server by depleting all available resources. Recently we all witnessed a large DDos attacks on U.S. banks by Muslim hacker group , an attack which crippled th
Anonymous Hacker claims to have 20,000 debit card details from HSBC Cyberattack

Anonymous Hacker claims to have 20,000 debit card details from HSBC Cyberattack

Oct 21, 2012
One of Anonymous hacker groups " FawkesSecurity " who claim responsibility for a DDOS cyber attack on HSBC Bank says that they also manage to get 20,000 debit card details. When HSBC said , " This denial-of-service attack did not affect any customer data , but did prevent customers using HSBC online services, including Internet banking.", Anonymous tweeted on Friday. " We also managed to log 20,000 debit card details ." On asking, is there any proof of this claim , they replied ,"  We're debating whether to release them or not, HSBC knows debit details were intercepted, They probz won't admit it tho, ". On the other hand, A group that calls itself Izz ad-Din Al Qassam  , which has claimed responsibility for recent cyberattacks on at least nine other banks, also took responsibility for the assault on HSBC. Who ever the real hitman behind this, but according to hacker's warnings - RBS, Lloyds TSB and Barclays Banks are next targets.
HSBC hit by Anonymous denial-of-service attack

HSBC hit by Anonymous denial-of-service attack

Oct 19, 2012
The multinational bank HSBC has blamed a denial of service attack for the downtime of many of its websites worldwide on Thursday night and the Anonymous group has been quick to take credit. " Banks are the sole cause of our current worldwide economic problems. They deserve to get hit. RBS, Lloyds TSB and Barclays are next, " FawkesSecurity said . " This denial-of-service attack did not affect any customer data, but did prevent customers using HSBC online services, including Internet banking. We are taking appropriate action, working hard to restore service. We are pleased to say that some sites are now back up and running. We are cooperating with the relevant authorities and will cooperate with other organizations that have been similarly affected by such criminal acts. " HSBC said. The timing of the group's Twitter postings lends credence to its claims, but Twitter users claiming to be Anonymous members have falsely claimed responsibility for at
Cybersecurity Resources