By Habiba Rashid
Has your Tor browser been slow for the past few months? Well, you are not alone; the ongoing DDoS attacks on the Tor network are keeping it slow worldwide.
This is a post from HackRead.com Read the original post: Tor Network Hit By a Series of Ongoing DDoS Attacks

The Tor Project revealed that its network has been suffering from “several different types of ongoing DDoS attacks (Distributed Denial of Service attacks) for at least seven months.

For Tor Browser users who have been wondering why the onion has been having network connectivity and performance issues lately, you are not alone; many others have had problems with the sites loading altogether. 

The Tor Project’s Executive Director, Isabela Dias Fernandes, reported on Tuesday that the network has been targeted by a wave of DDoS attacks (Distributed Denial of Service attacks) for at least the past seven months.

“At some points, the attacks impacted the network severely enough that users could not load pages or access onion services,” Fernandes said on Tuesday.

“We have been working hard to mitigate the impacts and defend the network from these attacks. The methods and targets of these attacks have changed over time and we are adapting as these attacks continue.”

Fernandes also promises that the Tor team will keep tweaking and improving the network defences to counter the ongoing issue. However, they have not yet discovered the goal of these attacks or the identity of the attackers behind them. The Tor Network team will also be expanded to include two new members focusing on .onion service development.

“To clarify, our services have not been down, but on occasion slow for some users, and it is important to note that the user experience is affected by a variety of factors, including what onion services are being used, or which relays get picked when they build a circuit through Tor.”

**_Quick FAQs_****What is Tor Browser?**

Tor Browser or “The Onion Router,” is a free, open-source web browser that allows users to browse the internet anonymously. It was originally developed for US Naval Intelligence in the mid-1990s and was released into the public domain in October 2002.

It is worth noting that the Tor browser utilizes multi-layered encryption of data packets, making it difficult, but not impossible, for anyone to track or monitor user activity on the internet.

The core concept behind Tor is that it creates a network of nodes with each layer acting as an encrypted tunnel so that when a user sends out information, they are virtually untraceable. With every node encrypted; no one can trace where the data originated from or who may have accessed it during transmission. As such, this makes Tor ideal for those looking to keep their online activities private and secure especially journalists and whistleblowers.

**What is a DDoS Attack?**

A DDoS attack stands for Distributed Denial-of-Service attack. It is a type of cyberattack that uses multiple compromised Internet of Things (IoT) or smart devices including computers, routers, cameras, etc. to create a botnet and send massive amounts of traffic to a single targeted server or website to overwhelm it and make it inaccessible for regular users.

1.  23% of Tor browser relays steal Bitcoin
2.  Tor Browser Flaw Leaks Your Real IP Address
3.  Best Dark Web Search Engines for Tor Browser
4.  Fake Tor Browser Spreads Malware Via YouTube
5.  Download official Tor browser on Android devices
6.  What Are Dark Web Search Engines – How to Find Them?

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Tor Network Hit By a Series of Ongoing DDoS Attacks

By Deeba Ahmed
The recovery tool is available on GitHub for free.
This is a post from HackRead.com Read the original post: CISA Offers Recovery Tool for ESXiArgs Ransomware Victims

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a new tool to help victims of ESXiArgs ransomware. It has been dubbed SXiArgs-Recover.

According to CISA, SXiArgs-Recover is an open-source tool designed to help ransomware attack victims recover virtually any VMs (VMware virtual machines) that have been impacted by the currently active attack campaign involving the use of **ESXiArgs ransomware**. CISA noted that some organizations had used this tool to recover files without paying a ransom.

Alleged ESXiArgs Ransomware ransom note

CISA has developed this **tool** entirely using publicly available resources, such as a tutorial by Enes Sonmez and Ahmet Aykac. It does the job by reconstructing VM metadata from virtual disks that the malware didn’t encrypt. In its **technical advisory**, the agency stated that,

> “Any organization seeking to use CISA’s ESXiArgs recovery script should carefully review it to determine if it is appropriate for their environment before deploying it. This script does not seek to delete the encrypted config files, but instead seeks to create new config files that enable access to the VMs.”
> 
> CISA

**Ransomware Attack Details**

We reported earlier that threat actors are exploiting a high-severity ESXi remote code execution vulnerability, which VMware had patched back in 2021. The vulnerability was tracked as CVE-2021-21974 and is now being used to deploy file-encrypting malware targeting VMs.

This legacy bug allows attackers to perform remote code execution on ESXi hypervisors by initiating a heap-overflow issue in OpenSLP. Cybercriminals are threatening to leak the stolen data, but there hasn’t been any leak.

**Ransomwhere** is a ransomware payment tracker, according to which the number of victims targeted in this new attack wave is 3800, and four payments have been made worth a total amount of $88,000.

**VMware’s Response**

**According to VMware**, only unpatched and out-of-date products are targeted with known vulnerabilities like this; therefore, the company advised its customers to upgrade to the latest vSphere components.

It has also recommended that users disable the OpenSLP service in ESXi. It is worth noting that the ESXiArgs malware has not yet been linked to any known ransomware group, but the malware could be derived from the **Babuk** source code leaked in 2021.

1.  **Decryptor key for Sodinokibi, REvil ransomware**
2.  **Decrypt data from Hakbit & Jigsaw ransomware**
3.  **List of Proxy IPs Exposed to Block Killnet’s DDoS Bots**

CISA Offers Recovery Tool for ESXiArgs Ransomware Victims

### Workarounds
* forbid request genesis through network request
* forbid requesting duplicate data  through network request



**Nervos CKB vulnerable to low-resource flood DDoS attacks through network message**

Low severity GitHub Reviewed Published Feb 8, 2023 in nervosnetwork/ckb • Updated Feb 8, 2023

GHSA-p2gm-ffr3-w2xw: Nervos CKB vulnerable to low-resource flood DDoS attacks through network message

By Waqas
Kallnet is a pro-Russian group known for targeting hospitals and other critical infrastructure in countries unfriendly to Russia.
This is a post from HackRead.com Read the original post: List of Proxy IPs Exposed to Block Killnet’s DDoS Bots

A list of proxy IPs used by Killnet and other network spamming gangs to target unsuspecting users means it is now possible to prevent the attack to some degree.

Killnet is a hacker group that has openly supported the Russian invasion of Ukraine. Although many other groups are siding with Russia in the ongoing conflict, Killnet is definitely one of the most prominent ones.

The U.S. government has warned about an expected increase in Killnet’s network flooding attacks using DDoS bots against health clinics and hospitals. The warning comes after Killnet claimed responsibility for attacks against fourteen US hospitals’ websites, forcing them to go offline in late January of 2023.

The impacted facilities include the University of Michigan Hospitals and Health Centers, Stanford Hospital, Duke University, and Cedars-Sinai. Other targets of Killnet’s DDoS attacks include the FBI (allegedly), the European Parliament, businesses in the United Kingdom, Lockheed Martin (allegedly), the Lithuanian government, and more.

SecurityScorecard’s threat researchers have created and released online a list of proxy IPs used by Killnet and other network spamming gangs to target unsuspecting users. It is now possible to prevent the attack to some degree.

The Killnet blocklist is available on GitHub and has around 17,746 IP addresses listed. According to the threat analysis firm, SecurityScoreCard, companies can improve their security measures against DDoS bots through this list.

“To help organizations better protect themselves, SecurityScorecard has published a list of proxy IPs to help block the Killnet DDoS bot,” the company stated in its **blog post**.

The hacker group’s open proxy IP blocklist currently contains tens of thousands of proxy IP addresses that Russian hacktivists use in their network traffic flooding attacks. According to the FBI, the group’s DDoS attacks are actually publicity gimmicks that have gained limited success.

The group mainly relies on Telegram for its operations, and its Telegram channel has over 92,000 followers. Though their DDoS attacks usually don’t cause significant damage, they may disrupt services for hours or knock websites offline. This could affect healthcare organizations and their millions of patients, since bots can flood network traffic, preventing doctors and patients from sending or receiving health-related information online.

Moreover, patients may not be able to schedule appointments. Nevertheless, you can check the full blocklist of proxy IPs here.

1.  **Decryptor key for Sodinokibi, REvil ransomware**
2.  **Decrypt data from Hakbit & Jigsaw ransomware**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

List of Proxy IPs Exposed to Block Killnet’s DDoS Bots

Security teams can use a blocklist containing tens of thousands of proxy IP addresses used by the pro-Russian hacktivist group to defend their organizations from DDoS attacks.

SecurityScorecard has pulled together a list of proxy IP addresses used by KillNet to launch distributed denial-of-service attacks (DDoS) against various entities around the world over the past year.

KillNet has taken responsibility for DDoS attacks against US-based hospitals and airports, as well as financial and government organizations in Germany. The pro-Russian group is targeting countries supporting Ukraine, especially NATO countries.

In a DDoS attack, the attack group cause thousands of connection requests and packets to be sent to the targeted entity's server or website per minute. The attack is made possible by bots – compromised systems that are being harnessed by the attack group. The sheer volume and size of these requests and packets can slow down the targeted system or even overwhelm it to the point where it is no longer available.

In January, KillNet's attacks took websites for 14 hospitals offline; affected organizations included University of Michigan Hospitals and Health Centers, Stanford Hospital, Duke University, and Cedars-Sinai. Knocking websites offline for days or disrupting network connectivity can interfere with patient care: Patients may be prevented from scheduling appointments and doctors may be unable to send and receive health information online. Both the US Department of Health and Human Services (HHS) and the American Hospital Association released warnings that KillNet posed a threat to healthcare organizations.

"While KillNet’s DDoS attacks usually do not cause major damage, they can cause service outages lasting several hours or even days," AHA said.

SecurityScorecard's blocklist, which lists tens of thousands of proxy IP addresses used by the hacktivists in previous DDoS attacks, can be particularly helpful for defenders at healthcare organizations. Security teams can use the list, which is regularly updated by SecurityScorecard's team of researchers, and deploy firewall rules to block malicious traffic from even entering the network. The list can also support network monitoring and investigations to identify and track attacker activities.

Right now, it is just DDoS attacks, but there is also the worry that other criminal groups – such as ransomware gangs – sharing KillNet's political views will join in to target these organizations.

"It is likely that pro-Russian ransomware groups or operators, such as those from the defunct Conti group, will heed KillNet's call and provide support," HHS warned. "This likely will result in entities KillNet targeted also being hit with ransomware or DDoS attacks as a means of extortion, a tactic several ransomware groups have used."

Cloudflare's analysis shows an increase in DDoS activity against healthcare organizations and that there may already be multiple threat actors acting on behalf of KillNet.

"The attacks observed by the Cloudflare global network do not show a clear indication that they are originating from a single botnet and the attack methods and sources seem to vary," Cloudflare said last week. "This could indicate the involvement of multiple threat actors acting on behalf of Killnet, or it could indicate a more sophisticated, coordinated attack."

Keeping KillNet at Bay: Use the IP Address Blocklist

By Waqas
The infamous encrypted messenger service, Exclu, was hacked by Dutch police to spy on criminal gangs for over five months.
This is a post from HackRead.com Read the original post: Major Cybercrime Crackdown: Encrypted Messenger Exclu Seized

So far, authorities have arrested 48 people in connection with Exclu, discovered two drug labs and a cocaine-processing facility, and confiscated $4.3 million, several kilograms of drugs, and luxury items.

European law-enforcement authorities have seized Exclu, an encrypted communication service that cybercriminals used as their primary channel to carry out organized crime, mainly trading drugs.

**According to** authorities, 48 people have been arrested so far in connection with the service and seizure of guns, drugs, and millions in cash. Reportedly, police raided 79 locations in the Netherlands, Germany, and Belgium on Friday. The arrested individuals were operators, administrators, and users of Exclu.

The investigation into the encrypted communication service, identified as Exclu Messenger Service, was started in September 2020. Their probe revealed that Exclu was offered as a smartphone app and came with a 6-month license, costing around 800 euros or $860. The service had 3,000 users, of which around 750 were based in the Netherlands.

“Exclu made it possible to exchange messages, photos, notes, voice memos, chat conversations, and videos with other users,” Dutch police **revealed**. The service was popular among criminals for its high level of security.

After starting their investigation into the Exclu secret communication service, authorities hacked the platform and accessed the messages passed between criminal gangs for five months before carrying out the raids.

Dutch, French, Italian, and Swedish police participated in this investigation, which was supervised by Eurojust and Europol. At least two drug labs, a cocaine-processing facility, four million euros (or $4.3 million), several kilograms of drugs, and luxury goods were confiscated from the suspects.

> 👏👏 Another criminal #cryptoservice dismantled thanks to int'l police cooperation: #Exclu!
> 
> 👮 Europol provided key support from the early stages, including a dedicated investigative task force, secure information exchange & coordination of operational cross-border activities. https://t.co/C1LRVl7dnw
> 
> — Europol (@Europol) February 3, 2023

Exclu isn’t the only encrypted online chat platform shut down by law enforcement. **Back in June 2020**, encrypted communication provider EncroChat was forced to cease operations after suffering a malware attack.

In July 2020, however, authorities **dismantled the entire infrastructure of EncroChat** and arrested over 800 individuals, including some prominent crime figures, by using information acquired through EncroChat.

1.  **Europol Busts Crypto Fraud Call Centers**
2.  **DoubleVPN’s servers used by ransomware seized**
3.  **48 DDoS-hiring Sites Busted by FBI in Major Sweep**
4.  **iSpoof seized; UK’s largest bank call scam disrupted**
5.  **Online piracy hacker network Sparks Group dismantled**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Major Cybercrime Crackdown: Encrypted Messenger Exclu Seized

By Waqas
The leaked data apparently belongs to Convex, the leading Russian internet provider.
This is a post from HackRead.com Read the original post: Anonymous Leaks 128 GB of Data from Russian ISP Convex

Caxxii, an affiliate of Anonymous hacktivists, has released 128 GB of documents revealing the Russian government’s illegal surveillance tactics to spy on its citizens.

The hacktivist group **Anonymous** released 128 gigabytes of data from Convex, the leading Russian internet provider, detailing the Kremlin’s alleged illegal monitoring of its citizens across the country.

Such surveillance activities are classified as unauthorized wiretapping, espionage, and warrantless surveillance of civilians, which are against the country’s laws.

In 2015, in **Zakharov v. Russia**, the European Court of Human Rights warned that the laws governing the country’s System for Operative Investigative Activities surveillance system didn’t offer sufficient and impactful guarantees against arbitrariness and abuse of any secret surveillance system, urging Kremlin to circumvent the legal authorization requirements.

The passage of the **Yarovaya Law in 2016** allowed authorities to obtain communication information without needing a court order.

**What Data was Dumped?**

The alleged data reveals how the **Russian government** apparently spies on its citizens’ internet and phone usage, and exclusive details of the yet-undisclosed Green Atom surveillance program, which Anonymous claims. was operated by Russia’s Federal Security Service.

The data also contains records of thousands of Russian citizens who were customers of Russian corporations targeted by this program.

As per Anonymous, the Green Atom data provide evidence of the extent to which the Russian government abuses its legal structures, as Convex virtually captured the entire data. Anonymous also noted that they had more unreleased information on FSB’s intelligence-collecting activities.

**What is Green Atom Surveillance Program?**

In their **Twitter post**, Anonymous stated that the data was stolen from Convex, which led to the revelation that the company had been running a project named Green Atom involving installing and maintaining surveillance equipment for monitoring **Russian citizens** and private corporations’ online activities.

Through the Green Atom program, the government could perform wide-ranging surveillance activities, using the equipment from Convex to monitor their incoming and outgoing traffic.

At the time of publishing this article, the data was available on the official website of DDoSecrets.

**Anonymous – Russia and Ukraine Conflict**

The Ukraine-Russia conflict has reached a new level with Anonymous cyber attacks on Russian networks. Anonymous, the international hacktivist group that works to fight censorship and corruption, has so far claimed responsibility for several cyber and social engineering attacks against the Russian government and the private sector.

Some of the collective’s attacks include hacking the Yandex taxi app **(1)**, Payment processor Qiwi **(2)**, Ministry of Culture **(3)**, State-Run Broadcaster **(4)**, Central Bank of Russia **(5)**, unsecured printers **(6)**, security cameras **(7)**, media censoring agency Roskomnadzor **(8)**, 90% of Russian misconfigured databases **(9)**, TV transmissions **(10)**, Electic vehicle charging station **(11)** and more.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Anonymous Leaks 128 GB of Data from Russian ISP Convex

Julius "Zeekill" Kivimäki, a 25-year-old Finnish man charged with extorting a local online psychotherapy practice and leaking therapy notes for more than 22,000 patients online, was arrested this week in France. A notorious hacker convicted of perpetrating tens of thousands of cybercrimes, Kivimäki had been in hiding since October 2022, when he failed to show up in court and Finland issued an international warrant for his arrest.

**Julius “Zeekill” Kivimäki,** a 25-year-old Finnish man charged with extorting a local online psychotherapy practice and leaking therapy notes for more than 22,000 patients online, was arrested this week in France. A notorious hacker convicted of perpetrating tens of thousands of cybercrimes, Kivimäki had been in hiding since October 2022, when he failed to show up in court and Finland issued an international warrant for his arrest.

In late October 2022, Kivimäki was charged (and “arrested in absentia,” according to the Finns) with attempting to extort money from the **Vastaamo Psychotherapy Center**. In that breach, which occurred in October 2020, a hacker using the handle “Ransom Man” threatened to publish patient psychotherapy notes if Vastaamo did not pay a six-figure ransom demand.

Vastaamo refused, so Ransom Man shifted to extorting individual patients — sending them targeted emails threatening to publish their therapy notes unless paid a 500-euro ransom.

When Ransom Man found little success extorting patients directly, they uploaded to the dark web a large compressed file containing all of the stolen Vastaamo patient records.

But as documented by KrebsOnSecurity in November 2022, security experts soon discovered Ransom Man had mistakenly included an entire copy of their home folder, where investigators found many clues pointing to Kivimäki’s involvement. From that story:

“Among those who grabbed a copy of the database was **Antti Kurittu**, a team lead at **Nixu Corporation** and a former criminal investigator. In 2013, Kurittu worked on an investigation involving Kivimäki’s use of the Zbot botnet, among other activities Kivimäki engaged in as a member of the hacker group Hack the Planet (HTP).”

“It was a huge opsec \[operational security\] fail, because they had a lot of stuff in there — including the user’s private SSH folder, and a lot of known hosts that we could take a very good look at,” Kurittu told KrebsOnSecurity, declining to discuss specifics of the evidence investigators seized. “There were also other projects and databases.”

According to the French news site actu.fr, Kivimäki was arrested around 7 a.m. on Feb. 3, after authorities in Courbevoie responded to a domestic violence report. Kivimäki had been out earlier with a woman at a local nightclub, and later the two returned to her home but reportedly got into a heated argument.

Police responding to the scene were admitted by another woman — possibly a roommate — and found the man inside still sleeping off a long night. When they roused him and asked for identification, the 6′ 3″ blonde, green-eyed man presented an ID that stated he was of Romanian nationality.

The French police were doubtful. After consulting records on most-wanted criminals, they quickly identified the man as Kivimäki and took him into custody.

Kivimäki initially gained notoriety as a self-professed member of the Lizard Squad, a mainly low-skilled hacker group that specialized in DDoS attacks. But American and Finnish investigators say Kivimäki’s involvement in cybercrime dates back to at least 2008, when he was introduced to a founding member of what would soon become HTP.

Finnish police said Kivimäki also used the nicknames “Ryan”, “RyanC” and “Ryan Cleary” (Ryan Cleary was actually a member of a rival hacker group — LulzSec — who was sentenced to prison for hacking).

Kivimaki and other HTP members were involved in mass-compromising web servers using known vulnerabilities, and by 2012 Kivimäki’s alias Ryan Cleary was selling access to those servers in the form of a DDoS-for-hire service. Kivimäki was 15 years old at the time.

The DDoS-for-hire service allegedly operated by Kivimäki in 2012.

In 2013, investigators going through devices seized from Kivimäki found computer code that had been used to crack more than 60,000 web servers using a previously unknown vulnerability in **Adobe’s ColdFusion** software.

KrebsOnSecurity detailed the work of HTP in September 2013, after the group compromised servers inside data brokers LexisNexis, Kroll, and Dun & Bradstreet.

The group used the same ColdFusion flaws to break into the National White Collar Crime Center (NWC3), a non-profit that provides research and investigative support to the **U.S. Federal Bureau of Investigation** (FBI).

As KrebsOnSecurity reported at the time, this small ColdFusion botnet of data broker servers was being controlled by the same cybercriminals who’d assumed control over **ssndob\[.\]ms**, which operated one of the underground’s most reliable services for obtaining Social Security Number, dates of birth and credit file information on U.S. residents.

Multiple law enforcement sources told KrebsOnSecurity that Kivimäki was responsible for making an August 2014 bomb threat against former **Sony Online Entertainment President John Smedley** that grounded an American Airlines plane. That incident was widely reported to have started with a tweet from the Lizard Squad, but Smedley and others said it started with a call from Kivimäki.

Kivimäki also was involved in calling in multiple fake bomb threats and “swatting” incidents — reporting fake hostage situations at an address to prompt a heavily armed police response to that location.

Kivimäki’s apparent indifference to hiding his tracks drew the interest of Finnish and American cybercrime investigators, and soon Finnish prosecutors charged him with an array of cybercrime violations. At trial, prosecutors presented evidence showing he’d used stolen credit cards to buy luxury goods and shop vouchers, and participated in a money laundering scheme that he used to fund a trip to Mexico.

Kivimäki was ultimately convicted of orchestrating more than 50,000 cybercrimes. But largely because he was still a minor at the time (17) , he was given a 2-year suspended sentence and ordered to forfeit EUR 6,558.

As I wrote in 2015 following Kivimäki’s trial:

> “The danger in such a decision is that it emboldens young malicious hackers by reinforcing the already popular notion that there are no consequences for cybercrimes committed by individuals under the age of 18.
> 
> Kivimäki is now crowing about the sentence; He’s changed the description on his Twitter profile to “Untouchable hacker god.” The Twitter account for the Lizard Squad tweeted the news of Kivimäki’s non-sentencing triumphantly: “All the people that said we would rot in prison don’t want to comprehend what we’ve been saying since the beginning, we have free passes.”

Something tells me Kivimäki won’t get off so easily this time, assuming he is successfully extradited back to Finland. A statement by the Finnish police says they are seeking Kivimäki’s extradition and that they expect the process to go smoothly.

Kivimäki could not be reached for comment. But he has been discussing his case on Reddit using his legal first name — **Aleksanteri** (he stopped using his middle name Julius when he moved abroad several years ago). In a post dated Jan. 31, 2022, Kivimäki responded to another Finnish-speaking Reddit user who said they were a fugitive from justice.

“Same thing,” Kivimäki replied. “Shall we start some kind of club? A support organization for wanted persons?”

Finland’s Most-Wanted Hacker Nabbed in France

By Deeba Ahmed
Although a fix is available to patch vulnerabilities, the EV industry is slow in applying the updates.
This is a post from HackRead.com Read the original post: EV Charging Stations at Risk of DoS Attacks

Threat actors can remotely carry out DDoS and DoS attacks on vulnerable Electric Vehicle (EV) Charge Points (CPs) to cause service outages and access sensitive and personal information of customers.

According to recent studies, 5.8 percent of all vehicles sold in 2022 were electric. This is a big number considering how new the technology is. However, hackers are also keeping eye on these developments and any potential vulnerability related to electric vehicles or their charging stations can create havoc.

As per the Israeli EV infrastructure provider SaiFlow, cybercriminals can abuse **Electric Vehicle (EV) Charge Point (CP**) to prompt service disruption. According to their findings, threat actors can exploit different versions of OCPP (Open Charge Point Protocol), which use WebSocket communications.

Researchers Lionel Richard Saposnik, SaiFlow’s research VP, and Doron Porat, software engineer at the company, wrote that their discovered attack method is a combination of two new vulnerabilities found in the OCPP standard. The exploitation would allow hackers to shut down EV charging stations remotely.

Moreover, they can manipulate docking stations to recharge EVs for free. Multiple vendors have confirmed the flaws. The hacker must obtain the charger’s identity first and then obtain information about the CMSM platform to which the charger is connected.

**What Causes the Issue?**

The security flaws are related to the communication between the CSMS (charging system management service) and the EV charge point (CP), particularly with the OCPP. EV chargers are connected to a management system platform, which is available on the Cloud platform, and lets operators track the stability of the infrastructure, energy management, handling billing, and EV charge requests.

Basically, the protocol doesn’t understand how to handle more than one CP connection, and attackers abuse this by opening a new connection to the CSMS. When the attacker opens a new connection to the CSMS on behalf of the charge point, the attacker can force the original connection to be closed or dysfunctional. The other issue is related to weak OCPP authentication and chargers’ identities policy. 

**Potential Threats**

According to SaiFlow’s **blog post**, when the embedded vulnerability is exploited using the OCPP protocol, a hacker can hijack the connection between the charger and the management platform. When this access is acquired, the hacker can shut down the entire group of chargers using the protocol, whether installed at a highway gas station or at home.

Using other identifiers, they can steal energy from the chargers and access the vehicle’s surrounding components, such as battery management systems, smart meters, other energy managers, and even distributed energy resources.

SaiFlow’s CEO Ron Tiberg-Shachar revealed that when an attacker exploits the two flaws, they can launch a **DoS attack** to disrupt or disconnect a single charger and access sensitive information like server credentials or payment card data. Or, they can execute a **DDoS attack** and take down/disconnect all chargers connected to that network. The flaw affects OCPP 1.6J.

He further noted that although a fix is available, the EV industry is slow at applying the updates. SaiFlow is working with some leading EV charger providers to address the issue.

1.  UK Experimenting with Roads that Wirelessly Charge EVs
2.  Brokenwire Attack Disrupts Electric Vehicles from Charging
3.  Gone in Seconds: Hackers Steal Mercedes Car without Key
4.  Internet-connected cars can be hacked to gridlock major cities
5.  Anonymous hacks EV charging station with pro-Ukraine slogan

EV Charging Stations at Risk of DoS Attacks

Two new security weaknesses discovered in several electric vehicle (EV) charging systems could be exploited to remotely shut down charging stations and even expose them to data and energy theft.
The findings, which come from Israel-based SaiFlow, once again demonstrate the potential risks facing the EV charging infrastructure.
The issues have been identified in version 1.6J of the Open Charge

Automotive Security / Vulnerability

Two new security weaknesses discovered in several electric vehicle (EV) charging systems could be exploited to remotely shut down charging stations and even expose them to data and energy theft.

The findings, which come from Israel-based SaiFlow, once again demonstrate the potential risks facing the EV charging infrastructure.

The issues have been identified in version 1.6J of the Open Charge Point Protocol (OCPP) standard that uses WebSockets for communication between EV charging stations and the Charging Station Management System (CSMS) providers. The current version of OCPP is 2.0.1.

"The OCPP standard doesn't define how a CSMS should accept new connections from a charge point when there is already an active connection," SaiFlow researchers Lionel Richard Saposnik and Doron Porat said.

"The lack of a clear guideline for multiple active connections can be exploited by attackers to disrupt and hijack the connection between the charge point and the CSMS."

This also means that a cyber attacker could spoof a connection from a valid charger to its CSMS provider when it's already connected, effectively leading to either of the two scenarios:

*   A denial-of-service (DoS) condition that arises when the CSMS provider closes the original the WebSocket connection when a new connection is established

*   Information theft that stems from keeping the two connections alive but returning responses to the "new" rogue connection, permitting the adversary to access the driver's personal data, credit card details, and CSMS credentials.

The forging is made possible owing to the fact that CSMS providers are configured to solely rely on the charging point identity for authentication.

"Combining the mishandling of new connections with the weak OCPP authentication and chargers identities policy could lead to a vast Distributed DoS (DDoS) attack on the \[Electric Vehicle Supply Equipment\] network," the researchers said.

OCPP 2.0.1 remediates the weak authentication policy by requiring charging point credentials, thereby closing out the loophole. That said, mitigations for when there are more than one connection from a single charging point should necessitate validating the connections by sending a ping or a heartbeat request, SaiFlow noted.

"If one of the connections is not responsive, the CSMS should eliminate it," the researchers explained. "If both connections are responsive, the operator should be able to eliminate the malicious connection directly or via a CSMS-integrated cybersecurity module."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#ddos