Microsoft on Thursday flagged a cross-platform botnet that's primarily designed to launch distributed denial-of-service (DDoS) attacks against private Minecraft servers.
Called MCCrash, the botnet is characterized by a unique spreading mechanism that allows it to propagate to Linux-based devices despite originating from malicious software downloads on Windows hosts.
"The botnet spreads by

Microsoft on Thursday flagged a cross-platform botnet that's primarily designed to launch distributed denial-of-service (DDoS) attacks against private Minecraft servers.

Called **MCCrash**, the botnet is characterized by a unique spreading mechanism that allows it to propagate to Linux-based devices despite originating from malicious software downloads on Windows hosts.

"The botnet spreads by enumerating default credentials on internet-exposed Secure Shell (SSH)-enabled devices," the company said in a report. "Because IoT devices are commonly enabled for remote configuration with potentially insecure settings, these devices could be at risk to attacks like this botnet."

This also means that the malware could persist on IoT devices even after removing it from the infected source PC. The tech giant's cybersecurity division is tracking the activity cluster under its emerging moniker DEV-1028.

A majority of the infections have been reported in Russia, and to a lesser extent in Kazakhstan, Uzbekistan, Ukraine, Belarus, Czechia, Italy, India, and Indonesia. The company did not disclose the exact scale of the campaign.

The initial infection point for the botnet is a pool of machines that have been compromised through the installation of cracking tools that claim to provide illegal Windows licenses.

The software subsequently acts as a conduit to execute a Python payload that contains the core features of the botnet, including scanning for SSH-enabled Linux devices to launch a dictionary attack.

Upon breaching a Linux host using the propagation method, the same Python payload is deployed to run DDoS commands, one of which is specifically set up to crash Minecraft servers ("ATTACK\_MCCRASH").

Microsoft described the method as "highly efficient," noting it's likely offered as a service on underground forums.

"This type of threat stresses the importance of ensuring that organizations manage, keep up to date, and monitor not just traditional endpoints but also IoT devices that are often less secure," researchers David Atch, Maayan Shaul, Mae Dotan, Yuval Gordon, and Ross Bevington said.

The findings come days after Fortinet FortiGuard Labs revealed details of a new botnet dubbed GoTrim, which has been observed brute-forcing self-hosted WordPress websites.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Minecraft Servers Under Attack: Microsoft Warns About Cross-Platform DDoS Botnet

Sweeping operation took down around 50 popular DDoS platforms, just one of which was used in 30M attacks, Europol says.

About 50 of the most popular platforms available for hire to launch distributed denial-of-service (DDoS) attacks against critical Internet infrastructure have been shut down, their operators arrested in a massive international law enforcement crackdown called Operation Power Off.

Europol, along with law enforcement from the UK, US, the Netherlands, Poland, and Germany participated in the takedown targeting DDoS-for-hire services, also called "booter services."

Seven administrators have been arrested, according to Europol's announcement, adding that just one of the services shut down by Operation Power Off was responsible for more than 30 million DDoS attacks.

"DDoS booter services have effectively lowered the entry barrier into cybercrime: for a fee as low as EUR 10, any low-skilled individual can launch DDoS attacks with the click of a button, knocking offline whole websites and networks by barraging them with traffic," Europol's announcement of the success of Operation Power Off said. "The damage they can do to victims can be considerable, crippling businesses financially and depriving people of essential services offered by banks, government institutions and police forces."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

DDoS Attack Platforms Shut Down in Global Law Enforcement Operation

By Waqas
Authorities have also arrested six individuals accused of running DDoS-for-hire services.
This is a post from HackRead.com Read the original post: 48 DDoS-hiring Services Busted by FBI in Major Sweep

The seizure is a part of a coordinated operation dubbed Operation PowerOFF conducted in collaboration with the UK, Europol, and the Netherlands.

On Wednesday, December 14th, the US Department of Justice (DoJ) announced seizing 48 domains and charging six suspects for being involved in Stresser, aka **Booter services**.

These services offered malicious actors a platform to carry out DDoS attacks (distributed denial of service attacks).

The seizure is a part of a coordinated operation dubbed Operation PowerOFF conducted in collaboration with the UK, Europol, and the Netherlands. The operation is targeted against globally active DDoS-for-hire infrastructure.

**Seized Domains Details**

According to the DoJ, the Federal Bureau of Investigation (FBI) seized 48 domains offering to conduct **DDoS for hire services** on behalf of other cybercriminals in exchange for payment in cryptocurrency.

The seized websites reportedly claimed to offer the service of testing the resilience of web infrastructure but actually offered DDoS for hire services. The platforms had targeted victims worldwide, including in the USA. Their key targets were government agencies, educational institutions, and gaming platforms.

*   Bootersx
*   IPStressercom
*   SecurityTeamio
*   Astrostresscom
*   RoyalStressercom
*   TrueSecurityServicesio

According to the DoJ’s **press release**, millions of users were targeted via these platforms. Just on one platform (IPStressercom), over a million registered users carried out at least 30 million **DDoS attacks** between 2014-2022.

Seizure notice on the sites taken over by authorities (Image: Hackread.com)

**What are Booter Platforms?**

Booters are digital platforms that threat actors can carry out **DDoS attacks against IoT devices** and websites after paying a fee to boot off their target from the internet.

Further, users of these platforms can seek help in launching **powerful DDoS attacks** and flooding the targeted networks/computers with information so that the system stops functioning and has to go offline.

**According to** the FBI, “established booter/stresser services” provide an easy platform to threat actors for conducting DDoS attacks and “obscure attribution of DDoS activity.”

**Who are the Suspects?**

Along with seizing the domains, the FBI has charged six individuals suspected of involvement in operating the seized platforms. The charged suspects include the following:

*   Joshua Laing (32)
*   John M. Dobbs (32)
*   Shamar Shattock (19)
*   Cory Anthony Palmer (22)
*   Angel Manuel Colon Jr. (37)
*   Jeremiah Sam Evans Miller (23)

The defendants are charged with running stresser services and violating the computer fraud and abuse act.

**DDoS attacks – A Growing Concern**

DDoS attacks are a growing concern among businesses and organizations around the world. These malicious cyber attacks involve flooding an organization’s network with large amounts of traffic, making it difficult or impossible for legitimate users to access the services they need.

While DDoS attacks can be difficult to prevent, there are several steps organizations can take to protect themselves against such threats. The first step is to ensure that all software and applications used by the organization are updated regularly with the latest security patches.

Organizations should also consider investing in firewalls and other security solutions that can detect and **block DDoS attacks** before they have a chance to affect operations. Additionally, having security protocols in place for authenticating user accounts is important in order to ensure that malicious actors cannot gain unauthorized access.

1.  **Teen hires attacker to DDoS his school district**
2.  **Authorities seize 15 popular DDoS-for-hire websites**
3.  **World’s largest DDoS-for-hire service & seize its domain**
4.  **Dutch Police Seizes 15 DDoS-for-hire services in one week**
5.  **No prison for the crook duo behind vDOS DDoS for hire service**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

48 DDoS-hiring Services Busted by FBI in Major Sweep

The U.S. Department of Justice (DoJ) on Wednesday announced the seizure of 48 domains that offered services to conduct distributed denial-of-service (DDoS) attacks on behalf of other threat actors, effectively lowering the barrier to entry for malicious activity.
It also charged six suspects – Jeremiah Sam Evans Miller (23), Angel Manuel Colon Jr. (37), Shamar Shattock (19), Cory Anthony Palmer

Cyber Attack / DDoS-for-Hire

The U.S. Department of Justice (DoJ) on Wednesday announced the seizure of 48 domains that offered services to conduct distributed denial-of-service (DDoS) attacks on behalf of other threat actors, effectively lowering the barrier to entry for malicious activity.

It also charged six suspects – Jeremiah Sam Evans Miller (23), Angel Manuel Colon Jr. (37), Shamar Shattock (19), Cory Anthony Palmer (22), John M. Dobbs (32), and Joshua Laing (32) – for their alleged ownership in the operation.

The websites "allowed paying users to launch powerful distributed denial-of-service, or DDoS, attacks that flood targeted computers with information and prevent them from being able to access the internet," the DoJ said in a press statement.

The six defendants have been charged with various running booter (or stresser) services, including RoyalStresser\[.\]com, SecurityTeam\[.\]io, Astrostress\[.\]com, Booter\[.\]sx, IPStresser\[.\]com, and TrueSecurityServices\[.\]io. They have also been accused of violating the computer fraud and abuse act.

These websites, although claiming to provide testing services to assess the resilience of a paying customer's web infrastructure, are believed to have targeted several victims in the U.S. and elsewhere, such as educational institutions, government agencies, and gaming platforms.

The DoJ noted that millions of individuals were attacked using the DDoS-for-hire platforms. According to court documents, over one million registered users of IPStresser\[.\]com conducted or attempted to carry out more than 30 million DDoS attacks between 2014 and 2022.

An analysis of communications between the booter site administrators and their customers undertaken by the U.S. Federal Bureau of Investigation (FBI) shows that the services are obtained through a cryptocurrency payment.

"Established booter and stresser services offer a convenient means for malicious actors to conduct DDoS attacks by allowing such actors to pay for an existing network of infected devices, rather than creating their own," the FBI said. "Booter and stresser services may also obscure attribution of DDoS activity."

The development comes four years after the DoJ and FBI took similar steps in December 2018 to seize 15 domains that advertised computer attack platforms like Critical-boot\[.\]com, RageBooter\[.\]com, downthem\[.\]org, quantumstress\[.\]net, Booter\[.\]ninja, and Vbooter\[.\]org.

The domain takedowns are part of an ongoing coordinated law enforcement effort codenamed Operation PowerOFF in collaboration with the U.K., the Netherlands, and Europol aimed at dismantling criminal DDoS-for-hire infrastructures worldwide.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

FBI Charges 6, Seizes 48 Domains Linked to DDoS-for-Hire Service Platforms

The U.S. Department of Justice (DOJ) today seized four-dozen domains that sold “booter” or “stresser” services — businesses that make it easy and cheap for even non-technical users to launch powerful Distributed Denial of Service (DDoS) attacks designed knock targets offline. The DOJ also charged six U.S. men with computer crimes related to their alleged ownership of the popular DDoS-for-hire services.

The **U.S. Department of Justice** (DOJ) today seized four-dozen domains that sold “booter” or “stresser” services — businesses that make it easy and cheap for even non-technical users to launch powerful Distributed Denial of Service (DDoS) attacks designed knock targets offline. The DOJ also charged six U.S. men with computer crimes related to their alleged ownership of the popular DDoS-for-hire services.

The booter service OrphicSecurityTeam\[.\]com was one of the 48 DDoS-for-hire domains seized by the Justice Department this week.

The DOJ said the 48 domains it seized helped paying customers launch millions of digital sieges capable of knocking Web sites and even entire network providers offline.

Booter services are advertised through a variety of methods, including Dark Web forums, chat platforms and even youtube.com. They accept payment via PayPal, Google Wallet, and/or cryptocurrencies, and subscriptions can range in price from just a few dollars to several hundred per month. The services are generally priced according to the volume of traffic to be hurled at the target, the duration of each attack, and the number of concurrent attacks allowed.

Prosecutors in Los Angeles say the booter sites **supremesecurityteam\[.\]com** and **royalstresser\[.\]com** were the brainchild of **Jeremiah Sam Evans Miller**, a.k.a. “John the Dev,” a 23-year-old from San Antonio, Texas. Miller was charged this week with conspiracy and violations of the Computer Fraud and Abuse Act (CFAA). The complaint against Miller alleges Royalstresser launched nearly 200,000 DDoS attacks between November 2021 and February 2022.

Defendant **Angel Manuel Colon Jr.**, a.k.a Anonghost720 and Anonghost1337, is a 37-year-old from Belleview, Fla. Colon is suspected of running the booter service **securityteam\[.\]io**. He was also charged with conspiracy and CFAA violations. The feds say the SecurityTeam stresser service conducted 1.3 million attacks between 2018 and 2022, and attracted some 50,000 registered users.

Charged with conspiracy were **Corey Anthony Palmer**, 22, of Lauderhill, Fla, for his alleged ownership of **booter\[.\]sx**; and **Shamar Shattock**, 19, of Margate, Fla., for allegedly operating the booter service **astrostress\[.\]com**, which had more than 30,000 users and blasted out some 700,000 attacks.

Two other alleged booter site operators were charged in Alaska. **John M. Dobbs**, 32, of Honolulu, HI is charged with aiding and abetting violations of the CFAA related to the operation of **IPStresser\[.\]com**, which he allegedly ran for nearly 13 years until last month. During that time, IPstresser _launched approximately 30 million DDoS attacks_ and garnered more than two million registered users.

**Joshua Laing**, 32, of Liverpool, NY, also was charged with CFAA infractions tied to his alleged ownership of the booter service **TrueSecurityServices\[.\]io**, which prosecutors say had 18,000 users and conducted over 1.2 million attacks between 2018 and 2022.

Purveyors of stressers and booters claim they are not responsible for how customers use their services, and that they aren’t breaking the law because — like most security tools — stresser services can be used for good or bad purposes. For example, all of the above-mentioned booter sites contained wordy “terms of use” agreements that required customers to agree they will only stress-test their own networks — and that they won’t use the service to attack others.

Dobbs, the alleged administrator of IPStresser, gave an interview to ZDNet France in 2015, in which he asserted that he was immune from liability because his clients all had to submit a digital signature attesting that they wouldn’t use the site for illegal purposes.

“Our terms of use are a legal document that protects us, among other things, from certain legal consequences,” Dobbs told ZDNet. “Most other sites are satisfied with a simple checkbox, but we ask for a digital signature in order to imply real consent from our customers.”

But the DOJ says these disclaimers usually ignore the fact that most booter services are heavily reliant on constantly scanning the Internet to commandeer misconfigured devices that are critical for maximizing the size and impact of DDoS attacks.

“None of these sites ever required the FBI to confirm that it owned, operated, or had any property right to the computer that the FBI attacked during its testing (as would be appropriate if the attacks were for a legitimate or authorized purpose),” reads an affidavit (PDF) filed by **Elliott Peterson**, a special agent in the FBI’s Anchorage field office.

“Analysis of data related to the FBI-initiated attacks revealed that the attacks launched by the SUBJECT DOMAINS involved the extensive misuse of third-party services,” Peterson continued. “All of the tested services offered ‘amplification’ attacks, where the attack traffic is amplified through unwitting third-party servers in order to increase the overall attack size, and to shift the financial burden of generating and transmitting all of that data away from the booter site administrator(s) and onto third parties.”

According to U.S. federal prosecutors, the use of booter and stresser services to conduct attacks is punishable under both wire fraud laws and the Computer Fraud and Abuse Act (18 U.S.C. § 1030), and may result in arrest and prosecution, the seizure of computers or other electronics, as well as prison sentences and a penalty or fine.

The charges unsealed today stemmed from investigations launched by the FBI’s field offices in Los Angeles and Alaska, which spent months purchasing and testing attack services offered by the booter sites.

A similar investigation initiating from the FBI’s Alaska field office in 2018 culminated in a takedown and arrest operation that targeted 15 DDoS-for-hire sites, as well as three booter store defendants who later pleaded guilty.

The Justice Department says its trying to impress upon people that even buying attacks from DDoS-for-hire services can land Internet users in legal jeopardy.

“Whether a criminal launches an attack independently or pays a skilled contractor to carry one out, the FBI will work with victims and use the considerable tools at our disposal to identify the person or group responsible,” said **Donald Alway**, the assistant director in charge of the FBI’s Los Angeles field office.

“Potential users and administrators should think twice before buying or selling these illegal services,” said **Special Agent Antony Jung** of the FBI Anchorage field office. “The FBI and our international law enforcement partners continue to intensify efforts in combatting DDoS attacks, which will have serious consequences for offenders.”

The United Kingdom, which has been battling its fair share of domestic booter bosses, in 2020 started running online ads aimed at young people who search the Web for booter services. And in Europe, prosecutors have even gone after booter customers.

In conjunction with today’s law enforcement action, the FBI and the Netherlands Police joined authorities in the U.K. in announcing they are now running targeted placement ads to steer those searching for booter services toward a website detailing the potential legal risks of hiring an online attack.

“The purpose of the ads is to deter potential cyber criminals searching for DDoS services in the United States and around the globe, as well as to educate the public on the illegality of DDoS activities,” the DOJ said in a press release.

Here is the full list of booter site domains seized (or in the process of being seized) by the DOJ:

api-sky\[.\]xyz  
astrostress\[.\]com  
blackstresser\[.\]net  
booter\[.\]sx  
booter\[.\]vip  
bootyou\[.\]net  
brrsecurity\[.\]org  
buuter\[.\]cc  
cyberstress\[.\]us  
defconpro\[.\]net  
dragonstresser\[.\]com  
dreams-stresser\[.\]io  
exotic-booter\[.\]com  
freestresser\[.\]so  
instant-stresser\[.\]com  
ipstress\[.\]org  
ipstress\[.\]vip  
ipstresser\[.\]com  
ipstresser\[.\]us  
ipstresser\[.\]wtf  
ipstresser\[.\]xyz  
kraysec\[.\]com  
mcstorm\[.\]io  
nightmarestresser\[.\]com  
orphicsecurityteam\[.\]com  
ovhstresser\[.\]com  
quantum-stresser\[.\]net  
redstresser\[.\]cc  
royalstresser\[.\]com  
securityteam\[.\]io  
shock-stresser\[.\]com  
silentstress\[.\]net  
stresser\[.\]app  
stresser\[.\]best  
stresser\[.\]gg  
stresser\[.\]is  
stresser\[.\]net/stresser\[.\]org  
stresser\[.\]one  
stresser\[.\]shop  
stresser\[.\]so  
stresser\[.\]top  
stresserai\[.\]com  
sunstresser\[.\]com  
supremesecurityteam\[.\]com  
truesecurityservices\[.\]io  
vdos-s\[.\]co  
zerostresser\[.\]com

Six Charged in Mass Takedown of DDoS-for-Hire Sites

Akamai issued an update to resolve the flaw several months ago

Charlie Osborne 14 December 2022 at 12:01 UTC  
Updated: 14 December 2022 at 12:04 UTC

Akamai issued an update to resolve the flaw several months ago

A researcher has disclosed a technique that bypassed Akamai web application firewalls (WAF) running Spring Boot, potentially leading to remote code execution (RCE).

Akamai’s WAF, which was patched several months ago, has been designed to mitigate the risk of Distributed Denial-of-Service (DDoS) attacks and uses adaptive technologies to block known web security threats.

Security researcher Peter H, who also goes by the pseudonym ‘pmnh’, said the attack used Spring Expression Language (SpEL) injection.

The bug bounty hunter found the bypass with the assistance of Synack pentester Usman Mansha during an engagement with a private Bugcrowd program.

**Server-side template injection**

A server-side template injection (SSTI) is at the core of the bypass, a technical write-up by Peter H reveals. Vulnerable versions of Spring Boot throw up error messages in a SpEL expression with whitelabel error pages, they explained. When a vulnerable framework is used, this injection is evaluated server-side – opening a potential pathway for abuse.

Akamai’s WAF blocked the SSTI during testing. However, the team persisted in looking for ways of utilizing SpEL to invoke an operating system command – likely via Java.

RELATED JSON syntax hack allowed SQL injection payloads to be smuggled past WAFs

The most obvious route was to find a way to the class, starting with SpEL reference , but this was blocked by Akamai’s software.

“I suspected this would not work, but when trying to work around a WAF it’s really important to build up from small things that you know work, to larger and more complex payloads,” the researcher said.

The next stage was finding a reference to an arbitrary class, which Peter H said would allow “direct method invocation or reflection-based invocation to get at the method we want”.

Peter H and Mansha used a reflection method to obtain access to , built an arbitrary String with the value, accessed the method, and created another string to access – thus enabling development of a workable RCE payload.

The final payload was under 3kb and was accepted by the server as a GET request.

**Elusive entry point**

However, bypassing the WAF was by no means an easy task. Peter H noted it took approximately 500 crafted attempts and over 14 hours to find an entry point.

The researcher declined to supply a final payload in a text format to prevent blind copycats.

“In this case, deep knowledge of Java and SpEL capabilities was required to construct a payload that would both bypass the Akamai WAF as well as work in the context where it was executing,” they noted.

**Akamai response**

When approached for comment, Akamai told The Daily Swig that the bypass was only possible as the researchers used an old version of the Akamai WAF protection engine.

A patch was issued on July 25, 2022. As a result, customers running the latest engine version are not at risk of exploitation.

Read more of the latest web application firewall news

Akamai said: “Akamai is aware of the findings of a security researcher who has claimed to have bypassed Akamai’s WAF. This issue was discovered and an update was issued several months prior to this blog post being published.

“The Akamai Threat Research team is always on the lookout for new attack types and works to proactively update protections on a regular basis. Akamai recommends that all customers ensure that Adaptive Security Engine, the protection engine that powers Akamai WAF, is up to date, ideally via automatic updates.”

The Daily Swig has reached out to the researchers involved and we will update this article if and when they comment.

DON’T MISS Black Hat Europe 2022: Hacking tools showcased at annual security conference

Akamai WAF bypassed via Spring Boot to trigger RCE

API attacks are on the rise. One of their major targets is eCommerce firms like yours. 
APIs are a vital part of how eCommerce businesses are accelerating their growth in the digital world. 
ECommerce platforms use APIs at all customer touchpoints, from displaying products to handling shipping. Owing to their increased use, APIs are attractive targets for hackers, as the following numbers expose

API attacks are on the rise. One of their major targets is eCommerce firms like yours.

APIs are a vital part of how eCommerce businesses are accelerating their growth in the digital world.

ECommerce platforms use APIs at all customer touchpoints, from displaying products to handling shipping. Owing to their increased use, APIs are attractive targets for hackers, as the following numbers expose:

*   API attack traffic increased by 681% in 2021
*   77% of retail respondents experienced API security incidents in 2021– according to Noname security

If left unaddressed, API abuse can damage your reputation, harm consumers, and affect the bottom line. Hence **API security** is worthy of consideration for eCommerce stakeholders.

****Why do eCommerce companies need APIs?****

API makes it easy for retailers and eCommerce platforms to handle product listings and orders. It transformed the static website into a completely customizable headless store. Retailers use APIs for various functions, including login, product catalog, shipping, and subscription.

It empowers businesses to enhance customer experience. While making purchases, one service handles orders; another calculates tax; another enables shipping, and so on.

But customers have no idea what is happening behind the screen. API connects these decoupled elements and helps to share data seamlessly.

****Key benefits of APIs in eCommerce****

*   It streamlines operations and ensures seamless customer engagements
*   It is effective for data monitoring and analytics, a vibrant factor for retailers
*   It enables communication with chatbots
*   Connects eCommerce platform with 3rd party marketplaces

****Why Is API Security Crucial for Ecommerce?****

APIs are easy to use and integrate for businesses. Even though most APIs are not intended for public use, they often have full access to all sensitive assets and information.

Customers enter PII while purchasing on online sites like emails, passwords, credit card details, and phone numbers. They also share transaction details like bonuses, balances, and rewards. This increases the opportunity for attackers to steal the data.

They are easy to expose if not designed and tuned for robust, ongoing security. Inadequate security testing and a lack of business logic have resulted in an overall rise in API security risks.

Important factors that drive API security concerns are

****Authentication Flaw****

Many APIs not properly checking if the request comes from a legitimate user. Hackers find coding errors in authentication and escalate privileges. They further use enumerated technologies to compromise users' accounts.

For instance, some eCommerce platforms integrate with external logistics systems to pass on shipping details. In this situation, if there is an insufficient authentication chain, API can leak PII via replay attacks.

****Automated Attacks****

Automated attacks on insecure APIs are increasing with the widespread adoption of APIs. Rather than exploiting vulnerabilities in APIs code, hackers exploit business logic flaws within APIs.

They may feed malicious scripts into bots to access your product details at scale.

With bad bots overwhelming your site, your genuine user cannot shop on your site. For example, they can snatch the complete inventory of high-demand products within seconds.

Volumetric attacks against eCommerce API without rate limiting (#4 in **OWASP API Security Top 10**) can cause shopping apps non-responsive, resulting in user dissatisfaction.

****Shadow and Zombie APIs****

Still, many businesses struggle to separate real transactions from fake. They are also blindsided by unprotected shadow APIs.

Equally, Zombie APIs are the most common method of attack. Zombie APIs may longer be unmonitored. They can contain malicious codes or may expose sensitive data or functionality.

****Third-party APIs****

E-commerce businesses integrate with 3rd parties like shipping and payment systems. Third-party APIs are challenging to manage. These are the ones that attackers typically target.

For example, shopping cart API is a prime target as it offers entry points into the business. A leading UK retailer experienced attacks more than 1000 times a day on this API. The attack increased 10-fold times when special offers were running.

****Traditional Security Tools****

Most businesses lack adequate defense capabilities to protect against the ever-evolving API risks. API threats are highly sophisticated and persistent, and traditional methods are ineffective against them.

Legacy WAF or API gateways need more real-time ability to understand bad from good API activity.

Hackers can manipulate the discount and promotion APIs during peak times. These tools find it hard to protect against such attacks.

You will need comprehensive **API protection solutions like AppTrana** to protect your website and customers' sensitive information.

****API Security Best Practices for Ecommerce****

The API threats to eCommerce security are potentially devastating to retailers and customers. For this reason, you must take appropriate measures to address them.

****API Discovery****

The first step is to understand what you have in your API landscape. An inventory of all APIs, including undocumented APIs, is essential if you want to secure what you don't know about.

API discovery involves finding and inventorying APIs. 67% of the retail respondents say they lack visibility on API inventory. A good API security solution offers strong API discovery features. It automatically inventories all APIs, including Zombie and shadow APIs.

Make sure zombie APIs are turned off. After the last customer stops integrating with a deprecated API, ensure the API is turned off. If you're going to publish API documentation externally, make sure it's valid and tested, and it's not exposing vulnerabilities.

****API Security Testing and Penetration Testing****

Integrate API security at the early stage of the development process. Security enhancement and vulnerability management are key aspects of your API development. Use API security scanners (e.g., Infinite API Scanner) for smooth API vulnerability scans. Make sure to patch the identified vulnerabilities immediately.

In addition to automated API scanning tools, manual pen testing is vital. It helps you to detect misconfiguration that could otherwise go unseen.

****Proper Authentication and Authorization****

Validating purchasers who they are and only allowing access to specific resources they have permission for is essential in API security.

OAuth 2.0, API keys, and Token based authentication are a few API authentication methods to verify users' identity.

****API Rate Limiting****

According to data, there were 28 API endpoints in 2020 and 89 in 2021, a three-fold increase in API endpoints. A similar increase in API calls is logical. There was a 141% increase in API calls in H1 2021. There has been a corresponding increase in attack surfaces.

Attackers can make eCommerce sites unavailable for legitimate purchasers with DDoS attacks. With API rate limiting, you can limit the number of requests from overwhelming system resources. It can throttle the request that exceeds the limits. It enables you to make your site available for purchasers without impacting performance.

****API Behaviour and Analytics****

Leverage API protection solution to look for abnormal behaviour in API traffic. Differentiating malicious traffic from normal API traffic can help to detect attacks in progress.

It also highlights system misbehaviors and other malicious disruptions to your service. It analyzes traffic metadata to pinpoint the attack source. You can use this information to stop the incident and fix the issue in API.

****Tips to protect your eCommerce Site****

*   Make sure all third-party integrations and plugins are regularly inspected
*   Help your customers to create strong, unique passwords
*   Ensure that only necessary customer data is stored
*   Always keep your site up-to-date
*   Secure your website with HTTPS
*   Keep a backup of your data

****Ecommerce Security: Plan Ahead to Stay Safe****

An increase in API usage has increased the attack surface, which leaves eCommerce businesses vulnerable. It calls for the immediate requirement to mitigate the API security risks mentioned above.

Failing to secure an eCommerce platform can directly impact sales. It ruins your reputation. Take immediate measures to win your API security platform.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Why is Robust API Security Crucial in eCommerce?

At Black Hat Europe, a security researcher details the main evasion techniques attackers are currently using in the cloud.

BLACK HAT EUROPE 2022 – London - CoinStomp. Watchdog. Denonia.

These cyberattack campaigns are among the most prolific threats today targeting cloud systems — and their ability to evade detection should serve as a cautionary tale of potential threats to come, a security researcher detailed here today.

"Recent cloud-focused malware campaigns have demonstrated that adversary groups have intimate knowledge of cloud technologies and their security mechanisms. And not only that, they are using that to their advantage," said Matt Muir, threat intelligence engineer for Cado Security, who shared details on those three campaigns his team has studied.

While the three attack campaigns are all about cryptomining at this point, some of their techniques could be used for more nefarious purposes. And for the most part, these and other attacks Muir's team has seen are exploiting misconfigured cloud settings and other mistakes. That for the most part means defending against them lands in the cloud customer camp, according to Muir.

"Realistically for these kinds of attacks, it has more to do with the user than the \[cloud\] service provider," Muir tells Dark Reading. "They are very opportunistic. The majority of attacks we see have more to do with mistakes" by the cloud customer, he said.

Perhaps the most interesting development with these attacks is that they are now targeting serverless computing and containers, he said. "The ease of which cloud resources can be compromised has made the cloud an easy target," he said in his presentation, "Real-World Detection Evasion Techniques in the Cloud."

**DoH, It's a Cryptominer**

Denonia malware targets AWS Lambda serverless environments in the cloud. "We believe it's the first publicly disclosed malware sample to target serverless environments," Muir said. While the campaign itself is about cryptomining, the attackers employ some advanced command and control methods that indicate they're well-studied in cloud technology.

The Denonia attackers employ a protocol that implements DNS over HTTPS (aka DoH), which sends DNS queries over HTTPS to DoH-based resolver servers. That gives the attackers a way to hide within encrypted traffic such that AWS can't view their malicious DNS lookups. "It's not the first malware making use of DoH, but it certainly isn't a common occurrence," Muir said. "This prevents the malware to trigger an alert" with AWS, he said.

The attackers also appeared to have tossed in more diversions to distract or confuse security analysts, thousands of lines of user agent HTTPS request strings.

"At first we thought it was might be a botnet or DDoS ... but in our analysis it was not actually used by malware" and instead was a way to pad the binary in order to evade endpoint detection & response (EDR) tools and malware analysis, he said.

**More Cryptojacking With CoinStomp and Watchdog**

CoinStomp is cloud-native malware targeting cloud security providers in Asia for cryptojacking purposes. Its main _modus operandi_ is timestamp manipulation as an anti-forensics technique, as well as removing system cryptographic policies. It also uses a C2 family based on a dev/tcp reverse shell to blend into cloud systems' Unix environments.

Watchdog, meanwhile, has been around since 2019 and is one of the more prominent cloud-focused threat groups, Muir noted. "They are opportunistic in exploiting cloud misconfiguration, \[detecting those mistakes\] by mass scanning."

The attackers also rely on old-school steganography to evade detection, hiding their malware behind image files.

"We're at an interesting point in cloud malware research," Muir concluded. "Campaigns still are lacking somewhat in technicality, which is good news for defenders."

But there's more to come. "Threat actors are becoming more sophisticated" and likely will move from cryptomining to more damaging attacks, according to Muir.

3 Ways Attackers Bypass Cloud Security

At AWS re:Invent last week, the cloud giant previewed security services including Amazon Security Lake for security telemetry, Verified Permissions for developers, and a VPN bypass service.

Cloud threats will continue to grow and proliferate in 2023, but organizations can meet the challenges head-on with the right security fundamentals in place, Amazon Web Services CISO CJ Moses said during AWS re:Invent 2022 conference last week.

Malicious activity is on the rise: The volume of DDoS events in AWS between January and September of this year rose 35% compared with the same period in 2021. AWS saw a 256% increase in compromised instances compared with the fourth quarter of 2021.

AWS unveiled new security tools to help enterprise security teams with analyzing security telemetry, permissions management, and key management.

**Gathering Threat Telemetry**

First up was Amazon Security Lake to manage threat intelligence data. AWS CEO Adam Selipsky said Amazon Security Lake would allow organizations to gather security telemetry and data from many sources, clean it up, and make it accessible for analysis. The challenge lies in the fact that security data exists in multiple formats. The new Open Cybersecurity Schema Framework standard, announced last August during Black Hat USA, can be used to normalize security logs and events data across a wide range of products and services, Selipsky said.

Asked whether supporting OCSF members have conducted comprehensive interoperability tests or certification efforts, Splunk distinguished engineer Paul Agbabian explained to Dark Reading how the data is normalized. 

"For an event class to be considered in OCSF, there must be a real implementation of the class via one of the member's example logs," he said. "In addition, OCSF uses a server that can test each implementation of the schema for validation, which includes showing notable errors and violations."

"Increasing threats and risks continue driving the shift to the cloud, where security will be built into everything organizations do up and down their technology stack and across their teams," Moses said. "More and more security can be thought of as a data science problem."

AWS said FINRA, Salesforce, and Tinder are the first customers using Amazon Security Lake. Fernando Montenegro, a senior principal analyst at Omdia, said Amazon Security Lake was the most significant new security offering announced at last week's conference.

"Security Lake is obviously notable as it addresses some of the security 'undifferentiated heavy lifting' that AWS likes to address," Montenegro told Dark Reading. "It's still early, but the expectation is that it can help simplify security analytics at scale. The use of the OCSF standard is also notable, as it can herald easier data integration even outside of AWS environments."

**Verified Permissions for Developers**

A preview of Amazon Verified Permissions is now available, which Moses described as a scalable, fine-grained permissions management and authorization service for custom applications. 

"It gives developers a consistent way to define and manage fine-grained permissions across applications, simplifies changing permission roles without a need to change code, while also improving visibility to permissions," he explained.

Amazon Verified Permissions gives application administrators "a comprehensive audit capability that scales millions of policies using automated reasoning," Moses added. "Authorization requests running through Amazon Verified Permissions are evaluated in milliseconds to provide dynamic real-time decisions."

**Remote Access Without a VPN**

Amazon also released the preview of AWS Verified Access, a new connectivity service that provides secure remote access to corporate applications without requiring a VPN. According to AWS, the new service only grants access to applications if users and their devices meet defined security requirements.

AWS noted that Verified Access validates each application request, regardless of user or network, before granting access. 

"AWS Verified Access should help with the burden of accessing AWS resources in a 'zero trust' manner,'" Omdia's Montenegro said.

**External Key Store (XKS) for AWS KMS**

Amazon also announced its AWS Digital Sovereignty Pledge, which the company describes "as its commitment to offering all AWS customers the most advanced set of sovereignty controls and features available in the cloud."

Previously, customers have had to choose between "the full power of AWS and a feature-limited sovereign cloud solution that could hamper their ability to innovate, transform, and grow. We firmly believe that customers shouldn't have to make this choice," explained AWS senior VP Matt Garman in a blog post.

Effectively, AWS is promising to enable its complete offerings to maintain the growing set of digital sovereignty industry and regional regulations. Moses said the new External Key Store (XKS) for the AWS Key Management Service (KMS) supports the pledge because it lets organizations store and utilize their encryption keys outside of AWS.

"Customers can now store AWS KMS customer-managed keys outside of AWS on hardware security modules, whether they operate on-premises or anywhere else they would like to do so," he said. "XKS supports all the critical features of KMS and works with the over 100 AWS services that already integrate with KMS customer keys."

A user can encrypt data with external keys for most AWS services that support AWS KMS customer-managed keys, including Amazon EBS, AWS Lambda, Amazon S3, Amazon DynamoDB, and over 100 more services. The external key store forwards API calls to securely connect with a customer's hardware security module (HSM). According to an AWS blog post, the data describing the key never leaves the HSM.

Key Security Announcements From AWS re:Invent 2022

By Habiba Rashid
The bank confirmed that it had "experienced an unprecedented cyber attack from abroad."
This is a post from HackRead.com Read the original post: IT Army of Ukraine Hit Russian Banking Giant with Crippling DDoS Attack

Russia’s second-largest bank experienced the largest cyber attack (**DDoS attack**) in its history. The government-controlled St Petersburg-based VTB financial institution announced on Tuesday that it was experiencing an “unprecedented cyber attack from abroad.”

The bank warned customers of temporary difficulties in accessing its mobile app and website due to the ongoing DDoS attack (distributed denial of service attack) but assured them that their data remained safe. VTB stores its customer data in the internal perimeter of its infrastructure which the attackers did not breach.

According to the bank’s internal analysis and as **reported** by local Russian media, this DDoS attack was pre-planned and orchestrated to cause hindrance in the bank’s functionalities and to inconvenience its customers. Despite the bank’s online portals being inaccessible, all other core banking services are operating as usual.  

VTB stated that they identified most of the malicious DDoS requests from “foreign segments of the internet,” but some network-flooding traffic also originated from Russian IP addresses which the bank noted was “of particular concern.” 

Either foreign actors used local proxies for some of the attacks or they managed to recruit local dissidents in their **DDoS campaign**. The bank stated that it will hand over all the information regarding the Russian IP addresses to law enforcement for criminal investigation. 

What makes this DDoS attack particularly interesting in light of the recent political events is that VTB is 61% state-owned, implying that the attackers made an indirect blow at the Russian government. 

On Dec 6, 2022, in a **tweet**, the pro-Ukraine hacktivist group, going by the name ‘IT Army of Ukraine,’ claimed responsibility for the DDoS attacks against VTB, announcing the campaign on Telegram and Twitter.

According to the IT Army of Ukraine, over 900 Russian entities, including stores selling military equipment and drones, the Central Bank of Russia, the National Center for the Development of Artificial Intelligence, and Alfa Bank, have been targeted by the group since they started being more active in November. 

It is worth noting that the IT Army of Ukraine along with the hacktivist group Anonymous also took responsibility for **September 2022’s social engineering attack** in which the Russian Yandex taxi app was hacked to cause a massive traffic jam in Moscow.

On the other hand, Microsoft **warns** Europe to be on alert for cyber attacks from Russia because this attack follows a series of cyber campaigns launched against Russian organizations. 

Last week, **reports of data-wiping trojan** deployed against Russian mayors’ and courts’ computers surfaced. The media reported that the wiper poses as ransomware and demands half a million rubles and deletes files regardless of whether the organization pays the amount or not. 

With the latest round of wiper and DDoS attacks, GM of Microsoft’s Digital Threat Analysis Centre Clint Watts warns Europe that Russia is likely to expand its “hybrid-war” efforts beyond Ukraine. He further stated that the Kremlin might use such state-sponsored attacks to disrupt foreign supply chains. 

European nations and the US should also brace for more Kremlin-backed influence operations – preying on citizens’ concerns about rising energy prices and inflation, and pushing pro-Russian narratives, Watts wrote. 

1.  **Anonymous Hacktivists Leak 1TB of Top Russian Law Firm Data**
2.  **Ukraine Busts Pro-Russia Hackers Who Stole 30M EU Citizens’ data**
3.  **OldGremlin Gang Known for Targeting Russia Launches Linux Malware**
4.  **Russian Ministry Website Hacked to Display “Glory To Ukraine” Message**
5.  **Ukraine Thwart Russian Industroyer 2 Malware Attack on Energy Provider**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Tag

#ddos