Categories: Cybercrime
Categories: News
Tags: KillNet

Tags:  CISA

Tags:  DDoS

Tags:  HC3

According to CISA, the pro-Russian KillNet group is actively targeting the US and European healthcare sectors with DDoS attacks.



(Read more...)




The post KillNet hits healthcare sector with DDoS attacks appeared first on Malwarebytes Labs.

At the end of January, the Health Sector Cybersecurity Coordination Center warned that the KillNet group is actively targeting the US healthcare sector with distributed denial-of-service (DDoS) attacks.

The Cybersecurity and Infrastructure Security Agency (CISA) says it helped dozens of hospitals respond to these DDoS incidents.

**DDoS**

A distributed denial-of-service attack uses numerous systems to send network communication requests to one specific target. Often the attackers use enslaved computers, "bots", to send the requests. The result is that the receiving server is overloaded by nonsense requests that either crash the server or keep it so busy that normal users are unable to connect to it.

This type of attack has been popularized by numerous hacker groups, and has been used in state-sponsored attacks conducted by governments. Why? Because they are easy to pull off and hard to defend against.

**KillNet**

KillNet is a pro-Russian group that has been notably active since January 2022. Until the Russian invasion of Ukraine, KillNet was known as a DDoS-for-hire group. Now they are better known for the DDoS campaigns launched against countries supporting Ukraine. In previous campaigns the gang has targeted sites belonging to US airlines, the British royal family, Lithuanian government websites, and many others, but now their main focus has shifted to the healthcare sector. Not for the first time by the way—the group has targeted the US healthcare industry in the past too.

These attacks are not limited to the US. Recently, the University Medical Center Groningen (UMCG) in the Netherlands saw its website flooded with traffic. That attack was attributed to KillNet by the country’s healthcare computer emergency response team, Z-CERT.

The KillNet group runs a Telegram channel which allows pro-Russian sympathizers to volunteer their participation in cyberattacks against Western interests. This sometimes makes it hard to attribute the attacks to this particular group since the attacks will originate from different sources.

**The attacks**

KillNet’s DDoS attacks don't usually cause major damage, but they can cause service outages lasting several hours or even days. For healthcare providers, long outages can result in appointment delays, electronic health records (EHRs) being unavailable, and ambulance diversions.

According to CISA, only half of the KillNet attacks have been able to knock websites offline. CISA says it worked with several tech companies to provide free resources to under-funded organizations that can help them reduce the impact of DDoS attacks. It also plans to continue working with the US Department of Health and Human Services (HHS) to communicate with hospitals about government assistance and third-party services.

**Mitigation**

Although it can be difficult to mitigate DDoS risks, the Health Sector Cybersecurity Coordination Center (HC3) is encouraging healthcare organizations to enable firewalls to mitigate application-level DDoS attacks and use content delivery networks (CDN).

Scrambling for a solution at the moment you find out that you are the target of a DDoS attack is not the best strategy, especially if your organization depends on Internet-facing servers. So, if you don’t have an “always-on” type of protection, make sure you at least have a plan or protocols in place that you can follow if an attack occurs.

Depending on the possible consequences that would do the most harm to your organization, the chosen solution should offer you one or more of these options:

*   Allow users to use the site as normally as possible.
*   Protect your network from breaches during an attack.
*   Offer an alternative system to work from.

The least you should do is make sure you're aware of the fact that an attack is ongoing. The sooner you know what's going on, the faster you can react in an appropriate manner. Ideally, you want to detect, identify, and mitigate DDoS attacks before they reach their target. You can do that through two types of defenses:

*   On-premise protection (e.g. identifying, filtering, detection, and network protection).
*   Cloud-based counteraction (e.g. deflection, absorption, rerouting, and scrubbing).

The best of both worlds is a hybrid solution that detects an attack on-premise early on and escalates to the cloud-based solution when it reaches a volume that the on-premise solution cannot handle. Some DDoS protection solutions use DNS redirection to persistently reroute all traffic through the protectors’ network, which is cloud-based and can be scaled up to match the attack. From there, the normal traffic can be rerouted to the target of the attack or their alternative architecture.

CISA encourages all network defenders and leaders to review these three documents:

*   Joint guide: nderstanding and Responding to Distributed Denial-of-Service Attacks
*   CEG: Additional DDoS Guidance for Federal Agencies
*   Tip: Understanding Denial-of-Service Attacks

**Ransomware warning**

Several security agencies and providers have warned that DDoS attacks are being used as cover for actual intrusions involving ransomware and data theft. In these attacks, the DDoS acts as a smokescreen, drawing attention from the far greater danger posed by the ransomware.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

KillNet hits healthcare sector with DDoS attacks

Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4.

@@ -16,6 +16,7 @@  
from modoboa.core.password\_hashers import get\_password\_hasher from modoboa.core.utils import check\_for\_updates from modoboa.lib.throttle import UserLesserDdosUser, LoginThrottle, PasswordResetApplyThrottle, PasswordResetRequestThrottle, PasswordResetTotpThrottle from modoboa.parameters import tools as param\_tools  
from smtplib import SMTPException @@ -25,9 +26,20 @@ logger \= logging.getLogger("modoboa.auth")  
  
def delete\_cache\_key(class\_target, throttles, request): """Attempt to delete cache key from throttling on login/password reset success."""  
for throttle in throttles: if type(throttle) \== class\_target: throttle.reset\_cache(request) return  
  
class TokenObtainPairView(jwt\_views.TokenObtainPairView): """We overwrite this view to deal with password scheme update."""  
throttle\_classes \= \[LoginThrottle\]  
def post(self, request, \*args, \*\*kwargs): serializer \= self.get\_serializer(data\=request.data) try: @@ -42,6 +54,10 @@ def post(self, request, \*args, \*\*kwargs):  
user \= serializer.user login(request, user)  
\# Reset login throttle delete\_cache\_key(LoginThrottle, self.get\_throttles(), request)  
logger.info( \_("User '%s' successfully logged in"), user.username ) @@ -85,6 +101,8 @@ class EmailPasswordResetView(APIView): An Api View which provides a method to request a password reset token based on an e-mail address. """  
throttle\_classes \= \[PasswordResetRequestThrottle\]  
def post(self, request, \*args, \*\*kwargs): serializer \= serializers.PasswordRecoveryEmailSerializer( data\=request.data, context\={'request': request}) @@ -96,6 +114,7 @@ def post(self, request, \*args, \*\*kwargs): "type": "email", "reason": "Error while sending the email. Please contact an administrator." }, 503)  
\# Email response return response.Response({"type": "email"}, 200)  
@@ -114,13 +133,16 @@ def post(self, request, \*args, \*\*kwargs): serializer.is\_valid(raise\_exception\=True) except serializers.NoSMSAvailable: return super().post(request, \*args, \*\*kwargs)  
\# SMS response return response.Response({"type": "sms"}, 200)  
  
class PasswordResetSmsTOTP(APIView): """ Check SMS Totp code. """  
throttle\_classes \= \[PasswordResetTotpThrottle\]  
def post(self, request, \*args, \*\*kwargs): try: if request.data\["type"\] \== "confirm": @@ -140,12 +162,15 @@ def post(self, request, \*args, \*\*kwargs): "id": serializer\_response\[1\], "type": "confirm" }) delete\_cache\_key(PasswordResetTotpThrottle, self.get\_throttles(), request) return response.Response(payload, 200)  
  
class PasswordResetConfirmView(APIView): """ Get and set new user password. """  
throttle\_classes \= \[PasswordResetApplyThrottle\]  
def post(self, request, \*args, \*\*kwargs): serializer \= serializers.PasswordRecoveryConfirmSerializer( data\=request.data) @@ -159,12 +184,15 @@ def post(self, request, \*args, \*\*kwargs): data.update({"errors": errors}) return response.Response(data, 400) serializer.save() delete\_cache\_key(PasswordResetApplyThrottle, self.get\_throttles(), request) return response.Response(status\=200)  
  
class ComponentsInformationAPIView(APIView): """Retrieve information about installed components."""  
throttle\_classes \= \[UserLesserDdosUser\]  
@extend\_schema(responses\=serializers.ModoboaComponentSerializer(many\=True)) def get(self, request, \*args, \*\*kwargs): status, extensions \= check\_for\_updates()

CVE-2023-0777: Merge pull request #2767 from modoboa/api-throttling · modoboa/modoboa@47d17ac

Valve's unpatched JavaScript engine and incomplete modification vetting process for Steam-delivered mods led to user systems being backdoored.

A threat actor recently uploaded four "mods" containing malicious code into the catalog in the official Steam store that players of the popular Dota 2 online game use for downloading community-developed game additions and other custom items.

Mods, short for "modifications," offer in-game content that players create rather than the developers.

Users who installed the mods ended up with a backdoor on their systems that the threat actor used to download an exploit for a vulnerability (CVE-2021-38003) in the V8 open source JavaScript engine version present in a framework called Panorama that players use to develop custom items in Dota 2.

Researchers from Avast discovered the issue and reported it to Valve, the developer of the game. Valve immediately updated the game's code to a new (patched) version of V8, and took down the rogue game mods from its Steam online store. The gaming company — whose portfolio includes Counter-Strike, Left 4 Dead, and Day of Defeat — also notified the small handful of users who downloaded the backdoor about the issue and implemented unspecified "other measures" to reduce Dota 2's attack surface, Avast said.

Valve did not immediately respond to a Dark Reading request for comment.

**Taking Advantage of Dota 2's Customization Features**

The attack that Avast discovered is somewhat similar in approach to the numerous incidents where a threat actor has uploaded malicious applications to Google Play and Apple's App Store, or malicious code blocks to repositories like npm or PyPI.

In this case, the individual who uploaded the code to Valve's Steam store took advantage of the fact that Dota 2 allows players to customize the game in many ways. Dota's game engine gives anyone with even basic programming skills the ability to develop custom items such as wearables, loading screens, chat emojis, and even entire custom game modes — or new games, Avast said. They can then upload those custom items to the Steam store, which vets the offerings for unsuitable content, and then publishes them for other players to download and use. 

However, because the Steam vetting process is more focused on moderation than security, bad actors can sneak malicious code into the store without too much trouble, the researchers warned. "We believe the verification process exists mostly for moderation reasons to prevent inappropriate content from getting published," according to Avast's blog post. "There are many ways to hide a backdoor within a game mode, and it would be very time-consuming to attempt to detect them all during verification."

Boris Larin, lead security researcher at Kaspersky's global research and analysis team, says that while game companies are not directly responsible for malicious code embedded into third-party modifications, incidents like these still harm the company's reputation. This is especially true when modifications are distributed through special repositories owned by the game developer that may contain vulnerabilities.

"In this particular case, the timely updating of third-party components would have helped to protect the players," Larin says. "JavaScript engines and built-in Web browsers also require special attention as they often contain vulnerabilities that can be exploited for remote code execution."

**Gaming Industry Continues to Be a Massive Target**

The incident at Valve is the latest in a string of attacks that have targeted online gaming companies and players in recent years — and especially since the COVID-19 outbreak, when social distance mandates drove a surge in online gaming. In early January, attackers broke into Riot Games' systems and stole source code for the company's League of Legends and Teamfight Tactics games. The attackers demanded $10 million from Riot Games in return for not publicly leaking the source code. In another incident, an attacker breached systems at Rockstar Games last year and downloaded early footage of the next version of the company's popular Grand Theft Auto game.

A report that Akamai released last year showed a 167% increase in Web application attacks on player accounts and gaming companies last year. A plurality of these Web application attacks — 38% — involved local file inclusion attacks; 34% were SQL injection attacks, and 24% involved cross-site scripting. Akamai's survey also showed that the gaming industry accounted for some 37% of all distributed denial-of-service (DDoS) attacks, which was double that of the second-most-targeted sector.

Akamai, like others previously, attributed the major attacker interest in gaming to the highly lucrative nature of the industry as a whole, and to the billions of dollars that users spend via in-game microtransactions while playing games. In 2022, PwC pegged gaming industry revenues at $235.7 billion for the year. The consulting firm estimated that industry revenues will grow at some 8.4% through 2026 at least.

The attacks have put growing pressure on gaming companies to ramp up their security processes. Industry experts have previously noted how gaming companies that experience major security incidents face the risk of losing player trust and player engagement on their platforms.

"Gaming companies should regularly update and scan their systems and employ a comprehensive defensive concept that equips, informs, and guides their team in their fight against the most sophisticated and targeted cyberattacks," Larin says.

"All repositories, whether an app store, an open source package repository, or even game modification repositories, should be automatically checked for malicious content," he says. This should include static checks for obfuscated or dangerous functionality and scanning with an antivirus engine SDK, he notes.

Larin adds: "Open source code repository poisoning has become more widespread in recent years and its early detection can prevent larger incidents."

Malicious Game Mods Target Dota 2 Game Users

In a first-of-its-kind coordinated action, the U.K. and U.S. governments on Thursday levied sanctions against seven Russian nationals for their affiliation to the TrickBot, Ryuk, and Conti cybercrime operation.
The individuals designated under sanctions are Vitaly Kovalev (aka Alex Konor, Bentley, or Bergen), Maksim Mikhailov (aka Baget), Valentin Karyagin (aka Globus), Mikhail Iskritskiy (aka

In a first-of-its-kind coordinated action, the U.K. and U.S. governments on Thursday levied sanctions against seven Russian nationals for their affiliation to the TrickBot, Ryuk, and Conti cybercrime operation.

The individuals designated under sanctions are Vitaly Kovalev (aka Alex Konor, Bentley, or Bergen), Maksim Mikhailov (aka Baget), Valentin Karyagin (aka Globus), Mikhail Iskritskiy (aka Tropa), Dmitry Pleshevskiy (aka Iseldor), Ivan Vakhromeyev (aka Mushroom), and Valery Sedletski (aka Strix).

"Current members of the TrickBot group are associated with Russian Intelligence Services," the U.S. Treasury Department noted. "The TrickBot group's preparations in 2020 aligned them to Russian state objectives and targeting previously conducted by Russian Intelligence Services."

TrickBot, which is attributed to a threat actor named ITG23, Gold Blackburn, and Wizard Spider, emerged in 2016 as a derivative of the Dyre banking trojan and evolved into a highly modular malware framework capable of distributing additional payloads. The group most recently shifted focus to attack Ukraine.

The infamous malware-as-a-service (MaaS) platform, up until its formal closure early last year, served as a prominent vehicle for countless Ryuk and Conti ransomware attacks, with the latter eventually taking over control of the TrickBot criminal enterprise prior to its own shutdown in mid-2022.

Over the years, Wizard Spider has expanded its custom tooling with a set of sophisticated malware such as Diavol, BazarBackdoor, Anchor, and BumbleBee, while simultaneously targeting multiple countries and industries, including academia, energy, financial services, and governments.

"While Wizard Spider's operations have significantly reduced following the demise of Conti in June 2022, these sanctions will likely cause disruption to the adversary's operations while they look for ways to circumvent the sanctions," Adam Meyers, head of intelligence at CrowdStrike, said in a statement.

"Often, when cybercriminal groups are disrupted, they will go dark for a time only to rebrand under a new name."

Per the Treasury Department, the sanctioned persons are said to be involved in the development of ransomware and other malware projects as well as money laundering and injecting malicious code into websites to steal victims' credentials.

Kovalev has also been charged with conspiracy to commit bank fraud in connection with a series of intrusions into victim bank accounts held at U.S.-based financial institutions with the goal of transferring those funds to other accounts under their control.

The attacks, which occurred in 2009 and 2010 and predate Kovalev's tryst with Dyre and TrickBot, are said to have led to unauthorized transfers amounting to nearly $1 million, out of which at least $720,000 was transferred overseas.

What's more, Kovalev is also said to have worked closely on Gameover ZeuS, a peer-to-peer botnet that was temporarily dismantled in 2014. Vyacheslav Igorevich Penchukov, one of the operators of the Zeus malware, was arrested by Swiss authorities in November 2022.

U.K. intelligence officials further assessed that the organized crime group has "extensive links" to another Russia-based outfit known as Evil Corp, which was also sanctioned by the U.S. in December 2019.

The announcement is the latest salvo in an ongoing battle to disrupt ransomware gangs and the broader crimeware ecosystem, and comes close on the heels of the takedown of Hive infrastructure last month.

The efforts are also complicated as Russia has long offered a safe haven for criminal groups, enabling them to carry out attacks without facing any repercussions as long as the assaults don't single out domestic targets or its allies.

The sanctions "give law enforcement and financial institutions the mandates and mechanisms needed to seize assets and cause financial disruption to the designated individuals while avoiding criminalizing and re-victimising the victim by placing them in the impossible position of choosing between paying a ransom to recover their business or violating sanctions," Don Smith, vice president of threat research at Secureworks, said

According to data from NCC Group, ransomware attacks witnessed a 5% decline in 2022, dropping from 2,667 the previous year to 2,531, even as victims are increasingly refusing to pay up, leading to a slump in illicit revenues.

"This decline in attack volume and value is probably in part due to an increasingly hardline, collaborative response from governments and law enforcement, and of course the global impact of the war in Ukraine," Matt Hull, global head of threat intelligence at NCC Group, said.

Despite the dip, ransomware actors are also turning out to be "effective innovators" who are "willing to find any opportunity and technique to extort money from their victims with data leaks and DDoS being added to their arsenal to mask more sophisticated attacks," the company added.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

U.K. and U.S. Sanction 7 Russians for TrickBot, Ryuk, and Conti Ransomware Attacks

Avast researchers also discovered and reported two zero-day vulnerabilities, and observed the spread of information-stealing malware, remote access trojans, and botnets.

**TEMPE, Ariz.** **and** **PRAGUE****,** **Feb. 9, 2023** **/PRNewswire/ --** Avast, a leader in digital security and privacy, and a brand of Gen™ (NASDAQ: GEN), saw an increase in threats using social engineering to steal money, such as refund and invoice fraud and tech support scams, during Q4 of the calendar year 2022. Cybercriminals also remained active in spying and information stealing, with lottery-themed adware campaigns used as a tactic to obtain people's contact details. Avast threat researchers also discovered zero-day exploits in Google Chrome and Windows. These vulnerabilities have since been patched. These insights are covered in the Avast Q4/2022 Threat Report.

"At the end of 2022, we have seen an increase in human-centered threats, such as scams tricking people into thinking their computer is infected, or that they have been charged for goods they didn't order. It's human nature to react to urgency, fear and try to regain control of issues, and that's where cybercriminals succeed," said Jakub Kroustek, Avast Malware Research Director. "When people face surprising pop-up messages or emails, we recommend they stay calm and take a moment to think before they act. Threats are so ubiquitous today that it's hard for consumers to keep up. It is our mission to help protect people by detecting threats and alerting users before they can do any harm, using the latest AI-based technology."

**Growth in refund and invoice fraud, and tech support scams**

The Avast threat labs also saw an increase in tech support scam activity. Top affected countries include the United States, Brazil, Japan, Canada, and France. These scams often start with a pop-up window that alerts people of an alleged malware infection and urges them to call a helpline to resolve the issue. Scammers will convince the caller to set up a remote connection to their computer, opening the door to theft of personal information and money, as the criminals try to access people's bank accounts or crypto wallets, and ask for a payment for their services.

"We recommend people ignore such pop-up messages and close the window with the escape key, or if that's not possible, restart their computer," advises Kroustek. "Also, never give remote access to your computer to somebody you don't know."

The Avast threat labs also saw an uptick in refund and invoice fraud of 14% from October to November 2022, and another increase of 22% in December. Refund fraud works in a comparable way to tech support scams, and often comes in the form of an email that looks like it was sent from a trusted company. People will receive an email including a fake receipt making them believe they were charged for a purchase they didn't make. People are then tricked into calling a phone number, where an agent asks them to create a remote connection to their computer and open their banking account, so the person can see how the refund is done. The goal of the attacker is to steal the person's money. In the case of invoice fraud, people, and more often businesses, receive bills for goods or services the business never ordered or received.

"To avoid invoice fraud, people need to pay close attention to invoices they receive. Fraudulent invoices often look legitimate, and people need to verify whether an order really was made, the service received, and whether the sender is truly who they pretend to be," said Kroustek.

**Information stealing adware, remote access trojans and bots**

Web-based adware was also prevalent in the quarter, not only annoying people with intrusive ads, but also trying to steal their personal data. For example, people are asked to take part in a lottery, spinning a roulette wheel to win, and are then asked to enter their contact information and pay a "handling fee" using their credit card or Google Pay or Apple Pay account. Avast researchers also saw a flood of DealPly adware, which comes as a Google Chrome extension and sends statistical and search information to the attackers. The risk to get infected by DealPly increased around the world, most significantly in the Americas, in Europe, and South and Southeast Asia.

Avast researchers saw a significant increase of 437% in the global spread of the Arkei information stealer, which is known for stealing data from browsers' autofill forms, passwords and other sources. There was also a 57% increase in people and businesses protected against AgentTesla, a strain of malware that often spreads through phishing emails to businesses and designed to steal credentials, as well as a 37% increase in RedLine stealer, which often spreads in cracked games and services, stealing information from browsers and cryptowallets.

Avast telemetry also shows that the global spread of LimeRAT tripled in Q4. LimeRAT is a remote access trojan capable of stealing passwords, cryptocurrencies, driving Distributed Denial of Service (DDoS) attacks and installing ransomware on a victim's computer. It was mostly active in South and Southeast Asia and Latin America. The Emotet botnet, also a malware distributor with a wide variety of capabilities to steal information and spread malware, has evolved its technique of evading detection by antivirus software in the past few months through the use of timers to incrementally continue the payload's execution. The Qakbot information stealer botnet has also evolved further and started using "HTML smuggling" to hide an encoded malicious script within an email attachment. For example, the threat actors have started abusing SVG images to hide malicious payloads and the code used for its reassembly.

**Zero-day exploits in the wild**  
Two sophisticated zero-day exploits were also discovered by Avast researchers in the quarter. Avast protected its users as both were exploited in the wild. The first, CVE-2022-3723, was a type confusion in V8 and used to do a 'get Remote Code Execution' (RCE) against Google Chrome. Avast reported this vulnerability to Google who quickly rolled out a patch in just two days, on October 27, 2022. The second zero-day CVE-2023-21674, was an LPE vulnerability in ALPC that allowed attackers to get from the browser sandbox all the way into the Windows kernel. Microsoft patched this exploit in the January 2023 Patch Tuesday update. In addition, the Avast Q4/2022 Threat Report from the Avast Threat Labs shares insights into spyware, and the latest in mobile banking Trojans and Trojan SMS. Avast helps protect its users from all threats covered in the report. The Avast Q4/2022 Threat Report can be found on the Decoded blog: https://decoded.avast.io/threatresearch/avast-q4-2022-threat-report

**About Avast:** 

Avast is a leader in digital security and privacy, and a brand of Gen™ (NASDAQ: GEN), a global company dedicated to powering Digital Freedom through its family of trusted consumer brands. Avast protects hundreds of millions of users from online threats with a threat detection network that is among the most advanced in the world, using machine learning and artificial intelligence technologies to detect and stop threats in real time. Avast digital security products for Mobile, PC or Mac are top-ranked and certified by VB100, AV-Comparatives, AV-Test, SE Labs and others. Avast is a member of the Coalition Against Stalkerware, No More Ransom and Internet Watch Foundation. Visit: www.avast.com.

SOURCE Avast Software, Inc.

Avast Threat Report: Consumers Plagued With Refund Fraud, Tech Support Scams, and Adware

By Habiba Rashid
Has your Tor browser been slow for the past few months? Well, you are not alone; the ongoing DDoS attacks on the Tor network are keeping it slow worldwide.
This is a post from HackRead.com Read the original post: Tor Network Hit By a Series of Ongoing DDoS Attacks

The Tor Project revealed that its network has been suffering from “several different types of ongoing DDoS attacks (Distributed Denial of Service attacks) for at least seven months.

For Tor Browser users who have been wondering why the onion has been having network connectivity and performance issues lately, you are not alone; many others have had problems with the sites loading altogether. 

The Tor Project’s Executive Director, Isabela Dias Fernandes, reported on Tuesday that the network has been targeted by a wave of DDoS attacks (Distributed Denial of Service attacks) for at least the past seven months.

“At some points, the attacks impacted the network severely enough that users could not load pages or access onion services,” Fernandes said on Tuesday.

“We have been working hard to mitigate the impacts and defend the network from these attacks. The methods and targets of these attacks have changed over time and we are adapting as these attacks continue.”

Fernandes also promises that the Tor team will keep tweaking and improving the network defences to counter the ongoing issue. However, they have not yet discovered the goal of these attacks or the identity of the attackers behind them. The Tor Network team will also be expanded to include two new members focusing on .onion service development.

“To clarify, our services have not been down, but on occasion slow for some users, and it is important to note that the user experience is affected by a variety of factors, including what onion services are being used, or which relays get picked when they build a circuit through Tor.”

**_Quick FAQs_****What is Tor Browser?**

Tor Browser or “The Onion Router,” is a free, open-source web browser that allows users to browse the internet anonymously. It was originally developed for US Naval Intelligence in the mid-1990s and was released into the public domain in October 2002.

It is worth noting that the Tor browser utilizes multi-layered encryption of data packets, making it difficult, but not impossible, for anyone to track or monitor user activity on the internet.

The core concept behind Tor is that it creates a network of nodes with each layer acting as an encrypted tunnel so that when a user sends out information, they are virtually untraceable. With every node encrypted; no one can trace where the data originated from or who may have accessed it during transmission. As such, this makes Tor ideal for those looking to keep their online activities private and secure especially journalists and whistleblowers.

**What is a DDoS Attack?**

A DDoS attack stands for Distributed Denial-of-Service attack. It is a type of cyberattack that uses multiple compromised Internet of Things (IoT) or smart devices including computers, routers, cameras, etc. to create a botnet and send massive amounts of traffic to a single targeted server or website to overwhelm it and make it inaccessible for regular users.

1.  23% of Tor browser relays steal Bitcoin
2.  Tor Browser Flaw Leaks Your Real IP Address
3.  Best Dark Web Search Engines for Tor Browser
4.  Fake Tor Browser Spreads Malware Via YouTube
5.  Download official Tor browser on Android devices
6.  What Are Dark Web Search Engines – How to Find Them?

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Tor Network Hit By a Series of Ongoing DDoS Attacks

By Deeba Ahmed
The recovery tool is available on GitHub for free.
This is a post from HackRead.com Read the original post: CISA Offers Recovery Tool for ESXiArgs Ransomware Victims

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a new tool to help victims of ESXiArgs ransomware. It has been dubbed SXiArgs-Recover.

According to CISA, SXiArgs-Recover is an open-source tool designed to help ransomware attack victims recover virtually any VMs (VMware virtual machines) that have been impacted by the currently active attack campaign involving the use of **ESXiArgs ransomware**. CISA noted that some organizations had used this tool to recover files without paying a ransom.

Alleged ESXiArgs Ransomware ransom note

CISA has developed this **tool** entirely using publicly available resources, such as a tutorial by Enes Sonmez and Ahmet Aykac. It does the job by reconstructing VM metadata from virtual disks that the malware didn’t encrypt. In its **technical advisory**, the agency stated that,

> “Any organization seeking to use CISA’s ESXiArgs recovery script should carefully review it to determine if it is appropriate for their environment before deploying it. This script does not seek to delete the encrypted config files, but instead seeks to create new config files that enable access to the VMs.”
> 
> CISA

**Ransomware Attack Details**

We reported earlier that threat actors are exploiting a high-severity ESXi remote code execution vulnerability, which VMware had patched back in 2021. The vulnerability was tracked as CVE-2021-21974 and is now being used to deploy file-encrypting malware targeting VMs.

This legacy bug allows attackers to perform remote code execution on ESXi hypervisors by initiating a heap-overflow issue in OpenSLP. Cybercriminals are threatening to leak the stolen data, but there hasn’t been any leak.

**Ransomwhere** is a ransomware payment tracker, according to which the number of victims targeted in this new attack wave is 3800, and four payments have been made worth a total amount of $88,000.

**VMware’s Response**

**According to VMware**, only unpatched and out-of-date products are targeted with known vulnerabilities like this; therefore, the company advised its customers to upgrade to the latest vSphere components.

It has also recommended that users disable the OpenSLP service in ESXi. It is worth noting that the ESXiArgs malware has not yet been linked to any known ransomware group, but the malware could be derived from the **Babuk** source code leaked in 2021.

1.  **Decryptor key for Sodinokibi, REvil ransomware**
2.  **Decrypt data from Hakbit & Jigsaw ransomware**
3.  **List of Proxy IPs Exposed to Block Killnet’s DDoS Bots**

CISA Offers Recovery Tool for ESXiArgs Ransomware Victims

### Workarounds
* forbid request genesis through network request
* forbid requesting duplicate data  through network request



**Nervos CKB vulnerable to low-resource flood DDoS attacks through network message**

Low severity GitHub Reviewed Published Feb 8, 2023 in nervosnetwork/ckb • Updated Feb 8, 2023

GHSA-p2gm-ffr3-w2xw: Nervos CKB vulnerable to low-resource flood DDoS attacks through network message

By Waqas
Kallnet is a pro-Russian group known for targeting hospitals and other critical infrastructure in countries unfriendly to Russia.
This is a post from HackRead.com Read the original post: List of Proxy IPs Exposed to Block Killnet’s DDoS Bots

A list of proxy IPs used by Killnet and other network spamming gangs to target unsuspecting users means it is now possible to prevent the attack to some degree.

Killnet is a hacker group that has openly supported the Russian invasion of Ukraine. Although many other groups are siding with Russia in the ongoing conflict, Killnet is definitely one of the most prominent ones.

The U.S. government has warned about an expected increase in Killnet’s network flooding attacks using DDoS bots against health clinics and hospitals. The warning comes after Killnet claimed responsibility for attacks against fourteen US hospitals’ websites, forcing them to go offline in late January of 2023.

The impacted facilities include the University of Michigan Hospitals and Health Centers, Stanford Hospital, Duke University, and Cedars-Sinai. Other targets of Killnet’s DDoS attacks include the FBI (allegedly), the European Parliament, businesses in the United Kingdom, Lockheed Martin (allegedly), the Lithuanian government, and more.

SecurityScorecard’s threat researchers have created and released online a list of proxy IPs used by Killnet and other network spamming gangs to target unsuspecting users. It is now possible to prevent the attack to some degree.

The Killnet blocklist is available on GitHub and has around 17,746 IP addresses listed. According to the threat analysis firm, SecurityScoreCard, companies can improve their security measures against DDoS bots through this list.

“To help organizations better protect themselves, SecurityScorecard has published a list of proxy IPs to help block the Killnet DDoS bot,” the company stated in its **blog post**.

The hacker group’s open proxy IP blocklist currently contains tens of thousands of proxy IP addresses that Russian hacktivists use in their network traffic flooding attacks. According to the FBI, the group’s DDoS attacks are actually publicity gimmicks that have gained limited success.

The group mainly relies on Telegram for its operations, and its Telegram channel has over 92,000 followers. Though their DDoS attacks usually don’t cause significant damage, they may disrupt services for hours or knock websites offline. This could affect healthcare organizations and their millions of patients, since bots can flood network traffic, preventing doctors and patients from sending or receiving health-related information online.

Moreover, patients may not be able to schedule appointments. Nevertheless, you can check the full blocklist of proxy IPs here.

1.  **Decryptor key for Sodinokibi, REvil ransomware**
2.  **Decrypt data from Hakbit & Jigsaw ransomware**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

List of Proxy IPs Exposed to Block Killnet’s DDoS Bots

Security teams can use a blocklist containing tens of thousands of proxy IP addresses used by the pro-Russian hacktivist group to defend their organizations from DDoS attacks.

SecurityScorecard has pulled together a list of proxy IP addresses used by KillNet to launch distributed denial-of-service attacks (DDoS) against various entities around the world over the past year.

KillNet has taken responsibility for DDoS attacks against US-based hospitals and airports, as well as financial and government organizations in Germany. The pro-Russian group is targeting countries supporting Ukraine, especially NATO countries.

In a DDoS attack, the attack group cause thousands of connection requests and packets to be sent to the targeted entity's server or website per minute. The attack is made possible by bots – compromised systems that are being harnessed by the attack group. The sheer volume and size of these requests and packets can slow down the targeted system or even overwhelm it to the point where it is no longer available.

In January, KillNet's attacks took websites for 14 hospitals offline; affected organizations included University of Michigan Hospitals and Health Centers, Stanford Hospital, Duke University, and Cedars-Sinai. Knocking websites offline for days or disrupting network connectivity can interfere with patient care: Patients may be prevented from scheduling appointments and doctors may be unable to send and receive health information online. Both the US Department of Health and Human Services (HHS) and the American Hospital Association released warnings that KillNet posed a threat to healthcare organizations.

"While KillNet’s DDoS attacks usually do not cause major damage, they can cause service outages lasting several hours or even days," AHA said.

SecurityScorecard's blocklist, which lists tens of thousands of proxy IP addresses used by the hacktivists in previous DDoS attacks, can be particularly helpful for defenders at healthcare organizations. Security teams can use the list, which is regularly updated by SecurityScorecard's team of researchers, and deploy firewall rules to block malicious traffic from even entering the network. The list can also support network monitoring and investigations to identify and track attacker activities.

Right now, it is just DDoS attacks, but there is also the worry that other criminal groups – such as ransomware gangs – sharing KillNet's political views will join in to target these organizations.

"It is likely that pro-Russian ransomware groups or operators, such as those from the defunct Conti group, will heed KillNet's call and provide support," HHS warned. "This likely will result in entities KillNet targeted also being hit with ransomware or DDoS attacks as a means of extortion, a tactic several ransomware groups have used."

Cloudflare's analysis shows an increase in DDoS activity against healthcare organizations and that there may already be multiple threat actors acting on behalf of KillNet.

"The attacks observed by the Cloudflare global network do not show a clear indication that they are originating from a single botnet and the attack methods and sources seem to vary," Cloudflare said last week. "This could indicate the involvement of multiple threat actors acting on behalf of Killnet, or it could indicate a more sophisticated, coordinated attack."

Tag

#ddos