Ticketmaster testified in the Senate that a cyberattack was to blame for the high-profile Taylor Swift concert sales collapse, but some senators aren't so sure.

When armies of Taylor Swift fans in November were locked out of being able to purchase tickets for her upcoming The Eras tour, the so-called "Swifties" demanded answers.

And the Senate agreed.

This week, Ticketmaster testified in Senate Judiciary Committee hearings that it's not the company's monopoly on the live music market that caused the Swifty sales collapse — it was instead a cyberattack, executives said.

"There was unprecedented demand for Taylor Swift tickets," according to the opening testimony, shared ahead of the hearing with Dark Reading. "We knew bots would attack that on-sale, and planned accordingly."

However, Ticketmaster added that it received triple the amount of bot traffic that it had ever experienced, with bots both attempting to purchase tickets as well as breach the ticket sales servers for access codes.

"While the bots failed to penetrate our systems or acquire any tickets, the attack required us to slow down and even pause our sales," according to the company, which added that the difference in this instance is that instead of bots attempting to beat humans to the tickets, these bots were also attacking the system itself.

Some senators, including Marsha Blackburn, a Republican from Tennessee, didn't agree with Ticketmaster's assessment that the company was prepared in advance for the Taylor Swift swarm.

"This is unbelievable," Blackburn said during the hearing. She added, "Why is it that you have not developed an algorithm to sort out what is a bot and what is a consumer?"

Ticketmaster asked the Senate to consider stronger anti-bot legislation, enforcement, and penalties, but that does little to help shore up systems for future blockbuster tour event sales against an increasingly aggressive legion of shopper bots.

"It is absolutely an ever-growing arms in race in terms of fighting the bots," Berchtold said in response to Senator Blackburn's questioning. "These are bots that are trying to impersonate people on an automated basis. They are faster and putting American consumers at a disadvantage."

**When Bot Traffic Looks Like a DDoS Attack**

Rather than a targeted, intentional distributed denial-of-service (DDoS) attack, Ticketmaster's outage was simply the result of the system getting crushed under a tidal wave of traffic. But the result was the same: disruption.

"Botnets are often used to launch DDoS attacks; they're also used to do other things such as attempting to quickly (and unfairly!) snap up tickets to popular events the moment they go on sale," Roland Dobbins, a DDoS expert and principal engineer with Netscout, explains to Dark Reading. 

He adds, "Even though the intent in the latter scenario isn’t to cause an outage — which defeats the purpose of the bot-driven purchases — high levels of aggressive, bot-driven, 'flash crowd' transactions can effectively constitute an unintentional application-layer DDoS attack against the online ticket vending system, if all the key elements in the system’s service delivery chain haven’t been designed with resilience, scale, and defense against application-layer DDoS attacks in mind."

**SeatGeek Had Similar, but Not as Serious, Swift Sales Problems**

Although it was also bogged down under a similar traffic spike, Ticketmaster competitor Seat Geek was able to sell tickets to 52 Taylor Swift concerts without the same technical failures, the company explained to Politico, blaming Ticketmaster's troubles on its market monopoly.

"Ticketmaster’s outage, recovery time, and continued lack of a solution are the results of a monopoly’s complacency," SeatGeek said in a statement. "No competition means no incentive to innovate and iron out problems that they’ve experienced in the past."

**Bot & DDoS Attack Defense Differ**

Online retailers trying to protect against both bots and DDoS attacks need to adopt different approaches for each, Boaz Gelbord, senior vice president and chief security officer at Akamai, explains to Dark Reading in reaction to the Ticketmaster Senate testimony.

"Organizations face an increasing array of cyber-threats during 'hype events' such as flash sales or online commercial events," Gelbord says. "These can include both DDoS attacks aimed at bringing down the event and bots that aim to subvert the legitimate sales process. The goals of these attacks differ and they also require different protection."

DDoS protection is about putting up infrastructure and application defenses prior to an attack, while thwarting bots requires "a deeper understanding of the behavior to determine which traffic is legitimate and which is automated," Gelbord explains.

**Battling the Bot Problem**

Online brands experienced a 71% increase in bot attacks in 2022 over 2021, with bad bots making up nearly a third of online traffic, Michael Pezely points out in response to the Ticketmaster hearing.

"All these trends were reflected in Ticketmaster’s own experience with the Taylor Swift tour," Pezely adds. "While 3.5 million fans preregistered as verified fans, according to Ticketmaster, 3.5 billion purchase attempts were made."

Pezely urges online retailers to consider a holistic artificial intelligence (AI) approach to battling the bot problem.

"Fighting AI with AI will continue to be part of the solution. Merchants, whether they’re selling PlayStations, sneakers, or tickets, can counter the bots with learning machines that provide the intelligence to understand the identity and intent behind each order," Pezely explains. "That understanding allows merchants to turn to automation to block illegitimate orders."

Ticketmaster Blames Bots in Taylor Swift 'Eras' Tour Debacle

When EVs and smart chargers plug in to critical infrastructure, what can go wrong? Plenty.

With more countries reaching the tipping point for electric vehicle (EV) adoption, it's more urgent than ever for the public and private sectors to invest in EV charging infrastructure. A robust and highly secure EV charging ecosystem is essential for ensuring network availability and stability, providing a seamless charging experience to drivers, and achieving zero-emission transportation.

The good news is that EV charging infrastructure build-out is gaining momentum. The downside is that cybersecurity risks are growing along with the charging infrastructure, and cybercriminals are starting to take notice.

Today, EV chargers themselves are the primary target, with hacks ranging from planting ransomware to hijacking charger message screens with politically motivated or objectionable content. In a major wakeup call to manufacturers, a white-hat security specialist demonstrated EV charger hardware and software vulnerabilities. Recent hacks have also shown that EVs, too, are at risk.

**The Vulnerabilities Are Broader Than Chargers and EVs**

The communications networks that connect chargers with their management system, the personal data that travels across those networks, the charge-point operators collecting payments, and the grid itself are increasingly vulnerable as the EV ecosystem grows and the attack surface expands. The risks include (but are not limited to):

*   Disruption of operations for public charger networks, rendering large numbers of chargers unusable and interfering with transportation
*   Takeover of charger networks to use the chargers as bots in massive distributed denial-of-service (DDoS) attacks
*   Theft of customers’ personal identifiable information (PII), including payment card information
*   Fraudulent payments for electricity used in EV charging
*   Disruption to the power grid, leading to blackouts and equipment damage
*   Damage to the EV charging provider's reputation

As IT security experts know, whenever you have digital communications between two points, you have a potential vulnerability. When an EV plugs in to a networked charger, a cascade of bidirectional communications between multiple computers ensues — between the vehicle and the charger, the charger and the driver's mobile app, the charger and the grid, the charger and the back-end management system, the management system and a payment gateway, and the management system and the charge-point operator. That's a broad attack surface.

It takes coordination and commitment across the EV charging ecosystem to achieve the end-to-end security needed for protecting EV charging networks, personal and payment data, and the grid.

**Standards and Protocols Offer a Way Forward**

EV charging and energy management solution providers must commit to industry protocols and standards — developed by global consortiums such as the Open Charge Alliance (OCA) and the International Organization for Standardization (ISO) — and the protections they provide. So do other industry players, such as EV charger manufacturers and their sub-suppliers, automotive manufacturers, and utilities.

Key to network security is Open Charge Point Protocol (OCPP). It governs communications between charging stations and a central management system. The latest version incorporates standards for secure connection setup, security events and logging, and secure firmware updates.

Another essential measure is ISO 27001, a comprehensive framework that covers legal, physical, and technical controls involved in a company's information security and risk management processes Compliance ensures all relevant processes, procedures, and tools are implemented and monitored to protect the EV charging platform.

ISO 15118.20 is an international standard that was updated in 2022 to tighten security requirements for bidirectional communications between a charging station and an EV. The standard provides for plug-and-charge capability, which uses security certificates to automatically identify the EV to the charger and authenticate a payment method. It also governs the exchange of data required for vehicle-to-grid (V2G), which sends energy stored in the EV battery back to the power grid.

**IT Security Best Practices Provide Multilayered Protection**

The first IT security best practice that EV charging ecosystem companies should consider is organizational: Hire a chief information security officer (CISO). With a broad attack surface to defend and the need to protect data from internal and external attacks, the CISO should work closely with the chief technology officer (CTO) to coordinate IT security and EV charging infrastructure security.

The communications and data exchange between management software in the cloud, EV chargers, EVs, and the grid can be protected by IT security best practices such as X.509 public key infrastructure (PKI), transport layer security (TLS), secure "tunneling" across the Internet, and data encryption.

EV charging infrastructure providers must also be concerned with data privacy regulations specific to PII. Any organization transporting, handling, or storing PII should comply with the General Data Protection Regulation (GDPR) in the EU, the Act on the Protection of Personal Information (APPI) in Japan, the California Consumer Privacy Act (CCPA), and the new California Privacy Rights Act (CPRA).

Compliance with Payment Card Industry Data Security Standards (PCI DSS) and SOC 1 security standards provides the security controls and measures to protect credit and debit card transactions during transmission and storage. Controls include using tokens rather than readable data and storing only the final four digits of a credit card. Intelligent safeguards for billing management systems should recognize and prevent fraudulent payment.

Endpoint detection and response (EDR) systems continuously monitor devices connected to the EVcharging management platform, identify intrusions, and enable rapid response so cybercriminals cannot penetrate the network and pivot to other components, whether that is the management software, the car, or the grid.

And conducting annual infrastructure and application penetration tests is essential to discovering potential vulnerabilities and building a solid plan to resolve them.

**The Final Takeaway**

Protecting the EV charging infrastructure from cybercriminals is a job for every participant in the ecosystem. Whether you're considering hosting EV chargers at your place of business or you're an active participant in the ecosystem, security must remain top of mind. A key takeaway from the IT security industry is the recognition that this will be a perpetual battle. The larger the EV charging ecosystem grows, the more monetary value it offers to cybercriminals. The challenge of staying ahead of bad actors, and responding quickly when unknown threats become known, never ends.

Security and the Electric Vehicle Charging Infrastructure

**Woburn, MA – January 23, 2023 –** According to Kaspersky research experts’ predictions for challenges in Security Operation Centers (SOCs) in 2023, the number of incidents in government and mass media segments will increase this year. SOCs from these and other industries are likely to face more reoccurring targeted attacks, as will supply chain attacks via telecommunication providers. Another threat awaiting SOCs will be more initial compromises through public-facing applications. Organizations that are threatened by ransomware attacks might also encounter data destruction. 

**More reoccurring targeted attacks by state-sponsored actors**   

In 2022, Kaspersky experts saw the average number of incidents in the mass media sector double in growth from 263 in 2021, to 561 in 2022.  Throughout the last year, a number of high-profile cases occurred including when Iranian state TV broadcasting was interrupted by hackers during protests in the country. Media outlets were also subject to DDoS attacks like those in Czech Republic. 

Alongside the government sector where the average number of incidents increased by 36% in 2022, mass media became the prime target for cybercriminals among the 13 other analyzed segments including industrial, food, development, financial, and others.

This growth will continue in 2023, with reoccurring targeted attacks by state-sponsored actors.While this is normally relevant for government organizations, the mass media segment has been increasingly targeted during international conflicts that are traditionally accompanied by information warfare where mass media inevitably play an important role.

_“Large businesses and government agencies have always been targets of cybercriminals and state-sponsored actors, but geopolitical turbulence increased attackers’ motivations and enlivened hacktivism, which cybersecurity specialists have not regularly encountered until 2022,”_ said Sergey Soldatov, head of security operation center (SOC) at Kaspersky. “_The new wave of politically-motivated attacks is especially relevant for the government and mass media sectors. To effectively protect a company, it’s necessary to implement a comprehensive threat detection and remediation provided through Managed Detection and Response services._”

**Supply chain attacks via telecommunication providers** 

In 2023, perpetrators may increase supply chain strikes by attacking telecommunication companies. For the first time in 2021, the telecom industry saw a prevalence of high severity incidents throughout the year. While in 2022 the average share of high severity incidents was lower (79 in 2021 per 10k systems monitored, versus roughly 12 in 2022), these companies remain attractive targets for cybercriminals. 

**Ransomware destroyers;** **initial compromises via public-facing applications** 

Throughout 2022, Kasperksy observed a new ransomware trend that will continue in 2023: ransomware actors will not only encrypt companies’ data but also destroy it. This is relevant for organizations which are subject to politically-driven attacks. 

Another threat awaiting SOCs is more initial compromises through public-facing applications. Penetration from the perimeter requires less preparation than phishing and old vulnerabilities are still exposed.

**What SOCs will face internally? Processes and efficiency** 

In 2023, it will be imperative for SOCs to develop the skills of their team to counter the increasing amount of threats. Trainings such as incident response or any form of SOC exercises such as TTX, purple teaming, and advisory attack simulations, will be of vital importance. 

The growing threat landscape leads to increasing budgets and demand for more efficiencies. Increasing numbers of incidents and threats transforms into a need to predict attacks and techniques, raising the value of threat intelligence and hunting. 

To read the full report on SOC challenges in 2023, please visit Securelist.com. Click here to read other KSB pieces.

To protect from the relevant threats, Kaspersky researchers recommend implementing the following measures:

*   Always keep software updated on all the devices you use to prevent attackers from infiltrating your network by exploiting vulnerabilities. Install patches for new vulnerabilities as soon as possible. Once it is downloaded, threat actors can no longer abuse the vulnerability. 
*   Dedicated services can help combat high-profile attacks. The Kaspersky Managed Detection and Response service can help identify and stop intrusions in their early stages, before the perpetrators achieve their goals.  If you encounter an incident, Kaspersky Incident Response service will help you respond and minimize the consequences. In particular, identify compromised nodes and protect the infrastructure from similar attacks in the future.
*   Use the latest Threat Intelligence information to stay aware of actual TTPs used by threat actors.
*   Choose a reliable endpoint security solution such as Kaspersky Endpoint Security for Business that is equipped with behavior-based detection and anomaly control capabilities for effective protection against known and unknown threats.

**About Kaspersky**

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelli-gence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.

SOCs to Face Greater Challenges From Cybercriminals Targeting Governments and Media in 2023

By Habiba Rashid
The Ohio-based airline, CommuteAir, responsible for the incident confirmed the legitimacy of the data to the media.
This is a post from HackRead.com Read the original post: The U.S. ‘No Fly List’ Found On the Open Internet

The No Fly List and other sensitive files were discovered by Maia Arson Crimew, a Swiss security researcher and hacker, while searching for Jenkins servers on Shodan.

A Swiss hacker by the name of Maia Arson Crimew discovered an unsecured server run by the Ohio-based airline, CommuteAir, a United Express carrier. The hacker claims they found the server while searching for Jenkins servers on **Shodan**, a specialized search engine used by cybersecurity researchers to locate exposed servers and misconfigured databases on the Internet.

After a while of skimming through the files, Crimew claimed to have found a file labelled “NoFly.csv,” which turned out to be a legitimate U.S. no-fly, **terrorist** watch list from 2019.

The 80-MB exposed file, first reported on by the Daily Dot, is a smaller subset of the U.S. government’s Terrorist Screening Database, maintained and used by the DOJ, FBI, and Terrorist Screening Center (TSC).

With over 1.5 million entries, the file contains the first names, last names, and dates of birth of people with suspected or known ties to terrorist organizations.

This should not come as a surprise, since the US (along with China) **topped the 2021 list of countries** that exposed the most misconfigured databases online.

The leak of the No Fly List should not be a jaw-dropper, as **in August 2021**, the US government’s secret terrorist watchlist with two million records was exposed online. However, the watchlist was exposed on a misconfigured server hosted on a Bahrain IP address instead of a US one.

As for the latest breach, CommuteAir confirmed the legitimacy of the data, stating that it was a version of the federal no-fly list from approximately four years ago. CommuteAir **told** the Daily Dot that the unsecured server had been used for testing purposes and was taken offline before the Daily Dot published their article.

They have also reported the data exposure to the Cybersecurity and Infrastructure Security Agency (**CISA**).CommuteAir further confirms that the server did not expose any customer information, based on an initial investigation. However, the same cannot be said for the safety of the employees’ data.

On the other hand, the hacker, Crimew claims in their **report** to have found extensive personally identifiable information (PII) about 900 of the crewmates including their full names, addresses, phone numbers, passport numbers, pilot’s license numbers and much more. User credentials to more than 40 **Amazon S3 buckets** and servers run by CommuteAir were also exposed, said crime.

Screenshot from the exposed data (Credit: Maia Arson Crimew)

The list contained notable figures such as the Russian arms dealer Victor Bout who was recently freed in exchange for the WNBA star Brittney Griner. Since the list contained over 16 potential aliases for him, many other entries in the list are likely aliases of the same person and the number of individuals is far less than 1.5 million. 

Certain names on the list also belong to suspected members of the IRA, the Irish paramilitary organization. The list contained someone as young as 8 years old, based on their birth date, according to crime. 

The majority of the names, however, appeared to be of Arabic or Middle Eastern descent, along with Hispanic and Anglican-sounding names. The entire dataset is available on the official website of DDoSecrets, upon request.

Screenshot from the DDoSecrets website

Although it is rare for this list to be leaked and is considered highly secretive, it is not labelled as a classified document due to the number of agencies and individuals that access it. 

In a statement to the Daily Dot, TSA stated that it was “aware of a potential cybersecurity incident with CommuteAir, and we are investigating in coordination with our federal partners.”

1.  UN: Terrorists can access WMDs via Dark Web
2.  Dow Jones’ screening watchlist data exposed online
3.  US disrupts 3 crypto campaigns run by terror groups
4.  Muslim Hackers Hack ISIS site; expose subscribers’ list
5.  Server leaked US military’s social media spying campaign

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

The U.S. ‘No Fly List’ Found On the Open Internet

The growing use of mobile devices for MFA and the proliferation of 5G and VoIP in general could result in more attacks in future, experts say.

The growing use of mobile devices for multifactor authentication increasingly has made telecom providers a juicy target for cybercrime. An ongoing SIM card-swapping campaign by a Chinese threat actor called "Scattered Spider" is just the latest example of that trend.

Scattered Spider is an APT group that researchers from CrowdStrike have been tracking for the past several months. The group has been targeting telecom companies and business-process outsourcing (BPO) firms that support these telecom companies with the objective of gaining access to their respective carrier networks.

**SIM-Jacking Via the Carrier Network**

In at least two instances where the threat actor gained that access, they used it to do SIM swapping, a process where an adversary essentially transfers another person's phone number to their SIM card. Attackers can then use the hijacked phone number to access bank accounts or any other account where the legitimate user might have registered the phone as a second form of authentication. SIM jacking also gives attackers a way to register and associate rogue devices to accounts on compromised networks.

Bud Broomhead, CEO at Viakoo, says the wide use of mobile networks for multifactor authentication has painted a big target on telecom providers. "While there have always been efforts to breach telecom systems, the increased reliance on them for security has increased the frequency of attacks against them," he says.

In the campaigns that CrowdStrike observed, Scattered Spider gained initial access to a targeted telecom or BPO network by impersonating IT personnel and convincing individuals working at these organizations to part with their credentials or to grant remote access to their computers. Once inside the target environment the threat actors moved laterally across it — often using legitimate tools such as Windows Management Instrumentation — till they gained access to the carrier network.

The group has targeted multiple telecom firms since at least June 2022 and has simply kept moving to different targets each time it gets booted from one, prompting CrowdStrike to describe the campaign as an "extremely persistent and brazen" threat. Recently, CrowdStrike observed Scattered Spider deploy a malicious kernel driver via a vulnerability exploit as part of its attack chain.

Adam Meyers, senior vice president of intelligence at CrowdStrike, says Scattered Spider's campaign appears to be financially motivated and therefore different from the many attacks on carrier networks focused on cyber espionage.

"Based on what we have seen, they are focused on SIM swapping," Meyers says. "When you have two factor-authentication and do a SIM swap, you can bypass that authentication."

**Crime v. Espionage**

Campaigns like Scattered Spider represent a relatively new kind of attack on carrier networks. In recent years, many campaigns that targeted telecom companies have focused on some form of intelligence-gathering activity and have often involved advanced persistent threat groups from countries such as China, Iran, and Turkey, Meyers notes. The goal usually is to intercept communications and to harvest the detailed information available in call data records (CDRs), he says. CDRs can be very powerful for monitoring and tracking individuals, he says.

Back in 2019, Cybereason reported on one such campaign that it dubbed Operation Soft Cell, where a Chinese APT group infiltrated carrier networks belonging to a major telecommunication company to steal CDRs. The security vendor assessed at the time that the campaign had been active since at least 2012, giving the threat actor access to data that would have helped the government target politicians, foreign intelligence agencies, dissidents, law enforcement, and others.

In 2021, CrowdStrike reported on a multi-year campaign where a threat actor called Light Basin broke into at least 13 telecom networks worldwide and systematically stole Mobile Subscriber Identity (IMSI) data and call metadata on users. The threat actor installed tools on the carrier networks that allowed it to intercept call and text messages, call information, and records for tracking and monitoring targeted individuals.

More recently, Bitdefender reported observing a Chinese threat actor targeting a telecom firm in the Middle East in a cyber-espionage campaign. "The attack carries the hallmarks of BackdoorDiplomacy, a known APT group with ties to China," says Danny O’Neill, director of MDR operations at Bitdefender. The initial compromise used binaries vulnerable to side-loading techniques and likely involved an exploit of the ProxyShell vulnerability in Microsoft Exchange Server, he says.

"Once inside, the APT used multiple tools — some legit and some custom — and malware to spy, move laterally across the environment, and evade detection," he says.

**Catalysts for More Attacks?**

Meyers and others expect that the proliferation of 5G networks and VoIP services in general in coming years will make it easier for threat actors to execute these attacks on telecommunication companies. Newer telecom services such as 5G are susceptible to cyberattacks because everything — including the core networks — are software designed, O'Neill says. That means all the risks associated with software technologies will manifest on carrier networks as well, he says.

"There are going to be a greater number of cells, pico-cells, and micro-cells required to deliver the coverage given the much higher operating frequencies of 5G," O'Neill points out. From an attacker's perspective, this equates to more access and entry points, he says.

"The almost universal adoption of voice over IP technology has made pretty much every network a data network and blurred the lines between mediums," says Mike Parkin, senior technical engineer at Vulcan Cyber. "It's hard to separate old school voice telecommunication from today’s data networks," he says.

**Why Disruptive Cyberattacks Remain Rare**

One notable aspect of attacks on carrier networks is that very few so far have involved attempts to cause widespread service outages or sabotage — a major concern with attacks on organizations in other critical infrastructure sectors. In its 2019 report, Cybereason in fact had noted how the attackers could have used their access on the telecom network to do pretty much anything they had wanted: "A threat actor with total access to a telecommunications provider, as is the case here, can attack however they want passively and also actively work to sabotage the network."

That is an assessment that Meyers shares about the Scattered Spider campaign as well.

One reason why disruptive cyberattacks on telecom infrastructure might not have happened so far is because they are really not necessary.

"The primary motivation for attacks on signal-carrying networks is espionage," says John Bambenek, principal threat hunter at Netenrich. "Certainly, there are sabotage interests, but those are usually correlated to the proximity of physical conflict." As an example, he points to Russian attacks on Ukraine's telecom infrastructure at the start of the war.

Pulling off a disruptive cyberattack on a telecom network often is not needed because other, more straightforward options are available. "What we see many examples of is disruption due to physical means. Getting a little out of hand with a backhoe in the wrong place has disrupted communications for entire metropolitan areas," he says.

The shift to VoIP means old school tactics such as DDoS attacks could soon become an effective way to disrupt a carrier network, adds Parkin. Even so, other methods are easier, he says.

"A crowbar can gain access to a wiring trunk, and a pair of bolt cutters can make short work of the cables inside," Parkin says. "Taking out wireless communications takes more sophisticated equipment, but a couple of signal jammers could take down a surprisingly large area."

**Regs to the Rescue**

Going forward, governments and regulatory bodies will have to take a more active role in ensuring the security of the telecom sector against cyberattacks. Parkin points to recent steps by the US, UK, and other governments to mitigate against perceived "high risk" vendors and equipment manufacturers that sit at the core of telco networks as an example of what's needed in future.

"Government influence in achieving end-to-end cybersecurity should focus foremost on governance and regulatory requirements," O'Neill notes. "Existing policies and standards need to be developed and strengthened to incorporate new services like 5G."

He fears that operators, if left unchecked, could default to focusing on availability and convenience at the expense of security.

Cybercriminals Target Telecom Provider Networks

Threat actors are diversifying across all aspects to attack critical infrastructure, muddying the threat landscape, and forcing industrial organizations to rethink their security.

The motive of financial and political gain — fueled partially by the ongoing conflict in Ukraine — has emboldened threat actors to barrage industrial control systems (ICS) with ever more disruptive cyberattacks, diversifying the threat landscape for critical infrastructure, new research shows.

This trend is expected to continue throughout 2023 with attackers arming themselves with new tactics and malware, forcing ICS operators to level up if they want to protect their networks, according to Nozomi Networks' "OT/IoT Security Report: A Deep Look Into the ICS Threat Landscape" for the second half of 2022, published Jan. 18.

It used to be that nation-state actors were the leading perpetrators of attacks against ICS, primarily using remote access Trojans (RATs) to drop malware payloads and gain remote access to networks, as well as mounting distributed denial-of-service (DDoS) attacks to cause "inconvenient" disruption, says Roya Gordon, security research evangelist at Nozomi Networks. "Historically, critical infrastructure disruptions were seen as a nation-state tactic," she says.

However, the now-infamous Colonial Pipeline attack in May 2021 marked a significant shift in this trend. In that incident, a ransomware attack that started with a stolen password caused panic and gas shortages across the eastern United States, and attackers realized how disruptive and potentially lucrative new attack vectors could be, she says.

"The Colonial Pipeline attack demonstrated how cybercriminals can leverage ransomware attacks on critical infrastructure — since they tend to depend heavily on real-time data, and have the means to meet ransom demands — for financial gain," Gordon notes.

Then with Russia's attack on Ukraine last February, attacks on ICS got political, with hacktivists, traditionally known for data breaches and DDoS attacks, wielding destructive wiper malware to disrupt transportation systems such as railroads and other critical infrastructure in the Ukraine for political gain, she says.

This marked a shift in not only who was attacking ICS, but how and for what motive they were launching these attacks, Gordon says. "All in all, this unprecedented level of activity across all fronts should cause us concern."

**Top ICS Cyberattack Trends**

The report identified top trends in the ICS threat landscape based on a compilation of information from various sources including open source media, CISA ICS-CERT advisories, and Nozomi Networks telemetry, as well as on exclusive IoT honeypots that Nozomi researchers employ for "a deeper insight into how adversaries are targeting OT and IoT, furthering the understanding of malicious botnets that attempt to access these systems," Gordon says.

What researchers observed over the last six months was a significant uptick in attacks that caused disruption to a number of industries, with transportation and healthcare being among the top new sectors finding themselves in the crosshairs of adversaries among more traditional targets.

Attackers are using various methods of initial entry to ICS networks, although some common weak security links that have historically plagued not just ICS but the entire enterprise IT sector — weak/cleartext passwords and weak encryption — continue to be the top access threats.

Still, “Root” and “admin” credentials are most often used as a way for threat actors to gain initial access and escalate privileges once in the network, the findings show. Other ways threat actors find their way in include brute-force attacks and DDoS attempts.

In terms of malware, RATs remain the most common malware detected against ICS, while DDoS malware and unusually high and still-rising IoT botnet activity continued to be the top threat for IoT devices on a network. The use of default credentials to hack IoT devices was the primary means of entry for IoT botnets, the researchers found.

Over the second half of last year, attacks on ICS spiked in July, October, and December, with more than 5,000 unique attacks in each of those months. Manufacturing and energy remained the most vulnerable industries, followed by water/wastewater, healthcare, and transportation systems.

Interestingly, despite the uptick in targeting Ukraine, the top attacker IP addresses observed in the second half of 2023 didn't come from Russia nor countries that side with Russia, the researchers found. Instead, the main IP addresses associated with ICS attacks were in China, the US, South Korea, and Taiwan, according to Nozomi's data.

**The Look Ahead**

Top among ICS/IoT threats to watch out for: adversaries will use hybrid threat tactics that don't follow what operators may have seen in the past, which means "it will become increasingly difficult to categorize types of threat actors based on TTPs and motives," according to the report.

Organizations in the healthcare sector — which saw a spike in attacks when COVID-19 hit that has continued even as the pandemic largely wanes — should be mindful to stay on top of medical-device updates, according to Nozomi. Threat actors will likely use exploits to access medical systems that aggregate device data, a manipulation that can have dire and even life-threatening consequences for patients, potentially leading to malfunctions, misreadings, or even overdoses in automatic release of medication.

Another new threat on the horizon is from AI-driven chatbots that attackers will use for malicious purposes, such as writing code or developing exploits for vulnerabilities. They also can use them to generate more accurate phishing/social engineering texts that can be used as entry access to ICS networks, the researchers said.

"All this could reduce the time it takes to develop targeted threat campaigns, thus increasing the frequency of cyberattacks," according to the report.

Though the news appears gloomy, securing ICS against oncoming threats can be as simple as practicing "basic cyber hygiene," employing typical IT security practices that any organization already should be using, Gordon says.

"While threat actors may have the capability to access OT and IoT directly, it's one of their long-standing strategies to first breach IT and pivot into OT," she says. "Therefore, taking steps to secure IT is key."

ICS Confronted by Attackers Armed With New Motives, Tactics, and Malware

Plex media server 1.21 and before is vulnerable to ddos reflection attack via plex service.

****0x00****概述****

百度智云盾团队在2021年1月首次捕获到利用Plex（媒体播放平台）的网络服务发起的DDoS反射攻击。据现有资料表明，这种反射攻击方式尚属全网首次出现，智云盾系统在2秒内识别攻击，实时对流量做了隔离和清洗，保障用户免遭DDoS的伤害。

本次攻击事件中黑客利用了基于Plex服务发起的DDoS反射攻击，Plex是一套媒体播放平台，基于UDP协议提供服务，由于UDP协议的不可靠性质，导致开启该服务的主机容易被黑客利用作为反射源进行DDoS反射攻击。

****0x01****反射原理****

攻击者采用反射方式实施DDoS攻击时，不是直接攻击受害者IP，而是伪造了大量受害者IP的请求发给相应的开放服务，通常这类开放服务不对源进行校验而是立即完成响应，这样更大更多的响应数据包发送到受害者IP，从而实现了流量的反射，这类开放服务就是反射源。

原理如下图所示：

图1 反射攻击原理示意图

图1中攻击者P伪造了请求包BA并发送到PA，但BA的源IP是PV，所以PA响应的时候发送BV给到PV。

反射攻击一方面隐藏了攻击IP，同时还有一个重要特征是放大，上述原理图中的BV往往是BA的好几倍，甚至是成千上万倍。正是有了这样的特性，黑客组织乐此不疲的使用这一攻击方式，并不断的研究新型反射攻击增强攻击效果。

****0x02****攻击分析****

智云盾系统检测到攻击时，自动对攻击流量进行采样，安全专家对采样包及时进行了深层次的分析和演练。本次攻击事件共涉及反射源2451个。

**攻击包分析**

通过分析智云盾的攻击采样包发现，反射流量的端口来自于32414端口，下图红色箭头指向的是反射源端口：

图2 采样包内攻击来源端口图

采样包中udp携带的攻击载荷如下图所示：

图3 攻击载荷

数据包中的攻击载荷固定包含plex/media-server，通过搜索分析，这是一套媒体播放平台的服务器软件。攻击载荷如下图所示：

图4 格式化后的攻击载荷

**攻击模拟**

为了进一步分析，我们在一台纯净的ubuntu16.04上安装了Plex服务，安装完成后查看服务绑定的端口号，如下图所示：

图5

可以看到Plex服务监听32410、32412、32413和32414四个udp端口，通过对攻击载荷的分析，并借鉴设备查询请求的消息格式，我们编写软件向这几个端口发送攻击载荷为M-SEARCH \* HTTP/1.1的udp数据包，并针对反射源IP进行抓包，最后发现32410与32414均有响应。复现攻击如下图所示：

图6 反射源的响应

图7 抓包结果

我们在模拟攻击请求的验证中，发出一个载荷长度为20字节，获取到的响应包载荷为258字节。

**放大倍数**

按照我们前期对反射倍数的研究结果，科学的统计放大倍数，应当包括数据包协议头和网络帧间隙。详细的方案可以参阅《MEMCACHED DRDoS攻击趋势》一文。

协议头和网络帧间隙计算为：14（以太头）+20（IP头）+8（UDP头）+4（FCS头）+20（帧间隙）=66字节，所以计算实际响应的数据包大小为258+66=324字节，请求包大小为20+66=86字节。

最终我们计算得到的放大倍数为324/86=3.77倍。

对比udpflood可以伪造大数据包攻击，3.77倍的放大攻击实际能达到的效果并不理想，攻击者之所以热衷于此类探索，一方面是反射攻击是个『技术活』，另一方面他们还有一个倍数『更大』的计算方法，业内也比较流行，就是只计算请求响应的载荷比。这里的Plex反射则可以达到258/20=12.9倍，放大倍数一下就超过了10倍。

****0x03****反射源分析******Plex服务介绍**

Plex是一套全面的影音媒体播放平台，包括一整套媒体播放器及服务器软件，个人用户可以利用这个平台整理电脑、NAS、XBOX等设备上的电影、音乐、电视和图片文件，并可以方便的在朋友间分享。Plex服务向个人用户免费开放，支持大多数平台，随着家庭影音的普及，相信未来部署Plex服务系统或设备会越来越多。

**全网数据**

我们在shodan、zoomeye等全网扫描数据库中查询32410、32414等端口获取到的IP数据非常少，说明当前Plex服务受关注度还比较低。

受限于其他原因，我们没有对Plex服务进行全网扫描。

**反射源分析**

对参与此次攻击的反射源进行了调查分析，其中被利用的反射源主要来源于海外。下图是IP分布情况：

图8 反射源IP分布

通过分析攻击包载荷中的name字段（主机标识）可以发现，主机标识大多数不重复，且未使用默认的主机标识，多数为个人用户配置使用。下图展示了此次攻击的反射源主机信息：

图9 反射源的主机信息

****0x04****防范建议****

反射攻击与传统的flood攻击相比，能更好的隐藏攻击者，并且产生的流量更大，因而反射攻击越来越受到黑客青睐。

建议参考以下方式提升防护能力。

*   对互联网服务应避免被滥用，充当黑客攻击的帮凶
    
    1.  禁用UDP服务，不能禁用时，应确保响应与请求不要有倍数关系
        
    2.  启用的UDP服务应采取授权认证，对未授权请求不予响应
        
*   对企业用户应做好防范，减少DDoS对自有网络和业务的影响
    
    1.  如果没有UDP相关业务，可以在上层交换机或者本机防火墙过滤UDP包
        
    2.  寻求运营商提供UDP黑洞的IP网段做对外网站服务
        
    3.  选择接入DDoS云防安全服务对抗大规模的DDoS攻击
        

**DDoS攻击防护：https://anquan.baidu.com/productDetail/1**

CVE-2021-33959: 预警：基于Plex媒体播放平台的DDoS反射攻击来袭 - FreeBuf网络安全行业门户

Most people who operate DDoS-for-hire services attempt to hide their true identities and location. Proprietors of these so-called “booter” or “stresser” services — designed to knock websites and users offline — have long operated in a legally murky area of cybercrime law. But until recently, their biggest concern wasn’t avoiding capture or shutdown by the feds: It was minimizing harassment from unhappy customers or victims, and insulating themselves against incessant attacks from competing DDoS-for-hire services.

And then there are booter store operators like John Dobbs, a 32-year-old computer science graduate student living in Honolulu, Hawaii. For at least a decade until late last year, Dobbs openly operated IPStresser[.]com, a popular and powerful attack-for-hire service that he registered with the state of Hawaii using his real name and address. Likewise, the domain was registered in Dobbs’s name and hometown in Pennsylvania.

The only work experience Dobbs listed on his resume was as a freelance developer from 2013 to the present day. Dobbs’s resume doesn’t name his booter service, but in it he brags about maintaining websites with half a million page views daily, and “designing server deployments for performance, high-availability and security.”

In December 2022, the U.S. Department of Justice seized Dobbs’s IPStresser website and charged him with one count of aiding and abetting computer intrusions. Prosecutors say his service attracted more than two million registered users, and was responsible for launching a staggering 30 million distinct DDoS attacks.

Most people who operate DDoS-for-hire businesses attempt to hide their true identities and location. Proprietors of these so-called “booter” or “stresser” services — designed to knock websites and users offline — have long operated in a legally murky area of cybercrime law. But until recently, their biggest concern wasn’t avoiding capture or shutdown by the feds: It was minimizing harassment from unhappy customers or victims, and insulating themselves against incessant attacks from competing DDoS-for-hire services.

And then there are booter store operators like **John Dobbs**, a 32-year-old computer science graduate student living in Honolulu, Hawaii. For at least a decade until late last year, Dobbs openly operated **IPStresser\[.\]com**, a popular and powerful attack-for-hire service that he registered with the state of Hawaii using his real name and address. Likewise, the domain was registered in Dobbs’s name and hometown in Pennsylvania.

Dobbs, in an undated photo from his Github profile. Image: john-dobbs.github.io

The only work experience Dobbs listed on his resume was as a freelance developer from 2013 to the present day. Dobbs’s resume doesn’t name his booter service, but in it he brags about maintaining websites with half a million page views daily, and “designing server deployments for performance, high-availability and security.”

In December 2022, the U.S. Department of Justice seized Dobbs’s IPStresser website and charged him with one count of aiding and abetting computer intrusions. Prosecutors say his service attracted more than two million registered users, and was responsible for launching _a staggering 30 million distinct DDoS attacks_.

The government seized four-dozen booter domains, and criminally charged Dobbs and five other U.S. men for allegedly operating stresser services. This was the Justice Department’s second such mass takedown targeting DDoS-for-hire services and their accused operators. In 2018, the feds seized 15 stresser sites, and levied cybercrime charges against three men for their operation of booter services.

Dobbs’s booter service, IPStresser, in June 2020. Image: archive.org.

Many accused stresser site operators have pleaded guilty over the years after being hit with federal criminal charges. But the government’s core claim — that operating a booter site is a violation of U.S. computer crime laws — wasn’t properly tested in the courts until September 2021.

That was when a jury handed down a guilty verdict against **Matthew Gatrel**, a then 32-year-old St. Charles, Ill. man charged in the government’s first 2018 mass booter bust-up. Despite admitting to FBI agents that he ran two booter services (and turning over plenty of incriminating evidence in the process), Gatrel opted to take his case to trial, defended the entire time by court-appointed attorneys.

Prosecutors said Gatrel’s booter services — downthem\[.\]org and ampnode\[.\]com — helped some 2,000 paying customers launch debilitating digital assaults on more than 20,000 targets, including many government, banking, university and gaming websites.

Gatrel was convicted on all three charges of violating the Computer Fraud and Abuse Act, including conspiracy to commit unauthorized impairment of a protected computer, conspiracy to commit wire fraud, and unauthorized impairment of a protected computer. He was sentenced to two years in prison.

Now, it appears Dobbs is also planning to take his chances with a jury. On Jan. 4, Dobbs entered a plea of not guilty. Neither Dobbs nor his court-appointed attorney responded to requests for comment.

But as it happens, Dobbs himself provided some perspective on his thinking in an email exchange with KrebsOnSecurity back in 2020. I’d reached out to Dobbs because it was obvious he didn’t mind if people knew he operated one of the world’s most popular DDoS-for-hire sites, and I was genuinely curious why he was so unafraid of getting raided by the feds.

“Yes, I am the owner of the domain you listed, however you are not authorized to post an article containing said domain name, my name or this email address without my prior written permission,” Dobbs replied to my initial outreach on March 10, 2020 using his email address from the University of Hawaii at Manoa.

A few hours later, I received more strident instructions from Dobbs, this time via his official email address at ipstresser\[.\]com.

“I will state again for absolute clarity, you are not authorized to post an article containing ipstresser.com, my name, my GitHub profile and/or my hawaii.edu email address,” Dobbs wrote, as if taking dictation from a lawyer who doesn’t understand how the media works.

When pressed for particulars on his business, Dobbs replied that the number of IPStresser customers was “privileged information,” and said he didn’t even advertise the service. When asked whether he was concerned that many of his competitors were by then serving jail time for operating similar booter services, Dobbs maintained that the way he’d set up the business insulated him from any liability.

“I have been aware of the recent law enforcement actions against other operators of stress testing services,” Dobbs explained. “I cannot speak to the actions of these other services, but we take proactive measures to prevent misuse of our service and we work with law enforcement agencies regarding any reported abuse of our service.”

What were those proactive measures? In a 2015 interview with _ZDNet France_, Dobbs asserted that he was immune from liability because his clients all had to submit a digital signature attesting that they wouldn’t use the site for illegal purposes.

“Our terms of use are a legal document that protects us, among other things, from certain legal consequences,” Dobbs told ZDNet. “Most other sites are satisfied with a simple checkbox, but we ask for a digital signature in order to imply real consent from our customers.”

Dobbs told KrebsOnSecurity his service didn’t generate much of a profit, but rather that he was motivated by “filling a legitimate need.”

“My reason for offering the service is to provide the ability to test network security measures before someone with malicious intent attacks said network and causes downtime,” he said. “Sure, some people see only the negatives, but there is a long list of companies I have worked with over the years who would say my service is a godsend and has helped them prevent tens of thousands of dollars in downtime resulting from a malicious attack.”

“I do not believe that providing such a service is illegal, assuming proper due diligence to prevent malicious use of the service, as is the case for IPstresser\[.\]com,” Dobbs continued. “Someone using such a service to conduct unauthorized testing is illegal in many countries, however, the legal liability is that of the user, not of the service provider.”

Dobbs’s profile on GitHub includes more of his ideas about his work, including a curious piece on “software engineering ethics.” In his January 2020 treatise “My Software Engineering Journey,” Dobbs laments that nothing in his formal education prepared him for the reality that a great deal of his work would be so tedious and repetitive (this tracks closely with a 2020 piece here called Career Choice Tip: Cybercrime is Mostly Boring).

“One area of software engineering that I think should be covered more in university classes is maintenance,” Dobbs wrote. “Projects are often worked on for at most a few months, and students do not experience the maintenance aspect of software engineering until they reach the workplace. Let’s face it, ongoing maintenance of a project is boring; there is nothing like the euphoria of completing a project you have been working on for months and releasing it to the world, but I would say that half of my professional career has been related to maintenance.”

**Allison Nixon** is chief research officer at the New York-based cybersecurity firm Unit 221B. Nixon is part of a small group of researchers who have been closely tracking the DDoS-for-hire industry for years, and she said Dobbs’s claim that what he’s doing is legal makes sense given that it took years for the government to recognize the size of the problem.

“These guys are arguing that their services are legal because for a long time nothing happened to them,” Nixon said. “It’s difficult to argue something is illegal if no one has ever been arrested for it before.”

Nixon says the government’s fight against the booter services — and by extension other types of cybercrimes — is hampered by a legal system that often takes years to cycle through cybercrime cases.

“With cybercrime, the cycle between the crime and investigation and arrest can often take a year or more, and that’s for a really fast case,” Nixon said. “If someone robbed a store, we’d expect a police response within a few minutes. If someone robs a bank’s website, there might be some indication of police activity within a year.”

Nixon praised the 2022 and 2018 booter takedown operations as “huge steps forward,” but added that “there need to be more of them, and faster.”

“This time lag is part of the reason it’s so difficult to shut down the pipeline of new talent going into cybercrime,” she said. “They think what they’re doing is legal because nothing has happened, and because of the amount of time it takes to shut these things down. And it’s really a big problem, where we see a lot of people becoming criminals on the basis that what they’re doing isn’t really illegal because the cops won’t do anything.”

In December 2020, Dobbs filed an application with the state of Hawaii to withdraw IP Stresser Inc. from its roster of active companies. But according to prosecutors, Dobbs would continue to operate his DDoS-for-hire site until at least November 2022.

Two months after our 2020 email interview, Dobbs would earn his second bachelor’s degree (in computer science; his resume says he earned a bachelor’s in civil engineering from Drexel University in 2013). The federal charges against Dobbs came just as he was preparing to enter his final semester toward a master’s degree in computer science at the University of Hawaii.

Nixon says she has a message for anyone involved in operating a DDoS-for-hire service.

“Unless you are verifying that the target owns the infrastructure you’re targeting, there is no legal way to operate a DDoS-for-hire service,” she said. “There is no Terms of Service you could put on the site that would somehow make it legal.”

And her message to the customers of those booter services? It’s a compelling one to ponder, particularly now that investigators in the United States, U.K. and elsewhere have started going after booter service customers.

“When a booter service claims they don’t share logs, they’re lying because logs are legal leverage for when the booter service operator gets arrested,” Nixon said. “And when they do, you’re going to be the first people they throw under the bus.”

Thinking of Hiring or Running a Booter Service? Think Again.

By Waqas
The data is now available for download on DDoSecrets and the official website Enlace Hacktivista.
This is a post from HackRead.com Read the original post: Hacktivists Leak 1.7TB of Cellebrite, 103GB of MSAB Data

According to the Enlace Hacktivista group, the Cellebrite and MSAB data (both are smartphone forensic firms) was provided to them by an “anonymous whistleblower.”

The Israeli mobile forensics firm, **Cellebrite**, has apparently suffered yet another data breach in which hackers managed to steal 1.7 TB of data. The hackers are also claiming to have stolen 103 GB of data from MSAB, a Sweden-based forensics firm.

In both cases, the trove of information is available for download on DDoSecrets and the official website **Enlace Hacktivista**. It is worth noting that, according to Enlace Hacktivista, the Cellebrite and MSAB data was provided to them by an “anonymous whistleblower.”

**Cellebrite Data Leak Details**

The Petah Tikva, Israel-based Cellebrite is **frequently criticized** for aiding governments with its tools and spyware to monitor the activities of human rights activists, officials, dissidents, and journalists.

Cellebrite UFED (Universal Forensics Extraction Device) is among its most famous services availed by intelligence agencies and law enforcement authorities globally to access data from mobile devices seized during investigations.

This time, however, the company has become a target of the data breach. The data was later posted online by Enlace Hacktivista and DDoSecrets. Further analysis revealed that 103 GB of data from MSAB, a Sweden-based forensics firm, was also leaked. The firm is **criticised for** providing services to repressive regimes including Myanmar’s security forces.

Both databases are currently being offered for downloading through torrents and direct downloads from **DDoSecrets** and **Enlance Hacktivista**.

Here, it is worth mentioning that Cellebrite is known for breaking into passcode-secured smartphones, including Android and iOS devices, and extracting their data. In fact, **in 2019, the company claimed** its new tool could unlock “almost any iOS and Android device.

Reportedly, Cellebrite also played a major role in unlocking the iPhone device of San Bernardino back in 2016. Nevertheless, the apparent hack should not come as surprise since Cellebrite has a history of data breaches.

**Previous Cellebrite Data Breaches**

1.  Cellebrite Hacked; 900 GB data stolen
2.  Anonymous Source Leaks 4TB of Cellebrite Data
3.  Signal CEO hacks Cellebrite cellphone hacking tool
4.  iPhone hacking tool Cellebrite is being sold on eBay
5.  Hacker Dumps Hacking Tools Stolen from Cellebrite

**Who Stole the Data?**

Enlance Hactivista’s homepage revealed that they received the data from an anonymous whistleblower. They received it on January 13th, 2023. However, DDoSecrets and Enlance Hacktivista hadn’t made any claims about the source of data, its validity, and the sender’s identity.

**What Data is Leaked?**

An analysis of the 1.7TB archive indicated that it contained the full suite of Cellebrite programs. This includes its flagship software UFED, the Physical Analyser, Physical Analyser Ultra, license tools, and the Cellebrite Reader.

Moreover, there were technical guides and files used to localize the software. Customer documents were also part of the archive, dated from November 19th to December 3rd, 2022.

It is reported that sensitive data wasn’t leaked, and Cellebrite’s systems or customer information wasn’t impacted. Most of the leaked files are world maps and translation packs.

1.  Clearview AI firm with photos of billions of HACKED
2.  US govt gets its hand on $15,000 iPhone cracking device
3.  Textalyzer Tells Police Everything Users Do on Smartphone
4.  Securus firm that lets US Cops track cellphone users is hacked
5.  Leaked info confirms in-house hacking capabilities of Cellebrite

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Hacktivists Leak 1.7TB of Cellebrite, 103GB of MSAB Data

By Deeba Ahmed
NoName057(16) is a group that has been targeting NATO and Czech presidential election candidates' websites recently.
This is a post from HackRead.com Read the original post: GitHub Disables Pages of Pro-Russia DDoS Group NoName057(16)

NoName057(16) utilized GitHub for hosting most of its malicious activities, including hosting its DDoS page.

NoName057(16) is a pro-Russia hacktivist collective known for targeting several businesses and organizations in European countries, including Poland and Lithuania. The group had its accounts **disabled by GitHub** for attempting to launch DDoS attacks against the Czech presidential election candidates’ websites last week.

As per the analysis of SentinelOne cybersecurity researchers, the campaigns were launched through public Telegram channels. The group used a DDoS payment program supported by volunteers, GitHub, and a multi-OS compatible toolkit.

One of the GitHub repositories used by the group (Image credit: SentinelOne)

According to SentinelOne’s senior threat researcher, Tom Hegel, NoName057(16) utilized GitHub for hosting most of its malicious activities, including hosting its DDoS website, and the associated **GitHub repositories** were used for hosting the latest versions of their tools.

Additionally, researchers noted that the pro-Russia hacktivists were focused on disrupting sites of countries critical to the **Russian invasion of Ukraine** since initial attacks were focused on Ukrainian news platforms. Later, they targeted NATO-linked entities, including attacks against Denmark’s central bank and several other financial institutions.

“For example, the first disruption the group claimed responsibility for were the March 2022 DDoS attacks on Ukraine news and media websites Zaxid, Fakty UA, and others. Overall the centre of the motivations around silencing what the group deems to be anti-Russian,” SentinelOne **report** read.

Researchers notified GitHub Trust & Safety team about this issue. The platform responded quickly and removed all the malicious accounts on Tuesday. The company’s spokesperson stated that the accounts were disabled per **GitHib’s Acceptable Use Policies**.

“We disabled the accounts in accordance with GitHub’s Acceptable Use Policies, which prohibit posting content that directly supports unlawful active attacks or uses GitHub as a means to deliver malicious executables,” the spokesperson said.

1.  Pro-Russian Killnet group hits UK firms with DDoS attacks
2.  US Blacklists Tornado Cash, GitHub Removes its Co-Founder
3.  Russian Killnet Group Hit Top Lithuanian sites with DDoS attack
4.  Russian electronic voting system hit by 19 DDoS attacks in one day
5.  DDoS App Meant to Hit Russia Infected Android Phones of Ukrainians

Tag

#ddos