By Waqas
The DDoS attacks also targeted the country’s largest airport, the Defence and Foreign Ministry. As US House Speaker…
This is a post from HackRead.com Read the original post: Taiwanese President and Top Govt Sites Hit by DDoS Attacks Amid Pelosi visit

****The DDoS attacks also targeted the country’s largest airport, the Defence and Foreign Ministry.****

As US House Speaker Nancy Pelosi began her visit to Taiwan, the island nation’s websites were hit with a series of **DDoS attacks** (Distributed Denial-of-Service attacks). While it is not yet clear who was behind the attacks, experts say that they could be the work of Chinese hackers.

Among the affected websites are the official website of the president of Taiwan Tsai Ing-wen, the website of the Foreign Affairs Ministry, the website of Taiwan Taoyuan International, the country’s largest airport, and the National Defense Ministry, etc.

According to the Presidential Palace spokesperson Chang Tun-Han **on Facebook**, the DDoS attack on the President’s website lasted for about 20 minutes. However, at the time of publishing this article, other than the website of the Ministry of National Defense, all known targeted sites were back online.

Taiwanese Presidential Palace spokesperson Chang Tun-Han on Facebook

For your information, **a DDoS attack** is a cyber-attack where multiple compromised devices, typically infected with a Trojan, are used to target a single system, service, or website. The aim of the attack is to saturate the target system or service with traffic, resulting in a denial of service for legitimate users.

John Hultquist, Vice President of Intelligence Analysis at Mandiant told Hackread.com that DDoS attacks on Taiwanese cyberinfrastructure come as no surprise. Hultquist anticipates that Chinese threat actors are also carrying out significant cyber espionage against targets in Taiwan and the U.S. to provide intelligence on the crisis.

> Chinese actors have responded with cyber attacks to political crises like the Belgrade embassy bombing and the Hainan island incident in the past, but compared to their peers, they have not heavily leveraged this capability. On rare occasions, Chinese state actors have been linked to DDoS capability, destructive attacks, and possible probing of critical infrastructure. Nonetheless, we believe China is capable of significant cyber attacks inside Taiwan and abroad.”
> 
> John Hultquist, Vice President of Intelligence Analysis at Mandiant.

This is not the first time that Taiwan has been targeted in a cyber attack; in fact, the island nation is often a target of Chinese hackers due to its strong relationship with the United States.

1.  China’s insidious surveillance against Uyghurs with Android malware
2.  Android malware HenBox hits Xiaomi devices & minority group in China
3.  Chinese Hackers Caught Spying on Taiwan Prior To Upcoming Elections
4.  Chinese Hackers Distributing Nim language Malware in SMS Bomber Tool

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Taiwanese President and Top Govt Sites Hit by DDoS Attacks Amid Pelosi visit

In Eclipse Californium versions 2.0.0 to 2.7.2 and 3.0.0-3.5.0 a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without using a HelloVerifyRequest. Especially, if used with certificate based cipher suites, that results in message amplification (DDoS other peers) and high CPU load (DoS own peer). The misbehavior occurs only with DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD values larger than 0.

**Eclipse Californium denial of service (DoS) via Datagram Transport Layer Security (DTLS) handshake on parameter mismatch**

High severity GitHub Reviewed Published Jul 30, 2022 • Updated Aug 10, 2022

GHSA-qq3j-44gw-cf6r: Eclipse Californium denial of service (DoS) via Datagram Transport Layer Security (DTLS) handshake on parameter mismatch

In Eclipse Californium version 2.0.0 to 2.7.2 and 3.0.0-3.5.0 a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without using a HelloVerifyRequest. Especially, if used with certificate based cipher suites, that results in message amplification (DDoS other peers) and high CPU load (DoS own peer). The misbehavior occurs only with DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD values larger than 0.

CVE-2022-2576: 580018 – Denial-of-Service vulnerability in the DTLS stack

Machine learning should be considered an extension of — not a replacement for — existing security methods, systems, and teams.

Contrary to what you may have read, machine learning (ML) isn't magic pixie dust. In general, ML is good for narrowly scoped problems with huge datasets available, and where the patterns of interest are highly repeatable or predictable. Most security problems neither require nor benefit from ML. Many experts, including the folks at Google, suggest that when solving a complex problem you should exhaust all other approaches before trying ML.

ML is a broad collection of statistical techniques that allows us to train a computer to estimate an answer to a question even when we haven't explicitly coded the correct answer. A well-designed ML system applied to the right type of problem can unlock insights that would not have been attainable otherwise.

A successful ML example is natural language processing (NLP). NLP allows computers to "understand" human language, including things like idioms and metaphors. In many ways, cybersecurity faces the same challenges as language processing. Attackers may not use idioms, but many techniques are analogous to homonyms, words that have the same spelling or pronunciations but different meanings. Some attacker techniques likewise closely resemble actions a system administrator might take for perfectly benign reasons.

IT environments vary across organizations in purpose, architecture, prioritization, and risk tolerance. It's impossible to create algorithms, ML or otherwise, that broadly address security use cases in all scenarios. This is why most successful applications of ML in security combine multiple methods to address a very specific issue. Good examples include spam filters, DDoS or bot mitigation, and malware detection.

**Garbage in, Garbage Out**

The biggest challenge in ML is availability of relevant, usable data to solve your problem. For supervised ML, you need a large, correctly labeled dataset. To build a model that identifies cat photos, for example, you train the model on many photos of cats labeled "cat" and many photos of things that aren't cats labeled "not cat." If you don’t have enough photos or they're poorly labeled, your model won't work well.

In security, a well-known supervised ML use case is signatureless malware detection. Many endpoint protection platform (EPP) vendors use ML to label huge quantities of malicious samples and benign samples, training a model on "what malware looks like." These models can correctly identify evasive mutating malware and other trickery where a file is altered enough to dodge a signature but remains malicious. ML doesn't match the signature. It predicts malice using another feature set and can often catch malware that signature-based methods miss.

However, because ML models are probabilistic, there's a trade-off. ML can catch malware that signatures miss, but it may also miss malware that signatures catch. This is why modern EPP tools use hybrid methods that combine ML and signature-based techniques for optimal coverage.

**Something, Something, False Positives**

Even if the model is well-crafted, ML presents some additional challenges when it comes to interpreting the output, including:

*   **The result is a probability.** The ML model outputs the likelihood of something. If your model is designed to identify cats, you'll get results like "this thing is 80% cat." This uncertainty is an inherent characteristic of ML systems and can make the result difficult to interpret. Is 80% cat enough?
*   **The model can't be tuned**, at least not by the end user. To handle the probabilistic outcomes, a tool might have vendor-set thresholds that collapse them to binary results. For example, the cat-identification model may report that anything >90% "cat" is a cat. Your business’s tolerance for cat-ness may be higher or lower than what the vendor set.
*   **False negatives (FN)**, the failure to detect real evil, are one painful consequence of ML models, especially poorly tuned ones. We dislike false positives (FP) because they waste time. But there is an inherent trade-off between FP and FN rates. ML models are tuned to optimize the trade-off, prioritizing the "best" FP-FN rate balance. However, the "correct" balance varies among organizations, depending on their individual threat and risk assessments. When using ML-based products, you must trust vendors to select the appropriate thresholds for you.
*   **Not enough context for alert triage.** Part of the ML magic is extracting powerful predictive but arbitrary "features" from datasets. Imagine that identifying a cat happened to be highly correlated with the weather. No human would reason this way. But this is the point of ML — to find patterns we couldn't otherwise find and to do so at scale. Yet, even if the reason for the prediction can be exposed to the user, it's often unhelpful in an alert triage or incident response situation. This is because the "features" that ultimately define the ML system's decision are optimized for predictive power, not practical relevance to security analysts.

**Would "Statistics" by Any Other Name Smell as Sweet?**

Beyond the pros and cons of ML, there's one more catch: Not all "ML" is really ML. Statistics gives you some conclusions about your data. ML makes predictions about data you didn't have based on data you did have. Marketers have enthusiastically latched onto "machine learning" and "artificial intelligence" to signal a modern, innovative, advanced technology product of some kind. However, there's often very little regard for whether the tech even uses ML, never mind if ML was the right approach.

**So, Can ML Detect Evil or Not?**

ML can detect evil when "evil" is well-defined and narrowly scoped. It can also detect deviations from expected behavior in highly predictable systems. The more stable the environment, the more likely ML is to correctly identify anomalies. But not every anomaly is malicious, and the operator isn't always equipped with enough context to respond. ML's superpower is not in replacing but in extending the capabilities of existing methods, systems, and teams for optimal coverage and efficiency.

The Beautiful Lies of Machine Learning in Security

The increased proliferation of IoT devices paved the way for the rise of IoT botnets that amplifies DDoS attacks today. This is a dangerous warning that the possibility of a sophisticated DDoS attack and a prolonged service outage will prevent businesses from growing.

The increased proliferation of IoT devices paved the way for the rise of IoT botnets that amplifies DDoS attacks today. This is a dangerous warning that the possibility of a sophisticated DDoS attack and a prolonged service outage will prevent businesses from growing.

While data breaches and ransomware are still considered among the more significant concern for businesses, the threats sometimes come from a direction we weren’t expecting. Cybercriminals use botnets for various malicious purposes, most significantly for DDoS attacks against targets. The most important change is now the bot armies are increasingly made of IoT devices.

As the total installed base of IoT devices worldwide is expected to reach 30.9 billion by 2025, the IoT botnet threat and its overall power continue to expand.

Attackers seized the opportunity to create large botnets, to large complex DDoS attacks to disable or knock offline a target website. Although the IoT botnets can steal confidential data, as seen in the instance of the Torri botnet, most of the botnets have been used for DDoS attacks.

This is a dangerous warning for an online business to ensure they have effective anti-DDoS protection and bot takeover prevention.

**High-Level Anatomy of IoT DDoS Attack**

So, what is a botnet? – A botnet is a group of infected computers under the control of attackers used to perform various scams and cyber-attacks. Here, the attackers use malware to take control of vulnerable IoT devices to block legitimate users from accessing internet services by executing DDoS attacks.

A simple principle governs a DDoS attack: it takes down websites offline by consuming more resources or occupying all available bandwidth. Attackers with more hijacked IoT devices can consume more resources and launch a more damaging attack. The three main goals of attackers include:

*   *   To cause consumption of limited resources
    *   To cause destructive changes to network devices
    *   To change or destroy configuration information

**Why Are IoT Devices Easy Prey for Botnet Malware?**

The increased proliferation of IoT devices has become an attractive target for attackers. Further, most IoT devices include serious security issues like weak passwords, open access to management systems, default administrative credentials, or weak security configurations. As millions of IoT devices and their numbers continue to increase, they are not constantly updated to patch against security vulnerabilities.

Botnet attacks seize the opportunity of IoT vulnerabilities to take control of the devices and lead to disruptions in online services. They’re most placed on networks that are not monitored for the attack, making it easy for attackers to access them. Further, in most cases, the network where they reside offers a high-speed connection that enables a large amount of DDoS attack traffic.

**Major IoT Botnet DDoS Attack Trends**

IoT botnet DDoS attacks are not new; Mirai was the most prevalent and has continued to target IoT devices since 2016. Mirai made its debut on September 20, 2016, with a DDoS attack against cybersecurity expert Krebs’s blog. The next notable IoT botnet DDoS attack was in October 2016 against Dyn, a major DNS (Domain Name Service). The Mirai botnet assaulted the victim with one terabit traffic per second, which made a new record in a DDoS attack.

According to the ENISA threat landscape report, in 2019, the Mirai variants increased by 57%. The Verizon data breach investigations report recorded 103 699 botnet incidents primarily targeting professional, financial, and information services industry verticals.

A new variant of Mirai called Mozi accounted for the most observed flooded traffic in late 2019 through 2020. The Mirai and its variant continue to pose a threat in 2021; they broadened their attack with its significant new capabilities.

Attackers use multiple botnets based on Mirai and Mozi botnets like Echobot, BotenaGo, Moonet, and Loli to target devices. According to Sam’s report on the IoT security landscape, more than 1 billion IoT security attacks took place in 2021, nearly 62 million of which were IoT-related DDoS attacks.

**How Can You Protect Against IoT Botnet DDoS Attacks Today?**

As the botnet landscape expands and highly sophisticated threats become inevitable, enterprises must move beyond legacy security solutions.

The first step to addressing these ongoing security challenges is moving to comprehensive risk-based security solutions. In addition, advanced, automated endpoint detection and protection solutions must offer complete visibility into IoT devices and their security state.

As always, prevention steps should be implemented to stay protected from such attacks:

*   Monitor incoming and outgoing traffic on your network for malicious activities with a web application firewall. Next-gen WAF like Indusface AppTrana can block bad bots from specific IPs while ensuring a smooth transfer of legitimate bot traffics.
*   Monitor login attempts and create a lookout for spikes
*   Keep IoT devices on protected networks
*   Perform continuous security testing on IoT devices

**The Closure**

DDoS attacks are the standard intent of an IoT botnet. DDoS may be an unavoidable part of the new reality, but you don’t need to take it as the new norm. Architect robust security solutions to properly secure your businesses.

IoT Botnets Fuels DDoS Attacks – Are You Prepared?

New research shows how deep learning models trained for network intrusion detection can be bypassed

New research shows how deep learning models trained for network intrusion detection can be bypassed

Recent years have seen a growing interest in the use of machine learning and deep learning in cybersecurity, especially in network intrusion detection and prevention.

However, according to a study by researchers at the Citadel, a military college in South Carolina, US, deep learning models trained for network intrusion detection can be bypassed through adversarial attacks, specially crafted data that fools neural networks to change their behavior.

**DNS amplification attacks**

The study (PDF) focuses on DNS amplification, a kind of denial-of-service attack in which the attacker spoofs the victim’s IP address and sends multiple name lookup requests to a DNS server.

The server will then send all the responses to the victim. Since a DNS request is much smaller than the response, it results in an amplification attack where the victim is flooded with bogus traffic.

**RELATED** Adversarial attacks against machine learning systems – everything you need to know

“We decided to study deep learning in DNS amplification due to the increasing popularity of machine learning-based intrusion detection systems,” Jared Mathews, the lead author of the paper, told _The Daily Swig_.

“DNS amplification is one of the more popular and destructive forms of DoS attacks so we wanted to explore the viability and resilience of a deep learning model trained on this type of network traffic.”

**Attacking the model**

To test the resilience of network intrusion detection systems, the researchers created a machine learning model to detect DNS amplification traffic.

They trained a deep neural network on the open source KDD DDoS dataset. The model achieved above 98% accuracy in detecting malignant data packets.

Architecture of machine learning model for DNS amplification attacks

To test the resilience of the ML-based network intrusion detection system, the authors pitted it against Elastic-Net Attack on Deep Neural Networks (EAD) and TextAttack, two popular adversarial attack techniques.

“We chose TextAttack and Elastic-Net Attack due to their proven results in both natural language processing and image processing respectively,” Mathews said.

Read more of the latest information security research news

Although the attack algorithms were not initially intended to be applied to network packets, the researchers were able to adapt them for the purpose. They used the algorithms to generate DNS amplification packets that passed as benign traffic when processed by the target NIDS system.

Both attack techniques proved to be effective, significantly reducing the network intrusion detection system’s accuracy, and causing large amounts of both false positives and false negatives.

“While both attacks could easily generate adversarial examples with the DNS Amplification data we used, TextAttack was more suited for minimally perturbing the datatypes in the packet features,” Mathews said.

The researchers have not yet tested the attack on off-the-shelf intrusion detection systems, but plan to do so and report the findings in the future.

  
Structure of adversarial attack against ML-based network intrusion detection system

**Complexities of using ML in cybersecurity**

The researchers conclude that it is relatively easy to deceive a machine learning network intrusion detection systems with adversarial attacks, and it is possible to take adversarial algorithms that were initially meant for another application and adapt them to network classifiers.

“The biggest takeaway would be that using deep learning in network security is not a simple solution, and as a standalone NIDS, they are quite fragile,” Mathews said.

“For a classifier used to detect attacks on critical networks, there should be extensive testing. Using these DL models in conjunction with a rules-based NIDS as a secondary detector can prove to be very effective as well.”

The team is in the process of expanding their findings to other kinds of attacks, including IoT DDoS traffic.

**READ MORE** Zyxel firewall vulnerabilities left business networks open to abuse

Adversarial attacks can cause DNS amplification, fool network defense systems, machine learning study finds

Dark Reading's weekly roundup of all the OTHER important stories of the week.

Welcome to Dark Reading's weekly digest of the can't-miss stories of the week, featuring the lowdown on the Neopets breach and what it means for consumer-facing companies of all kinds; Google Drive and the trouble with the malicious use of cloud applications; a slew of disclosures about state-sponsored campaigns; and a Google Ads-related malvertising issue.  

Dark Reading's editors have gathered all of the interesting threat intelligence and cyber-incident stories that we just didn't get to earlier but would feel wrong not covering. In this week's "in case you missed it" (ICYMI) digest, read on for more on the following:

*   Neopets & Gaming's Lax Security
*   SolarWinds Hackers Embrace Google Drive in Embassy Attacks
*   Nation-State Attacks Ramp Up in APT-a-Palooza
*   Google Ads Abused as Part of Tech Support Scams

**Neopets & Gaming's Lax Security**

Neopets this week became the third gaming platform in the space of a week to be hit with a cyberattack (after Bandai Namco and Roblox), highlighting the interest that attackers have in hitting "leisure-activity" companies during the summer months. According to reports, the purveyor of virtual pets was robbed for its source code as well as the personal information belonging to its 69 million users.

A hacker who goes by the handle of "TarTarX" is putting the ill-gotten goods up for sale for 4 bitcoins, which translates to around $92,000 using Friday's exchange rate. The stolen PII appears to include data includes members' usernames, names, email addresses, ZIP codes, dates of birth, gender, country, and game-related information.

It's unclear how TarTarX gained access to the website, but Javvad Malik, security awareness advocate at KnowBe4, notes that the attack should be a wake-up call to all consumer-focused enterprises to better secure their data.

“We've seen toy manufacturers and games developers hit in the past due to the vast amount of personal data they collect," he says. "Such organizations should be mindful of the information they gather and the purpose of it. Holding excessive data means greater liability should a breach occur."

Any users impacted by the breach should ensure the password they used for Neopets isn’t used elsewhere, given the potential for credential-stuffing attacks, he adds.

**SolarWinds Hackers Embrace Google Drive in Embassy Attacks**

The hackers behind the sprawling SolarWinds supply chain attack are at it again, this time abusing Google Drive to smuggle malware onto targets' machines.

The advanced persistent threat (APT), tracked as APT29, Cloaked Ursa, Cozy Bear, or Nobellium, launched two waves of email-borne attacks between May and June. According to an analysis from Palo Alto Networks' Unit 42, the attacks targeted a foreign embassy in Portugal and another in Brazil. The group used a supposed agenda for an upcoming meeting with an ambassador as a lure.

"In both cases, the phishing documents contained a \[Google Drive\] link to a malicious HTML file (EnvyScout) that served as a dropper for additional malicious files in the target network, including a Cobalt Strike payload," according to Unit 42's post this week.

APT29 is believed by the US government to be affiliated with Russia’s Foreign Intelligence Service (SVR), and is widely considered to be responsible not only for SolarWinds but also the hack of the United States Democratic National Committee (DNC) in 2016.

The use of legitimate cloud services to deliver malicious payloads is on the rise as cybercriminals look to take advantage of the entrenched trust that millions of business users (and email gateways) have in them. Lior Yaari, CEO and co-founder of Grip Security, noted that this points to the need to better vet content coming from software-as-a-service (SaaS) app.

“The recent malicious activity discovered using Google Drive is emblematic of the SaaS security challenge — universal accessibility and ease of deployment," he said in a statement to Dark Reading. "Before Google Drive, there was Dropbox and before Dropbox, APT29 was hitting Microsoft 365. The SaaS security challenge for campaigns like these only illustrates the trend toward exploiting SaaS’s strengths for nefarious ends. And the matter only becomes worse with more SaaS out-of-sight for many security teams.”

**Nation-State Attacks Ramp Up in APT-a-Palooza**

Speaking of APTs, several nation-state-backed campaigns came to light this week. For instance, Citizen Lab said that it had forensically confirmed that at least 30 individuals were infected with NSO Group’s Pegasus mobile spyware after an extensive espionage campaign that took place late last year. The effort targeted Thai pro-democracy protesters and activists calling for reforms to the monarchy.

Google's Threat Analysis Group for its part flagged an odd false-flag operation in Ukraine. The Russia-linked hacking group Turla (aka Snake, Uroburos, and Venomous Bear) have created a malicious Android app that masquerades as a tool for Ukrainian hackers looking to carry out distributed denial-of-service (DDoS) attacks against Russian websites. Turla dubbed the app CyberAzov, in reference to the Azov Regiment or Battalion, a far-right group that has become part of Ukraine’s national guard.

CyberAzov is "hosted on a domain controlled by the actor and disseminated via links on third party messaging services," according to Google TAG. While the app is distributed under the guise of performing DDoS attacks, "the 'DoS' consists only of a single GET request to the target website, not enough to be effective."

In reality, the app is "designed to map out and figure out who would want to use such an app to attack Russian websites," according to an additional commentary from Bruce Schneier.

Meanwhile, Cisco Talos observed an unusual campaign targeting Ukrainian entities, which it said is likely attributable to Russia. This attack stood out amidst the barrage of cyberattacks that have been mounted against Ukraine, researchers said, because the attack targeted a large software development company whose wares are used in various state organizations within Ukraine.

"As this firm is involved in software development, we cannot ignore the possibility that the perpetrating threat actor's intent was to gain access to source a supply chain-style attack," researchers said in a posting this week, adding that the persistent access could also have been leveraged in other ways, including gaining deeper access into the company's network or launching additional attacks such as ransomware.

Also notable is the fact the effort revolved around "a fairly uncommon piece of malware" called GoMet; GoMet is an open source backdoor that was first seen in the wild in March.

And finally, the government of Belgium issued a statement disclosing a spate of attacks against its defense sector and public safety organizations emanating from three China-linked threat groups: APT27, APT30, and APT31 (aka Gallium or UNSC 2814).

The "malicious cyber activities … significantly affected our sovereignty, democracy, security and society at large by targeting the FPS Interior and the Belgian Defence," according to the statement.

**Google Ads Abused as Part of Tech Support Scams**

People performing a Google search for Amazon, Facebook, YouTube, or Walmart could find themselves browser-hijacked, researchers warned this week.

A malvertising campaign is abusing Google’s ad network to redirect visitors to an infrastructure of tech support scams, according to Malwarebytes.

"The threat actors are … purchasing ad space for popular keywords and their associated typos," researchers explained in a posting. "A common human behavior is to open up a browser and do a quick search to get to the website you want without entering its full URL. Typically a user will (blindly) click on the first link returned (whether it is an ad or an organic search result)."

In Google search results, those first returned links could be ads that redirect users to fake warnings urging them to call rogue Microsoft agents for support, researchers explained.

"Victims were simply trying to visit those websites and relied on Google Search to take them there. Instead, they ended up with an annoying browser hijack trying to scam them," researchers lamented.

The approach could just as easily be used to redirect to malicious sites serving up malware or phishing pages, researchers noted. Users — especially business users — should always take care to be skeptical when unexpected browser redirects occur.

ICYMI: Neopets & the Gaming Problem; SolarWinds Hackers Are Back; Google Ads Abused

Also known as the Atlantis Cyber-Army, the emerging organization has an enigmatic leader and a core set of admins that offer a range of services, including exclusive data leaks, DDoS and RDP.

Also known as the Atlantis Cyber-Army, the emerging organization has an enigmatic leader and a core set of admins that offer a range of services, including exclusive data leaks, DDoS and RDP.

A for-hire cybercriminal group is feeling the talent-drought in tech just like the rest of the sector and has resorted to recruiting so-called “cyber-mercenaries” to carry out specific illicit hacks that are part of larger criminal campaigns.

Dubbed Atlas Intelligence Group (A.I.G.), the cybergang has been spotted by security researchers recruiting independent black-hat hackers to execute specific aspects of its own campaigns. A.I.G., also known as Atlantis Cyber-Army, functions as a cyber-threats-as-a-service criminal enterprise. The threat group markets services that include data leaks, distributed denial of service (DDoS), remote desktop protocol (RDP) hijacking and additional network penetration services, according to a Thursday report by threat intelligence firm Cyberint.

“\[A.I.G.\] has introduced us to out-of-the-box thinking,” Cyberint’s Shmuel Gihon wrote in the report.

**_\[FREE On-demand Event: Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office. WATCH HERE.\]_**

A.I.G., according to researchers, is unique in its outsourcing approach to committing cybercrimes. Organized threat groups tend to recruit individuals with certain capabilities that they can reuse and incent them with profit sharing. For example, Ransomware-as-a-Service organized crime campaigns can involve multiple threat actors – each getting a cut of any extorted lucre or digital assets stolen. What makes A.I.G. different is it outsources specific aspects of an attack to “mercenaries” who have no further involvement in an attack.

The report’s author, Gihon, said only A.I.G. administrators and the group’s leader—dubbed Mr. Eagle—know fully what the campaign will be and outsource isolated tasks to hired guns based on their skillsets.

****Unique Business Model****

This uncommon business model also allows the group, which has been operating since the beginning of May, to offer a range of cybercriminal services instead of a single core competency, he said.

“While many groups are focusing on one, maybe two, services that they offer, Atlas seems to grow rapidly and expand its operations in an efficient way which allows them to offer many services,” Gihon wrote.

A.I.G. tends to target government and state assets in countries all over the world, including the United States, Pakistan, Israel, Colombia and United Arab Emirates, researchers found.

Mr. Eagle not only leads the campaigns but also doubles as a chief marketing officer of sorts, putting a significant effort into advertising A.I.G.’s various cybercriminal services, he said.

****Anatomy of a Threat Group****

Researchers took a deep dive into how A.I.G. operates, communicates and manages its operations, as well observed the specific cybercriminal services it offers.

DDoS seems to be the group specialty, with Atlas providing solid proof of execution to customers for as little as 20 euros per victim, researchers said. The group also offers a popular data-leak services that focuses on anything that might be valuable to potential buyers, Gihon said.

A.I.G. has published leaked databases from all over the world for sale, with a starting price from 15 euros, researchers said. The group targeted various sectors in the breaches, including education, finance, government entities, manufacturing and technology, they said.

A.I.G. also has premium services that demand more skill and demonstrate the group’s sophistication, researchers said. One of these products is hacked panels and initial access to organizations, with prices for these services starting from about $1,000.

The group also offers “VIP services” that claim ties to people in law-enforcement positions across Europe that can give customers access to sensitive information about specific individuals, researchers said.

****Multi-Channel Communication****

Telegram is the communication platform of choice for A.I.G., with the group operating three different Telegram channels with thousands of subscribers, researchers said. One is a database marketplace for selling leaked databases, and another is a commercial channel that also includes announcements and updates from the group, they said.

Atlas also operates a unique Telegram channel in which Mr. Eagle and the group’s administrators publish the contracts that the group offers to those hired to perform attacks. This allows subscribers to sign up depending on what they can offer and helps the group recruit various cybercriminals, such as red teamers, social engineers and malware developers, researchers said.

Atlas sells its services primarily on an e-commerce store on the site Sellix.io, a forum that offers payment with cryptocurrency and acts as a broker, providing the privacy-conscious group with an extra layer of anonymity, Gihon said.

“Observing the behavior of the group in general and the leader in particular, it seems that operation security (OpSec) is a top priority,” he wrote.

****The (Mr.) Eagle Has Landed****

Indeed, the group’s leader is an enigmatic figure who appears to run a tight ship in terms of his overall maturity and professionalism, exhibiting logical and meticulous decision-making and behavior that leaves “no room for errors,” Gihon wrote.

“Mr.Eagle tends to have very strict rules in the management of the group, including banning and throwing \[out\] scammers and other threat actors that try to advertise their products,” he wrote. “It seems that Mr.Eagle maintains very high reliability among the group.”

This type of leadership apparently comes in handy when delegating tasks to general administrators, of which A.I.G. appears to have at least four—dubbed El Rojo, Mr.Shawji, S41T4M4 and Coffee, researchers said. The administrators carry out day-to-day advertising tasks as well as management of group operations and communication channels, researchers said.\\

The hired contractors, or “mercenaries,” who carry out the nefarious activities of the group are the lowest rung of the A.I.G. structural ladder. This part of the group is a revolving door of cybercriminals who are hired to work only on a particular campaign based on their skillset, researchers said.

**_\[FREE On-demand Event: Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office. WATCH HERE.\]_**

Hackers for Hire: Adversaries Employ ‘Cyber Mercenaries’

By Deeba Ahmed
The pro-Ukraine groups thought they were fighting back against Russia with a new DDoS app, but it turns…
This is a post from HackRead.com Read the original post: App Meant to Hit Russia with DDoS Attack Infected Android Phones of Ukraine Activists

****The pro-Ukraine groups thought they were fighting back against Russia with a new DDoS app, but it turns out the app itself is malware that has been infecting their devices, Google has confirmed.****

Google Threat Analysis Group (TAG) has published its findings on the activities of an Advanced Persistent Threat (APT) group Turla, aka Venomous Bear, Krypton, Uroburos, and Waterbug, against Ukrainian targets.

This APT group is affiliated with the Federal Security Service, Russia, and according to TAG security engineer Billy Leonard, it is deploying Android malware disguised as a DDoS attack tool.

It is worth noting that Turla is the same group that was found to control malware via Instagram posts of the popular American singer and dancer Britney Spears back in June 2017.

**Ukrainians Trapped with Fake DDoS Tools**

As per Google Tag’s report, Turla’s fake DDoS app is hosted on a spoofed version of the Ukrainian Azov Regiment (the country’s far-right inventory unit) identified as cyberazovcom.

Leonard explained that this is the first time they have seen Turla distributing Android malware. The fake apps weren’t delivered via the Google Play Store but on the spoofed domain, which the attackers controlled. They also used third-party messaging services to promote the domain.

However, according to Lab52, this is not the first time the Turla APT group has been caught spreading Android malware. In its report published in April 2022, the company stated that the Turla group has been distributing Android malware capable of tracking GPS location and spying on victims.

At the moment, Turla is focusing on targeting pro-Ukrainian activists, primarily those who enlisted to volunteer for the IT army to launch DDoS attacks against Russian IT infrastructure.

Screenshot of the fake website controlled by Tusla hackers to spread the malicious Android app disguised as the DDoS app (Image: Google’s TAG)

**Scam Details**

According to Google TAG’s blog post, the malicious Cyber Azov app is being distributed among Pro-Ukrainian activists and organizations to launch DDoS attacks against Russian sites from their smartphones quickly.

> “The app is distributed under the guise of performing Denial of Service (DoS) attacks against a set of Russian websites. However, the ‘DoS’ consists only of a single GET request to the target website, not enough to be effective.”
> 
> Billy Leonard – Google TAG

The final malicious payload is unclear, and Leonard noted that the number of installs is also relatively low. The fake app was detected in March 2022, after which TAG security researchers warned Ukrainian activities to remain cautious while downloading DDoS tools from unverified platforms.

In conclusion, be very careful about who you trust online. Russian hackers are highly sophisticated not only in developing and malware but in social engineering aimed at targeting their victims.

1.  Ukraine Thwart Russian Industroyer 2 Malware Attack on Energy Provider
2.  Feds Dismantle Russian Rsocks Botnet Powered by Millions of IoT Devices
3.  Russia Hackers Abusing BRc4 Red Team Penetration Tool in Recent Attacks
4.  Russia’s Yandex hit by largest DDoS attack involving 200,000 hacked devices
5.  Google takes down sites with ties to hack-for-hire groups in UAE, Russia, India

App Meant to Hit Russia with DDoS Attack Infected Android Phones of Ukraine Activists

The rapidly growing Atlas Intelligence Group relies on cyber-mercenaries to carry out its missions.

A threat group calling itself the Atlas Intelligence Group (AIG, aka Atlantis Cyber-Army) has recently surfaced with what appears to be a somewhat different — and potentially trend-setting — cybercrime model.

Researchers from Cyberint who were the first to spot the group described the threat actor as selling a variety of services via its main website, including access to stolen databases, exclusive data leaks, distributed denial-of-service (DDoS) services, and initial access to enterprise networks via RDP clients and Web shells. Cyberint said this week that its researchers spotted AIG in May and have observed it growing rapidly since then.

What makes the threat actor different from the myriad others with similar offerings is the fact that the operators themselves appear to be entirely outsourcing the actual hacking activities to independent cyber-mercenaries who have no direct connection to the operation. For instance, when a client purchases AIG's DDoS, data theft, or malicious spam services, the group advertises for and hires independent contractors to execute the actual tasks. That's unlike most threat groups. which recruit and maintain the same team of hackers for different campaigns.

**A Model for OpSec**

AIG's model appears designed to ensure a high level of operations security for its leaders by keeping them segregated from those doing the criminal hacking activity, according to Cyberint.

"AIG is the first group I've seen that is using this business model," says Shmuel Gihon, security researcher with Cyberint. "Every team has its leaders, and every team has key members. But here it's different: we have one leader that controls everything and everyone."

AIG's business model appears designed to take advantage of the growing number of hacker-for-hire groups that have begun surfacing all over the world in recent years. The groups, many of which operate out of India, Russia, or the United Arab Emirates, specialize in breaking into target networks, stealing data, and carrying out a variety of other malicious activities on behalf of the clients who hire them. One example of such a group is Russia-based "Void Balaur," a cyber-mercenary group that researchers at Trend Micro and others have linked to attacks on thousands of organizations and individuals for several years.

Gihon says Cyberint's analysis of AIG's activities shows it is being run by a secretive individual using the handle "Mr. Eagle." This individual appears responsible for initiating all AIG campaigns and plans. Cyberint has so far been able to identify at least four other individuals that are operating under this leader, and who are responsible for tasks such as advertising the group's services, communicating with customers, and operating its Telegram channels.

"What makes them different is the fact that they are very good \[at\] making themselves anonymous and approaching this operation as entrepreneurs and not as technical people," Gihon says. The group's behavior suggests the core members — or at least its leader — were red teamers or malicious hackers that have decided to lead rather than operate.

"They have been around in the darknet and in the cybercrime industry for a while and observed how things are operating," he added.

**Telegram Communications**

Cyberint said it has observed the group use three different Telegram channels, with thousands of subscribers between them, for its operations.

One of the channels is a marketplace for leaked databases. The databases appear to belong to organizations in different sectors such as government, finance, manufacturing, and technology, from around the world. The collection of databases on sale via the Telegram channel suggests that AIG isn't focusing on any specific region or sector. Rather, the group appears to be targeting organizations that it thinks might be valuable for potential buyers.

Some of the databases are available for as little as 15 euros and contain information such as email and physical addresses, phone numbers, and other information likely of interest to distributors of malicious spam, spear-phishing groups, and hacktivists.

"AIG claims that these databases are exclusive, so the assumption is that they obtained it \[via\] their contractors," Gihon says. Given the low price, it is unlikely that AIG obtained them from a third-party and is reselling them, he says.

AIG has a second Telegram channel that it uses to publish ads for various hacking services that it might be looking for, and where hackers have an opportunity to bid for contracts. The channel serves as the threat group's source for finding malware developers, social engineers, red teamers, and other cyber-mercenaries.

AIG's third Telegram channel, which serves as its communication channel, is where the group posts announcements, lists of intended targets, and other information. The threat actor also maintains an e-commerce store where people can purchase AIG's services and stolen databases using cryptocurrency.

Gihon says AIG's business model gives it a level of flexibility that other threat groups do not have.

"The leader is not bound to any one of the members because they are all contractors," he says. "So, while other groups have their ups and downs given the fact that they are the same group of people most of the time, Mr. Eagle has the privilege to hire the best of the best anytime," he says. "This could make this team very lethal in the end game."

Tag

#ddos