Patched several months ago, researcher reports how they used Spring Boot to sneak past Akamai's firewall and remotely execute code.

Akamai's Web application firewall (WAF) is intended to fend off potential attacks like distributed denial-of-service (DDoS), but a researcher discovered a way to bypass its protections by using complex payloads to confuse its rules.

The researcher, known as Peter H., along with Usman Mansha, said Akamai has since patched against the vulnerability, which was not assigned a CVE number. In the write-up, Peter H. explained how he used a vulnerable version of Spring Boot to bypass WAF protections.

"We ended up able to bypass Akamai WAF and achieve Remote Code Execution (P1) using Spring Expression Language injection on an application running Spring Boot," the GitHub explanation of the Akamai WAF RCE find explained. "This was the 2nd RCE via SSTI we found on this program, after the 1st one, the program implemented a WAF which we were able to bypass in a different part of the application."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Researcher Bypasses Akamai WAF

Microsoft warns enterprises should pay attention to a new botnet used to launch DDoS attacks on private Minecraft Java servers.

The persistence and spread of a newly identified botnet targeting private Minecraft Java servers has far wider ramifications for enterprises than bumming out a Biome.

Microsoft researchers revealed in a report published Dec. 16 that this new botnet is used to launch distributed denial-of-service (DDoS) attacks on Minecraft servers, which might sound like kid stuff. But enterprises should take note because of the botnet's ability to target both Windows and Linux devices, spread quickly, and avoid detection, the Microsoft team added.

It starts with a user downloading a malicious downloads of "cracked" Windows licenses.

"The botnet spreads by enumerating default credentials on internet-exposed Secure Shell (SSH)-enabled devices," the Defender team reported. "Because IoT devices are commonly enabled for remote configuration with potentially insecure settings, these devices could be at risk to attacks like this botnet."

The threat researchers suggest that organizations harden their device networks against these kinds of threats.

The group's analysis revealed most of the infected devices were in Russia.

**Enterprises Beware**

Factors including the sheer number of potential server targets and the general lack of cybersecurity protections on private Minecraft servers make this botnet something security teams should take seriously, Patrick Tiquet, vice president of security architecture at Keeper Security, tells Dark Reading.

"The concern in this scenario is that there are a large number of servers that can potentially be compromised and then weaponized against other systems, including enterprise assets," Tiquet explains. "Gaming servers such as Minecraft are typically managed by private individuals who may or may not be interested in or capable of patching and following cybersecurity best-practices. As a result, this vulnerability could continue unmitigated on a large scale for an extended period of time and could potentially be leveraged to target enterprises in the future."

Beyond this particular malware, Microsoft's recommendations are a good idea for protecting the enterprise from all sorts of botnets besides just the Minecraft-focused sort, according to Vulcan Cyber's Mike Parkin.

"They're industry best practices — restricting access, changing default passwords to strong ones, enabling multifactor authentication, etc. — and should be implemented regardless," Parkin says. "While some of the techniques can be challenging to implement on some low-power IoT devices, deploying to best practices is the absolute minimum that should be happening."

New Botnet Targeting Minecraft Servers Poses Potential Enterprise Threat

By Waqas
Dubbed "MCCrash" by Microsoft, the DDoS botnet is currently targeting private Minecraft servers globally.
This is a post from HackRead.com Read the original post: Microsoft Alert: DDoS Botnet Hit Private Minecraft Servers

According to Microsoft, this is an unusual DDoS botnet boasting a unique design that lets it infiltrate Linux systems despite the malware being downloaded from Windows devices.

Remember when, **earlier in January this year**, a massive DDoS attack targeted a Minecraft event, which took down the internet service of the entire country of Andora? Well, now, a new threat has surfaced, whose target is, yet again, Minecraft servers.

Microsoft has published a warning about a cross-platform botnet designed to launch **DDoS attacks** (distributed denial of service attacks) against private Minecraft servers.

MCCrash botnet targets users in Russia, Belarus, Czechia, Ukraine, Uzbekistan, Italy, Nigeria, India, Cameroon, Indonesia, Columbia, and Mexico. Microsoft is tracking the botnet’s activities under the moniker DEV-1028.

**MCCrash Capabilities**

According to Microsoft researchers David Atch, Maayan Shaul, Mae Dotan, Yuval Gordon, and Ross Bevington, this is an unusual botnet boasting a unique design that lets it **infiltrate Linux systems** despite the fact that the malware is downloaded from Windows devices.

When the malware is removed from the infected device, the MCCrash mechanism allows it remains persistent on the unmanaged IoT devices connected to the network and keep operating.

**How Does MCCrash Spread?**

MCCrash spread by numbering default credentials on internet-exposed SSH (secure shell) enabled devices. Since **IoT devices** are usually designed for remote configuration with insecure settings, these devices can be at risk of botnet attacks.

Microsoft didn’t disclose the exact scope of this campaign. The company noted that the botnet’s initial infection point is an array of compromised machines, which it infected using **cracking tools** that promise illegal Windows licenses. The software then executes a Python payload containing the core features of the botnet.

This includes scanning for SSH-enabled Linux devices to launch a dictionary attack. When the Linux host is breached through the propagation method, the same Python payload runs DDoS commands, one of which **attacks explicitly Minecraft servers** and crashes them. Microsoft claims it is highly effective and could be offered as a service on hacking forums.

Screenshot 1 shows cracking tools used to spread the DDoS botnet – Screenshot 2: The DDoS botnet attack flow (Credit: Microsoft)

“This type of threat stresses the importance of ensuring that organizations manage, keep up to date, and monitor not just traditional endpoints but also IoT devices that are often less secure,” Microsoft’s **blog post** noted.

1.  **Minecraft declared the most malware-infected game**
2.  **Malware-infected Minecraft modpacks hit Google Play Store**
3.  **RapperBot malware targets gaming servers with DDoS attacks**
4.  **50,000 Minecraft users infected with hard drive wiping malware**
5.  **Malicious Minecraft apps on Play Store scamming millions of users**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Microsoft Alert: DDoS Botnet Hit Private Minecraft Servers

Accelerating security challenges and the increasing footprint of edge and IoT devices call for zero-trust principles to drive cyber resiliency.

As businesses ramp up their adoption of edge and Internet of Things (IoT) infrastructure, security risks that already challenge IT organizations stand to become trickier than ever. The distributed nature of edge devices, the scale of IoT, and the limited compute capacity of devices at the edge heap on added difficulties to the increasingly shaky traditional security practices of yesteryear. In the era of edge, it simply won't be feasible anymore to cling to the castle-and-moat security tactics that practitioners have held on to for probably a decade too long as it was.  

Zero-trust principles are going to be key to meeting the security challenges of today and tomorrow — and fundamental to that will be architecting secure server hardware that stands at the bedrock of edge architecture.

**The Challenges Calling for Zero Trust**

Edge and IoT notwithstanding, security threats keep growing. Recent statistics show that global attack rates are up by 28% in the last year. Credential theft, account takeovers, lateral attacks, and DDoS attacks plague organizations of all sizes. And the costs of cybercrime keep ticking upward. Recent figures by the FBI's Internet Crime Complaint Center (IC3) found that cybercrime costs in the US topped $6.9 billion, up dramatically from $1.4 billion in 2017.

Throwing transformative technology architectures into this mix will only exacerbate matters if security isn't baked into the design. Without proper planning, securing assets and processes at the edge becomes more difficult to manage due to the rapidly proliferating pool of enterprise devices.

Market stats show that there are already more than 12.2 billion active IoT and edge endpoints worldwide, with expectations that by 2025 the figure will balloon to 27 billion. Organizations carry more risk because these devices are different than traditional on-premises IT devices. Devices at the edge — particularly IoT devices — frequently:

*   Process critical data away from data centers, with data including more private information
*   Are not supported or secured as strongly by many device manufacturers
*   Don't control passwords and authentication as strongly as traditional endpoints
*   Have limited compute capacity to implement security controls or updates
*   Are geographically distributed in nonsecured physical locations with no barbed wire, cameras, or barriers protecting them

All of this adds up to an enlarged attack surface that is extremely difficult to manage due to the sheer scale of devices out there. Policies and protocols are harder to implement and manage across the edge. Even something as "simple" as doing software updates can be a huge task. For example, often IoT firmware updates require manual or even physical intervention. If there are thousands or even tens of thousands of those devices run by an organization, this quickly becomes a quagmire for an IT team. Organizations need better methods for pushing out these updates, doing remote reboots, and performing malware remediation, not to mention monitoring and tracking the security status of all of these devices.

**More Than Authentication: The Promise of Zero Trust**

Zero trust is a set of guiding principles and an architectural approach to security that's well-suited to start addressing some of the edge security challenges outlined above. The heart of the zero-trust approach is in conditional access. The idea is that the right assets, accounts, and users are only granted access to the assets they need — when they're authorized, and when the situation is safely in line with the org's risk appetite. The architecture is designed to continually evaluate and validate all of the devices and behaviors in the IT environment before granting permissions and also periodically during use. It's great for the fluidity of the edge because it's not tied to the physical location of a device, network location, or asset ownership.

It's a sweeping approach, and one that can help reduce the risk surface at the edge when it is done right. Unfortunately, many organizations have taken a myopic view of zero trust, equating it solely as an authentication and authorization play. But there are a whole lot of other crucial elements to the architecture that enterprises need to get in place.

Arguably the most critical element of zero trust is the verification of assets before access is granted**.** While secure authentication and authorization is crucial, organizations also need mechanisms to ensure the security of the device that's connecting to sensitive assets and networks — including servers handling edge traffic. This includes verifying the status of the firmware in place, monitoring the integrity of the hardware, looking for evidence of compromised hardware, and more.

**Enabling Zero Trust With the Right Hardware**

While there is no such thing as zero-trust devices, organizations can set themselves up for zero-trust success by seeking out edge hardware that's more cyber resilient and enables easier verification of assets to stand up to the rigors of a strong zero-trust approach to security.

This means paying close attention to the way vendors architect their hardware. Ask questions to ensure they're paying more than just marketing lip service to the zero trust ideal. Do they follow a framework like the US Department of Defense's seven-pillar zero-trust standards? Looking for important controls for device trust, user trust, data trust, and software trust baked into the products that organizations choose to make up their edge architecture will in turn help them build zero trust into their own architecture.

Zero Trust in the Era of Edge

Categories: News
Global law enforcement agencies came together to take down popular DDoS services.



(Read more...)




The post Worldwide law enforcement action takes down major DDoS booter services appeared first on Malwarebytes Labs.

Criminals making use of booter services which execute Distributed Denial of Service (DDoS) attacks to take down websites will have to try a little bit harder today: A major international operation has taken no fewer than 48 of the most popular booter services offline.

The operation, known as “Power Off,” included law enforcement agencies from the UK, the US, the Netherlands, Germany, and Poland.

**Sites down, operators arrested**

The sites that were taken down by law enforcement have been replaced with seizure notices which read as follows:

_This website has been seized_

_The FBI has seized this website for operating as a DDoS-for-hire service. This action has been taken in conjunction with Operation Power Off, a coordinated international law enforcement effort to dismantle criminal DDoS-for-hire services worldwide. DDoS attacks are illegal._

Law enforcement agencies have seized databases and other information relating to these services. Anyone operating or utilizing a DDoS service is subject to investigation, prosecution, and other law enforcement action.

As a result of the operation, seven individuals have been arrested in the UK and US with “further actions planned” against users of the services.

The National Crime Agency (NCA) reports that one of those arrested is just 18 years of age. “Around a quarter” of referrals to the NCA involve the use of booter services.

**Why are booters so popular?**

Booting services typically have a low technical barrier to entry. Back in the days of Xbox360, especially around 2009, custom made booter services became very popular with gamers. If you wanted to ensure victory in an online session, you could pay a small fee and dedicated services would kick the other players out of the game or you could download and run the tools yourself.

This is one way in which DDoS made the leap from “people who have a decent idea of what they’re doing in order to take a website down” to “pay me $10 and push this button to win.” As it turns out, pushing that button to win is a lot less intensive than figuring out how to make people run your executable or set up a working phishing page.

The people running these booter services know this, and that’s why they’re so popular. Need a website kicked offline? A gamer you just can’t stand? A service playing host to people you just can’t stand? Off to the booter markets you go. More often than not, people don’t realize how much trouble they can get into by using these tools. This is especially true in situations where young children or teenagers are looking to these services.

**The long arm of the law**

As the various agencies involved in this operation point out, they will be going after users of these services as well as those who operated them. They’re very clear that if you’ve used the now offline booters, you can expect to be paid a visit down the line.

Previous versions of Operation Power Down have explicitly targeted the users of DDoS tools, with police visits to the home and device confiscation thrown into the mix for good measure.

If you’re tempted to use a DDoS tool of any kind, keep this in mind. “I only used it once because I was curious” is probably not going to save you from the law’s reach. As the NCA explains, a DDoS attack a crime under the UK’s Computer Misuse Act 1990. If you’re on the fringes of illegality where this is concerned, check out their Cyber Choices page as soon as possible for a solid explanation of the consequences of these actions, and how you can use your technical skills in a positive manner.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Worldwide law enforcement action takes down major DDoS booter services

Microsoft on Thursday flagged a cross-platform botnet that's primarily designed to launch distributed denial-of-service (DDoS) attacks against private Minecraft servers.
Called MCCrash, the botnet is characterized by a unique spreading mechanism that allows it to propagate to Linux-based devices despite originating from malicious software downloads on Windows hosts.
"The botnet spreads by

Microsoft on Thursday flagged a cross-platform botnet that's primarily designed to launch distributed denial-of-service (DDoS) attacks against private Minecraft servers.

Called **MCCrash**, the botnet is characterized by a unique spreading mechanism that allows it to propagate to Linux-based devices despite originating from malicious software downloads on Windows hosts.

"The botnet spreads by enumerating default credentials on internet-exposed Secure Shell (SSH)-enabled devices," the company said in a report. "Because IoT devices are commonly enabled for remote configuration with potentially insecure settings, these devices could be at risk to attacks like this botnet."

This also means that the malware could persist on IoT devices even after removing it from the infected source PC. The tech giant's cybersecurity division is tracking the activity cluster under its emerging moniker DEV-1028.

A majority of the infections have been reported in Russia, and to a lesser extent in Kazakhstan, Uzbekistan, Ukraine, Belarus, Czechia, Italy, India, and Indonesia. The company did not disclose the exact scale of the campaign.

The initial infection point for the botnet is a pool of machines that have been compromised through the installation of cracking tools that claim to provide illegal Windows licenses.

The software subsequently acts as a conduit to execute a Python payload that contains the core features of the botnet, including scanning for SSH-enabled Linux devices to launch a dictionary attack.

Upon breaching a Linux host using the propagation method, the same Python payload is deployed to run DDoS commands, one of which is specifically set up to crash Minecraft servers ("ATTACK\_MCCRASH").

Microsoft described the method as "highly efficient," noting it's likely offered as a service on underground forums.

"This type of threat stresses the importance of ensuring that organizations manage, keep up to date, and monitor not just traditional endpoints but also IoT devices that are often less secure," researchers David Atch, Maayan Shaul, Mae Dotan, Yuval Gordon, and Ross Bevington said.

The findings come days after Fortinet FortiGuard Labs revealed details of a new botnet dubbed GoTrim, which has been observed brute-forcing self-hosted WordPress websites.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Minecraft Servers Under Attack: Microsoft Warns About Cross-Platform DDoS Botnet

Sweeping operation took down around 50 popular DDoS platforms, just one of which was used in 30M attacks, Europol says.

About 50 of the most popular platforms available for hire to launch distributed denial-of-service (DDoS) attacks against critical Internet infrastructure have been shut down, their operators arrested in a massive international law enforcement crackdown called Operation Power Off.

Europol, along with law enforcement from the UK, US, the Netherlands, Poland, and Germany participated in the takedown targeting DDoS-for-hire services, also called "booter services."

Seven administrators have been arrested, according to Europol's announcement, adding that just one of the services shut down by Operation Power Off was responsible for more than 30 million DDoS attacks.

"DDoS booter services have effectively lowered the entry barrier into cybercrime: for a fee as low as EUR 10, any low-skilled individual can launch DDoS attacks with the click of a button, knocking offline whole websites and networks by barraging them with traffic," Europol's announcement of the success of Operation Power Off said. "The damage they can do to victims can be considerable, crippling businesses financially and depriving people of essential services offered by banks, government institutions and police forces."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

DDoS Attack Platforms Shut Down in Global Law Enforcement Operation

By Waqas
Authorities have also arrested six individuals accused of running DDoS-for-hire services.
This is a post from HackRead.com Read the original post: 48 DDoS-hiring Services Busted by FBI in Major Sweep

The seizure is a part of a coordinated operation dubbed Operation PowerOFF conducted in collaboration with the UK, Europol, and the Netherlands.

On Wednesday, December 14th, the US Department of Justice (DoJ) announced seizing 48 domains and charging six suspects for being involved in Stresser, aka **Booter services**.

These services offered malicious actors a platform to carry out DDoS attacks (distributed denial of service attacks).

The seizure is a part of a coordinated operation dubbed Operation PowerOFF conducted in collaboration with the UK, Europol, and the Netherlands. The operation is targeted against globally active DDoS-for-hire infrastructure.

**Seized Domains Details**

According to the DoJ, the Federal Bureau of Investigation (FBI) seized 48 domains offering to conduct **DDoS for hire services** on behalf of other cybercriminals in exchange for payment in cryptocurrency.

The seized websites reportedly claimed to offer the service of testing the resilience of web infrastructure but actually offered DDoS for hire services. The platforms had targeted victims worldwide, including in the USA. Their key targets were government agencies, educational institutions, and gaming platforms.

*   Bootersx
*   IPStressercom
*   SecurityTeamio
*   Astrostresscom
*   RoyalStressercom
*   TrueSecurityServicesio

According to the DoJ’s **press release**, millions of users were targeted via these platforms. Just on one platform (IPStressercom), over a million registered users carried out at least 30 million **DDoS attacks** between 2014-2022.

Seizure notice on the sites taken over by authorities (Image: Hackread.com)

**What are Booter Platforms?**

Booters are digital platforms that threat actors can carry out **DDoS attacks against IoT devices** and websites after paying a fee to boot off their target from the internet.

Further, users of these platforms can seek help in launching **powerful DDoS attacks** and flooding the targeted networks/computers with information so that the system stops functioning and has to go offline.

**According to** the FBI, “established booter/stresser services” provide an easy platform to threat actors for conducting DDoS attacks and “obscure attribution of DDoS activity.”

**Who are the Suspects?**

Along with seizing the domains, the FBI has charged six individuals suspected of involvement in operating the seized platforms. The charged suspects include the following:

*   Joshua Laing (32)
*   John M. Dobbs (32)
*   Shamar Shattock (19)
*   Cory Anthony Palmer (22)
*   Angel Manuel Colon Jr. (37)
*   Jeremiah Sam Evans Miller (23)

The defendants are charged with running stresser services and violating the computer fraud and abuse act.

**DDoS attacks – A Growing Concern**

DDoS attacks are a growing concern among businesses and organizations around the world. These malicious cyber attacks involve flooding an organization’s network with large amounts of traffic, making it difficult or impossible for legitimate users to access the services they need.

While DDoS attacks can be difficult to prevent, there are several steps organizations can take to protect themselves against such threats. The first step is to ensure that all software and applications used by the organization are updated regularly with the latest security patches.

Organizations should also consider investing in firewalls and other security solutions that can detect and **block DDoS attacks** before they have a chance to affect operations. Additionally, having security protocols in place for authenticating user accounts is important in order to ensure that malicious actors cannot gain unauthorized access.

1.  **Teen hires attacker to DDoS his school district**
2.  **Authorities seize 15 popular DDoS-for-hire websites**
3.  **World’s largest DDoS-for-hire service & seize its domain**
4.  **Dutch Police Seizes 15 DDoS-for-hire services in one week**
5.  **No prison for the crook duo behind vDOS DDoS for hire service**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

48 DDoS-hiring Services Busted by FBI in Major Sweep

The U.S. Department of Justice (DoJ) on Wednesday announced the seizure of 48 domains that offered services to conduct distributed denial-of-service (DDoS) attacks on behalf of other threat actors, effectively lowering the barrier to entry for malicious activity.
It also charged six suspects – Jeremiah Sam Evans Miller (23), Angel Manuel Colon Jr. (37), Shamar Shattock (19), Cory Anthony Palmer

Cyber Attack / DDoS-for-Hire

The U.S. Department of Justice (DoJ) on Wednesday announced the seizure of 48 domains that offered services to conduct distributed denial-of-service (DDoS) attacks on behalf of other threat actors, effectively lowering the barrier to entry for malicious activity.

It also charged six suspects – Jeremiah Sam Evans Miller (23), Angel Manuel Colon Jr. (37), Shamar Shattock (19), Cory Anthony Palmer (22), John M. Dobbs (32), and Joshua Laing (32) – for their alleged ownership in the operation.

The websites "allowed paying users to launch powerful distributed denial-of-service, or DDoS, attacks that flood targeted computers with information and prevent them from being able to access the internet," the DoJ said in a press statement.

The six defendants have been charged with various running booter (or stresser) services, including RoyalStresser\[.\]com, SecurityTeam\[.\]io, Astrostress\[.\]com, Booter\[.\]sx, IPStresser\[.\]com, and TrueSecurityServices\[.\]io. They have also been accused of violating the computer fraud and abuse act.

These websites, although claiming to provide testing services to assess the resilience of a paying customer's web infrastructure, are believed to have targeted several victims in the U.S. and elsewhere, such as educational institutions, government agencies, and gaming platforms.

The DoJ noted that millions of individuals were attacked using the DDoS-for-hire platforms. According to court documents, over one million registered users of IPStresser\[.\]com conducted or attempted to carry out more than 30 million DDoS attacks between 2014 and 2022.

An analysis of communications between the booter site administrators and their customers undertaken by the U.S. Federal Bureau of Investigation (FBI) shows that the services are obtained through a cryptocurrency payment.

"Established booter and stresser services offer a convenient means for malicious actors to conduct DDoS attacks by allowing such actors to pay for an existing network of infected devices, rather than creating their own," the FBI said. "Booter and stresser services may also obscure attribution of DDoS activity."

The development comes four years after the DoJ and FBI took similar steps in December 2018 to seize 15 domains that advertised computer attack platforms like Critical-boot\[.\]com, RageBooter\[.\]com, downthem\[.\]org, quantumstress\[.\]net, Booter\[.\]ninja, and Vbooter\[.\]org.

The domain takedowns are part of an ongoing coordinated law enforcement effort codenamed Operation PowerOFF in collaboration with the U.K., the Netherlands, and Europol aimed at dismantling criminal DDoS-for-hire infrastructures worldwide.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

FBI Charges 6, Seizes 48 Domains Linked to DDoS-for-Hire Service Platforms

The U.S. Department of Justice (DOJ) today seized four-dozen domains that sold “booter” or “stresser” services — businesses that make it easy and cheap for even non-technical users to launch powerful Distributed Denial of Service (DDoS) attacks designed knock targets offline. The DOJ also charged six U.S. men with computer crimes related to their alleged ownership of the popular DDoS-for-hire services.

The **U.S. Department of Justice** (DOJ) today seized four-dozen domains that sold “booter” or “stresser” services — businesses that make it easy and cheap for even non-technical users to launch powerful Distributed Denial of Service (DDoS) attacks designed knock targets offline. The DOJ also charged six U.S. men with computer crimes related to their alleged ownership of the popular DDoS-for-hire services.

The booter service OrphicSecurityTeam\[.\]com was one of the 48 DDoS-for-hire domains seized by the Justice Department this week.

The DOJ said the 48 domains it seized helped paying customers launch millions of digital sieges capable of knocking Web sites and even entire network providers offline.

Booter services are advertised through a variety of methods, including Dark Web forums, chat platforms and even youtube.com. They accept payment via PayPal, Google Wallet, and/or cryptocurrencies, and subscriptions can range in price from just a few dollars to several hundred per month. The services are generally priced according to the volume of traffic to be hurled at the target, the duration of each attack, and the number of concurrent attacks allowed.

Prosecutors in Los Angeles say the booter sites **supremesecurityteam\[.\]com** and **royalstresser\[.\]com** were the brainchild of **Jeremiah Sam Evans Miller**, a.k.a. “John the Dev,” a 23-year-old from San Antonio, Texas. Miller was charged this week with conspiracy and violations of the Computer Fraud and Abuse Act (CFAA). The complaint against Miller alleges Royalstresser launched nearly 200,000 DDoS attacks between November 2021 and February 2022.

Defendant **Angel Manuel Colon Jr.**, a.k.a Anonghost720 and Anonghost1337, is a 37-year-old from Belleview, Fla. Colon is suspected of running the booter service **securityteam\[.\]io**. He was also charged with conspiracy and CFAA violations. The feds say the SecurityTeam stresser service conducted 1.3 million attacks between 2018 and 2022, and attracted some 50,000 registered users.

Charged with conspiracy were **Corey Anthony Palmer**, 22, of Lauderhill, Fla, for his alleged ownership of **booter\[.\]sx**; and **Shamar Shattock**, 19, of Margate, Fla., for allegedly operating the booter service **astrostress\[.\]com**, which had more than 30,000 users and blasted out some 700,000 attacks.

Two other alleged booter site operators were charged in Alaska. **John M. Dobbs**, 32, of Honolulu, HI is charged with aiding and abetting violations of the CFAA related to the operation of **IPStresser\[.\]com**, which he allegedly ran for nearly 13 years until last month. During that time, IPstresser _launched approximately 30 million DDoS attacks_ and garnered more than two million registered users.

**Joshua Laing**, 32, of Liverpool, NY, also was charged with CFAA infractions tied to his alleged ownership of the booter service **TrueSecurityServices\[.\]io**, which prosecutors say had 18,000 users and conducted over 1.2 million attacks between 2018 and 2022.

Purveyors of stressers and booters claim they are not responsible for how customers use their services, and that they aren’t breaking the law because — like most security tools — stresser services can be used for good or bad purposes. For example, all of the above-mentioned booter sites contained wordy “terms of use” agreements that required customers to agree they will only stress-test their own networks — and that they won’t use the service to attack others.

Dobbs, the alleged administrator of IPStresser, gave an interview to ZDNet France in 2015, in which he asserted that he was immune from liability because his clients all had to submit a digital signature attesting that they wouldn’t use the site for illegal purposes.

“Our terms of use are a legal document that protects us, among other things, from certain legal consequences,” Dobbs told ZDNet. “Most other sites are satisfied with a simple checkbox, but we ask for a digital signature in order to imply real consent from our customers.”

But the DOJ says these disclaimers usually ignore the fact that most booter services are heavily reliant on constantly scanning the Internet to commandeer misconfigured devices that are critical for maximizing the size and impact of DDoS attacks.

“None of these sites ever required the FBI to confirm that it owned, operated, or had any property right to the computer that the FBI attacked during its testing (as would be appropriate if the attacks were for a legitimate or authorized purpose),” reads an affidavit (PDF) filed by **Elliott Peterson**, a special agent in the FBI’s Anchorage field office.

“Analysis of data related to the FBI-initiated attacks revealed that the attacks launched by the SUBJECT DOMAINS involved the extensive misuse of third-party services,” Peterson continued. “All of the tested services offered ‘amplification’ attacks, where the attack traffic is amplified through unwitting third-party servers in order to increase the overall attack size, and to shift the financial burden of generating and transmitting all of that data away from the booter site administrator(s) and onto third parties.”

According to U.S. federal prosecutors, the use of booter and stresser services to conduct attacks is punishable under both wire fraud laws and the Computer Fraud and Abuse Act (18 U.S.C. § 1030), and may result in arrest and prosecution, the seizure of computers or other electronics, as well as prison sentences and a penalty or fine.

The charges unsealed today stemmed from investigations launched by the FBI’s field offices in Los Angeles and Alaska, which spent months purchasing and testing attack services offered by the booter sites.

A similar investigation initiating from the FBI’s Alaska field office in 2018 culminated in a takedown and arrest operation that targeted 15 DDoS-for-hire sites, as well as three booter store defendants who later pleaded guilty.

The Justice Department says its trying to impress upon people that even buying attacks from DDoS-for-hire services can land Internet users in legal jeopardy.

“Whether a criminal launches an attack independently or pays a skilled contractor to carry one out, the FBI will work with victims and use the considerable tools at our disposal to identify the person or group responsible,” said **Donald Alway**, the assistant director in charge of the FBI’s Los Angeles field office.

“Potential users and administrators should think twice before buying or selling these illegal services,” said **Special Agent Antony Jung** of the FBI Anchorage field office. “The FBI and our international law enforcement partners continue to intensify efforts in combatting DDoS attacks, which will have serious consequences for offenders.”

The United Kingdom, which has been battling its fair share of domestic booter bosses, in 2020 started running online ads aimed at young people who search the Web for booter services. And in Europe, prosecutors have even gone after booter customers.

In conjunction with today’s law enforcement action, the FBI and the Netherlands Police joined authorities in the U.K. in announcing they are now running targeted placement ads to steer those searching for booter services toward a website detailing the potential legal risks of hiring an online attack.

“The purpose of the ads is to deter potential cyber criminals searching for DDoS services in the United States and around the globe, as well as to educate the public on the illegality of DDoS activities,” the DOJ said in a press release.

Here is the full list of booter site domains seized (or in the process of being seized) by the DOJ:

api-sky\[.\]xyz  
astrostress\[.\]com  
blackstresser\[.\]net  
booter\[.\]sx  
booter\[.\]vip  
bootyou\[.\]net  
brrsecurity\[.\]org  
buuter\[.\]cc  
cyberstress\[.\]us  
defconpro\[.\]net  
dragonstresser\[.\]com  
dreams-stresser\[.\]io  
exotic-booter\[.\]com  
freestresser\[.\]so  
instant-stresser\[.\]com  
ipstress\[.\]org  
ipstress\[.\]vip  
ipstresser\[.\]com  
ipstresser\[.\]us  
ipstresser\[.\]wtf  
ipstresser\[.\]xyz  
kraysec\[.\]com  
mcstorm\[.\]io  
nightmarestresser\[.\]com  
orphicsecurityteam\[.\]com  
ovhstresser\[.\]com  
quantum-stresser\[.\]net  
redstresser\[.\]cc  
royalstresser\[.\]com  
securityteam\[.\]io  
shock-stresser\[.\]com  
silentstress\[.\]net  
stresser\[.\]app  
stresser\[.\]best  
stresser\[.\]gg  
stresser\[.\]is  
stresser\[.\]net/stresser\[.\]org  
stresser\[.\]one  
stresser\[.\]shop  
stresser\[.\]so  
stresser\[.\]top  
stresserai\[.\]com  
sunstresser\[.\]com  
supremesecurityteam\[.\]com  
truesecurityservices\[.\]io  
vdos-s\[.\]co  
zerostresser\[.\]com

Tag

#ddos