A Kremlin spokesman said that the St. Petersburg International Economic Forum accreditation and admissions systems were shut down by a DDoS attack.

Billed as the "Russian Davos," the St. Petersburg Economic Forum was stalled on Friday by a distributed denial-of-service (DDoS) attack, delaying a speech from Russian President Vladimir Putin for more than an hour.

The attack was confirmed by Kremlin spokesman Dmitry Peskov, who told Reuters that the admissions and accreditation systems were shut down by the DDoS attack. He did not place blame on any specific individual or group, but as Reuters reported, the "situation in Ukraine loomed large."

About 100 minutes after its scheduled start time, Reuters reported that Putin gave his remarks and lashed out at the West's sanctions put in place following the Russian invasion of Ukraine, which he called a "blitzkrieg" on his country's economy.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

DDoS Attacks Delay Putin Speech at Russian Economic Forum

Matthew Gatrel has been found guilty of three counts of computer-related crime. His partner in crime, Juan "Severon" Martinez, pleaded guilty before the trial.
The post DDoS-for-hire service provider jailed appeared first on Malwarebytes Labs.

Matthew Gatrel, a 33-year-old man from St. Charles, Illinois, has been sentenced to two years in prison for running websites that provide powerful distributed denial-of-service (DDoS) attacks against internet users and websites. This sentencing resulted in the seizure of his websites, making the internet a little safer from DDoS attacks.

Gatrel was the administrator and owner of DownThem.org and AmpNode.com, two DDoS-for-hire websites with thousands of clients which launched attacks against more than 200,000 targets. He was convicted of three charges, including conspiracy to commit unauthorized impairment of a protected computer, conspiracy to commit wire fraud, and unauthorized impairment of a protected computer.

“Gatrel ran a criminal enterprise designed around launching hundreds of thousands of cyberattacks on behalf of hundreds of customers,” prosecutors wrote in a sentencing memorandum. More from that memorandum:

> “He also provided infrastructure and resources for other cybercriminals to run their own businesses launching these same kinds of attacks. These attacks victimized wide swaths of American society and compromised computers around the world.”

Prosecutors said that DownThem.org was a subscription-based service that allowed paying customers to launch DDoS attacks at targets of their choice.

AmpNode.com was a “bulletproof” server hosting service provider “with an emphasis on ‘spoofing’ servers that could be pre-configured with DDoS attack scripts and lists of vulnerable ‘attack amplifiers’ used to launch simultaneous cyberattacks on victims”.

Gatrel’s services helped launch attacks against targets worldwide, including homes, schools, universities, financial institutions, and local government websites. Many clients of AmpNode also operated DDoS-for-hire services.

This website seizure splash screen appears when you visit DownThem.

Prosecutors also said that Gatrel offered expert advice and guidance to clients of both services, ranging from different methods to “down” different types of computers to bypassing DDoS protection services. To get potential clients to buy in, he used DownThem to launch a DDoS attack against these clients’ intended victims and provide proof that their internet connection had been severed.

Juan “Severon” Martinez from Pasadena, California, Gatrel’s co-defendant and criminal partner, pleaded guilty to the unauthorized impairment of a protected computer. He was sentenced to five years’ probation.

DDoS-for-hire service provider jailed

The U.S. Department of Justice (DoJ) on Thursday disclosed that it took down the infrastructure associated with a Russian botnet known as RSOCKS in collaboration with law enforcement partners in Germany, the Netherlands, and the U.K.
The botnet, operated by a sophisticated cybercrime organization, is believed to have ensnared millions of internet-connected devices, including Internet of Things (

The U.S. Department of Justice (DoJ) on Thursday disclosed that it took down the infrastructure associated with a Russian botnet known as RSOCKS in collaboration with law enforcement partners in Germany, the Netherlands, and the U.K.

The botnet, operated by a sophisticated cybercrime organization, is believed to have ensnared millions of internet-connected devices, including Internet of Things (IoT) devices, Android phones, and computers for use as a proxy service.

Botnets, a constantly evolving threat, are networks of hijacked computer devices that are under the control of a single attacking party and are used to facilitate a variety of large-scale cyber intrusions such as distributed denial-of-service (DDoS) attacks, email spam, and cryptojacking.

"The RSOCKS botnet offered its clients access to IP addresses assigned to devices that had been hacked," the DoJ said in a press release. "The owners of these devices did not give the RSOCKS operator(s) authority to access their devices in order to use their IP addresses and route internet traffic."

Besides home businesses and individuals, several large public and private entities, including a university, a hotel, a television studio, and an electronics manufacturer, have been victimized by the botnet to date, the prosecutors said.

Customers wanting to avail proxies from RSOCKS could rent access via a web-based storefront for different time periods at various price points ranging from $30 per day for access to 2,000 proxies to $200 per day for access to 90,000 proxies.

Once purchased, criminal actors could then redirect malicious internet traffic through the IP addresses associated with the compromised victim devices to conceal their true intent, which was to carry out credential stuffing attacks, access compromised social media accounts, and send out phishing messages.

The action is the culmination of an undercover operation mounted by the Federal Bureau of Investigation (FBI) in early 2017, when it made covert purchases from RSOCKS to map out its infrastructure and its victims, allowing it to determine roughly 325,000 infected devices.

"Through analysis of the victim devices, investigators determined that the RSOCKS botnet compromised the victim device by conducting brute force attacks," the DoJ said. "The RSOCKS backend servers maintained a persistent connection to the compromised device."

The disruption of RSOCKS arrives less than two weeks after it seized an illicit online marketplace known as SSNDOB for trafficking personal information such as names, dates of birth, credit card numbers, and Social Security numbers of about 24 million individuals in the U.S.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Authorities Shut Down Russian RSOCKS Botnet That Hacked Millions of Devices

All versions of package pg-native; all versions of package libpq are vulnerable to Denial of Service (DoS) when the addons attempt to cast the second argument to an array and fail. This happens for every non-array argument passed.

**Note:**
pg-native is a mere binding to npm's libpq library, which in turn has the addons and bindings
to the actual C libpq library. This means that problems found in pg-native  may transitively impact 
npm's libpq.




Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

*   **snyk-id**
    
    SNYK-JS-LIBPQ-2392366
    
*   **published**
    
    14 Jun 2022
    
*   **disclosed**
    
    3 Feb 2022
    
*   **credit**
    
    Cristian-Alexandru Staicu, Snyk Security Labs
    

**How to fix?**

There is no fixed version for libpq.

**Overview**

libpq is a node native bindings to the PostgreSQL libpq C client library.

Affected versions of this package are vulnerable to Denial of Service (DoS) when the addons attempt to cast the second argument to an array and fail. This happens for every non-array argument passed.

**Note:** pg-native is a mere binding to npm's libpq library, which in turn has the addons and bindings to the actual C libpq library. This means that problems found in pg-native may transitively impact npm's libpq.

**PoC**

    //pg-native -> poc.js
    
    let Client = require('pg-native') 
    let client = new Client(); 
    client.connectSync(); 
    client.query('some str', 1, function() {});
    
    //libpq -> poc.js
    
    var Libpq = require('libpq') 
    const pq = new Libpq(); 
    pq.sendQueryParams("some str", 1) 
    

**Details**

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

*   High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
    
*   Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

CVE-2022-25852: Denial of Service (DoS) in libpq | CVE-2022-25852 | Snyk

All versions of package @discordjs/opus are vulnerable to Denial of Service (DoS) when trying to encode using an encoder with zero channels, or a non-initialized buffer. This leads to a hard crash.



Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

*   **snyk-id**
    
    SNYK-JS-DISCORDJSOPUS-2403100
    
*   **published**
    
    16 Jun 2022
    
*   **disclosed**
    
    16 Feb 2022
    
*   **credit**
    
    Cristian-Alexandru Staicu
    

**How to fix?**

There is no fixed version for @discordjs/opus.

**Overview**

@discordjs/opus is a native bindings to libopus.

Affected versions of this package are vulnerable to Denial of Service (DoS) when trying to encode using an encoder with zero channels, or a non-initialized buffer. This leads to a hard crash.

**PoC**

// Zero channels:

    const { OpusEncoder } = require('@discordjs/opus');
     const encoder = new OpusEncoder(48000, 0);
     try {
         const encoded = encoder.encode(Buffer.from("aaa"));
     } catch(e) {
    console.log("This will never run")
         // never executed because of the hard crash
     }
    

// Non-initialized buffer:

    const { OpusEncoder } = require('@discordjs/opus');
    const encoder = new OpusEncoder(48000, 2);
    try {
         const encoded = encoder.encode(null);
    } catch(e) {
    // never executed because of the hard crash
    }
    

**Details**

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

*   High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
    
*   Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

CVE-2022-25345: Denial of Service (DoS) in @discordjs/opus | CVE-2022-25345 | Snyk

All versions of package fast-string-search are vulnerable to Denial of Service (DoS) when computations are incorrect for non-string inputs. One can cause the V8 to attempt reading from non-permitted locations and cause a segmentation fault due to the violation.




Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

*   **snyk-id**
    
    SNYK-JS-FASTSTRINGSEARCH-2392367
    
*   **published**
    
    15 Jun 2022
    
*   **disclosed**
    
    3 Feb 2022
    
*   **credit**
    
    Cristian-Alexandru Staicu
    

**How to fix?**

There is no fixed version for fast-string-search.

**Overview**

fast-string-search is a module that can search substrings in a string by using N-API and boyer-moore-magiclen.

Affected versions of this package are vulnerable to Denial of Service (DoS) when computations are incorrect for non-string inputs. One can cause the V8 to attempt reading from non-permitted locations and cause a segmentation fault due to the violation.

**PoC**

    const fss = require('fast-string-search');
    
    let res1 = fss.indexOfSkip("no way this will", "w");
    let res2 = fss.indexOfSkip(1, 1); 
    
    console.log(res1);
    console.log(res2);
    
    // you can also crash it after a very long useless computation, by running this instead of lines 6-11: 
    let a = new Array(10000)
    let res2 = fss.indexOfSkip(1, 1); // segfaults after 5 seconds
    

**Details**

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

*   High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
    
*   Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

CVE-2022-22138: Denial of Service (DoS) in fast-string-search | CVE-2022-22138 | Snyk

Proietti Tech srl Planet Time Enterprise 4.2.0.1,4.2.0.0,4.1.0.0,4.0.0.0,3.3.1.0,3.3.0.0 is vulnerable to Remote code execution via the Viewstate parameter.

**Cloud Cyber Security PlatformEuropean Cyber Research TeamThreat Intelligence PlatformThe Cyber Security Partner**

La piattaforma di Security Testing e Threat Intelligence e il Cyber Competence Center di Swascan per il Cyber Security Framework Aziendale.  
Sicurezza Predittiva. Sicurezza Preventiva. Sicurezza Proattiva.

Prova il Free Trial

**In evidenza**

**Webinar - Framework Nazionale per la Cyber Security e la Data Protection: how to**

All'interno del panorama nazionale italiano, il Framework Nazionale per la Cybersecurity e la Data Protection, rappresenta un punto di riferimento adottato da realtà fortemente eterogenee come strumento per l’organizzazione della propria strategia di difesa rispetto alle minacce informatiche.

Iscriviti

**Corso propedeutico alla certificazione CISSP**

La certificazione CISSP non è solo un riconoscimento oggettivo di eccellenza, ma uno standard riconosciuto a livello globale per i professionisti e i manager chiamati a gestire le problematiche di Cyber Security e Information Security. Registrati al corso e frequenta le lezioni a partire dal 05 settembre 2022.

Scopri di più

**Report Cyber Risk Indicators: Sanità Italiana 2022 e 2021 a confronto**

ll servizio di Cyber Risk Indicators determina e misura il potenziale rischio cyber del settore oggetto di analisi. In questa analisi abbiamo preso in esame il livello di esposizione al rischio cyber delle infrastrutture critiche italiane. Gli indicatori sono stati identificati con il servizio di Domain Threat Intelligence (DTI) e Cyber Threat Intelligence (CTI).

Scopri di più

**Cyber Security Framework**

Il Cyber Security Framework è il fondamento della postura di sicurezza della tua azienda. Un insieme di processi e tecnologie che operano all’unisono per ridurre al minimo l’esposizione al rischio cyber. Si fonda sulla sicurezza predittiva, preventiva e proattiva.

**Sicurezza Predittiva**

La Sicurezza Predittiva opera a livello di Threat Intelligence. Attraverso l’analisi di fonti OSINT e CLOSINT, a livello di Web, Dark Web e Deep Web identifica minacce, rischi e informazioni relativi all’azienda target. La Sicurezza Predittiva permette di anticipare le criticità impostando correttamente la sicurezza preventiva e proattiva.

**Sicurezza Preventiva**

La Sicurezza Preventiva agisce in termini di Analisi del Rischio tecnologico, umano e di processo. Attività che rientrano negli obblighi legislativi e in termini di best practice internazionale. Le attività fanno riferimento a penetration test, vulnerability assessment, ransomware attack simulation, phishing simulation, formazione, CIS, NIST, ISO27001, GDPR Assessment.

**Sicurezza Proattiva**

La Sicurezza Proattiva permette l’adozione degli approcci relativi alla security by detection e alla security by reaction. Attraverso l’adozione di security operation center (SOC) permette di monitorare, identificare, analizzare, gestire e bloccare eventuali minacce in essere all’interno dell’azienda. La componente incident response management garantisce la corretta gestione degli incidenti aziendali attraverso l’utilizzo di Team specializzati e competenti.

Scopri i nostri servizi

**La Piattaforma di Swascan**

Swascan è la prima suite interamente in Cloud di Security Testing e Threat Intelligence: scopri tutti i servizi disponibili ora!

Domain Threat Intelligence

Cyber Threat Intelligence

Phishing Attack Simulation

Smishing Attack Simulation

Prova il Free Trial

**Cyber Security Competence Center**

**Cyber Incident Response**

Un Cyber team dedicato di pronto intervento Cyber per la gestione di Cyber Incident, attacchi DDOS, Data Breach e Attacchi Ransomware.

**Soc as a Service**

Il servizio dedicato di Monitoring & Early Warning di Swascan per la corretta gestione della sicurezza proattiva e sicurezza preventiva.

**Penetration Test**

Le attività di Penetration Test sono svolte Penetration Tester certificati e in linea con gli standard internazionali OWASP, PTES e OSSTMM.

**GRC Management**

Servizi di Security Advisory  a livello consulenziale e a livello operativo per supportare i clienti nei piani di remediation, gestione della Cyber Security, Compliance Management e Risk Management.

**Cyber Academy**

Corsi di formazione dedicati di Cybersecurity in aula o tramite Webinar. Attività di Awareness per il personale tecnico, per i dipendenti e per i Top Manager.

**Cloud Security**

Un Cyber Competence Center dedicato al mondo Cloud per le attività di governance, supporto e tutela dell’ intero insieme di tecnologie, protocolli e best practice degli ambienti cloud computing.

**24/7 Cyber Security Operation Center**

Un team dedicato nell’attività di Sicurezza Proattiva e Reattiva delle minacce informatiche sulle reti locali, ambienti cloud, applicazioni ed endpoint aziendali. Il nostro team di Security Analyst monitora i dati e le risorse, H24, 7 giorni su 7 per 365 giorni all’anno.

Threat Detection & Analysis

Valutazione minacce e vulnerabilità

Endpoint detection and response (EDR)

Network detection response

Event Correlation / Log Management

**Penetration Testing**

Il team offensive di Swascan è certificato ISO27001 e ISO9001  
Tutte le attività rispettano gli standard OWASP, PTES e OSSTMM.

**Cyber Academy**

Nella sicurezza informatica sono indubbiamente i comportamenti umani a fare la differenza, prima ancora che la tecnologia.  
La nostra Cyber Academy offre una vasta gamma di percorsi formativi strutturati per rispondere a differenti livelli di esperienza e di specializzazione tecnica.

Scopri i nostri Corsi

**Cyber Threat Intelligence**

Il servizio di Cyber Threat Intelligence di Swascan ha lo scopo e l’obiettivo di individuare le eventuali informazioni pubbliche disponibili a livello Web, Dark Web e Deep Web relative ad un determinato target. L’attività prevede la raccolta e l’analisi delle informazioni relative ad una serie di macro aree critiche quali:

Domain Threat Intelligence

**Diventa Partner Swascan**

Scopri di più sullo Swascan Partner Program, grazie al quale i nostri partner servono al meglio i clienti, forniscono soluzioni rapide e ne promuovono la crescita.

Scopri il Partner Program

CVE-2022-30422: Home - Swascan

By Deeba Ahmed
The DDoS attack originated from 121 countries and was powered by a small botnet of only 5,067 hacked…
This is a post from HackRead.com Read the original post: Cloudflare Thwarted Largest Ever HTTPS DDoS Attack

****The DDoS attack originated from 121 countries and was powered by a small botnet of only 5,067 hacked IoT devices.****

Cloudflare has reported stopping a record-breaking HTTPS DDoS attack (distributed denial of service attack) this month. The company claims this attack peaked at 26 million requests per second (RPS), making it the largest ever HTTPS DDoS flood recorded.

It is worth noting that in April 2022, Cloudflare reported stopping a similar attack that peaked at 15.3 million rps. Evidently, the latest attack is significantly larger than the previous one. Cloudflare is an American DDoS mitigation, SSL certificate service, and content delivery network. 

**An Unusual Attack**

Cloudflare’s product manager, Omer Yoachimik, noted that the target was a customer using a Free plan. The previous largest DDoS attack reported by the company was also targeted against one of its customers.

The latest attack is far more unusual than the one it mitigated in April. That’s because of several factors, such as the size and the fact that attackers used junk HTTPS requests. 

Moreover, the attack came from Cloud Service Providers instead of Residential ISPs, and virtual servers and machines were hijacked to launch this attack rather than low-bandwidth, infected IoTs (internet of things) devices.

The company reaffirmed that all the customers using its Free and Pro plans are protected against DDoS and similar attacks regardless of the attack duration or size.

**Further Details**

Cloudflare explained that a relatively tiny but powerful botnet was used to carry out this DDoS attack. Surprisingly, the botnet comprised only 5,067 devices. The attack originated from 121 countries, and each node made 5,200 rps at its peak moment. 

Within 30 seconds, the botnet generated 212 million requests over 1,500 networks, which is more powerful than other botnets the company has tracked so far, some of which even comprised over 730,000 devices at an average of 1.3rps/device. 

Most requests came from Indonesia, Brazil, the USA, and Russia. Conversely, around 3% of this attack was carried through TOR connections. Since the attack involved HTTPS, it cost attackers more money to launch it, and the company bore a massive financial burden for mitigating it.

> “HTTPS DDoS attacks are more expensive in terms of required computational resources because of the higher cost of establishing a secure TLS encrypted connection. Therefore, it costs the attacker more to launch the attack, and for the victim to mitigate it. We’ve seen very large attacks in the past over (unencrypted) HTTP, but this attack stands out because of the resources it required at its scale.”
> 
> Cloudflare – Blog post 

**More DDoS Attack News**

*   Imperva mitigated a series of massive ransom DDoS attacks
*   DDoS Attacks by Hacktivists Disrupted Russian Alcohol Supply Chain
*   Growing Threat of Ransom DDoS Attacks Requires Effective Mitigation
*   Pro-Iran Group ALtahrea Hits Port of London Website by DDoS Attacks
*   Admin of DDoS-For-Hire Service “DownThem” Gets 2 Years Prison Sentence

Cloudflare Thwarted Largest Ever HTTPS DDoS Attack

The number and power of DDoS attacks keep growing at an incredible rate year over year. Recently a new HTTPS DDoS attack record was broken.
The post Record breaking HTTPS DDoS attack appeared first on Malwarebytes Labs.

Last week, Cloudflare blocked the largest HTTPS DDoS attack on record. The attack amassed some 26 million requests per second (rps). The previous record for a HTTPS DDoS attack was 15.3 million rps.

The attack targeted an unnamed Cloudflare customer and originated mostly from Cloud Service Providers.

**DDoS over HTTPS**

DDoS stands for Distributed Denial of Service. This type of attack involves sending large amounts of traffic from multiple sources to a service or website, intending to overwhelm it and make it inaccessible for regular users. DDoS attacks have been growing considerably in number and scale over the past years.

DDoS attacks require traffic to come from many sources. Large numbers can be found in IoT botnets, but given the necessary computational resources needed to pull off an attack this powerful, there is no IoT botnet strong enough. This attack originated from a small but powerful botnet of 5,067 devices. This and the fact that the attack originated from Cloud Service Providers indicates the use of hijacked virtual machines and powerful servers to generate the attack.

What makes the HTTPS DDoS attack more expensive, in terms of required computational resources, is the fact that such an attack requires a secure TLS encrypted connection. The advantage of using such a HTTPS DDoS attack is that it also costs the victim more to mitigate it.

**The attack**

Within less than 30 seconds, this botnet generated more than 212 million HTTPS requests from over 1,500 networks in 121 countries.

Even though 30 seconds is not that long, such an attack can disrupt an unprotected internet property like a network or online service for a long time. DDoS attacks can cripple some online businesses for a period of time long enough to set them back considerably, or even put them out of business completely for the length of the attack and some period afterwards.

Without knowing who the target was it is hard to guess at the reason behind the attack. Application-layer denial-of-service attacks disrupt web servers and other kinds of networked software by making them unable to process legitimate requests.

The goal usually is the disruption itself or to abuse the vulnerable state in which it leaves the internet property.

**Good news**

International cooperation between the Federal Bureau of Investigation (FBI), the United Kingdom National Crime Agency, and the Dutch Police has brought an end to a DDoS platform that gave threat actors short-term access to malicious infrastructure, enabling them to carry out damaging attacks by renting and selecting DDoS attacks they would like to launch. In this case an Illinois man running the websites DownThem.org and AmpNode.com was sentenced to 24 months in federal prison.

> “Records from the DownThem service revealed more than 2,000 registered users and more than 200,000 launched attacks, including attacks on homes, schools, universities, municipal and local government websites, and financial institutions worldwide.”

The system was set up to use one or more of their own dedicated attack servers to appropriate the resources of hundreds or thousands of other servers connected to the internet in reflected amplification attacks.

A reflection amplification attack is a technique that allows attackers to both magnify the amount of malicious traffic they can generate and obscure the sources of the attack traffic.

**Mitigation**

Scrambling for a solution at the moment you find out that you are the target of a DDoS attack is not the best strategy, especially if your organization depends on internet-facing servers. Without an automated defense, the attack would very likely have ended even before you noticed. But the damage would have been done.

Ideally, you want to detect, identify, and mitigate DDoS attacks before they reach their target. You can do that through two types of defenses:

*   On-premise protection (e.g. identifying, filtering, detection, and network protection)
*   Cloud-based counteraction (e.g. deflection, absorption, rerouting, and scrubbing)

The best of both worlds is a hybrid solution that detects an attack on-premise early on and escalates to a cloud-based solution when it reaches a volume that the on-premise solution cannot handle.

Stay safe, everyone!

Record breaking HTTPS DDoS attack

In response to a comment about the Prophet Mohammed, a hacktivist group in Malaysia has unleashed a wave of cyber attacks in India.

In response to a comment about the Prophet Mohammed, a hacktivist group in Malaysia has unleashed a wave of cyber attacks in India.

According to a new advisory from Radware, a hacktivist group called DragonForce Malaysia, “with the assistance of several other threat groups, has begun indiscriminately scanning, defacing and launching denial-of-service attacks against numerous websites in India.” In addition to DDoS, their targeted campaign – dubbed “OpsPatuk” – involves advanced threat actors “leveraging current exploits, breaching networks and leaking data.”

DragonForce Malaysia – best known for their hacktivism in support of the Palestinian cause – have turned their attention on India this time, in response to a controversial comment made by a Hindu political spokesperson about the Prophet Mohammed.

According to the advisory, OpsPatuk remains ongoing today.

**The Casus Belli**

In a televised debate last month, Nupur Sharma – a spokesperson for the Hindu nationalist Bharatiya Janata Party (BJP) – made controversial remarks regarding the age of the Prophet Mohammed’s third wife, Aisha. Widespread outrage followed, involving statements from leaders in the Muslim world, widespread protests, and the outsting of Sharma herself from BJP.

Then, beginning on June 10, DragonForce Malaysia entered the fray. Their new offensive against the government of India was first enshrined in a tweet:

_Greetings The Government of India._ _We Are DragonForce Malaysia._ _This is a special operation on the insult of our Prophet Muhammad S.A.W._ _India Government website hacked by DragonForce Malaysia. We will never remain silent._ _Come Join This Operation !_ _#OpsPatuk Engaged_

(image from @DragonForceIO on Twitter)

The new advisory confirms that the group has used DDoS to perform “numerous defacements across India,” pasting their logo and messaging to targeted websites.

The group also “claimed to have breached and leaked data from various government agencies, financial institutions, universities, service providers, and several other Indian databases.”

The researchers also observed other hacktivists – ‘Localhost’, ‘M4NGTX’, ‘1887’, and ‘RzkyO’ – joining the party, “defacing multiple websites across India in the name of their religion.”

**Who are DragonForce Malaysia?**

DragonForce Malaysia is a hacktivist group in the vein of Anonymous. They’re connected by political goals, with a penchant for sensationalism. Their social media channels and website forums – used for everything “ranging from running an eSports team to launching cyberattacks” – are visited by tens of thousands of users.

In the past, DragonForce have launched attacks against organizations and government entities across the Middle East and Asia. Their favorite target has been Israel, having launched multiple operations – #OpsBedil, #OpsBedilReloaded and #OpsRWM – against the nation and its citizens.

According to the authors of the advisory, DragonForce are “not considered an advanced or a persistent threat group, nor are they currently considered to be sophisticated. But where they lack sophistication, they make up for it with their organizational skills and ability to quickly disseminate information to other members.” Like Anonymous and the Low Orbit Ion Cannon, DragonForce weaponizes their own open source DoS tools –  Slowloris, DDoSTool, DDoS-Ripper, Hammer, and more – in choreographed, flashy website defacements.

Some members, “over the last year, have demonstrated the ability and desire to evolve into a highly sophisticated threat group.” Among other things, that’s included leveraing publicly disclosed vulnerabilities. In OpsPatuk, for example, they’ve been working with the recently discovered CVE-2022-26134.

“DragonForce Malaysia and its associates have proven their ability to adapt and evolve with the threat landscape in the last year,” concluded the authors. With no signs of slowing down, “Radware expects DragonForce Malaysia to continue launching new reactionary campaigns based on their social, political, and religious affiliations in the foreseeable future.”

Tag

#ddos