
35 Years of Imprisonment for the Administrator of 200,000 DDoS Attacks


After a nine-day trial, a California jury found the administrator of two distributed denial of service (DDoS) operations guilty. Matthew Gatrel, a 32-year-old man from Saint Charles, Illinois, operated two websites that let paying users launch over 200,000 DDoS attacks on private and public targets.

Court filings disclose that Gatrel had operated DDoS services since October 2014 through two sites, DownThem and AmpNode. Gatrel used DownThem to sell DDoS-for-hire subscriptions (sometimes referred to as "booters" or "stressers"), while AmpNode supplied clients with pre-configured servers loaded with DDoS attack programs and lists of vulnerable systems that could be used to amplify attacks.

Researchers found more than 2,000 registered clients in the databases of the DownThem booter portal. According to the court documents, those users launched more than 200,000 DDoS attacks. Targets included households, schools, universities, websites of municipal and local authorities, and financial organizations around the world.

“Often called a ‘booting’ service, DownThem itself relied upon powerful servers associated with Gatrel’s AmpNode bulletproof hosting service. Many AmpNode customers were themselves operating for-profit DDoS services,” said the U.S. Department of Justice.

Clients could choose from several subscription tiers, each offering different attack capabilities such as duration, intensity, or the ability to run concurrent attacks.

Once a target was confirmed reachable, the service would launch "reflected amplification attacks" from AmpNode attack servers, employing "hundreds or thousands of other servers connected to the Internet."

Gatrel did not act alone in this operation: in 2018, Juan Martinez of Pasadena helped him run the DownThem website.

Gatrel faces a statutory maximum of 35 years in federal prison at his sentencing, scheduled for January 27, 2022, for the three counts of which he was found guilty:

  • one count of conspiracy to commit unauthorized impairment of a protected computer.
  • one count of conspiracy to commit wire fraud.
  • one count of unauthorized impairment of a protected computer.

Juan Martinez, unlike Gatrel, has already pleaded guilty; his sentencing hearing is set for 2nd December, and he faces a statutory maximum of 10 years in prison.

Scammers Use Fake DMCA Complaints, DDoS Threats to Deploy BazaLoader Malware


The threat actors behind the BazaLoader malware have devised a new lure to trick website owners into opening malicious files: fake notifications claiming that the website has been involved in distributed denial-of-service (DDoS) attacks.

The notifications combine a legal threat with a file stored in a Google Drive folder that supposedly provides evidence of the source of the attack.

Phony legal threats

The DDoS theme is a variation of another lure, a Digital Millennium Copyright Act (DMCA) infringement complaint, with a link to data that allegedly contains documentation of the copyright infringement.

Brian Johnson, a website developer and designer, posted last week that two of his clients had received legal notices claiming their websites had been hacked and used to run DDoS attacks against a major company (Intuit, HubSpot). The sender threatened a lawsuit unless the recipients “immediately cleaned” their websites of the malicious files that had assisted in the DDoS attack.

“I have shared the log file with the recorded evidence that the attack is coming from [example.com] and also detailed guidelines on how to safely deal with, find and clean up all malicious files manually in order to eradicate the threat to our network,” read the fake alert. 

The sender also included a link to a file hosted on Google Drive that claimed to provide evidence of the DDoS attack and its origin.

Earlier this year, in April, Microsoft researchers warned about this technique being used by attackers to deliver IcedID; at the time, only the lure and the payload differed. Matthew Mesa, a security researcher at Proofpoint, discovered that the current campaign is sending phishing emails that drop the BazaLoader malware.

Cybersecurity website BleepingComputer has received many of these infringement notices over the past few months, accusing it of using protected images without the owner’s consent. The notification provides a link to a file that supposedly lists the images used without authorization; the file is hosted in Google’s Firebase cloud storage.

To make the matter seem urgent, the sender also states that the website’s owner may “possibly be liable for statutory damage as high as $120,000.” It is all a ruse to deliver malware.

Cybersecurity researcher Brad Duncan analyzed the file and found it was a ZIP archive containing JavaScript that fetches the BazaLoader DLL, a backdoor associated with the TrickBot gang that generally leads to a ransomware infection. The malware then contacts its command and control (C2) server and retrieves Cobalt Strike, a penetration-testing tool widely abused by attackers to maintain persistence and deliver further payloads.

The fake notifications are convincing and can increase the odds of being marked "safe" by email security solutions. Researchers advise staying vigilant and watching for signs of malicious intent, such as incomplete contact information, poor grammar, and suspicious links, to avoid falling for this social engineering trap.
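As an added illustration (not from the article or the researchers it quotes), the following Python scores a message against the warning signs above: legal-threat wording, a link to a consumer file-sharing host such as Google Drive or Firebase, a damages figure used for urgency, and missing contact details. The sample messages, phrase list and threshold are constructed for this example.

```python
import re

# Constructed sample e-mails that mimic the DMCA / DDoS legal-threat lures
# described above; they are not the real messages from the campaign.
LURE = {
    "subject": "DMCA Copyright Infringement Notice",
    "body": (
        "You are using our protected images without consent. You may be liable "
        "for statutory damage as high as $120,000. The full list of images is "
        "here: https://firebasestorage.googleapis.com/v0/b/x/o/evidence.zip "
        "Remove them immediately or we will file a lawsuit."
    ),
}
BENIGN = {
    "subject": "Slides for Thursday",
    "body": (
        "Hi, the deck is on Drive: https://drive.google.com/file/d/abc123/view "
        "Call me on +1 555 010 2030 if you have questions. Thanks, Alice"
    ),
}

# Phrases the lures above lean on to create legal pressure (constructed list).
THREAT_PHRASES = [
    r"\bDMCA\b", r"copyright infringement", r"statutory damage",
    r"\bDDoS\b", r"\blawsuit\b", r"immediately clean",
]
# Free file-sharing hosts the campaign used to stage its "evidence" files.
FILE_SHARE_HOSTS = {"drive.google.com", "firebasestorage.googleapis.com"}
URL_RE = re.compile(r"https?://([^/\s'<>\"]+)[^\s'<>\"]*")
PHONE_RE = re.compile(r"\+?\d[\d .()-]{7,}\d")

def score_message(msg):
    """Return (score, reasons); a score of 4 or more is treated as a likely lure."""
    text = f"{msg['subject']}\n{msg['body']}"
    reasons = []
    hits = [p for p in THREAT_PHRASES if re.search(p, text, re.IGNORECASE)]
    score = min(len(hits), 2)  # cap so wording alone cannot trip the verdict
    if hits:
        reasons.append(f"legal-threat language: {len(hits)} phrase(s)")
    hosts = {m.group(1).lower() for m in URL_RE.finditer(text)}
    if hosts & FILE_SHARE_HOSTS:
        score += 2  # real counsel does not stage evidence on free file sharing
        reasons.append("link to consumer file-sharing host")
    if re.search(r"\$\d[\d,]*", text):
        score += 1
        reasons.append("dollar damages figure used for urgency")
    if not PHONE_RE.search(text):
        score += 1
        reasons.append("no contact phone number")
    return score, reasons

def is_lure(msg):
    return score_message(msg)[0] >= 4
```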