A list of topics we covered in the week of October 7 to October 13 of 2024

October 10, 2024 - The Internet Archive has been hit hard by a data breach and several DDoS attacks all around the same time.

October 9, 2024 - While Google is experimenting on how its search results page looks like, we are reminded of what users need the most: indicators of confidence.

October 9, 2024 - Chatbot companion platform muah.ai was hacked and had its chatbot prompts stolen.

October 8, 2024 - Money transfer giant MoneyGram has notified customers about a data breach that has spilt sensitive customer information.

October 8, 2024 - This week on the Lock and Code podcast, we speak with Zach Hinkle and Pieter Arntz about the Facebook funeral livestream scam.

 A week in security (October 7 &#8211; October 13) 

Internet Archive suffered a massive cyberattack, leading to a data breach where 31 million user records were stolen…

Internet Archive suffered a massive cyberattack, leading to a data breach where 31 million user records were stolen and shared on HaveIBeenPwned (HIBP).

The internet’s historical treasure trove, the Internet Archive, has been hit by a devastating cyberattack leading to a data breach, compromising the personal information of 31 million users. The attack unfolded dramatically: Visitors to archive.org were greeted by a pop-up message, seemingly from the hackers themselves. It read:

> “Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you on HIBP!”

This cryptic message hinted at the severity of the situation. Troy Hunt, founder of HaveIbeenPwned (HIBP), revealed that a hacker shared a 6.4GB database with him, containing authentication information for registered members. 

Screenshot from Archive.org displaying the message left by hackers

For your information, HIBP, short for “Have I Been Pwned,” is a website that allows users to check if their email addresses have been leaked in data breaches.

According to Troy, the 6.4GB database contains user information, including email addresses, usernames, timestamps of password changes (with the most recent being September 28th), and even encrypted passwords.

The attack went beyond data theft. The Internet Archive also faced a Distributed Denial-of-Service Attack (**DDoS Attack**), overwhelming the website with traffic and making it inaccessible to users.

A pro-Palestinian hacktivist group DarkMeta claimed responsibility for the DDoS attack in a post on X, citing the Archive’s supposed affiliation with the US government as the reason. However, the Internet Archive is a non-profit organization founded by Brewster Kahle (co-founder of Wayback Machine) and the site has no affiliation with the government.  

On their X (Twitter) account, Kehle confirmed DDoS attacks on the website. In a tweet at 2:08 AM, Oct 10, 2024, Kehle said they mitigated a DDoS attack. However, in a tweet sent out just 3 hours ago at 11:36 AM, Oct 10, 2024, Kehle revealed they are facing more DDoS attacks and the website **Archive.org** and **Openlibrary.org**, an online project intended to create “one web page for every book ever published” have been offline.

At the time of writing both sites were offline. Nevertheless, the full picture of the attack remains unclear as it is a developing story. While the DDoS attack and data breach seem coordinated, the connection is not definitive.

**Jake Moore**, Global Cybersecurity Advisor, ESET weighed in on the situation, highlighting the broader implications of the breach.“Hacking the past is usually technically impossible but this data breach is the closest we may ever come to it.”

“The stolen dataset includes personal information but at least the stolen passwords are encrypted, however, it’s a good reminder to make sure all your passwords are unique as even encrypted passwords can be cross-references against previous uses of it,” Jake explained.

“Have I Been Pwned is a fantastic free service that can be used after a breach. It securely contains millions of breached usernames and passwords for people to safely check their credentials against the database to check if they have ever been caught up in a breach.” “If you find your data in any known breaches, it would be a good idea to change those passwords and implement multi-factor authentication,” he advised.

Stay tuned, this article will be updated accordingly.

1.  **DDoS Attacks Hit France Over Telegram’s Pavel Durov Arrest**
2.  **Archive of Our Own Website Suffering Massive DDoS Attacks**
3.  **Panamorfi DDoS Attack Exploits Misconfigured Jupyter Notebooks**
4.  **Misconfigured AWS bucket exposed 421GB of Artwork Archive data**
5.  **Examining the US Government’s DDoS Protection Guidance Update**

Internet Archive (Archive.Org) Hacked: 31 Million Accounts Compromised

The Internet Archive has been hit hard by a data breach and several DDoS attacks all around the same time.

A non-profit that benefits millions of people has fallen victim to a data breach and a DDoS attack.

Internet Archive, most known for its Wayback Machine, is a digital library that allows users to look at website snapshots from the past. It is often used for academic research and data analysis.

Cybercriminals managed to breach the site and steal a user authentication database containing 31 million records. The stolen database contains authentication information for registered members, including their email addresses, screen names, password change timestamps, Bcrypt-hashed passwords, and other internal data.

Who stole the database and why is not yet known. An unverified source told Malwarebytes that login credentials for the Azure servers of the Internet Archive were found in an information stealer log shared on the Dark Web, which could have offered someone the opportunity for a minimum-effort attack.

To pile more grief onto the breach, a “hacktivist” group calling themselves SN\_BLACKMETA has launched several DDoS attacks against Internet Archive’s website archive.org for all the wrong reasons.

Their tweet which explains their motivation hasn’t gone down well among X users, with many commenting that the Internet Archive is not connected to the US Government and, in fact, a very useful tool.

Since the objective behind the DDoS attacks is no doubt attention-seeking, it is unlikely that the same group is behind the data breach as they haven’t claimed responsibility.

Internet Archive founder Brewster Kahle posted an update on X:

> What we know: DDOS attack–fended off for now; defacement of our website via JS library; breach of usernames/email/salted-encrypted passwords.
> 
> What we’ve done: Disabled the JS library, scrubbing systems, upgrading security.
> 
> Will share more as we know it.

For now, anyone who suspects they’re affected by the data breach should follow our tips below. We’ll keep you updated on any developments in the story.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

 Internet Archive suffers data breach and DDoS 

The hack exposed the data of 31 million users as the embattled Wayback Machine maker scrambles to stay online and contain the fallout of digital—and legal—attacks.

An illicit JavaScript pop-up on the Internet Archive proclaimed on Wednesday afternoon that the site had suffered a major data breach. Hours later, the organization confirmed the incident.

Longtime security researcher Troy Hunt, who runs the data-breach-notification website Have I Been Pwned (HIBP) also confirmed that the breach is legitimate. He said it occurred in September and that the stolen trove contains 31 million unique email addresses along with usernames, bcrypt password hashes, and other system data. Bleeping Computer, which first reported the breach, also confirmed the validity of the data.

The Internet Archive did not return multiple requests for comment from WIRED.

“Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach?” the attackers wrote in Wednesday's Internet Archive pop-up message. “It just happened. See 31 million of you on HIBP!”

In addition to the breach and site defacement, the Internet Archive has been grappling with a wave of distributed denial-of-service attacks that have intermittently brought down its services.

Internet Archive founder Brewster Kahle provided a public update on Wednesday evening in a post on the social network X. “What we know: DDOS attack—fended off for now; defacement of our website via JS library; breach of usernames/email/salted-encrypted passwords. What we’ve done: Disabled the JS library, scrubbing systems, upgrading security. Will share more as we know it.” “Scrubbing systems” refer to services that offer DDoS attack protection by filtering malicious junk traffic so it can't deluge and disrupt a website.

The Internet Archive has faced aggressive DDoS attacks numerous times in the past, including in late May. As Kahle wrote on Wednesday: “Yesterday's DDoS attack on @internetarchive repeated today. We are working to bring http://archive.org back online.” The hacktivist group known as BlackMeta claimed responsibility for this week's DDoS attacks and said it plans to carry out more against the Internet Archive. Still, the perpetrator of the data breach is not yet known.

The Internet Archive has faced battles on many fronts in recent months. In addition to repeated DDoS attacks, the organization is also facing mounting legal challenges. It recently lost an appeal in _Hachette v. Internet Archive_, a lawsuit brought by book publishers, which argued that its digital lending library violated copyright law. Now it’s facing an existential threat in the form of another copyright lawsuit, this one from music labels, which may result in damages upwards of $621 million if the court rules against the archive.

HIBP's Hunt says that he first received the stolen Internet Archive data on September 30, reviewed it on October 5, and warned the organization about it on October 6. He says the group confirmed the breach to him the next day and that he planned to load the data into HIBP and notify its subscribers about the breach on Wednesday. “They get defaced and DDoS'd, right as the data is loading into HIBP,” Hunt wrote. “The timing on the last point seems to be entirely coincidental.”

Hunt added, too, that while he encouraged the group to publicly disclose the data breach itself before the HIBP notifications went out, the extenuating circumstances may explain the delay.

“Obviously I would have liked to see that disclosure much earlier, but understanding how under attack they are, I think everyone should cut them some slack,” Hunt wrote. “They're a nonprofit doing great work and providing a service that so many of us rely heavily on.”

Internet Archive Breach Exposes 31 Million Users

All across the Asia-Pacific region, large and diverse marketplaces for AI cybercrime tools have developed, with deepfakes proving most popular.

Source: dpa picture alliance via Alamy Stock Photo

Artificial intelligence-powered cyberattacks are rising exponentially in the Asia-Pacific region, particularly those involving deepfakes.

The United Nations Office on Drugs and Crime (UNODC) tracked a panoply of AI threats in its new report covering cybercrime in Southeast Asia. Cybercrime gangs have been using generative AI (GenAI) to create phishing messages in multiple languages, chatbots that manipulate victims, social media disinformation en masse, and fake documents for bypassing know-your-customer (KYC) checks. They've been using it to power polymorphic malware capable of evading security software, and to identify ideal targets, among other nefarious activities.

The standout threat, though, is deepfakes. From February to June 2024, UNODC tracked a 600% increase in mentions of deepfakes in cybercriminal Telegram channels and underground forums. And that's above and beyond the heavy activity from 2023, when deepfake crimes rose more than 1,500% compared with the year prior, and face swap injections rose 704% in the second half of the year compared with the first.

**Deepfake Attacks Proliferate**

Cybersecurity leaders in the Asia-Pacific are, like those around the world, anticipating a wave of AI-driven cyber troubles. In an Asia-focused Cloudflare survey published on Oct. 9, 50% of respondents said they expect AI will be used to crack passwords and encryption, 47% expect it will boost phishing and social engineering, 44% think it will boost distributed denial-of-service (DDoS) attacks too, and 40% see it being used to create deepfakes and support privacy breaches.

Most, if not all, of those concerns, though, are no longer theoretical, as some organizations can attest.

In January, for example, an employee at the Hong Kong office of Arup, a British engineering firm, received an email purporting to come from the company's chief financial officer (CFO) in London. The CFO instructed the employee to conduct a secret financial transaction. The employee later joined a videoconference with the CFO and other participants purporting to be from senior management, all of whom were, in fact, deepfakes. The result: In May, Arup reported losing 200 million Hong Kong dollars ($25.6 million).

Deepfakes of major political figures have spread widely, like the fake video and audio recordings of Singapore's prime minister and deputy prime minister in December 2023, and the fake video this past July showing a Southeast Asian head of state with illicit drugs. In Thailand, a female police officer was deepfaked in a campaign tricking victims into thinking they were speaking with actual law enforcement.

According to UNODC, half of all deepfake crimes reported in Asia in 2023 came from Vietnam (25.3%) and Japan (23.4%), but the most rapid rise in cases came from the Philippines, which experienced 4,500% more in 2023 than 2022.

It's all underpinned by a large ecosystem of malicious developers and buyers, on Telegram and in even shadier corners of the Deep Web. UNODC identified more than 10 deepfake software vendors that specifically serve cybercriminal groups in Southeast Asia. Their offerings sport the latest and greatest in deepfake tech, like Google's MediaPipe Face Landmarker — which captures detailed facial expressions in real time — the You Only Look Once v5 (YOLOv5) object detection model, and much more.

**Why Asia Suffers**

Though AI-driven cybercrime threatens organizations in every part of the world, it enjoys some particular advantages in Asia.

"Southeast Asia is very densely populated, and a large portion of the population doesn't know English, or English is not their first language," notes Shashank Shekhar, managing editor at India-based CloudSEK. The typical signs that might indicate a scam to a native English speaker might not translate to a non-native speaker. Besides that, he notes, "A lot of people are unemployed, looking for jobs, looking for opportunity."

Desperation has the effect of lowering victims' defenses. "There are some kinds of scams which only work well in this part of the world," says CloudSEK threat researcher Anirudh Batra. "Simpler scams are particularly prevalent because of the poverty that this region of the world has seen."

In the face of intractable socioeconomic forces, those old, tired lines about cyber education and hygiene may not feel like enough. Instead, cybercriminals will need to be stymied at the source: in those underground forums and channels where they trade their deepfake tools and cryptocurrency winnings. It's been done before.

"It's possible by collaborating: different countries coming together, sharing intelligence," Batra says. Though he warns, "Unless these guys are caught, another forum will come up tomorrow. It becomes really difficult to stop them, because the threat actors know that all three letter agencies are looking at the forums — everybody's crawling everything. So they keep a lot of backups. At any point of time, if \[their assets are\] seized, they'll start again with the mirror."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

AI-Powered Cybercrime Cartels on the Rise in Asia

Morphisec Threat Labs uncovers sophisticated Lua malware targeting student gamers and educational institutions. Learn how these attacks work…

Morphisec Threat Labs uncovers sophisticated Lua malware targeting student gamers and educational institutions. Learn how these attacks work and how to stay protected.

The cybersecurity researchers at Morphisec Threat Labs have uncovered and thwarted multiple variants of Lua malware specifically targeting the educational sector. These attacks exploit the popularity of **Lua-based gaming engine supplements**, which are widely used by student gamers. Even more concerning, the malware campaigns were observed targeting unsuspecting users globally including across North America, South America, Europe, Asia, and Australia.

The malware strain was first reported in March 2024 (do not confuse Lua malware with the infamous **Luabot DDoS malware** identified in 2016). Over the past months, the delivery methods of Lua malware have changed to become simpler, possibly to evade detection mechanisms. Instead of using compiled Lua bytecode, which can easily raise suspicion, the malware is now frequently delivered through obfuscated Lua scripts.

****Malicious ZIP Files****

The malware is typically distributed in the form of an installer or a ZIP archive and often disguised as game cheats or other gaming-related tools, making it particularly lucrative to students who are searching for ways to enhance their gaming experience.

According to Morphisec Threat Labs’ detailed technical **blog post** shared with Hackread.com ahead of publishing on Tuesday, when a user downloads the infected file, typically from platforms like GitHub, they receive a ZIP archive containing four key components: Lua51.dll: A runtime interpreter for Lua, Compiler.exe: A lightweight loader, Obfuscated Lua Script: The malicious code and Launcher.bat: A batch file that executes the Lua script.

Upon execution, the batch file runs the Compiler.exe, which loads the Lua51.dll and interprets the obfuscated Lua script. This script then establishes communication with a Command and Control (C2) server, sending detailed information about the infected machine. The C2 server responds with tasks, which can be categorized into two types: Lua Loader Tasks: Actions such as maintaining persistence or hiding processes. Task Payloads: Instructions to download and configure new payloads.

Attack flow (Via Morphisec Threat Labs)

****Lua Malware and SEO Poisoning****

The delivery techniques used in these attacks include **SEO poisoning**, where search engine results are manipulated to lead users to malicious websites. For instance, advertisements for popular cheating script engines like Solara and Electron, often associated with Roblox, have been found to direct users to GitHub repositories hosting various Lua malware variants. These repositories frequently use github.com/user-attachments push requests to distribute the malware.

****Additional InfoStealer Like Redline****

The infection chain does not end with Lua malware infection. The malware ultimately leads to the deployment of infostealers, notably Redline Infostealers. For your information, infostealers like **Redline, Vidar and Formbook** are gaining prominence as the harvested credentials are sold on the dark web **especially ChatGPT credentials**, opening the door to more attacks in the future.

SEO poisoning in action (Via Morphisec Threat Labs)

****Watch Out Students and Gamers****

Gamers, educational institutions, and students should be cautious of Lua and other malware threats by avoiding downloads from untrustworthy sources. Keeping security software up to date and informing users about the **cybersecurity risks of downloading game cheats** and unverified content can help reduce the chances of these attacks.

1.  **Fake League of Legends Download Ads Drop Lumma Stealer**
2.  **Global malspam targets hotels, spreading Redline, Vidar stealers**
3.  **Fake Windows site dropped Redline malware as Windows 11 upgrade**
4.  **Fake CAPTCHA Verification Pages Spreading Lumma Stealer Malware**
5.  **Ransomware Hidden as a Game: Kransom’s Attack Via DLL Side-Loading**

Lua Malware Targeting Student Gamers via Fake Game Cheats

The vast majority of organizations in the region saw more attacks in the past year, but most don't feel prepared for future incidents.

Source: Viacheslav Lopatin via Shutterstock

Organizations in Saudi Arabia, the United Arab Emirates, and Turkey suffered more than 10 attacks in the past year on average — and the vast majority of business and IT professionals expect the coming year to be worse — driving efforts by cybersecurity experts in those countries to simplify and modernize their cyber defenses and IT infrastructure.

Overall, less than half of organizations (46%) feel well-prepared to defend against future cyberattacks, according to a survey of nearly 1,000 security professionals in those three regions published by Internet-services provider Cloudflare. With geopolitical conflict on the rise and cybercriminals increasingly focused on the Middle East region and Turkey, Bashar Bashaireh, regional vice president at Cloudflare, said in a statement.

"Organizations across the Middle East and Türkiye are managing an increasingly complex cybersecurity landscape," he said. "With incidents on the rise in both volume and frequency, this balancing act becomes even more challenging, leaving leaders with a sense of diminishing control over their organizations’ technological and security frameworks."

Cyberattacks have become commonplace in the region, but each nation's threat profile is slightly different. While the vast majority of companies in the UAE, for example, have suffered cyberattacks in the past two years, approximately a quarter of those incidents were caused by insiders. Both Saudi Arabia and the UAE have seen an increase in attacks over the past year, with DDoS attacks alone leveled by hacktivists jumping 70%. And in another wrinkle, a group of cybercriminals recently targeted Turkish users with Android malware aimed at stealing accounts.

The three countries have all embarked on major investments in modernization, pursuing major initiatives such as Abu Dhabi's Economic Vision 2030 and Saudi Arabia's Vision 2030, but the countries also need to strengthen their cybersecurity efforts to protect their investments, Chris Murphy, managing director at FTI Consulting, said in a November 2023 analysis of Middle East firms' cyber-readiness.

"Threat actors will not pause their activities while these strategic plans unfold, and without the necessary security and preparedness measures in place, cyber risks will threaten the vitality of key sectors and the overall economic growth of the region," he said.

**Simplifying & Modernizing Cyber Defense**

The majority of organizations in the Middle East and Turkey plan to increase cybersecurity's share of their IT budgets. The top priority for businesses across the region is to consolidate and simplify their cybersecurity infrastructure, with half of all organizations ranking the effort as a Top 3 initiative, followed by almost half (47%) prioritizing the modernization of their applications, according to Cloudflare's report.

"Despite their plans, many feel they are still not ready for what lies ahead, and there is a 'confidence gap' in key areas for a large number of respondents," Cloudflare stated.

Those include the security of applications and data in the public cloud, a lack of oversight into their supply chain, and a lack of visibility and control over the devices that access their networks, Cloudflare stated in its report.

The good news is that some nations have made strong progress in securing their systems, to the point that the Kingdom of Saudi Arabia is ranked second, after the United States, in the International Telecommunication Union's Global Cybersecurity Index.

**Most Pessimistic Industries: Media, Telecom & Gaming**

According to Cloudflare, cyberattackers in the past year targeted financial services, IT firms, and companies providing business and professional services most often, and were more likely to target larger organizations. Yet, the sectors most worried about future cyberattacks are the media and telecom sector, and the gaming sector, with 97% and 92% of respondents, respectively, predicting a cybersecurity incident in the next 12 months.

Perhaps unsurprisingly, the telecom and media sectors are among the least staffed as well, with 39% of information-security roles remaining unfilled, according to a recent report by cybersecurity firm Kaspersky.

"The growth rate of the domestic IT market in some developing regions is changing so rapidly, the labor market cannot manage to educate and train the appropriate specialists with the necessary skills and expertise in such tight deadlines," Vladimir Dashchenko, a security evangelist with Kaspersky's ICS CERT, said in a statement.

Companies in each region have struggled to meet government-backed cybersecurity frameworks, with 62% of companies in Turkey meeting the requirements of the EU cybersecurity framework, 69% of Saudi firms meeting the Saudi Arabian Monetary Authority (SAMA) framework, and many UAE organizations falling short in complying with the National Electronic Security Authority (NESA) framework.

Yet, despite that, executives' commitment to cybersecurity remains lukewarm, Cloudflare stated in the report

"Interestingly, despite the increasing volume of attacks, many cite a lack of buy-in from leadership as a key challenge," the firm stated. "Perhaps this is a case of cybersecurity fatigue, but whatever the cause, senior leaders cannot afford to ignore the challenges facing their organizations."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Mideast, Turkey Cyber Threats Spike, Prompting Defense Changes

Ukraine has claimed responsibility for a cyber attack that targeted Russia state media company VGTRK and disrupted its operations, according to reports from Bloomberg and Reuters.
The incident took place on the night of October 7, VGTRK confirmed, describing it as an "unprecedented hacker attack." However, it said "no significant damage" was caused and that everything was working normally

Ukraine has claimed responsibility for a cyber attack that targeted Russia state media company VGTRK and disrupted its operations, according to reports from Bloomberg and Reuters.

The incident took place on the night of October 7, VGTRK confirmed, describing it as an "unprecedented hacker attack." However, it said "no significant damage" was caused and that everything was working normally despite attempts to interrupt radio and TV broadcasts.

That said, Russian media outlet Gazeta.ru reported that the hackers wiped "everything" from the company's servers, including backups, citing an anonymous source.

A source told Reuters that "Ukrainian hackers 'congratulated' Putin on his birthday by carrying out a large-scale attack on the all-Russian state television and radio broadcasting company."

The attack is believed to be the work of a pro-Ukrainian hacker group called Sudo rm-RF. The Russian government has since said an investigation into the attack is ongoing and that it "aligns with the anti-Russian agenda of the West."

The development comes amid continued cyber attacks targeting both Russia and Ukraine against the backdrop of the Russo-Ukrainian war that commenced in February 2022.

Ukraine's State Service of Special Communications and Information Protection (SSSCIP), in a report published late last month, said it has observed an increase in the number of cyber attacks targeting security, defense, and energy sectors, with 1,739 incidents registered in the first half of 2024 reaching, up 19% from 1,463 in the previous half.

Forty-eight of those attacks have been deemed either critical or high in severity level. Over 1,600 incidents have been classified as medium and 21 have been tagged as low in severity. The number of critical severity incidents witnessed a drop from 31 in H2 2023 to 3 in H1 2024.

Over the past two years, adversaries have pivoted from staging destructive attacks to securing covert footholds to extract sensitive information, the agency said.

"In 2024, we observe a pivot in their focus towards anything directly connected to the theater of war and attacks on service provider — aimed at maintaining a low profile, sustaining a presence in systems related to war and politics," Yevheniya Nakonechna, head of State Cyber Protection Centre of the SSSCIP, said.

"Hackers are no longer just exploiting vulnerabilities wherever they can but are now targeting areas critical to the success and support of their military operations."

The attacks have been primarily attributed to eight different activity clusters, one of which includes a China-linked cyber espionage actor tracked as UAC-0027 that was observed deploying a malware strain called DirtyMoe to conduct cryptojacking and DDoS attacks.

SSSCIP has also highlighted intrusion campaigns staged by a Russian state-sponsored hacking group dubbed UAC-0184, pointing out its track record of initiating communications with prospective targets using messaging apps like Signal with the goal of distributing malware.

Another threat actor that has remained laser-focused on Ukraine is Gamaredon, a Russian hacking crew that's also known as Aqua Blizzard (previously Actinium), Armageddon, Hive0051, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, UAC-0010, UNC530, and Winterflounder.

"The intensity of the physical conflict has noticeably increased since 2022, but it's worth noting that the level of activity from Gamaredon has remained consistent – the group has been methodically deploying its malicious tools against its targets since well before the invasion began," Slovak cybersecurity firm ESET said in an analysis.

Notable among the malware families is an information stealer called PteroBleed, which also relies on an arsenal of downloaders, droppers, weaponizers, backdoors, and other ad hoc programs to facilitate payload delivery, data exfiltration, remote access, and propagation via connected USB drives.

"Gamaredon has also demonstrated resourcefulness by employing various techniques to evade network-based detections, leveraging third-party services such as Telegram, Cloudflare, and ngrok," security researcher Zoltán Rusnák said. "Despite the relative simplicity of its tools, Gamaredon's aggressive approach and persistence make it a significant threat."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Pro-Ukrainian Hackers Strike Russian State TV on Putin's Birthday

Among those affected by all this monkeying around with DDoS in September were some 4,000 organizations in the US.

Source: Moviestore Collection Ltd via Alamy Stock Photo

Distributed denial-of-service (DDoS) attacks involving a new Mirai variant called GorillaBot surged sharply last month, launching 300,000 attacks, affecting some 20,000 organizations worldwide — including nearly 4,000 in the US alone.

In 41% of the attacks, the threat actor attempted to overwhelm the target network with a flood of User Datagram Protocol (UDP) packets, which are basically lightweight, connection-less units of data often associated with gaming, video streaming, and other apps. Nearly a quarter of the GorillaBot attacks were TCP ACK Bypass flood attacks, where the adversary's goal was to flood the target — often just one port — with a large number of spoofed TCP Acknowledgement (ACK) packets.

**GorillaBot, the Latest Mirai Variant**

"This Trojan is modified from the Mirai family, supporting architectures like ARM, MIPS, x86\_64, and x86," researchers at NSFocus said in report last week, after observing the threat actor behind GorillaBot launch its massive wave of attacks, between Sept. 4 and Sept. 27. "The online package and command parsing module reuse Mirai source code, but leave a signature message stating, 'gorilla botnet is on the device ur not a cat go away \[sic\],' hence we named this family GorillaBot."

NSFocus said it observed the botnet controller leverage five built-in command-and-control servers (C2s) in GorillaBot to issue a steady cadence of attack commands throughout each day. At its peak, the attack commands hit 20,000 in a single day. In all, the attacks targeted organizations in 113 countries with China being the hardest hit, followed by the US, Canada, and Germany, in that order.

Related:Dark Reading Confidential: Meet the Ransomware Negotiators

Though GorillaBot is based on Mirai code, it packs considerably more DDoS attack methods — 19 in all. The available attack methods in GorillaBot include DDoS floods via UDP packets and TCP Syn and ACK packets. Such multivector attacks can be challenging for target organizations to address, because each vector often requires a different mitigation approach.

For example, mitigating volumetric attacks such as UDP floods often involve rate limiting or restricting the number of UDP packets from a single source, blocking UDP traffic to unused ports, and distributing attack traffic across multiple servers to blunt the impact. SynAck flood mitigation on the other hand is about using stateful firewalls, SYN cookies, and intrusion-detection systems to track TCP connections and ensure that only valid ACK packets are processed.

**Bad Bots Rising**

Traffic related to so-called bad bots like GorillaBot has been steadily increasing over the past few years, and currently represents a significant proportion of all traffic on the Internet. Researchers at Imperva recently analyzed some 6 trillion blocked bad bot requests from its global network in 2023, and concluded that traffic from such bots currently accounts for 32% of all online traffic — a nearly 2% increase from the prior year. In 2013, when Imperva did a similar analysis, the vendor estimated bad bot traffic at 23.6% and human traffic as accounting for 57% of all traffic.

Related:Criminals Are Testing Their Ransomware Campaigns in Africa

Imperva's 2024 "Bad Bot Report" is focused entirely on the use of bad bots at the application layer and not specifically on volumetric DDoS attack on low-level network protocols. But 12.4% of the bad bot attacks that the company helped customers mitigate in 2023 were DDoS attacks. The security vendor found that DoS attacks in general were the biggest — or among the biggest — use cases for bad bots in some industries, such as gaming, and the telecom and ISP sector in healthcare and retail. Imperva found that threat actors often tend to use bad bots for DDoS attacks where any kind of system downtime or disruption can have significant impact on an organization's operations.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

GorillaBot Goes Ape With 300K Cyberattacks Worldwide

Critical security vulnerabilities exposed in DrayTek Vigor routers: Discover how to protect your network from these serious flaws.…

Critical security vulnerabilities exposed in DrayTek Vigor routers: Discover how to protect your network from these serious flaws. Learn about the risks, affected devices, and how to patch your router immediately. Secure your network now!

Censys research has revealed 14 vulnerabilities in **DrayTek Vigor routers**, with British Telecoms being one of the most vulnerable hosts followed by hosts in Vietnam, The Netherlands, and Taiwan. 

Businesses and home users worldwide commonly use routers. Therefore, these flaws pose a significant risk, allowing attackers to potentially take control of your network devices and launch further attacks. The vulnerabilities were publicly disclosed on 2 October 2024, while the users most impacted by the vulnerabilities include the following:

*   **Taiwan**
*   **Vietnam**
*   **Germany**
*   **Netherlands**
*   **United Kingdom**

****What are the vulnerabilities?****

Fourteen vulnerabilities were discovered, ranging from critical to medium severity. The most concerning ones are:

*   **CVE-2024-41592** (CVSS Score: 10.0): This critical buffer overflow vulnerability in the web interface can be exploited to crash the router (Denial-of-Service) or even gain complete control (Remote Code Execution) if chained with CVE-2024-41585. This buffer overflow can be triggered by sending a long query string to CGI pages.
*   **CVE-2024-41585** (CVSS Score: 9.1): This vulnerability is an OC command injection flaw, which allows attackers to inject malicious code into the router’s operating system, potentially granting full access to the device. The exploit chain impacts Vigor router models 3910 and 3912.

****High-Severity Vulnerabilities:****

*   **CVE-2024-41586**: A cross-site scripting (XSS) vulnerability in the router’s web interface could allow an attacker to inject malicious code into web pages visited by users, potentially leading to unauthorized access or data theft.
*   **CVE-2024-41587**: Another XSS vulnerability in the web interface could be exploited to steal sensitive information from users, such as login credentials.
*   **CVE-2024-41588**: A remote code execution vulnerability in the router’s Telnet service could allow an attacker to gain unauthorized access to the device and execute arbitrary commands.

****Why is this a big deal?****

According to Censys’ **repor**t shared with Hackread.com, over 700,000 (i-e 751,801) DrayTek Vigor routers are currently exposed directly to the internet, making them easy targets for attackers. The VigorConnect admin UI is exposed on 421,476 devices. The largest concentrations of these interfaces come from national ISPs and regional telecom providers, and Taiwan-based HINET is leading the list, as DrayTek is a Taiwanese company.

An exposed VigorConnect Admin Interface (Via Censys)

Exploiting these vulnerabilities can lead to a domino effect, allowing attackers to compromise your entire network. Moreover, DrayTek routers have been targeted in the past, with the **FBI reporting** (PDF) Chinese-sponsored botnet activity using older CVEs in DrayTek routers and **Volt Typhoon exploiting** SOHO networking equipment to carry out attacks last year, making patching a necessity.

DrayTek has **released patches** for all of these vulnerabilities. It is important to update your router’s firmware to the latest version to protect yourself from these threats. Additionally, it is recommended to follow the security best practices, such as disabling remote access to the router’s web interface and enabling two-factor authentication (**2FA**), to stay protected.

1.  **TheMoon Malware Returns: 6K Asus Routers Hacked in 72 Hours**
2.  **ASUS and NordVPN Partner to Integrate VPN Service into Routers**
3.  **New DDoS Botnet ‘Condi’ Targets Vulnerable TP-Link AX21 Routers**
4.  **FBI Alert: Russian Hackers Target Ubiquiti Routers for Botnet Creation**
5.  **NETGEAR Router Vulnerability Allowed Access to Restricted Services**

Tag

#ddos