The effectiveness of attacks largely depends on organizations' distributed denial-of-service defenses.

As Russian ground troops prepared to enter Ukraine in February 2021, Ukrainian governmental departments, online media organizations, financial firms, and hosting providers were slammed with a surge of distributed denial-of-service (DDoS) attacks. These attacks only increased in frequency and impact as Russian tanks rolled across the border, adding to the frenzy and chaos of that time.

Quick to hit back, Ukraine's IT Army sprang to life during the early days of the conflict. Much like Ukraine's volunteer army on the ground, recruits flooded in from all over the world to take part in the brewing war being waged online between Russia and Ukraine, with observed DDoS attacks focused on Russian targets increasing by 236% between February and March.

What seems clear is that whether issued by hacktivists or nation-states, DDoS attacks are often the opening salvo between opposing forces in today’s geopolitical conflicts. Compared with other types of cyberthreats, DDoS attacks can be launched relatively quickly. In addition, while DDoS attacks can cause significant disruption on their own, they can also mask or distract attention from more significant threats.

And, as seen in Ukraine and elsewhere, the use of DDoS attacks on the digital battlefield seems to be increasing. This article will examine the history of DDoS attacks for geopolitical conflict compared with recent attacks, providing insights that organizations can use to protect themselves from collateral damage.In summary, events during the last year have proven that DDoS attacks — whether launched by nation-states, ideological groups, or rogue individuals — will not diminish any time soon. DDoS remains an effective tool for disrupting networks and degrading the morale of countries embroiled in sociopolitical upheaval, with new attacks happening every day. To stay protected in this time of war and geopolitical conflict, organizations must remain vigilant in their defense.

**2022: A Record-Setting Year for DDoS**

The use of DDoS attacks to gain geopolitical advantage is nothing new, but the frequency at which these types of attacks are growing is noteworthy. In the latest "DDoS Threat Intelligence Report," Netscout reported more than 6 million attacks in the first half of 2022. Of these attacks, a majority corresponded with national or regional conflicts.

To continue with the Ukraine example, the frequency of DDoS attacks directed at Ukraine leveled off by April 2022, while cyberattacks ratcheted up against perceived allies of Ukraine. This likely is attributable to Ukrainian Internet properties migrating to countries like Ireland, as instability in the intra-Ukraine Internet forced many network segments to rely upon connectivity in other countries.

Echoes of this conflict continue to resonate across the global Internet. In March 2022, India experienced a measurable increase of DDoS attacks following its abstentions from United Nations Security Council and General Assembly votes condemning Russian actions in Ukraine. Similarly, during the first half of the year, Belize endured its single highest number of DDoS attacks on the same day that it made public statements in support of Ukraine.

Elsewhere, the nation of Finland — a close neighbor of Russia — experienced a 258% percent year-over-year increase in DDoS attacks coinciding with its announcement to apply for membership in NATO. Poland, Romania, Lithuania, and Norway, meanwhile, all were targeted with DDoS attacks by adversaries linked to Killnet, a group of online attackers aligned with Russia.

But these examples rooted in the conflict between Russia and Ukraine are not the only online battlegrounds where fights over geopolitics are being waged. As tensions between Taiwan and China and Hong Kong and China escalated during the first half of the year, DDoS attack campaigns often coincided with public events. For example, in the run-up to Nancy Pelosi's historic visit to Taiwan this summer, the website of Taiwan's presidential office and other government websites went dark due to DDoS attacks. And in Latin America, during a contentious election in Colombia this past year, waves of successive DDoS attacks were launched during the initial vote and the contested runoff.

One common thread is that many of these attacks use known attack vectors and readily available DDoS-for-hire services, also known as booter/stressor services, found on the Dark Web. These illicit services typically offer a restricted tier of free demonstration DDoS attacks to prospective customers, lowering the bar for would-be attackers to rapidly spin up attacks at very little to no cost. However, because these attack vectors are well-known, they can be easily mitigated in most circumstances.

**Don't Become Collateral Damage**

DDoS attacks have the potential to seriously disrupt Internet operations for their intended targets, but they can also cause a significant collateral impact footprint for bystander organizations and Internet traffic. This risk is particularly high as data hosting and services flow from war-torn regions like Ukraine to locations abroad.

In many of the examples listed above, the effectiveness of attacks largely depended upon whether targeted organizations had organized DDoS defenses. In Ukraine and other countries, disruption was quickly remedied for unprotected organizations as global DDoS defense companies stepped in to help Ukrainian organizations that needed it. However, ongoing defenses are still needed for most organizations.

Amid this environment, the most prudent course of action to prevent collateral damage is to regularly assess DDoS risk factors, especially related to direct service delivery elements, supply chain partners, and other dependencies. Organizations should ensure that critical public-facing servers, services, applications, content, and supporting infrastructure are adequately protected. They also should check to make sure DDoS defense plans reflect ideal current configurations and operational conditions, and that the plans are periodically tested to verify that they can be successfully implemented as required.

In summary, events during the last year have proven that DDoS attacks — whether launched by nation-states, ideological groups, or rogue individuals — will not diminish any time soon. DDoS remains an effective tool for disrupting networks and degrading the morale of countries embroiled in sociopolitical upheaval, with new attacks happening every day. To stay protected in this time of war and geopolitical conflict, organizations must remain vigilant in their defense.

War and Geopolitical Conflict: The New Battleground for DDoS Attacks

The year was marked by sinister new twists on cybersecurity classics, including phishing, breaches, and ransomware attacks.

With the pandemic evolving into an amorphous new phase and political polarization on the rise around the world, 2022 was an uneasy and often perplexing year in digital security. And while hackers frequently leaned on old chestnuts like phishing and ransomware attacks, they still found vicious new variations to subvert defenses.

Here's WIRED's look back on the year's worst breaches, leaks, ransomware attacks, state-sponsored hacking campaigns, and digital takeovers. If the first years of the 2020s are any indication, the digital security field in 2023 will be more bizarre and unpredictable than ever. Stay alert, and stay safe out there.

For years, Russia has pummeled Ukraine with brutal digital attacks causing blackouts, stealing and destroying data, meddling in elections, and releasing destructive malware to ravage the country's networks. Since invading Ukraine in February, though, times have changed for some of Russia's most prominent and most dangerous military hackers. Shrewd long-term campaigns and grimly ingenious hacks have largely given way to a stricter and more regimented clip of quick intrusions into Ukrainian institutions, reconnaissance, and widespread destruction on the network—and then repeated access over and over again, whether through a new breach or by maintaining the old access. The Russian playbook on the physical battlefield and in cyberspace seems to be the same: one of ferocious bombardment that projects might and causes as much pain as possible to the Ukrainian government and its citizens.

Ukraine has not been digitally passive during the war, though. The country formed a volunteer “IT Army” after the invasion, and it, along with other actors around the world, have mounted DDoS attacks, disruptive hacks, and data breaches against Russian organizations and services.

Over the summer, a group of researchers dubbed 0ktapus (also sometimes known as “Scatter Swine”) went on a massive phishing bender, compromising nearly 10,000 accounts within more than 130 organizations. The majority of the victim institutions were US-based, but there were dozens in other countries as well, according to researchers. The attackers primarily texted targets with malicious links that led to fake authentication pages for the identity management platform Okta, which can be used as a single sign-on tool for numerous digital accounts. The hackers' goal was to steal Okta credentials and two-factor authentication codes so they could get access to a number of accounts and services at once.

One company hit during the rampage was the communications firm Twilio. It suffered a breach at the beginning of August that affected 163 of its customer organizations. Twilio is a big company, so that only amounted to 0.06 percent of its clients, but sensitive services like the secure messaging app Signal, two-factor authentication app Authy, and authentication firm Okta were all in that slice and became secondary victims of the breach. Since one of the services Twilio offers is a platform for automatically sending out SMS text messages, one of the knock-on effects of the incident was that attackers were able to compromise two-factor authentication codes and breach the user accounts of some Twilio customers. 

As if that wasn't enough, Twilio added in an October report that it was also breached by 0ktapus in June and that the hackers stole customer contact information. The incident highlights the true power and menace of phishing when attackers choose their targets strategically to magnify the effects. Twilio wrote in August, “we are very disappointed and frustrated about this incident.”

In recent years, countries around the world and the cybersecurity industry have increasingly focused on countering ransomware attacks. While there has been some progress on deterrence, ransomware gangs were still on a rampage in 2022 and continued to target vulnerable and vital social institutions, including health care providers and schools. The Russian-speaking group Vice Society, for example, has long specialized in targeting both categories, and it focused its attacks on the education sector this year. The group had a particularly memorable showdown with the Los Angeles Unified School District at the beginning of September, in which the school ultimately took a stand and refused to pay the attackers, even as its digital networks went down. LAUSD was a high-profile target, and Vice Society may have bitten off more than it could chew, given that the system includes more than 1,000 schools serving roughly 600,000 students. 

Meanwhile, in November, the US Cybersecurity and Infrastructure Security Agency, the FBI, and the Department of Health and Human Services released a joint warning about the Russia-linked ransomware group and malware maker known as HIVE. The agencies said the group's ransomware has been used to target over 1,300 organizations around the world, resulting in roughly $100 million in ransom payments from victims. “From June 2021 through at least November 2022, threat actors have used Hive ransomware to target a wide range of businesses and critical infrastructure sectors,” the agencies wrote, “including Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health.”

The digital extortion gang Lapsus$ was on an intense hacking spree at the beginning of 2022, stealing source code and other sensitive information from companies like Nvidia, Samsung, Ubisoft, and Microsoft and then leaking samples as part of apparent extortion attempts. Lapsus$ has a sinister talent for phishing, and in March, it compromised a contractor with access to the ubiquitous authentication service Okta. The attackers appeared to be based primarily in the United Kingdom, and at the end of March, British police arrested seven people in association with the group and charged two at the beginning of April. In September, though, the group flared back to life, mercilessly breaching the ride-share platform Uber and seemingly the _Grand Theft Auto_ developer Rockstar as well. On September 23, police in the UK said they had arrested an unnamed 17-year-old in Oxfordshire who seems to be one of the individuals previously arrested in March in connection with Lapsus$.

The beleaguered password manager giant LastPass, which has repeatedly dealt with data breaches and security incidents over the years, said at the end of December that a breach of its cloud storage in August led to a further incident in which hackers targeted a LastPass employee to compromise credentials and cloud storage keys. The attackers then used this access to steal some users' encrypted password vaults—the files that contain customers' passwords—and other sensitive data. Additionally, the company says that “some source code and technical information were stolen from our development environment” during the August incident. 

LastPass CEO Karim Toubba said in a blog post that in the later attacks, hackers compromised a copy of a backup that contained customer password vaults. It is not clear when the backup was made. The data is stored in a “proprietary binary format" and contains both unencrypted data, like website URLs, and encrypted data, like usernames and passwords. The company did not provide technical details about the proprietary format. Even if LastPass's vault encryption is strong, hackers will attempt to brute-force their way into the password troves by attempting to guess the “master passwords” that users set to protect their data. With a strong master password, this may not be possible, but weak master passwords could be at risk of being defeated. And since the vaults have already been stolen, LastPass users can't stop these brute-force attacks by changing their master password. Users should instead confirm that they have deployed two-factor authentication on as many of their accounts as they can, so even if their passwords are compromised, attackers still can't break in. And LastPass customers should consider changing the passwords on their most valuable and sensitive accounts.

The Worst Hacks of 2022

This is what happens when a CISO gets tired of reacting to attacks and goes on the offensive.

Like a member of any profession, a chief information security officer (CISO) grows into their role. They exhibit a maturity curve that can be roughly split into five attitudes:

1.  **Protection:** When a CISO first steps into their role, they look to perfect the basics and build a fortress for themselves in the form of firewalls, server hardening, and the like.
2.  **Detection:** Once they determine how the framework is built, the CISO moves on to more and more sophisticated monitoring tools, incorporating in-depth monitoring and packet filtering.
3.  **Response:** The journeyman CISO will start crafting detailed response plans to various scenarios, weaving them into the overall BC/DR planning and making sure that the team is ready for anything.
4.  **Automation:** Next they'll focus on making everyone's life easier by incorporating automation, AI/ML learning, and third party intelligence into their already-robust defenses.

You may have seen or experienced this kind of four stage evolution yourself. But there's a much rarer _fifth stage_ that is reached much later in a CISO's career. Upon seeing the multitude of annoyances buzzing around them, probing, trying to gain access to _their_ territory ... they become restless. They get tired of waiting for their enemies to strike.

The fifth and final stage is proactivity. And it’s at this stage that CISOs go on the hunt, using techniques of modern defense.

**Leaving the Comfort Zone**

The demarcation point is traditionally where everything becomes "somebody else's problem." If anything breaks or gets hacked, it isn't on the company's dime.

At least, that's how it used to be. Veteran CISOs know that in the era of the cloud and heavy federation, nothing could be further from the truth. Every hack has ripples. Every DDoS has collateral damage. An attack on your ISP, on a federated partner, on your supply chain, on the company's bank, or on utility providers might as well be an attack on your turf.

Most importantly, social engineering and fraud ignore internal demarcations entirely! They don't respect traditional boundaries. If they need to use your federated partner to get in, they will. If they need to infiltrate your employees' social media to gain leverage, they won't hesitate.

But what can be done? Your tools, your monitoring ... absolutely everything you've built is designed to cover your own territory. How can you have an impact on the other side of the demarcation?

Part of the proactivity that comes with stage five of a CISO's career is the ability to process threats that have the potential to impact your business. This means combining the resources that are available to the entire cybersecurity community and the intelligence gleaned from your own monitoring efforts.

Now you're in what Tom Petty once called "The Great Wide Open." The bad news is that your activities are more exposed out here. The good news? You aren't alone.

**Resources for Fraud Prevention Beyond the Demarcation**

In order to get ahead of the curve, you need to work with others and assess emerging threats. Two traditional resources are still effective here: CERT and OWASP. These two organizations have been tirelessly tracking cybersecurity trends for over a generation.

But there are some newer kids on the block that can help you on your hunt. PortSwigger's BURP suite can help you to perform intelligent Web application and network analysis (just make sure you get permission from your business partners before you go full white-hat on their infrastructure). Some subscription advisory services like Black Duck can be worth their weight in gold.

But those are all solutions on the technical side, and fraud isn't always technical. To hit fraudsters where it hurts, you need to embrace the human element.

**A Global Defense Effort**

One of the advantages of using an antifraud suite such as that made by Human Security is that the breach information it gathers is shared anonymously across Human's entire client base. That means when a new fraud attempt is registered with any customer, updates to combat it are shared with all customers across every impacted system: training, automated scans, spam rejection, firewall rules, and packet filtering, to name a few.

Additionally, internal and external attempts to misuse or compromise corporate resources are compared to events taking place elsewhere on the Human network. If there's a pattern, the cybersecurity team is informed, and additional resources can be dedicated to monitoring the situation. MediaGuard can do the same for impersonation attempts or attacks on brand integrity.

**What Do You Do When You Catch Something?**

All of these resources allow you to hunt well beyond the demarcation point. But what do you do when you actually track something down?

When you find vulnerabilities in your supply chain or within a federated resource, you need to share them with your counterpart at the company in question. Assuming you've done everything above board and with their permission, this isn't a problem. If you accidentally hunted outside your domain without permission, see if the impacted business has an anonymous tip line for fraud or security.

Then, make sure your own detection and filtering process is adapted to deal with the new threat before the fraudsters or hackers can even make the attempt. Report any new technical vulnerabilities to your preferred advisory service, and then start planning your next hunt.

When CISOs Are Ready to Hunt

Throughout 2022, geopolitics has given rise to a new wave of politically motivated attacks with an undercurrent of state-sponsored meddling.

During its brutal war in Ukraine, Russian troops have burnt cities to the ground, raped and tortured civilians, and committed scores of potential war crimes. On November 23, lawmakers across Europe overwhelmingly labeled Russia a “state sponsor” of terrorism and called for ties with the country to be reduced further. The response to the declaration was instant. The European Parliament’s website was knocked offline by a DDoS attack.

The unsophisticated attack—which involves flooding a website with traffic to make it inaccessible—disrupted the Parliament’s website offline for several hours. Pro-Russian hacktivist group Killnet claimed responsibility for the attack. The hacktivist group has targeted hundreds of organizations around the world this year, having some limited small-scale successes knocking websites offline for short periods of time. It’s been one player in a bigger hacktivism surge. 

Following years of sporadic hacktivist activity, 2022 has seen the re-emergence of hacktivism on a large scale. Russia’s full-scale invasion of Ukraine spawned scores of hacktivist groups on both sides of the conflict, while in Iran and Israel, so-called hacktivist groups are launching increasingly destructive attacks. This new wave of hacktivism, which varies between groups and countries, comes with new tactics and approaches and, increasingly, is blurring lines between hacktivism and government-sponsored attacks.

“I’m not going to say that hacktivism was dying, but it was definitely withering for some time,” says Juan Andres Guerrero-Saade, principal threat researcher at security firm SentinelOne. For the past four or five years, Guerrero-Saade explains, hacktivism has often existed at extremes: low-level disruptions and more sophisticated attacks that could be cover for a nation-state’s hacking. “You have so many more players in the space and a much beefier middle ground between those two extremes,” Guerrero-Saade says of the current situation.

Russia’s invasion of Ukraine in February prompted a surge in hacktivism activity. Legacy hacktivist collective Anonymous was revitalized, but new groups were also formed. Ukraine’s unprecedented IT Army, a volunteer group of hackers from around the world, has continuously launched DDoS attacks against Russian targets that are outlined in its Telegram group. In June, a speech by Vladimir Putin was delayed after a cyberattack. Other hacktivist-linked groups have run huge hack-and-leak operations against Russian entities, resulting in hundreds of gigabytes of data from Russia being published online.

On the other side of the conflict, there are four main pro-Russian hacktivist groups, says Sergey Shykevich, threat intelligence group manager at security firm Check Point. These are: Killnet, NoName 057, From Russia With Love, and XakNet. Killnet is probably the most active of these groups, Shykevich says. “Since April, they have targeted around 650 targets—only about 5 percent of them were Ukraine.” Its targets, like the European Parliament, have largely been countries that oppose Russia. The group, which mostly uses DDoS attacks, is proactive on Telegram, media friendly, and appeals to Russian speakers.

DDoS attacks still have an outsize place within modern hacktivism. An FBI notification, issued in early November, says those behind DDoS attacks have “minimal operational impact” on their victims. “Hacktivists often select targets perceived to have a greater perceived impact rather than an actual disruption of operations,” the FBI said. In other words: The bark is often worse than the bite. 

Erica Lonergan, a research scholar at the Saltzman Institute of War and Peace Studies at Columbia University, says the impact of DDoS attacks is often overstated. Media reports can overemphasize the impact of DDoS, making it sound more severe than it is. “There’s this gap between the hyperbole of the language that’s used to talk about the types of attacks that these groups like Killnet are engaged in, and then the reality of their impact,” Lonergan says. 

But it isn’t all DDoS. In South America, the Guacamaya hacktivist group claims to have hacked mining companies and leaked their internal emails. The politically motivated Belarusian Cyber Partisans, which formed in 2020 following Alexander Lukashenko’s election, has innovated as it disrupts Russian and Belarusian efforts linked to the war. The highly organized group became the first to use ransomware for purely political objectives. It has also claimed to have taken data from Russian government organizations and mapped the data of government officials who have backed Lukashenko’s regime. 

Guerrero-Saade says the Cyber Partisans are part of a new style of hacktivists that use targeted sabotage and disruption. “To us, it looked very much like they’re an authentic group. They’re coordinating locally and trying out new ways to actually slow down or disrupt or inconvenience the local government away from supporting the war,” Guerrero-Saade says.

In Iran, the Predatory Sparrow group of hackers—which claims to be hacktivists—used a cyberattack to start a fire in a steel factory in July. The move was an incredibly rare use of a cyberattack to cause physical damage. In 2021, the Adalat Ali hacktivist group hacked and leaked CCTV footage from the notorious Evin political prison. The incidents were part of a larger series of cyberattacks between Iran and Israel. They show the potential extremes of hacktivism.

Check Point’s Shykevich says much of the hacktivism seen in 2022 can be classified as “state-affiliated” hacking. “In most cases, it’s difficult to tell if this group is guided or sponsored by a specific state organization,” Shykevich says. “But most of those groups, they have very clear pro or anti-regime narrative.”

Working out who is behind a cyberattack of any kind is always complex and difficult for organizations to do—attackers often try to disguise their activity or hide it from view. However, there is evidence some hacktivists are linked to individual countries. Researchers suspect Predatory Sparrow is linked to a government, for instance. Meanwhile, security firm Mandiant believes that the pro-Russian groups XakNet, Infoccentr, and Cyber Army of Russia all coordinate their operations with Russia’s GRU military hackers. The Cyber Army of Russia launched DDoS attacks against US organizations around the November midterm elections, with XakNet and KillNet also trying to influence the elections, Mandiant claims.

“They can be used in witting and unwitting ways by governments for political purposes,” Lonergan says. “Killnet for example, on the Russian side, has been pretty explicit in its Telegram channels of disavowing direct links with Moscow. But at the same time, they follow the implicit rules of the road of Russian cyber proxy groups.” Russian cybercrime groups rarely attack Russian targets, and the Kremlin has largely turned a blind eye to them.

The result is that while hacktivist groups are becoming more sophisticated and testing new tools, there’s increasing uncertainty about their origins. “There will be more hacktivism groups that will be more affiliated with governments,” Shykevich says. “Generally, this year the lines between what is governmental attack, hacktivism, and cybercrime have completely blurred.”

Hacktivism Is Back and Messier Than Ever

Securing videoconferencing solutions is just one of many IT security challenges small businesses are facing, often with limited financial and human resources.

It's no secret that the acceleration of work-from-home and distributed workforce trends — infamously spurred on by the pandemic — has occurred in tandem with the rise of video communications and collaboration platforms, led by Zoom, Microsoft, and Cisco.

But given that videoconferencing now plays a critical role in how businesses interact with their employees, customers, clients, vendors, and others, these platforms carry significant potential security risks, researchers say.

Organizations use videoconferencing to discuss M&A, legal, military, healthcare, intellectual property and other topics, and even corporate strategies. A loss of that data could be catastrophic for a company, its employees, its clients, and its customers.

However, a recent Aite-Novarica Group report on videoconferencing security showed that 93% of IT professionals surveyed acknowledged security vulnerabilities and gaping risks in their videoconferencing solutions.

Among the most relevant risks is the lack of controlled access to conversations that could result in disruption, sabotage, compromise, or exposure of sensitive information, while use of nonsecure, outdated, or unpatched videoconferencing applications can expose security flaws.

"The risks include the potential for interruptions, unauthorized access, and perhaps most concerning, the opportunity for a bad actor to acquire sensitive information," says Craig Lurey, CTO and co-founder at Keeper Security.

**Threats Targeting Video Communications Platforms Multiply**

The use of videoconferencing software by remote workers makes it an easy target for various types of attacks in the wild. For instance, "Zoom-bombing" and other attacks came to the fore in the wake of the first work-from-home wave during the pandemic.

Other threats include DDoS attacks, according to the FBI's Internet Crime Report, and malware. In May, for instance, threat hunters discovered a vulnerability chain in Zoom's chat functionality that could be exploited to allow zero-click remote code execution (RCE).

Security firm Vectra also recently discovered a vulnerability in Microsoft Teams, which found that the platform stores authentication tokens unencrypted, allowing any user to access the secrets file without the need for special permissions. The weakness gives attackers the ability to move through a company’s network much more easily.

But while zero-day exploits and other high-profile attacks get a lot of attention, Mike Parkin, senior technical engineer at Vulcan Cyber points out that many, if not most, attacks still target the users.

"That usually means phishing emails or other social engineering attacks that lead to compromise, or business email compromise attacks that can lead to direct losses through fraud," he says.

**SMBs at Particular Risk From Videoconferencing Threats**

The risk is especially piquant for small and medium-sized businesses (SMBs), researchers say. This segment relied heavily on video collaboration to cut travel costs even before the pandemic, and now represents a class of superusers.

At the same time, SMBs may not have the security awareness or in-house expertise necessary to shore up their defenses. Parkin says SMBs often wrestle to implement and manage a proper cybersecurity program.

"That lack of resources can manifest in not knowing, or being able to implement, proper security on their videoconferencing usage," he says.

George Waller, co-founder and executive vice president of Zerify, agrees that SMBs typically don't have the financial and technical resources that larger companies have.

"Therefore, they are far more vulnerable to even the most basic attacks such as email, phishing and ransomware," he says. "Post-pandemic, many SMBs are still working with limited staff and budgets. Therefore, it's easier to trip them up and cause a devastating data breach."

Meanwhile, this sector often faces financial constraints that could make a cyberattack an extinction-level event. According to a recent IBM breach report, the average size of a data breach in the US is now $9.44 million, and 60% of small businesses go out of business within six months of a data breach.

"When cybercriminals steal sensitive, confidential, or classified data, they can make you pay a ransom to get it back," Waller explains. "They can also sell it to other nefarious people, who can use that data to embarrass or profit from your organization."

Unfortunately, amid the challenges, SMBs are often more of a target than they realize.

"While an attacker’s potential take is smaller, the effort is low, the risk is low, and SMB organizations often have less investment in cybersecurity than a larger organization," Parkin explains. "They can be particularly susceptible to ransomware and business email compromise attacks."

**2FA, Zero Trust Help Secure Video Conferencing**

Fortunately, there are some basic steps that businesses of any size can take to ensure the videoconferencing system they're using doesn't fall into the "low-hanging fruit" category for cybercriminals.

For one, they should ensure their platforms and apps offer two-factor authentication (2FA) for both the meeting creator as well as for the meeting participant, and make sure that login links cannot be shared; most videoconferencing platforms have such basic security features and offer advice on how to use them.

Ricardo Villadiego, CEO and founder of Lumu, says businesses for instance should enable security features such as ID and password and end-to-end encryption that allow SMBs to control access to conversations.

"Avoid repeating passwords, lock down microphones and speakers, and authenticate every user prior to entering a videoconference," he says. "Limit the kind of files and links that can be shared via videoconferencing tools, keep meeting recordings only accessible with a password, and don't discuss information that you wouldn't discuss over the telephone."

Waller adds that snooping on video calls via spyware is a threat that SMBs should be aware of, too.

"Make sure that your camera, microphone, and audio-out data streams are locked down and cannot be spied on with malware," he says. "Organizations should also use an anti-keylogging and anti-screen scraping technology and make sure that AV software is up to date."

Lurey, meanwhile, advises SMBs to protect videoconferencing platforms with a zero-trust security architecture that requires all users be authenticated, authorized, and continuously validated before they can access the application.

"Choose a provider wisely and check that it provides end-to-end encryption," he says. "Most major platforms do."

He adds that it's also imperative to configure the platform correctly by enabling built-in security capabilities and providing consistent enforcement to ensure those security features are never disabled.

Finally, Parkin advises that there are other vulnerabilities in some videoconferencing platforms that require specific steps to counter and stresses the importance of keeping the videoconferencing software up to date. Security teams should also proactively monitor network behavior for anomalous activity and make sure to read terms and conditions of the videoconferencing platform being used.

He adds that with a changing threat landscape, the challenge for SMBs in particular is finding the balance between defending against known threats, being positioned to stay ahead of emerging ones, and managing the risk specific to their environment.

"Small businesses are often resource restricted when it comes to cybersecurity, which means they need to be efficient with the resources they do have," he says. "But focusing on things like user education, which can deliver a lot of value for the investment, can help."

Videoconferencing Worries Grow, With SMBs in Cyberattack Crosshairs

By Habiba Rashid
Hackread.com can confirm that the InfraGard database is also circulating on several Russian cybercrime forums and Telegram groups.
This is a post from HackRead.com Read the original post: Sale or No Sale; Hacker Leaks FBI’s InfraGard database Online

After claiming not to sell data stolen from the FBI’s critical-infrastructure portal, InfraGard, the hacker has released the data publicly for download.

On December 14th, 2022, **HackRead.com reported** about a hacker who was selling a database belonging to InfraGard, an FBI-launched security program to develop physical and cyber threat information-sharing collaborations with the private sector.

The database leak came right after pro-Russian hackers from the KillNet group claimed to have **infiltrated the FBI’s database**, allegedly stealing the personal information of more than 10,000 US federal agents.

The InfraGard hacker, who goes by the handle “USDoD,” was selling the database for $50,000. It contained the contact details and personal information of more than 87,000 members registered with InfraGard.

However, **on December 16th, 2022**, the same hacker edited their post, announcing that they would no longer be selling the database, citing the harm it would cause to the victims.

“I would like to let you know that this data will no longer be posted for sale and won’t be used in the future. I realised that selling it would cause more harm to everyone than it would benefit me financially.”

Now, without even selling it to any individual, the hacker has made the database available to the public. It appears that they did not feel any guilt for their actions as was previously stated.

Hackread.com can confirm that the InfraGard database is also circulating on several Russian cybercrime forums and Telegram groups. The database in question contained the personal details of the InfraGard members including the following:

1.  Full names
2.  Email addresses
3.  Employment details
4.  Industry of employment
5.  Social media USERIDs and more.

3 posts from the InfraGard hacker (Image credit: Hackread.com)

**Brief History of InfraGard**

InfraGard was established in 1996 as a joint initiative of the **FBI**’s National Infrastructure Protection Center (NIPC) and the Information Systems Security Association (ISSA). InfraGard provides access to secure email systems, secure data storage platforms, web-based vulnerability assessment tools, password management solutions, and other security services.

Additionally, InfraGard offers educational seminars on topics such as cybersecurity best practices and emerging threats. These seminars are open to members of all sectors and help them stay informed about current security trends.

InfraGard also provides resources for identifying potential cybercrime victims or suspicious activities before they become major issues.

**Potential Threats to InfraGard Members**

The incident is concerning not only because it puts the security of these companies at risk but also because many of its members are federal agencies as well as state and local law enforcement agencies that handle sensitive materials on a regular basis.

With the leaked information in the wrong hands, cyber criminals could take advantage of this vulnerability and use it to gain access to confidential government records or even personal information belonging to members of the public.

1.  **US Govt’s secret terrorist watchlist exposed online**
2.  **Top US Federal Agencies Hacked by Russian Hackers**
3.  **Hacker accessed FBI server to send fake email threats**
4.  **48 DDoS-hiring Services Busted by FBI in Major Sweep**
5.  **Chinese hackers accessed NSA hacking tools before leak**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Sale or No Sale; Hacker Leaks FBI’s InfraGard database Online

By Habiba Rashid
It is still unclear who was behind the suspected ransomware attack on The Guardian.
This is a post from HackRead.com Read the original post: Media Giant Guardian Hit By Suspected Ransomware Attack

Although the online publishing at the Guardian remained unaffected, some of the company’s internal technology infrastructure was affected.

One of the most-read newspapers in the world, the Guardian, was hit by what is suspected to be a ransomware attack on Tuesday night. The London, England-based news organisation said that they believed it to be a **ransomware attack**, “but are continuing to consider all possibilities.”

Ransomware attacks are conducted by threat actors who hack into an organisation’s computer systems, encrypt the important files and then **demand a ransom** to restore the services or unlock the files. If the demand is not met, the data is leaked online in most cases.

Although the online publishing by the organisation has remained unaffected with stories continuing to be written and published on the Guardian website and app, some of the company’s internal technology infrastructure was affected. 

They also told the staff to work from home, following the routine used during the pandemic.  The Guardian Media Group chief executive, Anna Bateson, and the editor-in-chief, Katharine Viner, **told** the staff:

“We will continue to keep our staff and anyone else affected informed. We will update everyone again at the end of the day. With a few key exceptions, we would like everyone to work from home for the remainder of the week unless we notify you otherwise.”

“Thank you to everyone working hard throughout this incident to keep us publishing, looking after our readers, supporters and advertisers, and keeping our core systems available for colleagues.”

Journalists, media outlets and new organisations have become a much more frequent target for cyber attacks as compared to the past as they play a vital role in forming a public outlook and a national view. Media houses command a significant soft power to retain and spread their influence by advocating their agenda, gathering public opinion and shaping it. 

Therefore, it has become more important than ever before for journalists and news organisations to employ the **best cyber security practices** and protect themselves from breach campaigns. 

1.  **Ransomware Gang Leaks Medibank Data on Dark Web**
2.  **Royal Ransomware Uses Google Ads and Cracked Software**
3.  **University College London hit by a major ransomware attack**
4.  **CryWiper Masquerading as Ransomware to Target Russian Courts**
5.  **Pro-Russian Killnet group hits UK organizations with DDoS attacks**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Media Giant Guardian Hit By Suspected Ransomware Attack

Threat actors continue to evolve the malicious botnet, which has also added a list of new vulnerabilities it can use to target devices.

A recently discovered botnet that attacks organizations through Internet of things (IoT) vulnerabilities has added brute-forcing and distributed denial-of-service (DDoS) attack vectors, as well as the ability to exploit new flaws to its growing arsenal, Microsoft security analysts have found. 

The updates to Zerobot, a malware first observed earlier this month by Fortinet researchers, pave the way for more advanced attacks as the threat continues to evolve, according to the Microsoft Security Threat Intelligence Center (MSTIC).

MSTIC revealed in a blog post on Dec. 21 that the threat actors have updated Zerobot to version 1.1, which can now target resources through DDoS and make them inaccessible, widening the possibilities for attack and further compromise.

"Successful DDoS attacks may be used by threat actors to extort ransom payments, distract from other malicious activities, or disrupt operations," the researchers wrote in the post. "In almost every attack, the destination port is customizable, and threat actors who purchase the malware can modify the attack according to their target."

**Brute-Forcing and Other Tactics**

Fortinet researchers already had tracked two previous versions of Zerobot — one that was quite basic and another that was more advanced. The botnet's principal mode of attack originally was to target various IoT devices — including products from D-Link, Huawei, RealTek, TOTOLink, Zyxel, and more — through flaws found in those devices, and then spread to other assets connected on the network that way to propagate the malware and grow the botnet.

Microsoft researchers now have observed the botnet getting more aggressive in its attacks on devices, using a new brute-force vector to compromise weakly secured IoT devices rather than just trying to leverage a known vulnerability, the researchers revealed.

"IoT devices are often internet-exposed, leaving unpatched and improperly secured devices vulnerable to exploitation by threat actors," they wrote in the post. "Zerobot is capable of propagating through brute-force attacks on vulnerable devices with insecure configurations that use default or weak credentials."

The malware attempts to to gain device access by using a combination of eight common usernames and 130 passwords for IoT devices over SSH and telnet on ports 23 and 2323 to spread to devices, the researchers wrote. In their observations alone, the MSTIC team identified numerous SSH and telnet connection attempts on default ports 22 and 23, as well as attempts to open ports and connect to them by port-knocking on ports 80, 8080, 8888, and 2323.

**An Expanded Security Vulnerability Exploit List**

Zerobot hasn't abandoned its original way to access devices, however, and has even expanded this practice. Prior to its new version, Zerobot already could exploit more than 20 flaws in assorted devices, including routers, webcams, network-attached storage, firewalls, and other products from a host of well-known manufacturers.

The botnet has now added seven new exploits for flaws to its quiver, found in Apache, Roxy-WI, Grandstream, and other platforms, the researchers found.

MSTIC also found new evidence that Zerobot propagates by compromising devices with known vulnerabilities that are not included in the malware binary, such as CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers, they added.

**Zerobot's Post-Compromise Behavior**

Researchers also observed more about Zerobot's behavior once it gains device access. For one, it immediately injects a malicious payload — which may be a generic script called "zero.sh" that downloads and attempts to execute the bot, or a script that downloads the Zerobot binary of a specific architecture, they said.

"The bash script that attempts to download different Zerobot binaries tries to identify the architecture by brute-force, attempting to download and execute binaries of various architectures until it succeeds," the researchers wrote.

Once Zerobot achieves persistence, it scans for other devices exposed to the Internet that it can infect, by randomly generating a number between 0 and 255 and scanning all IPs starting with this value.

"Using a function called _new\_botnet\_selfRepo\_isHoneypot_, the malware tries to identify honeypot IP addresses, which are used by network decoys to attract cyberattacks and collect information on threats and attempts to access resources," the Microsoft researchers wrote. "This function includes 61 IP subnets, preventing scanning of these IPs."

Zerobot 1.1 uses scripts targeting various architectures, including ARM64, MIPS, and x86\_64. The researchers also have observed samples of the botnet on Windows and Linux devices, exhibiting different persistence methods based on the OS.

**Protecting the Enterprise**

Fortinet researchers already had stressed the importance of organizations immediately updating to the latest versions of any devices affected by Zerobot. Given that businesses are losing up to $250 million a year on unwanted botnet attacks, according to a report published last year from Netacea, the danger is real.

To help identify if an organization is vulnerable, Microsoft researchers included an updated list of CVEs that Zerobot can exploit in their post. The MSTIC team also recommended that organizations use security solutions with cross-domain visibility and detection capabilities to detect Zerobot malware variants and malicious behavior related to the threat.

Enterprises should also adopt a comprehensive IoT security solution that allows for visibility and monitoring of all IoT and operational technology (OT) devices, threat detection and response, and integration with SIEM/SOAR and extended detection and response (XDR) platforms, according to Microsoft.

As part of this strategy, they should ensure secure configurations for devices by changing default passwords to strong ones and blocking SSH from external access, as well as use least-privileges access including VPN service for remote access, the researchers said.

Another way to avoid compromise by Zerobot is to harden endpoints with a comprehensive security solution that manages the apps that employees can use and provides application control for unmanaged solutions, they said. This solution also should perform timely cleanup of unused and stale executables sitting on an organization's devices.

Zerobot Adds Brute Force, DDoS to Its IoT Attack Arsenal

The Zerobot DDoS botnet has received substantial updates that expand on its ability to target more internet-connected devices and scale its network.
Microsoft Threat Intelligence Center (MSTIC) is tracking the ongoing threat under the moniker DEV-1061, its designation for unknown, emerging, or developing activity clusters.
Zerobot, first documented by Fortinet FortiGuard Labs earlier this month,

Internet of Things / Patch Management

The **Zerobot** DDoS botnet has received substantial updates that expand on its ability to target more internet-connected devices and scale its network.

Microsoft Threat Intelligence Center (MSTIC) is tracking the ongoing threat under the moniker DEV-1061, its designation for unknown, emerging, or developing activity clusters.

Zerobot, first documented by Fortinet FortiGuard Labs earlier this month, is a Go-based malware that propagates through vulnerabilities in web applications and IoT devices like firewalls, routers, and cameras.

"The most recent distribution of Zerobot includes additional capabilities, such as exploiting vulnerabilities in Apache and Apache Spark (CVE-2021-42013 and CVE-2022-33891 respectively), and new DDoS attack capabilities," Microsoft researchers said.

Also called ZeroStresser by its operators, the malware is offered as a DDoS-for-hire service to other criminal actors, with the botnet advertised on social media by its operators.

Microsoft said that one domain with connections to Zerobot – zerostresser\[.\]com – was among the 48 domains that were seized by the U.S. Federal Bureau of Investigation (FBI) this month for offering DDoS attack features to paying customers.

The latest version of Zerobot spotted by Microsoft not only targets unpatched and improperly secured devices, but also attempts to brute-force over SSH and Telnet on ports 23 and 2323 for spreading to other hosts.

The list of newly added known flaws exploited by Zerobot 1.1 is as follows -

*   **CVE-2017-17105** (CVSS score: 9.8) - A command injection vulnerability in Zivif PR115-204-P-RS
*   **CVE-2019-10655** (CVSS score: 9.8) - An unauthenticated remote code execution vulnerability in Grandstream GAC2500, GXP2200, GVC3202, GXV3275, and GXV3240
*   **CVE-2020-25223** (CVSS score: 9.8) - A remote code execution vulnerability in the WebAdmin of Sophos SG UTM
*   **CVE-2021-42013** (CVSS score: 9.8) - A remote code execution vulnerability in Apache HTTP Server
*   **CVE-2022-31137** (CVSS score: 9.8) - A remote code execution vulnerability in Roxy-WI
*   **CVE-2022-33891** (CVSS score: 8.8) - An unauthenticated command injection vulnerability in Apache Spark
*   **ZSL-2022-5717** (CVSS score: N/A) - A remote root command injection vulnerability in MiniDVBLinux

Upon successful infection, the attacks chain proceeds to download a binary named "zero" for a specific CPU architecture that enables it to self-propagate to more susceptible systems exposed online.

Additionally, Zerobot is said to proliferate by scanning and compromising devices with known vulnerabilities that are not included in the malware executable, such as CVE-2022-30023, a command injection vulnerability in Tenda GPON AC1200 routers.

Zerobot 1.1 further incorporates seven new DDoS attack methods by making use of protocols such as UDP, ICMP, and TCP, indicating "continuous evolution and rapid addition of new capabilities."

"The shift toward malware as a service in the cyber economy has industrialized attacks and has made it easier for attackers to purchase and use malware, establish and maintain access to compromised networks, and utilize ready-made tools to perform their attacks," the tech giant said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Zerobot Botnet Emerges as a Growing Threat with New Exploits and Capabilities

More zero knowledge attacks, more leaked credentials, more Gen-Z cyber crimes - 2022 trends and 2023 predictions.
Cybercrime remains a major threat to individuals, businesses, and governments around the world. Cybercriminals continue to take advantage of the prevalence of digital devices and the internet to perpetrate their crimes. As the internet of things continues to develop, cybercriminals

More zero knowledge attacks, more leaked credentials, more Gen-Z cyber crimes - 2022 trends and 2023 predictions.

Cybercrime remains a major threat to individuals, businesses, and governments around the world. Cybercriminals continue to take advantage of the prevalence of digital devices and the internet to perpetrate their crimes. As the internet of things continues to develop, cybercriminals will have access to a greater number of vulnerable devices, allowing them to carry out more sophisticated attacks. Cybercrime is expected to become increasingly profitable as criminals continue to find new and better ways to monetize their attack as entry barriers to cybercrime keep going down.

This article discusses key trends we've noticed in 2022 that will likely continue in 2023, which we'll also elaborate on in the upcoming webinar "The Rise of the Rookie Hacker - a new trend to reckon with" on January 11th.

****Leaked credentials will continue to be the main attack vector for initial access****

According to IBM's cost of a breach 2022 report, use of stolen or compromised credentials remains the most common cause of a data breach.

The main source for leaked credentials in 2022 was Info-Stealers - a malware that can steal stored credentials from browsers, cookies (used for session hijacking and to bypass MFA), crypto wallets, and more. Redline Stealer, in particular, gained a lot of popularity among threat actors which led to the creation of several other stealers such as the "Luca stealer" and the "eternity stealer". The latter is part of an end-to-end offering named the eternity project, which allows threat actors to buy or rent any tool they need to launch an attack against a target of their choosing.

Stolen or compromised credentials were the primary attack vector in 19% of breaches in the 2022 study and also the top attack vector in the 2021 study. This trend is most likely to keep in its upward trajectory as a whopping 59% of organizations don't deploy zero-trust, incurring an average of 1 million USD in greater breach costs compared to those that do deploy. Until organizations' cybersecurity will mature, the volume and cost of breaches will continue to rise.

****A rise in zero-knowledge attacks****

Cybercrimes such as DDoS, malware, and ransomware are all offered as subscription services, lowering the entry barrier into cybercrime. For example, per the Microsoft Digital Defense Report 2022, phishing kits are offered on the dark web from as little as $6 and DDoS attack subscriptions for as little as $500. Ransomware-as-a-Service offered as an affiliates model is the preferred method by actors, this means "renting" an already made operation and splitting the revenue based on income and activity. The rise of "clearnet malware" - malware that can be purchased on everyday platforms like Telegram (Hello again eternity project!) helps simplify setting up a cybercrime campaign or operation. The proliferation of crypto payment platforms makes it even easier to trade in cybercrime products and services, pushing the entire cybercrime ecosystem even further.

****Younger threat actors - average age will continue to drop****

In terms of cyberattacks, 2022 was Gen Z's time to shine, leading with UK teen group Lapsus$ that went on a hacking spree targeting tech titans like Microsoft, Nvidia, Samsung, Ubisoft, and Okta. Generation Z is currently the largest generation on earth. Besides their strength in numbers, they are "digital natives", being born into a world with the internet, smartphones, cloud technologies, and social networks. Being young, they naturally crave social validation which they get in the digital sphere. Lapsus$'s main motivator was "Kudos" - they were "doing it for the lulz". The ease of launching zero-knowledge attacks, combined with Gen Z's digital nativeness and their need for social validation in the digital sphere will most likely contribute to the continuous drop in the average age of cyber criminals.

****We'll still need humans in the loop****

Enterprises invest billions of dollars deploying multi-layered security frameworks, platforms, and programs, but at the end of the day, enterprises are made of people, and people can be tricked.

Social engineering is an increasingly popular tactic used by cyberattackers to gain access to sensitive data. It involves exploiting human psychology to manipulate victims into providing confidential information or taking certain actions in order to gain access to a system or network.

LAPSUS$'s modus operandi was based on a text-book sim swapping scam. They bought credentials of the person with the right access to resources within an enterprise, called the phone provider, reporting the phone stolen, rerouted the sim to their own phone, triggered multi factor authentication on an enterprise access point (e.g. Office365 login page), and did a password reset. It was ridiculously simple and devastatingly efficient.

The best technology in the world can't completely remove the risk of human vulnerability. For that you need other humans trained in that. The cybersecurity workforce gap compelled enterprises to outsource this part of their cybersecurity to a managed detection and response (MDR) service. In fact, (according to Reportlinker.com) the global MDR market size is expected to grow from an estimated value of 2.6 billion USD in 2022 to 5.6 billion USD by 2027, at a Compound Annual Growth Rate (CAGR) of 16.0%. Technology is great, machines are great, but we still need humans.

Join Ronen Ahdut, Head of Cyber Threat Intelligence at Cynet for a webinar "The Rise of the Rookie Hacker - a new trend to reckon with" on January 11th at 10AM ET / 15:00 GMT. The webinar will deep-dive into 2023 cybersecurity trends, threats, and technology, including the need for human oversight in cybersecurity and how to detect these new threats.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#ddos