IPStorm Bots are Anonymous

While botnets have been used for anything from performing DDoS attacks to stealing data and even sending spam, researchers have found signs that the Interplanetary Storm botnet could be used for a different purpose.

This Golang-written botnet could be used as an anonymization proxy-network-as-a-service and potentially rented using a subscription-based model.

While the botnet has come under scrutiny before, constant monitoring of the Interplanetary Storm development lifecycle has revealed that the threat actors are both proficient in Golang and development best practices, and well-versed in concealing their management nodes.

Interplanetary Storm also has a complex and modular infrastructure designed to seek and compromise new targets, push and synchronize new versions of the malware, run arbitrary commands on the infected machine and communicate with a C2 server that exposes a web API.

IPStorm propagates by attacking Unix-based systems (Linux, Android and Darwin) that run Internet-facing SSH servers with weak credentials, or Android Debug Bridge (ADB) servers exposed to the Internet without authentication.
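The SSH side of that propagation leaves a very recognisable trace on the victim: a burst of failed password logins from one source, then a success. The script below is an added example (not IPStorm code and not from the Bitdefender research) that runs a sliding-window brute-force detector over a few constructed sshd auth.log lines and flags a source that logged in by password right after hammering the service; the sample lines, the threshold and the window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in Linux sshd/auth.log format (not real captures).
# 203.0.113.5 fails five times in a few seconds and then gets in as "pi";
# 198.51.100.7 is a legitimate user who mistyped once, then used a key.
SAMPLE_AUTH_LOG = """\
Sep 10 12:00:01 pi sshd[2011]: Failed password for root from 203.0.113.5 port 51234 ssh2
Sep 10 12:00:02 pi sshd[2012]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Sep 10 12:00:02 pi sshd[2013]: Failed password for invalid user pi from 203.0.113.5 port 51236 ssh2
Sep 10 12:00:03 pi sshd[2014]: Failed password for root from 203.0.113.5 port 51237 ssh2
Sep 10 12:00:04 pi sshd[2015]: Failed password for invalid user ubnt from 203.0.113.5 port 51238 ssh2
Sep 10 12:00:05 pi sshd[2016]: Accepted password for pi from 203.0.113.5 port 51240 ssh2
Sep 10 12:03:10 pi sshd[2020]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Sep 10 12:03:40 pi sshd[2021]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
"""

# Matches both "Failed password for invalid user X" and "Accepted publickey for X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line):
    """Return a dict for an sshd auth event, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; pin one (assumed) so window arithmetic works
    ts = datetime.strptime("2020 " + m.group("ts"), "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "ok": m.group("result") == "Accepted",
        "method": m.group("method"),
        "user": m.group("user"),
        "ip": m.group("ip"),
    }


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: report} for every source with >= threshold failed logins
    inside any window_seconds span. The report also records the user name if
    that source later succeeded with a password, i.e. a likely compromise."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    hits = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["ok"]:
            # A password success from an already-flagged source is the signal
            # we care about; key logins are not part of this attack pattern.
            if ev["ip"] in hits and ev["method"] == "password":
                hits[ev["ip"]]["success_after_bruteforce"] = ev["user"]
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            report = hits.setdefault(ev["ip"], {"failures_in_window": 0,
                                                "success_after_bruteforce": None})
            report["failures_in_window"] = max(report["failures_in_window"], len(q))
    return hits


if __name__ == "__main__":
    for ip, report in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, report)
```

The same loop works on a live `auth.log`; the only tuning knobs are the threshold and window, which you would set from your own baseline of mistyped passwords.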

Key findings:

  • Botnet potentially rented as an anonymous proxy network
  • Built to use compromised devices as proxies
  • Botnet mapping reveals global presence
  • Rented using multi-tier subscription-based pricing model
  • More than 100 code revisions to date
  • Detailed analysis of the infrastructure behind the Interplanetary Storm botnet

Hungary hit by a powerful DDoS from servers in Russia, China and Vietnam

Hungarian banking and telecommunication services were briefly disrupted by a powerful cyber attack on Thursday launched from computer servers in Russia, China and Vietnam, telecoms firm Magyar Telekom (MTEL.BU) said on Saturday.

The event was a distributed denial-of-service (DDoS) attack, in which attackers attempt to flood a network with unusually high volumes of traffic in order to paralyse it.

The volume of traffic in the attack was 10 times higher than the amount usually seen in DDoS events, making it one of the heaviest ever recorded in Hungary.

“Russian, Chinese and Vietnamese hackers tried to launch a DDoS attack against Hungarian financial institutions, but they tried to overwhelm the networks of Magyar Telekom as well,” the company added in a statement.

The attack, which took place in several waves, disrupted the services of some of the country’s banks and caused lapses in Magyar Telekom’s services in certain parts of the capital, Budapest, before being repelled.

Hungarian bank OTP Bank OTPB.BU confirmed it had been affected by the attack.

Separately, in another attack on banking customers, a SIM swap combined with a remote monitoring tool delivered through phishing drained the accounts of a handful of victims.

NZ share market DDoSed

New Zealand’s share market was halted for a third consecutive day by foreign threat actors.

New Zealand’s stock exchange is battling to restore services after cyber attacks shuttered the market for a third straight day, frustrating investors who were unable to trade amid a busy company earnings season.

The NZ$204 billion ($135 billion) market, which is nearing a record high, was unable to reopen Thursday after the exchange’s website was again hit with a distributed-denial-of-service attack that floods a network with Internet traffic and disrupts services. Officials have declined to speculate on the source of the attack, other than saying it’s coming from offshore.

“We continue to address the threat and work with cyber-security experts,” exchange operator NZX said in a statement. “We are doing everything we can to resume normal trading tomorrow.”

The disruptions come at the worst possible time, with companies such as national carrier Air New Zealand reporting their first annual results since the outbreak of the coronavirus pandemic. No internal systems have been compromised and trading information has not been breached, a spokesman for the regulator said.

Cyber-security experts appear baffled by the attacks, saying New Zealand isn’t typically a target and that it’s unclear whether the hackers are criminals or state-based actors.

Fancy Bear

The government’s cyber security agency CERT NZ said in November it had received reports of extortion emails targeting the financial sector. The emails claimed to be from a Russian group called “Fancy Bear/Cozy Bear” and demanded a ransom to avoid denial-of-service attacks. CERT declined to comment when contacted Thursday.

While New Zealand “is not a high profile target,” the incident raised “question marks over how much experience” the country has in dealing with such attacks, one cyber-security expert said.

The attacks are impacting the NZX website, meaning investors without direct market access can’t see company announcements.

The exchange is yet to respond about what steps it’s taking to prevent further attacks and whether it has received any demands in conjunction with them. A spokesman wouldn’t say whether NZX was exchanging intelligence on the issues with other stock exchanges.

Korea’s stock exchange said its own website didn’t work for almost three hours on Wednesday after suffering from a DDoS attack.

Tor finally preparing a fix for a long-standing DoS bug

Launching DDoS attacks against dark web sites could soon be a little more difficult to pull off, now that the Tor Project is preparing to fix a bug that attackers have abused for years.

The bug itself is a denial of service (DoS) issue that an attacker can exploit to initiate thousands of connections to a targeted dark web site.

For each of those connections the onion service has to negotiate a complex circuit through the Tor network to secure the connection between the user and the site’s server. Because this process is CPU-intensive, initiating thousands of connections can quickly overload a site’s server to the point where it cannot accept any new ones.

The issue has been known for years, but until now Tor developers had not released a patch or mitigation for it. The Tor Project has described the problem as follows:

“The attacks exploit the inherent asymmetric nature of the onion service rendezvous protocol, and that makes it a hard problem to defend against. During the rendezvous protocol, an evil client can send a small message to the service while the service has to do lots of expensive work to react to it. This asymmetry opens the protocol to DoS attacks, and the anonymous nature of our network makes it extremely challenging to filter the good clients from the bad.”

To make matters worse, a tool named Stinger-Tor was uploaded to GitHub more than four years ago which allows anyone to carry out a DoS attack on a Dark Web site just by running a Python script. There are other tools like this one out there that exploit the bug in Tor and cyber crime groups have been selling them on underground forums.

Members of the Dread community have been encouraging users to donate to the Tor Project. These donations seem to have done the trick as developing a fix for this vulnerability is now being prioritized. The proposed fix won’t completely deal with the issue but it will make DoS attacks less effective against Dark Web sites.
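The asymmetry described in the Tor quote above, and why a rate limit makes the attack "less effective" rather than impossible, is easy to see with numbers. The script below is an added model, not Tor's code: it assigns an illustrative CPU cost to a client's introduce request and a much larger one to the service's rendezvous circuit build, floods a service with requests, and compares the service's workload with and without a token-bucket limit on introduce requests enforced at the introduction point. That is the shape of the defense Tor 0.4.2 ships (torrc options HiddenServiceEnableIntroDoSDefense, HiddenServiceEnableIntroDoSRatePerSec and HiddenServiceEnableIntroDoSBurstPerSec); the cost figures, request rate and bucket parameters here are assumptions, not Tor's actual numbers.

```python
# Constructed cost model, in arbitrary CPU units per request. The asymmetry is
# the whole point: the client does almost nothing, the service does a lot.
CLIENT_COST = 1      # build and send one introduce request
SERVICE_COST = 100   # extend a rendezvous circuit and finish the handshake


class IntroPointLimiter:
    """Token bucket enforced at the introduction point: at most `burst`
    requests are forwarded at once, and the bucket refills at `rate` per
    second. Dropped requests never reach the service, so it does no
    expensive work for them."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def flood(n_requests, duration, limiter=None):
    """Send n_requests evenly spread over `duration` seconds and report the
    attacker's spend, the service's spend, the number of rendezvous circuits
    the service had to build, and the resulting amplification factor."""
    interval = duration / n_requests
    forwarded = 0
    for i in range(n_requests):
        now = i * interval
        if limiter is None or limiter.allow(now):
            forwarded += 1
    client_work = n_requests * CLIENT_COST
    service_work = forwarded * SERVICE_COST
    return {
        "client_work": client_work,
        "service_work": service_work,
        "rendezvous_built": forwarded,
        "amplification": service_work / client_work,
    }


if __name__ == "__main__":
    # 10,000 introduce requests in 10 seconds from a single cheap client.
    print("no defense:", flood(10_000, 10))
    # Assumed bucket: 25 requests/s sustained, 200 burst. The attacker still
    # gets roughly 200 + 25*10 circuits built, but not 10,000.
    print("intro-point limit:", flood(10_000, 10, IntroPointLimiter(rate=25, burst=200)))
```

Two things the model makes visible. First, the limit caps the service's work at roughly burst + rate * seconds regardless of how many requests the attacker sends, which is why the fix helps. Second, the attacker's per-request cost stays the same and nothing in the model distinguishes a malicious client from a legitimate one, which is why the quote calls it "extremely challenging to filter the good clients from the bad": under a flood, the same bucket drops real users too.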

The fix is scheduled to arrive in the upcoming Tor 0.4.2 release, and it should make things a bit easier for sites running on the Tor network.