Tor Finally fixed a bug that annoyed of DDoS

Launching DDoS attacks against dark web sites could soon be a little more difficult to pull off now Tor Project is preparing to fix a bug that has been abused by attackers for years.

A bug that annoyed for so many years . The bug itself is a denial of service (DoS) issue that an attacker can exploit to initiate thousands of connections to a targeted dark web site. 

The remote Onion service needs to negotiate a complex circuit through the Tor network to secure the connection between a user and the site’s server. As this process is very CPU resource intensive, initiating thousands of these connections can quickly overload a site’s server to the point where it can’t accept any new connections.

This is known and Tor Developers not released any patches or fix to overcome this obstacle

“The attacks exploit the inherent asymmetric nature of the onion service rendezvous protocol, and that makes it a hard problem to defend against. During the rendezvous protocol, an evil client can send a small message to the service while the service has to do lots of expensive work to react to it. This asymmetry opens the protocol to DoS attacks, and the anonymous nature of our network makes it extremely challenging to filter the good clients from the bad.”

To make matters worse, a tool named Stinger-Tor was uploaded to GitHub more than four years ago which allows anyone to carry out a DoS attack on a Dark Web site just by running a Python script. There are other tools like this one out there that exploit the bug in Tor and cyber crime groups have been selling them on underground forums.

Members of the Dread community have been encouraging users to donate to the Tor Project. These donations seem to have done the trick as developing a fix for this vulnerability is now being prioritized. The proposed fix won’t completely deal with the issue but it will make DoS attacks less effective against Dark Web sites.

The fix is scheduled to arrive with the upcoming Tor protocol 0.4.2 release and it should make things a bit easier for sites running on the Tor network.

Docker @ rare instance .. docked by DDoS malware

XORDDoS, also known as XOR.DDoS, first appeared in the threat landscape in 2014 it is a Linux Botnet that was employed in attacks against gaming and education websites with massive DDoS attacks that reached 150 gigabytes per second of malicious traffic.

The Kaiji botnet was discovered by security researcher MalwareMustDie and the experts at Intezer Labs in April while it was targeting Linux-based IoT devices via SSH brute-force attacks.

Two variants of existing Linux botnet malware types targeting exposed Docker servers; these are XORDDoS malware and Kaiji DDoS malware .

Botnet operators are looking for Docker servers that expose port 2375, which is one of the two ports of the Docker API and it’s used for unauthenticated and unencrypted communications.

Experts pointed out that there is a notable difference between the attack methods implemented by the two malware variants. While the XORDDoS bot infects all the containers hosted on the Docker server, the Kaiji bot deploys the DDoS malware in its own container.

Upon compromising a Docker server, XORDDoS will run a sequence of commands to identify containers and infect them with the DDoS malware. The malware can also gather information about the compromised system, and it can download and execute other payloads.

URL linked to the attacker, experts discovered other malware such as Backdoor.Linux.DOFLOO.AB targeting Docker containers.Operators of the Kaiji bot scan the web for exposed Docker servers and deploy an ARM container that executed its binary. Operators leverage on a script to download and execute the main payload, and to remove Linux binaries that are basic components of the operating system but are not necessary for its DDoS operation.

Kaiji is also able to collect information about the compromised system, and of course to launch various types of DDoS attacks, including ACK, IPS spoof, SSH, SYN, SYNACK, TCP and UDP attacks.

Recommendations for security Docker servers:

1. Secure the container host. Take advantage of monitoring tools, and host containers in a container-focused OS.

2.Secure the networking environment. Use intrusion prevention system (IPS) and web filtering to provide visibility and observe internal and external traffic.

3.Secure the management stack. Monitor and secure the container registry and lock down the Kubernetes installation.

4.Secure the build pipeline. Implement a thorough and consistent access control scheme and install strong endpoint controls.
Adhere to the recommended best practices.
Use security tools to scan and secure containers.

Lucifer Malware Propels

A new devilish malware is targeting Windows systems with cryptojacking and DDoS capabilities.

Security experts have identified a self-propagating malware, dubbed Lucifer, that targets Windows systems with cryptojacking and distributed denial-of-service (DDoS) attacks.

The never-before-seen malware initially tries to infect PCs by bombarding them with exploits in hopes of taking advantage of an “exhaustive” list of unpatched vulnerabilities. While patches for all the critical and high-severity bugs exist, the various companies impacted by the malware had not applied the fixes.

Lucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms.

The vulnerabilities targeted by Lucifer include Rejetto HTTP File Server (CVE-2014-6287), Oracle Weblogic (CVE-2017-10271), ThinkPHP RCE (CVE-2018-20062), Apache Struts (CVE-2017-9791), Laravel framework CVE-2019-9081), and Microsoft Windows (CVE-2017-0144, CVE-2017-0145, and CVE-2017-8464).

After successfully exploiting these flaws, the attacker then connects to the command-and-control (C2) server and executes arbitrary commands on the vulnerable device, said researchers. These commands include performing a TCP, UDP or HTTP DoS attack. Other commands allow the malware to drop an XMRig miner and launch cryptojacking attacks, as well as collecting interface info and sending the miner status to the C2.

The malware is also capable of self-propagation through various methods.

It scans either for open instances of TCP port 1433 or Remote Procedure Call (RPC) port 135. If either of these are open, the malware attempts to brute-force the login using a default administrator username and an embedded password list (a full list of the passwords used can be found on Unit 42’s analysis). It then copies and runs the malware binary on the remote host upon successful authentication.

In addition to brute-forcing credentials, the malware leverages exploitation for self-propagation. If the Server Message Block (SMB) protocol (a network file sharing protocol) is open, Lucifer executes several backdoors. These include the EternalBlue, EternalRomance, and DoublePulsar exploits.

Once these three exploits have been used, the certutil utility is then used to propagate the malware. Certutil.exe is a command-line program, installed as part of Certificate Services, that can be used to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates.

Lucifer has been discovered in a series of recent attacks that are still ongoing. The first wave occurred on June 10. The attackers then resumed their campaign on June 11 with an upgraded version of the malware. Researchers say these updates include the addition of an anti-sandbox capability, an anti-debugger technique, and new checks for device drivers, DLLs and virtual devices.

These added capabilities show that the malware is growing in sophistication, researchers warn. They say, enterprises can protect themselves with simply security measures such as applying patches and strengthening passwords.

DDoS Attacks on Rise..WFH

There is a rise in the internet usage pattern which in turn triggered the DDoS Attacks on a peak. Adopting to New normal WFH a challenge to most of the organisation

internet traffic patterns ddos

Growing stealth on internet

The pandemic effect was clear in traffic to specific websites, such as the 250% increase in queries for a popular collaboration platform as lockdowns commenced and the sharp rise in traffic to the website of  masks manufacturer.

A noticeable rise in traffic was noticed in mid-March correlating with the dates that schools and organizations began to implement isolation policies, and query numbers continued to rise afterward, with a sharp uptick about a month after isolation policies had begun to take hold.

There was a 14% increase in DNS query volumes between March 1 and May 3, as the full impact of the pandemic set in around the world.

Of course, not all industries have been affected equally. As might be expected, queries to retail companies and streaming services saw a large increase during the one-month period coinciding with the beginning of stay-at-home orders, while the travel industry saw decline initially but appears to be recovering.

Traffic patterns and increasing attacks

Concurrent with these changes in traffic patterns, there was dramatic rise in DDoS and other attacks across virtually every metric measured, including increases in the overall number of attacks; attack severity, which considers the volume of attack and attack intensity

“It’s no surprise that in this massive and unplanned shift of the global workforce now suddenly being reliant on home internet and corporate VPN connectivity, bad actors and cyber criminals would seek to take advantage of emerging network vulnerabilities,” .

internet traffic patterns ddos

The DNS hijacking threat

While many DDoS and other types of attacks focus on corporate assets, there has also been an increase in DNS hijacking a technique in which DNS settings are changed to redirect the user to a website that might look legitimate but often contains malware disguised as something useful.

Combined with the growing number of threats against the internet’s DNS infrastructure, the unexpected need to support a fully distributed workforce often exposes new vulnerabilities that are difficult for organizations to guard against, underscoring the importance of having effective cybersecurity measures like always-on DDoS protection services in place to ensure operational continuity.