Katana: Mirai Botnet Variant

A greatly enhanced variant of the powerful Mirai botnet is already infecting IoT devices even though it’s operating in a test environment.

Researchers discovered samples of the variant, dubbed “Katana,” that have Layer 7 distributed denial-of-service capability, separate encryption keys for each source, fast self-replication and a secure connection to its command-and-control servers.

Katana is infecting hundreds of IoT devices each day, Avira researchers say. The top three devices targeted by the botnet include D-Link’s DSL-7740C router, the DOCSIS 3.1 wireless gateway and Dell’s PowerConnect 6224 switch.

Attack Methods

Researchers discovered the new Katana botnet when Avira’s honeypots captured a wave of unknown malware binaries. They found that the botnet, like Mirai, uses remote code execution and command injection to exploit security vulnerabilities in older Linksys and GPON routers, and attacks other IoT devices as well, according to the report.

It includes classic Mirai functions, such as running as a single instance, using a random process name and manipulating the watchdog to prevent the device from restarting. It binds different ports, such as 53168, 57913, 59690, 62471 and 63749.
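The port list above is the kind of indicator a defender can check for on a device suspected of infection. The following is an added example, not code from the article or from Avira: it parses `ss -tlnp`-style listener output and flags processes bound to the ports the report names. The sample output is constructed for the example, and the process names and PIDs in it are invented; only the port numbers come from the article.

```python
import re

# Ports the report says Katana samples bind (taken from the article).
KATANA_PORTS = {53168, 57913, 59690, 62471, 63749}

# Constructed sample of `ss -tlnp` output; process names and PIDs are invented.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("dropbear",pid=412,fd=3))
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*          users:(("httpd",pid=530,fd=5))
LISTEN  0       1       0.0.0.0:57913        0.0.0.0:*          users:(("fq3kzx",pid=1887,fd=4))
LISTEN  0       128     127.0.0.1:53         0.0.0.0:*          users:(("dnsmasq",pid=601,fd=6))
"""

# One listening socket per line: local address, port, then the first
# "(name,pid=N,...)" entry of the users:(...) column.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def parse_listeners(ss_output):
    """Return one dict per LISTEN line: addr, port (int), proc, pid (int)."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or a line without process info
        listeners.append({
            "addr": m.group("addr"),
            "port": int(m.group("port")),
            "proc": m.group("proc"),
            "pid": int(m.group("pid")),
        })
    return listeners


def find_suspect_listeners(ss_output, ioc_ports=KATANA_PORTS):
    """Listeners bound to a port from the indicator set.

    A port match alone is weak evidence; the process name is returned so
    the analyst can check whether it looks like a Mirai-style random name.
    """
    return [l for l in parse_listeners(ss_output) if l["port"] in ioc_ports]


if __name__ == "__main__":
    for hit in find_suspect_listeners(SAMPLE_SS_OUTPUT):
        print(f"suspect listener: pid={hit['pid']} proc={hit['proc']} "
              f"bound to {hit['addr']}:{hit['port']}")
```

On a live device the input would be the output of `ss -tlnp` (or `netstat -tlnp` with the regex adjusted), and the hit should be correlated with the other behaviours the report lists, such as an unfamiliar process name and watchdog tampering, before it is treated as an infection.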

Avira’s researchers found a page on GitHub saying “Katana HTTP Botnet coming soon.”

Hungary hit by a powerful DDoS attack

Hungarian banking and telecommunication services were briefly disrupted by a powerful cyber attack on Thursday launched from computer servers in Russia, China and Vietnam, telecoms firm Magyar Telekom MTEL.BU said on Saturday.

The event was a distributed denial-of-service (DDoS) attack, a cyber attack in which hackers attempt to flood a network with unusually high volumes of data traffic in order to paralyse it.

The volume of data traffic in the attack was 10 times higher than the amount usually seen in DDoS events, making it one of the heaviest seen in Hungary.

“Russian, Chinese and Vietnamese hackers tried to launch a DDoS attack against Hungarian financial institutions, but they tried to overwhelm the networks of Magyar Telekom as well,” the company added in a statement.

The attack, which took place in several waves, disrupted the services of some of the country’s banks and caused lapses in Magyar Telekom’s services in certain parts of the capital, Budapest, before it was repelled.

Hungarian bank OTP Bank OTPB.BU confirmed it had been affected by the attack.

Separately, in another banking attack, a SIM swap combined with a remote monitoring tool and phishing drained a handful of banking customers’ accounts.

NZ share market DDoS’ed

New Zealand’s share market has been halted for a third consecutive day. It has been a wild run by the foreign threat actors.

New Zealand’s stock exchange is battling to restore services after cyber attacks shuttered the market for a third straight day, frustrating investors who were unable to trade amid a busy company earnings season.

The NZ$204 billion ($135 billion) market, which is nearing a record high, was unable to reopen Thursday after the exchange’s website was again hit with a distributed-denial-of-service attack that floods a network with Internet traffic and disrupts services. Officials have declined to speculate on the source of the attack, other than saying it’s coming from offshore.

“We continue to address the threat and work with cyber-security experts,” exchange operator NZX said in a statement. “We are doing everything we can to resume normal trading tomorrow.”

The disruptions come at the worst possible time, with companies such as national carrier Air New Zealand reporting their first annual results since the outbreak of the coronavirus pandemic. No internal systems have been compromised and trading information has not been breached, a spokesman for the regulator said.

Cyber-security experts appear baffled by the attacks, saying New Zealand isn’t typically a target and that it’s unclear whether the hackers are criminals or state-based actors.

Fancy Bear

The government’s cyber security agency CERT NZ said in November it had received reports of extortion emails targeting the financial sector. The emails claimed to be from a Russian group called “Fancy Bear/Cozy Bear” and demanded a ransom to avoid denial-of-service attacks. CERT declined to comment when contacted Thursday.

While New Zealand “is not a high profile target,” the incident raised “question marks over how much experience” the country has in dealing with such attacks, he said.

The attacks are impacting the NZX website, meaning investors without direct market access can’t see company announcements.

The exchange is yet to respond about what steps it’s taking to prevent further attacks and whether it has received any demands in conjunction with them. A spokesman wouldn’t say whether NZX was exchanging intelligence on the issues with other stock exchanges.

Korea’s stock exchange said its own website didn’t work for almost three hours on Wednesday after suffering from a DDoS attack.

Tor finally fixes a bug abused for DDoS

Launching DDoS attacks against dark web sites could soon be a little more difficult to pull off now Tor Project is preparing to fix a bug that has been abused by attackers for years.

The bug has been a nuisance for many years. It is a denial-of-service (DoS) issue that an attacker can exploit to initiate thousands of connections to a targeted dark web site.

The remote Onion service needs to negotiate a complex circuit through the Tor network to secure the connection between a user and the site’s server. As this process is very CPU resource intensive, initiating thousands of these connections can quickly overload a site’s server to the point where it can’t accept any new connections.

The issue has long been known, but Tor developers had not released any patch or fix to overcome it.

“The attacks exploit the inherent asymmetric nature of the onion service rendezvous protocol, and that makes it a hard problem to defend against. During the rendezvous protocol, an evil client can send a small message to the service while the service has to do lots of expensive work to react to it. This asymmetry opens the protocol to DoS attacks, and the anonymous nature of our network makes it extremely challenging to filter the good clients from the bad.”

To make matters worse, a tool named Stinger-Tor was uploaded to GitHub more than four years ago, which allows anyone to carry out a DoS attack on a dark web site just by running a Python script. There are other tools like this one out there that exploit the bug in Tor, and cybercrime groups have been selling them on underground forums.

Members of the Dread community have been encouraging users to donate to the Tor Project. These donations seem to have done the trick, as developing a fix for this vulnerability is now being prioritized. The proposed fix won’t completely deal with the issue, but it will make DoS attacks less effective against dark web sites.

The fix is scheduled to arrive with the upcoming Tor protocol 0.4.2 release and it should make things a bit easier for sites running on the Tor network.