NETSCOUT feed (en), Fri, 27 Jan 2023 11:07:44 -0500

Remembering SQL Slammer
Twenty years ago the SQL Slammer worm devastated the then-known internet, resulting in widespread outages and disruptions. What happened? Why was it successful? Can it happen again? Follow along as NETSCOUT explores the events and aftermath of arguably one of the most catastrophic events impacting the majority of the known internet at the time.
Fri, 27 Jan 2023 11:07:44 -0500, Richard Hummel

DDoS Threat Landscape - Russia
Since mid-February of 2022, the NETSCOUT Arbor Security Engineering and Response Team (ASERT) has been monitoring the situation in Russia and Ukraine. We recently published an update to our initial technical analysis of the ongoing high-profile DDoS attacks targeting organizations, networks, applications, and services in Ukraine.
Wed, 23 Mar 2022 11:30:00 -0400, Richard Hummel

DDoS Threat Landscape - Ukraine
The ongoing DDoS attack campaign against Ukraine has increased significantly. We anticipate that DDoS activity targeting Ukraine will continue for the duration of the conflict, and will continue to disrupt Internet operations not only within Ukraine but also in neighboring countries. Organizations should implement industry-standard best current practices (BCPs) and appropriate DDoS defenses in order to ensure their resilience against attack.
Mon, 21 Mar 2022 15:00:00 -0400, Richard Hummel

TP240PhoneHome Reflection/Amplification DDoS Attack Vector
A new reflection/amplification distributed denial-of-service (DDoS) vector with a record-breaking potential amplification ratio of 4,294,967,296:1 has been abused by attackers in the wild to launch multiple high-impact DDoS attacks. Security researchers, network operators, and security vendors observed these attacks and formed a task force to investigate the new DDoS vector and provide mitigation guidance.
Tue, 08 Mar 2022 09:32:24 -0500, Richard Hummel

The Anatomy of the DDoS Attack Campaign Targeting Organizations in Ukraine
Overview: Beginning on 13 February 2022, multiple governmental, military, and financial organizations within Ukraine reported that their public-facing Web sites, applications, and ancillary supporting infrastructure were being targeted in an orchestrated DDoS attack campaign. Significant direct impact to these...
Thu, 17 Feb 2022 14:00:00 -0500, Richard Hummel

What Happened in the Second Half of 2021?
Executive Summary: The second half of 2021 finally saw much of the world returning to normal, at least until the recent Omicron variant sent us packing back home. The premature return to normal coincided with a welcome respite in overall DDoS attack numbers, but unfortunately adversaries used innovation and perseverance...
Fri, 04 Feb 2022 13:46:19 -0500, Richard Hummel

Mēris & Dvinis Botnets
Threat adversaries leverage exploitable Mikrotik routers with two different botnets, Mēris and Dvinis, to launch high request-per-second attacks against targets.
Thu, 18 Nov 2021 09:51:49 -0500, Richard Hummel

A Tale of Two Botnets
NETSCOUT's ASERT Team tracks the Mēris and Dvinis DDoS botnets. The blog covers the number of botted nodes observed, how they are propagating, and where they are distributed geographically. We also disclose characteristics of the bots and how to recognize them on a network.
Thu, 28 Oct 2021 08:55:46 -0400, Richard Hummel

High-Profile DDoS Extortion Attacks Against SIP/RTP VoIP Providers
Beginning in September 2021, aggressive threat actors have targeted multiple Voice-over-IP (VoIP) communication providers with a campaign of high-impact DDoS extortion attack
Fri, 22 Oct 2021 09:18:50 -0400, Richard Hummel

The Long Tail of Adversary Innovation
The latest Threat Intelligence Report from NETSCOUT details the extensive global impact of cyberattacks on private and public sector organizations.
Tue, 21 Sep 2021 10:00:00 -0400, Carol Hildebrand

HTTP Reflection/Amplification via Abusable Internet Censorship Systems
Learn more about this distributed denial-of-service (DDoS) attack vector, which abuses middlebox systems for HTTP reflection/amplification.
Fri, 20 Aug 2021 09:45:24 -0400, Richard Hummel

Our New DDoS Normal Isn't All That Normal
Attack frequency has dropped, but we are nowhere near the numbers considered normal prior to COVID-19: threat actors launched approximately 5.4 million DDoS attacks in the first half of 2021.
Tue, 27 Jul 2021 10:38:04 -0400, Richard Hummel

DHCPDiscover Reflection/Amplification DDoS Attack Mitigation Recommendations
DHCPDiscover, a UDP-based JSON protocol used to manage DVRs, can be abused to launch UDP reflection/amplification attacks when an internet-exposed DVR lacks any form of authentication.
Wed, 07 Jul 2021 09:30:10 -0400, Richard Hummel

Fancy Lazarus DDoS Extortion Campaign
ASERT Threat Summary. Date/Time: 17June2021 1300UTC. Severity: Warning. Distribution: TLP: WHITE. Categories: Availability. Contributors: Jon Belanger, Richard Hummel. Executive Summary: In May 2021, self-designated threat actor(s) 'Fancy Lazarus' began a new campaign of distributed denial-of-service (DDoS) extortion attacks...
Tue, 22 Jun 2021 08:54:19 -0400, Richard Hummel

Session Traversal Utilities for NAT (STUN) Reflection/Amplification
Adversaries weaponize STUN servers by incorporating the protocol into DDoS-for-Hire services. Approximately 75k abusable STUN servers give DDoS attackers ample opportunity to launch single-vector STUN attacks as large as 441 Gbps, or to use the protocol in multi-vector attacks of a significantly greater size. Learn how to mitigate attacks leveraging STUN in our analysis.
Wed, 02 Jun 2021 10:30:00 -0400, Richard Hummel

The Beat Goes On
The beat goes on: threat actors launched approximately 2.9 million DDoS attacks in the first quarter of 2021, a 31% increase from the same time in 2020.
Mon, 17 May 2021 11:14:05 -0400, Richard Hummel

TsuNAME Zone Cyclic Dependency-Induced Recursive DNS Query Cascade
In mid-May 2021, security researchers at SIDN Labs, InternetNZ, and USC/ISI released a research paper describing a sabotage-based DDoS attack methodology dubbed 'TsuNAME' that targeted authoritative DNS servers.
Wed, 12 May 2021 10:25:23 -0400, Richard Hummel

Datagram Transport Layer Security (D/TLS) Reflection/Amplification DDoS Attack Mitigation Recommendations
Datagram Transport Layer Security (D/TLS) is a variant of the TLS encryption protocol implemented atop the User Datagram Protocol (UDP); it is used to secure datagram-based applications against eavesdropping, tampering, and message forgery. As a result of some misconfigured D/TLS implementations, attackers can abuse the protocol to launch D/TLS reflection/amplification DDoS attacks.
Tue, 16 Mar 2021 13:09:37 -0400, Richard Hummel

Plex Media SSDP (PMSSDP) Reflection/Amplification DDoS Attack Mitigation Recommendations
Amplified PMSSDP DDoS attack traffic consists of SSDP HTTP/U responses sourced from UDP port 32414 and/or UDP port 32410 on abusable Plex Media Server instances and directed towards the attack target(s); each amplified response packet ranges from 52 to 281 bytes in size, for an average amplification factor of ~4.68:1.
Thu, 04 Feb 2021 08:39:33 -0500, Richard Hummel

Crossing the 10 Million Mark: DDoS Attacks in 2020
For the first time, we observed DDoS attacks rise above 10 million annually in 2020, nearly 1.6 million more attacks than seen in 2019.
Tue, 26 Jan 2021 09:02:00 -0500, Richard Hummel

Microsoft Remote Desktop Protocol (RDP) Reflection/Amplification DDoS Attack Mitigation Recommendations - January 2021
Recently observed DDoS attacks leverage abusable Microsoft RDP services to launch UDP reflection/amplification attacks with an 85.9:1 amplification factor.
Wed, 20 Jan 2021 16:21:57 -0500, Richard Hummel

Lazarus Bear Armada DDoS Extortion Campaign — December 2020
DDoS Extortion Update: As previously reported, a relatively prolific threat actor initiated a global campaign of DDoS extortion attacks in mid-August 2020, largely directed towards regional financial and travel-industry targets such as regional banks, stock exchanges, travel agencies, currency exchanges, and, in some cases, their upstream internet transit providers. Read this latest update.
Tue, 29 Dec 2020 18:00:00 -0500, Richard Hummel

Dropping the Anchor
Trickbot has long been one of the key banking malware families in the wild. Despite recent disruption events, the operators continue to drive forward with the malware and have recently begun porting portions of its code to the Linux operating system.
Mon, 26 Oct 2020 13:47:50 -0400, Richard Hummel

High-Profile DDoS Extortion Attacks — September 2020
Starting in mid-August 2020, a relatively prolific threat actor initiated a global campaign of DDoS extortion attacks largely directed towards regional financial and travel-industry targets such as regional banks, stock exchanges, travel agencies, currency exchanges, and, in some cases, their upstream internet transit providers.
Thu, 03 Sep 2020 08:24:01 -0400, Richard Hummel

Lucifer's Spawn
ASERT researchers have uncovered new information about Lucifer, a cryptojacking and distributed denial of service (DDoS) bot originally found to exploit and run on Windows-based systems.
Wed, 19 Aug 2020 09:19:08 -0400, Richard Hummel

Last Week in DDoS...
By all indications, the events of last week have brought the importance of DDoS defense into focus for many individuals and organizations. DDoS attacks aren't something to be taken lightly...
Tue, 23 Jun 2020 12:46:27 -0400, Richard Hummel

UK in Focus
Summary: Based on a case study in our most recent blog, the observed global DDoS attack count (frequency), bandwidth (BPS), and throughput (PPS) all saw significant increases since the start of the global COVID-19 pandemic in mid-March. Focusing in at a country level, in this case the UK, we see that attacks have...
Fri, 12 Jun 2020 09:00:00 -0400, Richard Hummel

Measuring the Cruellest Month
Summary: One of the more esoteric aspects of working in the DDoS defense space is the analysis of data. We look at data about attack bandwidth (bps) and throughput (pps); connections per second (cps) and queries per second (qps); source and destination CIDRs and ASNs; mitigation capacities and attack vectors...
Tue, 21 Apr 2020 09:23:07 -0400, Richard Hummel

Evolution of a New DDoS Technique
Summary: In October of 2019, high-impact TCP reflection/amplification DDoS attacks hit organizations in Scandinavia and Southern Europe. These attacks leveraged servers belonging to organizations unaffiliated with the actual targets of the attack, which were running well-known services such as telnet, HTTP, HTTPS, SMB...
Thu, 02 Apr 2020 12:12:07 -0400, Richard Hummel

Availability in the Time of COVID-19
Overview: The self-quarantine and social distancing guidance provided by governments around the world in response to the COVID-19 pandemic is leading to a rapid and wholesale switch to remote work for many organizations and significant populations of their employees worldwide. To varying degrees, organizations have been...
Fri, 20 Mar 2020 10:16:56 -0400, Richard Hummel

NETSCOUT Threat Intelligence Report—Powered by ATLAS
8.4 MILLION: that is the number of DDoS attacks NETSCOUT Threat Intelligence saw last year alone: more than 23,000 attacks per day, 16 every minute.
Tue, 18 Feb 2020 08:28:16 -0500, Richard Hummel

DDoS Attack Vectors Live or Die
Executive Summary: Dozens of known attack vectors ranging from obscure or little-used protocols (Citrix-ICA) to very common and vastly used protocols (DNS and NTP) give DDoS attackers a smorgasbord of available vectors to choose from. Some of these vectors are relatively new, such as ARMS, COAP, and WS-DD (as noted in...
Tue, 04 Feb 2020 09:43:13 -0500, Richard Hummel

Nation State APT & The Business World
A recent article, which NETSCOUT had the opportunity to participate in, highlights the importance the corporate world holds for Nation State APT adversaries. As the article duly notes, there used to be a handful of countries publicly named for acts of cyber espionage spanning across borders. The reality today is that any nation can, and does, incorporate its own methods of cyber warfare, ranging from simple spam messaging to sophisticated, custom malware capable of evading even the best anti-virus signatures in existence.
Mon, 16 Dec 2019 14:12:49 -0500, Richard Hummel

Emotet - What's Changed?
Executive Summary: Emotet, a banking trojan turned downloader, continues to make waves in the downloader scene despite recent hibernations. Emotet is a modular malware, first reported in 2014 as a banking trojan, that quickly evolved into its current modular form which supports everything from spamming to theft of emails...
Tue, 05 Nov 2019 13:03:23 -0500, Richard Hummel

Air APT
Executive Summary: Airlines and the airport industry in general are highly lucrative targets for APT groups; they are rife with information that other countries would find useful. NETSCOUT data from 2019 shows airport and airline targeting remains strong and steady, with Russian, Chinese, and Iranian APT groups...
Thu, 12 Sep 2019 09:08:01 -0400, Richard Hummel

NETSCOUT Threat Intelligence Report
"It's hard to express the scale of today's cyber threat landscape, let alone its global impact." - Hardik Modi, Senior Director of Threat Intelligence. Executive Summary: In the past six months, there were nearly four million DDoS attacks around the world, and attack frequency grew by 39 percent in the first half of...
Mon, 05 Aug 2019 05:46:48 -0400, Richard Hummel

A Call to ARMS: Apple Remote Management Service UDP Reflection/Amplification DDoS Attacks
Key Takeaways: a new UDP reflection/amplification DDoS vector is observed in the wild; the surprising nature of the abusable reflectors/amplifiers; recommended DDoS defense and Best Current Practices (BCPs) for ARMS.
Wed, 26 Jun 2019 17:00:00 -0400, ASERT Team

Realtek SDK Exploits on the Rise from Egypt
Executive Summary: ASERT's IoT honeypot network continuously monitors known exploit vectors, and we recently detected a spike in exploit attempts targeting the Realtek SDK miniigd SOAP vulnerability in consumer-based routers from the end of April 2019 until the first half of May 2019. The attacks originated from Egypt...
Wed, 29 May 2019 12:29:24 -0400, Richard Hummel

LUCKY ELEPHANT Campaign Masquerading
In early March 2019, ASERT researchers uncovered a credential harvesting campaign targeting mostly South Asian governments. The actors behind this campaign, which we call LUCKY ELEPHANT, use doppelganger webpages to mimic legitimate entities such as foreign governments, telecommunications, and military.
Fri, 22 Mar 2019 14:20:46 -0400, Jill Sopko

Introducing the NETSCOUT Threat Intelligence Report – Findings from Second Half 2018
NETSCOUT Threat Intelligence Report - Security Findings from Second Half 2018. Special Report powered by ATLAS.
Wed, 27 Feb 2019 14:00:00 -0500, Hardik Modi

IoT Exploits: Around The World In 120 Days
Internet of Things (IoT) botnets commonly propagate by exploiting vulnerabilities in IoT devices. Telemetry from our IoT honeypots shows that the number of exploit attempts originating from bots continues to increase.
Thu, 07 Feb 2019 13:56:02 -0500, ASERT Team

CoAP Attacks In The Wild
Attackers have recently begun launching CoAP reflection/amplification DDoS attacks; CoAP is a protocol primarily used today by mobile phones in China, but expected to grow with the explosion of Internet of Things (IoT) devices.
Thu, 31 Jan 2019 10:00:00 -0500, ASERT Team

LoJax: Fancy since 2016
In May of last year, ASERT researchers reported on LoJax, a double agent leveraging legitimate software to phone home to malicious command and control (C2) servers. Since the publication of our research, we've monitored a number of new malware samples.
Wed, 16 Jan 2019 09:50:26 -0500, ASERT Team

Danabot's Travels, A Global Perspective
First discovered in May of 2018, Danabot is a Delphi-written banking trojan that has been under active development throughout the year.
Wed, 19 Dec 2018 10:00:48 -0500, ASERT Team

Fast & Furious IoT Botnets: Regifting Exploits
Internet of Things (IoT) botnet authors are adapting to a shift toward more secure IoT devices, which has diverted attackers' focus to exploiting vulnerabilities in IoT devices, either to supplement brute-forcing factory default passwords or to completely supplant it.
Wed, 12 Dec 2018 10:01:19 -0500, ASERT Team

STOLEN PENCIL Campaign Targets Academia
ASERT has learned of an APT campaign, possibly originating from DPRK, that we are calling STOLEN PENCIL and that has been targeting academic institutions since at least May 2018.
Wed, 05 Dec 2018 10:00:06 -0500, ASERT Team

Mirai: Not Just for IoT Anymore
Botmasters have taken the lessons from developing Internet of Things (IoT) malware and shifted their focus to targeting commodity Linux servers.
Wed, 21 Nov 2018 09:59:13 -0500, ASERT Team

Dipping Into The Honeypot
Brute-forcing factory default usernames and passwords remains a winning strategy for Internet of Things (IoT) botnet propagation.
Tue, 23 Oct 2018 08:59:43 -0400, ASERT Team

Tunneling Under the Sands
ASERT recently came across spear-phishing emails targeting the Office of the First Deputy Prime Minister of Bahrain.
Fri, 14 Sep 2018 18:13:28 -0400, ASERT Team

Double the Infection, Double the Fun
Executive Summary: Cobalt Group (aka TEMP.Metastrike), active since at least late 2016, has been suspected in attacks across dozens of countries. The group primarily targets financial organizations, often with the use of ATM malware. Researchers also believe they are responsible for a series of attacks on the SWIFT...
Thu, 30 Aug 2018 11:54:53 -0400, ASERT Team

A New Twist In SSDP Attacks
Arbor ASERT has uncovered a new class of SSDP abuse where naïve devices will respond to SSDP reflection/amplification attacks with a non-standard port. The resulting flood of UDP packets has ephemeral source and destination ports, making mitigation more difficult: an SSDP diffraction attack. This behavior appears to...
Wed, 27 Jun 2018 12:10:57 -0400, ASERT Team

Kardon Loader Looks for Beta Testers
Key Findings: ASERT researchers discovered Kardon Loader being advertised on underground forums. Kardon Loader features functionality allowing customers to open their own botshop, which grants the purchaser the ability to rebuild the bot and sell access to others. Kardon Loader is in early stages of development, public...
Tue, 19 Jun 2018 12:00:34 -0400, ASERT Team

OMG - Mirai Minions are Wicked
Executive Summary: Mirai, seen as revolutionary for malware that targets the Internet of Things (IoT), has wrought destruction around the globe and popularized IoT-based malware. Mirai was utilized by attackers to launch multiple high-profile, high-impact DDoS attacks against various Internet properties and services in...
Thu, 31 May 2018 13:24:33 -0400, ASERT Team

The Importance of Being Accurate: SSDP Diffraction Attacks, UDP Refraction Attacks, and UPnP NAT Bypass
Written by Roland Dobbins, ASERT Principal Engineer, and Matt Bing, ASERT Security Analyst. In this article: SSDP Diffraction Attacks aren't new; they've been observed in the wild since 2015. 'Evasive Amplification' attacks aren't. UPnP NAT Bypass is real. SSDP Diffraction Attacks - Targeting ISP and Enterprise Networks...
Tue, 22 May 2018 14:52:26 -0400

Lojack Becomes a Double-Agent
Executive Summary: ASERT recently discovered Lojack agents containing malicious C2s. These hijacked agents pointed to suspected Fancy Bear (a.k.a. APT28, Pawn Storm) domains. The InfoSec community and the U.S. government have both attributed Fancy Bear activity to Russian espionage activity. Fancy Bear actors typically...
Tue, 01 May 2018 09:44:30 -0400, ASERT Team

Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files
Overview: ASERT recently identified a campaign targeting commercial manufacturing in the US and potentially Europe in late 2017. The threat actors used phishing and downloader(s) to install a Remote Access Trojan (RAT) ASERT calls InnaputRAT on the target's machine. The RAT contained a series of commands that includes...
Wed, 04 Apr 2018 16:02:23 -0400, ASERT Team

Panda Banker Zeros in on Japanese Targets
Key Findings: A threat actor using the well-known banking malware Panda Banker (a.k.a. Zeus Panda, PandaBot) has started targeting financial institutions in Japan. Based on our data and analysis, this is the first time that we have seen Panda Banker injects targeting Japanese organizations. It is likely a new campaign or...
Tue, 27 Mar 2018 17:25:40 -0400, ASERT Team

Donot Team Leverages New Framework
Authors: Dennis Schwarz and Jill Sopko. Special thanks to Richard Hummel and Hardik Modi for their contributions on this post.
[Figure 1: Pakistan themed decoy document]
Key Findings: ASERT discovered a new modular malware framework, which we call yty, that focuses on file collection, screenshots, and keylogging. We believe the...
Thu, 08 Mar 2018 09:39:42 -0500, ASERT Team

NETSCOUT Arbor Confirms 1.7 Tbps DDoS Attack; The Terabit Attack Era Is Upon Us
Last week, after Akamai confirmed a 1.3 Tbps DDoS attack against GitHub, I published a blog that looked at the last five years of reflection/amplification attack innovation. I hope that it provides a helpful backgrounder on how we got here, to the terabit attack era.
Mon, 05 Mar 2018 12:34:31 -0500, Carlos Morales

1 Terabit DDoS Attacks Become a Reality; Reflecting on Five Years of Reflections
Special thanks to Hardik Modi, Steve Siadak and Roland Dobbins for their contributions on this post. Reflection amplification is a technique that allows cyber attackers to both magnify the amount of malicious traffic they can generate and obfuscate the sources of that attack traffic. For the past five years, this...
Thu, 01 Mar 2018 14:24:40 -0500, Carlos Morales

memcached Reflection/Amplification Description and DDoS Attack Mitigation Recommendations
ASERT Threat Summary: memcached Reflection/Amplification Description and DDoS Attack Mitigation Recommendations. Date/Time: 27022018 2325UTC. Title/Number: memcached Reflection/Amplification Description and DDoS Attack Mitigation Recommendations - February 2018 - v1.4. Severity: Critical. Distribution: TLP WHITE (see...
Tue, 27 Feb 2018 11:08:24 -0500

Musical Chairs Playing Tetris
February 20, 2018: This blog has been amended since it was originally published on February 15, 2018. This version removes the association with the APT group responsible for the Night Dragon campaign that we had incorrectly made. We thank the research team at Palo Alto Networks for graciously bringing this to our...
Thu, 15 Feb 2018 16:23:40 -0500, ASERT Team

The ARC of Satori
Authors: Pete Arzamendi, Matt Bing, and Kirk Soluk. Satori, the heir apparent to the infamous IoT malware Mirai, was discovered by researchers in December 2017. The word "satori" means "enlightenment" or "understanding" in Japanese, but the evolution of the Satori malware has brought anything but clarity. Each new...
Thu, 18 Jan 2018 21:03:24 -0500, ASERT Team

MedusaHTTP DDoS Slithers Back into the Spotlight
Executive Summary: MedusaHTTP is an HTTP-based DDoS botnet written in .NET that surfaced in early 2017. MedusaHTTP is based off of MedusaIRC, which leveraged IRC for its command and control communications instead of HTTP. The MedusaIRC botnet has been advertised on various underground hacker marketplaces since 2015, while...
Mon, 18 Dec 2017 10:00:20 -0500, ASERT Team

Reaper Madness
On October 19th, a team of security researchers warned of a new IoT botnet that had already infected "an estimated million organizations" and that was poised to "take down the internet". This report was subsequently picked up by the press and spread quickly via social media. ASERT has been actively analyzing the Reaper...
Thu, 26 Oct 2017 09:42:29 -0400, ASERT Team

SnatchLoader Reloaded
Executive Summary: SnatchLoader is a "downloader" malware—a type of malware that specializes in distributing (or loading) other malware onto infected computers. We first started seeing it in the wild around January 2017, but after a few months it went dormant. Recently, development of the malware has picked up again and...
Wed, 25 Oct 2017 14:01:32 -0400, ASERT Team

The Flusihoc Dynasty, A Long Standing DDoS Botnet
Since 2015, ASERT has observed and followed a DDoS botnet named Flusihoc. To date very little has been published about this family, despite numerous anti-virus and intrusion detection signatures created by various vendors. Flusihoc has remained persistent with multiple variants, over 500 unique samples in our malware...
Tue, 03 Oct 2017 13:56:51 -0400, ASERT Team

The Formidable FormBook Form Grabber
More and more we've been seeing references to a malware family known as FormBook. Per its advertisements, it is an infostealer that steals form data from various web browsers and other applications. It is also a keylogger and can take screenshots. The malware code is complicated, busy, and fairly obfuscated; there are...
Wed, 20 Sep 2017 09:20:52 -0400, ASERT Team

Down to the WireX
Over the course of the last few weeks, a botnet comprised mainly of Android mobile devices has been utilized to launch a high-impact DDoS extortion campaign against multiple organizations in the travel and hospitality sector. This botnet, dubbed 'WireX', is only the second mobile botnet to have been confirmed to date...
Thu, 31 Aug 2017 11:18:00 -0400

LockPoS Joins the Flock
While revisiting a Flokibot campaign that was targeting point of sale (PoS) systems in Brazil earlier this year, we discovered something interesting. One of the command and control (C2) servers that had been dormant for quite some time had suddenly woken up and started distributing what looks to be a new PoS malware...
Wed, 12 Jul 2017 08:11:56 -0400, ASERT Team

Patching Not Enough to Stop Petya
Voluminous amounts of information have already been disseminated regarding the "Petya" (or is it "NotPetya"? [1]) ransomware that hit the Ukraine hard [2] along with organizations such as "the American pharmaceutical giant Merck, the Danish shipping company AP Moller-Maersk, the British advertising firm WPP, Saint...
Tue, 27 Jun 2017 20:30:01 -0400

Pivoting off Hidden Cobra Indicators
On June 13th 2017, US-CERT issued a joint Technical Alert (TA17-164A) entitled Hidden Cobra – North Korea's DDoS Botnet Infrastructure. The alert, which was the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), included a list of IP addresses "linked...
Sun, 18 Jun 2017 18:05:56 -0400

Another Banker Enters the Matrix
This post takes a look at a new banking malware that has, so far, been targeting financial institutions in Latin America, specifically Mexico and Peru. Initially, we've called it "Matrix Banker" based on its command and control (C2) login panel, but it seems that "Matrix Admin" is a template available for the Bootstrap...
Fri, 09 Jun 2017 09:37:16 -0400, ASERT Team

Zyklon Season
The ASERT research team has recently done some work reverse engineering a family of malware called "Zyklon H.T.T.P." that is written using the .NET framework. Zyklon (German for "cyclone") is a large, multi-purpose trojan that includes support for a variety of malicious activities, including several different forms of...
Thu, 25 May 2017 10:21:32 -0400, ASERT Team

WannaCry
Information regarding the WannaCry ransomware is spreading as quickly as the malware itself and is expected to do so throughout the weekend. This blog provides some information from our malware processing system that may, or may not be, available elsewhere. The WannaCry ransomware propagates by exploiting a remote code...
Sat, 13 May 2017 01:12:53 -0400, ASERT Team

Greenbug's DNS-isms
Over the past few months there has been a lot of research and press coverage on the Shamoon campaigns. These have been the attacks on Saudi Arabian companies where a destructive malware known as Disttrack was deployed. The malware, using stolen credentials, spreads throughout the targeted networks and then at a set...
Mon, 01 May 2017 11:55:37 -0400, ASERT Team

Observed Spike in DDoS Attacks Targeting Hong Kong
Introduction: Each week ASERT produces a weekly threat intelligence bulletin for Arbor customers. In addition to providing insights into the week's security news and reviewing ASERT's threat research activities, we also summarize the week's DDoS attack data as reported by over 330 global Internet Service Providers that...
Sun, 23 Apr 2017 20:39:41 -0400, ASERT Team

Acronym: M is for Malware
A malware researcher known as Antelox recently tweeted about an unknown malware sample that caught our eye. Upon further investigation, it is a modular malware known as Acronym and could possibly be associated with the Win32/Potao malware family and the Operation Potao Express campaign. This post takes a look at our...
Wed, 15 Mar 2017 09:00:19 -0400, ASERT Team

Change All Your Passwords, Right Now!
By Steinthor Bjarnason, Senior ASERT Security Analyst, and Roland Dobbins, ASERT Principal Engineer. CloudFlare are probably best known as a DDoS mitigation service provider, but they also operate one of the largest Content Delivery Networks (CDNs) on the Internet. Many popular Web sites, mobile apps, etc. make use of the...
Fri, 24 Feb 2017 13:09:03 -0500, ASERT Team

Additional Insights on Shamoon2
IBM analysts recently unveiled a first look at how threat actors may have placed Shamoon2 malware on systems in Saudi Arabia. Researchers showcased a potential malware lifecycle which started with spear phishing and eventually led to the deployment of the disk-wiping malware known as Shamoon. Their research showcased a...
Tue, 21 Feb 2017 17:19:46 -0500, ASERT Team

Non-Government Organization in Support of Government Hopes
Red Team analysis is the process of viewing a situation from the perspective of an adversary, thus providing insights beyond those that might otherwise be limited by normative biases.
Thu, 22 Dec 2016 13:22:13 -0500, ASERT Team

Dismantling a Nuclear Bot
A recent tweet mentioned that a new banking malware called "Nuclear Bot" has started to appear for sale on underground marketplaces. Its price starts around $2500, which is more than double the price of another recent entry to the marke
Mon, 19 Dec 2016 14:54:48 -0500, ASERT Team

On the Economics, Propagation, and Mitigation of Mirai
In late November of 2016, a new Mirai variant emerged that leveraged a propagation mechanism different from the Telnet-based brute forcing mechanism originally provided in the leaked Mirai source code.
Wed, 14 Dec 2016 15:46:00 -0500, ASERT Team

Analysis of CryptFile2 Ransomware Server
This report describes several elements of a ransomware staging system using the Nemucod malware to deliver CryptFile2 (aka Hydracrypt.A and Win32/Filecoder.HydraCrypt.C) ransomware, an ongoing threat since at least mid-March of 2016. This report reveals the TTPs (tactics, techniques, procedures) of threat actors...
Wed, 14 Dec 2016 12:07:41 -0500, ASERT Team

Diving Into Buhtrap Banking Trojan Activity
Cyphort recently published an article about the Buhtrap banking trojan [], targeting users of Russian and Ukrainian banks as reported in March of 2016 by Group-IB []. Cyphort's insightful article...
Mon, 21 Nov 2016 13:35:01 -0500, ASERT Team

FlokiBot: A Flock of Bots?
In early October, Flashpoint released an analysis of an underground forum advertisement for a new malware family known as FlokiBot. It took some time before a sample was found in the wild, but a researcher known as hasherezade flagged one on VirusTotal in early November. She also wrote an analysis of its dropper here...
Mon, 21 Nov 2016 11:50:47 -0500, ASERT Team

Flying Dragon Eye: Uyghur Themed Threat Activity
This paper documents attempted exploitation activity aimed at Uyghur interests outside of China. Exploitation is being attempted via the usual tactic of spear phishing containing malicious attachments to targets. The exploit code attached used for...
Tue, 01 Nov 2016 14:42:21 -0400, ASERT Team

Mirai IoT Botnet Description and DDoS Attack Mitigation
Since its inception in August of 2016, the Mirai 'Internet-of-Things' (IoT) botnet, comprised largely of internet-enabled digital video recorders (DVRs), surveillance cameras, and other Internet-enabled embedded devices, has been utilized by attackers to launch multiple high-profile, high-impact DDoS attacks against various Internet properties and services.
Wed, 26 Oct 2016 14:55:18 -0400

TrickBot Banker Insights
A new banking trojan, TrickBot, has seemingly risen from the ashes left behind by the November 2015 takedown of Dyreza/Dyre infrastructure and the arrests of threat actors identified by Russian authorities. Dyreza was used to target customers of over 1000 U.S. and U.K. banks and other companies during the peak of its operations.
Tue, 25 Oct 2016 16:17:01 -0400, ASERT Team

How to create a Full Packet Capture
Once you've decided that you'd like to start doing full packet capture, you may well ask how. Learn about the basic steps in performing full packet captures.
Tue, 19 Feb 2013 08:39:00 -0500

DDoS Attacks on SSL: Something Old, Something New
SSL (or TLS) secures web services such as banking, online purchases, email and remote access. Popular services such as Twitter, Hotmail and Facebook are increasingly migrating to SSL to improve security and address privacy concerns. As more transactions and services are protected by SSL, DDoS attacks on SSL-secured...
Tue, 24 Apr 2012 08:40:43 -0400

Attack of the Shuriken: Many Hands, Many Weapons
A visual sample of Distributed Denial of Service (DDoS or DoS) attack tools and services compiled by Curt Wilson, Research Analyst, Arbor Networks ASERT. There are a variety of popular Denial of Service attack tools that have received a fair amount of attention from the security research community, but there are many other...
Tue, 07 Feb 2012 09:18:09 -0500, ASERT Team

IPv6 Fragmentation
Fragmentation has been a frequent source of security vulnerabilities in IPv4, and for good reason. With fragmented IPv4 packets, the layer 4 header information is not available in the second through the last fragment. The process of fragmentation and fragment reassembly can create unexpected and harmful behaviors in...
Mon, 25 Jul 2011 09:51:08 -0400, ASERT Team