NETSCOUT
https://www.netscout.com/
Language: en
Last updated: Thu, 18 Nov 2021 09:51:49 -0500

Mēris & Dvinis Botnets
https://www.netscout.com/blog/asert/meris-dvinis-botnets
Threat adversaries leverage exploitable Mikrotik routers with two different botnets, Mēris and Dvinis, to launch high request-per-second attacks against targets.
Thu, 18 Nov 2021 09:51:49 -0500 | Richard Hummel

A Tale of Two Botnets
https://www.netscout.com/blog/asert/tale-two-botnets
NETSCOUT's ASERT Team tracks the Mēris and Dvinis DDoS botnets. The blog covers the number of botted nodes observed, how they are propagating, and where they are distributed geographically. We also disclose characteristics of the bots and how to recognize them on a network.
Thu, 28 Oct 2021 08:55:46 -0400 | Richard Hummel

High-Profile DDoS Extortion Attacks Against SIP/RTP VoIP Providers
https://www.netscout.com/blog/asert/high-profile-ddos-extortion-attacks-against-siprtp-voip
Beginning in September 2021, aggressive threat actors have targeted multiple Voice-over-IP (VoIP) communication providers with a campaign of high-impact DDoS extortion attack
Fri, 22 Oct 2021 09:18:50 -0400 | Richard Hummel

The Long Tail of Adversary Innovation
https://www.netscout.com/blog/asert/the-long-tail-adversary-innovation
The latest Threat Intelligence Report from NETSCOUT details the extensive global impact of cyberattacks on private and public sector organizations.
Tue, 21 Sep 2021 10:00:00 -0400 | Carol Hildebrand

HTTP Reflection/Amplification via Abusable Internet Censorship Systems
https://www.netscout.com/blog/asert/http-reflectionamplification-abusable-internet-censorship
Learn more about this distributed denial-of-service (DDoS) attack vector, which abuses middlebox systems for HTTP reflection/amplification.
Fri, 20 Aug 2021 09:45:24 -0400 | Richard Hummel

Our New DDoS Normal Isn’t All That Normal
https://www.netscout.com/blog/asert/our-new-ddos-normal-isnt-all-normal
Attack frequency has dropped, but we are nowhere near the numbers considered normal prior to COVID-19: threat actors launched approximately 5.4 million DDoS attacks in the first half of 2021.
Tue, 27 Jul 2021 10:38:04 -0400 | Richard Hummel

DHCPDiscover Reflection/Amplification DDoS Attack Mitigation Recommendations
https://www.netscout.com/blog/asert/dhcpdiscover-reflectionamplification-ddos-attack-mitigation
DHCPDiscover, a UDP-based JSON protocol used to manage DVRs, can be abused to launch UDP reflection/amplification attacks when an internet-exposed DVR lacks any form of authentication.
Wed, 07 Jul 2021 09:30:10 -0400 | Richard Hummel

Fancy Lazarus DDoS Extortion Campaign
https://www.netscout.com/blog/asert/fancy-lazarus-ddos-extortion-campaign
ASERT Threat Summary. Date/Time: 17June2021 1300UTC. Severity: Warning. Distribution: TLP: WHITE. Categories: Availability. Contributors: Jon Belanger, Richard Hummel. Executive Summary: In May 2021, self-designated threat actor(s) ‘Fancy Lazarus’ began a new campaign of distributed denial-of-service (DDoS) extortion attacks...
Tue, 22 Jun 2021 08:54:19 -0400 | Richard Hummel

Session Traversal Utilities for NAT (STUN) Reflection/Amplification
https://www.netscout.com/blog/asert/session-traversal-utilities-nat-stun
Adversaries weaponize STUN servers by incorporating the protocol into DDoS-for-Hire services. Approximately 75k abusable STUN servers give DDoS attackers ample opportunity to launch single-vector STUN attacks as large as 441 Gbps, or to use the protocol in multi-vector attacks of significantly greater size. Learn how to mitigate attacks leveraging STUN in our analysis.
Wed, 02 Jun 2021 10:30:00 -0400 | Richard Hummel

The Beat Goes On
https://www.netscout.com/blog/asert/beat-goes
The beat goes on: threat actors launched approximately 2.9 million DDoS attacks in the first quarter of 2021, a 31% increase from the same period in 2020.
Mon, 17 May 2021 11:14:05 -0400 | Richard Hummel

TsuNAME Zone Cyclic Dependency-Induced Recursive DNS Query Cascade
https://www.netscout.com/blog/asert/tsuname-zone-cyclic-dependency-induced-recursive-dns-query
In mid-May 2021, security researchers at SIDN Labs, InternetNZ, and USC/ISI released a research paper describing a sabotage-based DDoS attack methodology dubbed ‘TsuNAME’ that targeted authoritative DNS servers.
Wed, 12 May 2021 10:25:23 -0400 | Richard Hummel

Datagram Transport Layer Security (D/TLS) Reflection/Amplification DDoS Attack Mitigation Recommendations
https://www.netscout.com/blog/asert/datagram-transport-layer-security-dtls-reflectionamplification
Datagram Transport Layer Security (D/TLS) is a variant of the TLS encryption protocol implemented atop User Datagram Protocol (UDP); it is used to secure datagram-based applications against eavesdropping, tampering, or message forgery. As a result of some misconfigured D/TLS implementations, attackers can abuse the protocol to launch D/TLS reflection/amplification DDoS attacks.
Tue, 16 Mar 2021 13:09:37 -0400 | Richard Hummel

Plex Media SSDP (PMSSDP) Reflection/Amplification DDoS Attack Mitigation Recommendations
https://www.netscout.com/blog/asert/plex-media-ssdp-pmssdp-reflectionamplification-ddos-attack
Amplified PMSSDP DDoS attack traffic consists of SSDP HTTP/U responses sourced from UDP port 32414 and/or UDP port 32410 on abusable Plex Media Server instances and directed towards the attack target(s); each amplified response packet ranges from 52 to 281 bytes in size, for an average amplification factor of ~4.68:1.
Thu, 04 Feb 2021 08:39:33 -0500 | Richard Hummel

Crossing the 10 Million Mark: DDoS Attacks in 2020
https://www.netscout.com/blog/asert/crossing-10-million-mark-ddos-attacks-2020
For the first time, we observed DDoS attacks rise above 10 million annually in 2020, nearly 1.6 million more attacks than seen in 2019.
Tue, 26 Jan 2021 09:02:00 -0500 | Richard Hummel

Microsoft Remote Desktop Protocol (RDP) Reflection/Amplification DDoS Attack Mitigation Recommendations - January 2021
https://www.netscout.com/blog/asert/microsoft-remote-desktop-protocol-rdp-reflectionamplification
Recently observed DDoS attacks leverage abusable Microsoft RDP services to launch UDP reflection/amplification attacks with an 85.9:1 amplification factor.
Wed, 20 Jan 2021 16:21:57 -0500 | Richard Hummel

Lazarus Bear Armada DDoS Extortion Campaign — December 2020
https://www.netscout.com/blog/asert/lazarus-bear-armada-ddos-extortion-campaign-december-2020
DDoS Extortion Update: As previously reported, a relatively prolific threat actor initiated a global campaign of DDoS extortion attacks in mid-August 2020, largely directed towards regional financial and travel-industry targets such as regional banks, stock exchanges, travel agencies, currency exchanges, and, in some cases, their upstream internet transit providers. Read this latest update.
Tue, 29 Dec 2020 18:00:00 -0500 | Richard Hummel

Dropping the Anchor
https://www.netscout.com/blog/asert/dropping-anchor
Trickbot has long been one of the key banking malware families in the wild. Despite recent disruption events, the operators continue to drive forward with the malware and have recently begun porting portions of its code to the Linux operating system.
Mon, 26 Oct 2020 13:47:50 -0400 | Richard Hummel

High-Profile DDoS Extortion Attacks — September 2020
https://www.netscout.com/blog/asert/high-profile-ddos-extortion-attacks-september-2020
Starting in mid-August 2020, a relatively prolific threat actor initiated a global campaign of DDoS extortion attacks largely directed towards regional financial and travel-industry targets such as regional banks, stock exchanges, travel agencies, currency exchanges, and, in some cases, their upstream internet transit providers.
Thu, 03 Sep 2020 08:24:01 -0400 | Richard Hummel

Lucifer’s Spawn
https://www.netscout.com/blog/asert/lucifers-spawn
ASERT researchers have uncovered new information about Lucifer, a cryptojacking and distributed denial of service (DDoS) bot originally found to exploit and run on Windows-based systems.
Wed, 19 Aug 2020 09:19:08 -0400 | Richard Hummel

Last Week in DDoS...
https://www.netscout.com/blog/asert/last-week-ddos
By all indications, the events of last week have brought the importance of DDoS defense into focus for many individuals and organizations. DDoS attacks aren’t something to be taken lightly...
Tue, 23 Jun 2020 12:46:27 -0400 | Richard Hummel

UK in Focus
https://www.netscout.com/blog/asert/uk-focus
Summary: Based on a case study in our most recent blog, the observed global DDoS attack count (frequency), bandwidth (BPS), and throughput (PPS) all saw significant increases since the start of the global COVID-19 pandemic in mid-March. Focusing in at a country level – in this case, the UK – we see that attacks have...
Fri, 12 Jun 2020 09:00:00 -0400 | Richard Hummel

Measuring the Cruellest Month
https://www.netscout.com/blog/asert/measuring-cruellest-month
Summary: One of the more esoteric aspects of working in the DDoS defense space is the analysis of data. We look at data about attack bandwidth (bps) and throughput (pps); connections per second (cps) and queries per second (qps); source and destination CIDRs and ASNs; mitigation capacities and attack vectors...
Tue, 21 Apr 2020 09:23:07 -0400 | Richard Hummel

Evolution of a New DDoS Technique
https://www.netscout.com/blog/asert/evolution-new-ddos-technique
Summary: In October of 2019, high-impact TCP reflection/amplification DDoS attacks hit organizations in Scandinavia and Southern Europe. These attacks leveraged servers belonging to organizations unaffiliated with the actual targets of the attack, which were running well-known services such as telnet, HTTP, HTTPS, SMB...
Thu, 02 Apr 2020 12:12:07 -0400 | Richard Hummel

Availability in the Time of COVID-19
https://www.netscout.com/blog/asert/availability-time-covid-19
Overview: The self-quarantine and social distancing guidance provided by governments around the world in response to the COVID-19 pandemic is leading to a rapid and wholesale switch to remote work for many organizations and significant populations of their employees worldwide. To varying degrees, organizations have been...
Fri, 20 Mar 2020 10:16:56 -0400 | Richard Hummel

NETSCOUT Threat Intelligence Report—Powered by ATLAS
https://www.netscout.com/blog/asert/netscout-threat-intelligence-report-powered-atlas
8.4 MILLION: that is the number of DDoS attacks NETSCOUT Threat Intelligence saw last year alone, more than 23,000 attacks per day, 16 every minute.
Tue, 18 Feb 2020 08:28:16 -0500 | Richard Hummel

DDoS Attack Vectors Live or Die
https://www.netscout.com/blog/asert/ddos-attack-vectors-live-or-die
Executive Summary: Dozens of known attack vectors, ranging from obscure or little-used protocols (Citrix-ICA) to very common and widely used protocols (DNS and NTP), give DDoS attackers a smorgasbord of available vectors to choose from. Some of these vectors are relatively new, such as ARMS, COAP, and WS-DD (as noted in...
Tue, 04 Feb 2020 09:43:13 -0500 | Richard Hummel

Nation State APT & The Business World
https://www.netscout.com/blog/asert/nation-state-apt-business-world
A recent article, which NETSCOUT had the opportunity to participate in, highlights the importance the corporate world holds for Nation State APT adversaries. As the article duly notes, there used to be a handful of countries publicly named for acts of cyber espionage spanning across borders. The reality today is that any nation can, and does, incorporate its own methods of cyber warfare, ranging from simple spam messaging to sophisticated, custom malware capable of evading even the best anti-virus signatures in existence.
Mon, 16 Dec 2019 14:12:49 -0500 | Richard Hummel

Emotet - What's Changed?
https://www.netscout.com/blog/asert/emotet-whats-changed
Executive Summary: Emotet, a banking trojan turned downloader, continues to make waves in the downloader scene despite recent hibernations. Emotet is a modular malware, first reported in 2014 as a banking trojan, that quickly evolved into its current modular form, which supports everything from spamming to theft of emails...
Tue, 05 Nov 2019 13:03:23 -0500 | Richard Hummel

Air APT
https://www.netscout.com/blog/asert/air-apt
Executive Summary: Airlines and the airport industry in general are highly lucrative targets for APT groups; they are rife with information that other countries would find useful. NETSCOUT data from 2019 shows airport and airline targeting remains strong and steady, with Russian, Chinese, and Iranian APT groups...
Thu, 12 Sep 2019 09:08:01 -0400 | Richard Hummel

NETSCOUT Threat Intelligence Report
https://www.netscout.com/blog/asert/netscout-threat-intelligence-report
"It’s hard to express the scale of today’s cyber threat landscape, let alone its global impact." - Hardik Modi, Senior Director of Threat Intelligence. Executive Summary: In the past six months, there were nearly four million DDoS attacks around the world, and attack frequency grew by 39 percent in the first half of...
Mon, 05 Aug 2019 05:46:48 -0400 | Richard Hummel

A Call to ARMS: Apple Remote Management Service UDP Reflection/Amplification DDoS Attacks
https://www.netscout.com/blog/asert/call-arms-apple-remote-management-service-udp
Key Takeaways: - A new UDP reflection/amplification DDoS vector is observed in the wild. - The surprising nature of the abusable reflectors/amplifiers. - Recommended DDoS Defense and Best Current Practices (BCPs) for ARMS.
Wed, 26 Jun 2019 17:00:00 -0400 | ASERT Team

Realtek SDK Exploits on the Rise from Egypt
https://www.netscout.com/blog/asert/realtek-sdk-exploits-rise-egypt
Executive Summary: ASERT’s IoT honeypot network continuously monitors known exploit vectors, and we recently detected a spike in exploit attempts targeting the Realtek SDK miniigd SOAP vulnerability in consumer-based routers from the end of April 2019 until the first half of May 2019. The attacks originated from Egypt...
Wed, 29 May 2019 12:29:24 -0400 | Richard Hummel

LUCKY ELEPHANT Campaign Masquerading
https://www.netscout.com/blog/asert/lucky-elephant-campaign-masquerading
In early March 2019, ASERT researchers uncovered a credential harvesting campaign targeting mostly South Asian governments. The actors behind this campaign, whom we call LUCKY ELEPHANT, use doppelganger webpages to mimic legitimate entities such as foreign governments, telecommunications, and military.
Fri, 22 Mar 2019 14:20:46 -0400 | Jill Sopko

Introducing the NETSCOUT Threat Intelligence Report – Findings from Second Half 2018
https://www.netscout.com/blog/asert/introducing-netscout-threat-intelligence-report-findings-second
NETSCOUT Threat Intelligence Report - Security Findings from Second Half 2018. Special Report powered by ATLAS.
Wed, 27 Feb 2019 14:00:00 -0500 | Hardik Modi

IoT Exploits: Around The World In 120 Days
https://www.netscout.com/blog/asert/iot-exploits-around-world-120-days
Internet of Things (IoT) botnets commonly propagate by exploiting vulnerabilities in IoT devices. Telemetry from our IoT honeypots shows that the number of exploit attempts originating from bots continues to increase.
Thu, 07 Feb 2019 13:56:02 -0500 | ASERT Team

CoAP Attacks In The Wild
https://www.netscout.com/blog/asert/coap-attacks-wild
Attackers have recently begun launching CoAP reflection/amplification DDoS attacks. CoAP is a protocol primarily used today by mobile phones in China, but its use is expected to grow with the explosion of Internet of Things (IoT) devices.
Thu, 31 Jan 2019 10:00:00 -0500 | ASERT Team

LoJax: Fancy since 2016
https://www.netscout.com/blog/asert/lojax-fancy-2016
In May of last year, ASERT researchers reported on LoJax, a double-agent leveraging legitimate software to phone home to malicious command and control (C2) servers. Since the publication of our research, we’ve monitored a number of new malware samples.
Wed, 16 Jan 2019 09:50:26 -0500 | ASERT Team

Danabot's Travels, A Global Perspective
https://www.netscout.com/blog/asert/danabots-travels-global-perspective
First discovered in May of 2018, Danabot is a Delphi-written banking trojan that has been under active development throughout the year.
Wed, 19 Dec 2018 10:00:48 -0500 | ASERT Team

Fast & Furious IoT Botnets: Regifting Exploits
https://www.netscout.com/blog/asert/fast-furious-iot-botnets-regifting-exploits
Internet of Things (IoT) botnet authors are adapting to a shift towards more secure IoT devices, which has diverted attackers’ focus to exploiting vulnerabilities in IoT devices, either to supplement brute-forcing of factory default passwords or to supplant it completely.
Wed, 12 Dec 2018 10:01:19 -0500 | ASERT Team

STOLEN PENCIL Campaign Targets Academia
https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia
ASERT has learned of an APT campaign, possibly originating from DPRK, that we are calling STOLEN PENCIL and that has been targeting academic institutions since at least May 2018.
Wed, 05 Dec 2018 10:00:06 -0500 | ASERT Team

Mirai: Not Just for IoT Anymore
https://www.netscout.com/blog/asert/mirai-not-just-iot-anymore
Botmasters have taken the lessons from developing Internet of Things (IoT) malware and shifted their focus to targeting commodity Linux servers.
Wed, 21 Nov 2018 09:59:13 -0500 | ASERT Team

Dipping Into The Honeypot
https://www.netscout.com/blog/asert/dipping-honeypot
Brute-forcing factory default usernames and passwords remains a winning strategy for Internet of Things (IoT) botnet propagation.
Tue, 23 Oct 2018 08:59:43 -0400 | ASERT Team

Tunneling Under the Sands
https://www.netscout.com/blog/asert/tunneling-under-sands
ASERT recently came across spear-phishing emails targeting the Office of the First Deputy Prime Minister of Bahrain.
Fri, 14 Sep 2018 18:13:28 -0400 | ASERT Team

Double the Infection, Double the Fun
https://www.netscout.com/blog/asert/double-infection-double-fun
Executive Summary: Cobalt Group (aka TEMP.Metastrike), active since at least late 2016, has been suspected in attacks across dozens of countries. The group primarily targets financial organizations, often with the use of ATM malware. Researchers also believe they are responsible for a series of attacks on the SWIFT...
Thu, 30 Aug 2018 11:54:53 -0400 | ASERT Team

A New Twist In SSDP Attacks
https://www.netscout.com/blog/asert/new-twist-ssdp-attacks
Arbor ASERT has uncovered a new class of SSDP abuse where naïve devices will respond to SSDP reflection/amplification attacks with a non-standard port. The resulting flood of UDP packets has ephemeral source and destination ports, making mitigation more difficult - an SSDP diffraction attack. This behavior appears to...
Wed, 27 Jun 2018 12:10:57 -0400 | ASERT Team

Kardon Loader Looks for Beta Testers
https://www.netscout.com/blog/asert/kardon-loader-looks-beta-testers
Key Findings: ASERT researchers discovered Kardon Loader being advertised on underground forums. Kardon Loader features functionality allowing customers to open their own botshop, which grants the purchaser the ability to rebuild the bot and sell access to others. Kardon Loader is in early stages of development, public...
Tue, 19 Jun 2018 12:00:34 -0400 | ASERT Team

OMG - Mirai Minions are Wicked
https://www.netscout.com/blog/asert/omg-mirai-minions-are-wicked
Executive Summary: Mirai, seen as revolutionary for malware that targets the Internet of Things (IoT), has wrought destruction around the globe and popularized IoT-based malware. Mirai was utilized by attackers to launch multiple high-profile, high-impact DDoS attacks against various Internet properties and services in...
Thu, 31 May 2018 13:24:33 -0400 | ASERT Team

The Importance of Being Accurate: SSDP Diffraction Attacks, UDP Refraction Attacks, and UPnP NAT Bypass
https://www.netscout.com/blog/asert/importance-being-accurate-ssdp-diffraction-attacks-udp
Written by Roland Dobbins, ASERT Principal Engineer & Matt Bing, ASERT Security Analyst. In this article: SSDP Diffraction Attacks aren’t new; they’ve been observed in the wild since 2015. ‘Evasive Amplification’ attacks aren’t. UPnP NAT Bypass is real. SSDP Diffraction Attacks - Targeting ISP and Enterprise Networks...
Tue, 22 May 2018 14:52:26 -0400

Lojack Becomes a Double-Agent
https://www.netscout.com/blog/asert/lojack-becomes-double-agent
Executive Summary: ASERT recently discovered Lojack agents containing malicious C2s. These hijacked agents pointed to suspected Fancy Bear (a.k.a. APT28, Pawn Storm) domains. The InfoSec community and the U.S. government have both attributed Fancy Bear activity to Russian espionage activity. Fancy Bear actors typically...
Tue, 01 May 2018 09:44:30 -0400 | ASERT Team

Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files
https://www.netscout.com/blog/asert/innaput-actors-utilize-remote-access-trojan-2016-presumably
Overview: ASERT recently identified a campaign targeting commercial manufacturing in the US and potentially Europe in late 2017. The threat actors used phishing and downloader(s) to install a Remote Access Trojan (RAT) ASERT calls InnaputRAT on the target's machine. The RAT contained a series of commands that includes...
Wed, 04 Apr 2018 16:02:23 -0400 | ASERT Team

Panda Banker Zeros in on Japanese Targets
https://www.netscout.com/blog/asert/panda-banker-zeros-japanese-targets
Key Findings: A threat actor using the well-known banking malware Panda Banker (a.k.a. Zeus Panda, PandaBot) has started targeting financial institutions in Japan. Based on our data and analysis, this is the first time that we have seen Panda Banker injects targeting Japanese organizations. It is likely a new campaign or...
Tue, 27 Mar 2018 17:25:40 -0400 | ASERT Team

Donot Team Leverages New Framework
https://www.netscout.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia
Authors: Dennis Schwarz and Jill Sopko. Special thanks to Richard Hummel and Hardik Modi for their contributions on this post. Figure 1: Pakistan-themed decoy document. Key Findings: ASERT discovered a new modular malware framework, which we call yty, that focuses on file collection, screenshots, and keylogging. We believe the...
Thu, 08 Mar 2018 09:39:42 -0500 | ASERT Team

NETSCOUT Arbor Confirms 1.7 Tbps DDoS Attack; The Terabit Attack Era Is Upon Us
https://www.netscout.com/blog/asert/netscout-arbor-confirms-17-tbps-ddos-attack-terabit-attack-era
Last week, after Akamai confirmed a 1.3Tbps DDoS attack against Github, I published a blog that looked at the last five years of reflection/amplification attack innovation. I hope that it provides a helpful backgrounder on how we got here to the terabit attack era.
Mon, 05 Mar 2018 12:34:31 -0500 | Carlos Morales

1 Terabit DDoS Attacks Become a Reality; Reflecting on Five Years of Reflections
https://www.netscout.com/blog/asert/1-terabit-ddos-attacks-become-reality-reflecting-five-years
Special thanks to Hardik Modi, Steve Siadak and Roland Dobbins for their contributions on this post. Reflection amplification is a technique that allows cyber attackers to both magnify the amount of malicious traffic they can generate and obfuscate the sources of that attack traffic. For the past five years, this...
Thu, 01 Mar 2018 14:24:40 -0500 | Carlos Morales

memcached Reflection/Amplification Description and DDoS Attack Mitigation Recommendations
https://www.netscout.com/blog/asert/memcached-reflectionamplification-description-and-ddos-attack
ASERT Threat Summary: memcached Reflection/Amplification Description and DDoS Attack Mitigation Recommendations. Date/Time: 27022018 2325UTC. Title/Number: memcached Reflection/Amplification Description and DDoS Attack Mitigation Recommendations - February 2018 - v1.4. Severity: Critical. Distribution: TLP WHITE (see...
Tue, 27 Feb 2018 11:08:24 -0500

Musical Chairs Playing Tetris
https://www.netscout.com/blog/asert/musical-chairs-playing-tetris
February 20, 2018: This blog has been amended since it was originally published on February 15, 2018. This version removes the association with the APT group responsible for the Night Dragon campaign that we had incorrectly made. We thank the research team at Palo Alto Networks for graciously bringing this to our...
Thu, 15 Feb 2018 16:23:40 -0500 | ASERT Team

The ARC of Satori
https://www.netscout.com/blog/asert/arc-satori
Authors: Pete Arzamendi, Matt Bing, and Kirk Soluk. Satori, the heir-apparent to the infamous IoT malware Mirai, was discovered by researchers in December 2017. The word "satori" means "enlightenment" or "understanding" in Japanese, but the evolution of the Satori malware has brought anything but clarity. Each new...
Thu, 18 Jan 2018 21:03:24 -0500 | ASERT Team

MedusaHTTP DDoS Slithers Back into the Spotlight
https://www.netscout.com/blog/asert/medusahttp-ddos-slithers-back-spotlight
Executive Summary: MedusaHTTP is an HTTP-based DDoS botnet written in .NET that surfaced in early 2017. MedusaHTTP is based on MedusaIRC, which leveraged IRC for its command and control communications instead of HTTP. The MedusaIRC botnet has been advertised on various underground hacker marketplaces since 2015, while...
Mon, 18 Dec 2017 10:00:20 -0500 | ASERT Team

Reaper Madness
https://www.netscout.com/blog/asert/reaper-madness
On October 19th, a team of security researchers warned of a new IoT botnet that had already infected “an estimated million organizations” and that was poised to “take down the internet”. This report was subsequently picked up by the press and spread quickly via social media. ASERT has been actively analyzing the Reaper...
Thu, 26 Oct 2017 09:42:29 -0400 | ASERT Team

SnatchLoader Reloaded
https://www.netscout.com/blog/asert/snatchloader-reloaded
Executive Summary: SnatchLoader is a “downloader” malware, a type of malware that specializes in distributing (or loading) other malware onto infected computers. We first started seeing it in the wild around January 2017, but after a few months it went dormant. Recently, development of the malware has picked up again and...
Wed, 25 Oct 2017 14:01:32 -0400 | ASERT Team

The Flusihoc Dynasty, A Long Standing DDoS Botnet
https://www.netscout.com/blog/asert/flusihoc-dynasty-long-standing-ddos-botnet
Since 2015, ASERT has observed and followed a DDoS botnet named Flusihoc. To date, very little has been published about this family, despite numerous anti-virus and intrusion detection signatures created by various vendors. Flusihoc has remained persistent with multiple variants, over 500 unique samples in our malware...
Tue, 03 Oct 2017 13:56:51 -0400 | ASERT Team

The Formidable FormBook Form Grabber
https://www.netscout.com/blog/asert/formidable-formbook-form-grabber
More and more, we’ve been seeing references to a malware family known as FormBook. Per its advertisements, it is an infostealer that steals form data from various web browsers and other applications. It is also a keylogger and can take screenshots. The malware code is complicated, busy, and fairly obfuscated; there are...
Wed, 20 Sep 2017 09:20:52 -0400 | ASERT Team

Down to the WireX
https://www.netscout.com/blog/asert/down-wirex
Over the course of the last few weeks, a botnet comprised mainly of Android mobile devices has been utilized to launch a high-impact DDoS extortion campaign against multiple organizations in the travel and hospitality sector. This botnet, dubbed ‘WireX’, is only the second mobile botnet to have been confirmed to date...
Thu, 31 Aug 2017 11:18:00 -0400

LockPoS Joins the Flock
https://www.netscout.com/blog/asert/lockpos-joins-flock
While revisiting a Flokibot campaign that was targeting point of sale (PoS) systems in Brazil earlier this year, we discovered something interesting. One of the command and control (C2) servers that had been dormant for quite some time had suddenly woken up and started distributing what looks to be a new PoS malware...
Wed, 12 Jul 2017 08:11:56 -0400 | ASERT Team

Patching Not Enough to Stop Petya
https://www.netscout.com/blog/asert/patching-not-enough-stop-petya
Voluminous amounts of information have already been disseminated regarding the “Petya” (or is it “NotPetya”? [1]) ransomware that hit the Ukraine hard [2] along with organizations such as “the American pharmaceutical giant Merck, the Danish shipping company AP Moller-Maersk, the British advertising firm WPP, Saint...
Tue, 27 Jun 2017 20:30:01 -0400

Pivoting off Hidden Cobra Indicators
https://www.netscout.com/blog/asert/pivoting-hidden-cobra-indicators
On June 13th 2017, US-CERT issued a joint Technical Alert (TA17-164A) entitled Hidden Cobra – North Korea’s DDoS Botnet Infrastructure. The alert, which was the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), included a list of IP addresses “linked...
Sun, 18 Jun 2017 18:05:56 -0400

Another Banker Enters the Matrix
https://www.netscout.com/blog/asert/another-banker-enters-matrix
This post takes a look at a new banking malware that has, so far, been targeting financial institutions in Latin America, specifically Mexico and Peru. Initially, we called it “Matrix Banker” based on its command and control (C2) login panel, but it seems that “Matrix Admin” is a template available for the Bootstrap...
Fri, 09 Jun 2017 09:37:16 -0400 | ASERT Team

Zyklon Season
https://www.netscout.com/blog/asert/zyklon-season
The ASERT research team has recently done some work reverse engineering a family of malware called "Zyklon H.T.T.P." that is written using the .Net framework. Zyklon (German for “cyclone”) is a large, multi-purpose trojan that includes support for a variety of malicious activities, including several different forms of...
Thu, 25 May 2017 10:21:32 -0400 | ASERT Team

WannaCry
https://www.netscout.com/blog/asert/wannacry
Information regarding the WannaCry ransomware is spreading as quickly as the malware itself and is expected to do so throughout the weekend. This blog provides some information from our malware processing system that may, or may not be, available elsewhere. The WannaCry ransomware propagates by exploiting a remote code...
Sat, 13 May 2017 01:12:53 -0400 | ASERT Team

Greenbug’s DNS-isms
https://www.netscout.com/blog/asert/greenbugs-dns-isms
Over the past few months there has been a lot of research and press coverage on the Shamoon campaigns. These have been the attacks on Saudi Arabian companies where a destructive malware known as Disttrack was deployed. The malware, using stolen credentials, spreads throughout the targeted networks and then at a set...
Mon, 01 May 2017 11:55:37 -0400 | ASERT Team

Observed Spike in DDoS Attacks Targeting Hong Kong
https://www.netscout.com/blog/asert/observed-spike-ddos-attacks-targeting-hong-kong
Introduction: Each week ASERT produces a weekly threat intelligence bulletin for Arbor customers. In addition to providing insights into the week's security news and reviewing ASERT's threat research activities, we also summarize the week's DDoS attack data as reported by over 330 global Internet Service Providers that...
Sun, 23 Apr 2017 20:39:41 -0400 | ASERT Team

Acronym: M is for Malware
https://www.netscout.com/blog/asert/acronym-m-malware
A malware researcher known as Antelox recently tweeted about an unknown malware sample that caught our eye.
Upon further investigation, it is a modular malware known as Acronym and could possibly be associated with the Win32/Potao malware family and the Operation Potao Express campaign. This post takes a look at our... Wed, 15 Mar 2017 09:00:19 -0400 ASERT Team https://www.netscout.com/blog/asert/acronym-m-malware Change All Your Passwords, Right Now! https://www.netscout.com/blog/asert/change-all-your-passwords-right-now by Steinthor Bjarnason, Senior ASERT Security Analyst & Roland Dobbins, ASERT Principal Engineer CloudFlare are probably best known as a DDoS mitigation service provider, but they also operate one of the largest Content Delivery Networks (CDNs) on the Internet. Many popular Web sites, mobile apps, etc. make use of the... Fri, 24 Feb 2017 13:09:03 -0500 ASERT Team https://www.netscout.com/blog/asert/change-all-your-passwords-right-now Additional Insights on Shamoon2 https://www.netscout.com/blog/asert/additional-insights-shamoon2 IBM analysts recently unveiled a first look at how threat actors may have placed Shamoon2 malware on systems in Saudi Arabia. Researchers showcased a potential malware lifecycle which started with spear phishing and eventually led to the deployment of the disk-wiping malware known as Shamoon. Their research showcased a... Tue, 21 Feb 2017 17:19:46 -0500 ASERT Team https://www.netscout.com/blog/asert/additional-insights-shamoon2 Non-Government Organization in Support of Government Hopes https://www.netscout.com/blog/asert/non-government-organization-support-government-hopes Red Team analysis is the process of viewing a situation from the perspective of an adversary thus providing insights beyond those that might otherwise be limited by normative biases. 
Thu, 22 Dec 2016 13:22:13 -0500 ASERT Team https://www.netscout.com/blog/asert/non-government-organization-support-government-hopes Dismantling a Nuclear Bot https://www.netscout.com/blog/asert/dismantling-nuclear-bot A recent tweet mentioned that a new banking malware called “Nuclear Bot” has started to appear for sale on underground marketplaces. Its price starts around $2500 which is more than double the price of another recent entry to the marke Mon, 19 Dec 2016 14:54:48 -0500 ASERT Team https://www.netscout.com/blog/asert/dismantling-nuclear-bot On the Economics, Propagation, and Mitigation of Mirai https://www.netscout.com/blog/asert/economics-propagation-and-mitigation-mirai In late November of 2016, a new Mirai variant emerged that leveraged a propagation mechanism different from the Telnet-based brute forcing mechanism originally provided in the leaked Mirai source code. Wed, 14 Dec 2016 15:46:00 -0500 ASERT Team https://www.netscout.com/blog/asert/economics-propagation-and-mitigation-mirai Analysis of CryptFile2 Ransomware Server https://www.netscout.com/blog/asert/analysis-cryptfile2-ransomware-server This report describes several elements of a ransomware staging system using the Nemucod malware to deliver CryptFile2 (aka Hydracrypt.A and Win32/Filecoder.HydraCrypt.C) ransomware, an ongoing threat since at least mid-March of 2016. This report reveals TTP’s (tactics, techniques, procedures) of threat actors... Wed, 14 Dec 2016 12:07:41 -0500 ASERT Team https://www.netscout.com/blog/asert/analysis-cryptfile2-ransomware-server Diving Into Buhtrap Banking Trojan Activity https://www.netscout.com/blog/asert/diving-buhtrap-banking-trojan-activity Cyphort recently published an article about the Buhtrap banking trojan [https://www.cyphort.com/banking-malware-buhtrap-caught-action/], targeting users of Russian and Ukrainian banks as reported in March of 2016 by Group-IB [http://www.group-ib.com/brochures/gib-buhtrap-report.pdf]. Cyphort’s insightful article... 
Mon, 21 Nov 2016 13:35:01 -0500 ASERT Team https://www.netscout.com/blog/asert/diving-buhtrap-banking-trojan-activity FlokiBot: A Flock of Bots? https://www.netscout.com/blog/asert/flokibot-flock-bots In early October, Flashpoint released an analysis of an underground forum advertisement for a new malware family known as FlokiBot. It took some time before a sample was found in the wild, but a researcher known as hasherezade flagged one on VirusTotal in early November. She also wrote an analysis of its dropper here... Mon, 21 Nov 2016 11:50:47 -0500 ASERT Team https://www.netscout.com/blog/asert/flokibot-flock-bots Flying Dragon Eye: Uyghur Themed Threat Activity https://www.netscout.com/blog/asert/flying-dragon-eye-uyghur-themed-threat-activity-0 DOWNLOAD FULL REPORT HERE DOWNLOAD INDICATORS OF COMPROMISE (IOCs) HERE This paper documents attempted exploitation activity aimed at Uyghur interests outside of China. Exploitation is being attempted via the usual tactic of spear phishing containing malicious attachments to targets. The exploit code attached used for... 
Tue, 01 Nov 2016 14:42:21 -0400 ASERT Team https://www.netscout.com/blog/asert/flying-dragon-eye-uyghur-themed-threat-activity-0 Mirai IoT Botnet Description and DDoS Attack Mitigation https://www.netscout.com/blog/asert/mirai-iot-botnet-description-and-ddos-attack-mitigation Since its inception in August of 2016, the Mirai ‘Internet-of-Things’ (IoT) botnet, comprised largely of internet-enabled digital video recorders (DVRs), surveillance cameras, and other Internet-enabled embedded devices, has been utilized by attackers to launch multiple high-profile, high-impact DDoS attacks against various Internet properties and services Wed, 26 Oct 2016 14:55:18 -0400 https://www.netscout.com/blog/asert/mirai-iot-botnet-description-and-ddos-attack-mitigation TrickBot Banker Insights https://www.netscout.com/blog/asert/trickbot-banker-insights A new banking trojan, TrickBot, has seemingly risen from the ashes left behind by the November 2015 takedown of Dyreza/Dyre infrastructure and the arrests of threat actors identified by Russian authorities. Dyreza was used to target customers of over 1000 U.S. and U.K. banks and other companies during the peak of operations. Tue, 25 Oct 2016 16:17:01 -0400 ASERT Team https://www.netscout.com/blog/asert/trickbot-banker-insights How to create a Full Packet Capture https://www.netscout.com/blog/asert/how-create-full-packet-capture Once you’ve decided that you’d like to start doing full packet capture, You may well ask how? Learn about these basic steps in performing full packet captures. Tue, 19 Feb 2013 08:39:00 -0500 https://www.netscout.com/blog/asert/how-create-full-packet-capture DDoS Attacks on SSL: Something Old, Something New https://www.netscout.com/blog/asert/ddos-attacks-ssl-something-old-something-new SSL (or TLS) secures web services such as banking, online purchases, email and remote access. 
Popular services such as Twitter, Hotmail and Facebook are increasingly migrating to SSL to improve security and address privacy concerns. As more transactions and services are protected by SSL, DDoS attacks on SSL secured... Tue, 24 Apr 2012 08:40:43 -0400 https://www.netscout.com/blog/asert/ddos-attacks-ssl-something-old-something-new Attack of the Shuriken: Many Hands, Many Weapons https://www.netscout.com/blog/asert/attack-shuriken-many-hands-many-weapons A visual sample of Distributed Denial of Service (DDoS or DoS) attack tools & services compiled by Curt Wilson - Research Analyst, Arbor Networks ASERT There are a variety of popular Denial of Service attack tools that have received a fair amount of attention by the security research community, but there are many other... Tue, 07 Feb 2012 09:18:09 -0500 ASERT Team https://www.netscout.com/blog/asert/attack-shuriken-many-hands-many-weapons IPv6 Fragmentation https://www.netscout.com/blog/asert/ipv6-fragmentation Fragmentation has been a frequent source of security vulnerabilities in IPv4, and for good reason. With fragmented IPv4 packets, the layer 4 header information is not available in the second through the last fragment. The process of fragmentation and fragment reassembly can create unexpected and harmful behaviors in... Mon, 25 Jul 2011 09:51:08 -0400 ASERT Team https://www.netscout.com/blog/asert/ipv6-fragmentation
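The IPv6 Fragmentation summary above rests on one concrete fact: in a fragmented IPv4 datagram only the first fragment carries the layer 4 header, so a stateless filter that matches on TCP or UDP ports has nothing to match in the second through last fragments. The example below is added here to make that blind spot visible; it is not code from the ASERT post. It builds an IPv4/TCP SYN by hand, fragments it for a small MTU, runs a per-fragment port lookup over each piece, and then reassembles the fragments (delivered out of order) so the same lookup sees the whole datagram. Addresses (10.0.0.1 and 10.0.0.2), the destination port (23), the identification value and all function names are constructed for the demonstration; no packets are sent.

```python
"""Added example, not code from the ASERT post: why a stateless IPv4 filter
cannot see layer-4 headers in non-first fragments, and how reassembly restores
them. All packets are constructed in memory; nothing touches the wire."""
import struct
from typing import Dict, List, Optional, Tuple

IPV4_HDR_LEN = 20
IPPROTO_TCP = 6
MF_FLAG = 0x2000        # 'more fragments' bit in the flags/fragment-offset field
OFFSET_MASK = 0x1FFF    # fragment offset, in 8-byte units


def build_ipv4(src: bytes, dst: bytes, proto: int, ident: int, payload: bytes,
               frag_offset: int = 0, more_fragments: bool = False) -> bytes:
    """Minimal 20-byte IPv4 header (no options, checksum left zero) + payload.
    frag_offset is in bytes and must be a multiple of 8, as the wire format requires."""
    assert frag_offset % 8 == 0
    flags_off = (MF_FLAG if more_fragments else 0) | (frag_offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + len(payload),
                      ident, flags_off, 64, proto, 0, src, dst)
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    vihl, _, total_len, ident, flags_off, _, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:IPV4_HDR_LEN])
    ihl = (vihl & 0x0F) * 4
    return {"src": src, "dst": dst, "ident": ident, "proto": proto,
            "more": bool(flags_off & MF_FLAG),
            "offset": (flags_off & OFFSET_MASK) * 8,
            "payload": pkt[ihl:total_len]}


def fragment(datagram: bytes, mtu: int) -> List[bytes]:
    """Split an unfragmented datagram into MTU-sized fragments. Every fragment
    gets a copy of the IP header, but only the first carries the TCP header."""
    ip = parse_ipv4(datagram)
    step = (mtu - IPV4_HDR_LEN) // 8 * 8          # fragment data must be 8-byte aligned
    frags = []
    for off in range(0, len(ip["payload"]), step):
        chunk = ip["payload"][off:off + step]
        more = off + step < len(ip["payload"])
        frags.append(build_ipv4(ip["src"], ip["dst"], ip["proto"], ip["ident"], chunk, off, more))
    return frags


def stateless_tcp_dport(pkt: bytes) -> Optional[int]:
    """What a per-packet (stateless) filter can learn about the TCP destination
    port. None means 'unknown': the fragment does not start at offset 0, so the
    TCP header is simply not there. A filter that treats unknown as 'allow' lets
    the rest of the datagram through; one that drops it breaks legitimate traffic."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != IPPROTO_TCP or ip["offset"] != 0 or len(ip["payload"]) < 4:
        return None
    return struct.unpack("!HH", ip["payload"][:4])[1]


class Reassembler:
    """Collects fragments per (src, dst, ident, proto) and returns the whole
    datagram once the fragments are contiguous and the last one has been seen."""

    def __init__(self) -> None:
        self.buckets: Dict[Tuple[bytes, bytes, int, int], Dict[int, bytes]] = {}
        self.total: Dict[Tuple[bytes, bytes, int, int], int] = {}

    def add(self, pkt: bytes) -> Optional[bytes]:
        ip = parse_ipv4(pkt)
        key = (ip["src"], ip["dst"], ip["ident"], ip["proto"])
        bucket = self.buckets.setdefault(key, {})
        bucket[ip["offset"]] = ip["payload"]
        if not ip["more"]:                        # the last fragment fixes the total length
            self.total[key] = ip["offset"] + len(ip["payload"])
        expected, parts = 0, []
        for off in sorted(bucket):                # gap check: offsets must be contiguous
            if off != expected:
                return None
            parts.append(bucket[off])
            expected += len(bucket[off])
        if self.total.get(key) != expected:
            return None
        del self.buckets[key], self.total[key]
        return build_ipv4(ip["src"], ip["dst"], ip["proto"], ip["ident"], b"".join(parts))


def demo(mtu: int = 68) -> Tuple[List[Optional[int]], Optional[int], int]:
    """Constructed sample: a TCP SYN to port 23 with 100 bytes of padding, from
    10.0.0.1 to 10.0.0.2, fragmented for the given MTU and delivered in reverse
    order. Returns (per-fragment port view, reassembled port view, fragment count)."""
    tcp_syn = struct.pack("!HHIIBBHHH", 40000, 23, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    datagram = build_ipv4(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), IPPROTO_TCP,
                          0x1234, tcp_syn + b"A" * 100)
    frags = fragment(datagram, mtu)
    per_fragment = [stateless_tcp_dport(f) for f in frags]
    reassembler, full = Reassembler(), None
    for f in reversed(frags):
        full = reassembler.add(f) or full
    return per_fragment, (stateless_tcp_dport(full) if full else None), len(frags)


if __name__ == "__main__":
    print(demo())   # ([23, None, None], 23, 3)
```

With the default MTU the 120-byte TCP payload becomes three fragments; the per-fragment view is `[23, None, None]`, so a port-based rule applied fragment by fragment sees the Telnet destination only once, while the reassembled datagram yields 23 again. That is the design point behind inspecting fragments statefully (reassemble, then filter) rather than per packet, and the reason the reassembler insists on contiguous offsets and a known total length before releasing anything.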