MySQL Servers, Docker Hosts Infected With DDoS Malware
Attackers are targeting MySQL servers and Docker hosts to plant malware capable of launching distributed denial-of-service (DDoS) attacks, according to a warning from researchers at the AhnLab Security Emergency Response Center.
According to AhnLab, attacks targeting MySQL servers on Windows have increased in frequency, with vulnerable servers infected with ‘Ddostf’, a DDoS botnet of Chinese origin that has been around since at least 2016.
Attackers, AhnLab warns, scan the internet for publicly accessible MySQL servers on TCP port 3306, then attempt to compromise them either with weak credentials or by exploiting known vulnerabilities.
Once authenticated, the attackers upload a malicious DLL into the server’s plugin directory and register it as a UDF (User-Defined Function) library with CREATE FUNCTION ... SONAME; the resulting functions let them execute OS commands in the context of the MySQL service, which they use to download and run the Ddostf malware.
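The two preconditions in that chain, a MySQL listener reachable from the internet and a server that will write an attacker-supplied file into its own plugin directory, can both be checked from the server's option file. The following is an added example written for this page, not AhnLab's tooling or anything shipped with MySQL; it assumes a single-file my.cnf with a [mysqld] section (no !includedir directives) and uses the real option names bind-address, skip-networking, plugin_dir and secure_file_priv. The two sample configurations are constructed, one weak and one corrected.

```python
"""Audit a MySQL option file for the exposure chain that lets an attacker
turn a network-reachable server into a UDF-based command shell:
  1. TCP/3306 bound to every interface (bind-address = 0.0.0.0 / *), and
  2. secure_file_priv empty, so an account holding the FILE privilege can
     SELECT ... INTO DUMPFILE a DLL/.so straight into plugin_dir and then
     load it with CREATE FUNCTION ... SONAME.

Added example for this page; the option names are real MySQL options, the
two my.cnf texts below are constructed.
"""
import configparser
import os.path

# Constructed: the shape of an internet-facing server as described in the article.
WEAK_CNF = """\
[mysqld]
bind-address     = 0.0.0.0
plugin_dir       = /usr/lib/mysql/plugin
secure_file_priv =
"""

# Constructed: the same server after hardening. secure_file_priv points at a
# directory that is NOT plugin_dir, so INTO DUMPFILE can no longer plant a UDF.
HARDENED_CNF = """\
[mysqld]
bind-address     = 127.0.0.1
plugin_dir       = /usr/lib/mysql/plugin
secure_file_priv = /var/lib/mysql-files
"""

ALL_INTERFACES = {"*", "0.0.0.0", "::"}


def parse_mysqld(cnf_text):
    """Return the [mysqld] options as a dict. MySQL treats '-' and '_' in
    option names as equivalent, so both spellings are folded to '_'."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(cnf_text)
    if "mysqld" not in cp:
        return {}
    return {k.replace("-", "_"): (v or "").strip() for k, v in cp["mysqld"].items()}


def audit(cnf_text):
    """Return a list of (severity, message) findings; an empty list means the
    two preconditions of the UDF attack are absent from the option file."""
    opts = parse_mysqld(cnf_text)
    findings = []

    # Precondition 1: a listener that the internet-wide scan for port 3306 can reach.
    if "skip_networking" not in opts:
        bind = opts.get("bind_address", "*")  # server default: all interfaces
        if bind in ALL_INTERFACES:
            findings.append(("HIGH", f"bind-address={bind}: port 3306 is reachable on every "
                                     f"interface; bind to 127.0.0.1 or an internal address"))

    # Precondition 2: the server will write files into the directory it loads plugins from.
    plugin_dir = os.path.normpath(opts.get("plugin_dir", "/usr/lib/mysql/plugin"))
    if "secure_file_priv" not in opts:
        findings.append(("MEDIUM", "secure_file_priv not set in the option file; the "
                                   "compiled-in default varies by build, confirm it with "
                                   "SHOW VARIABLES LIKE 'secure_file_priv'"))
    else:
        sfp = opts["secure_file_priv"]
        if sfp == "":
            findings.append(("HIGH", "secure_file_priv is empty: SELECT ... INTO DUMPFILE may "
                                     "write anywhere the server can, including plugin_dir"))
        elif os.path.normpath(sfp) == plugin_dir:
            findings.append(("HIGH", f"secure_file_priv equals plugin_dir ({plugin_dir}): "
                                     f"a dumped file is immediately loadable as a UDF"))
    return findings


if __name__ == "__main__":
    for label, cnf in (("weak", WEAK_CNF), ("hardened", HARDENED_CNF)):
        print(label, audit(cnf) or "no findings")
```

The option file is only half the picture: a UDF that has already been registered shows up in `SELECT name, dl FROM mysql.func`, and any entry there that nobody on the team recognises deserves the same scrutiny as the DLL it points at in plugin_dir.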
Targeting both Linux and Windows environments, Ddostf achieves persistence and then collects system information and sends it to the command-and-control (C&C) server. It then waits for commands to launch DDoS attacks such as SYN, UDP, and HTTP GET/POST floods.
“Although most of the commands supported by Ddostf are similar to those from typical DDoS bots, a distinctive feature of Ddostf is its ability to connect to a newly received address from the C&C server and execute commands there for a certain period,” AhnLab explained.
The malware appears to be designed solely for launching DDoS attacks and the researchers believe the threat actor is operating a DDoS-for-hire service.
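Of the flood types in that command list, the HTTP GET/POST floods are the one flavour an application team can see in its own access logs: one source, many requests per second, usually against a single URL. Below is an added example, not code from AhnLab or from the malware, that finds such sources in constructed Apache/nginx combined-format log lines using a sliding-window count per client address. The window size and threshold are assumptions to be tuned per site; SYN and UDP floods never reach the web server's log and need network-level telemetry instead.

```python
"""Flag HTTP GET/POST flood sources in web-server access logs.

Added example for this page. Input lines are in the Apache/nginx "combined"
format; the lines used here are constructed, the two client addresses are
documentation ranges (RFC 5737), and the window/threshold are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# "combined" format: ip ident user [time] "METHOD path PROTO" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, unix_second, method, path), or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], int(ts.timestamp()), m["method"], m["path"]


def find_floods(lines, window=10, threshold=100):
    """Return {ip: {"peak": n, "top_path": p, "top_path_share": f}} for every
    source whose request count inside some `window`-second sliding window
    reaches `threshold`. A flood bot tends to hammer one URL, so the share of
    the most-hit path is reported alongside the rate."""
    times = defaultdict(list)
    paths = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, t, _method, path = rec
        times[ip].append(t)
        paths[ip][path] += 1

    floods = {}
    for ip, ts in times.items():
        ts.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(ts):
            while ts[lo] <= t - window:   # drop requests older than the window
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            top_path, hits = paths[ip].most_common(1)[0]
            floods[ip] = {"peak": peak, "top_path": top_path,
                          "top_path_share": round(hits / len(ts), 2)}
    return floods


def _line(ip, second, method="GET", path="/"):
    """Build one constructed combined-format log line at 10:00:<second> UTC."""
    ts = datetime(2023, 11, 14, 10, 0, second, tzinfo=timezone.utc)
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] '
            f'"{method} {path} HTTP/1.1" 200 612 "-" "Mozilla/5.0"')


# Constructed sample: one browsing client, one bot sending 120 GETs for "/" in 4 s.
SAMPLE_LOG = (
    [_line("203.0.113.7", s, path=p)
     for s, p in ((0, "/"), (3, "/login"), (7, "/about"), (12, "/"), (20, "/contact"))]
    + [_line("198.51.100.9", 5 + i % 4) for i in range(120)]
)

if __name__ == "__main__":
    window = 10
    for ip, info in find_floods(SAMPLE_LOG, window=window).items():
        print(f"{ip}: peak {info['peak']} req/{window}s, "
              f"{info['top_path_share']:.0%} on {info['top_path']}")
```

A distributed flood defeats any per-address threshold by design, so in production the same sliding-window count is usually also run per URL and per autonomous system, and the per-address output is fed to a blocklist rather than read by hand.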
OracleIV DDoS-capable malware
Separately, Cado Security warns in a new report that Docker hosts are being targeted with the OracleIV DDoS malware via the Docker Engine API, the HTTP API through which the Docker daemon is managed.
Attackers scan for publicly exposed Docker Engine API instances (typically the daemon’s unauthenticated plain-HTTP listener on TCP port 2375) and use them to deploy a malicious container that hosts Python malware compiled into an ELF executable.
According to Cado, accidentally exposed Docker Engine API instances have been a popular target for attackers in recent years, especially for deploying cryptocurrency miners. “Once a valid endpoint is discovered, it’s trivial to pull a malicious image and launch a container from it to carry out any conceivable objective. Hosting the malicious container in Dockerhub, Docker’s container image library, streamlines this process even further,” the company said.
Cado observed attackers making HTTP POST requests to the API to pull a malicious image from Docker Hub and spawn a container from it. The image, Cado says, has over 3,000 pulls and appears to be updated regularly.
Baked into the image, OracleIV supports UDP, UDP_PPS, SSL, SYN, HTTP/GET and SLOW flood commands, although some of these functions do not work.
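The request sequence Cado describes leaves a trace on the host regardless of how the API was reached: the daemon emits an image pull event followed by container create and start events, which `docker events --format '{{json .}}'` prints as JSON lines. The following is an added example, not Cado's code and not anything shipped with Docker, that reads such lines and alerts on containers created or started from images that are not pinned by digest or do not come from an approved registry, which is how an attacker-chosen Docker Hub image like the one in the report would surface. The event records are constructed to follow the Docker events JSON layout (Type, Action, Actor.ID, Actor.Attributes), and the registry name and image names are assumptions.

```python
"""Alert on containers created or started from images you did not approve.

Added example for this page. The JSON lines mimic the output of
`docker events --format '{{json .}}'` (fields Type, Action, Actor.ID,
Actor.Attributes.image/name, time); every record, registry name and image
name below is constructed.
"""
import json
import re

# Assumption: the only registry this host is allowed to run images from.
ALLOWED_REGISTRIES = {"registry.internal.example"}

# An image reference is pinned when it ends in a full sha256 digest.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

# Constructed events: an approved, digest-pinned service, then the pattern from
# the article: a pull from Docker Hub followed by create + start of that image.
SAMPLE_EVENTS = """\
{"Type":"image","Action":"pull","Actor":{"ID":"registry.internal.example/app/web@sha256:4d9c3b1a8f2e7c6d5b4a39281706f5e4d3c2b1a0f9e8d7c6b5a4938271605f4e","Attributes":{"name":"registry.internal.example/app/web"}},"time":1699900000}
{"Type":"container","Action":"create","Actor":{"ID":"3f1c9b2e0a7d","Attributes":{"image":"registry.internal.example/app/web@sha256:4d9c3b1a8f2e7c6d5b4a39281706f5e4d3c2b1a0f9e8d7c6b5a4938271605f4e","name":"web"}},"time":1699900001}
{"Type":"container","Action":"start","Actor":{"ID":"3f1c9b2e0a7d","Attributes":{"image":"registry.internal.example/app/web@sha256:4d9c3b1a8f2e7c6d5b4a39281706f5e4d3c2b1a0f9e8d7c6b5a4938271605f4e","name":"web"}},"time":1699900002}
{"Type":"image","Action":"pull","Actor":{"ID":"someuser/ddosbot:latest","Attributes":{"name":"someuser/ddosbot"}},"time":1699900300}
{"Type":"container","Action":"create","Actor":{"ID":"9a8b7c6d5e4f","Attributes":{"image":"someuser/ddosbot:latest","name":"quirky_hopper"}},"time":1699900301}
{"Type":"container","Action":"start","Actor":{"ID":"9a8b7c6d5e4f","Attributes":{"image":"someuser/ddosbot:latest","name":"quirky_hopper"}},"time":1699900302}
"""


def split_registry(image_ref):
    """Return (registry, remainder) for an image reference, following the
    docker CLI rule: the first path component is a registry host only if it
    contains '.' or ':' or is 'localhost'; anything else is a Docker Hub
    user/org, so 'someuser/ddosbot:latest' resolves to docker.io."""
    first, sep, rest = image_ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first, rest
    return "docker.io", image_ref


def is_pinned(image_ref):
    return DIGEST_RE.search(image_ref) is not None


def check_events(jsonl, allowed=ALLOWED_REGISTRIES):
    """Return one alert dict per container create/start event whose image is
    unpinned or comes from a registry outside `allowed`."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("Type") != "container" or ev.get("Action") not in ("create", "start"):
            continue
        actor = ev.get("Actor", {})
        attrs = actor.get("Attributes", {})
        image = attrs.get("image", "")
        registry, _ = split_registry(image)
        reasons = []
        if registry not in allowed:
            reasons.append(f"image from unapproved registry {registry}")
        if not is_pinned(image):
            reasons.append("image not pinned by digest")
        if reasons:
            alerts.append({"time": ev.get("time"), "action": ev["Action"],
                           "container": actor.get("ID"), "name": attrs.get("name"),
                           "image": image, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in check_events(SAMPLE_EVENTS):
        print(f"{a['time']} {a['action']} {a['name']} ({a['image']}): {'; '.join(a['reasons'])}")
```

On a host, pipe `docker events --format '{{json .}}'` into the checker. An alert here is a symptom; the cause in the cases Cado describes is a daemon listening on a TCP port without client authentication, so the first fix is to keep the API on its Unix socket, or to require mutual TLS (`dockerd --tlsverify` with a client CA) for any TCP listener.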
The ransomware and data extortion group RansomedVC announced plans to shut down the project and sell parts of its infrastructure.
RansomedVC has only been around for a few months, operating under the ransomware-as-a-service (RaaS) business model. The group has listed more than 40 organizations on its leak site, demanding ransom payments of up to $1 million, depending on the victim’s size.
The group mainly focuses on organizations in Europe, but recently claimed responsibility for attacks on Sony and the District of Columbia Board of Elections (DCBOE). According to cybersecurity firm ZeroFox, the group started engaging in extortion activities in August.
On October 30, the RansomedVC operators announced on the group’s Telegram channel that they were ceasing operations, and have since closed the project’s leak websites.
However, the gang’s dark web forum, which has been used to manage the operation, remains active, supposedly to assist with the selling of assets and infrastructure, ZeroFox notes.
On its Telegram channel, the gang announced that it was selling its two leak websites and the dark web forum, social media accounts, an allegedly undetectable ransomware builder, malware source code, access to affiliate groups, the Telegram channel, VPN access to 11 victims, 37 databases, and a control panel for the file-encrypting malware.
Initially, the gang provided no explanation for the move, but a November 8 post revealed that six individuals associated with RansomedVC may have been arrested and that all 98 affiliates were immediately fired.
The RansomedVC shutdown, ZeroFox says, will likely have very little impact on the ransomware landscape, as affiliates are expected to migrate to other RaaS operations.
“Threat actors (not limited to extortion collectives) will likely be motivated to purchase the infrastructure to target victims, create spin-off extortion operations, or leverage for further malicious activity,” ZeroFox notes.
Operations at Major Australian Ports Significantly Disrupted by Cyberattack
DP World, Australia’s largest container terminal and supply chain operator, has been hit by a cyberattack that resulted in significant disruptions at several major Australian ports.
In response to the attack, DP World disconnected its systems from the internet and shut down land operations at ports in Sydney, Melbourne, Fremantle and Brisbane.
Ships can still unload their containers, but the incident has prevented freight from leaving the ports. The company can still retrieve sensitive freight from the ports if necessary, for instance in a medical emergency, according to Darren Goldie, Australia’s national cyber security coordinator.
The Australian government is assisting the shipping giant in restoring operations.
“DP World’s IT system remains disconnected from the internet, significantly impacting their operations in Brisbane, Sydney, Melbourne and Fremantle,” Goldie said on Sunday on X, formerly Twitter. “DP World today advised the Australian Government that the timeframe for interruptions to continue is likely to be a number of days, rather than weeks.”
DP World has not shared any details about the attack itself. Although shutting systems down is a common response to ransomware, The Sydney Morning Herald learned from a source that this was not a ransomware attack.
On the other hand, Kevin Beaumont, a well-known researcher, reported that it was in fact a ransomware attack and that the threat actor obtained initial access through the recently disclosed Citrix NetScaler vulnerability dubbed CitrixBleed (CVE-2023-4966), which has been widely exploited in the wild. Because CitrixBleed leaks session tokens from appliance memory, patching alone does not evict an attacker who already holds one; existing sessions have to be terminated as well.
It’s worth pointing out that organizations may say a cyberattack is not a ransomware attack if it does not involve file-encrypting malware. Several major ransomware operations now only steal valuable data from victims to convince them to pay a ransom.
“While I understand there is interest in determining who may be responsible for the cyber incident, our primary focus at this time remains on resolving the incident and supporting DP World to restore their operations,” Goldie said.
In Italy, cyberattacks grew 40% in the first half of 2023. The report
In the first half of 2023, cyberattacks in Italy grew 40% compared with the same period of the previous year.
That is the finding presented in the Clusit 2023 Report covering data for the first half of 2023, the most significant cyber incidents that occurred globally and in Italy in the first six months of the year, and the comparison with the previous four years.
Cyberattacks: +40% in 2023
According to the report, the monthly average, after registering fairly contained values in the first years of the analysis, rises from 15.7 attacks per month recorded in 2022 to 22 attacks per month in the first half of 2023. This growth rate, the report says, is one of the main causes for concern for Italy: in all of 2022, 188 attacks were recorded, already a negative record for the country and a 169% increase, at a time when the global figure showed an (already serious) 21% year-over-year jump, as shown in Fig. 22.
The first half of 2023 marks a slowdown in the growth of attacks globally, which settles back at 11%, slightly above the year-over-year trend recorded from 2019 to 2021.
In Italy, by contrast, the first half of 2023 still shows 40% growth, almost four times the global figure, much as happened in 2021. While from one point of view this could be read as an improvement over 2022, the chart in Fig. 23 shows that since 2019 year-over-year percentage growth in Italy has consistently outpaced the rest of the world: 3.2 times global growth in 2019 versus 2018, 5 times in 2021, a full 8 times the global growth rate in 2022, and back to 3.7 times in the first half of 2023. As a result of this growth rate, Italy’s share of the overall global sample has reached worrying levels: in 2022 Italy already accounted for 7.6% of all attacks considered globally, and in the first six months of 2023 attacks in Italy represent 9.6% of those recorded in the period.
Government and Manufacturing the most targeted sectors
Looking at the distribution of victims, the sector with the highest number of attacks is once again “Government” (23% of the total), followed at a short distance by “Manufacturing” (17%).
The breakdown differs significantly from the global sample, where the two categories account for 12% and 5% of attacks respectively (ranking third and seventh). Incidents against “Manufacturing” recorded in Italy, in particular, represent 34% of all attacks recorded globally against this sector.
The sector with the largest increase in serious incidents is “Financial / Insurance” (Fig. 27), which jumps to fourth place with 9% of attacks (up from 3.7% in 2022). The number of attacks on victims in this sector in the first six months of the year exceeds the total for all of 2022.
The report notes that “Analyzing the attacks, one of the factors weighing most on this negative trend is the emergence of an ever greater number of players (for example the so-called fintechs) and the increasingly broad outsourcing of banking and insurance processes and services, which make this market ever more fragmented and vulnerable to actions no longer aimed at the most prominent organizations, which, given their level of investment and expertise, would probably be less vulnerable. If this trend were confirmed in the next half-year, the annual growth rate would be 243%. Also significant is the increase in the “Multiple Targets” category, which goes from 10.6% in 2022 to 16.7% in the first half of 2023; this increase runs counter to the rest of the world, which sees a decrease from 22% in 2022 to 20% in the first half of 2023.”
Malware the main technique used in cyberattacks
Compared with 2022, malware remains the main attack technique used by criminals (31%), but by a far smaller margin (it was 53% in 2022) and 4 percentage points below the global figure.
In absolute terms, the number of malware attacks does not drop significantly; the lower percentage, however, indicates that for the first time since the ransomware phenomenon exploded we are seeing a significant shift in the methods and goals pursued by attackers, who evidently achieve their aims more effectively with other techniques.
Confirming this, DDoS attacks show remarkable growth, rising from 4% in 2022 to an alarming 30% in the first half of 2023, several times their previous share.
The incidence of this type of attack in Italy is far higher than in the overall sample, where it stops at 7.9%: Italian victims suffered so many DDoS attacks that they account for roughly 37% of all such events recorded in the sample.
DDoS attacks are one of the techniques hacktivists use most to reach their goals, so in the Italian landscape the correlation between the rise in attacks using this technique and the growing share of incidents attributable to “Hacktivism” is evident. As is well known, DDoS attacks aim to make an online service inaccessible or unusable by overloading its resources (network, processing, storage, ...).
Hacktivists can use this technique to interrupt the activities of a company or institution in order to draw media attention to a political or social cause, putting pressure on the victim and exposing its weak defensive capability. Phishing and social engineering attacks are also up and, unlike in 2022, weigh more heavily in Italy than in the rest of the world (14% vs 8.6% globally), a sign of a strong need for awareness-raising among the users who deal with IT systems every day.
The percentage of incidents based on known vulnerabilities decreases (4% vs 6% in 2022), while a small share of “web based attacks” (1.5%) appears. Bearing in mind the large number of cases where the primary attack technique could not be identified (Unknown, 18% versus 21% worldwide), such attacks are certainly present, but still in limited numbers.
OpenAI has confirmed that ChatGPT and its API experienced a major outage on Wednesday due to what appeared to be a distributed denial-of-service (DDoS) attack.
The artificial intelligence organization first reported seeing problems with its LLM-based chatbot and API on November 7. The disruptions were initially described as partial outages, but a major outage was reported on November 8.
In an update shared late on Wednesday, OpenAI revealed that the outages were caused by “an abnormal traffic pattern reflective of a DDoS attack”.
The hacker group Anonymous Sudan has taken credit for the ChatGPT outage on its Telegram channel. The hackers claim to have targeted OpenAI for several reasons, including for being an American organization, as well as for its alleged cooperation with Israel and its anti-Palestine stance.
Anonymous Sudan claims to be a hacktivist group motivated by religious and political causes, targeting many organizations with disruptive DDoS attacks, including major companies such as Microsoft, X (formerly Twitter), and Telegram.
In reality, the group does not appear to have any ties to Sudan and instead seems to be linked to Russian hackers, including the notorious KillNet group. Some members of the cybersecurity industry believe Anonymous Sudan may even be affiliated with the Russian government.
ChatGPT appears to be working at the time of writing. Only a handful of major outages were reported over the past 90 days, according to OpenAI’s status page.
US Sanctions Russian National for Helping Ransomware Groups Launder Money
The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) on Friday announced sanctions against Ekaterina Zhdanova, a Russian national allegedly involved in money laundering for ransomware affiliates and Russian elites.
Zhdanova, the US Treasury says, uses virtual currency exchange transfers, fraudulent accounts and purchases, and connections to international money launderers to aid her clients in moving funds.
She also uses traditional businesses, such as a luxury watch company, to maintain access to the international financial system.
According to the US Treasury, in 2021, Zhdanova helped a Ryuk ransomware affiliate launder more than $2.3 million of suspected victim payments.
Believed to have been operated by Russian threat actors, Ryuk was file-encrypting ransomware that emerged in 2018 and was later succeeded by Conti.
In April 2023, another Russian national, Denis Mihaqlovic Dubnikov, was sentenced in the US for laundering money for the Ryuk ransomware group between 2018 and August 2021.
Zhdanova, the US Treasury says, was heavily involved in helping Russian oligarchs transfer their wealth to Western Europe and other countries, providing them with access to a financial market that may otherwise be blocked due to prohibitions.
“This type of illicit financial activity can be used to evade the multilateral U.S. and international sanctions that impose costs on Russia for its unprovoked war and deny the access of sanctioned Russian individuals and entities to the international financial system,” the department notes.
Zhdanova allegedly helped a Russian client transfer over $2.3 million through fraudulent investment accounts and real estate purchases, and transferred over $100 million to the United Arab Emirates on behalf of a Russian oligarch.
She also provided her Russian clients with United Arab Emirates tax residency, identification cards, and bank accounts, the US Treasury says. Cash and virtual currency payments were made to a Dubai bank account, and then transferred to foreign bank accounts.
The sanctions against Zhdanova mean that all her property and interests in the US are blocked and that US entities and individuals are prohibited from engaging in transactions with her.
In Other News: Airport Taxi Hacking, Post-Quantum Crypto Guidance, Stanford Breach
Noteworthy stories that might have slipped under the radar: US airport taxi hacking by Russians, Stanford ransomware attack, and post-quantum crypto guidance.
Florida SIM Swapper Sentenced to Prison for Cryptocurrency Theft
A Florida man was sentenced to prison last week for his role in a hacking scheme that resulted in the theft of approximately $1 million in cryptocurrency.
The 20-year-old Orlando man, identified as Jordan Dave Persad, was found guilty of hacking into victims’ email accounts and hijacking their phone numbers to gain access to cryptocurrency accounts, the US Department of Justice said.
Persad and his co-conspirators employed a tactic referred to as SIM swapping, where attackers convince representatives of the victim’s mobile carrier to transfer the victim’s phone number to a SIM card in the attackers’ possession.
Once in control of the phone number, the attackers receive the SMS one-time codes and reset links sent to it, and typically initiate password resets to take over the victim’s online accounts.
Between March 2021 and September 2022, Persad and his co-conspirators targeted dozens of victims, stealing roughly $1 million worth of cryptocurrency from their accounts.
The perpetrators then divided the proceeds between themselves, with Persad keeping approximately $475,000 of the stolen money, the Justice Department said.
According to the documents presented in court, some of these funds were recovered when investigators executed a search warrant at Persad’s home in Orlando.
Persad, who admitted in court to his role in the hacking scheme, was sentenced to 30 months in prison, followed by three years of supervised release, and was ordered to pay $945,833 in restitution.
In July, Amir Hossein Golshan, of Los Angeles, pleaded guilty to using SIM swapping to perpetrate various cybercrime schemes that caused roughly $740,000 in losses.