Source |
RiskIQ |
Identifier |
8613654 |
Publication date |
2024-11-18 18:48:36 (viewed: 2024-11-18 19:08:26) |
Title |
Report on DDoSia Malware Launching DDoS Attacks Against Korean Institutions |
Text |
## Snapshot
The Russian hacktivist group NoName057(16), along with pro-Russian groups Cyber Army of Russia Reborn and Alixsec, launched DDoS attacks against South Korean government agencies in November 2024. These attacks were in response to South Korean political statements regarding the supply of weapons to Ukraine.
## Description
NoName057(16) uses DDoS bots such as [DDoSia](https://sip.security.microsoft.com/intel-explorer/articles/fba88942) and operates a Telegram channel with tens of thousands of subscribers, through which it coordinates attacks and offers cryptocurrency rewards for successful participation. A participant first downloads a "client_id.txt" file from the Telegram channel; DDoSia uses it to authenticate the participant's system and collects basic system information. The bot then connects to a C&C server to receive attack targets and reports the attack status back to it. The C&C server address changes frequently, so participants must keep updating their connection details.
## Microsoft Analysis and Additional OSINT Context
The DDoSia project, launched on Telegram in early 2022, has grown rapidly in scope, attracting users who are paid in cryptocurrency for taking part in DDoS attacks. [Security researchers](https://cert.cyberoo.com/en/noname05716-ddosia-tool-analysis-report/ "https://cert.cyberoo.com/en/noname05716-ddosia-tool-analysis-report/") found in December 2023 that recent versions of DDoSia use AES-GCM encryption and a stronger authentication mechanism, reflecting ongoing improvements to the tool. NoName057(16) often [leverages HTTPS application-layer DDoS attacks](https://www.netscout.com/blog/asert/noname057-16 "https://www.netscout.com/blog/asert/noname057-16"), with traffic originating from legitimate CDN and cloud networks, which maximizes disruption while complicating detection.
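The traffic shape described above, a flood of application-layer HTTPS requests arriving from a pool of legitimate-looking cloud and CDN addresses, is exactly what a per-source rate limit misses: no single address has to exceed the limit for the target path to be overwhelmed. The Python script below is an added example (not code from this report, from Microsoft, or from the DDoSia project) that parses combined-format web access log lines and compares a naive per-IP threshold with a per-target-path aggregate that also counts distinct sources. The log lines, the thresholds and the "cloud" CIDRs (RFC 5737 documentation prefixes standing in for a provider's published ranges) are all constructed for the demonstration.

```python
"""Detect distributed HTTP(S) application-layer floods in access logs.

Added example, not part of the original report. All input data, thresholds
and CIDR ranges are constructed for the demonstration.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Hypothetical "cloud/CDN" prefixes (RFC 5737 documentation space). A real
# deployment would load the providers' published address ranges instead.
CLOUD_PREFIXES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "203.0.113.0/24")]


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "ua": m.group("ua"),
    }


def _bucket(ev, window_s):
    """Fixed time window index (epoch seconds // window length)."""
    return int(ev["ts"].timestamp()) // window_s


def per_ip_alerts(events, window_s=60, max_per_ip=30):
    """Naive per-source limit: {(ip, bucket): count} for sources above the limit."""
    counts = Counter((ev["ip"], _bucket(ev, window_s)) for ev in events)
    return {k: v for k, v in counts.items() if v > max_per_ip}


def per_path_alerts(events, window_s=60, max_per_path=200, min_sources=20):
    """Per-target aggregate: one path hit by many requests from many distinct sources
    within a single window. Also reports how many sources sit in the cloud prefixes."""
    reqs = Counter()
    sources = defaultdict(set)
    for ev in events:
        key = (ev["path"], _bucket(ev, window_s))
        reqs[key] += 1
        sources[key].add(ev["ip"])
    alerts = {}
    for key, n in reqs.items():
        srcs = sources[key]
        if n > max_per_path and len(srcs) >= min_sources:
            cloud = sum(1 for ip in srcs if any(ipaddress.ip_address(ip) in p for p in CLOUD_PREFIXES))
            alerts[key] = {"requests": n, "sources": len(srcs), "cloud_sources": cloud}
    return alerts


def analyze(lines):
    """Run both detectors over raw log lines; unparseable lines are skipped."""
    events = [ev for ev in (parse_line(l) for l in lines) if ev]
    return {"per_ip": per_ip_alerts(events), "per_path": per_path_alerts(events)}


def constructed_log():
    """Constructed sample: a few normal visitors plus a distributed flood of /login."""
    base = datetime(2024, 11, 18, 9, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'

    def line(ip, offset, path, status=200, ua="Mozilla/5.0"):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return fmt.format(ip=ip, ts=ts, path=path, status=status, ua=ua)

    lines = [
        line("192.0.2.10", 1, "/"),
        line("192.0.2.10", 4, "/news"),
        line("192.0.2.11", 7, "/login"),
        line("192.0.2.11", 9, "/dashboard"),
    ]
    # 40 sources in the hypothetical cloud range, 10 hits each on /login within 30 s:
    # every source stays under the per-IP limit, yet the path receives 400 requests.
    for host in range(1, 41):
        for k in range(10):
            lines.append(line(f"203.0.113.{host}", 10 + k * 3, "/login", ua="Go-http-client/1.1"))
    return lines


if __name__ == "__main__":
    result = analyze(constructed_log())
    print("per-IP alerts:", result["per_ip"])  # {} : each bot stays under the limit
    for (path, _), info in result["per_path"].items():
        print(f"flood on {path}: {info}")
```

On the constructed log the per-IP detector stays silent while the per-path detector flags /login with 401 requests from 41 distinct sources, 40 of them in the "cloud" prefix. In production the same aggregate is what a WAF rate-limit or bot-protection rule keyed on the target rather than the client address would act on; the cloud-source ratio is a useful triage signal but not a block criterion on its own, since legitimate traffic also transits those networks.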
Hacktivism and DDoS attacks have increasingly become influential tools in real-world political struggles and events, often serving to amplify unrest and sway public opinion. DDoS attacks that carry explicit political messages aim to disrupt services and create social unrest, using cyberspace to exert psychological pressure during military conflicts. Recent examples include Russian- and Iranian-linked influence operation networks, such as [Storm-1516](https://sip.security.microsoft.com/intel-profiles/6ec195e762a0a91ed376b81d0972e0f4efaa71ca11ff15c9bfda8aaf6c3841a1) and [Cotton Sandstorm](https://sip.security.microsoft.com/intel-profiles/ecc605ea0b003737e9d5280fe1b1320c2eb56ce4e7e984d442939af56f310815), [targeting U.S. elections](https://sip.security.microsoft.com/intel-explorer/articles/0d9fec7e) by attempting to undermine the legitimacy of the electoral process. Additionally, Russian hacktivist groups such as the People's Cyber Army and HackNeT launched DDoS attacks on French websites ahead of the [Paris Olympics](https://sip.security.microsoft.com/intel-explorer/articles/eb5f1088), in line with broader campaigns against French institutions.
## Recommendations
Microsoft recommends the following mitigations to reduce the impact of this threat.
- Avoid a single virtual-machine backend, which is easily overwhelmed. [Azure DDoS Protection](https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview?ocid=magicti_ta_learndoc "https://learn.microsoft.com/azure/ddos-protection/ddos-protection-overview?ocid=magicti_ta_learndoc") covers the scale-out costs incurred by all resources during an attack, so configure autoscaling to absorb the initial burst of attack traffic while mitigation kicks in.
- Use [Azure Web Application Firewall](https://learn.microsoft.com/azure/web-application-firewall/overview?ocid=magicti_ta_learndoc "https://learn.microsoft.com/azure/web-application-firewall/overview?ocid=magicti_ta_learndoc") to protect web applications. When using Azure WAF: 1. Use the bot protection managed rule set for additional protections. See the article on [configuring bot protection](https://learn.microsoft.co |
Tags |
Malware
Tool
Threat
Cloud
|