In 2023, a barrage of cyber assaults against Sweden signaled a massive shift in global dynamics. As Sweden worked towards joining NATO and supporting Ukraine with arms and humanitarian aid, we sa...
https://www.netscout.com/blog/asert/sweden-continues-be-prime-ddos-target-they-join-nato
Because adversaries leverage compromised and abusable online resources belonging to legitimate organizations and individuals to launch DDoS attacks, the tangible cost to attackers is nil, while t...
https://www.netscout.com/blog/asert/unbearable-asymmetry-ddos
While there are many obvious threats like hacktivists, nation-state adversaries and ransomware operators, there also lies a constant ever-growing undercurrent that we call nuisance traffic. The t...
https://www.netscout.com/blog/asert/nuisance-network-traffic
Carpet-bombing (Spread Spectrum, Subnet DDoS) attacks take place when an adversary targets a range of addresses or subnets simultaneously to saturate networks with garbage traffic while also avoi...
Since late December, Poland has been the target of several groups as new Prime Minister Tusk was sworn in. The most notable group targeting Poland is NoName057. They have targeted several types o...
https://www.netscout.com/blog/asert/ddos-attacks-against-poland-skyrocket-wake-new-prime-ministers
NoName057(16) relies heavily on HTTPS application-layer DDoS attacks, with many attacks repeatedly sourced from the same attack harness, networks, and targeting similar countries and industries.
NETSCOUT observed an unprecedented rise in compromised devices performing reconnaissance scans, signaling a dangerous new wave of large-scale cyberattacks leveraging weaponized cloud infrastructu...
https://www.netscout.com/blog/asert/unprecedented-growth-malicious-botnets-observed
Anonymous Sudan is a highly prolific threat actor conducting distributed denial-of-service attacks (DDoS) to support their pro-Russian, anti-Western agenda. Although the attacks attributed to thi...
Typically, application-layer protocols such as HTTP/s, QUIC, SIP, and others receive the lion’s share of attention in most discussions of internet traffic. But it’s the Domain Name System (DN...
In a joint disclosure by several well-known cloud computing, SaaS, and CDN operators, a new HTTP/2 application-layer DDoS attack vector (CVE-2023-44487) has been described which has been used in ...
https://www.netscout.com/blog/asert/http2-rapid-reset-application-layer-ddos-attacks-targeting
The phrase Bulletproof hosting suggests technical sophistication, infrastructure resiliency, and a platform with elaborate redundancy. However, for the internet security community its connotation...
https://www.netscout.com/blog/asert/bulletproof-hosting-bph-taxonomy
Summary NETSCOUT and ASERT have observed massive increases in DDoS attacks against Indian targets. This near doubling of DDoS attacks since the beginning of 2023 has been fueled by a rallying cal...
https://www.netscout.com/blog/asert/100-increase-ddos-attacks-against-india
With the computing power and internet transit capacity available to a substantial proportion of abusable SLP reflectors/amplifiers, attackers can potentially launch extremely high-volume, high-im...
https://www.netscout.com/blog/asert/slp-reflectionamplification-ddos-attack-vector
As the effects of COVID-19 and inflated numbers of DDoS attacks have settled into some semblance of normalcy, it has been all-out DDoS war for Finland, Hungary, and Turkey.
https://www.netscout.com/blog/asert/ddos-attacks-targeting-nato-members-increasing
On December 15, 2022, the U.S. Federal Bureau of Investigation (FBI), in cooperation with several international law enforcement partners, seized 49 domain names and arrested six individuals for t...
https://www.netscout.com/blog/asert/global-ddos-hire-takedown
Twenty years ago SQL Slammer Worm devastated the then known internet, resulting in widespread outages and disruptions. What happened? Why was it successful? Can it happen again? Follow along as N...
Since mid-February of 2022, the NETSCOUT Arbor Security Engineering and Response Team (ASERT) has been monitoring the situation in Russia and Ukraine. We recently published an update to our initi...
https://www.netscout.com/blog/asert/ddos-threat-landscape-russia
The ongoing DDoS attack campaign against Ukraine increased significantly. We anticipate that DDoS activity targeting Ukraine will continue over the duration of the conflict, and will continue to ...
https://www.netscout.com/blog/asert/ddos-threat-landscape-ukraine
A new reflection/amplification distributed denial-of-service (DDoS) vector with a record-breaking potential amplification ratio of 4,294,967,296:1 has been abused by attackers in the wild to laun...
https://www.netscout.com/blog/asert/tp240phonehome-reflectionamplification-ddos-attack-vector
Overview Beginning on 13 February 2022, multiple governmental, military, and financial organizations within Ukraine reported that their public-facing Web sites, applications, and ancillary suppor...
https://www.netscout.com/blog/asert/ddos-attack-campaign-targeting-multiple-organizations-ukraine
Executive Summary The second half of 2021 finally saw much of the world returning to normal, at least until the recent Omicron variant sent us packing back home. The premature return to normal co...
https://www.netscout.com/blog/asert/what-happened-second-half-2021
Threat adversaries leverage exploitable Mikrotik routers with two different botnets, Mēris and Dvinis, to launch high request-per-second attacks against targets.
NETSCOUT's ASERT Team tracks Mēris and Dvinis DDoS Botnets. The blog covers the number of botted nodes observed, how they are propagating, and where they are distributed geographically. We also ...
Beginning in September 2021, aggressive threat actors have targeted multiple Voice-over-IP (VoIP) communication providers with a campaign of high-impact DDoS extortion attack
https://www.netscout.com/blog/asert/high-profile-ddos-extortion-attacks-against-siprtp-voip
Latest Threat Intelligence Report from NETSCOUT details extensive global impact of cyberattacks on private and public sector organizations.
https://www.netscout.com/blog/asert/the-long-tail-adversary-innovation
Learn more about this distributed denial-of-service (DDoS) attack vector which abuses middlebox systems for HTTP reflection/amplification.
https://www.netscout.com/blog/asert/http-reflectionamplification-abusable-internet-censorship
Attack frequency has dropped, but we are nowhere near the numbers considered normal prior to COVID-19: Threat actors launched approximately 5.4 million DDoS attacks in the first half of 2021.
https://www.netscout.com/blog/asert/our-new-ddos-normal-isnt-all-normal
DHCPDiscover, a UDP-based JSON protocol used to manage DVRs, can be abused to launch UDP reflection/amplification attacks when an internet-exposed DVR lacks any form of authentication.
https://www.netscout.com/blog/asert/dhcpdiscover-reflectionamplification-ddos-attack-mitigation
ASERT Threat Summary Date/Time: 17June2021 1300UTC Severity: Warning Distribution: TLP: WHITE Categories: Availability Contributors: Jon Belanger, Richard Hummel. Executive Summary In May 2021, s...
https://www.netscout.com/blog/asert/fancy-lazarus-ddos-extortion-campaign
Adversaries weaponize STUN servers by incorporating the protocol into DDoS-for-Hire services. Approximately 75k abusable STUN servers give DDoS attackers ample opportunity to launch single-vector...
https://www.netscout.com/blog/asert/session-traversal-utilities-nat-stun
The beat goes on: Threat actors launched approximately 2.9 million DDoS attacks in the first quarter of 2021, a 31% increase from the same time in 2020.
In mid-May 2021, security researchers at SIDN Labs, InternetNZ, and USC/ISI released a research paper describing a sabotage-based DDoS attack methodology dubbed ‘TsuNAME’ that targeted author...
https://www.netscout.com/blog/asert/tsuname-zone-cyclic-dependency-induced-recursive-dns-query
Datagram Transport Layer Security (D/TLS) is a variant of the TLS encryption protocol implemented atop the User Datagram Protocol (UDP); it is utilized to secure datagram-based applications to preven...
https://www.netscout.com/blog/asert/datagram-transport-layer-security-dtls-reflectionamplification
Amplified PMSSDP DDoS attack traffic consists of SSDP HTTP/U responses sourced from UDP port 32414 and/or UDP port 32410 on abusable Plex Media Server instances and directed towards attack ...
https://www.netscout.com/blog/asert/plex-media-ssdp-pmssdp-reflectionamplification-ddos-attack
For the first time, we observed DDoS attacks rise above 10 million annually in 2020, nearly 1.6 million more attacks than seen in 2019.
https://www.netscout.com/blog/asert/crossing-10-million-mark-ddos-attacks-2020
Recently observed DDoS attacks leverage abusable Microsoft RDP service to launch UDP Reflection/Amplification attacks with an 85.9:1 amplification factor.
https://www.netscout.com/blog/asert/microsoft-remote-desktop-protocol-rdp-reflectionamplification
DDoS Extortion Update: As previously reported, a relatively prolific threat actor initiated a global campaign of DDoS extortion attacks in mid-August 2020, largely directed towards regional finan...
https://www.netscout.com/blog/asert/lazarus-bear-armada-ddos-extortion-campaign-december-2020
Trickbot has long been one of the key banking malware families in the wild. Despite recent disruption events, the operators continue to drive forward with the malware and have recently begun port...
Starting in mid-August 2020, a relatively prolific threat actor initiated a global campaign of DDoS extortion attacks largely directed towards regional financial and travel-industry targets such ...
https://www.netscout.com/blog/asert/high-profile-ddos-extortion-attacks-september-2020
ASERT researchers have uncovered new information about Lucifer, which is a cryptojacking and distributed denial of service (DDoS) bot, originally found to exploit and run on Windows based systems...
By all indications, the events of last week have brought the importance of DDoS defense into focus for many individuals and organizations. DDoS attacks aren’t something to be taken ligh...
Summary Based on a case study in our most recent blog, the observed global DDoS attack count (frequency), bandwidth (BPS), and throughput (PPS) all saw significant increases since the start of th...
Summary One of the more esoteric aspects of working in the DDoS defense space is the analysis of data. We look at data about attack bandwidth (bps) and throughput (pps); connections per second (c...
https://www.netscout.com/blog/asert/measuring-cruellest-month
Summary In October of 2019, high-impact TCP reflection/amplification DDoS attacks hit organizations in Scandinavia and Southern Europe. These attacks leveraged servers belonging to organizations ...
https://www.netscout.com/blog/asert/evolution-new-ddos-technique
Overview The self-quarantine and social distancing guidance provided by governments around the world in response to the COVID-19 pandemic is leading to a rapid and wholesale switch to remote work...
https://www.netscout.com/blog/asert/availability-time-covid-19
8.4 MILLION, that is the number of DDoS attacks NETSCOUT Threat Intelligence saw last year alone: more than 23,000 attacks per day, 16 every minute.
https://www.netscout.com/blog/asert/netscout-threat-intelligence-report-powered-atlas
Executive Summary Dozens of known attack vectors ranging from obscure or little-used protocols (Citrix-ICA) to very common and vastly used protocols (DNS and NTP) give DDoS attackers a smorgasbor...
https://www.netscout.com/blog/asert/ddos-attack-vectors-live-or-die
A recent article, which NETSCOUT had the opportunity to participate in, highlights the importance the corporate world holds for Nation State APT adversaries. As the article duly notes, there used...
https://www.netscout.com/blog/asert/nation-state-apt-business-world
Executive Summary Emotet, a banking trojan turned downloader, continues to make waves in the downloader scene despite recent hibernations. Emotet is a modular malware, first reported in 2014 as a...
Executive Summary Airlines and the airport industry in general are highly lucrative targets for APT groups; they are rife with information that other countries would find useful. NETSCOUT data fr...
"It’s hard to express the scale of today’s cyber threat landscape, let alone its global impact." - Hardik Modi, Senior Director of Threat Intelligence Executive Summary In the past six months...
https://www.netscout.com/blog/asert/netscout-threat-intelligence-report
Key Takeaways: - A new UDP reflection/amplification DDoS vector is observed in the wild. - The surprising nature of the abusable reflectors/amplifiers. - Recommended DDoS Defense and Best Current...
https://www.netscout.com/blog/asert/call-arms-apple-remote-management-service-udp
Executive Summary ASERT’s IoT honeypot network continuously monitors known exploit vectors and we recently detected a spike in exploit attempts targeting the Realtek SDK miniigd SOAP vulnerabil...
https://www.netscout.com/blog/asert/realtek-sdk-exploits-rise-egypt
In early March 2019, ASERT Researchers uncovered a credential harvesting campaign targeting mostly South Asian governments. The actors behind this campaign we call LUCKY ELEPHANT use doppelganger...
https://www.netscout.com/blog/asert/lucky-elephant-campaign-masquerading
NETSCOUT Threat Intelligence Report - Security Findings from Second Half 2018. Special Report powered by ATLAS.
https://www.netscout.com/blog/asert/introducing-netscout-threat-intelligence-report-findings-second
Internet of Things (IoT) botnets commonly propagate by exploiting vulnerabilities in IoT devices. Telemetry from our IoT honeypots show the number of exploit attempts originating from bots contin...
https://www.netscout.com/blog/asert/iot-exploits-around-world-120-days
Attackers have recently begun launching reflection/amplification DDoS attacks that abuse CoAP, a protocol primarily used today by mobile phones in China, but expected to grow with the explosion of Internet ...
In May of last year, ASERT Researchers reported on LoJax, a double-agent leveraging legitimate software to phone home to malicious command and control (C2) servers. Since the publication of our r...
First discovered in May of 2018, Danabot is a Delphi written banking trojan that has been under active development throughout the year.
https://www.netscout.com/blog/asert/danabots-travels-global-perspective
Internet of Things (IoT) botnet authors are adapting to a shift towards more secure IoT devices, which has diverted attackers’ focus to exploiting vulnerabilities in IoT devices, either to supplemen...
https://www.netscout.com/blog/asert/fast-furious-iot-botnets-regifting-exploits
ASERT has learned of an APT campaign, possibly originating from DPRK, we are calling STOLEN PENCIL that is targeting academic institutions since at least May 2018.
https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia
Botmasters have taken the lessons from developing Internet of Things (IoT) malware and shifted their focus to targeting commodity Linux servers.
https://www.netscout.com/blog/asert/mirai-not-just-iot-anymore
Brute-forcing factory default usernames and passwords remains a winning strategy for Internet of Things (IoT) botnet propagation.
ASERT recently came across spear-phishing emails targeting the Office of the First Deputy Prime Minister of Bahrain.
Executive Summary Cobalt Group (aka TEMP.Metastrike), active since at least late 2016, have been suspected in attacks across dozens of countries. The group primarily targets financial organizatio...
https://www.netscout.com/blog/asert/double-infection-double-fun
Arbor ASERT has uncovered a new class of SSDP abuse where naïve devices will respond to SSDP reflection/amplification attacks with a non-standard port. The resulting flood of UDP packets has e...
Key Findings ASERT researchers discovered Kardon Loader being advertised on underground forums. Kardon Loader features functionality allowing customers to open their own botshop, which grants the...
https://www.netscout.com/blog/asert/kardon-loader-looks-beta-testers
Executive Summary Mirai, seen as revolutionary for malware that targets the Internet of Things (IoT), has wrought destruction around the globe and popularized IoT based malware. Mirai was utilize...
https://www.netscout.com/blog/asert/omg-mirai-minions-are-wicked
Written by Roland Dobbins, ASERT Principal Engineer and Matt Bing, ASERT Security Analyst. In this article: SSDP Diffraction Attacks aren’t new; they’ve been observed in the wild since 2015. ...
https://www.netscout.com/blog/asert/importance-being-accurate-ssdp-diffraction-attacks-udp
Executive Summary ASERT recently discovered Lojack agents containing malicious C2s. These hijacked agents pointed to suspected Fancy Bear (a.k.a. APT28, Pawn Storm) domains. The InfoSec community...
https://www.netscout.com/blog/asert/lojack-becomes-double-agent
Overview ASERT recently identified a campaign targeting commercial manufacturing in the US and potentially Europe in late 2017. The threat actors used phishing and downloader(s) to install a Remo...
https://www.netscout.com/blog/asert/innaput-actors-utilize-remote-access-trojan-2016-presumably
Key Findings A threat actor using the well-known banking malware Panda Banker (a.k.a Zeus Panda, PandaBot) has started targeting financial institutions in Japan. Based on our data and analysis th...
https://www.netscout.com/blog/asert/panda-banker-zeros-japanese-targets
Authors: Dennis Schwarz and Jill Sopko Special thanks to Richard Hummel and Hardik Modi for their contributions on this post. Figure 1: Pakistan themed decoy document Key Findings ASERT discovere...
https://www.netscout.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia
Last week, after Akamai confirmed a 1.3Tbps DDoS attack against Github, I published a blog that looked at the last five years of reflection/amplification attack innovation. I hope that it provide...
https://www.netscout.com/blog/asert/netscout-arbor-confirms-17-tbps-ddos-attack-terabit-attack-era
Special thanks to Hardik Modi, Steve Siadak and Roland Dobbins for their contributions on this post. Reflection amplification is a technique that allows cyber attackers to both magnify the amount...
https://www.netscout.com/blog/asert/1-terabit-ddos-attacks-become-reality-reflecting-five-years
ASERT Threat Summary: memcached Reflection/Amplification Description and DDoS Attack Mitigation Recommendations Date/Time: 27022018 2325UTC Title/Number: memcached Reflection/Amplification Descri...
https://www.netscout.com/blog/asert/memcached-reflectionamplification-description-and-ddos-attack
February 20, 2018: This blog has been amended since it was originally published on February 15, 2018. This version removes the association with the APT group responsible for the Night Dragon camp...
https://www.netscout.com/blog/asert/musical-chairs-playing-tetris
Authors: Pete Arzamendi, Matt Bing, and Kirk Soluk. Satori, the heir-apparent to the infamous IOT malware Mirai, was discovered by researchers in December 2017. The word "satori" means "enlighten...
Executive Summary MedusaHTTP is a HTTP-based DDoS botnet written in .NET, that surfaced in early 2017. MedusaHTTP is based off of MedusaIRC which leveraged IRC for its command and control communi...
https://www.netscout.com/blog/asert/medusahttp-ddos-slithers-back-spotlight
On October 19th, a team of security researchers warned of a new IoT Botnet that had already infected “an estimated million organizations” and that was poised to “take down the internet”....
Executive Summary SnatchLoader is a “downloader” malware—a type of malware that specializes in distributing (or loading) other malware onto infected computers. We first started seeing it in...
Since 2015, ASERT has observed and followed a DDoS Botnet named Flusihoc. To date very little has been published about this family, despite numerous anti-virus and intrusion detection signatures ...
https://www.netscout.com/blog/asert/flusihoc-dynasty-long-standing-ddos-botnet
More and more we’ve been seeing references to a malware family known as FormBook. Per its advertisements it is an infostealer that steals form data from various web browsers and other applicati...
https://www.netscout.com/blog/asert/formidable-formbook-form-grabber
Over the course of the last few weeks, a botnet comprised mainly of Android mobile devices has been utilized to launch a high-impact DDoS extortion campaign against multiple organizations in the ...
While revisiting a Flokibot campaign that was targeting point of sale (PoS) systems in Brazil earlier this year, we discovered something interesting. One of the command and control (C2) servers t...
Voluminous amounts of information have already been disseminated regarding the “Petya” (or is it “NotPetya”?) ransomware that hit the Ukraine hard along with organizations such as “th...
https://www.netscout.com/blog/asert/patching-not-enough-stop-petya
On June 13th 2017, US-CERT issued a joint Technical Alert (TA17-164A) entitled Hidden Cobra – North Korea’s DDoS Botnet Infrastructure. The alert, which was the result of analytic efforts bet...
https://www.netscout.com/blog/asert/pivoting-hidden-cobra-indicators
This post takes a look at a new banking malware that has, so far, been targeting financial institutions in Latin America—specifically, Mexico and Peru. Initially, we’ve called it “Matrix Ba...
https://www.netscout.com/blog/asert/another-banker-enters-matrix
The ASERT research team has recently done some work reverse engineering a family of malware called "Zyklon H.T.T.P." that is written using the .Net framework. Zyklon (German for “cyclone”) is...
Information regarding the WannaCry ransomware is spreading as quickly as the malware itself and is expected to do so throughout the weekend. This blog provides some information from our malware p...
Over the past few months there has been a lot of research and press coverage on the Shamoon campaigns. These have been the attacks on Saudi Arabian companies where a destructive malware known as ...
Introduction Each week ASERT produces a weekly threat intelligence bulletin for Arbor customers. In addition to providing insights into the week's security news and reviewing ASERT's threat resea...
https://www.netscout.com/blog/asert/observed-spike-ddos-attacks-targeting-hong-kong
A malware researcher known as Antelox recently tweeted about an unknown malware sample that caught our eye. Upon further investigation, it is a modular malware known as Acronym and could possibly...
by Steinthor Bjarnason, Senior ASERT Security Analyst and Roland Dobbins, ASERT Principal Engineer. CloudFlare are probably best known as a DDoS mitigation service provider, but they also operate ...
https://www.netscout.com/blog/asert/change-all-your-passwords-right-now
IBM analysts recently unveiled a first look at how threat actors may have placed Shamoon2 malware on systems in Saudi Arabia. Researchers showcased a potential malware lifecycle which started wit...
https://www.netscout.com/blog/asert/additional-insights-shamoon2
Red Team analysis is the process of viewing a situation from the perspective of an adversary thus providing insights beyond those that might otherwise be limited by normative biases.
https://www.netscout.com/blog/asert/non-government-organization-support-government-hopes
A recent tweet mentioned that a new banking malware called “Nuclear Bot” has started to appear for sale on underground marketplaces. Its price starts around $2500 which is more than double th...
In late November of 2016, a new Mirai variant emerged that leveraged a propagation mechanism different from the Telnet-based brute forcing mechanism originally provided in the leaked Mirai source...
https://www.netscout.com/blog/asert/economics-propagation-and-mitigation-mirai
This report describes several elements of a ransomware staging system using the Nemucod malware to deliver CryptFile2 (aka Hydracrypt.A and Win32/Filecoder.HydraCrypt.C) ransomware, an ongoing th...
https://www.netscout.com/blog/asert/analysis-cryptfile2-ransomware-server
Cyphort recently published an article about the Buhtrap banking trojan, targeting users of Russian and Ukrainian banks as reported in March of 2016 by Group-IB. Cyphort’s insightful article...
https://www.netscout.com/blog/asert/diving-buhtrap-banking-trojan-activity
In early October, Flashpoint released an analysis of an underground forum advertisement for a new malware family known as FlokiBot. It took some time before a sample was found in the wild, but a ...
This paper documents attempted exploitation activity aimed at Uyghur interests outside of China. Exploitation is being atte...
https://www.netscout.com/blog/asert/flying-dragon-eye-uyghur-themed-threat-activity-0
Since its inception in August of 2016, the Mirai ‘Internet-of-Things’ (IoT) botnet, comprised largely of internet-enabled digital video recorders (DVRs), surveillance cameras, and other Inter...
https://www.netscout.com/blog/asert/mirai-iot-botnet-description-and-ddos-attack-mitigation
A new banking trojan, TrickBot, has seemingly risen from the ashes left behind by the November 2015 takedown of Dyreza/Dyre infrastructure and the arrests of threat actors identified by Russian a...
https://www.netscout.com/blog/asert/trickbot-banker-insights
Once you’ve decided that you’d like to start doing full packet capture, you may well ask how. Learn about the basic steps in performing full packet captures.
https://www.netscout.com/blog/asert/how-create-full-packet-capture
SSL (or TLS) secures web services such as banking, online purchases, email and remote access. Popular services such as Twitter, Hotmail and Facebook are increasingly migrating to SSL to improve s...
https://www.netscout.com/blog/asert/ddos-attacks-ssl-something-old-something-new
A visual sample of Distributed Denial of Service (DDoS or DoS) attack tools and services compiled by Curt Wilson - Research Analyst, Arbor Networks ASERT. There are a variety of popular Denial of ...
https://www.netscout.com/blog/asert/attack-shuriken-many-hands-many-weapons
Fragmentation has been a frequent source of security vulnerabilities in IPv4, and for good reason. With fragmented IPv4 packets, the layer 4 header information is not available in the second thro...