
Bitcoin giveaway scams have been around for more than two years, but a new twist in tactics has helped scammers make more than $2 million over the past two months from Elon Musk’s name. The new trick involves the use of Bitcoin vanity addresses in order to give the scam more credibility in the eyes […]

Cloudflare released its Q3 DDoS Attack Trends report this week, capping a record-setting quarter that saw a number of devastating attacks on VoIP services. Cloudflare researchers said they saw several “record-setting HTTP DDoS attacks, terabit-strong network-layer attacks and one of the largest botnets ever deployed (Meris),” noting the emergence of ransom DDoS attacks on voice over IP (VoIP) service providers. The attack on Bandwidth.com left dozens of companies scrambling to deal with outages.

For the second quarter in a row, the US topped the list of countries with the most targeted companies, but Cloudflare noted that companies in the UK and Canada also shot up the list. Computer software, gaming, gambling, IT and Internet companies saw an average increase in attacks of 573% compared to the previous quarter. Overall, DDoS attacks across the world increased by 44%, according to Cloudflare’s research, while the Middle East and Africa led the way with average attack increases of 80%.

“Morocco recorded the highest DDoS activity in the third quarter globally — three out of every 100 packets were part of a DDoS attack. While SYN and RST attacks remain the dominant attack method used by attackers, Cloudflare observed a surge in DTLS amplification attacks — recording a 3,549% increase QoQ. Attackers targeted (and continue to target going into the fourth quarter this year) VoIP service providers with massive DDoS attack campaigns in attempts to bring SIP infrastructure down,” the researchers said. Cloudflare data showed that most DDoS attacks originated from devices and servers in China, the US and India, but the number of attacks from China decreased 30% throughout the quarter.

The report also takes time to discuss the Meris botnet, which is powered by Internet of Things (IoT) devices. Hijacked IoT products, PCs and home gadgets, including cameras, VCRs, TVs and routers, are enlisted as nodes in a botnet and are typically used in DDoS attacks. Cloudflare said Meris was “one of the most powerful botnets deployed to launch some of the largest HTTP DDoS attacks in history,” adding that in Q3 they saw “one of the largest recorded HTTP attacks — 17.2M rps (requests per second) — targeting a customer in the financial services industry.” Meris has been used to target networks and organizations around the world, including news sites like KrebsOnSecurity.

“The Meris botnet infected routers and other networking equipment manufactured by the Latvian company MikroTik. According to MikroTik’s blog, a vulnerability in the MikroTik RouterOS (that was patched after its detection back in 2018) was exploited in still unpatched devices to build a botnet and launch coordinated DDoS attacks by bad actors,” Cloudflare stated, comparing it to the 2016 Mirai botnet. “While Mirai infected IoT devices with low computational power such as smart cameras, Meris is a growing swarm of networking infrastructure (such as routers and switches) with significantly higher processing power and data transfer capabilities than IoT devices — making them much more potent in causing harm at a larger scale.”

Despite its power, Meris did not actually cause significant damage or outages, according to Cloudflare. The company noted that its customers on the Magic Transit and Spectrum services were targeted with network-layer attacks by a Mirai-variant botnet that “launched over a dozen UDP- and TCP-based DDoS attacks that peaked multiple times above 1 Tbps, with a max peak of approximately 1.2 Tbps.”

The report notes that the number of attacks peaked in September, but throughout the quarter the number of large attacks increased, both in the volume of traffic delivered and in the number of packets delivered. “QoQ data shows that the number of attacks of sizes ranging from 500 Mbps to 10 Gbps saw massive increases of 126% to 289% compared to the previous quarter. Attacks over 100 Gbps decreased by nearly 14%. The number of larger bitrate attacks increased QoQ (with the one exception being attacks over 100 Gbps, which decreased by nearly 14% QoQ). In particular, attacks ranging from 500 Mbps to 1 Gbps saw a surge of 289% QoQ and those ranging from 1 Gbps to 100 Gbps surged by 126%. This trend once again illustrates that, while (in general) a majority of the attacks are indeed smaller, the number of ‘larger’ attacks is increasing. This suggests that more attackers are garnering more resources to launch larger attacks,” the report found.

“Most attacks remain under one hour in duration, reiterating the need for automated always-on DDoS mitigation solutions. As in previous quarters, most of the attacks are short-lived. To be specific, 94.4% of all DDoS attacks lasted less than an hour. On the other end of the axis, attacks over 6 hours accounted for less than 0.4% in Q3 ’21, and we did see a QoQ increase of 165% in attacks ranging 1-2 hours. Be that as it may, a longer attack does not necessarily mean a more dangerous one.”

SYN floods remain the most common attack method used by cybercriminals, but the report recorded a 3,549% QoQ increase in attacks over DTLS.

Vishal Jain, CTO at Valtix, told ZDNet that it’s not surprising to learn DDoS attacks are breaking records. For years, the cybersecurity community has been talking about how IoT devices will lead to larger botnets capable of stronger DDoS attacks, Jain said, adding that as the volume of vulnerable, compromised, and misconfigured IoT devices continues to grow, cloud service providers will be challenged to protect their customers’ services. “Organizations need to have an incident response plan in place that involves a DDoS mitigation service,” Jain said. “Being alerted to a possible DDoS attack and identifying what is impacted allows security teams to take a proactive approach instead of reacting to downed services. Businesses should use edge-based, volumetric L4 DDoS protections complementing L7 DDoS protections close to internet facing applications.”

Digital Shadows cyber threat intelligence analyst Stefano De Blasi said that while DDoS attacks are commonly associated with technically unsophisticated attackers, recent events are a reminder that highly skilled adversaries can mount high-intensity operations that may result in severe consequences for their targets. In the past two years, De Blasi noted, Digital Shadows has frequently observed attackers combining DDoS attacks with cyber extortion tactics, potentially offering a glimpse into how the future of this cyber threat will look. “With the introduction of extortion, leading to a higher likelihood of financial gain, financially motivated threat actors likely see DDoS attacks as viable options, especially with success experienced by ransomware operators. In the coming years, cybercriminals will likely begin leveraging DDoS attacks to conduct financially motivated campaigns, while hacktivist groups will continue to use DDoS attacks for disruption purposes,” De Blasi said.

“Nation-state groups primarily conduct attacks to gather competitive intelligence, which is more attainable through unauthorized network access through phishing, vulnerability exploitation, and ransomware deployment when coupled with data exfiltration.”

In the name of beefing up Android security, Google has added a new feature called Identity Check that automatically locks sensitive settings behind biometric authentication.

How Identity Check works

The feature works when you carry your phone beyond trusted locations. Once Identity Check kicks in, you’ll need to use biometric authentication to access saved passwords and passkeys, autofill passwords in apps, change the screen lock and biometrics, factory reset your device, turn off Find My Device and other anti-theft features, set up a new device, add or remove a Google account, and access developer options.

The goal of Identity Check is to prevent bad actors from taking control of your Google Account and accessing features that could then enable them to steal data or otherwise compromise the security of your device.

Every week there is a new organization facing a ransomware attack, but a new report from eSentire’s security research team and Dark Web researcher Mike Mayes says the incidents we see in the news are just a small slice of the true number of victims.

The eSentire Ransomware Report says in 2021 alone, six ransomware groups compromised 292 organizations between Jan. 1 and April 31. The report estimates that the groups managed to bring in at least $45 million from these attacks and details multiple incidents that were never reported. The eSentire team and Mayes focused exclusively on the Ryuk/Conti, Sodin/REvil, CLOP, and DoppelPaymer ransomware groups, as well as two emerging but notable gangs in DarkSide and Avaddon. Each gang focuses on particular industries and regions of the world, according to the report.

The Ryuk/Conti gang has attacked 352 organizations since 2018 and 63 this year, focusing mostly on manufacturing, construction and transportation companies. Dozens of their victims have never been publicized, but the most notable organizations attacked include the Broward County School District and French cup company CEE Schisler, neither of which paid the exorbitant ransoms, the report said. In addition to manufacturing, the group made waves in 2020 for attacking the IT systems of small governments across the United States like Jackson County, Georgia, Riviera Beach, Florida, and LaPorte County, Indiana. All three local governments paid the ransoms, which ranged from $130,000 to nearly $600,000. The group also spent much of 2020 attacking local hospitals.

Like the Ryuk/Conti gang, the people behind the Sodin/REvil ransomware similarly focus on healthcare organizations while also devoting their efforts to attacking laptop manufacturers. Of their 161 victims, 52 were hit in 2021, and they made international news with attacks on Acer and Quanta, two of the world’s biggest technology manufacturers. Quanta, which produces Apple’s notebooks, was hit with a $50 million ransom demand. The company refused, and the Sodin/REvil gang leaked detailed designs of an Apple product in response. The gang threatened to leak more documents but pulled the photos and any other reference to the attack by May, according to the report, which noted that Apple has not spoken about the intrusion since.

The DoppelPaymer/BitPaymer gang has made a name for itself by targeting government institutions and schools. The FBI released a notice in December specifically about the ransomware, noting that it was being used to attack critical infrastructure like hospitals and emergency services. The report adds that most of the group’s 59 victims this year have not been publicly identified other than the Illinois attorney general’s office, which was attacked on April 29.

The Clop gang has focused its efforts on abusing the widely-covered vulnerability in Accellion’s file transfer system. The eSentire team and Mayes explain that the group used the vulnerability extensively, hitting the University of California, US bank Flagstar, global law firm Jones Day, Canadian jet manufacturer Bombardier, Stanford University, Dutch oil giant Royal Shell, the University of Colorado, the University of Miami, gas station company RaceTrac and many more. The report notes that the Clop gang became infamous for allegedly combing through an organization’s files and contacting customers or partners to demand that they pressure the victim into paying a ransom.

The DarkSide gang has been in the news as of late for their attack on Colonial Pipeline, which set off a political firestorm in the United States and a run on gas stations in certain towns along the East Coast. The group is one of the newest of the leading ransomware groups, emerging in late 2020, according to the report. But they’ve wasted little time, racking up 59 victims since November and 37 this year. The report notes that the DarkSide group is one of the few that operates as a ransomware-as-a-service operation, offloading responsibility onto contractors who attack targets and split ransoms. eSentire said their research indicated that the people behind DarkSide were unaware of the Colonial attack before it happened and only found out from the news. They made waves last week when they allegedly shut down all of their operations due to increased law enforcement scrutiny. The ransomware has been implicated in multiple attacks on energy producers, including one of Brazil’s largest electric utility companies, Companhia Paranaense de Energia, which they hit in February.

The final group studied is the Avaddon gang, which was in the news this week for their attack on major European insurance company AXA. The attack was notable because AXA provides dozens of companies with cyberinsurance and pledged to stop reimbursing their customers in France for paid ransoms. In addition to AXA, the group has also attacked 46 organizations this year and operates as a ransomware-as-a-service operation like DarkSide. The report explains that the gang is notable for including a countdown clock on their Dark Web site and for the added threat of a DDoS attack if the ransom is not paid. The list of their victims includes healthcare organizations like Capital Medical Center in Olympia, Washington and Bridgeway Senior Healthcare in New Jersey.

The eSentire team and Mayes added that the vast number of unreported attacks indicates that these gangs are “wreaking havoc against many more entities than the public realizes.” “Another sobering realization is that no single industry is immune from this ransomware scourge,” the report said. “These debilitating attacks are happening across all regions and all sectors, and it is imperative that all companies and private-sector organizations implement security protections to mitigate the damages stemming from a ransomware attack.”

The renewable energy industry is becoming more important as countries attempt to move away from fossil fuels, but the continued growth of the sector must be managed with cybersecurity in mind, or there’s the danger that vulnerabilities in everything from power plants down to smart meters could leave energy providers and their customers open to risk.

The energy industry is already a high-profile target for hackers, including those looking to deploy espionage campaigns, ransomware and even attacks with the intent to sabotage systems to cut off power – and the rapid transition towards renewable energy could lead to additional avenues for cyber criminals to exploit.

A new report by defence and security think tank the Royal United Services Institute (RUSI) has outlined some of the top cyber risks during the transition towards renewable energy from fossil fuels. “Renewables offer huge opportunities for the UK to become more self-sufficient in energy production whilst mitigating effects of climate change. This transition has to be taken with cybersecurity in mind, cognisant of future cyber threats to society due to the massive digitalisation of the sector,” said Sneha Dawda, research fellow in cybersecurity at RUSI.

One of the main targets for cyber attackers is the supervisory control and data acquisition (SCADA) systems responsible for managing industrial networks. There are two key security issues in SCADA systems – the first is that many of these networks are old, sometimes to the extent that they can’t receive security updates, which means that if they’re linked to internet-facing areas of the network, they can potentially be infiltrated by cyber criminals.

SCADA systems’ security can also be threatened if there’s a remote element to access, via cloud services and VPNs. Newer systems can lean heavily on remote access, but if login credentials or patch management aren’t looked after properly, this can provide another avenue for cyberattacks, particularly if automated systems that might not be closely monitored are involved. Some of the most common cybersecurity advice is to patch systems with security updates to protect against attacks. But the reality is that for many energy providers, the network is based on legacy systems – and in many cases, updating or replacing those systems could potentially affect services or involve rebuilding them completely.

According to the RUSI paper, another of the key concerns facing the renewable energy sector is cybersecurity risk in the supply chain. “If one vendor within the supply chain is compromised, this can have widespread consequences for all connected organisations,” the report warns, citing the likes of the Kaseya and SolarWinds attacks as examples of how cyber attackers can cause massive disruption through the software supply chain. In order to combat this, some of those consulted by researchers suggest that energy providers should take a more careful approach with supply chains, asking questions of suppliers and even helping them improve their security in some cases.

But it isn’t just energy providers themselves that could be affected directly by cybersecurity vulnerabilities – products and devices used in homes and businesses are also potentially at risk. One threat that the report warns about is lithium-ion batteries, which use a battery management system (BMS) to monitor safety and reliability – and can be connected to networks. However, the paper warns that weaknesses in encryption, authorisation and remote access into these connected devices could be exploited by attackers.

What’s more, these aren’t the only connected devices that potentially contain cybersecurity risks that need to be examined. The paper suggests that home car chargers are “a unique point of intrusion because they serve a very specific purpose”. Home chargers are becoming more common as hybrid and electric vehicles increase in popularity – but there are already examples of connected chargers being found to have firmware vulnerabilities that attackers can exploit, either to gain access to networks or to rope the devices into a botnet. “While these vulnerabilities have been patched, they provide good examples of how this technology is lacking in industry standards,” says the paper.

The final cybersecurity risk relating to renewable energy examined by the paper is IoT devices in smart homes and buildings. Energy companies are increasingly encouraging customers to install smart meters and other sensors. However, smart meters and IoT devices can be vulnerable to cyberattacks, providing cyber criminals with a route into networks and the ability to build botnets. It can also be difficult for users to patch IoT devices – if they can be patched at all. The paper suggests initiatives like the UK government’s ‘Secure by Design’ legislation could help improve the cybersecurity situation – and concludes that further research into risk-mitigation strategies and policy-focused recommendations is required.