Industry – INDIA NEWS (http://www.indiavpn.org)

DDoS Attacks on the Environmental Services Industry Surge by 61,839% in 2023

Jan 15, 2024 | Newsroom | Server Security / Cyber Attack

The environmental services industry witnessed an “unprecedented surge” in HTTP-based distributed denial-of-service (DDoS) attacks, accounting for half of all its HTTP traffic.

This marks a 61,839% increase in DDoS attack traffic year-over-year, web infrastructure and security company Cloudflare said in its DDoS threat report for 2023 Q4 published last week.

“This surge in cyber attacks coincided with COP 28, which ran from November 30th to December 12th, 2023,” security researchers Omer Yoachimik and Jorge Pacheco said, describing it as a “disturbing trend in the cyber threat landscape.”

The uptick in HTTP attacks targeting environmental services websites is part of a larger trend observed annually over the past few years, specifically during COP 26 and COP 27, as well as other United Nations environment-related resolutions or announcements.

“This recurring pattern underscores the growing intersection between environmental issues and cyber security, a nexus that is increasingly becoming a focal point for attackers in the digital age,” the researchers said.

Despite the environmental services sector becoming a new target in Q4 2023, the cryptocurrency industry continues to be the primary casualty in terms of the volume of HTTP DDoS attack requests.

With more than 330 billion HTTP requests targeting it, the attack traffic represents more than 4% of all HTTP DDoS traffic for the quarter. Gaming and gambling and telecommunications emerged as the second and third most attacked industries.

On the other end of the spectrum are the U.S. and China, acting as the main sources of HTTP DDoS attack traffic. It’s worth noting that the U.S. has been the largest source of HTTP DDoS attacks for five consecutive quarters since Q4 2022.

“Together, China and the U.S. account for a little over a quarter of all HTTP DDoS attack traffic in the world,” the researchers said. “Brazil, Germany, Indonesia, and Argentina account for the next 25%.”

The development comes amid a heavy onslaught of DDoS attacks targeting Palestinian banking, information technology (IT), and internet platforms following the onset of the Israel-Hamas War and Israel’s counteroffensive codenamed Operation Iron Swords.

The percentage of DDoS attack traffic targeting Palestinian websites grew by 1,126% quarter-over-quarter, Cloudflare said, adding DDoS attack traffic targeting Taiwan registered a 3,370% growth amidst the Taiwanese presidential elections and rising tensions with China.

Akamai, which also published its own retrospective on DDoS Trends in 2023, said “DDoS attacks became more frequent, longer, highly sophisticated (with multiple vectors), and focused on horizontal targets (attacking multiple IP destinations in the same attack event).”

The findings also follow a report from Cloudflare about the increasing threat posed by unmanaged or unsecured API endpoints, which could enable threat actors to exfiltrate potentially sensitive information.

“HTTP anomalies — the most frequent threat toward APIs — are common signals of malicious API requests,” the company said. “More than half (51.6%) of traffic errors from API origins comprised ‘429’ error codes: ‘Too Many Requests.’”

QakBot Malware Resurfaces with New Tactics, Targeting the Hospitality Industry

Dec 18, 2023 | Newsroom | Malware / Cybersecurity

A new wave of phishing messages distributing the QakBot malware has been observed, more than three months after a law enforcement effort saw its infrastructure dismantled by infiltrating its command-and-control (C2) network.

Microsoft, which made the discovery, described it as a low-volume campaign that began on December 11, 2023, and targeted the hospitality industry.

“Targets received a PDF from a user masquerading as an IRS employee,” the tech giant said in a series of posts shared on X (formerly Twitter).

“The PDF contained a URL that downloads a digitally signed Windows Installer (.msi). Executing the MSI led to Qakbot being invoked using export ‘hvsi’ execution of an embedded DLL.”

Microsoft said that the payload was generated the same day the campaign started and that it’s configured with the previously unseen version 0x500.

Zscaler ThreatLabz, in a post shared on X, described the resurfaced QakBot as a 64-bit binary that utilizes AES for network encryption and sends POST requests to the path /teorema505.

QakBot, also called QBot and Pinkslipbot, was disrupted as part of a coordinated effort called Operation Duck Hunt after the authorities managed to gain access to its infrastructure and instructed the infected computers to download an uninstaller file to render the malware ineffective.

Traditionally distributed via spam email messages containing malicious attachments or hyperlinks, QakBot is capable of harvesting sensitive information as well as delivering additional malware, including ransomware.

In October 2023, Cisco Talos revealed that QakBot affiliates were leveraging phishing lures to deliver a mix of ransomware, remote access trojans, and stealer malware.

The return of QakBot mirrors that of Emotet, which also resurfaced in late 2021 months after it was dismantled by law enforcement and has remained an enduring threat, albeit at a lower level.

While it remains to be seen if the malware will return to its former glory, the resilience of such botnets underscores the need for organizations to avoid falling victim to spam emails used in Emotet and QakBot campaigns.

“It is not unusual to see malware return after law enforcement actions, the two most prominent being TrickBot and Emotet,” Selena Larson, senior threat intelligence analyst at Proofpoint, said in a statement shared with The Hacker News.

“While the return of Qbot to email threat data is notable, it has not been observed at the same volume and scale of previous campaigns. The law enforcement disruption appears to still be having an impact on Qbot’s operations.”
