All news with #ddos surge tag

Aisuru Botnet Floods U.S. ISPs in Record DDoS Attack

🛰️ Aisuru, now the world’s largest IoT botnet, is drawing the majority of its attack volume from compromised consumer devices hosted by U.S. ISPs such as AT&T, Comcast and Verizon. In early October the botnet briefly generated a near‑30 terabit-per-second traffic flood, underscoring its rapidly expanding scale and destructive reach. The attacks have targeted gaming-focused networks and protection providers, causing widespread collateral congestion and forcing providers to reassess outbound mitigation. Built on Mirai-derived code, Aisuru is also being marketed as a residential proxy service, complicating attribution and remediation.

Hacktivist Group TwoNet Targets Critical Infrastructure

🔍 Forescout observed pro‑Russian hacktivist group TwoNet compromise a realistic water‑treatment honeypot in September, moving from initial access to disruptive actions in roughly 26 hours. The attackers used default credentials and SQL enumeration, then exploited a stored XSS (CVE-2021-26829) to display the message "Hacked by Barlati," altered HMI PLC setpoints and disabled real‑time updates and logs. Researchers urge strong authentication, network segmentation, IP-based ACLs for admin interfaces, and protocol-aware detection to spot exploitation and HMI changes.

Responding to Cloud Incidents: Investigation and Recovery

🔍 Unit 42 outlines a structured approach to investigating and responding to cloud incidents, noting that 29% of 2024 incident investigations involved cloud or SaaS environments. The guidance emphasizes a shift from endpoint-centric forensics to focus on identities, misconfigurations and service interactions. It recommends enabling and centralizing logs, retaining them for at least 90 days, and preparing for rapid evidence collection and VM/container imaging. The article stresses identity forensics, behavioral baselining and surgical containment to avoid alerting adversaries.

ENISA: Phishing Drives Most EU Cyber Intrusions in 2024–25

📣 The EU security agency's ENISA Threat Landscape 2025 report, analyzing 4,875 incidents from 1 July 2024 to 30 June 2025, finds phishing was the initial access vector in 60% of intrusions, with vulnerability exploitation at 21%. Botnets and malicious applications accounted for 10% and 8% respectively, and 68% of intrusions led to follow-up malware deployment. ENISA highlights AI-powered phishing exceeded 80% of social engineering globally by early 2025 and warns of attacks aimed at critical digital supply chain dependencies and high-value targets such as outdated mobile and OT systems.

EU Agency: Cyber Threat Landscape in Europe Worsens

⚠️ ENISA reports the EU cyber threat landscape has worsened, identifying ransomware as the single most damaging threat due to widespread encryption and costly recoveries. By frequency, DDoS incidents dominate (77% of reported cases), though they typically cause shorter-lived outages. The agency's analysis of 4,875 incidents from July 2024 to June 2025 also highlights concentrated attacks on public administration and a rapid rise in AI-assisted social engineering.

Secure Network Architectures for Generative AI on AWS

🔐 This post explains how to design defense-in-depth network architectures for generative AI workloads using AWS services. It outlines common external threats — including layer 4 and layer 7 DDoS, web request floods, application-specific exploits, and malicious bots — and maps mitigations to AWS capabilities. The guidance recommends private connectivity via Amazon Bedrock and AWS PrivateLink, edge protections with AWS WAF and AWS Shield, subnet-level controls using AWS Network Firewall, and continuous detection and response with GuardDuty, Inspector, and CloudWatch.

Weekly Recap: Cisco 0-day, Record DDoS, New Malware

🛡️ Cisco firewalls were exploited in active zero-day attacks that delivered previously undocumented malware families including RayInitiator and LINE VIPER by chaining CVE-2025-20362 and CVE-2025-20333. Infrastructure and cloud environments faced major pressure this week: Cloudflare mitigated a record 22.2 Tbps DDoS while misconfigured Docker instances enabled ShadowV2 bot operations. Researchers also disclosed Supermicro BMC flaws that could allow malicious firmware implants, and ransomware actors increasingly abuse exposed AWS keys. Prioritize patching, firmware updates, and cloud identity hygiene now.

AWS WAF Bot, Fraud & DDoS Rule Group Expands Regions

🔒 AWS WAF's Targeted Bot Control, Fraud, and DDoS Prevention Rule Group are now available in Asia Pacific (Taipei), Asia Pacific (Bangkok), and Mexico (Central). These managed rule groups deliver detection and mitigations for sophisticated bots, application-layer DDoS, and account-takeover attacks at the web edge. Customers can deploy them to improve application resilience, reduce fraudulent activity, and limit resource consumption during attack campaigns.

Cisco IOS/IOS XE SNMP Stack Overflow — Patch Immediately

⚠️ Cisco has warned of a stack overflow vulnerability in the SNMP subsystem of IOS and IOS XE software identified as CVE-2025-20352. A low-privileged authenticated attacker can send a crafted SNMP packet to cause a system reload and a denial-of-service, while a high-privileged actor could achieve root-level arbitrary code execution. Administrators are urged to apply vendor patches immediately and restrict SNMP access until systems are updated.

ShadowV2 Turns Misconfigured Docker into DDoS Service

🛡️ Darktrace researchers uncovered a ShadowV2 campaign that leverages exposed Docker APIs on AWS EC2 to provision containers and run a Go-based remote access trojan, converting misconfigured cloud containers into distributed DDoS nodes. The attackers create containers on victim hosts rather than importing malicious images, likely to reduce forensic traces, and use the Python Docker SDK to interact with exposed daemons. ShadowV2 operators employ advanced techniques including HTTP/2 rapid reset and Cloudflare evasion, and the platform includes APIs, a Tailwind/FastAPI UI and operator logins that turn botnet control into a commercialized DDoS-as-a-Service offering.

Tech Surpasses Gaming as Top DDoS Target Q1-Q2 2025

🛡️ The Gcore Radar Q1–Q2 2025 report shows a 41% year-on-year rise in DDoS attacks, with total incidents reaching 1.17 million and a record 2.2 Tbps peak. Attacks are getting longer, more sophisticated, and increasingly multi-vector, with technology (≈30%) overtaking gaming (19%) as the primary target. Gcore emphasizes integrated WAAP and global filtering capacity to mitigate these risks.

ShadowV2 Botnet Highlights Growth of DDoS-as-a-Service

🛡️ Darktrace has uncovered a ShadowV2 campaign that combines a GitHub CodeSpaces-hosted Python command-and-control framework, a Docker-based spreader, and a Go-based RAT to operate a DDoS-as-a-service platform. Attackers target exposed Docker daemons on AWS EC2 to build on-victim images and deploy malware via environment variables, reducing forensic artifacts. The platform exposes an OpenAPI-driven UI and multi-tenant API enabling HTTP/HTTP2 floods, UAM bypasses, and other configurable attack options.

US Secret Service Disrupts Massive SIM Farm Network

📵 The U.S. Secret Service says it disrupted a large network of SIM farms near New York City that officials warn could have disabled cellular service during the U.N. General Assembly. Agents seized more than 300 SIM servers and roughly 100,000 SIM cards across sites in New York, New Jersey and Connecticut. Authorities say the equipment could have texted the entire U.S. population within minutes, launched DDoS attacks, and interfered with emergency communications. The agency attributed the operation to nation-state actors working with organised crime, while specific locations and perpetrators remain undisclosed.

Cell Tower Hacking Network Dismantled Near UN Event

🔒 The US Secret Service has seized and dismantled a network of electronic devices across the New York tristate area that could be used to disrupt cellular service ahead of the United Nations General Assembly in New York City. Authorities recovered 300 co-located SIM servers and 100,000 SIM cards, equipment capable of enabling DoS attacks, disabling towers and facilitating anonymous encrypted communications. The operation was led by the agency’s Advanced Threat Interdiction Unit, which says early analysis identified contacts between individuals tied to the network and known nation-state threat actors; the investigation remains ongoing with multiple federal and local partners.

Cloudflare Mitigates Record 22.2 Tbps DDoS Attack Again

🚨 Cloudflare reported that it mitigated a massive volumetric DDoS attack that peaked at 22.2 Tbps and 10.6 billion packets per second, lasting roughly 40 seconds. The traffic surge equated to streaming about one million 4K videos simultaneously and generated a packet rate roughly equal to 1.3 web page refreshes per person on Earth. Such extreme packet velocities strain firewalls, routers, and load balancers even where aggregate bandwidth may be handled. Cloudflare has provided limited technical detail on this and recent record attacks.

US Secret Service Seizes 300 SIM Servers, 100,000 Cards

🚨 The U.S. Secret Service announced it dismantled a network of more than 300 co-located SIM servers and roughly 100,000 SIM cards across the New York tri-state area ahead of the United Nations General Assembly. The devices, concentrated within a 35-mile radius of the UN gathering, were used to issue anonymous threats to senior U.S. officials and could be weaponized to disrupt telecommunications or enable encrypted communications. The agency's Advanced Threat Interdiction Unit is leading the investigation and said early evidence shows cellular links between nation-state actors and individuals known to federal law enforcement.

ShadowV2 Industrializes DDoS via Misconfigured Docker

🚨 ShadowV2 is a new botnet campaign that converts misconfigured Docker containers on AWS into a DDoS-for-hire platform. Darktrace’s analysis shows attackers exploiting exposed Docker daemons via the Python Docker SDK, building containers on victims' hosts and deploying a Go-based RAT that polls operators and launches large HTTP floods. The operation is highly professionalized, offering APIs, dashboards, operator logins and modular attack options that make DDoS easily rentable.

ShadowV2 Botnet Targets Misconfigured AWS Docker Containers

⚠️ Researchers at Darktrace disclosed ShadowV2, a DDoS-focused botnet that exploits misconfigured Docker daemons on AWS EC2 instances to deploy a Go-based RAT and enlist hosts as attack nodes. The campaign uses a Python spreader to spawn an Ubuntu setup container, build a custom image, and run an ELF payload that checks in with a Codespaces-hosted C2. Operators leverage HTTP/2 Rapid Reset floods, a Cloudflare UAM bypass via ChromeDP, and a FastAPI/Pydantic operator API, signaling a modular DDoS-for-hire service.

API Attacks Surge: 40,000 Incidents in H1 2025 Report

🔒 Thales' Imperva analysed telemetry from over 4,000 environments and reported about 40,000 API incidents in H1 2025, finding APIs now attract 44% of advanced bot traffic. Key findings included a 40% rise in credential-stuffing and account-takeover attempts against APIs without adaptive MFA, plus data scraping (31%) and coupon/payment fraud (26%). Financial services, telecoms and travel were among the most targeted sectors, and Thales warned the pace and sophistication of attacks will continue to increase.

Stark Industries Rebrands to Evade EU Sanctions, Persists

🔁 In May 2025 the EU sanctioned Moldova-based PQ Hosting and its owners, the Neculiti brothers, for alleged links to Kremlin hybrid warfare. Recorded Future and KrebsOnSecurity reporting show Stark Industries quickly rebranded to the[.]hosting under Dutch WorkTitans BV on 24 June 2025 while key address space and assets moved to PQ Hosting Plus S.R.L. Netherlands-based MIRhosting appears to host and manage the new entities, suggesting the sanctions achieved little lasting disruption.