All news with #ddos surge tag

Cisco IOS/IOS XE SNMP Stack Overflow — Patch Immediately

⚠️ Cisco has warned of a stack overflow vulnerability in the SNMP subsystem of IOS and IOS XE software identified as CVE-2025-20352. A low-privileged authenticated attacker can send a crafted SNMP packet to cause a system reload and a denial-of-service, while a high-privileged actor could achieve root-level arbitrary code execution. Administrators are urged to apply vendor patches immediately and restrict SNMP access until systems are updated.

ShadowV2 Turns Misconfigured Docker into DDoS Service

🛡️ Darktrace researchers uncovered a ShadowV2 campaign that leverages exposed Docker APIs on AWS EC2 to provision containers and run a Go-based remote access trojan, converting misconfigured cloud containers into distributed DDoS nodes. The attackers create containers on victim hosts rather than importing malicious images, likely to reduce forensic traces, and use the Python Docker SDK to interact with exposed daemons. ShadowV2 operators employ advanced techniques including HTTP/2 rapid reset and Cloudflare evasion, and the platform includes APIs, a Tailwind/FastAPI UI and operator logins that turn botnet control into a commercialized DDoS-as-a-Service offering.

Tech Surpasses Gaming as Top DDoS Target Q1-Q2 2025

🛡️ The Gcore Radar Q1–Q2 2025 report shows a 41% year-on-year rise in DDoS attacks, with total incidents reaching 1.17 million and a record 2.2 Tbps peak. Attacks are getting longer, more sophisticated, and increasingly multi-vector, with technology (≈30%) overtaking gaming (19%) as the primary target. Gcore emphasizes integrated WAAP and global filtering capacity to mitigate these risks.

ShadowV2 Botnet Highlights Growth of DDoS-as-a-Service

🛡️ Darktrace has uncovered a ShadowV2 campaign that combines a GitHub CodeSpaces-hosted Python command-and-control framework, a Docker-based spreader, and a Go-based RAT to operate a DDoS-as-a-service platform. Attackers target exposed Docker daemons on AWS EC2 to build on-victim images and deploy malware via environment variables, reducing forensic artifacts. The platform exposes an OpenAPI-driven UI and multi-tenant API enabling HTTP/HTTP2 floods, UAM bypasses, and other configurable attack options.

US Secret Service Disrupts Massive SIM Farm Network

📵 The U.S. Secret Service says it disrupted a large network of SIM farms near New York City that officials warn could have disabled cellular service during the U.N. General Assembly. Agents seized more than 300 SIM servers and roughly 100,000 SIM cards across sites in New York, New Jersey and Connecticut. Authorities say the equipment could have texted the entire U.S. population within minutes, launched DDoS attacks, and interfered with emergency communications. The agency attributed the operation to nation-state actors working with organised crime, while specific locations and perpetrators remain undisclosed.

Cell Tower Hacking Network Dismantled Near UN Event

🔒 The US Secret Service has seized and dismantled a network of electronic devices across the New York tristate area that could be used to disrupt cellular service ahead of the United Nations General Assembly in New York City. Authorities recovered 300 co-located SIM servers and 100,000 SIM cards, equipment capable of enabling DoS attacks, disabling towers and facilitating anonymous encrypted communications. The operation was led by the agency’s Advanced Threat Interdiction Unit, which says early analysis identified contacts between individuals tied to the network and known nation-state threat actors; the investigation remains ongoing with multiple federal and local partners.

Cloudflare Mitigates Record 22.2 Tbps DDoS Attack Again

🚨 Cloudflare reported that it mitigated a massive volumetric DDoS attack that peaked at 22.2 Tbps and 10.6 billion packets per second, lasting roughly 40 seconds. The traffic surge equated to streaming about one million 4K videos simultaneously and generated a packet rate roughly equal to 1.3 web page refreshes per person on Earth. Such extreme packet velocities strain firewalls, routers, and load balancers even where aggregate bandwidth may be handled. Cloudflare has provided limited technical detail on this and recent record attacks.

US Secret Service Seizes 300 SIM Servers, 100,000 Cards

🚨 The U.S. Secret Service announced it dismantled a network of more than 300 co-located SIM servers and roughly 100,000 SIM cards across the New York tri-state area ahead of the United Nations General Assembly. The devices, concentrated within a 35-mile radius of the UN gathering, were used to issue anonymous threats to senior U.S. officials and could be weaponized to disrupt telecommunications or enable encrypted communications. The agency's Advanced Threat Interdiction Unit is leading the investigation and said early evidence shows cellular links between nation-state actors and individuals known to federal law enforcement.

ShadowV2 Industrializes DDoS via Misconfigured Docker

🚨 ShadowV2 is a new botnet campaign that converts misconfigured Docker containers on AWS into a DDoS-for-hire platform. Darktrace’s analysis shows attackers exploiting exposed Docker daemons via the Python Docker SDK, building containers on victims' hosts and deploying a Go-based RAT that polls operators and launches large HTTP floods. The operation is highly professionalized, offering APIs, dashboards, operator logins and modular attack options that make DDoS easily rentable.

ShadowV2 Botnet Targets Misconfigured AWS Docker Containers

⚠️ Researchers at Darktrace disclosed ShadowV2, a DDoS-focused botnet that exploits misconfigured Docker daemons on AWS EC2 instances to deploy a Go-based RAT and enlist hosts as attack nodes. The campaign uses a Python spreader to spawn an Ubuntu setup container, build a custom image, and run an ELF payload that checks in with a Codespaces-hosted C2. Operators leverage HTTP/2 Rapid Reset floods, a Cloudflare UAM bypass via ChromeDP, and a FastAPI/Pydantic operator API, signaling a modular DDoS-for-hire service.

API Attacks Surge: 40,000 Incidents in H1 2025 Report

🔒 Thales' Imperva analysed telemetry from over 4,000 environments and reported about 40,000 API incidents in H1 2025, finding APIs now attract 44% of advanced bot traffic. Key findings included a 40% rise in credential-stuffing and account-takeover attempts against APIs without adaptive MFA, plus data scraping (31%) and coupon/payment fraud (26%). Financial services, telecoms and travel were among the most targeted sectors, and Thales warned the pace and sophistication of attacks will continue to increase.

Stark Industries Rebrands to Evade EU Sanctions, Persists

🔁 In May 2025 the EU sanctioned Moldova-based PQ Hosting and its owners, the Neculiti brothers, for alleged links to Kremlin hybrid warfare. Recorded Future and KrebsOnSecurity reporting show Stark Industries quickly rebranded to the[.]hosting under Dutch WorkTitans BV on 24 June 2025 while key address space and assets moved to PQ Hosting Plus S.R.L. Netherlands-based MIRhosting appears to host and manage the new entities, suggesting the sanctions achieved little lasting disruption.

DDoS Mitigation Provider Hit by 1.5 Billion PPS Attack

🚨 A European DDoS mitigation provider was hit by a massive packet-rate flood that peaked at 1.5 billion packets per second. FastNetMon detected the assault, which originated from thousands of compromised customer premises devices, including IoT units and MikroTik routers across more than 11,000 networks. The malicious traffic was primarily a UDP flood and was mitigated in real time using the customer's scrubbing facility, ACLs on edge routers, and packet inspection. FastNetMon warned this trend requires ISP-level filtering to prevent large-scale abuse of consumer hardware.

Cloudflare Mitigates Record 11.5 Tbps UDP Flood Attack

🛡️ Cloudflare said it automatically mitigated a record-setting volumetric DDoS attack that peaked at 11.5 Tbps and reached 5.1 billion packets per second; the UDP flood lasted roughly 35 seconds and reportedly originated largely from Google Cloud. The company reported it has autonomously blocked hundreds of hyper‑volumetric L3/4 attacks in recent weeks, underscoring a sharp surge in such events. Security researchers warn these massive traffic floods can be used as a smoke screen for follow-on targeted exploits.

Cloudflare Blocks Record 11.5 Tbps UDP Flood DDoS Attack

🛡️ Cloudflare says it blocked the largest recorded volumetric DDoS attack, peaking at 11.5 Tbps. The UDP flood, which Cloudflare attributes mainly to traffic originating from Google Cloud, lasted roughly 35 seconds and was part of a broader surge of hyper‑volumetric events. The mitigation highlights Cloudflare's automated scaling and defensive capabilities against short, extremely high‑bandwidth assaults.

Resurgence of Mirai-Based IoT Malware: Gayfemboy Campaign

🛡️ FortiGuard Labs reports the resurgence of a Mirai-derived IoT malware family, publicly known as “Gayfemboy,” which reappeared in July 2025 targeting vulnerabilities in DrayTek, TP-Link, Raisecom, and Cisco devices. The campaign delivers UPX-packed payloads via predictable downloader scripts named for product families and uses a modified UPX header and architecture-specific filenames to evade detection. At runtime the malware enumerates processes, kills competitors, implements DDoS and backdoor modules, and resolves C2 domains through public DNS resolvers to bypass local filtering. FortiGuard provides AV detections, IPS signatures, and web-filtering blocks; organizations should patch and apply network defenses immediately.

Oregon Man Charged Over Rapper Bot DDoS Service Probe

🔒 Federal agents arrested 22‑year‑old Ethan J. Foltz of Springfield, Ore., on Aug. 6, 2025, on suspicion of operating Rapper Bot, a global IoT botnet rented to extortionists for DDoS attacks. The complaint alleges Rapper Bot routinely generated attacks exceeding 2 terabits per second and at times surpassed 6 Tbps, including an attack tied to intermittent outages on Twitter/X. Investigators traced control infrastructure and payments through an ISP subpoena, PayPal records and Google data, recovered Telegram chats with a co‑conspirator known as 'Slaykings,' and say Foltz wiped logs regularly to hinder attribution. He faces one count of aiding and abetting computer intrusions, carrying a maximum statutory term of 10 years.

KrebsOnSecurity Featured in HBO Max 'Most Wanted' Series

📰 The HBO Max documentary Most Wanted: Teen Hacker features interviews with Brian Krebs and examines the criminal trajectory of Julius Kivimäki, a Finnish hacker convicted for extensive data breaches and later mass extortion. The four-part series traces his early role in the Lizard Squad, high-profile DDoS attacks, swatting incidents, and the Vastaamo psychotherapy breach and patient extortion. Directed by Sami Kieski and co-written by Joni Soila, episodes will stream weekly on Fridays throughout September.

CISA Alerts: Palo Alto PAN-OS Vulnerability Under Attack

🔔 CISA has warned that firewalls running Palo Alto Networks PAN-OS are under active attack and require immediate patching. The issue, tracked as CVE-2022-0028, can be abused without authentication to perform reflected and amplified TCP denial-of-service attacks using PA-Series, VM-Series and CN-Series devices. Palo Alto has released patches for multiple PAN-OS branches and CISA added the flaw to its Known Exploited Vulnerabilities Catalog, urging federal agencies to remediate by September 9. Administrators should review URL filtering profiles with blocked categories on externally facing interfaces and apply vendor fixes promptly.