{"id":20632,"date":"2025-01-25T07:00:00","date_gmt":"2025-01-25T05:00:00","guid":{"rendered":"https:\/\/forklog.com\/en\/ulbricht-as-bait-a-new-ddos-record-and-other-cybersecurity-news\/"},"modified":"2025-01-25T07:00:00","modified_gmt":"2025-01-25T05:00:00","slug":"ulbricht-as-bait-a-new-ddos-record-and-other-cybersecurity-news","status":"publish","type":"post","link":"https:\/\/u1f987.com\/en\/ulbricht-as-bait-a-new-ddos-record-and-other-cybersecurity-news\/","title":{"rendered":"Ulbricht as bait, a new DDoS record, and other cybersecurity news"},"content":{"rendered":"<p>We compiled the week\u2019s most important cybersecurity news.<\/p>\n<div class=\"wp-block-text-wrappers-keypoints article_keypoints\">\n<ul class=\"wp-block-list\">\n<li>News about Ross Ulbricht inspired a fresh malware campaign.<\/li>\n<li>A record DDoS attack peaked at 5.6 Tbps.<\/li>\n<li>The Mamont virus spread on Telegram under the pretext of video downloads.<\/li>\n<\/ul>\n<\/div>\n<h2 class=\"wp-block-heading\"><strong>News about Ross Ulbricht became the lure for a fresh malware campaign<\/strong><\/h2>\n<p>Attackers exploited reports of the <a href=\"https:\/\/u1f987.com\/en\/news\/donald-trump-pardons-ross-ulbricht\">release from prison<\/a> of Silk Road darknet market founder Ross Ulbricht to draw users into fraudulent Telegram channels. The attack was spotted by vx-underground.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Ross Ulbricht&#8217;s Xitter is being spammed with accounts which appear to be associated with him (image 1). However, the accounts are not. When you try to view the &#8220;official&#8221; Ross Ulbricht Telegram channel it asks to verify your identity (image 2). <\/p>\n<p>It gives free malware! 
\u2665\ufe0f\u2665\ufe0f\u2665\ufe0f <a href=\"https:\/\/t.co\/PWHm7Nlsf2\">pic.twitter.com\/PWHm7Nlsf2<\/a><\/p>\n<p>\u2014 vx-underground (@vxunderground) <a href=\"https:\/\/twitter.com\/vxunderground\/status\/1881946956806926351?ref_src=twsrc%5Etfw\">January 22, 2025<\/a><\/p><\/blockquote>\n<p>Those who click the link face a fake verification request via a mini app. It tricks them into running PowerShell code that installs remote-access malware, which can then be used for extortion or data theft.<\/p>\n<p>A Telegram representative told <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/telegram-captcha-tricks-you-into-running-malicious-powershell-scripts\/\">Bleeping Computer<\/a> the platform monitors public-facing areas and removes malicious content when found.<\/p>\n<h2 class=\"wp-block-heading\"><strong>A record DDoS attack hit 5.6 Tbps<\/strong><\/h2>\n<p>Cloudflare <a href=\"https:\/\/blog.cloudflare.com\/ddos-threat-report-for-2024-q4\/\">mitigated<\/a> a new hyper-volumetric <span data-descr=\"distributed denial-of-service\" class=\"old_tooltip\">DDoS<\/span> attack that lasted 80 seconds and peaked at 5.6 Tbps. The incident occurred on October 29, 2024, but has only now been disclosed.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-qw.googleusercontent.com\/docsz\/AD_4nXc3qYgpKN8_iCsBM9RXhpMdVQASXDeMqyxnwQ9blCuUxseHCfCKswdYXOLE-zh2tRsCVmV3IpC2YDnlUetVsyR-5U73drU9rTlOSpYFOpyeF8S1QaTpqZbQpNXpqj9JABQJdeQcKQ?key=5TKs7JsSCq21HMqEbMMzewwg\" alt=\"Ulbricht as bait, a new DDoS record, and other cybersecurity news\"\/><figcaption class=\"wp-element-caption\">Contribution of each IP to the attack. 
Source: Cloudflare.<\/figcaption><\/figure>\n<p>The <span data-descr=\"User Datagram Protocol \u2014 user datagram protocol\" class=\"old_tooltip\">UDP<\/span>-based attack was launched by a Mirai-based botnet of 13,000 compromised devices. The target was an internet service provider in East Asia.<\/p>\n<p>Detection and mitigation were fully autonomous.<\/p>\n<p>Cloudflare had previously mitigated a record DDoS of 3.8 Tbps lasting 65 seconds <a href=\"https:\/\/u1f987.com\/en\/news\/cybersecurity-highlights-ddos-attacks-fraudulent-apps-and-more\">in early October 2024<\/a>.\u00a0<\/p>\n<h2 class=\"wp-block-heading\"><strong>The Mamont virus spread on Telegram under the guise of video downloads<\/strong><\/h2>\n<p>Russia\u2019s Interior Ministry <a href=\"https:\/\/t.me\/cyberpolice_rus\/2975\">warned<\/a> of Mamont malware being distributed via Telegram; it can read push notifications, SMS messages and photos from a gallery.<\/p>\n<p>Most often, the Trojan-laced app is sent disguised as a video file.\u00a0<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-qw.googleusercontent.com\/docsz\/AD_4nXcPzDqwkScCcqKNLDD8G-phT4ViGAncxUIs0kFXOjoGsouEJP4frY58AxyPtg7O2QPcr9VHvBHZxPzeb3tcrFqnEjSM-Y8cX831TxqWliN8XxK81v_pmLid2FtCq0bFdtoddz9-HA?key=5TKs7JsSCq21HMqEbMMzewwg\" alt=\"Ulbricht as bait, a new DDoS record, and other cybersecurity news\"\/><figcaption class=\"wp-element-caption\">Source: Russia\u2019s Interior Ministry.<\/figcaption><\/figure>\n<p>The ultimate goal is to gain access to payment instruments and potentially use personal data and other information from the smartphone.\u00a0<\/p>\n<p>Mamont can also auto-forward the malicious file to all contacts on Telegram.<\/p>\n<h2 class=\"wp-block-heading\"><strong>A Cloudflare vulnerability exposed user geolocation via an image<\/strong><\/h2>\n<p>A researcher known as hackermondev discovered a flaw in Cloudflare\u2019s <span data-descr=\"Content Delivery Network \u2014 content delivery 
network\" class=\"old_tooltip\">CDN<\/span> that allows tracking users\u2019 approximate locations by sending them an image and then analysing which servers cached it. Among the services exposed to the attack are the private messenger Signal and the Discord platform.\u00a0<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"zxx\" dir=\"ltr\"><a href=\"https:\/\/t.co\/1yLNEPKcGg\">https:\/\/t.co\/1yLNEPKcGg<\/a><\/p>\n<p>\u2014 daniel (@hackermondev) <a href=\"https:\/\/twitter.com\/hackermondev\/status\/1881714371010957784?ref_src=twsrc%5Etfw\">January 21, 2025<\/a><\/p><\/blockquote>\n<p>Typically, to speed up media delivery, Cloudflare caches assets at the <span data-descr=\"data centers\" class=\"old_tooltip\">data centers<\/span> nearest to the user. But an error in the Workers platform lets an attacker force specific data centers to handle the request. Responses obtained via the custom Cloudflare Teleport tool include the code of the airport nearest to the data center.<\/p>\n<p>Tracking accuracy is 50\u2013300 miles (80\u2013480 km), depending on the region and the number of Cloudflare data centers nearby.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-qw.googleusercontent.com\/docsz\/AD_4nXf2de-FLpq_MyQT6tqC_iJphpKQCi5w2ZgdK60bAZ-b3iIeH6Ih1Liqz4_P6WI0FcGUo_zusbY7llue_DENhWFCKA5GwJlrN0DaZqOZ2zQq2XrtxTRPRqSn_sr2k0515rpv3FJIkw?key=5TKs7JsSCq21HMqEbMMzewwg\" alt=\"Ulbricht as bait, a new DDoS record, and other cybersecurity news\"\/><figcaption class=\"wp-element-caption\">Screenshot from hackermondev\u2019s profile. Source: GitHub.<\/figcaption><\/figure>\n<p>Because many apps automatically fetch images for push notifications, a target can be tracked without any interaction on their part.\u00a0<\/p>\n<p>Hackermondev shared the findings with Cloudflare, Signal and Discord. Cloudflare said it had fixed the issue and paid the researcher $200. 
The other two said implementing anonymity at the network level lies outside their mission.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Viber was ordered to share information with the FSB<\/strong><\/h2>\n<p>On January 21, Roskomnadzor <a href=\"https:\/\/97-fz.rkn.gov.ru\/organizer-dissemination\/viewregistry\/#searchform\">added<\/a> Viber\u2019s developer, Luxembourg-based Viber Media S.a.r.l., to the register of <span data-descr=\"organisers of information dissemination\" class=\"old_tooltip\">ORI<\/span>. Inclusion on the list imposes obligations to exchange information with law enforcement.<\/p>\n<p>Viber must now store users\u2019 messages in Russia for six months and provide the FSB with their passport data, logins, accounts in third-party services, IP addresses and other details.\u00a0<\/p>\n<p>Yet since mid-December 2024, access to the messenger for Russian users has been <a href=\"https:\/\/u1f987.com\/en\/news\/cybersecurity-highlights-russia-bans-viber-telegrams-terrorist-tally-and-more\">restricted<\/a>.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Rostelecom confirmed a data leak at a contractor<\/strong><\/h2>\n<p>The Silent Crow group claimed it hacked Rostelecom by stealing databases from company.rt.ru and zakupki.rostelecom.ru. This was <a href=\"https:\/\/t.me\/dataleak\/3457\">reported<\/a> by the Telegram channel \u201cData leaks\u201d.<\/p>\n<p>As evidence, the attackers provided several tables listing registered users and their submissions via the website form. 
The information is dated September 20, 2024.\u00a0<\/p>\n<p>The dumps contain 154,000 unique email addresses and 101,000 phone numbers.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh7-qw.googleusercontent.com\/docsz\/AD_4nXcZLiJvbuy4Y9vG3QhbGp_DU5U2E9MNA2WIsaBy0o94oKd1_Bs7_1dOQwrMtSODVExVu6hY66o8azL-eCiNZiF8p4c6dMS-QsZaVlBP6ub94eW8Dn8iDrox7_GUNQjVaM4M1kt9Ew?key=5TKs7JsSCq21HMqEbMMzewwg\" alt=\"Ulbricht as bait, a new DDoS record, and other cybersecurity news\"\/><figcaption class=\"wp-element-caption\">Source: Telegram channel \u201cData leaks\u201d.<\/figcaption><\/figure>\n<p>Rostelecom told <a href=\"https:\/\/t.me\/kommersant\/77518\">Kommersant<\/a> the leak came from a contractor\u2019s infrastructure. The company is examining the databases but said no especially sensitive information was affected.\u00a0<\/p>\n<p>Even so, users were advised to reset passwords and enable two-factor authentication where possible.<\/p>\n<p>Also on ForkLog:<\/p>\n<ul class=\"wp-block-list\">\n<li>WazirX will discuss compensation with clients affected by the hack.<\/li>\n<li>Losses from the Phemex exchange hack exceeded $70 million. 
North Korean hackers were suspected.<\/li>\n<li>The X account of <a href=\"https:\/\/u1f987.com\/en\/news\/nasdaqs-x-account-compromised-to-promote-fake-memecoin\">Nasdaq was hacked<\/a> to pump a fake memecoin.<\/li>\n<li>A court <a href=\"https:\/\/u1f987.com\/en\/news\/court-overturns-sanctions-against-tornado-cash-mixer\">overturned sanctions<\/a> against the Tornado Cash mixer.<\/li>\n<li>Market maker CLS Global admitted to <a href=\"https:\/\/u1f987.com\/en\/news\/market-maker-cls-global-admits-to-sham-trading-of-fbis-ai-token\">fake trading of an AI token<\/a> to the FBI.<\/li>\n<li>Linea filtered out <a href=\"https:\/\/u1f987.com\/en\/news\/linea-eliminates-over-half-a-million-sybil-addresses-ahead-of-airdrop\">more than half a million<\/a> Sybil addresses ahead of its airdrop.<\/li>\n<li>Cuba\u2019s \u201cofficial\u201d memecoin turned out to be a scam.<\/li>\n<li>In Kazakhstan, the operators of an exchange received <a href=\"https:\/\/u1f987.com\/en\/news\/kazakhstan-jails-operators-of-illicit-bitcoin-exchange-seizes-assets\">prison terms<\/a> with confiscation.<\/li>\n<li>A controversial activist <a href=\"https:\/\/u1f987.com\/en\/news\/controversial-activist-offloads-50-of-tiktok-memecoin-supply\">dumped 50% of the supply<\/a> of the TIKTOK memetoken.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\"><strong>What to read this weekend?<\/strong><\/h2>\n<p>We explain Crimeware-as-a-Service\u2014illegal cyberattack services offered by subscription.\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We compiled the week\u2019s most important cybersecurity news. News about Ross Ulbricht inspired a fresh malware campaign. A record DDoS attack peaked at 5.6 Tbps. The Mamont virus spread on Telegram under the pretext of video downloads. 
News about Ross Ulbricht became the lure for a fresh malware campaign Attackers exploited reports of the release [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":20631,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1238,1233],"class_list":["post-20632","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybersecurity-digest","tag-industry-digests"],"aioseo_notices":[],"amp_enabled":true,"views":"39","promo_type":"","layout_type":"","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/20632","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/comments?post=20632"}],"version-history":[{"count":0,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/20632\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media\/20631"}],"wp:attachment":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media?parent=20632"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/categories?post=20632"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/tags?post=20632"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}