Wednesday, June 07, 2023

Bleeping Computer > Stay Vigilant

 Multiple Alerts + Warnings

Outlook.com hit by outages as hacktivists claim DDoS attacks

June 6, 2023, 12:31 PM

Outlook.com is suffering a series of outages today after being down multiple times yesterday, with hacktivists known as Anonymous Sudan claiming to perform DDoS attacks on the service.

This outage follows two major outages yesterday, creating widespread disruptions for global Outlook users, preventing users worldwide from reliably accessing or sending email and using the mobile Outlook app.

Outlook users have taken to Twitter to complain about the spotty email service, stating that it is affecting their productivity.

Outlook webmail unable to display email (Source: BleepingComputer)

Microsoft says these outages are caused by a technical issue, posting a series of updates to Twitter that alternate between saying the issues were mitigated and saying the problem has started again.

"We've identified that the impact has started again, and we're applying further mitigation," tweeted Microsoft.

"Telemetry indicates a reduction in impact relative to earlier iterations due to previously applied mitigations. Further details about the workstreams are in the admin center via MO572252."

Group claims to DDoS Microsoft Outlook

While Microsoft attributes the outages to technical issues, a group known as Anonymous Sudan claims to be behind them, saying it is performing DDoS attacks on Microsoft to protest US involvement in Sudanese internal affairs.

"We can target any US company we want. Americans, do not blame us, blame your government for thinking about intervening in Sudanese internal affairs. We will continue to target large US companies, government and infrastructure," Anonymous Sudan posted to their Telegram channel yesterday.

"We hope you enjoyed it, Microsoft"

Since then, the group has been taunting Microsoft in statements about the repeated DDoS attacks on Microsoft Outlook and Microsoft 365 services.

"Microsoft, today we played football with your services. Let's play a fun game. The fate of your services, which is used by hundreds of millions of people everyday, is under our dominion and choice," Anonymous Sudan posted to their Telegram channel.

"You have failed to repel the attack which has continued for hours, so how about you pay us 1,000,000 USD and we teach your cyber-security experts how to repel the attack and we stop the attack from our end?"

Anonymous Sudan claiming DDoS attacks on Microsoft (Source: Telegram)

From the check-host.net URLs shared by Anonymous Sudan, they say they are targeting "https://outlook.live.com/mail/0/," the main URL for the Outlook.com web service.

While these claims remain unverified, the service has been sluggish and plagued by a series of outages over the past 24 hours.

BleepingComputer contacted Microsoft about Anonymous Sudan's claims, but a response was not immediately available.

MAYANK PARMAR
Mayank Parmar is a journalist covering technology news, with a strong focus on Microsoft and Windows related stories. He is always poking under the hood of Windows looking for the latest secrets to reveal.

STEALTHY: A new PowerShell malware script named 'PowerDrop' has been discovered last month

NOTE: Organizations, particularly those in the aerospace defense industry, need to remain vigilant for this threat, monitoring PowerShell execution and looking for unusual WMI activity.

New 'PowerDrop' PowerShell malware targets U.S. aerospace industry

June 6, 2023, 09:00 AM

"A new PowerShell malware script named 'PowerDrop' has been discovered to be used in attacks targeting the U.S. aerospace defense industry.

PowerDrop was discovered by Adlumin, who last month found a sample of the malware in the network of a defense contractor in the U.S.

  • The firm reports that PowerDrop uses PowerShell and WMI (Windows Management Instrumentation) to create a persistent RAT (remote access trojan) on the breached networks.
  • The malware's operation tactics stand between "off-the-shelf" malware and advanced APT techniques, while the timing and targets suggest that the aggressor is likely state-sponsored.

PowerDrop attack details

Adlumin identified PowerDrop using machine learning detection that scrutinizes PowerShell script execution content; however, the infection chain or initial compromise is unknown.

The analysts presume the attackers might have deployed the script using an exploit, phishing emails to targets, or spoofed software download sites.

PowerDrop is a PowerShell script executed by the Windows Management Instrumentation (WMI) service and encoded using Base64 to function as a backdoor or RAT.

  • By looking at the system logs, the researchers discovered that the malicious script was executed using previously registered WMI event filters and consumers named 'SystemPowerManager,' created by the malware upon system compromise using the 'wmic.exe' command-line tool.

PowerDrop registering as a WMI event filter (Adlumin)

  • WMI is a built-in Windows feature that allows users to query local or remote computers for various information. In this case, it is being abused to trigger PowerShell command queries for updates to a performance-monitoring class.

The particular class is frequently updated with performance-related information such as processes, threads, system calls/sec, and queue length, so planting a malicious event trigger every two minutes is unlikely to raise suspicions.

"The WMI event filter is triggered when the WMI class is updated, which then triggers the execution of the PowerShell script," explains Adlumin in the report.

"Triggering by the filter is throttled to once every 120 seconds so long as the WMI class has been updated."

Once the PowerDrop script is active, it sends a hardcoded ICMP echo to its C2 server address, beaconing that a new infection is active.

The payload of the ICMP trigger is an unobfuscated UTF16-LE encoded string, which helps the C2 infrastructure distinguish it from random probes.

Once the beacon has been sent to the C2 server, the malware waits for 60 seconds for a response from the C2, typically an encrypted and padded payload containing a command for execution.

The malware decrypts the sent payload using a hardcoded 128-bit AES key and a 128-bit initialization vector and executes the contained command on the host.

Executing the decrypted command (Adlumin)

Next, PowerDrop sends the results of the command execution back to the C2 server, and if they are too large, it splits them into 128-byte chunks transmitted in a stream of multiple messages.

Breaking response into multiple data chunks (Adlumin)

Adlumin concludes that the use of PowerShell and WMI, combined with the fact that PowerDrop never touches the disk as a ".ps1" script file, makes it particularly stealthy.

  • Its communications are AES encrypted, the ICMP protocol used for its beacon signaling is common in network communications, and the 120-second interval between malicious network traffic reduces the likelihood of detection.

Organizations, particularly those in the aerospace defense industry, need to remain vigilant for this threat, monitoring PowerShell execution and looking for unusual WMI activity."
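As an added, defender-side illustration that is not from the article or from Adlumin's report: a read-only PowerShell hunt over the root/subscription namespace for permanent WMI event subscriptions matching the pattern described above (a filter/consumer pair such as 'SystemPowerManager', a filter polling a performance class, a consumer launching Base64-encoded PowerShell). The performance-class name hint and the command-line regexes are my assumptions.

```powershell
# Hunt for WMI permanent event subscriptions resembling the PowerDrop pattern.
# Read-only: it only reports. Run elevated so the subscription namespace is readable.
$ns = 'root/subscription'

# 'SystemPowerManager' comes from the report; the other indicators are assumptions.
$knownName     = 'SystemPowerManager'
$perfClassHint = 'Win32_PerfFormattedData'   # performance-monitoring class family (assumed)
$psPattern     = '(?i)powershell|pwsh'
$encPattern    = '(?i)-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}'   # Base64 -EncodedCommand

function Get-RefName {
    # A binding's Filter/Consumer is a CimInstance under the CIM cmdlets, but a
    # '...__EventFilter.Name="x"' path string under legacy WMI; handle both forms.
    param($Ref)
    if ($Ref -is [string]) { return ($Ref -split '"')[1] }
    return $Ref.Name
}

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue

foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object Name -eq $fName
    $c = $consumers | Where-Object Name -eq $cName
    # The launched command lives in a different property depending on the consumer class.
    $cmd = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
           elseif ($c.ScriptText)      { $c.ScriptText }
           else                        { '' }

    $reasons = @()
    if ($fName -eq $knownName -or $cName -eq $knownName) { $reasons += "name matches '$knownName'" }
    if ($f.Query -match $perfClassHint)                  { $reasons += 'filter polls a performance class' }
    if ($cmd -match $psPattern)                          { $reasons += 'consumer launches PowerShell' }
    if ($cmd -match $encPattern)                         { $reasons += 'consumer passes an encoded command' }

    # Report on the known name alone, or on any two weaker indicators together.
    if ($fName -eq $knownName -or $reasons.Count -ge 2) {
        [pscustomobject]@{
            Filter   = $fName
            Consumer = $cName
            Class    = $c.CimClass.CimClassName
            Query    = $f.Query
            Command  = $cmd
            Reasons  = ($reasons -join '; ')
        }
    }
}
```

Any hit should be compared against known-good subscriptions (management agents also use this namespace) before removal.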


SOME OF THE LATEST ARTICLES

4 Chinese, 4 Russian warplanes enter S. Korea's air defense zone without prior notice

 

RELATED 
Military News Aljazeera 07 June 2023

S Korea, Japan scramble jets due to China-Russia joint air patrol

China’s defence ministry says joint patrol with Russian bomber aircraft was part of exercises that first started in 2019.

South Korean air force's F-15s, as pictured from the cockpit of a US military aircraft in July 2017

". . .Unlike a country’s airspace – the air above its territory and territorial waters – there are no international rules governing air defense zones.

South Korea’s Joint Chiefs of Staff said aircraft were expected to identify their presence when they enter the air defense zone “so as to prevent accidental clashes”, South Korea’s Yonhap News Agency reported on Tuesday.

“Our military identified the Chinese and Russian planes before their entry into the KADIZ and deployed Air Force fighters to conduct tactical steps in preparation against potential accidental situations,” Yonhap reported, citing a statement from the Joint Chiefs of Staff.

  • . . . Japan also said it scrambled fighter jets on Tuesday in response to a pair of Russian bomber planes that were joined by two Chinese bombers over the Sea of Japan and flew together as far as the East China Sea, where they were then joined by two Chinese fighter planes.

China’s defense ministry said the joint patrol was part of a cooperation plan between Beijing and Moscow and was the sixth such exercise since 2019.

  • South Korea also scrambled fighter jets in November 2022 during China’s last joint aerial patrol with Russia when Chinese H-6K bombers and Russian TU-95 bombers and SU-35 fighter jets entered the KADIZ.

During a joint patrol in May 2022, Chinese and Russian warplanes neared Japan’s airspace as Tokyo was hosting a Quad summit with the leaders of the United States, India and Australia. The air exercise alarmed Japan though China said the patrol was not intended to intimidate.

Beijing and Moscow’s joint patrols are part of expanding ties between the two in what has been called a “no-limits” partnership.

China’s growing military footprint in the Asia-Pacific also coincides with increased military manoeuvres and drills by the United States and its regional allies.

The White House has also recently warned of aggressive encounters between US and Chinese forces – ships and planes – in the Taiwan Strait and the South China Sea.

US Secretary of Defense Lloyd Austin told Asia’s top security summit – the Shangri-La Dialogue, which was held in Singapore over the weekend – that better communication was necessary between Beijing and Washington to avoid a crisis. . ."

  • South Korea’s defense ministry said on Wednesday that it had lodged a protest with the Chinese and Russian embassies in Seoul and expressed regret their military aircraft had flown near “sensitive areas close to our air space”, Yonhap reported. The ministry called on both countries to “take appropriate measures to prevent a recurrence, . . . noting that such a flight could cause regional tensions”, Yonhap added.

FLANKER: Finally!! Russia's Su-27 Fighter Jet Tests the Launch of the Deadliest New Missile

Here's a Good One for Ya: New Browser Game

 

Techdirt Podcast Episode 353: Moderator Mayhem!

from the swipe-left-swipe-right dept

Last month, in partnership with Engine, we launched our new browser game that puts you in the shoes of a frontline content moderation worker at a growing online platform: Moderator Mayhem. If you haven’t tried it yet, you can play it in your browser on mobile or desktop. The response to the game has been great, and this week Mike is joined on the podcast by myself, our game design partner Randy Lubin of Leveraged Play, and Engine executive director Kate Tummarello who spearheaded the project, to discuss how we built Moderator Mayhem and the impact it’s been having so far.

Follow the Techdirt Podcast on Soundcloud, subscribe via Apple Podcasts or Spotify, or grab the RSS feed. You can also keep up with all the latest episodes right here on Techdirt.
