GNU social JP
Conversation

Notices

  1. Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 01-Nov-2024 03:09:04 JST

    Kingdom Bank in the UK have got their online banking available in the past 30 minutes by... changing the URL. It's now https://onl1ne44.kingdom.bank

    As before it's behind Microsoft Azure Application Gateway.

    Many of the NoName victims over the last few days use Azure Application Gateway. I've been in touch with a few - they have DDoS mitigation enabled in the Azure service, but it doesn't work against NoName doing basic attacks. This includes councils etc.

    #NoName #threatintel

    In conversation about 7 months ago from cyberplace.social permalink

    Attachments


    1. https://cyberplace.social/system/media_attachments/files/113/403/360/570/333/864/original/19e7b500a294137b.png

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 13-Sep-2024 20:34:42 JST

      NoName057(16) are targeting their DDoS infrastructure at the UK and will announce shortly.

      So far none of the attacks are successful as they’re being defended against.

      They may do a cheesy video to go with it. #threatintel

      In conversation about 9 months ago permalink
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 13-Sep-2024 20:56:07 JST

      If you’re wondering what they’re targeting their “DDoS missiles” at, it’s some tram and ferry information websites #threatintel #noname

      In conversation about 9 months ago permalink
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 13-Sep-2024 21:38:14 JST

      NoName announcement went out. #threatintel #noname

      In conversation about 9 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/113/130/277/781/681/358/original/8c176609028d79c9.jpeg
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 14-Sep-2024 18:53:25 JST

      NoName continue to send “DDoS missiles” to the UK - they’re unsuccessfully targeting bus information websites in two towns.

      They plan announcement of their attack later today.

      #threatintel #noname

      In conversation about 9 months ago permalink
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 14-Sep-2024 18:55:38 JST

      Or how the cyber industry assesses NoName #threatintel #noname

      In conversation about 9 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/113/135/302/022/136/545/original/adc2078bd75627b4.jpeg
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 28-Oct-2024 18:17:19 JST

      NoName are upset at UK gov today, targets - they may have some success as most are new.

      * www.mossley-council.co.uk
      * oneonline.bradford.gov.uk
      * www.bradford.gov.uk
      * resident.dacorum.gov.uk
      * www.keighley.gov.uk
      * youraccount.salford.gov.uk
      * www.tameside.gov.uk
      * www.bury.gov.uk
      * www.dacorum.gov.uk
      * www.southampton.gov.uk
      * www.liverpool.gov.uk
      * my.trafford.gov.uk
      * www.salford.gov.uk
      * www.hertfordshire.gov.uk
      * www.stalbans.gov.uk
      * www.dudley.gov.uk

      #threatintel #noname

      In conversation about 8 months ago permalink

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 28-Oct-2024 18:22:02 JST

      If any of the targeted councils want a hand give me a shout, I can give you the botnet config which will give you an idea what to block (you’ll need a WAF first).

      Normally they recycle the same old, already mitigated config for the UK - they finally made a new one today. #threatintel #noname

      In conversation about 8 months ago permalink
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 28-Oct-2024 18:46:59 JST

      Announcement is out. #threatintel #noname

      In conversation about 8 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/113/384/410/352/824/388/original/a117401686d113d1.png
    • OSPF110 ☕ (ospf110@cyberplace.social)'s status on Monday, 28-Oct-2024 19:19:14 JST

      @GossiTheDog Lol always makes me laugh when I see Keighley and Bradford on these lists. Didn't realise those big powerhouses of the north had so much say in foreign policy 😂

      In conversation about 8 months ago permalink
    • gwire (gwire@mastodon.social)'s status on Monday, 28-Oct-2024 21:39:16 JST

      @GossiTheDog I guess Dacorum Borough Council is going to have to reassess their foreign policy?

      In conversation about 8 months ago permalink
    • lp0 on fire :unverified: (lp0_on_fire@social.linux.pizza)'s status on Monday, 28-Oct-2024 21:39:31 JST

      @GossiTheDog, “Prime Minister KEIRA Starmer”‽ (insert really bad-taste joke here)

      In conversation about 8 months ago permalink
    • jascar (jascar@cyberplace.social)'s status on Monday, 28-Oct-2024 23:16:27 JST

      @GossiTheDog what would be the best way to contact you?

      In conversation about 8 months ago permalink
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 29-Oct-2024 03:54:58 JST

      NoName’s config is still targeting those UK councils. Makes a change from bus shed websites. #threatintel #noname

      In conversation about 8 months ago permalink
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 29-Oct-2024 22:49:45 JST

      Today #NoName are upset with three orgs in Ukraine, 3 financial services orgs in the UK, BAE and 3 UK councils. #threatintel

      In conversation about 8 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/113/391/022/910/676/130/original/64bc9e4aeaad8475.png
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 29-Oct-2024 22:58:41 JST

      Only the two councils are impacted still.

      Eastleigh are using Azure App Service, which collapsed for them.

      Trafford Council are using on prem webserver, which couldn't cope with load.

      The problematic DDoS configs attached, $_1 is a variable for random gibberish - they basically stuff the search feature.

      In conversation about 8 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/113/391/047/248/603/496/original/80b8c98dc931da23.png

      2. https://cyberplace.social/system/media_attachments/files/113/391/049/823/028/532/original/f31fc316c856f68a.png

      3. https://cyberplace.social/system/media_attachments/files/113/391/060/012/593/604/original/2097ab443a0987bd.png
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 31-Oct-2024 03:16:07 JST

      #NoName continue to be mad at UK county councils.

      They're rotating through different councils and will be having much success this week, I imagine they will do a victory lap by Friday.

      Councils - contact the NCSC for assistance. I can give you the full botnet configs if it helps - kevin.beaumont@gmail.com

      The long story short is turn off the search feature or put a WAF - Web Application Firewall - in front of your services and use it to filter out the requests in the botnet conf.

      In conversation about 8 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/113/397/725/934/934/686/original/f6dfa641d19d89b2.png
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 31-Oct-2024 03:19:28 JST

      One other thing for UK councils to note, NoName store the configs and rotate them. E.g. by tomorrow morning, around 6am UK time, they'll likely change to different councils.

      But they will periodically rotate back to the same attack config whenever "Keira" (they can't spell the PM's name) does something they don't like. E.g. they've been doing the same attack at liverpool.gov.uk for over a year intermittently, despite it being mitigated nowadays. So have a process on how to deal with it the next time.

      In conversation about 8 months ago permalink

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 31-Oct-2024 15:21:05 JST

      #NoName setting up for UK runs again today - they’re stopping councils and reconfiguring for transport and financial services. They usually go for obviously weakly protected systems.

      In conversation about 7 months ago permalink
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 01-Nov-2024 03:21:28 JST

      This is the advanced* DDoS btw, see if you can spot how the rate limiting in Azure Front Door WAF isn't exactly well equipped for NoName arriving with 20k source IP addresses from Ddosia.

      In other news, you may have noticed Microsoft have shifted many of their customer facing services from Azure Front Door to behind Akamai in recent times.

      In conversation about 7 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/113/403/395/759/130/119/original/f6564ccc31a0aaeb.png

      2. https://cyberplace.social/system/media_attachments/files/113/403/411/013/811/485/original/161be40d0a5ae74f.png

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 01-Nov-2024 03:28:31 JST

      The other pattern for the past week is orgs with on prem systems, either just directly internet exposed or - more likely - behind BIG-IP.

      Having a big link and DDoS scrubbing doesn't work on prem if you allow inbound web requests unfiltered - NoName just send valid HTTP requests from 20k systems at the same time 24/7 to search pages.

      Orgs need cloud WAFs.

      Another thought - somebody like the NCSC needs to provide a managed, central WAF service to councils. They can't deal with this stuff.

      In conversation about 7 months ago permalink
    • Bálint Szilakszi (szbalint@x0r.be)'s status on Friday, 01-Nov-2024 05:40:37 JST

      @GossiTheDog 20k isn’t even a large number of systems, I regularly see probing DDoS attempts with many multiples of that

      Councils definitely can’t self-manage DDoS mitigation

      In conversation about 7 months ago permalink
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 02-Nov-2024 19:51:14 JST

      NoName is back to targeting 15 UK council sites this weekend, they've recycled config from earlier in the week.

      Unfortunately a majority have fallen over again.

      Councils should contact NCSC for assistance (what assistance there is I don't know). I can give you configs for what pages are being targeted if needed.

      #NoName #threatintel

      In conversation about 7 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/113/412/965/303/895/790/original/f25fafd92daef40c.png
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 02-Nov-2024 19:56:56 JST

      Btw, if you use Azure's anti-DDoS - it doesn't work against NoName because the rate limiting in Front Door sucks. The best move right now is to disable or change the URL they are targeting. It's usually a search page.

      NoName can adapt the config to change to a different URL... but they usually don't bother, e.g. they use the same config that doesn't work on Liverpool.gov.uk for over a year, even today.

      In conversation about 7 months ago permalink
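
Added example, not part of the thread and not any vendor's tooling: a Python check over a constructed one-minute request window, illustrating the posts above about per-client rate limiting and 20k source addresses. It shows a per-client limit never firing while a per-path view (distinct sources plus never-repeated query values) picks out the URL to filter or disable. The `/search` path, the `q` parameter, all addresses and all thresholds are assumptions.

```python
import random
import string
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qsl

PER_IP_LIMIT = 100      # assumed per-client threshold (requests per minute)
MIN_SOURCES = 1000      # assumed: distinct clients on one path before flagging
MIN_UNIQUE_RATIO = 0.9  # assumed: share of query values seen only once

def make_sample_window(seed=1):
    """Constructed sample: (client_ip, request_target) pairs for one minute."""
    rng = random.Random(seed)
    def junk():
        return "".join(rng.choices(string.ascii_lowercase, k=12))
    # 20,000 sources, three valid-looking search requests each
    flood = [(f"10.{i >> 16}.{(i >> 8) & 255}.{i & 255}", f"/search?q={junk()}")
             for i in range(20000) for _ in range(3)]
    terms = ["bins", "council+tax", "parking", "planning"]
    normal = [(f"192.0.2.{rng.randrange(1, 200)}",
               rng.choice(["/", "/contact", f"/search?q={rng.choice(terms)}"]))
              for _ in range(2000)]
    return flood + normal

def per_ip_offenders(window, limit=PER_IP_LIMIT):
    """Clients a per-IP rate limit would act on."""
    counts = Counter(ip for ip, _ in window)
    return [ip for ip, n in counts.items() if n > limit]

def hot_paths(window, min_sources=MIN_SOURCES, min_ratio=MIN_UNIQUE_RATIO):
    """Paths hit by many distinct clients with mostly never-repeated query values."""
    sources, values, hits = defaultdict(set), defaultdict(list), Counter()
    for ip, target in window:
        url = urlsplit(target)
        hits[url.path] += 1
        sources[url.path].add(ip)
        values[url.path].extend(v for _, v in parse_qsl(url.query))
    flagged = []
    for path, ips in sources.items():
        vals = values[path]
        ratio = len(set(vals)) / len(vals) if vals else 0.0
        if len(ips) >= min_sources and ratio >= min_ratio:
            flagged.append((path, hits[path], len(ips), round(ratio, 2)))
    return flagged

if __name__ == "__main__":
    window = make_sample_window()
    print("per-IP limit would block:", per_ip_offenders(window))
    for path, n, srcs, ratio in hot_paths(window):
        print(f"{path}: {n} requests, {srcs} sources, {ratio} unique query values")
```
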

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 03-Nov-2024 16:40:12 JST

      #NoName UK targeting today - 12 councils, 4 UK banks.

      They're targeting my.kingdom.bank - which you may remember up thread, doesn't exist any more as the bank changed the URL. So their online banking remains online today.

      In conversation about 7 months ago permalink
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 03-Nov-2024 19:00:15 JST

      If anybody is interested, out of the 12 councils targeted today, 7 are okay, 5 have websites down for past 4 hours.

      In conversation about 7 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/113/418/424/925/162/231/original/ee4aeeb6f0b0d9f7.png
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 04-Nov-2024 01:25:36 JST

      The same five UK council websites have been down for 10 hours consecutively now. #NoName #threatintel

      In conversation about 7 months ago permalink
    • Hambone Fakenamington (centuryavocado@fosstodon.org)'s status on Monday, 04-Nov-2024 04:16:48 JST

      @GossiTheDog Cardiff loads for me.

      In conversation about 7 months ago permalink
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 04-Nov-2024 05:36:53 JST

      Cardiff.gov.uk returned a few hours ago, burnley.gov.uk in the past 5 minutes. #NoName #threatintel

      In conversation about 7 months ago permalink

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 04-Nov-2024 16:48:46 JST

      #NoName have moved on to South Korea, probably for the rest of the week.

      Any UK orgs hit during the prior week, they'll return with same config later whenever PM upsets them - they always do. So do some mitigations in advance.

      In conversation about 7 months ago permalink
    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 04-Nov-2024 16:52:52 JST

      The Return of The Councils

      In conversation about 7 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/113/423/595/943/872/149/original/4209aa7ff3d027e7.png

    • Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 06-Nov-2024 03:26:23 JST

      swcouncils.gov.uk just came back online, after several days' outage. #NoName #threatintel

      In conversation about 7 months ago permalink

      Attachments


      1. https://cyberplace.social/system/media_attachments/files/113/431/749/309/758/636/original/9853db9c2ca7a376.png

GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.