NoName057(16) back to targeting UK this week, they're going to run all week. Thread for the week.
Current DDoS config, 17 orgs, UK councils and transport. Approx 70% success rate.
Tracking for UK councils https://stats.uptimerobot.com/TlxHfUlrvc
Here's the NoName blurb to go with the DDoS. #NoName #threatintel
@GossiTheDog wait weren't they supposed to be attacking Aus? I had my doona all ready to hide under.
Council websites generally host this kind of thing, if you want to know why they get targeted - it's local support basically.
UK Councils doing a much better job at coming back online this time around compared to last month's NoName attacks - 8 out of the 9 targeted (which are still in the botnet DDoS config, so attacks continue) are back online, only eastsuffolk.gov.uk remains down.
So far every council we've mentioned the issues to has pretended it's a generic issue, lol #NoName #threatintel
To bring this to life btw about why NoName is so successful in terms of bringing things down - this is entire config for eastsuffolk.gov.uk, which has been down since 7am UK time.
There's no packet flood. There's no large packets. There's nothing like that. It's a layer 7, application layer attack.
All they do is send lots of web search requests with gibberish -- $_1 and $_5 are just large random strings. It's enough to CPU and memory exhaust most webservers.
Also if anybody is wondering it's less than a thousand attacking IPs, and they're largely volunteers' PCs and mobile phones - this isn't an infected router botnet.
A group of us has been aggressively taking down the config C2s for about a year which cuts off the volunteers, the numbers are down about 8 times from a year ago, but NoName have become better at their target config.
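A defender-side illustration of the pattern described above, added here and not part of the thread: a small log analyser that picks out clients stuffing the site search with long, high-entropy strings. The log lines, the `/search` path and the `q` parameter are constructed assumptions, not taken from any real council site.

```python
import re
from collections import defaultdict
from math import log2
from urllib.parse import parse_qs, urlparse

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2024:07:00:01 +0000] "GET /search?q=kJ8xQz2pL9vWn4tR7bY3mC6hD1fG5sA0 HTTP/1.1" 200 5123
203.0.113.10 - - [10/Jun/2024:07:00:01 +0000] "GET /search?q=Zq4Vb7Nm2Xc9Lp1Kf6Hj3Gd8Sa5Wr0Tt HTTP/1.1" 200 5123
203.0.113.10 - - [10/Jun/2024:07:00:02 +0000] "GET /search?q=Pw3Er8Ty1Ui6Op9As2Df5Gh7Jk0Lz4Xc HTTP/1.1" 200 5123
198.51.100.7 - - [10/Jun/2024:07:00:02 +0000] "GET /search?q=bin+collection+dates HTTP/1.1" 200 8102
198.51.100.7 - - [10/Jun/2024:07:00:05 +0000] "GET /council-tax HTTP/1.1" 200 9921
203.0.113.10 - - [10/Jun/2024:07:00:03 +0000] "GET /search?q=Mn5Bv8Cx1Zl4Kj7Hg0Fd3Sa6Pq9Wo2Ei HTTP/1.1" 200 5123
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" \d+ \d+'
)


def shannon_entropy(s: str) -> float:
    """Bits per character; random alphanumeric junk scores far higher than words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * log2(c / len(s)) for c in counts.values())


def looks_like_junk(query: str, min_len: int = 16, min_entropy: float = 3.5) -> bool:
    """Real searches are short words with spaces; stuffing is long, spaceless, high-entropy."""
    return len(query) >= min_len and " " not in query and shannon_entropy(query) >= min_entropy


def analyse(log_text: str, search_path: str = "/search", param: str = "q", threshold: int = 3) -> dict:
    """Return {ip: junk_search_count} for clients at or above the threshold (candidates for a WAF rule)."""
    junk_hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("path"))
        if url.path != search_path:
            continue  # only the expensive search endpoint matters here
        q = parse_qs(url.query).get(param, [""])[0]
        if looks_like_junk(q):
            junk_hits[m.group("ip")] += 1
    return {ip: n for ip, n in junk_hits.items() if n >= threshold}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The flagged addresses are what a rate-limit or block rule on the search endpoint would act on; in a real deployment the per-IP count would be windowed by time rather than taken over the whole file.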
NoName changed yesterday's UK council targets today at 7am, they're all back online.
New UK targets, they intend to expand this later today. #NoName #threatintel
Impacts and tracker: https://stats.uptimerobot.com/TlxHfUlrvc
Keighley.gov.uk is down despite being behind Cloudflare as the host has an opsec error - NoName attack the origin IP which is open to the internet, to bypass Cloudflare.
Private company tracker https://stats.uptimerobot.com/fseoaKBaYk
https://keighley.gov.uk have come up with a unique NoName DNS solution today - they redirected their site to Keighley-ddos.gov.uk, which doesn't exist.
NoName UK impact for the day - 3 of the 5 council websites targeted are still down
For some reason NoName still target liverpool.gov.uk, which has had working mitigations for well over a year. They still pretend to their supporters they DDoS that one, but never do. They don't even bother to change their attack config.
Keighley literally redirected their site to a site with "DDoS" in the name.
In private companies/orgs, 3 of the 8 orgs are still down. Albion 8% uptime.
IMHO, NCSC UK should use NoName to get budget for expanding Active Cyber Defence to include a managed WAF for councils (that can be expanded to other public services later).
Cloudflare don't do anything too fancy, just nginx proxies basically - the protection could be recreated without too much cost to shield orgs centrally and give assistance and intelligence on demand.
One other observable from the #NoName activity - same problem as last time they targeted UK: Azure Application Gateway sites folded immediately and never returned.
I’d be really careful if you use that service, NoName definitely know it is weak AF.
NoName UK targets today, I'm 4 hours late.
9 councils, all new
National Rail
Ministry of Defence Police
From yesterday, the DDoS has stopped but Keighley council's website has been suspended by their webhost.
Albion Water's website has been deleted apparently.
UK public service impact tracker https://stats.uptimerobot.com/TlxHfUlrvc
UK private company impact tracker https://stats.uptimerobot.com/fseoaKBaYk
@GossiTheDog what’s the best way for them to protect themselves against stuff like this?
@GossiTheDog thank you
@GossiTheDog hehehe but no worry, a bot with a name is still at time ;-)
https://www.mod.police.uk/ is on 7 hours of downtime, their host appears to have deleted them now. #NoName #threatintel
Portsmouth City Council have stuck Azure WAF in front of their Azure Application Gateway site and managed to get it back online! https://www.portsmouth.gov.uk/
@GossiTheDog What is mod.police?
This is a good blog for NoName defence if you use Azure Application Gateway or Azure Front Door
tl;dr you need to put Azure Web Application Firewall in front, configure specific rate-limiting rules, and set them to block. Azure DDoS Protection doesn't work for NoName due to it being layer 7.
UK Police website has been redirected by, I'm guessing, their provider to a domain that doesn't exist. Similar situation to that council yesterday.
As a review of the NoName UK activity for the day
13 sites targeted
3 down at end of day (MOD Police, City of Ely Council, North East Combined Authority)
Councils did a really good job - Belfast City, Crewe Town Council, Eastleigh, Northeast and Leicester had no downtime at all. Dover, Southampton and Portsmouth recovered during the day.
National Rail had zero downtime. HHA (Harwich Haven Authority) recovered a few hours ago.
NoName’s main Russian Telegram channel has been shut down this evening.
If anybody from NCA/NCSC etc that are dealing with Telegram follow me, get them to nuke:
This is 100% of their messaging infrastructure.
NoName UK targets for today. I'm many hours late again as I've been busy doing actual work, @NoName57Bot for live config updates.
All of these are prior targets from prior months, with the same config as before.
I'll set up the uptime tracking now so we see how many implemented mitigations from previous runs or ignored it/didn't have the budget to do anything.
In terms of yesterday's targets, https://www.mod.police.uk is still down, along with https://www.cityofelycouncil.org.uk/
Ministry of Defence Police have not mentioned it anywhere
Medway.gov.uk have done a really good trick to evade NoName - they've disabled their search function. NoName just stuff search with random strings which overloads CPU, it's a really good way to mitigate the problem quickly.
Here's today's #NoName impact tracking
Public services: https://stats.uptimerobot.com/TlxHfUlrvc
Private companies/orgs: https://stats.uptimerobot.com/fseoaKBaYk
NoName UK impact for the day
9 UK council websites targeted
3 still down at end of day
4 had no downtime at all
2 disabled search to keep services online 🙌 which is by far the most effective temp mitigation, which was done by sharing the botnet attack config
Of the 4 private business/org sites targeted, 2 stayed 100% online - G4S (physical security org) and Parker Meggitt (a Fortune 250 motion and control company).
West Atlantic air freight = 50% downtime.
Lewes county town = still offline
And yes, if you're wondering, https://www.mod.police.uk/ is still down 2 days later
@GossiTheDog to be fair Lewes has not been online for years, it merged with another council...
NoName UK run continues. Targets for today:
Impact tracker: https://stats.uptimerobot.com/TlxHfUlrvc
Gotta say, things look much improved on NoName front with councils compared to prior month's run. Considering they basically don't have a pot to piss in budget wise, they're doing a pretty good job.
@GossiTheDog at this stage it's basically pattern recognition, surely? It's not like there's a drastic change in MO each go around.
NoName impact summary for the day is basically the same as it began, the sites online and offline is still the same as when the attacks began for the day.
https://www.mod.police.uk/ is still down
NoName have moved on to France, as… Trump is there 🫡 or something.
I’ll stop tracking threads now as I’m selfish. Although I do enjoy being an undercover Russian, and Russian sense of humour is pretty good (and odd).
MOD Police’s website is still down, 8 days later.
MOD Police’s website is still down 18 days later. The latest is they’ve tried to move it behind Cloudflare, but don’t know how to configure DNS.
@GossiTheDog The organization I work for was on DDoSia's target list in December and during the attack we mapped 13,000+ IPs following the same pattern as described in the target lists.
A lot of those IPs belong to VPS providers…