Source: www.dhs.gov
Following U.S. airstrikes on Iranian nuclear sites on June 21, 2025, a wave of cyberattacks has been launched against U.S. organizations by Iran-aligned hacktivist groups. Cyble threat intelligence researchers reported that in the first 24 hours after the strikes, 15 U.S. organizations and 19 websites were targeted with DDoS attacks. Groups such as Mr Hamza, Team 313, Keymous+, and Cyber Jihad have claimed responsibility, targeting U.S. Air Force websites, aerospace and defense companies, and financial services organizations.
The attacks have been framed as retaliation for U.S. involvement in the ongoing Israel-Iran conflict, with the groups using the hashtag #Op_Usa to deface websites and leak credentials. The U.S. Department of Homeland Security (DHS) issued a bulletin on June 22, 2025, warning of likely low-level cyberattacks against U.S. networks by pro-Iranian hacktivists and noting that cyber actors affiliated with the Iranian government may also conduct attacks. The warning highlights the escalating cyber warfare activity between the two nations. In a notable incident, Donald Trump's social media platform, Truth Social, was paralyzed by a DDoS attack just hours after the U.S. airstrikes. The hacker group "313 Team" claimed responsibility, stating the attack was a response to President Trump's announcement of the successful strikes on Iranian nuclear sites. DHS emphasizes that this activity reflects an increasing shift of geopolitical tensions into the digital space, further intensifying cybersecurity concerns.
Source: The Hacker News
A new Flodrix botnet variant is actively targeting vulnerable Langflow AI servers by exploiting a critical remote code execution (RCE) vulnerability tracked as CVE-2025-3248. Langflow, a Python-based visual framework used for building artificial intelligence (AI) applications, contains a missing authentication vulnerability that enables unauthenticated attackers to execute arbitrary code via crafted HTTP requests. Cybersecurity researchers at Trend Micro have highlighted this ongoing campaign, revealing that attackers are leveraging the flaw to execute downloader scripts on compromised Langflow servers. These scripts then fetch and install the Flodrix malware, ultimately leading to full system compromise.
Trend Micro's analysis reveals that attackers are exploiting CVE-2025-3248, which has a CVSS score of 9.8, using publicly available proof-of-concept (PoC) code against unpatched, internet-exposed Langflow instances. The vulnerability stems from a lack of input validation and sandboxing in Langflow, which allows malicious payloads to be compiled and executed in the server's context. The downloader scripts retrieve the Flodrix botnet malware from a specified host; once installed, Flodrix establishes a TCP connection to a remote server to receive commands for launching distributed denial-of-service (DDoS) attacks against targeted IP addresses. Flodrix also supports connections over the Tor anonymity network. The Flodrix botnet is considered an evolution of the LeetHozer botnet, linked to the Moobot group. This improved variant incorporates stealth techniques, including the ability to discreetly remove itself, minimize forensic traces, and obfuscate command-and-control (C2) server addresses, which makes analysis more difficult. Further enhancements include new, encrypted DDoS attack types. Organizations running Langflow are urged to patch immediately to version 1.3.0 or later, which addresses CVE-2025-3248, and to implement robust network monitoring to detect and mitigate any botnet activity resulting from this vulnerability.
Source: www.euractiv.com
References: bsky.app, databreaches.net
Sweden is currently facing a significant surge in cyberattacks, prompting Prime Minister Ulf Kristersson to sound the alarm. The attacks, primarily Distributed Denial-of-Service (DDoS) events, have targeted critical infrastructure, including SVT, Sweden's public television broadcaster, government websites, and key organizations. These disruptions have raised serious concerns about the resilience and security of Sweden's digital systems. The Prime Minister addressed the situation, acknowledging the severity and widespread nature of the cyber assaults impacting essential services.
The cyber offensive follows Sweden's entry into NATO in 2024, leading many to suspect Russian involvement. While Prime Minister Kristersson refrained from explicitly naming the perpetrators, he alluded to previous reports from the Swedish Security Service identifying Russia, China, and Iran as frequent actors behind similar cyber operations. The focus of these attacks appears to be disruption and undermining trust in institutions rather than data theft or ransomware, pointing to a strategy aimed at demonstrating cyber warfare capabilities. Authorities are actively investigating the attacks and working to strengthen the nation's cybersecurity defenses. The disruptions serve as a stark reminder of the evolving landscape of modern warfare, in which cyberattacks can be used to destabilize countries and critical infrastructure, and they underscore the importance of international cooperation and vigilance in addressing cyber threats.
Source: The Hacker News
A critical remote code execution vulnerability, CVE-2025-24016, affecting the Wazuh security platform is being actively exploited by Mirai botnets to launch distributed denial-of-service (DDoS) attacks. Akamai discovered this exploitation in late March 2025, revealing that threat actors are using this flaw to deploy Mirai botnet variants. The vulnerability, an unsafe deserialization issue, exists within the Wazuh API, specifically in how parameters within the DistributedAPI are handled.
The vulnerability stems from the deserialization of JSON data using the `as_wazuh_object` function in the `framework/wazuh/core/cluster/common.py` file. Attackers can inject malicious JSON payloads to execute arbitrary Python code remotely. CVE-2025-24016 affects Wazuh server versions 4.4.0 through 4.9.0 and has been assigned a critical CVSS score of 9.9. The flaw was patched in February 2025 with the release of Wazuh version 4.9.1, which replaced the unsafe `eval` function with `ast.literal_eval`. Akamai has observed two distinct botnets exploiting this vulnerability. In both cases, a successful exploit leads to the execution of a shell script that downloads a Mirai botnet payload from an external server. The first botnet deploys variants of LZRD Mirai, a botnet that has been active since 2023 and has also recently been used in attacks targeting GeoVision IoT devices. The second botnet delivers a Mirai variant known as Resbot (aka Resentual). Security researchers emphasize how rapidly botnet operators now weaponize newly published CVEs, with the time-to-exploit continuing to shrink.
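To make the `eval` versus `ast.literal_eval` point concrete, the following is an added, self-contained illustration written for this digest; it is not Wazuh's code and does not reproduce `as_wazuh_object`. The function names, the wrapper and the sample payloads are all constructed. It shows why evaluating a network-supplied string with `eval` turns a parser into a code runner, and why `ast.literal_eval`, which accepts only Python literals, rejects anything that is not plain data before it runs.

```python
"""Why swapping eval() for ast.literal_eval() closes an unsafe-deserialization
hole of the kind described for CVE-2025-24016.

Hypothetical example (not Wazuh's code): the function names, the wrapper and
the payloads below are constructed for this demonstration.
"""
import ast


def unsafe_deserialize(payload: str):
    """Pre-fix pattern: eval() on a string received from the network.

    Any valid Python expression in the string is executed in the caller's
    context, so this does not merely parse data, it runs whatever it is given.
    """
    return eval(payload)  # deliberately unsafe, kept here only for contrast


def safe_deserialize(payload: str):
    """Post-fix pattern: ast.literal_eval() accepts only Python literals
    (strings, numbers, tuples, lists, dicts, sets, booleans, None).

    Function calls, attribute access and bare names are rejected with
    ValueError before anything executes.
    """
    return ast.literal_eval(payload)


def classify(payload: str) -> str:
    """Return 'literal' if the safe parser accepts the payload, else 'rejected'.

    Useful as a regression check or as the core of a detection rule that flags
    cluster messages carrying non-literal Python syntax.
    """
    try:
        ast.literal_eval(payload)
        return "literal"
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        return "rejected"


# Constructed sample messages: one benign data structure, and one that smuggles
# a (harmless here) function call into what should only ever be data.
BENIGN = "{'agent_id': '001', 'status': 'active', 'ports': [1514, 1515]}"
CALL_IN_DATA = "len('this string is data, but len() is a call')"

if __name__ == "__main__":
    print("benign via safe parser:  ", safe_deserialize(BENIGN))
    print("call via unsafe parser:  ", unsafe_deserialize(CALL_IN_DATA))
    print("call via safe parser:    ", classify(CALL_IN_DATA))
```

Run as a script, the unsafe path executes the embedded `len()` call and returns a number, while the safe path classifies the same payload as rejected; the benign dictionary round-trips through both. The `classify` helper is the piece a defender can reuse: any message that `ast.literal_eval` refuses is, by definition, not the data structure the protocol expects.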
Source: Mike Moore, techradar.com
A new wave of cyberattacks is targeting Internet of Things (IoT) devices through both the Mirai botnet and BadBox 2.0 malware. Cybersecurity researchers have discovered a new variant of the Mirai botnet that exploits a critical vulnerability, CVE-2024-3721, in TBK DVR devices. This vulnerability allows attackers to remotely deploy malicious code on digital video recording systems commonly used for surveillance. Kaspersky GReAT experts have described the new features of this Mirai variant, noting that the latest botnet infections specifically target TBK DVR devices.
Simultaneously, the FBI has issued a warning about the dangerous BadBox 2.0 malware, which has already infected over a million devices, including smart TVs, streaming boxes, digital projectors, and tablets. These devices, often cheap, off-brand, Android-powered units, are being hijacked to form a global botnet used for malicious activities such as ad fraud, click fraud, and distributed denial-of-service (DDoS) attacks. The compromised devices are turned into residential proxies, which are then sold or provided for free to cybercriminals, enabling a wide range of illicit activities. The Mirai variant leverages the TBK DVR vulnerability to execute unauthorized system commands: attackers send targeted POST requests to vulnerable endpoints containing encoded shell commands that download and execute ARM32 binary payloads. This streamlined approach allows for efficient infection and bypasses traditional reconnaissance phases. BadBox 2.0, by contrast, often comes preloaded on devices or is delivered through malicious firmware updates and Android applications. Once infected, devices become part of a botnet that cybercriminals exploit for various nefarious purposes, highlighting the persistent threat IoT devices pose to cybersecurity.