CyberSecurity news

FlagThis - #ddos

@www.euractiv.com //
Sweden is currently facing a significant surge in cyberattacks, prompting Prime Minister Ulf Kristersson to sound the alarm. The attacks, primarily Distributed Denial-of-Service (DDoS) events, have targeted critical infrastructure, including SVT, Sweden's public television broadcaster, government websites, and key organizations. These disruptions have raised serious concerns about the resilience and security of Sweden's digital systems. The Prime Minister addressed the situation, acknowledging the severity and widespread nature of the cyber assaults impacting essential services.

The cyber offensive follows Sweden's recent entry into NATO in 2024, leading many to suspect potential involvement from Russia. While Prime Minister Kristersson refrained from explicitly naming the perpetrators, he alluded to previous reports from the Swedish Security Service identifying Russia, China, and Iran as frequent actors behind similar cyber operations. The focus of these attacks appears to be on disruption and undermining trust in institutions rather than data theft or ransomware, highlighting a strategy aimed at demonstrating cyber warfare capabilities.

Authorities are actively investigating the attacks and working to enhance the nation's cybersecurity defenses. The disruptions serve as a stark reminder of the evolving landscape of modern warfare, where cyberattacks can be leveraged to destabilize countries and critical infrastructure. The situation underscores the importance of international cooperation and vigilance in addressing cyber threats.

References:
  • bsky.app: 🇸🇪 Sweden's PM says it is under cyberattack. Swedish Prime Minister Ulf Kristersson says his country is under attack, after days of hard-hitting DDoS attacks against SVT, Sweden's public TV broadcaster, government websites, and other key organisations.
  • databreaches.net: Sweden under cyberattack: Prime minister sounds the alarm
  • Graham Cluley: Sweden joined NATO in 2024, and has seen a dramatic rise in DDoS attacks ever since. Unsurprisingly all eyes are on Russia 🇷🇺 as likely culprits for the attacks.

The Hacker News@thehackernews.com //
A critical remote code execution vulnerability, CVE-2025-24016, affecting the Wazuh security platform is being actively exploited by Mirai botnets to launch distributed denial-of-service (DDoS) attacks. Akamai discovered this exploitation in late March 2025, revealing that threat actors are using this flaw to deploy Mirai botnet variants. The vulnerability, an unsafe deserialization issue, exists within the Wazuh API, specifically in how parameters within the DistributedAPI are handled.

The vulnerability stems from the deserialization of JSON data using the `as_wazuh_object` function in the `framework/wazuh/core/cluster/common.py` file. Attackers can inject malicious JSON payloads to execute arbitrary Python code remotely. CVE-2025-24016 affects Wazuh server versions 4.4.0 through 4.9.0, and has been assigned a critical CVSS score of 9.9. The flaw was patched in February 2025 with the release of Wazuh version 4.9.1, which replaced the unsafe `eval` function with `ast.literal_eval`.
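The difference between the two calls is the whole bug class. The following is an added, constructed illustration (not Wazuh's code; the `__py__` field name and the object-hook shape are assumptions) of a JSON decoder that rebuilds Python values from a string field, once with `eval` and once with `ast.literal_eval`:

```python
import ast
import json

# Constructed illustration of the defect class described above, not Wazuh's
# code. A JSON object hook rebuilds Python values from a string field; the
# field name "__py__" is an assumption, not the real Wazuh wire format.

def _unsafe_hook(obj):
    """'Before' shape of the defect: a string from the wire reaches eval()."""
    if "__py__" in obj:
        return eval(obj["__py__"])  # evaluates ANY Python expression
    return obj

def _safe_hook(obj):
    """Fixed shape: ast.literal_eval accepts only Python literals."""
    if "__py__" in obj:
        return ast.literal_eval(obj["__py__"])  # ValueError on expressions
    return obj

def load_unsafe(payload: str):
    return json.loads(payload, object_hook=_unsafe_hook)

def load_safe(payload: str):
    return json.loads(payload, object_hook=_safe_hook)

def check(payload: str) -> dict:
    """Decode the payload both ways and report what each decoder did."""
    result = {}
    try:
        result["unsafe"] = load_unsafe(payload)
    except Exception as exc:
        result["unsafe"] = f"rejected: {type(exc).__name__}"
    try:
        result["safe"] = load_safe(payload)
    except Exception as exc:
        result["safe"] = f"rejected: {type(exc).__name__}"
    return result

# Constructed inputs: a genuine Python literal, and a non-literal expression.
LITERAL = '{"msg": {"__py__": "{\'a\': [1, 2]}"}}'
EXPRESSION = '{"msg": {"__py__": "2 ** 10"}}'

if __name__ == "__main__":
    print(check(LITERAL))     # both decoders yield {'msg': {'a': [1, 2]}}
    print(check(EXPRESSION))  # unsafe computes 1024; safe rejects with ValueError
```

The literal round-trips through both decoders, but only the `eval`-based one computes the expression; `ast.literal_eval` raises `ValueError` for anything that is not a literal, which is exactly what removed the code-execution path in the fix.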

Akamai has observed two distinct botnets exploiting this vulnerability. In both cases, a successful exploit leads to the execution of a shell script that downloads a Mirai botnet payload from an external server. The first botnet deploys variants of LZRD Mirai, a botnet that has been active since 2023, and has also been recently used in attacks targeting GeoVision IoT devices. The second botnet delivers a Mirai variant known as Resbot (aka Resentual). Security researchers emphasize the rapidly decreasing time-to-exploit for newly published CVEs by botnet operators.

References:
  • The Hacker News: Two Distinct Botnets Exploit Wazuh Server Vulnerability to Launch Mirai-Based Attacks
  • Catalin Cimpanu: Akamai has spotted two Mirai botnets abusing a recently patched RCE (CVE-2025-24016) in the Wazuh SIEM
  • cvereports.com: CVE-2025-24016 - unsafe deserialization vulnerability in Wazuh leading to remote code execution
  • Virus Bulletin: Akamai has spotted two Mirai botnets abusing a recently patched RCE (CVE-2025-24016) in the Wazuh SIEM
  • securityaffairs.com: Mirai botnets are exploiting CVE-2025-24016, a critical remote code execution flaw in Wazuh servers, Akamai warned.
  • infosec.exchange: InfoSec Exchange post regarding Mirai botnets exploiting Wazuh vulnerability
  • Help Net Security: Two Mirai botnets are exploiting a critical remote code execution vulnerability (CVE-2025-24016) in the open-source Wazuh XDR/SIEM platform, Akamai researchers have warned.
  • gbhackers.com: Exploitation of Critical Wazuh Server RCE Vulnerability Leads to Mirai Variant Deployment
  • The Register - Security: Critical Wazuh bug exploited in growing Mirai botnet infection
  • www.helpnetsecurity.com: Unpatched Wazuh servers targeted by Mirai botnets (CVE-2025-24016)
  • hackread.com: Akamai's latest report reveals two Mirai botnets exploiting the critical CVE-2025-24016 flaw in Wazuh. Learn about these fast-spreading IoT threats and urgent patching advice.
  • bsky.app: Akamai has spotted two Mirai botnets abusing a recently patched RCE (CVE-2025-24016) in the Wazuh SIEM
  • nvd.nist.gov: Cybersecurity Vulnerability details CVE-2025-24016.
  • Wazuh: Addressing the CVE-2025-24016 vulnerability
  • sra.io: Wazuh server vulnerability CVE-2025-24016 exploited in the wild, patch has since been released.
  • wazuh.com: Addressing the CVE-2025-24016 vulnerability

Mike Moore@techradar.com //
A new wave of cyberattacks is targeting Internet of Things (IoT) devices through both the Mirai botnet and BadBox 2.0 malware. Cybersecurity researchers have discovered a new variant of the Mirai botnet that exploits a critical vulnerability, CVE-2024-3721, in TBK DVR devices. This vulnerability allows attackers to remotely deploy malicious code on digital video recording systems commonly used for surveillance. Kaspersky GReAT experts have described the new features of this Mirai variant, noting that the latest botnet infections specifically target TBK DVR devices.

Simultaneously, the FBI has issued a warning about the dangerous BadBox 2.0 malware, which has already infected over a million devices, including smart TVs, streaming boxes, digital projectors, and tablets. These devices, often cheap, off-brand, Android-powered units, are being hijacked to form a global botnet used for malicious activities such as ad fraud, click fraud, and distributed denial-of-service (DDoS) attacks. The compromised devices are turned into residential proxies, which are then sold or provided for free to cybercriminals, enabling a wide range of illicit activities.

The Mirai botnet leverages a vulnerability in TBK DVR devices, enabling unauthorized system command execution. Attackers send targeted POST requests to vulnerable endpoints, containing encoded shell commands to download and execute ARM32 binary payloads. This streamlined approach allows for efficient infection, bypassing traditional reconnaissance phases. Meanwhile, BadBox 2.0 often comes preloaded on devices or is transferred through malicious firmware updates and Android applications. Once infected, devices become part of a botnet that cybercriminals exploit for various nefarious purposes, highlighting the persistent threat IoT devices pose to cybersecurity.

References:
  • cyberpress.org: New Mirai Botnet Variant Exploits TBK DVR Vulnerability to Deploy Malicious Code
  • The Record: TV streaming devices, digital projectors and other IoT devices are being infected with BadBox 2.0 malware after the original campaign was stifled by German law enforcement.
  • Securelist: Analysis of the latest Mirai wave exploiting TBK DVR devices with CVE-2024-3721
  • cyberinsider.com: New Mirai Botnet Variant Targets Flaw in 50,000 Exposed TBK DVRs
  • Cyber Security News: Cybersecurity researchers have discovered a new variant of the notorious Mirai botnet that exploits a critical vulnerability in TBK DVR devices to deploy malicious code remotely.
  • gbhackers.com: New Mirai Variant Exploits TBK DVR Flaw for Remote Code Execution
  • securityonline.info: New Mirai Botnet Variant Targets DVR Systems via CVE-2024-3721
  • www.bleepingcomputer.com: A new variant of the Mirai malware botnet is exploiting a command injection vulnerability in TBK DVR-4104 and DVR-4216 digital video recording devices to hijack them.
  • securityaffairs.com: BadBox 2.0 botnet infects millions of IoT devices worldwide, FBI warns
  • securityaffairs.com: New Mirai botnet targets TBK DVRs by exploiting CVE-2024-3721

Pierluigi Paganini@Security Affairs //
Pro-Russia hacktivist group NoName057(16) is actively targeting Dutch organizations with large-scale distributed denial of service (DDoS) attacks. These attacks are causing significant access problems and service disruptions for targeted entities across both the public and private sectors in the Netherlands. The country's National Cyber Security Center (NCSC) has issued a warning about these ongoing cyber activities. The NCSC confirmed that the attacks also affect European organizations alongside Dutch ones.

The attacks are part of a broader campaign of cyberattacks claimed by the hacktivist group. These persistent DDoS attacks aim to overwhelm the targeted organizations' systems with malicious traffic, rendering them inaccessible to legitimate users. The goal of these attacks appears to be the disruption of services and potentially the undermining of confidence in the targeted organizations. BleepingComputer reported on this campaign, highlighting the severity and widespread impact of these attacks.

The National Cyber Security Center (NCSC), part of the Dutch Ministry of Justice, released a statement acknowledging the situation. The statement mentioned that both public and private entities within the Netherlands are being targeted by these large-scale DDoS attacks. The NCSC continues to monitor the situation and is working to mitigate the impact of these attacks.

References:
  • bsky.app: Pro-Russia hacktivists persistently target key public and private organizations in the Netherlands with distributed denial of service (DDoS) attacks, causing access problems and service disruptions.
  • securityaffairs.com: Pro-Russia hacktivist group NoName057(16) is targeting Dutch organizations
  • www.bleepingcomputer.com: Pro-Russia hacktivists bombard Dutch public orgs with DDoS attacks
  • BleepingComputer: Pro-Russian hacktivists persistently target key public and private organizations in the Netherlands with distributed denial of service (DDoS) attacks, causing access problems and service disruptions.
  • bsky.app: Russian group NoName launched DDoS attacks and took down the public websites of several Dutch provinces.
  • www.bleepingcomputer.com: Russia-aligned hacktivists persistently target key public and private organizations in the Netherlands with distributed denial of service (DDoS) attacks, causing access problems and service disruptions.
  • DataBreaches.Net: A large-scale cyberattack hit multiple Dutch municipalities and provinces on Monday morning, rendering the websites of more than twenty local governments inaccessible for several hours.
  • The DefendOps Diaries: Pro-Russian Hacktivists Target Dutch Public Organizations with DDoS Attacks
  • gbhackers.com: Multiple Dutch organizations have experienced significant service disruptions this week due to a series of coordinated Distributed Denial-of-Service (DDoS) attacks.
  • industrialcyber.co: Forescout reports rise of state-sponsored hacktivism, as geopolitics rewrites cyber threat landscape

Bill Toulas@BleepingComputer //
Cloudflare has released its 2025 Q1 DDoS Threat Report, revealing a staggering increase in Distributed Denial of Service (DDoS) attacks. The report highlights that Cloudflare mitigated 20.5 million DDoS attacks in the first quarter of 2025 alone. This represents a massive 358% year-over-year and 198% quarter-over-quarter increase, nearly matching the total number of attacks recorded throughout all of 2024. The escalating threat landscape underscores the critical need for robust and adaptive cybersecurity measures to protect online infrastructure from malicious actors.

One of the most significant incidents during this period was the mitigation of a record-breaking DDoS attack peaking at 4.8 billion packets per second (Bpps). This hyper-volumetric attack, part of a late-April campaign, presented a substantial technical challenge due to its immense scale and short duration, typically lasting between 35 and 45 seconds. Cloudflare also neutralized a 6.5 terabit-per-second (Tbps) UDP flood. Overall, the company recorded over 700 hyper-volumetric DDoS attacks, each exceeding either 1 Tbps or 1 Bpps, demonstrating the growing sophistication and intensity of these threats.

Network-layer DDoS attacks fueled much of this increase, totaling 16.8 million incidents between January and March 2025. A notable 6.6 million of these attacks targeted Cloudflare's own infrastructure. Attackers are increasingly deploying sophisticated multi-vector campaigns, leveraging tactics such as SYN floods, Mirai-botnet assaults, and SSDP amplification to overwhelm targets from multiple angles. Cloudflare identified two emerging threats: Connectionless Lightweight Directory Access Protocol (CLDAP) attacks, which saw a 3,488% quarter-over-quarter increase, and Encapsulating Security Payload (ESP) attacks, growing by 2,301% in the same period.

References:
  • cyberpress.org: Cyberpress article on Cloudflare's 2025 DDoS Mitigation
  • The DefendOps Diaries: TheDefendOpsDiaries on Cloudflare's 2025 DDoS Mitigation Achievements
  • BleepingComputer: Internet services giant Cloudflare says it mitigated a record number of DDoS attacks in 2024, recording a massive 358% year-over-year jump and a 198% quarter-over-quarter increase.
  • www.scworld.com: SecurityWorld Article on Cloudflare's 2025 DDoS Mitigation
  • Blog: Cloudflare has reported a significant surge in distributed denial-of-service (DDoS) attacks, marking a new record in 2025.
  • Cyber Security News: Cloudflare mitigated a record 20.5 million DDoS attacks in the first quarter of 2025
  • Anonymous: In 2025 Q1, Cloudflare blocked +20M attacks (a 358% YoY spike) along with 5.6 Tbps and 4.8 Bpps record-breaking attacks.
  • Cloudflare: DDoS attacks are surging. In 2025 Q1, Cloudflare blocked +20M attacks (a 358% YoY spike) along with 5.6 Tbps and 4.8 Bpps record-breaking attacks. Read more in our latest DDoS Threat Report 👉
  • The Cloudflare Blog: Targeted by 20.5 million DDoS attacks, up 358% year-over-year: Cloudflare’s 2025 Q1 DDoS Threat Report
  • The DefendOps Diaries: Pro-Russian hacktivists disrupt Dutch public services with DDoS attacks, highlighting vulnerabilities and resilience in digital infrastructure.