
NoName057(16) potential DDoS January 2025

The World Economic Forum takes place in Switzerland on January 20-24, 2025. Last year the forum drew various DDoS attacks on Swiss websites. Whether we will see DDoS activity again this year is not yet known. With only days to go before the forum, we may soon find out if Switzerland is again in the focus of NoName057(16) or other actors.

Preparations

The website witha.name is tracking NoName057(16) closely and publishes the DDoSia configuration files. Those files contain valuable information for countermeasures: knowing the target paths and request patterns in advance makes it faster to isolate the attack requests and deploy effective blocking rules.

https://witha.name/ (2025-01-09), TLP:UNCLEAR

Recently, it seems there is also access-protected information about the IP addresses used in the attacks. Sadly, I'm unaware of how to access this, but it would be very powerful information ahead of an attack.

https://www.reddit.com/r/cybersecurity/comments/1gjb85c/ddosia_access_to_target_list_withaname/ (2025-01-09)

The question of how to get access also came up on Reddit, but received no responses.

Activity

Hackmanac collects data about cyberattacks and cyber threats from public information and, for the first week of 2025, ranked NoName057(16) as the most active or visible group among the publicly known attacks.

https://hackmanac.com/news/hack-tuesday-week-01-07-january-2025 (2025-01-09)

Follow hack-tuesday for more.

Even without knowing the background, it is clear that very public DDoS campaigns were already under way in January 2025.

NoName057(16)

The old channels on Telegram seem to no longer exist, but there is a verified profile on X (formerly Twitter) that posts under the group's name.

https://x.com/Noname05716 (2025-01-09)

There is also a new Telegram channel posting in Cyrillic script.

https://t.me/nnm057_16 (2025-01-09)

And one new Telegram channel posting in English.

https://t.me/noname05716engver (2025-01-09)

There is also a group called DDoSia, but it requires you to join. I did not join to see.

https://t.me/+LpLxgU4upoYxMzQ8 (2025-01-09)

UserAgent in Access Logs

The user agents used by DDoSia, as published on witha.name, have not changed, so the following KQL query can help you find matching requests in Azure Front Door access logs stored in a Log Analytics workspace.

// DDoSia user agents as published on witha.name (exact strings, case-sensitive match below)
let userAgents = dynamic([
    "AppleCoreMedia/1.0.0.23A344 (Macintosh; U; Intel Mac OS X 14_0; da_dk)",
    "Dalvik/2.1.0 (Linux; U; Android 11; Tibuta_MasterPad-E100 Build/RP1A.201005.006)",
    "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20021208 Debian/1.2.1-2",
    "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.6) Gecko/20050319",
    "Mozilla/5.0 (Linux; Android 11; SM-A115M Build/RP1A.200720.012; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/102.0.5005.125 Mobile Safari/537.36 Instagram 306.0.0.35.109 Android (30/11; 280dpi; 720x1411; samsung; SM-A115M; a11q; qcom; pt_BR; 530130405)",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 16_1_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 [LinkedInApp]/9.",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 16_1_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 [LinkedInApp]/9.28.7586",
    "Mozilla/5.0 (Linux; Android 13; SM-F711U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Mobile Safari/537.36 EdgA/114.0.1823.43",
    "Mozilla/5.0 (X11; U; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/115.0.5738.217 Chrome/115.0.5738.217 Safari/537.36",
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/102.0.5143.178 Chrome/102.0.5143.178 Safari/537.36",
    "Mozilla/5.0 (Linux; Android 13; SAMSUNG SM-T220) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/23.0 Chrome/115.0.0.0 Mobile Safari/537.36",
    "Mozilla/5.0 (Linux; Android 9) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/119.0.6045.66 Mobile DuckDuckGo/1 Lilo/1.2.3 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36 Edg/118.0.2088.76 GLS/97.10.7399.100",
    "Mozilla/5.0 (X11; Linux x86_64; SMARTEMB Build/3.12.9076) AppleWebKit/537.36 (KHTML, like Gecko) Chromium/103.0.5060.129 Chrome/103.0.5060.129 Safari/537.36",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 15_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/19G82 Instagram 306.0.0.20.118 (iPhone12,1; iOS 15_6_1; en_GB; en; scale=2.00; 828x1792; 529083166) NW/3",
    "Mozilla/5.0 (Linux; Android 6.0.1; SM-G532MT Build/MMB29T; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/99.0.4844.88 Mobile Safari/537.36 [FB_IAB/FB4A;FBAV/436.0.0.35.101;]",
    "Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.0.0) Gecko/20020623 Debian/1.0.0-0.woody.1"
]);
// Front Door Standard/Premium access logs land in AzureDiagnostics under the CDN resource provider
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.CDN" and Category contains "FrontDoorAccessLog"
| where TimeGenerated >= ago(30d)
// 'in' is case-sensitive in KQL; use 'in~' if you want a case-insensitive match
| where userAgent_s in (userAgents)
// hourly buckets per user agent show whether hits are a steady trickle or a sudden burst
| summarize count() by bin(TimeGenerated, 1h), userAgent_s
| render columnchart
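The same matching logic as the KQL query above, applied offline to web-server access logs in the common combined format (nginx/Apache default), as an added example that is not part of the original post and not code from witha.name. It goes a step further than the query by also counting hits per client IP, which is what you need before deciding on a block. The user agent list is a subset of the published strings above; the log lines, IP addresses and timestamps are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Subset of the DDoSia user agents published on witha.name (exact strings).
DDOSIA_USER_AGENTS = frozenset([
    "AppleCoreMedia/1.0.0.23A344 (Macintosh; U; Intel Mac OS X 14_0; da_dk)",
    "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20021208 Debian/1.2.1-2",
    "Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.0.0) Gecko/20020623 Debian/1.0.0-0.woody.1",
    "Mozilla/5.0 (Linux; Android 13; SM-F711U) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Mobile Safari/537.36 EdgA/114.0.1823.43",
])

# Combined log format: client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (not real traffic): two attack-like clients, one normal browser, one unparseable line.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Jan/2025:09:00:05 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20021208 Debian/1.2.1-2"
203.0.113.10 - - [20/Jan/2025:09:00:06 +0100] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20021208 Debian/1.2.1-2"
198.51.100.7 - - [20/Jan/2025:09:00:07 +0100] "GET /search?q=a HTTP/1.1" 503 0 "-" "AppleCoreMedia/1.0.0.23A344 (Macintosh; U; Intel Mac OS X 14_0; da_dk)"
192.0.2.44 - - [20/Jan/2025:09:30:00 +0100] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
198.51.100.7 - - [20/Jan/2025:10:15:00 +0100] "GET / HTTP/1.1" 503 0 "-" "Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.0.0) Gecko/20020623 Debian/1.0.0-0.woody.1"
garbage line that does not parse
"""


def parse_line(line):
    """Parse one combined-format log line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    return rec


def find_ddosia_hits(lines, user_agents=DDOSIA_USER_AGENTS):
    """Exact-match user agents against the published list, like `userAgent_s in (userAgents)`.

    Returns hourly counts (the KQL bin), counts per client IP (for rate limiting or
    blocking decisions) and per user agent, plus the number of lines that did not parse.
    """
    per_hour, per_ip, per_ua = Counter(), Counter(), Counter()
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["ua"] not in user_agents:  # case-sensitive, same as KQL 'in'
            continue
        hour = rec["time"].replace(minute=0, second=0, microsecond=0)
        per_hour[hour.isoformat()] += 1
        per_ip[rec["ip"]] += 1
        per_ua[rec["ua"]] += 1
    return {
        "per_hour": dict(per_hour),
        "per_ip": dict(per_ip),
        "per_ua": dict(per_ua),
        "unparsed": unparsed,
    }


def hits_for_sample():
    """Run the detection over the constructed sample log."""
    return find_ddosia_hits(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    import sys
    # Usage: python ddosia_ua.py access.log   (no argument: run on the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            result = find_ddosia_hits(fh)
    else:
        result = hits_for_sample()
    for key, value in result.items():
        print(key, value)
```

Two caveats when using this against real traffic. The published strings are ordinary browser and app user agents, so a single hit does not prove attack traffic; look at the per-IP counts and request rate before blocking, and prefer rate limiting over a hard block for addresses with only a handful of matches. And because DDoSia configurations change between versions, reload the list from the current published configuration rather than hard-coding it as done here for the example.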


This post will be updated with further information if I have news.