Posted on February 24, 2021 at 7:26 PM
The servers of VPN provider Powerhouse have been compromised by botnet operators to launch Distributed Denial of Service (DDoS) attacks, reports reveal.
An anonymous security researcher shared details of the attack with ZDNet last week. Powerhouse has not responded to emails sent to the company for more comments about the DDoS attack.
The report claimed that hackers have already weaponized the compromised VPN servers and that they have been used in real-world attacks.
About 1,500 Powerhouse VPN servers have been compromised as a result of the DDoS attack.
The researcher also said that the root cause of the new DDoS attack vector is not yet clear, but it has been confirmed that the vector runs on UDP port 20811 on the company’s servers.
The researcher also revealed that the attackers send a one-byte request to that port, and the service responds with packets more than 35 times the size of the original request.
Packets can be modified
The researcher revealed that the UDP packets can be modified to carry a forged return IP address. As a result, the threat actor can easily send single-byte UDP packets to the Powerhouse VPN server, which multiplies their size and sends the much larger responses to the victim’s IP address.
Admins should block traffic from port 20811
The anonymous researcher also shared his findings on GitHub. The researcher pointed out that Powerhouse has thousands of servers all over the world, but the servers most at risk are those based in Hong Kong, Vienna, and the UK.
Since Powerhouse has not responded to the attack yet, the researcher has advised admins to block any traffic coming from port 20811 to reduce the risk of their servers being affected by a DDoS attack.
ZDNet has also contacted Powerhouse management to make sure a patch is provided to keep servers secure from future DDoS attacks.
Another solution has been recommended by the researcher. The solution doesn’t block genuine traffic coming from all Powerhouse users. It only blocks “reflected” packets that are generally part of the DDoS attack.
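As an added illustration (not part of the original report or the researcher’s GitHub material), here is a small Python detector for the reflected-traffic pattern described above: inbound UDP flows whose source port is 20811, arriving from several reflectors, with responses far larger than the one-byte probe. The flow-record format and the sample records are constructed for this example.

```python
from collections import defaultdict

# Constructed flow records (not from the article): proto src sport dst dport pkts bytes
SAMPLE_FLOWS = """\
udp 203.0.113.10 20811 198.51.100.7 443 120 54000
udp 203.0.113.11 20811 198.51.100.7 443 110 49500
udp 203.0.113.12 20811 198.51.100.7 443 100 45000
udp 192.0.2.5 51515 203.0.113.10 20811 1 1
udp 203.0.113.10 20811 192.0.2.9 33333 4 1800
tcp 203.0.113.20 20811 198.51.100.7 443 5 500
"""

REFLECTOR_PORT = 20811    # UDP service port abused for reflection (from the article)
REQUEST_SIZE = 1          # the probe is a single byte (from the article)
MIN_AMPLIFICATION = 35.0  # amplification factor reported in the article

def parse_flows(text):
    """Parse whitespace-separated flow records into dicts (assumed log format)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, sport, dst, dport, pkts, nbytes = line.split()
        flows.append({"proto": proto, "src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "pkts": int(pkts), "bytes": int(nbytes)})
    return flows

def find_reflection_victims(flows, min_reflectors=2):
    """Group inbound UDP flows sourced from the reflector port by destination.
    A destination fed by several reflectors whose average response is at least
    MIN_AMPLIFICATION times the one-byte probe is flagged as a likely victim;
    a single reflector alone is ignored, since it may be a genuine VPN session."""
    per_victim = defaultdict(lambda: {"reflectors": set(), "pkts": 0, "bytes": 0})
    for f in flows:
        if f["proto"] != "udp" or f["sport"] != REFLECTOR_PORT:
            continue
        v = per_victim[f["dst"]]
        v["reflectors"].add(f["src"])
        v["pkts"] += f["pkts"]
        v["bytes"] += f["bytes"]
    findings = {}
    for dst, v in per_victim.items():
        amp = (v["bytes"] / v["pkts"]) / REQUEST_SIZE
        if len(v["reflectors"]) >= min_reflectors and amp >= MIN_AMPLIFICATION:
            findings[dst] = {"reflectors": len(v["reflectors"]),
                             "amplification": round(amp, 1), "bytes": v["bytes"]}
    return findings
```

In the sample data only 198.51.100.7 is flagged: it receives traffic from three reflectors at roughly 450 bytes per packet, while the lone response to 192.0.2.9 is treated as a possible legitimate session.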
The researcher’s discovery is another addition to a long list of DDoS amplification vectors security researchers have revealed within the past three months.
Other incidents include the attacks on Plex Media Server, Windows RDP servers, and Citrix ADC gateways.
Threat actors taking advantage of internet-exposed devices
Both the Plex Media attacks and Windows RDP attacks occurred last month. For the Plex media attack, threat actors found ways to amplify DDoS attacks.
The company alerted owners of the devices that work through Plex servers about the attack. Plex Media is a web application for Linux, Mac, and Windows systems. It is used for audio and video streaming as well as multimedia asset management.
The threat actors also find their targets easily, as they only need to scan for internet-exposed devices and abuse them to amplify web traffic.
About two weeks after the attack on Plex Media, hackers also abused Windows Remote Desktop Protocol (RDP) systems to amplify junk traffic.
However, some RDP servers were still resistant, especially those servers with RDP authentication on UDP port 3389.
The Netscout researchers who discovered the attack stated that threat actors can send specially crafted UDP packets to the server’s UDP ports. The responses are reflected toward the DDoS target and amplified in size, leading to enormous junk traffic reaching the victim’s system.
The DDoS amplification factor enables threat actors with limited resources to execute large-scale DDoS attacks, using internet-exposed systems as tools to amplify junk traffic.