NoName057(16) are targeting the UK today, so I shall start monitoring them and naming their targets and attack types.

Their targeting: https://raw.githubusercontent.com/GossiTheDog/Monitoring/main/NoName/targets_2023_12_07_11am.txt

Currently:

#threatintel #noname
Keep up, NoName. Edit: to be clear I mean catch up as I already named these.
quick question - would publishing the NoName DDoS targets in a format like this each day be valuable?

I just had a quick workflow play, I think I can do it.

#threatintel
This is how NoName[16] are DDoSing West Yorkshire Metro.. apparently it's enough to cause Azure App Gateway to fall over.
I wrote this up: https://doublepulsar.com/tracking-russias-noname057-16-attempts-to-ddos-uk-public-services-057e8ab54fe4
Later today #NoName will announce they are attacking:

Target list: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2023_12_08_10am.txt

#precrime #threatintel
Today's #NoName DDoS targets #threatintel

Target list: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2023_12_11_11am.txt
#NoName DDoS targets, UK and Norway. Includes a failed attempt at Rishi Sunak's website. #threatintel

Target list: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2023_12_11_3pm.txt
Here's the full targeting for Rishi's site:
Here's the #NoName targets today. #threatintel

Target list: https://github.com/GossiTheDog/Monitoring/tree/main/NoName
#NoName targets this afternoon. #threatintel

Target list: https://github.com/GossiTheDog/Monitoring/tree/main/NoName
#NoName targets this afternoon are the same as yesterday, apparently they took Friday off. Target list: https://github.com/GossiTheDog/Monitoring/tree/main/NoName

They photoshopped ebrd being offline. https://www.ebrd.com/what-we-do/war-on-ukraine

#threatintel
#NoName reran a bunch of prior targets over the past 3 days, e.g. the targeting of the same UK sites again. #threatintel

Some new targets this morning:

Target list: https://github.com/GossiTheDog/Monitoring/tree/main/NoName
#NoName plan to announce Sweden as DDoS targets later today.

Targets:

Target list and config: https://github.com/GossiTheDog/Monitoring/tree/main/NoName

I have all of NoName's targeting in Excel if data needed.
The screenshots are obviously the condensed version, they do webapp floods primarily, e.g.
#NoName DDoS will be going to Italy today.

Their target list:

Target list and config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2023_12_21_10am.txt

#threatintel
#NoName DDoS Finland today, as usual they failed to DDoS most of their targets properly.

Target list and config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2023_12_22_11am.txt #threatintel
Btw #NoName use hardcoded server 94.140.115.89 as a C2, and there's no auto update in their DDoS agent which volunteers install, if anybody wants to disrupt them to the point where they have to beg people to reinstall the agent.
#NoName swapped some of their targets

Config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2023_12_22_8pm.txt #threatintel
#NoName are targeting the UK again today… but it’s the same targets for the last four weeks.

I think it is a state-sponsored operation as they’re trying to meet targets and look busy.. they make even cyber hacktivism boring. I imagine David Brent is the office manager, doing an OKR dance.

#threatintel
#NoName DDoS target list today

Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2023_12_23_1pm.txt

#threatintel
#NoName DDoS targets for Xmas eve, mix of Sweden and Italy.

Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2023_12_24_6pm.txt

#threatintel
#NoName DDoS targets on Xmas Day 🎄

Netherlands and Iceland, includes a bike shed.

Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2023_12_25_4pm.txt
#NoName DDoS targets today will be in Lithuania

Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2023_12_26_1pm.txt

#threatintel
If it helps anybody prepare for attacks like this, here's an example - init.lt is a telco in country, here's the attacker config.

The infrastructure is on prem.
#NoName don't have much bandwidth as Ddosia is small, what they rely on is webapps failing over under stress.

Each campaign NoName run has a unique ID - when they find an easily downable target, they save the target campaign details and rerun it in the future over and over again on different days to make themselves appear busy.
#NoName DDoS targets for today are in Czech Republic.

Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2023_12_27_10am.txt

#threatintel
#NoName will announce targeting of UK later today. Some new targets this time.

Targets:

Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2023_12_28_10am.txt

#threatintel
Well done to NoName for attempting to DDoS a website that doesn't even exist any more.
And there's the announcement. They're so upset at Rishi they stopped trying to DDoS his website, as they failed last time.
Does anybody have NCSC UK contacts who could give Cranbrook Town Council a heads up they need to hide their origin server?

They went behind Cloudflare as this is the 4th time, but they left their web server on Zen Internet exposed to everybody - so the attackers are still targeting that. It’s in the spreadsheet screenshot above.
FWIW I’m a Councillor there. Not responsible for the IT otherwise this wouldn’t still be outstanding.

But long/short is, they know, as does the IT company whose Zen reseller account server it’s on.

But they all decided to go home for Christmas and leave it outstanding.

Not my dad’s pub… 🤦🏻‍♂️
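The origin-exposure problem discussed in the exchange above (site moved behind Cloudflare, web server still reachable directly) can be audited offline. This is an added example, not code from the thread's author: the hostnames, firewall rule format and the `203.0.113.10` origin address are constructed, and the three CDN ranges are an assumed sample subset that should be replaced with the provider's current published list.

```python
import ipaddress

# Assumption: sample subset of the CDN's published edge ranges. In practice,
# load the provider's current published list instead of hardcoding it.
CDN_RANGES = [ipaddress.ip_network(c) for c in
              ("104.16.0.0/13", "172.64.0.0/13", "173.245.48.0/20")]
WEB_PORTS = {80, 443}

# Constructed zone data: the site itself is proxied, two leftovers are not.
DNS_RECORDS = [
    ("www.example-council.test", "A", "104.16.10.20"),
    ("example-council.test", "A", "172.64.1.1"),
    ("mail.example-council.test", "A", "203.0.113.10"),
    ("old.example-council.test", "A", "203.0.113.10"),
    ("example-council.test", "MX", "mail.example-council.test"),
]

# Constructed origin firewall rules, before and after lock-down.
RULES_BEFORE = [
    {"port": 443, "source": "0.0.0.0/0", "action": "allow"},
    {"port": 80, "source": "0.0.0.0/0", "action": "allow"},
    {"port": 22, "source": "198.51.100.0/24", "action": "allow"},
]
RULES_AFTER = [
    {"port": 443, "source": "104.16.0.0/13", "action": "allow"},
    {"port": 443, "source": "172.64.0.0/13", "action": "allow"},
    {"port": 443, "source": "173.245.48.0/20", "action": "allow"},
    {"port": 22, "source": "198.51.100.0/24", "action": "allow"},
]


def behind_cdn(ip):
    """True when the address falls inside one of the CDN edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net
               for net in CDN_RANGES)


def leaking_records(dns_records):
    """Hostnames whose A record points straight at a non-CDN address.

    Any of these hands out the origin IP even though the main site is proxied.
    """
    return sorted(name for name, rtype, value in dns_records
                  if rtype == "A" and not behind_cdn(value))


def open_web_rules(firewall_rules):
    """Inbound web rules on the origin that admit sources outside the CDN."""
    findings = []
    for rule in firewall_rules:
        if rule["action"] != "allow" or rule["port"] not in WEB_PORTS:
            continue
        src = ipaddress.ip_network(rule["source"])
        inside = any(src.version == net.version and src.subnet_of(net)
                     for net in CDN_RANGES)
        if not inside:
            findings.append((rule["port"], rule["source"]))
    return findings


if __name__ == "__main__":
    print("records exposing the origin:", leaking_records(DNS_RECORDS))
    print("open web rules before:", open_web_rules(RULES_BEFORE))
    print("open web rules after:", open_web_rules(RULES_AFTER))
```

An empty result from `open_web_rules` is the state that matters here: once the origin only accepts web traffic from the CDN, an attacker who already knows its address gains nothing by targeting it directly.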
#NoName DDoS targets today in Finland

Botnet config: https://github.com/GossiTheDog/Monitoring/tree/main/NoName

#threatintel
#NoName DDoS targets today are Lithuania and Netherlands

Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2023_12_30_4pm.txt

#threatintel
#NoName last DDoS targets of the year, really low effort stuff - just reruns of old campaigns again, largely unsuccessful.

Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2023_12_31_3pm.txt
#NoName forgot to thank Latvia, who continue to support the hosting of their DDoS infrastructure. #threatintel
#NoName DDoS targets for today, which is another rerun on Finland.

Botnet config: https://github.com/GossiTheDog/Monitoring/tree/main/NoName
#NoName DDoS targets today.. Italy again, pretty lazy, same targets, not very successful again.

Botnet config: https://github.com/GossiTheDog/Monitoring/tree/main/NoName

#threatintel
#NoName DDoS targets in Poland today.

Botnet config: https://github.com/GossiTheDog/Monitoring/tree/main/NoName

#threatintel
#NoName DDoS targets today.. Spain.

Botnet config: https://github.com/GossiTheDog/Monitoring/tree/main/NoName

#threatintel
#NoName plan to announce attacks against banking in NATO countries and Ukraine later today, along with a few other 'hacktivist' groups.

They're starting with Ukraine, they will announce some of these.

Botnet config is long today: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_10_10am.txt

#threatintel
Here is an alternative version of the screenshots #NoName post btw.
#NoName targets for today

Botnet config: https://github.com/GossiTheDog/Monitoring/tree/main/NoName

#threatintel
#NoName targets for today are all in Latvia - whose gov protect the host of the C2 server that is hardcoded into binaries (94.140.115.89)

#threatintel
#NoName targets for today - mix of Germany and Finland.

Botnet config, 329 lines: https://github.com/GossiTheDog/Monitoring/tree/main/NoName

#threatintel
Yesterday's #NoName targets - Ukraine and Lithuania

Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_14_3pm.txt

#threatintel
#NoName have added www.bundesfinanzministerium.de to their target list. It didn't take the site offline.

Config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_15_3pm.txt

#threatintel
#NoName didn't like Germany today.

Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_16_8pm.txt

#threatintel
It's that time of the day.. time to find out what #NoName tried to do!

Today, with the protection of Latvia, they DDoS'd Czech, Switzerland and Belgium.

Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_17_6pm.txt

#threatintel
If anybody from the NCSC wants access to my #NoName attack data, ping me. https://www.admin.ch/gov/en/start/documentation/media-releases.msg-id-99736.html

#threatintel
#NoName targets today - Estonia and Switzerland

Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_18_11am.txt

#threatintel
#NoName DDoS targets today, Ukraine and Switzerland

Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_19_3pm.txt

#threatintel
#NoName's botnet is offline as their C2 server is down.

They have published a new version of the client, and require all the users (about 10k) to redownload and reinstall - as such, their DDoS effectiveness will suck for a while.

New C2 server is 94.140.115.64 on port 80 - same ISP as before, Nano.lv in Latvia.

#threatintel
New #NoName #Ddosia client file hashes and C2: https://pastebin.com/qeQCm74V

Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_19_9pm.txt
#NoName have put out DDoS claims just now.. but you may notice the links are taken from 7am UTC, before their C2 server died.

No botnet config dump as it’s offline.

#threatintel
New #NoName DDoS client details and C2 server: https://pastebin.com/psKHZzVs

IP is 94.131.97.202 and hardcoded into client again - ISP https://stark-industries.solutions/ - registered in London https://find-and-update.company-information.service.gov.uk/company/13906017

They have only a fraction of hosts checking in so far, let's nuke from orbit. #threatintel
#NoName DDoS targets - France and Lithuania

C2 server: 94.131.97.202 (UK company)

Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_20_3pm.txt

#threatintel
#NoName DDoS targets - UK and Netherlands

C2 server: 94.131.97.202 (UK front company, Czech location)

Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_21_11am.txt

#threatintel
Yes, #NoName can't even bring down Cranbrook Town Council. One of the councillors replied to me on Mastodon just after Xmas and got their config DDoS proofed 🙌
In a sign that imposing cost on 'hacktivist' DDoS groups works - not a single one of the sites is offline.
How #NoName manipulate their audience (and probably bosses) - they post photoshopped screenshots of outages, and have links to check-host.net - which always show sites down.

E.g. I've attached the report for liverpool.gov.uk just now, which shows as down - but it's actually available.

The net effect is an audience of tens of thousands on Telegram cheering on nothing.

Another example is "Swift card authorization" shown on the list. That sounds bad, right? They mean a bus card.

#threatintel
#NoName DDoS targets for today, Romania.

New client info: https://pastebin.com/6xHh4n8B

New C2: 193.233.193.240 (Huize Telecom in Hong Kong)

Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_22_10am.txt
#NoName DDoS targets for today, Romania again.

New client again, info: https://pastebin.com/Ukckmgf8

New C2: 89.105.201.91 (Novoserve)

#threatintel
New #NoName client

First version crashed on start

https://pastebin.com/nP7bTR9v

New C2: 5.44.42.29 (GIR Network)

#threatintel
#NoName DDoS targets for today, Poland. Only one site is offline due to disrupted capability.

C2: 5.44.42.29 (GIR Network)

Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_24_10am.txt

#threatintel
#NoName DDoS targets for today, France and Finland.

C2: 5.44.42.29 (GIR Network)

Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_25_6pm.txt

#threatintel
New #NoName #Ddosia client file hashes and C2: https://pastebin.com/WJaM0xyE #threatintel
#NoName DDoS targets for today, Finland.

C2: 195.35.19.138 (Hostinger)

Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_26_6pm.txt

#threatintel
#NoName DDoS targets for today, Germany.

C2: 195.35.19.138 (Hostinger, Brazil)

Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_27_3pm.txt

#threatintel
#NoName DDoS targets for today, Ukraine and Finland.

C2: 195.35.19.138 (Hostinger, Brazil)

As part of "NATIONAL DEFENCE HACKATHON" alongside groups 22С, SKILLNET, CyberDragon, Federal Legion, People's Cyber Army, PHOENIX.

Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_28_11am.txt

#threatintel
New #NoName #Ddosia client file hashes and C2:

https://pastebin.com/tCaArzYp

#threatintel
#NoName DDoS targets for today, Ukraine.

New C2: 185.255.123.84 (tinhat.se, physically in Nigeria)

Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_29_1pm.txt

#threatintel
#NoName DDoS targets for today, Netherlands and Greece.

C2: 185.255.123.84 (tinhat.se, physically in Nigeria)

Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_30_9pm.txt

#threatintel
#NoName DDoS targets for today, Finland (they're DDoS'ing Tietoevry, who are currently dealing with a ransomware incident), Lithuania and Germany

C2: 185.255.123.84 (tinhat.se, physically in Nigeria)

Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_01_31_5pm.txt
New #NoName #Ddosia client file hashes and C2:

https://gist.github.com/GossiTheDog/dedcb8c68218782a735394f366d58658

#threatintel
New #NoName #Ddosia client file hashes and C2: https://gist.github.com/GossiTheDog/9905962545501d00cd313ff91ea8d5a3

#threatintel
#NoName DDoS targets for today, Finland.

New C2: 188.116.20.254 - ROKO Networks Ltd - abuse@iroko.net

#threatintel
New #NoName #Ddosia client file hashes and C2: https://gist.github.com/GossiTheDog/9137ecd51ad3b26f4a37dc7c80848bbc
#NoName DDoS targets for today, Finland again

New C2: 45.89.55.4 - Stark Industries Solutions

Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_02_02_4pm.txt

#threatintel
#NoName DDoS targets for today, France.

New C2: 193.233.193.90 - huize.asia, Hong Kong

Botnet config:

https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_02_04_11pm.txt

#threatintel
#NoName DDoS targets, Spain

C2: 193.233.193.90 - huize.asia, Hong Kong

Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_02_05.txt

#threatintel
#NoName claim to have taken down the Spanish navy and airforce (lol) and their proof is check-host links to a ping request (lol). Both sites are online. Ddosia is not.

This is part of a common theme where they try to use the ping and traceroute option to try to prove a site is offline, to mislead people.
#threatintel
New #NoName #Ddosia client file hashes and C2:

https://gist.github.com/GossiTheDog/e56ffe64b9ecdbbc51d33d9e4bf67869

Russian branded version has been mothballed.
#NoName DDoS targets, Spain

New C2 185.234.66.126 - pq.hosting, Netherlands

Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_02_06_1pm.txt
New #NoName #Ddosia client file hashes and C2:

https://gist.github.com/GossiTheDog/6988b27da07e9d8ec1ca6bec5d06033a

Russian branded version is back.

No, this isn't nor was it ever running on toothbrushes.

#threatintel
#NoName DDoS targets, Spain

New C2 45.136.199.235 - IROKO Networks, Romania

Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_02_07_4pm.txt

#threatintel
New #NoName #Ddosia client file hashes and C2:

https://gist.github.com/GossiTheDog/27e65024c71a94f1a06913b8fe74c9fd

#threatintel
#NoName DDoS targets, Spain again

New C2 83.217.9.33 - iptk.ru, Turkey

Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_02_08_10am.txt

#threatintel
New #NoName #Ddosia client file hashes and C2:

https://gist.github.com/GossiTheDog/9243528c7055b4b2d05e5daa9d03a83c
New #NoName #Ddosia client file hashes and C2:

https://gist.github.com/GossiTheDog/f8cbf0039b5463851f61009cea377f20

Yes, they're on their fourth client update today as all their nodes keep getting lost :(

#threatintel
New #NoName #Ddosia client file hashes and C2:

https://gist.github.com/GossiTheDog/f1079fe5486b2e7ac61d2e069caa67d4

#threatintel
#NoName DDoS targets, Spain again

New C2 185.234.66.239 - pq.hosting

Botnet config: https://github.com/GossiTheDog/Monitoring/blob/main/NoName/targets_2024_02_09_2pm.txt

#threatintel
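Because the thread notes that each Ddosia client build carries a hardcoded C2 address, those addresses work as an egress indicator for finding machines on your own network that run the volunteer client. The following is an added example, not code from the thread's author: the C2 set is copied from the posts above, while the `key=value` log format, the internal addresses and the timestamps are constructed for illustration.

```python
import re

# C2 addresses exactly as named in the posts of this thread.
DDOSIA_C2 = {
    "94.140.115.89", "94.140.115.64", "94.131.97.202", "193.233.193.240",
    "89.105.201.91", "5.44.42.29", "195.35.19.138", "185.255.123.84",
    "188.116.20.254", "45.89.55.4", "193.233.193.90", "185.234.66.126",
    "45.136.199.235", "83.217.9.33", "185.234.66.239",
}

# Assumed (hypothetical) firewall log layout; adapt the regex to your own logs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

# Constructed sample log lines, including one that does not parse.
SAMPLE_LOG = """\
2024-01-20T15:02:11Z src=10.0.4.23 dst=94.131.97.202 dport=80 action=allow
2024-01-20T15:02:12Z src=10.0.4.40 dst=198.51.100.7 dport=443 action=allow
2024-01-20T15:07:45Z src=10.0.4.23 dst=94.131.97.202 dport=80 action=allow
2024-01-24T10:15:00Z src=10.0.9.8 dst=5.44.42.29 dport=80 action=deny
garbage line that does not parse
2024-01-24T10:16:30Z src=10.0.4.23 dst=5.44.42.29 dport=80 action=allow
"""


def find_c2_contacts(log_text, c2_set=DDOSIA_C2):
    """Group egress events to known C2 addresses by internal source host.

    Returns (hits, skipped): hits maps source IP to a summary dict, skipped
    counts lines that did not match the expected format, so silent parser
    drift does not look like a clean result.
    """
    hits = {}
    skipped = 0
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            skipped += 1
            continue
        if m["dst"] not in c2_set:
            continue
        h = hits.setdefault(m["src"], {
            "c2": set(), "count": 0, "allowed": 0,
            "first": m["ts"], "last": m["ts"],
        })
        h["c2"].add(m["dst"])
        h["count"] += 1
        if m["action"] == "allow":
            h["allowed"] += 1
        # ISO-8601 UTC timestamps in one format sort correctly as strings.
        h["first"] = min(h["first"], m["ts"])
        h["last"] = max(h["last"], m["ts"])
    return hits, skipped


if __name__ == "__main__":
    found, bad = find_c2_contacts(SAMPLE_LOG)
    for src, info in sorted(found.items()):
        print(src, sorted(info["c2"]), info["count"], "events,",
              info["allowed"], "allowed,", info["first"], "to", info["last"])
    print("unparsed lines:", bad)
```

A host that follows the client from one C2 address to the next, like `10.0.4.23` in the sample, indicates a reinstalled or updated agent rather than a stray connection.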