Technology Powerhouse VPN products can be abused for large-scale DDoS attacks

07:35 23 February 2021 Source: zdnet.com


Botnet operators are abusing VPN servers from VPN provider Powerhouse Management as a way to bounce and amplify junk traffic part of DDoS attacks.


This new DDoS vector has been discovered and documented by a security researcher who goes online as Phenomite, who shared his findings with ZDNet last week.

The researcher said the root cause of this new DDoS vector is a yet-to-be-identified service that runs on UDP port 20811 on Powerhouse VPN servers.

Phenomite says that attackers can ping this port with a one-byte request, and the service will often respond with packets that are up to 40 times the size of the original packet.


Since the requests are UDP-based, their source IP address can be spoofed. This means an attacker can send a single-byte UDP packet to a Powerhouse VPN server with the victim's address as the source, and the server will send its much larger reply to the victim instead, in what security researchers call a reflected/amplified DDoS attack.

Attacks already detected in the wild

Both Phenomite and ZDNet have reached out to Powerhouse Management to notify the company about its products' behavior, seeking to ensure that a patch is deployed to its servers that would prevent its VPN infrastructure from being abused in future DDoS attacks.

However, the company has not responded to any of our emails.

Furthermore, we also learned today that threat actors have also discovered this DDoS attack vector, which they have already weaponized in real-world attacks, some of which have reached as much as 22 Gbps, sources have told ZDNet.


Around 1,520 Powerhouse VPN servers ready to be abused

According to a scan performed by Phenomite last week, currently, there are around 1,520 Powerhouse servers that expose their 20811 UDP port, meaning they can be abused by DDoS threat groups.

While servers are located all over the world, most vulnerable systems appear to be "in the UK, Vienna, and Hong Kong," the researcher told ZDNet.

Until Powerhouse fixes this issue, the researcher has recommended that companies either block all traffic that comes from the VPN provider's networks (AS21926 and AS22363) or block only traffic whose UDP source port ("srcport") is 20811.

The second solution is recommended, as it doesn't block legitimate VPN traffic from all Powerhouse VPN users but only "reflected" packets that are most likely part of a DDoS attack.
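To make the trade-off between the two mitigations concrete, here is an added example (not code from the article or from Powerhouse) that applies both rules to a few constructed flow records and reports how much of the flagged traffic is reflected junk versus legitimate VPN sessions. The Powerhouse address ranges are placeholders, since the article only names the ASNs, and the flow records are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# UDP source port of the reflected replies, as reported in the article.
REFLECTED_SRC_PORT = 20811
# Placeholder prefixes standing in for the AS21926/AS22363 ranges (not real data).
PLACEHOLDER_PROVIDER_PREFIXES = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


def is_reflected(flow: Flow) -> bool:
    """Port-based rule: only replies from the abused UDP service are matched."""
    return flow.proto == "udp" and flow.src_port == REFLECTED_SRC_PORT


def is_from_provider(flow: Flow, prefixes=PLACEHOLDER_PROVIDER_PREFIXES) -> bool:
    """ASN/prefix-based rule: every flow from the provider is matched, VPN users included."""
    addr = ip_address(flow.src_ip)
    return any(addr in prefix for prefix in prefixes)


def summarize(flows, window_seconds: float):
    """Return (flows hit by the port rule, their aggregate rate in Gbps)."""
    hits = [f for f in flows if is_reflected(f)]
    total_bits = sum(f.bytes for f in hits) * 8
    return hits, total_bits / window_seconds / 1e9


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bandwidth amplification: response size divided by request size."""
    return response_bytes / request_bytes


# Constructed one-second flow sample: a reflected flood, a legitimate VPN session
# from the same provider prefix, and an unrelated DNS reply.
SAMPLE_FLOWS = [
    Flow("198.51.100.10", 20811, "192.0.2.7", 4444, "udp", 1_000_000, 1_400_000_000),
    Flow("198.51.100.20", 1194, "192.0.2.8", 51000, "udp", 50_000, 60_000_000),
    Flow("192.0.2.53", 53, "192.0.2.9", 33000, "udp", 10, 2_000),
]
```

Running `summarize(SAMPLE_FLOWS, 1)` flags only the port-20811 flood (about 11.2 Gbps here), while `is_from_provider` also matches the legitimate VPN session, which is why the port-based rule is the less disruptive choice.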

Phenomite's discovery adds to a long list of new DDoS amplification vectors that have been disclosed over the past three months. Previous disclosures included the likes of:


  • Citrix ADC gateways
  • Windows RDP servers
  • Plex media servers



