Looks like #NoName057 went after Israeli websites. Was it the first time? Any clues what could have provoked it?
tags: #DDOSIA #ddos #israel #noname #noname057 #russia
There's another variation of the NoName copycat shakedowns - there's a group who aren't doing any DDoS, they're just getting the list of actual NoName victims, then emailing them as "NoName057" demanding Bitcoin for the attacks to stop.
Again, it's very unlikely it's actually NoName - the play appears to be, because NoName are super successful (by just doing layer 7), people are surfing off it for money from confused victims who don't even know what NoName is.
PSA for defenders, somebody appears to be copying NoName and doing shakedowns for Bitcoin payment.
They do a copycat layer 7 attack (the tooling real NoName use is basically lifted from GitHub), and then follow up with an email from "NoName057" for payment.
I'd strongly advise not paying and make sure your sites are behind a cloud WAF with rate limiting configured, and have origin IP not internet accessible.
It's very unlikely the people doing this one are actually NoName.
Ministry of Defence Police’s website is still down 18 days later. The latest is they’ve tried to move it behind Cloudflare, but don’t know how to configure DNS.
New configuration detected for DDosia. Hosts:
https://witha.name/data/2024-12-17_07-35-02_DDoSia-target-list-full.json
#ThreatIntel #Ddosia #NoName
NoName Germany tracking thread for the week outsourced 😅 #noname #threatintel
Shockingly high effectiveness today — most sites are down.
#DDoS #threatintel
NoName have started testing against Germany. Targets so far are all banks, remarkably successful too - they’re targeting the origin IP to avoid WAF.
NoName trying to get their supporters to find German media contacts, I’m guessing next week is Germany week.
MOD Police’s website is still down, 8 days later.
After targeting Fr websites this weekend #Noname switched this morning to Dk websites…
NoName have moved on to France, as… Trump is there 🫡 or something.
I’ll stop tracking threads now as I’m selfish. Although I do enjoy being an undercover Russian, and Russian sense of humour is pretty good (and odd).
NoName impact summary for the day is basically the same as it began, the sites online and offline are still the same as when the attacks began for the day.
https://www.mod.police.uk/ is still down
Impact tracker: https://stats.uptimerobot.com/TlxHfUlrvc
NoName UK run continues. They're reusing same targets and target config from prior attacks.
Config snapshot for today:
Here's today's NoName impact tracking
Public services: https://stats.uptimerobot.com/TlxHfUlrvc
Private companies/orgs: https://stats.uptimerobot.com/fseoaKBaYk
Medway.gov.uk have done a really good trick to evade NoName - they've disabled their search function. NoName just stuff search with random strings which overloads CPU, it's a really good way to mitigate the problem quickly.
In terms of yesterday's targets, https://www.mod.police.uk is still down, along with https://www.cityofelycouncil.org.uk/
Ministry of Defence Police have not mentioned it anywhere
tags: #noname #threatintel
to: https://social.circl.lu/users/NoName57Bot
NoName UK targets for today. I'm many hours late again as I've been busy doing actual work, @NoName57Bot for live config updates.
All of these are prior targets from prior months, with the same config as before.
I'll set up the uptime tracking now so we see how many implemented mitigations from previous runs or ignored it/didn't have the budget to do anything.
NoName’s main Russian Telegram channel has been shut down this evening.
If anybody from NCA/NCSC etc that are dealing with Telegram follow me, get them to nuke:
https://t.me/noname05716engver
https://t.me/CyberArmyofRussiaReborn
https://t.me/+LpLxgU4upoYxMzQ8
https://t.me/+c6nkFWrv5XA3OTU0
https://t.me/Not_Realy_DDoSia_Bot
https://t.me/c/2013394917/1/4069
Email account:
noname057_16_official@proton.me
This is 100% of their messaging infrastructure.
As a review of the NoName UK activity for the day
13 sites targeted
3 down at end of day (MOD Police, City of Ely Council, North East Combined Authority)
Councils did a really good job - Belfast City, Crewe Town Council, Eastleigh, Northeast and Leicester had no downtime at all. Dover, Southampton and Portsmouth recovered during the day.
National Rail had zero downtime. HHA (Harwich Haven Authority) recovered a few hours ago.
This is a good blog for NoName defence if you use Azure Application Gateway or Azure Front Door
tl;dr you need to put Azure Web Application Firewall in front, and config specific rate limiting rules, and set them to block. Azure DDoS Protection doesn't work for NoName due to it being layer 7.
The big caveat is you'd have to manually identify and configure rate limited IPs - which is about a thousand and change as they're driven by volunteers' PCs.
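An added example, not part of the original posts: a log triage script for the search-stuffing pattern described earlier (random strings pushed into site search), producing the per-client list that the rate-limiting caveat above says has to be identified manually. The combined log format, the `/search` path, the `q` parameter, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined-log-format request line: client IP, timestamp, request target.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" \d{3}')

def find_search_stuffers(log_text, search_path="/search", param="q",
                         min_per_minute=5, min_unique_ratio=0.9):
    """Map client IP -> peak searches per minute, for clients whose busiest
    minute is both high-volume and made almost entirely of distinct terms."""
    buckets = defaultdict(list)  # (ip, minute) -> search terms seen
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        ip, ts, target = m.groups()
        url = urlsplit(target)
        if url.path.rstrip("/") != search_path:
            continue  # only the search endpoint is of interest here
        term = parse_qs(url.query).get(param, [""])[0]
        buckets[(ip, ts[:17])].append(term)  # ts[:17] is dd/Mon/yyyy:HH:MM
    flagged = {}
    for (ip, _minute), terms in buckets.items():
        unique_ratio = len(set(terms)) / len(terms)
        if len(terms) >= min_per_minute and unique_ratio >= min_unique_ratio:
            flagged[ip] = max(flagged.get(ip, 0), len(terms))
    return flagged

def _line(ip, sec, path):
    # Helper that builds one constructed log line (documentation-range IPs).
    return f'{ip} - - [17/Dec/2024:07:35:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512'

# Constructed sample: one client stuffing random terms, one ordinary visitor
# repeating a real query, one client browsing a non-search page.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s, f"/search?q={t}") for s, t in enumerate(
        ["xkqjzv", "pplwre", "zzytqa", "mnbvcx", "qwhjkl", "rtyfgh"])]
    + [_line("198.51.100.20", s, "/search?q=bin+collection") for s in (3, 9, 40)]
    + [_line("198.51.100.21", s, "/council-tax") for s in range(10, 20)]
)

if __name__ == "__main__":
    for ip, peak in sorted(find_search_stuffers(SAMPLE_LOG).items()):
        print(f"{ip} peak_searches_per_minute={peak}")
```

The flagged addresses are candidates for a WAF rate-limit or block rule; thresholds need tuning against normal search traffic for the site.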
Portsmouth City Council have stuck Azure WAF in front of their Azure Application Gateway site and managed to get it back online! https://www.portsmouth.gov.uk/
https://www.mod.police.uk/ is on 7 hours of downtime, their host appears to have deleted them now.
UK public service impact tracker https://stats.uptimerobot.com/TlxHfUlrvc
UK private company impact tracker https://stats.uptimerobot.com/fseoaKBaYk
From yesterday, the DDoS has stopped but Keighley council's website has been suspended by their webhost.
Albion Water's website has been deleted apparently.