{"id":586545,"date":"2025-03-12T08:19:14","date_gmt":"2025-03-12T06:19:14","guid":{"rendered":"https:\/\/mybroadband.co.za\/news\/?p=586545"},"modified":"2025-03-12T08:19:20","modified_gmt":"2025-03-12T06:19:20","slug":"x-cyberattack-targeted-vulnerable-servers","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/security\/586545-x-cyberattack-targeted-vulnerable-servers.html","title":{"rendered":"X cyberattack targeted vulnerable servers"},"content":{"rendered":"\n<p>A cyberattack that brought down Elon Musk\u2019s X targeted servers that were insufficiently protected from malicious traffic, according to cybersecurity analysts.<\/p>\n\n\n\n<p>Users of the social media platform faced intermittent outages through Monday, which Musk blamed on a \u201clarge, coordinated group\u201d or country waging a \u201cmassive cyberattack.\u201d <\/p>\n\n\n\n<p>He didn\u2019t provide any additional specifics to bolster his claim.<\/p>\n\n\n\n<p>J\u00e9r\u00f4me Meyer, security researcher with Nokia Deepfield, a business unit within Nokia Oyj, said X had been targeted in a distributed denial-of-service attack, or DDoS, which floods a website with traffic and forces it offline. <\/p>\n\n\n\n<p>Meyer said he was able to track the attack by reviewing data collected through Nokia\u2019s Deepfield, which is deployed inside telecommunications companies and provides analytics and DDoS protection.\u00a0<\/p>\n\n\n\n<p>The waves of traffic targeted particular \u201corigin servers,\u201d which process and respond to incoming internet requests, he said. <\/p>\n\n\n\n<p>Those servers were vulnerable to attack because it appears they weren\u2019t shielded behind technology that blocks DDoS attacks, Meyer said. 
<\/p>\n\n\n\n<p>They \u201cshould not be exposed on the internet,\u201d said Meyer, who added that one of the servers attacked on Monday was still isolated and vulnerable to attack on Tuesday morning.<\/p>\n\n\n\n<p>A representative for X didn\u2019t immediately respond to a request for comment. A pro-Palestinian \u201chacktivist\u201d group called Dark Storm Team took responsibility for the attack without providing any evidence. <\/p>\n\n\n\n<p>Bloomberg News wasn\u2019t able to independently verify the group\u2019s claims.<\/p>\n\n\n\n<p>Ciaran Martin, former head of the UK\u2019s National Cyber Security Centre, said in a BBC radio interview on Tuesday that it \u201clooks like X didn\u2019t implement Cloudflare properly,\u201d referring to the company that offers DDoS protection services. <\/p>\n\n\n\n<p>Martin also said that X had \u201cleft some of its servers in front of rather than behind\u201d Cloudflare\u2019s protection. <\/p>\n\n\n\n<p>\u201cIt\u2019s a bit like having four doors, putting state-of-the-art locks on three of them, and leaving one unlocked,\u201d he said. 
Martin didn\u2019t respond to a request for further comment.<\/p>\n\n\n\n<p>A representative for Cloudflare didn\u2019t immediately respond to a request for comment.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"533\" src=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2023\/07\/Twitter-X-800x533.jpg\" alt=\"\" class=\"wp-image-501734\" srcset=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2023\/07\/Twitter-X-800x533.jpg 800w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2023\/07\/Twitter-X-600x400.jpg 600w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2023\/07\/Twitter-X-768x512.jpg 768w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2023\/07\/Twitter-X.jpg 1200w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><\/figure>\n\n\n\n<p>David Mound, senior penetration tester at cybersecurity firm SecurityScorecard, said most large websites have strong protections against such attacks, including web application firewalls and other security technologies that protect their origin servers from being directly accessed via the internet.<\/p>\n\n\n\n<p>\u201cIf X\u2019s origin servers were exposed or lacked adequate filtering, that would be a fundamental security oversight,\u201d he said. <\/p>\n\n\n\n<p>Protecting origin servers is a well-established best practice for any large-scale web service, Mound said.<\/p>\n\n\n\n<p>Musk suggested in a Fox Business interview Monday that his company had traced IP addresses to the \u201cUkraine area.\u201d However, cybersecurity experts have cast doubt on that claim.<\/p>\n\n\n\n<p>The majority of the devices used to flood X with traffic were located in the US, Mexico, Spain, Italy and Brazil, according to Nokia\u2019s Meyer. 
<\/p>\n\n\n\n<p>These devices were likely under the control of an attacker who could have been located in another country, hiding behind multiple layers of obfuscation to conceal their true identity, he said.<\/p>\n\n\n\n<p>Jason Kikta, a former official with US Cyber Command, said hackers faking the location of web traffic in attacks that overwhelm servers is \u201ctrivial and routine.\u201d<\/p>\n\n\n\n<p>\u201cThe IP addresses a victim sees in a DDoS attack is about as meaningful as describing what kind of ski mask a bank robber was wearing,\u201d said Kikta, now chief information security officer at IT automation firm Automox Inc. <\/p>\n\n\n\n<p>\u201cIt\u2019s a starting point, but not terribly useful.\u201d<\/p>\n\n\n\n<p>Meyer said the attack was linked to a botnet \u2013 computers infected by malicious software and under the control of a hacker \u2013 that included between 10,000 and 20,000 IP addresses. <\/p>\n\n\n\n<p>These were associated with security cameras and network video recorders, which were likely compromised by malicious software, he said.<\/p>\n\n\n\n<p>Many of the devices used in the attack on X were linked to a botnet known as \u201cEleven11bot,\u201d which has previously carried out denial-of-service attacks against communications service providers and gaming hosting infrastructure, said Meyer, who has been tracking the botnet for several weeks.<\/p>\n\n\n\n<p>Following Musk\u2019s acquisition of Twitter in 2022, which he later rebranded as X, more than 100 people working on security and privacy teams left the company, halving the number of personnel who were responsible for protecting its infrastructure from cyberattacks and data breaches, Bloomberg News previously reported.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A cyberattack that brought down Elon Musk\u2019s X targeted servers that were insufficiently protected from malicious 
traffic.<\/p>\n","protected":false},"author":341034,"featured_media":528041,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27],"tags":[11373,99101,99099,99100,405,12761,41650],"class_list":["post-586545","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-elon-musk","tag-jason-kikta","tag-jerome-meyer","tag-nokia-deepfield","tag-twitter","tag-twitter-outage","tag-x"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/586545"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/341034"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=586545"}],"version-history":[{"count":3,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/586545\/revisions"}],"predecessor-version":[{"id":586552,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/586545\/revisions\/586552"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/528041"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=586545"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=586545"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=586545"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}