Popular VPN service hijacked to carry out massive DDoS attacks


Update, 24 Feb, 2021: A spokeswoman for Powerhouse informs us that they've patched the vulnerability within an hour of discovery, and after analyzing their infrastructure, report that their servers weren't breached. The company pins the blame for the vulnerability on the Chameleon protocol that helps circumvent VPN blocks. 

She adds, “Powerhouse currently has measures in place within the software development process to identify and mitigate potential security vulnerabilities or exploits. The company continues its evaluation and is updating its practices to detect and mitigate these types of vulnerabilities in the future.”

The original article continues below

Botnet operators have managed to infiltrate the servers of VPN provider Powerhouse Management and are exploiting them to launch Distributed Denial of Service (DDoS) attacks.

Details about the compromised servers were shared by an anonymous security researcher with ZDNet last week.

Powerhouse did not answer emails from either the security researcher or ZDNet, but ZDNet has learnt that the compromised VPN servers have already been weaponized and are in use in real-world attacks - although TechRadar Pro has been unable to verify the authenticity of these claims.

Thousands of servers at risk

As per the anonymous security researcher, who shared his findings publicly on GitHub, the threat actors have managed to find and exploit a service running on UDP port 20811 on Powerhouse’s servers.

“Powerhouse Management products - either Outfox (a latency reduction VPN service) or VyprVPN (a general vpn service) are exposing an interesting port - port 20811 which provides a massive data and packet amplification factor when probed with any single byte request,” the researcher observed.

What this means is that attackers can use this port to bounce an amplified packet to the IP address of the victim of the DDoS attack. The researcher notes that a scan reveals over 1500 Powerhouse VPN servers with UDP port 20811 exposed, each of which can potentially be used to launch a DDoS attack.

The researcher told ZDNet that while Powerhouse has servers all over the world, the most vulnerable seem to be “in the UK, Vienna, and Hong Kong.”

Until Powerhouse responds and addresses the issue, the researcher suggests that network admins block any traffic that comes from port 20811, in order to mitigate the risk of a DDoS attack against their networks.
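From the network defender's side, the reflected half of the attack described above is easy to recognise in flow data: many UDP packets from many different VPN-server addresses, all carrying source port 20811, converging on a single victim. The following script is an added example written for this article, not code from the researcher, ZDNet or Powerhouse. It parses flow records in a constructed, simplified NetFlow-like text format (the format, the sample addresses and the alert thresholds are assumptions for the example) and reports destinations that receive reflected traffic from several such sources, which is the signal a SOC would alert on before applying the port-based block the researcher suggests.

```python
"""Flag suspected UDP amplification traffic reflected off port 20811.

Added example (not from the article or Powerhouse). Input records use a
constructed one-line format:  proto src_ip:port dst_ip:port packets bytes
"""
from collections import defaultdict
from dataclasses import dataclass

REFLECTOR_PORT = 20811   # the exposed UDP port named in the article
MIN_REFLECTORS = 3       # assumption: distinct source IPs needed before alerting
MIN_BYTES = 10_000       # assumption: bytes per destination needed before alerting


@dataclass
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    octets: int


def parse_flow(line):
    """Parse one constructed flow record into a Flow."""
    proto, src, dst, pkts, octets = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(proto.upper(), src_ip, int(src_port), dst_ip, int(dst_port),
                int(pkts), int(octets))


def is_reflected(flow):
    """Reflected amplification traffic is UDP *sourced from* the reflector port.

    Source port, not destination port, is the tell: the victim never sent the
    request, so it only ever sees replies coming back from port 20811.
    """
    return flow.proto == "UDP" and flow.src_port == REFLECTOR_PORT


def summarise(flows):
    """Per destination IP: distinct reflector sources, packets and bytes received."""
    per_dst = defaultdict(lambda: {"sources": set(), "packets": 0, "octets": 0})
    for f in flows:
        if is_reflected(f):
            entry = per_dst[f.dst_ip]
            entry["sources"].add(f.src_ip)
            entry["packets"] += f.packets
            entry["octets"] += f.octets
    return per_dst


def suspected_victims(flows):
    """Destinations hit by reflected traffic from several sources at once.

    Returns (dst_ip, source_count, packets, octets) tuples, largest first.
    A single source sending a little traffic from port 20811 is not flagged,
    since a lone VPN server talking to one of its own users looks the same.
    """
    hits = []
    for dst, s in summarise(flows).items():
        if len(s["sources"]) >= MIN_REFLECTORS and s["octets"] >= MIN_BYTES:
            hits.append((dst, len(s["sources"]), s["packets"], s["octets"]))
    return sorted(hits, key=lambda h: h[3], reverse=True)


# Constructed sample: four reflectors converge on 203.0.113.10; one benign
# low-volume flow from a single server; a DNS reply; and a TCP flow that
# happens to use port 20811 and must be ignored.
SAMPLE_FLOWS = [
    "UDP 198.51.100.1:20811 203.0.113.10:443 120 150000",
    "UDP 198.51.100.2:20811 203.0.113.10:443 110 140000",
    "UDP 198.51.100.3:20811 203.0.113.10:53 130 160000",
    "UDP 198.51.100.4:20811 203.0.113.10:8080 90 120000",
    "UDP 198.51.100.1:20811 192.0.2.5:51234 4 2048",
    "UDP 192.0.2.9:53 203.0.113.10:45000 1 120",
    "TCP 198.51.100.5:20811 203.0.113.10:443 10 5000",
]


def analyse(lines):
    """Convenience wrapper: parse raw lines and return the suspected victims."""
    return suspected_victims(parse_flow(l) for l in lines)


if __name__ == "__main__":
    for dst, n_src, pkts, octets in analyse(SAMPLE_FLOWS):
        print(f"{dst}: {n_src} reflectors, {pkts} packets, {octets} bytes "
              f"from UDP source port {REFLECTOR_PORT}")
```

Run against the sample, the only destination reported is 203.0.113.10, with four reflectors and 570,000 bytes; the lone 2 KB flow to 192.0.2.5 stays below both thresholds. The researcher's interim mitigation maps onto a firewall rule that drops inbound UDP with source port 20811 (for example `iptables -A INPUT -p udp --sport 20811 -j DROP`); the caveat is that such a rule also discards legitimate replies from those VPN servers to any of your own users, so rate-limiting or scoping the rule to the attacked prefix is worth considering where that matters.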

Via: ZDNet

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.