A massive cyberattack that freezes computers and demands a ransom to open them has hit companies in the U.S. and elsewhere around the world today, U.S. officials and private cybersecurity analysts said.
Among the American targets are the giant Merck pharmaceutical company in New Jersey; the Mondelez food company, which produces Oreo cookies; and a major multinational law firm, DLA Piper.
The malware was initially reported to have spread through a global spam campaign that tricked computer users into running it; once on a machine it locks the user out until a $300 ransom is paid in Bitcoin. According to the cybersecurity firm Kaspersky Lab, the attack had affected about 2,000 users in at least 11 countries so far, with organizations in Russia and Ukraine the most affected.
While several researchers identified the virus as a derivative of the “Petya” ransomware, Kaspersky Lab, which congressional sources told ABC News is itself under FBI scrutiny, disputed that assessment, concluding that the virus was “a new ransomware that has not been seen before” and dubbing it “NotPetya.”
Unlike the WannaCry attack in May, which seized control of hundreds of thousands of computers and spread disruption around the world, today’s ransomware has no known kill switch, researchers told ABC News; a kill switch was what limited the WannaCry attack.
The malware does, however, appear to use the leaked EternalBlue and DoublePulsar tools, developed by the U.S. National Security Agency, to exploit a vulnerability in the Windows SMB file-sharing service and spread quickly through corporate networks whose machines have not applied Microsoft’s patch.
“Many researchers are seeing evidence that the NSA exploits are being used to propagate this,” John Bambenek of Fidelis Cybersecurity told ABC News. “But in this case it’s a whack-a-mole defense. There’s nothing that would shut it down.”
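As an added example (not code from ABC News or from any researcher quoted here) of the telemetry that catches propagation of this sort even when there is no kill switch: the detector below flags any internal host whose outbound SMB connections fan out to many distinct peers inside a short window, which is what a worm sweeping a subnet looks like in a connection log. It assumes a log with one `timestamp src dst dport` record per line and that the propagation rides SMB on TCP/445; the article names the exploits but not the port, so the port and the log format are assumptions, and the sample log is constructed.

```python
"""Worm fan-out detector over a connection log.

Added example, not code from ABC News or the researchers quoted. Assumes the
log carries 'timestamp src dst dport' per line and that propagation rides SMB
on TCP/445 (the article names the exploits, not the port, so 445 is assumed).
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def make_sample_log():
    """Constructed sample log (not real traffic): one host sweeping a subnet,
    one chatty but legitimate file-server client, and some web browsing."""
    base = datetime(2017, 6, 27, 10, 0, 0)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).isoformat()

    lines = []
    # 10.1.1.10 touches twelve distinct peers on 445 inside twelve seconds
    lines += [f"{stamp(i)} 10.1.1.10 10.1.1.{20 + i} 445" for i in range(12)]
    # 10.1.1.50 opens thirty connections to one file server: many flows, one peer
    lines += [f"{stamp(i)} 10.1.1.50 10.1.1.5 445" for i in range(30)]
    # 10.1.1.60 browses a dozen web servers on 443, a port we do not watch here
    lines += [f"{stamp(i)} 10.1.1.60 10.2.0.{i} 443" for i in range(12)]
    return "\n".join(lines)


def parse_flows(text):
    """Parse 'timestamp src dst dport' lines into (datetime, src, dst, port)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def fanout_alerts(flows, port=445, window=timedelta(seconds=60), threshold=10):
    """Return {src: peak_distinct_peers} for sources that reached at least
    `threshold` distinct destinations on `port` within any `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in sorted(flows):
        if dport == port:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        in_window = Counter()   # distinct peers currently inside the window
        left, peak = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            # slide the left edge forward until the window is at most `window` wide
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, peers in fanout_alerts(parse_flows(make_sample_log())).items():
        print(f"ALERT {src}: {peers} distinct SMB peers within one minute")
```

The file-server client is deliberately noisier than the worm (thirty flows against twelve) and is not flagged, because the signal is distinct peers, not connection count; a threshold of ten peers a minute is a starting point to tune against your own baseline of legitimate SMB fan-out (backup jobs and management hosts will need an allow list).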
Early reports indicated the virus affected major companies in Russia and Ukraine as well as the world’s largest shipping firm, Maersk, according to the affected companies and government sources.
Ukraine appears to have been particularly hard hit, with the country’s government reporting that some of its systems, as well as those of key institutions, including banks and telecom providers, were affected.
Merck confirmed on Twitter that its network was infected.
“We confirm our company’s computer network was compromised today as part of global hack,” the company tweeted. “Other organizations have also been affected. We are investigating the matter and will provide additional information as we learn more.”
Mondelez International, the Illinois-based food and drink company, released a statement saying its networks were down.
“The Mondelez International network is experiencing a global IT outage. Our global special situations management team is in place, and they are working to resolve the situation as quickly as possible. We will update as we have more information.”
A spokesperson for DLA Piper, a global law firm with offices in Washington, D.C., confirmed that malware spread to its system, saying, “The firm, like many other reported companies, has experienced issues with some of its systems due to suspected malware. We are taking steps to remedy the issue as quickly as possible.”
Both the Department of Homeland Security and the FBI issued statements indicating that officials were aware of the attack and working to contain it.
“The Department of Homeland Security is monitoring reports of cyber attacks affecting multiple global entities and is coordinating with our international and domestic cyber partners,” said the agency in a statement. “We stand ready to support any requests for assistance. Upon request, DHS routinely provides technical analysis and support. Information shared with DHS as part of these efforts, including whether a request has been made, is confidential.”
“The FBI is aware of the reported global cyber attacks and takes all potential cyber compromises seriously,” an FBI spokesperson told ABC News. “Threat mitigation, as well as bringing the perpetrators of cyber attacks to justice, are the FBI’s top priorities.”
Photos of screens of affected computers and ATMs sent to ABC News and other media outlets showed the following message: “If you see this text, then your files are no longer accessible because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service.”
Maersk reported its IT systems were affected by the attack, with local media showing the same ransom message from the firm’s offices in Rotterdam, Reuters reported.
Russia’s state-owned energy giant Rosneft said it suffered a major attack and in a statement on Twitter said it succeeded in halting it. Workers at another major Russian oil company, Bashneft, told the Russian newspaper Vedomosti that the firm was affected. An analyst at Group-IB told the Russian news site RNS that at least 80 companies were affected in Russia and Ukraine.
In Ukraine the virus struck the country’s government administration. Vice Prime Minister Pavlo Rozenko wrote on Facebook that the Cabinet’s office computers were all locked out. Ukraine’s central bank said a number of banks in the country were hit, as well as a state energy company. Some ATMs in the country were blocked and displayed the lock-out screen. Ordinary Ukrainians reported being unable to use some banking services. Local Ukrainian media reported that the country’s Borispol airport and national rail company were also attacked.
In a post on his Facebook page, Anton Gerashchenko, an adviser to Ukraine’s Interior Ministry, called the cyberattack the worst in the country’s history.
Researchers told ABC News that they do not believe that a nation was behind the attack and suggested that it could have been launched by a lone cybercriminal.
“I think what’s happened here is someone is launching this tool to stock a Bitcoin wallet and is probably just surprised at how effective it is,” said Erik Rasmussen, a former deputy prosecuting attorney and special agent with the U.S. Secret Service who now works for the cybersecurity firm Kroll. “This attack doesn’t have a specific target, so it’s likely ransomware that’s gone awry and is just really good at doing damage.”
Bambenek suggested that the surprise success of the virus has made its creator a top target for law enforcement.
“This individual has just put himself on the top of everybody’s dinner menu,” he said.
The $1 million ransom payment paid last week by South Korean web hosting company Nayana has sparked new extortion attempts on South Korean companies.
According to local media, seven banks have received emails that asked the organizations to pay ransoms of nearly $315,000 or suffer downtime via DDoS attacks.
Only five of the seven targets are publicly known; they are among the country’s biggest financial institutions: KB Kookmin Bank, Shinhan Bank, Woori Bank, KEB Hana Bank, and NH Bank.
Ransom demands made by Armada Collective
The ransom demands were signed “Armada Collective,” a name with a long history behind it.
The group first appeared in 2015, and they are considered one of the hacker groups that popularized ransom DDoS (RDoS) attacks alongside another group known as DD4BC (DDoS-for-Bitcoin).
While Europol apprehended suspects behind the DD4BC group, the people behind Armada Collective were never caught, and their tactics seem to have evolved across time.
Armada Collective and RDoS attacks over time
Radware, a cyber-security company that tracks RDoS attacks on a consistent basis, says the group has gone through two main stages.
In the beginning, the group went after a small number of victims, all from the same industry, and launched demonstration DDoS attacks to prove its claims and force the victims’ hand into paying the ransom.
After a successful extortion of the ProtonMail secure email service in late 2015 that got a lot of media attention, the group appeared to have gone into hiding, but then returned in 2016.
This time around, the group’s tactics changed, and Armada Collective — or impostors posing as the group — only made empty threats, targeting a large number of companies, all at the same time, from different sectors, and rarely launched any DDoS attacks to prove their claims.
Armada Collective’s RDoS campaigns in 2016 were hardly noticed. Encouraged by the group’s and DD4BC’s earlier success, numerous other actors entered the DDoS-ransom niche, such as New World Hackers, Lizard Squad (copycats), Kadyrovtsy, RedDoor, ezBTC, Borya Collective, and others.
Most of these groups issued empty threats, a common theme among RDoS groups in 2016 that has continued into 2017 with new groups such as Stealth Ravens, XMR Squad, ZZb00t, Meridian Collective, Xball Team, and Collective Amadeus. Furthermore, empty DDoS threats from groups posing as Anonymous have been the norm for the past two years, with the most recent wave detected just last week.
Nayana’s payment may lead to more attacks on South Korea
Last week, Armada Collective’s name resurfaced after a long period of silence. The ransom demands were sent — not surprisingly — just two days after news broke in the international press that a South Korean web hosting company paid over $1 million in a ransomware demand.
Nayana’s payment was the largest ransomware payment ever made and may have inadvertently put a giant bullseye on the backs of all South Korean businesses, now considered more willing to pay outrageous ransom demands to be left alone.
The Armada Collective ransom letters sent last week to South Korean banks said the group would launch DDoS attacks on the targeted banks today, June 26, and double their ransom demand.
At the time of writing, the attacks didn’t take place, based on evidence available in the public domain. Nonetheless, the attackers won’t be discouraged by this initial refusal, and if they truly have the ability to launch crippling DDoS attacks like the ones that targeted ProtonMail, then South Korean banks and other businesses are in for a long summer.
Looking for lots more answers on net neutrality docket.
If the FCC was subject to multiple DDoS attacks that affected input in the Open Internet comment docket, leading House Democrats say that raises questions about the FCC’s cybersecurity preparedness that need answers.
That came in letters to the FCC and National Cybersecurity and Communications Integration Center.
“We ask you to examine these serious problems and irregularities that raise doubts about the fairness, and perhaps even the legitimacy, of the FCC’s process in its net neutrality proceeding,” the Democratic legislators said. “Giving the public an opportunity to comment in an open proceeding such as this one is crucial – so that the FCC can consider the full impact of its proposals, and treat everyone who would be affected fairly.”
Democratic Sens. Ron Wyden of Oregon and Brian Schatz of Hawaii had asked FCC Chairman Ajit Pai for an explanation of the attacks. But the response—that they were “non-traditional” attacks—only created new questions, the letters to the FCC and NCCIC said.
• “What ‘additional solutions’ is the FCC pursuing to ‘further protect the system,’ as was mentioned in the FCC’s response?
• “According to the FCC, the alleged cyberattacks blocked ‘new human visitors … from visiting the comment filing system.’ Yet, the FCC, consulting with the FBI, determined that ‘the attack did not rise to the level of a major incident that would trigger further FBI involvement.’ What analysis did the FCC and the FBI conduct to determine that this was not a ‘major incident?’
• “What specific ‘hardware resources’ will the FCC commit to accommodate people attempting to file comments during high-profile proceedings? Does the FCC have sufficient resources for that purpose?
• “Is the FCC making alternative ways available for members of the public to file comments in the net neutrality proceeding?”
Signing on to the letters were Energy and Commerce Ranking Member Frank Pallone, Jr. (N.J.), Oversight and Government Reform (OGR) ranking member Elijah Cummings (Md.), E&C Communications and Technology Subcommittee Ranking Member Mike Doyle (Pa.), Oversight and Investigations Subcommittee ranking member Diana DeGette (Colo.), OGR Information Technology Subcommittee ranking member Robin Kelly (Ill.), and Government Operations Subcommittee ranking member Gerald Connolly (Va.).
Some of the same Democrats have asked the Republican leadership of the House E&C to hold a hearing on the FCC Web issues.
And last month, another group of Democrats called on the FBI to investigate the multiple DDoS attacks the FCC said it had suffered related to the docket.
Businesses should ensure that they remain protected against DDoS attacks, despite the recent growth of other threats such as ransomware.
That’s the warning from Arbor Networks, which is urging organisations of all sizes to make sure they stay safe online as DDoS attacks are still rife around the world.
Speaking to ITProPortal at the recent InfoSecurity Europe 2017 event in London, Arbor CTO Darren Anstee reinforced the need for businesses to maintain their DDoS protection, despite it being hard to predict who might be hit next.
“DDoS is all about targeting the availability of those services that modern businesses rely on,” he noted.
In order to combat this growing threat, the company recently revealed an updated version of its APS on-premise, distributed DDoS detection and mitigation platform for enterprise customers.
The new release includes Arbor’s latest Cloud Signalling feature, which can cut the time to mitigation by coordinating on-premise and cloud-based mitigation.
The Internet of Things is also set to provide a major new threat landscape for DDoS attacks, Arbor Networks believes, with past attacks such as the Mirai botnet’s assault on DNS provider Dyn showing the potential for chaos.
“There are a lot of IoT DDoS attacks going on out there”, Anstee says, noting that most people only hear about these assaults when a big brand is affected.
Poor regulation of IoT products has not helped with the spread of potential attacks, with many consumers unaware that the items they are buying will pose some kind of security risk.
But Anstee says that commercial pressure could instead play a big role in changing the current landscape, as vendors often respond to market trends faster than to regulatory pressure.
“If you want things to change quickly, you have to get people to get security implemented into their buying process,” he notes, adding that it is a “valid worry” that IoT attacks could scale to affect areas such as smart cities and infrastructure networks soon.
“We are going to see IoT devices being used for more nefarious purposes over the next few years…I don’t see the problem going away”.
As the recent WannaCry ransomware attack showed, however, businesses need to be protected against all kinds of threats.
Anstee noted that ransomware should remain a major concern for companies large and small, since both are likely to be targeted.
“It’s a numbers game when it comes to ransomware,” he noted, “it is a very broad brush – if just one or two people pay, it makes it all worthwhile.”
In order to stay protected, there are several central steps that companies can take, Anstee added.
This includes network segmentation, which would allow infections such as WannaCry to be quickly and easily contained. “It’s not a sexy topic, but it needs to happen in many businesses,” he says. “We’ve all focused on agility, and flattening network infrastructure…but this is really important, as it can stop such attacks propagating within networks, if it’s done properly.”
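The point Anstee makes about segmentation, that it stops an attack propagating within the network, can be made concrete with a blast-radius estimate. The block below is an added example, not code from Arbor Networks or ITProPortal: it models a worm that, like the SMB-propagating ransomware discussed on this page, infects every unpatched host its current host is allowed to connect to, and compares how far it gets on a flat network with how far it gets once zone-to-zone traffic is restricted. The inventory, zones and policy are constructed; which hosts are patched is an assumption.

```python
"""Blast-radius estimate for a self-propagating worm under a flat versus a
segmented network.

Added example, not code from Arbor Networks or ITProPortal. The inventory,
zones and policy are constructed; a host is infected if it is unpatched and
the policy lets the infecting host's zone open connections to its zone.
"""
from collections import deque

# Constructed inventory: host -> zone
HOSTS = {
    "ws-01": "workstations", "ws-02": "workstations",
    "ws-03": "workstations", "ws-04": "workstations",
    "fs-01": "file-servers", "fs-02": "file-servers",
    "plc-01": "ot", "plc-02": "ot",
    "jump-01": "admin",
}
# Hosts that have applied the patch and so do not get infected (assumed)
PATCHED = {"ws-03", "fs-02"}
ZONES = set(HOSTS.values())

# Flat network: every zone can initiate connections to every zone, itself included
FLAT_POLICY = {zone: set(ZONES) for zone in ZONES}

# Segmented network: workstations reach file servers only (no workstation to
# workstation traffic), servers initiate nothing, OT stays inside OT, and only
# the admin zone may reach everything
SEGMENTED_POLICY = {
    "workstations": {"file-servers"},
    "file-servers": set(),
    "ot": {"ot"},
    "admin": {"workstations", "file-servers", "ot", "admin"},
}


def blast_radius(start, hosts=HOSTS, policy=SEGMENTED_POLICY, patched=PATCHED):
    """Breadth-first spread from `start`: each infected host infects every
    unpatched host whose zone its own zone may connect to. Returns the set of
    hosts that end up infected (the initial foothold always counts)."""
    infected = {start}
    queue = deque([start])
    while queue:
        src = queue.popleft()
        allowed = policy.get(hosts[src], set())
        for dst, dst_zone in hosts.items():
            if dst in infected or dst in patched or dst_zone not in allowed:
                continue
            infected.add(dst)
            queue.append(dst)
    return infected


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        hit = blast_radius("ws-01", policy=policy)
        print(f"{name:9s} foothold ws-01   -> {len(hit)} of {len(HOSTS)} hosts: {sorted(hit)}")
    hit = blast_radius("jump-01")
    print(f"segmented foothold jump-01 -> {len(hit)} of {len(HOSTS)} hosts: {sorted(hit)}")
```

From a phished workstation the flat network loses every unpatched host, while the segmented one loses the workstation and one file server. The third run is the caveat: a foothold in the admin zone, which the policy lets reach everything, propagates exactly as on a flat network, so segmentation buys the most when the zones that are allowed everywhere are also the smallest, best-patched and most closely watched.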
But companies also need proper IT risk management processes; Anstee noted that some WannaCry infections could have been blocked quickly if proper processes had been in place and the various departments had communicated properly.
“You can’t really blame anyone for this,” he concludes, “it really is a lot about talking to each other.”
Business is under assault from cybercriminals like never before, and the cost to companies is exploding. Here’s what you need to know about safeguarding your digital assets.
1. Under attack
In the summer of 2015, several of New York’s most prestigious and trusted corporate law firms, including Cravath Swaine & Moore and Weil Gotshal & Manges, found themselves under cyberattack. A trio of hackers in China had snuck into the firms’ computer networks by tricking partners into revealing their email passwords. Once inside the partners’ accounts, the thieves snooped on highly sensitive documents about upcoming mergers. Then, from computers halfway around the world, the cybercrooks allegedly traded on the purloined information, netting $4 million in stock market gains.
Like most other victims of corporate espionage, the firms preferred to keep mum about having been victimized. They feared antagonizing other digital thugs as well as damaging their reputations as keepers of clients’ secrets. Instead, word of the attack leaked in the press and then was confirmed by federal prosecutors and the firms themselves. The Feds made public their discoveries and trumpeted their efforts to bring the alleged perpetrators to justice. “This case of cyber meets securities fraud should serve as a wake-up call for law firms around the world,” said Preet Bharara, then the U.S. Attorney in Manhattan. “You are and will be the targets of cyberhacking because you have information valuable to would-be criminals.”
It may have been a shock to the system for the legal community, but the incident only served to underscore a hard truth that CEOs, company directors, and network security experts have been grappling with for some time now: Business is under assault like never before from hackers, and the cost and severity of the problem is escalating almost daily.
The latest statistics are a call to arms: According to Cisco, the number of so-called distributed denial-of-service (DDoS) attacks—assaults that flood a system’s servers with junk web traffic—jumped globally by 172% in 2016. Cisco projects the total to grow by another two and a half times, to 3.1 million attacks, by 2021. Indeed, the pace of cyberassaults is only increasing. Internet security firm Nexusguard reports that it observed a 380% increase in the number of DDoS attacks in the first quarter of 2017 compared with a year earlier.
As the number and scale of network attacks grow, the toll on business is rising. The average total cost of a data breach in the U.S. in 2014 was $5.85 million, according to research from IBM and the Ponemon Institute, and this year it’s estimated to be $7.35 million. According to a report earlier this year from business insurer Hiscox, cybercrime cost the global economy more than $450 billion in 2016. The WannaCry ransomware attack alone, which crippled computers in more than 150 countries in May, could cost as much as $4 billion according to some estimates.
What is slowly dawning on corporate hacking victims is how vulnerable and defenseless they really are, even when their opponents may be three guys in a room halfway around the world. Expensive data-security systems and high-priced information security consultants don’t faze today’s hackers, who have the resources to relentlessly mount assaults until they succeed. In the New York law-firm case, for example, prosecutors said the attackers attempted to penetrate targeted servers more than 100,000 times over seven months.
It has become abundantly clear that no network is completely safe. Where once companies thought they could defend themselves against an onslaught, they’re now realizing that resistance is, if not futile, certainly less important than having a plan in place to detect and neutralize intruders when they strike.
But there remains a gaping chasm between awareness of the threat and readiness to address it: A survey last fall by IBM and Ponemon of 2,400 security and IT professionals found that 75% of the respondents said they did not have a formal cybersecurity incident response plan across their organization. And 66% of those who replied weren’t confident in their organization’s ability to recover from an attack.
Cybercrime is metastasizing for the same reason online services have become so popular with consumers and businesses alike: Ever-more-accessible technology. Hacking is easier than ever thanks to the ever-growing number of online targets and the proliferation of off-the-shelf attack software. The very Internet networks that were built for convenience and profit are exposing their users to a steady stream of new threats.
What’s more, the tense state of affairs is a glaring example of how the entire nature of business has changed in the digital age. In most cases, technology is much more than just a supplement to a company’s core operations. For scores of the world’s most valuable companies—from Alphabet to Amazon to Facebook to Uber—the assets that live on their networks are their core operations.
No sector of corporate America is safe. Hackers have plundered big retailers like Neiman Marcus and Home Depot for credit card and customer information. They’ve burrowed into banks like JPMorgan Chase. Even tech companies can’t seem to protect themselves. Yahoo’s ineptitude in repelling (or even being aware of) hackers forced it to reduce its sale price to Verizon. Google and Facebook recently fell victim to a hacker who conned their accountants into wiring him a total of more than $100 million. And OneLogin, a startup that bills itself as a secure password management service, recently lost certain customer data to hackers.
It’s not like companies aren’t trying to play defense. Accenture estimates that companies worldwide spent $84 billion in 2015 to protect against attacks. That spending is an acknowledgment that every company needs to safeguard its digital assets, which in turn requires knowing about the criminals that keep coming at them and what defenses they can build to minimize the damage.
2. A new breed of criminal
Hacking is particularly frustrating for corporate executives who don’t understand their enemy. Embezzlers or extortionists? Sure. But faceless gangs of nasty nerds? It’s often harder for CEOs to wrap their brains around the motivation of their antagonists—or their audacity. “At the C-level they feel violated,” says Jay Leek, a venture capitalist pursuing cybersecurity investments and a former chief information security officer at private equity giant Blackstone. “I witness this emotional ‘What just happened?’ You don’t walk in physically to a company and violate it.”
The brazenness Leek describes is a hallmark of hackers who—despite their mystique in popular culture—are basically everyday thieves, like bank robbers. Where hackers are different, however, is that they rarely meet in person. Instead, they convene in online forums on the “dark web,” an anonymous layer of the Internet that requires a special browser to access. Deep in the forums, crooks hatch hacking plots of all sorts: breaking into corporate databases or selling stolen Social Security numbers or purchasing inside information from unscrupulous employees.
Cybercriminals have proved adept at adopting successful corporate strategies of their own. A recent development has seen the cleverest crooks selling hacking tools to criminal small-fry. It’s analogous to semiconductor companies licensing their technology to device manufacturers. According to a report from security software giant Symantec, gangs now offer so-called ransomware as a service, a trick that involves licensing software that freezes computer files until a company pays up. The gangs then take their cut for providing the license to their criminal customers.
If it weren’t all blatantly illegal, the practices would be laudably corporate. “Cybercriminals no longer need all the skills to complete any particular crime,” says Nicole Friedlander, a former assistant U.S. Attorney in charge of the key Southern District of New York’s complex fraud and cybercrime unit. “Instead, they can hire other cybercriminals online who have those skills and do it together.” In that sense, hackers have become service providers like doctors or lawyers or anyone else, says Friedlander, who joined the New York office of law firm Sullivan & Cromwell last year.
But the bad guys aren’t all freelancers. In fact, some of the most sinister hacking outfits operating today are “state-sponsored” groups supported, or at least loosely supervised, by governments. That includes the Russians who are believed to have hacked into the Democratic National Committee last year and the North Korean team credited with unleashing the WannaCry malware as a moneymaking scheme.
3. Playing defense
In early March, the information security team at ride-hailing giant Uber leaped into action: An Uber employee had reported a suspicious email message, and similar reports were flooding in from all over the company.
Uber’s databases contain the email addresses and personal information of millions of riders around the world, making security a particularly pressing issue. And the company has had its share of problems as a caretaker of sensitive data. In 2014, Uber suffered a breach that exposed the insurance and driver’s license information of tens of thousands of drivers; it took the mega-startup months to discover and investigate the incident and fully notify its drivers.
As soon as the alarm was raised in March, Uber established an “incident commander” to manage the developing situation. The job of the incident commander—a term of art in cybersecurity circles—is to keep the company informed about potential attacks. It turned out that the attack was targeting users of Google’s Gmail service, not Uber itself. But anyone with a Gmail address was vulnerable. Later that same day Google fixed the vulnerability in its Gmail service, allowing Uber’s incident commander to stand down.
Uber’s reaction is an example of the vigilance with which companies must treat the torrent of threats coming at them every day. John “Four” Flynn, a former Facebook executive who now is chief information security officer for Uber, says the key to cybersecurity incidents—which he defines as everything from a data breach to a stolen laptop—is to have a clear communication strategy. “During an incident, the role of executives is to give support,” says Flynn. “There’s no room for confusion about who’s in charge.”
Flynn has every right to sound confident in his authority. The chief information security officer, or CISO, is possibly the hottest job in the C-suite today. Cybercrime is so serious that these formerly little-known and unloved executives now typically have a direct line to boards of directors—a big break from the past. Before, the CISO would report to the chief information officer, who was responsible for buying and operating computers, not obsessing over flies in the ointment. If the CISO sounded the alarm over a breach, too often he or she ended up being the one sacrificed to appease top management. “It was my job to tell my boss his baby was ugly,” one former information security executive laments.
These days, though, smart companies treat hacking threats like other existential risks to their business—recessions, terrorist attacks, and natural disasters come to mind—and plan accordingly. The CISO is pivotal in maintaining readiness. “If you’re a Fortune 500 company, you already have a response,” says Leek, the former executive at Blackstone, which had several portfolio companies that suffered breaches, including arts-and-crafts merchant Michaels Stores. “But people forget to take it out, blow the dust off, and recall: ‘Let’s do what we decided when we had a sound mind.’ ”
Having a clear line of authority and a good action plan take a company only so far. At some point it has to call the cops, specifically the Federal Bureau of Investigation or the U.S. Secret Service. Both agencies have reach and power that allow them to take the fight to foreign cybercrooks. On several occasions, U.S. law enforcement agents working undercover on the dark web have managed to lure presumed offenders out of hiding with phony deals, and then had them apprehended in and extradited to the U.S.
Calling law enforcement has downsides, however. The likely outcome—an investigation—imposes burdens on the victim company in terms of money and time. And it increases the chance that sensitive details about the hack will leak publicly. That’s why the best course of action is for companies to avoid FBI-level hacking incidents in the first place. A new, multibillion-dollar industry has sprung up to help.
4. An industry is born
The videoconference camera looked like any other. But unbeknownst to its corporate owner, the device was working overtime: Hackers had captured the microphone remotely and were using it to spy on every meeting that took place in the boardroom. The company, which does not want to be identified, finally got wise to the spying scheme thanks to Darktrace, a global cybersecurity company that uses artificial intelligence to detect aberrant activity on client networks. Darktrace CEO Nicole Eagan says her company noticed the camera had been gobbling abnormal amounts of data. This raised a red flag, enabling Darktrace to notify its client that something was amiss.
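What tipped Darktrace off was volume, a device sending far more than its own history said it should. The block below is an added example, not Darktrace’s code or model (their product is AI-based; this is a deliberately simple robust-statistics baseline): it keeps a per-device history of daily outbound volume and flags a device whose volume today sits far above the median of that history, using the median absolute deviation as the scale so that one past spike does not inflate the baseline. The devices, daily byte counts and thresholds are constructed.

```python
"""Per-device volumetric anomaly detection: flag a device whose traffic today
is far above its own history, the way the boardroom camera was caught.

Added example, not Darktrace's code or model. Daily outbound volume per device
is constructed sample data in megabytes; the thresholds are assumptions.
"""
from statistics import median

# Constructed: fourteen days of outbound volume per device, oldest first (MB)
HISTORY = {
    "boardroom-cam": [6, 7, 5, 8, 6, 7, 9, 6, 5, 7, 8, 6, 7, 6],
    "ws-acct-07": [300, 450, 620, 280, 510, 700, 390, 560, 430, 610, 350, 480, 520, 410],
    "print-01": [2] * 14,
    "new-lobby-tablet": [40, 55, 38],      # too little history to judge
}


def robust_score(history, value):
    """How many robust standard deviations `value` sits above the median of
    `history`. Median and MAD resist being skewed by a past spike; the floor on
    the scale stops a perfectly flat history turning every extra byte into an
    alert (the 5% and 1 MB floors are assumed; tune them per site)."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    scale = max(1.4826 * mad, 0.05 * med, 1.0)
    return (value - med) / scale


def anomalous_devices(history, today, threshold=6.0, min_days=7):
    """Return {device: score} for devices whose volume today exceeds their
    baseline by more than `threshold` robust standard deviations."""
    alerts = {}
    for device, volume in today.items():
        past = history.get(device, [])
        if len(past) < min_days:
            continue   # no baseline yet; a separate 'new device' check belongs here
        score = robust_score(past, volume)
        if score > threshold:
            alerts[device] = round(score, 1)
    return alerts


if __name__ == "__main__":
    today = {"boardroom-cam": 900, "ws-acct-07": 780, "print-01": 2, "new-lobby-tablet": 400}
    for device, score in anomalous_devices(HISTORY, today).items():
        print(f"ALERT {device}: today's volume is {score} robust standard deviations above baseline")
```

The workstation’s busy day (780 MB against a median around 465 MB) scores well under the threshold because its history is already noisy, while the camera’s 900 MB against a single-digit baseline scores in the hundreds; that asymmetry, judging each device against itself rather than against a fleet-wide average, is what makes a low-volume device like a camera stand out at all.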
Darktrace is just one of hundreds of firms that offer help to combat the hacking epidemic. Once a stodgy corner of enterprise software, cybersecurity has become a hot sector for venture capitalists. Investors put some $3.5 billion into a total of 404 security startups last year, according to New York research firm CB Insights. That’s up from $1.8 billion for 279 investments in 2013.
For executives, all of this entrepreneurial activity translates into a dizzying array of security options. There are newcomers like Tanium, for instance, which offers a service that lets companies see who is on their network. Publicly traded Palo Alto Networks makes a kind of intelligent firewall that uses machine learning to thwart intruders. There are also a host of niche security firms such as Area 1 (which specializes in defending against phishing scams) and Lookout (which is a mobile-phone-focused security service).
With all of this firepower arrayed against it, how can cybercrime continue to grow so fast? One answer is that some of the glitzy defense systems don’t work as advertised. Security insiders grumble about firms bamboozling clients with “blinky lights” in order to sell “scareware”—software that plays to customers’ insecurities but doesn’t protect them.
At the end of the day, though, humans are as much to blame as software. “The weak underbelly of security is not tech failure but poor process implementation or social engineering,” says Asheem Chandna, an investor with Greylock Partners and a Palo Alto Networks director. Chandna notes that most hacking attacks come about in two ways, neither of which involves a high level of technical sophistication: An employee clicks on a booby-trapped link or attachment—perhaps in an email that appears to be from her boss—or someone steals an employee’s log-in credentials and gets access to the company network.
While cyberdefense tools can mitigate such attacks, some will always succeed. Humans are curious creatures and, in a big organization, there will always be someone who clicks on a message like, “Uh-oh. Did you see these pictures of you from the office party?” When it comes to hacking, a penny of offense can defeat a dollar’s worth of defense. That’s why the fight against hacking promises to be a never-ending battle.
Final Fantasy 14’s servers have been under intense strain this past weekend. It now seems that these issues are the direct result of distributed denial-of-service attacks, Square Enix stated today.
The attacks have apparently been going on since June 16, the first day that the game’s second expansion, Stormblood, went live for early access. This past weekend, early adopters were met with congested servers that were filled to capacity. Some queues just to log in surpassed 6,000 users. In the game proper, overwhelmed servers have led to increased load times and made some quests impossible to complete.
Stormblood was officially released yesterday, and as of today massive numbers of access requests attributed to the alleged attack continue to occur.
Square Enix has stated that its technicians are doing all they can to defend against the attacks, but they are “continuing to take place by changing their methods at every moment.” The company also assured players that character data and private information associated with accounts have not been affected.
Microsoft has confirmed an outage in its Skype offering, which caused connectivity issues earlier this week and is allegedly the result of a Distributed Denial of Service attack.
Skype users started complaining about connectivity issues on Monday, with hours of downtime. The issues continued into Tuesday, with users losing connectivity and having trouble exchanging messages on the communications platform. The outage appeared to primarily affect Europe.
It is not clear if the connectivity issues affected just the consumer Skype application, or also Skype for Business.
Microsoft confirmed the issues with the service in a Tweet and on its blog, saying Monday that they were “aware of an incident where users will either lose connectivity to the application or may be unable to send or receive messages. Some users will be unable to see a black bar that indicates to them that a group call is ongoing, and longer delays in adding users to their buddy list.” On Tuesday Microsoft updated the blog post to say it was “seeing improvements” but some users still were having issues with the service and the company was “working on that.”
Microsoft further updated the blog on Tuesday, saying it had made “some configuration corrections and mitigated the impact.”
“We are continuing to monitor and we will post an update when the issue is fully resolved,” Microsoft said.
Microsoft did not confirm reports at the time that the outage was the result of a DDoS attack. A hacker group, called CyberTeam, claimed responsibility for the attack in a tweet, saying “Skype Down by Cyberteam.”
Michael Goldstein, president and CEO of LAN Infotech, a Fort Lauderdale, Fla.-based Microsoft partner, called the incident “pretty scary,” assuming reports of a DDoS attack were true. He said it is concerning for small and medium businesses if a company as large as Microsoft can be hit by such an attack.
“It is definitely showing how the bad guys, how the dark side, is still looking to push [against big companies],” Goldstein said.
Goldstein said his company views Skype for Business as a “critical product” for both its own business and for its clients. He said he hopes Microsoft is working to bolster its Skype for Business product, as well as its consumer Skype product, against further attacks.
The reports of a DDoS attack against Microsoft come just a few months after a massive DDoS attack on Dyn caused significant Internet outages on the East Coast. The incident took down many popular websites, including Twitter and Netflix, as well as more than 1,200 other sites. The traffic in the October attack came from devices infected by the Mirai botnet, malware that was revealed earlier in the month and spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory-default or hard-coded usernames and passwords.
A recent survey by the Ponemon Institute and the Shared Assessments Program of 553 people with a role in risk management in their organizations found that 94 percent of those surveyed said a security incident related to unsecured IoT devices or applications could be catastrophic.
Still, just 44 percent of respondents said their organization has the ability to protect their network or enterprise systems from risky IoT devices, and only 25 percent said their boards require assurances that IoT risks are being appropriately assessed, managed and monitored.
Additionally, 77 percent of respondents said they don’t consider IoT-related risks in their third party due diligence, and 67 percent don’t evaluate IoT security and privacy practices before engaging in a business relationship.
Just 30 percent of respondents said managing third-party IoT risks is a priority in their organization.
“Ready or not, IoT third party risk is here,” Shared Assessments senior vice president Charlie Miller said in a statement. “Given the proliferation of connected devices, today’s cyber climate is evolving and organizations have to shift their focus to the security of external parties, now more than ever.”
“In order to avoid becoming the next big headline, our security tactics have to evolve along with the threats,” Miller added. “New technology and practices are needed to ensure security, and this starts by communicating the risks to the right people and acknowledging potential devastating outcomes when engaging with a third party. Avoiding these problems can no longer be the solution.”
In response, the report urges organizations to take the following key steps:
Ensure inclusion of third-party and IoT risks occurs at all governance levels including the board.
Update asset management processes and inventory systems to include IoT devices, and understand the security characteristics of all inventoried devices. When devices are found to have inadequate security controls, replace them.
Continue to leverage and enhance contracts and policies and expand scope to include IoT specific requirements.
Expand third-party assessment techniques and processes to ensure presence and effectiveness of controls specific to IoT devices.
Develop specific sourcing and procurement requirements to ensure only IoT devices that are designed with security functions included and enabled are considered for product selection or acquisition.
Devise new strategies, technologies and tactics directed specifically at reducing threats posed by IoT devices.
Collaborate with industry experts, peers, associations and regulators to ensure IoT risk management best practices are devised, communicated and implemented.
Include IoT in communication, awareness and training at all levels: board, executive, corporate, business unit and third-party.
Recognize the increasing dependence on technology to support the business and the risk posed by this dependence.
Embrace new technologies and innovations, but not at the expense of security, and ensure security controls are included as fundamental and core requirements.
Seventy-two percent of respondents said the pace of innovation in IoT and the varying standards for security make it hard to ensure the security of IoT devices and applications, and 65 percent said the drive for innovation in the IoT ecosystem requires new approaches to IT strategies and tactics.
Breaches and DDoS Attacks
Strikingly, 78 percent of respondents said a data breach involving an unsecured IoT device is likely to occur within the next two years, and 76 percent said the same of a DDoS attack involving an unsecured IoT device.
The concerns come as DDoS attacks become more and more frequent — according to Nexusguard’s Q1 2017 DDoS Threat Report, DDoS attack frequency surged by 380 percent in the first quarter of 2017, compared to the same time period the previous year.
The percentage of days with attacks larger than 10 Gbps rose significantly between January 2017 (48.39 percent) and March 2017 (64.29 percent).
Radware vice president of security Carl Herberger told eSecurity Planet by email that the rapid proliferation of unsecured IoT devices is driving the increase in DDoS attacks. “The Mirai attack made headlines last year, but it should not be considered a one-off,” he said. “Instead, this event was a predictor of what is to come.”
“Hackers are constantly developing new ways to leverage connected devices with little to no security protections to form larger and larger botnets that are able to execute dangerous and sizable DDoS attacks,” Herberger added. “We’ve seen various botnets appear over the last year, including Hajime, BrickerBot and Persirai, demonstrating that IoT devices have become a new battleground for hackers.”
“Until manufacturers, the government, and consumers take a hard look at IoT security, the threat of bigger, more frequent IoT-fueled DDoS attacks will only loom larger,” Herberger said.
Distributed Denial of Service (DDoS) attacks leverage compromised devices to generate a flood of traffic, overwhelming online services and rendering them unresponsive. DDoS services are widely available on the internet, with research by Trend Micro finding that the small cost of US$150 can buy a DDoS attack for a week. (It also brings organised crime into your life – but that’s a different point!)
The latest statistics from Cisco reveal that the number of DDoS attacks grew by 172% in 2016. Combine this with an average DDoS attack size of 1.2Gbps, capable of taking most organisations offline, and there is real cause for concern among cyber security experts. It is hard to trace DDoS attacks to their perpetrators, as the majority of devices used in attacks belong to innocent users.
Organisations must understand the risk and impact posed by DDoS attacks, and implement mitigation strategies that promote business continuity in the face of these attacks. Industry peers must share knowledge where appropriate, and keep government agencies adequately informed, to deter hackers from launching a DDoS attack.
Cisco expects that the number of DDoS attacks in the future will only get worse, with 3.1 million predicted attacks in 2021 globally.
A group of hackers from Morocco allegedly tried to hack the US voting systems. As part of that attempt, they breached four school districts in Florida.
According to reports, several hacking attempts were said to be made on the US voting system and culprits were mostly believed to be from Russia. However, it seems that another group also wanted to try and interfere with the election.
MoRo, a hacking group from Morocco, managed to breach the defenses of four different school district networks. Their main goal was to find a way into sensitive government systems from there. United Data Technologies (UDT), a company that investigates such attacks, stated that the hackers got into these networks via phishing attacks.
The Miami Herald reports that they infected the school networks by emailing malware disguised as images. Unsuspecting workers clicked on the images, which was enough for the malware to infect their devices. A similar attack also targeted one of the Florida city networks.
Upon entering the school systems, the hackers disabled the logs that recorded who accessed the systems, which has made it very difficult to determine exactly what they did once inside. Still, UDT analysts were able to establish that the hackers spent around three months in the systems. They used this time to test defenses and map out the systems, and they even posted a photo of a man dressed as an ISIS fighter.
The only one of the four districts to be named is Miami-Dade, which is also the largest in Florida. It is believed that the attackers who hacked this and the other three districts initially intended to steal personal data from thousands of students, and then realized that they could access much more than that.
Apart from personal information, the schools also handle Social Security numbers for former and current students and their parents, as well as for all school employees. Still, the attackers seem to have failed to obtain any of this data, despite three months of access. Analysts even state that the hackers did not manage to access voting systems at all.
“They weren’t just looking for the names of kids and valuable Social Security numbers, UDT found. The hackers were also searching for some way to slip into other sensitive government systems, including state voting systems.”
This is considered only an attempted hack, and in total there were seven such attempts. Despite the ISIS-related picture being posted on the district’s website, Miami-Dade states that there is no evidence of any access or malware in its computer systems.
It is believed that the first attack occurred in the fall. The ISIS-inspired photo appeared in November and stayed up for 24 hours. The same photo appeared on another school district’s website a month later.
UDT claims that the schools were only an entry point to the city and county systems, and that even those systems would only serve as a stepping stone in the search for a backdoor into the bigger government systems. Michael Kaiser, executive director of the National Cyber Security Alliance, stated that it is not unusual for school district networks to be connected to bigger networks.
It would therefore make sense for a hacking group to go after an easy target and then work its way to the main one. According to UDT, the hackers even bragged about their achievements online and mentioned plans to get into the voting systems and bring them down. The strange part is that this happened in December, a month after the voting was over.
Still, UDT contacted the FBI, and the malware was reverse-engineered. There was no evidence of stolen data, but the FBI still declined to comment on the incident. Whatever the point of these attacks was, awareness of the importance of security in the school districts has been raised.