World Cup could lead to surge in cyber threats

With the Group Stage of the 2018 FIFA World Cup now well underway, security companies are warning that cybercriminals are likely to use the interest stirred up by the event to launch cyber attacks.

Network and endpoint security company Sophos noted that cyber attacks often go hand in hand with major sporting events, including the World Cup, as criminals exploit the fevered interest stirred up in incautious sporting fans.

There is already a long history of World Cup cyber threats, including a virus with a backdoor sent under the pretence of free tickets during Germany 2006 and the blackmail of online betting sites with threats of DDoS attacks during South Africa 2010.

A virus deployed during France 1998 also had users gamble on the winner of the Cup, with the wrong choice leading to all data being wiped from a victim’s drive, while in South Korea 2002, a virus posing as a web utility giving up-to-the-minute updates was distributed via email and IM.

Sophos noted that awareness is generally greater this year, with teams including the English Football Association warning players not to use public Wi-Fi in Russia due to fears of hacking.

But the company noted that it is important that organisations and people remain vigilant at all times about the increased threat.

Meanwhile, Akamai Technologies Director of Security Technology Patrick Sullivan noted that the company has historically noticed declines in cyber attacks while games are actually underway — until there’s a clear winner.

“Once games are well in hand, attacks from the losing team’s nation spike well above normal. This often takes the form of attacks designed to take down news stories in the victor’s country that tout a home-team win,” he said.

“Activists also frequently use various forms of cyber attacks during major sporting events to protest the host nation — often targeting sponsors to get their point across. For example, protesters at the recent Brazilian World Cup that were upset with the amount of money spent.”


How CIA can improve your cyber security

The threat of cyber-attack is increasing every year.

According to the Online Trust Alliance, 2017 was the worst year yet in terms of attacks on business. Figures indicate that attacks doubled from 82,000 incidents in 2016 to over 159,000 – and that’s just the ones we know about.

Keeping up to date with the latest cyber security threats is an almost impossible task. The time between vulnerability disclosure and attack launch is getting shorter all the time, and it’s easy for a hacker to change a line of code in the program, and then fire off another (ever so slightly different) attack.

Just to prove the point, in 2016, ransomware peaked at 40,000 attacks a day, with over 400,000 variations found. Imagine trying to keep on top of all that?

Effective cyber security is knowing what’s important to you and protecting it to the best of your abilities. Think of it in three elements – the CIA triad:

  • Confidentiality
  • Integrity
  • Availability

Confidentiality – who really needs access to the information?

Confidentiality is all about privacy and works on the basis of ‘least privilege’. Only those who require access to specific information should be granted it, and measures need to be put in place to ensure sensitive data is prevented from falling into the wrong hands.

The more critical the information, the stronger the security measures need to be.

Measures that support confidentiality can include data encryption, IDs and passwords, two-factor authentication, biometric verification, air-gapped systems (physically isolating a secure computer network from unsecured networks such as the public internet) or even disconnected devices for the most sensitive of information.

Integrity – how do you ensure the accuracy of your data?

The integrity of your information is essential, and organisations need to take the necessary steps to ensure that it remains accurate throughout its entire life cycle, whether at rest or during transit.

Access privileges and version control are always useful to prevent unwanted changes or deletion of your information. Back-ups should be taken at regular intervals to ensure that any data can be restored.

When it comes to integrity of information in transit, one-way hashes – an algorithm that turns a message of any length into a fixed-length string of characters, from which it is nearly impossible to recover the original text – can be utilised to ensure that the data has remained unchanged.
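The following is an added example, not code from the article, showing the integrity check the paragraph describes: the sender publishes a SHA-256 digest of the message, the receiver recomputes it, and any change in transit produces a different digest. It also shows the caveat a practitioner would raise: a bare hash only detects accidental corruption, because anyone who can alter the message can recompute the hash, so for an active attacker a keyed hash (HMAC) with a secret the attacker does not hold is used instead. The message and the key are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample message and shared key (not from the article).
MESSAGE = b"invoice 4471: pay 1,200.00 EUR to account NL00EXAMPLE"
SHARED_KEY = b"example-shared-secret"


def sha256_hex(data: bytes) -> str:
    """One-way hash: any-length input -> fixed-length (64 hex chars) digest."""
    return hashlib.sha256(data).hexdigest()


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Receiver-side check: recompute the digest and compare in constant time."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def hmac_sha256_hex(key: bytes, data: bytes) -> str:
    """Keyed hash: only holders of `key` can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, tag_hex: str) -> bool:
    return hmac.compare_digest(hmac_sha256_hex(key, data), tag_hex)


def transit_scenarios():
    """Walk through four cases and report whether each check catches tampering.

    Returns a dict of scenario name -> True if the receiver accepts the data.
    """
    tampered = MESSAGE.replace(b"NL00EXAMPLE", b"NL99ATTACKER")

    # 1. Plain hash, message unchanged: accepted.
    digest = sha256_hex(MESSAGE)
    hash_clean = verify_sha256(MESSAGE, digest)

    # 2. Plain hash, message altered but digest left alone (e.g. corruption): rejected.
    hash_corrupt = verify_sha256(tampered, digest)

    # 3. Plain hash, message altered AND digest recomputed by whoever altered it:
    #    wrongly accepted, because nothing secret was needed to make the digest.
    hash_recomputed = verify_sha256(tampered, sha256_hex(tampered))

    # 4. HMAC: the altering party has no key, so a forged tag does not verify.
    tag = hmac_sha256_hex(SHARED_KEY, MESSAGE)
    hmac_clean = verify_hmac(SHARED_KEY, MESSAGE, tag)
    forged_tag = hmac_sha256_hex(b"guessed-key", tampered)
    hmac_forged = verify_hmac(SHARED_KEY, tampered, forged_tag)

    return {
        "hash_clean": hash_clean,
        "hash_corrupt": hash_corrupt,
        "hash_recomputed": hash_recomputed,
        "hmac_clean": hmac_clean,
        "hmac_forged": hmac_forged,
    }


if __name__ == "__main__":
    for name, accepted in transit_scenarios().items():
        print(f"{name:16s} accepted={accepted}")
```

The third scenario is why integrity in transit is normally protected with an HMAC or a digital signature rather than a plain hash, and why a published hash is only as trustworthy as the channel it was published over.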

Availability – how do you keep your business up and running?

Keeping your business operational is critical and you need to ensure that those who need access to hardware, software, equipment or even information can maintain this access at any time.

Disaster planning is essential for this and organisations need to plan ahead to prevent any loss of availability, should the worst happen.

Examples of disaster planning include preparing to deal with cyber-attacks (such as DDoS), data centre power loss or even potential natural disasters.

Getting the combination right

All three of the CIA elements listed above are required to ensure you remain protected. If one aspect fails, it could provide a way in for hackers to compromise your network and your data.

However, the mix between the three elements depends on the individual company and on the project or asset it is being applied to. Some companies may value confidentiality above all, others may place most value on availability.

Whatever the combination, it’s important that the CIA triad is considered at all times and by doing so you protect your organisation against a range of threats, without having to spend too much time keeping up with the latest threats.


Cyber Attacks Cost Korean Firms US$72 billion Last Year: Report

Cyber attacks cost Korean companies US$72 billion last year, according to a survey released by Microsoft Korea on June 18.

The Cyber Security Threat Report, produced jointly with Frost & Sullivan, a global consulting firm, assumes that 90 percent of the damage was indirect losses, which included losses from losing customers, tarnished corporate reputations, and job losses. The report referred to this phenomenon as an “iceberg effect” where indirect losses eclipse direct losses.

This report also covered the status of Korean companies’ security awareness. Among the Korean companies which participated in the survey, 29 percent said they did not even know whether or not a cyber attack occurred. In addition, 35 percent of them said they were postponing digitalization because they were concerned about cyber attacks.

Meanwhile, according to the semi-annual “Security Intelligence Report” released by Microsoft Korea, three types of cybercrime were used in combination — botnets, phishing, and ransomware.

A botnet is a network of PCs infected over the internet and turned into “zombie” machines that perform distributed denial-of-service (DDoS) attacks, steal data and send spam. Phishing refers to deceiving users into making a mistake by disguising a malicious website or e-mail as a legitimate one. Ransomware is malicious code that encrypts the data on your computer and demands money in exchange for a password.

“In the rapidly changing digital world, companies must make cybersecurity a top priority for their organization,” said Kim Gui-ryeon, chief security officer at Microsoft Korea.


Cyber attack warnings highlight need to be prepared

Fresh warnings about the vulnerability of national infrastructure to cyber attacks show the need for securing and monitoring associated control systems connected to the internet.

The commander of Britain’s Joint Forces Command has warned that UK traffic control systems and other critical infrastructure could be targeted by cyber adversaries – but industry experts say this is nothing new and something organisations should be preparing for.

According to Christopher Deverell, these systems could be targeted by countries such as Russia. “There are many potential angles of attack on our systems,” he told the BBC’s Today programme.

Other vulnerable control systems that are connected to the internet are used in power stations, for air traffic control and for rail and other transport systems.

Sean Newman, director at Corero Network Security, said there is nothing new in the claims. “The potential for such attacks has been growing for several years as more systems become connected,” he said.

“There are many good reasons for connecting operational and information networks, including efficiency and effectiveness. However, this opens up operational controls to potential attacks from across the internet, where previously they were completely isolated and only accessible from the inside.”

According to Newman, the question is no longer whether such attacks are theoretically possible, but who is bold enough to carry out such assaults and risk the likely repercussions.

“It is reasonable to assume that it’s more a matter of time than if, so the operators of such systems need to be fully cognisant of the potential risks and deploy all reasonable protection to minimise it,” he said.

“This includes preventing remote access to such systems, as well as real-time defences against DDoS [distributed denial of service] attacks which could disrupt their operation or prevent legitimate access for operation and control purposes.”

Andrea Carcano, chief product officer at Nozomi Networks, said the reality is that the UK’s infrastructure, and those in every developed country around the world, is being continually poked and probed, not just by nation states but by criminals, hacktivists and even curious hobbyists.

“We have seen the damage that can be done from hacks in the Ukraine, where attackers were able to compromise systems and turn the lights out,” he said. “With each incursion, both successful and those that are thwarted, the attackers will learn what has worked, what hasn’t, and what can be improved for the next attempt.

“The challenge for those charged with protecting our critical infrastructure is visibility, as you can’t protect what you don’t know exists.”

According to Carcano, 80% of the industrial facilities Nozomi visits do not have up-to-date lists of assets or network diagrams.

“Ironically, this doesn’t pose a problem to criminals who are using readily available open source tools to query their targets and build a picture of what makes up their network environment and is potentially vulnerable – be it a power plant, factory assembly line, or our transport infrastructure,” he said.

Nozomi researchers created a security testing and fuzzing tool, using open source software, that is capable of automatically finding vulnerabilities in proprietary protocols used by industrial control system (ICS) devices.

“Using just this tool, and in a limited time period, they identified eight zero-day vulnerabilities that, if exploited, could be used to shut down the controllers, making the devices unmanageable, and even potentially corrupt normal processes, which could be extremely serious or even fatal,” said Carcano.

“As the cyber security risk to critical infrastructure and manufacturing organisations increases, it is important for enterprises to actively monitor and secure operational technology [OT] networks. An important aspect of this is having complete visibility to OT networks and assets and their cyber security and process risks.”

However, Deverell suggested that as well as making sure cyber security is continually improving, the UK should also have an offensive capability to respond to attacks on critical infrastructure if necessary, reports The Telegraph.

His comments echo those by UK attorney general Jeremy Wright, who recently suggested that the UK has a legal right to retaliate against aggressive cyber attacks in the same way as it would to armed attacks.

“Cyber operations that result in, or present, an imminent threat of death and destruction on an equivalent scale to an armed attack will give rise to an inherent right to take action in self defence,” he said.

According to Wright, if a hostile state interfered with the operation of one of the UK’s nuclear reactors, resulting in the widespread loss of life, the fact that the act was carried out via a cyber operation does not prevent it from being viewed as an unlawful use of force or an armed attack.

“States that are targeted by hostile cyber operations have the right to respond to those operations in accordance with the options lawfully available to them,” he said.

The UK has previously indicated that it is building cyber-offensive capabilities, but in January 2018, Ciaran Martin, head of the National Cyber Security Centre (NCSC), said that while this will be an “increasing part of the UK’s security toolkit”, a cyber attack would not necessarily trigger a retaliatory cyber attack, but a range of responses would be considered, including sanctions.

Commenting on calls by UK defence chief of general staff Nick Carter for increased defence spending to help the country keep up with its adversaries, particularly in light of the fact that cyber attacks that target military and civilian operations are one of the biggest threats facing the country, Martin confirmed that some of these attacks were aimed at identifying vulnerabilities in infrastructure for potential future disruption, but added that there had been no successful attacks on UK infrastructure.

A report by the Kosciuszko Institute, published in January, predicts that 2018 could be a year of cyber attacks on critical infrastructure.

In the report, Paul Timmers, an academic at Oxford University and former director of the European Commission’s Sustainable & Secure Society Directorate, noted that attacks on systems that are crucial for the functioning of the state and society, including logistics, health and energy, date from 2016.

Timmers believes that the risk of attacks in 2018 may spread to other sectors of the economy, such as transport. An important element of the potential incidents, he said, will be their predicted international and cross-sector nature, which creates an urgent need for cooperation between international organisations, governments and companies.

Sean Kanuck, director of future conflict and cyber security at the International Institute for Strategic Studies and formerly the first US national intelligence officer for cyber issues, predicted a period of intense use of sanctions as a diplomatic tool against entities that undertake offensive actions in the cyber space.

The growing likelihood of ever-escalating conflicts in the cyber space makes it necessary to address standards of operation in the digital space, the report said.


Tech Network Security in the Age of the Internet of Things

There are a lot of changes taking place in the business world today. One of the things that all businesses need to go out of their way to keep up with is cyberattacks. Most of these target traditionally unconnected devices. As we enter into a new generation of using connected, intelligent devices in the workplace, businesses are growing more productive, serving customers in more efficient ways, and also expanding into new markets. While this is good news, it also brings more smart devices into the burgeoning Internet of Things (IoT). This transition has scrambled the historical notion of the corporate endpoint. The world has been forced to move beyond the realm of desktop and laptop computers, and beyond mobile phones and tablets. Today, there are millions of connected “things” populating enterprises’ far-flung networks, sending and receiving a lot of valuable data across the internet.

Understanding the Role of Digital Disruption

Although digital disruption is important and has its role in business culture today, it also comes with a price. This is because with each new device there is a potential entry point for cybercriminals. When this is viewed from a security perspective it is easy to imagine some very nasty sci-fi scenarios. Some companies even got a real life, sneak peek at one of these scenarios last year when they had their digital video cameras compromised by the Mirai botnet-powered massive distributed denial-of-service (DDoS) attack that hackers launched against important parts of the internet. This incident stunned the security world. It made a lot of people stand up and take notice of how successful some cyber attackers were at finding new ways to infect devices that were not susceptible in the past. Symantec said this shows how enterprises are now faced with the threat of defending against attacks that start with hacks of management interfaces on devices that were not even connected to the internet in the past, things like video cameras, fish tanks, and coffee machines.

There are many new challenges that arise due to the emergence of the IoT. One of the main challenges is learning how to handle security when it comes to endpoints, networks, and data in a world that is now full of a lot more connected devices. Attacks on these things can come from any vector. In the connected world in which society exists today, it is important to be aware of these new vulnerabilities.

Living in the Age of Smart Devices

Today, most people realise that their computers and its software are vulnerable to cybersecurity threats. As such, they will take adequate steps to protect these items. While this is great, at the same time they, unfortunately, seem to forget about all the different smart devices they have directly connected to the same network that their computer is running on. This is something that is important for people to never overlook though because hackers can find their way into those systems through a lack of attention. While cutting-edge technologies are helpful for business many of them were never designed to protect themselves against a digital attack. This is why they are so vulnerable to various threats, including malware and IoT botnets.

Many people do not understand what IoT botnets are, though. This is because they are still relatively new, the first having been created in 2016. However, they are something everyone should familiarise themselves with, since there will be 6.4 billion connected devices by 2020. An IoT botnet is a network of compromised internet-connected devices that have been hijacked by cyber attackers, who then use them for unapproved or illegal purposes, including denial of service attacks.

Botnets are not only growing in number today, they are also becoming much more advanced, able to target many more devices at the same time. Today’s cyber attackers use new code that lets them create new types of malware, and they are unleashing their attacks on new targets as well, because new and more obvious targets are available. These include things like Wi-Fi cameras and security systems, which offer an easier way to circumvent many defences, even when users have taken all the normal, necessary precautions.

Clearly, this means that IoT devices are much more vulnerable than those more traditional devices. According to Fortinet, there are two primary reasons why IoT devices are so commonly compromised. These include:

  • There is a lack of regulation surrounding the IoT industry today. While this may sound surprising to some people, it is important to understand how this will directly impact business instead of ignoring it or taking a “wait and see” attitude. This is something people need to understand because this means that many brands are not obligated to even think about cyber security threats and actions they can take to protect devices. Since this is the prevailing attitude today, many coders do not even think twice about using things like trash code, hard coded passwords, backdoors, or any other type of design flaw that could compromise them. In fact, they treat these things as though they are trivial.
  • Unfortunately, a lot of IoT manufacturers do not even have a Product Security and Incident Response Team (PSIRT) in place. Even those who do have one are not able to respond quickly to any new vulnerabilities that may arise. This means that even if they are able to detect a threat, they do not have anyone to whom they could report the issues, which means that not much can be done about them. As time goes on, this is going to become an even bigger problem, especially for businesses who should be taking a proactive approach to all of these things instead of waiting to simply react to them instead.

How to Protect Devices

The importance of protecting devices is not something that can be emphasised enough. This is growing more important today as new technologies are being deployed everywhere, in both homes and businesses alike. Many processes have also evolved recently as well, which is making modern life even more convenient but at the same time it is also placing users at an even greater risk of being “attacked.” This is not something that most people think of or pay attention to today.

When people have some of these devices linked up in a network, they need to take some time to prepare themselves for attacks. They can start by making sure that they have strong authentication set up at access points. This will let users see and track devices. They should also keep track of their devices, including their manufacturers and software versions, so they can quickly identify how vulnerable these devices are when they uncover a threat. Additionally, establishing network segmentation and micro segmentation strategies will help make sure that any devices that are at risk are kept separate from critical production resources. These steps will help ensure that businesses get back on track soon after any attack occurs.
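The device-tracking and segmentation advice above (and Carcano’s point earlier on the page that most industrial facilities lack an up-to-date asset list) is easiest to see as a small inventory check. The following is an added example, not code from the article or from any vendor named on it: it loads a constructed inventory of devices with vendor, model, firmware version and network segment, matches it against a hypothetical vendor advisory that names a fixed firmware version, and reports which affected devices sit in the same segment as critical production resources, i.e. where segmentation is missing. Vendor names, models, versions and segment names are all constructed.

```python
import csv
import io
from dataclasses import dataclass

# Constructed asset inventory (not real devices). A real one would come from a
# CMDB, a network scan, or DHCP/ARP data, but the columns are what matter.
INVENTORY_CSV = """\
name,vendor,model,firmware,segment
lobby-cam-01,ExampleVendor,IPC-200,2.1.4,iot-vlan
lobby-cam-02,ExampleVendor,IPC-200,2.3.0,iot-vlan
warehouse-cam-07,ExampleVendor,IPC-210,2.0.9,prod-vlan
erp-db-01,OtherVendor,SRV-X,9.4.1,prod-vlan
coffee-01,BrewCo,Smart-1,1.0.0,iot-vlan
"""


@dataclass(frozen=True)
class Device:
    name: str
    vendor: str
    model: str
    firmware: str
    segment: str


@dataclass(frozen=True)
class Advisory:
    """Hypothetical advisory: all models starting with model_prefix from this
    vendor are vulnerable below firmware `fixed_in`."""
    vendor: str
    model_prefix: str
    fixed_in: str


def load_inventory(text: str) -> list[Device]:
    return [Device(**row) for row in csv.DictReader(io.StringIO(text))]


def parse_version(v: str) -> tuple[int, ...]:
    """'2.1.4' -> (2, 1, 4); tuples compare component-wise, so 2.1.4 < 2.10.0."""
    return tuple(int(p) for p in v.split("."))


def affected_devices(inventory: list[Device], adv: Advisory) -> list[Device]:
    """Devices matching the advisory whose firmware is older than the fix."""
    return [
        d for d in inventory
        if d.vendor == adv.vendor
        and d.model.startswith(adv.model_prefix)
        and parse_version(d.firmware) < parse_version(adv.fixed_in)
    ]


def segmentation_gaps(affected: list[Device], critical_segments: set[str]) -> list[str]:
    """Affected devices that share a segment with critical resources: these
    should be isolated (or patched first) because a compromise there is one
    hop from production."""
    return [d.name for d in affected if d.segment in critical_segments]


def triage(inventory_text: str, adv: Advisory, critical_segments: set[str]) -> dict:
    inventory = load_inventory(inventory_text)
    affected = affected_devices(inventory, adv)
    return {
        "affected": [d.name for d in affected],
        "in_critical_segment": segmentation_gaps(affected, critical_segments),
    }


if __name__ == "__main__":
    # Hypothetical advisory for the constructed vendor above.
    advisory = Advisory(vendor="ExampleVendor", model_prefix="IPC-2", fixed_in="2.2.0")
    print(triage(INVENTORY_CSV, advisory, {"prod-vlan"}))
```

With the constructed data, two cameras are below the fixed version; one of them sits on the production VLAN next to the ERP database, which is exactly the case the paragraph’s micro-segmentation advice is meant to prevent.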


How employee behavior impacts cybersecurity effectiveness

A recent OpenVPN survey discovered that 25 percent of employees reuse the same password for everything, and 23 percent of employees admit to very frequently clicking on links before verifying they lead to the website they intended to visit.

Sabotaging corporate security initiatives

Whether accidental or intentional, an employee’s online activities can make or break a company’s cybersecurity strategy. Take password usage as one example. Employees create passwords they can easily remember, but this usually results in weak security that hackers can bypass with brute force attacks. Similarly, individuals who use the same password to protect multiple portals — like their bank account, email and social media — risk compromising both their personal and work information.

To reinforce strong password habits, some employers have adopted biometric passwords, combining ease-of-use with security. A reported 77 percent of employees trust biometric passwords, and 62 percent believe they are stronger than traditional alphanumeric codes. But even among those who trust things like fingerprint scans and facial recognition, user adoption is lagging — just a little more than half of employees (55 percent) use biometric passwords.

Convenience also plays a factor in determining how employees approach cybersecurity behaviors. Unfortunately, some individuals are unwilling to trade the convenience of basic passwords and certain technologies for secure cyber habits. Employees are reluctant to abandon things like voice-activated assistants, for example, even though 24 percent of them believe it has the potential to be hacked.

In fact, only 3 percent of employees have actually stopped using their Alexas and Google Homes out of fear of being hacked. This signals to employers that even when employees know the security risks associated with a certain technology, they will ignore the warning signs and continue to use it because of its convenience.

Developing safe cyber hygiene practices

Employers have a responsibility to teach their employees good cyber habits to protect themselves and business operations from malicious actors. Simply telling people to avoid visiting infected websites isn’t enough — more than half (57%) of Millennials admit to frequently clicking on links before verifying they lead to a website they were intending to visit.

Unlike traditional approaches to cybersecurity, a cyber hygiene routine encourages employees to proactively think about the choices they make on the internet. In addition to thorough security education and clear communications, employers can implement the following tips to help employees develop good cyber habits.

Promote positive reinforcement when employees make smart decisions

Employees may be a company’s first line of security, but many fail to report cyber attacks out of fear of retribution. Instead of employing fear tactics to scare employees off weak passwords and phishing schemes, employers should consider rewarding or acknowledging individuals who embrace good cyber strategies. Employees are less likely to shy away from security training and are more incentivized to change their approach to cybersecurity when they are sent encouraging messages for safe internet behavior.

Offer continuous training on best practices

Hackers work year round to catch companies off guard, using tools ranging from phishing to man-in-the-middle to DDoS attacks to breach the defence mechanisms in place. While employers can’t predict what they will face next, they can offer routine training to employees to keep them up-to-date with the latest security threats. This can help employees recognize and deal with evolving threats like smishing, a fairly recent scam targeting individuals with smartphones and other mobile devices.

Building a work culture centered around good cyber hygiene takes time, but will ultimately protect companies in the long run from online threats. When smart online habits become second nature, both employers and employees can better prevent hackers from taking advantage of otherwise stagnant security environments.


Most Risk to Internet Originates from US

“America first” isn’t always a good thing, particularly when it comes to cyber-risk. Still, the US was number one on the list of nations from which the most risk to the internet originated, according to the third annual National Exposure Index released today by Rapid7.

Analysis of the current state of internet exposure revealed which geopolitical regions are most at risk for deliberate, wide-scale attacks on core services. “A country with a higher percentage of exposed services in relation to its total allocated IP address space will tend to score higher on National Exposure,” according to the report. North America, China, South Korea and the UK top the list of nations most vulnerable to cyber-attacks.

Combined, those nations control over 61 million servers listening on at least one of the surveyed ports. The report also found that nearly half a million exposed Microsoft Server Message Block (SMB) servers in the US, Taiwan, Japan, Russia, and Germany are targeted today.

“There are 13 million exposed endpoints associated with direct database access, half of which are associated with MySQL. Along with millions of exposed PostgreSQL, Oracle DB, Microsoft SQL Server, Redis, DB2, and MongoDB endpoints, this exposure presents significant risk of crucial data loss in a coordinated attack,” the report said.

This year has already set a record for the largest distributed denial-of-service (DDoS) attack, launched through unsecured memcached user datagram protocol (UDP) servers; however, approximately 40,000 unpatched, out-of-date memcached servers remain at risk of being drafted into the next record-breaking DDoS attack.

While the report noted that it is nearly impossible to identify the country with the lowest risk exposure, the Federated States of Micronesia ranked 187 out of 187 countries on the list.

Rapid7 aims to use these statistics to identify the nations that can reduce their exposure to nefarious actors – particularly nation-state actors – by making improvements to their local infrastructures. According to the report, “This indicates to us that national internet service providers in these countries can use these findings to understand the risks of internet exposure, and that they, along with policymakers and other technical leaders, are in an excellent position to make significant progress in securing the global internet.”


Canada third most exposed country to possible cyber attacks, says vendor study

After hours of thankless work on their systems every day infosec pros in this country are among the best in securing their systems, right? Not according to a new report.

Canada ranks third on a list of worst countries whose organizations and users have unsecured Internet services open to cyber attacks, says a security vendor survey.

The National Exposure Index, released Thursday by Rapid7, rates the United States first and China second as the countries with the biggest exposure to likely attack, exposure to pervasive monitoring and exposure to amplification abuse.

After Canada comes South Korea, Great Britain, France, the Netherlands, Japan, Germany and Mexico.

Countries are ranked based in part on a scan of open ports to certain services (see below) relative to the number of allocated IPv4 addresses. So, for example, a country that has 1,000 computers, 100 per cent of which are exposing old versions of Windows SMB (server message block), won’t score as high in the exposure rankings as a country with a million computers where only 10 per cent are exposing SMB.

There is also some weighting. A country with a higher percentage of exposed services in relation to its total allocated IP address space will tend to score higher. In addition, countries that have confirmed Microsoft SMB exposed to the internet are weighted even higher.

As a result Russia ranks 14th.

Among other findings:

• There are 13 million exposed endpoints associated with direct database access, half of which are associated with MySQL. Along with millions of exposed PostgreSQL, Oracle DB, Microsoft SQL Server, Redis, DB2, and MongoDB endpoints, this exposure presents significant risk of crucial data loss to a co-ordinated attack;
• While the number of exposed Microsoft SMB Servers dropped considerably after the WannaCry attack of 2017, there remain about a half a million targets today, primarily in the U.S., Taiwan, Japan, Russia, and Germany.
• Amplification-based distributed denial of service (DDoS-A) remains a powerful technique for harming enterprises and providing cover for more sophisticated attacks. While the number of exposed UDP-based memcached servers is less than 4,000, there are about 40,000 unpatched, out-of-date memcached servers, which are at risk of being drafted into the next record-breaking DDoS attack.

Memcached is an open source high-performance, distributed memory object caching system originally intended for use in speeding up dynamic web applications by alleviating database load. But in March hackers leveraged misconfigured or unprotected memcached servers to launch huge distributed denial of service (DDoS) attacks.
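As an added example (not code from the article or from the Rapid7 report), here is what the memcached amplification problem looks like from the defender’s side: a reflector is a server that answers a tiny UDP request with a very large response to a spoofed source, so the ratio of bytes out to bytes in per server, on UDP port 11211, is the signal. The block computes that ratio over constructed flow records and flags reflectors, and separately checks a memcached command line for the two settings that prevent the abuse: binding to loopback with `-l` and disabling UDP with `-U 0` (both real memcached options). The flow records and IP addresses are constructed.

```python
from collections import defaultdict

MEMCACHED_PORT = 11211

# Constructed flow records: (proto, src_ip, src_port, dst_ip, dst_port, bytes).
# 203.0.113.10 answers 60-byte requests with ~750 KB responses aimed at the
# spoofed "requester" 198.51.100.7 (the victim); 203.0.113.20 behaves normally.
FLOWS = [
    ("udp", "198.51.100.7", 40001, "203.0.113.10", MEMCACHED_PORT, 60),
    ("udp", "203.0.113.10", MEMCACHED_PORT, "198.51.100.7", 40001, 750_000),
    ("udp", "198.51.100.7", 40002, "203.0.113.10", MEMCACHED_PORT, 60),
    ("udp", "203.0.113.10", MEMCACHED_PORT, "198.51.100.7", 40002, 750_000),
    ("udp", "10.0.0.5", 50000, "203.0.113.20", MEMCACHED_PORT, 200),
    ("udp", "203.0.113.20", MEMCACHED_PORT, "10.0.0.5", 50000, 400),
    ("tcp", "10.0.0.6", 50001, "203.0.113.20", MEMCACHED_PORT, 120),
    ("tcp", "203.0.113.20", MEMCACHED_PORT, "10.0.0.6", 50001, 90_000),
]


def amplification_by_server(flows):
    """Return {server_ip: bytes_out / bytes_in} for UDP traffic on 11211.

    TCP is ignored: TCP needs a completed handshake, so the source cannot be
    spoofed and the server cannot be used to reflect traffic at a victim.
    """
    bytes_in = defaultdict(int)
    bytes_out = defaultdict(int)
    for proto, src, sport, dst, dport, size in flows:
        if proto != "udp":
            continue
        if dport == MEMCACHED_PORT:
            bytes_in[dst] += size
        elif sport == MEMCACHED_PORT:
            bytes_out[src] += size
    return {
        server: bytes_out[server] / bytes_in[server]
        for server in bytes_in
        if bytes_in[server] > 0
    }


def flag_reflectors(flows, min_ratio=100.0):
    """Servers whose UDP response volume is min_ratio times their request volume."""
    ratios = amplification_by_server(flows)
    return sorted(server for server, ratio in ratios.items() if ratio >= min_ratio)


def check_memcached_args(argv):
    """Conservative review of a memcached command line.

    Flags a listener that is not bound to loopback and UDP that is not
    explicitly disabled. Absent options are flagged too, because the
    safe values should be stated rather than relied on from defaults.
    """
    findings = []
    opts = dict(zip(argv[1::1], argv[2::1]))  # crude "-flag value" pairing
    listen = opts.get("-l")
    udp_port = opts.get("-U")
    if listen not in ("127.0.0.1", "::1", "localhost"):
        findings.append(f"listen address is {listen or 'all interfaces (default)'}; use -l 127.0.0.1")
    if udp_port != "0":
        findings.append(f"UDP port is {udp_port or 'not set'}; use -U 0 to disable UDP")
    return findings


if __name__ == "__main__":
    print("reflectors:", flag_reflectors(FLOWS))
    print("weak:", check_memcached_args(["memcached", "-l", "0.0.0.0", "-U", "11211"]))
    print("hardened:", check_memcached_args(["memcached", "-l", "127.0.0.1", "-U", "0"]))
```

The ratio computation is what a network team would run against NetFlow or firewall logs to find its own reflectors before someone else does; the argument check is the corresponding host-side control. A cache that is only ever used by local web workers has no reason to listen on UDP or on a public interface.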


7 Variants (So Far) of Mirai

Mirai is an example of the newest trend in rapidly evolving, constantly improving malware. These seven variants show how threat actors are making bad malware worse.


Where Mirai is relatively broad in scope, able to plant itself on many different routers and devices, Satori is quite specific. Discovered in December 2017, Satori takes advantage of vulnerabilities in two devices: Realtek’s UPNP SOAP interface and Huawei’s home gateway.

In addition to the device changes, Satori differs from Mirai (in at least some versions) by changing the way it propagates. Whereas Mirai uses the venerable telnet protocol, several Satori versions take advantage of device-specific communications protocols to spread to new targets.

With Satori, malware developers have added targets and communication protocols to a functional core of capabilities.


Okiru

Unlike Satori, Okiru, based in part on Satori's improvements to Mirai, is broad in its scope. Okiru targets systems with an Argonaut RISC Core (ARC) processor and is distributed as Executable and Linkable Format (ELF) binaries.

The ARC target matters because ARC cores ship in a vast number of IoT devices. ELF is the standard executable format on Linux, so an ELF build of Okiru brings into reach IoT devices that run a Linux variant as their embedded OS.

Some researchers consider Okiru, first identified in January 2018, to be a version of Satori. But the advances in target architecture and distribution method show the kind of evolution that gives Okiru a name of its own.
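When a new Mirai-family sample turns up, the first triage question is which CPU it was built for, and the ELF header answers it in its first 20 bytes. The block below is an added example, not code from the article or from any malware analysis toolkit: it reads `EI_CLASS`, `EI_DATA`, `e_type` and `e_machine` from an ELF header and names the architecture. The `e_machine` numbers are the ones registered in the ELF specification and `elf.h`; ARC appears under three of them depending on the core generation. The sample headers are constructed for the example (they are headers only, not runnable binaries) and stand in for dropped files.

```python
import struct

# e_machine values (ELF specification / elf.h) relevant to IoT malware triage.
ELF_MACHINES = {
    2: "SPARC", 3: "x86", 4: "m68k", 8: "MIPS", 20: "PowerPC", 40: "ARM",
    42: "SuperH", 45: "ARC", 62: "x86-64", 93: "ARC (ARCompact)",
    183: "AArch64", 195: "ARC (ARCv2)",
}
ELF_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def elf_target(data: bytes) -> dict:
    """Identify class, endianness, type and CPU of an ELF image from its header.

    Only e_ident[16], e_type and e_machine are read, so the first 20 bytes of
    a file are enough.  Raises ValueError for anything that is not ELF.
    """
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]          # EI_CLASS, EI_DATA
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("invalid EI_CLASS or EI_DATA")
    endian = "<" if ei_data == 1 else ">"         # header fields follow EI_DATA
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": ELF_TYPES.get(e_type, f"unknown({e_type})"),
        "machine": ELF_MACHINES.get(e_machine, f"unknown({e_machine})"),
        "e_machine": e_machine,
    }


def make_elf_header(e_machine: int, bits: int = 32, little_endian: bool = True,
                    e_type: int = 2) -> bytes:
    """Constructed ELF header for the example (a header only, not a program)."""
    endian = "<" if little_endian else ">"
    ident = (b"\x7fELF"
             + bytes([1 if bits == 32 else 2, 1 if little_endian else 2, 1, 0, 0])
             + b"\x00" * 7)                       # EI_CLASS, EI_DATA, EI_VERSION, OSABI, ABIVERSION, pad
    header_len = 52 if bits == 32 else 64
    return (ident + struct.pack(endian + "HH", e_type, e_machine)).ljust(header_len, b"\x00")


# Constructed stand-ins for a dropper's per-architecture payloads.
SAMPLES = {
    "okiru-like.arc": make_elf_header(93),
    "mirai-like.mips": make_elf_header(8, little_endian=False),
    "mirai-like.arm7": make_elf_header(40),
    "mirai-like.x86": make_elf_header(3),
}


def triage(samples: dict) -> dict:
    """Map each sample name to the CPU family its ELF header declares."""
    return {name: elf_target(blob)["machine"] for name, blob in samples.items()}


if __name__ == "__main__":
    for name, arch in triage(SAMPLES).items():
        print(f"{name:18} {arch}")
```

Reading `e_machine` rather than trusting the file name is the point: Mirai droppers fetch one binary per architecture, and a sandbox that picks the wrong emulator for the sample learns nothing.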


Masuta

Malware can exploit vulnerabilities in many things, but threat actors love a protocol exploit because it can hit so many targets. Masuta and its PureMasuta subvariant take advantage of SOAP to convince targeted devices to run commands issued by the threat actor.

Masuta is presumed to have been created by the same developer who built the Satori botnet, but the code for Masuta demonstrates “professional development” both in the additional functionality and in the way the programmer covered identifying tracks left in the code.

The development in Masuta shows not only the evolution of an exploit family but the evolution of an individual programmer — and is typical of the kind of skills development researchers are seeing more frequently in the malware world.


PureMasuta

Where Masuta widened Mirai's (and Satori's) scope with more SOAP, PureMasuta brings it back to a specific vulnerability first found on D-Link routers in 2015. PureMasuta exploits a known vulnerability in HNAP (Home Network Administration Protocol), a router management interface that is itself built on SOAP.

Once again, PureMasuta shows how an attacker develops skill, building exploit on exploit and trying new targets. PureMasuta's programmer, Nexus Zeta, has so far specialised in SOAP exploits. That is hardly a limitation, given SOAP's ubiquity in device management interfaces and web services.


OMG

The old saying goes, "There's more than one way to skin a cat." There's also more than one way to monetize a botnet, and the OMG Mirai variant takes a commercial tack that is far removed from the original.

Where all the variants of Mirai discussed so far were DDoS engines, OMG keeps the original's attack code but adds 3proxy, an open source proxy server, to turn any infected device into a proxy that can then be used for a variety of purposes. OMG even goes so far as to check for, and rewrite, the device's firewall rules so that the ports used by the new proxy can transit the network perimeter without trouble.

OMG provides a network of proxy servers that can be rented out to a huge number of clients, whether they are looking for DDoS generators, a spam network, a cryptojacking scheme or a ransomware empire. Whatever the demand, the OMG proxy network can provide the illicit proxy.


IoTroop

Like many family trees, Mirai has branches that shoot directly from the original root and others that are a bit farther out in the canopy. IoTroop is one of the latter, but it's curving back to rejoin the main stem, making it more interesting than your average third cousin, twice removed.

IoTroop has Mirai code as its foundation, but it is a variant that has taken a huge leap from its roots, starting with the way it infects a device. Whereas Mirai brute-forces user IDs and passwords, IoTroop searches for known vulnerabilities to exploit.

Then come the big changes: IoTroop does not place a Mirai-style DDoS engine on a device. Instead, it places a loader that constantly communicates with a command-and-control (C&C) server. The server can then push any one of a number of payloads to the victim device, turning the botnet into whatever illicit form someone is willing to pay for.

Wicked Mirai

Wicked Mirai is the most recent major variation on a theme, and it adds a dangerous capability to the Mirai family tree: persistence.

Wicked Mirai takes many of the advances in other variants, such as vulnerability scanning and a payload downloaded on demand from a C&C server, and adds code to the firmware in many common residential routers that makes the malware persistent – that is, able to remain on the device through reboots.

Mirai will likely continue to evolve and develop. It has also shown the malware market what rapid code evolution and an agile mindset can achieve. The question for the security world is whether defenders can evolve as quickly, or as effectively, as attackers.


Six years on from the official launch, just how secure is IPv6?

The world launch of IPv6 happened back in June 2012, and World IPv6 Day is on Friday 8 June. But just how secure is IPv6 some six years after that fanfare deployment?

Development of IPv6 first started in the early 1990s, when it was realised that the physical limit of 4.3 billion unique addresses in the IPv4 protocol wasn't going to be enough to support Internet growth. And that was before the Internet of Things had even been thought about. IPv6 addresses the problem, if you'll excuse the pun, by providing 340 trillion trillion trillion (about 3.4 × 10^38) unique addresses.
The newly published Internet Society State of IPv6 Deployment report for 2018 points to the success of IPv6 deployment. More than 25 percent of all Internet-connected networks advertise IPv6 connectivity, for example. Across the top 15 ISPs in the world combined, nearly half a billion people are using IPv6 already. Six years ago, fewer than one in every 100 connections to Google used IPv6; today it is one in four. The report does admit, however, that "enterprise operations tend to be the elephant in the room when it comes to IPv6 deployment."
Internet Society Chief Internet Technology Officer Olaf Kolkman says that IPv6 is "increasingly seen as a competitive advantage, a market differentiator and an essential tool for forward-looking Internet applications and service providers of all kinds." But the question for enterprise security teams remains: just how secure is IPv6?
"In the sense of the protocol, IPv4 and IPv6 are roughly similar in terms of security," says Dr Stephen Strowes, Senior Researcher at the RIPE NCC, in conversation with SC Media UK. "The difference comes from other layers," Dr Strowes adds. "It's the tools used and training that network operators get that makes all the difference."
Cricket Liu, VP of Infrastructure at Infoblox, agrees: "IPv6 isn't inherently more or less secure than IPv4." However, speaking to SC Media, Liu suggests that the major security implication of moving to IPv6 is that "network administrators have substantially less experience managing the protocol than they do with IPv4." Throw in that network equipment vendors, security vendors and so on often don't support IPv6 as completely as they do IPv4, and "the chance of making configuration mistakes increases, as does the likelihood that some whizzy feature of your firewall, IDS or IPS that works great over IPv4 isn't supported at all over IPv6."
Wicus Ross, Security Researcher with SecureData, admits that “It’s possible that there are more misconfigurations present on IPv6 due to the relative lesser usages compared to IPv4.” However, to balance that there’s the small matter of the huge size of the IPv6 address space where a single IPv6 subnet can contain the entire IPv4 address space. “As such” Ross continues “IP Address enumeration or scanning through the IPv6 address space sequentially using current capability is not feasible.” This should be good news, as it makes it less efficient for attackers to hunt for vulnerable devices.
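The arithmetic behind that sentence, with the caveat a practitioner would add to it, as an added example that is not part of the article: a /64 cannot be swept sequentially, but addresses are often not random. Hosts using SLAAC with EUI-64 derive the interface identifier from their MAC address (RFC 4291), so an attacker who knows a vendor's OUI has only the 24-bit device serial left to guess. The probe rate, the documentation prefix `2001:db8::/64` and the MAC values are constructed for the example; nothing here sends traffic.

```python
import ipaddress


def seconds_to_enumerate(network: str, probes_per_second: float) -> float:
    """Wall-clock seconds to probe every address of `network` one after another."""
    net = ipaddress.ip_network(network, strict=False)
    return net.num_addresses / probes_per_second


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, App. A).

    The universal/local bit (bit 1 of the first octet) is flipped and ff:fe is
    inserted between the OUI and the device-specific half of the MAC.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The SLAAC address a device with this MAC forms inside a /64."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != 6 or net.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC addresses live in a /64")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def eui64_candidates(prefix: str, oui: str):
    """Every EUI-64 address one vendor's OUI ('00:11:22') could produce in a /64.

    The unknown part is the 24-bit device serial, so the search space collapses
    from 2**64 interface identifiers to 2**24 (about 16.8 million).
    """
    for serial in range(2 ** 24):
        mac = oui + ":" + ":".join(f"{b:02x}" for b in serial.to_bytes(3, "big"))
        yield eui64_address(prefix, mac)


def scan_budget(probes_per_second: float = 1_000_000) -> dict:
    """Seconds needed for the three search spaces at a given probe rate."""
    return {
        "ipv4 whole internet": seconds_to_enumerate("0.0.0.0/0", probes_per_second),
        "ipv6 one /64, random IIDs": seconds_to_enumerate("2001:db8::/64", probes_per_second),
        "ipv6 one /64, one vendor OUI": 2 ** 24 / probes_per_second,
    }


if __name__ == "__main__":
    for label, secs in scan_budget().items():
        print(f"{label:30} {secs / 31_557_600:.3e} years")
    print(eui64_address("2001:db8::/64", "00:11:22:33:44:55"))
```

At a million probes per second the whole IPv4 Internet takes just over an hour, a /64 with random interface identifiers takes hundreds of thousands of years, and a /64 full of one vendor's EUI-64 hosts takes under twenty seconds. The defensive consequences are the ones RFC 7217 and privacy extensions exist for: stable but opaque interface identifiers, and not relying on the size of the space as a control.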
Earlier this year, DDoS protection specialist Neustar experienced and successfully mitigated its first recorded native IPv6 DDoS attack. This targeted the authoritative DNS service on the Neustar network and originated from around 1,900 native IPv6 hosts on more than 650 different networks. "IPv6 attacks present a particular set of challenges that, at this moment, cannot easily be rectified," Barrett Lyon, General Manager of DDoS at Neustar, told SC Media UK. "For example, the massive number of addresses available to an attacker allows them to exhaust the memory of modern day security appliances," Lyon continues. "As a result, the potential volume of an IPv6 attack has the opportunity to create a mess."
Lyon concludes that, going forward “a great deal of work will need to be undertaken by security professionals to ensure that IPv6 is protected and that we are ahead of the curve when it comes to predicting a hacker’s next move.”
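The memory-exhaustion problem Lyon describes comes from keying per-source state on the full 128-bit address: a single attacker-controlled /64 holds 2^64 distinct sources, so every packet can arrive from a never-before-seen address and push real clients out of a bounded table. The block below is an added example, not code from the article or from Neustar: a bounded LRU per-source table run through a constructed scenario (one legitimate client, then 5,000 attack packets from fresh addresses inside one /64), first keyed per /128 and then with IPv6 sources aggregated to their /64. Table size, prefixes and addresses are all constructed for the example.

```python
import ipaddress
from collections import OrderedDict


class SourceTable:
    """Bounded per-source counter table of the kind a DDoS appliance, resolver
    or rate limiter keeps.  Entries are evicted least-recently-used once
    `capacity` is reached, so a flood of never-before-seen sources pushes the
    legitimate clients out: that is the exhaustion.  v6_prefix sets how much
    of an IPv6 source address is used as the key (128 = every address is its
    own entry; 64 = one entry per /64, the usual end-site allocation).
    """

    def __init__(self, capacity: int, v6_prefix: int = 128, v4_prefix: int = 32):
        self.capacity = capacity
        self.v6_prefix = v6_prefix
        self.v4_prefix = v4_prefix
        self.table = OrderedDict()   # key -> packet count, oldest first
        self.evictions = 0

    def key_for(self, source: str) -> str:
        addr = ipaddress.ip_address(source)
        plen = self.v6_prefix if addr.version == 6 else self.v4_prefix
        return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))

    def hit(self, source: str) -> int:
        """Record one packet from `source`; return that key's running count."""
        key = self.key_for(source)
        if key in self.table:
            self.table.move_to_end(key)
            self.table[key] += 1
            return self.table[key]
        if len(self.table) >= self.capacity:
            self.table.popitem(last=False)   # evict the least recently seen key
            self.evictions += 1
        self.table[key] = 1
        return 1

    def tracked(self, source: str) -> bool:
        return self.key_for(source) in self.table


def simulate(v6_prefix: int, capacity: int = 1000, attack_packets: int = 5000) -> dict:
    """Constructed scenario: one legitimate client, then an attacker that sends
    every packet from a fresh address inside a single /64 it controls."""
    table = SourceTable(capacity, v6_prefix=v6_prefix)
    legit = "2001:db8:1::10"
    table.hit(legit)
    attacker_count = 0
    for i in range(1, attack_packets + 1):
        attacker_count = table.hit(f"2001:db8:bad::{i:x}")
    return {
        "entries": len(table.table),
        "evictions": table.evictions,
        "legit_still_tracked": table.tracked(legit),
        "attacker_count": attacker_count,
    }


if __name__ == "__main__":
    print("keyed per /128:", simulate(v6_prefix=128))
    print("keyed per /64: ", simulate(v6_prefix=64))
```

Keyed per /128 the attacker's 5,000 packets look like 5,000 clients, the table churns through 4,001 evictions and the legitimate client is gone after the first thousand; keyed per /64 the attacker is one entry with a count of 5,000, which is exactly the signal a rate limiter wants. The aggregation prefix is a policy choice: /64 matches a typical end site, but an attacker holding a /48 or many /64s (the Neustar attack came from more than 650 networks) needs a coarser key or a second, per-/48 table layered above it.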