What Security Risks Should MSPs Expect in 2018

As IT operations are becoming more complex and require both advanced infrastructure and security expertise to increase the overall security posture of the organization, the managed service provider (MSP) industry is gaining more traction and popularity.

Estimated to grow from USD $152.45 billion in 2017 to USD $257.84 billion by 2022, at a CAGR of 11.1%, the MSP industry offers greater scalability and agility to organizations that have budget constraints and opt for a cloud-based IT deployment model.

“The cloud-based technology is the fastest-growing deployment type in the managed services market and is expected to grow at the highest CAGR during the forecast period from 2017 to 2022,” according to ResearchandMarkets. “IT budget constraints for installation and implementation of required hardware and software, limited IT support to manage and support managed services, and need for greater scalability are major factors that are likely to drive the adoption of cloud managed services in the coming years. The cloud-based deployment model offers higher agility than the on-premises deployment model.”

However, MSPs are expected to also become more targeted by threat actors than in the past. Supply chain attacks are becoming a common practice, as large organizations have stronger perimeter defenses that increase the cost of attack, turning MSPs into “low-hanging fruit”
that could provide access into infrastructures belonging to more than one victim. In other words, MSPs hold the keys to the kingdom.

Since MSPs are expected to provide around-the-clock security monitoring, evaluation, and response to security alters, they also need to triage and only escalate resources when dealing with advanced threats.

1. Wormable military-grade cyber weapons

Leveraging leaked, zero-day vulnerabilities in either operating systems or commonly deployed applications, threat actors could make the WannaCry incident a common occurrence. As similarly-behaving threats spread across infrastructures around internet-connected endpoints – both physical and virtual – MSPs need to quickly react with adequate countermeasures to defend organizations.
While MSPs may not be directly targeted, their role in protecting organizations will become far more important as they’ll need to reduce reaction time to new critical threats to a bare minimum, on an ongoing basis. Consequently, network security and threat mitigation will become commonplace services for MSPs.

2. Next-Level Ransomware

The rise of polymorphism-as-a-service (PaaS) will trigger a new wave of ransomware samples that will make it even more difficult for security solutions to detect. Coupled with new encryption techniques, such as leveraging GPU power to expedite file encryption, ransomware will continue to plague organizations everywhere. Backup management and incident response that provides full data redundancy need to be at the core of MSP offerings when dealing with these new ransomware variants.

While traditional ransomware will cause serious incidents, threat actors might also hold companies at gunpoint by threatening to disrupt services with massive distributed-denial-of-service (DDoS) attacks performed by huge armies of IoT botnets.

3. OSX Malware

The popular belief that Apple’s operating system is immune to malware was recently put to the test by incidents such as the ransomware disseminating Transmission app and advanced remote access Trojans (RATs) that have been spying on victims for years. With Apple devices making their way into corporate infrastructures onto C-level’s desks, managing and securing them is no longer optional, but mandatory.

Security experts have started finding more advanced threats gunning for organizations that have specific MacOS components, meaning that during 2018 threat actors will continue down this alley. Regardless of company size, vertical, or infrastructure, MSPs need to factor in MacOS malware proliferation and prepare adequate security measures.

4. Virtualization-Aware Threats

Advanced malware has been endowed with virtualization-aware capabilities, making it not just difficult to identify and spot by traditional endpoint security solutions, but also highly effective when performing lateral movement in virtual infrastructures. MSPs need to identify and plan to deploy key security technologies that are not just designed from the ground up to defend virtual infrastructures, but also hypervisor-agnostic, offer complete visibility across infrastructures, and detect zero-day vulnerabilities.

Focusing on proactive security technologies for protecting virtual workloads against sophisticated attacks will help MSPs offer unique value to their services.

5. Supply Chain Attacks

MSPs could also become the target of attack for threat actors, which is why deploying strong perimeter defense on their end should also be a top priority. Having access and managing security aspects to remote infrastructures turns MSPs into likely candidates for advanced attacks. Either by directly targeting their infrastructure or by “poisoning” commonly-deployed tools, MSPs should treat the security of their own infrastructure with the utmost scrutiny.

Source: https://securityboulevard.com/2018/04/what-security-risks-should-msps-expect-in-2018/

Command and control: A fight for the future of government hacking

Following years of effort and billions of dollars’ worth of research and planning, the nation finally has a fully operational force of cyberwarriors at U.S. Cyber Command. Yet, as those troops confront adversaries around the world, there’s uncertainty across government about how to best make use of them.

While lawmakers push the Trump administration to exact revenge for years of cyberattacks on U.S. targets, a quiet but constant tug of war is raging between the intelligence community and the military over the future of government-backed hacking operations.

Congress, the White House and the nation’s spy agencies all have something at stake, but the tension is perhaps most intensely felt at the National Security Agency, which serves as a partner agency to U.S. Cyber Command. The NSA is not the only intel agency challenged by the warfare unit’s increasingly influential role: The CIA, the FBI and the Pentagon’s other intelligence agencies are also trying to shape Cyber Command’s future. Each agency understands offensive hacking in its own way, and that dissonance only intensifies the debate, according to current and former U.S. officials.

CyberScoop spoke with 13 current and former U.S. intelligence officials, three lawmakers and dozens of congressional aides for this story. Some chose to speak only on condition of anonymity to discuss the opinions circulating in government about who should be managing covert offensive cyber-operations that cross the line of everyday digital espionage.

The chief question is: If the U.S. is going to strike back at foreign targets in cyberspace, when should the soldiers or the spies lead the charge? Things may now finally be leaning in favor of the military after the intelligence community dominated for more than a decade, sources say. The U.S. has engaged in cyber-espionage since at least the 1990s, and there are historic cases of allied intelligence agencies launching offensive, destructive-style cyberattacks dating back to at least 2011.

Since then, both the Obama and Trump administrations have made decisions allowing Cyber Command to escape NSA’s shadow. And yet at the same time, the government appears to be desperately avoiding an all out cyber conflict with Russia or any other entity aside from ISIS.

An analyst for the U.S. government described the changing dynamic by saying: “NSA went into this thinking that they were going to be the top dog. Now they are paranoid that they may have eaten a massive tapeworm instead.”

Pressure to use Cyber Command’s full capabilities only increases as more stories surface of interference in U.S. networks by Russian, Chinese and other foreign hacking groups. Any decision to expand the military’s use of cyberwarriors will be a pivotal point in the relationship between the nation’s spies and the Pentagon, further drawing the bureaucratic boundary that separates stealthy digital espionage activities from more overt cyberwarfare operations.

The rise of the ‘gray zone’

Founded in 2009, the Fort Meade, Maryland-based Cyber Command was created through the leadership of then-NSA Director Gen. Keith Alexander. Some of its architects believe it was supposed to be a collaborative extension of NSA, but it has gained stature and influence far beyond what Alexander might have intended, insiders say.

Alexander, through a spokesperson, declined to comment for this story.

Today, U.S. Cyber Command is currently in the process of becoming a unified combatant command on par with the likes of Strategic Command (STRATCOM), which handles the nuclear program, or Special Operations Command (SOCOM), which handles high-profile combat operations. In less than a year, Cyber Command could also gain additional power through a separation from NSA that would call for a new and separate leadership structure, ending the current “dual hat” arrangement for the NSA director.

The elevation process and potential formal split from NSA could eventually give Cyber Command more leeway to plan and recommend cyberattacks, with a direct line to the White House. Launching these types of cyberattacks usually requires direct presidential approval, and the authority flows through NSA leadership. But that may too change.

In a congressional hearing Feb. 27, the current head of NSA and Cyber Command, Adm. Mike Rogers, acknowledged that there’s an ongoing “policy discussion” about giving Cyber Command more authority. Lawmakers needled him over the Trump’s administration’s lackluster response to Russian meddling in the 2016 presidential election. His responses were cagey, but he had a reason.

Cyber Command is quite limited in what operations it can pursue because, among other reasons, it is designated as a combat force that operates under Title 10 of the U.S. Code. That law dictates that such a unit can only operate within the confines of a declared war zone — a statue complicated by the internet’s global reach. The intelligence community, like the NSA and CIA, operate under Title 50, which permits them to conduct espionage in nearly any foreign country, a condition that’s especially advantageous when exploiting computers spread around the world.

How Title 10 exactly applies to cyberspace remains an open-ended question, former U.S. intelligence officials say. Some academics have described the current situation where military-backed cyberattacks occur as a sort of legal “gray zone.” That description is driven by the fact that the international Rules of Engagement for cyberwarfare remains largely undefined.

Even so, Secretary of Defense James Mattis has become a leading voice lobbying the White House to at least give Cyber Command more flexibility.

“[Mattis] has been very aggressive in articulating this concerns him, that there’s an ongoing discussion at the moment, that I hope is going to come to a way ahead in the near term,” Rogers recently told lawmakers.

It’s unclear exactly which additional authorities Mattis is seeking.

Cyber Command was recently granted the ability to foward deploy its forces to combatant commands across the world, sources told CyberScoop. Previously, so-called Cyber Mission Force teams would only be assigned to U.S. bases, like Fort Meade. Now they can be located within other combatant commands like U.S. Central Command, integrating with the military on physical front lines. This follows in line with the SOCOM model, which allows elite military personnel to be quickly grouped and deployed rapidly to accomplish very specific objectives.
That decision could open the door for new opportunities to hack enemy networks, but it does not necessarily provide Cyber Command with any additional license to independently launch attacks.
When military leaders push to do more with hackers, they usually meet some form of resistance from Pentagon lawyers.
A recent operation underscores the complexities surrounding Cyber Command’s ability to run offensive operations in the gray zone.
According to prior reporting by the Washington Post, the Obama administration angered the German government when Cyber Command hacked into a server hosting ISIS propaganda that was located in Germany. Though the terrorist group is most active in the Middle East, the group’s digital content is sometimes hosted by shared systems located inside allied countries and not war zones. The Pentagon reportedly notified its German counterparts of the counterterrorism mission to remove ISIS material, but the hacking still upset a wary ally.
The debate about what checks and balances should exist to control the use of offensive cyber operations is especially important due to the fragile nature of the internet. With militaries looking to disrupt each other through the world wide web, innocent users will inevitably be caught up in the chaos.
In 2016, a single distributed denial of service (DDoS) attack against Dyn, a internet gateway company, knocked out dozens of major internet retailers; leading to millions of dollars in lost revenue. That attack was later attributed to several American university students; a group obviously far less equipped than a conventional army.
New spin on an old fight
While ambiguity may surround the legal framework for military-led cyberattacks, how these missions affect the intelligence community’s own computer spying efforts poses another difficult proposition.
It’s not one that’s been easily handled in the past.

“This tug of war is not a new one,” described Rhea Siers, a 30-year NSA veteran who during her time at the agency worked in multiple administrative roles. “Collecting intelligence versus taking out the target has been a key tactical and strategic discussion between the military and intelligence agencies for decades — first about SIGINT [Signal Intelligence], now about cyber-operations as well.”

With Cyber Command in the spotlight, some military leaders have pushed for permission to “engage the enemy” online more often, a U.S. official told CyberScoop. But there are U.S. intelligence officials who still worry about what Cyber Command’s rise will mean for espionage missions.

In short, spies fear that their more covert digital intrusions will be negatively impacted by a spike in “louder,” purposefully disruptive cyberattacks from military operators, who are usually more interested in immediate outcomes. The concern stems from the issue of parallel discovery — where both a spy agency and military unit are hiding in the same compromised network, allowing the detection of one attacker to expose the other.

“There is an inherent conflict between military-like cyber operations and clandestine espionage operations,” explained Jason Kichen, a former intelligence officer who was focused on computer hacking strategy. “Sometimes the military’s needs to gain their own access can put the already present espionage-focused access at risk.”

Historically, NSA’s relationship to Cyber Command has generally tended to be collaborative. The partnership is complicated because each organization is responsible for a unique mission that’s sometimes drastically different yet requires nearly identical tools and talent — both of which are finite. 

The clashes can be over which hacking tools are used, who should be handling them and whom they should be used against.

At the moment, the NSA is the government’s primary collector of information about software vulnerabilities that can be exploited by hackers. That title is held closely and with pride.

“A lot of what we ran into during the Obama administration involved the IC bucking at plans strung up by Cyber Command because they worried about intel gain-loss,” said Eric Rosenbach, former Pentagon chief of staff to Defense Secretary Ashton Carter. “The missions of Cyber Command and NSA should be complimentary, but too often they are competitive and collide with one another.”

Nearly everyone who spoke to CyberScoop said that the unified combatant command’s rise under the Trump administration will inevitably challenge the NSA’s franchise on software vulnerabilities and other hacking tools. Until recently, the intelligence community usually has taken the lead in helping decide whether to deploy some of the government’s elite hacking capabilities, according to two former U.S. senior defense officials. 

But that hegemony is now increasingly challenged by a younger, military-minded Cyber Command that’s pushing for changes to the status quo.

“NSA has had a major role in this space since at least 1997, when [then-Secretary of Defense William] Cohen assigned them the mission to develop offensive techniques,” said Jason Healey, a former director for Cyber Infrastructure Protection at the White House from 2003 to 2005. “Twenty years on, they’re used to ruling the roost, especially since they’ve been not just developing but using offensive capabilities since 2005. Losing [some] of those responsibilities was always going to sting and meet bureaucratic resistance.”

Untangling the policy knot

Empowering Cyber Command appears to have bipartisan support. Multiple current and former defense officials are pushing for a win after years of apparent stagnation. And multiple former officials who worked in past administrations told CyberScoop, in general terms, that they welcomed changes that could help Cyber Command contribute to national security.

Creating the tools and policies that give Cyber Command independence from other U.S. intelligence or defense agencies has helped solve some bureaucratic issues. But not all of them.

In recent months, aides for the House Armed Services Committee and Senate Armed Services Committee have been meeting with government “working groups” to stop the military and intelligence community from butting heads. With people in the room representing both sides’ interests, lawmakers hope to quell any problems that have come with impending changes to the hierarchy.

Several aides told CyberScoop that the people representing Cyber Command have grown increasingly frustrated in these recent meetings. The representatives told the committees that the unit’s growth has been curbed by a reluctant bureaucracy that’s continuing to voice skepticism about scaling up hacking operations beyond the intelligence community.

In one meeting held in mid-February, Rogers’ Combined Action Group (CAG) held a meeting with congressional staffers, military academics and other officials from Fort Meade to discuss some of the issues. The gathering’s purpose was not necessarily to come up with immediate solutions, but to flesh out each side’s concerns that have come with Cyber Command’s maturation. Insights from the nearly eight-hour-long meeting were later provided to Rogers, who used them to prepare for a congressional hearing.

In that Capitol Hill appearance, Rogers maintained that Cyber Command should eventually be split from NSA, which would give it more autonomy.

The peacemaker?

President Donald Trump recently nominated Army Cyber Commander Gen. Paul Nakasone to be the combined leader of NSA and Cyber Command. Nakasone is a well-respected military leader with a history of working in cybersecurity-focused positions. However, he is not a career intelligence official.

Nakasone has been heralded for his time in service by former superiors, including Rosenbach and Alexander. He is widely considered one of the most experienced generals in managing military-led hacking operations.

The congressmen with perhaps the most experience dealing with NSA told CyberScoop that managing some of the conflicting equities between the two brotherly organizations will almost entirely fall on Nakasone.

“It’s really going to be up to leadership, they’re responsible for making sure it goes right,” said Rep. Dutch Ruppersberger, D-Md. “You need to have the right leader to negotiate these things, to listen to both sides and figure it out … If we don’t have good leadership for this position then it can be bad.”

Managing the tug of war in government represents just one of many challenges for the NSA director.

“That’s a very, very tough job,” he continued. “With everything that’s gone on recently, maybe one of the most difficult [jobs] in government.”

Michael Sulmeyer, a former cybersecurity policy adviser in the Office of the Secretary of Defense, said he believed Nakasone would make it a “fair fight.” Sulmeyer told CyberScoop that Cyber Command’s development may have been stunted by the dual-hat leadership arrangement, which he contends had benefited the intelligence community more.

“In the past, the IC would usually win these internal arguments … the resolution process requires consulting with the leaders of each organization. So it was a really circular, you could efficient way of dealing with it. But certainly slanted,” Rosenbach explained.

Nakasone recently told lawmakers that he planned to provide a recommendation within 90 days of being confirmed to Mattis about whether or not to split Cyber Command from NSA. Rogers, his predecessor, has said a split is inevitable. CyberScoop previously reported that Director of National Intelligence Dan Coats preferred keeping the dual hat in place for the immediate future.

In a brief interview with CyberScoop following a public speaking appearance in D.C., current White House Cybersecurity Coordinator Rob Joyce said he believed Cyber Command should be separated from NSA as it becomes more capable. He provided no timeline, but said that some predictable “friction” would likely follow a split as the two organization readjust to a new relationship. “That’s only normal,” Joyce described.

Fighting into the future

Lawmakers are generally unsure by how Cyber Command’s evolution will pan out. But several expect a bumpy road forward.

“There’s always going to be that rub between the operators and the intel collectors. I think that’s very true right now just because probably NSA is much more mature organization and certainly CIA also weighs in as well and they want to err towards protecting their capabilities,” said Congressman Jim Langevin, D-R.I.. “I certainly get that. But sometimes they can be over-protective and it slows things down. Maybe we’re missing out on opportunities to make a [cyberwarfare] operation more effective.”

Sen. Mike Rounds, R-S.D., the chairman of the Senate Armed Services cybersecurity subcommittee, told CyberScoop that he has also been involved in helping to ensure that Cyber Command’s elevation to a unified combatant command happens quickly and in a well-managed fashion.

“After listening to a lot of discussion internally, I think we’re moving in the right direction by separating the hats,” Rounds, said in an interview with CyberScoop following a congressional hearing. “Those folks operating under Title 50 really want to be deep in and not be discovered. At the same time, under Title 10 and what we would want in terms of persistence, you have to be able to show ourselves every once in awhile and that we are actually doing things in cyber to deter those who are causing the problems. It may easier to do using two hats rather than a dual hat.”

Whether the current system disproportionately handicaps Cyber Command remains a tough question to answer.

“The benefit of having a dual-hat between NSA and U.S. Cyber Command is clear — you have one person who can make a fully informed decision about the tradeoffs between the potential capability loss associated with using an intelligence asset to conduct an offensive cyber-operation,” explained Jamil Jaffer, former senior counsel to the House Intelligence Committee.

With Nakasone set to take the helm of both Cyber Command and NSA later this month following his expected confirmation, the debate will be immediately in front of him.

“Many have raised concerns that such an arrangement is a one-way ratchet and doesn’t full account for all equities,” Jaffer said. “What can be said for certain is that if you split the current dual-hat arrangement, you’re going to be teeing up a lot more debates for the National Security Council to have on individual operations and that is likely to be its own can of worms. After all, fighting a war by committee is hardly a good way to go.”

Source: https://www.cyberscoop.com/us-cyber-command-nsa-government-hacking-operations-fight/

A new Mirai-style botnet is targeting the financial sector

The researchers say it’s the largest attack since the Mirai-powered cyberattack in October 2016 that took down large swathes of the Western internet.

A botnet made up of hijacked internet-connected televisions and web cameras has a new target, security researchers have found.

Three financial sector institutions have become the latest victims of distributed denial-of-service (DDoS) attacks in recent months. New research by Recorded Future’s Insikt Group published Thursday points to what’s likely to be the IoTroop botnet, used to pummel financial firms with internet traffic to overload servers and disrupt services.

The researchers say it’s the largest attack since the Mirai-powered cyberattack in October 2016 that took down large swathes of the Western internet.

Botnets appear all the time and can rapidly grow and ensnare thousands of devices. Many lay dormant for months, quietly gathering pace but ready to cause disruption at a moment’s notice. Although several botnets have appeared in the past year, none have resulted in any sizable attacks.

But that changed in January, when three DDoS attacks were launched within a few hours of each other.
The first was a DNS amplification attack that peaked at a traffic volume of 30Gbps per second. That may pale in comparison to a recent 1.7 Tbps attack — some fifty times larger– but can still cause considerable damage for companies not investing in DDoS mitigation protections.

It’s thought that the botnets are built off Mirai’s code, which was open-sourced and publicly released just weeks before the October 2016 attacks. Mirai was fairly simple compared to other botnets, which aggressively infected devices by using a list of pre-determined default usernames and passwords.

But the code’s release opened the door for other botnets to spring to life.

It’s believed that the more aggressive and advanced Reaper malware is thought to be behind the IoTroop botnet targeting financial institutions, said Priscilla Moriuchi, who co-authored the report with Sanil Chohan.

“This botnet is different than Mirai in composition and exploitation vector, likely compromising new bots based on vulnerabilities and not via unchanged administrator credentials,” said Moriuchi, in an email.

Unlike Mirai, Reaper has become a large botnet that can run complex attack scripts to exploits flaws in the code of vulnerable devices, making it difficult to detect infections. The botnet exploits over a dozen known vulnerabilities in nine internet-connected products — including some of the flaws that were originally used in Mirai.

Netlab said that the botnet had about 28,000 infected devices connected to one of the botnet’s controllers as of its discovery in October — and was ballooning in size.

This new botnet targeting financial sector companies has over 13,000 devices — each with a unique IP address, the report said.

Most of the compromised devices are routers made by MikroTik, a Latvia-based networking company. It’s thought that the attackers are leveraging the manufacturer’s router bandwidth testing feature. The majority of infected devices were found in Russia, Brazil, and Ukraine — a point that the researchers said is “likely to just be a reflection of the popularity” of the infected devices.

Moriuchi said that at least one of the companies affected by the attack had its customer services temporarily disrupted, but the extent of the financial or network damage wasn’t known.

The researchers would not name the companies targeted by the botnet in their report, but said they were global Fortune 500 firms. It’s also not known who is behind the attacks, they said.

But the botnet is likely not done. Although botnet attack activity has been largely quiet since January, the researchers said the botnet will grow in size and may be able to launch larger DDoS attacks against the financial sector in the future.

“It will become increasingly important to monitor the potential controllers and identify new IoT devices being added to the botnet in preparation for further attacks,” the researchers said.

Source: https://www.zdnet.com/article/new-mirai-style-botnet-targets-the-financial-sector/

Insurance may not be enough to stop hackers

NEARLY two dozen ransomeware attacks were made against Jersey businesses in the first three months of this year, according to research by just one local IT company.

Logicalis also logged more than seven Office 365 break ins, 21 examples of attackers exploiting vulnerabilities caused by user errors, three DDoS attacks from hackers using company bandwidths, 20 compromised systems because of poor configuration, and 50 examples of hackers using credentials from the dark web to log in.

All told, the Logicalis Security Operations Centre detected 124 cyber-attacks in the Island in three months, which Logicalis say must be a fraction of the real level of attacks.

The message, according to Ricky Magalhaes, Managed Security Services Director at Logicalis, is that companies will loose out if they rely on insurance to cover the costs of those attacks. He fears that up to 80% of businesses would not be covered by their cyber insurance policies in the event of a cyber-attack because they are not following correct security protocols.

‘Many companies think cyber insurance is an alternative to good cyber security practices; however, if you

don’t have correct controls in place, your insurance will not cover you,’ Mr Magalhaes said.

‘Up to 80% of companies with cyber insurance are not following basic cyber security procedures, which means if they suffer a loss, it will be hard for them to claim because they have been negligent.’

Even if the user follows correct procedures and an insurance company pays out, the real costs of a cyber-attack could be well beyond the financial compensation they receive. For example, US drug maker Merck, lost $750m in the NotPetya attacks last year, but received only $275m in insurance.

‘Proper security monitoring, simple procedures such as

using two-factor authentication, and regular training and testing of staff to help prevent security breaches in the first place, are vital, whether you are insured or not,’ Mr Magalhaes said.

‘A lot of cyber-attacks happen because of behaviour of staff, rather than because of the technology, which makes it very hard to assess risks. One thing is certain, though, the risks of cyber-crime are higher than ever.”

Source: https://jerseyeveningpost.com/news/business/2018/04/03/insurance-may-not-be-enough-to-stop-hackers/

New world record DDoS attack hits 1.7Tbps days after landmark GitHub outage

Just a week after code repository GitHub was knocked offline by the world’s largest recorded distributed denial-of-service (DDoS) attack, the same technique has been used to direct an even bigger attack at an unnamed US service provider.

According to DDoS protection outfit Arbor Networks, that US service provider survived an attack that reached an unprecedented 1.7Tbps.

Last week Arbor, Cloudflare and Akamai reported an uptick in amplification attacks that abuse memcached servers to ramp up by traffic by a factor of 50,000.

Within a day of Cloudflare reporting that attackers were abusing open memcached servers to power DDoS attacks, GitHub was taken offline for about 10 minutes by an attack that peaked at 1.35Tbps.

Memcached is a caching system to optimize websites that rely on external databases. Memcached-enabled servers shouldn’t be left exposed to the internet, although at any given time over 100,000 are, according to Rapid7.

The attacks involve spoofing a target’s IP address to the default UDP port on available memcached amplifiers, which return much larger responses to the target.

The attacks appear to be getting larger by the day. Before the attack on GitHub, Arbor Networks reported seeing attacks exceeding 500Gbps.

Arbor Networks’ Carlos Morales predicts memcached attacks won’t be going away any time soon because of the number of exposed memcached servers.

“While the internet community is coming together to shut down access to the many open memcached servers out there, the sheer number of servers running memcached openly will make this a lasting vulnerability that attackers will exploit,” he wrote.

Morales’ colleague, Roland Dobbins believes the memcached DDoS attacks were initially used exclusively by skilled attackers who launched attacks manually, but now they’ve been automated via rental ‘booter’ or ‘stressor’ botnets.

He notes that the potential for abusing memcached servers in application attacks was revealed by Chinese researchers in November 2017, but that as early as 2010 researchers had discovered widespread insecure memcached servers across the world.

As Ars Technica reports, some people attacking memcached servers are attaching a ransom note instructing targets to “Pay 50 XMR” or the equivalent of $18,415 to a specified wallet.

Rapid7’s internet-wide Project Sonar scanner found over 100,000 exposed memcached servers at any given time.

Image: Rapid7

Source: http://www.zdnet.com/article/new-world-record-ddos-attack-hits-1-7tbps-days-after-landmark-github-outage/

Interpol Tests Global Cops with IoT Simulation

Interpol last week held a simulated training exercise for global investigators designed to help overcome Internet of Things (IoT) skills shortages.

The international police organization’s annual Digital Security Challenge saw 43 cybercrime investigators and digital forensics experts from 23 countries face a simulated cyber-attack on a bank launched through an IoT device.

During the course of the simulation, investigators found that the malware was sent in an email attachment via a hacked webcam, and not direct from a computer.

Interpol claimed this is an increasingly popular tactic designed to obfuscate the source of attacks, but warned that police may not have the skills to forensically examine IoT devices.

“The ever-changing world of cybercrime is constantly presenting new challenges for law enforcement, but we cannot successfully counter them by working in isolation,” said Noboru, Nakatani, executive director of the Interpol Global Complex for Innovation.

“A multi-stakeholder approach which engages the expertise of the private sector is essential for anticipating new threats and ensuring police have access to the technology and knowledge necessary to detect and investigate cyber-attacks.”

The first two Digital Security Challenge exercises in 2016 and 2017 simulated cyber-blackmail involving Bitcoin and a ransomware attack, so the new focus on IoT is reflective of the changing nature of threats.

Last week, Trend Micro claimed in its 2017 roundup report that IoT devices are increasingly being “zombified” to mine crypto-currency and launch cyber-attacks like DDoS.

Hackers can target exposed IoT endpoints to infiltrate corporate networks, conscript into botnets or even interfere with critical infrastructure.

However, nearly half (49%) of all IoT “events” observed by the security vendor last year — amounting to a total of 45.6 million — involved crypto-currency mining.

Adam Brown, security solutions manager at Synopsys, argued that IoT attacks will continue until firmware flaws are addressed.

“Good practices by vendors around configuration and authentication need to be initiated or matured to prevent this in future,” he added.

“I would love to see certification for IoT devices become commonplace so that consumers can know that the devices are cyber-safe, much in the same way that if you buy a toy with a CE mark you know it has been through a process of assessment and it won’t, for example, poison anyone because it has lead in its paint.”

Source: https://www.infosecurity-magazine.com/news/interpol-tests-global-cops-with/

Californian may not see stars for years after conviction for DDoS attack against telescope retailer

A California man was convicted of launching distributed denial of service (DDoS) attacks against telescope retailer Astronomics and the online astronomy forum the company runs called Cloudy Nights.

David Chesley Goodyear, of El Segundo, Calif., was found guilty by a jury last week of hitting both the Norman, Okla.-based retailer and forum in August 2016, reported Robert J. Troester, Acting United States Attorney for the Western District of Oklahoma. Troester presented evidence to the jury that Goodyear had belonged to the Cloudy Nights forum, but twice had been blocked from the site for violating its terms of service, which included sending threats to users, administrators, and moderators.

Goodyear used two aliases to place posts on Cloudy Nights on August 9 and 13, 2016. In these posts he threatened to “talk with his contacts and hit the forum and Astronomics with a DoS attack, Troester said.

“Evidence further showed that DDoS attacks against Astronomics and Cloudy Nights commenced that night and continued intermittently until the end of August 2016, when Goodyear was interviewed by law enforcement and admitted he was responsible for the attacks,” Troester said.

Goodyear faces up to 10 years in prison and a $250,000 fine.

Source: https://www.scmagazine.com/california-man-convicted-of-ddos-attack-against-telescope-retailer/article/745248/

The risks of DDoS and why availability is everything

DDoS attacks bring significant risk to organisations that depend on their networks and websites as an integral part of their business. And these days, that’s just about everyone. Think about online banking, retailing, travel reservations, medical patient portals, telecommunications, B2B e-commerce – virtually every business model today includes a significant online transactional component or, in some cases, has shifted online entirely.

We’ve all experienced the feeling of frustration, or even desperation, when the online services we expect are not available to us instantly when we want or need them. Imagine that happening to thousands or even millions of customers worldwide, simultaneously, and you can understand the potential impact of a single DDoS attack on your organisation. Maintaining availability of digital platforms, networks, applications and services is not simply a security issue – it is a business risk and continuity issue.

It doesn’t take much to take down a substantial section of the internet. In November 2016, an accidental misconfiguration at a major internet infrastructure company led to outages at several large carriers. Although the “route leak” was accidental and not malicious, the resulting 90-minute lack of availability was still painful for the carriers and their customers alike.

A concerted attack can have far more damaging consequences. Unlike advanced threats or data breaches, which are designed for stealth to exfiltrate data of value, a successful DDoS attack is instantly recognisable. The symptoms range from poor performance and intermittent outages, to a stream of customer complaints, all the way to sudden and complete unavailability. Whatever the motive, disruption or denial of service is the goal.

Have threat capabilities leapfrogged your protection capacity?

DDoS attacks have been around just as long as e-commerce itself. Established organisations with a significant online presence have always taken measures to ensure availability. Ask yourself, however, if the protection you may have put in place several years ago is still adequate for a modern-day attack. DDoS threat capabilities have become more complex, dynamic and multi-vector. Increasingly, attackers employ a combination of attack methodologies, on the assumption that at least one will succeed while the others divert defences. These attack types include:

  • Volumetric: Large bandwidth-consuming attacks that essentially “flood” network pipes and router interfaces.
  • TCP State Exhaustion: Attacks that use up all available transmission control protocol (TCP) connections in internet infrastructure devices such as firewalls, load balancers and web servers.
  • Application Layer: “Low and slow” attacks indented to gradually wear down resources in application servers.

Moreover, attacks today are much easier for less sophisticated threat actors to launch, owing to the ready availability of inexpensive do-it-yourself attack tools and DDoS-for-hire services. The threat landscape has been further exacerbated by the rapid proliferation of inadequately secured Internet of Things (IoT) devices, which are being consumed into botnets and weaponised to launch multi-vector DDoS attacks.

Evaluating risks and defences

With the increase in multi-vector attacks, security experts agree that reducing the risk from DDoS attacks requires a defence-in-depth or layered approach utilising multiple, synchronised mitigation approaches.

Firewalls have long stood as the first line of defence, as policy enforcement solutions designed to prevent unauthorised data access. Unfortunately, firewalls are not very effective when it comes to availability threats like the modern-day, multi-vector DDoS attack.

Modern firewalls perform stateful packet inspection—maintaining records of all connections passing through the firewall. They determine whether a packet is the start of a new connection, part of an existing connection or invalid. But as stateful and inline devices, firewalls add to the attack surface and can be DDoS targets.

They have no inherent capability to detect or stop DDoS attacks because attack vectors use open ports and protocols. As a result, firewalls are prone to become the first victims of DDoS as their capacity to track connections is exhausted. Because they are inline, they can also add network latency.

Finally, because they are stateful, they are susceptible to resource-exhausting attacks such as Transmission Control Protocol synchronous (TCP SYN) floods and spoofed Internet Control Message Protocol (ICMP) ping floods.

Intelligent DDoS Mitigation Solutions (IDMS) are purpose built for DDoS defence, they’re deployed on-premise, in front of the firewall. These solutions can handle the majority of attacks, in fact, 80% of DDoS attacks are less than 1Gbps in attack size.

However, they are not adequate for the growing number of large-scale attacks intended to overwhelm internet bandwidth. These larger attacks are best mitigated in the cloud. Best practice defence today is intelligently integrated combination of on-premise and cloud-based solutions.

Recognising that denial of availability is a business risk, it makes sense to undergo a risk analysis to assess your vulnerabilities, understand the impact of a DDoS attack under various scenarios, and determine the measures you need to have in place for optimal risk mitigation.

Today’s DDoS threat is not the same as it was ten or even five years ago. If availability is paramount to your business, then defences need to be updated to match today’s threat.e:

Source: https://securitybrief.co.nz/story/risks-ddos-and-why-availability-everything/

Europe in the firing line of evolving DDoS attacks

The Europe, Middle East and Africa region accounts for more than half the world’s distributed denial of service attacks, a report from F5 Labs reveals.

The past year has seen a 64% rise in distributed denial of service (DDoS) attacks and greater tactical diversity from cyber criminals, according to customer data from F5’s Poland-based Security Operations Center (SOC).

However, more than 51% of attacks globally were targeted at organisations in Europe, the Middle East and Africa (Emea), and 66% involved multiple attack vectors, requiring sophisticated mitigation tools and knowledge, the report said.

The F5 report comes less than two weeks after several waves of powerful DDoS attacks hit banks and other organisations in the Netherlands.

Reflecting the spike in activity, F5 reported 100% growth for Emea customers deploying web application firewall (WAF) technology in the past year, while the adoption of anti-DDoS technology increased by 58%.

A key discovery was the relative drop in power for single attacks. In 2016, the F5 SOC logged multiple attacks of over 100Gbps, with some surpassing 400Gbps.

In 2017, the top attack stood at 62Gbps. This suggests a move towards more sophisticated Layer 7 (application layer) DDoS attacks that are potentially more effective and have lower bandwidth requirements.

“DDoS threats are on the rise in Emea and we’re seeing notable changes in their scope and sophistication compared with 2016,” said Kamil Wozniak, F5 SOC manager.

“Businesses need to be aware of the shift and ensure, as a matter of priority, that the right solutions are in place to halt DDoS attacks before they reach applications and adversely impact on business operations. Emea is clearly a hotspot for attacks on a global scale, so there is minimal scope for the region’s decision-makers to take their eyes off the ball,” he said.

Disruptive attacks

Last year started with a bang, the report said, with F5 customers facing the widest range of disruptive attacks recorded to date in the first quarter of 2017.

User Diagram Protocol (UDP) floods stood out, representing 25% of all attacks. Attackers typically send large UDP packets to a single destination or random ports, disguising themselves as trustworthy entities before stealing sensitive data. The next most common attacks were DNS reflection (18%) and SYN flood attacks (16%).

The first quarter of 2017 was also the peak for Internet Control Message Protocol (ICMP) attacks, whereby cyber criminals overwhelm businesses with rapid “echo request” (ping) packets without waiting for replies. In stark contrast, the first-quarter attacks in 2016 were evenly split between UDP and Simple Service Discovery Protocol (SSDP) floods.

The second quarter of 2017 proved equally challenging, the report said, with SYN floods moving to the front of the attack pack (25%), followed by network time protocol and UDP floods (both 20%).

The attackers’ momentum continued into the third quarter, the report said, with UDP floods leading the way (26%). NTP floods were also prevalent (rising from 8% during the same period in 2016 to 22%), followed by DNS reflection (17%).

The year wound down with more UDP flood dominance (25% of all attacks). It was also the busiest period for DNS reflection, which accounted for 20% of all attacks (compared to 8% in 2016 during the same period).

“Attack vectors and tactics will only continue to evolve in the Emea region. It is vital that businesses have the right systems and services in place to safeguard apps wherever they reside”

Kamil Wozniak, F5 SOC

Another key discovery during the fourth quarter of 2017, and one that underlines cyber criminals’ capacity for agile reinvention, was how the Ramnit trojan dramatically extended its reach. Initially built to hit banks, F5 Labs found that 64% of Ramnit’s targets during the holiday season were US-based e-commerce sites.

Other new targets included sites related to travel, entertainment, food, dating and pornography. Other observed banking trojans extending their reach included Trickbot, which infects its victims with social engineering attacks, such as phishing or malvertising, to trick unassuming users into clicking malware links or downloading malware files.

“Attack vectors and tactics will only continue to evolve in the Emea region,” said Wozniak. “It is vital that businesses have the right systems and services in place to safeguard apps wherever they reside. 2017 showed that more internet traffic is SSL/TLS encrypted, so it is imperative that DDoS mitigation systems can examine the nature of these increasingly sophisticated attacks.

“Full visibility and greater control at every layer are essential for businesses to stay relevant and credible to customers. This will be particularly important in 2018 as the EU General Data Protection Regulation comes into play,” he said.

Source: http://www.computerweekly.com/news/252434746/Europe-in-the-firing-line-of-evolving-DDoS-attacks

Dutch Central Bank warns for phishing emails after DDoS attacks on banks

The Dutch Central Bank (DNB) has issued warnings to consumers about phishing e-mails, following a series of DDoS attacks on banks. ABN Amro, ING and Rabobank were the victims of long-term DDoS attacks on several occasions last weekend and earlier this week; these led to the disruption of online services. The Tax and Customs Administration and Dutch national ID system DigiD were also affected.

DNB said there is a chance that the number of phishing emails will now increase, following these DDoS attacks. “It is not unusual for DDoS attacks on banks to be followed by an increase in phishing mail to account holders. Criminals often attempt to use the agitation around digital attacks to make people feel vulnerable, and to then extract sensitive bank account details.

The recent DDoS attacks on the banks were advanced, according to the DNB. Banks have in place strong defensive measures to ensure that services are available through websites and internet banking. The banks have been in constant consultation with each other during the few last days and have worked together with the authorities, including the DNB and the National Cyber ​​Security Center. For such situations, multiple consultation structures have been set up, aimed at normalising payment transactions as quickly as possible.