New year, new defence: Cybersecurity help and predictions for 2018

Organisations will adopt AI and other emerging technologies to help fight this year’s growing cyber threats.

With 2017 seeing an enormous number of data breaches, businesses should be looking at their cybersecurity processes and planning how to effectively monitor their network security in the year to come. With massive developments in monitoring and AI providing unmissable cybersecurity opportunities, here are five predictions of what we expect to see in 2018.

1. Organisations will increasingly adopt AI-based systems to help with cybersecurity

In 2018, we’ll see companies using AI-based tools to benchmark their networks to ensure that companies know exactly what systems should ‘normally’ look like, allowing abnormalities to be identified faster before cyber incidents become full-blown attacks.

Despite hackers constantly evolving their attack methods to target new vulnerability points and bypass existing defence systems, AI-based tools can use real-time analytical models to search for anomalies. While analysts still need to decide whether these anomalies require urgent action or not, AI can help make them more productive.

We can also expect to see AI being used more to evaluate and prioritise security alerts. This will automate the more routine procedures that analysts have to undertake, and may even reduce threat-related ‘false positive’ alerts in networks. Many companies rely on rule-sets provided by third-party providers to deal with false positives, and they often don’t have the ability to tune and change the rules. This means that they either suffer the false positives and ignore them, or turn off that rule if the false positives are too prevalent – neither of which is an effective strategy.

AI-based systems can help by filtering out the noise of false positives, making it easier for analysts to identify, and focus on, the real threats.
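The three ideas in this section (learn what ‘normal’ looks like per host, score new observations against that baseline, and tune a noisy rule locally instead of switching it off) can be shown with a small scoring routine over NetFlow-style records. This is an added example, not code from the article or from any vendor’s product; the hosts, byte volumes, z-score threshold and the suppression entry are all constructed assumptions.

```python
"""Baseline-and-anomaly scoring over constructed NetFlow-style records.

Added example; not from the article or from any vendor's product. It shows
the three ideas in the text: learn what 'normal' outbound volume looks like
per host, score new observations against that baseline, and tune noisy
sources with a locally controlled suppression list instead of switching the
rule off. Hosts, volumes and the suppression entry are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed learning window: (host, hour_index, outbound_bytes) for 24 hours.
TRAINING = (
    [("10.0.0.5", h, 1_000_000 + (h % 3) * 50_000) for h in range(24)]
    + [("10.0.0.9", h, 40_000_000 + (h % 5) * 1_000_000) for h in range(24)]
)

# Constructed observations for the next hour.
OBSERVED = {
    "10.0.0.5": 9_000_000,    # roughly nine times its usual volume
    "10.0.0.9": 47_500_000,   # a burst, but this host is a known backup server
    "10.0.0.7": 3_000_000,    # never seen before: nothing to compare against
}

# Hypothetical tuning list owned by the local team: host -> multiplier on the
# alert threshold. This is the 'tune the rule' option the text says many
# teams lack.
SUPPRESSION = {"10.0.0.9": 2.0}


def build_baseline(records):
    """Return {host: (mean_bytes, stdev_bytes)} from the learning window."""
    per_host = defaultdict(list)
    for host, _hour, nbytes in records:
        per_host[host].append(nbytes)
    return {host: (mean(v), pstdev(v)) for host, v in per_host.items()}


def score(host, nbytes, baseline, z_threshold=3.0, suppression=None):
    """Score one observation as a z-score against the host's baseline.

    Returns (verdict, z) with verdict in {'alert', 'suppressed', 'ok',
    'no-baseline'}. 'suppressed' means the raw rule fired but the local
    tuning raised the bar for this host.
    """
    suppression = suppression or {}
    if host not in baseline:
        return "no-baseline", None
    mu, sigma = baseline[host]
    if sigma == 0:
        sigma = max(mu * 0.05, 1.0)   # flat history: assume 5% jitter
    z = (nbytes - mu) / sigma
    if z > z_threshold * suppression.get(host, 1.0):
        return "alert", z
    if z > z_threshold:
        return "suppressed", z
    return "ok", z


def triage(observed, baseline, suppression=None):
    """Score every host; return (results, alert hosts ordered by severity)."""
    results = {
        host: score(host, nbytes, baseline, suppression=suppression)
        for host, nbytes in observed.items()
    }
    alerts = sorted(
        (host for host, (verdict, _) in results.items() if verdict == "alert"),
        key=lambda host: -results[host][1],
    )
    return results, alerts


if __name__ == "__main__":
    results, alerts = triage(OBSERVED, build_baseline(TRAINING), SUPPRESSION)
    for host, (verdict, z) in results.items():
        shown = "n/a" if z is None else f"{z:.1f}"
        print(f"{host:10} {verdict:12} z={shown}")
    print("alerts in priority order:", alerts)
```

The point of the `suppressed` verdict is that the rule keeps running and the record is kept for later investigation; only the threshold for that one host changes. A host with no baseline is reported as such rather than silently scored as normal, since a never-seen talker is itself worth a look.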

2. Companies will handle breach communication much better than they did in 2017

PayPal is a great example of this. The company should be commended for implementing good hygiene practices that resulted in identifying and announcing the breach at TIO on 4th December, and for showing leadership in claiming responsibility for dealing with the outcome. We’re set to see a big difference between those companies that try to sweep breaches under the carpet, and those that are set up with the right processes to investigate breaches and respond appropriately. Those who attempt to hide breaches – we’re looking at you, Uber – will be treated with contempt by customers and the media, as surveys suggest: as many as 85% of respondents say they wouldn’t do business with firms that had suffered a data breach.

Of course, on 25th May 2018 the General Data Protection Regulation (GDPR) will come into effect, which means companies will have to notify the Information Commissioner’s Office (ICO) of a breach within 72 hours or face a fine of up to 4% of global revenue.

Sensible organisations will look to implement stronger protection using application whitelisting, encryption and other techniques and improve their detection capability. They should also look to collect and store more definitive evidence about what takes place on their networks – in the form of more verbose log data, NetFlow history and full packet capture. Without this, organisations will find it impossible to investigate a breach quickly enough to satisfy regulatory obligations.

3. Retailers will be far more risk averse during holidays

Companies have begun to accept that optimised monitoring needs to take place all year round, and Christmas will be no exception. However, companies will become more risk averse: whether it’s a bank or a retailer, as the holiday period approaches there is often a “blackout” period during which network and security teams are not allowed to make updates and changes to their networks other than urgent patches.

Threat actors may step up their activity during the holiday period because there is a higher chance of evading identification and more to gain. This year, Shopify revealed that at the peak of Black Friday, online shoppers were making 2,800 orders per minute, worth approximately US$1 million. Had Shopify experienced an outage of just five minutes during this busy period, it would have cost them US$5 million in revenue. Protecting against outages – such as might result from a Distributed Denial of Service (DDoS) attack – is critical at these times. Additionally, this volume of online activity makes it easy for hackers to hide their movements while everyone’s focus is on making sure systems stay up and handle the load.

4. New housekeeping and the end of BYOD

Basic housekeeping will play a big role in cybersecurity in 2018. We’ll see a lot more staff training, and more focus on patching and standardisation so that companies avoid attacks like the widespread ransomware outbreaks we saw this year.

We’re also likely to see more companies moving away from BYOD. The reality is that BYOD has simply proven too hard to regulate and the risk it poses too difficult to protect against. In sensitive networks, with a lot at stake, this risk is not acceptable any longer.

5. Increasing use of strong encryption, and attacks over encrypted connections

We already know that encryption of network traffic is being used more frequently by attackers as a way to hide evidence of their activity. Analysts and their detection tools can’t see into the payload of encrypted traffic.

Unless, of course, they have the encryption keys. If operators force all SSL connections to pass through a proxy, they can decrypt the traffic and see inside the payload. This allows the proxy to provide a clear-text version of the traffic to security tools for analysis, or to full packet capture appliances like the EndaceProbe Network Recorder.

We should expect to see the adoption of SSL proxy appliances increasing in 2018 – great news for companies like Ixia, Gigamon, Bluecoat, Juniper and others that make these appliances.

Conclusion

So, will 2018 be just as unpredictable when it comes to cybersecurity, data breaches and network infiltration? Chances are, most likely it will. However, with the right plans, practices and network monitoring in place, companies can at least prepare themselves for the worst, and prevent any possible breaches from being anywhere near as extensive as those that took place in 2017.

Source: https://www.itproportal.com/features/new-year-new-defence-cybersecurity-help-and-predictions-for-2018/

UK businesses fear DDoS attacks hijacking their devices

Businesses are afraid wireless devices could be hacked and used as DDoS weapons, report finds.

Businesses are afraid their wireless devices can be hacked and used as weapons in DDoS attacks.

A new report from the Neustar International Security Council (NISC) found that many businesses are becoming increasingly concerned with the current international security landscape, with system compromises seen as the biggest threat, followed by ransomware and financial data theft.

But unlike with other similar reports, this time businesses aren’t just sitting idly on this information – they’re actually taking action.

What they usually do is keep a close eye on outgoing traffic, install buffer servers that help keep malware out, replace vulnerable access points, and make sure all members of staff are on the same page when it comes to safety guidelines and rules.

Almost half of businesses polled (43 per cent) hire specialist companies to help them with DDoS mitigation.

“As the cybersecurity landscape continues to evolve, and with businesses unsure about where the next attack will come from and what form it will take, there are clear challenges focusing their prevention and protection efforts,” said Rodney Joffe, head of NISC and Neustar senior vice president and fellow.

“But DDoS has long been seen as a severe threat to companies, reaping tremendous impacts and steadily increasing in incidence. The sheer volume of traffic caused by DDoS attacks makes them hard, but not impossible, to mitigate, and for businesses to have the best chance of success in fighting against them, they need to make them a priority.”

Source: https://www.itproportal.com/news/uk-businesses-fear-ddos-attacks-hijacking-their-devices/

If you have satellite TV, hackers have access to your network

Imagine if every single gadget in your life was “smart.” Your self-driving car could let your house know you’re on the way home so it can adjust the thermostat and kick on the lights.

Your fridge could detect that you’re out of milk and order more online before you even wake up. A drone delivers the milk just in time for your morning bowl of cereal. These are all super helpful features, but they do come with some digital risks.

Now, something as simple as satellite television can be targeted by hackers.

Who’s at risk?

If you are one of the millions of people with AT&T’s DirecTV service, you could be at risk of attack by hackers. That’s due to a vulnerability recently discovered by security researcher Ricky Lawshae.

He said the flaw was found in DirecTV’s Genie digital video recorder (DVR) system, more specifically in the Linksys WVBRo-25 model. The vulnerability is located in the wireless video bridge that lets DirecTV devices communicate with the DVR.

Lawshae said that he discovered the flaw when trying to browse to the web server on the Linksys WVBRo-25. He was expecting to find a login page, but instead found a wall of text. It contained output of diagnostic scripts dealing with information about the bridge, including the WPS pin, connected clients, processes that were running, and more.

That means anyone who accesses the device can obtain sensitive information about it. Not only that, but the device accepts commands as the “root” user.

Lawshae said, “It literally took 30 seconds of looking at this device to find and verify an unauthenticated remote root command injection vulnerability. It was at this point that I became pretty frustrated. The vendors involved here should have had some form of secure development to prevent bugs like this from shipping.”
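The defect class the researcher describes, an unauthenticated web handler that ends up running attacker-chosen commands as root, comes down to a handful of coding choices. The following is an added example, not code from the Linksys bridge, DirecTV or Forbes (the article shows none of their firmware): a hypothetical ‘diag’ handler in its vulnerable form, which splices a request parameter into a shell command line, beside a hardened form that requires an authenticated caller, maps the parameter through an allowlist, hands the OS an argument vector with no shell, and refuses to run with root privileges. The diagnostic names and the euid values are constructed.

```python
"""A diagnostic web handler: shell string with a parameter versus a safe call.

Added example; not code from the Linksys bridge, DirecTV or Forbes, whose
firmware the article does not show. It illustrates the generic defect class
the researcher names, an unauthenticated command injection that runs as root,
with a hypothetical 'diag' handler: the vulnerable form splices a request
parameter into a shell command line; the hardened form maps the parameter
through an allowlist, passes an argument vector (no shell), requires an
authenticated caller, and refuses to run with root privileges.
"""
import os
import subprocess

# Hypothetical diagnostics the handler is meant to expose (names are constructed).
DIAGNOSTICS = {
    "clients": ["arp", "-a"],
    "uptime": ["uptime"],
}


def vulnerable_diag_command(action):
    """Vulnerable pattern: untrusted input becomes part of a shell string.

    Returned rather than executed, so the example is safe to run; a shell
    would treat metacharacters in `action` as command syntax.
    """
    return "diag --action " + action


def hardened_diag_argv(action, authenticated, euid=None):
    """Hardened pattern. Returns the argv list to run, or raises.

    - unauthenticated callers get nothing, not even the 'wall of text';
    - the parameter is a key into an allowlist, never a command fragment;
    - the handler must not be running as root (euid 0).
    """
    if not authenticated:
        raise PermissionError("login required")
    euid = os.geteuid() if euid is None else euid
    if euid == 0:
        raise PermissionError("diagnostics must not run as root")
    argv = DIAGNOSTICS.get(action)
    if argv is None:
        raise ValueError("unknown diagnostic action")
    return list(argv)


def check(action, authenticated, euid):
    """Return the argv list, or the name of the exception the hardened path raises."""
    try:
        return hardened_diag_argv(action, authenticated, euid)
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__


def run_diag(action, authenticated, euid=None):
    """Execute an allowlisted diagnostic without a shell and return its stdout."""
    argv = hardened_diag_argv(action, authenticated, euid)
    completed = subprocess.run(argv, capture_output=True, text=True, check=False)
    return completed.stdout


if __name__ == "__main__":
    print("vulnerable would hand the shell:", vulnerable_diag_command("uptime; id"))
    print("hardened, same input:", check("uptime; id", True, 1000))
    print("hardened, as root:", check("uptime", True, 0))
    print("hardened, valid:", check("uptime", True, 1000))
```

Note that the hardened version never inspects the parameter for ‘bad characters’; it treats it purely as a dictionary key, so there is no parser to bypass. The root check is the last line of defence: even if a later bug let a command through, a handler running as an unprivileged account cannot give an attacker the whole device.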

If a hacker has root access, they can steal data or even recruit the device into a botnet. Cybercriminals are not always trying to steal personal and banking information. Sometimes they are trying to create havoc.

Cybercriminals can use an army of internet of things (IoT) gadgets to disrupt services or shut down websites. This is called a distributed denial of service (DDoS) attack.

DDoS attacks occur when servers are overwhelmed with more traffic than they can handle. These types of attacks are performed by a botnet.

A botnet is a group of gadgets that hackers have taken over without the owner’s knowledge. The hackers seize control of unwitting gadgets with a virus or malware and then use the network of infected computers to perform large-scale hacks or scams.

How to resolve this issue

A spokesperson for Linksys told “Forbes” earlier this week that it had “provided the firmware fix to DirecTV and they are working to expedite software updates to the affected equipment.”

The good news is, once the software is pushed out, the flaw should be fixed. The bad news is, we don’t know how long it will take for DirecTV to send the updates.

As a DirecTV customer, you don’t need to do anything to receive the updates. As long as your satellite receiver is connected to the internet, updates are installed automatically behind the scenes.

Source: https://www.komando.com/happening-now/434022/if-you-have-satellite-tv-hackers-have-access-to-your-networ

The Internet of Things could easily be the Internet of Threat

With more devices connecting and communicating with each other, we run the risk of one particular threat on the Internet – that of botnets.

The Internet of Things (IoT), unlike SMAC (Social Mobile Analytics Cloud), moved faster from being an industry buzzword to reality. However, what needs to be examined is whether businesses are prepared to fully leverage IoT.

The McKinsey Quarterly for March 2010 defined IoT as: “sensors and actuators embedded in physical objects—from roadways to pacemakers—are linked through wired and wireless networks, often using the same Internet Protocol (IP) that connects the Internet. These networks churn out huge volumes of data that flow to computers for analysis. When objects can both sense the environment and communicate, they become tools for understanding complexity and responding to it swiftly.”

Essentially, IoT means vast volumes of information exchanged primarily between devices. This has several benefits for organizations. One use case that illustrates this is predictive maintenance.

Machines enabled with sensors and connectivity give businesses the real-time capability to measure production equipment, allowing for cost-effective approaches to maintenance that can improve both factory productivity and capacity utilization by avoiding breakdowns. In effect, businesses can now move from a model of repair and replace to one of predict and prevent.

Predictive maintenance and city-wide systems are just two use cases. There are several more that straddle retail environments, offices, and vehicles.

However, with more devices connecting and communicating with each other, we run the risk of one particular threat on the Internet – that of botnets. A botnet is a group of computers/devices connected in a coordinated fashion for malicious purposes, wherein each node within the botnet is referred to as a bot.

Botnets give rise to DDoS (Distributed Denial of Service) attacks much like the one in 2016 that affected ISPs in India, which was in the range of 200 gigabytes per second. At Akamai, we have successfully defended against DDoS attacks exceeding 620 Gbps. What’s important to focus on is not only the size of the attacks but the prevalence of them. In an age where IoT is supposed to be making things better, scope for equally nefarious applications of useful technology exist.

In India, IoT adoption is growing. According to a NASSCOM report titled IoT in India: The Next Big Wave, the IoT market in India is poised to reach USD 15 billion by 2020 accounting for nearly five percent of the total global market.

As the number of devices connecting with each other increases, so does the attack surface. India is already a prime target (and source) of web application attacks – according to data in our Second Quarter, 2017 State of the Internet / Security Report, India is second, after China, in the list of Asia Pacific countries that sourced the most web application attack traffic, with close to 12,000,000 (12 million) web application attacks attributed to the country.

While this is a significant number, India also ranks 8th in the list of target countries for Web Application Attacks, globally.

The growth and use cases in IoT are not all for naught, however. While the threat looms, there are ways out. What’s required is awareness and standardization of processes. Threats and remedies to internet-based vulnerabilities are constantly evolving and at times depend on the individual capabilities within organizations. Going forward, there should be a constant exchange of information across organizations.

At a broad level, organizations do collaborate with CERT-In, the Indian Computer Emergency Response Team. While it’s truly positive to see that there’s increased information sharing between individual organizations and the government entity tasked with the Nation’s cybersecurity effort, what would be more impactful is when organizations come together, as a collective, to address the problem and arrive at approaches on how best to move forward, to safeguard their IP and their users.

Source: https://tech.economictimes.indiatimes.com/news/corporate/the-internet-of-things-could-easily-be-the-internet-of-threats/61671652

DDoS attacks increasing once again

Major cyber assaults are on the rise again, a Kaspersky Lab report claims.

DDoS attacks are on the rise again as criminals turn to brute force attacks once more, new research has claimed.

The latest DDoS Intelligence report from Kaspersky Lab, covering the third quarter of 2017, says there has been an increase in the number of countries where resources have been targeted.

The number of attacks against gaming and new financial services has also grown.

Kaspersky Lab says resources in 98 countries were DDoSed this quarter, up from 86 the quarter before. Looking at the top ten countries in terms of number of targets, Russia is up from seventh to fourth place, while France and Germany pushed Australia and Italy out of the list.

The top 10 most popular host countries for botnet command servers include Italy and the UK, moving Canada and Germany out of the picture.

The share of Linux botnets is growing, and they now account for 70 per cent of all attacks in Q3, up from 51 per cent in Q2.

The report also says cybercriminals are moving to more sophisticated attacks. It gives the example of the WireX botnet that spread via legitimate Android apps, and of the Pulse Wave technique that increases the power of DDoS attacks through vulnerabilities in hybrid and cloud technology.

Kaspersky has also observed an increase in the variety of targets.

“Entertainment and financial services – businesses that are critically dependent on their continuous availability to users – have always been a favourite target for DDoS attacks. For them, the downtime caused by an attack can result not only in significant financial losses but also reputational risks that could result in an exodus of customers to competitors,” says Kirill Ilganaev, Head of Kaspersky DDoS Protection at Kaspersky Lab.

“It’s not surprising that gaming services with multi-million turnovers attract the attention of criminals and that new types of financial sites have come under attack. What is surprising, however, is that many companies still don’t pay enough attention to professional protection against DDoS attacks. The recommended approach for these companies is to delegate protection from DDoS attacks to a reliable supplier with deep knowledge of cyberthreats and the methods of combating them, and to reassign the IT resources that are freed up to the development of the business.”

Source: https://www.itproportal.com/news/ddos-attacks-increasing-once-again/

Why securing apps is key to securing an organisation’s future

Cyber security must be a top-level priority for all organisations given today’s threat landscape.

The Current Threat Landscape

According to the European Commission’s State of the Union, digital threats and cyber-crime are continuing to evolve at a rapid pace. Over the past few years, ransomware attacks have increased by 300%, and the impact of cyber-crime has risen fivefold since 2013. Unfortunately, the U.K. has already witnessed these effects first hand. Just last year, a DDoS attack performed by bots took down a significant chunk of the internet – including leading websites such as Twitter, the Guardian, Netflix, Reddit and CNN.

The worst part? This wave of hacking doesn’t seem to be going anywhere—and it’s only getting stronger. Today’s hackers are quickly becoming smarter, tougher, and more creative, aided by access to high powered commodity computing power. This level of sophistication has been particularly obvious in the way DDoS attacks have been surfacing.

In the past, cyber criminals would orchestrate a brute force DDoS attack to cause as much damage as possible within a short period of time. Today, cyber criminals are achieving higher levels of success against organisations through more targeted and frequent attacks.

According to Neustar’s recent Global DDoS Attacks & Cyber Security Insights Report, 52 percent of brands that suffered a DDoS attack also reported a virus, while 35 percent reported malware, 21 percent reported ransomware and 18 percent reported lost customer data. Beyond that, 75 percent of respondents recorded multiple DDoS attacks following an initial assault on their brand’s network.

The Next Wave of Attack

Unfortunately, volumetric attacks only form part of today’s internet security challenge. With the evolution of technology and the mass expansion of the internet, today’s average web hacker has the ability to carry out various attacks with minimal effort through undetected vulnerabilities and security gaps.

This has been especially apparent as IoT devices expand, with 76% of organisations suffering a DDoS attack through their IoT connections in the past year. And while DDoS attacks continue to command great attention amongst IT and cybersecurity professionals, cyber criminals have quite literally and figuratively managed to slip through the cracks, resulting in web application layer threats that are equally, if not more, damaging than a typical DDoS attack.

Web application layer attacks, or ‘layer 7’ attacks as they’re often called, are a direct result of a hacker spotting a vulnerability in an existing program within an organisation’s web presence. These attacks, often led by ‘black hat hackers’, are more specific than DDoS attacks, with a precisely crafted approach to damage vulnerable software. Application attacks are also the most difficult attacks to detect and provide little to no advance warning before they create chaos on an organisation’s application.

Effects on the Future

These sort of intense web attacks not only have devastating effects on the businesses involved, but they could cost the global economy upwards of $120bn (£92bn) – as much as catastrophic natural disasters such as Hurricanes Katrina and Sandy.

On a slightly smaller scale, with the upcoming implementation of GDPR, businesses across Europe risk losing not only sensitive consumer data, but millions of euros in non-compliance related fees. This is due to the fact that once GDPR is implemented, businesses have the responsibility to follow tightly constructed cybersecurity practices that require top-notch data security. If this isn’t done, those businesses could be liable for upwards of €20 million in fees, or 4% of their total net income, depending on the company. Either way, it’s an amount that can be completely detrimental to the future success of any company.

The upcoming GDPR standards have put an extra level of pressure on businesses everywhere, many of which are now scrambling to be compliant in time, as well as mitigating the threat of inevitable attacks on their network, including those directed at the web application layer.

It is encouraging though, that most businesses seem to have taken the initiative and are starting to invest in proactive defense technologies. So much so that just this past year, protection against application layer threats has increased significantly with Web Application Firewall (WAF) solution deployments nearly tripling among respondents.

Protecting Against Attacks

There are various tools to combat web application layer threats and DDoS attacks. These range from appliance hardware to cloud services and hybrid deployments. With that said, layered defences are considered to be the most common form of defence against these sorts of attacks. In addition, sophisticated investments involving appliances, third-party services, and hybrid configurations that use a combination of hardware and cloud-based mitigation have increased in the past few years, so much so that 65% of respondents in the Neustar report reported having at least one of these solutions in place.

However, what is quite noticeable is the steady rise in Layer 7 protection. Over the past twelve months, industry experts have seen a huge spike in the deployment of web application firewalls, or WAF. Quite simply, a web application firewall protects users by filtering, monitoring, and blocking HTTP traffic to and from a web application.

This defence has proven so popular that the number of organisations that have added a WAF has nearly tripled in the past seven months and more than quadrupled from this time last year, according to the report. This rise has underlined the need for protection of what has quite rapidly become the most exploited layer in the network stack, especially relative to the vulnerabilities beyond DDoS alone.

Overall, as the threat landscape evolves and attackers continue to refine their capabilities, it’s extremely important that businesses make cyber security a top-level priority. By utilising a combination of defences, including the latest transformative services in line with traditional approaches, businesses have the opportunity to stay one step ahead of cyber criminals. Not only will this protect businesses from losing millions of euros and critical consumer data, but it will preserve consumer confidence—something that every business can benefit from.

Source: https://www.itproportal.com/features/why-securing-apps-is-key-to-securing-an-organisations-future

Pulse-Wave DDoS Attacks Mark a New Tactic in Q2

A new tactic for DDoS is gaining steam: the pulse wave attack. It’s called such due to the traffic pattern it generates—a rapid succession of attack bursts that split a botnet’s attack output.

According to Imperva’s latest Global DDoS Threat Landscape Report, a statistical analysis of more than 15,000 network and application layer DDoS attacks mitigated by Imperva Incapsula’s services during Q2 2017, the largest network layer assault it mitigated peaked at 350Gbps. The tactic enables an offender to pin down multiple targets with alternating high-volume bursts. As such, it serves as the DDoS equivalent of hitting two birds with one stone, the company said.

“A DDoS attack typically takes on a wave form, with a gradual ramp-up leading to a peak, followed by either an abrupt drop or a slow descent,” the company explained. “When repeated, the pattern resembles a triangle, or sawtooth waveform. The incline of such DDoS waves marks the time it takes the offenders to mobilize their botnets. For pulse wave attacks, a lack of a gradual incline was the first thing that caught our attention. It wasn’t the first time we’ve seen attacks ramp up quickly. However, never before have we seen attacks of this magnitude peak with such immediacy, then be repeated with such precision.”

Whoever was on the other end of these assaults, they were able to mobilize a 300Gbps botnet within a matter of seconds, Imperva noted. This, coupled with the accurate persistence in which the pulses reoccurred, painted a picture of very skilled bad actors exhibiting a high measure of control over their attack resources.

“We realized it makes no sense to assume that the botnet shuts down during those brief ‘quiet times’,” the firm said. “Instead, the gaps are simply a sign of offenders switching targets on-the-fly, leveraging a high degree of control over their resources. This also explained how the attack could instantly reach its peak. It was a result of the botnet switching targets on-the-fly, while working at full capacity. Clearly, the people operating these botnets have figured out the rule of thumb for DDoS attacks: moments to go down, hours to recover. Knowing that—and having access to an instantly responsive botnet—they did the smart thing by hitting two birds with one stone.”

Pulse-wave attacks were encountered on multiple occasions throughout the quarter, according to Imperva’s data.
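The distinction Imperva draws above is a shape in the traffic time series: a classic attack ramps up over the time it takes to mobilise the botnet and then falls away (the sawtooth), while a pulse wave reaches full volume within seconds, stops, and repeats. That shape is something a mitigation team can test for in its own flow data. The following classifier is an added example, not Imperva’s code or report material; the (second, Gbps) samples, the 20 Gbps attack floor and the five-second ramp limit are constructed assumptions.

```python
"""Tell a classic sawtooth DDoS ramp from a pulse wave in traffic samples.

Added example; not from Imperva or its report. The text describes a classic
attack as a gradual ramp to a peak, and a pulse wave as bursts that hit full
volume within seconds, stop, and repeat. This classifier takes a constructed
list of (second, gbps) samples, as a mitigation team might export from a flow
collector, splits it into bursts, and measures how long each burst took to
reach its peak. Thresholds and sample shapes are constructed assumptions.
"""

BASELINE_GBPS = 2.0    # constructed: the target's normal traffic level
ATTACK_FLOOR = 20.0    # samples above this are treated as attack traffic


def find_bursts(samples, floor=ATTACK_FLOOR):
    """Split samples into contiguous runs above `floor`.

    Each burst is a dict with start, end, peak, peak_at and ramp, where ramp
    is the number of seconds from the burst's first sample to the sample at
    which its peak is first reached.
    """
    bursts, current = [], None
    for t, gbps in samples:
        if gbps > floor:
            if current is None:
                current = {"start": t, "end": t, "peak": gbps, "peak_at": t}
            current["end"] = t
            if gbps > current["peak"]:
                current["peak"], current["peak_at"] = gbps, t
        elif current is not None:
            bursts.append(current)
            current = None
    if current is not None:
        bursts.append(current)
    for b in bursts:
        b["ramp"] = b["peak_at"] - b["start"]
    return bursts


def classify(samples, max_ramp_seconds=5, min_bursts=2):
    """Return 'pulse-wave', 'sawtooth' or 'none' for one traffic window.

    Pulse wave: at least `min_bursts` bursts and every burst reaches its peak
    within `max_ramp_seconds`. Anything else above the floor is sawtooth.
    """
    bursts = find_bursts(samples)
    if not bursts:
        return "none"
    fast = [b for b in bursts if b["ramp"] <= max_ramp_seconds]
    if len(bursts) >= min_bursts and len(fast) == len(bursts):
        return "pulse-wave"
    return "sawtooth"


def sawtooth_sample():
    """Constructed 60 s window: 30 s ramp to 300 Gbps, then a descent."""
    out = []
    for t in range(60):
        if t < 5 or t >= 45:
            gbps = BASELINE_GBPS
        elif t < 35:
            gbps = BASELINE_GBPS + (t - 5) * 10.0   # climbs 10 Gbps per second
        else:
            gbps = 300.0 - (t - 35) * 30.0          # drops over ten seconds
        out.append((t, gbps))
    return out


def pulse_wave_sample():
    """Constructed 60 s window: three 10 s bursts at 300 Gbps, quiet between."""
    return [
        (t, 300.0 if any(s <= t < s + 10 for s in (5, 25, 45)) else BASELINE_GBPS)
        for t in range(60)
    ]


if __name__ == "__main__":
    for name, window in (("sawtooth", sawtooth_sample()), ("pulse", pulse_wave_sample())):
        bursts = find_bursts(window)
        print(name, classify(window), [(b["start"], b["peak"], b["ramp"]) for b in bursts])
```

The practical consequence of the classification is the one the article draws: a pulse wave’s quiet gaps do not mean the botnet has gone away, so a mitigation that is triggered per burst and torn down between bursts will be re-engaging every time, which is where the “moments to go down, hours to recover” asymmetry bites. Keeping mitigation in place for the whole window once a pulse-wave shape is seen is the cheaper choice.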

In the plus column, this quarter there was a small dip in application layer attacks, which fell to 973 per week from an all-time high of 1,099 in Q1. However, don’t rejoice quite yet.

“There is no reason to assume that the minor decline in the number of application layer assaults is the beginning of a new trend,” said Igal Zeifman, Incapsula security evangelist at Imperva—noting the change was minor at best.

Conversely, for the fifth quarter in a row there was a decrease in the number of network layer assaults, which dropped to 196 per week from 296 in the prior quarter.

“The persistent year-long downtrend in the amount of network layer attacks is a strong sign of a shift in the DDoS threat landscape,” Zeifman said. “There are several possible reasons for this shift, one of which is the ever-increasing number of network layer mitigation solutions on the market. The commoditization of such services makes them more commonplace, likely driving attackers to explore alternative attack methods.”

For instance, one of the most prevalent trends Incapsula observed in the quarter was the increase in the amount of persistent application layer assaults, which have been scaling up for five quarters in a row.

In the second quarter of the year, 75.9% of targets were subjected to multiple attacks—the highest percentage Imperva has ever seen. Notably, US-hosted websites bore the brunt of these repeat assaults—38% were hit six or more times, out of which 23% were targeted more than 10 times. Conversely, 33.6% of sites hosted outside of the US saw six or more attacks, while “only” 19.5% saw more than 10 assaults in the span of the quarter.

“This increase in the number of repeat assaults is another clear trend and a testament to the ease with which application layer assaults are carried out,” Zeifman said. “What these numbers show is that, even after multiple failed attempts, the minimal resource requirement motivates the offenders to keep going after their target.”

Another point of interest was the unexpected spike in botnet activity out of Turkey, Ukraine and India.

In Turkey, Imperva recorded more than 3,000 attacking devices that generated over 800 million attack requests, more than double the rate of last quarter.

In Ukraine and India, it recorded 4,300 attacking devices, representing a roughly 75% increase from Q1 2017. The combined attack output of Ukraine and India was 1.45 billion DDoS requests for the quarter.

Meanwhile, as the origin of 63% of DDoS requests in Q2 2017 and home to over 306,000 attacking devices, China retained its first spot on the list of attacking countries.

Source: https://www.infosecurity-magazine.com/news/pulsewave-ddos-attacks-mark-q2/

As US launches DDoS attacks, N. Korea gets more bandwidth—from Russia

Fast pipe from Vladivostok gives N. Korea more Internet in face of US cyber operations.

As the US reportedly conducts a denial-of-service attack against North Korea’s access to the Internet, the regime of Kim Jong Un has gained another connection to help a select few North Koreans stay connected to the wider world—thanks to a Russian telecommunications provider. Despite UN sanctions and US unilateral moves to punish companies that do business with the Democratic People’s Republic of Korea, 38 North’s Martyn Williams reports that Russian telecommunications provider TransTelekom (ТрансТелеКом) began routing North Korean Internet traffic at 5:30pm Pyongyang time on Sunday.

The connection, Williams reported, offers a second route for traffic from North Korea’s Byol (“Star”) Internet service provider, which also runs North Korea’s cellular phone network. Byol offers foreigners in North Korea 1Mbps Internet access for €600 (US$660) a month (with no data caps).

Up until now, all Byol’s traffic passed through a single link provided by China Unicom. But the new connection uses a telecommunications cable link that passes over the Friendship Bridge railway bridge—the only connection between North Korea and Russia. According to Dyn Research data, the new connection is now providing more than half of the route requests to North Korea’s networks. TransTelekom (sometimes spelled TransTeleComm) is owned by Russia’s railroad operator, Russian Railways.

A Dyn Research chart showing the new routing data for North Korea’s ISP.

According to a Washington Post report, the Department of Defense’s US Cyber Command had specifically targeted North Korea’s Reconnaissance General Bureau—the country’s primary intelligence agency—with a denial-of-service attack against the organization’s network infrastructure. That attack was supposed to end on Saturday, according to a White House official who spoke with the Post.

While the unnamed official said the attack specifically targeted North Korea’s own hacking operations, North Korea has previously run those operations from outside its borders—from China. So it’s not clear whether the attack would have had any impact on ongoing North Korean cyberespionage operations.

Source: https://arstechnica.com/information-technology/2017/10/as-us-launches-ddos-attacks-n-korea-gets-more-bandwidth-from-russia/

Apache Struts Vulnerabilities and The Equifax Hack, What Happened?

In the wake of the Equifax breach, a lot of people are wondering how the theft of personal information occurred and how it could have been prevented.

Equifax initially reported that a vulnerability in Apache Struts was used to infiltrate their public-facing web server. Apache Struts has faced its fair share of vulnerabilities with 21 having been discovered since the start of 2016.

Which Apache Struts vulnerability was used in the Equifax hack?

At DOSarrest we researched current and past Apache Struts vulnerabilities and determined that Equifax was likely not breached using the new CVE-2017-9805 but rather CVE-2017-5638.

Equifax released additional details on Sept 13th 2017 confirming that the vulnerability involved was CVE-2017-5638. CVE-2017-5638 dates back to March 2017, which is why people in the security industry are now questioning how Equifax could be so far behind in patching this well-known vulnerability.

The two vulnerabilities, CVE-2017-5638 and the recently revealed CVE-2017-9805, are very similar in nature and are both considered Remote Code Execution (RCE) vulnerabilities.

How does an RCE vulnerability work and how can it be prevented?

An RCE vulnerability is exploited when an attacker crafts a packet or request containing arbitrary code or commands. The attacker uses some method of bypassing security checks that causes the vulnerable server to execute that code with either user or elevated privileges.

Such vulnerabilities can be prevented with a two-fold approach to web application security:

1) New vulnerabilities will continually be discovered in any web application framework, and it is the duty of IT teams to keep the software patched. This requires regular audits and prompt patching of vulnerable software. Even the most proactive IT teams cannot prevent a so-called zero-day attack by patching alone, so more must be done to protect the web server from zero-day vulnerabilities.

2) Since there is always a delay between the time a vulnerability is discovered and the time a patch is released by the maintainer of that product, a means to protect your website from undiscovered zero-day vulnerabilities is needed. Web Application Firewalls (WAFs) that rely on signatures are unfortunately at a disadvantage here, because signatures written for existing vulnerabilities in most cases do not match newer zero-day vulnerabilities.

If I cannot rely on signature-based WAF options, what can I rely on to protect my business?

At DOSarrest our WAF is different. The problem with relying on signatures is that they require constant updates as new vulnerabilities become known. Instead, our WAF looks for sets of characters (such as /}/, /"/, and /;/) or phrases (like “/bin/bash” or “cmd.exe”) that are known to be problematic for some web applications.

What makes DOSarrest’s WAF even more appealing is that it is fast: much faster than signature-based solutions, which require heavy CPU use to match signatures, and that matching can have a measurable impact on latency. With DOSarrest’s WAF there is no increase in latency, and vulnerabilities not yet discovered will still be mitigated.

Examples of how the Apache Struts vulnerabilities are exploited:

For the benefit of more technical users, some sample requests will be analyzed below. The first example represents a normal, non-malicious request of the kind sent by millions of people every day, and the following two exploit RCE vulnerabilities in Apache Struts:

We can note the following characteristics in the exploit of CVE-2017-5638:

1. The Content-Type header starts with %{(, which is not a valid format for that header.

2. The payload contains a call to java.lang.ProcessBuilder, a Java class that is normally regarded as dangerous.

3. The payload contains both Windows and Linux command-line interpreters: “cmd.exe” (Windows Command Prompt) and “/bin/bash” (Linux Bash shell/terminal).

The RCE vulnerability used to infiltrate Equifax, CVE-2017-5638, exploits a bug in the way Apache Struts processes the “Content-Type” HTTP header. This allows attackers to run an XML script with elevated user access; the java.lang.ProcessBuilder call it contains is what executes the commands the attacker has placed within the XML request.

CVE-2017-9805, announced in September 2017, is very similar to the previous RCE vulnerability.

With CVE-2017-9805, we can note the following characteristics:

1. The Content-Type is application/xml, and the actual content of the request body matches that Content-Type.

2. The payload also contains the Java call java.lang.ProcessBuilder.

3. The payload in this case is Linux-specific and calls “/bin/bash -c touch ./CVE-2017-9805.txt” to confirm that the exploit works by creating a file, “CVE-2017-9805.txt”.
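As an added example (not DOSarrest’s WAF code), the following Python checks a raw HTTP request for the phrase-based markers described above and for the characteristics listed for both CVEs. The three sample requests are constructed for this example; the two suspicious ones carry only the markers, not a working expression or payload.

```python
# Markers from the characteristics listed above: the expression prefix where a
# media type should be, the process-spawning Java class, and the two shells.
OGNL_PREFIX = "%{("
DANGEROUS_CLASS = "java.lang.ProcessBuilder"
SHELL_PHRASES = ("/bin/bash", "cmd.exe")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request line, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def inspect_request(raw):
    """Return the suspicious characteristics found in one request; [] means clean."""
    _, headers, body = parse_request(raw)
    ctype = headers.get("content-type", "")
    haystack = " ".join(headers.values()) + " " + body
    findings = []
    # CVE-2017-5638 shape: an expression instead of a media type in Content-Type.
    if ctype.startswith(OGNL_PREFIX):
        findings.append("content-type starts with %{(")
    # CVE-2017-9805 shape: an XML body that names the process-spawning class.
    if ctype.startswith("application/xml") and DANGEROUS_CLASS in body:
        findings.append("xml body references " + DANGEROUS_CLASS)
    elif DANGEROUS_CLASS in haystack:
        findings.append("request references " + DANGEROUS_CLASS)
    # Shared trait of both payloads: a command interpreter named anywhere.
    findings += ["shell phrase: " + p for p in SHELL_PHRASES if p in haystack]
    return findings


# Constructed sample traffic; the suspicious requests hold markers only, no payload.
NORMAL_REQUEST = ("POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
                  "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                  "user=alice&remember=1")
HEADER_REQUEST = ("POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
                  "Content-Type: %{(#sample=1).(java.lang.ProcessBuilder)"
                  ".(cmd.exe).(/bin/bash)}\r\n\r\n")
XML_REQUEST = ("POST /orders HTTP/1.1\r\nHost: www.example.com\r\n"
               "Content-Type: application/xml\r\n\r\n"
               "<order><note>java.lang.ProcessBuilder</note>"
               "<cmd>/bin/bash -c touch ./CVE-2017-9805.txt</cmd></order>")

if __name__ == "__main__":
    for req in (NORMAL_REQUEST, HEADER_REQUEST, XML_REQUEST):
        print(inspect_request(req))
```

The normal request yields no findings, while each suspicious request trips at least two checks, which is the point of matching characters and phrases rather than a per-CVE signature.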

Are the payloads shown the exact ones used by attackers to obtain data from Equifax?

Although some of the commands may have been used together as part of the information gathering process, the actual commands used to obtain the data from Equifax may only be known by the attackers and possibly Equifax or an auditing security team directly involved in the case. The examples show how the vulnerability could be exploited in the wild and what methods might be used, e.g., setting Content-Type and sending an XML file with a payload. These examples do not represent the actual payload used to obtain the data from Equifax.

Since the payload itself can be completely arbitrary, an attacker can run any commands desired on the victim’s server. Any action the web server software is capable of could be performed by an attacker, which could allow for theft of information or intellectual property if it is accessible from the hacked server.

In the case of Equifax, there was likely an initial vulnerability scan that the attackers used to confirm Equifax’s exposure to this particular attack. This would have been followed by an effort to determine what files were available or what actions could be performed from the Equifax public-facing web server. At some point the attackers came across a method for accessing personal credit details on millions of Americans and citizens of other countries who had credit checks performed on their identities within the United States.

If Equifax had been using the DOSarrest WAF, they could have avoided a costly mistake. Don’t let your business suffer a damaging security breach that could result in you being out of business for good. Talk to us about our services.

For more information on our services, including our Web Application Firewall, see DOSarrest’s security solutions.

Source: https://www.dosarrest.com/ddos-blog/apache-struts-vulnerabilities-and-the-equifax-hack-what-happened/

How Artificial Intelligence Will Make Cyber Criminals More ‘Efficient’

The era of artificial intelligence is upon us, though there’s plenty of debate over how AI should be defined, much less whether we should start worrying about an apocalyptic robot uprising. The latter issue recently ignited a highly publicized dispute between Elon Musk and Mark Zuckerberg, who argued that it was irresponsible to “try to drum up these doomsday scenarios”.

In the near term, however, it seems more than likely that AI will be weaponized by hackers in criminal organizations and governments to enhance now-familiar forms of cyberattacks like identity theft and DDoS attacks.

A recent survey has found that a majority of cybersecurity professionals believe that artificial intelligence will be used to power cyberattacks in the coming year. Cybersecurity firm Cylance conducted the survey at this year’s Black Hat USA conference and found that 62 percent of respondents believe that “there is high possibility that AI could be used by hackers for offensive purposes.”

Artificial intelligence can be used to automate elements of cyber attacks, making it even easier for human hackers (who need food and sleep) to conduct a higher rate of attacks with greater efficacy, writes Jeremy Straub, an assistant professor of computer science at North Dakota State University who has studied AI decision-making. For example, Straub notes that AI could be used to gather and organize databases of personal information needed to launch spearphishing attacks, reducing the workload for cybercriminals. Eventually, AI may result in more adaptive and resilient attacks that respond to the efforts of security professionals and seek out new vulnerabilities without human input.

Rudimentary forms of AI, like automation, have already been used to perpetrate cyber attacks at a massive scale, like last October’s DDoS attack that shut down large swathes of the internet.

“Hackers have been using artificial intelligence as a weapon for quite some time,” said Brian Wallace, Cylance Lead Security Data Scientist, to Gizmodo. “It makes total sense because hackers have a problem of scale, trying to attack as many people as they can, hitting as many targets as possible, and all the while trying to reduce risks to themselves. Artificial intelligence, and machine learning in particular, are perfect tools to be using on their end.”

The flip side of these predictions is that, even as AI is used by malicious actors and nation-states to generate a greater number of attacks, AI will likely prove to be the best hope for countering the next generation of cyber attacks. The implication is that security professionals need to keep up in their arms race with hackers, staying apprised of the latest and most advanced attacker tactics and creating smarter solutions in response.

For the time being, however, cyber security professionals have observed hackers sticking to tried-and-true methods.

“I don’t think AI has quite yet become a standard part of the toolbox of the bad guys,” Staffan Truvé, CEO of the Swedish Institute of Computer Science, said to Gizmodo. “I think the reason we haven’t seen more ‘AI’ in attacks already is that the traditional methods still work—if you get what you need from a good old fashioned brute force approach then why take the time and money to switch to something new?”

Source: https://www.idropnews.com/news/fast-tech/artificial-intelligence-will-make-cyber-criminals-efficient/49575/