Man Ordered to Pay $8.6 Million for Launching DDoS Attacks against Rutgers University

A New Jersey man received a court order to pay $8.6 million for launching a series of distributed denial-of-service (DDoS) attacks against Rutgers University.

On October 26, the U.S. Attorney’s Office for the District of New Jersey announced the sentence handed down by U.S. District Judge Michael Shipp to Paras Jha, 22, of Fanwood, New Jersey.

According to court documents, Jha targeted Rutgers University with a series of DDoS attacks between November 2014 and September 2016. The attacks took down the education institution’s central authentication server that maintains the gateway portal used by staff, faculty and students. In so doing, the DDoS campaigns disrupted students’ and faculty members’ ability to exchange assignments and assessments.

The FBI assisted Rutgers in its investigation of the attacks. In August 2015, the university also hired three security firms to test its network for vulnerabilities.

Jha’s criminal efforts online didn’t stop at Rutgers. In the summer and fall of 2016, Jha created the Mirai botnet with Josiah White, 21, of Washington, Pennsylvania and Dalton Norman, 22, of Metairie, Louisiana. The trio spent the next few months infecting more than 100,000 web-connected devices. They then abused that botnet to commit advertising fraud.

In December 2017, the three individuals pleaded guilty in the District of Alaska for conspiring to violate the Computer Fraud & Abuse Act by operating the Mirai botnet. It was less than a year later that a federal court in Alaska ordered the men to serve five-year probation periods, complete 2,500 hours of community service, pay restitution in the amount of $127,000 and voluntarily relinquish cryptocurrency seized by law enforcement during an investigation of their crimes.

Judge Shipp passed down his sentence to Jha within a Trenton federal court. As part of that decision, Jha must serve six months of home incarceration, complete five years of supervised release and perform 2,500 hours of community service for violating the Computer Fraud & Abuse Act.

Source: https://www.tripwire.com/state-of-security/security-data-protection/man-ordered-to-pay-8-6-million-for-launching-ddos-attacks-against-rutgers-university/

How to secure your online business from cyber threats?

Ecommerce revenue worldwide amounts to more than 1.7 trillion US dollars, in the year 2018 alone. And the growth is expected to increase furthermore.

However, with growth comes new challenges. One such problem is cybersecurity. In 2017, there were more than 88 million attacks on eCommerce businesses. And a significant portion includes small businesses.

Moreover, online businesses take a lot of days to recover from the attacks. Some businesses completely shut down due to the aftermath of the security breaches.

So, if you are a small business, it is essential to ensure the safety and security of your eCommerce site. Else, the risks pose a potential threat to your online business.

Here we discuss some basics to ensure proper security to your eCommerce site.

Add an SSL certificate

An SSL Certificate ensures that the browser displays a green padlock or in a way shows to the site visitors that they are safe; and that their data is protected with encryption during the transmission.

To enable or enforce an SSL certificate on your site, you should enable HTTPS—secured version of HyperText Transfer Protocol (HTTP)—across your website.

In general, HTTP is the protocol web browsers use to display web pages.

So, HTTPS and SSL certificates work hand in hand. Moreover, one is useless without the other.

However, you have to buy an SSL certificate that suits your needs. Buying a wrong SSL certificate would do no good for you.

Several types of SSL certificates are available based on the functionality, validation type, and features.

Some common SSL certificates based on the type of verification required are:

  1. Domain Validation SSL Certificate: This SSL certificate is issued after validating the ownership of the domain name.
  2. Organization Validation SSL Certificate: This SSL certificate additionally requires you to verify your business organization. The added benefit is it gives the site visitors or users some more confidence. Moreover, small online businesses should ideally opt for this type of SSL certificate.
  3. Extended Validation SSL Certificate: Well, this type of SSL certificate requires you to undergo more rigorous checks. But when someone visits your website, the address bar in the browser displays your brand name. It indicates users that you’re thoroughly vetted and highly trustworthy.

Here are some SSL certificate types based on the features and functionality.

  1. Single Domain SSL Certificate: This SSL certificate can be used with one and only one domain name.
  2. Wildcard SSL Certificate: This SSL certificate covers the primary and all the associated subdomains.
    Every subdomain along with the primary domain example.com will be covered under a single wildcard SSL certificate.
  3. Multi-Domain SSL Certificate: One single SSL certificate can cover multiple primary domains. The maximum number of domains covered depends on the SSL certificate vendor your purchase the certificate from. Typically, a Multi-Domain SSL Certificate can support up to 200 domain names.

Nowadays, making your business site secure with SSL certificate is a must. Otherwise, Google will punish you. Yes, Google ranks sites with HTTPS better than sites using no security.

However, if you are processing online payments on your site, then SSL security is essential. Otherwise, bad actors will misuse your customer information such as credit card details, eventually leading to identity theft and fraudulent activities.

Use a firewall

In general, a firewall monitors incoming and outgoing traffic on your servers, and it helps you to block certain types of traffic—which may pose a threat—from interacting or compromising your website servers.

Firewalls are available in both virtual and physical variants. And it depends on the type of environment you have in order to go with a specific firewall type.

Many eCommerce sites use something called a Web Application Firewall (WAF).

On top of a typical network firewall, a WAF gives more security to a business site. And it can safeguard your website from various types of known security attacks.

So, putting up a basic firewall is essential. Moreover, using a Web Application Firewall (WAF) is really up to the complexity of the website or application you have put up.

Protect your site from DDoS attacks

A type of attack used to bring your site down by sending huge amounts of traffic is nothing but denial-of-service-attack. In this attack, your site will be bombarded with spam requests in a volume that your website can’t handle. And the site eventually goes down, putting a service disruption to the normal/legitimate users.

However, it is easy to identify a denial-of-service-request, because too many requests come from only one source. And by blocking that source using a Firewall, you can defend your business site.

However, hackers have become smart and highly intelligent. They usually compromise various servers or user computers across the globe. And using those compromised sources, hackers will send massive amounts of requests. This type of advanced denial-of-service attack is known as distributed-denial-of-service-attack. Or simply put a DDoS attack.

When your site is attacked using DDoS, a common Firewall is not enough; because a firewall can only defend you from bad or malicious requests. But in DDoS, all requests can be good by the definition of the Firewall, but they overwhelm your website servers.

Some advanced Web Application Firewalls (WAF) can help you mitigate the risks of DDoS attacks.

Also, Internet Service Providers (ISPs) can detect them and stop the attacks from hitting your website servers. So, contact your ISP and get help from them on how they can protect your site from DDoS attacks.

If you need a fast and straightforward way to secure your website from distributed-denial-of-service attacks, services like Cloud Secure from Webscale Networks is a great option.

In the end, it is better to have strategies in place to mitigate DDoS attacks. Otherwise, your business site may go down and can damage your reputation—which is quite crucial in the eCommerce world.

Get malware protection

A Malware is a computer program that can infect your website and can do malicious activities on your servers.

If your site is affected by Malware, there are a number of dangers your site can run into. Or, the user data stored on your servers might get compromised.

So, scanning your website regularly for malware detection is essential. Symantec Corporation provides malware scanning and removal tools. These tools can help your site stay safe from various kinds of malware.

Encrypt data

If you are storing any user or business related data, it is best to store the data in encrypted form, on your servers.

If the data is not encrypted, and when there is a data breach, a hacker can easily use the data—which may include confidential information like credit card details, social security number, etc. But when the data is encrypted, it is much hard to misuse as the hacker needs to gain access to the decryption key.

However, you can use a tokenization system. In which, the sensitive information is replaced with a non-sensitive data called token.

When tokenization implemented, it renders the stolen data useless. Because the hacker cannot access the Tokenization system, which is the only component that can give access to sensitive information. Anyhow, your tokenization system should be implemented and isolated properly.

Use strong passwords

Use strong passwords that are at least 15 character length for your sites’ admin logins. And when you are remotely accessing your servers, use SSH key-based logins wherever possible. SSH key-based logins are proven to be more secure than password-based logins.

Not only you, urge your site users and customers to use strong password combinations. Moreover, remind them to change their password frequently. Plus, notify them about any phishing scams happening on your online business name.

For example, bad actors might send emails to your customers giving lucrative offers. And when a user clicks on the email, he will be redirected to a site that looks like yours, but it is a phishing site. And when payment details are entered, the bad actor takes advantage and commits fraudulent activities with the stolen payment info.

So, it is important to notify your user base about phishing scams and make your customers knowledgeable about cybersecurity.

Avoid public Wi-Fi networks

When you are working on your business site or logging into your servers, avoid public wifi networks. Often, these networks are poorly maintained on the security front. And they can become potential holes for password leaks.

However, public wifi networks can be speedy. So, when you cannot avoid using a public wifi network, use VPN services like ProtonVPN, CyberGhost VPN, TunnelBear VPN, etc, to mitigate the potential risks.

Keep your software update

To run an online business, you have to use various software components, from server OS to application middleware and frameworks.

Ensure that all these components are kept up to date timely and apply the patches as soon as they are available. Often these patches include performance improvements and security updates.

Some business owners might feel that this is a tedious process. But remember, one successful cyber attack has the potential to push you out of business for several days, if not entirely.

Conclusion

In this 21st century, web technology is growing and changing rapidly. So do the hackers from the IT underworld.

The steps mentioned above are necessary. But we cannot guarantee that they are sufficient. Moreover, each business case is different. You always have to keep yourself up to date. And it would help if you took care of your online business security from time to time. Failing which can make your business site a victim of cyber attacks.

Source: https://londonlovesbusiness.com/how-to-secure-your-online-business-from-cyber-threats/

Over third of large Dutch firms hit by cyberattack in 2016 – CBS

Large companies are hit by cyberattacks at an above average rate, according to the Cybersecurity Monitor of Dutch statistics bureau CBS for 2018. Among companies of 250+ employees, 39 percent were hit at least once by a cyberattack in 2016, such as a hack or DDoS attack. By contrast, around 9 percent of small companies (2-10 employees) were confronted with such an ICT incident.

Of the larger companies, 23 percent suffered from failure of business processes due to the outside cyberattacks. This compares to 6 percent for the smaller companies. Of all ICT incidents, failures were most common, for all sizes, though again, the larger companies were more affected (55%) than the smaller ones (21%). The incidents led to costs for both groups of companies.

Chance of incident bigger at large company

CBS noted that ICT incidents can arise from both from an outside attack and from an internal cause, such as incorrectly installed software or hardware or from the unintentional disclosure of data by an employee. The fact that larger companies suffer more from ICT incidents can be related to the fact that more people work with computers; this increases the chance of incidents. In addition, larger companies often have a more complex ICT infrastructure, which can cause more problems.

The number of ICT incidents also varies per industry. For example, small businesses in the ICT sector (12%) and industry (10%) often suffer from ICT incidents due to external attacks. Small companies in the hospitality sector (6%) and health and welfare care (5%) were less often confronted with cyberattacks.

Internal cause more common at smaller companies

Compared to larger companies, ICT incidents at small companies more often have an internal cause: 2 out 3, compared to 2 out of 5 for larger companies. ICT incidents at small companies in health and welfare care most often had an internal cause (84%). In the ICT sector, this share was 60 percent.

About 7 percent of companies with an ICT incident report them to one or more authorities, including police, the Dutch Data Protection Authority AP, a security team or their bank. The largest companies report ICT incidents much more often (41%) than the smallest companies (6%). Large companies report these ICT incidents most frequently to the AP, complying with law. After that, most reports are made to the police. The smallest companies report incidents most often to their bank.

Smaller: less safe

Small businesses are less often confronted with ICT incidents and, in comparison with large companies, take fewer security measures. Around 60 percent of small companies take three or more measures. This goes to 98 percent for larger companies.

Source: https://www.telecompaper.com/news/over-third-39-of-large-dutch-firms-hit-by-cyberattack-in-2016-cbs–1265851

Cybercrime-as-a-Service: No End in Sight

Cybercrime is easy and rewarding, making it a perfect arena for criminals everywhere.

Over the past 20 years, cybercrime has become a mature industry estimated to produce more than $1 trillion in annual revenues. From products like exploit kits and custom malware to services like botnet rentals and ransomware distribution, the breadth of cybercrime offerings has never been greater. The result: more, and more serious, forms of cybercrime. New tools and platforms are more accessible than ever before to those who lack advanced technical skills, enabling scores of new actors to hop aboard the cybercrime bandwagon. Meanwhile, more experienced criminals can develop more specialized skills in the knowledge that they can locate others on the darknet who can complement their services and work together with them to come up with new and better criminal tools and techniques.

Line Between Illicit and Legitimate E-Commerce Is Blurring
The cybercrime ecosystem has evolved to welcome both new actors and new scrutiny. The threat of prosecution has pushed most cybercrime activities onto the darknet, where the anonymity of Tor and Bitcoin protects the bad guys from being easily identified. Trust is rare in these communities, so some markets are implementing escrow payments to make high-risk transactions easier; some sellers even offer support services and money-back guarantees on their work and products.

The markets have also become fractured, as the pro criminals restrict themselves to highly selective discussion boards to limit the threat from police and fraudsters. Nevertheless, a burgeoning cybercrime market has sprung from these hidden places to offer everything from product development to technical support, distribution, quality assurance, and even help desks.

Many cybercriminals rely on the Tor network to stay hidden. Tor — The Onion Router — allows users to cruise the Internet anonymously by encrypting their activities and then routing it through multiple random relays on its way to its destination. This circuitous process renders it nearly impossible for law enforcement to track users or determine the identities of visitors to certain black-market sites.

From Niche to Mass Market
In 2015, the UK National Cyber Crime Unit’s deputy director stated during a panel discussion that investigators believed that the bulk of the cybercrime-as-a-service economy was based on the efforts of only 100 to 200 people who profit handsomely from their involvement. Carbon Black’s research discovered that the darknet’s marketplace for ransomware is growing at a staggering 2,500% per annum, and that some of the criminals can generate over $100,000 a year selling ransomware kits alone. That’s more than twice the annual salary of a software developer in Eastern Europe, where many of these criminals operate.

There are plenty of ways for a cybercriminal to rake in the cash without ever perpetrating “traditional” cybercrime like financial fraud or identity theft. The first way is something called research-as-a-service, where individuals work to provide the “raw materials” — such as selling knowledge of system vulnerabilities to malware developers — for future criminal activities. The sale of software exploits has captured much attention recently, as the ShadowBrokers and other groups have introduced controversial subscription programs that give clients access to unpatched system vulnerabilities.

Zero-Day Exploits, Ransomware, and DDoS Extortion Are Bestsellers
The number of discovered zero-day exploits — weaknesses in code that had been previously undetected by the product’s vendor — has dropped steadily since 2014, according to Symantec’s 2018 Internet Security Threat Report, thanks in part to an increase in “bug bounty” programs that encourage and incentivize the legal disclosure of vulnerabilities. In turn, this has led to an increase in price for the vulnerabilities that do get discovered, with some of the most valuable being sold for more than $100,000 in one of the many darknet marketplaces catering to exploit sales, as highlighted in related a blog post on TechRepublic. Other cybercrime actors sell email databases to simplify future cybercrime campaigns, as was the case in 2016 when 3 billion Yahoo accounts were sold to a handful of spammers for $300,000 each.

Exploit kits are another popular product on the darknet. They provide inexperienced cybercriminals with the tools they need to break into a wide range of systems. However, Europol suggests that the popularity of exploit kits has fallen over the past 12 months as the top products have been eliminated and their replacements have failed to offer a comparable sophistication or popularity. Europol also notes that theft through malware was generally becoming less of a threat; instead, today’s cybercriminals prefer ransomware and distributed denial-of-service (DDoS) extortion, which are easier to monetize.

Cybercrime Infrastructure-as-a-Service
The third way hackers can profit from more sophisticated cybercrime is by providing cybercrime infrastructure-as-a-service. Those in this field are provide the services and infrastructure — including bulletproof hosting and botnet rentals — on which other bad actors rely to do their dirty work. The former helps cybercriminals to put web pages and servers on the Internet without having to worry about takedowns by law enforcement. And cybercriminals can pay for botnet rentals that give them temporary access to a network of infected computers they can use for spam distribution or DDoS attacks, for example.

Researchers estimate that a $60-a-day botnet can cause up to $720,000 in damages on victim organizations. The numbers for hackers who control the botnets are also big: the bad guys can produce significant profit margins when they rent their services out to other criminals, as highlighted in a related post.

The New Reality
Digital services are often the backbone of small and large organizations alike. Whether it’s a small online shop or a behemoth operating a global digital platform, if services are slow or down for hours, the company’s revenue and reputation may be on the line. In the old days, word of mouth circulated slowly, but today bad news can reach millions of people instantly. Using botnets for DDoS attacks is a moneymaker for cybercriminals who extort money from website proprietors by threatening an attack that would destroy their services.

The danger posed by Internet of Things (IoT) botnets was shown in 2016 when the massive Mirai IoT botnet attacked the domain name provider Dyn and took down websites like Twitter, Netflix, and CNN in the largest such attack ever seen. Botnet use will probably expand in the coming years as cybercriminals continue to exploit vulnerabilities in IoT devices to create even larger networks. Get used to it: Cybercrime is here to stay.

Source: https://www.darkreading.com/endpoint/cybercrime-as-a-service-no-end-in-sight/a/d-id/1333033

Central planning bureau finds Dutch cybersecurity at high level

Dutch businesses and the public sector are well protected against cybersecurity threats compared to other countries, according to a report from the Central Planning Bureau on the risks for cybersecurity. Dutch websites employ encryption techniques relatively often, and the ISPs take measures to limit the impact of DDoS attacks, the report said.

Small and medium-sized businesses are less active than large companies in protecting their activities, employing techniques such as data encryption less often, the CPB found. This creates risks for small business and consumers that could be avoided.

The report also found that the Dutch are more often victims of cybercrime than other forms of crime. This implies a high cost for society to ensure cybersecurity. In 2016, already 11 percent of businesses incurred costs due to a hacking attempt.

The threat of DDoS attacks will only increase in the coming years due to the growing number of IoT devices. This was already evident in the attacks against Dutch bank websites earlier this year. A further risk is that over half the most important banks in the world use the same DDoS protection service.

According to the paper Financieele Dagblad, this supplier is Akamai. The company provides DDoS protection for 16 of the 30 largest banks worldwide. The Dutch banks ABN Amro, ING and Rabobank said they were not dependent on a single provider.

The CPB report also found that the often reported shortage of qualified ICT staff is less of a threat than thought. The number of ICT students has risen 50 percent in four years and around 100,000 ICT jobs have been added in the country since 2008. Already 5 percent of all jobs are in ICT. This puts the Netherlands at the top of the pack in Europe, alongside the Nordic countries.

Source: https://www.telecompaper.com/news/central-planning-bureau-finds-dutch-cybersecurity-at-high-level–1264818

DDoS Attack on German Energy Company RWE

Protesters in Germany have been camping out at the Hambach Forest, where the German energy company RWE has plans to mine for coal. Meanwhile, it’s been reported that RWE’s website was under attack as police efforts to clear the protesters from the woods were underway.

According to Deutsche Welle, unknown attackers launched a large-scale distributed denial-of-service (DDoS), which took down RWE’s website for virtually all of Tuesday. No other systems were attacked, but efforts to clear away the protesters have been ongoing for the better part of the month, and activists have reportedly made claims that they will be getting more aggressive in their tactics.

Activists have occupied the forest in hopes of preventing RWE from moving forward with plans to expand its coal mining operations, which would effectively clear the forest. In addition to camping out in the forest, the protesters have reportedly taken to YouTube to spread their message.

Reports claim that a clip was posted last week by Anonymous Deutsch that warned, “If you don’t immediately stop the clearing of the Hambach Forest, we will attack your servers and bring down your web pages, causing you economic damage that you will never recover from,” DW reported.

“Together, we will bring RWE to its knees. This is our first and last warning,” the voice from the video reportedly added.

DDoS attacks are intended to cripple websites, and the attack on RWE allowed the activists to make good on their threat, at least for one day.

““This is yet another example that illustrates the DDoS threat to [softer targets in] CNI [critical network infrastructure].  RWE is an operator of an essential service (energy) in Germany. The lights didn’t go out but their public-facing website was offline as a result of this attack,” said Andrew Llyod, president, Corero Network Security.

In a recent DDoS report, Corero researchers found that “after facing one attack, one in five organizations will be targeted again within 24 hours.”

Source: https://www.infosecurity-magazine.com/news/ddos-attack-on-german-energy/

3 Drivers Behind the Increasing Frequency of DDoS Attacks

What’s causing the uptick? Motivation, opportunity, and new capabilities.

According to IDC Research’s recent US DDoS Prevention Survey, more than 50% of IT security decision makers said that their organization had been the victim of a distributed denial-of-service (DDoS) attack as many as 10 times in the past year. For those who experienced an attack, more than 40% lasted longer than 10 hours. This statistic correlates with our ATLAS findings, which show there were 7.5 million DDoS attacks in 2017 — a rate, says Cisco, that is increasing at roughly the same rate as Internet traffic.

What’s behind the uptick? It boils down to three factors: motivation of the attackers; the opportunity presented by inexpensive, easy-to-use attack services; and the new capabilities that Internet of Things (IoT) botnets have.

Political and Criminal Motivations
In an increasingly politically and economically volatile landscape, DDoS attacks have become the new geopolitical tool for nation-states and political activists. Attacks on political websites and critical national infrastructure services are becoming more frequent, largely because of the desire and capabilities of attackers to affect real-world events, such as election processes, while staying undiscovered.

In June, a DDoS attack was launched against the website opposing a Mexican presidential candidate during a debate. This attack demonstrated how a nation-state could affect events far beyond the boundaries of the digital realm. It threatened the stability of the election process by knocking a candidate’s website offline while the debate was ongoing. Coincidence? Perhaps. Or maybe an example of the phenomenon security experts call “cyber reflection,” when an incident in the digital realm is mirrored in the physical world.

DDoS attacks carried out by criminal organizations for financial gain also demonstrate cyber reflection, particularly for global financial institutions and other supra-national entities whose power makes them prime targets, whether for state actors, disaffected activists, or cybercriminals. While extortion on the threat of DDoS continues to be a major threat to enterprises across all vertical sectors, cybercriminals also use DDoS as a smokescreen to draw attention away from other nefarious acts, such as data exfiltration and illegal transfers of money.

Attacks Made Easy
This past April, Webstresser.org — one of the largest DDoS-as-a-service (DaaS) providers in existence, which allowed criminals to buy the ability to launch attacks on businesses and responsible for millions of DDoS attacks around the globe — was taken down in a major international investigation. The site was used by a British suspect to attack a number of large retail banks last year, causing hundreds of thousands of pounds of damage. Six suspected members of the gang behind the site were arrested, with computers seized in the UK, Holland, and elsewhere. Unfortunately, as soon as Webstresser was shut down, various other similar services immediately popped up to take its place.

DaaS services like Webstresser run rampant in the underground marketplace, and their services are often available at extremely low prices. This allows anyone with access to digital currency or other online payment processing service to launch a DDoS attack at a target of their choosing. The low cost and availability of these services provide a means of carrying out attacks both in the heat of the moment and after careful planning.

The rage-fueled, irrational DDoS-based responses of gamers against other gamers is a good example of a spur-of-the-moment, emotional attack enabled by the availability of DaaS. In other cases, the DaaS platforms may be used in hacktivist operations to send a message or take down a website in opposition to someone’s viewpoint. The ease of accessibility to DaaS services enables virtually anyone to launch a cyberattack with relative anonymity.

IoT Botnets
IoT devices are quickly brought to market at the lowest cost possible, and securing them is often an afterthought for manufacturers. The result? Most consumer IoT devices are shipped with the most basic types of vulnerabilities, including hard code/default credentials, and susceptibility to buffer overflows and command injection. Moreover, when patches are released to address these issues, they are rarely applied. Typically, a consumer plugs in an IoT device and never contemplates the security aspect, or perhaps does not understand the necessity of applying regular security updates and patches. With nearly 27 billion connected devices in 2017, expected to rise to 125 billion by 2030 according to analysis from IHS Markit, they make extremely attractive targest for malware authors.

In the latter half of 2016, a high-visibility DDoS attack against a DNS host/provider was observed, which affected a number of major online properties. The malware responsible for this attack, and many others, was Mirai. Once the source code for Mirai was published on September 30, 2016, it sparked the creation of a slew of other IoT-based botnets, which have continued to evolve significantly. Combined with the proliferation of IoT devices, and their inherent lack of security, we have witnessed a dramatic growth in both the number and size of botnets. These new botnets provide the opportunity for attackers and DaaS services to create new, more powerful, and more sophisticated attacks.

Conclusion
Today’s DDoS attacks are increasingly multivector and multilayered, employing a combination of large-scale volumetric assaults and stealth infiltration targeting the application layer. This is just the latest trend in an ever-changing landscape where attackers adapt their solutions and make use of new tools and capabilities in an attempt to evade and overcome existing defenses. Businesses need to maintain a constant vigilance on the techniques used to target them and continually evolve their defenses to industry best practices.

Source: https://www.darkreading.com/attacks-breaches/3-drivers-behind-the-increasing-frequency-of-ddos-attacks/a/d-id/1332824

Hackers behind Mirai botnet could be sentenced to working for the FBI

This comes after more than 18 months of already helping the FBI stop cyberattacks

Three young hackers went from believing they were “untouchable” to helping the FBI stop future cyberattacks.

The trio of hackers behind the Mirai botnet — one of the most powerful tools used for cyberattacks — has been working with the FBI for more than a year, according to court documents filed last week.

Now the government is recommending they be sentenced to continue assisting the FBI, instead of a maximum five years in prison and a $250,000 fine.

“By working with the FBI, the defendants assisted in thwarting potentially devastating cyberattacks and developed concrete strategies for mitigating new attack methods,” US attorneys said in a motion filed Sept. 11. “The information provided by the defendants has been used by members of the cybersecurity community to safeguard US systems and the Internet as a whole.”
Originally, a probation officer on the case recommended that all three defendants be sentenced to five years’ probation and 200 hours of community service.

Because of the hackers’ help, prosecutors have asked that the community service requirement be bumped up to 2,500 hours, which would include “continued work with the FBI on cybercrime and cybersecurity matters.”

The three defendants are set to be sentenced by a federal judge in Alaska. The sentencing plea Tuesday was earlier reported by Wired.

Hacker rehab

Governments have taken a new approach with young, first-offender hackers, in the hopes of rehabilitating them and recruiting them to help defend against future attacks. The UK offers an alternative called the “cybercrime intervention workshop,” essentially a boot camp for young hackers who have technical talent but poor judgment.

The three defendants — Josiah White, Paras Jha and Dalton Norman — were between the ages of 18 and 20 when they created Mirai, originally to take down rival Minecraft servers with distributed denial-of-service attacks.

DDoS attacks send massive amounts of traffic to websites that can’t handle the load, with the intention of shutting them down. Mirai took over hundreds of thousands of computers and connected devices like security cameras and DVRs, and directed them for cyberattacks and traffic scams.

In one conversation, Jha told White that he was “an untouchable hacker god” while talking about Mirai, according to court documents.

The botnet was capable of carrying out some of the largest DDoS attacks ever recorded, including one in 2016 that caused web outages across the internet. The three defendants weren’t behind the massive outage, but instead were selling access to Mirai and making thousands of dollars, according to court documents.

Helping the FBI

The three hackers pleaded guilty in December, but had been helping the government with cybersecurity for 18 months, even before they were charged. Prosecutors estimated they’ve worked more than 1,000 hours with the FBI — about 25 weeks in a typical workplace.

That includes working with FBI agents in Anchorage, Alaska, to find botnets and free hacker-controlled computers, and building tools for the FBI like a cryptocurrency analysis program.

In March, the three hackers helped stop the Memcached DDoS attack, a tool that was capable of blasting servers with over a terabyte of traffic to shut them down.

“The impact on the stability and resiliency of the broader Internet could have been profound,” US attorneys said in a court document. “Due to the rapid work of the defendants, the size and frequency of Memcache DDoS attacks were quickly reduced such that within a matter of weeks, attacks utilizing Memcache were functionally useless.”

According to US officials, the three hackers also last year helped significantly reduce the number of DDoS attacks during Christmas, when activity usually spikes. Along with helping the FBI, the three defendants have also worked with cybersecurity companies to identify nation-state hackers and assisted on international investigations.

Jha now works for a cybersecurity company in California while also attending school. Dalton has been continuing his work with FBI agents while attending school at the University of New Orleans, and White is working at his family’s business.

Prosecutors heavily factored their “immaturity” and “technological sophistication” as part of the decision.

“All three have significant employment and educational prospects should they choose to take advantage of them rather than continuing to engage in criminal activity,” the court documents said.

Source: https://www.cnet.com/news/hackers-behind-mirai-botnet-could-be-sentenced-to-working-for-the-fbi/

The evolution of DDoS attacks – and defences

Aatish Pattni, regional director, UK & Ireland, Link11, explores in Information Age how DDoS attacks have grown in size and sophistication over the last two decades.

What is the biggest cyber-threat to your company? In April 2018, the UK’s National Crime Agency answered that question by naming DDoS attacks as the joint leading threat facing businesses, alongside ransomware. The NCA noted the sharp increase in DDoS attacks on a range of organisations during 2017 and into 2018, and advised organisations to take immediate steps to protect themselves against the potential attacks.

It’s no surprise that DDoS is seen as such a significant business risk. Every industry sector is now reliant on web connectivity and online services. No organisation can afford to have its systems offline or inaccessible for more than a few minutes: business partners and consumers expect seamless, 24/7 access to services, and being forced offline costs a company dearly. A Ponemon Institute study found that each DDoS incident costs $981,000 on average, including factors such as lost sales and productivity, the effect on customers and suppliers, the cost of restoring IT systems, and brand damage.

So how have DDoS attacks evolved from their early iterations as stunts used by attention-seeking teens, to one of the biggest threats to business? What techniques are attackers now using, and how can organisations defend themselves?

Early days of DDoS

The first major DDoS attack to gain international attention was early in 2000, launched by a 15-year-old from Canada who called himself Mafiaboy. His campaign effectively broke the internet, restricting access to the web’s most popular sites for a full week, including Yahoo!, Fifa.com, Amazon.com, eBay, CNN, Dell, and more.

DDoS continued to be primarily a tool for pranks and small-scale digital vandalism until 2007, when a range of Estonian banking, news, and national government websites were attacked. The attack sparked nationwide riots and is widely regarded as one of the world’s first nation-state acts of cyberwar.

The technique is also successful as a diversion tactic, to draw the attention of IT and security teams while a second attack is launched: another security incident accompanies up to 75% of DDoS attacks.

Denial of service has also been used as a method of protest by activist groups including Anonymous and others, to conduct targeted take-downs of websites and online services. Anonymous has even made its attacks tools freely available for anyone to use. Recent years have also seen the rise of DDoS-on-demand services such as Webstresser.org. Before being shut down by international police, Webstresser offered attack services for as little as £11, with no user expertise required – yet the attacks were powerful enough to disrupt operations at seven of the UK’s biggest banks.

Amplified and multi-vector attacks

In October 2016, a new method for distributing DoS attacks emerged – using a network of Internet of Things (IoT) devices to amplify attacks. The first of these, the Mirai botnet infected thousands of insecure IoT devices to power the largest DDoS attack witnessed at the time, with volumes over a Terabyte. By attacking Internet infrastructure company Dyn, Mirai brought down Reddit, Etsy, Spotify, CNN and the New York Times.

This was just a signpost showing how big attacks could become. In late February 2018, developer platform Github was hit with a 1.35 Tbps attack, and days later a new record was set with an attack volume exceeding 1.7 Tbps. These massive attacks were powered by artificial intelligence (AI) and self-learning algorithms which amplified their scale, giving them the ability to disrupt the operations of any organisation, of any size.

Attacks are not only getting bigger but are increasingly multi-vector. In Q4 2017, Link11 researchers noted that attackers are increasingly combining multiple DDoS attack techniques. Over 45% of attacks used 2 or more different techniques, and for the first time, researchers saw attacks which feature up to 12 vectors. These sophisticated attacks are difficult to defend against, and even low-volume attacks can cause problems, as happened in early 2018 when online services from several Dutch banks, financial and government services were brought to a standstill.

Staying ahead of next-generation AI-based attacks

As DDoS attacks now have such massive scale and complexity, traditional DDoS defences can no longer withstand them. Firewalls, special hardware appliances and intrusion detection systems are the main pillars of protection against DDoS, but these all have major limitations. Current attack volume levels can easily overload even high-capacity firewalls or appliances, consuming so many resources that that reliable operation is no longer possible.

Extortion by DDoS

The next iteration of attackers set out to use DDoS as an extortion tool, threatening organisations with an overwhelming attack unless they meet the attacker’s demand for cryptocurrency. Notable extortionists included the original Armada Collective, which targeted banks, web hosting providers, data centre operators as well as e-commerce and online marketing agencies in Greece and Central Europe.

Between January and March 2018, Link11’s Security Operation Centre recorded 14,736 DDoS attacks, an average of 160 attacks per day, with multiple attacks exceeding 100 Gbps. Malicious traffic at these high volumes can simply flood a company’s internet bandwidth, rendering on-premise network security solutions useless.

What’s needed is to deploy a cloud-native solution that can use AI to filter, analyse, and block web traffic if necessary before it even reaches a company’s IT systems. This can be done by routing the company’s Internet traffic via an external, cloud-based protection service. With this approach, incoming traffic is subject to granular analysis, with the various traffic types being digitally ‘fingerprinted’.

Each fingerprint consists of hundreds of properties, including browser data, user behaviour, and its origin. The solution builds up an index of both normal and abnormal, or malicious traffic fingerprints. When known attack patterns are detected in a traffic flow, the attack ‘client’ is blocked immediately and automatically in the cloud, before it even reaches customers’ networks – so that only clean; legitimate traffic reaches the organisation. However, regular traffic is still allowed, enabling a business to continue unaffected, without users being aware of the filtering process.

The solution’s self-learning AI algorithms also help to identify and block attacks for which there is no current fingerprint within a matter of seconds, to minimise the impact on the organisation’s website or web services. This means each new attack helps the system improve its detection capabilities, for the benefit of all users. Furthermore, this automated approach to blocking attacks frees up IT and security teams, enabling them to focus on more strategic work without being distracted by DDoS attempts.

In conclusion, DDoS attacks will continue to evolve and grow, simply because with DDoS-for-hire services and increasingly sophisticated methods, they are relatively easy and cheap to do – and they continue to be effective in targeting organisations. But by understanding how attacks are evolving and implementing the protective measures described here, organisations will be better placed to deny DDoS attackers.

Source: https://www.information-age.com/evolution-of-ddos-123473947/

Department of Labour denies server compromise in recent cyberattack

The government department says the attack did not expose any sensitive or confidential information.

The South African Department of Labour has confirmed a recent cyberattack which disrupted the government agency’s website.

In a statement, the Department of Labour said that a distributed denial-of-service (DDoS) attack was launched against the organization’s front-facing servers over the weekend.

According to the department’s acting chief information officer Xola Monakali, the “attempt was through the external Domain Name Server (DNS) server which is sitting at the State Information Technology Agency,” and “no internal servers, systems, or client information were compromised, as they are separated with the relevant protection in place.”

The government agency has asked external cybersecurity experts to assist in the investigation.

DDoS attacks are often launched through botnets, which contain countless enslaved devices — ranging from standard PCs to IoT devices — which are commanded to flood a domain with traffic requests.