What Security Risks Should MSPs Expect in 2018

As IT operations are becoming more complex and require both advanced infrastructure and security expertise to increase the overall security posture of the organization, the managed service provider (MSP) industry is gaining more traction and popularity.

Estimated to grow from USD $152.45 billion in 2017 to USD $257.84 billion by 2022, at a CAGR of 11.1%, the MSP industry offers greater scalability and agility to organizations that have budget constraints and opt for a cloud-based IT deployment model.

“The cloud-based technology is the fastest-growing deployment type in the managed services market and is expected to grow at the highest CAGR during the forecast period from 2017 to 2022,” according to ResearchandMarkets. “IT budget constraints for installation and implementation of required hardware and software, limited IT support to manage and support managed services, and need for greater scalability are major factors that are likely to drive the adoption of cloud managed services in the coming years. The cloud-based deployment model offers higher agility than the on-premises deployment model.”

However, MSPs are expected to also become more targeted by threat actors than in the past. Supply chain attacks are becoming a common practice, as large organizations have stronger perimeter defenses that increase the cost of attack, turning MSPs into “low-hanging fruit”
that could provide access into infrastructures belonging to more than one victim. In other words, MSPs hold the keys to the kingdom.

Since MSPs are expected to provide around-the-clock security monitoring, evaluation, and response to security alters, they also need to triage and only escalate resources when dealing with advanced threats.

1. Wormable military-grade cyber weapons

Leveraging leaked, zero-day vulnerabilities in either operating systems or commonly deployed applications, threat actors could make the WannaCry incident a common occurrence. As similarly-behaving threats spread across infrastructures around internet-connected endpoints – both physical and virtual – MSPs need to quickly react with adequate countermeasures to defend organizations.
While MSPs may not be directly targeted, their role in protecting organizations will become far more important as they’ll need to reduce reaction time to new critical threats to a bare minimum, on an ongoing basis. Consequently, network security and threat mitigation will become commonplace services for MSPs.

2. Next-Level Ransomware

The rise of polymorphism-as-a-service (PaaS) will trigger a new wave of ransomware samples that will make it even more difficult for security solutions to detect. Coupled with new encryption techniques, such as leveraging GPU power to expedite file encryption, ransomware will continue to plague organizations everywhere. Backup management and incident response that provides full data redundancy need to be at the core of MSP offerings when dealing with these new ransomware variants.

While traditional ransomware will cause serious incidents, threat actors might also hold companies at gunpoint by threatening to disrupt services with massive distributed-denial-of-service (DDoS) attacks performed by huge armies of IoT botnets.

3. OSX Malware

The popular belief that Apple’s operating system is immune to malware was recently put to the test by incidents such as the ransomware disseminating Transmission app and advanced remote access Trojans (RATs) that have been spying on victims for years. With Apple devices making their way into corporate infrastructures onto C-level’s desks, managing and securing them is no longer optional, but mandatory.

Security experts have started finding more advanced threats gunning for organizations that have specific MacOS components, meaning that during 2018 threat actors will continue down this alley. Regardless of company size, vertical, or infrastructure, MSPs need to factor in MacOS malware proliferation and prepare adequate security measures.

4. Virtualization-Aware Threats

Advanced malware has been endowed with virtualization-aware capabilities, making it not just difficult to identify and spot by traditional endpoint security solutions, but also highly effective when performing lateral movement in virtual infrastructures. MSPs need to identify and plan to deploy key security technologies that are not just designed from the ground up to defend virtual infrastructures, but also hypervisor-agnostic, offer complete visibility across infrastructures, and detect zero-day vulnerabilities.

Focusing on proactive security technologies for protecting virtual workloads against sophisticated attacks will help MSPs offer unique value to their services.

5. Supply Chain Attacks

MSPs could also become the target of attack for threat actors, which is why deploying strong perimeter defense on their end should also be a top priority. Having access and managing security aspects to remote infrastructures turns MSPs into likely candidates for advanced attacks. Either by directly targeting their infrastructure or by “poisoning” commonly-deployed tools, MSPs should treat the security of their own infrastructure with the utmost scrutiny.

Source: https://securityboulevard.com/2018/04/what-security-risks-should-msps-expect-in-2018/

Website security firm Sucuri hit by large scale volumetric DDoS attacks

Another day, another series of DDoS attacks – This time Sucuri and its customers have been hit by a series of attacks worldwide.

The California based website security provider Sucuri has suffered a series of massive DDoS attacks (distributed denial-of-service) causing service outage in West Europe, South America and parts of Eastern United States.

The attacks began on April 12th, 2018 at approximately 11 pm (PST) when Sucuri network came under non-stop DDoS attacks. The company then worked with Tier 1 providers to mitigate the attacks.

In an email to HackRead, Sucuri spokesperson said that “The attack was big enough that caused some of our ports to be pretty close to capacity, causing very high latency and packet loss. In some other regions, it caused temporary latency and packet loss.”

The company’s Status page also kept the customers updated revealing that Sucuri “worked with its upstream providers, our NOC and partners to help mitigate the attack and re-route the affected regions. Unfortunately, due to the size of the attack, it took a lot longer than expected to get it fully handled.”

image 1

The exact size of DDoS attacks is still unknown, the same goes for its culprits and their motives, however, lately, there has been a surge in large-scale DDoS attacks. Last month, malicious hackers used Memcached vulnerability to carry out world’s largest ever DDoS attacks of 1.7 Tbps on an American firm and 1.35 Tbps attack on Github.

The vulnerability was also used to hit Amazon, Google, NRA, Play Station, and several other high-profile targets.

As for Sucuri, the good news is that the attacks have been successfully mitigated and at the time of publishing this article Sucuri services and customer websites were back online.

Source: https://www.hackread.com/website-security-firm-sucuri-hit-by-ddos-attacks/

Is Blockchain Causing More Cybersecurity Attacks in the Financial Industry?

There’s a lot of misunderstanding about blockchain. A recent study by HSBC, for example, found that 59 percent of customers around the world had never heard of it. Yet, while that alone is quite telling, it’s probably more alarming to consider the fact that very same poll revealed that 80 percent of people who had hard of blockchain did not understand what it is.

This level of confusion isn’t confined to the general population either. Politicians in charge of setting the law around this sort of technology and some traders who are perfectly at home with currency futures are equally in the dark about what this technology is and what it means for the financial industry.

There are some who fear that this technology – a digital transaction ledger in which each block is protected by cryptography – poses a security risk. That hasn’t been helped, it has to be said, by a number of scams in this market which have caused some to associate blockchain with risk.

CoinDesk, for example, demonstrates seven key incidents that attracted attention in 2017 alone. The incidents it highlights — including wallet hacks, ICO fraud and software bugs — cost investors nearly $490 million.

But, while it’s understandable that these sorts of incidents cause alarm, the general fear around blockchain is misplaced, probably not helped by the fact that this technology is proving ‘disruptive’ to the old order, promising drastic change to the speed and ease of money transfers.

Far from being the cause of problems for the financial industry, this technology might well offer a solution to make the industry safer.

Medium writer Redactor demonstrates four key ways in which blockchain technology is improving cybersecurity. These are:

  • Mitigating attacks such as DDoS with a decentralized structure and by not having a single point of failure
  • Protection for IoT devices, which can communicate with enterprise-defined ledgers based on blockchain
  • Providing transparency with permanent records that cannot be altered without creating a data trail (in order for transactions to be finalized they need to be approved more than half of the systems in a network and, when this occurs, the block is given a time stamp and is immutable)
  • Allowing for digital identities, greater encryption and more robust authentication

It’s fair to say that blockchain is here to stay. It isn’t ‘just’ the technology that underpins Bitcoin and other cryptocurrencies — although this is probably what its most known for — but it is a form of technology that has much wider potential for use in the finance sector and beyond.

Rather than ignore it — or treat it as a security threat — the industry needs to identify the potential of blockchain and set to work to use this as a way to add security. This, increasingly, is the case, with banks and big tech firms working on ways to harness blockchain to shelter the data of financial firms and customers alike.

Clearly scams shouldn’t be ignored — and work needs to be done to crack down on these — but nor should the positive potential of blockchain as a force for security.

Source: http://www.circleid.com/posts/20180416_is_blockchain_causing_more_cyberattacks_in_financial_industry/

Command and control: A fight for the future of government hacking

Following years of effort and billions of dollars’ worth of research and planning, the nation finally has a fully operational force of cyberwarriors at U.S. Cyber Command. Yet, as those troops confront adversaries around the world, there’s uncertainty across government about how to best make use of them.

While lawmakers push the Trump administration to exact revenge for years of cyberattacks on U.S. targets, a quiet but constant tug of war is raging between the intelligence community and the military over the future of government-backed hacking operations.

Congress, the White House and the nation’s spy agencies all have something at stake, but the tension is perhaps most intensely felt at the National Security Agency, which serves as a partner agency to U.S. Cyber Command. The NSA is not the only intel agency challenged by the warfare unit’s increasingly influential role: The CIA, the FBI and the Pentagon’s other intelligence agencies are also trying to shape Cyber Command’s future. Each agency understands offensive hacking in its own way, and that dissonance only intensifies the debate, according to current and former U.S. officials.

CyberScoop spoke with 13 current and former U.S. intelligence officials, three lawmakers and dozens of congressional aides for this story. Some chose to speak only on condition of anonymity to discuss the opinions circulating in government about who should be managing covert offensive cyber-operations that cross the line of everyday digital espionage.

The chief question is: If the U.S. is going to strike back at foreign targets in cyberspace, when should the soldiers or the spies lead the charge? Things may now finally be leaning in favor of the military after the intelligence community dominated for more than a decade, sources say. The U.S. has engaged in cyber-espionage since at least the 1990s, and there are historic cases of allied intelligence agencies launching offensive, destructive-style cyberattacks dating back to at least 2011.

Since then, both the Obama and Trump administrations have made decisions allowing Cyber Command to escape NSA’s shadow. And yet at the same time, the government appears to be desperately avoiding an all out cyber conflict with Russia or any other entity aside from ISIS.

An analyst for the U.S. government described the changing dynamic by saying: “NSA went into this thinking that they were going to be the top dog. Now they are paranoid that they may have eaten a massive tapeworm instead.”

Pressure to use Cyber Command’s full capabilities only increases as more stories surface of interference in U.S. networks by Russian, Chinese and other foreign hacking groups. Any decision to expand the military’s use of cyberwarriors will be a pivotal point in the relationship between the nation’s spies and the Pentagon, further drawing the bureaucratic boundary that separates stealthy digital espionage activities from more overt cyberwarfare operations.

The rise of the ‘gray zone’

Founded in 2009, the Fort Meade, Maryland-based Cyber Command was created through the leadership of then-NSA Director Gen. Keith Alexander. Some of its architects believe it was supposed to be a collaborative extension of NSA, but it has gained stature and influence far beyond what Alexander might have intended, insiders say.

Alexander, through a spokesperson, declined to comment for this story.

Today, U.S. Cyber Command is currently in the process of becoming a unified combatant command on par with the likes of Strategic Command (STRATCOM), which handles the nuclear program, or Special Operations Command (SOCOM), which handles high-profile combat operations. In less than a year, Cyber Command could also gain additional power through a separation from NSA that would call for a new and separate leadership structure, ending the current “dual hat” arrangement for the NSA director.

The elevation process and potential formal split from NSA could eventually give Cyber Command more leeway to plan and recommend cyberattacks, with a direct line to the White House. Launching these types of cyberattacks usually requires direct presidential approval, and the authority flows through NSA leadership. But that may too change.

In a congressional hearing Feb. 27, the current head of NSA and Cyber Command, Adm. Mike Rogers, acknowledged that there’s an ongoing “policy discussion” about giving Cyber Command more authority. Lawmakers needled him over the Trump’s administration’s lackluster response to Russian meddling in the 2016 presidential election. His responses were cagey, but he had a reason.

Cyber Command is quite limited in what operations it can pursue because, among other reasons, it is designated as a combat force that operates under Title 10 of the U.S. Code. That law dictates that such a unit can only operate within the confines of a declared war zone — a statue complicated by the internet’s global reach. The intelligence community, like the NSA and CIA, operate under Title 50, which permits them to conduct espionage in nearly any foreign country, a condition that’s especially advantageous when exploiting computers spread around the world.

How Title 10 exactly applies to cyberspace remains an open-ended question, former U.S. intelligence officials say. Some academics have described the current situation where military-backed cyberattacks occur as a sort of legal “gray zone.” That description is driven by the fact that the international Rules of Engagement for cyberwarfare remains largely undefined.

Even so, Secretary of Defense James Mattis has become a leading voice lobbying the White House to at least give Cyber Command more flexibility.

“[Mattis] has been very aggressive in articulating this concerns him, that there’s an ongoing discussion at the moment, that I hope is going to come to a way ahead in the near term,” Rogers recently told lawmakers.

It’s unclear exactly which additional authorities Mattis is seeking.

Cyber Command was recently granted the ability to foward deploy its forces to combatant commands across the world, sources told CyberScoop. Previously, so-called Cyber Mission Force teams would only be assigned to U.S. bases, like Fort Meade. Now they can be located within other combatant commands like U.S. Central Command, integrating with the military on physical front lines. This follows in line with the SOCOM model, which allows elite military personnel to be quickly grouped and deployed rapidly to accomplish very specific objectives.
That decision could open the door for new opportunities to hack enemy networks, but it does not necessarily provide Cyber Command with any additional license to independently launch attacks.
When military leaders push to do more with hackers, they usually meet some form of resistance from Pentagon lawyers.
A recent operation underscores the complexities surrounding Cyber Command’s ability to run offensive operations in the gray zone.
According to prior reporting by the Washington Post, the Obama administration angered the German government when Cyber Command hacked into a server hosting ISIS propaganda that was located in Germany. Though the terrorist group is most active in the Middle East, the group’s digital content is sometimes hosted by shared systems located inside allied countries and not war zones. The Pentagon reportedly notified its German counterparts of the counterterrorism mission to remove ISIS material, but the hacking still upset a wary ally.
The debate about what checks and balances should exist to control the use of offensive cyber operations is especially important due to the fragile nature of the internet. With militaries looking to disrupt each other through the world wide web, innocent users will inevitably be caught up in the chaos.
In 2016, a single distributed denial of service (DDoS) attack against Dyn, a internet gateway company, knocked out dozens of major internet retailers; leading to millions of dollars in lost revenue. That attack was later attributed to several American university students; a group obviously far less equipped than a conventional army.
New spin on an old fight
While ambiguity may surround the legal framework for military-led cyberattacks, how these missions affect the intelligence community’s own computer spying efforts poses another difficult proposition.
It’s not one that’s been easily handled in the past.

“This tug of war is not a new one,” described Rhea Siers, a 30-year NSA veteran who during her time at the agency worked in multiple administrative roles. “Collecting intelligence versus taking out the target has been a key tactical and strategic discussion between the military and intelligence agencies for decades — first about SIGINT [Signal Intelligence], now about cyber-operations as well.”

With Cyber Command in the spotlight, some military leaders have pushed for permission to “engage the enemy” online more often, a U.S. official told CyberScoop. But there are U.S. intelligence officials who still worry about what Cyber Command’s rise will mean for espionage missions.

In short, spies fear that their more covert digital intrusions will be negatively impacted by a spike in “louder,” purposefully disruptive cyberattacks from military operators, who are usually more interested in immediate outcomes. The concern stems from the issue of parallel discovery — where both a spy agency and military unit are hiding in the same compromised network, allowing the detection of one attacker to expose the other.

“There is an inherent conflict between military-like cyber operations and clandestine espionage operations,” explained Jason Kichen, a former intelligence officer who was focused on computer hacking strategy. “Sometimes the military’s needs to gain their own access can put the already present espionage-focused access at risk.”

Historically, NSA’s relationship to Cyber Command has generally tended to be collaborative. The partnership is complicated because each organization is responsible for a unique mission that’s sometimes drastically different yet requires nearly identical tools and talent — both of which are finite. 

The clashes can be over which hacking tools are used, who should be handling them and whom they should be used against.

At the moment, the NSA is the government’s primary collector of information about software vulnerabilities that can be exploited by hackers. That title is held closely and with pride.

“A lot of what we ran into during the Obama administration involved the IC bucking at plans strung up by Cyber Command because they worried about intel gain-loss,” said Eric Rosenbach, former Pentagon chief of staff to Defense Secretary Ashton Carter. “The missions of Cyber Command and NSA should be complimentary, but too often they are competitive and collide with one another.”

Nearly everyone who spoke to CyberScoop said that the unified combatant command’s rise under the Trump administration will inevitably challenge the NSA’s franchise on software vulnerabilities and other hacking tools. Until recently, the intelligence community usually has taken the lead in helping decide whether to deploy some of the government’s elite hacking capabilities, according to two former U.S. senior defense officials. 

But that hegemony is now increasingly challenged by a younger, military-minded Cyber Command that’s pushing for changes to the status quo.

“NSA has had a major role in this space since at least 1997, when [then-Secretary of Defense William] Cohen assigned them the mission to develop offensive techniques,” said Jason Healey, a former director for Cyber Infrastructure Protection at the White House from 2003 to 2005. “Twenty years on, they’re used to ruling the roost, especially since they’ve been not just developing but using offensive capabilities since 2005. Losing [some] of those responsibilities was always going to sting and meet bureaucratic resistance.”

Untangling the policy knot

Empowering Cyber Command appears to have bipartisan support. Multiple current and former defense officials are pushing for a win after years of apparent stagnation. And multiple former officials who worked in past administrations told CyberScoop, in general terms, that they welcomed changes that could help Cyber Command contribute to national security.

Creating the tools and policies that give Cyber Command independence from other U.S. intelligence or defense agencies has helped solve some bureaucratic issues. But not all of them.

In recent months, aides for the House Armed Services Committee and Senate Armed Services Committee have been meeting with government “working groups” to stop the military and intelligence community from butting heads. With people in the room representing both sides’ interests, lawmakers hope to quell any problems that have come with impending changes to the hierarchy.

Several aides told CyberScoop that the people representing Cyber Command have grown increasingly frustrated in these recent meetings. The representatives told the committees that the unit’s growth has been curbed by a reluctant bureaucracy that’s continuing to voice skepticism about scaling up hacking operations beyond the intelligence community.

In one meeting held in mid-February, Rogers’ Combined Action Group (CAG) held a meeting with congressional staffers, military academics and other officials from Fort Meade to discuss some of the issues. The gathering’s purpose was not necessarily to come up with immediate solutions, but to flesh out each side’s concerns that have come with Cyber Command’s maturation. Insights from the nearly eight-hour-long meeting were later provided to Rogers, who used them to prepare for a congressional hearing.

In that Capitol Hill appearance, Rogers maintained that Cyber Command should eventually be split from NSA, which would give it more autonomy.

The peacemaker?

President Donald Trump recently nominated Army Cyber Commander Gen. Paul Nakasone to be the combined leader of NSA and Cyber Command. Nakasone is a well-respected military leader with a history of working in cybersecurity-focused positions. However, he is not a career intelligence official.

Nakasone has been heralded for his time in service by former superiors, including Rosenbach and Alexander. He is widely considered one of the most experienced generals in managing military-led hacking operations.

The congressmen with perhaps the most experience dealing with NSA told CyberScoop that managing some of the conflicting equities between the two brotherly organizations will almost entirely fall on Nakasone.

“It’s really going to be up to leadership, they’re responsible for making sure it goes right,” said Rep. Dutch Ruppersberger, D-Md. “You need to have the right leader to negotiate these things, to listen to both sides and figure it out … If we don’t have good leadership for this position then it can be bad.”

Managing the tug of war in government represents just one of many challenges for the NSA director.

“That’s a very, very tough job,” he continued. “With everything that’s gone on recently, maybe one of the most difficult [jobs] in government.”

Michael Sulmeyer, a former cybersecurity policy adviser in the Office of the Secretary of Defense, said he believed Nakasone would make it a “fair fight.” Sulmeyer told CyberScoop that Cyber Command’s development may have been stunted by the dual-hat leadership arrangement, which he contends had benefited the intelligence community more.

“In the past, the IC would usually win these internal arguments … the resolution process requires consulting with the leaders of each organization. So it was a really circular, you could efficient way of dealing with it. But certainly slanted,” Rosenbach explained.

Nakasone recently told lawmakers that he planned to provide a recommendation within 90 days of being confirmed to Mattis about whether or not to split Cyber Command from NSA. Rogers, his predecessor, has said a split is inevitable. CyberScoop previously reported that Director of National Intelligence Dan Coats preferred keeping the dual hat in place for the immediate future.

In a brief interview with CyberScoop following a public speaking appearance in D.C., current White House Cybersecurity Coordinator Rob Joyce said he believed Cyber Command should be separated from NSA as it becomes more capable. He provided no timeline, but said that some predictable “friction” would likely follow a split as the two organization readjust to a new relationship. “That’s only normal,” Joyce described.

Fighting into the future

Lawmakers are generally unsure by how Cyber Command’s evolution will pan out. But several expect a bumpy road forward.

“There’s always going to be that rub between the operators and the intel collectors. I think that’s very true right now just because probably NSA is much more mature organization and certainly CIA also weighs in as well and they want to err towards protecting their capabilities,” said Congressman Jim Langevin, D-R.I.. “I certainly get that. But sometimes they can be over-protective and it slows things down. Maybe we’re missing out on opportunities to make a [cyberwarfare] operation more effective.”

Sen. Mike Rounds, R-S.D., the chairman of the Senate Armed Services cybersecurity subcommittee, told CyberScoop that he has also been involved in helping to ensure that Cyber Command’s elevation to a unified combatant command happens quickly and in a well-managed fashion.

“After listening to a lot of discussion internally, I think we’re moving in the right direction by separating the hats,” Rounds, said in an interview with CyberScoop following a congressional hearing. “Those folks operating under Title 50 really want to be deep in and not be discovered. At the same time, under Title 10 and what we would want in terms of persistence, you have to be able to show ourselves every once in awhile and that we are actually doing things in cyber to deter those who are causing the problems. It may easier to do using two hats rather than a dual hat.”

Whether the current system disproportionately handicaps Cyber Command remains a tough question to answer.

“The benefit of having a dual-hat between NSA and U.S. Cyber Command is clear — you have one person who can make a fully informed decision about the tradeoffs between the potential capability loss associated with using an intelligence asset to conduct an offensive cyber-operation,” explained Jamil Jaffer, former senior counsel to the House Intelligence Committee.

With Nakasone set to take the helm of both Cyber Command and NSA later this month following his expected confirmation, the debate will be immediately in front of him.

“Many have raised concerns that such an arrangement is a one-way ratchet and doesn’t full account for all equities,” Jaffer said. “What can be said for certain is that if you split the current dual-hat arrangement, you’re going to be teeing up a lot more debates for the National Security Council to have on individual operations and that is likely to be its own can of worms. After all, fighting a war by committee is hardly a good way to go.”

Source: https://www.cyberscoop.com/us-cyber-command-nsa-government-hacking-operations-fight/

One year on, the WannaCry scare hasn’t made healthcare security any better

Cybersecurity in the healthcare sector was put under the spotlight after the WannaCry ransomware attacks that hit in May 2017, and it painted a vivid picture of how threats can paralyse real-world processes.

That’s according to Trend Micro and HITRUST’s latest research on how connected hospitals can be exploited – and researchers believe that the WannaCry scare has only made matters worse.

The research paper, titled Securing Connected Hospitals, looks at how internet-connected medical devices are often exposed due to misconfigured networks or software interfaces.

Connected devices can include surgical equipment, office applications, inventory systems, monitoring equipment, and imaging equipment.

Using search website Shodan, researchers were able to pinpoint devices connected to the Internet of Things and gather information about the devices’ geographic locations, hostnames, operating systems, and other information.

“An adversary can also use Shodan to perform detailed surveillance and gather intelligence about a target, which is why Shodan has been called the World’s Most Dangerous Search Engine,” the report says.

Beyond Shodan, exposed devices can also be profiled using network tools. Attackers could potentially access sensitive data, webcam feeds, compromise assets to conduct DDoS attacks or botnets, demand ransoms and much more.

The paper also looked at how supply chain attacks, including associates and third-party contractors, also play a dangerous role – 30% of healthcare breaches in 2016 were due to third parties.

“Supply chain threats arise as a result of outsourcing suppliers, and the lack of verifiable physical and cybersecurity practices in place at the suppliers,” the report says.

“Suppliers do not always vet personnel properly, especially companies that have access to patient data, hospital IT systems, or healthcare facilities. Vendors do not always vet their own products and software for cybersecurity risks, and may also be outsourcing resources as well. This allows perpetrators to exploit sensitive information across the supply chain.”

There are seven major supply chain threat vectors that attackers can use against the healthcare sector:

Firmware  attacks, mHealth mobile application compromises, source code compromise during the manufacturing process, insider threats from hospital and vendor staff, website/EHR and internal hospital software compromise, spearphishing, and third party vendor credentials.

The report points out that source code compromise during the manufacturing process can be extremely dangerous because hospitals tend not to test device security before installing it on their networks.

While no data on incidents involving medical devices was publicly disclosed in 2017, tablets, phones and even USB devices have been compromised in the past.

“In 2016, a healthcare organization unknowingly sent 37,000 malware-infected USB thumb drives to their offices nationwide. The manual of procedure codes for that year included the flash drive on the back pocket,” the report says.

The paper draws on qualitative risk analysis of various attack vectors to give an overview of some of the most pressing threats in healthcare.

Those threats include insecure devices that can be used to access a network, DDoS attacks, spear phishing, and unpatched systems.

“Having effective alert, containment, and mitigation processes are critical. The key principle of defense is to assume compromise and take countermeasures.”

  • Quickly identify and respond to ongoing security breaches.
  • Contain the security breach and stop the loss of sensitive data.
  • Pre-emptively prevent attacks by securing all exploitable avenues.
  • Apply lessons learned to further strengthen defenses and prevent repeat incidents.


Record-setting Australian DDoS attack is a reminder to get your IoT security in order

As IoT devices proliferate, security spend is becoming a corporate compliance issue.

Internet of things (IoT) security will become a key corporate compliance issue as growing adoption opens up new avenues for cybersecurity compromise, experts have warned as analysis of traffic analysis confirmed that the Memcached attack delivered Australia’s largest-ever distributed denial of service (DDoS) attack in February.

Growing DDoS attacks have been tied directly to the spread of IoT, with recent Mirai and derivative attacks leveraging insecurities in IoT devices to amplify DDoS traffic on a global basis.

As hackers continue to experiment with and refine their ability to use potentially crippling IoT botnets, Gartner research director Ruggero Contu has predicted that IoT security will rapidly become a key investment priority for businesses that are rushing to embrace the myriad sensors and other smart devices now flooding the market.

“Organisations often don’t have control over the source and nature of the software and hardware being utilised by smart connected devices,” Contu wrote.

“We expect to see demand for tools and services aimed at improving discovery and asset management, software and hardware security assessment, and penetration testing. In addition, organizations will look to increase their understanding of the implications of externalizing network connectivity. “

As a result, Gartner has forecasted IoT security spending to grow dramatically, surging 28 percent over 2017 levels to reach $US1.5 billion ($A1.94b) this year.

Spending on IoT-related gateway security will double between 2018 and 2021 to $US415m ($A537m), Gartner’s forecasts have predicted, while professional-services spend will grow from $US946m ($A1.23b) to $US2.071b ($2.68b) by 2021.

A lack of security best practices and tools in IoT planning will create drag on IoT spending plans – challenging plans to build a unified corporate defence due to haphazard, business unit-led implementations of poorly or non-integrated products that still lack common, interoperable industry security frameworks.

“Although IoT security is consistently referred to as a primary concern, most IoT security implementations have been planned, deployed and operated at the business-unit level, in cooperation with some IT departments to ensure the IT portions affected by the devices are sufficiently addressed,” Contu said.

“However, coordination via common architecture or a consistent security strategy is all but absent, and vendor product and service selection remains largely ad hoc, based upon the device provider’s alliances with partners or the core system that the devices are enhancing or replacing.”

Better IoT security can’t come too soon: new DDoS traffic figures from NETSCOUT Arbor found that DDoS traffic surged to 335Gbps and 29.4 million packets per second (Mpps) on 27 February – a record for an Australian DDoS attack and approximately 10 times the average traffic flow for the rest of the month.

This coincided with a world record-setting attack of 1.35Tbps against code-hosting company GitHub, which was itself surpassed days later by a 1.7Tbps attack that led NETSCOUT Arbor to declare that “the terabit attack era is upon us”.

Sources of the attacks on Australia were closely split between the United States (accounting for 28.86 percent of attacks), Russia (24.83 percent), China (24.16 percent), and India (22.15 percent). And the total number of DDoS attacks was down overall, at just 6200 over the previous six months – compared with around 11,000 attacks in the six months to September 2017.

The figures support predictions that DDoS volumes would continue to surge in the leadup to the Pyeongchang Winter Olympics in February, and indeed the record-setting attack came just hours after the Olympics closing ceremony on 25 February. At the time, NETSCOUT Arbor country manager Tim Murphy told CSO Australia the firm was already seeing signs of an uptick in DDoS activity – presaging the record-setting Memcached attack.

Telecommunications carriers were asserting their roles as front-line defenders against DDoS attacks, Murphy said, noting that telcos such as Telstra had established distributed DDoS detection and cleansing facilities around the world.

“In Australia, thankfully, we are very lucky that our Tier-1 telcos are quite prepared for large DDoS attacks,” he said. “That doesn’t mean that enterprises are well prepared – but that from a core perspective, we are very well prepared as a nation. We see bigger and nastier perpetrators every week – so businesses need to be more nimble not only in their ability to detect these, but their ability to mitigate them.”

Source: https://www.cso.com.au/article/635876/record-setting-australian-ddos-attack-reminder-get-your-iot-security-order/

Hospitals Exposed by Connected Devices

At any one time the world’s connected hospitals could be running as many as 80,000 exposed devices, putting hospital operations, data privacy and patient health at risk, according to Trend Micro.

The security giant’s latest report, Securing Connected Hospitals, claimed medical devices, databases, digital imaging systems, admin consoles, protocols, industrial controllers and systems software have significantly increased the average provider’s attack surface.

This puts them at risk of DDoS, ransomware attack and data theft. The report used the DREAD threat assessment model to find that DDoS is actually the biggest risk, followed by ransomware.

The latter has impacted hospitals worldwide, particularly NHS Trusts, which were severely affected by the WannaCry attack of 2017.

Senior threat researchers and report authors Numaan Huq and Mayra Rosario Fuentes claimed that hospital cybersecurity may be lacking because of several reasons.

These include: a lack of dedicated IT security staff, limited budget, diagnostic equipment which is outdated, and can’t be taken offline to patch and large numbers of mobile workers who need seamless access to systems.

The report also claimed that hospital supply chains are increasingly opening them up to cyber-risk, with 30% of breaches publicly reported to the US Department of Health and Human Services (HHS) in 2016 due to breaches of business associates and third-party vendors.

“Supply chain threats are potential risks associated with suppliers of goods and services to healthcare organizations where a perpetrator can exfiltrate confidential or sensitive information, introduce an unwanted function or design, disrupt daily operations, manipulate data, install malicious software, introduce counterfeit devices, and affect business continuity,” explained Huq and Fuentes.

“Third-party vendors have credentials that include log-ins, passwords, and badge access which can be compromised. These vendors can also store physical records, medical devices, and office equipment. Hospitals need to be supplied by a robust supply chain to ensure uninterrupted service to patients, and thus protecting the hospital supply chain against cyber-attacks becomes a critical necessity.”

Source: https://www.infosecurity-magazine.com/news/hospitals-exposed-by-connected/

A new Mirai-style botnet is targeting the financial sector

The researchers say it’s the largest attack since the Mirai-powered cyberattack in October 2016 that took down large swathes of the Western internet.

A botnet made up of hijacked internet-connected televisions and web cameras has a new target, security researchers have found.

Three financial sector institutions have become the latest victims of distributed denial-of-service (DDoS) attacks in recent months. New research by Recorded Future’s Insikt Group published Thursday points to what’s likely to be the IoTroop botnet, used to pummel financial firms with internet traffic to overload servers and disrupt services.

The researchers say it’s the largest attack since the Mirai-powered cyberattack in October 2016 that took down large swathes of the Western internet.

Botnets appear all the time and can rapidly grow and ensnare thousands of devices. Many lay dormant for months, quietly gathering pace but ready to cause disruption at a moment’s notice. Although several botnets have appeared in the past year, none have resulted in any sizable attacks.

But that changed in January, when three DDoS attacks were launched within a few hours of each other.
The first was a DNS amplification attack that peaked at a traffic volume of 30Gbps per second. That may pale in comparison to a recent 1.7 Tbps attack — some fifty times larger– but can still cause considerable damage for companies not investing in DDoS mitigation protections.

It’s thought that the botnets are built off Mirai’s code, which was open-sourced and publicly released just weeks before the October 2016 attacks. Mirai was fairly simple compared to other botnets, which aggressively infected devices by using a list of pre-determined default usernames and passwords.

But the code’s release opened the door for other botnets to spring to life.

It’s believed that the more aggressive and advanced Reaper malware is thought to be behind the IoTroop botnet targeting financial institutions, said Priscilla Moriuchi, who co-authored the report with Sanil Chohan.

“This botnet is different than Mirai in composition and exploitation vector, likely compromising new bots based on vulnerabilities and not via unchanged administrator credentials,” said Moriuchi, in an email.

Unlike Mirai, Reaper has become a large botnet that can run complex attack scripts to exploits flaws in the code of vulnerable devices, making it difficult to detect infections. The botnet exploits over a dozen known vulnerabilities in nine internet-connected products — including some of the flaws that were originally used in Mirai.

Netlab said that the botnet had about 28,000 infected devices connected to one of the botnet’s controllers as of its discovery in October — and was ballooning in size.

This new botnet targeting financial sector companies has over 13,000 devices — each with a unique IP address, the report said.

Most of the compromised devices are routers made by MikroTik, a Latvia-based networking company. It’s thought that the attackers are leveraging the manufacturer’s router bandwidth testing feature. The majority of infected devices were found in Russia, Brazil, and Ukraine — a point that the researchers said is “likely to just be a reflection of the popularity” of the infected devices.

Moriuchi said that at least one of the companies affected by the attack had its customer services temporarily disrupted, but the extent of the financial or network damage wasn’t known.

The researchers would not name the companies targeted by the botnet in their report, but said they were global Fortune 500 firms. It’s also not known who is behind the attacks, they said.

But the botnet is likely not done. Although botnet attack activity has been largely quiet since January, the researchers said the botnet will grow in size and may be able to launch larger DDoS attacks against the financial sector in the future.

“It will become increasingly important to monitor the potential controllers and identify new IoT devices being added to the botnet in preparation for further attacks,” the researchers said.

Source: https://www.zdnet.com/article/new-mirai-style-botnet-targets-the-financial-sector/

Insurance may not be enough to stop hackers

NEARLY two dozen ransomeware attacks were made against Jersey businesses in the first three months of this year, according to research by just one local IT company.

Logicalis also logged more than seven Office 365 break ins, 21 examples of attackers exploiting vulnerabilities caused by user errors, three DDoS attacks from hackers using company bandwidths, 20 compromised systems because of poor configuration, and 50 examples of hackers using credentials from the dark web to log in.

All told, the Logicalis Security Operations Centre detected 124 cyber-attacks in the Island in three months, which Logicalis say must be a fraction of the real level of attacks.

The message, according to Ricky Magalhaes, Managed Security Services Director at Logicalis, is that companies will loose out if they rely on insurance to cover the costs of those attacks. He fears that up to 80% of businesses would not be covered by their cyber insurance policies in the event of a cyber-attack because they are not following correct security protocols.

‘Many companies think cyber insurance is an alternative to good cyber security practices; however, if you

don’t have correct controls in place, your insurance will not cover you,’ Mr Magalhaes said.

‘Up to 80% of companies with cyber insurance are not following basic cyber security procedures, which means if they suffer a loss, it will be hard for them to claim because they have been negligent.’

Even if the user follows correct procedures and an insurance company pays out, the real costs of a cyber-attack could be well beyond the financial compensation they receive. For example, US drug maker Merck, lost $750m in the NotPetya attacks last year, but received only $275m in insurance.

‘Proper security monitoring, simple procedures such as

using two-factor authentication, and regular training and testing of staff to help prevent security breaches in the first place, are vital, whether you are insured or not,’ Mr Magalhaes said.

‘A lot of cyber-attacks happen because of behaviour of staff, rather than because of the technology, which makes it very hard to assess risks. One thing is certain, though, the risks of cyber-crime are higher than ever.”

Source: https://jerseyeveningpost.com/news/business/2018/04/03/insurance-may-not-be-enough-to-stop-hackers/

New world record DDoS attack hits 1.7Tbps days after landmark GitHub outage

Just a week after code repository GitHub was knocked offline by the world’s largest recorded distributed denial-of-service (DDoS) attack, the same technique has been used to direct an even bigger attack at an unnamed US service provider.

According to DDoS protection outfit Arbor Networks, that US service provider survived an attack that reached an unprecedented 1.7Tbps.

Last week Arbor, Cloudflare and Akamai reported an uptick in amplification attacks that abuse memcached servers to ramp up by traffic by a factor of 50,000.

Within a day of Cloudflare reporting that attackers were abusing open memcached servers to power DDoS attacks, GitHub was taken offline for about 10 minutes by an attack that peaked at 1.35Tbps.

Memcached is a caching system to optimize websites that rely on external databases. Memcached-enabled servers shouldn’t be left exposed to the internet, although at any given time over 100,000 are, according to Rapid7.

The attacks involve spoofing a target’s IP address to the default UDP port on available memcached amplifiers, which return much larger responses to the target.

The attacks appear to be getting larger by the day. Before the attack on GitHub, Arbor Networks reported seeing attacks exceeding 500Gbps.

Arbor Networks’ Carlos Morales predicts memcached attacks won’t be going away any time soon because of the number of exposed memcached servers.

“While the internet community is coming together to shut down access to the many open memcached servers out there, the sheer number of servers running memcached openly will make this a lasting vulnerability that attackers will exploit,” he wrote.

Morales’ colleague, Roland Dobbins believes the memcached DDoS attacks were initially used exclusively by skilled attackers who launched attacks manually, but now they’ve been automated via rental ‘booter’ or ‘stressor’ botnets.

He notes that the potential for abusing memcached servers in application attacks was revealed by Chinese researchers in November 2017, but that as early as 2010 researchers had discovered widespread insecure memcached servers across the world.

As Ars Technica reports, some people attacking memcached servers are attaching a ransom note instructing targets to “Pay 50 XMR” or the equivalent of $18,415 to a specified wallet.

Rapid7’s internet-wide Project Sonar scanner found over 100,000 exposed memcached servers at any given time.

Image: Rapid7

Source: http://www.zdnet.com/article/new-world-record-ddos-attack-hits-1-7tbps-days-after-landmark-github-outage/