GDPR: A tool for your enemies?

Every employee at your organisation should be prepared to deal with right to be forgotten requests.

It’s estimated that 75% of employees will exercise their right to erasure now GDPR (General Data Protection Regulation) has come into effect. However, less than half of organisations believe that they would be able to handle a ‘right to be forgotten’ (RTBF) request without any impact on day-to-day business.

These findings highlight the underlying issues we’re seeing in the post-GDPR era and how the new regulations put businesses at risk of being non-compliant. What is also worrying, is that there are wider repercussions for organisations not being prepared to handle RTBF requests.

No matter how well business is conducted, there is always the possibility of someone who holds a grudge against the company and wants to cause disruption to daily operations. One way to do this, without resorting to a standard cyber-attack, is through inundating an organisation with RTBF requests. Especially when the company struggles to complete one request, this can drain a company’s resources and grind the business to a halt. In addition to this, failing to comply with the requests in a timely manner can result in a non-compliance issue – a double whammy.

An unfortunate consequence of the new GDPR regulations is that the right to erasure is free to submit, meaning it is more likely customers or those with a grudge will request to have their data removed. There are two ways this can be requested. The first is a simple opt-out, to remove the name – usually an email address – from marketing campaigns. The other is a more time-consuming, complex discovery and removal of all applicable data. It is this second type of request where there is potential for hacktivists, begrudged customers, or other cyber-attackers to weaponise the regulation’s requirements.

One RTBF request is relatively easy to handle – as long as the company knows where its data is stored, of course – and the organisation actually has a month to complete the request from the day it was received. However, if a company is inundated with requests coming in on the same or consecutive days, it becomes difficult to manage and has the potential to heavily impact daily operations. This kind of attack is comparable to a Distributed Denial of Service (DDoS) attack – for example the attack on the UK National Lottery last year, which saw its entire online and mobile capabilities knocked out for hours because cyber criminals flooded the site with traffic – with the company becoming so overloaded with requests that it has to stop its services entirely.

When preparing for a flood of RTBF requests, it is essential that all organisations have a plan in place that streamlines processes for discovery and deletion of customer data, making it as easy as possible to complete multiple requests simultaneously.

Don’t let your weakest link be your downfall

The first thing to consider is whether or not the workforce is actually aware of what to do should an RTBF request come in (let alone hundreds). Educating all employees on what to do should a request be made – including who in the company to notify and how to respond to the request – is essential in guaranteeing an organisation is prepared. It will mean that any RTBF request is dealt with both correctly and in a timely manner. The process must also have clearly defined responsibilities and actions that can be audited. For companies with a DPO (Data Protection Officer) or someone who fulfils that role, this is the place to begin this process.

Discovering data is the best defence

The key to efficiency in responding to RTBF requests is discovering the data. This means the team responsible for the completion of requests is fully aware of where all the data for the organisation is stored. Therefore, a complete list of where the data can be found – and how to find it – is crucial. While data in structured storage such as a database or email is relatively simple to locate and action, it is the unstructured data, such as reports and files, which is difficult to find and is the biggest culprit of draining time and resources.

Running a ‘data discovery’ exercise is invaluable in helping organisations achieve an awareness of where data is located, as it finds data on every system and device from laptops and workstations to servers and cloud drives. Only when you know where all critical data is located, can a team assess its ability to delete it and, where applicable, remove all traces of a customer. Repeating the exercise will highlight any gaps and help indicate where additional tools may be required to address the request. Data-At-Rest scanning is frequently found as one part of a Data Loss Prevention (DLP) solution.

Stray data – a ticking time bomb

Knowing where data is stored within the organisation isn’t the end of the journey, however. The constant sharing of information with partners and suppliers also has to be taken into account – and for this, understanding the data flow into and out of the company is important. Shared responsibility clauses within GDPR rules mean that all partners involved with critical data are liable should a breach happen or an RTBF request cannot be completed. If critical data sitting with a partner is not tracked by the company that received the RTBF request, it makes it impossible to truly complete it and the organisation could face fines of up to 20 million EUR (or 4% of their global turnover). Therefore, it’s even more important to know how and where critical data is moving at all times, minimising the sharing of information to only those who really need to know.

While there is no silver bullet to prevent stray data, there are a number of technologies which can help to control the data which is sent both in and out of a company. Implementing automated solutions, such as Adaptive Redaction and document sanitisation, will ensure that no recipient receives unauthorised critical data. This will build a level of confidence around the security of critical data for both the organisation and the customer.

With the proper processes and technologies in place, dealing with RTBF requests is a straightforward process, whether it is a legitimate request, or an attempt by hacktivists or disgruntled customers to wreak havoc on an organisation. Streamlining data discovery processes and controlling the data flowing in and out of the company will be integral in allowing a business to complete a RTBF request and ultimately defend the organisation against a malicious use of GDPR.

Source: https://www.itproportal.com/features/gdpr-a-tool-for-your-enemies/

Meet MyloBot malware turning Windows devices into Botnet

The IT security researchers at deep learning cybersecurity firm Deep Instinct have discovered a sophisticated malware in the wild targeting Microsoft’s Windows-based computers.

Adding devices to Botnet

The malware works in such a way that upon infecting, it allows hackers to take over the device and make it part of a botnet to carry out different malicious activities including conducting Distributed Denial of Service (DDoS) attacks, spreading malware or infecting the system with ransomware etc.

A Botnet is a network of private computers infected with malicious software and controlled as a group without the owners’ knowledge, e.g., to send spam messages.

Apart from these, the malware not only steals user data, it also disables the anti-virus program and removes other malware installed on the system. Deep Instinct dubbed it MyloBot; based on its capabilities and sophistication, the researchers say they have “never seen” such malware before.

Furthermore, once installed, MyloBot starts disabling key features on the system including Windows Updates, Windows Defender, blocking ports in Windows Firewall, deleting applications and other malware on the system.

“This can result in loss of the tremendous amount of data, the need to shut down computers for recovery purposes, which can lead to disasters in enterprises. The fact that the botnet behaves as a gate for additional payloads, puts the enterprise in risk for the leak of sensitive data as well, following the risk of keyloggers/banking trojans installations,” researchers warned.

Dark Web connection

Further digging into the MyloBot sample reveals that the campaign is being operated from the dark web, while its command and control (C&C) system is also part of other malicious campaigns.

Although it is unclear how MyloBot is being spread, researchers discovered the malware on one of their clients’ systems, sitting idle for 14 days, which is one of its delaying mechanisms before it contacts its command and control servers.

It is not surprising that Windows users are being targeted with MyloBot. Last week, another malware called Zacinlo was caught infecting Windows 10, Windows 7 and Windows 8 PCs. Therefore, if you are a Windows user watch out for both threats, keep your system updated, run a full anti-virus scan, refrain from visiting malicious sites and do not download files from unknown emails.

Deep Instinct has yet to publish a research paper covering MyloBot from end to end.

Source: https://www.hackread.com/meet-mylobot-malware-turning-windows-devices-into-botnet/

‘The platform is under extreme load’: Cyber attack brings major cryptocurrency exchange to its knees

  • One of the largest cryptocurrency exchanges shut Tuesday morning because of a cyber attack.
  • “The platform is under extreme load,” Bitfinex said at 9:39 a.m. ET.
  • Bitcoin was trading slightly lower at $7,421 a coin, according to Markets Insider data.
Bitfinex, one of the largest cryptocurrency exchanges by trading volumes, was down Tuesday morning after it experienced a cyber attack. According to its incident page, the exchange shut early Tuesday morning after it experienced problems with its trading engine. For a short period the exchange was back online after the issue was addressed. But the exchange was then hit with a so-called denial-of-service attack, which is when a network of virus-infected computers overwhelm websites with massive amounts of data.

“The platform is under extreme load,” the exchange said at 9:39 a.m. ET. “We are investigating. Seems a DDoS attack was launched soon after we relaunched the platform.”

Still, clients’ funds were not impacted, according to a statement by Kasper Rasmussen, head of marketing at Bitfinex.

“The attack only impacted trading operations, and user accounts and their associated funds/account balances were not at risk at any point during the attack,” Rasmussen said in a statement. “We will continue to update our user base on any further disruptions to service.”

Crypto exchange outages were common at the end of 2017 as bitcoin soared to all-time highs near $20,000, but have been less common in 2018 as prices and volumes across the digital coin market have fallen back to earth.

In 2017, the breakneck growth of the market forced some exchanges to stop onboarding new users altogether. A flash crash at Bitfinex in December left customers demanding answers and refunds.

Hacks and cyber attacks have long been a problem for the crypto space. Notably, Mt. Gox, which was the world’s largest bitcoin exchange, witnessed a massive DDoS attack in 2013. It shut in 2014 after a $450 million hack. JPMorgan estimates that a third of bitcoin exchanges have been hacked.

“Running an exchange is one of the most complex server-side operations out there,” Kyle Samani, a crypto fund manager, told Business Insider.

“On an exchange, everyone wants real time, all the time, globally and the bots are hitting the APIs every few milliseconds both to get order book updates and to trade,” Samani added. “Doing this at scale is much harder than almost any other application.”

Still, Gabor Gurbacs, the director of digital asset strategy at VanEck, told Business Insider he thinks exchanges are getting better at handling technical issues and communicating with clients.

“Recently, exchanges started to halt trading, especially important for margin trades, and provided timely and more transparent notes to customers in cases of service disruptions,” Gurbacs said. “It’s a sign of maturation in my view.”

2018’s less volatile trading environment has given exchanges an opportunity to catch their breath. Bitfinex didn’t experience any technical incidents in the entire month of May.

Bitcoin was trading lower in the aftermath of the DDoS attack. The cryptocurrency was down 1.04% at $7,421 a coin, according to Markets Insider data.

Source: http://www.businessinsider.com/bitfinex-hit-by-cyber-attack-2018-6

Hackers replacing volumetric DDoS attacks with “low and slow” attacks

By the middle of last year, organisations across the UK had woken up to the threat of DDoS attacks that had, by November, increased in frequency by a massive 91 percent over Q1 2017 and 35 percent over Q2 figures.

A report by CDNetworks in October revealed that more than half of all organisations had ended up as victims of DDoS attacks that regularly took their website, network or online apps down.

To deter cyber-criminals from launching powerful DDoS attacks, organisations began pouring in huge investments to shore up their defences against DDoS attacks. According to CDNetworks, average annual spending on DDoS mitigation in the UK rose to £24,200 last year, with 20 percent of all businesses investing more than £40,000 in the period.

Such investments also resulted in increased confidence amongst businesses in defending against business continuity threats such as DDoS attacks, but unfortunately, increased investments did little to stop the flow of such attacks. Kaspersky Lab’s Global IT Security Risks Survey 2017 noted that the number of DDoS attacks on UK firms doubled since 2016, affecting 33 percent of all firms.

An analysis of DDoS attacks published by Alex Cruz Farmer, security product manager at Cloudflare, has revealed that while organisations in the UK have certainly upped their spending on DDoS mitigation, cyber-criminals are now responding by switching to Layer 7 based DDoS attacks, which impact applications and the end-user, while abandoning traditional Layer 3 and 4 attacks whose effectiveness is no longer guaranteed. This has ensured the unabated continuance of DDoS attacks on enterprises.

“The key difference to these (Layer 7) attacks is they are no longer focused on using huge payloads (volumetric attacks), but based on Requests per Second to exhaust server resources (CPU, Disk and Memory),” he said, adding that by their very nature, Layer 7 based DDoS attacks, such as credential stuffing and content scraping, do not last too long and do not flood networks with hundreds of gigabytes of junk network traffic per second like traditional DDoS attacks.

Farmer added that Layer 7 based DDoS attacks have become so popular among hackers that Cloudflare detected around 160 attacks occurring each day, with some days spiking up to over 1000 attacks. For example, hackers are frequently carrying out enumeration attacks by identifying expensive operations in apps and hammering at them with bots to tie up resources and slow down or crash such apps. For instance, a database platform was targeted with over 100,000,000 bad requests in just 6 hours!
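The signature Farmer describes is requests per second against expensive operations rather than bytes per second, so it is invisible to a purely volumetric view. The following is an added example (not code from the article or from Cloudflare) of scoring clients in an ordinary web server access log on both request rate and the summed cost of the endpoints they hit, which catches a bot hammering one expensive operation at a modest rate as well as a plain request flood. The log lines, the ENDPOINT_COST table and the thresholds are constructed assumptions for illustration.

```python
"""Flag Layer 7 'low and slow' abuse in web server access logs.

Added example, not code from the article or from Cloudflare: it scores
each client by requests per second and by the summed cost of the
endpoints it hits, so a bot hammering one expensive operation at a
modest rate is caught as well as a plain request flood.  The log lines,
the ENDPOINT_COST table and the thresholds are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx combined log format, e.g.
# 203.0.113.7 - - [05/Jun/2018:09:40:00 +0000] "GET /export HTTP/1.1" 200 312
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Assumed relative server cost of an endpoint (CPU/DB work per request);
# anything not listed costs 1.
ENDPOINT_COST = {"/search": 20, "/export": 50, "/login": 5}


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]          # drop the query string
    size = m.group("bytes")
    return {"ip": m.group("ip"), "ts": ts, "path": path,
            "bytes": 0 if size == "-" else int(size)}


def score_clients(lines, window_s=10, rate_threshold=5.0, cost_threshold=100.0):
    """Return {ip: (peak_requests_per_s, peak_cost_per_s)} for clients that
    exceed either threshold in any sliding window of window_s seconds."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # advance the window start until it spans at most window_s seconds
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            span = recs[start:end + 1]
            rate = len(span) / window_s
            cost = sum(ENDPOINT_COST.get(r["path"], 1) for r in span) / window_s
            if rate >= rate_threshold or cost >= cost_threshold:
                prev = flagged.get(ip, (0.0, 0.0))
                flagged[ip] = (max(prev[0], rate), max(prev[1], cost))
    return flagged


def _constructed_log():
    """Constructed sample traffic: one bot on an expensive endpoint, one
    scraper on cheap pages, one ordinary user."""
    fmt = '{ip} - - [05/Jun/2018:{t} +0000] "GET {path} HTTP/1.1" 200 {b}'
    lines = []
    for sec in range(10):                       # 3 req/s against /export
        for _ in range(3):
            lines.append(fmt.format(ip="203.0.113.7", t=f"09:40:{sec:02d}",
                                    path="/export?fmt=csv", b=312))
    for sec in range(10):                       # 8 req/s across product pages
        for n in range(8):
            lines.append(fmt.format(ip="203.0.113.9", t=f"09:41:{sec:02d}",
                                    path=f"/product/{sec * 8 + n}", b=2048))
    for t in ("09:40:00", "09:40:30", "09:41:00"):   # a normal visitor
        lines.append(fmt.format(ip="198.51.100.10", t=t, path="/", b=5120))
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for ip, (rate, cost) in score_clients(SAMPLE_LOG).items():
        print(f"{ip}: peak {rate:.1f} req/s, cost {cost:.0f} units/s")
```

The bot at 3 requests per second would pass a rate-only rule; it is the cost weighting that flags it, which is why the cost table matters more than the request threshold when the attacker has found an expensive operation. Feed real logs through `score_clients` with costs measured from your own application profiling rather than the assumed values here.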
Indeed, the first signs of short-duration yet persistent DDoS attacks were observed in May last year. Imperva Incapsula’s Global DDoS Threat Landscape Report, which analysed more than 17,000 network and application layer DDoS attacks, concluded that 80 percent of DDoS attacks lasted less than an hour, occurred in bursts, and three-quarters of targets suffered repeat assaults, of which 19 percent were attacked 10 times or more.

“These attacks are a sign of the times; launching a DDoS assault has become as simple as downloading an attack script or paying a few dollars for a DDoS-for-hire service. Using these, non-professionals can take a website offline over a personal grievance or just as an act of cyber-vandalism in what is essentially a form of internet trolling,” said Igal Zeifman, Incapsula security evangelist at Imperva, to SC Media UK.

Sean Newman, director of Corero Network Security, told SC Media UK that reports of increasing application layer DDoS attacks are only to be expected, as attackers continue to look for alternate vectors to meet their objectives.

“A perception that volumetric DDoS attacks are on the decline, is understandable, especially if that is your only lens on the problem. However, when your view is based on having deployed the latest generation of always-on, real-time, DDoS protection, you will find a rather different story.

“With this lens on the problem, you will find that there is a significantly increasing trend for smaller, more calculated, volumetric DDoS attacks. In fact, Corero customers saw an increase in volumetric attacks of 50 percent compared to a year ago, with over 90 percent of those attacks being less than 5Gbps in size and over 70 percent lasting less than 10 minutes in duration,” he added.

According to Joseph Carson, chief security scientist at Thycotic, organisations are adopting various mitigation techniques to defend against targeted and repeated DDoS attacks, but many times such technologies also consume a lot of bandwidth and system memory and thereby interfere with the smooth functioning of databases and apps.

“A Target DDoS attack is something that is very challenging to mitigate against though luckily they are periodic meaning as they occur for a short amount of time usually from days to a few weeks. Techniques that are commonly used today are mitigation techniques using Access Control Lists, Rate Limiting and filtering source IP Addresses, though each of these are resource intensive and can prevent legitimate users from getting access to your services.

“A few important lessons can be learned from Estonia’s DDoS experience back in 2007, be very careful as to what mitigation techniques you use as some companies’ responses can be more costly than the DDoS attack itself so always respond to each attack with the appropriate mitigation response.

“Though the best way to really defend and protect against future DDoS attacks is to think in terms of geographic distribution and not have any centrally dependent location of service. Estonia learned this in 2007 and has now distributed itself beyond its own country’s borders using Data Embassies,” he added.

Source: https://www.scmagazineuk.com/hackers-replacing-volumetric-ddos-attacks-with-low-and-slow-attacks/article/767988/

Man Sentenced to 15 Years in Prison for DDoS Attacks, Firearm Charges

A New Mexico man has been sentenced to 15 years in prison for launching distributed denial-of-service (DDoS) attacks on dozens of organizations and for firearms-related charges.

John Kelsey Gammell, 55, used several so-called booter services to launch cyberattacks, including VDoS, CStress, Inboot, Booter.xyz, and IPStresser. His targets included former employers, business competitors, companies that refused to hire him, colleges, law enforcement agencies, courts, banks, and telecoms firms.

Gammell took measures to avoid exposing his real identity online, including paying for the DDoS attacks with cryptocurrency and using VPNs. However, a couple of taunting emails he sent to his victims during the DDoS attacks – asking if they had any IT issues he could help with – were sent from Gmail and Yahoo addresses that had been accessed from his home IP address.

The man initially rejected a plea deal and his attorney sought the dismissal of the case, but in January he pleaded guilty to one count of conspiracy to commit intentional damage to a protected computer and two counts of being a felon-in-possession of a firearm. Gammell, a convicted felon, admitted having numerous firearms and hundreds of rounds of ammunition.

In addition to the 180-month prison sentence, Gammell will have to pay restitution to victims of his DDoS attacks, but that amount will be determined at a later date.

Source: https://www.securityweek.com/man-sentenced-15-years-prison-ddos-attacks-firearm-charges

Danish Railway Company DSB Suffers DDoS Attack

Danish rail travelers found buying a ticket difficult yesterday, following a DDoS attack on the railway company DSB.

DSB has more than 195 million passengers every year but, as reported by The Copenhagen Post, the attack on Sunday made it impossible for customers to purchase a ticket via the DSB app, on the website, at ticket machines and certain kiosks at stations – though passengers were able to buy tickets from staff on trains.

“We have all of our experts on the case,” said DSB spokesperson Aske Wieth-Knudsen, with all systems apparently working as normal this morning.

“The DDoS attack seen in Denmark this weekend on critical national infrastructure is precisely the type of attack that EU Governments are seeking to protect citizens against with last week’s introduction of the Network and Information Systems Directive (NIS),” said Andrew Lloyd, president, Corero Network Security.

“Keeping the control systems (e.g. railway signaling, power circuits and track movements) secure greatly reduces the risk of a catastrophic outcome that risks public safety. That said, a successful attack on the more vulnerable management systems can cause widespread disruption. This DDoS attack on Danish railways ticketing site can be added to a growing list of such cyber-attacks that include last October’s DDoS attack on the Swedish Railways that took out their train ordering system for two days resulting in travel chaos.

The lessons are clear, Lloyd added; transportation companies and other operators of essential services have to invest in proactive cybersecurity defenses to ensure that their services can stay online and open for business during a cyber-attack.

Source: https://www.infosecurity-magazine.com/news/danish-railway-ddos-attack/

DDoS Attacks Ebb and Flow After Webstresser Takedown

Shortly after Infosecurity Magazine reported that administrators of the world’s largest DDoS-as-a-service website had been arrested, Link11 wrote a blog post, concluding that “In the short period of time since that date, the Link11 Security Operation Center (LSOC) has seen a roughly 60% decline in DDoS attacks on targets in Europe.”

The reported deduction differs significantly from the findings of Corero Network Security. President Andrew Lloyd questioned the conclusions drawn by Link11, saying, “Our own evidence is that attack volumes globally and in Europe have, if anything, increased in the week since the Europol take-down action.”

In stark contrast to the LSOC findings, Corero noticed a spike in distributed denial-of-service (DDoS) attacks around 17 April but said, “Since then, European attacks have remained higher in the second half of the month versus the first half of April and the year as a whole.”

The news that law enforcement agencies had closed down Webstresser.org was a big win for cybercrime fighters. “But even so, the number of attacks will only decrease temporarily,” said Onur Cengiz, head of the Link11 security operation center. “Experience has shown in recent years that for every DDoS attack marketplace taken out, multiple new platforms will pop up like the heads of a hydra.”

A Kaspersky Lab study released on 26 April, on the heels of the Webstresser takedown, gives evidence that supports the changing tides of DDoS attack types and the ebb and flow of attacks Cengiz alluded to in his statement.

According to the Kaspersky Lab DDoS report, Q1 revealed an increased number of DDoS attacks and targets, but there are distinctions among the different attack methods. “Amplified” attacks were beginning to wane but had a bit of a boost in momentum, while network time protocol (NTP) and DNS-based boosting had almost disappeared after most vulnerable services were patched.

DDoS attacks as a means of personal revenge grew more popular in Q1 2018. Also trending were Memcached attacks that resemble a typical DDoS attack; however, according to the Kaspersky report, “Cybercriminals will likely seek out other non-standard amplification methods besides Memcached.”

As server owners patch vulnerabilities, there will be dips in certain types of attacks. “That being the case, DDoS masterminds will likely seek out other amplification methods, one of which could be LDAP services,” the Kaspersky report authors wrote.

Source: https://www.infosecurity-magazine.com/news/ddos-attacks-ebb-flow-after/

Why DDoS Just Won’t Die

Distributed denial-of-service attacks are getting bigger, badder, and ‘blended.’ What you can (and can’t) do about that.

Almost every organization has been affected by a distributed denial-of-service (DDoS) attack in some way: whether they were hit directly in a traffic-flooding attack, or if they suffered the fallout from one of their partners or suppliers getting victimized.

While DDoS carries less of a stigma than a data breach in the scheme of security threats, a powerful flooding attack can not only take down a company’s network, but also its business. DDoS attacks traditionally have been employed either to merely disrupt the targeted organization, or as a cover for a more nefarious attack to spy on or steal data from an organization.

The April takedown by the UK National Crime Agency and Dutch National Police and other officials of the world’s largest online market for selling and launching DDoS attacks, Webstresser, was a big win for law enforcement. Webstresser boasted more than 136,000 registered users and supported some four million DDoS attacks worldwide.

But in the end, Webstresser’s demise isn’t likely to make much of a dent in DDoS attack activity, experts say. Despite reports that the takedown led to a significant decline in DDoS attacks, Corero Network Security saw DDoS attacks actually rise on average in the second half of the month of April. “Our own evidence is that attack volumes globally and in Europe have, if anything, increased in the week since the Europol take-down action,” said Andrew Lloyd, president of Corero.

Even without a mega DDoS service, it’s still inexpensive to wage a DDoS attack. According to Symantec, DDoS bot software starts as low as a dollar to $15, and less than one hour of a DDoS via a service can cost from $5 to $20; a longer attack (more than 24 hours) against a more protected target costs anywhere from $10 to $100.

And bots are becoming even easier to amass and in bigger numbers, as Internet of Things (IoT) devices are getting added to the arsenal. According to the Spamhaus Botnet Threat Report, the number of IoT botnet controllers more than doubled last year. Think Mirai, the IoT botnet that in October of 2016 took down managed DNS provider Dyn, taking with it big names like Amazon, Netflix, Twitter, Github, Okta, and Yelp – with an army of 100,000 IoT bots.

Scott Tierney, director of cyber intelligence at Infoblox, says botnets increasingly will be comprised of both traditional endpoints—Windows PCs and laptops—as well as IoT devices. “They are going to be blended,” he said in an interview. “It’s going to be harder to tell the difference” in bots.

The wave of consumer products with IP connections without software or firmware update capabilities will exacerbate the botnet problem, according to Tierney.

While IoT botnets appear to be the thing of the future, some attackers have been waging old-school DDoS attacks: in the first quarter of this year, a long-tail DDoS attack lasted more than 12 days, according to new Kaspersky Lab research. That type of longevity for a DDoS was last seen in 2015.

Hardcore heavy DDoS attacks have been breaking records of late: the DDoS attack on Github recently, clocked at 1.35 terabytes, was broken a week later by a 1.7TB DDoS that abused the Memcached vulnerability against an undisclosed US service provider. “That Github [DDoS] record didn’t even last a week,” Tierney said in a presentation at Interop ITX in Las Vegas last week.

The DDoS attack employed Memcached servers exposed on the public Internet. Memcached, an open-source memory-caching system for storing data in RAM for speeding access times, doesn’t include an authentication feature, so attackers were able to spoof requests and amplify their attack. If properly configured, a Memcached server sits behind firewalls or inside an organization.
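Both this Memcached description and the Kaspersky findings above (NTP and DNS amplification fading after patching, LDAP as a likely next reflector) come down to one observable pattern: a UDP service that answers from a well-known port with far more bytes than it was sent, to a "client" that never asked. The following is an added example, not code from the article, Kaspersky or Cloudflare, that flags that pattern in unidirectional flow records and generalises from Memcached to the other amplifier ports the text names; it also audits a memcached command line for the exposure the paragraph describes, using the real `-U` (UDP port, 0 disables) and `-l` (bind address) options. The AMPLIFIER_PORTS table, the ratio threshold and the flow records are constructed assumptions.

```python
"""Spot UDP reflection/amplification in flow records, and audit a
memcached command line for an exposed UDP listener.

Added example, not code from the article, Kaspersky or Cloudflare.  It
generalises the Memcached case to the other amplifiers the text names
(NTP, DNS, LDAP): a service answering from a known amplifier port with
far more bytes than it received is the signature of being used as a
reflector, and the 'peer' of those flows is the spoofed victim.  The
port table, ratio threshold and flow records are constructed assumptions.
"""
from dataclasses import dataclass

# UDP services commonly abused for amplification (port -> name); assumed list
AMPLIFIER_PORTS = {11211: "memcached", 123: "ntp", 53: "dns", 389: "ldap",
                   1900: "ssdp", 19: "chargen"}


@dataclass
class Flow:
    """One unidirectional flow record, as a NetFlow/IPFIX exporter would emit."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "udp" or "tcp"
    packets: int
    bytes: int


def find_amplification(flows, min_ratio=10.0):
    """Pair inbound requests to an amplifier port with outbound replies from
    it and report reflector/victim pairs whose bytes-out/bytes-in ratio is
    at least min_ratio."""
    inbound, outbound = {}, {}
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst_port in AMPLIFIER_PORTS:          # request towards the service
            key = (f.dst_ip, f.dst_port, f.src_ip)
            inbound[key] = inbound.get(key, 0) + f.bytes
        if f.src_port in AMPLIFIER_PORTS:          # reply from the service
            key = (f.src_ip, f.src_port, f.dst_ip)
            outbound[key] = outbound.get(key, 0) + f.bytes

    hits = []
    for (reflector, port, peer), out_bytes in outbound.items():
        in_bytes = inbound.get((reflector, port, peer), 0)
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        if ratio >= min_ratio:
            hits.append({"service": AMPLIFIER_PORTS[port], "reflector": reflector,
                         "victim": peer, "ratio": ratio})
    return hits


def memcached_udp_exposed(cmdline):
    """True when a memcached command line leaves UDP reachable beyond
    loopback.  '-U 0' disables the UDP listener and '-l' sets the bind
    address (both real memcached options); a missing -U is treated as UDP
    enabled, which was the default before 1.5.6."""
    args = cmdline.split()
    udp_port, listen = 11211, "0.0.0.0"
    for i, a in enumerate(args):
        if a == "-U" and i + 1 < len(args):
            udp_port = int(args[i + 1])
        elif a == "-l" and i + 1 < len(args):
            listen = args[i + 1]
    loopback = listen.startswith("127.") or listen == "::1"
    return udp_port != 0 and not loopback


# Constructed flow records: a spoofed 600-byte request burst "from" the
# victim to an exposed memcached server, and the 7 MB of replies it
# triggers; plus an ordinary DNS lookup and a TCP download for contrast.
SAMPLE_FLOWS = [
    Flow("198.51.100.20", 40000, "192.0.2.5", 11211, "udp", 10, 600),
    Flow("192.0.2.5", 11211, "198.51.100.20", 40000, "udp", 5000, 7_000_000),
    Flow("203.0.113.4", 51000, "192.0.2.53", 53, "udp", 1, 60),
    Flow("192.0.2.53", 53, "203.0.113.4", 51000, "udp", 1, 180),
    Flow("192.0.2.80", 80, "203.0.113.4", 52000, "tcp", 3000, 4_000_000),
]

if __name__ == "__main__":
    for h in find_amplification(SAMPLE_FLOWS):
        print(f"{h['service']} reflector {h['reflector']} -> victim {h['victim']} "
              f"amplification x{h['ratio']:.0f}")
    print("exposed:", memcached_udp_exposed("memcached -m 64 -p 11211"))
```

On the reflector's own network the "victim" in a hit is an address your server is flooding, so the first mitigation is the one the paragraph gives (bind to loopback or disable UDP); on a victim's network, inbound flows from many reflectors' source port 11211/123/53/389 to one address are the same pattern seen from the other side. The ordinary DNS exchange (ratio 3) stays under the threshold, which is why a ratio rather than a byte count is the useful signal.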

“Memcached amplification attacks are just the beginning” of these jacked-up attacks, Tierney said. “Be ready for multi-vector attacks. Rate-limiting is good, but alone it’s not enough. Get ready for scales of 900Mbps to 400Gbps to over a Terabyte.”

Tierney recommended ways to prepare for a DDoS attack, including:

  • Establish a security policy, including how you’ll enact and enforce it
  • Track issues that are security risks
  • Enact a business continuity/disaster recovery plan
  • Employ good security hygiene
  • Create an incident response plan that operates hand-in-hand with a business continuity/disaster recovery plan
  • Have a multi-pronged response plan, so that while you’re being DDoSed, your data isn’t also getting stolen in the background
  • Execute tabletop attack exercises
  • Hire external penetration tests
  • Conduct user security awareness and training
  • Change all factory-default passwords in devices
  • Know your supply chain and any potential risks they bring
  • Use DDoS traffic scrubbers, DDoS mitigation services

Source: https://www.darkreading.com/endpoint/privacy/why-ddos-just-wont-die/d/d-id/1331734

IoT botnet actively exploiting Drupal CMS bug

Botnet uses compromised systems to spread infection. Security researchers have discovered a large botnet that is using a severe flaw in the Drupal CMS in order to infect other systems.
According to a blog post by researchers at Qihoo 360 Netlab, bots have been scanning for systems with the  CVE-2018-7600 vulnerability, AKA Drupalgeddon 2 bug. The vulnerability exists in multiple drupal versions, which may be exploited by an attacker to take full control of the target.
Researchers said that scanning started on 13 April this year and they believed that at least three groups of malware campaigns are exploiting this bug. One group has worm-propagation behaviour and was dubbed Muhstik, as this name kept appearing in binary file names and a communications IRC channel. The malware is also an update of the Tsunami malware that has been used in the past to infect tens of thousands of Unix and Linux servers since 2011.
They said that Muhstik uses the following two sets of attack payloads, which contributes around 80 percent of all the payloads observed. The botnet can install multiple malicious payloads, including cryptocurrency miners (such as the XMRig Monero miner, or install the CGMiner to mine Dash cryptocurrency) and software to launch DDoS attacks. The botnet uses 11 separate command-and-control domains and IP addresses to keep online as much as possible. It also uses the IRC protocol to communicate sending different instructions via different channels.
Muhstik is also exploiting flaws in other applications such as Webdav, WebLogic, Webuzo, and WordPress. It scans ports 80, 8080, 7001, and 2004.The worm propagates by scanning for susceptible server apps and searching servers for weak secure-shell, or SSH, passwords.
The security team at Drupal patched up Drupalgeddon2 last month when it released Drupal 7.58 and Drupal 8.5.1. Sites running the CMS have been advised to update to these versions as soon as possible.
Dr Kevin Curran, senior IEEE member and professor of Cyber-security at Ulster University, told SC Media UK that we are likely to see other Content Management Systems compromised in the future, in part, simply due to their popularity.
“Hackers have accumulated many CMS vulnerabilities and there exists a host of CMSs which have neglected to update to more secure versions – thus leaving them susceptible to these well-known flaws. Weak admin passwords can also be brute forced. The other main weakness in CMSs which leads to hacks is the plugin ecosystem. Here there are, again, well-known attacks in the wild for plugins which also lead to full system hack,” he said.
Paul Ducklin, senior technologist at Sophos, told SC Media UK that the good news about the Drupal CVE-2018-7600 vulnerability is that it isn’t a zero-day because there are already patches available. “If you’ve applied the patches, you can’t be exploited. The bad news is that if you haven’t patched, or if you think you’ve patched but didn’t do it properly, then it might as well be a zero-day, because the crooks can and will attack you. Don’t make yourself an easy target: patch early, patch often!” he said.
Source: https://www.scmagazineuk.com/iot-botnet-actively-exploiting-drupal-cms-bug/article/760331/

Routers Prove to Be an Easy Target for Russian Hackers

You may unknowingly be part of a Russian hacking campaign.

No, I’m not talking about election tampering; this is a different, but ongoing, tactic. Hackers are targeting routers and firewalls, including those used in homes and small businesses. The U.S. Computer Emergency Readiness Team (US-CERT) released an unusual joint warning with the U.K.’s National Cyber Security Center to announce this risk.

Russians and Routers: What’s Happening

Since 2015, Russians have been targeting network infrastructure devices that use outdated and unencrypted protocols, are misconfigured or are so old they no longer receive security patches. Once they find these weak devices, the hackers have access to all types of critical data, including login credentials, and to other vulnerable devices that connect to the network.

Theft of sensitive information and intellectual property is only one of the goals here. Because it is Russia, talks of espionage and nation-state attacks are a concern.

“The compromised routers are only part of the attack and eventual impact,” said David Ginsburg, vice president of Marketing at Cavirin. “Look at both Mirai and Reaper, where the ultimate goal was a DDoS attack against other assets, most notably the Dyn attack that took down many internet properties in the U.S. and Europe. This type of attack, against servers or the internet infrastructure itself, is the most probable scenario, with the routers managed as a botnet against corporate or government assets.”

Taking Advantage of Our Own Failures

This particular hacking campaign doesn’t rely on a sophisticated attack vector, cutting-edge techniques or much ingenuity at all. They’re not using a stockpile of zero-day vulnerabilities that no one has previously discovered. Rather, we are opening the door and giving them free access to our routers because of our own bad behaviors. They are, as Nathan Wenzler, chief security strategist at AsTech explained, simply taking advantage of the poor effort we all make to ensure that devices we attach to the internet are configured well and secured.

“This is something the security community has been talking about for many years, but from a cultural standpoint, we simply don’t care enough to secure these devices properly and prevent these kinds of attacks from happening,” Wenzler stated.

The neglect of network device security is a multi-tiered problem. Manufacturers don’t have the incentive to add security software into routers and firewalls. The responsibility to set up security is left to the user, and most users don’t know how to get into their router and configure it properly. The device comes with a default user password, and we never change it. We ignore or forget to download firmware updates that include patches. And network devices, especially in the home or small business, are forgotten about until they don’t work or network services are being upgraded. They aren’t like smartphones, wherein obtaining the latest and greatest model is a high priority.

“We’ve been setting ourselves up for an attack like this for a long time,” said Wenzler, “and now we’re starting to see the cusp of what this problem will look like.”

Have I Been Hacked?

Unfortunately, most of us won’t know if our routers were compromised. Because the hackers aren’t taking advantage of a real exploit, it’s likely that everything will appear normal.

It is time, however, to step up security practices to better protect your router and the assets that connect to it. If you own your own router, make sure that the firmware is up to date. (If you rent your router from your internet service provider, updates should be handled by the provider.) If you still use the default password that came with the device, change it now to something unique. You may want to rename the device as well, to make connections between router and password more difficult to detect. You don’t want outsiders to log in and configure the device any way they want.

“What we need more than anything else is for the consumer base to start making secure devices a priority and demanding that manufacturers release their products in a secure-by-default configuration,” said Wenzler. “Until we change the fundamentals of how we connect to the internet, we will continue to be at risk from the kinds of dangers represented by this official alert.”

Source: https://securityboulevard.com/2018/04/routers-prove-to-be-an-easy-target-for-russian-hackers/