What Security Risks Should MSPs Expect in 2018

As IT operations are becoming more complex and require both advanced infrastructure and security expertise to increase the overall security posture of the organization, the managed service provider (MSP) industry is gaining more traction and popularity.

Estimated to grow from USD $152.45 billion in 2017 to USD $257.84 billion by 2022, at a CAGR of 11.1%, the MSP industry offers greater scalability and agility to organizations that have budget constraints and opt for a cloud-based IT deployment model.

“The cloud-based technology is the fastest-growing deployment type in the managed services market and is expected to grow at the highest CAGR during the forecast period from 2017 to 2022,” according to ResearchandMarkets. “IT budget constraints for installation and implementation of required hardware and software, limited IT support to manage and support managed services, and need for greater scalability are major factors that are likely to drive the adoption of cloud managed services in the coming years. The cloud-based deployment model offers higher agility than the on-premises deployment model.”

However, MSPs are also expected to be targeted by threat actors more often than in the past. Supply chain attacks are becoming common practice: large organizations have stronger perimeter defenses that raise the cost of a direct attack, which turns MSPs into “low-hanging fruit” that could provide access into the infrastructures of more than one victim. In other words, MSPs hold the keys to the kingdom.

Since MSPs are expected to provide around-the-clock security monitoring, evaluation, and response to security alerts, they also need to triage those alerts and escalate resources only when dealing with advanced threats.

1. Wormable military-grade cyber weapons

Leveraging leaked zero-day vulnerabilities in either operating systems or commonly deployed applications, threat actors could make WannaCry-style incidents a common occurrence. As similarly behaving threats spread across infrastructures and internet-connected endpoints – both physical and virtual – MSPs need to react quickly with adequate countermeasures to defend organizations.

While MSPs may not be directly targeted, their role in protecting organizations will become far more important, as they’ll need to reduce reaction time to new critical threats to a bare minimum on an ongoing basis. Consequently, network security and threat mitigation will become commonplace services for MSPs.

2. Next-Level Ransomware

The rise of polymorphism-as-a-service (PaaS) will trigger a new wave of ransomware samples that will make it even more difficult for security solutions to detect. Coupled with new encryption techniques, such as leveraging GPU power to expedite file encryption, ransomware will continue to plague organizations everywhere. Backup management and incident response that provides full data redundancy need to be at the core of MSP offerings when dealing with these new ransomware variants.

While traditional ransomware will cause serious incidents, threat actors might also hold companies at gunpoint by threatening to disrupt services with massive distributed-denial-of-service (DDoS) attacks performed by huge armies of IoT botnets.

3. OSX Malware

The popular belief that Apple’s operating system is immune to malware was recently put to the test by incidents such as the ransomware-disseminating Transmission app and advanced remote access Trojans (RATs) that have been spying on victims for years. With Apple devices making their way into corporate infrastructures and onto C-level desks, managing and securing them is no longer optional, but mandatory.

Security experts have started finding more advanced threats gunning for organizations that have specific MacOS components, meaning that during 2018 threat actors will continue down this alley. Regardless of company size, vertical, or infrastructure, MSPs need to factor in MacOS malware proliferation and prepare adequate security measures.

4. Virtualization-Aware Threats

Advanced malware has been endowed with virtualization-aware capabilities, making it not just difficult to identify and spot by traditional endpoint security solutions, but also highly effective when performing lateral movement in virtual infrastructures. MSPs need to identify and plan to deploy key security technologies that are not just designed from the ground up to defend virtual infrastructures, but also hypervisor-agnostic, offer complete visibility across infrastructures, and detect zero-day vulnerabilities.

Focusing on proactive security technologies for protecting virtual workloads against sophisticated attacks will help MSPs offer unique value to their services.

5. Supply Chain Attacks

MSPs could also become the target of attack for threat actors, which is why deploying strong perimeter defenses on their own end should also be a top priority. Having access to, and managing the security of, remote infrastructures turns MSPs into likely candidates for advanced attacks. Whether attackers target their infrastructure directly or “poison” commonly deployed tools, MSPs should treat the security of their own infrastructure with the utmost scrutiny.

Source: https://securityboulevard.com/2018/04/what-security-risks-should-msps-expect-in-2018/

Is Blockchain Causing More Cybersecurity Attacks in the Financial Industry?

There’s a lot of misunderstanding about blockchain. A recent study by HSBC, for example, found that 59 percent of customers around the world had never heard of it. Yet, while that alone is quite telling, it’s probably more alarming to consider the fact that the very same poll revealed that 80 percent of people who had heard of blockchain did not understand what it is.

This level of confusion isn’t confined to the general population either. Politicians in charge of setting the law around this sort of technology and some traders who are perfectly at home with currency futures are equally in the dark about what this technology is and what it means for the financial industry.

There are some who fear that this technology – a digital transaction ledger in which each block is protected by cryptography – poses a security risk. That hasn’t been helped, it has to be said, by a number of scams in this market which have caused some to associate blockchain with risk.

CoinDesk, for example, demonstrates seven key incidents that attracted attention in 2017 alone. The incidents it highlights — including wallet hacks, ICO fraud and software bugs — cost investors nearly $490 million.

But, while it’s understandable that these sorts of incidents cause alarm, the general fear around blockchain is misplaced, probably not helped by the fact that this technology is proving ‘disruptive’ to the old order, promising drastic change to the speed and ease of money transfers.

Far from being the cause of problems for the financial industry, this technology might well offer a solution to make the industry safer.

Medium writer Redactor demonstrates four key ways in which blockchain technology is improving cybersecurity. These are:

  • Mitigating attacks such as DDoS with a decentralized structure and by not having a single point of failure
  • Protection for IoT devices, which can communicate with enterprise-defined ledgers based on blockchain
  • Providing transparency with permanent records that cannot be altered without creating a data trail (in order for transactions to be finalized they need to be approved by more than half of the systems in a network and, when this occurs, the block is given a time stamp and is immutable)
  • Allowing for digital identities, greater encryption and more robust authentication

It’s fair to say that blockchain is here to stay. It isn’t ‘just’ the technology that underpins Bitcoin and other cryptocurrencies — although this is probably what it’s most known for — but a form of technology that has much wider potential for use in the finance sector and beyond.

Rather than ignore it — or treat it as a security threat — the industry needs to identify the potential of blockchain and set to work to use this as a way to add security. This, increasingly, is the case, with banks and big tech firms working on ways to harness blockchain to shelter the data of financial firms and customers alike.

Clearly scams shouldn’t be ignored — and work needs to be done to crack down on these — but nor should the positive potential of blockchain as a force for security.

Source: http://www.circleid.com/posts/20180416_is_blockchain_causing_more_cyberattacks_in_financial_industry/

Command and control: A fight for the future of government hacking

Following years of effort and billions of dollars’ worth of research and planning, the nation finally has a fully operational force of cyberwarriors at U.S. Cyber Command. Yet, as those troops confront adversaries around the world, there’s uncertainty across government about how to best make use of them.

While lawmakers push the Trump administration to exact revenge for years of cyberattacks on U.S. targets, a quiet but constant tug of war is raging between the intelligence community and the military over the future of government-backed hacking operations.

Congress, the White House and the nation’s spy agencies all have something at stake, but the tension is perhaps most intensely felt at the National Security Agency, which serves as a partner agency to U.S. Cyber Command. The NSA is not the only intel agency challenged by the warfare unit’s increasingly influential role: The CIA, the FBI and the Pentagon’s other intelligence agencies are also trying to shape Cyber Command’s future. Each agency understands offensive hacking in its own way, and that dissonance only intensifies the debate, according to current and former U.S. officials.

CyberScoop spoke with 13 current and former U.S. intelligence officials, three lawmakers and dozens of congressional aides for this story. Some chose to speak only on condition of anonymity to discuss the opinions circulating in government about who should be managing covert offensive cyber-operations that cross the line of everyday digital espionage.

The chief question is: If the U.S. is going to strike back at foreign targets in cyberspace, when should the soldiers or the spies lead the charge? Things may now finally be leaning in favor of the military after the intelligence community dominated for more than a decade, sources say. The U.S. has engaged in cyber-espionage since at least the 1990s, and there are historic cases of allied intelligence agencies launching offensive, destructive-style cyberattacks dating back to at least 2011.

Since then, both the Obama and Trump administrations have made decisions allowing Cyber Command to escape NSA’s shadow. And yet at the same time, the government appears to be desperately avoiding an all out cyber conflict with Russia or any other entity aside from ISIS.

An analyst for the U.S. government described the changing dynamic by saying: “NSA went into this thinking that they were going to be the top dog. Now they are paranoid that they may have eaten a massive tapeworm instead.”

Pressure to use Cyber Command’s full capabilities only increases as more stories surface of interference in U.S. networks by Russian, Chinese and other foreign hacking groups. Any decision to expand the military’s use of cyberwarriors will be a pivotal point in the relationship between the nation’s spies and the Pentagon, further drawing the bureaucratic boundary that separates stealthy digital espionage activities from more overt cyberwarfare operations.

The rise of the ‘gray zone’

Founded in 2009, the Fort Meade, Maryland-based Cyber Command was created through the leadership of then-NSA Director Gen. Keith Alexander. Some of its architects believe it was supposed to be a collaborative extension of NSA, but it has gained stature and influence far beyond what Alexander might have intended, insiders say.

Alexander, through a spokesperson, declined to comment for this story.

Today, U.S. Cyber Command is currently in the process of becoming a unified combatant command on par with the likes of Strategic Command (STRATCOM), which handles the nuclear program, or Special Operations Command (SOCOM), which handles high-profile combat operations. In less than a year, Cyber Command could also gain additional power through a separation from NSA that would call for a new and separate leadership structure, ending the current “dual hat” arrangement for the NSA director.

The elevation process and potential formal split from NSA could eventually give Cyber Command more leeway to plan and recommend cyberattacks, with a direct line to the White House. Launching these types of cyberattacks usually requires direct presidential approval, and the authority flows through NSA leadership. But that may too change.

In a congressional hearing Feb. 27, the current head of NSA and Cyber Command, Adm. Mike Rogers, acknowledged that there’s an ongoing “policy discussion” about giving Cyber Command more authority. Lawmakers needled him over the Trump administration’s lackluster response to Russian meddling in the 2016 presidential election. His responses were cagey, but he had a reason.

Cyber Command is quite limited in what operations it can pursue because, among other reasons, it is designated as a combat force that operates under Title 10 of the U.S. Code. That law dictates that such a unit can only operate within the confines of a declared war zone — a statute complicated by the internet’s global reach. The intelligence community, including the NSA and CIA, operates under Title 50, which permits it to conduct espionage in nearly any foreign country, a condition that’s especially advantageous when exploiting computers spread around the world.

How exactly Title 10 applies to cyberspace remains an open-ended question, former U.S. intelligence officials say. Some academics have described the current situation, in which military-backed cyberattacks occur, as a sort of legal “gray zone.” That description is driven by the fact that the international rules of engagement for cyberwarfare remain largely undefined.

Even so, Secretary of Defense James Mattis has become a leading voice lobbying the White House to at least give Cyber Command more flexibility.

“[Mattis] has been very aggressive in articulating this concerns him, that there’s an ongoing discussion at the moment, that I hope is going to come to a way ahead in the near term,” Rogers recently told lawmakers.

It’s unclear exactly which additional authorities Mattis is seeking.

Cyber Command was recently granted the ability to forward deploy its forces to combatant commands across the world, sources told CyberScoop. Previously, so-called Cyber Mission Force teams would only be assigned to U.S. bases, like Fort Meade. Now they can be located within other combatant commands like U.S. Central Command, integrating with the military on physical front lines. This follows the SOCOM model, which allows elite military personnel to be grouped and deployed rapidly to accomplish very specific objectives.

That decision could open the door for new opportunities to hack enemy networks, but it does not necessarily provide Cyber Command with any additional license to independently launch attacks.

When military leaders push to do more with hackers, they usually meet some form of resistance from Pentagon lawyers.

A recent operation underscores the complexities surrounding Cyber Command’s ability to run offensive operations in the gray zone.

According to prior reporting by the Washington Post, the Obama administration angered the German government when Cyber Command hacked into a server hosting ISIS propaganda that was located in Germany. Though the terrorist group is most active in the Middle East, the group’s digital content is sometimes hosted by shared systems located inside allied countries and not war zones. The Pentagon reportedly notified its German counterparts of the counterterrorism mission to remove ISIS material, but the hacking still upset a wary ally.

The debate about what checks and balances should exist to control the use of offensive cyber operations is especially important due to the fragile nature of the internet. With militaries looking to disrupt each other through the world wide web, innocent users will inevitably be caught up in the chaos.

In 2016, a single distributed denial of service (DDoS) attack against Dyn, an internet gateway company, knocked out dozens of major internet retailers, leading to millions of dollars in lost revenue. That attack was later attributed to several American university students, a group obviously far less equipped than a conventional army.

New spin on an old fight

While ambiguity may surround the legal framework for military-led cyberattacks, how these missions affect the intelligence community’s own computer spying efforts poses another difficult proposition.

It’s not one that’s been easily handled in the past.

“This tug of war is not a new one,” described Rhea Siers, a 30-year NSA veteran who during her time at the agency worked in multiple administrative roles. “Collecting intelligence versus taking out the target has been a key tactical and strategic discussion between the military and intelligence agencies for decades — first about SIGINT [Signal Intelligence], now about cyber-operations as well.”

With Cyber Command in the spotlight, some military leaders have pushed for permission to “engage the enemy” online more often, a U.S. official told CyberScoop. But there are U.S. intelligence officials who still worry about what Cyber Command’s rise will mean for espionage missions.

In short, spies fear that their more covert digital intrusions will be negatively impacted by a spike in “louder,” purposefully disruptive cyberattacks from military operators, who are usually more interested in immediate outcomes. The concern stems from the issue of parallel discovery — where both a spy agency and military unit are hiding in the same compromised network, allowing the detection of one attacker to expose the other.

“There is an inherent conflict between military-like cyber operations and clandestine espionage operations,” explained Jason Kichen, a former intelligence officer who was focused on computer hacking strategy. “Sometimes the military’s needs to gain their own access can put the already present espionage-focused access at risk.”

Historically, NSA’s relationship to Cyber Command has generally tended to be collaborative. The partnership is complicated because each organization is responsible for a unique mission that’s sometimes drastically different yet requires nearly identical tools and talent — both of which are finite. 

The clashes can be over which hacking tools are used, who should be handling them and whom they should be used against.

At the moment, the NSA is the government’s primary collector of information about software vulnerabilities that can be exploited by hackers. That title is held closely and with pride.

“A lot of what we ran into during the Obama administration involved the IC bucking at plans strung up by Cyber Command because they worried about intel gain-loss,” said Eric Rosenbach, former Pentagon chief of staff to Defense Secretary Ashton Carter. “The missions of Cyber Command and NSA should be complementary, but too often they are competitive and collide with one another.”

Nearly everyone who spoke to CyberScoop said that the unified combatant command’s rise under the Trump administration will inevitably challenge the NSA’s franchise on software vulnerabilities and other hacking tools. Until recently, the intelligence community usually has taken the lead in helping decide whether to deploy some of the government’s elite hacking capabilities, according to two former U.S. senior defense officials. 

But that hegemony is now increasingly challenged by a younger, military-minded Cyber Command that’s pushing for changes to the status quo.

“NSA has had a major role in this space since at least 1997, when [then-Secretary of Defense William] Cohen assigned them the mission to develop offensive techniques,” said Jason Healey, a former director for Cyber Infrastructure Protection at the White House from 2003 to 2005. “Twenty years on, they’re used to ruling the roost, especially since they’ve been not just developing but using offensive capabilities since 2005. Losing [some] of those responsibilities was always going to sting and meet bureaucratic resistance.”

Untangling the policy knot

Empowering Cyber Command appears to have bipartisan support. Multiple current and former defense officials are pushing for a win after years of apparent stagnation. And multiple former officials who worked in past administrations told CyberScoop, in general terms, that they welcomed changes that could help Cyber Command contribute to national security.

Creating the tools and policies that give Cyber Command independence from other U.S. intelligence or defense agencies has helped solve some bureaucratic issues. But not all of them.

In recent months, aides for the House Armed Services Committee and Senate Armed Services Committee have been meeting with government “working groups” to stop the military and intelligence community from butting heads. With people in the room representing both sides’ interests, lawmakers hope to quell any problems that have come with impending changes to the hierarchy.

Several aides told CyberScoop that the people representing Cyber Command have grown increasingly frustrated in these recent meetings. The representatives told the committees that the unit’s growth has been curbed by a reluctant bureaucracy that’s continuing to voice skepticism about scaling up hacking operations beyond the intelligence community.

In one meeting held in mid-February, Rogers’ Combined Action Group (CAG) held a meeting with congressional staffers, military academics and other officials from Fort Meade to discuss some of the issues. The gathering’s purpose was not necessarily to come up with immediate solutions, but to flesh out each side’s concerns that have come with Cyber Command’s maturation. Insights from the nearly eight-hour-long meeting were later provided to Rogers, who used them to prepare for a congressional hearing.

In that Capitol Hill appearance, Rogers maintained that Cyber Command should eventually be split from NSA, which would give it more autonomy.

The peacemaker?

President Donald Trump recently nominated Army Cyber Commander Gen. Paul Nakasone to be the combined leader of NSA and Cyber Command. Nakasone is a well-respected military leader with a history of working in cybersecurity-focused positions. However, he is not a career intelligence official.

Nakasone has been heralded for his time in service by former superiors, including Rosenbach and Alexander. He is widely considered one of the most experienced generals in managing military-led hacking operations.

The congressmen with perhaps the most experience dealing with NSA told CyberScoop that managing some of the conflicting equities between the two brotherly organizations will almost entirely fall on Nakasone.

“It’s really going to be up to leadership, they’re responsible for making sure it goes right,” said Rep. Dutch Ruppersberger, D-Md. “You need to have the right leader to negotiate these things, to listen to both sides and figure it out … If we don’t have good leadership for this position then it can be bad.”

Managing the tug of war in government represents just one of many challenges for the NSA director.

“That’s a very, very tough job,” he continued. “With everything that’s gone on recently, maybe one of the most difficult [jobs] in government.”

Michael Sulmeyer, a former cybersecurity policy adviser in the Office of the Secretary of Defense, said he believed Nakasone would make it a “fair fight.” Sulmeyer told CyberScoop that Cyber Command’s development may have been stunted by the dual-hat leadership arrangement, which he contends had benefited the intelligence community more.

“In the past, the IC would usually win these internal arguments … the resolution process requires consulting with the leaders of each organization. So it was a really circular, you could efficient way of dealing with it. But certainly slanted,” Rosenbach explained.

Nakasone recently told lawmakers that he planned to provide a recommendation within 90 days of being confirmed to Mattis about whether or not to split Cyber Command from NSA. Rogers, his predecessor, has said a split is inevitable. CyberScoop previously reported that Director of National Intelligence Dan Coats preferred keeping the dual hat in place for the immediate future.

In a brief interview with CyberScoop following a public speaking appearance in D.C., current White House Cybersecurity Coordinator Rob Joyce said he believed Cyber Command should be separated from NSA as it becomes more capable. He provided no timeline, but said that some predictable “friction” would likely follow a split as the two organizations readjust to a new relationship. “That’s only normal,” Joyce said.

Fighting into the future

Lawmakers are generally unsure of how Cyber Command’s evolution will pan out. But several expect a bumpy road forward.

“There’s always going to be that rub between the operators and the intel collectors. I think that’s very true right now just because probably NSA is a much more mature organization and certainly CIA also weighs in as well and they want to err towards protecting their capabilities,” said Congressman Jim Langevin, D-R.I. “I certainly get that. But sometimes they can be over-protective and it slows things down. Maybe we’re missing out on opportunities to make a [cyberwarfare] operation more effective.”

Sen. Mike Rounds, R-S.D., the chairman of the Senate Armed Services cybersecurity subcommittee, told CyberScoop that he has also been involved in helping to ensure that Cyber Command’s elevation to a unified combatant command happens quickly and in a well-managed fashion.

“After listening to a lot of discussion internally, I think we’re moving in the right direction by separating the hats,” Rounds said in an interview with CyberScoop following a congressional hearing. “Those folks operating under Title 50 really want to be deep in and not be discovered. At the same time, under Title 10 and what we would want in terms of persistence, you have to be able to show ourselves every once in a while and that we are actually doing things in cyber to deter those who are causing the problems. It may be easier to do using two hats rather than a dual hat.”

Whether the current system disproportionately handicaps Cyber Command remains a tough question to answer.

“The benefit of having a dual-hat between NSA and U.S. Cyber Command is clear — you have one person who can make a fully informed decision about the tradeoffs between the potential capability loss associated with using an intelligence asset to conduct an offensive cyber-operation,” explained Jamil Jaffer, former senior counsel to the House Intelligence Committee.

With Nakasone set to take the helm of both Cyber Command and NSA later this month following his expected confirmation, the debate will be immediately in front of him.

“Many have raised concerns that such an arrangement is a one-way ratchet and doesn’t fully account for all equities,” Jaffer said. “What can be said for certain is that if you split the current dual-hat arrangement, you’re going to be teeing up a lot more debates for the National Security Council to have on individual operations and that is likely to be its own can of worms. After all, fighting a war by committee is hardly a good way to go.”

Source: https://www.cyberscoop.com/us-cyber-command-nsa-government-hacking-operations-fight/

One year on, the WannaCry scare hasn’t made healthcare security any better

Cybersecurity in the healthcare sector was put under the spotlight after the WannaCry ransomware attacks that hit in May 2017, and it painted a vivid picture of how threats can paralyse real-world processes.

That’s according to Trend Micro and HITRUST’s latest research on how connected hospitals can be exploited – and researchers believe that the WannaCry scare has only made matters worse.

The research paper, titled Securing Connected Hospitals, looks at how internet-connected medical devices are often exposed due to misconfigured networks or software interfaces.

Connected devices can include surgical equipment, office applications, inventory systems, monitoring equipment, and imaging equipment.

Using search website Shodan, researchers were able to pinpoint devices connected to the Internet of Things and gather information about the devices’ geographic locations, hostnames, operating systems, and other information.

“An adversary can also use Shodan to perform detailed surveillance and gather intelligence about a target, which is why Shodan has been called the World’s Most Dangerous Search Engine,” the report says.

Beyond Shodan, exposed devices can also be profiled using network tools. Attackers could potentially access sensitive data and webcam feeds, compromise assets to conduct DDoS attacks or build botnets, demand ransoms, and much more.

The paper also looked at how supply chain attacks, including associates and third-party contractors, also play a dangerous role – 30% of healthcare breaches in 2016 were due to third parties.

“Supply chain threats arise as a result of outsourcing suppliers, and the lack of verifiable physical and cybersecurity practices in place at the suppliers,” the report says.

“Suppliers do not always vet personnel properly, especially companies that have access to patient data, hospital IT systems, or healthcare facilities. Vendors do not always vet their own products and software for cybersecurity risks, and may also be outsourcing resources as well. This allows perpetrators to exploit sensitive information across the supply chain.”

There are seven major supply chain threat vectors that attackers can use against the healthcare sector:

Firmware attacks, mHealth mobile application compromises, source code compromise during the manufacturing process, insider threats from hospital and vendor staff, website/EHR and internal hospital software compromise, spearphishing, and third-party vendor credentials.

The report points out that source code compromise during the manufacturing process can be extremely dangerous because hospitals tend not to test device security before installing it on their networks.

While no data on incidents involving medical devices was publicly disclosed in 2017, tablets, phones and even USB devices have been compromised in the past.

“In 2016, a healthcare organization unknowingly sent 37,000 malware-infected USB thumb drives to their offices nationwide. The manual of procedure codes for that year included the flash drive on the back pocket,” the report says.

The paper draws on qualitative risk analysis of various attack vectors to give an overview of some of the most pressing threats in healthcare.

Those threats include insecure devices that can be used to access a network, DDoS attacks, spear phishing, and unpatched systems.

“Having effective alert, containment, and mitigation processes are critical. The key principle of defense is to assume compromise and take countermeasures.”

  • Quickly identify and respond to ongoing security breaches.
  • Contain the security breach and stop the loss of sensitive data.
  • Pre-emptively prevent attacks by securing all exploitable avenues.
  • Apply lessons learned to further strengthen defenses and prevent repeat incidents.

Source: https://securitybrief.asia/story/one-year-wannacry-scare-hasnt-made-healthcare-security-any-better/

Record-setting Australian DDoS attack is a reminder to get your IoT security in order

As IoT devices proliferate, security spend is becoming a corporate compliance issue.

Internet of things (IoT) security will become a key corporate compliance issue as growing adoption opens up new avenues for cybersecurity compromise, experts have warned, as analysis of traffic data confirmed that the Memcached attack delivered Australia’s largest-ever distributed denial of service (DDoS) attack in February.

Growing DDoS attacks have been tied directly to the spread of IoT, with recent Mirai and derivative attacks leveraging insecurities in IoT devices to amplify DDoS traffic on a global basis.

As hackers continue to experiment with and refine their ability to use potentially crippling IoT botnets, Gartner research director Ruggero Contu has predicted that IoT security will rapidly become a key investment priority for businesses that are rushing to embrace the myriad sensors and other smart devices now flooding the market.

“Organisations often don’t have control over the source and nature of the software and hardware being utilised by smart connected devices,” Contu wrote.

“We expect to see demand for tools and services aimed at improving discovery and asset management, software and hardware security assessment, and penetration testing. In addition, organizations will look to increase their understanding of the implications of externalizing network connectivity.”

As a result, Gartner has forecasted IoT security spending to grow dramatically, surging 28 percent over 2017 levels to reach $US1.5 billion ($A1.94b) this year.

Spending on IoT-related gateway security will double between 2018 and 2021 to $US415m ($A537m), Gartner’s forecasts have predicted, while professional-services spend will grow from $US946m ($A1.23b) to $US2.071b ($2.68b) by 2021.

A lack of security best practices and tools in IoT planning will create drag on IoT spending plans – challenging plans to build a unified corporate defence due to haphazard, business unit-led implementations of poorly or non-integrated products that still lack common, interoperable industry security frameworks.

“Although IoT security is consistently referred to as a primary concern, most IoT security implementations have been planned, deployed and operated at the business-unit level, in cooperation with some IT departments to ensure the IT portions affected by the devices are sufficiently addressed,” Contu said.

“However, coordination via common architecture or a consistent security strategy is all but absent, and vendor product and service selection remains largely ad hoc, based upon the device provider’s alliances with partners or the core system that the devices are enhancing or replacing.”

Better IoT security can’t come too soon: new DDoS traffic figures from NETSCOUT Arbor found that DDoS traffic surged to 335Gbps and 29.4 million packets per second (Mpps) on 27 February – a record for an Australian DDoS attack and approximately 10 times the average traffic flow for the rest of the month.

This coincided with a world record-setting attack of 1.35Tbps against code-hosting company GitHub, which was itself surpassed days later by a 1.7Tbps attack that led NETSCOUT Arbor to declare that “the terabit attack era is upon us”.

Sources of the attacks on Australia were closely split between the United States (accounting for 28.86 percent of attacks), Russia (24.83 percent), China (24.16 percent), and India (22.15 percent). And the total number of DDoS attacks was down overall, at just 6200 over the previous six months – compared with around 11,000 attacks in the six months to September 2017.

The figures support predictions that DDoS volumes would continue to surge in the leadup to the Pyeongchang Winter Olympics in February, and indeed the record-setting attack came just hours after the Olympics closing ceremony on 25 February. At the time, NETSCOUT Arbor country manager Tim Murphy told CSO Australia the firm was already seeing signs of an uptick in DDoS activity – presaging the record-setting Memcached attack.

Telecommunications carriers were asserting their roles as front-line defenders against DDoS attacks, Murphy said, noting that telcos such as Telstra had established distributed DDoS detection and cleansing facilities around the world.

“In Australia, thankfully, we are very lucky that our Tier-1 telcos are quite prepared for large DDoS attacks,” he said. “That doesn’t mean that enterprises are well prepared – but that from a core perspective, we are very well prepared as a nation. We see bigger and nastier perpetrators every week – so businesses need to be more nimble not only in their ability to detect these, but their ability to mitigate them.”

Source: https://www.cso.com.au/article/635876/record-setting-australian-ddos-attack-reminder-get-your-iot-security-order/

New world record DDoS attack hits 1.7Tbps days after landmark GitHub outage

Just a week after code repository GitHub was knocked offline by the world’s largest recorded distributed denial-of-service (DDoS) attack, the same technique has been used to direct an even bigger attack at an unnamed US service provider.

According to DDoS protection outfit Arbor Networks, that US service provider survived an attack that reached an unprecedented 1.7Tbps.

Last week Arbor, Cloudflare and Akamai reported an uptick in amplification attacks that abuse memcached servers to ramp up traffic by a factor of 50,000.

Within a day of Cloudflare reporting that attackers were abusing open memcached servers to power DDoS attacks, GitHub was taken offline for about 10 minutes by an attack that peaked at 1.35Tbps.

Memcached is a caching system to optimize websites that rely on external databases. Memcached-enabled servers shouldn’t be left exposed to the internet, although at any given time over 100,000 are, according to Rapid7.

The attacks involve spoofing a target’s IP address to the default UDP port on available memcached amplifiers, which return much larger responses to the target.
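The exposure described above comes down to a memcached instance that answers UDP on a reachable interface. The following is an added example, not code from the article or from the memcached project, that audits a memcached configuration for that exposure. It assumes the one-option-per-line file format used by Debian-style /etc/memcached.conf; the options -U (UDP port, 0 to disable), -l (listen address) and -p (TCP port) are memcached's real command-line flags, and 11211 is memcached's default port. Both configuration texts are constructed samples: one left open the way the reflectors in the attack were, one with UDP disabled and the listener bound to loopback.

```python
"""Audit a memcached configuration for DDoS-amplification exposure.

Added example (not from the article or the memcached project). Parses the
one-option-per-line format of Debian-style /etc/memcached.conf files; the
options -U, -l and -p are memcached's real flags. Sample configs are
constructed.
"""
import shlex

# Constructed sample: the amplifier case, UDP on and bound to every interface.
WEAK_CONF = """
# memcached config (constructed sample)
-m 64
-p 11211
-U 11211
-u memcache
-l 0.0.0.0
"""

# Constructed sample: UDP listener disabled, TCP listener on loopback only.
HARDENED_CONF = """
-m 64
-p 11211
-U 0
-u memcache
-l 127.0.0.1
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_conf(text):
    """Return a dict of option -> value (None for options without a value).

    Lines starting with '#' are comments; each other line carries exactly
    one option, optionally followed by its value on the same line.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        opts[parts[0]] = parts[1] if len(parts) > 1 else None
    return opts


def audit(text):
    """Return a list of findings; an empty list means no amplification exposure found."""
    opts = parse_conf(text)
    findings = []
    # memcached builds before 1.5.6 enabled UDP by default, so a missing -U is
    # treated as enabled (conservative assumption when the version is unknown).
    udp_port = opts.get("-U", "11211")
    if udp_port != "0":
        findings.append(f"UDP listener enabled on port {udp_port}; set '-U 0'")
    # -l accepts a comma-separated address list; anything beyond loopback is flagged.
    listen = opts.get("-l", "0.0.0.0")
    bound = {addr.strip() for addr in listen.split(",")}
    if not bound <= LOOPBACK:
        findings.append(f"listening on {listen}; bind to loopback or a private interface with '-l'")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "OK")
```

Run against a real file with `audit(open("/etc/memcached.conf").read())`. A server that legitimately needs a non-loopback listener should still pass the UDP check, which is the setting that matters for reflection.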

The attacks appear to be getting larger by the day. Before the attack on GitHub, Arbor Networks reported seeing attacks exceeding 500Gbps.

Arbor Networks’ Carlos Morales predicts memcached attacks won’t be going away any time soon because of the number of exposed memcached servers.

“While the internet community is coming together to shut down access to the many open memcached servers out there, the sheer number of servers running memcached openly will make this a lasting vulnerability that attackers will exploit,” he wrote.

Morales’ colleague, Roland Dobbins believes the memcached DDoS attacks were initially used exclusively by skilled attackers who launched attacks manually, but now they’ve been automated via rental ‘booter’ or ‘stressor’ botnets.

He notes that the potential for abusing memcached servers in application attacks was revealed by Chinese researchers in November 2017, but that as early as 2010 researchers had discovered widespread insecure memcached servers across the world.

As Ars Technica reports, some people attacking memcached servers are attaching a ransom note instructing targets to “Pay 50 XMR” or the equivalent of $18,415 to a specified wallet.

[Image: Rapid7’s internet-wide Project Sonar scanner found over 100,000 exposed memcached servers at any given time. Image: Rapid7]

Source: http://www.zdnet.com/article/new-world-record-ddos-attack-hits-1-7tbps-days-after-landmark-github-outage/

Californian may not see stars for years after conviction for DDoS attack against telescope retailer

A California man was convicted of launching distributed denial of service (DDoS) attacks against telescope retailer Astronomics and the online astronomy forum the company runs called Cloudy Nights.

David Chesley Goodyear, of El Segundo, Calif., was found guilty by a jury last week of hitting both the Norman, Okla.-based retailer and forum in August 2016, reported Robert J. Troester, Acting United States Attorney for the Western District of Oklahoma. Troester presented evidence to the jury that Goodyear had belonged to the Cloudy Nights forum, but twice had been blocked from the site for violating its terms of service, which included sending threats to users, administrators, and moderators.

Goodyear used two aliases to place posts on Cloudy Nights on August 9 and 13, 2016. In these posts he threatened to “talk with his contacts and hit the forum and Astronomics with a DoS attack,” Troester said.

“Evidence further showed that DDoS attacks against Astronomics and Cloudy Nights commenced that night and continued intermittently until the end of August 2016, when Goodyear was interviewed by law enforcement and admitted he was responsible for the attacks,” Troester said.

Goodyear faces up to 10 years in prison and a $250,000 fine.

Source: https://www.scmagazine.com/california-man-convicted-of-ddos-attack-against-telescope-retailer/article/745248/

The risks of DDoS and why availability is everything

DDoS attacks bring significant risk to organisations that depend on their networks and websites as an integral part of their business. And these days, that’s just about everyone. Think about online banking, retailing, travel reservations, medical patient portals, telecommunications, B2B e-commerce – virtually every business model today includes a significant online transactional component or, in some cases, has shifted online entirely.

We’ve all experienced the feeling of frustration, or even desperation, when the online services we expect are not available to us instantly when we want or need them. Imagine that happening to thousands or even millions of customers worldwide, simultaneously, and you can understand the potential impact of a single DDoS attack on your organisation. Maintaining availability of digital platforms, networks, applications and services is not simply a security issue – it is a business risk and continuity issue.

It doesn’t take much to take down a substantial section of the internet. In November 2016, an accidental misconfiguration at a major internet infrastructure company led to outages at several large carriers. Although the “route leak” was accidental and not malicious, the resulting 90-minute lack of availability was still painful for the carriers and their customers alike.

A concerted attack can have far more damaging consequences. Unlike advanced threats or data breaches, which are designed for stealth to exfiltrate data of value, a successful DDoS attack is instantly recognisable. The symptoms range from poor performance and intermittent outages, to a stream of customer complaints, all the way to sudden and complete unavailability. Whatever the motive, disruption or denial of service is the goal.

Have threat capabilities leapfrogged your protection capacity?

DDoS attacks have been around just as long as e-commerce itself. Established organisations with a significant online presence have always taken measures to ensure availability. Ask yourself, however, if the protection you may have put in place several years ago is still adequate for a modern-day attack. DDoS threat capabilities have become more complex, dynamic and multi-vector. Increasingly, attackers employ a combination of attack methodologies, on the assumption that at least one will succeed while the others divert defences. These attack types include:

  • Volumetric: Large bandwidth-consuming attacks that essentially “flood” network pipes and router interfaces.
  • TCP State Exhaustion: Attacks that use up all available transmission control protocol (TCP) connections in internet infrastructure devices such as firewalls, load balancers and web servers.
  • Application Layer: “Low and slow” attacks intended to gradually wear down resources in application servers.
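Each of the three vectors above leaves a different signature in flow telemetry, and a multi-vector attack shows several at once. The following is an added example, not code from the article or from any vendor, that classifies flow records toward a target into those three classes, plus the reflected-memcached pattern from the earlier item, which is the volumetric vector's usual source. The flow records are constructed in a NetFlow-like shape, 11211 is memcached's default port, and every threshold is an assumption to be tuned to the monitored network.

```python
"""Classify DDoS vectors from flow records (added example, not from the article).

Flow records are constructed; thresholds are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    sport: int
    dport: int
    flags: str       # TCP flags seen: "S" = SYN only (half-open), "SPA" = completed; "" for UDP
    packets: int
    octets: int
    duration: float  # seconds the flow was active


MEMCACHED_UDP_PORT = 11211  # memcached's default port


def classify(flows, target, window=1.0, gbps_limit=1.0, half_open_limit=100,
             slow_conn_limit=200, amp_bytes_per_pkt=1000):
    """Return the set of attack classes observed toward `target` in one window."""
    toward = [f for f in flows if f.dst == target]
    verdict = set()

    # Volumetric: aggregate bit rate toward the target over the window.
    bits = sum(f.octets for f in toward) * 8
    if bits / window / 1e9 >= gbps_limit:
        verdict.add("volumetric")

    # TCP state exhaustion: many flows that never progress past the SYN,
    # each one occupying a connection slot in a stateful device.
    half_open = sum(1 for f in toward if f.proto == "tcp" and f.flags == "S")
    if half_open >= half_open_limit:
        verdict.add("tcp_state_exhaustion")

    # Application layer "low and slow": established connections held open for a
    # long time while carrying almost no data (under 50 bytes/s here).
    slow = sum(1 for f in toward if f.proto == "tcp" and f.flags != "S"
               and f.duration >= 30 and f.octets / f.duration < 50)
    if slow >= slow_conn_limit:
        verdict.add("application_layer")

    # Reflection/amplification: UDP responses sourced from a reflector service
    # port with a large average packet size, the memcached pattern.
    reflected = [f for f in toward if f.proto == "udp" and f.sport == MEMCACHED_UDP_PORT
                 and f.packets and f.octets / f.packets >= amp_bytes_per_pkt]
    if reflected:
        verdict.add("amplification")
    return verdict


def constructed_flows(target, with_attacks=True):
    """Constructed sample: 50 normal HTTPS sessions, optionally joined by four attack patterns."""
    flows = [Flow(f"198.51.100.{i}", target, "tcp", 40000 + i, 443, "SPA", 40, 30000, 2.0)
             for i in range(50)]
    if not with_attacks:
        return flows
    # SYN flood: 400 spoofed sources, one SYN each, handshake never completed.
    flows += [Flow(f"10.{i // 256}.{i % 256}.1", target, "tcp", 50000 + i, 443, "S", 1, 60, 0.0)
              for i in range(400)]
    # Reflected memcached responses: 200 UDP flows from port 11211 with 1,400-byte
    # packets, enough to push the aggregate past 1 Gbps in a one-second window.
    flows += [Flow(f"192.0.2.{i % 256}", target, "udp", MEMCACHED_UDP_PORT, 33000 + i, "",
                   600, 840000, 1.0) for i in range(200)]
    # Low and slow: 250 established connections held 60 s at about 10 bytes/s.
    flows += [Flow(f"172.16.{i // 256}.{i % 256}", target, "tcp", 60000 + i, 80, "PA", 12, 600, 60.0)
              for i in range(250)]
    return flows


if __name__ == "__main__":
    victim = "203.0.113.10"
    print(sorted(classify(constructed_flows(victim), victim)))
```

The four checks are independent on purpose: the text's point is that attackers combine vectors so that one succeeds while the others divert defences, so a detector that stops at the first match will under-report the attack.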

Moreover, attacks today are much easier for less sophisticated threat actors to launch, owing to the ready availability of inexpensive do-it-yourself attack tools and DDoS-for-hire services. The threat landscape has been further exacerbated by the rapid proliferation of inadequately secured Internet of Things (IoT) devices, which are being consumed into botnets and weaponised to launch multi-vector DDoS attacks.

Evaluating risks and defences

With the increase in multi-vector attacks, security experts agree that reducing the risk from DDoS attacks requires a defence-in-depth or layered approach utilising multiple, synchronised mitigation approaches.

Firewalls have long stood as the first line of defence, as policy enforcement solutions designed to prevent unauthorised data access. Unfortunately, firewalls are not very effective when it comes to availability threats like the modern-day, multi-vector DDoS attack.

Modern firewalls perform stateful packet inspection—maintaining records of all connections passing through the firewall. They determine whether a packet is the start of a new connection, part of an existing connection or invalid. But as stateful and inline devices, firewalls add to the attack surface and can be DDoS targets.

They have no inherent capability to detect or stop DDoS attacks because attack vectors use open ports and protocols. As a result, firewalls are prone to become the first victims of DDoS as their capacity to track connections is exhausted. Because they are inline, they can also add network latency.

Finally, because they are stateful, they are susceptible to resource-exhausting attacks such as Transmission Control Protocol synchronous (TCP SYN) floods and spoofed Internet Control Message Protocol (ICMP) ping floods.

Intelligent DDoS Mitigation Solutions (IDMS) are purpose-built for DDoS defence and are deployed on-premise, in front of the firewall. These solutions can handle the majority of attacks; in fact, 80% of DDoS attacks are smaller than 1Gbps.

However, they are not adequate for the growing number of large-scale attacks intended to overwhelm internet bandwidth. These larger attacks are best mitigated in the cloud. Best-practice defence today is an intelligently integrated combination of on-premise and cloud-based solutions.

Recognising that denial of availability is a business risk, it makes sense to undergo a risk analysis to assess your vulnerabilities, understand the impact of a DDoS attack under various scenarios, and determine the measures you need to have in place for optimal risk mitigation.

Today’s DDoS threat is not the same as it was ten or even five years ago. If availability is paramount to your business, then defences need to be updated to match today’s threat.

Source: https://securitybrief.co.nz/story/risks-ddos-and-why-availability-everything/

DoubleDoor Botnet Chains Exploits to Bypass Firewalls

Crooks are building a botnet that for the first time is bundling two exploits together in an attempt to bypass enterprise firewalls and infect devices.

Discovered by researchers from NewSky Security, the botnet has been cleverly named DoubleDoor. According to Ankit Anubhav, NewSky Security Principal Researcher, the DoubleDoor malware attempts to execute exploits that take advantage of two backdoors:

  • CVE-2015-7755 – backdoor in Juniper Networks’ ScreenOS software. Attackers can use the hardcoded password <<< %s(un='%s') = %u with any username to access a device via Telnet and SSH.
  • CVE-2016-10401 – backdoor in ZyXEL PK5001Z routers. Attackers can use admin:CenturyL1nk (or other) and then gain super-user access with the password zyad5001 to gain control over the device.

Anubhav says DoubleDoor attackers are using the first exploit to bypass Juniper Netscreen firewalls and then scan internal networks for ZyXEL routers to exploit with the second exploit.

First time an IoT botnet chains two exploits

In a conversation with Bleeping Computer, Anubhav says this is the first time that a botnet has chained two exploits together in an attempt to infect devices.

“For the first time, we saw an IoT botnet doing two layers of attacks, and was even ready to get past a firewall,” the expert told Bleeping Computer. “Such multiple layers of attack/evasion are usually a Windows thing.”

“Satori/Reaper have used exploits, but those are exploits for one level of attack for various devices,” Anubhav said. “If the attacker finds a Dlink device, then it uses this exploit; if it finds a Huawei device, then that exploit,” Anubhav added, describing the simple exploitation logic that most IoT malware employed in the past.

DoubleDoor botnet is not a major threat, yet

Scans and exploitation attempts for this botnet were spotted between January 18 and January 27, all originating from South Korean IP addresses.

But the botnet is not a major danger just yet. Anubhav says DoubleDoor looks like a work in progress and still under heavy development.

“The attacks are less in number when compared to Mirai, Satori, Asuna, or Daddyl33t,” he said.

The NewSky Security expert says the smaller attack numbers are likely because the botnet only targets a small subset of devices, either Internet-exposed ZyXEL PK5001Z routers, or ZyXEL PK5001Z routers protected by an enterprise-grade Juniper Netscreen firewall.

“Such setups are usually found in corporations,” Anubhav said, raising alarm about which targets the DoubleDoor author may be trying to infect.

DoubleDoor doesn’t do anything, for the moment

The good news is that DoubleDoor doesn’t do anything special after compromising ZyXEL devices. It merely adds them to a botnet structure.

“Probably it’s a test run or they are just silently recruiting devices for something bigger down the road,” Anubhav said.

But as Anubhav points out, because DoubleDoor appears to still be under development, we may soon see its author expand it with even more exploits that target other types of devices, such as those from Dlink, Huawei, Netgear, and others.

Further, the botnet may try to carry out DDoS attacks, spread malware to internal Windows networks, or something more intrusive.

But even if DoubleDoor dies down and is never seen again, its double-exploit firewall bypass technique has already attracted the attention of other IoT botnet operators, and we may see it pretty soon with other malware strains as well. The cat’s out of the bag, as they say.

Source: https://www.bleepingcomputer.com/news/security/doubledoor-botnet-chains-exploits-to-bypass-firewalls/

Tracking Bitcoin Wallets as IOCs for Ransomware

By understanding how cybercriminals use bitcoin, threat analysts can connect the dots between cyber extortion, wallet addresses, shared infrastructure, TTPs, and attribution.

Cryptocurrency, particularly bitcoin, has captured the attention of Wall Street and Silicon Valley over the past few months. It seems like everybody wants to talk about bitcoin as if it is something brand new.

The truth is that cryptocurrencies have been the norm on the Dark Web for quite some time. Bitcoin has been the payment method of choice for ransomware and cyber extortion because it allows bad actors to operate under a cloak of anonymity. But that could be changing. Threat intelligence analysts are beginning to incorporate bitcoin wallet addresses into their investigations, and we’ll soon be able to recognize attack patterns and track attribution. One thing we’ve noticed is the ability to track, to some degree, the correlations and connections between cyberattacks by following bitcoin transactions.

In order to understand why tracking bitcoin wallet addresses as indicators of compromise (IOCs) is so valuable, we need to understand why cybercriminals use bitcoin in the first place. There are three primary reasons.

Anonymity: Bitcoin provides anonymity when payments are received and when they are cashed out. That’s because bitcoin accounts and money transfers are difficult to trace and depend largely on the cybercriminal being sloppy with operations security.

Global Currency: Hackers typically prey on out-of-country targets and need a fast, untraceable method to transfer funds across nations without worrying about account freezes. Bitcoin is used as a global currency because you don’t need to worry about the exchange rates between your home country’s currency and US dollars.

Ease of Payments: In the past, hackers used to rely on gift cards for payment. This was troublesome on many levels — for instance, gift cards can’t be used globally, and criminals needed to come up with a mailing address that can’t be traced. Bitcoin and the higher profile of cryptocurrency have contributed to the rise in ransomware, as well as hackers’ ability to use extortion to elicit payments. One example occurred after the Ashley Madison website breach, when hackers threatened some users with a bitcoin ransom or having their identities revealed as adulterers. Another tactic involved using malicious emails to threaten a distributed denial-of-service attack on an organization’s network unless a bitcoin payment was made.

By tracking bitcoin wallet addresses as an IOC, we’ve been able to connect the dots between ransomware, wallet addresses, and shared infrastructure, TTPs (tactics, techniques, and procedures), and attribution.

Here is an example of how bitcoin is used in a ransomware campaign: A new piece of ransomware gives you a bitcoin address for payment. You can then make correlations that connect across sectors, like retail, energy, or technology groups based on the blockchain and/or reuse of the same address. With WannaCry, there were hard-coded bitcoin addresses that made it easy to correlate what you are dealing with and which sectors were being affected. The more bitcoin addresses are shared, the more you can identify addresses to which bitcoins are forwarded.

The ability to track transactions through the blockchain allows you to connect different ransomware campaigns. Cybercriminals don’t typically share bitcoin wallets as they might share the same exploit kit, but by tracking blockchain transactions, analysts have another investigation point from which they can pivot and dig for more.

Bitcoin Addresses Reported by Multiple Sectors

Addresses are often unique to each target or a small set of targets, but you can track where the money goes by looking at the blockchain (the transactions) to see which addresses deliver funds to the same final addresses before being cashed out.

Why is it important to be able to track bitcoin wallets as IOCs? With the ability to track payments, you can determine if bitcoins are going to specific wallet addresses, and then narrow that down to determine if they are the same two or three addresses over time. This will give you some idea of where and when cybercriminals are cashing out.

The metadata is valuable as an indicator of malicious activity because, although there are many variants of ransomware, the number of variants does not necessarily represent separate campaigns or cybercriminal groups. If you can follow the transactions through the blockchain, you can see how or if these variants are connected, and identify specific campaigns.
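The correlation described in this item, from per-victim ransom addresses through intermediate addresses to a shared cash-out point, is a graph walk over transaction data. The following is an added example, not code from the article or from TruSTAR, that performs it over a constructed ledger. It follows spends downstream until funds reach an address that never spends onward (a likely cash-out point) and, separately, applies the common-input-ownership heuristic: addresses spent together as inputs of one transaction are treated as controlled by the same party. The transactions, addresses and the sector feed are all constructed; in practice they would come from a block explorer or a full node and from sector ISAC reporting.

```python
"""Cluster ransom wallet addresses by following the money (added example).

Not from the article or TruSTAR. The ledger and the reported-address feed
are constructed; the address strings are placeholders, not real wallets.
"""
from collections import defaultdict, deque

# Constructed ledger: (txid, input addresses, output addresses).
TXS = [
    ("tx01", ["RANSOM_RETAIL_1", "RANSOM_ENERGY_1"], ["COLLECTOR_A"]),
    ("tx02", ["RANSOM_TECH_1"], ["COLLECTOR_A"]),
    ("tx03", ["COLLECTOR_A"], ["CASHOUT_1"]),
    ("tx04", ["RANSOM_HEALTH_1"], ["COLLECTOR_B"]),
    ("tx05", ["COLLECTOR_B", "RANSOM_RETAIL_2"], ["CASHOUT_2"]),
]

# Constructed IOC feed: ransom address -> sector that reported it.
REPORTED = {
    "RANSOM_RETAIL_1": "retail",
    "RANSOM_ENERGY_1": "energy",
    "RANSOM_TECH_1": "technology",
    "RANSOM_HEALTH_1": "healthcare",
    "RANSOM_RETAIL_2": "retail",
}


def build_graph(txs):
    """Map each spending address to the set of addresses it paid."""
    graph = defaultdict(set)
    for _txid, inputs, outputs in txs:
        for addr in inputs:
            graph[addr].update(outputs)
    return graph


def sinks_reached(graph, start):
    """BFS downstream from `start`; return addresses with no outgoing spend.

    An address that has never spent (including an unspent ransom address) is
    its own sink, so it clusters alone until funds move.
    """
    seen, queue, sinks = {start}, deque([start]), set()
    while queue:
        addr = queue.popleft()
        nxt = graph.get(addr, set())  # .get avoids growing the defaultdict
        if not nxt:
            sinks.add(addr)
        for nb in nxt:
            if nb not in seen:
                seen.add(nb)
                queue.append(nb)
    return sinks


def common_input_owner(txs):
    """Union-find over inputs: addresses spent together in one tx share a root."""
    parent = {}

    def find(addr):
        parent.setdefault(addr, addr)
        while parent[addr] != addr:
            parent[addr] = parent[parent[addr]]  # path halving
            addr = parent[addr]
        return addr

    for _txid, inputs, _outputs in txs:
        for addr in inputs[1:]:
            parent[find(addr)] = find(inputs[0])
    return find


def same_owner(txs, a, b):
    """True when the common-input heuristic links the two addresses to one key holder."""
    find = common_input_owner(txs)
    return find(a) == find(b)


def cluster_campaigns(txs, reported):
    """Group reported ransom addresses by the cash-out address their funds reach."""
    graph = build_graph(txs)
    by_sink = defaultdict(set)
    for addr in reported:
        for sink in sinks_reached(graph, addr):
            by_sink[sink].add(addr)
    return {sink: sorted(addrs) for sink, addrs in by_sink.items()}


def sectors_hit(addresses, reported):
    """Sectors that reported any address in a cluster, i.e. a campaign's victim spread."""
    return sorted({reported[a] for a in addresses})


if __name__ == "__main__":
    for sink, addrs in cluster_campaigns(TXS, REPORTED).items():
        print(sink, addrs, sectors_hit(addrs, REPORTED))
```

On this ledger the retail, energy and technology reports collapse into one campaign cashing out at CASHOUT_1, while the healthcare and second retail reports form another; the common-input check is the stronger of the two signals, since funds from unrelated actors can land at the same exchange address, whereas co-spending requires the same keys.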

There is a well-known saying that if you want to know where trouble is coming from, follow the money. It’s hard to follow bitcoins, but all of those bitcoin wallets can help you see how ransomware is connected.

This research was provided by the TruSTAR Data Science Unit.

Source: https://www.darkreading.com/threat-intelligence/tracking-bitcoin-wallets-as-iocs-for-ransomware-/a/d-id/1331016?