GDPR: A tool for your enemies?st

Every employee at your organisation should be prepared to deal with right to be forgotten requests.

It’s estimated that 75% of employees will exercise their right to erasure now GDPR (General Data Protection Regulation) has come into effect. However, less than half of organisations believe that they would be able to handle a ‘right to be forgotten’ (RTBF) request without any impact on day-to-day business.

These findings highlight the underlying issues we’re seeing in the post-GDPR era and how the new regulations put businesses at risk of being non-compliant. What is also worrying, is that there are wider repercussions for organisations not being prepared to handle RTBF requests.

No matter how well business is conducted, there is always the possibility of someone who holds a grudge against the company and wants to cause disruption to daily operations. One way to do this, without resorting to a standard cyber-attack, is through inundating an organisation with RTBF requests. Especially when the company struggles to complete one request, this can drain a company’s resources and grind the business to a halt. In addition to this, failing to comply with the requests in a timely manner can result in a non-compliance issue – a double whammy.

An unfortunate consequence of the new GDPR regulations is that the right to erasure is free to submit, meaning it is more likely customers or those with a grudge will request to have their data removed. There are two ways this can be requested. The first is a simple opt-out, to remove the name – usually an email address – from marketing campaigns. The other is a more time consuming, complex discovery and removal of all applicable data. It is this second type of request where there is a potential for hacktivists, be-grudged customers, or other cyber-attackers to weaponise the regulation requirement.

One RTBF request is relatively easy to handle – as long as the company knows where its data is stored of course – and the organisation actually has a month to complete the request from the day it was received. However, if a company is inundated with requests coming in on the same or consecutive days, it becomes difficult to manage and has the potential to heavily impact daily operations. This kind of attack is comparable to Distributed Denial of Service (DDoS) attacks – for example the attack on the UK National Lottery last year which saw its entire online and mobile capabilities knocked out for hours because cyber criminals flooded the site with traffic – with companies becoming overloaded with so many requests that it has to stop their services entirely.

When preparing for a flood of RTBF requests, it is essential that all organisations have a plan in place that streamlines processes for discovery and deletion of customer data, making it as easy as possible to complete multiple requests simultaneously.

Don’t let your weakest link be your downfall

The first thing to consider is whether or not the workforce is actually aware of what to do should a RTBF request come in (let alone hundreds). Educating all employees on what to do should a request be made – including who in the company to notify and how to respond to the request – is essential in guaranteeing an organisation is prepared. It will mean that any RTBF request is dealt with both correctly and in a timely manner. The process must also have clearly defined responsibilities and actions able to be audited. For companies with a DPO (Data Protection Officer) or someone who fulfils that role, this is the place to begin this process.

Discovering data is the best defence

The key to efficiency in responding to RTBF requests is discovering the data. This means the team responsible for the completion of requests is fully aware of where all the data for the organisation is stored. Therefore, a complete list of where the data can be found – and how to find it – is crucial. While data in structured storage such as a database or email is relatively simple to locate and action, it is the unstructured data, such as reports and files, which is difficult to find and is the biggest culprit of draining time and resources.

Running a ‘data discovery’ exercise is invaluable in helping organisations achieve an awareness of where data is located, as it finds data on every system and device from laptops and workstations to servers and cloud drives. Only when you know where all critical data is located, can a team assess its ability to delete it and, where applicable, remove all traces of a customer. Repeating the exercise will highlight any gaps and help indicate where additional tools may be required to address the request. Data-At-Rest scanning is frequently found as one part of a Data Loss Prevention (DLP) solution.

Stray data – a ticking time bomb

Knowing where data is stored within the organisation isn’t the end of the journey however. The constant sharing of information with partners and suppliers also has to be taken into account – and for this, understanding the data flow into and out of the company is important. Shared responsibility clauses within GDPR rules means that all partners involved with critical data are liable should a breach happen or a RTBF request cannot be completed. If critical data sitting with a partner is not tracked by the company that received the RTBF request, it makes it impossible to truly complete it and the organisation could face fines of up to 20 million EUR (or 4% of their global turnover). Therefore, it’s even more important to know how and where critical data is moving at all times, minimising the sharing of information to only those who really need to know.

While there is no silver bullet to prevent stray data, there are a number of technologies which can help to control the data which is sent both in and out of a company. Implementing automated solutions, such as Adaptive Redaction and document sanitisation, will ensure that no recipient receives unauthorised critical data. This will build a level of confidence around the security of critical data for both the organisation and the customer.

With the proper processes and technologies in place, dealing with RTBF requests is a straightforward process, whether it is a legitimate request, or an attempt by hacktivists or disgruntled customers to wreak havoc on an organisation. Streamlining data discovery processes and controlling the data flowing in and out of the company will be integral in allowing a business to complete a RTBF request and ultimately defend the organisation against a malicious use of GDPR.

Source: https://www.itproportal.com/features/gdpr-a-tool-for-your-enemies/

Hackers replacing volumetric DDoS attacks with “low and slow” attacks

By the middle of last year, organisations across the UK had woken up to the threat of DDoS attacks that had, by November, increased in frequency by a massive 91 percent over Q1 2017 and 35 percent over Q2 figures.

By the middle of last year, organisations across the UK had woken up to the threat of DDoS attacks that had, by November, increased in frequency by a massive 91 percent over Q1 2017 and 35 percent over Q2 figures. A report by CDNetworks in October revealed that more than half of all organisations had ended up as victims of DDoS attacks that regularly took their website, network or online apps down.
To deter cyber-criminals from launching powerful DDoS attacks, organisations began pouring in huge investments to shore up their defences against DDoS attacks. According to CDNetworks, average annual spending on DDoS mitigation in the UK rose to £24,200 last year, with 20 percent of all businesses investing more than £40,000 in the period.
Such investments also resulted in increased confidence amongst businesses in defending against business continuity threats such as DDoS attacks, but unfortunately, increased investments did little to stop the flow of such attacks. Kaspersky Lab’s Global IT Security Risks Survey 2017 noted that the number of DDoS attacks on UK firms doubled since 2016, affecting 33 percent of all firms.
An analysis of DDoS attacks published by Alex Cruz Farmer, security product manager at Cloudflare, has revealed that while organisations in the UK have certainly upped their spending on DDoS mitigation, cyber-criminals are now responding by switching to Layer 7 based DDoS attacks which impact applications and the end-user while ignoring traditional Layer 3 and 4 attacks whose effectiveness is no longer guaranteed. This has ensured the unabated continuance of DDoS attacks on enterprises.
“The key difference to these (Layer 7) attacks is they are no longer focused on using huge payloads (volumetric attacks), but based on Requests per Second to exhaust server resources (CPU, Disk and Memory),” he said, adding that by their very nature, Layer 7 based DDoS attacks, such as credential stuffing and content scraping, do not last too long and do not flood networks with hundreds of gigabytes of junk network traffic per second like traditional DDoS attacks.
Farmer added that Layer 7 based DDoS attacks have become so popular among hackers that Cloudflare detected around 160 attacks occurring each day, with some days spiking up to over 1000 attacks. For example, hackers are frequently carrying out enumeration attacks by identifying expensive operations in apps and hammering at them with bots to tie up resources and slow down or crash such apps. For instance, a database platform was targeted with over 100,000,000 bad requests in just 6 hours!
Indeed, the first signs of short duration yet persistent DDoS attacks were observed in May last year. Imperva Incapsula’s Global DDoS Threat Landscape Report, which analysed more than 17,000 network and application layer DDoS attacks, concluded that 80 percent of DDoS attacks lasted less than an hour, occurred in bursts, and three-quarters of targets suffered repeat assaults, in which 19 percent were attacked 10 times or more.
“These attacks are a sign of the times; launching a DDoS assault has become as simple as downloading an attack script or paying a few dollars for a DDoS-for-hire service. Using these, non-professionals can take a website offline over a personal grievance or just as an act of cyber-vandalism in what is essentially a form of internet trolling,” said Igal Zeifman, Incapsula security evangelist at Imperva to SC Media UK.
Sean Newman, director of Corero Network Security told SC Media UK that reports of increasing application layer DDoS attacks are only to be expected, as attackers continue to look for alternate vectors to meet their objectives.
“A perception that volumetric DDoS attacks are on the decline, is understandable, especially if that is your only lens on the problem.  However, when your view is based on having deployed the latest generation of always-on, real-time, DDoS protection, you will find a rather different story.
““With this lens on the problem, you will find that there is a significantly increasing trend for smaller, more calculated, volumetric DDoS attacks. In fact, Corero customers saw in increase in volumetric attacks of 50 percent compared to a year ago, with over 90 percent of those attacks being less than 5Gbps in size and over 70 percent lasting less than 10 minutes in duration,” he added.
According to Joseph Carson, chief security scientist at Thycotic, organisations are adopting various mitigation techniques to defend against targeted and repeated DDoS attacks, but many a times, such technologies also consume a lot of bandwidth and system memory and thereby interfere with smooth functioning of databases and apps.
“A Target DDoS attack is something that is very challenging to mitigate against though luckily they are periodic meaning as they occur for a short amount of time usually from days to a few weeks. Techniques that are commonly used today are mitigation techniques using Access Control Lists, Rate Limiting and filtering source IP Addresses, though each of these are resource intensive and can prevent legitimate users from getting access to your services.
“A few important lessons can be learned from Estonia’s DDoS experience back in 2007, be very careful as to what mitigation techniques you use as some companies’ responses can be more costly than the DDoS attack itself so always respond to each attack with the appropriate mitigation response.
“Though the best way to really defend and protect against future DDoS attacks is to think in terms of geographic distribution and not have any centrally dependent location of service. Estonia learned this in 2007 and has now distributed itself beyond its own country’s borders using Data Embassies,” he added.
Source: https://www.scmagazineuk.com/hackers-replacing-volumetric-ddos-attacks-with-low-and-slow-attacks/article/767988/

Danish Railway Company DSB Suffers DDoS Attack

Danish rail travelers found buying a ticket difficult yesterday, following a DDoS attack on the railway company DSB.

DSB has more than 195 million passengers every year but, as reported by The Copenhagen Post, the attack on Sunday made it impossible for customers to purchase a ticket via the DSB app, on the website, at ticket machines and certain kiosks at stations – though passengers were able to buy tickets from staff on trains.

“We have all of our experts on the case,” said DSB spokesperson Aske Wieth-Knudsen, with all systems apparently working as normal this morning.

“The DDoS attack seen in Denmark this weekend on critical national infrastructure is precisely the type of attack that EU Governments are seeking to protect citizens against with last week’s introduction of the Network and Information Systems Directive (NIS),” said Andrew Lloyd, president, Corero Network Security.

“Keeping the control systems (e.g. railway signaling, power circuits and track movements) secure greatly reduces the risk of a catastrophic outcome that risks public safety. That said, a successful attack on the more vulnerable management systems can cause widespread disruption. This DDoS attack on Danish railways ticketing site can be added to a growing list of such cyber-attacks that include last October’s DDoS attack on the Swedish Railways that took out their train ordering system for two days resulting in travel chaos.

The lessons are clear, Lloyd added; transportation companies and other operators of essential services have to invest in proactive cybersecurity defenses to ensure that their services can stay online and open for business during a cyber-attack.

Source: https://www.infosecurity-magazine.com/news/danish-railway-ddos-attack/

DDoS Attacks Ebb and Flow After Webstresser Takedown

Shortly after Infosecurity Magazine reported that administrators of the world’s largest DDoS-as-a-service website had been arrested, Link11 wrote a blog post, concluding that “In the short period of time since that date, the Link11 Security Operation Center (LSOC) has seen a roughly 60% decline in DDoS attacks on targets in Europe.”

The reported deduction differs significantly from the findings of Corero Network Security. President Andrew Lloyd questioned the conclusions drawn by Link11, saying, “Our own evidence is that attack volumes globally and in Europe have, if anything, increased in the week since the Europol take-down action.”

In stark contrast to the LSOC findings, Corero noticed a spike in distributed denial-of-service (DDoS) attacks around 17 April but said, “Since then, European attacks have remained higher in the second half of the month versus the first half of April and the year as a whole.”

The news that law enforcement agencies had closed down Webstresser.org was a big win for cybercrime fighters. “But even so, the number of attacks will only decrease temporarily,” said Onur Cengiz, head of the Link11 security operation center. “Experience has shown in recent years that for every DDoS attack marketplace taken out, multiple new platforms will pop up like the heads of a hydra.”

A Kaspersky Lab study released on 26 April, on the heels of the Webstreser takedown, gives evidence that supports the changing tides of DDoS attack types and the ebb and flow of attacks Cengiz’s alluded to in his statement.

According to the Kaspersky Lab DDoS report, Q1 revealed an increased number of DDoS attacks and targets, but there are distinctions among the different attack methods. “Amplified” attacks were beginning to wane but had a bit of a boost in momentum, while network time protocol (NTP) and DNS-based boosting had almost disappeared after most vulnerable services were patched.

DDoS attacks as a means of personal revenge grew more popular in Q1 2018. Also trending were Memcached attacks that resemble a typical DDoS attack; however, according to the Kaspersky report, “Cybercriminals will likely seek out other non-standard amplification methods besides Memcached.”

As server owners patch vulnerabilities, there will be dips in certain types of attacks. “That being the case, DDoS masterminds will likely seek out other amplification methods, one of which could be LDAP services,” the Kaspersky report authors wrote.

Source: https://www.infosecurity-magazine.com/news/ddos-attacks-ebb-flow-after/

Why DDoS Just Won’t Die

Distributed denial-of-service attacks are getting bigger, badder, and ‘blended.’ What you can (and can’t) do about that.

Most every organization has been affected by a distributed denial-of-service (DDoS) attack in some way: whether they were hit directly in a traffic-flooding attack, or if they suffered the fallout from one of their partners or suppliers getting victimized.

While DDoS carries less of a stigma than a data breach in the scheme of security threats, a powerful flooding attack can not only take down a company’s network, but also its business. DDoS attacks traditionally have been employed either to merely disrupt the targeted organization, or as a cover for a more nefarious attack to spy on or steal data from an organization.

The April takedown by the UK National Crime Agency and Dutch National Police and other officials of the world’s largest online market for selling and launching DDoS attacks, Webstresser, was a big win for law enforcement. Webstresser boasted more than 136,000 registered users and supported some four million DDoS attacks worldwide.

But in the end, Webstresser’s demise isn’t likely to make much of a dent in DDoS attack activity, experts say. Despite reports that the takedown led to a significant decline in DDoS attacks, Corero Network Security saw DDoS attacks actually rise on average in the second half of the month of April. “Our own evidence is that attack volumes globally and in Europe have, if anything, increased in the week since the Europol take-down action,” said Andrew Lloyd, president of Corero.

Even without a mega DDoS service, it’s still inexpensive to wage a DDoS attack. According to Symantec, DDoS bot software starts as low as a dollar to $15, and less than one-hour of a DDoS via a service can go from $5 to $20; a longer attack (more than 24 hours) against a more protected target, costs anywhere from $10 to $100.

And bots are becoming even easier to amass and in bigger numbers, as Internet of Things (IoT) devices are getting added to the arsenal. According to the Spamhaus Botnet Threat Report, the number of IoT botnet controllers more than doubled last year. Think Mirai, the IoT botnet that in October of 2016 took down managed DNS provider Dyn, taking with it big names like Amazon, Netflix, Twitter, Github, Okta, and Yelp – with an army of 100,000 IoT bots.

Scott Tierney, director of cyber intelligence at Infoblox, says botnets increasingly will be comprised of both traditional endpoints—Windows PCs and laptops—as well as IoT devices. “They are going to be blended,” he said in an interview. “It’s going to be harder to tell the difference” in bots.

The wave of consumer products with IP connections without software or firmware update capabilities will exacerbate the botnet problem, according to Tierney.

While IoT botnets appear to be the thing of the future, some attackers have been waging old-school DDoS attacks: in the first quarter of this year, a long-tail DDoS attack lasted more than 12 days, according to new Kaspersky Lab research. That type of longevity for a DDoS was last seen in 2015.

Hardcore heavy DDoS attacks have been breaking records of late: the DDoS attack on Github recently, clocked at 1.35 terabytes, was broken a week later by a 1.7TB DDoS that abused the Memcached vulnerability against an undisclosed US service provider. “That Github [DDoS] record didn’t even last a week,” Tierney said in a presentation at Interop ITX in Las Vegas last week.

The DDoS attack employed Memcached servers exposed on the public Internet. Memcached, an open-source memory-caching system for storing data in RAM for speeding access times, doesn’t include an authentication feature, so attackers were able to spoof requests and amplify their attack. If properly configured, a Memcached server sits behind firewalls or inside an organization.

“Memcached amplification attacks are just the beginning” of these jacked-up attacks, Tierney said. “Be ready for multi-vector attacks. Rate-limiting is good, but alone it’s not enough. Get ready for scales of 900Mbps to 400Gbps to over a Terabyte.”

Tierney recommended ways to prepare for a DDoS attack, including:

  • Establish a security policy, including how you’ll enact and enforce it
  • Track issues that are security risks
  • Enact a business continuity/disaster recovery plan
  • Employ good security hygiene
  • Create an incident response plan that operates hand-in-hand with a business continuity/disaster recovery plan
  • Have a multi-pronged response plan, so that while you’re being DDoSed, your data isn’t also getting stolen in the background
  • Execute tabletop attack exercises
  • Hire external penetration tests
  • Conduct user security awareness and training
  • Change all factory-default passwords in devices
  • Know your supply chain and any potential risks they bring
  • Use DDoS traffic scrubbers, DDoS mitigation services

Source: https://www.darkreading.com/endpoint/privacy/why-ddos-just-wont-die/d/d-id/1331734

What Security Risks Should MSPs Expect in 2018

As IT operations are becoming more complex and require both advanced infrastructure and security expertise to increase the overall security posture of the organization, the managed service provider (MSP) industry is gaining more traction and popularity.

Estimated to grow from USD $152.45 billion in 2017 to USD $257.84 billion by 2022, at a CAGR of 11.1%, the MSP industry offers greater scalability and agility to organizations that have budget constraints and opt for a cloud-based IT deployment model.

“The cloud-based technology is the fastest-growing deployment type in the managed services market and is expected to grow at the highest CAGR during the forecast period from 2017 to 2022,” according to ResearchandMarkets. “IT budget constraints for installation and implementation of required hardware and software, limited IT support to manage and support managed services, and need for greater scalability are major factors that are likely to drive the adoption of cloud managed services in the coming years. The cloud-based deployment model offers higher agility than the on-premises deployment model.”

However, MSPs are expected to also become more targeted by threat actors than in the past. Supply chain attacks are becoming a common practice, as large organizations have stronger perimeter defenses that increase the cost of attack, turning MSPs into “low-hanging fruit”
that could provide access into infrastructures belonging to more than one victim. In other words, MSPs hold the keys to the kingdom.

Since MSPs are expected to provide around-the-clock security monitoring, evaluation, and response to security alters, they also need to triage and only escalate resources when dealing with advanced threats.

1. Wormable military-grade cyber weapons

Leveraging leaked, zero-day vulnerabilities in either operating systems or commonly deployed applications, threat actors could make the WannaCry incident a common occurrence. As similarly-behaving threats spread across infrastructures around internet-connected endpoints – both physical and virtual – MSPs need to quickly react with adequate countermeasures to defend organizations.
While MSPs may not be directly targeted, their role in protecting organizations will become far more important as they’ll need to reduce reaction time to new critical threats to a bare minimum, on an ongoing basis. Consequently, network security and threat mitigation will become commonplace services for MSPs.

2. Next-Level Ransomware

The rise of polymorphism-as-a-service (PaaS) will trigger a new wave of ransomware samples that will make it even more difficult for security solutions to detect. Coupled with new encryption techniques, such as leveraging GPU power to expedite file encryption, ransomware will continue to plague organizations everywhere. Backup management and incident response that provides full data redundancy need to be at the core of MSP offerings when dealing with these new ransomware variants.

While traditional ransomware will cause serious incidents, threat actors might also hold companies at gunpoint by threatening to disrupt services with massive distributed-denial-of-service (DDoS) attacks performed by huge armies of IoT botnets.

3. OSX Malware

The popular belief that Apple’s operating system is immune to malware was recently put to the test by incidents such as the ransomware disseminating Transmission app and advanced remote access Trojans (RATs) that have been spying on victims for years. With Apple devices making their way into corporate infrastructures onto C-level’s desks, managing and securing them is no longer optional, but mandatory.

Security experts have started finding more advanced threats gunning for organizations that have specific MacOS components, meaning that during 2018 threat actors will continue down this alley. Regardless of company size, vertical, or infrastructure, MSPs need to factor in MacOS malware proliferation and prepare adequate security measures.

4. Virtualization-Aware Threats

Advanced malware has been endowed with virtualization-aware capabilities, making it not just difficult to identify and spot by traditional endpoint security solutions, but also highly effective when performing lateral movement in virtual infrastructures. MSPs need to identify and plan to deploy key security technologies that are not just designed from the ground up to defend virtual infrastructures, but also hypervisor-agnostic, offer complete visibility across infrastructures, and detect zero-day vulnerabilities.

Focusing on proactive security technologies for protecting virtual workloads against sophisticated attacks will help MSPs offer unique value to their services.

5. Supply Chain Attacks

MSPs could also become the target of attack for threat actors, which is why deploying strong perimeter defense on their end should also be a top priority. Having access and managing security aspects to remote infrastructures turns MSPs into likely candidates for advanced attacks. Either by directly targeting their infrastructure or by “poisoning” commonly-deployed tools, MSPs should treat the security of their own infrastructure with the utmost scrutiny.

Source: https://securityboulevard.com/2018/04/what-security-risks-should-msps-expect-in-2018/

Record-setting Australian DDoS attack is a reminder to get your IoT security in order

As IoT devices proliferate, security spend is becoming a corporate compliance issue.

Internet of things (IoT) security will become a key corporate compliance issue as growing adoption opens up new avenues for cybersecurity compromise, experts have warned as analysis of traffic analysis confirmed that the Memcached attack delivered Australia’s largest-ever distributed denial of service (DDoS) attack in February.

Growing DDoS attacks have been tied directly to the spread of IoT, with recent Mirai and derivative attacks leveraging insecurities in IoT devices to amplify DDoS traffic on a global basis.

As hackers continue to experiment with and refine their ability to use potentially crippling IoT botnets, Gartner research director Ruggero Contu has predicted that IoT security will rapidly become a key investment priority for businesses that are rushing to embrace the myriad sensors and other smart devices now flooding the market.

“Organisations often don’t have control over the source and nature of the software and hardware being utilised by smart connected devices,” Contu wrote.

“We expect to see demand for tools and services aimed at improving discovery and asset management, software and hardware security assessment, and penetration testing. In addition, organizations will look to increase their understanding of the implications of externalizing network connectivity. “

As a result, Gartner has forecasted IoT security spending to grow dramatically, surging 28 percent over 2017 levels to reach $US1.5 billion ($A1.94b) this year.

Spending on IoT-related gateway security will double between 2018 and 2021 to $US415m ($A537m), Gartner’s forecasts have predicted, while professional-services spend will grow from $US946m ($A1.23b) to $US2.071b ($2.68b) by 2021.

A lack of security best practices and tools in IoT planning will create drag on IoT spending plans – challenging plans to build a unified corporate defence due to haphazard, business unit-led implementations of poorly or non-integrated products that still lack common, interoperable industry security frameworks.

“Although IoT security is consistently referred to as a primary concern, most IoT security implementations have been planned, deployed and operated at the business-unit level, in cooperation with some IT departments to ensure the IT portions affected by the devices are sufficiently addressed,” Contu said.

“However, coordination via common architecture or a consistent security strategy is all but absent, and vendor product and service selection remains largely ad hoc, based upon the device provider’s alliances with partners or the core system that the devices are enhancing or replacing.”

Better IoT security can’t come too soon: new DDoS traffic figures from NETSCOUT Arbor found that DDoS traffic surged to 335Gbps and 29.4 million packets per second (Mpps) on 27 February – a record for an Australian DDoS attack and approximately 10 times the average traffic flow for the rest of the month.

This coincided with a world record-setting attack of 1.35Tbps against code-hosting company GitHub, which was itself surpassed days later by a 1.7Tbps attack that led NETSCOUT Arbor to declare that “the terabit attack era is upon us”.

Sources of the attacks on Australia were closely split between the United States (accounting for 28.86 percent of attacks), Russia (24.83 percent), China (24.16 percent), and India (22.15 percent). And the total number of DDoS attacks was down overall, at just 6200 over the previous six months – compared with around 11,000 attacks in the six months to September 2017.

The figures support predictions that DDoS volumes would continue to surge in the leadup to the Pyeongchang Winter Olympics in February, and indeed the record-setting attack came just hours after the Olympics closing ceremony on 25 February. At the time, NETSCOUT Arbor country manager Tim Murphy told CSO Australia the firm was already seeing signs of an uptick in DDoS activity – presaging the record-setting Memcached attack.

Telecommunications carriers were asserting their roles as front-line defenders against DDoS attacks, Murphy said, noting that telcos such as Telstra had established distributed DDoS detection and cleansing facilities around the world.

“In Australia, thankfully, we are very lucky that our Tier-1 telcos are quite prepared for large DDoS attacks,” he said. “That doesn’t mean that enterprises are well prepared – but that from a core perspective, we are very well prepared as a nation. We see bigger and nastier perpetrators every week – so businesses need to be more nimble not only in their ability to detect these, but their ability to mitigate them.”

Source: https://www.cso.com.au/article/635876/record-setting-australian-ddos-attack-reminder-get-your-iot-security-order/

Hospitals Exposed by Connected Devices

At any one time the world’s connected hospitals could be running as many as 80,000 exposed devices, putting hospital operations, data privacy and patient health at risk, according to Trend Micro.

The security giant’s latest report, Securing Connected Hospitals, claimed medical devices, databases, digital imaging systems, admin consoles, protocols, industrial controllers and systems software have significantly increased the average provider’s attack surface.

This puts them at risk of DDoS, ransomware attack and data theft. The report used the DREAD threat assessment model to find that DDoS is actually the biggest risk, followed by ransomware.

The latter has impacted hospitals worldwide, particularly NHS Trusts, which were severely affected by the WannaCry attack of 2017.

Senior threat researchers and report authors Numaan Huq and Mayra Rosario Fuentes claimed that hospital cybersecurity may be lacking because of several reasons.

These include: a lack of dedicated IT security staff, limited budget, diagnostic equipment which is outdated, and can’t be taken offline to patch and large numbers of mobile workers who need seamless access to systems.

The report also claimed that hospital supply chains are increasingly opening them up to cyber-risk, with 30% of breaches publicly reported to the US Department of Health and Human Services (HHS) in 2016 due to breaches of business associates and third-party vendors.

“Supply chain threats are potential risks associated with suppliers of goods and services to healthcare organizations where a perpetrator can exfiltrate confidential or sensitive information, introduce an unwanted function or design, disrupt daily operations, manipulate data, install malicious software, introduce counterfeit devices, and affect business continuity,” explained Huq and Fuentes.

“Third-party vendors have credentials that include log-ins, passwords, and badge access which can be compromised. These vendors can also store physical records, medical devices, and office equipment. Hospitals need to be supplied by a robust supply chain to ensure uninterrupted service to patients, and thus protecting the hospital supply chain against cyber-attacks becomes a critical necessity.”

Source: https://www.infosecurity-magazine.com/news/hospitals-exposed-by-connected/

New world record DDoS attack hits 1.7Tbps days after landmark GitHub outage

Just a week after code repository GitHub was knocked offline by the world’s largest recorded distributed denial-of-service (DDoS) attack, the same technique has been used to direct an even bigger attack at an unnamed US service provider.

According to DDoS protection outfit Arbor Networks, that US service provider survived an attack that reached an unprecedented 1.7Tbps.

Last week Arbor, Cloudflare and Akamai reported an uptick in amplification attacks that abuse memcached servers to ramp up by traffic by a factor of 50,000.

Within a day of Cloudflare reporting that attackers were abusing open memcached servers to power DDoS attacks, GitHub was taken offline for about 10 minutes by an attack that peaked at 1.35Tbps.

Memcached is a caching system to optimize websites that rely on external databases. Memcached-enabled servers shouldn’t be left exposed to the internet, although at any given time over 100,000 are, according to Rapid7.

The attacks involve spoofing a target’s IP address to the default UDP port on available memcached amplifiers, which return much larger responses to the target.

The attacks appear to be getting larger by the day. Before the attack on GitHub, Arbor Networks reported seeing attacks exceeding 500Gbps.

Arbor Networks’ Carlos Morales predicts memcached attacks won’t be going away any time soon because of the number of exposed memcached servers.

“While the internet community is coming together to shut down access to the many open memcached servers out there, the sheer number of servers running memcached openly will make this a lasting vulnerability that attackers will exploit,” he wrote.

Morales’ colleague, Roland Dobbins believes the memcached DDoS attacks were initially used exclusively by skilled attackers who launched attacks manually, but now they’ve been automated via rental ‘booter’ or ‘stressor’ botnets.

He notes that the potential for abusing memcached servers in application attacks was revealed by Chinese researchers in November 2017, but that as early as 2010 researchers had discovered widespread insecure memcached servers across the world.

As Ars Technica reports, some people attacking memcached servers are attaching a ransom note instructing targets to “Pay 50 XMR” or the equivalent of $18,415 to a specified wallet.

memcached-earth.png
Rapid7’s internet-wide Project Sonar scanner found over 100,000 exposed memcached servers at any given time.

Image: Rapid7

Source: http://www.zdnet.com/article/new-world-record-ddos-attack-hits-1-7tbps-days-after-landmark-github-outage/

Interpol Tests Global Cops with IoT Simulation

Interpol last week held a simulated training exercise for global investigators designed to help overcome Internet of Things (IoT) skills shortages.

The international police organization’s annual Digital Security Challenge saw 43 cybercrime investigators and digital forensics experts from 23 countries face a simulated cyber-attack on a bank launched through an IoT device.

During the course of the simulation, investigators found that the malware was sent in an email attachment via a hacked webcam, and not direct from a computer.

Interpol claimed this is an increasingly popular tactic designed to obfuscate the source of attacks, but warned that police may not have the skills to forensically examine IoT devices.

“The ever-changing world of cybercrime is constantly presenting new challenges for law enforcement, but we cannot successfully counter them by working in isolation,” said Noboru, Nakatani, executive director of the Interpol Global Complex for Innovation.

“A multi-stakeholder approach which engages the expertise of the private sector is essential for anticipating new threats and ensuring police have access to the technology and knowledge necessary to detect and investigate cyber-attacks.”

The first two Digital Security Challenge exercises in 2016 and 2017 simulated cyber-blackmail involving Bitcoin and a ransomware attack, so the new focus on IoT is reflective of the changing nature of threats.

Last week, Trend Micro claimed in its 2017 roundup report that IoT devices are increasingly being “zombified” to mine crypto-currency and launch cyber-attacks like DDoS.

Hackers can target exposed IoT endpoints to infiltrate corporate networks, conscript into botnets or even interfere with critical infrastructure.

However, nearly half (49%) of all IoT “events” observed by the security vendor last year — amounting to a total of 45.6 million — involved crypto-currency mining.

Adam Brown, security solutions manager at Synopsys, argued that IoT attacks will continue until firmware flaws are addressed.

“Good practices by vendors around configuration and authentication need to be initiated or matured to prevent this in future,” he added.

“I would love to see certification for IoT devices become commonplace so that consumers can know that the devices are cyber-safe, much in the same way that if you buy a toy with a CE mark you know it has been through a process of assessment and it won’t, for example, poison anyone because it has lead in its paint.”

Source: https://www.infosecurity-magazine.com/news/interpol-tests-global-cops-with/