How to Prevent DDoS Attacks: 6 Tips to Keep Your Website Safe

Falling victim to a distributed denial of service (DDoS) attack can be catastrophic: The average cost to an organization of a successful DDoS attack is about $100,000 for every hour the attack lasts, according to security company Cloudflare.

There are longer term costs too: loss of reputation, brand degradation and lost customers, all leading to lost business. That’s why it is worth investing significant resources to prevent a DDoS attack, or at least minimize the risk of falling victim to one, rather than concentrating on how to stop a DDoS attack once one has been started.

In the first article in this series, we discussed how to stop DDoS attacks. If you’re fortunate enough to have survived an attack – or are simply wise enough to think ahead – we will now address preventing DDoS attacks.

Understanding DDoS attacks

A basic volumetric denial of service (DoS) attack often involves bombarding an IP address with large volumes of traffic. If the IP address points to a Web server, legitimate traffic will be unable to reach it and the website becomes unavailable. Another type of DoS attack is a flood attack, in which a group of servers is flooded with requests that need processing by the victim machines. These requests are often generated in large numbers by scripts running on compromised machines that are part of a botnet, and they exhaust the victim servers’ resources, such as CPU or memory.

A DDoS attack operates on the same principles, except the malicious traffic is generated from multiple sources, although orchestrated from one central point. The fact that the traffic sources are distributed – often throughout the world – makes DDoS attack prevention much harder than preventing DoS attacks originating from a single IP address.

Another reason that preventing DDoS attacks is a challenge is that many of today’s attacks are “amplification” attacks. These involve sending small data packets to compromised or badly configured servers around the world, which then respond by sending much larger packets to the server under attack. A well-known example of this is a DNS amplification attack, where a 60-byte DNS request may result in a 4,000-byte response being sent to the victim – an amplification factor of around 70 times the original packet size.

More recently, attackers have exploited the memcached caching service to launch memcached amplification attacks, where a 15-byte request can result in a 750 KB response, an amplification factor of more than 50,000 times the original packet size. The world’s largest DDoS attack to date, launched against GitHub earlier this year, was a memcached amplification attack that peaked at 1.35 Tbps of traffic hitting GitHub’s servers.

The benefit to malicious actors of amplification attacks is that they need only a limited amount of bandwidth at their disposal to launch far larger attacks on their victims than they could do by attacking the victims directly.

Six steps to prevent DDoS attacks

1. Buy more bandwidth

Of all the ways to prevent DDoS attacks, the most basic step you can take to make your infrastructure “DDoS resistant” is to ensure that you have enough bandwidth to handle spikes in traffic that may be caused by malicious activity.

In the past it was possible to avoid DDoS attacks by ensuring that you had more bandwidth at your disposal than any attacker was likely to have. But with the rise of amplification attacks, this is no longer practical. Instead, buying more bandwidth now raises the bar which attackers have to overcome before they can launch a successful DDoS attack, but by itself, purchasing more bandwidth is not a DDoS attack solution.

2. Build redundancy into your infrastructure

To make it as hard as possible for an attacker to successfully launch a DDoS attack against your servers, make sure you spread them across multiple data centers with a good load balancing system to distribute traffic between them. If possible, these data centers should be in different countries, or at least in different regions of the same country.

For this strategy to be truly effective, it’s necessary to ensure that the data centers are connected to different networks and that there are no obvious network bottlenecks or single points of failure on these networks.

Distributing your servers geographically and topologically will make it hard for an attacker to successfully attack more than a portion of your servers, leaving the other servers unaffected and capable of taking on at least some of the extra traffic that the affected servers would normally handle.

3. Configure your network hardware against DDoS attacks

There are a number of simple hardware configuration changes you can make to help prevent a DDoS attack.

For example, configuring your firewall or router to drop incoming ICMP packets, or to block DNS responses arriving from outside your network at hosts that are not meant to serve DNS (by filtering inbound UDP port 53), can help prevent certain DNS and ping-based volumetric attacks.

4. Deploy anti-DDoS hardware and software modules

Your servers should be protected by network firewalls and more specialized web application firewalls, and you should probably use load balancers as well. Many hardware vendors now include software protection against DDoS protocol attacks such as SYN flood attacks, for example, by monitoring how many incomplete connections exist and flushing them when the number reaches a configurable threshold value.

Specific software modules can also be added to some web server software to provide some DDoS prevention functionality. For example, Apache 2.2.15 ships with a module called mod_reqtimeout to protect itself against application-layer attacks such as the Slowloris attack, which opens connections to a web server and then holds them open for as long as possible by sending partial requests until the server can accept no more new connections.
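To make the mod_reqtimeout idea concrete, here is an added example (my own code, not Apache’s and not from the original article) that emulates the read budget a directive such as `RequestReadTimeout header=20-40,MinRate=500` applies: 20 seconds to finish the header block, extended by one second per 500 bytes received, never beyond 40 seconds. The traffic samples below are constructed; the function takes arrival times instead of reading a socket so the behaviour can be checked without waiting.

```python
class RequestTimeout(Exception):
    """Raised when the header block is not complete within the allowed budget."""


class IncompleteRequest(Exception):
    """Raised when the client closes the connection before finishing the headers."""


def read_request_headers(events, initial_timeout=20.0, max_timeout=40.0, min_rate=500):
    """Emulate a 'header=20-40,MinRate=500' style read budget (assumed semantics).

    `events` is a list of (arrival_time_seconds, chunk_bytes) pairs describing
    when each piece of the request arrived, measured from connection accept.
    The server grants `initial_timeout` seconds to finish the header block;
    every `min_rate` bytes received extends the deadline by one second, but the
    deadline never exceeds `max_timeout`. Returns the header block on success.
    """
    deadline = initial_timeout
    buf = b""
    for arrived_at, chunk in events:
        if arrived_at > deadline:
            raise RequestTimeout(
                f"headers still incomplete at {arrived_at:.1f}s "
                f"(deadline {deadline:.1f}s, {len(buf)} bytes received)"
            )
        buf += chunk
        # Credit the client for the data it sent, capped at the hard limit.
        deadline = min(max_timeout, deadline + len(chunk) / min_rate)
        if b"\r\n\r\n" in buf:
            return buf.split(b"\r\n\r\n", 1)[0]
    raise IncompleteRequest("connection ended before the end of the headers")


def classify_client(events):
    """Summarise how the server would treat one connection's header phase."""
    try:
        read_request_headers(events)
        return "served"
    except RequestTimeout:
        return "timed out"
    except IncompleteRequest:
        return "disconnected"


# Constructed traffic samples (not captures from any real system).
# An ordinary client sends the whole header block at once.
NORMAL_CLIENT = [
    (0.05, b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: demo\r\n\r\n"),
]

# The slow-header pattern described above: one tiny header line every 10 s,
# never the blank line that ends the block.
SLOW_HEADER_CLIENT = [(10.0 * i, b"X-a: b\r\n") for i in range(12)]

# An honest client on a poor link: 1,000 bytes per second for 30 s, then the
# terminator. It stays above MinRate, so its deadline keeps being extended.
SLOW_LINK_CLIENT = [
    (float(i), b"X-pad: " + b"a" * 991 + b"\r\n") for i in range(30)
] + [(30.0, b"\r\n")]


if __name__ == "__main__":
    for name, events in (("normal", NORMAL_CLIENT),
                         ("slow-header", SLOW_HEADER_CLIENT),
                         ("slow-link", SLOW_LINK_CLIENT)):
        print(f"{name:12s} -> {classify_client(events)}")
```

The slow-link client is the case that matters when tuning: a plain fixed timeout would drop it, whereas the per-byte credit keeps it connected while still cutting off a connection that trickles a few bytes every few seconds. The 40-second cap is what stops an attacker from keeping a connection alive indefinitely by sending exactly enough data to earn extensions.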

5. Deploy a DDoS protection appliance

Many security vendors including NetScout Arbor, Fortinet, Check Point, Cisco and Radware offer appliances that sit in front of network firewalls and are designed to block DDoS attacks before they can take effect.

They do this using a number of techniques, including carrying out traffic behavioral baselining and then blocking abnormal traffic, and blocking traffic based on known attack signatures.

The main weakness of this approach to preventing DDoS attacks is that the appliances themselves are limited in the amount of traffic throughput they can handle. While high-end appliances may be able to inspect traffic arriving at a rate of up to 80 Gbps or so, today’s DDoS attacks can easily be an order of magnitude greater than this.

6. Protect your DNS servers

Don’t forget that a malicious actor may be able to bring your web servers offline by DDoSing your DNS servers. For that reason it is important that your DNS servers have redundancy, and placing them in different data centers behind load balancers is also a good idea. A better solution may even be to move to a cloud-based DNS provider that can offer high bandwidth and multiple points-of-presence in data centers around the world. These services are specifically designed with DDoS prevention in mind. For more information, see How to Prevent DNS Attacks.


Cyber Attacks Cost Korean Firms US$72 billion Last Year: Report

Cyber attacks cost Korean companies US$72 billion last year, according to a survey released by Microsoft Korea on June 18.

The Cyber Security Threat Report, produced jointly with Frost & Sullivan, a global consulting firm, assumes that 90 percent of the damage was indirect losses, which included losses from losing customers, tarnished corporate reputations, and job losses. The report referred to this phenomenon as an “iceberg effect” where indirect losses eclipse direct losses.

This report also covered the status of Korean companies’ security awareness. Among the Korean companies which participated in the survey, 29 percent said they did not even know whether or not a cyber attack occurred. In addition, 35 percent of them said they were postponing digitalization because they were concerned about cyber attacks.

Meanwhile, according to the semi-annual “Security Intelligence Report” released by Microsoft Korea, three types of cybercrime were used in combination — botnets, phishing, and ransomware.

A botnet is a method of infecting multiple PCs as zombie PCs through the internet to perform distributed denial-of-service (DDoS) attacks, steal data and send spam. Phishing refers to deceiving users into making a mistake by disguising a malicious website or e-mail as a legitimate website or e-mail. Ransomware is malicious code that encrypts the data on your computer and demands money in exchange for a password.

“In the rapidly changing digital world, companies must make cybersecurity a top priority for their organization,” said Kim Gui-ryeon, chief security officer at Microsoft Korea.


Six years on from the official launch, just how secure is IPv6?

The world launch of IPv6 happened back in June 2012, and World IPv6 Day is on Friday 8 June. But just how secure is IPv6 some six years after that fanfare deployment?

Development of IPv6 first started in the early 1990s, when it was realised that the physical limit of 4.3 billion unique IP addresses in the IPv4 protocol wasn’t going to be enough to support Internet growth. And that was before the Internet of Things had even been thought of. IPv6 addresses the problem, if you’ll excuse the pun, by providing 340 trillion, trillion, trillion unique addresses.

The newly published Internet Society State of IPv6 Deployment report for 2018 points to the success of IPv6 deployment. More than 25 percent of all Internet-connected networks advertise IPv6 connectivity, for example. If you combine the top 15 ISPs across the world, nearly half a billion people are using IPv6 already. Six years ago, less than one in every 100 connections to Google used IPv6; today it is one in four. The report does admit, however, that “enterprise operations tend to be the elephant in the room when it comes to IPv6 deployment.”

Internet Society Chief Internet Technology Officer Olaf Kolkman says that IPv6 is “increasingly seen as a competitive advantage, a market differentiator and an essential tool for forward-looking Internet applications and service providers of all kinds.” But the question for enterprise security teams remains: just how secure is IPv6?

“In the sense of the protocol, IPv4 and IPv6 are roughly similar in terms of security,” says Dr Stephen Strowes, Senior Researcher at the RIPE NCC, in conversation with SC Media UK. “The difference comes from other layers,” Dr Strowes adds. “It’s the tools used and training that network operators get that makes all the difference.”

Cricket Liu, VP of Infrastructure at Infoblox, agrees. “IPv6 isn’t inherently more or less secure than IPv4.” However, speaking to SC Media, Liu suggests that the major security implication of moving to IPv6 is that “network administrators have substantially less experience managing the protocol than they do with IPv4.” Throw in that network equipment vendors, security vendors, and so on often don’t support IPv6 as completely as they do IPv4, and “the chance of making configuration mistakes increases, as does the likelihood that some whizzy feature of your firewall, IDS or IPS that works great over IPv4 isn’t supported at all over IPv6.”

Wicus Ross, Security Researcher with SecureData, admits that “it’s possible that there are more misconfigurations present on IPv6 due to the relative lesser usage compared to IPv4.” However, to balance that there’s the small matter of the huge size of the IPv6 address space, where a single IPv6 subnet can contain the entire IPv4 address space. “As such,” Ross continues, “IP address enumeration or scanning through the IPv6 address space sequentially using current capability is not feasible.” This should be good news, as it makes it less efficient for attackers to hunt for vulnerable devices.

Earlier this year, DDoS protection experts Neustar experienced and successfully mitigated their first recorded native IPv6 DDoS attack. This targeted the authoritative DNS service on the Neustar network, and originated from around 1,900 native IPv6 hosts on more than 650 different networks. “IPv6 attacks present a particular set of challenges that, at this moment, cannot easily be rectified,” Barrett Lyon, General Manager of DDoS at Neustar, told SC Media UK. “For example, the massive number of addresses available to an attacker allows them to exhaust the memory of modern day security appliances,” Lyon continues. “As a result, the potential volume of an IPv6 attack has the opportunity to create a mess.”

Lyon concludes that, going forward, “a great deal of work will need to be undertaken by security professionals to ensure that IPv6 is protected and that we are ahead of the curve when it comes to predicting a hacker’s next move.”

‘The platform is under extreme load’: Cyber attack brings major cryptocurrency exchange to its knees

  • One of the largest cryptocurrency exchanges shut Tuesday morning because of a cyber attack.
  • “The platform is under extreme load,” Bitfinex said at 9:39 a.m. ET.
  • Bitcoin was trading slightly lower at $7,421 a coin, according to Markets Insider data.
Bitfinex, one of the largest cryptocurrency exchanges by trading volume, was down Tuesday morning after it experienced a cyber attack. According to its incident page, the exchange shut early Tuesday morning after it experienced problems with its trading engine. For a short period the exchange was back online after the issue was addressed. But the exchange was then hit with a so-called denial-of-service attack, which is when a network of malware-infected computers overwhelms websites with massive amounts of traffic.

“The platform is under extreme load,” the exchange said at 9:39 a.m. ET. “We are investigating. Seems a DDoS attack was launched soon after we relaunched the platform.”

Still, clients’ funds were not impacted, according to a statement by Kasper Rasmussen, head of marketing at Bitfinex.

“The attack only impacted trading operations, and user accounts and their associated funds/account balances were not at risk at any point during the attack,” Rasmussen said in a statement. “We will continue to update our user base on any further disruptions to service.”

Crypto exchange outages were common at the end of 2017 as bitcoin soared to all-time highs near $20,000, but have been less common in 2018 as prices and volumes across the digital coin market have fallen back to earth.

In 2017, the breakneck growth of the market forced some exchanges to stop onboarding new users altogether. A flash crash at Bitfinex in December left customers demanding answers and refunds.

Hacks and cyber attacks have long been a problem for the crypto space. Notably, Mt. Gox, which was the world’s largest bitcoin exchange, witnessed a massive DDoS attack in 2013. It shut in 2014 after a $450 million hack. JPMorgan estimates that a third of bitcoin exchanges have been hacked.

“Running an exchange is one of the most complex server-side operations out there,” Kyle Samani, a crypto fund manager, told Business Insider.

“On an exchange, everyone wants real time, all the time, globally and the bots are hitting the APIs every few milliseconds both to get order book updates and to trade,” Samani added. “Doing this at scale is much harder than almost any other application.”

Still, Gabor Gurbacs, the director of digital asset strategy at VanEck, told Business Insider he thinks exchanges are getting better at handling technical issues and communicating with clients.

“Recently, exchanges started to halt trading, especially important for margin trades, and provided timely and more transparent notes to customers in cases of service disruptions,” Gurbacs said. “It’s a sign of maturation in my view.”

2018’s less volatile trading environment has given exchanges an opportunity to catch their breath. Bitfinex didn’t experience any technical incidents in the entire month of May.

Bitcoin was trading lower in the aftermath of the DDoS attack. The cryptocurrency was down 1.04% at $7,421 a coin, according to Markets Insider data.


Internet of Things: when objects threaten national security

We all know personal devices can be hacked, but a whole country’s security could be at risk too. With the rise of the so-called Internet of Things (IoT), and against the backdrop of cyberwarfare, digital surveillance and digital subversion, the risk to national security is increasing. Earlier this year the head of the UK National Cyber Security Centre publicly stated that a major cyber-attack on the country’s essential services was a question of “when, not if”.

The IoT comprises the billions of online objects embedded in our homes, workplaces and cities that are constantly collecting, analysing and transmitting data. Some IoT devices, such as personal fitness trackers or smartphones, are carried with us wherever we go. Others we interact with remotely, such as domestic heating controls. Many are invisible, operating silently to modulate traffic flows, industrial control systems, and much more.

IoT devices are not so much things with computers in them, but computers with things attached to them. Because no computer is perfectly secure, that means that neither is your smart fridge or your virtual assistant. Like all things online, these objects form part of massively distributed networks. If someone wanted to hack into these global information networks, IoT devices provide billions of extra entry points.

It is relatively easy to hack an IoT device, as many cheap products do not have adequate security. Even devices with advanced security, such as driverless cars, are vulnerable. This means that IoT technologies are widely regarded as a major cyber-security problem. Pacemakers being hacked, air traffic control systems going down, and all out “cyber-war” are just some worst case scenarios. Vulnerabilities, if exploited, could lead to damage, injury and death.

Cyber-attacks on critical national infrastructure are already a very real threat. In 2015, the Ukrainian power grid was affected by a cyber-attack that left Kiev without electricity for several hours. More recently, in 2017, the UK’s NHS was compromised for weeks by the malicious software (malware) WannaCry.

These incidents show just how disruptive cyber-attacks can be and the fact that IoT attacks are proliferating and diversifying is a cause to worry. One major internet security company reported that IoT attacks increased 600% in 2016-17. This is an exponential rise and is expected to persist, not least as the number of IoT devices increase. Devices already outnumbered humans in 2017 but may top 20 billion by 2020.

The rise of the botnet

A botnet is a network of internet connected devices that have been hacked, hijacked and controlled remotely. The problem is that poorly secured IoT accounts make perfect targets for hackers attempting to develop and weaponise botnets. With the right malware, hackers can use botnets to perform distributed denial-of-service (DDoS) attacks against specific targets. The malware uses thousands of devices to flood internet servers with traffic and disable access to online resources. Billions of IoT devices make it easier for hackers to take control of large botnets and attack even the most robust targets.

The Mirai malware exploited vulnerabilities in IoT devices, such as CCTV cameras and routers, to do just this. In October 2016, Mirai launched a DDoS against Dyn, Inc, the company that provides access to major platforms like Twitter, Amazon and Netflix. The DDoS prevented consumers from accessing these platforms for several hours. Of course, it is difficult to calculate the financial implications of such incidents but Mirai showed how essential services can be attacked by exploiting IoT devices.

States or non-state actors could try and use an IoT botnet to attack a country’s health, energy, transport or finance sector. If a botnet were directed against critical national infrastructure, the effects could be severe. Speculation in the absence of evidence is rarely wise but it is not hard to imagine what might happen if financial services were taken offline, or rail transport networks sabotaged. No cyber-attack has yet collapsed the global financial system, or killed anyone, thankfully, but these are the fears of policymakers and cyber-security professionals.

Attribution is not easy either but it’s getting better. Were a state or terrorist group identified as the perpetrator of a major attack, national security apparatuses should swing into action to counter them. For NATO members, a cyber-attack might even trigger a collective political and military response.

How are governments responding?

So far both the US and the UK have stopped short of introducing regulation, but instead are putting pressure on businesses to make their products more secure. However, these policies do not address the overarching problem: companies will keep on selling products with poor security because consumers are willing to buy them. It is supply and demand. There are presently few incentives for firms to bring IoT products to market that meet high security standards. In global supply chains, the picture is even more complicated because national initiatives cannot resolve transnational problems.

The market will not solve this problem, so more robust government regulation is all but inevitable. Few bureaucracies relish the challenge. In policy terms, this is a “wicked problem”. Even if a solution was obvious, it would likely be impossible due to key players’ competing motives and the dynamism of the technical environment.

A more radical approach is to address why the IoT exists in the first place. It is the product of both laudable aims (energy efficiency, public welfare) and an obsession with connectivity for connectivity’s sake. As is well-established, complex systems generate unpredictable effects. If we are to minimise the risks of wiring up our world, we need to consider prioritising devices that are truly necessary over ones that are simply desirable. This will require a fundamental shift in mindset, putting the public good before profit and political expediency.


Weekly Cyber Risk Roundup: FBI Advises Home Router Resets

What’s Everyone Talking About? Trending Cybercrime Events

The big news this week was the Cisco warning of 500,000 routers being hacked by Russian criminal hackers in a bid to attack Ukraine. According to CNBC, “Cisco’s Talos cyber intelligence unit said it has high confidence that the Russian government is behind the campaign, dubbed VPNFilter, because the hacking software shares code with malware used in previous cyber attacks that the U.S. government has attributed to Moscow.”

In subsequent reporting, the FBI issued a statement recommending that all users with home or small-business routers turn the device off and back on again. The reboot is meant to counter the Fancy Bear-linked malware mentioned above.

Further details are being released as they become available. The details of the warnings were: “at least 500,000 in at least 54 countries. The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well as QNAP network-attached storage (NAS) devices.”

Other trending cybercrime events from the week include:

  • State data breach notifications: In October 2017, criminal hackers obtained the credentials for two employee accounts for Worldwide Insurance Services. A phishing campaign was used to steal credentials and may have resulted in private insurance details of their customers being viewed by unauthorized parties. In December 2017, a former employee of Muir Medical Group took personal details of clients with them before their employment ended. This could have resulted in the leak of personal identifiable information of clients. In March 2018, a contractor for the California Department of Public Health experienced a robbery where documents and a laptop were stolen.
  • Altcoin Experienced Second Hack: The alternative cryptocurrency Verge, experienced its second hack in recent months. $1.4 Million (USD) was stolen in this recent attack which started as a distributed denial-of-service (DDoS) attack. In the last event, the cryptocurrency suffered a 25% loss.
  • Bitcoin Gold Suffers Attack: In a similar attack to the previous report with Verge, Bitcoin Gold suffered a 51% attack resulting in the loss of $18 million in Bitcoin Gold. Also known as double spending this type of attack works very similar to DDoS attacks in which they tie up the network resources of the targets.
  • Fourteen Vulnerabilities Found in BMWs: In a recent security test, researchers found fourteen vulnerabilities as they hacked BMW cars. The reported vulnerabilities were, “the flaws could be exploited to gain local and remote access to infotainment (a.k.a head unit), the Telematics Control Unit (TCU or TCB) and UDS communication, as well as to gain control of the vehicles’ CAN bus.”
  • App Leaks Passwords in Plaintext: Researchers discovered two servers owned by the app TeenSafe, which is an app parents and guardians can use to monitor phone activity of a child, were hosted without passwords to access data being stored. Over 10,000 accounts were exposed on the AWS hosted servers.

Cyber Risk Trends From the Past Week

A new report from security researchers this week is touting a new kind of banking malware. Researchers are calling the malware Backswap and discovered it attacking Polish banks. According to the report, “We have discovered a new banking malware family that uses an innovative technique to manipulate the browser: instead of using complex process injection methods to monitor browsing activity, the malware hooks key window message loop events in order to inspect values of the window objects for banking activity.”

The malware was first noticed in January 2018, and the first samples were analyzed in March 2018. According to the report, “the banker is distributed through malicious email spam campaigns that carry an attachment of a heavily obfuscated JavaScript downloader from a family commonly known as Nemucod. The spam campaigns are targeting Polish users.” As users see everyday, just because a malware strain is targeting a specific bank or country doesn’t mean it hasn’t started to spread or won’t be turned to other targets later.


DDoS used to oust competition in crypto market

In the last 12 months, cyber criminals have been using distributed denial-of-service (DDoS) attacks to target crypto-currencies.

That’s according to Alex Cruz Farmer, product manager at Cloudflare, who spoke at the ITWeb Security Summit 2018 event this week.

Criminal perpetrators of DDoS attacks often target sites or services hosted on high-profile Web servers, such as banks or credit card payment gateways. Revenge, blackmail and activism can motivate these attacks.

However, when targeting crypto-currencies with DDoS attacks, “it’s not for the good old ransom, it’s a way to run the competition out of town”.

Cloudflare is one of the biggest DDoS mitigation platforms in the world, serving over eight million domains across more than 150 data centres.

Soon to be the norm

A crypto-currency marketplace customer, who had migrated to Cloudflare, had an attack which according to Farmer demonstrated the complexities of modern day attacks, which he believes will soon be the norm.

“The customer noticed that there were a huge number of sign-ups to their Web site, way more than usual, and had assumed this was spam or some other scam. After a week or two, they found that thousands and thousands of these accounts were logging in, and repeatedly checking their account balances, which in turn caused their database platform to grind to a halt.”

He explained that within a very short period of time, it was identified and the attack was dealt with, but the attackers did not stop there.

“Further application-based attacks occurred, focusing on almost every endpoint possible, to find another area of weakness. Fortunately, we were wise to these games, and our security teams were able to put adequate protections in place to block any further attacks.”

DDoS evolution

He pointed out that DDoS attacks have evolved over the years, noting that the first ever DDoS was in 1988 caused by the Morris Worm, written by Robert Morris.

“It was a complete accident, the purpose was to gauge the size of the Internet. However, due to an oversight in the code, it ended up taking down the Internet, causing huge amounts of damage, leading to the first ever cyber-related felony in the US.”

From then, he said DDoS attacks inherently were focused on exhausting CPU or other resources.

“For example, a simple TCP SYN attack on an Apache server would exhaust open sockets, rendering servers useless, causing any new connections to timeout. The only resolution was to restart the Web server.”

TCP SYN flood (aka SYN flood) is a type of DDoS attack that exploits part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive. Essentially, with SYN flood DDoS, the offender sends TCP connection requests faster than the targeted machine can process them, causing network saturation.
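The threshold-based defence described in step 4 of the prevention article above (“monitoring how many incomplete connections exist and flushing them when the number reaches a configurable threshold”) and the SYN flood mechanics described here come down to one observable: the number of half-open connections a host is holding. Here is an added example (my own code, not from the original article or any vendor) that counts `SYN-RECV` sockets per local port from `ss -tan` style output and flags ports over a threshold. The sample output is constructed, not captured from a real host; the column layout follows `ss -tan` on Linux.

```python
from collections import Counter, defaultdict

# Constructed sample in the layout of `ss -tan` (not output from a real host).
SAMPLE_SS_OUTPUT = """\
State    Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN   0      128    0.0.0.0:443        0.0.0.0:*
ESTAB    0      0      10.0.0.5:443       203.0.113.9:51234
SYN-RECV 0      0      10.0.0.5:443       198.51.100.7:40211
SYN-RECV 0      0      10.0.0.5:443       198.51.100.8:40212
SYN-RECV 0      0      10.0.0.5:443       198.51.100.9:40213
SYN-RECV 0      0      10.0.0.5:443       198.51.100.10:40214
SYN-RECV 0      0      10.0.0.5:443       198.51.100.11:40215
SYN-RECV 0      0      10.0.0.5:443       198.51.100.12:40216
SYN-RECV 0      0      10.0.0.5:22        203.0.113.20:55001
"""


def parse_ss_lines(lines):
    """Yield (state, local_port, peer_ip) for each socket row of `ss -tan` output."""
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":
            continue  # header row or blank line
        state, local, peer = parts[0], parts[3], parts[4]
        # rsplit on the last colon so IPv6 literals such as [::1]:443 still parse
        port_text = local.rsplit(":", 1)[1]
        if not port_text.isdigit():
            continue  # wildcard port, nothing to count
        yield state, int(port_text), peer.rsplit(":", 1)[0]


def half_open_summary(text):
    """Per local port: number of half-open (SYN-RECV) sockets and distinct peers."""
    counts, peers = Counter(), defaultdict(set)
    for state, port, peer_ip in parse_ss_lines(text.splitlines()):
        if state == "SYN-RECV":
            counts[port] += 1
            peers[port].add(peer_ip)
    return {
        port: {"half_open": n, "distinct_peers": len(peers[port])}
        for port, n in counts.items()
    }


def ports_over_threshold(text, threshold=5):
    """Return only the ports whose half-open count has reached the threshold."""
    return {
        port: summary
        for port, summary in half_open_summary(text).items()
        if summary["half_open"] >= threshold
    }


if __name__ == "__main__":
    for port, summary in ports_over_threshold(SAMPLE_SS_OUTPUT).items():
        print(f"port {port}: {summary['half_open']} half-open connections "
              f"from {summary['distinct_peers']} peers")
```

On a real host you would feed the function the output of `ss -tan` on a timer and tune the threshold per service; a busy HTTPS port legitimately holds more half-open connections than an SSH port. The `distinct_peers` figure matters for triage: a flood of half-open connections from many apparently unrelated peers is the SYN flood pattern (source addresses are typically spoofed), whereas many from one peer is more likely a broken client. The standard kernel-side mitigation on Linux is SYN cookies (`net.ipv4.tcp_syncookies=1`), which let the host keep accepting connections without storing state for every unanswered SYN.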

“Unfortunately for the attackers, there were quick and easy solutions for server administrators to protect themselves from SYN attacks, so naturally, the evolution was to find the next destructive option; exhaust the network.

“Come to 2003, we had one of the most epic DDoS attacks ever seen, caused by the infamous SQL Slammer virus. Not only did these attacks cripple the target server, they also crippled the network, and in some cases even their upstream ISP,” Farmer said.

Fast forward five to 10 years, we then saw the birth of User Datagram Protocol (UDP) based reflection attacks, primarily utilising NTP services (the service which sets the time on a computer, mobile phone or any other connected device), he pointed out.

“But, like always, patches are created, and the community came together to build necessary protections. It was UDP-based, so it was easy to block for most networks.”

According to Farmer, 2016 is when things really changed. “Mirai was born, with its debut attack of 540Gb/sec targeting the Rio Olympics, then a few weeks later generating the largest attack the world had seen against security blogger Brian Krebs.”

He explained that Mirai used IoT devices to generate the attacks. “While these devices may seem harmless, under the hood they run a real, fully-loaded operating system, mostly Linux. This means an attacker is able to run whatever script they wish, have it call home, update its firmware and most importantly, lock out the owner.”


“Hide and Seek” Becomes First IoT Botnet Capable of Surviving Device Reboots

Security researchers have discovered the first IoT botnet malware strain that can survive device reboots and remain on infected devices after the initial compromise.

This is a major game-changing moment in the realm of IoT and router malware. Until today, equipment owners could always remove IoT malware from their smart devices, modems, and routers by resetting the device.

The reset operation flushed the device’s flash memory, where the device would keep all its working data, including IoT malware strains.

“Hide and Seek” malware copies itself to /etc/init.d/

But today, Bitdefender researchers announced they found an IoT malware strain that under certain circumstances copies itself to /etc/init.d/, a folder that houses daemon scripts on Linux-based operating systems —like the ones on routers and IoT devices.

By placing itself in this directory, the malware ensures the device’s OS will automatically start its process after the next reboot.

The malware strain that achieved something that even the Mirai strain couldn’t is called Hide and Seek (HNS), also spelled Hide ‘N Seek.

HNS botnet has evolved considerably in the past few months

Bitdefender experts first spotted the HNS malware and its adjacent botnet in early January this year, and the botnet grew to around 32,000 bots by the end of the same month. Experts say HNS has infected 90,000 unique devices from the time of discovery until today.

Crooks used two exploits to create their initial botnet, which differed from other IoT botnets active today because it used a custom P2P protocol to control infected systems.

Now, experts have found new HNS versions that have added support not only for two other exploits [1, 2] but also for brute-force operations.

What this means is that HNS infected devices will scan for other devices that have an exposed Telnet port and attempt to log into that device using a list of preset credentials.

Researchers say that HNS authors have also had time to fine-tune this brute-forcing scheme, as the malware can identify at least two types of devices and attempt to log into those systems using their factory default credentials, instead of blindly guessing passwords.

Furthermore, the HNS codebase also received updates, and the bot now has ten different binaries for ten different device architectures.

Not all HNS bots are boot persistent

But HNS is not capable of gaining boot persistence on all infected devices. According to Bitdefender senior e-threat analyst Bogdan Botezatu, “in order to achieve persistence, the infection must take place via Telnet, as root privileges are required to copy the binary to the init.d directory.”

The security expert also adds that the HNS botnet is still a work-in-progress, and the malware still doesn’t support launching DDoS attacks.

Nonetheless, the functions to steal data and execute code on infected devices are still there, which means the botnet supports a plugin/module system and could be expanded at any point with any type of malicious code.
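The persistence mechanism described above (a script copied into /etc/init.d/ is started by the init system at every boot) suggests a simple defender-side check: take a hash baseline of a device’s init scripts while it is known-clean, then periodically diff the live directory against it. The script below is an added example, not part of the article or of Bitdefender’s research. It assumes a POSIX sh with `sha256sum` (present in coreutils and BusyBox) and a baseline file in `sha256sum` output format; the script names in its comments and usage are made up for illustration. As the article notes, the directory is root-owned, so both taking the baseline and running the audit have to happen as root on the device.

```shell
#!/bin/sh
# Added example (not from the article or from Bitdefender): audit an init.d-style
# directory on a Linux-based device against a known-good baseline, so that a
# script dropped there for boot persistence shows up as NEW and a legitimately
# installed script that was tampered with shows up as MODIFIED.
#
# Baseline format (assumption): the output of `sha256sum` run inside the
# directory on a known-clean device, i.e. "<sha256>  <script name>" per line.
# Because /etc/init.d is root-owned, taking the baseline and running the audit
# both need root on the device itself.

# audit_initd DIR BASELINE
# Prints one line per finding (NEW / MODIFIED / MISSING <name>) and returns 1 if
# anything was found, 0 if the directory matches the baseline exactly.
audit_initd() {
    dir=$1
    baseline=$2
    findings=0

    # Pass 1: every script present on the device must be in the baseline with
    # the same hash. A dropped script is NEW; an altered one is MODIFIED.
    for path in "$dir"/*; do
        [ -e "$path" ] || continue      # empty directory: the glob stays literal
        [ -f "$path" ] || continue      # skip subdirectories and other non-files
        name=${path##*/}
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        expected=$(awk -v n="$name" '$2 == n { print $1 }' "$baseline")
        if [ -z "$expected" ]; then
            echo "NEW $name"
            findings=1
        elif [ "$expected" != "$actual" ]; then
            echo "MODIFIED $name"
            findings=1
        fi
    done

    # Pass 2: every baseline script must still exist. A removed init script can
    # itself be a symptom (for example a monitoring agent being disabled).
    while read -r _hash name; do
        [ -n "$name" ] || continue
        [ -e "$dir/$name" ] || { echo "MISSING $name"; findings=1; }
    done < "$baseline"

    return $findings
}

# Stand-alone use:  sh audit_initd.sh /etc/init.d /root/initd.baseline
# With no arguments the file only defines the function (e.g. when sourced).
if [ $# -eq 2 ]; then
    audit_initd "$1" "$2"
fi
```

Take the baseline with `cd /etc/init.d && sha256sum * > /root/initd.baseline` on a device you trust, store it off the device (a baseline kept next to the scripts can be rewritten by the same root-level intruder), and run the audit from cron or from a central management host over SSH. A NEW finding is the strongest signal for this particular technique; MODIFIED and MISSING cover the case where an existing script is edited rather than a new one added.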


DDoSer Who Terrorized German and UK Firms Gets Off Without Jail Time

A German hacker who launched DDoS attacks and tried to extort ransom payments from German and UK firms was sentenced last month to one year and ten months of probation.

The hacker, identified by authorities only as 24-year-old Maik D., but known online as ZZb00t, was fingered for attacking several German companies, but also some UK firms.

Hacker would launch DDoS attacks and then extort victims

ZZb00t would act following the same pattern. He’d first warn companies via Twitter, and then launch DDoS attacks, taking down services from hours to up to a day.

Maik, who in real life was an IT security consultant, would often criticize companies for their poor security practices.

“Sadly but true @[REDACTED] your servers just sucks,” he wrote in one tweet. “Never thought that [REDACTED] was so extremely poorly protected. It’s more than embarrassing,” he wrote in another.

He’d often claim his actions were only for the purpose of exposing security weaknesses, claiming he was a vulnerability hunter.

But Maik wouldn’t launch DDoS attacks just out of the kindness of his heart so that companies would improve security. The hacker would often send emails promising to stop attacks for a payment in Bitcoin.

Hacker arrested after one company pressed charges

His DDoS and extortion campaigns were tracked throughout last year by a German blog [1, 2, 3, 4]. A recently released Link11 report details the hacker’s tactics.

The hacker was active at the same time as another DDoS extortion team named XMR Squad, and Link11 claims in its report that there was a working relationship and coordination of attacks between ZZb00t and XMR Squad members.

Link11 says it documented over 300 of ZZb00t’s tweets related to attacks he carried out before German authorities arrested the suspect on May 23, last year, putting an end to his attacks.


FOI Request Rings Alarm Bells on Critical Infrastructure Security

With just eight days to go until the EU’s Network and Information Systems (NIS) Directive becomes legally enforceable, a Freedom of Information (FOI) request to 312 critical infrastructure providers across the UK is ringing industry alarm bells.

The FOI requests, submitted by DDoS attack solutions provider Corero Network Security, found that 70% of these institutions – ranging from police forces to NHS trusts, energy suppliers and water authorities – have had service outages in their IT systems within the last two years, many of them blamed on cyberattacks.

The implication for these institutions under the new directive would be the enforcement of hefty fines. Under the NIS directive – which aims to raise levels of the overall security and resilience of network and information systems across the EU – these outages need to be reported and addressed.

Penalties Could be Severe

Failure to do so could result in financial penalties of up to £17 million being imposed. Corero estimates that if the NIS directive had been in place two years ago, the financial penalties faced by critical UK infrastructure would have amounted to over £2.5 billion.

Out of the 221 critical infrastructure organisations that responded to the FOI, 155 reported that they had suffered downtime in their IT network leading to loss of services in the last two years. Worryingly, over a third of the reported incidents are suspected to have been caused by cyber-attacks.

However, due to the nature of these critical institutions, the real concern is the loss of services to the public and the state.

Andrew Lloyd, President of Corero Network Security, which undertook the FOI request, stated: “Service outages and cyber-attacks against critical infrastructure have the potential to inflict significant, real-life disruption by preventing access to essential services such as power, transport and the emergency services. The fact that so many infrastructure organisations have suffered from service outages points to an alarming lack of resilience within organisations that are critical to the functioning of UK society.”

Not Just a Tick Box Exercise

This information comes on the back of the National Audit Office’s investigation into last year’s WannaCry cyber-attack, which hit NHS organisations. The investigation found that much of the damage done by the ransomware could have been avoided if a software patch available two months prior to the attack had been applied to NHS IT systems.

Corero fears that only the basic NIS requirements will be enacted to ensure compliance. Andrew Lloyd said: “As things stand, there is genuine risk that the legislation may be viewed as a mere ‘tick-box’ exercise which requires the bare minimum to be done, rather than fulfilling its promise for the UK to set world-leading standards in this area.”

In the UK the National Cyber Security Centre is the lead contact point for EU partners on NIS, and is acting as a key source of technical expertise. Its guidance on NIS compliance is published on the NCSC website.