One year on, the WannaCry scare hasn’t made healthcare security any better

Cybersecurity in the healthcare sector was put under the spotlight after the WannaCry ransomware attacks that hit in May 2017, and it painted a vivid picture of how threats can paralyse real-world processes.

That’s according to Trend Micro and HITRUST’s latest research on how connected hospitals can be exploited – and researchers believe that the WannaCry scare has only made matters worse.

The research paper, titled Securing Connected Hospitals, looks at how internet-connected medical devices are often exposed due to misconfigured networks or software interfaces.

Connected devices can include surgical equipment, office applications, inventory systems, monitoring equipment, and imaging equipment.

Using search website Shodan, researchers were able to pinpoint devices connected to the Internet of Things and gather information about the devices’ geographic locations, hostnames, operating systems, and other information.

“An adversary can also use Shodan to perform detailed surveillance and gather intelligence about a target, which is why Shodan has been called the World’s Most Dangerous Search Engine,” the report says.

Beyond Shodan, exposed devices can also be profiled using network tools. Attackers could potentially access sensitive data, webcam feeds, compromise assets to conduct DDoS attacks or botnets, demand ransoms and much more.

The paper also looked at how supply chain attacks, including associates and third-party contractors, also play a dangerous role – 30% of healthcare breaches in 2016 were due to third parties.

“Supply chain threats arise as a result of outsourcing suppliers, and the lack of verifiable physical and cybersecurity practices in place at the suppliers,” the report says.

“Suppliers do not always vet personnel properly, especially companies that have access to patient data, hospital IT systems, or healthcare facilities. Vendors do not always vet their own products and software for cybersecurity risks, and may also be outsourcing resources as well. This allows perpetrators to exploit sensitive information across the supply chain.”

There are seven major supply chain threat vectors that attackers can use against the healthcare sector:

Firmware  attacks, mHealth mobile application compromises, source code compromise during the manufacturing process, insider threats from hospital and vendor staff, website/EHR and internal hospital software compromise, spearphishing, and third party vendor credentials.

The report points out that source code compromise during the manufacturing process can be extremely dangerous because hospitals tend not to test device security before installing it on their networks.

While no data on incidents involving medical devices was publicly disclosed in 2017, tablets, phones and even USB devices have been compromised in the past.

“In 2016, a healthcare organization unknowingly sent 37,000 malware-infected USB thumb drives to their offices nationwide. The manual of procedure codes for that year included the flash drive on the back pocket,” the report says.

The paper draws on qualitative risk analysis of various attack vectors to give an overview of some of the most pressing threats in healthcare.

Those threats include insecure devices that can be used to access a network, DDoS attacks, spear phishing, and unpatched systems.

“Having effective alert, containment, and mitigation processes are critical. The key principle of defense is to assume compromise and take countermeasures.”

  • Quickly identify and respond to ongoing security breaches.
  • Contain the security breach and stop the loss of sensitive data.
  • Pre-emptively prevent attacks by securing all exploitable avenues.
  • Apply lessons learned to further strengthen defenses and prevent repeat incidents.

Source:https://securitybrief.asia/story/one-year-wannacry-scare-hasnt-made-healthcare-security-any-better/

DoubleDoor Botnet Chains Exploits to Bypass Firewalls

Crooks are building a botnet that for the first time is bundling two exploits together in an attempt to bypass enterprise firewalls and infect devices.

Discovered by researchers from NewSky Security, the botnet has been cleverly named DoubleDoor. According to Ankit Anubhav, NewSky Security Principal Researcher, the DoubleDoor malware attempts to execute exploits that take advantage of two backdoors:

CVE-2015–7755 – backdoor in Juniper Networks’ ScreenOS software. Attackers can use the hardcoded password <<< %s(un=’%s’) = %u password with any username to access a device via Telnet and SSH.
CVE-2016–10401 – backdoor in ZyXEL PK5001Z routers. Attackers can use admin:CenturyL1nk (or other) and then gain super-user access with the password zyad5001 to gain control over the device.

Anubhav says DoubleDoor attackers are using the first exploit to bypass Juniper Netscreen firewalls and then scan internal networks for ZyXEL routers to exploit with the second exploit.

First time an IoT botnet chains two exploits

In a conversation with Bleeping Computer, Anubhav says this is the first time that a botnet has chained two exploits together in an attempt to infect devices.

“For the first time, we saw an IoT botnet doing two layers of attacks, and was even ready to get past a firewall,” the expert told Bleeping Computer. “Such multiple layers of attack/evasion are usually a Windows thing.”

“Satori/Reaper have used exploits, but those are exploits for one level of attack for various devices,” Anubhav said. “If the attacker finds a Dlink device, then it uses this exploit; if it finds a Huawei device, then that exploit,” Anubhav added showing the simple exploitation logic that most IoT malware employed in the past.

DoubleDoor botnet is not a major threat, yet

Scans and exploitation attempts for this botnet were spotted between January 18 and January 27, all originating from South Korean IP addresses.

But the botnet is not a major danger just yet. Anubhav says DoubleDoor looks like a work in progress and still under heavy development.

“The attacks are less in number when compared to Mirai, Satori, Asuna, or Daddyl33t,” he said.

The NewSky Security expert says the smaller attack numbers are likely because the botnet only targets a small subset of devices, either Internet-exposed ZyXEL PK5001Z routers, or ZyXEL PK5001Z routers protected by an enterprise-grade Juniper Netscreen firewall.

“Such setups are usually found in corporations,” Anubhav said, raising a sign of alarm of what targets the DoubleDoor author may be trying to infect.

DoubleDoor doesn’t do anything, for the moment

The good news is that DoubleDoor doesn’t do anything special after compromising ZyXEL devices. It just merely adds them to a botnet structure.

“Probably it’s a test run or they are just silently recruiting devices for something bigger down the road,” Anubhav said.

But as Anubhav points out, because DoubleDoor appears to still be under development, we may soon see its author expand it with even more exploits that target other types of devices, such as those from Dlink, Huawei, Netgear, and others.

Further, the botnet may try to carry out DDoS attacks, spread malware to internal Windows networks, or something more intrusive.

But even if DoubleDoor dies down and is never seen again, its double-exploit firewall bypass technique has already attracted the attention of other IoT botnet operators, and we may see it pretty soon with other malware strains as well. The cat’s out of the bag, as they say.

Source: https://www.bleepingcomputer.com/news/security/doubledoor-botnet-chains-exploits-to-bypass-firewalls/

Dutch Central Bank warns for phishing emails after DDoS attacks on banks

The Dutch Central Bank (DNB) has issued warnings to consumers about phishing e-mails, following a series of DDoS attacks on banks. ABN Amro, ING and Rabobank were the victims of long-term DDoS attacks on several occasions last weekend and earlier this week; these led to the disruption of online services. The Tax and Customs Administration and Dutch national ID system DigiD were also affected.

DNB said there is a chance that the number of phishing emails will now increase, following these DDoS attacks. “It is not unusual for DDoS attacks on banks to be followed by an increase in phishing mail to account holders. Criminals often attempt to use the agitation around digital attacks to make people feel vulnerable, and to then extract sensitive bank account details.

The recent DDoS attacks on the banks were advanced, according to the DNB. Banks have in place strong defensive measures to ensure that services are available through websites and internet banking. The banks have been in constant consultation with each other during the few last days and have worked together with the authorities, including the DNB and the National Cyber ​​Security Center. For such situations, multiple consultation structures have been set up, aimed at normalising payment transactions as quickly as possible.

Source:https://www.telecompaper.com/news/dutch-central-bank-warns-for-phishing-emails-after-ddos-attacks-on-banks–1230205

Test your cyber defenses with DIY DDoS

CANADIAN cybersecurity company DOSarrest has released a new service which allows organizations to test their systems’ resilience against distributed denial of service attacks.

The Cyber Attack Preparation Platform (CAPP) allows anyone to choose from a variety of options which specify the attack type, velocity, duration, and vector. The service is paid for according to the options chosen, and can be used by anyone – previously, only DOSarrest’s clients had access to this type of facility.

The attacking machines are distributed across the world and employ a variety of methods, thus accurately emulating an attack “in the wild.”

The company’s literature states that in some cases, larger hosts (such as cloud provider services like AWS or Google Cloud) simply scale up their hosted sites’ provisions in order to mitigate an attack: in short, when the going gets tough, the tough throw resources.

However, this style of mitigation can cost companies large sums of money if they are funding their cloud computing activities on the basis of pay-as-you-use.

Users of DOSarrest’s service can choose to pick specific attack types from a range of TCP attacks, plus a focussed range of attacks usually aimed at web services.

DOSarrest’s CTO, Jag Bains commented:

“It’s interesting to see how different systems react to attacks; CAPP not only shows you the traffic to the victim but also shows you the traffic response from the victim. A small attack [on] a target can actually produce a response back that’s 500 times larger […] This is the best tool I’ve seen to fine tune your cybersecurity defenses, if you fail you can make changes and launch the exact same attack again, to see if you can stop the attack.”

The company advises that attacks are chosen carefully as it is plainly possible to bring down an entire enterprise’s systems – by equal measures alarming and reassuring that large attacks can be emulated.

The company provides a handy pricing calculator by which interested parties can scope out what their testing might cost them: a ballpark of $US1,500 might be considered a bare minimum.

Of course, the cost of an attack by unknown actors will be much more, by some significant factor, and DOSarrest’s facility should hopefully go some way in mitigating the chances of such an attack being successful.

Source: http://techwireasia.com/2018/01/test-your-cyber-defenses-with-diy-ddos/

Hackers Will Target Small Business Through the Internet of Things in 2018, New Report Says

A new report finds hackers are poised to target small businesses that use Internet of Things (IoT) technology to gain access to data from larger global firms in 2018. The  2018 Cybersecurity Predictions by Aon’s Cyber Solutions predicts a small business Internet of Things (IoT) breach will create a domino effect that damages a larger company.

2018 Cybersecurity Predictions

The report also found that while  55 percent of small businesses were breached between 2015 and 2016,  only a small minority see cybersecurity as a critical issue. This is despite the fact that the overall money spent on cybersecurity in 2017 was $86.4 billion, an increase of 7 percent over 2016.

New Threat

The Internet of Things (IoT) is at heart of this new threat.  It’s loosely defined as all software enabled devices we use (from appliances to smartphone sand computers) that can exchange data.

Criminals hijacked hundreds of thousands of Internet of Things (IoT) devices worldwide in 2017. They’ve even fine tuned  social engineering and spear-phishing tactics according to the report.

Jason J. Hogg, CEO of Aon Cyber Solutions explains the looming threat as small businesses use this technology.

“IoT is notoriously unsecured: manufacturers often lack necessary security expertise, constant product innovation creates vulnerabilities, and companies frequently overlook proper patch management programs. Hackers exploit this reality, targeting IoT as a pivot point to enter systems and take control of physical operations.”

Botnets

The report found that hackers favored botnets like “Hajime” and “IoT_reaper” last year. The growing trend caused concerns about DDoS attacks and other issues. DDoS attacks occur when hackers flood servers with bogus data and websites and networks get shut down.

High Cost

Any attack can really harm a small businesses’ operations as well as a larger organization.  There’s always a high cost to having your business shut down for any amount of time. What’s more, there’s lasting reputational damage because these smaller firms are working more and more with big organizations that have a large reach.

Hogg also says there are some other reasons why small businesses are ripe for this new Internet of Things (IoT) cybersecurity threat.

“Small businesses, lacking resources and/or awareness to effectively secure their systems, are particularly vulnerable to cyber attacks on IoT,” he says. “The breach will serve as a wake-up call for small and midsized businesses to implement better security measures so as not to risk losing business.”

Passwords

The report also predicts passwords will continue to be hacked. Multifactor authentication will become critical as hackers learn to get around biometrics.  Larger businesses will adopt standalone cyber insurance policies and chief risk officers will play a larger role.

The report also sees the spotlight on regulation strengthening and widening as calls for a harmonized approach to cyber security get more intense.  It points to the EU’s attempt to set  a universal standard for consumer data privacy and Global Data Protection Regulation (GDPR), that oversees companies collecting data from EU citizens.

Criminals will also target transactions that use points as currency like retailers who use rewards, gift and loyalty programs.  The use of cryptocurrencies will encourage an increase in ransomware attacks in 2018 like the WannaCry ransomware that affected 200,000 computers in 150 countries in 2017.

Source: https://smallbiztrends.com/2018/01/2018-cybersecurity-predictions.html

New year, new defence: Cybersecurity help and predictions for 2018

Organisations will adopt AI and other emerging technologies to help fight this year’s growing cyber threats.

With 2017 seeing an enormous number of data breaches, businesses should be looking at their cybersecurity processes and planning how to effectively monitor their network security in the year to come. With massive developments in monitoring and AI providing unmissable cybersecurity opportunities, here are five predictions of what we expect to see in 2018.

1. Organisations will increasingly adopt AI-based systems to help with Cybersecurity

In 2018, we’ll see companies using AI-based tools to benchmark their networks to ensure that companies know exactly what systems should ‘normally’ look like, allowing abnormalities to be identified faster before cyber incidents become full-blown attacks.

Despite hackers constantly evolving their attack methods to target new vulnerability points and bypass existing defence systems, AI-based tools can use real-time analytical models to search for anomalies. While analysts still need to decide whether these anomalies require urgent action or not, AI can help make them more productive.

We can also expect to see AI being used more to evaluate and prioritise security alerts. This will automate the more routine procedures that analysts have to undertake, and may even reduce threat related ‘false positives’ alerts in networks. Many companies are relying on rule-sets provided by third-party providers to deal with false positives, and they often don’t have the ability to tune and change the rules. This means that they either suffer the false positives and ignore them, or turn off that rule if the false positives are too prevalent – neither of which is an effective strategy.

AI-based systems can help by filtering out the noise of false positives, making it easier for analysts to identify, and focus on, the real threats.

2. Companies will handle breach communication much better than they did in 2017

PayPal is a great example of this. The company should be commended for implementing good hygiene practices that resulted in identifying and announcing the breach at TIO on 4th December, and for showing leadership in claiming responsibility for dealing with the outcome. We’re set to see a big difference between those companies that try and sweep breaches under the carpet, and those that are set up with the right processes to investigate breaches and respond appropriately. Those who attempt to hide breaches – we’re looking at you Uber – will be treated with contempt by customers and the media, as indicated by surveys that indicate as many as 85% of respondents wouldn’t do business with firms that had suffered a data breach.

Of course, on 25th May, 2018, the General Data Protection Regulation (GDPR) will come into effect, which means companies will have to notify the Information Commissioner’s Office (ICO) of a breach within 72 hours, or a fine of up to 4% of global revenue.

Sensible organisations will look to implement stronger protection using application whitelisting, encryption and other techniques and improve their detection capability. They should also look to collect and store more definitive evidence about what takes place on their networks – in the form of more verbose log data, NetFlow history and full packet capture. Without this, organisations will find it impossible to investigate a breach quickly enough to satisfy regulatory obligations.

3. Retailers will be far more risk averse during holidays

Companies have begun to accept that optimised monitoring needs to take place all year-round, and Christmas will be no exception. However, companies will become more risk adverse, and whether it’s a bank or a retailer, as the holiday period approaches, often there’s a “blackout” period during which network and security teams are not allowed to make updates and changes to their networks other than urgent patches.

Threat actors may step their activity during the holiday period because there is a higher chance of evading identification and more to gain. This year, Shopify revealed that at the peak of Black Friday, online shoppers were making 2,800 orders per minute, worth approximately US$1million. Had Shopify experienced an outage of just five minutes during this busy period, it would have cost them US$5million in revenue. Protecting against outages – such as might result from a Distributed Denial Of Service (DDOS) attack – is critical at these times. Additionally, this volume of online activity makes it easy for hackers to hide their movements while everyone’s focus is on making sure systems stay up and handle the load.

4. New housekeeping and the end of BYOD

Basic house-keeping will play a big role in cybersecurity in 2018. We’ll see a lot more staff training, and more focus on patching and standardisation so that companies avoid attacks like the widespread ransomware outbreaks we saw this year.

We’re also likely to see more companies moving away from BYOD. The reality is that BYOD has simply proven too hard to regulate and the risk it poses too difficult to protect against. In sensitive networks, with a lot at stake, this risk is not acceptable any longer.

5. Increasing use of strong encryption, and attacks over encrypted connections.

We already know that encryption of network traffic is being used more frequently by attackers as way to hide evidence of their activity. Analysts and their detection tools can’t see into the payload of encrypted traffic.

Unless, of course, they have the encryption keys. If operators force all SSL connections to pass through a proxy, they can decrypt the traffic and see inside the payload. This allows the proxy to provide a clear-text version of the traffic to security tools for analysis, or to full packet capture appliances like the EndaceProbe Network Recorder.

 We should expect to see the adoption of SSL proxy appliances increasing in 2018 – great news for companies like Ixia, Gigamon, Bluecoat, Juniper and others that make these appliances.

Conclusion

So, will 2018 be just as unpredictable when it comes to cybersecurity, data breaches and network infiltration? Chances are, most likely it will. However, with the right plans, practices and network monitoring in place, companies can at least prepare themselves for the worst, and prevent any possible breaches from being anywhere near as extensive as those that took place in 2017.

Source: https://www.itproportal.com/features/new-year-new-defence-cybersecurity-help-and-predictions-for-2018/

Old Vulnerabilities still available to be exploited ROBOT

Old Vulnerabilities still available to be exploited
R.O.B.O.T:
Return Of Bleichenbacher’s Oracle Threat

A joint study by researchers from Ruhr-Universitat Bochum/Hackmanit GmbH and Tripwire VERT has revealed a re-tread of an old vulnerability from 1998 that allows an attacker to leverage RSA decryption and cryptographic operations. It does so by using the private key configured on the vulnerable TLS servers. This latest CVE, dubbed ROBOT (Return Of Bleichenbacher’s Oracle Threat) has a surprisingly large target area, affecting almost a third of the top 100 domains (according to ALEXA).

I won’t detail the history and specifics of the exploit; there is a pretty good overview over at The Hacker News and of course at the researchers own website, where they have provided an online and downloadable tool for testing for this exploit.

What I will bring to attentionare the hardware vendors that are identified as being susceptible to this exploit even today , as it contains some of the biggest names in the IT industry: Cisco, F5, Citrix, and the most surprising isRadware, who specialize in building cybersecurity products. Granted some of the listed platforms are older legacy platforms, but given that the RSA cipher has been deprecated for over a decade, one would assume that patches to remove it would have been offered and applied years ago. One may be led to believe that this type of negligence is one way to incentivize customers to continually spend on expensive hardware upgrades, but of course we all know better than that…..

With regards to DOSarrest and R.O.B.O.T, we’ve long known about the weakness of using RSA ciphers, and only use strong, hardened cipher suites in our operations.

If you are using one of the affected hardware vendors, we can help. With our DDoS Proxy Defense Network, we can take all HTTPS connections and ensure your origin server/s are protected from this CVE, as well as many other vulnerabilities.

Jag Bains, CTO

DOSarrest Internet Security

Source: https://www.dosarrest.com/ddos-blog/old-vulnerabilities-still-available-to-be-exploited-robot/

Throwing Caution to the Cloud?

The Hidden Costs of Moving IT operations onto the Cloud

As the CTO of a Cloud DDoS Protection Service, it would seem that I would be shooting myself in the foot by raising alarms about hidden costs in moving onto the cloud. After all, shouldn’t everything IT (including Security) be moved to cloud, with it’s promises of low cost, high flexibility and immediate scalability? On the surface, this sounds like a great opportunity for CIO’s and CSO’s who are trying to deal with a volatile budget, but like anything else in life, it’s best to take a closer look before committing.

When I speak with our customers, many of whom have been transitioning their system and storage to a cloud provider, we’ll often have discussions about support of their new setups within Amazon, Azure, etc. These migrations pose no problems for the DOSarrest service, and the conversations will invariably pivot into a Q&A on ideal hosting setups within these popular platforms, as I have had experience working with cloud hosting in my past lives. What I have noticed in conversing with these customers is that the same mistakes of the past are still occurring with high frequency even now, which is the pursuit of short term saving without fully auditing their existing setups and requirements. IT managers are still often attempting to take a snapshot of their server inventory and attempt to replicate it in the cloud during a migration, without fully appreciating that they have excess server capacity. This results in buying extra capacity when it is not required. What’s even worse are when IT managers are blissfully ignorant of the resources and processes operating within their environment that typically have little cost, and have no idea what that will look like on the invoice sheet when those same processes get moved into the cloud. Some good examples of areas that get overlooked in the migration are:

  1. CPU & Memory – it’s a safe bet you could walk into any enterprise datacenter and the vast majority of the systems will be running idle with the occasional 10% CPU load and minimal RAM. Yet each system will have robust specs (eg. 8 core, 32 Gb/s of RAM). Do you really need to replicate those specs in the cloud, even if it is cheaper than buying the actual server yourself?
  2. Storage –Similar to point 1, you will see a lot of disk space being unused in a datacenter. We all have to deal with growing and shrinking volumes, but have you recorded peak disk usages on a system for 1 day, 1 month, 1 year? Doing so would help ensure you don’t simply get the 5 TB option when it’s not needed
  3. Data Transfer/Bandwidth – it’s surprising to me how bandwidth generated by a server farm is often ignored by IT managers. BW plans with their upstreams will allow them to be ignorant of that I suppose. However, when moving to the cloud, you could end up with a hefty bill if you are unsure how much traffic your systems can generate during peak loads. You should also be aware of charges for data transfer between regions and zones.

When it comes to Security in the cloud, there are again other considerations one should account for to avoid paying extra costs.

a) Service Level Agreements – Does the cloud service provider have triple 9’s, Quadruple 9’s? More importantly, does the SLA have a limit to the size of attacks it will support? Is there a different price for each tier of SLA’s?

b) Throughput – the Service provider may say that they have Tb/s of capacity, but is there extra charges if there is a sustained attack over 50 Gb/s? 100 Gb/s? 500 Gb/s?

c) Tiered Support – often you will see a different price schedule for the types of support. 30 minute response versus 15. Phone support being extra

d) Cost for features – Are their additional charges for CDN? How about Web Application Firewall? Machine Learning for identifying anomalous traffic patterns?

At DOSarrest we recognize the cost risk for IT managers, and put all services under one fixed price, simplifying their budgetary exercises and minimizing potential cost over runs in the face of an unknown threat landscape. I know that if a customer of ours is fully using the services we offer that have no extra cost to them they can save thousands of dollars a month on a cloud hosting platform invoice.

In summary, do your due diligence. The cloud can be incredibly powerful with significant savings, but understand what your requirements are.

Jag Bains

CTO, DOSarrest Internet Security

Source: https://www.dosarrest.com/ddos-blog/throwing-caution-to-the-cloud/

Bitfinex restored after DDoS attack

Bitcoin exchange Bitfinex says its systems have been restored after the company was hit by a second denial of service attack in just over a week.

Bitfinex, which claims to be the world’s largest and most advanced cryptocurrency exchange, says it has restored its systems after coming under a “heavy” distributed denial of service (DDoS) attack.

Despite claiming on its website that Bitfinex is “protected by automatic distributed denial of service” systems, the company has been affected twice in December 2017 and once in November by DDoS attacks.

According to Bitfinex, the attackers created “hundreds of thousands of new accounts,” causing stress on the Bitfinex’s infrastructure. The exchange said it took about 12 hours to restore normal operations and that new user signups had been suspended temporarily to reduce demand on its infrastructure.

The latest DDoS attack on Bitfinex comes just days after an Imperva report showed that the bitcoin industry was one of the top ten industries most targeted by DDoS attacks in the third quarter of 2017.

Cyber security industry analysts say the increased interest in Bitcoin as its value continues to surge is making it a prime target for cyber criminals either for extortion or theft.

Igal Zeifman, director at Imperva Incapsula, extortionists and other cyber criminals are commonly drawn to successful online industries, especially emerging ones that are less likely to be well protected.

“Specifically for bitcoin, the DDoS attacks we mitigated could also have been attempts to manipulate the price of bitcoin and other cryptocurrency, something we know offenders had tried in the past,” he said.

According to the Imperva report, organisations targeted by DDoS campaigns in the third quarter spent an average of 12 hours under attack.

This latest DDoS attack on Bitfinex underlines how increased prominence can make businesses more vulnerable to DDoS attacks, said Kirill Kasavchenko, principal security technologist for Europe at Arbor Networks.

“The bitcoin market has been a hot topic over the past week, which has led to a surge in buyers,” he said. “Hackers are notoriously opportunistic, so it makes sense that they’re seizing this opportunity to make it difficult for Bitfinex to maintain usual business activities.”

Businesses which rely on their website as a route to market, said Kasavchenko, must learn lessons from this, and evaluate whether their current DDoS protection could work harder for their business.

“In response to bitcoin’s growth, attackers might launch DDoS attacks against exchanges not only as extortion threat, but also as a way to manipulate cryptocurrency rates by making trading platforms unavailable.

“Last but not least, cryptocurrencies do not have any legal status in most countries,” he said. “This means prosecution of attackers is often problematic not only from technical, but also from a legal point of view.”

Targeting bitcoin exchanges

In line with the trend of targeting bitcoin exchanges, cyber criminals stole nearly $80m worth of bitcoin from bitcoin mining and exchange service NiceHash.

According to NiceHash, the attackers – believed to be from outside the EU – accessed the company’s systems at around 00:18 GMT on 7 December, and began stealing bitcoin three and a half hours later.

This is the latest in a string of cryptocurrency heists in 2017, and security researchers are predicting the trend will only intensify in 2018.

As the bitcoin value continues to soar, its attractiveness to attackers – both at a criminal and nation state level – will increase in proportion, according to Richard Ford, chief scientist at security firm Forcepoint.

Source: http://www.computerweekly.com/news/450431741/Bitfinex-restored-after-DDoS-attack

Bitcoin industry enters top 10 DDoS targets

The bitcoin industry has become one of the top 10 industries most targeted by distributed denial of service attacks, a report has revealed

A spike in the number of bitcoin-related sites targeted by distributed denial of service (DDoS) attacks coincided with a spike in the value of the cryptocurrency of $4,672 in the third quarter, according to Imperva’s latest global DDoS report.

The report is based on data from 3,920 network layer and 1,755 application layer DDoS attacks on websites using Imperva Incapsula services between 1 July and 30 September 2017.

The data shows that 73.9% of all bitcoin exchanges and related sites on the Imperva Incapsula service were attacked during the quarter, ahead of the cryptocurrency’s meteoric rise to more than $11,600 in the first week of December.

As a result of the third-quarter spike, the relatively small and young bitcoin industry made it into the top 10 most attacked industries during the three-month period, taking eighth spot above the transport and telecoms sectors.

The most-attacked sector was gambling (34.5%), followed by gaming (14.4%) and internet services (10.8%).

Igal Zeifman, director at Imperva Incapsula, said the large number of attacks on bitcoin exchange sites is a clear example of DDoS attackers following the money.

“As a rule, extortionists and other cyber criminals are commonly drawn to successful online industries, especially emerging ones that are less likely to be well-protected,” he said.

“Specifically for bitcoin, the DDoS attacks we mitigated could also have been attempts to manipulate the price of bitcoin and other cryptocurrency, something we know offenders have tried in the past.”

According to the report, organisations targeted by DDoS campaigns in the third quarter spent an average of 12 hours under attack, half of network layer targets were hit at least twice, and almost 30% were attacked more than 10 times.

Nearly one-third of DDoS targets in the third quarter were attacked 10 or more times, with an interval of at least an hour between assaults.

Hong Kong topped Imperva’s list of the most targeted countries for network layer assaults during the quarter, mainly because of a persistent attack on a local hosting service that was hit hundreds of times in the quarter.

The largest application layer assault targeted a financial services company headquartered in Europe, which was hit multiple times with attacks above 100,000 requests per second.

The quarter also saw high packet rate attacks, in which the packet forwarding rate escalates above 50 million packets per second (Mpps), becomes more common, with 5% of all network layer assaults above 50 Mpps, and the largest attack peaking at 238 Mpps.

This is a cause for concern, the report said, because many mitigation systems are ill-equipped to process packets at such a high rate.

In November 2017, Harshil Parikh, director of security at software-as-a-service platform firm Medallia, told the IsacaCSX Europe 2017 conference in London that any business dependent on the internet should use tried and tested ways of detecting and mitigating DDoS.

He said it is important that such organisations take time and effort to build their DDoS defence capabilities because DDoS attacks are fairly easy and cheap for attackers to carry out.

“With the advent of botnet-based DDoS attack services that will be effective against most companies, anyone can target an organisation for just a few bitcoins,” said Parikh.

source: http://www.computerweekly.com/news/450431318/Bitcoin-industry-enters-top-10-DDoS-targets