The evolution of DDoS attacks – and defences

Aatish Pattni, regional director, UK & Ireland, Link11, explores in Information Age how DDoS attacks have grown in size and sophistication over the last two decades.

What is the biggest cyber-threat to your company? In April 2018, the UK’s National Crime Agency answered that question by naming DDoS attacks as the joint leading threat facing businesses, alongside ransomware. The NCA noted the sharp increase in DDoS attacks on a range of organisations during 2017 and into 2018, and advised organisations to take immediate steps to protect themselves against the potential attacks.

It’s no surprise that DDoS is seen as such a significant business risk. Every industry sector is now reliant on web connectivity and online services. No organisation can afford to have its systems offline or inaccessible for more than a few minutes: business partners and consumers expect seamless, 24/7 access to services, and being forced offline costs a company dearly. A Ponemon Institute study found that each DDoS incident costs $981,000 on average, including factors such as lost sales and productivity, the effect on customers and suppliers, the cost of restoring IT systems, and brand damage.

So how have DDoS attacks evolved from their early iterations as stunts used by attention-seeking teens, to one of the biggest threats to business? What techniques are attackers now using, and how can organisations defend themselves?

Early days of DDoS

The first major DDoS attack to gain international attention was early in 2000, launched by a 15-year-old from Canada who called himself Mafiaboy. His campaign effectively broke the internet, restricting access to the web’s most popular sites for a full week, including Yahoo!, Fifa.com, Amazon.com, eBay, CNN, Dell, and more.

DDoS continued to be primarily a tool for pranks and small-scale digital vandalism until 2007, when a range of Estonian banking, news, and national government websites were attacked. The attack sparked nationwide riots and is widely regarded as one of the world’s first nation-state acts of cyberwar.

The technique is also successful as a diversion tactic, to draw the attention of IT and security teams while a second attack is launched: another security incident accompanies up to 75% of DDoS attacks.

Denial of service has also been used as a method of protest by activist groups including Anonymous and others, to conduct targeted take-downs of websites and online services. Anonymous has even made its attacks tools freely available for anyone to use. Recent years have also seen the rise of DDoS-on-demand services such as Webstresser.org. Before being shut down by international police, Webstresser offered attack services for as little as £11, with no user expertise required – yet the attacks were powerful enough to disrupt operations at seven of the UK’s biggest banks.

Amplified and multi-vector attacks

In October 2016, a new method for distributing DoS attacks emerged – using a network of Internet of Things (IoT) devices to amplify attacks. The first of these, the Mirai botnet infected thousands of insecure IoT devices to power the largest DDoS attack witnessed at the time, with volumes over a Terabyte. By attacking Internet infrastructure company Dyn, Mirai brought down Reddit, Etsy, Spotify, CNN and the New York Times.

This was just a signpost showing how big attacks could become. In late February 2018, developer platform Github was hit with a 1.35 Tbps attack, and days later a new record was set with an attack volume exceeding 1.7 Tbps. These massive attacks were powered by artificial intelligence (AI) and self-learning algorithms which amplified their scale, giving them the ability to disrupt the operations of any organisation, of any size.

Attacks are not only getting bigger but are increasingly multi-vector. In Q4 2017, Link11 researchers noted that attackers are increasingly combining multiple DDoS attack techniques. Over 45% of attacks used 2 or more different techniques, and for the first time, researchers saw attacks which feature up to 12 vectors. These sophisticated attacks are difficult to defend against, and even low-volume attacks can cause problems, as happened in early 2018 when online services from several Dutch banks, financial and government services were brought to a standstill.

Staying ahead of next-generation AI-based attacks

As DDoS attacks now have such massive scale and complexity, traditional DDoS defences can no longer withstand them. Firewalls, special hardware appliances and intrusion detection systems are the main pillars of protection against DDoS, but these all have major limitations. Current attack volume levels can easily overload even high-capacity firewalls or appliances, consuming so many resources that that reliable operation is no longer possible.

Extortion by DDoS

The next iteration of attackers set out to use DDoS as an extortion tool, threatening organisations with an overwhelming attack unless they meet the attacker’s demand for cryptocurrency. Notable extortionists included the original Armada Collective, which targeted banks, web hosting providers, data centre operators as well as e-commerce and online marketing agencies in Greece and Central Europe.

Between January and March 2018, Link11’s Security Operation Centre recorded 14,736 DDoS attacks, an average of 160 attacks per day, with multiple attacks exceeding 100 Gbps. Malicious traffic at these high volumes can simply flood a company’s internet bandwidth, rendering on-premise network security solutions useless.

What’s needed is to deploy a cloud-native solution that can use AI to filter, analyse, and block web traffic if necessary before it even reaches a company’s IT systems. This can be done by routing the company’s Internet traffic via an external, cloud-based protection service. With this approach, incoming traffic is subject to granular analysis, with the various traffic types being digitally ‘fingerprinted’.

Each fingerprint consists of hundreds of properties, including browser data, user behaviour, and its origin. The solution builds up an index of both normal and abnormal, or malicious traffic fingerprints. When known attack patterns are detected in a traffic flow, the attack ‘client’ is blocked immediately and automatically in the cloud, before it even reaches customers’ networks – so that only clean; legitimate traffic reaches the organisation. However, regular traffic is still allowed, enabling a business to continue unaffected, without users being aware of the filtering process.

The solution’s self-learning AI algorithms also help to identify and block attacks for which there is no current fingerprint within a matter of seconds, to minimise the impact on the organisation’s website or web services. This means each new attack helps the system improve its detection capabilities, for the benefit of all users. Furthermore, this automated approach to blocking attacks frees up IT and security teams, enabling them to focus on more strategic work without being distracted by DDoS attempts.

In conclusion, DDoS attacks will continue to evolve and grow, simply because with DDoS-for-hire services and increasingly sophisticated methods, they are relatively easy and cheap to do – and they continue to be effective in targeting organisations. But by understanding how attacks are evolving and implementing the protective measures described here, organisations will be better placed to deny DDoS attackers.

Source: https://www.information-age.com/evolution-of-ddos-123473947/

FCC Admits It Lied About the DDoS Attack During Net Neutrality Comment Process – Ajit Pai Blames Obama

During the time the Federal Communications Commission (FCC) was taking public comments ahead of the rollback of net neutrality rules, the agency had claimed its comments system was knocked offline by distributed denial-of-service (DDoS) attacks.

These attacks were used to question the credibility of the comment process, where millions of Americans had voiced against the net neutrality rollback. The Commission then chose to ignore the public comments altogether.

FCC now admits it’s been lying about these attacks all this time

No one bought the FCC’s claims that its comment system was targeted by hackers during the net neutrality comment process. Investigators have today validated those suspicions revealing that there is no evidence to support the claims of DDoS attacks in 2017. Following the investigation that was carried out after lawmakers and journalists pushed the agency to share the evidence of these attacks, the FCC Chairman Ajit Pai has today released a statement, admitting that there was no DDoS attack.

This statement would have been surprising coming from Pai – an ex-Verizon employee who has continued to disregard public comments, stonewall journalists’ requests for data, and ignore lawmakers’ questions – if he hadn’t thrown the CIO under the bus, taking no responsibility whatsoever for the lies. In his statement, Pai blamed the former CIO and the Obama administration for providing “inaccurate information about this incident to me, my office, Congress, and the American people.”

He went on to say that the CIO’s subordinates were scared of disagreeing with him and never approached Pai. If all of that is indeed true, the Chairman hasn’t clarified why he wouldn’t demand to see the evidence despite everyone out of the agency already believing that the DDoS claim was nothing but a lie to invalidate the comment process.

“It has become clear that in addition to a flawed comment system, we inherited from the prior Administration a culture in which many members of the Commission’s career IT staff were hesitant to express disagreement with the Commission’s former CIO in front of FCC management. Thankfully, I believe that this situation has improved over the course of the last year. But in the wake of this report, we will make it clear that those working on information technology at the Commission are encouraged to speak up if they believe that inaccurate information is being provided to the Commission’s leadership.”

The statement comes as the result of an independent investigation by the Government Accountability Office that is to be published soon. However, looking at Pai’s statement it is clear what this report is going to say.

As a reminder, the current FCC leadership didn’t only concoct this story of the DDoS attack. It had also tried to bolster its false claims by suggesting that this wasn’t the first such incident as the FCC had suffered a similar attack in 2014 under the former chairman Tom Wheeler. It had also tried to claim that Wheeler had lied about the true nature of the attack back in 2014 to save the agency from embarrassment. The former Chairman then went on record to call on Pai’s FCC for lying to the public as there was no cyberattack under his leadership.

Pai throws CIO under the bus; takes no responsibility

And now it appears the FCC was also lying about the true nature of the failure of comment system in 2017. In his statement released today, Pai is once again blaming [PDF] the Obama administration for feeding him inaccurate information.

I am deeply disappointed that the FCC’s former [CIO], who was hired by the prior Administration and is no longer with the Commission, provided inaccurate information about this incident to me, my office, Congress, and the American people. This is completely unacceptable. I’m also disappointed that some working under the former CIO apparently either disagreed with the information that he was presenting or had questions about it, yet didn’t feel comfortable communicating their concerns to me or my office.

It remains unclear why the new team that replaced Bray nearly a year ago didn’t debunk what is being called a “conspiracy theory” and came clean about it.

Some redacted emails received through the Freedom of Information Act (FOIA) by the American Oversight had previously revealed that the false theory around 2014 cyberattack in order to justify 2017 attack also appeared in a draft copy of a blog post written on behalf of Pai. That draft was never published online to keep Pai’s hands clean since there was no evidence to support FCC’s claims of a malicious attack. These details were then instead sent out to media through which this narrative was publicized.

“The Inspector General Report tells us what we knew all along: the FCC’s claim that it was the victim of a DDoS attack during the net neutrality proceeding is bogus,” FCC Commissioner Jessica Rosenworce wrote. “What happened instead is obvious – millions of Americans overwhelmed our online system because they wanted to tell us how important internet openness is to them and how distressed they were to see the FCC roll back their rights. It’s unfortunate that this agency’s energy and resources needed to be spent debunking this implausible claim.”

Source: https://wccftech.com/fcc-admits-lied-ddos-ajit-pai-obama/

How to Prevent DDoS Attacks: 6 Tips to Keep Your Website Safe

Falling victim to a distributed denial of service (DDoS) attack can be catastrophic: The average cost to an organization of a successful DDoS attack is about $100,000 for every hour the attack lasts, according to security company Cloudflare.

There are longer term costs too: loss of reputation, brand degradation and lost customers, all leading to lost business. That’s why it is worth investing significant resources to prevent a DDoS attack, or at least minimize the risk of falling victim to one, rather than concentrating on how to stop a DDoS attack once one has been started.

In the first article in this series, we discussed how to stop DDoS attacks. If you’re fortunate enough to have survived an attack – or are simply wise enough to think ahead – we will now address preventing DDoS attacks.

Understanding DDoS attacks

A basic volumetric denial of service (DoS) attack often involves bombarding an IP address with large volumes of traffic. If the IP address points to a Web server, legitimate traffic will be unable to contact it and the website becomes unavailable. Another type of DoS attack is a flood attack, where a group of servers are flooded with requests that need processing by the victim machines. These are often generated in large numbers by scripts running on compromised machines that are part of a botnet, and result in exhausting the victim servers’ resources such as CPU or memory.

A DDoS attack operates on the same principles, except the malicious traffic is generated from multiple sources, although orchestrated from one central point. The fact that the traffic sources are distributed – often throughout the world – makes DDoS attack prevention much harder than preventing DoS attacks originating from a single IP address.

Another reason that preventing DDoS attacks is a challenge is that many of today’s attacks are “amplification” attacks. These involve sending out small data packets to compromised or badly configured servers around the world, which then respond by sending much larger packets to the server under attack. A well-known example of this is a DNS amplification attack, where a 60 byte DNS request may result in a 4,000 byte response being sent to the victim – an amplification factor of around 70 times the original packet size.

More recently, attackers have exploited a server feature called memcache to launch memcached amplification attacks, where a 15 byte request can result in a 750 kb response, a amplification factor of more than 50,000 times the original packet size. The world’s largest ever DDoS attack, launched against Github in earlier this year, was a memcached amplification attack that peaked at 1.35 Tbps of data hitting Github’s servers.

The benefit to malicious actors of amplification attacks is that they need only a limited amount of bandwidth at their disposal to launch far larger attacks on their victims than they could do by attacking the victims directly.

Six steps to prevent DDoS attacks

1. Buy more bandwidth

Of all the ways to prevent DDoS attacks, the most basic step you can take to make your infrastructure “DDoS resistant” is to ensure that you have enough bandwidth to handle spikes in traffic that may be caused by malicious activity.

In the past it was possible to avoid DDoS attacks by ensuring that you had more bandwidth at your disposal than any attacker was likely to have. But with the rise of amplification attacks, this is no longer practical. Instead, buying more bandwidth now raises the bar which attackers have to overcome before they can launch a successful DDoS attack, but by itself, purchasing more bandwidth is not a DDoS attack solution.

2. Build redundancy into your infrastructure

To make it as hard as possible for an attacker to successfully launch a DDoS attack against your servers, make sure you spread them across multiple data centers with a good load balancing system to distribute traffic between them. If possible, these data centers should be in different countries, or at least in different regions of the same country.

For this strategy to be truly effective, it’s necessary to ensure that the data centers are connected to different networks and that there are no obvious network bottlenecks or single points of failure on these networks.

Distributing your severs geographically and topographically will make it hard for an attacker to successfully attack more than a portion of your servers, leaving other servers unaffected and capable of taking on at least some of the extra traffic that the affected servers would normally handle.

3. Configure your network hardware against DDoS attacks

There are a number of simple hardware configuration changes you can take to help prevent a DDoS attack.

For example, configuring your firewall or router to drop incoming ICMP packets or block DNS responses from outside your network (by blocking UDP port 53) can help prevent certain DNS and ping-based volumetric attacks.

4. Deploy anti-DDoS hardware and software modules

Your servers should be protected by network firewalls and more specialized web application firewalls, and you should probably use load balancers as well. Many hardware vendors now include software protection against DDoS protocol attacks such as SYN flood attacks, for example, by monitoring how many incomplete connections exist and flushing them when the number reaches a configurable threshold value.

Specific software modules can also be added to some web server software to provide some DDoS prevention functionality. For example, Apache 2.2.15 ships with a module called mod_reqtimeout to protect itself against application-layer attacks such as the Slowloris attack, which opens connections to a web server and then holds them open for as long as possible by sending partial requests until the server can accept no more new connections.

5. Deploy a DDoS protection appliance

Many security vendors including NetScout Arbor, Fortinet, Check Point, Cisco and Radware offer appliances that sit in front of network firewalls and are designed to block DDoS attacks before they can take effect.

They do this using a number of techniques, including carrying out traffic behavioral baselining and then blocking abnormal traffic, and blocking traffic based on known attack signatures.

The main weakness of this type of approach of preventing DDoS attacks is that the appliances themselves are limited in the amount of traffic throughput they can handle. While high-end appliances may be able to inspect traffic coming in at a rate of up to 80 Gbps or so, today’s DDoS attacks can easily be an order of magnitude greater than this.

6. Protect your DNS servers

Don’t forget that a malicious actor may be able to bring your web servers offline by DDoSing your DNS servers. For that reason it is important that your DNS servers have redundancy, and placing them in different data centers behind load balancers is also a good idea. A better solution may even be to move to a cloud-based DNS provider that can offer high bandwidth and multiple points-of-presence in data centers around the world. These services are specifically designed with DDoS prevention in mind. For more information, see How to Prevent DNS Attacks.

Source: https://www.esecurityplanet.com/network-security/how-to-prevent-ddos-attacks.html

Cyber Attacks Cost Korean Firms US$72 billion Last Year: Report

Cyber attacks cost Korean companies US$72 billion last year, according to a survey released by Microsoft Korea on June 18.

The Cyber Security Threat Report, produced jointly with Frost & Sullivan, a global consulting firm, assumes that 90 percent of the damage was indirect losses, which included losses from losing customers, tarnished corporate reputations, and job losses. The report referred to this phenomenon as an “iceberg effect” where indirect losses eclipse direct losses.

This report also covered the status of Korean companies’ security awareness. Among the Korean companies which participated in the survey, 29 percent said they did not even know whether or not a cyber attack occurred. In addition, 35 percent of them said they were postponing digitalization because they were concerned about cyber attacks.

Meanwhile, according to semi-annual “Security Intelligence Report” released by Microsoft Korea, three types of cybercrime were used in combination — botnets, phishing, and ransomware.

A botnet is a method of infecting multiple PCs as zombie PCs through the internet to perform distributed denial-of-service attack (DDoS attack), steal data and send spam. Phishing refers to deceiving users and making them make a mistake by disguising a malicious website or e-mail as a secure website or e-mail. Ransomware is a malicious code that encrypts data in your computer and demand money in exchange for a password.

“In the rapidly changing digital world, companies must make cybersecurity a top priority for their organization,” said Kim Gui-ryeon, chief security officer at Microsoft Korea.

Source: http://www.businesskorea.co.kr/news/articleView.html?idxno=23084

Weekly Cyber Risk Roundup: FBI Advises Home Router Resets

What’s Everyone Talking About? Trending Cybercrime Events

The big news for this week was the CISCO warning of 500,000 routers being hacked by Russian criminal hackers in a bid to attack Ukraine. According to CNBC, “Cisco’s Talos cyber intelligence unit said it has high confidence that the Russian government is behind the campaign, dubbed VPNFilter, because the hacking software shares code with malware used in previous cyber attacks that the U.S. government has attributed to Moscow.”

In subsequent reporting, the FBI has issued a statement and recommendation that all users with home or small-business router turn off the device and turn it back on. The reboot is meant to counter the Fancy Bear linked malware mentioned above.

Further details are being released as they are available. The details of the warnings were: “at least 500,000 in at least 54 countries. The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well at QNAP network-attached storage (NAS) devices.”

 

Screen Shot 2018-05-29 at 5.00.06 AM

Other trending cybercrime events from the week include:

  • State data breach notifications: In October 2017, criminal hackers obtained the credentials for two employee accounts for Worldwide Insurance Services. A phishing campaign was used to steal credentials and may have resulted in private insurance details of their customers being viewed by unauthorized parties. In December 2017, a former employee of Muir Medical Group took personal details of clients with them before their employment ended. This could have resulted in the leak of personal identifiable information of clients. In March 2018, a contractor for the California Department of Public Health experienced a robbery where documents and a laptop were stolen.
  • Altcoin Experienced Second Hack: The alternative cryptocurrency Verge, experienced its second hack in recent months. $1.4 Million (USD) was stolen in this recent attack which started as a distributed denial-of-service (DDoS) attack. In the last event, the cryptocurrency suffered a 25% loss.
  • Bitcoin Gold Suffers Attack: In a similar attack to the previous report with Verge, Bitcoin Gold suffered a 51% attack resulting in the loss of $18 million in Bitcoin Gold. Also known as double spending this type of attack works very similar to DDoS attacks in which they tie up the network resources of the targets.
  • Fourteen Vulnerabilities Found in BMWs: In a recent security test, researchers found fourteen vulnerabilities as they hacked BMW cars. The reported vulnerabilities were, “the flaws could be exploited to gain local and remote access to infotainment (a.k.a head unit), the Telematics Control Unit (TCU or TCB) and UDS communication, as well as to gain control of the vehicles’ CAN bus.”
  • App Leaks Passwords in Plaintext: Researchers discovered two servers owned by the app TeenSafe, which is an app parents and guardians can use to monitor phone activity of a child, were hosted without passwords to access data being stored. Over 10,000 accounts were exposed on the AWS hosted servers.

Cyber Risk Trends From the Past Week

A new report from security researchers this week is touting a new kind of banking malware. Researchers are calling the malware Backswap anddiscovered it attacking Polish banks. According to the report, “We have discovered a new banking malware family that uses an innovative technique to manipulate the browser: instead of using complex process injection methods to monitor browsing activity, the malware hooks key window message loop events in order to inspect values of the window objects for banking activity.”

The malware was first noticed in January 2018, and the first samples were analyzed in March 2018. According to the report, “the banker is distributed through malicious email spam campaigns that carry an attachment of a heavily obfuscated JavaScript downloader from a family commonly known as Nemucod. The spam campaigns are targeting Polish users.” As users see everyday, just because a malware strain is targeting a specific bank or country doesn’t mean it hasn’t started to spread or won’t be turned to other targets later.

 

Screen Shot 2018-05-29 at 5.02.34 AM

Source: https://securityboulevard.com/2018/05/weekly-cyber-risk-roundup-fbi-advises-home-router-resets/

DDoS used to oust competition in crypto market

n the last 12 months, cyber criminals have been using distributed denial-of-service (DDoS) attacks to target crypto-currencies.

That’s according to Alex Cruz Farmer, product manager at Cloudflare, who spoke at the ITWeb Security Summit 2018 event this week.

Criminal perpetrators of DDoS attacks often target sites or hosted on high-profile Web servers such as banks or credit card payment . Revenge, blackmail and activism can motivate these attacks.

However, when targeting crypto-currencies with DDoS attacks, “it’s not for the good old ransom, it’s a way to run the competition out of town”.

Cloudflare is one of the biggest DDoS mitigation platforms in the world, serving over eight million domains across more than 150 data centres.

Soon to be the norm

A crypto-currency marketplace customer, who had migrated to Cloudflare, had an attack which according to Farmer demonstrated the complexities of modern day attacks, which he believes will soon be the norm.

“The customer noticed that there were a huge number of sign-ups to their Web site, way more than usual, and had assumed this was spam or some other scam. After a week or two, they found that thousands and thousands of these accounts were logging in, and repeatedly checking their account balances, which in turn caused their database platform to grind to a halt.”

He explained that within a very short period of time, it was identified and the attack was dealt with, but the attackers did not stop there.

“Further application-based attacks occurred, focusing on almost every endpoint possible, to find another area of weakness. Fortunately, we were wise to these games, and our security teams were able to put adequate protections in place to block any further attacks.”

DDoS evolution

He pointed out that DDoS attacks have evolved over the years, noting that the first ever DDoS was in 1988 caused by the Morris Worm, written by Robert Morris.

“It was a complete accident, the purpose was to gauge the size of the Internet. However, due to an oversight in the code, it ended up taking down the Internet, causing huge amounts of damage, leading to the first ever cyber-related felony in the US.”

From then, he said DDoS attacks inherently were focused on exhausting CPU or other resources.

“For example, a simple TCP SYN attack on an Apache server would exhaust open sockets, rendering servers useless, causing any new connections to timeout. The only resolution was to restart the Web server.”

TCP SYN flood (aka SYN flood) is a type of DDoS attack that exploits part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive. Essentially, with SYN flood DDoS, the offender sends TCP connection requests faster than the targeted machine can process them, causing network saturation.

“Unfortunately for the attackers, there were quick and easy solutions for server administrators to protect themselves from SYN attacks, so naturally, the evolution was to find the next destructive option; exhaust the network.

“Come to 2003, we had one of the most epic DDoS attacks ever seen, caused by the infamous SQL Slammer virus. Not only did these attacks cripple the target server, they also crippled the network, and in some cases even their upstream ISP,” Farmer said.

Fast forward five to 10 years, we then saw the birth of User Datagram Protocol (UDP) based reflection attacks, primarily utilising NTP services (the service which sets the time on a computer, mobile phone or any other connected device), he pointed out.

“But, like always, patches are created, and the community came together to build necessary protections. It was UDP-based, so it was easy to block for most networks.”

According to Farmer, 2016 is when things really changed. “Mirai was born, with its debut attack of 540Gb/sec targeting the Rio Olympics, then a few weeks later generating the largest attack the world had seen against security blogger Brian Krebs.”

He explained that Mirai was orchestrated used IOT devices to generate the attacks. “While these devices may seem harmless, under the hood they run a real, fully-loaded operating system, mostly Linux. This means an attacker is able to run whatever script they wish, have it call home, update its firmware and most importantly, lock out the owner.”

Source: https://www.itweb.co.za/content/VgZey7JAZa8vdjX9

“Hide and Seek” Becomes First IoT Botnet Capable of Surviving Device Reboots

Security researchers have discovered the first IoT botnet malware strain that can survive device reboots and remain on infected devices after the initial compromise.

This is a major game-changing moment in the realm of IoT and router malware. Until today, equipment owners could always remove IoT malware from their smart devices, modems, and routers by resetting the device.

The reset operation flushed the device’s flash memory, where the device would keep all its working data, including IoT malware strains.

“Hide and Seek” malware copies itself to /etc/init.d/

But today, Bitdefender researchers announced they found an IoT malware strain that under certain circumstances copies itself to /etc/init.d/, a folder that houses daemon scripts on Linux-based operating systems —like the ones on routers and IoT devices.

By placing itself in this menu, the device’s OS will automatically start the malware’s process after the next reboot.

The malware strain that achieved something that even the Mirai strain couldn’t is called Hide and Seek (HNS) —also spelled Hide ‘N Seek.

HNS botnet has evolved considerably in the past few months

Bitdefender experts first spotted the HNS malware and its adjacent botnet in early January, this year, and the botnet grew to around 32,000 bots by the end of the same month. Experts say HNS has infected 90,000 unique devices from the time of discovery until today.

Crooks used two exploits to create their initial botnet, which was unique from other IoT botnets active today because it used a custom P2P protocol to control infected systems.

Now, experts have found new HNS versions that have added support not only for two other exploits [1, 2] but also for brute-force operations.

What this means is that HNS infected devices will scan for other devices that have an exposed Telnet port and attempt to log into that device using a list of preset credentials.

Researchers say that HNS authors have also had time to fine-tune this brute-forcing scheme, as the malware can identify at least two types of devices and attempt to log into those systems using their factory default credentials, instead of blindly guessing passwords.

Furthermore, the HNS codebase also received updates, and the bot now has ten different binaries for ten different device architectures.

Not all HNS bots are boot persistent

But HNS is not capable of gaining boot permission on all infected devices. According to Bitdefender senior e-threat analyst Bogdan Botezatu, “in order to achieve persistence, the infection must take place via Telnet, as root privileges are required to copy the binary to the init.d directory.”

The security expert also adds that the HNS botnet is still a work-in-progress, and the malware still doesn’t support launching DDoS attacks.

Nonetheless, the functions to steal data and execute code on infected devices are still there, which means the botnet supports a plugin/module system and could be expanded at any point with any type of malicious code.

source: https://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots/

One year on, the WannaCry scare hasn’t made healthcare security any better

Cybersecurity in the healthcare sector was put under the spotlight after the WannaCry ransomware attacks that hit in May 2017, and it painted a vivid picture of how threats can paralyse real-world processes.

That’s according to Trend Micro and HITRUST’s latest research on how connected hospitals can be exploited – and researchers believe that the WannaCry scare has only made matters worse.

The research paper, titled Securing Connected Hospitals, looks at how internet-connected medical devices are often exposed due to misconfigured networks or software interfaces.

Connected devices can include surgical equipment, office applications, inventory systems, monitoring equipment, and imaging equipment.

Using search website Shodan, researchers were able to pinpoint devices connected to the Internet of Things and gather information about the devices’ geographic locations, hostnames, operating systems, and other information.

“An adversary can also use Shodan to perform detailed surveillance and gather intelligence about a target, which is why Shodan has been called the World’s Most Dangerous Search Engine,” the report says.

Beyond Shodan, exposed devices can also be profiled using network tools. Attackers could potentially access sensitive data, webcam feeds, compromise assets to conduct DDoS attacks or botnets, demand ransoms and much more.

The paper also looked at how supply chain attacks, including associates and third-party contractors, also play a dangerous role – 30% of healthcare breaches in 2016 were due to third parties.

“Supply chain threats arise as a result of outsourcing suppliers, and the lack of verifiable physical and cybersecurity practices in place at the suppliers,” the report says.

“Suppliers do not always vet personnel properly, especially companies that have access to patient data, hospital IT systems, or healthcare facilities. Vendors do not always vet their own products and software for cybersecurity risks, and may also be outsourcing resources as well. This allows perpetrators to exploit sensitive information across the supply chain.”

There are seven major supply chain threat vectors that attackers can use against the healthcare sector:

Firmware  attacks, mHealth mobile application compromises, source code compromise during the manufacturing process, insider threats from hospital and vendor staff, website/EHR and internal hospital software compromise, spearphishing, and third party vendor credentials.

The report points out that source code compromise during the manufacturing process can be extremely dangerous because hospitals tend not to test device security before installing it on their networks.

While no data on incidents involving medical devices was publicly disclosed in 2017, tablets, phones and even USB devices have been compromised in the past.

“In 2016, a healthcare organization unknowingly sent 37,000 malware-infected USB thumb drives to their offices nationwide. The manual of procedure codes for that year included the flash drive on the back pocket,” the report says.

The paper draws on qualitative risk analysis of various attack vectors to give an overview of some of the most pressing threats in healthcare.

Those threats include insecure devices that can be used to access a network, DDoS attacks, spear phishing, and unpatched systems.

“Having effective alert, containment, and mitigation processes are critical. The key principle of defense is to assume compromise and take countermeasures.”

  • Quickly identify and respond to ongoing security breaches.
  • Contain the security breach and stop the loss of sensitive data.
  • Pre-emptively prevent attacks by securing all exploitable avenues.
  • Apply lessons learned to further strengthen defenses and prevent repeat incidents.

Source:https://securitybrief.asia/story/one-year-wannacry-scare-hasnt-made-healthcare-security-any-better/

DoubleDoor Botnet Chains Exploits to Bypass Firewalls

Crooks are building a botnet that for the first time is bundling two exploits together in an attempt to bypass enterprise firewalls and infect devices.

Discovered by researchers from NewSky Security, the botnet has been cleverly named DoubleDoor. According to Ankit Anubhav, NewSky Security Principal Researcher, the DoubleDoor malware attempts to execute exploits that take advantage of two backdoors:

CVE-2015–7755 – backdoor in Juniper Networks’ ScreenOS software. Attackers can use the hardcoded password <<< %s(un=’%s’) = %u password with any username to access a device via Telnet and SSH.
CVE-2016–10401 – backdoor in ZyXEL PK5001Z routers. Attackers can use admin:CenturyL1nk (or other) and then gain super-user access with the password zyad5001 to gain control over the device.

Anubhav says DoubleDoor attackers are using the first exploit to bypass Juniper Netscreen firewalls and then scan internal networks for ZyXEL routers to exploit with the second exploit.

First time an IoT botnet chains two exploits

In a conversation with Bleeping Computer, Anubhav says this is the first time that a botnet has chained two exploits together in an attempt to infect devices.

“For the first time, we saw an IoT botnet doing two layers of attacks, and was even ready to get past a firewall,” the expert told Bleeping Computer. “Such multiple layers of attack/evasion are usually a Windows thing.”

“Satori/Reaper have used exploits, but those are exploits for one level of attack for various devices,” Anubhav said. “If the attacker finds a Dlink device, then it uses this exploit; if it finds a Huawei device, then that exploit,” Anubhav added showing the simple exploitation logic that most IoT malware employed in the past.

DoubleDoor botnet is not a major threat, yet

Scans and exploitation attempts for this botnet were spotted between January 18 and January 27, all originating from South Korean IP addresses.

But the botnet is not a major danger just yet. Anubhav says DoubleDoor looks like a work in progress and still under heavy development.

“The attacks are less in number when compared to Mirai, Satori, Asuna, or Daddyl33t,” he said.

The NewSky Security expert says the smaller attack numbers are likely because the botnet only targets a small subset of devices, either Internet-exposed ZyXEL PK5001Z routers, or ZyXEL PK5001Z routers protected by an enterprise-grade Juniper Netscreen firewall.

“Such setups are usually found in corporations,” Anubhav said, raising a sign of alarm of what targets the DoubleDoor author may be trying to infect.

DoubleDoor doesn’t do anything, for the moment

The good news is that DoubleDoor doesn’t do anything special after compromising ZyXEL devices. It just merely adds them to a botnet structure.

“Probably it’s a test run or they are just silently recruiting devices for something bigger down the road,” Anubhav said.

But as Anubhav points out, because DoubleDoor appears to still be under development, we may soon see its author expand it with even more exploits that target other types of devices, such as those from Dlink, Huawei, Netgear, and others.

Further, the botnet may try to carry out DDoS attacks, spread malware to internal Windows networks, or something more intrusive.

But even if DoubleDoor dies down and is never seen again, its double-exploit firewall bypass technique has already attracted the attention of other IoT botnet operators, and we may see it pretty soon with other malware strains as well. The cat’s out of the bag, as they say.

Source: https://www.bleepingcomputer.com/news/security/doubledoor-botnet-chains-exploits-to-bypass-firewalls/

Dutch Central Bank warns for phishing emails after DDoS attacks on banks

The Dutch Central Bank (DNB) has issued warnings to consumers about phishing e-mails, following a series of DDoS attacks on banks. ABN Amro, ING and Rabobank were the victims of long-term DDoS attacks on several occasions last weekend and earlier this week; these led to the disruption of online services. The Tax and Customs Administration and Dutch national ID system DigiD were also affected.

DNB said there is a chance that the number of phishing emails will now increase, following these DDoS attacks. “It is not unusual for DDoS attacks on banks to be followed by an increase in phishing mail to account holders. Criminals often attempt to use the agitation around digital attacks to make people feel vulnerable, and to then extract sensitive bank account details.

The recent DDoS attacks on the banks were advanced, according to the DNB. Banks have in place strong defensive measures to ensure that services are available through websites and internet banking. The banks have been in constant consultation with each other during the few last days and have worked together with the authorities, including the DNB and the National Cyber ​​Security Center. For such situations, multiple consultation structures have been set up, aimed at normalising payment transactions as quickly as possible.

Source:https://www.telecompaper.com/news/dutch-central-bank-warns-for-phishing-emails-after-ddos-attacks-on-banks–1230205