Interpol Tests Global Cops with IoT Simulation

Interpol last week held a simulated training exercise for global investigators designed to help overcome Internet of Things (IoT) skills shortages.

The international police organization’s annual Digital Security Challenge saw 43 cybercrime investigators and digital forensics experts from 23 countries face a simulated cyber-attack on a bank launched through an IoT device.

During the course of the simulation, investigators found that the malware was sent in an email attachment via a hacked webcam, and not direct from a computer.

Interpol claimed this is an increasingly popular tactic designed to obfuscate the source of attacks, but warned that police may not have the skills to forensically examine IoT devices.

“The ever-changing world of cybercrime is constantly presenting new challenges for law enforcement, but we cannot successfully counter them by working in isolation,” said Noboru, Nakatani, executive director of the Interpol Global Complex for Innovation.

“A multi-stakeholder approach which engages the expertise of the private sector is essential for anticipating new threats and ensuring police have access to the technology and knowledge necessary to detect and investigate cyber-attacks.”

The first two Digital Security Challenge exercises in 2016 and 2017 simulated cyber-blackmail involving Bitcoin and a ransomware attack, so the new focus on IoT is reflective of the changing nature of threats.

Last week, Trend Micro claimed in its 2017 roundup report that IoT devices are increasingly being “zombified” to mine crypto-currency and launch cyber-attacks like DDoS.

Hackers can target exposed IoT endpoints to infiltrate corporate networks, conscript into botnets or even interfere with critical infrastructure.

However, nearly half (49%) of all IoT “events” observed by the security vendor last year — amounting to a total of 45.6 million — involved crypto-currency mining.

Adam Brown, security solutions manager at Synopsys, argued that IoT attacks will continue until firmware flaws are addressed.

“Good practices by vendors around configuration and authentication need to be initiated or matured to prevent this in future,” he added.

“I would love to see certification for IoT devices become commonplace so that consumers can know that the devices are cyber-safe, much in the same way that if you buy a toy with a CE mark you know it has been through a process of assessment and it won’t, for example, poison anyone because it has lead in its paint.”

Source: https://www.infosecurity-magazine.com/news/interpol-tests-global-cops-with/

Californian may not see stars for years after conviction for DDoS attack against telescope retailer

A California man was convicted of launching distributed denial of service (DDoS) attacks against telescope retailer Astronomics and the online astronomy forum the company runs called Cloudy Nights.

David Chesley Goodyear, of El Segundo, Calif., was found guilty by a jury last week of hitting both the Norman, Okla.-based retailer and forum in August 2016, reported Robert J. Troester, Acting United States Attorney for the Western District of Oklahoma. Troester presented evidence to the jury that Goodyear had belonged to the Cloudy Nights forum, but twice had been blocked from the site for violating its terms of service, which included sending threats to users, administrators, and moderators.

Goodyear used two aliases to place posts on Cloudy Nights on August 9 and 13, 2016. In these posts he threatened to “talk with his contacts and hit the forum and Astronomics with a DoS attack, Troester said.

“Evidence further showed that DDoS attacks against Astronomics and Cloudy Nights commenced that night and continued intermittently until the end of August 2016, when Goodyear was interviewed by law enforcement and admitted he was responsible for the attacks,” Troester said.

Goodyear faces up to 10 years in prison and a $250,000 fine.

Source: https://www.scmagazine.com/california-man-convicted-of-ddos-attack-against-telescope-retailer/article/745248/

The risks of DDoS and why availability is everything

DDoS attacks bring significant risk to organisations that depend on their networks and websites as an integral part of their business. And these days, that’s just about everyone. Think about online banking, retailing, travel reservations, medical patient portals, telecommunications, B2B e-commerce – virtually every business model today includes a significant online transactional component or, in some cases, has shifted online entirely.

We’ve all experienced the feeling of frustration, or even desperation, when the online services we expect are not available to us instantly when we want or need them. Imagine that happening to thousands or even millions of customers worldwide, simultaneously, and you can understand the potential impact of a single DDoS attack on your organisation. Maintaining availability of digital platforms, networks, applications and services is not simply a security issue – it is a business risk and continuity issue.

It doesn’t take much to take down a substantial section of the internet. In November 2016, an accidental misconfiguration at a major internet infrastructure company led to outages at several large carriers. Although the “route leak” was accidental and not malicious, the resulting 90-minute lack of availability was still painful for the carriers and their customers alike.

A concerted attack can have far more damaging consequences. Unlike advanced threats or data breaches, which are designed for stealth to exfiltrate data of value, a successful DDoS attack is instantly recognisable. The symptoms range from poor performance and intermittent outages, to a stream of customer complaints, all the way to sudden and complete unavailability. Whatever the motive, disruption or denial of service is the goal.

Have threat capabilities leapfrogged your protection capacity?

DDoS attacks have been around just as long as e-commerce itself. Established organisations with a significant online presence have always taken measures to ensure availability. Ask yourself, however, if the protection you may have put in place several years ago is still adequate for a modern-day attack. DDoS threat capabilities have become more complex, dynamic and multi-vector. Increasingly, attackers employ a combination of attack methodologies, on the assumption that at least one will succeed while the others divert defences. These attack types include:

  • Volumetric: Large bandwidth-consuming attacks that essentially “flood” network pipes and router interfaces.
  • TCP State Exhaustion: Attacks that use up all available transmission control protocol (TCP) connections in internet infrastructure devices such as firewalls, load balancers and web servers.
  • Application Layer: “Low and slow” attacks indented to gradually wear down resources in application servers.

Moreover, attacks today are much easier for less sophisticated threat actors to launch, owing to the ready availability of inexpensive do-it-yourself attack tools and DDoS-for-hire services. The threat landscape has been further exacerbated by the rapid proliferation of inadequately secured Internet of Things (IoT) devices, which are being consumed into botnets and weaponised to launch multi-vector DDoS attacks.

Evaluating risks and defences

With the increase in multi-vector attacks, security experts agree that reducing the risk from DDoS attacks requires a defence-in-depth or layered approach utilising multiple, synchronised mitigation approaches.

Firewalls have long stood as the first line of defence, as policy enforcement solutions designed to prevent unauthorised data access. Unfortunately, firewalls are not very effective when it comes to availability threats like the modern-day, multi-vector DDoS attack.

Modern firewalls perform stateful packet inspection—maintaining records of all connections passing through the firewall. They determine whether a packet is the start of a new connection, part of an existing connection or invalid. But as stateful and inline devices, firewalls add to the attack surface and can be DDoS targets.

They have no inherent capability to detect or stop DDoS attacks because attack vectors use open ports and protocols. As a result, firewalls are prone to become the first victims of DDoS as their capacity to track connections is exhausted. Because they are inline, they can also add network latency.

Finally, because they are stateful, they are susceptible to resource-exhausting attacks such as Transmission Control Protocol synchronous (TCP SYN) floods and spoofed Internet Control Message Protocol (ICMP) ping floods.

Intelligent DDoS Mitigation Solutions (IDMS) are purpose built for DDoS defence, they’re deployed on-premise, in front of the firewall. These solutions can handle the majority of attacks, in fact, 80% of DDoS attacks are less than 1Gbps in attack size.

However, they are not adequate for the growing number of large-scale attacks intended to overwhelm internet bandwidth. These larger attacks are best mitigated in the cloud. Best practice defence today is intelligently integrated combination of on-premise and cloud-based solutions.

Recognising that denial of availability is a business risk, it makes sense to undergo a risk analysis to assess your vulnerabilities, understand the impact of a DDoS attack under various scenarios, and determine the measures you need to have in place for optimal risk mitigation.

Today’s DDoS threat is not the same as it was ten or even five years ago. If availability is paramount to your business, then defences need to be updated to match today’s threat.e:

Source: https://securitybrief.co.nz/story/risks-ddos-and-why-availability-everything/

DoubleDoor Botnet Chains Exploits to Bypass Firewalls

Crooks are building a botnet that for the first time is bundling two exploits together in an attempt to bypass enterprise firewalls and infect devices.

Discovered by researchers from NewSky Security, the botnet has been cleverly named DoubleDoor. According to Ankit Anubhav, NewSky Security Principal Researcher, the DoubleDoor malware attempts to execute exploits that take advantage of two backdoors:

CVE-2015–7755 – backdoor in Juniper Networks’ ScreenOS software. Attackers can use the hardcoded password <<< %s(un=’%s’) = %u password with any username to access a device via Telnet and SSH.
CVE-2016–10401 – backdoor in ZyXEL PK5001Z routers. Attackers can use admin:CenturyL1nk (or other) and then gain super-user access with the password zyad5001 to gain control over the device.

Anubhav says DoubleDoor attackers are using the first exploit to bypass Juniper Netscreen firewalls and then scan internal networks for ZyXEL routers to exploit with the second exploit.

First time an IoT botnet chains two exploits

In a conversation with Bleeping Computer, Anubhav says this is the first time that a botnet has chained two exploits together in an attempt to infect devices.

“For the first time, we saw an IoT botnet doing two layers of attacks, and was even ready to get past a firewall,” the expert told Bleeping Computer. “Such multiple layers of attack/evasion are usually a Windows thing.”

“Satori/Reaper have used exploits, but those are exploits for one level of attack for various devices,” Anubhav said. “If the attacker finds a Dlink device, then it uses this exploit; if it finds a Huawei device, then that exploit,” Anubhav added showing the simple exploitation logic that most IoT malware employed in the past.

DoubleDoor botnet is not a major threat, yet

Scans and exploitation attempts for this botnet were spotted between January 18 and January 27, all originating from South Korean IP addresses.

But the botnet is not a major danger just yet. Anubhav says DoubleDoor looks like a work in progress and still under heavy development.

“The attacks are less in number when compared to Mirai, Satori, Asuna, or Daddyl33t,” he said.

The NewSky Security expert says the smaller attack numbers are likely because the botnet only targets a small subset of devices, either Internet-exposed ZyXEL PK5001Z routers, or ZyXEL PK5001Z routers protected by an enterprise-grade Juniper Netscreen firewall.

“Such setups are usually found in corporations,” Anubhav said, raising a sign of alarm of what targets the DoubleDoor author may be trying to infect.

DoubleDoor doesn’t do anything, for the moment

The good news is that DoubleDoor doesn’t do anything special after compromising ZyXEL devices. It just merely adds them to a botnet structure.

“Probably it’s a test run or they are just silently recruiting devices for something bigger down the road,” Anubhav said.

But as Anubhav points out, because DoubleDoor appears to still be under development, we may soon see its author expand it with even more exploits that target other types of devices, such as those from Dlink, Huawei, Netgear, and others.

Further, the botnet may try to carry out DDoS attacks, spread malware to internal Windows networks, or something more intrusive.

But even if DoubleDoor dies down and is never seen again, its double-exploit firewall bypass technique has already attracted the attention of other IoT botnet operators, and we may see it pretty soon with other malware strains as well. The cat’s out of the bag, as they say.

Source: https://www.bleepingcomputer.com/news/security/doubledoor-botnet-chains-exploits-to-bypass-firewalls/

Tracking Bitcoin Wallets as IOCs for Ransomware

By understanding how cybercriminals use bitcoin, threat analysts can connect the dots between cyber extortion, wallet addresses, shared infrastructure, TTPs, and attribution.

Cryptocurrency, particularly bitcoin, has captured the attention of Wall Street and Silicon Valley over the past few months. It seems like everybody wants to talk about bitcoin as if it is something brand new.

The truth is that cryptocurrencies have been the norm on the Dark Web for quite some time. Bitcoin has been payment method of choice for ransomware and cyber extortion because it allows bad actors to operate under a cloak of anonymity. But that could be changing. Threat intelligence analysts are beginning to incorporate bitcoin wallet addresses into their investigations, and we’ll soon be able to recognize attack patterns and track attribution. One thing we’ve noticed is the ability to track, to some degree, the correlations and connections between cyberattacks by following bitcoin transactions.

In order to understand why tracking bitcoin wallet addresses as indicators of compromise (IOCs) is so valuable, we need to understand why cybercriminals use bitcoin in the first place. There are three primary reasons.

Anonymity: Bitcoin provides anonymity when payments are received and when they are cashed out. That’s because bitcoin accounts and money transfers are difficult to trace and depend largely on the cybercriminal being sloppy with operations security.

Global Currency: Hackers typically prey on out-of-country targets and need a fast, untraceable method to transfer funds across nations without worrying about account freezes. Bitcoin is used as a global currency because you don’t need to worry about the exchange rates between your home country’s currency and US dollars.

Ease of Payments: In the past, hackers used to rely on gift cards for payment. This was troublesome on many levels — for instance, gift cards can’t be used globally, and criminals needed to come up with a mailing addresses that can’t be traced. Bitcoin and the higher profile of cryptocurrency have contributed to the rise in ransomware, as well as hackers’ ability to use extortion to elicit payments. One example occurred after the Ashley Madison website breach, when hackers threatened some users with a bitcoin ransom or have their identities revealed as adulterers. Another tactic involved using malicious emails to threaten a distributed denial-of-service attack on an organization’s network unless a bitcoin payment was made.

By tracking bitcoin wallet addresses as an IOC, we’ve been able to connect the dots between ransomware, wallet addresses, and shared infrastructure, TTPs (tactics, techniques, and procedures), and attribution.

Here is an example of how bitcoin is used in a ransomware campaign: A new piece of ransomware gives you a bitcoin address for payment. You can then make correlations that connect across sectors, like retail, energy, or technology groups based on the blockchain and/or reuse of the same address. With WannaCry, there were hard-coded bitcoin addresses that made it easy to correlate what you are dealing with and which sectors were being affected. The more bitcoin addresses are shared, the more you can identify addresses to which bitcoins are forwarded.

The ability to track transactions through the blockchain allows you to connect different ransomware campaigns. Cybercriminals don’t typically share bitcoin wallets as they might share the same exploit kit, but by tracking blockchain transactions, analysts have another investigation point from which they can pivot and dig for more.

Bitcoin Addresses Reported by Multiple Sectors

Addresses are often unique to each target or a small set of targets, but you can track where the money goes by looking at the blockchain (the transactions) to see which addresses deliver funds to the same final addresses before being cashed out.

Addresses are often unique to each target or a small set of targets, but you can track where the money goes by looking at the blockchain (the transactions) to see which addresses deliver funds to the same final addresses before being cashed out.

Why is it important to be able to track bitcoin wallets as IOCs? With the ability to track payments, you can determine if bitcoins are going to specific wallet addresses, and then narrow that down to determine if they are the same two or three addresses over time. This will give you some idea of where and when cybercriminals are cashing out.

The value of the metadata as an indicator for malicious activity is because, although there are many variants of ransomware, the number of variants does not necessarily represent separate campaigns or cybercriminal groups. If you can follow the transactions through the blockchain, you can see how or if these variants are connected, and identify specific campaigns.

There is a well-known saying that if you want to know where trouble is coming from, follow the money. It’s hard to follow bitcoins, but all of those bitcoin wallets can help you see how ransomware is connected.

This research was provided by the TruSTAR Data Science Unit.

Source: https://www.darkreading.com/threat-intelligence/tracking-bitcoin-wallets-as-iocs-for-ransomware-/a/d-id/1331016?

Europe in the firing line of evolving DDoS attacks

The Europe, Middle East and Africa region accounts for more than half the world’s distributed denial of service attacks, a report from F5 Labs reveals.

The past year has seen a 64% rise in distributed denial of service (DDoS) attacks and greater tactical diversity from cyber criminals, according to customer data from F5’s Poland-based Security Operations Center (SOC).

However, more than 51% of attacks globally were targeted at organisations in Europe, the Middle East and Africa (Emea), and 66% involved multiple attack vectors, requiring sophisticated mitigation tools and knowledge, the report said.

The F5 report comes less than two weeks after several waves of powerful DDoS attacks hit banks and other organisations in the Netherlands.

Reflecting the spike in activity, F5 reported 100% growth for Emea customers deploying web application firewall (WAF) technology in the past year, while the adoption of anti-DDoS technology increased by 58%.

A key discovery was the relative drop in power for single attacks. In 2016, the F5 SOC logged multiple attacks of over 100Gbps, with some surpassing 400Gbps.

In 2017, the top attack stood at 62Gbps. This suggests a move towards more sophisticated Layer 7 (application layer) DDoS attacks that are potentially more effective and have lower bandwidth requirements.

“DDoS threats are on the rise in Emea and we’re seeing notable changes in their scope and sophistication compared with 2016,” said Kamil Wozniak, F5 SOC manager.

“Businesses need to be aware of the shift and ensure, as a matter of priority, that the right solutions are in place to halt DDoS attacks before they reach applications and adversely impact on business operations. Emea is clearly a hotspot for attacks on a global scale, so there is minimal scope for the region’s decision-makers to take their eyes off the ball,” he said.

Disruptive attacks

Last year started with a bang, the report said, with F5 customers facing the widest range of disruptive attacks recorded to date in the first quarter of 2017.

User Diagram Protocol (UDP) floods stood out, representing 25% of all attacks. Attackers typically send large UDP packets to a single destination or random ports, disguising themselves as trustworthy entities before stealing sensitive data. The next most common attacks were DNS reflection (18%) and SYN flood attacks (16%).

The first quarter of 2017 was also the peak for Internet Control Message Protocol (ICMP) attacks, whereby cyber criminals overwhelm businesses with rapid “echo request” (ping) packets without waiting for replies. In stark contrast, the first-quarter attacks in 2016 were evenly split between UDP and Simple Service Discovery Protocol (SSDP) floods.

The second quarter of 2017 proved equally challenging, the report said, with SYN floods moving to the front of the attack pack (25%), followed by network time protocol and UDP floods (both 20%).

The attackers’ momentum continued into the third quarter, the report said, with UDP floods leading the way (26%). NTP floods were also prevalent (rising from 8% during the same period in 2016 to 22%), followed by DNS reflection (17%).

The year wound down with more UDP flood dominance (25% of all attacks). It was also the busiest period for DNS reflection, which accounted for 20% of all attacks (compared to 8% in 2016 during the same period).

“Attack vectors and tactics will only continue to evolve in the Emea region. It is vital that businesses have the right systems and services in place to safeguard apps wherever they reside”

Kamil Wozniak, F5 SOC

Another key discovery during the fourth quarter of 2017, and one that underlines cyber criminals’ capacity for agile reinvention, was how the Ramnit trojan dramatically extended its reach. Initially built to hit banks, F5 Labs found that 64% of Ramnit’s targets during the holiday season were US-based e-commerce sites.

Other new targets included sites related to travel, entertainment, food, dating and pornography. Other observed banking trojans extending their reach included Trickbot, which infects its victims with social engineering attacks, such as phishing or malvertising, to trick unassuming users into clicking malware links or downloading malware files.

“Attack vectors and tactics will only continue to evolve in the Emea region,” said Wozniak. “It is vital that businesses have the right systems and services in place to safeguard apps wherever they reside. 2017 showed that more internet traffic is SSL/TLS encrypted, so it is imperative that DDoS mitigation systems can examine the nature of these increasingly sophisticated attacks.

“Full visibility and greater control at every layer are essential for businesses to stay relevant and credible to customers. This will be particularly important in 2018 as the EU General Data Protection Regulation comes into play,” he said.

Source: http://www.computerweekly.com/news/252434746/Europe-in-the-firing-line-of-evolving-DDoS-attacks

Final Fantasy network recovers after losing health points to DDoS attack

The network hosting the role-playing video game Final Fantasy XIV experienced significant disruptions for three hours yesterday as the result of a distributed denial of service (DDoS) attack.

A Feb. 5 posting on developer Square Enix’s online forum informed players that the company was able to fully restore the network and also reinforced its anti-DDoS defensive measures following the incident, which caused technical difficulties between 6:49 a.m. and 9:40 a.m. Eastern Time that day.

Earlier that same day, Square Enix acknowledged that gamers could be experiencing disconnections from and difficulties logging in to JP data center Worlds, as well as difficulties accessing, sending and receiving data from JP data centers.

In June 2017, Final Fantasy XIV was notably impacted by a multi-day DDoS attack campaign targeting the game’s North American data center.

“Online gaming companies are constantly under the barrage of DDoS attacks; sometimes there are dozens of attacks per day that range in size and scale,” said Stephanie Weagle, vice president of DDoS protection and mitigation company Corero Network Security. “Regardless of the motivation, or techniques used to execute the attacks, these cyber events lead to downtime, latency and availability issues… Any service downtime equates to drop-in visitors and a corresponding loss of revenue.”

Source: https://www.scmagazine.com/final-fantasy-network-recovers-after-losing-health-points-to-ddos-attack/article/742432/

Dutch Central Bank warns for phishing emails after DDoS attacks on banks

The Dutch Central Bank (DNB) has issued warnings to consumers about phishing e-mails, following a series of DDoS attacks on banks. ABN Amro, ING and Rabobank were the victims of long-term DDoS attacks on several occasions last weekend and earlier this week; these led to the disruption of online services. The Tax and Customs Administration and Dutch national ID system DigiD were also affected.

DNB said there is a chance that the number of phishing emails will now increase, following these DDoS attacks. “It is not unusual for DDoS attacks on banks to be followed by an increase in phishing mail to account holders. Criminals often attempt to use the agitation around digital attacks to make people feel vulnerable, and to then extract sensitive bank account details.

The recent DDoS attacks on the banks were advanced, according to the DNB. Banks have in place strong defensive measures to ensure that services are available through websites and internet banking. The banks have been in constant consultation with each other during the few last days and have worked together with the authorities, including the DNB and the National Cyber ​​Security Center. For such situations, multiple consultation structures have been set up, aimed at normalising payment transactions as quickly as possible.

Source:https://www.telecompaper.com/news/dutch-central-bank-warns-for-phishing-emails-after-ddos-attacks-on-banks–1230205

DUTCH BANKS, TAX AUTHORITY AGAIN TARGETED IN CYBER ATTACKS

ABN Amro, ING, Rabobank and the Tax Authority again faced DDoS attacks on Tuesday, though this time the financial services managed to deter them better than over the weekend. The attacks caused a short disruption in payment system iDeal, but the problems were quickly restored, NOS reports.

ABN Amro was troubled by attacks all day long, but they were mostly successfully fought off, a spokesperson said to the broadcaster. Around 5:30 p.m. the bank faced a short disruption.

ING reported a disruption on Twitter, and then reported that the problems were solved a short time later. “Due to a short-lived DDoS attack, our services were temporarily inaccessible. The problems have been solved: our services are again available for use. We apologize for the inconvenience.”

Rabobank faced an attack around 5:00 p.m. that lasted around 8 minutes. “Customers experienced a delay, opening the app took longer and there were errors. It is not comparable with [Monday]”, a spokesperson said to the broadcaster.

The Tax Authority’s website was offline for about 7 minutes on Tuesday. The DDoS attack lasted about half an hour after the site was restored, but did not affect the website’s performance, according to a spokesperson. The attack happened around 7:00 p.m.

SNS also faced a DDoS attack, but customers experienced no problems, NOS reports.

ABN Amro, ING, Rabobank and the Tax Authority all had problems with DDoS attacks between Saturday and Monday. In a DDoS attack, a website is bombarded with huge amounts of data, overloading the server and crashing the site. Security company ESET determined that the attacks that targeted the banks came from servers in Russia.

Screen Shot 2018-01-31 at 10.34.40

Screen Shot 2018-01-31 at 10.34.50

Screen Shot 2018-01-31 at 10.35.02

Source: https://nltimes.nl/2018/01/31/dutch-banks-tax-authority-targeted-cyber-attacks

RUSSIAN SERVERS LINKED TO DDOS ATTACK ON NETHERLANDS FINANCIAL NETWORK: REPORT

The DDoS attacks that hit ABN Amro, ING and Rabobank over the weekend and on Monday, came from servers in Russia, according to security company ESET. The company adds that this does not automatically mean that the perpetrators are also in Russia, the Telegraaf reports.

The perpetrators used a so-called botnet – an army of hijacked computers and smart devices – to commit the DDoS attacks. Using the program Zbot, they remotely ordered these devices to visit a certain site en masse, thereby overloading the site’s server and crashing the site. The command and control servers are mainly in Russia, ESET determined.

The motive for these attacks is still unknown. The security company points out that the perpetrators can be anyone ranging from bored teenagers to state hackers – DDoS attacks are easy to buy online.

The Tax Authority’s site was also hit by a DDoS attack on Monday morning, leaving the site unavailable for a short period. ESET can’t yet say whether this attack is linked to the attacks on the banks.

The Ministry of Justice and Security called the attacks on the Dutch institutions very advanced, according to BNR. “But for example Dutch banks are known in Europe for having their cyber security in order. You often see that this provokes more advanced attacks. We are now fighting at a very high level”, the Ministry said. The Ministry can’t yet say who is behind these attacks.

Source: https://nltimes.nl/2018/01/29/russian-servers-linked-ddos-attack-netherlands-financial-network-report