Category Archives: DDoS

Majority of focused cyber-attacks are being stopped

Companies are getting better at spotting things like ransomware and DDoS. Companies are nowadays faced with more than double the number of ‘focused attacks’ compared to last year. However, they are

The post Majority of focused cyber-attacks are being stopped appeared first on The Cyber Security Place.

5 cybersecurity questions retailers must ask to protect their businesses

The Target breach in 2013 may not be the biggest retail breach in history, but for many retailers, it was their watershed moment.

Point-of-sale (PoS) terminals were compromised for more than two weeks. 40 million card details and 70 million records of personal information swiped—part of which was “backlist,” historical transaction information dating back to more or less a decade ago. Card unions paid over $200 million in cost for card reissues. They then filed a class-action lawsuit against Target to regain this cost.

And the most mind-blowing fact of all? Target actually had (and still does have) cybersecurity measures in place and a security policy for employees to follow. How and why the breach even happened the way it happened remained the subject of discussion for a long time, and hard lessons were learned.

The good news for retailers is that it doesn’t (always) have to be this way.

Pose the right questions

Retailers of all shapes and sizes care about their businesses and clients. No merchant would want to be in the shoes of Target or TJX for a minute, post-breach. In fact, if they can keep something as big and messy and costly from happening to them, they would do anything.

It’s understandably challenging to add more to an already tall order of “things to do” in the retail industry; however, cybersecurity should no longer be seen as an afterthought, nor should it be treated like an option that one can get hyped up about today and then forget tomorrow. It has quickly become an integral part of any organization for the sake of business continuity, client retention, and brand integrity.

If you remain unconvinced whether you really need to incorporate cybersecurity in your business, perhaps this is a thought you can consider: If your organization uses any form of technology that connects to a data communication avenue and/or the Internet, chances are you need cybersecurity.

“Where do I start?” is probably not the right question to ask once you decide to kick off this journey, for you’ll most certainly receive an “I don’t know” or “I have no idea” just as instantly. Instead, be specific and practical. Come up with questions that you think you can answer. We have listed some below that you can use to guide you on your way.

What am I using in business that needs protecting?

Here, you can list your valuable assets, beginning with the tangible (the retail store, CCTV cameras, mobile phones, point-of-sale machines, etc.) and then the intangible (your website, customer data, intellectual property, etc.). Once done, you can then find out ways to secure them individually according to your business’s needs. Most of the time, all you need to do is configure your devices and peripherals to make the most of their security-related settings.

For example, installing smart CCTV cameras on-premises can both lessen the risk of physical theft and aid law enforcement in capturing criminals should something terrible happen in the shop. But who is watching your watcher? Better yet: Who else could be watching through your watcher? A lot of CCTV cameras can be accessed publicly via the Internet. You can secure these cameras and ensure that you and your staff are the only ones who can use them by setting them to local-only mode and changing their admin usernames and passwords.

You may also decide to seek help from your service provider with more complicated devices and systems.


Read: Why you don’t need 27 different passwords


Should you wish to invest in software or tools, pick those that protect as many of your assets as possible. For example, many endpoint security solutions allow users to install them on multiple devices running Windows.

What are the threats that can potentially affect my business?

Cybersecurity threats to retail businesses can come in the form of people or technology. We’re quite familiar with the former: from the petty thief to an organized crime group. There are also malicious insiders and basically anyone meaning to make money out of your business.

On the other hand, one thing merchants miss when identifying what could potentially introduce threats to their companies is the very technology (apps, modern payment systems, and others) they use or invest in to remain competitive. The dangers or risks introduced by these are usually accidental, and can be avoided entirely.

Customer data remains the primary target of fraud in the retail industry. For those who may not be in the know, a single customer’s data may contain their credit or debit card details, spending patterns or habits, and loyalty behaviors, which can be retrieved from online shopping, digital marketing, and loyalty schemes they’re enrolled in.

Other threats retailers must keep in mind and defend themselves against include malicious insiders, spear phishing, DDoS attacks, brute force attacks, reconnaissance and suspicious activity attacks, supply chain attacks, and more. If you’re a merchant that uses the omni-channel approach, be aware that there is now a new type of fraud in this environment. We’ll tackle this in depth in a future post.

How can I keep cybersecurity threats away from my business?

Merchants have gotten really good at handling traditional risks and threats to their businesses. But managing potential physical risks, which is fantastic, is one thing, and managing digital risks is another. Thankfully, new and old merchants alike don’t have to start from scratch. There are already industry standards in place, such as the Payment Card Industry Security Standards Council’s Data Security Standard (PCI DSS), that they can readily draw from. The Object Management Group (OMG), an international technology standards consortium, also has a cybersecurity standard that merchants may want to look into as well. And, oh, if you have clients in the UK and EU countries, let’s not forget GDPR.

As for other cybersecurity threats that need addressing, such as those that affect a merchant’s website, our Labs blog has a lot of great resources:

The National Federation of Retail Newsagents (NFRN), an organization composed of thousands of independent retailers in the UK and Northern Ireland, published a booklet that also serves as a checklist for merchants regarding assessing retail crime risk. This list includes physical security and cybersecurity.

Lastly, merchants must decide on a regular time to conduct a risk assessment—monthly, quarterly, biannually, or annually.

Should my employees get involved in mitigating cybersecurity risks?

Absolutely. When it comes to implementing good security practices in a retail business, merchants cannot do it alone. One way they can start employees off is by creating a culture of cybersecurity at the very beginning. Merchants can even incorporate awareness and basic cybersecurity concepts in their training process for new hires. Get them up to speed with the kinds of digital threats the business may come face-to-face with at some point in the future and provide them the steps on how to respond efficiently to red alert cases.


Read: How to create an intentional culture of cybersecurity


Note that training must be done on a regular basis and not just a one-off occurrence. It must also be relevant, practical, and engaging to employees. Use familiar case studies like the Target breach, or if your organization has experienced a form of cyberattack in the past, use that as a teaching moment, too.

What else can I do once I’ve secured the business’s assets?

Once you’ve done a great deal of securing, realize that the job doesn’t end there. There are still some things that need to be done:

  • Monitor your PCI environment on a regular basis. Doing so will notify you in real time of potential intrusions in your payment system so you can nip the threat in the bud before the situation escalates.
  • Schedule a regular audit of security and compliance. This will ensure that your retail business remains in compliance with security and industry standards.
  • Join a community. Information sharing among fellow merchants is becoming a trend when it comes to cybersecurity. Firms learn from each other’s victories and mistakes. After all, cybercrime is not just a problem of one but of every organization in the industry. Cybersecurity, in this regard, is now a community effort.
  • Keep learning. Staying on top of the latest security news and industry challenges can help merchants familiarize themselves with tactics threat actors are using against retailers, assess their current situation, and make adjustments to their defenses and protocols accordingly.
  • Prioritize security and privacy when creating apps. Should you choose to develop software, such as apps, that you encourage your clients to install, make sure that you have security in mind when building them.
  • Create a security policy. This makes good computing practices not just feel like guidelines but actual procedures employees need to adhere to. Here are sample templates merchants can use and tweak to their preference.

Stop chasing the wrong answers

Breaches are inevitable. This is a known fact and an often-repeated line by people in the cybersecurity industry. Companies have been advised to prepare.

That said, perhaps a merchant’s next and final question would be this: If a breach is inevitable, then what’s the point of doing all this?

It’s true that no one wants to invest a lot of time and money in security tools, services, and people to fight off breaches only to be told it’s not possible. The message they’re hearing is “the bad guys always win, and there’s nothing you can do about it.” However, this isn’t in line with reality at all.

While there’s no such thing as perfect security, the protocols a multitude of companies have in place have already helped them stop many breach attempts.

Unfortunately, sometimes threat actors do succeed in infiltrating a retailer’s network. In this case, the logical action is to contain the intrusion to prevent it from escalating and causing more damage. But containment and preventative steps cannot be taken if proper security measures, guidelines, and a good security architecture aren’t in place to begin with. Identifying what made the intrusion successful so the organization can make changes is also part of the overall cybersecurity strategy. So putting those measures in place isn’t for naught.

The post 5 cybersecurity questions retailers must ask to protect their businesses appeared first on Malwarebytes Labs.

Real-time detection of consumer IoT devices participating in DDoS attacks

Could we detect compromised consumer IoT devices participating in a DDoS attack in real time and do something about it? A group of researchers at Princeton University have presented some encouraging results showing that the first part of that equation can be relatively easily solved. As IoT traffic is often distinct from that of other Internet-connected devices, and as machine learning has proved promising for identifying malicious Internet traffic, they decided to use these facts to … More

The post Real-time detection of consumer IoT devices participating in DDoS attacks appeared first on Help Net Security.

Experts uncovered a proxy botnet composed of over 65,000 routers exposed via UPnP protocol

Security researchers at Akamai have discovered a proxy botnet composed of more than 65,000 routers exposed to the Internet via the Universal Plug and Play (UPnP) protocol.

Crooks have compromised the devices of this multi-purpose proxy botnet to conduct a wide range of malicious activities, including spamming and phishing, click fraud, account takeover and credit card fraud, distributed denial of service (DDoS) attacks, malware distribution, and also bypassing censorship.

While the researchers were investigating attacks against Akamai’s customers, they discovered that the vulnerable devices carried NAT injections that allow attackers to abuse them.

“While researching UPnP-enabled devices detected as participants in attacks against Akamai customers, we discovered that some devices appeared to be more susceptible to this vulnerability than others, and contained malicious NAT injections,” reads the analysis published by Akamai. “These injections were present on a handful of the devices found in the wild, and appeared to be part of an organized and widespread abuse campaign.”


Akamai discovered over 4.8 million devices that were found to be vulnerable to simple UDP SSDP inquiries. Of these, roughly 765,000 (16% of total) were confirmed to also expose their vulnerable TCP implementations, while over 65,000 (1.3% of total) were discovered to have NAT injections.

“These injections appeared to point to multiple services and servers around the Internet. A majority of the injections appear to target TCP ports 53 (15.9M for DNS), 80 (9.5M for HTTP), and 443 (155K for HTTPS),” continues the analysis. “A wide range of devices are affected, most of them being consumer-grade networking hardware. 73 brands/manufacturers and close to 400 models [were affected].”

The UPnP communication protocol is widely adopted even if it is known to be vulnerable. In early 2013, researchers at Rapid7 published an interesting whitepaper entitled “Security Flaws in Universal Plug and Play” that evaluated the global exposure of UPnP-enabled network devices.

The report highlighted that over 23 million IPs running the Portable UPnP SDK were vulnerable to remote code execution through a single UDP packet, and that over 6,900 product versions from over 1,500 vendors were vulnerable through UPnP due to the exposure of the UPnP SOAP service to the internet.

UPnP allows the automated negotiation and configuration of port opening/forwarding within a NATed networking environment; by abusing the protocol, attackers can control the traffic going in and out of the network.

The malicious botnet uncovered by Akamai is composed of vulnerable devices carrying malicious NAT injections that turn the routers into proxies; for this reason, the experts called the injected devices UPnProxy.

“The injected NAT entries were designed to be working in sets across various devices. Thus, across the 65,000 infected devices, 17,599 unique endpoint IP addresses were discovered.” continues the report. “The most-identified IP was injected over 18.8 million times across 23,286 devices, while the second-most-injected IP appeared over 11 million times across 59,943 devices.”

According to Akamai, part of this proxy botnet had already been discovered by researchers at Symantec while investigating the “Inception Framework” used by an APT group; in that case, Symantec’s research confirmed that the UPnProxy instances were used to obfuscate the operators’ true locations.

The APT associated with the Inception Framework is still active and continues to evolve its arsenal and TTPs.

To check whether your router has been compromised for UPnProxying, scan the endpoint and audit its NAT table entries.

Many frameworks and libraries available online could be used for this purpose.
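One way to perform the NAT-table audit described above, as an added example that is not code from the article or from Akamai: it parses a router’s UPnP `GetGenericPortMappingEntry` answers and flags any mapping whose internal client lies outside the LAN, which is what a UPnProxy injection looks like (a legitimate NAT entry forwards to a host inside the LAN). The LAN range, the control URL and the sample SOAP responses are constructed assumptions.

```python
"""Audit a UPnP IGD port-mapping (NAT) table for UPnProxy-style injections.

Assumptions (not from the original article): the router exposes the standard
WANIPConnection:1 service, and a mapping whose NewInternalClient is not a LAN
address is treated as suspicious. Sample responses below are constructed.
"""
import ipaddress
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Iterable, List, Optional

SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription",
          "NewLeaseDuration")


def build_request(index: int) -> bytes:
    """SOAP body asking the IGD for the port mapping at position `index`."""
    return (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:GetGenericPortMappingEntry xmlns:u="{SERVICE}">'
        f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
        "</u:GetGenericPortMappingEntry></s:Body></s:Envelope>"
    ).encode()


def fetch_mapping(control_url: str, index: int) -> str:
    """POST one request to the IGD control URL (taken from the device
    description XML) and return the raw reply. Devices answer SOAP faults with
    HTTP 500, so the fault body is read from the HTTPError as well."""
    req = urllib.request.Request(control_url, data=build_request(index), headers={
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{SERVICE}#GetGenericPortMappingEntry"',
    })
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.read().decode(errors="replace")


def parse_mapping(xml_text: str) -> Optional[dict]:
    """Return the mapping fields of a GetGenericPortMappingEntry response, or
    None for a SOAP fault (error 713 marks the end of the table)."""
    root = ET.fromstring(xml_text)
    if root.find(f".//{{{SOAP_NS}}}Fault") is not None:
        return None
    entry = {}
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # strip any namespace
        if tag in FIELDS:
            entry[tag] = (el.text or "").strip()
    return entry


def is_injected(entry: dict, lan: ipaddress.IPv4Network) -> bool:
    """A NAT entry whose internal client is outside the LAN forwards traffic to
    an Internet host: the hallmark of a UPnProxy injection."""
    try:
        client = ipaddress.ip_address(entry["NewInternalClient"])
    except (KeyError, ValueError):
        return True  # missing or malformed client address deserves a look
    return client not in lan


def audit(responses: Iterable[str], lan_cidr: str) -> List[dict]:
    """Walk the responses in index order until the first fault and return the
    suspicious entries."""
    lan = ipaddress.ip_network(lan_cidr)
    suspects = []
    for xml_text in responses:
        entry = parse_mapping(xml_text)
        if entry is None:
            break
        if is_injected(entry, lan):
            suspects.append(entry)
    return suspects


def _sample_response(**fields) -> str:
    """Constructed GetGenericPortMappingEntry response (test data, not a capture)."""
    body = "".join(f"<{k}>{v}</{k}>" for k, v in fields.items())
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:GetGenericPortMappingEntryResponse xmlns:u="{SERVICE}">{body}'
            "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>")


# Constructed table: one legitimate LAN forward, one injection to a public host
# on TCP/53 (the port family Akamai saw most), then the end-of-table fault.
SAMPLE_RESPONSES = [
    _sample_response(NewRemoteHost="", NewExternalPort=8080, NewProtocol="TCP",
                     NewInternalPort=32400, NewInternalClient="192.168.1.20",
                     NewEnabled=1, NewPortMappingDescription="media server",
                     NewLeaseDuration=0),
    _sample_response(NewRemoteHost="", NewExternalPort=53, NewProtocol="TCP",
                     NewInternalPort=53, NewInternalClient="203.0.113.7",
                     NewEnabled=1, NewPortMappingDescription="", NewLeaseDuration=0),
    (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault><faultcode>s:Client'
     "</faultcode><faultstring>UPnPError</faultstring><detail>"
     '<UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713'
     "</errorCode><errorDescription>SpecifiedArrayIndexInvalid</errorDescription>"
     "</UPnPError></detail></s:Fault></s:Body></s:Envelope>"),
]

if __name__ == "__main__":
    for e in audit(SAMPLE_RESPONSES, "192.168.1.0/24"):
        print("suspicious mapping:", e)
```

For a live check of your own router, feed `audit()` a generator such as `(fetch_mapping(url, i) for i in range(1024))`, where `url` is the WANIPConnection control URL from the device description XML (a hypothetical example: `http://192.168.1.1:5000/ctl/IPConn`).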

Pierluigi Paganini

(Security Affairs – UPnP, proxy botnet)

The post Experts uncovered a proxy botnet composed of over 65,000 routers exposed via UPnP protocol appeared first on Security Affairs.

New variant of the Mirai Botnet targets the financial industry

Early this year at least three European financial institutions were hit by DDoS attacks powered by a new variant of the Mirai botnet.

A variant of the Mirai botnet, composed of at least 13,000 compromised IoT devices, was used to launch a series of DDoS attacks against financial sector businesses. The DDoS attacks peaked at 30 Gbps of malicious traffic.

Researchers at Insikt Group, the Recorded Future threat research team, reported this week that their analysis of the malware samples involved in the assaults linked the Mirai variant to the IoTroop botnet, aka Reaper.

The latest attacks observed by Recorded Future took place between Jan. 27 and 28; the experts spotted three different attacks.

“The first attack occurred on January 28, 2018 at 1830 UTC. A second financial sector company experienced a DDoS attack the same day and time, likely utilizing the same botnet. A third financial sector company experienced a similar DDoS attack a few hours later at 2100 UTC the same day.” states the report published by Recorded Future.

The first DDoS attack implemented a DNS amplification technique and peaked at 30 Gbps. Researchers are unsure what the volumes of subsequent attacks were.


According to the researchers, the botnet used in the attack on the first company was composed of 80 percent compromised MikroTik routers and 20 percent various other IoT devices (e.g., Apache and IIS web servers, webcams, DVRs, TVs, and routers).

The experts speculated about a possible evolution of the IoTroop botnet, improved by including code to exploit new vulnerabilities in IoT devices.

“If these attacks were conducted by IoTroop, then our observations indicate the botnet has evolved since October 2017 to exploit vulnerabilities in additional IoT devices and is likely to continue to do so to propagate the botnet and facilitate larger DDoS attacks,” continues the report.

The experts at Recorded Future found some differences between this latest Mirai variant and both the original Mirai and the IoTroop bot.

The botnet’s ability to infect devices from different manufacturers suggests a widespread and rapidly evolving botnet that appears to be leveraging publicly disclosed flaws in many IoT devices.

“While many of the IoT vendors and devices appeared in the (IoTroop) research published in October 2017, many of the devices such as Dahua CCTV DVRs, Samsung UE55D7000 TVs and Contiki-based devices were previously unknown to be vulnerable to Reaper/IoTroop malware,” researchers said.

The most important improvement of the Mirai variant used in the last attacks is the inclusion of the IoTroop code that allows the botmaster to update the malware on the fly.

“Reaper was built using a flexible Lua engine and scripts, which means that instead of being limited to the static, pre-programmed attacks of previous exploits, its code can be easily updated on the fly, allowing massive in-place botnets to run new and more malicious attacks as soon as they become available,” continues the analysis.

The availability of the Mirai source code is allowing crooks to create their own versions of the botnet and rent them to other cybercriminals; it is easy to predict new attacks powered by improved versions of the original botnet.

Pierluigi Paganini

(Security Affairs – Mirai botnet, DDoS)

The post New variant of the Mirai Botnet targets the financial industry appeared first on Security Affairs.

Physician, protect thyself: An ounce of prevention is worth a pound of cure

In part one of our Physician, protect thyself series, we recognized significant security problems within the healthcare industry that need addressing. Health organizations moving from the paper to the ‘puter—a shift meant to improve care and overall patient experience—inadvertently introduced substantial privacy risks to healthcare records. They are suddenly accessible whenever and wherever the patient or medical staff is. Not only that, patient records are now as portable, transferable, alterable, and destructible as they can be—by both good and bad actors. The interconnectedness of devices and systems further compounds the risk.

BYOD, the boom of mHealth apps, the cloud, and the lack of awareness among staff have made healthcare cybersecurity more challenging than ever.

These are challenges that, thankfully, two particular staff members of small- to medium-sized hospitals or clinics can tackle, with a little help from others: the Manager and the IT Specialist. They are the prime movers in turning things around for healthcare SMBs (with proper security guidance, of course).

So in part two of this series, we’ll provide them with tips to prepare for new responsibilities that directly affect the state of cybersecurity and privacy readiness.

Did someone say “CISO”?

Security consultants in the healthcare industry advise all organizations to hire their own Chief Information Security Officer (CISO), as health records being moved online calls for information security to be at the forefront of any strategy. Some larger hospitals can likely accommodate this position in their ranks; however, this may not be possible for smaller ones.

For one, healthcare organizations, like other industries, are seeing a shortage of IT security talent. This is because technologies are adopted at a quicker pace than people are getting trained to manage, maintain, and secure them. For another, a majority of healthcare facilities only devote a small budget for security. In this case, it’s not surprising to find that computer systems in SMB hospitals and clinics are ill-equipped to handle cyberattacks, much less have a dedicated IT person overseeing them.

With challenges like these, they could resort to looking into several low-cost alternatives:

  • Avail themselves of the service of a virtual CISO (vCISO), which some companies offer
  • Hire internally
  • Expand the job descriptions of particular individuals in the right positions

With point three in mind, the manager position is the likely role to be awarded additional tasks—and for a good reason. Managers have oversight on people, policies, organizational strategy, resources, and communication. And when it comes to introducing change, managers are responsible for planning the direction, communicating it, and overseeing the changes taking place.

The Health Information Manager (HIM), also known as the Health Information Administrator, is viewed as the information specialist in healthcare, as they are responsible for obtaining, examining, ensuring the accuracy of, and protecting patient medical information.

While it is great news that healthcare is now setting an exponentially higher budget for cybersecurity, this is mostly for buying technologies and solutions and not for hiring. As such, there is still a need for the right people to do the job that needs to be done.

And so, without further ado…

The Manager

To up their game, managers must begin thinking about cybersecurity and privacy, and find ways to incorporate them into the daily duties of staff within the facility.

Review current practices

A good place for managers to start is to review the current physical security measures they practice inside and outside hospital or clinic premises. Now you might think, “Hang on, why should managers look into how they lock their doors first when we’re talking about cybersecurity?” What most of us may not realize is that computer security starts with physical security. Is it any wonder that some cybersecurity experts are also fond of lock picking?

Physical security is often overlooked and underestimated. Worse, it is seldom talked about within cybersecurity. With healthcare organizations and facilities that heavily rely on medical devices, systems, and health information all linked together in a network, the need for physical security becomes very real the moment, say, a DDoS attack renders systems inoperable and causes a power outage that prevents doctors from performing serious care or emergency surgeries in the ICU.

It is imperative that managers think back and assess where the facility stands for compliance with the industry standards and security frameworks they’ve adopted.

More importantly, managers must review the facility’s information lifecycle—the stages through which records go—from their creation to their archiving or destruction. Consider the following questions:

  • Have staff consistently followed proper protocol when it comes to the disposal of printed-out patient records and other medical documents? (e.g., Do they just dispose of them in public dumpsters or other containers that are accessible to the public or unauthorized persons?)
  • Have staff consistently followed proper protocol when it comes to the reuse of office furniture where physical or electronic records are kept and/or electronic media (such as CDs and USB sticks)?
  • Are confidential and non-confidential data stored in separate spaces?
  • Are stored records and other sensitive documents encrypted?
  • What’s the policy on data retention?

Identify feasible threats and vulnerabilities

The Manager must then identify what measures need improvement, what additional security procedures they should introduce, and what practices they can scrap (if any) and replace with something more efficient, sound, manageable, and repeatable. This process is called risk assessment. And the Manager may need to talk to staff and third-party vendors for their input.

Consider the following questions:

  • What could possibly happen if a member of staff lost his/her access cards and went unreported for a few days?
  • What could possibly happen if USB ports on computers and devices are left open?
  • How many external vendors have access to their records and/or facility?
  • Can staff access the open web on any computer terminal?
  • Should they consider getting an insurance policy in case of potential damages incurred in the event of a cyberattack?

Note that a regular review (e.g., once a year) of potential vulnerabilities is needed to stay on top of critical weaknesses that need to be prioritized.

Introduce a culture of cybersecurity

Educating employees is the first step, but it doesn’t end there. Education is merely part of the security culture the Manager would want to incorporate into the bigger cultural setup in healthcare. His/her ultimate aim is to instill security practices in staff to the point that doing them comes naturally, whether they’re within the facility or outside it.

This is the foreseen outcome of an intentional culture of security: people think, act, and behave the same way no matter where they are or where they work. For example, if healthcare personnel are trained to treat links and attachments in emails as suspect, they would likely act the same way when they check emails at home.

I mentioned before that people generally have a negative perception of security, and the Manager must realize this. Doing so can help him/her change the tone and language to use when introducing this new culture in an already complicated setup.

As champion, the Manager must create a narrative focusing on the benefits of practicing basic security hygiene and of staff playing their part in securing patient health records. In addition, he/she should be sure that training and awareness campaigns are in place not to hinder or delay staff from caring for their patients but actually to increase patient satisfaction, as they increase the likelihood that patients’ PHI is safe.

Create a cybersecurity training plan

If the Manager doesn’t know where to start in drafting a training plan, the SANS Institute, a company specializing in cybersecurity training and information security, has a robust toolkit they can use to start this off. They may wish to cover the following topics in the plan:

  • Definition of terms, such as phishing
  • Social engineering tactics
  • Scams and fraud tactics
  • Extra: Good computing habits in the workplace
  • Extra: Workplace social media security

Update the hospital or clinic policy to include a section on cybersecurity

To further drive home the need for change and to foster accountability on everyone within the facility, the Manager must also update the current policies to include cybersecurity. At this point, he/she may already have an idea of what to add, given that they already did a review of current practices and assessed potential threats and vulnerabilities in the existing hospital or clinic setup.

Other items the Manager should include in the new section of the policy are:

  • What security software programs are/should be running on endpoints
  • For endpoints facing the open web, what browser and plugins should be installed
  • How and how often sensitive information or PHI are backed up
  • How and when software updates will be applied
  • Which users have admin rights on endpoints
  • Who is responsible for maintaining, enforcing, and reviewing the cybersecurity policy

The Manager must also address security concerns surrounding BYOD, the cloud, internal WiFi, and even working remotely, as many healthcare practitioners have already welcomed these.

Include acceptable usage guidelines, stressing the importance of locking machines, devices, and accounts using multi-factor authentication, and how to report security incidents should a staff member encounter one. Furthermore, the policy must clearly state what would happen if a staff member is found to be non-compliant, especially in the event of a breach.

After updating the policy, the Manager must then set a review period for the cybersecurity policy to maintain currency and relevancy.


Read: How to create a successful cybersecurity policy


The IT Specialist

For some SMBs, having a dedicated IT department or person is quite uncommon. Many believe that one wouldn’t really need one as long as there is someone responsible for overseeing IT support tasks and ensuring that sensitive information is stored and appropriately protected at all times. However, this may not be applicable to SMB hospitals and clinics due to the nature of their round-the-clock availability and care.

As the lack of a dedicated specialist could mean that such IT tasks may likely fall into the hands of the Manager, at this point, we highly suggest hiring for a specialized IT role. Not only would this ease the burden on managers, who apart from having a ton on their plate are also involved in the care of patients, this would also allow the IT person to focus on providing support for staff and patient needs that only an IT specialist can offer.

These tasks include (but are not limited to) installing and maintaining software on endpoints, configuring hardware to ensure they follow industry standards and internal policies, and monitoring the network for any form of intrusion.

Note that the IT role can be a temporary one, as nowadays, current technology has made it possible for SMBs to survive without an in-house specialist. Healthcare SMBs can also take this route if budget constraints continue to prevent them from keeping an IT person in the long run.

Should the healthcare facility require IT support, they can always avail themselves of third-party services. Outsourcing IT needs can also avoid the potentially high turnover of professionals experienced by many healthcare SMBs, and address the constant monitoring and managing of BYOD devices. Of course, IT hired under contract must be bound by the security policies of the facility for its safety and the safety of its patients’ sensitive information.

Regardless of who is wearing the IT tinfoil hat, we suggest the following to beef up the security of the healthcare facility and the scores of valuable data they house.

Introduce an identity and access management (IAM) system

An IAM is a framework that businesses of all sizes use to manage digital identities. It allows active employees to access various accounts without the need for multiple logins. With the guidance of the Manager, IT can limit the number of accounts a particular group of employees can access via an IAM.

Examples of such systems are Okta, OneLogin, Centrify, and SailPoint. It’s important for healthcare facilities to control who accesses what accounts or systems to foster accountability and minimize unauthorized access or disclosure of information, either done maliciously or as a result of negligence on the part of the staff.

Schedule regular backup and encryption of information

Now more than ever, backing up files has become a necessity—thanks to the proliferation of ransomware. In a previous post, we described the 3-2-1 method of backing up, which goes like this:

  • Make 3 different copies of your data
  • Store 2 copies in different forms of media
  • Store 1 copy offsite

Furthermore, do not just back up the data, but encrypt it as well.

Schedule regular software patching

Doing this alone would perhaps stop a large chunk of attacks, given that most healthcare facilities, regardless of size, run on outdated operating systems and other software.

Disable USB ports on endpoints that do not need them

There are many ways things can go wrong if an endpoint has an open USB port that anyone can simply plug into. Sure, charging a smartphone may be the most benign thing you can do with it, but open USB ports also encourage staff to plug in potentially risky external drives. It is safer to disable unneeded ports physically or via the Windows registry to mitigate the spread of malware and even the theft of highly sensitive data.

Tackle issues surrounding free, in-house WiFi

It’s not uncommon for SMB hospitals and clinics to offer free WiFi to patients, visitors, and staff within the facility. The IT specialist must set up the network to meet the needs of both staff and non-staff, starting with making sure that:

  • The main network is separate from the guest network
  • The main network will be able to handle heavy traffic from multiple endpoints, including healthcare IoT devices, and support bandwidth-intensive transfers, such as voice over wireless LAN
  • The main network is encrypted (WPA)
  • The main network must not be used by personal devices, such as smartphones, tablets, or laptops (but this can be decided on a case-by-case basis)
  • The guest network must have a limited bandwidth
  • The guest network must have certain websites blocked to discourage bandwidth hogging
  • The guest network must not be able to retrieve sensitive records belonging to patients or the facility
  • The guest network must be secured with a password
  • Users are informed about the facility’s Acceptable Use Policy

Draft a business continuity/disaster recovery plan

The IT Specialist must work with the Manager in creating a plan on what the hospital or clinic will do during and after a breach. After all, as we keep saying, “It’s no longer a matter of ‘if’ but ‘when’ a breach will happen,” so everyone must expect that it will at some point. If they need further help on this, there are guides and templates available online they can customize to their needs. Here’s one from SANS.

Consider using virtualization

Sensitive files leaving the facility’s servers has always been a great concern for healthcare, and for many, virtualization has helped mitigate this pain point. As healthcare is different from other industries, the pros and cons of virtualization must be weighed carefully, because adopting it may introduce other complexities the facility is not equipped to handle. One example of a possible problem is server or application downtime, which can potentially stop care operations for a period.

Conclusion

Benjamin Franklin once said that an ounce of prevention is worth a pound of cure. This has never been truer than it is today.

It is encouraging to find that current healthcare leaders are making mature and quick strides in cybersecurity. Studies have shown that the majority of threats aimed at the healthcare industry are preventable and can be mitigated with proper staff education, training, consistent follow-through, enforcement of security policies, and continuous compliance with industry standards.

If the Manager and the IT Specialist continue to work with staff and their own resources, they have already made that first difficult step towards a more secure healthcare facility.

The post Physician, protect thyself: An ounce of prevention is worth a pound of cure appeared first on Malwarebytes Labs.

Cyber Security Roundup for March 2018

In the wake of the global political fallout over the Salisbury nerve agent attack, there are reports of a growing threat of Russian state or Russian state-affiliated hacking groups conducting cyber attack reprisals against UK organisations. Government officials have directly warned bosses at electricity, gas and water firms, Whitehall departments and NHS hospitals to prepare for a state-sponsored cyber assault.


Large-scale data breaches were disclosed with Under Armour’s Fitness App MyFitnessPal (1.5 million personal records compromised), Orbitz (880k payment cards at risk), and at a Walmart partner (1.3 million personal records compromised). The latter was caused when an AWS S3 bucket holding a Walmart database was left with open access, which isn't the first time a cloud service misconfiguration has caused a major data breach.

TalkTalk was warned about its website’s poor security after a hacker known as 'B' disclosed a cross-site scripting vulnerability on the talktalk.co.uk website to Sky News. TalkTalk was given a record £400,000 fine by the Information Commissioner's Office following a major website breach in October 2015, in which 157,000 customer details were stolen. The company was told to "be more diligent and more vigilant” and was fined a further £100,000 after data belonging to 21,000 customers was exposed to "rogue" staff at an Indian call centre.

GitHub survived the largest DDoS attack ever recorded, which peaked at a massive 1.35 terabytes of data per second, thanks to Akamai DDoS protection.

UK schools were warned that they are soft targets for cybercriminals. Experts believe many schools are ill-equipped to prevent cyber thefts, with sensitive data such as children’s medical records said to be lucrative on the dark web. A number of security incidents involving UK schools have been disclosed in recent months.

Gwent Police are facing scrutiny by the Information Commissioner's Office for not informing 450 people that hackers may have accessed their personal information, despite having discovered the breach over a year ago.

A hacker alleged to have led the gang that ran the Carbanak and Cobalt bank-targeting malware has been arrested. The gang is reported to be responsible for the theft of up to a billion euros through bank transfers and from cash machines, from over 100 banks since 2013.

Radware Blog: Choosing the Right DDoS Solution – Part III: Always-On Cloud Service

This blog series dives into the different DDoS protection models, in order to help customers choose the optimal protection for their particular use-case. The first parts of this series covered premise-based appliances and on-demand cloud services. This installment will cover always-on cloud DDoS protection deployments, its advantages and drawbacks, and what use-cases are best for […]

The post Choosing the Right DDoS Solution – Part III: Always-On Cloud Service appeared first on Radware Blog.

Do you have what it takes to withstand modern DDoS attacks?

As the latest record DDoS attack hit GitHub and threatened to overwhelm its edge network, the popular Git-repository hosting service quickly switched to routing the attack traffic to their DDoS mitigation service. In the end, GitHub ended up completely unavailable for five minutes and intermittently unavailable for four. But while the effect of the attack could have been worse, GitHub’s engineering team aims to do better next time they are hit. Robert Hamilton, Director of … More

The post Do you have what it takes to withstand modern DDoS attacks? appeared first on Help Net Security.

DDoS attacks are growing: What can businesses do?

Depending on the type and size of your organization, a DDoS (Distributed Denial of Service) attack can be anything from a small nuisance to something that can break your revenue stream and damage it permanently. A DDoS attack can cripple some online businesses for a period of time long enough to set them back considerably, or even put them out of business completely for the length of the attack and some period afterwards. Depending on the kind of attack, there can also be—intentional or not—side effects that can further hurt your business.

Let’s see what we are up against and what we can do about it.

Introduction

DDoS stands for Distributed Denial of Service. It is a network attack in which attackers force numerous systems (usually infected with malware) to send network requests to one specific server. The result is that the receiving server is overloaded by nonsense requests, which either crash it or occupy it so completely that normal users are unable to establish a connection.

This type of attack has been popularized by numerous hacker groups as well as by state-sponsored attacks conducted by governments against each other. Why? Because they are easy to pull off. Often the attackers use bots or otherwise enslaved computers and devices to overwhelm the target with requests.

Recent attacks are bigger than ever

Recent examples of DDoS attacks include the record-breaking attack on code repository GitHub a few weeks ago. GitHub was taken offline for about 10 minutes by an attack that peaked at 1.35Tbps. That record did not last very long: only one week after GitHub was knocked offline by the world’s largest distributed denial-of-service attack, the same technique was used to direct an even bigger attack against an unnamed US service provider. According to DDoS protection outfit Arbor Networks, that US service provider survived an attack that reached an unprecedented 1.7Tbps.

These attacks use Internet-facing, Memcached-enabled servers to amplify their magnitude. While Memcached servers should technically not be left exposed to the Internet, there are so many of them that are exposed that this vulnerability will be available to attackers for some time to come.

Consequences

A DDoS attack can cause:

  • Disappointed users that may never return
  • Data loss
  • Loss of revenue
  • Compensation of damages
  • Lost work hours/productivity
  • Reputation damages

These are the things we don’t want to happen. So it’s time to look at the defense mechanisms that are available to us.

Possible defenses

Scrambling for a solution at the moment you find out that you are the target of a DDoS attack is not the best strategy, especially if your organization depends on Internet-facing servers. GitHub survived its attack, for example, because it was prepared. So, if you don’t have an “always-on” type of protection, make sure you at least have a plan or protocols in place that you can follow when an attack occurs.

Depending on the possible consequences that would do the most harm to your organization, the chosen solution should offer you one or more of these options:

  • Allow users to use the site normally as much as possible, even during the attack
  • Protect your network from breaches during an attack
  • Offer an alternative system to work from

The least you should do is make sure you’re aware of the fact that an attack is ongoing. The sooner you know what’s going on, the faster you can react in an appropriate manner. Ideally, you want to detect, identify, and mitigate DDoS attacks before they reach their target. You can do that through two types of defenses:

  • On-premise protection (e.g. identifying, filtering, detection, and network protection)
  • Cloud-based counteraction (e.g. deflection, absorption, rerouting, and scrubbing)

The best of both worlds is a hybrid solution that detects an attack on-premise early on and escalates to the cloud-based solution when it reaches a volume that the on-premise solution cannot handle. Some DDoS protection solutions use DNS redirection to persistently reroute all traffic through the protectors’ network, which is cloud-based and can be scaled up to match the attack. From there, the normal traffic can be rerouted to the target of the attack or their alternative architecture.

Other countermeasures

Besides defending ourselves from DDoS attacks, we should strive to limit the possible consequences. Have alternatives in place to keep the workflow, and ideally, the revenue going. Keep possible data of interest away from Internet-facing machines, so you don’t get added to the long list of data breaches.

Perform forensics after the fact. Knowing your enemy might help you stop the next attack.

Attack from multiple sides

Don’t be a part of the problem

The priority at this moment is to get Memcached-enabled servers off the Internet, as these allow attackers to scale up their attacks by a huge factor. The attack on GitHub was about three times as powerful as the largest attack that didn’t use Memcached-enabled servers.

Businesses and consumers alike should also start worrying about securing their IoT devices so that they can’t be used in a DDoS botnet. We have an excellent article called Internet of Things (IoT) security: what is and what should never be that explains in detail why and how you can make the IoT a safer place.

And maybe, just maybe, we should try and work out Internet protocols that are designed so that they do not offer opportunities for DDoS attacks. For example, some attacks saturate a server’s TCP buffers with bogus connections in a way that does not allow any new incoming requests. Essentially, your customer is standing in a line that does not move forward. SYN cookie protection is a step in the right direction to mitigate this problem. But there is not that much most companies can do about this, except maybe fund research.

Summary

DDoS attacks are so cheap ($10/hour) nowadays that anyone with a grudge can have an unprotected server taken down for a few days without spending a fortune. The possible scope of DDoS attacks has been increased significantly, now that attackers have started using Memcached-enabled servers. To put a stop to outrageously-large DDoS attacks, those servers should not be Internet-facing. Beyond that, organizations should take every step to be prepared for a possible DDoS attack so that it’s simply a blip in their day, instead of a business-ending fiasco.

Pieter Arntz

The post DDoS attacks are growing: What can businesses do? appeared first on Malwarebytes Labs.

Q4 2017 Global DDoS Threat Landscape Report

Today we are releasing our latest Global DDoS Threat Landscape Report, a statistical analysis of 5,055 network and application layer DDoS attacks mitigated by Imperva Incapsula services during Q4 2017.

In Q4, the number of application layer attacks nearly doubled, just as the number of network layer assaults declined. In both cases, however, we saw attacks grow more persistent.

Target-wise, the cryptocurrency industry continued to draw the attention of DDoS offenders, ranking as the fifth most attacked industry this quarter alongside some of the more regular attack targets. Another notable development was the high number of network layer assaults against businesses in the APAC region. In the last quarter of the year, the region served as home to seven out of the top-ten attacked countries. Combined, they drew 68.9 percent of all network layer DDoS attacks.

Figure 1: Top attacked countries, by number of network layer attacks

Report Highlights

Amidst Price Spike, Attacks on Cryptocurrency Industry Continue

Bitcoin was once again the eighth most targeted industry in Q4, after making its first appearance on the top-10 list in the prior quarter. Furthermore, it came in fifth place for the most attacks suffered, outscoring such established and commonly attacked business sectors as financials and publishing.

Figure 2: Top attacked industries, by number of network layer attacks

The increase in attacks against bitcoin-related sites is likely linked to a growth spike experienced by the industry late last year when cryptocurrency prices reached an all-time high. As prices have since subsided, it will be interesting to see if the overall number of attacks declines as well in the coming months.

Even after the recent price drop, there currently remain 190 active cryptocurrency exchanges, up from 70 in Q3. Of these, 24 exchanges have a daily turnover of more than 10 million USD. With an ever-increasing number of targets, despite the volatility in the price of bitcoin, we expect to see assaults directed at the cryptocurrency industry continue for the foreseeable future.

Application Layer Attacks Double, Assaults Become More Persistent

This quarter, we saw a spike in the number of application assaults, which increased 43 percent over their Q3 levels. Network layer attacks, on the other hand, fell by more than 50 percent since last quarter.

Figure 3: Number of weekly DDoS attacks QoQ

Interestingly, even as the number of application layer assaults went up and network layer attacks decreased, both became more persistent. Our data shows that 63.3 percent of application layer DDoS targets were subjected to repeat attacks, up from 46.7 percent last quarter.

Figure 4: Repeat application layer attacks QoQ

In the case of network layer attacks, the share of targets hit by repeat DDoS assaults went up to 67.4 percent, compared to 57.8 percent in Q3. However, the average number of attacks per target decreased, as most of the repeat assaults consisted of two to five bursts.

Figure 5: Repeat network layer attacks QoQ

The increase in attack persistence reflects the growing ease with which bad actors can launch multiple DDoS attacks. Today, even if a mitigation service is able to deflect an initial attack, perpetrators have every reason to try again and again, until they take down their target or grow bored and move on.

This obviously highlights the need for a hands-off mitigation solution that can be automatically activated to mitigate every repeat attack burst. In the absence of such a solution, a persistent DDoS campaign can quickly turn into a prolonged war of attrition, forcing an enterprise to spend money and man-hours to fight off a series of assaults.

Memcrashed – Memcached DDoS Exploit Tool

Memcrashed is a Memcached DDoS exploit tool written in Python that allows you to send forged UDP packets to a list of Memcached servers obtained from Shodan.

This is related to the recent record-breaking Memcached DDoS attacks that are likely to plague 2018 with over 100,000 vulnerable Memcached servers showing up in Shodan.

What is Memcached?

Memcached is an in-memory key-value store for small chunks of arbitrary data (strings, objects) from results of database calls, API calls, or page rendering.

Read the rest of Memcrashed – Memcached DDoS Exploit Tool now! Only available at Darknet.

Memcached DDoS Attacks Will Be BIG In 2018

So after the massive DDoS attack trend in 2016, it seems like 2018 is going to be the year of the Memcached DDoS amplification attack, with so many insecure Memcached servers available on the public Internet.

Unfortunately, it looks like a problem that won’t easily go away, as there are so many publicly exposed, poorly configured Memcached servers online (estimated to be over 100,000).

Honestly, GitHub handled the 1.3Tbps attack like a champ with only 10 minutes of downtime, although they did deflect it by moving traffic to Akamai.

Read the rest of Memcached DDoS Attacks Will Be BIG In 2018 now! Only available at Darknet.

World record broken again! DDoS attack exceeds 1.7 terabits per second

Just days after it was revealed that a distributed denial-of-service (DDoS) attack on GitHub had been measured at a record-breaking peak of 1.35 terabits per second, another attack has raced past and claimed the world record at a mind-blowing 1.7 Tbps.

To give these figures some context, the notorious DDoS attack on the DNS provider Dyn in October 2016 was speculated to have a magnitude in the range of 1.2 Tbps.

The Dyn attack was orchestrated by the Mirai botnet, which hijacked millions of poorly-secured IoT devices to bombard Dyn with unwanted traffic.

The attacks against GitHub, and the most recently announced world-record-breaking attack on an unnamed customer of a US-based service provider, are reflection/amplification attacks exploiting the many publicly accessible servers running memcached, an open-source distributed caching utility.

Memcached (pronounced “Mem-cache-dee”) is not supposed to be installed on servers that are exposed to the internet – because it simply doesn’t have security features to protect itself from malicious attackers in the first place.

Online criminals can exploit memcached servers to amplify attacks against a targeted online service. An attacker who forges the source address of a UDP packet to be that of the intended victim can send just a small request to a memcached server, tricking it into blasting as much as 50,000 times more data in response at the victim.

The result? A data tsunami.

As an Arbor Networks blog post describes, it is critically important for companies to protect themselves as in all likelihood the problem isn’t going away:

While the internet community is coming together to shut down access to the many open memcached servers out there, the sheer number of servers running memcached openly will make this a lasting vulnerability that attackers will exploit.

To make sure you aren’t part of the problem you need to ensure that perimeter firewalls are blocking UDP, or better yet that UDP is disabled entirely on memcached servers.

Weekly Cyber Risk Roundup: Record-Setting DDoS Attacks, Data Breach Costs

Last week, researchers observed a 1.35 Tbps distributed denial-of-service (DDoS) attack targeting GitHub. It was the largest DDoS attack ever recorded, surpassing the 1.2 Tbps attack against DNS provider Dyn in October 2016.

The attack leveraged a newly observed reflection and amplification vector known as memcached. Akamai researchers warned that other organizations experienced similar DDoS attacks using the new method following the GitHub attack and that even larger attacks may be possible in the future.

“Memcached can have both UDP and TCP listeners and requires no authentication,” the researchers wrote. “Since UDP is easily spoofable, it makes this service vulnerable to use as a reflector. Worse, memcached can have an amplification factor of over 50,000, meaning a 203 byte request results in a 100 megabyte response.”

The attack was mitigated within 10 minutes, GitHub said. The following day GitHub was the target of a second DDoS attack that disrupted availability for a 15-minute period, ThousandEyes reported.

“Because of its ability to create such massive attacks, it is likely that attackers will adopt memcached reflection as a favorite tool rapidly,” Akamai researchers wrote. “The good news is that providers can rate limit traffic from source port 11211 and prevent traffic from entering and exiting their networks, but this will take time.”

Wired reported there are approximately 100,000 memcached servers that currently have no authentication protection and can be abused by malicious attackers to carry out similar potentially massive, botnet-free DDoS attacks.
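The memcached reflection described here and in the previous article rests on two observable facts: the reflected traffic arrives from UDP source port 11211 (the port Akamai suggests rate limiting), and a server only reflects if UDP is enabled on a non-loopback listener (the exposure the Arbor post says to remove). The following Python is an added example, not code from any of the posts above; the flow records, IP addresses, helper names and the command-line format of the memcached audit are constructed or assumed, and the audit assumes the older memcached default of UDP on unless `-U 0` is given.

```python
"""Spot memcached (UDP/11211) reflection traffic in flow records and audit a
memcached command line for UDP exposure. Constructed example: all flows,
addresses and helper names are made up for illustration."""
from collections import defaultdict
from dataclasses import dataclass
import shlex

MEMCACHED_PORT = 11211


@dataclass(frozen=True)
class Flow:
    proto: str      # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    bytes: int
    packets: int


# Constructed sample: 192.0.2.10 is the spoofed victim receiving reflected
# responses from three exposed memcached servers; the rest is ordinary traffic.
SAMPLE_FLOWS = [
    Flow("udp", "203.0.113.5", 11211, "192.0.2.10", 40001, 1_400_000_000, 1_000_000),
    Flow("udp", "203.0.113.6", 11211, "192.0.2.10", 40001, 1_400_000_000, 1_000_000),
    Flow("udp", "203.0.113.7", 11211, "192.0.2.10", 40001, 1_400_000_000, 1_000_000),
    Flow("tcp", "198.51.100.7", 443, "192.0.2.20", 51234, 180_000, 200),
    Flow("udp", "198.51.100.9", 11211, "192.0.2.30", 40002, 2_400, 4),  # few legit lookups
]


def reflected_bytes_by_victim(flows):
    """Sum UDP bytes sent *from* source port 11211, keyed by destination IP,
    remembering which servers acted as reflectors."""
    totals = defaultdict(lambda: {"bytes": 0, "reflectors": set()})
    for f in flows:
        if f.proto == "udp" and f.src_port == MEMCACHED_PORT:
            totals[f.dst_ip]["bytes"] += f.bytes
            totals[f.dst_ip]["reflectors"].add(f.src_ip)
    return totals


def flag_memcached_reflection(flows, byte_threshold=100_000_000, min_reflectors=2):
    """Return destinations that received at least byte_threshold bytes from
    UDP/11211 from at least min_reflectors distinct sources. Reflection fans in
    from many servers at once, which a single busy cache client does not."""
    flagged = {}
    for dst, stats in reflected_bytes_by_victim(flows).items():
        if stats["bytes"] >= byte_threshold and len(stats["reflectors"]) >= min_reflectors:
            flagged[dst] = {"bytes": stats["bytes"],
                            "reflectors": sorted(stats["reflectors"])}
    return flagged


def amplification_factor(request_bytes, response_bytes):
    """Bytes returned per byte sent; the figures quoted by Akamai (203-byte
    request, 100-megabyte response) give a factor well above 50,000."""
    return response_bytes / request_bytes


def memcached_udp_exposed(cmdline):
    """Audit a memcached command line such as 'memcached -l 0.0.0.0 -U 11211'
    (assumed input format). True means UDP is enabled on a non-loopback
    listener, i.e. the server can be used as a reflector. memcached's -U sets
    the UDP port (0 disables UDP) and -l the listen address(es); this assumes
    the older default of UDP on and all interfaces when neither flag is given."""
    args = shlex.split(cmdline)
    udp_port = MEMCACHED_PORT
    listen_addrs = ["0.0.0.0"]
    i = 0
    while i < len(args):
        if args[i] == "-U" and i + 1 < len(args):
            udp_port = int(args[i + 1])
            i += 2
        elif args[i] == "-l" and i + 1 < len(args):
            listen_addrs = args[i + 1].split(",")
            i += 2
        else:
            i += 1
    loopback = {"127.0.0.1", "::1", "localhost"}
    return udp_port != 0 and not all(a in loopback for a in listen_addrs)


if __name__ == "__main__":
    for victim, info in flag_memcached_reflection(SAMPLE_FLOWS).items():
        print(f"{victim}: {info['bytes']} bytes from {len(info['reflectors'])} reflectors")
    print("UDP exposed:", memcached_udp_exposed("memcached -l 0.0.0.0 -U 11211"))
    print("UDP exposed:", memcached_udp_exposed("memcached -U 0"))
```

On real flow exports the same aggregation would run over a short time window rather than a static list, and the hardened configuration is the one the audit passes: `-U 0`, or a loopback-only `-l`.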

Other trending cybercrime events from the week include:

  • W-2 information breached: The University of Alaska said that 50 current and former employees and students had their personal information compromised when hackers gained access to their university accounts by answering security questions and resetting their passwords. The Association for Supervision and Curriculum Development is notifying employees that their W-2 information was compromised due to a spear phishing attack. Wallace Community College Selma said that current and former employees had their W-2 information compromised when an employee fell for a phishing scam. Curtis Lumber is notifying employees that their personal information was stolen in a spear phishing attack, and some of those employees have reported issues related to filing their federal taxes following the incident.
  • Ransomware infections continue: The Colorado Department of Transportation said that computers had been reinfected with ransomware eight days after an initial attack. Both the Children’s Aid Society of Oxford County and the Family and Children’s Services of Lanark, Leeds and Grenville in Canada were the victims of a ransomware infection. Jemison Internal Medicine is notifying 6,550 patients of a ransomware infection that may have compromised their personal information.
  • Payment card breaches and service disruptions: A number of Tim Hortons locations in Canada were temporarily shut down or were forced to close their drive-throughs after malware was discovered targeting Panasonic cash registers. NIS America said that customers of its online stores had their information compromised due to being redirected to a malicious site that would harvest their information during the checkout process. North 40 is notifying customers that their payment card information may have been compromised due to unauthorized access to its e-commerce website.
  • Notable data breaches: A hacker gained access to the intranet of Germany’s government and accessed confidential information. St. Peter’s Surgery and Endoscopy Center is notifying patients that their personal and medical information may have been compromised due to unauthorized access to its servers. Healthcare vendor FastHealth submitted a data breach notification regarding unauthorized access to its web server. Porsche Japan said that the information of customers was exposed due to a hack. Metro Wire Rope Corporation said that an employee email account was compromised after the employee opened a malicious attachment with credential-stealing capabilities. The French news magazine L’Express exposed a database containing the personal information of readers and after being notified of the exposure took a month to secure the data. U.S. Marine Corps Forces Reserve may have compromised the personal information of 21,426 individuals due to sending an unencrypted email with an attachment to the wrong email distribution list.
  • Other notable events: The Financial Services Information Sharing and Analysis Center said that one of its employees was successfully phished, and the compromised email account was used to send further phishing messages to other members, affiliates, and employees. The recent hack of the PyeongChang Winter Olympics that led to Internet disruptions and website downtime was a false-flag operation carried out by Russian military spies to make it appear as if the attack was carried out by North Korea, U.S. intelligence officials said. An Arkansas man who developed the remote-access Trojan NanoCore and marketed it on Hack Forums has been sentenced to 33 months in prison.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of the top trending targets are shown in the chart below.

Cyber Risk Trends From the Past Week

Equifax was back in the news this week after announcing it had discovered an additional 2.4 million U.S. consumers who were affected by its massive 2017 data breach, bringing the total number of people impacted to 147.9 million.

“This is not about newly discovered stolen data,” said Paulino do Rego Barros, Jr., Interim chief executive officer in a press release. “It’s about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals.”

The company also said that it expects breach-related costs to hit $275 million in 2018, which Reuters noted could make the Equifax breach the most costly hack in corporate history:

The projection, which was disclosed on a Friday morning earnings conference call, is on top of $164 million in pretax costs posted in the second half of 2017. That brings expected breach-related costs through the end of this year to $439 million, some $125 million of which Equifax said will be covered by insurance.

Those breach-related costs could rise further once legal actions from consumers and regulators are finally resolved. However, Sen. Elizabeth Warren recently stated that “Equifax is still making money off their own breach” and that even consumers who do not want to do business with them may end up buying credit protection services from another company who “very well may be using Equifax to do the back office part.”

It’s the same criticism she leveled in January when introducing a bill with Sen. Mark Warner to address problems related to credit agencies collecting data without strict protections in place to secure that information. As CNET noted, if such a bill had been in place at the time of the Equifax breach, the company likely would have faced a fine of at least $14.3 billion.

DDoS Attacks in the Netherlands Reveal Teen Gamers on Troublesome Path

At the end of January, the Netherlands was plagued by distributed denial of service (DDoS) attacks targeting various financial institutions, tech sites, and the Dutch tax authorities. At the time of the attacks it was unclear who was responsible, and this led to speculation among security experts.

Coincidentally, the attacks started a few days after it was announced in the media that the Dutch General Intelligence and Security Service, the AIVD, had played a major role in relaying crucial information to their American counterparts regarding attacks of suspected Russian state-sponsored hackers.

Thus, the hypothesis that the attacks were some kind of state-sponsored retaliation was quickly formed. Security experts deemed this hypothesis possible, but it remained unproven.

Arrest

Then on February 1, an 18-year-old suspect was arrested by the National High Tech Crime Unit of the Dutch police. The suspect carelessly left behind some crucial pieces of evidence, which ultimately led to his arrest. Through open-source research, the McAfee Advanced Threat Research team was also able to find links between the arrested suspect and another known DDoS actor. At this moment the police investigation is ongoing to determine the degree of guilt and whether the suspect acted independently. But one thing is certain: The wave of attacks has stopped since his arrest.

The relative ease with which the attack was carried out is striking. The individual had presumably bought a “stresser/booter service” capacity for about €40. The stresser enabled him to launch attacks with a volume of about 40Gbps.

(Stresser, or booter, services are websites that offer distributed denial of service capability as a paid service. These websites offer a way to stress-test a host by simply filling in its IP address. The traffic these services need can be generated from legitimate or illegitimate sources. Attacking a host or website without legal consent is highly illegal.)

McAfee Chief Scientist and Fellow Raj Samani has written “you can disrupt your competition for the price of a cup of coffee.” This attack suggests you can disrupt entire organizations or parts of a country for the price of a pound of good coffee beans.

Thus speculation of a possible state-sponsored retaliation dissolved into an inexpensive and relatively easy method of attack, performed by a teenager.

Earlier DDoS Attacks

This sequence of events reminds me of an earlier DDoS attack I personally investigated. In 2015 one of the largest internet service providers in the Netherlands suffered a DDoS attack for three consecutive days. This attack deprived roughly 1.8 million subscribers of Internet access. In a period of several weeks and after an extensive police investigation, a group of suspects was arrested. All but one of them were teenagers, with the youngest only 14 years old. Their methods were relatively simple as well, from basic Python scripts to the use of stresser/booter services.

I clearly recall that this group of suspects had a great affinity with online gaming. They were active on popular games such as Minecraft and Call of Duty and played a lot in groups or clans. Apparently, it was common practice for the suspects to knock their opponents offline during a game in order to win. Talk about fair play.

Could there be a connection between the gaming community and DDoS attacks, or is this purely a coincidence?

Gaming and DDoS

Who doesn’t remember the crippling Mirai DDoS attacks in the fall of 2016 on DNS provider Dyn, hosting provider OVH, and the popular security blog Krebs on Security?

Brian Krebs actively investigated the group behind the Mirai attacks against his site and published his findings online. During his research into the actors he described a fascinating world within the online gaming industry. In this industry it is big business to have powerful game servers, which attract many customers. This popularity makes those servers a target for the less successful, and their weapon of choice is often DDoS attacks. Game servers are apparently knocked offline daily to push gamers to migrate to the competition. All this distributed “violence” also gave birth to a lively and sometimes shady business in DDoS protection services.

So how would someone with only marginal technical knowledge go about knocking websites offline? All it takes is a simple search on one of the entry-level hacker forums. We found dozens of threads (some listed below) that discussed what it would take to attack (game) servers. The same forum was also full of advertisements and reviews of various stresser and booter services offered online.

In February news surfaced that an online gaming service offered DDoS for hire. According to the article, the operators of a gaming service were behind the building of an IoT botnet named JenX and offered it as part of the game server rental scheme.

This shows there is a definite link between the online gaming community and the use of DDoS attacks. It is worrying to see that some individuals resort to such drastic measures out of pure frustration. We can only imagine the consequences when such an individual gets a low grade in school or has a disagreement with an online retailer.

End Note

As a former law enforcement official, I am troubled to see teenagers going down a criminal path. I can understand that for teens it is not always easy to foresee the consequences of their actions. One might think that knocking off websites is all fun and games or a way to show your frustration. But from my experience the fun definitely stops when the police come knocking at the door. Then it is literally game over.

 

The post DDoS Attacks in the Netherlands Reveal Teen Gamers on Troublesome Path appeared first on McAfee Blogs.

Cyber Security Roundup for November 2017

One of the most notable data breaches disclosed this month was by Uber, given that the company attempted to cover up the breach by paying off the hackers. Over a year ago the transport tech firm was said to have paid £75,000 to two hackers to delete 57 million Uber account records which they had stolen. Uber revealed that around 2.7 million of the stolen records belonged to British riders and drivers. As a UK Uber rider this could include me; I haven't received any notification of the data breach from Uber as yet. The stolen information included names, email addresses, and phone numbers. Uber can expect enforcement action from regulators on both sides of the pond; the UK Information Commissioner's Office (ICO) said it had "huge concerns" about the breach and was investigating.

Jewson, Cash Converters, and Imgur all reported losing data due to hacks this month, while Equifax has reported suffering significant negative financial losses following their high profile hack of personal customer data. Equifax reported their net income had dropped by £20 million due to the hack, and their breach bill was coming in at a whopping £67 million.

November was a very busy month for security patch releases, with Microsoft, Apple, Adobe, Oracle, Cisco and Intel releasing a raft of patches to fix critical vulnerabilities. Apple even had to quickly release an emergency patch at the end of November to fix a root access flaw reported in macOS High Sierra version 10.13.1. So keep patching everything to ensure you and your business stay ahead of enterprising cybercriminals; the Equifax breach is a prime example of what can go wrong if system patching is neglected.

November also saw the Open Web Application Security Project (OWASP) finally release an updated version of its Top Ten application vulnerabilities list, a ‘must know’ secure coding best practice for all software developers and security testers, especially considering that Akamai reported web application attacks had increased by 69% in the third quarter of 2017. Look out for updated OWASP Top Ten IBM DeveloperWorks guidance from me in December to reflect the updated list.


Weekly Cyber Risk Roundup: More Payment Card Breaches and Dark Web Arrests

Payment card breaches were back in the news again this week as Forever 21 announced that it is investigating a point-of-sale (POS) breach at some of its stores, and several other organizations issued breach announcements related to stolen payment card data.


Forever 21 said that it received a report from a third party about potential unauthorized access to payment cards at some of the company’s stores, and the ongoing investigation is focusing on POS transactions made in stores between March 2017 and October 2017.

“Because of the encryption and tokenization solutions that Forever 21 implemented in 2015, it appears that only certain point of sale devices in some Forever 21 stores were affected when the encryption on those devices was not in operation,” the company wrote.

In addition, organizations continue to submit breach notification letters to various state attorneys general regarding the previously disclosed breach involving Sabre Hospitality Solutions SynXis Central Reservations system, including The Whitehall Hotel and JRK Hotel Group, both of which were impacted from August 10, 2016, through March 9, 2017. The Register also reported that Jewson Direct is notifying customers that their personal and payment card information may have been compromised due to the discovery of unauthorized code on its website. However, the company said the inclusion of card data in the notification was only “an advisory measure” as the investigation is ongoing.

The recent breaches, as well as other breaches such as Sonic, may have led to an increase in payment card fraud activity in the third quarter of 2017. Fraud activity is also expected to increase as consumers buy gift cards and other items over the holiday shopping season.


Other trending cybercrime events from the week include:

  • Organizations expose data: Researchers discovered a publicly exposed Apache Hive database belonging to ride-hailing company Fasten that contained the personal information of approximately one million users as well as detailed profiles of its drivers. A researcher said the Chinese drone maker DJI has exposed a variety of sensitive information via GitHub for up to four years, in addition to exposing customer information via insecure Amazon S3 buckets. Researchers discovered two insecure Amazon S3 buckets appearing to belong to the Australian Broadcasting Corporation’s commercial division,  including information regarding production services and stock files. The Maine Office of Information Technology said that approximately 2,100 residents who receive foster care benefits had their personal information temporarily posted to a public website after an employee at contractor Knowledge Services uploaded a file containing their data to a free file-comparison website without realizing that the information would become publicly accessible. Dignity Health is notifying employees that some of their personal information was accidentally exposed to other employees.
  • Employee email accounts compromised: ClubSport San Ramon and Oakwood Athletic Club is notifying employees that their W2 and tax statements were sent to a malicious actor following a phishing attack impersonating an executive. ABM Industries Incorporated is notifying employees that their personal information may have been compromised due to a phishing attack that led to multiple email accounts being compromised. Saris Cycling Group is notifying employees that their personal information may have been compromised due to a phishing email that led to an employee email account being compromised.
  • Extortion-related attacks: The website of Cash Converters was hacked, and the actors behind the attack said they would release the data of thousands of UK consumers unless a ransom is paid. Little River Healthcare Central Texas is notifying patients of a ransomware attack that may have accessed their information and led to some data being irretrievably deleted when the clinic tried to restore the files. Far Niente Winery is notifying individuals of a ransomware attack that may have compromised their personal information.
  • Other notable incidents: A group associated with Anonymous hacked the email accounts of an employee of Italy’s Defence Ministry and a member of the Italian police and then published a variety of information allegedly obtained from those accounts. Officials from Catawba County, North Carolina, said that malware shut down a number of county servers and caused temporary interruptions in service, as well as a number of spam emails being sent to county residents. Gallagher NAC is notifying individuals that their personal information may have been compromised due to “a small amount of data” being stolen from a database between June 18 and September 19. CafeMom is notifying customers that email addresses and passwords used to create accounts prior to July 2011 were compromised “at some point in the past.” AppDirect said that a phisher has been impersonating members of the company’s human resources, recruiting, and sales teams on job sites, and several people have applied to those fake listings and received fake job offers.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.


Cyber Risk Trends From the Past Week

Dark Web markets continued to make headlines this week as a key player in AlphaBay’s operations was charged and cyber-attacks against other still-active dark web marketplaces temporarily disrupted operations.

Federal prosecutors allege that Ronald L. Wheeler III, of Streamwood, Illinois, worked as a spokesperson for the now-shuttered Dark Web marketplace AlphaBay. AlphaBay had grown to become the largest-ever Dark Web marketplace before it, along with the popular Hansa Market, were taken offline by law enforcement this past summer.

Wheeler is accused of working alongside Alexandre Cazes, a 25-year-old Canadian who was alleged to be the owner of AlphaBay known as “Alpha02.” Cazes reportedly committed suicide in his Thai jail cell a week after being arrested in July.

The Associated Press reported that Wheeler has pleaded not guilty to the AlphaBay-related charges, but prosecutors allege that he worked with Cazes using the name “Trappy” to moderate the AlphaBay forum on reddit, mediate sales disputes, and provide other non-technical assistance to users.

As SurfWatch Labs previously reported, the downfall of AlphaBay and Hansa Market elevated Dream Market to temporary king of the Dark Web. However, Dream Market and other popular markets have been the target of DDoS attacks over the past few weeks, making the sites difficult to access for some users. Those attacks can delay purchases beyond the already congested backlog of pending Bitcoin transactions, which is slowing down both legitimate and criminal transactions.

Prior to being seized, AlphaBay had grown to accept multiple payment options, including Ethereum and Monero; however, Dream Market still only accepts Bitcoin, and that restriction may help push some users towards other markets that have more, and quicker, payment options as the Dark Web marketplace continues to evolve in AlphaBay’s absence.

Cyber Security Roundup for October 2017

State-orchestrated cyber attacks dominated the media headlines in October, with rogue state North Korea and its alleged 6,800-strong cyber force blamed for several attacks. International intelligence scholars believe the North Korean leadership is using cyber warfare to up the political ante in its ongoing dispute with the United States. The North Koreans, as well as terrible security practices, were directly blamed by the UK National Audit Office for the recent NHS WannaCry attack (despite North Korea denying it). North Korea was also reported to be implicated in the theft of US war plans from South Korea, and in a spear phishing campaign against the US power grid. The possible Russian manipulation of the US election with cyber attacks and rogue social media campaigns is still a story that is not going away, while the Chinese are alleged to be behind the theft of Australian F-35 fighter jet data in what is described as an 'extensive' cyberattack. The finger was pointed at Iran for the recent attacks on UK Parliamentary emails; meanwhile EU governments vented their cyber concerns, warning that cyber attacks can be an act of war.

Stephen Hawking caused controversy in both the science and tech industries last year when he said Artificial Intelligence could be a serious threat to human existence; could the plot of The Terminator really come to fruition? Perhaps so, as it was reported that AI had already defeated the CAPTCHA security check system. Personally, I believe both AI and quantum computing will pose significant new threats to the cybersecurity space in the next decade.

A far higher number of personal records were compromised in the Equifax data breach than was previously thought, with millions of UK citizens confirmed to be impacted by the US-based credit checking agency hack. Equifax’s now ex-CEO provided an interesting blow-by-blow account of the cyber-attack at a US government hearing: even though Equifax technical staff were specifically warned about a critical Apache Struts (web application framework) patch, it was ignored and not applied, which in turn allowed hackers to take full advantage of the vulnerability to steal the Equifax data en masse. To make matters even worse, the Equifax consumer breach help website was found to be infecting visitors with spyware.

Yahoo revealed that all 3 billion of its user accounts had in fact been breached, in what is truly an astonishing, mammoth-sized hack, the biggest in all history so far. Elsewhere on the commercial hacking front, Pizza Hut's website was reported to be hacked with customer financial information taken, and Disqus said a 2012 breach it discovered in October exposed the information of 17.5 million of its users from as far back as 2007.

It was a super busy month for security vulnerability notifications and patch releases, with Microsoft, Netgear, Oracle, Google, and Apple all releasing rafts of critical level patches. A serious weakness in the wireless networking WPA2 protocol was made public to great fanfare after researchers suggested all Wifi devices using WPA2 on the planet were vulnerable to an attack called Krack, which exploited the WPA2 weakness. Krack is a man-in-the-middle attack which allows an attacker to eavesdrop or redirect users to fake websites over Wifi networks secured using the WPA2 protocol. At the time of writing most wireless access point vendors and operating system providers had released patches to close the WPA2 vulnerability, and there have been no known exploits of the vulnerability reported in the wild.

BadRabbit is a new strain of ransomware which is emerging and is reported to be infecting systems and networks in Russia and Ukraine at the moment. BadRabbit is the latest network self-propagating malware, after WannaCry and NotPetya, to use leaked NSA exploit tooling (in BadRabbit's case EternalRomance). A massive new IoT botnet was discovered; its continued growth is fuelled by malware said to be more sophisticated than the previous IoT botnet king, Mirai. Russia-based threat actor group APT28 is said to be exploiting a recently patched Adobe vulnerability (CVE-2017-11292) using a malicious Microsoft Word attachment, so ensure you keep on top of your system patching and always be careful when opening email attachments.

Finally, the UK National Cyber Security Centre (NCSC) released its first annual report, as it seeks to improve cybersecurity across the UK. Among NCSC achievements cited in the report are:
  • The launch of Active Cyber Defence, credited with reducing average time a phishing site is online from 27 hours to 1 hour
  • Led UK response to WannaCry
  • Advice website with up to 100,000 visitors per month
  • Three-day Cyber UK Conference in Liverpool
  • 43% increase in visits to the Cyber Security Information Sharing Partnership (CiSP)
  • Produced 200,000 physical items for 190 customer departments via UK Key Production authority to secure and protect communications of Armed Forces and national security
  • 1,000 youngsters on CyberFirst courses and 8,000 young women on CyberFirst Girls competition.
  • Worked with 50 countries, including signing Nato's MoU

CoalaBot : http Ddos Bot



CoalaBot appears to be built on August Stealer code (the panel and traffic are really alike).

I found it spread as a task in a Betabot and in an Andromeda, spread via RIG fed by at least one HilltopAds malvertising campaign.

2017-09-11: a witnessed infection chain to CoalaBot


A look inside :
CoalaBot: Login Screen
(August Stealer alike) 




CoalaBot: Statistics


CoalaBot: Bots


CoalaBot: Tasks
CoalaBot: Tasks


CoalaBot: New Taks (list)



CoalaBot: https get task details

CoalaBot: http post task details



CoalaBot: Settings
Here is the translated advert, published on 2017-08-23 by a user going by the nick Discomrade.
(Thanks to Andrew Komarov and others who provided help here.)
------------------------------------------
Coala Http Ddos Bot

The software focuses on L7 attacks (HTTP). Lower levels have more primitive attacks.

Attack types:
• ICMP (PING) FLOOD
• UDP FLOOD
• TCP FLOOD
• HTTP ARME
• HTTP GET *
• HTTP POST *
• HTTP SLOWLORIS *
• HTTP PULSE WAVE *

* - Supports SMART mode, i.e. bypasses Cloudflare/Blazingfast and similar services (but doesn’t bypass CAPTCHA). All types except ICMP/UDP have support for using SSL.


Binary:
• .NET 2.0 x86 (100% working capacity WIN XP - WIN 7; on later OS versions .NET 2.0 is disabled by default)
• ~100kb after obfuscation
• Auto Backup (optional)
• Low CPU load for efficient use
• Encryption of incoming/outgoing traffic
• No installation on machines from former CIS countries(RU/UA/BL/KZ/...)
• Scan time non-FUD. Contact us if you need a recommendation for a good crypting service.
• Ability to link a build to more than one gate.

Panel:
• Detailed statistics on time online/architecture/etc.
• List of bots, detailed information
• Number count of requests per second (total/for each bot)
• Creation of groups for attacks
• Auto sorting of bots by groups
• Creation of tasks, the ability to choose by group/country
• Setting an optional time for bots success rate

Other:

• Providing macros for randomization of sent data
• Support of .onion gate
• Ability to install an additional layer (BOT => LAYER => MAIN GATE)


Requirements:

• PHP 5.6 or higher
• MySQL
• Module for MySQLi (mysqli_nd); php-mbstring, php-json, php-mcrypt extensions

Screenshots:

• Created tasks - http://i.imgur.com/RltiDhl.png


Price:

• $300 - build and panel. Up to 3 gates for one build.
• $20 - rebuild
The price can vary depending on updates.
Escrow service is welcome.

Help with installation is no charge.
------------------------------------------
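The HTTP GET/POST floods the advert lists are the attack types a web team is most likely to see in its own access logs first. The script below is an added example written for this page; it is not CoalaBot code and not part of the original post. It assumes Apache/Nginx "combined" log format, counts requests per client IP per second, and flags any client that stays above a request-rate threshold for a sustained run of seconds. The log lines, addresses (RFC 5737 test ranges) and thresholds are constructed for illustration.

```python
"""Rate-based detection of an HTTP GET/POST flood in web server access logs.

Added example for this page; not CoalaBot code and not part of the original
post. Parses Apache/Nginx "combined" log format, buckets requests per client
IP per second and flags clients that exceed rps_threshold for at least
min_seconds distinct seconds. Sample log lines and thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/Nginx combined log format; referer and user-agent are optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "ua": m.group("ua") or "",
    }


def find_floods(lines, rps_threshold=50, min_seconds=3):
    """Return {ip: summary} for clients whose per-second request count reached
    rps_threshold in at least min_seconds distinct seconds.

    Per-IP one-second buckets are cheap and catch a single noisy bot; a
    distributed flood needs the same counting keyed on path or on the whole
    server instead, which this function does not do.
    """
    buckets = defaultdict(lambda: defaultdict(int))  # ip -> epoch second -> count
    paths = defaultdict(set)                         # ip -> distinct paths hit
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip malformed or non-access-log lines
            continue
        buckets[rec["ip"]][int(rec["ts"].timestamp())] += 1
        paths[rec["ip"]].add(rec["path"])

    offenders = {}
    for ip, per_sec in buckets.items():
        hot = [c for c in per_sec.values() if c >= rps_threshold]
        if len(hot) >= min_seconds:
            offenders[ip] = {
                "peak_rps": max(hot),
                "seconds_over": len(hot),
                "distinct_paths": len(paths[ip]),  # floods usually hammer one URL
            }
    return offenders


def build_sample_log():
    """Constructed access log: one normal client and one bot flooding a single URL."""
    start = datetime(2017, 9, 11, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Normal browsing: a handful of requests spread over a minute.
    for i, path in enumerate(["/", "/login", "/style.css", "/app.js", "/dashboard"]):
        ts = (start + timedelta(seconds=i * 12)).strftime(TS_FMT)
        lines.append(f'198.51.100.20 - - [{ts}] "GET {path} HTTP/1.1" 200 1024 "-" "Mozilla/5.0"')
    # HTTP GET flood: 60 requests per second for 4 seconds against one page.
    for sec in range(4):
        ts = (start + timedelta(seconds=sec)).strftime(TS_FMT)
        for _ in range(60):
            lines.append(f'203.0.113.7 - - [{ts}] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    lines.append("garbage line that should be skipped")
    return lines


if __name__ == "__main__":
    for ip, info in find_floods(build_sample_log()).items():
        print(ip, info)
```

Run against a real log with `find_floods(open("access.log"))`, tuning `rps_threshold` to the site's normal per-client peak. This only covers request-volume attacks (GET/POST flood); slow-connection attacks such as Slowloris never complete a request and therefore never reach the access log, so they have to be detected from connection-state metrics on the web server or load balancer instead.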

Sample:

VT link
MD5 f3862c311c67cb027a06d4272b680a3b
SHA1 0ff1584eec4fc5c72439d94e8cee922703c44049
SHA256 fd07ad13dbf9da3f7841bc0dbfd303dc18153ad36259d9c6db127b49fa01d08f

Emerging Threats rules :
2024531 || ET TROJAN MSIL/CoalaBot CnC Activity

Read More:
August in November: New Information Stealer Hits the Scene - 2016-12-07 - Proofpoint

Cyber Security Roundup for August 2017

TalkTalk yet again made all the wrong cyber security headlines in the UK this month, after it was handed a £100,000 fine by the Information Commissioner's Office (ICO) for not adequately protecting customer records from misuse by its staff. The ICO investigated the Internet Service Provider after receiving complaints from customers, who said they received cold calls from scammers who knew their TalkTalk account information.

Second-hand goods firm CeX disclosed a compromise of up to 2 million online customer accounts due to a hack, however, CeX has yet to disclose any details about the cyber attack. My blog post and advice about this is here http://blog.itsecurityexpert.co.uk/2017/08/up-to-2-million-cex-customer-account.html

Hackers had a field day taking over social media accounts, from Real Madrid and FC Barcelona to Game of Thrones. Much embarrassment could have been avoided if the owners had adopted multi-factor authentication on the accounts, with the exception of the spate of Instagram hacks, which were caused by the exploitation of a software vulnerability within Instagram's API.

In what looks like a follow-on from the brute-force attack on UK Parliament email accounts in June, the Scottish Parliament was hit by a very similar cyber attack; as with the Westminster attack, many MSPs were reportedly using weak passwords. Let's hope the Welsh Assembly has taken note and learned the password security lessons.

A massive 'spambot' holding 711 million email addresses was found by a security researcher to be spreading malware. It was said to have been put together using stolen data from previous LinkedIn and Badoo data breaches. Using legitimate email addresses helps the spam evade anti-phishing and spam filters.

On the ransomware front, LG reported that WannaCry caused a two-day shutdown of its business in South Korea. TNT customers were said to be furious after NotPetya badly affected its ability to deliver hundreds of thousands of items, particularly in Ukraine. And Digital Shadows reported a trend of cyber criminals dropping exploit kits for ransomware, as there is simply a lot more money to be made from ransomware attacks.

On the critical security patching front, Microsoft released 25 patches, Adobe released 43, and Drupal patched a critical bug. There was also an interesting article posted by Microsoft on cyber resilience that is worth reading.


Cyber Security Predictions for 2017


Analysis

2016 kicked off with more than 20 million new samples of malware detected and neutralised by PandaLabs – an average of 227,000 per day. This figure is slightly higher than that of 2015, which saw around 225,000 per day.

Throughout 2016 the number of new malware samples has been slightly lower than in 2015, about 200,000 per day on average, but attacks have become more effective.

Cybercriminals are becoming more confident in their abilities, and, although figures have been lower than expected, there is still cause for concern. Hackers appear to be concentrating their efforts into the most profitable attacks, utilising sophisticated techniques that allow them to make quick and easy money in an efficient manner.

Black Hats have turned their focus essentially to productivity, proliferating attacks on businesses that handle massive quantities of data and sensitive information. Once they have gained access to such a business, they infect as many computers as possible with ransomware, putting themselves in a position to demand millions in ransom or to put the data up for sale on the black market.

If there is one thing that hasn’t changed over the course of this year, it’s the popularity of trojans, with ransomware at the forefront, continuing to top the statistical charts for years.


Ranking the top attacks of 2016



Ransomware

We know that ransomware is a substantial business for cybercriminals, but it is incredibly tricky to measure the number of attacks reliably. What can be noted is the evolution of ransomware attacks, which in some cases have become particularly aggressive, as with Petya. Instead of encrypting documents, Petya goes straight for the computer’s Master Boot Record (MBR) and leaves the machine unbootable until a ransom is paid.

Abuse of PowerShell, a system tool installed by default in Windows 10, has risen this year; it is frequently used in attacks to avoid detection by the security solutions installed on victims' computers.

In Q2 of 2016, one of the strangest ransomware cases involved a company in Slovenia. The company’s head of security received an email from Russia informing him that their network had been compromised and that the attackers were poised to launch ransomware on all of their computers if the company didn’t pay around €9,000 in Bitcoin within 3 days. To prove that they did in fact have access to the organisation's network, the hackers sent a file listing every device connected to the company’s internal network.

Ransomware as a Service (RaaS) is the latest development in the ransomware industry. In Q3 we witnessed a higher level of specialisation in the ransomware trade. The best example of this featured the creators of the Petya and Mischa ransomware, who specialised in developing the malware and its corresponding payment platforms, leaving distribution in the hands of third parties. Once the creators have done their part, the distributors are in charge of infecting victims. Much as in legitimate business, the distributors’ profit is a percentage of the money acquired: the higher the sales, the higher the percentage they receive.


Malicious email

Attacks don’t only come in the form of malvertising or compromised websites. A large number of them still arrive through email in the form of false invoices or other notifications. An attack of this sort was carried out in at least two European countries, in which cybercriminals posed as their respective local electricity supply companies. The message contained no attachment, showing only the billing information in text and including a link that when clicked would take you to the invoice details. The hook was an exorbitantly high payment that would entice an emotional response so that the recipient would click through to consult the supposed bill without thinking. Upon clicking the link, the user was directed to a website that resembled the company’s real website, where a bill could be downloaded. If the client downloaded and opened the file, they became infected with ransomware.


Business Email Compromise Phishing

Hackers will investigate how the company operates from the inside and get information from their victims off of social networks to give credibility to their con. The attackers then pose as the CEO or financial director of a company and request a transfer from an employee. This kind of attack is rapidly gaining in popularity.

A notable case this year affected Mattel, the well-known manufacturer of Barbie and Hot Wheels toys. A high-ranking executive received a message purporting to come from the recently appointed CEO, soliciting a transfer of $3 million to a bank account in China. After making the transfer, he confirmed with the CEO that it was done; the CEO was baffled, having given no such order. They got in touch with the American authorities and with the bank, but it was too late and the money had already been transferred.

In this case they were fortunate. It was a bank holiday in China and there was enough time to alert the Chinese authorities. The account was frozen, and Mattel was able to recover their money.



Mobile Devices

SNAP is one of the most notable vulnerabilities we've seen this year, affecting LG G3 mobile phones. The problem stemmed from an error in LG’s notifications app, Smart Notice, which allowed arbitrary JavaScript to run. The researchers at BugSec discovered the vulnerability and notified LG, which rapidly published an update that resolved the problem.

Gugi, an Android trojan, managed to break through Android 6’s security barriers to steal bank credentials from apps installed on the phone. To accomplish this, Gugi superimposed its own screen on top of the legitimate app's screen, asking for information that was then sent directly to the criminals without the victims’ knowledge.

In August, Apple published an urgent update, iOS 9.3.5. This version resolves three zero-day vulnerabilities employed by spyware known as Pegasus, developed by NSO Group, an Israeli organization with products similar to those offered by Hacking Team.


Internet of Things

Connected cars are at risk from cyber-attack: researchers at the University of Birmingham showed how they had succeeded in compromising the remote keyless entry system used across vehicles sold by the Volkswagen Group in the last twenty years. Researchers Charlie Miller and Chris Valasek, who last year demonstrated how to hack a Jeep Cherokee, took it one step further this year to show how they could manipulate the throttle, the brakes, and even the steering wheel at will while the car was in gear.

Smart homes are just as vulnerable to attack: researchers Andrew Tierney and Ken Munro showed a proof of concept that they built to hijack a thermostat. After taking control of the thermostat (by inserting an SD card into it), they raised the temperature to 99 degrees Fahrenheit and required a PIN to deactivate it. The thermostat connected to an IRC channel, using the MAC address as the identifier of each compromised device. It demanded a bitcoin in exchange for the PIN, which changed every 30 seconds.



Cyberwarfare

2016 saw the United States go on the offensive and concede that it is launching cyber-attacks against Daesh targets. Robert Work, United States Deputy Secretary of Defense, made this clear in statements to CNN.

In February, South Korean officials discovered an attack originating from North Korea. The attack allegedly began over a year earlier, its primary target being 140,000 computers belonging to organisations and government agencies, as well as defense contractors. According to police statements, more than 42,000 documents were stolen, of which 95% were related to defense, such as documents containing plans and specs for the F-15 fighter jet.

At the height of the United States presidential election, one of the most significant incidents that took place was the discovery of an attack on the DNC (Democratic National Committee) in which a stockpile of data was plundered, and was then leaked to the public.

On the subject of the elections, the FBI issued an alert after detecting two attacks on electoral websites, and at least one of the attackers — identified as foreigners — was able to make off with voter registration data.

In August, a group calling itself “The Shadow Brokers” announced that it had hacked the NSA and published some of the “cyber weapons” that it had stolen, promising to sell the rest to the highest bidder.


Cybercrime

In June, a criminal dubbed “The Dark Overlord” put patient information from three US institutions up for sale on the black market. He had stolen information from over 650,000 patients and asked for around $700,000 for its return. Shortly thereafter, he put the personal information of 9.3 million clients of a medical insurance agency up for sale for 750 bitcoins.

In the last few months, Dropbox became another victim of cybercrime. It was recently revealed that the well-known file sharing service suffered an attack in 2012. The outcome: the theft of data from 68 million users.

One of the biggest attacks to date affected Yahoo – despite having taken place in 2014, the attack only became known recently. A total of 500 million accounts were compromised, making it the greatest theft in history.

In August 2016 we saw one of the greatest bitcoin thefts in history. Bitfinex, a company that deals in the commerce and exchange of cryptocurrency, was compromised and had an equivalent of 60 million dollars in bitcoins stolen from it, money which belonged to clients that had deposited their bitcoins in this “bank”. There is still no evidence pointing to the culprits, and the company has offered no information as to how it happened, as law enforcement agencies are still investigating the case.


DDoS Attacks

In September, Brian Krebs, the famed journalist specialising in security, blew the cover off vDOS, a “business” that offered DDoS attack services. Shortly thereafter, the people responsible, who in two years had led 150,000 attacks and made a profit of $618,000, were arrested.

In retaliation hackers took down Krebs’s website through a crippling DDoS attack. In the end, Google, through its Project Shield, was able to protect it and the page came back online.

In the last quarter of the year, a wave of large-scale cyberattacks against the American internet provider DynDNS disrupted the service of some major global corporations’ websites. The brutal attack affected major organisations and international communications tools, such as Netflix, Twitter, Amazon, and The New York Times. Service was interrupted for almost 11 hours, affecting more than a billion clients worldwide.



POS Terminals and Credit Cards

The popular American fast food chain Wendy’s saw the point-of-sale (POS) terminals at more than 1,000 of its establishments infected with malware that stole credit card information from its clients. PandaLabs discovered an attack carried out with malware known as PunkeyPOS, which was used to infect more than 200 US restaurants.

Another such attack was discovered in 2016 by PandaLabs. Once again, the victims were US restaurants, a total of 300 establishments whose POS terminals had been infected with the malware PosCardStealer.


Financial Institutions

This year, the Central Bank of Bangladesh suffered an attack in which 1 billion US dollars in bank transfers were initiated. Fortunately, a large portion of those transfers were blocked, although the thieves had already succeeded in making off with 81 million dollars.

Shortly after that we witnessed two similar cases: one against a bank in Vietnam, another against a bank in Ecuador.



Social Networks

The security of 117 million LinkedIn users was at risk after a list of email addresses and their respective passwords was published.

On Twitter, 32 million usernames and passwords were put up for sale for around $6000. The social network denied that the account information had been acquired from its servers. In fact, the passwords were in plain text and the majority of them belonged to Russian users, hinting at the possibility that they were obtained by means of phishing or Trojans.

This year it came to light that MySpace was attacked. The intrusion happened in 2013, although up until May of this year it remained unknown. Usernames, passwords, and email addresses were taken, reaching up to 360 million affected accounts. A user may not have used MySpace in years, but if they are in the habit of reusing passwords and aren’t using two-factor authentication, they could be at risk.

Activating two-factor authentication, creating complex passwords and not reusing them across different websites are recommended to avoid these risks.

What cyber nightmares does 2017 have in store for us?


Ransomware

Having taken center stage in 2016, ransomware will most likely do so again in 2017. In some ways, this kind of attack is cannibalising other, more traditional ones that are based on information theft. Ransomware is a simpler and more direct way to make a profit, eliminating intermediaries and unnecessary risks.

Taking every idea into consideration


Companies

Attacks on companies will be more numerous and sophisticated. Companies are already the prime target of cybercriminals. Their information is more valuable than that of private users.

Cybercriminals are always on the lookout for weaknesses in corporate networks through which they can gain access. Once inside, they use lateral movements to access resources that contain the information they are looking for. They can also launch large-scale ransomware attacks (infecting with ransomware all available devices), in order to demand astronomical sums of money to recover the data of affected companies.


Internet of Things

The Internet of Things (IoT) is fast becoming the next cybersecurity nightmare. Any kind of device connected to a network can be used as an entryway into corporate and home networks. The majority of these devices have not been designed with security in mind. Typically they do not receive automatic security updates, use weak passwords, reuse the same credentials across thousands of devices, and carry other security flaws – all of this together makes them extremely vulnerable to outside attacks.


DDoS

The final months of 2016 witnessed the most powerful DDoS attacks in history. It began in September with an attack on Brian Krebs after he reported on the activities of an Israeli company that offered this kind of service. On the heels of that attack came another on the French company OVH (reaching 1Tbps of traffic) and another on the American company Dyn that left several major tech giants without Internet service.

These attacks were carried out by bot networks that relied on thousands of affected IoT devices (IP cameras, routers). We can be certain that 2017 will see an increase in this kind of attack, which is typically used to blackmail companies or to harm their business.


Mobile Phones

The target is clear here as well — Android devices got the worst of it. Which makes sense, given that Android has the greatest market share. Focusing on one single OS makes it easier for cybercriminals to fix a target with maximal dissemination and profitability.

To complicate matters, updates do not depend only on what Android itself releases, but also on each hardware manufacturer’s decision of when and how to incorporate them – if at all. Given the number of security issues that crop up every month, this situation only puts users at greater risk.


Cyberwarfare

We are living in uncertain times with regards to international relations – threats of commercial warfare, espionage and tariffs, all with the potential to polarise the positions of the great powers. This can no doubt have vast and serious consequences in the field of cyber-security.

Governments will want access to more information, at a time when encryption is becoming more popular, and intelligence agencies will become more interested in obtaining information that could benefit industry in their countries.

A global situation of this kind could hamper data sharing initiatives — data that large companies are already sharing in order to better protect themselves against cyber-crime, setting standards and international engagement protocols.

The post Cyber Security Predictions for 2017 appeared first on CyberSafety.co.za.

Cybercrime Surges in Q3


The PandaLabs Q3 Report indicates that incidents of cybercrime continue to increase, with 18 million new malware samples captured this quarter – more than 200,000 samples daily.

The Quarter at a Glance

Cybercrime continues to grow at an exponential rate, fuelled by the opportunity for large financial rewards.

Hackers have taken to developing new variants of successful ransomware such as Locky, and to a model known as Ransomware-as-a-Service (RaaS), whereby developers create ransomware for distributors, who then target and infect victims – allowing both parties to achieve greater profits.

Another key development was the occurrence of DDoS attacks, most notably that against cyber security journalist Brian Krebs. Krebs’ exposure of vDoS led to the arrest of its key members and subsequently made Krebs’ site the target of a massive DDoS attack that saw Google step in to restore the site. In one of the largest attacks of its kind, hackers leveraged IoT devices to send 620GB of data per second – at its peak – to the site.

This quarter cyber-attacks targeted multiple gaming sites, gaining access to millions of users’ personal information. These attacks were largely launched using botnets composed of smartphones, and affected users of Overwatch, World of Warcraft and Diablo 3. Further attacks saw more than 3.5 million users exposed when Dota 2 and the mobile game Clash of the Kings were targeted. These highlight just a few incidents in the gaming world in the last 3 months.

The banking sector remained a target for hackers as attacks on ATMs, POS terminals and Bitcoin wallets continue to become more frequent and more advanced.

A Taiwanese ATM attack this quarter indicated just how advanced cybercriminals have become: they were able to hack the bank’s internal network and withdraw over R28 million without even touching the ATM itself.

Another big victim was Yahoo – one of the biggest attacks of its kind, revealed this quarter, indicated that 500 million user accounts had been compromised in a 2014 attack.

Finally, Q3 saw the largest Bitcoin robbery to date, when R 84 billion worth of Bitcoin was stolen by hackers.

View the full PandaLabs Q3 Report for more detail on specific attacks and find out how you can protect yourself and your business from the advanc

The post Cybercrime Surges in Q3 appeared first on CyberSafety.co.za.

Defying the Madness: DDoS Bot Evaluation (Recorded Future Blog)

Interested in our Threat Intelligence malware data feed? Levi Gundert at Recorded Future gives a great mention:

Team Cymru’s malware intelligence platform identified two additional samples from 2016 with two of the same AV verdicts respectively — wi32.hllw.autoruner2.22958 and deepscan:generic.malware.fp!dldpk!.68e4aeff. The associated metadata from Team Cymru’s runtime analysis is included below in the IOC section.

Read full article here

Photo Credit, “Operator?” by Melanie Tata, used under Creative Commons license 2.0