Category Archives: DDoS

US authorities Have Pardoned Authors of Mirai Ransomware in Return For Government “Cooperation”

The authors of the Mirai botnet have been pardoned and have avoided jail since they have helped the FBI in

US authorities Have Pardoned Authors of Mirai Ransomware in Return For Government “Cooperation” on Latest Hacking News.

Kaspersky: Attacks on Smart Devices Rise Threefold in 2018

Attacks against smart devices are surging, with both old and new threats targeting connected devices that remain largely unsecured, according to researchers at Kaspersky Lab. Kaspersky researchers observed three times as many malware samples against smart devices in the first half of 2018 than they did in all of 2017, according to new findings...

Read the whole entry... »

Related Stories

Report: Financial industry in crosshairs of credential-stuffing botnets

Botnets mounting credential-stuffing attacks against the financial industry are on the rise, with a more than 20-percent uptick in a two-month period, a new report from Akamai has found. Bad actors from the United States, Russia and Vietnam are using credential stuffing attacks to try to compromise financial services firms, Akamai says in its...

Read the whole entry... »

Related Stories

A guide to cyber attacks: Denial of Service – Part 3

To conclude this 3-part series on cyber attacks, Information Age examines the various types of DoS within the cyber space. DoS is a more forceful method of cyber attack than

The post A guide to cyber attacks: Denial of Service – Part 3 appeared first on The Cyber Security Place.

Teen arrested for DDoS attack on ProtonMail & making fake bomb threats

By Waqas

ProtonMail, a Swiss-based end-to-end email encryption service, has announced the name of one of the attackers involved in the DDoS attack against the company earlier this year. Due to the attack, the email service of ProtonMail stopped responding for a minute several times despite having adequate mitigation measures in place. The identified hacker, a teenager […]

This is a post from HackRead.com Read the original post: Teen arrested for DDoS attack on ProtonMail & making fake bomb threats

Cyber Security Roundup for August 2018

The largest data breach disclosed this month was by T-Mobile, the telecoms giant said there had been "unauthorised access" to potentially 2 million of their 77 million customer accounts. According to the media, a hacker took advantage of a vulnerability in a T-Mobile API (application programming interface). It was a vulnerable API used by Air Canada mobile App which was also exploited, resulting in the compromise of 20,000 Air Canada customer accounts. Air Canada promptly forced a password change to all of its 77 million customer accounts as a result, however, the airline faced criticism from security experts for advising a weak password strength. Namely, a password length of 8, made up of just characters and digits. Both of these hacks underline the importance of regularly penetration testing Apps and their supporting infrastructure, including their APIs.

Hackers stole up to 34,000 Butlin guest records, reportedly breaching the UK holiday camp firm through a phishing email. Dixons Carphone upped the estimated number of customer records breached in a hack last year from 1.2 million to 10 million, which includes 5.9 million payment cards. There was no explanation offered by Dixons to why it had taken so long to get a grip on the scale of the data breach, which was reported as occurring in July 2017.

Huawei continues to face scrutiny over the security of their products after the UK National Cyber Security Centre (NCSC) issued a warning about using the Chinese tech manufacturing giant's devices in a security report. Huawei recently took over from Apple as the world's second largest provider of smartphones. A 16 year old Australian 'Apple fanboy' found himself in court after hacking into Apple's network.

On the international scene, Microsoft announced it had thwarted Russian data-stealing attacks against US anti-Trump conservative groups, by taking down six domains which hosted mimicked websites, which were likely to be used in future phishing campaigns. The Bank of Spain's website was taken out by a DDoS attack, and a Chinese Hotel Group's 140Gb customer database was found for sale on the dark web. The PGA golf championship was hit by a ransomware, and the FBI arrested three key members of the notorious FIN7 hacking group, the group is said to be responsible for stealing millions of credit card and customer details from businesses across the world.

On the personal front, the EC-Council confirmed my Computer Hacking Forensic Investigation (CHFI) certification had been renewed until 2021. I dropped into B-Sides Manchester this month, the highlight was a demonstration of a vulnerability found by Secarma researches, namely a PHP flaw which places CMS sites at risk of remote code execution

There was plenty of critical security patches released by the usual suspects, such as Microsoft, Cisco, and Adobe, the latter firm released several out-of-band patches during August. A critical update was released for Apache Struts (popular web server) and a reminder that Fax machines and all-in-one devices network devices could be used as a way into corporate networks by hackers.

Finally, there were a couple of interesting cybercrime articles posted on the BBC's news website this month,  Cyber-Attack! Would your firm handle it better than this? and Unpicking the Cyber-Crime Economy

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE

Explained: regular expression (regex)

Regular expression, or “regex” for short, is a mathematical term for the theory used to describe regular languages. But in computing, regexes are used to search for patterns in files and databases, and their functionality is incorporated into many modern programming languages. Regex search patterns make wildcards look like clumsy clowns because they offer a whole slew of additional options.

Regex overview

The simplest and most common method of searching is to look for a specific string or character in a text file, for example, by using F3 on a website. This is basically what you use when you apply the “Search” or “Search and Replace” functions in Notepad.

Like we said, regex can do a lot more. But to achieve this, a few special characters have to be defined. It is good to know these so-called meta characters because syntax errors are the most common cause for failed searches.

The most used special characters are:

Square brackets []

Square brackets are used to specify a character set—at least one of which must be a match, but no more than one unless otherwise specified.

Example: Malwareb[yi]es will be a match for Malwarebytes and Malwarebites, not for Malwarebyites.

The minus sign –

The minus sign or hyphen is used to specify a range of characters.

Example: [0-9] will be a match for any single digit between 0 and 9.

Curly brackets {}

Curly brackets are used to quantify the number of characters.

Example: [0-9]{3} matches for any number sequence between 000 and 999

Parentheses ()

Parentheses are used to group characters. Matches contain the characters in their exact order.

Example: (are) gives a match for malware, but not for aerial because the following order of the characters is different from the specification.

Slash |

The slash, as in many languages, stands for the logical “or” operator.

Example: Most|more will be a match for both of the specified words.

Period .

The dot or period acts as a wildcard. It matches any single character, except line break characters.

Example: Malwareb.tes will be a match for Malwarebytes, Malwarebites, Malwarebotes, and many others, but still not for Malwarebyites.

Backslash \

The backslash is used to escape special characters and to give special meaning to some characters that follow it.

Examples: \d matches for one whole number (0 – 9).

\w matches for one alphanumeric character.

Asterisk *

The asterisk is a repeater. It matches when the character preceding it matches 0 or more times.

Example: cho*se will match for chose and choose, but also for chse (zero match).

Asterisk and period .*

The asterisk is used in combination with the period to match for any character 0 or more times.

Example: Malware.* will match for Malware, Malwarebytes, and any misspelled version that starts with Malware.

Plus sign +

The plus sign matches when the character preceding + matches 1 or more times.

Example: cho+se will match for chose and choose, but not for chse.

There are quite a few more meta characters, but it is outside the scope of this post to explain them all in detail. For those interested, there are many basic and advanced regex tutorials available. One of them will certainly fit your specific wishes.

Responsible use

Sophisticated regexes look intimidating and confusing at first sight, but once you have constructed a few yourself, you will start recognizing what others have tried to accomplish—especially if you take them apart one piece at a time. But we do advise caution when using your own regexes on public-facing servers or apps. An inexperienced publisher could be digging his own grave by doing so.

For most common tasks, there are many examples to be found on code repositories like GitHub. But you will have to choose carefully and ask yourself:

  • Security-wise, is it safe to use in production?
  • Is it well maintained? Does it get updated regularly, or will that become your future task?

The more contributors, the better is the rule of thumb here. More contributors mean not only more eyes that check for vulnerabilities, but also more people writing new code and improving existing code.

Abuse

As in many other programming languages, regex can be used in JavaScript as well. This capability is nice, but also poses a problem that has been known for several years. The first paper mentioning the possibilities of a regular expression denial of service (ReDoS) stems from 2012.

Basically, an attacker can prepare a specially-crafted and/or lengthy piece of text that he feeds into an input field of a JavaScript-based web server or app. Since JavaScript does not run multi-threaded, the targeted server or app is busy running its regex functions on the text. While it is doing that, it is unable to perform any other tasks, so the server or app will appear to be frozen. Other languages will take a long time to deal with such texts as well, but if they are multi-threaded, other requests can be dealt with at the same time and won’t have to wait until the regex functions are done processing the text.

Since it is not hard to figure out, or in some cases, it’s well-known what regexes will be performed, it is relatively easy to craft a text that will keep an unprotected server occupied for up to a few minutes.

For example, many servers use Node.js, a JavaScript runtime that has quite a few documented ReDoS vulnerabilities.

In other cases, attackers can search for so-called “evil regexes.” What makes a regex stand out as evil?

  • The regular expression applies repetition (“+”, “*”) to a complex subexpression.
  • For the repeated subexpression, there exists a match that is also a suffix of another valid match.

Prevention of ReDoS attacks

To prevent becoming a victim of a ReDoS attack, it is not enough to rely on the built-in security of the regex. Here are some tips:

  • Use atomic grouping in your regex. An atomic group is a group that, when the regex engine exits from it, automatically throws away all backtracking positions remembered by any tokens inside the group.
  • Keep tabs on your regexes. When a regex takes much longer then it should, kill it at once. You can inform the user that it was stopped for this reason and as a security measure.
  • Validate your input, and don’t allow users to use their own regexes. If there is no other way, then pre-format the regexes and only allow certain minimal deviations.
  • Only write your own regexes for production servers and apps if there are no other known reliable sources available.
  • Use one of the verification packages that are available for regexes to have your regex checked for vulnerabilities.

Popular does not equal safe

Even though Node.js is an immensely popular JavaScript runtime, it is not enough to rely on the security it provides. And even though regexes can be useful tools, using them should come with some precautions. Reportedly, there has been an uptick in web apps and servers that have been under ReDos attacks lately.

Sources

Understanding ReDoS Attack

JavaScript Web Apps and Servers Vulnerable to ReDoS Attacks

How a RegEx can bring your Node.js service down

Stay safe!

The post Explained: regular expression (regex) appeared first on Malwarebytes Labs.

Watch: An Account Takeover Attack Using Credential Stuffing, and How to Protect Against It [Video]

As cryptocurrencies continue to grow in diversity, so too do the threats they face, specifically those targeting the cryptocurrency exchange. Now, more than ever, cryptocurrency exchanges are facing security threats in the form of volumetric and application layer DDoS and account takeover (ATO) attacks.

Although the success of cryptocurrency exchanges makes them especially attractive to cybercriminals, attacks of late are taking exchanges by surprise, and they are often not scaled or have not built a secure enough environment to fend off threats.

First things first, what is credential stuffing?

Glad you asked; credential stuffing or credential abuse is the deliberate theft and use of stolen usernames and passwords to access sensitive or high-value data for personal gain, espionage, or other malicious intent. When we say theft, these credentials could also have been ‘bought’ following a data breach, because, you know… cybercrime.

Anyway, in the following two – short – clips, Imperva Security Engineer Jonathan Gruber and Enterprise Security Expert Tal Stern demonstrate a successful account takeover attack using the Hydra credential stuffing tool:

And show us how Imperva users can create tailored Incaprules that specifically block future credential stuffing attacks:

If you’d like to see Jonathan and Tal’s full demo, check it out on BrightTALK here.

Enhanced Infrastructure DDoS Protection Analytics: Targeted Visibility for Greater Accuracy

We’ve rolled out enhanced infrastructure protection analytics which shows top traffic patterns for traffic flowing through our Incapsula Infrastructure DDoS Protection service.

Imperva clients can now view network statistics categorized by source or destination IPs and ports, or by packet size for protected network ranges. This new addition to our data analytics helps our clients get in-depth visibility into their network usage during peacetime and when under a DDoS attack. Ultimately it will simplify forensics and help us provide a more accurate DDoS attack mitigation service. Check out the demo video to see how it works.

The Previous Dashboard

The prior infrastructure protection dashboard provided general attack traffic information, displaying rates of bits/packets in a time series chart as well as graphs showing passed/blocked traffic. The data on blocked traffic was based on pre-defined attack vectors.

From engaging with our clients, we learned that they wanted to be able to dive even deeper and to understand the mechanics of each and every attack.

Enhanced Metrics

The new infrastructure protection analytics take a big leap forward in terms of visibility, adding additional capabilities to our already stellar real-time dashboard and 15-second bucket historical view increments.

You can view statistics for your monitored IP ranges, examine emerging attacks in near real-time, or analyze historical attack data from the previous 90 days. This way you can look at behavior over time and better understand traffic patterns affecting the network – broken down by traffic type and showing peaks over a period of time. You can also get insight into bandwidth volume, packet rates, and PoP utilization.

Infrastructure protection clients can access the new infrastructure protection analytics through the infrastructure dashboard.

Example Use Case in Action

Until now, statistics were provided at the range level. When mitigation for the range took place, there wasn’t the depth of visibility to determine the exact resource that was under attack.

For a given range, we were able to display the size of the attack and the different attack vectors:

But other than the fact that we mitigated a lot of UDP traffic, it was impossible to dig deeper into the attack.

Now, with enhanced analytics, top Destination IPs can provide details of the servers that were targeted. We can clearly see that the attack was targeting specific servers rather than spread out on the full /24 range:

The top Source IPs show that the attack is distributed and that the top 10 source IPs make up a small portion of the full bandwidth (shown on the dotted line); hence, many more hosts were involved in the attack:

The top Destination Ports show that the attack was targeting a specific service (UDP Port 80):

And the top Source Ports reveal the true face of the attack – this is the infamous memcached attack, which earlier this year took down GitHub in the biggest DDoS attack to date:

We know that memcached has a very large amplification ratio, which means lots of very large packets, as can be seen in the packet size histogram:

Therefore, from a simplistic vector view, you can see how it’s possible to complete a full profiling of an attack, and how if your ranges are hosting multiple services, you can pinpoint the exact targeted service.

But that’s not all.

All this wealth of data is available for your clean traffic as well, since all data passing through the Incapsula service receives the same treatment. Profiling your network has never been easier.

The Importance of More Visibility

Visibility is crucial for network admins and security teams. With enhanced visibility, our clients can easily identify false positives, e.g. if traffic is blocked because of DDoS – or, say perhaps a new digital service has been introduced and suddenly many of your end users start using it.

Specific characteristics of an attack unveil actionable details. As an additional example, in the case of highly distributed traffic, that will usually mean a spoofed attack. And if a specific host is responsible for an attack, our clients can choose to modify the Access Control List (ACL) for that specific host.

Consider the benefits for the following users:

Network Admin

If you’re a network admin, you can now view clean analytics for your traffic without setting up alternative Netflow-based tools which consume router resources.

SOC Manager

Say you’re in charge of a very large network with hundreds of prefixes. Enhanced analytics provide you with better attack visibility when any one of your networks is attacked. If you receive an alert, you can determine which asset is being attacked and which IPS and ports are involved.

Head of IT Security

You can get a historical view of targeted services by destination IP and port.

How it Works

Dedicated hardware is deployed in each of our PoPs to perform the stream processing required in order to collect statistics at network speed. Probabilistic data structures are used in conjunction with deterministic counting in order to provide reliable top statistics. Analytics data is based on a 1:40 sampling resolution for DDoS traffic and a 1:1 sampling ratio for clean traffic, and data is collected in 15-second buckets.

Data is then sent for aggregation in a new, near real-time data store we call Watermill, which supports an end-to-end latency of less than 2 minutes.

If technical implementation details are your thing, we will be publishing a more technical blog post to go into even more detail, so stay tuned!

Customization

The views are customizable into table or graph format. You can customize the layout and choose to view the highest peak or average values for the selected time period. See the documentation for more information.

View Customization:

  • Dense View: All panes are packed together.

  • Aligned View: Bandwidth and packets-per-second graphs are aligned in two columns.

Data Customization:

  • Table View: See the distribution of blocked traffic for the highest values during the selected time period. Values over 10% are displayed in bold, which puts an emphasis on what’s important. For example, there may be a long tail of IPs/ports which may not be significant.
    • Peak View: Provides an indication for momentary spikes, i.e. an IP spiked at a single data point but went silent for the rest of the time range.
    • Average View: May eliminate peaks but provides a better metric for behavior over time.
  • Graph View: Drills down into the network behavior over time; supports up to 15-second granularity.

Going Forward

Infrastructure DDoS Analytics is available at no additional cost for all existing Infrastructure Protection clients. This expanded capability is just another way we’re continuing to focus on our goal of providing more in-depth visibility to our clients, so they have an easier job securing their enterprises.

Check out the new dashboard and let us know what you think!

Cyber Security Roundup for March 2018

In the wake of the global political fallout over the Salisbury nerve agent attack, there are reports of a growing threat of Russian state or Russian state-affiliated hacking groups conducting cyber attack reprisals against UK organisations, government officials have directly warned bosses at electricity, gas and water firms, Whitehall departments and NHS hospitals to prepare for a state-sponsored cyber assault


Large-scale data breaches were disclosed with Under Armour’s Fitness App MyFitnessPal (1.5 million personal records compromised), Orbitz (880k payment cards at risk), and at a Walmart partner (1.3 million personal records compromised). The latter was caused when an AWS S3 bucket holding a Walmart database was left with open access, which isn't the first time a cloud service misconfiguration has caused a major data breach.

TalkTalk were warned about their website’s poor security after a hacker known as 'B' disclosed a cross-site scripting vulnerability on the talktalk.co.uk website to Sky News. TalkTalk was given a record £400,000 fine by the Information Commissioner's Office following a major website breach in October 2015, which 157,000 customer details were stolen. And the company were told to "be more diligent and more vigilant” and was fined a further £100,000 after data belonging to 21,000 customers were exposed to "rogue" staff at an Indian call centre.

GitHub survived the largest ever DDoS attack recorded thanks to Akamai DDoS protection, which peaked at a massive 1.35 terabytes of data per second.

UK schools were warned they were soft targets for cybercriminals, experts believe many schools are ill-equipped to prevent cyber thefts, with sensitive data such as children’s medical records said to be lucrative on the dark web. There has been a number of security incidents disclosed involving UK schools in recent months.
Gwent Police are facing scrutiny by the Information Commissioner's Office for not informing 450 people that hackers may have accessed their personal information, after discovering the breach over a year ago.

A hacker alleged to be behind a gang the ran the Carbanak and Cobalt bank target malware has been arrested. The gang is reported to be responsible for the theft of up to billion euros through bank transfers and from cash machines, from over 100 banks since 2013


NEWS

AWARENESS, EDUCATION AND THREAT INTELLIGENCE

REPORTS

Weekly Cyber Risk Roundup: Record-Setting DDoS Attacks, Data Breach Costs

Last week, researchers observed a 1.35 Tbps distributed denial-of-service attack (DDOS) attack targeting GitHub. It was the largest DDoS attack ever recorded, surpassing the 1.2 Tbps attack against DNS provider Dyn in October 2016.

The attack leveraged a newly observed reflection and amplification vector known as memcached. Akamai researchers warned that other organizations experienced similar DDoS attacks using the new method following the GitHub attack and that even larger attacks may be possible in the future.

“Memcached can have both UDP and TCP listeners and requires no authentication,” the researchers wrote. “Since UDP is easily spoofable, it makes this service vulnerable to use as a reflector. Worse, memcached can have an amplification factor of over 50,000, meaning a 203 byte request results in a 100 megabyte response.”

The attack was mitigated within 10 minutes, GitHub said. The following day GitHub was the target of a second DDoS attack that disrupted availability for a 15-minute period, ThousandEyes reported.

“Because of its ability to create such massive attacks, it is likely that attackers will adopt memcached reflection as a favorite tool rapidly,” Akamai researchers wrote. “The good news is that providers can rate limit traffic from source port 11211 and prevent traffic from entering and exiting their networks, but this will take time.”

Wired reported there are approximately 100,000 memcached servers that currently have no authentication protection and can be abused by malicious attackers to carry out similar potentially massive, botnet-free DDoS attacks.

2018-03-03_ITTGroups

Other trending cybercrime events from the week include:

  • W-2 information breached: The University of Alaska said that 50 current and former employees and students had their personal information compromised when hackers gained access to their university accounts by answering security questions and resetting their passwords. The Association for Supervision and Curriculum Development is notifying employees that their W-2 information was compromised due to a spear phishing attack. Wallace Community College Selma said that current and former employees had their W-2 information compromised when an employee fell for a phishing scam. Curtis Lumber is notifying employees that their personal information was stolen in a spear phishing attack, and some of those employees have reported issues related to filing their federal taxes following the incident.
  • Ransomware infections continue: The Colorado Department of Transportation said that computers had been reinfected with ransomware eight days after an initial attack. Both the Children’s Aid Society of Oxford County and the Family and Children’s Services of Lanark, Leeds and Grenville in Canada were the victims of a ransomware infection. Jemison Internal Medicine is notifying 6,550 patients of a ransomware infection that may have compromised their personal information.
  • Payment card breaches and service disruptions: A number of Tim Hortons locations in Canada were temporarily shut down or were forced to close their drive-throughs after malware was discovered targeting Panasonic cash registers. NIS America said that customers of its online stores had their information compromised due to being redirected to a malicious site that would harvest their information during the checkout process. North 40 is notifying customers that their payment card information may have been compromised due to unauthorized access to its e-commerce website.
  • Notable data breaches: A hacker gained access to the intranet of Germany’s government and accessed confidential information. St. Peter’s Surgery and Endoscopy Center is notifying patients that their personal and medical information may have been compromised due to unauthorized access to its servers. Healthcare vendor FastHealth submitted a data breach notification regarding unauthorized access to its web server. Porsche Japan said that the information of customers was exposed due to a hack. Metro Wire Rope Corporation said that an employee email account was compromised after the employee opened a  malicious attachment with credential-stealing capabilities. The French news magazine L’Express exposed a database containing the personal information of readers and after being notified of the exposure took a month to secure the data. U.S. Marine Corps Forces Reserve may have compromised the personal information of 21,426 individuals due to sending an unencrypted email with an attachment to the wrong email distribution list.
  • Other notable events: The Financial Services Information Sharing and Analysis Center said that one of its employees was successfully phished, and the compromised email account was used to send further phishing messages to other members, affiliates, and employees. The recent hack of the PyeongChang Winter Olympics that led to Internet disruptions and website downtime was a false-flag operation carried out by Russian military spies to make it appear as if the attack was carried out by North Korea, U.S. intelligence officials said. An Arkansas man who developed the remote-access Trojan NanoCore and marketed it on Hack Forums has been sentenced to 33 months in prison.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of the top trending targets are shown in the chart below.

2018-03-03_ITT

Cyber Risk Trends From the Past Week

2018-03-03_Risk

Equifax was back in the news this week after announcing it had discovered an additional 2.4 million U.S. consumers who were affected by its massive 2017 data breach, bringing the total number of people impacted to 147.9 million.

“This is not about newly discovered stolen data,” said Paulino do Rego Barros, Jr., Interim chief executive officer in a press release. “It’s about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals.”

The company also said that it expects breach-related costs to hit $275 million in 2018, which Reuters noted could make the Equifax breach the most costly hack in corporate history:

The projection, which was disclosed on a Friday morning earnings conference call, is on top of $164 million in pretax costs posted in the second half of 2017. That brings expected breach-related costs through the end of this year to $439 million, some $125 million of which Equifax said will be covered by insurance.

Those breach-related costs could rise further once legal actions from consumers and regulators are finally resolved. However, Sen. Elizabeth Warren recently stated that “Equifax is still making money off their own breach” and that even consumers who do not want to do business with them may end up buying credit protection services from another company who “very well may be using Equifax to do the back office part.”

It’s the same criticism she waged in January when introducing a bill with Sen. Mark Warner to address problems related to credit agencies collecting data without strict protections in place to secure that information. As CNET noted, if such a bill was in place at the time of the Equifax breach, the company likely would have faced a fine of at least $14.3 billion.

Cyber Security Roundup for November 2017

One of the most notable data breaches disclosed this month was by Uber, given the company attempted to cover up the breach by paying off hackers. Over a year ago the transport tech firm was said to have paid £75,000 to two hackers to delete 57 million Uber account records which they had stolen. Uber revealed around 2.7 million of the stolen records were British riders and drivers. As a UK Uber rider, this could mean me, I haven't received any notification of the data breach from Uber as yet. The stolen information included names, email addresses, and phone numbers. Uber can expect enforcement action from regulators on both sides of the pond, the UK Information Commissioner's Office (ICO) said it had "huge concerns" about the breach and was investigating.

Jewson, Cash Converters, and Imgur all reported losing data due to hacks this month, while Equifax has reported suffering significant negative financial losses following their high profile hack of personal customer data. Equifax reported their net income had dropped by £20 million due to the hack, and their breach bill was coming in at a whopping £67 million.

November was a very busy month for security patches releases, with Microsoft, Apple, Adobe, Oracle, Cisco and Intel releasing a raft of patches to fix critical vulnerabilities. Apple even had to quickly release an emergency patch at end of November to fix a root access flaw reported in macOS High Sierra version 10.13.1. So just keep patching everything IT to ensure you and your business stays ahead of enterprising cybercriminals, the Equifax breach is a prime example of what can go wrong if system patching is neglected.

November also saw Open Web Application Security Project (OWASP) finally released an updated version to its Top Ten application vulnerabilities list, which is a ‘must know’ secure coding best practice for all software developers and security testers, especially considering that Akamai reported web application attacks had increased by 69% in the third quarter of 2017. Look out for an updated OWASP Top Ten IBM DeveloperWorks Guidance from me in December to reflect the updated list.

NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE
REPORTS

Cyber Security Roundup for October 2017

State-orchestrated cyber attacks have dominated the media headlines in October, with rogue state North Korea and its alleged 6,800 strong cyber force blamed for several cyber attacks. International intelligence scholars believe the North Korean leadership are using cyber warfare to up the political ante with their ongoing dispute with the United States. The North Koreans, as well as terrible security practices, were directly blamed by the UK National Audit Office for the recent NHS WannaCry attack (despite North Korea denying it). North Korea was also reported to be implicated in the stealing US War Plans from South Korea, and for a spear phishing campaign against the US Power Grid. The possible Russian manipulation of the US election with cyber attacks and rogue social media campaigns is still a story not going away, while the Chinese are alleged to be behind the data theft of Australian F-35 fighter jet, in what is described as an 'extensive' Cyberattack. The finger was pointed at Iran for the recent Parliamentary Emails cyber attacks in the UK, meanwhile, EU governments venting their cyber concern, warning that Cyber Attacks can be an Act of War.

Stephen Hawking caused controversy in both the science and tech industry last year when he said Artificial Intelligence could be a serious threat to human existence, could the plot of The Terminator really come to fruition? Perhaps so, as it was reported that AI had already defeated the Captcha Security Check system. Personally, I believe both AI and Quantum Computing will pose significant new threats to cybersecurity space in the next decade.

A far higher number of personal records were compromised in the Equifax data breach than was previously thought, with millions of UK citizens confirmed to be impacted by the US-based credit checking agency hack. Equifax’s now ex-CEO provided an interesting blow-by-blow account of the cyber-attack at a US government hearing, even though Equifax technical staff were specifically warned about a critical Apache Struts (web server) patch, it was ignored and not applied, which in turn allowed hackers to take full advantage of vulnerability to steal the Equifax data on mass. To make matters even worse, the Equifax consumer breach help website was found to be infecting visitors with spyware.

Yahoo revealed all 3 Billion of its user accounts had in fact been breached, in what is truly an astonishing mammoth sized hack, biggest in all history, so far. Elsewhere on the commercial hacking front, Pizza Hut's website was reported to be hacked with customer financial information taken, and Disqus said a 2012 breach it discovered in October exposed the information of 17.5 million its users from as far back as 2007.

It was a super busy month for security vulnerability notifications and patch releases, with Microsoft, Netgear, Oracle, Google, and Apple all releasing rafts of critical level patches. A serious weakness in the wireless networking WPA2 protocol was made public to great fanfare after researchers suggested all Wifi devices using WPA2 on the planet were vulnerable to an attack called Krack, which exploited the WPA2 weakness. Krack is a man-in-the-middle attack which allows an attacker to eavesdrop or redirect users to fake websites over Wifi networks secured using the WPA2 protocol. At the time of writing most wireless access point vendors and operating system providers had released patches to close the WPA2 vulnerability, and there have been no known exploits of the vulnerability reported in the wild.

BadRabbit is a new strain of ransomware which is emerging and is reported to be infecting systems and networks in Russia and the Ukraine at the moment. BadRabbit is the latest network self-propagating malware, like NotPeyta and WannaCry, to use the NSA EternalRomance hacking tool. A massive new IoT botnet was discovered, its continued growth is fuelled by malware said to be more sophisticated than previous IoT botnet king, Mirai. Russian based threat actor group APT28 is said to be targeting the exploitation of a recently patched Adobe vulnerability (CVE-2017-11292), in using malicious Microsoft Word attachment, so ensure you keep on top of your system patching and always be careful when opening email attachments. 

Finally, the UK National Cyber Security Centre (NCSC) released its first annual report, as it seeks to improve cybersecurity across the UK. Among NCSC achievements cited in the report are:
  • The launch of Active Cyber Defence, credited with reducing average time a phishing site is online from 27 hours to 1 hour
  • Led UK response to WannaCry
  • Advice website with up to 100,000 visitors per month
  • Three-day Cyber UK Conference in Liverpool
  • 43% increase in visits to the Cyber Security Information Sharing Partnership (CiSP)
  • Produced 200,000 physical items for 190 customer departments via UK Key Production authority to secure and protect communications of Armed Forces and national security
  • 1,000 youngsters on CyberFirst courses and 8,000 young women on CyberFirst Girls competition.
  • Worked with 50 countries, including signing Nato's MoU
NEWS
AWARENESS, EDUCATION AND THREAT INTELLIGENCE
REPORTS

CoalaBot : http Ddos Bot



CoalaBot appears to be build on August Stealer code (Panel and Traffic are really alike)

I found it spread as a tasks in a Betabot and in an Andromeda spread via RIG fed by at least one HilltopAds malvertising.

2017-09-11: a witnessed infection chain to CoalaBot


A look inside :
CoalaBot: Login Screen
(August Stealer alike) 




CoalaBot: Statistics


CoalaBot: Bots


CoalaBot: Tasks
CoalaBot: Tasks


CoalaBot: New Taks (list)



CoalaBot: https get task details

CoalaBot: http post task details



CoalaBot: Settings
Here is the translated associated advert published on 2017-08-23 by a user going with nick : Discomrade.
(Thanks to Andrew Komarov and others who provided help here).
------------------------------------------
Coala Http Ddos Bot

The software focuses on L7 attacks (HTTP). Lower levels have more primitive attacks.

Attack types:
• ICMP (PING) FLOOD
• UDP FLOOD
• TCP FLOOD
• HTTP ARME
• HTTP GET *
• HTTP POST *
• HTTP SLOWLORIS *
• HTTP PULSE WAVE *

* - Supports SMART mode, i.e. bypasses Cloudflare/Blazingfast and similar services (but doesn’t bypass CAPTCHA). All types except ICMP/UDP have support for using SSL.


Binary:
• .NET 2.0 x86 (100% working capacity WIN XP - WIN 7, on later versions ОС .NET 2.0 disabled by default)
• ~100kb after obfuscation
• Auto Backup (optional)
• Low CPU load for efficient use
• Encryption of incoming/outgoing traffic
• No installation on machines from former CIS countries(RU/UA/BL/KZ/...)
• Scan time non-FUD. Contact us if you need a recommendation for a good crypting service.
• Ability to link a build to more than one gate.

Panel:
• Detailed statistics on time online/architecture/etc.
• List of bots, detailed information
• Number count of requests per second (total/for each bot)
• Creation of groups for attacks
• Auto sorting of bots by groups
• Creation of tasks, the ability to choose by group/country
• Setting an optional time for bots success rate

Other:

• Providing macros for randomization of sent data
• Support of .onion gate
• Ability to install an additional layer (BOT => LAYER => MAIN GATE)


Requirements:

• PHP 5.6 or higher
• MySQL
• Мodule for MySQLi(mysqli_nd); php-mbstring, php-json, php-mcrypt extensions

Screenshots:

• Created tasks - http://i.imgur.com/RltiDhl.png


Price:

• $300 - build and panel. Up to 3 gates for one build.
• $20 - rebuild
The price can vary depending on updates.
Escrow service is welcome.

Help with installation is no charge.
------------------------------------------

Sample:

VT link
MD5 f3862c311c67cb027a06d4272b680a3b
SHA1 0ff1584eec4fc5c72439d94e8cee922703c44049
SHA256 fd07ad13dbf9da3f7841bc0dbfd303dc18153ad36259d9c6db127b49fa01d08f

Emerging Threats rules :
2024531 || ET TROJAN MSIL/CoalaBot CnC Activity

Read More:
August in November: New Information Stealer Hits the Scene - 2016-12-07 - Proofpoint

Cyber Security Predictions for 2017

Pandalabs-summer16

Analysis

2016 kicked off with more than 20 million new samples of malware detected and neutralised by PandaLabs – an average of 227,000 per day. This figure is slightly higher than that of 2015, which saw around 225,000 per day.

Throughout 2016, we’ve seen how the number of new malware has been slightly lower than in 2015 — about 200,000 new samples of malware per day on average — however attacks have become more effective.

Cybercriminals are becoming more confident in their abilities, and, although figures have been lower than expected, there is still cause for concern. Hackers appear to be concentrating their efforts into the most profitable attacks, utilising sophisticated techniques that allow them to make quick and easy money in an efficient manner.

Black Hats have turned their focus essentially to productivity, proliferating attacks on businesses that handle massive quantities of data and sensitive information. Once they’ve gained access to these businesses, they are able to infect a large number of computers possible with ransomware, putting themselves in a position to demand millions in ransom or put the data up for sale on the black market.

If there is one thing that hasn’t changed over the course of this year, it’s the popularity of trojans, with ransomware at the forefront, continuing to top the statistical charts for years.


Ranking the top attacks of 2016

art-blog


Ransomware

We know that ransomware is a substantial business for cybercriminals, but it is incredibly tricky to measure the number of attacks reliably. What can be noted is the evolution of Ransomware attacks, in some cases having become particularly aggressive, as is the case of Petya. Instead of encrypting documents, Petya goes straight for the computer’s Master Boot Record (MBR) and makes it unserviceable until a ransom is paid.

Abuse of system tool PowerShell has risen this year, installed by default in Windows 10 and frequently used in attacks to avoid detection by security solutions installed on victims computers.

In Q2 of 2016, one of the strangest cases of Ransomware involved a company in Slovenia. The company’s head of security received an email out of Russia informing him that their network had been compromised and that they were poised to launch ransomware on all of their computers. If the company didn’t pay around €9000 in Bitcoins within 3 days. To prove that they did in fact have access to the organisations network, the hackers sent a file with a list of every device connected to the company’s internal network.

Ransomware as a Service (RaaS) presented as the latest development in the Ransomware industry. In Q3 we witnessed to a higher level of specialisation in the ransomware trade. The best example of this featured the creators of the ransomware Petya and Mischa, specialised in the development aspect of malware and its corresponding payment platforms, leaving distribution in the hands of third parties. Once the creators have done their part they leave it up to the distributors to be in charge of infecting their victims. Much like in the legal world, the distributors’ profit is derived from a percentage of the money acquired. The higher the sales, the higher the percentage that they receive.


Malicious email

Attacks don’t only come in the form of malvertising or compromised websites. A large number of them still arrive through email in the form of false invoices or other notifications. An attack of this sort was carried out in at least two European countries, in which cybercriminals posed as their respective local electricity supply companies. The message contained no attachment, showing only the billing information in text and including a link that when clicked would take you to the invoice details. The hook was an exorbitantly high payment that would entice an emotional response so that the recipient would click through to consult the supposed bill without thinking. Upon clicking the link, the user was directed to a website that resembled the company’s real website, where a bill could be downloaded. If the client downloaded and opened the file, they became infected with ransomware.


Business Email Compromise Phishing

Hackers will investigate how the company operates from the inside and get information from their victims off of social networks to give credibility to their con. The attackers then pose as the CEO or financial director of a company and request a transfer from an employee. This kind of attack is rapidly gaining in popularity.

A notable case this year affected Mattel, the well-known toy manufacturer of Barbies and Hot Wheels. A high ranking executive received a message from the recently appointed CEO soliciting a transfer of $3 million to a bank account in China. After making the transfer, he then confirmed with the CEO that it was done, who in turn was baffled, having not given such an order. They got in touch with the American authorities and with the bank, but it was too late and the money had already been transferred.

In this case they were fortunate. It was a bank holiday in China and there was enough time to alert the Chinese authorities. The account was frozen, and Mattel was able to recover their money.

smartphones-blog


Mobile Devices

SNAP is one the most popular vulnerabilities that we’ve seen this year – affecting LG G3 mobile phones. The problem stemmed from an error in LG’s notifications app, called Smart Notice, which gives permission for the running of any JavaScript. The researchers at BugSec discovered the vulnerability and notified LG, which rapidly published an update that resolved the problem.

Gugi, an Android trojan, managed to break through Android 6’s security barriers to steal bank credentials from apps installed on the phone. To accomplish this, Gugi superimposed a screen on top of the screen of the legitimate app asking for information that would then be sent directly to the criminals without their victims’ knowledge.

In August, Apple published an urgent update of version 9.3.5 of iOS. This version resolves three zero-day vulnerabilities employed by a software spy known as Pegasus, developed by the NGO Group, an Israeli organization with products similar to those offered by Hacking Team.


Internet of Things

Connected cars are at risk from cyber-attack – investigators at the University of Birmingham showed how they had succeeded in compromising the power door lock system of every vehicle sold by the Volkswagen Group in the last twenty years. Researchers Charlie Miller and Chris Valasek, who last year demonstrated how to hack a Jeep Cherokee, took it one step further this year to show how they could manipulate at will the throttle, the brake, and even the steering wheel while the car was in gear.

Smart homes are just as vulnerable to attack – researchers Andrew Tierney and Ken Munro showed a proof of concept that they built to hijack a thermostat. After taking control of the thermostat (inserting an SD card in it), he raised the temperature to 99 degrees Fahrenheit and required a PIN to deactivate it. The thermostat connected to an IRC channel, giving the MAC address of as an identifier of every compromised device. It demanded a bitcoin in exchange for the PIN, which changed every 30 seconds.

cybersecurity3


Cyberwarfare

2016 saw the United States go on the offensive and concede that it is launching cyber-attacks against Daesh targets. Robert Work, United States Deputy Secretary of Defense, made this clear in statements to CNN.

In February, South Korean officials discovered an attack originating from North Korea. The attack allegedly began over a year ago, its primary target being 140,000 computers belonging to organisations and government agencies, as well as defense contractors. According to police statements, more than 42,000 documents were stolen, of which 95% were related to defense, such as, for example, documents containing plans and specs for the F15 fighter jet.

At the height of the United States presidential election, one of the most significant incidents that took place was the discovery of an attack on the DNC (Democratic National Committee) in which a stockpile of data was plundered, and was then leaked to the public.

On the subject of the elections, the FBI issued an alert after detecting two attacks on electoral websites, and at least one of the attackers — identified as foreigners — was able to make off with voter registration data.

In August, a group calling itself “The Shadow Brokers” announced that it had hacked the NSA and published some of the “cyber weapons” that it had stolen, promising to sell the rest to the highest bidder.


Cybercrime

In June, a criminal dubbed “The Dark Overlord” put patient information from three US institutions up for sale on the black market. He had stolen information from over 650,000 patients and asked for around $700,000 for its return. Shortly thereafter, he put the personal information of 9.3 million clients of a medical insurance agency up for sale for 750 bitcoins.

In the last few months, Dropbox became another victim of cybercrime. It was recently revealed that the well-known file sharing service suffered an attack in 2012. The outcome: the theft of data from 68 million users.

One of the biggest attacks to date affected Yahoo – despite having taken place in 2014 the attack only become known recently. A total of 500 million accounts were compromised, becoming the greatest theft in history.

In August 2016 we saw one of the greatest bitcoin thefts in history. Bitfinex, a company that deals in the commerce and exchange of cryptocurrency, was compromised and had an equivalent of 60 million dollars in bitcoins stolen from it, money which belonged to clients that had deposited their bitcoins in this “bank”. There is still no evidence pointing to the culprits, and the company has offered no information as to how it happened, as law enforcement agencies are still investigating the case.


DDoS Attacks

In September, Brian Krebs, the famed journalist specialising in security, blew the cover off of vDOS, a “business” that offered DDoS attack services. Shortly thereafter, the people responsible, who in two years had lead 150,000 attacks and made a profit of $618,000, were arrested.

In retaliation hackers took down Krebs’s website through a crippling DDoS attack. In the end, Google, through its Project Shield, was able to protect it and the page came back online.

In the last quarter of the year, a wave of large-scale cyberattacks against the American internet provider DynDNS disrupted the service of some major global corporations’ websites. The brutal attack affected major organisations and international communications tools, such as Netflix, Twitter, Amazon, and The New York Times. Service was interrupted for almost 11 hours, affecting more than a billion clients worldwide.

pandasecurity-punkeyPOS-principal1


POS’s and Credit Cards

The popular American fast food chain Wendy’s saw the Points of Sale terminals at more than 1,000 of its establishments infected with malware that stole credit card information from its clients. PandaLabs discovered an attack carried out with malware known as PunkeyPOS, which was used to infect more than 200 US restaurants.

Another such attack was discovered in 2016 by PandaLabs. Once again, the victims were US restaurants, a total of 300 establishments whose POS’s had been infected with the malware PosCardStealer.


Financial Institutions

This year, the Central Bank of Bangladesh suffered an attack in which 1 billion US dollars in bank transfers were made. Fortunately, a large portion of those transfers were blocked, although the thieves had already succeeded in making off with 81 million dollars.

Shortly after that we witnessed two similar cases: one against a bank in Vietnam, another against a bank in Ecuador.

blog


Social Networks

The security of 117 million LinkedIn users was at risk after a list of email address and their respective passwords were published.

On Twitter, 32 million usernames and passwords were put up for sale for around $6000. The social network denied that the account information had been aquired from their servers. In fact, the passwords were in plain text and the majority of them belonged to Russian users, hinting at the possibility that they were attained by means of phishing or Trojans.

This year it came to light that MySpace was attacked. The intrusion happened in 2013, although up until May of this year it remained unknown. Usernames, passwords, and email addresses were taken, reaching up to 360 million affected accounts. A user may not have used MySpace in years, but if they are in the habit of reusing passwords, and aren’t using two-factor authentication they could be at risk.

Activating two-factor authentication, creating complex passwords and not reusing them for different websites is recommended to avoid these risks.

What cyber nightmares does 2017 have in store for us?


Ransomware

Having taken center stage in 2016, Ransomware will most likely do so again in 2017. In some ways, this kind of attack is cannibalising other more traditional ones that are based on information theft. Ransomware is a simpler and more direct way to make a profit, eliminating intermediaries and unnecessary risks.

Taking every idea into consideration


Companies

Attacks on companies will be more numerous and sophisticated. Companies are already the prime target of cybercriminals. Their information is more valuable than that of private users.

Cybercriminals are always on the lookout for weaknesses in corporate networks through which they can gain access. Once inside, they use lateral movements to access resources that contain the information they are looking for. They can also launch large-scale ransomware attacks (infecting with ransomware all available devices), in order to demand astronomical sums of money to recover the data of affected companies.


Internet of Things

Internet of Things (IoT) is fast becoming the next cybersecurity nightmare. Any kind of device connected to a network can be used as an entryway into corporate and home networks. The majority of these devices have not been designed with security strength in mind. Typically they do not receive automatic security updates, use weak passwords, reuse the same credentials in thousands of devices, and other security flaws – all of this together makes them extremely vulnerable to outside attacks.


DDoS

The final months of 2016 witnessed the most powerful DDoS attacks in history. It began in September with an attack on Brian Krebs after his having reported on the activities of an Israeli company that offered this kind of service. On the heels of that attack came another on the French company OVH (reaching 1Tbps of traffic) and another on the American company Dyn that left several major tech giants without Internet service.

These attacks were carried out by bot networks that relied on thousands of affected IoT devices (IP cameras, routers). We can be certain that 2017 will see an increase in this kind of attack, which is typically used to blackmail companies or to harm their business.


Mobile Phones

The target is clear here as well — Android devices got the worst of it. Which makes sense, given that Android has the greatest market share. Focusing on one single OS makes it easier for cybercriminals to fix a target with maximal dissemination and profitability.

To complicate matters, updates do not only depend on the rollout of what Android can do, but also depends on each hardware manufacturer’s decision of when and how to incorporate them – if at all. Given the amount of security issues that crop up every month, this situation only puts users at greater risk.


Cyberwarfare

We are living in uncertain times with regards to international relations – threats of commercial warfare, espionage, tariffs with the potential to polarise the positions of the great powers. This can no doubt have vast and serious consequences in the field of cyber-security.

Governments will want access to more information, at a time when encryption is becoming more popular) and intelligence agencies will become more interested in obtaining information that could benefit industry in their countries.

A global situation of this kind could hamper data sharing initiatives — data that large companies are already sharing in order to better protect themselves against cyber-crime, setting standards and international engagement protocols.

The post Cyber Security Predictions for 2017 appeared first on CyberSafety.co.za.

Cybercrime Surges in Q3

young man with glasses sitting in front of his computer, programming. the code he is working on (CSS) can be seen through the screen.

PandaLabs Q3 Report indicates that incidences of cybercrime continue to increase, with 18 million new malware samples captured this quarter – more than 200,000 samples daily.

The Quarter at a Glance

Cybercrime continues to grow at an exponential rate, fuelled by the opportunity for large financial rewards.

Hackers have taken to developing new variants of successful Ransomware such as Locky, and the development of a model known as Ransomware-as-a-Service (RaaS), whereby developers create Ransomware for distributors, these distributors then target and infect victims – allowing both parties to achieve greater profits.

Another key development was the occurrence of DDoS attacks. Most natably that of Cyber Security journalist Brian Krebs. Krebs exposure of vDoS lead to the arrest of its key members and subsequently made Krebs’ site the target of a massive DDoS attack that saw Google step in to restore the site. As one of the largest attack of its kind, hackers leveraged IoT devices to send 620GB of data per second – at its peak – to the site.
graphs_cabecera-mediacenter
This quarter cyber-attacks targeted multiple gaming sites, gaining access to millions of users’ personal information. These attacks were largely launched using botnets composed of smartphones, and effected users of Overwatch, World of Warcraft and Diablo 3. Further attacks saw more than 3.5 million users exposed when Dota 2 and mobile game Clash of the Kings were targeted. These highlight just a few incidences in the Gaming world in the last 3 months.

The Banking sector remained a target for hackers as attacks on ATM’s, POS terminals and Bitcoin wallets continue to become more frequent and more advanced.

A Taiwanese ATM attack this quarter indicated just how advanced cybercriminals have become when they were able to hack the banks internal network and withdraw over R28 million without even touching the ATM itself.

Another big victim was Yahoo – one of the biggest attacks of its kind revealed this quarter indicated that 500 million user accounts had been comprised in a 2014 attack.

Finally, Q3 saw the largest Bitcoin robbery to date, when R 84 billion worth of Bitcoin was stolen by hackers.

View the full PandaLabs Q3 Report for more detail on specific attacks and find out how you can protect yourself and your business from the advanc

The post Cybercrime Surges in Q3 appeared first on CyberSafety.co.za.