Category Archives: Distributed Denial-of-Service (DDoS)

Why You Need a BGP Hijack Response Plan

The vast majority of computer security incidents involve some sort of phishing or malware. Typically, this is the type of incident that receives the most attention from organizations, and for which security controls are established. And rightfully so — malware that exploits a vulnerability or human error can cause significant damage to an organization.

However, attacks targeting an organization’s network or internet infrastructure components — such as Border Gateway Protocol (BGP) — have been generally overlooked, even as they gain traction. BGP hijack attacks are still far less common than distributed denial-of-service (DDoS) attacks, but several recent events have turned this unusual method into headlines.

What Is BGP?

Some consider BGP the glue that ties the internet together. Purists might argue that it is the Domain Name System (DNS) that plays this role, given that there can be glue records in a zone file. However, without BGP, your packets would not arrive at their intended destinations.

BGP is the routing protocol of the internet. It is used to determine the most efficient way to route data between independently operated networks, known as autonomous systems (AS). In technical terms, an AS is a collection of IP prefixes that are assigned an Autonomous System Number (ASN).

Put simply, BGP is the road map to the internet, whereas DNS is the phone book.

How BGP Routing Works

A BGP router uses a large table called the routing information base (RIB), which describes the networks it can reach and what the most efficient paths to these networks are. BGP peers are systems (or neighbors) from which the router receives information (networks or prefixes). These are configured manually.

Basically, BGP peers tell the router that it should process or include the information received by other manually entered peers. By combing the information coming from different peers, the router can then work out the most efficient path to a destination.

What Is BGP Hijacking?

In short, a BGP attack is a configuration of an edge router to announce prefixes that have not been legitimately assigned to it. If the injected announcement is more specific (meaning more efficient) than the legitimate one, then the traffic will be rerouted to the injected announcement. In this way, an attacker can broadcast false prefix announcements, polluting the routing table of all its connected peers.

Because of the propagation of routes through connected networks, if one peer includes the malicious information in its routing table, this information can be quickly propagated to other peers. Routing announcements are accepted almost without any validation, making a successful BGP hijack relatively easy.

There are two primary types of attacks: A complete hijack attack overtakes a specific IP prefix, whereas in a partial hijack, the attacker competes with the legitimate source by announcing the same prefix with the same efficiency.

There are also unintentional cases. Human error can cause the same effect as a BGP hijack attack. This is often referred to as a route leak.

Recognize the Impact

The most obvious impact of BGP hijacking is that packets do not take their most optimal route, slowing down users’ connections to the network.

Far worse, attackers can black hole an entire network, including the organization’s services, thus resulting in an outage resembling a DDoS attack. Similarly, attackers can censor certain sources of information by black holing specific networks.

The rerouting makes the attacker a middleman of the network flow — meaning he or she can eavesdrop on certain parts of the communication, or in some cases even alter the traffic. They can also redirect traffic from your customers or users to malicious sites pretending to be part of your network. This can result in the theft of information or credentials or delivery of malware that exploits weaknesses.

In addition, spammers can abuse the good reputation of your ASN to conduct spam runs. This can have a negative effect on your network if it gets blocked by spam filters.

Watch for a Secondary Attack

In some cases, the BGP hijack might not be the attacker’s final objective. The goal might be to steal credentials or divert your users to sources that could potentially exploit their systems.

During the incident response phase, it’s important to be aware of this possibility and try to gather as much material as possible that could help you analyze these attacks. Valuable data sources include passive DNS, Secure Sockets Layer (SSL) certificate history and full packet captures.

How to Detect a BGP Hijack

One of the problems with BGP attacks is that they do not always last very long, so by the time you know an attack is taking place, the situation can already be restored to normal. This stresses the importance of implementing monitoring tools and establishing an efficient alerting workflow.

Start by monitoring the BGP routes that relate to your AS. You can set up your own monitoring solutions, but you can just as well rely on publicly available sources, such as BGPMon and Oracle Dyn, to do the heavy lifting for you.

Build an Incident Response Plan

Proper reaction to a BGP hijack starts with an incident response plan. Unfortunately, this isn’t the type of incident for which you can set up a simple fallback solution or defensive security control. Nor is it one that you can easily detect.

That’s because BGP attacks take place outside the network of an organization. A well-conducted BGP hijack can intervene with traffic without your users ever noticing something was wrong. You might be able to convince your ISP to remove the false route or request it to convince its peers to drop these announcements.

For BGP hijack attacks, the containment, eradication and recovery phases of an incident response plan glue together. Because the route announcements will spread very quickly, containment might be a real challenge.

If you can’t free up the resources to develop a dedicated incident response plan, then you can reuse parts of your plan for combating DDoS attacks.

Be Prepared

Most organizations do not have their own ASN and must rely on the measures of their upstream internet service provider (ISP). But there are ways to prepare:

  • Understand which network providers your organization uses. Does it rely on one single network provider or multiple? An AS relation model can give you insight on this.
  • Once you have listed your network providers, reach out and ask them what precautions or response plans they have with regard to BGP security. You could start by asking for a high-level overview of the peering policy and what agreements toward protection they have in place.
  • Build good working communication channels with your network providers. Next to the normal abuse contact, these should also include escalation paths.
  • Establish out-of-band communication channels via another network provider. Use these channels to inform your customers in case of an attack. Possible options would be social media or a communication page hosted at a cloud provider (take into account phishing).

If you own an ASN, there are some additional measures to take:

  • Write down your peering policy and make sure everyone understands the BGP interconnection policy.
  • Implement the BGP-peering BCPs.
  • Review and implement the best practices from Mutually Agreed Norms for Routing Security (MANRS).
  • Specify an AS path. Be aware that this can quickly backfire since the intent of the system is to find the best path automatically. Introducing manual paths will weaken the system.
  • Limit the amount of prefixes that can be received to prevent being flooded with announcements.
  • Implement route filtering.
  • Filter bogons, the IP prefixes that should not be allowed on the internet.
  • Use a form of authentication before accepting announcements.
  • Implement BGP time to live (TTL) checks, rejecting updates from routers located further away from you.

If you want to exercise your plan, you can, for example, make use of a virtual machine (VM) with the option to load +500k BGP routes.

Consider Automated Response Tools

A key element in fighting BGP hijacking is accurate and fast detection that enables flexible and equally fast mitigation of these events. This is where the Automatic and Real-Time dEtection and MItigation System (ARTEMIS) can provide future help.

ARTEMIS, presented in a research paper by the Center for Applied Internet Data Analysis (CAIDA), is a self-operated and unified detection and mitigation approach based on control-plane monitoring. Although still in development, the project shows potential to help network providers address these attacks.

The last phase in incident response — learning lessons — calls for collecting the necessary information to update and improve your plan, especially for the preparation and detection phases. Review whether all the communication channels worked as expected, the escalation paths gave the expected results and you were able to detect the attack in time. The best response plan is prevention.

The post Why You Need a BGP Hijack Response Plan appeared first on Security Intelligence.

Latest Malware Strains Target Cloudera Hadoop for Bitcoin Mining and DDoS Attacks


Security researchers discovered that several new malware strains are targeting known Cloudera Hadoop vulnerabilities.

The malware variants, including XBash and DemonBot, target Hadoop clusters that are connected to the internet and do not use Kerberos authentication, according to Cloudera. This can lead to certain exploits such as bitcoin mining and distributed denial-of-service (DDoS) attacks, which can create significant negative performance impacts within client environments.

These vulnerability attacks can occur when your Cloudera Hadoop system is not properly configured and secured. For example, when Kerberos is not enabled clusterwide, your Hadoop clusters become yet another possible attack vector.

The good news is that the attack techniques in question are not sophisticated and utilize known exploits, meaning organizations can protect themselves by taking the right precautions.

Protect Yourself With Strong Kerberos Authentication

Countering such attacks requires the use of strong Kerberos authentication to identify the right access for privileged users. Without proper Kerberos authentication, any user can connect to Hadoop clusters, access the system and make bad choices.

To follow best practices, implement additional authentication steps to secure your Cloudera Hadoop clusters, including the following:

  • Secure default accounts and passwords.
  • Utilize Lightweight Directory Access Protocol (LDAP) authentication for Cloudera Manager.
  • Enable Sentry service using Kerberos.
  • Use a secure protocol such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS).
  • Secure default ports.

How do you know whether or not your environment is at risk to begin with? That’s where vulnerability scans come into play.

How to Identify if Your Cloudera Hadoop Clusters Are Affected

Vulnerability assessment solutions for Cloudera Hadoop can provide critical insight into your environment to help mitigate potential attacks. Advanced tools offer security checks and hardening rules to help customers secure their Hadoop clusters, provide rules to help identify Hadoop-specific vulnerabilities, and list detailed recommendations to fix and resolve the vulnerabilities.

To use vulnerability assessment tests to check whether a Cloudera authentication parameter is appropriately set to Kerberos — which is strongly recommended by Cloudera — an organization should take the following steps:

  1. Leverage a vulnerability assessment solution to run the following test: “Authentication method set to Kerberos.”
  2. If a cluster is properly configured, it will pass the test. Multiple systems can be connected to check for this test and get visibility into configuration statuses in minutes.
  3. After running the tests, organizations should attend to the clusters that did not pass. Note that such vulnerabilities can only be addressed with proper configuration, not by simply applying the latest security patches.
  4. Once the configurations have been updated and all nodes authenticate using Kerberos, the problem will be resolved.

As these recent attacks illustrate, vulnerability assessment is a critical piece of any comprehensive data protection program. Last year alone, more than 2 billion records were exposed due to misconfigurations — a number that could have been drastically reduced if teams had been leveraging vulnerability scanning tools.

Source: Cloudera

The post Latest Malware Strains Target Cloudera Hadoop for Bitcoin Mining and DDoS Attacks appeared first on Security Intelligence.

5 More Retail Cybersecurity Practices to Keep Your Data Safe Beyond the Holidays

This is the second article in a two-part series about retail cybersecurity during the holidays. Read part one for the full list of recommendations.

The holiday shopping season offers myriad opportunities for threat actors to exploit human nature and piggyback on the rush to buy and sell products in massive quantities online. Our previous post covered some network security basics for retailers. Let’s take a closer look at how retailers can properly configure and monitor their networks to help mitigate cyberattacks and provide customers with a safe shopping experience during the holiday season.

1. Take a Baseline Measurement of Your Network Traffic

Baselining is the process of measuring normal amounts of traffic over a period of days or even weeks to discern any suspicious traffic peaks or patterns that could reveal an evolving attack.

Network traffic measurements should be taken during regular business hours as well as after hours to cover the organization’s varying activity phases. As long as the initial baseline is taken during a period when traffic is normal, the data can be considered reliable. An intrusion detection system (IDS) or intrusion prevention system (IPS) can then assist with detecting abnormal traffic volumes — for example, when an intruder is exfiltrating large amounts of data when offices are closed.

Below are some factors to consider when performing a baseline measurement that could be helpful in detecting anomalies:

  • Baseline traffic on a regular basis.
  • Look for atypical traffic during both regular and irregular times (e.g., after hours).
  • Set alarms on an IDS/IPS for high and low thresholds to automate this process. Writing signatures specific to your company’s needs is a key element to an IDS/IPS working effectively and should be carried out by trained security specialists to avoid false alarms.
  • Investigate any discrepancies upon initial discovery and adjust thresholds accordingly.
  • Consider using an endpoint detection and response (EDR) solution to help security teams better identify threats, and to allow operations teams to remediate endpoints quickly and at scale.

Listen to the podcast: Examining the State of Retail Security

2. Run a Penetration Test Before It’s Too Late

A key preventative measure for retailers with a more mature security posture is running a penetration test. Simply put, the organization’s security team can allow a white hat hacker, or penetration tester, to manually try to compromise assets using the same tactics, techniques and procedures (TTPs) as criminal attackers. This is done to ascertain whether protections applied by the organization are indeed working as planned and to find any unknown vulnerabilities that could enable a criminal to compromise a high-value asset.

Manual testing should be performed in addition to automated scanning. Whereas automated tools can find known vulnerabilities, manual testing finds the unknown vulnerabilities that tools alone cannot find. Manual testing also targets the systems, pieces of information and vulnerabilities most appealing to an attacker, and specifically focuses on attempting to exploit not just technical vulnerabilities within a system, but business logic errors and other functionality that, when used improperly, can grant unintended access and/or expose sensitive data.

The key to a penetration test is to begin by assessing vulnerabilities and addressing as many of them as possible prior to the test. Then, after controls are in place, decide on the type of test to carry out. Will it be a black box test, where the testers receive no information about the target’s code and schematics? Or will it be a white box test, where organizations fully disclose information about the target to give the tester full knowledge of how the system or application is intended to work? Will it be in a very specific scope and only include customer-facing applications?

It can be helpful to scope a penetration test by taking the following three steps prior to launching the testing period:

  1. Establish goals for the testing. Since penetration testing is intended to simulate a real-world attack, consider scenarios that are relevant to your organization. Giving thought to what type of data is at risk or what type of attacker you’re trying to simulate will allow the testers to more closely approximate threats relevant to your organization.
  2. Draft a thorough contract to state the expectations and scope of the project. For example, if there are specific areas a penetration tester should not access based on criticality or sensitivity, such as production servers or credit card data, outline these points in the contract. Also, define whether the penetration testers should attempt to compromise both physical access and remote access to compromise networks, or if just one is preferred. Consider if you wish to have social engineering included within the test as well.
  3. Have the vendor and its employees sign nondisclosure agreements (NDAs) to keep their findings confidential and ensure their exclusive use by the organization.

Penetration testers from reputable companies are thoroughly vetted before being allowed to conduct these tests. The retail industry can benefit from this type of testing because it mimics the actions of a threat actor and can reveal specific weaknesses about an organization. It can even uncover deficiencies in staff training and operational procedures if social engineering is included within the scope of the testing.

3. Check Your Log Files for Anomalies

Log data collected by different systems throughout an organization is critical in investigating and responding to attacks. Bad actors know this and, if they manage to breach an organization and gain elevated privileges, will work to cover up their tracks by tampering with logs.

According to IBM X-Force Incident Response and Intelligence Services (IRIS) research, one of the most common tactics malicious actors employ is post-intrusion log manipulation. In looking to keep their actions concealed, attackers will attempt to manipulate or delete entries, or inject fake entries, from log files. Compromising the integrity of security logs can delay defenders’ efforts to find out about malicious activity. Additional controls and log monitoring can help security teams avoid this situation.

Below are some helpful tips and examples of security logs that must be checked to determine whether anything is out of the ordinary.

  • Are your logs being tampered with? Look for altered timestamps, missing entries, additional or duplicate entries, and anomalous login attempts.
  • Transfer old log files to a restricted zone on your network. This can help preserve the data and create space for logs being generated overnight.
  • Use a security information and event management (SIEM) tool to assist with analyzing logs and identifying anomalies reported by your organization’s security controls.
  • To include as many sources of information as possible, plug in endpoint, server, network, transaction and security logs for analysis by a SIEM system. Look for red flags such as multiple failed logins, denied access to sensitive areas, ping sweeps, etc.

Knowing which logs to investigate is also critical to successful log analysis. For example, point-of-sale (POS) systems are often installed on Microsoft Windows or Linux systems. It is therefore critical to review operating system logs for these particular endpoints. When it comes to POS networks, where many of the devices are decentralized, daily usage, security and application logs are good places to look for anomalies.

For network security, use logs from network appliances to determine failed or excessive login attempts, increases or decreases in traffic flow, and unauthorized access by users with inadequate privilege levels.

4. Balance Your Network and Website Traffic

According to the National Retail Federation, online sales from November and December 2017 generated more than $138.4 billion, topping 2016 sales by 11.5 percent. This year is likely going to set its own record. With internet traffic volumes expected to be at their highest, online retailers that are unprepared could see the loss of sales and damaged reputation in the aftermath of the holiday season.

But preparing for extra shoppers is the least of retailers’ worries; attackers may take advantage of the festive time of year to extort money by launching distributed denial-of-service (DDoS) attacks against retail websites. These attacks work by flooding a website or network with more traffic than it can handle, causing it to cease accepting requests and stop responding.

To stay ahead of such attacks, online retailers can opt to use designated controls such as load balancers. Load balancers are an integral part of preventing DDoS attacks, which can affect POS systems storewide. With a well-coordinated DDoS attack, a malicious actor could shut down large parts of their target’s networks.

One best practice is to prepare before traffic peaks. Below are some additional tips for a more balanced holiday season.

  • Preventing a DDoS attack can be an imposing undertaking, but with a load balancing device, most of this work can be automated.
  • Load balancers can be either hardware devices or virtual balancers that work to distribute traffic as efficiently as possible and route it to the server or node that can best serve the customer at that given moment. In cases of high traffic, it may take several load balancers to do the work, so evaluate and balance accordingly.
  • Load balancers can be programmed to direct traffic to servers dedicated to customer-facing traffic. Using them can also enable you to move traffic to the proper location instead of inadvertently allowing access to forbidden areas.

Load balancers are typically employed by larger companies with a prominent web footprint. However, smaller companies should still consider employing them because they serve a multitude of purposes. Keeping the load on your servers balanced can help network and website activity run smoothly year-round and prevent DDoS attacks from doing serious damage to your organization’s operations or web presence.

5. Plan and Practice Your Incident Response Strategy

An incident response (IR) plan is essential to identifying and recovering from a security incident. Security incidents should be investigated until they have been classified as true or false positives. The more timely and coordinated an organization’s response is to an incident, the faster it can limit and manage the impact. A solid IR plan can help contain an incident rapidly and result in better protection of customer data, reduction of breach costs and preservation of the organization’s reputation.

If your enterprise does not have an IR plan, now is the time to create one. In the event that your enterprise already has a plan, take the time to get key stakeholders together to review it and ensure it is up-to-date. Most importantly, test and drill the plan and document its effectiveness so you’re prepared for the attack scenarios most relevant to your organization.

When evaluating an IR plan, consider the following tips to help accelerate your organization’s response time:

  • Threat actors who compromise retail cybersecurity will typically turn stolen data around quickly for a profit on the dark web. Use dark web search tools to look for customer data that may have been compromised. Sometimes, data can be identified by the vendor that lost it, leading to the detection of an ongoing attack.
  • Before an attack occurs, establish a dedicated IR team with members from different departments in the organization.
  • Make sure each team member knows his or her precise role in the case of an incident.
  • Keep escalation charts and runbooks readily available to responders, and make sure copies are available offline and duplicated in different physical locations.
  • Test your IR strategy under pressure in an immersive cyberattack simulation to find out where the team is strong and what may still need some fine-tuning.

Make Retail Cybersecurity a Year-Round Priority

Increased vigilance is important for retailers during the holiday season, but these network security basics and practices can, and should, be maintained throughout the year. Remember, attackers don’t just wait until the holiday season to strike. With year-round preparation, security teams can mitigate the majority of threats that come their way.

Read the latest IBM X-Force Research

The post 5 More Retail Cybersecurity Practices to Keep Your Data Safe Beyond the Holidays appeared first on Security Intelligence.

Easy Does It! A Timely Look Into Fraud TTPs in the Brazilian Financial Cybercrime Landscape

Financial cybercrime in Brazil is known as one of the most geospecific panoramas, where local cybercriminals attack local internet users. With close to 210 million residents in the country, criminals are in lavish turf. Some reports cite losses of nearly 70 billion Brazilian reals — which equates to about $18.6 billion — to fraud and online scams in 2017.

In following the evolution of cyber activity in Brazil, IBM Security sees this threat landscape as unique, where technical sophistication is neither the norm nor a requirement. In this first article of a two-part series, we expose some of our recent research on the typical malware and tactics, techniques and procedures (TTPs) used against Brazilian online banking users.

In contrast to rising sophistication in other parts of the globe, one of the most poignant characteristics of cybercrime in Brazil is its simplicity. Attackers will often use their familiarity with how local users browse the internet to take advantage of them and steal their money.

Internet Access Spreads Far and Wide in Brazil, But User Education Is Still Scarce

The majority of global internet users are located in East and South Asia, and China is the largest online market in the world. Fourth on the global chart, Brazil is the largest internet market in Latin America, with nearly 140 million internet users as of 2016, according to Statista.

Internet access has grown rapidly in Brazil in the past decade, with nearly 77 percent of residents accessing the internet from home in some of the more populated regions of the country.

Brazil malware landscape

Figure 1: A regional estimate of the percentage of homes with internet access in Brazil (Source: The Brazilian Institute of Geography and Statistics)

However, while more Brazilians than ever before have access to internet-enabled services, many users are still not well-versed in using them safely. Regardless of the browser or search engine, it’s not unusual for internet users to look up something they want to access and click the first result without thinking twice about it. When it comes to online banking, for example, some may not take the time to type their bank’s URL into the address bar and favor searching for it, then browsing to the top result they get back. Fraudsters rely on this behavior and serve up poisoned links as the top results on a search engine to trap those who are unaware of the risks.

When the Going Gets Tough…Become a Cybercriminal?

The drivers of crime in Brazil stem from socio-economic difficulty. In addition, laws are either nonexistent or not strict enough to deter people from becoming online thieves.

The minimum wage in Brazil stands at 969 reals (around $258) per month, as reported by The Rio Times. Brazilian Institute of Geography and Statistics (IBGE) data from 2017 shows that “more than 50 million Brazilians, nearly 25 percent of the population, live below the poverty line, and have family incomes of R$387.07 per month.”

Many Brazilians have never had it easy when it comes to their socio-economic situations. Since necessity is the mother of invention, that reality is also what makes Brazilians quite creative in problem solving. In many cases, the main problem for everyday people in Brazil is the lack of financial resources to sustain themselves and their families. That’s where creative thinking comes into play — sometimes in good ways and, unfortunately, sometimes in the shape of financial cybercrime.

Remote Overlay Malware Is the Way to Go

Financial threats targeting online banking users in Brazil are a rather monotonous bunch. Most code is based on overlay malware and written in the Delphi programming language — code that is neither elaborate nor modular. Why spend a chunk of money buying or building state-of-the-art malware, wrapping it up in end-to-end encryption and enabling it to gain rootkit privileges on devices, when you only need simple malware to trick users into unwittingly giving up their credentials?

With evolving controls that curb attackers’ ability to use phished credentials, using malware is the preferred method in Brazil, offering a better return on investment for less effort. But how are everyday fraudsters operating the malware supply chain without much technical savvy? That’s where creative thinking and being local come into play. It is also why so many fraudsters in Brazil use very similar malware codes that do mostly the same things — namely, remote overlay.

As its name suggests, remote overlay involves remotely plastering fake images and application interfaces on users’ screens to limit their access to an authenticated online banking session and trick them into divulging additional information. This type of malware is by far the most common used in Brazil nowadays, and threat actors have little reason to change it.

Brazilian Fraudsters Don’t Complicate Things When Easy Does It

Using malware is one thing, but first, it has to reach unsuspecting users. Without technical know-how, most Brazilian fraudsters do not operate exploit kits, which can be costly and often require technical support from cybercrime vendors. Recent attacks that our team analyzed show that most attackers prefer victims to come to them by putting a consumer spin on the watering hole attack tactic.

In Brazil, residents can download their monthly invoices and tax bills from the corresponding vendor’s website or government site. It is common practice for people to log in to an online utility account, for example, and download their bill. By setting up a malicious replica of such a site, criminals can attract a large number of users to that page and trick them into downloading a fake bill, thereby having them willingly fetch a Trojanized file and unknowingly launch the malware infection on their devices.

But without using an exploit kit or relying on high-traffic sites, how will that malicious infection zone become known to potential victims? Knowing that many people in Brazil are in the habit of searching for websites via search engines rather than typing their exact URL into the address bar, the obvious choice is to pay for a sponsored advertisement to have the malicious page top the search results. To keep their own identities out of sight, cybercriminals pay for sponsored ads with stolen credit card information, saving themselves both money and risk.

Posting malicious ads on popular search engines is no stroke of genius, but a surefire way to get those ads discovered by security controls and promptly taken down. Fraudsters using this tactic therefore rely on short, aggressive bouts of luring people to their phishing pages. Since they do not pay for the ads and can spin up a malicious page very quickly, they can still get enough clicks to make each attack worthwhile.

To further protect their malicious site for a long enough period to trap as many users as possible, fraudsters often use stolen payment cards to pay for legitimate services that optimize their site’s performance and mitigate the risk of a distributed denial-of-service (DDoS) attack.

Phising site in Brazil uses DDoS protection

Figure 2: Phishing site data on Virus Total

Malicious website public data

Figure 3: Phishing site uses DDoS protection

IBM X-Force noted that recent campaigns that spread malware using sponsored URLs were carefully targeted by focusing on a specific region on specific days. For example, these campaigns often impersonate a state’s power company around the due date of that month’s bill, exploiting the timely context for visitors trying to pay their invoice to infect victims with remote overlay Trojans.

As users attempt to download their invoices, they are actually accessing a ZIP file containing a shortcut file (.LNK) used by Microsoft Windows to point to an executable file. That file will then download additional malware components to infect the user’s device. Victims would only see a file that opens to nothing and may attempt to download the file again, which our researchers witnessed in many cases.

Need Help With Your Attack Campaign?

When it comes to financial cybercrime, technical sophistication, while not entirely absent, is not very common in the Brazilian threat landscape. In many cases, cybercriminals in the region are newcomers to the trade and need help to become familiar with the works of online fraud.

To fill in the gaps, these newcomers receive assistance from other criminals in the shape of tutorials, lessons, tools and wares to help them along — a marketplace that’s comparable to other dark web and underground forums across the globe.

In the images below, we can see that selling information and tools is a dynamic business in Brazil. Each of the following screen captures shows commodities offered to fraudsters, including compromised data, web resources and platforms to launch attacks, blackhat lead generation help, and cash-out services. The same types of vendors also offer malware for sale.

Brazil fraudster underground Brazilian fraudster service Brazilian fraud services Brazil fraud services

Figure 4: Cybercriminals often offer services and commodities to help other criminals along.

Dark web marketplaces spread knowledge and train more criminals on fraud tactics. Localized cybercrime ecosystems are more targeted, which boosts their efficiency and adverse effects.

A Word to the Wise: Top Tips for Safer Web Browsing

While it is easy for Brazilian users to get infected with malware, infections cannot occur without user interaction. This is in contrast to other parts of the world, where people can often get infected simply by visiting a compromised page through a drive-by download from an exploit kit, for example.

Below are some consumer tips for safer browsing, adapted to the popular infection scenarios in Brazil:

  • Don’t search for the homepage of important accounts. Poisoned search engine results can easily lead users to a malicious page. For important accounts, especially those involving payments, type the URL into the address bar or save the genuine website in the browser’s favorites list and access it from there.
  • Double-check the site before downloading files. Before clicking to download an invoice, double-check the domain and its credentials — a malicious site might be written with a spelling mistake or use a different top-level domain (TLD).
  • Make sure the site is secure. Since the update to Hypertext Transfer Protocol Secure (HTTPS), all websites feature encryption. Look for a lock icon in the address bar and click it to see that you are in the right place. Most popular web browsers will alert users to a site that is not secured, or worse, dangerous to visit. If that’s the case, close the page and contact the service provider directly to pay a bill.
  • Get genuine security software for your devices. Even though regular antivirus software can take longer to detect new banking malware, it can offer some protection against known threats, which are what hits users most often. Use and update an antivirus program on your home and mobile devices.
  • Keep your operating system (OS) and all applications up to date. Cybercriminals can take advantage of bugs and flaws in unpatched systems to compromise or infect them with malware. Apply patches and updates as soon as they become available to limit vulnerability.
  • Stay away from counterfeit software. All major software vendors have one, if not many, application security teams. Anyone offering up counterfeit software goes to great lengths to bypass the original vendor’s controls and, as a result, counterfeit applications are often weaker and open up backdoors to devices. Stay away from counterfeit applications and favor open source or freeware programs if you cannot afford to buy original software.
  • Last, but not least: education. One of the most important ways to help prevent malware infections and online banking fraud is user education. While security controls can help mitigate risks, they can’t replace user vigilance. Organizations and service providers alike should offer information that can help users become more aware of attack tactics and the risks associated with them.

Malware is prolific, but with the right risk management solution, you can prevent fraud while establishing digital identity trust throughout your customer’s online journey.

The post Easy Does It! A Timely Look Into Fraud TTPs in the Brazilian Financial Cybercrime Landscape appeared first on Security Intelligence.

DemonBot Targeting Hadoop Clusters to Perform DDoS Attacks

A new bot called DemonBot is targeting Hadoop clusters to execute distributed denial-of-service (DDoS) attacks.

The Radware Threat Research Center recently observed a threat actor exploiting a Hadoop Yet Another Resource Negotiator (YARN) unauthenticated remote command execution. This method of attack enables the malicious agent to infect clusters of Hadoop, an open source distributed processing framework that helps big data apps run in clustered systems, with DemonBot. Upon successful infection, the threat connects to its command-and-control (C&C) server and transmits information about the infected device.

Why Cloud Infrastructure Servers Are Juicy Targets

The threat’s goal is to leverage infected cloud infrastructure servers to conduct DDoS attacks. At this juncture, it is not exhibiting worm-like behavior akin to Mirai. Instead, it relies on 70 exploit servers for distribution, infrastructure that helps it perform 1 million exploits every day.

That being said, Radware found DemonBot to be binary-compatible with most Internet of Things (IoT) devices, which means the threat could spread to other types of products.

DemonBot isn’t the first bot to target cloud infrastructure servers like Hadoop clusters. In early October, a security researcher reported on Twitter that handlers of the Sora IoT botnet attempted to exploit the same YARN abused by DemonBot.

Radware attributed the growing interest in Hadoop to the fact that cloud infrastructure servers allow bad actors to stage larger and more stable DDoS attacks using multiple vectors, such as User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) floods.

How to Defend Against DemonBot

Security professionals can help protect their organizations against DemonBot by conducting a proper risk assessment on their cloud deployment. From there, they should enlist the help of penetration testers to map the vulnerabilities affecting their deployment.

Security teams should also look to invest in mitigation tools and services that specialize in defending against a DDoS attack.

Sources: Radware, Ankit Anubhav

The post DemonBot Targeting Hadoop Clusters to Perform DDoS Attacks appeared first on Security Intelligence.