'DDoS attacks' in Cyber Security | Scoop.it

Cyber Security filtered by DDoS attacks.

Curated by David Thomas

Scooped by David Thomas

December 30, 2016 11:40 PM

January 30, 2017 10:25 PM

SOURCE: Information Security Newspaper http://www.securitynewspaper.com/2017/01/31/emsisoft-website-hitddos-attack-company-releases-ransomware-decrypter/ TAGS: DDoS attacks, ransomware

In the past week, two security firms, Dr.Web and Emsisoft, suffered DDoS attacks at the hands of cyber-criminals who attempted to bring down their websites as payback for meddling with their illegal activities.

The first attack hit Russian security firm Dr.Web, which revealed over the weekend that a DDoS attack hit its Russian and Ukrainian domains (drweb.ru and drweb.ua). According to the company, the attack arrived at a rate of between 200,000 and 500,000 packets per second, and it lasted for over two days until its engineers managed to bring it under control and restore full service to its servers. The DDoS attack hit the company on January 25, a day after the security firm published research exposing a botnet of thousands of infected Linux devices, which crooks were using to relay malicious traffic and hide their IPs.

DDoS attacks hit Emsisoft over the weekend

Three days later, on Saturday, January 28, Emsisoft suffered a similar fate, when a DDoS attack hit a specific section of the company's portal, the place where Emsisoft hosts ransomware decrypters. Speaking to Bleeping Computer, Emsisoft's CTO Fabian Wosar said the attack clocked in at around 80 Gbps, and its defenses held up just fine, with no downtime to its website. "They didn't manage to take the site down," Wosar said. "According to our provider it was a smaller attack of about 80 GBit. It was [...] kinda slow."

MRCR ransomware author behind the attack

"The last [DDoS attack] was almost definitely related to MRCR because it coincided with the malware author showing up in our forums," Wosar also added. MRCR is an alternative name for the Merry Christmas (or Merry X-Mas) ransomware that popped up at the start of the year, and for which Emsisoft released a decrypter.

On Saturday, the company released an update for the MRCR decrypter, targeting the ransomware's latest version. Moments later, the DDoS attack hit. "The attack itself started on Saturday around 10:00 AM CET, hitting the decrypter site, our email infrastructure, and our self-help portal," said Wosar. "It went on for about 8 hours."

Wosar's suspicion that the MRCR author was behind the DDoS attack was confirmed a few hours later, when a person using the name COMODO Security signed up on the Emsisoft forum and made preposterous accusations that using Emsisoft decrypters will install ransomware or damage users' computers. In his message, this person used one of the email addresses at which the MRCR ransomware demanded users get in contact to discuss ransom payment details.

According to Wosar, this wasn't the first time the company's decrypter hosting portal was hit by a DDoS attack. "We had a bigger one just a couple of weeks ago of 640 GBps," he said. "Multiple [attacks] actually." The Emsisoft researcher never discovered who was behind those attacks, but he notes that at the time he had released three ransomware decrypters in a very short period. More precisely, one of the attacks hit on December 2, shortly after Emsisoft released a free decrypter for the NMoreira ransomware.

Cyber-security professionals targeted in the past

This is not the first time antivirus companies have been hit by DDoS attacks, according to Andy Shoemaker, founder and CEO of NimbusDDoS, a vendor of DDoS simulation and testing services. Just like Dr.Web and Emsisoft, Kaspersky Lab, too, was hit by DDoS attacks in the past after exposing malware campaigns, Shoemaker told Bleeping Computer. Another case is well-known infosec journalist Brian Krebs, who was the target of several mammoth DDoS attacks in the fall of 2016, after exposing a DDoS-for-hire service called vDos.

Source: https://www.bleepingcomputer.com/ Information Security Newspaper http://www.securitynewspaper.com/2017/01/31/emsisoft-website-hitddos-attack-company-releases-ransomware-decrypter/


Scooped by David Thomas

SOURCE: Information Security Newspaper http://www.securitynewspaper.com/2016/12/31/another-misguidedteen-arrested-ddosing-high-school-network/ TAGS: DDoS attacks

Police in Shelton, Connecticut have arrested a teenager for launching DDoS attacks on his or her former high school's network. According to a Shelton Police press release, the as yet unnamed teenager was arrested on Thursday and was set to appear in court today.

Police say the teenager, a former student of Shelton High School, launched DDoS attacks against the school network between November and December 2015 and between March and April 2016. Per Shelton Police Detective Richard Bango, the teenager allegedly used a mobile phone application to launch and control the DDoS attacks. This is nothing out of the ordinary, because most DDoS booter services today also provide standalone Android or iOS apps that allow buyers to launch DDoS attacks while away from their computer.

The DDoS attacks launched by the teen caused the school's network to crash. Police have now charged the former student with computer crimes in the 3rd degree, which is a felony in Connecticut. Shelton High School was able to recover following the DDoS attacks, and has since upgraded its network infrastructure to deal with similar attacks.

During the past year, several teenagers have been arrested and charged with crimes relating to DDoS attacks on their schools. The most recent case was an 18-year-old student from Pennsylvania who attacked her high school using a similar mobile app for the BetaBooter DDoS-for-hire service.

Source: https://www.bleepingcomputer.com Information Security Newspaper http://www.securitynewspaper.com/2016/12/31/another-misguidedteen-arrested-ddosing-high-school-network/


Scooped by David Thomas

November 19, 2016 11:49 AM

SOURCE: Information Security Newspaper http://www.securitynewspaper.com/2016/11/19/mirai-botnet-hackssecurity-camera-seconds/ TAGS: DDoS attacks, security camera

The well-known security expert Robert Graham, CEO of Errata Security, has shown how the Mirai botnet can compromise a security camera in a matter of seconds.

The recent string of attacks powered by the Mirai botnet has demonstrated to the security industry the potential effects of DDoS attacks on the global Internet backbone. Experts who investigated the threat confirmed that the Mirai botnet is composed of hundreds of thousands of compromised IoT devices, such as CCTV cameras and DVRs.

This week, Graham explained how the Mirai botnet could hack a security camera. He used a $55 JideTech security camera placed behind a Raspberry Pi router that he configured to isolate the surveillance device from his home network.

"I'm setting up a little test network for IoT devices, one isolated a bit from my home network. This is a perfect job for a computer like the Raspberry Pi (or similar computers, such as the Odroid-C2, which is what I'm actually using here)," wrote Graham in a blog post.

Graham published a series of Twitter posts documenting his experiment, in which he confirmed that his camera was compromised by the Mirai botnet in just 98 seconds. "Actually, it took 98 seconds for first infection," wrote the expert.

The IoT malware runs a brute-force password attack over Telnet, using a list of 61 default credentials to gain access to the target device. Once the Mirai component gains access to the target IoT device, it connects out to download the full malware payload and runs it. The bot then starts sending out SYN packets at a high rate, looking for other potential victims.

Once again, let me highlight the importance of properly configuring IoT devices, for example by changing default passwords and disabling unnecessary services.

Source: http://securityaffairs.co/ Information Security Newspaper http://www.securitynewspaper.com/2016/11/19/mirai-botnet-hackssecurity-camera-seconds/
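The 98-second infection above is the victim's view of Mirai's Telnet scanner: one source walks through a short list of factory credentials until one works. The detector below, added here as an example and not code from the article or from Graham's experiment, flags that pattern in a device's login log. The log line format, the `telnetd` process name and the sample lines are constructed for this example; the credential pairs are a handful of the well-known defaults from Mirai's list, not the full list. Adapt the regex to whatever your device or honeypot actually logs.

```python
"""Flag Mirai-style Telnet credential spraying in login logs.

Added example, not from the article or from Robert Graham's experiment.
The log format is hypothetical (a telnet daemon / honeypot line invented for
this example); the regex is the only thing that needs adapting to real logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# A few of the factory credentials Mirai's scanner tries. The leaked source
# carries roughly sixty pairs; these are enough to make the sample meaningful.
MIRAI_DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "default"),
    ("root", "juantech"), ("root", "123456"), ("root", "54321"),
    ("support", "support"), ("root", ""), ("admin", "password"),
}

# Constructed format: "<ISO ts> telnetd[<pid>]: login <failed|ok> user='..' pass='..' from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) telnetd\[\d+\]: "
    r"login (?P<result>failed|ok) user='(?P<user>[^']*)' pass='(?P<pw>[^']*)' "
    r"from (?P<src>[\d.]+)$"
)


def parse(line):
    """One log line -> event dict, or None if the line is not a login record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
        "ok": m["result"] == "ok",
        "cred": (m["user"], m["pw"]),
        "src": m["src"],
    }


def detect_spray(lines, window=timedelta(seconds=60), min_attempts=5):
    """Return {src_ip: info} for sources that tried at least `min_attempts`
    distinct credential pairs inside `window`. `info` records how many of
    those were known Mirai defaults and whether any login from that source
    ever succeeded, i.e. whether the device should be treated as a bot."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev:
            by_src[ev["src"]].append(ev)

    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):          # sliding window over attempts
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["cred"] for e in evs[start:end + 1]}
            if len(distinct) >= min_attempts:
                hits[src] = {
                    "attempts": len(distinct),
                    "mirai_defaults": len(distinct & MIRAI_DEFAULT_CREDS),
                    "compromised": any(e["ok"] for e in evs),
                }
                break
    return hits


# Constructed sample: one Mirai-style spray that succeeds on the sixth try,
# and one admin who fat-fingers a password once. Not a real capture.
SAMPLE_LOG = """\
2016-11-18T10:00:01 telnetd[311]: login failed user='root' pass='xc3511' from 198.51.100.7
2016-11-18T10:00:02 telnetd[311]: login failed user='root' pass='vizxv' from 198.51.100.7
2016-11-18T10:00:03 telnetd[311]: login failed user='root' pass='admin' from 198.51.100.7
2016-11-18T10:00:04 telnetd[311]: login failed user='admin' pass='admin' from 198.51.100.7
2016-11-18T10:00:05 telnetd[311]: login failed user='root' pass='888888' from 198.51.100.7
2016-11-18T10:00:06 telnetd[311]: login ok user='root' pass='default' from 198.51.100.7
2016-11-18T10:05:00 telnetd[311]: login failed user='admin' pass='hunter2' from 192.0.2.10
2016-11-18T10:07:00 telnetd[311]: login ok user='admin' pass='hunter3' from 192.0.2.10
""".splitlines()

if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG).items():
        print(src, info)
```

The threshold of five distinct pairs in a minute is deliberately low: a human mistyping a password retries the same account a few times, while Mirai cycles through different user/password pairs at one per second. The `compromised` flag is the part worth alerting on, since a success after a spray means the device now needs the reboot-and-change-password treatment rather than just a firewall rule.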


Scooped by David Thomas

December 16, 2016 10:46 PM

SOURCE: Information Security Newspaper http://www.securitynewspaper.com/2016/12/17/security-firms-almostbrought-massive-mirai-botnet/ TAGS: DDoS attacks, malware

Following a failed takedown attempt, changes made to the Mirai malware variant responsible for building one of today's biggest botnets of IoT devices will make it considerably harder for authorities and security firms to shut it down.

Last week, security researchers from Qihoo 360's NetLab discovered a variant of the Mirai IoT malware that used a DGA (Domain Generation Algorithm) as a backup communications system to its command and control (C&C) servers. Typically, all Mirai variants used a list of domains hardcoded in the malware's source code to tell infected devices where to report, so the attacker can keep track of active infections and send commands to launch DDoS attacks. When NetLab researchers, and later researchers from OpenDNS, spotted the DGA, it came as a surprise. DGA systems are highly complex and are usually found in top-shelf malware, such as banking trojans, sophisticated backdoors used for cyber-espionage operations, or top ransomware families such as Locky or CryptoLocker.

DGA-based malware botnets are hard to take down

A DGA is an algorithm that generates seemingly random domain names, which the malware uses to talk to its C&C server. DGAs are configurable, so they can generate new domain names at regular intervals. Only the malware's author knows how the DGA works, and they use it to predict which domains the DGA will generate, buy those domain names in advance, and install the C&C server backend ahead of time, waiting for the infected bots to switch to the new domain. Because the C&C changes at a regular period, it is very hard for law enforcement authorities to shut down these types of botnets. Doing so usually involves buying hundreds or thousands of domains in advance and requires a high level of coordination between law enforcement, security firms, and domain registrars.
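The paragraph above is the whole game in one sentence: a DGA is deterministic, so whoever knows the algorithm and its seed can compute tomorrow's rally domains today, and the race is over who registers them first. The block below, added here as an example, is a deliberately simple date-seeded DGA written for this page; it is not the algorithm NetLab recovered from Botnet #14, nor code from the article or from Mirai. The seed, TLD list, label length and the use of SHA-256 are all this example's own choices. A set of "registered" names stands in for DNS so the whole thing runs offline.

```python
"""Why a cracked DGA lets defenders get ahead of a botnet (and why a wrong
guess at the algorithm wastes every domain bought).

Added example; a hypothetical date-seeded DGA invented for this page, NOT
the Mirai Botnet #14 algorithm that NetLab published.
"""
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org")          # hypothetical choice of TLDs
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def dga(day, seed=b"example-botnet-seed", count=5):
    """Generate `count` rally domains for `day` (a datetime.date).
    Deterministic: every bot, and every analyst holding the seed,
    computes the identical list for the same day."""
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        # 12 lowercase letters from the digest; last byte picks the TLD
        label = "".join(ALPHABET[b % 26] for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def sinkhole_plan(start, days, **kw):
    """What a takedown team pre-registers: {day: [domains]} for `days` days."""
    return {start + timedelta(d): dga(start + timedelta(d), **kw)
            for d in range(days)}


def bot_rally_today(today, registered, **kw):
    """Bot side: walk today's list and use the first name that resolves.
    `registered` stands in for DNS: the set of names somebody actually owns."""
    for d in dga(today, **kw):
        if d in registered:
            return d
    return None


DEMO_START = date(2016, 12, 4)   # the week the article says the DGA was live
DEMO_DAY = date(2016, 12, 6)


def demo():
    """Defender pre-registers a week of domains; a bot on day 3 lands on one
    of them. With a different seed (the algorithm guessed wrong) it lands on
    none, which is the "365 wrong domains" failure mode."""
    plan = sinkhole_plan(DEMO_START, 7)
    owned = {dom for doms in plan.values() for dom in doms}
    return {
        "registered": len(owned),
        "bot_rally": bot_rally_today(DEMO_DAY, owned),
        "wrong_seed_rally": bot_rally_today(DEMO_DAY, owned, seed=b"different-seed"),
    }


if __name__ == "__main__":
    for day, names in sinkhole_plan(DEMO_START, 3).items():
        print(day, names)
    print(demo())
```

Two practical points fall out of running it. First, the cost of a sinkhole scales with `count × days`, which is why real takedowns involve registrars and not just a credit card. Second, `wrong_seed_rally` coming back empty is exactly what happens when researchers reverse the generator but miss a seed change or a variant: the domains bought never see a bot.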
You can see the advantages of running malware with a DGA, even if only as a backup system.

Chinese researchers crack Mirai Botnet #14's DGA

Besides spotting new Mirai variants, NetLab researchers have also broken the malware's DGA. In a blog post from last week, the Chinese security researchers published details about how the DGA worked, and all the domains this Mirai variant was about to use in the upcoming weeks.

[Figure: Mirai DGA domains calculated by NetLab researchers. Source: NetLab]

According to security researcher MalwareTech, this wasn't a random Mirai variant, but the one responsible for building the biggest Mirai botnet known to date, which at one point in late November and early December reached 3.2 million infected bots. Nicknamed Botnet #14, or Annie, this is the same botnet that attempted a huge DDoS attack against several Liberian ISPs and attempted to hijack 900,000 routers from German ISP Deutsche Telekom. A few days later, Mirai Botnet #14 also attempted to hijack 100,000 routers from UK ISPs Post Office and TalkTalk. Adding a DGA to this massive botnet gave researchers the shivers, most of them knowing they would have a monumental task ahead of them if they ever wanted to shut it down.

Botnet #14 removes DGA to everyone's surprise

But to everyone's surprise, in less than a week the DGA feature had been removed, as the same MalwareTech also observed. Bleeping Computer has been in contact with BestBuy, the name of the hacker who manages Botnet #14. BestBuy had previously been renting access to his botnet.

"We don't use it anymore, it does not matter," BestBuy told Bleeping Computer in a private conversation, in regard to NetLab researchers cracking the DGA. "It was used from [December] the 4th until the 10th," he added. "One variant still had it by mistake." Furthermore, BestBuy said researchers might have made an error in their calculations when cracking the DGA. "They practically bought 365 wrong domains," the hacker said.

DGA was used only a week to avoid a takedown attempt

"It was just temporarily," BestBuy also said about the DGA, "it had no authentication method or anything, meaning anyone could take control of those bots." The hacker also shot down any theory that this was just a test. "No, not a test," he said. "Level3 and others were all over us. We just needed to assure control during those days, that's all."

But BestBuy is certainly not new at this. The hacker knows very well that botnets that rely on hardcoded domains are easy pickings. In fact, that is what Level3 and others were trying to exploit. As a result, he created the C&C server backup communications channel. First he used the DGA; now he uses something else.

Botnet #14 switches to Tor

"Smart [security] firms will see the Tor variant kicking in," he said. "It's all good now. We don't need to pay thousands to ISPs and hosting. All we need is one strong server." "Try to shut down .onion 'domains' over Tor," BestBuy boasted, hinting at the difficult task of finding servers hidden on the Tor network, something the FBI has had a hard time tracking for years.

Contacted by Bleeping Computer, Jamz Yaneza, Trend Micro's Threat Research Manager, provided the same insight. "The use (or rather the abuse) of the Onion network is quite common as it provides a measure of anonymity for the bot-herder," Yaneza said. "It also poses significant challenges to anyone trying to identify the real culprit behind DDoS attacks."

This isn't something new. The Trend Micro expert pointed us to a talk at the Defcon 18 security conference, back in 2010, when researchers first detailed the use of Tor for a botnet's communications channel: https://youtu.be/mLJRS5rh0w8

Some users, commenting on an article about Mirai on the KrebsOnSecurity blog, had expected this. "The cyber-criminals will just start using TOR to connect to a command and control server via a proxy, which then take downs will be next to impossible," a user wrote.

On the other side of the spectrum, there are some people who doubt BestBuy's comments, saying that IoT devices don't have the physical resources to run Tor's software package.

No Mirai + Tor variant detected by security firms, as of yet

To be fair, no security firm or individual researcher has reported seeing a Mirai variant that uses Tor as a backup C&C system. Bleeping Computer has reached out to several security firms this week in the hope of confirming BestBuy's comments, but we haven't received an answer to our inquiries.

Nevertheless, the fact that Botnet #14 is still standing serves as a testament to BestBuy's coding skills. A botnet that has launched several high-profile DDoS attacks and router hijacking attempts, and is still standing, surely has one or more tricks up its sleeve. According to BestBuy's as yet unconfirmed claims, one of them is the use of Tor to control the bots when security firms take down his main C&C domains. Whether this is true or just a false claim remains to be determined, but Botnet #14 is still standing, and Christmas is getting closer for Steam, Xbox, and the PlayStation Network.

Source: https://www.bleepingcomputer.com/ Information Security Newspaper http://www.securitynewspaper.com/2016/12/17/security-firms-almostbrought-massive-mirai-botnet/


Scooped by David Thomas

November 11, 2016 6:41 AM

SOURCE: Information Security Newspaper http://www.securitynewspaper.com/2016/11/11/low-bandwidthblacknurse-ddos-attacks-can-disrupt-firewalls/ TAGS: DDoS attacks, Disrupt Firewalls

Researchers warn that certain types of low-bandwidth distributed denial-of-service (DDoS) attacks can cause some widely used enterprise firewalls to enter a temporary DoS condition.

While analyzing DDoS attacks aimed at their customers, experts at the security operations center of Danish telecom operator TDC noticed that some attacks based on the Internet Control Message Protocol (ICMP) can cause serious disruptions even at low bandwidths. ICMP attacks, also known as ping floods, are highly common, but they typically rely on Type 8 Code 0 (echo request) packets. The attacks that caught TDC's attention are based on ICMP Type 3 Code 3 (destination unreachable, port unreachable) packets.

The attacks, dubbed "BlackNurse" by the company, can be highly effective at bandwidths as low as 15-18 Mbps, and they can disrupt firewalls even if the victim has a 1 Gbps Internet connection. "The impact we see on different firewalls is typically high CPU loads. When an attack is ongoing, users from the LAN side will no longer be able to send/receive traffic to/from the Internet. All firewalls we have seen recover when the attack stops," TDC explained in a report detailing BlackNurse attacks. "We know that a small number (1 to many) of internet connections with uplink speed of around 15-18 Mbit/s can keep large companies or organisations under DoS / DDoS until they mitigate the attack," it added.

The experts pointed out that this type of attack has been around for more than 20 years, but they believe organizations are not sufficiently aware of the risks. A scan of the Danish IP address space revealed over 1.7 million devices responding to ICMP pings, which means these attacks can have a significant impact.

Researchers have so far confirmed that BlackNurse attacks work against Cisco ASA and SonicWall firewalls, but they likely also affect products from Palo Alto Networks and other vendors. The iptables firewall utility for Linux, MikroTik products and OpenBSD are not affected. While in some cases attacks might be possible due to a vulnerability in the firewall, some vendors blamed a configuration problem. Detection rules and proof-of-concept (PoC) code have been made available to allow users to identify attacks and test their equipment.

SecurityWeek has reached out to affected vendors, including Cisco, Palo Alto Networks and SonicWall, for comment. "We suspect that this is a misconfiguration as our firewalls have robust ICMP flood and DoS protection mechanisms. However, we are conducting an internal investigation to confirm," said a SonicWall spokesperson. Cisco was notified about these attacks in June, but TDC said the company decided not to classify the issue as a security flaw. This suggests that the networking giant is also treating it as a configuration problem.

In the case of Cisco ASA firewalls, TDC recommends denying ICMP Type 3 messages sent to the product's WAN interface, or upgrading to higher-end ASA models with multiple CPU cores, against which BlackNurse attacks are not as effective. Attacks can also be mitigated using professional anti-DDoS services.

Source: http://www.securityweek.com/ Information Security Newspaper http://www.securitynewspaper.com/2016/11/11/low-bandwidthblacknurse-ddos-attacks-can-disrupt-firewalls/
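The thing that distinguishes BlackNurse from a bandwidth flood is that the relevant number is packets per second of one specific ICMP type, not bits per second. The block below, added here as an example and not TDC's published detection rules or PoC, scores a tcpdump-style text capture by counting ICMP Type 3 Code 3 packets per destination per second; tcpdump prints that packet as `ICMP <host> udp port <n> unreachable`. The capture is synthesized inside the block (constructed, not a real trace), and the 1,000 pps threshold is this example's choice: legitimate port-unreachable traffic is one packet per failed UDP probe, so anything in the thousands per second is an attack regardless of how little bandwidth it uses.

```python
"""Spot a BlackNurse-style ICMP Type 3 Code 3 flood in a packet capture.

Added example, not from TDC's report or its detection rules. Input is
tcpdump-style text; the sample capture below is constructed. What matters is
packet rate toward the firewall, not bandwidth: the CPU pays per packet.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP (?P<body>.*?), length \d+$"
)
# tcpdump's rendering of ICMP type 3, code 3 (port unreachable)
PORT_UNREACH_RE = re.compile(r"^[\d.]+ udp port \d+ unreachable$")


def port_unreachable_rate(lines):
    """Return Counter {(dst, 'HH:MM:SS'): packets} of Type 3 Code 3 packets,
    bucketed per destination and per second."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and PORT_UNREACH_RE.match(m["body"]):
            counts[(m["dst"], m["ts"])] += 1
    return counts


def blacknurse_alerts(lines, pps_threshold=1000):
    """Destinations receiving more than `pps_threshold` Type 3 Code 3 packets
    in any single one-second bucket. Source addresses are ignored on purpose:
    the attacker can spoof them freely, the destination is the victim."""
    return {
        dst: count
        for (dst, sec), count in port_unreachable_rate(lines).items()
        if count > pps_threshold
    }


def constructed_capture(flood_pps=3000):
    """Synthesize one second of flood at `flood_pps` toward 198.51.100.1 from
    200 rotating (spoofed) sources, plus a little benign traffic. Constructed
    for this example, not a real trace."""
    lines = []
    for i in range(flood_pps):
        src = f"203.0.113.{(i % 200) + 1}"
        lines.append(
            f"12:00:00.{i:06d} IP {src} > 198.51.100.1: "
            f"ICMP {src} udp port {1024 + i % 1000} unreachable, length 36"
        )
    # benign: an echo request, and a single real port-unreachable a second later
    lines.append("12:00:00.500000 IP 192.0.2.5 > 198.51.100.1: "
                 "ICMP echo request, id 7, seq 1, length 64")
    lines.append("12:00:01.000100 IP 192.0.2.9 > 198.51.100.2: "
                 "ICMP 192.0.2.9 udp port 53 unreachable, length 36")
    return lines


if __name__ == "__main__":
    print(blacknurse_alerts(constructed_capture()))
```

At roughly 70 bytes on the wire per packet, 3,000 pps is under 2 Mbps, which is why a bandwidth-based alarm never fires. To feed a live box, pipe `tcpdump -n -l icmp` output into this instead of `constructed_capture()`. The mitigation the article names for Cisco ASA, dropping ICMP Type 3 at the WAN interface, is the counterpart: if the firewall never inspects the packet, it never burns CPU on it.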


Scooped by David Thomas

November 3, 2016 12:13 PM

SOURCE: Information Security Newspaper http://www.securitynewspaper.com/2016/11/03/william-hill-websiteknocked-offline-sophisticated-ddos-attack/ TAGS: DDoS attacks, WILLIAM HILL

UPDATE: As of late Wednesday night, William Hill's websites remain offline. Sounding more than a little defeated, the company's official Twitter feed could offer only the following: "We're calling it a day but we know it's not been our best. Techies will be working through the night & Live Chat will answer your queries."

UK bookmaker William Hill is struggling to bring its website back up following a "sophisticated" distributed denial of service (DDoS) attack on Tuesday. The Williamhill.co.uk website went dark on Tuesday afternoon, preventing bettors from placing wagers on the evening's UEFA Champions League matches featuring Arsenal and Manchester City.

The company said the site had been laid low following a "sophisticated" DDoS attack by unspecified "third parties." The company claimed that while "the attempt at disruption is ongoing," its technical teams were able to restore services by Tuesday night. However, Hills' official Twitter feed later confirmed that "we've got some services back but we're still not at 100%." As of Wednesday afternoon, the company said connectivity remained "intermittent." For the moment, Hills is directing customers to use its betting app, while reassuring them that the site's problems do not extend to any "security related issues."

Hills issued a statement saying the attack on its website followed "a significant increase in DDoS activity experienced by a number of online companies over recent weeks." Last month, a major DDoS attack targeted servers operated by the US-based Dyn, causing worldwide outages for users of Twitter, Reddit, Netflix and other major online firms.

The Dyn outage was the latest in a series of mammoth DDoS attacks utilizing a new botnet comprising hundreds of thousands of Internet of Things devices such as security cameras, digital video recorders and the like. The source code for the Mirai botnet was posted online in late September, equipping countless malicious actors with significant new capabilities for online mayhem.

Online gambling remains a top focus of DDoS attacks, and sportsbooks are particularly tempting targets, given their reliance on increased wagering activity surrounding sporting events, the time and date of which are publicized well in advance. Suffice it to say, the 2017 Super Bowl will prove a trying time for sportsbook security teams.

Source: http://calvinayre.com/ Information Security Newspaper http://www.securitynewspaper.com/2016/11/03/william-hill-websiteknocked-offline-sophisticated-ddos-attack/

November 9, 2016 10:41 AM

SOURCE: Information Security Newspaper http://www.securitynewspaper.com/2016/11/09/gchq-belives-ispscan-prevent-ddos-attacks/ TAGS: DDoS attacks, GCHQ

The technical director of GCHQ's National Cyber Security Centre believes that distributed denial of service (DDoS) attacks could be eliminated completely if internet service providers (ISPs) were to rewrite their software and its code. Ian Levy is already preparing to engage in talks with ISPs such as BT over how they could be the key to ending DDoS attacks.

After the cyber attacks launched using the Mirai malware were made public, GCHQ made it a priority to prevent further attacks launched by the same means. In a recent interview with The Sunday Telegraph, Levy offered further details on his plan to end DDoS attacks once and for all, saying: "We think we can get to a point where we can say a UK machine can't participate in a DDoS attack. We think that we can fix the underpinning infrastructure of the internet through implementation changes with ISPs and CSPs".

However, according to the UK Internet Service Providers Association (ISPA), Levy is taking on a quite serious problem with a "we can fix it -- it's easy" approach that fails to acknowledge the complexity of the issue in its entirety.

An earlier blog post from Levy made it clear that he and GCHQ truly believe such a move could be successful, saying: "I'd like to be able to say that UK machines will not be able to easily participate in a scaled DDoS attack. Once we have proved this works, we intend to work with the international ISP and IX community to have similar protections built into other major exchanges to make DDoS and prefix hijacks globally much harder prospects".

As cyber attacks have increased in scope and severity in recent years, organisations and businesses around the world are continually looking at ways to mitigate the damage they can cause. Levy may be examining the issue from an overly simplistic viewpoint, but at least GCHQ has recognized the danger that these attacks pose to businesses and citizens.

Source: http://betanews.com Information Security Newspaper http://www.securitynewspaper.com/2016/11/09/gchq-belives-ispscan-prevent-ddos-attacks/


Scooped by David Thomas

October 30, 2016 11:13 PM

SOURCE: Information Security Newspaper http://www.securitynewspaper.com/2016/10/31/problems-reappeariot-devices-owners-discovery-new-ddos-trojan/ TAGS: DDoS attacks, malware

Security researchers discover IRCTelnet malware.

A new malware family, written by what appears to be an experienced coder, is aiming at Linux-based IoT devices, with the main purpose of adding those devices to a botnet and carrying out DDoS attacks. Discovered by security researcher MalwareMustDie, this new malware family is named Linux/IRCTelnet and is written in C++. The researcher says the malware works by infecting Linux-based devices that expose Telnet ports to the Internet and use weak passwords.

IRCTelnet borrows from other IoT malware

IRCTelnet brute-forces a device's Telnet port, infects the equipment's OS, and adds it to a botnet controlled through IRC. This means that every infected bot connects to an IRC channel and reads commands posted in the main chatroom. The concept is not new by any stretch of the imagination, with much IoT, Linux, and Windows malware operating in the same way.

MalwareMustDie says IRCTelnet takes a lot of inspiration from other IoT malware. The concept of using IRC to manage the bots is obviously borrowed from Kaiten, the malware that had the most success with it. Similarly, the Telnet scanner and brute-forcing system is borrowed from GafGyt (also known as Torlus, Lizkebab, Bashlite, or Bashdoor), while the list of default Telnet credentials is taken from the more recent Mirai malware.

IRCTelnet has support for IPv6 floods

MalwareMustDie says this malware is capable of infecting any device running Linux kernel version 2.6.32 or above. Support is included for launching DDoS attacks with spoofed IPv4 and IPv6 addresses, but the Telnet scanner can only find and brute-force IPs over IPv4. MalwareMustDie also says that there are multiple places in the malware's source code where its author used the Italian language, which appears to be more than a random copy-paste.

Botnet currently has only 3,400 bots

The detection rate on VirusTotal is currently low, with very few vendors identifying it as standalone malware rather than some sort of GafGyt clone. MalwareMustDie reports that the initial scans spreading this malware came from IPs located in Turkey, Moldova, and the Philippines. When he connected to the botnet's IRC channel, he says he found around 3,400 bots.

Source: http://news.softpedia.com/ Information Security Newspaper http://www.securitynewspaper.com/2016/10/31/problems-reappeariot-devices-owners-discovery-new-ddos-trojan/


Scooped by David Thomas

October 15, 2016 5:02 AM

SOURCE: Information Security Newspaper http://www.securitynewspaper.com/2016/10/15/beware-powerfulddos-malware-infecting-cellular-gateways-feds-warn/ TAGS: DDoS attacks, malware

Sierra Wireless confirms that devices it manufactures were infected by Mirai.

This week, the US government-backed ICS-CERT warned that the troubling new generation of computer attacks is powered by malware that can infect cellular modems used to connect automotive and industrial equipment to the Internet. An advisory published Wednesday listed five industrial control devices manufactured by Sierra Wireless that are vulnerable to the malware known as Mirai when the default passwords that ship with the equipment aren't changed on the gateways.

The advisory referenced a separate notice from Sierra Wireless (PDF) that reported infections have succeeded against actual devices by connecting to ACEmanager, a graphical interface used to remotely administer and configure them. The Sierra Wireless post stated:

Sierra Wireless has confirmed reports of the "Mirai" malware infecting AirLink gateways that are using the default ACEmanager password and are reachable from the public internet. The malware is able to gain access to the gateway by logging into ACEmanager with the default password and using the firmware update function to download and run a copy of itself.

Wednesday's CERT advisory urged device owners who haven't changed factory default login credentials to do so immediately. Sierra Wireless also recommended customers disable various types of remote access on the devices if they're not needed. When such access is required, the company suggested customers use port forwarding and disable the settings known as DMZ Host and Public Mode whenever possible.

Over the past month or so, Mirai has infected hundreds of thousands of networked cameras and other so-called Internet of Things devices. It then corrals them into networks that bombard websites with so much data that they can't be accessed by legitimate visitors. Mirai is currently one of two known IoT botnet engines that have infected at least 1.2 million devices and are creating some of the biggest distributed denial-of-service attacks ever recorded. The Mirai source code was released to the public two weeks ago, an event that could make the scourge even worse.

Earlier this week, content delivery network Akamai reported that malicious hackers are expanding the types of activities carried out by the IoT devices they infect. Whereas compromised devices were once used mainly in DDoS attacks, Akamai researchers have unearthed evidence that millions of devices are being used to break into corporate networks using a technique known as credential stuffing.

Neither the CERT advisory nor the Sierra Wireless report mentioned Bashlight (also written Bashlite), the other IoT malware contributing to the record DDoS attacks. It's a fair bet that if Mirai can infect the wireless gateways, its Bashlight rival can, too. Don't be surprised if wireless gateways from other manufacturers are similarly vulnerable.

The CERT advisory says that once Mirai infects a gateway it deletes itself from disk and runs only in memory. That means users can disinfect a device by restarting it. The group warned, however, that the device will likely be reinfected unless its default password is changed. The only obvious signs that a device has been compromised are the presence of abnormal traffic on ports 23 and 48101 and, in the event the device is participating in a DDoS attack, a large amount of outbound traffic.

The specific Sierra models covered in the CERT advisory are: LS300, GX400, GX/ES440, GX/ES450, and RV50. The Shodan search engine showed more than 30,000 of the affected Sierra Wireless devices connected to the Internet, some of which were remotely accessible by telnet or similar protocols.

Video: https://www.youtube.com/watch?v=QiypA-2w0mk

Source: http://arstechnica.com/ Information Security Newspaper http://www.securitynewspaper.com/2016/10/15/beware-powerfulddos-malware-infecting-cellular-gateways-feds-warn/
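Because a rebooted gateway looks clean until it is reinfected, the advisory's two network indicators are more useful than anything on the box itself: traffic on TCP/48101, and a burst of outbound Telnet connection attempts to many different addresses, which is the bot's scanner hunting for its next victim. The block below, added here as an example and not code from the advisory, Sierra Wireless or ICS-CERT, applies both checks to flow records. The five-field record format and the sample flows are constructed for this example; the 60-second window and 50-target threshold are its own choices, and neither value comes from the advisory.

```python
"""Flag hosts showing the two Mirai indicators the ICS-CERT advisory names:
traffic on TCP/48101, and a burst of outbound Telnet (TCP/23) SYNs to many
distinct addresses (the infected device scanning for more victims).

Added example, not from the advisory or from Sierra Wireless. The flow record
format is constructed ("<epoch> <src> <dst> <dport> <tcp-flags>"); map your
NetFlow/IPFIX export onto it.
"""
from collections import defaultdict


def parse_flow(line):
    """One constructed flow record -> (ts, src, dst, dport, flags)."""
    ts, src, dst, dport, flags = line.split()
    return int(ts), src, dst, int(dport), flags


def mirai_indicators(flow_lines, scan_window=60, scan_min_targets=50):
    """Return {host: [indicator strings]} for hosts that either talked on
    TCP/48101 or sent SYNs to at least `scan_min_targets` distinct hosts on
    TCP/23 within `scan_window` seconds. Hosts with neither are omitted."""
    syn23 = defaultdict(list)   # src -> [(ts, dst)]
    p48101 = set()
    for line in flow_lines:
        ts, src, dst, dport, flags = parse_flow(line)
        if dport == 48101:
            p48101.add(src)
        if dport == 23 and "S" in flags:
            syn23[src].append((ts, dst))

    findings = defaultdict(list)
    for src in sorted(p48101):
        findings[src].append("tcp/48101 traffic")
    for src, events in syn23.items():
        events.sort()
        start = 0
        for end in range(len(events)):        # sliding window over SYNs
            while events[end][0] - events[start][0] > scan_window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= scan_min_targets:
                findings[src].append(
                    f"telnet scan: {len(targets)} targets in {scan_window}s")
                break
    return dict(findings)


def constructed_flows():
    """Constructed NetFlow-like records (not a real export): one infected
    gateway scanning 120 addresses in 30 s, one admin opening three Telnet
    sessions over an hour, and one host touching TCP/48101."""
    lines = []
    for i in range(120):
        lines.append(f"{1476500000 + i // 4} 10.0.0.5 203.0.113.{i + 1} 23 S")
    for i in range(3):
        lines.append(f"{1476500000 + i * 1200} 10.0.0.2 10.0.0.{10 + i} 23 S")
    lines.append("1476500100 10.0.0.7 198.51.100.4 48101 S")
    return lines


if __name__ == "__main__":
    for host, why in mirai_indicators(constructed_flows()).items():
        print(host, why)
```

The scan check keys on distinct destinations rather than raw SYN count, so an admin hammering one unreachable device does not trip it, while a bot spraying one SYN per address does within the first second of its sweep. Any host that shows up here should be rebooted to clear the in-memory payload and then have its ACEmanager or Telnet password changed before it is allowed back online, in that order; the advisory is explicit that the reboot alone only buys time.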


September 26, 2016 3:47 AM

October 29, 2016 10:38 AM

SOURCE: Information Security Newspaper http://www.securitynewspaper.com/2016/10/29/hacking-forum-cutssection-allegedly-linked-ddos-attacks/ TAGS: DDoS attacks

HackForums.net has shut down its "Server Stress Testing" section.

An online hackers' forum has deleted a section that allegedly offered paid distributed denial-of-service attacks, following last Friday's massive internet disruption. HackForums.net will be shutting down the "Server Stress Testing" section, the site's admin Jesse "Omniscient" LaBrocca said in a Friday posting. "I do need to make sure that we continue to exist and given the recent events I think it's more important that the section be permanently shut down," he wrote.

The section was designed to let members offer so-called stress testing services for websites as a way to check their resiliency. However, security firms claim Hack Forums was actually promoting DDoS-for-hire services that anyone can use to launch cyber attacks.

Hack Forums has been in the news lately following the emergence of Mirai, a malware blamed for a string of recent distributed denial-of-service attacks, including one last Friday that disrupted access to dozens of sites in the U.S. Although it's still unclear who pulled off the attack, the Mirai source code has been publicly available on Hack Forums since Sept. 30, when an anonymous user named "Anna-senpai" posted the code to the site. According to security firms, copycat hackers have been detected taking advantage of the Mirai source code to launch new DDoS attacks.

Image: HackForums.net. Hack Forums has removed its Server Stress Testing section.

In announcing the closure, Hack Forums admin LaBrocca said, "Unfortunately, once again the few ruin it for the many." "I am sure this is going to upset some members, but also please many, some of whom aren't even members," he wrote. Hack Forums has also been distancing itself from any connection with last Friday's attack and the Mirai malware that's believed to be involved.
"The link between the Mirai Botnet and HF (Hack Forums) is inaccurately being reported," LaBrocca said in an email. Anna-senpai, the user who posted the Mirai source code, has only been a site member for three months and doesn't represent the entire community, LaBrocca said.

Earlier this week, security firm Flashpoint stated that users on Hack Forums may have been involved in launching last Friday's DDoS attack. Hackers on the site have been known to create DDoS-for-hire services as a way to earn cash, the firm alleged.

In an email, LaBrocca said there are legal and legitimate uses for website stress-testing tools. These tools can be designed to verify whether a website can withstand cyber attacks. "We're an open online forum which allows discussion and content other sites might not allow," LaBrocca said. "We're to the freedom of technology information what WikiLeaks is to government and corporate information."

Hack Forums' Server Stress Testing section prohibited posts related to websites that offer DDoS attacks. Despite that, critics have said the section was a top destination to buy DDoS-for-hire services. "There are page upon page upon page of these products," FBI agent Elliott Peterson said during a presentation at the BlackHat conference in August. Many of these DDoS-for-hire services offered through Hack Forums look professional and appear legitimate but advertise the capability to take down websites and servers, Peterson said at the time.

Legal experts have also said that Hack Forums can be held liable for promoting DDoS attacks if there's evidence proving illegal activity. "It comes down to what's actually happening, and not what's just being advertised or described," said Marcus Christian, a lawyer for Mayer Brown who specializes in cybersecurity. He questioned whether Hack Forums was financially benefiting from the alleged DDoS-for-hire providers.
The Hack Forums site had said that for $80 a week, it would promote sellers' listings in the Server Stress Testing section. LaBrocca said on Friday the section will never return, even when the "drama" dies down. "I'm personally disappointed that this is the path I have to take in order to protect the community," he wrote. "I loathe having to censor material that could be beneficial to members."

In an email, LaBrocca said Hack Forums was similar to Twitter, Github or Reddit in its approach to content. "The content on the site is member created and reflects the topics they are interested in discussing," he said.

Source: http://www.pcworld.com/ Information Security Newspaper http://www.securitynewspaper.com/2016/10/29/hacking-forum-cutssection-allegedly-linked-ddos-attacks/

SOURCE: Information Security Newspaper http://www.securitynewspaper.com/2016/09/26/nation-state-actortesting-methods-massive-takedown-internet/ TAGS: DDoS attacks, malware

According to cyber security experts, an unknown nation-state actor may be running tests for taking down the entire Internet infrastructure.

What happens if someone shuts down the Internet? Is it possible? Our society depends heavily on technology, and the Internet is the privileged vector of information today. Blocking the Internet could paralyze countless services in almost any industry, from finance to transportation.

In early September the popular cyber security expert Bruce Schneier published an interesting post titled “Someone Is Learning How to Take Down the Internet” that reveals an escalation of cyber attacks against service providers and companies responsible for the basic infrastructure of the Internet. We are referring to coordinated attacks that experts consider a sort of test to evaluate the resilience of the most critical nodes of the global Internet. The attacks experienced by the companies require significant effort and huge resources, a circumstance that suggests the involvement of a persistent attacker like a government, and China is the first suspect.

“Recently, some of the major companies that provide the basic infrastructure that makes the Internet work have seen an increase in DDoS attacks against them. Moreover, they have seen a certain profile of attacks. These attacks are significantly larger than the ones they’re used to seeing. They last longer. They’re more sophisticated. And they look like probing.” wrote Schneier. “I am unable to give details, because these companies spoke with me under a condition of anonymity. But this all is consistent with what Verisign is reporting. Verisign is the registrar for many popular top-level Internet domains, like .com and .net.
If it goes down, there’s a global blackout of all websites and e-mail addresses in the most common top-level domains. Every quarter, Verisign publishes a DDoS trends report. While its publication doesn’t have the level of detail I heard from the companies I spoke with, the trends are the same: “in Q2 2016, attacks continued to become more frequent, persistent, and complex.”

It is clear that attackers aim to cause a global blackout of the most common top-level domains, paralyzing a large portion of the Internet. Schneier, who has spoken with companies that faced the attacks, pointed out powerful DDoS attacks that stand out from the ordinary for their methodically escalating nature. The attacks start at a certain intensity that increases as time goes by, forcing the victims to deploy all their countermeasures to mitigate the threat.

The report mentioned by Schneier, titled “VERISIGN-OBSERVED DDoS ATTACK TRENDS: Q2 2016”, confirms that companies are experiencing a wave of increasingly sophisticated DDoS attacks. “DDoS Attacks Become More Sophisticated and Persistent. DDoS attacks are a reality for today’s web-reliant organizations. In Q2 2016, DDoS attacks continued to become more frequent, persistent and complex.” states the report.

Schneier also reported other types of attacks against the Internet infrastructure, such as numerous attempts to tamper with Internet addresses and routing. “One company told me about a variety of probing attacks in addition to the DDoS attacks: testing the ability to manipulate Internet addresses and routes, seeing how long it takes the defenders to respond, and so on. Someone is extensively testing the core defensive capabilities of the companies that provide critical Internet services.” continues Schneier.

Who is behind the attacks? Schneier believes that the attacks are launched by someone with the cyber capabilities of a government, and he seems to exclude the efforts of hacktivists or cyber criminals, and I agree.
“It doesn’t seem like something an activist, criminal, or researcher would do. Profiling core infrastructure is common practice in espionage and intelligence gathering. It’s not normal for companies to do that. Furthermore, the size and scale of these probes — and especially their persistence — points to state actors.” explains Schneier.

The attribution of the attacks is very difficult, but data suggests that China is behind them; let me add also that Russia has similar cyber abilities and is able to hide its operations online. Both countries are investing heavily in building infrastructures that would be resilient to such mass attacks.

Source: http://securityaffairs.co Information Security Newspaper http://www.securitynewspaper.com/2016/09/26/nation-state-actortesting-methods-massive-takedown-internet/


September 22, 2016 11:42 AM

September 28, 2016 6:27 AM

SOURCE: Information Security Newspaper http://www.securitynewspaper.com/2016/09/28/150000-iot-devicesbehind-1tbps-ddos-attack-ovh/ TAGS: DDoS attacks

The hosting provider OVH continues to face massive DDoS attacks launched by a botnet composed of at least 150,000 IoT devices.

Last week, the hosting provider OVH faced a 1 Tbps DDoS attack, likely the largest one ever seen. The OVH founder and CTO Octave Klaba reported the 1 Tbps DDoS attack on Twitter, sharing an image that lists the multiple sources of the attack. “Last days, we got lot of huge DDoS. Here, the list of “bigger that 100Gbps” only. You can see the simultaneous DDoS are close to 1Tbps !” said Klaba.

Klaba explained that his company's servers were hit by multiple attacks exceeding 100 Gbps simultaneously, adding up to a 1 Tbps DDoS attack. One of the attacks documented by OVH reached 93 MMps and 799 Gbps. Klaba speculated that the attackers used an IoT botnet that also included compromised CCTV cameras.

Klaba has now added further information on the powerful DDoS attacks: the CTO of OVH claimed that the botnet used by the attackers is powered by more than 150,000 Internet of Things (IoT) devices, including cameras and DVRs. The overall botnet is capable of launching attacks that exceed 1.5 Tbps. The bad news for OVH is that the attacks are still ongoing and the size of the botnet is increasing. “+6857 new cameras participated in the DDoS last 48H.” added Klaba.

The company was targeted by various types of traffic, including Generic Routing Encapsulation (GRE) traffic, a novelty in the DDoS landscape. Unfortunately, such DDoS attacks will become even more frequent; it is too easy for hackers to gain control of poorly configured or vulnerable IoT devices.

Last week experts observed another massive DDoS that targeted the website of the popular cyber security expert Brian Krebs. Krebsonsecurity was targeted by a DDoS attack of 665 Gbps.
Source: http://securityaffairs.co/ Information Security Newspaper http://www.securitynewspaper.com/2016/09/28/150000-iot-devicesbehind-1tbps-ddos-attack-ovh/


September 24, 2016 6:52 AM

SOURCE: Information Security Newspaper http://www.securitynewspaper.com/2016/09/24/top-10-passwordsused-hijack-iot-devices-stupid-think/ TAGS: DDoS attacks, Hijack

IoT malware and IoT botnets are becoming a real problem.

Malware targeting Internet of Things (IoT) devices is becoming more and more prevalent, with new families discovered every month, all working in the same way. IoT malware, usually targeting the various Linux flavors used to power these devices, is rarely a danger to the people or companies behind these devices, but to everyone else. All IoT malware discovered in the past two years has been seen doing the same thing. The infection starts with a crook or automated service employing brute-force attacks, trying to guess the IoT device's admin password by trying thousands of username-password combinations.

Default device passwords help IoT botnets grow

If users haven't changed their device's default credentials, then crooks usually get access to the device after a few seconds. At this point, the malware alters the device by adding special code to communicate with one of its command and control servers, ensnaring it into a worldwide botnet, mainly used to execute DDoS attacks, relay proxy traffic for crooks, and brute-force other IoT devices. In August, Kaspersky discovered that Linux-based botnets had become the most popular DDoS botnets on the market. Only in targeted attacks will you see someone use an IoT device as a pivot point inside a network; in the vast majority of cases, IoT devices are used as bots for DDoS attacks. All of this is simplified by device owners who don't secure their devices with custom passwords. According to Symantec, the table below shows the most often encountered passwords in IoT devices around the world.
Top usernames    Top passwords
root             admin
admin            root
DUP root         123456
ubnt             12345
access           ubnt
DUP admin        password
test             1234
oracle           test
postgres         qwerty
pi               raspberry

As you can see for yourself, most are easy guesses and are the standard passwords for equipment running on Raspberry Pi platforms, Ubuntu, or others. According to Symantec, most of today's IoT malware comes with cross-platform support and can target all major IoT hardware platforms such as x86, ARM, MIPS, and MIPSEL. In some cases, there were malware families that went beyond these popular platforms and also targeted PowerPC, SuperH and SPARC architectures.

Modern IoT malware can spread on its own

Using tools like Shodan and automated brute-forcing scripts, attackers rarely have to infect IoT devices manually anymore, even if there are cases where this is still required. Recent malware even has wormable features that allow it to spread to other devices, such as the Ubiquiti worm. With self-replication features, IoT malware can help crooks build massive botnets, some reaching over 25,000 bots, and in some cases over 120,000 infected devices. Level 3 estimates that there are over one million compromised IoT devices available online. These botnets are often combined to launch different types of DDoS attacks on their targets. Just this week, infosec journalist Brian Krebs reported a DDoS attack that clocked at 620 Gbps after exposing a DDoS-for-Hire service. Krebs said early indicators show this was the work of a massive botnet of IoT devices.

Symantec says the most popular IoT malware families are Linux.Darlloz (aka Zollard), Linux.Aidra (Linux.Lightaidra), Linux.Xorddos (aka XOR.DDos), Linux.Gafgyt (aka GayFgt, Bashlite), Linux.Ballpit (aka LizardStresser), Linux.Moose, Linux.Dofloo (aka AES.DDoS, Mr. Black), Linux.Pinscan / Linux.Pinscan.B (aka PNScan), Linux.Kaiten / Linux.Kaiten.B (aka Tsunami), Linux.Routrem (aka Remainten, KTN-Remastered, KTNRM), Linux.Wifatch (aka Ifwatch), and Linux.LuaBot. On top of these, you can also add Rex, Mirai, Linux.BillGates, and Linux.BackDoor.Irc.

The IoT landscape is fraught with unprofessional vendors

Based on telemetry data, most of these devices are located in China (34 percent) and the US (28 percent). The blame in most cases usually lies with one company. For example, the 25,000-strong botnet we mentioned earlier was caused by a Chinese company that sold white label DVRs, for which it failed to issue a firmware update. The DVRs were bought and sold by 70 other companies, who slapped their own logo on top. Users who discovered their DVRs were insecure couldn't patch their devices since the seller was and is still waiting on the Chinese company to fix its flaws.

Countries with most infected IoT devices (figure)

Source: http://news.softpedia.com Information Security Newspaper http://www.securitynewspaper.com/2016/09/24/top-10-passwordsused-hijack-iot-devices-stupid-think/


September 16, 2016 12:34 AM

SOURCE: Information Security Newspaper http://www.securitynewspaper.com/2016/09/16/us-911-emergencyservices-can-shut-ddos-attacks-mobile-botnets/ TAGS: DDoS attacks, US 911

Research published last week by the Cyber-Security Research Center at the Ben-Gurion University of the Negev in Israel reveals that it only takes about 6,000 smartphones infected with malware to launch a DDoS attack capable of shutting down 911 emergency services in a US state. To cripple 911 services across the entire US, attackers would need a botnet of as few as 200,000 devices, which is a pretty large number, but something that nation-state attackers would be willing to invest in and create.

Researchers say that in its current state, the 911 emergency system has no defenses to protect itself against such attacks. Mobile operators are required by current FCC regulations to forward any 911 call to emergency call centers, called public safety answering points (PSAP), regardless of the caller's IMSI or IMEI identifiers. There is currently no system in place to blacklist repeat callers.

Nation-states could build huge botnets

During their investigation, the Israeli researchers said that attacks can come from malware-infected mobile phones belonging to legitimate users, or from special laboratories specifically built to carry out attacks. The cost of a botnet of 6,000 smartphones capable of launching attacks would be around $100,000, researchers estimated. To scale the number to 200,000 smartphones, an attacker would have to invest between $3.3 and $3.4 million to build a DDoS cannon capable of shutting down the US 911 system and causing havoc around the country. Taking into account that countries invest billions of dollars in military budgets, the initial investment is a low figure, and threat actors could build bigger botnets if they chose to, for better results.
Attacks can be anonymous, impossible to detect

Researchers who worked on the attack methodology also say that attacks can be carried out anonymously by using malware embedded in the phone's baseband firmware. The malware would randomize the phone's IMSI (SIM card-related) and IMEI (phone-related) identifiers for each attack, so mobile operators would not be able to blacklist the callers at their level. If 911 call centers implement a blacklisting system in the future, these randomized identifiers would be able to bypass it as well.

The architecture of the 911 DDoS bot within the firmware of the baseband processor (figure)

To make the attack even more powerful, researchers configured the malware they developed for their own tests to dial the 911 number continually. As soon as the previous connection was closed, the malware would start another. The malware would also insert audio inside the call, in an attempt to keep 911 operators busy as much as possible and deny service to real users.

Full 911 shutdown is possible with enough determination and mobile bots

Tests with the 6,000-phone mobile botnet revealed that the DDoS attack blocked 911 access for 50 percent of users inside a state. If an attacker wanted a complete service shutdown with a 90 percent denial rate, the botnet's size would have to be increased to 50,000. 911 DDoS attacks at the whole-US level with the 200,000-device botnet yielded a 33.3 percent denial rate for users across the country. The 911 emergency system, according to the Department of Homeland Security, is one of the 16 critical services across the US, which should be protected and safeguarded at all times, not just in times of war. Defensive measures need to be taken since mobile botnets have been spotted in the wild by CloudFlare. In September 2015, a mobile botnet of 650,000 smartphones, mostly located in China, launched classic HTTP DDoS attacks against local websites.
Source: http://www.bleepingcomputer.com/ Information Security Newspaper http://www.securitynewspaper.com/2016/09/16/us-911-emergencyservices-can-shut-ddos-attacks-mobile-botnets/


SOURCE: Information Security Newspaper http://www.securitynewspaper.com/2016/09/22/iot-devicesincreasingly-used-ddos-attacks/ TAGS: DDoS attacks, Wi-Fi network access (WPA)

Malware is infesting a growing number of IoT devices, but their owners may be completely unaware of it.

Malware targeting the Internet of Things (IoT) has come of age and the number of attack groups focusing on IoT has multiplied over the past year. 2015 was a record year for IoT attacks, with eight new malware families emerging. More than half of all IoT attacks originate from China and the US. High numbers of attacks are also emanating from Russia, Germany, the Netherlands, Ukraine and Vietnam. Poor security on many IoT devices makes them soft targets and often victims may not even know they have been infected.

Attackers are now highly aware of lax IoT security and many pre-program their malware with commonly used and default passwords. IoT attacks have long been predicted, with plenty of speculation about possible hijacking of home automation and home security devices. However, attacks to date have taken a different shape. Attackers tend to be less interested in the victim; the majority wish to hijack a device to add it to a botnet, most of which are used to perform distributed denial of service (DDoS) attacks. Just this month the security vendor Sucuri reported on a large DDoS attack launched from three different types of botnets (a CCTV botnet, a home router botnet and compromised web servers). While not commonly seen in the past, attacks originating from multiple IoT platforms simultaneously may be seen more often in the future, as the number of embedded devices connected to the Internet rises.

Figure 1. New IoT malware families by year. The number of IoT threats jumped in 2015 and many of these threats continue to be active into 2016

Vulnerable devices

Most IoT malware targets non-PC embedded devices.
Many are Internet-accessible but, because of their operating system and processing power limitations, they may not include any advanced security features. Embedded devices are often designed to be plugged in and forgotten after a very basic setup process. Many don’t get any firmware updates, or owners fail to apply them, and the devices tend to be replaced only when they’ve reached the end of their lifecycle. As a result, any compromise or infection of such devices may go unnoticed by the owner, and this presents a unique lure for remote attackers.

Majority of attacks originate in US and China

Analysis of a Symantec honeypot which collects IoT malware samples found that the highest number of IoT attacks originated in China, which accounted for 34 percent of attacks seen in 2016. Twenty-six percent of attacks stemmed from the US, followed by Russia (9 percent), Germany (6 percent), the Netherlands (5 percent), and Ukraine (5 percent). Vietnam, the UK, France, and South Korea rounded out the top ten. These figures represent the location of IP addresses used to launch malware attacks on Symantec’s honeypot. In some cases, the IP addresses used may be proxies used by attackers to hide their true location. The threats seen most frequently on Symantec’s IoT honeypot this year were Linux.Kaiten.B and Linux.Lightaidra.

Figure 2. Top ten attack origins on monitored IoT honeypot in 2016, by count of unique attackers

Top passwords

Attacks on Symantec’s honeypot also revealed the most common passwords IoT malware uses when attempting to log in to devices. Not surprisingly, the combination of ‘root’ and ‘admin’ leads the chart, indicating that default passwords are frequently never changed. The default Ubiquiti credentials (user name: ubnt and password: ubnt) also feature highly. As reported in May 2016, an old vulnerability in Ubiquiti routers allowed worms targeting embedded devices to spread across thousands of Ubiquiti Networks routers running outdated firmware.
It looks like the attackers behind IoT malware still count on the presence of unpatched Ubiquiti routers in the wild. Further down the charts we see the default credential combination for Raspberry Pi devices (user name: pi and password: raspberry), which indicates a growing trend of attackers specifically targeting this platform.

Top user names    Top passwords
root              admin
admin             root
DUP root          123456
ubnt              12345
access            ubnt
DUP admin         password
test              1234
oracle            test
postgres          qwerty
pi                raspberry

Table 1. Top 10 brute-force usernames and passwords used against IoT devices

IoT malware – common traits

While IoT malware is becoming more sophisticated, the fact that it is being used mostly for DDoS attacks allows us to distinguish several common traits that are seen across the variety of existing malware families. As far as malware distribution goes, attackers take a straightforward approach. While some malware variants need to be manually installed on the device, the most common method consists of a scan for random IP addresses with open Telnet or SSH ports, followed by a brute-force attempt to log in with commonly used credentials. Because of the variety of CPU architectures that embedded devices run on, IoT malware may blindly download bot executables for multiple architectures and run them one by one until one succeeds. In other cases, malware may also include a module that checks the device’s platform and downloads just the correct bot binary. A common tactic by attackers is using a wget or tftp command to download a shell script (.sh) that in turn downloads the bot binaries. In one case we came across a shell script where the malware author used drug street names to differentiate between the bot binaries for different architectures.

Figure 3. Shell script used to download the bot binaries for different architectures

Once the bot binary is executed, it will establish a connection to a hardcoded command and control (C&C) server and await commands from the remote bot master. The communication might be established through an IRC channel, and the malware may also include functionality to encrypt the traffic to the remote C&C server.

Cross-platform malware

It is quite simple for attackers to cross-compile their malware for a variety of architectures. While the most common targets are the x86, ARM, MIPS, and MIPSEL platforms, attackers continue to expand the number of potential targets and have also been creating variants for PowerPC, SuperH and SPARC architectures. By doing so, the list of potentially vulnerable devices increases, with more web servers, routers, modems, NAS devices, CCTV systems, ICS systems, and other devices added to the list of potential targets.

One interesting feature seen on a variety of IoT malware is the ability to kill other processes, specifically processes belonging to other known malware variants. In some older variants this feature might have been used just to eliminate a potential malware competitor from the infected device. We believe that the most common reason for it lies in the fact that embedded devices come with very limited system resources, and the malware tries to make sure that these are not shared with other CPU- or memory-intensive processes. To achieve the same goal through a more sophisticated approach, the malware may also change the iptables rules on the infected device so that only specific external access attempts are allowed. A change like this would effectively block access to the device for other malicious actors but could potentially also lock out the legitimate admins (blocked Telnet port).
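As an added example (not Symantec's code), the two defensive checks that the Softpedia password table earlier on this page and this section's Telnet/SSH brute-force infection path call for: an inventory audit against the Table 1 usernames and passwords, and a log review that singles out sources cycling through those usernames. The device inventory, the telnetd line format and the log excerpt are constructed; the sshd lines use OpenSSH's standard "Failed password" message.

```python
"""Defensive use of Table 1 (top brute-force usernames and passwords) and of the
Telnet/SSH brute-force infection path. Added example, not Symantec's code: the
inventory, the telnetd line format and the log excerpt are constructed."""
import re
from collections import defaultdict

# Table 1 as printed: two independently ranked top-10 lists, not username/password
# pairs. "DUP root" and "DUP admin" are kept exactly as the table lists them.
TOP_USERNAMES = ["root", "admin", "DUP root", "ubnt", "access",
                 "DUP admin", "test", "oracle", "postgres", "pi"]
TOP_PASSWORDS = ["admin", "root", "123456", "12345", "ubnt",
                 "password", "1234", "test", "qwerty", "raspberry"]


def audit_inventory(devices):
    """Flag devices whose configured login would fall to the Table 1 wordlists.

    devices: iterable of dicts with 'host', 'username', 'password' (constructed
    inventory format). Returns a list of (host, reason) tuples."""
    findings = []
    for d in devices:
        user_hit = d["username"] in TOP_USERNAMES
        pass_hit = d["password"] in TOP_PASSWORDS
        if user_hit and pass_hit:
            findings.append((d["host"], "username and password both on Table 1"))
        elif pass_hit:
            findings.append((d["host"], "password on Table 1"))
    return findings


# OpenSSH's auth log line for a rejected password; "invalid user" precedes the name
# when the account does not exist on the device.
SSH_FAIL = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+")
# Constructed Telnet-daemon format for this example (not any real daemon's output).
TELNET_FAIL = re.compile(
    r"telnetd: login failed user=(?P<user>\S+) from=(?P<ip>[\d.]+)")


def detect_bruteforce(lines, min_failures=5):
    """Group failed Telnet/SSH logins by source IP and report sources that reached
    min_failures while cycling through Table 1 usernames, the pattern IoT bots show.
    A single typo by a legitimate admin using a non-Table-1 name is not reported."""
    failures = defaultdict(list)
    for line in lines:
        m = SSH_FAIL.search(line) or TELNET_FAIL.search(line)
        if m:
            failures[m.group("ip")].append(m.group("user"))
    report = {}
    for ip, users in failures.items():
        table1_users = sorted({u for u in users if u in TOP_USERNAMES})
        if len(users) >= min_failures and table1_users:
            report[ip] = {"failures": len(users), "table1_usernames": table1_users}
    return report


# Constructed sample inventory and log excerpt.
SAMPLE_DEVICES = [
    {"host": "cam-01", "username": "root", "password": "admin"},
    {"host": "dvr-07", "username": "operator", "password": "qwerty"},
    {"host": "gw-03", "username": "netadmin", "password": "Vr9!kq2Lm#x"},
]
SAMPLE_LOG = [
    "Sep 22 01:14:02 dvr-07 sshd[812]: Failed password for root from 198.51.100.23 port 41822 ssh2",
    "Sep 22 01:14:03 dvr-07 sshd[812]: Failed password for invalid user ubnt from 198.51.100.23 port 41830 ssh2",
    "Sep 22 01:14:03 dvr-07 sshd[812]: Failed password for invalid user pi from 198.51.100.23 port 41841 ssh2",
    "Sep 22 01:14:04 cam-01 telnetd: login failed user=admin from=198.51.100.23",
    "Sep 22 01:14:04 cam-01 telnetd: login failed user=root from=198.51.100.23",
    "Sep 22 01:14:05 cam-01 telnetd: login failed user=test from=198.51.100.23",
    "Sep 22 01:20:11 gw-03 sshd[991]: Failed password for netadmin from 10.0.0.44 port 50211 ssh2",
    "Sep 22 01:20:15 gw-03 sshd[991]: Accepted password for netadmin from 10.0.0.44 port 50211 ssh2",
]

if __name__ == "__main__":
    for host, reason in audit_inventory(SAMPLE_DEVICES):
        print(f"{host}: {reason}")
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures, Table 1 names {info['table1_usernames']}")
```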
An overview of IoT malware families

Below are the most recognizable and prevalent malware families targeting embedded devices:

Linux.Darlloz (aka Zollard)

Linux.Darlloz is a worm discovered by Symantec that spreads to vulnerable systems by exploiting the PHP 'php-cgi' Information Disclosure Vulnerability (CVE-2012-1823), an old vulnerability patched in 2012. The Darlloz variants found in the wild were initially designed only for computers running on the x86 chip architecture, but later versions of the malware also target devices using ARM, PPC, MIPS, and MIPSEL architectures. An interesting trait of the worm is that it scans for and deletes any files associated with another piece of IoT malware, Linux.Aidra. It will also attempt to block the communications port used by the latter. Once the targeted device is infected with Darlloz, a backdoor on a TCP port will open that allows remote command execution. The worm will also block users from connecting to the infected device by dropping Telnet traffic and terminating the telnetd process.

Linux.Aidra / Linux.Lightaidra

Linux.Aidra and its latest variant Linux.Lightaidra are worms that spread through Telnet services on TCP port 23 and use common username / password combinations in order to log in to the device. The worm opens a back door on the compromised computer or device and awaits commands from the remote C&C server. Each infected device is added to a botnet that is being used to perform DDoS attacks. DDoS attacks from devices compromised by Aidra may be floods of Transmission Control Protocol (TCP) packets, User Datagram Protocol (UDP) packets, or domain name system (DNS) requests.

Linux.Xorddos (aka XOR.DDos)

Linux.Xorddos opens a back door on the compromised computer or device. The name of the threat comes from the fact that it uses heavy XOR encryption both in the malware code as well as in the C&C server communication. Xorddos comes in variants compiled both for x86 as well as ARM architectures.
Aside from its main function of conducting DDoS attacks, additional functionalities of the Trojan include downloading and execution of files, service removal, and installation of additional modules. Xorddos might be installed alongside a rootkit component that hides network traffic or files. In order to perform any such tasks on the infected device, the Trojan might send IOCTL requests to the rootkit component.

Linux.Gafgyt (aka GayFgt, Bashlite)

Linux.Gafgyt is usually distributed through successful exploitation of the Shellshock Vulnerability (CVE-2014-6271). Once installed, it becomes part of a botnet and is used to launch DDoS attacks (either UDP or TCP floods). Shellshock-affected devices may include web servers or Linux-based routers that have a web interface using CGI. Gafgyt also contains functionality to brute-force routers with common username/password combinations and can collect CPU information from the infected device.

Linux.Ballpit (aka LizardStresser)

Linux.Ballpit was created by the infamous APT group known as Lizard Squad. The worm has the ability to launch DDoS attacks from the compromised device using floods of TCP or UDP packets. Similar to many other IoT malware families, the worm is distributed by scanning public IP addresses for Telnet services. Once an appropriate open connection is found, Ballpit will attempt a variety of hard-coded common usernames and passwords in order to log in. A successful logon attempt will be reported back to the C&C server and the bot client will await further instructions from the attacker.

Linux.Moose

In contrast to many IoT malware families described here, Linux.Moose does not have any DDoS capabilities and seems to be more a reconnaissance type of malware. The worm spreads to targeted Linux-based routers and embedded ARM- or MIPS-based devices by first scanning for nearby IP addresses and then brute-forcing weak Telnet login credentials.
The first stage after infection consist of eavesdropping on network traffic on the compromised device. Alongside eavesdropping the worm may also capture the traffic, collect information about the devices’ CPU, and report the collected data back to a remote C&C server. Additional functionality of Moose includes periodic checks of any running processes belonging to competing IoT botnet clients and killing these if located. Bases on the configuration file received from the C&C server the worm may also change the DNS server settings on the compromised host. Linux.Dofloo (aka AES.DDoS, Mr. Black) Linux.Dofloo is a Trojan horse for Linux-based systems on x86, ARM, or MIPS architectures. The threat is also known as AES.DDoS, which comes from the fact that the AES algorithm is used to encrypt the communication with the C&C server. The Trojan opens a backdoor on the compromised device and awaits commands from the remote attacker. Dofloo is used to carry out DDoS attacks, but it might also collect information about the CPU, memory and network traffic of the compromised device and send this data back to the attacker. Linux.Pinscan / Linux.Pinscan.B (aka PNScan) Linux.Pinscan is a Trojan horse developed for various CPU architectures including x86, ARM, MIPS, and MIPSEL. Pinscan may scan a network segment for devices with an open Port 22 and attempt a brute-force login with common usernames and passwords. It might also try to get access to the devices by exploiting vulnerabilities. It does not have any DDoS capabilities, but once it successfully obtains access to a targeted device, it may further download additional malware binaries such as Linux.Kaiten. Linux.Kaiten / Linux.Kaiten.B (aka Tsunami) Linux.Kaiten and its later variant Linux.Kaiten.B is a Trojan horse used to DDoS attacks. Depending on the variant it may modify the /etc/init.d/rc.local file in order to get run each time a user logs in, or the /etc/rc.d/rc.local file to ensure it is executed on boot-up. 
Once installed Kaiten will join a hardcoded IRC channel and listen for commands from the remote attacker. Besides launching DDoS attacks it may also kill processes, download and execute other arbitrary files, or spoof the IP address of the compromised device. Linux.Routrem (aka Remainten, KTN-Remastered, KTN-RM) Since Linux.Routrem contains many elements of the Linux.Kaiten code, it is also as KTN (Kaiten)-Remastered. Once executed, Routrem will identify the architecture used on the compromised router and deploy the correct module (ARM, MIPS, or x86). Similar to Kaiten, Routrem may download additional files, launch a variety of DDoS attacks or scan nearby IP addresses for open Telnet ports. It is designed to target and infect standalone router devices and, as with Kaiten, receives commands from the remote attacker through the IRC channel. Linux.Wifatch (aka Ifwatch) Linux.Wifatch is considered an Internet-of-Things vigilante among the IoT malware families. According to its author, it has been designed for educational purposes. Wifatch’s code is written in the Perl programming language and it targets several different architectures – ARM, MIPS, Sh4, PowerPC, and x86. It does not launch DDoS attacks, exploit vulnerabilities, or distribute malware payloads, but instead some of its hardcoded routines attempt to improve the security of the compromised device. For example, Wifatch may present warning messages to the administrators about the potential danger of open Telnet ports or leave recommendations to change passwords and update the device’s firmware. Wifatch also includes a module that will attempt to find and kill any processes belonging to other known families of IoT malware present on the same device. Linux.LuaBot Linux.Luabot is the first malware targeting the ARM architecture written in the LUA programming language. The known capabilities of Luabot include launching DDoS attacks. 
Attackers flocking to soft targets The current IoT threat landscape shows that it does not require much to exploit an embedded device. While we have come across several malware variants exploiting device vulnerabilities – such as Shellshock or the flaw in Ubiquiti routers - the majority of the threats simply take advantage of weak built-in defenses and default password configurations in embedded devices. DDoS attacks remain the main purpose of IoT malware. With the rapid growth of IoT, increased processing power in devices may prompt a change of tactics in future, with attackers branching out into cryptocurrency mining, information stealing, and network reconnaissance. Staying protected Research the capabilities and security features of an IoT device before purchase Perform an audit of IoT devices used on your network Change the default credentials on devices. Use strong and unique passwords for device accounts and Wi-Fi networks. Don’t use common or easily guessable passwords such as “123456” or “password” Use a strong encryption method when setting up Wi-Fi network access (WPA) Many devices come with a variety of services enabled by default. Disable features and services that are not required Disable Telnet login and use SSH where possible Modify the default privacy and security settings of IoT devices according to your requirements and security policy Disable or protect remote access to IoT devices when not needed Use wired connections instead of wireless where possible Regularly check the manufacturer’s website for firmware updates Ensure that a hardware outage does not result in an unsecure state of the device Source:http://www.symantec.com/ Information Security Newspaper http://www.securitynewspaper.com/2016/09/22/iot-devicesincreasingly-used-ddos-attacks/ more...



August 21, 2016 10:02 PM

SOURCE: Information Security Newspaper http://www.securitynewspaper.com/2016/08/22/around-four-fivednssec-servers-can-hijacked-ddos-attacks/ TAGS: DDoS attacks, DNSSEC

DNSSEC is the best tool to protect against DNS hijacking and DNS cache poisoning, but it can be hijacked for DDoS attacks. Network security firm Neustar says that around 80 percent of DNSSEC servers have been improperly configured, and attackers can hijack them to carry out above-average reflection DDoS attacks.

DNSSEC is an extension of the DNS protocol that uses digital signatures to authenticate and verify DNS queries. DNSSEC is the recommended DNS implementation to deploy on modern servers, but just like any other product that employs cryptographic operations, webmasters can sometimes muddle up the process and leave servers vulnerable after getting them to run.

Number of DNSSEC-based DDoS attacks is on the rise
DNSSEC was not intended to protect against attackers hijacking servers for reflection DDoS attacks. Security experts recommend that webmasters deploy DNSSEC to protect against DNS hijacking and DNS cache poisoning attacks. As companies started deploying this DNS protocol extension, network security firms began to see more attacks using this vector. The first to report on this rising trend was Akamai, who said at the start of the year that it had detected over 400 reflection DDoS attacks in Q4 2015. After seeing a rise in DNSSEC-based DDoS attacks itself, Neustar analyzed over 1,349 domains that use DNSSEC from just one industry vertical. Neustar researchers discovered that 1,084 of the analyzed domains contained vulnerabilities that allowed attackers to use DNSSEC to reflect and amplify their DDoS attacks.

Attackers exploit DNSSEC ANY command
Researchers say that attackers send DNS requests for a DNSSEC-signed domain using the ANY query type (the "ANY command"), which forces the DNSSEC server to gather all the DNS information it holds about that domain and return it in its response. Additionally, the server attaches its digital signatures to the response, adding more weight to the DNS server's reply. Because DNS queries can be spoofed with a fake sender IP address, the attackers trick the server into responding to the victim's IP address, sending junk traffic to the wrong party (the target of the DDoS attack). Neustar explains that it costs an attacker only 80 bytes to send the initial DNSSEC query, but the server replies (because of the ANY query) with a minimum of 2,313 bytes, the size of a basic ANY-based DNSSEC response. Of course, depending on the information included in the response, the return packet is sometimes larger still. Neustar reported seeing some servers responding for specific domains with responses as big as 17,377 bytes.

DNSSEC DDoS attacks have an above-average amplification factor
This means that a DNSSEC-based reflection DDoS attack has an amplification factor that ranges from 28.9 to a whopping 217.2. The average amplification factor for reflection DDoS attacks is around 10, making DNSSEC a clear-cut favorite for running such attacks. Taking into account that around 80 percent of DNSSEC servers are improperly configured, attackers have a huge attack surface to work with, which also explains why more and more DDoS tools will exploit it as more DNS servers start deploying DNSSEC. To mitigate the possibility of having their server hijacked for DDoS attacks, webmasters should configure DNSSEC servers to ignore DNS queries with the ANY parameter. Neustar's DNSSEC: How Savvy Attackers Are Using Our Defenses Against Us report is available for download if you want to take a closer look at how DNSSEC DDoS attacks work.

Source: http://news.softpedia.com/ Information Security Newspaper http://www.securitynewspaper.com/2016/08/22/around-four-fivednssec-servers-can-hijacked-ddos-attacks/



July 23, 2016 3:38 AM

SOURCE: Information Security Newspaper http://www.securitynewspaper.com/2016/07/23/meet-oneanonymous-hackers-bombarding-isis-websites-ddos-attacks/ TAGS: DDoS attacks

Softpedia spoke with Rebirth, co-founder of BinarySec. The Anonymous #OpISIS campaign seemed at one point to have slowly died out after the Charlie Hebdo, Paris, and Belgium attacks, but it is once again in the news following the gruesome attacks in Istanbul, Baghdad, Nice, Würzburg, and yesterday in Munich. Unknown to many is that this Anonymous hacktivism campaign has continued, in the shadows, albeit in much smaller numbers than November 2015 - March 2016, when it was at its fullest. Softpedia spoke with Rebirth, one of the founding admins of BinarySec, an Anonymous division that's been busy hacking and launching DDoS attacks against pro-ISIS websites, but also finding and reporting new ISIS Twitter accounts via its Binary Report Tool account.

When did you join #OpISIS?
Rebirth: I embarked on this campaign shortly after the Charlie Hebdo shooting.

Besides DDoS attacks, did you participate in other types of attacks?
Rebirth: Me and my fellow members not only attack these sites, but we work on exploiting them and extracting information from them, alongside getting them removed from the clear web. We exhaust every resource we can to get these sites down and their owners brought to justice. We also have a bot that tweets out ISIS accounts (@tool_binary), but we mainly jack them because we find it more productive, and we can get intel on them.

Have you ever dumped databases from the attacked websites?
Rebirth: Yes, we have dumped many databases from the attacked sites. For example, last week our member Cyric dumped the database of the radical Islamist preacher Dr. Zaghloul El Naggar's site: [REDACTED].

Do you have a headcount of all hacked and DDoSed websites?
Rebirth: We have a list of sites that need to be targeted, but at this time we do not have a number of how many radical sites we have attacked. My estimate would be over 150.

Besides BinarySec, how many other hackers or groups are participating in these attacks?
Rebirth: Besides BinarySec there are individuals participating, and a few groups such as FantomNet, but I truly believe that BinarySec is the driving force of OpISIS.

Has any government official ever approached you?
Rebirth: We have only been in contact with government officials when it comes to sending the ISIS supporters' information to get them arrested; otherwise we do not have contact with them.

Looking back at what you have done, do you feel you've accomplished something?
Rebirth: I do feel we have accomplished so much over this past year and a half, as we have disrupted communications of ISIS and exposed their supporters' locations. Even though ISIS is moving to Telegram, their channels are being shut down before they can tell supporters their new one.

Do you know anything about ISIS and their operations that the world hasn't yet found out?
Rebirth: We have made most of the information public about the things that governments and the public were not aware of, such as the US-born ISIS weapon maker in Brazil. I also believe the world has seen ISIS for everything that they are and how sick and twisted their ideology is.

Screenshot of data taken from radical Islamist preacher Dr. Zaghlou

Source: http://news.softpedia.com/ Information Security Newspaper http://www.securitynewspaper.com/2016/07/23/meet-oneanonymous-hackers-bombarding-isis-websites-ddos-attacks/



June 30, 2016 12:08 AM

SOURCE: Information Security Newspaper http://www.securitynewspaper.com/2016/06/30/100-ddos-botnetsbased-lizard-squads-lizardstresser/ TAGS: DDoS attacks, Lizard Squad

Lizard Squad's tool has become very popular thanks to the millions of unsecured IoT devices ready for the taking. Security experts from Arbor Networks have uncovered over 100 botnets that are controlled using various variations of LizardStresser, the DDoS stresser created by the original Lizard Squad members. While most of Lizard Squad's first members are in jail or hiding and hoping that law enforcement won't come knocking on their door, the group continues to live on through new members and new attacks, but also through the LizardStresser toolkit, which they leaked online at the start of 2015. The toolkit was heavily forked and adapted, as many other hacking groups sought to use it to create their own botnets for DDoS attacks, whether just to annoy people, to extort companies, or for hacktivism.

LizardStresser is geared towards infecting IoT devices
Arbor Networks says that LizardStresser is not extremely complicated, and is nothing more than a DDoS attack toolkit that uses the ancient IRC protocol to communicate between the C&C server and the client-side component. Because LizardStresser is coded in C and designed to run on Linux, Arbor Networks says that a lot of groups deploying new LizardStresser instances are taking advantage of unsecured IoT devices running on platforms such as x86, ARM, and MIPS, where a stripped-down Linux version is the preferred OS. We touched on this topic last year when Lizard Squad's new members were having trouble with their own botnet after unknown security researchers tried to hijack some of these infected IoT systems.

Webcams make up the bulk of the LizardStresser-based botnets
According to Arbor Networks, most of these infected IoT devices are Internet-connected webcams, accessible through a page broadcasting the "NETSurveillance WEB" title and using their default access passwords. In a DDoS attack of over 400 Gbps aimed at a gaming site, Arbor says that 90% of the bots that participated in the attack were this type of webcam. The DDoS attacks are extremely simple and don't even use traffic amplification/reflection techniques. LizardStresser was created to launch direct DDoS attacks, meaning the bots send UDP or TCP floods directly to the target.

LizardStresser launches direct DDoS attacks, no protocol amplification
Because of the massive number of unsecured IoT devices, groups that use LizardStresser can launch massive DDoS attacks, previously thought to be unachievable without UDP-based amplification protocols such as NTP or SNMP. Furthermore, LizardStresser also includes a Telnet brute-forcing feature that is used to test new devices for default passwords and inform the C&C server about possible new victims. All of these features make LizardStresser a popular choice when hacking outfits and hacktivism groups are looking for tools to build or broaden their DDoS capabilities. Overall, there's a growing trend of hacking groups adopting LizardStresser. "LizardStresser is becoming the botnet-du-jour for IOT devices given how easy it is for threat actors to make minor tweaks to telnet scanning," says Matthew Bing of Arbor Networks. "With minimal reseach [sic] into IOT device default passwords, they are able to enlist an exclusive group of victims into their botnets."

Number of C&C servers using LizardStresser in 2016

Source: http://news.softpedia.com/ Information Security Newspaper http://www.securitynewspaper.com/2016/06/30/100-ddos-botnetsbased-lizard-squads-lizardstresser/
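Several of the families in the Symantec overview above (Aidra, Ballpit/LizardStresser, Moose, Gafgyt) and the LizardStresser botnets in this article spread by guessing default Telnet credentials. The following added example, which is not code from Symantec, Arbor Networks or any malware sample, shows how a defender can spot that pattern in a device's login log; the log format, hostname, addresses, usernames and the year are constructed assumptions.

```python
"""Flag Telnet credential brute-forcing on an embedded device from its login log.

Added example, not code from Symantec, Arbor Networks or any malware family.
The log format is a constructed BusyBox-style 'login' line; the hostname,
IP addresses, usernames and the year are constructed too.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Usernames the families above are described as guessing over Telnet
# (illustrative list, not taken from any malware sample).
DEFAULT_USERS = {"root", "admin", "user", "support", "guest"}

# Constructed log lines: one source walks through default accounts and gets in,
# a second source is an operator who mistyped a password once.
SAMPLE_LOG = """
Jun 29 02:14:01 cam01 login[412]: FAILED LOGIN on 'pts/0' for 'root' from 203.0.113.5
Jun 29 02:14:03 cam01 login[413]: FAILED LOGIN on 'pts/0' for 'root' from 203.0.113.5
Jun 29 02:14:04 cam01 login[414]: FAILED LOGIN on 'pts/0' for 'admin' from 203.0.113.5
Jun 29 02:14:06 cam01 login[415]: FAILED LOGIN on 'pts/0' for 'admin' from 203.0.113.5
Jun 29 02:14:09 cam01 login[416]: FAILED LOGIN on 'pts/0' for 'support' from 203.0.113.5
Jun 29 02:14:11 cam01 login[417]: ACCEPTED LOGIN on 'pts/0' for 'admin' from 203.0.113.5
Jun 29 02:20:30 cam01 login[420]: FAILED LOGIN on 'pts/1' for 'operator' from 198.51.100.7
Jun 29 02:20:40 cam01 login[421]: ACCEPTED LOGIN on 'pts/1' for 'operator' from 198.51.100.7
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ login\[\d+\]: "
    r"(?P<result>FAILED|ACCEPTED) LOGIN on '\S+' for '(?P<user>[^']*)' from (?P<src>[\d.]+)$"
)


def parse_line(line, year=2016):
    """Return a dict for a login line, or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies one (assumption)
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Map source IP -> finding for sources with >= threshold failures in a window.

    A source whose burst of failures is followed by an ACCEPTED login is rated
    'critical': the default-credential guessing the articles describe succeeded.
    """
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        fails = [e for e in events if e["result"] == "FAILED"]
        # sliding window over the failure timestamps
        burst = False
        for i in range(len(fails)):
            j = i
            while j + 1 < len(fails) and fails[j + 1]["ts"] - fails[i]["ts"] <= window:
                j += 1
            if j - i + 1 >= threshold:
                burst = True
                break
        if not burst:
            continue
        success_after = any(
            e["result"] == "ACCEPTED" and e["ts"] >= fails[0]["ts"] for e in events
        )
        users = sorted({e["user"] for e in fails})
        findings[src] = {
            "failures": len(fails),
            "users": users,
            "default_users": sorted(set(users) & DEFAULT_USERS),
            "severity": "critical" if success_after else "high",
        }
    return findings


if __name__ == "__main__":
    for src, finding in detect_bruteforce(SAMPLE_LOG).items():
        print(src, finding)
```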



May 26, 2016 12:10 AM

SOURCE: Information Security Newspaper http://www.securitynewspaper.com/2016/05/26/major-dns-providerhit-mysterious-focused-ddos-attack/ TAGS: DDoS attacks, DNS

Attack on NS1 sends 50 million to 60 million lookup packets per second. Unknown attackers have been directing an ever-changing army of bots in a distributed denial of service (DDoS) attack against NS1, a major DNS and traffic management provider, for over a week. While the company has essentially shunted off much of the attack traffic, NS1 experienced some interruptions in service early last week. The attackers have also gone after partners of NS1, interrupting service to the company's website and other services not tied to the DNS and traffic-management platform. While it's clear that the attack is targeting NS1 in particular and not one of the company's customers, there's no indication of who is behind the attacks or why they are being carried out.

NS1 CEO Kris Beevers told Ars that the attacks were yet another escalation of a trend that has been plaguing DNS and content delivery network providers since February of this year. "This varies from the painful-but-boring DDoS attacks we've seen," he said in a phone interview. "We'd seen reflection attacks [also known as DNS amplification attacks] increasing in volumes, as had a few content delivery networks we've talked to, some of whom are our customers." In February and March, Beevers said, "we saw an alarming rise in the scale and frequency of these attacks—the norm was to get them in the sub-10 gigabit-per-second range, but we started to see five to six per week in the 20 gigabit range. We also started to see in our network—and other friends in the CDN space saw as well—a lot of probing activity," attacks testing for weak spots in NS1's infrastructure in different regions. But the new attacks have been entirely different.

The sources of the attacks shifted over the week, cycling between bots (likely running on compromised systems) in eastern Europe, Russia, China, and the United States, and the volume of the attacks increased to the 30 Gbps to 50 Gbps range. While the attacks rank in the "medium" range in total volume and are not nearly as large as previous huge amplification attacks, they were tailored specifically to degrading the response of NS1's DNS infrastructure. Rather than dumping raw data on NS1's servers with amplification attacks—where an attacker sends spoofed DNS requests to open DNS servers that result in large blocks of data being sent in the direction of the target—the attackers sent programmatically generated DNS lookup requests to NS1's name servers, sometimes at rates of 50 million to 60 million packets per second. The packets looked superficially like genuine requests, but they asked for resolution of host names that don't actually exist on NS1's customers' networks. NS1 has shunted off most of the attack traffic by performing upstream filtering, using behavior-based rules that differentiate the attacker's requests from actual DNS lookups. Beevers wouldn't go into detail about how that was being done, out of concern that the attackers would adapt their methods to overcome the filtering.

But the attacks have also revealed a problem for customers of the major infrastructure providers in the DNS-based traffic management space. While the DNS specification has largely gone unchanged from a client perspective since it was created, NS1 and other providers have carried out a lot of proprietary modification of how DNS works behind the scenes, making it more difficult to use multiple DNS providers for redundancy. "We've moved a bit away from the interoperable nature of DNS," Beevers said. "You can't slave one DNS service to another anymore. You're not seeing DNS zone transfers, because features and functionality of the [DNS provider] networks have diverged so much that you can't transfer that over the zone transfer mechanism." To overcome that issue, Beevers said, "people are pulling tools in-house to translate configurations from one provider to another—that did work very well for some of our customers [in shifting DNS during the attack]." NS1, like some of its competitors, also provides a service that allows customers to run the company's DNS technology on dedicated networks, "so if our network gets hit by a big DDoS attack, they can still have access."

Fixing the interoperability problem will become more urgent as attacks like the most recent one become more commonplace. But Beevers said that it's not likely that the problem will be solved by a common specification for moving DNS management data. "DNS has not evolved since the '80s, because there's a spec," he said. "But I do believe there's room for collaboration. DNS is done by mostly four or five companies—this is one of those cases where we have a real opportunity because the community is small enough and because the traffic management that everyone uses needs a level of interoperability." As companies with big online presences push for better ways to build multi-vendor and multi-network DNS systems to protect themselves from outages caused by these kinds of attacks, he said, the DNS and content delivery network community is going to have to respond.

Source: http://arstechnica.com/ Information Security Newspaper http://www.securitynewspaper.com/2016/05/26/major-dns-providerhit-mysterious-focused-ddos-attack/
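NS1's behavior-based filtering was not disclosed, but the traffic the article describes (programmatically generated names that do not exist, sent at very high rates) can be scored from an authoritative server's query log. The following added example, which is not NS1's code, does that with per-client NXDOMAIN ratio, leftmost-label entropy, label uniqueness and query rate; the log format, zone name, client addresses and thresholds are constructed assumptions.

```python
"""Score DNS query sources for a pseudo-random-subdomain flood.

Added example, not NS1's (undisclosed) filtering logic. The query log format,
zone name, client addresses and thresholds are constructed assumptions.
"""
import math
from collections import defaultdict
from datetime import datetime

# Constructed authoritative-server query log:
# "<iso timestamp> <client> <qname> <qtype> <rcode>"
SAMPLE_QUERY_LOG = """
2016-05-18T10:00:00.000 203.0.113.9 q7xk2mzp9dlw.customer.example. A NXDOMAIN
2016-05-18T10:00:00.100 203.0.113.9 a3b8c1d6e0f2.customer.example. A NXDOMAIN
2016-05-18T10:00:00.200 203.0.113.9 h5j9n4r7t1v6.customer.example. A NXDOMAIN
2016-05-18T10:00:00.300 203.0.113.9 u2w6y0z4b8d1.customer.example. A NXDOMAIN
2016-05-18T10:00:00.400 203.0.113.9 k9m3p7s1x5c0.customer.example. A NXDOMAIN
2016-05-18T10:00:00.500 203.0.113.9 e4g8i2l6o0q3.customer.example. A NXDOMAIN
2016-05-18T10:00:00.000 198.51.100.20 www.customer.example. A NOERROR
2016-05-18T10:00:05.000 198.51.100.20 mail.customer.example. MX NOERROR
2016-05-18T10:00:09.000 198.51.100.20 api.customer.example. A NOERROR
2016-05-18T10:00:12.000 198.51.100.20 wwww.customer.example. A NXDOMAIN
""".strip().splitlines()


def label_entropy(label):
    """Shannon entropy in bits per character; random labels score high, 'www' scores 0."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_query_line(line):
    ts, client, qname, qtype, rcode = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f"),
        "client": client,
        "label": qname.split(".")[0].lower(),  # leftmost label carries the random part
        "qtype": qtype,
        "rcode": rcode,
    }


def score_sources(lines, nx_ratio_min=0.8, entropy_min=3.0, unique_min=0.8):
    """Return per-client statistics; 'flagged' is True when all thresholds are met.

    Genuine clients occasionally get NXDOMAIN for a typo, but they repeat real
    names with low entropy; a name-generating bot does the opposite on all three axes.
    """
    by_client = defaultdict(list)
    for line in lines:
        q = parse_query_line(line)
        by_client[q["client"]].append(q)

    stats = {}
    for client, qs in by_client.items():
        n = len(qs)
        nx = sum(1 for q in qs if q["rcode"] == "NXDOMAIN")
        labels = [q["label"] for q in qs]
        span = (max(q["ts"] for q in qs) - min(q["ts"] for q in qs)).total_seconds()
        s = {
            "queries": n,
            "nxdomain_ratio": nx / n,
            "mean_entropy": sum(label_entropy(l) for l in labels) / n,
            "unique_label_ratio": len(set(labels)) / n,
            "qps": n / span if span > 0 else float(n),
        }
        s["flagged"] = (
            s["nxdomain_ratio"] >= nx_ratio_min
            and s["mean_entropy"] >= entropy_min
            and s["unique_label_ratio"] >= unique_min
        )
        stats[client] = s
    return stats


def flagged_clients(lines):
    """Clients whose query pattern matches the flood, sorted for stable output."""
    return sorted(c for c, s in score_sources(lines).items() if s["flagged"])


if __name__ == "__main__":
    for client, s in score_sources(SAMPLE_QUERY_LOG).items():
        print(client, s)
```

In production the per-client rate would be the decisive signal (the article cites 50 to 60 million packets per second); the sample keeps the rate low so the other three features carry the decision.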



March 18, 2016 6:33 AM

SOURCE: Information Security Newspaper http://www.securitynewspaper.com/2016/03/18/malware-botnet-canabused-launch-ddos-attacks/ TAGS: DDoS attacks, Malware

Botnet DDoS attacks can have an amplification factor of 26.5. An independent security researcher who goes by the name of MalwareTech has discovered a way in which he could abuse the ZeroAccess malware's botnet to launch reflection DDoS attacks with an above-average amplification factor. ZeroAccess is a trojan that infects Windows computers and then starts communicating with a C&C (command and control) server, which in turn tells the trojan to download various types of other, more dangerous malware, usually click-fraud bots or Bitcoin mining software, operating hidden from the user's view. The ZeroAccess botnet appeared in 2011, and because of an effective rootkit component and P2P-like structure, it even managed to survive a takedown attempt orchestrated by Microsoft in December 2013.

ZeroAccess botnet used for amplifying DDoS attacks
MalwareTech discovered that ZeroAccess allowed its bots to relay messages from one to another, some acting like smaller servers (supernodes) while the rest were just end-points (workers). To relay orders from the C&C server to supernodes and workers, ZeroAccess used simple UDP packets. Because of its complex mesh structure, when a UDP packet arrived at a supernode, the bot would add more information to the packet, containing various details about the network's structure. The supernode would add 408 bytes on top of the original 16, for a total of 424 bytes. Since UDP packets can carry a spoofed source address, an attacker who managed to map ZeroAccess' bot network would be able to send UDP packets to its bots, some of which would then amplify the traffic by 26.5, sending it back to the spoofed address (the victim's IP). This scenario is your typical reflection DDoS attack, carrying a 26.5 amplification factor, which is more than double the typical 2-10 amplification factor seen in other types of reflection DDoS attacks.

DDoS attacks worked even if bots were behind NATs
Theoretically, this wouldn't have been a problem, since most bots infect users that are sitting behind NATs (Network Address Translation), software that translates public IPs to private IP addresses in order to maximize IPv4 address space usage. That meant that the vast majority of the ZeroAccess botnet wouldn't have been accessible to a person carrying out DDoS attacks via this technique. Unfortunately, MalwareTech found a way around this issue as well, allowing him to involve ZeroAccess supernode bots in DDoS attacks even when sitting behind a router. All of this is only theoretical, since the researcher did not want to commit a crime just to test out his theory.

Source: http://news.softpedia.com/ Information Security Newspaper http://www.securitynewspaper.com/2016/03/18/malware-botnet-canabused-launch-ddos-attacks/
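The 80-to-2,313 and 80-to-17,377 byte DNSSEC ANY replies in the Neustar article above and the 16-to-424 byte ZeroAccess supernode reply here are the same reflection pattern seen from the network. The following added example, which is not code from Neustar, MalwareTech or Softpedia, pairs request and reply flows and computes the amplification each reflector delivered to the spoofed address; the flow records, addresses and the supernode port are constructed, and "smaller direction is the request" is a stated heuristic.

```python
"""Identify reflection/amplification pairs in flow records and size the amplification.

Added example, not code from Neustar, MalwareTech or Softpedia. The flow records
are constructed: each request is a small datagram whose source is the spoofed
target address and each reply is the reflector's large response to that address.
The supernode port is a placeholder, not a real ZeroAccess port.
"""
from collections import defaultdict

TARGET = "192.0.2.10"  # constructed: the spoofed source address in the requests

# (src, dst, proto, service port, bytes); byte sizes match the figures in the articles
SAMPLE_FLOWS = [
    # DNSSEC-signed zone, ANY query: 80-byte query, 2,313-byte minimum reply
    ("192.0.2.10", "198.51.100.53", "udp", 53, 80),
    ("198.51.100.53", "192.0.2.10", "udp", 53, 2313),
    # another signed zone whose ANY reply is 17,377 bytes
    ("192.0.2.10", "198.51.100.54", "udp", 53, 80),
    ("198.51.100.54", "192.0.2.10", "udp", 53, 17377),
    # botnet supernode: 16-byte message answered with 424 bytes (port is a placeholder)
    ("192.0.2.10", "203.0.113.77", "udp", 40000, 16),
    ("203.0.113.77", "192.0.2.10", "udp", 40000, 424),
    # ordinary exchange with no meaningful amplification (constructed)
    ("192.0.2.10", "198.51.100.80", "udp", 123, 60),
    ("198.51.100.80", "192.0.2.10", "udp", 123, 90),
]


def amplification_factor(request_bytes, response_bytes):
    """Bandwidth amplification factor, rounded to one decimal as the articles quote it."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return round(response_bytes / request_bytes, 1)


def find_reflectors(flows, min_factor=10.0):
    """Pair each flow with its reverse flow and keep pairs amplified by >= min_factor.

    Heuristic (assumption): within a pair, the direction carrying fewer bytes is the
    request and the other is the reply, so the reply's sender is the reflector.
    Returns a list of findings sorted by factor, highest first.
    """
    volume = defaultdict(int)  # (src, dst, proto, port) -> bytes
    for src, dst, proto, port, nbytes in flows:
        volume[(src, dst, proto, port)] += nbytes

    findings, seen = [], set()
    for (a, b, proto, port), ab in volume.items():
        reverse = (b, a, proto, port)
        pair = frozenset([(a, b, proto, port), reverse])
        if pair in seen or reverse not in volume:
            continue
        seen.add(pair)
        ba = volume[reverse]
        req_src, req_bytes, resp_src, resp_bytes = (
            (a, ab, b, ba) if ab <= ba else (b, ba, a, ab)
        )
        factor = amplification_factor(req_bytes, resp_bytes)
        if factor >= min_factor:
            findings.append({
                "reflector": resp_src,
                "target": req_src,
                "proto": proto,
                "port": port,
                "factor": factor,
                "bytes_delivered": resp_bytes,
            })
    return sorted(findings, key=lambda f: f["factor"], reverse=True)


def bytes_delivered_to(findings, target):
    """Total reflected bytes that landed on one address across all reflectors."""
    return sum(f["bytes_delivered"] for f in findings if f["target"] == target)


if __name__ == "__main__":
    hits = find_reflectors(SAMPLE_FLOWS)
    for h in hits:
        print(h)
    print("bytes delivered to", TARGET, "=", bytes_delivered_to(hits, TARGET))
```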


August 23, 2016 7:39 AM

SOURCE: Information Security Newspaper http://www.securitynewspaper.com/2016/08/23/threat-intelligencereport-telecommunications-industry/ TAGS: DDoS attacks, telecommunications The telecommunications industry keeps the world connected. Telecoms providers build, operate and manage the complex network infrastructures used for voice and data transmission – and they communicate and store vast amounts of sensitive data. This makes them a top target for cyber-attack. According to PwC’s Global State of Information Security, 2016, IT security incidents in the telecoms sector increased 45% in 2015 compared to the year before. Telecoms providers need to arm themselves against this growing risk. In this intelligence report, we cover the main IT security threats facing the telecommunications industry and illustrate these with recent examples. Our insight draws on a range of sources. These include: The latest telecoms security research by Kaspersky Lab experts. Kaspersky Lab monitoring systems, such as the cloud antivirus platform, Kaspersky Security Network (KSN), our botnet tracking system and multiple other internal systems including those used to detect and track sophisticated targeted (advanced persistent threat, APT) attacks and the corresponding malware. Underground forums and communities. Centralized, specialized security monitoring systems (such as Shodan). Threat bulletins and attack reports. Newsfeed aggregation and analysis tools. Threat intelligence is now a vital weapon in the fight against cyberattack. We hope this report will help telecoms providers to better understand the cyber-risk landscape so that they can develop their security strategies accordingly. We can provide more detailed sector and company-specific intelligence on these and other threats. For more information on our Threat Intelligence Reporting services please email [email protected]. 
Executive summary Telecommunications providers are under fire from two sides: they face direct attacks from cybercriminals intent on breaching their organization and network operations, and indirect attacks from those in pursuit of their subscribers. The top threats currently targeting each of these frontlines feature many classic attack vectors, but with a new twist in terms of complexity or scale that place new demands on telecoms companies. These threats include: Distributed Denial of Service (DDoS) attacks. DDoS attacks continue to increase in power and scale and, according to the 2016 Data Breach Investigations Report, the telecommunications sector is hit harder than any other. Kaspersky Lab’s research reveals that in Q2, 2016, the longest DDoS attack lasted for 291 hours (or 12.1 days) – significantly longer than the previous quarter’s maximum (8.2 days), with vulnerable IoT devices increasingly used in botnets. Direct DDoS attacks can reduce network capacity, degrade performance, increase traffic exchange costs, disrupt service availability and even bring down Internet access if ISPs are hit. They can be a cover for a deeper, more damaging secondary attack, or a route into a key enterprise subscriber or large-scale ransomeware attack. The exploitation of vulnerabilities in network and consumer devices. Our intelligence shows that vulnerabilities in network devices, consumer or business femtocells, USBs and routers, as well as root exploits for Android phones, all provide new channels for attacks – involving malware and technologies that individuals, organisations and even basic antivirus solutions cannot always easily remove. Compromising subscribers with social engineering, phishing or malware. These classic techniques remain popular and can easily be mastered by entry-level cybercriminals, although 2016 sees changes in how more sophisticated attackers conduct their campaigns. 
Growing numbers of cyber-attackers now combine data sets from different sources, including open sources, to build up detailed pictures of potential targets for blackmail and social engineering purposes. Insider threat is growing. Detailed profiles of targets are also used to recruit insiders to help perpetrate cybercrime. Some insiders help voluntarily, others are cooerced through blackmail. Insiders from cellular service providers are recruited mainly to provide access to data, while staff working for Internet service providers are chosen to support network mapping and man-in-the-middle attacks. Other threats facing telecommunications companies include targeted attacks; poorly configured access controls, particularly where interfaces are publicly available to any Internet user; inadequate security for 2G/3G communications; and the risk of telecoms providers being drawn into unrelated attacks that exploit telecoms resources, and suffering collateral damage as a result. Typical threats targeting telecoms Overview We can divide the main threats facing the telecommunications industry into two, interrelated, categories: Threats targeting telecommunication companies directly. These include DDoS attacks, targeted attacks (APT campaigns), network device vulnerabilities and human-related threats like insider access, social engineering and the risk of allowing third parties to access information. Threats targeting subscribers of telecoms services – particularly the customers of cellular service providers (CSPs) and Internet service providers (ISPs). These include malware for mobile devices, subscriber data harvesting, end-user device vulnerabilities, and more. Threats directed at telecoms companies DDoS DDoS (distributed denial of service) attacks remain a serious threat to telecoms providers around the world as attackers discover ever more ways of boosting the power and scale of attacks. 
Kaspersky Lab’s DDoS intelligence report for Q2, 2016 notes that websites in 70 countries were targeted with attacks. By far the most affected country was China, with South Korea and the US also among the leaders. 70.2% of all detected attacks were launched from Linux botnets, with cybercriminals paying close attention to financial institutions working with cryptocurrency. Another trend observed in Q2 was the use of vulnerable IoT devices in botnets to launch DDoS attacks. The telecommunications sector is particularly vulernable to DDoS attacks. According to the 2016 Data Breach Investigations Report, the telecommunications sector was hit around twice as hard as the second placed sector (financial exchanges), with a median DDoS packet count of 4.61 million packets per second (compared to 2.4 Mpps for exchanges.) The impact of a DDoS attack should not be underestimated. Direct attacks can reduce network capacity, degrade performance, increase traffic exchange costs, disrupt service availability and even bring down Internet access if ISPs are affected. With a growing number of connected devices and systems supporting missioncritical applications in areas such as healthcare and transport, unexpected downtime could be life threatening. Further, DDoS attacks can be a cover for a deeper, more damaging secondary attack, or a route into a key enterprise subscriber or large-scale ransomeware attack. A good example of the first is the 2015 cyber-attack on the UK telecoms company, TalkTalk. The hack, alledgedly perpetrated by a couple of teenagers, resulted in the loss of around 1.2 million customers’ email addresses, names and phone numbers, as well as many thousands of customer dates of birth and financial information – all ideal for use in financially-motivated social engineering campaigns. The forensic investigation revealed that the hackers had used a smokescreen DDoS attack to conceal their main activities. DDoS attacks are also evolving. 
2015 saw attackers amplify the power of DDoS attacks by turning them into DrDoS (Distributed Reflection Denial of Service) attacks through the use of standard network protocols like NTP, RIPv1, NetBIOS (Network Basic Input/Output System) and BGP (Border Gateway Protocol). Another approach that is becoming more commonplace is the compromise of end-user routers via network-scanning malware and firmware vulnerabilities. Today's faster mobile data transfer speeds and the growing adoption of 4G are also making smartphone-based botnets more useful for launching DDoS attacks. The worrying thing is that even inexperienced attackers can organize quite an effective DDoS campaign using such techniques.

Targeted attacks

The core infrastructure of a telecommunications company is a highly desirable target for cybercriminals, but gaining access is extremely difficult. Breaking into the core requires a deep knowledge of GSM architecture, rarely seen except among the most skilled and well-resourced cybercriminals. Such individuals can generally be found working for advanced, international APT groups and nation-state attackers, entities that have a powerful interest in obtaining access to the inner networks of telecommunication companies. This is because compromised network devices are harder for security systems to detect, and they offer more ways to control internal operations than can be achieved through simple server/workstation infiltration. Once inside the core infrastructure, attackers can easily intercept calls and data, and control, track and impersonate subscribers.

Other APTs with telecommunications on their radar

The Regin APT campaign, discovered in 2014, remains one of the most sophisticated ever seen and has the ability to infiltrate GSM networks, while the Turla group has developed the ability to hijack satellite-based Internet links as part of its Command & Control process, successfully obscuring its actual location.
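One way an operator can spot the reflection (DrDoS) technique described in the DDoS section above in its own flow telemetry. This is an added example, not code from the Kaspersky report: it groups flow records by destination and flags many distinct hosts answering from a reflector source port (NTP, RIPv1, NetBIOS) with unusually large replies aimed at one host. The flow records, the reflector port table and the thresholds are constructed assumptions.

```python
# Added example, not from the original report: the flow records, the
# reflector port table and the thresholds are constructed assumptions.
from collections import defaultdict

# UDP services the report names as reflection vectors, keyed by the source
# port their (amplified) replies come from.
REFLECTOR_PORTS = {123: "NTP", 520: "RIPv1", 137: "NetBIOS"}

# Constructed NetFlow-style records:
# (src_ip, src_port, dst_ip, dst_port, bytes, packets)
FLOWS = [
    # four distinct NTP reflectors sending 482-byte replies to one host
    ("198.51.100.10", 123, "203.0.113.5", 40123, 48200, 100),
    ("198.51.100.11", 123, "203.0.113.5", 40123, 48200, 100),
    ("198.51.100.12", 123, "203.0.113.5", 40123, 48200, 100),
    ("198.51.100.13", 123, "203.0.113.5", 40123, 48200, 100),
    # a normal NTP exchange: 48-byte replies from a single server
    ("192.0.2.20", 123, "203.0.113.9", 51000, 480, 10),
    # ordinary HTTPS traffic, not a reflector port
    ("192.0.2.30", 443, "203.0.113.5", 52000, 300000, 250),
]

def detect_reflection(flows, min_reflectors=3, min_bytes_per_packet=400):
    """Return {victim_ip: {service: reflector_count}} for suspected floods:
    many distinct hosts answering from one reflector port towards a single
    destination with replies larger than a normal exchange produces."""
    reflectors = defaultdict(lambda: defaultdict(set))
    for src_ip, src_port, dst_ip, _dst_port, nbytes, packets in flows:
        service = REFLECTOR_PORTS.get(src_port)
        if service is None or packets == 0:
            continue
        if nbytes / packets < min_bytes_per_packet:
            continue  # reply size typical of a legitimate exchange
        reflectors[dst_ip][service].add(src_ip)
    report = {}
    for victim, services in reflectors.items():
        hits = {svc: len(srcs) for svc, srcs in services.items()
                if len(srcs) >= min_reflectors}
        if hits:
            report[victim] = hits
    return report

if __name__ == "__main__":
    for victim, hits in detect_reflection(FLOWS).items():
        for service, count in hits.items():
            print(f"{victim}: {count} {service} reflectors sending amplified replies")
```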
Others, such as Dark Hotel and a new cyber-espionage threat actor likely to be of Chinese origin, exploit telecoms networks in their targeted campaigns. In these cases, the telecoms providers often suffer collateral damage even though they are not directly related to the attack. Further details on these can be found on Kaspersky Lab's expert Securelist blog or through a subscription to the Kaspersky APT Threat Intelligence Reporting service.

Unaddressed software vulnerabilities

Despite all the high-profile hacks and embarrassing data leaks of the last 12 months, attackers are still breaching telecoms defenses and making off with vast quantities of valuable personal data. In many cases, attackers are exploiting new or under-protected vulnerabilities. For example, in 2015, two members of the hacker group Linker Squad gained access to Orange Spain through a company website vulnerable to a simple SQL injection, and stole 10 million items of customer and employee data.

Figure: SQL injection vulnerability on Orange Spain web site

The impact of service misconfiguration

In many cases, the hardware used by the telecommunications industry carries configuration interfaces that can be accessed openly via HTTP, SSH, FTP or telnet. This means that if the firewall is not configured correctly, the hardware in question becomes an easy target for unauthorized access.

The risk presented by publicly exposed GTP/GRX (GPRS Tunneling Protocol/GPRS Roaming Exchange) ports on devices provides a good example of this. As CSPs encrypt the GPRS traffic between the devices and the Serving GPRS Support Node (SGSN), it is difficult to intercept and decrypt the transferred data. However, an attacker can bypass this restriction by searching on Shodan.io for devices with open GTP ports, connecting to them and then encapsulating GTP control packets into the created tunnel.

Table 1.
Top 10 countries with GTP/GRX ports exposed to Internet access

 #   Country                     Number of GTP/GRX ports
 1   China                       52.698
 2   Turkey                       8.591
 3   United States of America     6.403
 4   Canada                       5.807
 5   Belgium                      5.129
 6   Colombia                     2.939
 7   Poland                       2.842
 8   Morocco                      1.585
 9   Jamaica                        862
10   United Arab Emirates           808

The Border Gateway Protocol (BGP) is the routing protocol used to make decisions on routing between autonomous systems. Acceptance and propagation of routing information coming from other peers can allow an attacker to implement man-in-the-middle (MITM) attacks or cause denial of service. Any route that is advertised by a neighboring BGP speaker is merged into the routing database and propagated to all the other BGP peers.

Table 2. Top five countries with BGP protocol exposed to Internet access

 #   Country                     Number of devices (end of 2015)
 1   Republic of Korea           16.209
 2   India                        8.693
 3   United States of America     8.111
 4   Italy                        2.909
 5   Russian Federation           2.050

An example of such an attack took place in March 2015, when Internet traffic for 167 important British Telecom customers, including a UK defense contractor that helps to deliver the country's nuclear warhead program, was illegally diverted to servers in Ukraine before being passed along to its final destinations.

To prevent attacks against BGP from unauthorized remote parties, we recommend that companies apply network filtering, allowing only a limited number of authorized peers to connect to BGP services. To protect against malicious re-routing and hijacking initiated through authorized autonomous systems, we recommend monitoring for anomalies in BGP communications (this can be done through specialized software solutions or by subscribing to alerts from vendors providing this kind of monitoring).

Vulnerabilities in network devices

Routers and other network devices are also primary targets for attacks against telecommunications companies.
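The BGP anomaly-monitoring recommendation above, as an added example that is not part of the original report: announcements seen at a route collector are compared against a table of expected origin ASes for our own prefixes, and both an origin change and a more-specific announcement from a foreign AS are flagged, the two patterns behind the kind of diversion described. The prefixes, AS numbers and update list are constructed.

```python
# Added example, not from the original report. Prefixes, AS numbers and the
# route-collector updates are constructed (documentation/private ranges).
import ipaddress

# Constructed table: prefixes we are responsible for and the AS that should
# originate each one (in practice taken from IRR/RPKI records).
EXPECTED_ORIGINS = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/22": 64501,
}

# Constructed announcements as seen at a route collector: (prefix, AS_PATH).
# The last element of AS_PATH is the origin AS.
UPDATES = [
    ("203.0.113.0/24", [64510, 64500]),    # legitimate
    ("203.0.113.0/24", [64520, 64666]),    # same prefix, foreign origin
    ("198.51.100.0/24", [64530, 64666]),   # more-specific of our /22, foreign origin
    ("198.51.100.0/22", [64540, 64501]),   # legitimate
    ("192.0.2.0/24", [64550, 64777]),      # not our address space: ignored
]

def check_update(prefix, as_path, expected=EXPECTED_ORIGINS):
    """Return an anomaly description for one announcement, or None if benign."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    for known, known_origin in expected.items():
        known_net = ipaddress.ip_network(known)
        if net.version != known_net.version:
            continue
        if net == known_net:
            if origin != known_origin:
                return f"origin mismatch for {prefix}: AS{origin} instead of AS{known_origin}"
            return None
        if net.subnet_of(known_net):
            # A more-specific wins best-path selection, so a foreign origin here
            # diverts traffic even while our covering prefix is still announced.
            if origin != known_origin:
                return f"more-specific {prefix} of {known} announced by AS{origin}"
            return None  # our own traffic engineering
    return None  # prefix is not ours

def find_anomalies(updates, expected=EXPECTED_ORIGINS):
    """Collect the findings for a batch of announcements."""
    return [m for p, path in updates if (m := check_update(p, path, expected))]

if __name__ == "__main__":
    for finding in find_anomalies(UPDATES):
        print("ALERT:", finding)
```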
In September 2015, FireEye researchers revealed the router malware "SYNful knock", a combination of leaked privileged (root) credentials and a way of replacing device firmware that targets Cisco 1841, 2811 and 3825 routers (see the Cisco advisory). Put simply, SYNful knock is a modified device firmware image with backdoor access that can replace the original operating system if the attacker has managed to obtain privileged access to the device or can physically connect to it. SYNful is not a pure software vulnerability, but a combination of leaked privileged credentials and a particular way of replacing device firmware. Still, it is a dangerous way of compromising an organization's IT infrastructure.

Figure: SYNful knock backdoor sign-in credentials request

Figure: Worldwide distribution of devices with the SYNful knock backdoor

The latest information on the number of potentially compromised devices is available at https://synfulscan.shadowserver.org/stats/.

A second Cisco vulnerability, CVE-2015-6389, enables attackers to access some sensitive data, such as the password file, system logs and Cisco PCA database information, and to modify data, run internal executables and potentially make the system unstable or inaccessible. Cisco Prime Collaboration Assurance Software releases prior to 11.0 are vulnerable. Follow the Cisco bulletin for remediation actions. For further information on Cisco fixes for its devices see https://threatpost.com/cisco-warning-of-vulnerabilities-in-routersdata-center-platforms/115609.

Juniper, another network device manufacturer, has been found to carry vulnerabilities in the operating system for its NetScreen VPN appliances, enabling third-party access to network traffic. The issue was reported by the vendor in security advisory JSA10713 on December 18th, 2015, along with the release of the patch. It appears that the additional code with a hardcoded password was planted in the source code in late 2013.
The backdoor allows any user to log in with administrator privileges using hard-coded password “
