Cyberespionage Campaign in Ukraine Uses Free and Custom RATs

Security researchers have been tracking a sustained cyberespionage campaign against Ukrainian government institutions that uses a combination of free and custom-made remote access Trojans (RATs).

The malware programs involved in the years-long campaign are Quasar RAT, Sobaken RAT and Vermin and have been documented before, either as standalone threats or together. However, security researchers from ESET have now established clear links between the attacks in Ukraine that use these tools, which could suggest that a single group is behind them.

“Even though these threat actors don’t seem to possess advanced skills or access to 0-day vulnerabilities, they have been quite successful in using social engineering to both distribute their malware and fly under the radar for extended periods of time,” the ESET researchers said in a paper. “We were able to trace attacker activity back to October 2015; however, it is possible that the attackers have been active even longer.”

Quasar RAT is the oldest and most well-known of the three programs because it is open source and available on GitHub. Sobaken is a heavily modified and improved version of Quasar, while Vermin is a custom-made backdoor that first appeared sometime in 2016.

All three programs are written in .NET and are actively used by this group of attackers against different targets at the same time. ESET has identified a few hundred victims in different organizations in Ukraine and established that the malware samples associated with this campaign share parts of their infrastructure and command-and-control servers.

Vermin, which is the newest and most sophisticated of the three RATs, supports 24 main commands and has several optional components that add functionality such as audio recording, keylogging and password stealing.

The attackers have implemented sandbox detection methods and obfuscate their malware’s code using .NET code protection tools such as .NET Reactor or ConfuserEx. Their RATs refuse to run on systems that don’t have Russian or Ukrainian keyboard layouts installed or an IP address from those countries.

What’s interesting about this group is its success despite an apparent lack of sophistication. The distribution campaigns rely on basic tricks: right-to-left override (RLO) characters that disguise the real extension of malicious email attachments, self-extracting RAR archives and, in rare cases, Word documents carrying known exploits.
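The RLO trick works because a Unicode RIGHT-TO-LEFT OVERRIDE (U+202E) embedded in a filename makes a bidi-aware file manager draw everything after it backwards, so "Report\u202efdp.exe" is shown as "Reportexe.pdf" while the OS still executes it as an .exe. The following is an added example, not code from ESET or from the campaign itself, of how a mail gateway or attachment scanner can recover what the user sees and compare it with the real extension; the sample filenames and the list of executable extensions are constructed for illustration.

```python
# Added example: detecting the right-to-left override (RLO) filename trick.
# Not code from ESET or the campaign; sample filenames below are constructed.

RLO = "\u202e"            # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202c"            # POP DIRECTIONAL FORMATTING, ends an override
# Unicode bidi control characters; none belongs in a legitimate filename.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069", "\u200e", "\u200f"}
# Extensions Windows will execute on double-click (assumed, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "lnk", "msi", "ps1"}


def strip_controls(name: str) -> str:
    return "".join(c for c in name if c not in BIDI_CONTROLS)


def rendered_name(name: str) -> str:
    """Approximate what a bidi-aware file manager displays: the text after an
    RLO is drawn right-to-left (i.e. reversed) until a PDF or end of string."""
    idx = name.find(RLO)
    if idx == -1:
        return strip_controls(name)
    head, tail = name[:idx], name[idx + 1:]
    end = tail.find(PDF)
    overridden, rest = (tail, "") if end == -1 else (tail[:end], tail[end + 1:])
    return strip_controls(head + overridden[::-1] + rendered_name(rest))


def _ext(name: str) -> str:
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def analyze_filename(name: str) -> dict:
    """Compare the real extension (what the OS executes) with the one the user sees."""
    shown = rendered_name(name)
    real_ext, shown_ext = _ext(name), _ext(shown)
    has_bidi = any(c in BIDI_CONTROLS for c in name)
    return {
        "raw": name,
        "displayed": shown,
        "real_ext": real_ext,
        "shown_ext": shown_ext,
        "has_bidi": has_bidi,
        # Flag when a bidi control makes an executable look like something else.
        "suspicious": has_bidi and real_ext in EXECUTABLE_EXTS and real_ext != shown_ext,
    }


if __name__ == "__main__":
    for sample in ("Report\u202efdp.exe", "invoice_\u202ecod.scr", "notes.txt"):
        r = analyze_filename(sample)
        print(f"{r['displayed']!r:22} real={r['real_ext']:4} "
              f"shown={r['shown_ext']:4} suspicious={r['suspicious']}")
```

In practice the simplest policy is to quarantine any attachment whose name contains a bidi control at all, since there is no legitimate reason for one; the displayed-versus-real comparison above is useful for the analyst's report rather than for the blocking decision.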

“These attackers haven’t received much public attention compared to others who target high-profile organizations in Ukraine,” the ESET researchers said in a blog post. “However, they have proved that with clever social engineering tricks, cyberespionage attacks can succeed even without using sophisticated malware. This underscores the need for training staff in cybersecurity awareness, on top of having a quality security solution in place.”

Creator of Remote Administration Tool Admits It Was Really a Trojan

A Kentucky man admitted to creating and distributing a remote access Trojan called LuminosityLink that was used by thousands of users from around the world to access other people’s computers without authorization.

According to the guilty plea, the man, named Colton Grubbs, marketed LuminosityLink as a tool for system administrators and sold it to more than 6,000 customers for $39.99.

Developing and selling remote administration tools is not illegal. However, Grubbs also used the handle “KFC Watermelon” to advertise the program on a well-known cybercriminal forum, and actively assisted buyers in accessing computers without authorization.

“Defendant claimed that LuminosityLink was a legitimate tool for systems administrators, but knew that many customers were using his software to remotely access and control computers without their victims’ knowledge or permission,” the plea agreement reads. “Defendant’s marketing emphasized these malicious features of LuminosityLink, including that it could be remotely installed without notification, record the keys that a victim pressed on their keyboard, surveil victims using their computer cameras and microphones, view and download the computer’s files, steal names and passwords used to access websites, mine and earn virtual currency using victim computers and electricity, use victim computers to launch DDoS attacks against other computers, and prevent anti-malware software from detecting and removing LuminosityLink.”

The practice of Trojan developers marketing their creations as legitimate tools to avoid responsibility for how they’re used is not new. In February, Taylor Huddleston, 27, of Hot Springs, Arkansas, was sentenced to 33 months in prison for creating a RAT called NanoCore. He, too, initially claimed the program was a legitimate remote administration tool, but later admitted that he marketed it on Hack Forums and knew that some buyers intended to use it for malicious purposes.



DDoS Attacks Get Bigger, Smarter and More Diverse

DDoS attacks are relentless. New techniques, new targets and a new class of attackers continue to reinvigorate one of the internet’s oldest nemeses.

Distributed denial of service attacks, bent on taking websites offline by overwhelming domains or specific application infrastructure with massive traffic flows, continue to pose a major challenge to businesses of all stripes. Being knocked offline impacts revenue, customer service and basic business functions – and worryingly, the bad actors behind these attacks are honing their approaches to become ever more successful over time.

Several new themes are emerging in the 2018 distributed denial of service (DDoS) threat landscape. One is a shift in tactics that has pushed volumetric campaigns to new heights: attacks that rely on a sheer wall of packet traffic to overwhelm the capacity of a website and take it down.

However, while these traditional, opportunistic brute-force DDoS attacks remain a menace, a different class of threat has emerged: more sophisticated, micro-targeted attacks that take aim at, say, a specific application rather than a whole website. These types of DDoS attacks are a rapidly growing threat, as are “low and slow” stealthier offensives. At the same time, bot herders are working on expanding their largely IoT-based botnet creations, by any means possible, often to accommodate demand from the DDoS-as-a-service offerings that have created a flood of new participants in the DDoS scene. Those new entrants are all competing for attack resources, creating a demand that criminals are all too happy to fulfill.

“Attacks are getting larger, longer and more complex, as [the tools used to carry out attacks] are becoming more available,” said Donny Chong, product director at Nexusguard. “DDoS used to be a special occurrence, but now it’s really a commonplace thing – and the landscape is moving quickly.”

Terabit Era Dawns

One of the most notable evolutions in the DDoS landscape is the growth in the peak size of volumetric attacks. Attackers continue to use reflection/amplification techniques, abusing openly reachable DNS, NTP, SSDP, CLDAP, Chargen and other UDP services to maximize the scale of their attacks. Notably, in February the world saw a 1.3 Tbps DDoS attack against GitHub, setting a record for volume (it was twice the size of the previous largest attack on record) and demonstrating that new amplification sources can give unprecedented power to cybercriminals. Just five days later, an even larger attack was launched, reaching 1.7 Tbps. These showed that DDoS attackers are more than able to keep up with the growing size of the bandwidth pipes businesses use.

The technique used in February and March made use of misconfigured Memcached servers reachable from the public internet. Memcached is an in-memory key-value cache used to speed up database-driven websites. Many deployments exposed its UDP listener (port 11211) to the internet with no authentication, which opened the door to reflection attacks: a spoofed UDP request of a few bytes elicits a response of up to hundreds of kilobytes, an amplification of as much as 51,200x. That means attackers need far fewer resources of their own; they can send only a small amount of traffic (around 200 Mbps) and still end up with a massive attack. (Memcached 1.5.6 disabled the UDP listener by default; older installs should be started with UDP disabled and bound to a private interface.)
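Reflected floods have a recognisable shape on the victim's side: inbound UDP from many distinct sources, all with the same well-known source port, in large packets. The following is an added example, not code from the article or from any vendor quoted in it, that applies that heuristic to flow records and computes the bandwidth amplification factor discussed above; the flow records, the list of reflector ports and the thresholds are constructed for illustration.

```python
# Added example: flagging reflection/amplification traffic in flow records.
# Not code from the article or any vendor quoted in it; the flow records
# and the thresholds are constructed for illustration.
from collections import defaultdict

# UDP services commonly abused as reflectors (source port of the inbound flood).
REFLECTOR_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 389: "cldap",
                   1900: "ssdp", 11211: "memcached"}


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bandwidth amplification factor: bytes the reflector sends to the victim
    per byte the attacker spends on the spoofed request."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


def detect_reflection(flows, min_sources=3, min_avg_pkt=300):
    """Group inbound UDP flows by reflector service and flag a service when
    many distinct sources send large packets, the signature of a reflected
    flood (a genuine reply to our own query comes from one server, in small packets)."""
    stats = defaultdict(lambda: {"sources": set(), "bytes": 0, "packets": 0})
    for f in flows:
        service = REFLECTOR_PORTS.get(f["src_port"])
        if f["proto"] != "udp" or service is None:
            continue
        s = stats[service]
        s["sources"].add(f["src_ip"])
        s["bytes"] += f["bytes"]
        s["packets"] += f["packets"]
    alerts = []
    for service, s in stats.items():
        avg_pkt = s["bytes"] / s["packets"]
        if len(s["sources"]) >= min_sources and avg_pkt >= min_avg_pkt:
            alerts.append({"service": service, "sources": len(s["sources"]),
                           "bytes": s["bytes"], "avg_pkt": avg_pkt})
    return sorted(alerts, key=lambda a: a["bytes"], reverse=True)


# Constructed inbound flow records toward a victim (203.0.113.5): three
# memcached reflectors sending 1400-byte UDP packets, one ordinary DNS reply
# and one unrelated TCP flow.
SAMPLE_FLOWS = [
    {"src_ip": "198.51.100.10", "src_port": 11211, "dst_ip": "203.0.113.5",
     "dst_port": 40211, "proto": "udp", "bytes": 1_400_000, "packets": 1000},
    {"src_ip": "198.51.100.11", "src_port": 11211, "dst_ip": "203.0.113.5",
     "dst_port": 40211, "proto": "udp", "bytes": 1_400_000, "packets": 1000},
    {"src_ip": "198.51.100.12", "src_port": 11211, "dst_ip": "203.0.113.5",
     "dst_port": 40211, "proto": "udp", "bytes": 1_400_000, "packets": 1000},
    {"src_ip": "192.0.2.53", "src_port": 53, "dst_ip": "203.0.113.5",
     "dst_port": 50123, "proto": "udp", "bytes": 900, "packets": 10},
    {"src_ip": "192.0.2.80", "src_port": 80, "dst_ip": "203.0.113.5",
     "dst_port": 51000, "proto": "tcp", "bytes": 50_000, "packets": 60},
]

if __name__ == "__main__":
    # 15-byte memcached request vs. a 750 kB reply: the order of magnitude
    # behind the 51,200x figure quoted above.
    print("memcached BAF:", amplification_factor(15, 750_000))
    for alert in detect_reflection(SAMPLE_FLOWS):
        print(alert)
```

The same grouping is what an upstream provider's ACL ends up expressing ("drop UDP source port 11211 toward the victim"), which is why Chong describes Memcached floods as easy to mitigate once identified; the harder problem is noticing the next reflector service before it shows up in this table.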

The good news is that even as the peaks get larger, volumetric attacks are quickly dealt with.

“These are big and obvious and relatively easy to mitigate,” said Chong. “Blocking Memcached attacks is as simple as doing ISP filtering and blocking the signature – it just goes away. So, it’s not as scary as it seems.”

However, criminals are almost certainly looking for the next major reflector source.

“Expect a huge attack, then the good guys to come in and shut some of those resources down on the bad guys,” said Martin McKeay, global security advocate at Akamai. “This is cyclical. We saw it happen with NTP, DNS and now Memcached, and it will happen again.”

He added that the implications of being able to reach such dizzying attack heights could be profound going forward.

“The undersea cable between Europe and the U.S. is 3.2 terabits,” said McKeay. “If you try to send that amount of traffic through that pipe, you’re going to gum up the works for a very long time, for a lot of companies. A lot of countries don’t even have 1.3 terabits coming in in total, so we’re starting to look at attacks that can take whole countries offline for a good amount of time.”

This kind of doomsday scenario is not without precedent: In 2016, a Mirai botnet variant known as Botnet 14 spent seven days continually attacking the west African nation of Liberia, flooding the two companies that co-own the only fiber going into the country with 600 Gbps flows – easily overwhelming the fiber’s capacity and knocking the country offline.

Rising Sophistication

While big, splashy volumetric attacks make headlines, the reality is that smaller, more sophisticated attacks are perhaps the greater concern.

“DDoS has historically been pretty unsophisticated – it doesn’t require a closed-loop response where you steal data and need to get it back to you,” said Sean Newman, director of product management at Corero Network Security. “Typically, you just send out the traffic to a pipe with the goal of filling it up. But, what we’ve seen recently is that those very large unsophisticated attacks [now] represent a small proportion of the [campaigns] that go on. Across all the DDoS efforts that we see, the majority, just over 70 percent, are [now] less than 1 GB in size. And that’s because the attackers are moving away from using simplistic brute force, to using more sophisticated techniques.”

Modern DDoS toolkits can launch both infrastructure-based (i.e., volumetric) and application-based payloads; application-layer attacks in particular are sneakier and can be very targeted, researchers said.

Rather than just look to overwhelm a company’s broadband connection or DNS infrastructure, as was the norm in the past, application-layer attacks focus on one aspect of the target’s communications, such as, say, a VoIP server. These look to exhaust specific server resources by monopolizing processes and transactions.

“Attacks use just enough traffic to be successful,” Chong explained. “Most of the enterprises out there in the market have around 100 Mbps of bandwidth coming into their location, so you don’t need a 1-terabit attack to be effective. These are small, specially crafted campaigns where threat actors first examine where a service is hosted, such as a data center, in the cloud or at a hosting provider – and then they launch a small attack that just overwhelms the limits of the target’s bandwidth. This approach is much more precise and effective, requires fewer resources, and often flies under the radar because the bad traffic’s volume is close in size to the normal traffic going into that enterprise.”
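An application-layer attack of the kind described above rarely shows up in bandwidth graphs, but it does show up in the web server's own logs as a small number of clients hammering the endpoints that are expensive to serve. The following is an added example, not code from the article or from any vendor quoted in it, of a sliding-window check over access log lines; the log lines, the "expensive" endpoint and the thresholds are constructed for illustration.

```python
# Added example: spotting a low-volume, application-layer flood in web server
# logs. Not code from the article or any vendor quoted in it; the log lines,
# the "expensive" endpoint and the thresholds are constructed for illustration.
import re
from collections import defaultdict, deque
from datetime import datetime

# Common/combined log format prefix: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return the parsed fields, or None for lines that are not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def flag_sources(lines, expensive_paths, window_s=10, max_hits=20):
    """Sliding-window request count per client on endpoints that are costly to
    serve (search, report generation, login). Returns {ip: peak hits in window}
    for clients that exceeded max_hits; note the total volume can be tiny."""
    records = sorted((r for r in map(parse_line, lines) if r), key=lambda r: r["ts"])
    recent = defaultdict(deque)   # per-client timestamps inside the window
    flagged = {}
    for rec in records:
        if not any(rec["path"].startswith(p) for p in expensive_paths):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > max_hits:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


def _line(ip, sec, path, status=200):
    return f'{ip} - - [17/Jul/2018:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" {status} 512'


# Constructed sample: one client fires 30 search requests in six seconds
# (roughly 15 KB of traffic in total); a normal visitor makes five spread over
# forty seconds plus one static asset that is ignored by the check.
SAMPLE_LOG = (
    [_line("203.0.113.7", sec, "/api/search?q=%25") for sec in range(6) for _ in range(5)]
    + [_line("198.51.100.9", sec, "/api/search?q=laptop") for sec in (0, 10, 20, 30, 40)]
    + [_line("198.51.100.9", 3, "/static/app.js")]
)

if __name__ == "__main__":
    print(flag_sources(SAMPLE_LOG, ["/api/search"]))
```

The point of scoping the count to expensive paths is that a per-client total request rate is dominated by cheap static assets and would hide exactly the traffic Chong describes; sizing the window and threshold from the endpoint's measured cost (how many concurrent searches the backend can actually serve) is what makes the check meaningful rather than arbitrary.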

An example of this is the attacks mounted during protests in the wake of the 2009 Iranian presidential election. That’s when several high-impact and relatively low bandwidth efforts were launched against Iranian government-run sites. Since then, the method has gained popularity. Meanwhile, the large, “big-bang” efforts that still make up 30 percent of the campaigns seen in the wild are sometimes used as a distraction, Chong added, acting as a smokescreen to mask other activities, such as a data exfiltration effort. F5 for example noted last year that almost 50 percent of attacks fell into this category.

To carry this out, higher-end threat actors can use partial link saturation, designed to leave just enough bandwidth available for a secondary attack. In this scenario, a distracting DDoS attack consumes resources in enough security layers to let a targeted malware attack through. Often the IT staff is too busy dealing with the DDoS attack, which damages revenue and reputation on its own, to notice that another intrusion is taking place through other channels.

IoT Factor

While both volumes and sophistication are on the rise, the impact of DDoS botnets that are built from tens of thousands of compromised internet-of-things (IoT) devices remains perhaps the biggest story in this particular crime sector, representing a rapidly expanding threat surface.

“The explosion of IoT devices is an attack vector that’s going to be around and of interest for a long while,” said Newman. “Consumers and businesses are buying these devices for the coolness factor and the ability to automate your life. And vendors are much more incentivized to get the latest thing to market ASAP instead of spending time on security.”

Elias Bou-Harb, research assistant professor at Florida Atlantic University and a cyber-threat researcher, added: “While the focus was on functionality and accessibility, security is and continues to be an afterthought. Vendors should be vigilant about this and emphasize security in their design, early on. This is especially factual if those IoT devices are deployed and being operated in critical infrastructure.”

Meanwhile, for many consumer and business IoT users, security remains low on the list of concerns, making for little pressure on vendors to clean up their act. That’s because owners of compromised IoT devices rarely end up feeling like victims, Newman added.

“The small amount of traffic being requested from each device may be only 1 megabit each, and you’re unlikely to feel that on your home network in terms of performance degradation,” Newman explained. For that reason, IoT botnets continue to be responsible for widespread infections, which can be easily marshalled for DDoS attacks.

“IoT is kind of the sweet spot for DDoS botnets, because these devices are prevalent, but no one really controls them – they’re almost unmanaged,” said Jeremy Kennelly, manager of threat intelligence analysis at FireEye. “Cameras and routers and things are just left out there, not being updated, and meanwhile the non-expert population gets used to what they think are just glitches – they don’t think they might be compromised.”

While Mirai kicked off the era of the IoT botnet in 2016, two of the latest events on the bot scene include the rise of the Satori botnet, which infected more than 100,000 internet-connected D-Link routers in just 12 hours, and the VPNFilter IoT botnet, which infected at least 500,000 consumer-grade internet routers (i.e., Linksys, MikroTik, Netgear and TP-Link devices) in more than 50 countries in a very short amount of time. VPNFilter is particularly nasty, capable of DDoS as well as delivering malware and stealing data.

Others meanwhile are appearing all the time.

“Very recently, June 18-June 22, we tracked a botnet (which was never reported before) composed of more than 50,000 IoT bots, distributed over 170 countries and hosted in more than 30 business sectors,” said Bou-Harb. “We are seeing excessive IoT exploitations targeting home and business routers, storage devices, cameras, voice over IP phones and more.”

Bot herders are also in a race to expand their IoT infrastructure – something that’s all too easy. IoT botnets are either built through simplistic compromises involving common, hard-coded, default passwords for devices that are easy to search for on the internet; or via the exploit of known vulnerabilities.

“The recent compromise of GPON home routers came down to a couple of specific vulnerabilities in the code that were never patched,” Newman said.

Code-reuse is also rife in IoT devices, meaning that putting effort into exploiting vulnerabilities can be a valuable vector with a lot of payoff. The Satori botnet for example was created by exploiting a known buffer overflow technique in generic code, Newman added.

Beyond existing IoT, the actors behind botnets are always looking to also commandeer new classes of devices from which to carry out attacks. In the future, things such as sensor networks or devices for smart-city applications could vastly expand the attack infrastructure.

“We haven’t seen the peak of what IoT botnets are capable of yet, and you can be sure there are more pools of resources out there to be found,” said McKeay. “For instance, we’re not monitoring IPv6 as closely as we should – and I wouldn’t be surprised if there’s something lurking there that can be harnessed for this.”

All of the bad actors’ frenetic expansion activity is driven by basic market economics. “We continue to see competition for the infrastructure,” said Kennelly. “That’s one of the reasons that the peak sizes for DDoS are decreasing. The bad guys are all competing for the same set of resources. As members of the community trade tips and exploit code, certain botnets become more popularized, and they start competing for access to it. As the resources are consumed, peak sizes level out.”


DDoS is traditionally seen as a tool used by politically and religiously motivated hacktivists to make a point. However, DDoS intentions are evolving, particularly with the advent of DDoS-as-a-service. Put simply, IoT botnets have paved the way for a new generation of cheap on-demand services. These dramatically lower the barriers to entry for attackers by eliminating the requirement to have technical knowledge to carry out an offensive.

“Anyone with a PayPal account can make a quick purchase on a WebStresser-like site,” said McKeay. “You could be a 12-year-old that saw a tutorial on a YouTube channel – there’s not a huge amount of technical skills needed to DDoS someone.”

This low bar to entry has given rise to new actors with new kinds of motivations behind attacks. For instance, as with most things in cybercrime, there’s an emerging financial aspect to attacks thanks to the fantastic ROI that some campaigns can offer.

“We are starting to see ransom-driven attacks shifting to DDoS,” explained Newman. “For $10 an hour you can cause enough damage to take a website down. So, you craft a few ransom emails from an anonymous account and ask for Bitcoin in exchange for sparing the target a DDoS attack. You have nothing to lose, really. In the likelihood you get a good hit rate – say one in 1,000, even one in 10,000 – you can be making good money as an individual on the back of that.”

Some DDoS-as-a-service providers even have a “try before you buy” function. As a consequence, person-to-person attacks are also on the rise.

“Many of these are gaming attacks,” explained Darren Anstee, CTO NETSCOUT Arbor. “If I’m a serious player of game X and I want to slow down gameplay for opponents, it’s easy to launch a small, short-lived attack for no money. A lot of people will use it for a social-media beef or gaming issue, or really any personal slight.”

Winning Poker Network CEO Phil Nagy, for instance, said in September 2017 that his site was hit with a series of 26 separate DDoS attacks over three days, which he said were being carried out by a rival poker room. At the other end of the spectrum, adaptive adversaries have appeared: attackers capable of turning a DDoS attack into something akin to a game of chess.

“In a recent campaign we looked at incoming traffic and identified unique strings and started blocking it – but then we saw the attacker change the type of traffic, or change the strings, essentially adapting to the defenses,” said McKeay. “The attackers finally started hitting the DNS server—and if you take that offline then you’ve taken the company offline.”

The level of sophistication indicated a different type of opponent as well.

“Reflection tactics and botnets make attribution almost impossible,” McKeay said. “But someone modifying code and traffic on the fly like that is probably organized crime or a nation-state actor, demonstrating training and skills that aren’t everyday things in the DDoS world. They’re doing stuff with the code and reconfiguring tools as time goes by—across a multi-day project.”

That’s not to say that hacktivism doesn’t still play an important role in fomenting DDoS. NETSCOUT Arbor’s 2017 Worldwide Infrastructure Security Report showed that vandalism together with political and ideological disputes were among the top three motivators of DDoS attacks.

In the build up to Mexico’s presidential elections, for instance, the website of the country’s National Action Party was hit by DDoS after it published documents critical of the leading candidate. NETSCOUT Arbor saw more than 300 attacks per day in Mexico during the period of June 12 and 13, which was 50 percent higher than the normal frequency in the country.

Whether we discuss tactics, motivation or sheer capability, the DDoS threat landscape is becoming more sophisticated and varied over time. And, thanks to the rise of the IoT botnet phenomenon, it’s not an area that’s shrinking in terms of the dangers it poses to both businesses and consumers. The good news is that effective mitigations exist, from basic security awareness on the part of consumers (i.e., change those default passwords), to higher-end traffic inspection and in-stream cleaning functions for enterprises; better collaboration between researchers and law enforcement and the emergence of ISPs getting into the filtering act are also helping.



Ubisoft Games Hit by Massive DDoS Attacks

France-based video game publisher Ubisoft suffered a series of massive distributed denial-of-service (DDoS) attacks. As a result, several Ubisoft gaming servers, including those for Ghost Recon Wildlands, For Honor and Far Cry 5, were facing connectivity issues.

The DDoS attacks began on Tuesday, July 17th, when Ubisoft used its customer support Twitter handle to confirm the outage and state that the company was working to mitigate the attacks.

“We’re currently monitoring DDoS attacks impacting Ubisoft services and causing players to be unable to connect to games. The attacks are focused on our games connections and server latency, which we are working on mitigating. Thank you for your patience as we resolve this,” the tweet read.


One of the Ubisoft’s players wondered if the DDoS attacks pose any risk to their personal information or whether there is a need to change their password. In response, Ubisoft said that “We haven’t had any indication that any information would be at risk.”

In a DDoS attack, an attacker sends overwhelming traffic from multiple sources to the targeted server, which eventually forces it offline. DDoS attacks on their own do not put user data at risk; data would be exposed only if the attackers had also exploited some vulnerability to gain access to the server or its admin panel, or if the outage were used as cover for such an intrusion.

Another user shared a screenshot of the error message displayed on their device, stating that “The For Honor servers are unreachable at this time. Please try again later.”

It is unclear who was behind the attack or what the motives were, but this is not the first time a gaming giant has suffered large-scale DDoS attacks. Last week Blizzard games were also hit by a cyber attack which caused a service outage for Overwatch, Heroes of the Storm and World of Warcraft players.

As for Ubisoft, there has been no official tweet confirming if the service outage has been fixed. However, some of the company’s tweets to users suggest that the DDoS attacks have been mitigated.



GDPR Hurts Security but Publicity Might Help

A survey of 900 security professionals conducted by AlienVault at Infosecurity Europe found that spending on GDPR compliance efforts has hindered threat detection but cybersecurity publicity might actually benefit the industry. Additionally, the survey reflected the strong belief that cybersecurity is becoming entrenched in politics.

Of the professionals that participated in the survey, 51% said the additional resources their organizations are spending on GDPR compliance take vital resources away from detecting threats.

In addition, the report noted that not all security publicity is bad. An overwhelming majority (84%) of respondents said that the increased cyber-threat publicity has been very useful. Without offering reasons as to how all of the press coverage is useful, the report stated, “It is likely that large public breaches raise awareness for the need of cybersecurity.”

A majority (56%) believe cybersecurity has become a political pawn, with only 17% disagreeing with that perception. “It’s easy to see why many professionals feel this way. Encryption, in particular, finds itself at the forefront of many discussions, polarizing opinion as to whether or not law enforcement should have ‘back doors’ or other means of accessing communication to crack down on crime,” the report stated.

Cloud security threats will be the most concerning external threat moving forward, followed by distributed denial-of-service (DDoS) attacks and the international threat landscape, including threats of nation-state attacks.

Phishing is the most concerning internal threat, with 55% of respondents expressing concern that their organization will fall victim to a phishing attack. Ransomware came in a close second, with 45% of participants ranking it as the most concerning internal threat.

Respondents were asked to select their top threat concerns. More than a quarter (29%) of respondents worry about a shortage of skilled staff, and 27% are concerned about nonmalicious insider mistakes. Less than a quarter (23%) of security professionals fear social media threats.

“The human element of phishing is what makes it attractive to attackers and [a] concern for security departments. No single control can defend against a phishing attack, and ultimately, humans make mistakes. In fact, human error can be traced back to the root cause of many breaches,” the report stated.

AlienVault said user awareness and education are important but don’t go far enough in preparing for these types of attacks. To fortify their overall security posture, companies should create a layered defense comprising people, technology and process, according to the report.



Top cyber security risks for business

AIG’s 2017 cyber claims statistics reveal business’s key vulnerabilities, and indicate areas of focus for risk committees and business continuity providers, says Roxanne Griffiths, Financial Lines Underwriting Manager, AIG South Africa.

The recent release of AIG’s cyber claims statistics for 2017 reveals the trends that businesses should be watching into the future. AIG’s statistics show cyber threats are escalating: claims notifications for 2017 equalled the total claims for the previous four years. On average, in 2017, AIG’s cyber claims staff was handling the equivalent of one claim per working day.

“Our statistics confirm that business’s increasing reliance on digital platforms has created a large group of vulnerabilities that must be addressed. This is not news to business, but it is good to have it confirmed, and perhaps the extent of the growth in successful attacks (and thus claims) may surprise many,” says Roxanne Griffiths, Financial Lines Underwriting Manager, AIG South Africa. “The statistics also make it clear that ransomware remains the top cause of loss in cyber claims. This was probably expected, but it’s less well understood that business interruption is the key impact of a ransomware attack.”

Another important trend is that the incidence of cyber claims is spreading more broadly across a range of industry sectors. In the past, financial services companies were the major source of cyber claims, but their percentage of claims dropped from 23% in 2013-16 to 18% in 2017, with professional services growing strongly. The retail/wholesale sector made up 12% of cyber claims, with business services and manufacturing both at 10%.

The growth in the percentage of claims from professional services firms, up from 6% in 2013-2016 to 18%, indicates they are becoming more of a target. Lawyers and accountants, in particular, have large databases of sensitive client information that are attractive to hackers. AIG predicts the European Union’s General Data Protection Regulation (GDPR), which recently came into effect, will make firms more vulnerable to extortion, and the same trend could emerge in South Africa when the Protection of Personal Information Act (POPI) comes into force.

Another worrying trend is that the professionalism associated with ransomware attacks is diminishing, along with the certainty that those who pay the ransom will get their data back.

“Ransomware is becoming commoditised and automated. In line with this, attacks seem to be becoming indiscriminate, so even if you don’t think you have any valuable data or are too small, you can still be targeted and suffer business interruption,” says Griffiths.

AIG expects claims trends over the next 12 months to continue to be affected by the commoditisation of ransomware and more data breaches due to the influence of GDPR. Given the ongoing political uncertainty globally, actions by various state or quasi-state actors could also drive cyber attacks and thus claims.

Based on its analysis of these claims statistics, AIG has identified the top cyber security risks for companies in the Europe, Middle East and Africa region:

* External servers with remote access combined with weak passwords. This offers an opportunity for the introduction of malware and ransomware. Remote access should be carefully controlled.
* Lack of user awareness permits hacking by phishing for passwords. The user engages with the content of a phishing e-mail and is directed to a fake login page, where credentials are harvested, opening the victim’s account to hackers. Any request for login details is a red flag for phishing.
* Weak login protocols. The risk from credential phishing is greatly reduced if two-factor authentication is enabled, requiring a secondary code or token for account login (one-time codes can still be relayed by a real-time phishing proxy; phishing-resistant methods such as hardware security keys close that gap). As a minimum, this should be adopted for business directors and partners, and employees involved in payments.
* Failure to install DDoS (distributed denial of service) defences. DDoS attacks attempt to make a company’s servers unreachable by flooding the site with traffic. The flood can cause the Web site to shut down completely, and this type of attack is an increasing threat, especially as poorly protected devices on the Internet of Things are easily harnessed by hackers to create botnet armies capable of pushing out huge amounts of data.




Your IoT Is Probably Not A-OK

A few weeks ago, major retailers stopped selling toys from the company CloudPets after more than 2 million recorded messages were leaked in a major security breach. Internet of things (IoT) security breaches are as prevalent as they’re varied. From medical devices and traffic lights to automobiles and toys, each hitherto unconnected device that now joins the big bad world wide web brings additional security mysteries to the fore. And with over 20 billion connected devices projected to be in use by 2020, these are mysteries we must unravel.

There are plenty of reasons for the current gaps in IoT security including a lack of regulation, market failures and stakeholder indifference, although none of these are insurmountable. Even considering these challenges, there are concrete steps that we can take to avoid future IoT mishaps and eventual attacks by an animatronic locust swarm.

IoT Security Challenges

Square Pegs In Round Holes

It’s difficult for organizations to achieve competence in multiple fields. Whenever product companies make an IoT-enabled device, they struggle to reconcile their expertise in their original industry with their unfamiliarity with internet connectivity and security. The result is manufacturers shipping products with outdated operating systems and no patching mechanism (if the device can be patched at all), being lax about password protection (default or hard-coded credentials that are never changed) and having no regular software update channel through which to reach their customers.

Moreover, many physical products have complex supply chains with outsourced production, cost-saving exercises and clearly defined team structures. It’s an expensive and — from the companies’ point of view — unnecessary undertaking to weave device security into the process when there’s no requirement for it.

And there’s no requirement because of…

Lack Of Regulation

There have been welcome strides in IoT security regulation in recent years. While the IoT Cybersecurity Improvement Act of 2017, a bill introduced in the US Senate, is a good start, the industry still lacks a unifying, robust piece of legislation that puts the onus on vendors to comply with requirements or face consequences. And it’s understandable why that’s the case: with IoT still an evolving field, most innovation is carried out by startups that would be hamstrung by having to comply with labyrinthine regulations from the get-go.

Additionally, since IoT sits at the intersection of technology and a bevy of other industries, it’s a challenge to enact legislation that intersects across these industries and doesn’t impose unfair restrictions but also doesn’t leave requirements too lax to make any difference.

Attack By Proxy

In 2016, major websites experienced outages because of a large DDoS (Distributed Denial of Service) attack. This happened because their DNS provider, Dyn, was forced offline by a botnet (Mirai) made up largely of compromised IoT devices such as webcams and digital video recorders, alongside some traditional computing devices. This incident set a dangerous precedent for how innocuous devices could be “recruited” by attackers and used for malicious purposes without the device owners ever knowing about it.

The range of dangers posed by IoT hacks is so great because of their interconnected and dual nature. Because the devices serve an “offline” purpose (like a TV or fridge) but are also connected to the internet, they can be compromised without affecting their original purpose, making the compromise harder to spot. And because they’re interconnected, one loose stone can quickly lead to an avalanche.

What Can We Do?

Network Segmentation

It’s vital to protect and secure the networks connecting IoT devices to the wilderness of the internet, and the first step is to keep those devices on their own network segment (a dedicated VLAN or Wi-Fi network, for example) so that a compromised device cannot reach workstations, servers or other devices it has no business talking to. Because IoT network security is a greater challenge owing to the multitude of protocols, standards and device capabilities at play, its implementation is often incomplete and thus draws the eyes of attackers. Firewall and IPS controls at the segment boundary that allow only the destinations and ports each device actually needs, together with traditional endpoint protection on the devices that can support it, will go a long way toward deterring the use of IoT devices as attack entry points.

Stakeholder Proactivity

Consumers have been trained (relatively speaking) to care about the security of their computing devices, but it’s easy for them to forget to update the OS on their toaster, to everyone’s detriment. IoT device users should be proactive in changing passwords from their defaults (and changing them periodically afterward as well), checking that patches and updates are regularly installed, and reporting unusual activity to the relevant authorities immediately.

For their part, IoT device manufacturers should follow the requirements set out in the IoT Cybersecurity Improvement Act: regularly patching the software on their devices, shipping devices without fixed default passwords and giving users the option to change them, and communicating with their users about other security best practices as and when they come to light.

Authentication And Encryption

IoT communication often doesn’t have a human in the loop, with machine-to-machine “conversations” taking place in the back end. In this scenario the devices must authenticate each other (with per-device credentials or certificates rather than one secret shared across the fleet), and the data must be strongly encrypted while in transit between devices, with full key life cycle management: issuance, rotation and revocation. Even if the devices themselves are secure, a credential or key that leaks into the public domain can be picked up by attackers and become the keyhole they need to jimmy the door.
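As an added example (not code from the original article) of what key life cycle management looks like at the message level, the block below authenticates machine-to-machine messages with per-device HMAC-SHA256 keys that carry a key id, rejects replays with a sequence number, and shows that once a key has been rotated out (because it leaked or simply aged) a message signed with it is refused. The device name and key ids are hypothetical, the shared key store stands in for both the device’s provisioned key and the back end’s registry, and only the Python standard library is used.

```python
import hashlib
import hmac
import json
import secrets


class KeyStore:
    """Key registry shared (conceptually) by the device and the back end.

    Each device key has an id. Rotation retires the old id so that a key which
    has leaked, or has simply aged out, can never authenticate a message again."""

    def __init__(self):
        self.active = {}      # key_id -> 32-byte secret that is currently valid
        self.retired = set()  # key ids rotated out: must be rejected, never reused

    def issue(self, device_id):
        key_id = f"{device_id}-k{len(self.active) + len(self.retired) + 1}"
        self.active[key_id] = secrets.token_bytes(32)
        return key_id

    def rotate(self, device_id, old_key_id):
        self.active.pop(old_key_id, None)
        self.retired.add(old_key_id)
        return self.issue(device_id)


def sign_message(store, key_id, device_id, seq, payload):
    """Device side: serialize deterministically, then authenticate with HMAC-SHA256."""
    body = json.dumps({"device": device_id, "seq": seq, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    tag = hmac.new(store.active[key_id], body.encode(), hashlib.sha256).hexdigest()
    return {"key_id": key_id, "body": body, "tag": tag}


def verify_message(store, last_seq, msg):
    """Back-end side. Returns a verdict string and updates last_seq on success."""
    key_id = msg["key_id"]
    if key_id in store.retired:
        return "retired-key"          # valid once, but rotated out since
    key = store.active.get(key_id)
    if key is None:
        return "unknown-key"
    expected = hmac.new(key, msg["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["tag"]):   # constant-time comparison
        return "bad-tag"
    fields = json.loads(msg["body"])
    # A strictly increasing sequence number stops an attacker replaying a
    # captured, correctly signed message.
    if fields["seq"] <= last_seq.get(fields["device"], -1):
        return "replay"
    last_seq[fields["device"]] = fields["seq"]
    return "ok"


def demo():
    """Walks through the life cycle and returns the verdict for each step."""
    store, last_seq, verdicts = KeyStore(), {}, []
    device = "thermostat-17"                                    # hypothetical device
    kid = store.issue(device)
    m1 = sign_message(store, kid, device, 1, {"temp_c": 21.5})
    verdicts.append(verify_message(store, last_seq, m1))        # ok
    verdicts.append(verify_message(store, last_seq, m1))        # replay of m1
    tampered = dict(m1, body=m1["body"].replace("21.5", "99.0"))
    verdicts.append(verify_message(store, last_seq, tampered))  # bad-tag
    m2 = sign_message(store, kid, device, 2, {"temp_c": 21.6})  # captured before rotation
    new_kid = store.rotate(device, kid)                         # key leaked or aged out
    verdicts.append(verify_message(store, last_seq, m2))        # retired-key
    m3 = sign_message(store, new_kid, device, 2, {"temp_c": 21.6})
    verdicts.append(verify_message(store, last_seq, m3))        # ok
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The key id travels with the message so the back end can look up the right key and still tell a retired key apart from one it has never seen; the sequence number is what makes a captured message useless, which matters because on a device without a clock nothing else distinguishes a replay from a fresh reading.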

Automate For Fast Response

Following the “hope for the best, prepare for the worst” adage, enterprises need to be prepared for an IoT breach to occur. Key tools needed here would be a SIEM/detection platform that identifies any anomalies that occur with IoT device behavior, and a security orchestration platform that weaves together data and actions from multiple products to automate incident response.

Platforms that can connect to on-premises security tools, as well as to IoT devices through APIs, can make it easier for security teams to recognize the root cause of an attack and execute actions on the IoT devices directly.
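What such a detection platform does at its core, as an added example (not code from the original article): the block below builds a per-device behavioural baseline from a week of constructed flow records (bytes sent per hour and the destinations each device talks to), flags new records that deviate from it, and turns the alerts into the orchestration actions a response platform would execute. The device names, destinations and traffic figures are all constructed for illustration.

```python
import statistics
from collections import defaultdict

# Constructed learning window: (device, bytes sent in one hour, destination contacted).
BASELINE_FLOWS = [
    ("camera-01", 1_000_000, "cloud.vendor.example"),
    ("camera-01", 1_100_000, "cloud.vendor.example"),
    ("camera-01", 1_200_000, "cloud.vendor.example"),
    ("camera-01", 1_300_000, "cloud.vendor.example"),
    ("camera-01", 1_100_000, "cloud.vendor.example"),
    ("camera-01", 1_200_000, "cloud.vendor.example"),
    ("camera-01", 1_000_000, "cloud.vendor.example"),
    ("thermostat-02", 4_000, "api.vendor.example"),
    ("thermostat-02", 4_200, "api.vendor.example"),
    ("thermostat-02", 3_900, "api.vendor.example"),
    ("thermostat-02", 4_100, "api.vendor.example"),
    ("thermostat-02", 4_000, "api.vendor.example"),
    ("thermostat-02", 4_050, "api.vendor.example"),
    ("thermostat-02", 3_950, "api.vendor.example"),
]

# Constructed detection window: one normal hour per device, then misbehaviour.
NEW_FLOWS = [
    ("camera-01", 1_200_000, "cloud.vendor.example"),   # normal
    ("camera-01", 48_000_000, "203.0.113.9"),           # 40x volume to an unknown host
    ("thermostat-02", 4_000, "api.vendor.example"),     # normal
    ("thermostat-02", 5_000, "198.51.100.77"),          # new destination, volume within range
]


def build_baselines(flows):
    """Per device: mean and spread of hourly volume plus the set of known destinations."""
    volumes, destinations = defaultdict(list), defaultdict(set)
    for device, nbytes, dst in flows:
        volumes[device].append(nbytes)
        destinations[device].add(dst)
    return {
        device: {"mean": statistics.fmean(v), "stdev": statistics.pstdev(v),
                 "dests": destinations[device]}
        for device, v in volumes.items()
    }


def detect(baselines, flows, z=3.0, min_spread=0.10):
    """Return (device, reason, destination) for every record that departs from its baseline."""
    alerts = []
    for device, nbytes, dst in flows:
        base = baselines.get(device)
        if base is None:
            alerts.append((device, "unknown-device", dst))
            continue
        reasons = []
        # Floor the spread at 10% of the mean so a very steady device does not alert on noise.
        spread = max(base["stdev"], min_spread * base["mean"])
        if nbytes > base["mean"] + z * spread:
            reasons.append("volume-spike")
        if dst not in base["dests"]:
            reasons.append("new-destination")
        if reasons:
            alerts.append((device, "+".join(reasons), dst))
    return alerts


def plan_response(alerts):
    """Map alerts to one orchestration action per device, strongest action wins."""
    actions = {}
    for device, reason, dst in alerts:
        if "volume-spike" in reason or reason == "unknown-device":
            actions[device] = "quarantine"                          # isolate the device
        else:
            actions.setdefault(device, f"block-destination:{dst}")  # narrower action
    return actions


if __name__ == "__main__":
    found = detect(build_baselines(BASELINE_FLOWS), NEW_FLOWS)
    for alert in found:
        print(alert)
    print(plan_response(found))
```

The two signals deliberately lead to different actions: a device that has suddenly started pushing 40 times its normal volume to an unknown host looks like a recruited bot and is quarantined, while a single unexpected destination at normal volume gets a targeted block so that a firmware update server the baseline simply never saw does not take a device offline.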



Critical infrastructure remains insecure

Organisations can no longer afford to leave their systems unprotected from increasingly advanced cyber threats.

The threat to our critical national infrastructure (CNI) system is at an unprecedented high with reported cyber-attacks from a number of factions, suspected infiltrations from nation states, and the NCSC warning that these systems remain a high-profile target and exceptionally vulnerable.

Earlier this month, researchers found that just four lines of code implanted in a device on a factory floor could identify and list networks, trigger controllers and stop processes and production lines. In fact, responding to Corero’s Freedom of Information requests, 70% of critical infrastructure institutions – ranging from police forces to NHS trusts, energy suppliers and water authorities – confirmed they’d experienced service outages in their IT systems within the last two years.

Service outages and cyber-attacks against critical infrastructure have the potential to inflict significant, real-life, disruption by preventing access to essential services such as power, transport and the emergency services. Recognizing the damaging impact they can inflict, malicious actors have started crafting malware specifically to target these systems and many believe the next attack is just around the corner.

With the heightened threat, and the possibility of significant fines under the new Network and Information Systems (NIS) directive which came into effect in early May, it’s crucial that organizations implement security measures before damage is done.

Industrial control systems at risk

In recent months, we have seen a greater number of sophisticated cyber threats against all parts of critical infrastructure. Indeed, last October a DDoS attack on the Swedish Railway took out its train ordering system for two days, causing travel chaos. Similarly, last May’s WannaCry ransomware attack made many NHS systems unavailable (including access to patients’ medical records), causing operations to be cancelled. There is no doubt that a successful attack on the more vulnerable management systems can cause widespread disruption. Moreover, such attacks can result in network downtime, which in turn can have a serious economic impact: it can affect production, reduce output, cause physical damage and even put people’s lives in danger.

In a separate Corero study last year, we found that most UK critical infrastructure organizations (51%) are potentially vulnerable because they have not deployed technology that can detect or mitigate short-duration, surgical DDoS attacks on their networks. Modern DDoS attacks represent a serious security and availability challenge for infrastructure operators, because even a short period of downtime or latency can significantly impact the delivery of essential services. Indeed, DDoS attacks can disrupt the availability of critical services we use as part of our everyday life, while potentially serving as cover for attackers planting weaponized malware. Critical infrastructure operators, including energy, transport, communications and emergency services, should not be leaving DDoS attack protection to chance.

Attackers are taking advantage of the escalating number of industrial IoT devices, which underscore the growing risk of very large botnet-based DDoS attacks. These devices are transforming industrial sectors by reducing costs and providing better visibility of networks, processes and security. However, despite their benefits, these devices suffer from basic security vulnerabilities and it is precisely this lack of security that makes them such an attractive target for hackers.

NIS Directive introduces changes to critical infrastructure security

Protecting critical infrastructure from cyber-attacks has become a top government priority. The EU’s NIS Directive, adopted into UK law as the NIS Regulations, aims to raise levels of security and resilience of network and information systems. Indeed, now that the legislation is implemented into UK law, critical infrastructure outages will have to be reported to regulators, who have the power to impose financial penalties of up to £17 million on providers of infrastructure services that fail to protect against cyber-attacks on their networks. Consequently, operators of essential services and industrial control systems need to up their game to be resilient to today’s cyber-threats. However, rather than being seen as just more red tape, or a financial telling-off for non-compliance, the regulation should be seen as a golden opportunity to improve the UK’s cyber-security posture.

Best practices

Despite the huge fines and multiple warnings, 11% of the critical infrastructure organizations that responded to Corero’s 2018 study admitted that they do not always ensure that patches for critical vulnerabilities are routinely implemented within 14 days, as recommended within the Government’s 10 Steps to Cyber Security guidance. Paradoxically, almost all the organizations that responded to the request (98%) are following government advice about network security, by adhering to the Network Security section of the 2012 guidance.

To reduce the risk of a catastrophic outcome that risks public safety, organizations need to ensure their industrial control systems are secure.

Organizations need to take a serious look at their own operating model and ensure that robust protection against cyber threats is in place. It is not acceptable that service and data loss should be excused, under any circumstances, when the technology and services to provide proper protection are available today.

One of the biggest challenges for organisations running critical infrastructure systems is that they are increasingly connecting those networks to the broader IT infrastructure for reasons of operational efficiency and effectiveness. The potential for hackers to access these devices from the outside and change settings, or to launch DDoS attacks that stop local changes from taking effect, could be very damaging indeed, depending on the systems targeted. Organisations vulnerable to such attacks need to ensure they are putting the right protection in place, including real-time automatic DDoS protection, as even small attacks getting through for a short period could have serious implications.

In addition, to avoid smart devices being enslaved into DDoS botnets, organizations need to pay close attention to the network settings for those devices and, where possible, protect them from access to the Internet and to other devices.

Organizations can include IoT devices alongside regular IT assets in their inventories and adopt basic security measures such as changing default credentials and using strong, unique Wi-Fi network passwords that are rotated regularly.

Businesses can certainly protect their networks from DDoS attacks fuelled by IoT-driven botnets by deploying an always-on, automated solution at the network edge that detects unusual network activity and blocks threats from entering the network in real time.



The rise of artificial intelligence DDoS attacks

The leaves may change color, but the roots are the same. Are you ready for AI-based DDoS attacks?

What keeps me awake at night is the thought of artificial intelligence lying in wait in the hands of bad actors. Artificial intelligence combined with the power of IoT-based attacks will create an environment primed for mayhem. It is easy to write about, but hard for security professionals to combat. An AI-driven attack has more force, severity and lethality, and can change the face of a network and application in seconds.

When I think of the capabilities artificial intelligence has in the world of cybersecurity I know that unless we prepare well we will be like Bambi walking in the woods. The time is now to prepare for the unknown. Security professionals must examine the classical defense mechanisms in place to determine if they can withstand an attack based on artificial intelligence.

Fail to prepare, prepare to fail

The arrival of new technologies comes with an abundance of security threats. New products are released to cover the inadequacies in protocols. With today’s attack surface, no one can ever be fully secure. Being almost secure is good enough for most and security teams work on the basis that it’s not a matter of if, it’s a matter of when.

There are well-known mechanisms to combat distributed denial of service (DDoS) attacks. We can spread the perimeter, offload to a scrubbing center, and tackle the problem head-on. Then along came IoT-based attacks that raised the bar causing respectable networks to fall flat. However, there is only so much bandwidth out there and the headlines are often worse than the capabilities.

What I haven’t heard too much about is the repercussions of artificial intelligence in the hands of bad actors. A combination that will inevitably unlock a more powerful form of DDoS attack. A machine does not stop, get tired, lose concentration or panic. AI-based attacks keep their cool maintaining constant momentum while under pressure from defense mechanisms.

The only way to fight a machine is with another machine. Any other way is useless. Unless you want to be left blindfolded, security professionals must look to introduce artificial intelligence on the defense side and not rely on traditional defense mechanisms alone. An AI-based defense comes in two flavors, unsupervised learning and supervised machine learning systems, with unsupervised learning being the superior defense mechanism of the two. L7Defense is a pioneer in the ability to defend from attacks in real-time using unsupervised machine learning.

From scripts with loops to automated AI-based attacks

Did you know the first DoS attack was carried out in 1974? DoS went mainstream with the classical bots of the early 2000s, which amounted to a manual denial of service (DoS) approach. Essentially, DoS is when a bad actor sends enough traffic to overwhelm a system. Back then, attacks were pretty basic. Even where tools were not readily available, those with moderate technical skill could carry out an attack. A single machine would send a single attacking signature, and the “automation” consisted of manual keyboard entries.

This proved to be inefficient and bad actors quickly moved from manual to semi-manual. For example, this may include a simple script combined with a number of loops enabling a level of automation. However, we still only had a limited number of attacking signatures that were preconfigured in the script and only one IP source was used. The attack surface and vectors used were limited.

We then moved into a semi-automated wave consisting of multiple attacking IP sources. The introduction of command & control (C&C) servers presented a new shift in DoS, known as distributed denial of service (DDoS). C&C servers are centralized machines controlled by bad actors that are able to send commands and receive outputs. The C&C servers were not sophisticated, but they could control a number of infected end hosts, spreading the attack source. Each infected computer was a bot, and the collection of bots under one C&C was known as a botnet.

The bots would receive predefined commands from the C&C servers and carry out a set pattern of attack signatures. The signatures were set in stone regardless of how well the defense side was doing. The botnets were still static because the C&C servers issued the same commands to each bot. The scale of the attack increased but the intelligence didn’t: more spread and a larger attacking surface, with the same intelligence.

Malware automation

The major turning point in the evolution of DDoS came with the automatic spreading of malware. Malware is a term you hear a lot, and it simply means malicious software. The automatic spreading of malware represented the major route to automation and marked the first phase of fully automated DDoS attacks. Now, bad actors could increase the distribution and schedule attacks without human intervention. Malware could automatically infect thousands of hosts and apply lateral movement techniques, spreading from one network segment to another. Gaining a foothold in a new segment is known as beachheading, and malware could beachhead from one part of the world to another.

There was still one drawback. And for the bad actor, it was a major drawback. The environment was still static, never dynamically changing signatures based on responses from the defense side. The botnets were not variable by behavior. They were ordered by the C&C servers to sleep and wake up with no mind for themselves.

As I said, there is only so much bandwidth out there, so these types of network attacks started to become less effective. Bad actors started to sidestep a little, abusing application-layer services rather than hitting the network infrastructure directly. Reflection attacks appeared, along with their enhancement, amplification; distributed reflection denial of service attacks were the worst of their time. Reflection attacks abuse user datagram protocol (UDP) services. UDP is connectionless by design: the receiver does not validate the source IP address, which is supposed to be the address of the client requesting the service. The lack of validation makes it possible for someone to pretend to be you by using your IP address as the source, known as IP spoofing.

Unknowingly, the legitimate host whose IP address has been spoofed is overwhelmed when the UDP servers send back their responses. The UDP server is essentially acting as a reflector, hiding the identity of the bad actor. Amplification exploits the fact that responses are generally much larger than requests. A small DNS query can draw a response containing many records and additional information. If a DNS server amplifies requests by a factor of 200, a bad actor with 100Mbps of bandwidth using both amplification and reflection can generate an attack of 20Gbps. Now, imagine what happens if there are thousands of reflectors spreading that traffic across thousands of source addresses.
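As an added example of the detection side of this (not code from the original article), the block below runs over constructed flow records as seen at a victim’s network edge, picks out inbound UDP responses from well-known reflector service ports that no host on the inside ever requested, summarizes them per service, and carries the amplification arithmetic from the paragraph above. The addresses are from the documentation ranges and the byte counts are made up for illustration.

```python
# UDP services commonly abused as reflectors (port -> name).
REFLECTOR_SERVICES = {53: "dns", 123: "ntp", 19: "chargen", 1900: "ssdp", 11211: "memcached"}

VICTIM = "192.0.2.10"  # constructed victim address (TEST-NET-1)

# Constructed flow records at the victim's edge. "out" = leaving the victim network.
FLOWS = [
    # Legitimate DNS exchange: the victim asked a resolver and got an answer.
    {"dir": "out", "proto": "udp", "src_ip": VICTIM, "src_port": 40000,
     "dst_ip": "198.51.100.53", "dst_port": 53, "bytes": 60},
    {"dir": "in", "proto": "udp", "src_ip": "198.51.100.53", "src_port": 53,
     "dst_ip": VICTIM, "dst_port": 40000, "bytes": 180},
    # Unsolicited answers: someone spoofed the victim's address toward open
    # resolvers and an NTP server, which now reflect large responses back.
    {"dir": "in", "proto": "udp", "src_ip": "203.0.113.5", "src_port": 53,
     "dst_ip": VICTIM, "dst_port": 33000, "bytes": 3000},
    {"dir": "in", "proto": "udp", "src_ip": "203.0.113.6", "src_port": 53,
     "dst_ip": VICTIM, "dst_port": 33000, "bytes": 3000},
    {"dir": "in", "proto": "udp", "src_ip": "203.0.113.7", "src_port": 123,
     "dst_ip": VICTIM, "dst_port": 33000, "bytes": 440},
    # Unrelated inbound TCP, ignored by the UDP reflection check.
    {"dir": "in", "proto": "tcp", "src_ip": "198.51.100.9", "src_port": 443,
     "dst_ip": VICTIM, "dst_port": 51000, "bytes": 1500},
]


def unsolicited_reflections(flows):
    """Inbound UDP from a reflector service port with no matching outbound request.

    A genuine response mirrors a request we sent: same server, same service port,
    same client port. Reflected traffic has no such request because the attacker
    sent it from elsewhere with our address forged as the source."""
    asked = {(f["dst_ip"], f["dst_port"], f["src_port"])
             for f in flows if f["dir"] == "out" and f["proto"] == "udp"}
    return [f for f in flows
            if f["dir"] == "in" and f["proto"] == "udp"
            and f["src_port"] in REFLECTOR_SERVICES
            and (f["src_ip"], f["src_port"], f["dst_port"]) not in asked]


def summarize(findings):
    """Per reflector service: how many distinct reflectors and how many bytes."""
    summary = {}
    for f in findings:
        svc = REFLECTOR_SERVICES[f["src_port"]]
        entry = summary.setdefault(svc, {"reflectors": set(), "bytes": 0})
        entry["reflectors"].add(f["src_ip"])
        entry["bytes"] += f["bytes"]
    return {svc: {"reflectors": len(e["reflectors"]), "bytes": e["bytes"]}
            for svc, e in summary.items()}


def amplification_factor(request_bytes, response_bytes):
    """Bandwidth amplification factor: response size over request size."""
    return response_bytes / request_bytes


def attack_bandwidth_bps(attacker_bps, factor):
    """Traffic arriving at the victim: the attacker's own upstream times the factor.

    More reflectors spread the load across more source addresses (harder to filter)
    but do not add bandwidth beyond what the attacker can send in requests."""
    return attacker_bps * factor


if __name__ == "__main__":
    hits = unsolicited_reflections(FLOWS)
    print(summarize(hits))
    print(amplification_factor(60, 3000), attack_bandwidth_bps(100e6, 200) / 1e9, "Gbps")
```

At the victim the request-response pairing is the whole signal: a resolver answering a query the victim never sent has nothing to do with the victim’s own DNS traffic, so it can be dropped at the edge without touching legitimate lookups. The arithmetic helper also makes the paragraph’s numbers checkable: 100Mbps through a factor-200 reflector is 20Gbps.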

Different variations of layer 3, 4 and 7 based attacks were well underway with readily available tools. It became easy and cheap to launch an attack. The major difference between these attack variations is whether a session is established, for example a secure sockets layer (SSL) session with the victim in an attempt to cause session exhaustion higher up in the stack. Alternatively, the bad actor may send a flood of Internet Control Message Protocol (ICMP) messages without waiting for replies, making no attempt to establish a session.

Eventually, a combination developed to form a dangerous mix of layer 3, 4 and 7 based attacks. The classical volumetric attack was often combined with a layer 7 attack focusing on the application, the volumetric traffic simply acting as cover for the layer 7 attack. Application attacks are heaven for bad actors. Each web application represents an almost infinite number of attack possibilities, with so much variation for them to pick and choose from. There are many tools available that can generate random-page request floods with further randomization techniques. Web security companies are on the back foot: they have the capability to scan and detect hundreds of thousands of vulnerabilities, but not an infinite number of signatures.

Things got a bit more serious when bad actors started to combine the automatic spreading of malware with IoT. We experienced attacks on a mega scale, and solid networks started to hit the floor. While traditional C&Cs are not very sophisticated, their big brothers, the IoT C&C servers, are more dynamic and can control their bots with a number of optimizations that change every few seconds based on the defense’s response.

They are heaps more intelligent than the classical C&Cs. The bots are no longer static. Each group of bots now controls its own unit of work, so the botnet behaves like many small armies working in isolation against a single destination.

The rise of artificial intelligence

Today, we are entering into a different wave of DDoS attack. This new era has all the power of IoT-based attacks along with artificial intelligence combined with various feedback loops and automatic optimizations.

Artificial intelligence is constantly optimizing, changing parameters and signatures automatically in response to the defense without any human interaction. It works alone keeping security professionals up all night unless the right precautions are in place.

There are two flavors of AI-based defenses: supervised and unsupervised machine learning. Supervised learning is similar to having a teacher with a predefined curriculum including specific questions and answers. With unsupervised learning, there is no teacher and no narrow curriculum; the curriculum develops itself based on the student’s changing needs.

Supervised learning needs to be fed with labelled examples in order to deal with a situation; after enough examples, the problem is closed. However, this has a number of drawbacks in a world of AI-based attacks. If an attack differs from the examples the system was trained on, will the system identify it and deal with it appropriately? Probably not, and this is where the misses (false negatives) start to pile up.

Unsupervised learning is superior in the sense that you don’t need to feed the system with examples. This represents a major shift in how you protect against a machine that is constantly changing in response to the defense side. Unsupervised learning has the ability to change and adapt as the problem itself changes. The real issue hitting supervised learning is that traffic patterns are by their very nature, unpredictable. The source and destination IP endpoints may remain unchanged but there can be numerous alterations in the headers and message body. The variations are a major problem for supervised learning.

No one can predict and create examples for all application traffic profiles and potential attack vectors. As a result, we cannot cover the entire space and feed a supervised machine learning system with enough examples to cover every possible angle. If you can’t cover the entire space, then you need a system that can analyze the environment by itself and work out, without human intervention, the best possible course of action while still keeping false positives to a minimum: a system that can dynamically learn and adapt to known and unknown environments.
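To make the contrast concrete, the block below is an added example (not code from the original article) that trains a small supervised nearest-centroid classifier on labelled “normal” and “known attack” traffic and, beside it, an unsupervised baseline that learns only what normal looks like. A constructed attack variant that was never in the training data (a slow flood of random pages) is then shown to both. All feature vectors are made up for illustration.

```python
import math
import statistics

# Constructed feature vectors: (requests per second, fraction of distinct URLs requested).
NORMAL = [(50, 0.10), (55, 0.12), (48, 0.09), (52, 0.11), (50, 0.10)]
KNOWN_ATTACK = [(5000, 0.001), (4800, 0.001), (5200, 0.002)]  # same-URL volumetric flood
UNSEEN_VARIANT = (120, 0.95)  # slow flood of random pages; nothing like it in training


def _centroid(points):
    return tuple(statistics.fmean(col) for col in zip(*points))


def _column_stats(points):
    """(mean, population stdev) for each feature column."""
    return [(statistics.fmean(col), statistics.pstdev(col)) for col in zip(*points)]


class SupervisedClassifier:
    """Nearest-centroid classifier: needs labelled examples of every class it can name."""

    def __init__(self, labelled):
        all_points = [p for _, pts in labelled for p in pts]
        # Standardize each feature by the pooled spread so rps does not swamp the ratio.
        self.scale = [s or 1.0 for _, s in _column_stats(all_points)]
        self.centroids = {label: _centroid(pts) for label, pts in labelled}

    def _distance(self, a, b):
        return math.sqrt(sum(((x - y) / s) ** 2 for x, y, s in zip(a, b, self.scale)))

    def classify(self, point):
        return min(self.centroids, key=lambda lbl: self._distance(point, self.centroids[lbl]))


class UnsupervisedBaseline:
    """Learns only what normal looks like; anything far from it is anomalous."""

    def __init__(self, normal_points, z_threshold=4.0):
        self.stats = _column_stats(normal_points)
        self.z = z_threshold

    def classify(self, point):
        zs = [abs(x - m) / (s or 1.0) for x, (m, s) in zip(point, self.stats)]
        return "anomalous" if max(zs) > self.z else "normal"


def compare(point):
    """Verdict of both approaches on one traffic sample."""
    supervised = SupervisedClassifier([("normal", NORMAL), ("attack", KNOWN_ATTACK)])
    unsupervised = UnsupervisedBaseline(NORMAL)
    return {"supervised": supervised.classify(point),
            "unsupervised": unsupervised.classify(point)}


if __name__ == "__main__":
    for sample in [(51, 0.10), (5100, 0.001), UNSEEN_VARIANT]:
        print(sample, compare(sample))
```

The supervised model files the unseen variant under “normal” because, of the two classes it was taught, normal is the nearer one; the baseline flags it because a 95% distinct-URL ratio is tens of standard deviations from anything it has seen. The caveat the article glosses over is visible in the same code: the baseline will flag any departure from normal, including a legitimate traffic change such as a product launch, so in practice it needs a feedback loop to keep false positives manageable.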

Supervised learning can help to a certain extent but in a world that is full of dynamic variables, you really need a system that can adapt to these changes and predict the unknown future that AI-based attacks will bring.

Within the cybersecurity realm attackers are moving fast. It is like going from ice to water: the hammer that cracked the ice is useless against water, and what you need instead is a device that can analyze the water and find the poison hidden in it. This is why you need to move from supervised to unsupervised learning.



Cloud Security For The Healthcare Industry: A No-Brainer

The healthcare industry has become one of the likeliest to suffer cyber-attacks, and there’s little wonder why. Having the financial and personal information of scores of patients makes it a very appetizing target for attackers.

Just over a year ago, the WannaCry ransomware attack wreaked havoc on the UK National Health Service (NHS), ultimately disrupting a third of its facilities and causing a rash of canceled appointments and operations.

As healthcare organizations face the prospect of increasing attacks, their security teams look to cybersecurity vendors with comprehensive, tested products to protect the sensitive information they hold. ALYN Woldenberg Family Hospital, Israel’s only pediatric rehabilitation facility, is no exception.

With a database of more than 70,000 patients and a website hosted in four languages across three different domains, ALYN Hospital’s IT team was concerned that its content management system (CMS) could be vulnerable. The team didn’t feel its security vendor was updating the protection on the CMS as often as it should, which led them to look for a new vendor.

Initially checking out on-premises WAF systems, ALYN’s team kept coming up against the cost of securing its sites, and because of strict government regulations it was initially hesitant to move to a cloud-based system. Ultimately, however, the team decided that the Imperva Incapsula cloud-based WAF was just the thing.

“We looked at community reviews and talked with colleagues at other hospitals and got the impression that Incapsula is one of the best in terms of cost-benefit ratio, which is important to us, in addition to robustness, ease-of-use, and integration, which was very smooth. It all proved to be correct, for which I am very glad,” said Uri Inbar, Director of IT for ALYN Hospital.

Setting up the system took less than a day, and ALYN Hospital still manages its servers in-house, with a staff member who is now dedicated to security. Imperva Incapsula has been low maintenance from the start: while customer support was with them every step of the way at the beginning, they haven’t needed any for the last few years because the system has been running smoothly on its own.

“It gives us peace of mind to know that someone has dedicated themselves to the subject and keeps us updated. It’s one less worry to take care of.”

Since making the switch, ALYN Hospital has seen some significant improvements:

  • Increased visibility for monitoring security threats: The Imperva Incapsula dashboard is easy to use and provides information that helps ALYN Hospital keep its systems secure. And for their special projects, they can even see which countries are generating the most traffic.
  • Good cost-benefit ratio: One of the most important aspects of any new security system for ALYN, the costs were reasonable, especially given the security benefits they received from the Incapsula system.
  • Faster content delivery: While no formal studies were done, the IT staff has heard from some users that their CDN is delivering content faster than before.



Concern Mounts for SS7, Diameter Vulnerability

The same security flaws that cursed the older SS7 standard used with 2G, 3G and earlier networks are prevalent in the Diameter protocol used with today’s 4G (LTE) telephony and data transfer standard, according to researchers at Positive Technologies and the European Union Agency for Network and Information Security (ENISA).

Network security is built on trust between operators and IPX providers, and the Diameter protocol that replaced SS7 was supposed to be an improved network signaling protocol. But when 4G operators misconfigure the Diameter protocol, the same types of vulnerabilities still exist.

“As society continues to leverage mobile data capabilities more and more heavily, from individual users performing more tasks directly on their smartphones, to IoT devices which use it when regular network connections are not available (or not possible), service providers need to take the security of this important communications channel more seriously,” said Sean Newman, director of product management for Corero Network Security.

Given that the Diameter protocols are slated to be used in 5G, reports of critical security capabilities not being enabled in the Diameter protocol used for 4G mobile networks are worrisome. Of particular concern is the potential that misconfigurations that lead to the vulnerability could result in distributed denial of service (DDoS) attacks for critical infrastructure relying on mobile access. An attacker would not need to harness any large-scale distributed attack capabilities.

“The latest generation of denial of service protection solutions are critical for any organization that relies on always-on internet availability, but this can only be effective if service providers are ensuring the connectivity itself is always-on,” Newman said.

Concerns over the threats from smartphones have even been presented to Congress with pleas that they should act immediately to protect the nation from cybersecurity threats in SS7 and Diameter.

“SS7 and Diameter were designed without adequate authentication safeguards. As a result, attackers can mimic legitimate roaming activity to intercept calls and text messages, and can imitate requests from a carrier to locate a mobile device. Unlike cell-site simulator attacks, SS7 and Diameter attacks do not require any physical proximity to a victim,” wrote Jonathan Mayer, assistant professor of computer science and public affairs, Princeton University, in his testimony before the Committee on Science, Space, and Technology of 27 June.

