SIDN, NBIP warn small businesses of increased risk of DDoS attacks

Small and medium-sized businesses are much more at risk of DDoS attacks than many think, according to research by the Dutch domain registrar SIGN and the internet providers group NBIP. The two groups conducted research on the .nl websites affected by such attacks and the organisations affected. In total, 237 DDoS attacks were identified in the year to June 2018.

Web shops selling consumer goods such as clothes, cosmetics and garden equipment have a bigger chance of being hit by DDoS attacks, the research found. On average the resulting damage costs EUR 1.8 million.

A common cause is the use of shared hosting. To save costs, small online sellers often share a server with other websites. They are then affected if another site on the server is hit by an attack. The chance of collateral damage is 35 times higher in such a case.

The public sector and larger banks remain the most likely target of direct attacks. The study estimates the direct damage cost EUR 59.6 million, while collateral effects cost another EUR 10 million.

The damages are based on the 237 attacks identified and estimates for the consequences if the attacks succeeded. If no protective measures are taken, the total cost to society from DDoS attacks is estimated at EUR 1 billion per year.

Source: https://www.telecompaper.com/news/sidn-nbip-warn-small-businesses-of-increased-risk-of-ddos-attacks–1269808

  • 0

Data will be flowing through the retail systems this Black Friday

Resellers that support the retail sector will be keeping a keen eye on how their customers react to the huge amounts of data that will be generated this coming weekend.

Resellers selling into the retail sector are about to go through one of the most stressful weeks of the year as their customers gear up for Black Friday.

With this weekend marking one of the main moments consumers spend big before Christmas the emphasis might be on getting the best deals but for those with an eye on the IT the next few days is going to be about data.

On the one hand that means making use of the data around offers and stock to ensure that customers get current information about what a retailer can offer.

“Last year Black Friday itself was worth a total of £2.5bn in sales to the UK economy. However, if retailers fail to stand out against the intense competition, Black Friday could well be a Bleak Friday for them,” said Chris Haines, director of consulting at Amplience.

“To make the most out of the week and the increasingly important Cyber Monday, retailers should be focusing on their digital content. Retail is steadily marching towards the web, and Black Friday this year will be fought out online and on mobile,” he added.

But it is also about ensuring that data is protected, particularly over some of the busiest days of the year.

“Thanks to the popularity of ecommerce sites and credit card payments, the Black Friday shopping season has become synonymous with a peak in credit card thefts, site spoofing and DDoS attacks. It’s as much an occasion for cyber criminals as it is for consumers looking for a bargain,” said Spencer Young, rvp EMEA at Imperva.

“Retailers must also take responsibility for investing time and effort in testing their security measures ahead of the season,” he added.

There are also dangers that some retailers will get caught out by different shopping patterns and Ajmal Mahmood, customer solution architect, KCOM, warned against wrongly interpreting the sales the go through the tills.

“Buying habits change during big sales events, with some consumers making more impulse purchases, some stocking up on discounted items and some simply shopping as usual. It’s prudent for retailers to isolate the data collected during sales events, to ensure that they don’t significantly affect their personalisation algorithms across the year,” he said.

Source: https://www.computerweekly.com/microscope/news/252452793/Data-will-be-flowing-through-the-retail-systems-this-Black-Friday

  • 0

Bots on a plane? Bad bots cause unique cybersecurity issues for airlines

While bots are a common tool of cybercriminals for carrying out DDoS attacks and mining cryptocurrencies, a recent report found they may also be indirectly increasing the price of your airline tickets.

Distil Research Lab’s Threat report, “How Bots Affect Airlines,” found the airline industry has unique cybersecurity challenges when dealing with bad bots, which comprise 43.9 percent of traffic on airlines websites, mobile apps, and APIs, which is more than double the average bad bot traffic across all industries in which only make up an average of 21.8 percent.

One European airline saw a whopping 94.58 percent of its traffic from bad bots, according to the report which analyzed 7.4 billion requests from 180 domains from 100 airlines internationally.

Cybercriminals launch bots to compromise loyalty rewards programs, steal credentials, steal payment information, steal personal information, carry out credit card fraud, and to launch credential stuffing attacks.

When threat actors infiltrates loyalty programs they can potentially shake customer confidence to the point where they no longer use the airlines.

“Once a customer has been locked out of their account by a criminal changing their password, the airline has a customer service problem to solve,” the report said. “The forensics to investigate what happened inside the account is time consuming and costly.”

Researchers added that the costs of reimbursements for the damages are also a negative impact of these bad bots.

The only industry which had a worse bot problem was the gambling industry with an average of 53.08 percent of its traffic coming from bad bots.

These malicious bots are working around the clock in the airline industry as their activity appears consistent every day throughout the week except Friday when there is a peak in traffic. The majority of the traffic comes from the USA as it’s responsible for 25.58 percent of bad bot traffic worldwide, followed by Singapore in second place with 15.21 percent, and China in third with 11.51 percent.

 

Researchers also learned that of the nearly 30 percent of the domains they reviewed, bad bots encompassed more than half of all traffic with 48.87 of bad bots reportedly using Chrome as their users’ agent.

Not all bots are evil however, some of the bots are used by travel aggregators such as Kayak and other online travel agencies to scrape prices and flight information or even competitive Airlines looking to gather up-to-the-minute market intelligence but even these can hassles.

Some of these unauthorized (OTAs) however may use bots to scrape prices and flight information seeking to gather ‘free’ information from the airline rather than pay for any associated fees by entering into any commercial arrangement requiring a service level agreement, researchers said in the report.

To combat the bad bots, researchers recommend airlines block or CAPTCHA outdated user agents/browsers, block known hosting providers and proxy servers which host malicious activity, block all access points, investigate traffic spikes, monitor failed login attempts, and pay attention to public data breaches.

Source: https://www.scmagazine.com/home/security-news/bots-on-a-plane-bad-bots-cause-unique-cybersecurity-issues-for-airlines/

  • 0

Universities seeing rise in DDoS attacks

Kaspersky Lab has noticed an overall decline in the number of DDoS attacks this year, which may be due to many bot owners reallocating the computing power of their bots to a more profitable and relatively safe way of making money: cryptocurrency mining.

However, there is still a risk of DDoS attacks causing disruption, despite attackers not seeking financial gain.

The Kaspersky Lab DDoS Q3 report marked a continued trend in attacks aimed at educational organisations, as they open their doors after a long summer and students head back to school.

Attackers were most active during the third quarter in August and September, proven by the number of DDoS attacks on educational institutions increasing sharply at the start of the academic year.

This year, the most prominent attacks hit the websites of one of the UK’s leading universities – the University of Edinburgh – and the US vendor Infinite Campus, which supports the parent portal for numerous city public schools.

Analysis from Kaspersky Lab experts has found that the majority of these DDoS attacks were carried out during term time and subsided during the holidays.

More or less the same result was obtained by the British organisation Jisc.

After collecting data about a series of attacks on universities, it determined that the number of attacks fell when students were on holiday.

The number of attacks also decreases outside of study hours, with DDoS interference in university resources mainly occurring between 9am and 4pm.

Overall, between July and September, DDoS botnets attacked targets in 82 countries.

China was once again first in terms of the number of attacks.

The US returned to second after losing its place in the top three to Hong Kong in Q2.

However, third place has now been occupied by Australia – the first time it’s reached such heights since Kaspersky Lab DDoS reports began.

There have also been changes in the top 10 countries with the highest number of active botnet C&C servers.

As in the previous quarter, the US remained in first place, but Russia moved up to second, while Greece came third.

Kaspersky DDoS protection business development manager Alexey Kiselev says, “The top priority of any cybercriminal activity is gain.

“However, that gain doesn’t necessarily have to be financial. The example of DDoS attacks on universities, schools and testing centres presumably demonstrates attempts by young people to annoy teachers, institutions or other students, or maybe just to postpone a test.

“At the same time, these attacks are often carried out without the use of botnets, which are, as a rule, only available to professional cybercriminals, who now seem to be more concerned with mining and conducting only well-paid attacks.

“This sort of ‘initiative’ shown by students and pupils would be amusing if it didn’t cause real problems for the attacked organisations which, in turn, have to prepare to defend themselves against such attacks,” Kiselev says.

Source: https://datacentrenews.eu/story/universities-seeing-rise-in-ddos-attacks

  • 0

Players affected as online game ‘Final Fantasy XIV’ hit by ‘unprecedented’ cyberattacks

Servers for Square Enix Co.’s popular online game “Final Fantasy XIV” has been hit by a series of cyberattacks since early October, preventing some users from accessing the service, its publisher said Thursday.

The distributed denial of service (DDoS) attacks, in which multiple hacked computers are used to flood the target system, were carried out to an “unprecedented extent” against data centers in Japan, North America and Europe, Square Enix said.

The identities of the attackers are not yet known, although information security experts suspect links to cheap online services that carry out so-called DDoS attacks.

Two major attacks in early October and late October prevented game players from logging in to the service or cut off their connections for up to 20 hours, according to the company.

Square Enix has taken steps against the attacks but the servers were attacked again Tuesday night, disrupting the service for some 50 minutes.

“FFXIV” had previously been subjected to DDoS attacks. A study by a U.S. internet company has showed that some 80 percent of DDoS attacks worldwide are targeted at game services.

“The attacks may have been carried out by people who commit the offense for pleasure, hold a grudge against the company or seek money,” said Nobuhiro Tsuji, an information security expert.

“The attacks have extended over a long period, and, while it is costly, there is no choice but to boost countermeasures,” the expert at SoftBank Technology Corp. said.

In 2014, a high school student in Kumamoto Prefecture was found to have used an online DDoS attack service to disrupt a different game company’s operations after he became frustrated with the way the game services were managed. He was referred to prosecutors the same year.

Source: https://www.japantimes.co.jp/news/2018/11/01/business/tech/players-affected-online-game-final-fantasy-xiv-hit-unprecedented-cyberattacks/#.W9yKTuIpCUk

  • 0

30 years ago, the world’s first cyberattack set the stage for modern cybersecurity challenges

Back in November 1988, Robert Tappan Morris, son of the famous cryptographer Robert Morris Sr., was a 20-something graduate student at Cornell who wanted to know how big the internet was – that is, how many devices were connected to it. So he wrote a program that would travel from computer to computer and ask each machine to send a signal back to a control server, which would keep count.

The program worked well – too well, in fact. Morris had known that if it traveled too fast there might be problems, but the limits he built in weren’t enough to keep the program from clogging up large sections of the internet, both copying itself to new machines and sending those pings back. When he realized what was happening, even his messages warning system administrators about the problem couldn’t get through.

His program became the first of a particular type of cyber attack called “distributed denial of service,” in which large numbers of internet-connected devices, including computers, webcams and other smart gadgets, are told to send lots of traffic to one particular address, overloading it with so much activity that either the system shuts down or its network connections are completely blocked.

As the chair of the integrated Indiana University Cybersecurity Program, I can report that these kinds of attacks are increasingly frequent today. In many ways, Morris’s program, known to history as the “Morris worm,” set the stage for the crucial, and potentially devastating, vulnerabilities in what I and others have called the coming “Internet of Everything.”

Unpacking the Morris worm

Worms and viruses are similar, but different in one key way: A virus needs an external command, from a user or a hacker, to run its program. A worm, by contrast, hits the ground running all on its own. For example, even if you never open your email program, a worm that gets onto your computer might email a copy of itself to everyone in your address book.

In an era when few people were concerned about malicious software and nobody had protective software installed, the Morris worm spread quickly. It took 72 hours for researchers at Purdue and Berkeley to halt the worm. In that time, it infected tens of thousands of systems – about 10 percent of the computers then on the internet. Cleaning up the infection cost hundreds or thousands of dollars for each affected machine.

In the clamor of media attention about this first event of its kind, confusion was rampant. Some reporters even asked whether people could catch the computer infection. Sadly, many journalists as a whole haven’t gotten much more knowledgeable on the topic in the intervening decades.

Morris wasn’t trying to destroy the internet, but the worm’s widespread effects resulted in him being prosecuted under the then-new Computer Fraud and Abuse Act. He was sentenced to three years of probation and a roughly US$10,000 fine. In the late 1990s, though, he became a dot-com millionaire – and is now a professor at MIT.

Rising threats

The internet remains subject to much more frequent – and more crippling – DDoS attacks. With more than 20 billion devices of all types, from refrigerators and cars to fitness trackers, connected to the internet, and millions more being connected weekly, the number of security flaws and vulnerabilities is exploding.

In October 2016, a DDoS attack using thousands of hijacked webcams – often used for security or baby monitors – shut down access to a number of important internet services along the eastern U.S. seaboard. That event was the culmination of a series of increasingly damaging attacks using a botnet, or a network of compromised devices, which was controlled by software called Mirai. Today’s internet is much larger, but not much more secure, than the internet of 1988.

Some things have actually gotten worse. Figuring out who is behind particular attacks is not as easy as waiting for that person to get worried and send out apology notes and warnings, as Morris did in 1988. In some cases – the ones big enough to merit full investigations – it’s possible to identify the culprits. A trio of college students was ultimately found to have created Mirai to gain advantages when playing the “Minecraft” computer game.

Fighting DDoS attacks

But technological tools are not enough, and neither are laws and regulations about online activity – including the law under which Morris was charged. The dozens of state and federal cybercrime statutes on the books have not yet seemed to reduce the overall number or severity of attacks, in part because of the global nature of the problem.

There are some efforts underway in Congress to allow attack victims in some cases to engage in active defense measures – a notion that comes with a number of downsides, including the risk of escalation – and to require better security for internet-connected devices. But passage is far from assured

There is cause for hope, though. In the wake of the Morris worm, Carnegie Mellon University established the world’s first Cyber Emergency Response Team, which has been replicated in the federal government and around the world. Some policymakers are talking about establishing a national cybersecurity safety board, to investigate digital weaknesses and issue recommendations, much as the National Transportation Safety Board does with airplane disasters.

More organizations are also taking preventative action, adopting best practices in cybersecurity as they build their systems, rather than waiting for a problem to happen and trying to clean up afterward. If more organizations considered cybersecurity as an important element of corporate social responsibility, they – and their staff, customers and business partners – would be safer.

In “3001: The Final Odyssey,” science fiction author Arthur C. Clarke envisioned a future where humanity sealed the worst of its weapons in a vault on the moon – which included room for the most malignant computer viruses ever created. Before the next iteration of the Morris worm or Mirai does untold damage to the modern information society, it is up to everyone – governments, companies and individuals alike – to set up rules and programs that support widespread cybersecurity, without waiting another 30 years.

Source:http://theconversation.com/30-years-ago-the-worlds-first-cyberattack-set-the-stage-for-modern-cybersecurity-challenges-105449

  • 0

Server Configuration Is Top Healthcare Software Vulnerability

Server configuration is the top healthcare software vulnerability, followed by information leakage and cryptographic issues, according to Veracode’s State of Software Security (SOSS) study.

Other top vulnerabilities for healthcare include faulty deployment considerations, cross-site scripting holes, credentials management issues, and code quality.

“The highly regulated healthcare industry got high marks in many of this year’s SOSS metrics,” the report noted.

Healthcare scored highest on percentage of applications passing the OWASP Top 10 guidelines, considered a measure of industry best practices for software security. A full 55.3 percent of healthcare apps passed the OWASP test, compared to 27.7 percent of applications for all industries, based on scans conducted by Veracode.

“Flaw persistence analysis shows that when looking at all found vulnerabilities, this industry is statistically closing the window on app risk more quickly than any other sector,” the report concluded.

The report offered four key takeaways for security professionals, app developers, and business executives from its analysis of software security across industries.

First, the faster organizations close software vulnerabilities, the less risk applications pose over time.

Second, organizations need to prioritize which software security flaws to fix first, given the sheer volume of open software flaws. “While many organizations are doing a good job prioritizing by flaw severity, data this year shows that they’re not effectively considering other risk factors such as the criticality of the application or exploitability of flaws,” the report noted.

Third, DevSecOps has a positive effect on software security. The more often an organization scans software per year, the faster security fixes are made. “The frequent, incremental changes brought forth by DevSecOps makes it possible for these teams to fix flaws lightning fast compared to the traditional dev team,” it noted.

Fourth, organizations are still struggling with vulnerable open source components in their software. “As organizations tackle bug-ridden components, they should consider not just the open flaws within libraries and frameworks, but also how those components are being used,” the report observed.

A major software security concern for healthcare organizations is securing application programming interfaces (APIs). The June 2018 HIMSS Healthcare and Cross-sector Cybersecurity Report warned that hackers will be exploiting APIs more to gain access to healthcare organizations and stealing sensitive data.

API attack vectors include man in the middle attacks, session cookie tampering, and distributed denial of service (DDoS) attacks, the report noted.

To address the risks that unsecured APIs pose for healthcare, the American Hospital Association (AHA) recommended that stakeholders in the mobile healthcare environment develop a secure app ecosystem for sharing health data.

“To ensure a robust, secure set of tools for individuals to engage with hospitals and health systems via apps, stakeholders will need to work together to build an app ecosystem that is based on a rigorous and continuous vetting process that takes into account evolving risks. This could be done in the public sector, through certification, or through a public-private partnership,” AHA said.

AHA cited the example of the Payment Card Industry Data Security Standard (PCI DSS), which is an industry-developed standard that includes security requirements companies must adhere to if they want to process credit and debit cards.

The federal government should also develop a consumer education program to make it clear that commercial providers of health apps may not be subject to the HIPAA Privacy Rule, according to the association.

“Commercial app companies generally are not HIPAA-covered entities. Therefore, when information flows from a hospital’s information system to an app, it likely no longer will be protected by HIPAA,” said AHA.

“Most individuals will not be aware of this change and may be surprised when commercial app companies share their sensitive health information obtained from a hospital, such as diagnoses, medications or test results, in ways that are not allowed by HIPAA,” the association noted.

Source: https://healthitsecurity.com/news/server-configuration-is-top-healthcare-software-vulnerability

  • 0

81.5M Voter Records For Sale On Dark Web Ahead Of Midterm Elections

The quarterly incident response (IR) threat report from Carbon Black isn’t usually such an exciting read, aggregating as it does data from across a number of partners in order to provide actionable intelligence for business leaders. The latest report, published today, is a politically charged exception. Not only does it reveal that nation-state politically motivated cyberattacks are on the up, with China and Russia responsible for 41.4% of all the reported attacks, but that voter databases from Alabama to Washington (and 18 others) are for sale on the dark web. These databases cover 21 states in all, with records for 81,534,624 voters that include voter IDs, names and addresses, phone numbers and citizenship status. Tom Kellerman, Carbon Black’s chief cybersecurity officer, describes the nation-state attackers as not “just committing simple burglary or even home invasion, they’re arsonists.” Nobody relishes their house burning down, even figuratively speaking. Which is why, according to another newly published report, this time from Unisys, suggests one in five voters may stay at home during the midterms as they fear their votes won’t count if systems suffer a cyberattack.

Amongst the key findings of the Carbon Black report, however, is the fact that China and Russia were responsible for 41.4% of the investigated attacks analyzed by researchers. The two also lead the pack when it comes to which countries incident response teams are seeing cyberattacks originating from. China was top of the table on 68% with Russia second on 59%. While the continent of North America (the report does not contain statistics that break this down to attacks from the United States alone) was third on 49%$, Iran, North Korea and Brazil were next in line. Earlier this year, Venafi surveyed security professionals with regards to election infrastructure risk. That research revealed that 81% of them thought threat actors will target election data as it is transmitted by voting machines. Worryingly, only 2% were ‘very confident’ in the capability of local, state and federal government to detect such attacks and only 3% thought the same about their abilities to block those attacks.

It’s just as well, then, that it has been reported the United States Cyber Command has now started what is believed to be the first cyber-operation to protect against election interference from Russia. “The attack surface in the US is incredibly broad and fragmented making security highly challenging” says Simon Staffell, head of public affairs at Nominet, who continues “but the response that has taken place in the US is also of an entirely different magnitude to anything seen before.” Yet this response does not appear to target Chinese threat actors. Some may find this omission a surprise, considering that Vice President Pence stated earlier this month that “what the Russians are doing pales in comparison to what China is doing across this country” and suggested that China wants to turn Trump voters against the administration.

Fraser Kyne, EMEA CTO at Bromium, would not be amongst the surprised though. He tells me that Bromium researchers have been working with Dr Mike McGuire to look into the impact of fake news on the US midterms. Early indications appear to suggest accusations against China are most likely unfounded. “Whilst China is funding local campaigns like the advertising taken out in US newspapers to promote US-Chinese trade” Kyne says “there is little evidence at the moment to suggest China is attempting to subvert democracy and influence the midterm elections.”

Meanwhile, some 68% of respondents to the Carbon Black report, representing a cross-section of some of the leading cybersecurity professionals across the globe, believe that cyberattacks will influence the midterms. This isn’t any kind of surprise when you take in the amount of election hacking and meddling resources that those same researchers found to be on sale through the dark web. These range from the aforementioned voter databases, through to social media election influence kits to target thousands of Instagram, Facebook, Twitter and YouTube accounts as well as the services of freelance hackers for hire who are offering to target government entities “for the purposes of database manipulation, economic/corporate espionage, DDoS attacks and botnet rentals.”

So, what kind of cyberattacks can we expect to see from state-sponsored actors as far as the midterms are concerned? Tony Richards, group CISO at Falanx Group, expects there will be some minor and likely not state sanctioned hacking attempts on electronic voting machines. “The fallout if a nation state was identified as the perpetrator would be considerable” Richards told me “so this would have to be a deniable operation.” It would also have to be done by someone with physical access to the voting machines in order to exploit many of the vulnerabilities that have been identified by researchers. “Voting machines are not usually connected to the Internet” explains Rafael Amado, senior strategy and research analyst at Digital Shadows, which means “the ability for attackers to tamper with voting ballots and results is greatly hindered.”

Some go as far as suggesting that to take the hacking concern out of the equation, elections should look back rather than forwards. The ‘right’ solution, according to Ryan Kalember, senior vice-president, Cybersecurity Strategy at Proofpoint, is paper. “An election system can be extremely resilient to fraud if there are paper records for registration and the votes themselves” Kalember insists, agreeing that this “may seem anti-modern, but is where we find ourselves in 2018.” Other cybersecurity experts suggest that the focus, when it comes to mitigating risk of interference in the midterm elections, simply needs to extend beyond voter registration and voting machine security altogether. “It’s important to take a look at the entire digital voting system” says Cindy Provin, CEO at Thales eSecurity, “how citizens register, how they find their polling places, how they check in, how they cast their ballots and how they find out who won.” This is an argument that is also made by Joseph Carson, chief security scientist & advisory CISO with Thycotic, who told me that the biggest challenge is that cybersecurity is only taken seriously in the voting infrastructure “when it is lacking in candidate campaigns, leaving the US open to serious cyber influence from foreign nation states.”

Maybe the notion of cyberattacks during the election process itself is something of a red-herring altogether? Especially given that there is such a global media appetite for Russian meddling stories, which will surely lead to this being such a high risk maneuver that it’s unlikely to be executed in any meaningful way. “The main effort will likely be in attempting to generate genuine conversations with organizations and individuals that have influence over a significant audience” says James Monckton, strategic communications director at Verbalisation, who thinks that the ‘influencing the influencers’ approach would be a highly effective method with a low level of attribution risk. The idea of shaping the debate by amplifying a particular viewpoint isn’t new news, but it is the most obvious meddling methodology we will see. Or rather, not see. “In the long term, it spreads mistrust as it becomes harder to distinguish the true from the fake” concludes Emily Orton, co-founder and director at Darktrace, “and has profound effects on democratic societies…”

One thing is for sure, according to Michael O’Malley, vice president of marketing with Radware, and that’s the threat of election interference will continue unabated until the US moves from the current fragmented state-by-state model to a nationwide election system. “We need a one person one vote approach and the US must make the necessary security upgrades to prevent voter fraud, foreign influence campaigns and hacking of our election infrastructure” O’Malley insists, warning that “Federal legislation needs to be introduced to make this happen…”

Source: https://www.forbes.com/sites/daveywinder/2018/10/30/81-5m-voter-records-for-sale-on-dark-web-ahead-of-midterm-elections/#1dca850f2a0c

  • 0

82% of security pros fear hackers using AI to attack their company

Artificial intelligence (AI) is poised to impact every industry in the near future—including the lucrative business of malicious hacking and the cybersecurity industry working to defend against those attacks.

Enterprise IT and security professionals recognize AI’s potential in cybersecurity, according to a new report from Neustar: 87% of the 301 senior technology and security workers surveyed agreed that AI will make a difference in their company’s defenses. However, 82% said they are also afraid of attackers using AI against their company, the report found.

In a cyberattack, IT and security professionals said they most fear stolen company data (50%), loss of customer trust (19%), unstable business performance (16%), and the cost implications (16%).

Despite the risks, 59% of security pros said they remain apprehensive about adopting AI for security purposes, the report found.

“Artificial intelligence has been a major topic of discussion in recent times – with good reason,” Rodney Joffe, head of the the Neustar International Security Council and Neustar senior vice president and fellow, said in a press release. “There is immense opportunity available, but as we’ve seen today with this data, we’re at a crossroads. Organizations know the benefits, but they are also aware that today’s attackers have unique capabilities to cause destruction with that same technology. As a result, they’ve come to a point where they’re unsure if AI is a friend or foe.”

In terms of threats, security professionals said they were most concerned about DDoS attacks (22%), system compromise (20%), and ransomware (15%). Nearly half of organizations surveyed (46%) said they had been on the receiving end of a DDoS attack in Q3 2018, a higher proportion than in years past, the report found.

“What we do know is that IT leaders are confident in AI’s ability to make a significant difference in their defenses,” Joffe said in the release. “So what’s needed now is for security teams to prioritize education around AI, not only to ensure that the most efficient security strategies have been implemented, but to give organizations the opportunity to embrace – and not fear – this technology.”

The big takeaways for tech leaders:

  • 82% of security professionals said they are afraid of attackers using AI in cyberattacks against their company. — Neustar, 2018
  • Security professionals said they were most concerned about DDoS attacks (22%), system compromise (20%), and ransomware (15%). — Neustar, 2018

Source:https://www.techrepublic.com/article/82-of-security-pros-fear-hackers-using-ai-to-attack-their-company/

  • 0

Are you using Hadoop for data analytics? If so, know that a new bot is targeting Hadoop clusters with the intention of performing DDoS attacks powered by the strength of cloud infrastructure servers. Hadoop is an open source distributed processing framework that manages storage and data processing for big data applications running in clustered systems.

Radware Threat Research Center is monitoring and tracking a malicious agent that is leveraging a Hadoop YARN unauthenticated remote command execution in order to infect Hadoop clusters with an unsophisticated new bot that identifies itself as DemonBot.

DemonBot spreads only via central servers and does not expose worm-like behavior exhibited by Mirai based bots. As of today, Radware is tracking over 70 active exploit servers that are actively spreading DemonBot and are exploiting servers at an aggregated rate of over 1 Million exploits per day. Note that though we did not find any evidence that DemonBot is actively targeting IoT devices at this time, Demonbot is not limited to x86 Hadoop servers and is binary compatible with most known IoT devices, following the Mirai build principles.

It is not the first time that cloud infrastructure servers have been targeted. Earlier this month Security Researcher Ankit Anubhav discovered a hacker leveraging the same Hadoop Yarn bug in a Sora botnet variant. Hadoop clusters typically are very capable and stable platforms and can individually account for much larger volumes of DDoS traffic compared to IoT devices. The DDoS attack vectors supported by DemonBot are UDP and TCP floods.

Hadoop YARN Exploits

Radware Research has been tracking malicious actors exploiting a Hadoop YARN unauthenticated remote command execution for which proof of concept code was first published here in March of this year. YARN, Yet Another Resource Negotiator, is a prerequisite for Enterprise Hadoop and provides cluster resource management allowing multiple data processing engines to handle data stored in a single platform. YARN exposes a REST API which allows remote applications to submit new applications to the cluster. The exploit requires two steps:

  • Request an application-id using POST to URI http://x.x.x.x:8088/ws/v1/cluster/apps/new-application
  • Use the ‘application-id’ from the response in step 1 and submit a new task to the cluster manager using the POST method to URI http://x.x.x.x:8088/ws/v1/cluster/apps and with the body containing the following JSON encoded data structure:

Our deception network recorded repeated attempts for /ws/v1/cluster/apps/new-application, slowly starting end of September and growing to over 1 million attempts per day for most of October.

The number of unique IPs from where the requests originated grew from a few servers to over 70 servers this week.

Older exploits from servers that are offline by now were referencing a well-known Mirai variant Owari, infamous because of the weak password used by the hackers for securing their command and control database:

More recently, however, we found Owari to be replaced by a new bot:

This new ‘bash’ binary was added to the server on Sunday Oct 21st. The same server also hosts the typical shell script we came to expect from multiplatform IoT malwares:

While the botnet comes with all the typical indicators of Yet-Another-Mirai-Botnet, a closer look at the binaries revealed to be different enough to continue the investigation.

DemonBot v1 – © Self-Rep-NeTiS

The reversing of the unstripped ‘bash’ binary revealed some unfamiliar function names and an atypical string which provided a unique fingerprint for the botnet code:

Searching through pastebin archives soon revealed a unique match on a document that was pasted on Sept 29th by an actor going by the alias of Self-Rep-NeTiS. The paste contained the full source code for a botnet which the actor dubbed ‘DemonBot’. Further searches through the archives revealed the source code for the Command and Control server DemonCNC and the Python Build script for the multi-platform bots.

Both DemonBot.c and DemonCNC.c had an identical signature:

DemonCNC

The DemonBot Command and Control service is a self-contained C program that is supposed to run on a central command and control server and it provides two services:

  • A bot command and control listener service – allowing bots to register and listen for new commands form the C2
  • A remote access CLI allowing botnet admins and potential ‘customers’ to control the activity of the botnet

Starting the C2 service requires 3 arguments: a bot listener port, the number of threads and a port for the remote access CLI.

Credentials for remote users are stored in a plain text file ‘login.txt’ in the format “username password” using one line per credential pair.

Upon connecting to the remote access CLI (port 8025 in our demo setup) using telnet, the botnet greets us and asks for a username followed by a password prompt. If the provided credentials match one of the lines in the login.txt file, the user is given access to the bot control interface.

The HELP command reveals the botnet commands which will be discussed below in the section about DemonBot itself.

DemonBot

DemonBot is the program that is supposed to be running on infected servers and will connect into the command and control server and listens for new commands.

When a new DemonBot is started, it connects to the C2 server which is hardcoded with IP and port. If no port was specified for the C2 server the default port 6982 is used. The C2 connection is plain text TCP.

Once successfully connected, DemonBot sends information about the infected device to the C2 server in the format:

Bot_ip

The public IP address of the device or server infected with DemonBot:

Port

Either 22 or 23 depending on the availability of python or perl and telnetd on the device/server:

Build

“Python Device”, “Perl Device”, “Telnet Device” or “Unknown” depending on the availability of a Python or Perl interpreter on the device server:

Arch

The architecture, determined at build time and depending on the executing binary on the compromised platform – supported values for Arch are: x86_64 | x86_32 | Arm4 | Arm5 | Arm6 | Arm7 | Mips | Mipsel | Sh4 (SuperH) | Ppc (PowerPC) | spc (Sparc) | M68k | Arc

OS

Limited identification of the host OS running the bot based on package installer configuration files. Value is either “Debian Based Device”, “REHL Based Device” or “Unknown OS”

Malicious payloads

The bot supports the following commands:

If multiple IPs are passed in the argument in a comma-separated list, an individual attack process is forked for each IP.

The <spoofit> argument works as a netmask. If spoofit is set to 32, there is no spoofing of the bot’s source IP. If spoofit is set to a number less than 32, a random IP is generated within the bot_ip/<spoofit> network every <pollinterval> packets:

Fixed payload used by the STD UDP attack:

IOC

8805830c7d28707123f96cf458c1aa41  wget
1bd637c0444328563c995d6497e2d5be  tftp
a89f377fcb66b88166987ae1ab82ca61  sshd
8b0b5a6ee30def363712e32b0878a7cb  sh
86741291adc03a7d6ff3413617db73f5  pftp
3e6d58bd8f10a6320185743d6d010c4f  openssh
fc4a4608009cc24a757824ff56fd8b91  ntpd
d80d081c40be94937a164c791b660b1f  ftp
b878de32a9142c19f1fface9a8d588fb  cron
46a255e78d6bd3e97456b98aa4ea0228  bash
53f6451a939f9f744ab689168cc1e21a  apache2
41edaeb0b52c5c7c835c4196d5fd7123  [cpu]

Source:https://securityboulevard.com/2018/10/new-demonbot-discovered/

  • 0