Malware with bricking capabilities poses major threat after infecting 500,000+ networking devices

A potentially highly destructive malware is estimated to have infected at least 500,000 networking devices in at least 54 countries since as far back as 2016, in what could be the prelude to a massive attack potentially capable of cutting off internet access for hundreds of thousands of people around the world.

Researchers from Cisco Systems’ Talos threat intelligence unit warn that the newly discovered malware, dubbed VPNFilter, has overlapping code with BlackEnergy, an APT trojan capable of DDoS attacks, information wiping, and cyber espionage that Russia allegedly used in past cyberattacks to disable the Ukrainian power grid.

The campaign’s connection to BlackEnergy, combined with its heavy emphasis on infecting Ukrainian hosts using a command-and-control infrastructure specifically dedicated to that country, leads Talos experts to believe Ukraine may again be the primary target of an imminent cyber assault.

Talos observed markedly heavy infection activity in Ukraine on May 8 and again on May 17. Meanwhile, Symantec posted its own take on the threat, informing SC Media in emailed comments that while VPNFilter has spread widely, honeypot and sensor data seem to indicate that it is not scanning and infecting indiscriminately.

The malware compromises devices so that attackers can potentially spy on and collect their network traffic (including website credentials) and monitor Modbus supervisory control and data acquisition (SCADA) protocols used with industrial control systems.

It can even “brick” devices, individually or, far worse, en masse, rendering them unusable by overwriting a portion of the firmware and forcing a reboot. “In most cases, this action is unrecoverable by most victims, requiring technical capabilities, know-how, or tools that no consumer should be expected to have,” the Talos blog post explains.

“This shows that the actor is willing to burn users’ devices to cover up their tracks, going much further than simply removing traces of the malware,” the post continues. “If it suited their goals, this command could be executed on a broad scale, potentially rendering hundreds of thousands of devices unusable, disabling internet access for hundreds of thousands of victims worldwide or in a focused region where it suited the actor’s purposes.”

Affected products include Linksys, MikroTik, NETGEAR and TP-Link small and home office networking equipment, and QNAP NAS devices.

“The type of devices targeted by this actor are difficult to defend. They are frequently on the perimeter of the network, with no intrusion protection system (IPS) in place, and typically do not have an available host-based protection system such as an anti-virus (AV) package,” Talos warns in its blog post. “We are unsure of the particular exploit used in any given case, but most devices targeted, particularly in older versions, have known public exploits or default credentials that make compromise relatively straightforward.”

The modular malware consists of three stages. The first stage, which establishes persistence, is unique among IoT malware in that it can survive a reboot. It also uses multiple redundant command-and-control mechanisms to discover the current stage-two deployment server’s IP address.

Stage two is in charge of file collection, command execution, data exfiltration and device management, and also possesses the “kill” function that can brick devices. Stage three acts as a plug-in that provides the remaining known capabilities. “The capabilities built into the various stages and plugins of the malware are extremely versatile and would enable the actor to take advantage of devices in multiple ways,” Talos reports.

“VPNFilter is an expansive, robust, highly capable, and dangerous threat that targets devices that are challenging to defend,” warns Talos, which does suggest several mitigation techniques in its report. “Its highly modular framework allows for rapid changes to the actor’s operational infrastructure, serving their goals of misattribution, intelligence collection, and finding a platform to conduct attacks.”

In a security advisory, NETGEAR has advised running the latest firmware on routers, changing default admin passwords and ensuring that remote management is turned off.

“Given the list of compromised device models is large and potentially incomplete, it is recommended that everyone reboots their home routers and NAS devices one time,” said Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, in emailed comments. “This will remove any second- and third-stage malware from their devices, since the malware does not have persistence capabilities. It will leave the first stage in place, which will try to download the second stage again, but with law enforcement’s efforts to take down the known command-and-control infrastructure and the efforts by security vendors who provide equipment to internet service providers, the threat should be partially mitigated.”

Derek Manky, global security strategist at Fortinet, said in emailed comments that VPNFilter reminds him of BrickerBot, a wormable IoT malware capable of knocking unsecured IoT devices offline.

“Last year we talked about while the BrickerBot was not a worm with mass adoption yet, it was a precursor of things to come,” said Manky. “Forward to today, VPNFilter is the real deal, in the wild, and in full force, which makes it a much larger threat and quite concerning. This is a true brick, overwriting the first 5,000 bytes of memory,” resulting in a “dead state.”


2018 Is the Worst Year for Corporate Security; Executives Lack Cohesive Security Plan

Security executives fear cyberattacks will heavily target critical infrastructures in the near future, but they don’t seem to be doing much about enforcing security policies that also cover IoT devices. Despite the major threat they pose, connected devices have so far been overlooked in security policies. It appears that in general, in spite of the increasing awareness of high-profile cyberattacks and threats, enterprises tend to look the other way rather than invest properly in a cybersecurity strategy.

2018 appears to be the worst year in terms of corporate security, according to current research from Pwnie Express. In interviews with more than 500 security executives, IoT security has proven a major common concern as enterprises understand the growing risks of the threat landscape. However, if hit by a cyberattack, companies would mostly worry about the negative publicity their brand would receive.

One in three security professionals worry their businesses are not yet prepared to detect and contain IoT threats, while almost half fear the threats posed by consumer IoT devices because few can actually monitor them.

As many as 85 percent of security executives worry their countries will go through a crucial infrastructure attack in the next five years. However, although they believe IoT security is among their responsibilities, security professionals say they are rarely consulted when device purchasing decisions are made.

More than half of organizations dealt with malicious attacks in 2017. Contrary to expectations, small to medium-sized companies are more observant regarding employee practices and more security-aware than larger businesses. Eighty percent of executives named the BYOD trend a key concern because it is very difficult to keep track of activity. According to the report, larger companies are not even aware of the number of devices connected to their infrastructure, while SMBs are more aware of the actual number of entry points created into their network.

The number of attacks has gone up so far in 2018, as new classes of threats and more sophisticated attacks have been detected compared with previous years. The attack on Schneider Electric proved how cybercriminals “might cause physical damage to a plant, or even kill people by sabotaging safety systems before attacking industrial plants,” Reuters is quoted as saying in the report.

The report indicates malware (59 percent) and ransomware (32 percent) were not the only threats businesses dealt with in 2018. One-third of security executives said they struggled with DDoS attacks caused by IoT botnets. In addition, over 22 percent detected attacks on the wireless communications of access points. For the rest of the year and 2019, the attack surface will probably increase and more devastating attacks will take place on critical sectors such as healthcare, public health and energy, which have so far done a poor job in network security.


How to Stop Advanced Persistent Threats

A security professional’s guide to advanced persistent threats and how to stop and prevent them.

An advanced persistent threat can be as scary as it sounds. Gone undetected in an enterprise, these network breaches can lead to fraud, intellectual property theft or a headline-grabbing data breach.

Here’s what CISOs and IT security pros should know about this worrisome cybersecurity trend.

What are advanced persistent threats?

As you may have already guessed, an advanced persistent threat (APT) is no run-of-the-mill cybersecurity hazard. It involves cyber criminals penetrating your network and probing it for valuable data and other vulnerabilities. The average APT can last for many months and can do untold damage to an enterprise in stolen data and trade secrets. In 2016, attackers were lying in wait for six months, undiscovered within the networks of Ukrenergo, Ukraine’s national power company, before plunging Kiev into darkness in what would become an alarming reminder of the cybersecurity risks faced by the operators of critical infrastructure.

An advanced persistent threat is less of a “what” and more of a “who,” according to Keith McCammon, chief security officer and co-founder of Red Canary. As tempting as it is to ascribe the APT label to pernicious forms of malware, there’s something more human at play in an APT.

Muddied somewhat over the years by marketers and the media, advanced persistent threats represent an ongoing danger to organizations, beyond the latest malware strain or software vulnerability. APT describes “a determined, capable and deep-pocketed adversary,” said McCammon. “Note that evidence of an active, human adversary is a requirement; APT is not and has never been a malware classification.”

Over the past few years, APT has come to represent a wider set of attackers. “As the tactics, techniques and procedures (TTPs) of the ‘true APT’ have proliferated,” McCammon observed, “it is becoming increasingly difficult to tell whether an attack is perpetrated by a national actor, organized crime or an individual.”

In short, APTs are often characterized by sustained, sophisticated and multi-pronged efforts to gain access to an organization’s network and the computers and servers connected to it.

Advanced persistent threat examples

“Advanced persistent threats are threats that use advanced techniques to avoid detection, like anti-sandboxing, polymorphism and multiple-stage payloads, and also guarantee persistence on a compromised host across reboots by registering as a service, adding registry run entries” and the like, said Mounir Hahad, head of Juniper Threat Labs at Juniper Networks. “There are countless examples in the wild – GootKit banking Trojan, LockPoS point-of-sale malware, Lokibot infostealer – to name just a few.”

GootKit is notable for its evasiveness and the stealthy way it steals confidential data and sends it back to the operators of its command and control (C&C) server. Primarily targeting European bank account holders, the malware has been known to capture videos of victims’ desktops and dynamically inject fraudulent web content into the browsing sessions of users when they attempt to access their banking websites. To prevent detection by security tools, it checks for the presence of virtual machines that may be used by cybersecurity researchers to study the malware’s behavior.

Attackers use several methods to keep the pressure on enterprise networks and their users.

They often rely on botnets – historically networks of infected PCs, but now also legions of Internet of Things (IoT) devices – to establish a foothold on a compromised network, not to mention spread malware and spam. In many cases, they are used to launch distributed denial of service (DDoS) attacks that overwhelm a company’s internet-facing servers, often knocking the organization’s online services offline. It’s a blunt instrument compared to some stealthier APT tools, but it’s staggeringly effective in causing harm.

Spear phishing is a common tactic used by APTs. Instead of the shotgun approach used by most spammers, this type of attack uses social engineering and targets victims with specially crafted email messages that coax recipients into infecting their machines by clicking on malicious attachments. Betting that users will jump at seemingly legitimate emails from their bosses, attackers may research a company’s organizational structure, identify the leaders of various departments (finance, HR, etc.) and send out convincing emails urgently requesting that they review attached files or take some other action.

Of course, APTs don’t stop at the infiltration phase. Living up to the “persistent” part of advanced persistent threats, victims can expect an attacker’s foothold to expand over time. Eventually, infected systems begin to siphon data out of a network on an ongoing basis, a process that often goes undetected for extended periods of time.

How to prevent APTs

Now that you know what an APT is, here’s how to stop it.

Employee training

Apart from an organization’s IT professionals, it’s likely that cybersecurity is a low priority for rank-and-file employees just trying to earn a paycheck. Proper training can open their eyes to the severity of the threats they may face at work and help instill a security-first culture. Confirm the training with phishing simulations, periodic refreshers and tough policies that discourage unsafe behaviors.

Access control

As a general rule, APTs can’t harm what they can’t touch.

Network access control (NAC) enables IT departments to block attacks using a variety of access policies and parameters. If a device on a network fails an automatic security check (missing anti-virus software, an outdated or unpatched operating system, etc.), an NAC solution will block access, preventing the APT from spreading.

Meanwhile, identity and access management (IAM) can help keep attackers from hopping from system to system by using stolen credentials.

Administrator controls

Here are some strategies that systems administrators can use to take the bite out of APTs.

Given the prevalence of attacks that exploit buggy code, vulnerability assessments and rigorous patch management practices are a must. Echoing the NAC concept above, user access management should be tightly controlled. As a rule of thumb, only IT administrators and qualified personnel should be granted administrator access.

In terms of bulking up one’s defenses, intrusion detection and prevention solutions detect the signs of possible attacks, allowing security personnel to take corrective action fast. Erecting a web application firewall will help keep the ever-increasing amount of sensitive data stored in web-facing applications out of the hands of wrongdoers.

Although this is not an exhaustive collection of APT-blocking technologies and techniques, it’s a good starting point.

Penetration testing

One way to see how susceptible your network is to an APT is to act like one.

Penetration testing is a tried-and-true way of unearthing an organization’s security shortcomings. Whether conducted internally using red teams (attackers) and blue teams (defenders) or with an outside penetration testing service, the exercise can be used to shore up an organization’s cyber-defenses and keep IT security teams on their toes. So set up a threat-hunting team and establish ongoing testing of your vulnerabilities.

How to detect APTs

It’s already been established that APTs are often characterized by their stealthy and evasive nature. Fortunately, there are cybersecurity tools that can help unmask them.

User behavior analytics

User and entity behavior analytics (UEBA) is an indispensable tool in uncovering APTs. Increasingly employing artificial intelligence (AI), they monitor and analyze how users interact with an organization’s IT systems and can detect when they engage in anomalous behavior, often a sign that their accounts were hacked and an attacker has infiltrated the network.
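As an added illustration of the baseline-and-deviation idea behind UEBA (example code written for this article, not any vendor's implementation), the following Python script builds a per-user profile from constructed historical login events and scores new events against it. The event format, user names, countries, hosts and the alert thresholds are all assumptions made for the example.

```python
"""Baseline-and-deviation scoring of login events, in the spirit of UEBA.
Added example with constructed data; the event format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed historical login events: (user, ISO timestamp, source country, host)
HISTORY = [
    ("alice", "2018-05-01T09:05:00", "GB", "ws-alice"),
    ("alice", "2018-05-02T08:55:00", "GB", "ws-alice"),
    ("alice", "2018-05-03T09:10:00", "GB", "ws-alice"),
    ("alice", "2018-05-04T17:40:00", "GB", "ws-alice"),
    ("bob", "2018-05-01T22:00:00", "US", "db-01"),
    ("bob", "2018-05-02T23:15:00", "US", "db-01"),
    ("bob", "2018-05-03T21:45:00", "US", "ws-bob"),
]

# Constructed events to score against the baseline
NEW_EVENTS = [
    ("alice", "2018-05-21T09:02:00", "GB", "ws-alice"),  # matches her profile
    ("alice", "2018-05-21T03:14:00", "RO", "db-01"),     # new country, new host, odd hour
    ("bob", "2018-05-21T22:30:00", "US", "db-01"),       # matches his profile
    ("carol", "2018-05-21T12:00:00", "DE", "ws-carol"),  # never seen before
]


def build_baseline(events):
    """Collect, per user, the countries, hosts and hours of day seen in history."""
    baseline = defaultdict(lambda: {"countries": set(), "hosts": set(), "hours": set()})
    for user, ts, country, host in events:
        profile = baseline[user]
        profile["countries"].add(country)
        profile["hosts"].add(host)
        profile["hours"].add(datetime.fromisoformat(ts).hour)
    return baseline


def hour_distance(a, b):
    """Circular distance between two hours of day (23 and 1 are two hours apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score_event(baseline, event, hour_slack=2):
    """Return the list of ways an event deviates from the user's profile."""
    user, ts, country, host = event
    if user not in baseline:
        return ["no baseline for user"]
    profile = baseline[user]
    reasons = []
    if country not in profile["countries"]:
        reasons.append(f"new source country {country}")
    if host not in profile["hosts"]:
        reasons.append(f"new host {host}")
    hour = datetime.fromisoformat(ts).hour
    if all(hour_distance(hour, h) > hour_slack for h in profile["hours"]):
        reasons.append(f"unusual hour {hour:02d}:00")
    return reasons


def flag_anomalies(history, new_events, min_reasons=2):
    """Flag events with at least `min_reasons` deviations, or from users with no history.
    A single new host on its own is common enough to stay below the alert threshold."""
    baseline = build_baseline(history)
    flagged = []
    for event in new_events:
        reasons = score_event(baseline, event)
        if len(reasons) >= min_reasons or reasons == ["no baseline for user"]:
            flagged.append((event[0], event[1], reasons))
    return flagged


if __name__ == "__main__":
    for user, ts, reasons in flag_anomalies(HISTORY, NEW_EVENTS):
        print(f"{ts} {user}: {'; '.join(reasons)}")
```

Run as-is, the script flags Alice's 03:14 login from a new country onto a new host and Carol's login from an account with no history, while the two routine logins pass. Requiring two independent deviations before alerting is what keeps a single new laptop from paging the on-call analyst; a real UEBA product learns these profiles continuously and weights the signals instead of counting them.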

Deception technology

Turning the tables on attackers, deception technology lures attackers into attacking fake servers, services and many other networked IT resources of the kind found in the typical enterprise network. While attackers waste time and energy attempting to exfiltrate valuable data, security researchers gather valuable information about the methods they use, including insights into an attacker’s kill chain, and adjust their network defenses accordingly.

Network monitoring

Just like user behavior analytics, network monitoring can expose the suspicious activities that signal an APT.

“Detection of payloads can be done using network APT detection solutions, as well as endpoint AV engines,” Hahad explained. “Post-infection detection relies on Command and Control communication detection and anomaly-based detection combined with automated threat analytics platforms.”
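One concrete form of the command-and-control detection Hahad describes is looking for periodic outbound connections (“beaconing”), since implants typically check in with their server on a fixed timer. The Python script below is an added example written for this article, not a product's code: it parses a constructed connection log, groups connections by source, destination and port, and flags flows whose gaps between connections are numerous and nearly constant. The log format, the documentation-range IP addresses and the thresholds are assumptions.

```python
"""Periodic-connection ("beaconing") detector over connection-log lines.
Added example with constructed data; the log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log lines (documentation-range IPs, no real traffic):
# "<ISO time> <src> -> <dst>:<port> <bytes>"; one line is deliberately out of order.
LOG_LINES = """
2018-05-21T10:00:00 10.0.0.5 -> 203.0.113.10:443 512
2018-05-21T10:00:07 10.0.0.5 -> 198.51.100.20:80 2048
2018-05-21T10:05:01 10.0.0.5 -> 203.0.113.10:443 515
2018-05-21T10:09:59 10.0.0.5 -> 203.0.113.10:443 510
2018-05-21T10:12:30 10.0.0.5 -> 198.51.100.20:80 19000
2018-05-21T10:15:00 10.0.0.5 -> 203.0.113.10:443 514
2018-05-21T10:20:02 10.0.0.5 -> 203.0.113.10:443 511
2018-05-21T10:41:10 10.0.0.5 -> 198.51.100.20:80 700
2018-05-21T10:25:00 10.0.0.5 -> 203.0.113.10:443 513
""".strip().splitlines()


def parse_line(line):
    """Parse one log line into (timestamp, src, dst, port, bytes)."""
    ts, src, arrow, target, size = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected log line: {line!r}")
    dst, port = target.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port), int(size)


def group_flows(lines):
    """Map (src, dst, port) to a sorted list of connection times."""
    flows = defaultdict(list)
    for line in lines:
        ts, src, dst, port, _ = parse_line(line)
        flows[(src, dst, port)].append(ts)
    return {key: sorted(times) for key, times in flows.items()}


def detect_beacons(lines, min_count=5, max_cv=0.1):
    """Flag flows whose inter-connection intervals are numerous and nearly constant.
    Regularity is measured by the coefficient of variation (stdev / mean) of the gaps."""
    results = {}
    for key, times in group_flows(lines).items():
        if len(times) < min_count:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            results[key] = {"count": len(times), "period_s": avg, "cv": cv}
    return results


if __name__ == "__main__":
    for (src, dst, port), info in detect_beacons(LOG_LINES).items():
        print(f"{src} -> {dst}:{port} every ~{info['period_s']:.0f}s "
              f"({info['count']} connections, cv={info['cv']:.3f})")
```

On the constructed data the flow to 203.0.113.10:443 is reported with a period of roughly 300 seconds, while the irregular web traffic to 198.51.100.20 is not. The two thresholds are the operational knobs: `min_count` controls how long a suspect has to be observed before it can be scored, and `max_cv` sets how much jitter still counts as periodic. Implants that add random jitter to their sleep timer push the coefficient of variation up, which is why this check is combined with anomaly-based detection rather than used alone.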

How to respond to APTs

If you discover that you’ve been a victim of an APT, you need to fight back hard and fast.

It’s critical to collect all the relevant information, document the evidence, which may be in the form of log files or reports from security forensics tools, and report it to the proper personnel. With luck, the APT will be discovered early in the kill chain, especially if you’re using the right detection tools, which will allow IT security professionals to boot attackers, enact new policies, tighten controls, restrict access or take other actions to mitigate the APT and minimize the damage.

If an APT has burrowed deep into the network, take the affected systems offline and restore from a clean backup to effectively prevent attackers from accessing critical data, if they haven’t already done so. Before bringing affected systems back online, ensure that the vulnerability, malware or other cause of the breach has been addressed. Finally, prepare a formal report based on the lessons learned, along with policy recommendations to prevent a repeat.

APT solutions

On some level, nearly all security vendors can claim to be an APT vendor for the role their solutions play in detecting, responding to or preventing the spread of this type of threat. Combating APTs requires a combination of tools and techniques that ideally work in a somewhat synergistic manner, so looking at your overall security posture is a good place to start.

Fortunately, a number of advanced threat detection and prevention vendors offer products that check many boxes, although many enterprises will likely use various solutions from multiple vendors, tied together by a security information and event management (SIEM) product, to keep APTs at bay. Here’s a sampling, in alphabetical order.

  • Barracuda
  • Cisco
  • Fidelis
  • FireEye
  • Forcepoint
  • Fortinet
  • Kaspersky
  • McAfee
  • Red Canary
  • Symantec
  • Sophos
  • Trend Micro
  • Webroot


Verge [XVG]’s DDOS attack dampens the process of their blocks

According to a recent tweet by Vergecurrency, there has been a delay in their blockchain due to a DDOS attack, which raises security concerns in the community. Currently, there is FUD in the Verge community. There has been chaos, as they have seen such hacks and crashes in the past.

Verge tweet.

Despite the attack, investors are expecting the temporary decrease in the prices as an opportunity rather than a threat in their investment. In its Twitter community, there have been witty responses and genuine concerns.

toefur, a Twitter user commented:

“Full faith in the Verge Devs !! #vergefam . mean while I’ll keep buying the dip.”

Verger Army [XVG] commented:

“Doing some research maybe we should ask all the mining pools to implement Response Rate Limiting(RRL) walls in their code.”

Daniel Eberhardt, an optimistic twitter user commented:

“This is gonna cause a temporary decrease in price. The few that see this as an opportunity instead of a threat are the ones that will reap the rewards in the future.”

However, despite the vulnerability of the community at present, Vergecurrency posted in the comment section about their current competition, a giveaway of 10,000 ETH. The investors are expecting a new price discount on the token. In the cryptocurrency world, DDOS attacks are common, causing technical disruption in mining pools and thereby creating FUD in the market.

24-hour value graph.

Verge [XVG] is trading at a price of $0.052 with a market capitalization of $785.42 million at the time of writing. It has experienced a decrease of 0.36% in the last hour on 22nd of May 2018 and a drop of 6.71% in the last 24 hours in the market. Verge [XVG] holds the 31st position in the global cryptocurrency market as per CoinMarketCap.


Is the Internet of Things impossible to secure?

Device manufacturers can no longer afford to take a back seat when it comes to IoT security.

The use of Internet of Things (IoT) technology is growing rapidly as more consumers and businesses recognise the benefits offered by smart devices. The range of IoT hardware available is huge, including everything from smart doorbells and connected kettles to children’s toys. What’s more, this is not only limited to smart home tech for consumers. IoT sensors are being increasingly used by businesses of all sizes across numerous industries including healthcare and manufacturing. However, despite its life-enhancing and cost-saving benefits, the IoT is a security minefield. So, is it even possible to secure the IoT?

This was one of the themes discussed at this year’s Mobile World Congress (MWC). IoT technology featured heavily at the trade show, with connected items ranging from a passenger drone to the next generation of smart city technology, and IoT security taking centre stage. One session focused on how blockchain might help to secure IoT devices in the future. Best known as the backbone of cryptocurrency Bitcoin, blockchain is a shared ledger where data is automatically stored across multiple locations. The indisputable digital paper trail makes it ideal for financial applications, but it could also be applied to IoT.

IoT devices increase the amount of entry points into a home or business network, which in turn could give hackers access to devices such as computers that contain sensitive data. Using blockchain technology could reduce the risk of IoT devices being put at risk by a security breach at a single point. By getting rid of a central authority in IoT networks, blockchain would enable device networks to validate and protect themselves. For example, devices in a common group could potentially stop or alert the user if asked to carry out tasks that appear unusual, such as being commandeered by hackers to carry out Distributed Denial of Service (DDoS) attacks.

IoT security and drones

Also highlighted at MWC was the importance of securing IoT technology used by drones. Drone technology is a rapidly emerging sector within IoT, and the risk of hacking could not only cause a data breach but also pose a major risk to public safety. Thanks to their versatile applications and access to real-time data, commercial drones are used across a wide variety of sectors including agriculture, the military and construction, and have even been used to deliver packages, while consumer drones have also grown in popularity in recent years. However, as with many IoT devices, security is often an afterthought, leaving many drones vulnerable to hackers.

If a drone’s own telemetry data is accessed, hackers could take control of it while in the air. This could place people in physical danger if the drone was purposely crashed or hijacked to carry harmful substances such as explosives or chemical agents. A hacked drone could also be used for spying through on-board cameras, or malware could be installed enabling hackers to strip out sensitive data collected by the drone, including pictures and video.

While there is an increasing amount of drone legislation being introduced, much of the focus is on airspace and where drones are allowed to fly. However, the importance of securing the networks over which drones transmit data should not be underestimated.

Why is securing IoT technology such a big challenge?

Securing IoT devices is challenging for a number of reasons. A rapidly increasing number of gadgets are being turned into smart devices and as manufacturers roll out new products more quickly, little priority is given to security. Eventually we could see almost every home device connected to the Internet, not necessarily with any consumer benefit but instead geared towards data collection, which is incredibly valuable for manufacturers. A lack of awareness among consumers and businesses is also a major obstacle to security, with the convenience and cost-saving benefits of IoT tech appearing to outweigh the potential risks.

Another challenge is securing not only the IoT devices but also the networks over which their data is transferred. In the past, businesses haven’t always focused on building end-to-end security into the network. This is set to change as attitudes evolve, with 46 per cent of organisations ranking ‘securing IoT within the organisation’ as a high priority for 2018, according to the Hiscox Cyber Readiness Report.

What happens next?

So, is it really impossible to secure the Internet of Things? While it’s certainly a challenge, the industry is developing new ways to protect IoT devices from increasingly sophisticated hackers, and there will be significant opportunities for those working in the IoT security space. Blockchain may well be part of the solution, though a group effort will be needed to ensure that IoT technology evolves in a way that is both beneficial to consumers and businesses and secure from hackers.

Education is also key and makers of IoT devices, ISPs and the government must play a vital role in boosting awareness of IoT security among consumers and businesses. At a government level, it may also be necessary to provide education to boost the digital literacy of policymakers. More regulation and standardisation is needed to ensure that IoT devices adhere to a certain level of security, while manufacturers must develop clear privacy policies for their IoT devices and ensure that consumers know how to adjust the security settings. Even simple steps such as not setting default passcodes as ‘0000’ or ‘1234’ could help keep devices more secure in the future.

While security has too often taken a back seat in the development of IoT technology, manufacturers must begin to build protection into their devices. Network providers can also help address the IoT security threat by creating end-to-end infrastructure that meets industry-wide standards. Providers that offer a secure network will have a competitive advantage in the long run.


Man Sentenced to 15 Years in Prison for DDoS Attacks, Firearm Charges

A New Mexico man has been sentenced to 15 years in prison for launching distributed denial-of-service (DDoS) attacks on dozens of organizations and for firearms-related charges.

John Kelsey Gammell, 55, used several so-called booter services to launch cyberattacks, including VDoS, CStress, Inboot, and IPStresser. His targets included former employers, business competitors, companies that refused to hire him, colleges, law enforcement agencies, courts, banks, and telecoms firms.

Gammell took measures to avoid exposing his real identity online, including through the use of cryptocurrencies to pay for the DDoS attacks and VPNs. However, a couple of taunting emails he sent to his victims during the DDoS attacks – asking if they had any IT issues he could help with – were sent from Gmail and Yahoo addresses that had been accessed from his home IP address.

The man initially rejected a plea deal and his attorney sought the dismissal of the case, but in January he pleaded guilty to one count of conspiracy to commit intentional damage to a protected computer and two counts of being a felon-in-possession of a firearm. Gammell, a convicted felon, admitted having numerous firearms and hundreds of rounds of ammunition.

In addition to the 180-month prison sentence, Gammell will have to pay restitution to victims of his DDoS attacks, but that amount will be determined at a later date.


Vulnerable connected devices posing immense security risk to organisations

Even though thousands of smart devices are being regularly connected to enterprise networks, many organisations do not have security policies for connected devices, or their employees do not follow existing policies by the book.

In October last year, security researchers at both Check Point and Chinese security company Qihoo 360 Netlab discovered a new IoT botnet that they said was “more sophisticated than Mirai” and had been found on millions of IoT devices including routers and IP cameras from companies including GoAhead, D-Link, TP-Link, Avtech, Netgear, MikroTik, Linksys and Synology.
The researchers warned that threat actors behind the botnet could cause greater damage than Mirai and could essentially take down the Internet by recruiting IoT devices in the millions.
If we go by a new report from Infoblox, even though organisations are embracing IoT devices on a grand scale, most of them either ignore such warnings or do not believe that hackers can truly cause havoc by hacking into IoT devices.
A survey carried out by the firm revealed that in the UK, the United States and Germany, 35 percent of large organisations had more than 5,000 non-business devices connecting to their networks each day, and 10 percent of them had over 10,000 such devices connecting to their networks on average.
Over half of small businesses with 50 to 99 employees had more than 1,000 business devices connecting to their networks, and the same was true for one in every four small businesses with 10 to 49 employees, signifying how reliant organisations are on IoT devices for increased performance and efficiency.
In the UK and the US, around 39 percent of employees connect IoT devices to their organisations’ networks to access social media, 24 percent do so to download apps, 13 percent to download games and seven percent to download films. External devices connected to enterprise networks range from fitness trackers such as Fitbit or Gear Fit, digital assistants such as Amazon Alexa and Google Home, smart TVs and smart kitchen devices, to games consoles such as Xbox and PlayStation.
Even though thousands of such smart devices are being regularly connected to enterprise networks, a significant percentage of organisations either do not have security policies for connected devices, or their employees do not follow existing policies by the book.
While 24 percent of IT leaders from the US and UK surveyed by Infoblox did not know if their organisation had a security policy, 20 percent of them in the UK said they rarely, or never followed such policies. According to researchers, such non-adherence to security policies is exposing organisations to social engineering hacks, phishing, and malware injection.
“Vulnerable connected devices are easily discoverable online via search engines for internet-connected devices, like Shodan. Even when searching simple terms, Shodan provides details of identifiable devices, including the banner information, HTTP, SSH, FTP, and SNMP services.
“And, as identifying devices is the first step in accessing devices, this provides even lower level criminals with an easy means of identifying a vast number of devices on enterprise networks that can then be targeted for vulnerabilities,” they warned, highlighting the fact that in March, there were 5,966 identifiable cameras deployed in the UK, 1,571 identifiable Google Home devices deployed in the US, and 2,346 identifiable Smart TVs deployed in Germany.
Not only can vulnerable connected devices be exploited by hackers to infiltrate an enterprise network and to exfiltrate data via the DNS port, they can also be hijacked to launch DDoS attacks by sending repeated and frequent queries that bombard the Domain Name System (DNS) servers, thereby inhibiting the ability of a network to process legitimate queries.
For instance, the Mirai botnet leveraged over 600,000 IoT devices to target DNS service provider Dyn in 2016. This resulted in the repeated interruption to Dyn’s services and shutting down of popular websites including Twitter, Netflix, Reddit, and CNN.
“IoT devices are not protected by nature. We need them to improve our businesses and life, but they are a very easy attack surface, and by far the easiest way to get into an organisation, enabling hackers to scan your network, install malware, conduct reconnaissance, and exfiltrate data by bypassing other security mechanisms,” said Daniel Moscovici, co-founder of Cy-oT, to SC Media UK.
“The real risk is the fact that these devices are an open door in and out of an organisation. For example, if a hacker is able to infiltrate a video camera, they would be able to steal your pictures and videos; however, this is not the main issue. More importantly, the hacker can reach your more sensitive assets by accessing your network though an insecure device.”
The report also revealed that a number of organisations, especially those in the healthcare industry, are now taking steps to strengthen the security of their enterprise networks. While 85 percent of them have increased their cybersecurity spending over the past year, 60 percent and 57 percent of them respectively invested heavily in antivirus software and firewalls.
At the same time, half of organisations have invested in network monitoring, one third have invested in DNS security solutions to disrupt DDoS attacks and data exfiltration, 37 percent have taken steps to secure their web applications, operating systems, and software, and a third of them are investing in employee education, email security solutions and threat intelligence. However, Moscovici believes these steps aren’t enough.
“We have seen organisations investing a lot of money in mechanisms to protect their networks, perimeters, and endpoints, so attackers will use the path of least resistance in terms of attack surface – connected devices, especially in a wireless environment. However, organisations are unaware that it’s not only the corporate network that is in danger; its airspace is also under threat. Hackers can connect via P2P directly to these assets and, from there, get into the corporate network.”
He added that while many connected devices have built-in vulnerabilities, they can also be exposed through unsecured cloud or web application services, and sometimes wireless networks surrounding IoT devices are also highly unprotected.
“What is needed is a dedicated cyber-security solution that monitors both the IoT device and its activity 24 x 7, and can neutralise the threat. By doing this, an organisation will be able to detect when and which devices are at risk, as well as mitigate the threat in real time without physically looking for it. The answer does not lie within the device itself, but with a solution that brings your Security Operations Team visibility and control,” he added.
Commenting on the widespread use of vulnerable connected devices, Alex Hinchliffe, threat intelligence analyst at Unit 42 of Palo Alto Networks, said that the proliferation of IoT expands the attack surface for enterprise networks.
“Our own research recently into the Satori malware family demonstrates that IoT malware is evolving all the time from the simple password brute force attack to the vulnerability exploit attack. It would be a notable trend if IoT malware authors continue to rely on using more known vulnerabilities or discovering zero-day vulnerabilities to attack IoT devices.
“Complete visibility is crucial for security teams trying to prevent these attacks. You cannot prevent attacks you cannot see. Visibility and zero-trust network design are critical to safeguard users, their devices and other corporate assets and to see who’s doing what, where and with which devices.
“The move to a classic zero-day attack against unknown, unpatched vulnerabilities is a logical next step on the part of attackers, which is why security policies for connected devices are essential, and these have to be correctly communicated to staff as well as being built into security systems. Enforcing policies requires a mix of company processes and technology to successfully implement them,” he added.

Cybercrime Poses a Mounting Problem in Taiwan

“White hat” hackers and cyber-cops fight crime in Taiwan’s heavily attacked cyberspace.

Cybercrime is a growing problem in Taiwan and around the world, cybersecurity experts and law enforcement officers agree.

“It’s absolutely on the rise because everything is connected to the internet – you can shop online, can do anything,” says Wu Fu-mei, acting director of the Information and Communications Security Division within the Ministry of Justice Investigation Bureau. Along with network and mobile devices, the proliferation of connected IoT (internet of things) devices has created a vastly expanded pool of potential targets, many of which are only lightly protected from infection.

Incidents of software supply chains being infected with malware rose 200% last year, while targeted attacks were up 10% and mobile malware rose by 54% in 2017 in annual comparisons, according to global cybersecurity firm Symantec. The company notes that ransomware, in which an organization’s data is infected and encrypted by a hacker – to be decrypted only after payment of a ransom – has become so routine that the average ransom demanded dropped to only US$522 in 2017, less than half the 2016 average.

The Dark Web and the sudden rise of cryptocurrencies are key enablers of cybercrime. The Dark Web, the part of the internet accessible only through encrypted browsers such as Tor, provides criminals with an untraceable space for conducting illicit business ranging from hiring killers to obtaining illegal drugs – and buying and selling personal data stolen in data breaches. These transactions are now mostly done in Bitcoin or other cryptocurrencies, which use transparent blockchain technology but are anonymous.

“Both the Dark Web and digital currency are very difficult to trace,” notes MJIB’s Wu. “When we are investigating crimes we need to find two things: the cash flow and the information flow. The use of digital currency can hide the cash flow, and use of the Dark Web can hide the information flow.”

She adds that the relative ease and safety of cybercrime contributes to its appeal. “It’s a fairly easy way of doing crime. You don’t have to invest a lot, and you can commit a lot of crime by just sitting at a desk,” she says.

To cybersecurity experts, Taiwan’s digital landscape is a dystopian cyber-wilderness where malware bots hunt; hackers blackmail, rob, and vandalize; and our connected devices can be possessed by viruses and turned against us.

Shaking the doorknob

Taiwan receives tens of millions of attacks every month, most of them little more than “shaking the doorknob” to see if somebody forgot to secure an entry point. Many full-on attacks also occur that have resulted in massive data breaches and ransom payments. A lack of basic password protection on the part of an alarming number of firms and individuals means that hackers need not bother searching for back doors when the front door is wide open for intrusion and infestation.

Once inside, the malware takes increasing control over the device or server, often without impacting its usual functions. Cases of IP cameras that continue to record video even after being turned off, and of IoT household appliances recruited into a virtual army for distributed denial of service (DDoS) attacks at the behest of unseen masters, have been widely reported in the media.

Doing battle against these hidden attackers is Taiwan’s army of “white hat” hackers in both the government cybersecurity agencies and the private sector. “It’s like a war,” says Allen Own, co-founder and CEO of cybersecurity consulting startup Devcore. “And there is an information disparity. The attackers always know more than the enterprise.”

Malware bots are endlessly scanning the internet for system and device vulnerabilities, and even the smallest lapse in password protection, coding, or design can result in a wholesale invasion. “Security is decided by the least secured links, which are everywhere,” says Steven Chen, CEO and co-founder of PFP Cybersecurity, a Silicon Valley startup that has entered the Taiwan market.

Cybersecurity systems and technologies have advanced to the point that firewalls, APT (Advanced Persistent Threat) deterrence, and other cybersecurity defense systems are now capable of fending off even the most sophisticated hacks. What is generally behind successful cyber-attacks is the weak link of the human factor. Symantec says that 71% of successful hacks are due to phishing, in which people open a bogus email that exposes their computer and thus their organization’s servers to infestation. Phishing attacks have brought down even the most internet-savvy people.

According to Hans Barre of Silicon Valley-based digital and social cybersecurity firm RiskIQ, corporate executives and brands from Taiwan and around the world are at huge risk of being “counterfeited.” An individual or organization may set up a profile on LinkedIn, for example, purporting to be a company executive. When this fraudulent identity makes contact with other industry professionals, they are easily fooled into exchanging emails and inviting the hacker right into their corporate networks, exposing all of their private data to theft.

Devcore deals with human error of a different kind, often involving website developers and programmers who make sloppy or inadvertent errors in their product, leaving it exposed to hackers. When programmers code websites in languages such as Java, PHP, or Ruby, mistakes or carelessness in the code might leave the site vulnerable to infection. Such errors can expose the site or its SQL (Structured Query Language) databases, allowing hackers to access the databases and basically wreak havoc on the system.

“These mistakes are the fault of the developer,” Own notes, adding that although he and the other 12 consultants at Devcore “might not be as good in these programming languages as actual developers are,” “we are good at finding vulnerabilities.”

Devcore’s assignment is to act as the Red Team hackers, a term borrowed from military jargon used in war games, where the Red Team plays the role of attacker, while the Blue Team plays defense. Own’s team hacks the client’s website searching for vulnerabilities, which they usually find not in the main websites, but in developer-created websites that the company might not even be aware of.

Often website developers make a second website that mirrors the main site and is used as a practice and work site for future development. However, the second site is generally not protected as well as the first one, and can be a major point of system infection.

“The enterprise will defend the most important website that they own but the hackers will attack their other, less well-protected sites – the security level is lower,” explains Own. “They know that they have several websites but they don’t know which ones are vulnerable. But we know every website that they have, even if the company itself doesn’t know.”

Own says that along with his role operating his company, he has also been one of the organizers of HITCON – the “Hacks in Taiwan” conference – for 14 years. The main purpose of the conference is to “teach the government and enterprise what security is, and how to keep your website secure.” This year’s HITCON is scheduled for July 27-28 at the Taipei Nankang Exhibition Center.

Benson Wu, co-founder of Taiwanese cybersecurity startup CyCarrier Security, aims to solve the problem of human error by removing humans from the security system as far as possible, relying instead on Artificial Intelligence (AI) for monitoring. He notes that even top-line cybersecurity platforms are only as good as their operators, with most requiring well-trained staff. “But the reality is that you often can’t find such experts because that talent is already working directly in the cybersecurity industry,” he says.

Industry insiders say that AI and Machine Learning (ML) are already being deployed on both sides of the cybercrime battle. Wu says that his company’s system never gets tired, never misses a warning, and can reduce the time for discovery of a system breach from months to a matter of days. As such efficiency doesn’t come cheap, Wu says CyCarrier Security is targeting only the top-tier companies in Taiwan and abroad that have the money and awareness to pay for a top-line cybersecurity platform. He adds that he doesn’t need to do much of a sales pitch. He simply sets up the platform to evaluate how many times and for how long the company has been breached. “They sign up right away after they see the results,” he says.

Threats against Taiwan are usually attributed to China, but recent experience shows that is not always true, including the heists of First Bank by Russian hackers and the Far Eastern Bank by the North Korean-linked Lazarus gang. Taiwan produces its own home-grown hackers as well, as a recent case cited by the MJIB cybercrimes unit attests.

In that case, securities firms were threatened with a DDoS attack if they didn’t pay a ransom in Bitcoin to the hacker. “Most companies paid the ransom, but one did not and its whole computer system was hacked and paralyzed,” says MJIB’s Wu. The MJIB was called in and traced the hacker through the email that he had sent to the company. The culprit turned out to be a 20-year-old Taiwanese who told investigators that he had pulled off similar attacks numerous times, but had already spent the money he gained. He now faces up to five years in prison.

With the threat of cyberattacks now being taken more seriously in Taiwan, demand for cybersecurity talent is increasing and salaries are rising accordingly. But Taiwan’s cybersecurity professionals are also fervently committed to the cause.

“Making money is necessary, but doing business is not my only concern,” says Devcore’s Own. “My company and I are passionate about cybersecurity in Taiwan.”


Frequency & Costs of DNS-Based Attacks Soar

The average cost of a DNS attack in the US has climbed 57% over the last year to $654,000 in 2018, a survey from EfficientIP shows.

The frequency of Domain Name System (DNS) attacks and the costs associated with addressing them are both increasing sharply, a new survey by EfficientIP shows.

The DNS management vendor recently had research firm Coleman Parkes poll about 1,000 IT managers in North America, Asia, and Europe on the causes and responses to DNS-based threats.

The results showed that the global average costs of DNS attacks have surged 57% over 2017 to $715,000 in 2018. In the past 12 months, organizations faced an average of seven DNS attacks. Some of the victims ended up paying more than $5 million in associated costs. One in five (22%) organizations suffered business losses to DNS attacks.

The costs per DNS attack associated with remediation, recovery, and business disruption tended to vary by region. In North America, organizations in the US had the highest average costs, at around $654,000. Companies in the region also experienced the steepest year-over-year increase in costs at 82%. Overall, though, organizations in France had higher costs associated with DNS attacks than anywhere else, with victims spending an average of $974,000 on one.

“DNS attacks cost so much because consequences are instantaneous, broad, and very difficult to mitigate without the appropriate technology,” says Ronan David, senior vice president of strategy for EfficientIP. “In modern networks, DNS is routing access to almost all applications.”

Contributing to the high attack costs and overall complexity is the fact that DNS is both an attack vector and a target, he says. Attackers can use the DNS infrastructure as a vector for stealing data, for communicating with command and control servers, for setting up malicious phishing and spam domains, and for enabling other kinds of malicious activity. Other attacks, though, are targeted at disrupting DNS services directly, such as DNS distributed denial-of-service (DDoS) attacks.

DDoS attacks against DNS infrastructure in particular can be very costly to remediate, chiefly because such attacks are asymmetric, says Cricket Liu, chief DNS architect at Infoblox. “An attacker just needs to hire a botnet for a few hours to launch the attack, but the organization targeted needs to build excess capacity and maintain it year-round,” in addition to possibly using a DDoS mitigation service, Liu says.

The five most common DNS-based attacks in EfficientIP’s survey included those in which DNS is used as an attack vector and those in which an organization’s DNS infrastructure is the target. Topping the list for 2018 is DNS-based malware followed by phishing, DNS tunneling, domain lock-up, and DNS-based DDoS attacks.

“With 33% of people having suffered data theft, DNS is certainly one of the most powerful attack vectors,” says EfficientIP’s David. At the same time, the survey also showed that 40% of cloud-based application downtime is caused by attacks aimed at DNS servers and services.

Hackers are developing sophisticated new multivector, multistage, and distributed DNS attacks. The exponential rise of connected devices, Web-based applications, and interconnected networks is giving them a broader surface to attack as well, David says. “DNS is, therefore, a primary vector and target leading to higher damage costs.”

Merike Kaeo, CTO at Farsight Security, says DNS is a more fundamental and complex protocol than most people realize. “It is critical to not only name and address resolution but can also be utilized to define email servers associated with a domain name, identify service locations, specify type of OS or CPU on a host, and other Internet-related activities.”

As attacks against DNS increase and become more sophisticated, it’s no surprise that remediation costs are increasing as well, Kaeo says. What surveys like those by EfficientIP show is that organizations need to start paying attention to their DNS infrastructure, she says.

“Know which domains you use and what can potentially be abused,” Kaeo notes. Pay attention to the security practices of registries and registrars and implement controls for determining changes in DNS traffic patterns and for blocking unknown domains, she says.

Review your existing mechanisms for dealing with DNS threats as well, says David. Most are simply workarounds that are not designed specifically for dealing with DNS threats. As an example, he points to data exfiltration attacks via DNS. The appropriate detection capacity requires real-time and context-aware DNS traffic analysis for behavioral threat detection, he says.

“DNS is by design an open service on the network which is not correctly monitored, and for which a traditional security solution cannot protect efficiently,” he notes. “DNS is mission-critical. When it goes down, the business is down.”
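The kind of DNS traffic-pattern check Kaeo and David call for, as an added example rather than EfficientIP's or Farsight's own code: it parses constructed query-log lines, scores each registered domain on how much its query prefixes look like encoded payload (entropy, length, never-repeating labels), and lists domains missing from an allowlist. The log format, thresholds and the domain names are all assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (not from the article): "epoch client qname qtype".
# The high-entropy, never-repeating labels under exfil-example.test mimic a tunnel.
SAMPLE_LOG = """\
1527100001 10.0.0.12 www.example.com A
1527100002 10.0.0.12 mail.example.com MX
1527100003 10.0.0.31 6a7f3c9e1b2d4f80.t.exfil-example.test TXT
1527100004 10.0.0.31 9e2c4b1a7f6d3e50.t.exfil-example.test TXT
1527100005 10.0.0.31 3b8d1f7a2c9e6d40.t.exfil-example.test TXT
1527100006 10.0.0.31 d4e5f6a7b8c9d0e1.t.exfil-example.test TXT
1527100007 10.0.0.31 0f1e2d3c4b5a6978.t.exfil-example.test TXT
1527100008 10.0.0.12 cdn.example.com A
1527100009 10.0.0.45 login.example.com A
1527100010 10.0.0.31 a1b2c3d4e5f60718.t.exfil-example.test TXT
"""


def shannon_entropy(text):
    """Bits per character; encoded payloads score far higher than plain hostnames."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Parse whitespace-separated log lines into records; malformed lines are skipped.
    The registered domain is naively taken as the last two labels (no public-suffix list)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        labels = qname.lower().rstrip(".").split(".")
        records.append({
            "ts": int(ts), "client": client, "qname": qname, "qtype": qtype,
            "domain": ".".join(labels[-2:]),
            "prefix": "".join(labels[:-2]),  # data-carrying labels, dots removed
        })
    return records


def score_domains(records, min_queries=5, entropy_threshold=3.0,
                  length_threshold=12, unique_ratio_threshold=0.8):
    """Per registered domain: average prefix entropy and length, share of prefixes
    that never repeat, and a 'suspicious' verdict when all three are high."""
    by_domain = defaultdict(list)
    for rec in records:
        by_domain[rec["domain"]].append(rec["prefix"])
    report = {}
    for domain, prefixes in by_domain.items():
        n = len(prefixes)
        avg_entropy = sum(shannon_entropy(p) for p in prefixes) / n
        avg_len = sum(len(p) for p in prefixes) / n
        unique_ratio = len(set(prefixes)) / n
        report[domain] = {
            "queries": n,
            "avg_entropy": round(avg_entropy, 2),
            "avg_prefix_len": round(avg_len, 1),
            "unique_ratio": round(unique_ratio, 2),
            "suspicious": (n >= min_queries and avg_entropy >= entropy_threshold
                           and avg_len >= length_threshold
                           and unique_ratio >= unique_ratio_threshold),
        }
    return report


def unknown_domains(records, known_domains):
    """Registered domains seen in the log that are not on the allowlist."""
    return {rec["domain"] for rec in records} - set(known_domains)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for domain, metrics in score_domains(recs).items():
        print(domain, metrics)
    print("not on allowlist:", unknown_domains(recs, {"example.com"}))
```

On real resolver logs the thresholds need tuning per environment, since CDNs and some anti-malware products also emit long, high-entropy labels.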


Hackers behind Mirai botnet & DYN DDoS attacks plead guilty

A group of three hackers have pleaded guilty to their role in developing, spreading and using the Mirai malware botnet to conduct large-scale Distributed Denial of Service (DDoS) attacks on some of the Internet’s most popular websites and on Dyn DNS, a prominent Domain Name System (DNS) service provider.

Pleading guilty

In a proceeding that took place in US District Court for Alaska on November 28th, Paras Jha pleaded guilty to six charges including developing and operating the Mirai botnet, while Dalton Norman and Josiah White, his partners in crime, also pleaded guilty to their role in the campaign in which Mirai was used for criminal activities.

In January this year, Jha’s father Anand Jha denied his son’s role in Mirai’s scheme and said “I know what he is capable of. Nothing of the sort of what has been described here has happened.” However, according to the court documents released on Tuesday, Jha admitted his crime.

Furthermore, court documents revealed that Jha erased the device he used to run Mirai on. Paras Jha “securely erased the virtual machine used to run Mirai on his device. Jha posted the Mirai code online in order to create plausible deniability if law enforcement found the code on computers controlled by Jha or his co-conspirators,” said one of the court documents.

Damage caused by Mirai

On October 21st, 2016, Mirai malware caused havoc by hijacking millions of IoT devices including security cameras and hit some of the most popular websites on the Internet, including the servers of Dyn. The sites that were forced to go offline included Reddit, Amazon, the New York Times, Twitter and hundreds of others.

As a result, Internet services in the United States, India, Japan and some parts of Europe suffered major interruption. Like other botnets, Mirai also compromised Internet of Things (IoT) devices including security cameras and DVRs to carry out attacks against Dyn, Brian Krebs’ blog and OVH hosting servers in France.

Hackers also conducted click fraud through Mirai and made nearly 100 bitcoin, worth more than $1.6 million today due to a massive increase in Bitcoin’s value. But the trio did not stop there: soon after targeting Dyn, the source code for Mirai was leaked online and was later used by several other hackers to carry out DDoS attacks.

A list of usernames and passwords included in the Mirai source code.

The person who claimed to leak the source code gave his name as Anna-senpai; however, on October 4th, 2016, security journalist Brian Krebs claimed Senpai is actually Jha, but Jha denied the allegation and his role in the development of the Mirai botnet.

According to Department of Justice’s press release, Paras Jha has also admitted his responsibility for multiple hacks of the Rutgers University computer system.

“Paras Jha has admitted his responsibility for multiple hacks of the Rutgers University computer system,” said Acting U.S. Attorney Fitzpatrick. “These computer attacks shut down the server used for all communications among faculty, staff, and students, including assignment of coursework to students, and students’ submission of their work to professors to be graded. The defendant’s actions effectively paralyzed the system for days at a time and maliciously disrupted the educational process for tens of thousands of Rutgers’ students. Today, the defendant has admitted his role in this criminal offense and will face the legal consequences for it.”

Plea agreements

According to a document (PDF) shared by Brian Krebs, under Jha’s click fraud guilty plea agreement, he would hand over 13 bitcoin to the United States government. White, on the other hand, has agreed to pay 33 bitcoin. The current price of 33 Bitcoin is more than $547,469 while 13 Bitcoin is $215,669.
