The new attack method allows hackers to shut down targets’ networks for longer periods while simultaneously conducting attacks on multiple targets.
Hackers have begun launching a new kind of DDoS attack designed to boost the scale of attacks by targeting soft spots in traditional DDoS mitigation tactics. Dubbed “Pulse Wave”, the new attack technique allows hackers to shut down targeted organisations’ networks for prolonged periods while simultaneously conducting attacks on multiple targets.
The new attacks may render traditional DDoS mitigation tactics useless, experts say. Some of the pulse wave DDoS attacks detected lasted for days and “scaled as high as 350 Gbps”, according to security researchers at Imperva, who first spotted the new threat.
“Comprised of a series of short-lived pulses occurring in clockwork-like succession, pulse wave assaults accounted for some of the most ferocious DDoS attacks we mitigated in the second quarter of 2017,” Imperva researchers said in a report.
The researchers said they believe that the pulse wave technique was “purposefully designed” by “skilled bad actors” to boost hackers’ attack scale and output by taking advantage of “soft spots in hybrid ‘appliance first, cloud second’ mitigation solutions.”
Traditional DDoS attacks involve a continuous barrage of assaults against a targeted network, while pulse wave involves short bursts of attacks that have a “highly repetitive pattern, consisting of one or more pulses every 10 minutes”. The new attacks last for at least an hour and can extend to even days. A single pulse is large and powerful enough to completely congest a network.
“The most distinguishable aspect of pulse wave assaults is the absence of a ramp-up period — all attack resources are committed at once, resulting in an event that, within the first few seconds, reaches a peak capacity that is maintained over its duration,” the Imperva researchers said.
ulse wave takes advantage of appliance-first hybrid mitigation solutions by preying on the “Achilles’ heel of appliance-first mitigation solutions”, – the devices’ incapability of dealing with sudden powerful attack traffic surges.
The Imperva researchers said the emergence of pulse wave DDoS attacks indicates a significant shift in the attack landscape. “While pulse wave attacks constitute a new attack method and have a distinct purpose, they haven’t emerged in a vacuum. Instead, they’re a product of the times and should be viewed in the context of a broader shift toward shorter-duration DDoS attacks,” researchers said.
The Imperva researchers predicted that such attacks will continue, becoming more persistent and growing, boosted via botnets.
Teenagers have typically not been known as the most motivated demographic, napping through classes and slouching through shifts at McDonald’s.
While yelling at a 16-year-old four times just to get him to unload the dishwasher is annoying, consider the other end of the spectrum: the ambitious 16-year-old who earned over $500,000 USD by building a DDoS stresser responsible for 1.7 million attacks, causing millions of dollars in damages.
It’s cool Brayden, you can unload the dishwasher later.
A successful distributed denial of service or DDoS attack is one in which a website or online service is overwhelmed by malicious traffic or requests, pushing the site or service offline so it’s unavailable to its users. DDoS attacks have been big news the last few years. Big news to website owners who have had users frustrated by downtime, to business owners who have suffered reputation damage and monetary losses, to the public at large who have been unable to use websites and services big and small because of these attacks, and big news to the media itself who have been devoting headlines to the ever-growing scourge of attacks.
One of the main reasons for the increase in attacks has been DDoS for hire servers, otherwise known as booters or stressers. For as little as a few dollars, anyone with an internet connection can buy access to a service that allows them to aim a DDoS attack at the targets of their choosing. Stressers are so named because they masquerade as a legitimate tool, one that stresses a server to test its reliability.
This is where Adam Mudd comes in.
In the Mudd
When Adam Mudd was just 16 years old he went to work on the computer in his bedroom and created what he called the Titanium Stresser. Mudd himself carried out 594 distributed denial of service attacks, including an attack against his former college, but those nearly 600 attacks were but a drop in the bucket compared to how busy his stresser got when he opened it up as a DDoS for hire service.
In just over two years the Titanium Stresser racked up 112,000 registered users who launched 1.7 million DDoS attacks against 660,000 IP addresses. There were obviously many repeat targets amongst those 660,000 IP addresses, perhaps most notably the company behind the online game RuneScape which was hit 25,000 times and led to the company spending roughly $10 million in mitigation efforts. Other notable targets of the Titanium Stresser included Sony, Xbox Live, Microsoft and Team Speak. Mudd reportedly earned over $500,000 from his stresser service.
It all came to an end for Mudd in March of 2015 when the police arrived at his parents’ house. Mudd refused to unlock his computer until his father intervened. He has since pleaded guilty to three charges under the United Kingdom Computer Misuse Act, and one charge of money laundering. He was sentenced to 24 months in jail.
The big picture
Mudd was nothing more than a teenager in the bedroom of his parents’ house, yet his stresser service caused millions of dollars in quantitative damages and untold further damages when it comes to lost productivity, lost user loyalty and lost revenue in both the short and long term. There are Adam Mudds all over the world, many more experienced, running stresser services that are just as successful as the Titanium Stresser and even more so.
Further, while Mudd’s arrest and conviction is a success for law enforcement, he joins a list of recent DDoS-related arrests that include members of the famed Lizard Squad, owners of the vDos botnet, and three dozen patrons of stresser services. Hackforums, the biggest hacking forums in the world, also recently banned DDoS for hire services. All seemingly good things. Yet the number of DDoS attacks being perpetrated hasn’t gone down. When the FBI or Interpol shuts down a stresser service, another stresser service simply scoops up its customers.
The lesson here has to be that DDoS attacks can be perpetrated by anyone and aren’t going anywhere anytime soon. With stresser services so affordable and accessible, almost every website on the internet is a potential target, and potentially a repeat target. Without professional DDoS protection, websites will be left picking up the pieces and paying exorbitant sums in order to do so.
Records request denied because FCC made no “written documentation” of attack.
The US Federal Communications Commission says it has no written analysis of DDoS attacks that hit the commission’s net neutrality comment system in May.
In its response to a Freedom of Information Act (FoIA) request filed by Gizmodo, the FCC said its analysis of DDoS attacks “stemmed from real time observation and feedback by Commission IT staff and did not result in written documentation.” Gizmodo had asked for a copy of any records related to the FCC analysis that concluded DDoS attacks had taken place. Because there was no “written documentation,” the FCC provided no documents in response to this portion of the Gizmodo FoIA request.
The FCC also declined to release 209 pages of records, citing several exemptions to the FoIA law. For example, publication of documents related to “staffing decisions made by Commission supervisors, draft talking points, staff summaries of congressional letters, and policy suggestions from staff” could “harm the Commission’s deliberative processes,” the FCC said. “Release of this information would chill deliberations within the Commission and impede the candid exchange of ideas.”
The FCC also declined to release internal “discussion of the Commission’s IT infrastructure and countermeasures,” because “It is reasonably foreseeable that this information, if released, would allow adversaries to circumvent the FCC’s protection measures.”
The FCC did release 16 pages of records, “though none of them shed any light on the events that led to the FCC’s website crashing on May 8,” Gizmodo wrote yesterday. “The few e-mails by FCC staff that were actually released to Gizmodo are entirely redacted.”
The Gizmodo article comes in the same week that the FCC refused to release the text of more than 40,000 net neutrality complaints that it has received from Internet users since June 2015. Pai has claimed that net neutrality rules were a response to “hypothetical harms and hysterical prophecies of doom,” but most complaints to the FCC about potential net neutrality violations by ISPs are being kept secret. (The FCC did release 1,000 of the complaints to the National Hispanic Media Coalition, which had filed a FoIA request.)
Pai has claimed that his proposed repeal of net neutrality rules is using a “far more transparent” process than the one used to implement net neutrality rules in 2015.
UPDATE: The FCC released a statement this afternoon claiming that it is “categorically false” to suggest that “the FCC lacks written documentation of its analysis of the May 7-8 non-traditional DDoS attack that took place against our electronic comment filing system.” The FCC statement said there is publicly available written analysis in the form of a letter to Congress (which we quoted and linked to in the next section of this article). The FCC statement also said it has “voluminous documentation of this attack in the form of logs collected by our commercial cloud partners,” which has not been released publicly.
But again, the FCC refused to provide its internal analysis of the attack, which is what Gizmodo requested. The FCC’s new statement says that “Gizmodo requested records related to the FCC analysis cited in [CIO] David Bray’s May 8 public statement about this attack. Given that the Commission’s IT professionals were in the midst of addressing the attack on May 8, that analysis was not reduced to writing. However, subsequent analysis, once the incident had concluded, was put in writing.”
We asked the FCC to provide this “subsequent analysis,” and haven’t heard back yet.
The FCC’s position seems to be that it wasn’t asked to provide any analysis that was written down after May 8. But Gizmodo requested “A copy of any records related to the FCC ‘analysis’ (cited in Dr. Bray’s statement) that concluded a DDoS attack had taken place.” The FCC’s analysis after May 8 did not change—the commission continues to say it was hit by DDoS attacks. Yet the FCC refused to provide records related to its analysis that it was hit by DDoS attacks.
“We asked for all records ‘related to’ this analysis (emails, etc.), not just the analysis itself, which they claim does not exist,” Gizmodo reporter Dell Cameron wrote on Twitter.
Ars’ FoIA request denied
Separately, Ars filed a FoIA request on May 9 for e-mails and other communications and records related to the attack on the net neutrality comment system and related downtime. The FCC denied our request on June 21, saying that “due to an ongoing investigation we are not able to release records associated with this incident.”
Ars appealed that decision to the FCC on June 30 in light of Chairman Ajit Pai’s statement to US senators that the FBI is not investigating the comment system attack.
“In speaking with the FBI, the conclusion was reached that, given the facts currently known, the attack did not appear to rise to the level of a major incident that would trigger further FBI involvement,” Pai wrote to Senate Democrats who asked for more details about the attacks and the FCC’s response to the attacks.
The FCC has not responded to our FoIA appeal or to a followup e-mail we sent on Tuesday this week.
UPDATE: The FCC responded to our FoIA appeal two hours after this story published, saying it won’t release the e-mails and other records because of an internal investigation.
“An internal investigation into the matter is under consideration,” the FCC told us. “Agency staff have concluded that release of the records you requested could be reasonably expected to impede and interfere with this investigation.”
Comment system failure and DDoS analysis
The FCC’s website failure temporarily prevented the public from commenting on Pai’s controversial proposal to dismantle net neutrality rules. The downtime coincided with a heavy influx of comments triggered by comedian John Oliver’s HBO segment criticizing Pai’s plan, but the FCC attributed the downtime solely to “multiple distributed denial-of-service attacks.”
We published an analysis of the FCC’s statements in May, concluding that the incident was caused either by “an unusual type of DDoS or poorly written spam bots.” Cloudflare, which operates a global network that protects websites from DDoS attacks, supported the FCC’s statements. The FCC’s descriptions are consistent with “a ‘Layer 7′ or Application Layer attack,” Cloudflare Information Security Chief Marc Rogers told Ars.
“In this type of [DDoS] attack, instead of trying to saturate the site’s network by flooding it with junk traffic, the attacker instead tries to bring a site down by attacking an application running on it,” Rogers said.
The FCC also refused to release server logs related to the attack because they might contain private information such as IP addresses. Security experts who spoke to Ars supported this decision.
There are now more than 10 million comments on Pai’s plan to overturn net neutrality rules, though many contain the same text because they come from spam bots or from campaigns urging people to submit pre-written comments. Pai has said that the number of comments opposing or supporting his plan “is not as important as the substantive comments that are in the record.”
A third of respondents indicated that the cloud adds the greatest network complexity to their organisation.
Cloud adoption is still the ‘most vexing factor’ in increased network complexity, according to a new report by Kentik.
The report, based on a poll of 203 IT professionals attending the Cisco Live 2017 annual conference, says cloud adoption is followed by IoT, SDN, and networks functions virtualisation (NFV).
It also says that most organisations still aren’t ready for network automation, even though machine learning is seen as ‘important technology for network management’.
More than a third (36 per cent) of respondents said cloud adds the greatest network complexity to their organisations. They can still improve operational visibility for cloud and digital business networking, it was added.
According to the report, organisations need to be able to spot DDoS attacks better. A third (32 per cent) said they’re using DDoS detection technology.
The majority of organisations (70 per cent) says using the same stack of tools to manage both network performance and security hinders operational efficiency. More than half (59 per cent), however, added that their organisation is not yet using the same stack of tools.
“There is a lot of noise in our industry right now about intuitive systems and new-age machine learning that can monitor, identify and react to network conditions before issues occur. However, dozens of our largest customers have been telling us, and our survey results from Cisco Live support, that the key 2016 and 2017 enterprise efforts have focused on getting complete visibility into increasingly hybrid network complexity; detecting and preventing DDoS; and integrating tools that can provide operational and business value from network analytics,” said Avi Freedman, co-founder and CEO of Kentik. “Full automation outside of constrained data centre and cloud topologies is still a vision that customers are tracking, but network operators say that they need deeper and comprehensive visibility into their network’s performance and security before they can let their networks run autonomously.”
“Real-time network traffic intelligence is a critical component for network operators supporting their organizations with digital transformation,” he added.
It is imperative that cloud users ensure that their vendor(s) of choice can provide the visibility and protection they need.
Cloud adoption continues to accelerate as businesses look to reap the cost, scale and flexibility benefits that are on offer. Whether a business uses a large, well-known public cloud operator or one of the smaller, more focused, specialist cloud / outsourcing organisations they are becoming more reliant on data and application services which are, in most cases, accessible via the Internet.
Unfortunately, this means that access to these services is conditional on the availability of connectivity – and a significant threat here is a Distributed Denial of Service (DDoS) attack – a threat that exhausts the resources available to a network, application or service so that genuine users cannot gain access.
Increasing attacks on data-centres
According to Arbor’s Worldwide Infrastructure Security Report (WISR) the majority of data-centre operators now offer cloud services. In fact they are as common as managed hosting and colocation, demonstrating how rapidly ‘cloud’ has been adopted. Data-centres have been a magnet for DDoS activity for a number of years, but 2016 saw a step change with the WISR indicating that nearly two-thirds of data-centres saw DDoS attacks, with over 20 per cent of those seeing more than 50 attacks per month – a big jump from 8 per cent in 2015. Data-centres are now being targeted more frequently and with larger attacks, and they will only continue to grow.
Worryingly, Arbor’s WISR also revealed that 60 per cent of data-centre operators had seen an attack that completely saturated their Internet connectivity last year. This is significant, as if Internet bandwidth is completely saturated then all data-centre infrastructure is effectively cut-off from the outside world – regardless of whether it was a part of the original target. For cloud and data-centre environments ensuring shared infrastructure is protected is of utmost importance given the size and complexity of today’s DDoS attacks.
The weaponisation of DDoS has made it easy for anyone to launch a large volumetric or advanced multi-vector attack and this shows through in the data we have from data-centre operators. For example, 60 per cent of data-centres who experienced a DDoS attack in 2016 saw at least one attack that completely saturated their Internet connectivity – effectively disconnecting them, and their customers, from the connected world.
The impact of a successful DDoS attack to a data-centre operator can be significant from an operational and customer churn / revenue loss perspective. The proportion of data-centre operators experiencing revenue loss due to DDoS attacks grew from 33 per cent to 42 per cent from 2015 to 2016, with nearly a quarter of data-centre respondents to the WISR indicated that the cost of a successful DDoS attack was in excess of $100K, illustrating the importance of the right defensive services and solutions.
Before we discuss defences though, it is almost impossible to right a DDoS related article without mentioning IoT. 2016 was without doubt the year where weaponised IoT botnets came to the fore, with attacks against Dyn and more garnering significant media attention. Cloud processing of IoT related data is driving increases in scale for data-centre connectivity, but IoT devices can just as easily be subsumed into botnets and used to send unwanted DDoS traffic at those same data-centres. Given the numbers of IoT devices out there, the likelihood of an attack against one piece of cloud infrastructure having a broader impact is only going to increase.
Combating today’s attackers
To deal with high magnitude attacks, in most cases, data-centres need to leverage a cloud or ISP based DDoS protection service –and this is happening. Data-centre operators have been one of the top organisation types driving the growth in cloud and ISP managed DDoS protection services over the past couple of years. The WISR shows us that over a half of data-centre operators now implement layered DDoS protection, a proportion that has been steadily increasing year-on-year. This is the recognised best-practice and allows data-centre operators to protect themselves and their customers from the impact of an attack.
Layered DDoS protection employs a cloud and ISP based DDoS protection service to deal with high magnitude attacks, plus a defensive solution at the data-centre perimeter to proactively deal with more focused, advanced attacks. Integrating these two layers together, so that they work in harmony, can provide complete protection from the DDoS threat – protecting the availability of both infrastructure and customer services.
In fact, many data-centre operators are now leveraging the protections they have put in place to offer add-on, sticky DDoS protection services to their customers. Businesses are increasingly aware of both their dependence on cloud, and the threat DDoS poses, and are looking to ensure that their providers are adequately protected.
Technology and services are however only a part of the solution, having incident response plans in place is also important so that businesses can deal efficiently and effectively with any attack. Arbor’s WISR reveals that 57 per cent of data-centre operators carried out DDoS defence simulations in 2016, up from 46 per cent in 2015. This is very encouraging, as exercising incident responses plans, on at least a quarterly basis, is best-practice.
Future security of data centres
The data-centres that support cloud application and data services are becoming ever more important to our businesses, but with nearly two-thirds of data-centres experiencing DDoS attacks last year, and over 20 per cent of those seeing more than 50 attacks per month, it has never been more important to ensure the right defences are in place.
It is imperative that cloud users ensure that their vendor(s) of choice can provide the visibility and protection they need, and the telemetry that allows them to monitor what is going on. Increasingly customers of cloud services want a holistic view of the threats they face, across the 3 pillars of security and their cloud, on-premise data and applications services. This isn’t easy to achieve, but to balance the benefits of cloud against business risks it is something we need, especially in today’s cyber threat landscape.
The $1 million ransom payment paid last week by South Korean web hosting company Nayana has sparked new extortion attempts on South Korean companies.
According to local media, seven banks have received emails that asked the organizations to pay ransoms of nearly $315,000 or suffer downtime via DDoS attacks.
Only five of the seven targets are publicly known, which are also the country’s biggest financial institutions: KB Kookmin Bank, Shinhan Bank, Woori Bank, KEB Hana Bank, and NH Bank.
Ransom demands made by Armada Collective
The ransom demands were signed by a group of “Armada Collective,” a name that has a long history behind it.
The group first appeared in 2015, and they are considered one of the hacker groups that popularized ransom DDoS (RDoS) attacks alongside another group known as DD4BC (DDoS-for-Bitcoin).
While Europol apprehended suspects behind the DD4BC group, the people behind Armada Collective were never caught, and their tactics seem to have evolved across time.
Armada Collective and RDoS attacks over time
Radware, a cyber-security company that tracks RDoS attacks on a consistent basis, says the group has gone through two main stages.
In the beginning, the group targeted a small number of targets, all from the same industry, and launched demo DDoS attacks to prove their claims and force the hand of victims into paying the ransom.
After a successful extortion of the ProtonMail secure email service in late 2015 that got a lot of media attention, the group appeared to have gone into hiding, but then returned in 2016.
This time around, the group’s tactics changed, and Armada Collective — or impostors posing as the group — only made empty threats, targeting a large number of companies, all at the same time, from different sectors, and rarely launched any DDoS attacks to prove their claims.
Armada Collective’s RDoS attacks in 2016 were hardly noticed. Because of the group and DD4BC’s success, numerous other actors entered the DDoS ransom market niche, such as New World Hackers, Lizard Squad (copycats), Kadyrovtsy, RedDoor, ezBTC, Borya Collective, and others.
Most of these groups issued empty threats, a common theme with RDoS groups in 2016, also continued in 2017, with new groups such as Stealth Ravens, XMR Squad, ZZb00t, Meridian Collective, Xball Team, and Collective Amadeus. Furthermore, empty DDoS threats from groups posing as Anonymous have been the norm for the past two years, with the most recent wave being detected just last week.
Nayana’s payment may lead to more attacks on South Korea
Last week, Armada Collective’s name resurfaced after a long period of silence. The ransom demands were sent — not surprisingly — just two days after news broke in the international press that a South Korean web hosting company paid over $1 million in a ransomware demand.
Nayana’s payment was the largest ransomware payment ever made and may have involuntarily put a giant bullseye on the backs of all South Korean businesses, now considered more willing to pay outrageous ransom demands to be left alone.
The Armada Collective ransom letters sent last week to South Korean banks said the group would launch DDoS attacks on the targeted banks today, June 26, and double their ransom demand.
At the time of writing, the attacks didn’t take place, based on evidence available in the public domain. Nonetheless, the attackers won’t be discouraged by this initial refusal, and if they truly have the ability to launch crippling DDoS attacks like the ones that targeted ProtonMail, then South Korean banks and other businesses are in for a long summer.
Business is under assault from cybercriminals like never before, and the cost to companies is exploding. Here’s what you need to know about safeguarding your digital assets.
1. Under attack
In the summer of 2015, several of New York’s most prestigious and trusted corporate law firms, including Cravath Swaine & Moore and Weil Gotshal & Manges, found themselves under cyberattack. A trio of hackers in China had snuck into the firms’ computer networks by tricking partners into revealing their email passwords. Once inside the partners’ accounts, the thieves snooped on highly sensitive documents about upcoming mergers. Then, from computers halfway around the world, the cybercrooks allegedly traded on the purloined information, netting $4 million in stock market gains.
Like most other victims of corporate espionage, the firms preferred to keep mum about having been victimized. They feared antagonizing other digital thugs as well as damaging their reputations as keepers of clients’ secrets. Instead, word of the attack leaked in the press and then was confirmed by federal prosecutors and the firms themselves. The Feds made public their discoveries and trumpeted their efforts to bring the alleged perpetrators to justice. “This case of cyber meets securities fraud should serve as a wake-up call for law firms around the world,” said Preet Bharara, then the U.S. Attorney in Manhattan. “You are and will be the targets of cyberhacking because you have information valuable to would-be criminals.”
It may have been a shock to the system for the legal community, but the incident only served to underscore a hard truth that CEOs, company directors, and network security experts have been grappling with for some time now: Business is under assault like never before from hackers, and the cost and severity of the problem is escalating almost daily.
The latest statistics are a call to arms: According to Cisco, the number of so-called distributed denial-of-service (DDoS) attacks—assaults that flood a system’s servers with junk web traffic—jumped globally by 172% in 2016. Cisco projects the total to grow by another two and a half times, to 3.1 million attacks, by 2021. Indeed, the pace of cyberassaults is only increasing. Internet security firm Nexusguard reports that it observed a 380% increase in the number of DDoS attacks in the first quarter of 2017 compared with a year earlier.
As the number and scale of network attacks grow, the toll on business is rising. The average total cost of a data breach in the U.S. in 2014 was $5.85 million, according to research from IBM and the Ponemon Institute, and this year it’s estimated to be $7.35 million. According to a report earlier this year from business insurer Hiscox, cybercrime cost the global economy more than $450 billion in 2016. The WannaCry ransomware attack alone, which crippled computers in more than 150 countries in May, could cost as much as $4 billion according to some estimates.
What is slowly dawning on corporate hacking victims is how vulnerable and defenseless they really are, even when their opponents may be three guys in a room halfway around the world. Expensive data-security systems and high-priced information security consultants don’t faze today’s hackers, who have the resources to relentlessly mount assaults until they succeed. In the New York law-firm case, for example, prosecutors said the attackers attempted to penetrate targeted servers more than 100,000 times over seven months.
It has become abundantly clear that no network is completely safe. Where once companies thought they could defend themselves against an onslaught, they’re now realizing that resistance is, if not futile, certainly less important than having a plan in place to detect and neutralize intruders when they strike.
But there remains a gaping chasm between awareness of the threat and readiness to address it: A survey last fall by IBM and Ponemon of 2,400 security and IT professionals found that 75% of the respondents said they did not have a formal cybersecurity incident response plan across their organization. And 66% of those who replied weren’t confident in their organization’s ability to recover from an attack.
Cybercrime is metastasizing for the same reason online services have become so popular with consumers and businesses alike: Ever-more-accessible technology. Hacking is easier than ever thanks to the ever-growing number of online targets and the proliferation of off-the-shelf attack software. The very Internet networks that were built for convenience and profit are exposing their users to a steady stream of new threats.
What’s more, the tense state of affairs is a glaring example of how the entire nature of business has changed in the digital age. In most cases, technology is much more than just a supplement to a company’s core operations. For scores of the world’s most valuable companies—from Alphabet to Amazon to Facebook to Uber—the assets that live on their networks are their core operations.
No sector of corporate America is safe. Hackers have plundered big retailers like Neiman Marcus and Home Depot for credit card and customer information. They’ve burrowed into banks like JPMorgan Chase. Even tech companies can’t seem to protect themselves. Yahoo’s ineptitude in repelling (or even being aware of) hackers forced it to reduce its sale price to Verizon. Google and Facebook recently fell victim to a hacker who conned their accountants into wiring him a total of more than $100 million. And OneLogin, a startup that bills itself as a secure password management service, recently lost certain customer data to hackers.
In one survey, 66% of security and I.T. professionals replied that they weren’t confident that their organization could recover from a cyberattack.
It’s not like companies aren’t trying to play defense. Accenture estimates that companies worldwide spent $84 billion in 2015 to protect against attacks. That spending is an acknowledgment that every company needs to safeguard its digital assets, which in turn requires knowing about the criminals that keep coming at them and what defenses they can build to minimize the damage.
2. A new breed of criminal
Hacking is particularly frustrating for corporate executives who don’t understand their enemy. Embezzlers or extortionists? Sure. But faceless gangs of nasty nerds? It’s often harder for CEOs to wrap their brains around the motivation of their antagonists—or their audacity. “At the C-level they feel violated,” says Jay Leek, a venture capitalist pursuing cybersecurity investments and a former chief information security officer at private equity giant Blackstone. “I witness this emotional ‘What just happened?’ You don’t walk in physically to a company and violate it.”
The brazenness Leek describes is a hallmark of hackers who—despite their mystique in popular culture—are basically everyday thieves, like bank robbers. Where hackers are different, however, is that they rarely meet in person. Instead, they convene in online forums on the “dark web,” an anonymous layer of the Internet that requires a special browser to access. Deep in the forums, crooks hatch hacking plots of all sorts: breaking into corporate databases or selling stolen Social Security numbers or purchasing inside information from unscrupulous employees.
Cybercriminals have proved adept at adopting successful corporate strategies of their own. A recent development has seen the cleverest crooks selling hacking tools to criminal small-fry. It’s analogous to semiconductor companies licensing their technology to device manufacturers. According to a report from security software giant Symantec, gangs now offer so-called ransomware as a service, a trick that involves licensing software that freezes computer files until a company pays up. The gangs then take their cut for providing the license to their criminal customers.
If it weren’t all blatantly illegal, the practices would be laudably corporate. “Cybercriminals no longer need all the skills to complete any particular crime,” says Nicole Friedlander, a former assistant U.S. Attorney in charge of the key Southern District of New York’s complex fraud and cybercrime unit. “Instead, they can hire other cybercriminals online who have those skills and do it together.” In that sense, hackers have become service providers like doctors or lawyers or anyone else, says Friedlander, who joined the New York office of law firm Sullivan & Cromwell last year.
But the bad guys aren’t all freelancers. In fact, some of the most sinister hacking outfits operating today are “state-sponsored” groups supported, or at least loosely supervised, by governments. That includes the Russians who are believed to have hacked into the Democratic National Committee last year and the North Korean team credited with unleashing the WannaCry malware as a moneymaking scheme.
3. Playing defense
In early March, the information security team at ride-hailing giant Uber leaped into action: An Uber employee had reported a suspicious email message, and similar reports were flooding in from all over the company.
Uber’s databases contain the email addresses and personal information of millions of riders around the world, making security a particularly pressing issue. And the company has had its share of problems as a caretaker of sensitive data. In 2014, Uber suffered a breach that exposed the insurance and driver’s license information of tens of thousands of drivers; it took the mega-startup months to discover and investigate the incident and fully notify its drivers.
As soon as the alarm was raised in March, Uber established an “incident commander” to manage the developing situation. The job of the incident commander—a term of art in cybersecurity circles—is to keep the company informed about potential attacks. It turned out that the attack was targeting users of Google’s Gmail service, not Uber itself. But anyone with a Gmail address was vulnerable. Later that same day Google fixed the vulnerability in its Gmail service, allowing Uber’s incident commander to stand down.
Uber’s reaction is an example of the vigilance with which companies must treat the torrent of threats coming at them every day. John “Four” Flynn, a former Facebook executive who now is chief information security officer for Uber, says the key to cybersecurity incidents—which he defines as everything from a data breach to a stolen laptop—is to have a clear communication strategy. “During an incident, the role of executives is to give support,” says Flynn. “There’s no room for confusion about who’s in charge.”
Flynn has every right to sound confident in his authority. The chief information security officer, or CISO, is possibly the hottest job in the C-suite today. Cybercrime is so serious that these formerly little-known and unloved executives now typically have a direct line to boards of directors—a big break from the past. Before, the CISO would report to the chief information officer, who was responsible for buying and operating computers, not obsessing over flies in the ointment. If the CISO sounded the alarm over a breach, too often he or she ended up being the one sacrificed to appease top management. “It was my job to tell my boss his baby was ugly,” one former information security executive laments.
These days, though, smart companies treat hacking threats like other existential risks to their business—recessions, terrorist attacks, and natural disasters come to mind—and plan accordingly. The CISO is pivotal in maintaining readiness. “If you’re a Fortune 500 company, you already have a response,” says Leek, the former executive at Blackstone, which had several portfolio companies that suffered breaches, including arts-and-crafts merchant Michaels Stores. “But people forget to take it out, blow the dust off, and recall: ‘Let’s do what we decided when we had a sound mind.’ ”
Having a clear line of authority and a good action plan take a company only so far. At some point it has to call the cops, specifically the Federal Bureau of Investigation or the U.S. Secret Service. Both agencies have reach and power that allow them to take the fight to foreign cybercrooks. On several occasions, U.S. law enforcement agents working undercover on the dark web have managed to lure presumed offenders out of hiding with phony deals, and then had them apprehended in and extradited to the U.S.
During the incident, the role of executives is to give support,” says Uber’s chief information officer. “There’s no room for confusion about who’s in charge.”
Calling law enforcement has downsides, however. The likely outcome—an investigation—imposes burdens on the victim company in terms of money and time. And it increases the chance that sensitive details about the hack will leak publicly. That’s why the best course of action is for companies to avoid FBI-level hacking incidents in the first place. A new, multibillion-dollar industry has sprung up to help.
4. An industry is born
The videoconference camera looked like any other. But unbeknownst to its corporate owner, the device was working overtime: Hackers had captured the microphone remotely and were using it to spy on every meeting that took place in the boardroom. The company, which does not want to be identified, finally got wise to the spying scheme thanks to Darktrace, a global cybersecurity company that uses artificial intelligence to detect aberrant activity on client networks. Darktrace CEO Nicole Eagan says her company noticed the camera had been gobbling abnormal amounts of data. This raised a red flag, enabling Darktrace to notify its client that something was amiss.
Darktrace is just one of hundreds of firms that offer help to combat the hacking epidemic. Once a stodgy corner of enterprise software, cybersecurity has become a hot sector for venture capitalists. Investors put some $3.5 billion into a total of 404 security startups last year, according to New York research firm CB Insights. That’s up from $1.8 billion for 279 investments in 2013.
For executives, all of this entrepreneurial activity translates into a dizzying array of security options. There are newcomers like Tanium, for instance, which offers a service that lets companies see who is on their network. Publicly traded Palo Alto Networks makes a kind of intelligent firewall that uses machine learning to thwart intruders. There are also a host of niche security firms such as Area 1 (which specializes in defending against phishing scams) and Lookout (which is a mobile-phone-focused security service).
With all of this firepower arrayed against it, how can cybercrime continue to grow so fast? One answer is that some of the glitzy defense systems don’t work as advertised. Security insiders grumble about firms bamboozling clients with “blinky lights” in order to sell “scareware”—software that plays to customers’ insecurities but doesn’t protect them.
At the end of the day, though, humans are as much to blame as software. “The weak underbelly of security is not tech failure but poor process implementation or social engineering,” says Asheem Chandna, an investor with Greylock Partners and a Palo Alto Networks director. Chandna notes that most hacking attacks come about in two ways, neither of which involves a high level of technical sophistication: An employee clicks on a booby-trapped link or attachment—perhaps in an email that appears to be from her boss—or someone steals an employee’s log-in credentials and gets access to the company network.
While cyberdefense tools can mitigate such attacks, some will always succeed. Humans are curious creatures and, in a big organization, there will always be someone who clicks on a message like, “Uh-oh. Did you see these pictures of you from the office party?” When it comes to hacking, a penny of offense can defeat a dollar’s worth of defense. That’s why the fight against hacking promises to be a never-ending battle.
Final Fantasy 14’s servers have been under intense strain this past weekend. It now seems that these issues are the direct result of distributed denial-of-service attacks, Square Enix stated today.
The attacks have apparently been going on since June 16, the first day that the game’s second expansion, Stormblood, went live for early access. This past weekend, early adopters were met with congested servers that were filled to capacity. Some queues just to log in surpassed 6,000 users. In the game proper, overwhelmed servers have lead to increased load times and made some quests impossible to complete.
Stormblood was officially released yesterday and as of today, massive amounts of access requests due to the alleged hack are continuing to occur.
Square Enix has stated that its technicians are doing all they can to defend against the attacks, but they are “continuing to take place by changing their methods at every moment.” The company also assured players that character data and private information associated with accounts have not been affected.
Despite years’ worth of warnings and countermeasures, distributed denial of service (DDoS) attacks continue to escalate. Every year sees more of them, with increasing duration and severity.
The frequency was up by 380% in the first quarter of 2017 compared to the first quarter of 2016, according to Nexusguard, which compiled this set of statistics (PDF) in a new report. From the fourth quarter of 2016 to the first quarter of 2017, HTTP attack counts and total attack counts increased by 147% and 37% respectively.
Examples of increasing severity include a 275 Gbps attack that took place during Valentine’s Day (there have been significantly larger attacks) and an attack spanning 4,060 minutes that occurred over the Chinese New Year, the company said.
The percentage of days with sizable attacks (larger than 10Gbps) grew appreciably within the quarter for 48.39% in January to 64.29% in March.
Lengthier attacks at erratic intervals are becoming the norm, the company said.
A separate, simultaneously published report from Corero Network Security said its customers have been hit by an increasing number of small DDoS attacks. Though attacks of 10 Gbps or smaller would seem less severe, what’s insidious about them is that they are apt to sneak under minimum detection thresholds. Though the DDoS attacks themselves might not be that disruptive, they can give hackers the access to wreak plenty of other damage.
Corero CEO Ashley Stephenson said in a statement, “Short DDoS attacks might seem harmless, in that they don’t cause extended periods of downtime. But IT teams who choose to ignore them are effectively leaving their doors wide open for malware or ransomware attacks, data theft or other more serious intrusions. Just like the mythological Trojan Horse, these attacks deceive security teams by masquerading as a harmless bystander—in this case, a flicker of internet outage—while hiding their more sinister motives.”
Nextguard believes part of the increase in DDoS activity is a ripple effect of increased botnet activity that occurred in the fourth quarter.
This is in part a reference to the Mirai botnet, which was first identified in the latter half of 2016. Mirai provided a means to take over connected deviceswith inadequate built-in security safeguards (webcams, some set-top boxes, etc.), and use them to launch sustained attacks, sometimes with spectacular results.
Those attacks revealed the Achilles’ heel in the internet of things: Many IoT applications are based on the distribution of large numbers of very inexpensive devices, which can be made so cheaply in part by adopting only minimal security, if any.
The DDoS problem is worldwide, but nearly a quarter of the attacks are launched from the U.S. (followed by China and Japan). That’s likely to remain the case, as more U.S. households install “smart” devices that have poorly guarded IP addresses, making them susceptible to hijacking in the service of more DDoS attacks.
“IoT botnets are only the beginning for this new reign of cyberattacks. Hackers have the scale to conduct gigantic, continuous attacks; plus, teams have to contend with attacks that use a combination of volumetric and application aspects,” said Nexusguard CTO Juniman Kasman, in a statement.
The two largest sources of DDoS attacks were China and Japan, with Russia a distant third.
The release of such results is meant to emphasize what should be obvious: companies that haven’t upgraded their security are the most vulnerable.
During Q1 2017, a reduction in average DDoS attack duration was witnessed, thanks to the prevalence of botnet-for-hire services that commonly used short, low-volume bursts.
Imperva Incapsula’s latest Global DDoS Threat Landscape Reportanalysed more than 17,000 network and application layer DDoS attacks that were mitigated during Q1 2017.
Igal Zeifman, Incapsula security evangelist at Imperva told SC Media UK: “These attacks are a sign of the times; launching a DDoS assault has become as simple as downloading an attack script or paying a few dollars for a DDoS-for-hire service. Using these, non-professionals can take a website offline over a personal grievance or just as an act of cyber-vandalism in what is essentially a form of internet trolling.”
The research found that more and more assaults occurred in bursts, as 80 percent of attacks lasted less than an hour. Three-quarters of targets suffered repeat assaults, in which 19 percent were attacked 10 times or more.
For the first time, 90 percent of all network layer attacks lasted less than 30 minutes, while only 0.1 percent of attacks continued for more than 24 hours. The longest attack of the quarter continued for less than nine days.
Researchers observed a higher level of sophistication on the part of DDoS offenders, reflected by the steep rise in multi-vector attacks. These accounted for more than 40 percent of all network layer assaults in Q1 2017.
In terms of worldwide botnet activity, 68.8 percent of all DDoS attack requests originated in just three countries; China (50.8 percent), South Korea (10.8 percent) and the US (7.2 percent).
Others on the attacking country list included Egypt (3.2 percent), Hong Kong (3.2 percent), Vietnam (2.6 percent), Taiwan (2.4 percent), Thailand (1.6 percent), UK (1.5 percent) and Turkey (1.4 percent).
The US, UK and Japan continued to top the list of most targeted countries. Over the past year Singapore and Israel joined that list for the first time.