DDoS Attacks Target Partypoker, PokerStars

Major online poker sites partypoker and PokerStars have been disrupted in recent days by apparent DDoS attacks, launched by party or parties unknown at present.

Two of the world’s largest online poker sites, partypoker and PokerStars, have endured periods of downtime and forced cancellations of tournaments in recent days after being targeted by confirmed or suspected DDoS (distributed denial of service) attacks. Both of the attack waves targeted the sites’ global “dot-com” gaming offerings, rather than being launched against their firewalled, single-jurisdiction offerings.

The attacks targeting partypoker began on August 9 and continued into August 11 or 12, with each attack wave consisting of a massive flood of data requests targeting its gaming servers. Partypoker confirmed the DDoS nature of the attacks late on August 9 and updated its customers via social media about the recurring waves and the ongoing mitigation efforts. Partypoker also released a formal statement about the attacks, the cancellation of tournaments, and an ongoing refund process for affected players.

That statement, issued as a formal apology for the unexpected downtime, expressed frustration about the nature of the DDoS attacks, without speculation as to the motive behind them. Tom Waters, partypoker managing director said: “The unfortunate events…were understandably frustrating for our players. After consideration, the decision was taken to pause and then subsequently cancel all affected tournaments.

“Our team worked hard to try to resolve the key issues. As poker players ourselves, we fully understand how frustrating it can be when an online poker room suffers technical issues, and we fully appreciate the considerable patience and understanding shown by our players in light of these difficulties.”

Additional commentary from partypoker

Partypoker received widespread praise from both its players and industry onlookers for its rapid response to the attacks, even as those attacks continued. VegasSlotsOnline received an additional statement from Colette Stewart, partypoker player rep and social specialist, who said: “The recent DDoS attacks were very unfortunate; however, we feel the team have done their very best to communicate and respond to as many of our players as possible during this very frustrating time. We greatly value our relationship with the player community and feel it is vital to be as open and transparent with our players as possible during such issues and, most importantly, ensure that we are available for player feedback and communication.

“In refunding affected players, we have ensured that every single cent collected in buy-ins, bounties, and fees has been refunded to players in addition to honoring the guarantees of tournaments that didn’t make the required entries due to the issues faced.

“All refunds have now been issued and, of course, should players wish to follow up in more detail or ask more questions about their specific refund, they should contact our 24/7 customer service line. The nature of ensuring the refunds were correct led to a delay that we simply hadn’t anticipated. We are sorry that it took us until Sunday to complete the process; however, we refunded players based on their chip stacks at the time that the disruption began and the data evaluation process was complex and took some time to complete.

“Finally, we are all poker players ourselves and fully appreciate the patience and loyalty of our players.”

PokerStars becomes the latest target

About the time the wave of attacks against partypoker ceased, a new wave of apparent DDoS attacks began targeting PokerStars. That attack wave started on August 12; Stars has not confirmed that these were explicitly DDoS attacks, but the recurring and intermittent nature of the “technical issues,” including forced disconnections affecting legitimate players, bears all the hallmarks of another DDoS attack.

Like partypoker and a third, smaller network (the Winning Poker Network) that also suffered several waves of DDoS attacks earlier in August, PokerStars has attempted to keep its players informed on the situation via social media.

“Apologies to all our players for the recent issues on PokerStars,” reads one of the site’s official Twitter posts, after nearly two days of the “technical issues.” “The players affected by this morning’s issues have already been credited & we aim to refund players affected by yesterday’s problems, with their equity at the time of disconnection, within 72 hours.”

Extortion central to most DDoS attacks

Modern DDoS attacks typically employ tens or hundreds of thousands of “zombie” computers — virus-laden devices scattered around the globe — that are commanded in harmony to send data requests to the targeted site to slow traffic to a crawl and make it useless for gambling-business activities. The “DDoS” moniker is commonly used to label several different forms of traffic-based online attacks designed to cripple the target site’s activity.

DDoS attacks have been an intermittent but occasionally recurring threat that has existed since online gambling’s earliest days. Similar attacks have targeted other forms of online commerce as well. Extortion, in the form of a promise to halt the attacks when the target pays a ransom to the attacker or attackers, is the most common motive behind the attacks.

One twist frequently seen in recent years is a demand by the blackmailers that payments be made in hard-to-trace cryptocurrencies such as Bitcoin. Whether a site victimized by an attack has made such a payment is virtually never disclosed in public, especially by publicly-traded firms. Most websites and networks impacted by such attacks incur heavy losses due to downtime and increased customer-service cost, but would rather incur that form of operating expense rather than give in to any kind of blackmail.

Source: http://www.vegasslotsonline.com/news/2018/08/14/ddos-attacks-target-partypoker-pokerstars/

  • 0

Black Hat 2018: IoT Security Issues Will Lead to Legal ‘Feeding Frenzy’

A “wave of litigation over IoT liability is on the horizon,” according to an attorney who has represented plaintiffs in the 2015 Jeep hack.

LAS VEGAS – The troves of insecure internet of things (IoT) devices have not yet led to widespread legal implications. But that’s set to change, a well-known attorney warned at Black Hat USA last week.

Ijay Palansky, partner at the law firm Armstrong Teasdale, said at the conference last week that IoT-related security issues have been challenging from a lawsuit perspective; despite high-profile headlines, there haven’t been that many IoT hacks, and there’s a lack of understanding of the technology and how the law applies to it, said Palansky.

However, he said that this is on the verge of changing.

“There will be more hacks,” he said from the stage during a session at the show. “The plaintiff’s bar has been salivating over [IoT] – it’s going to be a feeding frenzy.”

Palansky said that the IoT market is set to explode – particularly in the smart-home market, with consumer IoT spending set to reach $62 billion in 2018, making it the fourth-largest industry segment, according to market research firm IDC. Many of these devices are built with little to no security in mind: “Everyone’s been trying to get the latest and greatest device out – but haven’t been accurately valuing defense, and underinvesting in it,” said Palansky. “So the product won’t reach the right level of cybersecurity.”

IoT security reached its first big breaking point in 2016 during the Mirai botnet attack, which was orchestrated as a distributed denial of service (DDoS) attack through 300,000 vulnerable connected devices, like webcams, routers and video recorders. The DDoS attack brought down the DNS giant Dyn, along with a number of large web services, like CNN, the Guardian, Netflix, Reddit,  Twitter and many others.

However, there are several other threats that insecure IoT devices pose beyond DDoS attacks, stressed Palansky – from privacy issues in connected consumer devices all the way up to dangerous industrial IoT system hacks.

Even the 2016 DDoS attack, which led to an outcry for more regulations around IoT security, has ultimately not yet led to any widespread changes: “Statutes and regulations are an important piece of the puzzle for IoT security – but it’s going to be hard,” stressed Palansky.

Many experts in the legal space are not pursuing IoT security issues due to an array of challenges, said Palansky.

He added that he represented plaintiffs and class members who alleged in a 2015 Jeep hacking class-action lawsuit that the 3G “infotainment” center in those cars were vulnerable to hacking. Security researchers Charlie Miller and Chris Valasek were able to demonstrate how they were wirelessly able to hack into a Jeep Cherokee – taking control of the entertainment system, windshield wipers, and accelerator. A year later, they were able to find yet more flaws.

However, the Jeep hack is one of the few IoT-related attacks that has garnered legal attention. Another 2012 incident involved the hack of TrendNet Webcams, where hackers posted live feeds from 700 webcams in 2012. In 2013, the FTC reached a settlement with TrendNet – disallowing the company to misrepresent its software as “secure” and requiring it to get an independent assessment of its security programs once a year for 20 years.

Beyond these incidents, there’s really no precedence in legal implications for insecure IoT devices that are attacked and how security is enforced, said Palansky.

Another issue revolves around the interconnectedness of the supply ecosystem behind IoT systems, he said. IoT is difficult because partnerships are not only necessary, but required, for everything from connected cars to smart thermostats.

Beyond the technology security liability is complex even at a business-model level – an IoT implementation can involve different manufacturers, as well as OEMs or commercial buyers, plus of course end users.

“The ecosystem on the supply side is so interconnected that it creates risks and a lack of responsibility,” said Palansky. “Vendors will end up pointing fingers at each other when it comes to security.”

And on the other side of the coin, security experts working on IoT  products should be “guided by an understanding of liability risk,” he said.

Despite these challenges, a “wave of litigation over IoT liability is on the horizon,” said Palansky – and this could be dire for IoT manufacturers who aren’t properly prepared.

There are varying ways that insecure IoT systems and devices could be impacted: “IoT products have certain characteristics – they have a wide variety of code that is often proprietary and makes detection and patching of code more difficult,” he said. “There are so many devices and configurations and many ways these products can cause harm.”

For instance, possible claims against IoT devices include strict product liability (in the case of a design defect) or negligence. The damages, which vary by legal claim, include compensation for anyone injured by the product (including bystanders), property damage, cost of repair or diminished value of the product.

Moving forward, Palansky stressed that for IoT manufacturers and those involved in IoT product design and engineering, decisions about the right level of security should be informed by considerations of potential liability.

“Companies need to be paranoid and allocate risk,” he said. “There needs to be a clear process involving hazard identification, design response, risk assessment and testing… that goes along way to minimizing liability risk.”

Source: https://threatpost.com/black-hat-2018-iot-security-issues-will-lead-to-legal-feeding-frenzy/134997/

  • 0

FCC Admits It Lied About the DDoS Attack During Net Neutrality Comment Process – Ajit Pai Blames Obama

During the time the Federal Communications Commission (FCC) was taking public comments ahead of the rollback of net neutrality rules, the agency had claimed its comments system was knocked offline by distributed denial-of-service (DDoS) attacks.

These attacks were used to question the credibility of the comment process, where millions of Americans had voiced against the net neutrality rollback. The Commission then chose to ignore the public comments altogether.

FCC now admits it’s been lying about these attacks all this time

No one bought the FCC’s claims that its comment system was targeted by hackers during the net neutrality comment process. Investigators have today validated those suspicions revealing that there is no evidence to support the claims of DDoS attacks in 2017. Following the investigation that was carried out after lawmakers and journalists pushed the agency to share the evidence of these attacks, the FCC Chairman Ajit Pai has today released a statement, admitting that there was no DDoS attack.

This statement would have been surprising coming from Pai – an ex-Verizon employee who has continued to disregard public comments, stonewall journalists’ requests for data, and ignore lawmakers’ questions – if he hadn’t thrown the CIO under the bus, taking no responsibility whatsoever for the lies. In his statement, Pai blamed the former CIO and the Obama administration for providing “inaccurate information about this incident to me, my office, Congress, and the American people.”

He went on to say that the CIO’s subordinates were scared of disagreeing with him and never approached Pai. If all of that is indeed true, the Chairman hasn’t clarified why he wouldn’t demand to see the evidence despite everyone out of the agency already believing that the DDoS claim was nothing but a lie to invalidate the comment process.

“It has become clear that in addition to a flawed comment system, we inherited from the prior Administration a culture in which many members of the Commission’s career IT staff were hesitant to express disagreement with the Commission’s former CIO in front of FCC management. Thankfully, I believe that this situation has improved over the course of the last year. But in the wake of this report, we will make it clear that those working on information technology at the Commission are encouraged to speak up if they believe that inaccurate information is being provided to the Commission’s leadership.”

The statement comes as the result of an independent investigation by the Government Accountability Office that is to be published soon. However, looking at Pai’s statement it is clear what this report is going to say.

As a reminder, the current FCC leadership didn’t only concoct this story of the DDoS attack. It had also tried to bolster its false claims by suggesting that this wasn’t the first such incident as the FCC had suffered a similar attack in 2014 under the former chairman Tom Wheeler. It had also tried to claim that Wheeler had lied about the true nature of the attack back in 2014 to save the agency from embarrassment. The former Chairman then went on record to call on Pai’s FCC for lying to the public as there was no cyberattack under his leadership.

Pai throws CIO under the bus; takes no responsibility

And now it appears the FCC was also lying about the true nature of the failure of comment system in 2017. In his statement released today, Pai is once again blaming [PDF] the Obama administration for feeding him inaccurate information.

I am deeply disappointed that the FCC’s former [CIO], who was hired by the prior Administration and is no longer with the Commission, provided inaccurate information about this incident to me, my office, Congress, and the American people. This is completely unacceptable. I’m also disappointed that some working under the former CIO apparently either disagreed with the information that he was presenting or had questions about it, yet didn’t feel comfortable communicating their concerns to me or my office.

It remains unclear why the new team that replaced Bray nearly a year ago didn’t debunk what is being called a “conspiracy theory” and came clean about it.

Some redacted emails received through the Freedom of Information Act (FOIA) by the American Oversight had previously revealed that the false theory around 2014 cyberattack in order to justify 2017 attack also appeared in a draft copy of a blog post written on behalf of Pai. That draft was never published online to keep Pai’s hands clean since there was no evidence to support FCC’s claims of a malicious attack. These details were then instead sent out to media through which this narrative was publicized.

“The Inspector General Report tells us what we knew all along: the FCC’s claim that it was the victim of a DDoS attack during the net neutrality proceeding is bogus,” FCC Commissioner Jessica Rosenworce wrote. “What happened instead is obvious – millions of Americans overwhelmed our online system because they wanted to tell us how important internet openness is to them and how distressed they were to see the FCC roll back their rights. It’s unfortunate that this agency’s energy and resources needed to be spent debunking this implausible claim.”

Source: https://wccftech.com/fcc-admits-lied-ddos-ajit-pai-obama/

  • 0

Attackers Go After GPON Routers, Again

Using automated analysis via a Python script, researchers at eSentire observed an increase in exploitation attempts on gigabit passive optical network (GPON) routers. Though the router attacks had declined since the surge reported back in June, the researchers identified a new, coordinated weaponization campaign targeting D-Link routers on 20 July.

The company reported a botnet recruitment campaign being launched and saw a surge of exploit attempts from over 3,000 different source IPs, introducing a variation of the OS command injection attack against the 2750B D-Link router.

“A sample of packets from various source IPs involved in this event pointed to a single C2 server hosting malware that appeared. VirusTotal results for the malware indicated similarities with the Mirai botnet. Variants of Mirai code have been spotted in the Satori botnet,” researchers wrote.

While none of these exploits appeared to be successful in corporate environments, likely because they lack consumer-grade routers, “it is unknown whether this attack had any success on home networks where these devices are more likely to be deployed. A successful recruitment campaign has the potential to arm the associated threat actor(s) with DDoS artillery and facilitate espionage of private browsing habits,” researchers wrote in a blog post.

The mass number of attacks is indicative of a potential botnet and researchers suggested that the botnets built using the compromised routers could be offered as a service, adding “It is not uncommon for botnet controllers to attempt to increase the number of devices in their botnet by using tactics similar to this. The infected devices can then be used to launch additional attacks such as distributing malicious content or launching DDoS attacks.”

In addition, the company also released an advisory on the topic and noted that only Dasan routers using ZIND-GPON-25xx firmware and some H650 series GPON are vulnerable, and that there are no official patches at this time. Researchers are continuing to monitor the associated signatures.

Source: https://www.infosecurity-magazine.com/news/attackers-go-after-gpon-routers/

  • 0

DDoS Attacks Get Bigger, Smarter and More Diverse

DDoS attacks are relentless. New techniques, new targets and a new class of attackers continue to reinvigorate one of the internet’s oldest nemeses.

Distributed denial of service attacks, bent on taking websites offline by overwhelming domains or specific application infrastructure with massive traffic flows, continue to pose a major challenge to businesses of all stripes. Being knocked offline impacts revenue, customer service and basic business functions – and worryingly, the bad actors behind these attacks are honing their approaches to become ever more successful over time.

Several new themes are emerging in the 2018 distributed denial of service (DDoS) threat landscape, including a shift in tactics to reach new heights in volumetric campaigns, attacks that rely on a sheer wall of large amounts of packet traffic to overwhelm the capacity of a website and take it town.

However, while these traditional, opportunistic brute-force DDoS attacks remain a menace has emerged. These DDoS threats are more sophisticated and micro-targeted attacks. They take aim at, say, a specific application rather than a whole website. These type DDoS attacks are a rapidly growing threat, as are “low and slow” stealthier offensives. At the same time, bot herders are working on expanding their largely IoT-based botnet creations, by any means possible, often to accommodate demand from the DDoS-as-a-service offerings that have created a flood of new participants in the DDoS scene. Those new entrants are all competing for attack resources, creating a demand that criminals are all too happy to fulfill.

“Attacks are getting larger, longer and more complex, as [the tools used to carry out attacks] are becoming more available,” said Donny Chong, product director at Nexusguard. “DDoS used to be a special occurrence, but now it’s really a commonplace thing – and the landscape is moving quickly.”

Terabit Era Dawns

One of the most notable evolutions in the DDoS landscape is the growth in the peak size of volumetric attacks. Attackers continue to use reflection/amplification techniques to exploit vulnerabilities in DNS, NTP, SSDP, CLDAP, Chargen and other protocols to maximize the scale of their attacks. Notably however, in February the world saw a 1.3 Tbps DDoS attack against GitHub—setting a record for volume (it was twice the size of the previous largest attack on record) and demonstrating that new amplification techniques can give unprecedented power to cybercriminals. Just five days later, an even larger attack launched, reaching 1.7 Tbps. These showed that DDoS attackers are more than able to keep up with the growing size of bandwidth pipes being used by businesses.

The technique used in February and March made use of misconfigured Memcached servers accessible via the public internet. Memcached servers are used to bolster responsiveness of database-driven websites by improving the memory caching system. Unfortunately, many of them have been deployed using a default insecure configuration, which has opened the door to DDoS attacks that use User Datagram Protocol (UDP) packets amplified by these servers — by as much as 51,200x. That in turn means that malefactors can use fewer resources.  For example, they can send out only a small amount of traffic (around 200 Mbps) and still end up with a massive attack.

The good news is that even as the peaks get larger, volumetric attacks are quickly dealt with.

“These are big and obvious and relatively easy to mitigate,” said Chong. “Blocking Memcached attacks is as simple as doing ISP filtering and blocking the signature – it just goes away. So, it’s not as scary as it seems.”

However, criminals are almost certainly looking for the next major reflector source.

“Expect a huge attack, then the good guys to come in and shut some of those resources down on) the bad guys,” said Martin McKeay, global security advocate at Akamai. “This is cyclical. We saw it happen with NTP, DNS and now Memcached, and it will happen again.”

He added that the implications of being able to reach such dizzying attack heights could be profound going forward.

“The undersea cable between Europe and the U.S. is 3.2 terabits,” said McKeay. “If you try to send that amount of traffic through that pipe, you’re going to gum up the works for a very long time, for a lot of companies. A lot of countries don’t even have 1.3 terabits coming in in total, so we’re starting to look at attacks that can take whole countries offline for a good amount of time.”

This kind of doomsday scenario is not without precedent: In 2016, a Mirai botnet variant known as Botnet 14 spent seven days continually attacking the west African nation of Liberia, flooding the two companies that co-own the only fiber going into the country with 600 Gbps flows – easily overwhelming the fiber’s capacity and knocking the country offline.

Rising Sophistication

While big, splashy volumetric attacks make headlines, the reality is that smaller, more sophisticated attacks are perhaps the greater concern.

“DDoS has historically been pretty unsophisticated – it doesn’t require a closed-loop response where you steal data and need to get it back to you,” said Sean Newman, director of product management at Corero Network Security. “Typically, you just send out the traffic to a pipe with the goal of filling it up. But, what we’ve seen recently is that those very large unsophisticated attacks [now] represent a small proportion of the [campaigns] that go on. Across all the DDoS efforts that we see, the majority, just over 70 percent, are [now] less than 1 GB in size. And that’s because the attackers are moving away from using simplistic brute force, to using more sophisticated techniques. Modern DDoS toolkits can launch both infrastructure-based (i.e., volumetric) and application-based payloads; application-layer attacks in particular are sneakier and can be very targeted, researchers said.

Rather than just look to overwhelm a company’s broadband connection or DNS infrastructure, as was the norm in the past, application-layer attacks focus on one aspect of the target’s communications, such as, say, a VoIP server. These look to exhaust specific server resources by monopolizing processes and transactions.

“Attacks use just enough traffic to be successful,” Chong explained. “Most of the enterprises out there in the market have around 100 Mbps of bandwidth coming into their location, so you don’t need a 1-terabit attack to be effective. These are small, specially crafted campaigns where threat actors first examine where a service is hosted, such as a data center, in the cloud or at a hosting provider – and then they launch a small attack that just overwhelms the limits of the target’s bandwidth. This approach is much more precise and effective, requires fewer resources, and often flies under the radar because the bad traffic’s volume is close in size to the normal traffic going into that enterprise.”

An example of this is the attacks mounted during protests in the wake of the 2009 Iranian presidential election. That’s when several high-impact and relatively low bandwidth efforts were launched against Iranian government-run sites. Since then, the method has gained popularity. Meanwhile, the large, “big-bang” efforts that still make up 30 percent of the campaigns seen in the wild are sometimes used as a distraction, Chong added, acting as a smokescreen to mask other activities, such as a data exfiltration effort. F5 for example noted last year that almost 50 percent of attacks fell into this category.

To carry this out, higher-end threat actors can use partial link saturation, designed to leave just enough bandwidth available for a secondary attack. In this scenario, a distracting DDoS attack consumes resources in enough security layers to allow a targeted malware attack through. Often the IT staff is so busy dealing with the DDoS attack, which causes damage to revenue and reputation on its own, to notice that another intrusion is taking place through other channels.

IoT Factor

While both volumes and sophistication are on the rise, the impact of DDoS botnets that are built from tens of thousands of compromised internet-of-things (IoT) devices remains perhaps the biggest story in this particular crime sector, representing a rapidly expanding threat surface.

“The explosion of IoT devices is an attack vector that’s going to be around and of interest for a long while,” said Newman. “Consumers and businesses are buying these devices for the coolness factor and the ability to automate your life. And vendors are much more incentivized to get the latest thing to market ASAP instead of spending time on security.”

Elias Bou-Harb, research assistant professor at Florida Atlantic University and a cyber-threat researcher, added: “While the focus was on functionality and accessibility, security is and continue to be an afterthought. Vendors should be vigilant about this and emphasize security in their design, early on. This is especially factual if those IoT devices are deployed and being operated in critical infrastructure.”Meanwhile, for many consumer and business IoT users, security remains low on the list of concerns, making for little pressure on vendors to clean up their act. That’s because owners of compromised IoT devices rarely end up feeling like victims, Newman added.

“The small amount of traffic being requested from each device may be only 1 megabit each, and you’re unlikely to feel that on your home network in terms of performance degradation,” Newman explained. For that reason, IoT botnets continue to be responsible for widespread infections, which can be easily marshalled for DDoS attacks.

“IoT is kind of the sweet spot for DDoS botnets, because these devices are prevalent, but no one really controls them – they’re almost unmanaged,” said Jeremy Kennelly, manager of threat intelligence analysis at FireEye. “Cameras and routers and things are just left out there, not being updated, and meanwhile the non-expert population gets used to what they think are just glitches – they don’t think they might be compromised.”

While Mirai kicked off the era of the IoT botnet on 2016, two of the latest events on the bot scene include the rise of the Satori botnet, which infected more than 100,000 internet-connected D-Link routers in just 12 hours, and the VPNFilter IoT botnet, which infected almost a million consumer-grade internet routers (i.e., Linksys, MikroTik, Netgear, and TP-Link) in more than 50 countries in a very short amount of time. VPNFilter is particularly nasty, capable of DDoS as well as delivering malware and stealing data.

Others meanwhile are appearing all the time.

“Very recently, June 18-June 22, we tracked a botnet (which was never reported before) composed of more than 50,000 IoT bots, distributed over 170 countries and hosted in more than 30 business sectors,” said Bou-Harb. “We are seeing excessive IoT exploitations targeting home and business routers, storage devices, cameras, voice over IP phones and more.”

Bot herders are also in a race to expand their IoT infrastructure – something that’s all too easy. IoT botnets are either built through simplistic compromises involving common, hard-coded, default passwords for devices that are easy to search for on the internet; or via the exploit of known vulnerabilities.

“The recent compromise of GPON home routers came down to a couple of specific vulnerabilities in the code that were never patched,” Newman said.

Code-reuse is also rife in IoT devices, meaning that putting effort into exploiting vulnerabilities can be a valuable vector with a lot of payoff. The Satori botnet for example was created by exploiting a known buffer overflow technique in generic code, Newman added.

Beyond existing IoT, the actors behind botnets are always looking to also commandeer new classes of devices from which to carry out attacks. In the future, things such as sensor networks or devices for smart-city applications could vastly expand the attack infrastructure.

“We haven’t seen the peak of what IoT botnets are capable of yet, and you can be sure there are more pools of resources out there to be found,” McKeay. “For instance, we’re not monitoring IPv6 as closely as we should – and I wouldn’t be surprised if there’s something lurking there that can be harnessed for this.”

All of the bad actors’ frenetic expansion activity is driven by basic market economics. “We continue to see competition for the infrastructure,” said Kennelly. “That’s one of the reasons that the peak sizes for DDoS are decreasing. The bad guys are all competing for the same set of resources. As members of the community trade tips and exploit code, certain botnets become more popularized, and they start competing for access to it. As the resources are consumed, peak sizes level out.”

Motivations

DDoS is traditionally seen as a tool used by politically and religiously motivated hacktivists to make a point. However, DDoS intentions are evolving, particularly with the advent of DDoS-as-a-service. Put simply, IoT botnets have paved the way for a new generation of cheap on-demand services. These dramatically lower the barriers to entry for attackers by eliminating the requirement to have technical knowledge to carry out an offensive.

“Anyone with a PayPal account can make a quick purchase on a WebStresser-like site,” said McKeay. “You could be a 12-year-old that saw a tutorial on a YouTube channel – there’s not a huge amount of technical skills needed to DDoS someone.”

This low bar to entry has given rise to new actors with new kinds of motivations behind attacks. For instance, as with most things in cybercrime, there’s an emerging financial aspect to attacks thanks to the fantastic ROI that some campaigns can offer.

“We are starting to see ransom-driven attacks shifting to DDoS,” explained Newman. “For $10 an hour you can cause enough damage to take a website down. So, you craft a few ransom emails from an anonymous account and ask for Bitcoin in exchange for sparing the target a DDoS attack. You have nothing to lose, really. In the likelihood you get a good hit rate – say one in 1,000, even one in 10,000 – you can be making good money as an individual on the back of that.”

Some DDoS-as-a-service providers even have a “try before you buy” function. As a consequence, person-to-person attacks are also on the rise.

“Many of these are gaming attacks,” explained Darren Anstee, CTO NETSCOUT Arbor. “If I’m a serious player of game X and I want to slow down gameplay for opponents, it’s easy to launch a small, short-lived attack for no money. A lot of people will use it for a social-media beef or gaming issue, or really any personal slight.”

Winning Poker Network CEO Phil Nagy for instance in September 2017 said that his site was hit with a series of 26 separate DDoS attacks over three days – he said they were being carried out by a rival poker room. However, on the other end of the spectrum adaptive adversaries have appeared. Those type bad guys are capable of turning a DDoS attack into something akin to a game of chess.

“In a recent campaign we looked at incoming traffic and identified unique strings and started blocking it – but then we saw the attacker to change the type of traffic, or change the strings, essentially adapting to the defenses,” said McKeay. “The attackers finally started hitting the DNS server—and if you take that offline then you’ve taken the company offline.”

The level of sophistication indicated a different type of opponent as well.

“Reflection tactics and botnets make attribution almost impossible,” McKeay said. “But someone modifying code and traffic on the fly like that is probably organized crime or a nation-state actor, demonstrating training and skills that aren’t everyday things in the DDoS world. They’re doing stuff with the code and reconfiguring tools as time goes by—across a multi-day project.”

That’s not to say that hacktivism doesn’t still play an important role in fomenting DDoS. NETSCOUT Arbor’s 2017 Worldwide Infrastructure Security Report showed that vandalism together with political and ideological disputes were among the top three motivators of DDoS attacks.

In the build up to Mexico’s presidential elections, for instance, the website of the country’s National Action Party was hit by DDoS after it published documents critical of the leading candidate. NETSCOUT Arbor saw more than 300 attacks per day in Mexico during the period of June 12 and 13, which was 50 percent higher than the normal frequency in the country.

Whether we discuss tactics, motivation or sheer capability, the DDoS threat landscape is becoming more sophisticated and varied over time. And, thanks to the rise of the IoT botnet phenomenon, it’s not an area that’s shrinking in terms of the dangers it poses to both businesses and consumers. The good news is that effective mitigations exist, from basic security awareness on the part of consumers (i.e., change those default passwords), to higher-end traffic inspection and in-stream cleaning functions for enterprises; better collaboration between researchers and law enforcement and the emergence of ISPs getting into the filtering act are also helping.

Source: https://threatpost.com/ddos-attacks-get-bigger-smarter-and-more-diverse/134028/

  • 0

Top cyber security risks for business

AIG’s 2017 cyber claims statistics reveal business’s key vulnerabilities, and indicate areas of focus for risk committees and business continuity providers, says Roxanne Griffiths, Financial Lines Underwriting Manager, AIG South Africa.

he recent release of AIG’s cyber claims statistics for 2017 reveal the trends that businesses should be watching into the future. AIG’s statistics show cyber threats are escalating: claims notifications for 2017 equalled the total claims for the previous four years. On average, in 2017, AIG’s cyber claims staff was handling the equivalent of one claim per working day.

“Our statistics confirm that business’s increasing reliance on digital platforms has created a large group of vulnerabilities that must be addressed. This is not news to business, but it is good to have it confirmed, and perhaps the extent of the growth in successful attacks (and thus claims) may surprise many,” says Roxanne Griffiths, Financial Lines Underwriting Manager, AIG South Africa. “The statistics also make it clear that ransomware remains the top cause of loss in cyber claims. This was probably expected, but it’s less well understood that business interruption is the key impact of a ransomware attack.”

Another important trend is that the incidence of cyber claims is spreading more broadly across a range of industry sectors. In the past, financial services companies were the major source of cyber claims, but their percentage of claims dropped from 23% in 2013-16 to 18% in 2017, with professional services growing strongly. The retail/wholesale sector made up 12% of cyber claims, with business services and manufacturing both at 10%.

The growth in the percentage of claims from professional services firms, up from 6% in 2013-2016 to 18% indicates they are becoming more of a target. Lawyers and accountants, in particular, have large databases of sensitive client information that are attractive to hackers. AIG predicts the European Union’s General Data Protection Regulations (GDPR), which recently came into effect, will make firms more vulnerable to extortion, and the same trend could emerge in South Africa when the Protection of Personal Information Act (POPI) comes into force.

Another worrying trend is that the professionalism associated with ransomware attacks is diminishing, along with the certainty that those who pay the ransom will get their data back.

“Ransomware is becoming commoditised and automated. In line with this, attacks seem to be becoming indiscriminate, so even if you don’t think you have any valuable data or are too small, you can still be targeted and suffer business interruption,” says Griffiths.

AIG expects claims trends over the next 12 months to continue to be affected by the commoditisation of ransomware and more data breaches due to the influence of GDPR. Given the ongoing political uncertainty globally, actions by various state or quasi-state actors could also drive cyber attacks and thus claims.

Based on its analysis of these claims statistics, AIG has identified the top cyber security risks for companies in the Europe, Middle East and Africa region:

* External servers with remote access combined with weak passwords. This offers an opportunity for the introduction of malware and ransomware. Remote access should be carefully controlled.
* Lack of user awareness permits hacking by phishing for passwords. The user engages with the content of a phishing e-mail and is directed to a fake login page, where credentials are harvested, opening the victim’s account to hackers. Any request for login details is a red flag for phishing.
* Weak login protocols. The risk from phishing is eliminated if two-factor authentication is enabled, requiring a secondary code for account login. As a minimum, this should be adopted for business directors and partners, and employees involved in payments.
* Failure to install DDOS (distributed denial of service) defences. DOS attacks are an attempt to make a company’s servers unreachable by increasing the online traffic to the site. The flood of traffic can cause the Web site to shut down completely, and this type of attack is an increasing threat, especially as poorly protected devices on the Internet of things are easily harnessed by hackers to create botnet armies capable of pushing out huge amounts of data.

For the detailed report, please follow the link below https://www.aig.co.uk/insights/cyber-ransomeware-disrupts-business.

Source: https://www.itweb.co.za/content/raYAyMoV8w57J38N

  • 0

Bigger, Faster, Stronger: 2 Reports Detail the Evolving State of DDoS

DDoS attacks continue to plague the Internet, getting bigger and more dangerous. And now, the kids are involved

DDoS attacks don’t arrive on little cat feet; they announce their presence with the subtlety of a shovel to the face. Two just-released reports show that these loud DDoS attacks are getting louder, larger, and more numerous with the passage of time.

Verisign released its Q1 2018 DDoS Trends Report and Akamai published its State of the Internet/Security Summer 2018 report and neither was filled with good news if your job is defending a company or network against DDoS attacks. Together, the two reports paint a detailed and disturbing picture of the way DDoS attacks are evolving to be both more common and more dangerous.

Both reports noted the largest DDoS attack in the period, a 170 Gbps, 65 Mpps (million packets per second) operation notable for two things: its target and its originator.

The target was not a single organization or individual. It was, instead, an entire /24 subnet on the Internet. The size of the attack and the broad target meant that scores of websites and services around the world felt the effects.

Akamai’s report notes that the threat actor was also notable, given that it was a 12-year-old who originated the attack mechanism on YouTube and coordinated the attack through Steam (an online game-playing platform) and IRC.

When adolescents can use YouTube to launch a globe-spanning attack, it marks the dawn of a new definition of “script kiddies.”

“I believe [kids are] growing up faster because they’re exposed to it,” says Lisa Beegle, senior manager of information security at Akamai, when asked about the age of this attack developer. “They also have a greater amount of time they can commit to it.” She continues, “Was this kid as smart as an adult threat actor? No, but there was still a level of sophistication as to the target.”

That target was hit with a reflection and massive amplification attach using memcached — an attack that saw a returned payload directed at the victim subnet that was 51,000 times the size of the spoofed request sent by the attacker.

While memcached has been in existence for 15 years, this attack seems to be the first major assault using the function in a malicious manner. Since it is a distributed memory object caching system, memcached becomes a very effective tool in the DDoS attacker’s arsenal.

While new attacks are available, the Verisign report notes that UDP floods remain the favorite DDoS mechanism, accounting for roughly half of all attacks seen in the quarter. TCP attacks were the next most common, involved in approximately one-quarter of the attacks. In many cases, though, both types (and others) could be involved, since 58% of attacks involved multiple attack types in a single event.

The nature of attacks continues to evolve through the industry. “Last year, we were seeing smaller attacks that were coming in under the radar — they were causing an impact in 30 seconds, before we could see it and respond,” Beegle says. Now, “I’ve seen attacks that were a week long, where [the attacker] changed the dynamics during the attack,” she says. Moving forward, Beegle expects both types of attacks to continue. “I think there will always be the mix, depending on who the target is and who the attacker is,” she says. “We’ve seen some nation-state action and that will always be different than the script kiddies.”

Source: https://www.darkreading.com/attacks-breaches/bigger-faster-stronger-2-reports-detail-the-evolving-state-of-ddos/d/d-id/1332213

  • 0

The Lesson of the GitHub DDoS Attack: Why Your Web Host Matters

Surviving a cyberattack isn’t like weathering a Cat 5 hurricane or coming through a 7.0 earthquake unscathed. Granting that natural disasters too often have horrendous consequences, there’s also a “right place, right time” element to making it through. Cyber-disasters – which can be every bit as calamitous in their own way as acts of nature – don’t typically bend to the element of chance. If you come out the other side intact, it’s probably no accident. It is, instead, the result of specific choices, tools, policies and practices that can be codified and emulated – and that need to be reinforced.

Consider the recent case of GitHub, the target of the largest DDoS attack ever recorded. GitHub’s experience is instructive, and perhaps the biggest takeaway can be expressed in four simple words: Your web host matters.

That’s especially crucial where security is concerned. Cloud security isn’t like filling out a job application; it’s not a matter of checking boxes and moving on. Piecemeal approaches to security simply don’t work. Patching a hole or fixing a bug, and then putting it “behind” you – that’s hardly the stuff of which effective security policies are made. Because security is a moving target, scattershot repairs ignore the hundreds or even thousands of points of vulnerability that a policy of continuing monitoring can help mitigate.

Any cloud provider worth its salt brings to the task a phalanx of time-tested tools, procedures and technologies that ensure continuous uptime, regular backups, data redundancy, data encryption, anti-virus/anti-malware deployment, multiple firewalls, intrusion prevention and round-the-clock monitoring. So while data is considerably safer in the cloud than beached on equipment under someone’s desk, there is no substitute for active vigilance – accent on active, since vigilance is both a mindset and a verb. About that mindset: sound security planning requires assessing threats, choosing tools to meet those threats, implementing those tools, assessing the effectiveness of the tools implemented – and repeating this process on an ongoing basis.

Among the elements of a basic cybersecurity routine: setting password expirations, obtaining certificates, avoiding the use of public networks, meeting with staff about security, and so on. Perfection in countering cyberattacks is as elusive here as it is in any other endeavor. Even so, that can’t be an argument for complacence or anything less than maximum due diligence, backed up by the most capable technology at each organization’s disposal.

In this of events is a counterintuitive lesson about who and what is most vulnerable during a hack. The experience of public cloud providers should put to rest the notion that the cloud isn’t safe. GitHub’s experience makes a compelling argument that the cloud is in fact the safest place to be in a cyber hurricane. Internal IT departments, fixated on their own in-house mixology, can be affected big-time – as they were in a number of recent ransomware attacks — raising the very legitimate question of why some roll-your-own organizations devote precious resources, including Bitcoin, to those departments in the belief that the cloud is a snakepit.

Cloud security isn’t what it used to be – and that’s a profound compliment to the cloud industry’s maturity and sophistication. What once was porous is now substantially better in every way, which isn’t to deny that bad actors have raised their game as well. Some aspects of cloud migration have always been threatening to the old guard. Here and there, vendors and other members of the IT community have fostered misconceptions about security in the cloud – not in an effort to thwart migration but in a bid to control it. Fear fuels both confusion and dependence.

Sadly, while established cloud security protocols should be standard-issue stuff, they aren’t. The conventional wisdom is that one cloud hosting company is the same as another, and that because they’re committed to life off-premises, they all must do the exact same thing, their feature sets are interchangeable, and the underlying architecture is immaterial. The message is, it doesn’t matter what equipment they’re using — it doesn’t matter what choice you make. But in fact, it does. Never mind the analysts; cloud computing is not a commodity business. And never mind the Street; investors and Certain Others fervently want it to be a commodity, but because those Certain Others go by the name of Microsoft and Amazon, fuzzing the story won’t fly. They want to grab business on price and make scads of money on volume (which they are).

The push to reduce and simplify is being driven by a combination of marketing gurus who are unfamiliar with the technology and industry pundits who believe everything can be plotted on a two-dimensional graph. Service providers are trying to deliver products that don’t necessarily fit the mold, so it’s ultimately pointless to squeeze technologies into two or three dimensions. These emerging solutions are much more nuanced than that.

Vendors need to level with users. The devil really is in the details. There are literally hundreds of decisions to make when architecting a solution, and those choices mean that every solution is not a commodity. Digital transformation isn’t going to emerge from some marketing contrivance, but from technologies that make cloud computing more secure, more accessible and more cost-effective.

Source: https://hostingjournalist.com/expert-blogs/the-lesson-of-the-github-ddos-attack-why-your-web-host-matters/

  • 0

Meet MyloBot malware turning Windows devices into Botnet

The IT security researchers at deep learning cybersecurity firm Deep Instinct have discovered a sophisticated malware in the wild targeting Microsoft’s Windows-based computers.

Adding devices to Botnet

The malware works in such a way that upon infecting, it allows hackers to take over the device and make it part of a botnet to carry out different malicious activities including conducting Distributed Denial of Service (DDoS) attacks, spreading malware or infecting the system with ransomware etc.

A Botnet is a network of private computers infected with malicious software and controlled as a group without the owners’ knowledge, e.g., to send spam messages.

Apart from these, the malware not only steals user data, it also disables the anti-virus program and removes other malware installed on the system. Dubbed MyloBot by Deep Instinct; based on its capabilities and sophistication, researchers believe that they have “never seen” such a malware before.

Furthermore, once installed, MyloBot starts disabling key features on the system including Windows Updates, Windows Defender, blocking ports in Windows Firewall, deleting applications and other malware on the system.

“This can result in loss of the tremendous amount of data, the need to shut down computers for recovery purposes, which can lead to disasters in enterprises. The fact that the botnet behaves as a gate for additional payloads, puts the enterprise in risk for the leak of sensitive data as well, following the risk of keyloggers/banking trojans installations,” researchers warned.

Dark Web connection

Further digging of MyloBot sample reveals that the campaign is being operated from the dark web while its command and control (C&C) system is also part of other malicious campaigns.

Although it is unclear how MyloBot is being spread, researchers discovered the malware on one of their clients’ system sitting idle for 14 days which is one of its delaying mechanisms before accessing its command and control servers.

It is not surprising that Windows users are being targeted with MyloBot. Last week, another malware called Zacinlo was caught infecting Windows 10, Windows 7 and Windows 8 PCs. Therefore, if you are a Windows user watch out for both threats, keep your system updated, run a full anti-virus scan, refrain from visiting malicious sites and do not download files from unknown emails.

Deep Instinct is yet to publish research paper covering Mylobot from end to end.

Source: https://www.hackread.com/meet-mylobot-malware-turning-windows-devices-into-botnet/

  • 0

Amplified DDoS Attacks Are Here to Stay, Experts Say

As bad actors seek ever-more lucrative ways to enhance their Distributed Denial of Service (DDoS) attacks, analysts are noticing a sustained effort from the black hat community to amplify their firepower.

Nexusguard has released new data revealing that DNS amplification attacks worldwide have increased 700% since 2016. In the first quarter of 2018, 55 DNS amplification attacks relied on vulnerable Memcached servers to amplify their DDoS efficiency by a factor of 51,000.

A DNS amplification attack is a sophisticated DDoS attack that takes advantage of DNS servers’ behavior to amplify the effect. The victim receives an enormous amount of unsolicited traffic resulting in denial of service.

Researchers discovered that DNS amplification (4,791 attacks), UDP (1,806), and ICMP (1,608) took first, second and third place. DNS amplification attacks accounted for 33.23% of attack vectors.

“Taking into consideration the full range of Amplifications (DNS, NTP, SSDP, CLDAP, CHARGEN, SNMP, and Memcached) brings us to 36.67% of the total attacks in the quarter. Clearly, attackers strongly prefer amplification attacks,” according to Nexusguard.

“Cyberattackers continue to seek new vulnerabilities to pursue more firepower, launching more amplification attacks through unguarded Memcached servers and poorly configured DNSSEC-enabled DNS servers the past two quarters, and we expect this trend to continue,” according to Juniman Kasman, CTO of Nexusguard.

Many organizations continue to leave their Memcached servers connected to the internet — a huge no-no in the IT industry. While the number of unguarded Memcached servers is dropping, many remain vulnerable to attacks.

Source: https://securityboulevard.com/2018/06/amplified-ddos-attacks-are-here-to-stay-experts-say/

  • 0