Cybercrime-as-a-Service: No End in Sight

Cybercrime is easy and rewarding, making it a perfect arena for criminals everywhere.

Over the past 20 years, cybercrime has become a mature industry estimated to produce more than $1 trillion in annual revenues. From products like exploit kits and custom malware to services like botnet rentals and ransomware distribution, the breadth of cybercrime offerings has never been greater. The result: more, and more serious, forms of cybercrime. New tools and platforms are more accessible than ever before to those who lack advanced technical skills, enabling scores of new actors to hop aboard the cybercrime bandwagon. Meanwhile, more experienced criminals can develop more specialized skills in the knowledge that they can locate others on the darknet who can complement their services and work together with them to come up with new and better criminal tools and techniques.

Line Between Illicit and Legitimate E-Commerce Is Blurring
The cybercrime ecosystem has evolved to welcome both new actors and new scrutiny. The threat of prosecution has pushed most cybercrime activities onto the darknet, where the anonymity of Tor and Bitcoin protects the bad guys from being easily identified. Trust is rare in these communities, so some markets are implementing escrow payments to make high-risk transactions easier; some sellers even offer support services and money-back guarantees on their work and products.

The markets have also become fractured, as the pro criminals restrict themselves to highly selective discussion boards to limit the threat from police and fraudsters. Nevertheless, a burgeoning cybercrime market has sprung from these hidden places to offer everything from product development to technical support, distribution, quality assurance, and even help desks.

Many cybercriminals rely on the Tor network to stay hidden. Tor — The Onion Router — allows users to cruise the Internet anonymously by encrypting their activities and then routing it through multiple random relays on its way to its destination. This circuitous process renders it nearly impossible for law enforcement to track users or determine the identities of visitors to certain black-market sites.

From Niche to Mass Market
In 2015, the UK National Cyber Crime Unit’s deputy director stated during a panel discussion that investigators believed that the bulk of the cybercrime-as-a-service economy was based on the efforts of only 100 to 200 people who profit handsomely from their involvement. Carbon Black’s research discovered that the darknet’s marketplace for ransomware is growing at a staggering 2,500% per annum, and that some of the criminals can generate over $100,000 a year selling ransomware kits alone. That’s more than twice the annual salary of a software developer in Eastern Europe, where many of these criminals operate.

There are plenty of ways for a cybercriminal to rake in the cash without ever perpetrating “traditional” cybercrime like financial fraud or identity theft. The first way is something called research-as-a-service, where individuals work to provide the “raw materials” — such as selling knowledge of system vulnerabilities to malware developers — for future criminal activities. The sale of software exploits has captured much attention recently, as the ShadowBrokers and other groups have introduced controversial subscription programs that give clients access to unpatched system vulnerabilities.

Zero-Day Exploits, Ransomware, and DDoS Extortion Are Bestsellers
The number of discovered zero-day exploits — weaknesses in code that had been previously undetected by the product’s vendor — has dropped steadily since 2014, according to Symantec’s 2018 Internet Security Threat Report, thanks in part to an increase in “bug bounty” programs that encourage and incentivize the legal disclosure of vulnerabilities. In turn, this has led to an increase in price for the vulnerabilities that do get discovered, with some of the most valuable being sold for more than $100,000 in one of the many darknet marketplaces catering to exploit sales, as highlighted in related a blog post on TechRepublic. Other cybercrime actors sell email databases to simplify future cybercrime campaigns, as was the case in 2016 when 3 billion Yahoo accounts were sold to a handful of spammers for $300,000 each.

Exploit kits are another popular product on the darknet. They provide inexperienced cybercriminals with the tools they need to break into a wide range of systems. However, Europol suggests that the popularity of exploit kits has fallen over the past 12 months as the top products have been eliminated and their replacements have failed to offer a comparable sophistication or popularity. Europol also notes that theft through malware was generally becoming less of a threat; instead, today’s cybercriminals prefer ransomware and distributed denial-of-service (DDoS) extortion, which are easier to monetize.

Cybercrime Infrastructure-as-a-Service
The third way hackers can profit from more sophisticated cybercrime is by providing cybercrime infrastructure-as-a-service. Those in this field are provide the services and infrastructure — including bulletproof hosting and botnet rentals — on which other bad actors rely to do their dirty work. The former helps cybercriminals to put web pages and servers on the Internet without having to worry about takedowns by law enforcement. And cybercriminals can pay for botnet rentals that give them temporary access to a network of infected computers they can use for spam distribution or DDoS attacks, for example.

Researchers estimate that a $60-a-day botnet can cause up to $720,000 in damages on victim organizations. The numbers for hackers who control the botnets are also big: the bad guys can produce significant profit margins when they rent their services out to other criminals, as highlighted in a related post.

The New Reality
Digital services are often the backbone of small and large organizations alike. Whether it’s a small online shop or a behemoth operating a global digital platform, if services are slow or down for hours, the company’s revenue and reputation may be on the line. In the old days, word of mouth circulated slowly, but today bad news can reach millions of people instantly. Using botnets for DDoS attacks is a moneymaker for cybercriminals who extort money from website proprietors by threatening an attack that would destroy their services.

The danger posed by Internet of Things (IoT) botnets was shown in 2016 when the massive Mirai IoT botnet attacked the domain name provider Dyn and took down websites like Twitter, Netflix, and CNN in the largest such attack ever seen. Botnet use will probably expand in the coming years as cybercriminals continue to exploit vulnerabilities in IoT devices to create even larger networks. Get used to it: Cybercrime is here to stay.

Source: https://www.darkreading.com/endpoint/cybercrime-as-a-service-no-end-in-sight/a/d-id/1333033

  • 0

‘Torii’ Breaks New Ground For IoT Malware

Stealth, persistence mechanism and ability to infect a wide swath of devices make malware dangerous and very different from the usual Mirai knockoffs, Avast says.

A dangerous and potentially destructive new IoT malware sample has recently surfaced that for the first time this year is not just another cheap Mirai knockoff.

Researchers from security vendor Avast recently analyzed the malware and have named it Torii because the telnet attacks through which it is being propagated have been coming from Tor exit nodes.

Besides bearing little resemblance to Mirai in code, Torii is also stealthier and more persistent on compromised devices. It is designed to infect what Avast says is one of the largest sets of devices and architectures for an IoT malware strain. Devices on which Torii works include those based on x86, x64, PowerPC, MIPS, ARM, and several other architectures.

Interestingly, so far at least Torii is not being used to assemble DDoS botnets like Mirai was, or to drop cryptomining tools like some more recent variants have been doing. Instead it appears optimized for stealing data from IoT devices. And, like a slew of other recent malware, Torii has a modular design, meaning it is capable of relatively easily fetching and executing other commands.

Martin Hron, a security researcher at Avast says, if anything, Torii is more like the destructive VPNFilter malware that infected some 500,000 network attached storage devices and home-office routers this May. VPNFilter attacked network products from at least 12 major vendors and was capable of attacking not just routers and network attached storage devices but the systems behind them as well.

Torii is different from other IoT malware on several other fronts. For one thing, “it uses six or more ways to achieve persistence ensuring it doesn’t get kicked out of the device easily on a reboot or by another piece of malware,” Hron notes.

Torii’s modular, multistage architecture is different too. “It drops a payload to connect with [command-and-control (CnC)] and then lays in wait to receive commands or files from the CnC,” the security researcher says. The command-and-control server with which the observed samples of Torii have been communicating is located in Arizona.

Torii’s support for a large number of common architectures gives it the ability to infect anything with open telnet, which includes millions of IoT devices. Worryingly, it is likely the malware authors have other attack vectors as well, but telnet is the only vector that has been used so far, Hron notes.

While Torii hasn’t been used for DDoS attacks yet, it has been sending a lot of information back to its command-and-control server about the devices it has infected. The data being exfiltrated includes Hostname, Process ID, and other machine-specific information that would let the malware operator fingerprint and catalog devices more easily. Hron says Avast researchers aren’t really sure why Torii is collecting all the data.

Significantly, Avast researchers discovered a hitherto unused binary on the server that is distributing the malware, which could let the attackers execute any command on an infected device. The app is written in GO, which means it can be easily recompiled to run on virtually any machine.

Hron says Avast is unsure what the malware authors plan to do with the functionality. But based on its versatility and presence on the malware distribution server, he thinks it could be a backdoor or a service that would let the attacker orchestrate multiple devices at once.

The log data that Avast was able to analyze showed that slightly less than 600 unique client devices had downloaded Torii. But it is likely that the number is just a snapshot of new machines that were recruited into the botnet for the period for which Avast has the log files, the security vendor said.

Source: https://www.darkreading.com/attacks-breaches/-torii-breaks-new-ground-for-iot-malware/d/d-id/1332930

  • 0

Beware of Torii! Security experts discover the ‘most sophisticated botnet ever seen’ – and say it is targeting smart home gadgets

  • Researchers from Avast have identified a worrying botnet affecting IoT devices
  • Called ‘Torii,’ the virus infects devices at a server level that have weak encryption
  • Virus can fetch and execute different commands, making it ‘very sophisticated’

Keep an eye on your smart home devices.

Security experts have identified what they consider the ‘most sophisticated botnet they’ve ever seen’ and it’s believed to be targeting internet of things gadgets.

Antivirus firm Avast said in a new report they’ve been closely watching a new malware strain, called ‘Torii,’ which uses ‘advanced techniques’ to infect devices.

‘…This one tries to be more stealthy and persistent once the device is compromised, an it does not (yet) do the usual stuff a botnet does like [Distributed Denial of Service attacks], attacking all the devices connected to the internet, or, of course, mining cryptocurrencies,’ Avast researchers wrote in a blog post.

The malware goes after devices that have weak encryption, using the Telnet remote access protocol.

Telnet is a remote access tool that’s primarily used to log into remote servers, but it’s largely been replaced by tools that are more secure.

Once it has identified a poorly secured system, Torii will attempt to steal your personal information.

It’s entirely possible that vulnerable IoT device owners have no idea their device has been compromised.

‘As we’ve been digging into this strain, we’ve found indications that this operation has been running since December 2017, maybe even longer,’ the researchers wrote.

While Torii hasn’t attempted cryptojacking or carried out DDoS attacks, researchers say the malware is capable of fetching and executing commands of different kinds on the infected device, making it very sophisticated.

What’s more, many smart home gadgets are connected to one another, and it’s unclear yet if the malware is capable of spreading to other devices.

‘Even though our investigation is continuing, it is clear that Torii is an example of the evolution of IoT malware, and that its sophistication is a level above anything we have seen before,’ the Avast researchers explained.

Once Torii infects a device, it floods it with information and communicates with the master server, allowing the author of the malware to execute any code or deliver any payload to the infected device, according to researchers.

‘This suggests that Torii could become a modular platform for future use,’ the researchers continued.

‘Also, because the payload itself is not scanning for other potential targets, it is quite stealthy on the network layer. Stay tuned for the follow ups.’

WHAT IS A DDOS ATTACK?

DDoS stands for Distributed Denial of Service.

These attacks attempt to crash a website or online service by bombarding them with a torrent of superfluous requests at exactly the same time.

The surge of simple requests overload the servers, causing them to become overwhelmed and shut down.

In order to leverage the number of requests necessary to crash a popular website or online service, hackers will often resort to botnets – networks of computers brought under their control with malware.

Malware is distributed by tricking users into inadvertently downloading software, typically by tricking users into following a link in an email or agreeing to download a corrupted file.

Source: https://www.dailymail.co.uk/sciencetech/article-6216451/Security-experts-discover-sophisticated-botnet-seen.html

  • 0

3 Drivers Behind the Increasing Frequency of DDoS Attacks

What’s causing the uptick? Motivation, opportunity, and new capabilities.

According to IDC Research’s recent US DDoS Prevention Survey, more than 50% of IT security decision makers said that their organization had been the victim of a distributed denial-of-service (DDoS) attack as many as 10 times in the past year. For those who experienced an attack, more than 40% lasted longer than 10 hours. This statistic correlates with our ATLAS findings, which show there were 7.5 million DDoS attacks in 2017 — a rate, says Cisco, that is increasing at roughly the same rate as Internet traffic.

What’s behind the uptick? It boils down to three factors: motivation of the attackers; the opportunity presented by inexpensive, easy-to-use attack services; and the new capabilities that Internet of Things (IoT) botnets have.

Political and Criminal Motivations
In an increasingly politically and economically volatile landscape, DDoS attacks have become the new geopolitical tool for nation-states and political activists. Attacks on political websites and critical national infrastructure services are becoming more frequent, largely because of the desire and capabilities of attackers to affect real-world events, such as election processes, while staying undiscovered.

In June, a DDoS attack was launched against the website opposing a Mexican presidential candidate during a debate. This attack demonstrated how a nation-state could affect events far beyond the boundaries of the digital realm. It threatened the stability of the election process by knocking a candidate’s website offline while the debate was ongoing. Coincidence? Perhaps. Or maybe an example of the phenomenon security experts call “cyber reflection,” when an incident in the digital realm is mirrored in the physical world.

DDoS attacks carried out by criminal organizations for financial gain also demonstrate cyber reflection, particularly for global financial institutions and other supra-national entities whose power makes them prime targets, whether for state actors, disaffected activists, or cybercriminals. While extortion on the threat of DDoS continues to be a major threat to enterprises across all vertical sectors, cybercriminals also use DDoS as a smokescreen to draw attention away from other nefarious acts, such as data exfiltration and illegal transfers of money.

Attacks Made Easy
This past April, Webstresser.org — one of the largest DDoS-as-a-service (DaaS) providers in existence, which allowed criminals to buy the ability to launch attacks on businesses and responsible for millions of DDoS attacks around the globe — was taken down in a major international investigation. The site was used by a British suspect to attack a number of large retail banks last year, causing hundreds of thousands of pounds of damage. Six suspected members of the gang behind the site were arrested, with computers seized in the UK, Holland, and elsewhere. Unfortunately, as soon as Webstresser was shut down, various other similar services immediately popped up to take its place.

DaaS services like Webstresser run rampant in the underground marketplace, and their services are often available at extremely low prices. This allows anyone with access to digital currency or other online payment processing service to launch a DDoS attack at a target of their choosing. The low cost and availability of these services provide a means of carrying out attacks both in the heat of the moment and after careful planning.

The rage-fueled, irrational DDoS-based responses of gamers against other gamers is a good example of a spur-of-the-moment, emotional attack enabled by the availability of DaaS. In other cases, the DaaS platforms may be used in hacktivist operations to send a message or take down a website in opposition to someone’s viewpoint. The ease of accessibility to DaaS services enables virtually anyone to launch a cyberattack with relative anonymity.

IoT Botnets
IoT devices are quickly brought to market at the lowest cost possible, and securing them is often an afterthought for manufacturers. The result? Most consumer IoT devices are shipped with the most basic types of vulnerabilities, including hard code/default credentials, and susceptibility to buffer overflows and command injection. Moreover, when patches are released to address these issues, they are rarely applied. Typically, a consumer plugs in an IoT device and never contemplates the security aspect, or perhaps does not understand the necessity of applying regular security updates and patches. With nearly 27 billion connected devices in 2017, expected to rise to 125 billion by 2030 according to analysis from IHS Markit, they make extremely attractive targest for malware authors.

In the latter half of 2016, a high-visibility DDoS attack against a DNS host/provider was observed, which affected a number of major online properties. The malware responsible for this attack, and many others, was Mirai. Once the source code for Mirai was published on September 30, 2016, it sparked the creation of a slew of other IoT-based botnets, which have continued to evolve significantly. Combined with the proliferation of IoT devices, and their inherent lack of security, we have witnessed a dramatic growth in both the number and size of botnets. These new botnets provide the opportunity for attackers and DaaS services to create new, more powerful, and more sophisticated attacks.

Conclusion
Today’s DDoS attacks are increasingly multivector and multilayered, employing a combination of large-scale volumetric assaults and stealth infiltration targeting the application layer. This is just the latest trend in an ever-changing landscape where attackers adapt their solutions and make use of new tools and capabilities in an attempt to evade and overcome existing defenses. Businesses need to maintain a constant vigilance on the techniques used to target them and continually evolve their defenses to industry best practices.

Source: https://www.darkreading.com/attacks-breaches/3-drivers-behind-the-increasing-frequency-of-ddos-attacks/a/d-id/1332824

  • 0

Who’s hacking into UK unis? Spies, research-nickers… or rival gamers living in res hall?

Report fingers students and staff for academic cyber-attacks

Who’s hacking into university systems? Here’s a clue from the UK higher education tech crew at Jisc: the attacks drop dramatically during summer break.

A new study from Jisc (formerly the Joint Information Systems Committee) has suggested that rather than state-backed baddies or common criminals looking to siphon off academic research and personal information, staff or students are often the culprits in attacks against UK higher education institutions.

The non-profit body, which provides among other things internet connectivity to universities, analysed 850 attacks in the 2017-18 academic year and found a consistent pattern that occurred during term time and the UK working day.

Holidays brought with them a sharp reduction in attacks, from a peak 60-plus incidents a week during periods of the autumn term to a low of just one a week at times in the summer. It acknowledged that part of the virtual halt in summer may be down to cops and Feds cracking down on black hat distributed denial-of-service tools in the months prior, however.

Jisc is perhaps better known among Reg readers for providing the Janet network to UK education and research institutions.

Its data covered cyber-attacks against almost 190 universities and colleges and focused on denial-of-service and other large-scale infosec hits rather than phishing frauds and malware.

Staff and students with a grudge or out to cause mischief are more credible suspects in much of this rather than external hackers or spies. More sophisticated hackers might be inclined to use DDoS as some sort of smokescreen.

In a blog post, Jisc security operations centre head John Chapman admitted some of the evidence suggesting staff and students might be behind DDoS attacks is circumstantial. However, he pointed out evidence from law enforcement and detected cyber assaults supported this theory. For example, a four-day DDoS attack the unit was mitigating against was traced back to a university hall of residence – and turned out to be the result of a feud between two rival gamers.

Whoever might be behind them, the number of incidents is growing. Attacks are up 42 per cent to reach this year’s 850; the previous academic year (2016-17) witnessed less than 600 attacks against fewer than 140 institutions.

Matt Lock, director of solutions engineers at Varonis, said: “This report is another reminder that some of the biggest threats facing organisations today do not involve some hoodie-wearing, elusive computer genius.”

Education is targeted more often than even the finance and retail sectors, according to McAfee research (PDF).

Nigel Hawthorn, data privacy expert at McAfee, commented in March:

“The kind of data held by universities (student records/intellectual property) is a valuable commodity for cyber criminals, so it is crucial that the security and education sectors work together to protect it.

Source: https://www.theregister.co.uk/2018/09/17/cyber_attack_uk_universities/

  • 0

DDoS attacks: Students blamed for many university cyber attacks

DDoS attacks against university campuses are more likely in term time.

Nation-states and criminal gangs often get the blame for cyber attacks against universities, but a new analysis of campaigns against the education sector suggests that students — or even staff — could be perpetrators of many of these attacks.

Attributing cyber attacks is often a difficult task but Jisc, a not-for-profit digital support service for higher education, examined hundreds of DDoS attacks against universities and has come to the conclusion that “clear patterns” show these incidents take place during term-time and during the working day — and dramatically drop when students are on holiday.

“This pattern could indicate that attackers are students or staff, or others familiar with the academic cycle. Or perhaps the bad guys simply take holidays at the same time as the education sector,” said John Chapman, head of security operations at Jisc.

While the research paper notes that in many cases the reasons behind these DDoS campaigns can only be speculated about, just for fun, for the kudos and to settle grudges are cited as potential reasons.

In one case, a DDoS attack against a university network which took place across four nights in a row was found to be specifically targeting halls of residence. In this instance, the attacker was launching an attack in order to disadvantage a rival in online games.

The research notes that attacks against universities usually drop off during the summer — when students and staff are away — but that the dip for 2018 started earlier than it did in 2017.

“The heat wave weather this year could have been a factor, but it’s more likely due to international law enforcement activity — Operation Power Off took down a ‘stresser’ website at the end of April,” said Chapman.

The joint operation by law enforcement agencies around the world took down ‘Webstresser’, a DDoS for hire service which illegally sold kits for overwhelming networks and was, at the time, the world’s largest player in this space. This seemingly led to a downturn in DDoS attacks against universities.

But universities ignore more advanced threats “at their peril” said Chapman. “It’s likely that some of these more sophisticated attacks are designed to steal intellectual property, targeting sensitive and valuable information held at universities and research centres.”

Despite this, a recent survey by Jisc found that educational establishments weren’t taking cyber attacks seriously, as they weren’t considered a priority issue by many.

“When it comes to cyber security, complacency is dangerous. We do everything we can to help keep our members’ safe, but there’s no such thing as a 100% secure network,” said Chapman.

Source: https://www.zdnet.com/article/ddos-attacks-students-blamed-for-many-university-cyber-attacks/

  • 0

Cyber policies: More than just risk transfer

Digital connectivity continues apace – but brings with it increased cyber risks. These relatively new and complex risk profiles require approaches that go far beyond traditional insurance, argues Munich Re’s reinsurance boss Torsten Jeworrek.

Self-learning machines, cloud computing, digital ecosystems: in the steadily expanding Internet of Things, all objects communicate with others. In 2017, 27 billion devices around the world were online, but this number is set to increase five-fold to 125 billion by the year 2030. And many industries are profiting from the connectivity megatrend.

In virtually every sector, automated processes are delivering greater efficiency and therefore higher productivity. By analysing a wide range of data, businesses also hope to gain new insights into existing and prospective customers, their purchasing behaviour, or the risk that they might represent. This will facilitate a more targeted customer approach. At the same time, greater levels of interconnection are leading to new business models. Examples include successful sharing concepts and online platforms.

Growing risk of ransomware

But just as there are benefits to growing connectivity, there are also risks. Ensuring data security at all times is a serious challenge in this complex world. When setting up and developing digital infrastructure, companies must constantly invest in data-security expertise and in technical security systems, not least to protect themselves against cyber attacks. This became clear in 2017, when the WannaCry and NotPetya malware attacks caused business interruption and production stoppages around the world. T

he costs of WannaCry in the form of lost data and business interruption were many times greater than the losses from ransom demands. With other attacks, the objective was not even extortion – but rather to sabotage business operations or destroy data. Phishing, which is the attempted capture of sensitive personal and log-in data, and distributed denial of service (DDoS) attacks, which take down entire servers by systematically overloading them, also cause billions of dollars in damage each year. It is difficult to calculate the exact amounts involved, but business losses from cyber attacks are currently estimated at between $400bn and $1tn each year.

And the number of cyber attacks continues to rise – as do the resulting losses. According to estimates from market research institute Cybersecurity Ventures, companies around the world will fall victim to such attacks every 14 seconds on average in 2019. Europol also notes that there have been attacks on critical national infrastructure in the past, in which people could have died had the attacks succeeded.

Increasing demand for cyber covers from SMEs as well

As the risks increase, so too does the number of companies that attach importance to effective prevention measures and that seek insurance cover. The pressure to improve data protection has also increased as a result of legal requirements such as the EU’s General Data Protection Regulation, which came into force in May 2018 and provides for severe penalties in the event of violations. In a world of digital dependency, automated processes, and networked supply chains, small- and medium- sized companies in particular realise that it is no longer enough to focus on IT security within their own four walls.

For the insurance industry, cyber policies are gradually becoming an important field of business in their own right. According to estimates, further significant increases in premium volume are on their way. In 2017, premium volume was at between $3.5bn and $4bn. That figure is expected to increase to between $8bn and $9bn by 2020. So there will be good growth opportunities over the next few years, particularly in Europe.

Cyber risks difficult to assess

Cyber risks pose unique challenges for the insurance industry, above all in connection with accumulation risk: a single cyber event can impact many different companies at the same time, as well as leading to business interruption for other companies.

How can the market opportunities be exploited, while at the same time managing the new risks? Are cyber risks ultimately uninsurable, as many industry representatives have said? One thing is certain: there are a number of extreme risks that the insurance industry cannot bear alone. At present, these include network outages that interrupt the electricity supply, or internet and telecommunication connections. Scenarios like these, and the costs that come with them, should be borne jointly by governments and companies, for example in the form of pool solutions.

Cyber as a new type of risk

There are key differences between cyber risks and traditional risks. Historical data such as that applied to calculate future natural hazards, for example, cannot tell us much about future cyber events. Data from more than ten years ago, when there was no such thing as cloud computing and smartphones had not yet taken off, are of little use when assessing risks from today’s technologies. Insurers and reinsurers must be able to recognise and model the constantly evolving risks over the course of these rapid advances in technology. An approach that relies on insurance expertise alone will rapidly reach its limits. Instead, the objective of all participants should be to create as much transparency as possible with regard to cyber risks. IT specialists, authorities, and the scientific and research communities can all help to raise awareness of the risks and contribute their expertise for the development of appropriate cyber covers.

Working together to enhance security

Munich Re relies on collaboration with technology companies and IT security providers to develop solutions for cyber risks. This is because the requirements for comprehensive protection are complex, and safeguarding against financial losses is only one component of an overall concept. Accordingly, in consultation with our technology partners, we are developing highly effective, automated prevention services for our clients. These are designed to permanently monitor the client infrastructure, identify risks promptly, and prevent losses. And – importantly – a company needs to respond quickly to limit the loss from an event and allow it to resume normal operations without delay. In this context, we assist our clients with a network of experts.

But cyber risks remain a challenge, and one that the insurance industry needs to tackle. Insurers can only remain relevant for their clients if they constantly adapt their offerings to new or changed risks and requirements. Opportunities for new fields of business are arising.

Source: https://www.re-insurance.com/opinion/cyber-policies-more-than-just-risk-transfer/1687.article

  • 0

McDreary? The Future of Medical Call Centers & DDoS

As healthcare’s digital transformation continues, security remains a top priority — especially as distributed denial-of-service (DDoS) attacks target the click-to-call features on websites.

Click-to-call defines the services that enable patients to immediately call a hospital or clinic directly from a button on their website, either using a traditional phone service or Voice over Internet Protocol (VoIP) technology. This is different from click-to-callback features, which are used for less pressing medical needs, and is an important differentiation when securing hospital communications from DDoS attacks.

Because direct click-to-call scenarios use more resources, such as audio streams and interactive voice response (IVR) systems, these types of connections are much easier to effect using an application-layer DDoS attack.

When a DDoS attack affects a healthcare system, click-to-call features are often taken fully offline. If this occurs during a health emergency, the implications can mean life or death.

However, click-to-call features also offer enhanced and more personalized engagement in a cost-effective manner, so simply removing them could result in delayed care or service abandonment as well as raise the cost of future care. So what’s the best move?

Neustar’s 2017 Worldwide DDoS Attacks and Cyber Insights Research Report found that while 99% of the organizations it surveyed had some sort of DDoS protection in place, the vast majority of them (90%) were planning to invest more than in the previous year, and 36% thought they should be investing even more than that.

The same way that keeping protected health information (PHI) secure continues to be of the utmost importance, further steps must be taken to protect healthcare organizations from DDoS attacks.

Gated access through proper authentication 
One of the primary ways healthcare organizations can prevent a DDoS attack is through proper authentication. Proper authentication reduces the attack surface by providing a gate of access to those systems and rules out certain flavors of anonymous attacks.

Anonymous DDoS attacks use an open access or resource and distribute/coordinate mass usage of the access, and are challenging to thwart as it is difficult to differentiate an attack from actual usage.

Proper authentication provides a simple differentiation. Credential loss is a possible attack vector even with authentication; however, coordinating DDoS attacks with authentication credentials is much more difficult due to the distribution of credentials. For instance, if an attacker has compromised a single access point and distributes the single authentication to all endpoints, a properly protected account could easily thwart an attack with access rate-limiting.

Securing Patient Portals 
Implementing secure patient portals is another way to prevent DDoS attacks on medical call centers.

Patient portals require strong authentication. If proper authentication is required before using resources such as call centers and call agents, then the ability to launch a large-scale attack would require numerous credentials. In circumstances where multi-factor authentication is required, the complexity of a successful DDoS attack only increases — thereby making it more difficult to pull off.

For example, if a username/password entry into a patient portal required a text or email verification as well — or even a prompt on an installed smartphone application — then the loss of even a large set of credentials could not be used in an attack without also compromising some other form(s) of communication. Since patient portals also contain mass amounts of private data, securing that information to the highest degree in order to safeguard it properly is key and can also help prevent a large-scale attack on a hospital’s click-to-call functionality.

What the threat of DDoS attacks means to the global security community 
Today it’s obviously critical that global security managers remain aware of the daunting DDoS threat. When (not “if”) an attack occurs, critical resources are consumed — sometimes even resources that are unrelated.

For example, a DDoS attack against a website might consume networking resources, bringing down a patient portal, and an attack against a patient portal may consume database resources and prevent normal internal operations.

DDoS attacks on weak targets are relatively inexpensive for attackers — existing botnets with simple traffic flooding exist and await the next purchase — and simple networking attacks can be thwarted with up-to-date networking equipment front-ending services.

However, application-aware and custom attacks are much more expensive to create, and can be made prohibitively expensive by taking simple steps like requiring authentication before allowing access to resource offerings.

Additionally, keeping software up-to-date is critical as software flaws are discovered, and quickly updating components is effective at blocking attacks before they can be crafted and deployed. Regularly updating systems and keeping them free of malware not only reduces available botnet size, amplification points and reflection points, but may also prevent a hop-off point for more sophisticated attacks.

As more tech companies enter the healthcare field to enable its digitization, and information security continues to be top of mind in every field, it’s important for those in the security industry — some of whom may directly dabble in healthcare — as well as the healthcare organizations themselves to focus on increasing their security measures and to know what they should be doing to prevent this type of communications attack.

Source: https://www.infosecurity-magazine.com/opinions/mcdreary-medical-ddos/

  • 0

Rise in multifunctional botnets

There is a growing demand around the world for multifunctional malware that is not designed for specific purposes but is flexible enough to perform almost any task.

This was revealed by Kaspersky Lab researchers in a report on botnet activity in the first half of 2018. The research analysed more than 150 malware families and their modifications circulating through 600 000 botnets around the world.

Botnets are large ‘nets’ of compromised machines that are used by cybercriminals to carry out nefarious activities, including DDoS attacks, spreading malware or sending spam. Kaspersky botnet activity on an ongoing basis to prevent forthcoming attacks or to stop a new type of Trojan before it spreads.

It does this by employing technology that emulates a compromised , trapping the commands received from threat actors that are using the botnets to distribute malware. Researchers gain valuable malware samples and statistics in the process.

Drop in single-purpose malware

The first half of 2018 also saw the number of single-purpose pieces of malware distributed through botnets dropping significantly in comparison to the second half of 2017. In H2 2017, 22.46% of all unique malware strands were banking Trojans. This number dropped to 13.25% in the first half of this year.

Moreover, the number of spamming bots, another type of single-purpose malware distributed through botnets, decreased dramatically, from 18.93% in the second half of 2017 to 12.23% in the first half 2018. DDoS bots, yet another typical single-purpose malware, also dropped, from 2.66% to 1.99%, in the same period.

The only type of single-purpose malicious programs to demonstrate notable growth within botnet networks were miners. Even though their percentage of registered files is not comparable to highly popular multifunctional malware, their share increased two-fold and this fits in the general trend of a malicious mining boom, as noted in previous reports.

There’s a RAT in my PC

Alongside these findings, the company noted distinctive growth in malware that is more versatile, in particular Remote Access Tools (RATs) that give cyber crooks almost unlimited opportunities for exploiting infected machines.

Since H1 2017, the share of RAT files found among the malware distributed by botnets almost doubled, rising from 6.55% to 12.22%, with the Njrat, DarkComet and Nanocore varieties topping the list of the most widespread RATs.

“Due to their relatively simple structure, the three backdoors can be modified even by an amateur threat actor. This allows the malware to be adapted for distribution in a specific region,” the researchers said.

Trojans, which can also be employed for a range of purposes, did not grow as much as RATs, but unlike a lot of single-purpose malware, still increased 32.89% in H2 2017 to 34.25% in H1 2018. In a similar manner to RATs, Trojans can be modified and controlled by multiple command and control servers, for a range of nefarious activities, including cyberespionage or the theft of personal information.

Bot economy

Alexander Eremin, a security expert at Kaspersky Lab, says the reason multipurpose malware is taking the lead when it comes to botnets is clear. “Botnet ownership costs a significant amount of money and, in order to make a profit, criminals must be able to use each and every opportunity to get money out of malware. A botnet built out of multipurpose malware can change its functions relatively quickly and shift from sending spam to DDoS or to the distribution of banking Trojans.”

In addition to switching between different ‘active’ malicious activities, it also opens an opportunity for a passive income, as the owner can simply rent out their botnet to other criminals, he added.

Source: https://www.itweb.co.za/content/LPwQ57lyaoPMNgkj

  • 0

It’s Time To Protect Your Enterprise From DDoS Attacks

DDoS (Distributed Denial of Service) attacks feature amongst the most dreaded kinds of cyber attacks, for any enterprise today. This is especially because, as the name itself suggests, there it causes a total denial of service; it exhausts all resources of an enterprise network, application or service and consequently it becomes impossible to gain access to the network, application or the service.

In general, a DDoS attack is launched simultaneously from multiple hosts and it would suffice to host the resources, the network and the internet services of enterprises of any size. Many prominent organizations today encounter DDoS attacks on a daily basis. Today DDoS attacks are becoming more frequent and they are increasing in size, at the same time becoming more sophisticated. In this context, it becomes really important that enterprises look for DDoS attack prevention services, in fact the best DDoS attack prevention services, so as to ensure maximum protection for their network and data.

The different kinds of DDoS attacks

Though there are different kinds of DDoS attacks, broadly speaking there are three categories into which all the different kinds of DDoS attacks would fit.

The first category is the volumetric attacks, which include those attacks that aim at overwhelming network infrastructure with bandwidth-consuming traffic or by deploying resource-sapping requests. The next category, the TCP state-exhaustion attacks, refer to the attacks that help hackers abuse the stateful nature of the TCP protocol to exhaust resources in servers, load balancers and firewalls. The third category of DDoS attacks, the application layer attacks, are basically the ones targeting any one aspect of an application or service at Layer 7.

Of the above-mentioned three categories, volumetric attacks are the most common ones; at the same time there are DDoS attacks that combine all these three vectors and such attacks are becoming commonplace today.

DDoS attacks getting sophisticated, complex and easy-to-use

Cybercriminals today are getting cleverer and smarter. They tend to package complex, sophisticated DDoS attack tools into easy-to-use downloadable programs, thereby making it easy even for non-techies to carry out DDoS attacks against organizations.

What are the main drivers behind DDoS attacks? Well, there could be many, ranging from ideology or politics to vandalism and extortion. DDoS is increasingly becoming a weapon of choice for hacktivists as well as terrorists who seek to disrupt operations or resort to extortion. Gamers too use DDoS as a means to gain competitive advantage and win online games.

There are clever cybercriminals who use DDoS as part of their diversionary tactics, intending to distract organizations during APT campaigns that are planned and executed in order to steal data.

How to prevent DDoS attacks

The first thing that needs to be done, to prevent DDoS attacks from happening, is to secure internet-facing devices and services. This helps reduce the number of devices that can be recruited by hackers to participate in DDoS attacks.

Since cybercriminals abuse protocols like NTP, DNS, SSDP, Chargen, SNMP and DVMRP to generate DDoS traffic, it’s advisable that services that use any of these ought to be carefully configured and run on hardened, dedicated servers.

Do repeated tests for security issues and vulnerabilities. One good example is doing penetration tests for detecting web application vulnerabilities.

Ensure that your enterprise implements anti-spoofing filters as covered in IETF Best Common Practices documents BCP 38 and BCP 84. This is because hackers who plan DDoS attacks would generate traffic with spoofed source IP addresses.

Though there are no fool-proof techniques that can prevent DDoS attacks completely, you can ensure maximum protection by ensuring proper configuration of all machines and services. This would ensure that attackers don’t harness publicly available services to carry out DDoS attacks.

It’s to be remembered that it’s difficult to predict or avoid DDoS attacks and also that even an attacker with limited resources can bring down networks or websites. Hence, for any organization, it becomes important that the focus is always on maximum level protection for enterprise networks, devices, websites etc.

  • 0