Cybercrime Poses a Mounting Problem in Taiwan

“White hat” hackers and cyber-cops fight crime in Taiwan’s heavily attacked cyberspace.

Cybercrime is a growing problem in Taiwan and around the world, cybersecurity experts and law enforcement officers agree.

“It’s absolutely on the rise because everything is connected to the internet – you can shop online, can do anything,” says Wu Fu-mei, acting director of the Information and Communications Security Division within the Ministry of Justice Investigation Bureau. Along with network and mobile devices, the proliferation of connected IoT (internet of things) devices has created a vastly expanded pool of potential targets, many of which are only lightly protected from infection.

Incidents of malware being injected into software supply chains rose 200% in 2017 compared with the previous year, while targeted attacks were up 10% and mobile malware rose by 54%, according to global cybersecurity firm Symantec. The company notes that ransomware, in which an organization’s data is infected and encrypted by a hacker – to be decrypted only after payment of a ransom – has become so routine that the average amount of ransom demanded dropped to only US$522 in 2017, less than half the 2016 average.

The Dark Web and the sudden rise of cryptocurrencies are key enablers of cybercrime. The Dark Web, that part of the internet accessible only through encrypted browsers such as TOR, provides criminals with an untraceable space for conducting illicit business ranging from hiring killers to obtaining illegal drugs – and buying and selling personal data stolen in data breaches. These transactions are now mostly done in Bitcoin or other cryptocurrencies, which use transparent blockchain technology but are anonymous.

“Both the Dark Web and digital currency are very difficult to trace,” notes MJIB’s Wu. “When we are investigating crimes we need to find two things: the cash flow and the information flow. The use of digital currency can hide the cash flow, and use of the Dark Web can hide the information flow.”

She adds that the relative ease and safety of cybercrime contributes to its appeal. “It’s a fairly easy way of doing crime. You don’t have to invest a lot, and you can commit a lot of crime by just sitting at a desk,” she says.

To cybersecurity experts, Taiwan’s digital landscape is a dystopian cyber-wilderness where malware bots hunt; hackers blackmail, rob, and vandalize; and our connected devices are able to be possessed by viruses and turn against us.

Shaking the doorknob

Taiwan receives tens of millions of attacks every month, most of them little more than “shaking the doorknob” to see if somebody forgot to secure an entry point. Many full-on attacks also occur, some of which have resulted in massive data breaches and ransom payments. A lack of basic password protection on the part of an alarming number of firms and individuals means that hackers need not bother searching for back doors when the front door is wide open for intrusion and infestation.

Once inside, the malware takes increasing control over the device or server, often without impacting its usual functions. Cases of IP cameras that continue to record video even after being turned off and IoT household appliances recruited into a virtual army for distributed denial of service (DDoS) attacks at the behest of unseen masters have been widely reported in the media.

Doing battle against these hidden attackers is Taiwan’s army of “white hat” hackers in both the government cybersecurity agencies and the private sector. “It’s like a war,” says Allen Own, co-founder and CEO of cybersecurity consulting startup Devcore. “And there is an information disparity. The attackers always know more than the enterprise.”

Malware bots are endlessly scanning the internet for system and device vulnerabilities, and even the smallest lapse in password protection, coding, or design can result in a wholesale invasion. “Security is decided by the least secured links, which are everywhere,” says Steven Chen, CEO and co-founder of PFP Cybersecurity, a Silicon Valley startup that has entered the Taiwan market.

Cybersecurity systems and technologies have advanced to the point that firewalls, APT (Advanced Persistent Threat) deterrence, and other cybersecurity defense systems are now capable of fending off even the most sophisticated hacks. What is generally behind successful cyber-attacks is the weak link of the human factor. Symantec says that 71% of successful hacks are due to phishing, in which people open a bogus email that exposes their computer, and thus their organization’s servers, to infestation. Phishing attacks have brought down even the most internet-savvy people.

According to Hans Barre of Silicon Valley-based digital and social cybersecurity firm RiskIQ, corporate executives and brands from Taiwan and around the world are at huge risk of being “counterfeited.” An individual or organization may set up a profile on LinkedIn, for example, purporting to be a company executive. When this fraudulent identity makes contact with other industry professionals, they are easily fooled into exchanging emails and inviting the hacker right into their corporate networks, exposing all of their private data to theft.

Devcore deals with human error of a different kind, often involving website developers and programmers who make sloppy or inadvertent errors in their product, leaving it exposed to hackers. When programmers code websites in languages such as Java, PHP, or Ruby, mistakes or carelessness in the code might leave the site vulnerable. Such errors can expose the site and its SQL (Structured Query Language) databases, allowing hackers to access the databases and basically wreak havoc on the system.

“These mistakes are the fault of the developer,” Own notes, adding that although he and the other 12 consultants at Devcore “might not be as good in these programming languages as actual developers are,” “we are good at finding vulnerabilities.”

Devcore’s assignment is to act as the Red Team hackers, a term borrowed from military jargon used in war games, where the Red Team plays the role of attacker, while the Blue Team plays defense. Own’s team hacks the client’s website searching for vulnerabilities, which they usually find not in the main websites, but in developer-created websites that the company might not even be aware of.

Often website developers make a second website that mirrors the main site and is used as a practice and work site for future development. However, the second site is generally not protected as well as the first one, and can be a major point of system infection.

“The enterprise will defend the most important website that they own but the hackers will attack their other, less well-protected sites – the security level is lower,” explains Own. “They know that they have several websites but they don’t know which ones are vulnerable. But we know every website that they have, even if the company itself doesn’t know.”

Own says that along with his role operating his company, he has also been one of the organizers of HITCON – the “Hacks in Taiwan” conference – for 14 years. The main purpose of the conference is to “teach the government and enterprise what security is, and how to keep your website secure.” This year’s HITCON is scheduled for July 27-28 at the Taipei Nankang Exhibition Center.

Benson Wu, co-founder of Taiwanese cybersecurity startup CyCarrier Security, aims to solve the problem of human error by removing humans from the security system as far as possible, relying instead on Artificial Intelligence (AI) for monitoring. He notes that even top-line cybersecurity platforms are only as good as their operators, with most requiring well-trained staff. “But the reality is that you often can’t find such experts because that talent is already working directly in the cybersecurity industry,” he says.

Industry insiders say that AI and Machine Learning (ML) are already being deployed on both sides of the cybercrime battle. Wu says that his company’s system never gets tired, never misses a warning, and can reduce the time for discovery of a system breach from months to a matter of days. As such efficiency doesn’t come cheap, Wu says CyCarrier Security is targeting only the top-tier companies in Taiwan and abroad that have the money and awareness to pay for a top-line cybersecurity platform. He adds that he doesn’t need to do much of a sales pitch. He simply sets up the platform to evaluate how many times and for how long the company has been breached. “They sign up right away after they see the results,” he says.

Threats against Taiwan are usually attributed to China, but recent experience shows that is not always true, including the heists of First Bank by Russian hackers and the Far Eastern Bank by the North Korean-linked Lazarus gang. Taiwan produces its own home-grown hackers as well, as a recent case cited by the MJIB cybercrimes unit attests.

In that case, securities firms were threatened with a DDOS attack if they didn’t pay a ransom in Bitcoin to the hacker. “Most companies paid the ransom, but one did not and his whole computer system was hacked and paralyzed,” says MJIB’s Wu. The MJIB was called in and traced the hacker through the email that he had sent to the company. The culprit turned out to be a 20-year-old Taiwanese who told investigators that he had pulled off similar attacks numerous times, but had already spent the money he gained. He now faces up to five years in prison.

With the threat of cyberattacks now being taken more seriously in Taiwan, demand for cybersecurity talent is increasing and salaries are rising accordingly. But Taiwan’s cybersecurity professionals are also fervently committed to the cause.

“Making money is necessary, but doing business is not my only concern,” says Devcore’s Own. “My company and I are passionate about cybersecurity in Taiwan.”


Hide and Seek Brings Persistence to IoT Botnets

The rapidly evolving Hide and Seek botnet is now persistent on a wide range of infected IoT devices.

IoT devices tend to be simple. So simple, in fact, that turning them off and back on again has historically been a reliable way to eliminate malware. Now, though, a new variant of the Hide and Seek bot can remain persistent on IoT devices that use a variety of different hardware and Linux platforms.

A research team at Bitdefender described the new variant of a botnet they had first discovered in January, noting two important developments: one novel, the other in keeping with a broader trend in malware.

Persistence in IoT devices is novel and disturbing since it removes a common defense mechanism from the security team’s toolbox. In order to achieve persistence, Hide and Seek must gain access to the device via Telnet, using the protocol to achieve root access to the device. With root access, a file is placed in the /etc/init.d/ directory where it executes each time the device is rebooted. According to the Bitdefender researchers, there are at least 10 different versions of the executables that can run on 10 different system variants.

“Once this new botnet has been armed, it isn’t going to do anything but increase the availability of the already prevalent DDoS tools for those looking to launch such attacks,” says Sean Newman, director of product management at Corero Network Security. He points out that this is disturbing for technology advancement reasons, but it might not immediately make a huge impact on the DDoS environment. “With most IoT devices rarely rebooted and easily re-infected if they are, it feels like this may not make as much impact as you might think to the already burgeoning supply of botnets,” he says, “particularly those being used to launch damaging DDoS attacks.”

As part of a broader trend in malware, Hide and Seek shows considerable development and evolution in the code being deployed. Since its initial discovery in January of this year, “The botnet seems to undergo massive development as new samples compiled for a variety of architectures have been added as payloads,” according to the Bitdefender Labs blog post on the malware.

“This showcases the continued evolution of malware and how the internet continues to democratize access to information, malicious or otherwise,” says Dan Mathews, director at Lastline. He lists some of the ways in which the industry has seen botnet malware evolve since the days of Mirai, including, “…default & expanded password guessing and cross-compiled code to run on multiple CPU architectures added, as well as exploits added to leverage IoT vulnerabilities, exploits added for peer to peer communications, and now exploits added for persistence.”

Hide and Seek’s original version was notable for using a proprietary peer-to-peer network both for C&C and for spreading new infections. Now that persistence has been added to the feature mix, the botnet has become a more pressing concern for the owners of the 32,000+ devices already infected and of those IoT devices that are still vulnerable and unprotected.


Distributed-Denial-Of-Service Attacks And DNS

Distributed-denial-of-service (DDoS) attacks have become the scourge of the internet. DDoS attacks use compromised internet devices to generate enormous volumes of data and direct that data at a particular target such as a web server or router. That target either keels over due to some critical resource becoming exhausted, or it finds its connection to the internet saturated by garbage traffic.

DDoS attacks are simultaneously cheap to carry out and expensive to defend against. Almost anyone can order a DDoS attack against any target with no technical knowledge required. All that’s necessary is a website from which to order the attack (yes, such things exist) and some bitcoins with which to pay for it. The attacks generally use botnets with devices that have been compromised and infected with malware. Building internet infrastructure capable of withstanding the volume of data generated by a botnet requires costly over-engineering, commercial DDoS mitigation services or both.

Unfortunately, DDoS attacks have a special relationship to the Domain Name System: DDoS attacks both target and exploit DNS servers. By “target,” I mean that attackers frequently direct DDoS attacks at an organization’s authoritative DNS servers. These are the DNS servers responsible for advertising your DNS data to the rest of the internet; a successful DDoS attack against them will render your customers unable to visit your website or send you email. Every organization with a presence on the internet must have a set of authoritative DNS servers, and given even the most basic information — for example, one of your email addresses or the domain name of your website — a would-be attacker can find the names and addresses of those DNS servers, giving them a list of targets.

A particularly notable DDoS attack on authoritative DNS servers was the attack on Dyn in October 2016. Attackers used the Mirai botnet to overwhelm Dyn’s DNS servers with a whopping 1.2 terabits per second of traffic. Dyn’s DNS servers couldn’t respond to legitimate DNS queries under the load, which left Dyn’s customers — including the New York Times, Reddit, Tumblr and Twitter — unreachable.

However, DNS servers are not just opportune targets of DDoS attacks. Clever attackers will use DNS servers to make their attacks more effective and to conceal their origins. This is possible for two main reasons: 1) Relatively small DNS queries can elicit large responses, and 2) DNS works over a “connectionless” protocol that’s easily spoofed.

Let’s discuss the first issue: DNS queries are generally small (less than 100 bytes long). However, they can generate much larger responses (4,000 bytes or more). This is what we refer to as amplification. In this case, the amplification factor is 4,000 bytes/100 bytes, or 40x.

Amplification wouldn’t be a problem if DNS responses were always sent back to the source of the query. However, DNS’s use of the User Datagram Protocol (UDP) makes it easy to spoof queries — that is, to send queries that look as though they came from another address. UDP is connectionless: Each UDP “datagram” is independent, like a postcard sent through the postal service rather than a text message in a stream of such messages. All an attacker needs to do is to use the address of his target as the source address in the packet that contains a DNS query — like writing a bogus return address on a postcard — and the DNS server will send the reply to the target rather than the real source of the query.

This makes it easy to enlist DNS servers as unwitting accomplices in a DDoS attack. An attacker can use a botnet to generate a high volume of queries to well-connected DNS servers on the internet, spoofing the source address of their target, and the DNS servers amplify the query traffic into a larger volume of response traffic. Moreover, the traffic that arrives at the target comes from the DNS servers rather than the attacker, making it difficult to trace the attack back to its origin.

Thankfully, there are several mechanisms that can help DNS servers defend against DDoS attacks. One is “anycast,” a configuration technique that lets a distributed group of DNS servers share a single address. The internet’s routing infrastructure directs queries sent to that address to the closest DNS server in the anycast group. This is efficient, of course, but it also implies that an attack launched from one part of the internet can only reach a single DNS server in an anycast group at any time. For example, a DDoS attack using a botnet based in China and targeting the anycast address used by a group of DNS servers would find all of its traffic directed to the closest DNS server in the anycast group. As a result, many organizations, including most DNS hosting companies, use anycast to make their DNS infrastructures resistant to DDoS attacks.

Newer DNS servers also incorporate a mechanism called Response Rate Limiting (RRL) to prevent their use as amplifiers in DDoS attacks. RRL limits the rate at which a particular response is sent to the source of a query. For example, if a DNS server receives too many queries for the same records from the same address, it will throttle responses to that address. If the source of the queries is legitimate, this won’t cause a problem: it will have cached the response, making duplicate responses unnecessary. But if the queries are spoofed and the DNS server is being used as an amplifier, this will limit the amplification and therefore the damage it can do.
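The amplification arithmetic and the RRL throttling described above, as an added Python illustration that is not part of the original article: a simplified per-source, per-response rate limiter run over constructed traffic (one legitimate resolver plus a spoofed flood carrying a victim's address). The 100-byte query and 4,000-byte response sizes come from the article; the 5-responses-per-second limit, the 1-second window and the "slip" (truncated reply) behaviour, modelled loosely on BIND's RRL, are assumed parameters.

```python
"""Simplified model of DNS Response Rate Limiting (RRL) over constructed traffic.

Added illustration, not code from the article. Sizes follow the article
(~100-byte query, ~4,000-byte response); limiter parameters are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

QUERY_BYTES = 100       # typical query size cited in the article
RESPONSE_BYTES = 4000   # large response size cited in the article


def amplification_factor(query_bytes, response_bytes):
    """Bytes delivered to the victim per byte the attacker had to send."""
    return response_bytes / query_bytes


@dataclass(frozen=True)
class Query:
    ts: float      # arrival time in seconds
    src_ip: str    # source address on the wire; spoofed in a reflection attack
    qname: str
    qtype: str


class ResponseRateLimiter:
    """RRL keyed on (source /24, response identity).

    Assumed parameters (not from the article): at most `responses_per_second`
    identical responses per window toward one /24; beyond that, every
    `slip`-th excess query gets a small truncated reply (so a legitimate
    client can retry over TCP) and the rest are silently dropped.
    """

    def __init__(self, responses_per_second=5, window=1.0, slip=2):
        self.rps = responses_per_second
        self.window = window
        self.slip = slip
        self._buckets = defaultdict(lambda: [0.0, 0])   # key -> [window_start, count]
        self._excess = defaultdict(int)                  # key -> excess queries seen

    @staticmethod
    def _key(q):
        prefix = ".".join(q.src_ip.split(".")[:3]) + ".0/24"
        return (prefix, q.qname.lower(), q.qtype.upper())

    def decide(self, q):
        """Return 'send', 'slip' (truncated reply) or 'drop' for one query."""
        key = self._key(q)
        bucket = self._buckets[key]
        if q.ts - bucket[0] >= self.window:      # start a fresh window
            bucket[0], bucket[1] = q.ts, 0
        bucket[1] += 1
        if bucket[1] <= self.rps:
            return "send"
        self._excess[key] += 1
        if self.slip and self._excess[key] % self.slip == 0:
            return "slip"
        return "drop"


def simulate(queries, limiter=None):
    """Bytes the server emits toward each source address, with or without RRL."""
    sent = defaultdict(int)
    for q in sorted(queries, key=lambda x: x.ts):
        verdict = "send" if limiter is None else limiter.decide(q)
        if verdict == "send":
            sent[q.src_ip] += RESPONSE_BYTES
        elif verdict == "slip":
            sent[q.src_ip] += QUERY_BYTES   # truncated reply is roughly query-sized
    return dict(sent)


def build_traffic():
    """Constructed sample: one legitimate resolver and one spoofed flood."""
    names = ["www.example.com", "mail.example.com", "example.com"]
    queries = [Query(0.1 * i, "198.51.100.7", n, "A") for i, n in enumerate(names)]
    # 1,000 identical queries within one second, all carrying the victim's address.
    queries += [Query(0.001 * i, "203.0.113.9", "example.com", "A") for i in range(1000)]
    return queries


def report():
    """Compare bytes reflected toward the spoofed victim with and without RRL."""
    traffic = build_traffic()
    without = simulate(traffic)
    with_rrl = simulate(traffic, ResponseRateLimiter())
    return {
        "amplification": amplification_factor(QUERY_BYTES, RESPONSE_BYTES),
        "victim_bytes_no_rrl": without["203.0.113.9"],
        "victim_bytes_rrl": with_rrl["203.0.113.9"],
        "resolver_bytes_rrl": with_rrl["198.51.100.7"],
    }


if __name__ == "__main__":
    for k, v in report().items():
        print(f"{k}: {v}")
```

With the assumed limits, the victim receives 4,000,000 bytes of reflected responses without RRL but only 69,700 with it, while the legitimate resolver's three distinct lookups are answered in full.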

Companies need to anticipate the possibility that their DNS services could be the target of these attacks. Without DNS, all internet applications and services are unreachable, bringing business to a grinding halt. In fact, recent research from Infoblox found that 24% of companies lost $100,000 or more due to downtime from their last DNS attack. Today, far too many businesses put all their eggs in one basket, relying on a single cloud-based DNS provider, leaving them vulnerable to an attack like we saw on Dyn.


Philippine government starts tracking down North Korean cyber-hackers

Manila: The Philippine government is tracking down North Korean hackers identified as having attacked a government-run cyber-security agency, a senior official said, prompting observers to assess that computer systems nationwide are vulnerable to attacks.

“The Department of Science and Technology (DOST) and its Advanced Science and Technology Institute (ASTI) will launch an investigation on Monday following reports that North Korean hackers have launched cyber-attacks against DOST’s website,” said Department of Information and Communications Technology (DICT) Assistant Secretary Allan Cabanlong.

The DOST and ASTI will jointly examine whether the so-called distributed denial-of-service (DDoS) attacks that shut down websites have entered its cyber-system, said Cabanlong.

“It’s like a teargas or smoke grenade. Once it’s in the website that is under attack — the website shuts off for a specific period, allowing the attacker to send malware to the website in order to control its system,” explained Cabanlong.

The investigation was launched after Quartz, a news site, cited a study that “some North Korean users were conducting research, or possibly even network reconnaissance, on a number of foreign laboratories and research centers,” including India’s Space Research Organization and the Philippines’ DOST, said Cabanlong.

On Saturday, DOST and ASTI had not yet detected the North Korean attackers in the cyber system. “If ever there was, it was not yet reported to us,” said Cabanlong, adding that hackers often target websites of research and academic institutions that are focused on content more than on security features.

The reported DOST hackers could be part of North Korea’s efforts to attack perceived enemies, said Cabanlong.

They could be sympathisers of North Korea which is being pressured by the international community to stop its nuclear missile tests, other observers said.

Last year, DICT directed all banks, government agencies, hospitals, institutions, schools, and telecommunication companies to hire network security administrators and put in place systems that would regularly monitor possible cyber-attacks and breaches.

Looking forward, Cabanlong said DICT will put up its National Cyber-intelligence Centre to expand its capability to protect all computer systems nationwide.

Right now, “DICT is working on band-aid solutions to cyber-attacks; it is limited to oversight function; and it cannot protect all computer systems in the country,” admitted Cabanlong, adding, “No single agency can do it alone. The private sector and multi-government agencies must work together on this campaign.”

The DICT has yet to compile a record of government agencies and private companies in the Philippines that are vulnerable to breaches, other critics said.


Man accused of cyber attacks on Skype and Google appears in court

A man accused of cyber crime offences linked to alleged online attacks targeting Skype and Google has appeared before magistrates in Birmingham.

Alex Bessell faces a total of 11 allegations, including a charge of possessing a quantity of cocaine when he was arrested in September.

The 21-year-old, of Allington Street, Aigburth, Liverpool, spoke only to confirm his personal details during a ten-minute court appearance on Monday.

Prosecutors allege Bessell set up a web business which made more than 700,000 US dollars (£532,000) in sales from IT viruses.

It is also alleged the defendant infected and controlled more than 9,000 “zombie” computers to orchestrate Distributed Denial of Service (DDoS) attacks on firms including Skype, Pokemon and Google in an attempt to crash their online operations.

Bessell, who appeared in the dock dressed in a blue hooded coat, black jeans and trainers, faces two charges of carrying out unauthorised acts to impair the operation of a computer between August 2011 and November 2013.

He is also accused of causing a computer over the same time period to secure unauthorised access to data with intent to facilitate fraud by obtaining 750 passwords.

Further charges brought against Bessell allege that he gave a false address in Milton Keynes to Companies House, and possessed criminal property – namely 129,822 US dollars (£98,000) from selling illegal items – between May 2014 and September 2016.

Bessell was not asked to enter any pleas and was granted unconditional bail to appear at Birmingham Crown Court on November 27.

The charges against him were authorised after an investigation by detectives at the Birmingham-based West Midlands Regional Organised Crime Unit.


DDoS Attacks Cause Train Delays Across Sweden

DDoS attacks on two separate days have brought down several IT systems employed by Sweden’s transport agencies, causing train delays in some cases.

The incidents took place early in the mornings of Wednesday and Thursday, October 11 and 12, this week.

The first attack hit the Sweden Transport Administration (Trafikverket) on Wednesday. According to local press, the attack brought down the IT system that manages train orders. The agency had to stop or delay trains for the time of the attack.

Trafikverket’s email system and website also went down, exacerbating the issue and preventing travelers from making reservations or getting updates on the delays. The agency used Facebook to manage the crisis and keep travelers informed.

Road traffic maps were also affected, an issue that lingers even today, at the time of publishing, according to the agency’s website.

Three Swedish transportation agencies targeted

Speaking to local media, Trafikverket officials said the attack was cleverly aimed at TDC and DGC, the agency’s two service providers, but in such a way as to affect the agency’s services.

Trafikverket was able to restore service in a few hours, but the delays affected the entire day’s train operations.

While some might initially have thought this was a random incident, the next day a similar DDoS attack hit the website of another government agency, the Sweden Transport Agency (Transportstyrelsen), and public transport operator Västtrafik, which provides train, bus, ferry, and tram transport for parts of Western Sweden.

Cyber-warfare implications

In perspective, both incidents give the impression of someone probing various parts of Sweden’s transportation system to see how the country would react in the face of a cyber-attack and downtime.

The DDoS attacks come a week after a report that Russia was testing cyber-weapons in the Baltic Sea region.

In April 2016, Swedish officials blamed Russia for carrying out cyber-attacks on the country’s air traffic control infrastructure that grounded flights for a day in November 2015.


As US launches DDoS attacks, N. Korea gets more bandwidth—from Russia

Fast pipe from Vladivostok gives N. Korea more Internet in face of US cyber operations.

As the US reportedly conducts a denial-of-service attack against North Korea’s access to the Internet, the regime of Kim Jong Un has gained another connection to help a select few North Koreans stay connected to the wider world—thanks to a Russian telecommunications provider. Despite UN sanctions and US unilateral moves to punish companies that do business with the Democratic People’s Republic of Korea, 38 North’s Martyn Williams reports that Russian telecommunications provider TransTelekom (ТрансТелеКо́m) began routing North Korean Internet traffic at 5:30pm Pyongyang time on Sunday.

The connection, Williams reported, offers a second route for traffic from North Korea’s Byol (“Star”) Internet service provider, which also runs North Korea’s cellular phone network. Byol offers foreigners in North Korea 1Mbps Internet access for €600 (US$660) a month (with no data caps).

Up until now, all Byol’s traffic passed through a single link provided by China Unicom. But the new connection uses a telecommunications cable link that passes over the Friendship Bridge railway bridge—the only connection between North Korea and Russia. According to Dyn Research data, the new connection is now providing more than half of the route requests to North Korea’s networks. TransTelekom (sometimes spelled TransTeleComm) is owned by Russia’s railroad operator, Russian Railways.

A Dyn Research chart showing the new routing data for North Korea's ISP.

According to a Washington Post report, the Department of Defense’s US Cyber Command had specifically targeted North Korea’s Reconnaissance General Bureau—the country’s primary intelligence agency—with a denial-of-service attack against the organization’s network infrastructure. That attack was supposed to end on Saturday, according to a White House official who spoke with the Post.

While the unnamed official said the attack specifically targeted North Korea’s own hacking operations, North Korea has previously run those operations from outside its borders—from China. So it’s not clear whether the attack would have had any impact on ongoing North Korean cyberespionage operations.


How Artificial Intelligence Will Make Cyber Criminals More ‘Efficient’

The era of artificial intelligence is upon us, though there’s plenty of debate over how AI should be defined much less whether we should start worrying about an apocalyptic robot uprising. The latter issue recently ignited a highly publicized dispute between Elon Musk and Mark Zuckerberg, who argued that it was irresponsible to “try to drum up these doomsday scenarios”.

In the near-term however, it seems more than likely that AI will be weaponized by hackers in criminal organizations and governments to enhance now-familiar forms of cyberattacks like identity theft and DDoS attacks.

A recent survey has found that a majority of cybersecurity professionals believe that artificial intelligence will be used to power cyberattacks in the coming year. Cybersecurity firm Cylance conducted the survey at this year’s Black Hat USA conference and found that 62 percent of respondents believe that “there is high possibility that AI could be used by hackers for offensive purposes.”

Artificial intelligence can be used to automate elements of cyber attacks, making it even easier for human hackers (who need food and sleep) to conduct a higher rate of attacks with greater efficacy, writes Jeremy Straub, an assistant professor of computer science at North Dakota State University who has studied AI decision-making. For example, Straub notes that AI could be used to gather and organize databases of personal information needed to launch spearphishing attacks, reducing the workload for cybercriminals. Eventually, AI may result in more adaptive and resilient attacks that respond to the efforts of security professionals and seek out new vulnerabilities without human input.

Rudimentary forms of AI, like automation, have already been used to perpetrate cyber attacks at a massive scale, like last October’s DDoS attack that shut down large swathes of the internet.

“Hackers have been using artificial intelligence as a weapon for quite some time,” said Brian Wallace, Cylance Lead Security Data Scientist, to Gizmodo. “It makes total sense because hackers have a problem of scale, trying to attack as many people as they can, hitting as many targets as possible, and all the while trying to reduce risks to themselves. Artificial intelligence, and machine learning in particular, are perfect tools to be using on their end.”

The flip side of these predictions is that, even as AI is used by malicious actors and nation-states to generate a greater number of attacks, AI will likely prove to be the best hope for countering the next generation of cyber attacks. The implication is that security professionals need to keep up in their arms race with hackers, staying apprised of the latest and most advanced attacker tactics and creating smarter solutions in response.

For the time being, however, cyber security professionals have observed hackers sticking to tried-and-true methods.

“I don’t think AI has quite yet become a standard part of the toolbox of the bad guys,” Staffan Truvé, CEO of the Swedish Institute of Computer Science said to Gizmodo. “I think the reason we haven’t seen more ‘AI’ in attacks already is that the traditional methods still work—if you get what you need from a good old fashioned brute force approach then why take the time and money to switch to something new?”


America’s Cardroom, WPN Hit by DDoS Attack Again

It had been a while, but America’s Cardroom seemed due for another cyber attack. Yup, leading into the Labor Day weekend, ACR and its network, the Winning Poker Network, were hit with a Distributed Denial of Service (DDoS) attack, something that is unfortunately not a unique event for either the online poker room or the network.

The attack began Thursday evening, affecting, among many other games, ACR’s Online Super Series (OSS) Cub3d. Problems continued all the way through Saturday.

America’s Cardroom initially tweeted about the issues at about quarter after eight Thursday night, writing, “We are currently experiencing a DDOS attack, all running tournaments have been paused. Will keep you updated.”

A half hour later, ACR announced that it was cancelling all tournaments in progress and providing refunds per the site’s terms and conditions. At about 9:00pm, the site was back up, but the DDoS attacks continued, causing poker client interruptions less than two and a half hours later. Problems continued well into Friday morning until ACR and WPN finally got things under control (temporarily) close to noon.

The pattern continued that evening, with games going down after 6:00pm Friday and then resuming, and going down again after 7:00pm. Finally, around noon Saturday, ACR’s techs seemed to get a handle on things “for good.”

In a Distributed Denial of Service attack, the attacker (or attackers) floods a server with millions of communications requests at once. It’s not a virus or a hack or anything malicious like that, but the communications overwhelm the server and grind it to a halt. Think of it like the traffic jam to end all traffic jams.

It wouldn’t be THAT big of a deal if the attack was coming from one source, but since it is “distributed,” the attacker arranges it so that it originates from literally millions of IP addresses. It makes defending one’s network insanely difficult. To use another brilliant illustration, if you are trapped in a house and a zombie horde is coming for your juicy brains, it’s scary and awful, but if all the zombies decide to come in through the front door, you can probably handle it if properly equipped. If they surround you and just crash in through every door, window, and mouse hole like in Night of the Living Dead, might as well develop a taste for human flesh because you’re screwed.

As with other DDoS attacks, the network was contacted by the aggressor, who demanded a ransom of some sort. WPN CEO Phil Nagy went on Twitch and said he refused to cave to any demands. He even posted a brief series of messages from the attacker, who said he was doing it on behalf of a competing poker room (all spelling mistakes and whatnot are his):

this is my job
anouther site give me money
for doos you
and i ddos you
this is my job

Nagy said he hoped that by making it public that another site may be responsible for the DDoS attack, someone would get nervous about being caught and the attacks would subside.

WPN first experienced a major DDoS attack in December 2014, during its Million Dollar Sunday tournament, when it caused disconnections, lag, and registration problems. It happened again in September 2015 and again in October 2015.

The network will be re-running many of the tournaments, including the OSS and MOSS, and will cut the buy-in of the million dollar guaranteed OSS tourney in half as well as add an extra Sunday Million.


What is Pulse Wave? Hackers devise new DDoS attack technique aimed at boosting scale of assaults

The new attack method allows hackers to shut down targets’ networks for longer periods while simultaneously conducting attacks on multiple targets.

Hackers have begun launching a new kind of DDoS attack designed to boost the scale of attacks by targeting soft spots in traditional DDoS mitigation tactics. Dubbed “Pulse Wave”, the new attack technique allows hackers to shut down targeted organisations’ networks for prolonged periods while simultaneously conducting attacks on multiple targets.

The new attacks may render traditional DDoS mitigation tactics useless, experts say. Some of the pulse wave DDoS attacks detected lasted for days and “scaled as high as 350 Gbps”, according to security researchers at Imperva, who first spotted the new threat.

“Comprised of a series of short-lived pulses occurring in clockwork-like succession, pulse wave assaults accounted for some of the most ferocious DDoS attacks we mitigated in the second quarter of 2017,” Imperva researchers said in a report.

The researchers said they believe that the pulse wave technique was “purposefully designed” by “skilled bad actors” to boost hackers’ attack scale and output by taking advantage of “soft spots in hybrid ‘appliance first, cloud second’ mitigation solutions.”

Traditional DDoS attacks involve a continuous barrage of assaults against a targeted network, while pulse wave involves short bursts of attacks that have a “highly repetitive pattern, consisting of one or more pulses every 10 minutes”. The new attacks last for at least an hour and can extend to even days. A single pulse is large and powerful enough to completely congest a network.

“The most distinguishable aspect of pulse wave assaults is the absence of a ramp-up period — all attack resources are committed at once, resulting in an event that, within the first few seconds, reaches a peak capacity that is maintained over its duration,” the Imperva researchers said.

Pulse wave takes advantage of appliance-first hybrid mitigation solutions by preying on the “Achilles’ heel of appliance-first mitigation solutions”: the devices’ inability to cope with sudden, powerful surges of attack traffic.
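The two traits the article attributes to pulse wave attacks, a peak reached within seconds rather than after a ramp-up and pulses recurring at a clockwork-like interval such as every 10 minutes, are exactly what a defender can look for in bandwidth telemetry. The following detector is an added example, not Imperva's code or data; the telemetry it runs on is constructed inline, and the thresholds (baseline, allowed ramp-up, period tolerance) are assumptions a real deployment would tune.

```python
"""Flag the pulse-wave DDoS signature in bandwidth telemetry (added example).

Telemetry is a list of (t_seconds, gbps) samples at a fixed cadence. A pulse is
any run of samples at or above a baseline; the pattern is flagged when several
pulses each reach ~peak almost instantly and start at a near-constant spacing.
"""
from dataclasses import dataclass


@dataclass
class Pulse:
    start: int          # seconds since the first sample
    peak_gbps: float
    ramp_up_s: int      # seconds from pulse start to first sample >= 90% of peak


def find_pulses(samples, baseline_gbps):
    """Split samples into pulses: contiguous runs at or above baseline_gbps."""
    pulses, run = [], []
    for t, gbps in samples:
        if gbps >= baseline_gbps:
            run.append((t, gbps))
        elif run:
            pulses.append(_summarise(run))
            run = []
    if run:
        pulses.append(_summarise(run))
    return pulses


def _summarise(run):
    start, peak = run[0][0], max(g for _, g in run)
    near_peak_t = next(t for t, g in run if g * 10 >= peak * 9)   # >= 90% of peak
    return Pulse(start, peak, near_peak_t - start)


def is_pulse_wave(pulses, period_s=600, tolerance_s=60, max_ramp_s=10, min_pulses=3):
    """True when every pulse peaks within max_ramp_s and starts are period_s apart."""
    if len(pulses) < min_pulses or any(p.ramp_up_s > max_ramp_s for p in pulses):
        return False
    gaps = [b.start - a.start for a, b in zip(pulses, pulses[1:])]
    return all(abs(g - period_s) <= tolerance_s for g in gaps)


def constructed_telemetry(cadence_s=5, duration_s=2100, period_s=600,
                          pulse_len_s=60, pulse_gbps=300.0, idle_gbps=2.0, ramp_s=0):
    """Constructed sample data: one pulse every period_s; ramp_s=0 means the
    pulse hits full strength in the first sample, ramp_s>0 models a gradual climb."""
    out = []
    for t in range(0, duration_s, cadence_s):
        offset = t % period_s
        if offset >= pulse_len_s:
            out.append((t, idle_gbps))
        elif ramp_s:
            out.append((t, min(pulse_gbps, pulse_gbps * (offset + cadence_s) / ramp_s)))
        else:
            out.append((t, pulse_gbps))
    return out
```

Running `is_pulse_wave(find_pulses(constructed_telemetry(), 10.0))` flags the instant-on, 10-minute-spaced series, while the same series generated with `ramp_s=120` is not flagged because each burst climbs for tens of seconds before peaking.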

The Imperva researchers said the emergence of pulse wave DDoS attacks indicates a significant shift in the attack landscape. “While pulse wave attacks constitute a new attack method and have a distinct purpose, they haven’t emerged in a vacuum. Instead, they’re a product of the times and should be viewed in the context of a broader shift toward shorter-duration DDoS attacks,” researchers said.

The Imperva researchers predicted that such attacks will continue, becoming more persistent and growing, boosted via botnets.
