82% of security pros fear hackers using AI to attack their company

Artificial intelligence (AI) is poised to impact every industry in the near future—including the lucrative business of malicious hacking and the cybersecurity industry working to defend against those attacks.

Enterprise IT and security professionals recognize AI’s potential in cybersecurity, according to a new report from Neustar: 87% of the 301 senior technology and security workers surveyed agreed that AI will make a difference in their company’s defenses. However, 82% said they are also afraid of attackers using AI against their company, the report found.

In a cyberattack, IT and security professionals said they most fear stolen company data (50%), loss of customer trust (19%), unstable business performance (16%), and the cost implications (16%).

Despite the risks, 59% of security pros said they remain apprehensive about adopting AI for security purposes, the report found.

“Artificial intelligence has been a major topic of discussion in recent times – with good reason,” Rodney Joffe, head of the the Neustar International Security Council and Neustar senior vice president and fellow, said in a press release. “There is immense opportunity available, but as we’ve seen today with this data, we’re at a crossroads. Organizations know the benefits, but they are also aware that today’s attackers have unique capabilities to cause destruction with that same technology. As a result, they’ve come to a point where they’re unsure if AI is a friend or foe.”

In terms of threats, security professionals said they were most concerned about DDoS attacks (22%), system compromise (20%), and ransomware (15%). Nearly half of organizations surveyed (46%) said they had been on the receiving end of a DDoS attack in Q3 2018, a higher proportion than in years past, the report found.

“What we do know is that IT leaders are confident in AI’s ability to make a significant difference in their defenses,” Joffe said in the release. “So what’s needed now is for security teams to prioritize education around AI, not only to ensure that the most efficient security strategies have been implemented, but to give organizations the opportunity to embrace – and not fear – this technology.”

The big takeaways for tech leaders:

  • 82% of security professionals said they are afraid of attackers using AI in cyberattacks against their company. — Neustar, 2018
  • Security professionals said they were most concerned about DDoS attacks (22%), system compromise (20%), and ransomware (15%). — Neustar, 2018

Source:https://www.techrepublic.com/article/82-of-security-pros-fear-hackers-using-ai-to-attack-their-company/

  • 0

Are you using Hadoop for data analytics? If so, know that a new bot is targeting Hadoop clusters with the intention of performing DDoS attacks powered by the strength of cloud infrastructure servers. Hadoop is an open source distributed processing framework that manages storage and data processing for big data applications running in clustered systems.

Radware Threat Research Center is monitoring and tracking a malicious agent that is leveraging a Hadoop YARN unauthenticated remote command execution in order to infect Hadoop clusters with an unsophisticated new bot that identifies itself as DemonBot.

DemonBot spreads only via central servers and does not expose worm-like behavior exhibited by Mirai based bots. As of today, Radware is tracking over 70 active exploit servers that are actively spreading DemonBot and are exploiting servers at an aggregated rate of over 1 Million exploits per day. Note that though we did not find any evidence that DemonBot is actively targeting IoT devices at this time, Demonbot is not limited to x86 Hadoop servers and is binary compatible with most known IoT devices, following the Mirai build principles.

It is not the first time that cloud infrastructure servers have been targeted. Earlier this month Security Researcher Ankit Anubhav discovered a hacker leveraging the same Hadoop Yarn bug in a Sora botnet variant. Hadoop clusters typically are very capable and stable platforms and can individually account for much larger volumes of DDoS traffic compared to IoT devices. The DDoS attack vectors supported by DemonBot are UDP and TCP floods.

Hadoop YARN Exploits

Radware Research has been tracking malicious actors exploiting a Hadoop YARN unauthenticated remote command execution for which proof of concept code was first published here in March of this year. YARN, Yet Another Resource Negotiator, is a prerequisite for Enterprise Hadoop and provides cluster resource management allowing multiple data processing engines to handle data stored in a single platform. YARN exposes a REST API which allows remote applications to submit new applications to the cluster. The exploit requires two steps:

  • Request an application-id using POST to URI http://x.x.x.x:8088/ws/v1/cluster/apps/new-application
  • Use the ‘application-id’ from the response in step 1 and submit a new task to the cluster manager using the POST method to URI http://x.x.x.x:8088/ws/v1/cluster/apps and with the body containing the following JSON encoded data structure:

Our deception network recorded repeated attempts for /ws/v1/cluster/apps/new-application, slowly starting end of September and growing to over 1 million attempts per day for most of October.

The number of unique IPs from where the requests originated grew from a few servers to over 70 servers this week.

Older exploits from servers that are offline by now were referencing a well-known Mirai variant Owari, infamous because of the weak password used by the hackers for securing their command and control database:

More recently, however, we found Owari to be replaced by a new bot:

This new ‘bash’ binary was added to the server on Sunday Oct 21st. The same server also hosts the typical shell script we came to expect from multiplatform IoT malwares:

While the botnet comes with all the typical indicators of Yet-Another-Mirai-Botnet, a closer look at the binaries revealed to be different enough to continue the investigation.

DemonBot v1 – © Self-Rep-NeTiS

The reversing of the unstripped ‘bash’ binary revealed some unfamiliar function names and an atypical string which provided a unique fingerprint for the botnet code:

Searching through pastebin archives soon revealed a unique match on a document that was pasted on Sept 29th by an actor going by the alias of Self-Rep-NeTiS. The paste contained the full source code for a botnet which the actor dubbed ‘DemonBot’. Further searches through the archives revealed the source code for the Command and Control server DemonCNC and the Python Build script for the multi-platform bots.

Both DemonBot.c and DemonCNC.c had an identical signature:

DemonCNC

The DemonBot Command and Control service is a self-contained C program that is supposed to run on a central command and control server and it provides two services:

  • A bot command and control listener service – allowing bots to register and listen for new commands form the C2
  • A remote access CLI allowing botnet admins and potential ‘customers’ to control the activity of the botnet

Starting the C2 service requires 3 arguments: a bot listener port, the number of threads and a port for the remote access CLI.

Credentials for remote users are stored in a plain text file ‘login.txt’ in the format “username password” using one line per credential pair.

Upon connecting to the remote access CLI (port 8025 in our demo setup) using telnet, the botnet greets us and asks for a username followed by a password prompt. If the provided credentials match one of the lines in the login.txt file, the user is given access to the bot control interface.

The HELP command reveals the botnet commands which will be discussed below in the section about DemonBot itself.

DemonBot

DemonBot is the program that is supposed to be running on infected servers and will connect into the command and control server and listens for new commands.

When a new DemonBot is started, it connects to the C2 server which is hardcoded with IP and port. If no port was specified for the C2 server the default port 6982 is used. The C2 connection is plain text TCP.

Once successfully connected, DemonBot sends information about the infected device to the C2 server in the format:

Bot_ip

The public IP address of the device or server infected with DemonBot:

Port

Either 22 or 23 depending on the availability of python or perl and telnetd on the device/server:

Build

“Python Device”, “Perl Device”, “Telnet Device” or “Unknown” depending on the availability of a Python or Perl interpreter on the device server:

Arch

The architecture, determined at build time and depending on the executing binary on the compromised platform – supported values for Arch are: x86_64 | x86_32 | Arm4 | Arm5 | Arm6 | Arm7 | Mips | Mipsel | Sh4 (SuperH) | Ppc (PowerPC) | spc (Sparc) | M68k | Arc

OS

Limited identification of the host OS running the bot based on package installer configuration files. Value is either “Debian Based Device”, “REHL Based Device” or “Unknown OS”

Malicious payloads

The bot supports the following commands:

If multiple IPs are passed in the argument in a comma-separated list, an individual attack process is forked for each IP.

The <spoofit> argument works as a netmask. If spoofit is set to 32, there is no spoofing of the bot’s source IP. If spoofit is set to a number less than 32, a random IP is generated within the bot_ip/<spoofit> network every <pollinterval> packets:

Fixed payload used by the STD UDP attack:

IOC

8805830c7d28707123f96cf458c1aa41  wget
1bd637c0444328563c995d6497e2d5be  tftp
a89f377fcb66b88166987ae1ab82ca61  sshd
8b0b5a6ee30def363712e32b0878a7cb  sh
86741291adc03a7d6ff3413617db73f5  pftp
3e6d58bd8f10a6320185743d6d010c4f  openssh
fc4a4608009cc24a757824ff56fd8b91  ntpd
d80d081c40be94937a164c791b660b1f  ftp
b878de32a9142c19f1fface9a8d588fb  cron
46a255e78d6bd3e97456b98aa4ea0228  bash
53f6451a939f9f744ab689168cc1e21a  apache2
41edaeb0b52c5c7c835c4196d5fd7123  [cpu]

Source:https://securityboulevard.com/2018/10/new-demonbot-discovered/

  • 0

Travel staff are the weakest link in cybersecurity, says expert

Travel industry staff are the “weakest link” in the fight against cybercrime, a security expert has warned.

Cyber consultant Bruce Wynn said cybercrime attacks risked bringing down entire businesses.

He was speaking at the launch of anti-fraud group Profit’s Secure Our Systems campaign, backed by Travel Weekly.

Wynn, who has 40 years’ cybersecurity experience and is one of several experts supporting the seven-week campaign, which aims to give the industry the tools to fight cybercrime, said: “The weakest link in any cybersecurity chain is the thing that fills the space between the keyboard and the floor.”

There was a 92% rise in the number of cyberattack reports made to Action Fraud between January 2016 and September 2018, from 1,140 to 2,190, according to The City of London Police’s National Fraud Intelligence Bureau. Reports of hacking, in which fraudsters gain unauthorised access to data, saw the biggest increase, up 110%.

Wynn believes all travel firms will have experienced cyberattacks but some may not know it.

“You need to have planned well ahead for what you will do when you do discover you’ve been attacked, including how to recover from some of the damage that will have been caused,” he said.

He said a ransomware attack, for example, could be “catastrophic” as a company could lose all data without an adequate data recovery plan. It could also face a GDPR fine.

“It will cost you big time if criminals get into your system and even just corrupt your information to the point you can no longer do business confidently,” he warned.

Other threats include cloned websites, impersonating chief executives and insider fraud, with criminals using techniques such as phishing and hacking to get into companies’ computer systems to steal money or information.

Wynn said one of the most productive attacks is spear phishing, which targets an individual for sensitive or confidential information and often relies on the vulnerability of the person involved.

“The bad guys are going to get in and they will do damage,” he said. “Who are your staff going to call? Your troops need to know how to detect something suspicious, and what to do.

“Computer technicians can try to ‘backstop’ some of it, but staff need to be educated and trained and get a professional to assess how their business can best manage its risk in terms of cybercrime as part of its wider risk assessments.”

At the very minimum all companies should have up-to-date systems in place with anti-virus and anti-fraud software and back-up programs that are regularly tested to ensure any data lost can be recovered.

Wynn believes 80% of attacks can be mitigated at “almost zero cost” to businesses. “Thirty minutes now [on planning] could save lots of money, embarrassment, legal costs and even your business, later on,” he said.

Wynn recommended free resource Cyber Essentials, at cyberessentials.ncsc.gov.uk. The government-backed scheme offers guidelines on self-assessment and access to professional advice on cyber security.

What are the cyber threats?

Here are some common terms for malicious technology and fraudulent activity.

DDoS attack – a distributed denial-of-service attack is where multiple computers flood a server, website or network with unwanted traffic to make it unavailable to its intended users temporarily or indefinitely.

Ransomware – a type of malicious software (malware), usually deployed through spam or phishing, designed to block access to a computer system, typically by encryption, until a sum of money is paid. It can be spread through email attachments, infected software apps, compromised websites and infected external storage devices. Famous examples include the WannaCry attack last year.

Rootkits – a set of software tools that enable an unauthorised user to take over a computer system without detection.

Trojan – type of malicious software often disguised as a legitimate app, image, or program. Typically users are tricked into loading and putting Trojans on their systems.

Viruses – a piece of computer code capable of copying itself, normally deployed through a spam or phishing attack that typically has a detrimental effect, such as corrupting the system, stealing, or destroying data.

Worms – self-replicating malware that duplicates itself to spread to uninfected computers.

CEO fraud – a senior executive in a company is impersonated to divert payments for products and services to a fraudulent bank account. Typically the fraud will target the company’s finance department via email or over the telephone.

Account takeover fraud – a form of identity theft in which the fraudster accesses the victim’s bank or credit card accounts through a data breach, malware or phishing, to make unauthorized transactions.

Insider fraud – when an employee uses his or her position in an organization to steal money or information to threaten security

Cloned websites – when a fraudster copies or modifies an existing website design or script to create a new site in order to steal money.

Phishing – when emails purport to be from reputable companies to induce individuals to reveal personal information, such as passwords and credit card numbers.

Spearphishing – email scam targeted to one specific individual, organisation or business often to steal sensitive information for malicious purposes. These purport to be from someone you know and use your name.

SMiShing (or SMS phishing) – type of phishing attack where mobile phone users receive text messages with a website hyperlink which, if clicked on, will download a Trojan horse (malicious software) to the phone.

Hacking – unauthorised intrusion into a computer or network.

Bot– a computer infected with software that allows it to be controlled by a remote attacker. This term is also used to refer to the malware itself.

Exploit kit – code used to take advantage of vulnerabilities in software code and configuration, usually to install malware. This is why software must be kept updated.

Keylogger – a program that logs user input from the keyboard, usually without the user’s knowledge or permission, often using memory sticks on laptop ports.

Man-in-the-Middle Attack – similar to eavesdropping, this is where criminals use software to intercept communication between you and another person you are emailing, for example when you are using third-party wi-fi in a café or on a train.

Source: http://www.travelweekly.co.uk/articles/314616/travel-staff-are-the-weakest-link-in-cybersecurity-says-expert

  • 0

The FBI Is Investigating More Cyberattacks in a California Congressional Race

The hacks — first reported by Rolling Stone — targeted a Democratic candidate in one of the country’s most competitive primary races

WASHINGTON — The FBI has opened an investigation into cyberattacks that targeted a Democratic candidate in a highly competitive congressional primary in southern California.

As Rolling Stone first reported in September, Democrat Bryan Caforio was the victim of what cybersecurity experts believe were distributed denial of service, or DDoS, attacks. The hacks crashed his campaign website on four separate occasions over a five-week span, including several hours before the biggest debate of the primary race and a week before the election itself, according to emails and other forensic data reviewed by Rolling Stone. They were the first reported instances of DDoS attacks on a congressional candidate in 2018.
Caforio was running in the 25th congressional district represented by Republican Rep. Steve Knight, a vulnerable incumbent and a top target of the Democratic Party. Caforio ultimately finished third in the June primary, failing to move on to the general election by several thousand votes.

“I’m glad the FBI has now launched an investigation into the hack,” Caforio tells Rolling Stone in a statement. “These attacks put our democracy at risk, and they’ll keep happening until we take them seriously and start to punish those responsible.”

It was unclear from the campaign’s data who launched the attacks. But in early October, a few weeks after Rolling Stone’s report, Caforio says an FBI special agent based in southern California contacted one of his former campaign staffers about the DDoS attacks. The FBI has since spoken with several people who worked on the campaign, requested forensic data in connection with the attacks and tasked several specialists with investigating what happened, according to a source close to the campaign.

According to the source, the FBI has expressed interest in several details of the DDoS attacks. The bureau asked about data showing that servers run by Amazon Web Services, the tech arm of the online retail giant, appear to have been used to carry out the attacks. The FBI employees also seemed to focus on the last of the four attacks on Caforio’s website, the one that came a week before the primary election.

An FBI spokeswoman declined to comment for this story.

A DDoS attack occurs when a flood of online traffic coming from multiple sources intentionally overwhelms a website and cripples it. The cybersecurity company Cloudflare compares DDoS to “a traffic jam clogging up a highway, preventing regular traffic from arriving at its desired destination.” Such attacks are becoming more common in American elections and civic life, according to experts who monitor and study cyberattacks. “DDoS attacks are being used to silence political speech and voters’ access to the information they need,” George Conard, a product manager at Jigsaw, a Google spin-off organization, wrote in May. “Political parties, campaigns and organizations are a growing target.”

Matthew Prince, the CEO of Cloudflare, told Rolling Stone last month that his company had noticed an increase in such attacks after 2016 and the successful Russian operations on U.S. soil.

“Our thesis is that, prior to 2016, U.S.-style democracy was seen as the shining city on the hill. The same things you could do to undermine a developing democracy wouldn’t work here,” Prince says. “But after 2016, the bloom’s off the rose.”

The FBI has since created a foreign influence task force to combat future efforts to interfere and disrupt U.S. elections.

Southern California, in particular, has seen multiple cyberattacks on Democratic congressional candidates during the 2018 midterms. Rolling Stone reported that Hans Keirstead, a Democratic candidate who had challenged Rep. Dana Rohrabacher (R-CA), widely seen as the most pro-Russia and pro-Putin member of Congress, had been the victim of multiple hacking efforts, including a successful spear-phishing attempt on his private email account that resembled the 2016 hack of John Podesta, Hillary Clinton’s campaign chairman. Hackers also reportedly broke into the campaign computer of Dave Min, another Democratic challenger in a different southern California district, prompting the FBI to open an investigation.

On Friday, the nation’s four top law enforcement and national security agencies — the FBI, Justice Department, Department of Homeland Security and the Office of the Director of National Intelligence — released a joint statement saying there were “ongoing campaigns by Russia, China and other foreign actors, including Iran” that include interference in the 2018 and 2020 elections. Cybersecurity experts and political consultants say there are many reports of hacking attempts on 2018 campaigns that have not been publicized. But the proximity of the attacks is significant because Democrats have a greater chance of taking back the House of Representatives if they can flip multiple seats in Southern California.

Source: https://www.rollingstone.com/politics/politics-news/california-congressional-race-hack-745519/

  • 0

Cybercrime-as-a-Service: No End in Sight

Cybercrime is easy and rewarding, making it a perfect arena for criminals everywhere.

Over the past 20 years, cybercrime has become a mature industry estimated to produce more than $1 trillion in annual revenues. From products like exploit kits and custom malware to services like botnet rentals and ransomware distribution, the breadth of cybercrime offerings has never been greater. The result: more, and more serious, forms of cybercrime. New tools and platforms are more accessible than ever before to those who lack advanced technical skills, enabling scores of new actors to hop aboard the cybercrime bandwagon. Meanwhile, more experienced criminals can develop more specialized skills in the knowledge that they can locate others on the darknet who can complement their services and work together with them to come up with new and better criminal tools and techniques.

Line Between Illicit and Legitimate E-Commerce Is Blurring
The cybercrime ecosystem has evolved to welcome both new actors and new scrutiny. The threat of prosecution has pushed most cybercrime activities onto the darknet, where the anonymity of Tor and Bitcoin protects the bad guys from being easily identified. Trust is rare in these communities, so some markets are implementing escrow payments to make high-risk transactions easier; some sellers even offer support services and money-back guarantees on their work and products.

The markets have also become fractured, as the pro criminals restrict themselves to highly selective discussion boards to limit the threat from police and fraudsters. Nevertheless, a burgeoning cybercrime market has sprung from these hidden places to offer everything from product development to technical support, distribution, quality assurance, and even help desks.

Many cybercriminals rely on the Tor network to stay hidden. Tor — The Onion Router — allows users to cruise the Internet anonymously by encrypting their activities and then routing it through multiple random relays on its way to its destination. This circuitous process renders it nearly impossible for law enforcement to track users or determine the identities of visitors to certain black-market sites.

From Niche to Mass Market
In 2015, the UK National Cyber Crime Unit’s deputy director stated during a panel discussion that investigators believed that the bulk of the cybercrime-as-a-service economy was based on the efforts of only 100 to 200 people who profit handsomely from their involvement. Carbon Black’s research discovered that the darknet’s marketplace for ransomware is growing at a staggering 2,500% per annum, and that some of the criminals can generate over $100,000 a year selling ransomware kits alone. That’s more than twice the annual salary of a software developer in Eastern Europe, where many of these criminals operate.

There are plenty of ways for a cybercriminal to rake in the cash without ever perpetrating “traditional” cybercrime like financial fraud or identity theft. The first way is something called research-as-a-service, where individuals work to provide the “raw materials” — such as selling knowledge of system vulnerabilities to malware developers — for future criminal activities. The sale of software exploits has captured much attention recently, as the ShadowBrokers and other groups have introduced controversial subscription programs that give clients access to unpatched system vulnerabilities.

Zero-Day Exploits, Ransomware, and DDoS Extortion Are Bestsellers
The number of discovered zero-day exploits — weaknesses in code that had been previously undetected by the product’s vendor — has dropped steadily since 2014, according to Symantec’s 2018 Internet Security Threat Report, thanks in part to an increase in “bug bounty” programs that encourage and incentivize the legal disclosure of vulnerabilities. In turn, this has led to an increase in price for the vulnerabilities that do get discovered, with some of the most valuable being sold for more than $100,000 in one of the many darknet marketplaces catering to exploit sales, as highlighted in related a blog post on TechRepublic. Other cybercrime actors sell email databases to simplify future cybercrime campaigns, as was the case in 2016 when 3 billion Yahoo accounts were sold to a handful of spammers for $300,000 each.

Exploit kits are another popular product on the darknet. They provide inexperienced cybercriminals with the tools they need to break into a wide range of systems. However, Europol suggests that the popularity of exploit kits has fallen over the past 12 months as the top products have been eliminated and their replacements have failed to offer a comparable sophistication or popularity. Europol also notes that theft through malware was generally becoming less of a threat; instead, today’s cybercriminals prefer ransomware and distributed denial-of-service (DDoS) extortion, which are easier to monetize.

Cybercrime Infrastructure-as-a-Service
The third way hackers can profit from more sophisticated cybercrime is by providing cybercrime infrastructure-as-a-service. Those in this field are provide the services and infrastructure — including bulletproof hosting and botnet rentals — on which other bad actors rely to do their dirty work. The former helps cybercriminals to put web pages and servers on the Internet without having to worry about takedowns by law enforcement. And cybercriminals can pay for botnet rentals that give them temporary access to a network of infected computers they can use for spam distribution or DDoS attacks, for example.

Researchers estimate that a $60-a-day botnet can cause up to $720,000 in damages on victim organizations. The numbers for hackers who control the botnets are also big: the bad guys can produce significant profit margins when they rent their services out to other criminals, as highlighted in a related post.

The New Reality
Digital services are often the backbone of small and large organizations alike. Whether it’s a small online shop or a behemoth operating a global digital platform, if services are slow or down for hours, the company’s revenue and reputation may be on the line. In the old days, word of mouth circulated slowly, but today bad news can reach millions of people instantly. Using botnets for DDoS attacks is a moneymaker for cybercriminals who extort money from website proprietors by threatening an attack that would destroy their services.

The danger posed by Internet of Things (IoT) botnets was shown in 2016 when the massive Mirai IoT botnet attacked the domain name provider Dyn and took down websites like Twitter, Netflix, and CNN in the largest such attack ever seen. Botnet use will probably expand in the coming years as cybercriminals continue to exploit vulnerabilities in IoT devices to create even larger networks. Get used to it: Cybercrime is here to stay.

Source: https://www.darkreading.com/endpoint/cybercrime-as-a-service-no-end-in-sight/a/d-id/1333033

  • 0

‘Torii’ Breaks New Ground For IoT Malware

Stealth, persistence mechanism and ability to infect a wide swath of devices make malware dangerous and very different from the usual Mirai knockoffs, Avast says.

A dangerous and potentially destructive new IoT malware sample has recently surfaced that for the first time this year is not just another cheap Mirai knockoff.

Researchers from security vendor Avast recently analyzed the malware and have named it Torii because the telnet attacks through which it is being propagated have been coming from Tor exit nodes.

Besides bearing little resemblance to Mirai in code, Torii is also stealthier and more persistent on compromised devices. It is designed to infect what Avast says is one of the largest sets of devices and architectures for an IoT malware strain. Devices on which Torii works include those based on x86, x64, PowerPC, MIPS, ARM, and several other architectures.

Interestingly, so far at least Torii is not being used to assemble DDoS botnets like Mirai was, or to drop cryptomining tools like some more recent variants have been doing. Instead it appears optimized for stealing data from IoT devices. And, like a slew of other recent malware, Torii has a modular design, meaning it is capable of relatively easily fetching and executing other commands.

Martin Hron, a security researcher at Avast says, if anything, Torii is more like the destructive VPNFilter malware that infected some 500,000 network attached storage devices and home-office routers this May. VPNFilter attacked network products from at least 12 major vendors and was capable of attacking not just routers and network attached storage devices but the systems behind them as well.

Torii is different from other IoT malware on several other fronts. For one thing, “it uses six or more ways to achieve persistence ensuring it doesn’t get kicked out of the device easily on a reboot or by another piece of malware,” Hron notes.

Torii’s modular, multistage architecture is different too. “It drops a payload to connect with [command-and-control (CnC)] and then lays in wait to receive commands or files from the CnC,” the security researcher says. The command-and-control server with which the observed samples of Torii have been communicating is located in Arizona.

Torii’s support for a large number of common architectures gives it the ability to infect anything with open telnet, which includes millions of IoT devices. Worryingly, it is likely the malware authors have other attack vectors as well, but telnet is the only vector that has been used so far, Hron notes.

While Torii hasn’t been used for DDoS attacks yet, it has been sending a lot of information back to its command-and-control server about the devices it has infected. The data being exfiltrated includes Hostname, Process ID, and other machine-specific information that would let the malware operator fingerprint and catalog devices more easily. Hron says Avast researchers aren’t really sure why Torii is collecting all the data.

Significantly, Avast researchers discovered a hitherto unused binary on the server that is distributing the malware, which could let the attackers execute any command on an infected device. The app is written in GO, which means it can be easily recompiled to run on virtually any machine.

Hron says Avast is unsure what the malware authors plan to do with the functionality. But based on its versatility and presence on the malware distribution server, he thinks it could be a backdoor or a service that would let the attacker orchestrate multiple devices at once.

The log data that Avast was able to analyze showed that slightly less than 600 unique client devices had downloaded Torii. But it is likely that the number is just a snapshot of new machines that were recruited into the botnet for the period for which Avast has the log files, the security vendor said.

Source: https://www.darkreading.com/attacks-breaches/-torii-breaks-new-ground-for-iot-malware/d/d-id/1332930

  • 0

Beware of Torii! Security experts discover the ‘most sophisticated botnet ever seen’ – and say it is targeting smart home gadgets

  • Researchers from Avast have identified a worrying botnet affecting IoT devices
  • Called ‘Torii,’ the virus infects devices at a server level that have weak encryption
  • Virus can fetch and execute different commands, making it ‘very sophisticated’

Keep an eye on your smart home devices.

Security experts have identified what they consider the ‘most sophisticated botnet they’ve ever seen’ and it’s believed to be targeting internet of things gadgets.

Antivirus firm Avast said in a new report they’ve been closely watching a new malware strain, called ‘Torii,’ which uses ‘advanced techniques’ to infect devices.

‘…This one tries to be more stealthy and persistent once the device is compromised, an it does not (yet) do the usual stuff a botnet does like [Distributed Denial of Service attacks], attacking all the devices connected to the internet, or, of course, mining cryptocurrencies,’ Avast researchers wrote in a blog post.

The malware goes after devices that have weak encryption, using the Telnet remote access protocol.

Telnet is a remote access tool that’s primarily used to log into remote servers, but it’s largely been replaced by tools that are more secure.

Once it has identified a poorly secured system, Torii will attempt to steal your personal information.

It’s entirely possible that vulnerable IoT device owners have no idea their device has been compromised.

‘As we’ve been digging into this strain, we’ve found indications that this operation has been running since December 2017, maybe even longer,’ the researchers wrote.

While Torii hasn’t attempted cryptojacking or carried out DDoS attacks, researchers say the malware is capable of fetching and executing commands of different kinds on the infected device, making it very sophisticated.

What’s more, many smart home gadgets are connected to one another, and it’s unclear yet if the malware is capable of spreading to other devices.

‘Even though our investigation is continuing, it is clear that Torii is an example of the evolution of IoT malware, and that its sophistication is a level above anything we have seen before,’ the Avast researchers explained.

Once Torii infects a device, it floods it with information and communicates with the master server, allowing the author of the malware to execute any code or deliver any payload to the infected device, according to researchers.

‘This suggests that Torii could become a modular platform for future use,’ the researchers continued.

‘Also, because the payload itself is not scanning for other potential targets, it is quite stealthy on the network layer. Stay tuned for the follow ups.’

WHAT IS A DDOS ATTACK?

DDoS stands for Distributed Denial of Service.

These attacks attempt to crash a website or online service by bombarding them with a torrent of superfluous requests at exactly the same time.

The surge of simple requests overload the servers, causing them to become overwhelmed and shut down.

In order to leverage the number of requests necessary to crash a popular website or online service, hackers will often resort to botnets – networks of computers brought under their control with malware.

Malware is distributed by tricking users into inadvertently downloading software, typically by tricking users into following a link in an email or agreeing to download a corrupted file.

Source: https://www.dailymail.co.uk/sciencetech/article-6216451/Security-experts-discover-sophisticated-botnet-seen.html

  • 0

3 Drivers Behind the Increasing Frequency of DDoS Attacks

What’s causing the uptick? Motivation, opportunity, and new capabilities.

According to IDC Research’s recent US DDoS Prevention Survey, more than 50% of IT security decision makers said that their organization had been the victim of a distributed denial-of-service (DDoS) attack as many as 10 times in the past year. For those who experienced an attack, more than 40% lasted longer than 10 hours. This statistic correlates with our ATLAS findings, which show there were 7.5 million DDoS attacks in 2017 — a rate, says Cisco, that is increasing at roughly the same rate as Internet traffic.

What’s behind the uptick? It boils down to three factors: motivation of the attackers; the opportunity presented by inexpensive, easy-to-use attack services; and the new capabilities that Internet of Things (IoT) botnets have.

Political and Criminal Motivations
In an increasingly politically and economically volatile landscape, DDoS attacks have become the new geopolitical tool for nation-states and political activists. Attacks on political websites and critical national infrastructure services are becoming more frequent, largely because of the desire and capabilities of attackers to affect real-world events, such as election processes, while staying undiscovered.

In June, a DDoS attack was launched against the website opposing a Mexican presidential candidate during a debate. This attack demonstrated how a nation-state could affect events far beyond the boundaries of the digital realm. It threatened the stability of the election process by knocking a candidate’s website offline while the debate was ongoing. Coincidence? Perhaps. Or maybe an example of the phenomenon security experts call “cyber reflection,” when an incident in the digital realm is mirrored in the physical world.

DDoS attacks carried out by criminal organizations for financial gain also demonstrate cyber reflection, particularly for global financial institutions and other supra-national entities whose power makes them prime targets, whether for state actors, disaffected activists, or cybercriminals. While extortion on the threat of DDoS continues to be a major threat to enterprises across all vertical sectors, cybercriminals also use DDoS as a smokescreen to draw attention away from other nefarious acts, such as data exfiltration and illegal transfers of money.

Attacks Made Easy
This past April, Webstresser.org — one of the largest DDoS-as-a-service (DaaS) providers in existence, which allowed criminals to buy the ability to launch attacks on businesses and responsible for millions of DDoS attacks around the globe — was taken down in a major international investigation. The site was used by a British suspect to attack a number of large retail banks last year, causing hundreds of thousands of pounds of damage. Six suspected members of the gang behind the site were arrested, with computers seized in the UK, Holland, and elsewhere. Unfortunately, as soon as Webstresser was shut down, various other similar services immediately popped up to take its place.

DaaS services like Webstresser run rampant in the underground marketplace, and their services are often available at extremely low prices. This allows anyone with access to digital currency or other online payment processing service to launch a DDoS attack at a target of their choosing. The low cost and availability of these services provide a means of carrying out attacks both in the heat of the moment and after careful planning.

The rage-fueled, irrational DDoS-based responses of gamers against other gamers is a good example of a spur-of-the-moment, emotional attack enabled by the availability of DaaS. In other cases, the DaaS platforms may be used in hacktivist operations to send a message or take down a website in opposition to someone’s viewpoint. The ease of accessibility to DaaS services enables virtually anyone to launch a cyberattack with relative anonymity.

IoT Botnets
IoT devices are quickly brought to market at the lowest cost possible, and securing them is often an afterthought for manufacturers. The result? Most consumer IoT devices are shipped with the most basic types of vulnerabilities, including hard code/default credentials, and susceptibility to buffer overflows and command injection. Moreover, when patches are released to address these issues, they are rarely applied. Typically, a consumer plugs in an IoT device and never contemplates the security aspect, or perhaps does not understand the necessity of applying regular security updates and patches. With nearly 27 billion connected devices in 2017, expected to rise to 125 billion by 2030 according to analysis from IHS Markit, they make extremely attractive targest for malware authors.

In the latter half of 2016, a high-visibility DDoS attack against a DNS host/provider was observed, which affected a number of major online properties. The malware responsible for this attack, and many others, was Mirai. Once the source code for Mirai was published on September 30, 2016, it sparked the creation of a slew of other IoT-based botnets, which have continued to evolve significantly. Combined with the proliferation of IoT devices, and their inherent lack of security, we have witnessed a dramatic growth in both the number and size of botnets. These new botnets provide the opportunity for attackers and DaaS services to create new, more powerful, and more sophisticated attacks.

Conclusion
Today’s DDoS attacks are increasingly multivector and multilayered, employing a combination of large-scale volumetric assaults and stealth infiltration targeting the application layer. This is just the latest trend in an ever-changing landscape where attackers adapt their solutions and make use of new tools and capabilities in an attempt to evade and overcome existing defenses. Businesses need to maintain a constant vigilance on the techniques used to target them and continually evolve their defenses to industry best practices.

Source: https://www.darkreading.com/attacks-breaches/3-drivers-behind-the-increasing-frequency-of-ddos-attacks/a/d-id/1332824

  • 0

Who’s hacking into UK unis? Spies, research-nickers… or rival gamers living in res hall?

Report fingers students and staff for academic cyber-attacks

Who’s hacking into university systems? Here’s a clue from the UK higher education tech crew at Jisc: the attacks drop dramatically during summer break.

A new study from Jisc (formerly the Joint Information Systems Committee) has suggested that rather than state-backed baddies or common criminals looking to siphon off academic research and personal information, staff or students are often the culprits in attacks against UK higher education institutions.

The non-profit body, which provides among other things internet connectivity to universities, analysed 850 attacks in the 2017-18 academic year and found a consistent pattern that occurred during term time and the UK working day.

Holidays brought with them a sharp reduction in attacks, from a peak 60-plus incidents a week during periods of the autumn term to a low of just one a week at times in the summer. It acknowledged that part of the virtual halt in summer may be down to cops and Feds cracking down on black hat distributed denial-of-service tools in the months prior, however.

Jisc is perhaps better known among Reg readers for providing the Janet network to UK education and research institutions.

Its data covered cyber-attacks against almost 190 universities and colleges and focused on denial-of-service and other large-scale infosec hits rather than phishing frauds and malware.

Staff and students with a grudge or out to cause mischief are more credible suspects in much of this rather than external hackers or spies. More sophisticated hackers might be inclined to use DDoS as some sort of smokescreen.

In a blog post, Jisc security operations centre head John Chapman admitted some of the evidence suggesting staff and students might be behind DDoS attacks is circumstantial. However, he pointed out evidence from law enforcement and detected cyber assaults supported this theory. For example, a four-day DDoS attack the unit was mitigating against was traced back to a university hall of residence – and turned out to be the result of a feud between two rival gamers.

Whoever might be behind them, the number of incidents is growing. Attacks are up 42 per cent to reach this year’s 850; the previous academic year (2016-17) witnessed less than 600 attacks against fewer than 140 institutions.

Matt Lock, director of solutions engineers at Varonis, said: “This report is another reminder that some of the biggest threats facing organisations today do not involve some hoodie-wearing, elusive computer genius.”

Education is targeted more often than even the finance and retail sectors, according to McAfee research (PDF).

Nigel Hawthorn, data privacy expert at McAfee, commented in March:

“The kind of data held by universities (student records/intellectual property) is a valuable commodity for cyber criminals, so it is crucial that the security and education sectors work together to protect it.

Source: https://www.theregister.co.uk/2018/09/17/cyber_attack_uk_universities/

  • 0

DDoS attacks: Students blamed for many university cyber attacks

DDoS attacks against university campuses are more likely in term time.

Nation-states and criminal gangs often get the blame for cyber attacks against universities, but a new analysis of campaigns against the education sector suggests that students — or even staff — could be perpetrators of many of these attacks.

Attributing cyber attacks is often a difficult task but Jisc, a not-for-profit digital support service for higher education, examined hundreds of DDoS attacks against universities and has come to the conclusion that “clear patterns” show these incidents take place during term-time and during the working day — and dramatically drop when students are on holiday.

“This pattern could indicate that attackers are students or staff, or others familiar with the academic cycle. Or perhaps the bad guys simply take holidays at the same time as the education sector,” said John Chapman, head of security operations at Jisc.

While the research paper notes that in many cases the reasons behind these DDoS campaigns can only be speculated about, just for fun, for the kudos and to settle grudges are cited as potential reasons.

In one case, a DDoS attack against a university network which took place across four nights in a row was found to be specifically targeting halls of residence. In this instance, the attacker was launching an attack in order to disadvantage a rival in online games.

The research notes that attacks against universities usually drop off during the summer — when students and staff are away — but that the dip for 2018 started earlier than it did in 2017.

“The heat wave weather this year could have been a factor, but it’s more likely due to international law enforcement activity — Operation Power Off took down a ‘stresser’ website at the end of April,” said Chapman.

The joint operation by law enforcement agencies around the world took down ‘Webstresser’, a DDoS for hire service which illegally sold kits for overwhelming networks and was, at the time, the world’s largest player in this space. This seemingly led to a downturn in DDoS attacks against universities.

But universities ignore more advanced threats “at their peril” said Chapman. “It’s likely that some of these more sophisticated attacks are designed to steal intellectual property, targeting sensitive and valuable information held at universities and research centres.”

Despite this, a recent survey by Jisc found that educational establishments weren’t taking cyber attacks seriously, as they weren’t considered a priority issue by many.

“When it comes to cyber security, complacency is dangerous. We do everything we can to help keep our members’ safe, but there’s no such thing as a 100% secure network,” said Chapman.

Source: https://www.zdnet.com/article/ddos-attacks-students-blamed-for-many-university-cyber-attacks/

  • 0