Philippine government starts tracking down North Korean cyber-hackers

Manila: The Philippine government is tracking down North Korean hackers who were identified to have attacked a government-run cyber-security agency, a senior official said, prompting observers to assess that computer systems nationwide are vulnerable to attacks.

“The Department of Science and Technology (DOST) and its Advanced Science and Technology Institute (ASTI) will launch an investigation on Monday following reports that North Korean hackers have launched cyber-attacks against DOST’s website,” said Department of Information and Communications Technology (DICT) Assistant Secretary Allan Cabanlong.

The DOST and ASTI will jointly look into whether the so-called distributed denial-of-service (DDoS) attacks that shut down websites have entered its cyber-system, said Cabanlong.

“It’s like a teargas or smoke grenade. Once it’s in the website that is under attack — the website shuts off for a specific period, allowing the attacker to send malware to the website in order to control its system,” explained Cabanlong.

The investigation was launched after Quartz, a news site, cited a study that “some North Korean users were conducting research, or possibly even network reconnaissance, on a number of foreign laboratories and research centers” including India’s Space Research Organization and the Philippines’ DOST, said Cabanlong.

As of Saturday, DOST and ASTI had not yet detected the North Korean attackers in the cyber system. “If ever there was, it was not yet reported to us,” said Cabanlong, adding that hackers often target websites of research and academic institutions that are focused on content more than on security features.

The reported DOST hackers could be part of North Korea’s efforts to attack perceived enemies, said Cabanlong.

They could be sympathisers of North Korea, which is being pressured by the international community to stop its nuclear missile tests, other observers said.

Last year, DICT directed all banks, government agencies, hospitals, institutions, schools, and telecommunication companies to hire network security administrators and put in place systems that would regularly monitor possible cyber-attacks and breaches.

Looking forward, Cabanlong said DICT will put up its National Cyber-intelligence Centre to expand its capability to protect all computer systems nationwide.

Right now, “DICT is working on band-aid solutions to cyber-attacks; it is limited to oversight function; and it cannot protect all computer systems in the country,” admitted Cabanlong, adding, “No single agency can do it alone. The private sector and multi-government agencies must work together on this campaign.”

The DICT has yet to compile a record of government agencies and private companies in the Philippines that are vulnerable to breaches, other critics said.



Cybersecurity: into the data breach

Cybersecurity has become a significant issue as attacks are increasing. In the new payments ecosystem, where third-party developers can directly interact with banks’ customers, data privacy and security become paramount, according to the World Payments Report 2017 by Capgemini and BNP Paribas.

A significant issue to address as the new payments ecosystem evolves is that of cybersecurity. During the past few years, cyberattacks and crimes have increased across the globe, with corporate and financial institution entities, large and small, targeted.

The price of increasing collaboration among industry stakeholders in the new payments ecosystem could be an increase in cyber security vulnerabilities. To alleviate this risk, corporates are increasingly turning to their banks for advice on how to strengthen their infrastructures against cyber attacks. To ensure the highest levels of cybersecurity and the security of infrastructures in the new payments ecosystem, each stakeholder must assess security across all the data sources and points of collaboration.

The need for robust cyber security solutions to cater to all forms of cyberthreats has never been greater for corporate treasurers as new technologies proliferate and collaboration increases. Of prime importance for corporates in developing defence mechanisms is awareness of potential cyber security risks, regular updating of security profiles and continuous training of employees. This is because attacks perpetrated by cybercriminals are unpredictable in both timing and nature.

The vulnerabilities stakeholders face include cyber security, data privacy, data breaches, and payments fraud. The utmost vigilance is required to protect organisations against cyber attacks and all stakeholders, including regulators, must be more proactive regarding cybersecurity, with ownership of the issue taken to prevent attacks.

In the new payments ecosystem, third-party developers can directly interact with partner banks’ customers, raising questions about data privacy and security. In an increasingly networked ecosystem, identifying the source of an attack will be a challenge.

Verizon’s 2017 Data Breach Investigations Report found that security incidents and data breaches affect both large and small financial organisations almost equally. However, the security of larger banks is difficult to compromise as they invest more in cyber security solutions. Smaller banks, which do not have the same access to resources, are more prone to cyberattacks.

A fraud survey by the Association for Financial Professionals and JP Morgan found that the highest levels of fraud in 2016 were perpetrated via cheques. However, there was a surge in wire transfer fraud, from 27 per cent in 2014 to 46 per cent in 2016.

An increasing number of cyber security breaches are causing significant losses for banks and corporates across the world. Among recent incidents, in February 2016, a cyberheist at Bangladesh Central Bank resulted in a loss of $81 million and prevented another $850 million worth of transactions from being processed on the Swift network. Similarly, in May 2016 cybercriminals hacked the Swift system and stole $9 million from Ecuadorian bank Banco del Austro.

In May 2017, the WannaCry ransomware attack affected more than 150 countries and 200,000 computers, as attackers demanded each of those affected to pay up to $300 worth of bitcoins to unlock their systems.

In a survey for the World Payments Report, bank executives ranked distributed denial of service (DDoS) attacks and customer payments fraud as the main security challenges they face. Also of concern were the high levels of card fraud, which place a significant cost burden on banks. The increasing adoption of digital offerings in transaction banking is also giving rise to higher levels of payments fraud, making cyber security a top priority for banks and corporates.

Customer payments fraud is the top-ranked concern for financial technology companies and other survey respondents. This group is much less likely to view DDoS attacks as a threat; data breaches due to hacking attacks were of more concern, as was internal fraud.

While banks are investing significantly in cybersecurity solutions, there are still many risks at the corporate level that they cannot manage. Corporates must, therefore, step up their own efforts to manage cybersecurity risk and not leave it all to the banks. They should upgrade their internal systems, train their staff, and review their partners’ systems.

The idea of a cyberattacker as a lone figure hacking into systems is now obsolete. Cyberattacks are perpetrated by entities that are set up like companies, with project managers, key performance indicators and operations.

Attacks to compromise corporates and banks are designed to be multi-staged, with two main objectives: commercial gain and industry espionage. In general, the funds received via attacks go into the coffers of the organisation, while the intelligence gained during an attack will be used by perpetrators to gain a business advantage. Attacks can happen at any time, and over time, therefore all corporates should be vigilant and on constant guard against attacks.

So serious are the growing cyberattack and data breach problems that regulators across the globe should move from their present reactive approach to a more proactive one. Stringent regulations and fines to strengthen cybersecurity laws are required from regulators. Many regulations related to this are, however, still in the inception stage. Europe has the most mature cybersecurity and data privacy laws, with recent initiatives including the Electronic Identification and Trusted Service, which was launched in 2016.

Effective cybersecurity requires organisations to efficiently and quickly identify, mitigate and manage cyber risks and incidents. All stakeholders are taking measures to strengthen the security of transactions against potential cyber threats. Banks and other stakeholders have three options available to them: collaborating with financial technology companies, making investments in advanced technologies and monitoring tools, and strengthening internal governance to ensure seamless compliance.

  • Collaboration with fintechs

This is occurring in several areas including secure authentication and authorisation, account onboarding, identity verification and anti-money laundering. Examples include India’s Yes Bank and FortyTwoLabs’ development of multi-factor authentication tool PI-Control, which enables users to apply for internet banking access, pay bills, transfer funds, seek loans, make remittances and undertake other card transactions.

Rabobank in the Netherlands is working with Signicat to provide digital identity solutions that can be easily integrated using API technology. As banks increasingly collaborate with fintechs and regtechs, due diligence, adherence to industry standards and participating in the development of new industry standards has become critical.

  • Investment in advanced technologies and monitoring tools

Blockchain technology is still in a nascent stage, with its potential as an enabler of digital identity and payment transaction security still being tested. Banks can leverage the technology to differentiate themselves in the provision of digital identity, authentication and know your customer services.

Banks are investing in projects that combine advanced cryptography supporting private or permissioned use of blockchain technology with transaction security elements that provide greater transaction visibility. To ensure the highest levels of cybersecurity and transaction security, all the ecosystem participants must assess security from multiple sources in the network. Common security standards and protocols when developing and investing in new technologies and monitoring tools will be increasingly important as collaboration increases.

With a common network governing the interfaces between banks and third-party providers, various groups are developing network-based security standards to ensure a secure environment is built around the dynamic payments ecosystem. The ability to respond to cyber threats or attacks in real-time is hampered by legacy security systems. Traditional security monitoring typically identified and reacted to cyber threats in isolation. A modern approach identifies specific unusual patterns or behaviour and alerts operational teams to anomalous activity. Advanced machine learning algorithms are the logical next step as response mechanisms in the event of a threat.

Artificial intelligence (AI) systems are being piloted globally, yet legal issues regarding accountability for the actions of such systems persist. Contextualisation of threats (linking the threat to the business and not just to technology) is needed to identify the source and understand the objective behind any attack. Another useful approach is risk-based authentication (RBA) to detect the risk profile of transaction banks and retailers. Using RBA and analytics processes, banks can create a threat matrix of fraud profiles to triangulate threat instances to their origin and proactively block fraudulent traffic. Behavioural analytics, AI, machine learning and threat matrices can help to continuously monitor the ecosystem network and provide threat intelligence.

Banks can undertake various activities such as continuously checking all systems for possible threats, observing markets, scenario simulation, examination of previous attacks, monitoring activities and applications, and establishing a payments control centre to permanently monitor payments and identify exceptional situations.

  • Robust internal governance

A robust governance model and standards are imperative for seamless functioning of the new payments ecosystem. Banks and treasurers need to interact with central authorities and regulators to share feedback, which in turn will help to improve compliance. Banks and treasurers are increasingly collaborating with regtechs to ensure compliance. Industry stakeholders must establish common data, technical, legal, functional, and security standards for robust governance.

Firms will be well served if they can ensure that security systems have multiple layers to withstand ‘flood’ attacks. To ensure a foolproof system, firms should identify the data needs of all stakeholders before finalising the controls to put in place.

With the onset of General Data Protection Regulation (GDPR) and revised Payment Services Directive (PSD2) in the EU, the focus on compliance with data privacy and security has increased. Firms must install a dedicated team to continuously review and update security policies. Additionally, stakeholders should work with the local regulatory authorities to understand the complexity of different regional legal requirements and expectations for each country.

Firms must ensure mandatory data privacy and security training is conducted at regular intervals. Educating employees on potential threats and ensuring they keep their systems updated would have prevented, or greatly reduced the impact of, events such as the WannaCry ransomware attack.



National Lottery hit by DDoS attack – down 90 mins at peak demand time

On Saturday the UK National Lottery’s website was down – just as those players who stake online, rather than in retailers, were trying to pick their numbers and part with their cash – thanks to a DDoS attack.


Hitting a retail business causes it to lose money, but in the case of many time-sensitive events that money can never be recouped, which is why newspaper print unions were so strong: yesterday’s news is no good tomorrow, and a bet now on last night’s lottery won’t win you much either. Both the gaming sites and the DDoS attackers know this, making gaming both highly targeted and highly defended.

On the other hand, although there are other lotteries, there are not many direct competitors to the National Lottery, so while it apologised to those customers unable to use its smartphone app or access its website, a quick fix is likely to retain their custom. Each hit is nonetheless a direct revenue loss.

According to downdetector, and later confirmed by the National Lottery, the cause was indeed a DDoS attack, but it is not clear if it was the subject of a ransom, or if it might have been a demonstration of capability ahead of a future threat of attack.

Kirill Kasavchenko, principal security technologist at Arbor Networks, emailed SC Media UK to comment: “This latest DDoS attack shows that cyber-criminals are still up to old tricks, this time deliberately targeting the National Lottery website at a time of peak demand. We can also see that response plans are often not up to scratch, with the incident lasting 90 minutes. Websites that are unable to contain a DDoS attack like this risk losing their audience to competitors if they are unable to minimise the disruption, so it is essential that organisations expect cyber-attacks and know how they will respond.

“All organisations must examine their current DDoS defences, and decide whether their current processes are robust enough to ensure operations will not be halted by a DDoS attack. To guard against such attacks, organisations should implement best current practices for DDoS defence. That includes hardening network infrastructures, ensuring complete visibility of all network traffic, and implementing sufficient DDoS mitigation capacity and capabilities. Those mitigation defences ideally should be a combination of on-premises and cloud-based DDoS mitigation services. It is also crucial that organisations ensure their DDoS defence plan is kept updated and is rehearsed on a regular basis.”



Protecting an online presence – DOSarrest’s technology leads the way

With over a decade of experience protecting websites from malicious traffic, DOSarrest has led the way from the start. It was one of the first to supply its client base with a real-time statistical dashboard and an intuitive configuration management console. Fast forward to today, where it has just released its 5th major software upgrade; it’s these types of leading-edge features and services and a forward-looking road map that keep it in the top tier of cloud-based DDoS mitigation companies.

Some of DOSarrest’s new enhancements, just released, include an all-new front end which supplies customers with 15 different fully interactive statistical displays, allowing customers to view just the statistics they are interested in. It’s clear from the work the company has put into this system that it knows what’s required to stay ahead of the ‘bad actors’. It has also redeveloped its back-end software using the latest tools, including a new distributed database structure, which has the advantage of allowing it to develop and deploy new features in a matter of minutes, for attacks not yet even known.

DOSarrest has also fine-tuned its cloud-based Web Application Firewall (WAF), which, unlike many of its competitors’, is based on a positive security model rather than a negative security model. Most people, and even some security techs, are not aware of the difference. Have a quick read of the blog post regarding the latest Equifax breach to get a real-life explanation of what happened and how DOSarrest’s cloud-based WAF would have prevented such a devastating data breach.

DOSarrest doesn’t seem to follow its competitors or hyped-up media trends; this must be due to its experience over its rivals in the DDoS protection arena. It has just installed a big data analytics cluster, which feeds its customer portal with real-time interactive displays. Why big data for a customer portal? DOSarrest will tell you that the real reason is to leverage machine learning. Many organisations have tried machine learning, found it not worth the effort and eventually abandoned it; that is not the case at DOSarrest, which has leveraged its big data cluster in conjunction with machine learning to yield some impressive results.

DOSarrest states that the most difficult attacks to stop are the ones you don’t really notice. By this it articulates that if a website runs 10 Mb/sec of legitimate traffic it’s very possible to throw 75 Kb/sec of sophisticated, well-placed malicious traffic at the website and cause the website to slow considerably and eventually stop responding to legitimate visitors. Its machine learning system finds this small amount of malicious traffic and blocks it. DOSarrest states it’s like being able to find a needle in a haystack.

In order to prove the point that small, sophisticated attacks are the most difficult to detect and mitigate, DOSarrest has developed a website attack/stress simulator. This is a brand-new service called the Cyber Attack Preparation Platform (CAPP), and the company is running beta tests for a select number of customers. This service allows customers to log into a platform, input their own target website, then choose from a selection of over 30 different attacks and even combination attacks. Along with the attacks, it enables users to choose from a variety of regions where they want the attack to originate, some of the choices being Europe, eastern or western US, Canada or Asia, or all of them. It also allows one to choose the size of the botnet and the intensity of each bot. Given that this privately controlled botnet is dangerous in the wrong hands, it is strictly controlled and throttled on a per-user basis.

In summary DOSarrest has proven itself to be a leader in fully-managed cloud-based DDoS protection services and is constantly adding capacity, enhancements, new technology and related security services to its portfolio. Should you be thinking of security for your website operations, DOSarrest is a very experienced, capable and customer-oriented solution provider.



CHJ Tech. Teams up with DOSarrest to deliver Internet Security Solutions for the Singapore Government

SINGAPORE, Sept. 25, 2017 (GLOBE NEWSWIRE) — CHJ Technologies Singapore announced today that it has been chosen as one of the 6 approved vendors to supply cloud-based DDoS protection and Web Application security services for the Singapore government over the next 3 years. The Singapore Government expects to spend SGD $50m to keep government websites going even under an attack. CHJ is the exclusive distributor of DOSarrest Internet security services in Singapore and is utilizing its DDoS and WAF solutions to satisfy the Singapore government’s security requirements.

Linus Choo, Managing Director of CHJ Technologies, states: “CHJ Technologies has a substantial track record providing cyber security services in Singapore. Having first been awarded DDoS mitigation contracts with the Singapore government in 2014, we are both elated and honored to have been awarded for a second time in this latest tender. We feel that this renewal of our services is a testament to the calibre of services our team provides and our partnership with DOSarrest.

“Understanding the strategic importance of cyber security services, we align and integrate perfectly with the investments our government is making in DDoS protection and other cyber security services; this makes the continuation of our collaboration with the government all the more valued. This is a very significant accomplishment for both CHJ Technologies and DOSarrest.”

Mark Teolis, CEO of DOSarrest, explains: “It was a very rigorous process to meet all the requirements of the Singapore government’s security specifications; in the end we beat out many competitors 3 years ago and we did it again this year.” Teolis adds: “CHJ Tech is a great match for us; their staff on the ground and customer support paired with our technology is a home run.”

Choo adds: “We are actively exploring other opportunities in the Asean region as a partner with DOSarrest.”

About DOSarrest Internet Security:
DOSarrest, founded in 2007 in Vancouver, B.C., Canada, is one of only a couple of companies worldwide to specialize solely in cloud-based DDoS protection services. Additional Web security services offered are a cloud-based Web Application Firewall (WAF), Vulnerability Testing and Optimization (VTO), DataCenter Defender – GRE, as well as cloud-based global load balancing and a simulated DDoS attack platform.


About CHJ Technologies:

Founded in 1987 and headquartered in Singapore, we have become one of Asia’s leading and fastest-growing managed cybersecurity service providers. Our expertise and product lines enable organizations to discover risks and mitigate them. Continually pushing boundaries, we protect our customers’ critical assets and information wherever they live – in the cloud and on-premises.


Contact Information:
Lew Yong-He
+65 6896 7998



How enterprises can fend off DDoS attacks

Though distributed denial of service attacks have been around for more than two decades, recently we have seen a spate of DDoS attacks that have increased in complexity and variability. Both the size and frequency of DDoS attacks have gone up, and criminals use these sophisticated attacks to target sensitive data, not just to disrupt businesses. Some recent attacks have exceeded 1 Tbps, while the average DDoS attack peaked at 14.1 Gbps in the first quarter of 2017, according to Verisign’s DDoS trends report.

The largest volumetric and highest-intensity DDoS attack observed by Verisign in Q1 2017 was a multi-vector attack that peaked over 120 Gbps and around 90 million packets per second (Mpps). This attack sent a flood of traffic to the targeted network in excess of 60 Gbps for more than 15 hours.

In a new report, Imperva warns about a new type of ferocious DDoS attack that uses ‘pulse waves’ to hit multiple targets. “Comprising a series of short-lived bursts occurring in clockwork-like succession, pulse wave assaults accounted for some of the most ferocious DDoS attacks we mitigated in the second quarter of 2017. In the most extreme cases, they lasted for days at a time and scaled as high as 350 gigabits per second (Gbps). We believe these represent a new attack tactic, designed to double the botnet’s output and exploit soft spots in traditional mitigation solutions,” says Robert Hamilton, director, Imperva.

“DDoS attacks are rarely complex. They are the result of a volumetric-based attack which results in a platform, application or service being rendered unavailable for the user. The biggest changes we have seen through evolution over the last few years are mostly within the amount of bandwidth attackers have at their disposal. This is due to the number of interconnected devices we now have on the Internet. We have three main types of DDoS attack: one is volumetric, which accounts for most DDoS attacks; secondly we have application; and lastly protocol-level attacks,” says Warren Mercer, security researcher at Cisco Talos.

Ransom is another growing trend in DDoS. “Ransom-related attacks seem to be a trending issue as of late. Too many organisations are paying out these ransom requests, in an effort to remove themselves from the crosshairs of a DDoS attack – this behaviour likely causes an increase in ransom attack activity. Besides the financial loss that a company may experience by paying the ransom, companies must consider that they will still be subject to a DDoS attack even after the ransom has been paid,” says Stephanie Weagle, VP, Corero.

What should a CISO do when dealing with a massive DDoS attack? “First thing would be to make sure the network is well prepared for such attacks. Making sure that there are protections and processes in place is critical. It’s also important to remember that the DDoS attack might not be the actual attack but just a distraction,” says Kalle Bjorn, director-systems engineering, Fortinet.

Mohammed Al Moneer, regional director, A10 Networks, says the challenge for defenders is to distinguish good and bad behaviour, largely by analysing the instrumented data available from server logs and traffic behaviour reported from networking tools. In effect, threat hunting is the act of finding a needle in a haystack of logs and flow data. Unlike the stealth required for dropping malware or stealing data, DDoS is loud and does not hide in the shadows.

Alaa Hadi, regional director, Arbor Networks, says these very large attacks must be mitigated in the cloud, as close to the source as possible. He also cautions CISOs that cloud protection is only a partial defence against modern DDoS attacks, which also target applications and infrastructure, like firewalls, with low-and-slow attacks that cannot be detected in the cloud. The place to protect against these attacks is on-premise, with a tight connection to the cloud as a means of providing mitigation support for large attacks. Only with this multi-layer, hybrid approach is a business fully protected from DDoS attacks.

Another alarming trend in DDoS has been the rise of DDoS attacks using IoT devices, as we have seen in the case of Mirai botnet, which infected tens of millions of connected devices.

“IoT can have positive implications across several core industries such as manufacturing, retail, transportation, and healthcare. However, it’s important to bear in mind that a higher number of connected devices translates to more points of entry for attackers to penetrate. Criminals can leverage these end points to steal confidential information from businesses, distribute malware, or take over the capacity and network bandwidth of connected ‘things’ to carry out massive strikes. The necessary tools and best practices to mitigate such threats are well known and available in the application security field,” says Hadi Jaafarawi, managing director, Qualys Middle East.

Bjorn from Fortinet adds that compromised IoT devices are a massive potential traffic source for attackers. Securing an organisation’s own systems would prevent them from being used in attacks against others. Manufacturers should also work actively to ensure their own devices are fixed when vulnerabilities are found; unfortunately, there are multiple IoT devices on the market that cannot even be upgraded, which means that security will have to lie with the network the devices connect to.



Apache Struts Vulnerabilities and The Equifax Hack, What Happened?

In the wake of the Equifax breach, a lot of people are wondering how the theft of personal information occurred and how it could have been prevented.

Equifax initially reported that a vulnerability in Apache Struts was used to infiltrate their public-facing web server. Apache Struts has faced its fair share of vulnerabilities with 21 having been discovered since the start of 2016.

Which Apache Struts vulnerability was used in the Equifax hack?

At DOSarrest we researched current and past Apache Struts vulnerabilities and determined that Equifax was likely not hacked using the new CVE-2017-9805 but rather CVE-2017-5638.

Equifax released additional details on Sept 13th 2017 confirming that the vulnerability involved was CVE-2017-5638. The CVE-2017-5638 vulnerability dates back to March 2017, which is why people in the security industry are now questioning how Equifax could be so far behind in patching this well-known vulnerability.

The two vulnerabilities, CVE-2017-5638 and the recently revealed CVE-2017-9805, are very similar in nature and are both considered Remote Code Execution (RCE) vulnerabilities.

How does an RCE vulnerability work, and how can it be prevented?

An RCE vulnerability is exploited when an attacker crafts a packet or request containing arbitrary code or commands. The attacker uses a method to bypass security that causes a vulnerable server to execute the code with either user or elevated privileges.

Such vulnerabilities can be prevented with a two-fold approach to web application security:

1) New vulnerabilities will continually be discovered in any web application framework, and it is the duty of IT teams to keep the software patched. This requires regular audits and patches to vulnerable software. Even the most proactive IT teams will not be able to prevent a so-called zero-day attack by patching alone so more must be done to protect the web server from zero-day vulnerabilities.

2) Since there is always a delay between the time a vulnerability is discovered and when a patch is developed by the maintainer of that product, a means to protect your website from undiscovered zero-day vulnerabilities is needed. Web Application Firewalls (WAFs) that typically rely on signatures are unfortunately at a disadvantage, because signatures for existing vulnerabilities in most cases do not match newer zero-day vulnerabilities.

If I cannot rely on signature-based WAF options, what can I rely on to protect my business?

At DOSarrest our WAF is different. The problem with relying on signatures is that they require constant updates as new vulnerabilities become known. Instead, our WAF looks for sets of characters (such as }, " and ;) or phrases (such as "/bin/bash" or "cmd.exe") that are known to be problematic for some web applications.

What makes DOSarrest's WAF even more appealing is that it is fast, much faster than signature-based solutions, which need high CPU use to match signatures, and that matching can have a measurable impact on latency. With DOSarrest's WAF there is no increase in latency, and vulnerabilities not yet discovered will still be mitigated.

Examples of how the Apache Struts vulnerabilities are exploited:

For the benefit of more technical users, some sample requests are analyzed below. The first example represents a normal, non-malicious request of the kind sent by millions of people every day; the following two exploit RCE vulnerabilities in Apache Struts:

We can note the following characteristics in the exploit of CVE-2017-5638:

1. The Content-Type Header starts with %{(, an incorrect format.

2. The payload contains a call to the Java class java.lang.ProcessBuilder, which is normally regarded as dangerous.

3. The payload names both the Windows and Linux command line interpreters: "cmd.exe" (Windows Command Prompt) and "/bin/bash" (Linux Bash shell).

The RCE vulnerability used to infiltrate Equifax, CVE-2017-5638, exploits a bug in the way Apache Struts processes the "Content-Type" HTTP header. This lets an attacker run a script embedded in the request with the privileges of the server, and the java.lang.ProcessBuilder call in that script is what executes the commands the attacker has placed in the request.

CVE-2017-9805, announced in September 2017, is very similar to the previous RCE vulnerability.

With CVE-2017-9805, we can note the following characteristics:

1. The Content-Type is application/xml with the actual content in the request body matching that of the Content-Type.

2. The payload also contains a call to java.lang.ProcessBuilder.

3. The payload in this case is Linux-specific and runs "/bin/bash -c touch ./CVE-2017-9805.txt", confirming that the exploit works by creating the file "CVE-2017-9805.txt".
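A marker check over the characteristics listed for both vulnerabilities, written as an added example in Python (not DOSarrest's WAF or its rule set). The sample requests, the host name example.test, the paths and the marker values are constructed and contain only the marker strings the text names, not working payloads.

```python
# Phrases the text singles out as dangerous wherever they appear in a request.
DANGEROUS_PHRASES = ("java.lang.ProcessBuilder", "/bin/bash", "cmd.exe")
# A Content-Type that opens an expression instead of naming a MIME type (CVE-2017-5638).
BAD_CONTENT_TYPE_PREFIX = "%{("


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request line, {header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def inspect_request(raw):
    """Return the reasons a request matches the Struts RCE characteristics (empty = clean)."""
    _, headers, body = parse_request(raw)
    reasons = []
    if headers.get("content-type", "").startswith(BAD_CONTENT_TYPE_PREFIX):
        reasons.append("content-type starts with %{(")
    # Phrases are checked in header values and body alike (the header carries
    # the payload for CVE-2017-5638, the XML body for CVE-2017-9805).
    haystack = " ".join(headers.values()) + " " + body
    for phrase in DANGEROUS_PHRASES:
        if phrase in haystack:
            reasons.append("contains " + phrase)
    return reasons


# Constructed sample traffic (host, paths and marker values are made up).
NORMAL = ("POST /login.action HTTP/1.1\r\nHost: example.test\r\n"
          "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
          "user=alice&pass=secret")
HEADER_MARKER = ("GET /index.action HTTP/1.1\r\nHost: example.test\r\n"
                 "Content-Type: %{(#constructed='java.lang.ProcessBuilder marker')}\r\n\r\n")
BODY_MARKER = ("POST /orders/3 HTTP/1.1\r\nHost: example.test\r\n"
               "Content-Type: application/xml\r\n\r\n"
               "<map><entry><constructed>java.lang.ProcessBuilder</constructed>"
               "<command>/bin/bash -c touch ./CVE-2017-9805.txt</command></entry></map>")

if __name__ == "__main__":
    for label, req in (("normal", NORMAL), ("header", HEADER_MARKER), ("body", BODY_MARKER)):
        verdict = "block" if inspect_request(req) else "allow"
        print(label, verdict, inspect_request(req))
```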

Are the payloads shown the exact ones used by attackers to obtain data from Equifax?

Although some of the commands may have been used together as part of the information gathering process, the actual commands used to obtain the data from Equifax may only be known by the attackers and possibly Equifax or an auditing security team directly involved in the case. The examples show how the vulnerability could be exploited in the wild and what methods might be used, e.g., setting Content-Type and sending an XML file with a payload. These examples do not represent the actual payload used to obtain the data from Equifax.

Since the payload itself can be completely arbitrary, an attacker can run any commands desired on the victim’s server. Any action the web server software is capable of could be performed by an attacker, which could allow for theft of information or intellectual property if it is accessible from the hacked server.

In the case of Equifax, there was likely an initial vulnerability scan that the attackers used to discover Equifax's exposure to this particular attack. This would have been followed by an effort to determine what files were available or what actions could be performed from the Equifax public-facing web server. At some point the attackers came across a method for accessing personal credit details on millions of Americans and citizens of other countries who had credit checks performed on their identities within the United States.

If Equifax had been using the DOSarrest WAF, they could have avoided a costly mistake. Don’t let your business suffer a damaging security breach that could result in you being out of business for good. Talk to us about our services.

For more information on our services, including our Web Application Firewall, see DOSarrest's security solutions.



Machine Learning in the DOSarrest Operations

Machine Learning can appear in many different forms and guises, but a general definition usually says something about computers learning without explicit programming and being able to adapt automatically. While Machine Learning has been around for decades as a concept, it has become more of a reality as computational power continues to increase and the proliferation of Big Data platforms makes it easier to capture floods of data. These developments have made ML practical and have attracted a lot of interest, as evidenced by the large number of articles in the last two years about AI and Machine Learning.

However, despite all this, adoption of Machine Learning is still relatively low among companies in the tech landscape (Gartner estimates that fewer than 15 percent of enterprises successfully get machine learning into production). And even when you hear about Company X adopting a machine learning strategy, it is often conflated with another strategy or service within that company and does not truly realize the automated "adaptiveness" inherent in ML.

Those companies that do realize a proper machine learning strategy, understanding and grooming their data and identifying the appropriate models, can see real benefits to their operations, which is why DOSarrest has been developing such a strategy over the last year.

Here at DOSarrest, we have been focusing on building an Anomaly Detection engine aimed at the constantly evolving, sophisticated application layer attacks. We collect huge amounts of data from disparate sources (e.g. customized web logs, SNMP and flow data, IDS logs, etc.), even when customers are not under attack. This provides an opportunity to identify baselines even in a multi-tenant environment. As you would expect, some of the data fields have a high degree of cardinality, which can be challenging to work with for data in motion but can have great benefits. With these huge structured data sets, we are able to identify KPIs (Key Performance Indicators) and statistics that the engine can leverage to identify anomalous behavior and bring it to the attention of the Security Ops team, who are then able to investigate and act on the identified pattern. The engine continues to refine the probability of a metric, becoming more accurate over time in determining the severity of an anomaly.

The strategy holds great promise, and further developments and refinements to this model will continue to evolve the best Security Operations Center in the business.

A more detailed view of an anomaly – this shows a single IP requesting more than 60 times more frequently than a normal visitor.

This screen gives an overview of any anomalies, organized by relevant factors, in this case the remote IP address of the requester.

Jag Bains

CTO, DOSarrest Internet Security



Alleged UK Bank Hacker Extradited From Germany

U.K. officials have extradited the man who allegedly masterminded a cyberattack earlier this year that impacted two of England’s biggest banks. They have accused 29-year-old Daniel Kaye, who was found in Germany, of using an infected computer network to damage and blackmail both Barclays and Lloyds Banking Group, The Financial Times reported.

Following the cyberattack, Lloyds found its digital services crippled on and off for over 48 hours in January 2017, preventing some customers from being able to check their bank balances or send out payments via the network. The assault was a distributed “denial of service” (DDoS) attack, which overwhelms a firm’s website so its services don’t operate properly. The same month, Barclays fought off their own cyberattack, according to the National Crime Agency.

These attacks occurred just months after a high-profile cyberattack against Tesco Bank in which 9,000 people had money stolen from their accounts. HSBC also saw an attack against its personal banking website and mobile app in 2016, which locked thousands of customers out of their accounts.

“The investigation leading to these charges was complex and crossed borders,” said Luke Wyllie, the National Crime Agency’s senior operations manager. “Our cybercrime officers have analyzed reams of data on the way. Cybercrime is not victimless, and we are determined to bring suspects before the courts,” the Financial Times reported.

Daniel Kaye is also being accused of operating a cyberattack against Liberia’s largest internet provider, Lonestar MTN. Kaye is scheduled to appear in the U.K.’s Westminster Magistrates Court on Aug. 31.

“In January, we were the target of a substantial distributed denial of service (DDoS) attack,” Lloyds Banking Group said in remarks according to news by the Financial Times. “This was successfully defended but resulted in intermittent and temporary service issues for some customers. There was no attempt to access the bank’s systems and no customer details or accounts were compromised.”



PlayStation Network was the Real Target of Mirai Botnet DDoS Attack Last Year

Last October the Mirai botnet, a malware strain that takes control of IoT (Internet of Things) devices and uses them in large distributed denial-of-service (DDoS) attacks that render the target website or server unreachable to legitimate visitors, was used to attack DNS provider Dyn.

According to a new study by researchers at Google, CloudFlare, Merit Networks, Akamai and several universities, the Mirai botnet attack last October on DNS provider Dyn may actually have been targeting the PlayStation Network (PSN).

The research, which was presented at the Usenix Security Symposium in Vancouver, suggests that the DDoS attack conducted via the Mirai botnet was meant to disable PlayStation Network services, as all the IP addresses targeted by the attack were name servers for the PSN.

These name servers were used by Dyn to connect users to the correct IP address. The Verge reported that this Mirai botnet attack which was targeted towards bringing down PSN might be the handiwork of angry gamers.

“Although the first several attacks in this period solely targeted Dyn’s DNS infrastructure, later attack commands simultaneously targeted Dyn and PlayStation infrastructure, potentially providing clues towards attacker motivation,” the researchers noted.

According to the researchers, it’s not only the PlayStation Network that was being targeted by the botnet. They also detected that Xbox Live, Valve Steam, and other gaming servers were attacked during the same period too.

“This pattern of behavior suggests that the Dyn attack on October 21, 2016, was not solely aimed at Dyn. The attacker was likely targeting gaming infrastructure that incidentally disrupted service to Dyn’s broader customer base,” the researchers added.

The researchers also pointed out that worms like Mirai thrive largely because of the absence of adequate security measures for IoT devices. This results in a "fragile environment ripe for abuse".

“As the IoT domain continues to expand and evolve, we hope Mirai serves as a call to arms for industrial, academic, and government stakeholders concerned about the security, privacy, and safety of an IoT-enabled world,” the researchers concluded.

The attack conducted using the Mirai botnet in October 2016 was not a standalone one. Since the Mirai worm's source code was made public, 15,194 attacks have been perpetrated on 5,046 victims (4,730 individual IPs, 196 subnets, 120 domain names) across 85 countries.

