Malware with bricking capabilities poses major threat after infecting 500,000+ networking device

A potentially highly destructive malware is estimated to have infected at least 500,000 networking devices in at least 54 countries since as far back as 2016, in what could be the prelude to a massive attack potentially capable of cutting off the internet from hundreds of thousands around the world.

Researchers from Cisco Systems’ Talos threat intelligence unit warn that the newly discovered malware, dubbed VPNFilter, has overlapping code with BlackEnergy, an APT trojan capable of DDoS attacks, information wiping, and cyber espionage that Russia allegedly used in past cyberattacks to disable the Ukrainian power grid.

The campaign’s connection to BlackEnergy, combined with its heavy emphasis on infecting Ukrainian hosts using a command-and-control infrastructure specifically dedicated to that country, leads Talos experts to believe Ukraine may again be the primary target of an imminent cyber assault.

Talos observed markedly heavy infection activity in Ukraine on May 8 and again on May 17. Meanwhile, Symantec, posted its own take on the threat, informing SC Media in emailed comments that while VPNFilter has spread widely, honeypot and sensor data seem to indicate that it is not scanning and infecting indiscriminately.

The malware compromises devices so that attackers can potentially spy on and collect their network traffic (including website credentials) and monitor Modbus supervisory control and data acquisition (SCADA) protocols used with industrial control systems.

It can even “brick” devices — individually or, far worse, en masse –rendering them unusable by overwriting a portion of the firmware and forcing a reboot. “In most cases, this action is unrecoverable by most victims, requiring technical capabilities, know-how, or tools that no consumer should be expected to have,” the Talos blog post explains.

“This shows that the actor is willing to burn users’ devices to cover up their tracks, going much further than simply removing traces of the malware,” the post continues. “If it suited their goals, this command could be executed on a broad scale, potentially rendering hundreds of thousands of devices unusable, disabling internet access for hundreds of thousands of victims worldwide or in a focused region where it suited the actor’s purposes.

Affected products include Linksys, MikroTik, NETGEAR and TP-Link small and home office networking equipment, and QNAP NAS devices.

“The type of devices targeted by this actor are difficult to defend, They are frequently on the perimeter of the network, with no intrusion protection system (IPS) in place, and typically do not have an available host-based protection system such as an anti-virus (AV) package,” Talos warns in its blog post. “We are unsure of the particular exploit used in any given case, but most devices targeted, particularly in older versions, have known public exploits or default credentials that make compromise relatively straightforward.”

The modular malware is comprised of three stages. The first stage, which establishes persistence, is unique among IoT malware programs in that it can survive a reboot. It also uses multiple redundant command-and-control mechanisms to discover the current stage-two deployment server’s IP address.

Stage two is in charge of file collection, command execution, data exfiltration and device management, and also possesses the “kill” function” that can brick devices. Stage three acts as a plug-in that provides the remaining known capabilities. “The capabilities built into the various stages and plugins of the malware are extremely versatile and would enable the actor to take advantage of devices in multiple ways,” Talos reports.

“VPNFilter is an expansive, robust, highly capable, and dangerous threat that targets devices that are challenging to defend,” warns Talos, which does suggest several mitigation techniques in its report. “Its highly modular framework allows for rapid changes to the actor’s operational infrastructure, serving their goals of misattribution, intelligence collection, and finding a platform to conduct attacks.”

In a security advisory, NETGEAR has advised running the latest firmware on routers, changing default admin passwords and ensuring that remote management is turned off.

“Given the list of compromised device models is large and potentially incomplete, it is recommended that everyone reboots their home routers and NAS devices one time,” said Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, in emailed comments. “This will remove any second- and third-stage malware from their devices, since the malware does not have persistence capabilities. It will leave the first stage in place, which will try to download the second stage again, but with law enforcement’s efforts to take down the known command-and-control infrastructure and the efforts by security vendors who provide equipment to internet service providers, the threat should be partially mitigated.”

Derek Manky, global security strategist at Fortinet, said in emailed comments that VPNFilter reminds him of a BrickerBot, a wormable IoT malware capable of knocking unsecured IoT devices offline.

“Last year we talked about while the BrickerBot was not a worm with mass adoption yet, it was a precursor of things to come,” said Manky. Forward to today, VPNFilter is the real deal, in the wild, and in full force, which makes it a much larger threat and quite concerning. This is a true brick, overwriting the first 5,000 bytes of memory,” resulting in a “dead state.”

Source: https://www.scmagazine.com/malware-with-bricking-capabilities-poses-major-threat-after-infecting-500000-networking-devices/article/768231/

  • 0

This new type of DDoS attack takes advantage of an old vulnerability

The new technique has “the potential to put any company with an online presence at risk of attack”, warn researchers.

A newly-uncovered form of DDoS attack takes advantage of a well-known, yet still exploitable, security vulnerability in the Universal Plug and Play (UPnP) networking protocol to allow attackers to bypass common methods for detecting their actions.

Attacks are launched from irregular source ports, making it difficult to determine their origin and blacklist the ports in order to protect against future incidents.

The new form of distributed denial-of-service attack has been uncovered and detailed by researchers at security company Imperva, who say it has been used by unknown attackers twice.

The UPnP protocol is commonly used for device discovery, especially so by Internet of Things devices, which use it to find each other and communicate over a local network.

The protocol is still used, despite known issues around poor default settings, lack of authentication, and UPnP-specific remote code execution vulnerabilities, which make the devices vulnerable to attack.

Just like the much-discussed case of easily exploitable IoT devices, most UPnP device vendors prefer focusing on compliance with the protocol and easy delivery, rather than security,” Avishay Zawoznik, security research team leader at Imperva, told ZDNet.

“Many vendors reuse open UPnP server implementations for their devices, not bothering to modify them for a better security performance.”

Examples of problems with the protocol go all the way back to 2001, but the simplicity of using it means it is still widely deployed. However, Imperva researchers claim the discovery of how it can be used to make DDoS attacks more difficult to attack could mean widespread problems.

“We have discovered a new DDoS attack technique, which uses known vulnerabilities, and has the potential to put any company with an online presence at risk of attack,” said Zawoznik.

Researchers first noticed something was new during a Simple Service Discovery Protocol (SSDP) attack in April. This type of botnet tends to be small and spoofs their victim’s IP addresses in order to query common internet connected devices such as routers, printers and access points.

While most of the attacks were arriving from the usual SSDP port number of 1900, around 12 percent of payloads were arriving from randomised source ports. Imperva investigated and found that a UPnP-integrated attack method could be used to hide source port information.

Attackers could easily find devices to take advantage of by using the Shodan IoT search engine — researchers found over 1.3 million devices which could be exploitable, especially if the attacker used scripts to automate discovery.

In order to not fall victim to this, businesses “should come up with a DDoS protection that is based on the packet payloads, rather than source ports only,” said Zawoznik.

However, researchers note that there is a relatively simple way to protect systems from this and other UNPnP exploits: just block the device from being remotely accessible, because in the vast majority of cases, they note, “it serves no useful function or has any benefit for device users”.

Source:https://www.zdnet.com/article/this-new-type-of-ddos-attacks-takes-advantage-of-an-old-vulnerability/

  • 0

Why the game industry is still vulnerable to distributed-denial-of-service attacks

The game industry has been under attack for a long time. Security professionals have often had to deal with distributed-denial-of-service (DDoS) attacks going back years.

It seemed like the problem was solved not so long ago, but then, the vector for attacks changed. With the rise of the Internet of Things (IoT), hackers were able to get their hands on many more compromised machines, and in turn, they were able to marshal those machines in much larger DDoS attacks. And so, the game companies are finding that they are getting flooded with attacks once again.

Nokia Deepfield helps companies defend themselves against such attacks. I spoke with Craig Labovitz, general manager of Nokia Deepfield, about the game industry’s ongoing vulnerability to DDoS attacks. That may not sound like the specialty you’d expect Nokia to have, but Nokia acquired Deepfield back in 2016 to ensure real-time network security and performance.

Here’s an edited transcript of our interview. GamesBeat and Akamai will hold a breakfast at the Electronic Entertainment Expo (E3) on June 14 to talk about games and security. Contact us through deantak on Twitter if you’d like to attend.

GamesBeat: Tell us about your interest in security and game companies.

Craig Labovitz: I’ve been doing DDoS for about 20 years now. I was a founder and chief architect at Arbor Networks, one of the first commercially successful DDoS companies. I was with Arbor for 12 years. After we left Arbor, we started Deepfield about five years ago, but our history goes back 25 years doing security, doing DDoS, particularly focused on unusual traffic blocking, traffic floods, things like that.

Deepfield had its start trying to do the next generation of security for both the large cloud guys, the large game guys, and the large carriers. Deepfield was an independent company for about five years. We grew pretty quickly, to cover about 90 percent of North America. We’d just started to enter Europe and Latin America and other parts of the world when we joined Nokia, about a year ago. Since then, we’ve been able to — Nokia provided additional investment. We’ve grown our technology, grown the base. Now, we’re deployed all over the world, doing both engineering and DDoS security.

GamesBeat: Why has this problem persisted for so many years? It sounds like an almost unsolvable issue in some ways, the fact that people can still do DDoS attacks.

Labovitz: Well, I’d actually say the opposite. When we left our last company, one of the reasons I left is I thought we were done. If you go back to 2011, all the carriers deployed appliances. It’s always an arms race between attackers and defenders, whether it’s war or security. In 2011, the defenders had the upper hand. Everyone had deployed the tech they bought from Arbor Networks. Generally, while DDoS was a nuisance, it wasn’t on the front page.

Back in 2000, when we started Arbor, DDoS was on the evening news. All the major brand names were under attack. 2011, there were still attacks, but most of them were easily mitigated. Technology had advanced to a point where we thought it was basically over. We saw the market declining. There wasn’t a lot of growth. It wasn’t in the news. Everyone who was going to buy had already bought: 80 or 90 percent of the large cloud and game companies. Then, things started to change, and you get to where we are today, which of course is a very different market.

GamesBeat: 2011 was a big deal in gaming security, because it was the year of the PlayStation Network hack.

Labovitz: Right. That was when things began to change, in that time frame. I left Arbor in 2011, and in the last five or six years, we’ve seen the resurgence. As far as why things changed, a couple of things have really changed the marketplace to where you’re seeing DDoS be such a pain point for our customers and for games, as well as other verticals.

What changed is, number one, the platforms changed, in the sense of we went from compromising PCs in consumer homes to millions of mobile devices. On a regular basis, we’re seeing cloud DVRs and other home devices participating in attacks. The number of compromised devices participating in botnets has tilted the balance of DDoS back to favor the attackers.

The second thing is just the bandwidth available. In 2010, I had a megabit, a couple of megabits at home? Now, I have hundreds. Other people have gigabits. You see significant last-mile advances in bandwidth and not just to consumers. We’ve seen the explosion of cloud servers and VMs, all of which we see being used as part of DDoS today. The firepower in terms of bandwidth has grown dramatically.

Now, we’ve gone from one device in a home you can compromise to as many as 30 or 40. We’re seeing some of these IOT devices participate in DDoS — like webcams. It’s gotten much easier for criminals to hijack devices all around the world. These devices aren’t connected to just a megabit anymore. Some of them have gigabit bandwidth to the rest of the Internet.

GamesBeat: And that sends a much higher volume of junk requests?

Labovitz: Correct. The number of devices to compromise has grown by a factor of 10 or, in some cases, 100, and the bandwidth to those devices has grown in the same way. All this has really happened since 2010, 2011, where we’ve seen the balance of DDoS tilt back to the attackers.

GamesBeat: What’s been the reaction on the defensive side?

Labovitz: Well, concern. It puts you in a tough position when your attackers grow by 10 or 100 times. It’s hard to counter that. That’s why DDoS, particularly in the last few years, is making headlines again and becoming more of a challenge.

It’s a pretty fundamental shift in the way people are thinking about security. When attacks are occasional, when attacks are small, whether you’re a game company or a provider you respond by adding stuff to the network, by adding servers or different security devices. When you get to this scale of attacks, when the attackers are 10 times bigger than any capacity you have, it’s no longer a matter of just adding more devices to the network. You have to fundamentally shift how you think about security, particularly with an eye toward things like DDoS.

GamesBeat: What has that shift been like?

Labovitz: Back in the day, I used to have a Palm Pilot. I had an MP3 player. I had five different devices that I carried with me that were all sort of adjunct. Similarly, in networking, you used to have a separate device for every possible function. You had a firewall, a DDoS box, an analysis box, a router, a management box. You tried to scale by scaling up all five or six of these things, and that worked for a good 15 [to] 20 years.

The problem, of course, is your attackers are now so much bigger than you are. It’s hard to scale each of those things separately by 10 or 100 times. What you’re seeing now across the market is a shift to move away from that Palm Pilot view of the universe and look to have this embedded in the network, embedded in the infrastructure. You can’t just add it on as an afterthought.

For years, security was an afterthought. You build your network, your game, or your data center, and then, you added security to it. The real shift today is it needs to be part of how you build it from day one. It needs to be everywhere, ubiquitous, embedded. It needs to scale at the same rate you scale your game servers and your network. That’s what we’re seeing in the market today.

GamesBeat: If you had to tick off, say, five things game companies have to worry about, where would you put DDoS in that spectrum of security problems?

Labovitz: It’s kind of like asking a homeowner how they consider security. If they’ve never been burglarized, that’s the last thing on their list. Someone who’s just been broken into or someone who’s made the front page of the Wall Street Journal because they just lost five percent off their stock value, they might have a different opinion. Having done DDoS for 20 years, our best sales were the day after. We used to call them the day-after sales. The day after someone made the front page of the Financial Times, those were the easiest sales we ever had. You hear similar stories about home alarm systems.

When we started doing DDoS 20 years ago, we had to convince people they needed DDoS protection. I think the market has largely matured, and people believe they need it. The question is how much. Clearly losing all your game infrastructure for a period of hours or days is catastrophic to the business. In terms of things you worry about, that would probably be near the top of the list. Things that pose an existential threat to a company are good things to worry about.

GamesBeat: As far as where the online game operators are at, are they effectively all outsourcing this function to the likes of Akamai or Amazon? Do they say to the providers, “Hey, if I get attacked, just give me some more compute resources and get me through it?” Or, is there a different mix of infrastructure.

Labovitz: If you look at the game companies, what’s been interesting over the last three or four years is they’ve come to look a lot like network providers. They’re starting to not only do DDoS themselves, but they’re building their own data centers, laying their own dark fiber, handling more and more as performance becomes a competitive element in games. We see the top five game companies take over more and more of their own infrastructure, down to dark fiber. They’re building out their own global networks.

We did see a period of outsourcing, but now, the opposite is happening, as performance and latency and jitter become more important. As scale has grown, the major game operators — certainly in the U.S. and also in other parts of the world — have made big investments in infrastructure.

GamesBeat: We haven’t talked much about platforms yet, but are we talking about consoles or PC or even mobile? I know that on mobile now, the fast interaction has been very important for games like Clash Royale or Arena of Glory. These are multiplayer team games. They seem to be very sensitive to latency problems. If they’re getting attacked, is that another layer to the problem?

Labovitz: There are definitely attacks there. I think most of the issues we see and hear about from our game customers and carrier customers are more the first-person shooters. We see a ton of — it’s just constant. At any given time for some networks, as much as five or 10 percent of traffic is just people with Xboxes or other console games trying to block someone else.

When we talk about DDoS with respect to gaming, there are two types of attacks. One is you’re specifically targeting another consumer, trying to knock them off, knock their IP address off. The other is you might have monetary incentives. You might go after one of the main game companies and attack their servers. We see both of those. Less frequent, though they happen on a regular basis, are the attacks against servers. But we do see a constant, never stopping wave of gamers attacking each other for whatever motives.

GamesBeat: In that case, they’re going to the trouble of finding a farm to use to attack someone?

Labovitz: I don’t know if it’s a farm exactly. There are just sites that you can go to, pay $10 or whatever, and get a link. I don’t think it’s that much trouble. If you have a credit card or Bitcoin, you too can launch a DDoS.

GamesBeat: Now, we’re getting to another part of the problem, then, that something like this isn’t getting shut down.

Labovitz: No, they’re not. It used to be a big deal, to find a machine that [had] a gigabit of bandwidth. Today, you can rent one. We’ve seen an explosion of bandwidth, an explosion of devices out there, servers and others. Stuff on the edge has grown by 10 or 100 times. You’re left with the guys in the middle of the Internet facing — I remember I had a pool growing up, and sometimes, the algae in it would just explode overnight. I think that’s how a lot of game companies and carriers feel, facing 10 times the devices with 10 times the bandwidth. You can buy any of it for a few bucks.

GamesBeat: How do you mitigate this?

Labovitz: As I say, we have pretty broad coverage. Our customer base includes a large cross section of the major game companies, as well as providers, in North America. The game companies do two things. We work with them on traffic engineering and visibility. We can detect unusual spikes, unusual shifts in traffic. We also work with devices on the network, particularly — a lot of our focus is not on third-party devices, that Palm Pilot world, but we’re working with a lot of the router vendors. Nokia, of course, is a big focus there, but we’re also working with other providers that do the plumbing of the Ethernet.

Deepfield’s big idea, instead of what we used to do when security was something you added to the network, we’ve been working with all of these providers to make sure it’s built in. Every bit of networking device has the capability to block and to filter. We’re working with them to build these blocking capabilities, to build this intelligence in the network, so we can accommodate this huge explosion of devices and bandwidth over the last few years.

GamesBeat: I’ve written a lot about semiconductor companies like ARM that are trying to build trust networks and physical hardware security for IoT chips. Is any of that helping yet? Or do we have too many unprotected devices already out there?

Labovitz: I’ve never won my battles against the moles in the backyard, and that’s never going to happen on the Internet. We’re never going back. Pandora’s box is open. Just as an example, do you know what’s the most popular domain name on the Internet as far as DNS queries?

GamesBeat: Maybe some kind of movie pirating site?

Labovitz: Nope. It’s not Google or Facebook either. The single most popular thing queried on the Internet is time.netgear.com because eight years ago, a bug was introduced into the firmware of routers, where devices would make regular queries well beyond anything they really needed to do to set their time. That bug was fixed long ago, but what’s fascinating is that it’s still by far the most popular thing queried on the Internet. That speaks to how hard it is, once firmware gets out there — the changes of that getting permanently fixed, it’s like a radioactive half-life. We’re stuck with it forever.

GamesBeat: As far as game companies go, are they collectively addressing this in some way? Do they have their own security conferences or other signs they’re approaching this as a group?

Labovitz: Certainly, there’s a very tight security community. It’s not very big. All of us know each other and travel in the same circles. There’s a lot of collaboration. It’s not just the game companies, of course. Whether you’re a game company, a financial company, or one of the ISPs, security crosses all of those. There’s a lot of interaction as we push on initiatives and share information about the threats we’re seeing, as well as working with vendors like Nokia as we work on solutions and try to implement them.

We spend a lot of time talking to different groups and working with different parties. I’m not aware of a specific security organization just for gaming, but certainly, there are a lot of discussions, a lot of engineering meetings. It’s a fairly small community, and it works together.

GamesBeat: As far as other problems besides DDoS, what do you see in security that relates to games?

Labovitz: I can only tell you about what we deal with. I read articles about other things, like loot box fraud, but the problems we deal with in the market, what I personally interact with — it’s just keeping everything running as this stuff continues to scale. Keeping it running, keeping the latency and performance up. Part of that is blocking DDoS, but it’s also just managing the complexity of traffic.

It used to be that whenever you went to Netscape.com, you went to a single server. Today, if you play a game or watch a video, a lot of infrastructure needs to work together from different game servers, different telemetry servers, and content distribution. Power has come at the cost of complexity. Traffic comes from a lot of places. Lots of things go into playing a game. Managing that traffic as it makes its way across the Internet, having the real-time visibility into quality so that as things shift, you can adjust, and, of course, having real-time visibility into DDoS and security. We really help with all of that: just managing stuff, keeping it up and running, and maintaining basic levels of quality in the experience.

GamesBeat: When you do that, are you interacting directly with game companies, or do you work through intermediaries like Amazon or other games-as-a-service vendors?

Labovitz: We do a little bit of both. We do have direct companies we interact with that are game companies.

GamesBeat: Do you have some predictions on this front? It seems like it can only get to be a bigger and bigger problem.

Labovitz: I’m lousy at predicting the future. Like I said, in 2010, I predicted that DDoS was over. I left my previous DDoS company thinking we were done. But I can give you some predictions with that in mind.

I think we’re in the early days of IoT. I’m one of those guys who vowed to never have an IoT device at home, and now — well, I don’t want to talk about what I have in my home. But if you take my mother, she has a Nest doorbell. She has connected speakers. We’re still in the early days of things in the home that have IP addresses. We’re also in the early days of bandwidth. The bandwidth predictions we’re seeing these days are wild. If you look at 5G, suddenly, we’re talking about every phone having huge amounts of bandwidth available in addition to IoT devices.

I don’t think we’ve made the advances we need to in terms of figuring out how to secure servers, how to secure IoT. I don’t think we’ll win that. There’s no magic bullet. We’ve been trying to win as far as protecting PCs and protecting servers for 30 or 35 years. It hasn’t happened yet. It’s not likely to happen any time soon. We’re seeing new threats even at low levels. The threat will continue to grow.

My main prediction is we need to be able to build this stuff into the network itself. You mentioned ARM and others. We’re seeing significant advances in the basic chipsets. Nokia makes our own hardware, so we like to think we’re ahead of the curve, but we’re seeing even some of what’s called merchant silicon, the commodity chips market. They’re a little bit behind, but we’re seeing a lot of advances in merchant silicon as well.

I have high hopes that if we can build this into the network, if we can make sure the hardware advances continue, and if security isn’t an afterthought but really starts to become a part of how we build everything, we can have a chance of improving or at least maintaining the status quo. I don’t know if we’ll ever win.

GamesBeat: I had a couple of questions about streamers. A few years ago, there was a streamer who became very popular broadcasting on Twitch, and he was followed by a bunch of DDoS attack groups. They had a sort of sparring conversation. He would go play a game, and then, the attackers would take down that game while he was trying to stream and repeat the process every time he started a new game. People would watch this, and the audience got bigger and bigger as the day went on. Every game he tried to play, the attackers took down. Some of these streamers have enormous audiences now, with hundreds of thousands of concurrent viewers. I wonder if there’s a way they have of protecting themselves now.

Labovitz: That’s another big thing. Like I say, there are two types of attacks we see. You have attacks against servers and then attacks against players or even streamers. Previously, I think most of the focus was on the servers, higher up on the network. But we’re seeing the volume of malicious traffic — and a lot of that is DDoS — becoming so large that it’s a performance win if your provider can automatically block this traffic when it first enters the network. We’re starting to see carriers — including probably your provider because we’re working with a lot of the U.S. providers — who are trying to add these capabilities for blocking traffic before it ever enters the network.

Going back 5 [to] 10 years, DDoS protection was so expensive that it was just the big banks and a handful of other companies that were purchasing it. Of course, those numbers have come down. You can protect web pages. But the cost of protecting your business traffic or your traffic at home is still prohibitive. Sometimes, that’s not even technically available.

What we are seeing, though, is DDoS protection going from something you add to the network to something that is available, that’s already in place for every customer. It’s just part of the network. We’re starting to see the buildout of infrastructure and capability to block DDoS everywhere in the network, and that capability could be available, whether automatically or for a fee, to every home user and every business. We’re seeing DDoS go from something available to dozens or hundreds of companies to something that’s available to everyone as the problem has become more significant [and] more ubiquitous.

As I say, this has taken a while, but we’re finally seeing a convergence of technology and incentives. This stuff is cyclical. Back in 2010, I thought we had won. Then, the world changed on us. In hindsight, the ways it changed are obvious, but hindsight is always obvious. We’re starting to see more capabilities built into the network, and that’s quite encouraging.

Source: https://venturebeat.com/2018/05/13/why-the-game-industry-is-still-vulnerable-to-distributed-denial-of-service-attacks/view-all/

  • 0

Incident Of The Week: 15K Accounts Breached At U.K. Credit Union

In the dynamic world of cyber security, breaches are both tightly guarded and, sadly, imminent.

Combing through data, market research and threat-defense efforts taken by enterprises can be a daunting task. Here at Cyber Security Hub, we both track the latest industry news and make it more navigable for the IT professional. CSHub coverage extends outwards – as it helps enterprises batten down their proverbial hatches.

In this edition of “Incident of the Week,” we examine a data breach that affected 15,000 members of a U.K.-based credit union.

Threat actors targeted the Sheffield Credit Union (SCU), and officials have warned against the potential compromise of personally identifiable information (PII). SCU said information including names, addresses, national insurance numbers and bank details were accessed, according to a report from the BBC.

The same report notes that the attack happened on Feb. 14, 2018, but only emerged recently after hackers attempted to demand a ransom on the heisted data.

South Yorkshire Police reportedly worked with the SCU and Action Fraud to ameliorate the situation. The BBC notes that the Information Commissioners Office (ICO) was also made aware of the occurrence. The SCU also said its security has heightened since. Nevertheless, the credit union is being cautious in warning that the incident could find hackers looking to defraud customers.

The SCU pointed out in a letter to its members that the breach “may expose you to text messaging, cold calling and attempts to defraud.”

Chairwoman of Trustees, Fiona Greaves, reportedly said that hackers likely accessed the data in a “brute-force” attack, in which they overpower systems with password combinations to crack the proverbial code.

She said that members do not need to assume that the data loss will result in “wholesale fraud,” but that “people need to be aware.” The credit union also suggests that members monitor accounts for anomalous activity.

In a news release on the SCU site, the credit union wrote that in the wake of the attack, “and numerous other similar attacks on businesses large and small,” its aim is to keep members “safe from scammers.”

It offers helpful tips for effective cyber hygiene, some of which include:

  • Use caution in giving out bank details; make sure you are 100% sure it’s the right organization
  • Do not change bank details without thorough vetting/verification
  • Only access a company’s official website; enter by typing the address in the browser
  • Log out of systems after you’ve finished
  • Add virus and malware protection to any device that uses the Internet (including IoT devices)
  • Carry out regular software updates (allow for automatic ones if possible)
  • In downloading software, ensure it’s from a reputable/verifiable source
  • Count on updating your passwords regularly (and making them complex)

While these tips are aimed at the SCU member base, they are largely applicable for the enterprise – as security teams oversee awareness campaigns to educate staffers about proactive cyber behavior/hygiene.

Both health and financial data (highly sensitive) will continue to fall within the crosshairs of hackers. Password offensives such as the “brute-force” attack can become a true thorn in the side of IT security practitioners.

In a recent article for the Cyber Security Hub, Integral Partners’ Director of Information Security Services, Kayne McGladrey, said, “Multi-factor authentication (MFA) that incorporates User Behavior Analytics (UBA) is the lowest-cost and easiest solution for organizations to prevent both credential stuffing and password spraying attacks. These attacks both work because the user account is typically protected with a password which may be stolen or guessed, and which may be reused at multiple websites and cloud services.

“MFA requires that the user provide a second form of authentication to access a cloud service… Modern MFA solutions incorporate UBA, which can require MFA only when the user is doing something unusual… This simple and elegant solution can protect both non-privileged business and privileged users.”

Source: https://www.cshub.com/news/incident-of-the-week-15k-accounts-breached-at-uk

  • 0

Hide and Seek Brings Persistence to IoT Botnets

The rapidly evolving Hide and Seek botnet is now persistent on a wide range of infected IoT devices.

IoT devices tend to be simple. So simple, in fact, that turning them off and back on again has historically been a reliable way to eliminate malware. Now, though, a new variant of the Hide and Seek bot can remain persistent on IoT devices that use a variety of different hardware and Linux platforms.

A research team at Bitdefender described the new variant of a botnet they had first discovered in January with notes of two important developments, one novel and one in keeping with a broader trend in malware.

Persistence in IoT devices is novel and disturbing since it removes a common defense mechanism from the security team’s toolbox. In order to achieve persistence, Hide and Seek must gain access to the device via Telnet, using the protocol to achieve root access to the device. With root access, a file is placed in the /etc/init.d/ directory where it executes each time the device is rebooted. According to the Bitdefender researchers, there are at least 10 different versions of the executables that can run on 10 different system variants.

“Once this new botnet has been armed, it isn’t going to do anything but increase the availability of the already prevalent DDoS tools for those looking to launch such attacks,” says Sean Newman, director of product management at Corero Network Security. He points out that this is disturbing for technology advancement reasons, but it might not immediately make a huge impact on the DDoS environment. “With most IoT devices rarely rebooted and easily re-infected if they are, it feels like this may not make as much impact as you might think to the already burgeoning supply of botnets,” he says, “particularly those being used to launch damaging DDoS attacks.”

As part of a broader trend in malware, Hide and Seek shows considerable development and evolution in the code being deployed. Since its initial discovery in January of this year, “The botnet seems to undergo massive development as new samples compiled for a variety of architectures have been added as payloads,” according to the Bitdefender Labs blog post on the malware.

“This showcases the continued evolution of malware and how the internet continues to democratize access to information, malicious or otherwise,” says Dan Mathews, director at Lastline. He lists some of the ways in which the industry has seen botnet malware evolve since the days of Mirai, including, “…default & expanded password guessing and cross-compiled code to run on multiple CPU architectures added, as well as exploits added to leverage IoT vulnerabilities, exploits added for peer to peer communications, and now exploits added for persistence.”

Hide and Seek’s original version was notable for using a proprietary peer-to-peer network for both C&C and new infection communication. Now that persistence has been added to the feature mix, the botnet has become a more pressing concern for the owners of the 32,000+ already infected and those IoT devices that are vulnerable and still unprotected.

Source: https://www.darkreading.com/iot/hide-and-seek-brings-persistence-to-iot-botnets/d/d-id/1331783

  • 0

DDoS Attacks Ebb and Flow After Webstresser Takedown

Shortly after Infosecurity Magazine reported that administrators of the world’s largest DDoS-as-a-service website had been arrested, Link11 wrote a blog post, concluding that “In the short period of time since that date, the Link11 Security Operation Center (LSOC) has seen a roughly 60% decline in DDoS attacks on targets in Europe.”

The reported deduction differs significantly from the findings of Corero Network Security. President Andrew Lloyd questioned the conclusions drawn by Link11, saying, “Our own evidence is that attack volumes globally and in Europe have, if anything, increased in the week since the Europol take-down action.”

In stark contrast to the LSOC findings, Corero noticed a spike in distributed denial-of-service (DDoS) attacks around 17 April but said, “Since then, European attacks have remained higher in the second half of the month versus the first half of April and the year as a whole.”

The news that law enforcement agencies had closed down Webstresser.org was a big win for cybercrime fighters. “But even so, the number of attacks will only decrease temporarily,” said Onur Cengiz, head of the Link11 security operation center. “Experience has shown in recent years that for every DDoS attack marketplace taken out, multiple new platforms will pop up like the heads of a hydra.”

A Kaspersky Lab study released on 26 April, on the heels of the Webstreser takedown, gives evidence that supports the changing tides of DDoS attack types and the ebb and flow of attacks Cengiz’s alluded to in his statement.

According to the Kaspersky Lab DDoS report, Q1 revealed an increased number of DDoS attacks and targets, but there are distinctions among the different attack methods. “Amplified” attacks were beginning to wane but had a bit of a boost in momentum, while network time protocol (NTP) and DNS-based boosting had almost disappeared after most vulnerable services were patched.

DDoS attacks as a means of personal revenge grew more popular in Q1 2018. Also trending were Memcached attacks that resemble a typical DDoS attack; however, according to the Kaspersky report, “Cybercriminals will likely seek out other non-standard amplification methods besides Memcached.”

As server owners patch vulnerabilities, there will be dips in certain types of attacks. “That being the case, DDoS masterminds will likely seek out other amplification methods, one of which could be LDAP services,” the Kaspersky report authors wrote.

Source: https://www.infosecurity-magazine.com/news/ddos-attacks-ebb-flow-after/

  • 0

Why DDoS Just Won’t Die

Distributed denial-of-service attacks are getting bigger, badder, and ‘blended.’ What you can (and can’t) do about that.

Most every organization has been affected by a distributed denial-of-service (DDoS) attack in some way: whether they were hit directly in a traffic-flooding attack, or if they suffered the fallout from one of their partners or suppliers getting victimized.

While DDoS carries less of a stigma than a data breach in the scheme of security threats, a powerful flooding attack can not only take down a company’s network, but also its business. DDoS attacks traditionally have been employed either to merely disrupt the targeted organization, or as a cover for a more nefarious attack to spy on or steal data from an organization.

The April takedown by the UK National Crime Agency and Dutch National Police and other officials of the world’s largest online market for selling and launching DDoS attacks, Webstresser, was a big win for law enforcement. Webstresser boasted more than 136,000 registered users and supported some four million DDoS attacks worldwide.

But in the end, Webstresser’s demise isn’t likely to make much of a dent in DDoS attack activity, experts say. Despite reports that the takedown led to a significant decline in DDoS attacks, Corero Network Security saw DDoS attacks actually rise on average in the second half of the month of April. “Our own evidence is that attack volumes globally and in Europe have, if anything, increased in the week since the Europol take-down action,” said Andrew Lloyd, president of Corero.

Even without a mega DDoS service, it’s still inexpensive to wage a DDoS attack. According to Symantec, DDoS bot software starts as low as a dollar to $15, and less than one-hour of a DDoS via a service can go from $5 to $20; a longer attack (more than 24 hours) against a more protected target, costs anywhere from $10 to $100.

And bots are becoming even easier to amass and in bigger numbers, as Internet of Things (IoT) devices are getting added to the arsenal. According to the Spamhaus Botnet Threat Report, the number of IoT botnet controllers more than doubled last year. Think Mirai, the IoT botnet that in October of 2016 took down managed DNS provider Dyn, taking with it big names like Amazon, Netflix, Twitter, Github, Okta, and Yelp – with an army of 100,000 IoT bots.

Scott Tierney, director of cyber intelligence at Infoblox, says botnets increasingly will be comprised of both traditional endpoints—Windows PCs and laptops—as well as IoT devices. “They are going to be blended,” he said in an interview. “It’s going to be harder to tell the difference” in bots.

The wave of consumer products with IP connections without software or firmware update capabilities will exacerbate the botnet problem, according to Tierney.

While IoT botnets appear to be the thing of the future, some attackers have been waging old-school DDoS attacks: in the first quarter of this year, a long-tail DDoS attack lasted more than 12 days, according to new Kaspersky Lab research. That type of longevity for a DDoS was last seen in 2015.

Hardcore heavy DDoS attacks have been breaking records of late: the DDoS attack on Github recently, clocked at 1.35 terabytes, was broken a week later by a 1.7TB DDoS that abused the Memcached vulnerability against an undisclosed US service provider. “That Github [DDoS] record didn’t even last a week,” Tierney said in a presentation at Interop ITX in Las Vegas last week.

The DDoS attack employed Memcached servers exposed on the public Internet. Memcached, an open-source memory-caching system for storing data in RAM for speeding access times, doesn’t include an authentication feature, so attackers were able to spoof requests and amplify their attack. If properly configured, a Memcached server sits behind firewalls or inside an organization.

“Memcached amplification attacks are just the beginning” of these jacked-up attacks, Tierney said. “Be ready for multi-vector attacks. Rate-limiting is good, but alone it’s not enough. Get ready for scales of 900Mbps to 400Gbps to over a Terabyte.”

Tierney recommended ways to prepare for a DDoS attack, including:

  • Establish a security policy, including how you’ll enact and enforce it
  • Track issues that are security risks
  • Enact a business continuity/disaster recovery plan
  • Employ good security hygiene
  • Create an incident response plan that operates hand-in-hand with a business continuity/disaster recovery plan
  • Have a multi-pronged response plan, so that while you’re being DDoSed, your data isn’t also getting stolen in the background
  • Execute tabletop attack exercises
  • Hire external penetration tests
  • Conduct user security awareness and training
  • Change all factory-default passwords in devices
  • Know your supply chain and any potential risks they bring
  • Use DDoS traffic scrubbers, DDoS mitigation services

Source: https://www.darkreading.com/endpoint/privacy/why-ddos-just-wont-die/d/d-id/1331734

  • 0

From The Internet Of Things To The Internet Of Thoughts

The development of the cyber environment is articulated through new digital scenarios — from the technological development of smartphone apps to the Internet of Things, from the sharing economy to social networks — the circulation of personal data has expanded extensively and rapidly. In particular, I recognize a slow but decisive transition from a material, utilitarian and free sharing typical of the sharing economy, for which self-regulation was sufficient, to today’s atmosphere of social sharing. If the services of the sharing economy technologies seemed to put the privacy of users at risk, the new system seems to be even more saturated with issues. In fact, the social sharing of photographs, thoughts and confidential information risks endangering the privacy of internet users and, considering that much of this personal data is also transported overseas where the discipline and the protection provided is profoundly different, the question becomes extremely complex.

This shift is characterized by the diffusion and horizontal expansion of increasingly sophisticated and integrated social engineering methods and techniques, and through the release and sharing of technologically persuasive applications. These scenarios are found in the profile of cyber ttacks and are significant characterizations in terms of behavioral matrixes and operational creativity.

Inevitably, the concepts of knowledge and information management have been redefined and are now almost completely digitalized, with significant relapses in terms of security. In today’s cyber scenario, a new multidimensional concept of security has emerged, deriving from the interpenetration of the paradigms of social change and digital-media convergence — both understood as multipliers of instances coming in particular from the underground. This underground becomes ever more reticular, competent and cohesive, from a digital point of view, until it’s the “cartilage” of the system exoskeleton, not only in infrastructural terms but also in terms of cultural identity.

As a result, open society, right-to-know and digital info sharing become the pillars of contemporary democratic architecture. It is necessary to explore cyberspace in a deep and scientific way — to understand it as a human space, one which needs to be identified and analyzed dynamically, with scientific rigor, avoiding any reductionist simplicity dictated by the fashions of the moment. The specificities and the socio-cultural differences between activism and hacktivism are also worth examining in the transition process toward fully digital models of politics and diplomacy.

As an example, Bitcoin should not be considered mere virtual currency, but also as an instrument, product and modality of self-construction. It’s an identity-based dissemination of digital exchange communities and an interactive process through which all the subjects involved create information, innovation and resources.

It is essential to direct operational research into the elaboration and anticipation of scenarios that are no longer futuristic or even too far in the future — ones in which we imagine the impact and dynamics of the cybercriminals who use distributed denial of service (DDoS) or botnet attacks. These attacks might be a self-legitimized form of cyber-protest or a revisitation, in a cyber environment, of protest sit-ins that animated most of the 20th century and which often caused paralysis not only of viability but also of the vital functions of important institutions.

The unknown journey that leads humanity toward post-globalization is strongly marked by some pieces of evidence including the conflicts arising from the frictions between the development of the metropolitan institutional environment and the organizational dynamics of transnational digital communities and the advent of new sexual-digital identities.

We are witnessing the progressive emergence of organized and globalized criminals, above all at the level of the media. These criminals are born from the necessity of evolution through the web, pre-existing local and internationalized structures, and by long processes of criminal hybridization. This hybridization has connected them through the web. This evolution requires a resetting of operational missions based on full integration between social sciences and computational technologies in order to uncover qualitative and quantitative strategies that can be used to attain a deep understanding of the organized and now digitized criminal complex.

The triangulation of big data, web intelligence and information assurance turns out to be the key to managing the complexity and the centrality of information, which is now the regulating essence of every aspect of life. Today, it’s important to focus not just on the internet of things but also on the sometimes obscure internet of thoughts, which requires equal amounts of analytical attention. This emphasizes that today cyber can no longer be considered an object external to mankind, and should instead be seen as pervasively connected to it. Therefore, in firmly considering cybersecurity as a dynamic process and not a static product, it is evident that it is not possible to guarantee the security of the globalized citizen in relation to the relationship between freedom and democracy, without using appropriate conceptual tools to understand and manage the complexity that turns out to be unquestionably human, cultural and social.

Source: https://www.forbes.com/sites/forbestechcouncil/2018/05/07/from-the-internet-of-things-to-the-internet-of-thoughts/#67a7651c736f

  • 0

DDoSer Who Terrorized German and UK Firms Gets Off Without Jail Time

A German hacker who launched DDoS attacks and tried to extort ransom payments from German and UK firms was sentenced last month to one year and ten months of probation.

The hacker, identified by authorities only as 24-year-old Maik D., but known online as ZZb00t, was fingered for attacking companies such as eBay.de, DHL.de, billiger.de, hood.de, rakuten.de, DPD.de, EIS.de, ESL.eu, but also some UK firms.

Hacker would launch DDoS attacks and then extort victims

ZZb00t would act following the same pattern. He’d first warn companies via Twitter, and then launch DDoS attacks, taking down services from hours to up to a day.

Maik, who in real life was an IT security consultant, would often criticize companies for their poor security practices.

“Sadly but true @[REDACTED] your servers just sucks,” he wrote in one tweet. “Never thought that [REDACTED] was so extremely poorly protected. It’s more than embarrassing,” he wrote in another.

He’d often claim his actions were only for the purpose of exposing security weakness, claiming he was a vulnerability hunter.

But Maik wouldn’t launch DDoS attacks just out of the kindness of the kindness of his heart so that companies would improve security. The hacker would often send emails promising to stop attacks for a payment in Bitcoin.

Hacker arrested after one company pressed charges

His DDoS and extortion campaigns have been tracked all last year by German blog Wordfilter.de [1, 2, 3, 4]. A recently released Link11 report details the hacker’s tactics.

The hacker was active at the same time as another DDoS extortion team named XMR Squad, and Link11 claims in its report that there was a working relationship and coordination of attacks between ZZb00t and XMR Squad members.

Link11 says it documented over 300 of ZZb00t’s tweets related to attacks he carried out before German authorities arrested the suspect on May 23, last year, putting an end to his attacks.

Source: https://www.bleepingcomputer.com/news/security/ddoser-who-terrorized-german-and-uk-firms-gets-off-without-jail-time/

  • 0

Security Holes Make Home Routers Vulnerable

Security threats abound on the internet, which is why ethical hackers and security researchers spend much of their time in search of these issues. As part of the work that they do to keep the internet safe, researchers at vpnMentor announced that they have found an RCE vulnerability in the majority of gigabit-capable passive optical network (GPON) home routers.

With more than 1 million people using the GPON fiber-optics system, the network is pretty popular. Because so many routers today use GPON internet, the researchers conducted a comprehensive assessment on a number of the home routers and found a way to bypass all authentication on the devices, which is the first vulnerability (CVE-2018-10561).

“With this authentication bypass, we were also able to unveil another command injection vulnerability (CVE-2018-10562) and execute commands on the device,” vpnMentor said.

Through a comprehensive analysis of the GPON firmware, researchers learned that the combination of the two vulnerabilities granted full control of not only the devices but their networks as well.

“The first vulnerability exploits the authentication mechanism of the device that has a flaw. This flaw allows any attacker to bypass all authentication,” they wrote. This critical vulnerability could leave users’ gateways vulnerable to being used for botnets.

The authentication bypass bug could easily be exploited so that the gateways could be accessed remotely. “If verified, these home gateways join the escalating category of botnet-vulnerable IoT devices, and they underscore the growing risk of very large botnet-based DDoS attacks,” said Ashley Stephenson, CEOCorero Network Security.

Because this class of routers is most often directly connected to high-speed broadband internet connections, compromised devices could be covertly herded by a bot master to form a botnet large enough to generate high-impact distributed denial-of-service (DDoS) attacks against victims around the world, said Stephenson.

Source: https://www.infosecurity-magazine.com/news/security-holes-make-home-routers/

 

 

  • 0