Discovery of 8,800 servers sends warning to Asian cybercriminals

In one of the more curious cybercrime announcements of recent times, Interpol’s Asian centre says it has “identified” 8,800 servers used as command & control (C2) for all sorts of bad things including DDoS attacks and distributing ransomware and spam.

You read that correctly. Interpol hasn’t disrupted these servers, merely passed information on their whereabouts and malevolent purpose to police forces in eight countries, including Malaysia, Myanmar, Philippines, Singapore, Thailand and Vietnam.

The operation isolated the C2 by working back from 270 websites infected with malware, assisted by intelligence and know-how from a number of cybersecurity companies.

Added Interpol:

Among them were several government websites which may have contained personal data of their citizens.

Individual criminals were also identified in Nigeria and Indonesia, which hints that arrests might be forthcoming.

It sounds like a modest achievement until you remember that Asia is a favoured geography for malware hosting infrastructure (including servers used to attack other parts of the globe) and one that has, historically, seen underwhelming levels of cross-border co-operation.

If action at national level in the countries affected eventually sees the servers disappear forever, it’s not something to be sniffed at.

The bigger picture is that Interpol’s Global Complex for Innovation (IGCI), opened in Singapore in 2015, is signalling that it’s up and running and able to make a difference – however emblematic.

Cybercrime can be mitigated by technology, of course, but few doubt the importance of going after it at the roots, both the servers and the people who run and profit from them.

It’s a massive challenge because these people can base themselves anywhere in the world, and introducing legal hazard into their lives requires the sort of co-operation police forces and governments aren’t used to.

Founded as long ago as 1923 as the International Criminal Police Commission (ICPC), Interpol is turning out to be a useful tool in the battle against cybercrime.

Cybersecurity companies like it because its regional centres act as an independent broker that allows them to put aside commercial considerations. Police forces value it because it means they can have a relationship with one centre instead of possibly dozens of national operations.

But its biggest significance is it gets the private and public sectors to work together, the former with intel and the latter with legal authority.

Recent Interpol cybercrime operations have included disrupting the Avalanche botnet late last year, and the takedown of the Simda botnet two years ago. Between times were the arrests of individuals accused of being behind the infamous DD4BC DDoS extortion racket, and a global operation across Interpol’s divisions to rid the world of the one-million strong Dorkbot botnet.

Only days ago, Europol’s European Cybercrime Centre (EC3) announced it had coordinated an operation between UK and Spanish police that saw the arrest of five people accused of distributing Remote Access Trojans (RATs) and keyloggers.

We should interpret the identification of 8,800 C2 servers as good PR for Interpol but also, to quote Interpol’s chief superintendent Chan, “a blueprint for future operations”.


8 DDoS Attacks That Made Enterprises Rethink IoT Security

Distributed Denial of Service Disasters

The overall frequency of distributed denial of service (DDoS) attacks increased in 2016 thanks, in part, to Internet of Things botnets, according to information service provider Neustar. The company said it mitigated 40 percent more DDoS attacks from January through November, compared to the year earlier.

Neustar warned that as botnet code assemblies are published, dangerous new DDoS developments will continue to emerge, such as persistent device enrollment, which enables botnet operators to maintain control of a device even after it’s rebooted.

From colleges to entire U.S. regions, here are eight situations where vulnerable IoT devices brought down networks.

DDoS Attack Affects U.S. College For 54 Hours

A distributed denial of service attack on a college in February, recently made public by security firm Incapsula, affected that institution’s network for 54 hours straight.

Incapsula recently revealed the attack, noting that the attackers seemed adept at launching application layer assaults from a botnet of vulnerable IoT devices.

“Based on a number of signature factors, including header order, header values and traffic sources, our client classification system immediately identified that the attack emerged from a Mirai-powered botnet,” according to an Incapsula spokesperson in a blog post. “Our research showed that the pool of attacking devices included those commonly used by Mirai, including CCTV cameras, DVRs and routers.”

DDoS Attack Takes Down Netflix, Twitter

An October DDoS attack – which was launched through IoT devices and blocked an array of websites – deepened the industry’s concerns over the security risk of the Internet of Things.

The denial of service attack was launched through Internet of Things consumer devices, including webcams, routers and video recorders, to overwhelm servers at Dynamic Network Services (Dyn) and led to the blockage of more than 1,200 websites.

The attack on Dyn, whose DNS service connects users to websites such as Twitter and Netflix, came from what Dyn initially estimated as tens of millions of IP addresses on devices infected with malicious software, knocking out access by flooding Dyn’s name servers with junk traffic.

DDoS Attack Through Vending Machines Hits University

Verizon’s preview of its 2017 Data Breach Digest in February revealed that an unnamed university was hit by a DDoS attack launched through vending machines, lights, and 5,000 other IoT devices.

According to Verizon, an incident commander noticed that “name servers, responsible for Domain Name Service (DNS) lookups, were producing high-volume alerts and showed an abnormal number of sub-domains related to seafood.”

While administrators were locked out, the university’s response, in Verizon’s words, was to intercept “the clear text password for a compromised IoT device over the wire and then use that information to perform a password change before the next malware update.”
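The alert Verizon describes, name servers flagging an abnormal number of sub-domains under one domain from the same internal clients, can be reproduced with a simple count over DNS query logs. The following is an added example, not Verizon’s or the university’s tooling: the log line format is an assumption loosely modelled on a BIND query log, the seafood-themed sample lines are constructed, and the threshold is arbitrary.

```python
"""Flag clients generating an abnormal number of distinct sub-domains.

Added example, not Verizon's or the university's tooling. The log line
format is an assumption loosely modelled on a BIND query log, the sample
lines are constructed, and the threshold is arbitrary.
"""
import re
from collections import defaultdict

# Constructed query-log lines: "<time> client <ip> query: <qname> IN <qtype>"
SAMPLE_LOG = """\
12:00:01 client 10.20.4.17 query: shrimp-0x1a.seafoodsupply.example IN A
12:00:01 client 10.20.4.17 query: crab-7f3e.seafoodsupply.example IN A
12:00:02 client 10.20.4.17 query: lobster-91c0.seafoodsupply.example IN A
12:00:02 client 10.20.4.17 query: tuna-44ab.seafoodsupply.example IN A
12:00:03 client 10.20.4.17 query: oyster-2b9d.seafoodsupply.example IN A
12:00:03 client 10.20.4.17 query: clam-c0de.seafoodsupply.example IN A
12:00:04 client 10.20.4.18 query: prawn-11aa.seafoodsupply.example IN A
12:00:04 client 10.20.4.18 query: squid-beef.seafoodsupply.example IN A
12:00:05 client 10.20.4.18 query: scallop-3c3c.seafoodsupply.example IN A
12:00:05 client 10.20.4.18 query: eel-9999.seafoodsupply.example IN A
12:00:06 client 10.20.4.18 query: cod-0001.seafoodsupply.example IN A
12:00:07 client 10.20.9.5 query: www.example.org IN A
12:00:07 client 10.20.9.5 query: mail.example.org IN MX
12:00:08 client 10.20.9.5 query: ntp.example.org IN A
"""

LINE_RE = re.compile(r"client (?P<client>\S+) query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def parse_queries(log_text):
    """Yield (client, qname) pairs; qnames lower-cased with no trailing dot."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("client"), m.group("qname").rstrip(".").lower()


def base_domain(qname, depth=2):
    """Crude registrable-domain guess: the last `depth` labels.
    A real deployment would consult the public suffix list instead."""
    return ".".join(qname.split(".")[-depth:])


def distinct_subdomains(log_text):
    """{(client, base_domain): set of distinct sub-domain prefixes}."""
    seen = defaultdict(set)
    for client, qname in parse_queries(log_text):
        base = base_domain(qname)
        prefix = qname[: -len(base)].rstrip(".")
        if prefix:                      # skip bare apex lookups
            seen[(client, base)].add(prefix)
    return seen


def flag_subdomain_floods(log_text, threshold=5):
    """[(client, base_domain, distinct_prefix_count)] for every client whose
    distinct sub-domain count under one base domain reaches the threshold,
    largest first. These are the devices to isolate or re-credential."""
    findings = [(client, base, len(prefixes))
                for (client, base), prefixes in distinct_subdomains(log_text).items()
                if len(prefixes) >= threshold]
    return sorted(findings, key=lambda f: (-f[2], f[0]))


if __name__ == "__main__":
    for client, base, n in flag_subdomain_floods(SAMPLE_LOG):
        print(f"{client}: {n} distinct sub-domains under {base}")
```

On the constructed log this reports the two 10.20.4.x clients and leaves the ordinary www/mail/ntp lookups from 10.20.9.5 alone; in practice the threshold is tuned per base domain over a time window rather than over a whole log.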

DDoS Attacks Attempted Against Campaign Websites of Hillary Clinton And Donald Trump

According to security firm Flashpoint, hackers attempted four Mirai botnet DDoS attacks in November against the campaign websites of Hillary Clinton and Donald Trump.

According to Flashpoint, the company observed a 30-second HTTP Layer 7 (application layer) attack against Trump’s website, while the next day, it saw attacks against both Trump and Clinton’s campaign sites. While attacks were attempted, neither website observed or reported outages.

“Flashpoint assesses with moderate confidence that the Mirai botnet has been fractured into smaller, competing botnets due to the release of its source code, which has led to the proliferation of actors exploiting the botnet’s devices,” a spokesperson wrote on Flashpoint’s website.

BBC Domain Downed By DDoS Attack

On New Year’s Eve, 31 December 2015, the BBC’s website was hit by a DDoS attack that downed its entire domain, including its on-demand television and radio player, for more than three hours.

While BBC originally said that it was undergoing a technical issue, the broadcaster’s news organization later said the outage was a result of a DDoS attack, according to “sources within the BBC.”

Russian Banks Hit With Waves Of DDoS Attacks

In November, at least five Russian banks, including Sberbank and Alfa-Bank, were the victims of prolonged DDoS attacks lasting over two days.

According to Security Affairs, the attack came from a wide-scale botnet involving up to 24,000 computers and IoT devices located in 30 countries. The banks’ online client services were not disrupted.

According to security firm Kaspersky Lab, the incident was the first time that massive DDoS attacks hit Russian banks in 2016.

Rio Olympics Organizations Hit By DDoS Attack Staged By LizardStresser

Arbor Networks’ security engineering and response team revealed in a statement that several organizations affiliated with the Olympics came under “large-scale volumetric” DDoS attacks beginning in September 2015.

“A large proportion of the attack volume consisted of UDP reflection and amplification attack vectors such as DNS, chargen, ntp, and SSDP, along with direct UDP packet-flooding, SYN-flooding, and application-layer attacks targeting Web and DNS services,” said Arbor Networks in a statement.
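Arbor’s vector list maps directly onto flow-record features: a reflector answers from its service port (UDP 53, 19, 123 or 1900) towards whatever port the spoofed request carried, with replies far larger than the requests, whereas a SYN flood is many small SYN-only segments and a direct UDP flood is simply a high packet count from a non-service port. The following added example (not Arbor Networks’ code) classifies constructed NetFlow-style records along those lines; the `Flow` field layout and the thresholds are assumptions.

```python
"""Classify flow records into reflection/amplification vectors and floods.

Added example with constructed records; the Flow layout is an assumption
modelled on a minimal NetFlow/IPFIX export, not Arbor Networks' data.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors, keyed by the port the
# reflector answers *from*.
REFLECTION_PORTS = {53: "dns", 19: "chargen", 123: "ntp", 1900: "ssdp"}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str           # "udp" or "tcp"
    packets: int
    bytes: int
    tcp_flags: str = ""  # e.g. "S" = SYN only, "SA" = SYN/ACK


# Constructed flows: reflectors answering one victim from 123/1900/53,
# a direct UDP flood, a SYN flood, a legitimate TLS flow, and a normal
# NTP exchange (small packets, service port on both sides).
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 123, "198.51.100.7", 43211, "udp", 120, 58000),
    Flow("203.0.113.11", 123, "198.51.100.7", 43211, "udp", 115, 55600),
    Flow("203.0.113.12", 123, "198.51.100.7", 43211, "udp", 130, 62500),
    Flow("203.0.113.20", 1900, "198.51.100.7", 51000, "udp", 80, 26000),
    Flow("203.0.113.21", 1900, "198.51.100.7", 51000, "udp", 75, 24400),
    Flow("203.0.113.30", 53, "198.51.100.7", 9001, "udp", 200, 700000),
    Flow("203.0.113.31", 53, "198.51.100.7", 9002, "udp", 190, 665000),
    Flow("192.0.2.50", 33333, "198.51.100.7", 1234, "udp", 20000, 1200000),
    Flow("192.0.2.5", 40000, "198.51.100.7", 80, "tcp", 5000, 300000, "S"),
    Flow("192.0.2.6", 40001, "198.51.100.7", 80, "tcp", 4800, 288000, "S"),
    Flow("192.0.2.99", 52000, "198.51.100.7", 443, "tcp", 40, 50000, "SA"),
    Flow("192.0.2.77", 123, "198.51.100.9", 123, "udp", 4, 360),
]


def classify_flow(flow, min_reply_bytes=200, flood_packets=1000):
    """Label a flow 'reflection:<svc>', 'syn-flood', 'udp-flood' or 'other'.

    Thresholds are assumptions for the constructed data: a reflected reply
    averaging >= min_reply_bytes per packet, or >= flood_packets packets in
    one flow, is treated as attack traffic.
    """
    avg_pkt = flow.bytes / max(flow.packets, 1)
    if flow.proto == "udp":
        svc = REFLECTION_PORTS.get(flow.sport)
        # Reflector replies leave the service port and land on the spoofed
        # request's ephemeral port; large replies there are the signature.
        if svc and flow.dport != flow.sport and avg_pkt >= min_reply_bytes:
            return "reflection:" + svc
        if flow.packets >= flood_packets:
            return "udp-flood"
        return "other"
    if flow.proto == "tcp" and flow.tcp_flags == "S" and flow.packets >= flood_packets:
        return "syn-flood"
    return "other"


def summarize_attack(flows):
    """Per victim IP: {vector: (distinct attacking/reflecting sources, total bytes)}."""
    per_victim = defaultdict(lambda: defaultdict(lambda: [set(), 0]))
    for f in flows:
        label = classify_flow(f)
        if label == "other":
            continue
        entry = per_victim[f.dst][label]
        entry[0].add(f.src)
        entry[1] += f.bytes
    return {
        victim: {vec: (len(srcs), total) for vec, (srcs, total) in vectors.items()}
        for victim, vectors in per_victim.items()
    }


if __name__ == "__main__":
    for victim, vectors in summarize_attack(SAMPLE_FLOWS).items():
        print(victim)
        for vec, (n_src, total) in sorted(vectors.items(), key=lambda kv: -kv[1][1]):
            print(f"  {vec:16s} sources={n_src:3d} bytes={total}")
```

The per-vector breakdown is what decides the mitigation: reflection traffic can be dropped on source port at the edge, while a SYN flood needs SYN cookies or a scrubbing path, which is why a multi-vector attack is harder to handle than a single large one.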

According to Arbor Networks, a DDoS-for-hire service called LizardStresser staged most of the pre-Olympic attacks. Throughout the attacks, Arbor Networks applied several mitigation measures to help Olympics administrators keep their systems running.

Brian Krebs’ Website Experienced DDoS Attack

In September 2016, the blog of security journalist Brian Krebs, KrebsOnSecurity, was hit by a DDoS attack with reported peak traffic of around 620 Gbps.

Krebs determined a Mirai botnet was responsible for the attack: “The source code that powers the IoT botnet responsible for launching the historically large DDoS attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices,” he stated on his blog.

“My guess is that (if it’s not already happening) there will soon be many Internet users complaining to their ISPs about slow Internet speeds as a result of hacked IoT devices on their network hogging all the bandwidth. On the bright side, if that happens it may help to lessen the number of vulnerable systems,” said Krebs in the blog post.


Teenage hacker jailed for masterminding attacks on Sony and Microsoft

Adam Mudd jailed for two years for creating attack-for-hire business responsible for more than 1.7m attacks worldwide.

A man has been jailed for two years for setting up a computer hacking business that caused chaos worldwide.

Adam Mudd was 16 when he created the Titanium Stresser program, which carried out more than 1.7m attacks on websites including Minecraft, Xbox Live and Microsoft and TeamSpeak, a chat tool for gamers.

He earned the equivalent of more than £386,000 in US dollars and bitcoins from selling the program to cyber criminals.

Mudd pleaded guilty and was sentenced at the Old Bailey. The judge, Michael Topolski QC, noted that Mudd came from a “perfectly respectable and caring family”. He said the effect of Mudd’s crimes had wreaked havoc “from Greenland to New Zealand, from Russia to Chile”.

Topolski said the sentence must have a “real element of deterrent” and refused to suspend the jail term. “I’m entirely satisfied that you knew full well and understood completely this was not a game for fun,” he told Mudd. “It was a serious money-making business and your software was doing exactly what you created it to do.”

Mudd showed no emotion as he was sent to a young offender institution.

During the two-day hearing, Jonathan Polnay, prosecuting, said the effect of Mudd’s hacking program was “truly global”, adding: “Where there are computers, there are attacks – in almost every major city in the world – with hotspots in France, Paris, around the UK.”

The court heard that Mudd, who lived with his parents, had previously undiagnosed Asperger syndrome and was more interested in status in the online gaming community than the money.

The court heard that the defendant, now 20, carried out 594 of the distributed denial of service (DDoS) attacks against 181 IP addresses between December 2013 and March 2015.

He has admitted to security breaches against his college while he was studying computer science. The attacks on West Herts College crashed the network, cost about £2,000 to investigate and caused “incalculable” damage to productivity, the court heard.

On one occasion in 2014, the college hacking affected 70 other schools and colleges, including Cambridge, Essex and East Anglia universities as well as local councils.

Mudd’s explanation for one of the attacks was that he had reported being mugged to the college but claimed no action was taken.

Polnay said there were more than 112,000 registered users of Mudd’s program who hacked about 666,000 IP addresses. Of those, nearly 53,000 were in the UK.

Among the targets was the fantasy game RuneScape, which had 25,000 attacks. Its owner company spent £6m trying to defend itself against DDoS attacks, with a revenue loss of £184,000.

The court heard that Mudd created Titanium Stresser in September 2013 using a fake name and address in Manchester. He offered a variety of payment plans to his customers, including discounts for bulk purchases of up to $309.99 for 30,000 seconds over five years as well as a refer-a-friend scheme.

Polnay said: “This is a young man who lived at home. This is not a lavish lifestyle case. The motivation around this we tend to agree is about status. The money-making is by the by.”

When he was arrested in March 2015, Mudd was in his bedroom on his computer, which he refused to unlock before his father intervened.

Mudd, from Kings Langley in Hertfordshire, pleaded guilty to one count of committing unauthorised acts with intent to impair the operation of computers; one count of making, supplying or offering to supply an article for use in an offence contrary to the Computer Misuse Act; and one count of concealing criminal property.

Ben Cooper, defending, appealed for his client to be given a suspended sentence. He said Mudd had been “sucked into” the cyber world of online gaming and was “lost in an alternate reality” after withdrawing from school because of bullying.

Mudd, who was expelled from college and now works as a kitchen porter, had been offline for two years, which was a form of punishment for any computer-obsessed teenager, Cooper said.

The “bright and high-functioning” defendant understood what he did was wrong but at the time he lacked empathy due to his medical condition, the court heard.

Cooper said: “This was an unhappy period for Mr Mudd, during which he suffered greatly. This is someone seeking friendship and status within the gaming community.”

But the judge said: “I have a duty to the public who are worried about this, threatened by this, damaged by this all the time … It’s terrifying.”


How can you prepare for a cyber attack?

Keeping your data secure is more important than ever, but it seems like there’s a new wide-scale data breach every other week. In this article, David Mytton discusses what developers can do to prepare for what’s fast becoming inevitable.

Cyber security isn’t something that can be ignored anymore or treated as a luxury concern: recent cyber attacks in the UK have shown that no one is immune. The stats are worrying – in 2016, two thirds of large businesses had a cyber attack or breach, according to Government research. Accenture paints a bleaker picture suggesting that two thirds of companies globally face these attacks weekly, or even daily.

According to the Government’s 2016 cyber security breaches survey, only a third of firms have cyber security policies in place and only 10% have an emergency plan. Given management isn’t handling the threat proactively, developers and operations specialists are increasingly having to take the initiative on matters of cybersecurity. This article covers some essential priorities developers should be aware of if they want their company to be prepared for attack.

Know your plan

There’s no predicting when a cyber attack might come, whether it be in the form of a DDoS, a virus, malware or phishing. It’s therefore important to be constantly vigilant, and prepared for incidents when they do occur.

Senior leadership in your company should be proactive when laying out a plan in the event of an attack or other breach, however this might not always be the case. No matter what your position is within your company, there are preemptive actions you can take on a regular basis to ensure that you’re adequately prepared.

If you’re in an Ops team, make sure you’re encouraging your team to test your backups regularly. There’s little use having backups if you’re unable to actually restore from them, as GitLab learned to their detriment earlier in the year.

Use simulations and practice runs to ensure that everyone on your team knows what they’re doing, and have a checklist in place for yourself and your colleagues to make sure that nothing gets missed. For example, a DDoS attack may begin with a monitoring alert to let you know your application is slow. Your checklist would start with the initial diagnostics to pinpoint the cause, but as soon as you discover it is a DDoS attack then the security response plan should take over.

If you happen to be on-call, make sure you’ve got all the tools you need to act promptly to handle the issue. This might involve letting your more senior colleagues know about the issue, as well as requesting appropriate assistance from your security vendors.

Communication is always one of the deciding factors in whether a crisis can be contained effectively. As a developer or operations specialist, it’s important to be vocal with your managers about any lack of clarity in your plan, and ensure that there are clear lines of communication and responsibility so that, when the worst does occur, you and your colleagues feel clear to jump into action quickly.

Remember your limits

It might sound obvious, but it’s worth remembering: in a cyber attack or catastrophic incident, there is only so much you yourself can do. Too many developers and operations staff fall prey to a culture of being ‘superheroes’, encouraged (often through beer and pizza) to stay as late as they can and work as long as possible on fixes to particular issues.

The truth is, humans make mistakes. Amazon’s recent AWS S3 outage is a good example: swathes of the internet were taken offline due to one typo. If you’re on-call while a cyber attack occurs there’s no denying you’re likely to work long hours at odd times of the day, and this can put a real strain on you, both mentally and physically. This strain can make it much harder for you to actually concentrate on what you’re doing, and no amount of careful contingency planning can compensate for that.

At Server Density we’re keenly aware that employee health and well being is critical to maintaining business infrastructure, especially in the event of a crisis. That’s why we support movements like HumanOps, which promote a wider awareness of the importance of employee health, from the importance of taking regular breaks to ergonomic keyboards. All too often people working in IT forget that the most business-critical hardware they look after isn’t servers or routers, it’s the health and well being of the people on the front lines looking after these systems.

Cyber attacks are stressful on everyone working in an organisation, and the IT teams take the brunt of the strain. However, with careful planning, clear lines of delegation and an appreciation of the importance of looking after each other’s health, developers and operations specialists should be able to weather the storm effectively and recover business assets effectively.


Should we worry the general election will be hacked?

“Brexit vote site may have been hacked” warned the headlines last week after a Commons select committee published its report into lessons learned from the EU referendum.

The public administration and constitutional affairs committee (Pacac) said that the failure of the voter registration website, which suffered an outage as many people tried to sign up to vote at the last minute in 2016, “had indications of being a DDoS ‘attack’”. It said it “does not rule out the possibility that the crash may have been caused … using botnets”. In the same paragraph it mentioned Russia and China. It said it “is deeply concerned about these allegations about foreign interference”.

With a general election just seven weeks away, how worried should we be about foreign interference this time round?

Labour MP Paul Flynn, who sits on the Pacac, certainly thinks we should be worried – although closer inspection of the report finds that, beyond the headlines, there’s a startling lack of evidence for those particular fears.

In reality, a DDoS – “distributed denial of service” – attack is the bombarding of a server with requests it can’t keep up with, causing it to fail. Not only is it not actually hacking at all, but it also looks rather similar to when a lot of people at once try to use a server that doesn’t have the capacity. Given the history of government IT projects, some might favour this more prosaic explanation of why the voter registration website went offline. And that’s just what the Cabinet Office did say: “It was due to a spike in users just before the registration deadline. There is no evidence to suggest malign intervention.”

So perhaps we shouldn’t fear that kind of attack, but hacking elections takes many forms. The University of Oxford’s Internet Institute found a huge number of Twitter bots posting pro-Leave propaganda in the run-up to the EU referendum. At least, that was how it was widely reported. The actual report reveals the researchers can’t directly identify bots (they just assume accounts that tweet a lot are automated) and admit “not all of these users or even the majority of them are bots”. But the accuracy, or inaccuracy, of the research aside, there’s a bigger issue.

What the Oxford Internet Institute never says is that there’s no evidence bots tweeting actually affects how anyone votes. Bots generally follow people – we’re all used to those suggestive female avatars in our notifications feeds – but people don’t really follow bots back. So when they push out propaganda, is there anyone there to see it?

Of course, en masse, those bots can affect the trending topics. But getting “#Leave” trending is not the same as controlling the messaging around it, and Twitter’s algorithm explicitly tries to mitigate against such gaming of the system. And again there’s the question: who looks at tweets via the trending topics tab anyway (except perhaps journalists looking for something to pad out a listicle)?

Fake news, the last of the unholy trinity, is a harder problem. We know it exists, and we know it gets in front of many people via social media sites like Facebook. We don’t really know how much it affects people and how much people see it for what it is – but the history of untrue stories in the tabloid press on topics like migration does lend weight to the idea that fake news can influence opinion.

What is and isn’t fake news is a contested field. At one end of the spectrum, mainstream publications report inaccurate stories about flights full of Romanians and Bulgarians heading for the UK. At the other, teenagers in Macedonia run pro-Trump websites where the content is pure invention. Most would agree the latter is fake news, even if not the former.

But this is a different problem to DDoS attacks or bot armies. The Macedonian teens aren’t ideologically driven by wanting Trump in the White House, they’re motivated by the advertising revenue their well-shared stories can earn. Even when fake news is created for propaganda rather than profit, there’s rarely a shadowy overlord pulling the strings – and bad reporting is some distance away from hacking the election.

While there’s a strong case that foreign actors have tried to influence elections in other countries – such as the DNC hack in the US – we probably don’t need to worry unduly about cyberattacks swinging the UK election. Besides: why would a foreign state bother? We’ve already got a divided country struggling with its own future without any need for outside interference.


Identifying the three steps of DDoS mitigation

It’s not a matter of if you’re going to be DDoS attacked, it’s a matter of when. Many APAC organisations fail to understand the threat and quantify the risk, and right-sizing and verifying the mitigation solution is a must. When an attack occurs, the mature organisation is prepared to mitigate it effectively, protecting itself (and in turn its clients and partners) from unacceptable financial and reputational impact.

Let us look at these three steps, understand, quantify and mitigate, in detail.

1. Understand the threat

The threat imposed by DDoS attacks in APAC is more significant than global counterparts. A recent Neustar survey showed that 77 percent of organisations within APAC have been attacked at least once, compared to 73 percent globally. Organisations within the region are also getting attacked more frequently, with 83 percent of those attacked being attacked more than once, and 45 percent having been attacked more than six times.

In addition, attack sizes are steadily growing. In 2015, the average attack size identified by Neustar was about 5GB per second. By September 2016, average attack sizes had reached about 7GB per second, and that was before the Mirai-driven, IoT-fuelled attacks such as those on Krebs, OVH and Dyn. Given this, we should expect a considerable rise in the mean size of volumetric attacks during 2017.

We’ve also seen a steady increase in the number of multi-vector attacks, which now account for about 50 percent of all DDoS attacks. In a multi-vector attack the criminals are potentially using the DDoS as a distraction while they go after their main target: the flood draws away the organisation’s defensive capacity while they plant ransomware, breach the network or steal valuable data. Within APAC, network breaches associated with a multi-vector attack are running at 33 percent, compared to the global average of 25 percent, according to Neustar’s own data. This begs the question: are APAC organisations deficient when it comes to perimeter protection?

When dealing with an attack, speed is critical. But surprisingly, within APAC, on average almost half of all organisations take over three hours to detect an attack and an additional three hours to respond. This is significantly higher than the global average of 29 percent and 28 percent respectively.

Worryingly, slow detection and response can lead to huge damages financially. Around half of all organisations stand to lose an average of $100,000 per hour of peak downtime during an attack. To exacerbate this, half the attacked organisations were notified of the attack by a third party, inflicting additional potential reputational damage.

2. Quantify the risk

If a person goes to insure their car, they’re not going to over or underinsure it. That is, they’re not going to pay a premium associated with a higher value car – if the car gets written-off, they’re only going to get the value of the car, not the extra value associated with the premium. Alternatively, if they are underinsured, they’re not going to get back the full value of the car – they will need to pay an additional amount to replace the car.

When looking at a DDoS environment, it is a similar scenario. An organisation will want to make sure it understands the level of risk and apply the right mitigation and the right cost to protect that risk. Paying the cost for a DDoS mitigation that exceeds their requirements is like over insuring the car – you are paying a premium for a service that does not match your level of risk/potential loss. Similarly, implementing a DDoS mitigation that does not cover the risk will likely lead to additional costs, resulting from greater organisational impact and additional emergency response activities.

Risk management is critical – rightsizing is a must – organisations need to prepare and implement a sound mitigation plan.

To understand the severity of the risk DDoS imposes, organisations must quantify both probability and impact – tangible and intangible – and know the risk appetite and technical environment of the organisation. Once this information is gathered and the severity of the risk is understood, there are three key critical elements of producing a good mitigation plan that must be enacted: detection, response and rehearsal.

3. Mitigate the attack

New Mirai IoT variant launched 54-hour DDoS attack against a U.S. college

Researchers have spotted a new Mirai variant in the wild that is better at launching application layer attacks; other researchers spotted a new Cerber ransomware variant that can evade machine learning.

A new variant of the Mirai IoT malware was spotted in the wild when it launched a 54-hour DDoS attack against an unnamed U.S. college.

While the attack occurred on February 28, Imperva Incapsula is informing the world about it today. The researchers believe it is a new variant of Mirai, one that is “more adept at launching application layer assaults.”

The average traffic flow was 30,000 requests per second (RPS) and peaked at about 37,000 RPS, which the DDoS mitigation firm said was the most it has seen out of any Mirai botnet so far. “In total, the attack generated over 2.8 billion requests.”

During the 54-hour DDoS attack on the college, researchers observed a pool of attacking devices normally associated with Mirai such as CCTV cameras, DVRs and routers. Attack traffic originated from 9,793 IPs worldwide, but 70% of the botnet traffic came from 10 countries.

The U.S. topped the list by having 18.4 percent of the botnet IPs. Israel was next with 11.3 percent, followed by Taiwan with 10.8 percent. The remaining seven countries of the top 10 were India with 8.7 percent, Turkey with 6 percent, Russia with 3.8 percent, Italy and Mexico both with 3.2 percent, Colombia with 3 percent and Bulgaria with 2.2 percent of the botnet traffic.

Other signature factors such as header order and header values also helped the researchers identify the attack as a Mirai-powered botnet, yet the DDoS bots hid behind different user-agents than the five hardcoded in the default Mirai version; it used 30 user-agent variants. Incapsula said, “This–and the size of the attack itself–led us to believe that we might be dealing with a new variant, which was modified to launch more elaborate application layer attacks.”

Less than a day after the 54-hour attack on the college ended, another was launched which lasted for an hour and a half; during the second attack, the average traffic flow was 15,000 RPS.

90% of application layer attacks last less than six hours, Incapsula said, so “an attack of this duration stands in a league of its own.” The researchers said they “expect to see several more bursts before the offender(s) finally give up on their efforts.”
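Incapsula’s classification signals, header order, header values and source spread (cited earlier on this page for the college attack and again here with the user-agent observation), can be approximated from request logs that preserve header order. The following is an added example, not Imperva’s classifier: it groups constructed requests by header-order signature and reports the number of distinct sources and user-agent variants behind each signature. The sample traffic, the header orders, the user-agent strings and the thresholds are all assumptions; Mirai’s real hardcoded strings are not reproduced.

```python
"""Fingerprint an HTTP flood by header order, header values and source spread.

Added example, not Imperva Incapsula's classifier. Each request record is
(source IP, ordered list of (header name, value)); the sample traffic,
header orders and thresholds are constructed assumptions.
"""
from collections import defaultdict

# A bot's hardcoded request builder emits headers in one fixed order;
# browsers also have fixed orders, but different ones.
BOT_ORDER = ["Host", "User-Agent", "Accept", "Accept-Language", "Connection"]
BROWSER_ORDER = ["Host", "Connection", "Upgrade-Insecure-Requests",
                 "User-Agent", "Accept", "Accept-Encoding"]
# Constructed UA pool the bots rotate through (not Mirai's real strings).
BOT_AGENTS = [f"Mozilla/5.0 (constructed-bot-ua-{i})" for i in range(6)]


def build_sample_requests():
    """20 bot sources sending 3 requests each with a rotating UA, plus 4
    legitimate browser requests with a different header order."""
    reqs = []
    for i in range(20):
        src = f"203.0.113.{i + 1}"
        for j in range(3):
            values = {"Host": "www.college.example",
                      "User-Agent": BOT_AGENTS[(i + j) % len(BOT_AGENTS)],
                      "Accept": "*/*", "Accept-Language": "en-US",
                      "Connection": "keep-alive"}
            reqs.append((src, [(h, values[h]) for h in BOT_ORDER]))
    for i in range(4):
        src = f"192.0.2.{i + 10}"
        values = {"Host": "www.college.example", "Connection": "keep-alive",
                  "Upgrade-Insecure-Requests": "1",
                  "User-Agent": "Mozilla/5.0 (constructed-browser)",
                  "Accept": "text/html", "Accept-Encoding": "gzip"}
        reqs.append((src, [(h, values[h]) for h in BROWSER_ORDER]))
    return reqs


def header_order_signature(headers):
    """The ordered tuple of header names, lower-cased."""
    return tuple(name.lower() for name, _ in headers)


def profile_signatures(requests):
    """Group requests by signature: {sig: {'requests', 'sources', 'agents'}}."""
    profiles = defaultdict(lambda: {"requests": 0, "sources": set(), "agents": set()})
    for src, headers in requests:
        p = profiles[header_order_signature(headers)]
        p["requests"] += 1
        p["sources"].add(src)
        p["agents"].add(next((v for n, v in headers if n.lower() == "user-agent"), ""))
    return profiles


def flag_botnet_signatures(requests, min_sources=5, min_share=0.5):
    """Flag signatures carrying >= min_share of all requests from >= min_sources
    distinct IPs. 'agent_variants' shows whether the bots rotate a small
    hardcoded UA set (like stock Mirai's five) or a larger one."""
    profiles = profile_signatures(requests)
    total = sum(p["requests"] for p in profiles.values())
    findings = []
    for sig, p in profiles.items():
        share = p["requests"] / total
        if len(p["sources"]) >= min_sources and share >= min_share:
            findings.append({"signature": sig, "share": share,
                             "sources": len(p["sources"]),
                             "agent_variants": len(p["agents"])})
    return findings


if __name__ == "__main__":
    for f in flag_botnet_signatures(build_sample_requests()):
        print(f"{f['share']:.0%} of requests share header order {f['signature']}: "
              f"{f['sources']} sources, {f['agent_variants']} UA variants")
```

The point of keying on header order rather than on the user-agent string alone is visible in the output: the bots rotate six user agents but every one of their requests carries the same header order, which no legitimate browser in the sample uses, so the signature survives the user-agent rotation that defeats a plain UA blocklist.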

Cerber ransomware variant evades machine learning

Elsewhere, Trend Micro also has bad news in the form of a new Cerber ransomware variant. Cerber has “adopted a new technique to make itself harder to detect: it is now using a new loader that appears to be designed to evade detection by machine learning solutions.”

The newest Cerber variant is still being delivered via phishing emails, but those emails now include a link to Dropbox which downloads and self-extracts the payload. If the loader detects it is running in a virtual machine, in a sandbox, or if certain analysis tools or anti-virus are running, then the malware stops running.

Cerber stops, Trend Micro said, if it detects any of the following are running: msconfig, sandboxes, regedit, Task Manager, virtual machines, Wireshark, or if security products from the vendors 360, AVG, Bitdefender, Dr. Web, Kaspersky, Norton or Trend Micro are running.

Trend Micro explained:

Self-extracting files and simple, straightforward files could pose a problem for static machine learning file detection. All self-extracting files may look similar by structure, regardless of the content. Unpacked binaries with limited features may not look malicious either. In other words, the way Cerber is packaged could be said to be designed to evade machine learning file detection. For every new malware detection technique, an equivalent evasion technique is created out of necessity.


CyberSecurity Malaysia in Asia Pacific drill to combat DDOS attacks

National digital security specialist CyberSecurity Malaysia has taken part in an Asia Pacific drill to test preparedness for DDOS attacks.

Themed ‘Emergence of a New Distributed Denial of Service (DDoS) Threat’, this year’s Asia Pacific Computer Emergency Response Team (APCERT) drill tested the response capabilities of leading Computer Security Incident Response Teams (CSIRTs) from Asia Pacific economies.

Throughout the exercise, which was completed on 22 March 2017, the participating teams activated and tested their incident handling arrangements.

Commenting on the operation, Dato’ Dr. Haji Amirudin Abdul Wahab, chief executive officer of CyberSecurity Malaysia, said: “Our participation in the APCERT drill is very important indeed as we believe nations in the Asia Pacific region should band together and collaborate more closely to enhance our skills, expertise and process in incident response handling to increase our vigilance against the current trends of DDoS threats.”

Dr Amirudin said that CyberSecurity Malaysia and its counterparts in the region are deepening collaboration to target and mitigate DDoS threats.

DDOS increase in Malaysia

He added that in Malaysia, incidents involving DDoS attacks have been on the rise for the past three years. Such attacks reported to CyberSecurity Malaysia increased to 66 in 2016, almost double from 38 incidents in 2015. In 2014, the incidents recorded stood at 38. As of February 2017, CyberSecurity Malaysia has recorded 11 incidents involving DDoS attacks.

The APCERT drill included interaction with local and international CSIRTs/CERTs, and victim organisations, for the coordinated suspension of malicious infrastructure, analysis of malicious code, as well as notification and assistance to affected entities.

In addition to Malaysia, 23 APCERT teams from 17 other economies (Australia, Brunei, People’s Republic of China, Chinese Taipei, Hong Kong, India, Indonesia, Japan, Korea, Lao People’s Democratic Republic, Macao, Mongolia, Myanmar, Singapore, Sri Lanka, Thailand and Vietnam) along with 4 CSIRTs from 4 member countries (Egypt, Morocco, Nigeria and Pakistan) of the OIC-CERT participated in the drill.

Held for the sixth time, this year’s drill also involved the participation of members from the Organisation of the Islamic Cooperation – Computer Emergency Response Team (OIC-CERT).

CyberSecurity Malaysia, which is the permanent secretariat for the OIC-CERT, leads the cyber security efforts among the OIC member countries.

APCERT was established by leading and national Computer Security Incident Response Teams (CSIRTs) from the economies of the Asia Pacific region to improve cooperation, response and information sharing among CSIRTs in the region. APCERT Operational Members consist of 28 CSIRTs from 20 economies.

OIC-CERT was established in January 2009 to provide a platform for member countries to explore and develop collaborative initiatives and possible partnerships in matters pertaining to cyber security that strengthen their self-reliance in cyberspace. OIC-CERT consists of 33 CERTs, cyber security related agencies and professionals from 20 economies.


The Short List of Who Protects Companies Against DDoS Attacks

Here’s a question: when was the last time you got something truly useful for free? Like that time it turned out your phone company was giving you mobile data even though it wasn’t included in the plan you selected, or that time you turned up at the car dealership for a major repair, and they informed you the cost was covered because you’re just such a great customer.

Oh right: it was never.

So why is it that so many companies seem to think somebody else is responsible for protecting them against distributed denial of service (DDoS) attacks? DDoS mitigation is an important and complex service that requires careful expertise, on-demand or always-on deployment, nearly limitless scalability and huge amounts of network bandwidth. If a company hasn’t taken the steps to invest in this kind of protection, they don’t have it.

Attack overview
A distributed denial of service (DDoS) attack is a cyberattack that uses a botnet, a network of internet-connected devices that have been hijacked for remote use, to direct large amounts of malicious traffic at a targeted website. This traffic overwhelms the website, its server or its resources, taking it offline or rendering it so slow that it can’t be used.

Distributed denial of service attacks have been a problem for websites and organizations of all sizes for over 15 years, and the problem is becoming a crisis as DDoS-for-hire services steadily gain popularity and botnets steadily grow in size due to unsecured Internet of Things devices. For larger organizations, a successful DDoS attack can cost between $20,000 and $100,000 per hour, and while unquantifiable, the loss of user trust or loyalty that can result from such an attack can be even worse.

Erroneous assumptions
DDoS attacks haven’t exactly been flying under the radar lately. Their frequency, as well as the threat they pose, should be well known to anyone working in online security. Yet a recent survey by Kaspersky uncovered some staggering statistics. Thirty percent of companies surveyed indicated that they haven’t taken action against the threat of DDoS attacks because they believe they won’t be targeted, 40% believe their ISP will provide protection, and a further 30% believe data centers will provide protection. Perhaps most misguided of all, 12% believe a small amount of DDoS-caused downtime would not have a negative impact on the company.

Why ISPs won’t provide complete protection
While some ISPs do provide complete DDoS protection as an added service that clients pay good money for, most provide only partial protection. Thanks to the large amount of bandwidth an ISP has available, it can do well against large volumetric attacks, but craftier application layer attacks are a problem. Also, while an ISP can be good at identifying malicious traffic, it does not deal with that traffic efficiently: while it struggles with an influx of malicious traffic, legitimate traffic is caught in the same bottleneck or even discarded alongside the bad traffic, leaving users unable to get through to the website. In other words, even when a basic DDoS attack is thwarted by an ISP, the result – users unable to access the website – ends up being the same.

Further, some DDoS attacks, such as Slowloris, are made up of traffic and requests that appear legitimate, making them difficult to detect even for some intrusion detection systems, let alone an ISP.

Perhaps the biggest problem with relying on an ISP for protection is that regardless of what type of attack is launched, there isn’t going to be a quick response from an ISP. They aren’t built for the kind of real-time monitoring and deployment that can catch an attack within seconds. Most often, it will be several hours before an ISP begins to deal with an attack. By then, the damage is done.

Why data centers won’t provide complete protection either
There’s a caveat here: just as with ISPs, some data centers do provide complete protection against distributed denial of service attacks, but again it is an added service that definitely adds to the data center bill. Similar to ISPs, data centers do provide some measure of DDoS protection, but it can generally only protect against basic attacks that can be stopped with rate limiters, or attacks that are not directly aimed at an application service. Large or complex attacks cannot be stopped by basic data center protection.
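The two preceding sections make a concrete claim: a per-client rate limiter stops a basic volumetric flood but does nothing against a Slowloris-style attack, whose traffic is slow and looks legitimate, so a different signal is needed. The following added example (not code from the article or from any vendor it mentions) implements a per-client token-bucket limiter and runs two constructed traffic patterns through it: a burst of 100 requests in a tenth of a second, and 50 connections opened one per second that each leave their HTTP headers unfinished. It then shows the check that does catch the second pattern: counting connections per source that have sat with incomplete headers past a timeout. Rates, thresholds and addresses are constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass


class TokenBucket:
    """Classic token bucket: `rate` tokens per second refill, `burst` tokens of capacity."""

    def __init__(self, rate, burst, now=0.0):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = now

    def allow(self, now):
        # Refill proportionally to elapsed time, never above the burst capacity.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PerClientLimiter:
    """One token bucket per client address, created lazily on first sight."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.buckets = {}

    def allow(self, client, now):
        bucket = self.buckets.get(client)
        if bucket is None:
            bucket = self.buckets[client] = TokenBucket(self.rate, self.burst, now)
        return bucket.allow(now)


def flood_allowed(requests=100, rate=10.0, burst=20):
    """Volumetric pattern (constructed): 100 requests from one client within 0.1 s."""
    limiter = PerClientLimiter(rate, burst)
    return sum(limiter.allow("203.0.113.5", i * 0.001) for i in range(requests))


def slow_opens_allowed(conns=50, rate=10.0, burst=20):
    """Slowloris-style pattern (constructed): one new connection per second, well under the rate."""
    limiter = PerClientLimiter(rate, burst)
    return sum(limiter.allow("198.51.100.9", float(i)) for i in range(conns))


@dataclass
class Conn:
    ip: str
    opened_at: float       # seconds since an arbitrary epoch
    header_complete: bool  # has the client finished sending its request headers?


def build_sample_connections():
    """Constructed connection table: 50 stalled partial-header connections plus two normal ones."""
    conns = [Conn("198.51.100.9", float(i), False) for i in range(50)]
    conns += [Conn("192.0.2.77", 100.0, True), Conn("192.0.2.77", 110.0, True)]
    return conns


def detect_slow_connections(conns, now, header_timeout, max_per_ip):
    """Return {ip: n} for sources holding at least `max_per_ip` connections whose
    request headers are still incomplete after `header_timeout` seconds."""
    stuck = defaultdict(int)
    for c in conns:
        if not c.header_complete and now - c.opened_at > header_timeout:
            stuck[c.ip] += 1
    return {ip: n for ip, n in stuck.items() if n >= max_per_ip}


if __name__ == "__main__":
    print("flood: %d of 100 requests passed the limiter" % flood_allowed())
    print("slow opens: %d of 50 connections passed the limiter" % slow_opens_allowed())
    print("stalled-header sources:",
          detect_slow_connections(build_sample_connections(), now=120.0,
                                  header_timeout=30.0, max_per_ip=10))
```

The limiter lets exactly the burst capacity through for the flood and everything through for the slow opener, which is the point of the article's argument: request-rate controls (what basic ISP and data-center protection amounts to) are blind to an attack that never exceeds a sensible rate. The header-timeout count is the kind of per-connection state a dedicated mitigation layer keeps and a rate limiter does not.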

Moreover, not only do ISPs and data centers not provide complete protection against DDoS attacks, but they also put their clients at a bigger risk of second-hand DDoS damage. If an ISP or data center is struggling with a large or complex attack, websites that weren’t targeted will nonetheless suffer the effects.

A-Z protection
Professional DDoS protection is built to provide the quickest, most proactive and most complete protection against distributed denial of service attacks. Cloud-based protection is especially excellent at protecting against both network-layer and application-layer attacks, and with the use of a scrubbing server, attack traffic will be kept from ever touching the target website while legitimate traffic is let through unfettered.

For companies after a more bang-for-their-buck solution, it may be preferable to look into a quality content delivery network (CDN). CDNs are designed to improve site speed and performance, and all CDNs offer some level of DDoS protection due to the built-in load balancing that comes from their multi-server environments. Many CDNs also offer additional DDoS protection on top of that.

High-quality distributed denial of service protection won’t become a freebie or throw-in until the internet reaches a phase where there’s something so much worse and so much more common than DDoS attacks that they become almost after-thoughts for all the malicious cyberattackers out there. So companies can either root for that reality, or take protection into their own hands by investing in solid DDoS protection.


Russian bank Alfa Says it was Under DNS Botnet Attacks

The Russian banking giant Alfa announced, in a press statement, that hackers targeted its infrastructure in a large-scale DNS botnet attack. The purpose appears to have been to make it seem as though the bank had been communicating with the Trump Organization. The bank is now asking the U.S. to help it uncover the culprits.

On Friday, the bank revealed that its Domain Name System (DNS) servers had been the target of three cyber attacks since mid-February. It is unclear who was behind these attacks; the details show that unknown hackers allegedly used Amazon and Google servers to send requests to a Trump Organization server, made to look as if they came from Alfa Bank, so that the Trump server responded back to the bank.

An Alfa Bank spokesperson said: “The cyber attacks are an attempt by unknown parties to manufacture the illusion of contact between Alfa Bank’s DNS servers and ‘Trump servers’.”

Furthermore, Alfa Bank revealed that it is ready to work with the U.S. law enforcement agency to identify the individuals involved in the campaign. The bank has already hired Stroz Friedberg, a US-based cyber security firm to get into the depth of the matter.

“The cyber attacks are an attempt by unknown parties to manufacture the illusion of contact between Alfa Bank’s DNS servers and ‘Trump servers’,” an Alfa Bank representative said in a statement. “We have gone to the U.S. Justice Department and offered our complete cooperation to get to the bottom of this sham and fraud.”

On February 18, 2017, the bank claims it experienced suspicious cyber activity from an unidentified third-party. Specifically, the unidentified third-party repeatedly sent suspicious DNS queries from servers in the U.S. to a Trump Organization server. The unidentified individuals made it look as though these queries originated from variants of MOSCow.ALFAintRa.nET.

The mixed use of upper and lower case indicated human intervention in the process. Moreover, Alfa Bank says it received more than 1,340 DNS responses containing

Last week, CNN reported that the FBI’s counterintelligence team was investigating if there was a computer server connection between the Trump Organization and Alfa Bank during the U.S. election, according to sources close to the investigation. The bank has now denied that there was ever a conversation between both parties.

Mark McArdle, CTO at cyber security company eSentire, commented on the issue:

“A botnet is typically associated with an attack that leverages scale, as it can employ thousands (potentially millions with IoT devices) of devices and use them to coordinate an attack on a target. We’ve seen this with some big DDoS attacks. We also see botnets being used as platforms for large-scale spamming. However, the number of DNS connections reported in the Alfa Bank attacks (1,340 in one case) don’t indicate massive scale. A botnet, however, can be used to add another layer of obfuscation between you and your attacker. Following the breadcrumbs back could bring you to a PVR that has been hacked and is now part of a botnet. I suspect in this case, the botnet is being used more for obfuscation of identity than scale. The attackers may be using a botnet to send spoofed DNS requests to a legitimate Trump server using a spoofed “reply-to” address inside Alfa-Bank’s infrastructure.

Spoofing DNS lookups is not very difficult since DNS is not authenticated, and the ability to spoof source addresses is unfortunately still available – all you need is a system to launch your attack from that is connected to the Internet via an ISP that doesn’t filter out spoofed source addresses. While this type of attack has been around for a while, what’s new in this case is that someone is using it to try and contrive evidence of a relationship where neither party sought one.

Additionally, there is also reference in Alfa Bank’s statement about Spam messages from It’s also possible to spoof email (spammers do this all the time). A spoofed email could include a reference to a legitimate Trump Org server and a real connection would be established if a user clicked on it (or selected “show images” in the email). Again, this does not mean the email came from Trump Org, just that it was sent in order to attempt to solicit “a connection” between Trump Org and Alfa-Bank.”

Either way, identity is difficult to determine unless cryptographic certificates are used, and ultimate hack attribution is even more difficult.
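From the bank's side, the scenario described above (queries sent to a third party's DNS server with a forged source address, so that the answers land on the bank's servers) shows up as DNS responses arriving for queries the bank never sent. The following is an added example, not code from Alfa Bank, Stroz Friedberg or eSentire: it walks a constructed log of outbound queries and inbound responses, matches each response against the outstanding queries by responder address, transaction ID and case-normalised name, and reports the unsolicited ones per responder along with how many case variants of each name they carried. Name comparison is case-insensitive on purpose: DNS names are case-insensitive, and some resolvers deliberately randomise query-name case (the 0x20 technique) as an anti-spoofing measure, so mixed case in a single query is not by itself evidence of tampering; unsolicited responses are the stronger signal, and the variant count is reported only for those. Addresses, transaction IDs and names are constructed sample values.

```python
from collections import Counter, defaultdict

OUR_RESOLVER = "203.0.113.10"  # constructed: the defender's own DNS server address

# Constructed event log as (direction, src, dst, txid, qname); "Q" = query, "R" = response.
SAMPLE_EVENTS = [
    ("Q", OUR_RESOLVER, "198.51.100.53", 0x1A2B, "www.example.com"),
    ("R", "198.51.100.53", OUR_RESOLVER, 0x1A2B, "www.example.com"),
    # our own resolver randomising name case (0x20); the answer echoes it and must still match
    ("Q", OUR_RESOLVER, "198.51.100.53", 0x3C4D, "Api.ExAmPle.com"),
    ("R", "198.51.100.53", OUR_RESOLVER, 0x3C4D, "Api.ExAmPle.com"),
    # backscatter: answers from a third party's server to questions we never asked
    ("R", "192.0.2.50", OUR_RESOLVER, 0x0001, "mail.corp.example"),
    ("R", "192.0.2.50", OUR_RESOLVER, 0x0002, "MAIL.corp.example"),
    ("R", "192.0.2.50", OUR_RESOLVER, 0x0003, "mail.CORP.example"),
    ("R", "192.0.2.50", OUR_RESOLVER, 0x0004, "MaIl.CoRp.ExAmPlE"),
    ("R", "192.0.2.50", OUR_RESOLVER, 0x0005, "mail.corp.example"),
]


def analyse(events, our_ip):
    """Match responses to outstanding queries; report the unsolicited ones.

    Returns a dict with the unsolicited responses, a per-responder count,
    the number of distinct case spellings seen per unsolicited name, and
    how many of our own queries never received an answer."""
    pending = set()                 # (server, txid, lowercased name) for queries we sent
    unsolicited = []
    variants = defaultdict(set)
    for direction, src, dst, txid, qname in events:
        name = qname.lower()        # DNS names compare case-insensitively
        if direction == "Q" and src == our_ip:
            pending.add((dst, txid, name))
        elif direction == "R" and dst == our_ip:
            key = (src, txid, name)
            if key in pending:
                pending.discard(key)        # a legitimate answer to our question
            else:
                unsolicited.append((src, txid, qname))
                variants[name].add(qname)   # keep the raw spelling for the report
    return {
        "unsolicited": unsolicited,
        "by_responder": dict(Counter(src for src, _, _ in unsolicited)),
        "case_variants": {n: len(v) for n, v in variants.items()},
        "unanswered": len(pending),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_EVENTS, OUR_RESOLVER)
    for responder, n in report["by_responder"].items():
        print("%d unsolicited responses from %s" % (n, responder))
    for name, n in report["case_variants"].items():
        print("%s seen in %d case spellings" % (name, n))
    print("our own queries left unanswered:", report["unanswered"])
```

A responder that sends many unsolicited answers is either misconfigured or answering forged queries; the server it names cannot tell which, and neither can the receiver, which is the attribution problem the article closes on. Correlating with the transaction IDs and timing of the bank's own outbound traffic, as this check does, is what separates genuine contact from backscatter.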

This is not the first time that allegations surrounding Trump’s relations with Russia have emerged. Some believe Russia hacked the US election to give Trump a way to win the presidency while some believe that Russian media was involved in spreading fake news against Trump’s opponent Hillary Clinton. Either way, nothing has been proven yet.
