Q4 2017 Global DDoS Threat Landscape Report

Today we are releasing our latest Global DDoS Threat Landscape Report, a statistical analysis of 5,055 network and application layer DDoS attacks mitigated by Imperva Incapsula services during Q4 2017.

In Q4, the number of application layer attacks nearly doubled, just as the number of network layer assaults declined. In both cases, however, we saw attacks grow more persistent.

Target-wise, the cryptocurrency industry continued to draw the attention of DDoS offenders, ranking as the fifth most attacked industry this quarter alongside some of the more regular attack targets. Another notable development was the high number of network layer assaults against businesses in the APAC region. In the last quarter of the year, the region served as home to seven out of the top-ten attacked countries. Combined, they drew 68.9 percent of all network layer DDoS attacks.

Figure 1: Top attacked countries, by number of network layer attacks

Report Highlights

Amidst Price Spike, Attacks on Cryptocurrency Industry Continue

Bitcoin was once again the eighth most targeted industry in Q4, after making its first appearance on the top-10 list in the prior quarter. Furthermore, it came in fifth place for the number of attacks suffered, outscoring such established and commonly attacked business sectors as financials and publishing.

Figure 2: Top attacked industries, by number of network layer attacks

The increase in attacks against bitcoin-related sites is likely linked to a growth spike experienced by the industry late last year when cryptocurrency prices reached an all-time high. As prices have since subsided, it will be interesting to see if the overall number of attacks declines as well in the coming months.

Even after the recent price drop, there currently remain 190 active cryptocurrency exchanges, up from 70 in Q3. Of these, 24 exchanges have a daily turnover of more than 10 million USD. With an ever-increasing number of targets, despite the volatility in the price of bitcoin, we expect to see assaults directed at the cryptocurrency industry continue for the foreseeable future.

Application Layer Attacks Double, Assaults Become More Persistent

This quarter, we saw a spike in the number of application layer assaults, which increased 43 percent over their Q3 levels. Network layer attacks, on the other hand, fell by more than 50 percent from last quarter.

Figure 3: Number of weekly DDoS attacks QoQ

Interestingly, even as the number of application layer assaults went up and network layer attacks decreased, both became more persistent. Our data shows that 63.3 percent of application layer DDoS targets were subjected to repeat attacks, up from 46.7 percent last quarter.

Figure 4: Repeat application layer attacks QoQ

In the case of network layer attacks, the share of targets hit by repeat DDoS assaults went up to 67.4 percent, compared to 57.8 percent in Q3. However, the average number of attacks per target decreased, as most of the repeat assaults consisted of two to five bursts.

Figure 5: Repeat network layer attacks QoQ

The increase in attack persistence reflects the growing ease with which bad actors can launch multiple DDoS attacks. Today, even if a mitigation service is able to deflect an initial attack, perpetrators have every reason to try again and again, until they take down their target or grow bored and move on.

This obviously highlights the need for a hands-off mitigation solution that can be automatically activated to mitigate every repeat attack burst. In the absence of such a solution, a persistent DDoS campaign can quickly turn into a prolonged war of attrition, forcing an enterprise to spend money and man-hours to fight off a series of assaults.

Source: https://securityboulevard.com/2018/03/q4-2017-global-ddos-threat-landscape-report/


How Can Blockchain Be Used to Aid Cybersecurity?

With the rapid advancement of internet-based technologies, cybersecurity is a constant cloud looming on the horizon. As the technology evolves, so too, do the cybercriminals. Their constant efforts to steal valuable data and disrupt business through DDoS attacks are increasingly sophisticated.

Holding companies hostage and monetizing data through ransomware techniques is sadly par for the course. In fact, it’s estimated that cybercrime alone costs the global economy some $450 billion a year. With IT professionals scrambling to stay one step ahead of the hackers, how can blockchain be used to aid cybersecurity?

No Single Point of Failure

The decentralized nature of the blockchain means that there is no single point of failure, nor one central database waiting to be hacked. The ledger is replicated across many nodes, and each block is cryptographically linked to the one before it, so there is no single entrance to break in through. This offers far greater resilience than a centralized store, although the nodes, wallets and exchanges around the chain remain ordinary software with ordinary weaknesses.

Removing Human Error

The weakest link in our current systems is the password login, which can be guessed, phished or cracked. Certificate-based device authentication, which blockchain-based identity schemes build on, can remove that human factor: businesses can authenticate devices without a password system, issuing each device its own TLS (SSL) certificate so that it proves possession of a private key rather than presenting a secret a person chose. The human, and the reusable secret, drop out of the authentication path as an attack vector.

Bitcoin advocate, adjunct professor at NYU Law School and practicing attorney, Andrew Hinkes, explains, “Using a public blockchain with proof of work consensus can remove the foibles of human mistake or manipulation.”

Detecting Tampering in Real Time

The blockchain can uncover and reject tampering in real time. Each block carries the hash of the block before it, so if an attacker alters the contents of a block, its hash no longer matches the link stored in the following block. Every node that validates the chain sees the mismatch, recognizes the altered block (and anything built on it) as invalid, and refuses to accept it.

Improving IoT Security

With the rise of IoT devices come inherent security risks. We’ve already seen problems occur when trying to disable compromised devices that become part of botnets. According to Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University, the blockchain can put an end to that:

“The blockchain, with its solid cryptographic foundation offering a decentralized solution can aid against data tampering, thus offering greater assurances for the legitimacy of the data.” This would mean that potentially billions of IoT devices could connect and communicate in a secure ecosystem.


All transactions on the blockchain are traceable: each carries a timestamp and a digital signature. Companies can go back to the root of every transaction on a given date and identify the signing party. Since every transaction is cryptographically tied to a key, the perpetrator of a fraudulent one can be found, at least as far as the key: on a public chain that key is a pseudonym, and linking it to a person takes further investigation.

Says Hinkes, “Blockchains create an audit trail of all activity by its participants, which simplifies access control and monitoring.” This offers companies a level of security and transparency on every iteration.
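The two mechanisms described above, the back-link that makes a tampered block stand out and the signature and timestamp that tie an entry to a participant, fit in a few dozen lines. The following is an added example written for this page, not code from any blockchain project or from the people quoted: a hash chain in Go in which every entry is Ed25519-signed by its author and stores the hash of the previous entry, plus a Verify walk that reports where the chain first breaks. The Entry, Ledger and Verify names, the record format, the participants and the sample payloads are all assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
)

// Entry is one timestamped, signed record in a hash-chained ledger.
// Author is the hex-encoded Ed25519 public key of the participant who
// signed it; PrevHash is the hash of the entry before it.
type Entry struct {
	Timestamp int64
	Author    string
	Payload   string
	PrevHash  string
	Signature []byte
}

// body is the byte string that gets signed. Timestamp, author and back-link
// are part of it, so none of them can change without breaking the signature.
func (e *Entry) body() []byte {
	return []byte(strconv.FormatInt(e.Timestamp, 10) + "|" + e.Author + "|" + e.Payload + "|" + e.PrevHash)
}

// Hash is what the next entry stores as its PrevHash. It covers the
// signature too, so re-signing an entry also changes its hash.
func (e *Entry) Hash() string {
	sum := sha256.Sum256(append(e.body(), e.Signature...))
	return hex.EncodeToString(sum[:])
}

// Ledger is an append-only chain of entries.
type Ledger struct {
	Entries []*Entry
}

// Append signs a new entry with the author's private key and links it to
// the current head of the chain.
func (l *Ledger) Append(priv ed25519.PrivateKey, ts int64, payload string) {
	prev := ""
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash()
	}
	e := &Entry{
		Timestamp: ts,
		Author:    hex.EncodeToString(priv.Public().(ed25519.PublicKey)),
		Payload:   payload,
		PrevHash:  prev,
	}
	e.Signature = ed25519.Sign(priv, e.body())
	l.Entries = append(l.Entries, e)
}

// Verify walks the chain from the first entry and returns the index of the
// first entry whose signature or back-link does not check out, or -1 when
// the whole ledger is intact. Any participant holding a copy can run it.
func (l *Ledger) Verify() int {
	prev := ""
	for i, e := range l.Entries {
		pub, err := hex.DecodeString(e.Author)
		if err != nil || len(pub) != ed25519.PublicKeySize {
			return i
		}
		if e.PrevHash != prev || !ed25519.Verify(ed25519.PublicKey(pub), e.body(), e.Signature) {
			return i
		}
		prev = e.Hash()
	}
	return -1
}

func main() {
	// Constructed sample: two participants, three entries.
	_, alice, _ := ed25519.GenerateKey(rand.Reader)
	_, bob, _ := ed25519.GenerateKey(rand.Reader)
	l := &Ledger{}
	l.Append(alice, 1520000000, "alice pays bob 5")
	l.Append(bob, 1520000060, "bob pays carol 2")
	l.Append(alice, 1520000120, "alice pays dave 1")
	fmt.Println("intact, first bad entry:", l.Verify()) // -1

	// An attacker edits the middle entry: its signature no longer matches.
	l.Entries[1].Payload = "bob pays carol 200"
	fmt.Println("edited payload, first bad entry:", l.Verify()) // 1

	// Re-signing it with the attacker's own key repairs the signature, but
	// the hash changes and entry 2 still points at the old one.
	_, mallory, _ := ed25519.GenerateKey(rand.Reader)
	l.Entries[1].Author = hex.EncodeToString(mallory.Public().(ed25519.PublicKey))
	l.Entries[1].Signature = ed25519.Sign(mallory, l.Entries[1].body())
	fmt.Println("re-signed by attacker, first bad entry:", l.Verify()) // 2
}
```

Two caveats the example makes visible. First, the signature proves which key signed an entry, not which person: the audit trail ends at the key unless something else binds it to an identity. Second, a chain verified only by its own operator proves nothing to anyone else, because the operator can rewrite and re-link every entry from the tampered one onward; tamper detection needs independent copies of the chain (or a consensus mechanism such as the proof of work Hinkes mentions) so that a rewritten history can be compared against one that was not.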

The Takeaway

Much of today’s DDoS exposure stems from the centralized parts of the Domain Name System: take out a provider’s authoritative servers and every site behind them goes dark. Blockchain technology would change this by decentralizing DNS records and distributing them across a far greater number of nodes, leaving attackers no single infrastructure to overwhelm. That would raise the bar for cybercriminals considerably, although it does not protect the web servers and applications behind those names, which remain targets in their own right.

Source: https://blocksleuth.com/category/ddos-attacks/


Misconfigured security measure leads DDoS amplification attacks to soar at end of 2017

DDoS attacks using Domain Name System (DNS) amplification increased more than 357 percent in the fourth quarter of 2017 compared to the previous year.

A new report by protection specialist Nexusguard attributes the rise to the use of Domain Name System Security Extensions (DNSSEC), a technology that’s intended to add integrity and security to the DNS protocol.

If not correctly configured, however, DNSSEC-enabled servers can be deliberately targeted to reflect amplification attacks, due to the large size of the responses they generate. A signed response carries RRSIG and DNSKEY records and can be many times the size of the query that triggered it; a server that answers such queries over UDP for any source address, without response rate limiting, will reflect that traffic to whatever victim address the attacker spoofs.

While the overall number of DDoS attacks has fallen 12 percent compared to the same period last year, a new class of powerful botnets is set to exploit wider DNSSEC adoption. Nexusguard warns teams to evaluate their DNSSEC response sizes and configuration to strengthen systems against future attacks.

“Enterprises have worked hard to patch against snooping, hijacking and other DNS abuses; however, improperly configured DNSSEC-enabled name servers may be a new plague for unprepared teams,” says Juniman Kasman, chief technology officer for Nexusguard. “Admins and IT teams need to check security for the entire network, as well as correctly configure DNSSEC on the domain to properly harden servers against these new attacks.”

The report also finds that attackers continue to favor multi-vector attacks, blending combinations of Network Time Protocol (NTP), User Datagram Protocol (UDP) floods, DNS and other popular attack vectors. This tactic has been seen in more than half of all botnets over the past year.

China and the US continue as the top two sources of DDoS attacks in Q4, contributing 21.8 percent and 14.3 percent of the botnets, respectively. South Korea climbed to third place, contributing nearly six percent of the global attacks, up from sixth place last quarter.

Source: https://betanews.com/2018/03/14/security-ddos-amplification-2017/


Cryptocurrency: just for tax avoidance & paying cyber-hold-ups anonymously?

At a cursory glance, the cryptocurrency landscape looks an awful lot like the old Wild West – lawless, volatile, open; no viable law enforcement in sight. But is there also a more positive side to blockchain technology?

We’ve all seen the headlines. Bitcoin’s rise and fall, high profile hacking attacks, and ICO fly-by-night scam teams riding off into the sunset with investor money.

Transactions are sent anonymously by faceless villains on the darkweb for illicit dealings. The lack of central authorities has led to crypto’s ban in at least five countries, and its surging value makes it increasingly attractive to cyber-criminals. So the question remains: are cryptocurrencies more than just a way for criminals to get paid anonymously and avoid tax?

A response to the 2008 financial crisis

To get to the root of the issue, it’s worth remembering why cryptocurrencies came about in the first place. Bitcoin, the world’s first cryptocurrency, emerged in response to the 2008 financial crisis. It was an open source project to allow for a transparent economy, in which individuals could be responsible for their own wealth.

The lack of centralisation meant that people could transact globally without the need for intervention or permission from institutions, at a time when trust in the banking system was at an all-time low.

Head of Red Team Services at CyberArk, Shay Nahari, explains to SC Media UK, “The original idea behind cryptocurrencies was to provide a way for network computers to anonymously complete transactions. And today there are credible and legitimate services online and in retail that use cryptocurrency as a form of payment”.

Cryptocurrency has also been successfully used to complete many an international transfer, bypassing hefty banking fees and avoiding lengthy delays. Yet, the anonymity of cryptocurrency makes it a magnet for delinquents of all stripes, particularly on the darkweb.

Cryptocurrency adoption by criminals

Not only are tax evaders and drug barons willfully using it to fly below the radar and move vast sums of undeclared money around, but hackers have discovered the weak links, as well.

Despite the much marketed “anonymity” of Bitcoin, all transactions are visible, and this provides law enforcement authorities with enough data to uncover hackers’ identities. It’s also brought about a rise in the usage of altcoins (Bitcoin alternatives).

Currencies like Monero, which have been designed to be untraceable, are gaining favour in the underground world for protecting the user’s identity and keeping follow-up transactions anonymous.

Nahari remarks, “Together with the fact that Monero was designed to still be effectively mined with CPU and not just special hardware, and the fact that due to its anonymity, accounts cannot be blacklisted (even if they are identified as malicious) means that bots of infected machines can generate large amounts of money for the attackers while still being almost resilient against law enforcement. As a result, Monero use on the darkweb has risen and its price has risen along with it”.

While all this sounds like a veritable hotbed of malevolent activity, it’s pertinent to remember that digital currencies are not the only vehicle for carrying out nefarious deeds. It’s well known that the US dollar is the criminal’s bill of choice when it comes to money laundering and drug trafficking.

And while it’s true that both currencies can be used for legitimate and illegitimate purposes, cryptocurrency is inherently more trackable than fiat currency. In many countries, the US included, national regulations already require cryptocurrency purchasers to undergo Know Your Customer/Anti-Money Laundering (KYC/AML) protocol before being able to invest.

Moreover, despite the fact that the public at large rarely comes across US$100 bills, they make up some 80 percent of all US currency by value.

Large notes in outside currencies have caused a problem for a while now, for their propensity to facilitate criminal activity. In 2010, UK exchange offices ceased sales of €500 notes, after police officials found that some 90 percent of them were used by organised crime.

Jennifer McEntire, manager of financial crime compliance strategy at LexisNexis Risk Solutions, comments, “When you look at money laundering overall, that actually occurs and is easier with traditional currencies. Bulk movement of cash and hand to hand cash transfers are far more common and easier to execute by most people, while remaining truly anonymous. If you’re using a cryptocurrency in an exchange platform, it’s likely that you’re leaving a digital trail in emails, text messages, and device usage. You’re not as anonymous as you think you are”.

Not all cryptocurrencies were created equal

When Bitcoin’s value soared to just shy of US$20,000 (approx. £14,000) in December of last year and promptly plummeted back down to under US$7,000 (£5,000) in a few short weeks, it became pretty clear that such rampant volatility makes its use as a currency challenging, to say the least.

Says McEntire, “Many people in the United States are seeing it as an investment vehicle, they’re seeing the games that are happening. So I think that it can be dangerous in some ways, but not necessarily more dangerous than our traditional markets. Our traditional markets are also volatile. Cryptocurrency isn’t going to go away but the volatility… I would liken and compare to our traditional markets.”

Actually the volatility of cryptocurrency isn’t unique. Even gold, that is historically viewed as a stable asset, has experienced similar surges and crashes over the decades.

Jeremy Epstein, leading speaker on blockchain innovation and CEO of blockchain marketing agency Never Stop Marketing, comments, “The volatility comes from the fact that we are seeing the birth of an entirely new asset class. It’s the first digitally-native currency, built specifically for digital. That’s not the case with our existing fiat systems. As such, it’s tough for all of us to understand how it works and how to value it”.

And while cryptos are often labelled as being “volatile”, not all cryptocurrencies were created equal. There are plenty of stable-value cryptocurrencies on the market whose value is pegged to another asset, such as the dollar. Naturally, corporate treasurers are risk averse and, as adoption becomes more widespread, payments will likely be made using these types of cryptocurrencies, rather than the wildly fluctuating Bitcoin or Ethereum.

Cryptocurrency, blockchain and cyber-security

Just as cryptocurrency has different uses, so too, does the blockchain. One of which will undoubtedly change the face of cyber-security in the not-so-distant future. Cyber-crime remains a constant threat and thorn in the side of many an IT department, costing the global economy some £324 billion a year.

“Equifax is exhibits A-Z on this. Our current IT systems are not built to hold the amount of data that they currently have, particularly personal data. We’re vulnerable because of centralisation. Decentralising and securing the data stores provides greater security”, Epstein remarks.

Because blockchains create an audit trail of all activity by their participants, access control and monitoring are greatly simplified, and much human manipulation and error is removed. Thanks to cryptography, the ledger itself is practically impossible to forge: the key sizes and hash lengths involved mean that brute-forcing a private key or forging a block hash would take a typical modern PC trillions of years.

Paul Brody, global innovation blockchain leader at EY asserts, “Blockchains are possibly the most secure information technology ever invented. It is, for all practical purposes, impossible to counterfeit Bitcoin or alter transaction histories in these systems. Blockchains hold the promise of creating vastly more secure online transactions and secure, unbreakable digital contracts between users”.

If blockchain is so secure though, that poses a rather awkward question. Why are we always hearing about hacking, theft, and criminal activity?

Brody has an answer to that. “Cryptocurrency blockchains are public”, he points out, “which allows for increased and earlier visibility when thefts occur. And while blockchains are themselves very secure, they operate in an ecosystem that still has many weaknesses, including human error. While you can’t counterfeit bitcoins, you can steal them, and once they are stolen they may very well be gone for good. Various parts of the cryptocurrency ecosystem still require development in order to provide a higher level of security for users”.

Indeed. In fact, EY’s own ICO research found that as much as 10 percent of the total funding through ICOs may have been subject to theft or fraud, to the tune of £290 million.

Cyber-security strategist at Juniper Networks, Nick Bilogorskiy, emphasises, “It is important to make a distinction between the technologies of cryptocurrency and blockchain. While the former has been used mostly for nefarious purposes, the latter has plenty of genuine use cases, for example, decentralised storage, and preventing fraud and data theft. Blockchain technology has no single point of failure, which highly decreases the chances of a successful DDoS attack”.

In fact, blockchain is so resilient that cyber-criminals are already finding ways of using it to make their own infrastructure harder to take down or hijack, as recently reported in SC Magazine.

Cryptocurrencies are just the tip of the iceberg

Just as AOL and email were to the internet, cryptocurrencies are the tip of the iceberg when it comes to blockchain technology. After all, they haven’t been banned by the Bank of England and other institutions, despite the growing concern about criminal use cases.

European central banks and regulators, in fact, have a tradition of encouraging innovation (not to mention sniffing out a financial opportunity) and it’s becoming clearer by the day that blockchain presents plenty of these.

Kevin Curran, IEEE senior member and professor of cyber-security at Ulster University says, “The blockchain has an important role to play in the security of the Internet of Things in the days ahead. Scaling the Internet of Things will prove difficult using traditional centralised models. There are also inherent security risks in the Internet of Things, such as disabling them should they become compromised and become parts of botnets, which has become a serious problem already… Blockchain technology could potentially allow billions of connected IoT devices to communicate in a secure yet decentralised ecosystem, which also allows consumer data to remain private”.

Moreover, according to Brody, we can soon expect to see the blockchain touching most areas of our lives. “Cryptocurrencies – and the blockchains they run on – are a technical revolution that should enable a transformational set of new business technologies. It offers secure, reliable, disintermediated collaboration between companies doing business with each other. We think everything from the digital media business to supply chains will be transformed with this technology in the coming years”.

From empowering and connecting people currently overlooked by the legal and banking systems, to resolving electoral fraud, creating transparency in the supply chain, and reducing costs; the potential of the blockchain is practically limitless.

But it isn’t all utopia yet.

While blockchains themselves are natively secure, secondary software, such as wallets and exchanges, are often notably less so. Ownership of open source projects remains an under-addressed issue that may ultimately impact version updating and liability. Smart contracts rely on oracles to report external data, and this technology is still underdeveloped and problematic.

Regulation remains the elephant in the room. Everyone agrees that regulation in some shape or form will have to take place, but no one agrees on what it will look like, the form it will take from jurisdiction to jurisdiction – or the impact it may have on curtailing blockchain innovations.

Until these teething troubles are resolved and we begin to gain a better understanding of the technology, cryptocurrencies may continue to be hijacked by bottom feeding lowlives to facilitate their lifestyles. But whatever your stance on digital money, you’ll surely agree there’s a lot more to crypto than meets the eye.

Source: https://www.scmagazineuk.com/cryptocurrency-just-for-tax-avoidance-paying-cyber-hold-ups-anonymously/article/750236/


New world record DDoS attack hits 1.7Tbps days after landmark GitHub outage

Just a week after code repository GitHub was knocked offline by the world’s largest recorded distributed denial-of-service (DDoS) attack, the same technique has been used to direct an even bigger attack at an unnamed US service provider.

According to DDoS protection outfit Arbor Networks, that US service provider survived an attack that reached an unprecedented 1.7Tbps.

Last week Arbor, Cloudflare and Akamai reported an uptick in amplification attacks that abuse memcached servers to ramp up traffic by a factor of up to 50,000.

Within a day of Cloudflare reporting that attackers were abusing open memcached servers to power DDoS attacks, GitHub was taken offline for about 10 minutes by an attack that peaked at 1.35Tbps.

Memcached is an in-memory caching system used to speed up websites that rely on external databases. Memcached servers should never be exposed to the internet, although at any given time over 100,000 are, according to Rapid7.

The attacks involve sending small requests, with the source address spoofed to the target’s IP, to the default UDP port (11211) of exposed memcached servers, which then send their much larger responses to the target.
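To make concrete why a request of a few bytes can produce a megabyte of reply, here is an added example in Go (written for this page; not code from the article, from memcached or from any of the vendors quoted). It builds the UDP `get` datagram memcached accepts on port 11211, splits a reply across datagrams the way the server does, and computes the byte amplification, counting only reply datagrams whose frame header matches the request. The 8-byte memcached UDP frame header (request ID, sequence number, total datagrams, reserved) and the `VALUE ... END` text reply are the real protocol; the 1,400-byte per-datagram payload limit is memcached’s compiled-in UDP payload size as this example assumes it; the key, the 1 MB value and the request ID are constructed sample data.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame is one memcached UDP datagram: the 8-byte header memcached puts in
// front of every datagram (request ID, sequence number, total datagrams in
// the reply, two reserved zero bytes) followed by the text payload.
type Frame struct {
	RequestID uint16
	Seq       uint16
	Total     uint16
	Payload   []byte
}

// BuildGet produces the datagram a client, or an attacker spoofing the
// victim's source address, sends to UDP/11211 to fetch one key.
func BuildGet(reqID uint16, key string) []byte {
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint16(hdr[0:], reqID)
	binary.BigEndian.PutUint16(hdr[2:], 0) // sequence number
	binary.BigEndian.PutUint16(hdr[4:], 1) // a request is a single datagram
	// bytes 6-7 stay zero (reserved)
	return append(hdr, []byte("get "+key+"\r\n")...)
}

// ParseFrame splits a datagram into header and payload, rejecting anything
// that cannot be a memcached UDP frame. A capture-side detector uses the
// same checks to recognise reflected memcached replies.
func ParseFrame(dgram []byte) (Frame, error) {
	if len(dgram) < 8 {
		return Frame{}, errors.New("too short for a memcached UDP header")
	}
	if binary.BigEndian.Uint16(dgram[6:]) != 0 {
		return Frame{}, errors.New("reserved bytes not zero")
	}
	f := Frame{
		RequestID: binary.BigEndian.Uint16(dgram[0:]),
		Seq:       binary.BigEndian.Uint16(dgram[2:]),
		Total:     binary.BigEndian.Uint16(dgram[4:]),
		Payload:   dgram[8:],
	}
	if f.Total == 0 || f.Seq >= f.Total {
		return Frame{}, errors.New("bad sequence/total")
	}
	return f, nil
}

// EncodeValueReply builds the server's reply for one key the way memcached
// sends it over UDP: the text "VALUE <key> <flags> <bytes>\r\n<data>\r\nEND\r\n"
// cut into datagrams of at most chunk payload bytes, each carrying its own
// header with the same request ID. Used here only to construct sample
// traffic; a real server produces these itself.
func EncodeValueReply(reqID uint16, key string, value []byte, chunk int) [][]byte {
	var text bytes.Buffer
	fmt.Fprintf(&text, "VALUE %s 0 %d\r\n", key, len(value))
	text.Write(value)
	text.WriteString("\r\nEND\r\n")
	raw := text.Bytes()
	total := (len(raw) + chunk - 1) / chunk
	out := make([][]byte, 0, total)
	for i := 0; i < total; i++ {
		hdr := make([]byte, 8)
		binary.BigEndian.PutUint16(hdr[0:], reqID)
		binary.BigEndian.PutUint16(hdr[2:], uint16(i))
		binary.BigEndian.PutUint16(hdr[4:], uint16(total))
		end := (i + 1) * chunk
		if end > len(raw) {
			end = len(raw)
		}
		out = append(out, append(hdr, raw[i*chunk:end]...))
	}
	return out
}

// Amplification returns reply bytes divided by request bytes, counting only
// datagrams whose frame header carries the request's ID.
func Amplification(request []byte, replies [][]byte) (float64, error) {
	req, err := ParseFrame(request)
	if err != nil {
		return 0, err
	}
	replyBytes := 0
	for _, d := range replies {
		f, err := ParseFrame(d)
		if err != nil || f.RequestID != req.RequestID {
			continue
		}
		replyBytes += len(d)
	}
	return float64(replyBytes) / float64(len(request)), nil
}

func main() {
	req := BuildGet(0x1234, "k")                          // 15 bytes on the wire
	value := bytes.Repeat([]byte("A"), 1<<20)             // 1 MB, memcached's default item limit
	replies := EncodeValueReply(0x1234, "k", value, 1400) // 750 datagrams
	amp, _ := Amplification(req, replies)
	fmt.Printf("request %d bytes, %d reply datagrams, amplification %.0fx\n", len(req), len(replies), amp)
}
```

Two details matter for defenders. The amplification is bounded only by what is stored under the key, and a request can name several keys, so the factor is attacker-controlled rather than fixed as it is for NTP or CharGEN. And because every reply datagram carries the same request ID and a sequence/total pair, reflected memcached traffic is easy to fingerprint at the victim: UDP from source port 11211 with the 8-byte header and a `VALUE` payload, something no public-facing host should ever receive.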

The attacks appear to be getting larger by the day. Before the attack on GitHub, Arbor Networks reported seeing attacks exceeding 500Gbps.

Arbor Networks’ Carlos Morales predicts memcached attacks won’t be going away any time soon because of the number of exposed memcached servers.

“While the internet community is coming together to shut down access to the many open memcached servers out there, the sheer number of servers running memcached openly will make this a lasting vulnerability that attackers will exploit,” he wrote.

Morales’ colleague Roland Dobbins believes the memcached DDoS attacks were initially used exclusively by skilled attackers who launched them manually, but that they have since been automated and offered through rental ‘booter’ or ‘stresser’ services.

He notes that the potential for abusing memcached servers in amplification attacks was revealed by Chinese researchers in November 2017, but that as early as 2010 researchers had found insecure memcached servers exposed across the world.

As Ars Technica reports, some people attacking memcached servers are attaching a ransom note instructing targets to “Pay 50 XMR” or the equivalent of $18,415 to a specified wallet.

Rapid7’s internet-wide Project Sonar scanner found over 100,000 exposed memcached servers at any given time.

Image: Rapid7

Source: http://www.zdnet.com/article/new-world-record-ddos-attack-hits-1-7tbps-days-after-landmark-github-outage/


‘First true’ native IPv6 DDoS attack spotted in wild

First in-the-wild IPv6 DDoS attack hits servers, with portents of more to come. The DNS dictionary attack originated from around 1,900 different native IPv6 hosts, on more than 650 different networks.

The first documented native IPv6 DDoS attack has been spotted in the wild over the weekend.

The DNS dictionary attack originated from around 1,900 different native IPv6 hosts, on more than 650 different networks and targeted authoritative DNS service Neustar’s network.

The distributed attack demonstrates that hackers are deploying new methods for IPv6 attacks, as widely predicted, rather than simply replicating IPv4 attacks over IPv6, according to Neustar.

Barrett Lyon, head of research and development, Neustar, told SC Media UK: “We’ve been expecting this event for a while, but it has now happened. We’ve also seen a real ramping up of IPv4 attacks this year too – nearly double compared to the same period in 2017 – but IPv6 attacks present some unique issues that can’t be easily solved. One example is the sheer number of addresses available to an attacker can exhaust the memory of modern security appliances…”

IPv6 uses 128-bit addresses, giving more than 7.9×10^28 times as many addresses as IPv4, whose 32-bit space provides approximately 4.3 billion. That vastly larger space allows a far greater number of attacking sources, and because many newer network deployments support IPv6 while mitigation tools may not, the result is a patchwork quilt of adoption that is ideal for attackers to take advantage of.
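Lyon’s point that the address space itself can exhaust a security appliance’s memory is easy to reproduce. The following added Go example (written for this page, not Neustar’s code) implements the per-source table that a rate limiter or flood detector keeps, once keyed by the full /128 address and once by the /64 prefix, and feeds both a constructed flood of 100,000 distinct addresses from a single /64, which is what one IPv6 host with privacy addresses, or one attacker with a delegated prefix, can generate. The SourceTracker type, the 2001:db8:abcd:1::/64 sample prefix and the packet count are assumptions.

```go
package main

import (
	"fmt"
	"net"
)

// SourceTracker counts packets per source bucket, as a rate limiter or
// flood detector does. Keying IPv6 by the full /128 lets a single /64
// (2^64 addresses) create a new table entry per packet; keying by /64
// bounds the table by the number of subnets actually talking to us.
type SourceTracker struct {
	v6PrefixBits int
	counts       map[string]int
}

func NewSourceTracker(v6PrefixBits int) *SourceTracker {
	return &SourceTracker{v6PrefixBits: v6PrefixBits, counts: map[string]int{}}
}

// Key normalises an address to its tracking bucket: IPv4 stays a host
// address, IPv6 is masked to the configured prefix length.
func (t *SourceTracker) Key(ip net.IP) string {
	if v4 := ip.To4(); v4 != nil {
		return v4.String()
	}
	masked := ip.Mask(net.CIDRMask(t.v6PrefixBits, 128))
	return fmt.Sprintf("%s/%d", masked, t.v6PrefixBits)
}

// Observe records one packet from ip.
func (t *SourceTracker) Observe(ip net.IP) { t.counts[t.Key(ip)]++ }

// Entries is the table size, which is the memory the appliance has to hold.
func (t *SourceTracker) Entries() int { return len(t.counts) }

// Count is how many packets have been attributed to ip's bucket.
func (t *SourceTracker) Count(ip net.IP) int { return t.counts[t.Key(ip)] }

// floodFromOneSubnet builds n packets from distinct addresses inside one
// /64 (constructed input; the interface identifier is just a counter).
func floodFromOneSubnet(n int) []net.IP {
	base := net.ParseIP("2001:db8:abcd:1::")
	ips := make([]net.IP, n)
	for i := 0; i < n; i++ {
		ip := make(net.IP, 16)
		copy(ip, base)
		ip[12], ip[13], ip[14], ip[15] = byte(i>>24), byte(i>>16), byte(i>>8), byte(i)
		ips[i] = ip
	}
	return ips
}

func main() {
	flood := floodFromOneSubnet(100000)
	per128 := NewSourceTracker(128)
	per64 := NewSourceTracker(64)
	for _, ip := range flood {
		per128.Observe(ip)
		per64.Observe(ip)
	}
	fmt.Printf("/128 keying: %d table entries, each with count 1, no threshold ever trips\n", per128.Entries())
	fmt.Printf("/64 keying:  %d table entry with count %d\n", per64.Entries(), per64.Count(flood[0]))
}
```

With /128 keys the flood looks like 100,000 well-behaved sources and the table grows without bound; with /64 keys it is one source that has sent 100,000 packets, which is the view a threshold can act on. In practice the bucket size is a policy decision: /64 is the smallest unit an ISP hands out, so it treats a whole subnet as one customer, and a deployment will usually escalate (per /64, then per /48) and only track individual /128s for sources already over a threshold, so that the fine-grained state stays bounded.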

Wesley George, principal engineer, SiteProtect Network Engineering, Neustar told SC Media UK: “There is a big challenge here, but there has been a lot of progress made in the last few years. The best practice guidance is out there, and it is clear that IPv6 needs to be treated as a first class citizen now. In many cases it is about visibility – we see companies with great telemetry for IPv4, and it’s essential that security stances are able to do the same for IPv6 traffic.”

Neustar’s UltraDNS service handles 10 percent of all internet traffic, customers include Tesco, Forbes.com, PurpleBricks and NetRefer. The number of Alexa Top 1000 websites currently reachable over IPv6 has hit 26.9 percent, according to the IPv6 launch website, and it is clear that there will be more work for security professionals in the IPv6 pipeline.

In January 2017, Internet Engineering Task Force (IETF) contributor Fernando Gont co-authored RFC 8021, which recommends that IPv6 nodes stop generating “atomic fragments” (fragments that carry a whole packet), closing a fragmentation-based attack vector against IPv6 routers in large-scale networks. The vector has been the subject of much debate and was the topic of a Black Hat 2012 presentation.

Source: https://www.scmagazineuk.com/first-true-native-ipv6-ddos-attack-spotted-in-wild/article/747217


Memcached Servers Being Exploited in Huge DDoS Attacks

Multiple vendors this week say they have seen a recent spike in UDP attacks coming in via port 11211.

Multiple security vendors this week are warning about threat actors for the first time exploiting unprotected Memcached servers to launch dangerously large denial-of-service attacks against target organizations.

German DDoS mitigation service provider Link11, one of those to report on the new activity, says that over the past few days it has observed massive UDP attacks in which Memcached servers have been used as an amplification vector.

Each of the high-bandwidth attacks that Link11 observed in late February has exceeded 100 Gbps, with peaks of well over 400 Gbps. The attacks went on over multiple consecutive days and lasted up to 10 minutes on average, according to the company.

Akamai Technologies says this Monday it mitigated a 190 Gbps Memcached attack that generated over 17 million packets per second. Cloudflare, another vendor to report on the previously unseen attack type, says that over the past two days it has seen an increase in UDP attacks coming in via UDP port 11211, the port associated with Memcached services.

The company says the peak inbound UDP Memcached traffic it has seen so far is 260 Gbps, which is massive for a completely new amplification vector.

Memcached is open source software that many organizations install on their servers to increase performance speed. It works by caching data in system memory and is designed purely for use behind firewalls and on enterprise LANs, says Link11 CTO Karsten Desler. But many organizations have deployed Memcached hosts that are completely accessible from the public Internet. All that attackers have to do is to search for these hosts and then use them to direct high-volume DDoS traffic at a victim.

Desler says a recent Link11 scan showed at least 5,000 Memcached servers deployed on the public Internet that are open for exploit. These servers give attackers a way to generate massive volumes of DDoS traffic with even a relatively small bandwidth connection and minimal input.

“The amplification factor with Memcached servers is hundreds of times larger than DNS,” says Desler. “You need a lot fewer servers to get the same bandwidth [compared to] using DNS, NTP, or any other amplification vector,” he says.

With DNS amplification, for instance, an attacker might be able to generate a 50KB response to a 1KB request. But with a Memcached server, an attacker would be able to send a 100-byte request and get a 100MB or even 500MB response in return. In theory, at least, the amplification could be unlimited, Desler says.

Security researchers have previously warned about Internet-facing Memcached servers being open to data theft and other security risks. Desler theorizes one reason why attackers have not used Memcached as an amplification vector in DDoS attacks previously is simply because they have not considered it and not because of any technical limitations.

Exploiting Memcached servers is new as far real-world DDoS attacks are concerned, says Chad Seaman, senior engineer, with Akamai’s Security Intelligence Response Team. “A researcher had theorized this could be done previously,” Seaman says. “But as Memcached isn’t meant to run on the Internet and is a LAN-scoped technology that is wide open, he thought it could really only be impactful in a LAN environment.”

But the use of default settings and reckless administration overall among many enterprises has resulted in a situation where literally tens of thousands of boxes running Memcached are on the public-facing Internet, Seaman says. “And now the DDoS attackers have found them and appear to be capitalizing on them before significant clean-up efforts take place.”

What makes the attacks worrisome is that Memcached services are deployed on servers and in hardware pools with plenty of bandwidth and resources. Unlike typical reflected attacks with mostly static payloads — like CharGen and NTP — that cannot be easily modified, with Memcached reflection an attacker has much more control over the payload. This gives them the potential to do a lot more damage, Seaman says.

The primary problem is that Memcached, with its lack of authentication or controls, is world readable and writable. It’s also very fast, as it does all data management directly in memory, and by default it supports key value stores of up to 1MB.

So, if attackers can find suitably beefy machines and load them up with as many keys as they want, they can use the box to launch waves of traffic with amplification rates far exceeding the norm for DDoS attacks, Seaman says. “In theory, an attack could unleash gigs of traffic from a single machine with a packet that’s only a few dozen bytes.”

Mitigation at this point is basically blocking traffic from source port 11211 at the router, firewall, and elsewhere along the network edge, adds Domingo Ponce, director of global security operations at Akamai. Organizations also need to ensure they have the bandwidth to absorb the attacks while allowing legitimate traffic to remain up.

“It’s real and we’ve seen it,” Ponce says. “At the end of the day, your pipes better be big enough.”
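The mitigation Ponce describes, blocking traffic sourced from port 11211 at the network edge, can also be turned into a detection check on flow telemetry. The following is an added example for this digest, not code from the Dark Reading article, Akamai or any of the people quoted: it parses constructed flow records (addresses from the RFC 5737 documentation ranges, counts chosen to mirror the 100 MB and 500 MB responses mentioned above), flags UDP flows whose source port is 11211, totals the reflected volume per reflector so the noisiest sources can be reported for clean-up, and computes the amplification factor of a request/response pair. The record format, the `Flow` class and the helper names are assumptions of this example, not a real exporter's schema.

```python
"""Detection helper for memcached (UDP/11211) reflection traffic.

Added example for this digest; not code from the Dark Reading article or
from Akamai. Flow record format, Flow class and helper names are assumed.
"""

from dataclasses import dataclass
from typing import Dict

MEMCACHED_PORT = 11211  # memcached's default port, as named in the article


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    nbytes: int


# Constructed sample records (not real telemetry) in a simplified
# "proto src_ip:src_port > dst_ip:dst_port bytes" form.
SAMPLE_FLOWS = """\
udp 203.0.113.10:11211 > 198.51.100.7:443 104857600
udp 203.0.113.11:11211 > 198.51.100.7:443 524288000
udp 203.0.113.10:11211 > 198.51.100.7:80 104857600
udp 198.51.100.9:53 > 198.51.100.7:40000 512
tcp 192.0.2.8:11211 > 192.0.2.9:50000 1200
udp 203.0.113.20:123 > 198.51.100.7:443 468
"""


def parse_flow(line: str) -> Flow:
    """Parse one 'proto src:port > dst:port bytes' record."""
    proto, src, arrow, dst, nbytes = line.split()
    if arrow != ">":
        raise ValueError(f"malformed record: {line!r}")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(proto.lower(), src_ip, int(src_port), dst_ip, int(dst_port), int(nbytes))


def is_memcached_reflection(flow: Flow) -> bool:
    """True for UDP traffic sourced from port 11211: the signature of a
    reflected memcached response arriving at a victim. TCP memcached on an
    internal segment does not match, so legitimate LAN use is not flagged."""
    return flow.proto == "udp" and flow.src_port == MEMCACHED_PORT


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bytes returned per byte sent. The article's 100-byte request with a
    100 MB response works out to roughly a million-fold amplification."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


def reflection_volume_by_source(records: str) -> Dict[str, int]:
    """Sum the bytes of flagged flows per reflector IP so the largest
    reflectors can be reported to their owners or filtered at the edge."""
    totals: Dict[str, int] = {}
    for line in records.strip().splitlines():
        flow = parse_flow(line)
        if is_memcached_reflection(flow):
            totals[flow.src_ip] = totals.get(flow.src_ip, 0) + flow.nbytes
    return totals


if __name__ == "__main__":
    for ip, total in sorted(reflection_volume_by_source(SAMPLE_FLOWS).items()):
        print(f"{ip}: {total / 2**20:.0f} MiB of udp/11211 responses")
    print(f"amplification 100 B -> 100 MiB: x{amplification_factor(100, 100 * 2**20):.0f}")
```

The check deliberately keys on protocol plus source port rather than on payload size, because the article's point is that the payload is attacker-controlled; the TCP record from an internal host is left alone so that a legitimate LAN deployment does not trip the rule. At the edge the same condition is what a drop rule such as `iptables -A INPUT -p udp --sport 11211 -j DROP` expresses, but as Ponce notes, filtering only helps if the upstream pipe can carry the flood to the filter in the first place.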

Source: https://www.darkreading.com/attacks-breaches/memcached-servers-being-exploited-in-huge-ddos-attacks/d/d-id/1331149?

Storage Terminals need protection against cyber attacks

Cyber security is a subject that we read about almost every week and one thing is for sure, we need to take the matter more seriously both at a business and personal level.

This is a key focus at the forthcoming StocExpo Europe conference and exhibition in Rotterdam.

The tank storage industry has its own cyber security challenges, with many terminals in existence using older equipment which is often susceptible to cyber-attack. Terminal owners and tank storage operators must protect their assets from cyber-attacks by ensuring that their entire automation and control systems are compliant with IEC 62443, the de facto standard for the operational technology environment worldwide. The European Union has recognised the potential threats businesses face, and as such is in the process of developing the new IACS Cyber Security Framework.

There are two major threats that terminals and tank storage companies should be aware of: ransomware and Denial of Service (DDoS). Of course, there is also the threat of general cyber espionage to consider. On initial reading of this latter point, cyber espionage may not seem relevant to the terminal and tank storage industry, until you consider that cyber criminals could use programs to manipulate and influence the stock market through interference with the production process. Of course, that in turn opens up issues of health and safety.

Today many terminal operators are taking active steps to determine the current state of cyber security in order to identify key risks. For example, establishing whether equipment, installation or control systems are directly connected to the internet without the appropriate protection.

Companies such as Hudson Cybertec often begin this process by conducting interviews that look at the organizational structure, reviewing policies and procedures, and reviewing technology. These three pillars are important because investing in technology alone is not the answer. Speaking at the upcoming StocExpo Europe exhibition and conference, which is being held in Rotterdam on 20-22 March, Marcel Jutte, Managing Director of Hudson Cybertec, and Ruud Timmermans, Automation Engineer at VTTI, will be addressing the entire subject of cyber security as it affects the terminal and tank storage industry and will be giving best practice advice to those delegates in attendance.

Several exhibitors will also be showcasing their innovative solutions, products and services focused around security and safety, including:

· Zhejiang Dahua Technology, a leading solution provider in the global video surveillance industry, will be showcasing their network cameras that provide an all-in-one solution to capturing long distance surveillance for outdoor applications.

· Eccos, who have extensive experience in safety and security projects, will be showcasing three new products: Orgman (a computerized management system), Epsimax (an advanced software solution) and a new internal corrosion monitoring system.

Visitors attending StocExpo Europe 2018 can find out more information at the show about the latest innovations and developments and how they are improving security within the industry. Attendees are encouraged to register online at www.stocexpo.com to ensure free entry to the event.

Source: http://www.oilandgastechnology.net/news/storage-terminals-need-protection-against-cyber-attacks

Interpol Tests Global Cops with IoT Simulation

Interpol last week held a simulated training exercise for global investigators designed to help overcome Internet of Things (IoT) skills shortages.

The international police organization’s annual Digital Security Challenge saw 43 cybercrime investigators and digital forensics experts from 23 countries face a simulated cyber-attack on a bank launched through an IoT device.

During the course of the simulation, investigators found that the malware was sent in an email attachment via a hacked webcam, and not direct from a computer.

Interpol claimed this is an increasingly popular tactic designed to obfuscate the source of attacks, but warned that police may not have the skills to forensically examine IoT devices.

“The ever-changing world of cybercrime is constantly presenting new challenges for law enforcement, but we cannot successfully counter them by working in isolation,” said Noboru Nakatani, executive director of the Interpol Global Complex for Innovation.

“A multi-stakeholder approach which engages the expertise of the private sector is essential for anticipating new threats and ensuring police have access to the technology and knowledge necessary to detect and investigate cyber-attacks.”

The first two Digital Security Challenge exercises in 2016 and 2017 simulated cyber-blackmail involving Bitcoin and a ransomware attack, so the new focus on IoT is reflective of the changing nature of threats.

Last week, Trend Micro claimed in its 2017 roundup report that IoT devices are increasingly being “zombified” to mine crypto-currency and launch cyber-attacks like DDoS.

Hackers can target exposed IoT endpoints to infiltrate corporate networks, conscript them into botnets or even interfere with critical infrastructure.

However, nearly half (49%) of all IoT “events” observed by the security vendor last year — amounting to a total of 45.6 million — involved crypto-currency mining.

Adam Brown, security solutions manager at Synopsys, argued that IoT attacks will continue until firmware flaws are addressed.

“Good practices by vendors around configuration and authentication need to be initiated or matured to prevent this in future,” he added.

“I would love to see certification for IoT devices become commonplace so that consumers can know that the devices are cyber-safe, much in the same way that if you buy a toy with a CE mark you know it has been through a process of assessment and it won’t, for example, poison anyone because it has lead in its paint.”

Source: https://www.infosecurity-magazine.com/news/interpol-tests-global-cops-with/

DDoS Costs Skyrocket for SMBs and Enterprises Alike

The financial impact of a distributed denial-of-service (DDoS) attack is continuing to rise globally – with significant cost spikes for both small to medium-sized businesses (SMBs) and enterprises per attack.

Kaspersky Lab’s IT Security Risks Survey 2017, which polled 5,200 business representatives from 29 countries, shows that whether as the result of a single incident or as part of a multi-faceted cyberattack, the financial cost of reacting to a DDoS attack in 2017 was $123,000 per incident for SMBs, compared to $106,000 in 2016.

For enterprises, the cost has soared by more than half a million dollars – from $1.6 million in 2016 to $2.3 million in 2017 on average per attack. The rising financial costs of DDoS attacks, coupled with unquantifiable impacts such as reputational damage, are crippling for many organizations.

When asked about the specific consequences experienced as a result of a DDoS attack, most organizations (33%) claim that the cost incurred in fighting the attack and restoring services is the main burden, while a quarter (25%) cited money spent investing in an offline or back-up system while online services are unavailable. Additionally, 23% said that a loss of revenue and business opportunities occurred as a direct result of DDoS attacks, whereas 22% listed the loss of reputation among clients and partners as another direct consequence of a DDoS attack.

Previous Kaspersky Lab research also found that the attack rate is accelerating, with more than a third (33%) of organizations facing a DDoS attack in 2017, compared to just 17% in 2016. Even so, organizations are undereducated about taking steps to protect themselves. For instance, they often expect third parties to protect their businesses.

According to the research, 34% of organizations expect their ISP will protect them from DDoS attacks, and another 26% expect their data center or infrastructure partners will do so. Additionally, nearly a third (28%) claim that it is unlikely that they will be targeted by a DDoS attack in general.

“DDoS attacks, whether standalone or as part of an attack arsenal, can cost an organization thousands, if not millions – that’s without counting reputational damage and lost clients and partners as a result,” said Kirill Ilganaev, head of Kaspersky DDoS protection, Kaspersky Lab. “It is therefore wise to be aware of these threats and invest in their own protective measures in advance. It is also important to choose reliable specialized security solutions that are based on cybersecurity expertise and tailored to fight the most sophisticated DDoS attacks organizations face today.”

Source: https://www.infosecurity-magazine.com/news/ddos-costs-skyrocket-for-smbs/
