Bigger, Faster, Stronger: 2 Reports Detail the Evolving State of DDoS

DDoS attacks continue to plague the Internet, getting bigger and more dangerous. And now, the kids are involved

DDoS attacks don’t arrive on little cat feet; they announce their presence with the subtlety of a shovel to the face. Two just-released reports show that these loud DDoS attacks are getting louder, larger, and more numerous with the passage of time.

Verisign released its Q1 2018 DDoS Trends Report and Akamai published its State of the Internet/Security Summer 2018 report and neither was filled with good news if your job is defending a company or network against DDoS attacks. Together, the two reports paint a detailed and disturbing picture of the way DDoS attacks are evolving to be both more common and more dangerous.

Both reports noted the largest DDoS attack in the period, a 170 Gbps, 65 Mpps (million packets per second) operation notable for two things: its target and its originator.

The target was not a single organization or individual. It was, instead, an entire /24 subnet on the Internet. The size of the attack and the broad target meant that scores of websites and services around the world felt the effects.

Akamai’s report notes that the threat actor was also notable, given that it was a 12-year-old who originated the attack mechanism on YouTube and coordinated the attack through Steam (an online game-playing platform) and IRC.

When adolescents can use YouTube to launch a globe-spanning attack, it marks the dawn of a new definition of “script kiddies.”

“I believe [kids are] growing up faster because they’re exposed to it,” says Lisa Beegle, senior manager of information security at Akamai, when asked about the age of this attack developer. “They also have a greater amount of time they can commit to it.” She continues, “Was this kid as smart as an adult threat actor? No, but there was still a level of sophistication as to the target.”

That target was hit with a reflection and massive amplification attack using memcached — an attack that saw a returned payload directed at the victim subnet that was 51,000 times the size of the spoofed request sent by the attacker.

While memcached has been in existence for 15 years, this attack seems to be the first major assault using the function in a malicious manner. Since it is a distributed memory object caching system, memcached becomes a very effective tool in the DDoS attacker’s arsenal.

While new attacks are available, the Verisign report notes that UDP floods remain the favorite DDoS mechanism, accounting for roughly half of all attacks seen in the quarter. TCP attacks were the next most common, involved in approximately one-quarter of the attacks. In many cases, though, both types (and others) could be involved, since 58% of attacks involved multiple attack types in a single event.

The nature of attacks continues to evolve through the industry. “Last year, we were seeing smaller attacks that were coming in under the radar — they were causing an impact in 30 seconds, before we could see it and respond,” Beegle says. Now, “I’ve seen attacks that were a week long, where [the attacker] changed the dynamics during the attack,” she says. Moving forward, Beegle expects both types of attacks to continue. “I think there will always be the mix, depending on who the target is and who the attacker is,” she says. “We’ve seen some nation-state action and that will always be different than the script kiddies.”

Source: https://www.darkreading.com/attacks-breaches/bigger-faster-stronger-2-reports-detail-the-evolving-state-of-ddos/d/d-id/1332213

Botnets Evolving to Mobile Devices

Millions of mobile devices are now making requests in what’s described as “an attack on the economy.”

Botnets have tended to hide in the nooks and crevices of servers and endpoint devices. Now a growing number are hiding in the palms of users’ hands. That’s one of the conclusions of a new report detailing the evolving state of malicious bots.

“Mobile Bots: The Next Evolution of Bad Bots” examined requests from 100 million mobile devices on the Distil network from six major cellular carriers during a 45-day period. The company found that 5.8% of those devices hosted bots used to attack websites and apps – which works out to 5.8 million devices humming away with activity that their owners know nothing about.

“The volume was a surprise,” says Edward Roberts, senior director of product marketing at Distil Networks. The research team even took another sampling run to verify the number, he says. In all, “one in 17 network requests was a bad bot request,” Roberts says.

Another significant step in the evolution of these bots is their use. The “traditional” use of botnets is as an engine for distributed denial-of-service (DDoS) attacks or spam campaigns. These mobile bots, though, seem to be focused on a different sort of attack.

“It’s an attack on the economy,” Roberts says, describing the activity in which bots repeatedly scrape prices from a retail site so that a competitor can constantly match or undercut the price.

Another activity for these mobile bots is hunting through brand loyalty sites looking for login information so that premium products or “points” can be harvested for the botnet owner. A side effect of this type of activity is much lower traffic volume than that often seen in bot-infected devices.

“We only see an average of 50 requests a day from these devices,” Roberts says. “The activity is low and slow and highly targeted.” In this targeted activity, the nature of a cellular-connected device comes into play, as the IP address will change every time the device moves from one cell to another.

The one thing that hasn’t evolved is the way in which the devices become infected, the report points out. Tried-and-true infection mechanisms, including malicious file attachments in email, infected files behind website links, and drive-by infections that use redirected links, are all commonly found. As with desktop and laptop computers, the researchers recommend anti-malware software and user education as primary defenses against infection and botnet recruitment.

Source: https://www.darkreading.com/mobile/botnets-evolving-to-mobile-devices/d/d-id/1332182

Small businesses aren’t properly prepared for cyberattacks

Even though businesses all over the world are increasingly taking online protection seriously – they still aren’t 100 per cent confident they could tackle serious cybersecurity threats.

Polling 600 businesses in the US, UK and Australia, a study by Webroot found that new types of attacks are dominating in 2018 (compared to the year before) but that the cost of a breach is decreasing, as well.

Phishing has taken the number one spot as the most dangerous type of attack, from malware. Ransomware is also up, from fifth to third, mostly thanks to the large success of WannaCry.

With 25 per cent on a global scale, insider threats seem to be the least dangerous of the bunch.

When it comes to the UK in particular, ransomware is the biggest threat. SMBs are far less concerned about DDoS attacks in the UK, compared to their US counterparts, too.

The report has also taken a closer look at training and uncovered that even though almost all businesses do conduct training to teach their staff about cybersecurity, this training isn’t continuous. This leads to the next statistic: 79 per cent can’t say they are “completely ready to manage IT security and protect against threats.”

“As our study shows, the rise of new attacks is leaving SMBs feeling unprepared,” commented Charlie Tomeo, vice president of worldwide business sales, Webroot.

“One of the most effective strategies to keep your company safe is with a layered cybersecurity strategy that can secure users and their devices at every stage of an attack, across every possible attack vector.”

Source: https://www.itproportal.com/news/small-businesses-arent-prepared-for-cyberattacks/

Protonmail Hit By Yet Another DDoS Attack

Attack comes as scale, scope and sophistication of DDoS attacks rises sharply

Popular encrypted email provider Protonmail was this morning hit by the latest in a long-running series of malicious attacks on its infrastructure.

The privacy-focussed Geneva-based email provider, which has some 500,000 users, has faced numerous DDoS attacks since being founded.

As one of the only email providers which owns and manages all of its servers and network components such as routers and switches, it is in a unique position – particularly since the company is its own internet service provider.

In 2015 its servers were hit with a 50Gbps wall of “junk data” that threatened to torpedo the company.

After initially paying a ransom following an attack that took its main data centre offline, the company faced a further week-long assault from another adversary that targeted 15 different ISP nodes simultaneously, then attacked all the ISPs going into the datacentre using a wide range of sophisticated tactics.

No ransom nor responsibility claim was made.

The company, born from work done at CERN, has since partnered with DDoS protection specialists, Israel-headquartered Radware, and uses BGP redirection and GRE tunnels to defend itself. Today’s attack slowed email delivery and its VPN for several hours, but did not result in the loss of any emails, Protonmail said.

“Our network was hit by a DDoS attack that was unlike the more ‘generic’ DDoS attacks that we deal with on a daily basis. As a result, our upstream DDoS protection service (Radware) needed more time than usual to perform mitigation,” a ProtonMail spokesperson wrote in an email.

“Radware is making adjustments to their DDoS protection systems to better mitigate against this type of attack in the future. While we don’t yet have our own measurement of the attack size, we have traced the attack back to a group that claims to have ties to Russia, and the attack is said to have been 500 Gbps, which would be among the largest DDoS’s on record,” the spokesperson wrote.

Carl Herberger, Vice President for Security Solutions at Radware, earlier noted: “Corporations need to understand the severity of the Advanced Persistent DoS attacks, such as SMTP DoS, and review their security measures”.

“APDoS is akin to the way bomber aircraft would jam radar systems many years ago – the type of attack is so varied and frequent that it becomes near impossible to detect them all, and more importantly difficult to mitigate them without impacting your legitimate web traffic.”

DDoS Attacks Continue to Rise

The attack comes after a new report from Akamai revealed that there was a 16 percent increase in the number of DDoS attacks recorded since last year, with the largest DDoS attack of the year setting a new record at 1.35 Tbps by using a memcached reflector attack.

Akamai said in its State of the Internet report: “To understand the scale of such an attack, it helps to compare it to the intercontinental undersea cables in use today. The TAT-14 cable, one of many between the US and Europe, is capable of carrying 3.2 Tbps of traffic, while the Japan-Guam-Australia cable, currently under construction, will be capable of 36 Tbps. Neither of these hugely important cables would have been completely swamped by February’s attack, but an attack of that magnitude would have made a significant impact on intercontinental traffic, if targeted correctly.”

The company’s researchers also identified a four percent increase in reflection-based DDoS attacks since last year and a 38 percent increase in application-layer attacks such as SQL injection or cross-site scripting.

Source: https://www.cbronline.com/news/protonmail-ddos

How to Prevent DDoS Attacks: 6 Tips to Keep Your Website Safe

Falling victim to a distributed denial of service (DDoS) attack can be catastrophic: The average cost to an organization of a successful DDoS attack is about $100,000 for every hour the attack lasts, according to security company Cloudflare.

There are longer term costs too: loss of reputation, brand degradation and lost customers, all leading to lost business. That’s why it is worth investing significant resources to prevent a DDoS attack, or at least minimize the risk of falling victim to one, rather than concentrating on how to stop a DDoS attack once one has been started.

In the first article in this series, we discussed how to stop DDoS attacks. If you’re fortunate enough to have survived an attack – or are simply wise enough to think ahead – we will now address preventing DDoS attacks.

Understanding DDoS attacks

A basic volumetric denial of service (DoS) attack often involves bombarding an IP address with large volumes of traffic. If the IP address points to a Web server, legitimate traffic will be unable to contact it and the website becomes unavailable. Another type of DoS attack is a flood attack, where a group of servers are flooded with requests that need processing by the victim machines. These are often generated in large numbers by scripts running on compromised machines that are part of a botnet, and result in exhausting the victim servers’ resources such as CPU or memory.

A DDoS attack operates on the same principles, except the malicious traffic is generated from multiple sources, although orchestrated from one central point. The fact that the traffic sources are distributed – often throughout the world – makes DDoS attack prevention much harder than preventing DoS attacks originating from a single IP address.

Another reason that preventing DDoS attacks is a challenge is that many of today’s attacks are “amplification” attacks. These involve sending out small data packets to compromised or badly configured servers around the world, which then respond by sending much larger packets to the server under attack. A well-known example of this is a DNS amplification attack, where a 60 byte DNS request may result in a 4,000 byte response being sent to the victim – an amplification factor of around 70 times the original packet size.

More recently, attackers have exploited a server feature called memcache to launch memcached amplification attacks, where a 15 byte request can result in a 750 kb response, an amplification factor of more than 50,000 times the original packet size. The world’s largest ever DDoS attack, launched against GitHub earlier this year, was a memcached amplification attack that peaked at 1.35 Tbps of data hitting GitHub’s servers.

The benefit to malicious actors of amplification attacks is that they need only a limited amount of bandwidth at their disposal to launch far larger attacks on their victims than they could do by attacking the victims directly.
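The amplification arithmetic in the paragraphs above (and the 51,000x memcached figure from the Verisign/Akamai report earlier on this page) is what a defender looks for in flow data at the network edge. The following Python script is an added example, not code from any of the reports or vendors quoted here: it groups inbound traffic from the two reflector ports the articles name (DNS on udp/53, memcached on udp/11211) by victim host and flags cases where several sources send near-full-size packets from a service whose ordinary answers are small. The flow records, field layout, IP addresses and thresholds are constructed for illustration.

```python
"""Heuristic reflection/amplification detector over flow records.

Added example, not code from the reports quoted on this page. The record
layout, thresholds and addresses below are assumptions made for illustration.
"""
from collections import defaultdict

# Reflector services named in the article: DNS (udp/53) and memcached (udp/11211).
REFLECTOR_PORTS = {53: "dns", 11211: "memcached"}

# Constructed flow records as seen at the victim's network edge:
# (src_ip, src_port, dst_ip, dst_port, packets, bytes), reflector -> victim.
SAMPLE_FLOWS = [
    # two DNS reflectors answering with ~4,000-byte responses (3 fragments each)
    ("203.0.113.10", 53, "198.51.100.5", 4444, 3, 4000),
    ("203.0.113.11", 53, "198.51.100.5", 4444, 3, 4000),
    # two memcached reflectors each returning ~750 kB across full-size packets
    ("203.0.113.12", 11211, "198.51.100.5", 5555, 512, 750000),
    ("203.0.113.13", 11211, "198.51.100.5", 5555, 512, 750000),
    # ordinary HTTPS response traffic: not a reflector port, ignored
    ("192.0.2.7", 443, "198.51.100.9", 51000, 40, 52000),
    # a normal-sized DNS answer to another host: small, single source
    ("203.0.113.20", 53, "198.51.100.9", 33333, 1, 90),
]


def amplification_factor(request_bytes, response_bytes):
    """Response size divided by request size (the article's 60 -> 4,000 bytes is ~67x)."""
    return response_bytes / request_bytes


def aggregate_by_victim(flows):
    """Sum bytes/packets and collect distinct reflector sources per (victim, service port)."""
    stats = defaultdict(lambda: {"bytes": 0, "packets": 0, "sources": set()})
    for src_ip, src_port, dst_ip, _dst_port, packets, nbytes in flows:
        if src_port not in REFLECTOR_PORTS:
            continue
        entry = stats[(dst_ip, src_port)]
        entry["bytes"] += nbytes
        entry["packets"] += packets
        entry["sources"].add(src_ip)
    return stats


def flag_reflection(flows, min_bytes_per_packet=1000, min_sources=2):
    """Flag (victim, service) pairs receiving near-MTU packets from several reflectors.

    DNS and memcached answers are normally far smaller than an MTU; many sources
    sending full-size packets to one host on such a port is the amplification signature.
    """
    alerts = []
    for (victim, port), s in aggregate_by_victim(flows).items():
        bytes_per_packet = s["bytes"] / s["packets"]
        if bytes_per_packet >= min_bytes_per_packet and len(s["sources"]) >= min_sources:
            alerts.append({
                "victim": victim,
                "service": REFLECTOR_PORTS[port],
                "sources": len(s["sources"]),
                "bytes": s["bytes"],
                "bytes_per_packet": round(bytes_per_packet),
            })
    # largest aggregate first, which is the order a responder wants to see
    return sorted(alerts, key=lambda a: a["bytes"], reverse=True)


if __name__ == "__main__":
    print(f"DNS 60 -> 4000 bytes: {amplification_factor(60, 4000):.0f}x")
    print(f"memcached 15 -> 750000 bytes: {amplification_factor(15, 750000):.0f}x")
    for alert in flag_reflection(SAMPLE_FLOWS):
        print(alert)
```

On the sample data the memcached aggregate (two sources, 1.5 MB) is flagged ahead of the DNS aggregate (two sources, 8 KB), while the single small DNS answer and the HTTPS traffic are left alone. The bytes-per-packet test is deliberately chosen over a raw byte count: a reflector cannot send packets larger than the path MTU, so "full-size packets from a port that should answer in a few hundred bytes" is the signature that survives regardless of how the attack is sized.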

Six steps to prevent DDoS attacks

1. Buy more bandwidth

Of all the ways to prevent DDoS attacks, the most basic step you can take to make your infrastructure “DDoS resistant” is to ensure that you have enough bandwidth to handle spikes in traffic that may be caused by malicious activity.

In the past it was possible to avoid DDoS attacks by ensuring that you had more bandwidth at your disposal than any attacker was likely to have. But with the rise of amplification attacks, this is no longer practical. Instead, buying more bandwidth now raises the bar which attackers have to overcome before they can launch a successful DDoS attack, but by itself, purchasing more bandwidth is not a DDoS attack solution.

2. Build redundancy into your infrastructure

To make it as hard as possible for an attacker to successfully launch a DDoS attack against your servers, make sure you spread them across multiple data centers with a good load balancing system to distribute traffic between them. If possible, these data centers should be in different countries, or at least in different regions of the same country.

For this strategy to be truly effective, it’s necessary to ensure that the data centers are connected to different networks and that there are no obvious network bottlenecks or single points of failure on these networks.

Distributing your servers geographically and topologically will make it hard for an attacker to successfully attack more than a portion of your servers, leaving other servers unaffected and capable of taking on at least some of the extra traffic that the affected servers would normally handle.

3. Configure your network hardware against DDoS attacks

There are a number of simple hardware configuration changes you can take to help prevent a DDoS attack.

For example, configuring your firewall or router to drop incoming ICMP packets or block DNS responses from outside your network (by blocking UDP port 53) can help prevent certain DNS and ping-based volumetric attacks.

4. Deploy anti-DDoS hardware and software modules

Your servers should be protected by network firewalls and more specialized web application firewalls, and you should probably use load balancers as well. Many hardware vendors now include software protection against DDoS protocol attacks such as SYN flood attacks, for example, by monitoring how many incomplete connections exist and flushing them when the number reaches a configurable threshold value.

Specific software modules can also be added to some web server software to provide some DDoS prevention functionality. For example, Apache 2.2.15 ships with a module called mod_reqtimeout to protect itself against application-layer attacks such as the Slowloris attack, which opens connections to a web server and then holds them open for as long as possible by sending partial requests until the server can accept no more new connections.
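Steps 4 describes two server-side rules: flush half-open TCP connections once their count passes a configurable threshold (SYN-flood protection), and cut off clients that never finish sending their request headers (the idea behind Apache's mod_reqtimeout against Slowloris). The Python below is an added example that models both rules over a constructed event timeline; it is not Apache's, a firewall vendor's or any project's code. The event format, the threshold of three half-open connections and the five-second header deadline are assumptions chosen so that the sample timeline exercises both paths.

```python
"""Model of two server-side DDoS defences: half-open connection flushing and
a request-header read deadline.

Added example, not code from any product named on this page. Event layout,
thresholds and connection ids are assumptions made for illustration.
"""


class ConnectionGuard:
    def __init__(self, max_half_open=3, header_deadline=5.0):
        self.max_half_open = max_half_open        # SYN-flood style threshold
        self.header_deadline = header_deadline    # seconds allowed to finish headers
        self.half_open = {}         # conn_id -> time the SYN arrived (no final ACK yet)
        self.reading_headers = {}   # conn_id -> time the handshake completed
        self.established = set()    # connections whose request headers arrived in full
        self.dropped = []           # (conn_id, reason) in the order they were cut off

    def on_syn(self, conn_id, now):
        """Record a new half-open connection and flush the oldest ones above the threshold."""
        self.half_open[conn_id] = now
        excess = len(self.half_open) - self.max_half_open
        if excess > 0:
            oldest_first = sorted(self.half_open, key=self.half_open.get)
            for cid in oldest_first[:excess]:
                del self.half_open[cid]
                self.dropped.append((cid, "half-open flush"))

    def on_ack(self, conn_id, now):
        """Final handshake ACK: the connection now has a deadline to send its headers."""
        if conn_id in self.half_open:      # an ACK for a flushed connection is ignored
            del self.half_open[conn_id]
            self.reading_headers[conn_id] = now

    def on_headers_complete(self, conn_id, now):
        """A complete request header block arrived before the deadline."""
        if conn_id in self.reading_headers:
            del self.reading_headers[conn_id]
            self.established.add(conn_id)

    def tick(self, now):
        """Drop connections that have been 'reading headers' longer than the deadline."""
        for cid, started in list(self.reading_headers.items()):
            if now - started > self.header_deadline:
                del self.reading_headers[cid]
                self.dropped.append((cid, "header timeout"))


# Constructed timeline: (time_seconds, event, conn_id).
SAMPLE_EVENTS = [
    (0.0, "syn", "c1"), (0.1, "syn", "c2"), (0.2, "syn", "c3"),
    (0.3, "syn", "c4"),            # fourth half-open connection: oldest (c1) is flushed
    (0.4, "ack", "c2"), (0.5, "ack", "c3"),
    (1.0, "headers", "c2"),        # a normal client finishes its headers quickly
    (2.0, "syn", "c5"), (2.1, "ack", "c5"), (3.0, "headers", "c5"),
    (7.0, "syn", "c6"),            # by now c3 has sat in header-read for 6.5 s: timed out
]


def run_events(events, **guard_kwargs):
    """Replay a timeline through the guard and return its final state."""
    guard = ConnectionGuard(**guard_kwargs)
    handlers = {"syn": guard.on_syn, "ack": guard.on_ack, "headers": guard.on_headers_complete}
    for now, kind, conn_id in events:
        guard.tick(now)             # expire stale header reads before handling the event
        handlers[kind](conn_id, now)
    return guard


if __name__ == "__main__":
    g = run_events(SAMPLE_EVENTS)
    print("established:", sorted(g.established))
    print("dropped:", g.dropped)
    print("still half-open:", sorted(g.half_open))
```

Replaying the sample timeline ends with c2 and c5 established, c1 flushed as a half-open connection and c3 dropped for a header timeout, while c4 and c6 remain half-open under the threshold. Production systems differ in the details: Linux, for example, answers excess SYNs with SYN cookies rather than discarding state, and Apache's mod_reqtimeout exposes the header deadline through its RequestReadTimeout directive, but the two decisions modelled here are the ones being made.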

5. Deploy a DDoS protection appliance

Many security vendors including NetScout Arbor, Fortinet, Check Point, Cisco and Radware offer appliances that sit in front of network firewalls and are designed to block DDoS attacks before they can take effect.

They do this using a number of techniques, including carrying out traffic behavioral baselining and then blocking abnormal traffic, and blocking traffic based on known attack signatures.

The main weakness of this type of approach of preventing DDoS attacks is that the appliances themselves are limited in the amount of traffic throughput they can handle. While high-end appliances may be able to inspect traffic coming in at a rate of up to 80 Gbps or so, today’s DDoS attacks can easily be an order of magnitude greater than this.

6. Protect your DNS servers

Don’t forget that a malicious actor may be able to bring your web servers offline by DDoSing your DNS servers. For that reason it is important that your DNS servers have redundancy, and placing them in different data centers behind load balancers is also a good idea. A better solution may even be to move to a cloud-based DNS provider that can offer high bandwidth and multiple points-of-presence in data centers around the world. These services are specifically designed with DDoS prevention in mind. For more information, see How to Prevent DNS Attacks.

Source: https://www.esecurityplanet.com/network-security/how-to-prevent-ddos-attacks.html

Hospitality industry under siege from botnets

The hospitality industry, including hotels, airlines and cruise lines, is the biggest target for cyber criminal botnet attacks that abuse credentials and overwhelm online systems, a report reveals

Cyber security defenders face increasing threats from bot-based credential abuse targeting the hospitality industry, a report shows.

Bot-based attacks are also being used for advanced distributed denial of service (DDoS) attacks, according to the Summer 2018 state of the internet/security: web attack report by Akamai Technologies.

The report is based on attack data from across Akamai’s global infrastructure and represents the research of a diverse set of teams throughout the company.

Analysis of current cyber attack trends for the six months from November 2017 to April 2018 reveals the importance of maintaining agility not only by security teams, but also by developers, network operators and service providers in order to mitigate new threats, the report said.

The use of bots to abuse stolen credentials continues to be a major risk for internet-driven businesses, but Akamai’s data revealed that the hospitality industry experiences many more credential abuse attacks than other sectors.

Akamai researchers analysed nearly 112 billion bot requests and 3.9 billion malicious login attempts that targeted sites in this industry. Nearly 40% of the traffic seen across hotel and travel sites is classified as “impersonators of known browsers”, which is a common technique used by cyber fraudsters.

Geographic analysis of attack traffic origination revealed that Russia, China and Indonesia were major sources of credential abuse for the travel industry during the period covered by the report, directing about half of their credential abuse activity at hotels, cruise lines, airlines, and travel sites. Attack traffic origination against the hospitality and travel industry from China and Russia combined was three times the number of attacks originating in the US.

“These countries have historically been large centres for cyber attacks, but the attractiveness of the hospitality industry appears to have made it a significant target for hackers to carry out bot-driven fraud,” said Martin McKeay, senior security advocate at Akamai and senior editor of the report.

While simple volumetric DDoS attacks continued to be the most common method used to attack organisations globally, the report said other techniques have continued to appear. Akamai researchers identified and tracked advanced techniques that show the influence of intelligent, adaptive enemies who change tactics to overcome the defences in their way.

One of the attacks mentioned in the report came from a group that coordinated its attacks over group chats on the Steam digital distribution platform and IRC (internet relay chat). Rather than using a botnet of devices infected with malware to follow hacker commands, these attacks were carried out by a group of human volunteers.

Another notable attack overwhelmed the target’s DNS (domain name system) server with bursts lasting several minutes instead of using a sustained attack against the target directly. This added to the difficulty of mitigating the attack because of the sensitivity of DNS servers, which allow outside computers to find the target on the internet. The burst pattern also increased difficulty for defenders by tiring them out over a long period of time.

“Both of these attack types illustrate how attackers are always adapting to new defences to carry out their nefarious activities,” said McKeay. “These attacks, coupled with the record-breaking 1.35Tbps memcached attacks from earlier this year, should serve as a not-so-gentle reminder that the security community can never grow complacent.”

Other key findings of the report include a 16% increase in the number of DDoS attacks recorded since 2017. Researchers identified a 4% increase in reflection-based DDoS attacks since 2017 and a 38% rise in application-layer attacks such as SQL injection or cross-site scripting.

The report also noted that in April 2018, the Dutch National High Tech Crime Unit took down a malicious DDoS-for-hire website with 136,000 users.

Source: https://www.computerweekly.com/news/252443696/Hospitality-industry-under-siege-from-botnets

Cyber security incidents could cost Aussie businesses $29B per year

Fear and doubt of cyber risks has led 66 per cent of Australian businesses to put off digital transformation plans, with security incidents potentially costing organisations $29 billion per year.

In research conducted by Frost & Sullivan and commissioned by Microsoft, local security incidents include losses in revenue, decreased profitability, fines, lawsuits and remediation.

“The fact that two-thirds of Australian organisations are putting off digital transformation efforts is concerning, when you consider that digital transformation is expected to contribute $45 billion to Australia’s economy by 2021,” Microsoft director of corporate legal and external affairs Tom Daemen said.

“To combat this, we need to be instilling a data culture throughout organisations. Data management needs to be prioritised in the boardroom as a strategic focus.

“Not only will this ensure organisations comply with Australian Notifiable Data Breaches Act and European GDPR legislation, but it will empower employees to see data as the strategic asset it is – and push forward with digital transformation initiatives.”

The study, Understanding the Cybersecurity Threat Landscape in Asia Pacific: Securing the Modern Enterprise in a Digital World, revealed that a large-sized organisation (over 500 employees) in Australia can incur an economic loss of $35.9 million if a breach occurs.

The economic loss is calculated from direct costs, indirect costs (including customer churn and reputation damage) as well as induced costs (the impact of cyber breach to the broader ecosystem and economy, such as the decrease in consumer and enterprise spending).

A total of 1,300 executives were interviewed for this study in Australia, China, Hong Kong, Indonesia, India, Japan, Korea, Malaysia, New Zealand, Philippines, Singapore, Taiwan and Thailand.

According to findings, more than half of the organisations surveyed in Australia, or 55 per cent, have experienced a cyber security incident in the last five months while one in five companies are not sure if they have had one or not as they have not performed proper forensics or a data breach assessment.

“The number of organisations that have experienced a cyber security incident, although large, is not particularly surprising given the increased rate of cyber security attacks we’re seeing annually,” Daemen said.

“However, the finding that one in five Australian businesses are not performing regular forensics and data breach assessments is surprising given the frequency of attacks and suggests a need for greater awareness and a cultural shift in how we manage and think about data.”

Artificial intelligence (AI) is being adopted by businesses in order to improve their cyber security.

In fact, the study found that 84 per cent of Australian organisations have either adopted or are looking to adopt an AI approach towards boosting cyber security.

Although ransomware and DDoS attacks have dominated headlines in recent times, the study found that online brand impersonation, remote code execution and data corruption are actually the bigger concern as they have the highest impact on business with the slowest recovery time.

According to data collected in 2017, email scams cost Australian businesses losses of $22.1 million last year, according to the combined scams reported to both the ACCC and ACORN.

ACCC’s Scamwatch alone received 5,432 reports scams from Australian businesses in 2017 with 60 per cent being delivered via email and money being sent to scammers via bank transfers 85 per cent of the time – total losses from those scams amount to $4.6 million.

Source: https://www.arnnet.com.au/article/642959/cyber-security-could-cost-aussie-businesses-29b-per-year/

The Lesson of the GitHub DDoS Attack: Why Your Web Host Matters

Surviving a cyberattack isn’t like weathering a Cat 5 hurricane or coming through a 7.0 earthquake unscathed. Granting that natural disasters too often have horrendous consequences, there’s also a “right place, right time” element to making it through. Cyber-disasters – which can be every bit as calamitous in their own way as acts of nature – don’t typically bend to the element of chance. If you come out the other side intact, it’s probably no accident. It is, instead, the result of specific choices, tools, policies and practices that can be codified and emulated – and that need to be reinforced.

Consider the recent case of GitHub, the target of the largest DDoS attack ever recorded. GitHub’s experience is instructive, and perhaps the biggest takeaway can be expressed in four simple words: Your web host matters.

That’s especially crucial where security is concerned. Cloud security isn’t like filling out a job application; it’s not a matter of checking boxes and moving on. Piecemeal approaches to security simply don’t work. Patching a hole or fixing a bug, and then putting it “behind” you – that’s hardly the stuff of which effective security policies are made. Because security is a moving target, scattershot repairs ignore the hundreds or even thousands of points of vulnerability that a policy of continuing monitoring can help mitigate.

Any cloud provider worth its salt brings to the task a phalanx of time-tested tools, procedures and technologies that ensure continuous uptime, regular backups, data redundancy, data encryption, anti-virus/anti-malware deployment, multiple firewalls, intrusion prevention and round-the-clock monitoring. So while data is considerably safer in the cloud than beached on equipment under someone’s desk, there is no substitute for active vigilance – accent on active, since vigilance is both a mindset and a verb. About that mindset: sound security planning requires assessing threats, choosing tools to meet those threats, implementing those tools, assessing the effectiveness of the tools implemented – and repeating this process on an ongoing basis.

Among the elements of a basic cybersecurity routine: setting password expirations, obtaining certificates, avoiding the use of public networks, meeting with staff about security, and so on. Perfection in countering cyberattacks is as elusive here as it is in any other endeavor. Even so, that can’t be an argument for complacence or anything less than maximum due diligence, backed up by the most capable technology at each organization’s disposal.

In this turn of events is a counterintuitive lesson about who and what is most vulnerable during a hack. The experience of public cloud providers should put to rest the notion that the cloud isn’t safe. GitHub’s experience makes a compelling argument that the cloud is in fact the safest place to be in a cyber hurricane. Internal IT departments, fixated on their own in-house mixology, can be affected big-time – as they were in a number of recent ransomware attacks — raising the very legitimate question of why some roll-your-own organizations devote precious resources, including Bitcoin, to those departments in the belief that the cloud is a snakepit.

Cloud security isn’t what it used to be – and that’s a profound compliment to the cloud industry’s maturity and sophistication. What once was porous is now substantially better in every way, which isn’t to deny that bad actors have raised their game as well. Some aspects of cloud migration have always been threatening to the old guard. Here and there, vendors and other members of the IT community have fostered misconceptions about security in the cloud – not in an effort to thwart migration but in a bid to control it. Fear fuels both confusion and dependence.

Sadly, while established cloud security protocols should be standard-issue stuff, they aren’t. The conventional wisdom is that one cloud hosting company is the same as another, and that because they’re committed to life off-premises, they all must do the exact same thing, their feature sets are interchangeable, and the underlying architecture is immaterial. The message is, it doesn’t matter what equipment they’re using — it doesn’t matter what choice you make. But in fact, it does. Never mind the analysts; cloud computing is not a commodity business. And never mind the Street; investors and Certain Others fervently want it to be a commodity, but because those Certain Others go by the name of Microsoft and Amazon, fuzzing the story won’t fly. They want to grab business on price and make scads of money on volume (which they are).

The push to reduce and simplify is being driven by a combination of marketing gurus who are unfamiliar with the technology and industry pundits who believe everything can be plotted on a two-dimensional graph. Service providers are trying to deliver products that don’t necessarily fit the mold, so it’s ultimately pointless to squeeze technologies into two or three dimensions. These emerging solutions are much more nuanced than that.

Vendors need to level with users. The devil really is in the details. There are literally hundreds of decisions to make when architecting a solution, and those choices mean that every solution is not a commodity. Digital transformation isn’t going to emerge from some marketing contrivance, but from technologies that make cloud computing more secure, more accessible and more cost-effective.

Source: https://hostingjournalist.com/expert-blogs/the-lesson-of-the-github-ddos-attack-why-your-web-host-matters/


Meet MyloBot malware turning Windows devices into Botnet

The IT security researchers at deep learning cybersecurity firm Deep Instinct have discovered a sophisticated malware in the wild targeting Microsoft’s Windows-based computers.

Adding devices to Botnet

Once it infects a machine, the malware lets its operators take over the device and add it to a botnet that carries out malicious activities such as Distributed Denial of Service (DDoS) attacks, spreading further malware, or installing ransomware.

A Botnet is a network of private computers infected with malicious software and controlled as a group without the owners’ knowledge, e.g., to send spam messages.

Beyond that, the malware steals user data, disables the anti-virus program and removes any other malware already installed on the system. Deep Instinct dubbed it MyloBot and, judging by its capabilities and sophistication, says it has “never seen” malware like it before.

Once installed, MyloBot disables key features of the system: it turns off Windows Update and Windows Defender, adds blocking rules for ports in Windows Firewall, and deletes applications and competing malware from the machine.
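The tampering described above (Windows Update turned off, Defender disabled, firewall block rules added) is the kind of thing a defender can look for in Windows event logs. The following is an added example for this page, not Deep Instinct’s code, and the event-ID mapping is my own assumption rather than any indicator published for MyloBot: 7040 (Service Control Manager start-type change, System log), 5001 (Defender real-time protection disabled) and 4946 (firewall rule added, Security log, which requires MPSSVC rule-level policy-change auditing to be on). The log lines are constructed, and the point of the example is the correlation: one indicator on its own is routine admin activity, several on one host is the pattern worth triaging.

```python
"""Triage constructed Windows event-log lines for MyloBot-like tampering.

Added example; not from Deep Instinct. Event IDs and message texts below are
my assumptions about how these events appear, simplified for the example.
"""
import re
from collections import defaultdict

# Each rule: (channel, event ID, regex the message must match, indicator label).
RULES = [
    ("System", 7040,
     re.compile(r"Windows Update.*\bdisabled\b", re.I), "windows_update_disabled"),
    ("Microsoft-Windows-Windows Defender/Operational", 5001,
     re.compile(r"Real-time protection is disabled", re.I), "defender_rtp_disabled"),
    ("Security", 4946,
     re.compile(r"Action:\s*Block", re.I), "firewall_block_rule_added"),
]


def parse_event(line):
    """Split a 'host|channel|event_id|message' export line; None if malformed."""
    parts = line.rstrip("\n").split("|", 3)
    if len(parts) != 4 or not parts[2].isdigit():
        return None
    host, channel, event_id, message = parts
    return host, channel, int(event_id), message


def match_indicators(event):
    """Return the indicator labels whose channel, ID and message pattern match."""
    _host, channel, event_id, message = event
    return [label for ch, eid, pat, label in RULES
            if ch == channel and eid == event_id and pat.search(message)]


def triage(lines, min_distinct=2):
    """Group indicators per host and flag hosts showing >= min_distinct kinds.

    A single indicator is routine (an admin pausing Defender for an install);
    several distinct ones on the same host is the MyloBot-like pattern.
    """
    seen = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # skip malformed export lines instead of crashing the sweep
        for label in match_indicators(ev):
            seen[ev[0]].add(label)
    return {host: sorted(labels) for host, labels in seen.items()
            if len(labels) >= min_distinct}


# Constructed sample export: WS-017 shows all three changes, WS-042 only one,
# WS-099 only benign service noise, plus one garbage line.
SAMPLE_LOG = [
    "WS-017|System|7040|The start type of the Windows Update service was changed from auto start to disabled.",
    "WS-017|Microsoft-Windows-Windows Defender/Operational|5001|Real-time protection is disabled.",
    "WS-017|Security|4946|A change has been made to Windows Firewall exception list. A rule was added. Rule Name: svc-block Direction: Outbound Action: Block",
    "WS-042|Microsoft-Windows-Windows Defender/Operational|5001|Real-time protection is disabled.",
    "WS-042|Security|4946|A change has been made to Windows Firewall exception list. A rule was added. Rule Name: RDP Direction: Inbound Action: Allow",
    "WS-099|System|7036|The Windows Update service entered the running state.",
    "garbage line without separators",
]

if __name__ == "__main__":
    for host, labels in triage(SAMPLE_LOG).items():
        print(host, "->", ", ".join(labels))
```

Run as-is it flags only WS-017; lowering `min_distinct` to 1 also surfaces WS-042, which is the noise level you would expect from ordinary administration. In a real deployment the same correlation would be expressed as a SIEM rule keyed on the host, and the 14-day dormancy reported for this malware means the tampering events may predate the first C&C connection by two weeks, so the lookback window matters.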

“This can result in loss of a tremendous amount of data, the need to shut down computers for recovery purposes, which can lead to disasters in enterprises. The fact that the botnet behaves as a gate for additional payloads puts the enterprise at risk for the leak of sensitive data as well, following the risk of keylogger/banking trojan installations,” researchers warned.

Dark Web connection

Further analysis of the MyloBot sample shows that the campaign is operated from the dark web and that its command and control (C&C) infrastructure is shared with other malicious campaigns.

Although it is unclear how MyloBot is being spread, the researchers found the malware on one client’s system, where it had sat idle for 14 days before contacting its command and control servers. That dormancy is one of its delaying mechanisms, and it is far longer than the few minutes most automated sandboxes give a sample to misbehave.

It is not surprising that Windows users are being targeted with MyloBot. Last week, another malware family called Zacinlo was caught infecting Windows 10, Windows 7 and Windows 8 PCs. If you are a Windows user, watch out for both threats: keep your system updated, run a full anti-virus scan, refrain from visiting malicious sites and do not open files attached to emails from unknown senders.

Deep Instinct has yet to publish a research paper covering MyloBot end to end.

Source: https://www.hackread.com/meet-mylobot-malware-turning-windows-devices-into-botnet/


Vulnerable Web Applications Leave All Sectors at Risk

Coming into 2018, security professionals expected to see a continued increase in the use of websites as a means of infecting user workstations, according to a recently released report from Positive Technologies. The prediction has proven true. Websites increasingly are becoming the target of attacks, largely because of coding issues in web applications. These flaws leave the websites of banks, government agencies, IT organizations and healthcare companies vulnerable to attack, with their web apps being prime targets for financially motivated hackers.

Using the trends of 2017 to forecast the likelihood of threats in 2018, Web Application Attack Statistics found that the IT industry was a growing target given the proliferation of its interwoven customer base. Some of the report’s other predictions have already come to fruition, particularly in government and education. Because there is an inherent trust that users have in accessing government websites, they are highly attractive targets for cybercriminals.

When users feel they are accessing a trusted site, they let their guard down and pay less attention to suspicious activity on government websites. The research analyzed data from the comprehensive security assessments of 23 web applications tested in 2017 and found that cross-site scripting, which targets users rather than the server, made up almost one-third of the attacks. Other popular attacks aimed at reading data from or executing commands on the server: SQL injection, path traversal, local file inclusion, remote code execution and OS commanding.
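Two of the server-side classes listed above, SQL injection and path traversal, come down to the same coding mistake: untrusted input is spliced into a string that something else then interprets. The following added example (mine, not the report’s, and not tied to any application it tested) shows each flaw next to its fix, using only the Python standard library so it runs offline against an in-memory SQLite database and a temporary directory; the table, rows, file names and payloads are all constructed for the example.

```python
"""Vulnerable vs. hardened handling of SQL injection and path traversal.

Added example for this page, not code from the Positive Technologies report.
All fixtures (users table, files, payloads) are constructed here.
"""
import os
import sqlite3
import tempfile


def make_db():
    """In-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String-built query: attacker-controlled input is parsed as SQL."""
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return conn.execute(query).fetchone() is not None


def login_hardened(conn, username, password):
    """Parameterised query: input is bound as data and never reaches the parser."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def read_file_vulnerable(base_dir, name):
    """Joins the untrusted name straight onto base_dir; '../' walks out of it."""
    with open(os.path.join(base_dir, name), "rb") as f:
        return f.read()


def read_file_hardened(base_dir, name):
    """Resolves the final path and refuses anything outside base_dir.

    realpath() collapses '..' and symlinks; commonpath() catches both
    '../x' and an absolute name, which os.path.join would otherwise honour.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes base directory: %r" % name)
    with open(target, "rb") as f:
        return f.read()


def demo():
    """Run both payloads against both versions; return the outcomes."""
    conn = make_db()
    sqli_user = "alice' --"   # '--' comments out the password check in the raw query
    results = {
        "sqli_vulnerable": login_vulnerable(conn, sqli_user, "wrong"),
        "sqli_hardened": login_hardened(conn, sqli_user, "wrong"),
        "sqli_valid": login_hardened(conn, "alice", "s3cret"),
    }
    with tempfile.TemporaryDirectory() as tmp:
        public = os.path.join(tmp, "public")
        os.mkdir(public)
        with open(os.path.join(public, "index.html"), "w") as f:
            f.write("<h1>hello</h1>")
        with open(os.path.join(tmp, "secret.txt"), "w") as f:
            f.write("db password")          # lives one level above the web root
        results["traversal_vulnerable"] = read_file_vulnerable(public, "../secret.txt")
        try:
            read_file_hardened(public, "../secret.txt")
            results["traversal_hardened"] = "leaked"
        except PermissionError:
            results["traversal_hardened"] = "blocked"
        results["traversal_legit"] = read_file_hardened(public, "index.html")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The vulnerable login accepts the username `alice' --` with any password, while the parameterised version treats the whole string as a literal that matches no row; the vulnerable file reader hands back the file above the web root, while the hardened one rejects it and still serves legitimate names. The same pattern, keep data out of the interpreter rather than trying to filter it, is what blocks the OS-commanding and file-inclusion classes too.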

Government

As far as the forecasts go, hackers are largely living up to industry expectations. The 2018 forecast predicted an increase in government attacks, particularly in Brazil and Mexico. Halfway through 2018, a DDoS attack took a Mexican campaign website offline, arousing fears that hackers might do more damage on or before the July 1 election. Denial-of-service attacks can often serve as smokescreens for more damaging attacks that actually infect computers with malware, which was the case in Tennessee with an attack on a Knox County election commission website.

“Government websites can be hacked in cyberwarfare to give credibility to incendiary materials: fake news planted on the official website of a Ministry of Foreign Affairs can trigger a diplomatic row and put a strain on international relationships,” according to the report.

Financial Sector

No sector is without risk, though. The review revealed that all the web apps tested contained vulnerabilities, with 44 percent of them unprotected against unauthorized access. In 17 percent of those apps, an attacker could gain full control. Financially motivated attackers are known to target banks because banking applications offer a direct path to profit.

“Web applications are a weak spot in bank security. Therefore attackers continue to target bank sites in order to penetrate internal infrastructure and steal money via banking systems,” the report said.

Education and Health Care

Increasingly, students are becoming the insider threats for the education sector, with a growing number of brazen individuals attacking their school’s website in an attempt to either augment their own grades or make changes to the grades of other students. Gaining control of a web application, these technically sophisticated youngsters “try to either alter their grades in electronic gradebooks or obtain access to exam materials,” according to the attack statistics report.

A common denominator that government and education share with the healthcare industry is the assumed trustworthiness of their websites. With health care in particular, “the users of these websites are unlikely to know the basics of how to stay safe online.”

Mitigating the Risks

For organizations to detect vulnerabilities in their web apps, they need comprehensive security strategies, but evidence shows that attackers often still have the upper hand: they track newly disclosed vulnerabilities and exploit them before the flaw can be fixed.

“The time between a vulnerability being published and attempts to exploit it in 2017 was as little as three hours. Software developers might have no chance to remediate the vulnerability and release patches before attacks start,” the report said.

The security industry has seen a shift, moving from a primary focus on prevention to building better detection and response strategies. But that doesn’t mean prevention tools don’t have a place in securing today’s digital enterprise. Web application firewalls (WAFs) protect against known attacks and can even flag attempts to exploit flaws that have not yet been patched. When all the tools of the security ecosystem work in harmony with each other, security professionals are better equipped to identify attacks.

Source: https://securityboulevard.com/2018/06/vulnerable-web-applications-leave-all-sectors-at-risk/
