Monthly Archives: December 2013

Attackers Wage Network Time Protocol-Based DDoS Attacks

Attackers have begun exploiting an oft-forgotten network protocol in a new spin on distributed denial-of-service (DDoS) attacks, as researchers spotted a spike in so-called NTP reflection attacks this month. The Network Time Protocol, or NTP, syncs time between machines on the network, and runs over port 123 UDP. It’s typically configured once by network administrators and often is not updated, according to Symantec, which discovered a major jump in attacks via the protocol over the past few weeks. “NTP is one of those set-it-and-forget-it protocols that is configured once and most network administrators don’t worry about it after that. Unfortunately, that means it is also not a service that is upgraded often, leaving it vulnerable to these reflection attacks,” says Allan Liska, a Symantec researcher in blog post last week. Attackers appear to be employing NTP for DDoSing similar to the way DNS is being abused in such attacks. They transmit small spoofed packets requesting a large amount of data sent to the DDoS target’s IP address. According to Symantec, it’s all about abusing the so-called “monlist” command in an older version of NTP. Monlist returns a list of the last 600 hosts that have connected to the server. “For attackers the monlist query is a great reconnaissance tool. For a localized NTP server it can help to build a network profile. However, as a DDoS tool, it is even better because a small query can redirect megabytes worth of traffic,” Liska explains in the post. Monlist modules can be found in NMAP as well as in Metasploit, for example. Metasploit includes monlist DDoS exploit module. The spike in NTP reflection attacks occurred mainly in mid-December, with close to 15,000 IPs affected, and dropped off significantly after December 23, according to Symantec’s data,. Symantec recommends that organizations update their NTP implementations to version 4.2.7, which does not use the monlist command. Another option is to disable access to monlist in older versions of NTP. “By disabling monlist, or upgrading so the command is no longer there, not only are you protecting your network from unwanted reconnaissance, but you are also protecting your network from inadvertently being used in a DDoS attack,” Liska says. Source: http://www.darkreading.com/attacks-breaches/attackers-wage-network-time-protocol-bas/240165063

Read the article:
Attackers Wage Network Time Protocol-Based DDoS Attacks

NatWest hit by Distributed Denial of Service (DDoS) Attack

NatWest has been hit by a ‘cyber attack’, leaving customers unable to access online accounts. The bank’s online banking service was disrupted after it was deliberately bombarded with internet traffic. Twitter users tweeted to say they could not access their bank accounts to pay bills or transfer money. @TomGilchrist wrote: “Do other banks computer systems/services go down as much as NatWest? I assume not. Time to move banks I think.” @AleexReid tweeted: “Just joined Santander. Fed up with NatWest. Another computer failure tonight. #welldone.” A NatWest spokesperson said: “Due to a surge in internet traffic deliberately directed at the NatWest website, some of our customers experienced difficulties accessing our customer web sites this evening. “This deliberate surge of traffic is commonly known as a distributed denial of service (DDoS) attack. “We have taken the appropriate action to restore the affected web sites. At no time was there any risk to customers. We apologise for the inconvenience caused.” At the beginning of December  all of RBS and NatWest’s systems went down for three hours on one of the busiest shopping days of the year. The group chief executive Ross McEwan described that glitch as “unacceptable” and added: “For decades, RBS failed to invest properly in its systems. “We need to put our customers’ needs at the centre of all we do. It will take time, but we are investing heavily in building IT systems our customers can rely on.” RBS and NatWest also came under fire in March after a “hardware fault” meant customers were unable to use their online accounts or withdraw cash for several hours. A major computer issue in June last year saw payments go awry, wages appear to go missing and home purchases and holidays interrupted for several weeks, costing the group £175m in compensation. This latest problem is the fourth time in 18 months RBS and NatWest customers have reported problems with the banks’ services. Source: http://news.sky.com/story/1187653/natwest-hit-by-fourth-online-banking-glitch

Continue Reading:
NatWest hit by Distributed Denial of Service (DDoS) Attack

Lessons From 5 Advanced Attacks Of 2013

Distributed denial-of-service attacks targeted application and business-logic weaknesses to take down systems; fraudsters used encryption to scramble victims’ data until they paid a ransom; and, attackers increasingly targeted providers as a weak link in the chain of the digital security protecting businesses. In 2013, there were no major revolutions in the way that attackers compromised, cut off, or just plain inconvenienced their victim’s systems, but their techniques and tactics evolved. From more pernicious encryption in ransomware to massive DDoS attacked fueled by reflection, attackers showed that they still had options available in their bag of tricks. “As the criminals have become more savvy and more technically knowledgable and understand the victims’ environments better, they are able to see opportunities that they might otherwise overlook,” says Jeff Williams, director of security strategy for the counter threat unit at Dell SecureWorks, a managed security provider. Based on interviews with experts, here are five advanced attacks from 2013 and the lessons for businesses from those events. 1. Cryptolocker and the evolution of ransomware While many attackers create botnets to steal data or use victim’s machines as launching points for further attacks, a specialized group of attackers have used strong-arm tactics to extort money from victims. In the past, most of these types of attacks, referred to as ransomware, have been bluffs, but Cryptolocker, which started spreading in late summer, uses asymmetric encryption to lock important files. The group behind Cryptolocker has likely infected between 200,000 and 250,000 computers in the first hundred days, according to researchers at Dell SecureWorks. Based on the number of payments made using Bitcoin, the company conservatively estimated that 0.4 percent of victims paid the attackers, but it is likely many times more than minimum take of $240,000, the company stated in an analysis. “What sets it apart is not just the size and the professional ability of the people behind it, but that–unlike most ransomware, which is a bluff–this one actually destroys your files, and if you don’t pay them, you lose the data,” says Keith Jarvis, senior security researcher with Dell SecureWorks. Companies should expect ransomware to adopt the asymmetric-key encryption strategy employed by the Cryptolocker gang. 2. New York Times “hack” and supplier insecurity The August attack on The New York Times and other media outlets by the Syrian Electronic Army highlighted the vulnerability posed by service providers and technology suppliers. Rather than directly breach the New York Times’ systems, the attackers instead fooled the company’s domain registrar to transfer the ownership of the nytimes.com and other media firms’ domains to the SEA. The attack demonstrated the importance of working with any suppliers that could be a “critical cog” in a company’s security strategy, says Carl Herberger, vice president of security solutions for Radware, a network security firm. “You need to have real-time, critical knowledge from your service providers to determine whether they are being attacked and whether you are the intended victim of that attack,” says Herberger. 3. Bit9 and attacks on security providers In February, security firm Bit9 revealed that its systems had been breached to gain access to a digital code-signing certificate. By using such a certificate, attackers can create malware that would be considered “trusted” by Bit9?s systems. The attack, along with the breach of security company RSA, underscore that the firms whose job is to protect other companies are not immune to attack themselves. In addition, companies need to have additional layers of security and not rely on any one security vendor, says Vikram Thakur, a researcher with Symantec’s security response group. “The onus resides with the security firm to prevent successful attacks from happening, but when they fail, a victim should have a plan to bolster their defense,” Thakur says. 4. DDoS attacks get bigger, more subtle A number of denial-of-service attacks got digital ink this year. In March, anti-spam group Spamhaus suffered a massive denial-of-service attack, after it unilaterally blocked a number of online providers connected–in some cases tenuously–to spam. The Izz ad-Din al-Qassam Cyberfighters continued their attacks on U.S. financial institutions, causing scattered outages during the year. As part of those attacks and other digital floods, attackers put a greater emphasis on using techniques designed to overwhelm applications. Such application-layer attacks doubled in frequency in the third quarter 2013, compared to the same quarter a year before, according to denial-of-service mitigation firm Prolexic. Reflection attacks, where attackers use incorrectly configured servers to amplify attacks, grew 265 percent in the same period, according to the firm. The attack against Spamhaus, which reportedly topped a collective 300 Gbps, used reflection attacks via open DNS resolvers to generate the massive flood of traffic. “This technique is still an available option for attackers,” says Radware’s Herberger. “Because there are 28 million vulnerable resolvers, and every resolver needs to be fixed, this problem is not going away any time soon.” 5. South Korea and destructive attacks Companies in both the Middle East and South Korea suffered destructive attacks designed to wipe data from computers. In 2012, Saudi Aramco and other companies in the Middle East were targeted with a malicious attack that erased data from machines, causing them to become unrecoverable. This year, South Korean firms were attacked in a similar manner in a multi-vector attack whose finale was the deletion of master boot records on infected computers. While such attacks have happened in the past, they seem to be more frequent, says Dell SecureWorks’ Williams. “The impact of these attacks have been pretty impressive–30,000 machines needed to be rebuilt in the Saudi Aramco case,” he says. Source: http://www.darkreading.com/advanced-threats/lessons-from-five-advanced-attacks-of-20/240165028

View the original here:
Lessons From 5 Advanced Attacks Of 2013

The Changing Trends of DDoS Attacks

Distributed denial-of-service (DDoS) attacks certainly aren’t new. I’ve been talking about them for years. However, they have been changing. The traditional style of attack, the flood-the-target type that crashes a website, is still going strong. But now we are seeing an increase in application-layer attacks that have the same goal: Systems go down, resources are unavailable and the victim is scrambling to fix everything. Recently, Vann Abernethy, senior product manager for NSFOCUS, talked to me about the changing DDoS landscape. Something he has noticed is how DDoS attacks are being used as smokescreens to cover up other criminal activity. He said: In fact, the FBI warned of one such attack type back in November of 2011, which relies upon the insertion of some form of malware. When the attacker is ready to activate the malware, a DDoS attack is launched to occupy defenders. In this case, the DDoS attack is really nothing more than a smokescreen used to confuse the defenses and allow the real attack to go unnoticed – at least initially.  Considering that most malware goes undetected for long periods of time, even a small DDoS attack should be a huge red flag that something else may be going on. Abernethy adds that another trend he’s seeing is that the DDoS attack itself may be a bit more sinister. For example, a DDoS attack could be masking a simultaneous attack that is probing for vulnerabilities. He said: It’s like a recon team sent to look at an enemy’s position while they’re under some sort of long-range barrage. In general, basic probing will likely be caught if the victim has even modest security protections. But while under the duress of a DDoS attack, the very systems charged with either blocking or alerting suspicious activity might be under too much strain. Abernethy provides several solutions to protect against these emerging DDoS attack styles. One way is to have multiple teams set up to respond to DDoS attacks. One team would work on the DDoS attacks themselves; another team would be responsible for searching for other possible, hidden attacks. For the trend that involves probing, IT and security departments may want to deploy application security testing, and all applications used by the company should be subjected to the testing. DDoS attacks can be devastating to a company , interrupting vital customer interactions and ruining company reputations. The more we know about them, the better chance we have at protecting the company from any serious damage, if not preventing them altogether. Source: http://www.itbusinessedge.com/blogs/data-security/the-changing-trends-of-ddos-attacks.html

Read More:
The Changing Trends of DDoS Attacks

DDoS trojan ferrets SMB data

A new distributed-denial-of-service (DDoS) bot has been discovered targeting real estate companies and other small and medium-sized businesses. Arbor Networks researcher Dennis Schwarz found the malware after receiving a tip-off from a Twitter user. A relatively small number of unique samples and command and control servers were uncovered, making it difficult to judge just how dangerous the new threat could be. These samples are written in the Delphi programming language but most likely originate from Russia, said Schwarz, who added that the bot’s self-preservation tools include UPX packing, string obfuscation, anti-virtual machine, anti-bugging measures, self-modifying code and process hollowing. Command and control is done over HTTP. The analyst firm has a ‘fairly complete picture’ of what the bot represents, but admitted concerns on how Trojan.Ferret is being distributed. “Trojan.Ferret is a new Russian DDoS bot.  It stood out to me due to the silly ferret theme and that we have a fairly complete picture of it,” said Schwarz, adding that the company had tracked a sample of bot, the C&C panel view and live C&C traffic. “It is a traditional DDoS bot focusing on the ‘core’ set of DDoS attacks, such as HTTP, UDP and TCP. It lacks the common application layer attacks such as Slowloris, Apache Killer, and RUDY. “A major missing component that we’re unsure of is how this particular Trojan is being distributed–whether by exploit kit, malware-laced spam, or via one of the many ‘dropper/downloader’ networks.” Schwarz said that the Trojan is targeting the UK, the US, Germany, Russia and the Netherlands, as well as Kazakhstan, and said that attacks have hit property companies, an electronics shop, a wedding dress shop and even a politician in Panama. Malwarebytes malware intelligence analyst Adam Kujawa said the information security industry is still coming to grips with the threat posed by the new DDoS bot. “It is likely of Russian origin, uses an array of specialised malware tricks to hide it from detection and of course is used as a DDOS bot,” said Kujawa.  “Ferret will infect as many systems as it can to recruit them into the Botnet and then use each of those systems to attack a single server at the same time,” he added, commenting, “A single system cannot perform a successful DDOS attack but a botnet of thousands can.” Source: http://www.scmagazine.com.au/News/368168,ddos-trojan-ferrets-smb-data.aspx

Continue Reading:
DDoS trojan ferrets SMB data

Casino DDoS duo caged for five years after blackmail buyout threat

Polish crims demanded 50% of gambling biz, on pain of firm-killing cyber attacks A pair of cyber-extortionists who attempted to blackmail a Manchester-based online casino with threats of unleashing a debilitating denial of service attack have been jailed for five years and four months.…

See more here:
Casino DDoS duo caged for five years after blackmail buyout threat

China’s central bank hit by DDoS after Bitcoin blitz

Reports claim revenge attack after digi-currency restrictions Angry Bitcoin users are suspected of DDoS-ing the website of China’s central bank following tough new restrictions it levied this week which appear to have forced the world’s biggest Bitcoin exchange into meltdown.…

See the original article here:
China’s central bank hit by DDoS after Bitcoin blitz

7 Security Trends to Expect in 2014

Computer systems, in many peoples’ eyes, are there to be hacked — and that means fraudsters are always working on new ways to exploit vulnerabilities. So what does 2014 have in store? Here are seven security predictions for the New Year. DDoS Attacks Get Sneaky DDoS attackers will go from simple volumetric attacks to ones which take advantage of a site’s specific performance characteristics. That’s the prediction of security researchers at Neohapsis, a security and risk management consulting company. DDoS attacks that intelligently target bottlenecks in performance, such as pages with a high server load (like database writes) or specific network bottlenecks (like login and session management), can magnify the impact over attacks which are simply volume-based and request the homepage of a site. So it’s likely that we will begin to see the spread of tools which profile specific targets. The result? DDoS attacks that have more impact, and involve less network traffic, than the ones enterprises have become accustomed to mitigating against. Insider Threats Remain Major Security Problem According to a CyberSecurity Watch survey insiders were found to be the cause in 21 percent of security breaches, and a further 21 percent may have been due to the actions of insiders. More than half of respondents to another recent survey said it’s more difficult today to detect and prevent insider attacks than it was in 2011, and 53 percent were increasing their security budgets in response to insider threats. While a significant number of breaches are caused by malicious or disgruntled employees – or former employees – many are caused by well-meaning employees who are simply trying to do their job. BYOD programs and file sharing and collaboration services like Dropbox mean that it will be harder than ever to keep corporate data under corporate control in the face of these well-meaning but irresponsible employees. Defending against insider threats requires a multi-layered use of technological controls, including system-wide use of data encryption and establishment of policies stressing prevention of data loss. Security Worries Drive Cloud Consolidation Organizations will look to buy more solutions from a single vendor and demand greater integration between solutions to automate security, according to Eric Chiu, president of HyTrust, a cloud security company. The fact that securing cloud environments is very different from securing traditional physical environments will drive greater consolidation in the market, he says. Legacy Systems Cause More Security Headaches The spate of IT failures in banks and other high profile companies highlights a simple fact: Many of them are running legacy systems which are so old and out of date that they are becoming almost impossible to maintain. That’s because there are few people with the skills and expert knowledge that would be needed to run them securely – even if they were updated to eliminate know vulnerabilities, which they frequently are not. They often aren’t updated because no-one knows what impact that would have. It’s inevitable that we’ll see hackers going after such systems, exploiting vulnerabilities that can’t easily be fixed. Encryption Will Be Revisited In the wake of revelations about the NSA, many companies are realizing that encryption many be the only thing that is protecting their data, and it may not be as strong as they imagined. What’s more, if hackers are led to believe there is a weakness in a particular system – either accidental or intentional – they will pound on it until they find it. As a result, many companies will look to improve the way they use encryption. Look for particular attention to be paid to cryptographic block modes like CBC and OFB, and authenticated modes like EAX, CCM and GCM, advise the experts at Neohapsis. In addition to the encryption methods themselves, look for insights and innovations around key management and forward security. ‘Stuxnets’ Become More Common State-sponsored malware like Stuxnet – which is widely attributed to the United States, Israel or both – has proved to be far more sophisticated and effective than anything that a couple of hackers can develop. Expect more of this type of malware from the likes of China, Russia, Iran, India, Brazil and Pakistan. It’s probably already out there, even if it hasn’t yet been detected. 2014 could be the year that its prevalence becomes apparent. Bitcoin Drives New Malware The Bitcoin virtual currency is growing in popularity with legitimate businesses, and that’s likely to continue. That’s because Bitcoin payments offer significant attractions: They are quick and cheap, and there is no possibility of a chargeback. But Bitcoin wallets make attractive targets for criminals, because stolen coins can be cashed out instantly, without a middleman or launderer taking a cut. And many Bitcoin users are relatively unsophisticated, protecting their wallets with very little security. So expect Trojans and other malware that specifically look for and target Bitcoin stashes, as well as ransomware that demands Bitcoins in return for decrypting data. Source: http://www.esecurityplanet.com/network-security/7-security-trends-to-expect-in-2014.html

View article:
7 Security Trends to Expect in 2014