Monthly Archives: September 2014

Russian botnet suspects cuffed over romantic MMS spyware allegs

Avast! Belay that ‘RomanticVK’ order – there be MONSTERS Russian cops have arrested two mobile botnet cybercrime suspects as part of an ongoing investigation that’s reckoned to be the first of its kind in Russia.…

More:
Russian botnet suspects cuffed over romantic MMS spyware allegs

Japanese Teen Sent to Prosecutors over DDoS Attack

Japanese police sent papers on a 16-year-old boy to public prosecutors Thursday over a suspected distributed denial of service (DDoS) attack on an online game company. It was the first criminal accusation by police in the country against a DDoS attack, which entails saturating a particular server or computer with large amounts of data, according to Tokyo’s Metropolitan Police Department. The high school student in the southwestern city of Kumamoto has admitted the charges, sources familiar with police investigations said. He told investigators that he was frustrated after the game company froze his game account and that he had a lot of fun to make numerous attacks, according to the sources. He is suspected of carrying out similar attacks on two other companies as well, the sources said. Source: http://jen.jiji.com/jc/i?g=eco&k=2014091800573

Read the article:
Japanese Teen Sent to Prosecutors over DDoS Attack

DDoS Attack on RT News Website

The RT news website has undergone the most powerful Distributed Denial of Service (DDoS) attack in its history, the press service of the channel reported Wednesday. “Thanks to the website’s reliable technical protection, RT.com was unavailable just for a few minutes,” the statement reads. According to the channel’s press service, RT.com has been repeatedly subjected to DDoS-attacks. One of the most powerful hacker attacks occurred on February 18, 2013. The website was unavailable for about 6 hours. In 2012 the channel’s English and Spanish websites also came under attack. The attack was claimed by anti-WikiLeaks hacker group AntiLeaks. A DDoS-attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. The RT network’s first channel was launched in December 2005 and now consists of three global news channels broadcasting in English, Spanish and Arabic. RT has 22 bureaus in 19 countries and territories. RT reaches over 644 million people in more than 100 countries. Source: http://en.ria.ru/society/20140918/193035597/Hackers-Attack-RT-News-Website.html

View original post here:
DDoS Attack on RT News Website

DDoS Attack on Russia Today News Website

Read the original:
DDoS Attack on Russia Today News Website

DDoS Attacks: Why Hosting Providers Need to Take Action

With no shortage of distributed denial-of-service (DDoS) attacks overwhelming the news headlines, many businesses have been fast to question whether they are well protected by their current DDoS mitigation strategy and are turning to their cloud and hosting providers for answers. Unfortunately, the sheer size and scale of hosting or data center operator network infrastructures and their massive customer base presents an incredibly attractive attack surface due to the multiple entry points and significant aggregate bandwidth that acts as a conduit for a damaging and disruptive DDoS attack. As enterprises increasingly rely on hosted critical infrastructure or services, they are placing themselves at even greater risk from these devastating cyber threats – even as an indirect target. The indirect target: secondhand DDoS The multi-tenant nature of cloud-based data centers can be less than forgiving for unsuspecting tenants. A DDoS attack, volumetric in nature against one tenant, can lead to disastrous repercussions for others; a domino effect of latency issues, service degradation and potentially damaging and long-lasting service outages. The excessive amount of malicious traffic bombarding a single tenant during a volumetric DDoS attack can have adverse effects on other tenants, as well as the overall data center operation. In fact, it is becoming more common that attacks on a single tenant or service can completely choke up the shared infrastructure and bandwidth resources, resulting in the entire data center being taken offline or severely slowed – AKA, secondhand DDoS. A crude defense against DDoS attacks Black-holing or black-hole routing is a common, crude defense against DDoS attacks, which is intended to mitigate secondhand DDoS. With this approach, the cloud or hosting provider blocks all packets destined for a domain by advertising a null route for the IP address(es) under attack. There are a number of problems with utilizing this approach for defending against DDoS attacks: Most notably is the situation where multiple tenants share a public IP address range. In this case, all customers associated with the address range under attack will lose all service, regardless of whether they were a specific target of the attack. In effect, the data center operator has finished the attacker’s job by completely DoS’ing their own customers. Furthermore, injection of null routes is a manual process, which requires human analysts, workflow processes and approvals; increasing the time to respond to the attack, leaving all tenants of the shared data center suffering the consequences for extended periods of time, potentially hours. DDoS attacks becoming increasingly painful The growing dependence on the Internet makes the impact of successful DDoS attacks – financial and otherwise – increasingly painful for service providers, enterprises, and government agencies. And newer, more powerful DDoS tools promise to unleash even more destructive attacks in the months and years to come. Enterprises that rely on hosted infrastructure or services need to start asking the tough questions of their hosting or data center providers, as to how they will be properly protected when a DDoS attack strikes. As we’ve seen on numerous occasions, hosted customers are simply relying on their provider to ‘take care of the attacks’ when they occur, without fully understanding the ramifications of turning a blind eye to this type of malicious behavior. Here are three key steps for providers to consider to better protect their own infrastructure, and that of their customers: Eliminate the delays incurred between the time traditional monitoring devices detect a threat, generate an alert and an operator is able to respond; reducing initial attack impact from hours to seconds by deploying appliances that both monitor and mitigate DDoS threats automatically. Your mitigation solution should allow for real-time reporting alert and event integration with back-end OSS infrastructure for fast reaction times and the clear visibility needed to understand the threat condition and proactively improve DDoS defenses. Deploy your DDoS mitigation inline. If you have out-of-band devices in place to scrub traffic, deploy inline threat detection equipment quickly that can inspect, analyze and respond to DDoS threats in real-time. Invest in a DDoS mitigation solution that is architected to never drop good traffic. Providers should avoid the risk of allowing the security equipment to become a bottleneck in delivering hosted services and always allowing legitimate traffic to pass un-interrupted, a “do no harm” approach to successful DDoS defense. Enterprises rely on their providers to ensure availability and ultimately protection against DDoS attacks and cyber threats. With a comprehensive first line of defense against DDoS attacks deployed, you are protecting your customers from damaging volumetric threats directed at or originating from or within your networks. Source: http://www.datacenterknowledge.com/archives/2014/09/17/ddos-attacks-hosting-providers-need-take-action/

View original post here:
DDoS Attacks: Why Hosting Providers Need to Take Action

SNMP-Based DDoS Attack Spoofs Google Public DNS Server

The SANS Internet Storm Center this afternoon reported SNMP scans spoofed from Google’s public recursive DNS server seeking to overwhelm vulnerable routers and other devices that support the protocol with DDoS traffic. “The traffic is spoofed, and claims to come from Google’s DNS server. The attack is however not an attack against Google. It is likely an attack against misconfigured gateways,” said Johannes Ullrich, dean of research of the SANS Technology Institute and head of the Internet Storm Center. Ullrich said the ISC is still investigating the scale of the possible attacks, but said the few packets that have been submitted target default passwords used by SNMP. “The attack uses the default ‘read/write’ community string of ‘private.’ SNMP uses this string as a password, and ‘private’ is a common default,” Ullrich said. “For read-only access, the common default is ‘public.’” Ullrich explained that the attack tries to change configuration variables in the affected device, the TTL or Time To Live variable to 1 which he said prevents any future traffic leaving the gateway, and it also sets the Forwarding variable to 2, which shuts it off. “If this works, it would amount to a [DDoS] against the network used by the vulnerable router,” Ullrich said. Large-scale DDoS attacks rely on amplification or reflection techniques to amp up the amount of traffic directed at a target. DNS reflection attacks are a time-tested means of taking down networks with hackers taking advantage of the millions of open DNS resolvers on the Internet to get up to 100 to 1 amplification rates for every byte sent out. Earlier this year, home routers were targeted in DNS-based amplification attacks; more than five million were used during February alone as the starting point for DDoS attacks. Also earlier this year, hackers found a soft spot in Network Time Protocol (NTP) servers that synch time for servers across the Internet. NTP-based DDoS attacks, some reaching 400 Gbps, were keeping critical services offline. However, a concerted patching effort has kept these attacks at bay and in June, NSFocus reported that of the 430,000 vulnerable NTP servers found in February, all but 17,000 had been patched. Experts, however, warned that SNMP-based DDoS attacks could be the next major area of concern. Matthew Prince, CEO of CloudFlare, said in February that SNMP attacks could dwarf DNS and NTP. “If you think NTP is bad, just wait for what’s next. SNMP has a theoretical 650x amplification factor,” Prince said. “We’ve already begun to see evidence attackers have begun to experiment with using it as a DDoS vector. Buckle up.” SANS’ Ullrich, meanwhile, said he’s continuing to research this attack, and admins should be on the lookout for packets from the source IP 8.8.8.8, which is Google’s DNS server, with a target UDP port of 161. “Just like other UDP based protocols (DNS and NTP), SNMP has some queries that lead to large responses and it can be used as an amplifier that way,” Ullrich said. Source: http://threatpost.com/snmp-based-ddos-attack-spoofs-google-public-dns-server

Continue reading here:
SNMP-Based DDoS Attack Spoofs Google Public DNS Server

Attackers tapping on SNMP door to see if it’s open

SANS spots new, dumb attack Google’s DNS IP address is being spoofed by an attacker, apparently in an attempt to DDoS hosts vulnerable to a flaw in the SNMP protocol.…

View original post here:
Attackers tapping on SNMP door to see if it’s open

Silk Road 2.0 Hit by ‘Sophisticated’ DDoS Attack

Online black market Silk Road 2.0 experienced a distributed denial-of-service (DDoS) attack last week, which forced the site’s administrators to temporarily suspend services. News of the attack broke on bitcoin forums hours after it started, with the Silk Road team soon confirming the news via its own forums. For reasons that are less clear, black market Agora has faced outage issues problems of its own in the last few days. Silk Road remains defiant Silk Road 2.0 moderator ‘Defcon’ issued a statement saying that the site was facing a “very sophisticated” DDoS attack using the most advanced methods the site has experienced to date. The moderator said: “The dev team is working around the clock to get marketplace service restored, as well as watch the security of our systems closely. Much of the downtime you have seen is intentional on our part: if this is an attempt to locate our servers through packet analysis, we do not want to make it easy for our adversary and would rather be offline while we adapt our defences.” As the attack continued, Silk Road 2.0 remained offline. Defcon eventually issued a second update, indicating that the team is trying out different approaches to blocking the inbound DDoS. He stressed that the site is still processing withdrawals, although these have been delayed by the attacks. Silk Road 2.0 is aware that cashflow is very important and the site is therefore prioritising delayed withdrawals, the moderator added. Defcon ended the update on a defiant note: “To our adversaries: you cannot stop us. We will overcome every attack.” Questions persist Silk Road 2.0 vendors started reporting problems earlier last week, before the site was finally forced to shut down. Despite official updates, the outage prompted a number vendors to raise questions about the impact of the attack. Silk Road 2.0 was targeted by hackers in the past: last February, the site lost 4,476 BTC to an alleged hack, worth over $2.6m at the time. The attack was blamed on a transaction malleability exploit used by one of the vendors. The site decided to compensate affected customers and, by late May, it said more than 80% of bitcoins stolen in the alleged heist have been repaid to the victims. The source and goal of the latest attack remains unclear. Speculation is mounting that the attack was in fact launched by law enforcement in an attempt to ascertain the location of Silk Road 2.0 servers, while other users believe the attack was launched by criminals or competitors. Following the February hack, Silk Road 2.0 said it would introduce a multi-signature wallet system to replace its previous escrow platform. A multisig system should be less vulnerable to hackers, but has not been fully implemented yet. Online black market Agora faces outage Silk Road 2.0 is not the only black market suffering outage issues. While Silk Road 2.0 was struggling to restore services, which it eventually did late on Friday, competing market Agora went offline. Agora users started reporting intermittent problems on Saturday. The site was out of action over much of the weekend and had still not become available by press time (12:15 BST, Monday). The reason for the outage remains unclear. Earlier this month, Agora confirmed that it was suffering from availability issues on a regular basis. However, the team offered an extensive explanation into the inner workings of the market and the need for security, saying it considers that more important than around-the-clock availability. The Agora team said at the time: “Our primary goal is to stay hidden from law enforcement agencies and secure from hackers. We implement much more security measures than many others, which causes problems with availability.” Source: http://www.coindesk.com/silk-road-2-0-shrugs-sophisticated-ddos-attack/

Read the article:
Silk Road 2.0 Hit by ‘Sophisticated’ DDoS Attack

How Boston Children’s Hospital Hit Back at Anonymous

Hackers purportedly representing Anonymous hit Boston Children’s Hospital with phishing and DDoS attacks this spring. The hospital fought back with vigilance, internal transparency and some old-fashioned sneakernet. That – and a little bit of luck – kept patient data safe. On March 20, Dr. Daniel J. Nigrin, senior vice president for information services and CIO at Boston Children’s Hospital, got word that his organization faced an imminent threat from Anonymous in response to the hospital’s diagnosis and treatment of a 15-year-old girl removed from her parent’s care by the Commonwealth of Massachusetts. The hospital’s incident response team quickly convened. It prepared for the worst: “Going dark” – or going completely offline for as long as the threat remained. Luckily, it never came to that. Attacks did occur, commencing in early April and culminating on Easter weekend – also the weekend of Patriot’s Day, a Massachusetts holiday and the approximate one-year anniversary of the Boston Marathon bombings – but slowed to a trickle after, of all things, after a front-page story about the incident ran in The Boston Globe . No patient data was compromised over the course of the attacks, Nigrin says, thanks in large part to the vigilance of Boston Children’s (and, when necessary, third-party security firms). The organization did learn a few key lessons from the incident, and Nigrin shared them at the recent HIMSS Media Privacy and Security Forum. As Anonymous Hit, Boston Children’s Hit Back As noted, the hospital incident response team – not just the IT department’s – planned for the worst. Despite that fact that the information Anonymous claimed to have, such as staff phone numbers and home addresses, is the stuff of “script kiddies,” Nigrin says Children’s took the threat seriously. Attacks commenced about three weeks after the initial March 20 warning. Initially, the hospital could handle the Distributed Denial of Service (DDoS) attacks on its own. Anonymous changed tactics. Children’s responded. The hackers punched. The hospital counterpunched. As the weekend neared, though, DDoS traffic hit 27 Gbps – 40 times Children’s typical traffic – and the hospital had to turn to a third-party for help. The attacks hit Children’s external websites and networks. (Hackers also pledged to hit anyone linked to Children’s – including the energy provider NStar, which played no role in the child custody case at all but sponsors Children’s annual walkathon.) In response, Nigrin took down all websites and shut down email, telling staff in person that email had been compromised. Staff communicated using a secure text messaging application the hospital had recently deployed. Internal systems were OK, he says, so Children’s electronic health record (EHR) system, and therefore its capability to access patient data, wasn’t impacted. In contrast to this internal transparency, Children’s, at the urging of federal investigators, didn’t communicate anything externally. Nonetheless, word got to The Boston Globe , which ran its front-page story on April 23. Nigrin, again, prepared for the worst. He didn’t have to. After the article came out, the Twitter account @YourAnonNews took notice, urging hackers to stop targeting a children’s hospital. Attacks continued, but at a much smaller clip. 6 Quick Tips for Beating Back Hackers In reflecting on the Anonymous attack, Nigrin offers the following security lessons that Boston Children’s learned. DDoS countermeasures are crucial. “We’re not above these kinds of attacks,” Nigrin says. Know which systems depend on external Internet access. As noted, the EHR system was spared, but the e-prescribing system wasn’t. Get an alternative to email. In addition to secure testing, Children’s used Voice over IP communications. In the heat of the moment, make no excuses when pushing security initiatives. Children’s had to shut down email, e-prescribing and external-facing websites quickly. “Don’t wait until it’s a fire drill,” Nigrin says. Secure your teleconferences. Send your conference passcode securely, not in the body of your calendar invite. Otherwise, the call can be recorded and posted on the Internet before you even hang up, he says. Separate signals from noise. Amid the Anonymous attack, several staff members reported strange phone calls from a number listed as 000-000-0000. At the time, it was hard to tell if this was related, and it made the whole incident that much harder to manage. Above all, Nigrin says healthcare organizations need to pay attention to the growing number of security threats the industry faces. “There are far more than we have seen in the past,” he says. Source: http://www.cio.com/article/2682872/healthcare/how-boston-childrens-hospital-hit-back-at-anonymous.html

Read the original:
How Boston Children’s Hospital Hit Back at Anonymous

5 most targeted industries for DDoS attacks

1. Gaming Gaming is the most-targeted industry, according to the report, accounting for more than 45% of total attacks. The industry, which includes any company related to online gaming or gaming-related content, is prone to attacks by motivated players seeking to gain a competitive advantage or by malicious actors seeking to steal personal data from players. The industry received a large percentage of infrastructure layer attacks and a fair percentage of application-layer attacks in Q2, including 46% of all NYN floods and 68% of GET floods. 2. Software and technology The software and technology industry, which includes companies that provide solutions such as SaaS and cloud-based technologies, was hit with the second-greatest number of attacks (22%), and was the most-frequently targeted with infrastructure-layer attacks. The report reveals that the most popular attack vectors against the software and technology industry were DNS and NTP reflection and amplification attacks, accounting for 33% and 26% respectively. SYN floods made up approximately 22% of attacks, and UDP floods accounted for 27%. 3. Media and entertainment The report reveals that the media and entertainment industry accounted for a smaller percentage of all attacks, at 15% in Q2. This marks a 39% decrease from last quarter. Despite this shift, the media and entertainment industry remains one of the most targeted industries for hackers. These attacks often offer higher visibility for malicious actors, with press coverage that helps campaign organizers reach out to supporters and recruit new participants. The media and entertainment industry was hit by mostly infrastructure attacks, including SYN floods (18%), UDP floods (25%) and UDP fragments (22%). 4. Financial services Major financial institutions, such as banks and trading platforms, were targeted in 10% of all attacks in Q2, according to the Prolexic report. Historically, financial institutions have been the target of many DDoS attacks, including those orchestrated by the group Izz ad-Din al Qassam Cyber Fighters (QCF), using the Brobot botnet. The report discloses that recent activity indicates a possible resurgence of the use of the Brobot botnet, but the financial sector did not experience many major attack campaigns this quarter. 5. Internet and telecom Including companies that offer internet-related services such as ISPs and CNDs, the internet and telecom industry was the fifth most-targeted industry in Q2, accounting for 4% of all attacks. Infrastructure-layer attack vectors were the most common, with 10% of all attacks as UPD floods, and 9% as UPD fragments. Internet and telecom was the target of 12% of all NTP flood attacks this quarter. Source: http://www.propertycasualty360.com/2014/09/12/5-most-targeted-industries-for-ddos-attacks?t=tech-management&page=6

Continue Reading:
5 most targeted industries for DDoS attacks