Monthly Archives: October 2015

Xen Project plugs critical host hijacking flaw, patch ASAP

The latest security update (XSA-145 through 153) for the popular Xen virtualization software fixes nine issues. Eight of them can lead to Denial of Service, but the ninth is much more serious than…

Read More:
Xen Project plugs critical host hijacking flaw, patch ASAP

China is the top target for DDoS reflection attacks

China bore the brunt of DDoS reflection attacks last month, with 61 percent of the top attack destinations observed hitting Chinese-based systems, according to Nexusguard. Of the 21,845 attack events …

More here:
China is the top target for DDoS reflection attacks

Hackers infect MySQL servers with malware for DDoS attacks

Hackers are exploiting SQL injection flaws to infect MySQL database servers with a malware program that’s used to launch distributed denial-of-service (DDoS) attacks. Security researchers from Symantec found MySQL servers in different countries infected with a malware program dubbed Chikdos that has variants for both Windows and Linux. Don’t count on your ‘plain vanilla’ resume to get you noticed – your resume needs a personal flavor to This Trojan is not new and was first documented in 2013 by incident responders from the Polish Computer Emergency Response Team (CERT.PL). At that time the malware was being installed on servers after using brute-force dictionary attacks to guess SSH (Secure Shell) login credentials. However, the new attacks observed by Symantec abuse the user-defined function (UDF) capability of the MySQL database engine. UDF allows developers to extend the functionality of MySQL with compiled code. Symantec believes that attackers exploit SQL injection vulnerabilities in order to inject malicious UDF code in databases. They then use the DUMP SQL command to save the injected code as a library file that is later executed by the MySQL process. The malicious UDF code downloads and installs the Chikdos Trojan, which allows attackers to abuse the server’s bandwidth for DDoS attacks. The Symantec researchers found MySQL servers infected with Chikdos in many countries, including India, China, Brazil, Netherlands, the U.S., South Korea, Mexico, Canada, Italy, Malaysia, Nigeria and Turkey. The largest concentrations were in India and China, 25 and 15 percent respectively. During their analysis the researchers saw the servers being used to launch DDoS attacks against a U.S. hosting provider and a Chinese IP address. The reason for targeting MySQL servers is likely because their bandwidth is considerably larger than that of regular PCs, making them more suitable for large DDoS campaigns, the Symantec researchers said in a blog post. To prevent such attacks, website owners should avoid running SQL servers with administrative privileges and should follow best programming practices for mitigating SQL injection vulnerabilities, they said. Source: http://social-media-news.com/link/907984_hackers-infect-mysql-servers-with-malware-for-ddos-attacks

Read this article:
Hackers infect MySQL servers with malware for DDoS attacks

New DDoS attacks misuse NetBIOS name server, RPC portmap, and Sentinel licensing servers

Akamai has observed three new reflection DDoS attacks in recent months: NetBIOS name server reflection, RPC portmap reflection, and Sentinel reflection. In a reflection DDoS attack, also called a D…

View the original here:
New DDoS attacks misuse NetBIOS name server, RPC portmap, and Sentinel licensing servers

Attackers are turning MySQL servers into DDoS bots

Someone has been compromising MySQL servers around the world and using them to mount DDoS attacks. The latest targets of these attacks are an (unnamed) US hosting provider and a Chinese IP address. …

See the article here:
Attackers are turning MySQL servers into DDoS bots

TalkTalk hack: 15-year-old boy arrested in Northern Ireland over DDoS attack

News stunned security experts who had assumed that Isis terrorists or major country had been behind the breach A boy of 15 has been arrested and questioned on suspicion of being the mastermind behind the TalkTalk data theft cyber attack. A team from Scotland Yard’s Cyber Crime Unit joined Police Service of Northern Ireland officers as they raided the teenager’s home in County Antrim. The boy was arrested on suspicion of Computer Misuse Act offences and taken to a nearby police station. News of the suspect’s age stunned security experts who had assumed that a group of Isis terrorists or a country such as Russia had been behind the massive breach. IT insiders said it would be a “gamechanger” if proven that a teenager operating from his bedroom could bring a global company to its knees. The Met said the property was being searched and inquiries by CCU detectives, the PSNI’s Cyber Crime Centre and the National Crime Agency are continuing. A spokesman said on Monday night: “An arrest has been made in connection with the investigation into alleged data theft from the TalkTalk website. At approximately 4.20pm, officers from the Police Service of Northern Ireland (PSNI), working with detectives from the Metropolitan Police Cyber Crime Unit, executed a search warrant at an address in County Antrim, Northern Ireland. The phone and broadband provider, which has four million customers, initially said last week that the “sustained” attack was a DDoS, a distributed denial of service attack where a website is bombarded with waves of traffic. When experts pointed out a DDoS attack would not explain the loss of data TalkTalk later indicated it had been hit by an attack known as an SQL injection – a technique where hackers gain access to a database by entering instructions in a web form. IT security experts had already expressed surprise at how a company the size of TalkTalk was still vulnerable to the method, as it is a well-known type of attack and there are relatively simple ways of defending against it. The company has been heavily criticised for its handling of the cyber attack – the third it has suffered in the last eight months, with incidents in August and February resulting in customers’ data being stolen. Following last week’s breach TalkTalk admitted that customers’ bank account and sort code details may have been accessed as some customers said money has gone missing from their accounts. TalkTalk said there is currently no evidence that customers’ bank accounts have been affected but it does not know how much customer information was encrypted. The company said it would contact all current customers and that an unknown number of previous customers may also be at risk. TalkTalk’s chief executive Dido Harding said last week the firm had received a ransom demand from someone claiming to be behind the cyber attack. Jesse Norman, chair of the Culture, Media and Sport Select Committee, is leading an inquiry into the alleged data breach. Cyber Security Minister Ed Vaizey had earlier told MPs that companies could face bigger fines for failing to protect customer data from such attacks. He said the Information Commissioner’s Office can already levy “significant fines” but told the Commons he was “open to suggestions” about how the situation could be “improved”. TalkTalk is facing a maximum fine of £500,000 but the SNP’s John Nicolson said the prospect was “clearly not terrifying” for a company with an annual revenue of £1.8 billion a year. Shares in the telecoms company fell more than 12 per cent on Monday extending its losses from last week when news of the attack first emerged. A statement from Talk Talk said: “We know this has been a worrying time for customers and we are grateful for the swift response and hard work of the police. We will continue to assist with the ongoing investigation. “In the meantime, we advise customers to visit [our website] for updates and information regarding this incident.” Source: http://www.independent.co.uk/news/uk/home-news/talktalk-hack-boy-15-arrested-in-northern-ireland-over-attack-a6709831.html

Read the original:
TalkTalk hack: 15-year-old boy arrested in Northern Ireland over DDoS attack

Thai govt website DDoSed as CAT customer data leaked

Faced with a wave of DDoS attacks, a horde of hackers claiming to be Anonymous and major data leaks from state-owned CAT Telecom all in protest of Thailand’s Single Gateway surveillance program, ICT Minister Uttama Savanayana took to Twitter to reassure people that everything was in order and that we had nothing to fear because we have regular data backups. Yes, apparently regular backups and standards in data storage are the answer to a hack and data leak. The tweet was up for most of the weekend before he deleted it to save himself further embarrassment. To recap, a group claiming to be Anonymous issued a statement in the wee hours of Thursday morning to attack the Thai Government and in particular CAT Telecom for refusing to back down on Single Gateway internet super censorship and surveillance project which, despite promises from the Prime Minister that it was just a clerical error never existed, is forging ahead full steam. Since then at various moments, hackers have managed to temporarily take down an obscure army internal accounting website, the ICT Ministry and CAT Telecom. The Anons also posted screenshots of what they claimed was CAT customer data with names blanked out, taunting the ICT Minister by asking what data standard allows for plaintext storage of passwords. CAT Telecom initially responded by saying the information posted was false and that the hackers only tried to infiltrate CAT’s dealer network and did so unsuccessfully at that. The Anons responded with more CAT customer data and a screenshot of a login in CAT’s CRM module. One would have thought that this would have caused the junta to think twice about centralizing everything but no. The ICT Minister had the stage in the weekly two-minutes of hate propaganda show, sorry, I meant Thailand Moves Forward propaganda show, in which he extolled the virtues of a single Geoment Service Chanel [sic] which called for even more centralization. Half the jokes were of using designer clothing to serve the people the other, well, let’s just say that geo in Thai is a anatomical word that would not befit the pages of this publication. So apparently not only he totally clueless as to what a modern day hack is (by saying that he had backup) but he cannot use a spell checker. By Sunday, CAT’s My 3G self-service portal was still down, though whether it was from the attack or if someone pulled the plug as a precaution was anyone’s guess. However, that hardly made the social media circles. Why? Well, because despite oodles of taxpayer cash (roughly $1 billion each for CAT and TOT for their 3G networks, plus who knows how much more to run the network), CAT and TOT have between them less than 100,000 subscribers, none of which bothered to check their balance or top up over the weekend, it seemed. Also noteworthy was how servers in CAT’s data center had their latency and jitter both jump but again, that could be a routing issue rather than someone installing deep-packet-inspection gear. But was the hack actually from a real Anon? Anonymous is more of a state of mind that a club with a for formal job interview and membership cards. Anyone can claim to be an Anon. Their key tenets are anti-surveillance and anti-censorship, both of which the Thai Single Gateway are aimed at imposing. One developer who did not want to be identified told TelecomAsia that the hacks on Thai government websites were simply too easy. He sent a screenshot with a page of .go.th sites with old, unpatched mysql servers that were ripe for taking over. His point being, a script kiddie noob could have carried out hacks on these government websites and it did not require the skills of a true Anon. Source: http://www.telecomasia.net/blog/content/thai-govt-website-ddosed-cat-customer-data-leaked DDoS? Well, considering that Thai government websites cannot even stand up to use on a busy day without crashing, again, that hardly requires serious firepower. The CAT data breach also happened about a month ago if the rumors in the underground are to be believed. Talking about the underground, none of my shadier contacts know who did it the attack. Considering the rather small size of the Thai hacking community, this is odd. To further throw doubt on everything, the F5 hackers dared me over Twitter to double check a phone number in the CAT data breach to see if the data was real or made up. I did call up the number and he had no clue about being hacked and said he was not a CAT customer. Not looking good for the hackers then. To be fair I did try to ask if he was working at the company he was listed as working for but the chap hung up on me first, obviously annoyed at my questions. But perhaps the number had been reused (the phone line application with CAT was way back in August 2014), perhaps he never got the phone line and had totally forgot about it. Or maybe it was made-up data and the hacker thought I would not call to fact-check. At this juncture, my gut feeling is leaning towards this entire episode being a honey trap to lure out dissenters and convince the undecided of the need to give up further liberties so that the government can protect us from Anonymous. If so, that has worked wonders. Then there is the separate matter of the 231 pages of leaked documents that are a headache just to try and read through. Who leaked them and why? It is a curious mix of army and MICT secret documents which begs the question, who would even have access to both sets of documents in the first place? Very few. But regardless as to whether this initial hack was real or staged, the matter of the Thailand’s Single Gateway has now reached the eyes of Anons the world over. One wonders if they are planning a real attack soon.

View article:
Thai govt website DDoSed as CAT customer data leaked

TalkTalk DDoS Attack: Website hit by ‘significant’ breach

Police are investigating a “significant and sustained cyber-attack” on the TalkTalk website, the UK company says. The phone and broadband provider, which has over four million UK customers, said banking details and personal information could have been accessed. TalkTalk said potentially all customers could be affected but it was too early to know what data had been stolen. The Metropolitan Police said no-one had been arrested over Wednesday’s attack but enquiries were ongoing. TalkTalk said in a statement that a criminal investigation had been launched on Thursday. It said there was a chance that some of the following customer data, not all of which was encrypted, had been accessed: Names and addresses Dates of birth Email addresses Telephone numbers TalkTalk account information Credit card and bank details In the wake of the news, the company’s share price dropped by 10% in the first few hours after the London stock exchange opened at 08:00 BST. Cyber security consultant and former Scotland Yard detective Adrian Culley told BBC Radio 4’s Today programme that a Russian Islamist group had posted online to claim responsibility for the attacks. He said hackers claiming to be a cyber-jihadi group had posted data which appeared to be TalkTalk customers’ private information – although he stressed their claim was yet to be verified or investigated. Dido Harding, chief executive of the TalkTalk group, told BBC News the authorities were investigating and she could not comment on the claims. Cyber-attacks on consumer companies happen with mounting frequency, but TalkTalk’s speedy decision to warn all of its customers that their vital data is at risk suggests that this one is very serious indeed. We are being told that this was what’s called a DDoS – a distributed denial of service attack – where a website is hit by waves of traffic so intense that it cannot cope. What is not clear is why this would result in the loss of data rather than just the site going down. One suggestion is that the DDoS was a means of distracting TalkTalk’s defence team while the criminals went about their work. I’m assured that TalkTalk customers’ details, including banking information, were all being held in the UK rather than in some overseas data centre. What is less clear is the extent to which that data was encrypted. For TalkTalk, the cost to its reputation is likely to be very serious. Now it is going to have to reassure its customers that its security practices are robust enough to regain their trust. The TalkTalk website was now secure again and TV, broadband, mobile and phone services had not been affected by the attack, she added. The sales website and the “My account” services are still down but the company hopes to restore them on Friday. Ms Harding added: “It’s too early to know exactly what data has been attacked and what has been stolen,” she said. “Potentially it could affect all of our customers, which is why we are contacting them all by email and we will also write to them as well.” However, customers have expressed their frustration with what is the third cyber-attack to affect TalkTalk over the past 12 months. Sara Jones, from East Sussex, said she found out about the breach in the news. “I have not received a single piece of correspondence. The level of information is lacking. And to think this is Get Safe Online Week! “TalkTalk’s online advice is not proportionate to what has happened. Telling customers to “keep an eye on accounts” just does not cut it in terms of advice.” Daniel Musgrove, from Powys, said he had been unable to get through to TalkTalk customer services. “They may not get a payment for my next bill if they don’t get this sorted,” he added. In August, the company revealed its mobile sales site had been targeted and personal data breached. And in February, TalkTalk customers were warned about scammers who had managed to steal thousands of account numbers and names. The biggest risk is that customers’ details have been stolen and criminals try to impersonate them Dido Harding, TalkTalk group chief executive Ms Harding said: “Unfortunately cybercrime is the crime of our generation. Can our defences be stronger? Absolutely. Can every company’s defences be stronger? “I’m a customer myself of Talk Talk, I’ve been a victim of this attack.” What should you do if you think you’re at risk? Report any unusual activity on your accounts to your bank and the UK’s national fraud and internet crime reporting centre Action Fraud on 0300 123 2040 or www.actionfraud.police.uk TalkTalk is advising customers to change their account password as soon as its website is back up and running – expected to be later on Friday – and any other accounts for which you use the same password Beware of scams: TalkTalk will not call or email customers asking for bank details or for you to download software to your computer, or send emails asking for you to provide your password TalkTalk said it had contacted the major banks asking them to look out for any suspicious activity on customers’ accounts. It added that every customer would be getting a year’s free credit monitoring. Ms Harding said: “The biggest risk is that customers’ details have been stolen and criminals try to impersonate them.” Professor Peter Sommer, an expert an cyber security, said TalkTalk’s rapid growth could be to blame for the breaches. “They are acquiring more customers and each of those customers wants to do more things and so they have to increase their capacity… but that’s an expensive exercise,” he told the BBC. Source: http://www.bbc.com/news/uk-34611857

See the original post:
TalkTalk DDoS Attack: Website hit by ‘significant’ breach

CCTV botnets proliferate due to unchanged default factory credentials

Incapsula researchers have uncovered a botnet consisting of some 9,000 CCTV cameras located around the world, which was being used to target, among others, one of the company's clients with HTTP flood…

Read the original:
CCTV botnets proliferate due to unchanged default factory credentials

Attackers hijack CCTV cameras to launch DDoS attacks

Default and weak credentials on embedded devices can lead to powerful botnets We’ve reached a point that security researchers have long warned is coming: Insecure embedded devices connected to the Internet are routinely being hacked and used in attacks. Want to add a bunch of users without going out of your mind? We show you how to do that, and more. The latest example is a distributed denial-of-service (DDoS) attack detected recently by security firm Imperva. It was a traditional HTTP flood aimed at overloading a resource on a cloud service, but the malicious requests came from surveillance cameras protecting businesses around the world instead of a typical computer botnet. The attack peaked at 20,000 requests per second and originated from around 900 closed-circuit television (CCTV) cameras running embedded versions of Linux and the BusyBox toolkit, researchers from Imperva’s Incapsula team said in a blog post Wednesday. When analyzing one of the hijacked cameras that happened to be located in a store close to the team’s office, the researchers found that it was infected with a variant of a known malware program designed for ARM versions of Linux that’s known as Bashlite, Lightaidra or GayFgt. While infecting computers with malware these days requires software exploits and social engineering, compromising the CCTV cameras that were used in this attack was very easy as they were all accessible over the Internet via Telnet or SSH with default or weak credentials. Insecure out-of-the-box configurations are a common issue in the embedded device world and have been for a long time. In 2013, an anonymous researcher hijacked 420,000 Internet-accessible embedded devices that had default or no login passwords and used them in an experiment to map the whole Internet. However, the problem is getting worse. The push by device manufacturers to connect things such as refrigerators or “smart” light bulbs to the Internet is largely done without consideration for security implications or an overhaul of outdated practices. As a result, the number of easily hackable embedded devices is growing fast. Shortly after the CCTV camera-based attack was mitigated, a separate DDoS attack was detected that originated from a botnet of network-attached storage (NAS) devices, the Imperva researchers said. “And yes, you guessed it, those were also compromised by brute-force dictionary attacks.” Source: http://www.computerworld.com/article/2996079/internet-of-things/attackers-hijack-cctv-cameras-to-launch-ddos-attacks.html

Continue Reading:
Attackers hijack CCTV cameras to launch DDoS attacks