Monthly Archives: February 2017

DDoS attacks increasingly form blended attacks of more vulnerabilities

DDoS attacks increasingly formed blended attacks of four or more vulnerabilities over the course of the fourth quarter of 2016, with an intent to overload targeted monitoring, detection and logging systems, according to Nexusguard. Hybrid attacks were a common attack pattern against financial and government institutions. DDoS botnet activity: Top attacking countries The supersized Mirai attack from Q3 set the stage for Q4 challenges, resulting in a ripple of botnets from connected devices and the … More ?

View article:
DDoS attacks increasingly form blended attacks of more vulnerabilities

Five Taiwan brokerages report cyber attack threats, regulator says

Taiwan is investigating an unprecedented case of threats made to five brokerages by an alleged cyber-group seeking payment to avert an attack that could crash their websites, an investigator and the securities regulator said on Monday. Rick Wang, an official with Taiwan’s Financial Supervisory Commission (FSC), said each brokerage had received an email setting a deadline for the transfer of funds to avoid a distributed denial of service (DDoS) attack. Such attacks, among the most common kind on the internet, overload a website until it is forced to inhibit access or go offline. They have become common tools for cyber criminals trying to cripple businesses and organizations with significant online activities. “We have never seen this on such a scale – five companies hit at one time with the same threat,” said Wang, adding that the regulator usually sees single instances of cyber-crime. FireEye, a cybersecurity consultancy, said the attacks were similar to a wave of threatened denial of service attacks by a previously unidentified group that first appeared in Europe last month. The Taiwan attacks do not pose a threat to the island’s broader trading and financial system, Wang said, but he added that the regulator had asked all securities firms to step up defensive measures. One threat recipient, Masterlink Securities Corp, said its website had come under attack, but it had recovered and operations were normal. “The emails were sent under the name of the ‘Armada Collective’,” said Chiu Shao-chou, an official of the internet cybercrime division of Taiwan’s Criminal Investigation Bureau, the government’s top investigation body. The Armada Collective, a hacking extortion group, has been linked to financial blackmail heists elsewhere. But Chiu said the group has been put under watch and Taiwan investigators were still looking into the original source of the emails. The email demanded payment in web-based digital currency bitcoin equivalent to about T$300,000 ($9,731.41), Taiwan media said. None of the securities companies made any payments, Chiu said. Another brokerage firm, Capital Securities Corp, was hit on Monday by a DDoS attack lasting 20 minutes before its system recovered, the regulator said, but it did not link the latest case to the threatening emails. (This version of the story corrects sixth paragraph to show the attacks were similar to, not necessarily part of, a wave of attacks in Europe last month) Source: http://www.reuters.com/article/us-taiwan-cyber-idUSKBN15L128

More:
Five Taiwan brokerages report cyber attack threats, regulator says

Everything old is new again: Experts predict a flood of denial-of-service attacks

As IoT goes mainstream Mirai-style denial-of-service botnet attacks are escalating, and hackers are targeting health care companies, financial services, and the government. The hottest trend in cyberattacks is an archaic and simplistic hacker tool. Propelled by the rise of IoT, the popularity of denial-of-service attacks rebounded in late 2016 and early 2017. Accompanying the rapid acceleration of the IoT and connected device market, warn cybersecurity experts, will be a zombie botnet swarm of network-crippling attacks. Denial-of-service attacks are simple but effective weapons that bring down websites and services by flooding networks with junk traffic from commandeered botnets. Digital fallout will often cripple the target and ripple across the web to knock out unaffiliated but connected services and sites. “After an attack [clients] often feel angry and violated,” said Matthew Prince, CEO of denial-of-service mitigation service CloudFlare in an interview with TechRepublic. “A distributed denial-of-service (DDoS) attack is not a sophisticated attack. It’s the functional equivalent of a caveman with a club. But a caveman with a club can do a lot of damage.” “DDoS outages are causing companies to completely rethink their cybersecurity strategies,” said cyber-defence strategist Terrence Gareau in a report by threat identification firm Nexusguard. Nexusguard examines network data to identify threat vector trends like duration, source, and variation of denial-of-service attacks.”Hackers’ preferences for botnets over reflection attacks are typical of cyclical behavior, where attackers will switch to methods that have fallen out of popularity to test security teams with unexpected vectors.” Denial-of-service attacks are a broad umbrella used to describe a number of technological sub-tactics. Denial-of-service attacks are common and relatively easy to pull off because these attacks simply crowdsource web IP addresses. The hacker group Anonymous made DDoS attacks famous by championing a tool nicknamed the “Low Orbit Ion Cannon” that made denial-of-service accessible and easy. The downside, of course, is that all cyberattacks are illegal, and unsophisticated DDoS attacks are easy for law enforcement to pursue. The Nexusguard report shows that hackers are switching from DDoS to IoT botnet-based attacks like last year’s devastating Mirai hack. “Distributed denial-of-service attacks fell more than 40 percent to 97,700 attacks in the second quarter of the year,” Gareau said. IoT attacks targeted at French data provider OVH broke records for speed and size, the report said, and were so severe that France broke into Nexusguard’s Top 3 [cyberattack] victim countries. “The preferred programming language for the Mirai botnet helped to better handle a massive number of nodes compared to other typical languages for DDoS attacks,” Gareau said. “Researchers attribute the [DDoS] attack dip and these massive attacks to hackers favoring Mirai-style botnets of hijacked connected devices, demonstrating the power IoT has to threaten major organizations.” Hackers are also diversifying attacks against large organizations in financial services, healthcare, and government sectors, Gareau said in the Nexusguard report. “Hackers favored blended attacks, which target four or more vectors, in attempts to overload targeted monitoring, detection, and logging systems.” To fend off attacks, experts like Prince, Gareau, and Cyberbit’s chief technology officer Oren Aspir agree enterprise companies need to develop a response plan. “Attacks on an endpoint device will always leave some sort of trail or evidence to analyze,” Aspir said. “Since the speed of detection is vital, analysts need tools that will allow them to quickly detect behavior at the endpoint, validate the threat, and perform an automated forensic investigation in real time on that endpoint.” Aspir also suggested companies prepare for DDoS and other hacks by reviewing previous attack metrics, conduct vulnerability assessment and penetration testing exercises, and simulate attacks to help evaluate team preparedness. “It’s important for organizations to build a baseline that consists of what ‘good behavior’ should look like on an endpoint. This allows for organizations to take unknown threats and validate them quickly.” Though IoT botnet denial-of-service attacks are relatively new enterprise organizations have learned from previous attacks and already shifted defense tactics. “Researchers predict the attention from recent botnet attacks will cause companies to strengthen their cybersecurity… and ensure business continuity despite supersized attacks,” Gareau said. Source: http://www.techrepublic.com/article/everything-old-is-new-again-experts-predict-a-flood-of-denial-of-service-attacks/

Original post:
Everything old is new again: Experts predict a flood of denial-of-service attacks

Monitoring scanning activities that could lead to IoT compromises

IoT devices are ideal targets for attackers looking to build DDoS botnets because they have limited or non-existent security features. Some IoT devices utilize hard-coded default passwords. Many devices have unnecessary services running that can be exploited, and others have unprotected management interfaces. Most important for DDoS attackers, IoT devices offer high-speed connections that are always on, which allows for a large, predictable amount of attack traffic volume per compromised device. Monitoring login attempts Looking … More ?

See original article:
Monitoring scanning activities that could lead to IoT compromises

DDoS Attack Takes Down Austrian Parliament Website

The DDoS attack, one of the most common cyber threats, is being investigated by authorities The Austrian parliament’s website was hit by a suspected cyber attack over the weekend which took the site down for 20 minutes. Hackers are believed to have used a Distributed Denial of Service (DDoS) attack to flood the website with digital service requests and, although no data was lost, authorities are now investigating the attack. “The hacker attack was most likely a so-called DDoS-attack; a similar attack took place last November targeting the websites of the Foreign Affairs and Defence Ministries,” the parliament said in a statement. Cyber attack One of the most common cyber threats around, DDoS attacks have been growing in size and prevalence in recent times, with Corero Network Security predicting that such threats will become the top security priority for businesses and the new norm in 2017. “While the Mirai botnet is certainly fearsome in terms of its size, its capacity to wreak havoc is also dictated by the various attack vectors it employs, said Dave Larson, CTO/COO at Corero Network Security. “If a variety of new and complex techniques were added to its arsenal next year, we may see a substantial escalation in the already dangerous DDoS landscape, with the potential for frequent, Terabit-scale DDoS events which significantly disrupt our Internet availability.” In January, a DDoS attack was responsible for an outage at Lloyds Banking Group that left customers unable to access online banking services for three days, after web security firm Imperva had earlier that month issued a warning to businesses after fending off the largest DDoS attack ever recorded on its network. But the most high-profile attack in recent months affected domain name service provider Dyn and resulted in a slew major sites – including Twitter, Spotify and Reddit – being taken offline. Source: http://www.silicon.co.uk/security/ddos-attack-austrian-parliament-website-204381

View the original here:
DDoS Attack Takes Down Austrian Parliament Website

DDoS attack on Dyn costly for company: claim

A distributed denial of service attack on Dynamic Network Services, otherwise known as Dyn, in October 2016, led to the company losing a considerable amount of business, according to data from the security services company BitSight. A report at the Security Ledger website said while Internet users endured short-term pain because they were cut off from popular websites during the attack, the company, Dyn, lost the business of about 8% of the domains — about 14,500 — it was hosting shortly thereafter. This figure was based on statistics in a talk given on 24 January by Dan Dahlberg, a research scientist at BitSight Technologies in Cambridge, Massachusetts. Dyn is based in Manchester, New Hampshire. It was recently bought by Oracle Corporation. During the outage, Dyn was targeted by hackers who are said to have used digital video recorders and security cameras which were compromised by malware known as Mirai and used to form a massive botnet. The first attack, on 21 October 2016 US time, began at 7.10am EDT (10.10pm AEDT) and, once this was resolved by Dyn, further waves caused disruptions throughout the day. While major US websites like Twitter, Spotify, Netflix and Paypal were disrupted, the application performance management software company Dynatrace said that Australian websites were affected as well. Among the Australian sites that took a hit, Dynatrace listed AAMI, ANZ, BankWest, Coles, The Daily Telegraph, Dan Murphy’s, ebay, HSBC, The Herald Sun, NAB, 9News, The Age, Ticketmaster, The Australian, Woolworths, The Sydney Morning Herald, and Westpac. BitSight provides security rating services for companies. It analysed 178,000 domains that were hosted on Dyn’s managed DNS infrastructure before and after the attacks; of these 145,000 used Dyn exclusively, while the remaining 33,000 used Dyn and others too. After the attack, according to Dahlberg, 139,000 of the 145,000 domains managed exclusively by Dyn continued to use its services, a loss of 4% or 6000 domains. Among domains that used Dyn and other providers as well, there was a loss of 8000 domains, or 24%. Security Ledger said it had tried to get a comment from Dyn but was refused one. It is not clear whether any of the 14,500 domains that were found not to be using Dyn’s services in the aftermath of the attack returned to the provider. Source: http://www.itwire.com/security/76717-ddos-attack-on-dyn-costly-for-company-claim.html

View the original here:
DDoS attack on Dyn costly for company: claim

SQL Sequel: Sequel Slammer worm resurfaces after more than a decade

SQL Slammer, a fast-moving worm that generated a wave of distributed denial of service (DDoS) attacks in 2013, mysteriously resumed high levels of activity in late 2016 after more than a decade of dormancy. According to a company blog post Thursday, Check Point Software Technologies detected a “massive” surge in SQL Slammer attacks between Nov. 28 and Dec. 4, 2016. “What we’ve been seeing is not the actual worm, but its attempts to reach more servers,” said Maya Horowitz, group manager, threat Intelligence at Check Point, in an email interview with SC Media. “Therefore we cannot know for sure if any changes have been [made to] the worm or the vulnerabilities it exploits.” When it first surfaced in 2003, the worm managed to infect tens of thousands of servers and routers in a matter of minutes by exploiting a buffer overflow vulnerability (CVE-2002-0649) in Microsoft SQL Server 2000 or Microsoft SQL Server Data Engine 2000 – both of which are no longer supported. These infected, exploited machines would then bombard ransom IP addresses with an enormous stream of malicious packets that would infect other vulnerable systems, while simultaneously overloading Internet-based network devices with traffic. Microsoft patched this vulnerability in Jan. 2003 and over the years has issued multiple new versions of the affected products. This makes these latest attacks ever stranger, because unless the worm has evolved in some way, it is hard to imagine that users remain susceptible to this threat. “One theory to why it’s attempting to make a comeback is that cybercriminals are seeking easy ways to cause DoS and slow down the entire Internet, just like with the recent Mirai botnet,” said Horowitz. “And reusing old malware is the easiest way.” Source:https://www.scmagazine.com/sql-sequel-sequel-slammer-worm-resurfaces-after-more-than-a-decade/article/636156/

Read More:
SQL Sequel: Sequel Slammer worm resurfaces after more than a decade

39% of businesses not ready to protect themselves against DDoS

Companies are not ready to protect themselves against DDoS, with four in ten (39%) businesses unclear about the most effective protection strategy to combat this type of attack, according to research from Kaspersky Lab. A lack of knowledge and protection is putting businesses at risk of grinding to a halt. DDoS attacks can quickly incapacitate a targeted business’s workflow, bringing business-critical processes to a stop. However, the research found that nearly a fifth (16%) of businesses are not protected from DDoS attacks at all, and half (49%) rely on built-in hardware for protection. This is not effective against the increasing number of large-scale attacks and ‘smart’ DDoS attacks which are hard to filter with standard methods. Large-scale cyberattacks are now commonplace, such as the recent attack on telecommunications provider StarHub, which faced a high-profile DDoS attack in October last year. Hackers are also showing a preference for DDoS attacks, with the proliferation of IoT devices today. As IoT devices have weak security protocols, they are easy targets for hackers to launch DDoS attacks from. As IoT devices are forecasted to hit 21 billion in 2020, each potential entry point into an organisation increases vulnerability to DDoS attacks. Many businesses are in fact aware that DDoS is a threat to them – of those that have anti-DDoS protection in place, a third (33%) said this was because risk assessments had identified DDoS as a potential problem, and one in five (18%) said they have been attacked in the past. For some, compliance, rather than awareness of the security threat, is the main driver, with almost half (43%) saying regulation is the reason they protect themselves. The problem for businesses is that, in many cases, they may assume they’re already protected. Almost half (40%) of the organizations surveyed fail to put measures in place because they think their Internet service provider will provide protection, and one in three (30%) think data center or infrastructure partners will protect them. This is also not always effective, because these organizations mostly protect businesses from large-scale or standard attacks, while ‘smart’ attacks, such as those using encryption or imitating user behavior, require an expert approach. Moreover, the survey found that a third (30%) fail to take action because they think they are unlikely to be targeted by DDoS attacks. Surprisingly, one in ten (12%) even admit to thinking that a small amount of downtime due to DDoS would not cause a major issue for the company. The reality is that any company can be targeted because such attacks are easy for cybercriminals to launch. What’s more, the potential cost to a victim can reach millions. “As we’ve seen with the recent attacks, DDoS is extremely disruptive, and on the rise,” says Kirill Ilganaev, Head of Kaspersky DDoS Protection at Kaspersky Lab. “When hackers launch a DDoS attack, the damage can be devastating for the business that’s being targeted because it disables a company’s online presence. As a result business workflow comes to a halt, mission-critical processes cannot be completed and reputations can be ruined. Online services and IT infrastructure are just too important to leave unguarded. That’s why specialized DDoS protection solution should be considered an essential part of any effective protection strategy in business today.” Source: http://www.networksasia.net/article/39-businesses-not-ready-protect-themselves-against-ddos.1486046674

See original article:
39% of businesses not ready to protect themselves against DDoS

How to Identify a DDoS Attack

DDoS stands for Distributed-Denial-of-Service. It basically means that a surge of information cuts you off from your network i.e. your server or your web host, disallowing access to web services. In recent times, a series of DDoS attacks have taken place, which is proven but the statistics put together by Arbor Networks’ 12th Annual Worldwide Infrastructure Security Report (WISR). The report indicates that incidences of DDoS attacks have risen 44% compared to last year. In fact, 53% of the service providers that were surveyed mentioned that 53 percent they are seeing more than 21 DDoS attacks per month, up from 44 percent last year. It is important to know if your network is under an attack, and take the necessary correction steps. Especially if you are an online business, a DDoS attack can wreak havoc, stopping your operations completely. An attack is initiated by sending a flood of traffic to your server or web host, thereby, eating into your available bandwidth and server resources. In effect, the original user, which is you, are left without access to web services. In extreme situations, the server may crash too. In fact, the attack is not launched from one source, making it difficult to track down a single IP in computer and data logs. The attacker generally infects user networks, including personal computers, mobiles, and IoT devices and so on, through his or her malware-infected machines. That is where the complexity of identifying a DDoS attack arises- it can quickly spiral into large proportions. Also, a DDoS attack can strike without warning, most hackers do not believe in sending threats before carrying out the hack. It may look like your website server or hosting domain is down, while in reality it may be a DDoS attack. Even elaborate server tests may just indicate a high traffic, which may appear normal. Hence it is important to be on the vigil and consider that you may indeed, be under a DDoS attack: Here are the key clues to look out for: An IP address makes x requests over y seconds, many times consistently, or IP addresses may repeat frequently: If you spot this behaviour for specific IPs, you can direct traffic from those IPs to specific NULL routes. This will bypass your servers. At the same time, make it a point to whitelist some of the valid IPs. Your server responds with a 503 error citing a service outage: Windows allows you to schedule alerts when a specific event happens in Event Viewer. Allocate a task to an event (such as errors or warnings). Similarly, allocate a task to a 503 event by opening Event Viewer, right clicking on the event, and set up a configuration to send an email to an administrator or to a team of people. Loggly can help you with this in case of multiple servers. Ping requests time out: Move beyond manually pinging servers to test response. A number of web pinging services are available, such as, UpTimeRobot, Pingdom, Mon.itor.us, InternetSeer, Uptrends and others. You can configure the frequency at which you want your site to ping from world-over. If a time out occurs, it is reported back to you or your team. Logs show a huge spike in traffic: Loggly can be used as a lookout for DDoS attacks. It not only shows traffic spikes but also their occurrence date and time, their originating servers and user errors. The logs and alerts can be designed to be more specific, for example, base your alerts on a combination of events and traffic spikes, so as to do away with false alerts. It is not practically possible for any human to keep looking out for these signs. One must automate notification systems. Loggly is a useful tool that can send these alerts to external messaging platforms too, such as Slack, or Hipchat. Of course, it is important that you learn how to perfectly configure an alert, to catch the right indicators, at the same time avoiding an overload of alerts. Source: http://www.readitquik.com/articles/networking-2/a-guide-to-identify-ddos-attack/

View article:
How to Identify a DDoS Attack

The emergence of new global cybercriminal attack patterns

The findings of a new Malwarebytes report illustrate a significant shift in cybercriminal attack and malware methodology from previous years. Ransomware, ad fraud and botnets, the subject of so much unjustified hype over previous years, surged to measurable prominence in 2016 and evolved immensely. Cybercriminals migrated to these methodologies en masse, impacting nearly anyone and everyone. To better understand just how drastically the threat landscape evolved in 2016, researchers examined data taken from Windows and … More ?

Read more here:
The emergence of new global cybercriminal attack patterns