Monthly Archives: March 2017

How the Necurs botnet influences the stock market

After a three-months-long partial hiatus, the Necurs botnet is back to flinging spam emails left and right. But unlike before the break, when it was mostly delivering the infamous Locky ransomware or the Dridex banking Trojan, the botnet is now engaged in distributing emails with no malicious attachment or link. According to Cisco Talost researchers, the botnet has been spotted firing off short-lasting but sizeable bursts of penny stock pump-and-dump emails. Necurs botnet’s latest campaign … More ?

Taken from:
How the Necurs botnet influences the stock market

Web smut seekers take resurgent Ramnit malware from behind

? Botnet knocked down, but it gets up again ? Aficionados of salacious smut sites in the UK and Canada are picking up some nasty software that infects systems by using corrupted pop-under adverts.…

Read More:
Web smut seekers take resurgent Ramnit malware from behind

World’s worst botnet fiends switch from ransomware to stock scam spam

IT LIVES! Cybercriminals behind the Necurs botnet have reactivated the zombie network and returned to their original business of using compromised machines as conduits for spam distribution.…

More here:
World’s worst botnet fiends switch from ransomware to stock scam spam

Russian bank Alfa Says it was Under DNS Botnet Attacks

The Russian banking giant Alfa announced, in a press statement, that hackers targeted its cyber infrastructure in a large-scale DNS Botnet attack. The purpose appears to have been to make it seem as though the bank had been communicating with the Trump Organization. The bank is now asking U.S. to assist it to uncover the culprits. On Friday, the bank revealed that their servers were under three cyber attacks targeting the domain name server (DNS) since mid-February. It is unclear who was behind these attacks; the details show unknown hackers allegedly used Amazon and Google servers to send requests to a Trump Organization server posing to look like they came from Alfa Bank, pushing the Trump server to respond back to the bank. An Alfa Bank spokesperson said: “The cyber attacks are an attempt by unknown parties to manufacture the illusion of contact between Alfa Bank’s DNS servers and ’Trump servers’’. Furthermore, Alfa Bank revealed that it is ready to work with the U.S. law enforcement agency to identify the individuals involved in the campaign. The bank has already hired Stroz Friedberg, a US-based cyber security firm to get into the depth of the matter. “The cyber attacks are an attempt by unknown parties to manufacture the illusion of contact between Alfa Bank’s DNS servers and ‘Trump servers,” an Alfa Bank representative said in a statement. “We have gone to the U.S. Justice Department and offered our complete cooperation to get to the bottom of this sham and fraud.” On February 18, 2017, the bank claims it experienced suspicious cyber activity from an unidentified third-party. Specifically, the unidentified third-party repeatedly sent suspicious DNS queries from servers in the U.S. to a Trump Organization server. The unidentified individuals made it look as though these queries originated from variants of MOSCow.ALFAintRa.nET. The use of upper and lower case indicated the human intervention in the process. Moreover, Alfa Bank says it received more than 1,340 DNS responses containing mail.trump-email.com.moscow.alfaintra.net. Last week, CNN reported that the FBI’s counterintelligence team was investigating if there was a computer server connection between the Trump Organization and Alfa Bank during the U.S. election, according to sources close to the investigation. The bank has now denied that there was ever a conversation between both parties. Mark McArdle, CTO at cyber security company eSentire commented on the issue and said that: “A botnet is typically associated with an attack that leverages scale, as it can employ thousands (potentially millions with IoT devices) of devices and use them to coordinate an attack on a target. We’ve seen this with some big DDoS attacks. We also see botnets being used as platforms for large-scale spamming. However, the number of DNS connections reported in the Alfa Bank attacks (1,340 in once case) don’t indicate massive scale. A botnet, however, can be used to add another layer of obfuscation between you and your attacker. Following the breadcrumbs back could bring you to a PVR that has been hacked and is now part of a botnet. I suspect in this case, the botnet is being used more for obfuscation of identity than scale. The attackers may be using a botnet to send spoofed DNS requests to a legitimate Trump server using a spoofed “reply-to” address inside Alfa-Bank’s infrastructure. Spoofing DNS lookups is not very difficult since DNS is not authenticated, and the ability to spoof source addresses is unfortunately still available – all you need is a system to launch your attack from that is connected to the Internet via an ISP that doesn’t filter out spoofed source addresses. While this type of attack has been around for a while, what’s new in this case is that someone is using it to try and contrive evidence of a relationship where neither party sought one. Additionally, there is also reference in Alfa Bank’s statement about Spam messages from marketing@trumphotels.com. It’s also possible to spoof email (spammers do this all the time). A spoofed email could include a reference to a legitimate Trump Org server and a real connection would be established if a user clicked on it (or selected “show images” in the email). Again, this does not mean the email came from Trump Org, just that it was sent in order to attempt to solicit “a connection” between Trump Org and Alfa-Bank.” Either way, identity is difficult to determine unless cryptographic certificates are used, and ultimate hack attribution is even more difficult. This is not the first time that allegations surrounding Trump’s relations with Russia have emerged. Some believe Russia hacked the US election to give Trump a way to win the presidency while some believe that Russian media was involved in spreading fake news against Trump’s opponent Hillary Clinton. Either way, nothing has been proven yet. Source: https://www.hackread.com/russia-alfa-bank-target-with-dns-botnet-attacks/

More:
Russian bank Alfa Says it was Under DNS Botnet Attacks

Nine Ways To Protect Your Technology Company From DDoS Attacks

DDoS attacks can wreak havoc on your company’s efficiency if you’re not careful. The Mirai botnet — malware that can be used for large-scale network attacks — can often go undetected due to common oversights and lack of preparation. It may be daunting to think about how IoT devices that make your company run smoothly can be used against you; however, it doesn’t take much time to set up multiple precautions to prevent it. Below, executives from Forbes Technology Council highlight simple and cost-effective ways that you can safeguard your company from baleful botnets. 1. Start By Looking At Your Infrastructure There are many botnets, Mirai just happens to be one of the largest known ones. Technology companies need to start developing more secure products rather than security being an afterthought. Firms need to look at their internet infrastructure to funnel botnet traffic away from their core business to enable the business to function when these attacks occur. – Heeren Pathak, Vestmark 2. Understand That Anyone Can Be A Target It’s very important to understand that anyone can be a target, no matter if you are a big or small company. If being offline just for a few minutes can cause a big economical impact, then you definitely should find a trusted partner that offers good solutions to mitigate against DDoS attacks. There are some companies offering this kind of service, but a quick Google search should be handy. – Cesar Cerrudo, IOActive 3. Choose The Right Hosting Partners No matter your line of business, your public-facing websites are potential targets of massive DDoS attacks. For business without a dedicated team of security experts, it’s important to choose the right hosting partners. For many customers of AWS, you automatically received free protection against some forms of attacks similar to Mirai botnet with the release of AWS Shield in December of 2016. – Jamey Taylor, Ticketbiscuit, LLC 4. Monitor Your Traffic Companies need to be skeptical of any device they have hanging on their networks. The average company now needs to apply firewall rules on a device-by-device basis, anticipating the possibility of a printer, web camera or AV control system becoming infected. Smart traffic monitoring software and methods of quarantining devices should be commonplace. – Chris Kirby, Voices.com 5. Set Strong, Custom Passwords IT security organizations should ensure their IoT devices have no direct public management access from outside the network. If an IoT device must be managed remotely through publicly accessible IPs, change the management password on the device from the default to a strong, custom one. IT admins need to put intrusion prevention, gateway anti-malware and network sandbox solutions at the network perimeter. – Bill Conner, SonicWall 6. Don’t Rely On The Internet Nearly all consumer products are computer-based in today’s marketplace, which makes reliance on the internet dangerous to a product’s infrastructure. That said, Cloudflare, Akamai and Dynect are solution services that will act as a protective wall for your servers and prevent large-scale network attacks. – Pin Chen, ONTRAPORT 7. Have The Right Company Policies In Place Technology companies should have policies in place to make sure IoT devices default factory credentials are changed as soon as they are procured. Will this guarantee they will never get infected with Mirai botnet? No. But this basic step along with modifying factory default privacy and security settings, firmware updates, audits, etc. will reduce the chances of an IoT device being infected. – Kartik Agarwal, TechnoSIP Inc 8. Cooperate And Act Mirai shows how an internet of everything can cause new kinds of net-quakes. Attackers can fire so much hostile traffic at one target that it takes down entirely unrelated sites nearby, in effect, causing major collateral damage. Unfortunately, there’s no simple defensive fix — it takes cooperation and active network control to deflect traffic tsunamis. – Mike Lloyd, RedSeal 9. Be Prepared Large-scale network attacks are not going away, and technology companies need to ensure they’re prepared. Doing a security audit of what protections are currently in place, and looking for existing holes that need to be plugged, is a good place to start. Also, make sure any IoT devices used at your company have security in place to prevent them from becoming part of this bot army. – Neill Feather, SiteLock Source: https://www.forbes.com/sites/forbestechcouncil/2017/03/16/nine-ways-to-protect-your-technology-company-from-ddos-attacks/2/#73d67f6a7178

Visit link:
Nine Ways To Protect Your Technology Company From DDoS Attacks

Standards and Security: The Great DDoS Challenge

Whether or not you work in IT security, distributed denial of service (DDoS) attacks are becoming more visible by the day. In the last three months of 2016 alone, DDoS attacks greater than 100Gbps increased by 140% year-on-year, according to a recent report. This growth isn’t expected to decelerate any time soon. The damage inflicted by DDoS attacks in the past year has been seen across various aspects of the online world. We often hear of news sites and political campaigns being taken offline, but this is now moving towards more mission critical operations in hospitals, banks and universities. The most significant example in recent months is the DDoS attack against Domain Name Service (DNS) provider Dyn. Let’s take a look at this case and determine the potential impact that conformance to existing standards could have had on the incident. IoT and the DDoS dilemma The Dyn attack in October 2016 impacted a whole host of major websites including Amazon, Netflix, Twitter, Spotify and Github, and was widely reported as the largest of its kind ever recorded. Its substantial impact was down to the huge number of connected devices used in the attack – not just laptops and PCs but routers, printers and baby monitors that make up the so-called Internet of Things (IoT). These devices were deliberately infected with the Mirai malware in order to create a botnet to carry out the momentous attack. It’s important to be clear on the mechanisms of the Mirai malware if we’re to consider the potential impact of standards on the attack. By using known passwords, it is able to search for susceptible IoT devices before infecting them with the malware. As a result, the device becomes part of a botnet which is capable of launching DDoS attacks from all of its infected devices. Seven out of 12 DDoS attacks in Q4 2016 were down to the Mirai botnet. In the Dyn case, it was estimated that the attack involved 100,000 malicious endpoints. The botnet sent around 1 TB of traffic per second to the company’s servers, meaning legitimate requests were denied. Mitigating DDoS attacks This attack was fundamentally a consequence of the devices involved still retaining their default password. There are two arguments as to where culpability lies in this instance. Some blame the users for not changing the default passwords once they were connected. Others feel more responsibility should fall on the manufacturers to ensure operators understand the importance of changing default passwords. In fact, in some cases manufacturers were distributing products with well-known default passwords and no option to change the password without purchasing a new product. In any case, these devices were vulnerable and open to attack. Standards: the silver bullet? DDoS attacks are becoming far more sophisticated so it’s essential that hardware and software manufacturers start to seriously consider standards to address the potential security risks in the growing Internet of Things. One key standard is the Open Trusted Technology Provider Standard, or O-TTPS, which addresses these issues around supply chain security and product integrity. Recently approved as ISO/IEC 20243, this set of best practices can be applied from design to disposal, throughout the supply chain and the entire product life cycle. Standards like the O-TTPS aim to reduce the risk of tainted (e.g., malware-enabled and malware-capable) and counterfeit hardware and software components from entering the supply chains and making their way into products that connect to the internet. This specific standard also has a conformance program that identifies Open Trusted Technology Providers who conform. The vendors involved in the Dyn incident could have followed the O-TTPS’ requirements for vulnerability analysis and notification of newly discovered and exploitable product weaknesses. If they had done so from the outset, the vulnerability that allowed the Mirai botnet to grow would have been caught early. The attack vector would have subsequently been blocked and the impact on businesses and consumers significantly reduced. Securing Information and Communication Technology (ICT) on which our business enterprises and critical infrastructures depend is a serious problem that becomes even more daunting and complex as we extend those environments to IoT devices. ICT and IoT devices are developed, manufactured, and assembled in multiple countries around the world. They are then distributed and connected globally. Providing international standards like the O-TTPS (ISO/IEC 20243) that all IT providers and their technology partners (e.g., component suppliers, manufacturers, value-add resellers) in their supply chains can adopt, regardless of locale, is one significant way to increase cyber and supply chain security. Standards can’t categorically prevent the inception of DDoS attacks, but what they can do is mitigate their effectiveness and limit their economic damage. The adoption of a universal product integrity and supply chain security standard is a major first step in the continued battle to secure ICT products and IoT devices and their associated end users. Further steps need to be taken in the form of collaboration, whereby we reach a point where we can recognise which technology and technology providers can be trusted and which cannot. But adhering to global standards provides a powerful tool for technology providers and component suppliers around the world to combat current and future DDoS attacks. Source: https://www.infosecurity-magazine.com/opinions/standards-security-great-ddos/

See more here:
Standards and Security: The Great DDoS Challenge

Dormant Linux kernel vulnerability finally slayed

Just, er, eight years later A recently resolved vulnerability in the Linux kernel that had the potential to allow an attacker to gain privilege escalation or cause denial of service went undiscovered for seven years.…

Originally posted here:
Dormant Linux kernel vulnerability finally slayed

Taiwan high-tech industry hardest hit by DDoS attacks in last 30 days

TAIPEI (Taiwan News)—Most denial-of-service (DDoS) attacks launched by hackers from Feb. 15 to March 14, 2017 in Taiwan targeted the high-tech industry, according to statistics compiled by leading global content delivery network provider Akamai Technologies. Industries in Taiwan that were most severely attacked by hackers were the high technology industry (61.8 percent), manufacturing industry (17.6 percent) and the financial services industry (7 percent), according to statistics compiled by Akamai’s intelligent platform that delivers 30 percent of the global Internet traffic. Industries in Taiwan under DDoS attacks from February 15 to March 14, 2017. (Taiwan News) The majority of the hacks were launched from IP addresses in Taiwan, followed by Alabama in the U.S., and Brazil. “It is often a misconception that most attacks are launched from abroad,” said Akamai’s Security Business Unit director Amol Mathur. “Attacks are coming both domestic and outside.” The premium CDN provider works customizes solutions for clients from different industries in Taiwan, including hospitality, banking, travel and airline services. Taiwan’s financial institutes are still recovering from a cybersecurity scare last month, in which 15 banks received threats from an anonymous hacker group to shell out 10 Bitcoins each (equivalent to US$10,466), or brace themselves for DDoS attacks that would compromise their server systems. DDoS attacks launched by hackers often compromise institute’s servers data processing capacity by delivering a sudden deluge of data that overtakes bandwidth resources, for instance if the company server bandwidth only allows 10 Gigabyte per second (Gbps) of capacity it can be paralyzed by a 100 Gbps attack. Hackers might use DDoS as a distraction to conceal other malign operations, such as stealing personal information or credential theft, added Mathur. Industries affected by hacker attacks vary monthly, depending on whether there is a major geopolitical event, said Mathur. For instance global hacker group Anonymous took down the London Stock Exchange system for two hours as part of its campaign against global central banks in June 2016. Mathur advised banks should not heed hacker demands to pay ransom. “In real life you would not pay ransom, so why would you pay hackers,” he said. The cybersecurity expert noted a rise in DDoS attacks globally during the fourth quarter of 2016, and pointed out DDoS attacks data size was increasing exponentially every quarter. Globally, attacks over 100 Gbps jumped 140 percent year-on-year during 4Q16, with the largest-size attack recorded reaching 517 Gbps, according to the Akamai “Fourth quarter 2016 State of the Internet/Security Report.” Mathur noted the cause of increased DDoS attacks was partly due to easy access for people to rent bots online, for as cheap as US$10 by going to a site and simply keying in the website address. Hackers can generate a monthly income of US$180,000 to US$200,000 from bot rentals. It remains extremely difficult for law enforcement agencies from a single country to track down hackers that spread the attacks launched by rented bots around the globe, and hide behind the protection of anonymity offered by the dark web. Additionally, the preferred Bitcoin currency used for business transactions by hackers is hard to trace to an IP address, explained Mathur. Introduction of mobile devices, mobile payment, IP surveillance cameras and emerging Internet of Things (IoT) trends introduce new cybersecurity vulnerabilities as hackers can utilize attacks through large number of connected devices. The Mirai bot for instance exposed vulnerabilities in the default user administrator name and passwords used by thousands of connected IP surveillance cameras and their DVR worldwide, said Mathur. He urged the IoT industry to form a joint standard, and for countries to start implementing regulations that set cybersecurity standards for connected devices. Hackers are also finding ways to target vulnerabilities in smartphone application programming interface (API) to obtain credentials, and data from mobile transactions. Apple Pay and some other mobile payment technologies periodically publish white papers announcing how it is securing data, but are mostly for tech savvy readers, said Mathur. One way consumers can safeguard credit card transactions is to check if the online shopping sites or App they use have The Payment Card Industry Data Security Standard (PCI DSS), noted Mathur. The proprietary information security standard launched nearly a decade ago by major credit card companies Visa, MasterCard, American Express, JCB and others follows a stringent standard and heavily fines companies that do not follow its compliance. Source: http://www.taiwannews.com.tw/en/news/3117326

Originally posted here:
Taiwan high-tech industry hardest hit by DDoS attacks in last 30 days

DDoS Attacks; Can You Find Who Dunnit?

Kaspersky Lab and B2B International recently polled 4,000 businesses among 25 countries that had been hit by a distributed denial of service (DDoS) attack; 40% of respondents said they believed that a rival business had launched the attack. Only 20% of DDoS victims blamed foreign governments and secret service organizations, and another 20% suspect disgruntled former employees. These are interesting statistics, given that it is extremely difficult to determine who launched a DDoS attack. Has law enforcement found any trends to support this belief that many DDoS attacks are caused by industrial sabotage? Maybe, maybe not. When it comes to hacking—especially DDoS hacks—law enforcers seldom find the perpetrators, because it is extremely difficult for anyone to trace the origins of DDoS attacks. The source is typically 1) a legitimate third-party server, running a service which has been leveraged by an attacker as part of a reflection/amplification attack, or 2) a direct flood attack from a single device, or 3) a botnet of many devices in which the IP source addresses are easily spoofed to ones that cannot be associated with the attacker. Motivations and Means Hacker motivations vary; some are political, others are financial. Certainly, if a business wanted to inflict financial or reputational harm upon a competitor, a DDoS attack would do the trick. After all, it is easy and relatively inexpensive for anyone to rent a botnet or DDoS-for-hire service to carry out a DDoS attack. Yes, it’s possible, but do victims have any evidence to back up their suspicions, or are they just paranoid about a rival business? Likewise, the threat of a disgruntled, malicious insider or former employee is a reasonable concern. But again, it is hard to trace the breadcrumbs. Speculating about “who dunnit” is usually pointless; there’s little hope of hunting down the perpetrator(s), and it costs time and money to conduct an investigation. Even if the perps are brought to justice, they’ve already damaged your business. The moral of the story is that it’s useless to close the proverbial stable door after the horse has left; the best approach is to prevent an attack by having DDoS protection in place. Source: http://www.dos-mitigation.com/wp-admin/post-new.php

More:
DDoS Attacks; Can You Find Who Dunnit?

IoT DDoS Reaches Critical Mass

In the wake of the Mirai botnet activity that dominated the end of last year, the “DDoS of Things (DoT)”, where bad actors use IoT devices to build botnets which fuel colossal, volumetric DDoS attacks, has become a growing phenomenon. According to A10 Networks, the DoT is reaching critical mass—recent attacks have leveraged hundreds of thousands of IoT devices to attack everything from large service providers and enterprises to gaming services, media and entertainment companies. In its research, it uncovered that there are roughly 3,700 DDoS attacks per day, and the cost to an organization can range anywhere from $14,000 to $2.35 million per incident. In all, almost three quarters of all global brands, organizations and companies (73%) have been victims of a DDoS attack. And, once a business is attacked, there’s an 82% chance they’ll be attacked again: A full 45% were attacked six or more times. There were 67 countries targeted by DDoS attacks in Q3 2016 alone, with the top three being China (72.6%), the US (12.8%) and South Korea (6.3%). A10 found that 75% of today’s DDoS attacks target multiple vectors, with a 60/40 percentage split of DDoS attacks that target an organization’s application and network layers, respectively. Meanwhile, DDoS-for-hire services are empowering low-level hackers with highly damaging network-layer bursts of 30 minutes or less. This relentless attack strategy systemically hurts corporations as colossal DDoS attacks have become the norm too; 300 Gbps used to be considered massive, but today, attacks often push past 1 Tbps thanks to the more than 200,000 infected IoT devices that have been used to build global botnets for hire. No industry is immune: While 57% of global DDoS attacks target gaming companies, any business that performs online services is a target. Software and technology were targeted 26% of the time; financial services 5%; media and entertainment, 4%; internet and telecom, 4%; and education, 1%. Source: https://www.infosecurity-magazine.com/news/iot-ddos-reaches-critical-mass/

See the original post:
IoT DDoS Reaches Critical Mass