Monthly Archives: April 2017

Alleged Kelihos botmaster indicted

36-year-old Pyotr Levashov was charged on Friday in the US with one count of causing intentional damage to a protected computer, one count of conspiracy, one count of accessing protected computers in furtherance of fraud, one count of wire fraud, one count of threatening to damage a protected computer, two counts of fraud in connection with email and one count of aggravated identity theft. Levashov stands accused of controlling and operating the Kelihos botnet to, … More ?

Read the article:
Alleged Kelihos botmaster indicted

Linksys Routers Vulnerable to DDoS Attack

Flaws in the routers’ firmware could let hackers access configuration settings and execute remote commands. Linksys said it’s working on a patch. Linksys this week identified several vulnerabilities in its router firmware that allow hackers to bypass authentication and perform denial of service (DDoS) attacks. The company said it is working on a fix for the vulnerabilities, which were discovered by security researchers at IOActive in January and affect more than two dozen models of Linksys wireless routers in the WRT and EAxxx series. IOActive found 10 separate issues in the Linksys firmware, including high-risk vulnerabilities that could let hackers exploit routers using default credentials to log in, view router settings, and execute remote commands. “Two of the security issues we identified allow unauthenticated attackers to create a Denial-of-Service (DoS) condition on the router,” IOActive researcher Tao Sauvage wrote in a blog post. “By sending a few requests or abusing a specific API, the router becomes unresponsive and even reboots. The Admin is then unable to access the web admin interface and users are unable to connect until the attacker stops the DoS attack.” The vulnerabilities, which are similar to those found in many other Internet of Things (IoT) devices, are particularly worrisome because they could be used in future attacks of the sort that took large swaths of the internet offline for several hours last fall. Sauvage said that “11 percent of the active devices exposed were using default credentials, making them particularly susceptible to an attacker easily authenticating and potentially turning the routers into bots, similar to what happened in last year’s Mirai Denial of Service (DoS) attacks.” Linksys published a full list of the router models that are affected, and suggested that owners change the default password for their administrator account. The company said it is working to provide a firmware update for all of the affected models, but didn’t offer details on when it would be ready. Source: http://www.pcmag.com/news/353228/linksys-routers-vulnerable-to-ddos-attacks

View post:
Linksys Routers Vulnerable to DDoS Attack

New DDoS Attacks Use Far Fewer Infected Hosts

Akamai Technologies has identified a new attack method generating extremely large distributed denial of service (DDoS) attacks against educational institutions and other types of organizations but without the millions of infected hosts typically seen in these scenarios. In a threat advisory recently published by the content delivery network company’s security intelligence response team, researchers described a reflection and amplification method that can produce “significant attack bandwidth” through “significantly fewer hosts.” What’s required are open ports allowing LDAP traffic. The company’s security experts have detected and mitigated a total of 50 Connection-less Lightweight Directory Access Protocol (CLDAP) reflection attacks. CLDAP was intended as an “efficient alternative to LDAP queries done over Transmission Control Protocol (TCP). Most of the attacks seen in the wild used CLDAP reflection exclusively. Twice, education has been the target. However, the primary victims have been in the software and technology industry, where 21 attacks have taken place, and the gaming segment, which has had 15 attacks. The largest of the attacks hit its target with a peak bandwidth of 24 gigabits per second and a top count of packets per second of 2 million. The source port was 386, the port used by Lightweight Directory Access Protocol (LDAP). According to the report, signatures of the attack suggest that it’s “capable of impressive amplification.” For example, Akamai security people obtained sample malicious LDAP reflection queries that had a payload of only 52 bytes. Yet the attack data payload was 3,662 bytes, meaning that the amplification factor was 73. More typically, the average amplification rate was 57, according to the researchers. The attacks are launched using “attack scripts,” usually written in C and with only slight variations from one vector to another. When the script is run, the target IP becomes the source of all the 52-byte query payloads. These are then sent rapidly to every server in the supplied reflector list. From there, the CLDAP servers do as they’re designed and reply to the query. As a result, the report described, “the target of this attack must deal with a flood of unsolicited CLDAP responses.” The attack is “fueled” by the number of servers on the internet with port 389 open and listening. Once a server has been identified as a viable source, it’s added to the list of reflectors. The best mitigation, suggested the report, is to filter the port in question. “Ingress filtering of the CLDAP port from the internet will prevent discovery and subsequent abuse of this service,” the report noted. Another option is to apply rules, which won’t stop the outbreak, but will alert system administers when an attempt is made to use the systems as part of a reflection attack. Source: https://campustechnology.com/articles/2017/04/20/new-ddos-attacks-use-far-fewer-infected-hosts.aspx?admgarea=news

See more here:
New DDoS Attacks Use Far Fewer Infected Hosts

Should we worry the general election will be hacked?

“Brexit vote site may have been hacked” warned the headlines last week after a Commons select committee published its report into lessons learned from the EU referendum. The public administration and constitutional affairs committee (Pacac) said that the failure of the voter registration website, which suffered an outage as many people tried to sign to vote up at the last minute in 2016, “had indications of being a DDoS ‘attack’”. It said it “does not rule out the possibility that the crash may have been caused … using botnets”. In the same paragraph it mentioned Russia and China. It said it “is deeply concerned about these allegations about foreign interference”. With a general election just seven weeks away, how worried should we be about foreign interference this time round? Labour MP Paul Flynn, who sits on the Pacac, certainly thinks we should be worried – although closer inspection of the report finds that, beyond the headlines, there’s a startling lack of evidence for those particular fears. In reality, a DDoS – “distributed denial of service” – attack is the bombarding of a server with requests it can’t keep up with, causing it to fail. Not only is it not actually hacking at all, but it also looks rather similar to when a lot of people at once try to use a server that doesn’t have the capacity. Given the history of government IT projects, some might favour this more prosaic explanation of why the voter registration website went offline. And that’s just what the Cabinet Office did say: “It was due to a spike in users just before the registration deadline. There is no evidence to suggest malign intervention.” So perhaps we shouldn’t fear that kind of attack, but hacking elections takes many forms. The University of Oxford’s Internet Institute, found a huge number of Twitter bots posting pro-Leave propaganda in the run up to the EU referendum. At least, that was how it was widely reported. The actual reportreveals the researchers can’t directly identify bots – they just assume accounts that tweet a lot are automated – and admit “not all of these users or even the majority of them are bots”. But the accuracy, or inaccuracy, of the research aside, there’s a bigger issue. What the Oxford Internet Institute never says is that there’s no evidence bots tweeting actually affects how anyone votes. Bots generally follow people – we’re all used to those suggestive female avatars in our notifications feeds – but people don’t really follow bots back. So when they push out propaganda, is there anyone there to see it? Of course, en masse, those bots can affect the trending topics. But getting “#Leave” trending is not the same as controlling the messaging around it, and Twitter’s algorithm explicitly tries to mitigate against such gaming of the system. And again there’s the question: who looks at tweets via the trending topics tab anyway (except perhaps journalists looking for something to pad out a listicle)? Fake news, the last of the unholy trinity, is a harder problem. We know it exists, and we know it gets in front of many people via social media sites like Facebook. We don’t really know how much it affects people and how much people see it for what it is – but the history of untrue stories in the tabloid press on topics like migration does lend weight to the idea that fake news can influence opinion. What is and isn’t fake news is a contested field. At one end of the spectrum, mainstream publications report inaccurate stories about flights full of Romanians and Bulgarians heading for the UK. At the other, teenagers in Macedonia run pro-Trump websites where the content is pure invention. Most would agree the latter is fake news, even if not the former. But this is a different problem to DDoS attacks or bot armies. The Macedonian teens aren’t ideologically driven by wanting Trump in the White House, they’re motivated by the advertising revenue their well-shared stories can earn. Even when fake news is created for propaganda rather than profit, there’s rarely a shadowy overlord pulling the strings – and bad reporting is some distance away from hacking the election. While there’s a strong case that foreign actors have tried to influence elections in other countries – such as the DNC hack in the US – we probably don’t need to worry unduly about cyberattacks swinging the UK election. Besides: why would a foreign state bother? We’ve already got a divided country struggling with its own future without any need for outside interference. Source: https://www.theguardian.com/technology/2017/apr/20/uk-general-election-2017-hacking-ddos-attacks-bots-fake-news

More:
Should we worry the general election will be hacked?

Flaws found in Linksys routers that could be used to create a botnet

Engineers working on firmware updates Multiple models of Linksys Smart Wi-Fi Routers have vulnerabilities that might be exploited to create a botnet, security researchers at IOActive warn.…

See original article:
Flaws found in Linksys routers that could be used to create a botnet

How The New York Times Handled Unprecedented Election-Night Traffic Spike

When he woke up the morning of October 21, 2016, Nick Rockwell did the same thing he had done first thing every morning since The New York Times hired him as CTO: he opened The Times’ app on his phone. Nothing loaded. The app was down along with BBC, CNN, Fox News, The Guardian, and a long list of other web services, taken out by the largest DDoS attack in history of the internet. An army of infected IP cameras, DVRs, modems, and other connected devices – the Mirai botnet – had flooded servers of the DNS registrar Dyn in 17 data centers, halting a huge number of internet services that depended on it for letting their users’ computers know how to find them online. The outage had started only about five minutes before Rockwell saw the blank screen on his phone. His team kicked off a standard process that was in place for such outages, failing over to the Times’ internal DNS hosted in two of its four data centers in the US. The mobile app and the main site were back online about 45 minutes after they had gone down. While going through the fairly routine recovery process, however, something was really worrying Rockwell. The thing was, he didn’t know whether the attack was directed at many targets or at the Times specifically. If it was the latter, the effect could be catastrophic; its internal DNS wouldn’t hold against a major DDoS for more than five seconds. “It would’ve been incredibly easy to DDoS our infrastructure,” he said in a phone interview with Data Center Knowledge. His team had been a few months deep into fixing the vulnerability, but they weren’t finished. “We were OK [in the end], but we were vulnerable during that time.” The process to fix it started as they were preparing for the 2016 presidential election. Election night is the biggest event for every major news outlet, and Rockwell was determined to avoid the 2012 election night fiasco, when the site went down, unable to handle the spike in traffic. One of the steps the team decided to do in preparation for November 2016 was to fully integrate a CDN (Content Delivery Network). CDN services, such as Akamai, CloudFlare, or CDN services by cloud providers Amazon, Microsoft, and Google, store their clients’ most popular content in data centers close to where many of their end users are located – so-called edge data centers — from where “last-mile” internet service providers deliver that content to its final destinations. A CDN essentially becomes a highly distributed extension of your network, adding to it compute, storage, and bandwidth capacity in many metros around the world. That a CDN had not been integrated into the organization’s infrastructure came as a big surprise to Rockwell, who joined in 2015, after 10 months as CTO at another big publisher, Condé Nast. While at Condé Nast, he switched the publisher from a major CDN provider to a lesser-known CDN by a company called Fastly. He has since become an unapologetically big fan of the San Francisco-based startup, which now also delivers content to The New York Times users around the world. Being highly distributed by design puts CDNs in good position to help their customers handle big traffic spikes, be it legitimate traffic generated by a big news event or a malicious DDoS attack. (Rockwell said he did wonder, as the Dyn attack was unfolding, whether it was a rehearsal for election night.) Fastly ensured that on the night Donald Trump beat Hillary Clinton, the Times rolled without incident through a traffic spike of unprecedented size for the publisher: an 8,371 percent increase in the number of people visiting the site simultaneously, according to the CTO. The CDN has also mostly absorbed the much higher levels of day-to-day traffic The Times has seen since the election as it covers the Trump administration. The six-year-old startup, which this year crossed the $100 million annualized revenue run-rate threshold, designed its platform to give users a detailed picture of the way their traffic flows through its CDN and lots of control. Artur Bergman, Fastly’s founder and CEO, said the platform enables a user to treat the edge of their network the same way they treat their own data centers or cloud infrastructure. In your own data center you have full control of your tools for improving your network’s security and performance (things like firewalls and load balancers), Bergman explained in an interview with Data Center Knowledge. While you maintain that level of control in the public cloud, you don’t necessarily have it at the edge, he said. Traditionally, CDNs have offered customers little visibility into their infrastructure, so even differentiating between a legitimate traffic spike and a DDoS attack has been hard to do quickly. Fastly gives users log access in real-time so they can see exactly what is happening to their edge nodes and make critical decisions quickly. The startup today unveiled an edge cloud platform, designed to enable developers to deploy code in edge data centers instantly, without having to worry about scaling their edge infrastructure as their applications grow. It also announced a collaboration with Google Cloud Platform, pairing its platform with the giant’s enterprise cloud infrastructure services around the world. GCP is one of two cloud providers The New York Times is using. The other one is Amazon Web Services. Today, the publisher’s infrastructure consists of three leased data centers in Newark, Boston, and Seattle, and one facility it owns and operates on its own, located in the New York Times building in Times Square, Rockwell said. The company uses a virtual private cloud by AWS and some of its public cloud services in addition to running some applications in the Google Cloud. This setup is not staying for long, however. Rockwell’s team is working to shut down the three leased data centers, moving most of its workloads onto GCP and AWS, with Fastly managing content delivery at the edge. Google’s cloud is also going to play a much bigger role than it does today. The plan is to run apps that depend on Oracle databases in AWS, while everything else, save for a few exceptions (primarily packaged enterprise IT apps), will run in app containers on GCP, orchestrated by Kubernetes. As he works to sort out what he in a conference presentation referred to as the “jumbled mess” that is The Times’ current infrastructure, Rockwell no longer worries about DDoS attacks. Luckily for his team, there was no major DDoS attack on The Times between the day he came on board and the day Fastly started delivering the publisher’s content to its readers. Whether there was one after Fastly was implemented is irrelevant to him. “It’s no longer something I have to think about.” Source: http://www.thewhir.com/web-hosting-news/how-the-new-york-times-handled-unprecedented-election-night-traffic-spike

View article:
How The New York Times Handled Unprecedented Election-Night Traffic Spike

Hajime IoT worm infects devices to head off Mirai

Mirai is the name of the worm that has taken control of many IoT devices around the world and used them to mount DDoS attacks, the most high-profile of which was directed against US-based DNS provider Dyn and resulted in many websites and online services being inaccessible for hours on end. Its source code was leaked by the author, which lead to the creation of more botnets, and an increased fear that we’ll soon witness … More ?

Original post:
Hajime IoT worm infects devices to head off Mirai

Criminals Leverage CLDAP Protocol to Conduct Amplified DDoS Attacks

Distributed denial-of-service attacks have quickly become one of the favorite tools among cyber criminals around the world. It appears some groups are taking things to the next level by leveraging the CLDAP protocol. As a result, they can amplify their DDoS attacks by as much as 700%. This is a very troublesome development, to say the least. CLDAP PROTOCOL IS NOW A CRIMINAL TOOL For those people who are unaware of what the CLDAP protocol is, allow us to briefly explain. It is a communication protocol used to connect, search, and modify internet directories. As one would expect, this particular protocol provides high performance at all times, as it can pump through data at an accelerated pace. So far, this protocol has only been used among network administrators to query data with relative ease. Unfortunately, all good technologies are often used for nefarious purposes, and the CLDAP protocol is no different in this regard. A new report has surfaced, indicating criminals use CLDAP to amplify their direct denial-of-service attacks. It is believed they can make such attacks up to 70 times as powerful as before, which does not bode well for any part of the global internet infrastructure. Researchers claim cybercriminals have been abusing the CLDAP protocol since late last year. That is quite a worrisome thought, although it is unclear which companies or services were targeted exactly. DDoS attacks leveraging the CLDAP protocol is not a positive development, as it only allows cybercriminals to shut down online services and platforms more easily. The last thing this world needs is more tools for online criminals to do bigger damage with less effort. The amplification part of the CLDAP protocol is of particular concern to security researchers right now. By using the CLDAP protocol, DDoS attackers can artificially increase the number of times a data packet is enlarged. At its peak, the CLDAP protocol can increase data packet sizes by as much as 700%. To be more specific, One bit of data sent through a DDoS attack over the CLDAP protocol results in the target receiving 700 bytes of data. So far, researchers have discovered over four dozen DDoS attacks leveraging the CLDAP protocol. That is quite a significant number, although it is only a hint of what the future will hold. Given the vulnerability of the Internet of Things devices, leveraging a hundred devices can now become as powerful as using 7,000 devices in a coordinated DDoS attack. It wouldn’t take much effort to shut down websites, online banking portals or even DNS service provides such as DynDNS. To put this latter part into perspective, it takes 1 Gbps of sustained HTTP requests to shut down the average website. The biggest DDoS attack leveraging CLDAP put through 24 Gbps, and that was merely a test to see how well the protocol would hold up under sustained throughput. It is evident things will get a lot more troublesome from here on out. Anti-DDoS providers will need to find ways to filter CLDAP traffic rather than try to block it, as they will fall woefully short otherwise. Source: https://themerkle.com/criminals-leverage-cldap-protocol-to-conduct-amplified-ddos-attacks/

Continue Reading:
Criminals Leverage CLDAP Protocol to Conduct Amplified DDoS Attacks

IoT malware clashes in a botnet territory battle

The Hajime malware is competing with the Mirai malware to enslave some IoT devices Mirai — a notorious malware that’s been enslaving IoT devices — has competition. A rival piece of programming has been infecting some of the same easy-to-hack internet-of-things products, with a resiliency that surpasses Mirai, according to security researchers. “You can almost call it Mirai on steroids,” said Marshal Webb, CTO at BackConnect, a provider of services to protect against distributed denial-of-service (DDoS) attacks. Security researchers have dubbed the rival IoT malware Hajime, and since it was discovered more than six months ago, it’s been spreading unabated and creating a botnet. Webb estimates it’s infected about 100,000 devices across the globe. These botnets, or networks of enslaved computers, can be problematic. They’re often used to launch massive DDoS attacks that can take down websites or even disrupt the internet’s infrastructure. That’s how the Mirai malware grabbed headlines last October. A DDoS attackfrom a Mirai-created botnet targeted DNS provider Dyn, which shut down and slowed internet traffic across the U.S. Hajime was first discovered in the same month, when security researchers at Rapidity Networks were on the lookout for Mirai activity. What they found instead was something similar, but also more tenacious. Like Mirai, Hajime also scans the internet for poorly secured IoT devices like cameras, DVRs, and routers. It compromises them by trying different username and password combinations and then transferring a malicious program. However, Hajime doesn’t take orders from a command-and-control serverlike Mirai-infected devices do. Instead, it communicates over a peer-to-peernetwork built off protocols used in BitTorrent, resulting in a botnet that’s more decentralized — and harder to stop. “Hajime is much, much more advanced than Mirai,” Webb said. “It has a more effective way to do command and control.” Broadband providers have been chipping away at Mirai-created botnets, by blocking internet traffic to the command servers they communicate with. In the meantime, Hajime has continued to grow 24/7, enslaving some of the same devices. Its peer-to-peer nature means many of the infected devices can relay files or instructions to rest of the botnet, making it more resilient against any blocking efforts. Hajime infection attempts (blue) vs Mirai infection attempts (red), according to a honeypot from security researcher Vesselin Bontchev. Who’s behind Hajime? Security researchers aren’t sure. Strangely, they haven’t observed the Hajime botnet launching any DDoS attacks — which is good news. A botnet of Hajime’s scope is probably capable of launching a massive one similar to what Mirai has done. “There’s been no attribution. Nobody has claimed it,” said Pascal Geenens, a security researcher at security vendor Radware. However, Hajime does continue to search the internet for vulnerable devices. Geenens’ own honeypot, a system that tracks botnet activity, has been inundated with infection attempts from Hajime-controlled devices, he said. So the ultimate purpose of this botnet remains unknown. But one scenario is it’ll be used for cybercrime to launch DDoS attacks for extortion purposes or to engage in financial fraud. “It’s a big threat forming,” Geenens said. “At some point, it can be used for something dangerous.” It’s also possible Hajime might be a research project. Or in a possible twist, maybe it’s a vigilante security expert out to disrupt Mirai. So far, Hajime appears to be more widespread than Mirai, said Vesselin Bontchev, a security expert at Bulgaria’s National Laboratory of Computer Virology. However, there’s another key difference between the two malware. Hajime has been found infecting a smaller pool of IoT devices using ARM chip architecture. That contrasts from Mirai, which saw its source code publicly released in late September. Since then, copycat hackers have taken the code and upgraded the malware. Vesselin has found Mirai strains infecting IoT products that use ARM, MIPS, x86, and six other platforms. That means the clash between the two malware doesn’t completely overlap. Nevertheless, Hajime has stifled some of Mirai’s expansion. “There’s definitely an ongoing territorial conflict,” said Allison Nixon, director of security research at Flashpoint. To stop the malware, security researchers say it’s best to tackle the problem at its root, by patching the vulnerable IoT devices. But that will take time and, in other cases, it might not even be possible. Some IoT vendors have released security patches for their products to prevent malware infections, but many others have not, Nixon said. That means Hajime and Mirai will probably stick around for a long time, unless those devices are retired. “It will keep going,” Nixon said. “Even if there’s a power outage, [the malware] will just be back and re-infect the devices. It’s never going to stop.” Source: http://www.itworld.com/article/3190181/security/iot-malware-clashes-in-a-botnet-territory-battle.html

Continue reading here:
IoT malware clashes in a botnet territory battle

‘One in five’ British firms hit by cyber attack in 2016

One in five British firms was hit by a cyber attack last year, research from the British Chambers of Commerce suggests Cyber attacks are a growing threat to global business operations. This was confirmed by research from the British Chambers of Commerce (BCC), which surveyed 1,200 companies, revealing that one in five British businesses experienced a cyber attack last year. Larger businesses – defined as those with over 100 staff – were more likely to be attacked than smaller counterparts, according to the survey. The report found that 42% of larger organisations had suffered a cyber attack, compared with 18% of smaller ones. Clearly, more needs to be done by businesses to protect themselves. Indeed, the BCC’s report alos found that only a quarter of the firms surveyed had put in security protocols to protect themselves from hackers and cyber threats. The well documented data breaches of web giant Yahoo, telecoms firm TalkTalk and the dating website Ashley Madison have all hit the headlines in recent years. But this survey has shown just how widespread the problem is. It is endemic. “Cyber attacks risk companies’ finances, confidence and reputation, with victims reporting not only monetary losses, but costs from disruption to their business and productivity,” said BCC director-general Adam Marshall. “Firms need to be proactive about protecting themselves from cyber attacks.” Reacting to the news, Anton Grashion, managing director-security practice at Cylance, said “This is probably an underestimate if anything. Two reasons for this, firstly, this assumes they even know they have been hit, secondly people are more likely to under-report.” “Evidence of our testing when we run a POC with prospective customers is that we almost invariably discover active malware on their systems so it’s the unconscious acceptance of risk that plagues both large and small businesses.” Stephanie Weagle, VP at Corero Network Security, has identified DDoS attacks as the greatest cyber threat facing business. She said “Attackers will always find new exploits, and new attack methods of disrupting financial opportunity, extortion, accessing personally identifiable data, and disrupting an organisations online availability. Cyber attack activity is prevalent today, more than ever – especially when it comes to DDoS attacks.” DDoS attacks are on the rise and “continue to increase in frequency, scale and sophistication over the last year. 31% of IT security professional and network operators polled in a 2017 survey conducted by Corero experienced more DDoS attacks than usual in recent months, with 40% now experiencing attacks on a monthly, weekly or even daily basis. Source: http://www.information-age.com/major-flaws-devops-teams-security-123465765/

See more here:
‘One in five’ British firms hit by cyber attack in 2016