Monthly Archives: May 2017

Expect an increase in ransomware and DDoS attack combos in 2017

“Follow the money” is a catchphrase popularised by the 1976 film All the President’s Men, suggesting that a money trail leads to a corruption scheme in high (often political) office. Cybercriminals are certainly following the advice. The Deloitte Global Cyber Executive Briefing on E-Commerce & Online Payments notes that as retailers discover the financial rewards of an e-commerce website, criminals are not far behind. Robbing a brick-and-mortar store is fraught with the risk of getting caught; a digital heist is far more lucrative relative to the effort and investment needed to carry it out. Every e-commerce site that goes up expands the potential target to include the merchant, the payment service provider, the card company, suppliers, banks and the buying customer, because the site is directly connected both to the internet and to the business’s back-end systems for data processing and supply management. That, according to Deloitte, makes the e-commerce website a prime attack point for reaching crucial information assets inside the organization.

The fourth annual Neustar Worldwide DDoS Attacks and Cyber Insights Research Report finds that attacks against the financial services and retail industries are on the rise, and that organizations are taking longer to detect and respond as attacks grow in volume, complexity and frequency.

Financial services institutions (FSIs) under attack

Industry players recognise that they remain at high risk of malware and data theft (44% in 2017 versus 37% in 2016). Ransomware is rising rapidly in the financial services industry: respondents report an increase in attacks from 17% in 2016 to 28% a year later. Financial institutions are also investing more against Distributed Denial of Service (DDoS) attacks, with 91% of organizations putting in more resources in 2017 compared to 79% in 2016.

FSIs continue to be among the favoured targets of attackers: 86% of surveyed respondents confirm being under attack in 2017, up 10% from the previous year. More worrisome, 88% reported being under attack more than once.

Retailers under attack

Eighty percent of respondents said they were under attack in 2017, up 7% from 2016. Respondents also noted that it took longer to detect and respond to attacks in 2017 than in 2016, suggesting that attacks are getting more sophisticated. Retailers responding to the survey confirmed that they are spending more on security in 2017 (87%) than in 2016 (76%), and report that ransomware attacks increased from 13% in 2016 to 21% in 2017.

Asia Pacific under attack

Among respondents in Asia Pacific, 33% reported average revenue loss of at least US$250,000, and 49% reported ransomware and DDoS attacks occurring in concert. Time to detect for 49% of respondents in the region stood at about three hours, while 42% said it took them at least three hours to respond after discovering the attack. In response to the escalating frequency, complexity and severity of malware and DDoS attacks, Robin Schmitt, general manager, APAC at Neustar, recommended that IT and business leaders evaluate the effectiveness of their existing security strategies. “The research shows that simply identifying an attack and depending on basic defenses is not enough. Organizations in the region need to adopt stronger defenses and innovative solutions to more quickly and effectively mitigate the growing risk and likely impact of a major DDoS attack,” he said. Neustar reads the research data as suggesting that 2017 will be another challenging year from a DDoS threat landscape perspective.

Generic Routing Encapsulation (GRE) flood attacks and Connectionless Lightweight Directory Access Protocol (CLDAP) reflection attacks are emerging as the new attack trends for 2017, a sign that attackers are constantly looking for new ways to turn legitimate infrastructure against its owners. GRE floods (IP protocol 47), a vector that ships in the Mirai botnet code, push volumes of tunnelled packets at the target; CLDAP reflection abuses LDAP servers exposed on UDP port 389, sending them small queries with the victim’s spoofed source address so that the much larger responses land on the victim. Source: https://www.enterpriseinnovation.net/article/expect-increase-ransomware-and-ddos-attack-combos-2017-145803210

What is a DDoS attack? What happens during a DDoS attack?

DDoS attacks can leave systems down for days. But how do they actually work?

DDoS attacks are one of the most common forms of cyber attack, with the number of DDoS attacks worldwide rising to 50 million a year, according to VeriSign. Distributed denial of service, or DDoS for short, is an attack that leaves victims unable to access systems and network resources, in effect disrupting internet services. The attacker tries to make an online service or website unavailable by flooding it with unwanted traffic from many machines at once.

To mount a DDoS attack, an attacker first spreads malicious software to vulnerable machines, often through infected emails and attachments, building a network of infected machines called a botnet. The attacker then instructs and controls the botnet, commanding it to flood a chosen site with so much traffic that its network stops working and the site goes offline.

There are many different types of botnet. The most recent, Mirai, was estimated at 380,000 bots. Mirai, which shot to fame in 2016, infects unsecured internet of things devices such as DVRs and IP cameras. In November 2016 a Mirai variant famously knocked about one million Deutsche Telekom customers in Germany offline for around two days: its attempts to exploit a remote-management flaw in Speedport-branded routers and Zyxel devices crashed the routers rather than enrolling them in the botnet.

Why do hackers choose DDoS attacks?

DDoS attacks can take down websites of all sizes, from heavy-duty enterprises to smaller, more vulnerable sites. The motives vary widely, from politics to pure financial gain. DDoS attacks can be bought: a buyer can request that a certain site be taken offline and pay a sum for its execution, and revenge is often the motive in these cases. Alternatively, attackers may try to extort a site for money, keeping it down for days until the owner pays. Finally, a popular tactic for influencing political events and blocking others’ political agendas is to overwhelm and bring down sites that hold different views. This form of activism is an increasingly common way of using DDoS attacks to control the media.

How do I know if I’m a victim of a DDoS attack?

Before your website crashes and goes offline entirely, there are a few warning signs to look out for. A common effect of a DDoS attack is an unusually slow connection to your site; some attacks twin this with a large, sharp increase in spam email. Slow overall network performance on its own is no reason to assume a DDoS attack, but if it has slowed down rapidly and you are unable to open files or perform normally quick maintenance tasks on your website, you might have a problem. For most, the biggest (and most obvious) giveaway is that the site cannot be accessed at all. If you have checked all other possibilities and have no access whatsoever, it could be a DDoS attack. Source: http://www.techworld.com/security/how-does-ddos-attack-work-3659197/

WannaCry FAQ

What is it?
WannaCry, also known as WanaCrypt0r 2.0, is a form of malware commonly known as ransomware.

Where did it come from?
It spreads using an exploit called EternalBlue, developed by the NSA in the US as a way to secretly access computers. EternalBlue targets a flaw in Windows file sharing (SMB). Unfortunately the NSA did not store this weaponized exploit securely enough; it was stolen and leaked, and at that point it was loose and easily findable on the Internet. If you see the WannaCry ransom screen, your machine is definitely infected. Microsoft’s scanner at the link below will check whether your PC has a virus. https://www.microsoft.com/security/scanner/en-us/default.aspx

Who is responsible for this?
At this point no one knows, but there are a lot of smart people working on it and they will be caught eventually... This is my opinion.

Is someone making money from this?
Yes, as with all ransomware there is a money component. Three bitcoin addresses, hardcoded into the malware, have been found receiving victims’ ransom payments. As of 09:15 EST May 14, 2017 the total ransom paid was $15,150.00 USD. This is surprisingly low and is certainly going to rise. Check its progress yourself at the three links below.
https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

How did my computer get infected?
If you are on a corporate network, you most likely got it from another computer on your network, over SMB. If you are at home on a cable modem, the most likely route is that your machine’s SMB port (TCP 445) was reachable from the Internet, which the worm scans at random; email phishing and hacked or sketchy websites have been widely suspected as well, but no such WannaCry delivery campaign has been confirmed.

How did it spread so quickly?
As you most likely know by now, hundreds of thousands of computers were infected in a few short days, and those most affected are on corporate, government and university networks. It spreads across these networks by using a Windows flaw in Microsoft’s SMB feature to go from machine to machine.

Here is a short list of victims compiled on GitHub:
NHS (UK): turning away patients, unable to perform x-rays (list of affected hospitals)
Nissan (UK): http://www.chroniclelive.co.uk/news/north-east-news/cyber-attack-nhs-latest-news-13029913
Telefonica (Spain): https://twitter.com/SkyNews/status/863044193727389696
Power firm Iberdrola and Gas Natural (Spain)
FedEx (US): https://twitter.com/jeancreed1/status/863089728253505539
University of Waterloo (Canada)
Russian interior ministry and Megafon (Russia): https://twitter.com/dabazdyrev/status/863034199460261890/photo/1
VTB (Russian bank): https://twitter.com/vassgatov/status/863175506790952962
Russian Railways (RZD): https://twitter.com/vassgatov/status/863175723846176768
Portugal Telecom
Sberbank (Russia)
Shaheen Airlines (Pakistan, claimed on Twitter)
Train station in Frankfurt (Germany)
Neustadt station (Germany)
The entire network of German Rail seems to be affected (@farbenstau)
Secondary schools and universities in China (source)
A library in Oman (@99arwan1)
Yanshui County Public Security Bureau, China: https://twitter.com/95cnsec/status/863292545278685184
Schools/education (France): https://twitter.com/Damien_Bancal/status/863305670568837120
A mall in Singapore: https://twitter.com/nkl0x55/status/863340271391580
ATMs in China: https://twitter.com/95cnsec/status/863382193615159
Renault
STC Telecom
Norwegian soccer team ticket sales

Is my website spreading this malware?
I can only say that any DOSarrest customers using our advanced WAF are not spreading this malware, as we won’t allow this type of malicious traffic to get to your server.

Is it still spreading?
Largely no, and that is good news: the code has a kill switch. Before it runs, the malware tries to reach www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com; if the request succeeds it stops, and it won’t spread from that machine. The domain was registered and sinkholed by a researcher shortly after the outbreak began, so on machines with direct Internet access the check now succeeds. Two caveats: a machine that cannot reach the domain (for example one that can only get out through a web proxy, which the malware does not use, or one on a network that blocks the lookup) still falls through to the payload, and variants with the kill-switch check removed appeared within days. Applying Microsoft’s patch and disabling SMBv1 are the real fix.

I’m infected, what should I do?
We recommend that you wipe your machine clean and restore from backups... of course everyone has backups, right? Need more info? Try the GitHub tracking page mentioned above, and Microsoft’s security bulletin MS17-010 to get the free patch if you need it. Source: https://www.dosarrest.com/ddos-blog/wannacry-faq/
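Two of the behaviours the FAQ describes leave a trace on the network: an infected host looks up the kill-switch domain before it runs, and a host that does run the worm opens SMB connections to many different machines in quick succession. The Python below checks both against log records, as an added example for this page (not DOSarrest’s code or any vendor’s tooling); the DNS and flow log formats, the field order and every sample record are constructed for the example.

```python
"""Two network-side indicators of WannaCry activity described in the FAQ above:
lookups of the kill-switch domain, and one host opening SMB (TCP/445)
connections to many distinct peers. Log formats and sample records are
constructed for this example, not taken from any real environment."""
from collections import defaultdict

KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed resolver log. Assumed format: "<timestamp> <client-ip> query <qname>".
DNS_LOG = """\
2017-05-12T10:01:03Z 10.0.4.17 query www.example.com
2017-05-12T10:01:04Z 10.0.4.23 query www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T10:01:05Z 10.0.4.23 query time.windows.com
2017-05-12T10:01:09Z 10.0.7.2 query WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM.
2017-05-12T10:01:11Z 10.0.4.17 query update.example.net
"""

# Constructed flow records. Assumed format: "<src-ip> <dst-ip> <dst-port> <proto>".
# 10.0.4.23 sweeps its /24 on 445 the way the worm does; 10.0.4.17 is an
# ordinary workstation talking to two file servers; 10.0.4.1 is a file server.
CONN_LOG = "\n".join(
    [f"10.0.4.23 10.0.4.{i} 445 tcp" for i in range(1, 41)]
    + ["10.0.4.17 10.0.4.1 445 tcp", "10.0.4.17 10.0.4.2 445 tcp",
       "10.0.4.17 93.184.216.34 443 tcp", "10.0.4.1 10.0.4.17 445 tcp"]
)


def kill_switch_lookups(log_text):
    """Return (timestamp, client) for every query naming the kill-switch domain.

    A hit means the worm ran on that client and reached the sinkhole, so the
    payload was suppressed there, but the host is infected and must be cleaned.
    The comparison is case-insensitive and ignores a trailing dot."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "query":
            continue
        qname = parts[3].rstrip(".").lower()
        if qname == KILL_SWITCH_DOMAIN:
            hits.append((parts[0], parts[1]))
    return hits


def smb_fanout(log_text, threshold=10):
    """Map each source to the number of distinct hosts it contacted on TCP/445,
    keeping only sources at or above `threshold`. Ordinary clients talk to a
    handful of file servers; a scanning worm fans out to dozens in a minute."""
    peers = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, port, proto = parts
        if proto == "tcp" and port == "445":
            peers[src].add(dst)
    return {src: len(dsts) for src, dsts in peers.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for ts, client in kill_switch_lookups(DNS_LOG):
        print(f"{ts} kill-switch lookup from {client}: host is infected")
    for src, n in smb_fanout(CONN_LOG).items():
        print(f"{src} contacted {n} hosts on TCP/445: probable SMB worm scanning")
```

The fan-out threshold is the knob to tune: file servers and backup hosts legitimately reach many peers on 445, so exclude them by name or raise the threshold for them rather than for the whole fleet. A kill-switch hit without any fan-out is the expected pattern for a machine the sinkhole saved; fan-out without a hit points at a host that never reached the domain, exactly the case the caveat above describes.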

News in brief: laptop ban could be extended; DDoS hits news sites; Taiwan might block Google DNS

Laptop ban could be extended

Planning on flying from a European country to the US? Prepare to check in your laptop, tablet and any other device larger than a cellphone: US authorities are reported to be close to announcing that the restriction on devices in the cabin, currently applied to some Middle Eastern and Gulf countries, will be extended to some countries in Europe too. After the initial ban was announced, observers pointed out that the lithium batteries that power laptops and other devices have been banned from aircraft holds, adding that they would rather have a battery fire in the cabin, where crew can deal with it quickly, than in the hold. Lithium batteries have been implicated in many incidents, and US authorities were reported on Thursday to be discussing the risks of carrying a large number of batteries in the hold. If you are affected by the ban, which also applies from some airports and to some carriers flying into the UK, we have tips on how to minimise the risk to your devices and the data on them in this piece.

News sites hit by DDoS attack

Just days after France shrugged off a dump of emails stolen from the campaign of its new president, Emmanuel Macron, leading French news websites, including those of Le Monde and Le Figaro, were knocked offline following a cyberattack on Cedexis, a cloud infrastructure provider. Cedexis had been hit by a “significant DDoS attack”, said Julien Coulon, the company’s co-founder. Cedexis was founded in France in 2009 and has its US headquarters in Portland, Oregon. Meanwhile, the victorious Macron shrugged off the cyberattack, which was thought to be aimed at generating support for his far-right opponent, Marine Le Pen, as it emerged that his campaign had turned the tables on the hackers by deliberately signing into phishing sites in order to plant fake information. Mounir Mahjoubi, the digital lead for the campaign, told the Daily Beast: “You can flood these [phishing] addresses with multiple passwords and log-ins, true ones, false ones, so the people behind them use up a lot of time trying to figure them out.”

Taiwan could block Google DNS

Taiwan is planning to block access to Google’s public DNS service, claiming the move will improve cybersecurity, the Register reported on Thursday. It is not clear whether the block on Google’s DNS, which many people use to bypass government filters on banned websites, would apply to the whole population or only to government officials. The presentation seen by the Register suggests the aim is to reduce the risk of DNS spoofing. Taiwan does not usually crop up on the list of countries where there is concern about internet censorship, but the Register notes that customers of one Taiwanese ISP, HiNet broadband, had earlier this year reported problems connecting to sites and platforms that users in mainland China are blocked from, including Facebook, YouTube, Google and Gmail. Source: https://nakedsecurity.sophos.com/2017/05/11/news-in-brief-laptop-ban-could-be-extended-ddos-hits-news-sites-taiwan-might-block-google-dns/

Democrats Want FCC’s Pai to Drill Down on DDoS Attacks

A pair of Democratic senators has asked FCC chairman Ajit Pai for more information on what the FCC has said were multiple DDoS attacks on its website that affected comments being posted there. FCC chief information officer Dr. David Bray said the attacks “made it difficult for legitimate commenters to access and file with the FCC.” The key docket whose activity could have been interrupted is net neutrality, where the FCC still managed to post more than half a million comments since last week, attack or no. Among the senators’ questions was whether any comments were prevented from being submitted and, if so, how many.

Sens. Ron Wyden of Oregon and Brian Schatz of Hawaii, the latter the ranking member of the Senate Communications Subcommittee, sent a letter to Pai about the May 8 attack, which came in the small hours of the morning after the May 7 airing of John Oliver’s call for a flood of comments in support of net neutrality. They asked about the FCC’s defenses should such an attack be repeated, and that the chairman ensure there were other ways to comment as a workaround, a dedicated email account for example. “Any potentially hostile cyber activities that prevent Americans from being able to participate in a fair and transparent process must be treated as a serious issue.”

Specifically, they wanted the following information by June 8:

“Please provide details as to the nature of the DDoS attacks, including when the attacks began, when they ended, the amount of malicious traffic your network received, and an estimate of the number of devices that were sending malicious traffic to the FCC. To the extent that the FCC already has evidence suggesting which actor(s) may have been responsible for the attacks, please provide that in your response.

“Has the FCC sought assistance from other federal agencies in investigating and responding to these attacks? Which agencies have you sought assistance from? Have you received all of the help you have requested?

“Several federal agencies utilize commercial services to protect their websites from DDoS attacks. Does the FCC use a commercial DDoS protection service? If not, why not? To the extent that the FCC utilizes commercial DDoS protection products, did these work as expected? If not, why not?

“How many concurrent visitors is the FCC’s website designed to be able to handle? Has the FCC performed stress testing of its own website to ensure that it can cope as intended? Has the FCC identified which elements of its website are performance bottlenecks that limit the number of maximum concurrent visitors? Has the FCC sought to mitigate these bottlenecks? If not, why not?

“Did the DDoS attacks prevent the public from being able to submit comments through the FCC’s website? If so, do you have an estimate of how many individuals were unable to access the FCC website or submit comments during the attacks? Were any comments lost or otherwise affected?

“Will commenters who successfully submitted a comment — but did not receive a response, as your press release indicates — receive a response once your staff have addressed the DDoS and related technical issues?”

While the letter did not question whether such an attack had happened, others have. “We think it’s more than just coincidence that the FCC would cite a DDoS attack at the same time that John Oliver’s call to make public comment on the FCC website in favor of net neutrality went viral,” said Rashad Robinson, executive director of Color Of Change, a strong Title II supporter. “That said, we certainly hope to see a full investigation into what happened in order to ensure the integrity and full transparency of a key federal agency. But the unfortunate reality is that, after everything this administration has done to steal our rights as Americans, we wouldn’t be surprised if this was merely an attempt to label the democratic exercise of free speech as a cyberattack.” Source: http://www.radioworld.com/news-and-business/0002/democrats-want-fccs-pai-to-drill-down-on-ddos-attacks/339655

APAC organisations report average revenue loss of US$250,000 to DDoS attacks

Distributed Denial of Service (DDoS) attacks are causing revenue losses for organisations in Asia Pacific (APAC), according to Neustar’s Worldwide DDoS Attacks and Cyber Insights Research Report. A third (33 percent) of APAC organisations reported average revenue loss of at least US$250,000. Nearly half (49 percent) of organisations in the region take at least three hours to detect an attack, and 42 percent take at least three hours to respond. Forty-nine percent of APAC organisations also reported ransomware or other malware occurring in concert with DDoS attacks.

“With organisations across Asia Pacific being attacked more often and DDoS attacks predicted to become even larger and more complex, IT and business leaders need to evaluate the effectiveness of existing security strategies,” said Robin Schmitt, general manager, APAC at Neustar.

Global findings

The report also found that 99 percent of organisations globally have some form of DDoS protection in place. Even so, 849 of the 1,010 organisations surveyed were attacked, with no particular industry spared. Forty percent of the victims said they first learned of an attack from customer alerts. More than half (51 percent) of attacks involved some form of loss or theft, with a 38 percent year-over-year increase in thefts of customer data, financial data and intellectual property. Forty-five percent of DDoS attacks worldwide were reported at more than 10 gigabits per second (Gbps), and 15 percent at 50 Gbps or more.

“The research shows that simply identifying an attack and depending on basic defences is not enough. Organisations in the region need to adopt stronger defences and innovative solutions to more quickly and effectively mitigate the growing risk and likely impact of a major DDoS attack,” said Schmitt. Source: https://www.mis-asia.com/tech/security/apac-organisations-report-average-revenue-loss-of-us250000-to-ddos-attacks/

Major French news sites victim of DDoS attack

Major news sites in France, including Le Monde and Le Figaro, went down yesterday in the fallout of a DDoS attack. Many of the biggest French news sites were hit when Cedexis, a cloud computing company with US headquarters in Portland, Oregon, came under attack; the attack caused the sites to go dark.

Dr Malcolm Murphy, technology director at Infoblox, said: “This is the latest in a run of cyber attacks in France – only a week ago newly elected French President Macron’s emails were leaked by hackers. This latest attack highlights the importance of organisations prioritising cyber defences at a time when commonly deployed cyberattacks are being used to disrupt both political processes and organisations.”

Bloomberg reported that Le Monde and Le Figaro were two of the websites that crashed. “At approximately 2 p.m. GMT (7 a.m. Pacific time), the Cedexis infrastructure came under a unique and sophisticated distributed denial of service (DDOS) attack,” Cedexis said in a written statement. “This attack caused a partial but widespread outage that affected many of our customers. Our customers are our number one priority and at this time, the attack is being mitigated, and services are being restored.”

DDoS attacks have grown in prevalence as more and more insecure Internet of Things (IoT) devices have entered the market. Murphy suggested that “DDoS attacks in particular are growing in both frequency and sophistication. Whilst there is no easy solution to securing DNS, there are a few steps that an organisation’s IT team can take to help mitigate and respond to DNS-based DDoS attacks.”

“Organisations who don’t know their query load will never know when they’re under attack. By using statistical support, administrators can help analyse their data for attack indicators. Whilst it may not always be clear what an attack looks like, anomalies will be more easily identifiable. IT teams should also continually scrutinise internet-facing infrastructure for single points of failure by going beyond external authoritative name servers, and checking on the switch and router interactions, firewalls, and connections to the internet.” Source: http://www.information-age.com/major-french-news-sites-victim-ddos-attack-123466206/
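Two passages on this page make the same operational point: the Techworld piece lists a sudden slowdown followed by unreachability as the warning signs of a DDoS, and Murphy’s advice above is that an organisation that does not know its normal query load cannot tell when it is under attack. The Python below is an added example (not Infoblox’s, Cedexis’s or any vendor’s code) of the minimal version of that idea: keep a rolling baseline of requests per minute and alert when the current minute deviates from it by a large robust z-score. The per-minute counts are constructed for the example; the window size and threshold are assumptions an operator would tune against real traffic.

```python
"""Baseline-and-deviation check for a volumetric DDoS, illustrating the
warning signs and the know-your-query-load advice quoted on this page.
The per-minute request counts below are constructed for the example."""
from statistics import median

# Constructed per-minute request counts at a resolver or web front end.
# Minutes 0-23 are ordinary load around 1,000 requests/min; a flood starts at
# minute 24 and ramps to about 50x normal within a few minutes.
NORMAL = [980, 1010, 1005, 995, 1020, 990, 1000, 1015, 985, 1000, 1005, 995,
          1010, 990, 1000, 1020, 980, 1005, 995, 1000, 1010, 990, 1005, 1000]
FLOOD = [1400, 6000, 25000, 48000, 52000, 51000]
SERIES = NORMAL + FLOOD


def robust_baseline(samples):
    """Median and median absolute deviation (MAD) of the samples.

    Median/MAD are used instead of mean/standard deviation so that the first
    minutes of a flood do not drag the baseline up and mask the later ones."""
    med = median(samples)
    mad = median(abs(x - med) for x in samples)
    return med, mad


def flag_anomalies(series, window=20, z_threshold=6.0):
    """Return (minute, count, score) for every point whose robust z-score
    against the preceding `window` minutes exceeds `z_threshold`.

    1.4826 * MAD estimates the standard deviation for normally distributed
    data; the floor of 1.0 avoids a division by zero on a perfectly flat
    baseline. Only upward deviations are flagged: a drop in traffic is a
    different incident (an outage), not a flood."""
    flagged = []
    for i in range(window, len(series)):
        med, mad = robust_baseline(series[i - window:i])
        scale = max(1.4826 * mad, 1.0)
        score = (series[i] - med) / scale
        if score > z_threshold:
            flagged.append((i, series[i], round(score, 1)))
    return flagged


def first_alert_minute(series, **kw):
    """Minute at which an operator watching this detector would first be
    paged, or None if the series never leaves its baseline."""
    hits = flag_anomalies(series, **kw)
    return hits[0][0] if hits else None


if __name__ == "__main__":
    for minute, count, score in flag_anomalies(SERIES):
        print(f"minute {minute}: {count} req/min, robust z = {score}")
    print("first alert at minute", first_alert_minute(SERIES))
```

On the constructed series the detector fires in the very first minute of the ramp, at 1,400 requests per minute, long before the site becomes unreachable; the three-hour detection times reported elsewhere on this page are what happens when nobody is computing a baseline at all. Request rate alone cannot distinguish a flood from a legitimate flash crowd (the dispute over the FCC comment system on this page turns on exactly that), so a rate alert should trigger a look at source diversity and request mix rather than an automatic block.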

FCC says DDOS attacks, not net neutrality comments, tied up comments system

The federal agency did not provide any evidence of the alleged attacks, which occurred as HBO comedian John Oliver urged viewers to flood the FCC with comments.

The Federal Communications Commission (FCC) said on Monday that consumers trying to use its Electronic Comment Filing System ran into delays on Sunday night because of multiple distributed denial-of-service (DDoS) attacks, not because of a deluge of comments from net neutrality proponents, as early reports had suggested. “Beginning on Sunday night at midnight, our analysis reveals that the FCC was subject to multiple distributed denial-of-service attacks (DDos),” FCC chief information officer David Bray said in a statement. “These were deliberate attempts by external actors to bombard the FCC’s comment system with a high amount of traffic to our commercial cloud host. These actors were not attempting to file comments themselves; rather they made it difficult for legitimate commenters to access and file with the FCC.”

The statement followed news reports suggesting the FCC site was once again overwhelmed by commenters trying to voice their support for net neutrality at the behest of Oliver. On his HBO show on Sunday night, Oliver urged viewers to leave comments at goFCCyourself.com, a URL that redirects visitors to the FCC’s proposal to reverse the net neutrality rules. In 2014, net neutrality supporters brought down the FCC comments system after Oliver made a similar plea for commenters to flood the site. The FCC did not offer any evidence of the DDoS attacks, nor did the agency immediately answer questions about how the incident was handled. ZDNet will update this article if the FCC responds.

At least one pro-net neutrality group, Fight for the Future, expressed skepticism about the agency’s claim that the problems were caused by DDoS attacks. “The FCC’s statement today raises a lot of questions, and the agency should act immediately to ensure that voices of the public are not being silenced as it considers a move that would affect every single person that uses the Internet,” Fight for the Future campaign director Evan Greer said in a statement.

By Monday afternoon the FCC’s comments system appeared to be functioning, and there were more than 179,000 comments on the site. FCC Chairman Ajit Pai acknowledged to CNET’s Maggie Reardon on Monday that he favors “a free and open internet”, meaning he favors rolling back the Obama-era net neutrality rules. However, he said the commission has an “open mind” and will consider the public comments that are collected. “It’s not a decree,” he said of the proposal. “The entire purpose of this process is to get public input. Then, after the record is closed, we apply what the DC Circuit calls a ‘substantial evidence test.’ We look through the record, figure out what the right course is based on facts in the record. Then we make the appropriate judgment. I don’t have any predetermined views as to where we’re going to go.” Source: http://www.zdnet.com/article/fcc-says-ddos-attacks-not-net-neutrality-comments-tied-up-comments-system/
