Monthly Archives: May 2017

6 steps to reduce your risk of a DDoS attack

You’ve seen the splashy headlines about web services getting taken down by DDoS, or Distributed Denial of Service, attacks, but have you ever worried about these attacks taking down your firm’s site? As recently as October 2016, internet traffic company Dyn was the victim of several DDoS attacks, which shut down websites and services across the East Coast. With the increasing popularity of Internet of Things devices, which includes any everyday device that’s now connected to the web, these DDoS attacks are increasing in frequency. Hackers create armies of these devices, infected with malware, that will attack any given service. The attack works by having multiple devices flood the bandwidth of a service or website with so much traffic that the service is no longer available to normal users.

Neustar, a global DDoS protection and cybersecurity firm, releases a yearly study about the impacts of DDoS attacks on businesses. Neustar’s first quarter 2017 report found that the number of attacks doubled between 2016 and 2017. DDoS attacks are only getting larger, the report states, and the 1,010 respondents collectively experienced a minimum revenue risk from the attacks in excess of $2.2 billion during the previous 12 months.

On Thursday, during the Arizona Technology Council 2017 Cybersecurity Summit, Mark Goldenberg, security solutions architect at CenturyLink, presented six steps for preparing for the possibility of a DDoS attack. In 2012, during the Occupy Wall Street movement, many financial institutions were victims of DDoS attacks, Goldenberg said. The attacks prompted the Federal Financial Institutions Examination Council to release these six steps. Goldenberg said these steps can apply to any firm when it comes to a DDoS attack.

Step 1: Assess information security risk

Goldenberg said that a company should understand its online assets by maintaining an ongoing program to assess information security risk. Take time to review which publicly-based Internet assets are critical to your business and could be affected by a DDoS attack, he said. Some firms have services on a website that can be down for a period of time, but there are other parts of the website that are absolutely vital to your firm’s day-to-day operations, Goldenberg said. Understanding what’s vital and what isn’t will help your business make the right decisions in the event of an attack, he said.

Step 2: Monitor Internet traffic to your site(s) in order to detect attacks

Talk to your team about what sort of visibility your firm has, whether it’s the sources of internet traffic or the types of internet traffic that parts of your site are getting, Goldenberg said. Knowing your site’s analytics will let you and your team know where to look in the event of a cyberattack, which in turn will let your team know what kind of resources to bring to the table, Goldenberg said.

Step 3: Be ready and notify

Make sure your team has an incident response plan, which includes alerting service providers, especially internet providers, Goldenberg said. If your firm has multiple internet providers, Goldenberg said it’s important to know how to coordinate between the providers in the event of a DDoS attack. Your internet provider(s) won’t do anything independent of you, Goldenberg said. And be ready to know when and how to notify your customers when you’re under attack. “A communication plan is key,” Goldenberg said.

Step 4: Ensure sufficient staffing for the duration of the DDoS attack

When your firm is undergoing a DDoS attack, it’s important to have both your security and network teams at the table working together. Make sure, though, that your security team is on the alert for potential breaches. “The perpetrators of the attack understand that when they launch an attack, it’s a priority issue for you to get your network back available,” Goldenberg said. If your security team isn’t on the lookout for breaches at the same time, your data could be compromised during the attack.

Step 5: Share that information

After your attack, you may want to share the information about it with fellow businesses within your industry. Goldenberg said the Arizona Technology Council is the perfect example of a group to share this information with. “If one peer is hit with a DDoS attack today, it could mean that you’re going to be next,” Goldenberg said.

Step 6: Evaluate gaps in your response and adjust

After the attack, it’s time to come together to find out what kind of gaps your firm may still have and to learn from it, Goldenberg said. “What you do today has to be reviewed with the team on a regular basis and kept up to date. If you’re able to withstand a low level attack today, regroup with the team, understand where your strengths are, where your weaknesses are, so you can plan for the larger attack down the road.”

Source: http://azbigmedia.com/ab/6-steps-preparing-ddos-attack
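Step 2 asks for visibility into where traffic comes from and how much of it each part of the site receives. The script below is an added example, not code from the article or from Goldenberg: it reads web server access-log lines in Common Log Format, counts requests per second and per source address, and flags any second whose request rate exceeds a multiple of the site's normal baseline, returning the busiest sources so the team knows where to look first. The log lines, the baseline of 2 requests per second and the factor of 5 are constructed assumptions.

```python
"""Request-rate baseline check over access logs (added example).
The log lines, baseline and factor below are constructed assumptions."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Return (timestamp, host, request) or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return ts, m.group("host"), m.group("request")


def per_second_counts(lines):
    """Map each second to its total request count and a Counter of sources."""
    totals = defaultdict(int)
    sources = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip garbage instead of crashing the monitor
        ts, host, _ = parsed
        key = ts.replace(microsecond=0)
        totals[key] += 1
        sources[key][host] += 1
    return totals, sources


def detect_flood(lines, baseline_rps, factor=5, top_n=3):
    """Flag seconds whose request rate exceeds factor x the baseline.
    baseline_rps is the site's normal rate taken from its analytics
    (assumed known here and passed in as a parameter)."""
    totals, sources = per_second_counts(lines)
    alerts = []
    for sec in sorted(totals):
        if totals[sec] > baseline_rps * factor:
            alerts.append({
                "second": sec.isoformat(),
                "requests": totals[sec],
                "top_sources": sources[sec].most_common(top_n),
            })
    return alerts


def sample_log():
    """Constructed access-log lines: two quiet seconds, then a burst."""
    fmt = '{h} - - [{t}] "GET /{p} HTTP/1.1" 200 512'
    quiet = [
        fmt.format(h="198.51.100.7", t="04/May/2017:10:00:00 +0000", p="index.html"),
        fmt.format(h="198.51.100.8", t="04/May/2017:10:00:00 +0000", p="login"),
        fmt.format(h="198.51.100.9", t="04/May/2017:10:00:01 +0000", p="index.html"),
        "this line is not a valid access-log record",
    ]
    burst = []
    for i in range(12):
        # three sources, four hits each, all inside the same second
        host = f"203.0.113.{i % 3 + 1}"
        burst.append(fmt.format(h=host, t="04/May/2017:10:00:02 +0000", p="login"))
    return quiet + burst


if __name__ == "__main__":
    for alert in detect_flood(sample_log(), baseline_rps=2):
        print(alert)
```

The baseline is the part that needs the analytics work the article talks about: a threshold chosen without knowing the site's normal per-second rate will either page constantly or never fire. Running the check on a rolling window of the live log, rather than on a file after the fact, is what turns it into the early warning Step 2 is after.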

FCC blames DDoS for weekend web lockout

Not down to people trying to file comments on issues rhyming with wetsuit balloty, it insists

Problems faced by consumers hoping to submit comments to the Federal Communications Commission over the weekend were caused by a denial of service attack, the US government agency admits.…

FCC: Commission Hit By DDoS Attacks

Amidst reports that John Oliver’s segment on Title II on Sunday night’s Last Week Tonight on HBO had created a flood of comments that brought down the FCC’s comment site, the FCC released a statement saying it had been hit by a denial-of-service attack. The statement came from chief information officer Dr. David Bray about delays experienced by “consumers” trying to file comments. He did not specify the net neutrality docket. “Beginning on Sunday night at midnight [Last Week Tonight aired at 11 p.m.], our analysis reveals that the FCC was subject to multiple distributed denial-of-service attacks (DDoS). These were deliberate attempts by external actors to bombard the FCC’s comment system with a high amount of traffic to our commercial cloud host.” He said the attacks were not attempts to file comments themselves but “rather they made it difficult for legitimate commenters to access and file with the FCC. While the comment system remained up and running the entire time, these DDoS events tied up the servers and prevented them from responding to people attempting to submit comments. We have worked with our commercial partners to address this situation and will continue to monitor developments going forward.” Source: http://www.broadcastingcable.com/news/washington/fcc-commission-hit-ddos-attacks/165609

DDoS Attack On Gaming, Gambling Sites In Hong Kong Believed To Be Extortion Attempt

In the first two weeks of April, sudden spikes of traffic started hitting gaming and gambling sites in Hong Kong. The increased rush wasn’t anxious gamers looking to place bets, but a DDoS attack designed to take the sites offline. The unusual activity hounding sites in Hong Kong was caught by the Security Engineering and Response Team at Arbor Networks, a cyber security firm based in the U.S. A massive influx of traffic from China started pouring into the territory on April 6, and carried on in blasts through April 13. During that time frame, Hong Kong was the top destination for targeted attacks, topping the U.S., which routinely receives the highest percentage of DDoS attacks. It’s uncommon for Hong Kong to attract such attention from a DDoS, or Distributed Denial of Service, attack. These attacks use coordinated machines to direct an overwhelming amount of traffic at a single target. Often carried out by massive networks of compromised internet-connected devices coordinated as part of a botnet, they can force a service offline. DDoS attacks are difficult to mitigate because they cannot be stopped by simply blocking one source. Because the traffic comes from anywhere from dozens to thousands of individual locations, it can also prove next to impossible to distinguish legitimate traffic from attack traffic or to determine the origin of the attack. The anomalous activity detected by Arbor Networks, during which Hong Kong received 28 and 39 percent of all attacks greater than 10 Gbps in size in the two respective weeks, caught the eye of Kirk Soluk, the manager of the company’s Threat Intelligence and Response team. According to Soluk’s analysis, the attack was likely an attempted extortion attack, designed to knock a target offline until they are willing to pay to make the attack stop.
“Gambling sites and gaming sites that have a financial component are a particularly attractive target,” Soluk told International Business Times, “due to the money the sites stand to lose if they are not available.” Extortion attempts have been on the rise in recent years, in part because of the wider availability of tools used to perform such attacks and in part because businesses and individuals are more reliant on digital services, trusting digital systems with sensitive data and financial information. According to a recent report by Symantec, ransomware attacks, which attempt to extort money from individual users and businesses by encrypting their files and demanding payment to decrypt them, rose by 36 percent in 2016, and the average ransom cost increased by 266 percent from the previous year. DDoS attacks are often used to hit larger organizations rather than the single users or small networks that ransomware targets, but they can have an impact on others beyond the intended target. Soluk warned that DDoS attacks could potentially compromise users of an attacked site and in some cases even put them at physical risk, as in a November 2016 attack in Finland that damaged the heating systems of residential properties in the dead of winter. “Fortunately, we haven’t seen a large-scale critical infrastructure outage directly attributed to a DDoS attack but it’s certainly not out of the realm of possibility,” Soluk said. “More notable are outages that result in financial losses for organizations whose Internet presence is taken offline as well as inconveniences for end users wishing to purchase goods or even play games.” There is collateral damage in any attack of such magnitude, and the bombardment of Hong Kong gaming sites was no exception. While those sites took the brunt of the traffic, a number of other sites also got hit, including two domains belonging to hospitals.
Given that 29 online gambling and gaming sites in total were hit in the same surge of traffic, it seems obvious those were the true targets. What is less clear is who carried out the attack. The vast majority of the traffic came from China, and in some cases such a direct stream aimed at the domains of one territory can be indicative of cyber warfare between states. DDoS attacks have become tools of war, and have been seen in attacks like the one launched against the former Soviet Republic of Estonia. Much of the nation was taken offline by a DDoS attack that hit government and private sector servers after the Estonian government decided to move the Bronze Warrior, a Soviet World War II memorial, and angered Russian leadership. It’s also noteworthy that Hong Kong itself has been hit by DDoS attacks before. Those came in 2014 following a growing pro-democracy movement that was angered in part by China’s influence in the territory’s elections. Despite the history, and the onslaught of traffic driven from China, there isn’t much indication that the attack on Hong Kong gaming sites was in any way politically motivated. “Geography has to be taken in proper context, particularly when considering the source of an attack,” Soluk explained. “It is easy for an attacker sitting anywhere in the world to launch a DDoS attack from anywhere else in the world.” Because of the targets of the attack, Soluk concluded the hit on Hong Kong gaming sites was more likely to be financially motivated than part of an ongoing geopolitical battle between two territories. The attacks have ceased and the dust has cleared from the torrential traffic, but it’s not clear if that means the targets are in the clear. The attacks came out of nowhere, spiking with little indication and disappearing back into the ether. That type of uncertainty can’t be planned for, but Soluk said it can be mitigated to some degree with preparedness.
He advised sites and online services to follow best current practices for architecting and protecting network infrastructure, including having trained staff that regularly conduct DDoS war games to test the system and utilizing an Intelligent DDoS Mitigation System (IDMS) to help counteract an attack. Source: http://www.ibtimes.com/ddos-attack-gaming-gambling-sites-hong-kong-believed-be-extortion-attempt-2535523

Bondnet botnet goes after vulnerable Windows servers

A botnet consisting of some 2,000 compromised servers has been mining cryptocurrency for its master for several months now, “earning” him around $1,000 per day. GuardiCore researchers first spotted it in December 2016, and have been mapping it out and following its evolution since then. They’ve dubbed it Bondnet, after the handle its herder uses online (“Bond007.01”).

Compromised Windows servers serve different functions

Bondnet’s main purpose is the mining of cryptocurrencies: primarily Monero, …

DDoS attacks could cost enterprises over $2.5 million in revenue

A new report from information services specialist Neustar looks at the frequency and cost of DDoS attacks and what is being done to counter the threat. In terms of revenue loss, three percent of organizations report an average revenue loss of at least $250,000 per hour. With 51 percent taking at least three hours to detect an attack and 40 percent taking at least three hours to respond, that means an attack could cost over $2.5 million. Attacks are getting larger too, with 45 percent of DDoS attacks delivered at more than 10 gigabits per second (Gbps), and 15 percent of attacks being at least 50 Gbps, almost double the number reported last year. In total 849 out of 1,010 organizations surveyed were attacked, with no particular industry spared, an increase of 15 percent since 2016. 86 percent of those attacked were also hit more than once. Customers are often the first to spot a problem, with 40 percent of respondents reporting receiving attack alerts from customers, up from 29 percent in 2016. “Distributed Denial of Service (DDoS) attacks are the zeitgeist of today’s Internet,” says Barrett Lyon, pioneer of the DDoS defense industry and head of research and development at Neustar Security Solutions. “The question organizations must ask now is how they are prepared to manage these highly disruptive events. Are they prepared for the bad day where their customers call and ask why the website is down?” Ransomware now often goes hand in hand with DDoS too; the number of such instances increased 53 percent since 2016. 51 percent of attacks involved some sort of loss or theft, with a 38 percent increase year on year in thefts of customer data, financial and intellectual property. Whilst almost all organizations surveyed have some form of DDoS protection in place, 90 percent say they are investing more than they did a year ago and 36 percent think they should be investing more still. Source: https://betanews.com/2017/05/04/ddos-attack-cost/

Netflix Incident A Sign Of Increase In Cyber Extortion Campaigns

Attackers using threats of data exposure and DDoS disruptions to try and extort ransoms from organizations

The recent leak of 10 unaired episodes from Season 5 of Netflix’s hit series “Orange Is The New Black” shows that ransomware is not the only form of online extortion for which organizations need to be prepared. Increasingly, cyber criminals have begun attempting to extort money from organizations by threatening to leak corporate and customer data, trade secrets, and intellectual property. Instead of encrypting data and seeking a ransom for decrypting it, criminals have begun using doxing as leverage to try and quietly extort bigger sums from enterprises. “Targeted attacks are the new cybersecurity threat and are on the rise,” says Nir Gaist, CEO and co-founder of security vendor Nyotron. “Organizations, regardless of industry or size, can be targeted with cyber extortion or espionage as the hackers’ goal.” The reason why there isn’t more noise over such incidents is that victims often like to keep quiet about them, he says. “Unless the company is regulated to report the attack, they will keep it quiet to keep brand and reputation intact,” Gaist says. Even in the case of the Netflix leak, for instance, it was the hackers themselves who announced the attack. “There was no monetary loss due to the early release of the ‘Orange is the New Black’ episodes, but there was reputation loss and brand damage,” he says. A malicious hacker or hacking group calling itself TheDarkOverlord earlier this week claimed responsibility for publicly posting several episodes of the Netflix series after apparently stealing them from Larson Studio, a small post-production company, back in December. The hackers first tried to extort money from Larson Studio before going after Netflix directly. When Netflix refused to acquiesce to the extortion demand, the hackers released the unaired episodes.
The hackers claimed to have stolen several more unaired episodes of TV programs from Netflix, Fox, and National Geographic and have threatened to release them as well. It is not clear if the hackers have made any extortion demands of the various studios. The Netflix incident is an example of the growing threat to organizations from extortion scams, says Moty Cristal, the CEO of NEST Negotiation Strategies, a firm that specializes in helping organizations negotiate with online extortionists. Cyber extortion can include the threat of DDoS attacks and data exposure. The goal of attackers is to find a way to threaten targets with the most damage, either financial or from a brand reputation standpoint, Cristal explains. Any decision on whether to pay or not to pay should be based on an assessment of the potential damage, both real and perceived, that the attacker could wreak, and the company’s ability to withstand such damage, Cristal says. In the Netflix incident, the fact that the attackers demanded just around 50 bitcoin for the stolen episodes suggests they were likely motivated more by the need to be recognized and professionally acknowledged than by financial gain, Cristal adds. Surprisingly, targeted extortion attacks do not always have to be sophisticated to be successful, although sometimes they can be very sophisticated, Gaist says. “In a targeted attack, the hacker will attempt to find a simple vulnerability to get in,” he says. “Unfortunately for most companies, basic security hygiene is simply not attended to properly – leaving them completely vulnerable to a targeted attack.” While attacks that result in potential exposure of customer and corporate data can be scary, there are a couple of good reasons not to pay, security analysts say. One of course is that paying off a ransom or extortion is only likely to inspire more attempts.
An organization that shows its willingness to pay to get data back or to prevent something bad from happening will almost certainly be attacked again. The other reason is that not all extortion scams are real. In fact, a lot of times attackers will attempt to scare money out of an organization with false threats. Last year for instance, a malicious hacking group calling itself the Armada Collective sent extortion letters to some 100 companies threatening them with massive distributed denial of service attacks if they did not pay a specific ransom amount. Security vendor CloudFlare, which analyzed the Armada Collective’s activities, estimated that the group netted hundreds of thousands of dollars in ransom payments from victims, without carrying out a single attack. Meg Grady-Troia, web security product marketing manager at Akamai, says paying a ransom doesn’t necessarily guarantee a chosen outcome. “So doing separate analysis of the request for payment and the real threat is critical for any organization.” Akamai’s customers have seen a lot of extortion letters, threatening a DDoS attack if a specified amount of bitcoin is not deposited to an identified wallet by a certain time, she says. These letters have come from a number of groups, including DD4BC, Armada Collective, Lizard Squad, XMR Squad, and others. Often though, there is very little follow-through. “Some of these DDoS extortion letters are merely profit-making schemes, while some are serious operations with the resources to damage a business,” says Grady-Troia. Paying a ransom is no guarantee that your data still won’t be leaked, she says. “Once data has been exfiltrated from your system, the blackmail may or may not continue after the requested payment, or it may still be leaked.” What organizations need to be focusing on is DDoS attack resilience and the operational agility of their systems, particularly access controls, backup procedures, and digital supply chain. 
“The importance of online extortion depends immensely on the nature of the threat and the enterprise’s risk tolerance,” Grady-Troia says. “Businesses should have a security event or incident response process that can be invoked in the case of any attack, and that process should include subject matter experts for systems and tools, procedures for all kinds of hazards.” Source: http://www.darkreading.com/attacks-breaches/netflix-incident-a-sign-of-increase-in-cyber-extortion-campaigns/d/d-id/1328794

DDoS attack size doubles, but 40% are still reported by customers

While the headline record-breaking attack size goes up every year, the long tail of average attack size has also doubled in the past year to reach 50 Gbps, according to Neustar’s fourth annual Worldwide DDoS Attacks and Cyber Insights Research Report. However, the increased average is partly put down to multiple 500 Gbps+ attacks from IoT botnets, one of which exceeded 680 Gbps peak size. The report records that nearly half (45 percent) of DDoS attacks were more than 10 Gbps and 15 percent of attacks were at least 50 Gbps, showing that volumetric attacks are getting larger. And the average cost of DDoS attacks has also gone up, now costing an organisation almost £2 million (£1.9 million) in revenue. Neustar’s report is based on responses from 1,010 CISOs, CSOs, CTOs, security directors and managers. Out of 1,010 organisations, 849 were attacked, with no particular industry spared. Eighty-six percent (727) of those attacked were hit more than once. Forty percent of respondents reported receiving attack alerts from customers, up from 29 percent in 2016, demonstrating just how unprepared we are when dealing with this threat. An average revenue loss of at least US$250,000 (£190,000) per hour was reported by 43 percent of organisations, with 51 percent taking at least three hours to detect an attack and 40 percent taking at least that amount of time to respond. Instances of ransomware increased 53 percent since 2016. Half of the attacks involved some sort of loss or theft, with a 38 percent increase year over year in customer data, financial and intellectual property thefts. Nearly all (99 percent) organisations have some sort of DDoS protection in place, but 90 percent are investing more than they did a year ago. More than a third (36 percent) think they should be investing even more.
Showing that the year is off to a fast start, the research is already seeing significant increases in average attack size and variety of attack vectors, even though Q1 is generally considered “pre-season”, with most attacks traditionally happening in the shopping season in the run-up to Christmas. The new hot attack trends for 2017 include Generic Routing Encapsulation (GRE) based flood attacks and Connectionless Lightweight Directory Access Protocol (CLDAP). The report explains how CLDAP reflection attacks come from botnets that target exposed public-facing LDAP servers by exploiting UDP’s inherent stateless nature. These attacks originate from port 389 (LDAP’s UDP port); however, they are not always concentrated on attacking a specific source port. Although LDAP is more prevalent on internal networks, attackers have been increasingly using this form of attack across the internet, and it has now grown to what Neustar describes as a point of significance. The largest CLDAP attack mitigated this year by Neustar Security Operations had a peak size of 20.9 Gbps/2.1 Mpps, targeted 9 different ports, used UDP protocols and lasted 14 minutes. Growth in these attacks is attributed to the near eradication of SSDP attacks; attackers looking for quickly ramping volumetric menaces have thus gravitated to CLDAP. Attackers may also launch LDAP-based attacks using brute force to saturate and neutralise authentication systems and security infrastructure components. GRE-based attacks target private connections and are often used to disrupt a DDoS target’s connection to its protection provider, the report explains. GRE tunnels are typically used to connect infrastructures and facilitate contaminated traffic flows into DDoS mitigation clouds. Attackers tend to understand this, and thus these types of attacks are increasingly being seen and mitigated.
Neustar points out that typically stopping a GRE flood without completely shutting down legitimate traffic requires surgical rate limiting (specific packet size ranges, sources and destinations, etc.) or specific white/black lists. Attackers continue to launch more sophisticated attacks to penetrate organisations’ defences, as multi-vector attacks have become the nearly universal experience for Neustar mitigation operations, with DDoS often a distraction for the main attack. “Distributed Denial of Service (DDoS) attacks are the zeitgeist of today’s internet,” said Barrett Lyon, head of research and development at Neustar Security Solutions, in a news release. “The question organisations must ask now is how they are prepared to manage these highly disruptive events. Are they prepared for the bad day where their customers call and ask why the website is down?” “We have to have confidence that our website infrastructure can stand up to DDoS attacks and attacks on our DNS infrastructure, which is unfortunately a constant threat,” said Chris Matthews, head of operations at Experian Data Quality, in a release. Neustar has expanded its network capacity to 3 Tbps, and is increasing it to 10 Tbps, enabling it to absorb more attacks and stop more complex versions of attack combinations. Neustar’s advice to companies in its report is: assess, plan, test, and communicate within the organisation, because the attacks are going to keep coming. Invest wisely to right-size your DDoS defences. Not all DDoS defences are made equally. Some of the experience gained by attackers last year was an operational understanding of DDoS defence business models. With long, large attacks come big expenses for targeted organisations and, in several extreme cases, removal from protective cover. Attackers are figuring out the economics of DDoS defence and using it to their advantage. This is an important consideration when evaluating security investments.
Source: https://www.scmagazineuk.com/ddos-attack-size-doubles-but-40-are-still-reported-by-customers/article/654480/
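The report's description of the two vectors is concrete enough to turn into triage logic: CLDAP reflection shows up as UDP traffic from source port 389 spread across many destination ports, a GRE flood as IP protocol 47 arriving from sources that are not the tunnel endpoints the site actually peers with, and the stated remedy for the latter is rate limiting scoped to specific sources and destinations or an explicit white list. The block below is an added example, not code from Neustar or from the report. It classifies one minute of flow records and derives narrowly scoped rules from the findings; the flow records, the 1,000 packets-per-second thresholds, the 60-second window, the 100 pps limit and the allowlisted tunnel endpoint 198.51.100.1 are all constructed assumptions.

```python
"""Flow-record triage for CLDAP reflection and GRE floods (added example).
Records, thresholds and the allowlisted GRE peer are constructed assumptions."""
from collections import defaultdict

UDP, GRE = 17, 47          # IP protocol numbers
CLDAP_PORT = 389           # LDAP's UDP port, the source port of reflected replies


def classify_flows(flows, window_s=60, cldap_min_pps=1000, gre_min_pps=1000):
    """Aggregate flows per destination and vector, then flag destinations whose
    packet rate over the window exceeds the assumed thresholds. Each flow is a
    dict with proto, src, sport, dst, dport, packets and bytes."""
    cldap = defaultdict(lambda: {"packets": 0, "sources": set(), "dports": set()})
    gre = defaultdict(lambda: {"packets": 0, "sources": set()})
    for f in flows:
        if f["proto"] == UDP and f["sport"] == CLDAP_PORT:
            agg = cldap[f["dst"]]
            agg["packets"] += f["packets"]
            agg["sources"].add(f["src"])   # each source is an abused reflector
            agg["dports"].add(f["dport"])  # replies land on many ports, as the report notes
        elif f["proto"] == GRE:
            agg = gre[f["dst"]]
            agg["packets"] += f["packets"]
            agg["sources"].add(f["src"])
    findings = []
    for dst, agg in cldap.items():
        pps = agg["packets"] / window_s
        if pps >= cldap_min_pps:
            findings.append({"vector": "cldap_reflection", "dst": dst, "pps": pps,
                             "reflectors": len(agg["sources"]),
                             "dports": len(agg["dports"])})
    for dst, agg in gre.items():
        pps = agg["packets"] / window_s
        if pps >= gre_min_pps:
            findings.append({"vector": "gre_flood", "dst": dst, "pps": pps,
                             "sources": len(agg["sources"])})
    return findings


def build_mitigation(findings, gre_allowlist, limit_pps=100):
    """Turn findings into rules scoped to the offending tuple only.
    gre_allowlist holds the tunnel endpoints that legitimately send GRE to us
    (assumed known from the mitigation provider's setup)."""
    rules = []
    for f in findings:
        if f["vector"] == "cldap_reflection":
            # A site that is not an Internet-facing LDAP server receives no
            # legitimate UDP traffic from port 389, so the rule can be this narrow.
            rules.append({"action": "rate-limit", "proto": "udp", "sport": CLDAP_PORT,
                          "dst": f["dst"], "limit_pps": limit_pps})
        elif f["vector"] == "gre_flood":
            # White list first: known tunnel peers keep full rate, everything
            # else speaking GRE to the victim is throttled. Order matters.
            for peer in sorted(gre_allowlist):
                rules.append({"action": "allow", "proto": "gre", "src": peer, "dst": f["dst"]})
            rules.append({"action": "rate-limit", "proto": "gre", "src": "any",
                          "dst": f["dst"], "limit_pps": limit_pps})
    return rules


def sample_flows():
    """Constructed one-minute flow sample around victim 192.0.2.10."""
    flows = []
    for i in range(30):  # 30 reflectors answering from UDP/389 onto 9 ports
        flows.append({"proto": UDP, "src": f"203.0.113.{i + 1}", "sport": CLDAP_PORT,
                      "dst": "192.0.2.10", "dport": 1024 + (i % 9),
                      "packets": 3000, "bytes": 3000 * 1400})
    # ordinary DNS replies: UDP, but not from port 389, so never counted
    flows.append({"proto": UDP, "src": "198.51.100.53", "sport": 53, "dst": "192.0.2.10",
                  "dport": 40000, "packets": 500, "bytes": 60000})
    # a trickle of CLDAP toward another host stays under the threshold
    flows.append({"proto": UDP, "src": "203.0.113.99", "sport": CLDAP_PORT,
                  "dst": "192.0.2.20", "dport": 2000, "packets": 600, "bytes": 60000})
    # the legitimate GRE tunnel from the mitigation provider's endpoint
    flows.append({"proto": GRE, "src": "198.51.100.1", "sport": 0, "dst": "192.0.2.10",
                  "dport": 0, "packets": 600, "bytes": 600 * 900})
    for i in range(5):   # five unknown sources flooding GRE at the tunnel endpoint
        flows.append({"proto": GRE, "src": f"192.0.2.{100 + i}", "sport": 0,
                      "dst": "192.0.2.10", "dport": 0, "packets": 20000, "bytes": 20000 * 60})
    return flows


if __name__ == "__main__":
    found = classify_flows(sample_flows())
    for rule in build_mitigation(found, gre_allowlist={"198.51.100.1"}):
        print(rule)
```

The point of the allow-then-limit ordering is the one the report makes: a blanket GRE block would sever the very tunnel that carries scrubbed traffic back from the mitigation provider, so the rule set names the known peers before throttling the rest. The thresholds should be replaced with the site's own measured GRE and UDP baselines before anything like this is wired into a real policy.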

Malware Hunter: Find C&C servers for botnets

Recorded Future and Shodan released Malware Hunter, a specialized crawler for security researchers that explores the Internet to find computers acting as remote access trojan (RAT) command and control centers.

What Malware Hunter does

Malware Hunter unearths computers hosting RAT controller software that remotely controls malware-infected computers and instructs them to execute malicious activities such as recording audio, video, and keystrokes on a victim’s machine. Using command and control servers, attackers can launch widescale attacks …
