Researchers from Avast have identified a worrying botnet affecting IoT devices Called ‘Torii,’ the virus infects devices at a server level that have weak encryption Virus can fetch and execute different commands, making it ‘very sophisticated’ Keep an eye on your smart home devices. Security experts have identified what they consider the ‘most sophisticated botnet they’ve ever seen’ and it’s believed to be targeting internet of things gadgets. Antivirus firm Avast said in a new report they’ve been closely watching a new malware strain, called ‘Torii,’ which uses ‘advanced techniques’ to infect devices. ‘…This one tries to be more stealthy and persistent once the device is compromised, an it does not (yet) do the usual stuff a botnet does like [Distributed Denial of Service attacks], attacking all the devices connected to the internet, or, of course, mining cryptocurrencies,’ Avast researchers wrote in a blog post. The malware goes after devices that have weak encryption, using the Telnet remote access protocol. Telnet is a remote access tool that’s primarily used to log into remote servers, but it’s largely been replaced by tools that are more secure. Once it has identified a poorly secured system, Torii will attempt to steal your personal information. It’s entirely possible that vulnerable IoT device owners have no idea their device has been compromised. ‘As we’ve been digging into this strain, we’ve found indications that this operation has been running since December 2017, maybe even longer,’ the researchers wrote. While Torii hasn’t attempted cryptojacking or carried out DDoS attacks, researchers say the malware is capable of fetching and executing commands of different kinds on the infected device, making it very sophisticated. What’s more, many smart home gadgets are connected to one another, and it’s unclear yet if the malware is capable of spreading to other devices. ‘Even though our investigation is continuing, it is clear that Torii is an example of the evolution of IoT malware, and that its sophistication is a level above anything we have seen before,’ the Avast researchers explained. Once Torii infects a device, it floods it with information and communicates with the master server, allowing the author of the malware to execute any code or deliver any payload to the infected device, according to researchers. ‘This suggests that Torii could become a modular platform for future use,’ the researchers continued. ‘Also, because the payload itself is not scanning for other potential targets, it is quite stealthy on the network layer. Stay tuned for the follow ups.’ WHAT IS A DDOS ATTACK? DDoS stands for Distributed Denial of Service. These attacks attempt to crash a website or online service by bombarding them with a torrent of superfluous requests at exactly the same time. The surge of simple requests overload the servers, causing them to become overwhelmed and shut down. In order to leverage the number of requests necessary to crash a popular website or online service, hackers will often resort to botnets – networks of computers brought under their control with malware. Malware is distributed by tricking users into inadvertently downloading software, typically by tricking users into following a link in an email or agreeing to download a corrupted file. Source: https://www.dailymail.co.uk/sciencetech/article-6216451/Security-experts-discover-sophisticated-botnet-seen.html
Monthly Archives: September 2018
Security breaches costing UK SMBs millions
Cybercriminals have moved on from large enterprises and are now targeting SMBs. While large organisations may offer a bigger payload, cybercriminals are increasingly targeting small and medium-sized businesses (SMBs) as they generally have smaller cybersecurity budgets and often lack a dedicated in-house security team to deal with cyberattacks. In its new Small and Mighty SMB Cybersecurity report, Cisco revealed that 53 per cent of SMBs have experienced a data breach. To compile its report, the company surveyed 1,816 respondents across 26 countries and also drew upon the results of its 2018 Security Capabilities Benchmark Study. According to Cisco, 29 per cent of SMBs will pay less than $100,000 after a data breach though 20 per cent said the same incident would cost them between $1m and $2.5m to resolve. The report also shed light on the fact that 40 per cent of SMBs will experience an average of eight hours or more of system downtime following a breach which is on par with their larger counterparts. Cisco explained how SMBs’ response differs from that of large enterprises in its report, noting: “The difference, though, is that larger organizations tend to be more resilient than small/midmarket businesses following an attack because they have more resources for response and recovery.” Of those surveyed, 39 per cent said at least half of their systems had been impacted as a result of a severe data breach in the last year. Regarding the biggest security challenges faced by SMBs, respondents reported targeted attacks, advanced persistent threats (APTs), ransomware and DDoS attacks as the most concerning. Source: https://www.itproportal.com/news/security-breaches-costing-uk-smbs-millions/
Read More:
Security breaches costing UK SMBs millions
DDoS Attack on German Energy Company RWE
Protesters in Germany have been camping out at the Hambach Forest, where the German energy company RWE has plans to mine for coal. Meanwhile, it’s been reported that RWE’s website was under attack as police efforts to clear the protesters from the woods were underway. According to Deutsche Welle , unknown attackers launched a large-scale distributed denial-of-service (DDoS), which took down RWE’s website for virtually all of Tuesday. No other systems were attacked, but efforts to clear away the protesters have been ongoing for the better part of the month, and activists have reportedly made claims that they will be getting more aggressive in their tactics. Activists have occupied the forest in hopes of preventing RWE from moving forward with plans to expand its coal mining operations, which would effectively clear the forest. In addition to camping out in the forest, the protesters have reportedly taken to YouTube to spread their message. Reports claim that a clip was posted last week by Anonymous Deutsch that warned, “If you don’t immediately stop the clearing of the Hambach Forest, we will attack your servers and bring down your web pages, causing you economic damage that you will never recover from,” DW reported. “Together, we will bring RWE to its knees. This is our first and last warning,” the voice from the video reportedly added. DDoS attacks are intended to cripple websites, and the attack on RWE allowed the activists to make good on their threat, at least for one day. ““This is yet another example that illustrates the DDoS threat to [softer targets in] CNI [critical network infrastructure]. RWE is an operator of an essential service (energy) in Germany. The lights didn’t go out but their public-facing website was offline as a result of this attack,” said Andrew Llyod, president, Corero Network Security. In a recent DDoS report, Corero researchers found that “after facing one attack, one in five organizations will be targeted again within 24 hours.” Source: https://www.infosecurity-magazine.com/news/ddos-attack-on-german-energy/
See more here:
DDoS Attack on German Energy Company RWE
Don’t Look Away, Peekaboo Vulnerability May Allow Hackers to Play the Long Game
The newly named Peekaboo vulnerability is a zero-day flaw in China-based Nuuo’s video recorder technology.The flaw in NVRMini2, a network-attached storage device, has remained unfixed in the three months since the vendor was alerted. This vulnerability put internet-connected CCTV cameras at risk, a grave concern for organizations using the service to view and manage their connected CCTV cameras. NUUO both uses the technology in its own products and licenses it to third-party surveillance system makers and systems integration partners. Exposure from Peekaboo Vulnerability Tenable Research, which discovered the Peekaboo flaw, said it could potentially impact more than 100 CCTV brands and approximately 2,500 different camera models. Organizations in wide range of industries, including retail, transportation, banking, and government, install these cameras to improve security. NUUO was informed of the vulnerability on June 5, 2018. Patches are now available on their website. This is not the first time an IoT vulnerability has brought unexpected risk to organizations. The Mirai botnet attacks showed how hackers can use CCTVs, webcams, and other Internet-connected devices to launch massive distributed denial of service (DDoS) attacks to cause mass disruption. Many of us saw the impact of Mirai in October 2016, when they used the botnets to take down Dyn. Apparently the latest IoT-related risk comes from the Peekaboo vulnerability, opening organizations to risk from an unexpected vector. Multiple Vulnerabilities Add Risk The Tenable team found two vulnerabilities; the first was an unauthenticated stack buffer overflow. A buffer overflow attack is when a hacker sends more data than a computer is designed to receive, leading the computer to inadvertently store the leftover data as commands the computer will later run. Buffer overflow is a common code level issue that has been prevalent for years, which can be identified through static analysis. The second vulnerability was a backdoor in leftover debug code, so together the flaws allow hackers to explore the surveillance data and access login credentials, port usage, IP addresses, and other information on the camera equipment itself. These types of issue map directly to coding errors and the remediation exposure disciplines of software exposure. Let’s take a look, however, at what a patient hacker can do with this particular security camera hack. Here is a hypothetical example of how a hacker might use the Peekaboo vulnerability: Turn off cameras or delete recordings by executing the buffer overflow Allow individuals to access to the building Install additional software within the building for later use Execute that software well after initial camera hack, resulting in significant exploits against the compromised system Confuse experts trying to determine the cause of exploit due to the multi-step attack Think Like a Hacker As usual, the original hack itself is not the end game. Deleting data or controlling security cameras allows attackers to circumvent security systems to rob residences or businesses. However, my major concern is the potential for infrastructure terrorism on electrical grids, nuclear plants, or water supplies. Hackers play the long game, and we in the security field need to as well. The software industry must react quickly to vulnerabilities such as Peekaboo, either to provide a patch in our own software, or to apply it as soon as it’s available. Software runs most of the objects we know and use every day. It’s our responsibility to make it as safe and secure as possible. Source:https://securityboulevard.com/2018/09/dont-look-away-peekaboo-vulnerability-may-allow-hackers-to-play-the-long-game/
Follow this link:
Don’t Look Away, Peekaboo Vulnerability May Allow Hackers to Play the Long Game
DDoS Attack on Infinite Campus Limits Parent Access
A distributed denial-of-service (DDoS) attack on Infinite Campus, an educational software provider that houses the parent portal for Oklahoma City Public Schools, created access issues for those parents trying to connect to the district’s student information system. While this was not the first attack on Infinite Campus, district spokeswoman Beth Harrison told NewsOK that the most recent attacks were greater than any it had previously experienced in both volume and duration. “The latest series of attacks began Monday, September 17, and included multiple customers and data centers. Homeland Security is now involved and Infinite Campus has hired additional security experts to assure all data is safe and to track down the attack perpetrators.” In an announcement to parents explaining the cause of the access issues, the Oklahoma City Public Schools wrote, “Please note that NO student data was stolen or breached. This attack just causes the service to be very slow or unresponsive. Many districts across the country are impacted and authorities are investigating. We’ll provide updates as soon as we have them. Thanks for your patience!” The attack comes at the beginning of a new school year, and while the motive is unclear at this point, attackers often have myriad objectives when orchestrating these types of attacks. According to recent research from Corero Network Security, during the first half of 2018 DDoS attacks increased 40% from Q2 2017 to Q2 2018. “This highlights the increasing need for organizations that rely on high levels of online availability to ensure they include the latest always-on, real-time, automatic DDoS protection in their defenses,” said Sean Newman, director product management, Corero Network Security. “The key point is that such a critical service is able to be taken down by what is now a relatively cheap-and-simple-to-launch attack vector. It’s good to see that a strong emphasis is being placed on the privacy of any data being held, but that doesn’t help with the disruption and inconvenience caused when such a vital service is down for an extended period of time.” Many online services are delivered by third parties such as Infinite Campus, and when these service providers are targeted with DDoS or other attacks, their customers feel the impact. “The attack on Oklahoma City’s student information system is just another example of just how many services, which are increasingly provided online for reasons of cost, efficiency and scalability, are delivered without adequate resiliency to distributed denial-of-service attacks,” Source: https://www.infosecurity-magazine.com/news/ddos-attacks-infinite-campus/
Read More:
DDoS Attack on Infinite Campus Limits Parent Access
DDoS attack on education vendor hinders access to districts’ online portals
Multiple school districts are reportedly suffering the effects of a denial of service attack perpetrated against Blaine, Minn.-based Infinite Campus, a third-party online services provider. As a result, district residents may be unable to reliably use services such as the “Parent Portal, through which teachers, parents and students can access information such as grades, class schedules and school notifications. One such district is Oklahoma City Public Schools, which has issued an online statement to locals explaining that “Access to your student’s information through the parent portal may be limited or inaccessible due to the ‘denial of service’ attack on our provider, Infinite Campus.” No data was breached or stolen in the incident, OCPS has assured residents. “Many districts across the country are impacted and authorities are investigating,” the notification continues. Indeed, the Natrona County School District in Wyoming has reportedly issued a similar statement. Source: https://www.scmagazine.com/home/news/cybercrime/ddos-attack-on-education-vendor-hinders-access-to-districts-online-portals/
More:
DDoS attack on education vendor hinders access to districts’ online portals
Verizon Digital Media Services adds managed security services to its Cloud Security Solution
Verizon Digital Media Services announced it has added a managed cloud security offering as part of its global Cloud Security Solution. The managed cloud security component provides access to security professionals who monitor and take corrective action against the security threats, no matter the time of day. The addition of this offering complements features previously available within Verizon Digital Media Services’ Cloud Security Solution, including a dual web application firewall (WAF), distributed denial-of-service (DDoS) protection, … More ? The post Verizon Digital Media Services adds managed security services to its Cloud Security Solution appeared first on Help Net Security .
Read More:
Verizon Digital Media Services adds managed security services to its Cloud Security Solution
Some credential-stuffing botnets don’t care about being noticed any more
They just take a battering ram to the gates The bots spewing out malicious login attempts by the bucketload appear to have cranked it up a notch.…
Follow this link:
Some credential-stuffing botnets don’t care about being noticed any more
Mirai creators sentenced to probation after assisting FBI with cyber investigations
Three young men who developed and deployed the original Mirai IoT botnet malware were sentenced on Tuesday in an Alaskan federal court to five years probation – a lenient punishment earned through extensive cooperation with FBI on other cyber investigations. Paras Jha, 22, of Fanwood, N.J.; Josiah White, 21, of Washington, Penn.; and Dalton Norman, 22, of Metairie, La. were also each ordered to pay $127,000 in restitutions and serve 2,500 hours of community service that will require continued collaboration with law enforcement authorities and researchers on cybercrime and cybersecurity matters. A Sept. 18 Wired article citing additional court documents states the three men have already accumulated more than 1,000 hours of community service by lending their expertise to at least a dozen investigations. This reportedly includes efforts to reduce the impact of high-volume distributed denial of service (DDoS) attacks, counter a nation-state-backed APT group, and perhaps undercover work. “All three have made efforts at positive professional and educational development with varying degrees of success, and indeed it was their collective lack of success in those fields that provided some of the motive to engage in the criminal conduct” in the first place, stated a sentencing memorandum filed by U.S. prosecutors on Sept. 11. In recommending a lighter sentence to the court, the document cites “potential grounds for optimism regarding their prospects for rehabilitation and productive engagement in society after being sentenced in these cases. All three have significant employment and educational prospects should they choose to take advantage of them rather than continuing to engage in criminal activity.” Jha could still serve prison time for additional charges filed, in New Jersey, related to a 2016 Mirai-based DDoS attack he launched against Rutgers University, where he had been a student. The three men pleaded guilty in late 2017. White, Jha, and Norman created the botnet in the summer and fall of 2016, recruiting scores of compromised IoT devices – including wireless cameras, routers, and digital video recorders – and using them to flood targets with DDoS traffic. Jha later released Mirai’s source code to evade identification as an author. This action led to others individuals developing numerous versions of the malware, including one that impacted the Domain Name System provider Dyn and disabled many popular websites on Oct. 21, 2016. Other versions have focused focus from DDoS attacks to other illegal activities such as cryptomining. “Cybercrime is a worldwide epidemic that reaches many Alaskans,” said U.S. Attorney Bryan Schroder in a DOJ press release. “The perpetrators count on being technologically one step ahead of law enforcement officials. The plea agreement with the young offenders in this case was a unique opportunity for law enforcement officers, and will give FBI investigators the knowledge and tools they need to stay ahead of cyber criminals around the world.” “The sentences announced today would not have been possible without the cooperation of our partners in international law enforcement and the private sector,” Jeffery Peterson, Special Agent in Charge of FBI’s Anchorage field office, also said in the release. “The FBI is committed to strengthening those relationships and finding innovative ways to counter cybercrime. Cybercriminals often develop their technical skills at a young age. This case demonstrates our commitment to hold criminals accountable while encouraging offenders to choose a different path to apply their skills.” Source: https://www.scmagazine.com/home/news/mirai-creators-sentenced-to-probation-after-assisting-fbi-with-cyber-investigations/
Taken from:
Mirai creators sentenced to probation after assisting FBI with cyber investigations
3 Drivers Behind the Increasing Frequency of DDoS Attacks
What’s causing the uptick? Motivation, opportunity, and new capabilities. According to IDC Research’s recent US DDoS Prevention Survey, more than 50% of IT security decision makers said that their organization had been the victim of a distributed denial-of-service (DDoS) attack as many as 10 times in the past year. For those who experienced an attack, more than 40% lasted longer than 10 hours. This statistic correlates with our ATLAS findings, which show there were 7.5 million DDoS attacks in 2017 — a rate, says Cisco, that is increasing at roughly the same rate as Internet traffic. What’s behind the uptick? It boils down to three factors: motivation of the attackers; the opportunity presented by inexpensive, easy-to-use attack services; and the new capabilities that Internet of Things (IoT) botnets have. Political and Criminal Motivations In an increasingly politically and economically volatile landscape, DDoS attacks have become the new geopolitical tool for nation-states and political activists. Attacks on political websites and critical national infrastructure services are becoming more frequent, largely because of the desire and capabilities of attackers to affect real-world events, such as election processes, while staying undiscovered. In June, a DDoS attack was launched against the website opposing a Mexican presidential candidate during a debate. This attack demonstrated how a nation-state could affect events far beyond the boundaries of the digital realm. It threatened the stability of the election process by knocking a candidate’s website offline while the debate was ongoing. Coincidence? Perhaps. Or maybe an example of the phenomenon security experts call “cyber reflection,” when an incident in the digital realm is mirrored in the physical world. DDoS attacks carried out by criminal organizations for financial gain also demonstrate cyber reflection, particularly for global financial institutions and other supra-national entities whose power makes them prime targets, whether for state actors, disaffected activists, or cybercriminals. While extortion on the threat of DDoS continues to be a major threat to enterprises across all vertical sectors, cybercriminals also use DDoS as a smokescreen to draw attention away from other nefarious acts, such as data exfiltration and illegal transfers of money. Attacks Made Easy This past April, Webstresser.org — one of the largest DDoS-as-a-service (DaaS) providers in existence, which allowed criminals to buy the ability to launch attacks on businesses and responsible for millions of DDoS attacks around the globe — was taken down in a major international investigation. The site was used by a British suspect to attack a number of large retail banks last year, causing hundreds of thousands of pounds of damage. Six suspected members of the gang behind the site were arrested, with computers seized in the UK, Holland, and elsewhere. Unfortunately, as soon as Webstresser was shut down, various other similar services immediately popped up to take its place. DaaS services like Webstresser run rampant in the underground marketplace, and their services are often available at extremely low prices. This allows anyone with access to digital currency or other online payment processing service to launch a DDoS attack at a target of their choosing. The low cost and availability of these services provide a means of carrying out attacks both in the heat of the moment and after careful planning. The rage-fueled, irrational DDoS-based responses of gamers against other gamers is a good example of a spur-of-the-moment, emotional attack enabled by the availability of DaaS. In other cases, the DaaS platforms may be used in hacktivist operations to send a message or take down a website in opposition to someone’s viewpoint. The ease of accessibility to DaaS services enables virtually anyone to launch a cyberattack with relative anonymity. IoT Botnets IoT devices are quickly brought to market at the lowest cost possible, and securing them is often an afterthought for manufacturers. The result? Most consumer IoT devices are shipped with the most basic types of vulnerabilities, including hard code/default credentials, and susceptibility to buffer overflows and command injection. Moreover, when patches are released to address these issues, they are rarely applied. Typically, a consumer plugs in an IoT device and never contemplates the security aspect, or perhaps does not understand the necessity of applying regular security updates and patches. With nearly 27 billion connected devices in 2017, expected to rise to 125 billion by 2030 according to analysis from IHS Markit, they make extremely attractive targest for malware authors. In the latter half of 2016, a high-visibility DDoS attack against a DNS host/provider was observed, which affected a number of major online properties. The malware responsible for this attack, and many others, was Mirai. Once the source code for Mirai was published on September 30, 2016, it sparked the creation of a slew of other IoT-based botnets, which have continued to evolve significantly. Combined with the proliferation of IoT devices, and their inherent lack of security, we have witnessed a dramatic growth in both the number and size of botnets. These new botnets provide the opportunity for attackers and DaaS services to create new, more powerful, and more sophisticated attacks. Conclusion Today’s DDoS attacks are increasingly multivector and multilayered, employing a combination of large-scale volumetric assaults and stealth infiltration targeting the application layer. This is just the latest trend in an ever-changing landscape where attackers adapt their solutions and make use of new tools and capabilities in an attempt to evade and overcome existing defenses. Businesses need to maintain a constant vigilance on the techniques used to target them and continually evolve their defenses to industry best practices. Source: https://www.darkreading.com/attacks-breaches/3-drivers-behind-the-increasing-frequency-of-ddos-attacks/a/d-id/1332824
Excerpt from:
3 Drivers Behind the Increasing Frequency of DDoS Attacks