Author Archives: Enurrendy

Could Your Organisation’s Servers Be A Botnet?

Most organisations are aware that they could be the target of a DDoS attack and have deployed protection to keep their public-facing services online in the face of such attacks. However, far fewer have thought about the potential for their servers to be harnessed for use in a botnet, the group of servers used to conduct such DDoS attacks. Up until a few months ago, attackers typically only used well-known infrastructure services, like DNS resolution servers, to launch and amplify DDoS attacks, but Memcached – a popular database caching system – changed that. Malicious hackers have begun abusing Memcached to deliver attacks that are amplified to over 50,000 times their original size – one of the largest amplification methods ever detected. Any organisation running Memcached to speed up its systems is a potential botnet recruit.

How Memcached and similar UDP-based service attacks work

Earlier this year, researchers discovered that a flaw in the implementation of the User Datagram Protocol (UDP) for Memcached servers can allow hackers to deliver record-breaking attacks with little effort. Memcached is a distributed memory caching system, originally intended to speed up networks and website applications by reducing database load. It stores data objects in memory and returns them to the caller immediately, without a database query, which reduces both latency and database load. Usually, Memcached systems are deployed within a trusted network where authentication may not be required. However, when exposed to the Internet, they become trivially exploitable if authentication isn’t turned on. Not only is the cached data accessible to attackers; if UDP access is enabled, it is also simple to use the Memcached server for a DDoS attack.

Specifically, with UDP an attacker can “spoof” or fake the Internet Protocol address of the target machine, so that the Memcached servers all respond by sending large amounts of data to the spoofed address, thus triggering a DDoS attack. Most popular DDoS tactics that abuse UDP connections can amplify the attack traffic up to 20 times, but Memcached can take a small amount of attack traffic and amplify the size of the request thousands of times. Thus, a small number of open Memcached servers can be used to create very large DDoS attacks.

The implications for the organisation

If you’re running Memcached with UDP and without authentication, you’re now a likely target for inclusion in a botnet. Should you become part of a botnet, it’s possible that both your servers and your bandwidth will be overloaded, resulting in outages and increased network costs. Indeed, attackers have already demonstrated how badly servers with misconfigured Memcached can be abused and used to launch DDoS attacks with ease. In addition, unprotected Memcached servers give attackers access to the user data that has been cached from the local network or host, potentially including email addresses, database records, personal information and more. Cybercriminals could also modify the data they access and reinsert it into the cache without users’ knowledge, thus polluting production applications. To avoid being assimilated into a Borg-ish botnet, organisations and internet service providers need to take a more proactive approach to identifying any vulnerable servers before damage is done.

What can be done to prevent the servers being recruited?

Despite multiple warnings about threat actors exploiting unprotected Memcached servers, Ars Technica reported that searches show there are more than 88,000 vulnerable servers – a sign that attacks may get much bigger.
Therefore, it’s crucial that organisations ensure they have the correct security measures in place to avoid being part of this wave. Attacks of this scale cannot be easily defended against by Internet Service Providers (ISPs), so organisations need to take inventory of any Internet-facing servers and ensure that Memcached is not inadvertently exposed. For any internet-facing servers that require Memcached, they should consider using a Software-Defined Perimeter to ensure that only authorized users are able to send UDP packets or establish TCP connections. This will prevent attackers from harnessing the servers in a DDoS attack and leveraging them to amplify those attacks. In addition, companies need to look at internal servers that are running Memcached, because an internal distributed denial-of-service attack could also be launched from some locally-running malware. Source: https://www.informationsecuritybuzz.com/articles/could-your-organisations-servers-be-a-botnet/
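As an added example that is not part of the original article or its source, here is one way a defender can spot the reflection pattern the article describes in a server's own flow records: a peer that sends almost nothing to UDP port 11211 yet receives a flood of responses. The record format, the sample flows and the thresholds are constructed for illustration.

```python
"""Spot Memcached UDP reflection in a server's own flow records.

A Memcached host abused as a reflector answers tiny UDP datagrams on
port 11211, whose source address has been spoofed to the victim, with a
far larger volume of responses sent to that victim.  Seen from the
server side, that is one "client" address that sends almost nothing and
receives a flood.  This script aggregates inbound and outbound UDP/11211
traffic per (server, peer) pair and reports pairs whose outbound/inbound
byte ratio is implausible for a real cache client.

Record format, sample records and thresholds are constructed for this
example; adapt parse_flows() to the export format of your flow collector.
"""
from collections import defaultdict
from dataclasses import dataclass

MEMCACHED_PORT = 11211


@dataclass
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    bytes: int


# Constructed sample: one legitimate cache client (10.0.0.5), one reflection
# victim (203.0.113.7, the spoofed source), one peer with no inbound flow at
# all (198.51.100.9), and a TCP flow that the UDP check must ignore.
SAMPLE_FLOWS = """\
# proto,src,sport,dst,dport,packets,bytes
udp,10.0.0.5,40512,10.0.0.10,11211,2000,120000
udp,10.0.0.10,11211,10.0.0.5,40512,2000,400000
udp,203.0.113.7,53,10.0.0.10,11211,500,7500
udp,10.0.0.10,11211,203.0.113.7,53,250000,350000000
udp,10.0.0.10,11211,198.51.100.9,80,2000,3000000
tcp,10.0.0.6,51000,10.0.0.10,11211,8000,900000
"""


def parse_flows(text):
    """Parse comma-separated flow records; '#' lines are comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, src, sport, dst, dport, pkts, nbytes = line.split(",")
        flows.append(Flow(proto.lower(), src, int(sport), dst, int(dport),
                          int(pkts), int(nbytes)))
    return flows


def find_reflection(flows, local_servers, min_ratio=50, min_out_bytes=1_000_000):
    """Return suspected (server, peer) reflection pairs, worst ratio first.

    min_ratio: outbound/inbound byte ratio above which a UDP peer is not a
    plausible cache client (a get returns at most a few times the request).
    min_out_bytes: ignore pairs too small to matter as attack traffic.
    """
    inbound = defaultdict(lambda: [0, 0])   # (server, peer) -> [pkts, bytes]
    outbound = defaultdict(lambda: [0, 0])
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst in local_servers and f.dport == MEMCACHED_PORT:
            inbound[(f.dst, f.src)][0] += f.packets
            inbound[(f.dst, f.src)][1] += f.bytes
        elif f.src in local_servers and f.sport == MEMCACHED_PORT:
            outbound[(f.src, f.dst)][0] += f.packets
            outbound[(f.src, f.dst)][1] += f.bytes

    findings = []
    for (server, peer), (out_pkts, out_bytes) in outbound.items():
        if out_bytes < min_out_bytes:
            continue
        in_pkts, in_bytes = inbound.get((server, peer), (0, 0))
        # No inbound flow seen at all (sampling, or a sustained flood) is
        # treated as an infinite ratio so it is never silently skipped.
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        if ratio >= min_ratio:
            findings.append({"server": server, "peer": peer,
                             "in_pkts": in_pkts, "in_bytes": in_bytes,
                             "out_pkts": out_pkts, "out_bytes": out_bytes,
                             "ratio": ratio})
    return sorted(findings, key=lambda r: r["ratio"], reverse=True)


if __name__ == "__main__":
    for r in find_reflection(parse_flows(SAMPLE_FLOWS), {"10.0.0.10"}):
        print(f"{r['server']} -> {r['peer']}: {r['out_bytes']} B out vs "
              f"{r['in_bytes']} B in, ratio {r['ratio']:.0f}x")
```

On a correctly hardened host (UDP disabled, or Memcached bound to a trusted interface only) the outbound side of this check should simply be empty.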


‘Torii’ Breaks New Ground For IoT Malware

Stealth, persistence mechanisms and the ability to infect a wide swath of devices make the malware dangerous and very different from the usual Mirai knockoffs, Avast says.

A dangerous and potentially destructive new IoT malware sample has recently surfaced that, for the first time this year, is not just another cheap Mirai knockoff. Researchers from security vendor Avast recently analyzed the malware and have named it Torii because the telnet attacks through which it is being propagated have been coming from Tor exit nodes. Besides bearing little resemblance to Mirai in code, Torii is also stealthier and more persistent on compromised devices. It is designed to infect what Avast says is one of the largest sets of devices and architectures for an IoT malware strain. Devices on which Torii works include those based on x86, x64, PowerPC, MIPS, ARM, and several other architectures. Interestingly, so far at least, Torii is not being used to assemble DDoS botnets like Mirai was, or to drop cryptomining tools like some more recent variants have been doing. Instead it appears optimized for stealing data from IoT devices. And, like a slew of other recent malware, Torii has a modular design, meaning it is capable of relatively easily fetching and executing other commands. Martin Hron, a security researcher at Avast, says that, if anything, Torii is more like the destructive VPNFilter malware that infected some 500,000 network attached storage devices and home-office routers this May. VPNFilter attacked network products from at least 12 major vendors and was capable of attacking not just routers and network attached storage devices but the systems behind them as well. Torii is different from other IoT malware on several other fronts. For one thing, “it uses six or more ways to achieve persistence ensuring it doesn’t get kicked out of the device easily on a reboot or by another piece of malware,” Hron notes. Torii’s modular, multistage architecture is different too.
“It drops a payload to connect with [command-and-control (CnC)] and then lays in wait to receive commands or files from the CnC,” the security researcher says. The command-and-control server with which the observed samples of Torii have been communicating is located in Arizona. Torii’s support for a large number of common architectures gives it the ability to infect anything with open telnet, which includes millions of IoT devices. Worryingly, it is likely the malware authors have other attack vectors as well, but telnet is the only vector that has been used so far, Hron notes. While Torii hasn’t been used for DDoS attacks yet, it has been sending a lot of information back to its command-and-control server about the devices it has infected. The data being exfiltrated includes hostname, process ID, and other machine-specific information that would let the malware operator fingerprint and catalog devices more easily. Hron says Avast researchers aren’t really sure why Torii is collecting all the data. Significantly, Avast researchers discovered a hitherto unused binary on the server that is distributing the malware, which could let the attackers execute any command on an infected device. The app is written in Go, which means it can be easily recompiled to run on virtually any machine. Hron says Avast is unsure what the malware authors plan to do with the functionality. But based on its versatility and presence on the malware distribution server, he thinks it could be a backdoor or a service that would let the attacker orchestrate multiple devices at once. The log data that Avast was able to analyze showed that slightly less than 600 unique client devices had downloaded Torii. But it is likely that the number is just a snapshot of new machines that were recruited into the botnet for the period for which Avast has the log files, the security vendor said. Source: https://www.darkreading.com/attacks-breaches/-torii-breaks-new-ground-for-iot-malware/d/d-id/1332930


190 UK Universities Targeted with Hundreds of DDoS Attacks

A large number of security attacks have been targeting universities all over the UK. Over 850 DDoS attacks were analyzed across 190 universities. Security experts suspect students or staff to be behind the large-scale attacks.

Over 850 DDoS attacks that targeted 190 universities took place in the United Kingdom in the 2017-2018 academic year. Security researchers from JISC studied all of the reported attacks and found clear patterns that tie the attacks together. JISC is responsible for providing internet connectivity to UK research and education institutions. After a thorough analysis of all attacks during the past academic year, its study reveals that the attackers are most likely staff or students who are associated with the academic cycle. JISC came to this conclusion because the DDoS activity sees noticeable drops during university holidays. More importantly, most of the attacks were centered around the university working hours of 9 am to 4 pm local time.

[Image courtesy of JISC]

Head of JISC’s security operations center John Chapman revealed: “We can only speculate on the reasons why students or staff attack their college or university – for the ‘fun’ of disruption and kudos among peers of launching an attack that stops internet access and causes chaos, or because they bear a grudge for a poor grade or failure to secure a pay rise”. One of the DDoS attacks lasted four days and was traced to a university’s hall of residence. A larger dip in attacks was noticed this summer compared to the summer of 2017, coinciding with an international law enforcement operation against the number one DDoS-for-hire online market. The takedown of that website led to a massive drop in the number of DDoS attacks globally, which indicates that the attacks on the UK universities were not carried out by professional hackers working with a personal agenda, but by hired professionals.
The motive behind these DDoS attacks is unknown, and it may serve as a cover for more sinister cybercriminal activity. Universities often store valuable intellectual property, which makes them prime targets for many hackers. Source: https://www.technadu.com/190-uk-universities-targeted-hundreds-ddos-attacks/42816/


Beware of Torii! Security experts discover the ‘most sophisticated botnet ever seen’ – and say it is targeting smart home gadgets

Researchers from Avast have identified a worrying botnet affecting IoT devices. Called ‘Torii’, the virus infects devices at a server level that have weak encryption. The virus can fetch and execute different commands, making it ‘very sophisticated’.

Keep an eye on your smart home devices. Security experts have identified what they consider the ‘most sophisticated botnet they’ve ever seen’ and it’s believed to be targeting internet of things gadgets. Antivirus firm Avast said in a new report they’ve been closely watching a new malware strain, called ‘Torii,’ which uses ‘advanced techniques’ to infect devices. ‘…This one tries to be more stealthy and persistent once the device is compromised, and it does not (yet) do the usual stuff a botnet does like [Distributed Denial of Service attacks], attacking all the devices connected to the internet, or, of course, mining cryptocurrencies,’ Avast researchers wrote in a blog post. The malware goes after devices that have weak encryption, using the Telnet remote access protocol. Telnet is a remote access tool that’s primarily used to log into remote servers, but it’s largely been replaced by tools that are more secure. Once it has identified a poorly secured system, Torii will attempt to steal your personal information. It’s entirely possible that vulnerable IoT device owners have no idea their device has been compromised. ‘As we’ve been digging into this strain, we’ve found indications that this operation has been running since December 2017, maybe even longer,’ the researchers wrote. While Torii hasn’t attempted cryptojacking or carried out DDoS attacks, researchers say the malware is capable of fetching and executing commands of different kinds on the infected device, making it very sophisticated. What’s more, many smart home gadgets are connected to one another, and it’s unclear yet whether the malware is capable of spreading to other devices.
‘Even though our investigation is continuing, it is clear that Torii is an example of the evolution of IoT malware, and that its sophistication is a level above anything we have seen before,’ the Avast researchers explained. Once Torii infects a device, it floods it with information and communicates with the master server, allowing the author of the malware to execute any code or deliver any payload to the infected device, according to researchers. ‘This suggests that Torii could become a modular platform for future use,’ the researchers continued. ‘Also, because the payload itself is not scanning for other potential targets, it is quite stealthy on the network layer. Stay tuned for the follow ups.’

WHAT IS A DDOS ATTACK?

DDoS stands for Distributed Denial of Service. These attacks attempt to crash a website or online service by bombarding it with a torrent of superfluous requests at exactly the same time. The surge of simple requests overloads the servers, causing them to become overwhelmed and shut down. In order to generate the number of requests necessary to crash a popular website or online service, hackers will often resort to botnets – networks of computers brought under their control with malware. Malware is distributed by tricking users into inadvertently downloading software, typically by tricking users into following a link in an email or agreeing to download a corrupted file. Source: https://www.dailymail.co.uk/sciencetech/article-6216451/Security-experts-discover-sophisticated-botnet-seen.html


Security breaches costing UK SMBs millions

Cybercriminals have moved on from large enterprises and are now targeting SMBs. While large organisations may offer a bigger payload, cybercriminals are increasingly targeting small and medium-sized businesses (SMBs) as they generally have smaller cybersecurity budgets and often lack a dedicated in-house security team to deal with cyberattacks. In its new Small and Mighty SMB Cybersecurity report, Cisco revealed that 53 per cent of SMBs have experienced a data breach. To compile its report, the company surveyed 1,816 respondents across 26 countries and also drew upon the results of its 2018 Security Capabilities Benchmark Study. According to Cisco, 29 per cent of SMBs will pay less than $100,000 after a data breach though 20 per cent said the same incident would cost them between $1m and $2.5m to resolve. The report also shed light on the fact that 40 per cent of SMBs will experience an average of eight hours or more of system downtime following a breach which is on par with their larger counterparts. Cisco explained how SMBs’ response differs from that of large enterprises in its report, noting: “The difference, though, is that larger organizations tend to be more resilient than small/midmarket businesses following an attack because they have more resources for response and recovery.” Of those surveyed, 39 per cent said at least half of their systems had been impacted as a result of a severe data breach in the last year. Regarding the biggest security challenges faced by SMBs, respondents reported targeted attacks, advanced persistent threats (APTs), ransomware and DDoS attacks as the most concerning. Source: https://www.itproportal.com/news/security-breaches-costing-uk-smbs-millions/


DDoS Attack on German Energy Company RWE

Protesters in Germany have been camping out at the Hambach Forest, where the German energy company RWE has plans to mine for coal. Meanwhile, it’s been reported that RWE’s website was under attack as police efforts to clear the protesters from the woods were underway. According to Deutsche Welle, unknown attackers launched a large-scale distributed denial-of-service (DDoS) attack, which took down RWE’s website for virtually all of Tuesday. No other systems were attacked, but efforts to clear away the protesters have been ongoing for the better part of the month, and activists have reportedly made claims that they will be getting more aggressive in their tactics. Activists have occupied the forest in hopes of preventing RWE from moving forward with plans to expand its coal mining operations, which would effectively clear the forest. In addition to camping out in the forest, the protesters have reportedly taken to YouTube to spread their message. Reports claim that a clip was posted last week by Anonymous Deutsch that warned, “If you don’t immediately stop the clearing of the Hambach Forest, we will attack your servers and bring down your web pages, causing you economic damage that you will never recover from,” DW reported. “Together, we will bring RWE to its knees. This is our first and last warning,” the voice from the video reportedly added. DDoS attacks are intended to cripple websites, and the attack on RWE allowed the activists to make good on their threat, at least for one day. “This is yet another example that illustrates the DDoS threat to [softer targets in] CNI [critical network infrastructure]. RWE is an operator of an essential service (energy) in Germany. The lights didn’t go out but their public-facing website was offline as a result of this attack,” said Andrew Lloyd, president, Corero Network Security.
In a recent DDoS report, Corero researchers found that “after facing one attack, one in five organizations will be targeted again within 24 hours.” Source: https://www.infosecurity-magazine.com/news/ddos-attack-on-german-energy/


Don’t Look Away, Peekaboo Vulnerability May Allow Hackers to Play the Long Game

The newly named Peekaboo vulnerability is a zero-day flaw in China-based Nuuo’s video recorder technology. The flaw in NVRMini2, a network-attached storage device, has remained unfixed in the three months since the vendor was alerted. This vulnerability puts internet-connected CCTV cameras at risk, a grave concern for organizations using the service to view and manage their connected CCTV cameras. NUUO both uses the technology in its own products and licenses it to third-party surveillance system makers and systems integration partners.

Exposure from Peekaboo Vulnerability

Tenable Research, which discovered the Peekaboo flaw, said it could potentially impact more than 100 CCTV brands and approximately 2,500 different camera models. Organizations in a wide range of industries, including retail, transportation, banking, and government, install these cameras to improve security. NUUO was informed of the vulnerability on June 5, 2018. Patches are now available on their website. This is not the first time an IoT vulnerability has brought unexpected risk to organizations. The Mirai botnet attacks showed how hackers can use CCTVs, webcams, and other Internet-connected devices to launch massive distributed denial of service (DDoS) attacks to cause mass disruption. Many of us saw the impact of Mirai in October 2016, when the botnet was used to take down Dyn. Now the latest IoT-related risk comes from the Peekaboo vulnerability, opening organizations to risk from an unexpected vector.

Multiple Vulnerabilities Add Risk

The Tenable team found two vulnerabilities; the first was an unauthenticated stack buffer overflow. A buffer overflow attack is when a hacker sends more data than a computer is designed to receive, leading the computer to inadvertently store the leftover data as commands the computer will later run. Buffer overflow is a common code-level issue that has been prevalent for years and can be identified through static analysis.
The second vulnerability was a backdoor in leftover debug code, so together the flaws allow hackers to explore the surveillance data and access login credentials, port usage, IP addresses, and other information on the camera equipment itself. These types of issues map directly to coding errors and the remediation exposure disciplines of software exposure. Let’s take a look, however, at what a patient hacker can do with this particular security camera hack. Here is a hypothetical example of how a hacker might use the Peekaboo vulnerability:

1. Turn off cameras or delete recordings by executing the buffer overflow
2. Allow individuals access to the building
3. Install additional software within the building for later use
4. Execute that software well after the initial camera hack, resulting in significant exploits against the compromised system
5. Confuse experts trying to determine the cause of the exploit due to the multi-step attack

Think Like a Hacker

As usual, the original hack itself is not the end game. Deleting data or controlling security cameras allows attackers to circumvent security systems to rob residences or businesses. However, my major concern is the potential for infrastructure terrorism on electrical grids, nuclear plants, or water supplies. Hackers play the long game, and we in the security field need to as well. The software industry must react quickly to vulnerabilities such as Peekaboo, either to provide a patch in our own software, or to apply it as soon as it’s available. Software runs most of the objects we know and use every day. It’s our responsibility to make it as safe and secure as possible. Source: https://securityboulevard.com/2018/09/dont-look-away-peekaboo-vulnerability-may-allow-hackers-to-play-the-long-game/


DDoS Attack on Infinite Campus Limits Parent Access

A distributed denial-of-service (DDoS) attack on Infinite Campus, an educational software provider that houses the parent portal for Oklahoma City Public Schools, created access issues for parents trying to connect to the district’s student information system. While this was not the first attack on Infinite Campus, district spokeswoman Beth Harrison told NewsOK that the most recent attacks were greater than any it had previously experienced in both volume and duration. “The latest series of attacks began Monday, September 17, and included multiple customers and data centers. Homeland Security is now involved and Infinite Campus has hired additional security experts to assure all data is safe and to track down the attack perpetrators.” In an announcement to parents explaining the cause of the access issues, Oklahoma City Public Schools wrote, “Please note that NO student data was stolen or breached. This attack just causes the service to be very slow or unresponsive. Many districts across the country are impacted and authorities are investigating. We’ll provide updates as soon as we have them. Thanks for your patience!” The attack comes at the beginning of a new school year, and while the motive is unclear at this point, attackers often have myriad objectives when orchestrating these types of attacks. According to recent research from Corero Network Security, during the first half of 2018 DDoS attacks increased 40% from Q2 2017 to Q2 2018. “This highlights the increasing need for organizations that rely on high levels of online availability to ensure they include the latest always-on, real-time, automatic DDoS protection in their defenses,” said Sean Newman, director of product management, Corero Network Security. “The key point is that such a critical service is able to be taken down by what is now a relatively cheap-and-simple-to-launch attack vector.
It’s good to see that a strong emphasis is being placed on the privacy of any data being held, but that doesn’t help with the disruption and inconvenience caused when such a vital service is down for an extended period of time.” Many online services are delivered by third parties such as Infinite Campus, and when these service providers are targeted with DDoS or other attacks, their customers feel the impact. “The attack on Oklahoma City’s student information system is just another example of just how many services, which are increasingly provided online for reasons of cost, efficiency and scalability, are delivered without adequate resiliency to distributed denial-of-service attacks,” Source: https://www.infosecurity-magazine.com/news/ddos-attacks-infinite-campus/


DDoS attack on education vendor hinders access to districts’ online portals

Multiple school districts are reportedly suffering the effects of a denial of service attack perpetrated against Blaine, Minn.-based Infinite Campus, a third-party online services provider. As a result, district residents may be unable to reliably use services such as the “Parent Portal,” through which teachers, parents and students can access information such as grades, class schedules and school notifications. One such district is Oklahoma City Public Schools, which has issued an online statement to locals explaining that “Access to your student’s information through the parent portal may be limited or inaccessible due to the ‘denial of service’ attack on our provider, Infinite Campus.” No data was breached or stolen in the incident, OCPS has assured residents. “Many districts across the country are impacted and authorities are investigating,” the notification continues. Indeed, the Natrona County School District in Wyoming has reportedly issued a similar statement. Source: https://www.scmagazine.com/home/news/cybercrime/ddos-attack-on-education-vendor-hinders-access-to-districts-online-portals/


Verizon Digital Media Services adds managed security services to its Cloud Security Solution

Verizon Digital Media Services announced it has added a managed cloud security offering as part of its global Cloud Security Solution. The managed cloud security component provides access to security professionals who monitor and take corrective action against security threats, no matter the time of day. The addition of this offering complements features previously available within Verizon Digital Media Services’ Cloud Security Solution, including a dual web application firewall (WAF), distributed denial-of-service (DDoS) protection, … Source: Help Net Security
