Plus: Cloudflare tackles huge DDoS attack, Apple and CSAM, and more In brief Razer is said to be working on an updated installer after it was discovered you can gain admin privileges on Windows by plugging in one of the gaming gear maker’s mice or keyboards.…
More:
Razer ponders how to fix installer that grants admin powers if you plug in a mouse
ThreatX announced new API Catalog capabilities to provide enterprises with a clear view of their API’s attack surface, as well as the operational health of APIs in production. ThreatX supports DevOps and Security teams by assessing traffic in real-time to reduce risk and protect critical APIs from misconfiguration, DDoS, BOT attacks and malicious use. APIs are under constant assault by sophisticated attackers. Any downtime or data loss experienced as a result of an API attack … More ? The post ThreatX API Catalog enables enterprises to reduce risk and protect critical APIs appeared first on Help Net Security .
Read this article:
ThreatX API Catalog enables enterprises to reduce risk and protect critical APIs
Here’s an overview of some of last week’s most interesting news and articles: Kaseya obtains universal REvil decryptor There’s finally some good news for the MSPs and their customers that have been hit by the REvil ransomware gang via compromised Kaseya VSA software: a universal decryptor has made it available to affected organizations. DDoS attacks are up, with ever-greater network impact With an overall rise in available network capacity, cyber criminals are increasingly targeting their … More ? The post Week in review: HiveNightmare on Windows 10, Kaseya obtains REvil decryptor appeared first on Help Net Security .
Continue reading here:
Week in review: HiveNightmare on Windows 10, Kaseya obtains REvil decryptor
Telia Carrier has announced the findings of a report with a perspective on today’s cyber threats from traffic data. The report investigates changes in attack vector, size and frequency, and reveals a staggering 50% increase in peak attack traffic compared to 2019, with a jump to 1.18 Terabytes per Second (TBps) or 887 Mega Packets Per Second (Mpps). In 2020, a staggering 57 Petabits or 14 tera packets of malicious data have been cleaned. During … More ? The post DDoS attacks are up, with ever-greater network impact appeared first on Help Net Security .
There has been a 33% increase in the number of DDoS attacks in H1 2021, according to a report published by Link11. Between January and June, there were record numbers of attacks compared to the same period last year. The report also found that between Q1 2021 and Q2 2021 there was a 19% increase in DDoS campaigns, some of which were over 100 Gbps in attack volume; further evidence that hackers are continuing to … More ? The post DDoS attacks increased 33% in H1 2021 appeared first on Help Net Security .
Read the original:
DDoS attacks increased 33% in H1 2021
Warning of acute ransom DDoS attacks against companies across Europe and North America on behalf of Fancy Lazarus The Link11 Security Operations Center (LSOC) has recently observed a sharp increase in ransom distributed denial of service (RDDoS or RDoS) attacks . Enterprises from a wide range of business sectors are receiving extortion e-mails from the sender Fancy Lazarus demanding 2 Bitcoins (approx. 66,000 euros): “It’s a small price for what will happen when your whole network goes down. Is it worth it? You decide!”, the extortionists argue in their e-mail. So far, LSOC has received reports of RDoS attacks from several European countries, such as Germany and Austria, and the USA and Canada . How the DDoS extortionists operate The perpetrators gather information about the company’s IT infrastructure in advance and provide clear details in the extortion e-mail about which servers and IT elements they will target for the warning attacks. To exert pressure, the attackers rely on demo attacks , some of which last several hours and are characterized by high volumes of up to 200 Gbps . To achieve these attack bandwidths, the perpetrators use reflection amplification vectors such as DNS. If the demands are not met, the contacted company is threatened with massive high-volume attacks of up to 2 Tbsp . The organization has 7 days to transfer the Bitcoins to a specific Bitcoin wallet. The e-mail also states that the ransom would increase to 4 Bitcoin with the passing of the payment deadline and increase by another Bitcoin with each additional day. Sometimes, the announced attacks fail to materialize after the expiration of the ultimatum. In other cases, DDoS attacks cause considerable disruption to the targeted companies. Suspected perpetrators already made headlines worldwide The perpetrators are no unknowns. In the fall of 2020, payment providers, financial service providers, and banking institutions worldwide were blackmailed with an identical extortion target and hit with RDoS attacks. Hosting providers, e-commerce providers, and logistics companies were also the focus of the blackmailers, showing they target businesses indiscriminately. They also operated under the names Lazarus Group and Fancy Bear or posed as Armada Collective. The perpetrators are even credited with the New Zealand stock exchange outages at the End of August 2020, which lasted several days. The new wave of extortion hits many companies when a large part of the staff is still organized via remote working and depends on undisrupted access to the corporate network. Marc Wilczek, Managing Director of Link11: “The rapid digitization that many companies have gone through in the past pandemic months is often not yet 100% secured against attacks. The surfaces for cyber attacks have risen sharply, and IT has not been sufficiently strengthened. Perpetrators know how to exploit these still open flanks with perfect precision.” What to do in the event of DDoS extortion As soon as they receive an extortion e-mail, companies should proactively activate their DDoS protection systems and not respond to the extortion under any circumstances. If the protection solution is not designed to scale to volume attacks of several hundred Gbps and beyond, it is important to find out how company-specific protection bandwidth can be increased in the short term and guaranteed with an SLA . If necessary, this should also be implemented via emergency integration . LSOC’s observation of the perpetrators over several months has shown: Companies that use professional and comprehensive DDoS protection can significantly reduce their downtime risks . As soon as the attackers realize their attacks are going nowhere, they stop them and let nothing more be heard of them. LSOC advises attacked companies to file a report with law enforcement authorities . The National Cyber Security Centers are the best place to turn. Source: https://www.link11.com/en/blog/threat-landscape/new-wave-ddos-extortion-campaigns-fancy-lazarus/
See the original article here:
A New Wave of DDoS Extortion Campaigns by Fancy Lazarus
The group, known for masquerading as various APT groups, is back with a spate of attacks on U.S. companies. A distributed denial-of-service (DDoS) extortion group has blazed back on the cybercrime scene, this time under the name of “Fancy Lazarus.” It’s been launching a series of new attacks that may or may not have any teeth, researchers said. The new name is a tongue-in-cheek combination of the Russia-linked Fancy Bear advanced persistent threat (APT) and North Korea’s Lazarus Group. The choice seems natural, given that the gang was last seen – including in a major campaign in October – purporting to be various APTs, including Armada Collective, Fancy Bear and Lazarus Group. According to Proofpoint, this time around the gang has been sending threatening, targeted emails to various organizations, including those operating in the energy, financial, insurance, manufacturing, public utilities and retail sectors – asking for a two-Bitcoin (BTC) starting ransom (around $75,000) if companies want to avoid a crippling DDoS attack. The price doubles to four BTC after the deadline, and increases by one BTC each day after that. The targets are mostly located in the U.S. While it’s hard to make a definitive correlation, the timing of some of the Fancy Lazarus campaigns correspond with high-profile ransomware attacks over the past six months, in terms of targeting the same vertical industries, according to Sherrod DeGrippo, senior director of threat research and detection at Proofpoint. “These include utility, natural gas and manufacturing,” she told Threatpost. “This could be an attempt to ride the coattails of high-profile news stories and result in a higher likelihood of payment. Another trend we have seen over the past four months are a focus on sending these threats to financial institutions and large insurance providers.” Email Campaign Details The emails announce that the organization is being targeted by Fancy Lazarus, and they threaten a DDoS attack in seven days if the target doesn’t pay up, according to an analysis on Thursday from Proofpoint. The messages also warn of potential damage to reputation and loss of internet access at offices, and then promise that a “small attack” will be launched on a specific IP, subnet or Autonomous System with an attack of 2Tbps, as a preview of things to come. The emails are either in plain text, HTML-based or present the letter in an embedded .JPG image – likely a detection-evasion technique, Proofpoint noted. “The emails are typically sent to well researched recipients, such as individuals listed as contacts in Border Gateway Protocol (BGP) or Whois information for company networks,” according to Proofpoint’s analysis. “The emailed individuals also work in areas such as communications, external relations, investor relations. Additionally, extortion emails are often sent to email aliases such as help desk, abuse, administrative contacts or customer service.” Meanwhile, the sender email is unique to each target. They use a random “first name, last name” convention for the ender, using fake names. The ransom note. Source: Proofpoint. Some of this is a change in tactics from previous campaigns by the group. For instance, Proofpoint noted that the starting ransom was 10 or 20 BTC in 2020 campaigns – a change that was made likely to account for exchange-rate fluctuations. In October for instance, a 20-BTC demand translated to $230,000. Also, previously the sender names on the emails often contained the name of an APT that was in the headlines, such as Fancy Bear; or, they included the targeted company’s CEO name. Sometimes a Hoax? It’s unknown whether the group always follows through on its threat to launch massive DDoS attacks. An FBI alert on the group from last August said that while the group had taken aim at thousands of organizations from multiple global industry verticals by that point, many of them saw no further activity after the deadline expired – or, they were able to easily mitigate it. In some cases though, such as was the case with Travelex, “the threat actor conducted a volumetric attack on a custom port of four IP addresses serving the company’s subdomains, according to Intel471 researchers writing last year. Two days later, the attackers carried out another DNS amplification attack against Travelex using Google DNS servers, the firm reported. “While FBI reporting indicates they do not always follow through on their threat of a DDoS, there have been several prominent institutions that have reported an impact to their operations and other impacted companies have just been successful at mitigating the attacks,” DeGrippo said. “This type of behavior keeps them more closely aligned with that of a cybercriminal versus a scam artist.” In any case, it’s important for companies and organizations to be prepared by having appropriate mitigations in place such as using a DDoS protection service and having disaster recovery plans at the ready, she added. Ransom DDoS: A Growing Tactic Ransom DDoS is not a recent development, but it has become more popular of late, according to DeGrippo, thanks to the mainstreaming of Bitcoin and Ethereum. “While RDDoS existed earlier this type of extortion likely did not catch on until, in part, the adoption of cryptocurrency, which allowed the threat actors a safer means to receive payment,” she told Threatpost. “These kinds of campaigns have been done in an organized fashion for the past year.” She added that Fancy Lazarus’ choice to align its ransom demand with the fluctuating price of cryptocurrency is notable. “As Bitcoin prices fluctuate, we see some change in their demand amounts, proving that cryptocurrency markets and malicious actor activity are absolutely correlated,” she said. “This has been the case since at least 2016 in the early days of large-scale ransomware. Threat actors send their campaigns when the prices are most advantageous, attempting to make more money when the various currencies are at a high valuation. Other actors use other cryptocurrencies like Ethereum, but Bitcoin continues to be the massively popular coin of choice for malicious threat actors.” While it’s impossible to know the success rate of the Fancy Lazarus campaigns, “given the potentially substantial financial payoff for relatively little work on the threat actor’s part, a low success rate would still make this a worthwhile tactic,” DeGrippo noted. One trend to watch is the addition of ransomware to the mix going forward. In February, the REvil ransomware gang started adding DDoS attacks to its efforts, in an effort to ratchet up the pressure to pay. Source: https://threatpost.com/fancy-lazarus-cyberattackers-ransom-ddos/166811/
Read this article:
‘Fancy Lazarus’ Cyberattackers Ramp up Ransom DDoS Efforts
Security is front of mind for a lot of organizations these days, especially due to the 400% increase in cyberattacks since the pandemic started. Notable and alarming attacks include those on the federal government by nation-state threat actors using widely used third-party tools as vehicles for intrusion. Your contact center is no exception: it’s facing standard cyber security threats, such as DDoS attacks, but also seeing an increase in attacks targeting customers’ personal data. If … More ? The post How can companies prioritize contact center security? appeared first on Help Net Security .
View article:
How can companies prioritize contact center security?
Several recent cyber incidents targeting critical infrastructure prove that no open society is immune to attacks by cybercriminals. The recent shutdown of key US energy pipeline marks just the tip of the iceberg. Critical infrastructure is becoming more dependent on networks of interconnected devices. For example, only a few decades ago, power grids were essentially operational silos. Today, most grids are closely interlinked — regionally, nationally, and internationally as well as with other industrial sectors. And in contrast to discrete cyberattacks on individual companies, a targeted disruption of critical infrastructure can result in extended supply shortages, power blackouts, public disorder, and other serious consequences. According to the World Economic Forum (WEF), cyberattacks on critical infrastructure posed the fifth-highest economic risk in 2020, and the WEF called the potential for such attacks “the new normal across sectors such as energy, healthcare, and transportation.” Another report noted that such attacks can have major spillover effects. Lloyd’s and the University of Cambridge’s Centre for Risk Studies calculated the prospective economic and insurance costs of a severe cyberattack against America’s electricity system could amount to more than $240 billion and possibly more than $1 trillion. Given these potential far-reaching consequences, cyberattacks on critical infrastructure have become a big concern for industry and governments everywhere — and recent events haven’t done much to allay these fears. A Worldwide Phenomenon In May 2021, a huge distributed denial-of-service (DDoS) attack crippled large sections of Belgium’s Internet services, affecting more than 200 organizations, including government, universities, and research institutes. Even parliamentary debates and committee meetings were stalled since no one could access the online services they needed to participate. A few days later, a ransomware attack shut down the main pipeline carrying gasoline and diesel fuel to the US East Coast. The Colonial Pipeline is America’s largest refined-products pipeline. The company says it transports more than 100 million gallons a day of fossil fuels, including gasoline, diesel, jet fuel, and heating oil — or almost half the supply on the East Coast, including supplies for US military facilities. In August 2020, the New Zealand Stock Exchange (NZX) was taken offline for four trading days after an unprecedented volumetric DDoS attack launched through its network service provider. New Zealand’s government summoned its national cybersecurity services to investigate, and cyber experts suggested the attacks might have been a dry run of a major attack on other global stock exchanges. In October 2020, Australia’s Minister for Home Affairs, Peter Dutton, said his country must be ready to fight back against disastrous and extended cyberattacks on critical infrastructure that could upend whole industries. Obvious Uptick in DDoS Attacks During the pandemic, there’s been a huge increase in DDoS attacks, brute-forcing of access credentials, and malware targeting Internet-connected devices. The average cost of DDoS bots has dropped and will probably continue to fall. According to Link11’s Q1/2021 DDoS report, the number of attacks witnessed more than doubled, growing 2.3-fold year-over-year. (Disclosure: I’m the COO of Link11.) Unlike ransomware, which must penetrate IT systems before it can wreak havoc, DDoS attacks appeal to cybercriminals because they’re a more convenient IT weapon since they don’t have to get around multiple security layers to produce the desired ill effects. The FBI has warned that more DDoS attacks are employing amplification techniques to target US organizations after noting a surge in attack attempts after February 2020. The warnings came after other reports of high-profile DDoS attacks. In February, for example, the largest known DDoS attack was aimed at Amazon Web Services. The company’s infrastructure was slammed with a jaw-dropping 2.3 Tb/s — or 20.6 million requests per second — assault, Amazon reported. The US Cybersecurity and Infrastructure Security Agency (CISA) also acknowledged the global threat of DDoS attacks. Similarly, in November, New Zealand cybersecurity organization CertNZ issued an alert about emails sent to financial firms that threatened a DDoS attack unless a ransom was paid. Predominantly, cybercriminals are just after money. The threat actors behind the most recent and ongoing ransom DDoS (RDDoS or RDoS) campaign identify themselves as state-backed groups Fancy Bear, Cozy Bear, Lazarus Group, and Armada Collective — although it remains unclear whether that’s just been a masquerade to reinforce the hacker’s demands. The demanded ransoms ranged between 10 and 20 Bitcoin (roughly worth $100,000 to $225,000 at the time of the attacks), to be paid to different Bitcoin addresses. Mitigating the Risk Critical infrastructure is often more vulnerable to cyberattacks than other sectors. Paying a ransom has ethical implications, will directly aid the hackers’ future operations (as noted by the FBI), and will encourage them to hunt other potential victims. Targeted companies are also urged to report any RDoS attacks affecting them to law enforcement. Organizations can’t avoid being targeted by denial-of-service attacks, but it’s possible to prepare for and potentially reduce the impact should an attack occur. The Australian Cyber Security Centre notes that “preparing for denial-of-service attacks before they occur is by far the best strategy; it is very difficult to respond once they begin and efforts at this stage are unlikely to be effective.” However, as the architecture of IT infrastructure evolves, it’s getting harder to implement effective local mitigation strategies. Case in point: Network perimeters continue to be weak points because of the increasing use of cloud computing services and devices used for remote work. Also, it is increasingly infeasible to backhaul network traffic, as legitimate users will be banned, too — potentially for hours or days. To minimize the risk of disruption and aim for faster recovery time objectives (RTOs) after an attack, organizations should become more resilient by eliminating human error through stringent automation. These days, solutions based on artificial intelligence and machine learning offer the only viable means of protection against cyberattacks. Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across … View Full Bio Source: https://www.darkreading.com/attacks-breaches/critical-infrastructure-under-attack-/a/d-id/1340960
Original post:
Critical Infrastructure Under Attack
In 2020, attacks against Windows Remote Desktop Protocol (RDP) grew by 768%, according to ESET. But this shouldn’t come as a surprise, given the massive increase in people working remotely during the pandemic. With enterprises resorting to making RDP services publicly available, hackers have taken notice. Some DDoS attacks are leveraging RDP servers to amplify their effect, and malware like Trickbot is employing scanners to identify vulnerable open RDP ports. When it comes to remote … More ? The post Defending against Windows RDP attacks appeared first on Help Net Security .
See more here:
Defending against Windows RDP attacks