Category Archives: DDoS Vendors

DDoS attacks could cost enterprises over $2.5 million in revenue

A new report from information services specialist Neustar looks at the frequency and cost of DDoS attacks and what is being done to counter the threat. In terms of revenue loss, three percent of organizations report average revenue loss of at least $250,000 per hour, with 51 percent taking at least three hours to detect an attack and 40 percent taking at least three hours to respond, that means an attack could cost over $2.5 million. Attacks are getting larger too, with 45 percent of DDoS attacks delivered at more than 10 gigabits per second (Gbps), and 15 percent of attacks being at least 50 Gbps, almost double the number reported last year. In total 849 out of 1,010 organizations surveyed were attacked, with no particular industry spared, an increase of 15 percent since 2016. 86 percent of those attacked were also hit more than once. Also customers are often the first to spot a problem, with 40 percent of respondents reporting receiving attack alerts from customers, up from 29 percent in 2016. “Distributed Denial of Service (DDoS) attacks are the zeitgeist of today’s Internet,” says Barrett Lyon, pioneer of the DDoS defense industry and head of research and development at Neustar Security Solutions. “The question organizations must ask now is how they are prepared to manage these highly disruptive events. Are they prepared for the bad day where their customers call and ask why the website is down?” Ransomware now often goes hand in hand with DDoS too, the number of instances of this increased 53 percent since 2016. 51 percent of attacks involved some sort of loss or theft with a 38 percent increase year on year in thefts of customer data, financial and intellectual property. Whilst almost all organizations surveyed have some form of DDoS protection in place, 90 percent say they are investing more than they did a year ago and 36 percent think they should be investing more still. Source: https://betanews.com/2017/05/04/ddos-attack-cost/

Netflix Incident A Sign Of Increase In Cyber Extortion Campaigns

Attackers using threats of data exposure and DDoS disruptions to try and extort ransoms from organizations The recent leak of 10 unaired episodes from Season 5 of Netflix’ hit series “Orange Is The New Black” shows that ransomware is not the only form of online extortion for which organizations need to be prepared. Increasingly, cyber criminals have begun attempting to extort money from organizations by threatening to leak corporate and customer data, trade secrets, and intellectual property. Instead of encrypting data and seeking a ransom for decrypting it, criminals have begun using doxing as a leverage to try and quietly extort bigger sums from enterprises. “Targeted attacks are the new cybersecurity threat and are on the rise,” says Nir Gaist, CEO and co-founder of security vendor Nyotron. “Organizations, regardless of industry or size, can be targeted with cyber extortion or espionage as the hackers’ goal.” The reason why there isn’t more noise over such incidents is that victims often like to keep quiet about them, he says. “Unless the company is regulated to report the attack, they will keep it quiet to keep brand and reputation intact,” Gaist says. Even in the case of the Netflix leak, for instance, it was the hackers themselves who announced the attack. “There was no monetary loss due to the early release of the ‘Orange is the New Black’ episodes, but there was reputation loss and brand damage,” he says. A malicious hacker or hacking group calling itself TheDarkOverload earlier this week claimed responsibility for publicly posting several episodes of the Netflix series after apparently stealing them from Larson Studio, a small post-production company, back in December. The hackers first tried to extort money from Larson Studio before going after Netflix directly. When Netflix refused to acquiesce to the extortion demand, the hackers released the unaired episodes. The hackers claimed to have stolen several more unaired episodes of TV programs from Netflix, Fox, and National Geographic and have threatened to release them as well. It is not clear if the hackers have made any extortion demands from the various studios. The Netflix incident is an example of the growing threat to organizations from extortion scams, says Moty Cristal the CEO of NEST Negotiation Strategies, a firm that specializes in helping organizations negotiate with online extortionists. Cyber extortion can include the threat of DDoS attacks and data exposure. The goal of attackers is to find a way to threaten targets with the most damage, either financial or from a brand reputation standpoint, Cristal explains. Any decision on whether to pay or not to pay should be based on an assessment of the potential damage, both real and perceived, that the attacker could wreak, and the company’s ability to withstand such damage, Cristal says. In the Netflix incident, the fact that the attackers demanded just around 50 bitcoin for the stolen episodes suggests they were likely motivated more by the need to be recognized and professionally acknowledged than by financial gain, Cristal adds. Surprisingly, targeted extortion attacks do not always have to be sophisticated to be successful, although sometimes they can very sophisticated Gaist says. “In a targeted attack, the hacker will attempt to find a simple vulnerability to get in,” he says. “Unfortunately for most companies, basic security hygiene is simply not attended to properly – leaving them completely vulnerable to a targeted attack.” While attacks that result in potential exposure of customer and corporate data can be scary, there are a couple of good reasons not to pay, security analysts say. One of course is that paying off a ransom or extortion is only likely to inspire more attempts. An organization that shows its willingness to pay to get data back or to prevent something bad from happening will almost certainly be attacked again. The other reason is that not all extortion scams are real. In fact, a lot of times attackers will attempt to scare money out of an organization with false threats. Last year for instance, a malicious hacking group calling itself the Armada Collective sent extortion letters to some 100 companies threatening them with massive distributed denial of service attacks if they did not pay a specific ransom amount. Security vendor CloudFlare, which analyzed the Armada Collective’s activities, estimated that the group netted hundreds of thousands of dollars in ransom payments from victims, without carrying out a single attack. Meg Grady-Troia, web security product marketing manager at Akamai, says paying a ransom doesn’t necessarily guarantee a chosen outcome. “So doing separate analysis of the request for payment and the real threat is critical for any organization.” Akamai’s customers have seen a lot of extortion letters, threatening a DDoS attack if a specified amount of bitcoin is not deposited to an identified wallet by a certain time, she says. These letters have come from a number of groups, including DD4BC, Armada Collective, Lizard Squad, XMR Squad, and others. Often though, there is very little follow-through. “Some of these DDoS extortion letters are merely profit-making schemes, while some are serious operations with the resources to damage a business,” says Grady-Troia. Paying a ransom is no guarantee that your data still won’t be leaked, she says. “Once data has been exfiltrated from your system, the blackmail may or may not continue after the requested payment, or it may still be leaked.” What organizations need to be focusing on is DDoS attack resilience and the operational agility of their systems, particularly access controls, backup procedures, and digital supply chain. “The importance of online extortion depends immensely on the nature of the threat and the enterprise’s risk tolerance,” Grady-Troia says. “Businesses should have a security event or incident response process that can be invoked in the case of any attack, and that process should include subject matter experts for systems and tools, procedures for all kinds of hazards.” Source: http://www.darkreading.com/attacks-breaches/netflix-incident-a-sign-of-increase-in-cyber-extortion-campaigns/d/d-id/1328794

Read the article:
Netflix Incident A Sign Of Increase In Cyber Extortion Campaigns

Malware Hunter: Find C&C servers for botnets

Recorded Future and Shodan released Malware Hunter, a specialized crawler for security researchers that explores the Internet to find computers acting as remote access trojan (RAT) command and control centers. What Malware Hunter does Malware Hunter unearths computers hosting RAT controller software that remotely controls malware-infected computers and instructs them to execute malicious activities such as recording audio, video, and keystrokes on a victim’s machine. Using command and control servers, attackers can launch widescale attacks … More ?

More than 400 DDos attacks identified using new attack vector – LDAP

Hackers use misconfigured LDAP servers – Connectionless Lightweight Directory Access Protocol (CLDAP) – to provide a means to launch DDoS attacks. More than 400 DDoS attacks taking advantage of misconfigured LDAP servers have been spotted by security researchers. CLDAP DDoS attacks use an amplification technique, which takes advantage of the Connectionless Lightweight Directory Access Protocol (CLDAP): LDAP is one of the most widely used protocols for accessing username and password information in databases like Active Directory, which is integrated in many online servers. When an Active Directory server is incorrectly configured and exposes the CLDAP service to the Internet it is vulnerable to be leveraged to perform DDoS attacks. Since its discovery in October 2016, researchers at Corero Network Security have observed a total of 416 CLDAP DDoS attacks, most of which are hosting and internet service providers. The largest attack volume recorded was 33 Gbps, with an average volume of 10 Gbps. The attacks averaged 14 minutes long in duration. “These powerful short duration attacks are capable of impacting service availability, resulting in outages, or acting as a smoke screen for other types of cyber-attacks, including those intended for breach of personally identifiable data,” said Stephanie Weagle, vice president of marketing at Corero Network Security, in a blog post. Stephen Gates, chief research intelligence analyst from NSFOCUS, told SC Media UK that in the quest to find new means of launching DDoS attacks, hackers have once again found open devices on the Internet running weak protocols that can be exploited for their personal gain. “However, like any other reflective DDoS attack campaign, the number of available reflectors is of critical importance. In addition, the amplification factor those reflectors afford is the second stipulation,” he said. “In this case, the number of open devices on the Internet running CLDAP is relatively small, in comparison to open DNS and NTP reflectors; yet the amplification factor is respectable (~70x). Surely, this attack technique is new, but it is not the worse seen so far. This vector will likely be used in combination with other reflective attack techniques, and rarely used on its own. Until the world’s service providers fully implement BCP-38, similar discoveries and resulting campaigns will continue to plague us all.” Bogdan Botezatu, senior E-Threat analyst at Bitdefender, told SC that a CLDAP attack is designed around third parties: an entity running a misconfigured instance of CLDAP, a victim and an attacker. “The attacker would ask the CLDAP infrastructure to retrieve all the users registered in the Active Directory. Because the attacker makes this query look like it was initiated by the victim by replacing the originating IP address with the victim’s, the CLADP service will actually send the answer to the victim,” he said. “Subsequently, the victim finds itself being bombarded with the information they did not request. If the attacker can harness enough power, the victim’s infrastructure will crash under a load of unsolicited information.” He said that organisations could deploy strong, restrictive firewall policies for inbound traffic. “Load balancing and specialised hardware can also help organisations absorb the impact,” said Botezatu. Source: https://www.scmagazineuk.com/more-than-400-ddos-attacks-identified-using-new-attack-vector–ldap/article/652939/

View original post here:
More than 400 DDos attacks identified using new attack vector – LDAP

8 DDoS Attacks That Made Enterprises Rethink IoT Security

Distributed Denial of Service Disasters The overall frequency of distributed denial of service (DDoS) attacks increased in 2016 thanks, in part, to Internet of Things botnets, according to information service provider Neustar. The company said it mitigated 40 percent more DDoS attacks from January through November, compared to the year earlier. Neustar warned that as botnet code assemblies are published, dangerous new DDoS developments will continue to emerge, such as persistent device enrollment, which enables botnet operators to maintain control of a device even after it’s rebooted. From colleges to entire U.S. regions, here are eight situations where vulnerable IoT devices brought down networks. DDoS Attack Affects U.S. College For 54 Hours A distributed denial of service attack on a college in February, recently made public by security firm Incapsula, affected that institution’s network for 54 hours straight. Incapsula recently revealed the attack, noting that the attackers seemed adept at launching application layer assaults on vulnerable IoT devices. “Based on a number of signature factors, including header order, header values and traffic sources, our client classification system immediately identified that the attack emerged from a Mirai-powered botnet,” according to an Incapsula spokesperson in a blog post. “Our research showed that the pool of attacking devices included those commonly used by Mirai, including CCTV cameras, DVRs and routers.” DDoS Attack Takes Down Netflix, Twitter An October DDoS attack – which was launched through IoT devices and blocked an array of websites – deepened the industry’s concerns over the security risk of the Internet of Things. The denial of service attack was launched through Internet of Things consumer devices, including webcams, routers and video recorders, to overwhelm servers at Dynamic Network Services (Dyn) and led to the blockage of more than 1,200 websites. The attack on Dyn, which connects users to websites such as Twitter and Netflix, came from tens of millions of addresses on devices infected with malicious software codes, knocking out access by flooding websites with junk data. DDoS Attack Through Vending Machines Hits University Verizon’s preview of its 2017 Data Breach Digest in February revealed that an unnamed university was hit by a DDoS attack launched through vending machines, lights, and 5,000 other IoT devices. According to Verizon, an incident commander noticed that “name servers, responsible for Domain Name Service (DNS) lookups, were producing high-volume alerts and showed an abnormal number of sub-domains related to seafood.” While administrators were locked out, the university intercepted “the clear text password for a compromised IoT device over the wire and then use that information to perform a password change before the next malware update.” DDoS Attacks Attempted Against Campaign Websites of Hillary Clinton And Donald Trump According to security firm Flashpoint, hackers attempted four Mirai botnet DDoS attacks in November against the campaign websites of Hillary Clinton and Donald Trump. According to Flashpoint, the company observed a 30-second HTTP Layer 7 (application layer) attack against Trump’s website, while the next day, it saw attacks against both Trump and Clinton’s campaign sites. While attacks were attempted, neither website observed or reported outages. “Flashpoint assesses with moderate confidence that the Mirai botnet has been fractured into smaller, competing botnets due to the release of its source code, which has led to the proliferation of actors exploiting the botnet’s devices,” a spokesperson wrote on Flashpoint’s website. BBC Domain Downed By By DDoS Attack On New Year’s Eve 2016, the BBC’s website was hit by a DDoS attack that downed its entire domain – including on-demand television and radio player – for more than three hours. While BBC originally said that it was undergoing a technical issue, the broadcaster’s news organization later said the outage was a result of a DDoS attack, according to “sources within the BBC.” Russian Banks Hit With Waves Of DDoS Attacks In November, at least five Russian banks, including Sberbank and Alfabank banks, were the victims of prolonged DDoS attacks that lasted over two days. According to Security Affairs, the attack came from a wide-scale botnet involving up to 24,000 computers and IoT devices that were located in 30 countries. The banks’ online clients services were not disrupted. According to security firm Kaspersky Lab, the incident was the first time that massive DDoS attacks hit Russian banks in 2016. Rio Olympics Organizations Hit By DDoS Attack Staged By LizardStresser Arbor Networks’ security engineering and response team revealed in a statement that several organizations affiliated with the Olympics came under “large-scale volumetric” DDoS attacks beginning in September 2015. “A large proportion of the attack volume consisted of UDP reflection and amplification attack vectors such as DNS, chargen, ntp, and SSDP, along with direct UDP packet-flooding, SYN-flooding, and application-layer attacks targeting Web and DNS services,” said Arbor Networks in a statement. According to Arbor Networks, a DDoS-for-hire service, called LizardStresser, staged most of the pre-Olympic attacks. Despite the attacks, Arbor Networks performed several mitigation measures to help Olympics administrators keep their systems running. Brian Krebs’ Website Experienced DDoS Attack In September 2016, security investigative reporter Brian Krebs’ information blog experienced a DDoS attack. The attack reportedly placed peak traffic at around 620 Gbps. Krebs determined a Mirai botnet was responsible for the attack: “The source code that powers the IoT botnet responsible for launching the historically large DDoS attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices,” he stated on his blog. “My guess is that (if it’s not already happening) there will soon be many Internet users complaining to their ISPs about slow Internet speeds as a result of hacked IoT devices on their network hogging all the bandwidth. On the bright side, if that happens it may help to lessen the number of vulnerable systems,” said Krebs in the blog post. Source: http://www.crn.com/slide-shows/internet-of-things/300084663/8-ddos-attacks-that-made-enterprises-rethink-iot-security.htm

Original post:
8 DDoS Attacks That Made Enterprises Rethink IoT Security

Teenage hacker jailed for masterminding attacks on Sony and Microsoft

Adam Mudd jailed for two years for creating attack-for-hire business responsible for more than 1.7m breaches worldwide. A man has been jailed for two years for setting up a computer hacking business that caused chaos worldwide. Adam Mudd was 16 when he created the Titanium Stresser program, which carried out more than 1.7m attacks on websites including Minecraft, Xbox Live and Microsoft and TeamSpeak, a chat tool for gamers. He earned the equivalent of more than £386,000 in US dollars and bitcoins from selling the program to cyber criminals. Mudd pleaded guilty and was sentenced at the Old Bailey. The judge, Michael Topolski QC, noted that Mudd came from a “perfectly respectable and caring family”. He said the effect of Mudd’s crimes had wreaked havoc “from Greenland to New Zealand, from Russia to Chile”. Topolski said the sentence must have a “real element of deterrent” and refused to suspend the jail term. “I’m entirely satisfied that you knew full well and understood completely this was not a game for fun,” he told Mudd. “It was a serious money-making business and your software was doing exactly what you created it to do.” Mudd showed no emotion as he was sent to a young offender institution. During the two-day hearing, Jonathan Polnay, prosecuting, said the effect of Mudd’s hacking program was “truly global”, adding: “Where there are computers, there are attacks – in almost every major city in the world – with hotspots in France, Paris, around the UK.” The court heard that Mudd, who lived with his parents, had previously undiagnosed Asperger syndrome and was more interested in status in the online gaming community than the money. The court heard that the defendant, now 20, carried out 594 of the distributed denial of service (DDoS) attacks against 181 IP addresses between December 2013 and March 2015. He has admitted to security breaches against his college while he was studying computer science. The attacks on West Herts College crashed the network, cost about £2,000 to investigate and caused “incalculable” damage to productivity, the court heard. On one occasion in 2014, the college hacking affected 70 other schools and colleges, including Cambridge, Essex and East Anglia universities as well as local councils. Mudd’s explanation for one of the attacks was that he had reported being mugged to the college but claimed no action was taken. Polnay said there were more than 112,000 registered users of Mudd’s program who hacked about 666,000 IP addresses. Of those, nearly 53,000 were in the UK. Among the targets was the fantasy game RuneScape, which had 25,000 attacks. Its owner company spent £6m trying to defend itself against DDoS attacks, with a revenue loss of £184,000. The court heard that Mudd created Titanium Stresser in September 2013 using a fake name and address in Manchester. He offered a variety of payment plans to his customers, including discounts for bulk purchases of up to $309.99 for 30,000 seconds over five years as well as a refer-a-friend scheme. Polnay said: “This is a young man who lived at home. This is not a lavish lifestyle case. The motivation around this we tend to agree is about status. The money-making is by the by.” When he was arrested in March 2015, Mudd was in his bedroom on his computer, which he refused to unlock before his father intervened. Mudd, from Kings Langley in Hertfordshire, pleaded guilty to one count of committing unauthorised acts with intent to impair the operation of computers; one count of making, supplying or offering to supply an article for use in an offence contrary to the Computer Misuse Act; and one count of concealing criminal property. Ben Cooper, defending, appealed for his client to be given a suspended sentence. He said Mudd had been “sucked into” the cyber world of online gaming and was “lost in an alternate reality” after withdrawing from school because of bullying. Mudd, who was expelled from college and now works as a kitchen porter, had been offline for two years, which was a form of punishment for any computer-obsessed teenager, Cooper said. The “bright and high-functioning” defendant understood what he did was wrong but at the time he lacked empathy due to his medical condition, the court heard. Cooper said: “This was an unhappy period for Mr Mudd, during which he suffered greatly. This is someone seeking friendship and status within the gaming community.” But the judge said: “I have a duty to the public who are worried about this, threatened by this, damaged by this all the time … It’s terrifying.” Source: https://www.theguardian.com/technology/2017/apr/25/teenage-hacker-adam-mudd-jailed-masterminding-attacks-sony-microsoft

Link:
Teenage hacker jailed for masterminding attacks on Sony and Microsoft

Brit behind Titanium Stresser DDoS malware sent to chokey

20-year-old Herts man slapped with two years’ stripey suntan time A Hertfordshire man has been jailed for two years after netting nearly £400,000 from the malware he wrote as a 15-year-old student.…

See more here:
Brit behind Titanium Stresser DDoS malware sent to chokey

Locky ransomware makes a comeback, courtesy of Necurs botnet

The Necurs botnet has, once again, begun pushing Locky ransomware on unsuspecting victims. The botnet, which flip-flops from sending penny stock pump-and-dump emails to booby-trapped files that lead to malware (usually Locky or Dridex), has been spotted slinging thousand upon thousand of emails in the last three or four days. “Talos has seen in excess of 35K emails in the last several hours associated with this newest wave of Locky,” Cisco Talos researchers noted on … More ?

Continued here:
Locky ransomware makes a comeback, courtesy of Necurs botnet

Linksys Routers Vulnerable to DDoS Attack

Flaws in the routers’ firmware could let hackers access configuration settings and execute remote commands. Linksys said it’s working on a patch. Linksys this week identified several vulnerabilities in its router firmware that allow hackers to bypass authentication and perform denial of service (DDoS) attacks. The company said it is working on a fix for the vulnerabilities, which were discovered by security researchers at IOActive in January and affect more than two dozen models of Linksys wireless routers in the WRT and EAxxx series. IOActive found 10 separate issues in the Linksys firmware, including high-risk vulnerabilities that could let hackers exploit routers using default credentials to log in, view router settings, and execute remote commands. “Two of the security issues we identified allow unauthenticated attackers to create a Denial-of-Service (DoS) condition on the router,” IOActive researcher Tao Sauvage wrote in a blog post. “By sending a few requests or abusing a specific API, the router becomes unresponsive and even reboots. The Admin is then unable to access the web admin interface and users are unable to connect until the attacker stops the DoS attack.” The vulnerabilities, which are similar to those found in many other Internet of Things (IoT) devices, are particularly worrisome because they could be used in future attacks of the sort that took large swaths of the internet offline for several hours last fall. Sauvage said that “11 percent of the active devices exposed were using default credentials, making them particularly susceptible to an attacker easily authenticating and potentially turning the routers into bots, similar to what happened in last year’s Mirai Denial of Service (DoS) attacks.” Linksys published a full list of the router models that are affected, and suggested that owners change the default password for their administrator account. The company said it is working to provide a firmware update for all of the affected models, but didn’t offer details on when it would be ready. Source: http://www.pcmag.com/news/353228/linksys-routers-vulnerable-to-ddos-attacks

View post:
Linksys Routers Vulnerable to DDoS Attack

New DDoS Attacks Use Far Fewer Infected Hosts

Akamai Technologies has identified a new attack method generating extremely large distributed denial of service (DDoS) attacks against educational institutions and other types of organizations but without the millions of infected hosts typically seen in these scenarios. In a threat advisory recently published by the content delivery network company’s security intelligence response team, researchers described a reflection and amplification method that can produce “significant attack bandwidth” through “significantly fewer hosts.” What’s required are open ports allowing LDAP traffic. The company’s security experts have detected and mitigated a total of 50 Connection-less Lightweight Directory Access Protocol (CLDAP) reflection attacks. CLDAP was intended as an “efficient alternative to LDAP queries done over Transmission Control Protocol (TCP). Most of the attacks seen in the wild used CLDAP reflection exclusively. Twice, education has been the target. However, the primary victims have been in the software and technology industry, where 21 attacks have taken place, and the gaming segment, which has had 15 attacks. The largest of the attacks hit its target with a peak bandwidth of 24 gigabits per second and a top count of packets per second of 2 million. The source port was 386, the port used by Lightweight Directory Access Protocol (LDAP). According to the report, signatures of the attack suggest that it’s “capable of impressive amplification.” For example, Akamai security people obtained sample malicious LDAP reflection queries that had a payload of only 52 bytes. Yet the attack data payload was 3,662 bytes, meaning that the amplification factor was 73. More typically, the average amplification rate was 57, according to the researchers. The attacks are launched using “attack scripts,” usually written in C and with only slight variations from one vector to another. When the script is run, the target IP becomes the source of all the 52-byte query payloads. These are then sent rapidly to every server in the supplied reflector list. From there, the CLDAP servers do as they’re designed and reply to the query. As a result, the report described, “the target of this attack must deal with a flood of unsolicited CLDAP responses.” The attack is “fueled” by the number of servers on the internet with port 389 open and listening. Once a server has been identified as a viable source, it’s added to the list of reflectors. The best mitigation, suggested the report, is to filter the port in question. “Ingress filtering of the CLDAP port from the internet will prevent discovery and subsequent abuse of this service,” the report noted. Another option is to apply rules, which won’t stop the outbreak, but will alert system administers when an attempt is made to use the systems as part of a reflection attack. Source: https://campustechnology.com/articles/2017/04/20/new-ddos-attacks-use-far-fewer-infected-hosts.aspx?admgarea=news

See more here:
New DDoS Attacks Use Far Fewer Infected Hosts