Tag Archives: blocking-ddos

Link11 Discovers Record Number of DDoS Attacks in First Half of 2021

In H1 2021, cyber criminals targeted businesses in record numbers as they continued to exploit vulnerabilities caused by the pandemic.

A report published by Link11, Europe’s leading IT security provider in cyber resilience, suggests there has been a 33% increase in the number of DDoS attacks in H1 2021. Between January and June, the Link11 Security Operations Centre (LSOC) recorded record numbers of attacks compared to the same period last year. The report also found that between Q1 2021 and Q2 2021 there was a 19% increase in DDoS campaigns, some of which were over 100 Gbps in attack volume; further evidence that cyber criminals are continuing to exploit the vulnerabilities of businesses during the pandemic.

The key findings from the report are:

- The number of attacks continued to rise: +33% year-on-year compared to H1/2020.
- DDoS attacks are increasing: +19% in Q2 2021 compared to Q1 2021.
- Overall attack bandwidth remained high: 555 Gbps in maximum attack volume.
- Sharp increase in attack bandwidth: +37% in H1/2021 compared to H1/2020.
- Number of high-volume attacks > 100 Gbps in H1/2021: 28

Criminals targeted those organisations and institutions that were in high demand during the global pandemic, such as vaccination websites, e-learning platforms or portals and businesses’ IT infrastructure, as well as hosting providers and internet service providers.

LSOC also suggests that the use of extortion emails has reached critical levels. Employees have received malicious emails from a multitude of different senders, including Fancy Bear, Lazarus Group and most recently Fancy Lazarus. Instead of being indiscriminate, ransom demands now vary depending on the size of the company and the industry of the victims. In fact, companies from a wide range of industries (including finance, e-commerce, media and logistics) are currently being affected. The frequency of these campaigns has increased, ransom demands have skyrocketed and LSOC is warning that they could continue well into Q3 2021.

According to Link11’s security experts, the intensity and regularity of extortion emails has noticeably increased. The scale of DDoS activity far exceeds any from previous years and the number of businesses experiencing serious security breaches has risen sharply. The consequences of such an attack can be severe, from loss of revenue, costly business interruptions and long recovery times to sensitive data being compromised.

Marc Wilczek, Managing Director of Link11, said: “In an increasingly connected world, the availability and integrity of IT systems are critical to any business. Our research for the first half of 2021 shows that companies are continuously exposed to DDoS attacks and that they are far more frequent and complex. Due to the increasingly sophisticated attack techniques being used by cyber criminals, many security tools are reaching their limits. This means that solutions which provide maximum precision and speed in detecting and mitigating the attacks are more in demand than ever before.”

Although the threat level of DDoS attacks has remained high and security providers have issued persistent warnings, LSOC believes some companies still lack the relevant security solutions to prevent an attack. In a number of cases, organisations have been found to be completely unprotected and operations have been brought to a standstill. The only way to limit the damage is to implement specialised protection solutions on an ad-hoc basis. From an economic and legal point of view, however, it makes more sense to focus on sustainable prevention rather than reaction. As threat levels continue to rise, LSOC recommends businesses take this opportunity to conduct a thorough review of their cyber security posture. They are also warning that if you fall victim to a DDoS attack, you should not respond to extortion attempts and should call in a specialist for DDoS protection as soon as an attack has been detected.

Source: https://www.link11.com/en/blog/threat-landscape/link11-report-discovers-record-number-of-ddos-attacks-in-first-half-of-2021/


A New Wave of DDoS Extortion Campaigns by Fancy Lazarus

Warning of acute ransom DDoS attacks against companies across Europe and North America on behalf of Fancy Lazarus

The Link11 Security Operations Center (LSOC) has recently observed a sharp increase in ransom distributed denial of service (RDDoS or RDoS) attacks. Enterprises from a wide range of business sectors are receiving extortion e-mails from the sender Fancy Lazarus demanding 2 Bitcoins (approx. 66,000 euros): “It’s a small price for what will happen when your whole network goes down. Is it worth it? You decide!”, the extortionists argue in their e-mail. So far, LSOC has received reports of RDoS attacks from several European countries, such as Germany and Austria, and from the USA and Canada.

How the DDoS extortionists operate

The perpetrators gather information about the company’s IT infrastructure in advance and provide clear details in the extortion e-mail about which servers and IT elements they will target for the warning attacks. To exert pressure, the attackers rely on demo attacks, some of which last several hours and are characterized by high volumes of up to 200 Gbps. To achieve these attack bandwidths, the perpetrators use reflection amplification vectors such as DNS. If the demands are not met, the contacted company is threatened with massive high-volume attacks of up to 2 Tbps. The organization has 7 days to transfer the Bitcoins to a specific Bitcoin wallet. The e-mail also states that the ransom would increase to 4 Bitcoin with the passing of the payment deadline and increase by another Bitcoin with each additional day. Sometimes, the announced attacks fail to materialize after the expiration of the ultimatum. In other cases, DDoS attacks cause considerable disruption to the targeted companies.

Suspected perpetrators already made headlines worldwide

The perpetrators are no unknowns. In the fall of 2020, payment providers, financial service providers, and banking institutions worldwide were blackmailed with an identical extortion approach and hit with RDoS attacks. Hosting providers, e-commerce providers, and logistics companies were also the focus of the blackmailers, showing they target businesses indiscriminately. They also operated under the names Lazarus Group and Fancy Bear or posed as Armada Collective. The perpetrators are even credited with the New Zealand stock exchange outages at the end of August 2020, which lasted several days.

The new wave of extortion hits many companies when a large part of the staff is still organized via remote working and depends on undisrupted access to the corporate network. Marc Wilczek, Managing Director of Link11: “The rapid digitization that many companies have gone through in the past pandemic months is often not yet 100% secured against attacks. The surfaces for cyber attacks have risen sharply, and IT has not been sufficiently strengthened. Perpetrators know how to exploit these still open flanks with perfect precision.”

What to do in the event of DDoS extortion

As soon as they receive an extortion e-mail, companies should proactively activate their DDoS protection systems and not respond to the extortion under any circumstances. If the protection solution is not designed to scale to volume attacks of several hundred Gbps and beyond, it is important to find out how company-specific protection bandwidth can be increased in the short term and guaranteed with an SLA. If necessary, this should also be implemented via emergency integration. LSOC’s observation of the perpetrators over several months has shown that companies that use professional and comprehensive DDoS protection can significantly reduce their downtime risks. As soon as the attackers realize their attacks are going nowhere, they stop them and let nothing more be heard of them. LSOC advises attacked companies to file a report with law enforcement authorities. The National Cyber Security Centers are the best place to turn.

Source: https://www.link11.com/en/blog/threat-landscape/new-wave-ddos-extortion-campaigns-fancy-lazarus/


‘Fancy Lazarus’ Cyberattackers Ramp up Ransom DDoS Efforts

The group, known for masquerading as various APT groups, is back with a spate of attacks on U.S. companies.

A distributed denial-of-service (DDoS) extortion group has blazed back on the cybercrime scene, this time under the name of “Fancy Lazarus.” It’s been launching a series of new attacks that may or may not have any teeth, researchers said. The new name is a tongue-in-cheek combination of the Russia-linked Fancy Bear advanced persistent threat (APT) and North Korea’s Lazarus Group. The choice seems natural, given that the gang was last seen – including in a major campaign in October – purporting to be various APTs, including Armada Collective, Fancy Bear and Lazarus Group.

According to Proofpoint, this time around the gang has been sending threatening, targeted emails to various organizations, including those operating in the energy, financial, insurance, manufacturing, public utilities and retail sectors – asking for a two-Bitcoin (BTC) starting ransom (around $75,000) if companies want to avoid a crippling DDoS attack. The price doubles to four BTC after the deadline, and increases by one BTC each day after that. The targets are mostly located in the U.S.

While it’s hard to make a definitive correlation, the timing of some of the Fancy Lazarus campaigns corresponds with high-profile ransomware attacks over the past six months, in terms of targeting the same vertical industries, according to Sherrod DeGrippo, senior director of threat research and detection at Proofpoint. “These include utility, natural gas and manufacturing,” she told Threatpost. “This could be an attempt to ride the coattails of high-profile news stories and result in a higher likelihood of payment. Another trend we have seen over the past four months is a focus on sending these threats to financial institutions and large insurance providers.”

Email Campaign Details

The emails announce that the organization is being targeted by Fancy Lazarus, and they threaten a DDoS attack in seven days if the target doesn’t pay up, according to an analysis on Thursday from Proofpoint. The messages also warn of potential damage to reputation and loss of internet access at offices, and then promise that a “small attack” will be launched on a specific IP, subnet or Autonomous System with an attack of 2Tbps, as a preview of things to come. The emails are either in plain text, HTML-based or present the letter in an embedded .JPG image – likely a detection-evasion technique, Proofpoint noted.

“The emails are typically sent to well researched recipients, such as individuals listed as contacts in Border Gateway Protocol (BGP) or Whois information for company networks,” according to Proofpoint’s analysis. “The emailed individuals also work in areas such as communications, external relations, investor relations. Additionally, extortion emails are often sent to email aliases such as help desk, abuse, administrative contacts or customer service.” Meanwhile, the sender email is unique to each target. They use a random “first name, last name” convention for the sender, using fake names.

The ransom note. Source: Proofpoint.

Some of this is a change in tactics from previous campaigns by the group. For instance, Proofpoint noted that the starting ransom was 10 or 20 BTC in 2020 campaigns – a change that was likely made to account for exchange-rate fluctuations. In October, for instance, a 20-BTC demand translated to $230,000. Also, previously the sender names on the emails often contained the name of an APT that was in the headlines, such as Fancy Bear; or, they included the targeted company’s CEO name.

Sometimes a Hoax?

It’s unknown whether the group always follows through on its threat to launch massive DDoS attacks. An FBI alert on the group from last August said that while the group had taken aim at thousands of organizations from multiple global industry verticals by that point, many of them saw no further activity after the deadline expired – or, they were able to easily mitigate it. In some cases though, such as was the case with Travelex, “the threat actor conducted a volumetric attack on a custom port of four IP addresses serving the company’s subdomains,” according to Intel471 researchers writing last year. Two days later, the attackers carried out another DNS amplification attack against Travelex using Google DNS servers, the firm reported.

“While FBI reporting indicates they do not always follow through on their threat of a DDoS, there have been several prominent institutions that have reported an impact to their operations and other impacted companies have just been successful at mitigating the attacks,” DeGrippo said. “This type of behavior keeps them more closely aligned with that of a cybercriminal versus a scam artist.” In any case, it’s important for companies and organizations to be prepared by having appropriate mitigations in place, such as using a DDoS protection service and having disaster recovery plans at the ready, she added.

Ransom DDoS: A Growing Tactic

Ransom DDoS is not a recent development, but it has become more popular of late, according to DeGrippo, thanks to the mainstreaming of Bitcoin and Ethereum. “While RDDoS existed earlier, this type of extortion likely did not catch on until, in part, the adoption of cryptocurrency, which allowed the threat actors a safer means to receive payment,” she told Threatpost. “These kinds of campaigns have been done in an organized fashion for the past year.” She added that Fancy Lazarus’ choice to align its ransom demand with the fluctuating price of cryptocurrency is notable.

“As Bitcoin prices fluctuate, we see some change in their demand amounts, proving that cryptocurrency markets and malicious actor activity are absolutely correlated,” she said. “This has been the case since at least 2016 in the early days of large-scale ransomware. Threat actors send their campaigns when the prices are most advantageous, attempting to make more money when the various currencies are at a high valuation. Other actors use other cryptocurrencies like Ethereum, but Bitcoin continues to be the massively popular coin of choice for malicious threat actors.”

While it’s impossible to know the success rate of the Fancy Lazarus campaigns, “given the potentially substantial financial payoff for relatively little work on the threat actor’s part, a low success rate would still make this a worthwhile tactic,” DeGrippo noted. One trend to watch is the addition of ransomware to the mix going forward. In February, the REvil ransomware gang started adding DDoS attacks to its efforts, in an effort to ratchet up the pressure to pay.

Source: https://threatpost.com/fancy-lazarus-cyberattackers-ransom-ddos/166811/


DOSarrest Unleashes new version of its Simulated DDoS Attack platform

VANCOUVER, British Columbia, Dec. 01, 2020 (GLOBE NEWSWIRE) — DOSarrest Internet Security announced today that it has released a new version of its Cyber Attack Preparation Platform (CAPP). CAPP is a self-service portal allowing customers to test the DDoS protection services they have in place or to stress test their website’s software capability under load. The service has over 50 different types of DDoS attacks in stock; the latest version is a completely new software build of the backend to accommodate a larger and more powerful botnet along with resource management. This version of CAPP has a new, easy-to-use wizard to help customers navigate and launch multiple different attacks on multiple targets simultaneously. The customer interface is also integrated into DOSarrest’s customer portal along with all of their other Internet security services.

Some of the new attacks now available include: SSL Connection Overload, GRE Protocol Floods, Database Stress Testing, Variable ICMP Type Floods and Advanced TCP Table Exhaustion, and Enhanced HTTP Attacks, which are able to randomize User-Agents, URIs, referrers and much more, all with a high number of concurrent connections.

DOSarrest CTO Jag Bains comments, “It’s interesting to see how different systems react to attacks; CAPP not only shows you the traffic to the victim but also shows you the traffic response from the victim. A small attack to a target can actually produce a response back that’s 500 times larger.” Bains adds, “Every time a customer uses the service, they learn something new, sometimes it’s bad news; the good news is, it’s only a test.”

CEO of DOSarrest, Mark Teolis states, “Pretty much all of the new attacks and enhancements are a result of customer feedback over the last few years of operating the service first launched in 2018. Customers know they have weak or overcommitted resources, and they want to test them to make sure they don’t fail.”

About DOSarrest Internet Security:

DOSarrest, founded in 2007 in Vancouver, B.C., Canada, serves a global client base and specializes in fully managed cloud-based Internet security services including DDoS protection for websites, Network Infrastructure protection, Web Application Firewall (WAF), Traffic Analyzer as well as CAPP.

Source: https://www.globenewswire.com/news-release/2020/12/01/2137310/0/en/DOSarrest-Unleashes-new-version-of-its-Simulated-DDoS-Attack-platform.html


RangeAmp DDoS attacks can take down websites and CDN servers

A team of Chinese academics has found a new way to abuse HTTP packets to amplify web traffic and bring down websites and content delivery networks (CDNs). Named RangeAmp, this new Denial-of-Service (DoS) technique exploits incorrect implementations of the HTTP “Range Requests” attribute.

HTTP Range Requests are part of the HTTP standard and allow clients (usually browsers) to request only a specific portion (range) of a file from a server. The feature was created for pausing and resuming traffic in controlled (pause/resume actions) or uncontrolled (network congestion or disconnections) situations. The HTTP Range Requests standard has been under discussion at the Internet Engineering Task Force (IETF) for more than half a decade, but, due to its usefulness, has already been implemented by browsers, servers, and CDNs.

Two RangeAmp attacks discovered

Now, a team of Chinese academics says that attackers can use malformed HTTP Range Requests to amplify how web servers and CDN systems react when having to deal with a range request operation. The team says two different RangeAmp attacks exist.

The first is called a RangeAmp Small Byte Range (SBR) attack. In this case [see (a) in the image below], the attacker sends a malformed HTTP range request to the CDN provider, which amplifies the traffic towards the destination server, eventually crashing the targeted site.

The second is called a RangeAmp Overlapping Byte Ranges (OBR) attack. In this case [see (b) in the image below], the attacker sends a malformed HTTP range request to a CDN provider, and, where the traffic is funneled through other CDN servers, the traffic is amplified inside the CDN network, crashing CDN servers and rendering both the CDNs and many other destination sites inaccessible.

Image: Weizhong et al.

Academics said they tested RangeAmp attacks against 13 CDN providers and found that all were vulnerable to the RangeAmp SBR attack, and six were also vulnerable to the OBR variant when used in certain combinations. Researchers said the attacks were very dangerous and required a minimum of resources to carry out.

Of the two, RangeAmp SBR attacks could amplify traffic the most. The research team found that attackers could use a RangeAmp SBR attack to inflate traffic from 724 to 43,330 times the original traffic.

Image: Weizhong et al.

RangeAmp OBR attacks were a little harder to carry out, as the six vulnerable CDNs needed to be in specific (master-surrogate) configurations, but when conditions were met, researchers said OBR attacks could also be used to inflate traffic inside a CDN network with amplification factors of up to nearly 7,500 times the initial packet size.

Image: Weizhong et al.

Of the two, OBR attacks were considered more dangerous, as attackers could take down entire chunks of a CDN provider’s network, bringing down connectivity for thousands of websites at a time.

CDN vendors notified seven months ago

Academics said that for the past few months they have been silently contacting the affected CDN providers and disclosing the details of the RangeAmp attack. Of the 13 CDN providers, researchers said that 12 responded positively and either rolled out or said they planned to roll out updates to their HTTP Range Request implementation. The list includes Akamai, Alibaba Cloud, Azure, Cloudflare, CloudFront, CDNsun, CDN77, Fastly, G-Core Labs, Huawei Cloud, KeyCDN, and Tencent Cloud.

“Unfortunately, although we have sent them emails several times and have tried to reach out to their customer services, StackPath did not provide any feedback,” the research team said. “In general, we have tried our best to responsibly report the vulnerabilities and provide mitigation solutions. The related CDN vendors have had nearly seven months to implement mitigation techniques before this paper was published.”

Each CDN provider’s reply, along with technical details about the RangeAmp attacks, is available in the research team’s paper, entitled “CDN Backfired: Amplification Attacks Based on HTTP Range Requests,” available for download in PDF format from here.

Source: https://www.zdnet.com/article/rangeamp-attacks-can-take-down-websites-and-cdn-servers/
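The mitigation side of the RangeAmp findings, as an added example that is not code from the paper or from any of the CDN vendors named above: a Python validator that a CDN edge or reverse proxy could run over the Range header before touching the origin. It rejects the two abuse shapes the article describes (many tiny ranges, overlapping ranges) and widens whatever it does forward to fixed-size blocks so a tiny client request cannot become a full-object origin fetch. The policy constants (MAX_RANGES, MIN_SPAN), the status mapping and the block-widening strategy are assumptions for illustration, not any vendor's actual fix.

```python
"""Defensive validation of HTTP Range headers at a CDN edge or reverse proxy.

Assumed policy (illustrative, not from the RangeAmp paper or any vendor):
  * parse 'bytes=' ranges per RFC 7233 and reject anything malformed;
  * refuse more than MAX_RANGES ranges per request (the SBR variant relies
    on many tiny ranges) and refuse overlapping ranges (the OBR variant);
  * widen each forwarded range to MIN_SPAN-aligned blocks for the origin
    fetch, so a 1-byte request costs one block, never the whole object.
"""
import re

MAX_RANGES = 5           # assumed limit; nginx's max_ranges is the analogous knob
MIN_SPAN = 64 * 1024     # assumed origin fetch granularity: 64 KiB blocks

_RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


class RangeError(ValueError):
    """Malformed Range header or policy violation (answered with 400)."""


class UnsatisfiableRange(RangeError):
    """Range starts past the end of the object (answered with 416)."""


def parse_range_header(header, content_length):
    """Return a list of inclusive (start, end) byte pairs or raise RangeError."""
    if not header.startswith("bytes="):
        raise RangeError("unsupported range unit")
    ranges = []
    for spec in header[len("bytes="):].split(","):
        m = _RANGE_SPEC.match(spec)
        if not m:
            raise RangeError("malformed range spec: %r" % spec)
        first, last = m.group(1), m.group(2)
        if first == "":                          # suffix form '-N': last N bytes
            n = int(last or "0")
            if n == 0:
                raise RangeError("zero-length suffix range")
            start, end = max(0, content_length - n), content_length - 1
        else:
            start = int(first)
            if start >= content_length:
                raise UnsatisfiableRange("range starts at %d beyond object" % start)
            end = content_length - 1 if last == "" else min(int(last), content_length - 1)
            if end < start:
                raise RangeError("inverted range %d-%d" % (start, end))
        ranges.append((start, end))
    return ranges


def check_policy(ranges, max_ranges=MAX_RANGES):
    """Reject range sets matching the RangeAmp abuse patterns; return them sorted."""
    if len(ranges) > max_ranges:
        raise RangeError("too many ranges: %d > %d" % (len(ranges), max_ranges))
    ordered = sorted(ranges)
    for (s1, e1), (s2, e2) in zip(ordered, ordered[1:]):
        if s2 <= e1:                             # overlap: the OBR pattern
            raise RangeError("overlapping ranges %d-%d and %d-%d" % (s1, e1, s2, e2))
    return ordered


def origin_fetch_ranges(ranges, content_length, min_span=MIN_SPAN):
    """Map sorted client ranges to aligned, coalesced ranges to request from origin.

    Each range is widened to whole min_span blocks, then adjacent or overlapping
    blocks are merged, so five 1-byte requests in one block cost a single block.
    """
    fetch = []
    for start, end in ranges:
        block_start = (start // min_span) * min_span
        block_end = min((end // min_span + 1) * min_span - 1, content_length - 1)
        if fetch and block_start <= fetch[-1][1] + 1:
            fetch[-1] = (fetch[-1][0], max(fetch[-1][1], block_end))
        else:
            fetch.append((block_start, block_end))
    return fetch


def fetched_bytes(ranges):
    """Total bytes covered by inclusive ranges (for amplification-ratio logging)."""
    return sum(end - start + 1 for start, end in ranges)


def handle_range_request(header, content_length):
    """Decide how the edge answers a Range header.

    Returns {'status': 206, 'ranges': [...], 'origin_fetch': [...]} when the
    request is served, or {'status': 400 | 416, 'reason': '...'} when refused.
    """
    try:
        ranges = check_policy(parse_range_header(header, content_length))
    except UnsatisfiableRange as exc:
        return {"status": 416, "reason": str(exc)}
    except RangeError as exc:
        return {"status": 400, "reason": str(exc)}
    return {"status": 206, "ranges": ranges,
            "origin_fetch": origin_fetch_ranges(ranges, content_length)}


if __name__ == "__main__":
    # Constructed sample: a 10 MiB object and one header of each kind.
    size = 10 * 1024 * 1024
    for hdr in ("bytes=0-99", "bytes=-500", "bytes=0-,0-,0-",
                "bytes=0-0,2-2,4-4,6-6,8-8,10-10", "bytes=20000000-"):
        print(hdr, "->", handle_range_request(hdr, size))
```

Comparing fetched_bytes(origin_fetch) against the object size gives the edge-to-origin ratio worth alerting on; for the sample object a single accepted 100-byte request costs 64 KiB at the origin instead of 10 MiB.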


Six Lessons From Boston Children’s ‘Hacktivist’ Attack

CIO Daniel Nigrin, M.D., says hospitals must prepare for DDoS and ransomware

Most health system CIOs have heard about the 2014 attack on Boston Children’s Hospital by a member or members of the activist hacker group Anonymous. The hospital was forced to deal with a distributed denial of service (DDoS) attack as well as a spear phishing campaign. Yesterday, as part of the Harvard Medical School Clinical Informatics Lecture Series, the hospital’s senior vice president and CIO Daniel Nigrin, M.D., discussed six lessons learned from the attack.

Although the cyber-attack took place four years ago, there have been some recent developments. The attack was undertaken to protest the treatment of a teenager, Justina Pelletier, in a dispute over her diagnosis and custody between her parents and the hospital. In August 2018 Martin Gottesfeld, 32, was convicted of one count of conspiracy to damage protected computers and one count of damaging protected computers. U.S. District Court Judge Nathaniel Gorton scheduled sentencing for Nov. 14, 2018. Gottesfeld was charged in February 2016. According to the U.S. Department of Justice, Gottesfeld launched a massive DDoS attack against the computer network of the Boston Children’s Hospital. He customized malicious software that he installed on 40,000 network routers that he was then able to control from his home computer. After spending more than a week preparing his methods, on April 19, 2014, he unleashed a DDoS attack that directed so much hostile traffic at the Children’s Hospital computer network that he temporarily knocked Boston Children’s Hospital off the Internet.

In his Oct. 17 talk, Nigrin said cyber criminals still see healthcare as a soft target compared to other industries. “The bottom line is that in healthcare, we have not paid attention to cybersecurity,” he said. “In the years since this attack, we have seen ransomware attacks that have brought hospital systems to their knees. We have to pay more attention and invest more in terms of dollars and technical people, but it really does extend to entire organizations — educating people about what a phishing attack is, what a social engineering attack is. These need to be made a priority.”

He offered six lessons learned from Boston Children’s experience:

1. DDoS countermeasures are critical. No longer can healthcare organizations assume that DDoS attacks are things that only occur against corporate entities, he said. “Prior to this event, I had never thought about the need to protect our organization against a DDoS attack,” he said. “I will submit that the vast majority of my CIO colleagues were in the same boat. And that was wrong. I think now we have gotten this understanding.”

2. Know what depends on the internet. Having a really detailed understanding of what systems and processes in your organization depend on internet access is critical, Nigrin stressed. You also must have good mitigation strategies in place to know what to do if you lose internet access, whether it is because you have a network outage due to a technical issue or a malicious issue. “As healthcare has become more automated and dependent on technology, these things are crippling events. You have got to know how you are going to deal with it ahead of time. Figuring it out on the fly is not going to work.”

3. Recognize the importance of email. Email may be seen as old-school, Nigrin noted, but it is still the primary method to communicate, so you have to think about how you can communicate and get the word out in scenarios where you don’t have email or lose voice communication. “In our case, we were super-lucky because we had just deployed a secure texting platform, so we could do HIPAA-compliant texting, and when our email was down, that was how we communicated, and it was very effective,” he explained.

4. Push through security initiatives – no excuses anymore. Because he is a doctor himself, Nigrin feels OK picking on doctors about security. Historically they have always pushed back on security measures such as dual-factor authentication. He paraphrases them saying “Come on, Dan, that is an extra 10 seconds; I have to carry a secure ID, or you have to send me a text message on my phone. It is a pain. I don’t want to do it. I am the highest-paid employee in your organization and that is time better spent on something else.” But Nigrin argues that we can’t afford to think like that anymore. He used the Anonymous attack as an opportunity to push through four or five security initiatives within the next two to three months when he had everyone’s attention. “The platform was burning, and the board of trustees was willing to expend the money to pay for it all. They all of a sudden recognized the risk.”

5. Securing audio- and teleconference meetings. Nigrin said this topic wouldn’t have occurred to Boston Children’s until they were warned by the FBI. “The FBI told us about an attack that affected them when they were dealing with Anonymous. When Anonymous was attacking the FBI, the FBI convened internal conference calls on how to deal with it. Anonymous had already breached their messaging platform and intercepted the calendar invites that invited everyone to dial in. Anonymous basically was called into the meeting. Within 30 minutes of one of those meetings, the entire audio transcript of the conference call was posted to YouTube. “So we took heed of that and made sure that when we had conference calls, we sent out PINs over our secure texting platform,” he said.

6. Separating signal from noise. During the attack, Boston Children’s set up a command center and told employees: if you see something, say something. “We didn’t know what attack was coming next. We were flying blind,” Nigrin said. “We started to get lots of calls into our command center with reports of things that seemed somewhat suspicious,” he remembers. People got calls on their cell phone with a recorded message saying your bank account has been compromised; press 1 to talk to someone to deal with it. “Today we would recognize this as some type of phishing scam and hang up,” he said, “but at the time it was sort of new. People started calling us and we didn’t know if this was Anonymous trying to get into the bank accounts of our senior clinicians. Was it part of the attack? It was tough for us to detect signal from noise.”

In the Q&A after his presentation, listeners were curious about how much the incident cost the hospital. Nigrin said there were two big costs incurred: One was the technology it had to deploy in an emergent way to do DDoS protection and penetration testing. The other was revenue lost from philanthropic donations. Together they were close to $1 million.

Another person asked if the hospital had cyber insurance. Nigrin said they did, but when they read the fine print it said they were covered only if they were breached, and technically they were never breached, so the insurance company was reluctant to pay. Although they eventually got compensated for a good share of it, the hospital also made sure to update its policy.

Still another attendee asked Nigrin if ransomware attacks were still targeting hospitals. He said they definitely were. “Think about community hospitals just squeaking by on their budgets,” he said. “They don’t have millions to spend, yet their data is valuable on the black market. Attackers recognize we are dead in the water as entities if we don’t have these systems. We have important data and will do anything to get our systems back up and running.”

Nigrin said even large health systems can be vulnerable because some technology they deploy is run by third-party vendors who haven’t upgraded their systems. An example, he said, might be technology to record videos in the operating room setting. Some vendors, he said, are not accustomed to thinking about security. They are unable to update their software so it works on more modern operating systems. That leaves CIOs with a tough choice. “We can shut off the functionality or take the risk of continuing to use outdated and unpatched operating systems. Those vendors now have woken up and realize they have to pay more attention.”

Source: https://www.healthcare-informatics.com/article/cybersecurity/six-lessons-boston-children-s-hacktivist-attack


Ireland vulnerable to cybersecurity attack, says industry leader

The Government has been urged to appoint a cybersecurity “tsar” to ensure the State is adequately prepared to deal with potential attacks. The call by one of the State’s leading IT security experts comes amid growing concern Ireland could be caught off-guard by a cybersecurity attack, due to a lack of joined-up thinking on the issue and a failure to take threats seriously. Currently the response to cyber threats lies across a number of bodies, with the Department of Communications, An Garda Síochána, the Defence Forces and the Department of Defence among those involved. Brian Honan, an independent security consultant who has also served as a special adviser to Europol’s Cybercrime Centre (EC3), said a tsar with the authority and autonomy to ensure an effective cybersecurity strategy should be appointed as a matter of urgency. “We need a coherent and centralised approach to protecting our nation rather than having responsibilities for various aspects of cybersecurity spread throughout different departments and agencies,” he said. Mr Honan warned that cybersecurity was becoming more of an issue globally with data breaches, DDoS and ransomware attacks, financial scams and state-sponsored hacking incidents all on the rise. As well as domestic considerations, the State is also responsible for the security of services provided across the EU by multinational companies who have their European headquarters located here. Mr Honan said that, given this, a cybersecurity attack could not only cause widespread disruption for businesses and public agencies, but would also lead to serious reputational damage. “It is too critical for us as a nation, both from an economic and national security point of view, for [cybersecurity] to be left to individual government departments or businesses to look after,” said Mr Honan. 
Funding review

Mr Honan’s comments come just weeks after a report by the Comptroller and Auditor General revealed that a dedicated cybersecurity unit established to protect government and industry networks has no strategic plan and requires a review of its funding. The National Cyber Security Centre (NCSC), based in UCD, was established in 2011 with a view to “securing critical national infrastructure”. However, the C&AG report into its operations found an oversight body set up to monitor its performance had not met since 2015. Fianna Fáil has also recently urged the Government to take a more proactive approach to cybersecurity. Its defence spokesman, Jack Chambers, recently called for responsibility for the NCSC to be reassigned away from the Department of Communications. “The Department of Defence should take ownership and control of this so it can develop a proper whole-of-government response to the area of cybersecurity as it becomes a serious national threat. It would compromise foreign direct investment if our national infrastructure were to be seriously undermined and there were to be an attack,” said Mr Chambers. Source: https://www.irishtimes.com/business/technology/ireland-vulnerable-to-cybersecurity-attack-says-industry-leader-1.3666946

Continue Reading:
Ireland vulnerable to cybersecurity attack, says industry leader

Has a BOT Network Compromised Your Systems?

BOT networks have surprisingly penetrated many corporate networks around the world. Yet many information technology and security operations teams have difficulty identifying their activity and eliminating them from the network. The term botnet is derived from the combination of the words robot and network. A cybercriminal creates a network of these robots connected together for the purpose of coordinating some large-scale activity, most often to function as a cyberattack tool for cybercriminals. These activities often include the propagation of attacker malware tools, economic gain, or perhaps a debilitating attack upon one or more websites on the internet, effectively harming revenue and reputation for enterprise organizations and online e-tailers. The larger the botnet, the more effective it can be in achieving the desired goal. Botnets spread via malware, often distributed through malicious email, and may also be self-propagating so that they move laterally from your laptop to other workstations and network devices within the network. Alternatively, they can infect your laptop when you visit a compromised website, setting in motion a series of malicious events that result in a compromised system (drive-by download) and automatically installing the botnet software unbeknownst to the owner of that system. Very typically, due to a lack of effective cyber defense for both detection and remediation, cybercriminals find undefended internet of things (IoT) devices to be ideal hosts to harbor and hide their botnet malware. These IoT hosts can include the new generation of IoT-enabled devices such as smart refrigerators, security cameras, digital video recorders, network-connected access management systems, thermostats, and much more. Enterprise security departments are often surprised to find that their access management systems and security cameras are completely compromised by such botnets. 
The most common indicator is users complaining that computer programs are running much more slowly. This is often a key warning sign that hidden botnets or other malware are using your computing resources. More subtly, you may notice that your cooling fans are running when you are not actively using your computers or servers. This may be symptomatic of the considerable computational overhead created by botnets heating up the processor boards. Finally, on your Windows endpoint platforms, failure to shut down properly, or at all, or failure to download updates are other key indicators; any one of these by itself may not confirm the presence of a botnet, but together they raise suspicion to a high level. Some of your employees might also see unknown posts placed on their Facebook accounts. This might also be directly related to botnet activity. Cybercriminals can use social media accounts to easily disseminate malicious content. Conceptually, this social media botnet attack is very different from infecting your computer. By infecting your social media account, the botnet can propagate more rapidly across your entire social media presence and never has to physically sit on your laptop or other home computers. Botnets usually work through automation set up, of course, by cybercriminals you don’t know. Key symptoms are almost always technology related – not related to insider activity or insider malicious threats. Beyond the symptoms already mentioned above, there are also technical indicators, such as strange processes running under Windows, but these are very hard to detect. As quickly as cyber defense automation and tools evolve, so do the tactics, techniques, and procedures of the botnet cyberthieves. Most botnets don’t damage the host computers – most of what they do is degrade your performance and effectively “steal” your computer resources. More dangerous is the damage the cyberattackers can cause by using the botnet to maliciously target other websites, for example when they launch a distributed denial of service (DDoS) attack. 
Several best practices can help cut down or eliminate botnet infections and the secondary attacks that may be launched once an attacker has access to your networks through a botnet. These include: utilize software that filters or cuts down on suspicious email attachments, and don’t click on any links which are suspicious; make sure your operating systems have all patches and updates installed; keep your antivirus protection up to date – these often have the signatures of known and recent botnet malware components; and encrypt your data end-to-end (at rest, in use, and in transit) so that an attacker in your network will be unable to make use of it. Source: https://securityboulevard.com/2018/10/has-a-bot-network-compromised-your-systems/

Original post:
Has a BOT Network Compromised Your Systems?

Businesses are becoming main target for cybercriminals, report finds

Cybercrime activity continues to expand in scope and complexity, according to the latest report by cybersecurity firm Malwarebytes, as businesses become the preferred target for crooks throughout Q3. Malware detections on businesses shot up 55% between Q2 and Q3, with the biggest attack vector coming from information-stealing trojans such as the self-propagating Emotet and the infamous LokiBot. Criminals have likely ramped up attacks on organizations in an attempt to maximize returns, while consumers have seen significantly less action in Q3, with a mere 5% detection increase over the period. This shift toward more streamlined campaigns, as opposed to the wide nets cast in previous quarters, is due to numerous reasons including businesses failing to patch vulnerabilities, weaponized exploits, and possibly even the implementation of privacy-protective legislation such as GDPR. “There was a very long period where ransomware was the dominant malware against everybody,” said Adam Kujawa, director of Malwarebytes Labs, speaking to The Daily Swig about the quarterly report, Cybercrime tactics and techniques: Q3 2018. “We’ve seen the complete evolution of ransomware to what is really just a few families, and whether we’ll see the same distribution and exposure [of ransomware] that we’ve seen in the past few years is unlikely in my opinion.” GandCrab ransomware, however, which first appeared at the beginning of this year, has matured. New versions were discovered during Q3, and the ransomware variant is expected to remain a viable threat to both consumers and businesses, the latter being at higher risk due to GandCrab’s advanced ability to encrypt network drives. But despite a recent report by Europol that highlighted ransomware as the biggest threat in 2018, Kujawa isn’t convinced that these campaigns will stick around in the quarters to come. 
“There are so many solutions out there that can protect users from ransomware, and there are more people that know what to do if you get hit with it,” he said. “When you compare that to is it a good return investment [for cybercriminals], we don’t think it is anymore. Most of what we’ve seen [in Q3] is information-stealers.” Kujawa points to the banking trojan Emotet, which can spread easily and whose primary intent is to steal financial data and carry out distributed denial of service (DDoS) attacks from infected machines. Businesses, particularly small and medium-sized enterprises with less money invested in cyber defenses, have become valuable targets due to the ease with which trojans like Emotet can spread throughout their networks. Changes in global information systems may also be a contributing factor in the revival of data theft. “That may very well in part play to things like GDPR where you’ve got this data that is no longer legally allowed to be on a server somewhere protected in Europe,” said Kujawa. “Cybercriminals may be more interested in stealing data like they used to because this stuff is no longer as easy to obtain as it was.” While information-stealers hogged the spotlight, the threat landscape remains diverse – targets are predominantly concentrated within Western countries, while the use of exploit kits was found mostly in Asian countries including South Korea. Kujawa also noted that social engineering, such as phishing attacks, remains a successful technique for malicious hackers. He said: “Almost all attacks are distributed through social engineering, that’s still the number one way to get past things like security software, firewalls, and things like that.” “The biggest problem in our industry right now is people not taking it [cybersecurity] seriously enough,” Kujawa added. 
“At the end of the day we’re never going to win the war on cybercrime with just technology because that’s exactly what the bad guys are using against us.” Source: https://portswigger.net/daily-swig/businesses-are-becoming-main-target-for-cybercriminals-report-finds

Read the original:
Businesses are becoming main target for cybercriminals, report finds

Central planning bureau finds Dutch cybersecurity at high level

Dutch businesses and the public sector are well protected against cybersecurity threats compared to other countries, according to a report from the Central Planning Bureau (CPB) on the risks for cybersecurity. Dutch websites employ encryption techniques relatively often, and the ISPs take measures to limit the impact of DDoS attacks, the report said. Small and medium-sized businesses are less active than large companies in protecting their activities, employing techniques such as data encryption less often, the CPB found. This creates avoidable risks for small businesses and consumers. The report also found that the Dutch are more often victims of cybercrime than of other forms of crime. This implies a high cost for society to ensure cybersecurity. In 2016, 11 percent of businesses had already incurred costs due to a hacking attempt. The threat of DDoS attacks will only increase in the coming years due to the growing number of IoT devices. This was already evident in the attacks against Dutch bank websites earlier this year. A further risk is that over half of the most important banks in the world use the same DDoS protection service. According to the paper Financieele Dagblad, this supplier is Akamai. The company provides DDoS protection for 16 of the 30 largest banks worldwide. The Dutch banks ABN Amro, ING and Rabobank said they were not dependent on a single provider. The CPB report also found that the often-reported shortage of qualified ICT staff is less of a threat than thought. The number of ICT students has risen 50 percent in four years and around 100,000 ICT jobs have been added in the country since 2008. Already 5 percent of all jobs are in ICT. This puts the Netherlands at the top of the pack in Europe, alongside the Nordic countries. Source: https://www.telecompaper.com/news/central-planning-bureau-finds-dutch-cybersecurity-at-high-level–1264818

Taken from:
Central planning bureau finds Dutch cybersecurity at high level