Tag Archives: blocking-ddos

Naming & Shaming Web Polluters: Xiongmai

What do we do with a company that regularly pumps metric tons of virtual toxic sludge onto the Internet and yet refuses to clean up their act? If ever there were a technology giant that deserved to be named and shamed for polluting the Web, it is Xiongmai — a Chinese maker of electronic parts that power a huge percentage of cheap digital video recorders (DVRs) and Internet-connected security cameras. In late 2016, the world witnessed the sheer disruptive power of Mirai, a powerful botnet strain fueled by Internet of Things (IoT) devices like DVRs and IP cameras that were put online with factory-default passwords and other poor security settings. Security experts soon discovered that a majority of Mirai-infected devices were chiefly composed of components made by Xiongmai (a.k.a. Hangzhou Xiongmai Technology Co., Ltd. ) and a handful of other Chinese tech firms that seemed to have a history of placing product market share and price above security. Since then, two of those firms — Huawei and Dahua — have taken steps to increase the security of their IoT products out-of-the-box. But Xiongmai — despite repeated warnings from researchers about deep-seated vulnerabilities in its hardware — has continued to ignore such warnings and to ship massively insecure hardware and software for use in products that are white-labeled and sold by more than 100 third-party vendors. On Tuesday, Austrian security firm SEC Consult released the results of extensive research into multiple, lingering and serious security holes in Xiongmai’s hardware. SEC Consult said it began the process of working with Xiongmai on these problems back in March 2018, but that it finally published its research after it became clear that Xiongmai wasn’t going to address any of the problems. “Although Xiongmai had seven months notice, they have not fixed any of the issues,” the researchers wrote in a blog post published today. “The conversation with them over the past months has shown that security is just not a priority to them at all.” PROBLEM TO PROBLEM A core part of the problem is the peer-to-peer (P2P) communications component called “ XMEye ” that ships with all Xiongmai devices and automatically connects them to a cloud network run by Xiongmai. The P2P feature is designed so that consumers can access their DVRs or security cameras remotely anywhere in the world and without having to configure anything. The various business lines of Xiongmai. Source: xiongmaitech.com To access a Xiongmai device via the P2P network, one must know the Unique ID (UID) assigned to each device. The UID is essentially derived in an easily reproducible way using the device’s built-in MAC address (a string of numbers and letters, such as 68ab8124db83c8db). Electronics firms are assigned ranges of MAC address that they may use, but SEC Consult discovered that Xiongmai for some reason actually uses MAC address ranges assigned to a number of other companies, including tech giant Cisco Systems, German printing press maker Koenig & Bauer AG, and Swiss chemical analysis firm Metrohm AG. SEC Consult learned that it was trivial to find Xiongmai devices simply by computing all possible ranges of UIDs for each range of MAC addresses, and then scanning Xiongmai’s public cloud for XMEye-enabled devices. Based on scanning just two percent of the available ranges, SEC Consult conservatively estimates there are around 9 million Xiongmai P2P devices online. [For the record, KrebsOnSecurity has long advised buyers of IoT devices to avoid those advertise P2P capabilities for just this reason. The Xiongmai debacle is yet another example of why this remains solid advice]. BLANK TO BANK While one still needs to provide a username and password to remotely access XMEye devices via this method, SEC Consult notes that the default password of the all-powerful administrative user (username “admin”) is blank (i.e, no password). The admin account can be used to do anything to the device, such as changing its settings or uploading software — including malware like Mirai. And because users are not required to set a secure password in the initial setup phase, it is likely that a large number of devices are accessible via these default credentials. The raw, unbranded electronic components of an IP camera produced by Xiongmai. Even if a customer has changed the default admin password, SEC Consult discovered there is an undocumented user with the name “default,” whose password is “tluafed” (default in reverse). While this user account can’t change system settings, it is still able to view any video streams. Normally, hardware devices are secured against unauthorized software updates by requiring that any new software pushed to the devices be digitally signed with a secret cryptographic key that is held only by the hardware or software maker. However, XMEye-enabled devices have no such protections. In fact, the researchers found it was trivial to set up a system that mimics the XMEye cloud and push malicious firmware updates to any device. Worse still, unlike with the Mirai malware — which gets permanently wiped from memory when an infected device powers off or is rebooted — the update method devised by SEC Consult makes it so that any software uploaded survives a reboot. CAN XIONGMAI REALLY BE THAT BAD? In the wake of the Mirai botnet’s emergence in 2016 and the subsequent record denial-of-service attacks that brought down chunks of the Internet at a time (including this Web site and my DDoS protection provider at times), multiple security firms said Xiongmai’s insecure products were a huge contributor to the problem. Among the company’s strongest critics was New York City-based security firm Flashpoint, which pointed out that even basic security features built into Xiongmai’s hardware had completely failed at basic tasks. For example, Flashpoint’s analysts discovered that the login page for a camera or DVR running Xiongmai hardware and software could be bypassed just by navigating to a page called “DVR.htm” prior to login. Flashpoint’s researchers also found that any changes to passwords for various user accounts accessible via the Web administration page for Xiongmai products did nothing to change passwords for accounts that were hard-coded into these devices and accessible only via more obscure, command-line communications interfaces like Telnet and SSH. Not long after Xiongmai was publicly shamed for failing to fix obvious security weaknesses that helped contribute to the spread of Mirai and related IoT botnets, Xiongmai lashed out at multiple security firms and journalists, promising to sue its critics for defamation (it never followed through on that threat, as far as I can tell). At the same time, Xiongmai promised that it would be issuing a product recall on millions of devices to ensure they were not deployed with insecure settings and software. But according to Flashpoint’s Zach Wikholm , Xiongmai never followed through with the recall, either. Rather, it was all a way for the company to save face publicly and with its business partners. “This company said they were going to do a product recall, but it looks like they never got around to it,” Wikholm said. “They were just trying to cover up and keep moving.” Wikholm said Flashpoint discovered a number of additional glaring vulnerabilities in Xiongmai’s hardware and software that left them wide open to takeover by malicious hackers, and that several of those weaknesses still exist in the company’s core product line. “We could have kept releasing our findings, but it just got really difficult to keep doing that because Xiongmai wouldn’t fix them and it would only make it easier for people to compromise these devices,” Wikholm said. The Flashpoint analyst said he believes SEC Consult’s estimates of the number of vulnerable Xiongmai devices to be extremely conservative. “Nine million devices sounds quite low because these guys hold 25 percent of the world’s DVR market,” to say nothing of the company’s share in the market for cheapo IP cameras, Wikholm said. What’s more, he said, Xiongmai has turned a deaf ear to reports about dangerous security holes across its product lines principally because it doesn’t answer directly to customers who purchase the gear. “The only reason they’ve maintained this level of [not caring] is they’ve been in this market for a long time and established very strong regional sales channels to dozens of third-party companies,” that ultimately rebrand Xiongmai’s products as their own, he said. Also, the typical consumer of cheap electronics powered by Xiongmai’s kit don’t really care how easily these devices can be commandeered by cybercriminals, Wikholm observed. “They just want a security system around their house or business that doesn’t cost an arm and leg, and Xiongmai is by far the biggest player in that space,” he said. “Most companies at least have some sort of incentive to make things better when faced with public pressure. But they don’t seem to have that drive.” A PHANTOM MENACE SEC Consult concluded its technical advisory about the security flaws by saying Xiongmai “ does not provide any mitigations and hence it is recommended not to use any products associated with the XMeye P2P Cloud until all of the identified security issues have been fixed and a thorough security analysis has been performed by professionals.” While this may sound easy enough, acting on that advice is difficult in practice because very few devices made with Xiongmai’s deeply flawed hardware and software advertise that fact on the label or product name. Rather, the components that Xiongmai makes are sold downstream to vendors who then use it in their own products and slap on a label with their own brand name. How many vendors? It’s difficult to say for sure, but a search on the term XMEye via the e-commerce sites where Xiongmai’s white-labeled products typically are sold (Amazon, Aliexpress.com, Homedepot.com and Walmart) reveals more than 100 companies that you’ve probably never heard of which brand Xiongmai’s hardware and software as their own.  That list is available here (PDF) and is also pasted at the conclusion of this post for the benefit of search engines. SEC Consult’s technical advisory about their findings lists a number of indicators that system and network administrators can use to quickly determine whether any of these vulnerable P2P Xiongmai devices happen to be on your network. For end users concerned about this, one way of fingerprinting Xiongmai devices is to search Amazon.com, aliexpress.com, walmart.com and other online merchants for the brand on the side of your device and the term “XMEye.” If you get a hit, chances are excellent you’ve got a device built on Xiongmai’s technology. Another option: open a browser and navigate to the local Internet address of your device. If you have one of these devices on your local network, the login page should look like the one below: The administrative login screen for IoT devices powered by Xiongmai’s software and hardware. Another giveaway on virtually all Xiongmai devices is pasting “http://IP/err.htm” into a browser address bar should display the following error message (where IP= the local IP address of the device): Ironically, even the error page for Xiongmai devices contains errors. According to SEC Consult, Xiongmai’s electronics and hardware make up the guts of IP cameras and DVRs marketed and sold under the company names below. What’s most remarkable about many of the companies listed below is that about half of them don’t even have their own Web sites, and instead simply rely on direct-to-consumer product listings at Amazon.com or other e-commerce outlets. Among those that do sell Xiongmai’s products directly via the Web, very few of them seem to even offer secure (https://) Web sites. SEC Consult’s blog post about their findings has more technical details, as does the security advisory they released today. In response to questions about the SEC Consult reports, Xiongmai said it is now using a new encryption method to generate the UID for its XMEye devices, and will not longer be relying on MAC addresses. Xiongmai also said users will be asked to change a devices default username and password when they use the XMEye Internet Explorer plugin or mobile app. The company also said it had removed the “default” account in firmware versions after August 2018. It also disputed SEC Consult’s claims that it doesn’t encrypt traffic handled by the devices. In response to criticism that any settings changed by the user in the Web interface will not affect user accounts that are only accessible via telnet, Xiongmai said it was getting ready to delete telnet completely from its devices “soon.” KrebsOnSecurity is unable to validate the veracity of Xiongmai’s claims, but it should be noted that this company has made a number of such claims and promises in the past that never materialized. Johannes Greil, head of SEC Consult Vulnerability Lab, said as far as he could tell none of the proclaimed fixes have materialized. “We are looking forward for Xiongmai to fix the vulnerabilities for new devices as well as all devices in the field,” Greil said. Here’s the current list of companies that white label Xiongmai’s insecure products, according to SEC Consult: 9Trading Abowone AHWVSE ANRAN ASECAM Autoeye AZISHN A-ZONE BESDER/BESDERSEC BESSKY Bestmo BFMore BOAVISION BULWARK CANAVIS CWH DAGRO datocctv DEFEWAY digoo DiySecurityCameraWorld DONPHIA ENKLOV ESAMACT ESCAM EVTEVISION Fayele FLOUREON Funi GADINAN GARUNK HAMROL HAMROLTE Highfly Hiseeu HISVISION HMQC IHOMEGUARD ISSEUSEE iTooner JENNOV Jooan Jshida JUESENWDM JUFENG JZTEK KERUI KKMOON KONLEN Kopda Lenyes LESHP LEVCOECAM LINGSEE LOOSAFE MIEBUL MISECU Nextrend OEM OLOEY OUERTECH QNTSQ SACAM SANNCE SANSCO SecTec Shell film Sifvision/sifsecurityvision smar SMTSEC SSICON SUNBA Sunivision Susikum TECBOX Techage Techege TianAnXun TMEZON TVPSii Unique Vision unitoptek USAFEQLO VOLDRELI Westmile Westshine Wistino Witrue WNK Security Technology WOFEA WOSHIJIA WUSONLUSAN XIAO MA XinAnX xloongx YiiSPO YUCHENG YUNSYE zclever zilnk ZJUXIN zmodo ZRHUNTER Source: https://krebsonsecurity.com/2018/10/naming-shaming-web-polluters-xiongmai/

Excerpt from:
Naming & Shaming Web Polluters: Xiongmai

In Blockchain, There is no Checkmate

During my time as a Chairman of NATO’s Intelligence Committee and advising government and private companies on cybersecurity, I have noticed the same hacker-shaped hole in the industry. For the past 35 years, huge companies, organizations, charities and nation states have succumbed to cyber-criminals. Let me explain why. In a game of chess, you can win by either taking out all of your opponent’s pieces one-by-one, or by trapping the opposing side’s king in a checkmate. This is true of today’s cybersecurity model. One piece, in the wrong place at the wrong time could cost the entire game. Not just that, but any device in a network, whether it be a phone or a smart fridge, is a “king” that can be trapped and cost the integrity of an entire network. In this way, the “king” is a weakness. A weakness that costs companies and countries millions, a weakness that could mean loss of life in the healthcare industry or military systems – indeed, cybersecurity is not a game. Fighting cyber-criminals whilst being constrained by the rules of this chess match means we’ll never win. The centralized model where the hacking of a single device could compromise a network is categorically flawed. This needs to change: we don’t need to play a better game against cyber-criminals, we need to play a different game. Blockchain technology is arguably one of the most significant innovations for decades, and it extends beyond the vestiges of crypto currencies. At its core, the Blockchain is immutable, transparent, encrypted and fragmented (decentralized). As such, Blockchain and cybersecurity seem like a match made in heaven and for the most part, they are. For instance, right now, all the data of our personal or business devices – passwords, applications, files etc. – are stored on a centralized data server. Blockchain decentralizes the systems by distributing ledger data on many systems rather than storing them on one single network. There is no single point of failure, one central database or middleman that could potentially serve as a source of leaks or compromised data. The underpinnings of Blockchain architecture are based on time-stamped cryptographic nodes (the computer and servers that create blocks on a chain). Every time our data is stored or inserted into Blockchain ledgers, a new block is created. Each block has a specific summary of the previous block in the form of a secure digital signature. More sophisticated systems combine Blockchain and AI technologies to confirm each other based on previous signatures. If there is a discrepancy, threat, or a device steps outside of a set of pre-determined rules, the surrounding nodes will flag it for action. Since these blocks are linked in the form of a chain sequence, the timing, order and content of transactions cannot be manipulated. Just like crypto transactions, the Blockchain operates upon a democratic consensus. Any transfer of data would require a majority approval of the network participants; therefore, attackers can only impact a network by getting control of most of the network nodes. However, the nodes are random and the number of them stored on a given network can be in the millions. In the metaphorical game of chess, “the collective” Blockchain has an advantage. Imagine if team hackers could not eliminate a single piece, not a pawn nor rook, unless they could eliminate all million pieces on the entire board at once. If they fail to do that, all of the pieces remain untouchable – including the “king”. There is no checkmate, and no hope for hackers. Even still, since domain editing rights are only verified through nodes, hackers won’t get the right to edit and manipulate the data even after hacking a million of systems. As all transactions are cryptographically linked, the modification or tampering of the data at any given time would alert all those with access to the ledger, exposing the infected dataset near-instantaneously. The Blockchain does not linger or rely on any central point of failure to command changes; that allows for fixes to occur before attacks have time to spread. In other words, hacking a Blockchain with any scale is virtually impossible. For instance, in the case of DDoS attacks that crash large data servers, Blockchain technology would disrupt this completely by decentralizing the DNS (Domain Name Systems) and distributing the content to a greater number of nodes. The idea is clearly an attractive one. It can help save the billions that are being spent on developing arenas in which cybersecurity firms are fighting the hacker’s fight, especially in hard to defend environments. We have already seen a number of companies utilize Blockchain technology to safeguard networks. Companies such as Naoris bring this consensual Blockchain technology and link devices as blocks on a chain so that no single end-point or terminal exists in a silo. Current structures with multiple devices each act as a point of entry for a hacker into the network, however, as we know, the more nodes a network possesses on the Blockchain, the harder it becomes to infiltrate. Therefore, as the network expands and more devices are connected, the network becomes increasingly more resilient. This is only the beginning for Blockchain. As it develops, it’s only going to get smarter and better. New technologies have the potential to provide a robust and effective alternative way of ensuring that we evolve to compete with concerns surrounding our security. With the Blockchain, such concerns can be a thing of the past. Source: https://www.infosecurity-magazine.com/opinions/blockchain-no-checkmate/

Original post:
In Blockchain, There is no Checkmate

Hackers target the Queensland government with online attacks

International hackers have targeted the Queensland government, with cyber security experts being forced to defend against several potentially disastrous online attacks. Last year, state government IT experts prevented 19 distributed denial of service (DDoS) attacks, during which an average of 8000 malicious domain name system (DNS) requests per minute were blocked. A DDoS attack typically involves flooding a network with requests from multiple computers in an attempt to overload the system and can shut down websites, while DNS floods are a type of DoS. During 2017-18, state government cyber security experts also collected and analysed an average of 400 million events per day from more than 130 sources. Those system events – threat intelligence or activity flagged as of interest – were recorded across the state government network and were detected by security infrastructure, such as firewalls. “While this is regarded as criminal activity, the specific intention of the attacks is unknown and the majority of attempts appear to have originated from various countries,” a Housing and Public Works Department spokeswoman said. “However, cyber criminals behind such attempts often mask their true origin, therefore geographical information is not a true indicator of the source.” Fairfax Media asked for specific details of the dates, targets and outcomes of the 19 DDoS attacks. But the spokeswoman said the government’s policy, based on security advice, was not to publicly comment on specific cyber security incidents. In 2016, the Palaszczuk government created a whole-of-government Cyber Security Unit, sitting within the Chief Information Office, to enhance cyber security. Australian companies have suffered outages following DDoS cyber attacks in the past. In 2016, a DDoS attack left millions of users, mostly in the US and Europe, unable to access websites including Twitter, Spotify and Netflix. Interruptions were also experienced by websites including ANZ, Coles, eBay and The Sydney Morning Herald . In May last year, it was revealed five of Queensland’s biggest hospitals were suffering from major IT problems after efforts to prevent a possible cyber attack backfired. Security patches were installed in response to a global ransomware attack that affected hundreds of thousands of computers worldwide, but the patches then caused system slowness. However, there were no patient safety issues as a result. Source: https://www.smh.com.au/politics/queensland/hackers-target-the-queensland-government-with-online-attacks-20181008-p508gr.html

Read More:
Hackers target the Queensland government with online attacks

Are Your Applications Secure?

Executives express mixed feelings and a surprisingly high level of confidence in Radware’s 2018 Web Application Security Report.  As we close out a year of headline-grabbing data breaches (British Airways, Under Armor,  Panera Bread), the introduction of GDPR and the emergence of new application development architectures and frameworks, Radware examined the state of application security in its latest report. This global survey among executives and IT professionals has yielded insights about threats, concerns and application security strategies. The common trend among a variety of application security challenges including data breaches, bot management, DDoS mitigation, API security and DevSecOps, was the high level of confidence reported by those surveyed. 90% of all respondents across regions reported confidence that their security model is effective at mitigating web application attacks. Attacks against applications are at a record high and sensitive data is shared more than ever. So how can execs and IT pros have such confidence in the security of their applications? To get a better understanding, we researched the current threat landscape and application protection strategies organizations currently take. Contradicting evidence stood out immediately: 90% suffered attacks against their applications One in three shared sensitive data with third parties 33% allowed 3 rd parties to create/modify/delete data via APIs 67% believed a hacker can penetrate their network 89% see web-scraping as a significant threat to their IP 83% run bug bounty programs to find vulnerabilities they miss As it turned out there are quite a few threats to application services that are not properly addressed as traditional security approaches are challenged and stretched. In parallel, the adoption of emerging frameworks and architectures, which rely on numerous integrations with multiple services, adds more complexity and increases the attack surface. Current Threat Landscape Last November, OWASP released a new list of top 10 vulnerabilities in web applications. Hackers continue to use injections, XSS, and a few old techniques such as CSRF, RFI/LFI and session hijacking to exploit these vulnerabilities and gain unauthorized access to sensitive information. Protection is becoming more complex as attacks come through trusted sources such as a CDN, encrypted traffic, or APIs of systems and services we integrate with. Bots behave like real users and bypass challenges such as CAPTCHA, IP-based detection and others, making it even harder to secure and optimize the user experience. Web application security solutions must be smarter and address a broad spectrum of vulnerability exploitation scenarios. On top of protecting the application from these common vulnerabilities, it has to protect APIs and mitigate DoS attacks, manage bot traffic and make a distinction between legitimate bots (search engines for instance) and bad ones like botnets, web-scrapers and more. DDoS Attacks 63% suffered denial of service attack against their application. DoS attacks render applications inoperable by exhausting the application resources. Buffer overflow and HTTP floods were the most common types of DoS attacks, and this form of attack is more common in APAC. 36% find HTTP/Layer-7 DDoS as the most difficult attack to mitigate. Half of the organizations take rate-based approaches (such as limiting the number of request from a certain source or simply buying a rate-based DDoS protection solution) which are ineffective once the threshold is exceeded and real users can’t connect. API Attacks APIs simplify the architecture and delivery of application services and make digital interactions possible. Unfortunately, they also introduce a wide range of risks and vulnerabilities as a backdoor for hackers to break into networks. Through APIs, data is exchanged in HTTP where both parties receive, process and share information. A third party is theoretically able to insert, modify, delete and retrieve content from applications. This is nothing but an invitation to attack: 62% of respondents did not encrypt data sent via API 70% of respondents did not require authentication 33% allowed third parties to perform actions (GET/ POST / PUT/ DELETE) Attacks against APIs: 39% Access violations 32% Brute-force 29% Irregular JSON/XML expressions 38% Protocol attacks 31% Denial of service 29% Injections Bot Attacks The amount of both good and bad bot traffic is growing. Organizations are forced to increase network capacity and need to be able to precisely tell a friend from a foe so both customer experience and security are maintained. Surprisingly, 98% claimed they can make such a distinction. However, a similar amount sees web-scraping as a significant threat. 87% were impacted by such an attack over the past 12 months, despite a variety of methods companies use to overcome the challenge – CAPTCHA, in-session termination, IP-based detection or even buying a dedicated anti-bot solution. Impact of Web-scraping: 50% gathered pricing information 43% copied website 42% theft of intellectual property 37% inventory queued/being held by bot 34% inventory held 26% inventory bought out Data Breaches Multinational organizations keep close tabs on what kinds of data they collect and share. However, almost every other business (46%) reports having suffered a breach. On average an organization suffers 16.5 breach attempts every year. Most (85%) take between hours and days to discover. Data breaches are the most difficult attack to detect, as well as  mitigate, in the eyes of our survey respondents. How do organizations discover data breaches? 69% Anomaly detection tools/SIEM 51% Darknet monitoring service 45% Information was leaked publicly 27% Ransom demand IMPACT OF ATTACKS Negative consequences such as loss of reputation, customer compensation, legal action (more common in EMEA), churn (more common in APAC), stock price drops (more common in America) and executives who lose their jobs are quick to follow a successful attack, while the process of repairing the damage and rebuild of a company’s reputation is long and not always successful. About half admitted having encountered such consequences. Securing Emerging Application Development Frameworks The rapidly growing amount of applications and their distribution across multiple environments requires adjustments that lead to variations once a change to the application is needed. It is nearly impossible to deploy and maintain the same security policy efficiently across all environments. Our research shows that ~60% of all applications undergo changes on a weekly basis. How can the security team keep up? While 93% of organizations use a Web Application Firewall (WAF), only three in ten use a WAF that combines both positive and negative security models for effective application protection. Technologies Used By DevOps 63% – DevOps and Automation Tools 48% – Containers (3 in 5 use Orchestration) 44% – Serverless / FaaS 37% – Microservers Among the respondents that used micro-services, one-half rated data protection as the biggest challenge, followed by availability assurance, policy enforcement, authentication, and visibility. Summary Is there a notion that organizations are confident? Yes. Is that a false sense of security? Yes. Attacks are constantly evolving and security measures are not foolproof. Having application security tools and processes in place may provoke a sense of being in control but are likely to be breached or bypassed sooner or later. Another question we are left with is whether senior management is fully aware of the day to day incidents. Rightfully so, they look to their internal teams tasked with application security to manage the issue, but there seems to be a mismatch between their perceptions of the effectiveness of their organizations’ application security strategies and the actual exposure to risk. Source: https://securityboulevard.com/2018/10/are-your-applications-secure

Read the original post:
Are Your Applications Secure?

Could Your Organisation’s Servers Be A Botnet?

Most organisations are aware that they could be the target of a DDoS attack and have deployed protection to keep their public-facing services online in the face of such attacks. However, far fewer have thought about the potential for their servers to be harnessed for use in a botnet, the group of servers used to conduct such DDoS attacks. Up until a few months ago, attackers typically only used well-known infrastructure services, like DNS resolution servers, to launch and amplify DDoS attacks, but Memcached – a popular database caching system – changed that. Malicious hackers have begun abusing Memcached to deliver attacks that are amplified to over 50,000 times their original size – one of the largest amplification methods ever detected. Any organisation running Memcached to speeds up their systems is a potential botnet recruit. How Memcached and similar UDP based service attacks work Earlier this year, researchers discovered that a flaw in the implementation of the User Datagram Protocol (UDP) for Memcached servers can allow hackers to deliver record-breaking attacks with little effort. Memcached is a distributed memory caching system, originally intended for use in speeding up networks and website applications by reducing database load. Memcached reduces latency and database load by storing data objects in memory, immediately returning them to the caller without requiring a database query. Usually, Memcached systems are deployed within a trusted network where authentication may not be required. However, when exposed to the Internet, they become trivially exploitable if authentication isn’t turned on. Not only is the cached data accessible to attackers, it’s simple to use the Memcached server for a DDoS attack, if UDP access is enabled. Specifically, with UDP an attacker can “spoof” or fake the Internet Protocol address of the target machine, so that the Memcached servers all respond by sending large amounts of data to the spoofed address, thus triggering a DDoS attack. Most popular DDoS tactics that abuse UDP connections can amplify the attack traffic up to 20 times, but Memcached can take a small amount of attack traffic and amplify the size of the request thousands of times. Thus, a small number of open Memcached servers can be used to create very large DDoS attacks. The implications to the organisation If you’re running Memcached with UDP and without authentication, you’re now a likely target for inclusion in a botnet. Should you become part of a botnet, it’s possible that both your servers and your bandwidth will be overloaded, resulting in outages and increased network costs. Indeed, attackers have already demonstrated how badly servers with misconfigured Memcached can be abused and used to launch DDoS attacks with ease. In addition, unprotected Memcached servers give attackers access to the user data that has been cached from its local network or host, potentially including email addresses, database records, personal information and more. Additionally, cybercriminals could potentially modify the data they access and reinsert it back into the cache without user’s knowledge, thus polluting production applications. To avoid being assimilated into a Borg-ish botnet, organisations and internet service providers need to take a more proactive approach in identifying any vulnerable servers before damage is done. What can be done to prevent the severs being recruited? Despite multiple warnings about threat actors exploiting unprotected Memcached servers, ArsTechnica reported that searches show there are more than 88,000 vulnerable servers – a sign that attacks may get much bigger. Therefore, it’s crucial that organisations ensure they have the correct security measure in place, to avoid being part of this wave. Attacks of those scale and size cannot be easily defended against by Internet Service Providers (ISPs), thus organisations need to take inventory of any Internet-facing servers and ensure that Memcached is not inadvertently exposed. For any internet-facing servers that require Memcached, they should consider using a Software-Defined Perimeter to ensure that only authorized users will be able to send UDP packets or establish TCP connection. This will prevent attackers from being able to harness servers in a DDoS attack and leverage them to amplify those attacks. In addition, companies need to look at internal servers that are running Memcached, because an internal distributed denial-of-service attack could also be launched from some locally-running malware. Source: https://www.informationsecuritybuzz.com/articles/could-your-organisations-servers-be-a-botnet/

See more here:
Could Your Organisation’s Servers Be A Botnet?

190 UK Universities Targeted with Hundreds of DDoS Attacks

A large number of security attacks have been targeting universities all over the UK. Over 850 DDoS attacks were analyzed across 190 universities. Security experts suspect students or staff to be behind the large-scale attacks. Over 850 DDoS attacks have taken place in the United Kingdom, that have targeted 190 universities in the 2017-2018 academic year. Security researchers from JISC studied all of the reported attacks and have found clear patterns that tie all of the attacks. JISC is responsible for providing internet connectivity to UK research and education institutions. After a thorough analysis of all attacks during the past academic year, their study reveals that the attackers are most likely staff or students who are associated with the academic cycle. JISC came to this conclusion because the DDoS activity sees noticeable drops during holidays at universities. More importantly, most of the attacks were centered around the university working hours of 9 am to 4 pm local time. Image Courtesy of JISC Head of JISC’s security operations center John Chapman revealed “We can only speculate on the reasons why students or staff attack their college or university – for the ‘fun’ of disruption and kudos among peers of launching an attack that stops internet access and causes chaos, or because they bear a grudge for a poor grade or failure to secure a pay rise”. One of the DDoS attacks lasted four days and was sourced to a university’s hall of residence. A larger dip in attacks was noticed this summer compared to the summer of 2017. With an international law enforcement operation going into effect against the number one DDoS-for-hire online market. The website being taken down led to a massive drop in the number of DDoS attacks globally, which indicates that the attacks on the UK universities were not done by professional hackers working with a personal agenda, but hired professionals. The motive behind these DDoS attacks is unknown, and it may serve as a cover for more sinister cybercriminal activity. Universities often store valuable intellectual property which makes them prime targets for many hackers. Source: https://www.technadu.com/190-uk-universities-targeted-hundreds-ddos-attacks/42816/

View article:
190 UK Universities Targeted with Hundreds of DDoS Attacks

Security breaches costing UK SMBs millions

Cybercriminals have moved on from large enterprises and are now targeting SMBs. While large organisations may offer a bigger payload, cybercriminals are increasingly targeting small and medium-sized businesses (SMBs) as they generally have smaller cybersecurity budgets and often lack a dedicated in-house security team to deal with cyberattacks. In its new Small and Mighty SMB Cybersecurity report, Cisco revealed that 53 per cent of SMBs have experienced a data breach. To compile its report, the company surveyed 1,816 respondents across 26 countries and also drew upon the results of its 2018 Security Capabilities Benchmark Study. According to Cisco, 29 per cent of SMBs will pay less than $100,000 after a data breach though 20 per cent said the same incident would cost them between $1m and $2.5m to resolve. The report also shed light on the fact that 40 per cent of SMBs will experience an average of eight hours or more of system downtime following a breach which is on par with their larger counterparts. Cisco explained how SMBs’ response differs from that of large enterprises in its report, noting: “The difference, though, is that larger organizations tend to be more resilient than small/midmarket businesses following an attack because they have more resources for response and recovery.” Of those surveyed, 39 per cent said at least half of their systems had been impacted as a result of a severe data breach in the last year. Regarding the biggest security challenges faced by SMBs, respondents reported targeted attacks, advanced persistent threats (APTs), ransomware and DDoS attacks as the most concerning. Source: https://www.itproportal.com/news/security-breaches-costing-uk-smbs-millions/

Read More:
Security breaches costing UK SMBs millions

DDoS Attack on German Energy Company RWE

Protesters in Germany have been camping out at the Hambach Forest, where the German energy company RWE has plans to mine for coal. Meanwhile, it’s been reported that RWE’s website was under attack as police efforts to clear the protesters from the woods were underway. According to Deutsche Welle , unknown attackers launched a large-scale distributed denial-of-service (DDoS), which took down RWE’s website for virtually all of Tuesday. No other systems were attacked, but efforts to clear away the protesters have been ongoing for the better part of the month, and activists have reportedly made claims that they will be getting more aggressive in their tactics. Activists have occupied the forest in hopes of preventing RWE from moving forward with plans to expand its coal mining operations, which would effectively clear the forest. In addition to camping out in the forest, the protesters have reportedly taken to YouTube to spread their message. Reports claim that a clip was posted last week by Anonymous Deutsch that warned, “If you don’t immediately stop the clearing of the Hambach Forest, we will attack your servers and bring down your web pages, causing you economic damage that you will never recover from,” DW reported. “Together, we will bring RWE to its knees. This is our first and last warning,” the voice from the video reportedly added. DDoS attacks are intended to cripple websites, and the attack on RWE allowed the activists to make good on their threat, at least for one day. ““This is yet another example that illustrates the DDoS threat to [softer targets in] CNI [critical network infrastructure].  RWE is an operator of an essential service (energy) in Germany. The lights didn’t go out but their public-facing website was offline as a result of this attack,” said Andrew Llyod, president, Corero Network Security. In a recent DDoS report, Corero researchers found that “after facing one attack, one in five organizations will be targeted again within 24 hours.” Source: https://www.infosecurity-magazine.com/news/ddos-attack-on-german-energy/

See more here:
DDoS Attack on German Energy Company RWE

Don’t Look Away, Peekaboo Vulnerability May Allow Hackers to Play the Long Game

The newly named Peekaboo vulnerability is a zero-day flaw in China-based Nuuo’s video recorder technology.The flaw in NVRMini2, a network-attached storage device, has remained unfixed in the three months since the vendor was alerted. This vulnerability put internet-connected CCTV cameras at risk, a grave concern for organizations using the service to view and manage their connected CCTV cameras. NUUO both uses the technology in its own products and licenses it to third-party surveillance system makers and systems integration partners. Exposure from Peekaboo Vulnerability Tenable Research, which discovered the Peekaboo flaw, said it could potentially impact more than 100 CCTV brands and approximately 2,500 different camera models. Organizations in wide range of industries, including retail, transportation, banking, and government, install these cameras to improve security. NUUO was informed of the vulnerability on June 5, 2018. Patches are now available on their website. This is not the first time an IoT vulnerability has brought unexpected risk to organizations. The Mirai botnet attacks showed how hackers can use CCTVs, webcams, and other Internet-connected devices to launch massive distributed denial of service (DDoS) attacks to cause mass disruption. Many of us saw the impact of Mirai in October 2016, when they used the botnets to take down Dyn. Apparently the latest IoT-related risk comes from the Peekaboo vulnerability, opening organizations to risk from an unexpected vector. Multiple Vulnerabilities Add Risk The Tenable team found two vulnerabilities; the first was an unauthenticated stack buffer overflow. A buffer overflow attack is when a hacker sends more data than a computer is designed to receive, leading the computer to inadvertently store the leftover data as commands the computer will later run. Buffer overflow is a common code level issue that has been prevalent for years, which can be identified through static analysis. The second vulnerability was a backdoor in leftover debug code, so together the flaws allow hackers to explore the surveillance data and access login credentials, port usage, IP addresses, and other information on the camera equipment itself. These types of issue map directly to coding errors and the remediation exposure disciplines of software exposure. Let’s take a look, however, at what a patient hacker can do with this particular security camera hack. Here is a hypothetical example of how a hacker might use the Peekaboo vulnerability: Turn off cameras or delete recordings by executing the buffer overflow Allow individuals to access to the building Install additional software within the building for later use Execute that software well after initial camera hack, resulting in significant exploits against the compromised system Confuse experts trying to determine the cause of exploit due to the multi-step attack Think Like a Hacker As usual, the original hack itself is not the end game. Deleting data or controlling security cameras allows attackers to circumvent security systems to rob residences or businesses. However, my major concern is the potential for infrastructure terrorism on electrical grids, nuclear plants, or water supplies. Hackers play the long game, and we in the security field need to as well. The software industry must react quickly to vulnerabilities such as Peekaboo, either to provide a patch in our own software, or to apply it as soon as it’s available. Software runs most of the objects we know and use every day. It’s our responsibility to make it as safe and secure as possible. Source:https://securityboulevard.com/2018/09/dont-look-away-peekaboo-vulnerability-may-allow-hackers-to-play-the-long-game/

Follow this link:
Don’t Look Away, Peekaboo Vulnerability May Allow Hackers to Play the Long Game

DDoS attack on education vendor hinders access to districts’ online portals

Multiple school districts are reportedly suffering the effects of a denial of service attack perpetrated against Blaine, Minn.-based Infinite Campus, a third-party online services provider. As a result, district residents may be unable to reliably use services such as the “Parent Portal, through which teachers, parents and students can access information such as grades, class schedules and school notifications. One such district is Oklahoma City Public Schools, which has issued an online statement to locals explaining that “Access to your student’s information through the parent portal may be limited or inaccessible due to the ‘denial of service’ attack on our provider, Infinite Campus.” No data was breached or stolen in the incident, OCPS has assured residents. “Many districts across the country are impacted and authorities are investigating,” the notification continues. Indeed, the Natrona County School District in Wyoming has reportedly issued a similar statement. Source: https://www.scmagazine.com/home/news/cybercrime/ddos-attack-on-education-vendor-hinders-access-to-districts-online-portals/

More:
DDoS attack on education vendor hinders access to districts’ online portals