Tag Archives: cybercrime

DDoS in the Time of COVID-19: Attacks and Raids

There is no escaping it. COVID-19 is dominating headlines and has impacted virtually every corner of the world. Like most people at this point, I’m 30 days into isolation and trying everything in my power to ignore the elephant in the room and the politics that go along with it. Unfortunately, or fortunately, cyber security is an essential business. As a result, those working in the field are not getting to experience any downtime during a quarantine. Many of us have been working around the clock, fighting off waves of attacks and helping other essential businesses adjust to a remote work force as the global environments change. Waves of Attacks Along the way we have learned a few things about how a modern society deals with a pandemic. Obviously, a global Shelter-in-Place resulted in an unanticipated surge in traffic. As lockdowns began in China and worked their way west, we began to see massive spikes in streaming and gaming services. These unanticipated surges in traffic required digital content providers to throttle or downgrade streaming services across Europe, to prevent networks from overloading. The COVID-19 pandemic also highlights the importance of service availability during a global crisis. Due to the forced digitalization of the work force and a global Shelter-in-Place, the world became heavily dependent on a number of digital services during isolation. Degradation or an outage impacting these services during the pandemic could quickly spark speculation and/or panic. For example, as COVID-19 began to take a toll on Australia’s economy, there became a rush of suddenly unemployed citizens needing to register for welfare services on MyGov, Australia’s government service portal. This natural spike in traffic ended up causing an outage on the morning of March 23 rd , requiring Government Services Minister Stuart Roberts to walk back his initial claims that the portal had suffered from a DDoS attack, naturally causing panic and speculation among those desperately seeking government assistance. In France, Assistance Publique – Hôpitaux de Paris, the university hospital trust managing 39 public hospitals in the area, found itself a victim of a DDoS attack on March 22 nd , just as France begin to deal with a surge in COVID-19 related cases. The attack was reported to have only lasted an hour and did not cause any significant damage. The problem was, upon further review, in order to deal with the attack, there was a reduction in internet access. Typically, during any other day, this reduction would not have had an impact, but due to the pandemic and a remote, non-essential work force, employees outside of the hospital’s network were blocked from external access during this attack, resulting in the inability to access email, Skype or remote application. In addition to this attack, the Brno University Hospital in the Czech Republic was hit a week earlier with a cyber-attack that force the hospital to shut down their entire network, resulting in the cancellation of surgeries. And if that wasn’t enough, a food delivery service in Germany experienced a DDoS attack from an extortionist. Lieferando.de, also known as takeaway.com, is a takeaway food service that delivers from more than 15,000 restaurants in Germany. During this global pandemic, citizens of the world have become very dependent on take away food services as part of the effort to help flatten the curve. Unfortunately, an extortionist attempted to capitalize on this by launching a Ransom Denial of Service (RDoS) attack on Takeaway, demanding 2 BTC ($11,000) to stop the attack. As a result, some orders were able to be accepted but were never delivered, forcing Germans to find another option for the night. Taking Down Cyber Criminals It should come as no surprise that law enforcement agencies around the world are particularly interested in taking down those looking to profit from COVID-19. They are also interested in kicking down doors of those who are conducting DDoS attacks during the pandemic. On April 10 th , a 19-year-old from Breda, Netherlands, was arrested for conducting a DDoS attack on March 19 th against MijnOverheid.nl and Overhied.nl. Both of these websites are government-related and were providing Dutch citizens with important government information related to the pandemic. It’s truly unfortunate to see teenagers in the middle of a pandemic targeting critical infrastructure, preventing access to emergency regulations and advisories, but what did we expected? A cease-fire? In order to prevent additional DDoS attacks, a week prior to the Breda arrest, Dutch police shut down 15 stresser services. While these services were not listed, I can tell you, the raid was largely unnoticeable. Part of the problem can be found between the words of Jeroen Niessen, Dutch Police: “With preventive actions, we want to protect people as much as possible against DDoS attacks. By taking booters and their domain names offline, we make it difficult for cyber criminals. We have now put quite a few on black. If they pop up elsewhere, we will immediately work on it again. Our goal is to seize more and more booters…” If they pop up elsewhere, we will immediately work on it again…. But Are These Efforts Futile? In my opinion, it sounds like the police finally understand that raids are a losing battle without total commitment. If there’s one thing we learned from the 2019 raid of KV solution, a bulletproof hosting provider, it was that when one criminal falls, dozens are willing to replace them. For example, in 2018 the Department of Justice took down 15 stresser services as part of an effort to prevent DDoS attacks. The domain seized are listed below: anonsecurityteam.com booter.ninja bullstresser.net critical-boot.com defcon.pro defianceprotocol.com downthem.org layer7-stresser.xyz netstress.org quantumstress.net ragebooter.com request.rip str3ssed.me torsecurityteam.org vbooter.org The problem is, taking down a stresser service is pointless when there are so many criminals using public services and corporations to mask their identities. Until there is cooperation and commitment to removing the DDoS threat completely, it will always linger, rearing its nasty head in the worst moments. Due to the lack of commitment between the global law enforcement community and the security community, we are unable to see a meaningful impact in the DDoS landscape. It’s really not that difficult to find a stresser service today. In fact, you can find these criminals openly advertising their services on major search engines–no Tor browser or Darknet Market required. While search engines could simply de-index these services, they choose not to. Instead, they elect to profit from your misfortune. Below are a handful of sites found on popular search engine using the terms ‘booter’ or ‘stresser’: powerstresser.pro, freeboot.to, instant-stresser.to, meteor-security.to, layer7-security.to, stressthem.to, stress.to, stress.gg, booter.vip, bootstresser.com, bootyou.net, defconpro.net, str3ssed.co, ts3booter.net, vdos-s.co, webstresser.biz, hardstresser.com, havoc-security.pw, synstresser.to, dosninja.com, stresser.wtf, thunderstresser.me, ripstresser.rip, astrostress.com, botstress.to, dotn3t.org, nightmarestresser.to, silentstress.wtf, torstress.com, xyzbooter.net, databooter.to. A Temporary Solution After reviewing the list, Officer Jeroen Niessen’s statement becomes clearer. Whether or not these current websites are associated with the original criminal groups or cloned, multiple stressers with notorious names have been reappearing. In general, I think it’s fair to say that while raids are disrupting criminals, they have hardly put a dent in the overall activity or economy of the DDoS-as-a-Service industry. Takedowns only represent a temporary solution, and this has become clear during the pandemic. Unfortunately, the threat landscape continues to evolve during a pandemic. Criminals are clearly not taking time off. Worst of all, not only is the public cloud fully in scope for cybercriminals looking to compromise enterprise equipment, but due to the ongoing pandemic and the remote digitalization of the work force, remote software and digital services have come under fire from opportunist criminals. I think during this time of chaos and uncertainty we really need to reflect on our impact and ability to secure the digital workforce and ask ourselves, are we protecting criminals due to privacy concerns or is there more we could do to remove and eliminate the DDoS threat? Source: https://securityboulevard.com/2020/04/ddos-in-the-time-of-covid-19-attacks-and-raids/

Taken from:
DDoS in the Time of COVID-19: Attacks and Raids

Cyber Warfare Doesn’t Take a Break During Coronavirus Season

US Health Agencies Are Fending off DDoS Attacks and Disinformation Campaigns in the Midst of a Pandemic Unfettered by social distancing measures or economic concerns, cyber threat actors are taking full advantage of opportunities created by the coronavirus pandemic. United States health agencies are being tested by distributed denial of service (DDoS) attacks and social media disinformation campaigns as they scramble to respond to an unprecedented viral outbreak, and these attacks are thought to be backed by a hostile foreign government. Federal health agency hit with DDoS attack A large-scale DDoS attack was directed at the U.S. Health and Human Services Department sometime around March 15. A spokesperson for the National Security Council stated that the attack did not do any substantial damage and that the networks are being “continuously monitored” to mitigate any future attempts. The DDoS attack involved millions of requests on the health agency’s servers over a period of several hours. A Health and Human Services spokesperson indicated that the government does not know who was behind the attack, but suspects a foreign government. The DDoS attack did not involve any network compromise, nor did it significantly slow down operations. The spokesperson indicated that the agency has put unspecified “extra protections” in place going forward. Fake texts and tweets part of organized disinformation campaign In addition to the DDoS attack, the National Security Council indicated that there is an ongoing disinformation campaign intended to sow fear and confusion in the American public that focuses on the health agencies. This is also believed to be backed by a foreign government. The agency warns about fake text messages that claim a mandatory national quarantine or lockdown is imminent. This disinformation campaign is also circulating widely on social media platforms such as Twitter and Facebook, and usually involves someone claiming they heard about imminent National Guard mobilization for a lockdown from some sort of friend or family member with inside information. The most damaging aspect of the disinformation campaign was a hack that managed to penetrate emergency MMS and SMS text-messaging systems used in a number of different cities in the US, which occurred just after Italy opted to lock down the entire country. The attackers sent out a bogus “warning” message claiming that public and emergency services were about to be shut down due to the coronavirus. These messages did not initially get out to the general public on a large scale, but did make their way to various emergency services personnel in a number of major cities including Boston, Washington DC and New York City. There is no indication at present that a national quarantine or lockdown is being considered. Such a move would be logistically difficult and extremely unpopular politically. While President Trump has mentioned that the possibility has been discussed, he has also signaled a desire to avoid action of this sort by the federal government on several occasions. During his March 21 briefing, Trump indicated that the government is focusing on action in coronavirus “hot zones” and that a national shutdown was not being seriously considered at the time. Perpetrators, motives and methods The assumption that a foreign government is behind these cyber incidents is primarily based on the lack of any sort of profit motive behind shutting down health agency servers or spreading false rumors on social media. While the rumors could potentially be used to manipulate stock prices in an indirect way, it seems more likely that this is a coordinated effort given that the DDoS attack and the disinformation campaign emerged at about the same time. Anonymous officials told ABC News that they believe Russia or China are the most likely perpetrators. This would not at all be a surprising move by either of these American adversaries, but particularly not for Russia. Russian “troll farms” that use fake social media accounts to pose as Americans and stir up dissent and division have been making the news since the widespread interference in the 2016 election, but have likely been working for over a decade now. This sort of disinformation campaign is precisely their MO. Any state-sponsored threat actor is capable of using a botnet, but DDoS attacks against other countries have been the hallmark of two particular hacking groups in recent years: APT 28, aka Russia’s infamous “Fancy Bear” group, and APT 33 (Elfin Team) out of Iran. Greg Wendt, Executive Director of Appsian, points out that though these health agencies have been successfully able to mitigate DDoS attacks they may be ripe for more targeted and sophisticated breach attempts: ” … government institutions such as the HHS are key targets for cyberattacks, and given that the government has many applications and systems that were written and developed 35-40 years ago, the process to modernize and transform the critical nature of data is a lengthy one and not a process that can be successfully done overnight.” New challenges for both government and private industry The cyber challenges posed by the coronavirus outbreak are not limited to health agencies. Private industry and individuals can also expect online predators to attempt to take advantage of the situation. Thomas Hatch, CTO and Co-Founder at SaltStack, a Lehi, Utah-based provider of intelligent IT automation software, foresees an inevitable increase in attacks on certain business sectors: “Petty thieves will assume that classical attacks are going to be more effective because cyber defense staffing is likely distracted right now dealing with the influx of issues that come from a demand shift for specific services. Organized groups are likely empowered by the situation and will want to take advantage of it. They can attack specific services, particularly financial institutions because of the overall distracted nature of the defenders.” Leading security firm Crowdstrike is reporting a significant increase in activity in phishing campaigns concurrent with global implementation of coronavirus restrictions. Early examples that have been spotted in the wild have promised free vaccines or offers of charity relief. Some targeted attacks on health care organizations have claimed to be related to shipments of ventilators or personal protective equipment. Hackers are also commonly attempting to pose as a legitimate health agency such as the WHO or CDC. In addition to targeted cyber attacks, everyone should be on heightened alert for messages tied to disinformation campaigns being spread throughout all sorts of public forums online. Source: https://www.cpomagazine.com/cyber-security/cyber-warfare-doesnt-take-a-break-during-coronavirus-season-us-health-agencies-are-fending-off-ddos-attacks-and-disinformation-campaigns-in-the-midst-of-a-pandemic/

Read the original post:
Cyber Warfare Doesn’t Take a Break During Coronavirus Season

Across-the-board increase in DDoS attacks of all sizes

There has been a 168% increase in DDoS attacks in Q4 2019, compared with Q4 2018, and a 180% increase overall in 2019 vs. 2018, according to Neustar. The company saw DDoS attacks across all size categories increase in 2019, with attacks sized 5 Gbps and below seeing the largest growth. These small-scale attacks made up more than three quarters of all attacks the company mitigated on behalf of its customers in 2019. DDoS attacks … More ? The post Across-the-board increase in DDoS attacks of all sizes appeared first on Help Net Security .

Original post:
Across-the-board increase in DDoS attacks of all sizes

Ransomware getting more fearsome, but there’s reason for optimism

Cybercriminals continued a barrage of attacks in 2019, spurred on by botnets of infected IoT devices and by attacker interest in the Eternal Blue vulnerability. A report from F-Secure documents a steep increase in attack traffic in 2019 that was unmatched by previous years. There have been 2.8 billion attack events in the second half of the year. After 2.9 billion in the first half of the year, the yearly total rings in at 5.7 … More ? The post Ransomware getting more fearsome, but there’s reason for optimism appeared first on Help Net Security .

More:
Ransomware getting more fearsome, but there’s reason for optimism

Average DDoS attack sizes decrease 85% due to FBI’s shutdown of DDoS-for-hire websites

The FBI’s shutdown of the 15 largest distributed denial-of-service (DDoS) for hire vendors (booters) reduced the overall number of attacks worldwide by nearly 11 percent compared to the same period last year. Along with the fewer total attacks, the average size decreased by 85 percent as did the maximum attack size by 24 percent, indicating the FBI crackdown was effective in reducing the global impact of DDoS attacks. However, booter websites are poised to make … More ? The post Average DDoS attack sizes decrease 85% due to FBI’s shutdown of DDoS-for-hire websites appeared first on Help Net Security .

Protecting consumers from mobile and IoT threats

A new report by Allot Communications revealed a dynamic and automated threat landscape in which consumers lack the security expertise to effectively protect themselves. Mobile and Internet of Things continue to be primary attack vectors, contributing to a spike in cryptojacking, adware, and DDoS attacks. The Telco Security Trends Report is based on anonymous data gathered from four communications service providers (CSPs) across Europe and Israel, who between them, protect seven million customers. It found … More ? The post Protecting consumers from mobile and IoT threats appeared first on Help Net Security .

Return of Necurs botnet brings new ransomware threat

The Necurs botnet has returned to the top ten most prevalent malware during November 2017, as cybercriminals used it to distribute a new form of ransomware, according to Check Point. Researchers found that hackers were using Necurs, considered to be the largest spam botnet in the world, to distribute the relatively new Scarab ransomware that was first seen in June 2017. The Necurs botnet started mass distribution of Scarab during the Thanksgiving holiday, sending over … More ?

Link:
Return of Necurs botnet brings new ransomware threat

DDoS attacks: $100,000 per hour is at risk during peak revenue generation periods

Neustar and Harris Interactive conducted global, independent research of 1,010 directors, managers, CISOs, CSOs, CTOs, and other c-suite executives to find out how DDoS attacks affect their organizations and what measures are in place to counter these threats. The respondents span many industries, including technology, financial services, retail, healthcare and energy. “DDoS attacks are the zeitgeist of today’s Internet,” said Barrett Lyon, pioneer of the DDoS defense industry and Head of Research and Development at … More ?

Continue Reading:
DDoS attacks: $100,000 per hour is at risk during peak revenue generation periods

CLDAP reflection attacks generate up to 24 Gbps of traffic

Akamai researchers Jose Arteaga and Wilber Majia have identified a new Connection-less Lightweight Directory Access Protocol (CLDAP) reflection and amplification method. CLDAP query packet Akamai’s Security Intelligence Response Team (SIRT) has observed this attack vector producing DDoS attacks consistently exceeding 1 Gbps, comparable to DNS reflection attacks. CLDAP Unlike other reflection-based vectors, where compromised hosts may number in the millions, the observed CLDAP amplification factor has been able to produce significant attack bandwidth with significantly … More ?

More:
CLDAP reflection attacks generate up to 24 Gbps of traffic

The emergence of new global cybercriminal attack patterns

The findings of a new Malwarebytes report illustrate a significant shift in cybercriminal attack and malware methodology from previous years. Ransomware, ad fraud and botnets, the subject of so much unjustified hype over previous years, surged to measurable prominence in 2016 and evolved immensely. Cybercriminals migrated to these methodologies en masse, impacting nearly anyone and everyone. To better understand just how drastically the threat landscape evolved in 2016, researchers examined data taken from Windows and … More ?