Tag Archives: ddos-attacks

Are you Ready for These 26 Different Types of DDoS Attacks?

The scourge of distributed denial-of-service (DDoS) attacks has been a major concern for businesses and governments for more than two decades. First reported in 1996, this is a destructive and ever-evolving vector of cyber raids that knocks networks offline by flooding them with traffic they cannot handle. Not only is DDoS a way for hacktivists to protest against Internet censorship and controversial political initiatives, it is also a goldmine of opportunities for strictly nefarious goals. For instance, the latest tweak in this epidemic is "ransom DDoS," a technique used to extort money from organizations in exchange for discontinuing a massive incursion.

A big hurdle to thwarting the DDoS phenomenon is that it is heterogeneous and spans a variety of tactics. To begin with, there are three overarching categories that form the backbone of this ecosystem:

Volume-based (volumetric) attacks are the "classic" ones that congest a target network's bandwidth with a hefty amount of traffic; their size is measured in bits per second.

Protocol attacks exhaust the state-tracking resources of servers, firewalls and load balancers (connection tables, fragment reassembly buffers); their size is measured in packets per second.

Application layer (layer 7) attacks zero in on specific web applications rather than the whole network; their size is measured in requests per second. They are particularly hard to prevent and mitigate while being relatively easy to orchestrate, because every request looks legitimate and is cheap for the attacker to send but expensive for the server to answer.

Furthermore, there are dozens of sub-types that fall into one of the above generic groups but exhibit unique characteristics. Here's a breakdown of present-day DDoS attack methods.

1. SYN Flood. This attack exploits the TCP three-way handshake (SYN, SYN-ACK, ACK) used to establish every TCP connection between a client and a server. Normally, a client sends a SYN (synchronize) segment to request a connection, and the server allocates a half-open connection entry while it waits for the client's final ACK. In a SYN flood, attackers send a plethora of SYNs from spoofed source addresses, so the final ACK never arrives; the server's backlog of half-open connections fills up and it denies service to real clients. SYN cookies, which let the server defer allocating state until the handshake completes, are the standard mitigation.

2. LAND attack. To perform a Local Area Network Denial (LAND) attack, a threat actor sends a crafted SYN segment in which the source and destination IP addresses (and ports) are identical. A vulnerable TCP stack tries to respond to itself, loops replying to its own replies, and the target host may hang or crash. Modern operating systems and firewalls drop such packets, but the check is still worth keeping in ingress filters.

3. SYN-ACK Flood. This vector abuses the handshake stage in which the server sends a SYN-ACK to acknowledge the client's request. Attackers flood the target with unsolicited SYN-ACK segments; for each one the target must search its connection table, find no matching SYN, and generate a RST, consuming CPU and memory. Such traffic is often the reflected by-product of a SYN flood in which the spoofed source address was the target itself.

4. ACK & PUSH ACK Flood. Once the three-way handshake has established a connection, ACK or PSH/ACK segments are exchanged until the session is terminated. A server targeted by this attack receives ACK segments that belong to no existing session; it cannot distinguish them from legitimate ones without a state lookup and wastes its processing capacity deciding how to handle them.

5. Fragmented ACK Flood. A knockoff of the ACK & PUSH ACK flood: the target network is deluged with a comparatively small number of fragmented ACK packets of the maximum size the path allows, usually 1,500 bytes each (the Ethernet MTU). Routers and stateful devices run out of resources trying to reassemble them, and fragments can slip past intrusion prevention systems (IPS) and firewalls that only inspect the first fragment.

6. Spoofed Session Flood (Fake Session Attack). To circumvent protection tools, attackers forge what looks like a complete TCP session: a bogus SYN, a series of ACKs, and at least one RST (reset) or FIN (finish) segment. This gets around defenses that only keep tabs on incoming traffic rather than correlating it with return traffic; asymmetrically routed networks are especially exposed.

7. UDP Flood. As the name suggests, this attack leverages a high rate of User Datagram Protocol (UDP) datagrams. UDP has no handshake (unlike TCP), so the source address cannot be verified and is trivially spoofed. Each datagram aimed at a closed port makes the target check for a listening application and answer with an ICMP "port unreachable" message, and the volume of dummy packets exceeds the target's capacity to process and respond.

8. DNS Flood. A variant of UDP flood that homes in on DNS servers. The attacker generates a slew of DNS queries resembling legitimate ones, appearing to come from a huge number of different IP addresses (often for random, non-existent subdomains of the victim's zone, so caches cannot absorb them). DNS floods are among the hardest to prevent and recover from, because dropping the traffic also drops legitimate name resolution.

9. VoIP Flood. A common form of UDP flood that targets a Voice over Internet Protocol (VoIP) server, usually with SIP requests. The multitude of bogus requests from numerous IP addresses drains the server's resources and eventually knocks it offline.

10. NTP Flood (NTP Amplification). Network Time Protocol (NTP), one of the oldest networking protocols, tasked with clock synchronization between systems, is at the core of another vector. The attacker sends small requests carrying the victim's spoofed address to publicly accessible NTP servers, which reply to the victim with much larger responses (the legacy monlist command returns the server's last 600 clients, hundreds of times the size of the query). The target network is overloaded with UDP packets it never asked for.

11. CHARGEN Flood. Like NTP, the Character Generator Protocol (CHARGEN, UDP port 19) is an oldie dating back to 1983 (RFC 864) that still runs on some connected devices such as printers and photocopiers. The attacker sends tiny packets carrying the victim's fabricated source IP to devices with CHARGEN enabled; each replies with a datagram of arbitrary characters addressed to the victim, flooding it with redundant data.

12. SSDP Flood. Attackers exploit networked devices running Universal Plug and Play (UPnP) services with a Simple Service Discovery Protocol (SSDP, UDP port 1900) reflection attack; SSDP is the discovery component of UPnP. The attacker sends small discovery requests with the victim's spoofed IP to many UPnP devices, whose responses flood the victim until it goes offline.

13. SNMP Flood (SNMP Amplification). Tasked with harvesting and organizing data about connected devices, the Simple Network Management Protocol (SNMP, UDP port 161) can become the pivot of another reflection attack. Attackers send numerous small requests with the victim's spoofed address to SNMP-enabled servers, switches and routers; as more and more "listening" devices reply to that address, the victim's network cannot cope with the volume of responses.

14. HTTP Flood. The adversary sends ostensibly legitimate GET or POST requests to a server or web application, siphoning off most or all of its resources. This technique often uses botnets of "zombie" computers previously infected with malware, so the requests arrive from real, non-spoofed addresses over completed TCP handshakes.

15. Recursive HTTP GET Flood. The attacker requests an array of pages from a server, inspects the replies, and iteratively requests every linked item to exhaust the server's resources. The traffic looks like a series of legitimate queries (or a crawler) and can be difficult to identify.

16. ICMP Flood. Also called Ping Flood, this incursion inundates a server or other network device with numerous spoofed Internet Control Message Protocol (ICMP) echo requests (pings). For every echo request received, the target generates an echo reply; since that capacity is finite, the device reaches its performance threshold and becomes unresponsive.

17. Misused Application Attack. Instead of spoofed addresses, this attack parasitizes legitimate client computers running resource-intensive applications such as P2P tools. Attackers redirect the traffic of these clients to the victim server (for example by seeding a P2P network with the victim's address as a peer), bringing it down through excessive load. The technique is hard to prevent because the traffic originates from real machines running real applications.

18. IP Null Attack. This one sends a slew of packets whose IPv4 header has the Protocol field, which should identify the transport-layer protocol (6 for TCP, 17 for UDP), set to zero. Some hosts cannot process these packets properly and waste resources trying to work out how to handle them; a border filter can simply drop them.

19. Smurf Attack. Named after the smurf.c program that first implemented it, this attack floods a network with ICMP echo requests whose source address is spoofed to the victim and whose destination is a broadcast address. Every host on the receiving network replies to the victim, producing a flood of echo replies it cannot process. Disabling directed-broadcast forwarding on routers, the default on modern equipment, defuses it.

20. Fraggle Attack. Follows the same logic as Smurf, except that it deluges the victim with UDP packets (typically to the echo or CHARGEN ports) rather than ICMP echo requests.

21. Ping of Death. Attackers send malformed ping packets whose reassembled size exceeds the maximum IP packet length of 65,535 bytes. This inconsistency causes the target to over-allocate resources while reassembling the fragments, which on vulnerable systems leads to a buffer overflow or crash. Modern operating systems check the reassembled length, but the attack remains a useful test of fragment handling.

22. Slowloris. This attack stands out because it requires very low bandwidth and can be carried out from a single computer. It opens many concurrent connections to a web server and keeps them open for as long as possible: the attacker sends partial HTTP requests and trickles in additional headers every so often so the requests never complete. The server's pool of simultaneous connections is drained and it can no longer accept legitimate clients. An idle timeout alone does not help, because the attacker never goes idle for long enough; a deadline for completing the whole request head does.

23. Low Orbit Ion Cannon (LOIC). Originally designed as a network stress-testing tool, LOIC can be weaponized in real-world DDoS attacks. Written in C#, this open-source program deluges a server with a large number of UDP, TCP or HTTP packets to disrupt the target's operation. Its "hive mind" mode lets a single operator coordinate thousands of volunteer installations over IRC. LOIC does not spoof source addresses, so participants are easy to trace.

24. High Orbit Ion Cannon (HOIC). HOIC is a publicly available application that superseded LOIC and has considerably more disruptive potential. It submits a plethora of HTTP GET and POST requests concurrently, randomized by user-supplied "booster" scripts to evade simple signatures, and can target up to 256 different domains at the same time.

25. ReDoS. Regular expression denial-of-service. Its goal is to overburden a program's regular expression engine with inputs that trigger catastrophic backtracking in a poorly written pattern, typically one with nested or overlapping quantifiers such as (a+)+. A single crafted string can make matching time grow exponentially with input length, so the target wastes CPU and slows down or hangs. Unlike the other entries here, it needs no traffic volume at all.

26. Zero-Day DDoS. A catch-all for attacks that take advantage of previously uncatalogued vulnerabilities in a web server, protocol implementation or network device. Such flaws surface from time to time, making prevention a moving target.

A Serious Threat

Although distributed denial-of-service is an old-school attack vector, it continues to be a serious threat to organizations. The monthly number of such attacks exceeds 400,000. To top it off, cybercriminals keep adding new DDoS mechanisms to their repertoire, and security providers aren't always prepared to tackle them. Another unnerving thing is that some tools, including LOIC and HOIC, are open source and can be used by wannabe criminals who lack technical skills; such an attack may get out of hand and go far beyond the intended damage. To prevent DDoS attacks and minimize their impact, businesses should learn to proactively identify the red flags; have an appropriate response plan in place; make sure their security posture has no single point of failure; and continuously strengthen the network architecture.

Source: https://www.securitymagazine.com/articles/92327-are-you-ready-for-these-26-different-types-of-ddos-attacks
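The SYN flood (item 1) and the reflection/amplification items (10 through 13) share two signatures a defender can check for in flow data: SYNs that are never followed by the client's ACK, and inbound UDP from a reflector port that the protected host never sent a query to. The Python below is an added example, not code from the Security Magazine article. It runs over constructed flow records in a made-up "proto src:port > dst:port flags bytes" format using RFC 5737 documentation addresses; the thresholds are illustrative and should be tuned against a baseline of the real network.

```python
"""Added example: score constructed flow records for the SYN-flood and
reflection/amplification signatures. Record format (constructed for this example):
    proto src_ip:sport > dst_ip:dport tcp_flags bytes
"""
from collections import defaultdict

VICTIM = "203.0.113.10"  # documentation address (RFC 5737) standing in for the protected host

# UDP services commonly abused as reflectors, keyed by the source port their responses come from.
REFLECTOR_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 161: "snmp", 1900: "ssdp"}


def build_sample(attack=True):
    """Constructed flow records: a little legitimate traffic, optionally plus an attack."""
    lines = [
        # two real clients complete the handshake: SYN, then ACK (or PSH/ACK)
        "tcp 203.0.113.20:51000 > 203.0.113.10:443 S 60",
        "tcp 203.0.113.20:51000 > 203.0.113.10:443 A 52",
        "tcp 203.0.113.21:51001 > 203.0.113.10:443 S 60",
        "tcp 203.0.113.21:51001 > 203.0.113.10:443 PA 180",
        # the host itself queries an NTP server and a resolver; those replies are solicited
        "udp 203.0.113.10:40000 > 198.51.100.123:123 - 76",
        "udp 198.51.100.123:123 > 203.0.113.10:40000 - 76",
        "udp 203.0.113.10:40001 > 198.51.100.53:53 - 60",
        "udp 198.51.100.53:53 > 203.0.113.10:40001 - 140",
    ]
    if attack:
        # SYN flood: 50 SYNs from 50 spoofed sources that never send the final ACK
        lines += [f"tcp 192.0.2.{i}:{20000 + i} > 203.0.113.10:443 S 60" for i in range(1, 51)]
        # NTP amplification: unsolicited large responses from 8 reflectors the host never queried
        lines += [f"udp 198.51.100.{i}:123 > 203.0.113.10:80 - 482" for i in range(1, 9)]
    return lines


def parse_flows(lines):
    """Parse the record format above into dicts."""
    flows = []
    for line in lines:
        proto, src, _, dst, flags, size = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append({"proto": proto, "sip": sip, "sport": int(sport), "dip": dip,
                      "dport": int(dport), "flags": flags, "bytes": int(size)})
    return flows


def syn_flood_score(flows, dst):
    """Sources that sent a SYN to dst but never an ACK, i.e. half-open connections left behind.
    A genuine client follows its SYN with an ACK; a spoofed source never sees the SYN-ACK."""
    syn_sources, ack_sources = set(), set()
    for f in flows:
        if f["proto"] != "tcp" or f["dip"] != dst:
            continue
        if f["flags"] == "S":
            syn_sources.add(f["sip"])
        elif "A" in f["flags"]:
            ack_sources.add(f["sip"])
    half_open = syn_sources - ack_sources
    ratio = len(half_open) / len(syn_sources) if syn_sources else 0.0
    return {"syn_sources": len(syn_sources), "half_open": len(half_open), "half_open_ratio": ratio}


def amplification_score(flows, dst):
    """Inbound UDP from a reflector port that dst never sent a query to, grouped by service."""
    solicited = {(f["dip"], f["dport"]) for f in flows if f["proto"] == "udp" and f["sip"] == dst}
    per_service = defaultdict(lambda: {"sources": set(), "bytes": 0})
    for f in flows:
        if f["proto"] != "udp" or f["dip"] != dst or f["sport"] not in REFLECTOR_PORTS:
            continue
        if (f["sip"], f["sport"]) in solicited:
            continue  # reply to the host's own query, e.g. its NTP sync; not an attack
        entry = per_service[REFLECTOR_PORTS[f["sport"]]]
        entry["sources"].add(f["sip"])
        entry["bytes"] += f["bytes"]
    return {svc: {"sources": len(v["sources"]), "bytes": v["bytes"]} for svc, v in per_service.items()}


def classify(flows, dst, half_open_ratio=0.8, min_syn_sources=20, min_reflectors=5):
    """Return the list of signatures that fire for dst (thresholds are illustrative)."""
    verdicts = []
    s = syn_flood_score(flows, dst)
    if s["syn_sources"] >= min_syn_sources and s["half_open_ratio"] >= half_open_ratio:
        verdicts.append("syn_flood")
    for svc, v in amplification_score(flows, dst).items():
        if v["sources"] >= min_reflectors:
            verdicts.append(f"{svc}_amplification")
    return verdicts


if __name__ == "__main__":
    flows = parse_flows(build_sample())
    print(syn_flood_score(flows, VICTIM))
    print(amplification_score(flows, VICTIM))
    print(classify(flows, VICTIM))
```

The "solicited" check is what separates reflection traffic from the host's own NTP or DNS replies; without it, every resolver answer would look like an amplification packet. Note that the half-open ratio works for spoofed SYN floods but not for an attacker who also spoofs ACKs, which is why real deployments pair it with rate and packet-size baselines.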
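Slowloris (item 22) deserves a closer look because the obvious defense, an idle timeout, does not work: the attacker sends the next header line just before the idle timer expires. What does work is a deadline for completing the whole request head. The example below is added here and is not part of the original article or of any web server's code; it pairs a minimal header reader with a slowloris-style client over a local socketpair so it runs offline, with timeouts shortened to fractions of a second so the demonstration finishes quickly.

```python
"""Added example: an HTTP header reader with both an idle timeout and a total
deadline, exercised by a slowloris-style client over socket.socketpair()."""
import socket
import threading
import time


def read_request_headers(conn, idle_timeout=5.0, total_deadline=10.0, max_bytes=8192):
    """Read one HTTP request head from conn.

    Returns ("complete", [header lines]), ("timed_out", None), ("too_large", None)
    or ("closed", None). idle_timeout bounds the gap between two recv() calls;
    total_deadline bounds the whole header phase. Slowloris defeats the first limit
    by sending a line just before each idle timer expires, so the second is the one
    that frees the connection slot.
    """
    deadline = time.monotonic() + total_deadline
    buf = b""
    try:
        while b"\r\n\r\n" not in buf:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                return "timed_out", None
            if len(buf) > max_bytes:
                return "too_large", None
            conn.settimeout(min(idle_timeout, remaining))
            chunk = conn.recv(1024)
            if not chunk:
                return "closed", None
            buf += chunk
        head = buf.split(b"\r\n\r\n", 1)[0].decode("latin-1")
        return "complete", head.split("\r\n")
    except socket.timeout:
        return "timed_out", None
    finally:
        conn.close()  # free the slot whatever happened


def slowloris_client(sock, interval):
    """Send a partial request, then one harmless-looking header per interval, and
    never the blank line that would finish it. Stops when the server closes the socket."""
    try:
        sock.sendall(b"GET / HTTP/1.1\r\nHost: example.test\r\n")
        n = 0
        while True:
            time.sleep(interval)
            sock.sendall(f"X-a: {n}\r\n".encode())
            n += 1
    except OSError:
        pass  # server closed its end
    finally:
        sock.close()


def simulate(idle_timeout, total_deadline, interval=0.05):
    """Run the reader against a slowloris client; return (status, seconds until the slot was freed)."""
    server_end, client_end = socket.socketpair()
    t = threading.Thread(target=slowloris_client, args=(client_end, interval), daemon=True)
    t.start()
    start = time.monotonic()
    status, _ = read_request_headers(server_end, idle_timeout, total_deadline)
    elapsed = time.monotonic() - start
    t.join(timeout=2.0)
    return status, elapsed


def simulate_complete():
    """A well-behaved client for comparison: full request head, read returns at once."""
    server_end, client_end = socket.socketpair()
    client_end.sendall(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
    client_end.close()
    return read_request_headers(server_end, idle_timeout=1.0, total_deadline=1.0)


if __name__ == "__main__":
    print(simulate_complete())
    # the client sends every 50 ms, so a 500 ms idle timeout never fires;
    # the 300 ms total deadline is what ends the connection
    print(simulate(idle_timeout=0.5, total_deadline=0.3))
```

Production servers expose the same two knobs under different names (for example a header timeout and a request-line/body deadline); the point of the demonstration is that only the total deadline bounds how long one attacker connection can occupy a worker.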
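ReDoS (item 25) needs no traffic at all, so it is easiest to see in code. The script below is an added example, not from the article: it times the classic nested-quantifier pattern ^(a+)+$ against the input that defeats it, compares the equivalent single-quantifier pattern, and adds a cheap pattern lint plus an input-length cap. The lint and the cap are this example's own helpers, not a standard-library feature.

```python
"""Added example: catastrophic backtracking in Python's re module, the input that
triggers it, and two mitigations (rewrite the pattern, bound the input)."""
import re
import time

# Vulnerable: nested quantifiers. On "aaa...a!" the engine tries every way of
# splitting the run of a's between the inner and outer repeat before giving up,
# roughly 2**n attempts for n a's.
EVIL_PATTERN = re.compile(r"^(a+)+$")
# Same language (one or more a's) with a single quantifier: one pass, no ambiguity.
SAFE_PATTERN = re.compile(r"^a+$")


def redos_input(n):
    """A string both patterns must reject, which the evil one rejects only after
    exhausting every split of the a's."""
    return "a" * n + "!"


def time_match(pattern, text):
    """Return (matched, seconds) for one match attempt."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def has_nested_quantifier(pattern_source):
    """Cheap lint for the classic ReDoS shape: a group ending in + or * that is
    itself repeated with + or *, e.g. (a+)+, (\\w*)*, (.*)+. It catches only that
    shape; passing this check is not a proof of safety."""
    return re.search(r"\((?:[^()\\]|\\.)*[+*]\)[+*]", pattern_source) is not None


def guarded_match(pattern, text, max_len=256):
    """Refuse evil patterns and oversized input before the engine runs. The length
    cap only bounds the damage (2**256 is still unbounded in practice for an evil
    pattern); rewriting the pattern is the real fix."""
    if has_nested_quantifier(pattern.pattern):
        raise ValueError("pattern has nested quantifiers; rewrite it")
    if len(text) > max_len:
        raise ValueError("input too long")
    return pattern.match(text) is not None


if __name__ == "__main__":
    for n in (16, 18, 20, 22):
        _, evil = time_match(EVIL_PATTERN, redos_input(n))
        _, safe = time_match(SAFE_PATTERN, redos_input(n))
        print(f"n={n}: evil {evil:.4f}s  safe {safe:.6f}s")
```

Run stand-alone, the loop shows the evil pattern's time roughly doubling with every two extra characters while the safe pattern stays flat; that doubling, not any particular absolute time, is the signature to look for when reviewing a pattern.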

DDoS in the Time of COVID-19: Attacks and Raids

There is no escaping it. COVID-19 is dominating headlines and has impacted virtually every corner of the world. Like most people at this point, I'm 30 days into isolation and trying everything in my power to ignore the elephant in the room and the politics that go along with it. Unfortunately, or fortunately, cyber security is an essential business. As a result, those working in the field are not getting to experience any downtime during a quarantine. Many of us have been working around the clock, fighting off waves of attacks and helping other essential businesses adjust to a remote workforce as the global environment changes.

Waves of Attacks

Along the way we have learned a few things about how a modern society deals with a pandemic. Obviously, a global shelter-in-place resulted in an unanticipated surge in traffic. As lockdowns began in China and worked their way west, we began to see massive spikes in streaming and gaming services. These unanticipated surges required digital content providers to throttle or downgrade streaming services across Europe to prevent networks from overloading.

The COVID-19 pandemic also highlights the importance of service availability during a global crisis. Due to the forced digitalization of the workforce and a global shelter-in-place, the world became heavily dependent on a number of digital services during isolation. Degradation or an outage impacting these services during the pandemic could quickly spark speculation and/or panic. For example, as COVID-19 began to take a toll on Australia's economy, there was a rush of suddenly unemployed citizens needing to register for welfare services on MyGov, Australia's government service portal. This natural spike in traffic ended up causing an outage on the morning of March 23rd, requiring Government Services Minister Stuart Robert to walk back his initial claim that the portal had suffered a DDoS attack, a claim that naturally caused panic and speculation among those desperately seeking government assistance.

In France, Assistance Publique – Hôpitaux de Paris, the university hospital trust managing 39 public hospitals in the area, found itself the victim of a DDoS attack on March 22nd, just as France began to deal with a surge in COVID-19 cases. The attack was reported to have lasted only an hour and did not cause any significant damage. The problem was that, in order to deal with the attack, internet access was reduced. On any other day this reduction would not have had an impact, but because of the pandemic and a remote, non-essential workforce, employees outside the hospital's network were blocked from external access during the attack and could not reach email, Skype or remote applications. In addition, Brno University Hospital in the Czech Republic was hit a week earlier with a cyber-attack that forced the hospital to shut down its entire network, resulting in the cancellation of surgeries.

And if that wasn't enough, a food delivery service in Germany experienced a DDoS attack from an extortionist. Lieferando.de, part of Takeaway.com, is a takeaway food service that delivers from more than 15,000 restaurants in Germany. During this global pandemic, citizens of the world have become very dependent on takeaway food services as part of the effort to flatten the curve. An extortionist attempted to capitalize on this by launching a Ransom Denial of Service (RDoS) attack on Takeaway, demanding 2 BTC (about $11,000) to stop the attack. As a result, some orders were accepted but never delivered, forcing Germans to find another option for the night.

Taking Down Cyber Criminals

It should come as no surprise that law enforcement agencies around the world are particularly interested in taking down those looking to profit from COVID-19. They are also interested in kicking down the doors of those conducting DDoS attacks during the pandemic. On April 10th, a 19-year-old from Breda, Netherlands, was arrested for conducting a DDoS attack on March 19th against MijnOverheid.nl and Overheid.nl. Both websites are government-related and were providing Dutch citizens with important government information related to the pandemic. It's truly unfortunate to see teenagers in the middle of a pandemic targeting critical infrastructure, preventing access to emergency regulations and advisories, but what did we expect? A cease-fire?

In order to prevent additional DDoS attacks, a week prior to the Breda arrest, Dutch police shut down 15 stresser services. While these services were not named, I can tell you the raid was largely unnoticeable. Part of the problem can be found between the words of Jeroen Niessen of the Dutch Police: "With preventive actions, we want to protect people as much as possible against DDoS attacks. By taking booters and their domain names offline, we make it difficult for cyber criminals. We have now put quite a few on black. If they pop up elsewhere, we will immediately work on it again. Our goal is to seize more and more booters…"

If they pop up elsewhere, we will immediately work on it again….

But Are These Efforts Futile?

In my opinion, it sounds like the police finally understand that raids are a losing battle without total commitment. If there's one thing we learned from the 2019 raid of KV Solutions, a bulletproof hosting provider, it was that when one criminal falls, dozens are willing to replace them. For example, in 2018 the Department of Justice took down 15 stresser services as part of an effort to prevent DDoS attacks. The domains seized are listed below:

anonsecurityteam.com
booter.ninja
bullstresser.net
critical-boot.com
defcon.pro
defianceprotocol.com
downthem.org
layer7-stresser.xyz
netstress.org
quantumstress.net
ragebooter.com
request.rip
str3ssed.me
torsecurityteam.org
vbooter.org

The problem is, taking down a stresser service is pointless when so many criminals use public services and corporations to mask their identities. Until there is cooperation and commitment to removing the DDoS threat completely, it will always linger, rearing its nasty head in the worst moments. Due to the lack of commitment between the global law enforcement community and the security community, we are unable to see a meaningful impact on the DDoS landscape. It's really not that difficult to find a stresser service today. In fact, you can find these criminals openly advertising their services on major search engines, no Tor browser or darknet market required. While search engines could simply de-index these services, they choose not to. Instead, they elect to profit from your misfortune. Below are a handful of sites found on a popular search engine using the terms 'booter' or 'stresser':

powerstresser.pro, freeboot.to, instant-stresser.to, meteor-security.to, layer7-security.to, stressthem.to, stress.to, stress.gg, booter.vip, bootstresser.com, bootyou.net, defconpro.net, str3ssed.co, ts3booter.net, vdos-s.co, webstresser.biz, hardstresser.com, havoc-security.pw, synstresser.to, dosninja.com, stresser.wtf, thunderstresser.me, ripstresser.rip, astrostress.com, botstress.to, dotn3t.org, nightmarestresser.to, silentstress.wtf, torstress.com, xyzbooter.net, databooter.to.

A Temporary Solution

After reviewing the list, Officer Jeroen Niessen's statement becomes clearer. Whether these current websites are associated with the original criminal groups or are clones, multiple stressers with notorious names have been reappearing. In general, I think it's fair to say that while raids are disrupting criminals, they have hardly put a dent in the overall activity or economy of the DDoS-as-a-Service industry. Takedowns only represent a temporary solution, and this has become clear during the pandemic.

Unfortunately, the threat landscape continues to evolve during a pandemic. Criminals are clearly not taking time off. Worst of all, not only is the public cloud fully in scope for cybercriminals looking to compromise enterprise equipment, but due to the ongoing pandemic and the remote digitalization of the workforce, remote software and digital services have come under fire from opportunistic criminals. I think during this time of chaos and uncertainty we really need to reflect on our impact and ability to secure the digital workforce and ask ourselves: are we protecting criminals due to privacy concerns, or is there more we could do to remove and eliminate the DDoS threat?

Source: https://securityboulevard.com/2020/04/ddos-in-the-time-of-covid-19-attacks-and-raids/

Dutch Police Shut Down 15 DDoS-for-Hire Services

Dutch law enforcement has shut down 15 DDoS-for-hire services that were used to run cyberattacks aimed at knocking websites and networks offline. Police did not reveal the names of the booters they stopped, but they did arrest a 19-year-old man from the Netherlands who is suspected of orchestrating a DDoS attack against two websites that provide information on the coronavirus. The affected websites, MijnOverheid.nl and Overheid.nl, were unavailable for several hours on March 19 after being bombarded with traffic, according to the Dutch police.

"We want to protect people and companies and make it increasingly difficult for cyber criminals to carry out a DDoS attack," Jeroen Niessen, head of the cybercrime team of the Central Netherlands police, said in a statement on the takedown.

Dutch citizens may have found the interruptions to Overheid.nl particularly exasperating because the site is used as a "digital letterbox" to receive communications, including information about the pandemic, from the government. "The availability of this site to citizens is crucial for the country, especially during these times," the Dutch police said. "By flattening a website like this, you are denying citizens access to their personal data and important government information. We take this very [seriously], especially now that the corona[virus] crisis is causing additional uncertainty and a great need for information for many people," Niessen added.

Dutch police have been pushing in recent years to stop distributed denial-of-service attacks, which overload computers with so much traffic that they become inaccessible. Last year, for example, Dutch police took down a hosting company that helped cybercriminals propagate hundreds of thousands of DDoS attacks. The year prior, the U.S. Department of Justice, in concert with the Dutch police and the U.K.'s National Crime Agency, knocked down 15 internet domains used to launch DDoS attacks.

The Dutch police will continue to tackle new services, companies, and individuals involved in making DDoS attacks easier to operate, according to Niessen. "If they pop up elsewhere, we will immediately work on it again," Niessen said. "Our goal is to seize more and more booters."

In the meantime, the Dutch police advised victims against paying the cybercriminals behind DDoS attacks, asking them instead to call the police so the attackers can be investigated and held accountable. "Don't give the cyber criminals money, as this may seem like a quick fix to get your site back up and running, you run the risk of getting rid of them," the police advised.

Source: https://www.cyberscoop.com/dutch-police-ddos-shutdown/

Over third of large Dutch firms hit by cyberattack in 2016 – CBS

Large companies are hit by cyberattacks at an above-average rate, according to the 2018 Cybersecurity Monitor of Dutch statistics bureau CBS. Among companies with 250 or more employees, 39 percent were hit at least once by a cyberattack in 2016, such as a hack or DDoS attack. By contrast, around 9 percent of small companies (2-10 employees) were confronted with such an ICT incident. Of the larger companies, 23 percent suffered failure of business processes due to outside cyberattacks, compared to 6 percent of the smaller companies. Of all ICT incidents, failures were most common for all company sizes, though again the larger companies were more affected (55%) than the smaller ones (21%). The incidents led to costs for both groups of companies.

Chance of incident bigger at large company

CBS noted that ICT incidents can arise both from an outside attack and from an internal cause, such as incorrectly installed software or hardware or the unintentional disclosure of data by an employee. The fact that larger companies suffer more ICT incidents can be related to the fact that more people work with computers, which increases the chance of incidents. In addition, larger companies often have a more complex ICT infrastructure, which can cause more problems. The number of ICT incidents also varies per industry. For example, small businesses in the ICT sector (12%) and industry (10%) more often suffer ICT incidents due to external attacks, while small companies in the hospitality sector (6%) and health and welfare care (5%) were less often confronted with cyberattacks.

Internal cause more common at smaller companies

Compared to larger companies, ICT incidents at small companies more often have an internal cause: 2 out of 3, compared to 2 out of 5 for larger companies. ICT incidents at small companies in health and welfare care most often had an internal cause (84%). In the ICT sector, this share was 60 percent.

About 7 percent of companies with an ICT incident report it to one or more authorities, including the police, the Dutch Data Protection Authority (AP), a security team or their bank. The largest companies report ICT incidents much more often (41%) than the smallest companies (6%). Large companies report these incidents most frequently to the AP, as the law requires; after that, most reports are made to the police. The smallest companies report incidents most often to their bank.

Smaller: less safe

Small businesses are less often confronted with ICT incidents and, compared with large companies, take fewer security measures. Around 60 percent of small companies take three or more measures, versus 98 percent of larger companies.

Source: https://www.telecompaper.com/news/over-third-39-of-large-dutch-firms-hit-by-cyberattack-in-2016-cbs–1265851

The FBI Is Investigating More Cyberattacks in a California Congressional Race

The hacks — first reported by Rolling Stone — targeted a Democratic candidate in one of the country's most competitive primary races

WASHINGTON — The FBI has opened an investigation into cyberattacks that targeted a Democratic candidate in a highly competitive congressional primary in southern California. As Rolling Stone first reported in September, Democrat Bryan Caforio was the victim of what cybersecurity experts believe were distributed denial of service, or DDoS, attacks. The attacks crashed his campaign website on four separate occasions over a five-week span, including several hours before the biggest debate of the primary race and a week before the election itself, according to emails and other forensic data reviewed by Rolling Stone. They were the first reported instances of DDoS attacks on a congressional candidate in 2018.

Caforio was running in the 25th congressional district represented by Republican Rep. Steve Knight, a vulnerable incumbent and a top target of the Democratic Party. Caforio ultimately finished third in the June primary, failing to move on to the general election by several thousand votes. "I'm glad the FBI has now launched an investigation into the hack," Caforio tells Rolling Stone in a statement. "These attacks put our democracy at risk, and they'll keep happening until we take them seriously and start to punish those responsible."

It was unclear from the campaign's data who launched the attacks. But in early October, a few weeks after Rolling Stone's report, Caforio says an FBI special agent based in southern California contacted one of his former campaign staffers about the DDoS attacks. The FBI has since spoken with several people who worked on the campaign, requested forensic data in connection with the attacks and tasked several specialists with investigating what happened, according to a source close to the campaign. According to the source, the FBI has expressed interest in several details of the DDoS attacks. The bureau asked about data showing that servers run by Amazon Web Services, the tech arm of the online retail giant, appear to have been used to carry out the attacks. The FBI employees also seemed to focus on the last of the four attacks on Caforio's website, the one that came a week before the primary election. An FBI spokeswoman declined to comment for this story.

A DDoS attack occurs when a flood of online traffic coming from multiple sources intentionally overwhelms a website and cripples it. The cybersecurity company Cloudflare compares DDoS to "a traffic jam clogging up a highway, preventing regular traffic from arriving at its desired destination." Such attacks are becoming more common in American elections and civic life, according to experts who monitor and study cyberattacks. "DDoS attacks are being used to silence political speech and voters' access to the information they need," George Conard, a product manager at Jigsaw, a Google spin-off organization, wrote in May. "Political parties, campaigns and organizations are a growing target." Matthew Prince, the CEO of Cloudflare, told Rolling Stone last month that his company had noticed an increase in such attacks after 2016 and the successful Russian operations on U.S. soil. "Our thesis is that, prior to 2016, U.S.-style democracy was seen as the shining city on the hill. The same things you could do to undermine a developing democracy wouldn't work here," Prince says. "But after 2016, the bloom's off the rose." The FBI has since created a foreign influence task force to combat future efforts to interfere with and disrupt U.S. elections.

Southern California, in particular, has seen multiple cyberattacks on Democratic congressional candidates during the 2018 midterms. Rolling Stone reported that Hans Keirstead, a Democratic candidate who had challenged Rep. Dana Rohrabacher (R-CA), widely seen as the most pro-Russia and pro-Putin member of Congress, had been the victim of multiple hacking efforts, including a successful spear-phishing attempt on his private email account that resembled the 2016 hack of John Podesta, Hillary Clinton's campaign chairman. Hackers also reportedly broke into the campaign computer of Dave Min, another Democratic challenger in a different southern California district, prompting the FBI to open an investigation. On Friday, the nation's four top law enforcement and national security agencies — the FBI, Justice Department, Department of Homeland Security and the Office of the Director of National Intelligence — released a joint statement saying there were "ongoing campaigns by Russia, China and other foreign actors, including Iran" that include interference in the 2018 and 2020 elections.

Cybersecurity experts and political consultants say there are many reports of hacking attempts on 2018 campaigns that have not been publicized. But the proximity of the attacks is significant because Democrats have a greater chance of taking back the House of Representatives if they can flip multiple seats in Southern California.

Source: https://www.rollingstone.com/politics/politics-news/california-congressional-race-hack-745519/

View the original here:
The FBI Is Investigating More Cyberattacks in a California Congressional Race

The Haunting Horror Story Of Cybercrime

As the old saying goes, “darkness falls across the land, the midnight hour is close at hand.” Halloween is upon the scene and frightening things are unforeseen. Imagine watching a chilling movie depicting a zombie apocalypse or a deadly virus spreading fast across a metropolis, infecting everything in its wake. Sounds like a monstrous scenario? Sounds analogous to a cyber-attack? You could be onto something. Strap yourself in. It’s going to be a bumpy ride. According to recent F5 Labs threat analysis, the top application breaches haunting companies right now with rapidly mutating sophistication include payment card theft via web injection (70%), website hacking (26%), and app database hacking (4%). Frighteningly, further analysis shows that 13% of all web application breaches in 2017 and Q1 2018 were access related. This bloodcurdling discovery can be dissected as follows: credentials stolen via compromised email (34.29%), access control misconfiguration (22.86%), credential stuffing from stolen passwords (8.57%), brute force attacks to crack passwords (5.71%), and social engineering theft (2.76%). The eerie evidence also shows that applications and identities are the initial targets in 86% of breaches. Businesses worldwide now face a sense of creeping dread and imminent disruption. Nowadays, they are more prone than ever to terrors such as malware hijacking browsers to sniff or intercept application authentication credentials. Then there are the strains of malware that target financial logins to menace both browser and mobile clients. There’s no way around it. Getting your cybersecurity posture right is the only way to stay safe. Get it wrong, however, and you’ll get the fright of your life in the shape of the EU’s General Data Protection Regulation (GDPR) enforcement. There is definitively nowhere to hide this Halloween if you’re breached or fall short of tightening compliance expectations.
Yet, if scary movies have taught us anything about horror stories, it is never to scream and run away. As this ghoulish season can overshadow any organisation, it’s imperative that preventative measures are in place to protect vital assets. Yes, the findings from F5 Labs may paint a bleak picture, but there are plenty of preventative measures you can take to improve your security posture and safeguard your employees’ applications and sensitive data:

Understand your threat environment and prioritise defences against grave risk concerns. Know which applications are important and minimise your attack surface. Remember, an app’s surface is broadening all the time, encompassing multiple tiers and the ever-increasing use of application programming interfaces (APIs) to share data with third parties.

Use data to drive your risk strategy and identify what attackers would typically target. Beware that any part of an application service visible on the Internet will be probed by fiendish hackers for possible exploitation.

Configure your network systems properly or suffer the consequences of applications leaking internal and infrastructure information, including server names, private network addresses, email addresses, and even usernames. This is all valuable ammunition for a horrible hacker to carry out an attack.

Be aware of common threats including DDoS attacks, ransomware, malware, phishing, and botnets. Ensure your IT response strategies are built to adapt and update in line with new vulnerabilities and threats; doing so will invariably improve survival rates.

Implement a strong set of easily manageable and powerful security solutions such as an advanced web application firewall (AWAF). This type of technology is extremely scalable and can protect against the latest wave of attacks using behavioural analytics, proactive bot defence, and application-layer encryption of sensitive data like personal credentials.

Ensure the company enforces a proactive culture of security and educates employees on policy, device management, as well as safe internet and cloud usage. When travelling on business, ensure staff never conduct financial transactions requiring a debit or credit card when using public or free Wi-Fi services. Never assume mobiles and laptop devices are safe, even at the local coffee bar.

Change your passwords regularly (i.e. every month). This is especially important after travel. Devices may have been compromised during transit.

Always perform regular data backups on approved devices and/or secure cloud platforms to ensure sensitive information is not lost or stolen and can be quickly recovered in the event of an attack. Remember, careless employees who feel they are unaccountable for the loss of work devices can damage business reputations.

The grim reality

Remember this is the time of year when “creatures crawl in search of blood to terrorize the neighbourhood”. Whether you’re expecting a trick or treat this Halloween, neglecting cybersecurity is certain to have ghastly consequences. The business world is littered with victims of cybercrime, so don’t get consigned to the grievous graveyard of cyber fraud. Know what makes your apps vulnerable and how they can be attacked. Make sure you put the right solutions in place to lower your risk. Now is the time to stop being haunted by cybercriminals draining the lifeblood out of your business. Source: https://www.informationsecuritybuzz.com/articles/the-haunting-horror-story-of-cybercrime/
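The advice above about applications leaking server names, private network addresses, email addresses and usernames is easy to check for in a release pipeline or a pentest. The script below is an added example, not code from the article or from F5: it scans a constructed verbose PHP error page for version banners in response headers, RFC 1918 addresses, internal hostnames, e-mail addresses and account names exposed through home-directory paths, then runs the same check against a hardened version of the page. The header list and the internal-TLD pattern are assumptions to extend for your own stack.

```python
"""Spot internal details leaking in an HTTP response.

Added example, not code from the original article. The response below is
constructed; the header names and patterns are common defaults, not an
exhaustive list, so extend them for your own stack.
"""
import ipaddress
import re

# Headers that usually carry a product name plus version (assumed list)
BANNER_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-generator"}
# RFC 1918 ranges plus loopback: addresses that should never reach a client
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# A filesystem path under a home directory reveals an account name
HOME_DIR_RE = re.compile(r"(?:/home/|/Users/|[A-Za-z]:\\Users\\)([A-Za-z0-9_.-]+)")
# Hostnames in suffixes that only resolve inside a corporate network (assumed list)
INTERNAL_HOST_RE = re.compile(
    r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:internal|local|corp|lan)\b", re.I)


def is_private_ip(text_ip):
    """True for RFC 1918 / loopback addresses; False for junk like 999.1.1.1."""
    try:
        addr = ipaddress.ip_address(text_ip)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETS)


def find_leaks(headers, body):
    """Return sorted (kind, value) findings for one HTTP response."""
    findings = set()
    for name, value in headers.items():
        if name.lower() in BANNER_HEADERS and re.search(r"\d", value):
            findings.add(("version-banner", f"{name}: {value}"))
    # Scan headers and body together: leaks hide in both
    text = body + "\n" + "\n".join(f"{k}: {v}" for k, v in headers.items())
    for ip in IPV4_RE.findall(text):
        if is_private_ip(ip):
            findings.add(("private-ip", ip))
    for email in EMAIL_RE.findall(text):
        findings.add(("email", email))
    for user in HOME_DIR_RE.findall(text):
        findings.add(("username", user))
    for host in INTERNAL_HOST_RE.findall(text):
        findings.add(("internal-host", host))
    return sorted(findings)


# --- constructed sample: a verbose PHP error page ----------------------------
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.10",
    "Content-Type": "text/html; charset=UTF-8",
}
SAMPLE_BODY = """<b>Fatal error</b>: Uncaught PDOException: SQLSTATE[HY000] [2002]
Connection refused to db01.corp (10.0.3.15) in /home/appuser/www/db.php:12
Client 203.0.113.5 - report this to webmaster@example.com"""

# Same page after hardening: generic banner, generic error text (constructed)
HARDENED_HEADERS = {"Server": "Apache", "Content-Type": "text/html; charset=UTF-8"}
HARDENED_BODY = "<h1>Something went wrong</h1><p>Reference: 4f2c9a</p>"

if __name__ == "__main__":
    for kind, value in find_leaks(SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"{kind:15s} {value}")
    print("hardened:", find_leaks(HARDENED_HEADERS, HARDENED_BODY))
```

The error page yields six findings (two version banners, one private address, one internal hostname, one e-mail address, one account name), while the client's own public address 203.0.113.5 is correctly ignored. The hardened page, which replaces the stack trace with an opaque reference ID and strips the version from the Server header, yields none. Wire the check into a crawler over your error paths (forced 404s, malformed parameters, oversized uploads) because the leakage almost always lives in the error handlers rather than the happy path.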


Six Lessons From Boston Children’s ‘Hacktivist’ Attack

CIO Daniel Nigrin, M.D., says hospitals must prepare for DDoS and ransomware. Most health system CIOs have heard about the 2014 attack on Boston Children’s Hospital by a member or members of the activist hacker group Anonymous. The hospital was forced to deal with a distributed denial of service (DDoS) attack as well as a spear phishing campaign. Yesterday, as part of the Harvard Medical School Clinical Informatics Lecture Series, the hospital’s senior vice president and CIO Daniel Nigrin, M.D., discussed six lessons learned from the attack. Although the cyber-attack took place four years ago, there have been some recent developments. The attack was undertaken to protest the treatment of a teenager, Justina Pelletier, in a dispute over her diagnosis and custody between her parents and the hospital. In August 2018 Martin Gottesfeld, 32, was convicted of one count of conspiracy to damage protected computers and one count of damaging protected computers. U.S. District Court Judge Nathaniel Gorton scheduled sentencing for Nov. 14, 2018. Gottesfeld was charged in February 2016. According to the U.S. Department of Justice, Gottesfeld launched a massive DDoS attack against the computer network of the Boston Children’s Hospital. He customized malicious software that he installed on 40,000 network routers that he was then able to control from his home computer. After spending more than a week preparing his methods, on April 19, 2014, he unleashed a DDoS attack that directed so much hostile traffic at the Children’s Hospital computer network that he temporarily knocked Boston Children’s Hospital off the Internet. In his Oct. 17 talk, Nigrin said cyber criminals still see healthcare as a soft target compared to other industries. “The bottom line is that in healthcare, we have not paid attention to cybersecurity,” he said. “In the years since this attack, we have seen ransomware attacks that have brought hospital systems to their knees.
We have to pay more attention and invest more in terms of dollars and technical people, but it really does extend to entire organizations — educating people about what a phishing attack is, what a social engineering attack is. These need to be made a priority.” He offered six lessons learned from Boston Children’s experience: 1. DDoS countermeasures are critical. No longer can healthcare organizations assume that DDoS attacks are things that only occur against corporate entities, he said. “Prior to this event, I had never thought about the need to protect our organization against a DDoS attack,” he said. “I will submit that the vast majority of my CIO colleagues were in the same boat. And that was wrong. I think now we have gotten this understanding.” 2. Know what depends on the internet. Having a really detailed understanding of what systems and processes in your organization depend on internet access is critical, Nigrin stressed. You also must have good mitigation strategies in place to know what to do if you lose internet access — whether it is because you have a network outage due to a technical issue or a malicious issue. “As healthcare has become more automated and dependent on technology, these things are crippling events. You have got to know how you are going to deal with it ahead of time. Figuring it out on the fly is not going to work.” 3. Recognize the importance of email. Email may be seen as old-school, Nigrin noted, but it is still the primary method to communicate, so you have to think about how you can communicate and get the word out in scenarios where you don’t have email or lose voice communication. “In our case, we were super-lucky because we had just deployed a secure texting platform, so we could do HIPAA-compliant texting, and when our email was down, that was how we communicated, and it was very effective,” he explained. 4. Push through security initiatives – no excuses anymore.
Because he is a doctor himself, Nigrin feels OK picking on doctors about security. Historically they have always pushed back on security measures such as dual-factor authentication. He paraphrases them saying “Come on, Dan, that is an extra 10 seconds; I have to carry a secure ID, or you have to send me a text message on my phone. It is a pain. I don’t want to do it. I am the highest-paid employee in your organization and that is time better spent on something else.” But Nigrin argues that we can’t afford to think like that anymore. He used the Anonymous attack as an opportunity to push through four or five security initiatives within the next two to three months when he had everyone’s attention. “The platform was burning, and the board of trustees was willing to expend the money to pay for it all. They all of a sudden recognized the risk.” 5. Securing audio- and teleconference meetings. Nigrin said this topic wouldn’t have occurred to Boston Children’s until they were warned by the FBI. “The FBI told us about an attack that affected them when they were dealing with Anonymous. When Anonymous was attacking the FBI, the FBI convened internal conference calls on how to deal with it. Anonymous had already breached their messaging platform and intercepted the calendar invites that invited everyone to dial in. Anonymous basically was called into the meeting. Within 30 minutes of one of those meetings, the entire audio transcript of the conference call was posted to YouTube. “So we took heed of that and made sure that when we had conference calls, we sent out PINs over our secure texting platform,” he said. 6. Separating signal from noise. During the attack, Boston Children’s set up a command center and told employees: if you see something, say something. “We didn’t know what attack was coming next. We were flying blind,” Nigrin said. “We started to get lots of calls into our command center with reports of things that seemed somewhat suspicious,” he remembers.
People got calls on their cell phone with a recorded message saying your bank account has been compromised. Press 1 to talk to someone to deal with it. “Today we would recognize this as some type of phishing scam and hang up,” he said, “but at the time it was sort of new. People started calling us and we didn’t know if this was Anonymous trying to get into the bank accounts of our senior clinicians. Was it part of the attack? It was tough for us to detect signal from noise.” In the Q&A after his presentation, listeners were curious about how much the incident cost the hospital. Nigrin said there were two big costs incurred: One was the technology it had to deploy in an emergent way to do DDoS protection and penetration testing. The other was revenue lost from philanthropic donations. Together they were close to $1 million. Another person asked if the hospital had cyber insurance. Nigrin said they did, but when they read the fine print it said they were covered only if they were breached, and technically they were never breached, so the insurance company was reluctant to pay. Although they eventually got compensated for a good share of it, the hospital also made sure to update its policy. Still another attendee asked Nigrin if ransomware attacks were still targeting hospitals. He said they definitely were. “Think about community hospitals just squeaking by on their budgets,” he said. “They don’t have millions to spend, yet their data is valuable on the black market. Attackers recognize we are dead in the water as entities if we don’t have these systems. We have important data and will do anything to get our systems back up and running.” Nigrin said even large health systems can be vulnerable because some technology they deploy is run by third-party vendors who haven’t upgraded their systems. An example, he said, might be technology to record videos in the operating room setting. Some vendors, he said, are not accustomed to thinking about security.
They are unable to update their software so it works on more modern operating systems. That leaves CIOs with a tough choice. “We can shut off the functionality or take the risk of continuing to use outdated and unpatched operating systems. Those vendors now have woken up and realize they have to pay more attention.” Source: https://www.healthcare-informatics.com/article/cybersecurity/six-lessons-boston-children-s-hacktivist-attack


Cybercrime-as-a-Service: No End in Sight

Cybercrime is easy and rewarding, making it a perfect arena for criminals everywhere. Over the past 20 years, cybercrime has become a mature industry estimated to produce more than $1 trillion in annual revenues. From products like exploit kits and custom malware to services like botnet rentals and ransomware distribution, the breadth of cybercrime offerings has never been greater. The result: more, and more serious, forms of cybercrime. New tools and platforms are more accessible than ever before to those who lack advanced technical skills, enabling scores of new actors to hop aboard the cybercrime bandwagon. Meanwhile, more experienced criminals can develop more specialized skills in the knowledge that they can locate others on the darknet who can complement their services and work together with them to come up with new and better criminal tools and techniques. Line Between Illicit and Legitimate E-Commerce Is Blurring The cybercrime ecosystem has evolved to welcome both new actors and new scrutiny. The threat of prosecution has pushed most cybercrime activities onto the darknet, where the anonymity of Tor and Bitcoin protects the bad guys from being easily identified. Trust is rare in these communities, so some markets are implementing escrow payments to make high-risk transactions easier; some sellers even offer support services and money-back guarantees on their work and products. The markets have also become fractured, as the pro criminals restrict themselves to highly selective discussion boards to limit the threat from police and fraudsters. Nevertheless, a burgeoning cybercrime market has sprung from these hidden places to offer everything from product development to technical support, distribution, quality assurance, and even help desks. Many cybercriminals rely on the Tor network to stay hidden. 
Tor — The Onion Router — allows users to cruise the Internet anonymously by encrypting their activities and then routing them through multiple random relays on the way to their destination. This circuitous process renders it nearly impossible for law enforcement to track users or determine the identities of visitors to certain black-market sites. From Niche to Mass Market In 2015, the UK National Cyber Crime Unit’s deputy director stated during a panel discussion that investigators believed that the bulk of the cybercrime-as-a-service economy was based on the efforts of only 100 to 200 people who profit handsomely from their involvement. Carbon Black’s research discovered that the darknet’s marketplace for ransomware is growing at a staggering 2,500% per annum, and that some of the criminals can generate over $100,000 a year selling ransomware kits alone. That’s more than twice the annual salary of a software developer in Eastern Europe, where many of these criminals operate. There are plenty of ways for a cybercriminal to rake in the cash without ever perpetrating “traditional” cybercrime like financial fraud or identity theft. The first way is something called research-as-a-service, where individuals work to provide the “raw materials” — such as selling knowledge of system vulnerabilities to malware developers — for future criminal activities. The sale of software exploits has captured much attention recently, as the ShadowBrokers and other groups have introduced controversial subscription programs that give clients access to unpatched system vulnerabilities. Zero-Day Exploits, Ransomware, and DDoS Extortion Are Bestsellers The number of discovered zero-day exploits — weaknesses in code that had been previously undetected by the product’s vendor — has dropped steadily since 2014, according to Symantec’s 2018 Internet Security Threat Report, thanks in part to an increase in “bug bounty” programs that encourage and incentivize the legal disclosure of vulnerabilities.
In turn, this has led to an increase in price for the vulnerabilities that do get discovered, with some of the most valuable being sold for more than $100,000 in one of the many darknet marketplaces catering to exploit sales, as highlighted in a related blog post on TechRepublic. Other cybercrime actors sell email databases to simplify future cybercrime campaigns, as was the case in 2016 when 3 billion Yahoo accounts were sold to a handful of spammers for $300,000 each. Exploit kits are another popular product on the darknet. They provide inexperienced cybercriminals with the tools they need to break into a wide range of systems. However, Europol suggests that the popularity of exploit kits has fallen over the past 12 months as the top products have been eliminated and their replacements have failed to offer comparable sophistication or popularity. Europol also notes that theft through malware was generally becoming less of a threat; instead, today’s cybercriminals prefer ransomware and distributed denial-of-service (DDoS) extortion, which are easier to monetize. Cybercrime Infrastructure-as-a-Service The third way hackers can profit from more sophisticated cybercrime is by providing cybercrime infrastructure-as-a-service. Those in this field provide the services and infrastructure — including bulletproof hosting and botnet rentals — on which other bad actors rely to do their dirty work. The former helps cybercriminals to put web pages and servers on the Internet without having to worry about takedowns by law enforcement. And cybercriminals can pay for botnet rentals that give them temporary access to a network of infected computers they can use for spam distribution or DDoS attacks, for example. Researchers estimate that a $60-a-day botnet can cause up to $720,000 in damages to victim organizations.
The numbers for hackers who control the botnets are also big: the bad guys can produce significant profit margins when they rent their services out to other criminals, as highlighted in a related post. The New Reality Digital services are often the backbone of small and large organizations alike. Whether it’s a small online shop or a behemoth operating a global digital platform, if services are slow or down for hours, the company’s revenue and reputation may be on the line. In the old days, word of mouth circulated slowly, but today bad news can reach millions of people instantly. Using botnets for DDoS attacks is a moneymaker for cybercriminals who extort money from website proprietors by threatening an attack that would destroy their services. The danger posed by Internet of Things (IoT) botnets was shown in 2016 when the massive Mirai IoT botnet attacked the domain name provider Dyn and took down websites like Twitter, Netflix, and CNN in the largest such attack ever seen. Botnet use will probably expand in the coming years as cybercriminals continue to exploit vulnerabilities in IoT devices to create even larger networks. Get used to it: Cybercrime is here to stay. Source: https://www.darkreading.com/endpoint/cybercrime-as-a-service-no-end-in-sight/a/d-id/1333033


Businesses are becoming main target for cybercriminals, report finds

Cybercrime activity continues to expand in scope and complexity, according to the latest report by cybersecurity firm Malwarebytes, as businesses became the preferred target for crooks throughout Q3. Malware detection on businesses shot up 55% between Q2 and Q3, with the biggest attack vector coming from information-stealing trojans such as the self-propagating Emotet and the infamous LokiBot. Criminals have likely ramped up attacks on organizations in an attempt to maximize returns, while consumers have seen significantly less action in Q3, with a mere 5% detection increase over the period. This shift toward more targeted campaigns, as opposed to the wide nets cast in previous quarters, is due to numerous reasons including businesses failing to patch vulnerabilities, weaponized exploits, and possibly even the implementation of privacy-protective legislation such as GDPR. “There was a very long period where ransomware was the dominant malware against everybody,” said Adam Kujawa, director of Malwarebytes Labs, speaking to The Daily Swig about the quarterly report, Cybercrime tactics and techniques: Q3 2018. “We’ve seen the complete evolution of ransomware to what is really just a few families, and whether we’ll see the same distribution and exposure [of ransomware] that we’ve seen in the past few years is unlikely in my opinion.” GandCrab ransomware, however, which first appeared at the beginning of this year, has matured. New versions were discovered during Q3, and the ransomware variant is expected to remain a viable threat to both consumers and to businesses, which are at higher risk due to GandCrab’s advanced ability to encrypt network drives. But despite a recent report by Europol that highlighted ransomware as the biggest threat in 2018, Kujawa isn’t convinced that these campaigns will stick around in the quarters to come.
“There are so many solutions out there that can protect users from ransomware, and there are more people that know what to do if you get hit with it,” he said. “When you compare that to is it a good return on investment [for cybercriminals], we don’t think it is anymore. Most of what we’ve seen [in Q3] is information-stealers.” Kujawa points to the banking trojan Emotet, which can spread easily and whose primary intent is to steal financial data and carry out distributed denial-of-service (DDoS) attacks from infected machines. Businesses, particularly small and medium-sized enterprises with less money invested in cyber defenses, have become valuable targets due to the ease with which trojans like Emotet can spread throughout their networks. Changes in global information systems may also be a contributing factor in the revival of data theft. “That may very well in part play to things like GDPR where you’ve got this data that is no longer legally allowed to be on a server somewhere protected in Europe,” said Kujawa. “Cybercriminals may be more interested in stealing data like they used to because this stuff is no longer as easy to obtain as it was.” While information-stealers hogged the spotlight, the threat landscape remains diverse – targets are predominately concentrated within Western countries, while the use of exploit kits was found mostly in Asian countries including South Korea. Kujawa also noted that social engineering, such as phishing attacks, remains a successful technique for malicious hackers. He said: “Almost all attacks are distributed through social engineering, that’s still the number one way to get past things like security software, firewalls, and things like that.” “The biggest problem in our industry right now is people not taking it [cybersecurity] seriously enough,” Kujawa added.
“At the end of the day we’re never going to win the war on cybercrime with just technology because that’s exactly what the bad guys are using against us.” Source: https://portswigger.net/daily-swig/businesses-are-becoming-main-target-for-cybercriminals-report-finds


Central planning bureau finds Dutch cybersecurity at high level

Dutch businesses and the public sector are well protected against cybersecurity threats compared to other countries, according to a report from the Central Planning Bureau (CPB) on the risks for cybersecurity. Dutch websites employ encryption techniques relatively often, and the ISPs take measures to limit the impact of DDoS attacks, the report said. Small and medium-sized businesses are less active than large companies in protecting their activities, employing techniques such as data encryption less often, the CPB found. This creates risks for small businesses and consumers that could be avoided. The report also found that the Dutch are more often victims of cybercrime than of other forms of crime. This implies a high cost for society to ensure cybersecurity. In 2016, already 11 percent of businesses incurred costs due to a hacking attempt. The threat of DDoS attacks will only increase in the coming years due to the growing number of IoT devices. This was already evident in the attacks against Dutch bank websites earlier this year. A further risk is that over half of the most important banks in the world use the same DDoS protection service, a concentration that turns one provider’s outage into a sector-wide one. According to the paper Financieele Dagblad, this supplier is Akamai. The company provides DDoS protection for 16 of the 30 largest banks worldwide. The Dutch banks ABN Amro, ING and Rabobank said they were not dependent on a single provider. The CPB report also found that the often reported shortage of qualified ICT staff is less of a threat than thought. The number of ICT students has risen 50 percent in four years and around 100,000 ICT jobs have been added in the country since 2008. Already 5 percent of all jobs are in ICT. This puts the Netherlands at the top of the pack in Europe, alongside the Nordic countries. Source: https://www.telecompaper.com/news/central-planning-bureau-finds-dutch-cybersecurity-at-high-level–1264818
