RDP-enabled instances attacked, perhaps via Iran and China, then use Telegram desktop client for command and control Data analysis firm Splunk says it’s found a resurgence of the Crypto botnet – malware that attacks virtual servers running Windows Server inside Amazon Web Services.…
More:
Splunk spots malware targeting Windows Server on AWS to mine Monero
Here’s an overview of some of last week’s most interesting news and articles: Kaseya obtains universal REvil decryptor There’s finally some good news for the MSPs and their customers that have been hit by the REvil ransomware gang via compromised Kaseya VSA software: a universal decryptor has made it available to affected organizations. DDoS attacks are up, with ever-greater network impact With an overall rise in available network capacity, cyber criminals are increasingly targeting their … More ? The post Week in review: HiveNightmare on Windows 10, Kaseya obtains REvil decryptor appeared first on Help Net Security .
Continue reading here:
Week in review: HiveNightmare on Windows 10, Kaseya obtains REvil decryptor
In H1 2021, cyber criminals targeted businesses in record numbers as they continued to exploit vulnerabilities caused by the pandemic A report published by Link11, Europe’s leading IT security provider in cyber resilience, suggests there has been a 33% increase in the number of DDoS attacks in H1 2021. Between January and June, the Link11 Security Operations Centre (LSOC) recorded record numbers of attacks compared to the same period last year. The report also found that between Q1 2021 and Q2 2021 there was a 19% increase in DDoS campaigns, some of which were over 100 Gbps in attack volume; further evidence that cyber criminals are continuing to exploit the vulnerabilities of businesses during the pandemic. The key findings from the report are: The number of attacks continued to rise: + 33% increase year-on-year compared to H1/2020. DDoS attacks are increasing: +19% in Q2 2021 compared to Q1 2021. Overall attack bandwidth remained high: 555 Gbps in maximum attack volume. Sharp increase in attack bandwidth: +37% increase in H1/2021 compared to H1/2020. Number of high-volume attacks > 100 Gbps in H1/2021: 28 Criminals targeted those organisations and institutions that were in high demand during the global pandemic, such as va ccination websites, e-learning platforms or portals and businesses IT infrastructure as well as hosting providers and internet service providers . LSOC also suggests that the use of extortion emails has reached critical levels . Employees have received malicious emails from a multitude of different senders including Fancy Bear, Lazarus Group and most recently Fancy Lazarus. Instead of being indiscriminate, ransom demands now vary depending on the size of the company and the industry of the victims. In fact, companies from a wide range of industries (including finance, e-commerce, media and logistics) are currently being affected. The frequency of these campaigns has increased, ransom demands have skyrocketed and LSOC is warning that they could continue well into Q3 2021. According to Link11’s security experts, the intensity and regularity of extortion emails has noticeably increased . The scale of DDoS activity far exceeds any from previous years and the number of businesses experiencing serious security breaches has risen sharply. The consequences of such an attack can be severe, from loss of revenue, costly business interruptions, long recovery times to sensitive data being compromised. Marc Wilczek, Managing Director of Link11, said: “In an increasingly connected world, the availability and integrity of IT systems are critical to any business. Our research for the first half of 2021 shows that companies are continuously exposed to DDoS attacks and that they are far more frequent and complex. Due to the increasingly sophisticated attack techniques being used by cyber criminals, many security tools are reaching their limits. This means that solutions which provide maximum precision and speed in detecting and mitigating the attacks are more in demand than ever before.” Although the threat level of DDoS attacks has remained high and security providers have provided persistent warnings, LSOC believes some companies are still lack the relevant security solutions to prevent an attack . In a number of cases, organisations have been found to be completely unprotected and operations have been brought to a standstill. The only way to limit the damage is to implement specialised protection solutions on an ad-hoc basis. From an economic and legal point of view, however, it makes more sense to focus on sustainable prevention rather than reaction. As threat levels continue to rise LSOC recommends businesses take this opportunity to conduct a thorough review of their cyber security posture. They are also warning if you fall victim to a DDoS attack do not respond to extortion attempts and call in a specialist for DDoS protection as soon as an attack has been detected. Source: https://www.link11.com/en/blog/threat-landscape/link11-report-discovers-record-number-of-ddos-attacks-in-first-half-of-2021/
Originally posted here:
Link11 Discovers Record Number of DDoS Attacks in First Half of 2021
The group, known for masquerading as various APT groups, is back with a spate of attacks on U.S. companies. A distributed denial-of-service (DDoS) extortion group has blazed back on the cybercrime scene, this time under the name of “Fancy Lazarus.” It’s been launching a series of new attacks that may or may not have any teeth, researchers said. The new name is a tongue-in-cheek combination of the Russia-linked Fancy Bear advanced persistent threat (APT) and North Korea’s Lazarus Group. The choice seems natural, given that the gang was last seen – including in a major campaign in October – purporting to be various APTs, including Armada Collective, Fancy Bear and Lazarus Group. According to Proofpoint, this time around the gang has been sending threatening, targeted emails to various organizations, including those operating in the energy, financial, insurance, manufacturing, public utilities and retail sectors – asking for a two-Bitcoin (BTC) starting ransom (around $75,000) if companies want to avoid a crippling DDoS attack. The price doubles to four BTC after the deadline, and increases by one BTC each day after that. The targets are mostly located in the U.S. While it’s hard to make a definitive correlation, the timing of some of the Fancy Lazarus campaigns correspond with high-profile ransomware attacks over the past six months, in terms of targeting the same vertical industries, according to Sherrod DeGrippo, senior director of threat research and detection at Proofpoint. “These include utility, natural gas and manufacturing,” she told Threatpost. “This could be an attempt to ride the coattails of high-profile news stories and result in a higher likelihood of payment. Another trend we have seen over the past four months are a focus on sending these threats to financial institutions and large insurance providers.” Email Campaign Details The emails announce that the organization is being targeted by Fancy Lazarus, and they threaten a DDoS attack in seven days if the target doesn’t pay up, according to an analysis on Thursday from Proofpoint. The messages also warn of potential damage to reputation and loss of internet access at offices, and then promise that a “small attack” will be launched on a specific IP, subnet or Autonomous System with an attack of 2Tbps, as a preview of things to come. The emails are either in plain text, HTML-based or present the letter in an embedded .JPG image – likely a detection-evasion technique, Proofpoint noted. “The emails are typically sent to well researched recipients, such as individuals listed as contacts in Border Gateway Protocol (BGP) or Whois information for company networks,” according to Proofpoint’s analysis. “The emailed individuals also work in areas such as communications, external relations, investor relations. Additionally, extortion emails are often sent to email aliases such as help desk, abuse, administrative contacts or customer service.” Meanwhile, the sender email is unique to each target. They use a random “first name, last name” convention for the ender, using fake names. The ransom note. Source: Proofpoint. Some of this is a change in tactics from previous campaigns by the group. For instance, Proofpoint noted that the starting ransom was 10 or 20 BTC in 2020 campaigns – a change that was made likely to account for exchange-rate fluctuations. In October for instance, a 20-BTC demand translated to $230,000. Also, previously the sender names on the emails often contained the name of an APT that was in the headlines, such as Fancy Bear; or, they included the targeted company’s CEO name. Sometimes a Hoax? It’s unknown whether the group always follows through on its threat to launch massive DDoS attacks. An FBI alert on the group from last August said that while the group had taken aim at thousands of organizations from multiple global industry verticals by that point, many of them saw no further activity after the deadline expired – or, they were able to easily mitigate it. In some cases though, such as was the case with Travelex, “the threat actor conducted a volumetric attack on a custom port of four IP addresses serving the company’s subdomains, according to Intel471 researchers writing last year. Two days later, the attackers carried out another DNS amplification attack against Travelex using Google DNS servers, the firm reported. “While FBI reporting indicates they do not always follow through on their threat of a DDoS, there have been several prominent institutions that have reported an impact to their operations and other impacted companies have just been successful at mitigating the attacks,” DeGrippo said. “This type of behavior keeps them more closely aligned with that of a cybercriminal versus a scam artist.” In any case, it’s important for companies and organizations to be prepared by having appropriate mitigations in place such as using a DDoS protection service and having disaster recovery plans at the ready, she added. Ransom DDoS: A Growing Tactic Ransom DDoS is not a recent development, but it has become more popular of late, according to DeGrippo, thanks to the mainstreaming of Bitcoin and Ethereum. “While RDDoS existed earlier this type of extortion likely did not catch on until, in part, the adoption of cryptocurrency, which allowed the threat actors a safer means to receive payment,” she told Threatpost. “These kinds of campaigns have been done in an organized fashion for the past year.” She added that Fancy Lazarus’ choice to align its ransom demand with the fluctuating price of cryptocurrency is notable. “As Bitcoin prices fluctuate, we see some change in their demand amounts, proving that cryptocurrency markets and malicious actor activity are absolutely correlated,” she said. “This has been the case since at least 2016 in the early days of large-scale ransomware. Threat actors send their campaigns when the prices are most advantageous, attempting to make more money when the various currencies are at a high valuation. Other actors use other cryptocurrencies like Ethereum, but Bitcoin continues to be the massively popular coin of choice for malicious threat actors.” While it’s impossible to know the success rate of the Fancy Lazarus campaigns, “given the potentially substantial financial payoff for relatively little work on the threat actor’s part, a low success rate would still make this a worthwhile tactic,” DeGrippo noted. One trend to watch is the addition of ransomware to the mix going forward. In February, the REvil ransomware gang started adding DDoS attacks to its efforts, in an effort to ratchet up the pressure to pay. Source: https://threatpost.com/fancy-lazarus-cyberattackers-ransom-ddos/166811/
Read this article:
‘Fancy Lazarus’ Cyberattackers Ramp up Ransom DDoS Efforts
Several recent cyber incidents targeting critical infrastructure prove that no open society is immune to attacks by cybercriminals. The recent shutdown of key US energy pipeline marks just the tip of the iceberg. Critical infrastructure is becoming more dependent on networks of interconnected devices. For example, only a few decades ago, power grids were essentially operational silos. Today, most grids are closely interlinked — regionally, nationally, and internationally as well as with other industrial sectors. And in contrast to discrete cyberattacks on individual companies, a targeted disruption of critical infrastructure can result in extended supply shortages, power blackouts, public disorder, and other serious consequences. According to the World Economic Forum (WEF), cyberattacks on critical infrastructure posed the fifth-highest economic risk in 2020, and the WEF called the potential for such attacks “the new normal across sectors such as energy, healthcare, and transportation.” Another report noted that such attacks can have major spillover effects. Lloyd’s and the University of Cambridge’s Centre for Risk Studies calculated the prospective economic and insurance costs of a severe cyberattack against America’s electricity system could amount to more than $240 billion and possibly more than $1 trillion. Given these potential far-reaching consequences, cyberattacks on critical infrastructure have become a big concern for industry and governments everywhere — and recent events haven’t done much to allay these fears. A Worldwide Phenomenon In May 2021, a huge distributed denial-of-service (DDoS) attack crippled large sections of Belgium’s Internet services, affecting more than 200 organizations, including government, universities, and research institutes. Even parliamentary debates and committee meetings were stalled since no one could access the online services they needed to participate. A few days later, a ransomware attack shut down the main pipeline carrying gasoline and diesel fuel to the US East Coast. The Colonial Pipeline is America’s largest refined-products pipeline. The company says it transports more than 100 million gallons a day of fossil fuels, including gasoline, diesel, jet fuel, and heating oil — or almost half the supply on the East Coast, including supplies for US military facilities. In August 2020, the New Zealand Stock Exchange (NZX) was taken offline for four trading days after an unprecedented volumetric DDoS attack launched through its network service provider. New Zealand’s government summoned its national cybersecurity services to investigate, and cyber experts suggested the attacks might have been a dry run of a major attack on other global stock exchanges. In October 2020, Australia’s Minister for Home Affairs, Peter Dutton, said his country must be ready to fight back against disastrous and extended cyberattacks on critical infrastructure that could upend whole industries. Obvious Uptick in DDoS Attacks During the pandemic, there’s been a huge increase in DDoS attacks, brute-forcing of access credentials, and malware targeting Internet-connected devices. The average cost of DDoS bots has dropped and will probably continue to fall. According to Link11’s Q1/2021 DDoS report, the number of attacks witnessed more than doubled, growing 2.3-fold year-over-year. (Disclosure: I’m the COO of Link11.) Unlike ransomware, which must penetrate IT systems before it can wreak havoc, DDoS attacks appeal to cybercriminals because they’re a more convenient IT weapon since they don’t have to get around multiple security layers to produce the desired ill effects. The FBI has warned that more DDoS attacks are employing amplification techniques to target US organizations after noting a surge in attack attempts after February 2020. The warnings came after other reports of high-profile DDoS attacks. In February, for example, the largest known DDoS attack was aimed at Amazon Web Services. The company’s infrastructure was slammed with a jaw-dropping 2.3 Tb/s — or 20.6 million requests per second — assault, Amazon reported. The US Cybersecurity and Infrastructure Security Agency (CISA) also acknowledged the global threat of DDoS attacks. Similarly, in November, New Zealand cybersecurity organization CertNZ issued an alert about emails sent to financial firms that threatened a DDoS attack unless a ransom was paid. Predominantly, cybercriminals are just after money. The threat actors behind the most recent and ongoing ransom DDoS (RDDoS or RDoS) campaign identify themselves as state-backed groups Fancy Bear, Cozy Bear, Lazarus Group, and Armada Collective — although it remains unclear whether that’s just been a masquerade to reinforce the hacker’s demands. The demanded ransoms ranged between 10 and 20 Bitcoin (roughly worth $100,000 to $225,000 at the time of the attacks), to be paid to different Bitcoin addresses. Mitigating the Risk Critical infrastructure is often more vulnerable to cyberattacks than other sectors. Paying a ransom has ethical implications, will directly aid the hackers’ future operations (as noted by the FBI), and will encourage them to hunt other potential victims. Targeted companies are also urged to report any RDoS attacks affecting them to law enforcement. Organizations can’t avoid being targeted by denial-of-service attacks, but it’s possible to prepare for and potentially reduce the impact should an attack occur. The Australian Cyber Security Centre notes that “preparing for denial-of-service attacks before they occur is by far the best strategy; it is very difficult to respond once they begin and efforts at this stage are unlikely to be effective.” However, as the architecture of IT infrastructure evolves, it’s getting harder to implement effective local mitigation strategies. Case in point: Network perimeters continue to be weak points because of the increasing use of cloud computing services and devices used for remote work. Also, it is increasingly infeasible to backhaul network traffic, as legitimate users will be banned, too — potentially for hours or days. To minimize the risk of disruption and aim for faster recovery time objectives (RTOs) after an attack, organizations should become more resilient by eliminating human error through stringent automation. These days, solutions based on artificial intelligence and machine learning offer the only viable means of protection against cyberattacks. Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across … View Full Bio Source: https://www.darkreading.com/attacks-breaches/critical-infrastructure-under-attack-/a/d-id/1340960
Original post:
Critical Infrastructure Under Attack
Link11 has released its DDoS report for Q1 2021 which revealed the number of DDoS attacks continued to grow. Between January and March, more than double the number of attacks than the same period in the previous year were recorded. This suggest the already alarming threat level from cybercrime, a pandemic that has been raging since Spring 2020 alongside the fight against COVID-19, has once again intensified. DDoS attackers stick to their target The number … More ? The post DDoS attackers stick to their target even if they are unsuccessful appeared first on Help Net Security .
View article:
DDoS attackers stick to their target even if they are unsuccessful
Netscout announced findings from its bi-annual Threat Intelligence Report, punctuated by a record-setting 10,089,687 DDoS attacks observed during 2020. Cybercriminals exploited vulnerabilities exposed by massive internet usage shifts since many users were no longer protected by enterprise-grade security. Attackers paid particular attention to vital pandemic industries such as e-commerce, streaming services, online learning, and healthcare generating a 20% year-over-year increase in attack frequency over 2019 plus a 22% increase in the last six months of … More ? The post DDoS attack activity: 10 million-plus attacks and 22% increase in attack frequency appeared first on Help Net Security .
Read More:
DDoS attack activity: 10 million-plus attacks and 22% increase in attack frequency
We’re only three months into 2021, and Akamai has mitigated 3 out of the 6 largest DDoS attacks they have ever witnessed. Two of these hit the same company on the same day, and the attackers’ goal was extort money from the target. “Growing” DDoS attacks Hoping for a major Bitcoin payout, DDoS attackers continue to raise the bar when it comes to attack size, frequency, and target diversification. “In 2021 alone, we’ve already seen … More ? The post DDoS attacks in 2021: What to expect? appeared first on Help Net Security .
Continue Reading:
DDoS attacks in 2021: What to expect?
Today, the OpenSSL project has issued an advisory for two high-severity vulnerabilities CVE-2021-3449 and CVE-2021-3450 lurking in OpenSSL products. OpenSSL is a commonly used software library for building networking applications and servers that need to establish secure communications. These flaws include: CVE-2021-3449 : A Denial of Service (DoS) flaw due to NULL pointer dereferencing which only impacts OpenSSL server instances, not the clients. CVE-2021-3450 : An improper Certificate Authority (CA) certificate validation vulnerability which impacts both the server and client instances. DoS vulnerability fixed by a one-liner The DoS vulnerability (CVE-2021-3449) in OpenSSL TLS server can cause the server to crash if during the course of renegotiation the client sends a malicious ClientHello message. “If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack,” states the advisory. The vulnerability only impacts OpenSSL servers running versions between 1.1.1 and 1.1.1j (both inclusive) that have both TLSv1.2 and renegotiation enabled. However, because this is the default configuration on these OpenSSL server versions, many of the active servers could be potentially vulnerable. OpenSSL clients are not impacted. Fortunately, all it took to fix this DoS bug was a one-liner fix, which comprised setting the peer_sigalgslen to zero. One line fix for NULL pointer issue leading to DoS, CVE-2021-3449 Source: GitHub The vulnerability was discovered by engineers Peter Kästle and Samuel Sapalski of Nokia, who also offered the fix shown above. Non-CA certificates cannot issue certificates! The Certificate Authority (CA) certificate validation bypass vulnerability, CVE-2021-3450, has to do with the X509_V_FLAG_X509_STRICT flag. This flag is used by OpenSSL to disallow use of workarounds for broken certificates and strictly requires that certificates be verified against X509 rules. However, due to a regression bug, OpenSSL versions 1.1.1h and above (but excluding the fixed release 1.1.1k) are impacted by this vulnerability, as this flag is not set by default in these versions. “Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check.” “An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten,” states the advisory. In effect, this means OpenSSL instances fail to check that non-CA certificates must not be the issuers of other certificates, therefore opening up the possibilities for attackers to exploit this miss. On March 18th, 2021, Benjamin Kaduk from Akamai reported this flaw to the OpenSSL project. The vulnerability was discovered by Xiang Ding and others at Akamai, with a fix having been developed by Tomáš Mráz. Neither vulnerabilities impact OpenSSL 1.0.2. Both vulnerabilites are fixed in OpenSSL 1.1.1k and users are advised to upgrade to this version to protect their instances. As reported by BleepingComputer, DHS-CISA had urged system administrators in December 2020 to patch another OpenSSL DoS vulnerability. Users should therefore protect themselves from security flaws like these by applying timely updates. Source: https://www.bleepingcomputer.com/news/security/openssl-fixes-severe-dos-certificate-validation-vulnerabilities/
See the original post:
OpenSSL fixes severe DoS, certificate validation vulnerabilities
Remote code execution, denial of service, API abuse possible. Meanwhile, FBI pegs China for Exchange hacks Security and automation vendor F5 has warned of seven patch-ASAP-grade vulnerabilities in its Big-IP network security and traffic-grooming products, plus another 14 vulns worth fixing.…