Tag Archives: defend against ddos

Cybercrime-as-a-Service: No End in Sight

Cybercrime is easy and rewarding, making it a perfect arena for criminals everywhere. Over the past 20 years, cybercrime has become a mature industry estimated to produce more than $1 trillion in annual revenues. From products like exploit kits and custom malware to services like botnet rentals and ransomware distribution, the breadth of cybercrime offerings has never been greater. The result: more, and more serious, forms of cybercrime. New tools and platforms are more accessible than ever before to those who lack advanced technical skills, enabling scores of new actors to hop aboard the cybercrime bandwagon. Meanwhile, more experienced criminals can develop more specialized skills in the knowledge that they can locate others on the darknet who can complement their services and work together with them to come up with new and better criminal tools and techniques. Line Between Illicit and Legitimate E-Commerce Is Blurring The cybercrime ecosystem has evolved to welcome both new actors and new scrutiny. The threat of prosecution has pushed most cybercrime activities onto the darknet, where the anonymity of Tor and Bitcoin protects the bad guys from being easily identified. Trust is rare in these communities, so some markets are implementing escrow payments to make high-risk transactions easier; some sellers even offer support services and money-back guarantees on their work and products. The markets have also become fractured, as the pro criminals restrict themselves to highly selective discussion boards to limit the threat from police and fraudsters. Nevertheless, a burgeoning cybercrime market has sprung from these hidden places to offer everything from product development to technical support, distribution, quality assurance, and even help desks. Many cybercriminals rely on the Tor network to stay hidden. Tor — The Onion Router — allows users to cruise the Internet anonymously by encrypting their activities and then routing it through multiple random relays on its way to its destination. This circuitous process renders it nearly impossible for law enforcement to track users or determine the identities of visitors to certain black-market sites. From Niche to Mass Market In 2015, the UK National Cyber Crime Unit’s deputy director stated during a panel discussion that investigators believed that the bulk of the cybercrime-as-a-service economy was based on the efforts of only 100 to 200 people who profit handsomely from their involvement. Carbon Black’s research discovered that the darknet’s marketplace for ransomware is growing at a staggering 2,500% per annum, and that some of the criminals can generate over $100,000 a year selling ransomware kits alone. That’s more than twice the annual salary of a software developer in Eastern Europe, where many of these criminals operate. There are plenty of ways for a cybercriminal to rake in the cash without ever perpetrating “traditional” cybercrime like financial fraud or identity theft. The first way is something called research-as-a-service, where individuals work to provide the “raw materials” — such as selling knowledge of system vulnerabilities to malware developers — for future criminal activities. The sale of software exploits has captured much attention recently, as the ShadowBrokers and other groups have introduced controversial subscription programs that give clients access to unpatched system vulnerabilities. Zero-Day Exploits, Ransomware, and DDoS Extortion Are Bestsellers The number of discovered zero-day exploits — weaknesses in code that had been previously undetected by the product’s vendor — has dropped steadily since 2014, according to Symantec’s 2018 Internet Security Threat Report, thanks in part to an increase in “bug bounty” programs that encourage and incentivize the legal disclosure of vulnerabilities. In turn, this has led to an increase in price for the vulnerabilities that do get discovered, with some of the most valuable being sold for more than $100,000 in one of the many darknet marketplaces catering to exploit sales, as highlighted in related a blog post on TechRepublic. Other cybercrime actors sell email databases to simplify future cybercrime campaigns, as was the case in 2016 when 3 billion Yahoo accounts were sold to a handful of spammers for $300,000 each. Exploit kits are another popular product on the darknet. They provide inexperienced cybercriminals with the tools they need to break into a wide range of systems. However, Europol suggests that the popularity of exploit kits has fallen over the past 12 months as the top products have been eliminated and their replacements have failed to offer a comparable sophistication or popularity. Europol also notes that theft through malware was generally becoming less of a threat; instead, today’s cybercriminals prefer ransomware and distributed denial-of-service (DDoS) extortion, which are easier to monetize. Cybercrime Infrastructure-as-a-Service The third way hackers can profit from more sophisticated cybercrime is by providing cybercrime infrastructure-as-a-service. Those in this field are provide the services and infrastructure — including bulletproof hosting and botnet rentals — on which other bad actors rely to do their dirty work. The former helps cybercriminals to put web pages and servers on the Internet without having to worry about takedowns by law enforcement. And cybercriminals can pay for botnet rentals that give them temporary access to a network of infected computers they can use for spam distribution or DDoS attacks, for example. Researchers estimate that a $60-a-day botnet can cause up to $720,000 in damages on victim organizations. The numbers for hackers who control the botnets are also big: the bad guys can produce significant profit margins when they rent their services out to other criminals, as highlighted in a related post. The New Reality Digital services are often the backbone of small and large organizations alike. Whether it’s a small online shop or a behemoth operating a global digital platform, if services are slow or down for hours, the company’s revenue and reputation may be on the line. In the old days, word of mouth circulated slowly, but today bad news can reach millions of people instantly. Using botnets for DDoS attacks is a moneymaker for cybercriminals who extort money from website proprietors by threatening an attack that would destroy their services. The danger posed by Internet of Things (IoT) botnets was shown in 2016 when the massive Mirai IoT botnet attacked the domain name provider Dyn and took down websites like Twitter, Netflix, and CNN in the largest such attack ever seen. Botnet use will probably expand in the coming years as cybercriminals continue to exploit vulnerabilities in IoT devices to create even larger networks. Get used to it: Cybercrime is here to stay. Source: https://www.darkreading.com/endpoint/cybercrime-as-a-service-no-end-in-sight/a/d-id/1333033

Follow this link:
Cybercrime-as-a-Service: No End in Sight

Businesses are becoming main target for cybercriminals, report finds

Cybercrime activity continues to expand in scope and complexity, according to the latest report by cybersecurity firm Malwarebytes, as businesses become the preferred target for crooks throughout Q3. Malware detection on businesses shot up 55% between Q2 and Q3, with the biggest attack vector coming from information-stealing trojans such as the self-propagating Emotet and infamous LokiBot. Criminals have likely ramped up attacks on organizations in an attempt to maximize returns, while consumers have seen significantly less action in Q3, with a mere 5% detection increase over the period. This incline toward a more streamlined campaign, as opposed to the wide nets cast in previous quarters, is due to numerous reasons including businesses failing to patch vulnerabilities, weaponized exploits, and possibly even the implementation of privacy-protective legislation such as GDPR. “There was a very long period where ransomware was the dominant malware against everybody,” said Adam Kujawa, director of Malwarebytes Labs, speaking to The Daily Swig about the quarterly report, Cybercrime tactics and techniques: Q3 2018. “We’ve seen the complete evolution of ransomware to what is really just a few families, and whether we’ll see the same distribution and exposure [of ransomware] that we’ve seen in the past few years is unlikely in my opinion.” GandCrab ransomware, however, which first appeared at the beginning of this year, has matured. New versions were discovered during Q3 as the ransomware variant is expected to remain a viable threat to both consumers and to businesses, which are at higher risk due to GandCrab’s advanced ability to encrypt network drives. But despite a recent report by Europol that highlighted ransomware as the biggest threat in 2018, Kujawa isn’t convinced that these campaigns will stick around in the quarters to come. “There are so many solutions out there that can protect users from ransomware, and there are more people that know what to do if you get hit with it,” he said. “When you compare that to is it a good return investment [for cybercriminals], we don’t think it is anymore. Most of what we’ve seen [in Q3] is information-stealers.” Kujawa points to the banking trojan Emotet, that can spread easily and with a primary intent to steal financial data and carry out disturbed denial of service (DDoS) attacks on infected machines. Businesses, particularly small and medium-sized enterprises with less money invested in cyber defenses, have become valuable targets due to the ease in which trojans like Emotet can spread throughout their networks. Changes in global information systems may also be a contributing factor in the revival of data-theft. “That may very well in part play to things like GDPR where you’ve got this data that is no longer legally allowed to be on a server somewhere protected in Europe,” said Kujawa. “Cybercriminals may be more interested in stealing data like they used to because this stuff is no longer as easy to obtain as it was.” While information-stealers hogged the spotlight, the threat landscape remains diverse – targets are predominately concentrated within Western countries, while the use of exploit kits were found mostly in Asian countries including South Korea. Kujawa also noted that social engineering, such as phishing attacks, remains a successful technique for malicious hackers. He said: “Almost all attacks are distributed through social engineering, that’s still the number one way to get past things like security software, firewalls, and things like that.” “The biggest problem in our industry right now is people not taking it [cybersecurity] seriously enough,” Kujawa added. “At the end of the day we’re never going to win the war on cybercrime with just technology because that’s exactly what the bad guys are using against us.” Source: https://portswigger.net/daily-swig/businesses-are-becoming-main-target-for-cybercriminals-report-finds

Read the original:
Businesses are becoming main target for cybercriminals, report finds

Security automation can help IT teams limit cyberattack risks

Attacks are becoming largely automated forcing security solutions to provide multiple layers of defence. Basic forms of automatioorks and infrastructure secure. Cybersecurity threats have become a grim reality for businesses today. Due to wide-scale digitisation efforts, companies now store customers’ personal and financial information making their systems prime targets for cybercriminals to breach. These kinds of data can easily be sold on the black market. Their rising prices make cyberattacks quite profitable. Companies are also subject to other types of attacks such as ransomware and extortion. Unlike ordinary users, they are the ones likely to spend and pay the ransom in order to avoid downtime or recover critical work products. The FBI estimates an average of 4,000 ransomware attacks daily since 2016. Many of these threats are automated. Malware like Mirai and Reaper have hijacked hundreds of thousands of devices to make them part of botnets capable of carrying out massive distributed denial-of-service (DDoS) attacks on other networks. These malware run using pre-programmed rules that exploit the most common vulnerabilities of network devices. Companies are now under pressure to cope with these threats. Each stolen record costs companies $148 to deal with. A data breach, even to a company holding a few thousand records, can mean a total loss worth hundreds of thousands of dollars. Falling victim to a DDoS attack could also cost larger enterprises at least $2.5 million in damages or downtime. IT teams now have their work cut out for them. Most are already feeling the strain of having to implement further digitisation in the workplace including the adoption of new technologies such as cloud computing, Internet-of-Things (IoT), and big data. Managing security is an added responsibility for them. Fortunately, there are also developments in cybersecurity and IT management automation that could help ease the pressure. Automating security Attacks are becoming largely automated forcing security solutions to provide multiple layers of defence. Basic forms of automation in IT management could already greatly help in keeping networks and infrastructure secure. For example, automated payload deployment and software patching could help keep endpoint software and firmware up-to-date. Outdated software continues to be one of the leading causes of breaches as attackers exploit known vulnerabilities of older software. Patches and updates are designed to plug these holes. Services that provide basic layers of defence such as Cloud Management Suite (CMS) can be used to automate updates and patching. Automation tools can significant boost IT teams’ efficiency and decrease risks especially if enterprises have hundreds of devices connected to their networks. For instance, CMS automatically scans developer releases for software and firmware updates and deploys them to target machines. IT teams can also remotely administer devices over the cloud. They can even secure IoT devices which have now become fashionable in a number of workplaces. The use of cloud-based security services can also automate certain security tasks. Security platforms like Akamai and Imperva, for instance, constantly update their rules and blacklists to mitigate emerging threats. Once these services are integrated to their respective networks, companies are immediately protected from both new and known sources of malicious traffic thanks to updated threat databases. Benefits of automation Here are some of the common benefits of automation. Augments IT teams’ capacity. There is a shortage of capable IT talent in the job market right now which forces companies to make do with limited IT team personnel. Automated solutions help IT teams operate more efficiently and effectively by taking over time-consuming tasks. Using cloud-based services also essentially allow companies to outsource their work and expertise requirement, filling the skills gap in case it exists. Allows IT teams to focus on high-value activities. The time saved through these automation efforts could free up IT teams to allocate their energies to monitoring and other threat mitigation and response tasks. Threats could come from various sources including internal lapses so IT teams even have to take on the task of educating fellow staff concerning best practices in security. Minimises risk of human error. Automation can also help minimise the possibility of injecting human error into security tasks. Phishing emails, which try to trick recipients into clicking links to malware, are among the common ways office networks get compromised. Phishing emails are becoming more sophisticated making manual reviews more challenging. Automated tools could easily weed out such emails from company servers. Improvements needed Unlike in other areas, security automation is only starting to gain traction meaning there are still kinks that have to be ironed out. For instance, it is possible for automated solutions to be too stringent. Firewalls might block legitimate traffic and threat detection mechanisms might report back false positives. Such episodes could hamper user experience and productivity. Tasks such as endpoint management, monitoring, and response could also benefit from orchestration. Many of the available services are currently offered by different providers. Integrations across these services are limited. Having an orchestration layer that could merge these services into customisable workflows would be ideal since companies and organisations typically have their own way of doing things. Giving IT teams a fighting chance IT teams must be able to hold their ground against the rampant threats they face. Most threats are now automated, so automating security would give IT teams a fighting chance to cope with these challenges. While no system is full-proof yet, automation frees IT teams from typical tedious tasks so they can then refocus their energies towards other high-value activities. Having more ways to mitigate risks empowers IT teams to be better guardians of companies’ IT data and resources. Source: https://www.itproportal.com/features/security-automation-can-help-it-teams-limit-cyberattack-risks/

Read More:
Security automation can help IT teams limit cyberattack risks

Naming & Shaming Web Polluters: Xiongmai

What do we do with a company that regularly pumps metric tons of virtual toxic sludge onto the Internet and yet refuses to clean up their act? If ever there were a technology giant that deserved to be named and shamed for polluting the Web, it is Xiongmai — a Chinese maker of electronic parts that power a huge percentage of cheap digital video recorders (DVRs) and Internet-connected security cameras. In late 2016, the world witnessed the sheer disruptive power of Mirai, a powerful botnet strain fueled by Internet of Things (IoT) devices like DVRs and IP cameras that were put online with factory-default passwords and other poor security settings. Security experts soon discovered that a majority of Mirai-infected devices were chiefly composed of components made by Xiongmai (a.k.a. Hangzhou Xiongmai Technology Co., Ltd. ) and a handful of other Chinese tech firms that seemed to have a history of placing product market share and price above security. Since then, two of those firms — Huawei and Dahua — have taken steps to increase the security of their IoT products out-of-the-box. But Xiongmai — despite repeated warnings from researchers about deep-seated vulnerabilities in its hardware — has continued to ignore such warnings and to ship massively insecure hardware and software for use in products that are white-labeled and sold by more than 100 third-party vendors. On Tuesday, Austrian security firm SEC Consult released the results of extensive research into multiple, lingering and serious security holes in Xiongmai’s hardware. SEC Consult said it began the process of working with Xiongmai on these problems back in March 2018, but that it finally published its research after it became clear that Xiongmai wasn’t going to address any of the problems. “Although Xiongmai had seven months notice, they have not fixed any of the issues,” the researchers wrote in a blog post published today. “The conversation with them over the past months has shown that security is just not a priority to them at all.” PROBLEM TO PROBLEM A core part of the problem is the peer-to-peer (P2P) communications component called “ XMEye ” that ships with all Xiongmai devices and automatically connects them to a cloud network run by Xiongmai. The P2P feature is designed so that consumers can access their DVRs or security cameras remotely anywhere in the world and without having to configure anything. The various business lines of Xiongmai. Source: xiongmaitech.com To access a Xiongmai device via the P2P network, one must know the Unique ID (UID) assigned to each device. The UID is essentially derived in an easily reproducible way using the device’s built-in MAC address (a string of numbers and letters, such as 68ab8124db83c8db). Electronics firms are assigned ranges of MAC address that they may use, but SEC Consult discovered that Xiongmai for some reason actually uses MAC address ranges assigned to a number of other companies, including tech giant Cisco Systems, German printing press maker Koenig & Bauer AG, and Swiss chemical analysis firm Metrohm AG. SEC Consult learned that it was trivial to find Xiongmai devices simply by computing all possible ranges of UIDs for each range of MAC addresses, and then scanning Xiongmai’s public cloud for XMEye-enabled devices. Based on scanning just two percent of the available ranges, SEC Consult conservatively estimates there are around 9 million Xiongmai P2P devices online. [For the record, KrebsOnSecurity has long advised buyers of IoT devices to avoid those advertise P2P capabilities for just this reason. The Xiongmai debacle is yet another example of why this remains solid advice]. BLANK TO BANK While one still needs to provide a username and password to remotely access XMEye devices via this method, SEC Consult notes that the default password of the all-powerful administrative user (username “admin”) is blank (i.e, no password). The admin account can be used to do anything to the device, such as changing its settings or uploading software — including malware like Mirai. And because users are not required to set a secure password in the initial setup phase, it is likely that a large number of devices are accessible via these default credentials. The raw, unbranded electronic components of an IP camera produced by Xiongmai. Even if a customer has changed the default admin password, SEC Consult discovered there is an undocumented user with the name “default,” whose password is “tluafed” (default in reverse). While this user account can’t change system settings, it is still able to view any video streams. Normally, hardware devices are secured against unauthorized software updates by requiring that any new software pushed to the devices be digitally signed with a secret cryptographic key that is held only by the hardware or software maker. However, XMEye-enabled devices have no such protections. In fact, the researchers found it was trivial to set up a system that mimics the XMEye cloud and push malicious firmware updates to any device. Worse still, unlike with the Mirai malware — which gets permanently wiped from memory when an infected device powers off or is rebooted — the update method devised by SEC Consult makes it so that any software uploaded survives a reboot. CAN XIONGMAI REALLY BE THAT BAD? In the wake of the Mirai botnet’s emergence in 2016 and the subsequent record denial-of-service attacks that brought down chunks of the Internet at a time (including this Web site and my DDoS protection provider at times), multiple security firms said Xiongmai’s insecure products were a huge contributor to the problem. Among the company’s strongest critics was New York City-based security firm Flashpoint, which pointed out that even basic security features built into Xiongmai’s hardware had completely failed at basic tasks. For example, Flashpoint’s analysts discovered that the login page for a camera or DVR running Xiongmai hardware and software could be bypassed just by navigating to a page called “DVR.htm” prior to login. Flashpoint’s researchers also found that any changes to passwords for various user accounts accessible via the Web administration page for Xiongmai products did nothing to change passwords for accounts that were hard-coded into these devices and accessible only via more obscure, command-line communications interfaces like Telnet and SSH. Not long after Xiongmai was publicly shamed for failing to fix obvious security weaknesses that helped contribute to the spread of Mirai and related IoT botnets, Xiongmai lashed out at multiple security firms and journalists, promising to sue its critics for defamation (it never followed through on that threat, as far as I can tell). At the same time, Xiongmai promised that it would be issuing a product recall on millions of devices to ensure they were not deployed with insecure settings and software. But according to Flashpoint’s Zach Wikholm , Xiongmai never followed through with the recall, either. Rather, it was all a way for the company to save face publicly and with its business partners. “This company said they were going to do a product recall, but it looks like they never got around to it,” Wikholm said. “They were just trying to cover up and keep moving.” Wikholm said Flashpoint discovered a number of additional glaring vulnerabilities in Xiongmai’s hardware and software that left them wide open to takeover by malicious hackers, and that several of those weaknesses still exist in the company’s core product line. “We could have kept releasing our findings, but it just got really difficult to keep doing that because Xiongmai wouldn’t fix them and it would only make it easier for people to compromise these devices,” Wikholm said. The Flashpoint analyst said he believes SEC Consult’s estimates of the number of vulnerable Xiongmai devices to be extremely conservative. “Nine million devices sounds quite low because these guys hold 25 percent of the world’s DVR market,” to say nothing of the company’s share in the market for cheapo IP cameras, Wikholm said. What’s more, he said, Xiongmai has turned a deaf ear to reports about dangerous security holes across its product lines principally because it doesn’t answer directly to customers who purchase the gear. “The only reason they’ve maintained this level of [not caring] is they’ve been in this market for a long time and established very strong regional sales channels to dozens of third-party companies,” that ultimately rebrand Xiongmai’s products as their own, he said. Also, the typical consumer of cheap electronics powered by Xiongmai’s kit don’t really care how easily these devices can be commandeered by cybercriminals, Wikholm observed. “They just want a security system around their house or business that doesn’t cost an arm and leg, and Xiongmai is by far the biggest player in that space,” he said. “Most companies at least have some sort of incentive to make things better when faced with public pressure. But they don’t seem to have that drive.” A PHANTOM MENACE SEC Consult concluded its technical advisory about the security flaws by saying Xiongmai “ does not provide any mitigations and hence it is recommended not to use any products associated with the XMeye P2P Cloud until all of the identified security issues have been fixed and a thorough security analysis has been performed by professionals.” While this may sound easy enough, acting on that advice is difficult in practice because very few devices made with Xiongmai’s deeply flawed hardware and software advertise that fact on the label or product name. Rather, the components that Xiongmai makes are sold downstream to vendors who then use it in their own products and slap on a label with their own brand name. How many vendors? It’s difficult to say for sure, but a search on the term XMEye via the e-commerce sites where Xiongmai’s white-labeled products typically are sold (Amazon, Aliexpress.com, Homedepot.com and Walmart) reveals more than 100 companies that you’ve probably never heard of which brand Xiongmai’s hardware and software as their own.  That list is available here (PDF) and is also pasted at the conclusion of this post for the benefit of search engines. SEC Consult’s technical advisory about their findings lists a number of indicators that system and network administrators can use to quickly determine whether any of these vulnerable P2P Xiongmai devices happen to be on your network. For end users concerned about this, one way of fingerprinting Xiongmai devices is to search Amazon.com, aliexpress.com, walmart.com and other online merchants for the brand on the side of your device and the term “XMEye.” If you get a hit, chances are excellent you’ve got a device built on Xiongmai’s technology. Another option: open a browser and navigate to the local Internet address of your device. If you have one of these devices on your local network, the login page should look like the one below: The administrative login screen for IoT devices powered by Xiongmai’s software and hardware. Another giveaway on virtually all Xiongmai devices is pasting “http://IP/err.htm” into a browser address bar should display the following error message (where IP= the local IP address of the device): Ironically, even the error page for Xiongmai devices contains errors. According to SEC Consult, Xiongmai’s electronics and hardware make up the guts of IP cameras and DVRs marketed and sold under the company names below. What’s most remarkable about many of the companies listed below is that about half of them don’t even have their own Web sites, and instead simply rely on direct-to-consumer product listings at Amazon.com or other e-commerce outlets. Among those that do sell Xiongmai’s products directly via the Web, very few of them seem to even offer secure (https://) Web sites. SEC Consult’s blog post about their findings has more technical details, as does the security advisory they released today. In response to questions about the SEC Consult reports, Xiongmai said it is now using a new encryption method to generate the UID for its XMEye devices, and will not longer be relying on MAC addresses. Xiongmai also said users will be asked to change a devices default username and password when they use the XMEye Internet Explorer plugin or mobile app. The company also said it had removed the “default” account in firmware versions after August 2018. It also disputed SEC Consult’s claims that it doesn’t encrypt traffic handled by the devices. In response to criticism that any settings changed by the user in the Web interface will not affect user accounts that are only accessible via telnet, Xiongmai said it was getting ready to delete telnet completely from its devices “soon.” KrebsOnSecurity is unable to validate the veracity of Xiongmai’s claims, but it should be noted that this company has made a number of such claims and promises in the past that never materialized. Johannes Greil, head of SEC Consult Vulnerability Lab, said as far as he could tell none of the proclaimed fixes have materialized. “We are looking forward for Xiongmai to fix the vulnerabilities for new devices as well as all devices in the field,” Greil said. Here’s the current list of companies that white label Xiongmai’s insecure products, according to SEC Consult: 9Trading Abowone AHWVSE ANRAN ASECAM Autoeye AZISHN A-ZONE BESDER/BESDERSEC BESSKY Bestmo BFMore BOAVISION BULWARK CANAVIS CWH DAGRO datocctv DEFEWAY digoo DiySecurityCameraWorld DONPHIA ENKLOV ESAMACT ESCAM EVTEVISION Fayele FLOUREON Funi GADINAN GARUNK HAMROL HAMROLTE Highfly Hiseeu HISVISION HMQC IHOMEGUARD ISSEUSEE iTooner JENNOV Jooan Jshida JUESENWDM JUFENG JZTEK KERUI KKMOON KONLEN Kopda Lenyes LESHP LEVCOECAM LINGSEE LOOSAFE MIEBUL MISECU Nextrend OEM OLOEY OUERTECH QNTSQ SACAM SANNCE SANSCO SecTec Shell film Sifvision/sifsecurityvision smar SMTSEC SSICON SUNBA Sunivision Susikum TECBOX Techage Techege TianAnXun TMEZON TVPSii Unique Vision unitoptek USAFEQLO VOLDRELI Westmile Westshine Wistino Witrue WNK Security Technology WOFEA WOSHIJIA WUSONLUSAN XIAO MA XinAnX xloongx YiiSPO YUCHENG YUNSYE zclever zilnk ZJUXIN zmodo ZRHUNTER Source: https://krebsonsecurity.com/2018/10/naming-shaming-web-polluters-xiongmai/

Excerpt from:
Naming & Shaming Web Polluters: Xiongmai

Hackers target the Queensland government with online attacks

International hackers have targeted the Queensland government, with cyber security experts being forced to defend against several potentially disastrous online attacks. Last year, state government IT experts prevented 19 distributed denial of service (DDoS) attacks, during which an average of 8000 malicious domain name system (DNS) requests per minute were blocked. A DDoS attack typically involves flooding a network with requests from multiple computers in an attempt to overload the system and can shut down websites, while DNS floods are a type of DoS. During 2017-18, state government cyber security experts also collected and analysed an average of 400 million events per day from more than 130 sources. Those system events – threat intelligence or activity flagged as of interest – were recorded across the state government network and were detected by security infrastructure, such as firewalls. “While this is regarded as criminal activity, the specific intention of the attacks is unknown and the majority of attempts appear to have originated from various countries,” a Housing and Public Works Department spokeswoman said. “However, cyber criminals behind such attempts often mask their true origin, therefore geographical information is not a true indicator of the source.” Fairfax Media asked for specific details of the dates, targets and outcomes of the 19 DDoS attacks. But the spokeswoman said the government’s policy, based on security advice, was not to publicly comment on specific cyber security incidents. In 2016, the Palaszczuk government created a whole-of-government Cyber Security Unit, sitting within the Chief Information Office, to enhance cyber security. Australian companies have suffered outages following DDoS cyber attacks in the past. In 2016, a DDoS attack left millions of users, mostly in the US and Europe, unable to access websites including Twitter, Spotify and Netflix. Interruptions were also experienced by websites including ANZ, Coles, eBay and The Sydney Morning Herald . In May last year, it was revealed five of Queensland’s biggest hospitals were suffering from major IT problems after efforts to prevent a possible cyber attack backfired. Security patches were installed in response to a global ransomware attack that affected hundreds of thousands of computers worldwide, but the patches then caused system slowness. However, there were no patient safety issues as a result. Source: https://www.smh.com.au/politics/queensland/hackers-target-the-queensland-government-with-online-attacks-20181008-p508gr.html

Read More:
Hackers target the Queensland government with online attacks

100,000-Plus Home Routers Hijacked in Campaign to Steal Banking Credentials

The GhostDNS campaign, which has been mainly targeting consumers in Brazil, has exploded in scope since August. An unknown attacker has hijacked over 100,000 home routers and changed their DNS settings in a major campaign to steal login credentials from customers of several banks in Brazil. Security vendor Radware first reported on the campaign in August. Since then, the campaign has exploded in scope from mostly targeting users of DLink DSL modem routers to targeting users of more than 70 different types of home routers. In a report released Saturday, Chinese security vendor Qihoo 360’s Netlab team said it recently observed a significant increase in attempts to break into routers with weak passwords. About 88% of the devices that have been targeted so far in what Netlab is calling the GhostDNS campaign are located in Brazil. The attackers are attempting to install a version of a previously known DNS hijacking exploit called DNSChanger on the routers and change their default settings so traffic gets redirected to a rogue server. When users attempt to access certain banks, the rouge server takes them to a phishing server hosting phishing pages that are clones of the account login page of the corresponding bank. The rogue server currently hosts phishing pages for 52 domains belonging to banks, cloud service providers, Netflix, and one cybersecurity firm. In situations where the attackers are unable to guess the router passwords, they have been using a previously known exploit known as dnscfg.cgi to remotely configure DNS server settings on the routers without authenticating into them first. Unlike previous DNSChanger campaigns, GhostDNS involves the use of an additional three submodules, which Netlab is calling Shell DNSChanger, Js DNSChanger, and PyPhp DNSChanger (after their programming languages). Together, the modules have more than 100 scripts for changing settings on more than 70 routers. The ShellDNSChanger module includes 25 Shell scripts for attacking 21 routers and firmware. It features a third-party tool to scan IPs in a selected range of network segments in Brazil and uses the router information that is collected to try and crack passwords on their Web authentication pages. The Js DNSChanger module, written in JavaScript, contains scripts for attacking six routers/firmware. The PyPhpDNSChanger is the main module, with attack scripts for 47 different routers/firmware. Netlab says it discovered the module deployed on more than 100 servers, scanning for and attacking target router IPs in Brazil. “The GhostDNS system poses a real threat to [the] Internet,” Netlab said in its advisory. “It is highly scaled, utilizes diverse attack [vectors, and] adopts automated attack process.” Pascal Geenens, a cybersecurity evangelist for Radware who wrote about the start of the campaign in August, says GhostDNS is another example of how attackers have begun exploiting vulnerable consumer Internet of Things (IoT) devices in different ways. Previously, attackers have hijacked IoT devices to create botnets for launching distributed denial-of-service (DDoS) attacks or to mine for cryptocurrencies and provide anonymizing proxy services. With GhostDNS, attackers have demonstrated how they can exploit consumer routers to steal information that can be used to break into bank accounts and carry out other fraud. What is especially troubling about the attack is that many users of the compromised routers — especially those on older browsers — will have no indication their traffic is being redirected to a malicious server, he says. “I’m a little bit surprised,” Geenen says about how much the DNS hijacking campaign in Brazil has evolved since August. “It’s not that easy to make an exploit work across that many routers.” Configuration commands for each router can vary. In order to carry out a campaign such as GhostDNS, the attackers would have needed to find the commands for each of the targeted routers and developed scripts for changing them. Then they would have needed to test the scripts to see how well they worked. For Internet users, campaigns such as GhostDNS are another reminder to keep IoT devices properly updated, Geenens says. “All the vulnerabilities that we have seen abused, whether it is for cryptomining or for DDoS, were vulnerabilities that were fixed,” he explains. Attackers have learned that a majority of consumers don’t update their IoT devices promptly when patches for newly announced flaws become available. So it is not unusual to see adversaries attacking new vulnerabilities almost immediately after the flaws are disclosed, he says. Source: https://www.darkreading.com/attacks-breaches/100000-plus-home-routers-hijacked-in-campaign-to-steal-banking-credentials/d/d-id/1332946

More:
100,000-Plus Home Routers Hijacked in Campaign to Steal Banking Credentials

Could Your Organisation’s Servers Be A Botnet?

Most organisations are aware that they could be the target of a DDoS attack and have deployed protection to keep their public-facing services online in the face of such attacks. However, far fewer have thought about the potential for their servers to be harnessed for use in a botnet, the group of servers used to conduct such DDoS attacks. Up until a few months ago, attackers typically only used well-known infrastructure services, like DNS resolution servers, to launch and amplify DDoS attacks, but Memcached – a popular database caching system – changed that. Malicious hackers have begun abusing Memcached to deliver attacks that are amplified to over 50,000 times their original size – one of the largest amplification methods ever detected. Any organisation running Memcached to speeds up their systems is a potential botnet recruit. How Memcached and similar UDP based service attacks work Earlier this year, researchers discovered that a flaw in the implementation of the User Datagram Protocol (UDP) for Memcached servers can allow hackers to deliver record-breaking attacks with little effort. Memcached is a distributed memory caching system, originally intended for use in speeding up networks and website applications by reducing database load. Memcached reduces latency and database load by storing data objects in memory, immediately returning them to the caller without requiring a database query. Usually, Memcached systems are deployed within a trusted network where authentication may not be required. However, when exposed to the Internet, they become trivially exploitable if authentication isn’t turned on. Not only is the cached data accessible to attackers, it’s simple to use the Memcached server for a DDoS attack, if UDP access is enabled. Specifically, with UDP an attacker can “spoof” or fake the Internet Protocol address of the target machine, so that the Memcached servers all respond by sending large amounts of data to the spoofed address, thus triggering a DDoS attack. Most popular DDoS tactics that abuse UDP connections can amplify the attack traffic up to 20 times, but Memcached can take a small amount of attack traffic and amplify the size of the request thousands of times. Thus, a small number of open Memcached servers can be used to create very large DDoS attacks. The implications to the organisation If you’re running Memcached with UDP and without authentication, you’re now a likely target for inclusion in a botnet. Should you become part of a botnet, it’s possible that both your servers and your bandwidth will be overloaded, resulting in outages and increased network costs. Indeed, attackers have already demonstrated how badly servers with misconfigured Memcached can be abused and used to launch DDoS attacks with ease. In addition, unprotected Memcached servers give attackers access to the user data that has been cached from its local network or host, potentially including email addresses, database records, personal information and more. Additionally, cybercriminals could potentially modify the data they access and reinsert it back into the cache without user’s knowledge, thus polluting production applications. To avoid being assimilated into a Borg-ish botnet, organisations and internet service providers need to take a more proactive approach in identifying any vulnerable servers before damage is done. What can be done to prevent the severs being recruited? Despite multiple warnings about threat actors exploiting unprotected Memcached servers, ArsTechnica reported that searches show there are more than 88,000 vulnerable servers – a sign that attacks may get much bigger. Therefore, it’s crucial that organisations ensure they have the correct security measure in place, to avoid being part of this wave. Attacks of those scale and size cannot be easily defended against by Internet Service Providers (ISPs), thus organisations need to take inventory of any Internet-facing servers and ensure that Memcached is not inadvertently exposed. For any internet-facing servers that require Memcached, they should consider using a Software-Defined Perimeter to ensure that only authorized users will be able to send UDP packets or establish TCP connection. This will prevent attackers from being able to harness servers in a DDoS attack and leverage them to amplify those attacks. In addition, companies need to look at internal servers that are running Memcached, because an internal distributed denial-of-service attack could also be launched from some locally-running malware. Source: https://www.informationsecuritybuzz.com/articles/could-your-organisations-servers-be-a-botnet/

See more here:
Could Your Organisation’s Servers Be A Botnet?

‘Torii’ Breaks New Ground For IoT Malware

Stealth, persistence mechanism and ability to infect a wide swath of devices make malware dangerous and very different from the usual Mirai knockoffs, Avast says. A dangerous and potentially destructive new IoT malware sample has recently surfaced that for the first time this year is not just another cheap Mirai knockoff. Researchers from security vendor Avast recently analyzed the malware and have named it Torii because the telnet attacks through which it is being propagated have been coming from Tor exit nodes. Besides bearing little resemblance to Mirai in code, Torii is also stealthier and more persistent on compromised devices. It is designed to infect what Avast says is one of the largest sets of devices and architectures for an IoT malware strain. Devices on which Torii works include those based on x86, x64, PowerPC, MIPS, ARM, and several other architectures. Interestingly, so far at least Torii is not being used to assemble DDoS botnets like Mirai was, or to drop cryptomining tools like some more recent variants have been doing. Instead it appears optimized for stealing data from IoT devices. And, like a slew of other recent malware, Torii has a modular design, meaning it is capable of relatively easily fetching and executing other commands. Martin Hron, a security researcher at Avast says, if anything, Torii is more like the destructive VPNFilter malware that infected some 500,000 network attached storage devices and home-office routers this May. VPNFilter attacked network products from at least 12 major vendors and was capable of attacking not just routers and network attached storage devices but the systems behind them as well. Torii is different from other IoT malware on several other fronts. For one thing, “it uses six or more ways to achieve persistence ensuring it doesn’t get kicked out of the device easily on a reboot or by another piece of malware,” Hron notes. Torii’s modular, multistage architecture is different too. “It drops a payload to connect with [command-and-control (CnC)] and then lays in wait to receive commands or files from the CnC,” the security researcher says. The command-and-control server with which the observed samples of Torii have been communicating is located in Arizona. Torii’s support for a large number of common architectures gives it the ability to infect anything with open telnet, which includes millions of IoT devices. Worryingly, it is likely the malware authors have other attack vectors as well, but telnet is the only vector that has been used so far, Hron notes. While Torii hasn’t been used for DDoS attacks yet, it has been sending a lot of information back to its command-and-control server about the devices it has infected. The data being exfiltrated includes Hostname, Process ID, and other machine-specific information that would let the malware operator fingerprint and catalog devices more easily. Hron says Avast researchers aren’t really sure why Torii is collecting all the data. Significantly, Avast researchers discovered a hitherto unused binary on the server that is distributing the malware, which could let the attackers execute any command on an infected device. The app is written in GO, which means it can be easily recompiled to run on virtually any machine. Hron says Avast is unsure what the malware authors plan to do with the functionality. But based on its versatility and presence on the malware distribution server, he thinks it could be a backdoor or a service that would let the attacker orchestrate multiple devices at once. The log data that Avast was able to analyze showed that slightly less than 600 unique client devices had downloaded Torii. But it is likely that the number is just a snapshot of new machines that were recruited into the botnet for the period for which Avast has the log files, the security vendor said. Source: https://www.darkreading.com/attacks-breaches/-torii-breaks-new-ground-for-iot-malware/d/d-id/1332930

See the original post:
‘Torii’ Breaks New Ground For IoT Malware

Beware of Torii! Security experts discover the ‘most sophisticated botnet ever seen’ – and say it is targeting smart home gadgets

Researchers from Avast have identified a worrying botnet affecting IoT devices Called ‘Torii,’ the virus infects devices at a server level that have weak encryption Virus can fetch and execute different commands, making it ‘very sophisticated’ Keep an eye on your smart home devices. Security experts have identified what they consider the ‘most sophisticated botnet they’ve ever seen’ and it’s believed to be targeting internet of things gadgets. Antivirus firm Avast said in a new report they’ve been closely watching a new malware strain, called ‘Torii,’ which uses ‘advanced techniques’ to infect devices. ‘…This one tries to be more stealthy and persistent once the device is compromised, an it does not (yet) do the usual stuff a botnet does like [Distributed Denial of Service attacks], attacking all the devices connected to the internet, or, of course, mining cryptocurrencies,’ Avast researchers wrote in a blog post. The malware goes after devices that have weak encryption, using the Telnet remote access protocol. Telnet is a remote access tool that’s primarily used to log into remote servers, but it’s largely been replaced by tools that are more secure. Once it has identified a poorly secured system, Torii will attempt to steal your personal information. It’s entirely possible that vulnerable IoT device owners have no idea their device has been compromised. ‘As we’ve been digging into this strain, we’ve found indications that this operation has been running since December 2017, maybe even longer,’ the researchers wrote. While Torii hasn’t attempted cryptojacking or carried out DDoS attacks, researchers say the malware is capable of fetching and executing commands of different kinds on the infected device, making it very sophisticated. What’s more, many smart home gadgets are connected to one another, and it’s unclear yet if the malware is capable of spreading to other devices. ‘Even though our investigation is continuing, it is clear that Torii is an example of the evolution of IoT malware, and that its sophistication is a level above anything we have seen before,’ the Avast researchers explained. Once Torii infects a device, it floods it with information and communicates with the master server, allowing the author of the malware to execute any code or deliver any payload to the infected device, according to researchers. ‘This suggests that Torii could become a modular platform for future use,’ the researchers continued. ‘Also, because the payload itself is not scanning for other potential targets, it is quite stealthy on the network layer. Stay tuned for the follow ups.’ WHAT IS A DDOS ATTACK? DDoS stands for Distributed Denial of Service. These attacks attempt to crash a website or online service by bombarding them with a torrent of superfluous requests at exactly the same time. The surge of simple requests overload the servers, causing them to become overwhelmed and shut down. In order to leverage the number of requests necessary to crash a popular website or online service, hackers will often resort to botnets – networks of computers brought under their control with malware. Malware is distributed by tricking users into inadvertently downloading software, typically by tricking users into following a link in an email or agreeing to download a corrupted file. Source: https://www.dailymail.co.uk/sciencetech/article-6216451/Security-experts-discover-sophisticated-botnet-seen.html

Read More:
Beware of Torii! Security experts discover the ‘most sophisticated botnet ever seen’ – and say it is targeting smart home gadgets

DDoS Attack on German Energy Company RWE

Protesters in Germany have been camping out at the Hambach Forest, where the German energy company RWE has plans to mine for coal. Meanwhile, it’s been reported that RWE’s website was under attack as police efforts to clear the protesters from the woods were underway. According to Deutsche Welle , unknown attackers launched a large-scale distributed denial-of-service (DDoS), which took down RWE’s website for virtually all of Tuesday. No other systems were attacked, but efforts to clear away the protesters have been ongoing for the better part of the month, and activists have reportedly made claims that they will be getting more aggressive in their tactics. Activists have occupied the forest in hopes of preventing RWE from moving forward with plans to expand its coal mining operations, which would effectively clear the forest. In addition to camping out in the forest, the protesters have reportedly taken to YouTube to spread their message. Reports claim that a clip was posted last week by Anonymous Deutsch that warned, “If you don’t immediately stop the clearing of the Hambach Forest, we will attack your servers and bring down your web pages, causing you economic damage that you will never recover from,” DW reported. “Together, we will bring RWE to its knees. This is our first and last warning,” the voice from the video reportedly added. DDoS attacks are intended to cripple websites, and the attack on RWE allowed the activists to make good on their threat, at least for one day. ““This is yet another example that illustrates the DDoS threat to [softer targets in] CNI [critical network infrastructure].  RWE is an operator of an essential service (energy) in Germany. The lights didn’t go out but their public-facing website was offline as a result of this attack,” said Andrew Llyod, president, Corero Network Security. In a recent DDoS report, Corero researchers found that “after facing one attack, one in five organizations will be targeted again within 24 hours.” Source: https://www.infosecurity-magazine.com/news/ddos-attack-on-german-energy/

See more here:
DDoS Attack on German Energy Company RWE