Tag Archives: denial of service attack

DNS Root Servers Hit by DDoS Attack

Unknown parties carried out a large-scale DDoS attack on the Internet’s DNS root servers, causing slight timeouts for four nodes, more exactly on the B, C, G, and H servers, RootOps reports. There were two different attacks, one launched on November 30 that lasted 160 minutes (from 06:50 to 09:30 UTC), and a second, shorter one on December 1 that lasted only one hour (from 05:10 to 06:10 UTC). RootOps, the DNS root server operators, are reporting that the attacks were valid DNS queries addressed towards one domain in the first attack, and to a different domain on the second day. Each attack blasted up to five million queries per second per DNS root name server. RootOps has no hopes to catch the culprit, since IP source addresses can be easily spoofed, and the source IP addresses used in the DDoS attack were very well spread and randomized across the entire IPv4 address space. The DDoS didn’t cause any serious damage, but a mere delay for some users making DNS queries via their browser, FTP, SSH, or other clients. DNS protocol’s design saves the day “The DNS root name server system functioned as designed, demonstrating overall robustness in the face of large-scale traffic floods observed at numerous DNS root name servers,” said the DNS root server operators, referring to the fallback system employed by DNS servers. Because of the way DNS is constructed, on a mesh-like structure like the Internet itself, if one server does not respond, other servers intervene and provide a DNS query result. The DNS root server operators did not speculate on the reasons this massive attack was carried out against their infrastructure but did say this was not the result of a reflected DDoS attack. RootOps recommended that ISPs that don’t want to allow DDoS attacks that use IP address spoofing to be carried from their network should implement Source Address Validation and the BCP-38 specification. Source: http://news.softpedia.com/news/dns-root-servers-hit-by-ddos-attack-497363.shtml

Read this article:
DNS Root Servers Hit by DDoS Attack

Sputnik Türkiey website became the target of a DDoS attack

Access to the site was blocked for an hour due to a distributed denial-of-service (DDoS) attack carried out by unknown perpetrator(s). The website’s IT specialists managed to quickly deal with the attack and Sputnik Türkiye has already resumed operations. The resources of Rossiya Segodnya International Information Agency, including the Sputnik website and newswire, had already become a target for a major DDoS attack in October, when the agency’s websites and mailing services were unavailable to users for two hours. DDoS attacks are caused by a large number of Internet users or software programs simultaneously sending requests to a website until it exceeds its capacity to handle Internet traffic. Source: http://sputniknews.com/middleeast/20151208/1031410680/sputnik-turkey-ddos-attack.html

View article:
Sputnik Türkiey website became the target of a DDoS attack

Warnings over Node.js flaw that could lead to DoS attacks

TheNode.js Foundation has revealed a couple of bugs within its JavaScript software that could lead to major denial of service attacks against websites using the code. The issues affects versions of Node.js from version 0.12 up to version 5. In a bulletin issued by the Foundation, the popular server-id JavaScript platform has two vulnerabilities. One covers “a high-impact denial-of-service vulnerability” while the other is a “low-impact V8 out-of-bounds access vulnerability.” V8 is the JavaScript engine developed by Google and used by Node.js. The DoS issue is labelled as CVE 2015-8027, while the access problem is identified as CVE-2015-6764. According to the bulletin, the first bug could allow a hacker to launch a denial of service. The second bug could enable a hacker to trigger an out-of-bounds access and/or denial of service if user-supplied JavaScript can be executed by an application. The issues were disclosed last week with patches due to be released yesterday. However, the Foundation announced that it will now delay releasing the patches until Friday. It said this was because of dependencies on OpenSSL, which itself has been found to contain further vulnerabilities. “Node.js versions v0.10.x and v0.12.x depend on OpenSSL v1.0.1 and versions v4.x (LTS Argon) and v5.x depend on OpenSSL v1.0.2,” stated an advisory on the Node.js website. “As the Node.js build process statically links OpenSSL into binaries, we will be required to release patch-level updates to all of our actively supported versions to include the upstream fixes. While we are unaware of the exact nature of the OpenSSL vulnerabilities being fixed, we must consider it likely that Node.js releases will be required in order to protect users.” It said the move to Friday was “unfortunate” but has to take into account of “the possibility of introducing a vulnerability gap between disclosure of OpenSSL vulnerabilities and patched releases by Node.js and therefore must respond as quickly as practical.” “Please be aware that patching and testing of OpenSSL updates is a non-trivial exercise and there will be significant delay after the OpenSSL releases before we can be confident that Node.js builds are stable and suitable for release,” the organisation said. Wim Remes, strategic services manager EMEA at Rapid7, said vulnerabilities in Node.js “impacts organisations across verticals, from ecommerce websites, over healthcare organisations, to critical infrastructure.” “Hackers will leverage any vulnerability that allows them to gain control over a target. Denial of Service vulnerabilities are mostly used for targeted hacktivism or extortion purposes. The out-of-bounds access vulnerability, as it provides direct access to an infrastructure, would be a welcome tool in the arsenal of any digital criminal,” he said. “With access to part of the infrastructure, an attacker can pivot further through the infrastructure, destroy information, exfiltrate information, install spying software, etc. A vulnerability that provides direct access is the first tool an attacker needs to achieve their goals.” Remes added that in this case patching is about the only thing an organisation can do. “There are obviously ways to stop attacks using Web Application Firewalls or Intrusion Prevention Systems but given the severity of the issues, I would definitely recommend to prioritise patching. Additionally, making sure that any system which doesn’t need to be on the internet is not reachable by external users is something that makes sense too,” said Remes. Source: http://www.scmagazineuk.com/warnings-over-nodejs-flaw-that-could-lead-to-dos-attacks/article/457205/

See more here:
Warnings over Node.js flaw that could lead to DoS attacks

It’s Black Friday: Do you know who is DDoSing your servers? And how to stop them

Today is Black Friday in the U.S. a retail holiday where numerous, extravagant deals are revealed to a ravenous public. In the brick and mortar universe, this can become a free-for-all when shoppers will camp out for days in front of a store just to get in on the first deals. In the cyber universe the same greatly increase traffic can be seen and this also makes it hunting season for hackers and extortionists attempting to get a cut. On the Internet, the easiest and lowest form of disruption is the distributed denial of service (DDoS) attack and we’ve seen it employed throughout the year by for various reasons to take down websites. To get a better understanding of what e-retailers can expect now on Black Friday and the upcoming Cyber Monday, SiliconANGLE reached out to Nexusguard (Nexusguard Limited), DDoS protection experts, and spoke with their Chief Scientist Terrence Gareau. “Risk from cyberattack is a trend repeating every year,” says Gareau. “No doubt retailers all experience an uptick in attacks [during Black Friday]. Attackers are definitely taking advantage of the uptick and e-tailers need to put in more resources to boost their websites’ security.” This year DDoS attacks hit record highs, according to the State of the Internet report from Akamai for Q2 2015. The number of attacks grew by 132 percent compared to the same time in 2014 and 12 attacks occurred that exceeded 1,000 gigabits per second (Gbps). Nexusguard’s own overwatch on DDoS showed that during 2015 Q3 attack numbers rose by 53 percent over Q2, higher than any quarter over the past two years. E-commerce at more risk than ever from DDoS attacks Most DDoS attacks that make it to the news are being done my Internet mayhem groups looking for fame and attention. The most recent example is the attack committed by Lizard Squad on Christmas Day, December 26, 2014 against the Xbox LIVE and PlayStation networks that knocked the gaming services offline for millions of customers However, Gareau says that not all DDoS attacks come from people seeking attention—some are seeded with greed and extortion. Especially when it comes to the lesser-known attacks that services and e-retailers suffer around this time of year. When asked if competitors might use DDoS to knock out or weaken sales from other e-retailers, Nexusguard’s chief scientist would only say that it does appear that competitors do attack each other this time of year. That said, more danger appears to be coming from extortion rackets this time of year than from greedy competitors. The usual strategy is to hit an outlet with a DDoS attack (a short one) and then send an e-mail requesting some sort of ransom payment or the attack comes back. A few more blasts might come along to get the target’s attention. “Hackers are aware that the holidays are a prime time for online retailers. Therefore, they would do anything to break through any defenses,” says Gareau. This time of year criminals know that stores and e-retailers are looking to make as much money as possible off traffic. As well, increased traffic makes servers even more vulnerable to DDoS because it means they’re already working at capacity. Attackers see this as low-hanging fruit because first it’s easier and second an e-retailer will lose a great deal of money for even ten minutes of time offline during the sales rush. “One of the most sophisticated attacks focused on the login prompt,” Gareau adds, when asked for an example of how hackers attempt to knock sites offline. “In fact, on Thanksgiving and Christmas last year, we saw a hacker craft specific requests to the login form, preventing visitors from logging on.” Cold advice about DDoS extortion: “…don’t f**ing pay ‘em.” “We expect to see an increase in fraud and extortion, directly linked to DDoS as seen over the last few years,” Gareau says. When it comes to handling the potential of (or ongoing) DDoS attacks, Gareau suggests getting a proper team on board, he works for such a team at Nexusguard after all, but he also has an opinion on extortion and it’s a very simple one: “…And don’t f**ing pay ‘em,” he adds. This year has a perfect example of why paying DDoS extortion is a losing bet. In early November Switzerland-based ProtonMail, a provider of end-to-end encrypted e-mail, was struck by a powerful DDoS attack and the attackers demanded a ransom of $6,000 to relent. (The amount requested was 15 bitcoins, which at the time came out to approximately $5,850.) ProtonMail paid the ransom but then paid the price: the ProtonMail website and service were washed away by a DDoS attack anyway. Paying extortion to make a DDoS attacker go away does not necessarily make them go away. Just like any other criminal enterprise, knowing that a payment will come is a good way to make sure they will come back. Worse, it will fund the criminals to build out or increase their total power, which means they can go after other targets more frequently. In many cases that ransom requested by the criminals behind the DDoS could be paid to an anti-DDoS outfit and used to lessen the impact of the attack. The result is that the criminals get nothing but time wasted firing off their attack tools. Source: http://siliconangle.com/blog/2015/11/27/its-black-friday-do-you-know-who-is-ddosing-your-servers-and-how-to-stop-them/

UK Broadband Provider AAISP Suffers Strong DDoS Assault

Internet provider Andrews and Arnold (AAISP) appears to have become the target for a semi-sporadic Distributed Denial of Service (DDoS) assault, which began hitting their network yesterday and has caused some of their customers to lose connection. Generally speaking DDoS attacks work by overloading a target server (e.g. a website or other network service) with masses of data requests from multiple internet connected computers / devices; usually Trojan/Virus infected computers that then become part of a botnet , which can be controlled by a single individual that usually hides their connection behind other servers. At this point it’s crucial to reflect that DDoS attacks happen to ISPs all the time (we read about them on an almost weekly basis), they’re practically par-for-the-course, but most can be mitigated and few are ever significant enough to knock lots of end-users offline. In nearly all cases these incidents aren’t actually an attack against the ISP, but rather somebody targeting a specific customer on the ISPs network. As such this should NOT be confused with the recent TalkTalk incident, which also involved a separate hacking attempt and was aimed at the ISPs web server. By comparison the assault against AAISP appears to have targeted part of their network and NOT their website, which is usually what happens when somebody is looking to knock a specific subscriber offline. The nature of this assault, which seems both powerful and aimed at several areas of their network, meant that AAISP’s “ usual anti-DOS systems have not helped “, although they were later able to “ mitigated most of the problems. ” Unfortunately the assault began again this morning and moved to a new target block, which has kept AAISP’s staff on their toes. Adrian Kennard, Director of AAISP, told ISPreview.co.uk: “ Staff have been working on this to reduce the impact on all customers as much as possible, and are continuing to do so today. There are still a handful customers that are collateral damage from the attack and we are working on getting those customers on line right now .” Apparently “ many ” of AAISPs customers have been affected by the DDoS, although only a handful were actually left without Internet connectivity and the provider is now attempting to identify which customers were being targeted by the assault (in practice they may not get to the bottom of this, just as most other ISPs rarely do). In the meantime some of provider’s customers are having their WAN IP address changed to get them on-line, including a few that own blocks of IPs (this can sometimes be a bit more tricky for the customer). One of those is Basingstoke based fixed wireless broadband ISP HiWiFi, which has been tweeting about the incident since last night. It’s worth pointing out that the Computer Misuse Act effectively makes DDoS illegal, although finding the perpetrators is rather more difficult, not least because such attacks are usually short-lived (the longer they go on the greater the chance of being traced and caught). Source: http://www.ispreview.co.uk/index.php/2015/11/uk-broadband-provider-aaisp-suffers-strong-ddos-assault.html

Continued here:
UK Broadband Provider AAISP Suffers Strong DDoS Assault

Hacktivists claim ISIS terrorists linked to Paris attacks had bitcoin funding

Anti-ISIS hackers claimed to have detected indicators of an impending attack on Paris as well bitcoin funding, a wallet with over $3 million, used by ISIS militants. During Dateline coverage after the terrorist attacks on Paris, Lestor Holt asked, “Does this change the game in terms of intelligence?” Andrea Mitchell replied, “It does,” before discussing how intelligence missed any type of communication regarding the coordinated attacks. She added, “There’s such good surveillance on cell phones and there’s such good communications ability by the intelligence gathering in Europe, especially in France, especially in Great Britain and in the United States. So they may have been communicating via social media or through codes. And that’s the kind of thing that is very concerning to U.S. intelligence.” After the Charlie Hebdo massacre, France passed an “intrusive” surveillance bill, granting the government the power “to wiretap communications, install secret surveillance cameras and sweep up metadata.” That didn’t stop the horrific attacks on Paris, aka “Paris’ 9/11,” and more ubiquitous and invasive surveillance is not the answer. Matthew Williams, a researcher of computational criminology at Cardiff University in Wales, told Mic that “picking out singular acts of crime or terror from an indiscriminate pile of civilian noise is all but impossible.” Ghost Security Group detected indicators of attack on Paris Even with all the surveillance, intelligence groups again missed indicators of a credible terrorist attack. Yet in an interview with NewsBTC, a member of the hacktivist group “Ghost Security Group” claims it “did detect several indicators of an attack impending and are currently in the process of collecting valuable evidence for United States government officials.” ISIS and bitcoin funding DW (Deutsche Welle) previously reported that the Islamic State is experimenting with currency, specifically gold and bitcoin. One bitcoin wallet received around $23 million in a month; anti-ISIS hackers from GhostSec followed a chain of transactions to another wallet with over $3 million in bitcoins. Ghost Security Group confirmed to NewsBTC that ISIS is “extensively using bitcoin for funding their operations” and that the group has “managed to uncover several bitcoin addresses used by them.” Furthermore, bitcoin is “their prime form of cryptocurrency.” No evidence was given, such as the bitcoin wallet address, as the hackers “cannot go into more detail at the moment on current investigations.” GhostSec Background GhostSec (Ghost Security), a hacktivist group which is an offshoot of Anonymous, has been attacking thousands of ISIS social media accounts and public websites since early this year. The group is not alone; in February, Anonymous and the Redcult Team called ISIS a virus that it planned to cure during Operation ISIS (#OpISIS). A GhostSec spokesperson claimed that ISIS, ironically, has been using Google and Amazon Web Service to avoid U.S. and international intelligence agencies and to shield itself and its websites from being hacked by Ghost Security Group; the latter has been credited with stopping terrorist attacks. DigitaShadow, executive director of the Ghost Security Group, told IBTimes UK, that the group discovered terrorist threats against Tunisia in July, and also uncovered evidence that foiled a terrorist attack in New York on July 4. The hacktivist group has also been credited with discovering and reporting other credible extremist threats. GhostSec keeps a running tally of Twitter IDs reported, server IPs reported to host extremist content, Facebook, Tumblr, YouTube and other common sites as well as “uncommon sites” that have been reported as being dedicated to extremist causes and “could/should be targeted and brought down.” It also has a way to submit potential terrorism-related content and other tools. The hacking group has targeted and bypassed CloudFlare “to determine the actual website that they need to attack to takedown the actual website.” Ghost Security Group Ghost Security reportedly formed earlier this year after the terrorist attacks against Charlie Hebdo offices in Paris. Earlier this month, Ghost Security Group split (pdf) from “Ghost Security.” Ghost Security Group is a counter terrorism network that combats extremism on the digital front lines of today utilizing the internet and social media as a weapon. Our cyber operations consist of collecting actionable threat data, advanced analytics, offensive strategies, surveillance and providing situational awareness through relentless cyber terrain vigilance. The newly formed Ghost Security Group (GSG) said (pdf) it “needed to address some misapprehensions concerning our group. Much of that stemmed from our uses of menacing graphics which resemble logos used by illicit cyber networks. Perceptions matter and all of that was undermining our abilities to cultivate relationships with officials who now recognize our capabilities to add value to counter terrorism initiatives.” The new group has a new website that has a more corporate-like appearance, while Ghost Security uses the older .org website. Ghost Security Group added (pdf): The group’s new trademarked look discards the hoodies and Guy Fawkes masks so often associated with publicity stunts and distributed denial-of-service (DDoS) attacks on government, religious, and corporate websites in favor of pristine, white graphics devoid of any reference to illegal activities. Part of the transition has included discarding their old brand and website, www.GhostSec.org , which are now used by former group members who have a different philosophy and approach to combating ISIS online. Ghost Security Group has 12 core members, some of whom work “16 hours a day … and 7 days a week nonstop” to identify surface-level and hidden Deep Web sites that are suspected to be related to the Islamic State; the group receives tips from volunteers and part-time helpers. Foreign Policy reported the group receives 500 tips every day. Data-mining, identity stitching, email monitoring, predictive analysis, social media surveillance, terrorism financing and social engineering are but some of the things listed among GSG’s counter surveillance capabilities. Some members of the small group of terrorist hunters have “ex-military or cybersecurity backgrounds.” GSG said it “monitors over 200 known violent extremist websites for actionable threat data and analysis;” it has “identified and terminated over 100,000 extremist social media accounts that were used primarily for recruitment purposes and transmission of threats against life and property.” It is GSG that claims to have detected indicators of the attack on France. Can you believe that? Michael Smith, co-founder of Kronos Advisory and an advisor to U.S. Congress, forwards about 90% of GhostSec’s leads to the FBI. Even retired Gen. David Petraeus, formerly head of the CIA, told Foreign Policy, “[Smith] has shared with me some of the open source data he has provided to various U.S. agency officials, and I can see how that data would be of considerable value to those engaged in counter-terrorism initiatives.” Regarding ISIS and bitcoin funding, one unnamed GSG hacker said, “Most of the Bitcoin funding sites utilized by the Islamic State are on the deep web and we have managed to uncover several and successfully shut them down in order to limit the funding extremists receive through the use of cryptocurrencies.” The feds claim encryption is a terrorist’s tool, so hopefully the horrible attacks on Paris won’t add fuel to their encryption-is-evil claims. In the same way that all encryption is not bad, bitcoin is not used exclusively by terrorists; hopefully the ISIS-bitcoin-funding issue won’t take a twist and lead to the bashing of cryptocurrencies or a push for more surveillance laws. If you like the idea of cyber vigilantes going after ISIS instead of the government, and if you want to help stop ISIS and other extremist groups, GSG said to report “suspicious activities.” Tips go through a “rigorous review process before a website is cleared for termination.” Every potential “target is reviewed by five members – often including a native Arabic speaker – and ranked by level of threat.” When “asked if their destruction of Islamic State websites sets a bad precedent for freedom of speech online,” GSG’s @DigitaShadow answered: “No. Free speech isn’t murder.” Source: http://www.networkworld.com/article/3005308/security/hacktivists-claim-isis-terrorists-linked-to-paris-attacks-had-bitcoin-funding.html

Continue Reading:
Hacktivists claim ISIS terrorists linked to Paris attacks had bitcoin funding

FastMail the latest victim of a sustained DDoS offensive

FastMail has been subjected to a number of distributed denial of service (DDoS) attacks, the premium email provider has revealed. The Australian-based company said that the cyber offensive first took place in the early hours of November 8th, which took some of its services offline. In response it immediately “enabled mitigation strategies”, which proved successful in bringing the DDoS attack to an end. However, the following day, at around the same time, the cybercriminal once again launched another onslaught. This second-round of attacks came with a ransom demand, which threatened FastMail with more chaos if it didn’t hand over 20 Bitcoins (worth approximately £7,500). The company said that it does not respond to attempts of extortion and will not bow to pressure from the cybercriminal. “Over the last week, several email providers, including Runbox, Zoho, Hushmail and ProtonMail have been hit by large scale DDoS attacks, accompanied by an extortion demand from the attacker to stop,” FastMail outlined. “The goal of the attacker is clearly to extort money in the hope that the services will not be prepared to deal with the disruption. “With one exception, where ProtonMail paid the criminals and was still attacked, we do not believe the extortion attempts have been successful, and we fully intend to stand up to such criminal behaviour ourselves.” The company says that it is actively working to keep its services running as best as possible and that it has utilized knowledge gained from past DDoS attacks to help it react to numerous situations. The attack on ProtonMail is one of the most high-profile cases of 2015, which the encrypted email provider has described as the “largest and most extensive cyberattack in Switzerland”. A DDoS attack is when numerous computers make repeated requests for information to one computer or device. This has the effect of ‘overwhelming’ a computer or device’s ability to deal with the requests, resulting in it slowing down or crashing. Source: http://www.welivesecurity.com/2015/11/12/fastmail-latest-victim-sustained-ddos-offensive/

See original article:
FastMail the latest victim of a sustained DDoS offensive

TalkTalk hack: 15-year-old boy arrested in Northern Ireland over DDoS attack

News stunned security experts who had assumed that Isis terrorists or major country had been behind the breach A boy of 15 has been arrested and questioned on suspicion of being the mastermind behind the TalkTalk data theft cyber attack. A team from Scotland Yard’s Cyber Crime Unit joined Police Service of Northern Ireland officers as they raided the teenager’s home in County Antrim. The boy was arrested on suspicion of Computer Misuse Act offences and taken to a nearby police station. News of the suspect’s age stunned security experts who had assumed that a group of Isis terrorists or a country such as Russia had been behind the massive breach. IT insiders said it would be a “gamechanger” if proven that a teenager operating from his bedroom could bring a global company to its knees. The Met said the property was being searched and inquiries by CCU detectives, the PSNI’s Cyber Crime Centre and the National Crime Agency are continuing. A spokesman said on Monday night: “An arrest has been made in connection with the investigation into alleged data theft from the TalkTalk website. At approximately 4.20pm, officers from the Police Service of Northern Ireland (PSNI), working with detectives from the Metropolitan Police Cyber Crime Unit, executed a search warrant at an address in County Antrim, Northern Ireland. The phone and broadband provider, which has four million customers, initially said last week that the “sustained” attack was a DDoS, a distributed denial of service attack where a website is bombarded with waves of traffic. When experts pointed out a DDoS attack would not explain the loss of data TalkTalk later indicated it had been hit by an attack known as an SQL injection – a technique where hackers gain access to a database by entering instructions in a web form. IT security experts had already expressed surprise at how a company the size of TalkTalk was still vulnerable to the method, as it is a well-known type of attack and there are relatively simple ways of defending against it. The company has been heavily criticised for its handling of the cyber attack – the third it has suffered in the last eight months, with incidents in August and February resulting in customers’ data being stolen. Following last week’s breach TalkTalk admitted that customers’ bank account and sort code details may have been accessed as some customers said money has gone missing from their accounts. TalkTalk said there is currently no evidence that customers’ bank accounts have been affected but it does not know how much customer information was encrypted. The company said it would contact all current customers and that an unknown number of previous customers may also be at risk. TalkTalk’s chief executive Dido Harding said last week the firm had received a ransom demand from someone claiming to be behind the cyber attack. Jesse Norman, chair of the Culture, Media and Sport Select Committee, is leading an inquiry into the alleged data breach. Cyber Security Minister Ed Vaizey had earlier told MPs that companies could face bigger fines for failing to protect customer data from such attacks. He said the Information Commissioner’s Office can already levy “significant fines” but told the Commons he was “open to suggestions” about how the situation could be “improved”. TalkTalk is facing a maximum fine of £500,000 but the SNP’s John Nicolson said the prospect was “clearly not terrifying” for a company with an annual revenue of £1.8 billion a year. Shares in the telecoms company fell more than 12 per cent on Monday extending its losses from last week when news of the attack first emerged. A statement from Talk Talk said: “We know this has been a worrying time for customers and we are grateful for the swift response and hard work of the police. We will continue to assist with the ongoing investigation. “In the meantime, we advise customers to visit [our website] for updates and information regarding this incident.” Source: http://www.independent.co.uk/news/uk/home-news/talktalk-hack-boy-15-arrested-in-northern-ireland-over-attack-a6709831.html

Read the original:
TalkTalk hack: 15-year-old boy arrested in Northern Ireland over DDoS attack

Attackers hijack CCTV cameras to launch DDoS attacks

Default and weak credentials on embedded devices can lead to powerful botnets We’ve reached a point that security researchers have long warned is coming: Insecure embedded devices connected to the Internet are routinely being hacked and used in attacks. Want to add a bunch of users without going out of your mind? We show you how to do that, and more. The latest example is a distributed denial-of-service (DDoS) attack detected recently by security firm Imperva. It was a traditional HTTP flood aimed at overloading a resource on a cloud service, but the malicious requests came from surveillance cameras protecting businesses around the world instead of a typical computer botnet. The attack peaked at 20,000 requests per second and originated from around 900 closed-circuit television (CCTV) cameras running embedded versions of Linux and the BusyBox toolkit, researchers from Imperva’s Incapsula team said in a blog post Wednesday. When analyzing one of the hijacked cameras that happened to be located in a store close to the team’s office, the researchers found that it was infected with a variant of a known malware program designed for ARM versions of Linux that’s known as Bashlite, Lightaidra or GayFgt. While infecting computers with malware these days requires software exploits and social engineering, compromising the CCTV cameras that were used in this attack was very easy as they were all accessible over the Internet via Telnet or SSH with default or weak credentials. Insecure out-of-the-box configurations are a common issue in the embedded device world and have been for a long time. In 2013, an anonymous researcher hijacked 420,000 Internet-accessible embedded devices that had default or no login passwords and used them in an experiment to map the whole Internet. However, the problem is getting worse. The push by device manufacturers to connect things such as refrigerators or “smart” light bulbs to the Internet is largely done without consideration for security implications or an overhaul of outdated practices. As a result, the number of easily hackable embedded devices is growing fast. Shortly after the CCTV camera-based attack was mitigated, a separate DDoS attack was detected that originated from a botnet of network-attached storage (NAS) devices, the Imperva researchers said. “And yes, you guessed it, those were also compromised by brute-force dictionary attacks.” Source: http://www.computerworld.com/article/2996079/internet-of-things/attackers-hijack-cctv-cameras-to-launch-ddos-attacks.html

Continue Reading:
Attackers hijack CCTV cameras to launch DDoS attacks

Hacker Exfocus Blamed For Knocking Rutgers University Offline With DDoS Attack, Even After Expensive Upgrade

Someone is tormenting Rutgers University. The New Jersey school announced Monday it was fending off a distributed denial-of-service attack that crippled its Internet and Wi-Fi access. The latest cyberattack on a major U.S. research institution comes after a number of similar hacks against Rutgers, a school of approximately 65,000 undergraduate students. “We are currently experiencing a denial-of-service event affecting Internet connectivity and Wi-Fi access,” Rutgers said on its Facebook page. “OIT is working to resolve the issue, and we will inform the Rutgers community as soon as we have more information.” The outage also affected Sakai and eCollege, two online learning tools used to administer homework, tests and other communication, according to student complaints on social media. A previous outage limited the school’s ability to accept credit cards. It appears to be the first attack on Rutgers since the university invested $3 million to better protect its computer networks after at least four attacks during the past school year. That upgrade was the primary reason Rutgers raised tuition and fees by 2.3 percent for the 2015-16 school year, NJ.com reported in August, with a hacker known as Exfocus claiming responsibility for the problems. “Honestly, I am sitting here dumbfounded at the amount of incompetence displayed once again by the Rutgers IT department,” Exfocus wrote in a post on Pastebin in April. “I could run circles around all of you with my eyes closed, and one leg amputated.” A DDoS attack occurs when a hacker takes control of thousands (or millions) of computers and aims them at a single server, overwhelming that network with traffic and ultimately knocking it offline. Similar methods have been used by the Chinese government and the Anonymous hacking collective. Exfocus tweeted: “Did you miss me?” before deleting the message Monday. Student chatter on the anonymous Yik Yak social network also said Exfocus had been bragging there, though the most anyone seems to know about Exfocus came in an interview where he said he was being paid in bitcoin by someone with a grudge against the school. “When I stop getting paid — I’ll stop DDoSing lol. I’m hoping that RU will sign on some DDoS mitigation provider. I get paid extra if that happens,” Exfocus told APollonsky.me before being asked if he wished to share anything else with the Rutgers community. “I’m a fan of Taylor Swift.” Source: http://www.ibtimes.com/hacker-exfocus-blamed-knocking-rutgers-university-offline-ddos-attack-even-after-2117247