Tag Archives: victim

Let’s play everyone’s favorite game: REvil? Or Not REvil?

Another day, another DDoS attack that tries to scare the victim into paying up with mention of dreaded gang

Akamai has spoken of a distributed denial of service (DDoS) assault against one of its customers during which the attackers astonishingly claimed to be associated with REvil, the notorious ransomware-as-a-service gang.…


New phishing campaign uses 20-year-old Microsoft mess as bait

Necurs botnet spreads ransomware carried in Office documents

The ever-vigilant folk at the Internet Storm Centre (SANS) have spotted yet another campaign trying to drop the Locky ransomware using compromised Word files.…


Dark DDoS: hacker tools and techniques – the challenges faced

In 2017 has the cyber landscape changed? What are the objectives of hackers? What are their methods? The variety of attacks used has increased, so how can you mitigate the risk?

Hackers can have many different possible objectives. For instance, they may aim to interrupt business, corrupt data, steal information – or even all of these at the same time. To reach their goals, they continuously look for any vulnerability – and will use any vulnerability – to attack. They’re getting increasingly smarter and always looking for more, faster and easier ways to strike. Furthermore, their attacks are no longer designed simply to deny service but to deny security. The initial service denial attack is often used as camouflage to mask further – and potentially more sinister – activities. These include data theft, network infiltration, data exfiltration, networks being mapped for vulnerabilities, and a whole host of other potential risks. These types of attacks are often referred to as ‘Dark DDoS’ because of the initial smokescreen attack, which acts to distract organisations from the real breach that’s taking place.

In a large proportion of recent data breaches, DDoS (distributed denial of service) attacks have been occurring simultaneously – as a component of a wider strategy – meaning hackers are utilising this technique in a significant way. According to a report by SurfWatch Labs, DDoS attacks rose 162% in 2016. SurfWatch Labs claims this is due to the increasing use of IoT devices and the attacks on KrebsOnSecurity.com and on domain name provider Dyn – believed to be some of the biggest DDoS attacks ever recorded. Last year, France was also hit by one of the largest DDoS attacks when hosting company OVH was targeted through 174,000 connected cameras.

Today’s hackers have developed a wide variety of DNS attacks that fall into three main categories:

Volumetric DoS attacks: an attempt to overwhelm the DNS server by flooding it with a very high number of requests from one or multiple sources, leading to degradation or unavailability of the service.
Stealth/slow drip DoS attacks: a low volume of specific DNS requests causing capacity exhaustion of outgoing query processing, leading to degradation or unavailability of the service.
Exploits: attacks exploiting bugs and/or flaws in DNS services, the protocol, or the operating systems running DNS services.

Often DNS threats are geared towards a specific DNS function (cache, recursive and authoritative), with precise damage objectives. This aspect must be integrated into the DNS security strategy to develop an in-depth defence solution, ensuring comprehensive attack protection. The list below of the most common attacks aims to emphasise the diversity of the threats and details the extent of the attack surfaces:

Volumetric attacks
Direct DNS attacks: flooding of DNS servers with direct requests, causing saturation of cache, recursion or authoritative functions. This attack is usually sent from a spoofed IP address.
DNS amplification: DNS requests generating an amplified response to overwhelm the victim’s servers with very large traffic.
DNS reflection: attacks using numerous distributed open resolver servers on the Internet to flood the victim’s authoritative servers (usually combined with amplification attacks).
NXDOMAIN: flooding of the DNS servers with requests for non-existent domains, implying recursive function saturation.

Stealth/slow drip DoS attacks
Sloth domain attacks: attacks using queries sent to the hacker’s authoritative domain, which answers requests very slowly – just before the timeout – to cause capacity exhaustion on the victim’s recursive server.
Phantom domain attack: attacks targeting DNS resolvers by sending them sub-domains for which the domain server is unreachable, causing saturation of cache server capacity.
Random subdomain attack (RQName): attacks using random query names, causing saturation of the victim’s authoritative domain and recursive server capacity.

Exploits
Zero-day vulnerability: zero-day attacks take advantage of DNS security holes for which no solution is currently available.
DNS-based exploits: attacks exploiting bugs and/or flaws in DNS services, the protocol, or the operating systems running DNS services.
DNS tunnelling: the DNS protocol is used to encapsulate data in order to remotely control malware and/or exfiltrate data.
Protocol anomalies: DNS attacks based on malformed queries, intended to crash the service.
DNS cache poisoning: attacks introducing data into a DNS resolver’s cache, causing the name server to return an incorrect IP address and diverting traffic to the attacker’s computer.

The DNS security landscape is continuously moving and DNS attacks are becoming more and more sophisticated, combining multiple attack vectors at the same time. Today’s DDoS attacks are almost unrecognisable from the simple volumetric attacks that gave the technique its name. In 2017 they have the power to wreak significant damage – as all those affected by the Dyn breach last year will testify – and they are far more sophisticated, deceptive and frequent. To keep ahead of these threats, today’s security solutions must continuously protect against a family of attacks rather than a limited list of predefined attacks that must be frequently updated or tuned.

Source: http://www.information-age.com/securing-website-content-management-system-123463910/
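The NXDOMAIN flood, random subdomain (RQName) and sloth domain attacks listed above each leave a distinct signature in recursive resolver logs. The following is an added example, not code from the article or any vendor: a small Python checker that runs one heuristic per attack class over a constructed resolver log. The log format, the thresholds and the assumed 5-second upstream timeout are all assumptions made for the example.

```python
import math
import statistics
from collections import Counter, defaultdict

# Constructed sample resolver log (not from any real system), one query per line:
# "<client ip> <query name> <rcode> <answer latency in ms>"
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR 12
10.0.0.5 mail.example.com NOERROR 9
198.51.100.7 k3j5h2.victim.example NXDOMAIN 4
198.51.100.7 zq81xw.victim.example NXDOMAIN 5
198.51.100.7 p0o9i8u7.victim.example NXDOMAIN 4
198.51.100.7 a1b2c3d4.victim.example NXDOMAIN 6
198.51.100.7 9f8e7d6c.victim.example NXDOMAIN 5
198.51.100.7 x7y6z5w4.victim.example NXDOMAIN 4
203.0.113.9 www.slow-attacker.test NOERROR 4900
203.0.113.9 cdn.slow-attacker.test NOERROR 4950
203.0.113.9 api.slow-attacker.test NOERROR 4980
10.0.0.6 www.example.com NOERROR 11
10.0.0.6 typo.example.com NXDOMAIN 8
"""

RESOLVER_TIMEOUT_MS = 5000  # assumed upstream query timeout of the recursive resolver


def parse_log(text):
    """Parse the whitespace-separated log format above into dicts."""
    records = []
    for line in text.strip().splitlines():
        src, qname, rcode, latency = line.split()
        records.append({"src": src, "qname": qname.lower().rstrip("."),
                        "rcode": rcode, "latency_ms": int(latency)})
    return records


def base_domain(qname, levels=2):
    """Crude registrable-domain guess: keep the last `levels` labels."""
    return ".".join(qname.split(".")[-levels:])


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def detect_nxdomain_flood(records, min_queries=5, min_ratio=0.8):
    """Clients whose queries are mostly NXDOMAIN: candidate NXDOMAIN flood sources."""
    total, nx = Counter(), Counter()
    for r in records:
        total[r["src"]] += 1
        if r["rcode"] == "NXDOMAIN":
            nx[r["src"]] += 1
    return sorted(src for src in total
                  if nx[src] >= min_queries and nx[src] / total[src] >= min_ratio)


def detect_random_subdomain(records, min_distinct=5, min_entropy=2.5):
    """Base domains queried for many distinct, high-entropy, non-existent subdomains."""
    labels = defaultdict(set)
    for r in records:
        parts = r["qname"].split(".")
        if r["rcode"] == "NXDOMAIN" and len(parts) > 2:
            labels[base_domain(r["qname"])].add(parts[0])
    hits = []
    for domain, subs in labels.items():
        if len(subs) >= min_distinct:
            mean_entropy = sum(label_entropy(s) for s in subs) / len(subs)
            if mean_entropy >= min_entropy:
                hits.append(domain)
    return sorted(hits)


def detect_sloth_domain(records, min_queries=3, fraction_of_timeout=0.9):
    """Domains whose answers consistently arrive just under the resolver timeout."""
    latencies = defaultdict(list)
    for r in records:
        latencies[base_domain(r["qname"])].append(r["latency_ms"])
    threshold = RESOLVER_TIMEOUT_MS * fraction_of_timeout
    return sorted(d for d, lat in latencies.items()
                  if len(lat) >= min_queries and statistics.median(lat) >= threshold)


def analyse(text):
    """Run all three heuristics over a log and return the flagged sources and domains."""
    records = parse_log(text)
    return {"nxdomain_flood": detect_nxdomain_flood(records),
            "random_subdomain": detect_random_subdomain(records),
            "sloth_domain": detect_sloth_domain(records)}


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        print(kind, hits or "none")
```

Thresholds like these need tuning against a site's own baseline; a busy resolver will see legitimate NXDOMAIN bursts from typo traffic and short random-looking labels from CDNs.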


A Turkish hacker is giving out prizes for DDoS attacks

But the DDoS software comes with a hidden backdoor

A hacker in Turkey has been trying to encourage distributed denial-of-service attacks by making them into a game, featuring points and prizes for attempting to shut down political websites. The DDoS platform, translated as Surface Defense in English, has been prompting other hackers in Turkey to sign up and score points, according to security firm Forcepoint, which uncovered it. Users that participate will be given a tool known as Balyoz, the Turkish word for Sledgehammer, that can be used to launch DDoS attacks against a select number of websites. For every ten minutes they attack a website, the users will be awarded a point, which can then be used to obtain rewards. These prizes include a more powerful DDoS attacking tool, access to bots designed to generate revenue from click fraud, and a prank program that can infect a computer and scare the victim with sounds and images.

The DDoS platform has been promoted on Turkish hacking forums, and the attack tool involved is designed to only harass 24 political sites related to the Kurds, the German Christian Democratic Party — which is led by Angela Merkel — the Armenian Genocide, and others. “Users can also suggest new websites to add to the list of targets,” Forcepoint said. “There is a live scoreboard for participants to see how they compare to other participants.”

The maker of the DDoS platform also tightly regulates the way users play. For example, the DDoS attack tool given to the participants is designed to run on only one machine, preventing it from being used on multiple computers. This is done to ensure fairness during the competition, according to Forcepoint. However, it’s not exactly an efficient way to launch a DDoS attack, which is typically done with armies of infected computers that can number in the thousands or more. It’s unclear how many participants the DDoS platform managed to recruit or if it managed to take down any websites.

But Forcepoint noticed that the DDoS attack tool given to the participants also contains a backdoor that will secretly install a Trojan on the computer. The backdoor will only execute on a participant’s machine if they’ve been banned from the competition. Its goal is probably to enslave the computer and form a botnet to launch additional DDoS attacks, Forcepoint said. The hacker behind the DDoS platform is believed to go by the handle “Mehmet” and is possibly based in the Turkish city of Eskisehir, according to evidence found in Forcepoint’s investigation. Although the DDoS attacks are geared at political websites, the participants involved in the competition might not be ideologically motivated, and instead could just want access to the hacking tools, Forcepoint said.

Source: http://www.pcworld.com/article/3148270/security/a-turkish-hacker-is-giving-out-prizes-for-ddos-attacks.html


Cloud infrastructure attacks to increase in 2017, predicts Forcepoint

The cloud offers organizations a number of benefits, from simple off-site storage to rent-a-server to complete services. But 2017 will also see cloud infrastructure increasingly the target of attacks, with criminals lured by the data stored there and the possibility of using it to launch distributed denial of service attacks. That’s one of the predictions for the new year from security vendor Forcepoint.

Hacking a cloud provider’s hypervisor would give an attacker access to all of the customers using the service, Bob Hansmann, Forcepoint’s director of security technologies, told a webinar last week. “They’re not targeting you, they may not even know you exist until they get into the infrastructure and get the data. Then they’re going to try to maximize the attack” by selling whatever data is gained. Also tempting attackers is the bandwidth cloud providers have, which could be leveraged for DDoS attacks.

As attacks on cloud infrastructure increase it will be another reason why CISOs will be reluctant to put sensitive data in the cloud, he said, or will limit cloud use to processing but not storing sensitive data. CIOs/CISOs have to realize “the cloud is a lie,” he said. “There is no cloud. Any cloud service means data is going to someone’s server somewhere. So you need to know: are they securing that equipment the same way you’re securing data in your organization … are the personnel vetted, what kind of digital defences do they have?” “You’re going to have to start pushing your cloud providers to meet compliance with the regulations you’re trying to be compliant with,” he added.

That will be particularly important for organizations that do business in Europe with the coming into force next year of the European Union’s new General Data Protection Regulation (GDPR). So answering questions such as how long a cloud service holds the organization’s data, whether it is backed up securely, whether employees are vetted, whether there is third-party certification of its use of encryption, and how it is protected from DDoS attacks is more important than ever.

Other predictions for next year include:

–Don’t fear millennials. At present on average they are the second largest group (behind boomers) in most organizations. They do increase security risk because as a tech-savvy group they tend to over-share information – particularly through social media. So, Hansmann says, CISOs should use that to their advantage. “Challenge them to become security-savvy. Put in contests where employees submit what they think are spam or phishing attacks, put in quarterly award recognitions, or something like that. Challenge them, and they will step up to the challenge. They take pride in their digital awareness.” Don’t try to make them feel what they do is wrong, but help them to become better. “They will become a major force for change in the organization, and hopefully carry the rest of the organization with them.”

–The so-called Digital Battlefield is the world. That means attackers can be nation-states as well as criminals. But CISOs should be careful what they do about it. Some infosec pros – and some politicians – advocate that organizations and countries should be ready to launch attacks against a foe instead of being defensive. But, Forcepoint warns, pointing the finger is still difficult, with several hops between the victim and attacker. “The potential for mis-attribution and involving innocents is going to grow,” Hansmann said. “Nations are going to struggle with how do they ensure confidence in businesses, that they are a safe and secure place to do business with or through — and yet not over-react in a way that could cause collateral damage.”

–Linked to this is the threat that will be posed in 2017 by automated attacks. The widespread weaponization of autonomous hacking machines by threat actors will emerge next year, Forcepoint says, creating an arms race to build autonomous patching. “Like nuclear weapons technology proliferation, weaponized autonomous hacking machines may greatly impact global stability by either preventing national defense protocols being engaged or by triggering them unnecessarily,” says the company.

–Get ready for the European GDPR. It will come into effect in May 2018 and therefore next year will drive compliance and data protection efforts. “We’ve learned compliance takes a long time to do right, and to do it without disrupting your business.” Organizations may have to not only change systems but redefine processes, including training employees. CIOs need to tell business units, ‘We’re here to support you, but if you’re going to run operations through the EU this regulation is going to have impact. We need to understand it now because it will require budgeting and changes to processes that IT doesn’t control,’ said Hansmann.

–There will be a rise in what Forcepoint calls “corporate-incentivized insider abuse.” That’s shorthand for ‘employees are going to cheat to meet sales goals.’ The result is staff falsifying reports or signing up customers for services they didn’t order. Think of U.S. bank Wells Fargo being fined $185 million this year because more than 2 million bank accounts or credit cards were opened or applied for without customers’ knowledge or permission between May 2011 and July 2015. Over 5,000 staff were fired over the incidents. If organizations don’t get on top of this problem governments will regulate, Hansmann warned.
Source: http://www.itworldcanada.com/article/cloud-infrastructure-attacks-to-increase-in-2017-predicts-forcepoint/389001


Blizzard’s Battle.net Servers Knocked Offline By Another DDoS Attack

Blizzard Entertainment became a victim of yet another distributed denial-of-service (DDoS) attack as its Battle.net servers were knocked down on Sunday, Sept. 18. The DDoS attack that rendered Battle.net’s servers offline was waged by hacking group PoodleCorp. Owing to the attack, Battle.net, which runs several popular games such as World of Warcraft, Hearthstone: Heroes of Warcraft and Overwatch to name a few, was left handicapped even as angry users took to social media to vent their ire. Gamers on PC, PlayStation 4 and Xbox One were all affected by the outage.

Blizzard Entertainment acknowledged the situation on its official Twitter account. “We are currently monitoring a DDOS attack against network providers which is affecting latency/connections to our games,” wrote Blizzard in a tweet.

The DDoS attack on Battle.net lasted for half an hour after PoodleCorp took to Twitter to state that it would halt the attack and restore the servers if the tweet below was retweeted 2,000 times. The blackmail (ransom note?) found favor with a majority of gamers as they were only too willing to retweet to have access again to the games they were playing. As promised, PoodleCorp stopped the attack once the 2,000 retweet milestone was reached.

This is not the first time Blizzard Entertainment has been at the mercy of PoodleCorp. Earlier in August, we reported that it was hit with a PoodleCorp DDoS attack, which disrupted gameplay for users of Battle.net until network engineers addressed the issue. Back then, however, the hacking group did not ask for retweets. Blizzard Entertainment has been the victim of a spate of DDoS attacks in the past few months. In June, an attack took down its servers as well. The outage was attributed to Lizard Squad member AppleJ4ck, who claimed responsibility and cautioned that the hack was a small part of some “preparations.”

Aside from the DDoS attack, Blizzard has been having a terrible week anyway. On Sept. 14, 16 and 18, the company suffered from technical issues that prevented or delayed users from logging in and joining the game servers. However, for now, Blizzard Entertainment can breathe easy as the technical problems Battle.net was encountering owing to the DDoS attack from PoodleCorp have been resolved.

Source: http://www.techtimes.com/articles/178300/20160919/blizzards-battle-net-servers-knocked-offline-by-another-ddos-attack.htm


DDoS Extortionist Copycats Continue To Hound Victims

It has been a while since I wrote about this subject (or about anything at all for that matter) but it occurred to me today that the distributed denial of service (DDoS) extortionist issue is a problem that needs to be talked about again. Over the last couple of years there have been a lot of websites come under attack from miscreants armed with all manner of distributed denial of service platforms and tools. Often these attackers would first launch an attack and then contact the victim company to say “check your logs to see we’re for real”. Once their bona fides were established they would then demand a sum of money to be paid in bitcoin or suffer the “wrath” of their DDoS attack, which was more often than not severely oversold.

There have been examples of criminal outfits like DD4BC who were true to their word when they made a threat. They would in fact follow through on their threat of an attack. This came to an unceremonious end a year ago when one of the main ne’er-do-wells was arrested by Europol. More often than not, however, these extortion gangs turn out to be little more than confidence tricksters. One such example was the Armada Collective. This was a criminal outfit that did little more than threaten targets but, with one lone exception, never followed through on the threats they made. Mind you, they did end up making a tidy sum of money from their victims. What this did accomplish was to set a precedent that has given rise to the copycat attackers.

A prime example of this was an email that I received from a friend. His organization was threatened by a copycat group that were masquerading as the Armada Collective, basically using the name as a hex sign: a brand name that could be used to possibly intimidate an organization. Here is a redacted version of the email that he provided to me.

From: Armada Collective
Sent:
Subject: ATTENTION: Ransom request!!!

FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!

We are Armada Collective. All your servers will be DDoS-ed starting Wednesday (Jun 29 2016) if you don’t pay 5 Bitcoins @ [Bitcoin wallet address redacted] When we say all, we mean all – users will not be able to access sites host with you at all. If you don’t pay by Wednesday, attack will start, price to stop will increase by 5 BTC for every day of attack. If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time. This is not a joke. Our attacks are extremely powerful – sometimes over 1 Tbps per second. So, no cheap protection will help. Prevent it all with just 5 BTC @ [Bitcoin wallet address redacted] Do not reply, we will probably not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US! Bitcoin is anonymous, nobody will ever know you cooperated.

While people might not be aware that an organization had in fact cooperated, as per their email, they would be setting a horrible example. The more that companies pay extortionists like this, the more emboldened the criminals would become. This could potentially become a lucrative endeavor for the criminals. At the time of this writing 1 bitcoin was valued at roughly $628 USD. At a bare minimum, with 5 bitcoin per email as above, they would be raking in at least $3000 USD for each successful attack. Not bad for the cost of an email. If you are the recipient of an email like this, seek help to protect your enterprise. Do not feel compelled to pay the attackers. You have no guarantees that they won’t return.

Source: http://www.forbes.com/sites/davelewis/2016/09/08/ddos-extortionist-copycats-continues-to-hound-victims/#2c6d7a7b4d06


What are the DoS and DDoS attacks that brought down the census?

Experts believe that the electronic assault on the census site was a DDoS attack – a kind of electronic army that attacks an enemy’s website on every flank using millions of computers as soldiers. About 2000 of these attacks occur every day across the world, said DigitalAttackMap, a website that monitors such attacks.

Only days ago, this type of attack shut down US Olympic swimmer Michael Phelps’ commercial website, SCMagazine, which specialises in IT security, said. It said the attack happened fresh after Phelps’ gold medal-winning performance in the men’s 4×100 metre freestyle relay at the Rio Games. One hacking expert told Time magazine that any celebrity or high-profile site should expect these attacks. “Each celebrity on our target list will be either hacked or DDoSed,” a representative of hacking group New World Hackers said. Xbox, US Republican presidential candidate Donald Trump and the BBC have been among New World Hackers’ recent targets.

DigitalAttackMap, a joint venture between Google Ideas and network security firm Arbor Networks, said these attacks had hit online gaming sites, newspapers and banks; Greek banks were crippled this year. Yet its site doesn’t show a DDoS attack on the ABS census site on Tuesday, bolstering claims by some that the attack didn’t take place.

Photo caption: The DigitalAttackMap tracks DDoS attacks on a daily basis. The red flare over Brazil shows a serious DDoS attack. Photo: DigitalAttackMap.com

The Australian Bureau of Statistics said its census site was hit four times by denial of service (DoS) attacks. A DoS is a broad term for attacks that attempt to crash an online system so that users cannot access it. Some IT and cybersecurity professionals speculated that a DDoS (Distributed Denial of Service) attack was to blame. A DDoS is a type of DoS attack in which hackers attempt to crash a system by flooding it with bots – or Trojan – accounts.

DigitalAttackMap said attackers cripple websites, such as the ABS’ census site, by building networks of infected computers, known as botnets, by spreading malicious software through emails, websites and social media. Once infected, these machines can be controlled remotely, without their owners’ knowledge, and used like an army to launch an attack against any target. Some botnets are millions of machines strong.

DigitalAttackMap says these botnets can generate huge floods of traffic to overwhelm a target. “These floods can be generated in multiple ways, such as sending more connection requests than a server can handle, or having computers send the victim huge amounts of random data to use up the target’s bandwidth. Some attacks are so big they can max out a country’s international cable capacity.”

Adding to many people’s fears about the security of the census website before the attack, the information gained from these sites during an attack is sold on online marketplaces that specialise in information gained from these DDoS attacks, DigitalAttackMap said. “Using these underground markets, anyone can pay a nominal fee to silence websites they disagree with or disrupt an organisation’s online operations. A week-long DDoS attack, capable of taking a small organisation offline, can cost as little as $150,” the website said.

Source: http://www.smh.com.au/technology/technology-news/what-are-the-dos-and-ddos-attacks-that-brought-down-the-census-20160809-gqowwp.html


Media Organizations Beware – DDoS Attacks are Coming

There’s nothing subtle about a DDoS attack. Your incident response console is lit up like a Christmas tree. Alarms are going off indicating that your network is down or severely disrupted. System users and managers are sending you panicky messages that business has ground to a halt. Meanwhile your mind is racing: Who would do this to us? Some kind of cyber extortionist? An unsavoury competitor? Hacktivists trying to send a message? And why would they do this?

There are many reasons behind a DDoS attack but one thing we have continued to see is the rise of DDoS attacks on media publications – most recently demonstrated by the attacks on Swedish media sites. After a bit of investigation, Arbor found that the attack was not endorsed by the Russian government, but was instead a typical distributed attack, with computers located in Russia, among many other countries, generating attack traffic – most likely a botnet-for-hire service. At the end of last year we also saw the BBC hit by a DDoS attack, while Brian Krebs was hit by a DDoS back in 2013. According to Newscycle Solutions, over 50% of media companies have been the victim of some sort of cyber-attack in the last two years – it’s clear that media organizations are currently in the firing line for hackers.

We know that every business has a different IT team and because of this has different views towards security. But it is important that even soft targets such as media organizations have a good understanding of the threat landscape and implement the right security processes. There are several factors media organizations should consider.

Easy to implement, easy to attack

Firstly, it is now far too easy to launch a DDoS attack. For a mere $5/hr anyone without any technical knowledge can purchase a DDoS-for-hire service and launch a DDoS attack. Quite often, it is used as a smokescreen to cover fraudulent activity. Combine this with the many motives behind a DDoS attack and you see why there is such a rise in the number of DDoS attacks across all types of industries.

Changing motivations

Traditionally, vandalism and political/ideological disputes are the common reasons for attacks on media organizations. The poster child for this is the DDoS attack on the BBC. It is just a way for hackers to flex their muscles to show everyone what they’re capable of. More recent attacks have highlighted the growth of criminal extortion, data exfiltration and DDoS for Bitcoin. As media organizations report on all types of events, while they may not take a side, they could still become a target of an attack. Interestingly there is usually a correlation between political conflicts in the real world and online attacks – often called cyber-reflection.

The variety of DDoS continues to grow

DDoS attacks are utilized as a diversion or smokescreen in multiple stages of the cyberattack kill chain. The following cases have all been documented as part of complex attacks and are stages every business should be aware of:

Reconnaissance: In this initial stage, cybercriminals launch a small DDoS attack to size up your security posture and ability to respond. If they find that a business’ security is weak, they will stick around to do some discreet probing and port scanning, looking for vulnerabilities to exploit so they can break into the organization. The knowledge they gather in this phase will be used for the Extract Data/Complete Mission phase.

Malware Delivery/Exploitation: Now they’re inside the network and spreading out, dropping malware onto your machines. To cover their tracks, hackers will launch a DDoS attack to overwhelm an organization’s threat detection and forensics tools, making the breach and the planted malware much harder to detect.

Extract Data/Complete Mission: In the final stage, they launch a DDoS attack as a diversion while they steal confidential data such as credit card information, intellectual property or other valuable information they can get their hands on. While the IT team is distracted, cyber criminals quietly slip away undetected with their loot and the DDoS attack mysteriously ends.

Don’t be low-hanging fruit

If a media organization is hit with a DDoS attack, it might not be an independent event. It’s important to make sure there’s nothing happening inside the network that could be related to that attack – otherwise the consequences could be far worse. In fact, businesses may be able to take some cues from the DDoS attack that will help them investigate further. For example, if the IT team knows where the attack is coming from, that could indicate who the threat actor may be. Plus the tactics, techniques and procedures (TTPs) the threat actor uses may help you hunt for other indicators of compromise (IOCs) potentially signalling that you’re falling victim to a larger threat campaign.

But why take all the risk? Preventing smokescreen attacks, and the potentially devastating damage they cause, is one more reason why many companies invest in strong DDoS protection. Like a burglar checking for unlocked doors, cyber-criminals look for low-hanging fruit. If they realize that a media site has the defenses in place that can deflect their initial attack, they’re more likely to abandon their efforts and look for an easier victim.

Source: http://www.infosecurity-magazine.com/opinions/media-organizations-beware-ddos/
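The advice above to check what else is happening inside the network while a DDoS is running can be turned into a concrete check: compare each internal host's outbound traffic during the attack window against that host's own baseline outside it. The following is an added example (not code from the article or from Arbor): a Python routine over constructed flow summaries and a constructed DDoS alert window; the flow format, the window source and the 10x volume factor are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not from any real incident). Times are UTC, ISO 8601.
# DDoS detection windows as they might be exported by an assumed mitigation platform.
DDOS_WINDOWS = [("2016-03-20T10:00:00", "2016-03-20T10:45:00")]

# Egress flow summaries: "<time> <internal host> <external dst> <bytes sent>"
EGRESS_FLOWS = """\
2016-03-20T08:10:00 10.1.1.20 198.51.100.10 120000
2016-03-20T09:05:00 10.1.1.20 198.51.100.10 98000
2016-03-20T09:40:00 10.1.1.21 198.51.100.10 150000
2016-03-20T10:05:00 10.1.1.20 198.51.100.10 110000
2016-03-20T10:12:00 10.1.1.21 203.0.113.77 2400000000
2016-03-20T10:20:00 10.1.1.21 203.0.113.77 1900000000
2016-03-20T10:30:00 10.1.1.22 198.51.100.10 130000
2016-03-20T11:30:00 10.1.1.20 198.51.100.10 105000
"""


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def parse_flows(text):
    """Parse the whitespace-separated flow format above into dicts."""
    flows = []
    for line in text.strip().splitlines():
        ts, host, dst, nbytes = line.split()
        flows.append({"time": parse_time(ts), "host": host, "dst": dst, "bytes": int(nbytes)})
    return flows


def in_ddos_window(t, windows):
    return any(parse_time(a) <= t <= parse_time(b) for a, b in windows)


def find_smokescreen_egress(flows, windows, volume_factor=10):
    """Flag egress during a DDoS window that breaks the host's own baseline.

    A flow is suspicious when it goes to a destination the host never contacted
    outside any DDoS window, or moves more than `volume_factor` times the host's
    largest baseline flow. Hosts with no baseline at all are flagged for review.
    """
    baseline_dsts = defaultdict(set)
    baseline_max = defaultdict(int)
    for f in flows:
        if not in_ddos_window(f["time"], windows):
            baseline_dsts[f["host"]].add(f["dst"])
            baseline_max[f["host"]] = max(baseline_max[f["host"]], f["bytes"])

    findings = []
    for f in flows:
        if not in_ddos_window(f["time"], windows):
            continue
        reasons = []
        if f["host"] not in baseline_dsts:
            reasons.append("no baseline for host")
        elif f["dst"] not in baseline_dsts[f["host"]]:
            reasons.append("new external destination")
        if baseline_max[f["host"]] and f["bytes"] > volume_factor * baseline_max[f["host"]]:
            reasons.append("volume %dx above baseline" % (f["bytes"] // baseline_max[f["host"]]))
        if reasons:
            findings.append({"time": f["time"].isoformat(), "host": f["host"],
                             "dst": f["dst"], "bytes": f["bytes"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_smokescreen_egress(parse_flows(EGRESS_FLOWS), DDOS_WINDOWS):
        print(hit)
```

On real data the baseline should span days rather than hours, and the new-destination test needs an allow-list for services that legitimately rotate IP addresses.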
