Monthly Archives: September 2017

Australian companies face an increasing threat from domestic DDoS instigators

Mobile botnets, targeted DDoS attacks pose growing threat to Australian targets. Australian organisations are being hit by over 450 distributed denial of service (DDoS) attacks every day and fully a quarter of them are coming from domestic sources, analysts have warned as figures show DDoS attacks making a resurgence after nearly a year of decline. New figures from the Arbor Networks ATLAS service – which collects data on DDoS attacks and malware from 400 service providers – suggested that Australian targets suffered 14,000 attacks of various intensity in August alone. The largest of the attacks, in early August, measured 51.9 Gbps in intensity while the heaviest volume of packets – 15.8 million packets per second – came in an attack later in the month. While the United States was the largest source of the attacks – comprising 30 percent of the overall total – the lion’s share of the remainder came from Chinese (24 percent), Australian (24 percent), and UK (23 percent) sources. The August figures reinforce the resurgent threat from DDoS attacks, which flood targets with data in an effort to interrupt their operation for even a short period. They also reflect the continuing flexibility of attackers that were able to build a botnet out of mobile devices to instigate a high-impact DDoS extortion campaign against numerous travel and hospitality organisations. hat botnet, called WireX, was embedded in around 300 Google Play Store applications and had spread to estimated 130,000 to 160,000 bots that produced over 20,000 HTTP/HTTPS requests per second. On August 17 WireX was taken down through a concerted effort involving Google, Akamai, Cloudflare, Flashpoint, Oracle Dyn, RiskIQ, Team Cymru, and other organisations. Instigated by devices from over 100 countries, WireX changed quickly as the attacker “learned rapidly to try different techniques to try to thwart the defenders,” Arbor Security Engineering & Response Team (ASERT) principal engineer Roland Dobbins wrote in his analysis of the attack. WireX reflects the ingenuity being applied to the creation of DDoS attacks as identified in Akamai’s recent Q2 2017 State of the Internet Security Report. Analysing attacks remediated over Akamai’s core content distribution network, that report noted a 28 percent quarter-on-quarter increase in the total number of DDoS attacks as well as increases in infrastructure layer (by 27 percent), reflection-based (21 percent), and average number of attacks (28 percent) per target. Changing geographic distribution showed that “geographic profiling is a real and potentially imminent threat to Australia,” Akamai Asia-Pacific senior security specialist Nick Rieniets said in a statement. “When there are changes like this in the threat landscape and when new threats are released, companies need to recognise, acknowledge and assess that volatility, and change their security controls accordingly, and in a timely manner.” Akamai’s DDoS analysis suggested that the PBot botnet had been tapped once again to generate the biggest DDoS attacks observed in the second quarter. PBot – which Rieniets called “proof that the minute threat actors get access to a new vulnerability they can work out how to weaponise it” – appeared to have primarily infected around 400 Web servers, boosting the volume of data produced per device compared with previous infections such as last year’s Internet of Things-focused Mirai botnet. The range and efficacy of DDoS attack tactics have highlighted the need for businesses to remain disciplined about their protections, security experts have warned. “It’s important that organizations implement best current practices (BCPs) for their network infrastructure, application/service delivery stacks, and ancillary supporting services,” Arbor’s Dobbins writes. “This will allow the organization to maintain availability and ensure continuous service delivery even in the face of attack.” With many organisations found to not have a formal DDoS defense plan in place – and many that do, never rehearsing it – Dobbins said testing needed to become a habit: “It is critical that organizations devise and rehearse their DDoS defense plans in order to ensure that they have the requisite personnel, skills, operational processes, communications plans, and support services in place to defend their Internet properties in a timely and effective manner.” Source: https://www.cso.com.au/article/627915/australian-companies-face-an-increasing-threat-from-domestic-ddos-instigators/

Read More:
Australian companies face an increasing threat from domestic DDoS instigators

How Big is Your DDoS Mitigation Gap?

The DDoS mitigation industry is scaling up capacity following a consistent increase in the number of DDoS attacks and recent indications that IoT-based DDoS attacks are expected to grow significantly. The DDoS attack vector continues to wreak havoc in 2017, with a reported 380% spike in the number of DDoS attacks identified in Q1, compared to the same period last year. A recent study shows a year on year increase of 220% in the number of different types of malware designed to hijack IoT devices. DDoS Mitigation providers are taking heed, with Arbor dedicated to quadrupling their capacity to 8Tbps by the end of 2017, and both Neustar and OVH committing to capacities of over 10Tbps. A DDoS mitigation Gap occurs whenever DDoS traffic bypasses a company’s DDoS mitigation defenses, and penetrates the target network. The reasons for such gaps vary from some types of DDoS attacks that are completely unnoticed by DDoS mitigation, to a range of configuration issues that let through traffic that should be mitigated. However the problem is that visibility of DDoS mitigation gaps is currently nonexistent to those cybersecurity practitioners who are responsible for production uptime. Companies do not know how well their mitigation is performing, or where their configuration problems are, leaving them and their vendors to troubleshoot issues at the very worst possible time, that is, when systems are down at the height of a DDoS attack. Results from over 500 DDoS tests run by MazeBolt on companies from a wide range of industries, shows that on their first test, companies failed 41% (on average) of DDoS tests – simulations of real DDoS attacks conducted in a highly controlled manner to help companies understand their mitigation gap so they can strengthen their mitigation proactively. This means that after a company has deployed their DDoS mitigation strategy, on average it will stop only six out of ten attacks. To solve this, with insight about where their DDoS mitigation posture was leaking, companies could go back to vendors to reconfigure settings and harden their DDoS mitigation posture. As depicted in the bar chart below, by repeating the testing cycle only three times, companies were able to reduce their mitigation gap from an average of 41% in the first test to an average of 25% in the second and only 15% in the third – reflecting a 65% strengthening of their DDoS mitigation. Paraphrasing Heraclitus one might say you can never test the same DDoS mitigation twice, but our data clearly shows that testing it three times will strengthen it considerably. Source: https://www.infosecurity-magazine.com/opinions/big-ddos-mitigation-gap/

Continued here:
How Big is Your DDoS Mitigation Gap?

Protecting an online presence – DOSarrest’s technology leads the way

With over a decade of experience protecting websites from malicious traffic, DOSarrest has lead the way from the start. It was one of the first to supply its client base with a real-time statistical dashboard and an intuitive configuration management console. Fast forward to today where it has just released its 5 th major software upgrade; it’s these types of leading-edge features and services and a forward-looking road map that keeps it in the top tier of cloud-based DDoS mitigation companies. Some of DOSarrest’s new enhancements, just released, include an all-new front-end which supplies customers with 15 different statistical displays that are fully interactive, allowing customers to view just the statistics they are interested in. It’s clear from the work the company has put into this system that it knows what’s required to stay on ahead of the ‘bad actors’. It has also redeveloped its back-end software using the latest tools, including a new distributed database structure, which has the advantage of allowing it to develop and deploy new features in a matter of minutes, for attacks not yet even known. DOSarrest has also fine-tuned their cloud-based Web Application Firewall (WAF), which unlike many of their competitors’ is based on a positive security model, not a negative security model. Most people and even some security techs are not aware of the difference. Have a quick read of the blog post regarding the latest Equifax breach to get a real-life explanation of what happened and how DOSarrest’s cloud-based WAF would have prevented such a devastating data breach. DOSarrest doesn’t seem to follow its competitors or hyped up media trends; this must be due to its experience over its rivals in the DDoS protection arena. It has just installed a big data analytics cluster, which feeds its customer portal with real-time interactive displays. One asks why big data for a customer portal? DOSarrest will tell you that the real reason is to leverage machine learning. Machine learning, which has been tried by many organizations but proved to be not worth the effort and eventually abandoned by most enterprises, is not the case at DOSarrest. It has leveraged its big data cluster in conjunction with machine learning to yield some impressive results. DOSarrest states that the most difficult attacks to stop are the ones you don’t really notice. By this it articulates that if a website runs 10 Mb/sec of legitimate traffic it’s very possible to throw 75 Kb/sec of sophisticated, well-placed malicious traffic at the website and cause the website to slow considerably and eventually stop responding to legitimate visitors. Its machine learning system finds this small amount of malicious traffic and blocks it. DOSarrest states it’s like being able to find a needle in a haystack. In order to prove the point regarding small sophisticated attacks being the most difficult to detect and mitigate, DOSarrest has developed a website attack/stress simulator. This is a brand-new service called the Cyber Attack Preparation Platform (CAPP) and the company is running beta tests for a select number of customers. This service allows customers to login into a platform, input their attack target website, then choose from a selection of over 30 different attacks and even combination attacks. Along with the attacks, it enables users to choose from a variety of regions where one wants the attack to originate from, some of the choices being Europe, eastern or western US, Canada or Asia, or all of them. It also allows one to choose the size of the botnet and the intensity of each bot. Given that this privately-controlled botnet is dangerous in the wrong hands, it is strictly controlled and throttled on a per-user basis. In summary DOSarrest has proven itself to be a leader in fully-managed cloud-based DDoS protection services and is constantly adding capacity, enhancements, new technology and related security services to its portfolio. Should you be thinking of security for your website operations, DOSarrest is a very experienced, capable and customer-oriented solution provider. Source: http://techwireasia.com/2017/09/protecting-online-presence-dosarrests-technology-leads-way/#5c5GIKukziDpCqd8.97

Read this article:
Protecting an online presence – DOSarrest’s technology leads the way

CHJ Tech. Teams up with DOSarrest to deliver Internet Security Solutions for the Singapore Government

SINGAPORE, Sept. 25, 2017 (GLOBE NEWSWIRE) — CHJ Technologies Singapore announced today that they have been chosen as one of the 6 approved vendors to supply cloud based DDoS protection and Web Application security services for the Singapore government over the next 3 years.  The Singapore Government expects to spend SGD $50m to keep government websites going even under an attack.  CHJ is the exclusive distributor of DOSarrest Internet security services in Singapore and is utilizing their DDoS and WAF solutions to satisfy the Singapore government’s security requirements. Linus Choo, Managing Director of CHJ Technologies states “CHJ Technologies has a substantial track record providing cyber security services in Singapore. Having first been awarded DDoS mitigation contracts with the Singapore government in 2014, we are both elated and honored to have been awarded for a second time in this latest tender.  We feel that this renewal of our services is a testament to the calibre of services our team provides and our partnership with DOSarrest. “Understanding the strategic importance of cyber security services, we align and integrate perfectly with the investments our government is making in DDoS protection and other cyber security services, this makes the continuation of our collaboration with the government all the more valued.  This is a very significant accomplishment for both CHJ Technologies and DOSarrest.” Mark Teolis, CEO of DOSarrest explains “It was a very rigorous process to meet all the requirements of the Singapore government’s security specifications, in the end we beat out many competitors 3 years ago and we did it again this year.” Teolis adds “CHJ Tech is a great match for us, their staff on the ground and customer support paired with our technology is a home run.” Choo adds “We are actively exploring other opportunities in the Asean region as a partner with DOSarrest.“ About DOSarrest Internet Security: DOSarrest, founded in 2007 in Vancouver, B.C., Canada, is one of only a couple of companies worldwide to specialize in only cloud based DDoS protection services.  Additional Web security services offered are Cloud based W eb A pplication F irewall (WAF) , V ulnerability T esting and O ptimization (VTO), DataCenter Defender – GRE as well as cloud based global load balancing and a simulated DDoS attack Platform. For more information: DOSarrest.com About CHJ Technologies: Founded in 1987 and headquartered in Singapore, we have become one of Asia’s leading and fastest-growing managed cybersecurity service providers. Our expertise and product lines enable organizations to discover, risks and mitigate them. Continually pushing boundaries, we protect our customers’ critical assets and information wherever it lives – in the cloud and on-premises. For more information: http://www.chjtech.com.sg Contact Information: Lew Yong-He +65 6896 7998 sales@chjtech.com.sg Source: https://www.dosarrest.com/news-and-events/chj-tech-teams-up-with-dosarrest-to-deliver-internet-security-solutions-for-the-singapore-government/

Continue reading here:
CHJ Tech. Teams up with DOSarrest to deliver Internet Security Solutions for the Singapore Government

Three out of four DDoS attacks target multiple vectors

Three out of every four DDoS attacks employed blended, multi-vector approaches in the second quarter of 2017, according to Nexusguard. Distribution of DDoS attack vectors The quarterly report, which measured more than 8,300 attacks, demonstrated that hackers continued to rely on volumetric attacks to overwhelm system resources. For example, UDP-based attacks increased by 15 percent this quarter, targeting hijacked devices connected to the IoT, and overtaking SYN, HTTP Flood and other popular volumetric attacks in … More ?

Read More:
Three out of four DDoS attacks target multiple vectors

How enterprises can fend off DDoS attacks

Though distributed denial of service attacks have been around more than two decades, recently we have seen a spate of DDoS attacks that have increased in complexity and variability. Both the size and frequency of DDoS attacks have gone up, and criminals use these sophisticated attacks to target sensitive data, not just to disrupt businesses. Some recent attacks have exceeded 1 Tbps while the average DDoS attack peaked at 14.1 Gbps in the first quarter of 2017, according to Verisign’s DDoS trends report. The largest volumetric and highest intensity DDoS attack observed by Verisign in Q1 2017 was a multi-vector attack that peaked over 120 Gbps and around 90 Million packets per second (Mpps). This attack sent a flood of traffic to the targeted network inexcess of 60 Gbps for more than 15 hours. In a new report, Imperva warns about a new type of ferocious DDoS attack that uses ‘pulse waves’ to hit multiple targets. “Comprising a series of short-lived bursts occurring in clockwork-like succession, pulse wave assaults accounted for some of the most ferocious DDoS attacks we mitigated in the second quarter of 2017. In the most extreme cases, they lasted for days at a time and scaled as high as 350 gigabits per second (Gbps). We believe these represent a new attack tactic, designed to double the botnet’s output and exploit soft spots in traditional mitigation solutions,“ says Robert Hamilton, director, Imperva. “DDoS attacks are rarely complex. They are the result of a volumetric based attack which results in a platform, application or service being rendered unavailable for the user. The biggest changes we have seen through evolution over the last few years are mostly within the amount of bandwidth attackers have at their disposal. This is due to the amount of more interconnected devices we now have on the Internet. We have three main types of DDoS attack, one is a volumetric, which accounts for most DDoS attacks, secondly we have application and lastly protocol level attacks,” says Warren Mercer, security researcher at Cisco Talos. Ransom is another growing trend in DDoS. “Ransom related attacks seem to be a trending issue as of late. Too many organisations are paying out these ransom requests, in an effort to remove themselves from the cross hairs of a DDoS attack – this behaviour likely causes an increase in ransom attack activity. Besides the financial loss that a company may experience by paying the ransom, companies must consider that they will still be subject to a DDoS attack even after the ransom has been paid,” says Stephanie Weagle, VP, Corero. What do you do if you are a CISO dealing with massive DDoS attack? What are your tips for CISOs dealing with massive DDoS attacks? “First thing would be to make sure the network is well prepared for such attacks. Making sure that there are protections and processes in place is critical. It’s also important to remember that the DDoS attack might not be the actual attack but just a distraction,” says Kalle Bjorn, director-systems engineering, Fortinet. Mohammed Al Moneer, regional director,  A10 Networks, says the challenge for defenders is to distinguish good and bad behaviour largely by analysing the instrumented data available from server logs and traffic behaviour reported from networking tools.  In effect, threat hunting is the act of finding a needle in a haystack of logs and flow data.  Unlike the stealth required for dropping malware or stealing data, DDoS is loud and does not hide in the shadows. Alaa Hadi, regional director, Arbor Networks, says these very large attacks must be mitigated in the cloud, as close to the source as possible. I would also caution CISOs that to have cloud protection is only a partial defence against modern DDoS attacks. They also target applications and infrastructure, like firewalls, with low and slow attacks that cannot be detected in the cloud. The place to protect against these attacks is on-premise, with a tight connection to the cloud, as a means of providing mitigation support for large attacks. Only with this multi-layer, hybrid approach is a business fully protected from DDoS attacks. Another alarming trend in DDoS has been the rise of DDoS attacks using IoT devices, as we have seen in the case of Mirai botnet, which infected tens of millions of connected devices. “IoT can have positive implications across several core industries such as manufacturing, retail, transportation, and healthcare. However, it’s important to bear in mind that a higher number of connected devices translates to more points of entry for attackers to penetrate. Criminals can leverage these end points to steal confidential information from businesses, distribute malware, or takeover the capacity and network bandwidth of connected ‘things’ to carry out massive strikes. The necessary tools and best practices to mitigate such threats are well-known and available in the application security field,” says Hadi Jaafarawi, managing director, Qualys Middle East. Bjorn from Fortinet adds compromised IoT devices are a massive potential traffic generator source for attackers. Securing the organisations own systems would prevent them from being used in attacks against others. Manufacturers should also work actively to ensure their own devices are fixed when vulnerabilities are found, unfortunately there are multiple IoT devices on the market that cannot be even upgraded, this means that the security will lie on the network where the devices connect to. Source: http://www.tahawultech.com/securityadvisorme/features/enterprises-fend-off-ddos/

View article:
How enterprises can fend off DDoS attacks

Large DDoS attacks over 50 Gbps have quadrupled between 2015 and 2017

Organizations are experiencing an increase in the magnitude of DDoS attacks, with the average size of attacks over 50 Gbps quadrupling in just two years, according to A10 Networks. Growth of DDoS attacks The study also found the gargantuan 1 Tbps attacks that started last year with the Mirai botnet have begun to leave their mark, with 42% of organizations reporting an average size of DDoS attacks greater than 50 Gbps, a significant increase from … More ?

View article:
Large DDoS attacks over 50 Gbps have quadrupled between 2015 and 2017

DDoS Extortion Group Sends Ransom Demand to Thousands of Companies

A group of DDoS extortionists using the name of Phantom Squad has sent out a massive spam wave to thousands of companies all over the globe, threating DDoS attacks on September 30, if victims do not pay a ransom demand. The emails spreading the ransom demands were first spotted by security researcher Derrick Farmer and the threats appear to have started on September 19 and continued ever since. Hackers looking for small $700 ransoms The emails contain a simple threat, telling companies to pay 0.2 Bitcoin (~$720) or prepare to have their website taken down on September 30. Sample of a Phantom Squad DDoS ransom email Usually, these email threats are sent to a small number of companies one at a time, in order for extortionists to carry out attacks if customers do not pay. This time, this group appears to have sent the emails in a shotgun approach to multiple recipients at the same time, a-la classic spam campaigns distributing other forms of malware. Because of this, several experts who reviewed the emails and ransom demands reached the conclusion that the group does not possess the firepower to launch DDoS attacks on so many targets on the same day, and is most likely using scare tactics hoping to fool victims into paying. Extortionists are not the sharpest tool in the shed The size of this email spam wave is what surprised many experts. Its impact was felt immediately on social media [1, 2, 3, 4] and on webmaster forums, where sysadmins went looking for help and opinions on how to handle the threat. Bleeping Computer reached out to several security companies to get a general idea of the size of this spam wave. “Not sure how widespread it is in terms of volume, but they are certainly spamming a lot of people,” Justin Paine, Head of Trust & Safety at Cloudflare, told Bleeping . “We’ve had 5 customers so far report these ‘Phantom Squad’ emails,” he added. “These geniuses even sent a ransom threat to the noc@ address for a major DDoS mitigation company.” Extortionists are “recycling” email text Radware engineers received similar reports, so much so that the company issued a security alert of its own. Radware security researcher Daniel Smith pointed out that the extortionists may not be the real Phantom Squad, a group of DDoS attackers that brought down various gaming networks in the winter of 2015 [1, 2]. Smith noticed that the ransom note was almost identical to the one used in June 2017 by another group of extortionists using the name Armada Collective. Those extortion attempts through the threat of DDoS attacks also proved to be empty threats, albeit some were successful. “The part that I find interesting is the low ransom request compared to the ransom request last month,” Smith told Bleeping Computer . “Last month a fake RDoS group going by the name Anonymous ransomed several banks for 100 BTC.” Experts don’t believe the group can launch DDoS attacks This shows an evolution in ransom DDoS (RDoS) attacks, with groups moving from targeting small groups of companies within an industry vertical to mass targeting in the hopes of extracting small payments from multiple victims. “This is what the modern RDoS campaign has come to,” Smith also said. “In the spring of 2016 after a lull in RDoS attacks, a group emerged calling themselves the Armada Collective, but their modus operandi had clearly changed. This group claiming to be Armada Collective was no longer targeting a small number of victims but instead were targeting dozens of victims at once without launching a sample attack.” “As a result, these attackers were able to make thousands of dollars by taking advantage of public fear and a notorious name. Several other copycat groups that emerged in 2016 and 2017 also leveraged the names of groups like, New World Hackers, Lizard Squad, LulzSec, Fancy Bear, and Anonymous.” “To launch a series of denial-of-service attacks, this group will require vast resources. Therefore, when a group sends dozens of extortion letters, they typically will not follow through with a cyber-attack,” Smith said. Smith’s opinion is also shared by Paine, who recently tweeted “ransom demands from this group = spam” and “empty threats, zero attacks from this copycat.” Victims should report extortion attempts to authorities Japan CERT has issued a security alert informing companies how to handle the fake demands by reporting the emails to authorities. Today, security researcher Brad Duncan also published an alert on the ISC SANS forums, letting other sysadmins and security researchers know not to believe the ransom threats. Source: https://www.bleepingcomputer.com/news/security/ddos-extortion-group-sends-ransom-demand-to-thousands-of-companies/

View original post here:
DDoS Extortion Group Sends Ransom Demand to Thousands of Companies

$50m deal to keep government websites going in a cyber attack

Six firms have won a multimillion- dollar bulk tender as Singapore further tightens its defence against sophisticated attacks that aim to disable government websites. The Straits Times understands that the three-year bulk contract which started yesterday is worth about $50 million – around twice the value of the last three-year contract which has lapsed. The deal comes on the heels of StarHub’s broadband outage last year linked to a cyber attack in the United States, and the theft of the personal details of 850 national servicemen and staff at the Ministry of Defence (Mindef), discovered in February. The six contractors awarded the contract by GovTech are local telcos Singtel and StarHub, Britain- based telco BT, and Singapore- based tech firms CHJ Technologies, Evvo Labs and Embrio Enterprises. The six firms are expected to keep government websites fully available to the public even when attacks are taking place. This is done by providing distributed denial of service (DDoS) mitigation services, which will now take into account the threats that took down United States Internet firm Dyn’s services in October last year. Dyn’s service outage, which took down websites such as The New York Times and Spotify, in turn disrupted Web surfing for StarHub’s broadband customers. DDoS attacks work by having thousands of infected computers accessing and overwhelming a targeted site, causing a huge spike in traffic. DDoS mitigation is a set of techniques that differentiates genuine incoming traffic from that sent by hijacked, infected browsers, so that services to genuine users will not be denied. According to tender documents seen by ST, the contractors are also expected to provide new capabilities to combat attacks stemming from software flaws on Internet-facing machines. In early February, Mindef discovered that a vulnerability in its I-net system had been exploited, resulting in the loss of NRIC numbers, telephone numbers and birth dates of 850 personnel. The I-net system provides Mindef staff and national servicemen with Internet access on thousands of dedicated terminals. Cloud security services firm Akamai Technologies’ regional director of product management Amol Mathur said that the new DDoS mitigation capabilities are necessary in an evolving threat landscape where large-scale attacks are being powered by compromised Internet devices such as Web cameras and routers. Dr Chong Yoke Sin, chief of StarHub’s enterprise business group, said it will provide the Singapore Government with its telco- centric security operations as well as the cloud-based mitigation services of its technology partner Nexusguard. Mr Jason Kong, co-founder of Toffs Technologies, the supplier of content delivery back-up services for Embrio Enterprises, said: “Organisations should have a content delivery back-up plan to ensure business is as usual should the main delivery platform suffer an outage.” Last week, the Nanyang Tech- nological University solicited a separate DDoS contract with more stringent requirements to com- bat attacks stemming from software flaws on Internet-facing machines. The university discovered in April this year that it was the victim of an apparent state-sponsored attack aimed at stealing government and research data. The National University of Singapore was similarly attacked at around the same time. Last year, an unnamed government agency also became the victim of a state-sponsored attack, the Cyber Security Agency of Sin- gapore said in a report released last Thursday. Source: http://www.straitstimes.com/tech/50m-deal-to-keep-govt-websites-going-in-a-cyber-attack

Taken from:
$50m deal to keep government websites going in a cyber attack