Kaspersky honeypots – networks of virtual copies of various internet-connected devices and applications – detected 105 million attacks on IoT devices in H1 2019.

Kaspersky honeypots – networks of virtual copies of various internet-connected devices and applications – detected 105 million attacks on IoT devices coming from 276,000 unique IP addresses in the first six months of the year. That is roughly nine times the figure for H1 2018, when around 12 million attacks were spotted originating from 69,000 IP addresses. Capitalizing on the weak security of IoT products, cybercriminals are intensifying their attempts to create and monetize IoT botnets. This and other findings are part of the ‘IoT: a malware story’ report on honeypot activity in H1 2019.

Cyberattacks on IoT devices are booming: more and more people and organizations are buying ‘smart’ (network-connected and interactive) devices such as routers or DVR security cameras, but not everybody considers them worth protecting. Cybercriminals, however, see ever more financial opportunities in exploiting such gadgets. They use networks of infected smart devices to conduct DDoS attacks or as proxies for other types of malicious activity. To learn more about how such attacks work and how to prevent them, Kaspersky experts set up honeypots – decoy devices used to attract the attention of cybercriminals and analyze their activities.

Based on analysis of the data collected from the honeypots, attacks on IoT devices are usually not sophisticated but are stealthy: users might not even notice that their devices are being exploited. The malware family behind 39% of attacks – Mirai – is capable of using exploits, meaning these botnets can enter a device through old, unpatched vulnerabilities and take control of it. Another technique is password brute-forcing, the method chosen by the second most widespread family on the list – Nyadrop. Nyadrop was seen in 38.57% of attacks and often serves as a Mirai downloader; it has been among the most active threats for a couple of years now. The third most common botnet threatening smart devices – Gafgyt, with 2.12% – also uses brute-forcing.

In addition, the researchers identified the regions that were most often the source of attacks in H1 2019: China accounted for 30% of all attacks, Brazil for 19% and Egypt for 12%. A year earlier, in H1 2018, the picture was different: Brazil led with 28%, China was second with 14% and Japan third with 11%.

“As people become more and more surrounded by smart devices, we are witnessing how IoT attacks are intensifying. Judging by the enlarged number of attacks and criminals’ persistency, we can say that IoT is a fruitful area for attackers that use even the most primitive methods, like guessing password and login combinations. This is much easier than most people think: the most common combinations by far are usually “support/support”, followed by “admin/admin”, “default/default”. It’s quite easy to change the default password, so we urge everyone to take this simple step towards securing your smart devices” – said Dan Demeter, security researcher at Kaspersky Lab.
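The brute-forcing described above shows up plainly in a honeypot's own authentication log. The following Python script is an added example (not Kaspersky's tooling and not from the report): it parses constructed telnet login attempts in an assumed `timestamp src_ip user password result` format, ranks the credential pairs attackers try, flags sources whose attempt rate within a sliding window looks like a dictionary attack, and lists which guesses actually opened the decoy. The source addresses are documentation ranges, and two of the guesses are modelled on the published Mirai credential dictionary.

```python
"""Summarise login attempts recorded by a telnet honeypot.

Added example; not Kaspersky's tooling. The log format is an assumption:
one line per attempt, 'timestamp src_ip user password result'.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample log. Source addresses are documentation ranges, not real
# attackers; root/xc3511 and root/vizxv are modelled on the published Mirai
# credential dictionary.
SAMPLE_LOG = """\
2019-06-01T10:00:01Z 198.51.100.7 support support FAIL
2019-06-01T10:00:02Z 198.51.100.7 admin admin FAIL
2019-06-01T10:00:03Z 198.51.100.7 default default FAIL
2019-06-01T10:00:04Z 198.51.100.7 root xc3511 FAIL
2019-06-01T10:00:05Z 198.51.100.7 root vizxv FAIL
2019-06-01T10:00:06Z 198.51.100.7 admin 1234 FAIL
2019-06-01T10:00:07Z 198.51.100.7 admin password SUCCESS
2019-06-01T10:05:00Z 203.0.113.9 support support FAIL
2019-06-01T10:05:30Z 203.0.113.9 admin admin FAIL
2019-06-01T11:00:00Z 192.0.2.33 pi raspberry FAIL
2019-06-01T11:00:10Z 192.0.2.33 support support FAIL
"""


def parse_log(text):
    """Parse 'timestamp src_ip user password result' lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, password, result = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "ip": ip,
            "user": user,
            "password": password,
            "ok": result == "SUCCESS",
        })
    return records


def top_credentials(records, n=3):
    """Most frequently tried user/password pairs across all sources."""
    return Counter((r["user"], r["password"]) for r in records).most_common(n)


def brute_forcers(records, max_attempts=5, window_seconds=60):
    """Return {ip: peak attempts} for sources that reach `max_attempts`
    login attempts inside any `window_seconds` sliding window. A human
    mistyping a password never gets close; a dictionary scanner does within
    seconds."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= max_attempts:
            flagged[ip] = peak
    return flagged


def successful_logins(records):
    """Credentials that actually opened the honeypot. A real device shipped
    with the same default would already belong to the attacker."""
    return [(r["ip"], r["user"], r["password"]) for r in records if r["ok"]]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("top credentials:", top_credentials(recs))
    print("brute-forcers:", brute_forcers(recs))
    print("successful logins:", successful_logins(recs))
```

The sliding window matters more than a raw count: the same 198.51.100.7 makes seven attempts in six seconds, which is the signature of a scanner walking a credential list, whereas two attempts half a minute apart from 203.0.113.9 are indistinguishable from a person.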

To keep your devices safe, Kaspersky recommends users:

Install updates for the firmware you use as soon as possible. Once a vulnerability is found, it can be fixed through patches within updates.

Always change preinstalled passwords. Use complex passwords that include capital and lower-case letters, numbers and symbols where possible.

Reboot a device as soon as you think it’s acting strangely. It might help get rid of existing malware, but this doesn’t reduce the risk of getting another infection.

Keep access to IoT devices restricted by a local VPN, allowing you to access them from your “home” network, instead of publicly exposing them on the internet.

Kaspersky recommends that companies take the following measures:

Use threat data feeds to block network connections originating from malicious network addresses detected by security researchers. 

Make sure all device software is up to date. Unpatched devices should be kept in a separate network, inaccessible to unauthorised users.
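Consuming a threat feed, as recommended above, is mostly a matter of making sure a bad feed entry cannot do more damage than the attacker would. The following Python script is an added example, not Kaspersky's code: it assumes a feed with one IP or CIDR per line and `#` comments, treats 192.0.2.0/24 as a stand-in for your own public prefix, validates and collapses the entries, refuses anything that would block private space, your own prefix or the whole internet, answers "is this source on the list?", and renders an nftables set that can be loaded with `nft -f`.

```python
"""Turn an IP threat feed into a safe nftables blocklist.

Added example, not part of the Kaspersky report. The feed format (one IP
or CIDR per line, '#' comments) and the 'own prefix' below are assumptions.
"""
import ipaddress

# Ranges a blocklist must never touch: RFC1918/loopback/link-local plus our
# own public prefix (assumption: 192.0.2.0/24 stands in for it).
PROTECTED = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
    "192.0.2.0/24",
)]
MIN_PREFIXLEN = {4: 8, 6: 32}  # anything broader than this is a typo or sabotage

# Constructed feed. Documentation ranges stand in for real indicators; the
# last four lines are the kinds of entries that must never reach a firewall.
SAMPLE_FEED = """\
# example feed, one indicator per line
198.51.100.7
198.51.100.0/24
203.0.113.9
2001:db8:bad::/48
not-an-address
10.0.0.0/8
0.0.0.0/0
192.0.2.55   # our own address, mistakenly listed
"""


def load_feed(text):
    """Parse the feed into a list of collapsed networks, dropping junk and
    any entry that overlaps a protected range or is too broad."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # junk line; log it in production
        if net.prefixlen < MIN_PREFIXLEN[net.version]:
            continue  # e.g. 0.0.0.0/0 would cut the box off the internet
        if any(p.version == net.version and net.overlaps(p) for p in PROTECTED):
            continue  # would block our own or private space
        nets.append(net)
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    # collapse_addresses merges 198.51.100.7 into 198.51.100.0/24
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def is_blocked(nets, ip):
    """True if `ip` falls inside any listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in nets)


def render_nft(nets):
    """Render the list as an nftables ruleset (load with `nft -f file`).
    The chain policy stays 'accept' so the feed can only ever drop traffic
    from listed sources, never lock the host down if the sets are empty."""
    lines = ["table inet threatfeed {"]
    for version, typ, name in ((4, "ipv4_addr", "bad4"), (6, "ipv6_addr", "bad6")):
        elems = ", ".join(str(n) for n in nets if n.version == version)
        body = f" elements = {{ {elems} }}" if elems else ""
        lines.append(f"    set {name} {{ type {typ}; flags interval;{body} }}")
    lines += [
        "    chain input {",
        "        type filter hook input priority 0; policy accept;",
        "        ip saddr @bad4 counter drop",
        "        ip6 saddr @bad6 counter drop",
        "    }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    feed = load_feed(SAMPLE_FEED)
    print(render_nft(feed))
    print("198.51.100.200 blocked:", is_blocked(feed, "198.51.100.200"))
```

The protected list is the important part: feeds do occasionally carry a /0, a private range or one of your own addresses, and a blocklist applied blindly turns the feed provider into a denial-of-service vector against you.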

Source: https://www.ameinfo.com/industry/technology/iot-more-than-100-million-attacks-on-smart-devices-h1-2019

Infosec vigilantism can cause serious harm in the era of industrial IoT and connected medical devices.

For several years now, security experts have been trying to bring attention to the growing threat that insecure Internet of Things (IoT) devices pose to networks around the world. The enormous growth in popular connected devices like webcams, DVRs, and smart watches has made it possible for hackers to amass huge botnets that can launch devastating distributed denial-of-service (DDoS) attacks.

Unfortunately, some vigilante hackers have tried to solve this problem with “bricker” malware that infects and destroys insecure IoT devices before they can become part of a botnet. This might seem like a positive on the surface, but this tactic creates serious, sometimes life-threatening risks as more IoT devices are used in industrial networks and healthcare organizations.

Let’s start at the beginning. IoT security became a top-of-mind issue in late 2016 thanks to the record-breaking DDoS attacks by the Mirai botnet and its subsequent source code release. In a perfect world, this should have been the wake-up call to improve IoT security. Unfortunately, slim profit margins and rapid development times kept IoT security considerations on the back burner and led some individuals to take matters into their own hands. The first instance of IoT vigilantism was in 2017 when a strain of malware known as BrickerBot began making its rounds.

Similar to the Mirai botnet, BrickerBot exploited flaws like insecure, hard-coded passphrases to log in to vulnerable IoT devices. But once it connected to a device, it didn’t add it to a massive botnet. Instead, it deleted files, corrupted the system storage, and disconnected the device from the Internet, effectively making it unusable. While it is possible to restore the device to factory defaults, the average IoT user likely doesn’t have the technical skills to do this. The author of BrickerBot, known by the pseudonym Janit0r, explained in an interview that his malware was intended to prevent devices from being infected by Mirai. Janit0r believed that if IoT manufacturers and owners weren’t going to take security seriously, then the devices shouldn’t exist to begin with.

In the end, BrickerBot destroyed over 10 million devices in just nine months before Janit0r retired it from service. While that may sound like a lot, it’s still less than one-tenth of 1% of the estimated 14 billion IoT devices online worldwide.

But the end of BrickerBot wasn’t the end of IoT bricking malware. In June 2019, a new variant of IoT bricking malware called Silex began infecting devices worldwide. Within a few hours, Silex had infected thousands of devices, deleting system files and firewall rules and effectively rendering them useless. With the Mirai source code public, it’s not a stretch to think there are other similar malware variants lurking undiscovered in the wild today. Thankfully, individual IoT owners can protect themselves from both botnets and brickers by changing the default passwords on their IoT devices, not exposing the telnet port (which BrickerBot uses to infect devices) to the internet, and performing basic network segmentation and monitoring.

Bricker malware is dangerous because it doesn’t discriminate between different types of IoT devices. Almost every industry is incorporating IoT technology in some way. “Smart city” technology is becoming widely adopted across the globe, with municipalities connecting everything from power grids to traffic lights to networks. Healthcare is another sector that’s quickly adopting IoT technology, with the Internet of Medical Things projected to reach $136.8 billion worldwide by 2021. While some might question the need for refrigerators to connect to the Internet, there is no arguing that the ability to quickly share data from an ECG/EKG machine could be the difference between life and death. As widespread IoT adoption continues to grow within these sectors and overall, bricking malware can have some devastating consequences.

The problem is that many of these new IoT applications exhibit the same security lapses as consumer IoT devices, but with significantly higher risks if they fail. A rash of bricked industrial IoT sensors could cause widespread power outages, and an infusion pump or medical monitor that unexpectedly shuts off could put patients’ lives at risk. The authors of BrickerBot and Silex might not have been so ready to claim their work was for the good of the Internet if they truly considered the serious collateral damage that they might cause along the way.

There are other options to improve IoT security that don’t involve such a high degree of risk. Security researchers can work on raising awareness about connected device security, participating in public education initiatives and trying to drum up consumer demand for secure devices. Just last year the state of California, the fifth-largest economy in the world by GDP compared with other sovereign nations, passed Senate Bill 327, which mandates that manufacturers of connected devices equip their products with reasonable security features by January 2020. While the bill will have little effect on the masses of inexpensive IoT devices imported from foreign countries every year, it’s a step in the right direction that can be built upon with future legislation.

There is no denying the IoT industry needs to fundamentally change its approach to security, but vigilantism is not the answer. There are less destructive ways to convince both manufacturers and consumers that developing and deploying secure devices is worth the investment.

Source: https://www.darkreading.com/iot/why-bricking-vulnerable-iot-devices-comes-with-unintended-consequences-/a/d-id/1336009

The field of hacking is a rapidly evolving one. As cybersecurity defenders develop new means of detecting and protecting against cyberattacks, hackers also work to find ways to bypass these new defenses.

One way in which the field of hacking has dramatically changed is the emergence of the hacker service economy. In the beginning, hackers operated as “lone wolves”, carrying out hacking campaigns largely independently. Over time, hacking groups have emerged, and, recently, hackers have begun offering their services to other hackers or consumers. These services can range from specialist support for a certain portion of a cybercrime (like a phishing attack) to offering complete cyberattacks as a service.

The primary effects of this service-based hacking economy are a change in the hacker demographic and the types and number of threats observed in the wild. The ability to rent the services of hackers means that far less experienced players can enter the world of cybercrime, and the number and intensity of attacks against website security has dramatically increased. As a result, organizations need to take additional steps to protect themselves against cyberattacks that are becoming increasingly common and damaging.

The Modernization of Hacking

In the beginning, hacking was primarily a hobby. Technology nerds who knew a great deal about how computers worked would try breaking into different systems just to demonstrate that they could. While their actions were technically illegal, in general, they weren’t hacking to do damage, so the impact was minimal.

Over time, hacking changed from a (mostly) harmless hobby to one where hackers would steal sensitive information and hack into systems for profit. As the Internet became a part of daily life, more and more data was being placed there by individuals and organizations. This data can be valuable to a number of different parties on the black market (for use in further crimes), so hackers who managed to steal a collection of sensitive data could sell it and get paid for their troubles.

Originally, hackers worked alone, and an effective hacker needed to know a great deal about a lot of things and acted as a jack of all trades. Over time, hacking became more team-based, where a group of hackers could each specialize in a certain component of the hack and the team split the profits. This dramatically lowered the bar for entering the field of hacking, allowing it to grow, and laid the groundwork of the hacker service economy.

The Hacker Service Economy

A crucial step in the development of the modern economy was the emergence of role specialization. While it is certainly possible for an individual or a group to remain entirely self-sufficient, it is unlikely that they will be incredibly effective at doing so. Most people can be very good at one thing or fair to middling at many different things. Role specialization allowed individuals to develop expertise in a certain area and improved the overall quality of goods and services available to everyone. Unfortunately, the development of hacking has followed the example of the legitimate economy. The emergence of hacking groups and specializations has led to the creation of a hacker service-based economy. Specialists in a certain field can sell their services to other hackers or consumers.

One example of cybercrime as a service is the concept of a Distributed Denial of Service (DDoS) attack as a service. In a DDoS attack, a large number of computers under the control of a hacker attempt to overwhelm a victim’s website, making it unavailable to legitimate traffic. With the rise of the Internet of Things (IoT), which consists of a large number of insecure Internet-connected devices, and cloud computing, which allows individuals to lease computing power, building botnets to perform DDoS attacks has become easy and affordable. A DDoS attack can be performed for as little as $7 per hour, making it possible for a hacker to sell them affordably, even with a substantial markup.

An example of a service offered by hackers for hackers is the concept of combolists as a service. Combolists are collections of breached user credentials for various online services. In a combolists as a service offering, hackers can subscribe to receive lists of breached credentials on a regular basis. These credentials can then be used in credential stuffing attacks, where hackers try breached username/password combinations on different sites in the hope that a user used the same credentials on multiple sites.
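The defender's counterpart to a combolist subscription is to run the same dump against your own user store before the attacker does. The following Python script is an added example, not from the article: it assumes accounts are keyed by e-mail and stored as salted PBKDF2-HMAC-SHA256 (the iteration count, record layout and `email:password` dump format are assumptions), parses a constructed combolist with the noise a real one carries, and returns the accounts whose current password verifies against a leaked one.

```python
"""Find accounts whose current password appears in a leaked combolist.

Added example; not from the article. Assumes accounts are keyed by e-mail
and passwords are stored as salted PBKDF2-HMAC-SHA256; the iteration count,
record layout and the 'email:password' dump format are assumptions.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption; tune to your hardware


def hash_password(password, salt=None):
    """Return (salt, derived_key) for storage."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_password(password, salt, derived_key):
    """Constant-time check of a candidate password against a stored record."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, derived_key)


# Constructed user store: e-mail -> (salt, derived key). The plain-text
# passwords exist here only to build the demo records.
USERS = {
    "alice@example.com": hash_password("correct horse battery staple"),
    "bob@example.com": hash_password("Summer2019!"),
    "carol@example.com": hash_password("hunter2"),
}

# Constructed combolist with the noise a real dump carries: mixed case,
# mixed separators, blank and malformed lines, accounts that are not ours.
SAMPLE_COMBOLIST = """\
bob@example.com:Summer2019!
Carol@Example.com;hunter2
dave@example.net:letmein
alice@example.com:wrongpassword

malformed line without separator
"""


def parse_combolist(text):
    """Yield (email, password) pairs, normalising e-mail case. Splits once on
    the first separator found (':' is by far the most common), so a password
    that itself contains ':' survives intact."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for sep in (":", ";", "|"):
            if sep in line:
                email, password = line.split(sep, 1)
                yield email.strip().lower(), password
                break


def exposed_accounts(users, combolist_text):
    """Accounts whose stored hash verifies against a leaked password. These
    are exactly the users a credential-stuffing run would log in as, so force
    a reset and step-up authentication for them. Lines for unknown accounts
    are skipped before any KDF work is spent on them."""
    hits = set()
    for email, password in parse_combolist(combolist_text):
        record = users.get(email)
        if record is not None and verify_password(password, *record):
            hits.add(email)
    return hits


if __name__ == "__main__":
    print(sorted(exposed_accounts(USERS, SAMPLE_COMBOLIST)))
```

Alice also appears in the dump, but with a password that does not match her current one, so she is reported as clean; whether to still warn such users that their address is circulating is a policy choice. For large dumps the e-mail lookup is what keeps this affordable, since each verification costs a full KDF run.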

Impacts on Website Security

Distributed Denial of Service and credential stuffing attacks have always posed a threat to website security. DDoS attacks can render a website inaccessible to legitimate users and credential stuffing attacks may allow an attacker to gain unauthorized access to a user’s account.

However, the rise of the hacker service economy has increased the threat that these attacks can pose to organizations’ websites. These services make it easier for an attacker to access the data and talent necessary to perform these attacks, lowering the bar to enter the space. Instead of these attacks primarily being focused on targets chosen by experienced hackers, anyone can buy and target an attack, making any organization vulnerable to a disgruntled employee or a dissatisfied customer.

As a result, organizations need to take action to protect their web resources from the types of attack commonly offered as a service by hackers. A DDoS protection solution and a bot detection & prevention solution capable of detecting credential stuffing attacks have become a crucial component of any organization’s cybersecurity strategy.

Source: https://smartereum.com/62423/at-your-service-inside-the-hacker-economy/

DDoS attacks are on the rise! “DDoS attacks have increased overall in the past 2 years, although the number of attacks between 2017 to 2018 and from 2018 to 2019 (to date) show some interesting trends. DDoS attacks increased 200 percent in Q1 2019 compared to the same time period in 2018. The number of DDoS attacks over 100 GB/s in volume increased 967 percent in Q1 2019,” according to Comparitech.

So, it brings us to the question: how can you defend against DDoS attacks? There are various techniques to protect your systems from DDoS attacks. But first and foremost, let’s get to know the biggest DDoS attacks of this century.

What is Distributed Denial-of-Service?

A Denial-of-Service (DoS) attack is a cyberattack that disrupts the services of a computer or other network resources connected to the Internet, making it unavailable to its intended users for a temporary or indefinite amount of time.

A DoS attack is usually achieved by flooding the targeted computer or resource with surplus requests with the goal of overloading the system and preventing some or all requests from its intended users, thus it’s called Denial of Service.

A Distributed Denial-of-Service (DDoS) attack is a form of DoS attack in which the flood of superfluous requests originates from many different sources. Because the requests come from so many sources, it is far harder to filter the malicious traffic out of all requests than it would be to block a single origin.

How do Botnets assist in DDoS Attacks?

A botnet is a group of compromised devices connected to the Internet, each running one or more bots. The devices in a botnet are compromised and controlled by an attacker to carry out their malicious plans. A botnet may be used to launch Denial-of-Service attacks, send spam, steal data, and do a lot more.

Since a botnet is a collection of devices, which may be geographically distributed as well, it helps launch Distributed Denial-of-Service attacks. The devices in the botnet flood the target computer or resource with malicious, unneeded traffic, causing the target system to crash or overload, thus denying further service.

Worst DDoS Attacks of this Century

Let’s discuss the biggest or worst DDoS attacks, understand their methods and consequences, and learn from the mistakes that led to those DDoS attacks.

GitHub [2018]

The most popular developer platform — GitHub, now acquired by Microsoft — was hit by a Distributed Denial-of-Service (DDoS) attack on 28th February 2018. Fortunately, GitHub had already signed up for a DDoS protection service, which detected and mitigated the attack within about 20 minutes.

“GitHub briefly struggled with intermittent outages as a digital system assessed the situation. Within 10 minutes it had automatically called for help from its DDoS mitigation service, Akamai Prolexic. Prolexic took over as an intermediary, routing all the traffic coming into and out of GitHub, and sent the data through its scrubbing centers to weed out and block malicious packets. After eight minutes, attackers relented and the assault dropped off,” according to WIRED.

The DDoS attack was powerful enough to disrupt GitHub. “The first portion of the attack against the developer platform peaked at 1.35Tbps, and there was a second 400Gbps spike later. This would make it the biggest DDoS attack recorded so far. Until now, the biggest clocked in at around 1.1Tbps,” reported ZDNet.

What was different in this attack? No botnet was involved, even though botnets are the usual way to launch a DDoS attack. It was executed using memcached, a popular database caching system that many operators had left reachable from the internet over UDP. The attackers sent small requests to those servers with GitHub’s address forged as the source, so the servers delivered their much larger replies to GitHub, amplifying the attack by up to 50,000x.

Dyn [2016]

The second most powerful DDoS attack was launched against Dyn — a web performance and security company — in October 2016. It was a more devastating attack than that on GitHub, disrupting various popular services such as AirBnB, GitHub, Netflix, PayPal, Reddit, and Twitter since Dyn is a DNS provider.

It was executed using Mirai — a botnet malware that targets and compromises Internet of Things (IoT) devices like cameras, printers, televisions, etc. These compromised devices were then used to launch the DDoS attack on Dyn.

Dyn recovered from the attack within a day, far longer than the roughly 20 minutes GitHub needed, which is why Dyn incurred millions of dollars in losses. “Damage from the attack is reputed to have cost $110 million and despite the attack being contained within one day, in the immediate aftermath of the attack, over 14,500 domains dropped Dyn’s services,” according to MetaCompliance.

BBC [2015]

The BBC (British Broadcasting Corporation) — the well-known media company — was attacked on 31 December 2015. Although the size of the attack and the attacker’s identity were never confirmed, it reportedly peaked at around 600 Gbps. With the attack on Dyn estimated at over 1 Tbps and the one on GitHub at 1.35 Tbps, the BBC incident ranks third on this list.

“At the time this attack took place it was the largest one recorded (if indeed it reached that scale) taking nearly two weeks to completely recover from the incident. The entire BBC domain was taken down, including their on-demand television and radio player for a total of three hours worth of attack, plus experimenting residual issues for the rest of the morning,” per Sucuri Blog.

How to Defend against DDoS Attacks?

Since you now know about the worst DDoS attacks and the damages incurred to their target services, let’s learn the techniques to defend against DDoS attacks.

Secure your Infrastructure

You must opt for a multi-level protection plan to protect your network. The plan may include intrusion prevention systems and threat management systems along with content filters, firewalls and load balancers. You must also update your systems regularly, since outdated systems are likely to carry known vulnerabilities.

Opt for Cloud/Scalable Host

You should plan for scale from the start by choosing a cloud-based, or at least scalable, hosting provider. Since the whole idea behind a DDoS attack is to flood your systems with unneeded requests until resources run out, systems built to scale are far less likely to fall over, although scaling has a cost and a volumetric attack can still saturate the link in front of them. Some cloud services can also detect and prevent unneeded traffic from reaching your app or website.

Deploy a Specialized Firewall

You should also deploy a Web Application Firewall (WAF): a specialized firewall built to analyze the incoming HTTP traffic to your app or website. It can detect and block malicious requests before they reach your systems, which protects against application-layer DDoS attacks (volumetric floods that saturate your bandwidth still need upstream or cloud-based scrubbing). It also allows you to create custom rules, so you can implement custom mitigations against bad traffic after studying the traffic patterns.
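The simplest custom rule worth having in front of an application is a per-client token bucket with a temporary ban for clients that keep hammering after being refused. The following Python script is an added example (not from the article): it implements that rule, replays a constructed request stream containing one source flooding at 100 requests per second and one browsing at one per second, and reports what each client got. The rate, burst and ban parameters are assumptions.

```python
"""Per-client token bucket with a temporary ban: the kind of custom rule a
WAF or reverse proxy applies against an application-layer flood.

Added example; not from the article. Limits and timings are assumptions.
"""
from collections import defaultdict


class Limiter:
    def __init__(self, rate=5.0, burst=10, ban_after=5, ban_seconds=60.0):
        self.rate = rate            # tokens refilled per second, per client
        self.burst = burst          # bucket size: requests allowed at once
        self.ban_after = ban_after  # consecutive rejections before a ban
        self.ban_seconds = ban_seconds
        self.buckets = {}           # client -> (tokens, last_seen)
        self.strikes = defaultdict(int)
        self.banned_until = {}

    def allow(self, client, now):
        """Return True if the request from `client` at time `now` is served."""
        if self.banned_until.get(client, 0.0) > now:
            return False
        tokens, last = self.buckets.get(client, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[client] = (tokens - 1.0, now)
            self.strikes[client] = 0
            return True
        self.buckets[client] = (tokens, now)
        self.strikes[client] += 1
        if self.strikes[client] >= self.ban_after:
            self.banned_until[client] = now + self.ban_seconds
            self.strikes[client] = 0
        return False


# Constructed request stream as (client, timestamp in seconds): one source
# hammering at 100 req/s, one browsing at 1 req/s.
SAMPLE_REQUESTS = (
    [("203.0.113.5", 0.01 * i) for i in range(40)]
    + [("198.51.100.2", float(i)) for i in range(5)]
)


def replay(requests, limiter=None):
    """Feed a request stream through the limiter in time order; return
    per-client served/rejected counts and the limiter's final state."""
    limiter = limiter if limiter is not None else Limiter()
    outcome = defaultdict(lambda: {"served": 0, "rejected": 0})
    for client, ts in sorted(requests, key=lambda r: r[1]):
        outcome[client]["served" if limiter.allow(client, ts) else "rejected"] += 1
    return dict(outcome), limiter


if __name__ == "__main__":
    counts, lim = replay(SAMPLE_REQUESTS)
    for client, c in counts.items():
        print(client, c, "(banned)" if client in lim.banned_until else "")
```

With a burst of 10 and a refill of 5 tokens per second, the flooding client gets its first 10 requests served, is refused for the next 5, and is then banned outright, while the browsing client never notices the limiter. Two caveats a WAF deployment has to live with: a key that is just the source IP punishes everyone behind a shared NAT, and a truly distributed flood spreads its requests across enough sources that no single bucket empties, which is why this rule complements upstream scrubbing rather than replacing it.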

That’s all about the worst DDoS attacks and how you can fight against future attacks on your app or website.

Source: https://thetechportal.com/what-were-the-worst-ddos-attacks-of-this-century-how-can-we-prevent-future-ones/

Up to 40,000 macOS systems expose a particular port online that can be abused for pretty big DDoS attacks.

DDoS-for-hire services, also known as DDoS booters or DDoS stressers, are abusing macOS systems to launch DDoS attacks, ZDNet has learned.

These attacks are leveraging macOS systems where the Apple Remote Desktop feature has been enabled, and the computer is accessible from the internet, without being located inside a local network, or protected by a firewall.

More specifically, the attackers are leveraging the Apple Remote Management Service (ARMS) that is a part of the Apple Remote Desktop (ARD) feature.

When users enable the Remote Desktop capability on their macOS systems, the ARMS service starts on port 3283 and listens for incoming commands meant for the remote Mac.

HUGE “AMPLIFICATION FACTOR”

But sometime this year, cyber-criminals have realized that they can abuse the ARMS service as part of a so-called “DDoS amplification attack.”

DDoS amplification attacks are one of the many forms of DDoS attack. The attacker sends small requests to an intermediary server with the source address forged to be the victim’s, so the server’s much larger replies are delivered to the victim instead of back to the attacker.

In this case, that intermediary point is a macOS system with Remote Desktop enabled.

Protocols like DNS, NTP, CharGEN, Memcached, NetBIOS, CLDAP and LDAP are often abused in DDoS amplification attacks; CoAP and WS-Discovery are just the latest to join the list. Most of these protocols run over UDP, a connectionless transport with no handshake, which is what lets the attacker forge the source address in the first place. ARMS is also UDP-based.

The danger level of any of the above protocols is what security researchers call the “amplification factor”: the ratio between the size of the reply the server sends and the size of the request that triggered it.

Most DDoS amplification attacks observed in the wild have an amplification factor of between 5 and 10. The higher the factor, the more useful the protocol is to attackers.

According to security researchers from Netscout, who saw the first ARMS-based DDoS attacks in June, ARMS commands an impressive 35.5 amplification factor.
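The amplification factor just described can be measured directly against any UDP service you operate. The following Python script is an added example, not from the ZDNet article or Netscout’s research, and it serves both the memcached passage in the GitHub section earlier on this page and the definition above: it sends the memcached `stats` request (an 8-byte UDP frame header followed by the text command, the real wire format abused in the GitHub attack) and reports bytes sent versus bytes received. The local responder is a stand-in that answers any datagram with a fixed blob so the script runs offline; it does not speak memcached, and no ARMS probe is included. Point the real probe only at hosts you are responsible for.

```python
"""Measure the amplification factor of a UDP service you operate.

Added example, not from the ZDNet article or Netscout's research. Only the
memcached probe is a real wire format; the local responder is a stand-in.
Use this only against hosts you are responsible for.
"""
import socket
import sys
import threading

# memcached UDP frame header: request id (2 bytes), sequence number (2),
# total datagrams in the message (2), reserved (2), then the text command.
MEMCACHED_STATS_PROBE = b"\x00\x00\x00\x00\x00\x01\x00\x00" + b"stats\r\n"


def measure_amplification(host, port, probe, timeout=2.0, max_datagrams=64):
    """Send one probe datagram and collect everything that comes back until
    the socket goes quiet for `timeout` seconds. Returns (bytes_sent,
    bytes_received, factor). A factor above 1 means the service can be
    aimed at a spoofed victim to multiply the attacker's bandwidth."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sent = sock.sendto(probe, (host, port))
        received = 0
        for _ in range(max_datagrams):   # large replies arrive as several datagrams
            try:
                data, _addr = sock.recvfrom(65535)
            except socket.timeout:
                break
            received += len(data)
    return sent, received, (received / sent) if sent else 0.0


def start_fake_responder(reply, host="127.0.0.1"):
    """Stand-in for an exposed service so the example runs offline: answers
    every datagram with `reply`. It does not implement memcached. Returns the
    bound port and an Event that stops the responder."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        with srv:
            while not stop.is_set():
                try:
                    _data, addr = srv.recvfrom(65535)
                except socket.timeout:
                    continue
                srv.sendto(reply, addr)

    threading.Thread(target=serve, daemon=True).start()
    return port, stop


def self_check(reply_size=1400, timeout=1.0):
    """Run the probe against the local stand-in, which answers with a
    `reply_size`-byte blob, and return what was measured."""
    reply = b"STAT pid 1\r\n" + b"x" * (reply_size - 12)   # constructed reply
    port, stop = start_fake_responder(reply)
    try:
        return measure_amplification("127.0.0.1", port, MEMCACHED_STATS_PROBE, timeout)
    finally:
        stop.set()


if __name__ == "__main__":
    if len(sys.argv) == 3:   # python3 amp.py <host> <port>, e.g. port 11211 for memcached
        print(measure_amplification(sys.argv[1], int(sys.argv[2]), MEMCACHED_STATS_PROBE))
    else:
        print(self_check())
```

Against the stand-in the 15-byte probe draws a 1400-byte reply, a factor of about 93; a real exposed memcached instance answers `stats` with several kilobytes, and the `get` of a large stored key is how the tens-of-thousands factor in the GitHub attack was reached. Anything above a handful (recall the 35.5 measured for ARMS) means the service should be bound to localhost or firewalled from the internet.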

Furthermore, while there have been other protocols with big amplification factors in the past, most of them are oddities or rarely deployed, which makes them of little use to attackers.

Most of today’s DDoS amplification attacks rely on DNS and NTP: even though their amplification factors are small, there are plenty of servers around that attackers can use to amplify their bad traffic.

UP TO 40,000 MACOS EXPOSE ARD/ARMS PORTS

However, ARMS is different, in the sense that this is the worst-case scenario, where we have a big amplification factor protocol that’s available on a large number of hosts that attackers can abuse.

A search with the BinaryEdge IoT search engine shows nearly 40,000 macOS systems where the Remote Desktop feature is enabled, and the systems reachable via the internet.


SOME ATTACKS PEAKED AT 70 GBPS

It is unclear who discovered that the ARMS service could be abused for DDoS amplification attacks, but attacks have already happened in the real world.

Netscout spotted the first one in the second week of June. The company said the attack peaked at 70 Gbps, which is a pretty large attack.

Other attacks followed, as observed by the Keio University Shonan Fujisawa Campus in Japan, and by Italian systems administrator Marco Padovan.

But while initial attacks were sparse, they’re now starting to pick up, according to a source in the DDoS community. The main reason is that some DDoS booters have added support for launching attacks via this protocol, this source told ZDNet.

This means that macOS systems across the globe are now being used as bouncing points for DDoS attacks.

THESE SYSTEMS SHOULD NOT BE REACHABLE VIA THE INTERNET

According to an analysis of the BinaryEdge search results, the vast majority of these systems are on university and enterprise networks, where system administrators use the Apple Remote Desktop feature to manage large fleets of macOS systems.

These systems should not be available online, and if they need to be, then access should be restricted using Virtual Private Networks or IP whitelists.

The Apple Remote Desktop feature is the direct equivalent of Microsoft’s Remote Desktop Protocol (RDP).

In the past, hackers have brute-forced RDP endpoints to gain access to corporate networks, from where they stole proprietary information, or have installed ransomware. Similar to how crooks target companies with RDP systems exposed online, they can do the same for Mac systems with ARD.

Admins of macOS fleets should probably secure ARD endpoints to prevent these types of attacks first, and DDoS nuisance second.

Source: https://www.zdnet.com/article/macos-systems-abused-in-ddos-attacks/