For some time threat actors who create Internet of Things-based botnets have been relying on brute force attacks to take control of and build chains of devices for delivering malware or distributed denial of service attacks.

But according to a report out today from Netscout, as more secure IoT devices are being installed hackers are also adding a new takeover strategy: Exploiting vulnerabilities in the devices.

“In November our honeypot observed several older IoT vulnerabilities being used as a means to deliver malware,” say researchers in a blog. “Our data indicates it takes less than one day before a new IoT device is hit with exploitation attempts against known vulnerabilities.”

By comparison, it can take as little as five minutes after an IoT device is connected to the Internet before it is subjected to brute force login attempts using default IoT credentials. Still, vulnerability attacks can pay off because of the difficulties and slow cadence of patching IoT devices.

One factor that helps attackers is that IoT devices often sit on a distributor’s shelf for a while before being sold and installed on a network, say researchers. If a security update is released for the device it won’t be applied until the patch team updates it — assuming it is updated.

As evidence, the blog notes that in November its honeypot detected a number of attempts to exploit older IoT vulnerabilities to deliver variants of the Mirai botnet to devices.

“As the rate of patching IoT devices is done at a glacial pace, these older vulnerabilities are still leveraged by IoT botnets due to their level of success,” say researchers. “The continued use of these tried and true vulnerabilities highlights “what is old is new” when it comes to IoT botnets.”

Due to the sheer number of IoT devices connected to the internet, finding vulnerable devices is easy and quick. Add to the mix the large delta of when a vulnerable device is “turned on” and when updates for security vulnerabilities are applied, and attackers can quickly amass large botnets. In most cases these botnets are immediately conscripted into a DDoS army. It doesn’t take a significant amount of effort to create a large IoT botnet and create havoc, as we saw with the DDoS attacks conducted by Mirai in 2016.

Source: https://www.itworldcanada.com/article/patch-new-iot-devices-fast-researchers-warn-or-theyll-be-in-a-botnet/412913

Radware’s ERT and Threat Research Center monitored an immense number of events over the last year, giving us a chance to review and analyze attack patterns to gain further insight into today’s trends and changes in the attack landscape. Here are some insights into what we have observed over the last year.

Healthcare Under Attack

Over the last decade there has been a dramatic digital transformation within healthcare; more facilities are relying on electronic forms and online processes to help improve and streamline the patient experience. As a result, the medical industry has new responsibilities and priorities to ensure client data is kept secure and available, responsibilities which unfortunately aren’t always kept up with.

This year, the healthcare industry dominated news with an ever-growing list of breaches and attacks. Aetna, CarePlus, Partners Healthcare, BJC Healthcare, St. Peter’s Surgery and Endoscopy Center, ATI Physical Therapy, Inogen, UnityPoint Health, Nuance Communication, LifeBridge Health, Aultman Health Foundation, Med Associates and more recently Nashville Metro Public Health, UMC Physicians, and LabCorp Diagnostics have all disclosed or settled major breaches.

Generally speaking, the risk of falling prey to data breaches is high, due to password sharing, outdated and unpatched software, or exposed and vulnerable servers. When you look at medical facilities in particular, other risks begin to appear, like those surrounding the number of hospital employees who have full or partial access to your health records during your stay there. The possibilities for a malicious insider or abuse of access are also very high, as is the risk of third party breaches. For example, it was recently disclosed that NHS patient records may have been exposed when passwords were stolen from Embrace Learning, a training business used by healthcare workers to learn about data protection.

Profiting From Medical Data

These recent cyber-attacks targeting the healthcare industry underscore the growing threat to hospitals, medical institutions and insurance companies around the world. So, what’s driving the trend? Profit. Personal data, specifically healthcare records, are in demand and quite valuable on today’s black market, often fetching more money per record than your financial records, and are a crucial part of today’s Fullz packages sold by cyber criminals.

Not only are criminals exfiltrating patient data and selling it for a profit, but others have opted to encrypt medical records with ransomware or hold the data hostage until their extortion demand is met. Often hospitals are quick to pay an extortionist because backups are non-existent, or it may take too long to restore services. Because of this, cyber-criminals have a focus on this industry.

Most of the attacks targeting the medical industry are ransomware attacks, often delivered via phishing campaigns. There have also been cases where ransomware and malware have been delivered via drive-by downloads and compromised third party vendors. We have also seen criminals use SQL injections to steal data from medical applications as well as flooding those networks with DDoS attacks. More recently, we have seen large scale scanning and exploitation of internet connected devices for the purpose of crypto mining, some of which have been located inside medical networks. In addition to causing outages and encrypting data, these attacks have resulted in canceling elective cases, diverting incoming patients and rescheduling surgeries.

For-profit hackers will target and launch a number of different attacks against medical networks designed to obtain and steal your personal information from vulnerable or exposed databases. They are looking for a complete or partial set of information such as name, date of birth, Social Security numbers, diagnosis or treatment information, Medicare or Medicaid identification number, medical record number, billing/claims information, health insurance information, disability code, birth or marriage certificate information, Employer Identification Number, driver’s license numbers, passport information, banking or financial account numbers, and usernames and passwords so they can resell that information for a profit.

Sometimes the data obtained by the criminal is incomplete, but that data can be leveraged as a stepping stone to gather additional information. Criminals can use partial information to create a spear-phishing kit designed to gain your trust by citing a piece of personal information as bait. And they’ll move very quickly once they gain access to PHI or payment information. Criminals will normally sell the information obtained, even if incomplete, in bulk or in packages on private forums to other criminals who have the ability to complete the Fullz package or quickly cash the accounts out. Stolen data will also find its way to public auctions and marketplaces on the dark net, where sellers try to get the highest price possible for data or gain attention and notoriety for the hack.

Don’t let healthcare data slip through the cracks; be prepared.

Source: https://securityboulevard.com/2018/12/2018-in-review-healthcare-under-attack/

FragmentSmack, a DDoS vulnerability first discovered in Linux, affects Windows as well as nearly 90 Cisco products. Discover how it can be exploited with Judith Myerson.

A distributed denial-of-service vulnerability called FragmentSmack enables an unauthenticated remote attacker to disable servers with a stream of fragmented IP packets that activate the vulnerability on affected systems. First discovered in Linux, and now also found in Windows, FragmentSmack affects many products, including nearly 90 from Cisco. How can this vulnerability be exploited, and how big is the threat?

FragmentSmack is a vulnerability in the IP stack that can be used to execute a distributed denial-of-service attack. The vulnerability affects Linux kernel version 3.9 or later, and it was discovered in some Cisco products by the Vulnerability Coordination team of the National Cyber Security Centre of Finland and the CERT Coordination Center. The flaw is caused by inefficient algorithms used in IP implementations to reassemble fragmented IPv4 and IPv6 packets.

An attacker using the FragmentSmack vulnerability could exploit it remotely by continuously sending crafted packets — that appear to be fragments of larger packets that need to be reassembled — to cause the system to become unresponsive, as 100% of the CPU cores will be in use.

In one scenario, an attacker could send a stream of 8-byte sized IP fragments, each starting with randomly chosen offset values, to a server. The queue of malformed IP fragments waiting for reassembly — which will never happen because the fragments are not part of any legitimate packets — increases in size until all the CPU core resources are consumed, leaving no room for other tasks the system needs to perform.

The attacker doesn’t specify what core the malformed packets are sent to and the Linux kernel automatically distributes the reassembly to different cores. While such an attack could take a server down, once the flow of malicious fragments stops, the targeted server can resume its normal function.
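The cost asymmetry described above (a small, constant amount of attacker effort per fragment against reassembly work that grows with the size of the pending queue) can be made concrete with a simulation. The following is an added example written for this page; it is not code from the article, from Linux, or from any vendor. It models one reassembly queue receiving 8-byte fragments with random offsets that never complete a datagram, and compares a linked-list-style queue with linear-time insertion and no cap against a queue with logarithmic insertion and a hard per-queue memory ceiling. The classes, the `mem_limit` value, and the fragment stream are constructed for illustration and are not kernel data structures or parameters.

```python
"""Why unbounded, linear-time fragment reassembly queues are a DoS risk.

Constructed simulation (not from the article or any kernel): it counts the
comparisons a host performs while inserting out-of-order fragments for one
datagram into a sorted queue, for two designs:

  * LinearQueue  - sorted linked-list style queue, O(n) insertion, no cap
                   (the "inefficient algorithm" the text refers to).
  * BoundedQueue - O(log n) sorted insertion (bisect stands in for a balanced
                   tree) plus a per-queue memory ceiling; when the ceiling is
                   hit the whole queue is discarded and further fragments for
                   it are ignored.

FRAG_PAYLOAD and mem_limit are assumptions chosen for the demonstration.
"""
import bisect
import random
from dataclasses import dataclass

FRAG_PAYLOAD = 8          # 8-byte fragments, as in the scenario in the text
MAX_OFFSET_UNITS = 8191   # IPv4 fragment offset is a 13-bit count of 8-byte units


@dataclass(frozen=True)
class Fragment:
    offset: int   # in 8-byte units
    length: int   # payload bytes


class LinearQueue:
    """Sorted list with linear-scan insertion; `work` counts comparisons."""

    def __init__(self) -> None:
        self.frags: list[Fragment] = []
        self.work = 0

    def insert(self, frag: Fragment) -> bool:
        i = 0
        # Walk the queue to find the insertion point: cost grows with queue size,
        # so a stream of n fragments costs O(n^2) in total.
        while i < len(self.frags) and self.frags[i].offset < frag.offset:
            self.work += 1
            i += 1
        self.frags.insert(i, frag)
        return True


class BoundedQueue:
    """O(log n) insertion and a memory ceiling; the queue is dropped when exceeded."""

    def __init__(self, mem_limit: int) -> None:
        self.offsets: list[int] = []
        self.work = 0
        self.mem = 0
        self.mem_limit = mem_limit
        self.dropped = False

    def insert(self, frag: Fragment) -> bool:
        if self.dropped:
            return False                     # queue already discarded
        if self.mem + frag.length > self.mem_limit:
            self.offsets.clear()             # free everything held for this datagram
            self.mem = 0
            self.dropped = True
            return False
        self.mem += frag.length
        # Binary-search cost: roughly log2(n) comparisons per insert.
        self.work += max(1, len(self.offsets).bit_length())
        bisect.insort(self.offsets, frag.offset)
        return True


def random_fragments(count: int, seed: int) -> list[Fragment]:
    """Constructed input: fragments at random offsets that never form a whole datagram."""
    rng = random.Random(seed)
    return [Fragment(rng.randrange(MAX_OFFSET_UNITS), FRAG_PAYLOAD) for _ in range(count)]


def compare(count: int = 2000, mem_limit: int = 4096, seed: int = 1) -> dict:
    """Feed the same fragment stream to both queue designs and report the cost."""
    linear, bounded = LinearQueue(), BoundedQueue(mem_limit)
    for frag in random_fragments(count, seed):
        linear.insert(frag)
        bounded.insert(frag)
    return {
        "linear_work": linear.work,            # grows quadratically with count
        "linear_queued": len(linear.frags),    # every fragment is still held
        "bounded_work": bounded.work,          # stops growing once the cap is hit
        "bounded_dropped": bounded.dropped,
        "bounded_held_bytes": bounded.mem,     # memory released after the drop
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

With the defaults, the linear queue performs on the order of a million comparisons and still holds all 2,000 fragments, while the bounded queue does a few thousand comparisons, discards the queue after 512 fragments, and holds nothing. The practical check on a Linux host is the reassembly memory ceiling exposed through the `net.ipv4.ipfrag_high_thresh` and `net.ipv4.ipfrag_low_thresh` sysctls: the lower those ceilings, and the cheaper each insertion, the less a stream of never-completing fragments can cost the receiver.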

Cisco’s vulnerable listed products include network and content security devices, voice and unified communications devices, and telepresence and transcoding devices.

Likewise, this threat has extended to Microsoft and Red Hat. The affected Microsoft Windows systems include versions 7, 8.1 and 10, as well as all the Windows Server versions. Windows 10 — 64 bit — in particular, features an option for Windows Subsystem for Linux that is vulnerable. Turning off this option doesn’t prevent the attacker from exploiting the vulnerability, however.

Vulnerable Red Hat products include Virtualization 4, Enterprise MRG, Enterprise Linux Atomic Host and Enterprise Linux versions 6, 7, Real Time 7, 7 for ARM64 and 7 for Power.

Source: https://searchsecurity.techtarget.com/answer/FragmentSmack-How-is-this-denial-of-service-exploited

The website of the people’s militia department of the self-proclaimed Donetsk people’s republic was subjected to DDoS attacks, said the head of the people’s militia press service, Daniel Bezsonov.

According to him, this happened after the agency announced that Kiev was preparing a large-scale offensive in the Donbass.

“It has been established that the attack was carried out from Ukrainian and Baltic IP addresses,” the Donetsk News Agency quoted Bezsonov as saying.

In October 2016, the DPR announced that hackers from Ukraine had hacked and blocked the database of the self-proclaimed Donetsk People’s Republic pension fund, as a result of which payments to DPR residents were suspended.

Source: http://www.tellerreport.com/news/–in-the-dni-reported-on-ddos-attack-on-the-site-of-the-national-police-.BkyHtk6JE.html

A British teenager involved in making false bomb threats and launching distributed denial-of-service (DDoS) attacks has been sentenced to three years in prison.

The bomb hoaxes of George Duke-Cohan, aged 19, targeted thousands of schools and other organizations in the United States and the United Kingdom, in hundreds of cases resulting in evacuations. He also made a prank call claiming that a United Airlines flight traveling from the UK to San Francisco had been hijacked.

The prank call targeting San Francisco airport was made while Duke-Cohan was on bail following his arrest – during that time he was not allowed to use electronic devices.

He has now been sentenced to one year in prison for the bomb hoaxes targeting schools, and two years for the airport incident.

While the charges brought against Duke-Cohan in the U.K. focused on the pranks, the teen was said to be the leader of Apophis Squad, a group that not only made bomb threats, but also launched DDoS attacks and offered DDoS-for-hire services.

The DDoS attack targets included security blogger Brian Krebs, the DEF CON security conference, government organizations in several countries, and the encrypted email provider Protonmail, which helped authorities identify Duke-Cohan and other members of his group.

Duke-Cohan is said to face additional charges in the United States, but an indictment has yet to be announced.

Before sentencing, the judge noted that Duke-Cohan’s early guilty pleas, his age, no prior criminal record and, to a limited extent, his “functioning deficiencies which have contributed to a diagnosis of autism,” were taken into consideration. However, these mitigating factors only helped his case to a certain degree.

“You knew exactly what you were doing and why you were doing it, and you knew full well the havoc that would follow,” Judge Richard Foster said, quoted by the Daily Mail. “What you did was far removed from anything that could be described as naivety or a cry for help from a sick person.”

Source: https://www.securityweek.com/uk-teen-responsible-bomb-threats-ddos-attacks-sentenced-prison