Cybercrime Archive

US warns that cyberattacks could be part of Iran’s plans as tensions rise. This is what Iran’s current offensive cyber capabilities look like.

Tensions between the United States and Iran are raised after the killing of Iranian IRGC-Quds Force commander Qassem Soleimani via a US drone strike while he was in Iraq. Iranian leaders have vowed to retaliate against the US, with the US Department of Homeland Security warning that previous Iranian plans have included “cyber-enabled” attacks against a range of US targets.

So, if Iran decided to use cyber means to respond, what would that potentially look like?

Iran has long been seen as one of the four countries that pose the greatest online threats to the US, along with China, Russia and North Korea, and there has been a long history of Iranian cyber intrusions against the US.

In March 2018, the US Department of Justice charged nine Iranians over a giant cyber-theft campaign, stealing more than 31 terabytes of documents and data from more than 140 American universities and 30 American companies.

In March 2016, the US charged seven Iranians over a coordinated campaign of DDoS attacks against 46 companies, mostly in the US financial sector, from late 2011 through mid-2013. At the same time one man was also charged with gaining unauthorised access to the control systems of the Bowman Dam in Rye, NY.

The February 2014 hacking of the Sands Las Vegas Corporation in Las Vegas, which saw customer data stolen and — according to reports — some computers wiped, was also blamed on Iran.

It’s also worth noting that the US has also used cyberattacks against Iran — most notably the Stuxnet virus, which was designed to damage equipment used in Iran’s nuclear programme, back in 2007. More recently, in June last year, the US attacked the computer systems used by Iran to control missile launches, after Iran shot down a US surveillance drone.

Iran’s capabilities have generally been considered to be more limited than those of Russia and China, but may have expanded recently.

In their most recent global threat assessment — from January last year — US intelligence agencies said that Iran was attempting to build cyber capabilities that would enable attacks against critical infrastructure in the US and elsewhere.

“Iran has been preparing for cyberattacks against the United States and our allies”, said the report, which warned that Iran was capable of causing “localized, temporary disruptive effects.” Those effects could include disrupting a large company’s corporate networks for days to weeks, as in the data-wiping attacks Iran has been accused of conducting against targets in Saudi Arabia.

But that reflects that Iran’s capabilities are limited in contrast to Russia and China, which both have the capacity to disrupt critical infrastructure like gas pipelines or power grids. However, it could be that in the last year Iran has developed its capabilities.

Last week’s warning from the US Department of Homeland Security noted that “Iran maintains a robust cyber program and can execute cyberattacks against the United States,” adding that Iran is capable, at a minimum, “of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.”

A credible offensive actor

The US Cybersecurity and Infrastructure Security Agency (CISA) has also warned that Iran has continuously improved its offensive cyber capabilities, going beyond DDoS and website defacement, and that its hackers have demonstrated a willingness to push further, including “destructive wiper malware and, potentially, cyber-enabled kinetic attacks”.

“Iran is a credible offensive actor in cyberspace having moved in recent years to boost their military capability in this area — in the past, they relied on third-party groups and supportive hackers to carry out attacks,” said Duncan Hodges, senior lecturer in Cyberspace Operations at Cranfield University.

Iran’s cyber capabilities can be broken down into three main areas: espionage, destructive attacks and social media manipulation. (Security companies track different Iranian groups under the advanced persistent threat (APT) model as APT33, APT34, APT35 and APT39, although there could be as many as 10 different Iranian groups in operation.)

It has consistently targeted government officials, government organisations, and companies to gain intelligence either for industrial espionage or to improve its positioning for future attacks.

For example, in October, Microsoft warned that its security team had seen Iranian hackers attack 241 email accounts, including those associated with a US presidential campaign, current and former US government officials, journalists covering global politics, and prominent Iranians living outside Iran. Four accounts were compromised as a result. Iranian hackers have also been accused of trying to steal data from US military veterans and attempting to steal academic research.

Iran launches multiple espionage campaigns every month, said Sherrod DeGrippo, senior director of threat research and detection at security company Proofpoint. But mostly these have involved reconnaissance, stealing data and login details, rather than doing damage.

Their objective – at least in the past – has been to get a foothold inside the organisation, extract the data and keep that foothold for later use, DeGrippo said.

“They are relatively sophisticated but I haven’t seen the deep destructive catastrophic events from those groups,” she said. “They’ve had a lot of access, they’ve done a lot of campaigns, but they’ve been quiet. And so, what’s going to happen now?”

Iran has also used social media campaigns focused on audiences in the US and elsewhere to advance its interests. In October last year, Facebook said it had removed three networks of fake accounts linked to Iran (and one linked to Russia) that had, among other things, pushed content from phoney news organisations.

But it’s the use of malware that can wipe PCs and hard drives by Iran’s hackers that creates the most serious risk of a destructive attack.

The 2012 attack against the Saudi Aramco oil company using the Shamoon malware is probably the most high-profile cyberattack blamed on Iran and saw at least 30,000 PCs wiped.

Since then, according to tech security companies, updated versions of this wiper malware have been used by Iran-backed hackers (or groups masquerading as Iran-backed hackers) to attack targets in Saudi Arabia and the Middle East.

Last month IBM warned of a new form of wiper malware it called ZeroCleare, which aims to overwrite the Master Boot Record and disk partitions on Windows-based machines. IBM said the malware had been used against the industrial and energy sectors and said that Iran-backed hackers were likely responsible.

“Iran’s history of cyberattacks has been more destructive rather than manipulative. They have looked to destroy and degrade infrastructure and hardware,” said Hodges.

Cyber-espionage alert

All of these different ingredients — digital spying, phishing, social media campaigns and destructive malware — are all potential risks if Iran does decide to use cyber warfare as part of its response.

John Hultquist, director of intelligence analysis at tech security company FireEye, said that a likely first consequence of the current crisis would be an uptick in cyber espionage by Iran.

“They want to know what the US is thinking and how the military is preparing and what our allies are doing. They are going to try to break into the computers belonging to the people who have that information,” he told ZDNet.

While Tehran-backed hacking groups have carried out some attacks against the US previously, like the DDoS attacks against financial institutions, this had declined after the Obama-era nuclear deal, after which Iranian hackers turned their attention to targets in the Gulf region, Hultquist said. But the latest incident could cause them to swing their focus back again.

“They have improved since we last saw them in the US,” Hultquist said. “They are very focused on the destructive wiper capability. We’ve seen a lot of incidents of this wiping capability used primarily against critical infrastructure companies.”

Wiper malware is a bit like ransomware in that it goes after the data on the hard disk — but, unlike ransomware, there’s little hope of getting the information back again.

“You can still cause a lot of damage with just wipers and they’ve focused on that and they’ve got really good at it. The real question now is whether or not they are going to turn that against the US or our allies as a result of this operation,” he said.

But it may be that even if Iran-backed hackers do plan destructive attacks, they will focus on US allies in the Gulf region rather than the US itself.

“Although we assess that Iranian actors will continue to target domestic US government, military, and commercial entities for cyberespionage purposes, organizations in the Persian Gulf region are at the greatest risk for destructive cyberattacks,” said cyber security company Recorded Future.

If Iran does decide to step up its cyber campaigns against the US and its allies, the first indication could be a new wave of phishing emails and probing of critical infrastructure companies or other targets.

“That will be our first clue that the status quo has changed,” said Hultquist.

Another thing to watch for, said DeGrippo, is that one of the Iranian groups, known as APT33, has spent years developing sophisticated payloads with PowerShell implants and exploits, which could potentially allow them to meddle with critical infrastructure like financial systems or industrial control systems.

“Those are the kinds of things we’re looking for: are they going to start using these sophisticated PowerShell implant capabilities to get into places that have kinetic capabilities or that have physical real-world impacts,” she said.

If Iran does choose cyber means to launch its response, it could mean the start of a new and darker chapter of the evolution of cyber warfare, according to Hodges.

“Offensive cyber activity has been used in the past to de-escalate tensions and avoid physical military engagement, such as in the US/Iran conflict in the Gulf of Oman last year. With the present conflict we could, for the first time, see cyberattacks used to escalate conflict.”

CISA has a set of recommended actions for organisations to take in the face of potential threats:

  • Disable all unnecessary ports and protocols. Review network security device logs and determine whether to shut off unnecessary ports and protocols. Monitor common ports and protocols for command and control activity.
  • Enhance monitoring of network and email traffic, monitor for new phishing themes.
  • Patch externally facing equipment, with a focus on patching critical and high vulnerabilities that allow for remote code execution or denial of service.
  • Limit the usage of PowerShell to only users and accounts that need it, enable code signing of PowerShell scripts, and enable logging of all PowerShell commands.
  • Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organisational network.
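Two of the CISA actions above (reviewing network device logs for ports and protocols that should be shut off, and monitoring common ports for command-and-control activity) can be started with a short log review. The following is an added example written for this archive, not code from CISA or from the article; the firewall log lines, the egress allowlist and the thresholds are all constructed for illustration. It flags allowed outbound connections on ports outside the allowlist, and flags flows whose connection timing is suspiciously regular, which is one common sign of a malware implant checking in with its controller.

```python
"""Added example: reviewing egress firewall logs for (a) allowed traffic on
ports outside an allowlist and (b) regular "beaconing" to one destination.
All log lines, addresses and thresholds below are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed egress firewall log: timestamp, src, dst, proto, dport, action.
SAMPLE_LOG = """\
2020-01-06T09:00:00 10.0.5.21 203.0.113.10 tcp 443 allow
2020-01-06T09:00:37 10.0.5.21 203.0.113.10 tcp 443 allow
2020-01-06T09:03:12 10.0.5.21 203.0.113.10 tcp 443 allow
2020-01-06T09:09:55 10.0.5.21 203.0.113.10 tcp 443 allow
2020-01-06T09:00:05 10.0.5.21 198.51.100.7 tcp 8443 allow
2020-01-06T09:01:05 10.0.5.21 198.51.100.7 tcp 8443 allow
2020-01-06T09:02:06 10.0.5.21 198.51.100.7 tcp 8443 allow
2020-01-06T09:03:05 10.0.5.21 198.51.100.7 tcp 8443 allow
2020-01-06T09:04:05 10.0.5.21 198.51.100.7 tcp 8443 allow
2020-01-06T09:02:30 10.0.5.33 192.0.2.44 tcp 6667 allow
2020-01-06T09:02:31 10.0.5.33 10.0.0.2 udp 53 allow
"""

# Constructed egress allowlist of (protocol, destination port) pairs the
# organisation actually needs; everything else is "unnecessary" in CISA's terms.
ALLOWED_EGRESS = {("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 25)}


def parse_log(text):
    """Turn the space-separated log lines into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                       "proto": proto, "dport": int(dport), "action": action})
    return events


def unexpected_ports(events, allowed=ALLOWED_EGRESS):
    """(src, dst, proto, dport) tuples that were allowed out on a port not on the allowlist."""
    return sorted({(e["src"], e["dst"], e["proto"], e["dport"]) for e in events
                   if e["action"] == "allow" and (e["proto"], e["dport"]) not in allowed})


def beacon_candidates(events, min_events=4, max_cv=0.1):
    """Flag (src, dst, dport) flows whose inter-connection gaps are nearly constant.

    The coefficient of variation (stdev / mean) of the gaps is close to 0 for a
    timer-driven check-in and large for human-driven browsing.
    """
    flows = defaultdict(list)
    for e in events:
        flows[(e["src"], e["dst"], e["dport"])].append(e["ts"])
    hits = []
    for key, times in flows.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            hits.append((key, round(mean(gaps), 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("not on allowlist:", unexpected_ports(evts))
    print("regular beacons :", beacon_candidates(evts))
```

In the constructed log, the host 10.0.5.21 talks to 198.51.100.7 on port 8443 almost exactly every 60 seconds, so that flow is reported by both checks, whereas its irregular browsing to 203.0.113.10:443 is not. Real implants often add jitter to their check-in interval, so a production rule would use a looser `max_cv` and longer observation windows, and would be one input among several rather than a verdict on its own.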

Source: https://www.zdnet.com/article/hard-disk-wiping-malware-phishing-and-espionage-how-irans-cyber-capabilities-stack-up/

If security incidents in the past few years are any indication, cybersecurity professionals face a bumpy road ahead. While some IT security chiefs are prepared to hang up their boots, many are almost certain their organization is under attack from hackers but they haven’t yet learned of it.

A Bitdefender survey of more than 6,000 infosec professionals in large organizations across the US, EMEA and APAC reveals a continued lack of budget, talent and training, leaving significant room for improvement in 2020.

57% of those surveyed said their organization experienced a breach in the past three years, while 24% had suffered a breach in the first half of 2019. Some 36% of infosec pros who haven’t suffered a cyber-attack in the past few years believe they likely are currently facing one but don’t know about it.

Our research shows no organization is impervious to a data breach, but an understanding of how cybersecurity professionals view risk reveals some clear weak spots — both on the organizational and individual levels.

Asked to name the biggest cyber threat to their organization, 36% answered “phishing/whaling.” In fact, chief information security officers consider today’s landscape a minefield riddled with cyber threats. 29% also cite Trojans as their main concern, while 28% name ransomware. Compliance risks and unpatched software are equally concerning aspects cited by CISOs in the polled geographies. 24% also named DDoS attacks as high risk for their organization.

Ransomware and DDoS attacks are notoriously dangerous for business in today’s digital economy – both threats are immensely disruptive to operations, preventing mission-critical applications from working properly and blocking revenue streams for weeks, even months.

Asked, “What would be the main consequences for your company of being unaware of a currently ongoing breach?” 43% cited business interruptions, followed by reputational costs (38%), loss of revenue (37%), loss of intellectual property (31%), legal fines and penalties (27%), and job loss for responsible IT and C-level execs (23%).

Our research also shows the number of companies falling victim to data breaches has actually decreased over the past three years. However, it’s also true that bad actors are getting better at remaining undetected. It stands to reason that IT departments are also finding it more difficult to tell when data is stolen. And there has been no shortage of security advisories in 2019 reflecting this reality, especially in the healthcare sector.

Source: https://securityboulevard.com/2020/01/a-third-of-infosec-pros-believe-theyre-under-cyber-attack-but-dont-know-yet/

DNS amplification attacks continue to dominate distributed denial-of-service (DDoS) attacks, while mobile devices make up a larger share of traffic.

The number of distributed denial-of-service (DDoS) attacks rose 86% in the third quarter compared to a year ago, with amplification attacks using the domain name system (DNS) remaining the most popular technique for attacking targets.

DNS amplification attacks accounted for 45% of the attacks, while HTTP floods and TCP SYN attacks accounted for 14% and 7.7%, respectively, according to new data published by network security firm Nexusguard.

Mobile devices continued to be a significant source of attack traffic, with 41% of attacks coming from mobile gateways and three-quarters of that traffic coming from Apple iOS devices, according to the Nexusguard report. Internet of things (IoT) devices also continue to be compromised and used by attackers, says Tony Miu, Nexusguard’s research manager.

Mobile devices and Internet-of-things (IoT) devices “are particularly vulnerable — in part due to their always-on nature, in part due to insufficient security configurability,” he says, warning that “the amplification of speed, higher bandwidth, and reduced latency offered by 5G will also create a perfect environment for massive DDoS attacks that leverage enormous botnets comprised of PCs, smartphones, and IoT (devices).”

There were no major shifts in the denial-of-service landscape overall: Attacks tend to peak in the first quarter, decreasing every quarter after that, until attacks end the year on a slightly higher note. That trajectory happened in 2018, and appears to be happening this year. The vast majority — 86% — of attacks lasted less than 90 minutes, and 90% of attacks involved less than 1 Gbps of data.

DNS DDoS via Apple iOS

Mobile devices became a significant vector earlier this year. In the first quarter, more than 60% of application attacks — one of three broad classes of denial-of-service attacks — could be traced back to mobile gateways and either came from a mobile device or a computer connected to a mobile device. The latest quarter underscores that mobile devices have become increasingly used in volumetric and amplification attacks — Nexusguard’s other two broad categories — with mobile devices contributing to those attacks as well.

While Apple devices typically do well security-wise compared to Android, Nexusguard found that 31% of all DNS attacks came from Apple devices, versus 10% from Android devices.

“While Apple has done a great job in managing, checking, and maintaining the security of apps available for download at the App Store, we believe there are a considerable number of iOS devices that were jailbroken, running unauthorized (and) malicious apps that have not been vetted by the App Store,” says Nexusguard’s Miu.

Overall, the company saw a steep rise in DNS amplification attacks. While amplification attacks more than doubled since the same quarter in 2018, DNS amplification attacks — which use the relatively large size of DNS responses to inundate a target — jumped by a factor of 48 in popularity.

The technique gives the attacker a lot of bandwidth for only a little effort, the company stated in its report.

“The target thus receives an enormous amount of responses from the surrounding network infrastructure, resulting in a DDoS attack,” the report said. “Because such a sizable response can be created by a very small request, the attacker can leverage this tactic to amplify attacks with a maximum amplification factor of 54.”

The adoption of DNS security, or DNSSEC, has contributed to that rise, according to Miu. “While it’s true that DNSSEC fixes one problem, it creates another,” he says. “The problem with DNSSEC lies in the exceptionally long responses DNSSEC-enabled servers generate.”

Along with DNS amplification attacks, single-vector attacks have quickly dominated again. Two-thirds of attacks used only a single technique to flood a target. Another 17% used two vectors, either simultaneously or soon after one another, to confuse defenders. The remaining 17% used three or more vectors.

Much of the rise in single vector attacks is because of attackers’ focus on DNS amplification, Miu says.

China, Turkey, the US, and South Korea topped the list of nations from which attacks emanated, accounting for 63% of attacks tracked by Nexusguard in the third quarter. Three networks, one in Turkey, another in China and the last in Korea, accounted for almost 40% of attacks.

Source: https://www.darkreading.com/attacks-breaches/mobile-devices-account-for-41–of-ddos-attack-traffic/d/d-id/1336635

DDoS – or distributed denial-of-service attacks – first came to prominence in the late 1990s. Even now, they are one of the biggest threats to any organization doing business on the internet.

What is DDoS?

Distributed denial-of-service (DDoS) attacks are a way of attacking online infrastructure, including websites and online applications, by overwhelming the host servers.

This prevents legitimate users from accessing the services.

The term ‘distributed’ refers to the way these attacks invariably come from a large number of compromised computers or devices.

“They can be a relatively simple type of attack to trigger and for sites without enough protection very effective”, says Gemma Allen, senior cloud security architect at Barracuda Networks.

The aim is to interrupt normal operation of the application or site, so it appears offline to any visitors.

“A DDoS puts so much traffic in the queue that your browser thinks the site is offline, and gives up,” says Brian Honan, Dublin-based security expert at BH Consulting. “The legitimate traffic can’t get through.”

What are the aims of a DDoS attack?

The purpose might be blackmail, to disrupt a rival business, a protest (DDoS attacks are frequently associated with hacktivist groups) or as part of a nation-state backed campaign for political, or even quasi-military aims.

The 2007 attack on Estonia was a DDoS attack.

Security researchers also point to DDoS attacks being used as a diversion, allowing hackers to launch other exploits against their targets, for example to steal data. This is what is believed to have happened during the attack on TalkTalk in 2015.

And, as Tim Bandos, vice president of cybersecurity at Digital Guardian, warns, DDoS attacks are not limited to online applications or websites. Any internet-connected device is at risk.

That broadens the attack surface to critical national infrastructure, including power and transportation, and the internet of things (IoT) devices.

How does a DDoS attack work?

“In their simplest form, DDoS attacks work by flooding a service with more of something than it can handle,” says Barracuda’s Allen.

“Of course, in reality, it’s not this simple, and DDoS attacks have been created in many forms to take advantage of the weaknesses.”

Allen explains that an attacker will start out with a discovery phase, setting out to identify weaknesses in the target site or application. They might even use a different form of DDoS to cover up that activity.

Then the attacker chooses the best tool to exploit the site. They might buy an exploit on the dark web, or create their own.

On their own, though, most denial-of-service malware will have a limited impact on a well-resourced server. A DDoS attack works by operating at scale.

As Joseph Stalin supposedly said of the Red Army during WW2, “quantity has a quality all [of] its own”. So with DDoS. The exploits themselves are simple, but launch enough of them and they will overwhelm even the best systems.

To do this attackers build, or buy, a large enough “Zombie network” or botnet to take out the target. Botnets traditionally consisted of consumer or business PCs, conscripted into the network through malware. More recently, internet of things devices have been co-opted into botnets.

It’s claimed, for example, that the Mirai botnet can be rented for $7,500 per attack.

“If we look at the DynDNS attack of 2016, one of the largest DDoS attacks to date, the attack occurred in phases,” says Allen.

“It first appeared in a single region and then expanded to a concerted global effort from millions of computers that had been breached and turned into a botnet.”

Types of DDoS attacks

A DDoS attack ranges from the accidental – genuine users overwhelming the resources of popular sites, such as in a ‘Reddit hug of death’ – to sophisticated exploits of vulnerabilities.

Simple attacks include the ‘Ping of Death’ – sending more data to the host than the Ping protocol allows – or the SYN flood, which manipulates TCP connection handshakes.

More recent and sophisticated attacks, such as TCP SYN, might attack the network whilst a second exploit goes after the applications, attempting to disable them, or at least degrade their performance.
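A SYN flood works because the server must keep state for every handshake a client starts but never finishes. From the defender's side, the same fact is what makes the attack visible: a replay of SYN, SYN-ACK and ACK packets shows which peers are leaving connections half-open. The following is an added example for this archive, not code from the article or from any of the quoted vendors; the packet summary, the server address and the threshold of five half-open connections per source are constructed.

```python
"""Added example: replaying TCP handshake packets from a capture summary to
count half-open connections per client, the footprint of a SYN flood.
The packet lines, addresses and threshold below are constructed."""
from collections import defaultdict

# Constructed packet summary, one packet per line in arrival order:
# "src:sport dst:dport flags" with S = SYN, SA = SYN-ACK, A = ACK.
PACKETS = """\
10.0.0.5:40001 203.0.113.8:80 S
203.0.113.8:80 10.0.0.5:40001 SA
10.0.0.5:40001 203.0.113.8:80 A
10.0.0.5:40002 203.0.113.8:80 S
203.0.113.8:80 10.0.0.5:40002 SA
10.0.0.5:40002 203.0.113.8:80 A
198.51.100.9:1025 203.0.113.8:80 S
203.0.113.8:80 198.51.100.9:1025 SA
198.51.100.9:1026 203.0.113.8:80 S
203.0.113.8:80 198.51.100.9:1026 SA
198.51.100.9:1027 203.0.113.8:80 S
203.0.113.8:80 198.51.100.9:1027 SA
198.51.100.9:1028 203.0.113.8:80 S
198.51.100.9:1029 203.0.113.8:80 S
198.51.100.9:1030 203.0.113.8:80 S
192.0.2.77:5555 203.0.113.8:80 S
203.0.113.8:80 192.0.2.77:5555 SA
"""

SERVER = "203.0.113.8:80"  # the listening endpoint being protected (constructed)


def parse_packets(text):
    """Split each non-empty line into (src, dst, flags)."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]


def handshake_states(pkts, server=SERVER):
    """Replay packets and return {client_endpoint: state}.

    state is 'syn' (client's SYN seen), 'syn-ack' (server answered) or
    'open' (client's final ACK seen, handshake complete).
    """
    state = {}
    for src, dst, flags in pkts:
        if dst == server and flags == "S":
            state[src] = "syn"
        elif src == server and flags == "SA" and state.get(dst) == "syn":
            state[dst] = "syn-ack"
        elif dst == server and flags == "A" and state.get(src) == "syn-ack":
            state[src] = "open"
    return state


def half_open_by_source(pkts, server=SERVER):
    """Number of handshakes per client IP that never reached 'open'."""
    counts = defaultdict(int)
    for endpoint, st in handshake_states(pkts, server).items():
        if st != "open":
            counts[endpoint.rsplit(":", 1)[0]] += 1
    return dict(counts)


def total_half_open(pkts, server=SERVER):
    """Server-wide half-open count; spoofed floods spread across many sources."""
    return sum(half_open_by_source(pkts, server).values())


def syn_flood_sources(pkts, server=SERVER, threshold=5):
    """Client IPs holding at least `threshold` half-open connections."""
    return sorted(ip for ip, n in half_open_by_source(pkts, server).items()
                  if n >= threshold)


if __name__ == "__main__":
    pk = parse_packets(PACKETS)
    print("half-open per source:", half_open_by_source(pk))
    print("half-open total     :", total_half_open(pk))
    print("flood sources       :", syn_flood_sources(pk))
```

In the constructed capture, 10.0.0.5 completes both of its handshakes and is never counted, 192.0.2.77 has one unfinished handshake (a slow or lost ACK, nothing unusual), and 198.51.100.9 is holding six connections open and is reported. Because a flood usually spoofs its source addresses, the per-source count alone is not enough; the server-wide half-open total is the figure that grows during a real attack, which is why SYN cookies and upstream mitigation act on aggregate state rather than on individual sources.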

James Smith, head of penetration testing at Bridewell Consulting, points to three common forms of DDoS attacks:

  • Volumetric attacks
  • Protocol attacks
  • Application (layer) attacks

“All of these render the targets inaccessible by depleting resources in one way or another,” he says.

One of the largest, and most damaging, forms of DDoS is now the UDP amplification attack. UDP is spoof-able. And, as Corey Nachreiner, chief technology officer at WatchGuard Technologies points out, very small UDP requests can generate large bandwidth attacks.

“UDP amplification gives threat actors asymmetric DDoS power. The most recently discovered UDP amplification attacks can magnify the traffic of one host by a factor of 10,000 or more. When combined with traditional botnets, this gives attackers enough DDoS power to affect ISPs.”

Currently, a memcached UDP amplification attack – which doesn’t need a botnet – holds the DDoS record, with 1.7 Tbps of bandwidth.
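Both the Nexusguard report quoted earlier (DNS amplification with a factor of up to 54, made worse by the long answers DNSSEC-enabled servers return) and Nachreiner's remarks on UDP amplification above come down to one ratio: bytes delivered to the victim per byte the attacker sends. The following is an added example written for this archive, not code from Nexusguard, WatchGuard or the article; the resolver query log, record sizes and thresholds are constructed. It computes that ratio, then shows what the operator of a resolver would see in their own logs when their server is being used as a reflector, and how a simple per-client response cap changes the bytes sent.

```python
"""Added example: computing an amplification factor and spotting reflection
abuse in a resolver's query log. Log lines, sizes and thresholds are constructed."""
from collections import defaultdict

# Constructed resolver query log: client IP, query type, request bytes, response bytes.
# 192.0.2.10 is the apparent source of repeated ANY/DNSKEY queries, i.e. the
# address a reflection attack would spoof so that the large answers land on it.
QUERY_LOG = """\
192.0.2.10 ANY 60 3240
192.0.2.10 ANY 60 3240
192.0.2.10 ANY 60 3240
192.0.2.10 DNSKEY 58 1880
192.0.2.10 ANY 60 3240
10.0.0.7 A 45 61
10.0.0.7 AAAA 45 73
10.0.0.7 MX 47 120
203.0.113.5 TXT 50 900
"""

# Record types whose answers, especially when DNSSEC-signed, dwarf the query.
LARGE_ANSWER_TYPES = {"ANY", "DNSKEY", "TXT", "RRSIG"}


def amplification_factor(request_bytes, response_bytes):
    """Bytes that reach the victim for each byte the attacker had to send."""
    return response_bytes / request_bytes


def parse_query_log(text):
    """Parse lines into (client, qtype, request_bytes, response_bytes)."""
    records = []
    for line in text.splitlines():
        if line.strip():
            client, qtype, req, resp = line.split()
            records.append((client, qtype, int(req), int(resp)))
    return records


def reflection_candidates(records, min_queries=3, min_factor=10.0):
    """Clients that keep receiving large answers: likely spoofed victims, not users.

    Returns sorted (client, query_count, large_type_count, overall_factor).
    """
    totals = defaultdict(lambda: {"queries": 0, "in": 0, "out": 0, "large": 0})
    for client, qtype, req, resp in records:
        t = totals[client]
        t["queries"] += 1
        t["in"] += req
        t["out"] += resp
        t["large"] += qtype in LARGE_ANSWER_TYPES
    hits = []
    for client, t in totals.items():
        factor = amplification_factor(t["in"], t["out"])
        if t["queries"] >= min_queries and factor >= min_factor:
            hits.append((client, t["queries"], t["large"], round(factor, 1)))
    return sorted(hits)


def bytes_sent_with_cap(records, limit_per_client=None):
    """Total response bytes the resolver emits.

    With a limit, only the first `limit_per_client` answers per client are sent:
    a deliberately simplified cap (an assumption of this example) in the spirit
    of response rate limiting, which real resolvers implement per time window.
    """
    seen = defaultdict(int)
    sent = 0
    for client, _qtype, _req, resp in records:
        if limit_per_client is None or seen[client] < limit_per_client:
            sent += resp
        seen[client] += 1
    return sent


if __name__ == "__main__":
    print("ANY query 60 B -> 3240 B answer, factor:", amplification_factor(60, 3240))
    recs = parse_query_log(QUERY_LOG)
    print("reflection candidates:", reflection_candidates(recs))
    print("bytes out, no cap :", bytes_sent_with_cap(recs))
    print("bytes out, cap = 2:", bytes_sent_with_cap(recs, 2))
```

With the constructed sizes, a 60-byte ANY query answered by a 3,240-byte DNSSEC-signed response gives a factor of 54, and the spoofed "client" 192.0.2.10 shows up with five queries, all for large record types, and an overall ratio near 50, while the genuine client 10.0.0.7 asking for A, AAAA and MX records stays near 2. Capping answers at two per client cuts the bytes the resolver sends from 15,994 to 7,514, most of that saving taken from the reflected traffic; in practice operators also refuse recursion for outside clients, answer ANY minimally, and prefer TCP for oversized responses, which removes the spoofing that the whole technique depends on.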

What is the impact of a DDoS attack?

A DDoS attack affects victims in a number of ways:

  • Damage to reputation
  • Damage to customer trust
  • Direct financial losses
  • Impact on critical services
  • Impact on third parties and ‘collateral damage’
  • Data loss
  • The direct and indirect cost of restoring systems

What is the cost of a DDoS attack?

According to Kaspersky Labs, the average cost of an enterprise DDoS attack can approach $2 million.

Another report, by Netscout, calculates that the combined annual costs of DDoS attacks to the UK economy are close to £1 billion ($1.3 billion).

Akamai, another vendor in the space, publishes an online DDoS cost calculator.

The exact cost of a DDoS attack will, though, depend on the organization, the product or service it supplies, and the effectiveness of its incident response and post-incident strategy. This could range from a few tens of thousands of dollars to millions.

In the case of a nation-state attack or an attack on critical national infrastructure, the cost could be far higher – leading to social unrest or even the loss of life.

So far, no deaths have been attributed directly to DDoS attacks, but the economic impact is all too real.

How long does a DDoS attack last?

Again, this depends on the attacker, the target and their defenses. An attack might succeed in just a few moments, if the victim’s servers have few defenses. But the consensus in the industry is that an attack will last up to 24 hours.

According to Cloudflare, the largest DDoS attack – so far – against GitHub lasted about 20 minutes, due to the effectiveness of the site’s defenses.

If an attack does not take down the target in 24 hours, it does not mean the victim’s sites or applications are safe. Attackers can simply move on to another botnet, and try again with more data, or by using a different range of exploits.

Are DDoS attacks illegal?

“In the UK the Computer Misuse Act 1990 ‘makes it illegal to intentionally impair the operation of a computer or prevent or hinder access to a program/data on a computer unless you are authorized to do so’. As a result, these types of attacks are criminal under UK law,” says Bridewell Consulting’s Smith.

But law enforcement can only act if they can find the attacker. “The biggest challenge can be finding the people to prosecute,” says Barracuda’s Allen.

“The attacks are distributed and the attacking devices are often unwitting parties. The true attackers are hard to trace and while they may claim an attack, it’s not like they give out their real names.”

Recent DDoS attacks

Not all DDoS attacks are in the public domain, but here are some that made the headlines:

  • UK Labour Party, November 2019: Hacker group Lizard Squad claimed responsibility for an attack which attempted – but failed – to take down the political party’s website.
  • Wikipedia, September 2019: The site was subject to a three-day-long attack, which took it offline in EMEA and slowed it down in the US and Africa.
  • Telegram, June 2019: This attack is attributed mostly to China-based IP addresses.
  • UPnProxy, November 2018: The Eternal Blue and Eternal Red attacks involved 45,113 infected routers.
  • GitHub, February 2018: Still cited as the largest-ever DDoS attack, at a massive 1.7 Tbps.
  • Dyn, 2016: Attack against US DNS provider, best known because the attack used IoT devices running Mirai malware.

How to prevent a DDoS attack from happening

Dozens of vendors offer web application firewalls (WAFs), often directly through hosting providers, with the cost starting at just a few dollars a month. Businesses can also deploy hardware-based DDoS mitigation appliances at their network edge.

At the enterprise scale, the large distributed network companies, such as Akamai and Cloudflare, offer high-end, distributed DDoS protection. So do vendors, such as Verisign, HPE, and Cisco.

The most basic defense against DDoS is a DIY approach, monitoring and then shutting down requests from suspect IP addresses.

Although this approach is largely free, Brian Honan warns it is unlikely to be effective, especially against sophisticated, large-scale attacks. He also recommends that organizations place their defenses as far away as they can from their servers.

“You might be able to deal with a DDoS in your datacenter, but all of your internet pipe will be used up. So it is questionable how effective that will be,” he said.

Planning is another key element of any DDoS mitigation strategy.

“Having a plan and procedure in place in case of a DDoS attack is paramount, and having monitoring capabilities in place to detect attacks is highly advised,” says Bridewell’s James Smith.

“Organizations also need to have a well implemented patching policy and ensure anything externally facing is up-to-date to help guarantee that any service software that may contain DDoS vulnerabilities is patched in a timely manner.”

Source: https://portswigger.net/daily-swig/what-is-ddos-a-complete-guide

Vancouver, Canada, December 10, 2019 –(PR.com)– DOSarrest rolls out new advanced mitigation capabilities for their cloud based DDoS protection for infrastructure platform known as “Data Center Defender (DCD).” With the addition of AI to this platform, DOSarrest can now automatically mitigate even the most sophisticated attacks on this service. This major upgrade with real-time AI created algorithms does not even require a learning period. Packet by packet analysis enables the system to weed out even the most elusive attacks and automatically block them.

DOSarrest CTO Jag Bains states, “While the DCD Network has been very successful in dealing with volumetric and protocol flood attacks for a number of years now, we remain committed to upgrading and evolving the service. In conjunction with continually increasing the capacity of the DCD Network, we’ve also upgraded the capabilities of DCD with automated routing isolation of targeted IPs through sophisticated analysis on our Big Data Platform. The targeted IP is automatically routed to an additional layer that allows for more sophisticated challenges and mitigation capabilities of malicious traffic.”

Jag Bains adds, “This new capability doesn’t require any learning mode making mitigation ultra fast, it can pick-up anomalies based on combinations of source/destination ports, IP Protocols, TTL, packet lengths and payload patterns, and much more. It even detects and stops malicious traffic that has anomalous TCP flag combinations.”

DOSarrest CEO, Mark Teolis comments, “The traffic isolation and mitigation operates asymmetrically and happens within seconds, all automatically. The ability to automatically isolate targeted IPs gives us a future roadmap to add even more sophisticated security measures that will scale easily…Watch this space.”

About DOSarrest Internet Security:
DOSarrest, founded in 2007 in Vancouver, B.C., Canada, specializes in fully managed cloud-based Internet security services including DDoS protection services, Data Center Defender (DCD), Web Application Firewall (WAF), DDoS attack testing, as well as cloud-based global load balancing.

Source: https://www.pr.com/press-release/801141