Cybersecurity Archive

The field of hacking is a rapidly evolving one. As cybersecurity defenders develop new means of detecting and protecting against cyberattacks, hackers also work to find ways to bypass these new defenses.

One way in which the field of hacking has dramatically changed is the emergence of the hacker service economy. In the beginning, hackers operated as “lone wolves”, carrying out hacking campaigns largely independently. Over time, hacking groups have emerged, and, recently, hackers have begun offering their services to other hackers or consumers. These services can range from specialist support for a certain portion of a cybercrime (like a phishing attack) to offering complete cyberattacks as a service.

The primary effects of this service-based hacking economy are a change in the hacker demographic and in the types and number of threats observed in the wild. The ability to rent the services of hackers means that far less experienced players can enter the world of cybercrime, and the number and intensity of attacks against website security have dramatically increased. As a result, organizations need to take additional steps to protect themselves against cyberattacks that are becoming increasingly common and damaging.

The Modernization of Hacking

In the beginning, hacking was primarily a hobby. Technology nerds who knew a great deal about how computers worked would try breaking into different systems just to demonstrate that they could. While their actions were technically illegal, in general, they weren’t hacking to do damage, so the impact was minimal.

Over time, hacking changed from a (mostly) harmless hobby to one where hackers would steal sensitive information and hack into systems for profit. As the Internet became a part of daily life, more and more data was being placed there by individuals and organizations. This data can be valuable to a number of different parties on the black market (for use in further crimes), so hackers who managed to steal a collection of sensitive data could sell it and get paid for their troubles.

Originally, hackers worked alone; an effective hacker needed to know a great deal about many things and act as a jack of all trades. Over time, hacking became more team-based, where a group of hackers could each specialize in a certain component of the hack and the team split the profits. This dramatically lowered the bar for entering the field of hacking, allowing it to grow, and laid the groundwork for the hacker service economy.

The Hacker Service Economy

A crucial step in the development of the modern economy was the emergence of role specialization. While it is certainly possible for an individual or a group to remain entirely self-sufficient, it is unlikely that they will be incredibly effective at doing so. Most people can be very good at one thing or fair to middling at many different things. Role specialization allowed individuals to develop expertise in a certain area and improved the overall quality of goods and services available to everyone. Unfortunately, the development of hacking has followed the example of the legitimate economy. The emergence of hacking groups and specializations has led to the creation of a hacker service-based economy. Specialists in a certain field can sell their services to other hackers or consumers.

One example of cybercrime as a service is the concept of a Distributed Denial of Service (DDoS) attack as a service. In a DDoS attack, a large number of computers under the control of a hacker attempt to overwhelm a victim’s website, making it unavailable to legitimate traffic. With the rise of the Internet of Things (IoT), which consists of a large number of insecure Internet-connected devices, and cloud computing, which allows individuals to lease computing power, building botnets to perform DDoS attacks has become easy and affordable. A DDoS attack can be performed for as little as $7 per hour, making it possible for a hacker to sell them affordably, even with a substantial markup.

An example of a service offered by hackers for hackers is the concept of combolists as a service. Combolists are collections of breached user credentials for various online services. In a combolists as a service offering, hackers can subscribe to receive lists of breached credentials on a regular basis. These credentials can then be used in credential stuffing attacks, where hackers try breached username/password combinations on different sites in the hope that a user used the same credentials on multiple sites.

Impacts on Website Security

Distributed Denial of Service and credential stuffing attacks have always posed a threat to website security. DDoS attacks can render a website inaccessible to legitimate users and credential stuffing attacks may allow an attacker to gain unauthorized access to a user’s account.

However, the rise of the hacker service economy has increased the threat that these attacks pose to organizations’ websites. These services make it easier for an attacker to obtain the data and talent necessary to perform these attacks, lowering the bar to enter the space. Instead of these attacks being focused primarily on targets chosen by experienced hackers, anyone can buy an attack and aim it at a target of their choosing, leaving any organization exposed to a disgruntled employee or a dissatisfied customer.

As a result, organizations need to take action to protect their web resources from the types of attack commonly offered as a service by hackers. A DDoS protection solution and a bot detection & prevention solution capable of detecting credential stuffing attacks have become a crucial component of any organization’s cybersecurity strategy.
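As an added example (not code from the article), this is the kind of login-log check a bot-detection layer runs to catch the credential stuffing described above: many attempts from one source against many distinct accounts with a low success rate. The log format, addresses and usernames are constructed for the example.

```python
"""Flag credential-stuffing patterns in web login logs.

Added example, not code from the article. Log lines are constructed
in a simple access-log-like format chosen for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) POST /login user=(?P<user>[^ ]+) status=(?P<status>\d{3})$'
)

# Constructed sample: one source works through a combolist (45 distinct
# accounts, one hit), plus a legitimate user who mistypes once and then
# succeeds. Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = "\n".join(
    [f"2019-10-01T12:00:{i:02d}Z 203.0.113.9 POST /login user=user{i:03d}@example.test status=401"
     for i in range(45)]
    + ["2019-10-01T12:00:45Z 203.0.113.9 POST /login user=user045@example.test status=200"]
    + ["2019-10-01T12:01:00Z 198.51.100.4 POST /login user=alice@example.test status=401",
       "2019-10-01T12:01:05Z 198.51.100.4 POST /login user=alice@example.test status=200"]
)


def parse(log_text):
    """Turn matching log lines into events; lines that are not login
    attempts are skipped rather than treated as errors."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                       "ip": m["ip"], "user": m["user"], "ok": m["status"] == "200"})
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_attempts=20,
                    min_distinct_users=10, max_success_rate=0.2):
    """Sliding window per source IP. Stuffing shows three things at once:
    many attempts, many distinct accounts, and a low success rate. A real
    user retrying their own password fails the distinct-user test, while a
    stuffing run fails the success-rate test. The accounts where the source
    did succeed are returned so they can be reset."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            successes = sum(e["ok"] for e in win)
            if (len(win) >= min_attempts and len(users) >= min_distinct_users
                    and successes / len(win) <= max_success_rate
                    and (ip not in findings or len(win) > findings[ip]["attempts"])):
                findings[ip] = {"attempts": len(win), "distinct_users": len(users),
                                "successes": successes,
                                "compromised": sorted(e["user"] for e in win if e["ok"])}
    return findings


if __name__ == "__main__":
    for ip, f in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(f"{ip}: {f['attempts']} attempts on {f['distinct_users']} accounts, "
              f"{f['successes']} succeeded -> reset {f['compromised']}")
```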

Source: https://smartereum.com/62423/at-your-service-inside-the-hacker-economy/

DDoS attacks are on the rise! “DDoS attacks have increased overall in the past 2 years, although the number of attacks between 2017 to 2018 and from 2018 to 2019 (to date) show some interesting trends. DDoS attacks increased 200 percent in Q1 2019 compared to the same time period in 2018. The number of DDoS attacks over 100 GB/s in volume increased 967 percent in Q1 2019,” according to Comparitech.

So, it brings us to the question: how can you defend against DDoS attacks? There are various techniques to protect your systems from DDoS attacks. But first and foremost, let’s get to know the biggest DDoS attacks of this century.

What is Distributed Denial-of-Service?

A Denial-of-Service (DoS) attack is a cyberattack that disrupts the services of a computer or other network resources connected to the Internet, making it unavailable to its intended users for a temporary or indefinite amount of time.

A DoS attack is usually achieved by flooding the targeted computer or resource with surplus requests, with the goal of overloading the system so that some or all requests from its intended users go unserved; hence the name Denial of Service.

A Distributed Denial-of-Service (DDoS) attack is an advanced form of the Denial of Service (DoS) attack in which the flood of superfluous requests originates from many different sources. Because the requests come from so many sources, it is very hard to filter the malicious requests out of the overall traffic and block them.

How do Botnets assist in DDoS Attacks?

A botnet is a group of compromised devices connected to the Internet, which are running one or more bots. The devices in a botnet are compromised and controlled by an attacker to fulfil his malicious plans. A botnet may be used to launch Denial-of-Service attacks, send spam, steal data, and do a lot more.

Since a botnet is a collection of devices, which may be geographically distributed as well, it helps launch Distributed Denial-of-Service attacks. The devices in the botnet flood the target computer or resource with malicious, unneeded traffic, causing the target system to crash or overload, thus denying further service.

Worst DDoS Attacks of this Century

Let’s discuss the biggest or worst DDoS attacks, understand their methods and consequences, and learn from the mistakes that led to those DDoS attacks.

GitHub [2018]

The most popular developer platform — GitHub, now acquired by Microsoft — was hit by a Distributed Denial-of-Service (DDoS) attack on 28th February 2018. Fortunately, GitHub had opted for a DDoS protection service, which was able to detect and mitigate the attack within 10-20 minutes.

“GitHub briefly struggled with intermittent outages as a digital system assessed the situation. Within 10 minutes it had automatically called for help from its DDoS mitigation service, Akamai Prolexic. Prolexic took over as an intermediary, routing all the traffic coming into and out of GitHub, and sent the data through its scrubbing centers to weed out and block malicious packets. After eight minutes, attackers relented and the assault dropped off,” according to WIRED.

The DDoS attack was powerful enough to disrupt GitHub. “The first portion of the attack against the developer platform peaked at 1.35Tbps, and there was a second 400Gbps spike later. This would make it the biggest DDoS attack recorded so far. Until now, the biggest clocked in at around 1.1Tbps,” reported ZDNet.

What was different in this attack? There were no botnets involved, which is a popular method for launching a DDoS attack. It was executed using memcached, a popular database caching system. The attackers flooded those servers with falsified or spoofed requests, amplifying the attack by up to 50,000x.

Dyn [2016]

The second most powerful DDoS attack was launched against Dyn — a web performance and security company — in October 2016. It was a more devastating attack than that on GitHub, disrupting various popular services such as AirBnB, GitHub, Netflix, PayPal, Reddit, and Twitter since Dyn is a DNS provider.

It was executed using Mirai — a botnet malware that targets and compromises Internet of Things (IoT) devices like cameras, printers, televisions, etc. These compromised devices were then used to launch the DDoS attack on Dyn.

Dyn recovered from the attack within one day — far longer than the minutes it took GitHub — which is why Dyn incurred millions of dollars in losses. “Damage from the attack is reputed to have cost $110 million and despite the attack being contained within one day, in the immediate aftermath of the attack, over 14,500 domains dropped Dyn’s services,” according to MetaCompliance.

BBC [2015]

The BBC (British Broadcasting Corporation) — the well-known media company — was attacked on 1st January 2015. Although neither the magnitude of the attack nor the attacker’s identity was ever confirmed, it reportedly peaked at around 600Gbps. Since the attack on Dyn topped out at 1.1Tbps and that on GitHub at 1.35Tbps, the attack on the BBC ranks as the third-worst in the history of DDoS attacks.

“At the time this attack took place it was the largest one recorded (if indeed it reached that scale) taking nearly two weeks to completely recover from the incident. The entire BBC domain was taken down, including their on-demand television and radio player for a total of three hours worth of attack, plus experimenting residual issues for the rest of the morning,” per Sucuri Blog.

How to Defend against DDoS Attacks?

Since you now know about the worst DDoS attacks and the damages incurred to their target services, let’s learn the techniques to defend against DDoS attacks.

Secure your Infrastructure

You must opt for a multi-level protection plan to protect your network. The plan may include intrusion prevention systems and threat management systems along with content filters, firewalls, and load balancers. You must also update your systems regularly, since outdated systems are where most vulnerabilities are found.

Opt for Cloud/Scalable Host

You should plan for scale from the start by choosing a cloud-based, or at least scalable, hosting provider. Since the whole idea behind a DDoS attack is to flood your systems with unneeded requests until resources run out, such attacks will most likely fail if your systems are built to scale. Some cloud services can also detect unneeded traffic and prevent it from reaching your app or website.

Deploy a Specialized Firewall

You must opt for a Web Application Firewall (WAF) — a specialized firewall built to analyze the incoming traffic to your app or website. It can detect and block malicious traffic before it reaches your systems, thus protecting them against DDoS attacks. It also supports custom rules, so that after studying your traffic patterns you can implement custom mitigations against any bad traffic.

That’s all about the worst DDoS attacks and how you can fight against future attacks on your app or website.

Source: https://thetechportal.com/what-were-the-worst-ddos-attacks-of-this-century-how-can-we-prevent-future-ones/

Up to 40,000 macOS systems expose a particular port online that can be abused for pretty big DDoS attacks.

DDoS-for-hire services, also known as DDoS booters, or DDoS stressors, are abusing macOS systems to launch DDoS attacks, ZDNet has learned.

These attacks are leveraging macOS systems where the Apple Remote Desktop feature has been enabled, and the computer is accessible from the internet, without being located inside a local network, or protected by a firewall.

More specifically, the attackers are leveraging the Apple Remote Management Service (ARMS) that is a part of the Apple Remote Desktop (ARD) feature.

When users enable the Remote Desktop capability on their macOS systems, the ARMS service starts on port 3283 and listens for incoming commands meant for the remote Mac.

HUGE “AMPLIFICATION FACTOR”

But sometime this year, cyber-criminals have realized that they can abuse the ARMS service as part of a so-called “DDoS amplification attack.”

DDoS amplification attacks are one of the many forms of DDoS attacks. It’s when attackers bounce traffic off an intermediary point and relay it towards a victim’s server.

In this case, that intermediary point is a macOS system with Remote Desktop enabled.

Protocols like DNS, NTP, CharGEN, Memcached, NetBIOS, CLDAP, and LDAP are often abused as part of DDoS amplification attacks. CoAP and WS-Discovery are just the latest protocols to have joined this list. Most of these protocols are UDP-based; UDP is a connectionless transport protocol on top of which these more complex protocols are built. ARMS is also a UDP-based protocol.

The danger level of any of the above protocols is what security researchers call the “amplification factor,” the ratio between the size of the packet sent to the reflector and the size of the traffic the reflector sends on toward the target.

Most DDoS amplification attacks observed in the wild have an amplification factor of between 5 and 10. The higher the factor, the more useful the protocol is to attackers.

According to security researchers from Netscout, who saw the first ARMS-based DDoS attacks in June, ARMS commands an impressive 35.5 amplification factor.

Furthermore, while there have been other protocols with big amplification factors in the past, most of them are oddities or rarely used protocols, making them of little practical use to attackers.

Most of today’s DDoS amplification attacks rely on DNS and NTP: even though they have a small amplification factor, there are plenty of servers to go around that attackers can use to amplify their bad traffic.

UP TO 40,000 MACOS EXPOSE ARD/ARMS PORTS

However, ARMS is different, in the sense that this is the worst-case scenario, where we have a big amplification factor protocol that’s available on a large number of hosts that attackers can abuse.

A search with the BinaryEdge IoT search engine shows nearly 40,000 macOS systems where the Remote Desktop feature is enabled and the systems are reachable via the internet.

SOME ATTACKS PEAKED AT 70 GBPS

It is unclear who discovered that the ARMS service could be abused for DDoS amplification attacks, but attacks have already happened in the real world.

Netscout spotted the first one in the second week of June. The company said the attack peaked at 70 Gbps, which is a pretty large attack.

Other attacks followed, as observed by the Keio University Shonan Fujisawa Campus in Japan, and by Italian systems administrator Marco Padovan.

But while initial attacks were sparse, they’re now starting to pick up, according to a source in the DDoS community. The main reason is that some DDoS booters have added support for launching attacks via this protocol, this source told ZDNet.

This means that macOS systems across the globe are now being used as bouncing points for DDoS attacks.

THESE SYSTEMS SHOULD NOT BE REACHABLE VIA THE INTERNET

According to an analysis of the BinaryEdge search results, the vast majority of these systems are on university and enterprise networks, where system administrators use the Apple Remote Desktop feature to manage large fleets of macOS systems at once.

These systems should not be available online, and if they need to be, then access should be restricted using Virtual Private Networks or IP whitelists.

The Apple Remote Desktop feature is the direct equivalent of Microsoft’s Remote Desktop Protocol (RDP).

In the past, hackers have brute-forced RDP endpoints to gain access to corporate networks, from where they stole proprietary information, or have installed ransomware. Similar to how crooks target companies with RDP systems exposed online, they can do the same for Mac systems with ARD.

Admins of macOS fleets should probably secure ARD endpoints to prevent these types of attacks first, and DDoS nuisance second.
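A defender-side check for the ARMS reflection described in this section, added here as an example and not code from the article, Netscout or BinaryEdge: over constructed flow records it flags a host being answered by many reflectors from an amplifier port, measures the amplification factor as the out/in byte ratio, and lists local Macs answering on 3283 to outside addresses (the ones to move behind a VPN or allowlist). The record field names and sample addresses are assumptions.

```python
"""Spot UDP reflection/amplification traffic in flow records.

Added example, not code from the article. Input is a list of constructed
NetFlow-style records (one dict per unidirectional flow); the field names
are an assumption made for this example.
"""
from collections import defaultdict

# UDP ports of the reflector protocols the article lists. 3283 is the
# port ARMS listens on when Apple Remote Desktop is enabled.
AMPLIFIER_PORTS = {
    53: "DNS", 123: "NTP", 19: "CharGEN", 11211: "Memcached",
    137: "NetBIOS", 389: "CLDAP/LDAP", 5683: "CoAP",
    3702: "WS-Discovery", 3283: "ARMS",
}


def flow(src, sport, dst, dport, nbytes, pkts, proto="udp"):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": proto, "bytes": nbytes, "pkts": pkts}


VICTIM = "198.51.100.7"
# Constructed sample: 30 exposed Macs on 203.0.113.0/24 each answer 20
# spoofed ARMS requests that appear to come from the victim. Request flows
# are 20 packets x 40 bytes; each reply flow is 35.5x larger (the factor
# Netscout reported). Benign DNS and TLS flows must not raise an alert.
FLOWS = []
for i in range(1, 31):
    mac = f"203.0.113.{i}"
    FLOWS.append(flow(VICTIM, 40000 + i, mac, 3283, 800, 20))    # spoofed requests
    FLOWS.append(flow(mac, 3283, VICTIM, 40000 + i, 28400, 20))  # amplified replies
FLOWS.append(flow("203.0.113.50", 51234, "192.0.2.53", 53, 70, 1))
FLOWS.append(flow("192.0.2.53", 53, "203.0.113.50", 51234, 180, 1))
FLOWS.append(flow("203.0.113.50", 51235, "192.0.2.80", 443, 5200, 12, proto="tcp"))


def detect_reflection(flows, min_reflectors=10):
    """Group UDP flows whose *source* port is an amplifier port by
    destination. Many distinct reflectors all answering one host is the
    signature of a reflection attack on that host."""
    by_victim = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    for f in flows:
        if f["proto"] != "udp" or f["sport"] not in AMPLIFIER_PORTS:
            continue
        key = (f["dst"], f["sport"])
        by_victim[key]["reflectors"].add(f["src"])
        by_victim[key]["bytes"] += f["bytes"]
    alerts = []
    for (victim, port), agg in by_victim.items():
        if len(agg["reflectors"]) >= min_reflectors:
            alerts.append({"victim": victim, "protocol": AMPLIFIER_PORTS[port],
                           "port": port, "reflectors": len(agg["reflectors"]),
                           "bytes": agg["bytes"]})
    return sorted(alerts, key=lambda a: a["bytes"], reverse=True)


def amplification_factor(flows, port):
    """Bytes leaving the amplifier port divided by bytes arriving at it,
    i.e. the ratio the article calls the amplification factor. Returns
    0.0 if no request traffic was seen."""
    req = sum(f["bytes"] for f in flows if f["proto"] == "udp" and f["dport"] == port)
    rep = sum(f["bytes"] for f in flows if f["proto"] == "udp" and f["sport"] == port)
    return rep / req if req else 0.0


def exposed_reflectors(flows, port, local_prefix):
    """Local hosts that answered on an amplifier port to an outside
    address: the machines to restrict to a VPN or IP allowlist."""
    return sorted({f["src"] for f in flows
                   if f["proto"] == "udp" and f["sport"] == port
                   and f["src"].startswith(local_prefix)
                   and not f["dst"].startswith(local_prefix)})


if __name__ == "__main__":
    for a in detect_reflection(FLOWS):
        print(f"{a['protocol']} reflection toward {a['victim']}: "
              f"{a['reflectors']} reflectors, {a['bytes']} bytes")
    print("ARMS amplification factor:", amplification_factor(FLOWS, 3283))
    print("exposed local reflectors:", len(exposed_reflectors(FLOWS, 3283, "203.0.113.")))
```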

Source: https://www.zdnet.com/article/macos-systems-abused-in-ddos-attacks/

With three months left in the year, 2019 has already seen an exceptional number of major cybersecurity incidents.

An avalanche of hacks, breaches, and data exposures has rattled government agencies and private companies alike, and the victims are typically consumers or citizens.

An attack earlier this summer that targeted Uighur Muslims and Tibetans in China exposed flaws in systems like iOS that were previously thought to be impenetrable. Ransomware attacks have swept government agencies across the US, debilitating them for days on end.

Hackers are becoming increasingly innovative with the techniques they use to access sensitive data. In many cases, new technologies that have just hit the market are boons to hackers, who capitalize on people’s lack of understanding of how those technologies work, as well as undiscovered holes in new systems’ security.

In turn, cybersecurity experts are highlighting certain technologies that have been repeatedly exploited by hackers, calling for heightened awareness of their vulnerability to bad actors.

Here are seven emerging technologies that pose threats to modern cybersecurity.

AI-generated “deepfake” audio and video can help hackers scam people.

“Deepfake” technology — which allows people to manipulate video and audio in a way that looks very real — has made leaps and bounds in recent years. Indeed, anyone familiar with face-swapping filters on Snapchat or Instagram has witnessed a rudimentary version of deepfake technology firsthand.

As deepfakes become increasingly sophisticated and hard to tell apart from the real thing, cybersecurity experts worry that hackers could use the technology for phishing scams, wherein hackers pose as somebody else to get victims to hand over private information.

Some companies are working on AI-driven software to detect deepfakes, but these efforts are still in the early stages of development.

Quantum computing could easily crack encryption.

In September, Google announced that it had achieved “quantum supremacy,” meaning it built a functioning quantum computer — a feat that had been theorized but never achieved. The announcement was a major milestone in the field, but the technology is still nascent and doesn’t have many practical applications yet.

Nonetheless, the announcement raised immediate concerns for security watchdogs, who say that quantum computers — which channel aberrant phenomena from quantum physics into computing power — could easily break encryption currently used in products seen as airtight, like blockchain or credit card transactions.

While quantum computers haven’t been used to this end by hackers yet, experts worry that the technology could continue to advance in years to come, threatening encrypted data sets that organizations like banks protect for decades.


5G networks will bring faster speeds, and a host of new vulnerabilities.

5G is beginning to roll out as the next generation of wireless network, promising faster wireless internet with the bandwidth to support more devices.

But security watchdogs warn that the shift to 5G could give hackers new inroads to target systems that use the network. The increased speed could make 5G devices more susceptible to DDoS attacks, which aim to flood victims’ servers with traffic in order to overwhelm and shut them down, according to Security Boulevard.


The “internet of things” creates new threats to security infrastructure.

The “internet of things,” or networks specifically made for internet-connected devices and appliances to communicate with each other, is now used widely across industries.

As this technology becomes more common, however, hackers are increasingly finding vulnerabilities in IoT networks and using them to compromise companies’ operations. In one high-profile example, hackers breached the network used by Verizon’s shipping vessels and were able to track where the company was shipping its most valuable cargo.

Hackers are using artificial intelligence to outsmart cybersecurity systems.

As artificial intelligence makes leaps forward in sophistication and versatility, hackers are already using it to get around cybersecurity defenses. Hackers can use AI-driven programs to quickly scan networks to find weak points, or predictive text functions to impersonate insiders and trick targets into handing over sensitive information.

“We do imagine that there will be a time when attackers use machine learning and artificial intelligence as part of the attack. We have seen early signs of that,” Nicole Eagan, CEO of cybersecurity firm Darktrace, told the Wall Street Journal.


As companies outsource high-tech functions to third parties, supply-chain hacks proliferate.

A growing number of recent data breaches came about as the result of “supply chain” hacks, wherein attackers break into a company’s software that is in turn distributed to its clients.

This trend is the result of an increasing number of companies and agencies outsourcing services to third parties, which widens the range of potential victims for hackers to target. According to a recent report by cybersecurity firm Aon, the number of targets that are potentially vulnerable to supply chain hacks is growing exponentially.


More operational functions are moving online, which is good news for hackers.

Companies and government agencies are maximizing the number of operations that use internet connectivity, drawn in by the efficiency the internet brings.

But doing so comes at a security cost — with more internet connectivity, the “attack surface” that’s vulnerable to hacks becomes wider, lowering an organization’s defenses, according to the Aon report. If hackers compromise one internet-connected facet of an organization, it’s easy for them to laterally hack other devices on the network.

Source: https://www.businessinsider.com/7-emerging-technologies-that-cybersecurity-experts-are-worried-about-2019-10#more-operational-functions-are-moving-online-which-is-good-news-for-hackers-7

WASHINGTON — In the past year, political campaigns, parties, and pro-democracy groups around the world have faced more than 800 cyberattacks, according to new data provided to Rolling Stone by tech giant Microsoft.

“The threat is real and it’s not stopping,” Tom Burt, a vice president of customer security and trust at Microsoft, tells Rolling Stone. “Anyone involved in the democratic process needs to know that it’s likely not a question of if they’ll be targeted but whether they will be breached, and there’s a lot they can do today — basic cybersecurity hygiene — to protect themselves.”

The 2016 presidential race demonstrated how a foreign adversary’s hacking operation could wreak havoc in US democracy — in that case, by digitally breaking into the DNC and the personal email account of Clinton campaign chief John Podesta and then weaponizing those stolen emails and documents by publishing them online.

Despite Special Counsel Robert Mueller’s indictment of 12 Russian intelligence officers for the DNC and Podesta hacks, the cyberattacks didn’t let up in the 2018 midterm elections. In the summer of 2017, shortly after President Trump took aim at then-Sen. Claire McCaskill (D-Mo.) and told a Missouri rally crowd to “vote her out of office,” Russian-affiliated hackers targeted staffers in McCaskill’s Senate office and tried to dupe those staffers into handing over their email passwords.

Rolling Stone broke two stories that revealed online attacks targeting two Democratic candidates for Congress in competitive races, one of whom was challenging then-Rep. Dana Rohrabacher (R-Calif.), widely seen as the most pro-Russia lawmaker in Washington. (Rohrabacher lost his race last year.) The other Democratic candidate was Bryan Caforio, whose official campaign website was crippled multiple times by distributed denial of service attacks.

The FBI has investigated both of these incidents and continues to look into the DDoS attacks on Bryan Caforio, according to a source with knowledge of the investigation.

Then-Director of National Intelligence Dan Coats said in the summer of 2018 that the warning lights for future cyberattacks on American elections were “blinking red.” A month later, Microsoft announced that it had used a court order to disrupt and shut down phony domain names used by Fancy Bear, the Russian-affiliated hacking operation, to attack U.S. Senate staffers and employees of nonprofit groups like the International Republican Institute that have been critical of Russia and its leader, President Vladimir Putin.

As part of its Defending Democracy Program, Microsoft created a free tool called AccountGuard that political candidates, parties, and democracy-focused NGOs can use to protect themselves against hacking attempts and other cyberthreats. There are approximately 60,000 accounts enrolled in AccountGuard, which is available in more than two dozen countries, according to Microsoft.

Tom Burt, the Microsoft executive in charge of customer security, tells Rolling Stone that the majority of nation-state attacks the company has detected against all Microsoft customers have originated with actors in Iran, North Korea, and Russia. (The company doesn’t specify which nation-states are behind attacks on political campaigns, parties, and pro-democracy groups that use the AccountGuard tool.)

Burt says that he and his team have detected a pattern in the cyberattacks that they’re seeing. “Early on in election cycles, we often see the majority of attacks targeting NGOs and think tanks involved in policy-making process and that are in communication with campaigns,” Burt says. “As we get closer to elections themselves, we often see more attacks targeting campaigns themselves and the personal email of campaign staff.”

The Microsoft data suggest that, when it comes to the threat of cyberattacks, the 2020 elections are shaping up to be as bad or worse than 2016.

Source: https://www.rollingstone.com/politics/politics-news/cyberattack-election-meddling-democracy-2020-892623/