DDoS Protection Specialist Archive

Researchers last week detected a new, fileless version of the malicious remote access tool njRAT that propagates as a worm via removable drives.

Also known as BLADABINDI or njw0rm, the njRAT acts as a backdoor, capable of cyber espionage, keylogging, distributed denial of service attacks, retrieving and executing files, and stealing credentials from web browsers.

This particular variant, identified as Worm.Win32.BLADABINDI.AA, leverages AutoIt, a free automation script language for Windows, to compile the final payload and the main script into one executable. The technique makes the ultimate payload difficult to detect, Trend Micro threats analyst Carl Maverick R. Pascual reported today in a company blog post.

An analysis of the executable’s script determined that it deletes any file named Tr.exe from the %TEMP% directory and replaces it with its own malicious version, plus a copy of itself. All additional files downloaded from the C2 server, which is located at water-boom[.]duckdns[.]org, will also be stored in the %TEMP% folder.

The dropped Tr.exe file is actually a second AutoIt-compiled script that contains yet another executable, this one base-64 encoded. Tr.exe “will use an auto-run registry… named AdobeMX that will execute PowerShell to load the encoded executable via reflective loading,” states the blog post, meaning that the executable is loaded from memory rather than from the system’s disk.

Worm.Win32.BLADABINDI.AA is similar to its predecessors in that its C&C-related URL uses the dynamic domain name system service. Pascual believes this could be to allow the attackers “to hide the server’s actual IP address or change/update it as necessary.”
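The three host-side traits the write-up describes (a Run value named AdobeMX that starts PowerShell to reflectively load a base64-encoded executable, a dropped Tr.exe in %TEMP%, and C2 over a free dynamic-DNS domain) are the kind of thing a defender can check for with a small triage script. The following is an added example written for this archive, not code from the article or from Trend Micro. The Run-key entries, DNS log lines and %TEMP% listing are constructed sample data; the only values taken from the write-up are the value name AdobeMX, the file name Tr.exe and the C2 host water-boom.duckdns.org. The list of dynamic-DNS suffixes and the `timestamp client qname` log format are assumptions.

```python
"""Triage checks for the njRAT/BLADABINDI.AA persistence and C2 traits described above.

Added example; all sample data below is constructed. Only AdobeMX, Tr.exe and
water-boom.duckdns.org come from the Trend Micro write-up quoted in the article.
"""
import base64
import re

IOC_RUN_VALUE_NAME = "AdobeMX"            # Run value name reported in the write-up
IOC_C2_HOST = "water-boom.duckdns.org"    # C2 host reported in the write-up
IOC_DROPPED_FILE = "tr.exe"               # dropped second-stage script (compared case-insensitively)

# Free dynamic-DNS suffixes often used for C2. The category is from the article; the list is an assumption.
DYNDNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net")

# Substrings that indicate a PowerShell script loading an assembly straight from memory.
REFLECTIVE_LOAD_MARKERS = ("Reflection.Assembly", "FromBase64String", "::Load(")

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENC_FLAG_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(blob):
    """PowerShell's -EncodedCommand takes base64 of the UTF-16LE script text."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess_run_value(name, command):
    """Return the reasons a Run-key value looks like the described persistence (empty if benign)."""
    reasons = []
    if name.lower() == IOC_RUN_VALUE_NAME.lower():
        reasons.append("run value name matches IoC " + IOC_RUN_VALUE_NAME)
    lowered = command.lower()
    if "powershell" not in lowered:
        return reasons
    if re.search(r"-w(?:indowstyle)?\s+hidden", lowered):
        reasons.append("PowerShell started with a hidden window")
    match = ENC_FLAG_RE.search(command)
    script = decode_encoded_command(match.group(1)) if match else command
    if match:
        reasons.append("PowerShell -EncodedCommand payload")
    if script and any(m.lower() in script.lower() for m in REFLECTIVE_LOAD_MARKERS):
        reasons.append("script loads an assembly from memory (reflective loading)")
    return reasons


def suspicious_dns(log_lines):
    """Flag queries for the reported C2 host or for any dynamic-DNS domain.

    Assumed line format: '<timestamp> <client-ip> <qname>'.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        qname = parts[2].rstrip(".").lower()
        if qname == IOC_C2_HOST:
            hits.append((qname, "exact C2 IoC"))
        elif qname.endswith(DYNDNS_SUFFIXES):
            hits.append((qname, "dynamic DNS domain"))
    return hits


def dropped_file_present(temp_listing):
    """Return paths in a %TEMP% listing whose file name is the dropped Tr.exe."""
    return [p for p in temp_listing
            if p.replace("\\", "/").split("/")[-1].lower() == IOC_DROPPED_FILE]


# Constructed sample data. The encoded command is built here so the example is self-contained.
_INNER = ("[System.Reflection.Assembly]::Load([Convert]::FromBase64String($env:payload))"
          ".EntryPoint.Invoke($null,$null)")
SAMPLE_ENCODED = base64.b64encode(_INNER.encode("utf-16-le")).decode()

SAMPLE_RUN_KEYS = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("AdobeMX", "powershell.exe -NoP -W Hidden -EncodedCommand " + SAMPLE_ENCODED),
]
SAMPLE_DNS = [
    "2018-11-21T10:02:11 10.0.0.12 www.microsoft.com.",
    "2018-11-21T10:02:15 10.0.0.12 water-boom.duckdns.org.",
    "2018-11-21T10:03:40 10.0.0.19 cam-feed.ddns.net.",
]
SAMPLE_TEMP = [
    r"C:\Users\alice\AppData\Local\Temp\Tr.exe",
    r"C:\Users\alice\AppData\Local\Temp\wct1234.tmp",
]


def triage():
    """Run all three checks over the constructed sample data."""
    run_findings = {n: assess_run_value(n, c) for n, c in SAMPLE_RUN_KEYS if assess_run_value(n, c)}
    return {"run_keys": run_findings,
            "dns": suspicious_dns(SAMPLE_DNS),
            "temp": dropped_file_present(SAMPLE_TEMP)}


if __name__ == "__main__":
    for section, result in triage().items():
        print(section, result)
```

The Run-key check does not stop at the AdobeMX name: an attacker can rename the value, so the decoded `-EncodedCommand` text is inspected for reflective-loading markers as well, which is the behaviour the article says makes the final payload hard to spot on disk. In a real environment the sample lists would be replaced by an export of the HKCU and HKLM Run keys, resolver logs and a listing of each user's %TEMP% directory.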

“The worm’s payload, propagation, and technique of filelessly delivering the backdoor in the affected system make it a significant threat,” the blog post concludes. “Users and especially businesses that still use removable media in the workplace should practice security hygiene. Restrict and secure the use of removable media or USB functionality, or tools like PowerShell… and proactively monitor the gateway, endpoints, networks, and servers for anomalous behaviors and indicators such as C&C communication and information theft.” Trend Micro also recommends employing an endpoint solution that can detect fileless malware attacks through behavior monitoring.

Source: https://www.scmagazine.com/home/security-news/cybercrime/malicious-developer-creates-wormable-fileless-variant-of-njrat/

Threats are now emerging beyond home and medical devices towards IoT control systems connected to national infrastructures. It is no exaggeration to say that IoT vulnerabilities are a threat to our national and personal security – dangers brought into sharp relief by the growing weaponisation of cybersecurity on the world stage.

Cybersecurity agenda

Over the last decade, the number and scale of cyber attacks against global IT infrastructures have increased dramatically. The growing number of attack vectors enabled by the internet, the sophistication of the attacks and the ‘staying power’ of the cyber gangs are all markers of how cybersecurity has become the subject of major international conflict.

The rewards of cyber crime over the last decade have been lavish and can be measured in trillions of dollars. And the size of this cyber treasure chest will only increase exponentially over the next decade.

The cyber war is an asymmetric battle. According to Carbon Black, cyber criminals are spending an estimated $1 trillion each year on finding weaknesses in the cyber defences of organisations and businesses, while the same organisations and businesses are spending a mere $96 billion per year to defend themselves against these attacks.

But it’s not always the case that these threats are created by what people in the West would call ‘rogue’ states or actors.

Militarisation of cyber attacks

The biggest single factor that has emerged in the cybersecurity landscape over the last decade is the brazen and overt participation of nation states in the battle. The size of a state’s cyber capability has now become the biggest statement of its national power and global influence.

So loud are the noises around cybersecurity that cyber-aggression appears to have bumped the threat of nuclear and biowarfare down the security agenda.

In the mid-noughties there appears to have been a joint US/Israeli project to attack Iran’s nuclear programme. A virus was created which attacked the SCADA infrastructure around this programme and thus the centrifuges which were being used to enrich uranium.

Stuxnet surfaced in 2010, when it preyed upon Siemens PLCs to the extent that around a third of Iran’s centrifuges were taken out of action. This might be termed a ‘successful’ attack upon the process control layer of a large utility project.

To say that cyber warfare is preferable to weapons of mass destruction might appear an understatement. However one should at the same time be mindful of the huge impacts cyber attacks could have on energy and utility companies, upon hospitals, and upon the military apparatus and democratic institutions we take for granted. Lives can be placed at risk.

Internet of Things

The massive increase in the number of devices connected to the internet continues unabated. This year there will be in the region of 23bn connected devices. This number is projected by IHS to rise to 75bn by 2025. This huge growth presents an ever increasing ‘attack surface’ for the cyber gangs to attack.

The traditional target area for IoT cyber attacks has been home devices. A prime example would be the 2016 Mirai botnet attack, which infected around 600,000 IoT devices. The devices affected were mainly internet routers, but connected cameras were also compromised.

Mirai wreaked havoc by launching a distributed denial of service (DDoS) attack and overwhelming the devices’ networks.

By 2018 the hackers had switched their focus to the wireless protocols which exist for smart home devices, specifically the Z-Wave wireless protocol. This year, a vulnerability was discovered which affected up to 100 million smart home devices. Burglar alarms, security cameras, and door locks could be disabled, for example, allowing thieves to enter unchecked.

Another major area of vulnerability is that of accessing an individual’s home banking systems via the ‘voice hacking’ of smart speakers.

The recent news about FreeRTOS – a real-time operating system ported to around 35 microcontroller platforms – being an easy target for hackers has further eroded confidence in the security of IoT home devices.

As well as connected domestic appliances there is growing concern about the threats to healthcare devices. There are around 100m such devices installed worldwide. From insulin pumps, to diagnostic equipment, to remote patient monitoring, the areas for potential attack are huge and life-threatening.

Industrial IoT

Cybersecurity firm Carbon Black issued its Quarterly Incident Response Threat Report in November. The report represents an analysis of the latest attack trends seen by the world’s top incident response (IR) firms.

The report found that a growing number of attacks are now taking advantage of IoT vulnerabilities. An alarming 38 percent of IR professionals saw attacks on enterprise IoT devices, which can become a point of entry to organisations’ primary networks, allowing island hopping (whereby attackers target organisations with the intention of accessing an affiliate’s network).

This latter point underscores the continuing trend of exploiting IoT devices in the enterprise domain to attack business and to move from there into other ‘supply chain’ networks in order to disrupt additional enterprise operations.

The threats emerging away from these home and medical devices towards IoT control systems connected to national infrastructures are increasing in number and truly terrifying.

Process control devices in the industrial world present vulnerabilities in our oil and gas industries, and in our water purification and power plants. A nation’s vital utility infrastructure could potentially be brought to its knees by cyber attacks against the IoT device layer.

This threat isn’t new, although it has been comparatively rare in the past. The Industroyer (Crashoverride) malware framework took out approximately one fifth of Kiev’s power for one hour in December 2015. A number of other malware attacks targeting industrial control systems in energy plants have also been discovered in the last few years.

It is now well understood that nation states such as Russia, China and North Korea have been probing other nations’ power generation facilities with a view to potential future hacks. The dangers are well understood by many governments, but as yet these vital infrastructure areas are still massively vulnerable to attack.

Understanding the risks

Only recently, Ciaran Martin, head of the UK’s National Cyber Security Centre (the NCSC) gave an apocalyptic warning about cyber threats to the UK. Martin said that Britain will be hit by a life-threatening ‘category 1’ cyber emergency in the near future.

Similar warnings have been coming out of the US recently, and President Trump’s National Cyber Strategy outlined the same types of threats against US infrastructure. Trump has constantly talked about the threats to US Power Grids – primarily again via the IoT layer – and it’s an area of deep concern for the Federal Government.

In the last month, Trump has been offering to share cyber attack and defence capabilities with NATO allies, at the same time as the UN calls for an ‘amnesty’ in the use of cyber attacks against critical infrastructures.

But at the business level the understanding of cyber risks is patchy. British business is predominantly uneducated and complacent when it comes to the risks posed by cyber threats and the vulnerability of IoT devices wherever they might be on their network.

Who is responsible?

In the IoT domain for both home and enterprise devices we need secure device design and manufacture, secure deployment, and secure onward protection.

It is the device manufacturer’s responsibility to ensure that IoT devices are delivered free of malware or rogue components. Manufacturers also have a responsibility to ensure that default passwords cannot be used in a live environment, and that system software can be patched and updated going forward as new threats are understood.

But there is a dual responsibility between device supplier and the end user. Users of these devices in public sector organisations and business enterprises also have a responsibility to ensure that this layer of their IT infrastructure is of itself secure and that it cannot be compromised by weaknesses in other layers of their own cyber defence, or by malware which might be passed on through their supply chain, i.e. ‘island hopping.’

The role of businesses

Starting with the boardroom, businesses must enact a top-down approach to avoid backlash from the market. All companies should be aware that their cybersecurity will be subject to considerable public scrutiny when things go wrong. The directors of companies need to take an active interest in their companies’ cybersecurity policies.

News published in early November told us that Facebook had lost 1m users in Europe in the last couple of months after its highly publicised breaches, and we can expect them to lose more user share going forward.

In the home IoT market, consumer confidence is key. If any particular brand of fridge, TV, baby alarm, speaker, or burglar alarm was exposed as being the source of attacks, consumers will vote with their wallets.

A recent survey conducted by Opinium in the UK showed that businesses which were breached or caused other businesses to be breached would experience repercussions from other businesses.

One in five businesses would take legal action to recover financial losses incurred from a breach as a result of a supplier’s negligence, and a similar number would use the incident to negotiate a further discount. Just three percent of businesses said they would take no action.

The survey also showed that victims of cybercrime could find it more difficult to attract new customers, with 35 percent of the business leaders questioned saying they would not work with a supplier they thought would make them more vulnerable to cybercrime. Just over a quarter said they would avoid using a company that had been publicly associated with a major cybersecurity breach.

Shareholders tend to react when market share is impacted, when the brand of a company is trashed in the market, or when a CEO’s position is undermined by high profile incidents.

CEOs and senior executives have been put on notice that the buck stops with the boardroom. The directors of companies need to take an active interest in their companies’ cybersecurity policies.

Regulatory headwinds

Although they are only guidelines, the UK’s recently released ‘secure by design’ guidelines are an admirable head start towards IoT regulation.

The code – which the government claims is a ‘world first’ – has 13 guidelines, to ensure connected items are ‘secure by design’. It is long overdue and needs to be replicated by other countries.

The guidelines include: no default passwords; a vulnerability disclosure policy; pushed software updates; secure storage of credentials and security-sensitive data; encrypted in-transit communications and secure key management; resilience to outages; monitoring of telemetry data; and making it easy for users to delete personal data from any device.

The code of practice is designed with the home device market in mind. However, the guidelines can have a strong influence on the move towards industrial IoT regulatory requirements too.

In this latter scenario, primary responsibility would pass more towards the implementer or the end user of the industrial control technology.

It’s remarkable that these guidelines took so long to surface given the UK’s long history of consumer protection.

Similarly, the EU has a history of tackling technology giants who impinge on the privacy of individuals (GDPR being the latest culmination), so it’s surprising that a similar code of practice hasn’t emerged from Brussels yet. We can only assume that regulations are ‘in the pipeline.’

As for the IoT layer in the enterprise domain, the IIoT, expect a lot of focus to be driven by governments anxious to protect core businesses and infrastructure. Oil, gas, power generation, aviation and water industries are all highly dependent on IoT to run their businesses effectively.

These are obviously all vulnerable right now. It’s clear that notice has been given by aggressor states that these infrastructures are eminently hackable. It seems to me that the only thing stopping significant disruption is fear of reprisals.

Take The Sunday Times report in October that claimed British military forces had practised a cyber attack that would ‘plunge Moscow into darkness.’ This attack would be an immediate response if Putin’s forces were to move against the West.

Britain no longer possesses small battlefield nuclear weapons – in the eyes of the UK government and many others, cyberweapons have become the most effective military deterrent.

Source: https://thestack.com/iot/2018/11/22/iot-cybersecurity-where-we-are-and-what-needs-to-change/

In Europe, DDoS attack volumes increased sharply during the third quarter of 2018, according to a new report.

The report from DDoS protection specialist Link11 shows the average attack volume more than doubled in July, August and September, to 4.6 Gbps (up from 2.2 Gbps in Q2).

Attacks are also becoming increasingly complex, with 59 percent of incidents using two or more vectors — up from 46 percent in Q2. The highest-volume attack observed by Link11 in 2018 rose to 371 Gbps in Q3, an increase of 75 percent compared to the maximum of 212 Gbps observed in Q1. In addition, there were a further 35 attacks with bandwidth peaks above 100 Gbps.

Multivector attacks, which accounted for 59 percent of all attacks in Q3, were also a major threat. 37 percent of all attacks in Q3 featured 3 different vectors – more than double the number of triple-vector attacks seen in Q2 (16 percent).

“The structure and composition of DDoS attacks is constantly changing, but the goal remains the same: to interrupt servers, networks or data streams,” says Aatish Pattni, regional director UK and Ireland for Link11. “Over half of attacks during Q3 were multi-vector, making them harder to defend against, and they are growing in volume, too, meaning they can easily overwhelm defenses. To stop these attacks disrupting business operations, organizations need proactive protection that tracks and responds to evolving attack scenarios and patterns automatically, using advanced machine-learning techniques.”

The report also reveals that attacks are most frequent on Fridays and Sundays, with the level of attacks declining during the business week. Attackers targeted organizations most frequently between 4pm and midnight Central European Time, with attack volumes at their lowest between 5am and 10am CET. The highest number of attacks seen in one day during Q3 was 885, on Friday 17 August.

Source: https://betanews.com/2018/11/20/ddos-attack-volumes-double/

Small and medium-sized businesses are much more at risk of DDoS attacks than many think, according to research by the Dutch domain registrar SIDN and the internet providers group NBIP. The two groups studied the .nl websites affected by such attacks and the organisations behind them. In total, 237 DDoS attacks were identified in the year to June 2018.

Web shops selling consumer goods such as clothes, cosmetics and garden equipment are more likely to be hit by DDoS attacks, the research found. On average the resulting damage costs EUR 1.8 million.

A common cause is the use of shared hosting. To save costs, small online sellers often share a server with other websites. They are then affected if another site on the server is hit by an attack. The chance of collateral damage is 35 times higher in such a case.

The public sector and larger banks remain the most likely target of direct attacks. The study estimates the direct damage cost EUR 59.6 million, while collateral effects cost another EUR 10 million.

The damages are based on the 237 attacks identified and estimates for the consequences if the attacks succeeded. If no protective measures are taken, the total cost to society from DDoS attacks is estimated at EUR 1 billion per year.

Source: https://www.telecompaper.com/news/sidn-nbip-warn-small-businesses-of-increased-risk-of-ddos-attacks–1269808

Resellers that support the retail sector will be keeping a keen eye on how their customers react to the huge amounts of data that will be generated this coming weekend.

Resellers selling into the retail sector are about to go through one of the most stressful weeks of the year as their customers gear up for Black Friday.

With this weekend marking one of the main moments consumers spend big before Christmas, the emphasis might be on getting the best deals, but for those with an eye on the IT, the next few days are going to be about data.

On the one hand that means making use of the data around offers and stock to ensure that customers get current information about what a retailer can offer.

“Last year Black Friday itself was worth a total of £2.5bn in sales to the UK economy. However, if retailers fail to stand out against the intense competition, Black Friday could well be a Bleak Friday for them,” said Chris Haines, director of consulting at Amplience.

“To make the most out of the week and the increasingly important Cyber Monday, retailers should be focusing on their digital content. Retail is steadily marching towards the web, and Black Friday this year will be fought out online and on mobile,” he added.

But it is also about ensuring that data is protected, particularly over some of the busiest days of the year.

“Thanks to the popularity of ecommerce sites and credit card payments, the Black Friday shopping season has become synonymous with a peak in credit card thefts, site spoofing and DDoS attacks. It’s as much an occasion for cyber criminals as it is for consumers looking for a bargain,” said Spencer Young, RVP EMEA at Imperva.

“Retailers must also take responsibility for investing time and effort in testing their security measures ahead of the season,” he added.

There are also dangers that some retailers will get caught out by different shopping patterns, and Ajmal Mahmood, customer solution architect at KCOM, warned against wrongly interpreting the sales that go through the tills.

“Buying habits change during big sales events, with some consumers making more impulse purchases, some stocking up on discounted items and some simply shopping as usual. It’s prudent for retailers to isolate the data collected during sales events, to ensure that they don’t significantly affect their personalisation algorithms across the year,” he said.

Source: https://www.computerweekly.com/microscope/news/252452793/Data-will-be-flowing-through-the-retail-systems-this-Black-Friday