DDoS Attacks Archive

Additions to the Mirai botnet suggest those behind the automated IoT-based attack tool are turning more to enterprise devices, says a report from Palo Alto Networks.

The company’s Unit 42 threat intelligence division said Monday that new targets of the botnet include the WePresent WiPG-1000 Wireless Presentation system and LG’s Supersign TVs. Businesses that use these devices should make sure they are patched and not running with default passwords.

Also new on the botnet’s list are exploits for D-Link DCS-930L network video cameras, D-Link DIR-645 and DIR-815 home routers, Zyxel P660HN-T routers, and a number of access points and wireless controllers from Netgear.

They join earlier enterprise targets, including products from SonicWall and an exploit for the Apache Struts web framework.

This new Mirai variant also includes more credentials for brute-forcing its way into devices.

And in an ironic twist, the report says the malicious payload was hosted at a compromised website in Colombia belonging to an unnamed electronic security, integration and alarm monitoring company.

“These new features afford the botnet a large attack surface,” says the report. “In particular, targeting enterprise links also grants it access to larger bandwidth, ultimately resulting in greater firepower for the botnet for DDoS attacks.

“These developments underscore the importance for enterprises to be aware of the IoT devices on their network, change default passwords, ensure that devices are fully up-to-date on patches. And in the case of devices that cannot be patched, to remove those devices from the network as a last resort.”

Mirai is a botnet composed of hundreds of thousands of compromised routers, network storage devices, NVRs and IP cameras, used to spread malware and launch distributed denial of service (DDoS) attacks. Some of its biggest DDoS victims have been web hosting provider OVH, DNS provider Dyn and the website of security reporter Brian Krebs.

Three Americans who created the Mirai botnet have been fined, forced to give up cryptocurrency and sentenced to five years’ probation. However, one of the group posted the source code, so criminals have copied it to set up their own versions and continue spreading malware.

Commenting on the two new device targets listed in the Palo Alto report, Lane Thames, senior security researcher at Tripwire, said the news shows the computing industry still has a long way to go in toughening up secure development practices. The two vulnerabilities affecting WePresent and the Supersign TV “are trivial to exploit, but, more concerning, is that they are trivial to prevent. These two vulnerabilities are a classic case of a web application not sanitizing user input (input that a user/attacker can control when interacting with the web application). These two vulnerabilities are very basic and easily addressed with modern development frameworks. Further, organizations developing web-based products should have mechanisms in place to catch such low-hanging “fruit” as this during their development and QA processes.

“Don’t get me wrong,” he added, “developing secure software is hard, and there is no such thing as perfect security, but, we should have graduated beyond this level of trivialness by now.”
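The pattern Thames describes, a web handler splicing a request parameter straight into a shell command, is what sits behind the “command injection” entries in the Unit 42 exploit list. The following is an added example, not code from WePresent, LG, Unit 42 or Tripwire: it models the “ping this host” diagnostic page common on routers and appliances, shows the vulnerable string-building form beside a hardened version, and the function names, the ping command and the hostile inputs are assumptions made for illustration.

```python
"""Command injection in a device web handler: vulnerable form beside the hardened one.

Added example modelled on the 'ping this host' diagnostic pages common in router
and appliance web interfaces. It is not code from WePresent, LG or Unit 42; the
function names and the ping command are assumptions for illustration.
"""
from __future__ import annotations

import ipaddress
import re
import shlex
import subprocess

# One RFC 1123 hostname label: alphanumerics and hyphens, no leading or trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def build_ping_command_unsafe(target: str) -> str:
    """VULNERABLE: the request parameter is spliced into a shell command line,
    the 'web application not sanitizing user input' pattern quoted above.
    Handed to sh -c, '192.0.2.1; cat /etc/passwd' runs the second command too."""
    return f"ping -c 1 {target}"


def is_valid_target(target: str) -> bool:
    """Allow-list check: an IP literal or a plain hostname, nothing else.
    The regex cannot match ';', '|', '$', '`', spaces or quotes, and a leading
    '-' is rejected so the value can never be read by ping as an option."""
    if not target or len(target) > 253:
        return False
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return _HOSTNAME_RE.fullmatch(target) is not None


def build_ping_command_safe(target: str) -> list[str]:
    """HARDENED: validated value passed to the program as its own argv element;
    no shell is involved, so metacharacters carry no meaning even if one slipped through."""
    if not is_valid_target(target):
        raise ValueError(f"invalid target: {target!r}")
    return ["ping", "-c", "1", target]


def build_ping_command_quoted(target: str) -> str:
    """Second line of defence when a shell string is unavoidable: quote the value.
    This stops command injection but NOT argument injection, so keep the allow-list too."""
    return f"ping -c 1 {shlex.quote(target)}"


def run_diagnostic(target: str) -> int:
    """What the handler should execute: argv list, shell=False, bounded runtime."""
    try:
        proc = subprocess.run(build_ping_command_safe(target), shell=False,
                              capture_output=True, timeout=10)
    except FileNotFoundError:
        return 127  # ping binary absent (e.g. inside a container); treat as failure
    except subprocess.TimeoutExpired:
        return 124
    return proc.returncode


if __name__ == "__main__":
    hostile = "192.0.2.1; cat /etc/passwd"
    print("unsafe :", build_ping_command_unsafe(hostile))
    print("quoted :", build_ping_command_quoted(hostile))
    for t in ("192.0.2.1", "router.example", hostile, "-f", "$(reboot)"):
        print(f"{t!r:32} valid={is_valid_target(t)}")
    print("exit status for 127.0.0.1:", run_diagnostic("127.0.0.1"))
```

The allow-list is the real control; `shlex.quote` is shown only because some firmware cannot avoid a shell, and quoting alone still lets an attacker feed the program an unexpected argument. Rejecting a leading hyphen is the small detail a QA checklist for such pages should include, since `ping -f` style argument injection survives naive sanitisation that only strips shell metacharacters.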

Source: https://www.itworldcanada.com/article/murai-botnet-targets-more-enterprise-devices-report/416120

The sharp decline follows an FBI takedown of so-called “booter,” or DDoS-for-hire, websites in December 2018.

The average distributed denial-of-service (DDoS) attack size shrank 85% in the fourth quarter of 2018 following an FBI takedown of “booter,” or DDoS-for-hire, websites in December 2018, researchers report.

Late last year, United States authorities seized 15 popular domains as part of an international crackdown on booter sites. Cybercriminals can pay booter websites (also known as “stresser” websites) to launch DDoS attacks against specific targets and take them offline. Booter sites open the door for lesser-skilled attackers to launch devastating attacks against victim websites.

About a year before the takedown, the FBI issued an advisory detailing how booter services drive the scale and frequency of DDoS attacks. These services, advertised on Dark Web forums and marketplaces, can be used to legitimately test network resilience, but they also make it easy for attackers to launch DDoS attacks using existing networks of infected devices.

The shutdown of prominent booter sites made a pronounced difference in DDoS attack trends for the fourth quarter of 2018, researchers report in Nexusguard’s DDoS Threat Report 2018 Q4. During the most recent quarter, the number of DDoS attacks fell nearly 11% year-over-year, and the maximum attack size decreased nearly 24%. The biggest difference was in average attack size, which dropped 85%.

Booter sites are the origin for many DDoS attacks as they make it “fairly simple” for amateur hackers to take down websites, explains Donny Chong, product director at Nexusguard. While the shutdown of booter sites had a positive effect on DDoS trends year-over-year, the growing prevalence of the “bit-and-piece” technique caused attacks to grow quarter-over-quarter.

The bit-and-piece tactic avoids detection by injecting small amounts of junk traffic into legitimate traffic across hundreds of IP prefixes, Chong explains. Because each piece is small, adversaries avoid tripping the alarms that a large traffic spike against a single address would set off. Between the third and fourth quarters of 2018, this method caused the number of attacks, and the maximum and average attack sizes, to increase 36%, 49%, and 3.75%, respectively, Nexusguard researchers found.

Nexusguard first noticed the bit-and-piece trend in the third quarter, when it was the focus of its threat report. Unlike a typical DDoS attack, in which an actor identifies and targets a particular IP address, bit-and-piece attacks are spread across multiple IP addresses on the same prefix. Diffusing the traffic this way can cause service providers to miss large-scale DDoS attacks in progress.

SSDP Amplification Attacks Ramp Up
SSDP amplification attacks are the most popular bit-and-piece attack vector and increased by 3,122% year-over-year and 91.2% quarter-over-quarter, Nexusguard reports. This type of attack, which made up 48.3% of DDoS attacks overall, is launched over UDP by reflecting traffic off Universal Plug and Play devices (printers, webcams, routers and servers, for example): the attacker sends small SSDP discovery requests with the victim’s address spoofed as the source, and the devices’ much larger responses are delivered to the victim.
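Why a per-address threshold misses bit-and-piece traffic, and what a prefix-level check adds, is easier to see on data. The block below is an added example, not Nexusguard’s code or a description of its product: it aggregates NetFlow-style records (the record layout is an assumption) per destination /24, alerts when the prefix total is large although no single member address crosses the per-IP limit, and labels the dominant reflector source port so the vector is known. It covers the SSDP vector discussed here and, with the same logic, the memcached amplification mentioned in the Positive Technologies item further down; the sample window is constructed, not real telemetry.

```python
"""Bit-and-piece reflection-flood detector over NetFlow-style records.

Added example, not Nexusguard's code. Record layout is an assumption:
    <epoch> <src_ip> <src_port> <dst_ip> <dst_port> <proto> <bytes>
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network

# UDP source ports of the reflection vectors named on this page.
REFLECTOR_PORTS = {1900: "SSDP", 11211: "memcached"}


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse whitespace-separated records; '#' lines are comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, nbytes = line.split()
        flows.append(Flow(int(ts), src, int(sport), dst, int(dport), proto.lower(), int(nbytes)))
    return flows


def detect_volumetric(flows: list[Flow], per_ip_limit: int) -> dict[str, int]:
    """Classic per-destination threshold: the check bit-and-piece is built to slip under."""
    per_ip: dict[str, int] = defaultdict(int)
    for f in flows:
        per_ip[f.dst] += f.nbytes
    return {ip: b for ip, b in per_ip.items() if b > per_ip_limit}


def detect_bit_and_piece(flows: list[Flow], per_ip_limit: int, prefix_limit: int,
                         prefix_len: int = 24) -> dict[str, dict]:
    """Aggregate per destination prefix. Alert when the prefix total exceeds
    prefix_limit while every member address stays at or under per_ip_limit,
    and report the dominant reflector source port as the vector."""
    per_prefix_ip: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    per_prefix_vector: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        pfx = str(ip_network(f"{f.dst}/{prefix_len}", strict=False))
        per_prefix_ip[pfx][f.dst] += f.nbytes
        vector = REFLECTOR_PORTS.get(f.sport, "other") if f.proto == "udp" else "other"
        per_prefix_vector[pfx][vector] += f.nbytes
    alerts = {}
    for pfx, members in per_prefix_ip.items():
        total = sum(members.values())
        loudest = max(members.values())
        if total > prefix_limit and loudest <= per_ip_limit:
            vector, vbytes = max(per_prefix_vector[pfx].items(), key=lambda kv: kv[1])
            alerts[pfx] = {
                "total_bytes": total,
                "targets": len(members),
                "loudest_target_bytes": loudest,
                "vector": vector,
                "vector_share": round(vbytes / total, 2),
            }
    return alerts


def build_sample() -> str:
    """Constructed 10-second window (not real telemetry): a busy but legitimate
    web server, one conventional single-target flood, and an SSDP reflection
    flood spread thinly across 40 hosts of 198.51.100.0/24."""
    lines = [
        "# ts src sport dst dport proto bytes",
        "1700000000 192.0.2.7 51000 203.0.113.10 443 tcp 400000",
        "1700000005 192.0.2.9 51001 203.0.113.10 443 tcp 400000",
        "1700000003 100.64.9.9 1900 203.0.113.50 40001 udp 6000000",
    ]
    for i in range(1, 41):
        # reflected SSDP replies: UDP from source port 1900, 200 kB per target
        lines.append(f"{1700000000 + i % 10} 100.64.{i}.{i} 1900 198.51.100.{i} {40000 + i} udp 200000")
    return "\n".join(lines)


if __name__ == "__main__":
    flows = parse_flows(build_sample())
    print("per-IP alerts       :", detect_volumetric(flows, per_ip_limit=1_000_000))
    print("bit-and-piece alerts:", detect_bit_and_piece(flows, 1_000_000, 5_000_000))
```

On the constructed window the per-IP detector reports only the single-target flood against 203.0.113.50, while the 8 MB of SSDP replies spread 200 kB apiece over 40 hosts in 198.51.100.0/24 surface only through the prefix check. In production the thresholds would be rates learned per prefix rather than fixed byte counts, and the vector label is what tells the operator whether to filter UDP/1900 or UDP/11211 at the edge.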

Source: https://www.darkreading.com/vulnerabilities—threats/ddos-attack-size-drops-85–in-q4-2018/d/d-id/1334197

VANCOUVER, British Columbia, March 19, 2019 /PRNewswire/ — DOSarrest Internet Security announced today that it has released a new service offering called DOSarrest Traffic Analyzer (DTA). The service allows subscribers to send NetFlow, sFlow or J-Flow data from their routers and switches to DOSarrest’s big data cluster, then log in to their portal and see graphically what types and volumes of traffic are flowing in and out of their networks in near real time. Using this traffic intelligence, network operators can pinpoint the cause of any congestion and create their own ACLs to whitelist or blacklist any malicious networks. It gives engineers the intelligence they need to understand how their network is being used and for what purpose.

Some of the real-time and historical information available graphically in the dashboard includes:

Top 10 Source Countries
Top 10 Source Networks
Top 10 Source ASNs
Top 10 Source Netblocks
Top 10 Destination IPs
Top 10 Protocols and Ports

DOSarrest CTO, Jag Bains states, “I have been running Internet backbones for over 20 years and having something that is this cost effective has always been a problem, most solutions require expensive hardware and licensing or extensive software development. Setup is easy with DTA, just add 1 line to the router config and you’re done.”

The new service can also be combined with DOSarrest’s existing DDoS protection service for network infrastructure, so that customers, using the same dashboard, can automatically stop any DDoS attack on their data center or corporate network.

CEO Mark Teolis adds, “This service is really in its infancy, we are already working on version 2 and we plan on releasing a new version every 90 days thereafter. Once the network flow information is in the big data platform, there’s so much that can be done to extract network intelligence, it’s almost impossible to predict today what and how it can help network operators going forward. We are starting to test with some machine learning models to see what it can do.”

About DOSarrest Internet Security:
DOSarrest, founded in 2007 in Vancouver, B.C., Canada, specializes in fully managed cloud-based Internet security services including DDoS protection services, Data Center Defender (DCD), Web Application Firewall (WAF), DDoS attack testing, as well as cloud-based global load balancing.

More information at http://www.DOSarrest.com

Source: https://www.prnewswire.com/news-releases/dosarrest-launches-new-cloud-based-network-traffic-analyzer-service-300814472.html

A new Mirai variant comes with eleven new exploits, the enterprise-grade WePresent WiPG-1000 Wireless Presentation system and the LG Supersign TV being the most notable new devices targeted.

A previous report by Palo Alto Networks’ Unit 42, from September 2018, saw a strain of the Mirai botnet switch targets to attack Apache Struts servers using the exploit also employed in the 2017 Equifax breach, while a new Gafgyt version was observed attacking SonicWall firewalls, as part of a larger move against enterprise assets.

In both cases, the Unit 42 researchers saw exploits for older, already-patched vulnerabilities used in the attacks, suggesting the threat actors are trying to make their work easier by compromising devices left unpatched against severe flaws such as CVE-2017-5638 in Apache Struts.

Mirai attacks against enterprise devices mounting up

This time, besides its usual marks (routers, network video cameras, modem routers and wireless controllers), the Mirai version detected in January 2019 also scans for and exploits LG Supersign TVs and WePresent WiPG-1000 Wireless Presentation systems found in enterprise environments.

With the 11 exploits its operators have added, the total now reaches 27. Unit 42 also found the botnet’s malicious payload hosted on the server of a Colombian company which, ironically, provides “electronic security, integration and alarm monitoring” services.

“These new features afford the botnet a large attack surface. In particular, targeting enterprise links also grants it access to larger bandwidth, ultimately resulting in greater firepower for the botnet for DDoS attacks,” according to Unit 42.

Vulnerability                                  | Affected devices
-----------------------------------------------|-------------------------------------------------------------------------------------
CVE-2018-17173                                 | LG Supersign TVs
WePresent WiPG-1000 Command Injection          | WePresent WiPG-1000 Wireless Presentation systems
D-Link DCS-930L Remote Command Execution       | D-Link DCS-930L Network Video Cameras
D-Link diagnostic.php Command Execution        | D-Link DIR-645, DIR-815 Routers
Zyxel P660HN Remote Command Execution          | Zyxel P660HN-T routers
CVE-2016-1555                                  | Netgear WG102, WG103, WN604, WNDAP350, WNDAP360, WNAP320, WNAP210, WNDAP660, WNDAP620 devices
CVE-2017-6077, CVE-2017-6334                   | Netgear DGN2200 N300 Wireless ADSL2+ Modem Routers
Netgear ProSafe Remote Command Execution       | Netgear ProSafe WC9500, WC7600, WC7520 Wireless Controllers

Newly added exploits

The new Mirai variant spotted by Unit 42 also comes with a handful of new features:

Mirai is a self-propagating botnet created by Paras Jha, Josiah White and Dalton Norman, originally designed to target Internet of Things (IoT) devices such as routers, digital video recorders and IP cameras, turning them into “bots” upon successful compromise, which can later be used as sources for large-scale distributed denial of service attacks.

During 2016, some malicious actors advertised huge Mirai botnets of hundreds of thousands of infected devices, capable of DDoS attacks over 650 Gbps, and managed to impact hundreds of thousands of devices [1, 2] in a single campaign.

Mirai still going strong despite its creators getting caught

It all started after Jha posted Mirai’s source code on a hacking forum in 2016. Since then, other bad actors have used the code he shared as a starting point for numerous other botnets, most of them at the same level of sophistication but, once in a while, adding newer and more complex attack tools [1, 2, 3, 4, 5, 6].

While their “masterpiece” is still being improved by others and is still going strong, as Unit 42’s newest report on the new Mirai variant shows, Jha, White and Norman pleaded guilty for their role in the creation of the malware in December 2017, after Jha was first questioned by the FBI in January 2017 and US authorities charged all three of them in May 2017.

Paras Jha was separately sentenced in October 2018, in a New Jersey case over DDoS attacks on Rutgers University’s network, and ordered “to pay $8.6 million in restitution and serve six months of home incarceration,” according to a DoJ release from October 26, 2018.

For Mirai itself, the three were sentenced in September 2018 to five years of probation and 2,500 hours of community service, ordered to pay $127,000 in restitution, and required to give up the cryptocurrency seized during the investigation. Jail time was left out of the sentence because they had assisted the FBI in other cybercrime investigations.

Source: https://www.bleepingcomputer.com/news/security/new-mirai-variant-comes-with-27-exploits-targets-enterprise-devices/

Hackers are increasingly trying to steal data instead of money from victims, according to Positive Technologies.

DDoS attacks are becoming more powerful, according to a Monday report from Positive Technologies. The year 2018 saw the two biggest DDoS attacks in history, peaking at 1.35 and 1.7 terabits per second, with attackers abusing exposed memcached servers to amplify their traffic, the report found.

Government institutions and IT companies were the most common targets of DDoS attacks in Q4 2018, according to the report.

Cybercriminals are increasingly motivated by data theft, rather than solely direct monetary theft. Of all attacks in 2018, 42% were motivated by access to information, 41% by financial profit, 15% by hacktivism, and 2% by cyberwar, the report found.

However, it should be noted that many hackers steal data in order to later steal money, blackmail someone, or sell it on the Dark Web, the report noted. Hacking a computer system can also be the first step in a major fraud scheme, or a tool in a cyberwar, it said.

Malware was used in 56% of all attacks, as malicious software is increasingly available, reducing the barrier to entry for criminals, according to the report.

The number of unique cybersecurity incidents grew by 27% in 2018 over 2017, with no signs of slowing down, it noted.

Cybersecurity predictions

Positive Technologies researchers made the following predictions for the rest of 2019 when it comes to the cybersecurity landscape:

  • DDoS attacks will become more powerful because of the growth of botnets and use of new techniques and exploits. The growing malware marketplace will also make it easier for even low-skill hackers to complete attacks.
  • Data theft attacks will continue to grow, as criminals hack poorly protected systems to steal personal, medical, and payment information. Businesses that lack strong security measures, including service companies, educational institutions, healthcare institutions, and retailers, will be particularly at risk.
  • Cryptomining attacks will continue to be less profitable than they were in the past, and will continue to decline if cryptocurrency prices do as well.

Source: https://www.techrepublic.com/article/ddos-attacks-on-the-rise-largest-attack-ever-hit-1-7-tbsecond/