DDoS Defense Archive

An American businessman who co-founded a cybersecurity company has admitted to hiring criminals to carry out cyber-attacks against others.

Tucker Preston, of Macon, Georgia, confessed to having paid threat actors to launch a series of distributed denial-of-service (DDoS) attacks between December 2015 and February 2016.

DDoS attacks prevent a website from functioning by bombarding it with so much junk internet traffic that it can’t handle visits from genuine users.

In a New Jersey court last week, 22-year-old Preston pleaded guilty to one count of damaging protected computers by transmission of a program, code, or command. Preston admitted to causing at least $5,000 of damage to the business he targeted.

“In or around December 2015, Preston arranged for an entity that engages in DDoS attacks to initiate attacks against a company. The entity directed DDoS attacks against the victim company, causing damage and disrupting the victim’s business,” wrote the Department of Justice in a statement released on January 16.

The count to which Preston pleaded guilty is punishable by a maximum penalty of 10 years in prison and a fine of up to $250,000 or twice the gross gain or loss from the offense.

US Attorney Craig Carpenito credited special agents of the FBI, under the direction of Special Agent in Charge Gregory W. Ehrie in Newark, New Jersey, with the investigation that led to Preston’s guilty plea.

The identity of the company that Preston paid criminals to attack has not been revealed, but Carpenito has confirmed that the targeted business had servers in New Jersey.

Preston co-founded the cloud-based internet security and performance company BackConnect Security LLC, which claims to be “the new industry standard in DDoS mitigation” and is currently online using an invalid certificate.

Preston was featured in the 2016 KrebsOnSecurity story “DDoS Mitigation Firm Has History of Hijacks,” which detailed how BackConnect Security LLC had developed the unusual habit of hijacking internet address space it didn’t own in a bid to protect clients from DDoS attacks.

Preston will reappear before the court on May 7 for sentencing.

Source: https://www.infosecurity-magazine.com/news/backconnect-founder-funded-ddos/

Hackers target businesses with malware, for the sake of disrupting their operations, experts claim.

A third of all reported incidents against businesses were caused by ransomware, destructive malware and distributed denial of service (DDoS) attacks, according to cloud-delivered endpoint protection firm CrowdStrike.

The company’s latest cybersecurity report argues that cybercriminals increasingly see business disruption as their main attack objective.

It was also said that they were able to hide their activities from cybersecurity departments much longer – 95 days on average (up from 85 days a year ago). CrowdStrike believes that businesses still lack the technology they need to reinforce their defences, prevent being exploited and mitigate potential risks.

“As adversaries are stealthier than ever, with new attack vectors on the rise, we must remain agile, proactive and committed to defeat them,” commented Shawn Henry, chief security officer and president of CrowdStrike Services.

“They still seek the path of least resistance — as we harden one area, they focus on accessing and exploiting another.”

It added that hackers would often target third-party service providers to create a sort of a force multiplier for the attacks. Cloud infrastructure as a service (IaaS) is often targeted, and Macs are no longer ignored as a platform.

Patching vulnerable systems and software would mitigate many of these problems, but patching remains a pain point, as many organisations don’t have “basic cyber-hygiene”. Even the security systems they have are often not set up properly, and as such aren’t as effective as they could be.

“The failure to enable critical settings not only leaves organizations vulnerable but also gives them a false sense of security,” the report concludes.

Source: https://www.itproportal.com/news/business-disruption-is-now-a-bigger-cyber-threat/

US warns that cyberattacks could be part of Iran’s plans as tensions rise. This is what Iran’s current offensive cyber capabilities look like.

Tensions between the United States and Iran are raised after the killing of Iranian IRGC-Quds Force commander Qassem Soleimani via a US drone strike while he was in Iraq. Iranian leaders have vowed to retaliate against the US, with the US Department of Homeland Security warning that previous Iranian plans have included “cyber-enabled” attacks against a range of US targets.

So, if Iran decided to use cyber means to respond, what would that potentially look like?

Iran has long been seen as one of the four countries that pose the greatest online threats to the US, along with China, Russia and North Korea, and there has been a long history of Iranian cyber intrusions against the US.

In March 2018, the US Department of Justice charged nine Iranians over a giant cyber-theft campaign, stealing more than 31 terabytes of documents and data from more than 140 American universities and 30 American companies.

In March 2016, the US charged seven Iranians over a coordinated campaign of DDoS attacks against 46 companies, mostly in the US financial sector, from late 2011 through mid-2013. At the same time, one man was also charged with gaining unauthorised access to the control systems of the Bowman Dam in Rye, NY.

The February 2014 hacking of the Sands Las Vegas Corporation in Las Vegas, which saw customer data stolen and — according to reports — some computers wiped, was also blamed on Iran.

It’s also worth noting that the US has also used cyberattacks against Iran — most notably the Stuxnet virus, which was designed to damage equipment used in Iran’s nuclear programme, back in 2007. More recently, in June last year, the US attacked the computer systems used by Iran to control missile launches, after Iran shot down a US surveillance drone.

Iran’s capabilities have generally been considered to be more limited than those of Russia and China, but may have expanded recently.

In their most recent global threat assessment — from January last year — US intelligence agencies said that Iran was attempting to build cyber capabilities that would enable attacks against critical infrastructure in the US and elsewhere.

“Iran has been preparing for cyberattacks against the United States and our allies”, said the report, which warned that Iran was capable of causing “localized, temporary disruptive effects.” Those effects could include disrupting a large company’s corporate networks for days to weeks, as in the data-wiping attacks Iran has been accused of conducting against targets in Saudi Arabia.

But that reflects that Iran’s capabilities are limited in contrast to Russia and China, which both have the capacity to disrupt critical infrastructure like gas pipelines or power grids. However, it could be that in the last year Iran has developed its capabilities.

Last week’s warning from the US Department of Homeland Security stated: “Iran maintains a robust cyber program and can execute cyberattacks against the United States,” adding that Iran is capable, at a minimum, “of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.”

A credible offensive actor

The US Cybersecurity and Infrastructure Security Agency (CISA) has also warned that Iran has continuously improved its offensive cyber capabilities, going beyond DDoS and website defacement, and that its hackers have demonstrated a willingness to push further, including “destructive wiper malware and, potentially, cyber-enabled kinetic attacks”.

“Iran is a credible offensive actor in cyberspace having moved in recent years to boost their military capability in this area — in the past, they relied on third-party groups and supportive hackers to carry out attacks,” said Duncan Hodges, senior lecturer in Cyberspace Operations at Cranfield University.

Iran’s cyber capabilities can be broken down into three main areas: espionage, destructive attacks and social media manipulation. (Security companies track different Iranian groups under the advanced persistent threat (APT) model as APT33, APT34, APT35 and APT39, although there could be as many as 10 different Iranian groups in operation.)

It has consistently targeted government officials, government organisations, and companies to gain intelligence either for industrial espionage or to improve its positioning for future attacks.

For example, in October, Microsoft warned that its security team had seen Iranian hackers attack 241 email accounts, including those associated with a US presidential campaign, current and former US government officials, journalists covering global politics, and prominent Iranians living outside Iran. Four accounts were compromised as a result. Iranian hackers have also been accused of trying to steal data from US military veterans and attempting to steal academic research.

Iran launches multiple espionage campaigns every month, said Sherrod DeGrippo, senior director of threat research and detection at security company Proofpoint. But mostly these have involved reconnaissance, stealing data and login details, rather than doing damage.

Their objective – at least in the past – has been to get a foothold inside the organisation, extract the data and keep that foothold for later use, DeGrippo said.

“They are relatively sophisticated but I haven’t seen the deep destructive catastrophic events from those groups,” she said. “They’ve had a lot of access, they’ve done a lot of campaigns, but they’ve been quiet. And so, what’s going to happen now?”

Iran has also used social media campaigns focused on audiences in the US and elsewhere to advance its interests. In October last year, Facebook said it had removed three networks of fake accounts linked to Iran (and one linked to Russia) that had, among other things, pushed content from phoney news organisations.

But it is Iranian hackers’ use of malware that can wipe PCs and hard drives that creates the most serious risk of a destructive attack.

The 2012 attack against the Saudi Aramco oil company using the Shamoon malware is probably the most high-profile cyberattack blamed on Iran and saw at least 30,000 PCs wiped.

Since then, according to tech security companies, updated versions of this wiper malware have been used by Iran-backed hackers (or groups masquerading as Iran-backed hackers) to attack targets in Saudi Arabia and the Middle East.

Last month IBM warned of a new form of wiper malware it called ZeroCleare, which aims to overwrite the Master Boot Record and disk partitions on Windows-based machines. IBM said the malware had been used against the industrial and energy sectors and said that Iran-backed hackers were likely responsible.

“Iran’s history of cyberattacks has been more destructive rather than manipulative. They have looked to destroy and degrade infrastructure and hardware,” said Hodges.

Cyber-espionage alert

All of these different ingredients — digital spying, phishing, social media campaigns and destructive malware — are all potential risks if Iran does decide to use cyber warfare as part of its response.

John Hultquist, director of intelligence analysis at tech security company FireEye, said that a likely first consequence of the current crisis would be an uptick in cyber espionage by Iran.

“They want to know what the US is thinking and how the military is preparing and what our allies are doing. They are going to try to break into the computers belonging to the people who have that information,” he told ZDNet.

While Tehran-backed hacking groups have carried out some attacks against the US previously, like the DDoS attacks against financial institutions, this declined after the Obama-era nuclear deal, after which Iranian hackers turned their attention to targets in the Gulf region, Hultquist said. But the latest incident could cause them to swing their focus back again.

“They have improved since we last saw them in the US,” Hultquist said. “They are very focused on the destructive wiper capability. We’ve seen a lot of incidents of this wiping capability used primarily against critical infrastructure companies.”

Wiper malware is a bit like ransomware in that it goes after the data on the hard disk — but, unlike ransomware, there’s little hope of getting the information back again.

“You can still cause a lot of damage with just wipers and they’ve focused on that and they’ve got really good at it. The real question now is whether or not they are going to turn that against the US or our allies as a result of this operation,” he said.

But it may be that even if Iran-backed hackers do plan destructive attacks, they will focus on US allies in the Gulf region rather than the US itself.

“Although we assess that Iranian actors will continue to target domestic US government, military, and commercial entities for cyberespionage purposes, organizations in the Persian Gulf region are at the greatest risk for destructive cyberattacks,” said cyber security company Recorded Future.

If Iran does decide to step up its cyber campaigns against the US and its allies, the first indication could be a new wave of phishing emails and probing of critical infrastructure companies or other targets.

“That will be our first clue that the status quo has changed,” said Hultquist.

Another thing to watch for, said DeGrippo, is that one of the Iranian groups, known as APT33, has spent years developing sophisticated payloads and PowerShell implants, which could allow them to meddle with critical infrastructure such as financial systems or industrial control systems.

“Those are the kinds of things we’re looking for: are they going to start using these sophisticated PowerShell implant capabilities to get into places that have kinetic capabilities or that have physical real-world impacts,” she said.

If Iran does choose cyber means to launch its response, it could mean the start of a new and darker chapter of the evolution of cyber warfare, according to Hodges.

“Offensive cyber activity has been used in the past to de-escalate tensions and avoid physical military engagement, such as in the US/Iran conflict in the Gulf of Oman last year. With the present conflict we could, for the first time, see cyberattacks used to escalate conflict.”

CISA has a set of recommended actions for organisations to take in the face of potential threats:

  • Disable all unnecessary ports and protocols, review network security device logs and determine whether to shut off unnecessary ports and protocols. Monitor common ports and protocols for command and control activity.
  • Enhance monitoring of network and email traffic, monitor for new phishing themes.
  • Patch externally facing equipment, with a focus on patching critical and high vulnerabilities that allow for remote code execution or denial of service.
  • Limit the usage of PowerShell to only users and accounts that need it, enable code signing of PowerShell scripts, and enable logging of all PowerShell commands.
  • Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organisational network.
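The PowerShell items in the list above (restrict use, require signed scripts, log every command) can be applied on a single Windows host with the script below. This is an added example, not code from CISA or from the article; it uses the documented Group Policy registry locations for PowerShell logging, and `$TranscriptDir` is an assumed local path that should point at protected storage in practice. Run it from an elevated session.

```powershell
# Added example: apply the CISA PowerShell hardening items on one host and
# verify that script block logging is producing events. Not from the advisory.
# Registry paths are the standard policy keys; $TranscriptDir is an assumption.

$PolicyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$TranscriptDir = 'C:\PSTranscripts'   # assumption: point this at a write-only, monitored location

function Set-PolicyValue {
    # Create the policy subkey if needed and write (or overwrite) one value.
    param([string]$SubKey, [string]$Name, $Value, [string]$Type = 'DWord')
    $path = Join-Path $PolicyRoot $SubKey
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. Only run signed scripts. Execution policy is a guard-rail rather than a
#    security boundary, so it is paired with the logging below, not relied on alone.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# 2. Script block logging: every block PowerShell compiles is recorded in
#    Microsoft-Windows-PowerShell/Operational as event ID 4104.
Set-PolicyValue -SubKey 'ScriptBlockLogging' -Name 'EnableScriptBlockLogging' -Value 1

# 3. Module logging for all modules (event ID 4103 records pipeline execution).
Set-PolicyValue -SubKey 'ModuleLogging'             -Name 'EnableModuleLogging' -Value 1
Set-PolicyValue -SubKey 'ModuleLogging\ModuleNames' -Name '*' -Value '*' -Type 'String'

# 4. Transcription: a per-session text record of commands and their output.
Set-PolicyValue -SubKey 'Transcription' -Name 'EnableTranscripting'    -Value 1
Set-PolicyValue -SubKey 'Transcription' -Name 'EnableInvocationHeader' -Value 1
Set-PolicyValue -SubKey 'Transcription' -Name 'OutputDirectory' -Value $TranscriptDir -Type 'String'
if (-not (Test-Path $TranscriptDir)) { New-Item -ItemType Directory -Path $TranscriptDir | Out-Null }

# 5. Verify: a fresh child session should now leave a 4104 event for this probe.
powershell.exe -NoProfile -Command 'Write-Output "logging-probe"' | Out-Null
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 20 |
    Where-Object { $_.Message -like '*logging-probe*' } |
    Select-Object TimeCreated, Id,
        @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(80, $_.Message.Length)) } }
```

The first CISA item, limiting PowerShell to the accounts that need it, is not a registry setting: it is done with application control (AppLocker or Windows Defender Application Control rules on `powershell.exe`), so it is left out of the script. The 4104 and 4103 events are what a SIEM should collect; if the verification step returns nothing, policy from a domain GPO is usually overriding the local keys.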

Source: https://www.zdnet.com/article/hard-disk-wiping-malware-phishing-and-espionage-how-irans-cyber-capabilities-stack-up/

If security incidents in the past few years are any indication, cybersecurity professionals face a bumpy road ahead. While some IT security chiefs are prepared to hang up their boots, many are almost certain their organization is under attack from hackers but they haven’t yet learned of it.

A Bitdefender survey of more than 6,000 infosec professionals in large organizations across the US, EMEA and APAC reveals a continued lack of budget, talent and training, leaving significant room for improvement in 2020.

57% of those surveyed said their organization experienced a breach in the past three years, while 24% had suffered a breach in the first half of 2019. Some 36% of infosec pros who haven’t suffered a cyber-attack in the past few years believe they likely are currently facing one but don’t know about it.

Our research shows no organization is impervious to a data breach, but an understanding of how cybersecurity professionals view risk reveals some clear weak spots — both on the organizational and individual levels.

Asked to name the biggest cyber threat to their organization, 36% answered “phishing/whaling.” In fact, chief information security officers consider today’s landscape a minefield riddled with cyber threats. 29% also cite Trojans as their main concern, while 28% name ransomware. Compliance risks and unpatched software are equally concerning aspects cited by CISOs in the polled geographies. 24% also named DDoS attacks as high risk for their organization.

Ransomware and DDoS attacks are notoriously dangerous for business in today’s digital economy – both threats are immensely disruptive to operations, preventing mission-critical applications from working properly and blocking revenue streams for weeks, even months.

Asked, “What would be the main consequences for your company of being unaware of a currently ongoing breach?” 43% cited business interruptions, followed by reputational costs (38%), loss of revenue (37%), loss of intellectual property (31%), legal fines and penalties (27%), and job loss for responsible IT and C-level execs (23%).

Our research also shows the number of companies falling victim to data breaches has actually decreased over the past three years. However, it’s also true that bad actors are getting better at remaining undetected. It stands to reason that IT departments are also finding it more difficult to tell when data is stolen. And there has been no shortage of security advisories in 2019 reflecting this reality, especially in the healthcare sector.

Source: https://securityboulevard.com/2020/01/a-third-of-infosec-pros-believe-theyre-under-cyber-attack-but-dont-know-yet/

DNS amplification attacks continue to dominate distributed denial-of-service (DDoS) attacks, while mobile devices make up a larger share of traffic.

The number of distributed denial-of-service (DDoS) attacks rose 86% in the third quarter compared to a year ago, with amplification attacks using the domain name system (DNS) remaining the most popular technique for attacking targets.

DNS amplification attacks accounted for 45% of the attacks, while HTTP floods and TCP SYN attacks accounted for 14% and 7.7%, respectively, according to new data published by network security firm Nexusguard.

Mobile devices continued to be a significant source of attack traffic, with 41% of attacks coming from mobile gateways and three-quarters of that traffic coming from Apple iOS devices, according to the Nexusguard report. Internet of things (IoT) devices also continue to be compromised and used by attackers, says Tony Miu, Nexusguard’s research manager.

Mobile devices and Internet-of-things (IoT) devices “are particularly vulnerable — in part due to their always-on nature, in part due to insufficient security configurability,” he says, warning that “the amplification of speed, higher bandwidth, and reduced latency offered by 5G will also create a perfect environment for massive DDoS attacks that leverage enormous botnets comprised of PCs, smartphones, and IoT (devices).”

There were no major shifts in the denial-of-service landscape overall: Attacks tend to peak in the first quarter, decreasing every quarter after that, until attacks end the year on a slightly higher note. That trajectory happened in 2018, and appears to be happening this year. The vast majority — 86% — of attacks lasted less than 90 minutes, and 90% of attacks involved less than 1 Gbps of data.

DNS DDoS via Apple iOS

Mobile devices became a significant vector earlier this year. In the first quarter, more than 60% of application attacks — one of three broad classes of denial-of-service attacks — could be traced back to mobile gateways and either came from a mobile device or a computer connected to a mobile device. The latest quarter underscores that mobile devices have become increasingly used in volumetric and amplification attacks — Nexusguard’s other two broad categories — with mobile devices contributing to those attacks as well.

While Apple devices typically do well security-wise compared to Android, Nexusguard found that 31% of all DNS attacks came from Apple devices, versus 10% from Android devices.

“While Apple has done a great job in managing, checking, and maintaining the security of apps available for download at the App Store, we believe there are a considerable number of iOS devices that were jailbroken, running unauthorized (and) malicious apps that have not been vetted by the App Store,” says Nexusguard’s Miu.

Overall, the company saw a steep rise in DNS amplification attacks. While amplification attacks more than doubled since the same quarter in 2018, DNS amplification attacks — which use the relatively large size of DNS responses to inundate a target — jumped by a factor of 48 in popularity.

The technique gives the attacker a lot of bandwidth for only a little effort, the company stated in its report.

“The target thus receives an enormous amount of responses from the surrounding network infrastructure, resulting in a DDoS attack,” the report said. “Because such a sizable response can be created by a very small request, the attacker can leverage this tactic to amplify attacks with a maximum amplification factor of 54.”

The adoption of DNS security, or DNSSEC, has contributed to that rise, according to Miu. “While it’s true that DNSSEC fixes one problem, it creates another,” he says. “The problem with DNSSEC lies in the exceptionally long responses DNSSEC-enabled servers generate.”
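The two signals a victim network can see in the technique described above are unsolicited DNS responses (replies to queries the host never sent, because the attacker spoofed its address) and a response-to-query byte ratio far above what real lookups produce. The script below, an added example that is not part of the Nexusguard report or the article, runs that check over a constructed flow log; the record format (`ts src sport dst dport bytes`) and all addresses are invented, and the 64-byte query against a 3456-byte response in the usage line is just an illustration of the "factor of 54" quoted above.

```python
"""Victim-side detection of DNS amplification traffic in a flow log.

Added example, not from the Nexusguard report or the article. The log format
(ts src sport dst dport bytes) and the flows below are constructed.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample: one client doing ordinary lookups against a resolver,
# and a second host receiving large DNS responses from five open resolvers
# it never queried (the reflected, spoofed-source pattern).
SAMPLE_FLOWS = """\
# ts src            sport dst            dport bytes
1  203.0.113.10    44312 198.51.100.5   53    64
1  198.51.100.5    53    203.0.113.10   44312 320
2  203.0.113.10    44313 198.51.100.5   53    70
2  198.51.100.5    53    203.0.113.10   44313 410
3  198.51.100.20   53    203.0.113.77   80    3400
3  198.51.100.21   53    203.0.113.77   80    3400
3  198.51.100.22   53    203.0.113.77   80    3400
4  198.51.100.23   53    203.0.113.77   443   3400
4  198.51.100.24   53    203.0.113.77   443   3400
"""


class Flow(NamedTuple):
    ts: int
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated flow records, skipping blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, nbytes = line.split()
        flows.append(Flow(int(ts), src, int(sport), dst, int(dport), int(nbytes)))
    return flows


def amplification_factor(query_bytes: int, response_bytes: int) -> float:
    """Bytes delivered to the victim per byte the sender had to transmit."""
    return response_bytes / max(query_bytes, 1)


def analyze_dns(flows: List[Flow], ratio_threshold: float = 10.0,
                min_reflectors: int = 3) -> Dict[str, dict]:
    """For each host that receives DNS responses: compare response bytes with
    the query bytes that host actually sent, count distinct answering
    resolvers, and count responses with no matching outbound query."""
    query_bytes = defaultdict(int)   # host -> bytes it sent to port 53
    seen_queries = set()             # (host, sport, resolver) pairs it queried
    resp_bytes = defaultdict(int)
    reflectors = defaultdict(set)
    unsolicited = defaultdict(int)

    for f in sorted(flows, key=lambda f: f.ts):   # stable sort keeps log order within a second
        if f.dport == 53:
            query_bytes[f.src] += f.nbytes
            seen_queries.add((f.src, f.sport, f.dst))
        elif f.sport == 53:
            resp_bytes[f.dst] += f.nbytes
            reflectors[f.dst].add(f.src)
            if (f.dst, f.dport, f.src) not in seen_queries:
                unsolicited[f.dst] += 1

    report = {}
    for host, rbytes in resp_bytes.items():
        ratio = amplification_factor(query_bytes[host], rbytes)
        report[host] = {
            "query_bytes": query_bytes[host],
            "response_bytes": rbytes,
            "amplification": round(ratio, 1),
            "reflectors": len(reflectors[host]),
            "unsolicited": unsolicited[host],
            # Both signals together: many bytes per query byte, from many resolvers.
            "suspect": ratio >= ratio_threshold and len(reflectors[host]) >= min_reflectors,
        }
    return report


if __name__ == "__main__":
    print("factor for a 64-byte query answered with 3456 bytes:",
          amplification_factor(64, 3456))
    for host, summary in analyze_dns(parse_flows(SAMPLE_FLOWS)).items():
        print(host, summary)
```

On the constructed input the ordinary client comes out at a ratio of about 5 from a single resolver and is not flagged, while the second host shows five unsolicited responses from five resolvers with no query bytes at all. In a real deployment the same logic would read NetFlow or IPFIX records and the thresholds would be tuned to the site's normal resolver traffic; the unsolicited-response count is the more robust of the two signals because it does not depend on choosing a ratio.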

Along with DNS amplification attacks, single-vector attacks have quickly dominated again. Two-thirds of attacks used only a single technique to flood a target. Another 17% used two vectors, either simultaneously or soon after one another, to confuse defenders. The remaining 17% used three or more vectors.

Much of the rise in single vector attacks is because of attackers’ focus on DNS amplification, Miu says.

China, Turkey, the US, and South Korea topped the list of nations from which attacks emanated, accounting for 63% of attacks tracked by Nexusguard in the third quarter. Three networks, one in Turkey, another in China and the last in Korea, accounted for almost 40% of attacks.

Source: https://www.darkreading.com/attacks-breaches/mobile-devices-account-for-41–of-ddos-attack-traffic/d/d-id/1336635