Hackers utilise Thingbots to launch IoT attacks

Internet of Things (IoT) devices are now cybercriminals’ top attack target and have managed to surpass web, application services and email servers according to new research from F5 Labs.

The fifth volume of the security firm’s The Hunt for IoT report found that thirteen Thingbots, IoT devices that have become part of a botnet, were discovered during the first half of 2018.

During the past 18 months Spain was the country most under attack, enduring a remarkable 80 per cent of all monitored IoT attack traffic between January 1st and June 30th of last year. Russia, Hungary, the US and Singapore were also under consistent pressure from IoT attacks.

A majority of the attacks in the first half of last year originated in Brazil (18%) with China being the second biggest culprit (15%) followed by Japan (9%), Poland (7%), the US (7%) and Iran (6%).

Rise of the Thingbots

While DDoS attacks remain the most utilised attack method, hackers began adapting Thingbots to perform additional tactics including installing proxy servers to launch attacks from, crypto-jacking, installing Tor nodes and packet sniffers, DNS hijacks, credential collection, credential stuffing and fraud trojans.

Hackers commonly used global internet scans searching for open remote administration services to discover and then infect IoT devices.

Telnet and Secure Shell (SSH) were the most popular, followed by the Home Network Administration Protocol (HNAP), Universal Plug and Play (UPnP), the Simple Object Access Protocol (SOAP) and various other Transmission Control Protocol (TCP) ports used by IoT devices.
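The recruitment scans described above leave a characteristic trace in firewall logs: one source touching many hosts on the same handful of administration ports. The following is an added detection example (not code from F5 Labs or the article); the log format, the port-to-service mapping, the threshold and the sample log lines are constructed assumptions.

```python
"""Flag sources that sweep many hosts on the remote-administration services
the report lists (Telnet, SSH, HNAP, UPnP, SOAP).

Added example, not part of the report or the article.  The log format, the
port-to-service mapping, the threshold and the log lines are constructed.
"""
from collections import defaultdict
import re

# Assumption: usual ports for the listed services.  HNAP and SOAP ride over
# HTTP, so hits on 80/8080 are counted as "http-admin".
ADMIN_PORTS = {
    23: "telnet", 2323: "telnet-alt", 22: "ssh",
    1900: "upnp-ssdp", 80: "http-admin", 8080: "http-admin",
}

# Assumed firewall log shape: "<ts> <ALLOW|DENY> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(lines):
    """Yield (src, dst, dport) for well-formed lines; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], m["dst"], int(m["dport"])


def find_scanners(lines, min_targets=5):
    """Return sources that touched at least `min_targets` distinct hosts on
    admin ports, with the services they probed.  Breadth is the tell: an
    administrator talks to a few devices, a recruitment scan walks the range."""
    targets = defaultdict(set)
    services = defaultdict(set)
    for src, dst, dport in parse(lines):
        if dport in ADMIN_PORTS:
            targets[src].add(dst)
            services[src].add(ADMIN_PORTS[dport])
    return {
        src: {"targets": len(hosts), "services": sorted(services[src])}
        for src, hosts in targets.items()
        if len(hosts) >= min_targets
    }


def constructed_log():
    """Constructed sample: 198.51.100.7 sweeps Telnet and SSH across eight
    hosts, 198.51.100.8 sweeps UPnP across six, 203.0.113.9 is one admin
    using SSH to a single device many times, plus one malformed line."""
    ts = "2019-01-10T10:00:00"
    lines = [f"{ts} DENY 198.51.100.7:40001 -> 10.0.0.{i}:23" for i in range(1, 9)]
    lines += [f"{ts} DENY 198.51.100.7:40002 -> 10.0.0.{i}:22" for i in range(1, 4)]
    lines += [f"{ts} DENY 198.51.100.8:50000 -> 10.0.0.{i}:1900" for i in range(10, 16)]
    lines += [f"{ts} ALLOW 203.0.113.9:5100{i} -> 10.0.0.1:22" for i in range(10)]
    lines.append("not a log line")
    return lines


if __name__ == "__main__":
    for src, info in find_scanners(constructed_log()).items():
        print(f"{src}: {info['targets']} hosts via {', '.join(info['services'])}")
```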

Senior EMEA Threat Research Evangelist at F5 Networks, David Warburton explained why organisations should prepare themselves for future IoT attacks, saying:

“We are stuck with over 8 billion IoT devices around the world that, for the most part, prioritise access convenience over security. Organisations need to brace themselves for impact, because IoT attack opportunities are virtually endless and the process of building Thingbots is more widespread than ever. Unfortunately, it is going to take material loss of revenue for IoT device manufacturers, or significant costs incurred by organisations implementing these devices, before any meaningful security advances are achieved. Therefore, it is essential to have security controls in place that can detect bots and scale to the rate at which Thingbots attack. As ever, having bot defense at your application perimeter is crucial, as is a scalable DDoS solution.”

Source: https://www.techradar.com/news/iot-devices-now-top-priority-for-cybercriminals

DDoS (Distributed Denial of Service) attacks can be defined as the exclusive appropriation of a resource or service with the intention of preventing any third party from accessing it. The definition also covers attacks intended to collapse a resource or system in order to destroy the service or resource. DoS attacks are a natural consequence of the Internet’s own architecture. Carrying out this type of attack does not require great knowledge, and it is less risky than a direct attack against a server, because the attacker uses intermediate equipment and can then erase their traces.

For example, if a server has a bandwidth of 1 Mbps and a user has a bandwidth of 30 Mbps, that user could deny service to the server by making so many requests that the server’s bandwidth is exhausted. There are three basic types of denial of service:

  • Resource consumption: The attacker tries to consume the resources of the server until they are exhausted: bandwidth, CPU time, memory, hard disk …
  • Destruction or alteration of the configuration: An attempt is made to modify the information on the machine. These attacks require more sophisticated techniques.
  • Destruction or physical alteration of the equipment: An attempt to deny the service by physically destroying the server or some of its components, or by cutting the network or power cable.

We will focus on the first type of attack.

The proliferation of tools has grown thanks to the emergence of communities of intruders who, with a great deal of organization and very short turnaround, move their tools from a beta version to a final version. This makes them increasingly difficult to deal with. The tools used to create DDoS attacks are increasingly simple and easy to use for less experienced users, which also increases the number of attacks and the damage they cause.

Motivated by both financial and political reasons, DDoS attacks are becoming more prevalent. Although a first attack can occur at random, attacks occur frequently when an attacker with specific knowledge of a high value target’s service decides to take it offline. This can cause panic and lead to costly decisions, including the payment of a ransom, to make stopping the attack a priority.

If we analyze how DDoS works, we realize that there are no 100% reliable solutions against it. Current solutions are based on classic firewalls and intrusion detection systems.

The following are 10 steps to mitigate DDoS attacks:

Check the attack

Not all interruptions are caused by a DDoS attack. Incorrect DNS settings, routing problems and human error are common causes of network interruptions. First, system admins have to rule out these non-DDoS causes and distinguish an attack from an ordinary interruption. The quicker it is verified that the service interruption is a DDoS attack, the faster a response can be established. Even if the interruption was not caused by a misconfiguration or another kind of human error, there may be other explanations that resemble a DDoS attack.

Contact the team leaders

Once the attack has been verified, contact the leaders of the relevant teams. If there is no quick reference sheet or contact list prepared in advance, create one now; it can serve as a template going forward. When a service interruption occurs, the organization may convene a formal conference call that includes several of the operations and application teams. If the organization has a procedure of this kind, use this meeting to officially confirm the DDoS attack to the team leaders.

Define application hierarchy

Once the attack has been confirmed, reclassify the applications. When facing an intense DDoS attack with limited resources, organizations must make decisions based on the defined hierarchy. The online assets of highest value usually also generate the highest gains; these are the applications firms usually want to keep alive. Lower value applications, regardless of their level of legitimate traffic, must be disabled intentionally so that processing, resource use and network capacity can be allocated to the higher value application services. Seek the opinion of team leaders before doing this.

Protect fellow associates and remote users

It is very likely that there are fellow employees or clients who require access to applications or networks. If it has not already been done, collect the IP addresses they always use and define access control based on them; this list needs to be regularly reviewed. The white list may have to be distributed to several places within the network, such as the firewall, the Application Delivery Controller (ADC) and possibly even the service provider, to ensure that traffic to and from those addresses is not disrupted. Many companies put TLS VPN users on white lists or give them quality of service. Usually this is achieved in an integrated firewall/VPN server, which can be of great importance if you have a significant number of remote employees.

Identify the attack

Now is the time to gather technical intelligence about the attack. The first question to ask is: “What are the attack vectors?” If the attack is only volumetric, the Internet Service Provider will have informed the sysadmin and may already have taken action to remedy the DDoS attack. Well-equipped organizations, however, use existing monitoring solutions such as deep packet capture devices for a deeper probe.

Evaluate mitigation options by source address

If step 5 above has identified that the campaign uses advanced attack vectors that the service provider cannot mitigate (such as zero-day attacks, attacks on application vulnerabilities or SSL injection scenarios), then the next question is: “How many sources are there?” If the list of aggressor IP addresses is small, the firewall can block them all. Another option is to ask the ISP to block the IP ranges of those targeting the local network. The list of aggressor IP addresses may be too big to block in the firewall: each address added to the block list adds processing and increases CPU utilization. It is still possible to block the attackers if they are all found in the same geographical region, or within a few regions, which can be blocked temporarily.

Mitigate application-specific attacks through patching

If the issue has reached this step, then the DDoS attack is sophisticated enough to make mitigation by source address ineffective. Attacks in this category may have been generated by DDoS tools of varying quality, many of which are open source. These attacks look like normal traffic at layer 4, but they have anomalies that disrupt services at the server, application or database level.

Increase the security posture of applications

If this step is reached in a DDoS attack, layers 3 and 4 have already been mitigated, mitigations for application-specific attacks have been evaluated, and the organization continues to experience problems. This means that the attack is relatively sophisticated, and the ability to mitigate it will depend in part on the target applications. It is very likely that the organization is facing one of the most difficult modern attacks: the asymmetric attack on applications.

The best defense against these asymmetric attacks depends on the application. For example, organizations like financial institutions know their customers and are able to use logon barriers to reject anonymous requests. Entertainment industry applications such as hotel websites, on the other hand, often do not know the user who is about to make a reservation. For them, a CAPTCHA can be a better deterrent.

Limit resources

If all previous steps fail to stop the DDoS attack, the system admin may be forced to simply limit resources to survive the attack. This technique rejects both good and bad traffic. In fact, limiting capacity in many cases rejects 90 to 99 percent of desirable traffic while still allowing the aggressor to drive up the data center’s operating costs. For many organizations it is better to disable an application than to accept defeat and unfairly increase operating costs, such as spending a lot on a bigger bandwidth allocation.

Manage public relations

Financial organizations, in particular, may have internal liability policies that prevent them from admitting when an attack is happening. This can become a complicated situation for the person responsible for public relations. Reporters, however, may not accept this type of evasion, especially if the site seems to be completely out of order. The organization may do the following:

  • For the press. If industry policies allow the organization to admit when it has been attacked from the outside, do so and be frank about it. If a policy dictates that the firm must divert questions, argue cleverly against a mostly IT-ignorant press, but be sure to prepare for the next press release. However, this is rather unlawful nowadays because of the security and privacy laws operating in many territories, such as the European Commission’s GDPR (General Data Protection Regulation) and similar laws.
  • For internal staff, including anyone who could be contacted by the press. The firm’s internal communication team should give directions about what to say and what not to say to the media. Or better yet, tell staff members to direct all questions related to the event to the person in charge of public relations, and include their contact number.
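Steps 1, 4, 6 and 8 above are decisions a responder has to make quickly from request logs: is the surge really an attack, which addresses must never be blocked, and whether per-source blocking, regional blocking or rate limiting is the realistic option. The triage helper below is an added example (not code from the article); the access-log format, the baseline rate, the firewall block-list budget, the IP-to-region table and the sample log lines are all constructed assumptions.

```python
"""Triage helper for steps 1, 4, 6 and 8 of the DDoS playbook above.

Added example, not from the article.  Log format, baseline rate, firewall
budget, region table and the log lines are constructed assumptions.
"""
from collections import Counter
import re

# Assumed access-log shape (common log format prefix): ip - - [ts] "req" status
LINE_RE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def source_counts(lines):
    """Requests per source IP over the well-formed lines in `lines`."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            counts[m["ip"]] += 1
    return counts


def looks_like_ddos(counts, window_s, baseline_rps, factor=10):
    """Step 1: call the outage a DDoS only when the observed request rate is
    `factor` times the normal baseline.  A DNS or routing fault shows up as a
    drop in traffic, not a surge."""
    observed_rps = sum(counts.values()) / window_s
    return observed_rps >= factor * baseline_rps


def offenders(counts, allowlist, per_source_threshold):
    """Step 4: partner and remote-user addresses on the allowlist are never
    candidates for blocking, however much they send."""
    return {ip: n for ip, n in counts.items()
            if ip not in allowlist and n >= per_source_threshold}


def choose_mitigation(offending, region_of, fw_budget, geo_share=0.9, max_regions=3):
    """Steps 6 and 8: block individual sources while the list fits the
    firewall's budget; otherwise block the few regions holding most of the
    sources; otherwise fall back to rate limiting, which sheds good traffic too."""
    if not offending:
        return ("none", [])
    if len(offending) <= fw_budget:
        return ("block-sources", sorted(offending))
    by_region = Counter(region_of.get(ip, "unknown") for ip in offending)
    chosen, covered = [], 0
    for region, n in by_region.most_common():
        if region == "unknown" or len(chosen) == max_regions:
            continue
        chosen.append(region)
        covered += n
        if covered / len(offending) >= geo_share:
            return ("block-regions", chosen)
    return ("rate-limit", [])


# Constructed allowlist (step 4) and region table (step 6).
PARTNERS = {"192.0.2.1", "192.0.2.2", "192.0.2.3"}
REGION_OF = {f"198.51.100.{i}": ("AA" if i <= 11 else "BB") for i in range(1, 13)}


def constructed_log():
    """Constructed sample: 3 partner hosts sending 50 requests each, 12
    attacking hosts sending 400 each (11 in region AA, 1 in BB), one junk line."""
    ts = "10/Jan/2019:10:00:00 +0000"
    lines = []
    for i in range(1, 4):
        lines += [f'192.0.2.{i} - - [{ts}] "GET /api HTTP/1.1" 200'] * 50
    for i in range(1, 13):
        lines += [f'198.51.100.{i} - - [{ts}] "GET / HTTP/1.1" 503'] * 400
    lines.append("garbage line")
    return lines


def triage(lines, window_s=60, baseline_rps=5.0, fw_budget=10):
    """Run the decision chain over one log window and return (action, detail)."""
    counts = source_counts(lines)
    if not looks_like_ddos(counts, window_s, baseline_rps):
        return ("not-a-ddos", [])
    return choose_mitigation(offenders(counts, PARTNERS, 100), REGION_OF, fw_budget)


if __name__ == "__main__":
    print(triage(constructed_log()))
```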

Source: https://hackercombat.com/10-masterful-steps-in-combating-denial-of-service-attacks/

The breathtaking pace at which everyone and everything is becoming connected is having a profound effect on digital business, from delivering exceptional experiences, to ensuring the security of your customers, applications, and workforce.

Consider this: There are over 20 billion connected devices and more than 2 billion smartphones in use today. Gartner predicts that by 2022, $2.5 million will be spent every minute in the IoT and 1 million new IoT devices will be sold every hour.

No longer can you secure the perimeter or a centralized core and trust that nothing will get in or out. Effective security depends on an in-depth strategy – from the core to the edge – that enables you to protect your most valuable assets by implementing proactive protection closer to the threats and far away from your end users.

The Evolution of a Digital Topology

Centralized computing systems were never an extraordinarily efficient or cost-effective way to process huge volumes of transactional data for throngs of online users concurrently. The search for more engaging experiences at digital touchpoints paved the way for cloud and distributed computing to exploit parallel processing technology in the marketplace.

This worked for a while, until streaming video and other rich media became the norm across the Internet and users had very little tolerance for glitches or latency. The problem is, dragging every experience back and forth to a centralized cloud doesn’t resolve the critical issues of capacity and traffic pile ups.

It’s one of the great misconceptions of the Internet that “the last mile” is the bottleneck. The issue instead lies within the cloud data centers and backbone providers, which typically only have a few hundred Tbps capacity – not enough to deliver the kind of experiences or security your customers expect.

The demand for more real-time business moments between things and people at digital touchpoints is pushing us all toward the edge. Which is a good thing. It’s already expanding business opportunities, and fundamentally changing how we live, interact, shop, and work.

It’s forcing businesses to adapt, either by pushing faster development, becoming more agile in their processes, favoring faster features over perfect features, or all three. The problem is, security teams aren’t currently set up to handle this kind of disruption on top of the need to monitor, develop insights, and adapt processes based on soak time they simply don’t have anymore.

All the while, attacks continue to grow and target with more precision. Trust based on a single network location is no longer enough.

Enter Security at the Edge

Security at the edge is an approach to defending your business, your customers – all of your users – from security threats by deploying defense-in-depth measures closer to the point of attack and as far away from your assets (your people, applications, or infrastructure) as possible. Security at the edge allows InfoSec pros to address three critical security imperatives.

1. Scale

We live in a time when attackers hold unprecedented power and there’s simply no way to summon the capacity you need to defend yourself in a data center. Even the largest cloud data centers can be overwhelmed by the attacks we’re seeing. And even if it were physically possible to equip the cloud data center with enough capacity, the cost would be prohibitive.

This is becoming an even more widespread problem with the rise of IoT. There are now billions of devices connected at the last mile, with powerful CPU and little or no security.

The only way to prevent this is by intercepting the enormous volumes of attack traffic at the edge, where there is the capacity to mount a viable defense and stop attacks from reaching and swamping your data centers.

2. Intelligence

It’s now imperative that you protect applications and APIs deployed anywhere – in your data centers or in the public cloud – with DDoS protection, web app firewall, and bot management. An intelligent defense strategy has become more important as more people than ever are accessing your apps through APIs from mobile devices. What’s more, the millions of bots being deployed by malicious actors are becoming extremely sophisticated at evading traditional defenses.

But protecting your apps, APIs and users is about more than just capacity, it requires cutting edge threat intelligence. Threat intelligence should leverage a multilayered approach of machine learning and human intelligence where both data scientists and algorithms perform statistical, trend, and pattern analysis of structured and unstructured data to identify and mitigate new attack vectors before anybody else. The key is that this is all happening at the edge, closer to the attack point and farther away from you and your end users.

3. Expertise

Nothing tops human expertise. Not only do you need the network capacity that the ever-growing threat of volumetric DDoS attacks demands, but you also need the expertise to understand what the data, the patterns, and the anomalies are telling you.

Along with sophisticated technology and a security-at-the-edge approach, industry experts are capable of helping you make sense of the threats you face every day. And as you know, attackers never sleep. The only response: always-on, 24x7x365 monitoring, scrubbing, and DDoS mitigation services.

Connecting to the Future

At the end of the day, it’s all about connecting to your customers and your employees; your apps and data; and to the countless IoT devices out there. Simply put: You need to be everywhere your customers are. When it comes to performance it has to be fast. And when it comes to security it needs to be proactive and in depth.

As nearly everyone and everything gets connected, the data required to function in the digital world risks not only being congested in the core but, even worse, caught up in large-scale cyberattacks. And cloud data centers are struggling to keep up.

Delivering engaging and glitch-free digital business moments securely is the heart and the backbone of everything your digital business stands for. And in spite of how remarkably the Internet has grown and evolved over the past 20 years, we believe the most dramatic digital experiences are yet to come.

As a result, the world is now realizing just how important a security-at-the-edge strategy can be – one that brings users closer to the digital experiences and knocks down attacks where they’re generated. One that breeds trust and puts the confidence and control back in your hands.

Source: https://securityboulevard.com/2019/01/from-the-core-to-the-edge-3-security-imperatives-and-the-evolving-digital-topology/

Over 45 billion IoT devices are expected to be connected by 2021, while the cumulative cost of data breaches between 2017 and 2022 is expected to touch $8 trillion

The era of Internet of things (IoT) is upon us and it is impacting our lives. Today, technology has pervaded into nearly all walks of life, and constant innovation has made it almost impossible to stay disconnected. However, with all the convenience that connected devices offer, there is also a growing risk of cyber threats that can cripple the IoT networks and infrastructure, and cause considerable economic and personal harm to users.

According to a report by Juniper Research, as much as 46 billion IoT devices are expected to be connected by 2021, while the cumulative cost of data breaches between 2017 and 2022 is expected to touch $8 trillion. Securing IoT would require adopting a future-ready, flexible and highly scalable cybersecurity strategy – a significant shift from current reactive approaches used by businesses that involve patching discovered vulnerabilities and adding new solutions without performing a comprehensive assessment.

IoT makes it possible to connect previously closed devices and appliances to the Internet and allow users to control their operations remotely. However, as more closed systems are made accessible online, they also become increasingly vulnerable to cyberattacks and hacks. From smart homes and offices to connected cars, unmanned aerial vehicles, autonomous trucks and even to critical infrastructure like industrial control systems as part of industrial Internet of things (IIoT) – all existing and emerging IoT networks face a very high risk of cyber threats.

Blockchain-powered cybersecurity

An emerging technology alongside IoT which offers much promise in helping secure connected devices is blockchain technology. While blockchain technology gained prominence originally in the world of fintech by ushering in the revolution of digital payments, this underlying technology behind the success and rise of cryptocurrencies could play an important role in cybersecurity, especially in the IoT space.

A blockchain-based cybersecurity platform can secure connected devices using digital signatures to identify and authenticate them, adding them as authorized participants in the blockchain network and ring-fencing critical infrastructure by rendering it invisible to unauthorized access attempts. Each authenticated device joining the blockchain-based secure IoT network is treated as a participating entity, just like in a conventional blockchain network. All communication among these verified participants (IoT devices) is cryptographically secured and is stored in tamper-proof logs.

Every new device added to the network is registered by assigning a unique digital ID on the blockchain network, and the platform provides secure channels for inter-device communication and offers all connected devices secure access to core systems or infrastructure as well. A blockchain-based cybersecurity solution can additionally leverage Software-Defined Perimeter (SDP) architecture and utilize a Zero-Trust model to render all authenticated devices invisible to attackers. This means that only verified devices can “see” or know of the existence of other connected devices, adding an extra layer of security to the IoT infrastructure.

Benefits and the way forward

A blockchain powered platform uses a decentralized set-up, further denying cyber attackers a single point of failure to target to bring down such a network. Consensus-based control distributes the responsibility of security across nodes within a blockchain network, making it impossible for hackers to spoof their way into such a network, and also protecting IoT networks from being brought down via DDoS attacks. Decentralization also makes such a solution highly scalable – one of the biggest concerns of implementing cybersecurity on an ever-growing network such as in the case of connected devices. With every new device that gets added/removed, the change is immediately notified to all participants, letting the system be adaptable and flexible to expand and evolve over time without significant upgrades to the platform in entirety.

Such a system can be used to secure smart homes, connected autonomous vehicles, critical IIoT infrastructure and even entire smart cities. A cybersecurity solution based on blockchain technology enhanced using SDP architecture offers a next-generation, future-proof way to secure IoT devices, networks and communication, not just from present-day vulnerabilities and cyber risks, but remain just as robust in anticipating emerging vulnerabilities and offering protection against them.

Both blockchain and IoT are emerging technologies, with most innovations in these domains being at nascent, proof-of-concept stages. However, blending the strengths of blockchain technology with the potential of IoT can quickly and effectively propel entire industries, cities and nations into the “smart” space, by easing the burden of securing an ever-expanding perimeter of unconventional devices and critical infrastructure without impeding the rate of innovation.

Source: https://www.entrepreneur.com/article/325855

Fraud is and always will be a cornerstone of the cybercrime community. The associated economic gains provide substantial motivation for today’s malicious actors, which is reflected in the rampant use of identity and financial theft, and ad fraud. Fraud is, without question, big business. You don’t have to look far to find websites, on both the clear and the darknet, that profit from the sale of your personal information.

Fraud-related cyber criminals are employing an evolving arsenal of tactics and malware designed to engage in these types of activities. What follows is an overview.

Digital Fraud

Digital fraud—the use of a computer for criminal deception or abuse of web enabled assets that results in financial gain—can be categorized and explained in three groups for the purpose of this blog: basic identity theft with the goal of collecting and selling identifiable information, targeted campaigns focused exclusively on obtaining financial credentials, and fraud that generates artificial traffic for profit.

Digital fraud is its own sub-community consistent with typical hacker profiles. You have consumers dependent on purchasing stolen information to commit additional fraudulent crime, such as making fake credit cards and cashing out accounts, and/or utilizing stolen data to obtain real world documents like identification cards and medical insurance. There are also general hackers, motivated by profit or disruption, who publicly post personally identifiable information that can be easily scraped and used by other criminals. And finally, there are pure vendors who are motivated solely by profit and have the skills to maintain, evade and disrupt at large scales.

  • Identity fraud harvests complete or partial user credentials and personal information for profit. This group mainly consists of cybercriminals who target databases with numerous attack vectors for the purposes of selling the obtained data for profit. Once the credentials reach their final destination, other criminals will use the data for additional fraudulent purposes, such as digital account takeover for financial gains.
  • Banking fraud harvests banking credentials, digital wallets and credit cards from targeted users. This group consists of highly talented and focused criminals who only care about obtaining financial information, access to cryptocurrency wallets or digitally skimming credit cards. These criminals’ tactics, techniques and procedures (TTP) are considered advanced, as they often involve the threat actor’s own created malware, which is updated consistently.
  • Ad fraud generates artificial impressions or clicks on a targeted website for profit. This is a highly skilled group of cybercriminals that is capable of building and maintaining a massive infrastructure of infected devices in a botnet. Different devices are leveraged for different types of ad fraud but generally, PC-based ad fraud campaigns are capable of silently opening an internet browser on the victim’s computer and clicking on an advertisement.

Ad Fraud & Botnets

Typically, botnets—the collection of compromised devices, each often referred to as a bot, controlled by a malicious actor, a.k.a. a “bot herder”—are associated with flooding networks and applications with large volumes of traffic. But they also send large volumes of malicious spam, which is leveraged to steal banking credentials or used to conduct ad fraud.

However, operating a botnet is not cheap and operators must weigh the risks and expense of operating and maintaining a profitable botnet. Generally, a bot herder has four campaign options (DDoS attacks, spam, banking and ad fraud) with variables consisting of research and vulnerability discovery, infection rate, reinfection rate, maintenance, and consumer demand.

With regards to ad fraud, botnets can produce millions of artificially generated clicks and impressions a day, resulting in a financial profit for the operators. Two recent ad fraud campaigns highlight the effectiveness of botnets:

  • 3ve, pronounced eve, was recently taken down by White Owl, Google and the FBI. This PC-based botnet infected over a million computers and utilized tens of thousands of websites for the purpose of click fraud activities. The infected users would never see the activity conducted by the bot, as it would open a hidden browser outside the view of the user’s screen to click on specific ads for profit.
  • Mirai, an IoT-based botnet, was used to launch some of the largest recorded DDoS attacks in history. When the co-creators of Mirai were arrested, their indictments indicated that they also engaged in ad fraud with this botnet. The actors were able to conduct what is known as impression fraud by generating artificial traffic and directing it at targeted sites for profit.

The Future of Ad Fraud

Ad fraud is a major threat to advertisers, costing them millions of dollars each year. And the threat is not going away, as cyber criminals look for more profitable vectors through various chaining attacks and alteration of the current TTPs at their disposal.

As more IoT devices continue to be connected to the Internet with weak security standards and vulnerable protocols, criminals will find ways to maximize the profit of each infected device. Currently, it appears that criminals are looking to maximize their new efforts and infection rate by targeting insecure or unmaintained IoT devices with a wide variety of payloads, including those designed to mine cryptocurrencies, redirect users’ sessions to phishing pages or conduct ad fraud.

Source: https://securityboulevard.com/2019/01/ad-fraud-101-how-cybercriminals-profit-from-clicks/