• A denial of service attack, which involves overwhelming computer systems with information in a bid to take them down, successfully interrupted electrical systems in Los Angeles County and Salt Lake County in March, according to the Department of Energy.
  • The incident was a rare example of as against an energy utility, particularly in a high population area.
  • Denial of service attacks are relatively rudimentary, and unlikely to be the work of a nation-state, one expert told CNBC.

Electrical grid operations in two huge U.S. population areas — Los Angeles County in California, and Salt Lake County in Utah — were interrupted by a distributed-denial-of-service attack in March, according to the Department of Energy’s Electric Emergency and Disturbance Report for March.

The attack did not disrupt electrical delivery or cause any outages, the Department of Energy confirmed, but caused “interruptions” in “electrical system operations.” In this case, “operations” does not refer to electrical delivery to consumers, but could cover any computer systems used within the utilities, including those that run office functions or operational software.

Although the attack did not interrupt service, denial-of-service attacks are easily preventable, and most large organizations no longer consider them major threats. The fact that it succeeded calls into question whether the utilities are prepared for a far more sophisticated attack, as the U.S. government has warned about.

DDoS attacks used to be common, but are easily prevented

A Department of Energy official told CNBC, “DOE received a report about a denial-of-service condition that occurred at an electric utility on March 5, 2019, related to a known vulnerability that required a previously published software update to mitigate. The incident did not impact generation, the reliability of the grid or cause any customer outages.”

The incident, which happened between 9:12 a.m. and 6:57 p.m., also interrupted electrical system operations in Kern County, California, and Converse County, Wyoming.

Distributed denial of service, or DDoS, involves delivering a heavy stream of information and internet traffic, usually with the help of a network of hacked computers, to overwhelm the systems of a target.

DDoS attacks are one of the simplest forms of cyberattack to execute. They used to be very common, but there are common practices in place to prevent them, and most large organizations have practically eliminated them as threats. The fact that such an easily preventable attack succeeded against a system serving such a large electrical distribution area is cause for concern, especially because energy is one of the U.S. government’s most important “critical infrastructure” sectors, making these utilities subject to the strongest protections.

The DOE has not released any information on the origins of the attack. Several countries, including Russia, Iran and China, have been cited by U.S. government authorities as sponsoring attacks against the U.S. electric grid, often with the goal of infiltrating the network or gathering intelligence.

But a DDoS is a relatively unsophisticated type of attack, meant to take down a computer network quickly. That means the culprit could be almost anybody, from a single individual to a larger group.

“DDoS is the low-hanging fruit in the hacker world. It’s very loud and it’s easy to detect quickly. The ones that are operating at the nation-state level don’t need to use DDoS,” said Chris Grove, director of industrial cybersecurity at Indegy, a utility and industrial systems cybersecurity company. “If this was a nation-state attack, they wouldn’t pull off a DDoS attack to take it down, they’d probably do a better job.”

This is the first reported cyberdisruption by the Department of Energy in 2019.

Last year, the DOE reported four reported cyber-events. One of them, like the March 5 incident, caused interruptions of electrical system operations in Michigan’s Midland and Genesee counties. The other three were reported as “could potentially impact electric power system adequacy or reliability.”

Source: https://www.cnbc.com/2019/05/02/ddos-attack-caused-interruptions-in-power-system-operations-doe.html

Analysis of two high-volume DDoS attacks show they’re becoming more difficult to remediate with changes to port and address strategies.

On Jan. 10, a distributed denial-of-service (DDoS) attack peaked at 500 million packets per second. Depending on precisely how you measure such things, this was likely one of the largest DDoS attacks ever — until April 30, when it was surpassed by an attack that hit 580 packets per second.

According to Imperva, the company that detected and mitigated the attacks, the January attack was a syn flood coupled with a large syn flood, each of which was launched with randomized source addresses and ports.

In a blog post, researchers at Imperva contrasted the two attacks with the 2018 Github DDoS attack — a memcached amplification attack that reached 1.35 terabits per second, most of which were in large packets with a single source port and originating service address.

Source: https://www.darkreading.com/attacks-breaches/huge-ddos-attacks-shift-tactics-in-2019/d/d-id/1334583

Hackers behind the DDoS attacks on Electrum Bitcoin users have managed to infect up to 152,000 hosts, according to security researchers.

In a blog post, researchers at Malwarebytes said that figure was reached earlier last week but has now plateaued at around the 100,000 mark. The botnet has been fuelled by two distribution campaigns (RIG exploit kit and Smoke Loader) dropping malware detected as ElectrumDoSMiner.

Researchers have now discovered a previously undocumented loader dubbed Trojan.BeamWinHTTP that is also involved in downloading ElectrumDoSMiner. So far, it has been estimated that the amount of stolen funds amassed by hackers could be as high as $4.6 million.

The botnet has largely been concentrated in the Asia Pacific region (APAC). For the Americas, most bots are located in Brazil and Peru, researchers said. However, the number of victims that are part of this botnet is constantly changing.

“We believe as some machines get cleaned up, new ones are getting infected and joining the others to perform DoS attacks. Malwarebytes detects and removes ElectrumDoSMiner infections on more than 2,000 endpoints daily,” said researchers.

Victims infected with the malware “may experience slowdowns in internet speed as they are joined to a botnet that performs DDoS attacks”, according to researchers.

They added that criminals have wasted no time in exploiting a vulnerability in Electrum wallets to phish unsuspecting users.

“What followed next with retribution attacks on Electrum servers was unexpected but logical, considering what is at stake. While these DDoS attacks have not been publicized much by mainstream media, they have undoubtedly caused millions of dollars in losses over the span of just a few months,” they said.

Source: https://www.scmagazineuk.com/electrum-ddos-botnet-infects-152000-hosts/article/1583311

 

The development of the telecommunications infrastructure in Central Asia has increased the online presence of the region dramatically. It has also exposed cybercrime weaknesses. Unfortunately, there has been little education and development of regional expertise around the dangers of information technology. Central Asia as a whole is now facing a growing threat from attacks by cyber-criminal gangs.

2018 digital use in Central Asia 

Responding to this increasing threat governments in the region have made it a priority to protect their countries online data. In a September 2017 speech to the Kazakh Majlis President Nursultan Nazarbaev stated,

“In the last three years alone, the volume of illegal online content has increased 40-fold. This means that we need a reliable cyber-shield for Kazakhstan. We cannot put off the creation of [this shield], we must protect the interests of our country, our culture and our values,”

Currently, only Uzbekistan, Kazakhstan and Kyrgyzstan have made significant inroads into this arena.  All three have engaged in the development of comprehensive legal and regulatory frameworks for cybersecurity. Moreover, they have established and adopted “kontseptsiya” or concept papers for the creation of national cybersecurity strategies’. One example of this being the successful Kazakhstan Cyber Shield. They have also formed Computer Emergency Response Teams or CERTs (CERT-KZ, UZ-CERT, CERT.KG. ).

Additionally, Uzbekistan and Kazakhstan have created dedicated cyber programs at national universities with the intention of training information and cyber experts on domestic CERT agencies. Both governments are now capable of repelling the majority of daily cyber attacks that occur. As Ruslan Abdikalikov, Deputy Chairman of the Committee for Information Security of the Ministry of Defence and Aerospace Industry of Kazakhstan stated at the 2018 SOC-FORUM conference,

“Cyber attacks are fixed every second and their number is growing. We fixed 1 billion of such attacks in 2016. There were 20bn attacks on Kazakhstan last year, on the state information structures. Nobody knows how many attacks business faces. The attacks on the Government increased by 20 times over the past year […] but we protect ourselves from them.”

Cybercrime and Hackmail

Central Asia currently has one of the highest global rates of cyber-criminal activities. This comes despite efforts improving the region’s capacity to deal with cyber attacks or cyber terrorism. Kazakhstan, thanks to its attractive financial situation and high number of internet users, has faced significant issues with cybercrime.  Statistics indicate that it has had the highest rate of cyber infiltration in Central Asia since 2010. At the same time, 85% of internet users have been compromised. In the past year alone, the Kazakh National Security Committee (KNB) announced that 63,000 attacks have occurred. This shows an increase of 38,000 since 2017.

Zeroing in on Kazakhstan’s financial sector, cyber-criminals have not just hacked accounts, but also bank machines and payment terminals. The lion’s share of the attacks has consisted of viruses and phishing attacks. These compromise devices to either generate spam or participate in Distributed Denial of Service (DDoS) attacks. Cyber-criminals have also used compromised machines to launch DDoS attacks. These typically demand that the victim pay a ransom for the attack to stop.

A prime example was Kazakhstan’s Alfa-Bank in 2017. According to Alfa-Bank IT specialist Yevgeny Nozikov, the hackers sought their reward in the form of a ransom. The bank had to pay a sum, in exchange for the hackers to unblock the IT systems. In another case of cyber extortion in March 2012, the owner of a Kyrgyz entertainment website suffered several days of DDoS attacks. A hacker sent a blackmail message warning that the attacks would continue if the owner chose not to pay.

Kyrgyzstan’s 24.kg news agency also noted that the country experiences high amounts of commercial cyber attacks. According to sources, 776 websites belonging to various commercial companies, individuals and government agencies had been hacked in 2017.

What experts say

On average, 20 websites are successfully hacked every five days in the country, while every tenth website is hacked repeatedly. Government officials and cyber-experts throughout Central Asia argue that this is due to the lack of awareness of cybersecurity in the general public.

This point was reiterated by the Kaspersky Lab Cybersecurity Index. The Index demonstrates that in countries like Kazakhstan and Uzbekistan, many users not particularly concerned about the need for any protective cyber measures. As Laziz Buranov, a department head from Uzbekistan’s Information Security Centre (TsOIB), explained to Caravansei,

“Last year, 493 .uz domain sites were subjected to hacker attacks. They were hacked for various reasons. In the majority of cases, the site owners themselves were at fault — they […] used infected and vulnerable software.”

According to Kaspersky Labs many private users and businesses in Kazakhstan and Uzbekistan even utilise pirated software such as unprotected copies of old Windows operating systems for their online activities. Thereby placing at risk all online activities, thanks to the lack of information technology expertise and cybersecurity in the public domain. This lack of expertise means that Central Asia as a whole is extremely attractive to cyber-criminals gangs who view these weaknesses as an invitation to stay.

Is Central Asia a CyberCrime Haven?

In Kazakhstan during the past two years, the criminal cyber gang Cobalt has established itself thanks to the lack of cybersecurity. According to Arman Abdrasilov, Director at TsARKA,  the Astana-based Center for Cyberattack Analysis and Research, Kazakh security experts have seen a rise in the number of domestic computers being hijacked by Cobalt malware. They point to the use of hacked Kazakh servers in the 2016 attack on the Bangladesh Bank. The attack resulted in $81 million worth of loss. This evidence demonstrates the criminal gang has set up shop in Central Asia.

Emerging in 2013, Cobalt is “One of the world’s most dangerous hacker groups […] which specializes in hacking into bank accounts,” stated Abdrasilov. The group first targetedRussian banks with phishing emails. These emails contained programmes that would enable them to gain access to password-protected archives. In turn, this gave them remote access to ATMs, which would then deliver cash to waiting accomplices. Since 2017, the group has branched out from Eastern Europe and Southeast Asia to Europe and North America. According to Europol, Cobalt has attacked banks in 40 countries and caused losses of more than $1.1 billion.

In Central Asia, cybercrime poses a significant risk to banking and financial institutions. Lack of knowledge, expertise and protective procedural training among employees make them vulnerable to attacks like those mentioned above. Authorities are yet to get a handle on dealing with these crimes. Governments are struggling to respond to the attacks. In Kazakhstan, for example, only 3% of online crimes are ever prosecuted.

Risks are Significant

Like a dog chasing its own tail, Central Asian governments are at something of an impasse with their cyber-readiness. While rapidly trying to catch up to the fast-paced global cyber environment, governments have focused heavily on the state IT infrastructure. They have not allocated enough time to educate or develop IT and cyber-knowledge in the general population. While the state apparatus is cyber-ready, the general public is still vulnerable to cybercrimes.

To redress this issue, the governments of the region should look beyond their borders for expertise in developing nation-wide cybersecurity information awareness programmes and domestic information technology specialists. Allies like Russia and China could provide these, as both are regarded at the forefront of cybersecurity. However, engaging help from their usual partner states is also fraught with danger in the current international climate. Both China and Russia are in an expansionist phase. They are utilising any opportunity that may arise to help them advance their own foreign agenda, as illustrated in Ukraine and the South China Sea. This leaves Central Asian countries little option but to develop domestic expertise from other sources, like America and India.

The problem here is that it will take time to develop expertise on a domestic level. Training information technology specialist and cybersecurity experts is an intensive task. Countries like Uzbekistan are now seeking to redress this issue and are implementing programs to right this crucial flaw in their cyber-readiness. It will be several years before these students are cyber-ready. Countries like Kazakhstan, though, are still attracting cyber-criminals at an increasing pace due to the lack of general cybersecurity infrastructure and knowledge at a grassroots level.

Once established, it can be difficult to remove cyber-criminal gangs without allocating significant resources to the task. These are resources the region does not yet possess. While many Central Asian governments are trying to fast track their cyber-readiness, the rapid evolution of malware and cyber threats means they are currently well behind in meeting this threat and will be for the foreseeable future.

Source: https://globalriskinsights.com/2019/04/central-asia-cybercrime-land/

Security headlines continue to focus on high-profile breaches of Fortune-ranked enterprises. But there is a second story being ignored. Cybercrime syndicates are also targeting, attacking and breaching small, medium and even micro organizations in greater and greater numbers. Multiple industry studies support this claim, including ones from Cisco and Ponemon.

Why exactly are these organizations being targeted, what are the attacks to defend against and how can these organizations start to defend themselves?

Fast Money With Lower Entry Barriers

Midsize organizations are relatively easy targets. Like enterprises, they are rapidly evolving. They have adopted the cloud and development and operations teams, and they have digitized all their valuable assets. But compared to enterprises, midsize organizations have smaller cybersecurity teams, lower organizational security awareness and fewer critical systems to infect —making them easier to breach and ransom. While cybercriminals still see larger enterprises as higher-value targets, midsize organizations have transformed themselves into low-hanging fruit that cybercrime syndicates are happy to snag. Midsize organizations keep the cash flow for cybercrime syndicates going while they try to earn high payoffs with large enterprise compromise.

 Supply Chains Are Vulnerable

Midsize organizations also offer easy entry points into the larger enterprises they service. In many high-profile, large-scale breaches — including the breaches of Target, OPM, Best Buy, Sears and UMG — cybercriminals first compromised their smaller third-party providers and used them to open backdoors into the real target. Large enterprises are taking notice and have begun to demand a high level of cybersecurity maturity from their third-party service providers.

The Evolution Of New Low-Cost Attacks

Attack technologies have evolved. In the past, cyberattacks were relatively resource-intensive, so criminals had to focus their limited resources on large, high-value organizations. However, cybercriminals can now use automated, scalable, on-demand attack infrastructures to quickly launch many sophisticated attacks against a high volume of targets. And smaller organizations are getting caught in this new spray-and-pray approach.

This will only get worse. Every year, cybercriminals will find it easier to launch attacks against many mid-size organizations, use their initial victims and deepen their compromise. And this problem is poised to explode due to artificial intelligence (AI). Cybercrime syndicates have already begun to experiment with AI-driven attack tools. These AI-driven hacking tools will continue to increase the speed and sophistication of cyber threats and only widen the asymmetry between attackers and defenders.

Compromised Machines: Artillery For Future Attacks

Cybercrime syndicates are harvesting small-to-midsize business (SMB) endpoints, converting them into weapons and using them to deploy larger attacks. Most endpoints — including PCs, laptops and mobile devices — are underutilized. Cybercriminals have learned how to compromise these endpoints, run backdoors on them to execute attacks and effectively create a large-scale distributed computing infrastructure to launch their campaigns. They are using thousands of compromised systems to launch smothering DDOS attacks on larger enterprises. They are compromising the email accounts of midsize organizations to bypass spam filters and produce short, effective bursts of phishing emails.

How Can Midsize Organizations Stay Safe?

Cybercrime syndicates will continue to innovate their techniques and scale their attack infrastructure. In fact, with the evolution of AI-driven attacks tools, compromising systems might be a simple voice command away for the attacker. Mid-market businesses will need to focus on the most-used threats because of their limited resources. Luckily, the 80-20 rule applies here, where the large majority of security problems stem from the following handful of threats.

Phishing Attacks

Most mid-size organizations have not implemented mature controls and robust user education programs to prevent phishing attacks, making them high-converting targets for phishing attacks. To get up to speed, midsize organizations need to focus on end-user awareness, strong email gateway security, two-factor authentication (2FA) for authentication and monitoring controls.

Malware Attacks

Malware attacks are more successful against midsize organizations, as they have smaller and simpler networks, and it takes attackers less time to reach organization crown jewels. In fact, according to a report from Verizon, 58% of malware victims are small organizations. As such, midsize organizations need to focus on detecting malware with good endpoint security, detecting lateral movement of attackers with analytics and rapidly containing successful breaches.

Cloud Console And Storage Attacks

As midsize organizations rush to get their cloud-based infrastructure into production, they often fail to realize that on-premise security mindset does not work in the cloud. Take, for example, storage security in the cloud. Small, inadvertent changes in the cloud can produce global high-impact data loss. Many organizations have suffered data exposure, due to Amazon Web Services S3 buckets being configured for public access.

Cybercrime syndicates are actively taking control of organizations by compromising their cloud consoles to steal data and demand ransom. These attacks are not new. Way back in 2014, Code Spaces completely shut downdue to console takeover. But today, automation is making these attacks faster and more common.

To protect against them, midsize organizations should tighten console access with 2FA, establish tighter role permissions and monitor different cloud components stringently. Simply put, a combination of weak console and storage permissions can prove fatal for any midsize organization.

Web Application Attacks

Web applications have been a weak link traditionally. With the current innovation wave incorporating microservices, containers and federated access — it has become more complex to secure.

Right now, the top web application attacks include SQL injection, cross-site scripting and parameter manipulation. This means mid-size organizations need to focus on building robust web application firewall (WAF) protection, continuously monitor all attack events on their web applications and, of course, ensure secure coding as part of their development, security and operations program.

Of course, it is not an asymmetric game in favor of cybercriminals. Artificial intelligence is part of many cybersecurity tools today, making it easier to detect and respond to these emerging scenarios.

Source: https://www.forbes.com/sites/forbestechcouncil/2019/04/24/preparing-your-mid-market-business-for-cyberattacks/#61cc791252ef