Illinois man offered “DDoS for hire” services that hit millions of victims.

Sergiy P. Usatyuk, who owned a series of services that collectively launched millions of distributed denial-of-service (DDoS) attacks, has pleaded guilty in federal court to one count of conspiracy to cause damage to Internet-connected computers. The services he owned and offered for use included ExoStress.in (“ExoStresser”), QuezStresser.com, Betabooter.com (“Betabooter”), Databooter.com, Instabooter.com, Polystress.com, and Zstress.net.

The sites were booter services, a class of publicly available, Web-based services that allow cybercriminals to launch DDoS attacks, often for low fees paid by customers who sign up via Web browser and online payment.

According to court documents, Usatyuk ran the network between August 2015 and November 2017. In September 2017, the ExoStresser website advertised that “… its booter service alone had launched 1,367,610 DDoS attacks, and caused targeted victim computer systems to suffer 109,186.4 hours of network downtime,” one of the documents shows.

No date for sentencing was announced.

Source: https://www.darkreading.com/attacks-breaches/booter-owner-pleads-guilty-in-federal-court/d/d-id/1333993

Connected devices often get attacked minutes after being plugged in.

IoT devices are being attacked with greater regularity than ever before, new research has suggested.

According to a new report by NETSCOUT, smart products often come under attack within five minutes of being plugged in, and are targeted by specific exploits within a day.

The Threat Landscape Report says IoT device security is ‘minimal to non-existent’ on many devices. That makes the IoT sector among the most vulnerable ones, especially knowing that medical equipment and connected cars fall under the IoT category.

DDoS, in general, is still on the rise, the report adds. The number of such attacks grew by a quarter last year. Attacks in the 100-400 Gbps range ‘exploded’, it says, which it takes as evidence of the ‘continued interest’ attackers have in this attack vector.

The global maximum DDoS attack size grew by 19 per cent last year, compared to the year before.

International institutions, such as the UN or the IMF, have never been this interesting to hackers. DDoS attacks against such organisations had risen by almost 200 per cent last year.

Hackers operate much as legitimate businesses do. They employ the affiliate model, which allows them to rake in profits quickly.

“Our global findings reveal that the threat landscape in the second half of 2018 represents the equivalent of attacks on steroids,” said Hardik Modi, NETSCOUT’s senior director of Threat Intelligence. “With DDoS attack size and frequency, volume of nation state activity and speed of IoT threats all on the rise, the modern world can no longer ignore the digital threats we regularly face from malicious actors capable of capitalizing on the interdependencies that wind through our pervasively connected world.”

Source: https://www.itproportal.com/news/iot-and-ddos-attacks-dominate-cybersecurity-space/

Botnets continue to spread to places never dreamed of a few years ago. But you can fight them off, and these tips can help.

Botnets have been around for over two decades, and with the rise of the Internet of Things (IoT), they have spread further to devices no one imagined they would: routers, mobile devices, and even toasters.

Some botnets are legions of bot-soldiers waiting for a command to attack a target server, generally to overwhelm the server with a distributed denial-of-service (DDoS) attack. Other botnets target specific devices by stealing passwords or mining cryptocurrency. Cryptocurrency mining, in particular, has been a dramatically growing threat for organizations recently, with botnets such as Coinhive and CryptoLoot enabling cybercriminals to make as much as $100 million a year at the expense of victims’ computing power. Smominru, among the largest cryptocurrency-mining botnets, has infected over half a million machines using the infamous EternalBlue exploit leaked from the NSA.

To prevent botnet infections, organizations must be able to detect them. But botnet detection isn’t easy. Let’s explore some of the top techniques and challenges in botnet detection.

Methods for Botnet Detection
So, what’s a botnet? Simply put, it’s a cluster of bots — compromised computers and devices — that perform commands given by the botnet owner. Usually, the botnet owner will dedicate a command and control server (C2), a compromised server for communicating with the bots, usually via Internet Relay Chat commands. The botnet owner uses the C2 server to order the bots to execute attacks, whether that’s DDoS attacks, data theft, identity theft, or another type of attack. Thus, the smoking gun that points to a botnet is its C2 server.

Unfortunately, finding the C2 isn’t usually a simple task. Many botnet commands emerge from multiple servers or take hidden forms, masking the malicious commands as harmless activity such as Tor network traffic, social media traffic, traffic between peer-to-peer services, or domain-generation algorithms. Further complicating matters, the commands are often very subtle, making it difficult to detect any anomalies.

One method for attempting to detect C2s is breaking down and analyzing the malware code. Organizations can try to disassemble the compiled code, from which they can sometimes identify the root source of the botnet’s commands. However, since botnet creators and administrators increasingly are using integrated encryption, this technique is less and less effective.

Generally, C2 detection requires visibility into the communication between a C2 server and its bots, but only security solutions that specifically protect C2 servers will have this kind of visibility. A more common approach for detecting botnets is tracking and analyzing the attacks themselves — into which standard security solutions provide visibility — and determining which attacks originated from botnets.

When looking at exploit attempts, there are a few possible indications for a botnet. For example, if the same IP addresses attack the same sites, at the same time, using the same payloads and attack patterns, there’s a good chance they’re part of a botnet. This is especially true if many IPs and sites are involved. One prominent example is a DDoS attempt by a botnet on a web service.

Source: Johnathan Azaria

False Positives
The likelihood of false positives makes botnet detection particularly difficult. Some payloads are widely used, raising the probability of a randomly occurring pattern triggering a false positive. Additionally, attackers can change their IP addresses by using a virtual private network or a proxy, making it look like many attackers or bots are involved when there’s really only one.

Hacking tools and vulnerability scanners also behave similarly enough to botnets to often return false positives. This is because hacking tools generate the same payloads and attack patterns, and many hackers use them, regardless of the color of their hat. And, if different players happen to conduct a penetration test on the same sites at the same time, it may look like a botnet attack.

Organizations can often identify false positives by Googling the payload and referencing any documented information around it. Another technique involves simply gleaning any information readily available within the raw request in the security solution. For example, if a vulnerability scanner is to blame, most security solutions will reveal that by identifying it, especially if it’s one of the more common vulnerability scanners.

False positives are an unavoidable challenge in botnet detection given the enormous amount of potential incidents; recent research shows that 27% of IT professionals receive over 1 million security alerts every day, while 55% receive more than 10,000. But with the right techniques and diligence, organizations can discern the harmless traffic from the malicious, botnet-driven traffic.
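The grouping heuristic from the detection section (same path, same payload, same time window, many distinct source IPs) combined with the scanner check from the false-positives section, as an added example that is not from the article or its author. The log format, the scanner user-agent markers and the sample lines are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format: "<ip> <iso-timestamp> <method> <path> "<user-agent>" <payload>"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)" (\S*)$')
EPOCH = datetime(1970, 1, 1)

# Hypothetical scanner user-agent markers; a real deployment would use the
# signatures its security solution already ships for common scanners.
SCANNER_UA_MARKERS = ("ExampleScanner", "ExampleFuzzer")

# Constructed sample: four browsers-looking clients send the same payload to
# /login within seconds, a scanner sends it too, and two unrelated searches.
SAMPLE_LOG = """\
203.0.113.10 2019-02-20T10:00:01 POST /login "Mozilla/5.0" p=PAYLOAD_A
203.0.113.11 2019-02-20T10:00:02 POST /login "Mozilla/5.0" p=PAYLOAD_A
203.0.113.12 2019-02-20T10:00:03 POST /login "Mozilla/5.0" p=PAYLOAD_A
203.0.113.13 2019-02-20T10:00:04 POST /login "Mozilla/5.0" p=PAYLOAD_A
198.51.100.7 2019-02-20T10:00:05 POST /login "ExampleScanner/1.0" p=PAYLOAD_A
192.0.2.44 2019-02-20T10:00:09 GET /search "Mozilla/5.0" q=shoes
192.0.2.45 2019-02-20T10:20:09 GET /search "Mozilla/5.0" q=shoes
"""

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # malformed line: skip rather than crash the pass
    ip, ts, method, path, ua, payload = m.groups()
    return {"ip": ip, "ts": datetime.fromisoformat(ts), "method": method,
            "path": path, "ua": ua, "payload": payload}

def is_known_scanner(user_agent):
    return any(marker in user_agent for marker in SCANNER_UA_MARKERS)

def detect_botnet_clusters(log_text, window_seconds=60, min_ips=3):
    """Bucket requests by (path, payload, time window); flag buckets hit by at
    least min_ips distinct non-scanner IPs. Scanner IPs are reported separately
    so they cannot inflate the count. A single attacker rotating through proxies
    still looks like many IPs here; that false positive needs other evidence."""
    buckets = defaultdict(lambda: {"ips": set(), "scanner_ips": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        window = int((rec["ts"] - EPOCH).total_seconds()) // window_seconds
        bucket = buckets[(rec["path"], rec["payload"], window)]
        bucket["scanner_ips" if is_known_scanner(rec["ua"]) else "ips"].add(rec["ip"])
    return [{"path": path, "payload": payload, "ips": sorted(b["ips"]),
             "scanner_ips": sorted(b["scanner_ips"])}
            for (path, payload, _), b in sorted(buckets.items()) if len(b["ips"]) >= min_ips]
```

Running `detect_botnet_clusters(SAMPLE_LOG)` flags only the /login cluster, listing the four client IPs and the scanner IP separately; the two /search requests fall in different windows and stay below the threshold.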

Source: https://www.darkreading.com/cloud/diy-botnet-detection-techniques-and-challenges/a/d-id/1333949

Hackers are targeting airlines as never before, and this could affect your next flight. That’s the conclusion of a troubling new study of airline IT outages by Netscout, a provider of application and network performance management products.

Attacks against passenger air travel increased by more than 15,000% between 2017 and 2018, according to Netscout’s research.

That’s no decimal point error. 15,000%.

Why? Airlines are easier targets.

“Cybercriminals have traditionally concentrated attacks on internet service providers, telecoms, and cable operators,” says Hardik Modi, Netscout’s senior director for threat intelligence. “While those categories still represent prime targets, they are now relatively well protected.” As a result, cybercriminals are now targeting the enterprise market, including passenger air travel, with real venom.

Sungard Availability Services, a provider of IT production and recovery services, tracks the major airline IT outage incidents. Its data shows their numbers steadily increasing.

Last year, the domestic airline industry had 10 major outages, the most since 2015, according to Sungard. It’s unknown what role, if any, cyberattacks played in these outages.

The trend appears to be accelerating in 2019. Southwest Airlines suffered a computer outage on Friday that temporarily grounded flights across the country. The airline said it suspended operations for about 50 minutes to ensure the performance of software systems that had been upgraded overnight. The airline also had a smaller outage in January that affected flights to and from Baltimore-Washington International Airport.

In January, 27 Alaska Airlines flights were delayed after the airline suffered a power outage in Seattle.

The incidents trigger an avalanche of consumer complaints to my nonprofit advocacy organization.

What’s going on with airline IT outages?

What’s happening? Distributed denial of service (DDoS) attacks are to blame for some of the outages, according to Netscout. DDoS attacks disrupt services of a host connected to the Internet. You can see some of these attacks in real time on a service like Downdetector.com (here’s Southwest Airlines and here’s Alaska Airlines.)

“Disruptions to air travel are felt immediately,” explains Modi. “We’re all used to seeing images of grounded flights on the evening news, while delayed passengers make their frustrations known over social media channels.”

But not all of the attacks directly affect passengers. Netscout’s analysis also reveals a spike in attacks which passengers might not notice, with volumes reaching levels not seen since 2016.

“Our analysis also indicated that the size of attacks grew at an alarming rate during 2018,” Modi adds. “The maximum attack size recorded last year reached a staggering 245 Gbps (billions of bits per second, a measure of internet bandwidth). When comparing this to the maximum attack sizes recorded in 2016, which reached 124 Gbps, you begin to understand the increasing severity of these attacks.”

In other words, the flight disruptions you’re feeling are only a small part of a much bigger problem that is keeping airline IT workers busy this year. Data trends point to even more outages in the coming weeks, which also happen to be among the busiest for air travel.

How to prevent hackers from ruining your next flight

Airline IT outages can affect your next flight, as I pointed out in my Washington Post column last year.

No one knows when the next IT outage will happen, but there are steps you can take to protect yourself from the worst effects.

Consider travel insurance. The major carriers offer coverage for flight disruptions, which include any information-systems problems that cause delays or force an airline to cancel flights. Cast a broad net when you’re researching coverage. A company like Etherisc allows you to buy insurance up to 24 hours before your flight, track it in real time and receive an instant payout if your flight is delayed or canceled. There’s no formal claims process. I have an annual travel insurance policy through Allianz Travel Insurance that covers flight disruption.

Choose your airline carefully. Carriers that have been through multiple mergers are most likely to suffer an IT outage, due to the merged patchwork of systems, components and staffing. All of the major legacy airlines, plus Southwest Airlines, have recently completed mergers. Some are aggressively upgrading their aging IT equipment, which has led to a few hiccups.

Schedule your flight early and book it as a nonstop. Many IT outages happen in the afternoon or evening, as server loads spike. Passengers on early-morning flights aren’t affected. And flying nonstop lessens the chance that you’ll be stuck somewhere on a connection.

Know your rights. If you’re flying in the United States, your rights are outlined in the contract of carriage, the legal agreement between you and the airline. It’s a dense and often difficult-to-understand contract, but it contains several provisions that promise an airline will offer meal vouchers, phone cards and overnight hotel accommodations during a service disruption. While there’s no requirement that an airline must rebook you on a different carrier (known as endorsing the ticket), airlines are known to consider doing that on a case-by-case basis.

Could this be the year of the airline IT outage? Perhaps. Even if the first two months of the year are a fluke, you need to know the extent of the problem — and the fixes.

Source: https://www.forbes.com/sites/christopherelliott/2019/02/25/hackers-are-targeting-airlines-in-record-numbers-heres-what-that-means-for-you/#1f521ba932f7

US and EMEA security professionals interviewed by the Neustar International Security Council (NISC) in January 2019 said that DDoS attacks are perceived as the highest threat to their organizations, with roughly half of their companies having been attacked in 2018.

Another 75% of all professionals who took part in NISC’s study said that they are deeply concerned about “bot traffic (bot robots and scrapers) stealing company information, despite the same number already deploying a bot traffic manager solution.”

NISC uses a Cyber Benchmark Index to track the mounting threat concerns as “a reflection of the current international cybersecurity landscape.” While at the beginning of 2018 the index reached 10.5, in January 2019 it hit 19.4, the highest value recorded since NISC started charting threat levels in May 2017.

International Cyber Benchmarks Index for January 2019 (chart)

“Unfortunately, bot traffic makes up a large proportion of the Internet,” said NISC Chairman and Neustar SVP and Fellow Rodney Joffe. “So it is key that organizations make sure incoming data is scrubbed in real-time, while also identifying patterns of good and bad traffic to help with filtering. [..] Implementing a Web Application Firewall (WAF) is crucial for preventing bot-based volumetric attacks, as well as threats that target the application layer.”

According to NISC, 48% of respondents stated the threats posed by DDoS attacks have increased during November and December 2018, while 42% said that they have increased their ability to respond to DDoS attacks.

“Fears around bot traffic and bot-powered DDoS attacks are extremely valid but by no means new. However, with the rapid rise of the Internet of Things – whether that be across smart cities, banking or a nation’s critical infrastructure – the ability for bots to cause havoc at a global level has increased significantly,” also stated Joffe.

Besides the 23% who considered DDoS attacks the highest threat, NISC’s research found that:

System Compromise – 21% stated this was the highest threat to their enterprise
Ransomware – 15% stated this was the highest threat to their enterprise
Financial Theft – 15% stated this was the highest threat to their enterprise

Cyber threats ranked in order of level of concern

“Without the appropriate detection, data scrubbing and mitigation tools in place, IoT devices have the potential to become part of a malicious botnet, whereby hackers essentially weaponize these devices to launch more powerful DDoS attacks,” continued Joffe. “Worryingly, as more and more devices continue to connect to the Internet, these types of attack pose an increased risk to not only the defenses of an enterprise, but also to a whole nation.”

NISC conducted 300 interviews in January 2019 to collect the data for this report, focused on security professionals from organizations in five countries across EMEA (i.e., France, Germany, Italy, Spain, and the UK), as well as from the US.

The survey respondents currently hold senior positions such as CTO, Director of IT, security consultants, and a number of other positions related to enterprise security responsibilities.

Source: https://www.bleepingcomputer.com/news/security/ddos-attacks-ranked-as-highest-threat-by-enterprises/