DDoS DDoS Attack Specialist DDoS Attacks DDoS Defense DDoS Protection Specialist Stop DDoS Stop DDoS Attacks
IoT malware clashes in a botnet territory battle
April 18, 2017

The Hajime malware is competing with the Mirai malware to enslave some IoT devices

Mirai — a notorious malware that’s been enslaving IoT devices — has competition.

A rival piece of programming has been infecting some of the same easy-to-hack internet-of-things products, with a resiliency that surpasses Mirai, according to security researchers.

“You can almost call it Mirai on steroids,” said Marshal Webb, CTO at BackConnect, a provider of services to protect against distributed denial-of-service (DDoS) attacks.

Security researchers have dubbed the rival IoT malware Hajime, and since it was discovered more than six months ago, it’s been spreading unabated and creating a botnet. Webb estimates it’s infected about 100,000 devices across the globe.

These botnets, or networks of enslaved computers, can be problematic. They’re often used to launch massive DDoS attacks that can take down websites or even disrupt the internet’s infrastructure.

That’s how the Mirai malware grabbed headlines last October. A DDoS attackfrom a Mirai-created botnet targeted DNS provider Dyn, which shut down and slowed internet traffic across the U.S.

Hajime was first discovered in the same month, when security researchers at Rapidity Networks were on the lookout for Mirai activity. What they found instead was something similar, but also more tenacious.

Like Mirai, Hajime also scans the internet for poorly secured IoT devices like cameras, DVRs, and routers. It compromises them by trying different username and password combinations and then transferring a malicious program.

However, Hajime doesn’t take orders from a command-and-control serverlike Mirai-infected devices do. Instead, it communicates over a peer-to-peernetwork built off protocols used in BitTorrent, resulting in a botnet that’s more decentralized — and harder to stop.

“Hajime is much, much more advanced than Mirai,” Webb said. “It has a more effective way to do command and control.”

Broadband providers have been chipping away at Mirai-created botnets, by blocking internet traffic to the command servers they communicate with. In the meantime, Hajime has continued to grow 24/7, enslaving some of the same devices. Its peer-to-peer nature means many of the infected devices can relay files or instructions to rest of the botnet, making it more resilient against any blocking efforts.

Screen Shot 2017-04-18 at 11.32.33

Hajime infection attempts (blue) vs Mirai infection attempts (red), according to a honeypot from security researcher Vesselin Bontchev.

Who’s behind Hajime? Security researchers aren’t sure. Strangely, they haven’t observed the Hajime botnet launching any DDoS attacks — which is good news.  A botnet of Hajime’s scope is probably capable of launching a massive one similar to what Mirai has done.

“There’s been no attribution. Nobody has claimed it,” said Pascal Geenens, a security researcher at security vendor Radware.

However, Hajime does continue to search the internet for vulnerable devices. Geenens’ own honeypot, a system that tracks botnet activity, has been inundated with infection attempts from Hajime-controlled devices, he said.

So the ultimate purpose of this botnet remains unknown. But one scenario is it’ll be used for cybercrime to launch DDoS attacks for extortion purposes or to engage in financial fraud.

“It’s a big threat forming,” Geenens said. “At some point, it can be used for something dangerous.”

It’s also possible Hajime might be a research project. Or in a possible twist, maybe it’s a vigilante security expert out to disrupt Mirai.

So far, Hajime appears to be more widespread than Mirai, said Vesselin Bontchev, a security expert at Bulgaria’s National Laboratory of Computer Virology.

However, there’s another key difference between the two malware. Hajime has been found infecting a smaller pool of IoT devices using ARM chip architecture.

That contrasts from Mirai, which saw its source code publicly released in late September. Since then, copycat hackers have taken the code and upgraded the malware. Vesselin has found Mirai strains infecting IoT products that use ARM, MIPS, x86, and six other platforms.

That means the clash between the two malware doesn’t completely overlap. Nevertheless, Hajime has stifled some of Mirai’s expansion.

“There’s definitely an ongoing territorial conflict,” said Allison Nixon, director of security research at Flashpoint.

To stop the malware, security researchers say it’s best to tackle the problem at its root, by patching the vulnerable IoT devices. But that will take time and, in other cases, it might not even be possible. Some IoT vendors have released security patches for their products to prevent malware infections, but many others have not, Nixon said.

That means Hajime and Mirai will probably stick around for a long time, unless those devices are retired.

“It will keep going,” Nixon said. “Even if there’s a power outage, [the malware] will just be back and re-infect the devices. It’s never going to stop.”

Source: http://www.itworld.com/article/3190181/security/iot-malware-clashes-in-a-botnet-territory-battle.html


DDoS DDoS Attack Specialist DDoS Attacks DDoS Defense DDoS Protection Specialist Stop DDoS Stop DDoS Attacks
‘One in five’ British firms hit by cyber attack in 2016
April 18, 2017

One in five British firms was hit by a cyber attack last year, research from the British Chambers of Commerce suggests

Cyber attacks are a growing threat to global business operations. This was confirmed by research from the British Chambers of Commerce (BCC), which surveyed 1,200 companies, revealing that one in five British businesses experienced a cyber attack last year.

Larger businesses – defined as those with over 100 staff – were more likely to be attacked than smaller counterparts, according to the survey.
The report found that 42% of larger organisations had suffered a cyber attack, compared with 18% of smaller ones.

Clearly, more needs to be done by businesses to protect themselves. Indeed, the BCC’s report alos found that only a quarter of the firms surveyed had put in security protocols to protect themselves from hackers and cyber threats.

The well documented data breaches of web giant Yahoo, telecoms firm TalkTalk and the dating website Ashley Madison have all hit the headlines in recent years. But this survey has shown just how widespread the problem is. It is endemic.

“Cyber attacks risk companies’ finances, confidence and reputation, with victims reporting not only monetary losses, but costs from disruption to their business and productivity,” said BCC director-general Adam Marshall.

“Firms need to be proactive about protecting themselves from cyber attacks.”

Reacting to the news, Anton Grashion, managing director-security practice at Cylance, said “This is probably an underestimate if anything. Two reasons for this, firstly, this assumes they even know they have been hit, secondly people are more likely to under-report.”

“Evidence of our testing when we run a POC with prospective customers is that we almost invariably discover active malware on their systems so it’s the unconscious acceptance of risk that plagues both large and small businesses.”

Stephanie Weagle, VP at Corero Network Security, has identified DDoS attacks as the greatest cyber threat facing business.

She said “Attackers will always find new exploits, and new attack methods of disrupting financial opportunity, extortion, accessing personally identifiable data, and disrupting an organisations online availability. Cyber attack activity is prevalent today, more than ever – especially when it comes to DDoS attacks.”

DDoS attacks are on the rise and “continue to increase in frequency, scale and sophistication over the last year. 31% of IT security professional and network operators polled in a 2017 survey conducted by Corero experienced more DDoS attacks than usual in recent months, with 40% now experiencing attacks on a monthly, weekly or even daily basis.

Source: http://www.information-age.com/major-flaws-devops-teams-security-123465765/

DDoS DDoS Attack Specialist DDoS Attacks DDoS Defense DDoS Protection Specialist Stop DDoS Stop Hackers
CLDAP reflection attacks may be the next big DDoS technique
April 17, 2017

Security researchers discovered a new reflection attack method using CLDAP that can be used to generate destructive but efficient DDoS campaigns.

DDoS campaigns have been growing to enormous sizes and a new method of abusing CLDAP for reflection attacks could allow malicious actors to generate large amounts of DDoS traffic using fewer devices.

“Since October 2016, Akamai has detected and mitigated a total of 50 CLDAP reflection attacks. Of those 50 attack events, 33 were single vector attacks using CLDAP reflection exclusively,” Arteaga and Majia wrote. “While the gaming industry is typically the most targeted industry for [DDoS] attacks, observed CLDAP attacks have mostly been targeting the software and technology industry along with six other industries.”

The CLDAP reflection attack method was first discovered in October 2016 by Corero and at the time it was estimated to be capable of amplifying the initial response to 46 to 55 times the size, meaning far more efficient reflection attacks using fewer sources.

The largest attack recorded by Akamai using CLDAP reflection as the sole vector saw one payload of 52 bytes amplified to as much as 70 times the attack data payload (3,662 bytes) and a peak bandwidth of 24Gbps and 2 million packets per second.

This is much smaller than the peak bandwidths of more than 1Tbps seen with Mirai, but Jake Williams, founder of consulting firm Rendition InfoSec LLC in Augusta, Ga., said this amplification factor can allow “a user with low bandwidth [to] DDoS an organization with much higher bandwidth.”

“CLDAP, like DNS DDoS, is an amplification DDoS. The attacker has relatively limited bandwidth. By sending a small message to the server and spoofing the source, the server responds to the victim with a much larger response,” Williams told SearchSecurity. “You can only effectively spoof the source of connectionless protocols, so CLDAP is obviously at risk.”

Arteaga and Majia said enterprises could limit these kinds of reflection attacks fairly easily by blocking specific ports.

“Similarly to many other reflection and amplification attack vectors, this is one that would not be possible if proper ingress filtering was in place,” Arteaga and Majia wrote in a blog post. “Potential hosts are discovered using internet scans, and filtering User Datagram Protocol destination port 389, to eliminate the discovery of another potential host fueling attacks.”

Williams agreed that ingress filtering would help and noted that “CLDAP was officially retired from being on the IETF standards track in 2003″ but enterprises using Active Directory need to be aware of the threat.

“Active Directory supports CLDAP and that’s probably the biggest reason you’ll see a CLDAP server exposed to the internet,” Williams said. “Another reason might be email directory services, though I suspect that is much less common.”

Source: http://searchsecurity.techtarget.com/news/450416890/CLDAP-reflection-attacks-may-be-the-next-big-DDoS-technique

DDoS DDoS Attack Specialist DDoS Attacks DDoS Defense DDoS Protection Specialist Denial of Service Attack Stop DDoS
Hackers attacking WordPress sites via home routers
April 13, 2017

Administrators of sites using the popular blogging platform WordPress face a new challenge: hackers are launching coordinated brute-force attacks on the administration panels of WordPress sites via unsecured home routers, according to a report on Bleeping Computer.

Once they’ve gained access, the attackers can guess the password for the page and commandeer the account.

The home routers are corralled into a network which disseminates the brute-force attack to thousands of IP addresses negotiating around firewalls and blacklists, the report stated.

The flaw was detected by WordFence, a firm that offers a security plugin for the WordPress platform. The campaign is exploiting security bugs in the TR-069 router management protocol to highjack devices. Attackers gain entry by sending malicious requests to a router’s 7547 port.

The miscreants behind the campaign are playing it low-key to avoid detection, attempting only a few guesses at passwords for each router.

While the exact size of the botnet is unknown, WordFence reported that nearly seven percent of all the brute-force attacks on WordPress sites last month arrived from home routers with port 7547 exposed to the internet.

The flaw is exacerbated by the fact that most home users lack the technical know-how to limit access to their router’s 7547 port. In some cases, the devices do not allow the shuttering of the port.

A more practical solution is offered by WordFence: ISPs should filter out traffic on their network coming from the public internet that is targeting port 7547.

“The routers we have identified that are attacking WordPress sites are suffering from a vulnerability that has been around since 2014 when CheckPoint disclosed it,” Mark Maunder, CEO of WordFence CEO, told SC Media on Wednesday.

The specific vulnerability, he pointed out, is the “misfortune cookie” vulnerability. “ISPs have known about this vulnerability for some time and they have not updated the routers that have been hacked, leaving their customers vulnerable. So, this is not a case of an attacker continuously evolving a technique to infect routers. This is a case of opportunistic infection of a large number of devices that have a severe vulnerability that has been known about for some time, but has never been patched.”

There are two attacks, Maunder told SC. The first is the router that is infected through the misfortune cookie exploit. The other is the attacks his firm is seeing on WordPress sites that are originating from infected ISP routers on home networks.

“The routers appear to be running a vulnerable version of Allegro RomPager version 4.07,” Maunders said. “In CheckPoint’s original 2014 disclosure of this vulnerability they specifically note that 4.07 is the worst affected version of RomPager. So there is nothing new or innovative about this exploit, it is simply going after ISP routers that have a large and easy to hit target painted on them.”

The real story here, said Maunder, is that a number of large ISPs, several of them state owned, have gone a few years without patching their customer routers and their customers and the online community are now paying the price. “Customer home networks are now exposed to attackers and the online community is seeing their websites attacked. I expect we will see several large DDoS attacks originating from these routers this year.”

Source: https://www.scmagazine.com/hackers-attacking-wordpress-sites-via-home-routers/article/649992/

DDoS DDoS Attack Specialist DDoS Attacks DDoS Defense DDoS Protection Specialist Stop DDoS
Did hackers fix the Brexit vote with DDoS?
April 12, 2017

The concerns around nation-state hackers echoes recent concerns regarding the US and French presidential elections.

A new report has raised concerns about the possible interference by nation-state hackers in the run-up to the Brexit vote.

The Commons Public Administration and Constitutional Affairs Committee (PACAC) said that MPs were concerned about foreign interference in last year’s Brexit vote. Although the report does not specifically identify the hackers or malicious actors responsible, it was noted that Russia and China were known to launch cyber attacks based on an understanding of mass psychology.

Many will note that the report echoes the recent claims and concerns surrounding Russia and its influence in the US and French presidential elections.

The report was launched to investigate the outage of the voter registration government website, with the outage hitting on one of the last days in the run-up to the vote, June 7. The government was forced to extend the deadline to register to vote in the EU referendum, allowing two further days for people to register.

The outage left tens of thousands of potential voters unable to complete registration, sparking a major voter registration row amongst the UK government and the Electoral Commission. Debate was further fuelled by arguments that the outage may disenfranchise voters and swing important votes. John Rakowski, Director of Technology Strategy at AppDynamics, said at the time:

“”Digital technology has revolutionised the way we interact with organisations – from shopping to banking, and now voting. The impact of young voters on the outcome of the EU referendum is unquestionable and technology plays a vital role. It’s unacceptable that thousands of Brits were left unable to vote due to an IT glitch that should have been anticipated and planned for months ago.”

Although an IT glitch was blamed at the time of the outage, the new report by MP’s points to a possible DDoS attack, but downplays its role in the referendum outcome.

“The crash had indications of being a DDOS ‘attack’. We understand that this is very common and easy to do with botnets… The key indicants are timing and relative volume rate,” the committee’s report said.

While the committee did not point the Brexit finger of blame at the website outage, it did note that lessons must be learned. While pointing to other nation states, the MP’s report said that it was crucial that the lessons learnt from this incident must extend past the purely technical.

“The US and UK understanding of ‘cyber’ is predominantly technical and computer network-based,” the report said.

“For example, Russia and China use a cognitive approach based on understanding of mass psychology and of how to exploit individuals.

“The implications of this different understanding of cyber-attack, as purely technical or as reaching beyond the digital to influence public opinion, for the interference in elections and referendums are clear.

“PACAC is deeply concerned about these allegations about foreign interference,” the report concluded.

However, due to the simplistic nature of the supposed DDoS attack on the voter registration site, many experts are saying that it is not the work of state hackers.

“This is a very serious allegation, and it should be thoroughly investigated by all appropriate means. However, I doubt that a serious actor, such as a nation state for example, can be behind this particular DDoS attack,” said  Ilia Kolochenko, CEO of web security firm, High-Tech Bridge.

“Governments have enough technical and financial resources to create smart botnets, simulating human behavior that would be hardly distinguishable from legitimate website visitors. Running a classic DDoS attack is too coarse, and would rather attract unnecessary attention to the external interference, trigger investigations and all other outcomes that smart attackers would avoid at any price.”

Source: http://www.cbronline.com/news/cybersecurity/breaches/hackers-fix-brexit-vote-ddos/