DDoS DDoS Attack Specialist DDoS Attacks DDoS Defense DDoS Protection Specialist Denial of Service Attack Stop DDoS
Hackers attacking WordPress sites via home routers
April 13, 2017

Administrators of sites using the popular blogging platform WordPress face a new challenge: hackers are launching coordinated brute-force attacks on the administration panels of WordPress sites via unsecured home routers, according to a report on Bleeping Computer.

Once they’ve gained access, the attackers can guess the password for the page and commandeer the account.

The home routers are corralled into a network which disseminates the brute-force attack to thousands of IP addresses negotiating around firewalls and blacklists, the report stated.

The flaw was detected by WordFence, a firm that offers a security plugin for the WordPress platform. The campaign is exploiting security bugs in the TR-069 router management protocol to highjack devices. Attackers gain entry by sending malicious requests to a router’s 7547 port.

The miscreants behind the campaign are playing it low-key to avoid detection, attempting only a few guesses at passwords for each router.

While the exact size of the botnet is unknown, WordFence reported that nearly seven percent of all the brute-force attacks on WordPress sites last month arrived from home routers with port 7547 exposed to the internet.

The flaw is exacerbated by the fact that most home users lack the technical know-how to limit access to their router’s 7547 port. In some cases, the devices do not allow the shuttering of the port.

A more practical solution is offered by WordFence: ISPs should filter out traffic on their network coming from the public internet that is targeting port 7547.

“The routers we have identified that are attacking WordPress sites are suffering from a vulnerability that has been around since 2014 when CheckPoint disclosed it,” Mark Maunder, CEO of WordFence CEO, told SC Media on Wednesday.

The specific vulnerability, he pointed out, is the “misfortune cookie” vulnerability. “ISPs have known about this vulnerability for some time and they have not updated the routers that have been hacked, leaving their customers vulnerable. So, this is not a case of an attacker continuously evolving a technique to infect routers. This is a case of opportunistic infection of a large number of devices that have a severe vulnerability that has been known about for some time, but has never been patched.”

There are two attacks, Maunder told SC. The first is the router that is infected through the misfortune cookie exploit. The other is the attacks his firm is seeing on WordPress sites that are originating from infected ISP routers on home networks.

“The routers appear to be running a vulnerable version of Allegro RomPager version 4.07,” Maunders said. “In CheckPoint’s original 2014 disclosure of this vulnerability they specifically note that 4.07 is the worst affected version of RomPager. So there is nothing new or innovative about this exploit, it is simply going after ISP routers that have a large and easy to hit target painted on them.”

The real story here, said Maunder, is that a number of large ISPs, several of them state owned, have gone a few years without patching their customer routers and their customers and the online community are now paying the price. “Customer home networks are now exposed to attackers and the online community is seeing their websites attacked. I expect we will see several large DDoS attacks originating from these routers this year.”

Source: https://www.scmagazine.com/hackers-attacking-wordpress-sites-via-home-routers/article/649992/

DDoS DDoS Attack Specialist DDoS Attacks DDoS Defense DDoS Protection Specialist Stop DDoS
Did hackers fix the Brexit vote with DDoS?
April 12, 2017

The concerns around nation-state hackers echoes recent concerns regarding the US and French presidential elections.

A new report has raised concerns about the possible interference by nation-state hackers in the run-up to the Brexit vote.

The Commons Public Administration and Constitutional Affairs Committee (PACAC) said that MPs were concerned about foreign interference in last year’s Brexit vote. Although the report does not specifically identify the hackers or malicious actors responsible, it was noted that Russia and China were known to launch cyber attacks based on an understanding of mass psychology.

Many will note that the report echoes the recent claims and concerns surrounding Russia and its influence in the US and French presidential elections.

The report was launched to investigate the outage of the voter registration government website, with the outage hitting on one of the last days in the run-up to the vote, June 7. The government was forced to extend the deadline to register to vote in the EU referendum, allowing two further days for people to register.

The outage left tens of thousands of potential voters unable to complete registration, sparking a major voter registration row amongst the UK government and the Electoral Commission. Debate was further fuelled by arguments that the outage may disenfranchise voters and swing important votes. John Rakowski, Director of Technology Strategy at AppDynamics, said at the time:

“”Digital technology has revolutionised the way we interact with organisations – from shopping to banking, and now voting. The impact of young voters on the outcome of the EU referendum is unquestionable and technology plays a vital role. It’s unacceptable that thousands of Brits were left unable to vote due to an IT glitch that should have been anticipated and planned for months ago.”

Although an IT glitch was blamed at the time of the outage, the new report by MP’s points to a possible DDoS attack, but downplays its role in the referendum outcome.

“The crash had indications of being a DDOS ‘attack’. We understand that this is very common and easy to do with botnets… The key indicants are timing and relative volume rate,” the committee’s report said.

While the committee did not point the Brexit finger of blame at the website outage, it did note that lessons must be learned. While pointing to other nation states, the MP’s report said that it was crucial that the lessons learnt from this incident must extend past the purely technical.

“The US and UK understanding of ‘cyber’ is predominantly technical and computer network-based,” the report said.

“For example, Russia and China use a cognitive approach based on understanding of mass psychology and of how to exploit individuals.

“The implications of this different understanding of cyber-attack, as purely technical or as reaching beyond the digital to influence public opinion, for the interference in elections and referendums are clear.

“PACAC is deeply concerned about these allegations about foreign interference,” the report concluded.

However, due to the simplistic nature of the supposed DDoS attack on the voter registration site, many experts are saying that it is not the work of state hackers.

“This is a very serious allegation, and it should be thoroughly investigated by all appropriate means. However, I doubt that a serious actor, such as a nation state for example, can be behind this particular DDoS attack,” said  Ilia Kolochenko, CEO of web security firm, High-Tech Bridge.

“Governments have enough technical and financial resources to create smart botnets, simulating human behavior that would be hardly distinguishable from legitimate website visitors. Running a classic DDoS attack is too coarse, and would rather attract unnecessary attention to the external interference, trigger investigations and all other outcomes that smart attackers would avoid at any price.”

Source: http://www.cbronline.com/news/cybersecurity/breaches/hackers-fix-brexit-vote-ddos/

DDoS DDoS Attack Specialist DDoS Attacks DDoS Defense DDoS Protection Specialist Stop DDoS Stop DDoS Attacks
Canada one of sources for destructive IoT botnet
April 11, 2017

Canada is among the countries that have been stung by a mysterious botnet infecting Internet-connected devices using the Linux and BusyBox operating systems that essentially trashes the hardware, according to a security vendor.

Called a Permanent Denial of Service attack (PDoS) – also called “plashing” by some – the attack exploits security flaws or misconfiguration and goes on to destroy device firmware and/or basic functions of a system, Radware said in a blog released last week.

The first of two versions has rendered IoT devices affected into bricks, which presumably is why the attack has been dubbed the BrickerBot. A second version goes after IoT devices and Linux servers.

“Over a four-day period, Radware’s honeypot recorded 1,895 PDoS attempts performed from several locations around the world,” the company said in the blog. “Its sole purpose was to compromise IoT devices and corrupt their storage.”

After accessing a device by brute force attacks on the Telnet login, the malware issues a series of Linux commands that will lead to corrupted storage, followed by commands to disrupt Internet connectivity, device performance, and the wiping of all files on the device.

Vulnerable devices have their Telnet port open. Devices tricked into spreading the attack — mainly equipment from Ubiquiti Networks Inc. including wireless access points and bridges with beam directivity — ran an older version of the Dropbear secure shell (SSH) server. Radware estimates there are over 20 million devices with Dropbear connected to the Internet now which could be leveraged for attacks.

Targets include digital video cameras and recorders, which have also been victimized by the Mirai or similar IoT botnets.

According to Radware, the PDoS attempts it detected came from a limited number of IP addresses in Argentina, the U.S., Canada, Russia, Iran, India, South Africa and other countries.

Screen Shot 2017-04-11 at 11.10.48

Two versions of the bot were found starting March 20: Version one, which was short-lived and aimed at BusyBox devices, and version two, which continues and has a wider number of targets. While the IP addresses of servers used to launch the first attack can be mapped, the more random addresses of servers used in the second attack have been obscured by Tor egress nodes. The second version is not only going after IoT devices but also Unix and Linux servers by adding new commands.

What makes this botnet mysterious is that it wipes out devices, rather than try to assemble them into a large dagger that can knock out web sites – like Mirai.

“BrickerBot 2 is still ongoing,” Pascal Geenens, a Radware security evangelist based in Belgium, said in a phone interview this morning. “We still don’t have an idea who it is because it’s still hiding behind the Tor network.”

“We still have a lot of questions like where was it originating from, what is the motivation? One of them could be someone who’s angry at IoT manufacturers for not solving that [security] problem, maybe somebody who suffered a DDoS attack and wants to get back at manufacturers by bricking the devices. That way it solves the IoT problem and gets back at manufacturers.

“Another idea that I have is maybe its a hacker that is running Windows-based botnets, which are more costly to maintain.” It’s easy to inspect and compromise an IoT device through a Telnet command, he explained, so IoT botnet are easy to assemble. That lowers the cost for a botnet-for-hire. By comparison Windows devices have to be compromised through phishing campaigns that trick end users into downloading binaries that evade anti-virus software. It’s complex. So Geenens wonders if a hacker’s goal here is to get into IoT botnets and destroy the devices, which then raises the value of his Windows botnet.

Another theory is the attacker is searching for Linux-based honeypots — traps set by infosec pros  — with default passwords.

He also pointed out Unix or Linux-based servers with default credentials are vulnerable to the BrickerBot 2 attack. However, he added, there wouldn’t be many of those because during installation process Linux ask for creation of a root password, so there isn’t a default credential. The exception, he added, is a pre-installed image downloaded from the Internet.

Administrators who have these devices on their networks are urged to change factory default credentials and disable Telnet access. Network and user behavior analysis can detect anomalies in traffic, says Radware.

Source: http://www.itworldcanada.com/article/canada-one-of-sources-for-destructive-iot-botnet/392242

DDoS DDoS Attack Specialist DDoS Attacks DDoS Defense DDoS Protection Specialist Stop DDoS Stop Hackers
Identifying the three steps of DDoS mitigation
April 10, 2017

It’s not a matter of if you’re going to be DDoS attacked, it’s a matter of when – many APAC organisations fail to understand the threat and quantify the risk – right-sizing and verifying the solution is a must. When an attack occurs, the mature organisation is prepared to effectively mitigate the attack – protecting themselves (and in turn their clients and partners) from unacceptable financial and reputational impact.

Let us look at these three steps, understand, quantify and mitigate, in detail.

1.Understand the threat

The threat imposed by DDoS attacks in APAC is more significant than global counterparts. A recent Neustar survey showed that 77 percent of organisations within APAC have been attacked at least once, compared to 73 percent globally. Organisations within the region are also getting attacked more frequently, with 83 percent of those attacked being attacked more than once, and 45 percent having been attacked more than six times.

In addition, attack sizes are steadily growing. In 2015, the average attack size identified by Neustar was about 5GB per second. By September 2016, average attack sizes had reached up to 7GB per second – and this was prior to the Mirai driven – IoT fuelled attacks – like those on Krebs, OVH and Dyn. Given this, we should expect a considerable rise in the mean size of volumetric attacks during 2017.

We’ve also seen a steady increase in the number of multi-vector attacks – which now equates to about 50 percent of all DDoS attacks. In a multi-vector attack – the criminals are potentially aiming to distract an organisation with the DDoS attack while they go after their main target. They use the DDoS attack to draw away the organisations defensive capacity while they plant ransomware, breach the network or steal valuable data. Within APAC, compared to the global average of 25 percent, network breaches associated with a multi-vector attack is sitting at 33 percent, according to Neustar’s own data. This begs the question, are APAC organisations deficient when it comes to perimeter protection?

When dealing with an attack, speed is critical. But surprisingly, within APAC, on average almost half of all organisations take over three hours to detect an attack and an additional three hours to respond. This is significantly higher than the global average of 29 percent and 28 percent respectively.

Worryingly, slow detection and response can lead to huge damages financially. Around half of all organisations stand to lose an average of $100,000 per hour of peak downtime during an attack. To exacerbate this, half the attacked organisations were notified of the attack by a third party, inflicting additional potential reputational damage.

2.Quantify the risk

If a person goes to insure their car, they’re not going to over or underinsure it. That is, they’re not going to pay a premium associated with a higher value car – if the car gets written-off, they’re only going to get the value of the car, not the extra value associated with the premium. Alternatively, if they are underinsured, they’re not going to get back the full value of the car – they will need to pay an additional amount to replace the car.

When looking at a DDoS environment, it is a similar scenario. An organisation will want to make sure it understands the level of risk and apply the right mitigation and the right cost to protect that risk. Paying the cost for a DDoS mitigation that exceeds their requirements is like over insuring the car – you are paying a premium for a service that does not match your level of risk/potential loss. Similarly, implementing a DDoS mitigation that does not cover the risk will likely lead to additional costs, resulting from greater organisational impact and additional emergency response activities.

Risk management is critical – rightsizing is a must – organisations need to prepare and implement a sound mitigation plan.

To understand the severity of the risk DDoS imposes, organisations must quantify both probability and impact – tangible and intangible – and know the risk appetite and technical environment of the organisation. Once this information is gathered and the severity of the risk is understood, there are three key critical elements of producing a good mitigation plan that must be enacted: detection, response and rehearsal.

3.Mitigate the attack

Block DDoS DDoS DDoS Attack Specialist DDoS Attacks DDoS Defense DDoS Protection Specialist
#OpIsrael: Anonymous hackers poised to execute ‘electronic holocaust’ cyberattacks against Israel
April 7, 2017

Hacktivists pledge to take government, military and business websites offline in annual attacks.

Since 2013, hackers and internet activists affiliated with the notorious Anonymous collective have targeted digital services as part of #OpIsrael, a campaign designed to take down the websites of government, military and financial services in the country.

Taking place annually on 7 April, it first started in 2013 to coincide with a Holocaust memorial service. Anonymous-linked hackers take to Twitter and YouTube to tout their cybercrime plans – which includes defacements and distributed denial of service (DDoS) attacks as a retaliation against Israel’s treatment of the Palestinians.

On PasteBin, a list of targets for the 2017 series of attacks has been posted, naming potential victims as the government and parliament websites.

In one YouTube video, links to alleged DDoS tools had been posted. These have the ability to send surges of malicious traffic at a website domain to take it offline.

“We are coming back to punish you again for your crimes in the Palestinian territories as we do every year,” a statement being circulated by Anonymous-linked accounts online pledged.

The statement said the hackers’ plan is to take down servers and the websites of the government, military, banks and unspecified public institutions. “We’ll erase you from cyberspace as we have every year,” it added, continuing: “[It] will be an electronic holocaust.

“Elite cyber-squadrons from around the world will decide to unite in solidarity with the Palestinian people, against Israel, as one entity to disrupt and erase Israel from cyberspace.

“To the government, as we always say, expect us.”

Far from being shocked at the news of the attacks, both cybersecurity experts and government officials have brushed off the aggressive rhetoric from the hacking group. It is not believed that past attacks have caused any physical damage other than website outages.

Dudu Mimran, a chief technology officer at Ben-Gurion University, told The Jerusalem Post on 5 April that the attacks may actually be used as “training” for the Israelis. “From a training perspective there is always a learning lessons from this kind of event,” he said.

Mimran claimed the biggest threat that may come from #OpIsrael is that it keeps government and business officials distracted from other – potentially more serious attacks. “When it makes everyone busy it gives slack to more serious attackers,” he said.

Nevertheless, he added that “Israel and many other Western countries – but Israel in particular – are always under attack and ultimately concluded: “It does not elevate any serious threat on Israel.” On the morning of 7 April, Anonymous tweets mounted. “#OpIsrael has begun,” one claimed.

Anonymous has been linked to numerous cyberattacks in recent years, launching campaigns on targets including US president Donald Trump, the government of Thailand and Arms supplier Armscor. The group has no known leadership and remains a loose collective of hackers.

Source: http://www.ibtimes.co.uk/opisrael-anonymous-hackers-poised-execute-electronic-holocaust-cyberattacks-against-israel-1615926