A new Mirai variant comes with eleven new exploits; the most notable new targets are the enterprise WePresent WiPG-1000 Wireless Presentation system and the LG Supersign TV.
A previous report by Palo Alto Networks’ Unit 42 from September saw a strain of the Mirai botnet switching targets to attack Apache Struts servers using the same exploit employed in last year’s Equifax breach, while a new Gafgyt version was observed attacking SonicWall firewalls, as part of a larger move against enterprise assets.
In both those instances, the Unit 42 researchers saw exploits for older, already patched vulnerabilities used in the attacks, suggesting the threat actors are trying to make their work easier by compromising unpatched devices affected by severe flaws such as CVE-2017-5638 in Apache Struts.
Mirai attacks against enterprise devices mounting up
This time, the researchers found that, besides its usual marks (routers, network video cameras, modem routers and wireless controllers), the Mirai version detected in January 2019 is also scanning for and exploiting LG Supersign TVs and WePresent WiPG-1000 Wireless Presentation systems found in enterprise environments.
With the 11 new exploits added by its operators, the total number of exploits the variant carries now reaches 27. Unit 42 also found the botnet’s malicious payload hosted on a Colombian company’s server which, ironically, provides “electronic security, integration and alarm monitoring” services.
“These new features afford the botnet a large attack surface. In particular, targeting enterprise links also grants it access to larger bandwidth, ultimately resulting in greater firepower for the botnet for DDoS attacks,” according to Unit 42.
The new Mirai variant spotted by Unit 42 also comes with a handful of new features:
Mirai is a self-propagating botnet created by Paras Jha, Josiah White, and Dalton Norman, originally designed to target Internet of Things (IoT) devices such as routers, digital video recorders, and IP cameras, transforming them into “bots” upon successful compromise which can later be used as sources for large-scale Distributed Denial of Service attacks.
During 2016, some malicious actors were advertising huge Mirai botnets of hundreds of thousands of infected devices, capable of DDoS attacks exceeding 650Gbps and of knocking hundreds of thousands of devices offline [1, 2] in a single campaign.
Mirai still going strong despite its creators getting caught
It all started after Jha posted Mirai’s source code on a hacking forum in 2016. Since then, other bad actors have used the code he shared as a starting point for numerous other botnets, most of them at least as sophisticated as the original and, once in a while, adding newer and more complex attack tools [1, 2, 3, 4, 5, 6].
While their “masterpiece” was and still is being improved by others, and is still going strong as Unit 42’s newest report on the new variant proves, Jha, White, and Norman pleaded guilty to their role in creating the malware in December 2017, after Jha was first questioned by the FBI in January 2017 and US authorities charged all three of them in May 2017.
Paras Jha was separately sentenced in October 2018 and ordered “to pay $8.6 million in restitution and serve six months of home incarceration,” according to a DoJ release from October 26, 2018.
For the Mirai case itself, the three were each sentenced to five years of probation and 2,500 hours of community service, ordered to pay $127,000 in restitution, and required to forfeit the cryptocurrency seized during the investigation. They avoided prison time because they had assisted the FBI in other cybercrime investigations.
Most organizations understand that DDoS attacks are disruptive and potentially damaging. But many are also unaware of just how quickly the DDoS landscape has changed over the past two years, and underestimate how significant the risk from the current generation of attacks has become to the operation of their business. Here, I’m going to set the record straight about seven of the biggest misconceptions that I hear about DDoS attacks.
There are more important security issues than DDoS that need to be resolved first.
When it comes to cyber-attacks, the media focuses on major hacks, data breaches and ransomware incidents. Yet DDoS attacks are growing rapidly in scale and severity: the number of attacks grew by 71% in Q3 2018 alone, to an average of over 175 attacks per day, while the average attack volume more than doubled, according to the Link11 DDoS Report. There is no shortage of damaging examples. In late 2017, seven of the UK’s biggest banks were forced to reduce operations or shut down entire systems following a DDoS attack, costing hundreds of thousands of pounds according to the UK National Crime Agency. And in 2018, online services from several Dutch banks and numerous other financial and government services in the Netherlands were brought to a standstill in January and May. These attacks were launched using Webstresser.org, the world’s largest provider of DDoS-on-demand, which sold attack services for as little as £11. It costs a criminal almost nothing and requires little to no technical expertise to mount an attack, but it costs a company a great deal to repair the damage.
What’s more, DDoS attacks are often used as a distraction, to divert IT teams’ attention away from attempts to breach corporate networks. As such, dealing with DDoS attacks should be regarded as a priority, not a secondary consideration.
I know that DDoS attacks are common, but I’ve never been affected before
Many companies underestimate the risk of being hit by DDoS because they have never been hit before. The truth is that a single attack is often more than enough to cause severe damage across the value chain, and that potentially affects any company connected to the Internet in any way. Overload attacks affect not only websites but all other network-facing services: e-mail, intranet, customer connections, supplier and workflow systems, and more. Today, customers and partners expect 100% availability. Beyond the business interruption from lost production and recovery costs, reputational damage is a common consequence. Total costs for an incident can quickly run into the millions. By comparison, the cost of proactive protection against these attacks is almost negligible.
There are many providers offering a solution, so DDoS is an easy problem to fix
DDoS is not a new topic, which means that many of the available solutions are outdated. Only a few providers deliver up-to-date, real-time protection that secures against all types of attacks on all network layers. Only a handful can react immediately in an emergency, i.e. once an attack is already under way, and quickly put the right protection in place for the organization.
Reacting to an attack within a few minutes is sufficient
Ideally, the use of intelligent defence systems and always-on protection should prevent a failure in the first place. However, if a new attack pattern appears, the first 30 seconds are crucial. Even if an attack is mitigated after just one minute, subsequent IP connections will already be interrupted (for example, collapsing an IPSec tunnel) and it may take several hours until availability is restored. Although this prevents follow-up actions that can lead to infiltration and data theft, the economic costs of lost revenue, loss of productivity and damage to reputation can still be immense. Therefore, it is vital for organizations to implement a solution that guarantees mitigation in a matter of seconds.
We have our own 24/7 Security Operations Center (SOC), so we are immune
In the flood of security alerts a SOC handles, it is likely that some events are overlooked or not correlated with other activity. Furthermore, the sheer volume of analysis and countermeasures required cannot be handled manually. Only a fully automated process, built on intelligent and globally networked systems and designed to remove human error from the process chain, can provide comprehensive protection. Industrial-scale attacks can only be countered with industrial-scale defences.
I am already in the cloud and am automatically protected by my cloud provider
The major cloud providers offer some basic DDoS protections, but these are not designed to stop targeted, mega-scale attacks. In late 2016, the massive Dyn DDoS attack disrupted access to many major online services worldwide. In addition, cloud applications can be attacked by other applications running within the same cloud. Therefore, when running business-critical applications in the cloud, it is important to consider deploying additional DDoS protection for those applications.
I have invested in hardware that offers protection
Although these appliances deliver high infrastructure performance, they only provide static protection against DDoS attacks. This means the DDoS protection can only be as good as the current version of the filtering software, which is already outdated as soon as it is released. This approach might have worked a couple of years ago. Nowadays, however, with ever more complex and powerful attacks that combine several vectors and target multiple layers at the same time, this kind of protection is insufficient. Effective protection is only possible with intelligent, networked systems that use advanced machine-learning techniques to analyse traffic and build a profile of legitimate traffic.
In conclusion, DDoS protection needs to be seen as an essential part of the IT security infrastructure. Starting to evaluate solutions once an attack is under way is too late. By addressing the misconceptions above and implementing the measures described in this text, companies can put their business continuity strategy on a sustainable footing.
When someone in your organization starts using internet-connected devices without IT’s knowledge, that’s shadow IoT. Here’s what you need to know about its growing risk.
Shadow IoT definition
Shadow IoT refers to internet of things (IoT) devices or sensors in active use within an organization without IT’s knowledge. The closest precedent dates from before bring your own device (BYOD) policies, when employees used personal smartphones or other mobile devices for work without IT’s involvement. “Shadow IoT is an extension of shadow IT, but on a whole new scale,” says Mike Raggo, CSO at 802 Secure. “It stems not only from the growing number of devices per employee but also the types of devices, functionalities and purposes.”
Employees have been connecting personal tablets and mobile devices to the company network for years. Today, employees are increasingly using smart speakers, wireless thumb drives and other IoT devices at work as well. Some departments install smart TVs in conference rooms or are using IoT-enabled appliances in office kitchens, such as smart microwaves and coffee machines.
In addition, building facilities are often upgraded with industrial IoT (IIoT) sensors, such as heating ventilation and air conditioning (HVAC) systems controlled by Wi-Fi-enabled thermostats. Increasingly, drink machines located on company premises connect via Wi-Fi to the internet to accept, say, Apple Pay payments. When these sensors connect to an organization’s network without IT’s knowledge, they become shadow IoT.
How prevalent is shadow IoT?
Gartner predicts that 20.4 billion IoT devices will be in use globally by 2020, up from 8.4 billion in 2017. Shadow IoT has become widely prevalent as a result. In 2017, 100 percent of organizations surveyed reported ‘rogue’ consumer IoT devices on the enterprise network, and 90 percent reported discovering previously undetected IoT or IIoT wireless networks separate from the enterprise infrastructure, according to a 2018 report from 802 Secure.
One-third of companies in the U.S., U.K. and Germany have more than 1,000 shadow IoT devices connected to their network on a typical day, according to a 2018 Infoblox report on shadow devices. Infoblox’s research found that the most common IoT devices on enterprise networks are:
Fitness trackers such as Fitbits, 49 percent
Digital assistants such as Amazon Alexa and Google Home, 47 percent
Smart TVs, 46 percent
Smart kitchen devices such as connected microwaves, 33 percent
Gaming consoles such as Xboxes or PlayStations, 30 percent
What are shadow IoT’s risks?
IoT devices are often built without inherent, enterprise-grade security controls, are frequently set up with default IDs and passwords that criminals can easily find via internet searches, and are sometimes added to an organization’s main Wi-Fi networks without IT’s knowledge. Consequently, the devices aren’t always visible in an organization’s inventory. IT can’t control or secure devices it can’t see, making smart connected devices an easy target for hackers and cybercriminals. The result: IoT attacks grew by 600 percent in 2017 compared to 2016, according to Symantec.
Vulnerable connected devices are easily discoverable online via search engines for internet-connected devices such as Shodan, Infoblox’s report points out. “Even when searching simple terms, Shodan provides details of identifiable devices, including the banner information, HTTP, SSH, FTP and SNMP services. As identifying devices is the first step in accessing devices, this provides even lower-level criminals with an easy means of identifying a vast number of devices on enterprise networks that can then be targeted for vulnerabilities.”
Why aren’t most shadow IoT devices secure?
When PCs were first released decades ago, their operating systems weren’t built with inherent security, Raggo observes. As a result, securing PCs against viruses and malware remains an ongoing struggle.
In contrast, the iOS and Android mobile operating systems were designed with integrated security, such as app sandboxing. While mobile devices aren’t bullet-proof, they’re typically more secure than desktops and laptops.
With today’s IoT and IIoT devices, “It’s like manufacturers have forgotten everything we’ve learned about security from mobile operating systems,” Raggo says. “There are so many IoT manufacturers, and the supply chain for building the devices is scattered all over the world, leading to a highly fragmented market.”
Because IoT devices tend to be focused on just one or two tasks, they often lack security features beyond basic protocols such as WPA2 Wi-Fi, which has its vulnerabilities. The result: Billions of unsecured IoT devices are in use globally on enterprise networks without IT’s knowledge or involvement.
“I bought 10 or 15 IoT devices a few years ago to check out their security,” says Chester Wisniewski, principal research scientist at Sophos. “It was shocking how fast I could find their vulnerabilities, which means anyone could hack them. Some devices had no process for me to report vulnerabilities.”
Have criminal hackers successfully targeted shadow IoT devices?
Yes. Probably the most famous example to date is the 2016 Mirai botnet attack, in which unsecured IoT devices such as Internet Protocol (IP) cameras and home network routers were hacked to build a massive botnet army. The army executed hugely disruptive distributed denial of service (DDoS) attacks, such as one that left much of the U.S. east coast internet inaccessible. The Mirai source code was also shared on the internet, for criminal hackers to use as building blocks for future botnet armies.
Other exploits are available that enable cybercriminals to take control of IoT devices, according to the Infoblox report. “In 2017, for example, WikiLeaks published the details of a CIA tool, dubbed Weeping Angel, that explains how an agent can turn a Samsung smart TV into a live microphone. Consumer Reports also found flaws in popular smart TVs that could be used to steal data as well as to manipulate the televisions to play offensive videos and install unwanted apps.”
Along with amassing botnet armies and conducting DDoS attacks, cybercriminals can also exploit unsecured IoT devices for data exfiltration and ransomware attacks, according to Infoblox.
In one of the oddest IoT attacks thus far, criminals hacked into a smart thermometer inside a fish tank in a casino lobby to access its network. Once in the network, the attackers were able to steal the casino’s high-roller database.
The future potential of IoT-enabled cyberattacks is enough to give CSOs and other IT security professionals concern. “Consider the damage to vital equipment that could occur if someone connected into an unsecured Wi-Fi thermostat and changed the data center temperature to 95 degrees,” Raggo says. In 2012, for instance, cybercriminals hacked into the thermostats at a state government facility and a manufacturing plant and changed the temperatures inside the buildings. The thermostats were discovered via Shodan, a search engine devoted to internet-connected devices.
To date, the impact of IoT device exploits hasn’t been hugely negative for any particular enterprise, says Wisniewski, in terms of exploiting sensitive or private data. “But when a hacker figures out how to make a big profit compromising IoT devices, like using a brand of smart TVs for conference room spying, that’s when the shadow IoT security risk problem will get everyone’s attention.”
3 ways to mitigate shadow IoT security risks
Make it easy for users to officially add IoT devices. “The reason you have shadow IT and shadow IoT is often because the IT department is known for saying ‘no’ to requests to use devices like smart TVs,” says Wisniewski. Instead of outright banning IoT devices, fast-tracking their approval whenever possible and feasible—within, say, 30 minutes after the request is made—can help reduce the presence of shadow IoT.
“Publish and circulate your approval process,” Wisniewski adds. “Get users to fill out a brief form and let them know how quickly someone will get back to them. Make the process as flexible and as easy for the requester as possible, so they don’t try to hide something they want to use.”
Proactively look for shadow IoT devices. “Organizations need to look beyond their own network to discover shadow IoT, because much of it doesn’t live on the corporate network,” Raggo says. “More than 80 percent of IoT is wireless-enabled. Therefore, wireless monitoring for shadow IoT devices and networks can allow visibility and asset management of these other devices and networks.”
Traditional security products list devices by a media access control (MAC) address or a vendor’s organizationally unique identifier (OUI), yet they are largely unhelpful in an environment with a plethora of different types of devices, Raggo adds. “IT really wants to know ‘what is that device?’ so they can determine if it’s a rogue or permitted device. In today’s world of deep-packet inspection and machine learning, mature security products should provide human-friendly categorizations of discovered assets to ease the process of asset management and security.”
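As an added illustration of the “what is that device?” problem, and not code from 802 Secure or from the article: the Python below combines the MAC OUI with the DHCP vendor class (option 60), the hostname and any mDNS service types seen, to produce a human-readable category and a rogue/permitted verdict against an approved inventory. The OUI table and the device records are constructed for the example; the OUIs are locally-administered placeholders, and a real deployment would load the IEEE OUI registry and feed in captured DHCP and mDNS traffic instead.

```python
import re
from dataclasses import dataclass

# Constructed placeholder OUI table (hypothetical vendors); a deployment loads the IEEE registry.
OUI_VENDORS = {
    "02:00:A1": "Acme Displays (hypothetical)",
    "02:00:A2": "Acme Wearables (hypothetical)",
    "02:00:A3": "Acme Computers (hypothetical)",
}

# Ordered heuristics over DHCP option 60, hostname and mDNS service types.
# First match wins, so the more specific IoT rules sit above the generic workstation rule.
CATEGORY_RULES = [
    ("smart TV",        re.compile(r"_googlecast\._tcp|\btv\b|roku", re.I)),
    ("voice assistant", re.compile(r"alexa|echo|google-home", re.I)),
    ("fitness tracker", re.compile(r"fitbit|tracker", re.I)),
    ("thermostat/HVAC", re.compile(r"thermostat|hvac", re.I)),
    ("workstation",     re.compile(r"MSFT 5\.0|darwin|ubuntu", re.I)),
]


@dataclass(frozen=True)
class Device:
    mac: str
    hostname: str = ""
    vendor_class: str = ""   # DHCP option 60 as sent by the client
    mdns_services: str = ""  # service types seen in mDNS announcements, space-separated


def oui_vendor(mac: str) -> str:
    """Map the first three octets of a MAC to a vendor name, or 'unknown vendor'."""
    return OUI_VENDORS.get(mac.upper()[:8], "unknown vendor")


def categorize(dev: Device) -> str:
    """Return a human-friendly category from all evidence the device leaked on the wire."""
    evidence = " ".join((dev.hostname, dev.vendor_class, dev.mdns_services))
    for label, pattern in CATEGORY_RULES:
        if pattern.search(evidence):
            return label
    return "uncategorised"


def triage(devices, approved_macs):
    """One record per observed device: vendor, category and a rogue/permitted verdict."""
    approved = {m.upper() for m in approved_macs}
    return [
        {
            "mac": dev.mac.upper(),
            "vendor": oui_vendor(dev.mac),
            "category": categorize(dev),
            "status": "permitted" if dev.mac.upper() in approved else "rogue",
        }
        for dev in devices
    ]


# Constructed sample observations, e.g. from DHCP lease logs and an mDNS listener.
SAMPLE_DEVICES = [
    Device("02:00:A3:11:22:33", hostname="LAPTOP-7F3K", vendor_class="MSFT 5.0"),
    Device("02:00:a1:44:55:66", hostname="conference-tv",
           mdns_services="_googlecast._tcp _airplay._tcp"),
    Device("02:00:A2:77:88:99", hostname="fitbit-charge"),
    Device("02:00:FF:00:00:01", hostname="lobby-thermostat"),
]
APPROVED_MACS = ["02:00:A3:11:22:33"]   # the asset inventory IT actually maintains


def rogue_devices():
    """Devices seen on the network that are not in the approved inventory."""
    return [r for r in triage(SAMPLE_DEVICES, APPROVED_MACS) if r["status"] == "rogue"]


if __name__ == "__main__":
    for record in triage(SAMPLE_DEVICES, APPROVED_MACS):
        print(f'{record["mac"]}  {record["status"]:9}  {record["category"]:16}  {record["vendor"]}')
```

The point of the heuristics is that the verdict does not depend on the OUI alone: the thermostat in the sample has no OUI match at all, yet its hostname is enough to categorise it and its absence from the inventory is enough to flag it.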
Isolate IoT. Ideally, new IoT and IIoT devices should connect to the internet via a separate Wi-Fi network dedicated to such devices and controlled by IT, says Wisniewski. That network should be configured to let IoT devices send traffic out and to block inbound connections to them. “With the majority of IoT devices, nothing legitimate is ever transmitted to them,” he says.
Anything shadowy is a problem
“Shadow anything is a problem, whether it’s an IoT device or any other addressable, unmanaged item,” says Wisniewski. “The key is controlling access to the network from only authorized devices, keeping an accurate inventory of authorized devices, and having clear policies in place to ensure employees know they aren’t allowed to ‘bring their own’ devices and that HR sanctions will be enforced if they do.”
Illinois man offered “DDoS for hire” services that hit millions of victims.
Sergiy P. Usatyuk, who owned a series of services that collectively launched millions of distributed denial-of-service (DDoS) attacks, has pleaded guilty in federal court to one count of conspiracy to cause damage to Internet-connected computers. The services he owned and offered for use included ExoStress.in (“ExoStresser”), QuezStresser.com, Betabooter.com (“Betabooter”), Databooter.com, Instabooter.com, Polystress.com, and Zstress.net.
The sites were booter services, a class of publicly available, Web-based services that allow cybercriminals to launch DDoS attacks, often for low fees paid by customers who sign up via Web browser and online payment.
According to court documents, Usatyuk ran the network between August 2015 and November 2017. In September 2017, the ExoStresser website advertised that “… its booter service alone had launched 1,367,610 DDoS attacks, and caused targeted victim computer systems to suffer 109,186.4 hours of network downtime,” one of the documents shows.
Connected devices often get attacked minutes after being plugged in.
IoT devices are being attacked with greater regularity than ever before, new research has suggested.
According to a new report by NETSCOUT, smart products often come under attack within five minutes of being plugged in, and are targeted by specific exploits within a day.
The Threat Landscape Report says IoT device security is ‘minimal to non-existent’ on many devices. That makes the IoT sector among the most vulnerable ones, especially knowing that medical equipment and connected cars fall under the IoT category.
DDoS, in general, is still on the rise, the report adds. The number of such attacks grew by a quarter last year. Attacks in the 100-400 Gbps range ‘exploded’, it says, which it reads as evidence of attackers’ ‘continued interest’ in this attack vector.
The global maximum DDoS attack size grew by 19 per cent last year, compared to the year before.
International institutions, such as the UN or the IMF, have never been this interesting to attackers: DDoS attacks against such organisations rose by almost 200 per cent last year.
Attackers operate much like legitimate businesses. They employ the affiliate model, allowing them to rake in profits quickly.
“Our global findings reveal that the threat landscape in the second half of 2018 represents the equivalent of attacks on steroids,” said Hardik Modi, NETSCOUT’s senior director of Threat Intelligence. “With DDoS attack size and frequency, volume of nation state activity and speed of IoT threats all on the rise, the modern world can no longer ignore the digital threats we regularly face from malicious actors capable of capitalizing on the interdependencies that wind through our pervasively connected world.”
Federal authorities have arrested two alleged members of a hacking group known as the Apophis Squad on charges of making false threats of violent attacks and staging attacks on multiple computer systems.
According to an announcement from the Department of Justice (DoJ), the two defendants, Timothy Dalton Vaughn, 20, of Winston-Salem, North Carolina, and George Duke-Cohan, 19, of Hertfordshire, United Kingdom, are allegedly part of a global group of hackers suspected of wreaking havoc on the internet for the better part of 2018, including launching distributed-denial-of-service (DDoS) attacks.
Duke-Cohan, who is already serving a three-year sentence in the UK for threatening an airline, which turned out to be a hoax, is believed to go by the names DigitalCrimes and 7R1D3N7 online.
The defendants face multiple charges, including conducting cyber- and swatting attacks against individuals, businesses and institutions in the US and the UK, according to the DoJ.
“Members of Apophis Squad communicated various threats – sometimes using ‘spoofed’ email addresses to make it appear the threats had been sent by innocent parties, including the mayor of London,” the announcement stated.
“They also allegedly defaced websites and launched denial-of-service attacks. In addition, Vaughn allegedly conducted a DDoS attack that took down hoonigan.com, the website of a Long Beach motorsport company, for three days, and sent extortionate emails to the company demanding a Bitcoin payment to cease the attack.”
If convicted of all charges in the 11-count indictment, Vaughn could be sentenced to a maximum of 80 years in prison. Duke-Cohan, who is facing nine charges, could be sentenced to a maximum of 65 years if found guilty.
“The Apophis Squad also took credit for hacking and defacing the website of a university in Colombia, resulting in visitors to the site seeing a picture of Adolf Hitler holding a sign saying ‘YOU ARE HACKED’ alongside the message ‘Hacked by APOPHIS SQUAD,’” the DoJ wrote.
Although most scrubbing services can help fend off distributed denial of service attacks, a more comprehensive mitigation strategy is required to remain unscathed
What was possibly the world’s biggest distributed denial of service (DDoS) attack in February 2018 was stopped in its tracks after 20 minutes because there was a DDoS protection service in place.
The attack on GitHub, a popular online code management service used by millions of developers, experienced incoming traffic of 1.3Tbps, bombarded by packets at a rate of 126.9 million per second. Within 10 minutes of the attack, GitHub had sounded the alarm and routed its traffic to its DDoS mitigation service Akamai Prolexic, which sorted out and blocked the malicious traffic.
GitHub is not alone, as DDoS attacks have grown in intensity and become more sophisticated. Since 2017, businesses in the Asia-Pacific (APAC) region started to experience DDoS attacks at almost the same rate as North American businesses, which have traditionally been the most targeted, said Shahnawaz Backer, security specialist for APAC at F5 Networks, based on F5’s data.
And ASEAN organisations are not standing still. The DDoS market in ASEAN has seen significant growth, accounting for 20% of the APAC market, according to Frost & Sullivan.
A growing number of enterprises are investing in DDoS solutions, especially cloud-based DDoS mitigation services, with a shift away from a service-provider-centric market.
A DDoS attack is one of the most complex threats that businesses can face. The goal of the individual hacker, organised criminals or state actors is to overwhelm a company’s network, website or network component, such as a router. To begin with, organisations have to determine whether a spike in traffic is legitimate or is an attack.
“Without a solid understanding of baselines and historic traffic trends, organisations are unlikely to detect an attack until it is too late,” said Sherrel Roche, senior market analyst at IDC’s Asia-Pacific business and IT services research group.
Landbank, the largest government-owned bank in the Philippines, has taken the step of implementing F5’s BIG-IP local traffic manager to understand its application traffic and performance better, as well as to gain full visibility into customer data as it enters and leaves an application. This enables the security team to inspect, manage and report fraudulent transactions as soon they are spotted.
Complementing that is an on-premise application level layer 7 DDoS mitigation service to ensure mission-critical applications are protected against application-specific attacks.
It can be relatively simple to launch a DDoS attack with readily available DDoS-for-hire services, and even people with little or no technical skills can launch a damaging attack.
One such attack, which generated over 170Gbps of traffic, was organised over chatrooms on the Steam game distribution platform and IRC (internet relay chat), with many participants using downloaded tools; one of those tools came with a YouTube tutorial made by a 12-year-old developer, said Fernando Serto, head of security technology and strategy at Akamai Technologies APAC.
Part of the challenge of DDoS is the complexity of these attacks. Not only are there several categories of attack method, but each category has a host of different attacks. The same target can also be attacked using several different attack vectors.
On top of that, some attacks can be hard to detect. One notable attack involved overwhelming the target’s DNS (domain name system) server through a series of bursts that lasted several minutes, instead of a sustained attack.
“This led to defender fatigue as these bursts of traffic were coming in over a long period of time, and detection, let alone mitigation, of these types of attacks becomes very difficult,” said Serto.
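The baseline point Roche makes and the burst pattern Serto describes can be made concrete. The Python below is an added example, not code from IDC, Akamai or the article: it learns a per-second query-rate baseline from an attack-free window, then flags both a sustained flood and a series of short bursts that each end before a plain rate alarm would fire. The traffic series are constructed, and the z-score, run length and burst-window parameters are assumptions to be tuned per environment.

```python
from collections import deque
from statistics import mean, pstdev


def learn_baseline(clean_window):
    """Mean and population std-dev of per-second query counts from attack-free history."""
    return mean(clean_window), pstdev(clean_window)


def alarm_threshold(mu, sigma, z=5.0):
    """Per-second count above which a sample is treated as anomalous (z=5 is an assumption)."""
    return mu + z * sigma


def detect(series, threshold, sustained=10, burst_window=300, max_bursts=3):
    """Walk a per-second series and return (second, kind) alerts.

    kind == "sustained": rate stayed above threshold for `sustained` consecutive seconds,
                         the classic volumetric flood that a simple rate alarm catches.
    kind == "burst":     `max_bursts` separate over-threshold episodes started within
                         `burst_window` seconds, even though each was too short to trip
                         the sustained rule on its own (the defender-fatigue pattern).
    """
    alerts = []
    run = 0                 # consecutive over-threshold seconds so far
    episodes = deque()      # start times of recent over-threshold episodes
    for t, count in enumerate(series):
        if count <= threshold:
            run = 0
            continue
        run += 1
        if run == 1:        # a new episode starts at this second
            episodes.append(t)
            while episodes and episodes[0] < t - burst_window:
                episodes.popleft()
            if len(episodes) >= max_bursts:
                alerts.append((t, "burst"))
        if run == sustained:
            alerts.append((t, "sustained"))
    return alerts


def build_sample():
    """Constructed traffic: a quiet resolver at ~100 queries/s with two attack styles injected."""
    pattern = [100, 102, 98, 101, 99, 103, 97, 100]
    clean_history = pattern * 15            # 120 s of attack-free data for the baseline
    live = pattern * 75                     # 600 s of live traffic
    for start in (100, 200, 300):           # three 4-second bursts, 100 s apart
        for s in range(start, start + 4):
            live[s] = 5000
    for s in range(560, 590):               # one 30-second sustained flood
        live[s] = 20000
    return clean_history, live


def run_demo():
    """Baseline on the clean window, then detect over the live window."""
    clean_history, live = build_sample()
    mu, sigma = learn_baseline(clean_history)
    return detect(live, alarm_threshold(mu, sigma))


if __name__ == "__main__":
    for second, kind in run_demo():
        print(f"t={second}s  {kind}")
```

With the sample data the bursts never reach ten consecutive seconds, so the sustained rule alone would stay silent for the first five minutes; the episode counter is what turns three separate four-second spikes into a single alert at the third one, while the later flood is caught by the sustained rule. In production the series would come from resolver query logs or flow records rather than a constructed list.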
DDoS attacks are unlike other cyber attacks, where patches and locally installed security appliances can block an attack altogether. The defence calculus for denial of service is different because no organisation can prevent or block all DDoS attacks on its own, said Gartner senior analyst Rajpreet Kaur.
So the decision to invest in DDoS protection is also not an easy one. DDoS mitigation is an expensive investment, which organisations do not easily choose unless they or their competitors have suffered an attack.
“While multinational and global firms will invest, the cost may deter smaller, local firms,” said Kaur.
Also, IT infrastructure is getting more complex as enterprises move their applications and infrastructure to the cloud, requiring DDoS solutions to cater to different environments, said Frost & Sullivan network security senior industry analyst Vu Anh Tien.
What GitHub relied on to counter the massive attack in February 2018 was scrubbing services, a common DDoS mitigation technique. Using this method, the traffic destined for a particular IP address range is redirected to datacentres, where the attack traffic is “scrubbed” or cleaned. Only clean traffic is then forwarded to the target destination.
Most DDoS scrubbing providers have three to seven scrubbing centres, typically distributed globally, said Gartner’s Kaur. Each centre consists of DDoS mitigation equipment and large amounts of bandwidth, which can be over 350Gbps, that feeds traffic to it. When customers are under attack, they “push the button” to redirect all traffic to the closest scrubbing centre to be cleaned.
Enterprise customers make use of scrubbing centres in two ways – one is to route traffic via the scrubbing centres around the clock, while others prefer to route traffic on demand when an attack occurs.
Given the complexity of security attacks and IT infrastructures, organisations are increasingly adopting hybrid models of protection, in order to protect against the broadest set of potential attack vectors. They often turn to an on-premise system that is the first line of defence, with the scrubbing centre stepping in when the on-premise technology is overwhelmed, said Backer.
IDC’s Roche added: “For bad traffic to be diverted to a scrubbing centre in a seamless action to reduce any downtime, organisations need to have seamless integration between cloud and on-premise solutions, implemented in front of an infrastructure’s network to help mitigate an attack before it reaches core network assets and data.”
If you were a big buyer of DDoS attacks, you may be in trouble. Police in Europe plan to go after customers of Webstresser.org, a major DDoS-for-hire website they shut down last year.
On Monday, Europol said it was closing in on more than 250 customers of Webstresser.org and other DDoS-for-hire services. “Actions are currently underway worldwide to track down the users of these Distributed Denial of Service (DDoS) attacks,” the agency added.
In April, Europol shut down Webstresser.org for letting buyers knock websites offline. For as little as $18.99 a month, the site offered access to DDoS attacks, which can overwhelm an IP address or website with enough internet traffic to disrupt access to it.
Webstresser.org was believed to be the world’s largest market for DDoS-for-hire services, according to Europol. Before its shutdown, the site helped launch 4 million attacks. It had also attracted 151,000 registered users under the guise of selling “server stress testing” services.
Now all those customers are in danger of facing potential prosecution. That’s because authorities have uncovered a “trove of information” on Webstresser.org’s users.
“In the United Kingdom, a number of webstresser.org users have recently been visited by the police,” Europol said in its announcement. “UK police are also conducting a number of live operations against other DDoS criminals.”
Although police have typically focused on targeting the sellers of DDoS attacks, Europol said law enforcement is ramping up activities to crack down on buyers as well. Last month, US federal investigators also warned they were going after customers of DDoS-for-hire websites.
“Whether you launch the DDoS attack or hire a DDoS service to do it for you, the FBI considers it criminal activity,” FBI Assistant Director Matthew Gorham said in December. “Working with our industry and law enforcement partners, the FBI will identify and potentially prosecute you for this activity.”
If a week is a long time in politics, as former British Prime Minister Harold Wilson observed, a year in cyber security can seem like an eternity. But despite the rapid changes, many things remain constant. We can always expect cyber criminals to embrace new technology as fast as legitimate businesses do, and to use it to launch new types of attacks that are ever more damaging and harder to defend against.
DDoS attacks are a case in point. In April 2018, the UK’s National Crime Agency named DDoS as the leading threat facing businesses. The Agency noted the sharp increase in attacks on a range of organisations during 2017 and into 2018, and advised organisations to take immediate steps to protect themselves against the escalating threat.
DDoS gets bigger, stronger, smarter
This warning was timely, as through late 2017 and into 2018, DDoS attacks got much larger – and that trend is showing no signs of slowing down. In Q3 of 2018, the average DDoS attack volume more than doubled compared to Q1, from 2.2 Gbps to 4.6 Gbps, according to Link11's latest DDoS Report. These attack volumes are far beyond the capacity of most websites, so this is an alarming trend. Compared to Q2, the total number of attacks also grew by 71% in Q3, to an average of over 175 attacks per day.
Attacks also got more sophisticated. 59% of DDoS incidents in Q3 of 2018 used two or more attack vectors, compared with 46% in Q2. Meanwhile, a highly targeted and strategic approach to DDoS attacks was observed as the year went on; our operation centre saw DDoS attacks on e-commerce providers increase by over 70% on Black Friday (23 November) and by a massive 109% on Cyber Monday (26 November) compared with the November average. Attacks are focusing on specific sectors, with the aim of causing more disruption.
DDoS as a service
At the same time, these larger, more sophisticated DDoS attacks are easier for criminals to launch than ever before, thanks to DDoS-as-a-Service providers. Perhaps the best known of these, Webstresser.org, was selling multi-gigabit DDoS attacks on the Darknet for as little as $11 per attack before it was shut down by police in early 2018. Webstresser’s services were used in early 2018 to bring online services from several Dutch banks and numerous other financial and government services in the Netherlands to a standstill. Customers were left without access to their bank accounts for days.
Other services have sprung up to take Webstresser’s place, offering DDoS by the hour for $10, and by the day at bulk discount rates of $200. No expertise is required: just enter your (stolen) credit card details, and the domain you want to target. Even cloud services can be knocked offline, with very little money and little to no technical expertise required to launch an attack.
Web application attacks
Another increasingly targeted component of organisations’ IT estates during 2018 was web applications. 2018 saw breaches affecting tens of millions of customers of several high-profile companies in the travel and financial sectors. The aim of these attacks is to exfiltrate sensitive data for re-use or resale, with the attackers seeking to exploit weaknesses in the application itself, or in the platform it is running on, to get access to the data.
2019: predictions and protection
So as 2018 saw attacks growing in volume and complexity, what attacks can we expect to see in 2019?
We have already seen how versatile botnets are for crypto-mining and sending spam – this will extend into DDoS attacks too. Botnets benefit from the ongoing rapid growth in cloud usage and increasing broadband connections as well as the IoT, and the vulnerabilities they exploit are at the protocol and application level, which are very difficult to protect using standard network security solutions. Bots in public cloud environments can also propagate rapidly to build truly massive attacks.
Attack tactics, against which SSL encryption has long since ceased to be a defence, will gain even more intelligence in the coming months. The only possible answer to this can be defence strategies that cover machine learning and artificial intelligence, which can process large data streams in real time and develop adaptive measures. Highly targeted attacks, such as those on web applications, will also continue because the rewards are so high – as we’ve seen from the 2018 data breaches we touched on earlier.
Also, 2019 could be the year in which a hacktivist collective or nation-state will launch a coordinated attack against the infrastructure of the internet itself. The 2016 DDoS attack against hosting provider Dyn showed that a single attack against a hosting provider or registrar could take down major websites. DDoS tools and techniques have evolved significantly since then, creating a very real risk of attacks that could take down sections of the Web – as shown by the attack which targeted ISPs in Cambodia. Other forms of critical infrastructure are also vulnerable to DDoS exploits, as we saw in 2018’s attack on the Danish rail network.
In conclusion, tech innovations will continue to accelerate and enable business, and cyber criminals will also take advantage of those innovations for their own gain. With more and more business taking place online, dependence on a stable internet connection rises significantly. Likewise, revenues and reputation are more at risk than ever before. Therefore, organisations must be proactive and deploy defences that can keep pace with even new, unknown threats – or risk becoming the next victim of increasingly sophisticated, highly targeted mega-attacks.
Malware and bots, phishing, and DDoS attacks are some of the top threats companies face, according to Radware.
The average estimated cost of a cyberattack on an enterprise was $1.1 million in 2018—up 52% from the year before, according to a Tuesday report from Radware. For companies with a formal cost calculation process, that estimate rises to $1.7 million, the report found, with the top impacts being operational/productivity loss (54%), negative customer experiences (43%), and brand reputation loss (37%).
The report surveyed 790 IT executives worldwide across industries. These IT leaders perceive the goals of the attacks to be service disruption (45%), data theft (35%), unknown reasons (11%), or espionage (3%).
Some 21% of businesses experience daily cyberattacks, up from 13% last year, the report found. Another 13% said they were attacked weekly, 13% said monthly, and 27% said once or twice a year. Only 7% of organizations said they have never been attacked, according to the report.
The most common types of attacks on enterprises are malware and bots (76%), socially engineered threats like phishing (65%), DDoS attacks (53%), web application attacks (42%), ransomware (38%), and cryptominers (20%).
Hackers are also increasing their usage of emerging attack vectors to bring down networks and data centers, the report found: IT leaders reporting HTTPS floods rose from 28% in 2017 to 34% in 2018, while reports of DNS-based attacks grew from 33% to 38%. Burst attacks rose from 42% to 49%, and reports of bot attacks grew from 69% to 76%.
“While threat actors only have to be successful once, organizations must be successful in their attack mitigation 100% of the time,” Anna Convery-Pelletier, chief marketing officer for Radware, said in a press release. “A cyberattack resulting in service disruption or a breach can have devastating business impacts. In either case, you are left with an erosion of trust between a brand and its constituency.”