Most Updated News on How to Protect Against DoS Attacks!

DoubleDoor Botnet Chains Exploits to Bypass Firewalls
What cybersecurity surprises does 2018 hold?
Industry Weighs in on How the Government Can Fight Botnets
Hackers graduate to financial gain as motivation for IoT attacks
Let’s Not Make the Distributed Internet Insecure
Combating DDoS attacks in Asia Pacific: It’s more than just a defence mechanism
Tracking Bitcoin Wallets as IOCs for Ransomware
PyeongChang Winter Games hit by cyber attack
Europe in the firing line of evolving DDoS attacks
Deconstructing a Denial of Service attack

DoubleDoor Botnet Chains Exploits to Bypass Firewalls

Crooks are building a botnet that for the first time is bundling two exploits together in an attempt to bypass enterprise firewalls and infect devices.

Discovered by researchers from NewSky Security, the botnet has been cleverly named DoubleDoor. According to Ankit Anubhav, NewSky Security Principal Researcher, the DoubleDoor malware attempts to execute exploits that take advantage of two backdoors:

CVE-2015-7755 – backdoor in Juniper Networks’ ScreenOS software. Attackers can use the hardcoded password <<< %s(un='%s') = %u with any username to access a device via Telnet and SSH.
CVE-2016-10401 – backdoor in ZyXEL PK5001Z routers. Attackers can use admin:CenturyL1nk (or other) and then gain super-user access with the password zyad5001 to gain control over the device.

Anubhav says DoubleDoor attackers are using the first exploit to bypass Juniper Netscreen firewalls and then scan internal networks for ZyXEL routers to exploit with the second exploit.

First time an IoT botnet chains two exploits

In a conversation with Bleeping Computer, Anubhav says this is the first time that a botnet has chained two exploits together in an attempt to infect devices.

“For the first time, we saw an IoT botnet doing two layers of attacks, and was even ready to get past a firewall,” the expert told Bleeping Computer. “Such multiple layers of attack/evasion are usually a Windows thing.”

“Satori/Reaper have used exploits, but those are exploits for one level of attack for various devices,” Anubhav said. “If the attacker finds a Dlink device, then it uses this exploit; if it finds a Huawei device, then that exploit,” Anubhav added showing the simple exploitation logic that most IoT malware employed in the past.

DoubleDoor botnet is not a major threat, yet

Scans and exploitation attempts for this botnet were spotted between January 18 and January 27, all originating from South Korean IP addresses.

But the botnet is not a major danger just yet. Anubhav says DoubleDoor looks like a work in progress and still under heavy development.

“The attacks are less in number when compared to Mirai, Satori, Asuna, or Daddyl33t,” he said.

The NewSky Security expert says the smaller attack numbers are likely because the botnet only targets a small subset of devices, either Internet-exposed ZyXEL PK5001Z routers, or ZyXEL PK5001Z routers protected by an enterprise-grade Juniper Netscreen firewall.

“Such setups are usually found in corporations,” Anubhav said, raising alarm about what targets the DoubleDoor author may be trying to infect.

DoubleDoor doesn’t do anything, for the moment

The good news is that DoubleDoor doesn’t do anything special after compromising ZyXEL devices. It merely adds them to a botnet structure.

“Probably it’s a test run or they are just silently recruiting devices for something bigger down the road,” Anubhav said.

But as Anubhav points out, because DoubleDoor appears to still be under development, we may soon see its author expand it with even more exploits that target other types of devices, such as those from Dlink, Huawei, Netgear, and others.

Further, the botnet may try to carry out DDoS attacks, spread malware to internal Windows networks, or something more intrusive.

But even if DoubleDoor dies down and is never seen again, its double-exploit firewall bypass technique has already attracted the attention of other IoT botnet operators, and we may see it pretty soon with other malware strains as well. The cat’s out of the bag, as they say.


What cybersecurity surprises does 2018 hold?

One thing’s for sure: securing ourselves and our organizations will only get more difficult this year.

Bitcoin, the General Data Protection Regulation in Europe and the Internet of Things (IoT) are just three recent developments that will present security professionals with new challenges in 2018. That’s in addition to the usual raft of malware, DDoS attacks and database thefts that have dominated the headlines for some time.

To get a handle on what to expect, we asked two Keeper Security experts – Director of Security and Architecture Patrick Tiquet and Chief Technology Officer Craig Lurey – to peer into their crystal balls to find what 2018 holds. Here’s what they saw.


IoT has been on Patrick’s mind a lot lately, not just because it represents a vast expansion of the attack surface, but also because it opens whole new types of data to compromise. “Every aspect of your everyday life is potentially accessible to anyone anywhere in the world in seconds,” he says. “All your conversations can be accessed, captured and converted.”

Vulnerabilities have already been reported in voice-activated personal assistants, and attackers years ago figured out how to turn on smart phone microphones and cameras without the owner’s knowledge. “We will see a major IoT security disaster this year, and I think it will be bigger than the Dyn hack of 2016,” Patrick says, referring to the attack that originated with printers, security cameras, residential gateways and baby monitors.

New attack vectors

New attack vectors have also been on Craig’s mind, particularly in light of recent disclosures of hardware flaws in microprocessors. “There’ll be more activity by hackers around hardware-based attacks that go after the memory of the device,” he says. Particularly concerning is that “Spectre and Meltdown took advantage of hardware flaws but were able to abstract them to the software level.” That makes them harder to stop with conventional anti-malware protections alone. Hardware vulnerabilities may demand a whole new type of protection.


GDPR has many people spooked because of its onerous penalties – violators can be fined up to four percent of annual revenues per incident – as well as the strict set of controls the regulation imposes upon keepers of personal information. Will the European Union enforce GDPR to the full extent of the law, or will the scope of the penalties cause regulators to pull their punches? Patrick thinks it’s the former. “It’s in the EU’s best interest to aggressively enforce the regulation,” he says. “If they don’t, then people will ignore it.” He expects the EU to penalize an assortment of large, medium and small companies “to show that just because you’re small, you don’t get to skate.”

Password alternatives

Many smart phone makers have lately been showing off alternatives to passwords, such as biometric security controls. While these technologies have some promise, they also create new targets for attackers, Craig believes. Cyber criminals will turn more attention to compromising systems that are supposedly super secure, such as two-factor authentication (2FA). “Meltdown opened up new ways to get in,” by showing how hardware can be exploited, he says. “Attackers will look for ways to sidestep 2FA.”

Emergency warning systems

Another intriguing new target for the bad guys is emergency warning systems. Just since the first of the year, citizens in Hawaii and Japan have received false notifications of impending missile attacks. In both cases, human error was the culprit, but attackers will no doubt look for opportunities to create mayhem using the same channels. Imagine the security implications of being able to clear out entire neighborhoods or cities for burglars to mine. “It’s social engineering on a large scale,” says Craig.


Now that the bitcoin bubble is beginning to melt away, practical applications of blockchain will emerge, Patrick believes. So will questions about the security of various blockchain-based technologies. Crypto currencies will be a viable medium of transactions in the future, but Patrick doesn’t believe bitcoin will be the winner. “It relies on massive amounts of electricity, and I don’t think it’s sustainable,” he says. “What makes a currency valuable over the long term is its stability. Bitcoin looks more like a Ponzi scheme right now.” As an alternative, he suggests Digibyte, which is billed as a set of “digital assets that cannot be destroyed, counterfeited or hacked.”

Our experts also shared these quick predictions:

“The security skills gap will become even more pronounced. Companies will have less time available to patch quickly, which will create even more opportunities for ransomware authors.” –Patrick

“More sites will require strong passwords and start defaulting to much longer generated passwords. There’ll be more attention paid to 2FA, but that approach will also be under fire.” –Craig

“State-sponsored hacking will grow and continue to be a concern. I don’t think it’s going away.” –Patrick

“There’ll be a lot more work around security at the software development stage. New cybersecurity degrees and programs will pop up in this area. It deserves its own field of study.” –Craig

One thing is clear from our experts’ prognostications: Securing ourselves and our organizations will only get more difficult this year.


Industry Weighs in on How the Government Can Fight Botnets

Feds need to secure the internet of things and work more closely with private companies, they said.

Government technologists must develop more partnerships with the private sector and flesh out security guidelines to stop botnets from knocking websites and networks offline, cybersecurity experts said.

Cyber policy experts and telecommunications and technology trade groups weighed in on a draft report outlining the government’s plans to reduce cyber threats from internet-connected devices.

The growing number of such devices worldwide has raised fears about cybersecurity and personal privacy. Online bad actors are increasingly hacking and harnessing those devices en masse for large distributed denial-of-service attacks that can knock websites and services offline by overwhelming them with bunk traffic.

In the report, Commerce, Homeland Security and other federal agencies outlined five major goals to mitigate the threat of distributed attacks: strengthen the intrinsic security of software and devices, bolster infrastructure, improve network protections, build partnerships with global tech communities, and increase cybersecurity education and awareness.

While experts largely agreed with the government’s broad goals, they each highlighted certain areas that offer particular bang for the buck.

U.S. Telecom, a trade organization for telecommunications groups, stressed the need for agencies to bring companies together to find ways to “share responsibility” in addressing attacks. The administration should also work with industry to improve software security and coordinate efforts with other governments, they said.

“The gross shortfall in investment in the parts of the government that support industry-driven cybersecurity processes and industry-government collaboration constitutes a long-term threat to our national security,” U.S. Telecom said in its comment. “The government should invest in sufficient structural support for these private sector efforts.”

BSA | The Software Alliance emphasized the importance of building protection straight into software and devices to keep them from being co-opted by online bad actors. The group also recommended feds avoid “across-the-board” standards for securing internet-connected devices, as different systems carry a wide array of vulnerabilities and risks.

In its comment, the Coalition for Cybersecurity Policy and Law included a full framework to prevent DDoS and botnet attacks based on existing guidelines from the National Institute of Standards and Technology for securing cyber infrastructure. In addition to detailing ways to bolster systems against attacks, the framework outlines steps to detect, respond to and recover from them.

The report responds to a directive in President Donald Trump’s executive order on cybersecurity. The Commerce and Homeland Security departments must submit a final report to the White House by May 11.


Hackers graduate to financial gain as motivation for IoT attacks

Securing IoT devices is a top priority for organisations looking to implement this new technology.

The phrase Internet-of-Things (IoT) has gone from buzzword to common speech, having had an impact on almost every industry and sector. Once an abbreviation that seemed bound for fad-status among the tech elite, even the average consumer now embraces “IoT” as a category of connected technology that’s increasingly all around us.

In fact, it’s estimated that the IoT market hit a staggering $20.35 billion valuation in 2017 and is only set to continue past $75.44 billion by 2025. That means that the perception that IoT is “all around us” is going to take a great leap further in under a decade – and the implications will be dramatic.

Especially in the context of cybersecurity, what will an omnipresence of connected devices tracking our every move mean for the hacking community?

We’re already starting to get a taste of what the future holds today when it comes to hacked IoT, as headlines over the past year have consistently focused on ever-increasing “muscle-flexing” on the part of hackers. As with any major technological change that’s embraced so rapidly by the masses, cracks in the façade will inevitably emerge as best practices catch up with the rate of adoption. IoT devices are especially prone to this chain of events, as industries and individuals are often bringing IoT solutions into their workflows before security is assured or a defense against threats is even mapped.

Evolving from DDoS to Financial Gain

Take, as an example, the distributed denial of service (DDoS) attacks that leveraged common household and office IoT devices over the course of 2016 and 2017. The Mirai attack, for instance, was a DDoS operation that used an army of botnet-infected IoT devices to flood Twitter, GitHub and the PlayStation network – to name just a few victims – with “loud” network traffic that drowned out legitimate directives from network administrators. This overwhelmed the targets’ servers, forcing them to shut down. First detected in October 2016, active strains of the Mirai virus were still being reported as recently as December 2017.

While the Mirai attack continues to cause financial harm for the affected parties, it was widely considered an exercise in showboating for the hacker Paras Jha, who recently pleaded guilty to hacking charges alongside two of his classmates. Jha and his cohorts made the vulnerabilities of IoT networks – even those connected to tech giants – glaringly obvious, which only opens the doors for “one-upsmanship” that will give IoT hacking over the next year a new motive: Malicious actors looking for financial gain will inevitably attempt to leverage those vulnerabilities, taking advantage of readily available ransomware and PII for big paydays.

In fact, research group Forrester made this prediction one of its top forecasts for the next year. Instead of being motivated solely by political, social, or military reasons – as had been forecasted in previous years – cybercriminals will likely be driven by financial gain moving forward, as the black market for malware and the Dark Web continue to mature, Forrester noted.

Bracing for the future

Fighting the increasingly persistent threats that will affect enterprise IoT networks requires a similarly comprehensive approach to security that IT takes with their standard network connectivity. For starters, organizations need to immediately ensure the security of their existing IoT infrastructure by assessing their hardware for security gaps, including weak encryption implementation or inadequate patching functions.

When it comes to encryption, IT teams need to ensure that data is encrypted while at rest and in motion. Full disk encryption, for instance, protects sensitive data only while that content is at rest – as soon as a device or server is turned on and a user is logged in, anyone, including bad actors who entered the network during downtime, can access that data.

Rather, teams need to ensure their security solutions are encrypting at all times using established industry standards (SSL, for instance). At the same time, businesses need to be sure their encryption keys are held privately and offline – not within a network-accessible server – to ensure that only necessary parties have access to the most sensitive network data.

Organizations also need to be sure they are taking appropriate steps to stop bad actors from entering the network to begin with. This requires a “defense-in-depth” approach to network security that mirrors what’s often touted on the battlefield – putting as many layers between the enemy and the walls of the network as possible. That means not just relying on a next-generation firewall – which only looks at packets of data entering the network rather than entire files – or standard proxies. Instead, secure web gateways that combine a range of solutions under a single management console are the best path forward.

Stopping cash-grabs on the way out of the network

With financial gain at the core of attacks going forward, businesses need to be extra critical of the vetting they do of content leaving the network as well. This is especially true in the context of IoT devices – which harkens back to our sentiments surrounding encryption – in that many of these devices spend a great deal of time “turned off” before being activated by a beacon or sensor. Sleeping trojans within the network could leverage the data collection of these newly “activated” IoT communications to conduct data exfiltration – essentially exiting the network with cash in hand – if they make it past robust gateway defenses. It’s almost like having all eyes on the front door and no insight into who might be leaving through the window, or a method to chase after them.

Of course, IoT devices make network security more complicated than ever before, and even the most extensive security solutions can’t thwart every threat. But with the mindset of hackers evolving to meet these new threats, the financial downfall of entities who don’t do all they can to secure IoT tech that is otherwise a boon for business can be significant.


Let’s Not Make the Distributed Internet Insecure

We built the internet to be fast and efficient, but made mistakes that have led to the security problems we see today: DDoS attacks, massive breaches, thefts of huge amounts of data, and tampering with systems for either profit or political gain. In building the internet, we prioritized performance, and built the infrastructure assuming people would use it for good. Now we know better. The next generation of internet infrastructure needs to be built assuming that everything can and will be attacked.

A key piece of the next-generation internet will be Distributed Ledger technologies (DLTs) like blockchain. DLTs allow a network of actors who don’t necessarily need to know or trust each other to nevertheless come to agreement on the order of some set of transactions – without some specially empowered and trusted third party. This holds value not only for the cryptocurrencies that have rapidly gained popularity, but also for markets, stock exchanges, games, or any other kind of distributed community you want to participate in without having to trust everyone in the community.

Clearly, if DLTs are going to be used for real-world and meaningful use cases, then they must be protected against all sorts of possible malicious activity, as well as the likelihood of network faults. If DLTs are used to track the ownership of valuable resources (whether currency, diamonds, or real estate) then we have to expect them to be targeted – and need to prepare for that.

Two security risks to DLTs arguably do not receive their fair amount of attention: Distributed Denial of Service (DDoS) attacks, and state manipulation. Both attacks ultimately derive from consolidating the nodes that determine consensus – specifically two different types – that of control and location.

Distributed Denial of Service
A Distributed Denial of Service (DDoS) attack occurs when an attacker is able to flood an honest node on a network with meaningless messages, preventing that node from performing other (valid) duties and roles. In a DLT, those other duties would be the processing required to achieve consensus.

Consensus protocols are the engine of DLTs, and all rely on nodes sending & receiving messages, and processing and validating of those messages. In some DLTs, one or some set of nodes are ‘special’ compared to the rest. If an attacker is able to prevent such a special node from performing those consensus operations with a targeted DDoS, then consensus could be inhibited.

Consensus models fall along a spectrum of how much they empower nodes with special privileges. A single central database is at one extreme, and a DLT where no nodes are special is at the other. DLTs that give some special privileges to some nodes sit in the middle of the continuum. Generally, the more privileges a DLT assigns to a particular node, the more vulnerable it will be to DDoS – because a DDoS against a special node will be more damaging than a DDoS against any normal node. It is consolidation of control over consensus that makes a DLT vulnerable to DDoS.

Leader-based DLTs (such as Paxos, Raft, PBFT, and dPOS) elect a leader from amongst the community of nodes. This leader plays a special role in enabling consensus (for the duration of their turn). Because the normal nodes need to know which of them is the current leader to send messages there, that knowledge could be abused by a DDoS attack against that current leader. As the leader changes, the attacker simply adjusts their target in real time, in a ‘follow the leader’ pattern. If the leader can be tied up by the DDoS, they may be unable to play their key role in enabling consensus for the other nodes.

While proof-of-work DLTs, like Bitcoin and Ethereum, also grant particular nodes special privileges, they guard against DDoS by randomizing the selection of that privileged node via the mining process (and the underlying hashing puzzle). If an attacker hoped to target miners with a DDoS to prevent a new block being added to the chain, they would be unlikely to know *which* miner would win the crypto puzzle and be granted the ability to add the block.

Consequently, the attacker wouldn’t be able to target the miner selected until after the fact. However, while proof-of-work provides DDoS resistance, the mining process introduces inefficiency and slowness, leading to expenses that cause consolidation in location.

Other consensus models guard against DDoS by using a more egalitarian distribution of the burden of determining consensus. When all nodes contribute to consensus, then knocking one out with a DDoS will not stop consensus.
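The argument above (an announced leader can be followed round by round, an unpredictable one cannot be targeted in advance, and a leaderless quorum survives the loss of a few nodes) is easy to see in a toy simulation. The code below is an added example written for this page, not code from the original article or from any of the named protocols. The node count, the attacker's per-round flooding capacity, the uniform random draw standing in for the mining puzzle, and the two-thirds quorum are all constructed assumptions.

```python
"""Toy model of DDoS against three consensus styles (added example).

Assumptions (not from the article): n_nodes participate; each round the
attacker can flood `capacity` nodes; a flooded node cannot do its consensus
work that round.  The mining puzzle is modelled as a uniform random draw
that the attacker only learns after committing to targets.
"""
import random


def simulate(mode, n_nodes=10, rounds=1000, capacity=1, seed=0,
             quorum_fraction=2 / 3):
    """Return how many of `rounds` rounds reached consensus under `mode`.

    mode == "round_robin": leader for round r is r % n_nodes and the schedule
        is public, so the attacker floods the leader every round
        ("follow the leader").
    mode == "unpredictable": the attacker must pick targets first; the leader
        is then drawn at random (stand-in for the proof-of-work puzzle).
    mode == "leaderless": every node contributes; the round succeeds while the
        un-flooded nodes still form a quorum.
    """
    if not 0 <= capacity <= n_nodes:
        raise ValueError("capacity must be between 0 and n_nodes")
    rng = random.Random(seed)
    progressed = 0
    for r in range(rounds):
        if mode == "round_robin":
            leader = r % n_nodes
            # attacker knows the schedule, so the leader is always in the target set
            flooded = {leader} if capacity else set()
            progressed += leader not in flooded
        elif mode == "unpredictable":
            # targets are chosen before the leader is known
            flooded = set(rng.sample(range(n_nodes), capacity))
            leader = rng.randrange(n_nodes)
            progressed += leader not in flooded
        elif mode == "leaderless":
            alive = n_nodes - capacity
            progressed += alive >= quorum_fraction * n_nodes
        else:
            raise ValueError(f"unknown mode {mode!r}")
    return progressed


def expected_unpredictable(n_nodes=10, rounds=1000, capacity=1):
    """Analytic expectation for the unpredictable case: each round the leader
    escapes the flood with probability 1 - capacity/n_nodes."""
    return rounds * (1 - capacity / n_nodes)


if __name__ == "__main__":
    for mode in ("round_robin", "unpredictable", "leaderless"):
        print(f"{mode:14s} rounds with consensus: {simulate(mode)}")
    print("leaderless, 4 of 10 nodes flooded:", simulate("leaderless", capacity=4))
```

With the defaults the round-robin ledger makes no progress at all while a single flooded node is enough to follow the leader, the unpredictable ledger loses only about one round in ten, and the leaderless ledger is unaffected until the attacker can flood more than a third of the nodes. The model ignores the cost side of proof-of-work that the next paragraph raises; it only isolates the targeting question.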

DDoS attacks and the risk of government interference both highlight a fundamental reality – when more nodes secure a network, the network is less dependent on any particular nodes, and that makes it more robust. Prioritizing a few nodes to help reach consensus runs the risk of DDoS attacks, while prioritizing one location runs the risk of government interference.

If blockchain and other distributed ledger technologies are to become ubiquitous, we must understand their limitations, evaluate their security risks, and make choices on our architecture, assuming that the bad guys will be looking for ways to ‘break’ these powerful systems to their advantage as soon as we build them.


Combating DDoS attacks in Asia Pacific: It’s more than just a defence mechanism

Imagine going to the frontlines of a battlefield wielding a sword and shield only to come face to face with fighter jets from the opponent instead. The crackdown against DDoS attacks is like an arms race enterprises have to face by evolving their weapons and defences against a cyber felon. As attack rates have grown, so has their impact. Despite an increase in DDoS defence spend, Neustar’s recent study found that 90 percent of organisations were hit by breaches that stemmed from DDoS offensives.

IoT as a DDoS attack tool

Just like the hallmarks of a fighter jet are its speed and manoeuvrability, the emergence of cloud computing and IoT devices has streamlined the infrastructure of today’s connected world. As IoT progressed from a stage of nascence to an enterprise driver capable of maintaining inventory levels, delivering real-time metrics on shipments and powering autonomous vehicles, organisations are left with their hands full in attempts to secure the enterprise value chain.

This year was inevitably a watershed moment in IoT security; headlined in the form of IoT botnet Reaper or IoT Troop. The perpetrators infected over a million organisations worldwide by infiltrating routers and smart devices – far more sophisticated than the 2016 Mirai IoT botnet that exploited weak passwords and infected major websites across the U.S. such as Twitter, Netflix and the New York Times.

What’s more dangerous is that some of these attacks were used as smokescreens to disarm an organisation’s cybersecurity shield while simultaneously causing a temporary relaxation of networking defences to alleviate the effects of the DDoS. Neustar found that more than half (51 percent) of Asia Pacific organisations reported falling prey to viruses stemming from DDoS attacks. As IoT adoption increases, the number of IoT-driven botnets is only set to escalate, presenting attackers with more opportunities to elude detection.

The IoT Culprit

In Asia Pacific, IoT devices remain a tempting target for DDoS attacks – more than 78 percent of enterprises experienced attacks while their IoT devices were in operation. To make matters worse, once attackers get hold of vulnerable IoT devices and exploit the security deficiency, it becomes nearly impossible to prevent infection without issuing a security update or recalling the affected devices. With 89 percent of organisations suffering a breach, including data theft, dangerous ransomware, and network compromise with DDoS attacks, the dream of a connected world might be a disaster in the waiting.

True to its name, the IoT botnet Reaper spreads through the security gaps in IoT software and hardware causing massive destruction at one go – amassing more than 20,000 devices and affecting 2 million hosts that have been identified as potential botnet nodes.

Better Detection = Greater Protection

As attacks scale in complexity, organisations need to prime themselves to be at the vanguard in the fight against cyberattacks. The average organisation needs a couple of hours to definitively detect a DDoS attack with reaction times getting longer – translating to greater vulnerability.

Through an Asia Pacific lens in Singapore, organisations in the financial services sector could be staring at revenue losses upwards of US$15.2m when six hours is taken to respond to a DDoS attack. In Hong Kong, the figure stands at US$29.9m for breaches in the public sector. This threat represents a new reality where the strikes have morphed beyond standard and commonplace into dangerous and continuous. The financial risks alone can exceed far beyond a quarter of a billion dollars and drives home the point that speed in detection and response is an ally to risk mitigation practices.

Neustar found the top three organisational motivations behind DDoS defense investments, namely: preserving customer confidence, prevention of associated attacks including ransomware and proactively strengthening existing protection. It should come as no surprise that those who seek to harm companies use DDoS as a weapon.

There is however, a silver lining. Businesses are acknowledging this threat by deploying Web Application Firewalls (WAF) that filter, analyse and isolate HTTP traffic stemming from web application security flaws. In fact, 53 percent of respondents have added WAF to their combat arsenals against DDoS – tripling in numbers since March 2017.

The future ahead will offer opportunities for bad actors to devise craftier ways to launch far more dangerous DDoS attacks capable of distracting IT teams and stymieing forensics. Understanding the right combination of defences is crucial. This can be achieved by working with security consultants to develop strategies and with law enforcement bodies to provide maximum protection for stakeholders; only then will we be able to remain ahead of the curve on the battlefield and defeat the attackers.


Tracking Bitcoin Wallets as IOCs for Ransomware

By understanding how cybercriminals use bitcoin, threat analysts can connect the dots between cyber extortion, wallet addresses, shared infrastructure, TTPs, and attribution.

Cryptocurrency, particularly bitcoin, has captured the attention of Wall Street and Silicon Valley over the past few months. It seems like everybody wants to talk about bitcoin as if it is something brand new.

The truth is that cryptocurrencies have been the norm on the Dark Web for quite some time. Bitcoin has been the payment method of choice for ransomware and cyber extortion because it allows bad actors to operate under a cloak of anonymity. But that could be changing. Threat intelligence analysts are beginning to incorporate bitcoin wallet addresses into their investigations, and we’ll soon be able to recognize attack patterns and track attribution. One thing we’ve noticed is the ability to track, to some degree, the correlations and connections between cyberattacks by following bitcoin transactions.

In order to understand why tracking bitcoin wallet addresses as indicators of compromise (IOCs) is so valuable, we need to understand why cybercriminals use bitcoin in the first place. There are three primary reasons.

Anonymity: Bitcoin provides anonymity when payments are received and when they are cashed out. That’s because bitcoin accounts and money transfers are difficult to trace and depend largely on the cybercriminal being sloppy with operations security.

Global Currency: Hackers typically prey on out-of-country targets and need a fast, untraceable method to transfer funds across nations without worrying about account freezes. Bitcoin is used as a global currency because you don’t need to worry about the exchange rates between your home country’s currency and US dollars.

Ease of Payments: In the past, hackers used to rely on gift cards for payment. This was troublesome on many levels — for instance, gift cards can’t be used globally, and criminals needed to come up with a mailing address that can’t be traced. Bitcoin and the higher profile of cryptocurrency have contributed to the rise in ransomware, as well as hackers’ ability to use extortion to elicit payments. One example occurred after the Ashley Madison website breach, when hackers demanded a bitcoin ransom from some users, threatening to reveal their identities as adulterers. Another tactic involved using malicious emails to threaten a distributed denial-of-service attack on an organization’s network unless a bitcoin payment was made.

By tracking bitcoin wallet addresses as an IOC, we’ve been able to connect the dots between ransomware, wallet addresses, and shared infrastructure, TTPs (tactics, techniques, and procedures), and attribution.

Here is an example of how bitcoin is used in a ransomware campaign: a new piece of ransomware gives the victim a bitcoin address for payment. You can then make correlations across sectors, such as retail, energy or technology groups, based on the blockchain and/or reuse of the same address. With WannaCry, there were three hard-coded bitcoin addresses, which made it easy to correlate what you were dealing with and which sectors were being affected. The more an address is shared across victims, the more you can identify the addresses to which the bitcoins are forwarded.

The ability to track transactions through the blockchain allows you to connect different ransomware campaigns. Cybercriminals don’t typically share bitcoin wallets as they might share the same exploit kit, but by tracking blockchain transactions, analysts have another investigation point from which they can pivot and dig for more.

Bitcoin Addresses Reported by Multiple Sectors

Addresses are often unique to each target or a small set of targets, but you can track where the money goes by looking at the blockchain (the transactions) to see which addresses deliver funds to the same final addresses before being cashed out.

Why is it important to be able to track bitcoin wallets as IOCs? With the ability to track payments, you can determine whether bitcoins from many victims are flowing to specific wallet addresses, and then narrow that down to whether the same two or three addresses recur over time. This gives you some idea of where and when cybercriminals are cashing out.

This metadata is valuable as an indicator of malicious activity because, although there are many variants of ransomware, the number of variants does not necessarily correspond to the number of separate campaigns or criminal groups. If you can follow the transactions through the blockchain, you can see whether and how these variants are connected, and identify specific campaigns.
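The pivot described above, worked through as an added example that is not part of the TruSTAR research or its tooling: a Python script that pulls candidate addresses out of a ransom note, keeps only those whose Base58Check checksum verifies (so a typo never becomes an IOC), and then walks a set of transactions to find which ransom addresses are spent together (the common-input-ownership heuristic) and which ones end at the same cash-out address. The transactions and the address labels are constructed for the example; the only real address is the genesis-block address, used to exercise the checksum.

```python
import hashlib
import re
from collections import defaultdict

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy Base58 addresses start with 1 (P2PKH) or 3 (P2SH); 0, O, I and l never appear.
ADDR_RE = re.compile(r"\b[13][" + B58 + r"]{25,34}\b")


def b58check_ok(addr):
    """True if addr decodes to 25 bytes whose last 4 match the double-SHA256 checksum."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_ones = len(addr) - len(addr.lstrip("1"))  # each leading '1' encodes a zero byte
    raw = b"\x00" * leading_ones + body
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def extract_addresses(note):
    """Candidate addresses in a ransom note, filtered by checksum so a typo or an
    address-shaped junk string is never promoted to an IOC."""
    return [a for a in ADDR_RE.findall(note) if b58check_ok(a)]


def common_input_clusters(txs):
    """Common-input-ownership heuristic: addresses spent together as inputs of one
    transaction are controlled by the same wallet. Returns {address: cluster id}."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]
            a = parent[a]
        return a

    for tx in txs:
        roots = {find(a) for a in tx["inputs"]}
        keep = min(roots)
        for r in roots:
            parent[r] = keep
    return {a: find(a) for a in parent}


def cashout_sinks(start, spends):
    """Follow the money forward from start; the addresses where the trail stops
    (no further spend observed) are the likely exchange deposit / cash-out points."""
    seen, stack, sinks = set(), [start], set()
    while stack:
        a = stack.pop()
        if a in seen:
            continue
        seen.add(a)
        if a not in spends:
            if a != start:
                sinks.add(a)
            continue
        for tx in spends[a]:
            stack.extend(tx["outputs"])
    return sinks


def link_campaigns(ransom_addrs, txs):
    """Group ransom addresses by the cash-out address their funds reach."""
    spends = defaultdict(list)
    for tx in txs:
        for a in tx["inputs"]:
            spends[a].append(tx)
    by_sink = defaultdict(set)
    for r in ransom_addrs:
        for s in cashout_sinks(r, spends):
            by_sink[s].add(r)
    return {s: sorted(v) for s, v in by_sink.items()}


# Constructed sample (labels stand in for real addresses, transactions are invented):
# campaigns A and B cash out at the same exchange deposit address, C is unrelated.
TXS = [
    {"txid": "t1", "inputs": ["ransom_A_retail", "ransom_A_energy"], "outputs": ["agg_A"]},
    {"txid": "t2", "inputs": ["agg_A"], "outputs": ["exchange_dep_X", "change_A"]},
    {"txid": "t3", "inputs": ["ransom_B_tech"], "outputs": ["agg_B"]},
    {"txid": "t4", "inputs": ["agg_B", "change_A"], "outputs": ["exchange_dep_X"]},
    {"txid": "t5", "inputs": ["ransom_C_health"], "outputs": ["exchange_dep_Y"]},
]
RANSOM_ADDRS = ["ransom_A_retail", "ransom_A_energy", "ransom_B_tech", "ransom_C_health"]

if __name__ == "__main__":
    note = "Send 0.3 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 72 hours"  # genesis address
    print("IOCs from note:", extract_addresses(note))
    print("shared cash-out:", link_campaigns(RANSOM_ADDRS, TXS))
    print("wallet clusters:", common_input_clusters(TXS))
```

The common-input pass links ransom_A_retail with ransom_A_energy through t1, and t4 ties campaign B's aggregation address to campaign A's change address, so the two "different" ransomware variants share a wallet; the cash-out pass reaches the same conclusion from the other direction. Bech32 (bc1...) addresses need a separate decoder and are deliberately out of scope here.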

There is a well-known saying that if you want to know where trouble is coming from, follow the money. It’s hard to follow bitcoins, but all of those bitcoin wallets can help you see how ransomware is connected.

This research was provided by the TruSTAR Data Science Unit.


PyeongChang Winter Games hit by cyber attack

Although critical operations were not affected by the incident, event organisers at the PyeongChang Winter Olympics had to shut down servers and the official games website to prevent further damage.

The ongoing Winter Olympics in South Korea was hit by a cyber attack that affected internet and TV services last Friday, according to the International Olympic Committee (IOC).

After the attack was detected, event organisers had to shut down servers and take the official PyeongChang Winter Olympics website offline to prevent further damage.

During a press briefing on the sidelines of the global sporting event, IOC spokesperson Mark Adams declined to reveal the source of the attack, noting that the issue had been resolved the next day, according to a Reuters report.

“We are not going to comment on the issue. It is one we are dealing with. We are making sure our systems are secure and they are secure,” he told reporters.

Cyber security experts had warned of an increase in cyber attacks on the Winter Games using spear phishing emails loaded with suspicious links to lure victims into downloading malware in targeted campaigns, such as the GoldDragon campaign of December 2017.

According to threat analysts from McAfee, GoldDragon – directed at organisations affiliated with the Winter Olympics – lets attackers access end-user systems and collect data stored on devices and the cloud. The data may include customer and employee financial or personal data, Winter Games related details and trade secrets.

Although critical operations were not affected by last week’s incident, similar attacks had been launched against critical and non-critical systems in past Olympics games.

During the summer Olympics in London, there were reportedly six major cyber attacks against critical systems, including distributed denial of service attacks on power systems that lasted for 40 minutes. Hacktivists also made calls on social media to launch similar attacks at specific times.

And during the Rio Olympics in 2016, the IOC said it was under regular attack. Phishing emails were also sent to athletes in attempts to steal credentials that could be used to access a World Anti-Doping Agency database.

Japan is already bracing itself for more cyber attacks aimed at the Tokyo Olympics in 2020. For one, the Tokyo 2020 organising committee has been conducting cyber security exercises to simulate potential attacks, both in cities and rural areas.

Cyber security drills would be conducted up to six times a year, rising to 10 in the run-up to Tokyo 2020. The drills, which involve local governments, would also include simulated attacks on mock ticketing websites. Between 300 and 500 people took part in similar exercises in Rio and London.


Europe in the firing line of evolving DDoS attacks

The Europe, Middle East and Africa region accounts for more than half the world’s distributed denial of service attacks, a report from F5 Labs reveals.

The past year has seen a 64% rise in distributed denial of service (DDoS) attacks and greater tactical diversity from cyber criminals, according to customer data from F5’s Poland-based Security Operations Center (SOC).

More than 51% of attacks globally were targeted at organisations in Europe, the Middle East and Africa (Emea), and 66% involved multiple attack vectors, requiring sophisticated mitigation tools and knowledge, the report said.

The F5 report comes less than two weeks after several waves of powerful DDoS attacks hit banks and other organisations in the Netherlands.

Reflecting the spike in activity, F5 reported 100% growth for Emea customers deploying web application firewall (WAF) technology in the past year, while the adoption of anti-DDoS technology increased by 58%.

A key discovery was the relative drop in power for single attacks. In 2016, the F5 SOC logged multiple attacks of over 100Gbps, with some surpassing 400Gbps.

In 2017, the top attack stood at 62Gbps. This suggests a move towards more sophisticated Layer 7 (application layer) DDoS attacks that are potentially more effective and have lower bandwidth requirements.

“DDoS threats are on the rise in Emea and we’re seeing notable changes in their scope and sophistication compared with 2016,” said Kamil Wozniak, F5 SOC manager.

“Businesses need to be aware of the shift and ensure, as a matter of priority, that the right solutions are in place to halt DDoS attacks before they reach applications and adversely impact on business operations. Emea is clearly a hotspot for attacks on a global scale, so there is minimal scope for the region’s decision-makers to take their eyes off the ball,” he said.

Disruptive attacks

Last year started with a bang, the report said, with F5 customers facing the widest range of disruptive attacks recorded to date in the first quarter of 2017.

User Datagram Protocol (UDP) floods stood out, representing 25% of all attacks. In a UDP flood the attacker, often using spoofed source addresses, sends large volumes of UDP packets to a single destination, typically to random ports, so the victim wastes resources checking for a listening application and answering with ICMP destination-unreachable messages; the aim is exhaustion, not data theft. The next most common attacks were DNS reflection (18%) and SYN flood attacks (16%).

The first quarter of 2017 was also the peak for Internet Control Message Protocol (ICMP) attacks, whereby cyber criminals overwhelm businesses with rapid “echo request” (ping) packets without waiting for replies. In stark contrast, the first-quarter attacks in 2016 were evenly split between UDP and Simple Service Discovery Protocol (SSDP) floods.

The second quarter of 2017 proved equally challenging, the report said, with SYN floods moving to the front of the attack pack (25%), followed by Network Time Protocol (NTP) and UDP floods (both 20%).

The attackers’ momentum continued into the third quarter, the report said, with UDP floods leading the way (26%). NTP floods were also prevalent (rising from 8% during the same period in 2016 to 22%), followed by DNS reflection (17%).

The year wound down with more UDP flood dominance (25% of all attacks). It was also the busiest period for DNS reflection, which accounted for 20% of all attacks (compared to 8% in 2016 during the same period).
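A detection pass over the vectors the report enumerates, as an added example rather than anything from F5's report or SOC tooling: a Python classifier that takes packet summaries from a one-second window and labels each destination with the flood types described above (SYN flood, DNS/NTP/SSDP reflection, UDP flood sprayed across random ports, ICMP echo flood), then reports the share of each vector the same way the report's percentages are expressed. The packet records are constructed, the thresholds are assumptions to be tuned per link, and all addresses are from the reserved documentation ranges.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""      # TCP flags as letters, e.g. "S", "SA", "A"
    size: int = 60       # bytes on the wire
    icmp_type: int = -1  # 8 == echo request


# Assumed thresholds for a one-second window; tune to the link you protect.
PKT_THRESHOLD = 100
REFLECTED_SIZE = 300   # reflected replies are big; that is the point of amplification
REFLECTOR_PORTS = {53: "DNS reflection", 123: "NTP reflection", 1900: "SSDP reflection"}


def classify(pkts):
    """Return {dst: [attack vectors]} for destinations whose traffic in the window
    matches one of the flood signatures."""
    by_dst = defaultdict(list)
    for p in pkts:
        by_dst[p.dst].append(p)
    verdicts = {}
    for dst, ps in by_dst.items():
        vectors = []
        syns = sum(1 for p in ps if p.proto == "tcp" and p.flags == "S")
        acks = sum(1 for p in ps if p.proto == "tcp" and "A" in p.flags)
        # SYN flood: a pile of half-open handshakes that are almost never completed
        if syns >= PKT_THRESHOLD and acks < syns // 10:
            vectors.append("SYN flood")
        udp = [p for p in ps if p.proto == "udp"]
        for port, name in REFLECTOR_PORTS.items():
            refl = [p for p in udp if p.sport == port]
            # reflection: large replies from an amplifying service, via many reflectors
            if (len(refl) >= PKT_THRESHOLD
                    and sum(p.size for p in refl) / len(refl) >= REFLECTED_SIZE
                    and len({p.src for p in refl}) >= 10):
                vectors.append(name)
        other = [p for p in udp if p.sport not in REFLECTOR_PORTS]
        # UDP flood: high volume sprayed over many destination ports
        if len(other) >= PKT_THRESHOLD and len({p.dport for p in other}) >= 50:
            vectors.append("UDP flood")
        echoes = sum(1 for p in ps if p.proto == "icmp" and p.icmp_type == 8)
        if echoes >= PKT_THRESHOLD:
            vectors.append("ICMP flood")
        if vectors:
            verdicts[dst] = vectors
    return verdicts


def vector_shares(verdicts):
    """Share of each vector across all flagged attacks, as percentages."""
    counts = Counter(v for vs in verdicts.values() for v in vs)
    total = sum(counts.values())
    return {v: round(100 * n / total, 1) for v, n in counts.items()}


def sample_traffic():
    """Constructed one-second capture: four attacks plus one healthy web server."""
    pk = []
    pk += [Pkt(f"198.51.100.{i % 50}", "203.0.113.10", "tcp", 1024 + i, 443, "S") for i in range(200)]
    pk += [Pkt(f"198.51.100.{i % 30}", "203.0.113.20", "udp", 53, 1024 + i, size=1200) for i in range(150)]
    pk += [Pkt("198.51.100.7", "203.0.113.30", "udp", 4000, 1 + i, size=1400) for i in range(150)]
    pk += [Pkt(f"198.51.100.{i % 20}", "203.0.113.50", "icmp", icmp_type=8) for i in range(120)]
    for i in range(30):  # healthy: every SYN is followed by an ACK carrying data
        pk.append(Pkt(f"192.0.2.{i}", "203.0.113.40", "tcp", 40000 + i, 443, "S"))
        pk.append(Pkt(f"192.0.2.{i}", "203.0.113.40", "tcp", 40000 + i, 443, "A", 500))
    return pk


if __name__ == "__main__":
    found = classify(sample_traffic())
    for dst, vectors in sorted(found.items()):
        print(dst, "->", ", ".join(vectors))
    print(vector_shares(found))
```

Fed real data, the records would come from flow export or a packet capture summarised per window; the healthy server is left unflagged because its SYNs are matched by ACKs, which is the distinction a SYN-flood rule has to make to avoid alerting on a busy but legitimate site.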

Another key discovery during the fourth quarter of 2017, and one that underlines cyber criminals’ capacity for agile reinvention, was how the Ramnit trojan dramatically extended its reach. Initially built to hit banks, F5 Labs found that 64% of Ramnit’s targets during the holiday season were US-based e-commerce sites.

Other new targets included sites related to travel, entertainment, food, dating and pornography. Other observed banking trojans extending their reach included Trickbot, which infects its victims with social engineering attacks, such as phishing or malvertising, to trick unassuming users into clicking malware links or downloading malware files.

“Attack vectors and tactics will only continue to evolve in the Emea region,” said Wozniak. “It is vital that businesses have the right systems and services in place to safeguard apps wherever they reside. 2017 showed that more internet traffic is SSL/TLS encrypted, so it is imperative that DDoS mitigation systems can examine the nature of these increasingly sophisticated attacks.

“Full visibility and greater control at every layer are essential for businesses to stay relevant and credible to customers. This will be particularly important in 2018 as the EU General Data Protection Regulation comes into play,” he said.


Deconstructing a Denial of Service attack

Denial of service attacks present a major threat to the world, but we may be set to see it get much worse as IoT devices continue to flood the consumer market.

The term denial of service will strike fear into the hearts of many organisations and individuals that have been targeted by this kind of attack. Whether the disruption is permanent or temporary, a denial of service is when an attacker renders an internet-connected host or service unable to serve its legitimate users.

A higher-profile variation of this form of attack is the distributed denial of service (DDoS): the attacker channels an overwhelming volume of traffic toward the target from as many sources as possible.

This bombardment ultimately incapacitates the victim, which cannot barricade itself against so many sources at once, and customers or users of the target's services are also prevented from gaining access.

DoS and DDoS attacks are made all the more troubling by the fact that they are purely destructive, meaning that malicious intent is commonly behind the attacks. Over the years there have been examples of activism, blackmail and revenge as driving factors behind the launching of this kind of cyberattack.

CBR is setting out to look inside the world of denial of service attacks, to find out how they are orchestrated, the damage they have been known to do, and what we can expect from this fearsome form of attack in the near and more distant future.


How to launch one

You might think that the planning stages behind these attacks are extensive, but really not a great deal of forethought is required to launch a dangerous denial of service attack.

Once you have homed in on your target system, the next step is to locate open ports or vulnerabilities in it. Prime targets could be email servers, DNS servers or web servers, given the likelihood that incoming connection requests will be accepted.

Now that these basics have been established, what remains is a pure brute-force approach of drowning the target in traffic, but this step is not always that simple. To succeed, the attacker must be able to summon enough traffic to deny the target service.

Sending complex DNS queries at an extremely high rate could be enough to bring a weaker system down, but many targets will be able to stand up to this simplistic method.

This is not the only option, however, especially if you are able to tap into the destructive power of an army of zombies. In this sense, a zombie is a device enslaved by a hacker to be used as part of the attack; a single device is not enough to generate a large enough attack on its own to cause a denial of service. Here we have touched on a deadly combination, entering the world of botnets: networks of hijacked devices that can be used in sync to deliver a crushing blow with an unstoppable torrent of traffic.

The botnet

This army of devices brought together by an attacker to generate overwhelming traffic is not comprised solely of computers. In fact, mobile devices, servers, PCs or internet of things devices can be enslaved for malicious purposes, but it is this last example that is set to be the harbinger of a new era of powerful DDoS attacks.

IoT devices are flooding into the consumer market while also being used increasingly within industry, and while manufacturers gleefully tend to the demand for everything to be connected, security professionals shudder at the prospect of the tinderbox scenario.

IT security experts are often highly concerned by the negligence of manufacturers when equipping these mass produced devices with security that can stand up to modern threats, meaning that hackers can go unchecked as they secretly harness more and more devices.

Towards the end of 2017, researchers claimed to have discovered a frightening behemoth of a botnet that they believed at the time could have infected over a million IoT devices. Cameras stood out among the devices involved, and perhaps more worrying were the similarities it bore to the notorious Mirai botnet.

The massive botnet has been given the name ‘Reaper’, an apt name given that it does not rely on subtlety for attacks, instead working by hijacking and using its vast power directly against its victims. Not yet slowed or defeated, the Reaper botnet is a glimpse of the monster we may be creating by excitedly connecting devices to the internet; some professionals have even considered this botnet big enough to kill the internet.


How to defend against it

You will stand a vastly improved chance of avoiding the destructive power of a denial of service attack by using these methods of defence. Firstly, it can prove very beneficial to profile normal traffic statistically and filter out traffic that does not fit the pattern.

Honeypots are another way of protecting your organisation that is increasing in popularity as it becomes harder and harder to guarantee that you have not been breached. This defence relies on decoy servers, inaccessible to legitimate customers, whose only purpose is to give away the presence and activity of an attacker: any traffic reaching them is suspicious by definition. This form of defence is included in Gartner's top strategic trends prediction for 2018, which looks at the method as a key to better protection in 2018.

Another reliable form of mitigation is throttling, also known as rate limiting: the organisation sets a maximum level of traffic flow, per source or per service, so that a sudden violent spike in traffic cannot force a system to its limits. The same counters can also help identify attacks, giving heightened protection in the future.
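A minimal version of the throttling described above, as an added example and not code from CBR or from any product: a per-source token bucket in Python, driven by a constructed request stream in which one client sends five requests a second for ten seconds and another sends a thousand requests in one second. The limits (10 requests per second with a burst of 20) and the source addresses are assumptions; the arithmetic is kept in integer millitokens so the counts are exact.

```python
from collections import defaultdict


class TokenBucket:
    """Token bucket kept in millitokens so refills are exact integer math:
    `rate` tokens per second equals `rate` millitokens per millisecond."""

    def __init__(self, rate, burst, now_ms):
        self.rate = rate
        self.cap = burst * 1000
        self.tokens = self.cap
        self.last = now_ms

    def allow(self, now_ms):
        self.tokens = min(self.cap, self.tokens + (now_ms - self.last) * self.rate)
        self.last = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


class Throttle:
    """One bucket per source address; a source that exhausts its budget is dropped
    instead of being allowed to push the backend to its limits, and the other
    sources are unaffected."""

    def __init__(self, rate=10, burst=20):
        self.rate, self.burst = rate, burst
        self.buckets = {}
        self.dropped = defaultdict(int)

    def handle(self, src, now_ms):
        bucket = self.buckets.get(src)
        if bucket is None:
            bucket = self.buckets[src] = TokenBucket(self.rate, self.burst, now_ms)
        if bucket.allow(now_ms):
            return True
        self.dropped[src] += 1
        return False

    def offenders(self, min_dropped=100):
        """Sources throttled often enough to be worth blocking upstream or recording
        for later correlation, which is the 'identify attacks' half of the method."""
        return sorted(s for s, n in self.dropped.items() if n >= min_dropped)


def simulate(throttle, events):
    """events: iterable of (time_ms, src). Returns {src: (allowed, dropped)}."""
    stats = defaultdict(lambda: [0, 0])
    for t, src in sorted(events):
        stats[src][0 if throttle.handle(src, t) else 1] += 1
    return {s: tuple(v) for s, v in stats.items()}


def sample_events():
    """Constructed stream: a normal client at 5 req/s for 10 s and a flooder sending
    1,000 requests in one second. Addresses are from the documentation ranges."""
    normal = [(i * 200, "192.0.2.10") for i in range(50)]
    flood = [(i, "198.51.100.7") for i in range(1000)]
    return normal + flood


if __name__ == "__main__":
    th = Throttle(rate=10, burst=20)
    print(simulate(th, sample_events()))   # flooder gets the burst plus ~10/s, nothing more
    print("offenders:", th.offenders())
```

The flooder is served its 20-request burst and then one request per 100 ms (29 of 1,000 get through), while the normal client is never touched; the bucket per source is what keeps a spike from one address from starving everyone else, which is the property a simple global cap lacks.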


Copyright © 2014. DoS Protection UK. All Rights Reserved.