Five days ago, Ecuador revoked Julian Assange’s asylum after seven years and turned him over to the UK authorities, which promptly arrested the WikiLeaks chief.
Since then, Ecuador claims to be under siege from Assange supporters and “groups linked” to him.
Patricio Real, Ecuador’s deputy minister for information and communication technology, said in a statement that the webpages for his country’s public institutions experienced 40 million cyber-attacks.
Among the hardest hit were pages for the central bank, the foreign ministry and the president’s office.
“During the afternoon of April 11 we jumped from 51st place to 31st place worldwide in terms of the volume of cyber attacks,” he said.
The deputy minister said that the attacks “principally come from the United States, Brazil, Holland, Germany, Romania, France, Austria and the United Kingdom,” but that countries from South America also show up on the list.
No major hacking groups were named in Ecuador’s statement, though the well-known Anonymous collective apparently made a threat.
Real also didn’t specify what type of attacks Ecuador’s websites experienced. He said that no hacker managed to steal government data, but that the attacks prevented some employees and citizens from accessing their accounts.
Since Real called the attacks “volumetric,” he was most likely referring to the type of DDoS attack in which attackers send a large amount of traffic at a website in the hope of overwhelming it.
While this is a serious threat to a network, the attack itself can be perpetrated even by those without a lot of technical knowledge.
Ecuador will receive cybersecurity support from Israel to handle the incidents. It has also moved to arrest a suspect, a Swedish citizen close to Assange.
Right now, Julian Assange is in the UK authorities’ hands and waiting to see if he will be extradited to the US to face conspiracy charges.
He was also stripped of his Ecuador citizenship, which was granted in 2017 under a different Ecuadorian regime.
A new Mirai variant comes with eleven new exploits, with the enterprise WePresent WiPG-1000 Wireless Presentation system and the LG Supersign TV the most notable newly targeted devices.
A previous report by Palo Alto Networks’ Unit 42 from September saw a strain of the Mirai botnet switching targets to attack Apache Struts servers using an exploit also employed during last year’s Equifax breach, while a new Gafgyt version was observed attacking SonicWall firewalls, as part of a larger move against enterprise assets.
In both those instances, the Unit 42 security researchers saw exploits of older and already patched vulnerabilities used in the attacks, suggesting that the threat actors are trying to make their work easier by compromising unpatched devices affected by severe security flaws such as CVE-2017-5638 in Apache Struts.
Mirai attacks against enterprise devices mounting up
This time, as previously mentioned, the researchers found that, besides its usual marks represented by routers, network video cameras, modem routers, and wireless controllers, the Mirai version detected during January 2019 is now also scanning for and exploiting LG Supersign TVs and WePresent WiPG-1000 Wireless Presentation systems present in enterprise environments.
On top of that, with the 11 new exploits added by its masters to be used in the attacks, the total now reaches 27. As further discovered by Unit 42, the botnet’s malicious payload is hosted on a Colombian company’s server which, ironically, provides “electronic security, integration and alarm monitoring” services.
“These new features afford the botnet a large attack surface. In particular, targeting enterprise links also grants it access to larger bandwidth, ultimately resulting in greater firepower for the botnet for DDoS attacks,” according to Unit 42.
The new Mirai variant spotted by Unit 42 also comes with a handful of new features:
Mirai is a self-propagating botnet created by Paras Jha, Josiah White, and Dalton Norman, originally designed to target Internet of Things (IoT) devices such as routers, digital video recorders, and IP cameras, transforming them into “bots” upon successful compromise which can later be used as sources for large-scale Distributed Denial of Service attacks.
During 2016, some malicious actors were advertising huge Mirai botnets of hundreds of thousands of infected devices capable of DDoS attacks over 650Gbps and managing to impact hundreds of thousands of devices [1, 2] during a single campaign.
Mirai still going strong despite creators getting caught
It all started after Jha posted Mirai’s source code on a hacking forum in 2016. Since then, other bad actors have used the code he shared as a starting point to create numerous other botnets, most of them at roughly the same level of sophistication but, once in a while, adding newer and more complex attack tools [1, 2, 3, 4, 5, 6].
While their “masterpiece” was and is being improved by others, and is still going strong as Unit 42’s newest report on the new Mirai variant shows, Jha, White, and Norman were indicted and pleaded guilty for their role in the creation of the malware during December 2018, after Jha was first questioned by the FBI in January 2017 and the US authorities charged all three of them in May 2017.
Paras Jha was sentenced during October and ordered “to pay $8.6 million in restitution and serve six months of home incarceration” according to a DoJ release from October 26, 2018.
The group behind Mirai was sentenced to serve a five-year period of probation and do 2,500 hours of community service, as well as pay $127,000 in restitution, while also forfeiting the cryptocurrency seized during the investigation. Jail time was removed from the sentence after they assisted the FBI in other cybercrime investigations.
Most organizations understand that DDoS attacks are disruptive and potentially damaging. But many are also unaware of just how quickly the DDoS landscape has changed over the past two years, and underestimate how significant the risk from the current generation of attacks has become to the operation of their business. Here, I’m going to set the record straight about seven of the biggest misconceptions that I hear about DDoS attacks.
There are more important security issues than DDoS that need to be resolved first.
When it comes to cyber-attacks, the media focuses on major hacks, data breaches and ransomware incidents. Yet DDoS attacks are growing rapidly in scale and severity: the number of attacks grew by 71% in Q3 2018 alone, to an average of over 175 attacks per day, while the average attack volume more than doubled, according to the Link11 DDoS Report. There is no shortage of devastating examples. In late 2017, seven of the UK’s biggest banks were forced to reduce operations or shut down entire systems following a DDoS attack, costing hundreds of thousands of pounds according to the UK National Crime Agency. And in 2018, online services from several Dutch banks and numerous other financial and government services in the Netherlands were brought to a standstill in January and May. These attacks were launched using Webstresser.org, the world’s largest provider of DDoS-on-demand, which sold attack services for as little as £11. It costs a criminal almost nothing and requires little to no technical expertise to mount an attack, but it costs a company a great deal to fix the damage they cause.
What’s more, DDoS attacks are often used as a distraction, to divert IT teams’ attention away from attempts to breach corporate networks. As such, dealing with DDoS attacks should be regarded as a priority, not a secondary consideration.
I know that DDoS attacks are common, but I’ve never been affected before
Many companies underestimate the risk of being hit by DDoS because they have never been hit before. The truth is that a single attack is often more than enough to cause severe damage across the value chain. This potentially affects any company that is connected to the Internet in any way. Overload attacks affect not only websites but also all other web services, such as e-mail communication, intranets, customer connections, supplier and workflow systems, and more. Today, customers and partners expect 100% availability. Besides the business interruption due to production loss and recovery costs, reputational damage is a common consequence. Total costs for such incidents can quickly run into the millions. On the other hand, the costs of proactive protection against these kinds of attacks are comparatively negligible.
There are many providers offering a solution, so DDoS is an easy problem to fix
DDoS is not a new topic, which means that many of the available solutions are outdated. Only a few providers deliver up-to-date, real-time protection that secures against all types of attacks on all network layers. Only a handful of providers can react immediately in an emergency, i.e. once the attack is already under way, and quickly provide the right protection to organizations.
Reacting to an attack within a few minutes is sufficient
Ideally, the use of intelligent defence systems and always-on protection should prevent an outage in the first place. However, if a new attack pattern appears, the first 30 seconds are crucial. Even if an attack is mitigated after just one minute, existing IP connections will already have been interrupted (for example, an IPsec tunnel collapsing), and it may take several hours until availability is restored. Although this prevents follow-up actions that can lead to infiltration and data theft, the economic costs of lost revenue, lost productivity and damage to reputation can still be immense. Therefore, it is vital for organizations to implement a solution that guarantees mitigation in a matter of seconds.
We have our own 24/7 Security Operations Center (SOC), so we are immune
In the flood of security alerts in a SOC, it is likely that some events are overlooked or not put into context with other activities. Furthermore, the sheer number of analyses and measures required cannot be handled by people alone. Only a fully automated process that works on the basis of intelligent, globally networked systems, and which precludes human error in the process chain, can ensure comprehensive security. Industrial-scale attacks can only be countered with industrial-scale defences.
I am already in the cloud and am automatically protected by my cloud provider
The major cloud providers offer some basic DDoS protections. But this is not aimed at preventing targeted, mega-scale attacks. In late 2016, the massive Dyn DDoS attack caused global disruption to public cloud services. In addition, cloud applications are easily attacked by other applications from within the same cloud. Therefore, when running business-critical applications in the cloud, it is important to consider deploying additional DDoS protections to those applications.
I have invested in hardware that offers protection
Although these systems ensure high infrastructure performance, they only provide static protection against DDoS attacks. This means that the DDoS protection there can only be as good as the current version of the filtering software – which is already outdated as soon as it is released. This approach might have worked a couple of years ago. Nowadays, however, with ever more complex and powerful attacks that combine several vectors and target multiple layers at the same time, this kind of protection is insufficient. Effective protection is only possible via intelligent and networked systems which use advanced machine-learning techniques to analyse traffic and build a profile of legitimate traffic.
In conclusion, DDoS protection needs to be seen as an essential part of the IT security infrastructure. Starting to consider effective solutions only once an attack is under way is too late. By educating themselves about the misconceptions in this context and implementing the measures listed in this text, companies can position themselves sustainably in terms of their business continuity strategy.
When someone in your organization starts using internet-connected devices without IT’s knowledge, that’s shadow IoT. Here’s what you need to know about its growing risk.
Shadow IoT definition
Shadow IoT refers to internet of things (IoT) devices or sensors in active use within an organization without IT’s knowledge. The best example is from before the days of bring your own device (BYOD) policies when employees used personal smartphones or other mobile devices for work purposes. “Shadow IoT is an extension of shadow IT, but on a whole new scale,” says Mike Raggo, CSO at 802 Secure. “It stems not only from the growing number of devices per employee but also the types of devices, functionalities and purposes.”
Employees have been connecting personal tablets and mobile devices to the company network for years. Today, employees are increasingly using smart speakers, wireless thumb drives and other IoT devices at work as well. Some departments install smart TVs in conference rooms or are using IoT-enabled appliances in office kitchens, such as smart microwaves and coffee machines.
In addition, building facilities are often upgraded with industrial IoT (IIoT) sensors, such as heating ventilation and air conditioning (HVAC) systems controlled by Wi-Fi-enabled thermostats. Increasingly, drink machines located on company premises connect via Wi-Fi to the internet to accept, say, Apple Pay payments. When these sensors connect to an organization’s network without IT’s knowledge, they become shadow IoT.
How prevalent is shadow IoT?
Gartner predicts that 20.4 billion IoT devices will be in use globally by 2020, up from 8.4 billion in 2017. Shadow IoT has become widely prevalent as a result. In 2017, 100 percent of organizations surveyed reported ‘rogue’ consumer IoT devices on the enterprise network, and 90 percent reported discovering previously undetected IoT or IIoT wireless networks separate from the enterprise infrastructure, according to a 2018 report from 802 Secure.
One-third of companies in the U.S., U.K. and Germany have more than 1,000 shadow IoT devices connected to their network on a typical day, according to a 2018 Infoblox report on shadow devices. Infoblox’s research found that the most common IoT devices on enterprise networks are:
Fitness trackers such as Fitbits (49 percent)
Digital assistants such as Amazon Alexa and Google Home (47 percent)
Smart TVs (46 percent)
Smart kitchen devices such as connected microwaves (33 percent)
Gaming consoles such as Xboxes or PlayStations (30 percent)
What are shadow IoT’s risks?
IoT devices are often built without inherent, enterprise-grade security controls, are frequently set up using default IDs and passwords that criminals can easily find via internet searches, and are sometimes added to an organization’s main Wi-Fi networks without IT’s knowledge. Consequently, the IoT sensors aren’t always visible on an organization’s network. IT can’t control or secure devices they can’t see, making smart connected devices an easy target for hackers and cybercriminals. The result: IoT attacks grew by 600 percent in 2018 compared to 2017, according to Symantec.
Vulnerable connected devices are easily discoverable online via search engines for internet-connected devices such as Shodan, Infoblox’s report points out. “Even when searching simple terms, Shodan provides details of identifiable devices, including the banner information, HTTP, SSH, FTP and SNMP services. As identifying devices is the first step in accessing devices, this provides even lower-level criminals with an easy means of identifying a vast number of devices on enterprise networks that can then be targeted for vulnerabilities.”
Why aren’t most shadow IoT devices secure?
When PCs were first released decades ago, their operating systems weren’t built with inherent security, Raggo observes. As a result, securing PCs against viruses and malware remains an ongoing struggle.
In contrast, the iOS and Android mobile operating systems were designed with integrated security, such as app sandboxing. While mobile devices aren’t bullet-proof, they’re typically more secure than desktops and laptops.
With today’s IoT and IIoT devices, “It’s like manufacturers have forgotten everything we’ve learned about security from mobile operating systems,” Raggo says. “There are so many IoT manufacturers, and the supply chain for building the devices is scattered all over the world, leading to a highly fragmented market.”
Because IoT devices tend to be focused on just one or two tasks, they often lack security features beyond basic protocols such as WPA2 Wi-Fi, which has its vulnerabilities. The result: Billions of unsecured IoT devices are in use globally on enterprise networks without IT’s knowledge or involvement.
“I bought 10 or 15 IoT devices a few years ago to check out their security,” says Chester Wisniewski, principal research scientist at Sophos. “It was shocking how fast I could find their vulnerabilities, which means anyone could hack them. Some devices had no process for me to report vulnerabilities.”
Have criminal hackers successfully targeted shadow IoT devices?
Yes. Probably the most famous example to date is the 2016 Mirai botnet attack, in which unsecured IoT devices such as Internet Protocol (IP) cameras and home network routers were hacked to build a massive botnet army. The army executed hugely disruptive distributed denial of service (DDoS) attacks, such as one that left much of the U.S. east coast internet inaccessible. The Mirai source code was also shared on the internet, for criminal hackers to use as building blocks for future botnet armies.
Other exploits are available that enable cybercriminals to take control of IoT devices, according to the Infoblox report. “In 2017, for example, WikiLeaks published the details of a CIA tool, dubbed Weeping Angel, that explains how an agent can turn a Samsung smart TV into a live microphone. Consumer Reports also found flaws in popular smart TVs that could be used to steal data as well as to manipulate the televisions to play offensive videos and install unwanted apps.”
Along with amassing botnet armies and conducting DDoS attacks, cybercriminals can also exploit unsecured IoT devices for data exfiltration and ransomware attacks, according to Infoblox.
In one of the oddest IoT attacks thus far, criminals hacked into a smart thermometer inside a fish tank in a casino lobby to access its network. Once in the network, the attackers were able to steal the casino’s high-roller database.
The future potential of IoT-enabled cyberattacks is enough to give CSOs and other IT security professionals concern. “Consider the damage to vital equipment that could occur if someone connected into an unsecured Wi-Fi thermostat and changed the data center temperature to 95 degrees,” Raggo says. In 2012, for instance, cybercriminals hacked into the thermostats at a state government facility and a manufacturing plant and changed the temperatures inside the buildings. The thermostats were discovered via Shodan, a search engine devoted to internet-connected devices.
To date, the impact of IoT device exploits hasn’t been hugely negative for any particular enterprise, says Wisniewski, in terms of exploiting sensitive or private data. “But when a hacker figures out how to make a big profit compromising IoT devices, like using a brand of smart TVs for conference room spying, that’s when the shadow IoT security risk problem will get everyone’s attention.”
3 ways to mitigate shadow IoT security risks
Make it easy for users to officially add IoT devices. “The reason you have shadow IT and shadow IoT is often because the IT department is known for saying ‘no’ to requests to use devices like smart TVs,” says Wisniewski. Instead of outright banning IoT devices, fast-tracking their approval whenever possible and feasible—within, say, 30 minutes after the request is made—can help reduce the presence of shadow IoT.
“Publish and circulate your approval process,” Wisniewski adds. “Get users to fill out a brief form and let them know how quickly someone will get back to them. Make the process as flexible and as easy for the requester as possible, so they don’t try to hide something they want to use.”
Proactively look for shadow IoT devices. “Organizations need to look beyond their own network to discover shadow IoT, because much of it doesn’t live on the corporate network,” Raggo says. “More than 80 percent of IoT is wireless-enabled. Therefore, wireless monitoring for shadow IoT devices and networks can allow visibility and asset management of these other devices and networks.”
Traditional security products list devices by a media access control (MAC) address or a vendor’s organizationally unique identifier (OUI), yet they are largely unhelpful in an environment with a plethora of different types of devices, Raggo adds. “IT really wants to know ‘what is that device?’ so they can determine if it’s a rogue or permitted device. In today’s world of deep-packet inspection and machine learning, mature security products should provide human-friendly categorizations of discovered assets to ease the process of asset management and security.”
Isolate IoT. Ideally, new IoT and IIoT devices should connect to the internet via a separate Wi-Fi network dedicated to such devices that IT controls, says Wisniewski. The network should be configured to let IoT devices transmit information while blocking incoming connections to them. “With the majority of IoT devices, nothing legitimate is ever transmitted to them,” he says.
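The isolation Wisniewski describes can be expressed as a stateful default-deny policy for the IoT segment: devices may open connections outward, replies to those connections are let back in, and nothing may initiate a connection toward a device. The following is an added example, not code or configuration from 802 Secure, Sophos or any product on the page. The 10.20.0.0/24 IoT segment, the 10.10.0.0/16 corporate LAN and the sample flows are constructed, and the rules that also drop device-to-LAN and device-to-device traffic are assumptions added here, since the article only says the devices get their own network.

```python
"""Stateful egress-only policy for a dedicated IoT network segment (added example).

The point the evaluator makes is that "block incoming" has to be stateful: a device's
own outbound connection produces inbound reply packets, and those must be allowed or
the device stops working. Address ranges and flows below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

IOT_NET = ip_network("10.20.0.0/24")   # constructed: the IT-controlled IoT Wi-Fi segment
CORP_NET = ip_network("10.10.0.0/16")  # constructed: corporate LAN


@dataclass(frozen=True)
class Flow:
    """One packet's 5-tuple, as a firewall would see it."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class IotSegmentPolicy:
    """Default-deny policy for traffic entering or leaving IOT_NET."""

    def __init__(self) -> None:
        # Connections an IoT device opened itself; replies to these are allowed.
        self._established: set[tuple] = set()

    def decide(self, f: Flow) -> str:
        src, dst = ip_address(f.src), ip_address(f.dst)
        forward = (f.proto, f.src, f.sport, f.dst, f.dport)
        reverse = (f.proto, f.dst, f.dport, f.src, f.sport)

        # Rule 1: reply to a connection the device initiated -> allowed (stateful match).
        if reverse in self._established:
            return "ACCEPT"
        # Rule 2: device opening a connection toward the internet -> allowed and tracked.
        if src in IOT_NET and dst not in IOT_NET and dst not in CORP_NET:
            self._established.add(forward)
            return "ACCEPT"
        # Rule 3: everything else -> dropped. This covers connections initiated toward a
        # device from the internet or the LAN, and (assumption added here) device-to-LAN
        # and device-to-device traffic inside the segment.
        return "DROP"


def evaluate(flows) -> list[str]:
    """Run the flows through one policy instance in arrival order; return each verdict."""
    policy = IotSegmentPolicy()
    return [policy.decide(f) for f in flows]


# Constructed sample traffic, in arrival order. 198.51.100.0/24 stands in for the internet.
SAMPLE_FLOWS = [
    Flow("tcp", "10.20.0.7", 51000, "198.51.100.5", 443),   # smart TV calls its cloud service
    Flow("tcp", "198.51.100.5", 443, "10.20.0.7", 51000),   # the service's reply
    Flow("udp", "10.20.0.7", 40000, "198.51.100.53", 53),   # device DNS query
    Flow("udp", "198.51.100.53", 53, "10.20.0.7", 40000),   # DNS answer
    Flow("tcp", "198.51.100.77", 40000, "10.20.0.7", 23),   # internet host probes telnet on the device
    Flow("tcp", "10.10.4.20", 40001, "10.20.0.7", 80),      # LAN host opens a connection to the device
    Flow("tcp", "10.20.0.7", 51001, "10.10.4.20", 445),     # device reaches for a LAN file server
    Flow("tcp", "10.20.0.9", 51002, "10.20.0.7", 80),       # another IoT device talks to it
]

if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, evaluate(SAMPLE_FLOWS)):
        print(f"{verdict:6} {flow.proto} {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}")
```

The first four flows are accepted and the last four dropped. A packet shaped like a reply but with no matching outbound connection is also dropped, which is what distinguishes this from a stateless "allow source port 443" rule.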
Anything shadowy is a problem
“Shadow anything is a problem, whether it’s an IoT device or any other addressable, unmanaged item,” says Wisniewski. “The key is controlling access to the network from only authorized devices, keeping an accurate inventory of authorized devices, and having clear policies in place to ensure employees know they aren’t allowed to ‘bring their own’ devices and that HR sanctions will be enforced if they do.”
Connected devices often get attacked minutes after being plugged in.
IoT devices are being attacked with greater regularity than ever before, new research has suggested.
According to a new report by NETSCOUT, smart products often come under attack within five minutes of being plugged in, and are targeted by specific exploits within a day.
The Threat Landscape Report says IoT device security is ‘minimal to non-existent’ on many devices. That makes the IoT sector among the most vulnerable ones, especially knowing that medical equipment and connected cars fall under the IoT category.
DDoS, in general, is still on the rise, the report adds. The number of such attacks grew by a quarter last year. Attacks in the 100-400 Gbps range ‘exploded’, it says, which it takes as evidence of hackers’ ‘continued interest’ in this attack vector.
The global maximum DDoS attack size grew by 19 per cent last year, compared to the year before.
International institutions, such as the UN or the IMF, have never been this interesting to hackers. DDoS attacks against such organisations had risen by almost 200 per cent last year.
Hackers operate much as legitimate businesses do. They employ the affiliate model, allowing them to rake in profits quite quickly.
“Our global findings reveal that the threat landscape in the second half of 2018 represents the equivalent of attacks on steroids,” said Hardik Modi, NETSCOUT’s senior director of Threat Intelligence. “With DDoS attack size and frequency, volume of nation state activity and speed of IoT threats all on the rise, the modern world can no longer ignore the digital threats we regularly face from malicious actors capable of capitalizing on the interdependencies that wind through our pervasively connected world.”
Federal authorities have arrested two alleged members of a hacking group known as the Apophis Squad on charges of making false threats of violent attacks and staging attacks on multiple computer systems.
According to an announcement from the Department of Justice (DoJ), the two defendants, Timothy Dalton Vaughn, 20, of Winston-Salem, North Carolina, and George Duke-Cohan, 19, of Hertfordshire, United Kingdom, are allegedly part of a global group of hackers suspected of wreaking havoc on the internet for the better part of 2018, including launching distributed-denial-of-service (DDoS) attacks.
Duke-Cohan, who is already serving a three-year sentence in the UK for threatening an airline, which turned out to be a hoax, is believed to go by the names DigitalCrimes and 7R1D3N7 online.
The defendants face multiple charges, including conducting cyber- and swatting attacks against individuals, businesses and institutions in the US and the UK, according to the DoJ.
“Members of Apophis Squad communicated various threats – sometimes using ‘spoofed’ email addresses to make it appear the threats had been sent by innocent parties, including the mayor of London,” the announcement stated.
“They also allegedly defaced websites and launched denial-of-service attacks. In addition, Vaughn allegedly conducted a DDoS attack that took down hoonigan.com, the website of a Long Beach motorsport company, for three days, and sent extortionate emails to the company demanding a Bitcoin payment to cease the attack.”
If convicted of all charges in the 11-count indictment, Vaughn could be sentenced to a maximum of 80 years in prison. Duke-Cohan, who is facing nine charges, would be sentenced to a maximum of 65 years if found guilty.
“The Apophis Squad also took credit for hacking and defacing the website of a university in Colombia, resulting in visitors to the site seeing a picture of Adolf Hitler holding a sign saying ‘YOU ARE HACKED’ alongside the message ‘Hacked by APOPHIS SQUAD,’” the DoJ wrote.
Although most scrubbing services can help fend off distributed denial of service attacks, a more comprehensive mitigation strategy is required to remain unscathed
What was possibly the world’s biggest distributed denial of service (DDoS) attack in February 2018 was stopped in its tracks after 20 minutes because there was a DDoS protection service in place.
In the attack on GitHub, a popular online code management service used by millions of developers, the site experienced incoming traffic of 1.3Tbps and was bombarded by packets at a rate of 126.9 million per second. Within 10 minutes of the attack starting, GitHub had sounded the alarm and routed its traffic to its DDoS mitigation service, Akamai Prolexic, which sorted out and blocked the malicious traffic.
GitHub is not alone, as DDoS attacks have grown in intensity and become more sophisticated. Since 2017, businesses in the Asia-Pacific (APAC) region started to experience DDoS attacks at almost the same rate as North American businesses, which have traditionally been the most targeted, said Shahnawaz Backer, security specialist for APAC at F5 Networks, based on F5’s data.
And ASEAN organisations are not standing still. The DDoS protection market in ASEAN has seen significant growth, accounting for 20% of the APAC market, according to Frost & Sullivan.
A growing number of enterprises are investing in DDoS solutions, especially cloud-based DDoS mitigation services, with a shift away from a service-provider-centric market.
A DDoS attack is one of the most complex threats that businesses can face. The goal of the individual hacker, organised criminals or state actors is to overwhelm a company’s network, website or network component, such as a router. To begin with, organisations have to determine whether a spike in traffic is legitimate or is an attack.
“Without a solid understanding of baselines and historic traffic trends, organisations are unlikely to detect an attack until it is too late,” said Sherrel Roche, senior market analyst at IDC’s Asia-Pacific business and IT services research group.
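One way to turn that advice into a concrete check, as an added example rather than code from F5, IDC or any other party named here, is to baseline per-minute request counts from historical access logs and score each new minute against that baseline. The sample Common Log Format lines below are constructed, the 198.51.100.0/24, 203.0.113.0/24 and 192.0.2.0/24 addresses are documentation ranges, and the thresholds are assumptions. The example goes one step beyond the paragraph by also separating a flood concentrated on a few sources from a broad surge, since the two call for different responses.

```python
"""Traffic baselining and spike triage over web-server access logs (added example).

Without a baseline, a busy minute cannot be told apart from an attack. This block builds
a robust baseline (median and MAD) from historical per-minute totals, flags minutes far
above it, and labels each flagged minute by how concentrated its sources are. Log lines
are constructed for the demonstration and are not from any system named on the page.
"""
from __future__ import annotations

import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line: str):
    """Return (minute_bucket, source_ip) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return ts.replace(second=0, microsecond=0), m.group("ip")


def bucket_by_minute(lines):
    """Map each minute to a Counter of requests per source IP."""
    per_minute: dict = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            minute, ip = parsed
            per_minute[minute][ip] += 1
    return per_minute


def robust_baseline(totals):
    """Median and MAD of per-minute totals; a few odd minutes in history do not skew it."""
    med = statistics.median(totals)
    mad = statistics.median(abs(t - med) for t in totals) or 1.0
    return med, mad


def detect_spikes(history, current, k: float = 6.0, concentration: float = 0.5):
    """Flag minutes in `current` whose total sits k robust sigmas above the historical median.

    "volumetric-concentrated": the top three sources carry at least `concentration` of the
    requests (a flood from few hosts). "distributed-surge": many sources share the load
    (a flash crowd, or a wide botnet); both deserve a look, but the response differs.
    """
    med, mad = robust_baseline([sum(c.values()) for c in history.values()])
    sigma = 1.4826 * mad  # MAD scaled to a standard-deviation equivalent
    alerts = []
    for minute, sources in sorted(current.items()):
        total = sum(sources.values())
        score = (total - med) / sigma
        if score < k:
            continue
        top3 = sources.most_common(3)
        share = sum(n for _, n in top3) / total
        alerts.append({
            "minute": minute.strftime("%H:%M"),
            "total": total,
            "score": round(score, 1),
            "kind": "volumetric-concentrated" if share >= concentration else "distributed-surge",
            "top_sources": [ip for ip, _ in top3],
        })
    return alerts


def _log_line(ip: str, when: datetime) -> str:
    return f'{ip} - - [{when.strftime(TS_FMT)}] "GET /index.html HTTP/1.1" 200 1024'


def build_sample():
    """Constructed data: ten quiet minutes of history, then three minutes to triage."""
    base = datetime(2019, 4, 11, 14, 0, tzinfo=timezone.utc)
    history, current = [], []
    for i in range(10):  # 18..22 requests per minute from as many distinct addresses
        when = base + timedelta(minutes=i)
        for j in range(18 + i % 5):
            history.append(_log_line(f"198.51.100.{j + 1}", when + timedelta(seconds=j)))
    t0 = base + timedelta(minutes=10)
    for j in range(21):  # a normal minute
        current.append(_log_line(f"198.51.100.{j + 1}", t0 + timedelta(seconds=j)))
    t1 = t0 + timedelta(minutes=1)
    for j in range(300):  # flood: 300 requests from just three addresses
        current.append(_log_line(f"203.0.113.{j % 3 + 1}", t1 + timedelta(seconds=j % 60)))
    t2 = t0 + timedelta(minutes=2)
    for j in range(60):  # surge: 60 requests from 60 distinct addresses
        current.append(_log_line(f"192.0.2.{j + 1}", t2 + timedelta(seconds=j)))
    return history, current


if __name__ == "__main__":
    hist, cur = build_sample()
    for alert in detect_spikes(bucket_by_minute(hist), bucket_by_minute(cur)):
        print(alert)
```

On the constructed data the baseline is a median of 20 requests per minute with a MAD of 1; the 21-request minute is not flagged, the 300-request minute is flagged as concentrated, and the 60-request minute is flagged as a distributed surge. The median/MAD choice matters in practice: a mean and standard deviation computed over a history that already contains an attack would be inflated by it and hide the next one.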
Landbank, the largest government-owned bank in the Philippines, has taken the step of implementing F5’s BIG-IP local traffic manager to understand its application traffic and performance better, as well as to gain full visibility into customer data as it enters and leaves an application. This enables the security team to inspect, manage and report fraudulent transactions as soon as they are spotted.
Complementing that is an on-premise, application-level (layer 7) DDoS mitigation service to ensure mission-critical applications are protected against application-specific attacks.
It can be relatively simple to launch a DDoS attack with readily available DDoS-for-hire services, and even people with little or no technical skills can launch a damaging attack.
One such attack, which generated over 170Gbps of traffic, was organised over chatrooms on the Steam game distribution platform and IRC (internet relay chat), with many participants using downloaded tools, the instructions for which included a YouTube tutorial by a 12-year-old developer, said Fernando Serto, head of security technology and strategy at Akamai Technologies APAC.
Part of the challenge of DDoS is the complexity of these attacks. Not only are there several categories of attack method, but each category has a host of different attacks. The same target can also be attacked using several different attack vectors.
On top of that, some attacks can be hard to detect. One notable attack involved overwhelming the target’s DNS (domain name system) server through a series of bursts that lasted several minutes, instead of a sustained attack.
“This led to defender fatigue as these bursts of traffic were coming in over a long period of time, and detection, let alone mitigation, of these types of attacks becomes very difficult,” said Serto.
DDoS attacks are unlike other cyber attacks, where patches and locally installed security appliances can block an attack altogether. The defence calculus for denial of service is different because no organisation can prevent or block all DDoS attacks on its own, said Gartner senior analyst Rajpreet Kaur.
So the decision to invest in DDoS protection is also not an easy one. DDoS mitigation is an expensive investment, which organisations do not easily choose unless they or their competitors have suffered an attack.
“While multinational and global firms will invest, the cost may deter smaller, local firms,” said Kaur.
Also, IT infrastructure is getting more complex as enterprises move their applications and infrastructure to the cloud, requiring DDoS solutions to cater to different environments, said Frost & Sullivan network security senior industry analyst Vu Anh Tien.
What GitHub relied on to counter the massive attack in February 2018 was scrubbing services, a common DDoS mitigation technique. Using this method, the traffic destined for a particular IP address range is redirected to datacentres, where the attack traffic is “scrubbed” or cleaned. Only clean traffic is then forwarded to the target destination.
Most DDoS scrubbing providers have three to seven scrubbing centres, typically distributed globally, said Gartner’s Kaur. Each centre consists of DDoS mitigation equipment and large amounts of bandwidth, which can be over 350Gbps, that feeds traffic to it. When customers are under attack, they “push the button” to redirect all traffic to the closest scrubbing centre to be cleaned.
Enterprise customers make use of scrubbing centres in two ways – one is to route traffic via the scrubbing centres around the clock, while others prefer to route traffic on demand when an attack occurs.
Given the complexity of security attacks and IT infrastructures, organisations are increasingly adopting hybrid models of protection, in order to protect against the broadest set of potential attack vectors. They often turn to an on-premise system that is the first line of defence, with the scrubbing centre stepping in when the on-premise technology is overwhelmed, said Backer.
IDC’s Roche added: “For bad traffic to be diverted to a scrubbing centre in a seamless action to reduce any downtime, organisations need to have seamless integration between cloud and on-premise solutions, implemented in front of an infrastructure’s network to help mitigate an attack before it reaches core network assets and data.”
On Monday, Europol said it was closing in on more than 250 customers of Webstresser.org and other DDoS-for-hire services. In April, authorities took down the site for letting buyers knock websites offline.
If you were a big buyer of DDoS attacks, you may be in trouble. Police in Europe plan to go after customers of Webstresser.org, a major DDoS-for-hire website it shut down last year.
On Monday, Europol said it was closing in on more than 250 customers of Webstresser.org and other DDoS-for-hire services. “Actions are currently underway worldwide to track down the users of these Distributed Denial of Service (DDoS) attacks,” the agency added.
In April, Europol shut down Webstresser.org for letting buyers knock websites offline. For as little as $18.99 a month, the site offered access to DDoS attacks, which can overwhelm an IP address or website with enough internet traffic to disrupt access to it.
Webstresser.org was believed to be the world’s largest market for DDoS-for-hire services, according to Europol. Before its shutdown, the site helped launch 4 million attacks. It had also attracted 151,000 registered users under the guise of selling “server stress testing” services.
Now all those customers are in danger of facing potential prosecution. That’s because authorities have uncovered a “trove of information” on Webstresser.org’s users.
“In the United Kingdom, a number of webstresser.org users have recently been visited by the police,” Europol said in its announcement. “UK police are also conducting a number of live operations against other DDoS criminals.”
Although police have typically focused on targeting the sellers of DDoS attacks, Europol said law enforcement is ramping up activities to crack down on buyers as well. Last month, US federal investigators also warned they were going after customers of DDoS-for-hire websites.
“Whether you launch the DDoS attack or hire a DDoS service to do it for you, the FBI considers it criminal activity,” FBI Assistant Director Matthew Gorham said in December. “Working with our industry and law enforcement partners, the FBI will identify and potentially prosecute you for this activity.”
Malware and bots, phishing, and DDoS attacks are some of the top threats companies face, according to Radware.
The average estimated cost of a cyberattack on an enterprise was $1.1 million in 2018—up 52% from the year before, according to a Tuesday report from Radware. For companies with a formal cost calculation process, that estimate rises to $1.7 million, the report found, with the top impacts being operational/productivity loss (54%), negative customer experiences (43%), and brand reputation loss (37%).
The report surveyed 790 IT executives worldwide across industries. These IT leaders perceive the goals of the attacks to be service disruption (45%), data theft (35%), unknown reasons (11%), or espionage (3%).
Some 21% of businesses experience daily cyberattacks, up from 13% last year, the report found. Another 13% said they were attacked weekly, 13% said monthly, and 27% said once or twice a year. Only 7% of organizations said they have never been attacked, according to the report.
The most common types of attacks on enterprises are malware and bots (76%), socially engineered threats like phishing (65%), DDoS attacks (53%), web application attacks (42%), ransomware (38%), and cryptominers (20%).
Hackers are also increasing their use of emerging attack vectors to bring down networks and data centers, the report found: the share of IT leaders reporting HTTPS floods rose from 28% in 2017 to 34% in 2018, while reports of DNS-based attacks grew from 33% to 38%. Burst attacks rose from 42% to 49%, and reports of bot attacks grew from 69% to 76%.
“While threat actors only have to be successful once, organizations must be successful in their attack mitigation 100% of the time,” Anna Convery-Pelletier, chief marketing officer for Radware, said in a press release. “A cyberattack resulting in service disruption or a breach can have devastating business impacts. In either case, you are left with an erosion of trust between a brand and its constituency.”
American tech firm Cloudflare is providing cybersecurity services to at least seven designated foreign terrorist organizations and militant groups, HuffPost has learned.
The San Francisco-based web giant is one of the world’s largest content delivery networks and boasts of serving more traffic than Twitter, Amazon, Apple, Instagram, Bing and Wikipedia combined. Founded in 2009, it claims to power nearly 10 percent of Internet requests globally and has been widely criticized for refusing to regulate access to its services.
Among Cloudflare’s millions of customers are several groups that are on the State Department’s list of foreign terrorist organizations, including al-Shabab, the Popular Front for the Liberation of Palestine, al-Quds Brigades, the Kurdistan Workers’ Party (PKK), al-Aqsa Martyrs Brigade and Hamas — as well as the Taliban, which, like the other groups, is sanctioned by the Treasury Department’s Office of Foreign Assets Control (OFAC). These organizations own and operate active websites that are protected by Cloudflare, according to four national security and counterextremism experts who reviewed the sites at HuffPost’s request.
In the United States, it’s a crime to knowingly provide tangible or intangible “material support” — including communications equipment — to a designated foreign terrorist organization or to provide service to an OFAC-sanctioned entity without special permission. Cloudflare, which is not authorized by the OFAC to do business with such organizations, has been informed on multiple occasions, dating back to at least 2012, that it is shielding terrorist groups behind its network, and it continues to do so.
The Electronic Frontier Foundation and other free speech advocates have long been critical of material support laws. The foundation described them as tools the government has used to “chill First Amendment protected activities” such as providing “expert advice and assistance” ― including training for peacefully resolving conflicts ― to designated foreign terrorist organizations. Many of the designated groups, the EFF has argued, also provide humanitarian assistance to their constituents.
But so far, free speech advocates’ arguments haven’t carried the day — which means that Cloudflare still could be breaking the law.
‘We Try To Be Neutral’
“We try to be neutral and not insert ourselves too much as the arbiter of what’s allowed to be online,” said Cloudflare’s general counsel, Doug Kramer. However, he added, “we are very aware of our obligations under the sanctions laws. We think about this hard, and we’ve got a policy in place to stay in compliance with those laws.” He declined to comment directly on the list of websites HuffPost provided to Cloudflare, citing privacy concerns.
Cloudflare secures and optimizes websites; it is not a domain host. Although Cloudflare doesn’t host websites, its services are essential to the survival of controversial pages, which would otherwise be vulnerable to vigilante hacker campaigns known as distributed denial-of-service attacks. As the tech firm puts it, “The size and scale of the attacks that can now easily be launched online make it such that if you don’t have a network like Cloudflare in front of your content, and you upset anyone, you will be knocked offline.”
Some of the terrorist sites that HuffPost identified on its server have been used to spread anti-state propaganda, claims of responsibility for terrorist attacks, false information and messages glorifying violence against Americans and civilians. But none of that really matters: Even if al-Shabab were posting cat videos, it would still be a crime to provide material support to the group.
“This is not a content-based issue,” said Benjamin Wittes, the editor in chief of Lawfare and a senior fellow at the Brookings Institution. “[Cloudflare] can be as pure-free-speech people as they want — they have an arguable position that it’s not their job to decide what speech is worthy and what speech is not — but there is a law, a criminal statute, that says that you are not allowed to give services to designated foreign terrorist organizations. Full stop.”
Intermediary websites are shielded from liability for illicit third-party content on their platforms, thanks to the U.S. Communications Decency Act (meaning, for example, that Twitter cannot be held legally accountable for a libelous tweet). This immunity is irrelevant with regard to the material support statute of the USA Patriot Act, which pertains strictly to the provision of a service or resource, not to any offending content, explained Wittes. In this case, Cloudflare’s accountability would not be a question of whether it should be monitoring its users or their content but, in part, whether the company is aware that it is serving terrorist organizations.
“If and when you know or reasonably should know, then you’re in legal jeopardy if you continue to provide services,” said University of Texas law professor Bobby Chesney.
Cloudflare’s services range in price from completely free to north of $3,000 per month for advanced cybersecurity. (Kramer declined to say if the sanctioned entities HuffPost identified are paying customers. Material support law applies to both free and paid services.) Its reverse proxy service reroutes visitors away from websites’ IP addresses, concealing their domain hosts and giving them a sense of anonymity. This feature has made Cloudflare especially appealing to neo-Nazis, white supremacists, pedophiles, conspiracy theorists — and terrorists.
Cloudflare has knowingly serviced terrorist-affiliated websites for years. In 2012, Reuters confronted Cloudflare about websites behind its network that were affiliated with al-Quds Brigades and Hamas. Prince argued that Cloudflare’s services did not constitute material support of terrorism. “We’re not sending money, or helping people arm themselves,” he said at the time. “We’re not selling bullets. We’re selling flak jackets.”
That analogy bears little relevance. “Material support,” as defined in 18 U.S.C. § 2339B, refers to “any property, tangible or intangible, or service,” excluding medicine and religious materials. Contrary to Prince’s suggestion, it applies to more than money and weapons. A New York man who provided satellite television services to Hezbollah was sentenced in 2009 to 69 months in prison for material support of terrorism. And although the definition is broad, “it really covers anything of value,” Chesney said. “It’s meant to be like a full-fledged embargo.”
In 2013, after journalist James Cook learned Cloudflare was securing a website affiliated with al Qaeda, he wrote an article arguing that the web giant was turning “a blind eye to terrorism.” Prince published his responses to Cook’s questions about serving terrorist groups in a Q&A-style blog post titled “Cloudflare and Free Speech.”
Cook asked what safeguards Cloudflare had in place to ensure it was not supporting illegal terrorist activity; Prince listed none. Cook inquired whether Cloudflare would investigate the website he had identified; Prince suggested it would not. The site is still online and is still secured by Cloudflare.
“A website is speech. It is not a bomb,” Prince wrote in his post. “We do not believe that ‘investigating’ the speech that flows through our network is appropriate. In fact, we think doing so would be creepy.”
Creepy or not, if a company receives a tip that it has customers who are sanctioned terrorists or has reason to believe that could be the case, it should absolutely investigate so as not to risk breaking the law, experts said. (Kramer noted Prince’s remarks are “from six years ago” and said Cloudflare does take such tips seriously.)
“This is a criminal statute that we’re talking about, so companies bear a risk by putting their heads in the sand,” said Georgetown Law professor Mary McCord, a former head of the Justice Department’s national security division. “A company has got to spend money, resources [and have] lawyers to make sure it’s not running afoul of the law. The risk it takes if it doesn’t is a criminal prosecution.”
President Donald Trump’s administration also urges due diligence. “We encourage service providers to follow the lead of the big social media companies, whose terms of service and community standards expressly enable them to voluntarily address terrorist content on their platforms, while exploring ways to more expeditiously tackle such content,” a White House official told HuffPost.
The international hacktivist group Anonymous accused Cloudflare of serving dozens of ISIS-affiliated websites in 2015, which Prince shrugged off as “armchair analysis” by “15-year-old kids in Guy Fawkes masks.” In media interviews, he maintained that serving a terrorist entity is not akin to an endorsement and said only a few of the sites on Anonymous’ list belonged to ISIS. Prince hinted that government authorities had ordered Cloudflare to keep certain controversial pages online. The FBI, Justice Department, State Department, Treasury Department and White House declined to comment on that assertion.
Last year, Cloudflare disclosed that the FBI subpoenaed the company to hand over information about one of its customers for national security purposes. The FBI, which also uses Cloudflare’s services, rescinded the subpoena and withdrew its request for information after Cloudflare threatened to sue. Neither Cloudflare nor the FBI would comment on this matter.
Over the past two years, the Counter Extremism Project, a nonpartisan international policy organization, has sent Cloudflare four detailed letters identifying a total of seven terrorist-operated websites on its server. HuffPost has viewed these letters, which explicitly address concerns about material support of terrorism, and Kramer acknowledged that Cloudflare received them.
“We’ve never received a response from [Cloudflare],” said Joshua Fisher-Birch, a content review specialist at the Counter Extremism Project. Five of the seven flagged websites remain online behind Cloudflare today, more than a year after they were brought to the firm’s attention.
“I think they’re doubling down on free speech absolutism at all costs,” he added. “In this case, that means they’re going to allow terrorist and extremist organizations to use their services and to possibly spread propaganda, try to recruit or even finance on their websites.”
‘Assholes’ vs. Terrorists
Kramer said he was not able to comment in detail on specific cases in which outside actors such as journalists and Anonymous informed Cloudflare about possible terrorist organizations using its services, but he noted that Cloudflare works with government agencies to comply with its legal obligations.
“Our policy is that if we receive new information that raises a flag or a concern about a potentially sanctioned party, then we’ll follow up to figure out whether or not that’s something that we need to take action on,” he said. “Part of the challenge is really to determine which of those are legitimate inquiries and which of those … are trying to manipulate the complaint process to take down people with whom they disagree.”
Cloudflare was flooded with such complaints in August 2017, when activists pleaded with the firm to terminate its services for the Daily Stormer, a prominent neo-Nazi website that was harassing the family of a woman who had recently been killed in violence surrounding a neo-Nazi rally in Charlottesville, Virginia.
Prince initially refused to drop the Daily Stormer, but as public outrage intensified, he reluctantly pulled the plug. “The people behind the Daily Stormer are assholes and I’d had enough,” he later said in an email to his team. The rationale behind that decision raised questions among Cloudflare’s staff, according to Wired.
“There were a lot of people who were like, ‘I came to this company because I wanted to help build a better internet … but there are some really awful things currently on the web, and it’s because of us that they’re up there,’” one employee said. Another wondered why Cloudflare would consider shutting down Nazis but not terrorists.