Category - Denial of Service

1. Universities seeing rise in DDoS attacks
2. 81.5M Voter Records For Sale On Dark Web Ahead Of Midterm Elections
3. Man Ordered to Pay $8.6 Million for Launching DDoS Attacks against Rutgers University
4. This botnet snares your smart devices to perform DDoS attacks with a little help from Mirai
5. In Blockchain, There is no Checkmate
6. DDoS Attacks Target Multiple Games including Final Fantasy XIV, Assassin’s Creed
7. ‘Torii’ Breaks New Ground For IoT Malware
8. DDoS Attack on German Energy Company RWE
9. Who’s hacking into UK unis? Spies, research-nickers… or rival gamers living in res hall?
10. DDoS attacks are getting even larger

Universities seeing rise in DDoS attacks

Kaspersky Lab has noticed an overall decline in the number of DDoS attacks this year, which may be due to many bot owners reallocating the computing power of their bots to a more profitable and relatively safe way of making money: cryptocurrency mining.

However, there is still a risk of DDoS attacks causing disruption, despite attackers not seeking financial gain.

The Kaspersky Lab DDoS Q3 report marked a continued trend in attacks aimed at educational organisations, as they open their doors after a long summer and students head back to school.

Attackers were most active during the third quarter in August and September, as shown by the number of DDoS attacks on educational institutions increasing sharply at the start of the academic year.

This year, the most prominent attacks hit the websites of one of the UK’s leading universities – the University of Edinburgh – and the US vendor Infinite Campus, which supports the parent portal for numerous city public schools.

Analysis from Kaspersky Lab experts has found that the majority of these DDoS attacks were carried out during term time and subsided during the holidays.

More or less the same result was obtained by the British organisation Jisc.

After collecting data about a series of attacks on universities, it determined that the number of attacks fell when students were on holiday.

The number of attacks also decreases outside of study hours, with DDoS interference in university resources mainly occurring between 9am and 4pm.

Overall, between July and September, DDoS botnets attacked targets in 82 countries.

China was once again first in terms of the number of attacks.

The US returned to second after losing its place in the top three to Hong Kong in Q2.

However, third place has now been occupied by Australia – the first time it’s reached such heights since Kaspersky Lab DDoS reports began.

There have also been changes in the top 10 countries with the highest number of active botnet C&C servers.

As in the previous quarter, the US remained in first place, but Russia moved up to second, while Greece came third.

Kaspersky DDoS protection business development manager Alexey Kiselev says, “The top priority of any cybercriminal activity is gain.

“However, that gain doesn’t necessarily have to be financial. The example of DDoS attacks on universities, schools and testing centres presumably demonstrates attempts by young people to annoy teachers, institutions or other students, or maybe just to postpone a test.

“At the same time, these attacks are often carried out without the use of botnets, which are, as a rule, only available to professional cybercriminals, who now seem to be more concerned with mining and conducting only well-paid attacks.

“This sort of ‘initiative’ shown by students and pupils would be amusing if it didn’t cause real problems for the attacked organisations which, in turn, have to prepare to defend themselves against such attacks,” Kiselev says.

Source: https://datacentrenews.eu/story/universities-seeing-rise-in-ddos-attacks

81.5M Voter Records For Sale On Dark Web Ahead Of Midterm Elections

The quarterly incident response (IR) threat report from Carbon Black isn’t usually such an exciting read, aggregating as it does data from across a number of partners in order to provide actionable intelligence for business leaders. The latest report, published today, is a politically charged exception. Not only does it reveal that nation-state politically motivated cyberattacks are on the up, with China and Russia responsible for 41.4% of all the reported attacks, but that voter databases from Alabama to Washington (and 18 others) are for sale on the dark web. These databases cover 21 states in all, with records for 81,534,624 voters that include voter IDs, names and addresses, phone numbers and citizenship status. Tom Kellermann, Carbon Black’s chief cybersecurity officer, describes the nation-state attackers as not “just committing simple burglary or even home invasion, they’re arsonists.” Nobody relishes their house burning down, even figuratively speaking. Which is why another newly published report, this time from Unisys, suggests one in five voters may stay at home during the midterms as they fear their votes won’t count if systems suffer a cyberattack.

Amongst the key findings of the Carbon Black report, however, is the fact that China and Russia were responsible for 41.4% of the attacks analyzed by researchers. The two also lead the pack when it comes to which countries incident response teams are seeing cyberattacks originating from. China was top of the table on 68% with Russia second on 59%. While the continent of North America (the report does not contain statistics that break this down to attacks from the United States alone) was third on 49%, Iran, North Korea and Brazil were next in line. Earlier this year, Venafi surveyed security professionals with regards to election infrastructure risk. That research revealed that 81% of them thought threat actors will target election data as it is transmitted by voting machines. Worryingly, only 2% were ‘very confident’ in the capability of local, state and federal government to detect such attacks and only 3% thought the same about their abilities to block those attacks.

It’s just as well, then, that it has been reported the United States Cyber Command has now started what is believed to be the first cyber-operation to protect against election interference from Russia. “The attack surface in the US is incredibly broad and fragmented making security highly challenging” says Simon Staffell, head of public affairs at Nominet, who continues “but the response that has taken place in the US is also of an entirely different magnitude to anything seen before.” Yet this response does not appear to target Chinese threat actors. Some may find this omission a surprise, considering that Vice President Pence stated earlier this month that “what the Russians are doing pales in comparison to what China is doing across this country” and suggested that China wants to turn Trump voters against the administration.

Fraser Kyne, EMEA CTO at Bromium, would not be amongst the surprised though. He tells me that Bromium researchers have been working with Dr Mike McGuire to look into the impact of fake news on the US midterms. Early indications appear to suggest accusations against China are most likely unfounded. “Whilst China is funding local campaigns like the advertising taken out in US newspapers to promote US-Chinese trade” Kyne says “there is little evidence at the moment to suggest China is attempting to subvert democracy and influence the midterm elections.”

Meanwhile, some 68% of respondents to the Carbon Black report, representing a cross-section of some of the leading cybersecurity professionals across the globe, believe that cyberattacks will influence the midterms. This isn’t any kind of surprise when you take in the amount of election hacking and meddling resources that those same researchers found to be on sale through the dark web. These range from the aforementioned voter databases, through to social media election influence kits to target thousands of Instagram, Facebook, Twitter and YouTube accounts as well as the services of freelance hackers for hire who are offering to target government entities “for the purposes of database manipulation, economic/corporate espionage, DDoS attacks and botnet rentals.”

So, what kind of cyberattacks can we expect to see from state-sponsored actors as far as the midterms are concerned? Tony Richards, group CISO at Falanx Group, expects there will be some minor and likely not state sanctioned hacking attempts on electronic voting machines. “The fallout if a nation state was identified as the perpetrator would be considerable” Richards told me “so this would have to be a deniable operation.” It would also have to be done by someone with physical access to the voting machines in order to exploit many of the vulnerabilities that have been identified by researchers. “Voting machines are not usually connected to the Internet” explains Rafael Amado, senior strategy and research analyst at Digital Shadows, which means “the ability for attackers to tamper with voting ballots and results is greatly hindered.”

Some go as far as suggesting that to take the hacking concern out of the equation, elections should look back rather than forwards. The ‘right’ solution, according to Ryan Kalember, senior vice-president, Cybersecurity Strategy at Proofpoint, is paper. “An election system can be extremely resilient to fraud if there are paper records for registration and the votes themselves” Kalember insists, agreeing that this “may seem anti-modern, but is where we find ourselves in 2018.” Other cybersecurity experts suggest that the focus, when it comes to mitigating risk of interference in the midterm elections, simply needs to extend beyond voter registration and voting machine security altogether. “It’s important to take a look at the entire digital voting system” says Cindy Provin, CEO at Thales eSecurity, “how citizens register, how they find their polling places, how they check in, how they cast their ballots and how they find out who won.” This is an argument that is also made by Joseph Carson, chief security scientist & advisory CISO with Thycotic, who told me that the biggest challenge is that cybersecurity is only taken seriously in the voting infrastructure “when it is lacking in candidate campaigns, leaving the US open to serious cyber influence from foreign nation states.”

Maybe the notion of cyberattacks during the election process itself is something of a red-herring altogether? Especially given that there is such a global media appetite for Russian meddling stories, which will surely lead to this being such a high risk maneuver that it’s unlikely to be executed in any meaningful way. “The main effort will likely be in attempting to generate genuine conversations with organizations and individuals that have influence over a significant audience” says James Monckton, strategic communications director at Verbalisation, who thinks that the ‘influencing the influencers’ approach would be a highly effective method with a low level of attribution risk. The idea of shaping the debate by amplifying a particular viewpoint isn’t new news, but it is the most obvious meddling methodology we will see. Or rather, not see. “In the long term, it spreads mistrust as it becomes harder to distinguish the true from the fake” concludes Emily Orton, co-founder and director at Darktrace, “and has profound effects on democratic societies…”

One thing is for sure, according to Michael O’Malley, vice president of marketing with Radware, and that’s the threat of election interference will continue unabated until the US moves from the current fragmented state-by-state model to a nationwide election system. “We need a one person one vote approach and the US must make the necessary security upgrades to prevent voter fraud, foreign influence campaigns and hacking of our election infrastructure” O’Malley insists, warning that “Federal legislation needs to be introduced to make this happen…”

Source: https://www.forbes.com/sites/daveywinder/2018/10/30/81-5m-voter-records-for-sale-on-dark-web-ahead-of-midterm-elections/#1dca850f2a0c

Man Ordered to Pay $8.6 Million for Launching DDoS Attacks against Rutgers University

A New Jersey man received a court order to pay $8.6 million for launching a series of distributed denial-of-service (DDoS) attacks against Rutgers University.

On October 26, the U.S. Attorney’s Office for the District of New Jersey announced the sentence handed down by U.S. District Judge Michael Shipp to Paras Jha, 22, of Fanwood, New Jersey.

According to court documents, Jha targeted Rutgers University with a series of DDoS attacks between November 2014 and September 2016. The attacks took down the education institution’s central authentication server that maintains the gateway portal used by staff, faculty and students. In so doing, the DDoS campaigns disrupted students’ and faculty members’ ability to exchange assignments and assessments.

The FBI assisted Rutgers in its investigation of the attacks. In August 2015, the university also hired three security firms to test its network for vulnerabilities.

Jha’s criminal efforts online didn’t stop at Rutgers. In the summer and fall of 2016, Jha created the Mirai botnet with Josiah White, 21, of Washington, Pennsylvania and Dalton Norman, 22, of Metairie, Louisiana. The trio spent the next few months infecting more than 100,000 web-connected devices. They then abused that botnet to commit advertising fraud.

In December 2017, the three individuals pleaded guilty in the District of Alaska for conspiring to violate the Computer Fraud & Abuse Act by operating the Mirai botnet. It was less than a year later that a federal court in Alaska ordered the men to serve five-year probation periods, complete 2,500 hours of community service, pay restitution in the amount of $127,000 and voluntarily relinquish cryptocurrency seized by law enforcement during an investigation of their crimes.

Judge Shipp passed down his sentence to Jha within a Trenton federal court. As part of that decision, Jha must serve six months of home incarceration, complete five years of supervised release and perform 2,500 hours of community service for violating the Computer Fraud & Abuse Act.

Source: https://www.tripwire.com/state-of-security/security-data-protection/man-ordered-to-pay-8-6-million-for-launching-ddos-attacks-against-rutgers-university/

This botnet snares your smart devices to perform DDoS attacks with a little help from Mirai

Chalubo is a new botnet which is targeting poorly-secured Internet of Things (IoT) devices and servers for the purpose of distributed denial-of-service (DDoS) attacks.

Researchers from cybersecurity firm Sophos said this week that the botnet is becoming “increasingly prolific” and is ramping up efforts to target Internet-facing SSH servers on Linux-based systems alongside IoT products.

The main Chalubo bot is not only adopting obfuscation techniques more commonly found in Windows-based malware but is also using code from Xor.DDoS and Mirai, the latter of which was responsible for taking down Internet services across the US and Europe three years ago.

Chalubo contains a downloader, the main bot — which runs on systems with an x86 processor architecture, and a Lua command script. The downloader is the Elknot dropper, which has previously been linked to the Elasticsearch botnet.

Different versions of the bot have been uncovered by the researchers which operate on other processors — such as 32- and 64-bit ARM, x86, x86_64, MIPS, MIPSEL, and PowerPC — which the team suggests “may indicate the end of a testing period.”

Attacks began in late August, and one assault registered at a Sophos honeypot on September 6 gave the firm an insight into the new bot’s capabilities.

Chalubo attempted to brute-force the honeypot’s credentials, and while the attackers believed they had gained a root shell, the researchers silently recorded how they used commands to ‘stop’ firewall protections and install malicious components.

The main bot component and the corresponding Lua command script are encrypted using the ChaCha stream cipher, and when the attack against the honeypot was launched, one particular command — libsdes — stood out.

Upon execution, libsdes creates an empty file to prevent the malware accidentally executing more than once. The botnet then attempts to copy itself with a random string of letters and numbers in /usr/bin/, forking itself to create multiple points of persistence to survive a reboot.

A script is then dropped and executed for additional persistence, which Sophos says is close to a carbon copy of how the Xor.DDoS family operates.

“This bot demonstrates increased complexity compared to the standard Linux bots we typically see delivered from these types of attacks,” Sophos says. “Not only are the attackers using a layered approach to dropping malicious components, but the encryption used isn’t one that we typically see with Linux malware.”

The bot itself contains snippets of Mirai but the majority of the code is new. The Lua command script communicates with the botnet’s command-and-control (C2) server and will download, decrypt, and execute any additional script it finds.

The sample of Lua Sophos obtained was designed to prompt the bot to perform a SYN flood attack, a kind of DoS attack that sends SYN packets at a high rate in an attempt to overwhelm a system.

In this case, a single Chinese IP address was targeted.
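Seen from the defender’s side, the SYN flood described above shows up as a burst of SYNs against one destination with almost none of the handshakes ever completing. The following detection logic is an added example, not code from the ZDNet article or from Sophos’s analysis; the packet records, addresses and thresholds are constructed for illustration.

```python
"""Flag a TCP SYN flood in a packet log by combining two signals:
a peak SYN rate per destination and the fraction of SYN sources that
ever complete the handshake (send an ACK after their SYN).

Added example; the traffic below is constructed, not captured.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since start of capture
    src: str
    dst: str
    flags: str     # "S" = SYN, "SA" = SYN-ACK, "A" = ACK


def peak_in_window(times, window):
    """Largest number of (sorted) timestamps falling in any span of `window` seconds."""
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_syn_flood(packets, window=1.0, syn_threshold=100, max_completion=0.2):
    """Return {dst: (peak_syns_per_window, completion_ratio)} for every
    destination that saw at least `syn_threshold` SYNs inside one window
    while fewer than `max_completion` of its SYN sources completed a handshake.
    A spoofed-source flood has a high peak and a completion ratio near zero."""
    syn_times = defaultdict(list)     # dst -> SYN timestamps
    syn_sources = defaultdict(set)    # dst -> sources that sent a SYN
    first_syn = {}                    # (src, dst) -> time of first SYN
    completed = defaultdict(set)      # dst -> sources whose handshake completed

    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.src, p.dst)
        if p.flags == "S":
            syn_times[p.dst].append(p.ts)
            syn_sources[p.dst].add(p.src)
            first_syn.setdefault(key, p.ts)
        elif p.flags == "A" and key in first_syn:
            # Third step of the handshake from a source we saw SYN earlier.
            completed[p.dst].add(p.src)

    alerts = {}
    for dst, times in syn_times.items():
        peak = peak_in_window(times, window)
        ratio = len(completed[dst]) / len(syn_sources[dst])
        if peak >= syn_threshold and ratio < max_completion:
            alerts[dst] = (peak, ratio)
    return alerts


def build_sample_packets():
    """Constructed traffic: five clients completing handshakes with two
    servers, then 200 spoofed SYNs hitting 10.0.0.5 within 0.4 seconds."""
    pkts = []
    for i in range(5):
        client, t = f"192.0.2.{i + 1}", 0.5 + 2.0 * i
        for server in ("10.0.0.5", "10.0.0.6"):
            pkts.append(Packet(t, client, server, "S"))
            pkts.append(Packet(t + 0.01, server, client, "SA"))
            pkts.append(Packet(t + 0.02, client, server, "A"))
    for i in range(200):
        # One SYN per spoofed source, never followed by an ACK.
        pkts.append(Packet(12.0 + 0.002 * i, f"198.51.100.{i}", "10.0.0.5", "S"))
    return pkts


if __name__ == "__main__":
    for dst, (peak, ratio) in detect_syn_flood(build_sample_packets()).items():
        print(f"SYN flood suspected against {dst}: "
              f"{peak} SYNs in one second, {ratio:.1%} of handshakes completed")
```

Only 10.0.0.5 is flagged; 10.0.0.6 sees the same legitimate clients but no burst, so its completion ratio stays at 100%.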

Sophos expects that as the botnet appears to be reaching the end of a testing phase, we may expect more widespread attacks from this botnet in the future. However, Chalubo is far from the only botnet menace out there.

In September, researchers from Avast revealed the existence of Torii, a botnet which is considered “a level above anything we have seen before” — including Mirai.

Source: https://www.zdnet.com/article/this-botnet-snares-your-smart-devices-to-perform-ddos-attacks/

In Blockchain, There is no Checkmate

During my time as a Chairman of NATO’s Intelligence Committee and advising government and private companies on cybersecurity, I have noticed the same hacker-shaped hole in the industry. For the past 35 years, huge companies, organizations, charities and nation states have succumbed to cyber-criminals. Let me explain why.

In a game of chess, you can win by either taking out all of your opponent’s pieces one-by-one, or by trapping the opposing side’s king in a checkmate. This is true of today’s cybersecurity model. One piece, in the wrong place at the wrong time, could cost the entire game. Not just that, but any device in a network, whether it be a phone or a smart fridge, is a “king” that can be trapped and cost the integrity of an entire network. In this way, the “king” is a weakness.

A weakness that costs companies and countries millions, a weakness that could mean loss of life in the healthcare industry or military systems – indeed, cybersecurity is not a game.

Fighting cyber-criminals whilst being constrained by the rules of this chess match means we’ll never win. The centralized model where the hacking of a single device could compromise a network is categorically flawed. This needs to change: we don’t need to play a better game against cyber-criminals, we need to play a different game.

Blockchain technology is arguably one of the most significant innovations for decades, and it extends beyond the vestiges of crypto currencies. At its core, the Blockchain is immutable, transparent, encrypted and fragmented (decentralized). As such, Blockchain and cybersecurity seem like a match made in heaven and for the most part, they are.

For instance, right now, all the data of our personal or business devices – passwords, applications, files etc. – are stored on a centralized data server. Blockchain decentralizes the systems by distributing ledger data on many systems rather than storing them on one single network.

There is no single point of failure, one central database or middleman that could potentially serve as a source of leaks or compromised data.

The underpinnings of Blockchain architecture are based on time-stamped cryptographic nodes (the computer and servers that create blocks on a chain). Every time our data is stored or inserted into Blockchain ledgers, a new block is created. Each block has a specific summary of the previous block in the form of a secure digital signature.

More sophisticated systems combine Blockchain and AI technologies to confirm each other based on previous signatures. If there is a discrepancy, threat, or a device steps outside of a set of pre-determined rules, the surrounding nodes will flag it for action. Since these blocks are linked in the form of a chain sequence, the timing, order and content of transactions cannot be manipulated.

Just like crypto transactions, the Blockchain operates upon a democratic consensus. Any transfer of data would require a majority approval of the network participants; therefore, attackers can only impact a network by getting control of most of the network nodes. However, the nodes are random and the number of them stored on a given network can be in the millions.

In the metaphorical game of chess, “the collective” Blockchain has an advantage. Imagine if team hackers could not eliminate a single piece, not a pawn nor rook, unless they could eliminate all million pieces on the entire board at once. If they fail to do that, all of the pieces remain untouchable – including the “king”. There is no checkmate, and no hope for hackers.

Even still, since domain editing rights are only verified through nodes, hackers won’t get the right to edit and manipulate the data even after hacking a million systems.

As all transactions are cryptographically linked, the modification or tampering of the data at any given time would alert all those with access to the ledger, exposing the infected dataset near-instantaneously.

The Blockchain does not linger or rely on any central point of failure to command changes; that allows for fixes to occur before attacks have time to spread. In other words, hacking a Blockchain with any scale is virtually impossible.

For instance, in the case of DDoS attacks that crash large data servers, Blockchain technology would disrupt this completely by decentralizing the DNS (Domain Name Systems) and distributing the content to a greater number of nodes.

The idea is clearly an attractive one. It can help save the billions that are being spent on developing arenas in which cybersecurity firms are fighting the hacker’s fight, especially in hard to defend environments.

We have already seen a number of companies utilize Blockchain technology to safeguard networks. Companies such as Naoris bring this consensual Blockchain technology and link devices as blocks on a chain so that no single end-point or terminal exists in a silo.

Current structures with multiple devices each act as a point of entry for a hacker into the network, however, as we know, the more nodes a network possesses on the Blockchain, the harder it becomes to infiltrate. Therefore, as the network expands and more devices are connected, the network becomes increasingly more resilient.

This is only the beginning for Blockchain. As it develops, it’s only going to get smarter and better. New technologies have the potential to provide a robust and effective alternative way of ensuring that we evolve to compete with concerns surrounding our security. With the Blockchain, such concerns can be a thing of the past.

Source: https://www.infosecurity-magazine.com/opinions/blockchain-no-checkmate/

DDoS Attacks Target Multiple Games including Final Fantasy XIV, Assassin’s Creed

A set of DDoS attacks plagued a series of gaming publishers, including Final Fantasy XIV creator Square Enix and Assassin’s Creed publisher Ubisoft, on the day of the Assassin’s Creed Odyssey launch on Friday.

Ubisoft began experiencing connectivity issues around Oct. 4, when officials first tweeted an alert to users informing them of the problems. The attacks themselves began surfacing around 7:48 am CT on Oct. 5, 2018 and affected Ubisoft games such as Rainbow Six Siege and For Honor.

“We’re currently experiencing a series of DDoS attacks, which unfortunately are a common occurrence for almost all online service providers,” Ubisoft posted on an official forum addressing the incident. “This may impact connections to our games as well as server latency, and we are taking steps to mitigate this issue.”

Later that day Square Enix announced that it was also fighting off an attack aimed at its popular MMORPG, Final Fantasy XIV, although it is unclear whether the attacks are connected.

In response to the high-profile incident, Corero Network Security’s Director of Product Management Sean Newman said it was “somewhat bemusing why some providers of online gaming platforms appear to still accept a certain air of inevitability when it comes to suffering as the result of DDoS attacks.”

“With solutions available which can protect against DDoS automatically, and in real-time, help is at hand to keep games online, avoid lag, and ensure that player confidence and bottom lines, are preserved,” he continued.

Overall, many gamers noted that 2018 has been a relatively peaceful year for the online gaming community compared to previous years that were plagued by rampant DDoS attacks carried out by the Lizard Squad and other threat actors.

Source: https://www.scmagazine.com/home/news/ddos-attacks-target-multiple-games-including-final-fantasy-xiv/


‘Torii’ Breaks New Ground For IoT Malware

Stealth, persistence mechanism and ability to infect a wide swath of devices make malware dangerous and very different from the usual Mirai knockoffs, Avast says.

A dangerous and potentially destructive new IoT malware sample has recently surfaced that for the first time this year is not just another cheap Mirai knockoff.

Researchers from security vendor Avast recently analyzed the malware and have named it Torii because the telnet attacks through which it is being propagated have been coming from Tor exit nodes.

Besides bearing little resemblance to Mirai in code, Torii is also stealthier and more persistent on compromised devices. It is designed to infect what Avast says is one of the largest sets of devices and architectures for an IoT malware strain. Devices on which Torii works include those based on x86, x64, PowerPC, MIPS, ARM, and several other architectures.

Interestingly, so far at least Torii is not being used to assemble DDoS botnets like Mirai was, or to drop cryptomining tools like some more recent variants have been doing. Instead it appears optimized for stealing data from IoT devices. And, like a slew of other recent malware, Torii has a modular design, meaning it is capable of relatively easily fetching and executing other commands.

Martin Hron, a security researcher at Avast says, if anything, Torii is more like the destructive VPNFilter malware that infected some 500,000 network attached storage devices and home-office routers this May. VPNFilter attacked network products from at least 12 major vendors and was capable of attacking not just routers and network attached storage devices but the systems behind them as well.

Torii is different from other IoT malware on several other fronts. For one thing, “it uses six or more ways to achieve persistence ensuring it doesn’t get kicked out of the device easily on a reboot or by another piece of malware,” Hron notes.

Torii’s modular, multistage architecture is different too. “It drops a payload to connect with [command-and-control (CnC)] and then lays in wait to receive commands or files from the CnC,” the security researcher says. The command-and-control server with which the observed samples of Torii have been communicating is located in Arizona.

Torii’s support for a large number of common architectures gives it the ability to infect anything with open telnet, which includes millions of IoT devices. Worryingly, it is likely the malware authors have other attack vectors as well, but telnet is the only vector that has been used so far, Hron notes.

While Torii hasn’t been used for DDoS attacks yet, it has been sending a lot of information back to its command-and-control server about the devices it has infected. The data being exfiltrated includes Hostname, Process ID, and other machine-specific information that would let the malware operator fingerprint and catalog devices more easily. Hron says Avast researchers aren’t really sure why Torii is collecting all the data.

Significantly, Avast researchers discovered a hitherto unused binary on the server that is distributing the malware, which could let the attackers execute any command on an infected device. The app is written in GO, which means it can be easily recompiled to run on virtually any machine.

Hron says Avast is unsure what the malware authors plan to do with the functionality. But based on its versatility and presence on the malware distribution server, he thinks it could be a backdoor or a service that would let the attacker orchestrate multiple devices at once.

The log data that Avast was able to analyze showed that slightly less than 600 unique client devices had downloaded Torii. But it is likely that the number is just a snapshot of new machines that were recruited into the botnet for the period for which Avast has the log files, the security vendor said.

Source: https://www.darkreading.com/attacks-breaches/-torii-breaks-new-ground-for-iot-malware/d/d-id/1332930

DDoS Attack on German Energy Company RWE

Protesters in Germany have been camping out at the Hambach Forest, where the German energy company RWE has plans to mine for coal. Meanwhile, it’s been reported that RWE’s website was under attack as police efforts to clear the protesters from the woods were underway.

According to Deutsche Welle, unknown attackers launched a large-scale distributed denial-of-service (DDoS), which took down RWE’s website for virtually all of Tuesday. No other systems were attacked, but efforts to clear away the protesters have been ongoing for the better part of the month, and activists have reportedly made claims that they will be getting more aggressive in their tactics.

Activists have occupied the forest in hopes of preventing RWE from moving forward with plans to expand its coal mining operations, which would effectively clear the forest. In addition to camping out in the forest, the protesters have reportedly taken to YouTube to spread their message.

Reports claim that a clip was posted last week by Anonymous Deutsch that warned, “If you don’t immediately stop the clearing of the Hambach Forest, we will attack your servers and bring down your web pages, causing you economic damage that you will never recover from,” DW reported.

“Together, we will bring RWE to its knees. This is our first and last warning,” the voice from the video reportedly added.

DDoS attacks are intended to cripple websites, and the attack on RWE allowed the activists to make good on their threat, at least for one day.

“This is yet another example that illustrates the DDoS threat to [softer targets in] CNI [critical network infrastructure]. RWE is an operator of an essential service (energy) in Germany. The lights didn’t go out but their public-facing website was offline as a result of this attack,” said Andrew Lloyd, president, Corero Network Security.

In a recent DDoS report, Corero researchers found that “after facing one attack, one in five organizations will be targeted again within 24 hours.”

Source: https://www.infosecurity-magazine.com/news/ddos-attack-on-german-energy/

Who’s hacking into UK unis? Spies, research-nickers… or rival gamers living in res hall?

Report fingers students and staff for academic cyber-attacks

Who’s hacking into university systems? Here’s a clue from the UK higher education tech crew at Jisc: the attacks drop dramatically during summer break.

A new study from Jisc (formerly the Joint Information Systems Committee) has suggested that rather than state-backed baddies or common criminals looking to siphon off academic research and personal information, staff or students are often the culprits in attacks against UK higher education institutions.

The non-profit body, which provides, among other things, internet connectivity to universities, analysed 850 attacks in the 2017-18 academic year and found a consistent pattern that occurred during term time and the UK working day.

Holidays brought with them a sharp reduction in attacks, from a peak 60-plus incidents a week during periods of the autumn term to a low of just one a week at times in the summer. It acknowledged that part of the virtual halt in summer may be down to cops and Feds cracking down on black hat distributed denial-of-service tools in the months prior, however.

Jisc is perhaps better known among Reg readers for providing the Janet network to UK education and research institutions.

Its data covered cyber-attacks against almost 190 universities and colleges and focused on denial-of-service and other large-scale infosec hits rather than phishing frauds and malware.

Staff and students with a grudge or out to cause mischief are more credible suspects in much of this rather than external hackers or spies. More sophisticated hackers might be inclined to use DDoS as some sort of smokescreen.

In a blog post, Jisc security operations centre head John Chapman admitted some of the evidence suggesting staff and students might be behind DDoS attacks is circumstantial. However, he pointed out evidence from law enforcement and detected cyber assaults supported this theory. For example, a four-day DDoS attack the unit was mitigating against was traced back to a university hall of residence – and turned out to be the result of a feud between two rival gamers.

Whoever might be behind them, the number of incidents is growing. Attacks are up 42 per cent to reach this year’s 850; the previous academic year (2016-17) witnessed fewer than 600 attacks against fewer than 140 institutions.

Matt Lock, director of solutions engineers at Varonis, said: “This report is another reminder that some of the biggest threats facing organisations today do not involve some hoodie-wearing, elusive computer genius.”

Education is targeted more often than even the finance and retail sectors, according to McAfee research (PDF).

Nigel Hawthorn, data privacy expert at McAfee, commented in March:

“The kind of data held by universities (student records/intellectual property) is a valuable commodity for cyber criminals, so it is crucial that the security and education sectors work together to protect it.”

Source: https://www.theregister.co.uk/2018/09/17/cyber_attack_uk_universities/

DDoS attacks are getting even larger

Average DDoS attack is five times stronger this year, compared to the year before.

The average DDoS attack is five times stronger this year, compared to the year before, and the biggest DDoS attack is four times stronger than last year’s strongest, according to new reports.

Nexusguard’s Q2 2018 Threat Report analysed thousands of DDoS attacks worldwide and came to the conclusion that the average DDoS attack is now bigger than 26 Gbps, and the maximum attack size is now 359 Gbps.

IoT botnets are still largely in use, mostly because of the increasing number of IoT-related malware exploits, as well as the huge growth in large-scale DDoS attacks.

The report says that CSPs and susceptible operations should ‘enhance their preparedness to maintain their bandwidth, especially if their infrastructure don’t have full redundancy and failover plans in place’.

“The biggest zero-day risks can stem from various types of home routers, which attackers can exploit to create expansive DDoS attacks against networks and mission-critical services, resulting in jumbo-sized attacks intended to cripple targets during peak revenue-generating hours,” said Juniman Kasman, chief technology officer for Nexusguard. “Telcos and other communications service providers will need to take extra precautions to guard bandwidth against these supersized attacks to ensure customer service and operations continue uninterrupted.”

Universal datagram protocol, or UDP, is the hacker’s favourite attack tool, with more than 31 per cent of all attacks using this approach. As a connectionless protocol, it lends itself to the mass traffic generation that botnets carry out.
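Because UDP needs no handshake, a flood of it shows up in flow data as a sudden jump in datagram rate towards one destination from many sources. The script below is an added example, not code from the ITProPortal article or from Nexusguard: it parses a handful of constructed, NetFlow-style flow records (the field layout is an assumption, not any vendor’s export format) and flags a destination as a UDP flood target when the UDP packet rate in a one-second window exceeds a threshold and the traffic comes from several distinct sources. The source-count condition separates a distributed flood from a single busy legitimate client.

```python
"""Flag UDP flood traffic in per-second flow records.

Added example for illustration; not part of the ITProPortal article or
Nexusguard's Q2 2018 report. SAMPLE_FLOWS is constructed data and the
field layout (timestamp, proto, src, dst, dst_port, packets, bytes) is an
assumed NetFlow-style layout, not a real exporter's format.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: one-second window, one record per source host.
# 198.51.100.5 receives ordinary DNS/HTTPS traffic; 198.51.100.9 receives
# roughly 600k UDP packets/s towards port 123 from five hosts.
SAMPLE_FLOWS = """\
# ts proto src dst dport packets bytes
1536000000 udp 203.0.113.10 198.51.100.5 53 4 512
1536000000 udp 203.0.113.11 198.51.100.5 53 3 384
1536000000 tcp 203.0.113.12 198.51.100.5 443 40 52000
1536000000 udp 192.0.2.1 198.51.100.9 123 120000 9600000
1536000000 udp 192.0.2.2 198.51.100.9 123 118000 9440000
1536000000 udp 192.0.2.3 198.51.100.9 123 121000 9680000
1536000000 udp 192.0.2.4 198.51.100.9 123 119500 9560000
1536000000 udp 192.0.2.5 198.51.100.9 123 120500 9640000
"""


@dataclass
class Flow:
    ts: int
    proto: str
    src: str
    dst: str
    dport: int
    packets: int
    nbytes: int


def parse_flows(text):
    """Parse whitespace-separated flow lines; blank lines and # comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, proto, src, dst, dport, packets, nbytes = line.split()
        flows.append(Flow(int(ts), proto.lower(), src, dst,
                          int(dport), int(packets), int(nbytes)))
    return flows


def detect_udp_floods(flows, window=1, pps_threshold=100_000, min_sources=3):
    """Return one alert per (window, destination) whose UDP traffic exceeds both thresholds.

    pps_threshold and min_sources are tuning knobs, not values from the report;
    set them from the link capacity and normal traffic profile of the network.
    """
    buckets = defaultdict(lambda: {"packets": 0, "bytes": 0,
                                   "sources": set(), "ports": set()})
    for f in flows:
        if f.proto != "udp":
            continue  # only UDP is scored here; TCP floods need a different model
        b = buckets[(f.ts // window, f.dst)]
        b["packets"] += f.packets
        b["bytes"] += f.nbytes
        b["sources"].add(f.src)
        b["ports"].add(f.dport)

    alerts = []
    for (bucket, dst), b in sorted(buckets.items()):
        pps = b["packets"] / window
        if pps >= pps_threshold and len(b["sources"]) >= min_sources:
            alerts.append({
                "window_start": bucket * window,
                "dst": dst,
                "pps": pps,
                "gbps": b["bytes"] * 8 / window / 1e9,
                "sources": len(b["sources"]),
                "ports": sorted(b["ports"]),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_udp_floods(parse_flows(SAMPLE_FLOWS)):
        print(f"{a['window_start']}: UDP flood towards {a['dst']} "
              f"({a['pps']:.0f} pps, {a['gbps']:.3f} Gbps, "
              f"{a['sources']} sources, ports {a['ports']})")
```

The constructed flood is only about 0.38 Gbps, far below the 26 Gbps average the report cites, which is the point of keeping the thresholds as parameters: a rate that is an outage for one link is background noise for another, so they should be set against the measured capacity and baseline of the network being monitored rather than copied from a report.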

The top two sources of these attacks are the US and China.

Source: https://www.itproportal.com/news/ddos-attacks-are-getting-even-larger/

Copyright © 2014. DoS Protection UK. All Rights Reserved.