Hacking & Security
Introduction
Big data is typically characterized by 3, 5, or 7 Vs. The 3 Vs stand for volume, veracity and value (O’Leary, 2015). Big data is characterized by large volumes of data originating from different sources (such as smart devices, social media, weblogs, operational databases, flat files and so on) which is likely useful to […]
I hope you enjoyed my previous Oil and Gas Cyber Security articles. This time, I would like to tell you more about one of the three critical parts of the Oil and Gas security landscape. As you may remember, the Oil and Gas Security consists of IT Security, OT Security and connections between them. Today’s […]
The post Oil and Gas Cyber Security: Upstream Operational Technology Security appeared first on InfoSec Resources.
We have selected the events from the first quarter of 2016 that, in our view, illustrate the main trends in the field of DDoS attacks and the tools used to perform them.
A record-breaking reflection DDoS attack
DDoS attacks using amplification/reflection techniques are still popular and allow cybercriminals to break their peak power records. From a technical point of view, amplification methods are nothing new in DDoS attacks, but cybercriminals are discovering new ways and resources to enhance the capacity of their botnets. For example, according to a recently published report, 2015 saw the largest ever DDoS attack on record at 450-500 Gbps.
DDoS attack on Trump
It’s possible that last year’s record didn’t last very long – at the very beginning of the year the official website of Donald Trump’s election campaign was subjected to DDoS attacks whose strength, according to unconfirmed sources, reached 602 Gbps. The hacktivist group New World Hacking claimed responsibility for both incidents.
Use of the DNSSEC protocol
Criminals are increasingly using the DNSSEC protocol to carry out DDoS attacks. The protocol is intended to minimize DNS spoofing attacks, but besides the domain data a standard DNSSEC reply also contains additional authentication information. Thus, unlike a standard DNS reply of 512 bytes, the DNSSEC reply comes to about 4096 bytes. Attackers exploit this feature to perform amplification DDoS attacks. They usually use domains in the government zone .gov, because in the US such domains are required by law to maintain DNSSEC.
Pingback attacks on WordPress
Web resources powered by the WordPress content management system (CMS) are still popular with cybercriminals carrying out DDoS attacks. Popular CMS-based resources often become targets of DDoS attacks exploiting the WordPress pingback function. The pingback function notifies the author of a post published on a WordPress site when someone else links to that post from another site running the same CMS. If the administrator of the WordPress site has enabled the function, any site that links to material published there can perform a so-called pingback, i.e. send a special XML-RPC request to the original site. A huge number of pingback requests sent to the original site can cause a “denial of service”. This feature continues to attract the attention of cybercriminals and helps them perform DDoS attacks at the application level.
Linux Mint hacking
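As an added example (not code from the report or from WordPress), one way a site owner can spot this pattern in their own access log: the detector assumes that a WordPress site verifying a pingback fetches the linked page with a User-Agent of the form "WordPress/<version>; <site-url>; verifying pingback from <ip>", and flags any minute in which many such fetches arrive from many distinct reflector IPs. The log lines are constructed.

```python
"""Spot a WordPress pingback flood in a site's access log (added example).

Assumption: a WordPress site verifying a pingback fetches the linked page with
a User-Agent like "WordPress/<ver>; <site-url>; verifying pingback from <ip>",
so a reflected flood appears at the victim as many such fetches from many
distinct reflector IPs in a short window. The sample log lines below are
constructed and use documentation address ranges.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
PINGBACK_UA = re.compile(r"^WordPress/[\d.]+;.*verifying pingback", re.I)


def parse_line(line):
    """Return a dict of log fields, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def pingback_flood_windows(lines, window_s=60, min_hits=5, min_sources=3):
    """Return [(window_start_epoch, hits, distinct_sources)] for every window
    in which pingback-verification fetches exceed both thresholds."""
    buckets = defaultdict(list)  # window index -> source IPs seen in it
    for line in lines:
        rec = parse_line(line)
        if rec is None or not PINGBACK_UA.match(rec["ua"]):
            continue
        buckets[int(rec["ts"].timestamp()) // window_s].append(rec["ip"])
    flagged = []
    for idx in sorted(buckets):
        ips = buckets[idx]
        if len(ips) >= min_hits and len(set(ips)) >= min_sources:
            flagged.append((idx * window_s, len(ips), len(set(ips))))
    return flagged


# Constructed sample: six verification fetches from four reflectors in one
# minute, one ordinary browser hit, and one isolated pingback five minutes later.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Feb/2016:12:00:01 +0000] "GET /blog/post-1/ HTTP/1.1" 200 5120 "-" "WordPress/4.4.2; http://reflector-a.example; verifying pingback from 198.51.100.7"
203.0.113.11 - - [10/Feb/2016:12:00:02 +0000] "GET /blog/post-1/ HTTP/1.1" 200 5120 "-" "WordPress/4.3; http://reflector-b.example; verifying pingback from 198.51.100.7"
203.0.113.12 - - [10/Feb/2016:12:00:02 +0000] "GET /blog/post-1/ HTTP/1.1" 200 5120 "-" "WordPress/4.4.1; http://reflector-c.example; verifying pingback from 198.51.100.7"
203.0.113.10 - - [10/Feb/2016:12:00:03 +0000] "GET /blog/post-1/ HTTP/1.1" 200 5120 "-" "WordPress/4.4.2; http://reflector-a.example; verifying pingback from 198.51.100.7"
203.0.113.13 - - [10/Feb/2016:12:00:04 +0000] "GET /blog/post-1/ HTTP/1.1" 200 5120 "-" "WordPress/4.2.7; http://reflector-d.example; verifying pingback from 198.51.100.7"
203.0.113.11 - - [10/Feb/2016:12:00:05 +0000] "GET /blog/post-1/ HTTP/1.1" 200 5120 "-" "WordPress/4.3; http://reflector-b.example; verifying pingback from 198.51.100.7"
192.0.2.50 - - [10/Feb/2016:12:00:06 +0000] "GET /blog/post-1/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.20 - - [10/Feb/2016:12:05:30 +0000] "GET /blog/post-2/ HTTP/1.1" 200 4000 "-" "WordPress/4.4.2; http://reflector-e.example; verifying pingback from 198.51.100.9"
"""

if __name__ == "__main__":
    for start, hits, sources in pingback_flood_windows(SAMPLE_LOG.splitlines()):
        print(f"window@{start}: {hits} pingback fetches from {sources} reflectors")
```

Thresholds are deliberately low for the sample; on a real site they should be tuned against the normal rate of legitimate pingbacks.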
On 21 February 2016, the head of Linux Mint, Clement Lefebvre, reported that someone had managed to hack the project infrastructure including its official website and forum, and substituted the link to the legitimate ISO image of the Linux Mint 17.3 Cinnamon edition with their own URL. The hacker’s modified ISO contained malicious code that used infected machines to perform DDoS attacks.
Attacks on security companies
Cybercriminals also target companies working in information security, with most of the major players – especially those offering anti-DDoS services – having to regularly combat DDoS attacks on their resources. These attacks can’t cause much damage because all these resources are well-protected, but that doesn’t stop the cybercriminals.
In general, cybercriminals don’t go all out to bring down an IT security company’s site. The attacks tend not to last long, and in most cases, they are terminated as soon as the source notices that protection systems are working. The cybercriminals don’t want to waste their botnet resources when they could be earning money elsewhere. Nevertheless, the attacks continue.
Analysis of the correspondence on underground forums suggests that the criminal fraternity uses the websites of IT security companies as a test bed, i.e. to test new methods and tools. This approach is no worse than others, but it does give us some valuable information. If worldwide DDoS statistics show the current state of things, then attacks on IT security companies allow us to some extent to predict the future of DDoS.
Data on the tactics, strength and types of attacks targeting Kaspersky Lab sites also allows us to forecast the trends in the DDoS industry for the coming months.
Once again, we have had to deal with amplification attacks. Their number has declined slightly compared to last year, but their maximum strength has increased fourfold. This confirms the trend of a general strengthening of these attacks – the criminals have to increase the strength to overcome protection measures used by Internet providers and information security companies. In our case, none of these attacks led to our sites being unavailable.
Considering the number of attacks on Kaspersky Lab resources in the first quarter of 2016, the “cream” of the cybercriminal community has gone back to the good old methods of attacks at the application level. Already in the first quarter of this year, we combated several times more HTTP(s) attacks than we did in the whole of 2015. Interestingly, there were several application-layer attacks performed simultaneously against a number of Kaspersky Lab resources. The strength of the DDoS resources was spread between several targets, reducing the effect on each target. This is most probably because the aim was not to disrupt Kaspersky Lab’s sites but to test tools and to see how we responded. The longest attack of this type lasted less than six hours.
We can assume that the proportion of Data Link layer attacks will gradually decline, and application-layer and multi-layer attacks (a combination of hardware and application-layer attacks) will come to the fore.
Powerful UDP amplification attacks came into general use a few years ago and are still a favorite tool of cybercriminals. The reasons for their popularity are clear: they are relatively easy to perform, they can be very powerful with a relatively small botnet, they often involve a third party, and it is extremely difficult to detect the source of the attack.
Although in Q1 of 2016 our Kaspersky DDoS Prevention service continued to combat UDP amplification attacks, we believe that they will gradually disappear. The once daunting task of combining the efforts of Internet providers and IT security companies to effectively filter the junk traffic generated by UDP attacks is almost solved. Having faced the risk of their main channels being clogged up due to large volumes of UDP packets, providers have acquired the necessary equipment and skills and cut this traffic off at the root. This means amplification attacks on a Data Link Layer are becoming less effective and, as a result, less profitable.
To execute application-layer attacks on web services, large botnets or several high-performance servers and a wide output channel are required, as well as thorough preparatory work to study the target and find its vulnerabilities. Without this, they are ineffective. If the application-layer attack is carried out properly, it is difficult to counter it without blocking access to legitimate users – malicious requests look authentic and every bot faithfully fulfills the connection procedure. The only anomaly is the high demand for the service. We registered these sorts of attempts in the first quarter. This suggests that the DDoS market has developed so that complex, expensive attacks are becoming cost-effective, and better qualified cybercriminals are trying to make money using them.
Moreover, there is a real danger of these methods being used by cybercriminals en masse – the more popular the technique, the more tools are offered for it on the black market. And if application-layer attacks really do become widespread, we should expect to see a growth in the number of customers for this type of DDoS attack and more competent attackers.
Statistics for botnet-assisted DDoS attacks
Methodology
Kaspersky Lab has extensive experience in combating cyber threats, including DDoS attacks of various types and levels of complexity. The company’s experts monitor botnet activity with the help of the DDoS Intelligence system.
The DDoS Intelligence system (part of Kaspersky DDoS Protection) is designed to intercept and analyze commands sent to bots from command and control (C&C) servers, and does not have to wait until user devices are infected or cybercriminal commands are executed in order to gather data.
This report contains the DDoS Intelligence statistics for the first quarter of 2016.
In the context of this report, a single (separate) DDoS attack is defined as an incident during which any break in botnet activity lasts less than 24 hours. If the same web resource was attacked by the same botnet after a break of more than 24 hours, this is regarded as a separate DDoS attack. Attacks on the same web resource from two different botnets are also regarded as separate attacks.
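The counting rule above, carried through on constructed data as an added example (not the DDoS Intelligence system's own code): observed C&C commands are grouped per (target, botnet), a gap of more than 24 hours starts a new attack, and a different botnet against the same target is always a separate attack. Timestamps, botnet names and target IPs are constructed.

```python
"""Group bot-command observations into attacks using the report's definition.

Added example, not the DDoS Intelligence system's own code. Assumed input:
one record per observed C&C command, as (timestamp, botnet_id, target_ip).
Rule: commands from the same botnet against the same target belong to one
attack while each break is under 24 hours; a break of more than 24 hours, or a
different botnet, means a separate attack.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MAX_BREAK = timedelta(hours=24)


def _attack(target, botnet, start, end, n_commands):
    return {"target": target, "botnet": botnet, "start": start, "end": end,
            "duration_h": (end - start).total_seconds() / 3600,
            "commands": n_commands}


def group_attacks(records, max_break=MAX_BREAK):
    """records: iterable of (datetime, botnet_id, target_ip).
    Returns attacks sorted by start time, one dict per attack."""
    by_key = defaultdict(list)
    for ts, botnet, target in records:
        by_key[(target, botnet)].append(ts)
    attacks = []
    for (target, botnet), stamps in by_key.items():
        stamps.sort()
        start = prev = stamps[0]
        n = 1
        for ts in stamps[1:]:
            # A break of *more than* 24 h closes the current attack; a break of
            # exactly 24 h is treated as still part of it.
            if ts - prev > max_break:
                attacks.append(_attack(target, botnet, start, prev, n))
                start, n = ts, 0
            prev = ts
            n += 1
        attacks.append(_attack(target, botnet, start, prev, n))
    attacks.sort(key=lambda a: (a["start"], a["target"], a["botnet"]))
    return attacks


def summarize(attacks):
    """Per-target attack counts and the longest attack, as the report tabulates."""
    per_target = defaultdict(int)
    for a in attacks:
        per_target[a["target"]] += 1
    longest = max(attacks, key=lambda a: a["duration_h"]) if attacks else None
    return dict(per_target), longest


T0 = datetime(2016, 2, 10, 8, 0)


def hours(n):
    return T0 + timedelta(hours=n)


SAMPLE = [  # constructed observations: (time, botnet, target)
    (hours(0), "botnet-A", "198.51.100.5"),
    (hours(6), "botnet-A", "198.51.100.5"),
    (hours(20), "botnet-A", "198.51.100.5"),
    (hours(50), "botnet-A", "198.51.100.5"),  # 30 h after the last command: new attack
    (hours(52), "botnet-A", "198.51.100.5"),
    (hours(1), "botnet-B", "198.51.100.5"),   # other botnet, same target: separate attack
    (hours(2), "botnet-A", "203.0.113.9"),
    (hours(10), "botnet-A", "203.0.113.9"),
]

if __name__ == "__main__":
    counts, longest = summarize(group_attacks(SAMPLE))
    print(counts, longest["duration_h"])
```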
The geographic distribution of DDoS victims and C&C servers is determined according to their IP addresses. In this report, the number of DDoS targets is calculated based on the number of unique IP addresses reported in the quarterly statistics.
It is important to note that DDoS Intelligence statistics are limited to those botnets that were detected and analyzed by Kaspersky Lab. It should also be highlighted that botnets are just one of the tools used to carry out DDoS attacks; therefore, the data presented in this report does not cover every DDoS attack that has occurred within the specified time period.
Q1 Summary
- In Q1, resources in 74 countries were targeted by DDoS attacks (vs. 69 in Q4 of 2015).
- 93.6% of the targeted resources were located in 10 countries.
- China, the US and South Korea remained the leaders in terms of number of DDoS attacks and number of targets. France and Germany were newcomers to the Top 10.
- The longest DDoS attack in Q1 2016 lasted for 197 hours (or 8.2 days) which is far less than the previous quarter’s maximum (13.9 days). Multiple attacks on the same target became more frequent (up to 33 attacks on one resource during the reporting period).
- SYN DDoS, TCP DDoS and HTTP DDoS remain the most common DDoS attack scenarios, while the number of UDP attacks continues to fall from quarter to quarter.
- Overall, command servers remained located in the same countries as the previous quarter, but Europe’s contribution increased – the number of C&C servers in the UK and France grew noticeably.
In Q1 2016, the geography of DDoS attacks narrowed to 74 countries.
93.6% of targeted resources were located in 10 countries.
Distribution of DDoS attacks by country, Q1 2016 vs. Q4 2015
The Top 3 most targeted countries remained unchanged. However, South Korea’s share grew from 18.4% to 20.4% while the US’s contribution dropped by 2.2 percentage points. Also of note is the fact that Q1 2016 saw an increase in the number of attacks targeting resources in Ukraine – from 0.3% to 2.0%.
The statistics show that 94.7% of all attacks had targets within the Top 10 most targeted countries:
Distribution of unique DDoS attack targets by country, Q1 2016 vs. Q4 2015
The number of targets in South Korea increased by 3.4 percentage points. China’s share fell from 50.3% in Q4 2015 to 49.7% in the first three months of 2016. The percentage of DDoS attacks targeting resources in the United States also decreased (9.6% in Q1 2016 vs. 12.8% in Q4 2015). Despite the change in figures, South Korea, China and the US maintained their positions in the Top 3, coming well ahead of all other countries.
The first quarter of 2016 saw Ukraine enter the Top 5 DDoS targets: its share grew from an insignificant 0.5% at the end of last year to 1.9% in Q1 2016.
Taiwan and the Netherlands’ share fell 0.8 and 0.7 percentage points respectively, meaning both dropped out of the Top 10 most attacked countries.
Changes in DDoS attack numbers
In Q1 2016, DDoS activity was distributed more or less evenly, with the exception of one peak on 6 February. The peak number of attacks in one day was 1,272, recorded on 31 March.
Number of DDoS attacks over time* in Q1 2016.
* DDoS attacks may last for several days. In this timeline, the same attack can be counted several times, i.e. one time for each day of its duration.
As in the previous quarter, Monday (16.5% of attacks) was the most active day of the week for DDoS attacks. Thursday moved up to second (16.2%). Tuesday, which was in second place in Q4 2015, fell from 16.4% to 13.4% and became the quietest day of the week in terms of DDoS attacks.
Distribution of DDoS attack numbers by day of the week
Types and duration of DDoS attacks
The ranking of the most popular attack methods remained constant from quarter to quarter. SYN DDoS was still used most often, although its share fell compared to the previous quarter (from 57.0% to 54.9%), followed by TCP DDoS, which fell by 0.7 percentage points. The proportion of ICMP DDoS attacks grew significantly, rising to 9%; however, this did not affect the order of the Top 5.
Distribution of DDoS attacks by type
Noticeably, the figure for UDP DDoS has fallen continually over the last year: from 11.1% in Q2 2015 to 1.5% in Q1 2016.
Like the previous quarter, about 70% of attacks lasted no more than 4 hours. At the same time, the maximum duration of attacks decreased considerably. The longest DDoS attack in the last quarter of 2015 lasted for 333 hours; in Q1 2016, the longest registered attack ended after 197 hours.
Distribution of DDoS attacks by duration (hours)
C&C servers and botnet types
In Q1, South Korea remained the leader in terms of the number of C&C servers located on its territory, with its share growing from 59% in the previous quarter to 67.7% in the first quarter of 2016.
China came second; its share grew from 8.3% to 9.5%. As a result, China pushed the US down to third (6.8% vs 11.5% in Q4 of 2015). For the first time during the reporting period France appeared in the Top 10 countries hosting the most C&C servers. This correlates with the increased number of attacks in the country.
Distribution of botnet C&C servers by country in Q1 2016
99.73% of DDoS targets in Q1 2016 were attacked by bots belonging to one family. Cybercriminals launched attacks using bots from two different families (used by one or more botnet masters) in just 0.25% of cases. In 0.01% of cases three or more bots were used, mainly from the Sotdas, Xor and BillGates families.
Correlation between attacks launched from Windows and Linux botnets
When it came to the number of attacks launched from Windows and Linux botnets in Q1 2016, Windows-based botnets were the clear leader. For the third quarter in a row, the difference between the share of Windows- and Linux-based attacks was approximately 10 percentage points.
Conclusion
The events of the first quarter of 2016 once again demonstrated that the attackers are not resting on their laurels and are increasing their computing resources to perform DDoS attacks. Amplification scenarios, which have de facto become the standard tool for carrying out a powerful attack, exploit vulnerabilities in new network protocols. The reasons for an attack can vary: from disrupting pre-election campaigns and attacking candidates’ resources to showdowns between competitors on the black market. There have been frequent incidents of DDoS attacks targeting the very organizations that specialize in countering them. With the spread of vulnerable devices and workstations and the abundance of configuration drawbacks at the application level, the cost of a significant attack is going down. Therefore, reliable protection is needed to ensure these attacks are financially unviable for the criminals.
The Islamic State has been deft in its use of the Internet as a communications tool. ISIS has long leveraged social media to spread propaganda and even coordinate targets for attacks, using an ever-shifting collection of social media accounts for recruitment and even to call for attacks on individuals ISIS leaders have designated as enemies. But the organization's efforts to build a sophisticated internal “cyber army” to conduct information warfare against the US and other powers opposing it have thus far been fragmented and limited in their effectiveness—and more often than not they've been more propaganda than substance.
Now, ISIS is taking another crack at building a more credible cyber force. As analysts from Flashpoint note in a report being published today (entitled "Hacking for ISIS: The Emergent Cyber Threat Landscape"), ISIS earlier this month apparently merged four separate pro-ISIS “cyber” teams into a single group called the United Cyber Caliphate.
"Until recently, our analysis of the group's overall capabilities indicated that they were neither advanced nor did they demonstrate sophisticated targeting," said Laith Alkhouri, director of Research & Analysis for the Middle East and North Africa and a cofounder of Flashpoint. “With the latest unification of multiple pro-ISIS cyber groups under one umbrella, there now appears to be a higher interest and willingness amongst ISIS supporters in coordinating and elevating cyber attacks against governments and companies.”
The number of reported breaches of organizations' data has been growing hyperbolically over the past few years, based on data in Verizon's 2016 Data Breach Investigations Report (DBIR). And a major reason for that is that many organizations are still doing security like they were decades ago. The leading cause of reported data breaches, as documented by Verizon, is "miscellaneous errors"—mistakes made by employees—that open the door to attackers.
For those who've followed the recent chain of crypto-ransomware attacks at hospitals around the country, this finding will come as no surprise. Issues such as system misconfiguration, end users sending sensitive data out of the network by mistake, or users clicking on stuff they shouldn't be clicking on were among the errors made by organizations that led to about 18 percent of the data breaches documented in 2015—and were likely the leading contributor to the many incidents that went unreported.
In 63 percent of "confirmed" breaches, attackers took advantage of weak password credentials, default passwords left in place, or passwords that were stolen through phishing attacks or other means. In other words, if organizations were using something other than just usernames and passwords as credentials to gain access to systems, more than half of the data breaches that happened in 2015 would not have occurred.
This year’s DBIR release from Verizon exposes valuable and well organized data on global incidents this past year. Our contributions on targeted attack activity and other areas to a report like this one over the past several years are important in helping to improve cyber-security awareness and education both in the security industry and the general public.
The report is well organized, offering trending information from Point of Sale incidents to cyber-espionage, web application hacking, cybercrime, and skimming. And it simplifies most of the data into nine categories for ease of discussion. The data demonstrates that intruders will use tried and true techniques before moving on to the newest and most expensive. Like most years in cybersecurity, “It’s like déjà vu, all over again.” —Yogi Berra
You can download the 2016 DBIR here; its 85 pages of data and diagrams can help provide informed discussion around these topics on a greater scale. We look forward to another great writeup in 2017 from the DBIR guys at Verizon.
A nuclear power plant 75 miles from Munich has been harboring malware—including remote-access trojans and file-stealing malware—on the computer system that is used to monitor the plant's fuel rods. Fortunately, as Reuters reported, the computer isn't connected to the Internet, and the malware was never able to be activated.
The malware was discovered on computer systems at the Gundremmingen nuclear power facility by employees of the German electrical utility company RWE. It included Conficker, a worm first detected in 2008 designed to steal user credentials and personal financial data and turn infected computers into "bots" to carry out distributed denial of service (DDoS) attacks. W32.Ramnit, a worm that provides attackers with a remote access tool and allows them to steal files and inject code into webpages to capture banking data, was also discovered on the system.
In addition to the infected computer system, last upgraded in 2008, malware was discovered on 18 USB removable storage devices. Both Conficker and W32.Ramnit spread themselves through USB drives. The malware did no harm because it required Internet access to contact a command-and-control network, and it appears that the plant was not specifically targeted by attackers since the malware was focused largely on financial fraud.
As security breaches go, they don't get more vexing than this: 7 million compromised accounts that protected passwords using woefully weak unsalted MD5 hashes, and the outfit responsible, still hadn't disclosed the hack three months after it came to light. And as if that wasn't enough, the service recommended the use of short passwords. That's what Motherboard reported Tuesday about Lifeboat, a service that provides custom multiplayer environments to gamers who use the Minecraft mobile app.
The data circulating online included the e-mail addresses and hashed passwords for 7 million Lifeboat accounts. The mass compromise was discovered by Troy Hunt, the security researcher behind the Have I been pwned? breach notification site. Hunt said he had acquired the data from someone actively involved in trading hacked login credentials who has provided similar data in the past.
Hunt reported that some of the plaintext passwords users had chosen were so weak that he was able to discover them simply by posting the corresponding MD5 hash into Google. As if many users' approach to password selection weren't lackadaisical enough, Lifeboat's own Getting started guide recommended "short, but difficult to guess passwords" because "This is not online banking."
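Why an unsalted MD5 hash is so easy to look up, and what the stored form should look like instead, as an added example that is not Lifeboat's code: with unsalted MD5, every user who picked the same password stores the same hash, so a single lookup exposes all of them; with a per-user random salt and a slow KDF (PBKDF2-HMAC-SHA256 from the standard library here, as an assumed replacement), equal passwords store different values and each guess costs real work. The user names and passwords are constructed.

```python
"""Unsalted MD5 versus salted PBKDF2 password storage (added example).

Not Lifeboat's code. Uses only the Python standard library. The user records
below are constructed for illustration.
"""
import hashlib
import hmac
import os
from collections import defaultdict


def md5_unsalted(password):
    """The weak scheme: same password -> same hash for every user."""
    return hashlib.md5(password.encode()).hexdigest()


def shared_hash_groups(user_hashes):
    """Given {user: unsalted_hash}, return groups of users that share a hash.
    In an unsalted dump this is visible for free; a defender can use the same
    check to measure exposure before migrating the database."""
    groups = defaultdict(list)
    for user, h in user_hashes.items():
        groups[h].append(user)
    return sorted(sorted(u) for u in groups.values() if len(u) > 1)


def pbkdf2_store(password, iterations=200_000, salt=None):
    """Return 'pbkdf2_sha256$<iters>$<salt_hex>$<hash_hex>' with a fresh
    16-byte random salt unless one is supplied (only for tests)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


# Constructed records: two users chose the same weak password.
WEAK_DB = {
    "alice": md5_unsalted("password"),
    "bob": md5_unsalted("password"),
    "carol": md5_unsalted("correct horse battery staple"),
}

if __name__ == "__main__":
    print("users sharing an MD5 hash:", shared_hash_groups(WEAK_DB))
    a, b = pbkdf2_store("password"), pbkdf2_store("password")
    print("salted stores differ:", a != b, "verify:", pbkdf2_verify("password", a))
```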