Tag Archives: DDoS

Is Your Organization Prepared? New Details on HIDDEN COBRA Botnet

HIDDEN COBRA is the name the US government uses for North Korean government cyber actors. The DDoS botnet infrastructure these actors operate is targeting organizations in the financial sector, media, aerospace, and critical infrastructure around the globe with disruptive DDoS attacks.

US-CERT issued an alert with technical details on the tools and infrastructure HIDDEN COBRA actors use: DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware.

The alert lists vulnerabilities these actors commonly exploit to deliver their malware:

  • CVE-2015-6585: Hangul Word Processor Vulnerability
  • CVE-2015-8651: Adobe Flash Player 18.0.0.324 and 19.x Vulnerability
  • CVE-2016-0034: Microsoft Silverlight 5.1.41212.0 Vulnerability
  • CVE-2016-1019: Adobe Flash Player 21.0.0.197 Vulnerability
  • CVE-2016-4117: Adobe Flash Player 21.0.0.226 Vulnerability

Organizations should update these applications to the latest version and patch level as soon as possible. Better yet, if you don’t need Adobe Flash or Microsoft Silverlight, remove them from your systems altogether; an application that is not installed cannot be exploited.

Indicators of compromise are included in the alert. Network administrators should review the IP addresses, file hashes, network signatures, and YARA rules provided, and add the IP addresses associated with HIDDEN COBRA to their watchlists so that any traffic to or from those addresses is flagged and investigated.
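As an added illustration of the watchlist step (example code, not part of the US-CERT alert or of the original post), the script below matches a small indicator set against proxy log lines and against file hashes. The indicator values, log lines and file contents are constructed for the example, and the log format `timestamp client_ip dest_ip url` is an assumption; the real indicators come from the alert's attachments.

```python
"""Match an IOC watchlist against proxy logs and file hashes (added example)."""
import hashlib
import ipaddress
import re

# Constructed watchlist (placeholders, not the alert's real indicators).
# Networks rather than bare addresses, so one entry can cover a hosting range.
IOC_NETWORKS = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24",    # documentation range standing in for a C2 block
    "198.51.100.7/32",   # a single host
)]
# Constructed file-hash indicator: SHA-256 of a stand-in "sample".
IOC_SHA256 = {hashlib.sha256(b"constructed malicious sample").hexdigest()}

# Constructed proxy log lines, assumed format: "<ts> <client_ip> <dest_ip> <url>"
SAMPLE_LOG = """\
2017-06-14T10:01:02Z 10.0.0.5 93.184.216.34 http://example.com/
2017-06-14T10:01:09Z 10.0.0.5 203.0.113.45 http://203.0.113.45/update.bin
2017-06-14T10:02:30Z 10.0.0.8 198.51.100.7 http://198.51.100.7/
2017-06-14T10:03:11Z 10.0.0.9 198.51.100.8 http://198.51.100.8/
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def ip_in_watchlist(ip: str) -> bool:
    """True when ip falls inside any watchlisted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in IOC_NETWORKS)


def scan_log(text: str) -> list:
    """Return (line, matched_ip) for each line touching a watchlisted address.

    Every IPv4 literal on the line is tested, so a hit is found whether the
    address appears in the destination column or only inside the URL.
    """
    hits = []
    for line in text.splitlines():
        for ip in IPV4.findall(line):
            if ip_in_watchlist(ip):
                hits.append((line, ip))
                break
    return hits


def hash_matches(blobs: dict) -> list:
    """Return the names of blobs whose SHA-256 is on the indicator list."""
    return [name for name, data in blobs.items()
            if hashlib.sha256(data).hexdigest() in IOC_SHA256]


if __name__ == "__main__":
    for line, ip in scan_log(SAMPLE_LOG):
        print(f"WATCHLIST HIT {ip}: {line}")
    files = {"update.bin": b"constructed malicious sample", "notes.txt": b"benign"}
    print("hash hits:", hash_matches(files))
```

A watchlist match is a lead, not a verdict: the alert's address list should be used to trigger investigation of the flagged host rather than as a blind block list.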

Key Takeaway

Unpatched applications continue to be a weak point for organizations, and vulnerabilities in Flash and Silverlight are commonly targeted by HIDDEN COBRA to spread malware. The US-CERT alert gives network administrators a good jump start on protecting their systems from the active botnet; now the onus is on organizations to act on it.

OCR Alert: Tips to Prevent DDoS Attacks

The Department of Health and Human Services Office for Civil Rights (OCR) has issued awareness guidance to give healthcare organizations tips to prevent Distributed Denial-of-Service (DDoS) attacks.

The guidance gives practical advice on avoiding becoming a victim of a DDoS attack. In these attacks, the attackers flood a network or system with large volumes of traffic so that legitimate users can no longer reach the information or services.

The healthcare sector isn’t necessarily the biggest target for DDoS attacks, but the impact could be devastating: a DDoS attack might cut off access to critical healthcare assets such as electronic health record databases or software-based medical equipment.

Best Practices

The guidance references a list of best practices from US-CERT to help prevent a DDoS attack:

  • Continuously monitor and scan for vulnerable and compromised IoT devices on networks, and follow proper remediation actions.
  • Create and implement password management policies and procedures for devices and their users. Ensure all default passwords are changed to strong passwords. Default usernames and passwords for most devices can easily be found on the Internet, making devices with default passwords extremely vulnerable.
  • Install and maintain anti-virus software and security patches. Update IoT devices with security patches as soon as patches become available.
  • Install a firewall, and configure it to restrict traffic coming into and leaving your network and IT systems.
  • Segment networks where appropriate and apply appropriate security controls to control access among network segments.
  • Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary.
  • Look for suspicious traffic on port 48101. Infected devices often attempt to spread the malware by reporting their scan results to the threat actor over port 48101.
  • Monitor port 2323/TCP and port 23/TCP for attempts to gain unauthorized control over IoT devices using the Telnet protocol.
  • Practice and promote security awareness. It is important to know and understand the capabilities of the IT systems, medical devices, and network-capable HVAC systems installed on Covered Entities’ and Business Associates’ networks. If a device has an open Wi-Fi connection, transmits data, or can be operated remotely, it has the potential to be infected.
  • Follow good security practices for distributing email addresses. Applying email filters may help entities manage unwanted traffic.

IoT Botnets Pose Big DDoS Threat

 


With the rapid expansion of Internet of Things (IoT) devices and their stark lack of security, cyber criminals have a plethora of devices to recruit for their botnets. Botnets are networks of connected devices infected with malware.

Botnets are often collectively used to launch Distributed Denial of Service (DDoS) attacks. With the mass quantities of IoT devices connected to the Internet, the new trend for cyber criminals is to infect these devices and use them in coordinated attacks.

DDoS Attack

Recently, security blogger Brian Krebs was the target of a massive DDoS attack. In a DDoS attack, a network or server is flooded with requests in order to overload it and make it unable to respond to legitimate requests, effectively taking a website down.

The Krebs attack was one of the largest DDoS attacks on record at over 620 Gbps. It drew particular attention because it was launched by a botnet of IoT devices infected with the Mirai malware.

Mirai infects a device and starts by removing competing malware from it. It then scans the Internet for other vulnerable devices to add to the botnet; when it finds one, it runs a brute-force dictionary attack with a short list of common default usernames and passwords to gain access. Reportedly, some 380,000 Mirai-infected IoT devices were used in the Krebs attack.

The Mirai source code has since been released on the Internet, so there’s a good chance this problem will grow as more IoT botnets form. After the attack on Krebs’ blog, a Mirai botnet was credited with the massive attack on the DNS provider Dyn, which took several major websites down in the process.

Vulnerable IoT Devices

The security industry has identified this as a major problem for quite some time. Most IoT devices have serious security weaknesses and can easily be leveraged in these coordinated attacks. For now, the IoT botnets primarily consist of routers, network-enabled cameras, and printers.

The main reason malware like Mirai is so effective is that most IoT devices never have their default credentials changed. Default usernames and passwords for many devices can be found on the Internet, making them easy to compromise.

Mitigation

To remove Mirai malware from an infected IoT device:

  • Disconnect the device from the network.
  • Perform a reboot. Mirai lives only in dynamic memory, so rebooting clears the malware from the device.
  • Change the password for the device. Make sure the default password is changed and use a strong password.
  • Reconnect to the network. Do not skip the password change: Mirai’s scanners will find a device that still has default credentials and reinfect it shortly after it is reconnected.

Prevention

To prevent Mirai malware from infecting your IoT devices:

  • Ensure all default passwords are changed to strong passwords.
  • Update IoT devices with patches as soon as possible. This isn’t always applicable, as many IoT devices don’t push security patches.
  • Disable Universal Plug and Play on routers unless it’s absolutely necessary.
  • Monitor port 2323/TCP and port 23/TCP for attempts to gain unauthorized control using the Telnet protocol.
  • Look for suspicious traffic on port 48101. Infected devices often use port 48101 to report scan results to the attacker’s infrastructure.

[Mitigation and prevention measures referenced from the US-CERT alert here.]
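The port-monitoring items above (Telnet on 23/2323, reporting on 48101) appear both in the US-CERT list quoted in the OCR post earlier on this page and in the prevention list here; the script below is one added example that serves both (example code, not the US-CERT alert's). It reads firewall or flow records and flags the three Mirai behaviours those items describe: an internal device reporting to a loader on 48101, an internal device probing Telnet across many external hosts, and an external source hammering Telnet on one internal device. The records are constructed, and the record format `ts src sport dst dport proto`, the 192.168.1.0/24 internal prefix and the thresholds are assumptions to adapt to your own export.

```python
"""Flag Mirai-style Telnet scanning, brute force and 48101 reporting (added example)."""
from collections import Counter, defaultdict
from typing import NamedTuple

TELNET_PORTS = {23, 2323}   # Mirai's scanner targets these
REPORT_PORT = 48101         # infected devices report scan results here
SCAN_THRESHOLD = 5          # distinct external Telnet targets from one internal host
BRUTE_THRESHOLD = 5         # Telnet attempts from one external source to one device


class Flow(NamedTuple):
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse(lines: str) -> list:
    """Parse the assumed 'ts src sport dst dport proto' export format."""
    flows = []
    for line in lines.splitlines():
        if line.strip():
            ts, src, sport, dst, dport, proto = line.split()
            flows.append(Flow(ts, src, int(sport), dst, int(dport), proto))
    return flows


def is_internal(ip: str) -> bool:
    return ip.startswith("192.168.1.")   # assumption: protected network is 192.168.1.0/24


def find_mirai_indicators(flows) -> list:
    """Return (kind, source, detail) findings for the three behaviours."""
    findings = []
    # 1. An internal device reporting to a loader on 48101.
    for f in flows:
        if f.proto == "tcp" and f.dport == REPORT_PORT and is_internal(f.src):
            findings.append(("report-to-loader", f.src, f.dst))
    # 2. An internal device probing Telnet on many external hosts (infected, now recruiting).
    targets = defaultdict(set)
    for f in flows:
        if (f.proto == "tcp" and f.dport in TELNET_PORTS
                and is_internal(f.src) and not is_internal(f.dst)):
            targets[f.src].add(f.dst)
    for src, dsts in targets.items():
        if len(dsts) >= SCAN_THRESHOLD:
            findings.append(("telnet-scanning", src, f"{len(dsts)} targets"))
    # 3. An external source hammering Telnet on one internal device (credential brute force).
    attempts = Counter()
    for f in flows:
        if (f.proto == "tcp" and f.dport in TELNET_PORTS
                and not is_internal(f.src) and is_internal(f.dst)):
            attempts[(f.src, f.dst)] += 1
    for (src, dst), n in attempts.items():
        if n >= BRUTE_THRESHOLD:
            findings.append(("telnet-bruteforce", src, f"{dst} x{n}"))
    return findings


# Constructed flow records (not real traffic): a camera at 192.168.1.50 is
# brute-forced from outside, then starts scanning and reporting itself.
SAMPLE_FLOWS = """\
2016-10-21T03:00:01Z 198.51.100.20 51234 192.168.1.50 23 tcp
2016-10-21T03:00:02Z 198.51.100.20 51235 192.168.1.50 23 tcp
2016-10-21T03:00:03Z 198.51.100.20 51236 192.168.1.50 23 tcp
2016-10-21T03:00:04Z 198.51.100.20 51237 192.168.1.50 2323 tcp
2016-10-21T03:00:05Z 198.51.100.20 51238 192.168.1.50 23 tcp
2016-10-21T03:05:00Z 192.168.1.50 40001 203.0.113.1 23 tcp
2016-10-21T03:05:00Z 192.168.1.50 40002 203.0.113.2 23 tcp
2016-10-21T03:05:01Z 192.168.1.50 40003 203.0.113.3 2323 tcp
2016-10-21T03:05:01Z 192.168.1.50 40004 203.0.113.4 23 tcp
2016-10-21T03:05:02Z 192.168.1.50 40005 203.0.113.5 23 tcp
2016-10-21T03:05:02Z 192.168.1.50 40006 203.0.113.6 23 tcp
2016-10-21T03:05:10Z 192.168.1.50 40007 198.51.100.9 48101 tcp
2016-10-21T03:06:00Z 192.168.1.10 50000 93.184.216.34 443 tcp
2016-10-21T03:06:01Z 192.168.1.10 50001 8.8.8.8 53 udp
"""

if __name__ == "__main__":
    for kind, src, detail in find_mirai_indicators(parse(SAMPLE_FLOWS)):
        print(f"{kind:18} {src:15} {detail}")
```

The outbound checks (scanning and 48101 reporting) are the useful ones once a device is already compromised: blocking inbound Telnet at the perimeter stops new infections from outside, but an infected device still announces itself by what it sends out.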

Fake DDoS Threats Steal $100,000


Cloudflare reported that its customers have started receiving DDoS threats from a cybercriminal group called Armada Collective. The extortion emails sent by the Armada Collective threatened businesses with a full scale DDoS attack if they didn’t pay the bitcoin demands.

Cloudflare checked in with other DDoS mitigation services, and – lo and behold – they were seeing the same threats. But the funny thing is there hasn’t been evidence of a single attack perpetrated by the almighty Armada Collective. Instead, they’ve collected over $100,000 in fake extortion payments. Let’s take a closer look…

Armada Collective Threat

Below is an example of the extortion email being sent out by the Armada Collective:

[Screenshot: Armada Collective extortion email]

The interesting part is that the Armada Collective claims it will know who paid, yet every message directs the victim to send the same amount to the same Bitcoin address. The email also says Bitcoin is anonymous; it is more accurately pseudonymous, but with one shared address and one fixed amount the senders genuinely have no way to tell which victim paid the “fee.” It makes sense, then, that no attacks are launched whether or not the victim pays.
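That reasoning can be turned into a triage check for a batch of extortion emails. The script below is an added example (not Cloudflare's or the original post's code): it extracts the Bitcoin address from each message, keeps only addresses that pass Base58Check validation, and groups recipients by address; one address shared by several victims means the sender cannot distinguish who paid. The emails and the address (built from a placeholder hash, not a real wallet) are constructed for the example.

```python
"""Group DDoS extortion emails by demanded Bitcoin address (added example)."""
import hashlib
import re
from collections import defaultdict

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    """Base58 as used by Bitcoin; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = ALPHABET[rem] + digits
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + digits


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + ALPHABET.index(ch)       # ValueError on a non-Base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def make_p2pkh(hash160: bytes) -> str:
    """Mainnet P2PKH address: version 0x00 + 20-byte hash + 4-byte checksum."""
    payload = b"\x00" + hash160
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + checksum)


def is_valid_address(addr: str) -> bool:
    """Base58Check: 25 decoded bytes whose double-SHA-256 checksum matches."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


# Legacy address shape: leading 1 or 3, Base58 alphabet (no 0, O, I, l).
BTC_ADDR = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")


def triage(emails) -> dict:
    """Map each valid demanded address to the sorted list of recipients it was sent to."""
    by_addr = defaultdict(set)
    for recipient, body in emails:
        for addr in BTC_ADDR.findall(body):
            if is_valid_address(addr):
                by_addr[addr].add(recipient)
    return {addr: sorted(rcpts) for addr, rcpts in by_addr.items()}


def looks_untargeted(groups) -> bool:
    """One address across several victims: the sender cannot tell who paid."""
    return any(len(rcpts) > 1 for rcpts in groups.values())


# Constructed campaign: a placeholder hash160 (not a real wallet) reused in every message.
SHARED_ADDR = make_p2pkh(bytes(range(1, 21)))
SAMPLE_EMAILS = [
    ("ops@bank-a.example", f"Pay 20 Bitcoin to {SHARED_ADDR} or we attack at 16:00 UTC."),
    ("noc@shop-b.example", f"Pay 20 Bitcoin to {SHARED_ADDR} or we attack at 16:00 UTC."),
    ("it@clinic-c.example", f"Pay 20 Bitcoin to {SHARED_ADDR} or we attack at 16:00 UTC."),
    ("cto@startup-d.example", "Send 10 BTC to 1FakeAddressForTestingxxxxxxxxxxx now."),
]

if __name__ == "__main__":
    groups = triage(SAMPLE_EMAILS)
    for addr, rcpts in groups.items():
        print(addr, "demanded from", len(rcpts), "victims")
    print("untargeted bulk campaign:", looks_untargeted(groups))
```

The validation step matters because a regex alone also matches address-shaped junk; a Base58Check failure on the demanded address is itself a sign the sender never intended to collect.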

The original group that called themselves Armada Collective disappeared around November of 2015. They were thought to be a part of the notorious DD4BC group that was very effective in carrying out DDoS threats. It sounds like some scheming cybercriminals are riding the coattails of the original group’s reputation to make a quick buck.

Threat Alert: Dorkbot

[US-CERT released this Threat Alert warning about Dorkbot.]

Systems Affected

Microsoft Windows

Overview

Dorkbot is a botnet used to steal online payment information, participate in distributed denial-of-service (DDoS) attacks, and deliver other types of malware to victims’ computers. According to Microsoft, the family of malware used in this botnet “has infected more than one million personal computers in over 190 countries over the course of the past year.” The United States Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation (FBI) and Microsoft, is releasing this Technical Alert to provide further information about Dorkbot.

Description

Dorkbot-infected systems are used by cyber criminals to steal sensitive information (such as user account credentials), launch denial-of-service (DoS) attacks, disable security protection, and distribute several malware variants to victims’ computers. Dorkbot is commonly spread via malicious links sent through social networks or instant message programs, or through infected USB devices.

In addition, Dorkbot’s backdoor functionality allows a remote attacker to exploit an infected system. According to Microsoft’s analysis, a remote attacker may be able to:

  • Download and run a file from a specified URL;
  • Collect logon information and passwords through form grabbing, FTP, POP3, or Internet Explorer and Firefox cached login details; or
  • Block or redirect certain domains and websites (e.g., security sites).

Impact

A system infected with Dorkbot may be used to send spam, participate in DDoS attacks, or harvest users’ credentials for online services, including banking services.

Solution

Users are advised to take the following actions to remediate Dorkbot infections:

  • Use and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most known viruses. Even though Dorkbot is designed to evade detection, security companies are continuously updating their software to counter these advanced threats. Therefore, it is important to keep your anti-virus software up-to-date. If you suspect you may be a victim of Dorkbot, update your anti-virus software definitions and run a full-system scan. (See Understanding Anti-Virus Software for more information.)
  • Change your passwords – Your original passwords may have been compromised during the infection, so you should change them. (See Choosing and Protecting Passwords for more information.)
  • Keep your operating system and application software up-to-date – Install software patches so that attackers cannot take advantage of known problems or vulnerabilities. You should enable automatic updates of the operating system if this option is available. (See Understanding Patches for more information.)
  • Use anti-malware tools – Using a legitimate program that identifies and removes malware can help eliminate an infection. Users can consider employing a remediation tool (see example below) to help remove Dorkbot from their systems.
  • Disable Autorun – Dorkbot tries to use the Windows Autorun function to propagate via removable drives (e.g., USB flash drives). You can disable Autorun to stop the threat from spreading.

Microsoft

http://www.microsoft.com/security/scanner/en-us/default.aspx

The above example does not constitute an exhaustive list. The U.S. Government does not endorse or support any particular product or vendor.


Threat Alert: Hacking Group DD4BC

Distributed Denial of Service (DDoS) attacks against financial services firms have been on the rise. The past few months have seen a spike in financial services and broker-dealer firms targeted by the hacking group DD4BC.

DD4BC is a hacking group making its name in the DDoS sphere. The group has turned its attention towards the financial sector, including government agencies. The size and frequency of the attacks have been increasing, prompting threat alerts around the financial industry.

In a DDoS attack, the attackers flood a website with an overwhelming number of requests until it can no longer serve legitimate users. DD4BC begins its campaign with an email to the organization demanding a sum in bitcoin to avoid the dreaded DDoS attack. If ignored, DD4BC follows up with another email demanding a larger ransom while launching a DDoS attack, and continues to escalate if demands aren’t met, usually launching a larger attack the next day.

Organizations should have technical defenses against DDoS and design their security architecture accordingly. Experts usually advise against paying the ransom: some organizations that paid the bitcoin demand were attacked anyway, and others were retargeted because the attackers now knew there was a good chance they would pay.

FBI Alert: DDoS Extortions Continue

The Internet Crime Complaint Center (IC3) recently received an increasing number of complaints from businesses reporting extortion campaigns via e-mail. In a typical complaint, the victim business receives an e-mail threatening a Distributed Denial of Service (DDoS) attack to its Website unless it pays a ransom. Ransoms vary in price and are usually demanded in Bitcoin.

Victims that do not pay the ransom receive a subsequent threatening e-mail claiming that the ransom will significantly increase if the victim fails to pay within the time frame given. Some businesses reported implementing DDoS mitigation services as a precaution.

Businesses that experienced a DDoS attack reported that the attacks consisted primarily of Simple Service Discovery Protocol (SSDP) and Network Time Protocol (NTP) reflection/amplification attacks, with an occasional SYN flood and, more recently, WordPress XML-RPC reflection/amplification attacks. The attacks typically lasted one to two hours and peaked at roughly 30 to 35 Gbps.
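The attack types named above leave characteristic patterns in flow records. The script below is an added example (not from the FBI/IC3 alert): it flags reflection/amplification as unsolicited UDP replies arriving from the SSDP (1900) and NTP (123) source ports of many distinct reflectors at one host, and a SYN flood as bare SYNs from many sources to one internal service. The records are constructed; the format `ts src sport dst dport proto bytes flags`, the 192.168.1.0/24 internal prefix and the thresholds are assumptions. XML-RPC reflection arrives as ordinary HTTP requests and is not covered here.

```python
"""Detect UDP reflection/amplification and SYN floods in flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass

REFLECTOR_PORTS = {1900: "SSDP", 123: "NTP"}   # source ports of amplified replies


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int
    flags: str          # TCP flags, "-" for UDP


def parse(lines: str) -> list:
    """Parse the assumed 'ts src sport dst dport proto bytes flags' format."""
    out = []
    for line in lines.splitlines():
        if line.strip():
            ts, src, sp, dst, dp, proto, nb, fl = line.split()
            out.append(Flow(ts, src, int(sp), dst, int(dp), proto, int(nb), fl))
    return out


def is_internal(ip: str) -> bool:
    return ip.startswith("192.168.1.")    # assumption: protected prefix


def detect_reflection(flows, min_reflectors=3, min_bytes=1000) -> list:
    """Unsolicited replies from reflector ports, from many sources, aimed at one host."""
    # Pairs (our host, server) where we actually sent a request: those replies are legitimate.
    requested = {(f.src, f.dst) for f in flows
                 if f.proto == "udp" and is_internal(f.src) and f.dport in REFLECTOR_PORTS}
    inbound = defaultdict(lambda: defaultdict(int))   # victim -> (reflector, svc) -> bytes
    for f in flows:
        if (f.proto == "udp" and is_internal(f.dst) and f.sport in REFLECTOR_PORTS
                and (f.dst, f.src) not in requested):
            inbound[f.dst][(f.src, REFLECTOR_PORTS[f.sport])] += f.nbytes
    findings = []
    for victim, sources in inbound.items():
        total = sum(sources.values())
        if len(sources) >= min_reflectors and total >= min_bytes:
            findings.append((victim, len(sources), total, sorted({svc for _, svc in sources})))
    return findings


def detect_syn_flood(flows, min_sources=5) -> list:
    """Bare SYNs from many distinct sources to one internal service."""
    syns = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.flags == "S" and is_internal(f.dst):
            syns[(f.dst, f.dport)].add(f.src)
    return [(dst, port, len(srcs)) for (dst, port), srcs in syns.items()
            if len(srcs) >= min_sources]


# Constructed records: one legitimate NTP exchange, then SSDP/NTP reflection and a SYN flood
# against the web server at 192.168.1.80. Not real traffic.
SAMPLE_FLOWS = """\
2015-07-30T12:00:00Z 192.168.1.10 40123 203.0.113.123 123 udp 48 -
2015-07-30T12:00:00Z 203.0.113.123 123 192.168.1.10 40123 udp 48 -
2015-07-30T12:30:00Z 198.51.100.1 1900 192.168.1.80 80 udp 1500 -
2015-07-30T12:30:00Z 198.51.100.2 1900 192.168.1.80 80 udp 1500 -
2015-07-30T12:30:00Z 198.51.100.3 1900 192.168.1.80 80 udp 1500 -
2015-07-30T12:30:00Z 198.51.100.4 1900 192.168.1.80 80 udp 1500 -
2015-07-30T12:30:01Z 198.51.100.5 123 192.168.1.80 80 udp 4400 -
2015-07-30T12:30:01Z 198.51.100.6 123 192.168.1.80 80 udp 4400 -
2015-07-30T12:31:00Z 203.0.113.11 51000 192.168.1.80 80 tcp 60 S
2015-07-30T12:31:00Z 203.0.113.12 51001 192.168.1.80 80 tcp 60 S
2015-07-30T12:31:00Z 203.0.113.13 51002 192.168.1.80 80 tcp 60 S
2015-07-30T12:31:00Z 203.0.113.14 51003 192.168.1.80 80 tcp 60 S
2015-07-30T12:31:00Z 203.0.113.15 51004 192.168.1.80 80 tcp 60 S
2015-07-30T12:31:00Z 203.0.113.16 51005 192.168.1.80 80 tcp 60 S
2015-07-30T12:31:05Z 192.168.1.10 50200 93.184.216.34 443 tcp 74 S
"""

if __name__ == "__main__":
    flows = parse(SAMPLE_FLOWS)
    for victim, n, total, svcs in detect_reflection(flows):
        print(f"reflection: {victim} from {n} reflectors, {total} bytes, {svcs}")
    for dst, port, n in detect_syn_flood(flows):
        print(f"syn flood: {dst}:{port} from {n} sources")
```

The reflection check keys on request/reply asymmetry rather than on volume alone, which is why a real NTP query and its reply in the sample are not flagged; in production the thresholds would be set well above the site's normal baseline.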

Based on information received at the IC3, the FBI suspects multiple individuals are involved in these extortion campaigns. The attacks are likely to expand to online industries and other targeted sectors, especially those susceptible to suffering financial losses if taken offline.

If you believe you have been a victim of this scam, you should reach out to your local FBI field office, and file a complaint with the IC3 at www.IC3.gov.

Tips to protect yourself:

  • React: Take the threat seriously, and “spin up” an incident response team to deal with any such attacks or threats.
  • Defend: Review DDoS defenses to ensure they can handle attackers’ threatened load, and if necessary contract with, subscribe to or buy an anti-DDoS service or tool that can help.
  • Alert: Warn the organization’s data centers and ISPs about the threatened attack, which they may also be able to help mitigate.
  • Report: Tell law enforcement agencies about the threat – even if attackers do not follow through – so they can amass better intelligence to pursue the culprits.
  • Plan: Continually review business continuity plans to prepare for any disruption, if it does occur, to avoid excessive disruptions to the business.

OCC Report Expects Cyber Threats to Shift From Disruption to Destruction and Corruption

The Office of the Comptroller of the Currency (OCC) Semiannual Risk Perspective for Spring 2014 includes cybersecurity comments and guidance intended for both large and small financial institutions. The report reiterates the importance of the cyber-threat guidance in previously issued bulletins.

Report Highlights

Banks continue to be attractive cyber-attack targets. For information on current threats, refer to the joint statements issued in April 2014.

  • OCC Bulletin 2014-13, “Cyber Attacks on Financial Institutions’ Automated Teller Machine and Card Authorization Systems”
  • OCC Bulletin 2014-14, “Distributed Denial-of-Service Cyber Attacks, Risk Mitigation, and Additional Resources”
  • OCC Bulletin 2014-17, “Information Security Vulnerability in OpenSSL Encryption Tool (Heartbleed)”

The report reiterates that risk management of third-party relationships should be commensurate with the breadth, complexity, and criticality of the arrangements, as previously outlined in OCC Bulletin 2013-29.

Additionally, there is OCC concern that cyber threat objectives will transition from simple disruption to destruction and corruption of information and systems.

FFIEC Webinar Promotes Cybersecurity Preparedness to Community Financial Institutions

During a webinar (see slideset) for approximately 5,000 chief executive officers and senior managers from community financial institutions, the Federal Financial Institutions Examination Council (FFIEC) announced a vulnerability and risk-mitigation assessment as well as regulatory self-assessment of supervisory policies and processes (FFIEC press release). These assessments will be conducted later in 2014 to help FFIEC member agencies make informed decisions about the state of cybersecurity across community institutions and address gaps and prioritize necessary actions to strengthen supervisory programs.

NCUA Issues DDoS Alert

In February 2013 the National Credit Union Administration (NCUA) issued an alert identifying policies and procedures to guard against Distributed Denial of Service (DDoS) attacks. According to the alert, key strategies for mitigating DDoS risk include:

  • Performing risk assessments to identify risks associated with DDoS attacks.
  • Ensuring incident response programs include a DDoS attack scenario during testing and address activities before, during, and after an attack.
  • Performing ongoing third-party due diligence, in particular on Internet and web-hosting service providers, to identify risks and implement appropriate traffic management policies and controls.