Author Archives: Enurrendy

Massive DDoS Brute-Force Campaign Targets Linux Rootkits

A brute force campaign looking to set up a distributed denial of service (DDoS) botnet using a rare Linux rootkit malware has been launched, emanating from the servers of a Hong Kong-based company called Hee Thai Limited. The malware, known as XOR.DDoS, was first spotted in September by security research firm Malware Must Die. But security firm FireEye says that new variants have been making their way into the wild, as recently as Jan.20. XOR.DDoS is installed on targeted systems via SSH (Secure Shell) brute-force attacks that target both servers and network devices. And these are being carried out using complex attack scripts to serve the malware through a sophisticated distribution scheme that allows the attackers to compile and deliver tailored rootkits on-demand, to infect x86 and mobile ARM systems alike. Once infected, the hosts are enlisted to launch DDoS attacks. “While typical DDoS bots are straightforward in operation and often programmed in a high-level script such as PHP or Perl, the XOR.DDoS family is programming in C/C++ and incorporates multiple persistence mechanisms including a rare Linux rootkit,” FireEye researchers noted in an analysis. What’s notable about the Hee Thai attack is the sheer scale of the operation. Within 24 hours of first sighting back in November, FireEye had observed well over 20,000 SSH login attempts, per server. By the end of January, each server had seen nearly 1 million login attempts. During this time period, traffic from 103.41.124.0/24 accounted for 63% of all observed port 22 traffic. “Someone with a lot of bandwidth and resources really wanted to get into our servers,” FireEye researcher noted. They also said that the campaign has been evolving. At the beginning, each IP address would attempt more than 20,000 passwords before moving on. It then dropped to attempting a few thousand passwords before cycling to the next, and repeat attacks also began to occur. Now, a new stage of the Hee Thai campaign is more chaotic than the previous two. “The attacks now occur en masse and at random, frequently with multiple IPs simultaneously targeting the same server,” FireEye explained. The Hee Thai campaign also features an on-demand malware build system. Using a sophisticated set of build systems, the malware harvests kernel headers and version strings from victims to deliver customized malware that may be compiled on-demand to deliver XOR.DDoS to the target machine. This strategy makes hash signature-based detection systems ineffective for detecting XOR.DDoS. “Brute force attacks are one of the oldest types of attacks,” FireEye researchers said. “Due to its ubiquity, there are numerous solutions available for defending against them. However a great many systems are vulnerable. Even in enterprise settings, network devices and servers in forgotten branch offices could be exposed to this threat.” Source: http://www.infosecurity-magazine.com/news/massive-ddos-bruteforce-targets/

Read the article:
Massive DDoS Brute-Force Campaign Targets Linux Rootkits

Home Routers and IoT Devices Set to Drive DNS DDoS Attacks

The volume of DNS-based DDoS attacks will see another sharp rise this year as increasing numbers of home routers and IoT devices are compromised, according to Nominum. The network infrastructure and security firm claimed there was a 100-fold rise in such attacks during 2014 with a major spike in December thanks to malware in home gateways. The trend is likely to continue in 2015, with the volume of exploitable home and IoT devices set to soar. According to Nominum, just 100 compromised devices managed to take down one million subscriber networks last year. In such DDoS campaigns, the attackers send specially crafted queries to ISP DNS resolvers and authoritative DNS servers, making the websites reliant upon them unreachable. Nominum claims that many DDoS prevention services are unable to counter these attacks as they’re either deployed in the wrong part of the network or lack accuracy. The firm added that last year, 24 million home routers with open DNS proxies were compromised and used to launch DDoS attacks. The volume of vulnerable devices has decreased since then, but with more than 100 million routers shipped every year and IoT devices set to reach tens of billions over the coming years, there’ll be plenty of opportunity for attackers to strike, it claimed. “The recent shift to bot-based DNS DDoS dramatically changes the threat landscape and these attacks will likely grow worse as the number of connected devices increases,” said Craig Sprosts, vice president product management at Nominum, in a statement. “These attacks are continuously changing and increasingly targeting legitimate domains, requiring rapid response and making simple domain or IP-based blocking approaches too risky to deploy in service provider networks.” However, David Stubley, CEO of security consultancy 7 Elements, argued that firms shouldn’t focus all their defensive efforts on DNS-related DDoS. “We have been dealing with bots and DDoS for the last 15 years and have seen a number of new techniques, such as BitTorrent as a delivery method for DDoS attacks,” he told Infosecurity . “While DNS amplification attacks will make DDoS attacks larger, this is just one of a number of approaches used and doesn’t dramatically change the threat landscape. Organizations need to assess the overall impact on their business that a DDoS attack could have and take appropriate measures to ensure that they can meet their business objectives.” Source: http://www.infosecurity-magazine.com/news/home-routers-iot-devices-drive-dns/

Read the original post:
Home Routers and IoT Devices Set to Drive DNS DDoS Attacks

Hackers ransoming encryption keys from website owners

Hackers are finding even more ways to harm website owners, in a new report from security firm High-Tech Bridge hackers are switching encryption keys and then ransoming website owners for money. The attack—known as “RansomWeb”—manages to take the current encryption keys and swap them with non-working numbers. In order for the website owner to regain control, they are forced to pay the hackers. Encryption is the basis of modern internet security, but with this new hack it locks the website owner out and gives no way to get back in, without having even more security latched on top. Even if the website owner sends payment over, there is no guarantee they will get the website back, or any guarantee that the attacker will not launch the same attack later. “We are probably facing a new emerging threat for websites that may outshine defacements and DDoS attacks.” Ilia Kolochenko, chief executive of High-Tech Bridge said. “RansomWeb attacks may cause unrepairable damage, they are very easy to cause and pretty difficult to prevent.” These hackers wait for months until new patches of encryption keys are added, before locking out the website owner. This gives them full control over the website and allows them to implement old keys that are invalid. Kolochenko claims this is a change in hacker identity, moving from chaos to financial motives. He believes the next slew of hackers will always look for ransoms and lock owners out, instead of simply defacing a website. This was first seen on the Sony Pictures hack, when the apparent hackers sent ransom messages to Sony executives three days before taking the entire system offline. The ever changing world of encryption makes it hard for security firms to properly defend customers, especially with this new RansomWeb attack. It may lead to firms like Google and Facebook offering security help for smaller sites, offering new encryption and security tools. Source: http://www.itproportal.com/2015/02/03/hackers-ransoming-encryption-keys-website-owners/

Read More:
Hackers ransoming encryption keys from website owners

Tidal waves of spoofed traffic: DDoS attacks

While massive retail breaches dominated headlines in 2014, with hacks involving state-sponsored threats coming in a strong second, distributed denial-of-service (DDoS) attacks continued to increase, both in the volume of malicious traffic generated and the size of the organizations falling victim. Recently, both the Sony PlayStation and Xbox Live gaming networks were taken down by Lizard Squad, a hacking group which is adding to the threat landscape by offering for sale a DDoS tool to launch attacks. The Sony and Xbox takedowns proved that no matter how large the entity and network, they can be knocked offline. Even organizations with the proper resources in place to combat these attacks can fall victim. But looking ahead, how large could these attacks become? According to the “Verisign Distributed Denial of Service Trends Report,” covering the third quarter of 2014, the media and entertainment industries were the most targeted during the quarter, and the average attack size was 40 percent larger than those in Q2. A majority of these insidious attacks target the application layer, something the industry should be prepared to see more of in 2015, says Matthew Prince, CEO of CloudFlare, a website performance firm that battled a massive DDoS attack on Spamhaus early last year. Of all the types of DDoS attacks, there’s only one Price describes as the “nastiest.” And, according to the “DNS Security Survey,” commissioned by security firm Cloudmark, more than 75 percent of companies in the U.S. and U.K. experienced at least one DNS attack. Which specific attack leads that category? You guessed it. “What is by far the most evil of the attacks we’ve seen…[are] the rise of massive-scale DNS reflection attacks,” Prince said. By using a DNS infrastructure to attack someone else, these cyber assaults put pressure on DNS resolver networks, which many websites depend on when it comes to their upstream internet service providers (ISP). Believing these attacks are assaults on their own network, many ISPs block sites in order to protect themselves, thus achieving the attacker’s goal, Prince said. By doing so “we effectively balkanize the internet.” As a result, more and more of the resolvers themselves will be provided by large organizations, like Google, OpenDNS or others, says Prince. Source: http://www.scmagazine.com/tidal-waves-of-spoofed-traffic-ddos-attacks/article/393059/

Originally posted here:
Tidal waves of spoofed traffic: DDoS attacks

BitTorrent’s Project Maelstrom will host websites in torrents

When you enter a URL and hit enter, your computer reaches out to a server someplace in the world to access a website. Sometimes a site is stored on a few servers for redundancy or load balancing, but the model is functionally the same. BitTorrent, the company behind the popular file sharing protocol, is looking to change the way websites are hosted by keeping the data not on a centralized server, but on the home computers of users. These sites would be split up into pieces just like a file shared via a torrent. BitTorrent calls this system Project Maelstrom, and it’s getting very close to reality. Project Maelstrom is built on a modified version of Chromium, the open source project that backs Google’s Chrome browser. If we extend the file sharing analogy to Project Maelstrom, the modified browser is basically your torrent client. You enter a web address, and the browser connects to a “swarm” of users already accessing the site who have pieces of it ready to send over. These bits are assembled into the final product and displayed normally. If it works as intended, you won’t notice a difference in the functionality of these sites. The torrent browser is going to be able to access regular web pages via the internet, but it’s mainly for these so-called torrent web pages. One of the main advantages here will be scalability that surpasses anything we have today on traditional server infrastructure. When a site gets hit by a lot of traffic, a server has to devote more and more bandwidth to serving content, which can easily saturate the pipes. In the case of a distributed denial of service attack (DDoS), a website can be knocked offline for hours or days. A torrent web page should actually become more reliable as it is accessed more. More seeds means more speed and accessibility.   One notable drawback to Project Maelstrom would be the relative difficulty in keeping very new or unpopular sites online. When a new torrent web page is created, there is only one source for the data, probably with nowhere near the power of a dedicated web server. So the creator is the first seed, the next person to visit is the second seed, but the third person then has two sources to download from, then becoming the third seed. It’s just like a torrent — it can get stupid-fast when there are enough seeds. The decentralized nature of Project Maelstrom would also make it nearly impossible to take down a website as long as users kept seeding it. Seems like a perfect match for The Pirate Bay, right? This platform would present ethical issues, of course. What if a legitimately terrible or illegal site were hosted in Maelstrom? There might not be any way to take it down. This is something law enforcement already deals with on Tor, but Project Maelstrom has the potential to be much faster and easier to use. Still, BitTorrent thinks content providers will get on board with Maelstrom as a way to reduce costs. For example, if Netflix can detect when a user is connecting through a Maelstrom-enabled browser, it could save money by serving video content through a swarm of multiple users, rather than pushing separate streams out to everyone individually. It would be like a content delivery network on steroids. BitTorrent is going to find out if Maelstrom will be used for good or evil soon. A consumer version is expected this year.   Source: http://www.extremetech.com/internet/198578-bittorrents-project-maelstrom-will-host-websites-in-torrents

View article:
BitTorrent’s Project Maelstrom will host websites in torrents

Latest Lizard Squad hack shows increasing strength of DDoS attacks

Bill Barry, executive vice president, Nexusguard, has prepared a comment in light of the recent Lizard Squad hack on Taylor Swift’s Twitter account: “The hack on Taylor Swift proves that the Lizard Squad has another string to its bow, having previously used DDoS attacks to bring down the Sony Playstation, Microsoft Xbox and Malaysian Airlines systems rather than infiltrating them. “It’s time for businesses and brands to realise the multi-faceted security threats presented by sophisticated cyber criminals. “The DDoS for hire space has become so lucrative that these mayhem-for-sport acts of hacking  a celebrity Twitter account is a way to build brand recognition and raise awareness that anyone, anywhere could be the victim of cyber attacks. “This heightened market awareness becomes a dangerous marketing engine to allow anyone with a slight motive to launch their own attacks at intended targets. “Using this tactic has meant that in a short time over 14,000 customers have signed up to use the Lizardstresser DDoS tool. “The Lizard Squad has proved, if nothing else, that DDoS attacks are becoming more effective. The methods used by DDoS networks to locate vulnerabilities within security systems are more sophisticated and automated. “Leveraging zero-day and zero-plus vulnerabilities in unprotected networks means that they are able to recruit and add infected computers to their attack army at an ever-alarming rate. “This increased rate of botnet recruitment not only gives the attacker a flexible arsenal of attacks for causing mayhem, but increases the overall effectiveness and success rate of each attack. “Imagine the leverage a group such as The Lizard Squad could gain by bringing down a betting website on Grand National Day, for example. “The best way to guard against zero-plus attacks to is to always be vigilant and proactively try to identify vulnerabilities and weaknesses in your system before the attackers do. For an enterprise,  this may mean compiling rules and guidelines on which online applications are approved for use, and implementing proactive monitoring at an application level to detect abnormalities as early as possible. “However, this is just the first layer of total protection – an effective defence requires in-depth, tailored implementation, not a one-size-fits-all mitigation solution. “With multi-vector attacks, all avenues of attack must be detected and mitigated. For example, sophisticated attackers like the Lizard Squad may be using a mixture of DDoS and hacking – no off-the-shelf product is likely to deal with such an approach effectively. “Best practice is to seek the guidance of a security specialist that can design and customise a solution specific to your business.” Source: http://www.itproportal.com/2015/01/30/latest-lizard-squad-hack-shows-increasing-strength-ddos-attacks/

View original post here:
Latest Lizard Squad hack shows increasing strength of DDoS attacks

Nearly half of all DDoS attacks uses multiple attack vectors

Akamai released a new security report that provides analysis and insight into the global attack threat landscape including DDoS attacks. Akamai observed a 52 percent increase in average peak band…

More:
Nearly half of all DDoS attacks uses multiple attack vectors

Nearly half of all DDoS attacks use multiple attack vectors

Akamai released a new security report that provides analysis and insight into the global attack threat landscape including DDoS attacks. Akamai observed a 52 percent increase in average peak band…

See original article:
Nearly half of all DDoS attacks use multiple attack vectors

We take bots down, but they get up again – you’re never going to keep them down

Dell analysis shows ZeroAccess botnet still slinging out A combined attack on one of the world’s biggest networks of infected PCs has been partially successful: analysis from Dell SecureWorks shows you can’t keep a bad botnet down.…

View post:
We take bots down, but they get up again – you’re never going to keep them down

How much can a DDoS attack cost your organization?

A DDoS attack on a company’s online resources might cause considerable losses – with average figures ranging from $52,000 to $444,000 depending on the size of the company. For many organizations, thes…

View article:
How much can a DDoS attack cost your organization?