The Mevade Trojan and botnet have gained unexpected notoriety when it turned out that the majority of the recent, sudden and massive uptick in Tor users was the result of it adding Tor as a method of …
Read More:
Tor-using Mevade botnet is stealthy new version of old threat
A London schoolboy has been secretly arrested over the “world’s biggest cyber attack” as part of an international swoop against a suspected organised crime gang. The 16-year-old was detained by detectives at his home in south-west London after “significant sums of money” were found to be “flowing through his bank account”. He was also logged on to what officials say were “various virtual systems and forums” and had his computers and mobiles seized as officers worked through the night to secure potential evidence. The boy’s arrest, by detectives from the National Cyber Crime Unit, followed an international police operation against those suspected of carrying out a cyber attack so large that it slowed down the internet. The “distributed denial of service” or “DDoS” attack was directed at the Dutch anti-spam group Spamhaus which patrols the web to stop prolific spammers filling inboxes with adverts for counterfeit Viagra, bogus weight-loss pills and other illegal products. Details of the arrest, which happened in April, had been kept secret, but have been disclosed to the Evening Standard ahead of the formation of the Government’s new National Crime Agency. It will take over the National Cyber Crime Unit as part of a drive against offending carried out over the internet, now seen as one of the most serious crime-fighting challenges. More than half of the 4,000 officers who will form the new agency next month will be trained in combating cyber crime. The arrest of the London schoolboy, whose identity has not been disclosed, came during a series of coordinated raids with international police forces. Others detained included a 35-year-old Dutchman living in Spain. A briefing document seen by this newspaper on the British investigation, codenamed Operation Rashlike, states that the attack was the “largest DDoS attack ever seen” and that it had a “worldwide impact” on internet exchanges. The document says services affected included the London Internet Exchange and that although the impact was eventually “mitigated” it managed to cause “worldwide disruption of the functionality” of the internet. Giving details of the schoolboy’s alleged involvement, the briefing note states: “The suspect was found with his computer systems open and logged on to various virtual systems and forums. The subject has a significant amount of money flowing through his bank account. Financial investigators are in the process of restraining monies.” The boy has been released on bail until later this year. The disclosure of his arrest follows two cyber attacks on banks. Four men have appeared in court over the first, involving an alleged plot to take over Santander computers by fitting a device during maintenance work. Another eight were arrested over a £1.3?million theft by a gang who took control of a Barclays computer. Meanwhile, security minister James Brokenshire said the creation National Crime Agency would bolster efforts to combat organised criminals operating on the internet and ensure that “cyber gangsters” were left with no hiding place. “The new National Crime Agency’s Cyber Crime Unit will pursue the organised crime gangs behind the online crimes that blight people’s lives and cost the economy millions,” he added. Source: http://www.standard.co.uk/news/crime/london-schoolboy-secretly-arrested-over-worlds-biggest-cyber-attack-8840766.html
Continue reading here:
London schoolboy secretly arrested over ‘world’s biggest cyber attack’
Now that the banking industry has gone through four rounds of very public DDoS attacks, experts are looking at what happened to extract some “lessons learned” to turn this negative into a positive. Even if your business isn’t a financial institution, there’s good advice here that’s certainly worth heeding. Lesson One: No matter what industry or business you’re in, you need to have a plan in place to defend your business. DDoS attacks are not just hitting the banking industry. If your business has competitors that would benefit from your website being down, then you are vulnerable. Since it’s possible to buy DDoS as a service, anyone can launch an attack against you for as little as $10. Lesson Two: Don’t wait for an attack to put a solution in place to defend your company. Once an attack starts – and it could happen at any time – your organization’s website could be completely out of commission for an extended period. Why risk downtime when it’s easy enough to put a solution in place today? The solution could be on premise, in the cloud, or a hybrid combination. Lesson Three: Get a dedicated DDoS solution. Don’t count on traditional security devices like firewalls and IDS/IPS to protect your business because they just aren’t designed to handle modern DDoS attacks. When you choose a solution, consider that the volume level of attacks has been getting bigger, and the attacks have grown more sophisticated. Get a solution that meets today’s needs. Lesson Four: Create a detailed incident response plan. Know what to do if/when an attack occurs and assign tasks to specific people to avoid delays in responding. Lesson Five: If your organization is hit by an attack, closely monitor for indicators of compromise (IOCs). Many experts believe that DDoS attacks are smoke screens for fraud and other types of attacks that are designed to steal money or intellectual property. Lesson Six: Be willing to share information. DDoS attacks have been widespread and businesses, solution vendors and law enforcement agencies are better together than individually. If we look at what happened with the banking industry attacks, it got easier to defend against them once all types of organizations collaborated with each other to share intelligence, profiles of the attacks and mitigation strategies. Lesson Seven: This is more of a prediction than a lesson learned. Experts predict that critical infrastructure such as utilities, transportation systems, pipelines, the electrical grid, etc., will be targeted for DDoS attacks at some point. Attackers have the ability to target industrial controls as well as business websites. Administrators who control critical infrastructure need to re-read lessons one through six and take them to heart. Source: http://www.securitybistro.com/?p=8023
See original article:
Lessons Learned From the Banking Industry DDoS Attacks: Good Advice Worth Heeding
What could possibly go wrong other than a C&C net sharing your colo barn’s IP address? Telstra is preparing to get proactive with malware, announcing that it will be implementing a DNS-based blocker to prevent customer systems from contact known command-and-control servers.…
Taken from:
Telstra to DNS-block botnet C&Cs with unknown blacklist
September 11 came, it went and despite the FBI warning to credit unions to be ready for a bump in hostile activities on that anniversary date, multiple experts said they saw absolutely no traffic increase. But they also had worrisome news: There has been a sharp rise in low-grade Distributed Denial of Service (DDoS) attacks aimed at financial institutions, often in association with attempted fraud, but sometimes apparently simply an angry act by a rejected loan applicant or a terminated employee. First, the 9/11 news: “Nothing unusual happened on September 11. The reason there is nothing to report is that the volume is the same as the day before,” said Ashley Stephenson, CEO of Corero, a Hudson, Mass.-based DDoS mitigation firm. “Every day there are attacks.” Chris Novak of the Verizon Risk Team said likewise: “We saw no spike in activity on 9/11.” Rich Bolstridge, a DDoS expert with Cambridge, Mass-based network traffic firm Akamai, made it three: “We saw no increase in activity on September 11. We had expected to see activity. But it was very quiet.” The big DDoS guns fired by al Qassam and other actors usually said to be connected to nation states in the Middle East may not have been out on 9/11, but the bad news is the jump in low-grade attacks that may be small compared to the giant attacks unleashed by al Qassam are plenty large enough to knock an unprepared credit union off line and, said the experts, most credit unions remain unprepared to adequately deflect DDoS assaults of just about any magnitude. “We are surprised how naive CUs are about DDoS,” said Kirk Drake, CEO of Hagerstown, Md.-based CUSO Ongoing Operations. “They don’t realize how easy it has become for just about anyone to aim DDoS at a target.” That is the rub, Terrence Gareau, principal research scientist for DDoS mitigation firm Prolexic in Hollywood, Fla., explained: “There is a very low barrier to entry for DDoS. We are talking $5 that will buy you 600 seconds of DDoS.” That may only be 10 minutes, but the plunger who can come up with $50 could put a credit union down for an afternoon. A chilling factoid via a report from Santa Clara, Calif.-based NSFOCUS, a DDoS mitigation firm: “Based on traffic analysis, there are 1.29 DDoS attacks occurring worldwide every two minutes, on average.” The company added, “Most attacks are short and small. The report found that 93.2% of DDoS attacks were less than 30 minutes in duration and 80.1% did not surpass a traffic rate of 50 Mbps.” By contrast, the data throughput in al Qassam attacks has sometimes exceeded 45 Gbps, meaning it is vastly larger. Van Abernethy, an NSFOCUS spokesperson, elaborated, “The main news – the press focuses on the big DDoS – but the reality is that unreported DDoS goes on all the time. There are a lot of small attacks.” And then it gets worse still: “Small attacks are often accompanied by data exfiltration attempts, especially at financial institutions,” said Abernethy. Verizon’s Novak agreed: “We are seeing where DDoS is used to distract a medium-size financial institution. While they are busy fighting off the DDoS. they don’t see that terabytes of data just walked out the door. That’s scary.” A similar warning was issued a few weeks ago by respected Gartner analyst Avivah Litan who said she knew of three instances where DDoS was used to distract financial institution security as fraud was committed. She declined to offer specific details. At CUNA Mutual, risk expert Ken Otsuka said that in the past year one loss associated with a DDoS attack had been filed. He also offered no specifics. Add it up, however, and the situation is grim. DDoS as a service – available for hire by those with a grudge or with criminal intent – is increasingly available, it is cheap, and at least some providers happily accept Bitcoin, the virtual currency with some anonymity built in. Importantly, just about no technical skill is required, just a few dollars and a willingness to name a target. On the credit union front, the sense among experts is that the largest institutions – perhaps the top 25 or 50 – may have credible DDoS mitigation tools in place. As for the many thousands of others, the collective opinion is that probably most are unprotected. That could paint an attractive bull’s-eye for crooks. “There’s a trend where we see attacks going down market,” said Novak, “where the criminals are attacking smaller financial institutions because they don’t have the same defenses as the big banks.” Source: http://www.cutimes.com/2013/09/13/threat-of-the-week-sept-11-quiet-but-ddos-on-the-r
Read the article:
Threat of the Week: Sept. 11 Quiet But DDoS On The Rise (Again)
Denial-of-service attacks have long been considered the blunt wooden club of online hazards, a multi-gigabit stream of shock and awe. Yet, increasingly the noisy attacks are being used to hide more subtle infiltrations of a target’s network. A number of financial institutions, for example, have been targeted by distributed denial-of-service (DDoS) attacks immediately following a wire transfer, according to security firms familiar with the cases. The attacks, generated by computers infected with the DirtJumper DDoS malware, attempt to disrupt any response to the fraudulent transfer of funds, which are usually in the six-figure dollar range, according to a report by Dell Secureworks published in April. “The analogy is signal jamming,” says Kevin Houle, director of threat intelligence for managed security provider Dell Secureworks. “To the extent that you can use the DDoS attack to do cause chaos electronically, to prevent access to particular systems during an attack, the tactic has proven successful.” While DirtJumper has focused on causing chaos immediately following money transfers, the technique could be generalized to other attack scenarios. A variation of the attack has been used by Iranian hacktivists groups to disrupt the online operations of U.S. financial institutions by hiding more subtle application-layer attacks within larger packet floods. And South Korean companies were flooded with data while malware deleted information on organizations’ servers. “Your goal is to sow confusion,” says Vann Abernethy, a senior product manager at NSFOCUS, a DDoS mitigation firm. “A DDoS attack is designed to get your IT department to run around like their hair is on fire.” In addition, noisy DDoS attacks could attract more attackers, says Terrence Gareau, principal security architect for Prolexic, a DDoS mitigation firm. A very public attack could convince other groups to attempt their own operations in the chaos, he says. “If it’s a very public attack, then there is a high probability that other opportunistic attackers could take part as well,” Gareau says. “Opportunistic criminals will say, wow they are under a DDoS attack, so lets look at the network and see what changes have been made.” Companies need to structure their response group to handle a large infrastructure attack, but not be blinded by the influx of alerts to their system. Like magicians, the goal of the attackers is to force the security staff to only pay attention to a distraction to keep them from discovering the actual trick. “You almost have to have a team that deals with the infrastructure attack, and a separate group that goes into hyper-vigilance to find any other attacks coming in,” says NSFOCUS’s Abernethy. A third-party provider, who can use intelligence from attacks on other customers to more quickly identify new attacks, can help eliminate much of the inbound attack traffic, dialing down the volume of alerts that the security team has to process. The level of alerts seen by a security team during a denial-of-service attacks can increase by an order of magnitude. Filtering them out at the edge of the Internet can greatly reduce the impact on a business’s network and employees. “If you don’t have to have all those alerts on your network, you can pay attention to what matters,” Prolexic’s Gareau says. “Using a third part mitigation provider can significantly reduce the noise.” Yet, attacks that use a variety of traffic and techniques in a short time period can cause problems for denial-of-service mitigation firms, says Lance James, head of intelligence for Vigilance, a threat information firm that is now part of Deloitte. “They are not perfect,” James says. “We still see major banks going down. But they do well against long period term DDoS attacks.” While DirtJumper, also known as Drive, is not the only botnet that is used for combined attacks, it a popular one. DirtJumper has a half dozen ways of attacking infrastructure, including flooding Web sites with GET requests and POST requests, targeting infrastructure with two types of IP floods, and using UDP packets to slow down networks. Source: http://www.darkreading.com/threat-intelligence/countering-attacks-hiding-in-denial-of-s/240161237
Continued here:
Countering Attacks Hiding In Denial-Of-Service Smokescreens
It’s always the same: Government cybersecurity experts learn of pending distributed denial of service attacks, especially around the anniversary of Sept. 11, and issue warning after warning after warning, as though security is something we can do on a “per-warning” basis. I really don’t understand this way of approaching security or why government agencies believe such warnings are helpful. I’m not saying we shouldn’t be warned — not at all. What I’m saying is that we shouldn’t wait for a warning before we do something about security. On Aug. 5, for instance, the FBI and the Financial Services and Information Sharing and Analysis Center issued a warning that the same groups behind the unsuccessful Operations USA and Operation Israel attacks in May were planning a new DDoS attack. Their recommendations leave me perplexed. For instance, they suggest: – Implement backup and recovery plans. Really? We’re supposed to wait for a warning on a 9/11 DDoS threat to know that we need to do this? We’re in serious trouble if that’s the case. – Scan and monitor emails for malware. Again, really? This is a recommendation? Is there truly anyone out there who still doesn’t do this? And, if there is, they deserve whatever happens to their network, I say. – Outline DDoS mitigation strategies. Finally, something a bit more relevant. I know for a fact that most companies aren’t putting much thought into DDoS defense strategy. Unfortunately, if you’re hosting a server with public access, you’ve no choice but to consider this with the utmost seriousness. Just how seriously, you ask? Well, that all depends on how much of your company’s livelihood hinges on that server. It’s an undeniable fact of our Internet life that these things will keep happening. No matter if it’s 9/11 or OpUSA or a private single hacker from Russia or China. They’ll continue to happen, and we all understand the need to be prepared. DDoS preparedness is accomplished as a strategy. It involves hardware, large bandwidth, ISP collaboration, remote redundancy and other possible strategies for defense and elusion. This isn’t anti-malware. You can’t create a signature or heuristic against DDoS. This is sheer brute force in that you win if you’re stronger, or if you’re the more elusive, so they can’t really get you. And that’s precisely why you need a strategy, and you need to plan it now. You can also purchase hardware — but make it part of a strategy. Don’t expect it to be the one and only thing you need to do to fend off a DDoS attack. Source: http://www.informationweek.com/government/security/federal-ddos-warnings-are-outdated/240161165
Read More:
Federal DDoS Warnings Are Outdated
Prolexic, detailed the rampant problem of denial of service attacks within and from online gaming communities. The DDoS attacks, which can pack a powerful punch by the use of reflection and amplificat…
See the article here:
Multiplayer games and DoS attacks
Earlier this year, US-CERT has deemed it important to release an alert about publicly accessible open recursive DNS servers that are increasingly being used in DNS amplification attacks – a very effec…
More here:
C&C PHP script for staging DDoS attacks sold on underground forums
U.S. and Israeli government agencies and banking institutions should be on alert for a potential Sept. 11 wave of distributed-denial-of-service attacks launched by the same groups behind the unsuccessful Operation USA and Operation Israel attacks in May. That warning comes from cybersecurity experts and alerts issued by the Federal Bureau of Investigation and the Financial Services Information Sharing and Analysis Center. While OpUSA and OpIsrael, which were designed to take down websites operated by globally recognized brands and governmental agencies, were not successful, cybersecurity experts say the threat this time is genuine. The groups behind these attacks are now more organized, better equipped and trained, and more determined than they were the first time around, they say. The FBI, however, notes that the attacks are not expected to have a serious or significant impact. “It is thought that due to the fact that hackers will be relying on commercial tools to exploit known vulnerabilities, and not developing custom tools or exploits, that the skill levels are, at best rudimentary, and capable of causing only temporary disruptions of any of the targeted organizations,” the FBI alert states. Attack Alerts On Aug. 5, the FS-ISAC issued a warning to its membership about a new wave of DDoS attacks that could target U.S. banks. David Floreen, senior vice president of the Massachusetts Bankers Association , says the FBI, which issued a separate alert on Aug. 30, and the FS-ISAC asked banking associations to spread the word about the possibility of attacks. “The attacks are expected to occur in two phases,” notes the FBI alert. “Phase I will take place over a period of 10 days and target several commercial and government sites with DDoS attacks. … “Phase II is scheduled to take place on September 11, with a more widespread attack threatened, along with Web defacements.” The FBI recommends organizations: Implement data backup and recovery plans; Outline DDoS mitigation strategies; Scan and monitor e-mail attachments for malicious links or code; and Mirror and maintain images of critical systems files The FBI did not release its alert to the public, an FBI spokeswoman acknowledges. But in an effort to get the word out, the Massachusetts Bankers Association posted the FBI and FS-ISAC warnings on its site, Floreen says. The FS-ISAC alert names top-tier banks that are likely to be targeted during an upcoming attack. The list of potential attack targets includes the same 133 U.S. banking institutions named in the April 24 Anonymous post that appeared on Pastebin during the first OpUSA campaign, says financial fraud expert Al Pascual, an analyst with consultancy Javelin Strategy & Research. The FS-ISAC alert does not reference OpIsrael, but experts say OpUSA and OpIsrael are connected. Planning Attacks Gary Warner, a cyberthreat researcher at the University of Alabama at Birmingham who also works for the anti- phishing and anti- malware firm Malcovery, claims the hacktivist groups’ main focus, for now, is Israel. If attacks against Israeli targets are successful, then U.S. targets will be next, he warns. Since June, two hacktivist groups, AnonGhost and Mauritanian Attacker, have been building plans for OpIsrael Reborn, according to Warner’s research. So far, these groups have not been linked to new attacks planned for a sequel to OpUSA, Warner says. Both groups, however, were involved in OpIsrael and OpUSA, he notes. “As part of our process of watching the phishers who create counterfeit bank websites, we track where many of those criminals hang out and what sorts of things they are discussing,” he says. “We became aware of OpIsrael Reborn while reviewing posts made by criminals who have been phishing U.S. banks and Internet companies.” Announcements for the new campaign began Sept. 2. But more posts were added on Facebook and in underground forums within the last week to recruit additional attackers, he says. “AnonGhost and Mauritanian Attacker have taken the time to build a strong coalition of hackers,” Warner says. “In that June release, there were no dates, no members and no targets announced.” Since that time, attackers have honed their targets, and they claim to have already compromised several government and banking sites in Israel, he says. On Sept. 11, they plan to publish information they’ve compromised from during those attacks, Warner adds. “They claim [on YouTube ] they are going to begin publishing the internal government documents of Israel,” he says. “The video also makes reference to the recent FBI claim that they have dismantled Anonymous.” Attackers are uniting this time out of anger over those claims made by the FBI as well as recent attacks waged against Islamic businesses believed to be backed by an Israeli hacktivist group, Warner explains. So why is this wave of attacks being taken more seriously than the first OpIsrael? The sheer number of attackers, their tools and the way the hacktivist groups have been building momentum through social networking sites such as Facebook has raised serious concern, Warner says. “They’ve been gathering tools since June 9, and training attackers on how do SQL and DDoS attacks,” he says. “It’s a SANS-quality training for hackers, and they’re prepping for wiping Israel off the [online] map.” On Sept. 9, two Israeli government websites were successfully taken offline for a period of time, Warner adds. “We did not see that success in OpIsrael or OpUSA,” he says. “If they pull this thing off against Israel, they will keep hitting others,” he says. No Attack Link to Al-Qassam Experts, including Warner, say Izz ad-Din al-Qassam Cyber Fighters , the self-proclaimed hacktivist group that’s been targeting U.S. banks since September 2012, does not appear to be involved in these most recent campaigns. And although U.S. banking institutions have built up strong online defenses over the last year to mitigate cyber-threats such as DDoS attacks, other sectors are far less prepared, Javelin’s Pascual says. “The lack of success that Izz ad-Din al-Qassam achieved during the fourth round of DDoS attacks was indicative of how well fortified U.S. banks have become,” Pascual says. But Rodney Joffe , senior technologist at DDoS-mitigation provider Neustar, says security professionals should be concerned that other attackers have learned lessons from al-Qassam’s strikes. “I don’t believe there is any connection between OpUSA and AQCF [al-Qassam Cyber Fighters],” he says. “However, the reason I think it is more worrying this time is because, as I have said over and over, the underground learned a lot of groundbreaking lessons from AQCF. … And this time around, they may be more successful.” Source: http://www.bankinfosecurity.com/911-ddos-alert-for-banks-agencies-a-6054
See the article here:
9/11 DDoS Alert for Banks, Agencies