DDoS attacks and botnets
Rakos, the new botnet that attacks Linux systems
ESET researchers published an article which explain how a botnet, called Rakos, is developing by infecting Linux servers and IoT devices through SSH attacks. The Mirai botnet, as a comparison, acts via Telnet, albeit a few attacks via SSH.
The first traces of Rakos date back to August 2016 and increased in the next months: the far is that the botnet, which is not active at the moment, is in the making and will sooner or later start DDoS attacks.
ESET researchers have understood how Rakos works: first it access to a Linux server via SSH with a brute force attack and creates folder with names such as .javaxxx, .swap, or kworker and where it works from.
Then it establishes a connection to the C&C (Command and Control) server and asks for a configuration file that contains version number, backup C&C server and a list of username-passwords combinations and IP address to force. Then the infected servers tries to access via SSH to these IP addresses with the credentials in the list.
If the attack is successful, Rakos uploads its binaries on the new infected server and starts a local web server on port 61314 which communicates with the C&C server and sends a periodical report on the infected system. The server starts the cycle again and so the attacks is wide spread.
Luckily Rakos disappears as the server is rebooted, but the systems that adopt default or weak access credentials will be infected again.
Mirai-based worm knocks out thousands of Deutsche Telekom users
At the end of last November almost 900.000 Deutsche Telekom -Germany’s biggest ISP- users have been victim of a Mirai based worm of a Mirai based worm that compromised Internet connectivity.
The worm was based on Mirai, a worm (not to be confused with the botnet of the same name) whose source code was released last September and that is at the basis of different botnets that exploits vulnerabilities (weak credentials and open ports) of IoT devices and are responsible, among the things, of the massive DDoS attacks of the 2016 Fall and of creating proxy that hide the identity of cyber-criminals.
The attack, directed to port 7547, aimed some routers by Zyxel and Speedport that Deutsche Telekom provides its clients with and didn’t update following the best practices which require the block of ports on incoming connections to prevent devices from being remote controlled from the outside. This way, it was possible to knock out thousands of devices and putting them offline until the ISP provided a fixing patch.
CloudFlare discovers a botnet responsible of DDoS attacks towards the US
CloudFlare announces the discovery of a colossal botnet responsible of several DDoS (Distributed Denial of Service) attacks aimed to the west coast of the US in the last weeks of November. The most powerful attack peaked with a bandwidth of more than 480Gbps and more than 200 million packets sent per second: the first attack was recorded on the 23rd of November -the day before Thanksgiving day- and lasted 8 hours and a half, with peaks of 400Gbps and an average of 320Gbps; the attack repeated again in the following days.
CloudFlare then precises that the botnet is not related to Mirai, the IoT devices composed botnet responsible of the most important DDoS attack ever recorded and different ones that knocked out Dyn, Deutsche Telekom and Krebs on Security.
Last fall recorded several DDoS attacks coming from botnets composed by hacked IoT devices, and the trend is going to increase. DDoS attacks for sure represent a threat that is aimed to everybody and not just ‘sensible categories’; they don’t come from a single source anymore, which could be neutralized, indeed they come from a network of millions of different sources that can hardly be controlled.
It’s mandatory to take some precautions when using IoT devices in order to avoid them to be hacked. Gartner estimates that in 2016 billion devices have been connected to the Internet, and by 2020 they will be 20 billion.
Ransomware
California sets ransomware as a crime
Good news in the ransomware fight: California approved a law that sets the diffusion of ransoware as a crime punishable by law.
Before this law, ransomware would fall into the category of extortion, money laundering or IT hacking: there wasn’t a specific law. Under the bill, a person engaged in the activity could be convicted of a felony and imprisoned up to four years.
“This legislation provides prosecutors the clarity they need to charge and convict perpetrators of ransomware,” Senator Bob Hertzberg said. “Unfortunately, we’ve seen a dramatic increase in the use of ransomware. This bill treats this crime, which is essentially an electronic stickup, with the seriousness it deserves.”
California is the second american state to sign a bill of this kind. Wyoming was the first in 2014.
Ransomware in 2016: the numbers according to Kaspersky Lab
Kaspersky Lab in its annual Kaspersky Security Bulletin report defines 2016 as the year when ransomware still continue to be a plague. Here’s the numbers:
- 62 new ransomware families have been identified
- The number of variants has grown 11 times: from 2900 in Q1 to 32000 in Q3
- Between January and October the number of attacks towards companies has grown 3 times: from one attack every 2 minutes to one every 40 seconds
- In the same period, attacks towards privates doubled: from one attack every 20 seconds, to one every 10 seconds
- 42% of SMB has been victim of a ransomware attack
- 32% of those SMB actually payed the ransom
- 67% of victim SMB has lost their data entirely or in part
- 1 company out of 4 needed more than a week to restore the access to encrypted data
- 20% of SMB that payed the ransom hasn’t received any private key to decrypt data
- 1 attack out of 5 leverages negligence, disattention or lack of awareness of the personal (so the human factor has a significant weight)
Ransomware campaigns are custom tailored according to specific objectives: “criminal cyber groups select their target, which are often caught into malicious spear-phishing operations, as long as they own important data or have access to it”, explains John Fokker of the Dutch National High Tech Crime Unit. There aren’t privileged sectors for attacks: from 23% of the education sector to 16% of health and wholesale and retail, thus describing a scenario where the risk of being a victim of a ransomware attack doesn’t change significantly.
Despite this year ransomware have grown in terms sophistication and numbers (quantity and attack power), the general awareness of this threat has grown between users and professionals: the No More Ransom project is a collaboration between the Dutch police, Europol, Intel Security and Kaspersky Lab that started in July; and by October, 13 other organizations have adhered to the project, creating an interesting pool.
And collaboration is the answer to the question -can we defeat ransomware?- that closes the report: “We believe we can – but only by working together. Ransomware is a lucrative criminal business. To make it stop the world needs to unite to disrupt the criminals’ kill-chain and make it increasingly difficult for them to implement and profit from their attacks.”
No More Ransom project grows with Bitdefender, Check Point, Emisoft, Trend Micro and 32 new tools
The No More Ransom was born in the summer of 2016 as a collaboration between the Dutch police, Europol and companies like Kaspersky Lab and Intel Security with the objective of providing advices and fight against the threats brought by ransomware, and to offer decryption tools.
Today No More Ransom grows with new associated partners like Bitdefender, Check Point, Emsisoft and Trend Micro that bring 32 new decryption tools (in addition to the 8 already available and that helped almost 6000 users to restore their encrypted files). The collaboration, as we read in a note, is extended on the European territory with the support of the police of Austria, Croatia, Denmark, Finland, Malta, Romania, Slovenia and Singapore (extra UE), thus bringing to 22 the number of countries involved in the project. An important Agency of the European Union is involved too: eu-LISA, or European Agency for the operational management of Large-Scale IT Systems in the area of freedom, security and justice.
Other supporting partners of the No More Ransom include AnubisNetworks, AON, Armor, Association for Preventing and Countering Frauds (APCF), BH Consulting, CECyF (Centre Expert contre la Cybercriminalité Français), Cyberlaws.NET, Cylance Inc., DATTO, Inc., ESET, FS- ISAC (Financial Services – Information Sharing & Analysis Center), G DATA Software AG, Heimdal Security, S21Sec, Smartfense, SWITCH, Ukrainian Interbank Payment Systems Member Association (EMA), CERT-EU (Computer Emergency Response Team for the EU institutions, agencies and bodies), IRISS CERT (Irish Reporting and Information Security Service), CIRCL.LU (Computer Incident Response Center Luxembourg) and SI-CERT (Slovenian Computer Emergency Response Team).
Vulnerabilities
Joomla vulnerability allows hackers to reset passwords
A Joomla vulnerability, catalogued as CVE-2016-9838, has been discovered. It affects all version of the CMS system up to version 3.6.4 included and allows hackers to modify existing accounts, including resetting passwords. The vulnerability has been fixed in version 3.6.5, therefore we suggest to update your Joomla installation as soon as possible.
Flash availability for the main browsers: the actual state
Flash is an obsolete technology that, after powering plenty of Websites for years, has now been replaced by HTML5, which offers better performances and less vulnerabilities: Flash, as of today, cannot be considered secure.
Google announced that Chrome will focus less on Flash than on HTML5, and indeed in September 2016, Chrome 53 disabled Flash by default, yet leaving the option to the user to enable it for certain sites or all the time. Chrome 55, available in December 2016, uses HTML5 by default except for some sites that support Flash only, and it will ask to enable it at the first visit.
Windows 10 Creators Update, expected this Spring, will disable Flash content by default in the Edge browser, yet remaining available to the user by means of a click-to-run feature.
The summer Anniversary Update already had a click-to-run feature in Edge but it was available for ads banners only, now it’s extended to all Flash content.
A whitelist with popular sites with Flash enabled will be present, and the list will be shortened as such sites will transition towards HTML5.
Safari, the native browser of macOS computers, adopts a similar policy as well: the Flash plugin (and the same goes for Java, QuickTime and Silverlight) is disabled by default, but the user can enable it on specific Websites. The plugin will be enable on that site as long as the user visits it, and if a month passes between a visit and the next one, the exception for that site will be revoked.
Lastly, Mozilla too announced that during 2017 Firefox will offer the Flash content of a site after user approval (click-to-activate). Firefox will end the support for NPAPI plugins, save Flash, in March 217, and the next version of Firefox ESR (Extended Support Release) will support plugin such as Silverlight and Java until the beginning of 2018, thus giving time for a transition towards other technologies.
The trend of the main browsers is to disable Flash by default, still providing the users with the choice to enable it (click-to-run). This decision is to be seen in a perspective of a safer and quicker Web, thus offering a simpler and carefree user experience.
Stegano, the exploit kit that hides in the pixels of advertising banners
ESET researchers discovered a new exploit kit a new exploit kit (ie a malware that allows to scan the system and find vulnerabilities that hackers can use for attacks. Further information on Kaspersky Lab blogs) that hides in the advertising banners of several news sites considered reliable and visited by million of users every day.
Stegano, this is the name of the exploit kit, is aimed to Internet Explorer users and looks for Flash Player vulnerabilities. It hides in the pixels of banners images, hence the name that derives from steganography, “the practice of concealing a file, message, image, or video within another file, message, image, or video. The word steganography combines the Greek words steganos (στεγανός), meaning "covered, concealed, or protected", and graphein (γράφειν) meaning "writing". (Wikipedia).
Robert Lipovsky, an ESET researcher, explains that “there are advertising banners with “poisoned pixels” leading to a new exploit kit, intended to enable the bad guys to remotely install malware onto victims’ computers. The victim doesn’t even need to click on the malicious ad content; all it takes is to visit a website displaying it. If the victim’s computer runs a vulnerable version of Flash Player, the machine will be compromised via an exploited vulnerability automatically.
After that, the bad guys have all they need to download and execute the malware of their choice. Some of the payloads we analyzed include banking trojans, backdoors and spyware, but the victims could end up facing a nasty ransomware attack, for example.”
Stegano is a sneaky exploit kit as it doesn’t require a user input in order to start working and it can’t be detected easily as it hides in the parameters that regulate the transparency of images, and it’s impossible to notice it by just looking at images.
The good old advice about keeping the computer updated and disabling Flash Player by default (enable it momentarily only when needed) still hold true.
News from the vendors
HP blocks FTP and Telnet on its printers
HP announced that new printers of the Business tier will come with FTP and Telnet access disabled by default, still providing the user with the option to enable these controls.
“HP started the dismission process of obsolete and not maintained technologies which includes ports, protocols and encryption suites classified as non secure by the U.S. National Institute of Standards and Technology”, says a statement released by the American company.
Furthermore, HP announced that the Secure MSP programme will include new services and features for the safeguard of documents and hardware, with the aim of “taking actions in a proactive manner to prevent security problems related to printing and document archiving infrastructures”, as Robert Palmer, IDC Research Director, explains.
First patches for exploitable Netgear routers are now available
8 different models of Netgear routers are vulnerable to a simple exploit that allows hackers to take control of the device: the hacker needs to trick the user to digit an URL in the form http://< router_IP >/cgi-bin/;COMMAND in order to leverage the exploit with a technique called comand injection.
According to the Netgear security team, the vulnerable router models are:
-
R6250
-
R6400
-
R6700
-
R7000
-
R7100LG
-
R7300
-
R7900
-
R8000
Netgear released beta firmware for the models R6400, R7000 and R8000 that fix the issue; while waiting for patches for the remaining models, the United States Computer Emergency Readiness Team (US-CERT) suggests not to use a compromised router at all until a patch is available.
ADDENDUM: all routers have working firmware patches. You can find them here.
Mozilla Firefox extends the support to Windows XP and Vista until September 2017
Mozilla GitHub repo that Firefox will support Windows XP and Windows Vista operating systems until September 2017. In March users will be automatically shifted to the Extended Support Release (ESR) and will receive no support anymore a few months later.
Mozilla encourages the upgrades to operating systems that are currently supported by Microsoft.
Let us remind you that Microsoft stopped supporting Windows XP in 2014 and will stop supporting Windows Vista in April 2017.
Facebook releases its Certificate Transparency Monitoring Tool
“Certificate Transparency is an open framework to log, audit and monitor all publicly-trusted TLS certificates on the Internet. This tool lets you search for certificates issued for a given domain. Subscribe to email updates to be alerted when new certificates are issued.”
This is how Facebook presents its newly released Certificate Transparency Monitoring Tool.
Bartosz Niemczura of the security team explains in a note that “Certificate Authorities issue hundreds of certificates every minute, but by using Facebook infrastructure, we can quickly process large amounts of data and provide a reliable and efficient search function for certificates listed for a domain.”
The goal of CT is to limit abuses in the releasing of certificates, which are feed by the introduction of player that release free certificates. Risks derived from an irresponsible use of SSL certificates is to be kept in mind and jeopardizes the benefits brought by the standard.
CT is available in two mode: Domain Research -it shows certificates collected by CT for a particular domain- and Subscribe to Domain -it sends email alerts each time new certificates are added for a specific domain.
Project Wycheproof, the tool by Google to prevent crypto-bugs
Google announces the release of Project Wycheproof, an open source tool dedicated to the analysis of known vulnerabilities of the most popular encryption libraries.
The tool is developed in Java and offers test for different algorithms such as AES-EAX, AES-GCM, DH, DHIES, DSA, ECDH, ECDSA, ECIES ed RSA.
In more than 80 tests performed by Google, more than 40 bugs have been identified in RSA, DSA, ECDH e DH.
Project Wycheproof is obviously not a complete test, however Google believes that it will be useful to developers and users as starting point in the hard task of verifying whether an encryption algorithm has been properly implemented.
Indeed a success in the tests offered by the tool doesn’t mean that the library is secure, rather that it’s not vulnerable to the attacks that Project Wycheproof analyses; it’s still possible to perform a good amount of tests without having particular knowledge in the matter.
Further information, including use instructions, are available at the GitHub repo of the project.
Adobe Flash Player 24 now available for Linux, 5 years after the latest release
Adobe Flash Player 24 for Linux is available after a stop in the development for this OS with no known reasons in 2012. Flash in Linux has remained dormant at version 11 for 5 years without receiving a single update, now it’s on par with Windows and macOS.
Adobe Flash Player 24 includes all security features available in Windows and macOS but lacks some features in terms of performances: there is no support for GPU 3D acceleration and video DRM.
This release seems to be quite late, now that the main browser developers have announced the end of support to Flash in favour of alternatives such as HTML5 and JavaScript.
Chrome to label as “non secure” all HTTP connections
Google reminds that starting with Chrome 56, all Websites that asks for password, credit card number and other sensible data and don’t use an HTTPS connection will be labeled as “non secure” with a warning banner in the address bar of the browser.
This measure has been announced months ago, and with time all HTTP connections will be labeled as non secure.
“Enabling HTTPS on your whole site is important, but if your site collects passwords or credit cards, it’s critical to use HTTPS. #NoHacker” is how the post ends.
Apple extends the HTTPS deadline for iOS apps
Last June at the Worldwide Developers Conference (WWDC) 2016, Apple announced that all iOS apps available at the App Store would use the App Transport Security (ATS) protocol by the end of the year.
ATS is a proprietary protocol that protects the connection between an app and the server by leveraging the HTTPS protocol. It has been introduced and enabled by default in iOS 9.0 and OS X 10.11.
However Apple released a note that extends the deadline with no date until further communication.
According to a study by Appthority, in December only 5% of the 200 most popular apps are compliant with the guidelines proposed by Apple with ATS.
Firefox will include patches of the TOR browser to improve its security level
The developers of Firefox and TOR are collaborating in the development of these two browsers, a note appeared on Tor blog says.
The Tor browser is based almost entirely on Firefox, and the parts of code which differentiates it from the Mozilla product are called patches by the development teams.
Such patches are important on a security level and require a new implementation every time the team decides to use a newer version of Firefox.
As a consequence, the dev teams of both browsers decided to join forces. This collaboration will bring advantages to Tor (tighter integration) and Firefox, that will take particular advantage of the patches.
The integration process of a patch is called ‘uplifting’: the first uplifting in Firefox 52 is about First Party Isolation, which is an anti-tracking system.
Patches are disabled by default: the user must enable them. For instance, in order to enable First Party Isolation, you must digit ‘about:config’ in the browser address bar to access the configuration tab and set to True the value of the string ‘privacy.firstparty.isolate’.
Future patches will include an anti-fingerprinting system which prevents the website to identify the browser (additional info at https://amiunique.org/) also with cookies disabled and a sandbox that will isolate malware distributed via the Web.
AVG improves its main products with Avast technologies
After being acquired by Avast, AVG announced the release the release of the 2017 verson of its main products: AVG AntiVirus FREE, AVG Internet Security and AVG TuneUp. These products now integrates Avast technologies that enrich and improve the overall offer.
AVG AntiVirus Free and AVG Internet Security can now leverage the real time protection of CyberCapture, the file scanner based on proprietary Cloud. The latest version of the software protect users from viruses and malware -ransomware included-, hacking attempts and guarantee safe Web and email activities. The new user interface improves the user experience.
AVG Internet Security includes a control on DNS records which prevents malicious redirects to phishing sites, an encryption system for personal data and a protection mechanism for sensible activities like home banking and online payments.
TuneUp, the free performance scanner by AVG, is now part of the security line: the new Software Updater automatically checks for and installs updates of the programs installed on the computer, thus reducing the likelihood of being hacked because of bugs and vulnerabilities. TuneUp, as the name suggests, helps to improve the computer performances also thanks to the Sleep Mode, which puts in ‘sleep’ mode all applications which are not currently used, saving battery and network bandwidth.