DDoS attacks and botnets
Mirai botnet launches DDoS attack against a US college
At the end of March, Incapsula researchers observed a DDoS attack aimed at a US college.
The attack lasted 54 hours and generated an average of 30,000 requests per second (RPS), with a peak of 37,000 and a total of 2.8 billion requests, a volume that would knock most devices on a network offline.
Less than a day after the first attack ended, a second one followed with a lower impact: it lasted a little more than an hour and a half, averaging 15,000 RPS.
The size of the attack and the user agents it used point to a probable new variant of the Mirai botnet; this time the flood hit the application layer (HTTP requests) rather than the network layer.
The 9,793 distinct source IP addresses (from the US, Israel, Taiwan, India, Turkey, Russia and Italy) belonged to Internet of Things devices such as CCTV cameras, routers and DVRs; in particular, 56% of the devices were a single DVR model from one manufacturer.
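As an added example (not Incapsula's or the attackers' code), here is how a flood of this kind stands out in ordinary web-server access logs: a per-second request count far above baseline, and one user-agent string shared by many distinct source addresses. The log lines and the thresholds are constructed for illustration and scaled down so that a handful of lines is enough to trip them.

```python
"""Spot an application-layer (HTTP) flood in web-server access logs.

Added example, not Incapsula's or Mirai's code. SAMPLE_LOG is a constructed
Combined Log Format sample and the thresholds are illustrative assumptions,
scaled down so that a handful of lines is enough to trip them.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

BOT_UA = "Mozilla/5.0 (X11; Linux x86_64) FloodAgent/1.0"  # constructed user agent

# Constructed sample: six sources hitting the same URL in one second with the
# same user agent, followed by two ordinary visitors.
SAMPLE_LOG = [
    f'198.51.100.{i} - - [29/Mar/2017:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "{BOT_UA}"'
    for i in range(1, 7)
] + [
    '203.0.113.5 - - [29/Mar/2017:10:00:02 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/52.0"',
    '203.0.113.6 - - [29/Mar/2017:10:00:03 +0000] "GET /news HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Macintosh) Safari/603.1"',
]


def parse_line(line):
    """Parse one Combined Log Format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyze(lines, rps_threshold=5, ua_share_threshold=0.6):
    """Return the seconds whose request rate reaches rps_threshold, the number of
    distinct sources per second, and the user agents that account for at least
    ua_share_threshold of all requests while coming from more than one IP.

    Real floods run at tens of thousands of RPS (the attack above averaged
    30,000); the defaults here are deliberately tiny for the sample.
    """
    per_second = Counter()
    ips_per_second = defaultdict(set)
    ua_requests = Counter()
    ua_ips = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sec = rec["ts"].isoformat()
        per_second[sec] += 1
        ips_per_second[sec].add(rec["ip"])
        ua_requests[rec["ua"]] += 1
        ua_ips[rec["ua"]].add(rec["ip"])
    total = sum(per_second.values())
    flood_seconds = {s: n for s, n in per_second.items() if n >= rps_threshold}
    # One user-agent string reused by many distinct sources is the signature of a
    # botnet flood, as opposed to a single misbehaving client.
    suspicious_uas = {
        ua: {"requests": n, "distinct_ips": len(ua_ips[ua])}
        for ua, n in ua_requests.items()
        if total and n / total >= ua_share_threshold and len(ua_ips[ua]) > 1
    }
    return {
        "flood_seconds": flood_seconds,
        "distinct_ips": {s: len(ips) for s, ips in ips_per_second.items()},
        "suspicious_uas": suspicious_uas,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

The two signals are deliberately kept separate: a rate spike alone can be a legitimate traffic surge, and a dominant user agent alone can be a single crawler, but a spike spread over many source addresses that all present the same user agent is what distinguishes an IoT botnet flood from either.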
Radware announces the discovery of BrickerBot, the DoS botnet that bricks IoT devices
Radware announced the discovery of BrickerBot, a botnet whose attacks tamper with the storage and kernel parameters of IoT devices, damaging them so badly that the whole system has to be reinstalled or the device itself replaced. This kind of attack is also called Permanent Denial of Service (PDoS) or phlashing.
Two distinct attacks have been identified, both starting on 20 March: BrickerBot.1 ended after 4 days, while BrickerBot.2 was still ongoing; both target Linux/BusyBox devices.
In particular, BrickerBot.1 originates from IP addresses assigned to Ubiquiti access points and routers running an outdated version of Dropbear SSH, while BrickerBot.2 comes through Tor exit nodes, which makes the sources impossible to identify.
Like Mirai, BrickerBot brute-forces Telnet credentials to gain access to the device; once in, it runs a series of Linux commands that corrupt the storage, degrade Internet connectivity, damage the kernel and wipe all data.
Radware suggests securing devices with these simple steps:
- Change the default access credentials
- Disable Telnet access
- Adopt security tools based on Network Behavioral Analysis and User/Entity Behavior Analytics (UEBA)
- Use an Intrusion Prevention System (IPS) to block Telnet connections
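The "disable Telnet" step can be verified on the device itself. The following added example (not Radware's tooling) checks a Linux/BusyBox box for an exposed Telnet service by reading /proc/net/tcp directly, since stripped-down firmware images often lack netstat or ss, and by looking for an active telnet entry in inetd.conf. The /proc/net/tcp and inetd.conf contents are constructed samples.

```python
"""Check a Linux/BusyBox device for an exposed Telnet service.

Added example, not Radware's tooling. Stripped-down firmware often lacks
netstat or ss, so the check reads /proc/net/tcp directly. The /proc/net/tcp
and inetd.conf contents below are constructed samples.
"""
import socket
import struct

TELNET_PORT = 23
TCP_LISTEN = 0x0A  # socket state code used in /proc/net/tcp

# Constructed /proc/net/tcp: telnetd on all interfaces, a web server, SSH bound
# to loopback only, and one established telnet session (state 01, not LISTEN).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 00000000 100 0 0 10 0
   2: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1236 1 00000000 100 0 0 10 0
   3: 0A000002:0017 0A000001:C3A0 01 00000000:00000000 00:00000000 00000000     0        0 1237 1 00000000 20 4 30 10 -1
"""

# Constructed inetd.conf with an active telnet entry.
SAMPLE_INETD_CONF = """\
# <service> <socket> <proto> <wait> <user> <server> <args>
telnet  stream  tcp  nowait  root  /usr/sbin/telnetd  telnetd
#ftp    stream  tcp  nowait  root  /usr/sbin/ftpd     ftpd
"""


def _decode_addr(field):
    """Turn 'IPHEX:PORTHEX' from /proc/net/tcp into (dotted_ip, port).
    The kernel prints the IPv4 address as one little-endian 32-bit hex word."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(proc_net_tcp_text):
    """Return [(ip, port)] for every TCP socket in LISTEN state."""
    sockets = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        if int(fields[3], 16) == TCP_LISTEN:
            sockets.append(_decode_addr(fields[1]))
    return sockets


def inetd_telnet_enabled(inetd_conf_text):
    """True if inetd.conf contains an uncommented telnet entry (telnetd spawned on demand)."""
    for line in inetd_conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.split()[0] == "telnet":
            return True
    return False


def audit_telnet(proc_net_tcp_text, inetd_conf_text):
    """Return human-readable findings; an empty list means no Telnet exposure was found."""
    findings = []
    for ip, port in listening_sockets(proc_net_tcp_text):
        if port == TELNET_PORT:
            scope = "all interfaces" if ip == "0.0.0.0" else ip
            findings.append(f"telnetd listening on {scope}:{port}; stop it and remove it from startup")
    if inetd_telnet_enabled(inetd_conf_text):
        findings.append("inetd.conf has an active telnet entry; comment it out and restart inetd")
    return findings


if __name__ == "__main__":
    # On a real device read the live files instead of the samples:
    # open("/proc/net/tcp").read() and open("/etc/inetd.conf").read()
    for finding in audit_telnet(SAMPLE_PROC_NET_TCP, SAMPLE_INETD_CONF):
        print(finding)
```

Both checks matter: a device with no telnetd process can still accept Telnet if inetd spawns it on the first connection, which is exactly the kind of listener a brute-force scanner finds. On a device without Python, the same decoding can be done by eye from `cat /proc/net/tcp`: a local address ending in `:0017` with state `0A` is a Telnet listener.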
A Bitcoin mining module was temporarily added to Mirai
IBM X-Force researchers announced the identification of a Mirai variant with an added module for Bitcoin mining, that is, the generation of Bitcoin, the virtual currency that is gaining momentum.
The addition lasted about a week and was then removed, since the infected units lack the computational resources needed for Bitcoin mining, an activity that demands far more CPU and GPU power than these devices have.
This capability, even as an experiment, raises questions about the future evolution of the Mirai malware and botnet: will it remain limited to DDoS attacks, or will it include mining, leveraging the combined computing power of the network of infected devices? Given that most IoT devices can be compromised with simple tools, what is the real potential of such botnets?
Cerber ransomware evades machine learning
The Cerber ransomware has adopted a new technique to avoid detection by machine-learning-based solutions, becoming harder to identify. As TrendLabs (Trend Micro) researchers explain, the ransomware uses a loader to sidestep machine-learning checks by hiding inside regular system processes.
Cerber is distributed via email with a link to a Dropbox file; once downloaded, it self-extracts (a Visual Basic script, a DLL library and a binary file holding the loader and its configuration) and starts its activity.
The loader checks whether it is running in a virtual machine or a sandbox and whether certain tools are present (Msconfig, sandboxes, Regedit, Task Manager, virtual machines, Wireshark, 360, AVG, Bitdefender, Dr. Web, Kaspersky, Norton, Trend Micro): if any of these conditions is met, Cerber stops. Otherwise it injects its payload, the Cerber binary, directly into a system process, which makes it invisible to ordinary analysis tools.
The danger of this version lies in its use of a self-extracting file, regular DLL libraries and binary code, elements that are largely transparent to systems based on static machine-learning techniques, which look at the type of data rather than its actual content.
However, Cerber is at the moment still detectable by solutions that cross-check multiple signals and do not rely on machine learning alone.
The No More Ransom project grows with new collaborations
The No More Ransom project was born in the summer of 2016 as a collaboration between Europol, the Dutch police, Kaspersky Lab and Intel Security, with the aim of fighting ransomware.
It now gains new and important partnerships: Avast, CERT Polska and Eleven Paths – Telefonica Cyber Security Unit, which bring the number of associate partners to 7, while 30 more partners join the 46 already on board, including the police departments of Australia, Belgium, Israel, South Korea, Russia and Ukraine, and Interpol.
The content is now available in 14 languages, including German, Spanish and Japanese; further translations are expected soon to help people all around the world.
14 new tools bring the total number of decryption tools to 40.
Avast offers 6 new decryption tools
Avast offers 6 new tools for decrypting files encrypted by a ransomware attack.
The first tool is for FindZip, a ransomware that targets Apple's macOS; the procedure is simple, but the tool is an .exe file, so on macOS it needs a compatibility layer such as Wine or CrossOver, while on Windows it runs natively. The second tool, produced in collaboration with CERT.PL researchers, is for CryptoMix, which also circulates as the CryptFile2, Zeta and CryptoShield variants.
The remaining tools cover the HiddenTear, Jigsaw and Stampado/Philadelphia ransomware. The complete list of decryption tools offered by Avast is available at this address.
Avast recently became an associate partner of the No More Ransom project.
Cisco suggests disabling Telnet because of a vulnerability in its IOS operating system
After WikiLeaks published the classified material known as "Vault 7", which describes techniques adopted by the CIA to hack IT systems, Cisco identified parts of it that could compromise its products and recommends that customers disable Telnet.
The vulnerability lies in the Cluster Management Protocol (CMP) code of Cisco IOS, Cisco's proprietary operating system, and of Cisco IOS XE Software; CMP lets members of a cluster exchange information over Telnet.
If exploited, the vulnerability allows an unauthenticated remote attacker to access the device and reload it, or even execute arbitrary code.
The bug is the result of two distinct issues: first, CMP does not distinguish between internal (cluster) Telnet connections and remote ones, so CMP-specific Telnet options are accepted over any Telnet session to the device; second, malformed CMP-specific Telnet options are handled incorrectly. Cisco suggests disabling Telnet in favour of SSH; no patch is available at the moment.
A complete list of affected devices is available at this address.
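Until a fix ships, the mitigation is a configuration check. The added example below (not Cisco's tooling) parses an IOS running-config for `line vty` blocks, flags any that still accept Telnet, and emits the `transport input ssh` lines to apply in configuration mode. The configuration text is a constructed sample; treating a vty block with no `transport input` at all as needing review is an assumption, since the default transport depends on the IOS release.

```python
"""Audit a Cisco IOS / IOS XE running-config for Telnet on the vty lines.

Added example, not Cisco's tooling. SAMPLE_CONFIG is a constructed
configuration; treating a vty block with no 'transport input' as needing
review is an assumption, since the default depends on the IOS release.
"""
import re

VTY_RE = re.compile(r"^line vty \d+(?: \d+)?$")

# Constructed running-config: the first vty range still accepts Telnet.
SAMPLE_CONFIG = """\
hostname edge-sw1
!
line con 0
 logging synchronous
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
!
end
"""


def parse_vty_blocks(config_text):
    """Return [(label, [sub-commands])] for every 'line vty' block, e.g. ('vty 0 4', [...])."""
    blocks = []
    current = None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if VTY_RE.match(raw):
            current = (raw[len("line "):], [])
            blocks.append(current)
        elif raw.startswith(" "):
            if current is not None:  # indented sub-command of the current vty block
                current[1].append(raw.strip())
        else:
            current = None  # another top-level section began
    return blocks


def audit_vty_transport(config_text):
    """Return [(label, finding)] for vty blocks that accept Telnet or leave the transport unset."""
    findings = []
    for label, commands in parse_vty_blocks(config_text):
        allowed = set()
        seen = False
        for cmd in commands:
            if cmd.startswith("transport input "):
                seen = True
                allowed.update(cmd.split()[2:])
        if not seen:
            findings.append((label, "no 'transport input' configured; set 'transport input ssh'"))
        elif "telnet" in allowed or "all" in allowed:
            findings.append((label, f"accepts Telnet ({' '.join(sorted(allowed))}); replace with 'transport input ssh'"))
    return findings


def remediate(config_text):
    """Return the configuration-mode lines that force SSH-only on every vty block."""
    lines = []
    for label, _ in parse_vty_blocks(config_text):
        lines.append(f"line {label}")
        lines.append(" transport input ssh")
    return lines


if __name__ == "__main__":
    for label, finding in audit_vty_transport(SAMPLE_CONFIG):
        print(f"{label}: {finding}")
    print("\n".join(remediate(SAMPLE_CONFIG)))
```

The check walks every vty range rather than only `vty 0 4`, because a second range left with the default transport is the usual way Telnet survives an "SSH-only" migration. After applying the change, confirm from outside that TCP port 23 on the device no longer answers.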
36 Android devices from two companies come with preinstalled malware
Check Point researchers published a list of Android devices that shipped already infected with malware from the Loki and SLocker families. The devices were distributed by two specific companies whose identities have not been disclosed. Loki obtains root privileges to exercise its spyware capabilities, stealing sensitive information such as browser history, contact list, call log and geolocation data; it also injects unauthorised ads. SLocker is a ransomware for mobile devices.
The malware is not part of the operating system as supplied by the Android developers or the manufacturers; it was injected by a third party somewhere along the supply chain. The danger comes both from the malware itself and from the missing trust relationship between buyer and seller, especially with unreliable sellers: a device might contain backdoors or be rooted without the user's consent.
Customers should buy apps and devices only through conventional channels.
The complete list of affected devices and APKs, with SHA1 hashes, is available here.
iOS 10.3 fixes a Safari vulnerability that allows scareware infections
News from the vendors
GoDaddy acquires Sucuri
GoDaddy, the world's biggest hosting company, announced the acquisition of Sucuri, the popular website security firm. Sucuri will keep operating as usual, while GoDaddy will integrate Sucuri's services into its own.
Sucuri's products include a WAF (Web Application Firewall), an IPS (Intrusion Prevention System), a CDN (Content Delivery Network), plus monitoring, DDoS mitigation and cloud backup services. "The vast majority of our customers aren't website security experts, nor should they need to be to secure their websites," says Kevin Doerr, Senior Vice President and General Manager of Security at GoDaddy. "Combining Sucuri with GoDaddy's scale will advance digital security for our customers by making it simple, timely and affordable."
"We will continue to operate as is. There are no changes to our customers. They will continue to get the service they expect, and they will continue to be Sucuri customers. They can also expect improvements to our support services and products as we invest more in those areas in the coming months and quarters," Sucuri commented in a post on its blog.
Microsoft ends support for Windows Vista
On 11 April 2017, Extended Support for Windows Vista officially ended. Vista was introduced in 2007.
Extended Support adds 5 years to the 5 years of Mainstream Support, extending the product's total lifetime to 10 years. Once that period ends, the operating system no longer receives updates or maintenance; it should be considered obsolete and an upgrade planned (to Windows 7, Windows 8.1, Windows 10 or another OS) in order to guarantee support until at least 2020, when Extended Support for Windows 7 ends.