DDoS attacks and botnets

Mirai botnet launches DDoS attack against a US college

At the end of March, Incapsula researchers reported a DDoS attack aimed at a US college.
The attack lasted 54 hours and generated an average of 30,000 requests per second (RPS), with a peak of 37,000 and a total of 2.8 billion requests; a volume of this kind can knock out most devices on a network.
Less than a day after the first attack a second one followed, with a lower impact: it lasted a little more than an hour and a half, at 15,000 RPS on average.

The attack points to a probable new version of the Mirai botnet, as both its size and the user agents it employed show; it was an application-layer (HTTP) flood rather than a network-layer one.

The 9,793 distinct source IP addresses (in the US, Israel, Taiwan, India, Turkey, Russia and Italy) belong to Internet of Things devices such as CCTV cameras, routers and DVRs; in particular, 56% of the devices are a single DVR model from one manufacturer.
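The two signals Incapsula used to attribute the flood to a Mirai-style botnet, request rate and user agents, are exactly what a web administrator can pull from an ordinary access log. The following script is an added example (it is not Incapsula's tooling and not part of the original article): it parses Combined Log Format lines, counts requests per second, and for the seconds above a threshold profiles source addresses and User-Agent strings. The log lines, the 192.0.2.0/24 bot addresses, the User-Agent strings and the 20 RPS threshold are constructed for the example.

```python
"""Triage of an application-layer (HTTP) flood from web-server access logs.

Added example, not part of the original article nor Incapsula's tooling.
It parses Combined Log Format lines, counts requests per second, and for the
seconds above a threshold profiles the source IPs and User-Agent strings.
The log lines, IP ranges, User-Agent strings and the 20 RPS threshold are all
constructed for the example.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, request, status, _size, _referer, ua = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "time": when, "request": request, "status": int(status), "ua": ua}


def triage_flood(lines, threshold_rps=20):
    """Summarise the seconds in which the request rate reached threshold_rps."""
    records = [r for r in map(parse_line, lines) if r is not None]
    per_second = Counter(r["time"] for r in records)  # log timestamps have 1 s resolution
    hot_seconds = {t for t, n in per_second.items() if n >= threshold_rps}
    flood = [r for r in records if r["time"] in hot_seconds]
    by_ip = Counter(r["ip"] for r in flood)
    by_ua = Counter(r["ua"] for r in flood)
    top_share = by_ip.most_common(1)[0][1] / len(flood) if flood else 0.0
    return {
        "peak_rps": max(per_second.values(), default=0),
        "hot_seconds": len(hot_seconds),
        "flood_requests": len(flood),
        "distinct_ips": len(by_ip),
        # a botnet spreads the load: the busiest single source holds a tiny share
        "max_source_share": top_share,
        "top_uas": by_ua.most_common(3),
    }


# --- constructed sample log -------------------------------------------------
T0 = datetime(2017, 2, 28, 10, 0, 0, tzinfo=timezone.utc)
BOT_UA = "Mozilla/5.0 (compatible; example-iot-flooder)"  # constructed UA string
NORMAL_UA = "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/56.0"


def _log_line(ip, when, path, ua):
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'


def build_sample_log():
    """Ten seconds of traffic: 2 legitimate requests/s, plus a 3-second flood
    of 30 requests/s spread over 90 distinct source addresses (192.0.2.0/24)."""
    lines = []
    for s in range(10):
        t = T0 + timedelta(seconds=s)
        lines.append(_log_line("203.0.113.5", t, "/", NORMAL_UA))
        lines.append(_log_line("198.51.100.7", t, "/courses", NORMAL_UA))
        if 3 <= s <= 5:
            for k in range(30):
                bot_ip = f"192.0.2.{(s - 3) * 30 + k}"
                lines.append(_log_line(bot_ip, t, "/login", BOT_UA))
    return lines


if __name__ == "__main__":
    report = triage_flood(build_sample_log())
    for key, value in report.items():
        print(f"{key:>17}: {value}")
```

On the constructed log the peak is 32 RPS, 92 distinct addresses take part and the busiest single source accounts for about 3% of the flood requests: a low share with many sources is the distributed pattern described above, and a single dominant User-Agent across those sources is what singles out the bot population from legitimate visitors.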

Radware announces the discovery of BrickerBot, the DoS botnet that bricks IoT devices

Radware announces the discovery of BrickerBot, a botnet whose attacks tamper with the storage and kernel parameters of IoT devices, damaging them so badly that the whole system has to be reinstalled or the device itself replaced. This kind of attack is also called Permanent Denial of Service (PDoS) or phlashing.
Two distinct attacks have been identified, both starting on 20 March: BrickerBot.1 ended after 4 days, while BrickerBot.2 is still ongoing; both target Linux/BusyBox devices.
In particular, BrickerBot.1 originates from IP addresses assigned to Ubiquiti access points and routers running an obsolete version of the Dropbear SSH server, while BrickerBot.2 operates through Tor exit nodes, making identification of its sources impossible.

Like Mirai, BrickerBot brute-forces Telnet credentials to gain access to the system; once in, it runs a series of Linux commands that corrupt storage, degrade Internet connectivity, damage the kernel and wipe all data.

Radware suggests securing devices with these simple steps:

  • Change default access credentials
  • Disable Telnet access
  • Adopt security tools based on Network Behavioral Analysis and User/Entity Behavioral Analysis (UEBA)
  • Use an Intrusion Prevention System to block Telnet connections
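The last two steps on Radware's list come down to detecting the credential guessing that precedes the destructive commands and cutting the source off before a guess lands. The script below is an added example (not Radware's tooling and not part of the original article) of the decision an IPS makes: a sliding-window count of failed Telnet logins per source, a block once the count reaches a threshold, and an alert when a blocked source nevertheless logs in, because at that point the device is about to be bricked. The syslog line format, the addresses, the account names and the thresholds (5 failures within 60 seconds) are all constructed for the example.

```python
"""Telnet brute-force detection over device syslog, the way an IPS decides to
block a source. Added example; not Radware's tooling nor the article's code.
The syslog format below ("telnetd[pid]: login failed|ok for user 'x' from ip")
is constructed for the example, as are the addresses and the thresholds.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ telnetd\[\d+\]: "
    r"login (failed|ok) for user '([^']*)' from (\S+)$"
)


def parse_event(line, year=2017):
    """Return (time, outcome, user, ip) or None; syslog omits the year."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp, outcome, user, ip = m.groups()
    when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return when, outcome, user, ip


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Sliding-window count of failed logins per source address.

    A source reaching `threshold` failures inside `window_s` seconds is added
    to `blocked` (the time at which an IPS rule would have fired). Any later
    successful login from a blocked source is recorded in `compromised`: the
    guessing worked, which is the moment BrickerBot's destructive commands run.
    """
    recent_failures = defaultdict(deque)   # ip -> failure timestamps inside the window
    usernames = defaultdict(set)           # ip -> accounts tried (default-credential list)
    blocked = {}                           # ip -> time of the block decision
    compromised = []                       # (ip, user, time) successes after a block
    for event in map(parse_event, lines):
        if event is None:
            continue
        when, outcome, user, ip = event
        if outcome == "failed":
            q = recent_failures[ip]
            q.append(when)
            usernames[ip].add(user)
            while (when - q[0]).total_seconds() > window_s:
                q.popleft()                # drop failures older than the window
            if len(q) >= threshold and ip not in blocked:
                blocked[ip] = when
        elif ip in blocked:
            compromised.append((ip, user, when))
    return {
        "blocked": blocked,
        "compromised": compromised,
        "usernames": {ip: sorted(users) for ip, users in usernames.items()},
    }


# Constructed syslog excerpt: one guessing source that succeeds on its sixth
# attempt, and one administrator who mistypes a password twice, half an hour apart.
SAMPLE_LOG = """\
Apr  3 12:00:01 dvr telnetd[311]: login failed for user 'root' from 192.0.2.10
Apr  3 12:00:03 dvr telnetd[311]: login failed for user 'admin' from 192.0.2.10
Apr  3 12:00:05 dvr telnetd[311]: login failed for user 'root' from 192.0.2.10
Apr  3 12:00:07 dvr telnetd[311]: login failed for user 'support' from 192.0.2.10
Apr  3 12:00:09 dvr telnetd[311]: login failed for user 'root' from 192.0.2.10
Apr  3 12:00:11 dvr telnetd[311]: login ok for user 'root' from 192.0.2.10
Apr  3 12:05:00 dvr telnetd[312]: login failed for user 'admin' from 198.51.100.7
Apr  3 12:30:00 dvr telnetd[313]: login failed for user 'admin' from 198.51.100.7
Apr  3 12:30:20 dvr telnetd[313]: login ok for user 'admin' from 198.51.100.7
"""

if __name__ == "__main__":
    result = detect_bruteforce(SAMPLE_LOG.splitlines())
    for ip, when in result["blocked"].items():
        print(f"block {ip} at {when:%H:%M:%S}, accounts tried: {result['usernames'][ip]}")
    for ip, user, when in result["compromised"]:
        print(f"ALERT {ip} logged in as {user!r} at {when:%H:%M:%S} after being blocked")
```

With the sample excerpt the guessing source is blocked at 12:00:09, two seconds before its successful login, so the alert fires; the administrator's two spaced-out failures never reach the threshold. The window and threshold are the knobs to tune against real login noise before wiring the block decision to a firewall rule.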

A Bitcoin mining module was temporarily added to Mirai

IBM X-Force researchers announced the identification of a Mirai variant with an added module for Bitcoin mining, i.e. the generation of Bitcoin, the virtual currency that is gaining momentum.

The addition lasted almost a week before being removed, since the infected units lack the computational resources for Bitcoin mining, an activity that demands a lot of CPU and GPU power.
This capability, albeit an experiment, prompts some reflections on the future evolution of the Mirai malware and botnet: will it remain limited to DDoS attacks, or will it add Bitcoin mining, leveraging the combined computational power of the network of infected devices? Given that most IoT devices can be hacked with simple tools, what is the real potential of such botnets?

Ransomware

Cerber ransomware evades machine learning

The Cerber ransomware has adopted a new technique to avoid detection by solutions based on machine learning. As TrendLabs (Trend Micro) researchers explain, the ransomware uses a loader to bypass machine-learning-based checks by hiding inside regular system processes.

Cerber is distributed via email with a link to a Dropbox file which, once downloaded, self-extracts (a Visual Basic script, a DLL library and a binary file containing loader and configuration) and begins its activity.

The loader checks whether the system runs in a VM or a sandbox and whether certain tools are running (Msconfig, sandboxes, Regedit, Task Manager, virtual machines, Wireshark, 360, AVG, Bitdefender, Dr. Web, Kaspersky, Norton, Trend Micro): if any of these conditions is met Cerber stops; otherwise it injects its payload, i.e. the Cerber binary, directly into a system process, making it transparent to normal analysis tools.

The danger of this version lies in its use of a self-extracting file, regular DLL libraries and binary code, elements that are essentially transparent to systems based on static machine learning, which examine the type of file rather than its actual content.
However, Cerber is at the moment still detectable by solutions that cross-check with other techniques and do not rely on machine learning alone.
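The difference between "what type of file is this" and "what is inside it" is the whole point of the TrendLabs analysis, and it can be shown in a few lines. The script below is an added example (not Trend Micro's code and not part of the original article): a ZIP archive stands in for the self-extracting file (the real sample is an SFX executable), and two verdict functions are compared, one that stops at the container signature and one that opens the container and applies loader-pattern rules to the members. The member names, bytes and rules are constructed for the example.

```python
"""Container type vs content: why a static check that stops at the file type
misses a Cerber-style bundle. Added example, not Trend Micro's or the
article's code. A ZIP archive stands in for the self-extracting file; the
member names and bytes are constructed. `naive_type_verdict` mimics a
classifier that looks only at the container signature, `cross_check_verdict`
opens the container and reasons about what is inside.
"""
import io
import zipfile
from collections import Counter

SCRIPT_EXT = (".vbs", ".js", ".wsf", ".ps1", ".bat")
DOC_MAGIC = {b"\xff\xd8\xff": "jpeg", b"%PDF": "pdf", b"\x89PNG": "png"}
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def build_bundle(members):
    """Pack {name: bytes} into an in-memory ZIP and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in members.items():
            z.writestr(name, data)
    return buf.getvalue()


def naive_type_verdict(blob):
    """Decide from the outer container type only (the weak, 'static' view)."""
    if blob.startswith(b"PK\x03\x04"):
        return "allow"      # "it is just an archive"
    return "scan"           # anything else gets a closer look


def member_kind(name, data):
    """Classify one member by magic bytes first, then extension."""
    lower = name.lower()
    if data.startswith(b"MZ"):  # PE header, whatever the name says
        return "pe" if lower.endswith((".dll", ".exe")) else "pe-disguised"
    if lower.endswith(SCRIPT_EXT):
        return "script"
    for magic, kind in DOC_MAGIC.items():
        if data.startswith(magic):
            return kind
    if lower.endswith((".txt", ".md", ".csv")) and all(b in PRINTABLE for b in data[:256]):
        return "text"
    return "opaque"


def cross_check_verdict(blob):
    """Open the container and apply loader-pattern rules to its members."""
    if not blob.startswith(b"PK\x03\x04"):
        return "scan"
    kinds = Counter()
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for info in z.infolist():
            kinds[member_kind(info.filename, z.read(info))] += 1
    has_pe = kinds["pe"] or kinds["pe-disguised"]
    reasons = []
    if kinds["pe-disguised"]:
        reasons.append("PE header under a non-executable name")
    if kinds["script"] and has_pe:
        reasons.append("script plus PE in one bundle (loader pattern)")
    if kinds["opaque"] and has_pe:
        reasons.append("opaque blob beside a PE (likely config/payload)")
    return "block: " + "; ".join(reasons) if reasons else "allow"


# Constructed bundles: an ordinary document archive and a Cerber-like trio
# (script + DLL + opaque configuration), neither containing real code.
BENIGN_BUNDLE = build_bundle({
    "readme.txt": b"Course schedule for spring term.\n",
    "campus.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
})
CERBER_LIKE_BUNDLE = build_bundle({
    "run.vbs": b'Set sh = CreateObject("WScript.Shell")\nsh.Run "loader.exe"\n',
    "helper.dll": b"MZ\x90\x00" + b"\x00" * 60,   # PE header stub only
    "config.bin": bytes(range(256)),               # opaque loader configuration
})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_BUNDLE), ("cerber-like", CERBER_LIKE_BUNDLE)):
        print(f"{label:>12}: type-only={naive_type_verdict(blob)!r} "
              f"cross-check={cross_check_verdict(blob)!r}")
```

Both bundles get "allow" from the type-only check, which is the blind spot the article describes; the cross-check blocks the Cerber-like one on the script-plus-PE combination and on the opaque blob beside it, while the document archive passes. Real products layer several such checks (and behavioural ones) on top of the machine-learning verdict, which is why the current Cerber build is still caught.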

The No More Ransom project grows with new collaborations

The No More Ransom project was born in the summer of 2016 to fight ransomware, as a collaboration between Europol, the Dutch police, Kaspersky Lab and Intel Security.

It now gains new and important partnerships: Avast, CERT Polska and ElevenPaths (Telefónica Cyber Security Unit), bringing the number of associate partners to 7, while 30 more supporting partners join the 46 already present, among them the police departments of Australia, Belgium, Israel, South Korea, Russia and Ukraine, and Interpol.
The content is now available in 14 languages, including German, Spanish and Japanese; further translations are expected soon to help people all around the world.
14 new tools bring the total number of decryption tools to 40.

Avast offers 6 new decryption tools

Avast offers 6 new tools to decrypt files encrypted by ransomware.

The first tool is for FindZip, a ransomware targeting Apple's macOS; the procedure is easy, but the tool is an .exe file that runs natively on Windows and requires emulation software such as Wine or CrossOver on macOS. The second tool, developed in collaboration with CERT.PL researchers, is for CryptoMix, which also circulates under the CryptFile2, Zeta and CryptoShield variant names.
The remaining tools are for the HiddenTear, Jigsaw and Stampado/Philadelphia ransomware families. The complete list of decryption tools offered by Avast is available at this address.

Avast recently became an associate partner of the No More Ransom project.

Vulnerabilities

Cisco suggests disabling Telnet because of a vulnerability in its IOS operating system

After WikiLeaks published classified material (“Vault 7”) describing the techniques the CIA uses to compromise IT systems, Cisco identified parts of it that could affect its products and recommends that customers disable Telnet.

The vulnerability lies in the Cluster Management Protocol (CMP) code of Cisco IOS, Cisco's proprietary operating system, and of Cisco IOS XE Software; CMP lets cluster members exchange information over Telnet or SSH.
If exploited, the vulnerability allows an unauthenticated remote attacker to reload the device or execute arbitrary code on it.
The bug is the result of two distinct issues: CMP does not restrict its Telnet options to internal, local communications between cluster members but accepts them on any Telnet connection to the device, and malformed CMP-specific Telnet options are processed incorrectly. Cisco suggests disabling Telnet in favour of SSH; no patch is available at the moment.
A complete list of affected devices is available at this address.
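Since the only mitigation Cisco offers is to turn Telnet off, the practical question for an operator with many devices is which of them still accept it on their vty lines. The script below is an added example (it is not Cisco's tooling and not part of the original article): it walks the "line vty" blocks of a running-config, reads each block's "transport input" statement and reports where Telnet is enabled. The two configurations are constructed; the handling of a vty block with no explicit "transport input" (reported as Telnet-allowed and flagged for verification) is an assumption, because the default differs between IOS releases.

```python
"""Audit Cisco IOS configurations for vty lines that still accept Telnet.

Added example; not Cisco's tooling and not the article's code. It walks the
'line vty' blocks of a running-config, reads each block's 'transport input'
statement and reports where Telnet is enabled. The configurations are
constructed. Assumption: a vty block without an explicit 'transport input' is
reported as Telnet-allowed, because the default differs between IOS releases
and must be verified on the device.
"""
import re

VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?$")


def vty_blocks(config_text):
    """Return one dict per 'line vty' block with its transport input list."""
    blocks, current = [], None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        m = VTY_RE.match(line)
        if m:
            first = int(m.group(1))
            last = int(m.group(2)) if m.group(2) else first
            current = {"range": (first, last), "transport_input": None}
            blocks.append(current)
            continue
        if current is None:
            continue
        if line and not line.startswith(" "):
            current = None          # a top-level statement ('!', 'end', ...) ends the block
            continue
        words = line.split()
        if words[:2] == ["transport", "input"]:
            current["transport_input"] = words[2:]
    return blocks


def telnet_exposure(config_text):
    """Classify every vty range as 'telnet', 'ssh-only', 'closed' or 'other'."""
    findings = []
    for block in vty_blocks(config_text):
        protos = block["transport_input"]
        if protos is None:
            status = "telnet (implicit default, verify)"   # assumption, see docstring
        elif "none" in protos:
            status = "closed"
        elif "all" in protos or "telnet" in protos:
            status = "telnet"
        elif protos == ["ssh"]:
            status = "ssh-only"
        else:
            status = "other: " + " ".join(protos)
        findings.append((block["range"], status))
    return findings


def allows_telnet(config_text):
    """True if any vty range accepts, or may accept, Telnet."""
    return any(status.startswith("telnet") for _, status in telnet_exposure(config_text))


# Constructed configurations: the first still accepts Telnet (explicitly on
# vty 0-4, implicitly on vty 5-15), the second is what Cisco's advice leads to.
WEAK_CONFIG = """\
hostname edge-sw1
!
line con 0
 logging synchronous
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
!
end
"""

HARDENED_CONFIG = """\
hostname edge-sw1
!
ip ssh version 2
!
line con 0
 logging synchronous
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 transport input none
!
end
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: telnet={allows_telnet(cfg)}")
        for (first, last), status in telnet_exposure(cfg):
            print(f"  line vty {first} {last}: {status}")
```

Run against exported running-configs (one file per device), the audit turns Cisco's advice into a list of devices to fix; the vty 5-15 block of the weak configuration shows why the missing statement is reported rather than silently assumed safe.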

36 Android devices from two companies come with preinstalled malware

Check Point researchers published a list of Android devices infected with malware of the Loki and SLocker families. The devices were distributed by two specific companies, whose identities have not been disclosed. Loki gains root privileges to exercise its spyware capabilities, stealing sensitive information such as browser history, contact list, call log and geolocation data; it also injects illegitimate ads. SLocker is a ransomware for mobile devices.

The malware is not present in the operating system as shipped by the Android developers or the manufacturers; rather, it is injected by a third party somewhere along the supply chain. The danger comes both from the malware itself and from the broken relationship of trust between buyer and seller, in particular with unreliable sellers: a device might contain backdoors or be “rooted” without the user's consent.
Customers should purchase apps and devices only through conventional channels.
The complete list of affected devices and APKs with their SHA1 hashes is available here.

iOS 10.3 fixes a Safari vulnerability exploited by scareware

Apple released iOS 10.3, an update for its mobile operating system that finally fixes a Safari vulnerability exploited to deliver scareware attacks via JavaScript. Scareware, like ransomware, is malicious software that demands money to unlock a blocked situation but, unlike ransomware, blocks or encrypts no data: it relies on the fear of the user to make them pay.

Some scareware campaigns, as mobile security company Lookout explains, leveraged a Safari flaw that let JavaScript open pop-ups in an endless loop, making the browser unusable (unless its cache was cleared, an operation unknown to most victims). An official-looking warning would then scare the user and demand a sum of money to unlock the phone. iOS 10.3 fixes this vulnerability.

News from the vendors

GoDaddy acquires Sucuri

GoDaddy, the world's biggest hosting company, announces the acquisition of Sucuri, the popular website security firm. Sucuri will operate as usual, while GoDaddy will integrate Sucuri's services into its own offering.

Sucuri's products include a WAF (Web Application Firewall), an IPS (Intrusion Prevention System), a CDN (Content Delivery Network) and monitoring, DDoS mitigation and cloud backup services. “The vast majority of our customers aren’t website security experts, nor should they need to be to secure their websites,” says Kevin Doerr, Senior Vice President and General Manager of Security at GoDaddy. “Combining Sucuri with GoDaddy’s scale will advance digital security for our customers by making it simple, timely and affordable.”

“We will continue to operate as is. There are no changes to our customers. They will continue to get the service they expect, and they will continue to be Sucuri customers. They can also expect improvements to our support services and products as we invest more in those areas in the coming months and quarters,” Sucuri commented in a post on its blog.

Microsoft ends support for Windows Vista

On 11 April Extended Support for Windows Vista officially ended. Vista was introduced in 2007.

Extended Support adds 5 more years to the 5 years of Mainstream Support, thus extending the product's total lifetime. Once the period ends, the operating system no longer receives updates or maintenance: it should be considered obsolete, and an upgrade (Windows 7, Windows 8.1, Windows 10 or another OS) should be planned in order to guarantee support until at least 2020, the end of Extended Support for Windows 7.
