An introduction to DDoS mitigation techniques, focused on cloud-based DDoS mitigation, an approach now adopted by many companies.
Despite their prevalence, DDoS (Distributed Denial of Service) attacks have been wrongly regarded as minor attacks by some parts of the security community because of their “limited” duration: victims are typically forced to interrupt their services for a few hours, with no other observable damage.
Recent events, however, have shown that the impact of DDoS attacks is much more than meets the eye. Not only can these attacks inflict heavy economic losses, they can also seriously damage the reputation and image of the victimized company or organization.
Another worrying trend in recent DDoS attacks is that, in addition to targeting web infrastructure, attackers are also exploiting flaws and misconfigurations in Domain Name System (DNS) infrastructure. Arbor Networks’ 2012 Worldwide Infrastructure Security Report indicated that 41% of respondents had experienced DDoS attacks against their DNS infrastructure.
Moreover, the targets of DDoS attacks do not fit a specific category: providers of online banking, payment services, email services and just about every other type of web service are prime candidates.
Similarly, there is no typical attacker profile: cyber criminals, hacktivists and state-sponsored hackers all use similar tactics against a long list of targets.
Principal Categories of DDoS Attacks
The security community classifies DDoS attacks as follows:
- Volume Based Attacks – The attacker tries to saturate the bandwidth of the target’s network links by flooding them with a huge quantity of data. This category includes ICMP floods, UDP floods and other spoofed-packet floods. This type of attack is very common and simple to execute with the many free tools available on the Internet, and, as such, is very popular in the hacktivist underground. The magnitude of volume based attacks is measured in bits per second (bps).
- Protocol Attacks – The attacker’s goal is to exhaust the resources of the target’s servers or of intermediate network equipment (e.g., firewalls and load balancers) by exploiting weaknesses in network protocols and their implementations, typically the state kept per connection. This category includes SYN floods, Ping of Death, fragmented packet attacks, Smurf DDoS and more. The magnitude of protocol attacks is measured in packets per second (pps).
- Application Layer (Layer 7) Attacks – Designed to exhaust the resource limits of web services, application layer attacks target specific web applications, flooding them with a huge quantity of HTTP requests (or holding connections open with deliberately slow ones) that saturate the target’s resources. Application layer attacks are hard to detect because they don’t necessarily involve large volumes of traffic and require fewer network connections than other DDoS techniques; each request is also well-formed, so they are difficult to tell apart from legitimate traffic. Examples include Slowloris, as well as DDoS attacks that target vulnerabilities in Apache, Windows or OpenBSD. The magnitude of application layer attacks is measured in requests per second (rps).
DDoS Mitigation Solutions – Traditional vs. Cloud-Based
The increase in the magnitude and complexity of DDoS attacks highlights the need for organizations to adopt proper countermeasures and mitigation techniques. Naturally, time is of the essence when it comes to DDoS protection. Prompt DDoS detection is a critical phase of the mitigation process – the faster security systems can detect a potential threat, the better the chance of minimizing damage and even neutralizing the threat.
Firms that provide DDoS mitigation solutions follow various approaches to protect their customers. The first step in protecting a company’s web infrastructure against a DDoS attack is to establish what normal network traffic looks like. This definition of normal “traffic patterns” is the necessary baseline for threat detection and alerting. The majority of commercial solutions provide threshold-based alerting that triggers when metrics collected from traffic telemetry and logs (bandwidth, packet rate, request rate, connection counts) exceed that baseline.
Another common approach is known as “layered filtering”: dedicated appliances and software detect and mitigate different types of attacks at both the network and application layers. Defense mechanisms that analyze traffic in layers try to detect harmful traffic and apply filters to block the threat at the specific layer where it operates. Many companies also adopt open source software to limit the number of incoming connections and the volume of traffic.
Traditional DDoS mitigation solutions over-provision network bandwidth and rely on complex hardware such as firewalls and load balancers. Many experts consider this approach unnecessarily costly and in many cases ineffective: an on-premises appliance cannot help once the upstream link itself is saturated. For this reason, many companies have chosen a cloud-based approach to DDoS protection, with direct management of DNS services, enabling them to optimize their response to malicious events. Another advantage of the cloud-based approach is the reduction of investment in equipment and infrastructure (capex) as well as the reduced cost of managing and maintaining typical hardware solutions (opex).
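The following is an added example, written for this page and not taken from the article or from any vendor product, of the baseline-and-threshold detection just described: it learns a per-service baseline from calm telemetry, flags a window when bandwidth, packet rate or request rate exceeds it, and labels the result with the three attack categories listed above (bps for volume, pps for protocol, rps for application layer). The telemetry samples are constructed inline; the metric set, the threshold rule and the order of the checks are assumptions chosen for illustration.

```python
"""Threshold-based DDoS detection with per-service traffic baselines.

Added example; not code from the original article or from any vendor
product. Telemetry samples are constructed inline. The metric set
(bps/pps/rps), the threshold rule and the classification order are
assumptions chosen to illustrate the three attack categories.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Sample:
    """One-second traffic bucket for one service (constructed telemetry)."""
    second: int
    service: str
    bits: float      # bits received in this second (bps)
    packets: int     # packets received in this second (pps)
    requests: int    # HTTP requests seen in this second (rps)


def build_baseline(samples, factor=3.0, sigmas=4.0):
    """Learn per-service thresholds from calm traffic.

    A metric is anomalous when it exceeds max(factor * mean, mean + sigmas * stdev);
    the factor term avoids a zero-width threshold for very steady services.
    """
    values = defaultdict(lambda: defaultdict(list))
    for s in samples:
        values[s.service]["bps"].append(s.bits)
        values[s.service]["pps"].append(s.packets)
        values[s.service]["rps"].append(s.requests)
    thresholds = {}
    for service, metrics in values.items():
        thresholds[service] = {
            name: max(factor * mean(v), mean(v) + sigmas * pstdev(v))
            for name, v in metrics.items()
        }
    return thresholds


def classify(sample, thresholds):
    """Return the attack category for one bucket, or None if it looks normal.

    Order matters: a flood that saturates bandwidth also raises pps, so bps is
    checked first; a SYN flood raises pps with little bandwidth; an HTTP flood
    raises rps while staying under both network thresholds.
    """
    t = thresholds[sample.service]
    if sample.bits > t["bps"]:
        return "volume"
    if sample.packets > t["pps"]:
        return "protocol"
    if sample.requests > t["rps"]:
        return "application"
    return None


def detect(samples, thresholds):
    """Classify every bucket; returns [(second, service, category)] for alerts only."""
    alerts = []
    for s in samples:
        category = classify(s, thresholds)
        if category is not None:
            alerts.append((s.second, s.service, category))
    return alerts


def count_bursts(alerts, quiet_gap=3):
    """Count separate attack episodes per service: an alert more than `quiet_gap`
    seconds after the previous one starts a new episode (hit-and-run pattern)."""
    episodes = defaultdict(int)
    last_seen = {}
    for second, service, _ in sorted(alerts):
        if service not in last_seen or second - last_seen[service] > quiet_gap:
            episodes[service] += 1
        last_seen[service] = second
    return dict(episodes)


# Constructed calm traffic: the public portal is busier than home banking.
CALM = [
    Sample(i, "portal", 8.0e6 + 2.0e5 * (i % 3), 1000 + 20 * (i % 4), 400 + 10 * (i % 5))
    for i in range(60)
] + [
    Sample(i, "homebanking", 2.0e6 + 1.0e5 * (i % 3), 300 + 10 * (i % 4), 120 + 5 * (i % 5))
    for i in range(60)
]

# Constructed windows under test.
UNDER_TEST = [
    Sample(100, "portal", 900.0e6, 90_000, 400),     # UDP flood: bandwidth saturated
    Sample(101, "portal", 9.6e6, 20_000, 400),       # SYN flood: many tiny packets
    Sample(102, "homebanking", 3.0e6, 800, 2500),    # HTTP flood: requests only
    Sample(103, "homebanking", 2.1e6, 310, 130),     # normal
    Sample(104, "portal", 9.0e6, 1100, 1100),        # 1100 rps is normal for the portal ...
    Sample(105, "homebanking", 3.0e6, 800, 1100),    # ... but an attack on home banking
    Sample(110, "homebanking", 3.0e6, 800, 1100),    # a second short burst a few seconds later
]

THRESHOLDS = build_baseline(CALM)
ALERTS = detect(UNDER_TEST, THRESHOLDS)

if __name__ == "__main__":
    for second, service, category in ALERTS:
        print(f"t={second}s {service}: {category}-layer attack")
    print("episodes per service:", count_bursts(ALERTS))
```

The per-service thresholds are what makes the profiling point concrete: 1,100 requests per second is unremarkable for the public portal but well above anything the home banking service sees, so the same count is an alert on one and noise on the other. The episode counter is the simplest way to surface the hit-and-run pattern (short bursts repeated over time) that a single-window threshold would report as unrelated events.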
Key Criteria for Evaluating DDoS Mitigation Solutions
Choosing a DDoS mitigation solution is far from a simple task, given the numerous alternatives and choices, such as hardware versus software, appliance versus cloud-based solutions, etc. To simplify your decision process, the following checklist includes the most important features and criteria to evaluate before acquiring a new product:
- Capacity of the solution in terms of protocols supported, analysis paths implemented and granularity offered for traffic inspection.
- Support for traffic profiling. Companies offering a variety of services may wish to define a different policy for each service, since normal traffic patterns for different services can be substantially different. For example, on a banking website the traffic of users who simply visit the portal must be distinguished from that of customers who access home banking functions.
- Product flexibility – the possibility to create ad hoc policies and patterns starting from well-known configurations.
- Product scalability – the product should be able to evolve and scale with the changing needs of the buyer.
- Availability of built-in hardware redundancy features.
- Availability of an efficient reporting/alerting system. Various solutions provide very different levels of reports and alerts – these features should be evaluated with care.
- Reliability – DDoS is a dynamic threat that morphs over time. Be sure to choose a provider able to deliver continuous updates and prompt support for its products.
- Bidirectional traffic monitoring – it is important to monitor both inbound and outbound traffic, to detect attacks and also to prevent your own network resources from being abused by attackers, for example as part of a botnet or a reflection attack.
- Product reputation and customer references. This is a crucial aspect, and it must take into account both the product’s features and the quality of its maintenance services.
How does the cloud based DDoS mitigation approach work?
As noted earlier, one of the most popular mitigation approaches is cloud-based DDoS mitigation. Such solutions are offered by Incapsula, Prolexic and Verisign, among others. Successful mitigation depends on the ability to monitor and analyze traffic patterns in real time. When monitoring systems detect a DDoS attack, traffic destined for the targeted website is redirected through the cloud to the mitigation architecture: inbound traffic is sent to the nearest scrubbing center, where the mitigation solution applies DDoS filtering and routing techniques to remove the attack traffic, and the clean traffic is then routed back to the customer’s network. Accordingly, the capacity of the scrubbing centers and the filtering methods used are crucial for an effective DDoS mitigation service. Redirection is done either with a DNS change (the customer points its records at the provider, which covers web traffic only) or by having the provider announce the customer’s prefixes via BGP. In the DNS case the origin must also be restricted to accept traffic only from the provider’s addresses: an attacker who discovers the origin address can otherwise send traffic to it directly and bypass the scrubbing entirely.
To get an industry expert’s take on these topics, I contacted Incapsula, one of the leading providers of DDoS mitigation services. Incapsula offers web security, DDoS protection, failover and load balancing on a global CDN. The company was spun out of, and is financially backed by, Imperva [IMPV], a leading provider of data security solutions. Here are excerpts from my interview with Incapsula’s CEO, Gur Shatz.
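As an added example of the origin-side check that the DNS-redirection model requires (written for this page, not code from the article or from any provider), the function below drops connections that do not arrive through the scrubbing provider and recovers the real client address from X-Forwarded-For without trusting hops the client could have forged. The provider address ranges, the request headers and the “rightmost untrusted hop” rule are assumptions; a real deployment takes the ranges and the header convention from the provider’s documentation.

```python
"""Origin-side admission check for a cloud-scrubbed deployment.

Added example; not code from the original article or from any provider.
The scrubbing-provider address ranges and the requests below are constructed
for illustration (documentation-only prefixes); real deployments use the
provider's published list.
"""
from ipaddress import ip_address, ip_network

# Constructed ranges standing in for the provider's published proxy addresses.
SCRUBBER_RANGES = [ip_network("192.0.2.0/24"), ip_network("2001:db8:1::/48")]


def is_scrubber(addr):
    """True when `addr` belongs to one of the provider's ranges."""
    return any(addr in net for net in SCRUBBER_RANGES)


def from_scrubber(peer_ip):
    """True when the TCP peer of the connection is one of the provider's proxies."""
    return is_scrubber(ip_address(peer_ip))


def real_client_ip(xff_header):
    """Pick the client address from X-Forwarded-For as appended by the scrubber.

    The proxy appends the address it observed to whatever the client sent, so
    the rightmost entry that is NOT one of the scrubber's own addresses is the
    one the scrubber saw; anything to its left was supplied by the client and
    may be forged. Returns None for an empty or malformed header.
    """
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ip_address(hop)
        except ValueError:
            return None          # malformed entry: refuse to guess
        if not is_scrubber(addr):
            return str(addr)
    return None


def admit(peer_ip, headers):
    """Decision for one inbound request: ('accept', client_ip) or ('drop', reason).

    Connections that do not arrive through the scrubber are dropped: once an
    attacker learns the origin address, traffic sent there directly bypasses
    every filter the provider applies.
    """
    if not from_scrubber(peer_ip):
        return ("drop", f"direct-to-origin connection from {peer_ip}")
    client = real_client_ip(headers.get("X-Forwarded-For", ""))
    if client is None:
        return ("drop", "no usable client address in X-Forwarded-For")
    return ("accept", client)


# Constructed requests: (TCP peer address, request headers).
REQUESTS = [
    ("192.0.2.10", {"X-Forwarded-For": "198.51.100.7"}),              # via scrubber
    ("192.0.2.10", {"X-Forwarded-For": "10.0.0.1, 198.51.100.7"}),    # client forged the first hop
    ("192.0.2.11", {"X-Forwarded-For": "198.51.100.7, 192.0.2.10"}),  # two scrubber hops
    ("203.0.113.5", {"X-Forwarded-For": "192.0.2.1"}),                # attacker hitting the origin directly
    ("192.0.2.10", {}),                                                # scrubber, but no client address
]

if __name__ == "__main__":
    for peer, headers in REQUESTS:
        print(peer, admit(peer, headers))
```

This check belongs at the application or reverse-proxy layer and complements, rather than replaces, a network-level rule that only allows the provider’s ranges to reach the origin: an application check cannot save a link that is already saturated by a volumetric flood aimed straight at the origin address.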
What are the key criteria for a successful DDoS mitigation service?
“Well, there are various factors that contribute to a successful DDoS mitigation solution, such as:
- Network size: You need a mitigation service that can handle the largest possible attack that could come your way. Since attacks are becoming larger at a disturbing rate, anything below 250Gbps of network capacity just isn’t enough.
- Automatic detection: There are many ways to launch a DDoS attack, and sometimes the nature of the attack rather than its size is what makes mitigation so hard. Take, for example, hit and run attacks which are short bursts of traffic in random intervals over a long period of time. A manual mitigation solution that requires users to turn it on and off on every burst will throw the IT team into complete havoc. Some solutions, like Incapsula, offer automatic DDoS mitigation and take full responsibility for both detection and mitigation of the attack.
- Transparent mitigation: DDoS is about degradation of service. While this can be complete denial of service, it can also be disruptions. If your DDoS mitigation service introduces a large rate of false positives or degrades the normal user experience in any way, the DDoS attack is actually achieving its goal – even if your service is still up and running. Unless your mitigation service can offer zero disruption to the normal user experience, you will not be able to withstand lengthy attacks without damaging business performance.
- Time and complexity to onboard: A key factor in a DDoS service is the time it takes to on-board the service. There are various techniques and setups – the more complex ones require on-premise devices and configuration, while the faster ones require only a simple DNS change. When you are under fire, you’ll appreciate having chosen a solution that can shield your network from that attack with minimal time and effort.
- Support: A 24×7 team of experts is an essential part of a reliable DDoS mitigation service. Being under a DDoS attack is one of the most frustrating situations for any IT manager. You have practically no visibility into what is happening, there is nothing you can do internally and your entire service is down. You need an expert by your side who can help you understand what is going on during the attack and get you through it as painlessly as possible.”
Based on the observation of DDoS attacks against your clients during the last few months, what are the changes/trends that you are seeing with respect to attack methods?
“The principal trends that we are observing are:
- Larger and larger network attacks. These large-scale attacks often use SYN floods and DNS amplification as their tools of choice.
- Hit and Run attacks. These are smaller scale application layer attacks that don’t last very long, but occur every few days.
This information might be biased, because as a cloud provider, we are well suited for handling large network attacks. Since our users typically use our “always on” automatic detection service, it is reasonable to assume that users with hit and run problems tend to reach us more than users of other solutions.”
What are the strong points of your Cloud-based solution?
“I believe that our true strengths lie in a number of aspects of our service:
- We offer a cloud based service that can be activated without any additional hardware, software or other integration requirements. Adding a website to Incapsula is done through a simple DNS change which allows us to offer our services to practically anyone regardless of company size, IT manpower or expertise.
- A large network of more than 300Gbps that can handle practically any attack out there.
- Transparent and automatic mitigation of attacks with no negative (and in most cases positive) effect on legitimate users’ experience.
- Having a built-in CDN and Web Application Firewall allow our customers to always be online and automatically mitigate attacks while improving overall user experience and overall security.”
Whatever solution you choose, you must always weigh the trade-off between costs and benefits. To meet business goals, every company is increasing its exposure on the Internet and, in parallel, enlarging its potential attack surface; at the same time, for most of these companies downtime is no longer acceptable from a business standpoint.
Pierluigi Paganini
(Security Affairs – DDoS Mitigation)
A periodic analysis of the evolution of the criminal underground’s offerings, thanks to the work of experts such as Dancho Danchev.
The offerings of cyber criminals in the underground are very dynamic and articulated, and observing them is a privileged vantage point for understanding how cyber threats evolve.
Recently we have discussed new services that adopted curious monetization models for botnet renting, such as “pay per execution”, and we have seen how the underground reacted to the shutdown of the Liberty Reserve currency scheme.
Today I will introduce a couple of discoveries made by researcher Dancho Danchev about the offerings of the criminal underground. Once cyber criminals have obtained control of a huge botnet, they mainly try to capitalize on it in two ways:
- Renting the compromised machines to other criminals
- Selling the information stolen from victims to other criminals, who use it to arrange frauds.
One of the most targeted sectors is the gaming market, because of its multi-million-dollar profits; in this case cyber criminals mine the botnet for account credentials for gaming platforms and for activation keys of the most popular games.
Danchev found a new e-commerce website specialized in the sale of stolen account credentials for gaming platforms (e.g. Origin and Uplay) and for a variety of online services (Hulu Plus, Spotify, Skype, Twitter, Instagram, Tumblr and Freelancer).
The screenshot of the advertisement in the original post shows that the prices of the compromised gaming accounts are very cheap, and those of the compromised service accounts cheaper still.
Security experts who analyze new services in order to profile their activity usually consider various factors, such as references to a geographic area, the payment methods accepted and, of course, the age of the service.
This information can give researchers an idea of the level of organization behind a service: typically cyber criminals operate for short periods, and gangs of individuals work together only for the time needed for a specific campaign.
Analyzing the feedback left on the e-shop, Danchev found that it is not a one-time inventory of compromised assets but appears to be “a long-term operation fueled by an ongoing botnet operation relying on commercially/publicly obtainable DIY (do-it-yourself) malware generating tools, in combination with malware crypting services.”
The service accepts various payment methods, including the popular Bitcoin, WebMoney and PayPal. The shutdown of Liberty Reserve is increasing the popularity of Bitcoin in the underground, despite exchanges such as Mt. Gox announcing stricter identity checks on their subscribers.
The number of e-shops selling access to hacked machines worldwide and accepting Bitcoin as the primary payment method is also increasing.
One newly launched service accepts Bitcoin and guarantees up to 20,000 hacked PCs every day; as shown in the price list in the original post, 1K hosts cost $30, 10K hosts go for $250, and 20K hosts go for $400.
The machines are located worldwide, meaning that the service does not segment its offer by “targeting” any particular kind of machine, so as to enlarge its portfolio.
The last interesting news from the underground forums concerns pharmaceutical scammers who impersonate Facebook’s notification system to entice users into purchasing counterfeit drugs.
Danchev wrote in his post:
“Opportunistic pharmaceutical scammers are currently spamvertising tens of thousands of bogus emails impersonating Facebook’s Notification System in an attempt to trick users into clicking on the links, supposedly coming from a trusted source. Once users click on the links found in the fake emails, they’re exposed to counterfeit pharmaceutical items available for purchase without a prescription.”
The figures behind this business are impressive: although the products are counterfeit drugs, the US alone accounts for 72% of pharmaceutical orders.
If you are interested in the evolution of the underground offer … stay tuned!
Pierluigi Paganini
(Security Affairs – Underground, Cybercrime)
The top secret PRISM project claims direct access to the servers of major IT corporations, including Google, Apple and Facebook.
The recent news about the surveillance of communications by the US Government through the PRISM program has left public opinion bewildered: everyone imagined it, but when confronted with the evidence, the public was shocked.
The Washington Post recently published an interesting article that tries to explain how the complex US surveillance machine works. According to the documents it obtained, the NSA and FBI systematically draw on information from the central servers of the leading companies in the computer industry listed in the leaked slides:
- AOL
- Apple
- Dropbox (listed in the slides as “coming soon”)
- Facebook
- Google
- Microsoft
- PalTalk
- Skype
- Yahoo
- YouTube
The surveillance program, known as PRISM, began in 2007 under the Bush administration; it is capable of acquiring sensitive data from the IT majors and then running complex analysis on it. Of course, the companies deny any knowledge of the secret program.
“Google cares deeply about the security of our users’ data. We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government ‘back door’ into our systems, but Google does not have a back door for the government to access private user data.” Google states.
“We do not provide any government organization with direct access to Facebook servers. When Facebook is asked for data or information about specific individuals, we carefully scrutinize any such request for compliance with all applicable laws, and provide information only to the extent required by law,” said Joe Sullivan, chief security officer for Facebook.
“We have never heard of PRISM. We do not provide any government agency with direct access to our servers, and any government agency requesting customer data must get a court order,” said Steve Dowling, a spokesman for Apple.
The Washington Post’s article on the workings of PRISM, based on the secret documents, reveals that PRISM was cited 1,477 times in the President’s Daily Brief in 2012.
The document claims “collection directly from the servers” of the major US IT service providers; the principal argument offered in the program’s defense is the need for communications surveillance for security and counterterrorism reasons.
“information collected under this program is among the most important and valuable foreign intelligence information we collect, and is used to protect our nation from a wide variety of threats. The unauthorized disclosure of information about this important and entirely legal program is reprehensible and risks important protections for the security of Americans.” Director of National Intelligence James R. Clapper said.
According to the revelations, PRISM came into heavy use during the Arab Spring, when it was used to profile individuals considered dangerous to the US.
The Guardian has verified the authenticity of the PowerPoint presentation circulating on the Internet: it consists of 41 slides, classified top secret with no distribution to foreign allies, and was apparently used to train operatives.
Although the presentation claims the program is run with the assistance of the companies, all those who responded to a Guardian request for comment on Thursday denied knowledge of any such program.
Is PRISM legal?
The US program appears to be authorized under Section 702 of the FISA Amendments Act of 2008, under which the FISA court approves procedures that compel US companies to hand over the records and communications of targets reasonably believed to be non-US persons located abroad, from metadata to the content of email, chat, voice and video calls, videos and photos. Section 215 of the Patriot Act, often cited in this context, is instead the authority behind bulk metadata orders such as the Verizon order discussed elsewhere on this page.
Any further comment seems superfluous … everyone imagined something like this, but reality exceeds imagination … the situation is unsettling.
I leave you with a few questions:
- How can the PRISM program cost only $20 million a year?
- Have you noticed the name PalTalk in the list of companies? Why PalTalk?
- Where is Twitter? Why is it absent, given how often it was mentioned when we spoke of the Arab Spring?
- Why is 98 percent of PRISM production based on Yahoo, Google and Microsoft?
- Why has it been revealed now?
- Why are all nine companies denying participation?
Pierluigi Paganini
(Security Affairs – Surveillance, PRISM)
Leading security firms have detected a new variant of Zeus malware that exploits the popular social network Facebook to target users’ bank accounts.
How does Facebook Zeus steal victims’ credentials?
ZBOT (Trend Micro’s name for the Zeus family) connects to a remote site to download its encrypted configuration file, which contains the following information:
- Site from which an updated copy of itself can be downloaded
- List of websites to be monitored
- Site to which it will send the stolen data
“These configuration files contain banks and other financial institutions that ZBOTs monitor in browsers. Since configuration files are downloaded from remote sites, the contents of these files may change any time. Malicious actors can change the list of sites they want to monitor on the affected system,” reports a Trend Micro blog post.
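As an added illustration of how a configuration of the kind described above is applied (example code written for this page, not ZBOT’s or Trend Micro’s), the block below matches visited URLs against a list of monitored-site masks and extracts the hostnames a defender would search for in a recovered configuration. The mask syntax (“*” for any run of characters, “#” for a single character, a leading “!” marking an exclusion), the URLs and the configuration contents are assumptions; real ZBOT configuration files are encrypted binaries and would be parsed only after decryption.

```python
"""Applying a ZBOT-style monitored-site list to visited URLs.

Added example; not code from the original article, from ZBOT or from Trend
Micro. The configuration below is constructed in the shape the text
describes; the mask syntax ('*' any run, '#' one character, leading '!' as
exclusion) is an assumption for illustration.
"""
import re

# Constructed configuration; the hosts use the reserved .invalid TLD.
CONFIG = {
    "update_url": "http://update.example.invalid/bot.exe",   # fresh copy of the bot
    "drop_url": "http://gate.example.invalid/gate.php",      # where stolen data is sent
    "monitored": [                                           # sites to monitor in the browser
        "https://*.examplebank.invalid/login*",
        "https://online.examplebank.invalid/account/#####",
        "*paypal.invalid/cgi-bin/webscr?cmd=_login*",
        "!https://*.examplebank.invalid/login/help*",        # exclusion: not interesting
    ],
}


def mask_to_regex(mask):
    """Translate a URL mask to an anchored, case-insensitive regex."""
    parts = []
    for ch in mask:
        if ch == "*":
            parts.append(".*")
        elif ch == "#":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def is_monitored(config, url):
    """True when `url` matches a monitored mask and no exclusion mask.

    `config` is passed in on every call because, as the text notes, the bot
    re-downloads it and the monitored list can change at any time.
    """
    includes = [m for m in config["monitored"] if not m.startswith("!")]
    excludes = [m[1:] for m in config["monitored"] if m.startswith("!")]
    if any(mask_to_regex(m).match(url) for m in excludes):
        return False
    return any(mask_to_regex(m).match(url) for m in includes)


def targeted_hosts(config):
    """Hostnames named in the monitored masks (wildcard labels kept).

    A defender who recovers a configuration uses this to check whether their
    own domains appear in it.
    """
    hosts = set()
    for mask in config["monitored"]:
        m = re.match(r"^!?(?:[a-z]+://)?([^/?]+)", mask, re.IGNORECASE)
        if m:
            hosts.add(m.group(1).lower())
    return sorted(hosts)


# Constructed browsing activity to check against the configuration.
VISITED = [
    "https://www.examplebank.invalid/login?x=1",
    "https://online.examplebank.invalid/account/12345",
    "https://online.examplebank.invalid/account/1234",
    "https://www.examplebank.invalid/login/help",
    "http://www.paypal.invalid/cgi-bin/webscr?cmd=_login-run",
    "https://www.example.com/",
]

if __name__ == "__main__":
    for url in VISITED:
        print(("MONITOR " if is_monitored(CONFIG, url) else "ignore  ") + url)
    print("targeted hosts:", targeted_hosts(CONFIG))
```

The exclusion mask is the edge case worth keeping: the help page under /login/ matches the broad login mask, and only the exclusion keeps it out of the monitored set. The five-character account mask shows why a single wildcard character exists at all: a four- or six-digit path does not match it.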
“The best way to describe how we uncovered the Zeus malware is as follows. I observed that the Russian Business Network was creating fake Facebook profiles that were posting .tk links to websites selling counterfeit merchandise. The .tk links caught my attention; when I did a URL query of these .tk links, the URL query report listed them as likely hostile and from the Russian Business Network. I turned the links over to a colleague, who identified the Zeus botnet.”
The U.S. NSA is collecting the phone records of millions of Verizon Communications customers, according to a secret court order obtained by the Guardian.
The U.S. NSA is collecting the phone records of millions of customers of Verizon, the country’s second-largest telephone company. The shocking news was revealed by the Guardian, whose journalists had access to a “Top Secret” court order, signed by Judge Roger Vinson and issued in April against Verizon.
The order obliges Verizon to deliver, daily, the records of calls both wholly within the United States and between the United States and other countries.
The order, issued by the U.S. Foreign Intelligence Surveillance Court, directs Verizon’s Business Network Services Inc. and Verizon Business Services units to hand over electronic data including all call records on an “ongoing, daily basis” until the order expires on July 19, 2013. Notably, the order also forbids disclosure of its own existence.
The order reveals an ongoing massive collection of the communications records of millions of Americans; every customer is covered regardless of whether he or she is suspected of any crime. The order covers every phone number dialed by every Verizon customer, including location and routing data and the duration and frequency of calls, but not the contents of the communications.
The revelation is embarrassing for the Obama administration. So far the authorities and law enforcement have not commented on the news, but a source close to the judiciary has confirmed the authenticity of the order.
A spokesman for the National Security Agency said only:
“We will respond as soon as we can.”
The news is making a lot of noise; consider that the US Government has already been severely criticized for many other legislative proposals that violate citizens’ privacy.
“That’s not the society we’ve built in the United States. It’s not the society we set forth in the Constitution, and it’s not the society we should have,” commented Kurt Opsahl, an attorney at the Electronic Frontier Foundation.
The order is a demonstration of the advanced surveillance conducted by the US Government, which began under the administration of President George W. Bush.
AT&T Inc., the biggest US telephone company, declined to comment when asked whether the government had made a similar request for its data.
It can be expected that other providers have received similar court orders.
Pierluigi Paganini
(Security Affairs – Surveillance, NSA is collecting phone records)
An interesting post by Brian Krebs is food for thought on the business behind a cashout service for cybercriminals.
Brian Krebs has recently published an interesting post on his KrebsOnSecurity blog about how cyber criminals cash out their money through a dedicated cashout service. The conversion of ill-gotten gains into cash, the “cashout”, is considered the riskiest part of a cybercrime, the one that most exposes crooks to law enforcement investigation.
Krebs describes a new cashout service for ransomware operators that offers money laundering by abusing a legitimate website that allows betting on dog and horse races in the United States. Ransomware is a category of malware that restricts access to the resources of the system it infects and demands a ransom, paid to the author of the malicious code, to remove the restriction. The service also protects itself from abuse with a free CAPTCHA service from Microsoft.
The more sophisticated variants encrypt files on the victim’s hard drive, while others simply lock the system and display messages demanding payment. Cyber criminals give victims detailed instructions to pay the ransom with prepaid cards such as MoneyPak or PaySafe and to provide evidence of the transaction.
The principal problem is converting the extorted value into cash: criminals have to spend it in shops that accept these payment methods, must manage a large number of transactions every day, and are often not located in the place where the fraud is committed.
The post describes an original ransomware cashout service hosted in Belarus that supports crooks in this articulated and risky phase: the service checks the balances of the MoneyPak codes sent by victims as proof of payment and verifies them by abusing a legitimate feature of betamerica.com, a site for betting on dog and horse races in the US. The same service also cashes out PaySafe cards from Mexico for a quarter of their balance.
The operations team at Betamerica.com is aware of the abuse and has already flagged the account used to check MoneyPak voucher codes, preventing it from placing any bets so that it cannot be used to launder money.
“This account was already flagged as some type of bot or compromise, and was set to non-wagering,” explained an operator at betamerica.com.
“We are pretty diligent, because in the past we have had [individuals who] will try to do a Moneypak deposit and then do a withdrawal, basically trying to launder it. Bottom line is that money has to be wagered. It’s not going to be returned to you in another form.”
The actors in the cashout process described by Krebs:
- The ransomware victims who agree to purchase MoneyPak vouchers to regain control of their PCs.
- The people operating the botnets that push ransomware, lock up victims’ PCs and extract MoneyPak voucher codes from victims.
- The guy(s) running this cashout service.
- The “cashiers” or “cashers” on the back end who take the MoneyPak codes submitted to the cashing service, link those codes to fraudulently obtained prepaid debit cards, withdraw the funds via ATMs and wire the proceeds back to the cashing service, minus their commission. The cashing service then credits a percentage of the MoneyPak voucher code values to the ransomware peddler’s account.
The Business dimension
The cashout service is very expensive: the fee charged to the ransomware operator is more than half of the value of the MoneyPaks, and the service manager justifies this high cost with the declining infection rate of exploit kits.
Analyzing the list of checks made on MoneyPak vouchers, it appears that a large number of requests are generated by a scammer who extorts around $300 from each victim. Around 24,000 MoneyPak codes appear to have been checked, which would mean the cashout service has processed more than $7 million from ransom victims.
This figure should prompt deeper reflection on the criminal-proceeds industry and in particular on this kind of malware. The situation is worrying because, in addition to the increase in this type of crime, we must bear in mind that most cases are never reported, for fear of legal consequences for downloading pirated or pornographic content.
Pierluigi Paganini
(Security Affairs – Ransomware, cybercrime, cashout service)
The NetTraveler cyber espionage campaign, revealed by Kaspersky’s team, targeted over 350 high-profile victims in 40 countries.
“However, this data represents only a small fraction which we managed to see – the rest of it had been previously downloaded and deleted from the C&C servers by the attackers,” the report states.
“During our analysis of NetTraveler infections, we identified several victims that were infected both by NetTraveler and Red October. Although we see no direct links between the NetTraveler attackers and the Red October threat actor, the existence of victims infected by both of these campaigns is interesting.”
Mactans charger is the name of a malicious charger, to be presented by researchers at the Black Hat 2013 conference in July, that is able to inject malware into any Apple iOS device.
Researchers from the Georgia Institute of Technology have announced the creation of the Mactans charger, a custom wall charger for the Apple iPhone and iPad that is able to inject malware into any device running any version of iOS.
The infection is carried out through a charger, called Mactans, built on the BeagleBoard. The BeagleBoard is a low-power open-source single-board computer designed by Texas Instruments in association with Digi-Key and sold to the public under a Creative Commons share-alike license.
The abstract of their presentation states that they will demonstrate how an iOS device can be infected less than a minute after being plugged into a malicious charger.
“In this presentation, we demonstrate how an iOS device can be compromised within one minute of being plugged into a malicious charger. We first examine Apple’s existing security mechanisms to protect against arbitrary software installation, then describe how USB capabilities can be leveraged to bypass these defense mechanisms. To ensure persistence of the resulting infection, we show how an attacker can hide their software in the same way Apple hides its own built-in applications.”
The name Mactans derives from Latrodectus mactans, the black widow, a highly venomous species of spider in the genus Latrodectus. The researchers Billy Lau, Yeongjin Jang and Chengyu Song will present their creation at the Black Hat 2013 conference in July.
It’s not the first time we read about hardware disguised as everyday objects being used to spy on networks; recall the various DARPA-sponsored research projects that led to the design of objects able to penetrate a host network. This time the Mactans charger is a circuit used to infect mobile users.
Once the malicious code has been installed via the Mactans charger, the researchers are also able to hide it in exactly the same way Apple hides its own built-in applications. The infection is possible thanks to the exploitation of a vulnerability already disclosed to Apple but not yet fixed by the company.
Apple has not yet acknowledged the team’s findings, but the consequences of similar exploits are clear: potentially any iPhone or iPad could be compromised through its USB connection. Until a fix is available, the only practical precaution is to avoid charging from untrusted chargers or public USB ports, or to use a cable or adapter that carries power but not the USB data lines.
The researchers declared:
“The results were alarming: despite the plethora of defense mechanisms in iOS, we successfully injected arbitrary software into current-generation Apple devices running the latest operating system (OS) software. All users are affected, as our approach requires neither a jailbroken device nor user interaction.”
A final consideration concerns the possible compromise of the supply chain of any hardware device and the need for hardware qualification… have you any idea what could be done to the networks in our homes with compromised hardware?
Pierluigi Paganini
(Security Affairs – Hacking, Mactans charger)
According to recent research by Group-IB on cybercrime, senior management is considered among the most privileged targets.
Group-IB is one of the leading companies in fraud prevention and in cybercrime and high-tech crime investigations; it is an IMPACT-ITU member and one of the most active firms in the analysis of cyber criminal phenomena.
The firm reported that cyber criminals use the personal and confidential data of senior managers at various financial institutions and companies for targeted attacks, including fraud and online-banking theft.
C-level executives are being singled out with specific attacks, while HR managers are targeted because of the sensitive information they manage.
Why senior management?
The principal reason is that personal details of senior management or key employees are used by attackers to recruit potential insiders, a practice that is very common today in banks, online-trading companies and e-commerce.
I contacted Andrey Komarov, head of international projects at Group-IB and CTO of CERT-GIB, for more information on the research; he told me:
«We have faced internal fraud by bank employees, in the persons of managers and top staff, recruited by cybercriminals entirely remotely in the first stage, related to SWIFT MT 130 and SWIFT MT 760 operations on huge amounts of money. Of course, in the second stage, criminals involve such employees in their own criminal groups for further close cooperation»
SWIFT MT 130 and SWIFT MT 760 are very specific SWIFT operations, also used for bank guarantees, and with the help of corrupted employees it is possible to commit fraud involving large amounts of money. In rare cases such operations are approved by insiders in senior management, especially those dealing with stocks and operational risk, as they have connections with all departments of the bank.
One of the most exploited sources of information is social networks, in particular hacked accounts on the most popular platforms such as Facebook and LinkedIn. Social networks are a mine of information: employees tend to publish their private e-mail addresses and other personal information, which hackers use to build a profile of the target and to map their contacts.
As regards targeted attacks, hackers are interested in the credentials of middle-management employees and senior management in order to plant malware and gather more information about the network topology of potential victims; sometimes they deploy specially crafted code that opens a reverse connection, so that the infected machine can be used for cyber espionage.
Specific targets are IT administrators and IT managers, as most of them have full access to the company’s infrastructure, which means that if they are compromised, the attackers may gain access to a variety of information resources, including corporate e-mail.
The image above shows a post from an underground forum that demonstrates hackers’ interest in confidential data on the CEOs and top management of various well-known brands; a translation from Russian follows:
“Will buy information about the following companies:
- Linkedin, Verizon, GoDaddy, British American Tobacco, Dupont, Pepsi, Names.co.uk, Facebook (private companies)
- Commerzbank, Raiffeisen, RBS, Bank of America, Wells, Wachovia, Citibank + any russians, having online-banking
Interested in email + password, any stolen accounts of its employees in social networks (Facebook + Linkedin), will pay good, before selling need to have a garant and checking.
Interested in hacked accounts and data on:
- system administrators;
- top managers (operational managers, heads of the departments)
Reach me only through PM, confidential and in 1 hands
Will talk only under OTR/NDC encryption in Jabber, don’t use ICQ”
Experts at Group-IB confirmed to me that there is a large market for trading confidential data; it is used mostly by competitors for intelligence within the same market segment, by big players fighting for market position, and by hackers as well.
According to the statistics, the most valuable types of information traded on the black market are:
- Annual accounting balances and financial reports;
- Project plans and strategies of the company for several years;
- Intellectual property and innovations used for successful business;
- Customers databases and partners’ contacts (CRM);
- Employees databases (Intranet systems);
- Credentials to corporate e-mails and personal e-mails of employees;
- Internal network infrastructure and its specifics.
Once again, observation of the criminal underground gives us valuable information on trends in the cyber criminal environment; this information is fundamental for the security departments of enterprises and governments.
Pierluigi Paganini
(Security Affairs – Cybercrime)
iCloud does not properly protect users’ data despite the implementation of two-factor protection.
Millions of users access iCloud to store data such as photos, music and documents, and Apple has recently tried to improve its security by introducing a two-factor authentication system in March… Do users really know the security mechanisms that protect their data?
Last week I wrote a post on the benefits and limits of two-factor authentication; the reflections it prompted raise serious questions about possible incorrect implementations of the security mechanism.
I began by remarking that I am deeply opposed to storing my information on a system of which I know very little, as any cloud architecture managed by an enterprise can be.
Two-factor authentication was introduced by Apple to prevent a user’s Apple ID from being used for fraudulent purchases, but it appears insufficient to protect the user’s files stored in the cloud.
The discovery was made by researchers at ElcomSoft, a Russian company specialized in providing forensic software for password cracking and system auditing, and described in a recently published post.
If an attacker obtains a user’s account credentials, he is still able to access the data stored in the user’s iCloud account, despite Apple’s adoption of two-factor verification.
ElcomSoft CEO Vladimir Katalov wrote in the post:
“In its current implementation, Apple’s two-factor authentication does not prevent anyone from restoring an iOS backup onto a new (not trusted) device,” “In addition, and this is much more of an issue, Apple’s implementation does not apply to iCloud backups, allowing anyone and everyone knowing the user’s Apple ID and password to download and access information stored in the iCloud. This is easy to verify; simply log in to your iCloud account, and you’ll have full information to everything stored there without being requested any additional logon information.”
“In ElcomSoft’s opinion, this is just not the right way to do this from a security point of view. iCloud has been exploited in the past (see Norwegian Teenagers Hacking iCloud Accounts) and will be exploited in the future.”
“To me the story here is all about Apple offering a 2FA [two-factor authentication] solution that doesn’t really add much extra security for you (files, documents etc), but it protects them (and you) from unauthorized money transactions and changes to your account,”
Although Apple did not introduce two-factor authentication to reinforce the security of data stored in iCloud, the flaw has puzzled researchers because the security mechanism does not protect users’ data.
The mechanism does prevent attackers from resetting a user’s iCloud password, but it does not stop them from accessing the data stored in an account. Apple’s two-factor authentication still allows an attacker who holds the credentials to restore backed-up iPhone or iPad data to a new device or to delete it permanently.
In summary, the 2FA solution added by Apple does not provide extra security for data; on the contrary, it gives users a false perception of security, which could have serious consequences.
Probably the flaw found in Apple’s implementation of 2FA is not accidental but is the result of a compromise between the level of security ensured to users and the usability of the solution.
Other 2FA solutions, such as those implemented by Microsoft or Google, require customers to provide a “second piece of an ID when attempting to access their services from a new device”, to thwart anyone who has stolen a user’s credentials.
“The purpose of two-factor authentication is to prevent parties gaining unauthorized access to your account credentials from taking any real advantage.”
The CEO of Duo Security, a firm specialized in providing two-factor authentication services, commented on the technical choice with the following statement:
“It’s a worthwhile discovery,” “It’s good for people to know and understand that their account is not 100-percent protected by this new feature that rolled out. But I don’t think it’s an unaddressable limitation, and to be fair to Apple, I don’t know if this was ever intended to protect this model.”
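To make the scope problem concrete, here is an added illustration (not code from ElcomSoft, Apple or Duo Security) that models two authorization policies: one where the second factor guards only account changes and purchases, as the post describes, and one where downloading or restoring a backup from an untrusted device also requires step-up verification. The operation names, the `Session` model and the audit helper are hypothetical.

```python
"""Model of second-factor scope: account-only policy vs. data-aware policy.
Constructed illustration; operation names and Session are hypothetical."""
from dataclasses import dataclass

# Sensitive operations discussed in the post
PASSWORD_RESET = "password_reset"
PURCHASE = "purchase"
BACKUP_DOWNLOAD = "icloud_backup_download"
RESTORE_TO_NEW_DEVICE = "restore_backup_to_new_device"
SENSITIVE_OPS = (PASSWORD_RESET, PURCHASE, BACKUP_DOWNLOAD, RESTORE_TO_NEW_DEVICE)

# Policy as described in the post: the second factor protects the account
# (password reset, purchases) but not the data stored in the cloud.
ACCOUNT_ONLY_2FA = frozenset({PASSWORD_RESET, PURCHASE})
# Hardened policy: data access from an untrusted device also needs step-up.
DATA_AWARE_2FA = ACCOUNT_ONLY_2FA | {BACKUP_DOWNLOAD, RESTORE_TO_NEW_DEVICE}


@dataclass
class Session:
    password_ok: bool                 # first factor (Apple ID + password)
    second_factor_ok: bool = False    # code from a trusted device entered
    device_trusted: bool = False      # device previously verified by the user


def authorize(op: str, session: Session, policy: frozenset) -> bool:
    """Allow op if the password is valid and, for operations covered by the
    policy, the device is trusted or a second factor was presented."""
    if not session.password_ok:
        return False
    if op in policy and not session.device_trusted:
        return session.second_factor_ok
    return True


def exposed_with_password_only(policy: frozenset) -> set:
    """Coverage audit: operations a credential thief on an untrusted device
    can still perform with nothing but the stolen password."""
    thief = Session(password_ok=True, second_factor_ok=False, device_trusted=False)
    return {op for op in SENSITIVE_OPS if authorize(op, thief, policy)}


if __name__ == "__main__":
    for name, policy in (("account-only", ACCOUNT_ONLY_2FA), ("data-aware", DATA_AWARE_2FA)):
        print(f"{name}: exposed with password only -> {sorted(exposed_with_password_only(policy))}")
```

Under the account-only policy the audit reports the backup download and restore operations as exposed, which is exactly the gap ElcomSoft describes; under the data-aware policy nothing is exposed to a password-only attacker.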
Pierluigi Paganini
(Security Affairs – Apple iCloud, 2FA)