As the hacktivist community continues to grow and evolve, so do the tools and services at a hacker’s disposal. The digital divide between skilled and amateur hackers continues to widen. This gap in skill is forcing those with limited knowledge to rely on others who offer paid attack services in marketplaces on both the Clearnet and the Darknet. While most hacktivists still look to enlist a digital army, some are discovering that it is easier and more time efficient to pay for an attack service such as DDoS-as-a-Service. Financially motivated cyber criminals market these attack services to would-be hacktivists who want to take down a target without any knowledge or skill of their own.
If you are reading this, you are back on Twitter, listening to your favorite music on Spotify, watching Netflix and you can finally breathe!
Yes, the massive DDoS attack targeting Dyn, a managed DNS service provider, knocked a large part of the Internet offline, and we are still in the aftermath.
Although forensic analysis is still ongoing, we do know that this attack involved at least one botnet of Internet of Things (IoT) devices.
This attack follows two large scale DDoS attacks launched in September that used the same methodology: infecting an ‘army’ of IoT devices to knock down victims’ services.
On the morning of October 21st Dyn began to suffer a distributed denial of service (DDoS) attack that interrupted its Managed DNS network. As a result, hundreds of thousands of websites, including services hosted on Amazon’s EC2 instances, became unreachable to most of the world. The problem intensified later in the day when the attackers launched a second round of attacks against Dyn’s DNS system. Dyn’s mitigation of the attack can be viewed on RIPE’s website, where a video illustrates the BGP route changes.
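The outage above took down sites whose authoritative DNS was served from a single provider, so the first check a practitioner wants after an incident like this is whether each zone's NS RRset spans more than one provider. The following is an added example, not code from the original post: the nameserver lists are constructed on reserved example domains (in practice, feed it the output of `dig NS <zone>`), and grouping nameservers by their registrable parent domain is a heuristic assumption rather than a rule.

```python
"""Audit whether a zone's authoritative nameservers span more than one DNS provider.

Added example, not from the original post. Nameserver lists are constructed;
provider grouping by registrable parent domain is an assumption: providers
that answer from several parent domains are over-counted, white-labelled
ones are under-counted.
"""


def provider_of(ns_host):
    """Return the registrable parent domain of a nameserver hostname.

    Simplification (assumption): the last two labels are taken as the provider.
    A production check should consult the Public Suffix List so that names
    such as ns1.provider.co.uk are grouped correctly.
    """
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else ns_host.lower()


def audit_nameservers(zones):
    """Return {zone: {"providers": [...], "single_provider": bool, "ns_count": int}}.

    A zone is flagged `single_provider` when every nameserver resolves to the
    same provider, i.e. one provider outage (as with Dyn) takes the zone down.
    """
    report = {}
    for zone, nameservers in zones.items():
        providers = sorted({provider_of(ns) for ns in nameservers})
        report[zone] = {
            "providers": providers,
            "ns_count": len(nameservers),
            "single_provider": len(providers) <= 1,
        }
    return report


def zones_at_risk(zones):
    """Return the sorted list of zones that depend on a single provider."""
    return sorted(z for z, r in audit_nameservers(zones).items() if r["single_provider"])


# Constructed sample NS RRsets on reserved example domains.
SAMPLE_ZONES = {
    # two nameservers, but both at the same provider: single point of failure
    "shop.example": ["ns1.dns-provider-a.example.", "ns2.dns-provider-a.example."],
    # secondary DNS at a second provider: survives one provider's outage
    "news.example": ["ns1.dns-provider-a.example.", "ns1.dns-provider-b.example."],
    # one nameserver only
    "blog.example": ["ns.dns-provider-c.example."],
}

if __name__ == "__main__":
    for zone, result in audit_nameservers(SAMPLE_ZONES).items():
        print(zone, result)
    print("at risk:", zones_at_risk(SAMPLE_ZONES))
```

Having two providers only helps if both hold a current copy of the zone (AXFR/IXFR or API-driven sync) and both are listed in the NS set at the parent; a secondary that is configured but not delegated buys nothing.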
Following the public release of the Mirai bot source code (you can read more about it here), security analysts fear a flood of online attacks from hackers. Mirai exhibits worm-like behavior: it scans for unprotected devices, brute-forces their factory default credentials over telnet, compromises them, and recruits them into massive botnets.
Soon after the original attacks, Flashpoint released a report identifying the primary manufacturer of the devices that shipped with the default credentials ‘root’ and ‘xc3511’. Factory default credentials on their own should not pose an enormous threat; combined with Telnet or SSH enabled by default and a root password that cannot be changed, however, the device is effectively a Trojan with a built-in backdoor, and that backdoor is now public knowledge.
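Because the credentials are public and the root password on the affected devices cannot be changed, the practical defense is to keep telnet off the Internet and to notice when something is cycling through the default list. The following detection logic, which serves the two paragraphs above, is an added example and not code from the original post or from Flashpoint: the telnet log format is constructed for this example (adapt the regex to your honeypot or device syslog), and of the credential pairs only root/xc3511 is named on the page; the others are generic factory defaults included as assumptions.

```python
"""Flag Mirai-style telnet dictionary attacks in login logs.

Added example, not from the original post. Log format is constructed; the
credential list is an assumption apart from root/xc3511, which the post names.
"""
import re
from collections import defaultdict

# Username/password pairs typical of factory-default IoT credentials.
# root/xc3511 is from the post; the remaining pairs are assumptions.
DEFAULT_CREDENTIALS = {
    ("root", "xc3511"),
    ("root", "admin"),
    ("admin", "admin"),
    ("root", "123456"),
    ("root", "root"),
    ("admin", "1234"),
}

# Constructed log line format (one attempt per line):
#   2016-09-20T20:01:03Z telnet login src=198.51.100.7 user=root pass=xc3511 result=FAIL
LOG_RE = re.compile(
    r"^(?P<ts>\S+) telnet login src=(?P<src>\S+) user=(?P<user>\S*) "
    r"pass=(?P<pw>\S*) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_dictionary_attacks(lines, min_attempts=3, min_default_pairs=2):
    """Return {src: summary} for sources that behave like a Mirai scanner.

    A source is flagged when it makes at least `min_attempts` login attempts
    and tries at least `min_default_pairs` distinct known factory-default pairs.
    `success` is True when any attempt succeeded, which means a device with an
    unchanged default password has most likely just been recruited.
    """
    per_src = defaultdict(lambda: {"attempts": 0, "default_pairs": set(), "success": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a telnet login record; ignore
        s = per_src[rec["src"]]
        s["attempts"] += 1
        pair = (rec["user"], rec["pw"])
        if pair in DEFAULT_CREDENTIALS:
            s["default_pairs"].add(pair)
        if rec["result"] == "OK":
            s["success"] = True
    return {
        src: {
            "attempts": s["attempts"],
            "default_pairs": sorted(s["default_pairs"]),
            "success": s["success"],
        }
        for src, s in per_src.items()
        if s["attempts"] >= min_attempts and len(s["default_pairs"]) >= min_default_pairs
    }


# Constructed sample: one scanner cycling through default pairs until one works,
# one operator mistyping a real password once, one single-attempt source.
SAMPLE_LOG = """\
2016-09-20T20:01:03Z telnet login src=198.51.100.7 user=root pass=xc3511 result=FAIL
2016-09-20T20:01:04Z telnet login src=198.51.100.7 user=root pass=admin result=FAIL
2016-09-20T20:01:05Z telnet login src=198.51.100.7 user=admin pass=admin result=OK
2016-09-20T20:02:10Z telnet login src=192.0.2.44 user=operator pass=S3cret! result=FAIL
2016-09-20T20:02:15Z telnet login src=192.0.2.44 user=operator pass=S3cret!! result=OK
2016-09-20T20:03:00Z telnet login src=203.0.113.9 user=root pass=xc3511 result=FAIL
""".splitlines()

if __name__ == "__main__":
    for src, summary in find_dictionary_attacks(SAMPLE_LOG).items():
        print(src, summary)
```

The thresholds are deliberately low: a scanner that walks a short default list gives up after a handful of attempts per host, so waiting for dozens of failures as with SSH brute-force detection would miss it. A hit with `success` set should be treated as a compromised device, not a suspicious login, because the password cannot be rotated on the hardware the post describes.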
In retail marketing, companies often try to add value to a product with the addition of extra items that are discounted or free. In the words of one of the infomercial kings, Ron Popeil, ‘But wait, there’s more!’. While I may have been originally interested in a set of Ginsu knives, the bonus vegetable dicer sealed the deal.
It seems the future is upon us. Some of you may have heard about the attacks on Brian Krebs, security researcher and journalist, and on OVH, the French hosting company. These are the largest DDoS attacks ever recorded, at 620Gbps and 1+Tbps respectively. If you have read up on these attacks, you will also be familiar with the fact that automated bot armies are being leveraged by booter or stresser services. These services are offered by “entrepreneurs” for a nominal fee to their paying clientele. Booter services are not new to the realm of DDoS. What has changed over the years is the scale and scope these automation engines achieve. The services’ command and control networks have grown in the number of compromised bots and in the effectiveness of their attack tactics. The exponential growth of insecure Internet-connected devices has enabled this. The Internet of Things (IoT), that is IP-enabled cameras, printers, TVs, refrigerators and the like, has certainly contributed, because these devices were not developed with security in mind.
Most recently I traveled to Mexico City in large part to support a tradeshow and presentation I was to deliver at Segurinfo Mexico 2016.
My hat’s off to the organizers of Segurinfo Mexico 2016, held in Mexico City every year, for a very powerful event! Over the past few years this event has continued to build attendance and interest at a brisk pace, and this year it achieved record attendance and a wonderful gathering of vendors and practitioners alike. All in all, I believe that if one couldn’t learn something from the Segurinfo Mexico 2016 show, then the problem probably lay more with the seeker than with the organizers!
The unprecedented attacks launched recently against Brian Krebs’ blog (Krebs on Security) and the hosting provider OVH highlight the immense damage IoT-driven botnets can inflict, and really signal a new age of attacks.
For years, security evangelists have been talking about the potential for IoT-driven attacks, a message that has often been met with a combination of eye rolls and skepticism. That is likely no longer the case after these latest attacks. It is a shift I experienced first-hand at the SecureWorld event in Denver, where I participated in a panel on the current threat landscape. The IoT threat now gets attention in a current-threats setting, whereas in the past it belonged to the future-threats panels and discussions. This week’s panel elicited a palpable degree of anxiety from the audience about what these attacks mean for security professionals.
Thus far, if nothing else, the two presidential debates have been breathtaking spectacles of differences of opinion and pomp. I think I would be in fair company to say that most of the topics have been superficially covered and numerous dire topics have yet to really be debated, such as cyber-security. Among the deep and profound questions, I would be eager to understand where the candidates are with regard to the following extremely important topics:
On Tuesday, September 20th around 8:00PM, KrebsOnSecurity.com was the target of a record-breaking 620Gbps volumetric DDoS attack designed to take the site offline. A few days later, the same type of botnet was used in a 1Tbps attack targeting the French web host OVH. What is interesting about these attacks is that, unlike previous record-holding attacks (which carried less than half the traffic volume), they did not use amplification or reflection. In the case of KrebsOnSecurity, the biggest chunk of the attack traffic came in the form of GRE, which is very unusual. In the OVH attack, more than 140,000 unique IPs were reported in what appeared to be a SYN and ACK flood.
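The distinction the paragraph draws, direct bot-sourced traffic (GRE, SYN/ACK from many unique IPs) versus reflected and amplified traffic, is something a responder can read off sampled flow records during an attack. The following profiler is an added example and not code from the original post or from Akamai, OVH or Radware: the one-record-per-line flow format is constructed for this example (adapt `parse_flow` to your NetFlow/sFlow exporter), and inferring reflection from UDP traffic sourced from well-known reflector ports is a heuristic assumption.

```python
"""Profile a volumetric flood from sampled flow records: direct vs reflected.

Added example, not from the original post. Record format is constructed;
the reflector-port heuristic is an assumption.
"""
from collections import Counter

# UDP source ports commonly abused for reflection/amplification (assumption).
REFLECTOR_PORTS = {19, 53, 123, 161, 1900, 11211}


def parse_flow(line):
    """Parse 'src=.. proto=.. [sport=..] [dport=..] [flags=..] bytes=..' into a dict.

    GRE records carry no ports or TCP flags, so those fields default to 0/''.
    """
    fields = dict(tok.split("=", 1) for tok in line.split())
    return {
        "src": fields["src"],
        "proto": fields["proto"].upper(),
        "sport": int(fields.get("sport", 0)),
        "dport": int(fields.get("dport", 0)),
        "flags": fields.get("flags", ""),
        "bytes": int(fields["bytes"]),
    }


def profile_flood(lines):
    """Summarise a flood sample.

    Returns total bytes, byte share per protocol, SYN and ACK packet counts,
    the number of unique sources, the share of bytes that look reflected
    (UDP from reflector ports), and a verdict: 'reflection' when that share
    exceeds half the traffic, otherwise 'direct' (bot-sourced GRE/TCP, as in
    the Krebs and OVH attacks).
    """
    recs = [parse_flow(line) for line in lines if line.strip()]
    total = sum(r["bytes"] for r in recs)
    by_proto = Counter()
    syn = ack = reflected = 0
    for r in recs:
        by_proto[r["proto"]] += r["bytes"]
        if r["proto"] == "TCP":
            if "S" in r["flags"] and "A" not in r["flags"]:
                syn += 1  # bare SYN: connection-table exhaustion
            elif "A" in r["flags"]:
                ack += 1  # ACK (or SYN/ACK): stateless volumetric filler
        if r["proto"] == "UDP" and r["sport"] in REFLECTOR_PORTS:
            reflected += r["bytes"]
    share = {p: round(b / total, 3) for p, b in by_proto.items()} if total else {}
    reflected_share = round(reflected / total, 3) if total else 0.0
    return {
        "total_bytes": total,
        "share_by_proto": share,
        "syn_packets": syn,
        "ack_packets": ack,
        "unique_sources": len({r["src"] for r in recs}),
        "reflected_share": reflected_share,
        "kind": "reflection" if reflected_share > 0.5 else "direct",
    }


# Constructed sample resembling the Krebs attack: GRE from many bots plus some TCP.
DIRECT_SAMPLE = """\
src=198.51.100.1 proto=GRE bytes=1400
src=198.51.100.2 proto=GRE bytes=1400
src=198.51.100.3 proto=GRE bytes=1400
src=198.51.100.4 proto=TCP sport=40123 dport=80 flags=S bytes=60
src=198.51.100.5 proto=TCP sport=40124 dport=80 flags=A bytes=60
""".splitlines()

# Constructed sample of a classic reflection flood: large UDP from port 53/123.
REFLECTION_SAMPLE = """\
src=192.0.2.53 proto=UDP sport=53 dport=3333 bytes=3000
src=192.0.2.54 proto=UDP sport=53 dport=3333 bytes=3000
src=192.0.2.123 proto=UDP sport=123 dport=3333 bytes=440
src=203.0.113.9 proto=TCP sport=5000 dport=80 flags=A bytes=60
""".splitlines()

if __name__ == "__main__":
    print("direct:", profile_flood(DIRECT_SAMPLE))
    print("reflection:", profile_flood(REFLECTION_SAMPLE))
```

The verdict matters for mitigation: a reflection flood can be rate-limited by source port and protocol at the edge, whereas a direct flood from more than 140,000 real source addresses offers no such handle and has to be absorbed or scrubbed upstream, which is why these attacks broke the previous records despite using no amplification.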