Radware’s Pascal Geenens walks us through 10 questions regarding the cyber security threat landscape, trends in the Darknet, motivations for attacks, and much more.
As devices get more connected, they potentially get smarter and provide richer functionality. The internet of things (IoT) describes a world where just about anything can be connected, from routers, smart thermostats, smart light bulbs, and door locks to intelligent fridges, or even cars.
In recent events, devices with less than desirable security states were taken over by massive botnets consisting of hundreds of thousands of devices that were able to launch an impressive DDoS attack that crippled several online services.
Data is the currency of today’s digital economy, the oil of the 21st century. Personal data is considered our economical asset generated by our identities and our behavior and we trade it for higher quality services and products. Online platforms act as intermediaries in a two-sided market collecting data from consumers and selling advertising slots to companies. In exchange for our data being collected, we get what appears to be a free service.
The growth and the market capitalization of social platform providers like Facebook and search engines such as Google demonstrate the value of personal data. Personal data also provides new ways to monetize services as news organizations are finding it difficult to charge ‘real’ money for digital news, but leverage our willingness to pay for a selection of ‘free’ news with our personal data. Every 3 out of 4 persons prefer free registration with selective access over a paid registration with full access.
On January 12th, the Shadow Brokers announced they are ‘going dark’ by leaving a farewell: “So long, farewell peoples. TheShadowBrokers is going dark, making exit. Continuing is being much risk and b*******, not many bitcoins. … Despite theories, it always being about bitcoins for TheShadowBrokers. Free dumps and b******* political talk was being for marketing attention. There being no bitcoins in free dumps and giveaways. You are being disappointed? Nobody is being more disappointed than TheShadowBrokers.”
The success of an online business depends in large part on the user experience. After all, competitors are only a single click away. There is a broad spectrum of services that impact user experience from an infrastructure and application perspective. Think about page load times, availability, and feature richness. Agility in the delivery infrastructure and continuous delivery of applications have become ubiquitous to the success of an online business. Hyper scale cloud providers such as Google, Amazon, eBay, and Netflix have been leading on highly scalable, agile infrastructure and continuous delivery of applications and are considered the golden standards for the practice of online business.
Mirai has been popping on and off the news and is becoming a commodity resource for large scale DDoS attacks. Although most of the security community have been debating and warning about the IoT threat, there is only evidence for a very specific class of devices being involved in the Mirai attacks. As we came to know the source code and security researchers started to investigate the victimized devices, it was clear that a common class of devices stood out in the list compiled by Krebs: IP cameras, DVRs and a handful of routers. What made them better candidates than your smart toaster or your cloud connected thermostat? The fact that routers are in the list should not be surprising, those devices are per definition connected to the internet and are clearly #1 on the pwning list, which was proven again recently when 900,000 routers from DT where taken offline for service as a result of what is supposed to be an adapted version of Mirai using a remote code execution (RCE) vulnerability through the TR-069 CPE WAN management protocol.
Following the public release of the Mirai (You can read more about it here) bot code, security analysts fear for a flood of online attacks from hackers. Mirai exposes worm-like behavior that spreads to unprotected devices, recruiting them to form massive botnets, leveraging factory default credentials and telnet to brute and compromise unsuspecting user’s devices.
Soon after the original attacks, Flashpoint released a report identifying the primary manufacturer of the devices utilizing the default credentials ‘root’ and ‘xc3511’. In itself, factory default credentials should not pose an enormous threat, however combined with services like Telnet or SSH enabled by default and the root password being immutable, the device could be considered a Trojan with a secret backdoor, a secret that now has become public knowledge.
On Tuesday, September 20th around 8:00PM, KrebsOnSecurity.com was the target of a record-breaking 620Gbps volumetric DDoS attack designed to take the site offline. A few days later, the same type of botnet was used in a 1Tbps attack targeting the French webhoster OVH. What’s interesting about these attacks was that compared to previous record-holding attacks, which were less than half the traffic volume, they were not using amplification or reflection. In the case of KrebsOnSecurity, the biggest chunk of the attack traffic came in the form of GRE, which is very unusual. In the OVH attack, more than 140,000 unique IPs were reported in what seemed to be a SYN and ACK flood attack.