One in three organizations hit by DDoS attacks experienced an attack against their DNS server. Why is DNS such an attractive target? What are the challenges associated with keeping it secure? Which attack vectors represent the worst of the worst when it comes to DNS assaults? Based on research from Radware’s 2017-2018 Global Application & Network Security Report, this piece answers all those questions and many more.
WHAT DO BANKS AND CYBERSECURITY HAVE IN COMMON? EVERYTHING
The world we live in can be a dangerous place, both physically and digitally. Our growing reliance on the Internet, technology and digitalization only makes our dependence on technology more perilous. As an executive, you’re facing pressure both internally (from customers and shareholders) and externally (from industry compliance or government regulations) to keep your organization’s digital assets and your customers’ secure.
New cybersecurity threats require new solutions. New solutions require a project to implement them. The problems and solutions seem infinite while budgets remain bounded. Therefore, the challenge becomes how to identify the priority threats, select the solutions that deliver the best ROI and stretch dollars to maximize your organization’s protection. Consultants and industry analysts can help, but they too can be costly options that don’t always provide the correct advice.
So how best to simplify the decision-making process? Use an analogy. Consider that every cybersecurity solution has a counterpart in the physical world. To illustrate this point, consider the security measures at banks. They make a perfect analogy, because banks are just like applications or computing environments; both contain valuables that criminals are eager to steal.
The first line of defense at a bank is the front door, which is designed to allow people to enter and leave while providing a first layer of defense against thieves. Network firewalls fulfill the same role within the realm of cyber security. They allow specific types of traffic to enter an organization’s network but block mischievous visitors from entering. While firewalls are an effective first line of defense, they’re not impervious. Just like surreptitious robbers such as Billy the Kid or John Dillinger, SSL/TLS-based encrypted attacks or nefarious malware can sneak through this digital “front door” via a standard port.
Past the entrance there is often a security guard, who plays the role of an IPS or anti-malware device. This “security guard,” which is typically an anti-malware and/or heuristic-based IPS function, seeks to identify unusual behavior or other indicators that trouble has entered the bank, such as somebody wearing a ski mask or perhaps carrying a concealed weapon.
Once the hacker gets past these perimeter security measures, they find themselves at the presentation layer of the application, or in the case of a bank, the teller. There is security here as well: first, authentication (do you have an account?) and second, two-factor authentication (an ATM card and security PIN). IPS and anti-malware devices work in concert with SIEM management solutions to serve as security cameras, performing additional security checks. Just like a bank leveraging the FBI’s Most Wanted List, these solutions leverage crowd sourcing and big-data analytics to analyze data from a massive global community and identify bank-robbing malware in advance.
THE EXECUTIVE GUIDE TO DEMYSTIFYING CYBERSECURITY
A robber will often demand access to the bank’s vault. In the realm of IT, this is the database, where valuable information such as passwords, credit card or financial transaction information or healthcare data is stored. There are several ways of protecting this data, or at the very least, monitoring it. Encryption and database application monitoring solutions are the most common.
ADAPTING FOR THE FUTURE: DDOS MITIGATION
To understand how and why cybersecurity models will have to adapt to meet future threats, let’s outline three obstacles they’ll have to overcome in the near future: advanced DDoS mitigation, encrypted cyberattacks, and DevOps and agile software development.
A DDoS attack is any cyberattack that compromises a company’s website or network and impairs the organization’s ability to conduct business. Take an e-commerce business for example. If somebody wanted to prevent the organization from conducting business, it’s not necessary to hack the website but simply to make it difficult for visitors to access it.
Leveraging the bank analogy, this is why banks and financial institutions leverage multiple layers of security: it provides an integrated, redundant defense designed to meet a multitude of potential situations in the unlikely event a bank is robbed. This also includes the ability to quickly and effectively communicate with law enforcement.
In the world of cyber security, multi-layered defense is also essential. Why? Because preparing for “common” DDoS attacks is no longer enough. With the growing online availability of attack tools and services, the pool of possible attacks is larger than ever. This is why hybrid protection, which combines both on-premise and cloud-based mitigation services, is critical.
Why are there two systems when it comes to cyber security? Because it offers the best of both worlds. When a DDoS solution is deployed on-premise, organizations benefit from an immediate and automatic attack detection and mitigation solution. Within a few seconds of the initiation of a cyber-assault, the online services are well protected and the attack is mitigated. However, an on-premise DDoS solution cannot handle volumetric network floods that saturate the Internet pipe. These attacks must be mitigated from the cloud.
Hybrid DDoS protection aspires to offer best-of-breed attack mitigation by combining on-premise and cloud mitigation into a single, integrated solution. The hybrid solution chooses the right mitigation location and technique based on attack characteristics. In the hybrid solution, attack detection and mitigation start immediately and automatically using the on-premise attack mitigation device. This stops various attacks from diminishing the availability of the online services. All attacks are mitigated on-premise, unless they threaten to block the Internet pipe of the organization. In case of pipe saturation, the hybrid solution activates cloud mitigation and the traffic is diverted to the cloud, where it is scrubbed before being sent back to the enterprise. An ideal hybrid solution also shares essential information about the attack between on-premise mitigation devices and cloud devices to accelerate and enhance the mitigation of the attack once it reaches the cloud.
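The escalation decision described above (mitigate on-premise, divert to the cloud only when the pipe is about to saturate, and come back only once the flood has clearly subsided) can be written as a small state machine. The following is an added illustration, not Radware’s product logic; the link capacity, the 90%/50% thresholds, the hold times and the per-second ingress samples are all constructed assumptions. The comparison function shows why a plain threshold without hysteresis would flap between the two locations on bursty traffic.

```python
"""Simplified hybrid DDoS escalation: on-premise mitigation until the Internet
pipe is about to saturate, then cloud diversion, with hysteresis on the way
back. Added illustration with constructed parameters; not Radware's logic."""
from dataclasses import dataclass


@dataclass
class HybridPolicy:
    pipe_mbps: float            # capacity of the organisation's Internet link
    divert_ratio: float = 0.9   # divert when ingress reaches this share of the pipe
    release_ratio: float = 0.5  # return on-premise only below this share
    divert_after: int = 3       # consecutive seconds over threshold before diverting
    release_after: int = 10     # consecutive seconds under threshold before release


def plan_mitigation(samples_mbps, policy):
    """Per-second mitigation location ('on-prem' or 'cloud') plus the transitions.

    samples_mbps: ingress volume measured each second at the on-premise device
    (assumed here to be the signal it shares with the cloud service).
    """
    state, over, under = "on-prem", 0, 0
    decisions, transitions = [], []
    for t, mbps in enumerate(samples_mbps):
        util = mbps / policy.pipe_mbps
        if state == "on-prem":
            over = over + 1 if util >= policy.divert_ratio else 0
            if over >= policy.divert_after:       # sustained near-saturation
                state, over = "cloud", 0
                transitions.append((t, state))
        else:
            under = under + 1 if util < policy.release_ratio else 0
            if under >= policy.release_after:     # flood clearly over
                state, under = "on-prem", 0
                transitions.append((t, state))
        decisions.append(state)
    return decisions, transitions


def naive_plan(samples_mbps, policy):
    """Threshold-only variant with no hysteresis, for comparison: it flaps."""
    transitions, state = [], "on-prem"
    for t, mbps in enumerate(samples_mbps):
        new_state = "cloud" if mbps / policy.pipe_mbps >= policy.divert_ratio else "on-prem"
        if new_state != state:
            state = new_state
            transitions.append((t, state))
    return transitions


# Constructed one-second ingress samples (Mbps) on an assumed 1 Gbps link:
# baseline, a volumetric flood that exceeds the pipe, then recovery.
FLOOD = [100, 150, 120, 950, 980, 990, 1200, 1500, 1100,
         400, 300, 200, 200, 200, 200, 200, 200, 200, 200, 150]
# Constructed bursty series that hovers around the divert threshold.
BURSTY = [950, 400, 950, 400, 950, 400, 950, 400]

if __name__ == "__main__":
    policy = HybridPolicy(pipe_mbps=1000)
    decisions, transitions = plan_mitigation(FLOOD, policy)
    print("transitions:", transitions)
    print("seconds diverted to cloud:", decisions.count("cloud"))
    print("naive transitions on bursty input:", len(naive_plan(BURSTY, policy)))
    print("hysteresis transitions on bursty input:", len(plan_mitigation(BURSTY, policy)[1]))
```

On the constructed flood the policy diverts at second 5 (after three consecutive seconds near saturation) and returns on-premise at second 18; on the bursty series the naive threshold switches eight times while the hysteresis policy never diverts at all, which is the behaviour you want from the on-premise device feeding the cloud decision.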
INSPECTING ENCRYPTED DATA
Companies have been encrypting data for well over 20 years. Today, over 50% of Internet traffic is encrypted. SSL/TLS encryption is still the most effective way to protect data as it ties the encryption to both the source and destination. This is a double-edged sword however. Hackers are now leveraging encryption to create new, stealthy attack vectors for malware infection and data exfiltration. In essence, they’re a wolf in sheep’s clothing.
To stop hackers from leveraging SSL/TLS-based cyberattacks, organizations require computing resources to inspect communications and ensure they’re not carrying malware. These increasing resource requirements make it challenging for anything but purpose-built hardware to conduct inspection.
The equivalent in the banking world is twofold. If somebody were to enter wearing a ski mask, that person probably wouldn’t be allowed to conduct a transaction, or secondly, there can be additional security checks when somebody enters a bank and requests a large or unique withdrawal.
DEALING WITH DEVOPS AND AGILE SOFTWARE DEVELOPMENT
Lastly, how do we ensure that, as applications become more complex, they don’t become increasingly vulnerable either from coding errors or from newly deployed functionality associated with DevOps or agile development practices? The problem is most cybersecurity solutions focus on stopping existing threats. To use our bank analogy again, existing security solutions mean that (ideally), a career criminal can’t enter a bank, someone carrying a concealed weapon is stopped or somebody acting suspiciously is blocked from making a transaction. However, nothing stops somebody with no criminal background or conducting no suspicious activity from entering the bank. The bank’s security systems must be updated to look for other “indicators” that this person could represent a threat.
In the world of cybersecurity, the key is implementing a web application firewall that adapts to evolving threats and applications. A WAF accomplishes this by automatically detecting and protecting new web applications as they are added to the network via automatic policy generation.
It should also differentiate between false positives and false negatives. Why? Because just like a bank, web applications are being accessed both by desired legitimate users and undesired attackers (malignant users whose goal is to harm the application and/or steal data). One of the biggest challenges in protecting web applications is the ability to accurately differentiate between the two and identify and block security threats while not disturbing legitimate traffic.
ADAPTABILITY IS THE NAME OF THE GAME
The world we live in can be a dangerous place, both physically and digitally. Threats are constantly changing, forcing both financial institutions and organizations to adapt their security solutions and processes. When contemplating the next steps, consider the following:
- Use common sense and logic. The marketplace is saturated with offerings. Understand how a cybersecurity solution will fit into your existing infrastructure and the business value it will bring by keeping your organization up and running and your customers’ data secure.
- Understand the long-term TCO of any cyber security solution you purchase.
- The world is changing. Ensure that any cyber security solution you implement is designed to adapt to the constantly evolving threat landscape and your organization’s operational needs.
Read the “2018 C-Suite Perspectives: Trends in the Cyberattack Landscape, Security Threats and Business Impacts” to learn more.
Individual research contributed by Adi Raff and Yuval Shapira.
On May 3, 2018, Radware’s cloud malware protection service detected a zero-day malware threat at one of its customers, a global manufacturing firm, by using machine-learning algorithms. This malware campaign is propagating via socially-engineered links on Facebook and is infecting users by abusing a Google Chrome extension (the ‘Nigelify’ application) that performs credential theft, cryptomining, click fraud and more.
A newly discovered botnet targets TCP port 8291 and vulnerable MikroTik RouterOS-based devices. MikroTik is a Latvian hardware manufacturer whose products are used around the world; they are now the target of a new, self-propagating botnet that exploits vulnerabilities in the RouterOS operating system to execute code remotely on the device. Such devices have been making unaccounted-for outbound Winbox connections. Radware’s Emergency Response Team (ERT) has spotted an increase in malicious activity following Kaspersky’s publication about the Slingshot APT malware that infected MikroTik routers. It is believed this botnet is part of the Hajime botnet. Radware is witnessing the spreading mechanism going beyond port 8291 into other ports and rapidly infecting devices other than MikroTik (such as AirOS/Ubiquiti). The concern is that this new botnet will be leveraged to launch DDoS attacks. This is another event demonstrating the struggle for control between various bot-herders.
RouterOS is an operating system based on the Linux kernel, which implements functionality normally used by ISPs, such as BGP, IPv6, OSPF or MPLS. RouterOS is supported by MikroTik and its user community, which provides a wide variety of configuration examples. RouterOS is embedded in MikroTik’s RouterBOARD product line, focused on small- and medium-sized Internet access providers that typically provide broadband access in remote areas.
Preliminary analysis suggests that the botnet is exploiting known MikroTik vulnerabilities (HTTP, SMB) as well as password brute-forcing. The worm has a highly efficient propagation mechanism: it aggressively scans for port 8291 to identify publicly available MikroTik devices and uses its password-cracking capabilities to infect neighboring devices.
MikroTik RouterOS SMB Buffer Overflow Vulnerability
A buffer overflow state occurs in MikroTik’s RouterOS SMB service when processing NetBIOS session request messages. Remote attackers exploiting this vulnerability can execute code on the system. As the overflow occurs before authentication takes place, an unauthenticated remote attacker can easily exploit it.
ChimayRed HTTP Exploit
The MikroTik RouterOS software running on the remote host is affected by a flaw in its HTTP web server process due to improper validation of user-supplied input. An unauthenticated, remote attacker can craft a POST request to write data to an arbitrary location within the web server process, resulting in a denial-of-service condition or the execution of arbitrary code.
At 15:00 UTC on 2018-03-24, Radware’s ERT research team detected a huge spike in activity on TCP port 8291 in its global honeypot network.
After near-zero activity for months, Radware witnessed over 10,000 unique IPs hitting port 8291 in a single day.
The worm aggressively scans the Internet with SYN packets to port 8291, but it never actually completes a 3-way handshake on that port, i.e., no payload is sent to the port.
It appears the worm utilizes this stealth-SYN scan method to quickly identify vulnerable Mikrotik devices, as this port is used almost exclusively by the Mikrotik RouterOS platform. In addition to scanning port 8291, the worm targets the following ports: 80, 81, 82, 8080, 8081, 8082, 8089, 8181, 8880.
The worm uses the ChimayRed exploit targeting vulnerable web servers on Mikrotik devices.
The worm will try to send the malicious payload to port 80 as well as the other ports listed earlier (80, 81, 82, 8080, 8081, 8082, 8089, 8181, 8880).
The worm has a very high success rate of exploiting and spreading, as mentioned in MikroTik’s own forum (*Update 1), “Our network had a major attack today as well. It seems like they opened some devices via the http port (quite an old firmware) and they tried to spread or access by brute forcing mikrotik neighbors.”
This means that the worm utilizes exploits as well as password brute-forcing attempts to nearby neighbors, speeding up the infection rate.
Hashes / IOCs
- POST /jsproxy HTTP/1.1\r\nContent-Length:
MikroTik recommends firewalling ports 80/8291 (Web/Winbox) and upgrading RouterOS devices to v6.41.3 (or at least to a version above v6.38.5; see *Update 2). Follow MikroTik’s thread on Twitter.
*Update 1: We regret the confusion caused by a wrong choice of wording that might have given the impression that MikroTik’s own network was compromised. We changed the wording from ‘own post’ to ‘own forum’ as the post was not originating from a MikroTik employee.
*Update 2: Updated MikroTik original recommendation that was posted in a deleted Twitter message (https://twitter.com/mikrotik_com/status/978160202380972032) and replaced with new recommendation as per the later Tweet (https://twitter.com/mikrotik_com/status/978533853324283904).
Download “When the Bots Come Marching In, a Closer Look at Evolving Threats from Botnets, Web Scraping & IoT Zombies” to learn more.
The Internet of Things (IoT) describes a world where just about anything is an Internet-enabled device. IoT is comprised of smart physical objects such as vehicles and buildings or embedded devices such as refrigerators, toasters and routers. These devices feature sensors and an IP address for Internet connectivity, enabling these objects to collect and exchange data while allowing users the ability to automate or control their devices.
On February 8th, 2018, Radware’s Deception Network detected a significant increase in malicious activity over port 8080. Further investigation uncovered a new variant of the Satori botnet capable of aggressive scanning and exploitation of CVE-2017-18046 – Dasan Unauthenticated Remote Code Execution. Referred to as “Satori.Dasan,” it has been rapidly expanding with a high success rate. The C2/Exploit server for this botnet is 188.8.131.52 (AS49349 – BlazingFast LLC, Ukraine).
It is not clear what the purpose of this new botnet is, as we were unable to find specific attack vectors in the binary.
Our analysis suggests that Satori is looking to take over 40,000 IoT devices to join its growing family of cryptocurrency miners, as we saw here, and here. This would make the Satori.dasan malware a stage #1 infection, responsible for rapidly scanning the internet looking for vulnerable devices.
Over the past two days Radware has detected over 2,000 malicious unique IPs daily, almost 10 times higher than the daily average in the weeks prior.
The majority of the traffic came from Vietnam originating almost entirely from an ISP named ‘Viettel.’
A significant percentage of those malicious bots were also listening themselves on port 8080.
By sampling roughly 1000 IPs and querying their server headers, Radware revealed that 95% identified themselves as running “Dasan Network Solution.”
A quick Shodan search revealed about 40,000 devices listening on port 8080, with over half located in Vietnam and, not surprisingly, on an ISP named ‘Viettell Corporation.’
Botnet Activity: Distributed Scanning and Central Exploitation Server
The infected bots perform aggressive scanning of random IP addresses, exclusively targeting port 8080. Once a bot finds a suitable target, it notifies a C2 server, which immediately attempts to infect it.
See the following sequence captured at one of Radware’s sensors (10.0.0.70):
The infected bot sends a half-open stealth-scan SYN request to port 8080. Instead of an ACK, a TCP RST is sent. As is typical of Mirai code, the initial TCP SYN packet carries a sequence number identical to the 32-bit value of the target victim’s IP address.
After 4 seconds, the bot establishes a 3-way TCP handshake to port 8080.
The following 113-byte payload is sent:
Note that this is not the actual exploitation attempt, but rather a screening process to find vulnerable hosts.
Radware’s Deception Network sensor is answering the probe with the following response:
The bot closes the connection.
Now comes the interesting part.
Notice the timestamp: it is just 106 milliseconds after the last packet, and we suddenly get an exploitation attempt from a completely different IP address. This IP belongs to a central exploitation server running on 184.108.40.206.
The exploit server sends the following payload over HTTPS port 8080:
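The two scanning behaviours described on this page, the port-8291 SYN sweep that never completes a handshake and the Satori.Dasan sequence above (half-open SYN carrying the target’s IP as sequence number, a short probe connection, then a payload from a different address about 100 ms later), can both be picked out of a packet log on the defender’s side. The following detection script is an added example and is not Radware’s sensor code. It runs over a constructed one-line-per-packet log: 10.0.0.70 is the sensor address from the page, the external addresses are RFC 5737 documentation ranges, the 113-byte probe length is taken from the page, and the one-second correlation window is an assumption.

```python
"""Flow-level detection of the scanning behaviours described above.
Added example over a constructed packet log (not Radware's capture). Flags:
  - half-open SYN scans (SYN sent, handshake never completed)
  - Mirai-style SYNs whose sequence number equals the target IPv4 address
  - a probe from one source followed, within a short window, by a payload
    from a different source to the same port (scan here, exploit from there)"""
import ipaddress
import re
from collections import defaultdict

# Constructed packet log, one packet per line. 10.0.0.70 is the page's sensor
# address; the external addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
ts=0.000 src=203.0.113.10:41000 dst=10.0.0.70:8080 flags=S seq=167772230 len=0
ts=0.001 src=10.0.0.70:8080 dst=203.0.113.10:41000 flags=SA seq=900 len=0
ts=0.002 src=203.0.113.10:41000 dst=10.0.0.70:8080 flags=R seq=167772231 len=0
ts=4.000 src=203.0.113.10:41001 dst=10.0.0.70:8080 flags=S seq=7777 len=0
ts=4.001 src=10.0.0.70:8080 dst=203.0.113.10:41001 flags=SA seq=901 len=0
ts=4.002 src=203.0.113.10:41001 dst=10.0.0.70:8080 flags=A seq=7778 len=0
ts=4.003 src=203.0.113.10:41001 dst=10.0.0.70:8080 flags=PA seq=7778 len=113
ts=4.050 src=203.0.113.10:41001 dst=10.0.0.70:8080 flags=FA seq=7891 len=0
ts=4.156 src=198.51.100.7:50000 dst=10.0.0.70:8080 flags=S seq=5000 len=0
ts=4.157 src=10.0.0.70:8080 dst=198.51.100.7:50000 flags=SA seq=902 len=0
ts=4.158 src=198.51.100.7:50000 dst=10.0.0.70:8080 flags=A seq=5001 len=0
ts=4.159 src=198.51.100.7:50000 dst=10.0.0.70:8080 flags=PA seq=5001 len=600
ts=9.000 src=203.0.113.55:33000 dst=10.0.0.70:8291 flags=S seq=12345 len=0
ts=9.300 src=203.0.113.56:33001 dst=10.0.0.70:8291 flags=S seq=12346 len=0
ts=20.000 src=192.0.2.9:44000 dst=10.0.0.70:80 flags=S seq=42 len=0
ts=20.002 src=192.0.2.9:44000 dst=10.0.0.70:80 flags=A seq=43 len=0
ts=20.003 src=192.0.2.9:44000 dst=10.0.0.70:80 flags=PA seq=43 len=300
"""

LINE_RE = re.compile(
    r"ts=(?P<ts>[\d.]+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) flags=(?P<flags>[A-Z]+) "
    r"seq=(?P<seq>\d+) len=(?P<len>\d+)$"
)


def parse_log(text):
    """Parse the one-line-per-packet format into dicts; skip malformed lines."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            packets.append({"ts": float(d["ts"]), "src": d["src"],
                            "sport": int(d["sport"]), "dst": d["dst"],
                            "dport": int(d["dport"]), "flags": d["flags"],
                            "seq": int(d["seq"]), "len": int(d["len"])})
    return packets


def analyze(packets, sensor, exploit_window=1.0):
    """Return (kind, source, dst_port, ts) alerts for traffic toward `sensor`."""
    alerts = []
    # Client-side state per (src ip, src port, dst port): flags and bytes sent.
    conns = defaultdict(lambda: {"flags": set(), "first_ts": None, "bytes": 0})
    target_int = int(ipaddress.IPv4Address(sensor))
    for p in packets:
        if p["dst"] != sensor:
            continue  # only the inbound direction matters here
        c = conns[(p["src"], p["sport"], p["dport"])]
        if c["first_ts"] is None:
            c["first_ts"] = p["ts"]
        c["flags"].update(p["flags"])
        c["bytes"] += p["len"]
        # Mirai-derived scanners set the SYN sequence number to the target IP.
        if "S" in p["flags"] and "A" not in p["flags"] and p["seq"] == target_int:
            alerts.append(("mirai_seq_signature", p["src"], p["dport"], p["ts"]))
    # A SYN never followed by an ACK from the same client is a half-open scan;
    # a completed connection that carried data is a candidate probe.
    probes = []
    for (src, _sport, dport), c in conns.items():
        if "S" in c["flags"] and "A" not in c["flags"]:
            alerts.append(("half_open_scan", src, dport, c["first_ts"]))
        elif c["bytes"] > 0:
            probes.append((c["first_ts"], src, dport))
    # Distributed scanning, central exploitation: a different source delivers
    # a payload to the same port shortly after the probe connection.
    probes.sort()
    for i, (t1, s1, port1) in enumerate(probes):
        for t2, s2, port2 in probes[i + 1:]:
            if port2 == port1 and s2 != s1 and t2 - t1 <= exploit_window:
                alerts.append(("scan_then_exploit", f"{s1}->{s2}", port1, t2))
    return alerts


def alerts_by_kind(alerts):
    """Group alert sources by kind for quick reporting."""
    grouped = defaultdict(set)
    for kind, src, _port, _ts in alerts:
        grouped[kind].add(src)
    return {kind: sorted(srcs) for kind, srcs in grouped.items()}


if __name__ == "__main__":
    for kind, srcs in alerts_by_kind(analyze(parse_log(SAMPLE_LOG), "10.0.0.70")).items():
        print(f"{kind:20s} {', '.join(srcs)}")
```

On the constructed log the script reports 203.0.113.10 for the Mirai sequence-number signature, the three half-open sources (the SYN/RST on 8080 and the two bare SYNs on 8291), and the pair 203.0.113.10->198.51.100.7 for the probe-then-exploit handoff on port 8080, while the ordinary connection from 192.0.2.9 to port 80 raises nothing. The half-open rule on its own will also match benign connection attempts to closed ports, so in production it is the combination of the three signals, plus volume per source, that makes a confident alert.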
Investigating the Malware
With some scanning, fuzzing and Open-Source Intelligence (OSINT) we found some interesting details.
As with previous incidents, the domain rippr.me is used to point to the C2 server.
The following entries have an associated TXT record:
As we saw in the exploit payload, the server is listening on port 7777. Connecting to it brings the following download code:
So let’s get the file and check the contents:
It looks like a downloader that will be running on an infected device. The script downloads several versions of the binary and tries to execute it. If it fails (due to wrong CPU architecture), it will just go over to the next one.
Let’s grab the binaries (and guess some additional ones, like the x86_64). They look quite fresh according to server timestamps:
At the moment, VirusTotal already knows about the C2 address and shows that less than five antivirus products detect the files as malicious. Not very promising right now, but this should improve.
We will use this opportunity to submit some of the binaries that are missing in VT.
The Satori.Dasan variant is a rapidly growing botnet which utilizes a worm-like scanning mechanism, where every infected host looks for more hosts to infect. In addition, it also has a central C2 server that handles the exploitation itself once the scanners detect a new victim.
Read “2017-2018 Global Application & Network Security Report” to learn more.
The financial services industry is, by its very nature, inherently risk averse. The sheer volume of transactional data moving through networks can be staggering, and protecting that data from cyberthreats is strategically and fiscally critical. To understand how financial service executives keep their most prized applications secure, Radware surveyed over 600 chief information security officers (CISOs) and other security leaders across the financial services, retail and healthcare industries. This article provides an overview of key findings from Radware’s web application security report: Web Application Security in a Digitally Connected World.
The retail industry is undergoing a transformative period as the “empowered” consumer, driven by technological advances and breakthroughs, impacts how retailers market, communicate and sell. Retailers continue to erode the barrier to purchase via a myriad of new technologies, such as mobile apps, social media transactions and AI that converses with consumers. They leverage AI to analyze buyer behavior and optimize for buyer preferences. Even “traditional” retailers have invested in technologies that track both offline and in-store behaviors to further reduce the barrier to sale regardless of location.
One of the businesses in the spotlight lately when it comes to cyber-attacks is healthcare – in fact, 46% of healthcare organizations experienced a data breach. The data associated with this industry is extremely sensitive and highly regulated, and also actively sought by hackers. It has even gotten to the point where we need to worry about the possibility of someone’s pacemaker or other medical device being hacked. We’ve covered this topic in much detail over the course of 2017, and below is our roundup of everything you need to know about cyber-security and healthcare.
Happy New Year to all our readers! In 2017, we conducted several studies and wrote several reports on the state of cyber security. Let’s take a look at how 2017 shaped up: