The following is a Q&A with Daniel Smith, an information security researcher for Radware’s Emergency Response Team. He focuses on security research and risk analysis for network and application based vulnerabilities. Daniel’s research focuses in on Denial-of-Service attacks and includes analysis of malware and botnets. As a white-hat hacker, his expertise in tools and techniques helps Radware develop signatures and mitigation attacks proactively for its customers.
Botnets have been getting all the attention since the beginning of 2017, but what other attack vectors are proving popular this year?
Botnets certainly received a great deal of fanfare after the launch of Mirai in 2016. One reason why was due to two new attack vectors launched by Mirai: GRE floods and DNS water torture attacks. Both of these attack vectors combined with the sheer volume produced by an IoT botnet has proven a challenge to mitigate.
Generic routing encapsulation (GRE) is a tunneling protocol developed by Cisco. GRE mainly encapsulates data packets and routes them through the tunnel to a destination network that de- encapsulates the payload packets. Sending many GRE packets with large amount of encapsulated data may lead to resource consumption once the victim will try to de-encapsulate them until exhaustion.
A DNS water torture attack sends a pre-crafted DNS query to the service provider’s DNS server. The malicious DNS query contains random string concatenated previous to the victim’s domain. The DNS server will attempt to get an answer from the authoritative nameserver repeatedly with no success. Sending different false strings with the victims’ domain name will eventually increase the DNS server’s CPU utilization, making it unreachable.
Ransom denial-of-service (RDoS) attacks have become popular thanks to financially motivated criminals, in addition to hacktivist groups. Most RDoS groups will request between $1,000 – $10,000 dollars on average and the penalty for missing payment is typically much larger. RDoS is a growing concern as it gains popularity. In 2016, Radware witnessed an exponential increase in the number of ransom threats companies have received from these types of criminals.
Another big reason for its rise is due to the large monetary gain for little to no investment. For example, thanks to DDoS-as-a-service programs that are available on the Darknet, a hacker could launch an attack for as little as $20 for a twenty-minute, 1Gbps attack. In addition, opening a bitcoin account and sending an extortion email costs nothing. Distributing enough ransom letters typically generates at least a few individuals/organizations that are willing to pay. Some groups don’t even follow through with the attack. Inside the ransom note they claim they will attack leveraging a popular attack vector, such as Mirai, and the victim (aware of the potential damage) will pay. For all these reasons, many opportunists have emerged in 2016/17 looking to spread fear and extort victims for monetary gain.
Is ransomware’s evolution responsible for its recent resurgence?
Yes it is. Ransomware was first introduced 25 years ago. Traditionally, ransomware is a type of malware that restricts access to user data by encrypting the files on an infected computer and demanding payment for the decryption key. Just like in RDoS, the attacker simply distributes a largescale phishing campaign in hopes someone will click on the malicious attachment or link.
Recently, the idea has evolved and now relies on cryptocurrency as its main form of payment. Ransomware authors are still using malware to encrypt critical data, making it unusable until the user complies by paying a ransom. What has also changed is the delivery method.
With the WannaCry attack, the attack did not send out a phishing campaign, but rather used scanners to identify devices that were vulnerable to MS17-010, a Microsoft security update that patched remote code execution vulnerabilities in Microsoft’s SMB services. Once a computer was infected, a worm replicated itself across the device’s network, targeting other computers. This attack represents an evolution in ransomware attacks: they can now leverage recently disclosed exploits and default credentials to infect a device similarly to the way IoT botnets spread.
Not only are authors looking for new delivery methods, they are also looking for new methods to cash in. The latest threat that Radware’s research is witnessing are hackers offering user-friendly attack services; i.e. Ransomware as a Service (RaaS). A novice user can access the Darknet and find several RaaS offerings. Potential criminals can pay a small fee to have access to customizable ransomware platforms. RaaS providers charge a fee for access to the source code, or take a percentage of any profits that are generated. Some even offer ransomware free of charge.
Expert skills are no longer required to hold victims’ information hostage. Satan is the name of one service that automates the process by allowing users to specify the ransom amount, various multipliers and the actual creation of the ransom note, completely free of charge. At the end of the process, a user is left with a malicious .exe file that they can send to their victims.
Between the Darknet going mainstream, the U.S. government repealing certain privacy rules that prevent broadband providers from selling personal data, and the vulnerability of IoT devices, are you seeing data privacy becoming a bigger concern?
Data privacy is a big concern and it’s becoming bigger. The average user is unaware of their digital footprint, how large it is, and how far back it dates. Online privacy is a two-front battle. You have the service providers and the online services that have the ability to harvest data about individuals for marketing or law enforcement purposes. Then there are the criminals who hack these providers and services to either sell the data or target an individual directly.
In 2016, 117 million accounts from LinkedIn were leaked, 360 million from MySpace, 68 million from Tumblr and 127 million from Badoo. These leaks alone compromised over half a billion emails and usernames. This represents a gold mine for hackers who keep databases so they can conduct malicious activity.
Fraud has always been a big business for hackers. Ultimately, users must take steps to insure their own privacy from both providers and criminals. Users must understand how they connect to the Internet, which data they are comfortable disclosing, such as life events they share on social media. An individual might take steps to keep their image or location disclosed, but when a friend posts a tagged picture on Instagram with that individual in the background, this unintentional disclosure becomes data that can be used against that person.
Once an individual has a better understanding of what information they are exposing, they can incorporate VPN, security settings and become aware of their surroundings to prevent further information from being exposed.
Users should always be alert for phishing emails and should monitor credit and bank statements, keep their personal devices updated, create strong passwords and use two-factor authentications when possible. File sharing services should be disabled and always verify any company that you’re conducting business with. If personal data is stored on a personal computer, consider encrypted file storage and data backup. And never reuse passwords.