main

Attack Types & VectorsBotnetsSecurity

IoT Expands the Botnet Universe

March 6, 2019 — by Radware0

AdobeStock_175553664-960x607.jpg

In 2018, we witnessed the dramatic growth of IoT devices and a corresponding increase in the number of botnets and cyberattacks. Because IoT devices are always-on, rarely monitored and generally use off-the-shelf default passwords, they are low-hanging fruit for hackers looking for easy ways to build an army of malicious attackers. Every IoT device added to the network grows the hacker’s tool set.

Botnets comprised of vulnerable IoT devices, combined with widely available DDoS-as-a-Service tools and anonymous payment mechanisms, have pushed denial-of-service attacks to record-breaking volumes. At the same time, new domains such as cryptomining and credentials theft offer more opportunities for hacktivism.

Let’s look at some of the botnets and threats discovered and identified by Radware’s deception network in 2018.

JenX

A new botnet tried to deliver its dangerous payload to Radware’s newly deployed IoT honeypots. The honeypots registered multiple exploit attempts from distinct servers, all located in popular cloud hosting providers based in Europe. The botnet creators intended to sell 290Gbps DDoS attacks for only $20. Further investigation showed that the new bot used an atypical central scanning method through a handful of Linux virtual private servers (VPS) used to scan, exploit and load malware onto unsuspecting IoT victims. At the same time, the deception network also detected SYN scans originating from each of the exploited servers indicating that they were first performing a
mass scan before attempting to exploit the IoT devices, ensuring that ports 52869 and 37215 were open.

[You may also like: IoT Botnets on the Rise]

ADB Miner

A new piece of malware that takes advantage of Android-based devices exposing debug capabilities to the internet. It leverages scanning code from Mirai. When a remote host exposes its Android Debug Bridge (ADB) control port, any Android emulator on the internet has full install, start, reboot and root shell access without authentication.

Part of the malware includes Monero cryptocurrency miners (xmrig binaries), which are executing on the infected devices. Radware’s automated trend analysis algorithms detected a significant increase in activity against port 5555, both in the number of hits and in the number of distinct IPs. Port 5555 is one of the known ports used by TR069/064 exploits, such as those witnessed during the Mirai-based attack targeting Deutsche Telekom routers in November 2016. In this case, the payload delivered to the port was not SOAP/HTTP, but rather the ADB remote debugging protocol.

Satori.Dasan

Less than a week after ADB Miner, a third new botnet variant triggered a trend alert due to a significant increase in malicious activity over port 8080. Radware detected a jump in the infecting IPs from around 200 unique IPs per day to over 2,000 malicious unique IPs per day. Further investigation by the research team uncovered a new variant of the Satori botnet capable of aggressive scanning and exploitation of CVE-2017-18046 — Dasan Unauthenticated Remote Code Execution.

[You may also like: New Satori Botnet Variant Enslaves Thousands of Dasan WiFi Routers]

The rapidly growing botnet referred to as “Satori.Dasan” utilizes a highly effective wormlike scanning mechanism, where every infected host looks for more hosts to infect by performing aggressive scanning of random IP addresses and exclusively targeting port 8080. Once a suitable target is located, the infected bot notifies a C2 server, which immediately attempts to infect the new victim.

Memcached DDoS Attacks

A few weeks later, Radware’s system provided an alert on yet another new trend — an increase in activity on UDP port 11211. This trend notification correlated with several organizations publicly disclosing a trend in UDP-amplified DDoS attacks utilizing Memcached servers configured to accommodate UDP (in addition to the default TCP) without limitation. After the attack, CVE2018-1000115 was published to patch this vulnerability.

Memcached services are by design an internal service that allows unauthenticated access requiring no verification of source or identity. A Memcached amplified DDoS attack makes use of legitimate third-party Memcached servers to send attack traffic to a targeted victim by spoofing the request packet’s source IP with that of the victim’s IP. Memcached provided record-breaking amplification ratios of up to 52,000x.

[You may also like: Entering into the 1Tbps Era]

Hajime Expands to MikroTik RouterOS

Radware’s alert algorithms detected a huge spike in activity for TCP port 8291. After near-zero activity on that port for months, the deception network registered over 10,000 unique IPs hitting port 8291 in a single day. Port 8291 is related to a then-new botnet that exploits vulnerabilities in the MikroTik RouterOS operating system, allowing attackers to remotely execute code on the device.

The spreading mechanism was going beyond port 8291, which is used almost exclusively by MikroTik, and rapidly infecting other devices such as AirOS/Ubiquiti via ports: 80, 81, 82, 8080, 8081, 8082, 8089, 8181, 8880, utilizing known exploits and password-cracking attempts to speed up the propagation.

Satori IoT Botnet Worm Variant

Another interesting trend alert occurred on Saturday, June 15. Radware’s automated algorithms alerted to an upsurge of malicious activity scanning and infection of a variety of IoT devices by taking advantage of recently discovered exploits. The previously unseen payload was delivered by the infamous Satori botnet. The exponential increase in the number of attack sources spread all over the world, exceeding 2,500 attackers in a 24-hour period.

[You may also like: A Quick History of IoT Botnets]

Hakai

Radware’s automation algorithm monitored the rise of Hakai, which was first recorded in July. Hakai is a new botnet recently discovered by NewSky Security after lying dormant for a while. It started to infect D-Link, Huawei and Realtek routers. In addition to exploiting known vulnerabilities to infect the routers, it used a Telnet scanner to enslave Telnet-enabled devices with default credentials.

DemonBot

A new stray QBot variant going by the name of DemonBot joined the worldwide hunt for yellow elephant — Hadoop cluster — with the intention of conscripting them into an active DDoS botnet. Hadoop clusters are typically very capable, stable platforms that can individually account for much larger volumes of DDoS traffic compared to IoT devices. DemonBot extends the traditional abuse of IoT platforms for DDoS by adding very capable big data cloud servers. The DDoS attack vectors supported by DemonBot are STD, UDP and TCP floods.

Using a Hadoop YARN (Yet-Another-Resource-Negotiator) unauthenticated remote command execution, DemonBot spreads only via central servers and does not expose the wormlike behavior exhibited by Mirai-based bots. By the end of October, Radware tracked over 70 active exploit servers that are spreading malware
and exploiting YARN servers at an aggregated rate of over one million exploits per day.

[You may also like: Hadoop YARN: An Assessment of the Attack Surface and Its Exploits]

YARN allows multiple data processing engines to handle data stored in a single Hadoop platform. DemonBot took advantage of YARN’s REST API publicly exposed by over 1,000 cloud servers worldwide. DemonBot effectively harnesses the Hadoop clusters in order to generate a DDoS botnet powered by cloud infrastructure.

Always on the Hunt

In 2018, Radware’s deception network launched its first automated trend-detection steps and proved its ability to identify emerging threats early on and to distribute valuable data to the Radware mitigation devices, enabling them to effectively mitigate infections, scanners and attackers. One of the most difficult aspects in automated anomaly detection is to filter out the massive noise and identify the trends that indicate real issues.

In 2019, the deception network will continue to evolve and learn and expand its horizons, taking the next steps in real-time automated detection and mitigation.

Read “The Trust Factor: Cybersecurity’s Role in Sustaining Business Momentum” to learn more.

Download Now

Attack Types & VectorsBotnets

Attackers Are Leveraging Automation

January 31, 2019 — by Radware0

automation-960x681.jpg

Cybercriminals are weaponizing automation and machine learning to create increasingly evasive attack vectors, and the internet of things (IoT) has proven to be the catalyst driving this trend. IoT is the birthplace of many of the new types of automated bots and malware.

At the forefront are botnets, which are increasingly sophisticated, lethal and highly automated digitized armies running amok on corporate networks. For example, hackers now leverage botnets to conduct early exploitation and network reconnaissance prior to unleashing an attack.

The Mirai botnet, which was made famous by its use in the 2016 attack on DNS provider Dyn, along with its subsequent variants, embodies many of these characteristics. It leverages a network-scanning and attack architecture capable of identifying “competing” malware and removing it from the IoT device to block remote administrative control. In addition, it leverages the infamous Water Torture attack to generate randomized domain names on a DNS infrastructure. Follow-up variants use automation to allow the malware to craft malicious queries in real time.

[You may also like: A Quick History of IoT Botnets]

Modern-day malware is an equally sophisticated multi-vector cyberattack weapon designed to elude detection using an array of evasion tools and camouflage techniques. Hackers now leverage machine learning to create custom malware that defeats anti-malware defenses. One example is Generative Adversarial Network algorithms
that can bypass black-box machine-learning models. In another example, a cybersecurity company adapted Elon Musk’s OpenAI framework to create forms of malware that mitigation solutions couldn’t detect.

Automation for Detection and Mitigation

So how does a network security team improve its ability to deal with these increasingly multifarious cyberattacks? Fight fire with fire. Automated cybersecurity solutions provide the data-processing muscle to mitigate these advanced threats.

Executives clearly understand this and are ready to take advantage of automation. According to Radware’s C-Suite Perspectives: Trends in the Cyberattack Landscape, Security Threats and Business Impacts report, the vast majority of executives (71%) report shifting more of their network security budget into technologies that employ machine learning and automation. The need to protect increasingly heterogeneous infrastructures, a shortage in cybersecurity talent and increasingly dangerous
cyberthreats were indicated as the primary drivers of this fiscal shift.

In addition, the trust factor is increasing. Four in 10 executives trust automated systems more than humans to protect their organization against cyberattacks.

[You may also like: Looking Past the Hype to Discover the Real Potential of AI]

Traditional DDoS solutions use rate limiting and manual signature creation to mitigate attacks. Rate limiting can be effective but can also result in a high number of false positives. As a result, manual signatures are then used to block offending traffic to reduce the number of false positives. Moreover, manual signatures take time to create because identifying offending traffic is only possible AFTER the attack starts. With machine-learning botnets now breaching defenses in less than 20 seconds, this hands-on strategy does not suffice.

Automation and, more specifically, machine learning overcome the drawbacks of manual signature creation and rate-limiting protection by automatically creating signatures and adapting protections to changing attack vectors. Machine learning leverages advanced mathematical models and algorithms to look at baseline network parameters, assess network behavior, automatically create attack signatures and adapt security configurations and/or policies to mitigate attacks. Machine learning transitions an organization’s DDoS protection strategy from manual, ratio- and rate-based protection to behavioral-based detection and mitigation.

The Final Step: Self-Learning

A market-leading DDoS protection solution combines machine-learning capabilities with negative and positive security protection models to mitigate automated attack vectors, such as the aforementioned DNS Water Torture attacks made notorious by Mirai. By employing machine learning and ingress-only positive protection models, this sort of an attack vector is eliminated, regardless of whether the protected DNS infrastructure is an authoritative or a recursive DNS.

The final step of automated cybersecurity is automated self-learning. DDoS mitigation solutions should leverage a deep neural network (DNN) that conducts post-analysis of all the generated data, isolates known attack information and feeds those data points back into the machine learning algorithms. DNNs require massive amounts of storage and computing power and can be prohibitively expensive to house and manage within a privately hosted data center.

[You may also like: Are Application Testing Tools Still Relevant with Self Learning WAFs?]

As a result, ideally a DNN is housed and maintained by your organization’s DDoS mitigation vendor, which leverages its network of cloud-based scrubbing centers (and the massive volumes of threat intelligence data that it collects) to process this information via big data analytics and automatically feed it back into your organization’s DDoS mitigation solution via a real-time threat intelligence feed.This makes the input of thousands of malicious IPs and new attack signatures into an automated process that no SOC team could ever hope to accomplish manually.

The result is a DDoS mitigation system that automatically collects data from multiple sources and leverages machine learning to conduct zero-day characterization. Attack signatures and security policies are automatically updated and not reliant on a SOC engineer who is free to conduct higher-level analysis, system management and threat analysis.

Automation is the future of cybersecurity. As cybercriminals become more savvy and increasingly rely on automation to achieve their mischievous goals, automation and machine learning will become the cornerstone of cybersecurity solutions to effectively combat the onslaught from the next generation of attacks. It will allow organizations to improve the ability to scale network security teams, minimize human errors and safeguard digital assets to ensure brand reputation and the customer experience.

Read the “2018 C-Suite Perspectives: Trends in the Cyberattack Landscape, Security Threats and Business Impacts” to learn more.

Download Now

Attack Types & VectorsSecurity

The Rise in Cryptomining

January 29, 2019 — by Radware1

cryptomining-960x255.jpg

There are four primary motivations for cyberattacks: crime, hacktivism, espionage and war. Setting aside nation-state sponsored groups, the largest faction of attackers are cybercriminals, individuals or well-established organizations looking to turn a profit.

For the last several years, ransom-based cyberattacks and ransomware had been the financial modus operandi for hackers, but 2018 flipped the coin to unveil a new attack vector: cryptomining.

Always Crypto

Radware’s Malware Threat Research Group monitored this phenomenon throughout the year and identified two recurring trends. Some groups use cryptomining to score a quick, easy profit by infecting machines and mining cryptocurrencies. Other groups use cryptomining as an ongoing source of income, simply by reselling installations on infected machines or selling harvested data.

While there is no definitive reason why cryptomining has become popular, what is clear are some of the advantages it has over older attacks methods:

  • It’s easy – There’s no need to develop a cryptomining tool or even buy one. An attacker can just download a free tool into the victim’s machine and run it with a simple configuration that instructs it to mine the pool.
  • CPU – While Bitcoin requires a graphic processing unit (GPU) to perform effective mining, other cryptocurrency, such as Monero, require only CPU to effectively mine a machine. Since every machine has a CPU, including web cameras, smartphones, smart TVs and computers, there many potential targets.
  • Minimal footprint — Other attack types require the hackers to market their “goods” or to actively use the information they acquired for malicious purposes. In cryptomining, the money moves directly to the attacker.
  • Value — The value of cryptocurrencies skyrocketed in late 2017 and early 2018. The outbreak quickly followed. More recently, as monetary value declined, so has the number of incidences.
  • Multipurpose hack — After successfully infecting a machine, hackers can leverage the installation of the malware program for multiple activities. Stealing credentials from machines? Why not use those machines to cryptomine as well (and vice versa)? Selling data mining installations on machines to other people? Add a cryptomining tool to run at the same time.

[You may also like: Top Cryptomining Malware. Top Ransomware.]

The Malware Ecosystem

There are a few popular ways for cybercriminals to launch cryptomining attacks:

  • Information stealing — By distributing a data harvesting malware, attackers steal access credentials or files (photos, documents, etc.), and even identities found on an infected machine, its browser or inside the network. Then, the cybercriminals generally use the stolen data to steal. In the case of bank credentials, the hackers use the information to steal money from accounts. They may also sell the stolen data through an underground market on the dark web to other hackers. Credit cards, social security numbers and medical records go for just a few dollars. Social media accounts and identities are popular, as well. Facebook and Instagram accounts have been hijacked and used for propagation.
  • Downloaders — Malware is distributed with simple capabilities to download additional malware and install on other systems.The motivation is to infect as many machines as possible. The next step is to sell malware installations on those machines. Apparently, even infected machines enjoy brand premium fees — machines from a Fortune 500 company cost a lot more.
  • Ransomware — Machines are infected with a malware that encrypts files, which are usually valuable to the victim, such as photos, Microsoft files (.xlsx,.docx) and Adobe Acrobat files. Victims are then asked to pay a significant amount of money in order to get a tool to decrypt their files. This attack was first introduced against individuals but grew exponentially when hackers figured out that organizations can pay a higher premium.
  • DDoS for ransom (RDoS) — Attackers send targets a letter that threatens a DDoS attack on a certain day and time unless the organization makes a payment, usually via Bitcoin. Often hackers know the IP address of the targeted server or network and launch a small-scale attack as a preview of what could follow.

[You may also like: Malicious Cryptocurrency Mining: The Road Ahead]

Social Propagation

Malware protection is a mature market with many competitors. It is a challenge for hackers to create a one-size-fits-all zero-day attack that will run on as many operating systems, servers and endpoints as possible, as well as bypass most, if not all, security solutions. So in addition to seeking ways to penetrate protection engines, hackers are also looking for ways to bypass them.

During the past year, Radware noticed several campaigns where malware was created to hijack social network credentials. That enabled hackers to spread across the social network accessing legitimate files on the machine and private information (or computing resources, in the context of cryptomining).

[You may also like: 5 Ways Modern Malware Defeats Cyber Defenses & What You Can Do About It]

Here are a few examples:

  • Nigelthorn – Radware first detected this campaign, which involved a malicious chrome extension, in a customer’s network. The hackers bypassed Google Chrome native security mechanisms to disguise the malware as a legitimate extension. The group managed to infect more than 100,000 machines. The purpose of the extension was cryptomining Monero currency by the host machine, as well as stealing the credentials of the victim’s Facebook and/or Instagram accounts. The credentials were abused to propagate the attack through the Facebook user’s contact network. It is also possible that the credentials were later sold on the black market.
  • Stresspaint — In this spree, hackers used a benign-looking drawing application to hijack Facebook users’ cookies. They deceived victims by using an allegedly legitimate AOL.net URL, which was actually a unicode representation. The true address is “xn--80a2a18a.net.” The attackers were building a database of users with their contact
    network, business pages and payment details. Radware suspects that the ultimate goal was to use this information to fund public opinion influence campaigns on the social network.
  • CodeFork — This campaign was also detected in some of Radware’s customers’ networks when the infected machines tried to communicate with their C&C servers. Radware intercepted the communication and determined that this group was infecting machines in order to sell their installations. The group has been active for several years during which time we have seen them distributing different malware to the infected machines. The 2018 attack included an enhancement that distributes
    cryptomining malware.

Moving Forward

Radware believes that the cryptomining trend will persist in 2019. The motivation of financial gain will continue, pushing attackers to try to profit from malicious malware. In addition, hackers of all types can potentially add cryptomining capabilities to the infected machines that they already control. Our concern is that during the next phase, hackers will invest their profits to leverage machine-learning capabilities to find ways to access and exploit resources in networks and applications.

Read “The Trust Factor: Cybersecurity’s Role in Sustaining Business Momentum” to learn more.

Download Now

Attack MitigationAttack Types & Vectors

5 Ways Malware Defeats Cyber Defenses & What You Can Do About It

January 17, 2019 — by Radware0

modern_malware-960x640.jpg

Malware is a key vector for data breaches. Research shows that 51% of data breaches include the usage of malware, whether for initial breach, expansion within the network or heisting data. Yet despite malware being a pivotal attack vector, companies are unable to defend against data-theft malware running wild in their network. In fact, some of the biggest and most well-publicized breaches ever were the result of undetected malware.

Why? Modern malware is built to evade traditional anti-malware defenses. Today’s malwares are sophisticated multi-vector attack weapons designed to elude detection using an array of evasion tools and camouflage techniques. In the game of chess between attackers and defenders, hackers constantly find new ways to stay one step ahead of existing defenses.

Modern Malware

Here are five common evasion techniques used by modern malware and how they beat traditional anti-malware defenses.

Polymorphic malware: Many traditional anti-malware defenses operate using known malware signatures. Modern data-theft malware counteracts this by constantly morphing or shapeshifting. By making simple changes to the code, attackers can easily generate an entirely new binary signature for the file.

Shapeshifting, zero-day malware beats signature-based defenses such as anti-virus, email filtering, IPS/IDS, and sandboxing.

File-less malware: Many anti-malware tools focus on static files and operating-systems (OS) processes to detect malicious activity. However, an increasingly common technique by attackers is to use file-less malware which is executed in run-time memory only, leaves no footprint on the target host and is therefore transparent to file-based defenses.

File-less malware beats IPS/IDS, UEBA, anti-virus, and sandboxing.

[You may also like: Threat Alert: MalSpam]

Encrypted payloads: Some anti-malware defense use content scanning to block sensitive data leakage. Attackers get around this by encrypting communications between infected hosts and Command & Control (C&C) servers.

Encrypted payloads beat DLP, EDR, and secure web gateways (SWG).

Domain generation algorithm (DGA): Some anti-malware defenses include addresses of known C&C servers, and block communication with them. However, malwares with domain generation capabilities get around this by periodically modifying C&C address details and using previously unknown addresses.

Beats secure web gateways (SWG), EDR, and sandboxing.

Host spoofing: spoofs header information to obfuscate the true destination of the data, thereby bypassing defenses that target the addresses of known C&C servers.

Beats secure web gateways (SWG), IPS/IDS and sandboxing.

[You may also like: Micropsia Malware]

What Can You Do?

Beating zero-day evasive malware is not easy, but there are several key steps you can take to severely limit its impact:

Apply multi-layer defenses: Protecting your organization against evasive malware is not a one-and-done proposition. Rather, it is an ongoing effort that requires combining endpoint defenses (such as anti-virus software) with network-layer protection such as firewalls, secure web gateways and more. Only multi-layered protection ensures complete coverage.

Focus on zero-day malware: Zero-day malware accounts for up to 50% of malware currently in circulation. Zero-day malware frequently goes unrecognized by existing anti-malware defenses and is a major source of data loss. Anti-malware defense mechanisms that focus squarely on identifying and detecting zero-day malwares is a must have.

[You may also like: The Changing Face of Malware: Malware Being Used as Cryptocurrency Miners]

Implement traffic analysis: Data theft malware attacks take aim at the entire network to steal sensitive data. Although infection might originate from user endpoints, it is typically the aim of attackers to expand to network resources as well. As a result, it is important for an anti-malware solution to not just focus on  one area of the network or resource type, but maintain a holistic view of the entire network and analyze what is happening.

Leverage big data: A key ingredient in detecting zero-day malware is the ability to collect data from a broad information base amassed over time. This allows defenders to detect malware activity on a global scale and correlate seemingly unrelated activities to track malware development and evolution.

Read the “2018 C-Suite Perspectives: Trends in the Cyberattack Landscape, Security Threats and Business Impacts” to learn more.

Download Now

Attack Types & VectorsDDoSDDoS Attacks

Top 3 Cyberattacks Targeting Proxy Servers

January 16, 2019 — by Daniel Smith0

Proxy-960x540.jpg

Today, many organizations are now realizing that DDoS defense is critical to maintaining an exceptional customer experience. Why? Because nothing diminishes load times or impacts the end user’s experience more than a cyberattack.

As a facilitator of access to content and networks, proxy servers have become a focal point for those seeking to cause grief to organizations via cyberattacks due to the fallout a successful assault can have.

Attacking the CDN Proxy

New vulnerabilities in content delivery networks (CDNs) have left many wondering if the networks themselves are vulnerable to a wide variety of cyberattacks. Here are five cyber “blind spots” that are often attacked – and how to mitigate the risks:

Increase in dynamic content attacks. Attackers have discovered that treatment of dynamic content requests is a major blind spot in CDNs. Since the dynamic content is not stored on CDN servers, all requests for dynamic content are sent to the origin’s servers. Attackers are taking advantage of this behavior to generate attack traffic that contains random parameters in HTTP GET requests. CDN servers immediately redirect this attack traffic to the origin—expecting the origin’s server to handle the requests. However, in many cases the origin’s servers do not have the capacity to handle all those attack requests and fail to provide online services to legitimate users. That creates a denial-of-service situation. Many CDNs can limit the number of dynamic requests to the server under attack. This means they cannot distinguish attackers from legitimate users and the rate limit will result in legitimate users being blocked.

SSL-based DDoS attacks. SSL-based DDoS attacks leverage this cryptographic protocol to target the victim’s online services. These attacks are easy to launch and difficult to mitigate, making them a hacker favorite. To detect and mitigate SSL-based attacks, CDN servers must first decrypt the traffic using the customer’s SSL keys. If the customer is not willing to provide the SSL keys to its CDN provider, then the SSL attack traffic is redirected to the customer’s origin. That leaves the customer vulnerable to SSL attacks. Such attacks that hit the customer’s origin can easily take down the secured online service.

[You may also like: SSL Attacks – When Hackers Use Security Against You]

During DDoS attacks, when web application firewall (WAF) technologies are involved, CDNs also have a significant scalability weakness in terms of how many SSL connections per second they can handle. Serious latency issues can arise. PCI and other security compliance issues are also a problem because they limit the data centers that can be used to service the customer. This can increase latency and cause audit issues.

Keep in mind these problems are exacerbated with the massive migration from RSA algorithms to ECC and DH-based algorithms.

Attacks on non-CDN services. CDN services are often offered only for HTTP/S and DNS applications.  Other online services and applications in the customer’s data center, such as VoIP, mail, FTP and proprietary protocols, are not served by the CDN. Therefore, traffic to those applications is not routed through the CDN. Attackers are taking advantage of this blind spot and launching attacks on such applications. They are hitting the customer’s origin with large-scale attacks that threaten to saturate the Internet pipe of the customer. All the applications at the customer’s origin become unavailable to legitimate users once the internet pipe is saturated, including ones served by the CDN.

[You may also like: CDN Security is NOT Enough for Today]

Direct IP attacks. Even applications that are served by a CDN can be attacked once attackers launch a direct hit on the IP address of the web servers at the customer’s data center. These can be network-based flood attacks such as UDP floods or ICMP floods that will not be routed through CDN services and will directly hit the customer’s servers. Such volumetric network attacks can saturate the Internet pipe. That results in degradation to application and online services, including those served by the CDN.

Web application attacks. CDN protection from threats is limited and exposes web applications of the customer to data leakage and theft and other threats that are common with web applications. Most CDN- based WAF capabilities are minimal, covering only a basic set of predefined signatures and rules. Many of the CDN-based WAFs do not learn HTTP parameters and do not create positive security rules. Therefore, these WAFs cannot protect from zero-day attacks and known threats. For companies that do provide tuning for the web applications in their WAF, the cost is extremely high to get this level of protection. In addition to the significant blind spots identified, most CDN security services are simply not responsive enough, resulting in security configurations that take hours to manually deploy. Security services are using technologies (e.g., rate limit) that have proven inefficient in recent years and lack capabilities such as network behavioral analysis, challenge-response mechanisms and more.

[You may also like: Are Your Applications Secure?]

Finding the Watering Holes

Waterhole attack vectors are all about finding the weakest link in a technology chain. These attacks target often forgotten, overlooked or not intellectually attended to automated processes. They can lead to unbelievable devastation. What follows is a list of sample watering hole targets:

  • App stores
  • Security update services
  • Domain name services
  • Public code repositories to build websites
  • Webanalytics platforms
  • Identity and access single sign-on platforms
  • Open source code commonly used by vendors
  • Third-party vendors that participate in the website

The DDoS attack on Dyn in 2016 has been the best example of the water-holing vector technique to date. However, we believe this vector will gain momentum heading into 2018 and 2019 as automation begins to pervade every aspect of our life.

Attacking from the Side

In many ways, side channels are the most obscure and obfuscated attack vectors. This technique attacks the integrity of a company’s site through a variety of tactics:

  • DDoS the company’s analytics provider
  • Brute-force attack against all users or against all of the site’s third-party companies
  • Port the admin’s phone and steal login information
  • Massive load on “page dotting”
  • Large botnets to “learn” ins and outs of a site

Read the “2018 C-Suite Perspectives: Trends in the Cyberattack Landscape, Security Threats and Business Impacts” to learn more.

Download Now

Application SecurityAttack MitigationAttack Types & Vectors

How Cyberattacks Directly Impact Your Brand: New Radware Report

January 15, 2019 — by Ben Zilberman0

BinaryCodeEncryption-002-960x600.jpg

Whether you’re an executive or practitioner, brimming with business acumen or tech savviness, your job is to preserve and grow your company’s brand. Brand equity relies heavily on customer trust, which can take years to build and only moments to demolish. 2018’s cyber threat landscape demonstrates this clearly; the delicate relationship between organizations and their customers is in hackers’ cross hairs and suffers during a successful cyberattack. Make no mistake: Leaders who undervalue customer trust–who do not secure an optimized customer experience or adequately safeguard sensitive data–will feel the sting in their balance sheet, brand reputation and even their job security.

Radware’s 2018-2019 Global Application and Network Security report builds upon a worldwide industry survey encompassing 790 business and security executives and professionals from different countries, industries and company sizes. It also features original Radware threat research, including an analysis of emerging trends in both defensive and offensive technologies. Here, I discuss key takeaways.

Repercussions of Compromising Customer Trust

Without question, cyberattacks are a viable threat to operating expenditures (OPEX). This past year alone, the average estimated cost of an attack grew by 52% and now exceeds $1 million (the number of estimations above $1 million increased 60%). For those organizations that formalized a real calculation process rather than merely estimate the cost, that number is even higher, averaging $1.67 million.

Despite these mounting costs, three in four have no formalized procedure to assess the business impact of a cyberattack against their organization. This becomes particularly troubling when you consider that most organizations have experienced some type of attack within the course of a year (only 7% of respondents claim not to have experienced an attack at all), with 21% reporting daily attacks, a significant rise from 13% last year.

There is quite a range in cost evaluation across different verticals. Those who report the highest damage are retail and high-tech, while education stands out with its extremely low financial impact estimation:

Repercussions can vary: 43% report a negative customer experience, 37% suffered brand reputation loss and one in four lost customers. The most common consequence was loss of productivity, reported by 54% of survey respondents. For small-to-medium sized businesses, the outcome can be particularly severe, as these organizations typically lack sufficient protection measures and know-how.

It would behoove all businesses, regardless of size, to consider the following:

  • Direct costs: Extended labor, investigations, audits, software patches development, etc.
  • Indirect costs: Crisis management, fines, customer compensation, legal expenses, share value
  • Prevention: Emergency response and disaster recovery plans, hardening endpoints, servers and cloud workloads

Risk Exposure Grows with Multi-Dimensional Complexity

As the cost of cyberattacks grow, so does the complexity. Information networks today are amorphic. In public clouds, they undergo a constant metamorphose, where instances of software entities and components are created, run and disappear. We are marching towards the no-visibility era, and as complexity grows it will become harder for business executives to analyze potential risks.

The increase in complexity immediately translates to a larger attack surface, or in other words, a greater risk exposure. DevOps organizations benefit from advanced automation tools that set up environments in seconds, allocate necessary resources, provision and integrate with each other through REST APIs, providing a faster time to market for application services at a minimal human intervention. However, these tools are processing sensitive data and cannot defend themselves from attacks.

Protect your Customer Experience

The report found that the primary goal of cyber-attacks is service disruption, followed by data theft. Cyber criminals understand that service disruptions result in a negative customer experience, and to this end, they utilize a broad set of techniques. Common methods include bursts of high traffic volume, usage of encrypted traffic to overwhelm security solutions’ resource consumption, and crypto-jacking that reduces the productivity of servers and endpoints by enslaving their CPUs for the sake of mining cryptocurrencies. Indeed, 44% of organizations surveyed suffered either ransom attacks or crypto-mining by cyber criminals looking for easy profits.

What’s more, attack tools became more effective in the past year; the number of outages grew by 15% and more than half saw slowdowns in productivity. Application layer attacks—which cause the most harm—continue to be the preferred vector for DDoSers over the network layer. It naturally follows, then, that 34% view application vulnerabilities as the biggest threat in 2019.

Essential Protection Strategies

Businesses understand the seriousness of the changing threat landscape and are taking steps to protect their digital assets. However, some tasks – such as protecting a growing number of cloud workloads, or discerning a malicious bot from a legitimate one – require leveling the defense up. Security solutions must support and enable the business processes, and as such, should be dynamic, elastic and automated.

Analyzing the 2018 threat landscape, Radware recommends the following essential security solution capabilities:

  1. Machine Learning: As hackers leverage advanced tools, organizations must minimize false positive calls in order to optimize the customer experience. This can be achieved by machine-learning capabilities that analyze big data samples for maximum accuracy (nearly half of survey respondents point at security as the driver to explore machine-learning based technologies).
  2. Automation: When so many processes are automated, the protected objects constantly change, and attackers quickly change lanes trying different vectors every time. As such, a security solution must be able to immediately detect and mitigate a threat. Solutions based on machine learning should be able to auto tune security policies.
  3. Real Time Intelligence: Cyber delinquents can disguise themselves in many forms. Compromised devices sometimes make legitimate requests, while other times they are malicious. Machines coming behind CDN or NAT can not be blocked based on IP reputation and generally, static heuristics are becoming useless. Instead, actionable, accurate real time information can reveal malicious activity as it emerges and protect businesses and their customers – especially when relying on analysis and qualifications of events from multiple sources.
  4. Security Experts: Keep human supervision for the moments when the pain is real. Human intervention is required in advanced attacks or when the learning process requires tuning. Because not every organization can maintain the know-how in-house at all times, having an expert from a trusted partner or a security vendor on-call is a good idea.

It is critical for organizations to incorporate cybersecurity into their long-term growth plans. Securing digital assets can no longer be delegated solely to the IT department. Rather, security planning needs to be infused into new product and service offerings, security, development plans and new business initiatives. CEOs and executive teams must lead the way in setting the tone and invest in securing their customers’ experience and trust.

Read “The Trust Factor: Cybersecurity’s Role in Sustaining Business Momentum” to learn more.

Download Now

Attack Types & VectorsSecurity

Threat Alert: MalSpam

January 10, 2019 — by Daniel Smith0

malware-960x720.jpg

Radware researchers have been following multiple campaigns targeting the financial industry in Europe and the United States. These campaigns are designed to commit fraud via credential theft by sending MalSpam, malicious spam that contains banking malware like Trickbot and Emotet, to unsuspecting users. If the users open the document, they will become infected, and the malware will harvest and extract data from the victim’s machine for fraudulent purposes. Once the data is retrieved from their c2 server, the stolen credentials will be used to commit fraud against the victim’s bank account, leveraged in a credential stuffing attack or quickly sold for profit.

One of the things that make these two pieces of banking malware stand out is their ability to evolve and consistently update their modules to allow additional capabilities. Additionally, we have seen denial of service attacks in the past that have coincided with these security events. Occasionally attackers have been known to launch a flood of malicious traffic, known as a smoke screen attack, to distract network operators from other nefarious activity such as data exfiltration. These attacks typically will not exhaust network resources since the criminals still need access.

To read the full ERT Threat Alert, click here.

Attack Types & VectorsBotnetsSecurity

Ad Fraud 101: How Cybercriminals Profit from Clicks

January 3, 2019 — by Daniel Smith0

Fraud-960x480.jpg

Fraud is and always will be a cornerstone of the cybercrime community. The associated economic gains provide substantial motivation for today’s malicious actors, which is reflected in the rampant use of identity and financial theft, and ad fraud. Fraud is, without question, big business. You don’t have to look far to find websites, on both the clear and the darknet, that profit from the sale of your personal information.

Fraud-related cyber criminals are employing an evolving arsenal of tactics and malware designed to engage in these types of activities. What follows is an overview.

Digital Fraud

Digital fraud—the use of a computer for criminal deception or abuse of web enabled assets that results in financial gain—can be categorized and explained in three groups for the purpose of this blog: basic identity theft with the goal of collecting and selling identifiable information, targeted campaigns focused exclusively on obtaining financial credentials, and fraud that generates artificial traffic for profit.

Digital fraud is its own sub-community consistent with typical hacker profiles. You have consumers dependent on purchasing stolen information to commit additional fraudulent crime, such as making fake credit cards and cashing out accounts, and/or utilizing stolen data to obtain real world documents like identification cards and medical insurance. There are also general hackers, motivated by profit or disruption, who publicly post personally identifiable information that can be easily scraped and used by other criminals. And finally, there are pure vendors who are motivated solely by profit and have the skills to maintain, evade and disrupt at large scales.

[You may also like: IoT Hackers Trick Brazilian Bank Customers into Providing Sensitive Information]

  • Identity fraud harvests complete or partial user credentials and personal information for profit. This group mainly consists of cybercriminals who target databases with numerous attack vectors for the purposes of selling the obtained data for profit. Once the credentials reach their final destination, other criminals will use the data for additional fraudulent purposes, such as digital account takeover for financial gains.
  • Banking fraud harvests banking credentials, digital wallets and credit cards from targeted users. This group consists of highly talented and focused criminals who only care about obtaining financial information, access to cryptocurrency wallets or digitally skimming credit cards. These criminals’ tactics, techniques and procedures (TTP) are considered advanced, as they often involve the threat actor’s own created malware, which is updated consistently.
  • Ad fraud generates artificial impressions or clicks on a targeted website for profit. This is a highly skilled group of cybercriminals that is capable of building and maintaining a massive infrastructure of infected devices in a botnet. Different devices are leveraged for different types of ad fraud but generally, PC-based ad fraud campaigns are capable of silently opening an internet browser on the victim’s computer and clicking on an advertisement.

Ad Fraud & Botnets

Typically, botnets—the collection of compromised devices that are often referred to as a bot and controlled by a malicious actor, a.k.a. a “bot herder—are associated with flooding networks and applications with large volumes of traffic. But they also send large volumes of malicious spam, which is leveraged to steal banking credentials or used to conduct ad fraud.

However, operating a botnet is not cheap and operators must weigh the risks and expense of operating and maintaining a profitable botnet. Generally, a bot herder has four campaign options (DDoS attacks, spam, banking and ad fraud) with variables consisting of research and vulnerability discovery, infection rate, reinfection rate, maintenance, and consumer demand.

[You may also like: IoT Botnets on the Rise]

With regards to ad fraud, botnets can produce millions of artificially generated clicks and impressions a day, resulting in a financial profit for the operators. Two recent ad fraud campaigns highlight the effectiveness of botnets:

  • 3ve, pronounced eve, was recently taken down by White Owl, Google and the FBI. This PC-based botnet infected over a million computers and utilized tens of thousands of websites for the purpose of click fraud activities. The infected users would never see the activity conducted by the bot, as it would open a hidden browser outside the view of the user’s screen to click on specific ads for profit.
  • Mirai, an IoT-based botnet, was used to launch some of the largest recorded DDoS attacks in history. When the co-creators of Mirai were arrested, their indictments indicated that they also engaged in ad fraud with this botnet. The actors were able to conduct what is known as an impression fraud by generating artificial traffic and directing it at targeted sites for profit. 

[You may also like: Defending Against the Mirai Botnet]

The Future of Ad Fraud

Ad fraud is a major threat to advertisers, costing them millions of dollars each year. And the threat is not going away, as cyber criminals look for more profitable vectors through various chaining attacks and alteration of the current TTPs at their disposal.

As more IoT devices continue to be connected to the Internet with weak security standards and vulnerable protocols, criminals will find ways to maximize the profit of each infected device. Currently, it appears that criminals are looking to maximize their new efforts and infection rate by targeting insecure or unmaintained IoT devices with a wide variety of payloads, including those designed to mine cryptocurrencies, redirect users’ sessions to phishing pages or conduct ad fraud.

Read the “IoT Attack Handbook – A Field Guide to Understanding IoT Attacks from the Mirai Botnet and its Modern Variants” to learn more.

Download Now

Application SecurityAttack MitigationAttack Types & VectorsSecurity

10 Most Popular Blogs of 2018

December 27, 2018 — by Radware1

blog-960x480.jpg

Between large scale cyberattacks, the implementation of GDPR and increasing popularity of smart home technologies (and their associated vulnerabilities), we had a lot to write about this year. Of the hundreds of blogs we published in 2018, several floated to the top in terms of readership. Below, we recap the ten most popular blogs of 2018.

Consumer Sentiments About Cybersecurity and What It Means for Your Organization

Over the past six months, the data breaches against companies such as Panera BreadDelta Airlines and Sears, and Saks have proven we live in an age where cyberattacks and data breaches are now commonplace. The result? Cybersecurity is no longer just the topic of conversation of tech gurus and IT personnel. It has transitioned into the mainstream conversation and has become a concern of the masses. Consumers are now concerned that the organizations they are conducting business with are proactive about safeguarding their information and how they will fix it if a breach does occur. Read more…

New Threat Landscape Gives Birth to New Way of Handling Cyber Security

With the growing online availability of attack tools and services, the pool of possible attacks is larger than ever. Let’s face it, getting ready for the next cyber-attack is the new normal! This ‘readiness’ is a new organizational tax on nearly every employed individual throughout the world. Amazingly enough, attackers have reached a level of maturity and efficiency – taking advantage of the increased value and vulnerability of online targets, and resulting in a dramatic increase in attack frequency, complexity and size. Read more…

The Evolution of IoT Attacks

IoT devices are nothing new, but the attacks against them are. They are evolving at a rapid rate as growth in connected devices continues to rise and shows no sign of letting up. One of the reasons why IoT devices have become so popular in recent years is because of the evolution of cloud and data processing which provides manufacturers cheaper solutions to create even more ‘things’. Before this evolution, there weren’t many options for manufacturers to cost-effectively store and process data from devices in a cloud or data center.  Older IoT devices would have to store and process data locally in some situations. Today, there are solutions for everyone and we continue to see more items that are always on and do not have to store or process data locally. Read more…

Are Your Applications Secure?

As we close out a year of headline-grabbing data breaches (British Airways, Under Armor, Panera Bread), the introduction of GDPR and the emergence of new application development architectures and frameworks, Radware examined the state of application security in its latest report. This global survey among executives and IT professionals yielded insights about threats, concerns and application security strategies. Read more…

Snapshot of the Most Important Worldwide Cybersecurity Laws, Regulations, Directives and Standards

Are you out of breath from the breakneck pace of cyberattacks since the start of 2018? Throughout the world, nearly daily news reports have been filed detailing the results of incredibly effective cyberattacks ranging from small companies to nation-states. The sum total of these attacks has permanently and dramatically changed the information security threat landscape.  This change hasn’t gone unnoticed with the regulators and now, depending on where your business operates, you have accrued even more work to demonstrate your diligence to these threats. Read more…

Credential Stuffing Campaign Targets Financial Services

Over the last few weeks, Radware has been tracking a significant Credential Stuffing Campaign targeting the financial industry in the United States and Europe. Credential Stuffing is an emerging threat in 2018 that continues to accelerate as more breaches occur. Today, a breach doesn’t just impact the compromised organization and its users, but it also affects every other website that the users may use. Read more…

Is My Smart Home Telling People What I Do Every Day?

The overall smart home market is expected to grow to over $50 billion by 2022.  Already 1 in 4 U.S. households has some kind of smart device in their home.  With all the smart thermostats, smart fridges, smart light bulbs, smart doors and windows, personal assistants, and smart home surveillance, internet-connected home devices are rapidly stacking up in U.S. households. These devices are adding convenience and efficiency, but are they safe? Read more…

Machine Learning Algorithms for Zero Time to Mitigation

Effective DDoS protection combines machine-learning algorithms with negative and positive protection models, as well as rate limiting. The combination of these techniques ensures zero time to mitigation and requires little human intervention. Read more…

Cybersecurity & The Customer Experience: The Perfect Combination

Organizations have long embraced the customer experience and declared it a competitive differentiator. Many executives are quick to focus on the benefits of a loyal-centric strategy and companies now go to great lengths to communicate their organization’s customer centricity to retain existing customers and attract new ones. But where is cybersecurity in this discussion? Read more…

Nigelthorn Malware Abuses Chrome Extensions to Cryptomine and Steal Data

On May 3, 2018, Radware’s cloud malware protection service detected a zero-day malware threat at one of its customers, a global manufacturing firm, by using machine-learning algorithms. This malware campaign is propagating via socially-engineered links on Facebook and is infecting users by abusing a Google Chrome extension (the ‘Nigelify’ application) that performs credential theft, cryptomining, click fraud and more. Read more…

Read the “2018 C-Suite Perspectives: Trends in the Cyberattack Landscape, Security Threats and Business Impacts” to learn more.

Download Now

Attack Types & VectorsDDoSDDoS Attacks

2018 In Review: Memcache and Drupalgeddon

December 20, 2018 — by Daniel Smith0

AdobeStock_199421574-960x640.jpg

Attackers don’t just utilize old, unpatched vulnerabilities, they also exploit recent disclosures at impressive rates. This year we witnessed two worldwide events that highlight the evolution and speed with which attackers will weaponize a vulnerability: Memcache and Druppalgeddon.

Memcached DDoS Attacks

In late February, Radware’s Threat Detection Network signaled an increase in activity on UDP port 11211. At the same time, several organizations began alerting to the same trend of attackers abusing Memcached servers for amplified attacks. A Memcached amplified DDoS attack makes use of legitimate third-party Memcached servers to send spoofed attack traffic to a targeted victim. Memcached, like other UDP-based services (SSDP, DNS and NTP), are Internet servers that do not have native authentication and are therefore hijacked to launch amplified attacks against their victims. The Memcached protocol was never intended to be exposed to the Internet and thus did not have sufficient security controls in place. Because of this exposure, attackers are able to abuse Memcached UDP port 11211 for reflective, volumetric DDoS attacks.

On February 27, Memcached version 1.5.6 was released which noted that UDP port 11211 was exposed and fixed the issue by disabling the UDP protocol by default. The following day, before the update could be applied, attackers leveraged this new attack vector to launch the world’s largest DDoS attack, a title previously held by the Mirai botnet.

There were two main concerns with regards to the Memcached vulnerability. The first is centered around the number of exposed Memcached servers. With just under 100,000 servers and only a few thousand required to launch a 1Tbps attack, the cause for concern is great. Most organizations at this point are likely unaware that they have vulnerable Memcached servers exposed to the Internet and it takes time to block or filter this service. Memcached servers will be vulnerable for some time, allowing attackers to generate volumetric DDoS attacks with few resources.

[You may also like: Entering into the 1Tbps Era]

The second concern is the time it took attackers to begin exploiting this vulnerability. The spike in activity was known for several days prior to the patch and publication of the Memcached vulnerability. Within 24 hours of publication, an attacker was able to build an amplification list of vulnerable MMemcached servers and launch the massive attack.

Adding to this threat, Defcon.pro, a notorious stresser service, quickly incorporated Memcache into their premium offerings after the disclosure. Stresser services are normally quick to utilize the newest attack vector for many reasons. The first reason being publicity. Attackers looking to purchase DDoS-as-a-service will search for a platform offering the latest vectors. Including them in a service shows demand for the latest vectors. In addition, an operator might include the Memcache DDoS-as-a-service so they can provide their users with more power. A stresser service offering a Memcache DDoS-as-a-service will likely also attract more customers who are looking for volume and once again plays into marketing and availability.

[You may also like: The Rise of Booter and Stresser Services]

DDoS-as-a-service operators are running a business and are currently evolving at rapid rates to keep up with demand. Oftentimes, these operators are using the public attention created by news coverage similar to extortionists. Similarly, ransom denial-of-service (RDoS) operators are quick to threaten the use of new tools due to the risks they pose. DDoS-as-a-service will do the same, but once the threat is mitigated by security experts, cyber criminals will look for newer vectors to incorporate  into their latest toolkit or offerings.

This leads into the next example of Drupalgeddon campaign and how quickly hacktivists incorporated this attack vector into their toolkit for the purpose of spreading messages via defacements.

Drupalgeddon

In early 2018, Radware’s Emergency Response Team (ERT) was following AnonPlus Italia, an Anonymous-affiliated group that was engaged in digital protests throughout April and May. The group–involved in political hacktivism as they targeted the Italian government–executed numerous web defacements to protest war, religion, politics and financial power while spreading a message about their social network by abusing the content management systems (CMS).

On April 20, 2018 AnonPlus Italia began a new campaign and defaced two websites to advertise their website and IRC channel. Over the next six days, AnonPlus Italia would claim responsibility for defacing 21 websites, 20 of which used the popular open-source CMS Drupal.

[You may also like: Hacking Democracy: Vulnerable Voting Infrastructure and the Future of Election Security]

Prior to these attacks, on March 29, 2018, the Drupal security team released a patch for a critical remote code execution (RCE) against Drupal that allowed attackers to execute arbitrary code on unpatched servers as a result of an issue affecting multiple subsystems with default or common module configurations. Exploits for CVE-2018-7600 were posted to Github and Exploit-DB under the guise of education purposes only. The first PoC was posted to Exploit DB on April 13, 2018. On April 14, Legion B0mb3r, a member of the Bangladesh-based hacking group Err0r Squad, posted a video to YouTube demonstrating how to use this CVE-2018-7600 to deface an unpatched version of Drupal. A few days later, on April 17, a Metasploit module was also released to the public.

In May, AnonPlus Italia executed 27 more defacements, of which 19 were Drupal.

Content management systems like WordPress and Joomla are normally abused by Anonymous hacktivists to target other web servers. In this recent string of defacements, the group AnonPlus Italia is abusing misconfigured or unpatched CMS instances with remote code exploits, allowing them to upload shells and deface unmaintained websites for headline attention.

Read “Radware’s 2018 Web Application Security Report” to learn more.

Download Now