main

HacksSecurity

Here’s How You Can Better Mitigate a Cyberattack

April 16, 2019 — by Daniel Smith0

HackersAlmanac-960x540.jpg

Where does the attack landscape lead us into 2020? No one knows for sure, but strong indicators help Radware build logic chains to better forecast where the state of network security is heading in the future.  Last year alone, the initial attributable cost of cyberattacks increased by 52% and 93% of those surveyed in our 2018-2019 Global Application and Network Security report experienced a cyberattack over the previous 12 months.

cyberattack. hacker. cyber security.

Let’s face it, today you stand a better chance of mitigating an attack if you understand your risks and the threats you may suffer due to your exposure. Once you begin to understand your enemies’ tactics, techniques, and procedures (TTPs), you can then begin to understand your enemies’ intentions and ability to disrupt your network. This is a good thing. Once you understand the basics, you can then begin to forecast attacks, allowing operators time to prepare to identify and mitigate malicious activity.

[You may also like: Can You Crack The Hack?]

Preparing for the next generation of cyber attacks has become the new norm and requires organizations to stay ahead of the threat landscape. Radware’s Hackers Almanac is designed to help do exactly that by generating awareness about current TTPs used by cyber criminals. In the Hackers Almanac, we cover two main topics: Groups and Tools.

Clear and Present Dangers

In the Groups section, we cover APTs, Organized Crime, Extortionist, DDoS’ers, Political and Patriotic Hackers, as well as Malicious insiders. In the Tools section, we cover Ransomware variants, exploit kits, Trojans and Botnets, as well as consumer tools and other persistent threats that can be expected on an annual basis.

While these threats constitute a clear and present danger to most if not all networks, knowledge is power and the first step to securing your network starts with surveying and auditing. Ensure that your system is up to date and adequately patched. The second step is getting in front of the problem by studying cyber criminals, the way they operate and how they launch their attacks. By understanding your network and its limitations and how hackers launch attacks, your organization can better prepare for attack vectors commonly leveraged by different threats targeting your network

[You may also like: How Cyberattacks Directly Impact Your Brand]

There is no need to fight every battle at the end of the day when you can learn from those around you. Before securing your network, make sure to conduct an audit of your organization’s system and understand its vulnerabilities/weaknesses. Then, leverage this almanac to study the threats posed against your organization.

Download “Hackers Almanac” to learn more.

Download Now

Attack Types & Vectors

Can You Crack the Hack?

April 11, 2019 — by Daniel Smith0

credential_stuffing-960x640.jpg

Let’s play a game. Below are clues describing a specific type of cyberattack; can you guess what it is?

  • This cyberattack is an automated bot-based attack
  • It uses automation tools such as cURL and PhantomJS
  • It leverages breached usernames and passwords
  • Its primary goal is to hijack accounts to access sensitive data, but denial of service is another consequence
  • The financial services industry has been the primary target

Struggling? We understand, it’s tricky! Here are two more clues:

  • Hackers will often route login requests through proxy servers to avoid blacklisting their IP addresses
  • It is a subset of Brute Force attacks, but different from credential cracking 

And the Answer Is….

Credential stuffing! If you didn’t guess correctly, don’t worry. You certainly aren’t alone. At this year’s RSA Conference, Radware invited attendees to participate in a #HackerChallenge. Participants were given clues and asked to diagnose threats. While most were able to surmise two other cyber threats, credential stuffing stumped the majority.

[You may also like: Credential Stuffing Campaign Targets Financial Services]

Understandably so. For one, events are happening at a breakneck pace. In the last few months alone, there have been several high-profile attacks leveraging different password attacks, from credential stuffing to credential spraying. It’s entirely possible that people are conflating the terms and thus the attack vectors. Likewise, they may also confuse credential stuffing with credential cracking.

Stuffing vs. Cracking vs. Spraying

As we’ve previously written, credential stuffing is a subset of brute force attacks but is different from credential cracking. Credential stuffing campaigns do not involve the process of brute forcing password combinations. Rather, they leverage leaked username and passwords in an automated fashion against numerous websites to take over users’ accounts due to credential reuse.

Conversely, credential cracking attacks are an automated web attack wherein criminals attempt to crack users’ passwords or PIN numbers by processing through all possible combines of characters in sequence. These attacks are only possible when applications do not have a lockout policy for failed login attempts. Software for this attack will attempt to crack the user’s password by mutating or brute forcing values until the attacker is successfully authenticated.

[You may also like: Bots 101: This is Why We Can’t Have Nice Things]

As for credential (or password) spraying, this technique involves using a limited set of company-specific passwords in attempted logins for known usernames. When conducting these types of attacks, advanced cybercriminals will typically scan your infrastructure for external facing apps and network services such as webmail, SSO and VPN gateways. Usually, these interfaces have strict timeout features. Actors will use password spraying vs. brute force attacks to avoid being timed out and possibly alerting admins.

So What Can You Do?

A dedicated bot management solution that is tightly integrated into your Web Application Firewall (WAF) is critical. Device fingerprinting, CAPTCHA, IP rate-based detection, in-session detection and terminations JavaScript challenge is also important.

In addition to these steps, network operators should apply two-factor authentication where eligible and monitor dump credentials for potential leaks or threats.

Read “Radware’s 2018 Web Application Security Report” to learn more.

Download Now

SecurityService Provider

Out of the Shadows, Into the Network

April 9, 2019 — by Radware0

darkness-960x540.jpg

Network security is a priority for every carrier worldwide. Investments in human resources and technology solutions to combat attacks are a significant part of carriers’ network operating budgets.

The goal is to protect their networks by staying a few steps ahead of hackers. Currently, carriers may be confident that their network security solution is detecting and mitigating DDoS attacks.

All the reports generated by the solution show the number and severity of attacks as well as how they were thwarted. Unfortunately, we know it’s a false sense of well-being because dirty traffic in the form of sophisticated application attacks is getting through security filters. No major outages or data breaches have been attributed to application attacks yet, so why should carriers care?

Maintaining a Sunny Reputation

The impact of application attacks on carriers and their customers takes many forms:

  • Service degradation
  • Network outages
  • Data exposure
  • Consumption of bandwidth resources
  • Consumption of system resources

[You may also like: How Cyberattacks Directly Impact Your Brand]

A large segment of carriers’ high-value customers have zero tolerance for service interruption. There is a direct correlation between service outages and user churn.

Application attacks put carriers’ reputations at risk. For customers, a small slowdown in services may not be a big deal initially. But as the number and severity of application attacks increase, clogged pipes and slow services are not going to be acceptable. Carriers sell services based on speed and reliability. Bad press about service outages and data compromises has long-lasting negative effects. Then add the compounding power of social networking to quickly spread the word about service issues, and you have a recipe for reputation disaster.

[You may also like: Securing the Customer Experience for 5G and IoT]

Always Under Attack

It’s safe for carriers to assume that their networks are always under attack. DDoS attack volume is escalating as hackers develop new and more technologically sophisticated ways to target carriers and their customers In 2018, attack campaigns were primarily composed of multiple attacks vectors, according to the Radware 2018–2019 Global Application & Network Security Report.

The report finds that “a bigger picture is likely to emerge about the need to deploy security solutions that not only adapt to changing attack vectors to mitigate evolving threats but also maintain service availability at the same time.”

[You may also like: Here’s How Carriers Can Differentiate Their 5G Offerings]

Attack vectors include:

  • SYN Flood
  • UDP Flood
  • DNS Flood
  • HTTP Application Flood
  • SSL Flood
  • Burst Attacks
  • Bot Attacks

Attackers prefer to keep a target busy by launching one or a few attacks at a time rather than firing the entire arsenal all at once. Carriers may be successful at blocking four or five attack vectors, but it only takes one failure for the damage to be done.

2018 Mobile Carrier Ebook

Read “Creating a Secure Climate for your Customers” today.

Download Now

HacksSecurity

How Hackable Is Your Dating App?

February 14, 2019 — by Mike O'Malley0

datingapps-960x653.jpeg

If you’re looking to find a date in 2019, you’re in luck. Dozens of apps and sites exist for this sole purpose – Bumble, Tinder, OKCupid, Match, to name a few. Your next partner could be just a swipe away! But that’s not all; your personal data is likewise a swipe or click away from falling into the hands of cyber criminals (or other creeps).

Online dating, while certainly more popular and acceptable now than it was a decade ago, can be risky. There are top-of-mind risks—does s/he look like their photo? Could this person be a predator?—as well as less prominent (albeit equally important) concerns surrounding data privacy. What, if anything, do your dating apps and sites do to protect your personal data? How hackable are these apps, is there an API where 3rd parties (or hackers) can access your information, and what does that mean for your safety?

Privacy? What Privacy?

A cursory glance at popular dating apps’ privacy policies aren’t exactly comforting. For example, Tinder states, “you should not expect that your personal information, chats, or other communications will always remain secure.” Bumble isn’t much better (“We cannot guarantee the security of your personal data while it is being transmitted to our site and any transmission is at your own risk”) and neither is OKCupid (“As with all technology companies, although we take steps to secure your information, we do not promise, and you should not expect, that your personal information will always remain secure”).

Granted, these are just a few examples, but they paint a concerning picture. These apps and sites house massive amounts of sensitive data—names, locations, birth dates, email addresses, personal interests, and even health statuses—and don’t accept liability for security breaches.

If you’re thinking, “these types of hacks or lapses in privacy aren’t common, there’s no need to panic,” you’re sadly mistaken.

[You may also like: Are Your Applications Secure?]

Hacking Love

The fact is, dating sites and apps have a history of being hacked. In 2015, Ashley Madison, a site for “affairs and discreet married dating,” was notoriously hacked and nearly 37 million customers’ private data was published by hackers.

The following year, BeautifulPeople.com was hacked and the responsible cyber criminals sold the data of 1.1 million users, including personal habits, weight, height, eye color, job, education and more, online. Then there’s the AdultFriendFinder hack, Tinder profile scraping, Jack’d data exposure, and now the very shady practice of data brokers selling online data profiles by the millions.

In other words, between the apparent lack of protection and cyber criminals vying to get a hold of such personal data—whether to sell it for profit, publicly embarrass users, steal identities or build a profile on individuals for compromise—the opportunity and motivation to hack dating apps are high.

[You may also like: Here’s Why Foreign Intelligence Agencies Want Your Data]

Protect Yourself

Dating is hard enough as it is, without the threat of data breaches. So how can you best protect yourself?

First thing’s first: Before you sign up for an app, conduct your due diligence. Does your app use SSL-encrypted data transfers? Does it share your data with third parties? Does it authorize through Facebook (which lacks a certificate verification)? Does the company accept any liability to protect your data?

[You may also like: Ensuring Data Privacy in Public Clouds]

Once you’ve joined a dating app or site, beware of what personal information you share. Oversharing details (education level, job, social media handles, contact information, religion, hobbies, information about your kids, etc.), especially when combined with geo-matching, allows creepy would-be daters to build a playbook on how to target or blackmail you. And if that data is breached and sold or otherwise publicly released, your reputation and safety could be at risk.

Likewise, switch up your profile photos. Because so many apps are connected via Facebook, using the same picture across social platforms lets potential criminals connect the dots and identify you, even if you use an anonymous handle.

Finally, you should use a VPN and ensure your mobile device is up-to-date with security features so that you mitigate cyber risks while you’re swiping left or right.

It’s always better to be safe and secure than sorry.

Read “Radware’s 2018 Web Application Security Report” to learn more.

Download Now

HacksSecurity

Here’s Why Foreign Intelligence Agencies Want Your Data

January 23, 2019 — by Mike O'Malley0

iSpy-960x640.jpg

The implications of the recent Marriott hack go far beyond those of your average data breach. This megabreach of 383M records doesn’t just compromise sensitive data for the sake of fraud or financial gain, it paints a frightening picture of international espionage and personal privacy.

When news broke that hackers working on behalf of a Chinese intelligence agency may be responsible for the Marriott breach, questions abounded. Why would China be interested in loyalty program data by the millions? And why hospitality data?

Could You Be A Target?

Let’s be frank: Foreign intelligence agency actors aren’t exactly interested in earning a free night’s stay at a Marriott property. The answer is potentially far more nefarious. The fact is, data collected from breaches are but one piece of a larger, darker puzzle. Stolen customer data—when combined with travel data (see Delta, Cathay Pacific, and British Airways hacks, among others) and other sources of online personal information (i.e., what we share across social media platforms)—enable intelligence agencies to build profiles on individuals. These profiles can then be leveraged to recruit potential informants, as well as check the travel of known government and intelligence officers against their own government to identify moles.

It’s also critical to note that heads of state and other political VIPs are no longer foreign intelligence agencies’ only marks; ordinary citizens are similarly targeted, especially those who may have unfettered access to troves of company Intellectual Property (IP) that a foreign government may want for their domestic economy.

[You may also like: Will Cyber Serenity Soon Be a Thing of the Past?]

For example, if you work for a cloud storage company whose customers’ data is in an area of interest to an intelligence agency, you may very well become an object of interest. For example, in the FBI’s most recent indictment against foreign intelligence services, Zhu Hua and Zhang Shilong were charged on acting on behalf of the Chinese Ministry of State Security for stealing personal information and IP from companies in various industries including banking and finance, telecom, consumer electronics, healthcare, biotech, automotive, oil and gas, mining and the U.S. Navy.

The Hua/Shilong case is just the latest example of foreign intelligence agencies playing a game of chess while the U.S. is playing checkers. 2018 demonstrated this multiple times: In March, the Justice Department announced that Iranians had, through years-long cyberattacks, stolen intellectual property from over 300 U.S. universities and companies. In July, several Russian agents were indicted for election hacking and in September, North Korea was accused of trying to hurt the U.S. economy through a hack. And, of course, in December, the U.S. government accused China of the Marriott megabreach.  But 2018’s record isn’t unique; France was accused of stealing U.S. IP for French companies in 2014 by the U.S. Secretary of Defense.

In the case of Marriott and other large enterprises like it, CISOs and C-suite executives are focused on individual pieces of data lost, versus the sum of what that data can reveal about an individual as a whole, putting them (and us) at a significant disadvantage. Indeed, the entirety of the digital footprint we create, which can be used to impersonate us or to profile/create leverage on us, is greater than the sum of the individual data parts. Consumers likewise don’t typically consider the bigger picture their personal data paints, regarding their travel patterns, purchasing habits, hobbies, (not so) hidden secrets, social causes and more. Add in breach burnout, wherein the public has become desensitized to countless stories of data exposure, and a perfect storm for harvesting operatives and stealing IP emerges.

[You may also like: AI Considerations in Cyber Defence Automation]

Look at the Whole Picture

Until enterprises view data holistically and realize that any company with valuable IP could be the target of a foreign government on behalf of that company’s foreign competitors, they will continue to play into the hands of transnational threat actors at the expense of consumer safety and national security.

It is critical that organizations incorporate cybersecurity into every fabric of the business, from the C-level down, including training and education, as well as seeking expertise from security service companies who understand how to protect organizations from the capabilities of foreign intelligence groups. And that education must include an understanding how personal, government and business-related information can be used by foreign intelligence agencies, and how corporate IP may be of value to foreign competitors. Whether it’s a game of chess or an intricate puzzle, individuals must look beyond the breach at hand and grasp what’s around the corner.

Read “The Trust Factor: Cybersecurity’s Role in Sustaining Business Momentum” to learn more.

Download Now

BotnetsBrute Force AttacksDDoS AttacksPhishing

Top 6 Threat Discoveries of 2018

December 18, 2018 — by Radware0

AdobeStock_192801212-960x540.jpg

Over the course of 2018, Radware’s Emergency Response Team (ERT) identified several cyberattacks and security threats across the globe. Below is a round-up of our top discoveries from the past year. For more detailed information on each attack, please visit DDoS Warriors.

DemonBot

Radware’s Threat Research Center has been monitoring and tracking a malicious agent that is leveraging a Hadoop YARN (Yet-Another-Resource-Negotiator) unauthenticated remote command execution to infect Hadoop clusters with an unsophisticated new bot that identifies itself as DemonBot.

After a spike in requests for /ws/v1/cluster/apps/new-application appeared in our Threat Deception Network, DemonBot was identified and we have been tracking over 70 active exploit servers that are actively spreading DemonBot and are exploiting servers at an aggregated rate of over 1 million exploits per day.

[You may also like: IoT Botnets on the Rise]

Credential Stuffing Campaign

In October, Radware began tracking a credential stuffing campaign—a subset of Bruce Force attacks—targeting the financial industry in the United States and Europe.

This particular campaign is motivated by fraud. Criminals are using credentials from prior data breaches to gain access to users’ bank accounts. When significant breaches occur, the compromised emails and passwords are quickly leveraged by cybercriminals. Armed with tens of millions of credentials from recently breached websites, attackers will use these credentials, along with scripts and proxies, to distribute their attack against the financial institution to take over banking accounts. These login attempts can happen in such volumes that they resemble a distributed denial-of-service (DDoS) attack.

DNS Hijacking Targets Brazilian Banks

This summer, Radware’s Threat Research Center identified a hijacking campaign aimed at Brazilian Bank customers through their IoT devices, attempting to gain their bank credentials.

The research center had been tracking malicious activity targeting DLink DSL modem routers in Brazil since early June. Through known old exploits dating from 2015, a malicious agent is attempting to modify the DNS server settings in the routers of Brazilian residents, redirecting all their DNS requests through a malicious DNS server. The malicious DNS server is hijacking requests for the hostname of Banco de Brasil (www.bb.com.br) and redirecting to a fake, cloned website hosted on the same malicious DNS server, which has no connection whatsoever to the legitimate Banco de Brasil website.

[You may also like: Financial Institutions Must Protect the Data Like They Protect the Money]

Nigelthorn Malware

In May, Radware’s cloud malware protection service detected a zero-day malware threat at one of its customers, a global manufacturing firm, by using machine-learning algorithms. This malware campaign is propagating via socially-engineered links on Facebook and is infecting users by abusing a Google Chrome extension (the ‘Nigelify’ application) that performs credential theft, cryptomining, click fraud and more.

Further investigation by Radware’s Threat Research group revealed that this group has been active since at least March 2018 and has already infected more than 100,000 users in over 100 countries.

[You may also like: The Origin of Ransomware and Its Impact on Businesses]

Stresspaint Malware Campaign

On April 12, 2018, Radware’s Threat Research group detected malicious activity via internal feeds of a group collecting user credentials and payment methods from Facebook users across the globe. The group manipulates victims via phishing emails to download a painting application called ‘Relieve Stress Paint.’ While benign in appearance, it runs a malware dubbed ‘Stresspaint’ in the background. Within a few days, the group had infected over 40,000 users, stealing tens of thousands Facebook user credentials/cookies.

DarkSky Botnet

In early 2018, Radware’s Threat Research group discovered a new botnet, dubbed DarkSky. DarkSky features several evasion mechanisms, a malware downloader and a variety of network- and application-layer DDoS attack vectors. This bot is now available for sale for less than $20 over the Darknet.

As published by its authors, this malware is capable of running under Windows XP/7/8/10, both x32 and x64 versions, and has anti-virtual machine capabilities to evade security controls such as a sandbox, thereby allowing it to only infect ‘real’ machines.

Read the “IoT Attack Handbook – A Field Guide to Understanding IoT Attacks from the Mirai Botnet and its Modern Variants” to learn more.

Download Now

DDoS AttacksHacksSecurity

Hacking Democracy: Vulnerable Voting Infrastructure and the Future of Election Security

November 6, 2018 — by Mike O'Malley1

election_security-960x640.jpg

It’s been two years since international interference sabotaged the United States’ election security, and still the vulnerability of our voting infrastructure remains a major problem. This past May, during Tennessee’s primary election, the Knox County election website fell prey to a DDoS attack. And just days ago, Texas voters experienced “ominous irregularities” from voting machines.

In the lead up to the midterm elections, Radware surveyed Facebook users on the safety of U.S. elections, and the results paint a gloomy picture. The overwhelming majority (93.4 percent) of respondents believe that our election system is vulnerable to targeting and hacking—and they’re correct. What’s more, respondents were unable to suggest long-term tenable solutions when asked how the U.S. can improve its election safety (which is understandable, given the complexity of the issue).

A Seriously Flawed Voting Infrastructure

It is alarmingly quick and easy to hack into U.S. voting systems; just ask the 11-year-old boy who earlier this year demonstrated how he could hack into a replica of the Florida state election website and change voting results in under 10 minutes.

Why is it so easy? A large part of the problem is a lack of consistency among state election systems in either protocols or equipment. Voting equipment varies from paper ballots, to punch cards to electronic touch screens. Some states manually count votes while others use automation. Because of these many variables, each state has different security flaws and different vulnerability of being hacked.

There are roughly 350,000 voting machines used in the U.S. today, according to Verified Voting. There are two types of machines: direct-recording electronic (DRE) machines, which are digital and allow voters to touch a screen to make their selections, and optical-scan systems. Optical-scan machines allow voters to make their selections on a paper ballot, which gets fed into an optical scanner and can be used later to verify the digital results. The DREs are of particular concern because all models are vulnerable to hacking. And because DREs do not provide a hard copy of the vote, it is difficult to double-check results for signs of manipulation.

[You may also like: Can Hackers Ruin America’s Election Day?]

Additionally, voting machines need to be programmed with ballot information, which likely happens by direct connection to the Internet. Precinct results are often centrally tabulated by state and local governments over their various local area networks, adding even more points of potential hacking and vote manipulation.

Multiple voting machines, multiple connection points, multiple network architectures, multiple tabulation systems. There is no consistent framework to secure thousands of potential different weaknesses.

Today, the burden lies with local municipalities, which are ill-equipped to deal with sophisticated, nationally-organized cyber security attacks by hostile foreign governments. That’s the bad news. But the good news is that we can do something about it.

We Need to Reboot

This midterm election, it’s estimated that 1 in 5 Americans will cast ballots on machines that do not produce a paper record of their votes. This is highly problematic when you consider that the Department of Homeland Security (DHS) identified election system hacking in 21 states—nearly half of the country—last September. If left unaddressed, these vulnerabilities will continue to threaten national security and our democratic system.

The federal government, through DHS, needs to help municipalities and government workers minimize risks and become smarter about election hacking issues by taking these steps:

  • Teach administrative staff about phishing scams, DDoS attacks, etc.  While election officials and staff are trained on the proper procedures and deployment of their voting systems, it is also important that be educated on cybersecurity events so that they are not as likely to fall prey to them and compromise local networks.
  • Do not open any attachments without confirming the attachment came from a trusted source. Attachments are one of the biggest security risks, particularly attachments coming from unknown, suspicious or untrustworthy sources.
  • Use best practices for password protection such as two-factor authentication so that security is maximized. This method confirms users’ identities through a combination of two different factors: something they know and something they have, like using an ATM bank card which requires the correct combination of a bank card (something that the user has) and a PIN (something that the user knows).
  • Keep all software updated. Turn on auto-updates on your phone and laptops – don’t wait to apply them.
  • Check for firmware updates on all printer and network devices as part of your regular patch management schedule as these devices can be weaponized. Updates can add new or improved security features and patch known security holes.
  • Do not conduct any non-government related activity while connected to the network – fantasy football, signing your kid up for soccer, etc.

[You may also like: DDOS Protection is the Foundation for Application Site and Data Availability]

The Future of Election Security

Looking forward, innovative technologies such as blockchain, digital IDs and electronic signatures should be considered on a single, national voting network. Some states, like West Virginia, have already deployed pilot programs enabling voting via a blockchain network to store and secure digital votes.

The threat of interference remains until we are on a secure nationwide election system. To preserve the democratic value of one person one vote, the U.S. must make the necessary security upgrades to prevent voter fraud, foreign influence campaigns and hacking of our election infrastructure. Federal legislation needs to be introduced to make this happen. Protecting our elections is a matter of national security, requiring immediate action and coordination at all levels of government.

 

Read “Radware’s 2018 Web Application Security Report” to learn more.

Download Now

Attack Types & VectorsSecurity

What Should You Do When Your Identity Has Been Compromised?

July 26, 2018 — by Daniel Smith5

identity-theft-960x640.jpg

Almost every day, someone calls me to inquire about how to deal with a compromised identity. It has become so common that I have come to the point of just assuming everyone has had their identity compromised in some way, shape or form after the last few years of large-scale data breaches[1].

In 2018, the trend of large data breaches continues with electronic toymaker Vtech settling for $650,000 after suffering a data breach that resulted in exposed personal information about millions of children. Just in the last few months, major breaches targeting payment processing systems at Chili’s, Rail Europe and Macy’s have occurred, resulting in the exposure of customers’ credit card details such as card numbers, CCV codes, expiration dates and in some cases additional information like addresses, phone numbers and emails.

Older Posts