main

Attack Types & VectorsBotnetsSecurity

IoT Expands the Botnet Universe

March 6, 2019 — by Radware0

AdobeStock_175553664-960x607.jpg

In 2018, we witnessed the dramatic growth of IoT devices and a corresponding increase in the number of botnets and cyberattacks. Because IoT devices are always-on, rarely monitored and generally use off-the-shelf default passwords, they are low-hanging fruit for hackers looking for easy ways to build an army of malicious attackers. Every IoT device added to the network grows the hacker’s tool set.

Botnets comprised of vulnerable IoT devices, combined with widely available DDoS-as-a-Service tools and anonymous payment mechanisms, have pushed denial-of-service attacks to record-breaking volumes. At the same time, new domains such as cryptomining and credentials theft offer more opportunities for hacktivism.

Let’s look at some of the botnets and threats discovered and identified by Radware’s deception network in 2018.

JenX

A new botnet tried to deliver its dangerous payload to Radware’s newly deployed IoT honeypots. The honeypots registered multiple exploit attempts from distinct servers, all located in popular cloud hosting providers based in Europe. The botnet creators intended to sell 290Gbps DDoS attacks for only $20. Further investigation showed that the new bot used an atypical central scanning method through a handful of Linux virtual private servers (VPS) used to scan, exploit and load malware onto unsuspecting IoT victims. At the same time, the deception network also detected SYN scans originating from each of the exploited servers indicating that they were first performing a
mass scan before attempting to exploit the IoT devices, ensuring that ports 52869 and 37215 were open.

[You may also like: IoT Botnets on the Rise]

ADB Miner

A new piece of malware that takes advantage of Android-based devices exposing debug capabilities to the internet. It leverages scanning code from Mirai. When a remote host exposes its Android Debug Bridge (ADB) control port, any Android emulator on the internet has full install, start, reboot and root shell access without authentication.

Part of the malware includes Monero cryptocurrency miners (xmrig binaries), which are executing on the infected devices. Radware’s automated trend analysis algorithms detected a significant increase in activity against port 5555, both in the number of hits and in the number of distinct IPs. Port 5555 is one of the known ports used by TR069/064 exploits, such as those witnessed during the Mirai-based attack targeting Deutsche Telekom routers in November 2016. In this case, the payload delivered to the port was not SOAP/HTTP, but rather the ADB remote debugging protocol.

Satori.Dasan

Less than a week after ADB Miner, a third new botnet variant triggered a trend alert due to a significant increase in malicious activity over port 8080. Radware detected a jump in the infecting IPs from around 200 unique IPs per day to over 2,000 malicious unique IPs per day. Further investigation by the research team uncovered a new variant of the Satori botnet capable of aggressive scanning and exploitation of CVE-2017-18046 — Dasan Unauthenticated Remote Code Execution.

[You may also like: New Satori Botnet Variant Enslaves Thousands of Dasan WiFi Routers]

The rapidly growing botnet referred to as “Satori.Dasan” utilizes a highly effective wormlike scanning mechanism, where every infected host looks for more hosts to infect by performing aggressive scanning of random IP addresses and exclusively targeting port 8080. Once a suitable target is located, the infected bot notifies a C2 server, which immediately attempts to infect the new victim.

Memcached DDoS Attacks

A few weeks later, Radware’s system provided an alert on yet another new trend — an increase in activity on UDP port 11211. This trend notification correlated with several organizations publicly disclosing a trend in UDP-amplified DDoS attacks utilizing Memcached servers configured to accommodate UDP (in addition to the default TCP) without limitation. After the attack, CVE2018-1000115 was published to patch this vulnerability.

Memcached services are by design an internal service that allows unauthenticated access requiring no verification of source or identity. A Memcached amplified DDoS attack makes use of legitimate third-party Memcached servers to send attack traffic to a targeted victim by spoofing the request packet’s source IP with that of the victim’s IP. Memcached provided record-breaking amplification ratios of up to 52,000x.

[You may also like: Entering into the 1Tbps Era]

Hajime Expands to MikroTik RouterOS

Radware’s alert algorithms detected a huge spike in activity for TCP port 8291. After near-zero activity on that port for months, the deception network registered over 10,000 unique IPs hitting port 8291 in a single day. Port 8291 is related to a then-new botnet that exploits vulnerabilities in the MikroTik RouterOS operating system, allowing attackers to remotely execute code on the device.

The spreading mechanism was going beyond port 8291, which is used almost exclusively by MikroTik, and rapidly infecting other devices such as AirOS/Ubiquiti via ports: 80, 81, 82, 8080, 8081, 8082, 8089, 8181, 8880, utilizing known exploits and password-cracking attempts to speed up the propagation.

Satori IoT Botnet Worm Variant

Another interesting trend alert occurred on Saturday, June 15. Radware’s automated algorithms alerted to an upsurge of malicious activity scanning and infection of a variety of IoT devices by taking advantage of recently discovered exploits. The previously unseen payload was delivered by the infamous Satori botnet. The exponential increase in the number of attack sources spread all over the world, exceeding 2,500 attackers in a 24-hour period.

[You may also like: A Quick History of IoT Botnets]

Hakai

Radware’s automation algorithm monitored the rise of Hakai, which was first recorded in July. Hakai is a new botnet recently discovered by NewSky Security after lying dormant for a while. It started to infect D-Link, Huawei and Realtek routers. In addition to exploiting known vulnerabilities to infect the routers, it used a Telnet scanner to enslave Telnet-enabled devices with default credentials.

DemonBot

A new stray QBot variant going by the name of DemonBot joined the worldwide hunt for yellow elephant — Hadoop cluster — with the intention of conscripting them into an active DDoS botnet. Hadoop clusters are typically very capable, stable platforms that can individually account for much larger volumes of DDoS traffic compared to IoT devices. DemonBot extends the traditional abuse of IoT platforms for DDoS by adding very capable big data cloud servers. The DDoS attack vectors supported by DemonBot are STD, UDP and TCP floods.

Using a Hadoop YARN (Yet-Another-Resource-Negotiator) unauthenticated remote command execution, DemonBot spreads only via central servers and does not expose the wormlike behavior exhibited by Mirai-based bots. By the end of October, Radware tracked over 70 active exploit servers that are spreading malware
and exploiting YARN servers at an aggregated rate of over one million exploits per day.

[You may also like: Hadoop YARN: An Assessment of the Attack Surface and Its Exploits]

YARN allows multiple data processing engines to handle data stored in a single Hadoop platform. DemonBot took advantage of YARN’s REST API publicly exposed by over 1,000 cloud servers worldwide. DemonBot effectively harnesses the Hadoop clusters in order to generate a DDoS botnet powered by cloud infrastructure.

Always on the Hunt

In 2018, Radware’s deception network launched its first automated trend-detection steps and proved its ability to identify emerging threats early on and to distribute valuable data to the Radware mitigation devices, enabling them to effectively mitigate infections, scanners and attackers. One of the most difficult aspects in automated anomaly detection is to filter out the massive noise and identify the trends that indicate real issues.

In 2019, the deception network will continue to evolve and learn and expand its horizons, taking the next steps in real-time automated detection and mitigation.

Read “The Trust Factor: Cybersecurity’s Role in Sustaining Business Momentum” to learn more.

Download Now

Mobile SecurityService Provider

Don’t Be A “Dumb” Carrier

February 12, 2019 — by Mike O'Malley0

dumbcarrier-960x540.jpg

By next year, it is estimated that there will be 20.4 billion IoT devices, with businesses accounting for roughly 7.6 billion of them. While these devices are the next wireless innovation to improve productivity in an ever-connected world, they also represent nearly 8 billion opportunities for breaches or attacks.

In fact, 97% of companies believe IoT devices could wreak havoc on their organizations, and with good reason. Security flaws can leave millions of devices vulnerable, creating pathways for cyber criminals to exfiltrate data—or worse. For example, a July 2018 report disclosed that nearly 500 million IoT devices were susceptible to cyberattacks at businesses worldwide because of a decade old web exploit.

A New Attack Environment

In other words, just because these devices are new and innovative doesn’t mean your security is, too. To further complicate matters, 5G networks will begin to roll out in 2020, creating a new atmosphere for mobile network attacks. Hackers will be able to exploit IoT devices and leverage the speed, low latency and high capacity of 5G networks to launch unprecedented volumes of sophisticated attacks, ranging from standard IoT attacks to burst attacks, and even smartphone infections and mobile operating system malware.

Scary stuff.

[You may also like: IoT, 5G Networks and Cybersecurity: A New Atmosphere for Mobile Network Attacks]

So, who is responsible for securing these billions of devices to ensure businesses and consumers alike are protected?  Well, right now, nobody. And there’s no clear agreement on what entity is—or should be—held accountable. According to Radware’s 2017-2018 Global Application & Network Security Report, 34% believe the device manufacturer is responsible, 11% believe service providers are, 21% think it falls to the private consumer, and 35% believe business organizations should be liable.

Ownership Is Opportunity

Indeed, no one group is raising its hand to claim ownership of IoT device security. But if service providers want to protect their networks and customers, they should jump at the chance to take the lead here. While service providers technically don’t own the emerging security issues, it is ultimately the operators who are best positioned to deal with and mitigate attack traffic. While many may view this as an operational cost, it is, in actuality, a business opportunity.

In fact, the Japanese government is so concerned about a large scale IoT attack disrupting the 2020 Tokyo Olympics, they just passed a law empowering the government to intentionally identify and hack vulnerable IoT devices.  And who is the government asking to secure the list of devices they find vulnerable? Consumers? Businesses? Manufacturers?  No, No, and NO.  They are asking service providers to secure these devices from attacks.

[You may also like: IoT, 5G Networks and Cybersecurity: Safeguarding 5G Networks with Automation and AI]

Think about it: Every device connected to a network is another potential security weakness. And as we’ve written about previously, IoT devices are especially vulnerable because of manufacturers’ priority to maintain low costs, rather than spending more on additional security features. If mobile service providers create a secure environment that satisfies the protection of customer data and devices, they can establish a competitive advantage and reap financial rewards.

From Opportunity to Rewards

This translates to the potential for capturing new revenue streams. If your mobile network is more secure than your competitors’, it stands to reason that their customer attrition becomes your win. And mobile IoT businesses will pay an additional service premium for the knowledge that their IoT devices won’t be compromised and can maintain 100% availability.

[You may also like: The Rise of 5G Networks]

What’s more, service providers need to be mindful of history repeating itself. After providers lost the war with Apple and Google to control apps (and their associated revenue), they earned the unfortunate reputation of being “dumb pipes.” Conversely, Apple and Google were heralded for capturing all the value of the explosion of mobile data apps. Apple now sits with twice the valuation as AT&T and Verizon, COMBINED.  Now, as we are on the precipice of a similar explosion of IoT apps that enterprises will buy, the question again arises over whether service providers will just sell “dumb pipes” or whether they will get involved in the value chain.

A word to the wise: Don’t be a “dumb” carrier. Be smart.  Secure the customer experience and reap the benefits.

2018 Mobile Carrier Ebook

Read “Creating a Secure Climate for your Customers” today.

Download Now

Attack Types & VectorsCloud SecurityDDoS AttacksSecurity

2019 Predictions: Will Cyber Serenity Soon Be a Thing of the Past?

November 29, 2018 — by Daniel Smith0

AdobeStock_227784320-2-960x600.jpg

In 2018 the threat landscape evolved at a breakneck pace, from predominantly DDoS and ransom attacks (in 2016 and 2017, respectively), to automated attacks. We saw sensational attacks on APIs, the ability to leverage weaponized Artificial Intelligence, and growth in side-channel and proxy-based attacks.

And by the looks of it, 2019 will be an extension of the proverbial game of whack-a-mole, with categorical alterations to the current tactics, techniques and procedures (TTPs). While nobody knows exactly what the future holds, strong indicators today enable us to forecast trends in the coming year.

The public cloud will experience a massive security attack

The worldwide public cloud services market is projected to grow 17.3 percent in 2019 to total $206.2 billion, up from $175.8 billion in 2018, according to Gartner, Inc. This means organizations are rapidly shifting content to the cloud, and with that data shift comes new vulnerabilities and threats. While cloud adoption is touted as faster, better, and easier, security is often overlooked for performance and overall cost. Organizations trust and expect their cloud providers to adequately secure information for them, but perception is not always a reality when it comes to current cloud security, and 2019 will demonstrate this.

[You may also like: Cloud vs DDoS, the Seven Layers of Complexity]

Ransom techniques will surge

Ransom, including ransomware and ransom RDoS, will give way to hijacking new embedded technologies, along with holding healthcare systems and smart cities hostage with the launch of 5G networks and devices. What does this look like? The prospects are distressing:

  • Hijacking the availability of a service—like stock trading, streaming video or music, or even 911—and demanding a ransom for the digital return of the devices or network.
  • Hijacking a device. Not only are smart home devices like thermostats and refrigerators susceptible to security lapses, but so are larger devices, like automobiles.
  • Healthcare ransom attacks pose a particularly terrifying threat. As healthcare is increasingly interwoven with cloud-based monitoring, services and IoT embedded devices responsible for administering health management (think prescriptions/urgent medications, health records, etc.) are vulnerable, putting those seeking medical care in jeopardy of having their healthcare devices that they a dependent on being targeted by malware or their devices supporting network being hijacked.

[You may also like: The Origin of Ransomware and Its Impact on Businesses]

Nation state attacks will increase

As trade and other types of “soft-based’ power conflicts increase in number and severity, nation states and other groups will seek new ways of causing widespread disruption including Internet outages at the local or regional level, service outages, supply chain attacks and application blacklisting by government in attempted power grabs. Contractors and government organizations are likely to be targeted, and other industries will stand to lose millions of dollars as indirect victims if communications systems fail and trade grinds to a halt.

More destructive DDoS attacks are on the way

Over the past several years, we’ve witnessed the development and deployment of massive IoT-based botnets, such as Mirai, Brickerbot, Reaper and Haijme, whose systems are built around thousands of compromised IoT devices.  Most of these weaponized botnets have been used in cyberattacks to knock out critical devices or services in a relatively straightforward manner.

Recently there has been a change in devices targeted by bot herders. Based on developments we are seeing in the wild, attackers are not only infiltrating resource-constrained IoT devices, they are also targeting powerful cloud-based servers. When targeted, only a handful of compromised instances are needed to create a serious threat. Since IoT malware is cross-compiled for many platforms, including x86_64, we expect to see attackers consistently altering and updating Mirai/Qbot scanners to include more cloud-based exploits going into 2019.

[You may also like: IoT Botnets on the Rise]

Cyber serenity may be a thing of the past

If the growth of the attack landscape continues to evolve into 2019 through various chaining attacks and alteration of the current TTP’s to include automated features, the best years of cybersecurity may be behind us. Let’s hope that 2019 will be the year we collectively begin to really share intelligence and aid one another in knowledge transfer; it’s critical in order to address the threat equation and come up with reasonable and achievable solutions that will abate the ominous signs before us all.

Until then, pay special attention to weaponized AI, large API attacks, proxy attacks and automated social engineering. As they target the hidden attack surface of automation, they will no doubt become very problematic moving forward.

Read the “2018 C-Suite Perspectives: Trends in the Cyberattack Landscape, Security Threats and Business Impacts” to learn more.

Download Now

SecurityService Provider

IoT, 5G Networks and Cybersecurity: Safeguarding 5G Networks with Automation and AI

September 18, 2018 — by Louis Scialabba1

iot-5g-networks-cybersecurity-blog-img-960x519.jpg

By 2020, Gartner says there will be 20.4 billion IoT devices. That rounds out to almost three devices per person on earth. As a result, IoT devices will show up in just about every aspect of daily life. While IoT devices promise benefits such as improved productivity, longevity and enjoyment, they also open a Pandora’s box of security issues for mobile service providers.

This flood of IoT devices, combined with the onset of 5G networks to support it, is creating an atmosphere ripe for mobile network attacks.  This threat landscape requires mobile service providers to alter their approach to network security or suffer dire consequences. The same old tools are no longer enough.

[You might also like: A New Atmosphere for Mobile Network Attacks]

Battle Increased Complexity with Automation

For years, security teams have struggled with the proliferation of data from dozens of security products, outpacing their ability to process it. This same problem applies to mobile service providers regarding the aforementioned issues surrounding 5G and IoT devices.

Security threats and anomalies within mobile network traffic are growing faster than security teams can detect and react to them. All the security threats we see now on enterprise networks are a harbinger of what’s to come on 5G networks. The introduction of 5G adds significant complexities to mobile networks that require next-generation security solutions.

Automation is key to better identification and mitigation of these threats for mobile service providers. Machine-learning based DDoS mitigation solutions enable real-time detection and mitigation of DDoS attacks. Through behavioral analysis, bad traffic can then be identified and automatically blocked before any damage is done.

[You might also like: The Rise of 5G Networks]

Automation Across the Security Architecture

For mobile service providers, automation must expand across all layers of the security architecture. First and foremost, the network must be leveraged as a sensor, a digital cyberattack tripwire. In 5G networks, network elements are distributed at the edge and virtualized. The network’s endpoints can be used as detection spots to send messages back to a centralized control plane (CCP).

The CCP serves as the brain of the network, compiling all the inputs from its telemetry feeds to deploy the best way to apply mitigation policies.

The myriad amount of CCP data can be put to work via Big Data. As 5G pushes network functions and data to the cloud, there’s an opportunity to use this information to better protect against attacks with the help of artificial intelligence (AI) and deep learning.

This is where the “big” in “big data” comes into play. Because 5G virtual devices live on the edge of the network in small appliances, there isn’t enough computing power available to identify evolving attack traffic from within. But by feeding traffic through an extra layer of protection at large data centers, it is possible to efficiently compile all the data to identify attacks.

Large data centers can be prohibitively expensive to house and maintain. Ideally, these data centers are housed and maintained by the mobile service provider’s DDoS mitigation vendor, which leverages its network of cloud-based scrubbing centers (and the massive volumes of threat intelligence it collects) to process this information and automatically feed it back to the mobile service provider.

A Game of Probability

In the end, IoT and 5G security will come down to being a game of probability, however, automation and AI stack the odds heavily in favor of mobile service providers.

The new network technology has the speed and capacity to enable AI with data from 50 billion connected devices. AI requires huge amounts of data to sift through and create neural networks where anomalies can be detected, with emphasis on good data. Bad or poisoned data will lead to biased models and false negatives. The more good data, the better the outcomes in this high-stakes game of probability.

As all this traffic is fed through the scrubbing centers at data centers around the world, AI can help inform security algorithms to detect protocol anomalies and flag issues. The near real-time process is complicated. Like an FBI watch list, a register of attack information goes to a mobile network’s control plane. The result is a threat intelligence feed that uses the power of machine learning to identify and prevent attacks.

The best place to populate AI and deep learning systems is from crowdsourcing and global communities where large numbers of enterprises and networks contribute data. Bad data will find its way in, but the good data will significantly outnumber the bad data to make deep learning possible.

Ultimately, the threats from botnets, web scraping, and IoT zombies is dynamic and increasingly complex. With 5G on the horizon, it’s critical that mobile service providers are proactive and make plans now to protect their networks against evolving security threats by turning to machine learning and AI.

2018 Mobile Carrier Ebook

Read “Creating a Secure Climate for your Customers” today.

Download Now

BotnetsMobile DataMobile SecuritySecurityService Provider

IoT, 5G Networks and Cybersecurity: The Rise of 5G Networks

August 16, 2018 — by Louis Scialabba2

rise-5g-networks-iot-cybersecurity-960x640.jpg

Smartphones today have more computing power than the computers that guided the Apollo 11 moon landing. From its original positioning of luxury, mobile devices have become a necessity in numerous societies across the globe.

With recent innovations in mobile payment such as Apple Pay, Android Pay, and investments in cryptocurrency, cyberattacks have become especially more frequent with the intent of financial gain. In the past year alone, hackers have been able to mobilize and weaponize unsuspected devices to launch severe network attacks. Working with a North American service provider, Radware investigations found that about 30% of wireless network traffic originated from mobile devices launching DDoS attacks.

Each generation of network technology comes with its own set of security challenges.

How Did We Get Here?

Starting in the 1990s, the evolution of 2G networks enabled service providers the opportunity to dip their toes in the water that is security issues, where their sole security challenge was the protection of voice calls. This was resolved through call encryption and the development of SIM cards.

Next came the generation of 3G technology where the universal objective (at the time) for a more concrete and secure network was accomplished. 3G networks became renowned for the ability to provide faster speeds and access to the internet. In addition, the new technology provided better security with encryption for voice calls and data traffic, minimizing the impact and damage levels of data payload theft and rogue networks.

Fast forward to today. The era of 4G technology has evolved the mobile ecosystem to what is now a mobile universe that fits into our pockets. Delivering significantly faster speeds, 4G networks also exposed the opportunities for attackers to exploit susceptible devices for similarly quick and massive DDoS attacks. More direct cyberattacks via the access of users’ sensitive data also emerged – and are still being tackled – such as identity theft, ransomware, and cryptocurrency-related criminal activity.

The New Age

2020 is the start of a massive rollout of 5G networks, making security concerns more challenging. The expansion of 5G technology comes with promises of outstanding speeds, paralleling with landline connection speeds. The foundation of the up-and-coming network is traffic distribution via cloud servers. While greatly benefitting 5G users, this will also allow attackers to equally reap the benefits. Without the proper security elements in place, attackers can wreak havoc with their now broadened horizons of potential chaos.

What’s Next?

In the 5G universe, hackers can simply attach themselves to a 5G connection remotely and collaborate with other servers to launch attacks of a whole new level. Service providers will have to be more preemptive with their defenses in this new age of technology. Because of the instantaneous speeds and low lag time, they’re in the optimal position to defend against cyberattacks before attackers can reach the depths of the cloud server.

2018 Mobile Carrier Ebook

Discover more about what the 5G generation will bring, both benefits and challenges, in Radware’s e-book “Creating a Secure Climate for your Customers” today.

Download Now

Security

It’s All Fun and Games…Until Your “Smart” Home Gets Hacked

September 21, 2017 — by David Hobbs0

iot-smart-homes-960x640.jpg

A year ago, we bought a fixer-upper well below market value. We knew that we would have the opportunity to make some investment in smart tech. When Amazon sent a Smart Home Consultant to our house, they said we were farther ahead than most of the people they met with. I was trying to get them to help me make my lights flash blue and green when the Seahawks NFL team scored a touchdown. We’ve since solved that problem, and along the way, we had to take many important security measures.

Attack Types & VectorsSecurity

Do Hackers Have It Easy?

September 19, 2017 — by Shira Sagiv0

defense-pro-iot-960x540.jpg

Hackers got it easy. At least, it feels like it. They are in a growing “industry” with many, almost endless, targets to choose from. They have access to new tools and techniques, services that make it easy for them to launch an attack and lots of information and personal data at their fingertips. All of that is available today on the Darknet, and you don’t need to be a sophisticated hacker to get access and start “enjoying” it all.

Security

Blockchain and the future of IoT – Part 3

August 10, 2017 — by Pascal Geenens0

blockchain-iot-part-3-960x640.jpg

To read Part 1 of the series, click here.

To read Part 2 of the series, click here.

Blockchain in the IoT world

A blockchain implementation in the IoT world is probably not best served by a public blockchain based on Proof of Work. The inefficient consumption, not to say waste, of energy to generate Proof of Work is pretty much orthogonal with the premise of IoT devices, which have to consume less energy and are in some cases battery powered. POW comes at a severe cost and it does not add much value to the use case of a distributed ledger used within a consortium of partners. Hence the implementation based on Proof of Stake provides a better starting point for any attempt to chainify an IoT ecosystem where a consortium of partners is adopting a new business application. The security would then be based on a limited number of centralized nodes or cloud servers and by design it does not rely on independence of central trust as do the public cryptocurrencies. Most blockchain use cases I came across start from the assumption that there is a set of parties or a consortium of partners that have a common interest in a specific ledger, and while it might serve the larger public in terms of better quality and faster service, the consumer is not directly concerned with or interested in the ledger itself, only the parties who provide the service and rely on the ledger for remuneration will be.

Older Posts