main

Attack MitigationHacksSecurity

Growing Your Business: Security as an Expectation

November 7, 2018 — by Mike O'Malley0

Growing_Your_Business-960x640.jpg

Who is responsible for my device and application security? This is a critical question in today’s growing threat landscape, and one without a clear answer. Despite increases in demands for mobile app and connected device security features, no key players—device manufacturers, consumers, mobile carriers or organizations that consumers do business with via devices—will take responsibility.

While this is certainly problematic, it also represents an opportunity to differentiate your business from competitors by baking security into your platform. Over 70% of C-suite executives report being greatly concerned about data privacy and 66% admit that their network is vulnerable to hacking. In light of this, security must be recognized and acknowledged beyond an add-on or premium feature; it must be treated as an integral feature for any business owner.

The True Cost of Data Insecurity

When security is included as a core component of a business, it strengthens customers’ perceptions of your company. In fact, security itself can be a key selling point that sways customers from competitors. Startups that especially integrate security as part of its foundational architecture have a competitive advantage over companies of all sizes that gloss over security or utilize it as an unsupported, unplanned add-on.

[You may also like: The Million-Dollar Question of Cyber-Risk: Invest Now or Pay Later?]

Indeed, security as an afterthought is a major, and potentially fatal, flaw during a company’s decision-making process. The average cost of a data breach is $3.9 million – an amount enough to put myriad companies in bankruptcy. But costs can be even higher. For example, Yahoo agreed to a settlement of $50 million following its 2013 data breach and had to pay an additional $37.5 million for attorney fees and expenses.  And it didn’t end there; the original $4.83 billion deal to sell Yahoo’s digital services to Verizon was also discounted by $350 million as an added penalty for decreased brand value and to amend for other potential related costs. The true cost of a data breach? Far more than the current visible numbers.

Potential Growth Areas

Instead of approaching security as an extra, optional cost, business owners would do well to view security as a core capability for revenue; the growth potential for security as an integrated core strategy is enormous. Need proof? Just look at the numerous security vulnerabilities that accompany the constant onslaught of innovative hacking threats. Commonplace attacks, like IoT botnets, mobile APIs and malware, show no evidence of going away anytime soon and companies that are prone to system vulnerabilities are at risk. Even threats from a decade ago, such as Trojan malwares, and exploitation of vulnerabilities are still utilized as attacks, either in their original form or through modifications like malware botnet Mirai.

[You may also like: Defending Against the Mirai Botnet]

This is why companies shouldn’t wait for the “perfect” security product; delaying an investment in security only increases a company’s risk factor for being attacked and potentially dooms one to a constant game of catch up—and enormous costs. Conversely, by adding new applications within a secure business framework from the start, businesses can ensure optimal protection without any extreme added costs.

The sooner a business incorporates security as a core piece of the business puzzle, the better they’ll be at protecting and mitigating threats, and capturing new revenue opportunities. 

Don’t let data seep through the cracks. Secure the customer experience now.

Read the “2018 C-Suite Perspectives: Trends in the Cyberattack Landscape, Security Threats and Business Impacts” to learn more.

Download Now

BotnetsSecurity

New DemonBot Discovered

October 25, 2018 — by Pascal Geenens31

code_blog_post_demonbot_botnet-960x640.jpg

Are you using Hadoop for data analytics? If so, know that a new bot is targeting Hadoop clusters with the intention of performing DDoS attacks powered by the strength of cloud infrastructure servers. Hadoop is an open source distributed processing framework that manages storage and data processing for big data applications running in clustered systems.

Radware Threat Research Center is monitoring and tracking a malicious agent that is leveraging a Hadoop YARN unauthenticated remote command execution in order to infect Hadoop clusters with an unsophisticated new bot that identifies itself as DemonBot.

DemonBot spreads only via central servers and does not expose worm-like behavior exhibited by Mirai based bots. As of today, Radware is tracking over 70 active exploit servers that are actively spreading DemonBot and are exploiting servers at an aggregated rate of over 1 Million exploits per day. Note that though we did not find any evidence that DemonBot is actively targeting IoT devices at this time, Demonbot is not limited to x86 Hadoop servers and is binary compatible with most known IoT devices, following the Mirai build principles.

It is not the first time that cloud infrastructure servers have been targeted. Earlier this month Security Researcher Ankit Anubhav discovered a hacker leveraging the same Hadoop Yarn bug in a Sora botnet variant. Hadoop clusters typically are very capable and stable platforms and can individually account for much larger volumes of DDoS traffic compared to IoT devices. The DDoS attack vectors supported by DemonBot are UDP and TCP floods.

Hadoop YARN Exploits

Radware Research has been tracking malicious actors exploiting a Hadoop YARN unauthenticated remote command execution for which proof of concept code was first published here in March of this year. YARN, Yet Another Resource Negotiator, is a prerequisite for Enterprise Hadoop and provides cluster resource management allowing multiple data processing engines to handle data stored in a single platform. YARN exposes a REST API which allows remote applications to submit new applications to the cluster. The exploit requires two steps:

Our deception network recorded repeated attempts for /ws/v1/cluster/apps/new-application, slowly starting end of September and growing to over 1 million attempts per day for most of October.

The number of unique IPs from where the requests originated grew from a few servers to over 70 servers this week.

Older exploits from servers that are offline by now were referencing a well-known Mirai variant Owari, infamous because of the weak password used by the hackers for securing their command and control database:

Recently, however, we found Owari to be replaced by a new bot:

This new ‘bash’ binary was added to the server on Sunday Oct 21st. The same server also hosts the typical shell script we came to expect from multiplatform IoT malwares:

While the botnet comes with all the typical indicators of Yet-Another-Mirai-Botnet, a closer look at the binaries revealed to be different enough to continue the investigation.

DemonBot v1 – © Self-Rep-NeTiS

The reversing of the unstripped ‘bash’ binary revealed some unfamiliar function names and an atypical string which provided a unique fingerprint for the botnet code:

Searching through pastebin archives soon revealed a unique match on a document that was pasted on Sept 29th by an actor going by the alias of Self-Rep-NeTiS. The paste contained the full source code for a botnet which the actor dubbed ‘DemonBot’. Further searches through the archives revealed the source code for the Command and Control server DemonCNC and the Python Build script for the multi-platform bots.

Both DemonBot.c and DemonCNC.c had an identical signature:

DemonCNC

The DemonBot Command and Control service is a self-contained C program that is supposed to run on a central command and control server and it provides two services:

  • A bot command and control listener service – allowing bots to register and listen for new commands form the C2
  • A remote access CLI allowing botnet admins and potential ‘customers’ to control the activity of the botnet

Starting the C2 service requires 3 arguments: a bot listener port, the number of threads and a port for the remote access CLI.

Credentials for remote users are stored in a plain text file ‘login.txt’ in the format “username password” using one line per credential pair.

Upon connecting to the remote access CLI (port 8025 in our demo setup) using telnet, the botnet greets us and asks for a username followed by a password prompt. If the provided credentials match one of the lines in the login.txt file, the user is given access to the bot control interface.

The HELP command reveals the botnet commands which will be discussed below in the section about DemonBot itself.

DemonBot

DemonBot is the program that is supposed to be running on infected servers and will connect into the command and control server and listens for new commands.

When a new DemonBot is started, it connects to the C2 server which is hardcoded with IP and port. If no port was specified for the C2 server the default port 6982 is used. The C2 connection is plain text TCP.

Once successfully connected, DemonBot sends information about the infected device to the C2 server in the format:

Bot_ip

The public IP address of the device or server infected with DemonBot:

Port

Either 22 or 23 depending on the availability of python or perl and telnetd on the device/server:

Build

“Python Device”, “Perl Device”, “Telnet Device” or “Unknown” depending on the availability of a Python or Perl interpreter on the device server:

Arch

The architecture, determined at build time and depending on the executing binary on the compromised platform – supported values for Arch are: x86_64 | x86_32 | Arm4 | Arm5 | Arm6 | Arm7 | Mips | Mipsel | Sh4 (SuperH) | Ppc (PowerPC) | spc (Sparc) | M68k | Arc

OS

Limited identification of the host OS running the bot based on package installer configuration files. Value is either “Debian Based Device”, “REHL Based Device” or “Unknown OS”

Malicious payloads

The bot supports the following commands:

If multiple IPs are passed in the argument in a comma-separated list, an individual attack process is forked for each IP.

The <spoofit> argument works as a netmask. If spoofit is set to 32, there is no spoofing of the bot’s source IP. If spoofit is set to a number less than 32, a random IP is generated within the bot_ip/<spoofit> network every <pollinterval> packets:

Fixed payload used by the STD UDP attack:

IOC

8805830c7d28707123f96cf458c1aa41  wget
1bd637c0444328563c995d6497e2d5be  tftp
a89f377fcb66b88166987ae1ab82ca61  sshd
8b0b5a6ee30def363712e32b0878a7cb  sh
86741291adc03a7d6ff3413617db73f5  pftp
3e6d58bd8f10a6320185743d6d010c4f  openssh
fc4a4608009cc24a757824ff56fd8b91  ntpd
d80d081c40be94937a164c791b660b1f  ftp
b878de32a9142c19f1fface9a8d588fb  cron
46a255e78d6bd3e97456b98aa4ea0228  bash
53f6451a939f9f744ab689168cc1e21a  apache2
41edaeb0b52c5c7c835c4196d5fd7123  [cpu]

 

Read the “IoT Attack Handbook – A Field Guide to Understanding IoT Attacks from the Mirai Botnet and its Modern Variants” to learn more.

Download Now

Attack MitigationSecurity

Consolidation in Consumer Products: Could it Solve the IoT Security Issues?

October 9, 2018 — by David Hobbs1

consolidation_in_iot_security_blog-960x640.jpg

In 2003, I went to Zermatt, Switzerland to go snowboarding under the Matterhorn. We had an eclectic group of people from all over the world. Some of us were enthusiasts, some ski patrol or medics, and a few were backcountry avalanche trained. Because of this, we had a lot of different gear with us, including ice saws, shovels, probes, avalanche beacons, radios, etc. In addition to the gear we carried, we also brought cameras, cell phones, MP3 players and of course, large battery charger bays with international inverters/adapters to keep everything going. I had a backpack with all the avalanche and snow testing gear. In my jacket, I carried an avalanche beacon,  digital camera,  flip cell phone,  family radio with a long external mic, GPS, and an MP3 player with headphones. I felt like I was Batman with all the gear crammed all over the place. I told one of my friends on the trip that one day all of this technology would be consolidated into one device – radio, phone, camera, MP3 player, and avalanche beacon. My friends thought I was crazy and that it would never happen. Fast forward to the smartphone where we now have it all, with the exception of Avalanche beacon, in one device.

To think that many of us had these “point solutions” in our personal tech and now it’s all consolidated into one makes me wonder when will we consolidate at home?

The future of the smart home

I have a Zigbee bridge for my lights, a Zigbee bridge for my blinds, 5 smart speakers, solar panels on the blinds (to charge them and get heat/sunlight measures), smart smoke detectors, smart locks, IP cameras, smart watering system for the plants, smart lights, smart alarm, UTM firewall, WiFi mesh, etc. These are all point solutions. Some of them are really neat and probably should stay point solution based, but what if the technology companies today were to start thinking about consolidating and adding security into the mix?

[You might also like: Cities Paying Ransom: What Does It Mean for Taxpayers?]

I’ve started to look at upgrading my home WiFi network as my smart TV and smart streaming box are now struggling to play streaming movies. After looking at some of the new consumer level WiFi mesh solutions, they show a lot of promise. One of the vendors I’m considering offers not only an easy to set up mesh WiFi, but they also provide automatic channel changing for WiFi radio frequencies to find the fastest radio, as well as automatically move devices around to access points. One of them offers VPN services as well as anti-virus and content filtering, (keeping you safe from malicious websites) and giving out tokens for guests and keeping them on their own network. This all looks great, but I started to think back to Zermatt, Switzerland.

What if the smart home speaker manufacturers wanted to really capture the market? What if you could get a smart speaker that had both a WiFi Mesh Access Point, Zigbee/Zwave access point (for lights, controllers, etc), and cloud-based security features in it? If I could drop a new smart speaker in any room and set it up in 3-5 minutes and have it join my wireless mesh network, it could cover a lot of territories quickly. Now, if one of them were the base unit that plugged into the internet router, it could be the main interface for security. Take all the device groups and help suggest security policies to keep them from talking to things they shouldn’t (like the cameras should never talk to the smart watering controller). What if it could look for IoT threats that spread internally as well as connections to malware Command and Control servers?

Security should be a priority

In terms of the security that could easily be offered and bundled across this platform could be things like VPN (both to and from the home network). This could allow you to browse safely while using public WiFi. You could also access any home devices that may not be very secure from the manufacturers like IP cameras and DVR’s without having to expose them to the world. Cloud-based security offerings could do things like look for malware infections and requests to malware botnet controllers. Then, layers like intrusion prevention and active WiFi defense layers could help detect if hackers were aiming at getting onto the network and doing harm. And finally, putting all of these offerings into a single pane of glass for visibility would definitely be attractive to end customers.

Granted, I know this could put the point solution providers in a position where their WiFi solutions and home routers become less valuable to the mainstream. But what if we got better antivirus and IOT protection? I can only dream of the day that we as consumers are able to consolidate all of our home networks to a real smart home-based solution. I know in the enterprise IT market; we have gained the popularity of Unified Threat Management platforms. Firewalls that do Intrusion Prevention, Wireless Intrusion Prevention, Inline Antivirus, Content Filtering, Guest and networks. I think the next logical step is to see all of these features consolidated into the next generation smart home speakers. How long will it take to see this reality? I don’t know. Will people think this idea is crazy? Probably.

Update: At the time of writing this, there has been an announcement from one of the smart home speaker manufacturers for a new smart home speaker. This new line will actually include a smart home hub in the speaker.  Nothing has been said as to whether it provides any security features.

Read “Radware’s 2018 Web Application Security Report” to learn more.

Download Now

Attack Types & VectorsBotnetsSecurity

IoT Botnets on the Rise

October 2, 2018 — by Daniel Smith3

iot_botnets_rise_blog-960x518.jpg

Over the last two years, the criminal community has shifted its focus away from exploit kits as a mean of payload delivery and began focusing on exploiting IoT devices for the purpose of botnet development.

Botnets are all the rage and have become more advanced than the days of Sub7 and Pretty Pack. They possess the capability to target multiple devices on different architectures and infect them with a diverse range of payloads. But why are exploit kits falling out of favor and where is the evolution of botnets going?

Exploit kits in general are prepackaged toolkits that focus on compromising a device with a specific set of exploits. Typically, a victim is directed in a number of different ways to an attack page where the exploit kit will target an application in a browser such as Adobe Flash, Java or Silverlight. Once the victim is compromised by the exploit kit, it will drop and run a malicious payload on the targeted machine. What that payload is depends on the criminal or the person leasing the exploit kit for the day, but today they are mainly used to distribute ransomware or crypto mining payloads.

Exploit kits, a once popular avenue for an attack are now barely used due to the popularity of other attack vectors. Another major reason for the decrease in exploit kits activity is a result of authors abandoning their projects. But why did they abandon their project? Many experts would agree that this was the result of updated browser security and limited availability of undisclosed exploits needed to update their kits.

Unlike IoT devices, Adobe and Java exploits tend to be patched as soon as they become aware of the problem. This is a major challenge for criminals and one that involves a lot of effort and research on the criminals’ behalf. So the attacker is left with a choice. Invest time and research into an undiscovered exploit, or target devices that are rarely maintained patched or updated.

Enter: The IoT Botnet

Today modern botnets are mainly comprised of infected IoT devices such as cameras, routers, DVRs, wearables and other embedded technologies. The evolution in the botnet landscape highlights the security risks from millions of Internet-connected devices configured with default credentials or manufactures who won’t issue updates. Hackers can build enormous botnets consisting of a wide variety of devices and architectures because of this.

In comparison to web browser exploits, IoT devices come with poor security features such as open ports and default credentials. They are also poorly maintained and hardly receive updates. The process of capturing devices for a botnet is a fairly simple task that’s mainly automated. Hackers typically compromise these devices via brute force login. They have also recently evolved to inject exploit via open ports to compromise devices. They leverage these exploits typically after a researcher discloses a vulnerability.

Overall it is an automated process in which a bot is scanning the internet to identify potential targets and sending that information back to a reporting process. If a match is found, the device is exploited with an injection exploit and a malicious payload is downloaded to the device. The payloads downloaded today can vary, but it mainly gives the bot-herder the ability to remotely control the infected device just like a traditional PC botnet.

IoT botnets continue to evolve and they are becoming more versatile. It wasn’t long ago when Mirai reached the 1tbps mark but the process of how it was done has improved, leading many of us in the industry to worry about the next super attack.

[You might also like: The Evolution of IoT Attacks]

Mirai was simply a botnet comprised of infected IoT devices who left telnet open and utilized 61 default credentials found on popular devices. Because the port was left open to the world and users didn’t change their password, the attacker was able to capture a large number of exposed devices.

Before Mirai’s success, there was Gafgyt and Aidra. Both of these are IoT botnets as well. They spread by infecting vulnerable routers with default credentials. These botnets were successful.  In fact, Gafgyt still continues to move in lockstep with Mirai.  However, after the publication of the Mirai source code, the field became over saturated and bot-herders started incorporating patches to prevent other malware and herders from infecting their captured device. This change forced herders to look for a new way of capturing devices.

Shortly after, new Mirai variants started appearing. This time, instead of using default credentials they started incorporating exploits to target vulnerable devices. Attacker Best Buy used a modified variant that leveraged the TR-069 RCE exploit in an attempted to infect hundreds of thousands of Deutsche Telekom routers. Following Best Buy, IoT reaper appeared with borrowed code from Mirai, but this time included the addition of a LUA execution environment so more complex exploits could be leveraged to enslave devices. As a result, IoT reaper came loaded with nine exploits.

Hajime was not as elaborate as IoT reapers but it did combine the default credentials found in the original Mirai sample and the TR-069 Exploit leveraged by Best Buy. The Omni Botnet, another variant of Mirai was found to contain two new exploits targeting Dasan GPON routers. And just recently a Mirai sample was discovered and found to contain 16 exploits, including the Apache Strut vulnerability used against Equifax while the newest variant of Gafgyt was found to contain an exploit targeting SonicWalls Global Management System.

[You might also like: Defending Against the Mirai Botnet]

These two recent discoveries highlight a major change in their targeting strategy. This indicated a shift from targeting consumer devices to unprotected and rarely updated enterprise devices putting more pressure on the industry to ensure devices are updated in a timely manner.

Today we see Botnet development filling the void of Exploit kits as they incorporate more attack vectors and exploits into their deployments.  Keep in mind that it’s not just about the multiple exploits. It also has to do with the speed in which exploitation occurs in the wild.

One of the main reasons we are seeing exploit kits fall out of favor is due to the improved browser security and speed in which the industry patches vulnerabilities targeting Flash, Java and Silverlight. This is not seen in the IoT botnet world where vulnerabilities are rarely patched.

At the end of the day, cybercriminals are following the money by taking the path of least resistance. Exploit kits over the last several years have been deemed high maintenance and hard to maintain due to improved security practices and a diminishing availability of private exploits.

We are also seeing cybercriminals looking to maximize their new efforts and infection rate by targeting insecure or unmaintained IoT devices with a wide variety of payloads ranging from crypto mining and ransomware to denial of service and fraud.

In the recent months, we have also seen a handful of botnets targeting enterprise devices which indicated an intention to move from targeting consumer devices to target enterprise devices that are poorly maintained and rarely updated.

Read: “When the Bots Come Marching In, a Closer Look at Evolving Threats from Botnets, Web Scraping & IoT Zombies”

Download Now

Application SecurityBotnetsSecurity

Don’t Let Your Data Seep Through The Cracks: Cybersecurity For the Smart Home

September 20, 2018 — by Anna Convery-Pelletier4

secure_customer_experience_smart_home_blog-960x610.jpg

Technology and wireless connectivity have forever changed households. While we don’t have the personal hovercrafts or jetpacks that we were promised as children, infinite connectivity has brought a whirlwind of “futuristic” benefits and luxuries few could have imagined even a decade ago. But more importantly, it has re-defined how the modern domicile needs to be managed.

Just as with an enterprise network, cybersecurity concerns also impact the home network. The onus is on us, the consumer, to take responsibility for home network security because device manufacturers have not and the risks associated with any data breach is hugely detrimental in the digital age we live in.

A home network is no longer just laptops, tablets, smartphones and printers. The explosion of the Internet of Things (IoT) has resulted in network connectivity to nearly everything. Everyday household items – appliances, cameras, routers, baby monitors, toys, televisions, thermostats, heating systems, etc. are now connected to each other and the internet. But with all this network connectivity comes risk. Why is that and more importantly, what should you do about it?

While many consumers naively assume that developers behind new network-connected equipment must be thinking long and hard about security, in truth they aren’t. To be first to market, design zero-setup equipment, and to deliver a more fulfilling consumer experience, security on many IoT devices is woefully inadequate and often times an afterthought. In addition, many of these network-connected devices leverage bare bone operating systems that have neither the capacity nor processing power for sophisticated anti-virus/malware tools.

It’s common knowledge that home security such as burglar alarms and even door locks are connected to the internet. What many consumers don’t realize is that this creates a huge exposure because the Wi-Fi serves as a new vulnerability to the house’s physical security system. While useful for providing remote access to your next-door neighbors when the dog needs to be let outside, tech-savvy thieves need only to hack the Wi-Fi to gain access to security controls, monitor resident’s daily habits and gain physical access to the house.

IoT devices connected to e-commerce sites is yet another. For example, a smart fridge integrated into somebody’s Amazon Fresh or FreshDirect account (and access to banking/credit card information) allows someone to purchase groceries or other kitchen necessities right from the refrigerator door. This seamless connectivity can be a dream come true for today’s digital consumer, but can also provide a virtual playground from which hackers can gain access to digital bounties via a single vulnerability.

Smart Homes Require Smart Planning and Smart Security

Smart homes are here and are only going to get smarter. In effect, they are no different from a small corporate network, and as such, they need similar levels of planning and security, especially when considering the growing trend of working from home. However, many consumers simply don’t have the desire to run them securely. Most importantly, consumers are not reviewing and taking the necessary security precautions like they do other aspects of their life.

[You might also like: Cybersecurity & The Customer Experience: The Perfect Combination]

Just like security must become the very fabric of a business, cybersecurity planning – the act of reviewing network-connected devices, where sensitive data is stored and potential security vulnerabilities – must become a critical component of the smart home.

On a yearly basis, my family sits down and does financial planning to review everything from vacations to unexpected expenses. We’ve now included conversations about security planning and ask ourselves some questions such as:

Have I taken an inventory of and actually know all of the various network-connected devices that are in my home? Have security updates been applied to home computers and network-connected devices? Do any outdated devices, such as routers, need to be changed out by the vendor? Are my passwords secure and have I backed up any critical/sensitive information?

These types of questions are what modern-day consumers must be asking, in addition to executing the multitude of security best practices regarding password management, device protection, and backing up sensitive information. Even traditional consumer-focused antivirus software providers now offer multi-layered security devices meant specifically to safeguard home networks, routers and IoT devices.

[You might also like: Personal Security Hygiene]

To truly enjoy the promise of the smart home, it needs to be protected from cyber intruders just as vicariously as it’s protected against physical intruders. Similar to the lessons that leading organizations and name brands have learned in recent years, the best combination is taking proactive measures and leveraging consumer security tools that are easy to implement, easy to operate and does not require a great deal of expertise. It’s time for consumers to become proactive and smarter about home cybersecurity.

Read “Consumer Sentiments: Cybersecurity, Personal Data and The Impact on Customer Loyalty” to learn more.

Download Now

SecurityService Provider

IoT, 5G Networks and Cybersecurity: Safeguarding 5G Networks with Automation and AI

September 18, 2018 — by Louis Scialabba1

iot-5g-networks-cybersecurity-blog-img-960x519.jpg

By 2020, Gartner says there will be 20.4 billion IoT devices. That rounds out to almost three devices per person on earth. As a result, IoT devices will show up in just about every aspect of daily life. While IoT devices promise benefits such as improved productivity, longevity and enjoyment, they also open a Pandora’s box of security issues for mobile service providers.

This flood of IoT devices, combined with the onset of 5G networks to support it, is creating an atmosphere ripe for mobile network attacks.  This threat landscape requires mobile service providers to alter their approach to network security or suffer dire consequences. The same old tools are no longer enough.

[You might also like: A New Atmosphere for Mobile Network Attacks]

Battle Increased Complexity with Automation

For years, security teams have struggled with the proliferation of data from dozens of security products, outpacing their ability to process it. This same problem applies to mobile service providers regarding the aforementioned issues surrounding 5G and IoT devices.

Security threats and anomalies within mobile network traffic are growing faster than security teams can detect and react to them. All the security threats we see now on enterprise networks are a harbinger of what’s to come on 5G networks. The introduction of 5G adds significant complexities to mobile networks that require next-generation security solutions.

Automation is key to better identification and mitigation of these threats for mobile service providers. Machine-learning based DDoS mitigation solutions enable real-time detection and mitigation of DDoS attacks. Through behavioral analysis, bad traffic can then be identified and automatically blocked before any damage is done.

[You might also like: The Rise of 5G Networks]

Automation Across the Security Architecture

For mobile service providers, automation must expand across all layers of the security architecture. First and foremost, the network must be leveraged as a sensor, a digital cyberattack tripwire. In 5G networks, network elements are distributed at the edge and virtualized. The network’s endpoints can be used as detection spots to send messages back to a centralized control plane (CCP).

The CCP serves as the brain of the network, compiling all the inputs from its telemetry feeds to deploy the best way to apply mitigation policies.

The myriad amount of CCP data can be put to work via Big Data. As 5G pushes network functions and data to the cloud, there’s an opportunity to use this information to better protect against attacks with the help of artificial intelligence (AI) and deep learning.

This is where the “big” in “big data” comes into play. Because 5G virtual devices live on the edge of the network in small appliances, there isn’t enough computing power available to identify evolving attack traffic from within. But by feeding traffic through an extra layer of protection at large data centers, it is possible to efficiently compile all the data to identify attacks.

Large data centers can be prohibitively expensive to house and maintain. Ideally, these data centers are housed and maintained by the mobile service provider’s DDoS mitigation vendor, which leverages its network of cloud-based scrubbing centers (and the massive volumes of threat intelligence it collects) to process this information and automatically feed it back to the mobile service provider.

A Game of Probability

In the end, IoT and 5G security will come down to being a game of probability, however, automation and AI stack the odds heavily in favor of mobile service providers.

The new network technology has the speed and capacity to enable AI with data from 50 billion connected devices. AI requires huge amounts of data to sift through and create neural networks where anomalies can be detected, with emphasis on good data. Bad or poisoned data will lead to biased models and false negatives. The more good data, the better the outcomes in this high-stakes game of probability.

As all this traffic is fed through the scrubbing centers at data centers around the world, AI can help inform security algorithms to detect protocol anomalies and flag issues. The near real-time process is complicated. Like an FBI watch list, a register of attack information goes to a mobile network’s control plane. The result is a threat intelligence feed that uses the power of machine learning to identify and prevent attacks.

The best place to populate AI and deep learning systems is from crowdsourcing and global communities where large numbers of enterprises and networks contribute data. Bad data will find its way in, but the good data will significantly outnumber the bad data to make deep learning possible.

Ultimately, the threats from botnets, web scraping, and IoT zombies is dynamic and increasingly complex. With 5G on the horizon, it’s critical that mobile service providers are proactive and make plans now to protect their networks against evolving security threats by turning to machine learning and AI.

2018 Mobile Carrier Ebook

Read “Creating a Secure Climate for your Customers” today.

Download Now

BotnetsSecurity

Defending Against the Mirai Botnet

September 12, 2018 — by Ron Winward2

mirai_handbook_blog_image-960x540.jpg

When attacks from the Mirai botnet hit the network in 2016, we all knew something was different. You could feel it. In a 31-day span, the internet suffered three record-breaking attacks; Brian Krebs’ at 620 Gbps, OVH at 1.2 Tbps, and the widespread outages caused by the attack on Dyn DNS. Also within that window, the source code for Mirai was released to the world.

Mirai no longer holds the record for the largest volumetric attack on the Internet. That honor goes to the Memcached reflection attacks on Github. In fact, once the code was released, the botnets went from a few botnets with several enslaved members, to several botnets with fewer members. More botnets were fighting to enslave a pool of devices.

[You might also like: The Dyn Attack – One Year Later]

Attackers Get Creative

Attackers, as they always do, got creative. By modifying the Mirai code, attackers could discover new devices by leveraging other known exploits. While many attackers were fighting for telnet access to IoT devices with traditional Mirai, new variants were developed to find additional methods of exploitation and infection. Examples include TR-064 exploits that were quickly added to the code (and used to infect the endpoints of service providers), a 0-day exploit on Huawei routers in several botnets, and the Reaper botnet, which includes 10 previously disclosed CVEs.

One thing that has remained the same, however, is the attack vectors that are included in the modern botnets. They’re largely all based on Mirai, and even if their infection methods differ, the attacks don’t change much.

For example, Masuta and DaddysMirai include the original Mirai vectors but removed the HTTP attack. Orion is an exact copy of the original Mirai attack table (and just like Mirai, has abandoned the PROXY attack). Owari added two new vectors, STD and XMAS.

Understanding IoT Attacks

My background in network engineering naturally made me curious about the impact of these attacks on the network. What do they look like in flight? How is each one different? Is one more of a threat than another? I have been studying the attack vectors since they were released in 2016, but with the observation that new variants largely included the same attacks (and some twists), it was clearly worth revisiting.

[You might also like: IoT Threats: Whose problem is it?]

Today we launch a new publication, IoT Attack Handbook – A Field Guide to Understanding IoT Attacks from the Mirai Botnet and its Modern Variants. This is a collection of research on the attack vectors themselves and what they look like on the wire. You will see that they’re not much different from each other, with the only truly interesting change being the introduction of a Christmas Tree attack in Owari. But that too had some interesting challenges. You’ll have to read the guide to find out why.

It’s important to understand the capabilities of Mirai and other IoT botnets so that your organization can truly comprehend the threat. Manually reacting to these attacks is not viable, especially in a prolonged campaign. In many cases, it is possible to block some of these attacks on infrastructure devices such as core routers or upstream transit links, but in many cases, it’s not.

Effectively fighting these attacks requires specialized solutions, including behavioral technologies that can identify the threats posed by Mirai and other IoT botnets. It also requires a true understanding of how to successfully mitigate the largest attacks ever seen. Hopefully, this handbook provides the guidance and insight needed for each vector if your organization ever needs to take emergency measures.

Read the “IoT Attack Handbook – A Field Guide to Understanding IoT Attacks from the Mirai Botnet and its Modern Variants” to learn more.

Download Now

Attack Types & VectorsBotnetsDDoSSecurity

The Evolution of IoT Attacks

August 30, 2018 — by Daniel Smith9

iot_botnet_emerge-960x636.jpg

What is the Internet of Things (IoT)? IoT is the ever-growing network of physical devices with embedded technologies that connect and exchange data over the internet. If the cloud is considered someone else’s computer, IoT devices can be considered the things you connect to the internet beyond a server or a PC/Laptop. These are items such as cameras, doorbells, light bulbs, routers, DVRs, wearables, wireless sensors, automated devices and just about anything else.

IoT devices are nothing new, but the attacks against them are. They are evolving at a rapid rate as growth in connected devices continues to rise and shows no sign of letting up. One of the reasons why IoT devices have become so popular in recent years is because of the evolution of cloud and data processing which provides manufacturers cheaper solutions to create even more ‘things’. Before this evolution, there weren’t many options for manufacturers to cost-effectively store and process data from devices in a cloud or data center.  Older IoT devices would have to store and process data locally in some situations. Today, there are solutions for everyone and we continue to see more items that are always on and do not have to store or process data locally.

[You might also like: The 7 Craziest IoT Device Hacks]

Cloud and Data Processing: Good or Bad?

This evolution in cloud and data processing has led to an expansion of IoT devices, but is this a good or a bad thing? Those that profit from this expansion would agree that this is positive because of the increase in computing devices that can assist, benefit or improve the user’s quality of life. But those in security would be quick to say that this rapid rise in connected devices has also increased the attack landscape as there is a lack of oversight and regulation of these devices. As users become more dependent on these IoT devices for daily actives, the risk also elevates. Not only are they relying more on certain devices, but they are also creating a much larger digital footprint that could expose personal or sensitive data.

In addition to the evolution of IoT devices, there has been an evolution in the way attacker’s think and operate. The evolution of network capabilities and large-scale data tools in the cloud has helped foster the expansion of the IoT revolution. The growth of cloud and always-on availability to process IoT data has been largely adopted among manufacturing facilities, power plants, energy companies, smart buildings and other automated technologies such as those found in the automotive industry. But this has increased the attack surfaces for those that have adopted and implemented an army of possible vulnerable or already exploitable devices. The attackers are beginning to notice the growing field of vulnerabilities that contain valuable data.

In a way, the evolution of IoT attacks continues to catch many off guard, particularly the explosive campaigns of IoT based attacks. For years, experts have warned about the pending problems of a connected future, with IoT botnets as a key indicator, but very little was done to prepare for it.  Now, organizations are rushing to identify good traffic vs malicious traffic and are having trouble blocking these attacks since they are coming from legitimate sources.

As attackers evolve, organizations are still playing catch up. Soon after the world’s largest DDoS attack, and following the publication of the Mirai source code, began a large battle among criminal hackers for devices to infect. The more bots in your botnet, the larger the attack could be.  From the construction of a botnet to the actual launch an attack, there are several warning signs of an attack or pending attack.

As the industry began monitoring and tracking IoT based botnets and threats, several non-DDoS based botnets began appearing. Criminals and operators suddenly shifted focus and began infecting IoT devices to mine for cryptocurrencies or to steal user data. Compared to ransomware and large-scale DoS campaigns that stem from thousands of infected devices, these are silent attacks.

Unchartered Territory

In addition to the evolving problems, modern research lacks standardization that makes analyzing, detecting and reporting complicated. The industry is new, and the landscape keeps evolving at a rapid rate causing fatigue in some situations. For instance, sometimes researchers are siloed, and research is kept for internal use only which can be problematic for the researcher who wants to warn of the vulnerability or advise on how to stop an attack. Reporting is also scattered between tweets, white papers, and conference presentations. To reiterate how young this specialty is, my favorite and one of the most respected conferences dedicated to botnets, BotConf, has only met 6 times.

EOL is also going to become a problem when devices are still functional but not supported or updated. Today there are a large number of connected systems found in homes, cities and medical devices that at some point will no longer be supported by the manufacturers yet will still be functional. As these devices linger unprotected on the internet, they will provide criminal hackers’ a point of entry into unsecured networks. Once these devices pass EOL and are found online by criminals, they could become very dangerous for users depending on their function.

In a more recent case, Radware’s Threat Research Center identified criminals that were targeting DLink DSL routers in Brazil back in June. These criminals were found to be using outdated exploits from 2015. The criminals were able to leverage these exploits against vulnerable and unpatched routers 4 years later. The malicious actors attempted to modify the DNS server settings in the routers of Brazilian residents, redirecting their DNS request through a malicious DNS server operated by the hackers. This effectively allowed the criminals to conduct what’s called a man in the middle attack, allowing the hackers to redirect users to phishing domains for local banks so they could harvest credentials from unsuspecting users.

[You might also like: IoT Hackers Trick Brazilian Bank Customers into Providing Sensitive Information]

Attackers are not only utilizing old and unpatched vulnerabilities, but they are also exploiting recent disclosures. Back in May, vpnMentor published details about two critical vulnerabilities impacting millions of GPON gateways. The two vulnerabilities allowed the attackers to bypass authentication and execute code remotely on the targeted devices. The more notable event from this campaign was the speed at which malicious actors incorporated these vulnerabilities. Today, actors are actively exploiting vulnerabilities within 48 hours of the disclosure.

What Does the Future Hold?

The attack surface has grown to include systems using multiple technologies and communication protocols in embedded devices. This growth has also led to attackers targeting devices for a number of different reasons as the expansion continues. At first hackers, mainly DDoS’er would target IoT devices such as routers over desktops, laptops, and servers because they are always on, but as devices have become more connected and integrated into everyone’s life, attackers have begun exploring their vulnerabilities for other malicious activity such as click fraud and crypto mining. It’s only going to get worse as authors and operators continue to look towards the evolution of IoT devices and the connected future.

If anything is an indication of things to come I would say it would be found in the shift from Ransomware to crypto mining. IoT devices will be the main target for the foreseeable future and attackers will be looking for quieter ways to profit from your vulnerabilities. We as an industry need to come together and put pressure on manufacturers to produce secure devices and prove how the firmware and timely updates will be maintained. We also need to ensure users are not only aware of the present threat that IoT devices present but also what the future impact of these devices will be as they approach end of life. Acceptance, knowledge, and readiness will help us keep the networks of tomorrow secured today.

Download “When the Bots Come Marching In, a Closer Look at Evolving Threats from Botnets, Web Scraping & IoT Zombies” to learn more.

Download Now

BotnetsMobile DataMobile SecuritySecurityService Provider

IoT, 5G Networks and Cybersecurity: A New Atmosphere for Mobile Network Attacks

August 28, 2018 — by Louis Scialabba3

cyborg_iot_5g-960x432.jpg

The development and onset of 5G networks bring a broad array of not only mobile opportunities but also a litany of cybersecurity challenges for service providers and customers alike. While the employment of Internet of Things (IoT) devices for large scale cyberattacks has become commonplace, little has been accomplished for their network protection. For example, research by Ponemon Institute has found that 97% of companies believe IoT devices could wreak havoc on their organizations.

With hackers constantly developing technologically sophisticated ways to target mobile network services and their customers, the rapidly-approaching deployment of 5G networks, combined with IoT device vulnerability has created a rich environment for mobile network cyberattacks.

[You might also like: The Rise of 5G Networks]

Forecast Calls for More Changes

Even in today’s widespread use of 4G networks, network security managers face daily changes in security threats from hackers. Just as innovations for security protection improve, the sophistication of attacks will parallel. Cybersecurity agency ENISA forebodes an increase in the prevalence of security risks if security standards’ development doesn’t keep pace.

Add in research company Gartner’s estimate that there will be 20.4 billion connected devices by 2020, hackers will have a happy bundle of unprotected, potential bots to work with. In the new world of 5G, mobile network attacks can become much more potent, as a single hacker can easily multiply into an army through the use of botnet deployment.

Separating the Good from the Bad

Although “bot traffic” has an unappealing connotation to it, not all is bad. Research from Radware’s Emergency Response Team shows that 56% of internet traffic is represented by both good and bad bots, and of that percentage, they contribute almost equally to it. The critical part for service providers, however, is to be able to differentiate the two and stop the bad bots on their path to chaos.

New Technology, New Concerns

Although 4G is expected to continue dominating the market until 2025, 5G services will be in demand as soon as its rollout in 2020 driven by features such as:

  • 100x faster transmission speeds resulting in improved network performance
  • Lower latency for improved device connections and application delivery
  • 1,000x greater data capacity which better supports more simultaneous device connections
  • Value-added services enabled by network slicing for better user experience

The key differentiating variable in the composition of 5G networks is its unique architecture of the distributed nature capabilities, where all network elements and operations function via the cloud. Its flexibility allows for more data to pass through, making it optimal for the incoming explosion of IoT devices and attacks, if unsecured. Attacks can range from standard IoT attacks to burst attacks, even potentially escalating to smartphone infections and operating system malware.

[You might also like: Can You Protect Your Customers in a 5G Universe?]

5G networks will require an open, virtual ecosystem, one where service providers have less control over the physical elements of the network and more dependent on the cloud. More cloud applications will be dependent on a variety of APIs. This opens the door to a complex world of interconnected devices that hackers will be able to exploit via a single point of access in a cloud application to quickly expand the attack radius to other connected devices and applications.

Not only are mobile service providers at risk, but as are their customers; if not careful, this can lead to more serious repercussions regarding customer loyalty and trust between the two.

A Slice of the 5G Universe

Now that the new network technology is virtualized, 5G allows for service providers to “slice” portions of a spectrum as a customizable service for specific types of devices. Each device will now have its own respective security, data-flow processes, quality, and reliability. Although more ideal for their customers, it can simultaneously prove to be a challenge in satisfying the security needs of each slice. Consequently, security can no longer be considered as simply an option but as another integral variable that will need to be fused as part of the architecture from the beginning.

2018 Mobile Carrier Ebook

Read “Creating a Secure Climate for your Customers” today.

Download Now