Ransomware and distributed denial of service (DDoS) attacks are increasingly giving CISOs headaches, as criminals find the former lucrative and activists and suspected nation states find the latter effective for harassment (and perhaps for delivering warning messages).
Two security vendor reports issued this week shed some interesting light on these weapons which security teams may find useful.
temporarily knocked out U.S. security writer Brian Krebs' Web site. Much of that attack came from the Mirai botnet, made up of thousands of IoT devices including digital video recorders and video surveillance cameras. Interestingly, devices from Colombia accounted for the biggest share (15 per cent) of the traffic. Until now Colombia has not been a major source of attack traffic, the report says. China and Russia were the other major sources of devices.
One attack peaked at 623 Gbps and consisted of GRE, SYN (synchronize) and ACK (acknowledge) floods at the network level, along with PUSH and GET floods at the application layer. According to a report from F5 Networks, GRE (Generic Routing Encapsulation) is a tunneling protocol that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links over an IP network.
Generally GRE flood attacks, which rely on the capacity of botnet nodes, are a "very minor" part of most DDoS attacks, says Akamai. But, it adds, given that success it would not be surprising if the protocol is used in more attacks.
There's also interesting information about the Mirai command and control (C2) servers. First, they are well distributed; at its peak, a single botnet was issuing commands from more than 30 C2 IP addresses. Second, Akamai said, the botnet appears to be segmented, yet its components can work in concert: "Many of the thousands of attack commands issued by the C2 structure only called for attacks from small portions of the botnet, while a much smaller number elicited attacks from the botnet as a whole." The botnet is capable of generating 10 types of attacks: two UDP floods, two types of GRE floods, two types of ACK floods, one SYN flood, one DNS flood, a Valve Engine attack, and an HTTP flood attack that is configurable and can leverage any HTTP method, while allowing customization of the path, data, and cookie headers. The botnet allows for both static and randomized IP address spoofing in five of the 10 attack types.
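The flood categories listed above (GRE, SYN, ACK, PUSH and HTTP request floods) can be told apart from packet metadata alone, which is the basis of most volumetric DDoS detection. The following is an added defender-side example, not code from the Akamai or F5 reports: it classifies constructed packet summaries by flood type, counts them per one-second window, and raises an alert when a category exceeds a threshold, reporting how many distinct sources were seen (a low source count against a high packet rate, or an implausibly large one, is a hint that addresses are spoofed). The packet tuple layout, the thresholds and the sample traffic are all assumptions made for this example.

```python
from collections import Counter, defaultdict

# Constructed packet summary layout (an assumption for this example, not a capture format):
#   (timestamp_seconds, src_ip, ip_protocol, tcp_flags_set_or_None, dst_port, http_method_or_None)
# IP protocol numbers: 6 = TCP, 17 = UDP, 47 = GRE.

# Per-second packet thresholds per category; tuned far below real attack rates so the
# constructed sample trips them. Real deployments would baseline these per link.
DEFAULT_THRESHOLDS = {
    "GRE": 50, "SYN": 100, "ACK": 100, "PUSH": 100, "UDP": 100,
    "HTTP GET": 50, "HTTP POST": 50,
}


def classify(pkt):
    """Map one packet summary onto the flood categories the article names, or None."""
    _ts, _src, proto, flags, _dport, method = pkt
    if proto == 47:
        return "GRE"                      # encapsulated traffic carried as a volumetric flood
    if proto == 17:
        return "UDP"
    if proto == 6:
        flags = flags or set()
        if method in ("GET", "POST"):
            return "HTTP " + method       # application-layer request flood
        if "SYN" in flags and "ACK" not in flags:
            return "SYN"                  # half-open connection flood
        if "PSH" in flags and "ACK" in flags:
            return "PUSH"
        if flags == {"ACK"}:
            return "ACK"
    return None


def detect_floods(packets, window_s=1.0, thresholds=None):
    """Count packets per (window, category); return alerts for categories over threshold."""
    thresholds = thresholds or DEFAULT_THRESHOLDS
    buckets = defaultdict(Counter)        # window index -> Counter(category -> packets)
    sources = defaultdict(set)            # (window, category) -> distinct source IPs
    for pkt in packets:
        cat = classify(pkt)
        if cat is None:
            continue
        w = int(pkt[0] // window_s)
        buckets[w][cat] += 1
        sources[(w, cat)].add(pkt[1])
    alerts = []
    for w in sorted(buckets):
        for cat, n in buckets[w].items():
            if n >= thresholds.get(cat, float("inf")):
                alerts.append({"window": w, "type": cat, "packets": n,
                               "sources": len(sources[(w, cat)])})
    return alerts


def sample_packets():
    """Constructed traffic: a GRE flood in second 0, benign web traffic in second 1,
    a SYN flood in second 2. Addresses are from documentation ranges."""
    pkts = []
    for i in range(200):                  # 200 GRE packets from 40 (spoofed) sources
        pkts.append((i / 200.0, f"203.0.113.{i % 40}", 47, None, None, None))
    for i in range(10):                   # a handful of legitimate GET requests
        pkts.append((1.0 + i / 10.0, "192.0.2.10", 6, {"PSH", "ACK"}, 80, "GET"))
    for i in range(5):                    # ordinary ACKs on an established session
        pkts.append((1.5 + i / 10.0, "192.0.2.11", 6, {"ACK"}, 443, None))
    for i in range(120):                  # 120 SYNs from 5 sources
        pkts.append((2.0 + i / 120.0, f"198.51.100.{i % 5}", 6, {"SYN"}, 80, None))
    return pkts


if __name__ == "__main__":
    for alert in detect_floods(sample_packets()):
        print(alert)
```

Run as a script it prints one alert for the GRE flood (200 packets, 40 sources, window 0) and one for the SYN flood (120 packets, 5 sources, window 2); the benign GET and ACK traffic in window 1 stays below threshold. Feeding it real data means mapping whatever flow or packet export you have onto the tuple layout, and the interesting defensive signal is usually the source count: Mirai's randomized spoofing shows up as a source count that climbs in step with packet count.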
While one of the major manufacturers of the IoT devices used in the Mirai botnet has recalled some devices and is trying to correct its source code, there are still so many insecure IoT devices out there that it, and similar botnets, will continue to be a menace.
"Mirai is a botnet that would not exist if more networks practiced basic hygiene, such as blocking insecure protocols by default," says Akamai. "This is not new; we've seen similar network hygiene issues as the source of infection in the Brobot attacks of 2011 and 2012. (Mirai) spreads like a worm, using telnet and more than 60 default username and password combinations to scan the Internet for additional systems to infect."
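Two defensive controls follow directly from that quote: a network should not expose telnet inbound by default, and a run of failed telnet logins cycling through usernames from one source is the footprint of the credential scanning described. The following is an added example (not Akamai's code) that checks both: a first-match evaluation of an inbound rule list to see whether TCP/23 is reachable under the configured default policy, and a sliding-window count of failed telnet logins per source over constructed log lines. The log line format, the rule dictionary layout and the thresholds are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log format (an assumption, not any real telnetd's output):
#   2016-10-27T10:00:00Z telnetd[101]: login failed for 'root' from 198.51.100.7
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd\[\d+\]: login failed for '(?P<user>[^']*)' from (?P<src>[\d.]+)$"
)


def telnet_reachable(rules, default="deny"):
    """First-match evaluation of inbound rules (list of {'action','proto','port'} dicts).
    Returns True if a TCP/23 connection from the Internet would be accepted."""
    for r in rules:
        if r["proto"] in ("tcp", "any") and r["port"] in (23, "any"):
            return r["action"] == "allow"
    return default == "allow"          # nothing matched: the default policy decides


def parse_line(line):
    """Return (timestamp, username, source_ip) for a failed telnet login, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["user"], m["src"]


def find_credential_scans(lines, window_s=60, min_failures=8):
    """Flag sources with >= min_failures failed logins inside any window_s-second span.
    Reports the peak failure count and how many distinct usernames were tried."""
    events = defaultdict(list)         # src -> [(timestamp, user), ...]
    for line in lines:
        rec = parse_line(line)
        if rec:
            events[rec[2]].append((rec[0], rec[1]))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):    # two-pointer sliding window over sorted times
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_failures:
            hits[src] = {"failures": best,
                         "distinct_users": len({u for _, u in evs})}
    return hits


def sample_log():
    """Constructed lines: one source cycling usernames every two seconds,
    one user mistyping a password twice, and an unrelated sshd line."""
    users = ["root", "admin", "support", "user"]
    lines = [
        f"2016-10-27T10:00:{i * 2:02d}Z telnetd[101]: login failed for '{users[i % 4]}' from 198.51.100.7"
        for i in range(12)
    ]
    lines += [
        "2016-10-27T10:05:00Z telnetd[102]: login failed for 'alice' from 192.0.2.5",
        "2016-10-27T10:05:09Z telnetd[102]: login failed for 'alice' from 192.0.2.5",
        "2016-10-27T10:05:10Z sshd[5]: Accepted publickey for alice from 192.0.2.5",
    ]
    return lines


if __name__ == "__main__":
    rules = [{"action": "allow", "proto": "tcp", "port": 22}]
    print("telnet reachable (default deny):", telnet_reachable(rules))
    print("telnet reachable (default allow):", telnet_reachable(rules, default="allow"))
    print(find_credential_scans(sample_log()))
```

The rule check shows why the default policy matters more than any single rule: the same allow-list exposes telnet when the default is "allow" and hides it when the default is "deny". The log check flags 198.51.100.7 (12 failures across 4 usernames in under a minute) and ignores the two failures from 192.0.2.5; on a real device the same counting would sit in a syslog collector, and the remediation is the hygiene Akamai names, not a better threshold.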
The other interesting report came from Conficker worm, which dates back to 2008. It leverages flaws in unpatched Windows PCs to launch dictionary attacks on administrator passwords; once infected, the machine joins a botnet.)
"The reason for the continued growth in attacks using Locky is the constant variation and expansion of its distribution mechanism," says the report. "It changes the type of files used for downloading the ransomware, the structure of the spam emails, etc. The actual ransomware is nothing exceptional, but cyber-criminals have invested a lot of time into maximising the number of machines that become infected."
Training staff to watch out for suspicious emails with attachments that carry Locky is tricky, because the malware's distributors constantly change the messages. Here are a few recent examples of what's being used in subject lines:
- Statement
- Please review
- Fax transmission
- Payment history
- Bill overdue
- Your order has been proceeded
- Wrong model
- Urgent!