The Cyber Attack Thread

Post by Isgrimnur »

USA Today
At least two successive waves of online attacks blocked multiple major websites Friday, at times making it impossible for many users on the East Coast to access Twitter, Spotify, Netflix, Amazon, Tumblr and Reddit.

The first attacks appear to have begun around 7:10 am Friday, then resolved towards 9:30 am, but then a fresh wave began.

The cause was a large-scale distributed denial of service attack (DDoS) against Internet performance company Dyn that blocked user access to many popular sites.
...
White House Press Secretary Josh Earnest said the Department of Homeland Security was “monitoring the situation” but that “at this point I don’t have any information about who may be responsible for this malicious activity.”

It was unclear Friday if the attacks are focused on Dyn specifically or companies that it provides services to, said Carl Herberger, vice president of security at security company Radware.
...
A post on Hacker News first identified the attack and named the sites that were affected. Several sites, including Spotify and GitHub, took to Twitter this morning to post status updates once the social network was back online.
...
Twitter users similarly took to the service to keep lists of which sites were down and comment on the situation. The term DDoS quickly vaulted to among the top of the site's list of "Trending Topics" in the United States.
It's almost as if people are the problem.

Post by Kurth »

http://www.cnn.com is down, too, I think. Pretty significant attack.
Just 'cause you feel it, doesn't mean it's there -- Radiohead
Do you believe me? Do you trust me? Do you like me? 😳

Post by Blackhawk »

They're attacking our cybers! Better call Barron!
(˙pǝsɹǝʌǝɹ uǝǝq sɐɥ ʎʇıʌɐɹƃ ʃɐuosɹǝd ʎW)

Post by Max Peck »

I have 5 quatloos and a shiny button that says this is a warm-up for 8 Nov. :ninja:
"What? What? What?" -- The 14th Doctor

It's not enough to be a good player... you also have to play well. -- Siegbert Tarrasch

Post by Paingod »

I suppose it's good that they still use paper and can recount by hand, right?

This is going to keep happening, too, and likely get worse. Too many devices are being given Internet access with little oversight or easy way to maintain/update them. Too few people care enough to apply updates even if they released them... so we've got hundreds of thousands of stagnant devices that can be tapped by hackers to release large scale DDoS attacks against a wide array of targets at once. The Internet of Things is awesome. When your WiFi-enabled Toaster kills Steam ... :x

I look forward to the day when things get so bad that we have to keep rebooting the Interwebs like a bad Windows 98 install, or we're all issued DNS keycodes and security procedures that we renew with the Department of Data Transmissions every 6 months in order to maintain our internet access.
Black Lives Matter

2021-01-20: The first good night's sleep I had in 4 years.

Post by malchior »

A good thing though is that ISPs are getting good (and profiting) off their ability to detect these and mitigate them so the damage isn't nearly as bad as it has been in the past. This one is a little odd though - it doesn't seem to have an obvious purpose.

Post by Isgrimnur »

On a side note, I was discussing internet-connected security cams, and our Exchange admin was telling me that his D-Link would routinely jam his entire home network, necessitating a router reboot.
It's almost as if people are the problem.

Post by gilraen »

In September, Blizzard (and sometimes Steam) games were all down due to almost daily DDoS attacks by PoodleCorp. That went on for over a month, until the FBI tracked them down and arrested the "leaders". Of course, those guys were boasting on Twitter about it, so they must not have been that hard to track down :) When you have anarchy-driven groups like that, where they are either trying to cause chaos for the sake of it, or taking "revenge" on a particular company, or possibly showcasing their capabilities to attract potential contracts - they are usually not particularly difficult to find. Now, if this was a test by someone with much bigger plans for the future - that's much worse, you are not going to flush them out by Twitter baiting.
Paingod wrote: I suppose it's good that they still use paper and can recount by hand, right?
Voting machines are not connected to the internet.

Post by LordMortis »


Post by Blackhawk »

Copying for those that aren't following the R&P Wikileaks thread:
(˙pǝsɹǝʌǝɹ uǝǝq sɐɥ ʎʇıʌɐɹƃ ʃɐuosɹǝd ʎW)

Post by Max Peck »

Apparently someone else is claiming the attack.
Like with other online attacks, the motivation behind DDoS attacks is usually mischief or money. Attackers have shut down websites in the past to make political statements. DDoS attacks have also been used in extortion attempts, something that's been made easier by the advent of Bitcoin.

For its part, a member of New World Hackers who identified themselves as "Prophet" told an AP reporter via Twitter direct message exchange that the collective isn't motivated by money and doesn't have anything personal against Dyn, Twitter or any of the other sites affected by the attacks. Instead, the hacker said, the attacks were merely a test, and claimed that the next target will be the Russian government for committing alleged cyberattacks against the U.S. earlier this year.

"Twitter was kind of the main target. It showed people who doubted us what we were capable of doing, plus we got the chance to see our capability," said "Prophet." The claims couldn't be verified.

The collective has in the past claimed responsibility for similar attacks against sites including ESPNFantasySports.com in September and the BBC on Dec. 31. The attack on the BBC marshalled half the computing power of Friday's attacks.
"What? What? What?" -- The 14th Doctor

It's not enough to be a good player... you also have to play well. -- Siegbert Tarrasch

Post by Blackhawk »

They are so mad at Russia for attacking the US that they attacked the US just to show Russia how mad they are. They are so meta!
(˙pǝsɹǝʌǝɹ uǝǝq sɐɥ ʎʇıʌɐɹƃ ʃɐuosɹǝd ʎW)

Post by El Guapo »

It was an ironic ddos attack.
Black Lives Matter.

Post by Isgrimnur »

It was just a pprank, bbro.
It's almost as if people are the problem.

Post by malchior »

At least those of us in the cyber field who thought this was an oddball attack were right to be confused.

Post by gilraen »

Paingod wrote: This is going to keep happening, too, and likely get worse. Too many devices are being given Internet access with little oversight or easy way to maintain/update them. Too few people care enough to apply updates even if they released them... so we've got hundreds of thousands of stagnant devices that can be tapped by hackers to release large scale DDoS attacks against a wide array of targets at once. The Internet of Things is awesome. When your WiFi-enabled Toaster kills Steam ... :x
Yeah, when was the last time you updated the antivirus on your fridge? :coffee:

Blame the smart fridge, among other things

Post by malchior »

The security challenges around IoT are pretty tough to address. Hardware vendors are always updating their buggy firmware, right? Your 5 year old Smart TV totally will get regular updates.

Post by Paingod »

I'm going to fight this by keeping everything in my house as dumb as possible. Nothing "Smart" will ever enter there again. :ninja:
Black Lives Matter

2021-01-20: The first good night's sleep I had in 4 years.

Post by Isgrimnur »

To what overpass should we direct your mail, and how are you going to get half your stuff there?
Last edited by Isgrimnur on Mon Oct 24, 2016 2:54 pm, edited 1 time in total.
It's almost as if people are the problem.

Post by LordMortis »

Paingod wrote:I'm going to fight this by keeping everything in my house as dumb as possible. Nothing "Smart" will ever enter there again. :ninja:
You jest, but I'm pretty much there. Fuck electronic maintenance. I don't need more stuff I need to maintain or that has an obsolescence window of three years. I hate that cable went to digital and killed my TV unless I went through a DTA and that my Series 2 TiVo isn't compatible with digital signals and the DTA isn't compatible with a Digital TV because the TV is already digital.

Is it too much to ask my stuff to last forever without ever having to do anything about it? I loathe that I will have to replace my phone soon and my choices are mostly revert to flip phone or break down and go to a smart phone.

...which reminds me. I really should look for updates on my Lynksys wireless router. I've had that thing in place for 11 years or more now. :o I'm not even sure I know where the interface CD and admin ID and password are anymore.

Post by malchior »

LordMortis wrote:...which reminds me. I really should look for updates on my Lynksys wireless router.
On sale wherever you can find other quality goods such as Rolecks watches and Guchi bags.

Post by Paingod »

LordMortis wrote:...which reminds me. I really should look for updates on my Lynksys wireless router. I've had that thing in place for 11 years or more now. :o I'm not even sure I know where the interface CD and admin ID and password are anymore.
On the bright side, you can always do a factory refresh and set it up like new again. It takes just a few minutes.
Black Lives Matter

2021-01-20: The first good night's sleep I had in 4 years.

Post by Max Peck »

New World Hackers strike again?

Russian banks floored by withering DDoS attacks
At least five Russian banks weathered days-long DDoS attacks this week.

A wave of assaults began on Tuesday afternoon and continued over the next two days. Victims include Sberbank and Alfabank, both of which confirmed DDoS attacks on their online services, RT reports.

The attacks were powered by compromised IoT devices, according to an unnamed Russian Central Bank official. Early indications are that the Mirai IoT botnet which disrupted DNS services for scores of high-profile websites in October 2016 may be behind the latest attacks but this is unconfirmed.

The last DDoS attack on this scale against Russian banks was in October 2015, when eight major institutions were targeted.

David Kennerley, director of threat research at Webroot, commented: "These latest DDoS attacks are extremely similar to the recent ones targeted at Dyn last month, and really drives home the security issues of the Internet of Things. While attacks like these are complicated, there's still an element of basic security that could have reduced success – password management.

"Consumers and end users need to understand the importance of changing your password from the manufacturer's default. If the default password had been changed, many of the webcams and CCTV devices that formed the botnet army would not have been successfully hijacked."

Paul McEvatt, senior cyber threat intelligence manager for Fujitsu in UK and Ireland, added: "The issue is that IoT device manufacturers are failing to implement robust security controls from the outset, whether that's for routers, smart devices or connected cars. Anyone can use online services such as Shodan to look for vulnerable IoT devices, making organisations an easy target for low-level cyber-criminals. The worrying reality is that security is often an afterthought and security fundamentals are still not being followed such as changing default passwords."
"What? What? What?" -- The 14th Doctor

It's not enough to be a good player... you also have to play well. -- Siegbert Tarrasch

Post by Isgrimnur »

Mirai
Citing “extraordinary cooperation” with the government, a court in Alaska on Tuesday sentenced three men to probation, community service and fines for their admitted roles in authoring and using “Mirai,” a potent malware strain used in countless attacks designed to knock Web sites offline — including an enormously powerful attack in 2016 that sidelined this Web site for nearly four days.

The men — 22-year-old Paras Jha of Fanwood, New Jersey, Josiah White, 21 of Washington, Pa., and Dalton Norman from Metairie, La. — were each sentenced to five years probation, 2,500 hours of community service, and ordered to pay $127,000 in restitution for the damage caused by their malware.
...
In September 2016, KrebsOnSecurity was hit with a record-breaking denial-of-service attack from tens of thousands of Mirai-infected devices, forcing this site offline for several days. Using the pseudonym “Anna_Senpai,” Jha admitted to a friend at the time that the attack on this site was paid for by a customer who rented tens of thousands of Mirai-infected systems from the trio.
...
Prior to Tuesday’s sentencing, the Justice Department issued a sentencing memorandum that recommended lenient punishments for the three men. FBI investigators argued the defendants deserved light sentences because they had provided the government “extraordinary cooperation” in identifying other cybercriminals engaged in related activity and helping to thwart massive cyberattacks on several companies.

The government said Jha was especially helpful, devoting hundreds of hours of work in helping investigators. According to the sentencing memo, Jha has since landed a paying job at a Silicon Valley technology firm, although the government declined to name his employer.

However, Jha is not quite out of the woods yet: He has also admitted to using Mirai to launch a series of punishing cyberattacks against Rutgers University, where he was enrolled as a computer science student at the time. Jha is slated to be sentenced next week in New Jersey for those crimes.
It's almost as if people are the problem.

Post by Moliere »

The 2018 DOD Cyber Strategy: Understanding 'Defense Forward' in Light of the NDAA and PPD-20 Changes

The DoD plan, not the White House plan.
1. Hold up. Is this “DOD Cyber Strategy” the same thing as the “National Cyber Strategy”?

Nope. There were two “cyber strategy” documents announced last week. One of them is the National Cyber Strategy, available in full here. The National Cyber Strategy document is interesting in its own right (especially and, perhaps, surprisingly, in light of robust language about the importance of international law and—gasp!—“norms” to regulate cyber activity), but it is not the document I’m writing about here. I’m writing about the “Defense Department Cyber Strategy 2018,” which also dropped last week. As the name suggests, this is a DOD-specific document framing the military’s roles in relation to cyberspace. We don’t actually have access to the full DOD document, mind you, but we do have about 6 pages of content in the form of an official “summary.” That’s my focus here.

2. Okay. What if anything is interesting about how the DOD Cyber Strategy 2018 Summary describes the military’s role in the cyber domain?

Not surprisingly, there is much talk in the summary about the role of cyber-domain operations in the context of the Joint Force. That is to say, the summary of course calls for effective employment of cyber-domain capacities, including offensive capacities, in support of the “full spectrum of conflict.” Nothing newsworthy there. The more interesting passages are the ones that address three distinct operational concepts: intelligence collection, preparation of the battlefield (or battlespace as some prefer) and the idea of defending “forward.”
"The world is suffering more today from the good people who want to mind other men's business than it is from the bad people who are willing to let everybody look after their own individual affairs." - Clarence Darrow

Post by Isgrimnur »

Isgrimnur wrote: Wed Sep 19, 2018 2:27 pm Mirai
Citing “extraordinary cooperation” with the government, a court in Alaska on Tuesday sentenced three men to probation, community service and fines for their admitted roles in authoring and using “Mirai,” a potent malware strain used in countless attacks designed to knock Web sites offline — including an enormously powerful attack in 2016 that sidelined this Web site for nearly four days.

The men — 22-year-old Paras Jha of Fanwood, New Jersey, Josiah White, 21 of Washington, Pa., and Dalton Norman from Metairie, La. — were each sentenced to five years probation, 2,500 hours of community service, and ordered to pay $127,000 in restitution for the damage caused by their malware.
...
However, Jha is not quite out of the woods yet: He has also admitted to using Mirai to launch a series of punishing cyberattacks against Rutgers University, where he was enrolled as a computer science student at the time. Jha is slated to be sentenced next week in New Jersey for those crimes.
Krebs
The convicted co-author of the highly disruptive Mirai botnet malware strain has been sentenced to 2,500 hours of community service, six months home confinement, and ordered to pay $8.6 million in restitution for repeatedly using Mirai to take down Internet services at Rutgers University, his former alma mater.
...
Jha told investigators he carried out the attacks not for profit but purely for personal, juvenile reasons: “He reveled in the uproar caused by the first attack, which he launched to delay upper-classmen registration for an advanced computer science class he wanted to take,” the government’s sentencing memo stated. “The second attack was launched to delay his calculus exam. The last two attacks were motivated in part by the publicity and outrage” his previous attacks had generated. Jha would later drop out of Rutgers after struggling academically.
It's almost as if people are the problem.

Post by Moliere »

The full ATT&CK Matrix includes techniques spanning Windows, Mac, and Linux platforms and can be used to navigate through the knowledge base.
"The world is suffering more today from the good people who want to mind other men's business than it is from the bad people who are willing to let everybody look after their own individual affairs." - Clarence Darrow

Post by malchior »

Marriott announces Starwood attack going on since 2014.
CNN wrote: Marriott says its guest reservation system has been hacked, potentially exposing the personal information of approximately 500 million guests.
The hotel chain said Friday the hack affects its Starwood reservation database, a group of hotels it bought in 2016 that includes the St. Regis, Westin, Sheraton and W Hotels.
Marriott said hackers had gained "unauthorized access" to the Starwood reservation system since 2014, but the company only identified the issue last week.
This one boggles my mind. They claim they've had an intruder in their system for *4* years. In addition, Starwood and Marriott merged systems this year and it still went undetected!?! That is pure incompetence.

Post by Moliere »


New malware pulls its instructions from code hidden in memes posted to Twitter

Security researchers said they’ve found a new kind of malware that takes its instructions from code hidden in memes posted to Twitter.

The malware itself is relatively underwhelming: like most primitive remote access trojans (RATs), the malware quietly infects a vulnerable computer, takes screenshots and pulls other data from the affected system and sends it back to the malware’s command and control server.

What’s interesting is how the malware uses Twitter as an unwilling conduit in communicating with its malicious mothership.

Trend Micro said in a blog post that the malware listens for commands from a Twitter account run by the malware operator. The researchers found two tweets that used steganography to hide “/print” commands in the meme images, which told the malware to take a screenshot of an infected computer. The malware then separately obtains the address where its command and control server is located from a Pastebin post, which directs the malware where to send the screenshots — 10/10 points for creativity, that’s for sure.
"The world is suffering more today from the good people who want to mind other men's business than it is from the bad people who are willing to let everybody look after their own individual affairs." - Clarence Darrow