Connect with us

Expert Speak

Why Attackers are Focusing on Low-Volume Persistent DDoS Attacks



Written by Anthony Webb, VP of International, A10 Networks

The COVID-19 pandemic has created significant challenges and changes to the world as we know it. As enterprises quickly moved to remote working also implementing a new hybrid set-up, adversaries have seized the opportunity and we have witnessed significant growth in the number of cyberattacks. In particular, DDoS attacks have grown – not only in size and frequency – but adversaries have also swivelled to focus on low-volume, persistent attacks that run for longer periods of time, frequently injecting attack traffic. These low-volume attacks enable adversaries to evade basic defensive measures, yet they still have significant impact on enterprise systems and operations.

Modern malware is hijacking IoT devices
As the name indicates, DDoS attacks are distributed in nature. A single attack may employ multiple DDoS weapons to overwhelm the victim’s network and defences. Our security research team have been tracking DDoS weapons and their behaviours and reporting on their frequency and impact over the last several years. Our latest H1 2021 DDoS Attack Mitigation: Global State of DDoS Weapons Report provides detailed insights into the origins of DDoS activity, highlighting how easily and quickly modern malware can hijack IoT devices and convert them into malicious botnets. The report also provides some helpful guidance on what organisations can do to protect against such activities and act rather than sit and wait for the inevitable to happen.

What we can see is that with new attacks and new malware variants, we are witnessing new layers of sophistication in how IoT and smart devices are being weaponised. Cybercriminals are recruiting IoT devices into their botnet armies, aided by Mozi malware and spreading this around the world. Here I’ve summarised some of the key findings:

DDoS weapons are steadily growing
The total number of DDoS weapons increased by 2.5 million during H1 2021 this was the same as previous quarters, meaning the number of DDoS weapons has been steadily growing with a total number of 15 million weapons tracked. SSDP (Simple Service Discovery Protocol) remains the largest reflected amplification weapon with 3.2 million potential weapons exposed to the internet. This is an increase of over 28 percent compared to the previous reporting period.

And while DDoS attackers have been increasingly focused on smaller attacks launched persistently over a longer period, these larger-scale attacks might not occur as frequently, but they cause a lot of damage and make significant headlines as a result. The rest of the amplification weapons remained virtually the same with SNMP, Portmap, TFTP and DNS Resolvers as the top five. It is important to note that all these weapons experienced growth in numbers except for DNS Resolvers. 

China leads the way
DDoS attacks are not limited to a specific geographic location and can originate from and attack organisations anywhere in the world. However, what we found in this report is that China (for the second reporting period in a row) continues to lead the way in hosting the highest number of potential DDoS weapons including both amplification weapons and botnet agents. This was closely followed by the U.S. which remains the second-largest source of DDoS weaponry, particularly amplification weapons, followed by South Korea.

This edition of the threat intelligence report takes a deeper look at how botnets work. Botnets or drones are compute nodes like computers, servers, routers, cameras and other IoT devices infected by malware and are the tools controlled and used by DDoS attackers. Malware has been playing an important role in the expansion of botnets, automating the process of bot infection and recruitment. Subsequently, these botnets are used to launch large-scale DDoS attacks. The increase or decrease of botnets can be attributed to factors such as the growth of IoT, new vulnerabilities, as well as CVEs exploited by attackers, large-scale security updates to patch CVEs and botnet takedowns.

Botnet agents halve in H1 2021
In H1 2021, the total number of botnet agents almost halved with 449,509 tracked and China hosting 44% of the total number of drones available worldwide. This is likely due to the high-profile takedown of the Emotet botnet, one of the largest botnets in the world, dubbed “the internet’s most dangerous malware”. In early 2021 international law enforcement took down Emotet’s command and control infrastructure in more than 90 countries. While this takedown was a contributing factor to the large-scale reduction in botnet agents, it is important to note that these changes may be temporary as attackers can quickly build their infrastructures back up and exploit network systems and vulnerabilities.

One other particularly prevalent malware in the DDoS world is Mozi. Mozi is a DDoS-focused botnet that utilises a large set of Remote Code Executions (RCEs) to leverage Common Vulnerabilities and Exposures (CVEs) in IoT devices for infection. Once infected, the botnet uses peer-to-peer connectivity to send and receive configuration updates and attack commands. Our report found that in the first half of 2021 Mozi reached 360,000 systems from manufacturers including Huawei, Realtek, NETGEAR and many others. The Mozi botnet includes infected bots around the globe with China, India, Russia, Brazil leading the list of countries and regions.

Strategies for protecting the network against DDoS attacks
So how do organisations protect their networks and resources against such attacks? Organisations should invest in Zero Trust models and create micro-perimeters within the network to limit access to resources. They should also look to invest in modern AI and machine learning solutions that will not only defeat attacks but also protect against the unknown.

Likewise, organisations should investigate whether they are already infected. If network devices suddenly start generating abnormal amounts of traffic this might be because they are infected and, in this instance, they should immediately isolate suspicious devices and limit the traffic originating from these devices.

It is important to observe and block commonly exploited ports, and potentially block, payloads and any BitTorrent traffic coming into or going out the network. Above all, organisations should make sure that their security infrastructure is regularly updated and that IoT devices are running the latest firmware with all the necessary security patches. And finally, they should use modern DDoS techniques like baselining to see anomalous behaviour versus historical norms. Additionally, AI/ML techniques for detection and zero-day attack prevention can really help security teams.

As we prepare for 2022, it is commonly acknowledged that hybrid and remote working environments are here to stay, and security teams will need to look at how they secure a mix of on-premises, multi-cloud and edge-cloud environments. Sophisticated DDoS threat intelligence combined with real-time threat detection, AI and ML capabilities as well as automated signature extraction allow organisations to defend against all kinds of DDoS attacks, no matter where they originate.

Cyber Security

Why Context is Everything When it Comes to Cybersecurity?



Written by Hadi Jaafarawi, managing director – Middle East, Qualys

The cybersecurity threat landscape has never been more challenging, sophisticated, and severe. Research suggests that in the UAE alone, around $746 million is lost every year to cybercrime, and the country faced a 79% increase in the problem from 2019 to 2020. For firms and IT departments across the region, it’s a constant battle to stay ahead of the bad actors.

Add in the fact that several security teams are either stretched or under-skilled, not to mention, that many face pressure to keep budgets in check and it really is a perfect storm. In an effort to level the playing field, security teams are turning to technology. But that comes with challenges of its own.

A lack of clarity
There’s no shortage of security tools offering what professes to be the solution. And it’s no surprise that security teams reach for them in the hope of coping with the issue and reducing their risks. More and more, companies are adopting an increasing number of tools to add further layers of security and protect against risk. Today an organisation’s security infrastructure will include everything from Security Incident and Event Management (SIEM) and Security Orchestration Automation and Response (SOAR) to Network Detection & Response (NDR) and Extended Detection and Response (XDR)

Admittedly, the tools each have value, so that’s not the problem. The challenge is that each new tool adds another data silo. Each separately reports its own specific data based on its own particular use and area of the network. And it’s then down to the analysts, who are faced with multiple alerts from multiple systems and solutions, to make sense of it all.

When there are too many alerts, issues can be notified to lots of different teams, or worse missed altogether. Alert fatigue — where the team is exposed to constant alerts and consequently fails to act when it really matters — is a real problem. This is why XDR tools are designed as a holistic, top-layer solution that collects data from multiple sources to provide a comprehensive picture, enabling real-time incident detection and response. But again, it’s not that simple, as XDRs vary in quality, effectiveness, and even function.

Some SIEM and XDR tools simply deliver raw data to analysts, who then have to interpret the data and make endless decisions about any actions that are needed. They collect disparate, unrelated data, and it’s up to the analyst to deal with the notifications, analyse, prioritise and then act, or not. Busy security analysts are likely to be faced with multiple alerts in any given day, many of which are actually false alarms. It’s little wonder that it’s easy to miss or ignore that one really vital alert.

Context is key
Enter the value of contextual insight. Rather than simply churning out data and leaving it to the over-worked analyst to handle, some XDR tools can go a step further by providing that all-important context. All alerts may look basically the same in one tool. But, when brought together with external threat intelligence and other security data, that harmless-looking alert will suddenly have more meaning and jump up the priority list. XDR is designed to break down data silos and provide the context required to help analysts get better insight, by creating a consolidated view of the entire enterprise technology stack and any threats. It pulls together all security solutions and functions into one place, giving analysts a single, comprehensive view of threats across the entire network.

By correlating data from asset inventory and vulnerability information, high-quality threat intelligence, network endpoint telemetry, and third-party log data, analysts get more context on what’s happening — leading to a far more effective and quicker response to threats. Without this context, too much time is wasted on manual tasks and important alerts can easily be missed. This context allows the rapid, focused investigation to be carried out where it’s actually needed.

Providing context using XDR gives security professionals the visibility and insights they need to reduce risks and improve their security approach. It empowers busy teams with the clarity and context to enable them to make the right decisions and deal with potential issues — and quickly.

Continue Reading

Cyber Security

How Cybersecurity Readiness Prevents SMBs from Fuelling Supply Chain Attacks



Written by Ram Narayanan, Country Manager at Check Point Software Technologies, Middle East

Supply chain attacks aren’t new. If the past couple of years has taught businesses anything, it’s that the impact of supply chain cyber-attacks is now, universal, from the fallout of the SolarWinds software breach to the exposed Apache Log4j vulnerability and Kaseya last year. Unfortunately, when such supply chain attacks hit smaller businesses who are usually the suppliers to larger enterprises, their impact is especially prohibitive.

For SMBs already feeling the prolonged impact of the pandemic, the added pressure of dealing with sophisticated and frequent cyber attacks in real-time, is a heavy burden, as they try to protect their business against financial, legal, and reputational damage, as well as their own suppliers and larger clients’ security. It is now more important than ever for SMBs to implement strict security hygiene and effective cybersecurity processes to ensure their business is prepared for the event of cyber attacks happening.

SMBs as an indirect avenue of cyber attacks
The ‘new normal’ opened the door to several new vulnerabilities; cyber-attacks globally increased by 50% on average in 2021, compared to 2020. Our Check Point Threat Intelligence report revealed that an organisation in the United Arab Emirates is being attacked on average 906 times per week in the last six months. While security breaches are on the rise, the top threats impacting SMBs have remained the same. In Check Point’s Small and Medium Business Security Report from 2020/2021, we revealed phishing, malware, credential theft, and ransomware to be the top four threats impacting these businesses. So, what does this mean for them?

The reality is threat actors have taken advantage not only of the now-entrenched remote working model to target organisations, but also the usual limits preventing SMBs from bulking up on their cyber security defenses, mainly lack of budget and expertise. SMBs often do not have a dedicated IT or security department, meaning with no in-house security expertise and reduced focus on security patching, these companies are easier to socially engineer and infiltrate.

Adding to this, SMBs usually have employees doing multiple roles, and thus wider access to valuable areas of the business and information is given to them, and so if breached, they pose a  threat to multiple areas within the business. In addition, the business IT infrastructure is often shared for personal use communication as well eg. social media, personal emails allowing easier access to hackers, as the data is often not secured.

Threat actors often target SMBs as low-hanging fruit for their vital role in supply chains. This is especially so as such attacks wreak havoc on not only one organisation but entire businesses within the supply networks. By leveraging tactics such as phishing, cybercriminals gain access to an organisation to launch a malware attack, steal data and credentials or instigate ransomware.

Take, for example, the attack against Target USA where hackers used stolen credentials from an SMB vendor that serviced the HVAC systems in Target stores, to gain access to the retailer’s network and then laterally move to the systems that kept customer payment information. As a result, the global retailer was breached and 40 million credit and debit card details stolen.

The key factor to preventing cyberattacks is threat prevention. With minimal time and lack of cyber expertise or manpower, SMBs must adopt a prevention mindset to minimise potential cyber-attacks and threats.

Why cybersecurity readiness is paramount for SMBs
Beyond the immediate financial impact and reputational blow as a trustworthy, reliable partner, SMBs can also face legal or regulatory repercussions, operational disruption, flow-on costs for system remediation and cyberattack response, customer churn, and the loss of competitive advantage that can make or break a smaller business. In fact, a tarnished reputation as an avenue of attack can be even more detrimental to an SMB organisation, as the loss of trust with a larger organisation could mean a loss of potential business and revenue down the line with them or other new, potential customers.

With this in mind, budgetary constraints to keep computers and corporate networks protected should never be an excuse, as keeping sensitive data and information protected will bring many advantages and benefits to companies. This can range from overall cost savings, compliance with data protection laws, gaining the trust of customers and suppliers, to protecting your documents and information to the maximum by preventing any type of data breach.

How SMBs can prevent supply chain attacks
By applying stronger cyber defences, SMBs are in a position to provide larger organisations with assurance that larger companies they supply to will not be compromised via the SMB partner or third-party vendor. Whilst there are multiple means to prevent such supply chain attacks, the first step is to have good software capable of covering the entire company, protecting the company’s endpoints and devices, supported by regular backups so that, in the event of a cyberattack, they have the possibility of restoring all the data.

Any device that connects to the network can become a security breach, so it is important to secure all endpoints. It is especially critical for remote or hybrid workforces to avoid security breaches and data compromise. Also, all employees should be trained in cybersecurity so that they themselves become the first barrier to any attempted attack, such as phishing via email or SMS. Keep in mind that prevention is one of the best protection measures available.

A viable option for SMBs is to also consider engaging an experienced Managed Security Service Provider (MSSP), who will have the skilled resources, updated security software and experienced expertise to monitor for and analyse threats on behalf of the SMB player. This is especially useful for SMBs who have neither the time nor resources to adequately enforce threat detection and response.

Partnering with a cybersecurity expert equipped with best-in-class security and scalable solution such as Check Point Software can put SMBs in good stead to protect against the most sophisticated attacks and generate trust among larger potential players. Ultimately, SMBs seek a simple plug-and-play solution with best-in-class threat protection, given their lack of financial funding and skills. With an effective cybersecurity strategy, SMBs are better placed to demonstrate their credibility as secure partners to larger organisations, opening up more business opportunities.

Continue Reading

Cyber Security

How Cybercriminals Target Cryptocurrency



Written by Sherrod DeGrippo, Vice President for Threat Research and Detection at Proofpoint

As cryptocurrency and non-fungible tokens (NFTs) become more mainstream, and capture headlines for their volatility, there is a greater likelihood of more individuals falling victim to fraud attempting to exploit people for digital currencies.  The rise and proliferation of cryptocurrency have also provided attackers with a new method of financial extraction. It’s commonly believed that cryptocurrency provides more anonymity via less governmental and organizational oversight and visibility coupled with the inherent fungibility, thus making it an appealing financial resource for threat actors. The financially motivated attacks targeting cryptocurrency have largely coalesced under pre-existing attack patterns observed in the phishing landscape prior to the rise of blockchain based currency.

Proofpoint researchers observe multiple objectives demonstrated by cybercriminal threat actors relating to digital tokens and finance such as traditional fraud leveraging business email compromise (BEC) to target individuals, and activity targeting decentralized finance (DeFi) organizations that facilitate cryptocurrency storage and transactions for possible follow-on activity. Both of these threat types contributed to a reported $14 billion in cryptocurrency losses in 2021. In fact, Business Email Compromise topped the list of types of attacks CISOs in UAE expect to face in the coming months with 35% of CISO’s being concerned of potential BEC attacks.

While most attacks require a basic understanding of how cryptocurrency transfers and wallets function, they do not require sophisticated tooling to find success. Common techniques observed when targeting cryptocurrency over email include credential harvesting, the use of basic malware stealers that target cryptocurrency credentials and cryptocurrency transfer solicitation like BEC. These techniques are viable methods of capturing sensitive values which facilitate the transfer and spending of cryptocurrency.

There are multiple DeFi applications and platforms – such as cryptocurrency exchanges – that people can use to manage their cryptocurrency. These platforms often require usernames and passwords, which are potential targets for financially motivated threat actors.

Despite public keys being “safe” to share, researchers are seeing actors solicit the transfer of cryptocurrency funds via BEC type emails that include threat actor-controlled public keys and cryptocurrency addresses. These email campaigns rely on social engineering to secure the transfer of funds from targeted victims.

Credential Harvesting and Cryptocurrency
In 2022 Proofpoint has observed regular attempts to compromise user’s cryptocurrency wallets using credential harvesting. This method often relies on the delivery of a URL within an email body or formatted object which redirects to a credential harvesting landing page. Notably these landing pages have begun to solicit values utilized in the transfer and conversion of cryptocurrencies.

Crypto Phishing Kits
Credential harvesting landing pages are often built with phish kits that can be used to create multiple landing pages and used in multiple campaigns. Phish kits give threat actors the ability to deploy an effective phishing page regardless of their skill level. They are pre-packaged sets of files that contain all the code, graphics, and configuration files to be deployed to make a credential capture web page. These are designed to be easy to deploy as well as reusable. They are usually sold as a zip file and ready to be unzipped and deployed without a lot of “behind the scenes” knowledge or technical skill.

It is no wonder that CISOs around the world consider phishing as one of the most prevalent and challenging cybersecurity threats. A 2021 Proofpoint study found that almost a third of CISOs in the UAE believed they were at risk of suffering a phishing attack. Proofpoint researchers have observed multiple examples of phishing threat actors create and deploy phishing kits to harvest both login credentials to cryptocurrency related sites and cryptocurrency wallet credentials or passphrases.

Business Email Compromise – But For Crypto
A popular form of financial crime vectored through phishing is business email compromise (“BEC”). In 2022 Proofpoint regularly observes cryptocurrency transfer within the context of BEC attempts. Primarily these requests are observed in the context of employee targeting, using impersonation as a deception, and often leveraging advanced fee fraud, extortion, payroll redirect, or invoicing as themes.

The initial BEC email often contains the safe for public consumption values, including public keys and cryptocurrency addresses. By impersonating an entity known to the user and listing an actor-controlled public key or address, actors are attempting to deceive users into transferring funds from their account willingly based on social-engineering content. This is like the way actors use routing and bank account numbers during BEC phishing campaigns.

Financially motivated threat actor activity attempting to steal or extort cryptocurrency is not new. However, cryptocurrencies, digital tokens, and “Web3” concepts are becoming more widely known and accepted in society. Where once “crypto” was a concept that thrived in certain parts of the internet, it is now a mainstream idea, with cryptocurrency apps and services advertised by professional athletes and celebrities, and major events sponsored by cryptocurrency and block chain companies.

But threat actors are way ahead of general adoption of cryptocurrency, with existing infrastructure and ecosystems long established for stealing and using it. And as mainstream awareness and interest increases, it is more likely people will trust or engage with threat actors trying to steal cryptocurrency because they better understand how DeFi operates or are interested in being a part of “the next big thing”.

Users should be aware of common social engineering and exploitation mechanisms used by threat actors aiming to steal cryptocurrencies.

Continue Reading

Follow Us


Copyright © 2021 Security Review Magazine. Rysha Media LLC. All Rights Reserved.