Ransomware and distributed denial of service (DDoS) attacks are increasingly giving CISOs headaches as criminals find the former lucrative and activists and suspected nation states find the later effective for harassment (and perhaps delivering warning messages.
Two security vendor reports issued this week shed some interesting light on these weapons which security teams may find useful.
Akamai’s third quarter State of the Internet report (registration required) contained more detail about the huge attack that temporarily knocked out U.S. security writer Brian Krebs’ Web site. Much of that attack came from the the Mirai botnet, made up of thousands of IoT-connected devices including digital video records and video surveillance cameras. Interestingly devices from Columbia accounted for the biggest source (15 per cent) of the traffic. Until now Columbia has not been a major source, the report says of attack traffic. China and Russia were other major sources of devices.
One attack peaked at 623 Gbps, which consisted of GRE, SYN (synchronize), and ACK signal protocol floods at the network level, along with PUSH and GET floods at the application layer. According to a report from F5 Networks GRE (Generic Routing Encapsulation) is a tunneling protocol that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links over an IP network.
Generally GRE flood attacks — which rely on the capacity of botnet nodes — are a “very minor” part of most DDoS attacks, says Akamai. But it adds, given the success it would not be surprising if this protocol is used in more attacks.
There’s also interesting information about the Mirai command and control (C2) servers: They are well distributed; at its peak, a single botnet was issuing commands from more than 30 C2 IP addresses. Second, Akamai said, the botnet appears to be segmented, yet its components can work in concert. “Many of the thousands of attack commands issued by the C2 structure only called for attacks from small portions of the botnet, while a much smaller number elicited attacks from the botnet as a whole.” The botnet is capable of generating 10 types of attacks: two UDP floods, two types of GRE floods, two types of ACK floods, one SYN flood, one DNS flood, a Valve Engine attack, and an http flood attack that is configurable and can leverage any http method, while allowing customization of path, data, and cookie headers. The botnet allows for both static and randomized ip address spoofing in five of the 10 attack types.
While one of the major manufacturers of the IoT devices used in the Mirai botnet has recalled some devices and is trying to correct its source code, because there are still so many insecure IoT devices out there it and similar botnets will continue to be a menace.
“Mirai is a botnet that would not exist if more networks practiced basic hygiene, such as blocking insecure protocols by default,” says Akamai. “This is not new—we’ve seen similar network hygiene issues as the source of infection in the Brobot attacks of 2011 and 2012. (Mirai) spreads like a worm, using telnet and more than 60 default username and password combinations to scan the Internet for additional systems to infect.”
The other interesting report came from Check Point Software and its quarterly threat summary, which found that the Locky ransomware continues to spread, moving up to second from third on its network as the most prevalent software around the world. (Number one is the Conficker worm, which dates back to 2008. It leverages flaws in unpatched Windows PCs to launch dictionary attacks on administrator passwords; once infected the machine joins a botnet.)
“The reason for the continued growth in attack using Locky is the constant variation and expansion of its distribution mechanism,” says the report. “It changes the type of files used for downloading the ransomware, the structure of the spam emails, etc. The actual ransomware is nothing exceptional, but cyber-criminals have invested a lot of time into maximising the number of machines that become infected.”
Training staff to watch out for suspicious emails with attachments that bear Locky is tricky, because malware developers constantly change messages. Here are a few recent examples of what’s being used in subject lines:
§ Please review
§ Fax transmission
§ Payment history
§ Bill overdue
§ Your order has been proceeded
§ Wrong model