
Tag: Internet Control Message Protocol (ICMP)

DDoS attacks in Q3 2017

In the third quarter of 2017, we registered a considerable increase in the number of both DDoS attacks and their targets.

Traditionally, China is the country with the largest number of attack sources and targets.
It was followed by the United States and South Korea.

The popularity of Windows OS as a basis for creating a botnet has fallen noticeably, while the share of Linux-based botnets increased proportionally.

DDoS attacks in Q2 2017

The second quarter quite clearly showed that the DDoS-attack threat is perceived rather seriously.
Some companies were prepared to pay cybercriminals literally after their first demand without waiting for the attack itself.

This set off a whole new wave of fraud involving money extortion under threat of a DDoS attack, also known as “ransom DDoS”.
Although the first quarter of 2017 was rather quiet compared to the previous reporting period, there were a few interesting developments.

Despite the growing popularity of IoT botnets, Windows-based bots accounted for 59.81% of all attacks. Meanwhile, complex attacks that can only be repelled with sophisticated protection mechanisms are becoming more frequent.
A vulnerability in the ICMP ingress packet processing of Cisco TelePresence Collaboration Endpoint (CE) Software could allow an unauthenticated, remote attacker to cause the TelePresence endpoint to reload unexpectedly, resulting i...

DDoS attacks in Q4 2016

2016 was the year of Distributed Denial of Service (DDoS) with major disruptions in terms of technology, attack scale and impact on our daily life.
In fact, the year ended with massive DDoS attacks unseen before, leveraging Mirai botnet technology.
The Nmap Project just released the Holiday Edition of its open source cross-platform security scanner and network mapper, with several important improvements and bug fixes. New features in Nmap 7.40 include Npcap 0.78r5, for adding driver signing updates to work with Windows 10 Anniversary Update; faster brute-force authentication cracking; and new scripts for the Nmap Scripting Engine, the project’s maintainer Fyodor wrote on the Nmap mailing list.

The de facto standard network mapping and port scanning tool, Nmap (Network Mapper) Security Scanner is widely used by IT and security administrators for network mapping, port scanning, and network vulnerability testing. Administrators can run Nmap against the network to find open ports, determine what hosts are available on the network, identify what services those hosts are offering, and detect any network information leaked, such as the type of packet filters and firewalls in use. With a network map, administrators can spot unauthorized devices, ports that shouldn’t be open, or users running unauthorized services.

The Nmap Scripting Engine (NSE) built into Nmap runs scripts to scan for well-known vulnerabilities in the network infrastructure. Nmap 7.40 includes 12 new NSE scripts, bringing the total to 552 scripts, and makes several changes to existing scripts and libraries. The ssl-google-cert-catalog script has been removed from NSE, since Google is no longer supporting the service. Known Diffie-Hellman parameters for haproxy, postfix, and IronPort have been added to the ssl-dh-params script. A bug in mysql.lua that caused authentication failures in mysql-brute and other scripts (affecting Nmap 7.52Beta2 and later) has been fixed, along with a crash in smb.lua when using smb-ls. The http.lua library now allows processing HTTP responses with malformed header names.

The script http-default-accounts, which tests default credentials used by a variety of web applications and devices against a target, adds 21 new fingerprints and changes the way output is displayed. The script http-form-brute adds the content management system Drupal to the set of web applications it can brute force. The brute.lua library has been improved to use resources more efficiently. New scripts added to NSE include fingerprint-strings, to print the ASCII strings found in service fingerprints for unidentified services; ssl-cert-intaddr, to search for private addresses in TLS certificate fields and extensions; tso-enum, to enumerate usernames for TN3270 Telnet emulators; and tso-brute, which brute-forces passwords for TN3270 Telnet services.

Nmap 7.40 adds 149 IPv4 operating system fingerprints, bringing the current total to 5,336 OS fingerprints. These fingerprints let Nmap identify the operating system installed on the machine being scanned, and the list includes a wide range of hardware from various vendors. The latest additions are Linux 4.6, macOS 10.12 Sierra, and NetBSD 7.0. The Amazon Fire OS was removed from the list of OS fingerprints because “it was basically indistinguishable from Android.” Nmap also maintains a list of service fingerprints so that it can easily detect different types of services running on the machine. Nmap now detects 1,161 protocols, including airserv-ng, domaintime, rhpp, and usher. The fingerprints help speed up overall scan times. Nmap 7.40 also adds a service probe and UDP payload for Quick UDP Internet Connection (QUIC), a secure transport developed by Google that is used with HTTP/2.

A common issue when running a network scan is the time it takes to complete when some of the ports are unresponsive. A new option, --defeat-icmp-ratelimit, will label unresponsive ports as “closed|filtered” in order to reduce overall UDP scan times. Those unresponsive ports may be open, but by marking the port this way, administrators know those ports require additional investigation. Source code and binary packages for Linux, Windows, and macOS are available from the Nmap Project page.
At a time when the size of distributed denial-of-service attacks has reached unprecedented levels, researchers have found a new attack technique in the wild that allows a single laptop to take down high-bandwidth enterprise firewalls. The attack, dubbed BlackNurse, involves sending Internet Control Message Protocol (ICMP) packets of a particular type and code.
ICMP is commonly used for the ping network diagnostic utility, and attacks that try to overload a system with ping messages—known as ping floods—use ICMP Type 8 Code 0 packets. BlackNurse uses ICMP Type 3 (Destination Unreachable) Code 3 (Port Unreachable) packets instead and some firewalls consume a lot of CPU resources when processing them. According to experts from the Security Operations Center of the Danish telecom operator TDC, it would take from 40,000 to 50,000 ICMP Type 3 Code 3 packets a second to overload a firewall.

This is not a large number of packets and the bandwidth required to generate them is 15Mbps to 18Mbps, which means that BlackNurse attacks can be launched from a single laptop. “The impact we see on different firewalls is typically high CPU loads,” the TDC Security Operations Center (SOC) said in a technical report. “When an attack is ongoing, users from the LAN side will no longer be able to send/receive traffic to/from the internet. All firewalls we have seen recover when the attack stops.”

TDC SOC tested the attack successfully against Cisco Adaptive Security Appliance (ASA) firewalls in default configurations.

Cisco’s own documentation recommends that users allow ICMP Type 3 messages. “Denying ICMP unreachable messages disables ICMP Path MTU discovery, which can halt IPSec and PPTP traffic,” the company warns in its user guidelines. Some firewalls from Palo Alto Networks, SonicWall and Zyxel Communications are also affected, but only if they’re misconfigured or if certain protections are not turned on. “Palo Alto Networks Next-Generation Firewalls drop ICMP requests by default, so unless you have explicitly allowed ICMP in a security policy, your organization is not affected and no action is required,” Palo Alto said in a blog post in response to TDC SOC’s report. Customers who need to allow ICMP requests can follow best practices for DoS protection to mitigate this attack, the company said.

This involves enabling ICMP Flood and ICMPv6 Flood in their firewall’s DoS protection profile. Denial of service attacks are typically about generating more traffic than the target’s internet bandwidth can take.

BlackNurse is unusual in this respect, because it cannot be stopped by provisioning additional bandwidth. “On firewalls and other kinds of equipment a list of trusted sources for which ICMP is allowed could be configured,” the TDC SOC experts advise. “Disabling ICMP Type 3 Code 3 on the WAN interface can mitigate the attack quite easily. This is the best mitigation we know of so far.”

That said, there are many devices out there that are configured to accept ICMP traffic from the internet.

The TDC SOC has identified 1.7 million of them in Denmark alone.
Wave goodbye to security if crims can pop a MIMO router

Modern Wi-Fi doesn't just give you fast browsing, it also imprints some of your finger movements – swipes, passwords and PINs – onto the radio signal. A group of researchers from Shanghai Jiao Tong University, the University of Massachusetts at Boston, and the University of South Florida have demonstrated that analysing the radio signal can reveal private information, using just one malicious Wi-Fi hotspot. In this paper, published by the Association for Computing Machinery, they claim covert password snooping as high as 81.7 per cent, once their system has enough training samples.

It's an attack that wouldn't work if you had a primitive Wi-Fi setup with just one antenna, because it relies on the sophisticated beam-forming implemented in Multiple-Input, Multiple-Output (MIMO) antenna configurations. In a modern Wi-Fi setup, beam-forming is controlled by software that uses the small phase differences between antennas to reinforce signals in some directions, and cancel them out in other directions. That's what the researchers exploited: because the kit is designed to manage very small changes in signal, the researchers worked out that the link state changes when the user's hand is moving near the phone – such as when they're using the screen input.

From their paper – its obligatory cute title is When CSI Meets Public WiFi: Inferring Your Mobile Phone Password via WiFi Signals, where “CSI” stands for “channel state information” – “WindTalker is motivated from the observation that keystrokes on mobile devices will lead to different hand coverage and the finger motions, which will introduce a unique interference to the multi-path signals and can be reflected by the channel state information (CSI)”. The boffins are particularly pleased with themselves that they don't need to compromise the target: the attack is launched entirely from a malicious Wi-Fi hotspot.

A picture is probably useful at this point: this shows the CSI values recorded by the attackers if a user is continuously clicking different keys or the same key.

[Figure: Channel state information (CSI) analysis reveals user's movements. Image from When CSI Meets Public WiFi]

To force the target to send CSI to the base station, the attack sends an ICMP (Internet Control Message Protocol) request to the victim, which sends back an ICMP Reply. WindTalker only needs to gather 800 packets per second of replies to analyse the user's keystrokes. As well as the signal analysis, the Wi-Fi base station was modified with a panel antenna for better sensitivity, and the researchers wrote WindTalker's software to watch out for HTTPS sessions (since that might alert them to when the user was hitting a payments site – AliPay was chosen for this experiment). The researchers note that there's a simple way to block WindTalker: companies crafting payment apps should randomise their keypad layouts.

The attacker can still infer the finger's position – but won't know what key was pressed. ®
Researchers said they have discovered a simple way lone attackers with limited resources can knock large servers offline when they're protected by certain firewalls made by Cisco Systems and other manufacturers. The denial-of-service technique requires volumes of as little as 15 megabits, or about 40,000 packets per second, to sever the Internet connection of vulnerable servers.

The requirements are in stark contrast to recent attacks targeting domain name service provider Dyn and earlier security site KrebsOnSecurity and French Web host OVH.

Those assaults bombarded sites with volumes approaching or exceeding 1 terabit per second. Researchers from Denmark-based TDC Security Operations Center have dubbed the new attack technique BlackNurse. In a blog post published Wednesday, the researchers wrote:

“The BlackNurse attack attracted our attention, because in our anti-DDoS solution we experienced that even though traffic speed and packets per second were very low, this attack could keep our customers' operations down. This even applied to customers with large internet uplinks and large enterprise firewalls in place. We had expected that professional firewall equipment would be able to handle the attack.”

BlackNurse harnesses data based on the Internet Control Message Protocol, which routers and other networking devices use to send and receive error messages.

By sending a special type of ICMP packets—specifically Type 3 ICMP packets with a code of 3—attackers can quickly strain the CPUs of certain types of server firewalls.

After reaching a threshold of 15Mbps to 18Mbps, the targeted firewalls drop so many packets that the server behind the device effectively drops off the Internet.

The researchers devised an attack that required only a single laptop to deliver BlackNurse volumes of 180Mbps. The TDC Security researchers wrote:

“It does not matter if you have a 1 Gbit/s Internet connection. The impact we see on different firewalls is typically high CPU loads. When an attack is ongoing, users from the [local area network] site will no longer be able to send/receive traffic to/from the Internet. All firewalls we have seen recover when the attack stops.”

Over the past two years, the researchers reported, they have seen more than 95 ICMP attacks target customers inside the TDC network.

The report didn't say if the ICMP attacks were based on BlackNurse or a previously known ICMP attack that delivers Type 8 packets with a code of 0. According to researchers from Netresec, a security firm that collaborated with TDC Security on the research, the attack works against firewalls from Cisco Systems, Palo Alto Networks, SonicWall, and Zyxel.

The specific models and many more details are available in this blog post from Thursday. Palo Alto Networks has issued its own advisory that reports company devices are only vulnerable in "very specific, non-default scenarios that contravene best practices." Cisco, meanwhile, has reportedly said it doesn't consider the reported behavior to be a security issue, although the company hasn't said why.

The networking giant might be aware of mitigations or limitations not reported by either TDC Security or Netresec.

The SANS Institute has its own brief write-up of the attack here.
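The two BlackNurse write-ups above both describe the same signal: a low-bandwidth stream of ICMP Type 3 Code 3 (Destination Unreachable / Port Unreachable) packets at roughly 40,000 packets per second toward one firewall. The following detector is an added example, not code from TDC SOC, Netresec or either article; it parses raw IPv4/ICMP frames, counts Port Unreachable packets per destination per second, and raises an alert when the rate reaches the 40,000 pps figure TDC reported. The packet builder, the threshold constant and all addresses (documentation ranges) are assumptions constructed for the demo.

```python
"""Rate-based detector for BlackNurse-style ICMP Type 3 Code 3 floods.

Added example (not TDC SOC's or Netresec's code). Parses raw IPv4+ICMP
frames and tracks per-second Port Unreachable counts per destination.
"""
import struct
from collections import defaultdict

ICMP_PROTO = 1
ICMP_DEST_UNREACH = 3      # ICMP Type 3
ICMP_PORT_UNREACH = 3      # Code 3 of Type 3
ICMP_ECHO_REQUEST = 8      # ordinary ping (Type 8 Code 0), not BlackNurse
PPS_ALERT_THRESHOLD = 40_000  # lower bound of the 40k-50k pps figure in the TDC report


def inet_checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_icmp(packet: bytes):
    """Return (src, dst, icmp_type, icmp_code), or None for anything that is
    not a well-formed IPv4/ICMP packet (wrong version, truncated, bad checksum)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len < ihl + 8 or total_len > len(packet):
        return None
    if packet[9] != ICMP_PROTO:
        return None
    # Checksum over the ICMP message (header + payload) must sum to zero.
    if inet_checksum(packet[ihl:total_len]) != 0:
        return None
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    return src, dst, packet[ihl], packet[ihl + 1]


def is_blacknurse_candidate(icmp_type: int, icmp_code: int) -> bool:
    return icmp_type == ICMP_DEST_UNREACH and icmp_code == ICMP_PORT_UNREACH


class PortUnreachRateMonitor:
    """Counts Type 3 Code 3 packets per (destination, whole second)."""

    def __init__(self, threshold_pps: int = PPS_ALERT_THRESHOLD):
        self.threshold = threshold_pps
        self.counts = defaultdict(int)

    def observe(self, ts: float, packet: bytes):
        parsed = parse_ipv4_icmp(packet)
        if parsed is None:
            return None
        _src, dst, itype, icode = parsed
        if not is_blacknurse_candidate(itype, icode):
            return None
        key = (dst, int(ts))
        self.counts[key] += 1
        return key

    def alerts(self):
        """(dst, second, count) for every second at or above the threshold."""
        return sorted((dst, sec, n) for (dst, sec), n in self.counts.items()
                      if n >= self.threshold)


def build_ipv4_icmp(src: str, dst: str, icmp_type: int, icmp_code: int,
                    payload: bytes = b"") -> bytes:
    """Constructed test packet (assumption: minimal IPv4 header, TTL 64)."""
    icmp_hdr = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0)
    csum = inet_checksum(icmp_hdr + payload)
    icmp = struct.pack("!BBHI", icmp_type, icmp_code, csum, 0) + payload
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                      ICMP_PROTO, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp


def run_demo():
    """Constructed traffic: 45,000 Port Unreachable packets within one second
    at 198.51.100.10, mixed with ordinary echo requests that must not count."""
    mon = PortUnreachRateMonitor()
    target = "198.51.100.10"
    flood = build_ipv4_icmp("203.0.113.7", target, ICMP_DEST_UNREACH,
                            ICMP_PORT_UNREACH, b"\x45\x00" + b"\x00" * 26)
    ping = build_ipv4_icmp("203.0.113.8", target, ICMP_ECHO_REQUEST, 0, b"ping")
    for i in range(45_000):
        mon.observe(1000.0 + i / 45_000, flood)   # all land in second 1000
    for _ in range(100):
        mon.observe(1000.5, ping)                  # ignored: Type 8, not 3/3
    return mon.alerts()


if __name__ == "__main__":
    for dst, sec, n in run_demo():
        print(f"ALERT: {n} ICMP 3/3 packets toward {dst} in second {sec}")
```

On a real sensor the packets would come from a pcap or raw socket and the threshold would be tuned to the firewall model in front of the monitored segment; the TDC figure is a starting point, not a universal constant.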
Q3 events

Cybercrime as a Service

In the last few months the scale of the global ‘Cybercrime as a Service’ infrastructure has been revealed – fully commercialized, with DDoS as one of the most popular services, capable of launching attacks the likes of which have never been seen before in terms of volume and technological complexity. Against this background, Europol published the 2016 Internet Organized Crime Threat Assessment (IOCTA) on 28 September, which is based on the experiences of law enforcement institutions within the EU member states.

The report clearly ranks DDoS in first place as a key threat and states that any “Internet facing entity, regardless of its purpose or business, must consider itself and its resources to be a target for cybercriminals”. Most likely, this stems from early September when Brian Krebs, an industry security expert, published an investigation outlining the business operations of a major global DDoS botnet service called vDOS and its principal owners, two young men in Israel.

The culprits have been arrested and investigations are ongoing, but the sheer scale of their business is stunning. Based on a subscription scheme, starting from $19.99 per month, tens of thousands of customers paid more than $600,000 over the past two years to vDOS.
In just four months between April and July, vDOS launched more than 277 million seconds of attack time, or approximately 8.81 years’ worth of attack traffic. It was no wonder that shortly afterwards a DDoS attack brought down Brian Krebs’s website with a traffic volume close to 620 Gbps, making it one of the biggest attacks the Internet has ever witnessed, only to be topped several days later by another attack close to 1 Tbps that hit France’s OVH.

The attack vector, as Octave Klaba, CTO at OVH, reported, looks like the same Internet of Things (IoT) botnet totaling 152,464 devices – mainly webcams, routers and thermostats – that brought down Brian Krebs’s website. To make the situation even worse, hackers just released the Mirai source code, which, according to security experts, was responsible for the aforementioned DDoS attacks.

The code includes a built-in scanner to look for vulnerable IoT devices and enrolls them into a botnet. With this, we expect to see a new wave of commercial services like vDOS and DDoS attacks in the coming months. The Internet of Things is increasingly becoming a powerful tool for attackers, facilitated by the neglect for information security both on the part of vendors and users. So, check that your devices connected to the Internet have a strong security setup.

‘Political’ DDoS attacks

DDoS is widely used in politics.
In July of this year, an international tribunal stated China’s territorial claims to the Spratly archipelago in the South China Sea were groundless, and almost immediately at least 68 sites belonging to various Philippine government institutions were subjected to powerful DDoS attacks.

The international press called these incidents part of a long-term cyberespionage campaign launched by China in its struggle for sovereignty of the Spratly archipelago.

Attack on a broker

Cybercriminals have identified the most vulnerable targets for DDoS extortion purposes – broker companies.

They are high-turnover businesses that are also extremely dependent on web services.

The Taiwanese company First Securities recently received a demand for 50 bitcoins (about $32,000) from unknown persons.

After refusing to pay, the company’s website was targeted by a DDoS attack, which made bidding for the company’s clients impossible. Meanwhile, the president of First Securities released a statement to the press saying they had experienced a “trade slowdown” that only affected some of their investors.

Assessing the damage caused by DDoS attacks

B2B International, at the request of Kaspersky Lab, conducted the study called IT Security Risks 2016.

According to the results, corporations are suffering increasing damage from DDoS attacks: a single attack can cost a company more than $1.6 billion in losses.

At the same time, 8 out of 10 companies are subjected to several attacks per year.

Trend of the quarter: SSL-based DDoS attacks

According to Kaspersky DDoS Protection, the number of “smart” HTTPS-based DDoS attacks on applications increased in the third quarter of 2016.

These attacks boast a number of important advantages that make a successful attack more likely. Establishing a secure connection requires considerable resources, despite operating speeds for cryptographic algorithms constantly increasing (e.g., elliptic curve algorithms have made it possible to enhance the performance of encryption while maintaining the same cryptographic strength).

For the sake of comparison, a properly configured web server is capable of processing tens of thousands of new HTTP connections per second, but when processing encrypted connections this capacity falls to just hundreds of connections per second. The use of hardware crypto accelerators makes it possible to significantly increase this value. However, this doesn’t help much considering the current reality of cheap and readily available rented servers, high-capacity communication channels, as well as known vulnerabilities that allow cybercriminals to build larger botnets.

They can carry out a successful DDoS attack by creating a load that exceeds the performance of expensive hardware solutions. A typical example of a “smart” attack is a relatively small number of queries being sent to the “load-heavy” parts of websites (as a rule, search forms are chosen) inside a small number of encrypted connections.

Those requests are almost invisible in the overall traffic flow, and at a low intensity they are often very effective.

At the same time, decryption and analysis of traffic is only possible on the web-server side. Encryption also complicates the operation of specialized systems designed to protect against DDoS attacks (especially solutions used by communications providers).

Decrypting traffic on-the-fly in order to analyze the content of network packets is often not possible during such attacks due to technical or security reasons (it’s not permitted to pass a server’s private key to third-party organizations, mathematical limitations prevent access to the information in encrypted packets in transit traffic).

This significantly reduces the effectiveness of protection against such attacks. The growing proportion of “smart” DDoS attacks is caused in no small part by the fact that amplification-type attacks, the most popular attack type in recent times, are becoming increasingly difficult to implement. On the Internet, the number of vulnerable servers that can be used to organize such attacks is steadily falling.
In addition, most of these attacks have similar features, making it easy to block them completely, and ensuring their effectiveness is eroded over time. The desire of website owners to protect data and improve privacy levels, combined with cheaper computing capacities have resulted in a growing trend: classic HTTP is being replaced by HTTPS, leading to an increase in the proportion of resources using encryption.

The development of web-based technology encourages active implementation of the new HTTP/2 protocol, in which operations without encryption are not supported by the latest browsers. We believe that the number of encryption-based attacks will grow.

For developers of information security solutions this requires an immediate reappraisal of their approach to combating distributed attacks, because today’s tried and tested solutions may soon become ineffective.

Statistics for botnet-assisted DDoS attacks

Methodology

Kaspersky Lab has extensive experience in combating cyber threats, including DDoS attacks of various types and levels of complexity.

The company’s experts monitor botnet activity with the help of the DDoS Intelligence system. DDoS Intelligence (part of Kaspersky DDoS Protection) is designed to intercept and analyze commands sent to bots from command and control (C&C) servers, and does not have to wait until user devices are infected or cybercriminal commands are executed in order to gather data. This report contains the DDoS Intelligence statistics for the third quarter of 2016. In the context of this report, a single (separate) DDoS attack is defined as an incident during which any break in botnet activity lasts less than 24 hours.
If the same web resource was attacked by the same botnet after a break of more than 24 hours, this is regarded as a separate DDoS attack.

Attacks on the same web resource from two different botnets are also regarded as separate attacks. The geographic distribution of DDoS victims and C&C servers is determined according to their IP addresses.
In this report, the number of DDoS targets is calculated based on the number of unique IP addresses reported in the quarterly statistics. It is important to note that DDoS Intelligence statistics are limited to those botnets detected and analyzed by Kaspersky Lab.
It should also be noted that botnets are just one of the tools used to carry out DDoS attacks; therefore, the data presented in this report does not cover every DDoS attack that has occurred within the specified time period.

Q3 Summary

Resources in 67 countries (vs. 70 in Q2) were targeted by DDoS attacks in Q3 2016. 62.6% of targeted resources were located in China. China, the US and South Korea remained leaders in terms of both the number of DDoS attacks and number of targets.

For the first time both rankings included Italy. The longest DDoS attack in Q3 2016 lasted for 184 hours (or 7.6 days) – significantly shorter than the previous quarter’s maximum (291 hours or 12.1 days). A popular Chinese search engine was subjected to the largest number of attacks (19) over the reporting period. SYN DDoS, TCP DDoS and HTTP DDoS remain the most common DDoS attack scenarios.

The proportion of attacks using the SYN DDoS method continued to grow, increasing by 5 p.p., while the shares of TCP DDoS and HTTP DDoS continued to decline. In Q3 2016, the percentage of attacks launched from Linux botnets continued to increase and reached 78.9% of all detected attacks.

Geography of attacks

In Q3 2016, the geography of DDoS attacks narrowed to 67 countries, with China accounting for 72.6% (4.8 p.p. less than the previous quarter).
In fact, 97.4% of the targeted resources were located in just 10 countries.

The other two countries in the top three switched places – the US (12.8%) overtook South Korea (6.3%) to become the second most targeted country.

[Chart: Distribution of DDoS attacks by country, Q2 2016 vs. Q3 2016]

One entry of note to the rating of most targeted countries was Italy, appearing for the first time ever and accounting for 0.6% of all attacks. In all, the TOP 10 included three Western European countries (Italy, France and Germany). This quarter’s statistics show that targets within the leading 10 countries accounted for 96.9% of all attacks.

[Chart: Distribution of unique DDoS attack targets by country, Q2 2016 vs. Q3 2016]

In Q3 2016, 62.6% of attacks (8.7 p.p. less than the previous quarter) targeted resources located in China. However, targets in the US became more attractive for cybercriminals – the country’s share accounted for 18.7% compared with 8.9% in the previous quarter.
South Korea rounded off the top three – its contribution decreased by 2.4 p.p. and amounted to 8.7%. The shares of the other countries in the TOP 10 increased, with the exception of France (0.4%), which saw a fall of 0.1 p.p. Japan (1.6%) and Italy (1.1%) each saw a 1 p.p. increase, and as a result, Italy entered the TOP 10 for the first time and went straight in at 6th place (Ukraine left the TOP 10).

The proportion of attacks targeting Russia also grew significantly – from 0.8% to 1.1%. This rating also included three Western European countries – Italy, France and the Netherlands.

Changes in DDoS attack numbers

DDoS activity was relatively uneven in Q3 2016.

The period between 21 July and 7 August was marked by the highest DDoS activity, with peaks in the number of attacks registered on 23 July and 3 August.

From 8 August, DDoS activity plummeted and resulted in a lull which lasted from 14 August till 6 September.

The smallest number of attacks was recorded on 3 September (22 attacks).

The largest number of attacks was observed on 3 August – 1,746 attacks. Note that this is the highest figure for the first three quarters of 2016. Most of these attacks took place on the servers of just one service provider located in the United States.

[Chart: Number of DDoS attacks over time* in Q3 2016]

*DDoS attacks may last for several days. In this timeline, the same attack can be counted several times, i.e. one time for each day of its duration.

In Q3, Friday was the most active day of the week for DDoS attacks (17.3% of attacks), followed by Thursday (15.2%). Monday, which was second in Q2 with 15%, became the quietest day of the week in terms of DDoS attacks (12.6%).

[Chart: Distribution of DDoS attack numbers by day of the week, Q2 and Q3 2016]

Types and duration of DDoS attacks

The rating of the most popular attack methods saw no considerable changes from the previous quarter.

The SYN DDoS method has further strengthened its position as leader: its share increased from 76% to 81%.

The proportion of the other attack types decreased slightly.
ICMP DDoS was most affected: its share decreased by 2.6 p.p.

[Chart: Distribution of DDoS attacks by type, Q2 and Q3 2016]

Attacks that last no more than four hours remained the most popular: in Q3 their share increased by 9.2 p.p., accounting for 69%.

Attacks that lasted 5-9 hours remained in second. Meanwhile, the percentage of longer attacks decreased considerably – the share of attacks lasting 100-149 hours fell from 1.7% in Q2 to 0.1% in the third quarter.

There were very few cases of attacks lasting longer than that.

[Chart: Distribution of DDoS attacks by duration (hours), Q2 and Q3 2016]

The longest DDoS attack in Q3 2016 only lasted for 184 hours (targeting a Chinese provider), which is significantly lower than the Q2 maximum of 291 hours. A Chinese search engine had the unenviable distinction of being attacked most – it was targeted 19 times during the quarter.

C&C servers and botnet types

In Q3, the highest number of C&C servers (45.8%) was detected in South Korea, although this country’s contribution is considerably smaller compared to the previous quarter (69.6%). The top three countries hosting the most C&C servers remained unchanged – South Korea, China and the US – although their total share was 67.7% vs. 84.8% in Q2. The number of active C&C servers in Western Europe is growing – the TOP 10 included the Netherlands (4.8%), the UK (4.4%), and France (2%).

To recap, three Western European countries entered both the TOP 10 countries subjected to the highest number of attacks and the TOP 10 countries with the highest number of targets. Among the newcomers to the C&C rating were Hong Kong and Ukraine, each with a share of 2%.

[Chart: Distribution of botnet C&C servers by country in Q3 2016]

In Q3, Linux-based DDoS bots remained the clear leader and the share of attacks launched from Linux botnets continued to grow, accounting for 78.9% vs. 70.8% in Q2.

This correlates with the growing popularity of SYN DDoS for which Linux bots are the most appropriate tool.
In addition, this can be explained by the growing popularity of Linux-based IoT devices used for DDoS attacks, and will most probably be boosted further after the leakage of Mirai.

[Chart: Correlation between attacks launched from Windows and Linux botnets, Q2 and Q3 2016]

Q3 continues the trend of Linux dominance from the previous quarter. Prior to Q2 2016, the difference between the share of Windows- and Linux-based botnets did not exceed 10 p.p. for several quarters in a row. The majority of attacks – 99.8% – were carried out by bots belonging to a single family.

Cybercriminals launched attacks using bots from two different families in just 0.2% of cases.

Conclusion

‘Classic’ botnet attacks based on widespread malware tools such as Pandora, Drive, etc. have been well researched by analysts who have developed effective and simple methods of neutralizing attacks that utilize these tools.

This is increasingly forcing cybercriminals to use more sophisticated attack methods, including data encryption and new approaches to the development of tools used for organizing attacks and building botnets. Another interesting trend this quarter was the increased activity of DDoS botnets in Western Europe.

For the first time in a year the TOP 10 most attacked countries included three Western European countries – Italy, France and Germany.

This correlates with the increased number of active C&C servers in Western Europe, particularly in France, the UK and the Netherlands. Overall, Western European countries accounted for about 13% of active DDoS botnet C&C servers.
For example, not-China* didn't “hack the BoM's supercomputers”

Sensationalist language is making it hard to educate businesses and the public about infosec risks*, according to the Australian Cyber Security Centre's 2016 threat report. While every ICMP ping is treated as an attack by some, the report says unequivocally: “Australia still has not been subjected to malicious cyber activity that could constitute a cyber attack”. Also, in the short term, terrorist organisations will stick to the attacks they know best: finding ill-secured business or government Websites, and defacing them.

After its formalities, glossary and housekeeping notes, the report opens with the complaint that the breadth of the term “cyber attack”, the proliferation of cybers (“cyber war”, “cyber terrorism” and “cyber weapons”) and sensationalism (leading to a “disproportionate sense of threat”) “undermines the development and application of proportionate nation state responses”.

The Bureau of Meteorology's woes in August get a mention – as an example of sensationalism: “this incident was initially described in some media reporting as being the result of a “foreign cyber attack” – a description that led to a heightened sense of threat and risk, increased concerns from the public about the security of their personal information, and triggered media speculation about nation state motivations, tradecraft, and the possibility of further 'attacks'.”

There are, however, genuine threats: the much-discussed Bureau of Meteorology compromise in 2015 is given as one such example. The ACSC has decided to let a little light into what took place (see “sensationalist”, above). At the time, “sources” let loose coded signals that China had compromised the BoM's supercomputers in a “massive” attack.
The reality is far less impressive: the attack – presumably by the tried-and-true vector of a phishing e-mail – led to this: “ASD identified the presence of particular Remote Access Tool (RAT) malware popular with state-sponsored cyber adversaries, amongst other malware associated with cybercrime.

The RAT had also been used to compromise other Australian government networks. “ASD identified evidence of the adversary searching for and copying an unknown quantity of documents from the Bureau’s network.

This information is likely to have been stolen by the adversary.”

Vulture South notes that while there exist RATs for the Linux operating systems common on supercomputers, they're more typically associated with Windows desktops. As well as the two computers whose activity alerted the ASD to the RAT's presence, the attackers left footprints on “at least six further hosts” including “domain controllers and file servers”. The report says it identified the misuse of one domain administrator's account, and that the attackers also dropped Cryptolocker on the network (and therefore probably tried to extort a ransom from the Bureau). The Bureau has since been walked through the ASD's “don't be stupid” list, and is working with the ACSC on other strategies.

As for the “terrorists will attack soon” line that led the political press' coverage of the report before it landed (Fairfax here, for example), that's an inversion of what the report actually says: It is unlikely terrorists will be able to compromise a secure network and generate a significant disruptive or destructive effect for at least the next two to three years.

What about critical infrastructure? Surely that, at least, is a legitimate reason for us to switch from “relaxed and comfortable” to “run around in a panic”? Yes and no, it seems: while CERT Australia reckons energy sits alongside communications as the sector with the highest number of compromised systems, it's hard to tell from the ACSC just how many blackouts, dam-release floods, or gas explosions the compromises have caused. The report provides one unnamed target as a case study – and in that case, the attacker got the credentials of an authorised user, escalated their privilege to admin, and copied documents rather than taking out the victim's control systems. The ACSC advises that industrial control should be kept away from the Internet, which is reasonable if imperfect advice (air-gaps can be crossed), but that's hardly exciting.
For now, espionage and ransoms are the threats we should be taking most seriously. ®

*Bootnote: Nobody will ever officially attribute the BoM attack to China. Including ourselves, since we don't know. ®
Download the full report (PDF)
Technical analysis
Indicators of compromise (IOC)
Download YARA rules

More information about ProjectSauron is available to customers of Kaspersky Intelligence Reporting Service.

Contact: intelreports@kaspersky.com

Introduction:

Over the last few years, the number of “APT-related” incidents described in the media has grown significantly.

For many of these, though, the designation “APT”, indicating an “Advanced Persistent Threat”, is usually an exaggeration. With some notable exceptions, few of the threat actors usually described in the media are advanced.

These exceptions, which in our opinion represent the pinnacle of cyberespionage tools, the truly “advanced” threat actors out there, are Equation, Regin, Duqu and Careto.

Another such exceptional espionage platform is “ProjectSauron”, also known as “Strider”.

What differentiates a truly advanced threat actor from a wannabe APT? Here are a few features that characterize the ‘top’ cyberespionage groups:

- The use of zero-day exploits
- Unknown, never identified infection vectors
- Have compromised multiple government organizations in several countries
- Have successfully stolen information for many years before being discovered
- Have the ability to steal information from air-gapped networks
- Support multiple covert exfiltration channels on various protocols
- Malware modules which can exist only in memory without touching the disk
- Unusual persistence techniques which sometimes use undocumented OS features

“ProjectSauron” easily covers many of these points.

From discovery to detection:

When talking about long-standing cyber-espionage campaigns, many people wonder why it took so long to catch them. Perhaps one of the explanations is having the right tools for the right job.

Trying to catch government or military grade malware requires specialized technologies and products. One such product is Kaspersky’s AntiTargeted Attacks Platform, KATA (http://www.kaspersky.com/enterprise-security/anti-targeted-attack-platform).
In September 2015, our anti-targeted attack technologies caught a previously unknown attack.

The suspicious module was an executable library, loaded in the memory of a Windows domain controller (DC).

The library was registered as a Windows password filter and had access to sensitive data in cleartext.

Additional research revealed signs of massive activity from a new threat actor that we codenamed ‘ProjectSauron’, responsible for large-scale attacks against key governmental entities in several countries.

“SAURON” – internal name used in the LUA scripts

ProjectSauron comprises a top-of-the-top modular cyber-espionage platform in terms of technical sophistication, designed to enable long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods.

Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes.

For example, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim.

Some other key features of ProjectSauron:

- It is a modular platform designed to enable long-term cyber-espionage campaigns.
- All modules and network protocols use strong encryption algorithms, such as RC6, RC5, RC4, AES, Salsa20, etc.
- It uses a modified LUA scripting engine to implement the core platform and its plugins.
- There are upwards of 50 different plugin types.
- The actor behind ProjectSauron has a high interest in communication encryption software widely used by targeted governmental organizations. It steals encryption keys, configuration files, and IP addresses of the key infrastructure servers related to the encryption software.
- It is able to exfiltrate data from air-gapped networks by using specially-prepared USB storage drives where data is stored in an area invisible to the operating system.
- The platform makes extensive use of the DNS protocol for data exfiltration and real-time status reporting.
- The APT was operational as early as June 2011 and remained active until April 2016.
- The initial infection vector used to penetrate victim networks remains unknown.
- The attackers utilize legitimate software distribution channels for lateral movement within infected networks.

To help our readers better understand the ProjectSauron attack platform, we’ve prepared an FAQ which brings together some of the most important points about this attacker and its tools.

A brief technical report is also available, including IOCs and Yara rules. Our colleagues from Symantec have also released their analysis on ProjectSauron / Strider. You can read it here: http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets

ProjectSauron FAQ:

1. What is ProjectSauron?

ProjectSauron is the name for a top level modular cyber-espionage platform, designed to enable and manage long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes.

As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim. Usually APT campaigns have a geographical nexus, aimed at extracting information within a specific region or from a given industry.

That usually results in several infections in countries within that region, or in the targeted industry around the world.
Interestingly, ProjectSauron seems to be dedicated to just a couple of countries, focused on collecting high value intelligence by compromising almost all key entities it could possibly reach within the target area. The name ProjectSauron reflects the fact that the code authors refer to ‘Sauron’ in the LUA scripts.

2. Who are the victims?

Using our telemetry, we found more than 30 infected organizations in Russia, Iran, Rwanda and possibly in Italian-speaking countries as well. Many more organizations and geographies are likely to be affected. The attacked organizations are key entities that provide core state functions:

- Government
- Scientific research centers
- Military
- Telecommunication providers
- Finance

3. Have you notified victims?

As usual, Kaspersky Lab actively collaborates with industry partners, CERTs and law enforcement agencies to notify victims and help to mitigate the threat. We also rely on public awareness to spread information about it. If you need more information about this actor, please contact intelreports@kaspersky.com.

4. For how long have the attackers been active?

Forensic analysis indicates that the APT has been operational since at least June 2011 and was still active in 2016.

Although it appears to have largely ceased, there is a chance that it is still active on computer systems that are not covered by Kaspersky Lab solutions.

5. Did the attackers use interesting or advanced techniques?

The attackers used multiple interesting and unusual techniques, including:

- Data exfiltration and real-time status reporting using DNS requests.
- Implant deployment using legitimate software update scripts.
- Data exfiltration from air-gapped networks through the use of specially prepared USB storage drives where the stolen data is stored in the area unused by standard tools of the operating system.
- Using a modified LUA scripting engine to implement the core platform and its plugins. The use of LUA components in malware is very rare – it was previously spotted in the Flame and Animal Farm attacks.

6. How did you discover this malware?

In September 2015, Kaspersky Lab’s Anti-Targeted Attack Platform discovered anomalous network traffic in a client organization’s network.

Analysis of this incident led to the discovery of a strange executable program library loaded into the memory of the domain controller server.

The library was registered as a Windows password filter and had access to sensitive data such as administrative passwords in cleartext.

Additional research revealed signs of activity of a previously unknown threat actor.

7. How does ProjectSauron operate?

ProjectSauron usually registers its persistence module on domain controllers as a Windows LSA (Local Security Authority) password filter.

This feature is typically used by system administrators to enforce password policies and validate new passwords to match specific requirements, such as length and complexity.

This way, the ProjectSauron passive backdoor module starts every time any network or local user (including an administrator) logs in or changes a password, and promptly harvests the password in plaintext. In cases where domain controllers lack direct Internet access, the attackers install additional implants on other local servers which have both local network and Internet access and may pass a significant amount of network traffic, e.g. proxy servers, web servers, or software update servers.

After that, these intermediary servers are used by ProjectSauron as internal proxy nodes for silent and inconspicuous data exfiltration, blending in with high volumes of legitimate traffic. Once installed, the main ProjectSauron modules start working as ‘sleeper cells’, displaying no activity of their own and waiting for ‘wake-up’ commands in the incoming network traffic.

This method of operation ensures ProjectSauron’s extended persistence on the servers of targeted organizations.

8. What kind of implants does ProjectSauron use?

Most of ProjectSauron’s core implants are designed to work as backdoors, downloading new modules or running commands from the attacker purely in memory.

The only way to capture these modules is by making a full memory dump of the infected systems. Almost all of ProjectSauron’s core implants are unique, have different file names and sizes, and are individually built for each target.

Each module’s timestamp, both in the file system and in its own headers, is tailored to the environment on which it is installed. Secondary ProjectSauron modules are designed to perform specific functions like stealing documents, recording keystrokes, and stealing encryption keys from both infected computers and attached USB sticks. ProjectSauron implements a modular architecture using its own virtual file system to store additional modules (plugins) and a modified LUA interpreter to execute internal scripts.

There are upwards of 50 different plugin types.

9. What is the initial infection vector?

To date, the initial infection vector used by ProjectSauron to penetrate victim networks remains unknown.

10. How were the ProjectSauron implants deployed within the target network?

In several cases, ProjectSauron modules were deployed through the modification of scripts used by system administrators to centrally deploy legitimate software updates within the network. In essence, the attackers injected a command to start the malware by modifying existing software deployment scripts.

The injected malware is a tiny module that works as a simple downloader. Once started under a network administrator account, this small downloader connects to a hard-coded internal or external IP address and downloads the bigger ProjectSauron payload from there. In cases where the ProjectSauron persistence container is stored on disk in EXE file format, it disguises the files with legitimate software file names.

11. What C&C infrastructure did the attackers use?

The ProjectSauron actor is extremely well prepared when it comes to operational security. Running an expensive cyberespionage campaign like ProjectSauron requires vast domain and server infrastructure uniquely assigned to each victim organization and never reused again.

This makes traditional network-based indicators of compromise almost useless because they won’t be reused in any other organization. We collected 28 domains linked to 11 IPs located in the United States and several European countries that might be connected to ProjectSauron campaigns.

Even the diversity of ISPs selected for ProjectSauron operations makes it clear that the actor did everything possible to avoid creating patterns.

12. Does ProjectSauron target isolated (air-gapped) networks?

Yes. We registered a few cases where ProjectSauron successfully penetrated air-gapped networks. The ProjectSauron toolkit contains a special module designed to move data from air-gapped networks to Internet-connected systems.

To achieve this, removable USB devices are used. Once networked systems are compromised, the attackers wait for a USB drive to be attached to the infected machine. These USBs are specially formatted to reduce the size of the partition on the USB disk, reserving several hundred megabytes of hidden space at the end of the disk for malicious purposes.

This reserved space is used to create a new custom-encrypted partition that won’t be recognized by a common OS, such as Windows.

The partition has its own semi-filesystem (or virtual file system, VFS) with two core directories: ‘In’ and ‘Out’. This method also bypasses many DLP products, since software that disables the plugging of unknown USB devices based on DeviceID wouldn’t prevent an attack or data leakage, because a genuine recognized USB drive was used.

13. Does ProjectSauron target critical infrastructure?

Some of the entities infected by ProjectSauron can be classified as critical infrastructure. However, we haven’t registered ProjectSauron infections inside industrial control system networks that have SCADA systems in place. Also, we have not yet seen a ProjectSauron module targeting any specific industrial hardware or software.

14. Did ProjectSauron use any special communication methods?

For network communication, the ProjectSauron toolkit has extensive abilities, leveraging the stack of the most commonly used protocols: ICMP, UDP, TCP, DNS, SMTP and HTTP. One of the ProjectSauron plugins is the DNS data exfiltration tool.

To avoid generic detection of DNS tunnels at network level, the attackers use it in low-bandwidth mode, which is why it is used solely to exfiltrate target system metadata. Another interesting feature in ProjectSauron malware that leverages the DNS protocol is the real-time reporting of the operation progress to a remote server. Once an operational milestone is achieved, ProjectSauron issues a DNS request to a special subdomain unique to each target.

15. What is the most sophisticated feature of the ProjectSauron APT?

In general, the ProjectSauron platform is very advanced and reaches the level of complexity of Regin, Equation and similar threat actors we have reported on in the past. Some of the most interesting things in the ProjectSauron platform include:

- Multiple exfiltration mechanisms, including piggybacking on known protocols.
- Bypassing air-gaps using hidden data partitions on USB sticks.
- Hijacking Windows LSA to control network domain servers.
- Implementing an extended LUA engine to write custom malicious scripts to control the entire malware platform with a high-level language.

16. Are the attackers using any zero-day vulnerabilities?

To date we have not found any 0-day exploits associated with ProjectSauron. However, when penetrating isolated systems, the creation of the encrypted storage area in the USB does not in itself enable attackers to get control of the air-gapped machines. There has to be another component such as a 0-day exploit placed on the main partition of the USB drive. So far we have not found any 0-day exploit embedded in the body of the malware we analyzed, and we believe it was probably deployed in rare, hard-to-catch instances.

17. Is this a Windows-only threat? What versions of Windows are targeted?

ProjectSauron works on all modern Microsoft Windows operating systems – both x64 and x86. We have witnessed infections running on Windows XP x86 as well as Windows 2012 R2 Server Edition x64. To date, we haven’t found a non-Windows version of ProjectSauron.

18. Were the attackers hunting for specific information?

ProjectSauron actively searches for information related to rather uncommon, custom network encryption software.

This client-server software is widely adopted by many of the target organizations to secure communications, voice, email, and document exchange. In a number of the cases we analyzed, ProjectSauron deployed malicious modules inside the custom network encryption’s software directory, disguised under similar filenames and accessing the data placed beside its own executable.
Some of the extracted LUA scripts show that the attackers have a high interest in the software components, keys, configuration files, and the location of servers that relay encrypted messages between the nodes. Also, one of the embedded ProjectSauron configurations contains a special unique identifier for the targeted network encryption software’s server within its virtual network.

The behavior of the component that searches for the server IP address is unusual.

After getting the IP, the ProjectSauron component tries to communicate with the remote server using its own (ProjectSauron) protocol as if it was yet another C&C server.

This suggests that some communication servers running the mentioned network encryption software could also be infected with ProjectSauron.

19. What exactly is being stolen from the targeted machines?

The ProjectSauron modules we found are able to steal documents, record keystrokes and steal encryption keys from infected computers and attached USB sticks. The fragment of configuration block below, extracted from ProjectSauron, shows the kind of information and file extensions the attackers were looking for:

.*account.*|.*acct.*|.*domain.*|.*login.*|.*member.*|.*user.*|.*name|.*email|.*_id|id|uid|mn|mailaddress|.*nick.*|alias|codice|uin|sign-in|strCodUtente|.*pass.*|.*pw|pw.*|additional_info|.*secret.*|.*segreto.*[^\$]$
^.*\.(doc|xls|pdf)$
*.txt;*.doc;*.docx;*.ppt;*.pptx;*.xls;*.xlsx;*.vsd;*.wab;*.pdf;*.dst;*.ppk;*.rsa;*.rar;*.one;*.rtf;~WPL*.tmp;*.FTS;*.rpt;*.conf;*.cfg;*.pk2;*.nct;*.key;*.psw

Interestingly, while most of the words and extensions above are in the English language, several of them point to Italian, such as: ‘codice’, ‘strCodUtente’ and ‘segreto’.

Keywords / filenames targeted by ProjectSauron data theft modules:

Italian keyword   Translation
Codice            code
CodUtente         Usercode
Segreto           Secret

This suggests the attackers had prepared to attack Italian-speaking targets as well. However, we are not aware of any Italian victims of ProjectSauron at the moment.

20. Have you observed any artifacts indicating who is behind the ProjectSauron APT?

Attribution is hard and reliable attribution is rarely possible in cyberspace.

Even with confidence in various indicators and apparent attacker mistakes, there is a greater likelihood that these are smoke and mirrors created by an attacker with a greater vantage point and vast resources. When dealing with the most advanced threat actors, as is the case with ProjectSauron, attribution becomes an unsolvable problem.

21. Is this a nation-state sponsored attack?

We think an operation of such complexity, aimed at stealing confidential and secret information, can only be executed with support from a nation-state.

22. What would ProjectSauron have cost to set up and run?

Kaspersky Lab has no exact data on this, but estimates that the development and operation of ProjectSauron is likely to have required several specialist teams and a budget probably running into millions of dollars.

23. How does the ProjectSauron platform compare to other top-level threat actors?

The actor behind ProjectSauron is very advanced, comparable only to the top-of-the-top in terms of sophistication: alongside Duqu, Flame, Equation, and Regin. Whether related or unrelated to these advanced actors, the ProjectSauron attackers have definitely learned from them. As a reminder, here are some features of other APT attackers which we discovered that the ProjectSauron attackers had carefully learned from or emulated:

Duqu:
- Use of intranet C&Cs (where compromised target servers may act as independent C&Cs)
- Running only in memory (persistence on a few gateway hosts only)
- Use of different encryption methods per victim
- Use of named pipes for LAN communication
- Malware distribution through legitimate software deployment channels

Flame:
- LUA-embedded code
- Secure file deletion (through data wiping)
- Attacking air-gapped systems via removable devices

Equation and Regin:
- Usage of RC5/RC6 encryption
- Virtual Filesystems (VFS)
- Attacking air-gapped systems via removable devices
- Hidden data storage on removable devices

These other actors also showed what made them vulnerable to potential exposure, and ProjectSauron did its best to address these issues:

- Vulnerable or persistent C&C locations
- ISP name, IP, domain, and tools reuse across different campaigns
- Crypto-algorithm reuse (as well as encryption keys)
- Forensic footprint on disk
- Timestamps in various components
- Large volumes of exfiltrated data, alarming unknown protocols or message formats

In addition, it appears that the attackers took special care with what we consider as indicators of compromise and implemented a unique pattern for each and every target they attacked, so that the same indicators would have little value for anyone else.

This is a summary of the ProjectSauron strategy as we see it.

The attackers clearly understand that we as researchers are always looking for patterns. Remove the patterns and the operation will be harder to discover. We are aware of more than 30 organizations attacked, but we are sure that this is just a tiny tip of the iceberg.

24. Do Kaspersky Lab products detect all variants of this malware?

All Kaspersky Lab products detect ProjectSauron samples as HEUR:Trojan.Multi.Remsec.gen

25. Are there Indicators of Compromise (IOCs) to help victims identify the intrusion?

ProjectSauron’s tactics are designed to avoid creating patterns.
Implants and infrastructure are customized for each individual target and never re-used – so the standard security approach of publishing and checking for the same basic indicators of compromise (IOC) is of little use. However, structural code similarities are inevitable, especially for non-compressed and non-encrypted code.

This opens up the possibility of recognizing known code in some cases. That’s why, alongside the formal IOCs, we have added relevant YARA rules. While the IOCs have been listed mainly to give examples of what they look like, the YARA rules are likely to be of greater use and could detect real traces of ProjectSauron. For background: YARA is a tool for uncovering malicious files or patterns of suspicious activity on systems or networks that share similarities. YARA rules—basically search strings—help analysts to find, group, and categorize related malware samples and draw connections between them in order to build malware families and uncover groups of attacks that might otherwise go unnoticed. We have prepared our YARA rules based on tiny similarities and oddities that stood out in the attackers’ techniques.

These rules can be used to scan networks and systems for the same patterns of code.
If some of these oddities appear during such a scan, there is a chance that the organization has been hit by the same actor.
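The configuration fragment quoted in Q19 is really three separate filters: a regex over credential-related field names, a regex over file names, and a semicolon-separated list of file-name globs. The Python below is an added example, not Kaspersky's code or anything recovered from the ProjectSauron samples: it loads those three fields verbatim, applies them to a constructed inventory of field and file names, and reports which ones the data-theft modules would have selected, which is the kind of check a responder runs to scope what an infected host could have exposed. It assumes case-insensitive matching and whole-name matching for the keyword regex; the page does not state either.

```python
import re
from fnmatch import fnmatchcase

# The three fields quoted verbatim from the ProjectSauron configuration
# fragment in Q19: a regex over credential-related field names, a regex over
# file names, and a ';'-separated list of file-name globs.
KEYWORD_REGEX = (
    r".*account.*|.*acct.*|.*domain.*|.*login.*|.*member.*|.*user.*|.*name|"
    r".*email|.*_id|id|uid|mn|mailaddress|.*nick.*|alias|codice|uin|sign-in|"
    r"strCodUtente|.*pass.*|.*pw|pw.*|additional_info|.*secret.*|.*segreto.*[^\$]$"
)
EXTENSION_REGEX = r"^.*\.(doc|xls|pdf)$"
GLOB_LIST = (
    "*.txt;*.doc;*.docx;*.ppt;*.pptx;*.xls;*.xlsx;*.vsd;*.wab;*.pdf;*.dst;"
    "*.ppk;*.rsa;*.rar;*.one;*.rtf;~WPL*.tmp;*.FTS;*.rpt;*.conf;*.cfg;"
    "*.pk2;*.nct;*.key;*.psw"
)

# Assumptions not stated on the page: matching is case-insensitive, and the
# keyword regex must cover the whole name (otherwise the bare 'id' alternative
# would select every name that merely contains "id").
_KEYWORD_RE = re.compile(KEYWORD_REGEX, re.IGNORECASE)
_EXTENSION_RE = re.compile(EXTENSION_REGEX, re.IGNORECASE)
_GLOBS = [g for g in GLOB_LIST.split(";") if g]


def keyword_matches(name: str) -> bool:
    """True if a field/keyword name is selected by the credential regex.

    The trailing '[^\\$]$' binds only to the last alternative ('.*segreto.*'),
    so a name ending in '$' fails only that one branch, not the whole regex.
    """
    return _KEYWORD_RE.fullmatch(name) is not None


def extension_matches(filename: str) -> bool:
    """True if the file name is selected by the '^.*\\.(doc|xls|pdf)$' regex."""
    return _EXTENSION_RE.search(filename) is not None


def glob_matches(filename: str):
    """Return the first glob from the list that selects the file, else None."""
    lowered = filename.lower()
    for pattern in _GLOBS:
        if fnmatchcase(lowered, pattern.lower()):
            return pattern
    return None


def classify(name: str) -> dict:
    """Which of the three filters a single field or file name trips."""
    return {
        "keyword": keyword_matches(name),
        "extension": extension_matches(name),
        "glob": glob_matches(name),
    }


def triage(names):
    """Given field and file names from a suspected host, return only those the
    configuration would have selected, with the reason for each."""
    hits = {}
    for name in names:
        result = classify(name)
        if result["keyword"] or result["extension"] or result["glob"]:
            hits[name] = result
    return hits


# Constructed sample inventory for this example; not data from the report.
SAMPLE_NAMES = [
    "strCodUtente", "session_id", "hostname", "video", "segreto$", "segreto1",
    "budget_2016.xlsx", "notes.pdf", "report.docx", "id_rsa.key",
    "~WPL1234.tmp", "holiday.png", "readme.PDF",
]

if __name__ == "__main__":
    for name, why in triage(SAMPLE_NAMES).items():
        reasons = [k for k, v in why.items() if v]
        print(f"{name:20s} selected by {', '.join(reasons)}")
```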