Thursday, January 18, 2018
Home Tags Western Digital

Tag: Western Digital

Q4 events Of all the Q4 2015 events in the world of DDoS attacks and the tools used to launch them, we picked out those that, in our opinion, best illustrate the main trends behind the evolution of these threats. Emergence of new vectors for conducting reflection DDoS attacks; Increase in number of botnets composed of vulnerable IoT devices; Application-level attacks – the workhorse behind DDoS attack scenarios. Attacks using compromised web applications powered by WordPress Web resources powered by the WordPress content management system (CMS) are popular with cybercriminals who carry out DDoS attacks. This is because WordPress supports the pingback function that notifies the author of a post published on a WordPress site when someone else links to that post on another site running the same CMS. When the post containing the link to the other web resource is published on a site with the enabled pingback function, a special XML-RPC request is sent to the site where the link leads and that resource receives and processes it. During processing, the recipient site may call the source of the request to check for the presence of the content. This technology allows a web resource (victim) to be attacked: a bot sends a specially formed pingback request specifying the address of the victim resource as the sender to a WordPress site with the pingback function enabled. The WordPress site processes the request from the bot and sends the reply to the victim’s address. By sending pingback requests with the victim’s address to lots of WordPress resources with pingback enabled, the attackers create a substantial load on the victim resource. This is why web resources running WordPress with the pingback function enabled are of interest to cybercriminals. In Q4 2015, resources in 69 countries were targeted by DDoS attacks #KLReportTweet In the fourth quarter of 2015, cybercriminals did not limit their activities to sites supporting pingback; they carried out a mass compromise of resources running WordPress. This was probably caused by the emergence of “zero-day” vulnerabilities either in the CMS or one of its popular plugins. Whatever the cause, we registered several cases of JavaScript code being injected into the body of web resources. The code addressed the victim resource on behalf of the user’s browser. At the same time, the attackers used an encrypted HTTPS connection to impede traffic filtering. The power of one such DDoS attack registered by Kaspersky Lab experts amounted to 400 Mbit/sec and lasted 10 hours. The attackers used a compromised web application running WordPress as well as an encrypted connection to complicate traffic filtering. IoT-based botnets In October 2015, experts registered a huge number of HTTP requests (up to 20,000 requests per second) coming from CCTV cameras. The researchers identified about 900 cameras around the world that formed a botnet used for DDoS attacks. The experts warn that in the near future new botnets utilizing vulnerable IoT devices will appear. Three new vectors for carrying out reflection DDoS attacks Reflection DDoS attacks exploit weaknesses in a third party’s configuration to amplify an attack. In Q4, three new amplification channels were discovered. The attackers send traffic to the targeted sites via NetBIOS name servers, domain controller RPC portmapper services connected via a dynamic port, and to WD Sentinel licensing servers. Attacks on mail services In Q4 2015, mail services were especially popular with DDoS attackers. In particular, activity was detected by the Armada Collective cybercriminal group, which uses DDoS attacks to extort money from its victims. The group is suspected of being involved in an attack on the ProtonMail secure e-mail service in which the cybercriminals demanded $6000 to end the DDoS attack. In Q4 2015, the largest numbers of DDoS attacks targeted victims in China, the US and South Korea. #KLReportTweet As well as the ProtonMail encrypted email service, the FastMail and the Russian Post e-mail services were also targeted. Statistics for botnet-assisted DDoS attacks Methodology Kaspersky Lab has extensive experience in combating cyber threats, including DDoS attacks of various types and levels of complexity. The company’s experts monitor botnet activity with the help of the DDoS Intelligence system. The DDoS Intelligence system (part of Kaspersky DDoS Protection) is designed to intercept and analyze commands sent to bots from command and control (C&C) servers, and does not have to wait until user devices are infected or cybercriminal commands are executed in order to gather data. This report contains the DDoS Intelligence statistics for the fourth quarter of 2015. In the context of this report, a single (separate) DDoS attack is defined as an incident during which any break in botnet activity lasts less than 24 hours. If the same web resource was attacked by the same botnet after a break of more than 24 hours, this is regarded as a separate DDoS attack. Attacks on the same web resource from two different botnets are also regarded as separate attacks. The geographic distribution of DDoS victims and C&C servers is determined according to their IP addresses. In this report, the number of DDoS targets is calculated based on the number of unique IP addresses reported in the quarterly statistics. It is important to note that DDoS Intelligence statistics are limited to those botnets that were detected and analyzed by Kaspersky Lab. It should also be highlighted that botnets are just one of the tools used to carry out DDoS attacks; therefore, the data presented in this report does not cover every DDoS attack that has occurred within the specified time period. Q4 Summary In Q4, resources in 69 countries were targeted by DDoS attacks. 94.9% of the targeted resources were located in 10 countries. The largest numbers of DDoS attacks targeted victims in China, the US and South Korea. The longest DDoS attack in Q4 2015 lasted for 371 hours (or 15.5 days). SYN DDoS, TCP DDoS and HTTP DDoS remain the most common DDoS attack scenarios. The popularity of Linux-based bots continued to grow: the proportion of DDoS attacks from Linux-based botnets in the fourth quarter was 54.8%. Geography of attacks By the end of 2015, the geography of DDoS attacks narrowed to 69 countries. 94.9% of targeted resources were located in 10 countries. Q4 saw a considerable increase in the proportion of DDoS attacks targeting resources located in China (from 34.5% to 50.3%) and South Korea (from 17.7% to 23.2%). Distribution of unique DDoS attack targets by country, Q3 vs Q4 2015 The share of DDoS targets located in the US dropped by 8 percentage points, which saw it move down to third place and South Korea climb to second. Croatia with 0.3% (-2.5 percentage points) and France, whose share fell from 1.1% to 0.7%, left the Top 10. They were replaced by Hong Kong, with the same proportion as the previous quarter, and Taiwan, whose share increased by 0.5 percentage points. The statistics show that 94% of all attacks had targets within the Top 10 countries: Distribution of DDoS attack by country, Q3 vs Q4 2015 In the fourth quarter, the Top 3 ranking remained the same, although the US and South Korea swapped places: South Korea’s contribution grew by 4.3 percentage points, while the US share dropped by 11.5 percentage points. The biggest increase in the proportion of DDoS attacks in Q4 was observed in China – its share grew by 18.2 percentage points. Changes in DDoS attack numbers In Q4 2015, DDoS activity was distributed more or less evenly, with the exception of one peak that fell in late October and an increase in activity in early November. The peak number of attacks in one day was 1,442, recorded on 2 November. The quietest day was 1 October – 163 attacks. Number of DDoS attacks over time* in Q4 2015. * DDoS attacks may last for several days. In this timeline, the same attack may be counted several times, i.e. one time for each day of its duration. Monday and Tuesday were the most active days of the week in terms of DDoS attacks. In Q4, the number of attacks carried out on a Monday was 5.7 percentage points more than in the previous quarter. The figure for Tuesdays changed slightly (-0.3 percentage points). Distribution of DDoS attack numbers by day of the week, Q4 2015 Types and duration of DDoS attacks 97.5% of DDoS targets in Q4 2015 (vs. 99.3% in Q3) were attacked by bots belonging to one family. In just 2.4% of all cases cybercriminals launched attacks using bots from two different families (used by one or more botnet masters). In 0.1% of cases three or more bots were used, mainly from the Sotdas, Xor and BillGates families. The longest DDoS attack in Q4 2015 lasted for 371 hours (or 15.5 days). #KLReportTweet The ranking of the most popular attack methods remained unchanged, although SYN DDoS (57%) and TCP DDoS (21.8%) added 5.4 and 1.9 percentage points respectively. The distribution of DDoS attacks by type Once again, most attacks lasted no longer than 24 hours in Q4 2015. The distribution of DDoS attacks by duration (hours) The maximum duration of attacks increased again in the fourth quarter. The longest DDoS attack in the previous quarter lasted for 320 hours (13.3 days); in Q4, this record was beaten by an attack that lasted 371 hours (15.5 days). C&C servers and botnet types In Q4 2015, South Korea maintained its leadership in terms of the number of C&C servers located on its territory, with its share growing by 2.4 percentage points. The US share decreased slightly – from 12.4% to 11.5%, while China’s contribution grew by 1.4 percentage points. In Q4 2015, SYN DDoS, TCP DDoS and HTTP DDoS remain the most common DDoS attack scenarios. #KLReportTweet The Top 3 ranking remained the same. The countries in fourth and fifth switched places – Russia’s share increased from 4.6% to 5.5%, while the share of the UK declined from 4.8% to 2.6%. Distribution of botnet C&C servers by country in Q4 2015 The proportion of DDoS attacks from Linux-based botnets in Q4 2015 was 54.8% #KLReportTweet In Q4, the correlation between active bots created from Windows and Linux saw the proportion of attacks by Linux bots grow from 45.6% to 54.8%. Correlation between attacks launched from Windows and Linux botnets Conclusion Events in Q4 2015 demonstrated that the cybercriminals behind DDoS attacks utilize not only what are considered to be classic botnets that include workstations and PCs but also any other vulnerable resources that are available. These include vulnerable web applications, servers and IoT devices. In combination with new channels for carrying out reflection DDoS attacks this suggests that in the near future we can expect a further increase in DDoS capacity and the emergence of botnets consisting of new types of vulnerable devices.
The US National Security Agency has been hiding spyware within the firmware of hard-disk drives made by Seagate, Samsung, Toshiba, and Western Digital - and other major manufacturers - in a spy programme that has been running for almost 20 years, according to security software company Kaspersky. Kaspersky claims to have found the spyware lurking in the firmware of PC hard-disk drives in as many as 30 countries worldwide, with Iran the most affected country. PCs in Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria were also affected. The targets included government and military institutions, telecoms companies, banks, energy companies, nuclear researchers, media, and Islamic activists. Kaspersky claims that the attacks - which it has dubbed "the Equation group" - may date back to as long ago as 1996 - but were certainly being conducted from 2001. "The Equation group uses multiple malware platforms, some of which surpass the well-known 'Regin' threat in complexity and sophistication. The Equation group is probably one of the most sophisticated cyber attack groups in the world; and they are the most advanced threat actor we have seen," claims the report from Kaspersky. It continues: "In general, the Equation group uses a specific implementation of the RC5 encryption algorithm throughout their malware. Some of the most recent modules use RC6, RC4 and Advanced Encryption Standard (AES) too, in addition to other cryptographic functions and hashes. "One technique in particular caught our attention and reminded us of another complex malware, Gauss. The GrayFish loader uses SHA-256 one thousand times over the unique NTFS object ID of the victim's Windows folder to decrypt the next stage from the registry. This uniquely ties the infection to the specific machine, and means the payload cannot be decrypted without knowing the NTFS object ID," explains the report. The company claims to have identified several malware platforms within the Equation group. These include: • EquationDrug: A complex attack platform used by the group on its victims. It supports a module plug-in system, which can be dynamically uploaded and unloaded by the attackers; • DoubleFantasy: A validator-style Trojan, designed to confirm the target is the intended one. If the target is confirmed, they are upgraded to a more sophisticated platform, such as EquationDrug or GrayFish; • Equestre: Same as EquationDrug; • TripleFantasy: Full-featured backdoor, sometimes used in tandem with GrayFish. Looks like an upgrade of DoubleFantasy, and is possibly a more recent validator-style plug-in; • GrayFish: The most sophisticated attack platform from the Equation group. It resides completely in the registry, relying on a bootkit to gain execution at operating system start-up; • Fanny: A computer worm created in 2008 and used to gather information about targets in the Middle East and Asia. Some victims appear to have been upgraded first to DoubleFantasy, and then to the EquationDrug system. Fanny used exploits for two zero-day vulnerabilities which were later discovered with Stuxnet; • EquationLaser: An early implant from the Equation group, used around 2001-2004. Compatible with Windows 95/98, and created sometime between DoubleFantasy and EquationDrug. A victim doesn't immediately get infected with EquationDrug, claims Kaspersky. First, the attackers infect them with DoubleFantasy, which is a validator-style plug-in. If the victim is confirmed as interesting to the attackers, the EquationDrug installer is delivered. "GrayFish is the most modern and sophisticated malware implant from the Equation group. It is designed to provide an effective (almost "invisible") persistence mechanism, hidden storage and malicious command execution inside the Windows operating system," claims Kaspersky. It continues: "By all indications, GrayFish was developed between 2008 and 2013 and is compatible with all modern versions of Microsoft's operating systems, including Windows NT 4.0, Windows 2000, Windows XP, Windows Vista, Windows 7 and 8 - both 32-bit and 64-bit versions. "To store stolen information, as well as its own auxiliary information, GrayFish implements its own encrypted Virtual File System (VFS) inside the Windows registry. To bypass modern OS security mechanisms that block the execution of untrusted code in kernel mode, GrayFish exploits several legitimate drivers, including one from the CloneCD program. This driver (ElbyCDIO.sys) contains a vulnerability which GrayFish exploits to achieve kernel-level code execution. Despite the fact that the vulnerability was discovered in 2009, the digital signature has not yet been revoked," claims the report. The 44-page report by Kaspersky may lend weight to long-running claims that software vendors have colluded with US authorities by leaving particular vulnerabilities unpatched, or even providing backdoors into their systems that can subsequently be exploited by the NSA. A former NSA employee told Reuters that Kaspersky's analysis was correct, and that people still in the spy agency valued these espionage programs as highly as Stuxnet. "Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it," reported the news agency. The NSA refused to publicly comment on the report.