Posts Tagged: Dyn


24
Oct 17

Dell Lost Control of Key Customer Support Domain for a Month in 2017

A Web site set up by PC maker Dell Inc. to help customers recover from malicious software and other computer maladies may have been hijacked for a few weeks this summer by people who specialize in deploying said malware, KrebsOnSecurity has learned.

There is a program installed on virtually all Dell computers called “Dell Backup and Recovery Application.” It’s designed to help customers restore their data and computers to their pristine, factory default state should a problem occur with the device. That backup and recovery program periodically checks a rather catchy domain name — DellBackupandRecoveryCloudStorage.com — which until recently was central to PC maker Dell’s customer data backup, recovery and cloud storage solutions.

Sometime this summer, DellBackupandRecoveryCloudStorage.com was suddenly snatched away from a longtime Dell contractor for a month and exposed to some questionable content. More worryingly, there are signs the domain may have been pushing malware before Dell’s contractor regained control over it.

Image: Wikipedia

The purpose of DellBackupandRecoveryCloudStorage.com is inscribed in the hearts of countless PCs that Dell shipped customers over the past few years. The domain periodically gets checked by the “Dell Backup and Recovery application,” which “enables the user to backup and restore their data with just a few clicks.”

This program comes in two versions: Basic and Premium, explains “Jesse L,” a Dell customer liaison and a blogger on the company’s site.

“The Basic version comes pre-installed on all systems and allows the user to create the system recovery media and take a backup of the factory installed applications and drivers,”Jesse L writes. “It also helps the user to restore the computer to the factory image in case of an OS issue.”

Dell customer liaison Jesse L. talks about how the program in question is by default installed on all Dell PCs.

In other words: If DellBackupandRecoveryCloudStorage.com were to fall into the wrong hands it could be used to foist malicious software on Dell users seeking solace and refuge from just such nonsense!

It’s not yet clear how or why DellBackupandRecoveryCloudStorage.com got away from SoftThinks.com —  an Austin, Tex.-based software backup and imaging solutions provider that originally registered the domain back in mid-2013 and has controlled it for most of the time since. But someone at SoftThinks apparently forgot to renew the domain in mid-June 2017.

SoftThinks lists Dell among some of its “great partners” (see screenshot below). It hasn’t responded to requests for comment. Some of its other partners include Best Buy and Radio Shack.

Some of SoftThinks’ partners. Source: SoftThinks.com

From early June to early July 2017, DellBackupandRecoveryCloudStorage.com was the property of Dmitrii Vassilev of  TeamInternet.com,” a company listed in Germany that specializes in selling what appears to be typosquatting traffic. Team Internet also appears to be tied to a domain monetization business called ParkingCrew.

If you’re not sure what typosquatting is, think of what sometimes happens when you’re typing out a URL in the browser’s address field and you fat-finger a single character and suddenly get redirected to the kind of content that makes you look around quickly to see if anyone saw you looking at it. For more on Team Internet, see this enlightening Aug. 2017 post from Chris Baker at internet infrastructure firm Dyn.  Continue reading →


23
Oct 17

Reaper: Calm Before the IoT Security Storm?

It’s been just over a year since the world witnessed some of the world’s top online Web sites being taken down for much of the day by “Mirai,” a zombie malware strain that enslaved “Internet of Things” (IoT) devices such as wireless routers, security cameras and digital video recorders for use in large-scale online attacks.

Now, experts are sounding the alarm about the emergence of what appears to be a far more powerful strain of IoT attack malware — variously named “Reaper” and “IoTroop” — that spreads via security holes in IoT software and hardware. And there are indications that over a million organizations may be affected already.

Reaper isn’t attacking anyone yet. For the moment it is apparently content to gather gloom to itself from the darkest reaches of the Internet. But if history is any teacher, we are likely enjoying a period of false calm before another humbling IoT attack wave breaks.

On Oct. 19, 2017, researchers from Israeli security firm CheckPoint announced they’ve been tracking the development of a massive new IoT botnet “forming to create a cyber-storm that could take down the Internet.” CheckPoint said the malware, which it called “IoTroop,” had already infected an estimated one million organizations.

The discovery came almost a year to the day after the Internet witnessed one of the most impactful cyberattacks ever — against online infrastructure firm Dyn at the hands of “Mirai,” an IoT malware strain that first surfaced in the summer of 2016. According to CheckPoint, however, this new IoT malware strain is “evolving and recruiting IoT devices at a far greater pace and with more potential damage than the Mirai botnet of 2016.”

Unlike Mirai — which wriggles into vulnerable IoT devices using factory-default or hard-coded usernames and passwords — this newest IoT threat leverages at least nine known security vulnerabilities across nearly a dozen different device makers, including AVTECH, D-Link, GoAhead, Netgear, and Linksys, among others (click each vendor’s link to view security advisories for the flaws).

This graphic from CheckPoint charts a steep, recent rise in the number of Internet addresses trying to spread the new IoT malware variant, which CheckPoint calls “IoTroop.”

Both Mirai and IoTroop are computer worms; they are built to spread automatically from one infected device to another. Researchers can’t say for certain what IoTroop will be used for but it is based at least in part on Mirai, which was made to launch distributed denial of service (DDoS) attacks.

While DDoS attacks target a single Web site or Internet host, they often result in widespread collateral Internet disruption. IoT malware spreads by scanning the Internet for other vulnerable devices, and sometimes this scanning activity is so aggressive that it constitutes an unintended DDoS on the very home routers, Web cameras and DVRs that the bot code is trying to subvert and recruit into the botnet.

However, according to research released Oct. 20 by Chinese security firm Netlab 360, the scanning performed by the new IoT malware strain (Netlab calls it the more memorable “Reaper”) is not very aggressive, and is intended to spread much more deliberately than Mirai. Netlab’s researchers say Reaper partially borrows some Mirai source code, but is significantly different from Mirai in several key behaviors, including an evolution that allows Reaper to more stealthily enlist new recruits and more easily fly under the radar of security tools looking for suspicious activity on the local network. Continue reading →


5
Dec 16

DDoS, IoT Top Cybersecurity Priorities for 45th President

Addressing distributed denial-of-service (DDoS) attacks designed to knock Web services offline and security concerns introduced by the so-called “Internet of Things” (IoT) should be top cybersecurity priorities for the 45th President of the United States, according to a newly released blue-ribbon report commissioned by President Obama.

commish“The private sector and the Administration should collaborate on a roadmap for improving the security of digital networks, in particular by achieving robustness against denial-of-service, spoofing, and other attacks on users and the nation’s network infrastructure,” reads the first and foremost cybersecurity recommendation for President-elect Donald Trump. “The urgency of the situation demands that the next Administration move forward promptly on our recommendations, working closely with Congress and the private sector.”

The 12-person, non-partisan commission produced a 90-page report (PDF) and recommended as their very first action item that the incoming President “should direct senior federal executives to launch a private–public initiative, including provisions to undertake, monitor, track, and report on measurable progress in enabling agile, coordinated responses and mitigation of attacks on the users and the nation’s network infrastructure.”

The panel said this effort should build on previous initiatives, such as a 2011 program by the U.S. Department of Commerce called the Industry Botnet Group.

“Specifically, this effort would identify the actions that can be taken by organizations responsible for the Internet and communications ecosystem to define, identify, report, reduce, and respond to attacks on users and the nation’s network infrastructure,” the report urged. “This initiative should include regular reporting on the actions that these organizations are already taking and any changes in technology, law, regulation, policy, financial reimbursement, or other incentives that may be necessary to support further action—while ensuring that no participating entity obstructs lawful content, applications, services, or nonharmful devices, subject to reasonable network management.”

The report spans some six major imperatives, including 16 recommendations and 63 associated action items. The second major imperative focuses on IoT security concerns, and urges the federal government and private industry to embark upon a number of initiatives to “rapidly and purposefully to improve the security of the Internet of Things.”

“The Department of Justice should lead an interagency study with the Departments of Commerce and Homeland Security and work with the Federal Trade Commission, the Consumer Product Safety Commission, and interested private sector parties to assess the current state of the law with regard to liability for harm caused by faulty IoT devices and provide recommendations within 180 days,” the panel recommended. “To the extent that the law does not provide appropriate incentives for companies to design security into their products, and does not offer protections for those that do, the President should draw on these recommendations to present Congress with a legislative proposal to address identified gaps, as well as explore actions that could be accomplished through executive order.”

Meanwhile, Morning Consult reports that U.S. Federal Communications Commission Chairman Tom Wheeler has laid out an unexpected roadmap through which the agency could regulate the security of IoT devices. The proposed certification process was laid out in a response to a letter sent by Sen. Mark Warner (D-Va.) shortly after the IoT-based attacks in October that targeted Internet infrastructure company Dyn and knocked offline a number of the Web’s top destinations for the better part of a day.

Morning Consult’s Brendan Bordelon notes that while Wheeler is set to step down as chairman on Jan. 20, “the new framework could be used to support legislation enhancing the FCC’s ability to regulate IoT devices.” Continue reading →


16
Nov 16

Chinese IoT Firm Siphoned Text Messages, Call Records

A Chinese technology firm has been siphoning text messages and call records from cheap Android-based mobile smart phones and secretly sending the data to servers in China, researchers revealed this week. The revelations came the same day the White House and the U.S. Department of Homeland Security issued sweeping guidelines aimed at building security into Internet-connected devices, and just hours before a key congressional panel sought recommendations from industry in regulating basic security standards for so-called “Internet of Things” (IoT) devices.

At the center of the spyware controversy is software made by Shanghai ADUPS Technology, a Chinese firm whose product touts the ability to wirelessly update software installed on mobile and and IoT devices. The ADUPS technology is typically bundled with smart phones made by dozens of global wireless firms including ZTE, BLU and Huawei, and sold at popular consumer destinations like Amazon and BestBuy. Often retailing for between $50 and $100, the sleek and powerful devices sell so cheaply because they also require the user to accept on-screen advertisements.

An About Us page at ADUPS's Web site explains the company's foothold in the IoT market.

An About Us page at ADUPS’s Web site explains the company’s foothold in the IoT market.

According to research released this week, the low up-front cost of these smart phones may be subsidized not just by ads but by also by the theft of private information stolen from users. Researchers at Fairfax, Va.-based security firm Kryptowire say the ADUPS software gives the company near-total control over the devices that it runs on, and that they have proof ADUPS has abused that control to siphon personal data from countless consumers.

Kryptowire researchers say they stumbled upon ADUPS’s spyware capabilities by accident after purchasing a $59 BLU R1 HD smart phone from Amazon.com for use during international travel. Prying apart the phone and the ADUPS software, they discovered that all call records and text messages to and from the device were being digitally copied, encrypted and secretly forwarded to a server in Shanghai, China every 72 hours.

They also learned that ADUPS’s product was able to mine user text messages for specific strings of text, as well as install and remove any software from host devices.

“This behavior cannot be detected by mobile anti-virus tools because they assume that software that ships with the device is not malware and that it is white-listed,” Kryptowire wrote in an advisory published Tuesday. “We were able to capture, decrypt, and trace the data on the network as they were sent to multiple server locations that are located in Shanghai, China.”

In a statement posted to its Web site, ADUPS said it collects “model information, device status, application information, bin/xbin information and summary information from phones and messages,” and that it has done so “in response to user demand to screen out junk texts and calls from advertisers.”

ADUPS further claims that the functionality was added in June 2016 to some Blu Product Inc. devices, and that it has since shipped an update through its firmware updating software to disable the spying functionality on Blu phones.

But Azzedine Benameur, director of research at Kryptowire, said ADUPS’s software — deeply embedded alongside the operating system on these mobile devices — gives it full ability to re-enable the spyware capabilities at any time. He says ADUPS’s public response to their research raises more questions than it answers.

“They do not provide how many devices were affected and how the data were used,” Benameur said. “Also, they don’t mention who had access to that data, including third parties and the Chinese government. Also, there might be other [manufacturers] and device models affected that ADUPS does not mention.”

ADUPS claims on its Web site to have worldwide presence with more than 700 million active users, and that its firmware is integrated into “more than 400 leading mobile operators, semiconductor vendors and device manufacturers spanning from wearable and mobile devices to cars and televisions.”

“This is just one random device of theirs that we looked at,” Benameur said. “For a company that claims to provide over-the-air updates for 700 million devices, including cars and millions of IoT devices…this is really scary and unacceptable behavior.”

ADUPS's offer to business partners, January 2015.

ADUPS’s offer to business partners, circa January 2015.

ADUPS’s current site promises the company’s partners “big data analytics” and higher profit for partners. Earlier versions of the same page from 2015 and cached at the Internet Archive promise partners a slightly less euphemistic menu of services, from an “app push service,” and “device data mining” to “unique package checking” and “mobile advertising.” Interestingly, this story from January 2015 documents how ADUPS’s software has been used to install unwanted apps on customer mobile devices.

As for the Blu R1 HD phone? Benameur said it would be nice if it came with a disclosure that owners can expect zero privacy or control while using it. Aside from that? “At $59, it’s a steal,” Benameur said. “Minus the spyware, it’s a great phone.” Continue reading →


4
Nov 16

Did the Mirai Botnet Really Take Liberia Offline?

KrebsOnSecurity received many a missive over the past 24 hours from readers who wanted to know why I’d not written about widespread media reports that Mirai — a malware strain made from hacked “Internet of Things” (IoT) devices such as poorly secured routers and IP cameras — was used to knock the entire country of Liberia offline. The trouble is, as far as I can tell no such nationwide outage actually occurred.

First, a quick recap on Mirai: This blog was taken offline in September following a record 620 Gpbs attack launched by a Mirai botnet. The source code for Mirai was leaked online at the end of September. Since then, the code has been forked several times, resulting in the emergence of several large Mirai-based botnets. In late October, many of the Internet’s top destinations went offline for the better part of a day when Mirai was used to attack Internet infrastructure firm Dyn.

Enter Kevin Beaumont, a security architect from Liverpool, England who on Thursday published a piece on Medium.com about an attack by Mirai against Liberia. Beaumont had been researching the output of an automated Twitter account set up by security researchers to monitor attacks from these various Mirai botnets. That Twitter account, @MiraiAttacks, burps out a tweet with each new Mirai attack, listing the targeted Internet address, the attack type, and the observed duration of the attack.

Beamont’s story noted that a botnet based on Mirai was seen attacking the telecommunications infrastructure in the West African nation of Liberia. Citing anonymous sources, Beaumont said transit providers confirmed an attack of more than 500 Gpbs targeting Liberia’s lone underseas large-transit Internet cable, which Beaumont said “provides a single point of failure for internet access.”

“From monitoring we can see websites hosted in country going offline during the attacks,” Beaumont wrote. “Additionally, a source in country at a Telco has confirmed to a journalist they are seeing intermittent internet connectivity, at times which directly match the attack. The attacks are extremely worrying because they suggest a Mirai operator who has enough capacity to seriously impact systems in a nation state.”

Not long after Beamont’s story went live, a piece at The Hacker News breathlessly announced that hackers using Mirai had succeeded in knocking Liberia off the Internet. The Hacker News piece includes nifty graphics and images of Liberia’s underseas Internet cables. Soon after, ZDNet picked up the outage angle, as did the BBC and The Guardian and a host of other news outlets.

A graphic The Hacker News used to explain Liberia's susceptibility to a DDoS attack.

A graphic The Hacker News used to explain Liberia’s susceptibility to a DDoS attack.

The only problem that I can see with these stories is that there does not appear to have been anything close to a country-wide outage as a result of this Mirai attack.

Daniel Brewer, general manager for the Cable Consortium of Liberia, confirmed that his organization has fielded inquiries from news outlets and other interest groups following multiple media reports of a nationwide outage. But he could not point to the reason.

“Both our ACE submarine cable monitoring systems and servers hosted (locally) in LIXP (Liberia Internet Exchange Point) show no downtime in the last 3 weeks,” Brewer said. “While it is likely that a local operator might have experienced a brief outage, we have no knowledge of a national Internet outage and there are no data to [substantiate] that.” Continue reading →


31
Oct 16

Hackforums Shutters Booter Service Bazaar

Perhaps the most bustling marketplace on the Internet where people can compare and purchase so-called “booter” and “stresser” subscriptions — attack-for-hire services designed to knock Web sites offline — announced last week that it has permanently banned the sale and advertising of these services.

On Friday, Oct. 28, Jesse LaBrocca — the administrator of the popular English-language hacking forum Hackforums[dot]net — said he was shutting down the “server stress testing” (SST) section of the forum. The move comes amid heightened public scrutiny of the SST industry, which has been linked to several unusually powerful recent attacks and is responsible for the vast majority of denial-of-service (DOS) attacks on the Internet today.

The administrator of Hackforums bans the sale and advertising of server stress testing (SST) services, also known as "booter" or "stresser" online attack-for-hire services.

The administrator of Hackforums bans the sale and advertising of server stress testing (SST) services, also known as “booter” or “stresser” online attack-for-hire services.

“Unfortunately once again the few ruin it for the many,” LaBrocca wrote under his Hackforums alias “Omniscient.” “I’m personally disappointed that this is the path I have to take in order to protect the community. I loathe having to censor material that could be beneficial to members. But I need to make sure that we continue to exist and given the recent events I think it’s more important that the section be permanently shut down.”

Last month, a record-sized DDoS hit KrebsOnSecurity.com. The attack was launched with the help of Mirai, a malware strain that enslaves poorly secured Internet-of-Things (IoT) devices like CCTV cameras and digital video recorders and uses them to launch crippling attacks.

At the end of September, a Hackforums user named “Anna_Senpai” used the forum to announce the release the source code for Mirai. A week ago, someone used Mirai to launch a massive attack on Internet infrastructure firm Dyn, which for the better part of a day lead to sporadic outages for some of the Web’s top destinations, including Twitter, PayPal, Reddit and Netflix.

The Hackforums post that includes links to the Mirai source code.

The Hackforums post that includes links to the Mirai source code.

As I noted in last week’s story Are the Days of Booter Services Numbered?, many booter service owners have been operating under the delusion or rationalization that their services are intended solely for Web site owners to test the ability of their sites to withstand data deluges.

Whatever illusions booter service operators or users may have harbored about their activities should have been dispelled following a talk delivered at the Black Hat security conference in Las Vegas this year. In that speech, FBI Agent Elliott Peterson issued an unambiguous warning that the agency was prepared to investigate and help prosecute people engaged in selling and buying from booter services.

But it wasn’t until this month’s attack on Dyn that LaBrocca warned the Hackforums community he may have to shut down the SST section.

“I can’t image this attention is going to be a good thing,” Omni said in an October 26, 2016 thread titled “Bad things.” “Already a Senator is calling for a hearing on the Internet of Things [link added]. In the end there could be new laws which effect [sic] us all. So for those responsible for the attacks and creating this mess….you dun goofed. I expect a lot of backlash to come out of this.”

If LaBrocca appears steamed from this turn of events, it’s probably with good reason: He stands to lose a fair amount of regular income by banning some of the most lucrative businesses on his forum. Vendors on Hackforums pay fees as high as $25 apiece to achieve a status that allows them to post new sales threads, and banner ads on the forum can run up to $200 per week.

"Stickies" advertising various "booter" or "stresser" DDoS-for-hire services.

“Stickies” advertising various “booter” or “stresser” DDoS-for-hire services.

Vendors who wish to “sticky” their ads — that is, pay to keep the ads displayed prominently near or at the top of a given discussion subforum — pay LaBrocca up to $60 per week for the prime sticky spots. And there were dozens of booter services advertised on Hackforums.

Allison Nixon, director of security research at Flashpoint and an expert on booter services, said the move could put many booter services out of business.

Nixon said the average booter service customer uses the attack services to settle grudges with opponents in online games, and that the closure of the SST subforum may make these services less attractive to those individuals.

“There is probably a lesser likelihood that the average gamer will see these services and think that it’s an okay idea to purchase them,” Nixon said. “The ease of access to these booters services makes people think it’s okay to use them. In gaming circles, for example, people will often use them to DDoS one another and not realize they might be shutting down an innocent person’s network. Recognizing that this is criminal activity on the same level of criminal hacking and fraud may discourage people from using these services, meaning the casual actor may be less likely to buy a booter subscription and launch DDoS attacks.”

While a welcome development, the closure of the SST subforum almost seems somewhat arbitrary given the sheer amount of other illegal hacking activity that is blatantly advertised on Hackforums, Nixon said.

“It’s interesting the norms that are on this forum because they’re so different from how you or I would recognize acceptable behavior,” she said. “For example, most people would think it’s not acceptable to see booter services advertised alongside remote access Trojans, malware crypting services and botnets.”

Other questionable services and subsections advertised on Hackforums include those intended for the sale of hacked social media and e-commerce accounts. More shocking are the dozens of threads wherein Hackforums members advertise the sale of “girl slaves,” essentially access to hacked computers belonging to teenage girls who can be extorted and exploited for payment or naked pictures. It’s worth noting that the youth who was arrested for snapping nude pictures of Miss Teen USA Cassidy Wolf through her webcam was a regular user of Hackforums.

Hackforums users advertising the sale and procurement of "girl slaves."

Hackforums users advertising the sale and procurement of “girl slaves.”

Continue reading →


27
Oct 16

Are the Days of “Booter” Services Numbered?

It may soon become easier for Internet service providers to anticipate and block certain types of online assaults launched by Web-based attack-for-hire services known as “booter” or “stresser” services, new research released today suggests.

The findings come from researchers in Germany who’ve been studying patterns that emerge when miscreants attempt to mass-scan the entire Internet looking for systems useful for launching these digital sieges — known as “distributed denial-of-service” or DDoS attacks.

ddosbomb

To understand the significance of their research, it may help to briefly examine how DDoS attacks have evolved. Not long ago, if one wanted to take down large Web site, one had to build and maintain a large robot network, or “botnet,” of hacked computers — which is a fairly time intensive, risky and technical endeavor.

These days, however, even the least sophisticated Internet user can launch relatively large DDoS attacks just by paying a few bucks for a subscription to one of dozens of booter or stresser services, some of which even accept credit cards and PayPal payments.

These Web-based DDoS-for-hire services don’t run on botnets: They generally employ a handful of powerful servers that are rented from some dodgy “bulletproof” hosting provider. The booter service accepts payment and attack instructions via a front end Web site that is hidden behind Cloudflare (a free DDoS protection service).

But the back end of the booter service is where the really interesting stuff happens. Virtually all of the most powerful and effective attack types used by booter services rely on a technique called traffic amplification and reflection, in which the attacker can reflect or “spoof” his traffic from one or more third-party machines toward the intended target.

In this type of assault, the attacker sends a message to a third party, while spoofing the Internet address of the victim. When the third party replies to the message, the reply is sent to the victim — and the reply is much larger than the original message, thereby amplifying the size of the attack.

To find vulnerable systems that can be leveraged this way, booters employ large-scale Internet scanning services that constantly seek to refresh the list of systems that can be used for amplification and reflection attacks. They do this because, as research has shown (PDF), anywhere from 40-50 percent of the amplifiers vanish or are reassigned new Internet addresses after one week.

Enter researchers from Saarland University in Germany, as well as the Yokohama National University and National Institute of Information and Communications Technology — both in Japan. In a years-long project first detailed in 2015, the researchers looked for scanning that appeared to be kicked off by ne’er-do-wells running booter services.

To accomplish this, the research team built a kind of distributed “honeypot” system — which they dubbed “AmpPot” — designed to mimic services known to be vulnerable to amplification attacks, such as DNS and NTP floods.

“To make them attractive to attackers, our honeypots send back legitimate responses,” the researchers wrote in a 2015 paper (PDF). “Attackers, in turn, will abuse these honeypots as amplifiers, which allows us to observe ongoing attacks, their victims, and the DDoS techniques. To prevent damage caused by our honeypots, we limit the response rate. This way, while attackers can still find these ratelimited honeypots, the honeypots stop replying in the face of attacks.”

In that 2015 paper, the researchers said they deployed 21 globally-distributed AmpPot instances, which observed more than 1.5 million attacks between February and May 2015. Analyzing the attacks more closely, they found that more than 96% of the attacks stem from single sources, such as booter services.

“When focusing on amplification DDoS attacks, we find that almost all of them (>96%) are caused by single sources (e.g. booters), and not botnets,” the team concluded. “However, we sadly do not have the numbers to compare this [to] DoS attacks in general.”

Many large-scale Internet scans like the ones the researchers sought to measure are launched by security firms and other researchers, so the team needed a way to differentiate between scans launched by booter services and those conducted for research or other benign purposes.

“To distinguish between scans performed by researchers and scans performed with malicious intent we relied on a simple assumption: That no attack would be based on the results of a scan performed by (ethical) researchers,” said Johannes Krupp, one of the main authors of the report. “In fact, thanks to our methodology, we do not have to make this distinction upfront, but we can rather look at the results and say: ‘We found attacks linked to this scanner, therefore this scanner must have been malicious.’ If a scan was truly performed by benign parties, we will not find attacks linked to it.”

SECRET IDENTIFIERS

What’s new in the paper being released today by students at Saarland University’s Center for IT-Security, Privacy and Accountability (CISPA) is the method by which the researchers were able to link these mass-scans to the very amplification attacks that follow soon after.

The researchers worked out a way to encode a secret identifier into the set of AmpPot honeypots that any subsequent attack will use, which varies per scan source. They then tested to see if the scan infrastructure was also used to actually launch (and not just to prepare) the attacks. Continue reading →


25
Oct 16

Senator Prods Federal Agencies on IoT Mess

The co-founder of the newly launched Senate Cybersecurity Caucus is pushing federal agencies for possible solutions and responses to the security threat from insecure “Internet of Things” (IoT) devices, such as the network of hacked security cameras and digital video recorders that were reportedly used to help bring about last Friday’s major Internet outages.

In letters to the Federal Communications Commission (FCC), the Federal Trade Commission (FTC) and the Department of Homeland Security (DHS), Virginia Senator Mark Warner (D) called the proliferation of insecure IoT devices a threat to resiliency of the Internet.

“Manufacturers today are flooding the market with cheap, insecure devices, with few market incentives to design the products with security in mind, or to provide ongoing support,” Warner wrote to the agencies. “And buyers seem unable to make informed decisions between products based on their competing security features, in part because there are no clear metrics.”

The letter continues:

“Because the producers of these insecure IoT devices currently are insulated from any standards requirements, market feedback, or liability concerns, I am deeply concerned that we are witnessing a ‘tragedy of the commons’ threat to the continued functioning of the internet, as the security so vital to all internet users remains the responsibility of none. Further, buyers have little recourse when, despite their best efforts, security failures occur” [link added].

As Warner’s letter notes, last week’s attack on online infrastructure provider Dyn was launched at least in part by Mirai, a now open-source malware strain that scans the Internet for routers, cameras, digital video recorders and other Internet of Things “IoT” devices protected only by the factory-default passwords. Continue reading →


24
Oct 16

IoT Device Maker Vows Product Recall, Legal Action Against Western Accusers

A Chinese electronics firm pegged by experts as responsible for making many of the components leveraged in last week’s massive attack that disrupted Twitter and dozens of popular Web sites has vowed to recall some of its vulnerable products, even as it threatened legal action against this publication and others for allegedly tarnishing the company’s brand.

iotstuf

Last week’s attack on online infrastructure provider Dyn was launched at least in part by Mirai, a now open-source malware strain that scans the Internet for routers, cameras, digital video recorders and other Internet of Things “IoT” devices protected only by the factory-default passwords. Once infected with Mirai, the IoT systems can be used to flood a target with so much junk Web traffic that the target site can no longer accommodate legitimate users or visitors.

In an interim report on the attack, Dyn said: “We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet. We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack.”

As a result of that attack, one of the most-read stories on KrebsOnSecurity so far this year is “Who Makes the IoT Things Under Attack?“, in which I tried to match default passwords sought out by the Mirai malware with IoT hardware devices for sale on the commercial market today.

In a follow-up to that story, I interviewed researchers at Flashpoint who discovered that one of the default passwords sought by machines infected with Mirai — username: root and password: xc3511 — is embedded in a broad array of white-labeled DVR and IP camera electronics boards made by a Chinese company called XiongMai Technologies. These components are sold downstream to vendors who then use them in their own products.

The scary part about IoT products that include XiongMai’s various electronics components, Flashpoint found, was that while users could change the default credentials in the devices’ Web-based administration panel, the password is hardcoded into the device firmware and the tools needed to disable it aren’t present.

In a statement issued on social media Monday, XiongMai (referring to itself as “XM”) said it would be issuing a recall on millions of devices — mainly network cameras.

“Mirai is a huge disaster for the Internet of Things,” the company said in a separate statement emailed to journalists. “XM have to admit that our products also suffered from hacker’s break-in and illegal use.”

At the same time, the Chinese electronics firm said that in September 2015 it issued a firmware fix for vulnerable devices, and that XiongMai hardware shipped after that date should not by default be vulnerable.

“Since then, XM has set the device default Telnet off to avoid the hackers to connect,” the company said. “In other words, this problem is absent at the moment for our devices after Sep 2015, as Hacker cannot use the Telnet to access our devices.”

Regarding the default user name/password that ships with XM, “our devices are asking customers to change the default password when they first time to login,” the electronics maker wrote. “When customer power on the devices, the first step, is change the default password.”

I’m working with some researchers who are testing XM’s claims, and will post an update here if and when that research is available. In the meantime, XM is threatening legal action against media outlets that it says are issuing “false statements” against the company.

Google’s translation of their statement reads, in part: “Organizations or individuals false statements, defame our goodwill behavior … through legal channels to pursue full legal responsibility for all violations of people, to pursue our legal rights are reserved.” Continue reading →


21
Oct 16

Hacked Cameras, DVRs Powered Today’s Massive Internet Outage

A massive and sustained Internet attack that has caused outages and network congestion today for a large number of Web sites was launched with the help of hacked “Internet of Things” (IoT) devices, such as CCTV video cameras and digital video recorders, new data suggests.

Earlier today cyber criminals began training their attack cannons on Dyn, an Internet infrastructure company that provides critical technology services to some of the Internet’s top destinations. The attack began creating problems for Internet users reaching an array of sites, including Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix.

l3outage

A depiction of the outages caused by today’s attacks on Dyn, an Internet infrastructure company. Source: Downdetector.com.

At first, it was unclear who or what was behind the attack on Dyn. But over the past few hours, at least one computer security firm has come out saying the attack involved Mirai, the same malware strain that was used in the record 620 Gpbs attack on my site last month. At the end September 2016, the hacker responsible for creating the Mirai malware released the source code for it, effectively letting anyone build their own attack army using Mirai.

Mirai scours the Web for IoT devices protected by little more than factory-default usernames and passwords, and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users.

According to researchers at security firm Flashpoint, today’s attack was launched at least in part by a Mirai-based botnet. Allison Nixon, director of research at Flashpoint, said the botnet used in today’s ongoing attack is built on the backs of hacked IoT devices — mainly compromised digital video recorders (DVRs) and IP cameras made by a Chinese hi-tech company called XiongMai Technologies. The components that XiongMai makes are sold downstream to vendors who then use it in their own products.

“It’s remarkable that virtually an entire company’s product line has just been turned into a botnet that is now attacking the United States,” Nixon said, noting that Flashpoint hasn’t ruled out the possibility of multiple botnets being involved in the attack on Dyn.

“At least one Mirai [control server] issued an attack command to hit Dyn,” Nixon said. “Some people are theorizing that there were multiple botnets involved here. What we can say is that we’ve seen a Mirai botnet participating in the attack.”

As I noted earlier this month in Europe to Push New Security Rules Amid IoT Mess, many of these products from XiongMai and other makers of inexpensive, mass-produced IoT devices are essentially unfixable, and will remain a danger to others unless and until they are completely unplugged from the Internet. Continue reading →