Sunday, October 23, 2016

[The Guardian] Cyber attack: hackers 'weaponised' everyday devices with malware to mount assault (21.10.2016) (English)

Formatting is mine.
See also:
Russian-Chinese hackers claimed responsibility for the attack on servers in the US (21.10.2016)

Hundreds of thousands of devices such as webcams and DVRs were infected with malicious code to create a so-called ‘botnet’ to target leading sites

The huge attack on global internet access, which blocked some of the world’s most popular websites, is believed to have been unleashed by hackers using common devices like webcams and digital recorders.

Among the sites targeted on Friday were Twitter, Paypal and Spotify. All were customers of Dyn, an infrastructure company in New Hampshire in the US that acts as a switchboard for internet traffic.

Outages were intermittent and varied by geography, but reportedly began in the eastern US before spreading to other parts of the country and Europe.

Users complained they could not reach dozens of internet destinations, including Mashable, CNN, the New York Times, the Wall Street Journal, Yelp and some businesses hosted by Amazon.

Hackers used hundreds of thousands of internet-connected devices that had previously been infected with malicious code – a network known as a “botnet” or, jokingly, a “zombie army” – to mount an especially potent distributed denial of service (DDoS) attack.

Continued below.

The aim of a DDoS attack is to overwhelm an online service with traffic from multiple sources, rendering it unavailable. Dyn said attacks were coming from millions of internet addresses, making it one of the largest attacks ever seen.
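The distinguishing signal of the attack described above is not raw volume alone but volume spread across a very large number of source addresses. The following is an added example, not code from the Guardian article, Dyn, or any of the researchers quoted here: it buckets constructed DNS-style log lines into ten-second windows and labels a window as a distributed flood only when both the request count and the number of distinct sources cross a threshold, so that a single misbehaving client (which per-client rate limiting handles) is reported separately. The log format, the thresholds and the sample addresses (RFC 5737 test ranges) are assumptions.

```python
"""Flag 10-second windows whose request volume exceeds a threshold and tell a
distributed flood (many source addresses, the botnet pattern) apart from a
single noisy client.  Added example; not code from the Guardian article, Dyn,
or Level 3.  The log format, thresholds and sample addresses are assumptions."""
from collections import defaultdict
from datetime import datetime, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample log, one "<timestamp> <source IP> <queried name>" per line:
# a quiet period, then a burst from ten different addresses, then a burst of
# the same size from a single address.
SAMPLE_LOG = (
    [
        "2016-10-21T11:10:00Z 198.51.100.7 twitter.example",
        "2016-10-21T11:10:03Z 198.51.100.8 paypal.example",
        "2016-10-21T11:10:07Z 198.51.100.7 spotify.example",
    ]
    + ["2016-10-21T11:10:2%dZ 203.0.113.%d twitter.example" % (i, i + 1) for i in range(10)]
    + ["2016-10-21T11:10:4%dZ 192.0.2.50 paypal.example" % i for i in range(10)]
)


def parse_line(line):
    """Split one log line into (epoch seconds, source IP, queried name)."""
    ts, src, name = line.split()
    when = datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc)
    return int(when.timestamp()), src, name


def bucket_stats(lines, bucket_seconds=10):
    """Per-bucket request count and set of distinct source addresses."""
    buckets = defaultdict(lambda: {"requests": 0, "sources": set()})
    for line in lines:
        epoch, src, _ = parse_line(line)
        stats = buckets[epoch - epoch % bucket_seconds]
        stats["requests"] += 1
        stats["sources"].add(src)
    return buckets


def classify_bursts(lines, bucket_seconds=10, min_requests=10, min_sources=8):
    """Return (bucket start, requests, distinct sources, kind) for every bucket
    at or above min_requests.  A bucket with min_sources or more distinct
    addresses is labelled 'distributed'; otherwise 'single-source', the case
    that per-client rate limiting can absorb on its own."""
    alerts = []
    for start, stats in sorted(bucket_stats(lines, bucket_seconds).items()):
        if stats["requests"] < min_requests:
            continue
        n_sources = len(stats["sources"])
        kind = "distributed" if n_sources >= min_sources else "single-source"
        start_iso = datetime.fromtimestamp(start, timezone.utc).strftime(TS_FMT)
        alerts.append((start_iso, stats["requests"], n_sources, kind))
    return alerts


if __name__ == "__main__":
    for start, requests, sources, kind in classify_bursts(SAMPLE_LOG):
        print(f"{start}: {requests} requests from {sources} sources -> {kind}")
```

On real resolver or load-balancer logs the thresholds would be set from a baseline of normal traffic rather than the fixed numbers used here, and the distinct-source count is what separates a botnet-driven flood from one abusive client: the former cannot be stopped by blocking any single address, which is why the article's mitigation story is about absorbing capacity rather than blacklisting.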

Dyn said it had resolved one attack, which disrupted operations for about two hours, but disclosed a second a few hours later that was causing further disruptions. By the evening it was fighting a third.

At least some of the malicious traffic was coming from connected devices, including webcams and digital video recorders.

Security researchers working with Dyn to investigate the attack have linked it to a network of web-enabled CCTV cameras made by a single Chinese company, XiongMai Technologies.

Allison Nixon, director of research at the security firm Flashpoint, said its web-enabled CCTV cameras and digital video recorders were forcibly networked together using the sophisticated malware program Mirai to direct the crushing number of connection requests to Dyn’s customers.

“It’s remarkable that virtually an entire company’s product line has just been turned into a botnet that is now attacking the United States,” she told security researcher Brian Krebs.

The Guardian has contacted XiongMai for comment.

The same Mirai malware was used in September to launch what was then described as the biggest DDoS attack ever on Krebs’ website, Krebs on Security. His reporting on cybercrime has made him a target in the past.

Hackers released the source code for Mirai earlier this month, inspiring a significant number of copycats.

Experts had warned of increasingly sophisticated botnets – in essence, a weaponised combination of malware and as many as 100,000 hijacked individual devices – just days before Friday’s attack.

Researchers at Level 3 Communications, a global communications company focused on managed security, warned earlier this week that “the threat from these botnets is growing” as more and more devices were connected to the web.

The US Department of Homeland Security had issued a warning last week.

Mirai was the most sophisticated botnet malware Level 3 had seen yet, able to rotate the IP addresses (likely to avoid detection) about three times as often as had been observed with other botnets.

More worryingly still, it was “becoming still more sophisticated”.

Mirai targeted household and everyday devices – such as DVRs, cameras and even kettles – that were connected to the internet, a concept of connectivity commonly referred to as “the internet of things” (IoT). Many were devised without particular mind to security.

Level 3 researchers said the majority – as many as 80% – of botnets were networked DVRs, with the rest routers and other miscellaneous devices such as IP cameras and Linux servers.

“The devices are often operated with the default passwords, which are simple for bot herders to guess.”

Michael Mimoso, of cybersecurity research group Kaspersky Lab, estimated on Wednesday that the number of compromised devices had reached 493,000, with most in the US. “But Brazil and Colombia are also high on the list.”

Dyn categorized the attack as “resolved” shortly after 6pm New York time, but it is still not known who deployed the botnet, and why.

“The complexity of the attacks is what’s making it very challenging for us,” the company’s chief strategy officer, Kyle York, told Reuters. Homeland Security and the Federal Bureau of Investigation said they were investigating.

A tweet from WikiLeaks at 5pm Friday New York time implied that its supporters were behind the attack.

“Mr. Assange is still alive and WikiLeaks is still publishing. We ask supporters to stop taking down the US internet. You proved your point.”

WikiLeaks (@wikileaks), October 21, 2016

Security researcher Bruce Schneier caused waves when he wrote in September that someone, probably a country, was “learning how to take down the internet”.

He wrote that “a large nation state” (“China or Russia would be my first guesses”) had been testing increasing levels of DDoS attacks against unnamed core internet infrastructure providers in what seemed like a test of capability.

Nixon told Reuters there was no reason to think a national government was behind Friday’s assaults, but attacks carried out on a for-hire basis were famously difficult to attribute.

UPDATE 25-10-2016:
Someone Is Learning How to Take Down the Internet
Recently, some of the major companies that provide the basic infrastructure that makes the Internet work have seen an increase in DDoS attacks against them. Moreover, they have seen a certain profile of attacks. These attacks are significantly larger than the ones they're used to seeing. They last longer. They're more sophisticated. And they look like probing. One week, the attack would start at a particular level of attack and slowly ramp up before stopping. The next week, it would start at that higher point and continue. And so on, along those lines, as if the attacker were looking for the exact point of failure.

The attacks are also configured in such a way as to see what the company's total defenses are. There are many different ways to launch a DDoS attack. The more attack vectors you employ simultaneously, the more different defenses the defender has to counter with. These companies are seeing more attacks using three or four different vectors. This means that the companies have to use everything they've got to defend themselves. They can't hold anything back. They're forced to demonstrate their defense capabilities for the attacker.

I am unable to give details, because these companies spoke with me under condition of anonymity. But this all is consistent with what Verisign is reporting. Verisign is the registrar for many popular top-level Internet domains, like .com and .net. If it goes down, there's a global blackout of all websites and e-mail addresses in the most common top-level domains. Every quarter, Verisign publishes a DDoS trends report. While its publication doesn't have the level of detail I heard from the companies I spoke with, the trends are the same: "in Q2 2016, attacks continued to become more frequent, persistent, and complex."

There's more. One company told me about a variety of probing attacks in addition to the DDoS attacks: testing the ability to manipulate Internet addresses and routes, seeing how long it takes the defenders to respond, and so on. Someone is extensively testing the core defensive capabilities of the companies that provide critical Internet services.

Who would do this? It doesn't seem like something an activist, criminal, or researcher would do. Profiling core infrastructure is common practice in espionage and intelligence gathering. It's not normal for companies to do that. Furthermore, the size and scale of these probes -- and especially their persistence -- points to state actors. It feels like a nation's military cybercommand trying to calibrate its weaponry in the case of cyberwar. It reminds me of the US's Cold War program of flying high-altitude planes over the Soviet Union to force their air-defense systems to turn on, to map their capabilities.

What can we do about this? Nothing, really. We don't know where the attacks come from. The data I see suggests China, an assessment shared by the people I spoke with. On the other hand, it's possible to disguise the country of origin for these sorts of attacks. The NSA, which has more surveillance in the Internet backbone than everyone else combined, probably has a better idea, but unless the US decides to make an international incident over this, we won't see any attribution.

But this is happening. And people should know.
