Michael Sun

FS-ISAC Announces New Initiative to Strengthen the Financial Services Critical Infrastructure

The Financial Services Information Sharing and Analysis Center (FS-ISAC) has launched what it calls the Financial Systemic Analysis & Resilience Center (FSARC). While FS-ISAC is primarily about sharing threat intelligence between banks and other financial institutions, FSARC will provide a more strategic analysis and identification of emerging threats to help mitigate systemic cyber threats. Those results will be shared through the existing FS-ISAC structure.

FSARC is the brainchild of CEOs from eight leading banks who came together to discuss ways to improve the resilience of the financial services infrastructure. The banks concerned are Bank of America, BNY Mellon, Citigroup, Goldman Sachs, JPMorgan Chase, Morgan Stanley, State Street and Wells Fargo.

Information about how FSARC will operate is limited and provides only a high-level overview. "The challenges associated with cyber-attacks and the financial fraud stemming from such incidents are bigger than any one institution, and this is something the financial sector must face together. We are stronger and more resilient when we work collectively to understand the evolving tactics of cyber adversaries and to deepen the layers of defense against such attacks," said Bill Nelson, President and CEO, FS-ISAC in a recent statement.

FS-ISAC shares threat intelligence with its members, and does so anonymously if required by the members concerned. It receives intelligence from US government agencies such as the Department of Treasury, the Department of Homeland Security and the Federal Bureau of Investigation; but will only share with them if approved by the member. FSARC is likely to increase this relationship with government agencies (the US Secret Service tweeted its congratulations on the launch); but it says it will maintain the existing structure and methods for disseminating information. 

"FSARC is a long-term strategic initiative that performs deep analyses of systemic cyber risk across financial products and practices. Findings and adaptable mitigation strategies will be shared across the financial sector through FS-ISAC and its membership," explains FS-ISAC in a statement.

So far we seem to know only who and where; but not how. FSARC is looking to establish its own physical location, understood to be in Arlington. It is also believed that for the time being at least it will use FS-ISAC's existing web structure. Bank of America's Siobhan MacDermott and JPMorgan's Greg Rattray will serve as interim Co-Presidents until the center reaches full operational capability. 

How FSARC will achieve a proactive analysis of emerging threats is not yet known, but it seems almost certain that it will leverage the expanding and improving technology of analytics based on machine learning. Machine learning analytics works best when there is a large pool of data from which to learn. The current FS-ISAC database has thousands of threats, vulnerabilities, and events dating back to its formation in 1999. What isn't known is whether FSARC will develop its own analytics, or will call on the security industry.

One firm already involved in machine learning threat detection for financial services is Corvil. "This newly established center enables banks to gain an upper hand in their ongoing asymmetric battle against cyber crime, through both collaboration and a preventative, longer term perspective," Corvil's Graham Ahearne told SecurityWeek.

"At the heart of what FS-ISAC provides is a platform that enables collaboration. This new resilience center takes all that works well from FS-ISAC and combines it with longer range perspective and planning, paving the way for more proactive and preventative measures."

Since prevention is always better than cure, the output from FSARC will provide a more holistic, broader view of both challenges and options for associated solutions.

"Financial services fuel the engine of our economy," he said, "and bold steps need to be taken in order to assure this engine is protected and resilient. This new initiative takes a promising step in that direction."


Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.



SecurityWeek RSS Feed

The recently spotted Telecrypt ransomware can be thwarted: malware analyst Nathan Scott has created a tool that decrypts the encrypted files.

Telecrypt Decryptor

Telecrypt Decryptor works only if the affected user has .NET 4.0 and above (every Windows version since Windows XP has it by default), and if he or she has at least one of the encrypted files in unencrypted form. It also needs to be run from an Administrator account.

The tool comes with instructions and a warning: don’t use it if you haven’t been infected with this particular ransomware, as it could corrupt some of your files.

About Telecrypt

Telecrypt was first spotted a few weeks ago, targeting Russian-speaking users.

Its specificity is that it uses Telegram’s communication protocol to deliver the decryption key to the crooks and, in general, to keep in touch with them.

The message it shows puts the ransom at 5,000 rubles (around 78 USD), and the crooks thank the victims for helping the “Young Programmers Fund.”

“Telecrypt will generate a random string to encrypt the files that is between 10-20 length and only contain the letters vo, pr, bm, xu, zt, dq,” Malwarebytes explained.

“[It] encrypts files by looping through them a SINGLE byte at a time, and then simply adding a byte from the key in order. This simple encryption method allows a decryption application to be made.”

Telecrypt is distributed in the form of an executable, via spam emails, exploits, and drive-by download schemes.

It encrypts a wide variety of files and, depending on its configuration, it either adds the extension ‘.Xcri’ to the encrypted files or leaves it unchanged.
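To show why one unencrypted copy of a single file is enough for a decryptor to work, here is an added Python model of the scheme the Malwarebytes quote describes: each file byte has one byte of a repeating 10-20 character key added to it, the key drawn from the listed letters. This is an added example, not the code of Telecrypt or of Nathan Scott's decryptor; the sample key and file contents are constructed, and the key-length range and letter set are taken from the quote above.

```python
# Added example: models the byte-addition scheme quoted above and recovers the
# key from one known plaintext/ciphertext pair, which is what lets a decryptor
# work at all. Not the Telecrypt Decryptor's code; all sample data is constructed.

KEY_ALPHABET = "voprbmxuztdq"      # the letters the key is said to be drawn from
MIN_KEY_LEN, MAX_KEY_LEN = 10, 20  # the stated key-length range


def add_key(data: bytes, key: bytes) -> bytes:
    """Add one key byte to each data byte in turn (mod 256), repeating the key."""
    return bytes((b + key[i % len(key)]) & 0xFF for i, b in enumerate(data))


def subtract_key(data: bytes, key: bytes) -> bytes:
    """Inverse of add_key: subtract the key byte that was added."""
    return bytes((b - key[i % len(key)]) & 0xFF for i, b in enumerate(data))


def recover_key(known_plain: bytes, known_cipher: bytes):
    """Derive the repeating key from a file available in both forms.

    cipher[i] - plain[i] (mod 256) equals key[i % n]. The smallest n in the
    stated range that explains the whole difference stream, using only the
    expected letters, is taken as the key. Returns None when the known file
    is too short to cover even the shortest possible key.
    """
    if len(known_plain) != len(known_cipher):
        raise ValueError("plaintext and ciphertext must be the same length")
    diff = bytes((c - p) & 0xFF for p, c in zip(known_plain, known_cipher))
    for n in range(MIN_KEY_LEN, MAX_KEY_LEN + 1):
        if len(diff) < n:
            break                       # cannot confirm a key this long
        candidate = diff[:n]
        periodic = all(diff[i] == candidate[i % n] for i in range(len(diff)))
        plausible = all(chr(b) in KEY_ALPHABET for b in candidate)
        if periodic and plausible:
            return candidate
    return None


def decrypt_with_known_file(known_plain: bytes, known_cipher: bytes,
                            other_cipher: bytes) -> bytes:
    """Recover the key from one known file and apply it to another encrypted file."""
    key = recover_key(known_plain, known_cipher)
    if key is None:
        raise ValueError("known file too short or not encrypted with this scheme")
    return subtract_key(other_cipher, key)


if __name__ == "__main__":
    key = b"vprbmxuztdqo"                                      # constructed 12-char key
    known = b"Quarterly report: revenue up 4% on last year\n"  # constructed known file
    other = b"Payroll export, November\n"                      # constructed second file
    known_c, other_c = add_key(known, key), add_key(other, key)
    print(recover_key(known, known_c))
    print(decrypt_with_known_file(known, known_c, other_c))
```

The known file must be at least as long as the key (here 10 bytes at minimum) or recovery fails closed, which mirrors the tool's requirement that the victim still hold an unencrypted copy of one encrypted file.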


Help Net Security

As the biggest shopping weekend of the year in the US approaches, Skycure is advising shoppers to beware of mobile threats while browsing in both physical and online stores.


Researchers found that mobile shopping dangers are not limited to dangerous Wi-Fi in malls. Malicious apps masquerading as legitimate online stores or ways to get online shopping bargains also appear this time of year, hoping to lure unsuspecting shoppers eager to make a quick purchase on their phones or tablets.

“Black Friday and Cyber Monday are a recipe for cyber-scams,” said Yair Amit, CTO and co-founder of Skycure. “The first brings large groups of people using their mobile phones to one place. The second attracts people who might overlook security to get a better deal. Unfortunately, mobile threats exist for shoppers whether they’re shopping in a store, or on a mobile device from the comfort of their own home or workplace.”

Top 10 riskiest shopping malls for mobile

According to industry statistics, 90 percent of shoppers used a mobile phone inside of a physical store to either look up product information, compare prices or check reviews online in 2015. But before pulling out their mobile phones, shoppers should beware of joining risky Wi-Fi networks while out shopping this holiday season.

Malicious Wi-Fi networks are set up by cyber criminals specifically to steal shoppers’ data, while risky Wi-Fi networks are misconfigured and expose sensitive mobile data to hackers. Both are dangerous and put mobile shoppers at risk. The data most commonly stolen are usernames and passwords.

Below is the list of the top 10 malls with the highest number of suspicious Wi-Fi networks. All the shopping centers listed were found to have five or more risky Wi-Fi networks:

  • Fashion Show, Las Vegas, NV
  • Tysons Corner Center, McLean, VA
  • Yorktown Center, Lombard, IL
  • Town Center at Boca Raton, Boca Raton, FL
  • Sawgrass Mills, Sunrise, FL
  • Mall of America, Bloomington, MN
  • Houston Galleria, Houston, TX
  • King of Prussia Mall, King of Prussia, PA
  • Westfield Garden State, Paramus, NJ
  • Memorial City Mall, Houston, TX

Avoid malicious commerce apps

Criminals know that people are shopping for bargains around the holidays, and there are many ways to lure people with fake coupons or too-good-to-be-true offers. One way is to offer apps that look like they are from legitimate online stores, either designed to make shopping easier, or to offer discounts or rewards.

Researchers found multiple examples, including the following:

  • A repackaged Starbucks app. Repackaged apps look exactly like the official apps offered by legitimate retailers and other businesses, but have a small amount of malicious code added in.
  • An app called “Amazon Rewards” which is actually a trojan that spreads using SMS messages offering fake Amazon vouchers with a link to a fake website. It accesses the user’s contact list so that it can send SMS messages to even more people.

Both apps are examples of the ways hackers use trusted brands and shoppers’ thirst for deals to infiltrate a mobile device, then steal user data, banking, and/or credit card information.


Safety tips for shoppers

Skycure offered the following quick tips for mobile users traveling to high-risk destinations:

1. Avoid “Free Wi-Fi” networks (10 percent of malicious networks have the word “Free” in their name).
2. If you see a Wi-Fi that is named as if it is hosted by a store, but that store is nowhere nearby, don’t connect. Skycure found multiple networks named “Apple Store” or “Macysfreewifi” where the named stores were nowhere nearby. Remember that mobile devices automatically join “known” Wi-Fi networks without any user intervention.
3. Only download mobile apps from reputable app stores such as the Google Play store and Apple’s App Store.
4. Read the warnings on your device and don’t click “Continue” if you don’t understand the exposure.
5. Update your device to the most current operating system.
6. Disconnect from the network if your phone behaves strangely (e.g. frequent crashes).
7. Protect your device with a mobile security app.


Help Net Security

Threatpost | The first stop for security news


  • Advisory ID: DRUPAL-SA-CORE-2016-005
  • Project: Drupal core
  • Version: 7.x, 8.x
  • Date: 2016-November-16
  • Security risk: 13/25 (Moderately Critical) AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
  • Vulnerability: Multiple vulnerabilities

Description

Inconsistent name for term access query (Less critical - Drupal 7 and Drupal 8)

Drupal provides a mechanism to alter database SELECT queries before they are executed. Contributed and custom modules may use this mechanism to restrict access to certain entities by implementing hook_query_alter() or hook_query_TAG_alter() in order to add additional conditions. Queries can be distinguished by means of query tags. As the documentation on EntityFieldQuery::addTag() suggests, access-tags on entity queries normally follow the form ENTITY_TYPE_access (e.g. node_access). However, the taxonomy module's access query tag predated this system and used term_access as the query tag instead of taxonomy_term_access.

As a result, before this security release, modules wishing to restrict access to taxonomy terms may have implemented an unsupported tag, or needed to look for both tags (term_access and taxonomy_term_access) in order to be compatible both with queries generated by Drupal core and with those generated by contributed modules like Entity Reference. Otherwise information on taxonomy terms might have been disclosed to unprivileged users.
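The failure mode described above is easiest to see with a small model of tag-based query alteration. The following is an added Python simulation, not Drupal's PHP API: a query carries a set of tags, alter callbacks are registered per tag (standing in for hook_query_TAG_alter()), and an access module adds a row filter only when one of its tags fires. The term table, vocabulary ids and tag names other than term_access and taxonomy_term_access are constructed for the example.

```python
# Added example: a Python stand-in for Drupal's tagged-query alter mechanism,
# showing how a module that hooks only taxonomy_term_access never filters a
# core query tagged term_access. Not Drupal code; rows and ids are constructed.
from collections import defaultdict

# Constructed term rows: (tid, name, vid). Vocabulary 2 is the one the access
# module wants hidden from unprivileged users.
TERMS = [(1, "public-news", 1), (2, "internal-memo", 2), (3, "press", 1)]
RESTRICTED_VIDS = {2}


class SelectQuery:
    """Stand-in for a tagged SELECT: a tag set plus a list of row predicates."""
    def __init__(self, table, tags=()):
        self.table = table
        self.tags = set(tags)
        self.conditions = []

    def condition(self, predicate):
        self.conditions.append(predicate)

    def execute(self, rows):
        return [r for r in rows if all(c(r) for c in self.conditions)]


class HookRegistry:
    """Stand-in for hook_query_TAG_alter(): alter callbacks keyed by tag."""
    def __init__(self):
        self.alters = defaultdict(list)

    def implement(self, tag, callback):
        self.alters[tag].append(callback)

    def run(self, query, rows):
        # Only callbacks whose tag appears on the query get to alter it.
        for tag in sorted(query.tags):
            for callback in self.alters.get(tag, []):
                callback(query)
        return query.execute(rows)


def restrict_terms(query):
    """The access module's alter hook: hide terms in restricted vocabularies."""
    query.condition(lambda row: row[2] not in RESTRICTED_VIDS)


def registry_with_tags(*tags):
    """An access module that implements the alter hook for the given tag(s)."""
    registry = HookRegistry()
    for tag in tags:
        registry.implement(tag, restrict_terms)
    return registry


def visible_term_ids(registry, query_tags):
    """Run a term query carrying query_tags through the registry; return tids."""
    query = SelectQuery("taxonomy_term_data", query_tags)
    return [row[0] for row in registry.run(query, TERMS)]


if __name__ == "__main__":
    only_new = registry_with_tags("taxonomy_term_access")
    # A core query tagged the old way bypasses the module entirely.
    print(visible_term_ids(only_new, {"term_access"}))            # [1, 2, 3]
    print(visible_term_ids(only_new, {"taxonomy_term_access"}))   # [1, 3]
    both = registry_with_tags("term_access", "taxonomy_term_access")
    print(visible_term_ids(both, {"term_access"}))                # [1, 3]
```

The disclosure is silent: the query runs without error and simply returns rows the module never saw, which is why the advisory's pre-release workaround was to hook both tag names.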

Incorrect cache context on password reset page (Less critical - Drupal 8)

The user password reset form does not specify a proper cache context, which can lead to cache poisoning and unwanted content on the page.

Confirmation forms allow external URLs to be injected (Moderately critical - Drupal 7)

Under certain circumstances, malicious users could construct a URL to a confirmation form that would trick users into being redirected to a third-party website after interacting with the form, thereby exposing the users to potential social engineering attacks.

Denial of service via transliterate mechanism (Moderately critical - Drupal 8)

A specially crafted URL can cause a denial of service via the transliterate mechanism.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Drupal core 7.x versions prior to 7.52
  • Drupal core 8.x versions prior to 8.2.3

Solution

Install the latest version:

  • If you use Drupal 7.x, upgrade to Drupal core 7.52
  • If you use Drupal 8.x, upgrade to Drupal core 8.2.3

Also see the Drupal core project page.

Reported by

Inconsistent name for term access query:

Incorrect cache context on password reset page:

Confirmation forms allow external URLs to be injected:

Denial of service via transliterate mechanism:

  • Lee Rowlands of the Drupal Security Team

Fixed by

Inconsistent name for term access query:

  • znerol
  • xjm of the Drupal Security Team
  • David Rothstein of the Drupal Security Team
  • Dave Reid of the Drupal Security Team
  • Larry Garfield

Incorrect cache context on password reset page:

  • Chris McCafferty, provisional Drupal Security Team member
  • xjm of the Drupal Security Team
  • Alex Pott of the Drupal Security Team
  • Michael Hess of the Drupal Security Team
  • Nathaniel Catchpole of the Drupal Security Team

Confirmation forms allow external URLs to be injected:

  • Peter Wolanin of the Drupal Security Team
  • Alex Pott of the Drupal Security Team
  • David Rothstein of the Drupal Security Team

Denial of service via transliterate mechanism:

  • Lee Rowlands of the Drupal Security Team
  • Cathy Theys of the Drupal Security Team
  • Alex Pott of the Drupal Security Team
  • Peter Wolanin of the Drupal Security Team
  • Daniel Wehner
  • Nate Haug
  • Heine Deelstra of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity


Security advisories

Considering the magnitude of the recent DDoS attack on Dyn, which almost brought down the internet, all sysadmins must take action to prevent their devices from taking part in future attacks.

As many of you might have noticed, at least from the news headlines, a few weeks ago there was a huge internet outage that impacted the availability of dozens of major sites, including popular ones like Twitter, Reddit, CNN, the Guardian, and many others. This was the result of a devastatingly simple attack on one of the main providers of the core services underpinning the Internet.

Dyn, one of the major providers of DNS services on the Internet, with customers ranging from end users to some of the most recognizable names on the web, experienced what may prove to be the largest Distributed Denial of Service (DDoS) attack in history, with a reported attack strength of 1.2Tbps. While Dyn was the target, potentially millions of people were victims. Unfortunately, many of those victims were also unwitting accomplices in the attack.

I called the attack simple, because at its heart, a DDoS attack is simple. To execute such a Denial of Service attack, you simply need to overwhelm the target with so many requests that it is unable to service valid ones. When the target has more computing resources than you can attack with, you need to leverage others in a distributed fashion, causing a DDoS. DDoS attacks are nothing new, but this particular one has several features that make it an historic event.

We all know how critical a high-performing and responsive DNS is for all users of the Internet. By attacking one of the core providers of DNS services, the attack rendered dozens of marquee brands inaccessible, including Amazon, Netflix, PayPal, Spotify, and more, along with an untold number of smaller sites. Odds are pretty good that you use at least one of those companies on a regular basis, and if you are on the East Coast of the United States, you probably felt the impact of the first wave. There were as many as three coordinated attacks, with the second having more global impact and the third being successfully defended against.

Several different groups have either claimed responsibility, been accused, or at least didn’t deny allegations of responsibility, but we want to look at the participating nodes in the attack, rather than the mastermind who coordinated them. Not only was the target new and high impact, but the method of attack was too. DDoS attacks are nothing new, but this attack leveraged the Mirai botnet, one of the many pieces of malware out there infecting untold numbers of systems. In this case, based on the logs Dyn collected, we can tell that the number is at least 100,000 malicious nodes. The attack was compounded by legitimate DNS clients retrying their queries, and that number rose into the tens of millions.

What makes Mirai stand out is that it can compromise any number of devices, typically associated with the Internet of Things, to make them unwitting zombies and participants in a DDoS attack. Whether these are webcams, DVRs, programmable thermostats, temperature or light sensors, or any other IoT devices, they are all running a stripped-down and optimized version of Linux which is built for simplicity of setup, not security. And when a user downloads an infected file and the Mirai malware executes, it scans the local network for devices it can recognize and attack, using known vulnerabilities and default passwords. Once it is in, that cool IoT device is now a zombie just waiting for orders to attack.

The scale of this attack, and the fact that it used devices we’re normally not taking care of, makes it a real wake-up call for IT administrators, but also for various IoT device users in general. Think not only about the flaws in your patch management strategy at work, but more about the complete lack of patch management strategies that exist at the homes of most, if not all your coworkers, friends, and family.

Do they run vulnerability scans regularly? Manage and deploy patches to all nodes under their control? Run web filtering software or set up home firewalls so compromised devices cannot hit the Internet directly? Of course not! And that’s why Mirai was able to leverage so many hosts in its DDoS. It grabbed the low-hanging fruit that we have all ignored, and we’ve only seen the tip of the iceberg here.

While defending against a DDoS may be beyond the capabilities and capacities of many of us, we can at least ensure that we are not contributing to the problem, so here’s a list of things all of us can do to help.

Everyone, even at home, can do these first two:

  • Ensure we keep all our devices (computers, mobile devices, tablets, network hardware, IoT devices, and anything else that is network capable) patched and up to date;
  • ALWAYS change the default passwords on EVERY device that has a network connection, even when it is a home use device on an internal network;

And at work, you can do even more:

  • Set up outbound egress filters at work to ensure that only devices which need to directly connect to the Internet can do so;
  • If you provide DNS services internally, then no other devices but your DNS servers should need to directly make DNS queries to external servers;
  • Web filtering is a great way to protect users from downloading malware or executing malicious scripts, which is how Mirai started, and keeping an eye on your web traffic with tools such as GFI WebMonitor is also a good way to make sure your network is not taking part in anything shady;
  • End users don’t need to ping external hosts, but make sure your admins can, and that you allow ICMP internally;
  • Consider whether your end users really do need admin rights on their workstations, since there’s very little malware can do executing with regular user privileges;
  • Use vulnerability scanning software such as GFI LanGuard on all your systems regularly, to ensure you don’t have any vulnerable devices in the network you’re managing;
  • I mentioned it above, but for companies this is much more important: use patch management software to keep all your systems up to date, for both operating system and third-party application needs.
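The egress and DNS points in the list above are policies, and a policy is only useful if you can check that your network actually follows it. The following is an added Python example (not GFI's code or any product feature) that audits a batch of outbound flow records against two of those rules: only the internal resolvers may send DNS to external servers, and only an approved set of hosts may reach the Internet directly at all. The flow-record format, addresses, subnet ranges and the approved host list are constructed for the example; a real deployment would read firewall or NetFlow exports and its own policy.

```python
# Added example: checks outbound flow records against the egress rules described
# above (resolver-only external DNS, approved-hosts-only direct Internet access).
# Not GFI code. The record format, addresses and policy below are constructed.
import ipaddress
from collections import Counter

# Constructed policy standing in for a site's own egress rules.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
INTERNAL_RESOLVERS = {ipaddress.ip_address("10.0.0.53")}
EGRESS_ALLOWED = {ipaddress.ip_address("10.0.0.53"),   # the resolver
                  ipaddress.ip_address("10.0.1.10")}   # the web proxy

# Constructed flow records (not from any real network): "ts src dst proto dport".
SAMPLE_FLOWS = """\
2016-11-18T09:00:01 10.0.0.53 8.8.8.8 udp 53
2016-11-18T09:00:02 10.0.1.10 93.184.216.34 tcp 443
2016-11-18T09:00:03 10.0.7.21 8.8.8.8 udp 53
2016-11-18T09:00:04 10.0.7.21 10.0.0.53 udp 53
2016-11-18T09:00:05 192.168.40.9 203.0.113.7 tcp 23
2016-11-18T09:00:06 192.168.40.9 203.0.113.7 tcp 23
2016-11-18T09:00:07 10.0.7.21 10.0.7.22 tcp 445
"""


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Split one record into typed fields; raises ValueError on a malformed line."""
    ts, src, dst, proto, dport = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "proto": proto, "dport": int(dport)}


def classify(flow):
    """Return the rule a flow breaks, or None. Only internal->external flows matter."""
    src, dst = flow["src"], flow["dst"]
    if not is_internal(src) or is_internal(dst):
        return None
    if flow["dport"] == 53 and src not in INTERNAL_RESOLVERS:
        return "dns-bypass"          # a non-resolver talking DNS to the outside
    if src not in EGRESS_ALLOWED:
        return "egress-violation"    # a host that should not reach the Internet
    return None


def audit_flows(text):
    """Count violations per (source host, rule) over a block of flow records."""
    counts = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        reason = classify(flow)
        if reason:
            counts[(str(flow["src"]), reason)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (host, reason), n in sorted(audit_flows(SAMPLE_FLOWS).items()):
        print(f"{host:15} {reason:17} {n} flow(s)")
```

The two hits in the sample are exactly the cases the list warns about: a workstation resolving names directly against an external server, and a device on the 192.168 segment (think of an IoT appliance) opening outbound telnet on its own. Run this kind of check against your actual firewall logs before trusting that the egress filter is doing its job.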

Keep in mind that while Mirai took out Dyn for hours by leveraging vulnerable devices with default configurations, it first got to those devices as malware executed on unguarded and unpatched workstations. With hundreds of thousands of systems hammering Dyn, most of us probably felt the impact of that attack, but never thought that we could be a part of the attack.

So, it’s in all of our best interests to help make sure we’re not a part of the problem, by patching everything that needs to be patched, and by preventing our devices from becoming an integral part of such attacks. Next time you angrily dismiss a Windows Update notification, remember these words.



GFI Blog

AirLink cellular gateway devices by Sierra Wireless are being infected by the infamous Mirai malware.


Sierra AirLink models LS300, GX400, GX/ES440, GX/ES450, and RV50 are listed as vulnerable.

“The malware is able to gain access to the gateway by logging into ACEmanager with the default password and using the firmware update function to download and run a copy of itself,” the company noted in a security advisory.

“Based on currently available information, once the malware is running on the gateway it deletes itself and resides only in memory. The malware will then proceed to scan for vulnerable devices and report its findings back to a command and control server. The command and control server may also instruct the malware to participate in a Distributed Denial of Service (DDoS) attack on specified targets.”

ICS-CERT pointed out that the malware does not exploit a software or hardware vulnerability in the gateway devices.

“The Mirai bot uses a short list of 62 common default usernames and passwords to scan for vulnerable devices. Because many IoT devices are unsecured or weakly secured, this short dictionary allows the bot to access hundreds of thousands of devices,” they explained, and added that with the recent release of the Mirai source code on the Internet, more IoT botnets are likely to be created.

Sierra Wireless has advised administrators of these devices to reboot the gateway to eliminate the malware (it resides only in memory, so a reboot removes it), then immediately change the ACEmanager password to a unique, strong (complex and long) one; a gateway that comes back up with the default password still set will simply be reinfected by the next scan.

The advisory also lists further mitigations, such as disabling remote access to the gateway's management interface and restricting access to a whitelist of trusted IP addresses.
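The advisory's remediation (reboot, then set a unique, long, complex ACEmanager password, then limit remote access) is easy on one gateway and easy to get wrong across a fleet. The script below is an added example, not Sierra Wireless tooling or code from the article. It audits a constructed device inventory against a constructed list of factory defaults (substitute your vendor's documented defaults and the real Mirai dictionary), flags short, low-complexity or reused passwords, notes where enabled remote access makes a weak login reachable by Internet-wide scanners, and generates a distinct replacement password per device from the OS CSPRNG. The inventory format and the policy thresholds are assumptions.

```python
"""Audit gateway management passwords and generate per-device replacements.

Added example, not Sierra Wireless or Help Net Security code. The inventory,
the default-password list and the policy numbers are constructed for this
illustration; substitute your asset list and your vendor's documented defaults.
"""
import secrets
import string

# Constructed: logins a Mirai-style bot tries first (illustrative, not the real 62-entry list)
KNOWN_DEFAULTS = {"12345", "admin", "password", "1234", "default", "user", "root", "support"}
MIN_LENGTH = 16     # assumed policy for "long"
MIN_CLASSES = 3     # assumed policy for "complex": lower, upper, digit, punctuation
CHARSET = string.ascii_letters + string.digits + string.punctuation

# Constructed inventory: device -> (model, remote access to ACEmanager enabled, current password)
INVENTORY = {
    "gw-site-01": ("GX450", True, "12345"),
    "gw-site-02": ("RV50", True, "Summer2016"),
    "gw-site-03": ("LS300", False, "x7#Qp9!vLm2@Rt4w"),
    "gw-site-04": ("GX400", False, "Summer2016"),   # same password as gw-site-02
}


def password_findings(password, all_passwords):
    """Return the reasons a management password fails policy (empty list if it passes)."""
    reasons = []
    if password.lower() in KNOWN_DEFAULTS:
        reasons.append("matches a known factory default")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(c in string.punctuation for c in password))
    if sum(classes) < MIN_CLASSES:
        reasons.append(f"fewer than {MIN_CLASSES} character classes")
    if all_passwords.count(password) > 1:
        reasons.append("reused on another device, so not unique")
    return reasons


def audit(inventory):
    """Map device name -> findings for every device that fails policy."""
    all_passwords = [pw for (_model, _remote, pw) in inventory.values()]
    report = {}
    for name, (_model, remote, pw) in inventory.items():
        reasons = password_findings(pw, all_passwords)
        if reasons and remote:
            reasons.append("remote access enabled: weak login is reachable by Internet-wide scanners")
        if reasons:
            report[name] = reasons
    return report


def generate_password(length=24):
    """Fresh password from the OS CSPRNG, retried until it satisfies the policy we audit against."""
    while True:
        candidate = "".join(secrets.choice(CHARSET) for _ in range(length))
        if not password_findings(candidate, [candidate]):
            return candidate


def remediation_plan(inventory):
    """For each flagged gateway: the advisory's order of operations plus a new unique password."""
    plan = {}
    for name, reasons in audit(inventory).items():
        plan[name] = {
            "reasons": reasons,
            "steps": ["reboot the gateway (the malware is memory-resident and does not survive it)",
                      "immediately set the new ACEmanager password",
                      "disable remote access, or restrict it to a whitelist of management IPs"],
            "new_password": generate_password(),
        }
    return plan


if __name__ == "__main__":
    for name, item in remediation_plan(INVENTORY).items():
        print(name, "->", "; ".join(item["reasons"]))
```

Reuse is checked across the whole inventory rather than per device, because a password shared by two gateways is "unique" on neither, and the generator is validated with the same policy function as the audit so that a replacement can never itself be flagged on the next run.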


Help Net Security


Microsoft opens up its 'million dollar' bug-finder

Microsoft is previewing a cloud-based bug detector, dubbed Project Springfield, that it calls one of its most sophisticated tools for finding potential security vulnerabilities.

Project Springfield is built on "whitebox fuzzing", the technique Microsoft credits with finding roughly one third of the "million dollar" security bugs uncovered by file fuzzing during the development of Windows 7. Microsoft has used its core component, SAGE, internally since the mid-2000s to test products before release, including fuzzing both Windows and Office applications.


For this project, SAGE is bundled with other tools for fuzz testing, featuring a dashboard and other interfaces that enable use by people without an extensive security background. The tests are run using Microsoft's Azure cloud.

With fuzz testing, the tool feeds a program large numbers of random or malformed inputs and watches for the cases in which an input the developers never anticipated makes the software crash. According to Microsoft researcher David Molnar, it is ideal for software that regularly consumes inputs like documents, images, videos or other information that may not be trustworthy, because those are exactly the inputs an attacker can craft to crash a system or run code on it. Whitebox fuzzing goes further than random input generation: it records the branch conditions the program evaluates on a given input and, in Microsoft's description, asks a series of "what if" questions about them (in SAGE's case by handing the recorded conditions to a constraint solver) to derive new inputs that steer execution down paths likely to expose a crash, and with it a security concern.
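To make the random-versus-guided distinction concrete, here is an added example written for this page, not code from Project Springfield, SAGE or Microsoft: a constructed toy image format with a deliberately planted parsing bug, a blind fuzzer that throws random bytes at it, and a coverage-guided mutational fuzzer that keeps any input reaching new lines of the parser and mutates from there. Coverage guidance is the greybox cousin of SAGE's whitebox approach (SAGE derives new inputs from recorded branch conditions with a constraint solver rather than from random mutation), but it shows the same point: feedback from the program under test turns a hopeless search into a short one. The format, the parser, the mutators and the iteration budgets are all assumptions of the example.

```python
"""Blind versus coverage-guided fuzzing of a constructed toy parser.

Added example, not code from Project Springfield, SAGE or Microsoft. The
'TIMG' format and its planted bug are constructed for this illustration.
"""
import random
import sys


def parse_image(data):
    """Toy format: b'TIMG', width, height, depth (1 or 3), then width*height*depth pixel bytes.
    ValueError is the parser's deliberate rejection path; any other exception is a crash."""
    if len(data) < 7:
        raise ValueError("short header")
    if data[:4] != b"TIMG":
        raise ValueError("bad magic")
    width, height, depth = data[4], data[5], data[6]
    if depth not in (1, 3):
        raise ValueError("unsupported depth")
    expected = width * height * depth
    pixels = data[7:7 + expected]
    if len(pixels) != expected:
        raise ValueError("truncated pixel data")
    stride = len(pixels) // width   # planted bug: width == 0 passes every check, then divides by zero
    return {"width": width, "height": height, "depth": depth, "stride": stride}


def run_with_coverage(func, data):
    """Run func(data) under a line tracer; return (outcome, set of func's line numbers executed)."""
    lines = set()
    code = func.__code__

    def tracer(frame, event, arg):
        if frame.f_code is not code:
            return None
        if event == "line":
            lines.add(frame.f_lineno)
        return tracer

    sys.settrace(tracer)
    try:
        func(data)
        outcome = "ok"
    except ValueError:
        outcome = "rejected"
    except Exception as exc:            # anything the parser did not plan for
        outcome = "crash:" + type(exc).__name__
    finally:
        sys.settrace(None)
    return outcome, lines


INTERESTING = (0, 1, 0x7F, 0x80, 0xFF)   # boundary values that break length and size arithmetic


def mutate(data, rng):
    """Apply one to three small mutations: bit flip, boundary value, insert byte, delete byte."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 3)):
        op = rng.randrange(4)
        if op == 0 and buf:
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == 1 and buf:
            buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
        elif op == 2:
            buf.insert(rng.randint(0, len(buf)), rng.randrange(256))
        elif op == 3 and len(buf) > 1:
            del buf[rng.randrange(len(buf))]
    return bytes(buf)


def blind_fuzz(func, budget, seed=1):
    """Uniformly random inputs; returns the first crash found or None."""
    rng = random.Random(seed)
    for n in range(budget):
        candidate = bytes(rng.randrange(256) for _ in range(rng.randint(0, 16)))
        outcome, _ = run_with_coverage(func, candidate)
        if outcome.startswith("crash"):
            return {"input": candidate, "outcome": outcome, "iterations": n + 1}
    return None


def coverage_guided_fuzz(func, seeds, budget, seed=1):
    """Mutate corpus entries; keep mutants that execute new lines; returns first crash or None."""
    rng = random.Random(seed)
    corpus = list(seeds)
    covered = set()
    for s in corpus:
        covered |= run_with_coverage(func, s)[1]
    for n in range(budget):
        candidate = mutate(rng.choice(corpus), rng)
        outcome, lines = run_with_coverage(func, candidate)
        if outcome.startswith("crash"):
            return {"input": candidate, "outcome": outcome, "iterations": n + 1, "corpus": len(corpus)}
        if lines - covered:              # new coverage: keep it as a starting point for more mutation
            covered |= lines
            corpus.append(candidate)
    return None


def minimize(func, data):
    """Greedy byte-by-byte reduction that keeps the crash reproducing."""
    i = 0
    while i < len(data):
        candidate = data[:i] + data[i + 1:]
        if run_with_coverage(func, candidate)[0].startswith("crash"):
            data = candidate
        else:
            i += 1
    return data


if __name__ == "__main__":
    seed_input = b"TIMG\x02\x02\x01" + bytes(range(4))
    print("blind:", blind_fuzz(parse_image, 5000))
    found = coverage_guided_fuzz(parse_image, [seed_input], 20000)
    print("guided:", found, "minimized:", minimize(parse_image, found["input"]))
```

The blind fuzzer never produces the four-byte magic, so it never gets past the first check; the guided fuzzer starts from one valid file and, because the "what if" of a zero width is one boundary-value mutation away, reaches the division by zero quickly, after which the minimizer shrinks the crash to a seven-byte reproducer. Separating the parser's intended rejections (ValueError) from everything else is what makes the crash signal usable at all.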

The code-name, Springfield, previously was used at Microsoft for the now-defunct Popfly web page and mashup creation service. There's no relation between the two projects, a Microsoft representative said. Microsoft is extending preview invitations for Project Springfield to customers, with an initial group to evaluate it for free.
