Protect your corporate IT network from hackers and other unwanted intruders with Proxy Sentinel™. Click here for all the details and get the peace of mind you deserve.
Back to our Homepage Proxy Sentinel™ high performance Internet proxy server and secure firewall solution Firewall Sentinel™ secure & powerful Internet firewall solution About Internet and GCIS Frequently Asked Questions on Internet security issues Internet Security Industry News - Stay informed of what's happening Contact Internet today and order your Proxy Sentinel™ or Firewall Sentinel™ server now!

A record-breaking DDoS cyberattack hits Spamhaus

If you need reliability when it comes to SMTP servers, get the best, get Port 587.

Get a powerful Linux Dual-Core dedicated server for less than $2.67 a day!

Share on Twitter.

March 27, 2013

An unprecedented Denial of Service (DDoS) attack targeting Spamhaus, an anti-spam watchdog group has sent tremors of service disruption across the internet since mid-March.

Spamhaus, a site responsible for keeping email spammers' counterfeit Viagra, Cialis and other bogus things such as weight-loss pills out of the world's inboxes, said it has been bombarded with numerous DDoSs, apparently from groups angry at being blacklisted by the watchdog.

"It is a small miracle that we're still online," Spamhaus researcher Vincent Hanna said. Denial-of-service attacks suddenly overwhelm Web servers with a lot of traffic. Security experts measure those attacks in bits of data per second.

Recent cyberattacks-- like the ones that caused persistent service outages at U.S. banking sites late last year have tended to peak at 100 billion bits per second.

But since mid-March, the furious and numerous assaults on Spamhaus has broken all records, clocking in at 300 billion bits per second.

"It was likely quite a bit more, but at some point, measurement systems simply can't keep up with such an attack of these proportions," said CloudFlare chief executive Matthew Prince.

Patrick Gilmore of Akamai Technologies said that was no understatement. "This attack is the largest that has been publicly disclosed in the history of the Internet," he said. "I've never seen anything of this magnitude yet," he added.

However, it's still unclear who exactly was behind the attack, although a man who identified himself as Sven Olaf Kamphuis said he was in touch with the attackers and described them as mainly consisting of disgruntled Russian Internet service providers who had found themselves on Spamhaus' blacklists.

There was no immediate way to verify his claim, however, so anything's possible. He accused Spamhaus of arbitrarily blocking content that it did not like. Spamhaus has widely used and constantly updates blacklists of sites that send email spam. It's their mandate to protect internet users from junk mail.

"They abuse their position not to stop spam but to exercise censorship without a court order," Kamphuis said.

Gilmore and Prince said that the attack's perpetrators had taken advantage of weaknesses in the Internet's infrastructure to trick thousands of servers into routing a torrent of junk traffic to Spamhaus every second.

The tactic, called "DNS reflection," works a little bit like mailing requests for information to thousands of different organizations with a target's return address written across the back of the envelopes. When all the organizations reply all at once, they send a landslide of useless data to the unwitting addressee.

Both experts said the attack's sheer size and magnitude has sent several ripples of disruptions across the web as servers moved mountains of junk email traffic back and forth across the internet.

"At a minimum, there would have been sluggishness," Prince said, adding that "if the web felt a bit more sluggish for you over the last few days in Europe, this may be part of the reason why."

At the London Internet Exchange, where service providers exchange traffic across the globe, spokesman Malcolm Hutty said his organization had seen "a minor degree of congestion in a small portion of the network."

But he said it was unlikely that any ordinary users had been affected by the attack. Hanna said his site had so far managed to stay online, but warned that being knocked off the web could give spammers an opening to step up their mailings -- which may mean more ads to buy Viagra, fake lottery announcements and pitches for penny stocks heading to people's inboxes.

Hanna denied claims that his organization had behaved arbitrarily, noting that his group would lose all its credibility if it started flagging benign content as spam.

"We have 1.7 billion people who watch over our shoulder," he said. "If we start blocking emails that they want, they will obviously stop using us."

Gilmore of Akamai was also dismissive of the claim that Spamhaus was biased. "Spamhaus' reputation is among the best, really," he said.

In other internet security news

The development team behind Unix NetBSD have warned that a recently discovered security flaw in the open-source operating system can create weak cryptographic keys that can be easily compromised by attackers.

End users attempting to secure sensitive communications, such as root SSH terminal connections, using the compromised keys could be easily decrypted, rendering them useless from a security standpoint.

The utilization of a cryptographically flawed random-number generator in NetBSD 6.0 means that potentially predictable security keys were generated.

Versions of NetBSD-current older than January 26, 2013 are affected. NetBSD 5.1 and 5.2 don't suffer from the security hole, which is due to be fixed in NetBSD 6.1 that should be released soon.

Until then users need to update their Unix kernels to builds created after Jan. 26, 2013. Overall, many types of cryptographic keys (including SSH and SSL session keys) generated on compromised systems may be weak and hazardous.

A 'sizeof()' blunder introduced data that wasn't sufficiently random for cryptography. System admins are advised to generate new keys after updating the Unix NetBSD kernel software, as explained in an advisory from the NetBSD Foundation.

"For various systems newly set up with NetBSD 6.0 all SSH host keys are suspect," the advisory explains. "Other persistent cryptographic secrets (for example, SSH or SSL keys of any type) generated using /dev/urandom on NetBSD 6 systems which may have had insufficient entropy at key generation time may be impacted and should be regenerated."

The first version of the advisory was published Feb. 25 prior to publication of an update with a stronger warning that caught the eye of crypto experts such as Ivan Ristic, an open-source advocate who runs the SSL Labs service.

In other internet security news

South Korea's massive data wiping malware that knocked out hundreds of personal computers at TV stations and banks last week may have been introduced through a combination of compromised corporate patching systems spread across the country.

Several South Korean financial institutions-- Shinhan Bank, Nonghyup Bank and Jeju Bank and TV broadcaster networks were all impacted by a destructive virus, since identified as DarkSeoul by Sophos and Jokra Trojan by Symantec, which deleted all the data on the hard drives, right down to the operating system of infected PCs, preventing them from booting up upon restart.

Initially, it was believed that the malware spread through local telco LG U+ and may have came from a single Chinese IP address. The Korea Communications Commission said it was mistaken when it identified an internet address in China as the source of the mega-attack.

The IP address involved actually belonged to NongHyup Bank, one of the main victims of the assault, suggesting that the attack could have been an 'inside job'.

Late on Friday afternoon, security appliance firm Fortinet claimed that hackers broke into the servers of an unnamed but local antivirus company and planted malware which was then distributed as an update patch. Local researchers at Fortinet's Threat Response Team working with the Korea Information Security Association came up with the theory before notifying news media about the apparent find.

But later on Friday evening, Guillaume Lovet of Fortinet stated that the security appliance firm no longer stood by its earlier pronouncement.

By early this morning, things had moved on again with South Korean security software firm AhnLab putting out a release saying hacked corporate patching systems were to blame for the wide spread of the malware. It also added that its own security technology wasn't involved in the distribution of the malware, an apparent reference to the premature and since-discredited theory put up by Fortinet.

It now appears that attackers used stolen user IDs and passwords to launch some of the attacks. The credentials were used to gain access to individual patch management systems located on the affected networks. Once the attackers had access to the patch management system, they used it to distribute the malware much like the system distributes new software and their updates.

Contrary to early reports, no security hole in any AhnLab server or product was used by the attackers to deliver the malicious code.

The latest theory suggests hackers first obtained administrator login to a security vendors' patch management server via a targeted attack. Armed with the login information, the hackers then created malware on the PMS server that masqueraded as a normal software update.

This fake update file subsequently infected a large number of PCs all at once, deleting a Master Boot Record on each Windows PC to prevent it from booting up normally. The malware was designed to activate on March 20 at 2.00 PM, South Korea time.

The speed at which the attack spread had already led security tools firm AlienVault to suggest that the wiper malware might have been distributed to already compromised clients in a zombie network. AhnLabs suggests that this compromised network was actually the patching system of the data wiping malware's victims.

However, the prevailing theory remains that North Korea may have instigated the attacks, which follows weeks of heightened tension on the small peninsula. But there's no hard evidence to support this conclusion. We will keep you posted on this and other news stories as they develop.

In other internet security news

A very obvious security flaw has been blamed for the compromise and attempted theft of 300 .uk domains managed by hosting firm in 2012.

Anyone with a hosting package from 123-Reg and an account control panel supplied by that company, simply had to change the final section of the URL manually (to, for example, / to be able to gain full access to someone's else emails, FTP credentials, name servers, private information and billing.

With access to the administrative control panel, would-be domain thieves just had to change the contact details for U.K. registry at Nominet to a new email address and then do a failed password request to have a new password sent to the new email address, locking the original owner out.

In defense, 123-Reg said it had "worked with our registrars to help them tighten security and prevent a repeat of this incident."

Both 123-Reg and Nominet say that there was "a query from a registrant" last year that led to Nominet "discovering some irregularities in registration and renewal patterns".

"As part of Nominet's standard operating procedures they locked the affected domains from any transfer or adjustment while they investigated further, and with our full support," 123-Reg said in an emailed statement.

Nominet said that its investigations into the issue revealed that "a total of 300 .uk domains had been transferred over to a new registrant in the post-expiry period without the permission of the original registrant".

"We have terminated our registrar agreement with one registrar," the dot-UK registry said. Neither firm would comment on how the the security breach had come about or whether the matter had been referred to Britain's Information Commissioner to investigate in such matters.

Nominet added that it couldn't elaborate any further because "we understand there is an ongoing police investigation into this issue".

In other internet security news

Critical internet-facing industrial systems controlling crucial equipment used by nuclear power plants, airports, factories and other sensitive systems are still subjected to sustained attacks within a few hours of appearing online, according to new research by Trend Micro.

The security vulnerabilities of SCADA (supervisory control and data acquisition) industrial control systems are numerous, and have been a major focus of interest in information security circles for the last three years or so thanks to Stuxnet, Duqu, and other similar noteworthy virus attacks.

A security expert has challenged a theory on how the infamous Stuxnet worm, best known for tampering with Iranian lab equipment, somehow escaped into the internet. New York Times reporter David Sanger wrote what's become the definitive account of how Stuxnet was jointly developed by a U.S. / Israeli team. The sophisticated malware virus was deployed to sabotage high-speed centrifuges at Iran's nuclear fuel processing plant by infecting and commandeering the site's control systems.

According to Sanger's sources, an Iranian technician's laptop was plugged into a Stuxnet-sabotaged centrifuge device and was almost immediately infected by the malfunctioning equipment.

Trend Micro researcher and SCADA security expert Kyle Wilhoit set out to look into this phenomenon in greater depth by setting up an internet-facing 'honeypot' and record numerous attempted attacks. The honeypot architecture developed by Wilhoit directly mimics those of real industrial control systems and SCADA devices.

The researcher, who was once the lead incident handler and reverse engineer at a large energy company, focusing on ICS/SCADA security and persistent threats, created a total of three honeypots. All three were internet-facing and used three different static IP addresses in different subnets scattered across the United States.

One honeypot featured a programmable logic controller (PLC) system running on a virtual instance of Ubuntu hosted on Amazon EC2, and configured as a web page that mimics that of a water pressure station. Another honeypot featured a web server that mimicked a control interface connected to a PLC production system.

The final honeypot was an actual PLC device set up to mimic temperature controller systems in a factory. All three honeypots included traditional vulnerabilities found across the same or similar systems. Various steps were taken to make sure the honeypots were easily discovered.

The sites were then optimized for searches and published on Google. The researchers also made sure that that honeypot settings would be seeded on devices that were part of HD Moore’s Shodan Project, which indexes vulnerable routers, printers, servers and internet-accessible industrial control systems. Once a search latches onto a vulnerable embedded device, then Metasploit provides a library of possible attacks, which - as security strategist Josh Corman points out - can be run without any detailed knowledge or skill.

The Trend Micro security researchers excluded simple port scans and focused on recording anything that might pose a threat to internet-facing ICS/SCADA systems. This includes unauthorized access to secure areas of sites, attempted modifications of controllers, or any other attack against a protocol specific to SCADA devices, such as Modbus/TCP.

They also logged any targeted attempt to gain access or take out servers running the system. Various tools including popular open-source intrusion detection package Snort, honeyd (modified to mimic common SCADA protocols), tcpdump and some analysis of server log files were used to monitor and record the attacks the honeypots attracted.

The researchers waited less than a day before the attacks began, as Wilhoit explains in a research paper Who’s Really Attacking Your ICS Equipment? It took only 18 hours to find the first signs of attack on one of the honeypots. While the honeypots ran and continued to collect attack statistics, the findings concerning the deployments proved disturbing.

The statistics of this report contain data for 28 days with a total of 39 attacks from 14 different countries. Out of these 39 attacks, 12 were unique and could be classified as “targeted” while 13 were repeated by several of the same actors over a period of several days and could be considered “targeted” and/or “automated.”

All of these attacks were prefaced by port scans performed by the same IP address or an IP address in the same subnet. The attacks included attempts to spear-phish a site administrator, bids to exploit fundamental ICS protocols and malware exploitation attempts on the servers running the honeypot environment.

Other attacks included bids to change the CPU fan speed on systems supposedly controlling a water pump and attempts to harvest systems information. Four samples were collected over the four-week testing period, two of which have not been seen in the wild.

Trend Micro is currently analyzing these pieces of malware to determine their functionality. As well as looking at the type of attack getting thrown against the honeypot system, researchers at Trend Micro also looked at the origin of attempted attacks.

About 34 percent of attacks against the industrial control system honeypot originated in China but one in five (19 percent) originated in the U.S. Security researchers also discovered that a surprisingly high (12 percent) of attacks against a honeypot control system they had established came from the southeast Asian nation of Laos.

Wilhoit, presented his research at the BlackHat Europe conference in Amsterdam, the Netherlands last Friday. “Trend Micro's research reveals that attackers have enough knowledge to analyze and affect industrial control devices' infrastructures,” said Raimund Genes, CTO at Trend Micro.

“This is an alarming wake-up call for operators of these infrastructures to check the security of these systems and ensure they are properly separated from the internet/open networks. The research also shows that it is not only usual suspects attacking, but that these attacks also happen in your own backyard.”

SCADA systems control everything from escalators in metro stations in Madrid to milk-processing factories in Mali and uranium enrichment centrifuges in Iran.

"Security in an ICS/SCADA network is often considered 'bolt-on' or thought of 'after the fact'. When these systems were first brought into service more than 20 or so years ago, security was typically not a concern," Wilhoit explains.

"However, as things changed over time, most of these systems’ purposes have been reestablished, along with the way they were originally configured. A system that used to only be accessible to a single computer next to a conveyor belt became accessible via the internet, with very little hindrance."

If you need reliability when it comes to SMTP servers, get the best, get Port 587.

Get a powerful Linux Dual-Core dedicated server for less than $2.67 a day!

Share on Twitter.

Source: Spamhaus.

Save Internet's URL to the list of your favorite web sites in your Web browser by clicking here.

You can link to the Internet Security web site as much as you like.

Home | Proxy Sentinel™ | Firewall Sentinel™ | FAQ | News | Sitemap | Contact
Copyright © Internet    Terms of use    Privacy agreement    Legal disclaimer

Click here to order your new fully dedicated Plesk server with the Linux operating system.

Get your Linux or Windows dedicated server today.

Click here to order your new fully dedicated Plesk server with the Linux operating system.

Click here to order your new fully dedicated Plesk server with the Linux operating system.