Apache Struts Vulnerabilities and The Equifax Hack, What Happened?

In the wake of the Equifax breach, a lot of people are wondering how the theft of personal information occurred and how it could have been prevented.

Equifax initially reported that a vulnerability in Apache Struts was used to infiltrate their public-facing web server. Apache Struts has faced its fair share of vulnerabilities with 21 having been discovered since the start of 2016.

Which Apache Struts vulnerability was used in the Equifax hack?

At DOSarrest we researched current and past Apache Struts vulnerabilities and determined that they were likely not hacked using the new CVE-2017-9805 but rather CVE-2017-5638.

Equifax released additional details on September 13, 2017 confirming that the vulnerability involved was CVE-2017-5638. This vulnerability dates back to March 2017, which is why people in the security industry are now questioning how Equifax could be so far behind in patching a well-known, publicly exploited flaw.

The two vulnerabilities, CVE-2017-5638 and the recently revealed CVE-2017-9805, are very similar in nature, and both are classified as Remote Code Execution (RCE) vulnerabilities.

How does an RCE vulnerability work and how can it be prevented?

An RCE vulnerability is exploited when an attacker crafts a packet or request containing arbitrary code or commands. The attacker uses some method of bypassing input validation so that the vulnerable server executes that code, either with the privileges of the server process or with elevated privileges.

Such vulnerabilities can be prevented with a two-fold approach to web application security:

1) New vulnerabilities will continually be discovered in any web application framework, and it is the duty of IT teams to keep the software patched. This requires regular audits and patches to vulnerable software. Even the most proactive IT teams will not be able to prevent a so-called zero-day attack by patching alone so more must be done to protect the web server from zero-day vulnerabilities.

2) Since there is always a delay between the time a vulnerability is discovered and when a patch is released by the maintainer of that product, a means of protecting your website from undiscovered zero-day vulnerabilities is needed. Web Application Firewalls (WAFs) that rely on signatures are unfortunately at a disadvantage here, because in most cases signatures written for existing vulnerabilities do not match newer zero-day vulnerabilities.

If I cannot rely on signature-based WAF options, what can I rely on to protect my business?

At DOSarrest our WAF is different. The problem with relying on signatures is that it requires constant updates as new vulnerabilities become known. Instead, our WAF looks for sets of characters (such as "}", "\"" and ";") or phrases (like "/bin/bash" or "cmd.exe") that are known to be problematic for some web applications.

What makes DOSarrest's WAF even more appealing is that it is fast, much faster than signature-based solutions that require high CPU use to match signatures, matching that can result in a measurable increase in latency. With DOSarrest's WAF there is no increase in latency, and vulnerabilities not yet discovered can still be mitigated.

Examples of how the Apache Struts vulnerabilities are exploited:

For the benefit of more technical users, some sample requests will be analyzed below. The first example represents a normal, non-malicious request of the kind sent by millions of people every day, and the following two exploit RCE vulnerabilities in Apache Struts:

We can note the following characteristics in the exploit of CVE-2017-5638:

1. The Content-Type header starts with %{(, which is not a valid media type and so is an incorrect format for this header.

2. The payload contains a reference to the Java class java.lang.ProcessBuilder, which is normally regarded as dangerous because it spawns operating-system processes.

3. The payload names both Windows and Linux command line interpreters: "cmd.exe" (Windows Command Prompt) and "/bin/bash" (Linux Bash shell).

The RCE vulnerability used to infiltrate Equifax, CVE-2017-5638, exploits a bug in the way Apache Struts processes the "Content-Type" HTTP header. This allows attackers to run an XML script with elevated user access; the java.lang.ProcessBuilder reference it contains is what executes the commands the attacker has placed within the XML request.

CVE-2017-9805, announced in September 2017, is very similar to the previous RCE vulnerability.

With CVE-2017-9805, we can note the following characteristics:

1. The Content-Type is application/xml, and the content in the request body actually is XML, matching the declared Content-Type.

2. The payload also contains a reference to the Java class java.lang.ProcessBuilder.

3. The payload in this case is Linux-specific and calls "/bin/bash -c touch ./CVE-2017-9805.txt" to confirm that the exploit works by creating a file, "CVE-2017-9805.txt".
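As an added example that is not part of the original article or of DOSarrest's product, the Python below inspects a raw HTTP request for the traits just listed for both CVEs: an expression-style (or otherwise malformed) Content-Type, a reference to java.lang.ProcessBuilder, shell interpreter names, and the application/xml body shape of CVE-2017-9805. The sample requests, paths and hostnames are constructed placeholders, and the malformed-media-type check generalises beyond the exact %{( prefix the article cites.

```python
"""Heuristic inspection of HTTP requests for the Struts RCE traits
described above: an OGNL-style Content-Type (CVE-2017-5638) and an
XML body carrying a ProcessBuilder reference (CVE-2017-9805)."""
import re
from dataclasses import dataclass

# Media type syntax (type "/" subtype, optional ";" parameters).
MEDIA_TYPE_RE = re.compile(r"^[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+(\s*;.*)?$")
# Expression-language markers that should never open a media type.
EXPRESSION_PREFIXES = ("%{", "${", "#{")
DANGEROUS_CLASSES = ("java.lang.ProcessBuilder", "java.lang.Runtime")
SHELL_INTERPRETERS = ("/bin/bash", "/bin/sh", "cmd.exe")


@dataclass
class Finding:
    rule: str
    severity: str  # "high" or "medium"
    detail: str


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (request_line, headers, body).
    Header names are lower-cased; a missing body yields an empty string."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def inspect_request(raw: str) -> list:
    """Return the findings for one raw request; an empty list means clean."""
    _, headers, body = parse_request(raw)
    findings = []
    ctype = headers.get("content-type", "")

    # CVE-2017-5638 trait 1: Content-Type opens with an expression marker.
    if ctype.startswith(EXPRESSION_PREFIXES):
        findings.append(Finding("ognl-content-type", "high",
                                f"Content-Type begins with {ctype[:2]!r}"))
    # Generalisation: anything that is not syntactically a media type is
    # malformed and worth flagging even if the marker changes.
    elif ctype and not MEDIA_TYPE_RE.match(ctype):
        findings.append(Finding("malformed-content-type", "medium",
                                f"Content-Type is not a media type: {ctype[:40]!r}"))

    # Trait 2 (both CVEs): process-spawning Java classes in header or body.
    haystack = ctype + "\n" + body
    for cls in DANGEROUS_CLASSES:
        if cls in haystack:
            where = "Content-Type" if cls in ctype else "body"
            findings.append(Finding("dangerous-java-class", "high",
                                    f"{cls} referenced in {where}"))

    # Trait 3 (both CVEs): shell interpreter names carried in the request.
    for shell in SHELL_INTERPRETERS:
        if shell in haystack:
            findings.append(Finding("shell-interpreter", "medium",
                                    f"{shell} present in request"))

    # CVE-2017-9805 shape: a declared XML body that names a Java class.
    if ctype.split(";")[0].strip().lower() in ("application/xml", "text/xml"):
        if any(cls in body for cls in DANGEROUS_CLASSES):
            findings.append(Finding("xml-body-java-class", "high",
                                    "XML body references a process-spawning class"))
    return findings


def is_suspicious(raw: str) -> bool:
    """True when at least one high-severity finding is present."""
    return any(f.severity == "high" for f in inspect_request(raw))


# Constructed sample requests (placeholder host and paths, not real traffic).
NORMAL_REQUEST = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: multipart/form-data; boundary=----ConstructedBoundary1\r\n"
    "Content-Length: 0\r\n\r\n"
)
OGNL_HEADER_REQUEST = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: %{(#CONSTRUCTED_PLACEHOLDER).(java.lang.ProcessBuilder)}\r\n"
    "Content-Length: 0\r\n\r\n"
)
XML_BODY_REQUEST = (
    "POST /orders/3 HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: application/xml\r\n"
    "Content-Length: 80\r\n\r\n"
    "<order><note>java.lang.ProcessBuilder /bin/bash -c touch "
    "./CVE-2017-9805.txt</note></order>"
)

if __name__ == "__main__":
    for name, req in (("normal", NORMAL_REQUEST),
                      ("ognl-header", OGNL_HEADER_REQUEST),
                      ("xml-body", XML_BODY_REQUEST)):
        print(name, [f.rule for f in inspect_request(req)])
```

The medium-severity rules are deliberately separate from the high ones, since a bare ";" or "/bin/bash" in a legitimate upload is a plausible false positive that a blocking rule should not fire on alone.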

Are the payloads shown the exact ones used by attackers to obtain data from Equifax?

Although some of the commands may have been used together as part of the information gathering process, the actual commands used to obtain the data from Equifax may only be known by the attackers and possibly Equifax or an auditing security team directly involved in the case. The examples show how the vulnerability could be exploited in the wild and what methods might be used, e.g., setting Content-Type and sending an XML file with a payload. These examples do not represent the actual payload used to obtain the data from Equifax.

Since the payload itself can be completely arbitrary, an attacker can run any commands desired on the victim’s server. Any action the web server software is capable of could be performed by an attacker, which could allow for theft of information or intellectual property if it is accessible from the hacked server.

In the case of Equifax, there was likely an initial vulnerability scan that the attackers used to confirm Equifax's exposure to this particular attack. This would have been followed by an effort to determine what files were available or what actions could be performed from the Equifax public-facing web server. At some point the attackers came across a method for accessing personal credit details on millions of Americans and citizens of other countries who had credit checks performed on their identities within the United States.

If Equifax had been using the DOSarrest WAF, they could have avoided a costly mistake. Don’t let your business suffer a damaging security breach that could result in you being out of business for good. Talk to us about our services.

For more information on our services, including our Web Application Firewall and other security solutions, see DOSarrest.

Source: https://www.dosarrest.com/ddos-blog/apache-struts-vulnerabilities-and-the-equifax-hack-what-happened/

Cybercrooks fight over DDoS attack resources

As more groups get into the denial-of-service attack business they’re starting to get in each other’s way, according to a report released this morning.

That translates into a smaller average attack size, said Martin McKeay, senior security advocate at Cambridge, Mass.-based Akamai Technologies Inc.

There are only so many devices around that have the kind of vulnerabilities that make them potential targets for a botnet.

“And other people can come in and take over the device, and take those resources to feed their own botnet,” he said. “I’m seeing that over and over.”

He said that Akamai is seeing evidence of the contention in the threat intelligence it gathers, as well as in the size of the attacks.

The median attack size has been decreasing over the last year and a half, he said.

At the start of 2015, the median DDoS attack size was 4 gigabits per second, and it went down to just over 500 megabits per second during the first quarter of this year.

The number of very large attacks has also gone down over the past year, from 19 attacks greater than 100 gigabits per second over the course of the first quarter of 2016, to just two attacks of that size during the first quarter of this year.

That could be due to the fact that several large DDoS crews were arrested at the end of last year.

“Because of the high publicity of some of these attacks, we have Interpol and U.S. government agencies going after the owners and authors of those botnets,” McKeay said. “Those people are getting jailed, and that portion of the attack traffic goes away.”

But that doesn’t mean that companies can get complacent about their defenses, since other groups may step in to take their place.

“DDoS in general is a cyclic phenomenon,” he said. “About three years ago, it really took off and we saw a big increase. It’s been trending down for about a year but we suspect that that’s just a temporary change, and it’s going to start back up again.”

Meanwhile, even smaller-sized attacks can still do a great deal of damage. According to the Akamai report, many businesses lease Internet uplinks of between 1 and 10 gigabits per second, so any attack bigger than 10 gigabits per second could take an unprotected business offline.

And the capabilities of attackers keep expanding, he added.

“Within two to three years, we might see a five to ten terabit attack,” he said.

With more criminal groups competing for access to vulnerable devices for their botnets, does that mean that we might see less ransomware such as the WannaCry attack?

No such luck.

“It’s a different group of resources that are being used,” said McKeay. “When we’re talking about the ransomware like that which we’ve been seeing since Friday, that’s a completely different breed than DDoS.”

Source: http://www.csoonline.com/article/3196847/security/cybercrooks-fight-over-ddos-attack-resources.html

DDoS attack and measures to Fight DDoS attack

White hats are in an ongoing battle with black hats to protect the Internet from DDoS attacks. According to Arbor Networks, more than 2000 DDoS attacks are observed worldwide every day.

In 2016, we saw the largest DDoS attack to date, against Dyn (a DNS provider). During the attack, Dyn's servers were hit with more than 1.2 Tbps of traffic, which overwhelmed the company's servers. This attack caused major websites like Twitter, Amazon, Reddit, and Netflix to go down. The attack was carried out using IoT devices infected by the Mirai malware, which means the attacker might have used your routers, smart TVs, mobiles, computers and IP cameras to carry out the DDoS attack.

Since attackers have started using your Internet-connected devices to launch dangerous attacks (without your knowledge) against banks, telecom companies, and media outlets (that speak against some political agendas), it is about time we (users) become aware of DDoS.

What is DDoS Attack?

DDoS stands for Distributed Denial of Service. In this attack, hackers use networks of compromised systems (called botnets) to make online services unavailable to clients. During the attack, the attacker simply floods the service provider's servers with fake traffic from multiple sources (the botnet). This causes the servers to crash or become unresponsive, so the intended audience is deprived of the service.

In simple words, a DDoS attack is like window shoppers swarming your business and preventing genuine customers from getting your service.


Symptoms of DDoS Attack:

According to Wikipedia, the United States Computer Emergency Readiness Team (US-CERT) has identified symptoms of a denial-of-service attack to include:

  • unusually slow network performance (opening files or accessing web sites)
  • unavailability of a particular website
  • inability to access any website
  • a dramatic increase in the number of spam emails received (this type of DoS attack is considered an e-mail bomb).

Additional symptoms may include:

  • disconnection of a wireless or wired internet connection
  • long-term denial of access to the web or any internet services.

Why is DDoS attack so dangerous?

  1. A large-scale attack can affect Internet connectivity of entire geographical regions.
  2. Anyone can buy a week of DDoS attacks for just $150 on the black market. Source: Trend Micro Research
  3. A botnet can contain millions of bots, since so many devices these days are connected to the Internet. This makes the attack more dangerous.
  4. There are more than 2000 attacks per day.
  5. Small businesses are an easy target because it is cheap and easy to attack services that don’t have DDoS countermeasures.

How to Fight DDoS attack:

  1. Be prepared by recognizing the symptoms of a DDoS attack.
  2. Get extra bandwidth for your website. This will give you time to fight the DDoS without your service going down.
  3. Monitor your website traffic regularly. Use Web Analytics tools.
  4. If you think you are under attack, contact your ISP or Host Provider.
  5. Use DDoS mitigation specialist companies if you can afford them.

In conclusion, spread the word about DDoS attacks to everyone you know who owns or wishes to own a website. Also, prevent your devices from being compromised; I will write about that in the next post. For now, let's fight DDoS attacks together.

Source: https://www.gadgetbytenepal.com/fight-ddos-attack/

Mirai Source Code Boosts Popularity of DDoS-as-a-Service Criminal Activity

As one would come to expect from the recent Mirai botnet attacks, DDoS-as-a-service is becoming quite the booming industry. Seemingly everyone in the world holds a grudge against online companies and would like nothing more than to take them down. Now that the Mirai source code was put online several months ago, the number of DDoS attacks will only increase.

DDoS-as-a-business Turns Into A Profitable Business Model

In the world of cybercrime, there are always people willing to do the dirty work for you. Even those who have no idea where to begin when it comes to compiling the Mirai botnet source code, there are those who will offer DDoS attacks as a service in exchange for payment. Even though there are plenty of people who can turn this source code into a valuable tool for their own needs, there are always people willing to pay for such a service.

Just because the Mirai source code is freely available does not mean that aspiring criminals will have an easy time setting up their first botnet. The code is nothing more than a brief guide as to how things will unfold, assuming people put in enough effort to make it work. That doesn’t mean, however, that there is no steep learning curve attached to this process.

Setting up the Mirai source code requires a minimum of four different servers and a certain level of expertise. Now that the solution has been open sourced, criminals have started developing new tools and features for the community. Unfortunately for aspiring internet criminals, this makes setting up the source code even more difficult.

But there is a silver lining for those who are not willing to invest a lot of time into researching the source code and its intricate working. Botnet-as-a-service is a booming business, even though hackers are charging steep prices for this service. Some will even go as far as offering technical support to set up the source code.

To put this into perspective, HackForums contained one particular listing which charged over US$700 for setting up Mirai on behalf of someone else. This included six hours of work to set up servers and conduct quality checks. This is not the biggest investment for a potentially successful criminal operation, although it may put off a lot of people.

DDoS service providers are posing a very significant threat to online companies and users alike. Everyone and everything in the world can be knocked offline if the attack is powerful enough. By offering this business as a service, it is not unlikely that DDoS attacks will become far more widespread than ever before. Mirai’s source code is a significant threat, and it looks like things are only getting worse over time.


Source: http://themerkle.com/mirai-source-code-boosts-popularity-of-ddos-as-a-service-criminal-activity/

Ransomware demands are working, fueling an increase in attacks

Infoblox DNS Threat Index finds criminals are creating more ransomware-domains than ever, and predicts a continuing increase in attacks as more criminals rush to cash in. 


Emboldened by the wave of successful ransomware attacks in early 2016, more cybercriminals are rushing to take advantage of this lucrative crime spree.

Networking company Infoblox’s quarterly threat index shows cybercriminals have been busy in the first quarter of 2016 creating new domains and subdomains and hijacking legitimate ones to build up their ransomware operations.

The number of domains serving up ransomware increased 35-fold in the first three months of 2016 compared to the end of 2015, according to the latest Infoblox DNS Threat Index. The index doesn’t measure actual attack volumes but observes malicious infrastructure — the domains used in individual campaigns. Criminals are constantly creating new domains and subdomains to stay ahead of blacklists and other security filters. The fact that the attack infrastructure for ransomware is growing is a good indicator that more cybercriminals are shifting their energies to these operations.

“There is an old adage that success begets success, and it seems to apply to malware as in any other corner of life,” Infoblox researchers wrote in the report.

The threat index hit an all-time high of 137 in the first quarter of 2016, compared to 128 in fourth quarter 2015. While there was a lot of activity creating infrastructure for all types of attacks, including malware, exploit kits, phishing, distributed denial-of-service, and data exfiltration, the explosion of ransomware-specific domains helped propel the overall threat index higher, Infoblox said in its report. Ransomware-related domains, which include those hosting the actual download and those that act as command-and-control servers for infected machines, accounted for 60 percent of the entire malware category.

“Again in simple terms: Ransomware is working,” the report said.

Instead of targeting consumers and small businesses in “small-dollar heists,” cybercriminals are shifting toward “industrial-scale, big-money” attacks on commercial entities, said Rod Rasmussen, vice president of cybersecurity at Infoblox. Cybercriminals don’t need to infect several victims for $500 each if a single hospital can net them $17,000 in bitcoin, for example.

The latest estimates from the FBI show ransomware cost victims $209 million in the first quarter of 2016, compared to $24 million for all of 2015. That doesn’t cover only the ransoms paid out — it also includes costs of downtime, the time required to clean off the infection, and resources spent recovering systems from backup.

Toward the end of 2015, Infoblox researchers observed that cybercriminals appeared to have abandoned the “plant/harvest cycle,” where they spent a few months building up the attack infrastructure, then a few months reaping the rewards before starting all over again. That seems to be the case in 2016, as there was no meaningful lull in newly created threats and new threats — such as ransomware — jumped to new highs. The harvest period seems to be less and less necessary, as criminals get more efficient shifting from task to task, from creating domains, hijacking legitimate domains, creating and distributing malware, stealing data, and generally causing harm to their victims.


“Unfortunately, these elevated threat levels are probably with us for the foreseeable future — it’s only the nature of the threat that will change from quarter to quarter,” Infoblox wrote.

Ransomware may be the fastest-growing segment of attacks, but it still accounts for a small piece of the overall attack infrastructure. Exploit kits remain the biggest threat, accounting for more than 50 percent of the overall index, with Angler leading the way. Angler is the toolkit commonly used in malvertising attacks, where malicious advertisements are injected into third-party advertising networks and victims are compromised by navigating to websites displaying those ads. Neutrino is also gaining popularity among cybercriminals. However, the lines are blurring as Neutrino is jumping into ransomware, as recent campaigns delivered ransomware, such as Locky, Teslacrypt, Cryptolocker2, and Kovter, to victims.

Recently, multiple reports have touted ransomware’s rapid growth, but what gets lost is that ransomware isn’t the most prevalent threat facing enterprises today. Organizations are more likely to see phishing attacks, exploit kits, and other types of malware, such as backdoors, Trojans, and keyloggers. Note Microsoft’s recent research, which noted that in 2015, ransomware accounted for less than 1 percent of malware. The encounter rate for ransomware jumped 50 percent over the second half of 2015, but that is going from 0.26 percent of attacks to 0.4 percent. Even if there are 35 times more attacks in 2016, that’s still a relatively small number compared to all other attacks.

The good news is that staying ahead of ransomware requires the same steps as basic malware prevention: tightening security measures, keeping software up-to-date, and maintaining clean backups.

“Unless and until companies figure out how to guard against ransomware — and certainly not reward the attack — we expect it to continue its successful run,” warned the report.


Source: http://www.infoworld.com/article/3077859/security/ransomware-demands-are-working-fueling-an-increase-in-attacks.html

HACKERS TARGET CZECH REPUBLIC GOV’T SITES OVER PLANS TO BLOCK GAMBLING DOMAINS

Hackers have attacked Czech Republic government websites to protest the country’s decision to block the domains of unauthorized online gambling operators.

Last week, the Czech senate overwhelmingly approved the country’s new gambling legislation, which would open up the market to international online operators for the first time, while imposing blocks on the domains of sites not holding a Czech license.

On Tuesday, Novinky.cz reported that the Senate’s official website Senat.cz had been knocked offline Monday night following a distributed denial of service (DDoS) attack by someone claiming to be associated with the Anonymous hackers collective.

An English-language statement accompanying the attack claimed that the Senate’s website had been targeted “because you passed a law to prevent free access to the Internet.” The statement warned that this wasn’t the last time the government would hear from the hackers on this issue.

The Czech News Agency reported that the attack also affected websites belonging to the Interior Ministry and its affiliated police and firefighters’ organizations, as well as the Social Democratic Party (CSSD), which holds a majority in the Czech parliament.

A CSSD spokesman dismissed the disruption as “no massive, dangerous or successful attack,” while claiming that the average visitor to the party’s website wouldn’t have noticed anything was amiss.

The Interior Ministry brushed off the “unsuccessful attempts” at public disruption, saying they’d managed to restore their website’s functionality within a few hours. The ministry said its information systems weren’t affected and steps were being taken to ensure defenses were in place against future attacks.

The Canadian province of Quebec may wish to take similar precautions. Last month, the province approved the Ministry of Finance’s proposal to block unauthorized gambling sites in a bid to bolster the bottom line of EspaceJeux, the online gambling site of provincial gaming monopoly Loto-Quebec.

Loto-Quebec’s plans, which have no precedent in Canada, have been condemned by free-speech advocates, who wonder what other types of websites might be next on the province’s blacklist.


Source: http://calvinayre.com/2016/06/01/business/hackers-target-czech-republic-plans-gambling-domains/

Hayden: Russian cyber sophistication derives from criminal groups

Russia is one of the most sophisticated nation-states in cyberspace in part because of its ability to enlist cyber-criminal groups to do its bidding, said retired Gen. Michael Hayden, former head of the CIA and National Security Agency.

“The Chinese have scale, the Russians have skill,” Hayden said May 24 at a conference in Washington hosted by Gigamon. That assessment echoes what Adm. Michael Rogers, the current NSA director, has told Congress.

Hayden likened Russian President Vladimir Putin’s alleged sponsorship of criminal hackers to the patronage Don Vito Corleone provides associates in the popular film The Godfather.

“Don Vladimir has allowed the criminal gangs to survive and flourish without legal interference as long as they go outward,” Hayden said. “And from time to time the Don then has need of their services.”

Analysts and U.S. lawmakers have pointed to close ties between the Russian government and cybercriminal groups to the point of blurring the lines of attribution. Some have blamed Russia for a December hack of the Ukrainian power grid, which affected 225,000 customers.

The different bilateral relationships Washington has with Moscow and Beijing have dictated different U.S. policy responses to alleged state-sponsored cyber operations.

The U.S. and China last September agreed to not “knowingly support cyber-enabled theft of intellectual property,” something U.S. lawmakers have long accused China of doing. But with the U.S. government already heavily sanctioning Russia, such a bilateral agreement with Moscow seems unlikely.

“The relationship with Russia is such [that] I don’t know how you do that,” Hayden said.

In an April Senate hearing, Rogers, the current NSA director, told lawmakers that of nation-states, Russia “probably has the most active criminal element with … the greatest capability.” Asked if the Russia government was doing anything to combat cyber criminals on its turf, Rogers replied with a smile, “I would only say it doesn’t appear to be getting much better.”

Analysts such as NSS Labs CEO Vikram Phatak have argued that in a relatively lawless field, the U.S. government should embrace hackers who otherwise wouldn’t pass a background check. Although U.S. military and intelligence agencies have talented personnel, they don’t have “the kind of operational experience that the Russian mob has or the Chinese mob has,” Phatak told FCW earlier this year.

When asked if the U.S. government should give its computer operatives freer rein to go after Russian targets, Hayden was circumspect. “You cannot create symmetric effects in the Russian economy compared to what they can do in our economy,” he told FCW after his remarks.

Stuxnet a ‘poster child’ for certain hacks

Hayden’s remarks underscored the legal and normative ambiguity in cyberspace.

The United States is “incredibly aggressive in the cyber domain. We steal other nations’ data,” but not for commercial gain, he said.

U.S. officials suspect Chinese hackers were behind the breach of at least 22 million U.S. government records at the Office of Personnel Management. Hayden indicated he was jealous of that data heist.

“If I could have done this against a comparable Chinese database when I was director of NSA, I would have done it in a heartbeat,” the former Air Force general said.

During his remarks, Hayden described Stuxnet, the computer worm reportedly developed by the U.S. and Israel to destroy Iran's nuclear centrifuges, as the "poster child" for hacks with physical-world implications. He told FCW afterward that the distributed denial-of-service attacks that hit the U.S. financial sector from 2011 to 2013, which were allegedly carried out by Iranian hackers, were retribution for Stuxnet.

Hayden declined to confirm or deny U.S. involvement in Stuxnet, but said the net trade-off — hampered Iranian centrifuges versus financial loss inflicted by the DDoS attacks — was in U.S. interests. Banks spent tens of millions of dollars in response to those attacks, according to the FBI.

Source: https://fcw.com/articles/2016/05/24/hayden-russia-cyber.aspx

Anonymous Announces #OpSilence, Month-Long Attacks on Mainstream Media

Members of the Ghost Squad Hackers team, one of the most active Anonymous sub-divisions, have carried out DDoS attacks on CNN and FOX News as part of a new hacktivism campaign.

Called OpSilence, the campaign’s goal is to attack all mainstream media that fails to report on the Palestine war or the true crimes happening in Syria, one of the hackers told Mic.

#OpSilence will take place during the entire month of June 2016

The operation will be run similarly to #OpIcarus, a month-long series of attacks that took place in the month of May against various banks around the world.

Any hacktivism group is welcomed to join, and the campaign comes on the heels of OpIcarus, which just ended yesterday.

Ghost Squad Hackers didn’t wait for June to start to begin their attacks, and they’ve already hit the email servers of FOX News and CNN. The group has been changing tactics lately, switching from DDoSing public websites to attacking mail servers, as they did most recently against the Bank of England.

Other hackers have taken a pro-Palestine stance before

Taking a pro-Palestine stance isn't something strange for hackers, as many others support this cause as well. The previous group that did so was CWA (Crackas With Attitude), whose hacked targets include CIA Director John Brennan's personal AOL email account, FBI Deputy Director Mark Giuliano, US National Intelligence Director James Clapper, and President Barack Obama's Senior Advisor on science and technology John Holdren.

The group is also responsible for hacking the JABS US national arrests database. They also leaked details for 2,400 US government officials, 80 Miami police officers, 9,000 DHS employees, and 20,000 FBI staffers.

Back in February, the group’s leader, a sixteen-year-old boy, was arrested in East Midlands, England.

External Source: http://www.ddosattacks.net/anonymous-announces-opsilence-month-long-attacks-on-mainstream-media/


Internal source: http://news.softpedia.com/news/anonymous-announces-opsilence-month-long-attacks-on-mainstream-media-504760.shtml

First stage of CIS counterterrorism exercises Cyber Anti-terror 2016 over

MOSCOW, 26 May (BelTA) – The special services of the CIS member states have carried out the first stage of the CIS counter-terrorism exercise Cyber Anti-terror 2016, the press service of the CIS Anti-Terrorism Center told BelTA.

According to the source, security agencies and special services of the CIS member states carried out a number of search and response actions, coordinated by the CIS Anti-Terrorism Center, to detect and suppress acts of cyber-terrorism as part of the first stage of the exercise on 23-25 May. In particular, with the assistance of the CIS Anti-Terrorism Center, experts from Armenia, Belarus, Kazakhstan, Kyrgyzstan, and Russia practiced the detection and filtering of DDoS attacks staged by imaginary terrorists against a critical piece of infrastructure (a power engineering installation) located in Belarus.

The experts determined the IP subnets of the accomplices of the imaginary terrorists and their geographical locations. They then used minimal data provided by the collective-access information systems of the CIS states, including the specialized database of the CIS Anti-Terrorism Center and fingerprint databases, to determine the identity of the cyber-terrorists, document their illegal activities, and prevent their attempt to disrupt control of the critical installation. The efforts resulted in the simultaneous arrest of the imaginary cyber-terrorists in Armenia, Belarus, Kazakhstan, Kyrgyzstan, and the Russian Federation. The equipment they used to commit the crimes was seized.

Results of the first stage of the exercise will be summed up when top officers of the counter-terrorism units of the security agencies and special services of the CIS member states convene in Minsk on 31 May – 2 June. A counter-terrorism operation will then be staged to free hostages and neutralize terrorists at a strategically important installation (the Lukoml state district power plant).

The press service of the CIS Anti-Terrorism Center told BelTA that joint counter-terrorism exercises are an important component of practical interaction between the member states of the Commonwealth of Independent States. The main purpose of the exercises is to improve the readiness of security agencies, special services, and other power-wielding agencies of the CIS member states to work together to counteract terrorist threats and challenges. Practical experience is accumulated and best practices are shared during such exercises.


Source: http://eng.belta.by/society/view/first-stage-of-cis-counterterrorism-exercise-cyber-antiterror-2016-over-91638-2016/

U.S. Spending Heavily to Counter Deadly DDoS Cyber Attacks by Foreign Foes

The U.S. Defense Advanced Research Projects Agency (DARPA) is spending heavily to automate the cyber defense responses of the U.S. military to counter distributed denial-of-service (DDoS) attacks that are widely expected to precede a limited armed conflict or a full-scale war with another nation.

DARPA’s answer to this deadly threat is Extreme DDoS Defense or XD3. This program will alter the way the military protects its networks from high- and low-speed DDoS attacks. The general public and private business firms will also benefit from this program.

A DDoS attack occurs when multiple systems flood the bandwidth or resources of a targeted system, such as the Pentagon's web servers. These attacks are difficult to thwart because many machines are used to overwhelm a single target. They are also difficult to deal with because responses to DDoS attacks are usually delayed and manually driven.

Over the past seven months, DARPA has awarded seven XD3 multi-million dollar contracts to Georgia Tech, George Mason University, Invincea Labs, Raytheon BBN, Vencore Labs and the University of Pennsylvania.

DARPA said the nature of DDoS attacks spans a wide range. Botnet-induced volumetric attacks, which can generate hundreds of gigabits per second of malicious traffic, are perhaps the best-known form of DDoS.

“However, low-volume DDoS attacks can be even more pernicious and problematic from a defensive standpoint. Such attacks target specific applications, protocols or state-machine behaviors while relying on traffic sparseness (or seemingly innocuous message transmission) to evade traditional intrusion-detection techniques.”

DARPA noted the current art in DDoS defense generally relies on combinations of network-based filtering, traffic diversion and “scrubbing” or replication of stored data (or the logical points of connectivity used to access the data) to dilute volumetric attacks and provide diverse access for legitimate users.

It said these approaches fall well short of desired capabilities in terms of response times and the ability to identify and thwart low-volume DDoS. Current methods also cannot stop DDoS carried within encrypted traffic. There is also a need to defend real-time transactional services such as those associated with military command and control.

DARPA laments that responses to DDoS attacks are too slow and manually driven.

Diagnosing an attack and formulating and deploying filtering rules often takes hours. This means a clear need exists for fundamentally new DDoS defenses with far greater resilience to DDoS attacks across a broader range of contexts than existing approaches or evolutionary extensions of them can provide.

Source: http://www.chinatopix.com/articles/88761/20160526/u-s-spending-heavily-counter-deadly-ddos-cyber-attacks.htm