STE WILLIAMS

A former student at the College of St. Rose pleaded guilty this week to a February computer attack that destroyed $51,109 worth of computer and peripheral equipment and cost the New York college $7,362 in employee time spent in investigation and remediation. The attack vector was the USB port found in all of the computers, monitors, and computer-enhanced podiums hit in the attack.

Vishwanath Akuthota, a 27-year-old Indian national, shot video of himself during part of the campaign in which he used a USB killer — a USB stick that contains a capacitor that stores electricity then rapidly discharges it into a USB port, damaging or destroying the host computer.

Akuthota, a 2017 MBA graduate of the college, was arrested in February and is scheduled to be sentenced on August 12.

For more, read here and here.

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/former-student-admits-to-usb-killer-attack/d/d-id/1334469?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A sophisticated state-sponsored hacking group is intercepting and redirecting Web and email traffic of targeted organizations in over a dozen countries in a brazen DNS hijacking campaign that has heightened fears over vulnerabilities in the Internet’s core infrastructure.

Since 2017, the threat group has compromised at least 40 organizations in 13 countries concentrated in the Middle East and North Africa, researchers from Cisco Talos said Wednesday.

In each case, the attackers gained access to, and changed DNS (Domain Name System) records of, the victim organizations so their Internet traffic was routed through attacker-controlled servers. From there, it was inspected and manipulated before being sent to the legitimate destination.  

Most of the victims of the “Sea Turtle” campaign – as Cisco Talos is calling it – are national security-related and include ministries of foreign affairs, intelligence agencies, and military organizations.

The Sea Turtle group has also successfully targeted numerous third-party entities such as DNS registrars, Internet service providers, and telecommunication companies that provide access to its primary targets. Among this secondary set of victims is, for the very first time, a DNS registry service—an entity that manages Top Level Domains (TLD) such as .com domains.

The primary motive for the Sea Turtle campaign appears to be cyber espionage. “We assess with high confidence that this activity is being carried out by an advanced, state-sponsored actor that seeks to obtain persistent access to sensitive networks and systems,” the security vendor said in a report.

Craig Williams, director of outreach at Talos, says the manner in which the attackers have been updating the DNS records make it appear as if the owner is simply pointing their domain at another server. This would typically appear to be normal activity.

“The takeaway for the enterprise is to ensure you have your domains locked down with a registry lock and have multifactor authentication on wherever possible,” Williams says.

“This is also a great reminder that everyone needs to turn on automatic updates where possible, and if that isn’t possible, ensure there are extra defensive layers in place,” he says.

Mounting Worries

Concerns over DNS-level attacks have been growing in recent months.

In January, the US Department of Homeland Security issued an emergency directive directing administrators of all .gov and other agency-managed domains to audit their public DNS records to ensure the records had not been manipulated. The directive also required .gov domains to change DNS account passwords and implement multi-factor authentication. The directive was prompted by what the DHS described as a series of incidents of DNS infrastructure-tampering involving multiple executive branch agencies.

In a separate advisory also in January, the DHS warned of attackers changing DNS records at many organizations by using credentials stolen from enterprise administrators with legitimate access to those records. In these incidents, the attackers were altering DNS records like Name Server (NS) records, DNS A (Address) records, and MX or Mail Exchanger records.

That particular DHS advisory stemmed from warnings by several vendors including Cisco Talos and FireEye of DNS redirection attacks. The Talos warning had to do with a campaign targeting organizations in the Middle East, where attackers were using a malware dubbed DNSpionage to redirect a targeted website’s traffic.

FireEye’s warning pertained to a likely Iran-based threat actor carrying out a massive DNS traffic redirection campaign once again focused on Middle East targets.

According to Talos researchers, the Sea Turtle campaign is different from and more severe than DNSpionage and other previous DNS hijacking campaigns.

Typical attacks have begun with Sea Turtle actors gaining initial access to a targeted entity either by exploiting known remote-code execution vulnerabilities, or via spear-phishing emails. Once on a network, the group’s tactic is to expand its access until it can grab credentials for accessing the breached organization’s DNS records at the registrar managing them.

Sea Turtle actors then use the stolen credentials to modify the DNS name server record and point users to a man-in-the-middle server under the attacker’s control for capturing credentials and other information. The MitM server is usually set up to spoof a legitimate service – like a VPN, for instance.

To make the malicious server appear legitimate, Sea Turtle actors have been using a technique called certificate impersonation, where the attackers obtain a valid, signed digital certificate from another certificate provider for the same domain. “For example, if a DigiCert certificate protected a website, the threat actors would obtain a certificate for the same domain but from another provider,” Talos said.

The attackers have also been stealing the breached organization’s SSL certificate and using it on their own servers to carry out MitM attacks. In one instance, Cisco Talos discovered one of the company’s own VPN applications being used in MitM attacks.

Dangerous Turn

In addition to accessing enterprise DNS records using stolen credentials, Sea Turtle actors have also been directly targeting DNS registrars and registries as well. One example is NetNod, a Swedish DNS service provider. In another incident, Sea Turtle actors gained access to registrars that manage top-level domains for Armenia.

Such attacks are of considerably more concern than DNS modification attacks involving a single organization’s credentials. “Access to a registrar can have catastrophic consequences since the attacker may be able to modify where domains point,” Williams says.

DNS hijacking attacks are certainly not new. Threat actors have been previously known to modify DNS records and redirect traffic for a variety of reasons. The concern is whether such attacks are going to increase, and the damage that could result from a compromise of a major DNS registry or registrar. 

“My experience indicates that compromising network admin credentials by some means such as phishing and using those to log in to the DNS provider or registrar” remains the most common and straightforward method for attackers, says Emily Hacker, security researcher at DomainTools. The approach only allows the attacker to manipulate the records for the company whose network admin credentials were phished, she says.

“Alternatively—and less commonly—an attacker could get the admin credentials for a registrar, registry, or hosting provider, which would then allow them to manipulate records for any and all DNS records managed by that particular service” Hacker says.

Related Content:

• DNS Hijacking Campaign Targets Organizations Globally
• New Hacker Group Behind ‘DNSpionage’ Attacks in Middle East
• Iranian Hacker Group Waging Widespread Espionage Campaign in Middle East
• 6 Reasons to Be Wary of Encryption in Your Enterprise

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/nation-state-hacker-group-hijacking-dns-to-redirect-email-web-traffic/d/d-id/1334462?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

For years, cybercriminals have used the Dark Web as a platform for devising new ways to steal data, break into IT systems, and abuse victims’ identities. As they explore new techniques, their “how-to” instructions for crime are preserved in guides and tutorials on Dark Web markets.

Researchers at Terbium Labs analyzed roughly 30,000 guides and more than 15,000 supporting files to learn how cybercriminals teach and sell these skills, plus how this insight can help businesses.

“The guides provide unique insights into how cybercriminals think, talk, and operate on the Dark Web,” says Emily Wilson, vice president of research, in a statement. By evaluating the content of these guides, companies can better defend against their techniques.

The resulting report sheds light on the types of data fraudsters value most. Email addresses are the single most valuable data type, the researchers concluded, based on mentions of this data type that most often appear in isolation. Email addresses give hackers a reliable, unique identifier for phishing campaigns, account takeover, and other attacks intended to commit fraud.

Payment cards, cited in 36% of guides analyzed, are the most common financial data type. Cybercriminals prefer credit to debit cards 85% of the time; debit cards often come with limitations that make it difficult to defraud their owners. Social Security numbers are also valuable but less in demand than usernames, passwords, and email addresses.

Keywords related to personal data appeared in 55.7% of fraud guides, more so than financial information keywords, which appeared in 44.3% of guides. Researchers note personal data is most often used in relation to existing financial accounts or as a means to open new accounts.

Read more details here.

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/inside-the-dark-webs-how-to-guides-for-teaching-fraud/d/d-id/1334458?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Websites increasingly have to watch out for automated programs posing as human visitors — in other words, bots, which continue to become more sophisticated, according to a new report from bot mitigation firm Distil Networks.

While bot traffic has fallen as an overall percentage of visits to websites, the automated programs have become more sophisticated in their attempts to appear human. Financial firms, ticketing services, and educational sites see anywhere from 38% to 42% of their traffic come from bots, and both ticketing and healthcare top the industries targeted by the most sophisticated bots, according to the “2019 Bad Bot Report,” based on data Distil collected during 2018.

“Bots are moving from the traditional scraping and ticketing and airlines bots, which are the industries that have been the most victimized up to now,” says Edward Roberts, senior director of product marketing at Distil. “They are now moving to these other industries, and we have seen a lot of fraud cases in those markets.”

Automated programs have been a key component of the Internet economy, albeit inhabiting a gray area of information collection. From automating port scanning, to collecting price information from e-commerce hubs, to the site indexing and scannings done by Google, bots have become the basis for many Internet firms’ business models. 

Good bots do not harm the business models of those companies from which they scrape data. But bad bots are collecting information on behalf of competitors or, worse, are the vehicle for outright fraud. Criminals can use bots, for example, to test usernames and passwords, fraudulently boost product ratings, or conduct ad fraud. 

“Many companies are finally recognizing that they are under attack,” says Amy DeMartine, principal analyst for application security at market research firm Forrester. “They go from not caring whatsoever to needing a solution right now. The problem is that they were under attack all along and didn’t realize that until a specific incident.”

There are some indications of improvement. Over the past year, humans have taken back a significant portion of Web visits, accounting for 62% of all traffic (up from 55% in 2017). The gains represent a flip flop from five years ago, when bots made up about 60% of all traffic, according to Distil’s report.

Yet the sophistication of bots continues to increase. In November, for example, bot detection firm White Ops announced it had found a large-scale ad fraud operation, dubbed 3ve, powered by compromised PCs that drove billions of daily ad requests and netted between $3 million and $5 million per day. The investigation led to the arrests of three men and criminal charges against five more people.

More than 21% of all bad bots are considered sophisticated, according to Distil.

In another recent report, Internet infrastructure firm Akamai also warned of the increasing sophistication of bots and the operations behind them. The company found that bad bots are increasing trying to appear human or, at least, mask their origins by changing Internet addresses and modifying their digital fingerprints to match known-good applications.

“The complexity of attacking bots, rather than the volume, should be what concerns defenders most,” says Martin McKeay, security researcher and editorial director at Akamai. “Bot development has moved from being an individual working on her own tools into a methodology that would’t be unfamiliar to many teams in the DevOps world. The organizations selling bots are actively looking for developers with skills related to individual businesses and overcoming defenses by name.”

The most sophisticated bots are impacting the ticketing business and healthcare, according to Distil. Nearly 28% of the bad bots scraping ticketing sites and reserving tickets are programs that use mouse movements, browser automation software, and malware-infected PCs to camouflage themselves as human traffic, according to Distil.

The existence of a great deal of sensitive personally identifiable information (PII) makes healthcare potentially lucrative, Distil’s Roberts says. 

“Once you gather the PII, you can get a good profile of that person,” he says. “If you are in healthcare, someone can get information on insurance and health conditions or fulfill a prescription that way. It is an area ripe for abuse.”

While relatively new, it is a popular target for more advanced techniques, with 24% of bad bots considered “sophisticated,” according to Distil’s report.

Related Content

• Bots Plague Ticketing Industry
• Some Airline Flight Online Check-in Links Expose Passenger Data
• Google, White Ops, Industry Players Dismantle 3ve Ad Fraud Operation
• Bad Bots Increasingly Hide Out in Cloud Data Centers
• Bad Bots Up Their Human Impersonation Game

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/advanced-threats/ever-sophisticated-bad-bots-target-healthcare-ticketing/d/d-id/1334453?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple