STE WILLIAMS

Android takes aim at ISP surveillance with DNS privacy

Having badgered website owners to implement HTTPS privacy, it looks as if Google now wants to do something similar for DNS (Domain Name System) queries.

The evidence is a small submission to the AOSP development site that mentions adding Android support for DNS-over-TLS, an emerging industry standard for encrypting DNS queries, first submitted for Internet Engineering Task Force (IETF) discussion in 2015.

DNS, of course, is the system through which an easily readable internet domain (such as example.org) is resolved to the underlying IP address that computers care about (93.184.216.34 in this case). It happens every time you email somebody or type a URL into a web browser, and it usually happens so swiftly nobody notices it.

Unfortunately, DNS queries are sent out onto the internet in the clear, which means that they can be tracked and altered by Man-in-the-Middle (MitM) attacks, and that every website visit you make can be logged by your ISP or VPN provider and, through them, by advertisers and governments.

In the UK, ISPs are legally required under the Investigatory Powers Act (IPA), which came into force in November 2016, to keep 12 months of records of which websites customers have visited, so this lack of privacy is more than theoretical.

Over the years, there has been no shortage of ideas about how DNS requests could be secured, including DNSCurve, Confidential DNS, DNS-over-DTLS (DNSoD), DNSCrypt and, more recently, DNS-over-TLS (none of which should be confused with DNSSEC, a separate DNS security initiative aimed at making sure you get a DNS response you can trust).

The obvious problem with these is that there are too many of them, which is why the IETF decided to back DNS-over-TLS in order to get things moving.

The attraction of DNS-over-TLS is that it is very similar in its workings to HTTPS, the secure web browsing protocol: it uses the same Transport Layer Security (TLS) protocol over TCP, albeit on port 853 rather than 443. Like HTTPS, all that is needed to make it work is that both you and the DNS server you’re talking to support it.
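To make the "same protocol, different port" point concrete, here is a minimal DNS-over-TLS client written for this article as an added example (it is not code from Google, Android or the IETF). It shows that the DNS message itself is unchanged: the query is built in ordinary wire format, prefixed with the two-byte length that DNS already uses over TCP, and simply sent inside a verified TLS session on port 853. The resolver address and hostname passed to resolve_over_tls are assumptions you supply; the sample answer is constructed for offline testing, not captured traffic.

```python
"""Minimal DNS-over-TLS (RFC 7858) client, added as an illustration.

Builds a wire-format A query, frames it the way DNS over TCP does, sends it
over TLS on port 853 with certificate and hostname verification, and parses
the answer. The constructed_response() helper fabricates a reply so the
parsing path can be exercised without network access.
"""
import socket
import ssl
import struct

DOT_PORT = 853  # DNS-over-TLS port named in the article; plain DNS uses 53


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a standard recursive A/IN query for `name` in DNS wire format."""
    # flags 0x0100 = RD (recursion desired); one question, no other records
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"                      # root label terminates the name
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def frame(msg: bytes) -> bytes:
    """DNS over TCP, and therefore over TLS, prefixes each message with a
    16-bit big-endian length so the receiver knows where it ends."""
    return struct.pack("!H", len(msg)) + msg


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:         # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes, txid: int) -> list:
    """Extract IPv4 addresses from the answer section, checking the
    transaction id so a stray or mismatched reply is not accepted."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:                    # RCODE in the low 4 bits
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):                   # skip the echoed question(s)
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def resolve_over_tls(name: str, server: str, hostname: str,
                     txid: int = 0x1234, timeout: float = 5.0) -> list:
    """Resolve `name` via the DoT resolver at `server` (assumed values).
    `hostname` is what the resolver's certificate must match."""
    ctx = ssl.create_default_context()    # verifies chain and hostname
    with socket.create_connection((server, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(frame(build_query(name, txid)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_a_records(_recv_exact(tls, length), txid)


def constructed_response(txid: int = 0x1234) -> bytes:
    """Constructed sample answer (not captured traffic) mapping example.org
    to 93.184.216.34, the pair used in the article, for offline testing."""
    question = build_query("example.org", txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA
    answer = (b"\xc0\x0c"                                # pointer to qname
              + struct.pack("!HHIH", 1, 1, 3600, 4)
              + socket.inet_aton("93.184.216.34"))
    return header + question + answer


if __name__ == "__main__":
    import sys
    # usage: python dot_client.py <resolver-ip> <resolver-hostname> <name>
    # resolver values are placeholders for whatever DoT server you trust
    print(resolve_over_tls(sys.argv[3], sys.argv[1], sys.argv[2]))
```

Note that ssl.create_default_context() also sends the resolver's hostname as SNI in the TLS handshake, the same cleartext leak the article describes for HTTPS.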

Of course, it’s possible to defeat ISP surveillance by using a VPN (Virtual Private Network) to create an encrypted network “tunnel” that your ISP can’t peer into. These do offer a secure connection but with limitations. First, the VPN provider can still see the DNS queries (and may pass them on, if asked to) so you’re simply moving your trust from the ISP to the VPN provider and, second, DNS data can still “leak” for a variety of technical reasons.

Even if your DNS lookups are protected by DNS-over-TLS, the domains you’re connecting to can still leak thanks to Server Name Indication (SNI), a TLS feature used by servers hosting multiple HTTPS websites. SNI sends the domain name in the clear during the TLS ‘handshake’ that establishes an HTTPS connection. Unless a VPN is being used, ISPs can see this.

The good news is that the IETF is working on a way of encrypting this too but the issue underlines how closing a door can open a smaller one that eventually needs closing too.

Right now, the only servers that support DNS-over-TLS are test systems – even Google’s DNS service doesn’t support it yet. Until support improves, full implementation in smartphones could be some way off.

But the mere fact it is in Android at all is a powerful signal to the industry that DNS privacy now has a powerful backer. The company’s stated ambition is an entirely encrypted web, and DNS has become a glaring hole in that coverage.

As with SNI, closing that hole still leaves a smaller one unclosed.

Tunnelling your DNS requests through DNS-over-TLS will hide your lookups from both your ISP and your VPN provider, but not your DNS provider.

One of the most popular third-party DNS providers is Google, via its public IPv4 servers at 8.8.4.4 and 8.8.8.8. If you connect to them using DNS-over-TLS you are sharing the information you’re keeping from your ISP with Google.

It took years for HTTPS to reach its current level of popularity, partly because companies moaned about the overhead it imposed (a myth that quickly exploded when companies knuckled down to doing it). For a while it looked as if DNS-over-TLS could turn into a similar slog but Google’s backing in Android has surely changed the calculation.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/QqbpdhR95UQ/

Honolulu gets tough on people texting while crossing

Honolulu is legislating survival of the fittest by fining the oblivious up to $99 for texting while crossing the street.

That’s right: the Hawaiian city wants gadget-distracted pedestrians to actually look up from their phones instead of being turned into past-tense pancakes.

The bill (PDF), which went into effect on Wednesday, states that “no pedestrian shall cross a street or highway while viewing a mobile electronic device.”

That includes all you gamers, anybody who’s rigged up their laptop so they can stare at it and walk (how do you even do that? Does it involve a harness? Where does your coffee go?), any text messaging device, pagers, personal digital assistants or digital cameras. Audio equipment is OK. And yes, you can keep yammering on the phone. You just can’t look down at it while simultaneously walking in front of a screaming wall of metal.

If you do, the first fine will cost you up to $35 (£26.41), up to $75 for your second, and $99 if you still haven’t reformed your eyeballs before police catch you a third time. Emergency responders are off the hook with this one: they can look at devices while in the line of duty.

What business do we have writing about this at a cybersecurity blog? Oh, this is computer security, all right. It’s just a moister variety of computer security: less ones and zeros, more what Naked Security’s Mark Stockley described as “I pondered upon the unfathomable nature of my iPhone’s encrypted bits as it split asunder, squeezed between the blunt end of a Humvee and my suddenly much wider and shallower rib cage.”

Honolulu wasn’t the first to give this a go. And its fines are nothing. Another bill was introduced last year in Hawaii that would fine someone $250 for crossing the street while using an electronic device. New Jersey tried to ban distracted walking last year, and it was ready to not only fine the guilty but to throw them in jail for 15 days.

The tiny Idaho city of Rexburg has banned texting or using a cell phone while crossing a street and will fine offenders $50 for the first offense and $150 for each subsequent offense. Boston Globe has others on its list: Fort Lee, New Jersey; and the Utah Transit Authority (you can’t distracted-walk across the train tracks).

The look-up-for-cripe’s-sake movement is snowballing for a good reason: it’s funny in a cartoony way until it’s very not funny at all.

Preliminary 2016 data from an annual study (PDF) by the Governors Highway Safety Association found that an estimated 5,997 pedestrian fatalities occurred during 2016, compared with 5,376 in 2015 and 4,910 in 2014.

A report from the National Safety Council found that distracted walking incidents involving mobile phones accounted for an estimated 11,101 injuries from 2000 through 2011.

Most people were talking on the phone when they were injured. Twelve percent were texting. Nearly 80% of these pedestrians hurt themselves by falling, and 9% by walking into something.

Short of outlawing the palm-warmers of the phone-addicted, some places have tried to get creative: Antwerp in Belgium, Utah Valley University, and the Chinese city of Chongqing have all painted lanes on sidewalks for the Walking Dead.

Other places, such as London, have tried padded lamp posts to soften seemingly inevitable collisions between distracted pedestrians and inanimate objects.

Why can’t we stop? What do we get out of that screen? A hit of dopamine?

There’s got to be a better way to get our jollies: a less crunchy way, preferably, with no fines attached. I’d say “the warm smile of a child” or “birds singing on the phone wires overhead,” but I don’t want you to look up instead of where you’re going. That gets us back to cartoony.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Cp4ujPcgCbg/

Reaper IoT botnet ain’t so scary, contains fewer than 20,000 drones

The Reaper IoT botnet is nowhere near as threatening as previously suggested, according to new research.

Check Point Software Technologies warned last week that a new IoT botnet might have already infected “an estimated million organisations”.

Boffins at Arbor Networks, however, estimate that the actual size of the Reaper botnet tends to fluctuate between 10,000 and 20,000 bots, but warn that this number could change at any time.

An additional 2 million hosts have been identified by the botnet scanners as potential Reaper nodes, but these have not been subsumed into the zombie network for reasons unclear.

Possible explanations include misidentification due to flaws in the scanning code, scalability/performance issues in the Reaper code injection infrastructure, or a deliberate decision by the botmasters to throttle the propagation mechanism.


Arbor researchers reckon Reaper is likely intended for use as a booter/stresser service primarily serving the “intra-China DDoS-for-hire market”.

The malware was first spotted in September by Qihoo 360 Netlab. In the weeks since, the botnet agent has been developed and refined to exploit vulnerabilities in wireless IP-based cameras, routers, storage boxes and Wi-Fi points from vendors including D-Link, TP-Link, Avtech, Netgear, MikroTik, Linksys, and Synology.

In a statement received by The Register late on Thursday, Netgear urged customers to update the software on their devices.

NETGEAR is aware of the IoT Reaper Botnet that is spreading by exploiting vulnerabilities in network-connected products and we are actively monitoring the situation. To protect our customers, NETGEAR does continuously update our products’ software to address potential security vulnerabilities that could be exploited by this type of malware.

The most effective defense against this type of malware is to ensure that the software on your network-connected products is up to date. We strongly recommend that customers visit the NETGEAR support site to check they have the latest update and to follow the instructions for upgrading the firmware/software of their NETGEAR products.

NETGEAR appreciates having security concerns brought to our attention and is constantly monitoring our products to get in front of the latest threats. Being proactive rather than reactive to emerging security issues is a fundamental belief at NETGEAR.

Numbers aren’t everything. It’s estimated that only around 100,000 infected IoT devices serving as part of the Mirai botnet were needed to take out DNS provider Dyn and render many high-profile sites inaccessible as a result of the October 2016 attack. Arbor’s research does, however, suggest that the Reaper IoT botnet is less of a threat than initially believed. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/27/reaper_iot_botnet_follow_up/

UK.gov joins Microsoft in fingering North Korea for WannaCry

The UK government has joined Microsoft in blaming North Korea for the WannaCry ransomware attack.

Security minister Ben Wallace appeared on BBC Radio 4’s flagship Today programme on Friday morning to blame North Korea for the infamous ransomware attack that disrupted the operation of one in three NHS Trusts in England as well as numerous other organisations worldwide. Wallace began by accepting a National Audit Office report that the outbreak could have been prevented by the application of missed patches and adequate firewall defences by NHS Trusts.

“North Korea was the state that we believe was involved in this worldwide attack on our systems,” Wallace said, before adding (when challenged on this attribution by presenter John Humphries): “We can be as sure as possible… I can’t go into the details of our intelligence.”

He added: “It is widely believed across the community and in a number of countries that North Korea had taken this role.”

Wallace went on to say that North Korea had been linked to other attacks aimed at raising foreign currency, a possible reference to either recent attacks on Asian digital currency exchanges or Pyongyang’s counterfeit currency manufacturing operations.

Brad Smith, Microsoft’s president and chief legal officer, also blamed North Korea for the devastating WannaCry ransomware attack in a recent interview with commercial news outlet ITV.

Smith said “all observers in the know” now think Kim Jong-un’s regime used exploits created by and leaked from the US National Security Agency to create the malware [a reference to the Equation Group leak and Shadow Brokers].

Redmond’s president went on to tell ITV that Microsoft was not to blame for the infection of systems using older operating systems, such as Windows XP.

Continued use of Windows XP within the NHS, while initially suspected, was not a factor in the spread of WannaCry. Windows XP machines crashed rather than becoming infected when subjected to WannaCry. Unpatched Windows 7 machines were a far more important factor, it transpired. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/27/uk_gov_wannacry_blame_north_korea/

US voting server in election security probe is mysteriously wiped

Analysis A computer at the center of a lawsuit digging into woeful cyber-security practices during the US presidential election has been wiped.

The server in question is based in Georgia – a state that narrowly backed Donald Trump, giving him 16 electoral votes – and stored the results from the state’s voting systems. The deletion of its data makes it impossible to ascertain whether the computer was compromised.

There is good reason to believe that the computer may have been tampered with: it is 15 years old, and could be harboring all sorts of exploitable software and hardware vulnerabilities. No hard copies of the votes are kept, making the electronic copy the only official record.

It is feared the machine may have been hacked by Russian agents, who have taken a keen interest in the 2016 White House race, or potentially any miscreant on the planet.

While investigating the Kennesaw State University’s Center for Election Systems, which oversees Georgia’s voting system, last year, security researcher Logan Lamb found its system was misconfigured, exposing the state’s entire voter registration records, multiple PDFs with instructions and passwords for election workers, and the software systems used to tally votes cast.

“You could just go to the root of where they were hosting all the files and just download everything without logging in,” he said. He also noted the files had been indexed by Google, making them readily available to anyone looking in the right place.

Despite Lamb letting the election center know of his findings, the security holes were left unpatched for seven months. He later went public after the US security services announced there had been a determined effort by the Russian government to sway the presidential elections, including looking at compromising electronic voting machines.

Let’s have a look

In an effort to force the state to scrap the system, a number of Georgia voters bandied together and sued. They asked for an independent security review of the server, expecting to find flaws that would lend weight to their argument for investment in a more modern and secure system.

But emails released this week following a Freedom of Information Act request reveal that technicians at the election center deleted the server’s data on July 7 – just days after the lawsuit was filed.

The memos reveal multiple references to the data wipe, including a message sent just last week from an assistant state attorney general to the plaintiffs in the case. That same email also notes that backups of the server data were also deleted more than a month after the initial wipe – just as the lawsuit moved to a federal court.

It is unclear who ordered the destruction of the data, and why, but it has raised yet more suspicions of collusion between the Trump campaign team, the Republican Party, and the Russian government.

So far, everyone is claiming ignorance of the event. A spokesperson for Georgia’s secretary of state, Brian Kemp, who is in overall charge, denied having anything to do with the decision. And the election center’s director, Michael Barnes, is refusing to comment.

Since the server was not under a court protection order, the destruction of its data is not illegal but it is extremely suspicious.

As for the information itself, there is one more avenue to recover it: the FBI took a copy of the server’s filesystem contents when it opened an investigation into the system back in March. So far the Feds have refused to say whether they still have that copy. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/26/voting_server_georgia_wiped/

NHS could have ‘fended off’ WannaCry by taking ‘simple steps’ – report

The NHS could have fended off WannaCry “if only it had taken simple steps to protect its computers”, but failed to heed warnings about falling victim to a cyber attack a full year before that incident happened.

This was among the findings of an investigation by the National Audit Office, which today published a report, WannaCry cyber attack and the NHS in England, focused on the impact on Britain’s health service and its patients; why some parts of the NHS were affected; and the effectiveness of the response.

WannaCry hit 34 per cent of health trusts in England, although the full extent of the disruption and financial impact is unknown. Thousands of appointments and operations were cancelled and in five regions of the UK patients had to travel further to accident and emergency departments.

The watchdog found that the health service did not formally respond to the cyber attack warning from early 2016 until July 2017.

Meg Hillier, chair of the Public Accounts Committee, said:

“The NHS could have fended off this attack if it had taken simple steps to protect its computers and medical equipment. Instead, patients and NHS staff suffered widespread disruption, with thousands of appointments and operations cancelled.

“The Department of Health failed to agree a plan with the NHS locally for dealing with cyber attacks so the NHS response came too late in the day.

“The NHS and the Department need to get serious about cyber security or the next incident could be far worse.”

All NHS organisations infected by WannaCry had unpatched or unsupported Windows operating systems so were susceptible to the ransomware.

However, whether organisations had patched their systems or not, taking action to manage their firewalls facing the internet would have guarded organisations against infection, it said.

“NHS Digital told us that the majority of NHS devices infected were unpatched but on supported Microsoft Windows 7 operating systems.”

Unsupported devices, those on XP, were in the minority of identified issues.


NHS Digital has also confirmed that the ransomware spread via the internet, including through the N3 network, the broadband network connecting all NHS sites in England. There were no instances of the ransomware spreading via NHSmail, the health service’s email system.

Back in 2014, the Department of Health and Cabinet Office wrote to trusts saying it was essential they had “robust plans” to migrate from old software, such as Windows XP, by April 2015.

In March and April 2017, NHS Digital issued critical alerts warning organisations to patch their systems to prevent WannaCry. However, before May 12, the Department had no formal mechanism for assessing whether local NHS organisations had complied with its guidance and whether they were prepared for a cyber attack.

Amyas Morse, head of the National Audit Office, said today:

“The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients. It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice.

“There are more sophisticated cyber threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”

In order to mitigate risks, the NHS pledged to learn from WannaCry and is taking a number of actions.

These include developing a response plan setting out what the NHS should do in the event of a cyber attack; ensuring organisations implement critical CareCERT alerts (emails sent by NHS Digital providing information or requiring action); and ensuring that organisations are taking the cyber threat seriously. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/27/nhs_could_have_fended_off_wannacry_says_nao_report/


Dark Web Marketplaces’ New Home: Mobile Messaging Apps

Telegram, Discord, Whatsapp grow in popularity as criminals look for more alternatives to fly under the radar.

In the wake of government shake-ups and high-profile compromises of several very popular marketplaces on the Dark Web, criminals are continuing to pivot, looking for easy but under-the-radar alternatives for connecting buyers and sellers on the cyber black market.

According to several new research reports out this week, mobile messaging apps are rising in favor as the newest Dark Web alternatives that crooks have landed upon to do business with one another. Researchers posit that increased popularity in these tools can at least partially be attributed to market disruption due to government action to take down AlphaBay’s $500,000 per day marketplace and infiltrate the other heavy-hitting Hansa Marketplace in the aftermath of that takedown.

“With all this turmoil, the dark net community is clearly now looking for different platforms to continue promoting their business,” write security researchers with threat intelligence firm Sixgill in a recent report on next-generation Dark Web markets. Their analysis shows that criminals may be trending toward some of the more decentralized peer-to-peer marketplaces that were once the mainstay of the Dark Web at its inception, depending once again upon IRC channels and individual vendor sites more heavily. Where things may be changing compared to bygone days is an increased reliance on mobile venues. Sixgill specifically cited the increased use of the messaging app Telegram as an example of this.

“With the promise of end to end encryption and secrecy, the instant messaging platform is flourishing with illegal trade,” they write. “Regional and international groups across the world are using the application to spread their merchandise with P2P sales. Users can find illegal drugs that can be delivered within hours all the way to stolen credit card information for sale.” 

Another report from IntSights confirms Telegram’s surge in popularity and offers up evidence that it is just one of several mobile messaging apps being co-opted by the criminal element to facilitate stealthy communication and commerce. Overall, IntSights says that it has witnessed a 30x increase in mobile dark web activity over the last year and it believes that as many as several hundred thousand users are taking advantage of these channels for illegal purposes.

IntSights researchers say the app rising most quickly in popularity is Discord, which is signing up Dark Web users nine times as fast as other apps such as Telegram and Whatsapp. They say that these trends in mobile apps are part of an ongoing push that has the Deep Web going shallower, but which presents challenges to the security community in monitoring activity due to the use of a more distributed system of communication.

“As hackers seek distributed networks over the existing more centralized platforms, more advanced solutions are required for collecting and analyzing the abundance of data,” they write.

Of course, all of this is part of the ongoing evolution of the very organic cybercrime economy. Regardless of the takedown of AlphaBay and Hansa and regardless of the shift to mobile, the Dark Web itself is still a thriving and chaotic miasma of illegal activity. One estimate from Trend Micro research earlier this year pegged the Dark Web–a subset of which is referred to as the Deep Web–as containing 550 times as much data as the Surface Web.  And another piece of research earlier this month from Carbon Black’s Threat Analysis Unit (TAU) found that the Dark Web marketplace for ransomware alone is growing at an annual rate of more than 2,500%.

“The availability of these services has allowed underground ransomware to hide effectively, making attribution and takedowns by law enforcement extremely difficult,” wrote Rick McElroy and Sean Blanton of Carbon Black. “If takedowns do happen, they happen over months or years of hard work.”


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/mobile/dark-web-marketplaces-new-home-mobile-messaging-apps-/d/d-id/1330238?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Bad Rabbit Used Pilfered NSA Exploit

Turns out the fast and furious ransomware campaign in Eastern Europe this week employed the so-called ‘EternalRomance’ tool to help it spread.

The fast and furious Bad Rabbit ransomware campaign on Oct. 24 had security researchers frantically studying their telemetry and malware to discern the anatomy of the attack. The initial take was that although it uses retooled code from predecessors Petya and NotPetya, it didn’t spread via any exploits like WannaCry, for example.

But today, Cisco Systems’ Talos research group said it now can confirm that the ransomware attack used a version of the so-called EternalRomance exploit to spread. This exploit, which comes from a stolen and leaked trove of NSA tools, was the tool Nyetya (aka Petrwrap and Goldeneye) ransomware attacks this summer employed to spread laterally within a victim organization.

The ransomware campaign hit hundreds of government, media, transportation, and other targets in 15 nations, including Russia’s Interfax Agency and Fontanka, and Ukraine’s Kiev Metro, its Odessa International Airport, and various ministries of infrastructure and finance. Russian victims were the biggest targets, accounting for 71% of detections by security firm Avast.

Security researchers from all over the world are still performing postmortems on the attack, and there’s still some debate over who was behind the attack as well as over the malware’s roots. 

As of yesterday, researchers had pinpointed a hardcoded credentials list and a Mimikatz password-extraction method as the means of Bad Rabbit’s wormlike spread via SMB on local networks.

EternalRomance was yet another method of spreading Bad Rabbit, directly via the SMB hole, according to Cisco’s newest finding.

“This is still an active investigation,” says Nick Biasini, a threat researcher with Cisco’s Talos team. “During analysis by some of our reverse engineers we were able to identify that an exploit was included in Bad Rabbit … Initially there was no indication it was being used and no one had publicly observed the exploit being utilized in the wild.  It wasn’t until the discovery by one of our reverse engineers that it was uncovered.”

Meanwhile, Group IB, a Russian security firm studying the attacks, today noted that Bad Rabbit was first dropped via drive-by downloads onto victim machines via various media websites in Russia and Ukraine. The researchers also say it’s “highly likely” the attackers behind Bad Rabbit are the same ones who launched NotPetya in June of 2017 against Ukraine energy, financial, and telecommunications organizations.

“BadRabbit has the same functions for computing hashes, network distribution logic and logs removal process, etc.,” as NotPetya, they wrote in an update today.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/vulnerabilities---threats/bad-rabbit-used-pilfered-nsa-exploit-/d/d-id/1330237?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

‘Reaper’ IoT Botnet Likely a DDoS-for-Hire Tool

Latest IoT botnet commandeers 10,000 to 20,000 devices with an additional 2 million hosts identified.

The IoT botnet IoTroop has amassed 10,000 to 20,000 devices and has another 2 million hosts that have been identified as potential botnet nodes, according to Arbor’s Security Engineering Response Team (ASERT), which refers to the botnet as Reaper.

Although it’s not clear why the 2 million hosts have not yet been absorbed into the Reaper botnet, Arbor Networks’ ASERT speculates that the botnet will likely be used as a booter/stresser service for China’s internal DDoS-for-hire market.

Reaper contains a hint of code from the infamous IoT botnet Mirai and has the ability to launch SYN, ACK, and HTTP floods, as well as DNS reflection/amplification attacks, according to the researchers.


Article source: https://www.darkreading.com/mobile/reaper-iot-botnet-likely-a-ddos-for-hire-tool/d/d-id/1330235?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple