Xann Posted October 23, 2016
On Friday's net shenanigans...
Quote At first, it was unclear who or what was behind the attack on Dyn. But over the past few hours, at least one computer security firm has come out saying the attack involved Mirai, the same malware strain that was used in the record 620 Gbps attack on my site last month. At the end of September 2016, the hacker responsible for creating the Mirai malware released the source code for it, effectively letting anyone build their own attack army using Mirai. Mirai scours the Web for IoT devices protected by little more than factory-default usernames and passwords, and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users. According to researchers at security firm Flashpoint, today's attack was launched at least in part by a Mirai-based botnet. Allison Nixon, director of research at Flashpoint, said the botnet used in today's ongoing attack is built on the backs of hacked IoT devices — mainly compromised digital video recorders (DVRs) and IP cameras made by a Chinese hi-tech company called XiongMai Technologies. The components that XiongMai makes are sold downstream to vendors who then use them in their own products. KrebsOnSecurity
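The quoted article describes Mirai's recruitment step: it walks the Internet trying a fixed list of factory-default username/password pairs against telnet on IoT devices. The block below is an added example, not code from the article or from the Mirai source, showing the defensive side of that: a small detector that reads telnet login records and flags any source that works through several entries of the Mirai credential list in a short window. The log format ("<timestamp> <src_ip> login user=<u> pass=<p> result=ok|fail") and the sample lines are constructed for the example; real DVR and camera firmware logs differently, so parse_line() is the part you would adapt. The credential set is a representative subset of the pairs hard-coded in the publicly released Mirai scanner, and is_default_credential() doubles as a check you can run against your own device inventory.

```python
"""Flag Mirai-style default-credential scanning in telnet login records.

Added example (not the article's or Mirai's own code). Log format and
sample data are constructed; adapt parse_line() to your appliance's logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Representative subset of the username/password pairs hard-coded in the
# Mirai scanner released in September 2016. An empty string stands for
# "no password". Any hit from this set is a factory default worth changing.
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "xmhdipc"),
    ("root", "default"), ("root", "juantech"), ("root", "123456"),
    ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("root", "12345"),
    ("user", "user"), ("admin", ""), ("root", "pass"),
    ("admin", "admin1234"), ("root", "1111"), ("admin", "smcadmin"),
    ("root", "666666"), ("root", "password"), ("root", "1234"),
    ("root", "klv123"), ("service", "service"), ("supervisor", "supervisor"),
    ("guest", "guest"), ("guest", "12345"), ("ubnt", "ubnt"),
    ("root", "7ujMko0vizxv"), ("root", "7ujMko0admin"), ("root", "system"),
    ("root", "hi3518"), ("root", "jvbzd"), ("root", "Zte521"),
}

# Constructed, simplified record format for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) login "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<res>ok|fail)$"
)

# Constructed sample: one host cycling through the Mirai list and landing a
# login, one host with a single default attempt, one legitimate operator.
SAMPLE_LOG = """\
2016-10-21T11:10:01 203.0.113.7 login user=root pass=xc3511 result=fail
2016-10-21T11:10:02 203.0.113.7 login user=root pass=vizxv result=fail
2016-10-21T11:10:03 203.0.113.7 login user=admin pass=admin result=fail
2016-10-21T11:10:04 203.0.113.7 login user=root pass=888888 result=ok
2016-10-21T11:12:40 198.51.100.9 login user=root pass=xc3511 result=fail
2016-10-21T11:30:00 192.0.2.5 login user=operator pass=correct-horse result=ok
2016-10-21T11:31:10 192.0.2.5 login user=operator pass=correct-horse result=ok
"""


def parse_line(line):
    """Parse one record into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def is_default_credential(user, pw):
    """True if the pair is one Mirai would try; also usable to audit device configs."""
    return (user, pw) in MIRAI_DEFAULTS


def find_default_cred_scanners(lines, window=timedelta(minutes=5), min_pairs=3):
    """Return {src_ip: {"pairs": n, "success": bool}} for every source that tried
    at least `min_pairs` distinct Mirai-list credentials within `window`.
    `success` is True if one of those default logins was accepted, i.e. the
    device is now a botnet candidate, not just a scan target."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            by_src[ev["src"]].append(ev)

    hits = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        # Slide a window starting at each event; keep the densest window seen.
        for i, start in enumerate(events):
            pairs, success = set(), False
            for ev in events[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                if is_default_credential(ev["user"], ev["pw"]):
                    pairs.add((ev["user"], ev["pw"]))
                    success = success or ev["res"] == "ok"
            if len(pairs) >= min_pairs:
                best = hits.get(src)
                if best is None or len(pairs) > best["pairs"]:
                    hits[src] = {"pairs": len(pairs), "success": success}
    return hits


if __name__ == "__main__":
    for src, info in find_default_cred_scanners(SAMPLE_LOG.splitlines()).items():
        verdict = "COMPROMISED" if info["success"] else "scanned"
        print(f"{src}: {info['pairs']} default pairs tried, {verdict}")
```

The threshold of three distinct default pairs in five minutes is a starting point rather than a tuned value; the point of the window is that a Mirai scanner tries many pairs within seconds, while a mistyped password from an operator never touches the default list at all. A successful default login is the signal to act on immediately: the device should be pulled from the network and its credentials changed before it is pointed at the next Dyn.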
Tegis Posted October 23, 2016
The Swedish Civil Contingencies Agency and the National website for emergency information both had their services at DYN with no backup services for DNS. Plonkers!
Genie Posted October 24, 2016
I found it odd how the main media outlets didn't really cover the story?
snowychap Posted November 29, 2016
Quote Ransomware locks up San Francisco public transportation ticket machines Black Friday was a dark day for San Francisco's Municipal Transportation Agency, as an apparent crypto-ransomware infection spread across the Muni system's networks, taking down ticketing for Muni's train stations and systems used to manage the city's buses. The operator of the ransomware demanded $73,000 in exchange for restoration of Muni's data, according to a report from the San Francisco Examiner. The malware's effects were visible on screens in station agents' booths at multiple Muni train stations, which displayed the message, "You Hacked, ALL Data Encrypted." The ransom message gave an e-mail address (cryptom27@yandex.com) that has been tied to ransomware attacks with variants of malware known as Mamba and HDDCryptor, a class of crypto-ransomware first identified from different samples in September by Morphus Labs and Trend Micro. A mash-up of some basic malware code with open source and freeware Windows software, HDDCryptor goes after the entire network of its victims—encrypting entire local and networked drives. The malware uses an open source disk encryption tool called DiskCryptor and identifies physical and network shares to encrypt using Windows' "GetLogicalDrives" volume management function. It also uses code from the free network password recovery software Netpass.exe. HDDCryptor then overwrites the Master Boot Record of the infected machine—in some cases forcing a reboot of the system—to display its message. On Friday and Saturday (November 25 and November 26), Muni train stations' gates were open—with ticket machines displaying "out of order" messages, passengers were allowed to ride for free. The Examiner reports that bus drivers were given hand-written route assignments. By Sunday, many of Muni's systems were apparently restored.
In a statement issued Sunday, SFMTA spokesperson Kirsten Holland wrote, "Transit service was unaffected and there were no impacts to the safe operation of buses and Muni Metro. Neither customer privacy nor transaction information were compromised. The situation is now contained, and we have prioritized restoring our systems to be fully operational." It isn't clear if SFMTA paid the ransom demanded or if systems were restored from a backup. "As this is an ongoing investigation," Holland responded, "it wouldn't be appropriate to provide additional details at this time."
Xann Posted November 29, 2016
They really don't want to be paying ransoms. It'll just fuel the fire.
Xann Posted December 3, 2016
Quote More than 100,000 people in the UK have had their internet access cut after a string of service providers were hit by what is believed to be a coordinated cyber-attack, taking the number affected in Europe up to about a million. TalkTalk, one of Britain's biggest service providers, the Post Office and the Hull-based KCom were all affected by the malware known as the Mirai worm, which is spread via compromised computers. The Post Office said 100,000 customers had experienced problems since the attack began on Sunday and KCom put its figure at about 10,000 customers since Saturday. TalkTalk confirmed that it had also been affected but declined to give a precise number of customers involved. Earlier this week, Germany's Deutsche Telekom said up to 900,000 of its customers had lost their internet connection as part of the same incident. No one has claimed responsibility for the attack, which both Deutsche Telekom and KCom said was part of a worldwide effort. Security experts said the hackers may have been Russian but they had no proof. The speculation led the German chancellor, Angela Merkel, to say that, while she could not be sure who was responsible for the strike, "such cyber-attacks, or hybrid conflicts as they are known in Russian doctrine, are now part of daily life and we must learn to cope with them". The Mirai worm takes control of devices running the Linux operating system and uses them to knock services offline. This attack has targeted certain types of broadband routers, damaging their internet connection. Grauniad
New buzzwords right there, 'hybrid conflicts'.
limpid Posted December 3, 2016
11 minutes ago, Xann said: Quote The Mirai worm takes control of devices running the Linux operating system and uses them to knock services offline.
NB. This is why embedded devices which don't update themselves are a bad thing. The Linux kernel on these embedded devices has a vulnerability which is what is being exploited. There will be many, many more of these before manufacturers of internet devices realise that they have to deal with security. There are a lot of insecure routers out there and usually they are the only thing protecting your home network. Of course, no-one here would ever turn on upnp on their routers as that's the same as turning almost all the security off. This won't affect users of Linux with normal software updates. Even if they've installed Linux on their Macbook.
Xann Posted December 22, 2016
Quote It's December — that time of the year when many industry experts make all sorts of predictions for the year ahead. But one prophecy caught Business Insider's eye: the whole internet will shut down for 24 hours. The dire forecast comes from US technology security vendor LogRhythm. According to the company's chief information security officer and vice president James Carder, it won't just be a technical issue stopping people from uploading their selfies on Instagram. "In 2017, we're going to see it hit big sometime, somewhere. If the internet goes down, financial markets will tank," he said. The security expert told Business Insider that all the signs were there this year, with criminals "testing missiles by shooting them into the ocean". "We saw the massive [distributed denial of service] against DynDNS just a couple of months ago. That DDoS attack took down sites like Twitter and Spotify for a few hours. We saw a similar DDoS hit Brian Krebs before the attack against Dyn. These were really just tests," he said. Business Insider AU
As it's someone in the business of internet security, it wouldn't be entirely surprising that there's some over egging going on.
limpid Posted December 22, 2016
28 minutes ago, Xann said: Business Insider AU As it's someone in the business of internet security, it wouldn't be entirely surprising that there's some over egging going on.
I was speaking to him about this in October (no shit). It's a real possibility. Too many people think the internet "just works". The Internet of Things and its complete lack of security will cause damage. Unfortunately people don't react to warnings (cf. climate change) and we'll probably need a major incident before things start to get fixed. Fixing it will cost money.
Xann Posted December 9, 2020
Quote US cybersecurity firm FireEye says it has recently been attacked by a "highly sophisticated threat actor", believing the hacking was state-sponsored. In a blog, FireEye CEO Kevin Mandia said company tools used for testing customers' security had been stolen. "The attacker primarily sought information related to certain government customers," he wrote. The blog did not say who might have carried out the attack. The firm and the FBI are investigating the hack. FireEye's share price plunged following the company's acknowledgement of the hack. What did FireEye say? "Based on my 25 years in cyber security and responding to incidents, I've concluded we are witnessing an attack by a nation with top-tier offensive capabilities," Mr Mandia said in Tuesday's blog, adding that the hack was "different from the tens of thousands of incidents we have responded to throughout the years". "The attackers tailored their world-class capabilities specifically to target and attack FireEye. "They used a novel combination of techniques not witnessed by us or our partners in the past," the blog said. California-based FireEye was set up in 2004. It specialises in investigating attacks in cyberspace against companies throughout the world. It is being described as one of the fastest-growing firms in the industry. Mr Mandia began his career in the US Air Force investigating the first major cyber attack on America's defence secrets by another state, the BBC's security correspondent Gordon Corera reports. In that case, our correspondent says, the Russians were responsible and, even though Mr Mandia does not name names, Russia may well be the prime suspect this time... ... FireEye says its hacking tool chest has been plundered meaning that the thieves now have a potent collection of new techniques to draw upon.
This has also happened before in the infamous Shadow Brokers leaks in which hackers stole and shared cyber weapons developed by the US National Security Agency. This resulted in successful and devastating attacks on businesses and civilians all over the world. BBC