
Saturday, 9 January 2016

Hackers Cause World's First Power Outage with Malware

SCADA systems have always been an interesting target for cyber crooks, given the success of the Stuxnet malware, developed jointly by the US and Israel to sabotage Iranian nuclear facilities a few years ago, and of "Havex", which previously targeted organizations in the energy sector.

Now, once again, hackers have used highly destructive malware to infect at least three regional power authorities in Ukraine, causing blackouts across the Ivano-Frankivsk region on 23rd December.

The energy ministry confirmed it was investigating claims that a cyber attack disrupted the local energy provider Prykarpattyaoblenergo, causing the power outage that left half of the homes in Ivano-Frankivsk without electricity just before Christmas.

According to a Ukrainian news service TSN, the outage was the result of nasty malware that disconnected electrical substations.


First Malware to Cause Power Outage


On Monday, researchers from antivirus provider ESET confirmed that multiple power authorities in Ukraine were infected by "BlackEnergy" trojan.

BlackEnergy Trojan was first discovered in 2007 as a relatively simple tool to conduct Distributed Denial of Service (DDoS) attacks but was updated two years ago to add a host of new features, including the ability to render infected computers unbootable.

The malware was launched by "Russian security services" with it being used against industrial control systems and politically sensitive targets, the SBU state intelligence service said in a statement on Monday.

According to ESET, the malware was recently updated again to add a new component called KillDisk and a backdoored secure shell (SSH) utility that gives hackers permanent access to infected computers.

The KillDisk module enables the BlackEnergy malware to destroy critical parts of a computer hard drive and to sabotage industrial control systems, the same used in attacks against Ukrainian news media companies and the electrical power industry.
"The first known case where the KillDisk component of BlackEnergy was used was documented by CERT-UA in November 2015," Anton Cherepanov of ESET wrote in a blog post. "In that instance, a number of news media companies were attacked at the time of the 2015 Ukrainian local elections. The report claims that a large number of video materials and various documents were destroyed as a result of the attack."

How Did Hackers Cause Blackouts?


Researchers said hackers had used backdoors to spread the KillDisk wiper module through booby-trapped macro functions embedded in Microsoft Office documents across the Ukrainian power authorities.

It is therefore believed that the initial BlackEnergy infection occurred after employees opened Microsoft Office files containing malicious macros.
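Since the initial vector described above is a macro-bearing Office document, a mail gateway or triage script can flag such files before anyone opens them. The following is an added example, not code from the article or from ESET; it decides on the file's content rather than its extension, and the sample document it checks is constructed in memory (not a real Word file).

```python
import io
import zipfile

# Markers that identify a VBA project inside an OOXML container.
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-office.vbaProject",  # content type of the vbaProject.bin part
    "macroEnabled",                           # appears in the main part type of .docm/.xlsm/.pptm
)

def has_vba_macros(data: bytes) -> bool:
    """Return True if an OOXML (docx/xlsx/pptx family) file carries a VBA project.
    Checks content, not the extension, since a .docm renamed to .doc still opens in Word.
    Legacy OLE2 (.doc/.xls) files are not zip containers and are out of scope here."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return any(marker in ctypes for marker in MACRO_CONTENT_TYPES)
    except zipfile.BadZipFile:
        return False
    return False

def build_sample(macro: bool) -> bytes:
    """Construct a minimal OOXML-like zip for demonstration (constructed, not a real document)."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if macro
               else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    ctypes = ('<?xml version="1.0"?>'
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ctypes)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            # Placeholder bytes standing in for a real VBA project stream.
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for flag in (True, False):
        print(f"macro={flag}: has_vba_macros -> {has_vba_macros(build_sample(flag))}")
```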

It is really disturbing that industrial control systems used to supply power to millions of homes could be infected using such a simple social-engineering trick.

Moreover, the most concerning part is that the BlackEnergy malware is now being used to create power failures that can even have life-and-death consequences for large numbers of people.

Ukrainian authorities are investigating the attack on the country's power grid. For more technical details about the latest BlackEnergy package, you can read the ESET blog.

602 Gbps! This May Have Been the Largest DDoS Attack in History

Cyber attacks are becoming a worse nightmare for companies day by day, and the Distributed Denial of Service (DDoS) attack is one of hackers' favorite weapons for temporarily suspending the services of a host connected to the Internet.

Until now, nearly every big website had been a victim of this attack, and the most recent one was conducted against the BBC's websites and Republican presidential candidate Donald Trump's main campaign website over this past holiday weekend.

Of the two, the attack against the BBC website was the larger, and possibly the largest DDoS attack in history: over 600 Gbps.

Largest DDoS Attack in the History


The group calling itself New World Hacking claimed responsibility for taking down both the BBC's global website and Donald Trump's website last week.

The group targeted all BBC sites, including its iPlayer on-demand service, and took them down for at least three hours on New Year's Eve.

At first, the BBC announced that the outage was caused by a "technical" fault, but it later stated that the "New World Hacking" group had claimed responsibility for launching a DDoS attack against the BBC as a "test of its capabilities."

BangStresser DDoS Attack Tool


One of the members of the New World Hacking group, who identified himself as Ownz, claimed that the group used its own tool, called BangStresser, to launch a DDoS attack of up to 602 Gbps against the BBC's website.

As proof, the group provided ZDNet with a screenshot of a web interface that was allegedly used to attack the BBC website.

Although the authenticity of the screenshot has not been verified, if the attack size is proven true, it would vastly surpass the largest DDoS attack record of 334 Gbps, recorded by Arbor Networks last year.

The recent massive DDoS attack apparently used two Amazon Web Services servers. Amazon has previously stated that it employs a large number of automated detection and mitigation techniques to prevent misuse of its services.
"We have our ways of bypassing Amazon," said Ownz. "The best way to describe it is we tap into a few administrative services that Amazon is use to using. The [sic] simply set our bandwidth limit as unlimited and program our own scripts to hide it."
More details about the attack have not yet been disclosed, but Ownz claimed that the group's main purpose in developing the BangStresser DDoS tool is to unmask ISIS and possibly end its online propaganda.

"We have been taking down ISIS websites in the past," said Ownz, "this is just the start of a new year."

A similar group, Lizard Squad, ran a marketing campaign for its own DDoS tool, known as the Lizard Stresser, which the group used to take down Sony's PlayStation Network and Microsoft's Xbox Live on Christmas Eve last year.

Thursday, 17 December 2015

What is Threat Intelligence and How It Helps to Identify Security Threats

Simply put, threat intelligence is knowledge that helps you identify security threats and make informed decisions. Threat intelligence can help you solve the following problems:
  • How do I keep up to date on the overwhelming amount of information on security threats…including bad actors, methods, vulnerabilities, targets, etc.?
  • How do I get more proactive about future security threats?
  • How do I inform my leaders about the dangers and repercussions of specific security threats?

Threat Intelligence: What is it?


Threat intelligence has received a lot of attention lately. While there are many different definitions, here are a few that get quoted often:
"Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard." – Gartner

"The set of data collected, assessed and applied regarding security threats, threat actors, exploits, malware, vulnerabilities and compromise indicators." – SANS Institute

Why is everyone talking about it?


Verizon’s 2015 DBIR estimated a financial loss of $400 million from 700 million compromised records, which resulted from 79,790 security incidents!

As long as security threats and breaches occur, every business will look for ways to protect their data. The threat landscape is always changing and the business risk is increasing because of our dependence on IT systems.

Threats come from internal as well as external sources. Bottom line is, organizations are under tremendous pressure to manage threats. Though information in the form of raw data is available abundantly, it is hard and time-consuming to get meaningful information based on which proactive measures can be set.

This naturally pulls more and more users towards threat intelligence as it helps to prioritize threats within the deluge of data, alerts, and attacks and provides actionable information.

The table below presents several common indicators of compromise that can be identified with threat intelligence feeds:
Category: Network
  Indicators of compromise:
  • IP addresses
  • URLs
  • Domain names
  Example: Malware infections targeting internal hosts that are communicating with known bad actors

Category: Email
  Indicators of compromise:
  • Sender's email address and email subject
  • Attachments
  • Links
  Example: Phishing attempts where internal hosts click on an unsuspecting email and "phone home" to a malicious command and control server

Category: Host-Based
  Indicators of compromise:
  • Filenames and file hashes (e.g. MD5)
  • Registry keys
  • Dynamic link libraries (DLLs)
  • Mutex names
  Example: External attacks from hosts that might be infected themselves or are already known for nefarious activity

Threat Intelligence capabilities


Attacks can be broadly categorized as user-based, application-based and infrastructure-based threats. Some of the most common threats are SQL injection, DDoS, web application attacks and phishing.

It is important to have an IT security solution that provides threat intelligence capabilities to manage these attacks by being both proactive and responsive.

Attackers are constantly changing their methods to challenge security systems. Therefore, it becomes inevitable for organizations to get threat intelligence from a variety of sources.

One of the proven methods to stay on top of attacks is to detect and respond to threats with a Security Information & Event Management (SIEM) system.

A SIEM can be used to track everything that happens in your environment and identify anomalous activities. Isolated incidents might look unrelated, but with event correlation and threat intelligence, you can see what is actually happening in your environment.

Nowadays, IT security professionals must operate under the assumed breach mentality. Comparing monitored traffic against known bad actors sourced from threat intelligence would help in identifying malicious activities.

However, doing this by hand is manual and time-consuming. Integrating indicator-based threat intelligence into a SIEM helps identify compromised systems and can possibly even prevent some attacks.
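The comparison described above, indicator feed against monitored log data, is straightforward to model. The following is an added example, not the article's or any vendor's code; the indicator feed and the firewall, DNS, mail and AV log lines are all constructed sample values covering the network, email and host-based categories from the table earlier in the post.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed indicator feed (not a real one), one set per category from the table above.
IOC_FEED = {
    "ip": {"203.0.113.7", "198.51.100.23"},           # network: documentation-range IPs
    "domain": {"update-check.example.net"},           # network: C2 domain (constructed)
    "md5": {"0123456789abcdef0123456789abcdef"},      # host-based: file hash (constructed)
    "sender": {"invoice@mail.example.org"},           # email: sender address (constructed)
}

# One extractor per indicator type; each pulls candidate values out of a log line.
EXTRACTORS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "md5": re.compile(r"\b[a-f0-9]{32}\b", re.I),
    "sender": re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}

@dataclass(frozen=True)
class Hit:
    line_no: int
    category: str
    indicator: str

def match_iocs(log_lines, feed=IOC_FEED):
    """Tag every log line that contains an indicator from the feed (SIEM-style IoC match)."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        for category, rx in EXTRACTORS.items():
            for value in rx.findall(line):
                if value.lower() in feed[category]:
                    hits.append(Hit(n, category, value.lower()))
    return hits

def hits_by_category(hits):
    """Count hits per indicator category, for a quick 'what kind of activity' view."""
    return Counter(h.category for h in hits)

# Constructed sample log lines (firewall, DNS, mail gateway, AV), not real data.
SAMPLE_LOGS = [
    "2015-12-17T10:01:02 fw accept src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2015-12-17T10:01:09 dns query src=10.0.0.5 qname=update-check.example.net",
    "2015-12-17T10:02:11 mail from=invoice@mail.example.org subject=Invoice attach=doc.docm",
    "2015-12-17T10:03:40 av scan host=10.0.0.5 file=doc.docm md5=0123456789abcdef0123456789abcdef",
    "2015-12-17T10:04:00 fw accept src=10.0.0.9 dst=192.0.2.10 dport=80",
]

if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.category} indicator {hit.indicator}")
```

Four of the five constructed lines hit (one per category); the last line, ordinary traffic to an address not in the feed, does not.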

Best Practices


Integrating threat intelligence and responding to attacks is not enough to combat the ever-changing threat landscape. You need to analyze the situation and determine threats you are likely to face, based on which you can come up with precautionary measures.

Here is a list of several best practices:
  • Have an application whitelist and blacklist. This helps prevent execution of malicious or unapproved programs, including .DLL files, scripts and installers.
  • Check your logs carefully to see if an attempted attack was an isolated event, or if the vulnerability had been exploited before.
  • Determine what was changed in the attempted attack.
  • Audit logs and identify why this incident happened – reasons could range from system vulnerability to an out-of-date driver.

What will a threat-intelligence-enabled SIEM solve?

A SIEM, like SolarWinds Log & Event Manager, collects and normalizes log data from monitored traffic and automatically tags suspicious events.

With an integrated threat intelligence mechanism and built-in rules, the monitored events can be compared against a constantly updated list of known bad actors.
You can quickly search & monitor for hits from the bad actors against the log data in real time and identify common indicators of compromise.

You can automatically respond with actions like blocking known bad IP addresses, in case of malicious attack attempts.

Thursday, 10 December 2015

Someone Just Tried to Take Down Internet's Backbone with 5 Million Queries/Sec


Someone just DDoSed one of the most critical organs of the Internet anatomy – The Internet's DNS Root Servers.

Early last week, a flood of as many as 5 million queries per second hit many of the Internet's DNS (Domain Name System) root servers, of which there are 13 in total and which act as the authoritative reference for mapping domain names to IP addresses.

The attack, a Distributed Denial of Service (DDoS) attack, took place on two separate occasions.

The first DDoS attack against the Internet's backbone root servers was launched on November 30 and lasted 160 minutes (almost 3 hours); the second started on December 1 and lasted almost an hour.

Massive Attacks Knocked Many of the 13 Root Servers Offline


The DDoS attack was able to knock 3 out of the 13 DNS root servers of the Internet offline for a couple of hours.

The queries fired at the servers were valid DNS messages, all addressed to a single domain name in the first DDoS attack and to a different domain name in the second day's attack.

According to the analysis published by the root server operators on Tuesday, each attack fired up to 5 million queries per second per DNS root name server, which was enough to flood the network and cause timeouts on the B, C, G, and H root servers.

There is no indication of who or what was behind the large-scale DDoS attacks because the source IP addresses used in the attacks were very well distributed and randomized across the entire IPv4 address space.

The DDoS attacks did not cause any serious damage to the Internet, only a delay for some Internet users whose web browser, FTP, SSH, or other clients made DNS queries at the time.

This Smart Design Defends DNS Protocol Infrastructure


The motive for such attacks is still unclear, because disabling or knocking down a root server won't have a severe impact on the Internet, as there are several thousand other DNS servers handling DNS queries.
"The DNS Root Name Server system functioned as [it's] designed, demonstrating overall robustness in the face of [massive] traffic floods observed at numerous DNS Root Name Servers," the Root Server Operators said (PDF), referring to the redundancy built into the DNS root system.
Like the Internet, DNS is constructed on a mesh-like structure, so if one server doesn't respond to a request, other servers step in and provide a DNS query result.

According to the DNS root server operators, the attack was not a reflective DDoS attack, in which open and misconfigured DNS resolvers are used to launch high-bandwidth DDoS attacks on the target.


Despite all the facts, any attack on the critical infrastructure of the Internet is taken extremely seriously.

The DNS root server operators recommended that Internet Service Providers (ISPs) implement Source Address Validation and BCP 38, an Internet Engineering Task Force best current practice that helps defeat IP address spoofing.
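The reason BCP 38 matters to an attack like this one is that it drops packets whose source addresses could not legitimately come from the interface they arrive on, which is exactly what a flood with sources randomized across the whole IPv4 space relies on. The following is an added illustration of that ingress check, not code from the article or the root server operators' report; the interface-to-prefix assignments and the packets are constructed sample values.

```python
import ipaddress

# Constructed sample: the customer prefixes legitimately reachable behind each ISP
# edge interface. A real ISP would derive these from its own address assignments.
INTERFACE_PREFIXES = {
    "cust-a": [ipaddress.ip_network("198.51.100.0/24")],
    "cust-b": [ipaddress.ip_network("203.0.113.0/25"),
               ipaddress.ip_network("2001:db8:1::/48")],
}

def is_spoofed(ingress_if, src):
    """True when a packet arriving on ingress_if carries a source address that
    could not originate behind that interface (the BCP 38 ingress-filter condition).
    Unknown interfaces have no allowed prefixes, so everything from them is rejected."""
    addr = ipaddress.ip_address(src)
    # ipaddress returns False for an IPv6 address tested against an IPv4 network and vice versa.
    return not any(addr in net for net in INTERFACE_PREFIXES.get(ingress_if, []))

def filter_ingress(packets):
    """Apply the check to (ingress_if, src, dst) tuples.
    Returns (forwarded, dropped); dropped entries carry a reason suitable for logging."""
    forwarded, dropped = [], []
    for ingress_if, src, dst in packets:
        if is_spoofed(ingress_if, src):
            dropped.append((ingress_if, src, dst, "source not in interface prefix (BCP 38)"))
        else:
            forwarded.append((ingress_if, src, dst))
    return forwarded, dropped

# Constructed traffic toward a DNS server: genuine customer sources plus spoofed ones
# of the kind seen in the root-server flood. Documentation address ranges only.
SAMPLE_PACKETS = [
    ("cust-a", "198.51.100.17", "192.0.2.53"),      # genuine customer source: forwarded
    ("cust-a", "203.0.113.9", "192.0.2.53"),        # belongs to another customer: dropped
    ("cust-a", "192.0.2.77", "192.0.2.53"),         # random source outside any prefix: dropped
    ("cust-b", "2001:db8:1::10", "2001:db8::53"),   # genuine IPv6 customer source: forwarded
    ("cust-b", "203.0.113.200", "192.0.2.53"),      # outside cust-b's /25: dropped
]

if __name__ == "__main__":
    fwd, drop = filter_ingress(SAMPLE_PACKETS)
    print(f"forwarded {len(fwd)}, dropped {len(drop)}")
    for entry in drop:
        print("drop", entry)
```

This models the strict form of the check, which fits single-homed customer edges; on links with asymmetric routing, operators use a loose or feasible-path variant so legitimate traffic is not discarded.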