Archive for January 2017

Leet IoT Botnet Bursts on the Scene with Massive DDoS Attack

Just 10 days before the end of 2016, researchers from Imperva uncovered a massive 650Gbps DDoS attack generated by a new internet of things (IoT) botnet, dubbed “Leet” after a character string in the payload. It’s the first that can rival Mirai.

The attack—the largest on record for the firm’s network—began around 10:55 a.m. on December 21, targeting several anycasted IPs on the Imperva Incapsula network. The first DDoS burst lasted roughly 20 minutes, peaking at 400Gbps. Failing to make a dent, the offender regrouped and came back for a second, 17-minute round. This time enough botnet “muscle” was used to generate a 650Gbps DDoS flood of more than 150 million packets per second (Mpps).

Though this particular attack was mitigated, things are about to get much worse, researchers said. A payload analysis showed that the entire attack was just a mishmash of pulverized system files from thousands upon thousands of compromised IoT devices—meaning that the Mirai IoT botnet now has competition.

Imperva determined that the culprit behind the offensive was not Mirai, which uses hard-coded SYS file sizes. This attack’s traffic was generated by two different SYN payloads: regular ones, and abnormally large SYN packets ranging from 799 to 936 bytes in size. The former were used to achieve high Mpps packet rates, while the latter were employed to scale up the attack’s capacity to 650Gbps.

“Attacks that combine the use of small and large payloads have become increasingly common since we first reported them in […] spread their odds by trying to both clog network pipes and bring down network switches,” researchers said in an analysis. They added, “While some [of the large] payloads were populated by seemingly random strings of characters, others contained shredded lists of IP addresses. These shredded IP lists hinted … that the malware we faced was programmed to access local files and scramble their content to generate its payloads.”

Also, Mirai payloads are generated from random strings, while the payloads in this attack were structured from the content of system files.

This all points to a new botnet, identified by the signature the malware’s author left in the TCP header: “1337.” This is hacker code for “Leet,” a.k.a. “Elite.”
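As an added example (not Imperva's analysis or code from the article), a small Python parser that turns the payload-size observation above into a detection check on raw IPv4/TCP packets: a connection-opening SYN normally carries no data, so a SYN with a payload, and in particular one in the 799 to 936 byte range, stands out. The packet builder, addresses, ports and the sample set are constructed for the demo.

```python
import struct
from collections import Counter

TCP_SYN, TCP_ACK = 0x02, 0x10          # flag bits in the TCP offset/flags word

def build_ipv4_tcp(flags: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4/TCP packet as sample input (no checksums)."""
    tcp_hdr = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (5 << 12) | flags,
                          65535, 0, 0)
    total = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return ip_hdr + tcp_hdr + payload

def tcp_facts(pkt: bytes) -> dict:
    """Parse the IPv4 and TCP headers; return SYN/ACK bits and payload length."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6:
        raise ValueError("not a TCP packet")
    tcp = pkt[ihl:total_len]
    off_flags = struct.unpack("!H", tcp[12:14])[0]
    data_off = (off_flags >> 12) * 4        # TCP header length incl. options
    flags = off_flags & 0x1FF
    return {"syn": bool(flags & TCP_SYN), "ack": bool(flags & TCP_ACK),
            "payload_len": len(tcp) - data_off}

def classify_syn(pkt: bytes) -> str:
    """A connection-opening SYN normally carries no data, so any payload is
    anomalous; 799-936 bytes is the range reported for the large Leet SYNs."""
    f = tcp_facts(pkt)
    if not (f["syn"] and not f["ack"]):
        return "not-syn"
    if f["payload_len"] == 0:
        return "syn-plain"
    if 799 <= f["payload_len"] <= 936:
        return "syn-large-leet-range"
    return "syn-with-payload"

def summarize(pkts: list, window_s: float) -> dict:
    """Count SYN classes and estimate packet and bit rates over the window."""
    counts = Counter(classify_syn(p) for p in pkts)
    bits = sum(len(p) * 8 for p in pkts)
    return {"counts": dict(counts), "mpps": len(pkts) / window_s / 1e6,
            "gbps": bits / window_s / 1e9}

# Constructed sample: six bare SYNs, one 840-byte "large" SYN, one SYN/ACK.
SAMPLE = [build_ipv4_tcp(TCP_SYN, b"") for _ in range(6)] + [
    build_ipv4_tcp(TCP_SYN, b"x" * 840), build_ipv4_tcp(TCP_SYN | TCP_ACK, b"")]
```

The rate estimate shows why the two payload sizes were mixed: the same packet count yields far more bits per second when the SYNs carry data.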

Ominously, the attack is a sign of things to come, the researchers said.

“So far, all of the huge DDoS attacks of 2016 were associated with the Mirai malware,” the researchers said. “However, the payload characteristics clearly show that neither Mirai nor one of its more recent variants was used for this assault.”

They added, “With 650Gbps under its belt, the Leet botnet is the first to rival Mirai’s achievements. However, it will not be the last. This year we saw DDoS attacks escalate to record heights and these high-powered botnets are nothing more than a symptom of the times.”

Source: Information Security Magazine

US Law Firms Hacked by Chinese Nationals for $4M in Insider Trading Profits

Three Chinese nationals face US federal charges for allegedly hacking into two major law firms in a bid for insider trading information.

Iat Hong, Bo Zheng and Hung Chin have been charged with infiltrating the servers of two law firms in 2014 and 2015 and accessing nonpublic information about pending mergers and acquisitions. The three allegedly pilfered gigabytes upon gigabytes of documents with the use of malware on the firms’ web servers.

According to the indictment, the three then traded on that information about imminent deals in order to make $4 million in illegal profits.

They were also apparently incredibly tenacious: The indictment also alleges that the defendants launched at least 100,000 attacks on at least five other law firms between March and September 2015, trying to get unauthorized access.

“The attacks against law firms to gain secretive M&A information are going to become the next frontier of revenue generation for cybercriminals,” said Nathan Wenzler, principal security architect at AsTech Consulting, in an email. “While credit-card account theft has been big news in the past few years because of how it affects individuals at a very personal level, attacks aimed against intellectual property and proprietary financial dealings are becoming more popular with hackers due to the lucrative nature of exploiting this information.”

The indictment does not name the law firms, but details that Law Firm 1 advised Intel Corp. on its 2015 acquisition of Altera Corp. for $16.7 billion and represented a company that was in deal talks with InterMune Inc., which sold to Roche AG in 2014 for $8.9 billion. Law Firm 2 advised Pitney Bowes Inc. in the 2015 acquisition of New York-based e-commerce company Borderfree.

This information indicates that the hacked firms are likely to be Weil, Gotshal & Manges and Cravath, Swaine & Moore, according to […]. Both have so far had no comment on the situation.

Greg Reber, CEO at AsTech Consulting, said that the two have a history of security incidents.

“These two firms represent Wall Street banks and Fortune 500 companies—Pitney Bowes, Intel, Roche AG, etc. In other words, very big deals are made with their counsel. The bad news that should be shouted from every rooftop garden on top of buildings inhabited by expensive M&A law firms is this: this is not the first time these firms have been breached,” he told us. “Earlier this year, Cravath told the Wall Street Journal that an incident involved a ‘limited breach’ of its systems and that the firm was ‘not aware that any of the information that may have been accessed has been used improperly.’ They were wrong.”

He added, “Law firms that believe they are protected by those little disclaimers at the bottom of emails should take note: Hackers simply don’t care about contracts.”

US Attorney Preet Bharara of the Southern District of New York echoed the sentiment: “This case of cyber-meets-securities fraud should serve as a wake-up call for law firms around the world: you are and will be targets of cyber-hacking, because you have information valuable to would-be criminals.”

Hong, 26, was arrested on the charges on Dec. 25 in Hong Kong and is now facing extradition to the United States. Both Hung and Zheng remain at large. Meanwhile, the Securities and Exchange Commission also filed a parallel civil enforcement action that seeks an asset freeze to prevent the three from cashing out on other stocks they may have purchased as part of the scheme.

Source: Information Security Magazine

15,000 New Hampshire Patients Exposed in Social Media Breach

About 15,000 patients in the New Hampshire Department of Health and Human Services (DHHS) found themselves exposed when their information was shared on social media, including their names and Social Security numbers. Addresses and Medicaid ID numbers were in there too.

This is a tale of a missing basic security posture: an investigation has uncovered that a former psychiatric patient was able to carry out the breach via an open computer in the hospital library.

DHHS announced last week that the breach occurred in October 2015, but that it did not learn of it until November 4, 2016. Yet the timeline is more complicated than that:

In October, “[the] individual was observed by a staff member to have accessed non-confidential DHHS information on a personal computer located in the New Hampshire Hospital library,” the department said in a statement. “The staff member notified a supervisor, who took steps to restrict access to the library computers. This incident, however, was not reported to management at New Hampshire Hospital or DHHS.”

The same person went on to post non-personal DHHS information on social media in August 2016, this time drawing attention from the New Hampshire Department of Information Technology, the State Police and other state officials.

So where does the confidential information come in? Our patient/offender surfaced again in November:

“On November 4, 2016, DHHS was informed by New Hampshire Hospital security that the same individual that day had posted confidential, personal information to a social media site. State officials and law enforcement were immediately informed, and the personal information was removed.”

The breached files contain protected health information and personal information for as many as 15,000 DHHS clients who received services from DHHS prior to November 2015.

“A criminal investigation is ongoing,” the department said. “DHHS and the New Hampshire Department of Information Technology (DoIT) have eliminated the source of the breach and the information can no longer be accessed by unauthorized individuals at New Hampshire Hospital.”

It added, “Safeguarding the personal, financial and medical information of DHHS clients is one of this Department’s highest priorities. DHHS will continue to work with state agency partners to make every effort to ensure that the Department’s data remains secure.”

Source: Information Security Magazine

LANDESK and Heat Software to Merge

LANDESK and Heat Software are to be merged into one company.

Private investment firm Clearlake Capital has announced that it has signed a definitive agreement to acquire LANDESK from Thoma Bravo. Its existing security brand, Heat Software, will be merged with LANDESK into one brand, which will operate under a new corporate name to be announced at a later date.

The acquisition of LANDESK is expected to close this month and the combined company will be led by LANDESK CEO Steve Daly with Heat Software CEO John Ferron serving as executive chairman of the company’s Board of Directors.

“This is an exciting day for LANDESK,” said Daly. “We are thrilled to work with Clearlake in this next phase of our growth trajectory, as they bring significant endpoint security software domain expertise and cloud experience that will be critical to continue to build our platform organically and through acquisition.

“HEAT’s products align well with our mission to help our customers build modern, user-centered IT organizations and will provide additional expertise and capabilities as we accelerate our investments in the cloud.”

Duncan Brown, research director of the European Security Practice at IDC EMEA, told Infosecurity that the benefit to users here was in the integration between IT Ops and security Ops.

“In big firms they are separate but in most mid-sized firms (and in many big firms that don’t specialize in security) they are combined, but poorly managed/integrated,” he said. “What we’re seeing here is better support for security in the IT Ops world.”

Brown said he believed that the new company will offer a more unified IT Security Ops product/service, and now users are choosing not to buy best of breed technology unless it integrates with what is deployed already.

He said: “The risk of too many security tools consuming too much management time, and the potential for poorly integrated systems missing threats or alerts, is now shifting behavior towards a more integrated security stack.

“In some cases this will be served by using a security platform approach, such as those on offer from Symantec and BT. In other cases, security will become a more integrated part of IT Ops, and served by the likes of HEAT/LANDESK.”

Bob Tarzey, analyst and director at Quocirca, said that the earlier merger of Lumension and FrontRange to form Heat Software made sense because it brought asset management, endpoint management and update management together; since LANDESK also offered endpoint management, it was competing with Heat Software in many areas.

“This strikes me as Clearlake picking up a struggling LANDESK cheap and seeing the customer base LANDESK has built up over many years as the main asset to cross-sell to,” he told Infosecurity.

Ferron called the merger a “marriage of two organizations with a shared vision”, while Clearlake partner Prashant Mehrotra and vice-president James Pade said: “There is a critical need for enterprise IT to better understand what is happening in the user environment, while securing critical assets and data, and to have the operations management tools to take action when needed.

“We believe this transformational combination with HEAT will further enhance LANDESK’s scale, breadth of capabilities, and resources to deliver comprehensive solutions to address these complex IT security challenges and risks.”

Source: Information Security Magazine

US Military Healthcare Pros Exposed in Privacy Snafu

Healthcare professionals working in the US military, and those with top secret clearance, may have been put in potential danger after an IT error by their employer exposed highly sensitive personal details, a security researcher has revealed.

MacKeeper’s Chris Vickery discovered at least 11GB of publicly exposed files, including the names, locations, Social Security Numbers, salaries, and assigned units for scores of healthcare professionals working at the US military’s Special Operations Command (SOCOM).

The information was completely unprotected by a username or password, he claimed.

“Potomac Healthcare Solutions provides healthcare workers to the US Government through Booz Allen Hamilton (you know, Snowden’s old employer),” explained Vickery in a blog post.

“It is not presently known why an unprotected remote synchronization (rsync) service was active at an IP address tied to Potomac. I do know that when I called one of the company’s CEOs this past Thursday to report the exposure, he did not seem to take me seriously.”

The data eventually went offline but apparently not before Vickery was forced to call the company a second time to force the issue.

As well as healthcare workers, names and locations of Special Forces data analysts with top secret clearance were also exposed in the privacy snafu, he claimed.

“It’s not hard to imagine a Hollywood plotline in which a situation like this results in someone being kidnapped or blackmailed for information,” said Vickery. “Let’s hope that I was the only outsider to come across this gem. Let’s really hope that no hostile entities found it. Loose backups sink ships.”

For its part, Potomac Healthcare Solutions played down the severity of the incident, in a statement sent to Infosecurity:

"We are aware of the report from an independent security researcher alleging an unauthorized exposure of sensitive government information. Upon learning of the allegation, we immediately initiated an internal review and brought in an external forensic IT firm for additional support. While our investigation remains ongoing, based on our initial examination, despite these earlier reports, we have no indication that any sensitive government information was compromised. The privacy and security of information remains a top priority, and we will continue to work diligently to address any issues or concerns."

Booz Allen Hamilton was famously the employer of NSA whistleblower Edward Snowden when he leaked documents to the press in 2013, revealing the extent of US government spying.

Another employee, Harold Martin, is suspected of stealing an even bigger trove of documents – potentially more than 50TB over a two-decade period.

Source: Information Security Magazine