listen more to learn more.

Sunday, December 11, 2016

Germany Accuses Russia of Hybrid Warfare

Russia has been accused of waging its own brand of cyber hybrid warfare against Germany, with specific focus on next year's elections. In particular, the APT28 (Fancy Bear) hacking group -- thought to be linked to the Russian government -- is accused of spreading propaganda and disinformation under the guise of 'hacktivists'.

The recent attack on Deutsche Telekom routers is thought by some experts to have emanated from Russia, but there is no proof. Last year's attack against the German parliament, and attacks against German politicians in August, are also blamed on Russia. Speaking earlier this week, Chancellor Angela Merkel commented, "Such cyber-attacks, or hybrid conflicts as they are known in Russian doctrine, are now part of daily life and we must learn to cope with them."

Now both the heads of the German foreign intelligence agency (BND), Bruno Kahl, and the domestic intelligence agency (BfV), Hans-Georg Maassen, have warned about increasing Russian cyber activity in Germany. 

Last week Kahl told the Süddeutsche Zeitung, "There are findings that cyber-attacks take place which have no other meaning than to create political uncertainty. There is a kind of pressure on public discourse and on democracy, which is unacceptable." He added that there are indications of Russian involvement. "Attribution to a state actor is technically difficult, but there is some evidence that it is at least tolerated or desired by the state."
Yesterday, however, a statement issued by the BfV was more forthright. "Since the start of the Ukraine crisis," it started, "we have seen a significant increase in Russian propaganda and disinformation campaigns in Germany." It warns of a broad spectrum of instruments and "an enormous use of financial resources on Russia's part" designed to strengthen extremist groups in order to shape political discourse in Germany.

The statement names APT28 as using a campaign that is often executed as 'false flags'. "This approach represents a previously unseen methodology in campaigns that are controlled by Russia." Note, however, that many experts believe that the attack against French television company TV5 was also a 'false flag': in reality APT28 pretending to be ISIS.

The statement goes on to say, "Spear-phishing against political parties and parliamentary groups have increased dramatically. They are attributed to the APT28 campaign, which was also responsible for the DNC hack. APT28 successfully exfiltrated data from the German Bundestag in 2015."

Maassen describes the method and motivation behind the APT28 campaign. "Propaganda, disinformation, cyber-attacks, cyber espionage and cyber sabotage are part of hybrid threats against western democracies." He points to social networks as the new way for people to share and consume information, adding that it provides the perfect entry point for disinformation and campaigns designed to reshape public opinion.

He also warns of an "increase in cyber espionage within the political arena". Government officials, members of the Bundestag, and party workers all face a potential threat. "Stolen information could be used in the election campaign to discredit German politicians."
The political theory is that Russia will benefit from a weakened European Union -- already wounded by Brexit. By playing to European concerns over uncontrolled immigration and refugee support, and by fostering nationalism within individual member states -- in this instance Germany -- Russia will be able to weaken the existing European sanctions.
Russia denies involvement in hacking.

Yahoo Pays Out $10,000 Bounty for Critical Mail Flaw

A researcher has earned $10,000 for finding a critical Yahoo! Mail vulnerability that could have been exploited simply by getting the targeted user to open a specially crafted email.

Nearly one year ago, Jouko Pynnönen of Finland-based software company Klikki Oy discovered a stored cross-site scripting (XSS) vulnerability in the web version of the Yahoo! Mail service that could have allowed an attacker to execute malicious JavaScript code hidden in emails.

The researcher said the flaw could have been used to forward the victim’s emails, change their account settings and even create an email worm that attached itself to all outgoing emails.

The vulnerability, which earned Pynnönen $10,000, existed due to Yahoo’s failure to properly sanitize code in HTML emails.

The expert recently decided to take another look at Yahoo’s Mail service and discovered a similar flaw, but this time it was related to code inserted when certain types of content are attached to an email.

The “Share files from cloud providers" attachment option allows users to attach files from their cloud storage accounts, such as Dropbox or Google Drive. While analyzing the code inserted into an email when this option was used, Pynnönen noticed some HTML attributes named data-* (e.g. data-url, data-category, data-embed-url). Further analysis showed that these attributes are also used when a YouTube video is added to an email.

The researcher found a way to abuse these attributes in YouTube video attachments to get arbitrary JavaScript code executed. There was no need for the user to click on a link or open an attachment – the code would get executed as soon as the email was opened.
Similar to the flaw discovered one year ago, this security hole could have been exploited to steal a user’s emails and create a worm that spreads by attaching itself to outgoing emails, the expert said.

Pynnönen told SecurityWeek that he did not get a chance to test the attack method using the Google Drive and Dropbox attachment options. Yahoo was informed about the vulnerability on November 12 and fixed it by the end of November.

Yahoo awarded the expert a $10,000 bounty for the flaw. The company reported in May that it had paid out more than $1.6 million since the launch of its public bug bounty program in 2013.

Cyber Insurance Market to Top $14 Billion by 2022: Report

The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report published by Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022.

North America held the largest share of the cyber insurance market in 2015 and is expected to dominate the market during the forecast period.

"Increase in awareness about cyber risks from boardroom to data centers owing to the rising number of cyber-attacks in the past 2-3 years is the prime factor that drives the market," the report explains. "However, complex and changing nature of cyber risks limits cyber insurance market growth. Low market penetration of cyber insurance policies in developing countries offers promising business opportunity for market players."

In terms of verticals, healthcare organizations currently generate roughly one-third of the total premiums, the report said, noting that in the United States approximately 78% of hospitals do have a cyber insurance policy.

In terms of organizational size, large companies generated approximately 70% of the overall cyber insurance market revenue in 2015, with North America dominating the industry with around 87% of the overall cyber insurance market last year.

“Mandatory legislation regarding cyber security in several U.S. states has led to higher penetration of cyber liability insurance policies,” AMR explained. “The U.S. cyber insurance industry has become mature, and growth of the cyber insurance industry is projected to decrease owing to rising adoption of cyber liability insurance policies. Europe has very less penetration of cyber insurance liability policies as compared to that of the U.S. The European council has recently passed regulations regarding data protection and security, which are projected to be brought into effect in 2018. These regulations would oblige companies to purchase cyber insurance policies. Though Asia-Pacific accounts for negligible percentage share, it is expected to grow at a significant CAGR during the forecast period owing to a significant increase in ransomware attacks.”

By comparison, a report (PDF) from PwC estimates that annual gross written premiums are set to increase from around $2.5 billion in 2015 to $7.5 billion by 2020.

“Cyber insurance is a potentially huge, but still largely untapped, opportunity for insurers and reinsurers,” PwC said.

“Many insurers face considerable cyber exposures within their technology, errors & omissions, general liability and other existing business lines,” PwC cautioned. “The immediate priority is to evaluate and manage these ‘buried’ exposures.”

"Cybercrime is still a serious threat and no longer is considered as a risk covered under traditional network security insurance product," Yogiata Sharma, Research Analyst, Consumer Goods Research at AMR, said in a statement. "Organizations from all industries need coverage for liability and property exposure which is a result of cyber-attacks. This is an opportunity for insurers and reinsurers to innovate cyber insurance products that manage various degrees of risks and cover cost-associated data breaches, credit monitoring, forensic investigations, reputation management, and business interruption." 
Key players in the cyber insurance market include American International Group (AIG), Chubb, Zurich Insurance, XL Group Ltd (Ireland), Berkshire Hathaway (U.S.), Allianz Global (Germany), Munich Re Group (Germany), Lloyd's (U.K.), Lockton (U.S.), and AON PLC (U.K.).

While cyber insurance can help companies cover costs associated with damaging cyber attacks and data loss, it’s important to remember what cannot be covered, such as theft of intellectual property and remediation of a breach, reminds SecurityWeek contributor Joshua Goldfarb.

“It’s easy to cynically view cyber insurance as yet another fad creating noise in the already crowded security market,” Goldfarb writes. “What’s harder is truly understanding all of the necessary components in a sound and strategic risk mitigation strategy. Cyber insurance, like any tool, will not solve all of an organization’s problems. But it can help an organization round out its risk mitigation strategy.”

Russia Says Thwarted Fresh Cyber Attacks on Major Banks

Russia's telecom operator on Friday said that it had blocked a series of cyber attacks on the country's leading banks this week, the latest to target the country's financial sector.

Rostelecom said in a statement that it "successfully thwarted DDoS (distributed denial of service) on the five biggest banks and financial organisations in Russia" on December 5.
"The most sustained attack lasted more than two hours," it said.

Russia's FSB security service last week said it had uncovered plans by foreign intelligence services to carry out massive cyber attacks targeting the country's financial system from December 5.

State-controlled Russian bank VTB said Monday that its websites had been hit by a cyber attack but insisted its systems were still working "as normal".

The FSB did not say which countries' secret services were involved in the latest plot against Russian banks but alleged the attacks would use servers and "command centres" located in the Netherlands belonging to Ukrainian hosting company, BlazingFast.

Russia has been embroiled in a hacking scandal with the US over allegations from Washington that Moscow was behind the theft and leaking of documents online during the run-up to the US presidential election aimed at influencing the outcome.

Vice President Joe Biden warned that the US would respond to the suspected Russian hacking "at the time of our choosing and under the circumstances that have the greatest impact".

The latest attacks come after Moscow-based security giant Kaspersky said in November that a massive DDoS cyber attack had hit at least five of Russia's largest banks.

DDoS attacks involve flooding websites with more traffic than they can handle, making them difficult to access or taking them offline entirely.

Kaspersky said those attacks used devices located in 30 countries including the United States.

Thursday, December 8, 2016

Floki Bot Developer Imports Cybercrime Tools to Brazil

Cisco Talos and Flashpoint have teamed up to conduct an in-depth analysis of Floki Bot, a Zeus-based banking Trojan that has been sold on cybercrime marketplaces since September 2016.

Floki Bot, offered by its developers for $1,000 worth of bitcoins, is based on the Zeus source code that was leaked in 2011. However, researchers determined that the malware includes some new capabilities, including anti-detection features. Talos also spotted new code that allows the Trojan to use the Tor network, but the functionality is currently not active.

Flashpoint analysts believe that “flokibot,” the online moniker used by the threat actor behind the Floki Bot malware, is based in Brazil. Researchers determined that the actor communicates in Portuguese, it targets Brazilian IPs and domains, and it’s mainly interested in devices with the default language set to Portuguese. The actor appears to be most active on underground forums during hours within Brazil’s UTC -3 timezone.
Flashpoint has named the flokibot actor a “connector”, as they are present on several major underground communities outside of Brazil, particularly Russian- and English-speaking dark web communities.

Researchers believe that through their presence on these foreign websites, the cybercriminals import knowledge and tools into the Brazilian community.

“While Brazilian cybercriminals are not typically as technically sophisticated as their Russian counterparts, they will often solicit new forms of malware (to include point of sale [PoS] ransomware and banking Trojans), or offer their own services,” Vitali Kremez, senior intelligence analyst at Flashpoint, said in a blog post. “It appears that a presence on Russian [Deep and Dark Web] communities may be a likely factor in flokibot’s progression.”

In addition to the banking Trojan functionality borrowed from Zeus, researchers noticed that Floki Bot includes hooking methods designed to capture payment card data from memory. In one campaign analyzed by Flashpoint, 225 Floki bots appeared to have collected a total of 1,375 card dumps.

“For connectors like flokibot, reaching across language barriers into predominantly English- and Russian-language communities enables them to advance criminal schemes through new markets: it is not particularly difficult or expensive for botnet newcomers in short time to build their own botnets leveraging Floki Bot and start attacking corporate networks,” Kremez said.

Talos has published a detailed analysis of how Floki Bot works and released a tool designed to make it easier for analysts to examine the malware.

Cryptography Expert to Audit OpenVPN

VPN service provider Private Internet Access has contracted cryptography expert Matthew Green to conduct a comprehensive audit of the open-source VPN application OpenVPN.

Green, who is a professor of computer science and researcher at Johns Hopkins University in Baltimore, was also involved in auditing the file and disk encryption software TrueCrypt as part of the Open Crypto Audit Project (OCAP).

The expert has been tasked with finding vulnerabilities in OpenVPN 2.4, which is currently a release candidate (rc1). Green will analyze the source code available on GitHub and the results will be compared to the final version of OpenVPN 2.4.

Private Internet Access will make the results of the audit public, but not before ensuring that OpenVPN patches the vulnerabilities discovered by Green.

“The OpenVPN 2.4 audit is important for the entire community because OpenVPN is available on almost every platform and is used in many applications from consumer products such as Private Internet Access VPN to business software such as Cisco AnyConnect,” explained Caleb Chen of Private Internet Access.

“Instead of going for a crowdfunded approach, Private Internet Access has elected to fund the entirety of the OpenVPN 2.4 audit ourselves because of the integral nature of OpenVPN to both the privacy community as a whole and our own company,” Chen added.
In the case of TrueCrypt, auditors determined that it does not contain any backdoors or severe design flaws, but the software’s anonymous developers decided to abandon the project before the completion of the audit.

Experts Propose Cybersecurity Strategy for Nuclear Facilities

Institutionalizing cybersecurity, reducing complexity, active defenses and transformative research should be a priority in reducing the risk of damaging cyberattacks at nuclear facilities, according to the Nuclear Threat Initiative (NTI).

While the Stuxnet attacks aimed at Iran are the most well-known, nuclear facilities in Germany and South Korea have also been hit by cyberattacks. European Union officials have also raised concerns about the possibility of attacks against Belgium’s nuclear plants.

Reports published in the past months warned that countries are not prepared to handle attacks targeting their nuclear facilities, and the nuclear industry still underestimates cyber security risk.

A report published on Wednesday by the NTI provides a set of recommendations for improving cyber security at nuclear facilities based on a 12-month analysis conducted by an international group of technical and operational experts.

One of the most important priorities involves institutionalizing cybersecurity. Specifically, nuclear facilities should learn from their safety and physical security programs and integrate these practices into their cybersecurity programs.
Governments and regulators can also contribute by prioritizing the development and implementation of regulatory frameworks and by attracting skilled people into this field. International organizations have been advised to provide guidance and training, and support cooperation and an increased focus on cybersecurity through dialog and best practices.
Another priority should be active defenses. Experts pointed out that a determined adversary will likely be capable of breaching the systems of a nuclear facility and organizations must be prepared to efficiently respond to such incidents.
Sharing threat information, incident response exercises, more resources from governments, and the development of active defense capabilities are some of the recommendations for addressing this issue, but experts admit that it’s not an easy task due to the global shortage of technical experts.

Reducing the complexity of digital systems should also be a priority for nuclear facilities. Experts recommend minimizing the complexity of digital systems and even replacing them with non-digital or secure-by-design products.

Finally, the NTI recommends conducting transformative research with the goal of developing hard-to-hack systems for critical applications. The list of actions includes governments investing in transformative research, the nuclear industry supporting the cybersecurity efforts of relevant organizations, and international organizations encouraging creativity for mitigating cyber threats.

“Today’s defenses are no longer adequate, and a fresh look at how to best protect nuclear facilities from cyberattack is needed,” experts wrote in the NTI report. “The threat is too great, and the potential consequences are too high, to remain comfortable with the status quo.”

Wednesday, December 7, 2016

HDDCryptor Ransomware Variant Used in San Francisco Rail System Attack

News broke last week of a ransomware attack targeting the San Francisco Municipal Transport Authority (SFMTA, or 'Muni'), and security researchers have now taken a closer look at the malware used.

The malware, known as HDDCryptor or Mamba, was spotted for the first time at the beginning of 2016, though it was first detailed only in September. The main characteristic of the threat was the use of open source tools to encrypt the entire hard drive by rewriting the MBR (Master Boot Record).

The malware supposedly spreads through a targeted attack or exploit and doesn’t use automated tools such as exploit kits or other installers to instantly compromise and infect victims, researchers say. The installation and execution of the malware are supposedly performed manually, and the attackers supposedly used scheduled jobs to ensure that the ransomware will run on SFMTA’s 2,000 machines.

The malware variant used in the attack against Muni was seen dropping the tools it needed in a “C:\Users\WWW” folder, which was the main differentiator from the previously spotted variants, which created a new user for that. Once the needed components are downloaded, the ransomware tries to encrypt remote network shares, after which it reboots the system to prepare for local encryption.

According to Trend Micro researchers, the ransomware then reboots the system one more time to show the modified MBR as the ransom note. While this process remained unchanged from one variant to the other, the email address and phrasing did change between versions.

To encrypt files on remote systems, the malware uses mount.exe, with each drive to be encrypted sent in as an argument to this executable. The password that was passed in as an original argument to HDDCryptor is also included. Interestingly though, the mount.exe file doesn’t use the DiskCryptor methods for encryption, although it does employ the open source tool for encrypting the main hard drive.

Another interesting fact is that mount.exe was found to be dropped onto the infected machine encrypted, with the malware never actually attempting to decrypt it. Instead, Fortinet researchers say, the malware continued to try and execute the file as it is, which didn’t return the expected result.

Because the log message about network share encryption was removed too, the security researchers believe that the ransomware’s operators might have considered removing this feature altogether. Another issue spotted in this malware variant was its attempt to find the %/Users/ABCD directory that was used in a previous variant.

The malware’s strings are encoded with the Base64 algorithm, a simple obfuscation method most probably meant to be effective only against signatures based on the strings included in the previous versions.
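Base64 encoding defeats a signature on the plain string only if the signature is not also given the encoded forms. The following is an added example, written for this page and not code from Trend Micro, Fortinet or the malware analysis, in Python: it derives the three alignment-dependent Base64 encodings of a known string (the same idea as a Base64-aware string modifier in a signature engine) and scans a buffer for both plain and encoded occurrences of the artefact names the article mentions. The sample buffer and the embedded command line are constructed for the example.

```python
import base64

# Artefact names taken from the article: the helper binaries and the
# dropper folder.  No hashes or other indicators are invented here.
KNOWN_STRINGS = ["mount.exe", "dcapi.dll", "C:\\Users\\WWW"]


def base64_variants(s: str) -> list:
    """Return the Base64 substrings that s produces at each of the three
    byte alignments (0, 1 or 2 bytes preceding it modulo 3).

    Base64 maps 3 bytes to 4 characters, so the encoding of an embedded
    string depends on where it starts.  For each alignment we encode the
    string behind k padding bytes and keep only the characters whose six
    bits lie entirely inside the string, so the result matches no matter
    what bytes surround the string in the real stream.
    """
    raw = s.encode()
    n = len(raw)
    variants = []
    for k in range(3):
        enc = base64.b64encode(b"\x00" * k + raw).decode()
        lo = -(-8 * k // 6)          # ceil(8k / 6): first char fully inside
        hi = (8 * k + 8 * n) // 6    # floor(8(k+n) / 6): one past the last
        variants.append(enc[lo:hi])
    return variants


def scan(data: bytes, known=KNOWN_STRINGS) -> list:
    """Report each known string found either in clear or Base64-encoded.

    Returns (string, "plain") or (string, "base64@k") tuples, where k is
    the alignment at which the encoded form was recognised.
    """
    hits = []
    for s in known:
        if s.encode() in data:
            hits.append((s, "plain"))
        for k, variant in enumerate(base64_variants(s)):
            if variant.encode() in data:
                hits.append((s, f"base64@{k}"))
                break
    return hits


# Constructed sample buffer: a fake PE-like header, a Base64 blob carrying
# a command line that names the dropper folder and mount.exe, and one
# plain reference to dcapi.dll.  Inside the blob "C:\Users\WWW" starts at
# byte 7 (alignment 1) and "mount.exe" at byte 20 (alignment 2).
COMMAND = b"cmd /c C:\\Users\\WWW\\mount.exe D: p4ss"
SAMPLE = b"MZ\x90\x00" + b"\x00" * 8 + base64.b64encode(COMMAND) + b"\x00dcapi.dll\x00"


if __name__ == "__main__":
    for name, how in scan(SAMPLE):
        print(f"{name:14s} found {how}")
```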

According to Trend Micro, there are changes in the PDB strings of mount.exe, which show a different number compared to that used in previous variants. Moreover, the researchers say that HDDCryptor’s authors decided not to recompile DiskCryptor for their nefarious purposes, but merely patched the dcapi.dll file to add the ransom note.

“Previous versions had all dropped files as clear PE resources of the main dropper. Since v2, HDDCryptor actors use a simple decryption scheme to decrypt the binaries in its .rsrc (resource) section,” Trend Micro researchers say.

Other improvements spotted in the latest HDDCryptor variants include basic anti-sandbox and anti-debugging features, along with simple resources encryption. This shows that the malware’s authors are focusing on antivirus evasion and other detection techniques. Just as before, however, the actors are believed to have prior access to the compromised systems and to manually execute HDDCryptor.

“It is believed that this is done over RDP that is exposed to the internet directly, apart from exploiting tools. Given the fact that it is easy to buy access to compromised servers within the underground, HDDCryptor actors may be using this technique, too,” Trend Micro says.
According to Fortinet, HDDCryptor operators might have been exploiting a vulnerability related to an unpatched Oracle server program to gain access to the Muni system. “It’s an old vulnerability, and a simple update to patch the system could have saved them a lot of money, along with a great deal of inconvenience and public embarrassment,” Fortinet notes.

Windows 10 Creators Update Brings New Security Capabilities

Microsoft Introduces New Enterprise Security Capabilities With Windows 10 Creators Update

Microsoft announced on Tuesday that the Windows 10 Creators Update, which it plans on releasing free of charge next spring, will include several new security capabilities designed to help IT teams protect their networks and devices.

In its initial announcement on the Windows 10 Creators Update, Microsoft focused on the creativity aspect, including productivity and gaming. However, the tech giant revealed on Tuesday that the update will also include significant security enhancements.

One of these improvements will make it easier for IT teams to monitor and act on security events by centralizing them in the Windows Security Center, a portal first released in the Windows 10 Anniversary Update. By linking the Security Center to Office 365 Advanced Threat Protection (ATP), administrators will be able to track a threat across endpoints and email (e.g. determine which users received a malicious email).

In Creators Update, the Windows Defender ATP will also provide enhanced detection, intelligence and remediation capabilities. ATP sensors will be expanded to detect kernel-level exploits and threats that persist only in memory. Once a threat has been identified, defenders will be able to select from a wider range of remediation actions, such as isolating machines, collecting forensics, quarantining files, and killing processes.
As for intelligence, FireEye recently announced that iSIGHT has become available to Microsoft enterprise users through Windows Defender ATP. Starting with Creators Update, users will be able to feed their own intel into the Security Center.

Microsoft said the new Windows 10 release will also provide an enhanced Windows Analytics dashboard that will help administrators manage their devices better, and a mobile application management feature designed to protect data on personal devices without the need to enroll them in an MDM solution.

Up until now, users who installed Windows 7 using a legacy BIOS and wanted to take advantage of new Windows 10 security features that required UEFI (e.g. Device Guard) had to manually configure the firmware. Creators Update will include a simple conversion tool that will automate the task.

Monday, December 5, 2016

Saudi Aviation Agency Downplays Impact of Shamoon Attack

Saudi Arabia’s General Authority of Civil Aviation (GACA) has confirmed that several government agencies, including its own systems, have been hit by the recent Shamoon 2.0 attacks, but downplayed the impact of the incident.

Shamoon, aka Disttrack, is a disk-wiping malware that became widely known in 2012, when it damaged 35,000 computers belonging to national petroleum and natural gas company Saudi Aramco.

Security firms noticed recently that a new version of the malware, dubbed Shamoon 2.0, has been used in attacks aimed at Arab states of the Persian Gulf, but little is known about the victims.

Bloomberg reported last week that several government agencies were targeted and named GACA. Sources told the publication that the attackers erased critical data and brought operations to a halt for several days. Thousands of computers were reportedly “destroyed” at the agency, but only office administration systems were affected.
In a statement published on its website, the aviation agency said the attack targeted various sectors, including the country’s transportation sector. GACA has confirmed that its systems were targeted, but claims its website and critical aviation systems were not impacted thanks to “security measures.”

According to the organization, the hackers did not breach air navigation systems or any major airport networks, including HR, financial, aviation permit and security badge, and airport support and operations systems.

“From the beginning of the attack in the past few days, GACA has noticed its impact on some employees' desktop PCs and their official emails, requiring us to immediately implement some necessary measures to deal with such incidents, including a complete isolation of the infected devices from the main network,” the agency stated.

“Work has already started to restore the infected data in a secure fashion. Efforts to provide employees with virus-free and sound equipment were implemented immediately to enable them to carry on their workloads. Service was restored to the affected systems after a temporary injunction on the device was implemented as a precautionary measure for some time,” it added.

Shamoon 2.0 is similar to the original malware and the attack method suggests that the new campaign was carried out by the same threat actor that breached Saudi Aramco in 2012. A group calling itself the “Cutting Sword of Justice” took credit for the 2012 attack, but many believe the Iranian government was behind the operation.

State-owned Russian Bank VTB Says Sites Hit by Cyberattack

State-controlled Russian bank VTB said Monday that its websites had been hit by a cyberattack but insisted its systems were still working "as normal".

"A DDoS (distributed denial of service) attack was carried out against VTB Group internet sites," Russia's second largest bank said in a statement carried by Russian news agencies.
"Our IT infrastructure is working as normal and the bank's clients are not experiencing any difficulties."

Russia on Friday said it had uncovered plans by foreign intelligence services to carry out massive cyberattacks this month targeting the country's financial system.

The FSB security service said in a statement that it had received information on "plans by foreign secret services to carry out large-scale cyberattacks from December 5".

The FSB did not say which countries' secret services were involved in the latest plot against Russian banks but alleged the attacks would use servers and "command centres" located in the Netherlands belonging to Ukrainian hosting company BlazingFast.

Russia has been embroiled in a hacking scandal with the US over allegations from Washington that Moscow was behind the theft and leaking of documents online during the run-up to the US presidential election aimed at influencing the outcome.

Vice President Joe Biden warned that the US would respond to the suspected Russian hacking "at the time of our choosing and under the circumstances that have the greatest impact".

The latest attack on VTB comes after Moscow-based security giant Kaspersky said in November that a massive DDoS cyberattack had hit at least five of Russia's largest banks.
DDoS attacks involve flooding websites with more traffic than they can handle, making them difficult to access or taking them offline entirely.

Kaspersky said those attacks used devices located in 30 countries including the United States.

Russia's largest lender, state-controlled Sberbank, acknowledged it had been hacked but said its operations had not been interrupted. 

10 Days of DDoS: an Actor’s "Working" Hours

Threat actors working on a schedule similar to that of legitimate businesses recently launched large distributed denial of service (DDoS) attacks for ten days in a row, CloudFlare researchers warn.

Starting on Nov. 23 and running through Dec. 2, the actor behind a DDoS-capable tool has been launching large-scale attacks for roughly eight hours each day, seemingly during specific working hours. CloudFlare, which observed and mitigated several of the attacks, says that the actor started work at around 18:00 UTC (13:00 EST) each day and ended shift eight hours later, at around 02:00 UTC (21:00 EST).

Day after day, with only slight variations of half an hour or so, the actor would employ this pattern when launching DDoS attacks, as if they “'worked' a day and then went home,” CloudFlare says. On the last day, the attacks continued for 24 hours straight, either because the attacker no longer took the night off, or because multiple operators worked in shifts to keep the floods going.
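The schedule CloudFlare describes is the kind of thing an analyst recovers from edge telemetry after the fact. The following is an added example, not code from CloudFlare or the article, in Python: it groups above-threshold bandwidth readings into contiguous attack runs (bucketing by calendar day would split an 18:00 to 02:00 UTC shift in two), then summarises the usual start hour, the typical shift length, and any run that breaks the pattern. The readings are constructed to follow the article's description; the Gbps figures, the 30-minute sampling interval and the fixed UTC-5 offset for EST are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import median

INTERVAL = timedelta(minutes=30)   # assumed sampling interval of the telemetry
UTC = timezone.utc
EST_OFFSET_HOURS = -5              # assumption: EST, no daylight saving in late Nov/Dec


def constructed_readings():
    """Constructed edge telemetry: (timestamp, inbound Gbps) every 30 minutes,
    23 Nov to 4 Dec 2016 UTC.  Nine shifts of eight hours starting around 18:00
    UTC (a half-hour later on alternate days), then a 24-hour run on the final
    day.  The Gbps values are invented and only loosely follow the page's peaks."""
    first_shift = datetime(2016, 11, 23, 18, 0, tzinfo=UTC)
    shifts = []
    for day in range(9):
        start = first_shift + timedelta(days=day, minutes=30 * (day % 2))
        shifts.append((start, start + timedelta(hours=8)))
    last = first_shift + timedelta(days=9)
    shifts.append((last, last + timedelta(hours=24)))

    readings = []
    t = datetime(2016, 11, 23, 0, 0, tzinfo=UTC)
    stop = datetime(2016, 12, 4, 0, 0, tzinfo=UTC)
    while t < stop:
        active = any(s <= t < e for s, e in shifts)
        # Flood alternates between 320 and 400 Gbps; background traffic is 2 Gbps.
        gbps = 320.0 + 80.0 * (t.hour % 2) if active else 2.0
        readings.append((t, gbps))
        t += INTERVAL
    return readings


def attack_runs(readings, threshold_gbps=100.0, max_gap=timedelta(hours=1)):
    """Group above-threshold readings (in time order) into contiguous runs.
    A quiet gap up to max_gap does not end a run, so a brief dip during a
    shift is not counted as a second attack."""
    runs = []
    for ts, gbps in readings:
        if gbps < threshold_gbps:
            continue
        if runs and ts - runs[-1]["end"] <= max_gap:
            runs[-1]["end"] = ts
            runs[-1]["peak"] = max(runs[-1]["peak"], gbps)
        else:
            runs.append({"start": ts, "end": ts, "peak": gbps})
    for r in runs:
        # "end" is the last sample above threshold; add one interval for the span it covers.
        r["hours"] = ((r["end"] - r["start"]) + INTERVAL).total_seconds() / 3600
    return runs


def shift_profile(runs):
    """Summarise the actor's schedule: the most common start hour (UTC and EST),
    the typical run length, and runs that break the pattern (more than 1.5x the
    typical length), such as the 24-hour flood on the final day."""
    usual_start, _ = Counter(r["start"].hour for r in runs).most_common(1)[0]
    typical = median(r["hours"] for r in runs)
    outliers = [r["start"] for r in runs if r["hours"] > 1.5 * typical]
    return {
        "days_active": len(runs),
        "usual_start_utc": usual_start,
        "usual_start_est": (usual_start + EST_OFFSET_HOURS) % 24,
        "typical_hours": typical,
        "outliers": outliers,
    }


if __name__ == "__main__":
    runs = attack_runs(constructed_readings())
    for r in runs:
        print(f"{r['start']:%Y-%m-%d %H:%M} UTC  {r['hours']:5.1f} h  peak {r['peak']:.0f} Gbps")
    print(shift_profile(runs))
```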

The attacks, the security researchers say, were quite large: they peaked at 172Mpps (Million packets per second) and 400Gbps (Gigabits per second) on the first day, but went over 200Mpps and 480Gbps on the third day.

“And the attacker just kept this up day after day. Right through Thanksgiving, Black Friday, Cyber Monday and into this week. Night after night attacks were peaking at 400Gbps and hitting 320Gbps for hours on end,” CloudFlare’s John Graham-Cumming reveals.

One of the most interesting aspects of these attacks is that they are not launched by the famous Internet of Things (IoT) botnet Mirai, but by a different tool, CloudFlare reveals. The attacker is sending very large L3/L4 floods aimed at the TCP protocol, a technique different from what Mirai uses.

The security researchers also note that the attacks they witnessed were highly concentrated in a small number of locations, mostly on the United States west coast. This is not much of a surprise, given that DDoS bots have long abused cloud services offered by Amazon and other companies.

What this incident also reveals is how trivial it has become for a DDoS actor to launch attacks peaking above the 400Gbps mark. In fact, as Akamai’s Q3 State of the Internet report reveals (PDF), the number of attacks over 100Gbps went up 138% in the third quarter of this year compared to the same period in 2015, while DDoS attacks registered an overall increase of 71% since Q3 2015.

Saturday, December 3, 2016

Implantable Cardiac Defibrillators Easily Hacked: Researchers

The communication protocol used by some of the latest generation of Implantable Cardioverter Defibrillators (ICDs) is weak enough to allow even attackers without advanced knowledge to reverse-engineer it and exploit vulnerabilities such as denial of service (DoS), security researchers have discovered.

In a paper (PDF) titled On the (in)security of the Latest Generation Implantable Cardiac Defibrillators and How to Secure Them, a group of six researchers from Leuven, Belgium, and Birmingham, UK, explain that Implantable Medical Devices (IMDs) use proprietary protocols for communication, and that limited or no security features are employed for wireless communication.

Because the protocols are used to carry out critical functions such as changing the IMD’s therapy or collecting telemetry data, an attacker capable of tapping into these communication protocols can perform privacy and Denial-of-Service (DoS) attacks. What’s more, the researchers explain that reverse-engineering the protocols is highly feasible even for attackers with limited knowledge and resources and without physical access to devices.

The research was conducted on the latest generation of a widely used ICD, which uses a long-range RF channel (from two to five meters) for communication, using a black-box approach and inexpensive Commercial Off-The-Shelf (COTS) equipment. While analyzing the protocols, the security researchers discovered weaknesses in them and in their implementations, and they also managed to conduct several attacks against the vulnerable devices.

These attacks, which include replay and spoofing, can put patients’ safety at risk, especially since they can be performed without being in close proximity to the patient. The security researchers suggest that the discovered issues affect at least 10 types of ICDs currently on the market and say that manufacturers have been contacted before the publication of the paper.

The researchers started their analysis with an attempt to intercept the wireless transmissions between the device programmer and the ICD, and focused on reverse-engineering the proprietary protocol used to communicate over the long-range channel. Next, they looked into ways to activate the ICD before carrying out attacks and discovered several ways to bypass the current activation procedure.

After fully reverse-engineering the proprietary protocol, the researchers focused on discovering vulnerabilities that an attacker could exploit, and revealed that active and passive software radio-based attacks such as privacy, DoS, and spoofing and replay attacks are possible. They also say that adversaries might not even need to be in the proximity of the vulnerable devices because sophisticated equipment and directional antennas could allow them to extend the attack distance by several orders of magnitude.

Some of the countermeasures that could mitigate or solve the discovered vulnerabilities include jamming the wireless channel when the ICD is in standby mode, sending a shutdown command so that the device would enter a sleep mode, and adding standard symmetric key authentication and encryption between the ICD and the programmer.

“We want to emphasize that reverse-engineering was possible by only using a black-box approach. Our results demonstrated that security-by-obscurity is a dangerous design approach that often conceals negligent designs. Therefore, it is important for the medical industry to migrate from weak proprietary solutions to well-scrutinized security solutions and use them according to the guidelines,” the security researchers say.
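To make the replay finding and the proposed symmetric-key countermeasure concrete, here is an added toy model that is neither the paper's design nor any vendor's protocol: a device that checks only framing accepts a captured frame a second time, while a device that challenges with a fresh nonce and verifies an HMAC rejects both the replay and a frame forged under the wrong key. The frame layout, command string and magic header are all constructed for the illustration.

```python
# Added illustration (not the paper's design or any vendor's protocol): why an
# unauthenticated command channel is replayable, and how challenge-response
# with a shared symmetric key, a countermeasure the researchers name, stops it.
import hmac, hashlib, os

class UnauthenticatedICD:
    """Toy model of a device that trusts any well-formed frame."""
    def receive(self, frame: bytes) -> bool:
        # Only framing is checked (a magic header), so a frame captured
        # over the air is accepted again when replayed later.
        return frame.startswith(b"ICD1")

class AuthenticatedICD:
    """Toy model: device issues a fresh nonce and checks an HMAC over it."""
    def __init__(self, key: bytes):
        self.key, self.pending, self.log = key, None, []
    def challenge(self) -> bytes:
        self.pending = os.urandom(16)   # single outstanding nonce
        return self.pending
    def receive(self, frame: bytes) -> bool:
        # frame layout: nonce(16) || command || tag(32)
        if self.pending is None or len(frame) < 48:
            return False
        nonce, body, tag = frame[:16], frame[16:-32], frame[-32:]
        expected = hmac.new(self.key, nonce + body, hashlib.sha256).digest()
        # Nonce must be the outstanding one; tag compared in constant time.
        ok = nonce == self.pending and hmac.compare_digest(tag, expected)
        self.pending = None             # nonce is consumed either way
        if ok:
            self.log.append(body)
        return ok

def programmer_send(key: bytes, nonce: bytes, command: bytes) -> bytes:
    """Programmer side: bind the command to the device's nonce with an HMAC."""
    return nonce + command + hmac.new(key, nonce + command, hashlib.sha256).digest()

def demo():
    """Returns (weak accepts, weak accepts replay, strong accepts,
    strong rejects replay, strong rejects wrong-key spoof)."""
    key, cmd = os.urandom(32), b"REQUEST_TELEMETRY"   # constructed values
    weak, captured = UnauthenticatedICD(), b"ICD1" + cmd
    weak_first, weak_replay = weak.receive(captured), weak.receive(captured)
    strong = AuthenticatedICD(key)
    frame = programmer_send(key, strong.challenge(), cmd)
    strong_first = strong.receive(frame)
    strong.challenge()                          # new session, new nonce
    strong_replay = strong.receive(frame)       # old nonce: rejected
    spoof = programmer_send(b"wrong-key", strong.challenge(), cmd)
    return weak_first, weak_replay, strong_first, strong_replay, strong.receive(spoof)
```

Authentication alone does not hide telemetry from a passive listener; the encryption the researchers also call for would be layered on top of the same shared key.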
