DOCSLIB.ORG

Maze & Ryuk Ransomware Threat Assessment Report

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

WHITEPAPER MAZE & RYUK RANSOMWARE THREAT ASSESSMENT REPORT TRU THREAT RECONAISSANCE UNIT Where we are right now INTRODUCTION Ransomware first entered the scene as a serious and categorical threat in May 2017. Since then, the new category has been an incredible money-maker for threat actors and multiple variations have been iterating non stop ever since. Chief Information Security Officers (CISO’s) and security teams across the globe have focused their efforts on detecting and deterring these destructive attacks. One trend, however, appears to be certain: Ransomware is here to stay, and both the virulence and velocity of these attacks are on the rise. Two new strains of Ransomware appear particularly troubling. Security On-Demand’s Threat Reconnaissance Unit (TRU) has published this Threat Assessment Report in an effort to help educate our community on better identifying indicators and providing guidance on a strategy to counter-act this threat. Unlike typical ransomware, which contain many behavioral commonalities in terms of how it proliferates, the Ryuk and Maze Ransomware strains are changing the landscape and we believe it to be a cause for concern as a new chapter unfolds. Let us examine the Ryuk Ransomware first. Ryuk Proliferation At this point in the lifecycle of a traditional THE RYUK ransomware attack, the ransomware would generally execute and immediately start encrypting folders and files. Such rapid execution decreases the likelihood of detection and this RANSOMWARE encryption process may be as quick as 30 seconds or multiple minutes. Regardless, Ryuk Security researchers have attributed Ryuk to is most successful when the device’s antivirus or the Wizard Spider threat group operating out of endpoint protection services failed to identify and Russia and Eastern Europe, which was first quarantine the threat on the endpoint or target observed in October 2018. Prior to Ryuk, this system. group of hackers operated the “TrickBot” banking Trojan designed to steal credit card Ryuk’s biggest differentiator is its ability to install and banking information to commit wire fraud. and evade detection while making advances on The group’s transition from the “TrickBot” to the victimized machine as it attempts to ransomware confirms that cybercriminals are propagate itself across the network. In some evolving and adopting new tactics to collect attacks, similar to the NotPetya destructive even greater profits from cybercrime. malware attack in 2017, Ryuk spreads internally by exploiting the MS17-010 SMB vulnerability How Ryuk Works that was made famous in the WannaCry The Wizard Spider group first acquired a ransomware attack in the same year. In other commoditized ransomware called Hermes*, cases, Ryuk spreads by exploiting Network then modernized and updated the code to Shares, PSExec, or compromising devices or make it more unique. The Ryuk ransomware servers via stolen credentials. As additional was designed to specifically target enterprise insurance to ensure that the target cannot systems, ranging from national governments to recover, the Ryuk program looks specifically for healthcare companies and media giants. The data backups and attempts to encrypt those as initial attack is perpetrated in a variety of ways. well. Thus, Ryuk manages to negate typical Similar to most other ransomware attacks, it mitigation strategies that many companies has propagated via well-crafted spear-phishing employ by backing their systems up and then attacks, however, it has also been equally restoring in the event of such an attack. effective through traditional vulnerability exploitation and drive-by-download attacks The Wizard Spider hackers are known to be using “click-bait” ads and websites. Following a patient. The entire preparation phase may last successful initial stage execution, a first stage several months, allowing them to both steal vast malware is downloaded and installed, usually amounts of information and maximize the the Trickbot or Emotet Trojans. These Trojans damage to increase the likelihood of a paid do the introductory “investigative” work on the ransom. In some of the Ryuk Program’s most infected system by looking for and stealing recent advancements, the ransomware is credentials stored on the victim’s web reported to actually avoid encrypting Linux virtual browsers and cached credential areas, then it machines (VM) operating on Windows 10 downloads and installs the Ryuk ransomware. computers, because the encryption essentially destroys the VM, making a ransom impossible to obtain; and so the hackers lose their ability to provide a recovery mechanism. *Hermes has been used in ransomware attacks across the globe by a variety of threat groups and individuals. Most are non-targeted attacks carried out through bulk phishing email campaigns. The Ransom Part Once all the files are encrypted, a ransom note takes over the screen which is typical for all ransomware. The message informs the victim of what has occurred, and that they will be unsuccessful if they try to decrypt their devices with their existing tools, leaving them no option, but to pay the required bitcoin amount on the screen. Another significant way Ryuk differs from a typical ransomware is the exorbitant ransom requirement. For example, the WannaCry attack in 2017 that impacted over 200,000 devices in a 24-hour period resulted in the hackers only making about $150,000 USD in total. That is less than $1000 per compromised device. Conversely, during the onslaught of Ryuk attacks in August 2018, Ryuk reportedly made over $3M despite compromising far THE MAZE fewer devices and organizations. One Ryuk attack was against the City of New Bedford Massachusetts, in which the Wizard RANSOMWARE Spider hackers demanded bitcoin payment Though the Maze ransomware is not as valued at $5.3M dollars. The Mayor noted that common or prolific as Ryuk, Maze and the other ransomware attacks against hackers behind it are changing the game as municipalities usually asked for about an we know it by operating very differently than average of $300,000, so he attempted to typical ransomware. Like Ryuk, the Maze negotiate with the hackers offering to pay Ransomware was initially identified in late $300K instead of the $5.3M. The offer was 2018 and uses a variety of attack vectors to rejected, but fortunately for the city, their solid get into the victims' networks, most commonly network architecture meant that only 4% of phishing, vulnerability exploitation, or RDP their devices were impacted. The malware also exploitation. The exploitation mechanism of failed to encrypt data backups, so the Mayor the Remote Desktop Protocol (RDP) is fairly refused to pay the ransom and they restored unique to Maze. During the reconnaissance the systems with minimal disruption to phase, it specifically looks for devices that services. have TCP port 3389 open (a very common open port), then it crafts an attack to exploit it. While this was a win for the City of New With this tactic, Maze has been successful Bedford, most other targets are not as with many of their most prominent victims. fortunate. The current trend is that most organizations are actually paying the ransom Impact from Maze rather than risk the destructiveness and The most unique aspect of Maze—a game recovery involved with ignoring the demands. changer in the ransomware world—is the Most organizations that do not have a backup threat to “publicly shame” the victim if they or easily accessible copy of their data available have not contacted the exploiter or paid the feel they have no choice but to pay them. ransom. The Maze creators have introduced a website that openly shares samples of the information stolen from the victims and proceeds to publicize the compromise as an additional incentive to pay the ransom. The message on the web site reads as follows: “Represented here companies don't wish to cooperate with us, and trying to hide our successful attack on their resources. Wait for their databases and private papers here. Follow the news!”* The hackers also emphasize that the published information only acts as leverage for getting paid and that they don’t care about the actual data or have any intention of selling it, but they will send all of the stolen information to WikiLeaks should the victim not pay. Shaming the victim in public puts the victim in a challenging position psychologically and legally. First, the psychological game instills fear or anxiety causing the victim to be more inclined to pay the ransom rather than have more of their proprietary information leaked onto the internet— where competitors or other undesirable entities could access it. Second, it puts them in a difficult position regarding disclosure laws and requirements. Each state and country has various laws for breach disclosure and every company approaches it differently. The hackers normally disclose the breach for the victim before the victim really has much time to investigate, Incident Preparedness - We suggest that you remediate, and determine the true scope of the build protocols around Ransomware attack as breach. part of your IR plan. You should also incorporate a Ransomware attack in an upcoming table-top exercise. We recommend that you test your processes and war game (simulate) ransomware RECOMMENDATIONS attacks to test your recovery scenarios. These evolutions in ransomware tactics suggest several conclusions and recommendations. Improve your Threat Detection - Catching the attack in the early stages can prevent significant Protect Your Backups - Cybercriminals are financial impact and limit the potential damage. aware that you will likely not pay the ransom if Many SEIM solutions today do not have the you have a robust and ready backup capability. ability to detect advanced threats or correlate That’s why they will want to target your backup Ransomware indicators that can be detected system, disable it or encrypt your backups or easily. Ensure that your monitoring is 24x7 in other copies of data.
Recommended publications
  • Stuxnet Under the Microscope

    Stuxnet Under the Microscope

    Stuxnet Under the Microscope Revision 1.31 Aleksandr Matrosov, Senior Virus Researcher Eugene Rodionov, Rootkit Analyst David Harley, Senior Research Fellow Juraj Malcho, Head of Virus Laboratory 2 Contents 1 INTRODUCTION ................................................................................................................................. 5 1.1 TARGETED ATTACKS ............................................................................................................................. 5 1.2 STUXNET VERSUS AURORA ..................................................................................................................... 7 1.3 STUXNET REVEALED............................................................................................................................ 11 1.4 STATISTICS ON THE SPREAD OF THE STUXNET WORM ................................................................................ 15 2 MICROSOFT, MALWARE AND THE MEDIA ....................................................................................... 17 2.1 SCADA, SIEMENS AND STUXNET .......................................................................................................... 17 2.2 STUXNET TIMELINE............................................................................................................................. 19 3 DISTRIBUTION ................................................................................................................................. 24 3.1 THE LNK EXPLOIT .............................................................................................................................
  • Applying a Framework to Assess Deterrence of Gray Zone Aggression for More Information on This Publication, Visit

    Applying a Framework to Assess Deterrence of Gray Zone Aggression for More Information on This Publication, Visit

    C O R P O R A T I O N MICHAEL J. MAZARR, JOE CHERAVITCH, JEFFREY W. HORNUNG, STEPHANIE PEZARD What Deters and Why Applying a Framework to Assess Deterrence of Gray Zone Aggression For more information on this publication, visit www.rand.org/t/RR3142 Library of Congress Cataloging-in-Publication Data is available for this publication. ISBN: 978-1-9774-0397-1 Published by the RAND Corporation, Santa Monica, Calif. © 2021 RAND Corporation R® is a registered trademark. Cover: REUTERS/Kyodo Limited Print and Electronic Distribution Rights This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited. Permission is given to duplicate this document for personal use only, as long as it is unaltered and complete. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial use. For information on reprint and linking permissions, please visit www.rand.org/pubs/permissions. The RAND Corporation is a research organization that develops solutions to public policy challenges to help make communities throughout the world safer and more secure, healthier and more prosperous. RAND is nonprofit, nonpartisan, and committed to the public interest. RAND’s publications do not necessarily reflect the opinions of its research clients and sponsors. Support RAND Make a tax-deductible charitable contribution at www.rand.org/giving/contribute www.rand.org Preface This report documents research and analysis conducted as part of a project entitled What Deters and Why: North Korea and Russia, sponsored by the Office of the Deputy Chief of Staff, G-3/5/7, U.S.
  • Ransoming Government What State and Local Governments Can Do to Break Free from Ransomware Attacks About the Authors

    Ransoming Government What State and Local Governments Can Do to Break Free from Ransomware Attacks About the Authors

    A report from the Deloitte Center for Government Insights Ransoming government What state and local governments can do to break free from ransomware attacks About the authors Srini Subramanian | [email protected] Srini Subramanian is a principal in Deloitte & Touche LLP’s Cyber Risk Services practice and leads the Risk & Financial Advisory practice for the State, Local Government and Higher Education (SLHE) sector. He has more than 30 years of technology experience, and more than 20 years of cyber risk services experience in the areas of information security strategy, innovation, governance, identity, access management, and shared services. Subramanian is a member of the National Association of State CIOs (NASCIO) Security and Privacy subcommittee. He is an active participant in the National Governors Association (NGA) Policy Council for State Cybersecurity formed in February 2013. Subramanian is the coauthor of the biennial Deloitte—NASCIO Cybersecurity Study publication with NASCIO since 2010. The recent two publications include the 2016 Deloitte-NASCIO Cybersecurity Study—State governments at risk: Turning strategy and awareness into progress and the 2018 Deloitte-NASCIO Cybersecurity Study—State governments at risk: Bold plays for change. Pete Renneker | [email protected] Pete Renneker is a managing director in Deloitte & Touche LLP’s Cyber practice and serves as the Technical Resilience Offering leader. In this capacity, his focus is on the development and delivery of cross-industry services which help clients develop the ability to withstand disruptions to critical business technology. This work includes helping clients respond to cyberattacks, accelerate business recovery from these events, and transform cyber and resiliency programs in anticipation of emerging threats.
  • COVID-19 Critical Infrastructure Cyber Threat Brief

    COVID-19 Critical Infrastructure Cyber Threat Brief

    Digital Intelligence Securing the Future COVID-19 Critical Infrastructure Cyber Threat Brief CLIENT CONFIDENTIAL Cyjax Purpose This Cyber Threat Brief is intended to help mitigate the risk of cyberattacks against UK critical infrastructure during the coronavirus pandemic. We have defined critical infrastructure as: food supplies, medical supplies, transportation, security services, telecommunications, utilities and financial services. This report provides a broad overview of all relevant coronavirus-related digital threats, alongside more general vulnerabilities that attackers could exploit. We at Cyjax hope this will help organisations and their staff protect themselves from digital threats during this national crisis. If you require any further assistance or advice, please contact us. Overview of malicious cyber activity We have witnessed a significant uptick in cyberattacks exploiting fear of the coronavirus to compromise victims. Notably, however, there has not been a surge in the total number of attacks. Instead, existing cybercriminal operations have been rethemed with COVID-19 lures. Attackers have not gained more resources, but are instead repurposing their existing phishing, ransomware, and malware infrastructure to include COVID-19-themed keywords in a bid to infect more users. [1] All sectors are being targeted with COVID-19-themed attacks, including those operating in the critical infrastructure space. Attacks have ranged from generic “spray and pray” attacks to highly targeted advanced persistent threat (APT) operations. A broad array of nation-state actors have been involved from China, Russia, North Korea and Iran, among others. Sophisticated cybercriminals are also staging coronavirus-themed attacks. Most notably, organised ransomware gangs, who have continued to compromise, encrypt and leak data from a diverse group of organisations.
  • The Cyberpeace Institute Foreword 2 Acknowledgements 5

    The Cyberpeace Institute Foreword 2 Acknowledgements 5

    March 2021 The CyberPeace Institute Foreword 2 Acknowledgements 5 Part 1: Setting the Scene 7 Disclaimer Introduction 9 The opinions, findings, and conclusions and recommendations in Signposting – How to read the Report 11 this Report reflect the views and opinions of the CyberPeace Institute Key Findings 15 alone, based on independent and discrete analysis, and do not indicate Recommendations 19 endorsement by any other national, regional or international entity. Part 2: Understanding the Threat Landscape 27 The designations employed and the presentation of the material in this publication do not express any opinion whatsoever on the part of the Chapter 1 Background 29 CyberPeace Institute concerning the legal status of any country, territory, 1.1 A convergence of threats to healthcare 29 city or area of its authorities, or concerning the delimitation of its 1.2 Healthcare as a target of choice 30 frontiers or boundaries. 1.3 Cybersecurity in the healthcare sector 32 Copyright Notice Chapter 2 Victims, Targets and Impact 35 2.1 A diversity of victims – the people 36 The concepts and information contained in this document are the 2.2 A typology of targets – healthcare organizations 38 property of the CyberPeace Institute, an independent non-profit 2.3 A variety of impacts on victims and targets 41 foundation headquartered in Geneva, unless otherwise indicated within the document. This document may be reproduced, in whole or in part, Chapter 3 Attacks 51 provided that the CyberPeace Institute is referenced as author and 3.1 Disruptive attacks – ransomware’s evolving threat to healthcare 52 copyright holder. 3.2 Data breaches – from theft to cyberespionage 57 3.3 Disinformation operations – an erosion of trust 59 © 2021 CyberPeace Institute.
  • For More Information Support RAND

    For More Information Support RAND

    CHILDREN AND FAMILIES The RAND Corporation is a nonprofit institution that helps improve policy and EDUCATION AND THE ARTS decisionmaking through research and analysis. ENERGY AND ENVIRONMENT HEALTH AND HEALTH CARE This electronic document was made available from www.rand.org as a public service INFRASTRUCTURE AND of the RAND Corporation. TRANSPORTATION INTERNATIONAL AFFAIRS LAW AND BUSINESS Skip all front matter: Jump to Page 16 NATIONAL SECURITY POPULATION AND AGING PUBLIC SAFETY Support RAND SCIENCE AND TECHNOLOGY Browse Reports & Bookstore TERRORISM AND Make a charitable contribution HOMELAND SECURITY For More Information Visit RAND at www.rand.org Explore the RAND National Security Research Division View document details Limited Electronic Distribution Rights This document and trademark(s) contained herein are protected by law as indicated in a notice appearing later in this work. This electronic representation of RAND intellectual property is provided for non- commercial use only. Unauthorized posting of RAND electronic documents to a non-RAND website is prohibited. RAND electronic documents are protected under copyright law. Permission is required from RAND to reproduce, or reuse in another form, any of our research documents for commercial use. For information on reprint and linking permissions, please see RAND Permissions. This report is part of the RAND Corporation research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity. C O R P O R A T I O N Markets for Cybercrime Tools and Stolen Data Hackers’ Bazaar Lillian Ablon, Martin C.
  • Society's Genome.Indb

    Society's Genome.Indb

    Society’s Genome Genetic Diversity’s Role in Digital Preservation By Nathan Thompson with Bob Cone and John Kranz Copyright © 2016 by Spectra Logic Corporation All rights reserved. No part of this book may be reproduced in any form or by any electronic or mechanical means, including storage and retrieval systems—except in the case of brief quotations embodied in critical articles or reviews—without permission in writing from Spectra Logic Corporation. All product names, logos, and brands mentioned in this book are the property of their respective owners. Neither the authors nor publisher claim any right of ownership to such names, logos, and brands. Cover design by Kristen Coats Back cover image: Detail of “Ptolemy World Map,” from Ptolemy’s the Geography, redrawn by Francesco di Antonio del Chierco (15th century). Housed in the British Library, London. Image retrieved from https:// commons.wikimedia.org/wiki/File:PtolemyWorldMap.jpg. Published by Spectra Logic Corporation 6285 Lookout Road Boulder, Colorado 80301-3580 Tel.: 1.800.833.1132 Fax: 1.303.939.8844 www.spectralogic.com ISBN: 978-0-9975644-0-2 Second Printing Printed and bound in the United States of America 10 9 8 7 6 5 4 3 2 1 This book is printed on acid-free paper. “We are survival machines—robot vehicles blindly programmed to preserve the selfish molecules known as genes. This is a truth that still fills me with astonishment.” —Richard Dawkins, The Selfish Gene Chapter 6 Wolves at the Door Just a few years after the 9/11 attacks, the digital world began showing signs of sudden, profound change.
  • S:\FULLCO~1\HEARIN~1\Committee Print 2018\Henry\Jan. 9 Report

    S:\FULLCO~1\HEARIN~1\Committee Print 2018\Henry\Jan. 9 Report

    Embargoed for Media Publication / Coverage until 6:00AM EST Wednesday, January 10. 1 115TH CONGRESS " ! S. PRT. 2d Session COMMITTEE PRINT 115–21 PUTIN’S ASYMMETRIC ASSAULT ON DEMOCRACY IN RUSSIA AND EUROPE: IMPLICATIONS FOR U.S. NATIONAL SECURITY A MINORITY STAFF REPORT PREPARED FOR THE USE OF THE COMMITTEE ON FOREIGN RELATIONS UNITED STATES SENATE ONE HUNDRED FIFTEENTH CONGRESS SECOND SESSION JANUARY 10, 2018 Printed for the use of the Committee on Foreign Relations Available via World Wide Web: http://www.gpoaccess.gov/congress/index.html U.S. GOVERNMENT PUBLISHING OFFICE 28–110 PDF WASHINGTON : 2018 For sale by the Superintendent of Documents, U.S. Government Publishing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512–1800; DC area (202) 512–1800 Fax: (202) 512–2104 Mail: Stop IDCC, Washington, DC 20402–0001 VerDate Mar 15 2010 04:06 Jan 09, 2018 Jkt 000000 PO 00000 Frm 00001 Fmt 5012 Sfmt 5012 S:\FULL COMMITTEE\HEARING FILES\COMMITTEE PRINT 2018\HENRY\JAN. 9 REPORT FOREI-42327 with DISTILLER seneagle Embargoed for Media Publication / Coverage until 6:00AM EST Wednesday, January 10. COMMITTEE ON FOREIGN RELATIONS BOB CORKER, Tennessee, Chairman JAMES E. RISCH, Idaho BENJAMIN L. CARDIN, Maryland MARCO RUBIO, Florida ROBERT MENENDEZ, New Jersey RON JOHNSON, Wisconsin JEANNE SHAHEEN, New Hampshire JEFF FLAKE, Arizona CHRISTOPHER A. COONS, Delaware CORY GARDNER, Colorado TOM UDALL, New Mexico TODD YOUNG, Indiana CHRISTOPHER MURPHY, Connecticut JOHN BARRASSO, Wyoming TIM KAINE, Virginia JOHNNY ISAKSON, Georgia EDWARD J. MARKEY, Massachusetts ROB PORTMAN, Ohio JEFF MERKLEY, Oregon RAND PAUL, Kentucky CORY A. BOOKER, New Jersey TODD WOMACK, Staff Director JESSICA LEWIS, Democratic Staff Director JOHN DUTTON, Chief Clerk (II) VerDate Mar 15 2010 04:06 Jan 09, 2018 Jkt 000000 PO 00000 Frm 00002 Fmt 5904 Sfmt 5904 S:\FULL COMMITTEE\HEARING FILES\COMMITTEE PRINT 2018\HENRY\JAN.
  • ESET THREAT REPORT Q3 2020 | 2 ESET Researchers Reveal That Bugs Similar to Krøøk Affect More Chip Brands Than Previously Thought

    ESET THREAT REPORT Q3 2020 | 2 ESET Researchers Reveal That Bugs Similar to Krøøk Affect More Chip Brands Than Previously Thought

    THREAT REPORT Q3 2020 WeLiveSecurity.com @ESETresearch ESET GitHub Contents Foreword Welcome to the Q3 2020 issue of the ESET Threat Report! 3 FEATURED STORY As the world braces for a pandemic-ridden winter, COVID-19 appears to be losing steam at least in the cybercrime arena. With coronavirus-related lures played out, crooks seem to 5 NEWS FROM THE LAB have gone “back to basics” in Q3 2020. An area where the effects of the pandemic persist, however, is remote work with its many security challenges. 9 APT GROUP ACTIVITY This is especially true for attacks targeting Remote Desktop Protocol (RDP), which grew throughout all H1. In Q3, RDP attack attempts climbed by a further 37% in terms of unique 13 STATISTICS & TRENDS clients targeted — likely a result of the growing number of poorly secured systems connected to the internet during the pandemic, and possibly other criminals taking inspiration from 14 Top 10 malware detections ransomware gangs in targeting RDP. 15 Downloaders The ransomware scene, closely tracked by ESET specialists, saw a first this quarter — an attack investigated as a homicide after the death of a patient at a ransomware-struck 17 Banking malware hospital. Another surprising twist was the revival of cryptominers, which had been declining for seven consecutive quarters. There was a lot more happening in Q3: Emotet returning 18 Ransomware to the scene, Android banking malware surging, new waves of emails impersonating major delivery and logistics companies…. 20 Cryptominers This quarter’s research findings were equally as rich, with ESET researchers: uncovering 21 Spyware & backdoors more Wi-Fi chips vulnerable to KrØØk-like bugs, exposing Mac malware bundled with a cryptocurrency trading application, discovering CDRThief targeting Linux VoIP softswitches, 22 Exploits and delving into KryptoCibule, a triple threat in regard to cryptocurrencies.
  • Understanding the Mirai Botnet

    Understanding the Mirai Botnet

    Understanding the Mirai Botnet Manos Antonakakis Tim April‡ Michael Bailey† Matthew Bernhard/ Elie Bursztein◦ Jaime Cochran. Zakir Durumeric/ J. Alex Halderman/ Luca Invernizzi◦ Michalis Kallitsis§ Deepak Kumar† Chaz Lever Zane Ma†∗ Joshua Mason† Damian Menscher◦ Chad Seaman‡ Nick Sullivan. Kurt Thomas◦ Yi Zhou† ‡Akamai Technologies .Cloudflare Georgia Institute of Technology ◦Google §Merit Network †University of Illinois Urbana-Champaign /University of Michigan Abstract of factors—efficient spreading based on Internet-wide The Mirai botnet, composed primarily of embedded scanning, rampant use of insecure default passwords in and IoT devices, took the Internet by storm in late 2016 IoT products, and the insight that keeping the botnet’s when it overwhelmed several high-profile targets with behavior simple would allow it to infect many hetero- massive distributed denial-of-service (DDoS) attacks. In geneous devices—all played a role. Indeed, Mirai has this paper, we provide a seven-month retrospective anal- spawned many variants that follow the same infection ysis of Mirai’s growth to a peak of 600k infections and strategy, leading to speculation that “IoT botnets are the a history of its DDoS victims. By combining a variety new normal of DDoS attacks” [64]. of measurement perspectives, we analyze how the bot- In this paper, we investigate the precipitous rise of Mi- net emerged, what classes of devices were affected, and rai and the fragile IoT ecosystem it has subverted. We how Mirai variants evolved and competed for vulnerable present longitudinal measurements of the botnet’s growth, hosts. Our measurements serve as a lens into the fragile composition, evolution, and DDoS activities from Au- ecosystem of IoT devices.
  • The Democratization of Censorship — Krebs on Security

    The Democratization of Censorship — Krebs on Security

    The Democratization of Censorship — Krebs on Security https://krebsonsecurity.com/2016/09/the-democratization-of-cens... Krebs on Security In-depth security news and investigation About the Author Blog Advertising 25 Sep 16 The Democratization of Censorship John Gilmore, an American entrepreneur and civil libertarian, once famously quipped that “the Internet interprets censorship as damage and routes around it.” This notion undoubtedly rings true for those who see national governments as the principal threats to free speech. However, events of the past week have convinced me that one of the fastest-growing censorship threats on the Internet today comes not from nation- states, but from super-empowered individuals who have been quietly building extremely potent cyber weapons with transnational reach. More than 20 years after Gilmore first coined that turn of phrase, his most notable quotable has effectively been inverted — “Censorship can in fact route around the Internet.” The Internet can’t route around censorship when the censorship is all-pervasive and armed with, for all practical purposes, near-infinite reach and capacity. I call this rather unwelcome and hostile development the “The Democratization of Censorship.” Allow me to explain how I arrived at this unsettling conclusion. As many of you know, my site was taken offline for the better part of this week. The outage came in the wake of a historically large distributed denial-of-service (DDoS) attack which hurled so much junk traffic at Krebsonsecurity.com that my DDoS protection provider Akamai chose to unmoor my site from its protective harbor. Let me be clear: I do not fault Akamai for their decision.
  • North Korean Cyber Activity 03/25/2021

    North Korean Cyber Activity 03/25/2021

    North Korean Cyber Activity 03/25/2021 TLP: WHITE, ID# 202103251030 Agenda • DPRK National Interests • Timeline of Recent Activity • Overview of DPRK APT Groups • APT Threat Actor Profiles o HIDDEN COBRA o Andariel o APT37 o APT38 o TEMP.Hermit o TEMP.Firework o Kimsuky o Bureau 121 Bureau 325 o Slides Key: • Recommendations Non-Technical: Managerial, strategic and high- • Outlook level (general audience) Technical: Tactical / IOCs; requiring in-depth knowledge (sysadmins, IRT) 2 DPRK National Interests • North Korea, officially the Democratic People’s Republic of Korea (DPRK) • Supreme leader: Kim Jong-un (since 2011) • Primary strategic goal: perpetual Kim family rule via development of economy and nuclear weapons • Primary drivers of security strategy: o Deterring foreign intervention by obtaining nuclear capabilities o Eliminating perceived threats to Kim regime o Belief that North Korea is entitled to respect as a world power • “Cyberwarfare is an all-purpose sword that guarantees the North Korean People’s Armed Forces ruthless striking capability, along with nuclear weapons and missiles.” – Kim Jong-un (2013) • Reportedly has 7,000 cyber warriors • 300% increase in the volume of activity to and from North Korean networks since 2017 3 Timeline of Recent Activity Jan 2020 Feb 2021 Two distinct Aug 2020 Nov 2020 South Korean Feb 2021 clusters of USG exposed North Korean Intelligence North Korean DPRK cyber DPRK hackers claims DPRK Lazarus activity begin malware used targeted a targeted Group targeting in fake job major COVID- COVID-19