The post Meris Botnet Hits Russian Search Engine Yandex Again with 21.8 Mn RPS appeared first on CISO MAG | Cyber Security Magazine.
RuNet is the Russian internet infrastructure created to provide internet services in the territory of Russia. Also known as the Russian-language Internet, RuNet provides a unified country-wide Internet and communications and shields the country from foreign adversaries.
“Yandex did indeed undergo a DDoS attack, which was repelled by our network infrastructure and system for filtering unwanted requests. The attack did not affect the operation of the services, user data was not affected,” Yandex said in a media statement.
In a DDoS attack, cybercriminals make a targeted network or service unavailable to its users by flooding it with unwanted incoming traffic from different sources. Joint research from Yandex and Qrator Labs revealed that the DDoS attack power was more than 20 million requests per second (RPS), affecting over 30,000 host devices. Yandex observed that the attack on its servers relied on 56,000 attacking hosts, which might have compromised over 250,000 devices.
“We suppose the number to be higher – probably more than 200,000 devices, due to the rotation and absence of will to show the ‘full force’ attacking at once. Moreover, all those being competent devices, not your typical IoT blinker connected to Wi-Fi – here we speak of a botnet consisting of, with the highest probability, devices connected through the Ethernet connection – network devices, primarily,” the research stated.
The DDoS mitigation services provider Cloudflare also mentioned that the attack reached over 17 million requests per second.
Meris botnet-based DDoS attacks have primarily been reported in New Zealand, the U.S., and Russia.
This is not the first time Yandex has suffered an attack from the Meris botnet. Earlier attacks from the same botnet against Yandex were reported on:
From small businesses to the largest enterprises, organizations in all kinds of industries encounter DDoS attacks once in a while, and these attacks are growing at a rapid pace. The Meris botnet could grow in force to cause even more severe disruptions via various kinds of attacks exploiting the vulnerabilities in the system.
Alexander Lyamin, CEO of Qrator Labs, said, “The victims of these attacks are different, but the perpetrator, apparently, is the same, and he operates a botnet that has recently appeared in the industry. Some industry players have already announced that the Mirai botnet, which made a splash five years ago and was built on the basis of video cameras, has returned. Having devoted the last few weeks to studying the new botnet, we can say that a completely new botnet has appeared and it is built on the network equipment of a very popular vendor from the Baltic States. It spreads through a vulnerability in firmware and already numbers up to hundreds of thousands of infected devices.”
The post New Zealand Banks and Postal Service Under DDoS Attack appeared first on CISO MAG | Cyber Security Magazine.
CERT NZ is aware of a DDoS attack targeting a number of New Zealand organisations. We are monitoring the situation and are working with affected parties where we can.
— CERT NZ (@CERTNZ) September 7, 2021
New Zealand’s Computer Emergency Response Team (CERT) stated that it identified a Distributed Denial of Service (DDoS) attack that temporarily affected the operations of several organizations in the country. In DDoS attacks, threat actors make a targeted system or service unavailable to its users by flooding their systems with unwanted incoming traffic from different sources.
While the criminals behind the attack are unknown, the agency stated that it is investigating the incident and working with affected parties to explore more details.
The DDoS attack has affected multiple organizations in New Zealand, including Australia and New Zealand Banking Group (ANZ), New Zealand Post (NZ Post), and Kiwibank.
ANZ has apologized to its customers for the service outage. “We are experiencing an outage with our Internet Banking and goMoney app at the moment, we’re really sorry for any inconvenience that this may cause! Our tech teams are working hard to get things fixed asap,” ANZ said.
Kia ora everyone
We’re experiencing an outage with our Internet Banking and goMoney app at the moment, we’re really sorry for any inconvenience that this may cause!
Our tech teams are working hard to get things fixed asap!
— ANZ New Zealand (@ANZ_NZ) September 7, 2021
Several other victim organizations took to social media to apologize to their customers and provide updates on the security incident.
We are currently experiencing intermittent disruptions with our website and our team are working hard to fix it as quickly as possible. We are otherwise operating normally, but our Customer Care team are experiencing high volumes so please only contact us if it is urgent. pic.twitter.com/UiJOFMmuZ1
— NZ Post (@nzpost) September 8, 2021
“Apologies for the inconvenience while we work to fix intermittent access to our App, Internet Banking, Phone Banking, and Website,” Kiwibank said in a post.
Apologies for the inconvenience while we work to fix intermittent access to our App, Internet Banking, Phone Banking, and Website. Our Contact Centre is experiencing high call volumes. Please consider this if calling. Thanks again for your patience while we work through this.
— Kiwibank (@KiwibankNZ) September 7, 2021
This is not the first time organizations in New Zealand have sustained a DDoS attack. Recently, New Zealand stock exchange NZX Ltd. went offline for three consecutive days after a DDoS attack impacted its network connectivity systems, including NZX websites and the markets announcement platform.
The post Threat Actors Turning to RDDoS Attacks as a New Ransom Vector appeared first on CISO MAG | Cyber Security Magazine.
A ransom DDoS (RDDoS) attack is an extortion scheme in which malicious actors demand a ransom from organizations or individuals by threatening them with a DDoS attack. In an RDDoS attack, cybercriminals either launch a DDoS attack and then demand a ransom to stop it, or demand the ransom first and threaten a DDoS attack if it is not paid.
NISC highlighted that several cybercriminal groups are leveraging RDDoS attack techniques to target various industries, including financial services, telecommunications, and government agencies. The research revealed that only 24% of organizations said they know how to respond to RDDoS attacks. Over 56% of organizations stated they outsource their DDoS mitigation to third parties. The research findings indicate that threat actors are using RDDoS as an effective ransom extortion technique.
“Rather than spending a lot of time and careful planning on infecting an organization’s network with malware or ransomware, cybercriminals are taking an easier approach and using DDoS as a ransom vector. For bad actors, launching a DDoS attack is relatively simple and has the added benefit of being harder to trace back to its origin,” said Rodney Joffe, Chairman of NISC, SVP and Fellow.
“It’s common for organizations to feel pressure to pay to get their website back up and running and avoid disruption. However, with attackers targeting the same company multiple times, paying the ransom only makes it more likely that you will fall victim again. Instead, businesses must take an ‘always on’ approach to DDoS security, ensuring that their site remains protected even in the event of an attack.”
The post Belgium’s National Security Council Approves Cybersecurity Strategy 2.0 appeared first on CISO MAG | Cyber Security Magazine.
Belgium’s various industrial sectors and even SMEs are taking huge strides towards adopting cutting-edge technology. The country’s cyberspace is continuously evolving, and the challenges that come with it have evolved too. However, the country has always paid attention to this and invested in securing its cyber front. Cybersecurity is one of the main pillars of its National Plan for Recovery and Resilience, which the government submitted to the European Commission at the end of April.
Cyberthreats are dynamic and require evolving countermeasures. Thus, to take its cyber defenses a notch higher, Belgium’s National Security Council has approved adding and adopting a new and more refined cybersecurity strategy based on six specific objectives:
Miguel De Bruycker, Director of the Center for Cybersecurity Belgium (CCB), who will be responsible for the implementation of this new strategy, said,
The outlined cybersecurity strategy 2.0 aims to make Belgium one of the least vulnerable countries in Europe in terms of cybersecurity by 2025.
The CCB will work closely with various government services for which cybersecurity is of central importance. A brief overview of Belgium’s cybersecurity governance can be seen in the image below.

Alexander De Croo, the Prime Minister of Belgium, said, “Cybersecurity is not only a priority for Belgium, but also represents a huge opportunity for our companies and SMEs, which have a lot of expertise in this field. We will continue to invest in the protection of our citizens and our systems against cybercriminals and at the same time, we will do everything in our power to develop an ecosystem that promotes innovation in cybersecurity in Belgium.”
The post DDoS Attack on Belnet Takes Down Belgian Government Websites appeared first on CISO MAG | Cyber Security Magazine.
According to Belnet’s security update, the first wave of attacks hit the ISP around 11 a.m. The security teams immediately sprang into action “to mitigate the attack and to build alternate paths for the traffic” to normalize the situation. Additionally, they contacted the Center for Cybersecurity Belgium (CCB) to pool resources and contain the attack quickly. However, its ripple effects were soon felt elsewhere, as nearly 200 organizations, including universities, public administrations, and research institutes, reported “complete or partial cut off from the Internet.”
One such incident was reported in the parliament of the Wallonia-Brussels Federation. It was forced to suspend its committee meeting on “the situation of Uyghurs in China,” as the parliamentarians working remotely via Cisco Webex were unable to continue their debate because of the internet outage. Similarly, the online reservation systems for COVID-19 vaccinations in Belgium also went down, temporarily halting the vaccination program.
Around 4:30 p.m., Belnet gave another update saying, “The attack is still in progress and takes place in successive waves.” But exactly two hours later, Belnet’s security team was finally able to contain it and saw the effect of the attack “diminishing.”
Dirk Haex, Technical Director at Belnet, said,
We are fully aware of the impact on the organizations connected to our network and their users and we are aware that this has profoundly disrupted their functioning. Belnet continually invests in cybersecurity. However, yesterday’s DDoS attack was of such a scale that our entire network was saturated. The fact that the perpetrators of the attack constantly changed tactics made it even more difficult to neutralize it.
Belnet stated that the attack did not appear to be a data breach or a data theft attempt. No networks were infiltrated during the attack, and it was probably initiated with the sole intent of “saturating” Belnet’s network.
The investigation is still ongoing and the culprit behind the targeted DDoS attack on Belnet is yet to be identified. However, MP Wouter De Vriendt suggested that China may well be behind the attack.
The post Russian Networks Accused of Carrying Out Massive Cyberattack on Ukraine appeared first on CISO MAG | Cyber Security Magazine.
Moscow has always denied Ukraine’s previous claims of targeted cyberattacks, but Ukraine maintains that Russia is using “hybrid war” tactics against the country. The recent wave of attacks, which was triggered on February 18, 2021, was specifically targeted towards Ukraine’s security services, other governmental offices, the Defence Council, and many other enterprises of a strategic nature.
The Council stated that distributed denial-of-service (DDoS) attacks were used to intrude and infect vulnerable backend servers of their targets with a virus. A formal statement from the Council said, “It was revealed that addresses belonging to certain Russian traffic networks were the source of these coordinated attacks.” The Council, however, did not mention the success, impact, or the exact names of the attackers who attempted intrusion.
Call it a connection or a mere coincidence, but Ukraine’s largest commercial bank – PrivatBank – suffered a data breach earlier in the month that affected nearly 40 million of its customers. The breach was discovered when an unknown cybercriminal was selling the PrivatBank’s hacked database on an underground forum for a mere $3,400 worth of Bitcoins. If confirmed, the data breach can go down as one of the worst in Ukraine’s history as it affects nearly 93% of the country’s population which is just over 44 million.
The post BOTS Inc. Enters Global Partnership with Cyber Security Group LLC appeared first on CISO MAG | Cyber Security Magazine.
Attacks on web applications are becoming common these days. As more businesses shift their services online, web applications will increasingly become an easier target for threat actors. Additionally, web attacks are a huge threat to data security and compliance standards. They can lead to a wide range of devastating consequences from service disruptions and shutdowns to information theft and data manipulation.
Thus, to save the business from a cyber failure, an advanced web application firewall is needed. The collaboration of the two giants is offering a new WAF that will help protect the critical workload of businesses with a unique defense-in-depth approach. It provides real-time protection against both bots-based (DDoS) and application, API, user, or infrastructure threats.
“The WAF from BOTS/CSG is a comprehensive, layered protection stack that proactively prevents bot-based volumetric attacks, as well as threats that target the application layer, such as SQL, XSS, CSRF, session hijacking, data exfiltration and zero-day vulnerabilities.”
Paul Rosenberg, CEO of BOTS Inc., stated, “Even though DDoS attacks are still the most known threat, application-level threats have become just as destructive, as they are the hardest to detect and almost impossible to prevent before they damage any mission-critical applications. We analyzed these trends and in collaboration with the CSG have developed a new WAF. It will combine the availability and load monitoring with the detection and prevention of web application attacks using signatures and heuristics analysis. This ensures continuous protection of applications, users, infrastructures, and security compliance.”
The post Cyber Resilience is a Fork in the Road for Remote Workforce appeared first on CISO MAG | Cyber Security Magazine.
By David Hillman, Senior Security Consultant, Securicon
According to Gartner’s March 2020 pandemic preparedness study, many organizations and their leaders are unsure whether their risk mitigation strategy is sufficient. One area of particular concern is operational resilience. Many security leaders are getting even less sleep because they are thinking of the potential fallout if a critical piece of network or VPN technology fails and their people are cut off from the resources they require to do their jobs remotely. Not being able to access the systems which keep an eye on security could spell disaster.
In a recent survey conducted by industry group YL Ventures, VPNs and DDoS mitigation have come up as issues that CISOs are very concerned about. This is a justifiable concern because the shift to work from home (or anywhere) has now placed many enterprises in the unenviable position of being service providers to their own workforce. DDoS vulnerabilities that would have impacted business continuity are now being proactively looked at. Non-critical network activities are now being cut off. The business continuity concern is so great that organizations such as the Department of Defense (DoD) have had to block YouTube and other social media activities from their networks. COVID-19 is now amusingly being referred to as the greatest change agent in the history of the internet. It is the straw that breaks the camel’s back for those that are unprepared. Change is hard, but inaction can be deadly, both from a network resiliency and a health standpoint. So, what should organizations focus their energies and investments on?
How about a better response system based on a combination of best practices and training? Until a few years ago, only backups and disaster recovery were considered as integral parts of the response system that would help the business maintain or recover normal business operations. COVID-19 has added an extra dimension to this problem. However, this should come as no surprise because according to the Center for Financial Professionals (CeFPro), the operational risk landscape has changed tremendously over the last ten years.
Smart organizations that are reporting no significant impact during the coronavirus pandemic have already shifted to more holistic risk management practices and are paying closer attention to emerging trends. Collaboration is in and silos are out. Infrastructure groups are now encouraged to learn from software development groups. Integrative problem solving is the new norm. Terms like automation and DevOps are being whispered in boardrooms. Even regulatory bodies are placing more focus on enhanced standards for operational resilience through better network intelligence, problem identification, and mitigation.
Some organizational leaders have expressed concern there is not enough guidance from the regulatory bodies on how to deal with resiliency from an operations perspective. In that case, an approach that could work is to create an action plan which consists of taking high-level best practices from something like the NIST Cyber Security Framework and combining them with vendor-provided recommendations to create a hybrid organizational framework for dealing with the problem of operational resiliency. Vendors such as Cisco have published their Service Provider Infrastructure Security whitepaper. Utilizing a six-phase approach to service provider security, the whitepaper talks about a framework for deploying edge security systems in a resilient way. These six phases are:
Designed specifically to counter DDoS attacks in service provider type networks, the framework provides a “good overall approach to securing service provider environments.” Despite being geared towards Cisco edge equipment, these recommendations can be adapted to vendors such as Palo Alto Networks and Juniper Networks. Some surveys suggest that organizations are only utilizing 20% of the total capabilities of their network equipment when it comes to guarding against DDoS attacks. Most of this is due to the lack of training and unfamiliarity with these features. That must change if critical networks are to become more resilient.
When the features are already available, even a modest increase in spending on training and awareness can result in huge gains – sometimes up to 30% – in operational resiliency.
Going from zero to operational resiliency hero does not have to involve ripping out what is already in place to replace it with something bigger. It just takes security leaders to ask the right questions, such as:
Nine out of ten times, security leaders will find these advanced features have not been enabled because their operations people either are not aware of them or have not been properly trained on how to make use of those features. The same 2020 Gartner study mentioned that security leaders are putting training on the back burner to focus on network availability and VPN connectivity instead. This will not work in the new era of holistic, integrative network security and cyber resiliency – continuous training and skills development must be part of the prescription.
About the Author
David Hillman, who is currently working as a Senior Security Consultant with Securicon, has more than five years of experience in designing, testing, and deploying network security solutions. Mr. Hillman has led and/or participated in the development of security architecture and policy framework solutions for many complex projects. That includes experience in implementing information technology (IT) solutions to ensure compliance with audit requirements, deployment of Supervisory Control and Data Acquisition (SCADA) firewalls for segmentation, and he has also built, tested, and installed large-scale packet capture solutions.
Disclaimer
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and our publication does not assume any responsibility or liability for the same.
The post 570% Increase in Bit-and-Piece DDoS Attacks: Research appeared first on CISO MAG | Cyber Security Magazine.
According to the report, attackers leveraged “bit-and-piece attacks to launch various amplification and elaborate UDP-based attacks to flood target networks with traffic.”
The analysts from Nexusguard also stated that, unlike commonly seen attacks, the new ones were much smaller: more than 51% of bit-and-piece attacks were smaller than 30 Mbps. As a result, communications service providers (CSPs) were forced to subject entire networks of traffic to risk mitigation. That is too much for CSPs to handle; it makes typical threshold-based detection difficult, and makes it harder still to pinpoint the specific attacks and apply the correct mitigation.
One of the best methods for CSPs to handle these fiascos is to switch to deep learning-based predictive models to quickly identify malicious patterns and mitigate them at the earliest.
“Increases in remote work and study mean that uninterrupted online service is more critical than ever,” said Juniman Kasman, Chief Technology Officer for Nexusguard. “Cyberattackers have rewritten their battlefield playbooks and craftily optimized their resources so that they can sustain longer, more persistent attacks. Companies must look to deep learning in their approaches if they hope to match the sophistication and complexity needed to effectively stop these advanced threats.”
Earlier, hackers used bit-and-piece attacks with only a single attack vector, which made the attacks dependent on that vector and easier to mitigate. Lately, hackers are blending multiple attack vectors to launch a wider range of UDP-based attacks, making them harder for CSPs to detect. In scenarios like these, CSPs also find it difficult to differentiate between malicious traffic and legitimate traffic.
The post Multiple Banks and Telecoms in Hungary Affected in a DDoS Attack appeared first on CISO MAG | Cyber Security Magazine.
Describing the incident as one of the biggest attacks in Hungary, Magyar Telekom stated that the frequency of data traffic in the current attack was 10 times higher than the amount normally seen in DDoS attacks.
“Russian, Chinese and Vietnamese hackers tried to launch a DDoS attack against Hungarian financial institutions, but they tried to overwhelm the networks of Magyar Telekom as well,” Magyar Telekom said.
DDoS attacks on financial institutions have been on the rise. Recently, Australian banking and financial institutions received extortion emails threatening them with possible DDoS attacks. The extortioners demanded a ransom to be paid in the form of Monero (XMR) cryptocurrency. The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) is aware of this extortion campaign and issued threat advice to all Australian organizations. The Silence Hacking Crew claimed responsibility for this threat campaign; however, ACSC was not able to confirm these claims until going to print.
Many industry experts stressed that DDoS attacks have evolved into weaponized instruments used to disseminate ransomware, as well as launch disruptive attacks against their targets. Attack vectors targeted for weaponization include mobile devices, documents, and browsers, with the current favorite being IoT devices. The researchers from Sophos discovered a weaponized document serving the dual purpose of delivering ransomware to the system, as well as exploiting it for potential DDoS attacks. The weaponized document was sent in a spear phishing email; upon opening, it launched Microsoft Word and initiated embedded macros, which enabled elevated privileges for the malicious document to execute an encoded VBScript.