Two top cybersecurity experts with Juniper Networks offers insight into reports (Reuters link) that global news distribution service BusinessWire (owned by Warren Buffett’s Berkshire Hathaway Inc.) was hit with a sustained distributed denial of service (DDoS) cyber-attack, and the new tools that make such attacks easier to launch.
Nick Bilogorskiy, Cybersecurity Strategist at Juniper Networks:
“Cryptocoins like Bitcoin and Monero are the top motivation for cyber attacks. Many cybercriminals choose to deploy “ransom DDoS” or “RDoS” attacks to obtain cryptocoins, extorting companies for money under the threat of a DDoS attack. We saw several hacking groups use this approach in 2017, including Lizard Squad, Phantom Squad, Fancy Bear, and XMR Squad.
“Since the introduction of AutoSploit, a mass exploitation tool that was released on Jan 30, it’s been easier than ever for hackers to recruit new devices to their own botnet that could be used to perform DDoS attacks.
“Botnets are getting larger and more powerful. In fact, the Pentagon recently reported DDoS attacks as large as 600 Gbps on their internet access points, and they anticipate the size of DDoS attacks to grow, warning of what they call the “terabyte of death.”
“DDoS attackers recently started to shift their focus from the network and transport layers to the application layer, where DDoS protection is harder to maintain. They most often target DNS, HTTP and HTTPS. The 2017 Global DDoS Threat Landscape Report showed application layer DDoS attacks are rising 23 percent per quarter.
“Organizations under a targeted DDoS attack such as the one on BusinessWire are advised to not pay the ransom, report the attack to authorities and use DDoS mitigation solutions. It is also good practice to use large hardened cloud hosting providers and use multiple site mirrors, distributed across multiple service providers in multiple geographies. Firewall filtering policies can also be used against some DDoS attacks.”
Laurence Pitt, Director of Security Strategy at Juniper Networks:
On the night of Sunday 4th February 2018, the hacker group AnonPlus took responsibility for breaking into servers owned by the Democratic Party of Firenza in Italy. The result of this breach appears to have been the online publication of a list containing names, addresses, telephone numbers and other personally identifiable information related to 2,653 party members. The data is not new, it is dated from 2015, but for anyone who has not moved or changed telephone numbers in the last three years, it is effectively current.
From external analysis it is being reported that the attack was potentially carried out using an SQL injection attack – a common method where malicious code is injected into an online form that allows the hackers to gain access and modify, extract or prevent access to stored data. However, with this attack, there are a few areas that point toward a likely lack of best-practice allowing the breach to succeed – and no discovery of a zero-day attack.
When the attack occurred, the IT team was able to see that the servers were under attack and block them, but by this time the hackers had already accessed and retrieved the PDF file with the membership data. For the Democratic Party of Florence, it is too late for preventative measures – its data has been published and the damage is done – but hopefully we can all learn from what has happened.
- A number of servers were attacked, but only the server with 2015 data – an older file – was breached. This could indicate that the vulnerability that allowed the attack was not present on all of their servers, so a patch could have fixed this. Just because data is old, or even redundant, this does not mean it loses value. Servers with accessible data must be patched and managed to the same level as servers with current data. Patching is still one of the most critical security activities organizations must undertake regularly.
- Why was the stolen PDF file not encrypted? When protecting data, we have to assume that it might be stolen at some point and consider the damage that this would cause. If the file had been fully encrypted, then the data would have been useless to the hackers.
The bottom line to help protect your organization from a similar situation is this: Make sure that you have an effective patching program in place, with regular maintenance windows for software updates and security testing of those updates, and all data needs to be encrypted so that if stolen it is useless.
Under GDPR, this breach would need to be notified to the Italian Data Protection Authority within 72 hours of awareness, resulting in a possible fine; at the very least, anyone affected will have to be notified. If the data had been encrypted and non-accessible, then although the breach would still have to be reported, the negative impact would likely be lessened.