In the days leading up to #OpUSA, security professionals were busy making preparations for the supposed flood of new attacks coming on 7 May 2013. As we mentioned on 1 May 2013, publicly announced attacks of this nature can have highly volatile credibility. In some cases, the announcements exist only for the purpose of gaining notoriety. In other cases, they are enhanced by increased publicity. By 4 May 2013, speculation arose that #OpUSA was a trap; this likely caused some potential participants to rethink their plans to join. Posts similar to the one below were made on Twitter, Facebook, and YouTube. Read More »
On April 10, 2013, a collective of politically motivated hacktivists announced a round of planned attacks called #OPUSA. These attacks, slated to begin May 7, 2013, are to be launched against U.S.-based targets. #OPUSA is a follow-up to #OPISRAEL, which were a series of attacks carried out on April 7 against Israeli-based targets. Our goal here is to summarize and inform readers of resources, recommendations, network mitigations, and best practices that are available to prevent, mitigate, respond to, or dilute the effectiveness of these attacks. This blog was a collaborative effort between myself, Kevin Timm, Joseph Karpenko, Panos Kampanakis, and the Cisco TRAC team.
If the attackers follow the same patterns as previously witnessed during the #OPISRAEL attacks, then targets can expect a mixture of attacks. Major components of previous attacks consisted of denial of service attacks and web application exploits, ranging from advanced ad-hoc attempts to simple website defacements. In the past, attackers used such tools as LOIC, HOIC, and Slowloris.
Publicly announced attacks of this nature can have highly volatile credibility. In some cases, the announcements exist only for the purpose of gaining notoriety. In other cases, they are enhanced by increased publicity. Given the lack of specific details about participation or capabilities, the exact severity of the attack can’t be known until it (possibly) happens. Read More »
Tags: advisories, ASA, botnet, botnets, Cisco Security, Cloud Computing, cloud security, data center security, DDoS, exploits, firewall, incident response, IPS, IPS signatures, malware, mitigations, security, targeted attacks, TRAC, vulnerability
Around 12:00 GMT March 16, 2013, a distributed denial of service (DDoS) attack took offline both the spamhaus.org website and a portion of its e-mail services. SpamHaus was able to restore connectivity by March 18; however, SpamHaus is still weathering a massive, ongoing DDoS attack. The DDoS attacks have also had less severe but measurable consequences for the Composite Block List (CBL) as well as Project Honey Pot.
The attackers appear to have hijacked at least one of SpamHaus’ IP addresses via a maliciously announced BGP route and subsequently used a Domain Name System (DNS) server at the IP to return a positive result for every SpamHaus Domain Name System-based Block List (DNSBL) query. This caused all SpamHaus customers querying the rogue nameserver to erroneously drop good connections.
The attacks against South Korean media and banking organizations last week severely disrupted a handful of organizations with a coordinated distribution of “wiper” malware designed to destroy data on hard drives and render them unbootable. At 14:00 KST on March 20, 2013, the wiper was triggered across three media organizations and four banks, setting off a firestorm of speculation and finger-pointing and that which continues as of this writing. In this post, I’ll share a perspective no one else seems to be talking about, but may be the real motivation behind these attacks.
The What and the Possible Why
Let’s start with what we know:
- The attack was highly targeted
- The malware was specifically designed to distribute the wiper payload throughout the impacted organizations
- The malware was timed to deploy its destructive payload simultaneously across all affected organizations
- The resulting loss of data and downtime has been severe
While the “what” of the attack is well established, the “why” and “how” are still a matter of debate. Theories postulated include an outright act of warfare from North Korea designed to economically disrupt South Korea, or an act of sabotage to cover the tracks of data exfiltration allegedly wrought by China. But what if there were an explanation that was less about countries and politics and more about that all-time motivator of crime: money? Consider, if you will, the following timeline. Read More »
Recently, I spent time with some of our customers discussing recent security events and the threat landscape. As a leader for vulnerability handling, we often have to deliver news regarding our products that can cause significant disruption for patching and remediation. I always appreciate the time that customers take to provide feedback on our products and services.
The dominant topic during conversations with customers was the threat landscape, specifically the Distributed Denial of Service (DDoS) attacks that have and are currently taking place. While DDoS attacks are certainly not new territory for our industry, there were some interesting observations we discussed regarding the nature and impact of such activities. Read More »