Today is D-Day for banks and the City of Johannesburg to pay ransom demands that were sent through by hackers last week. It is alleged that two separate groups of hackers are threatening to close down the finance sector and local government at a time when South Africans would be paying municipal bills and gaining access to their bank accounts.
Last Wednesday, one group sent a ransom note to a number of banks, claiming if it was not paid two Bitcoins (R219,000), it would launch a Distributed Denial of Service (DDoS) attack.
Meanwhile, another group of hackers is threatening to release City of Joburg customer information if it was not paid four Bitcoins by today (Monday).
Bryan Hamman, Regional Director at NETSCOUT, which offers NETSCOUT Arbor, specialising in advanced DDoS protection solutions, has offered this explanation of DDoS attacks in the broader cybersecurity landscape.
Cyberattacks have been around since the dawn of the Internet. What initially started off as curiosity or bragging rights, quickly escalated to monetising the activity. In a world where every piece of personal data is of value, the more you have, the more you can bank.
Historically, internet service providers would merely ‘blackhole’ any attack traffic. This rudimentary tactic would drop the attack traffic but also any valid traffic towards the intended target. In many cases this would merely achieve what the attacker wanted, which was to take the target offline.
In around 2000, a team of students from the University of Michigan began working on a better way to tackle the problem. In the coming years, the company they formed, namely Arbor Networks, pioneered the fight against cyberattacks and quickly became the leading provider of attack mitigation for service providers globally.
The idea, although simple in principle, was far more challenging in execution as attackers constantly evolved as well. The goal of the solution was to clean all attack traffic without any impact to the valid traffic to one or more victims of cyberattacks. Using a non-inline device, Arbor pioneered the local scrubbing of malicious traffic within service provider environments.
This became a game changer and today Arbor (now a part of NETSCOUT) actively works with, and is the vendor of choice for, over 90% of the top Tier 1 and Tier 2 ISPs in the world.
Later in 2007, a collaborative effort began between Arbor and its ISP customers to share data on the type of malicious traffic seen across the globe. The idea was to reverse-engineer, curate and create unique ‘fingerprints’ of the bad traffic and share it with other providers, so that as a group they could more easily identify and block this traffic at the edge of their respective networks.
Today, ATLAS boasts over 380 ISPs who are sharing data. This unique collaboration is translated into the intelligence feed that Arbor sends back into its products as the real-world visibility of what is happening. NETSCOUT enterprise and ISP customers use the cybersecurity intelligence feed from Arbor to keep their networks and customers safe. This value proposition is unmatched in the fight against cyberattacks.
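The fingerprint-sharing idea above can be illustrated with a small matcher. This is an added example, not Arbor, ATLAS or NETSCOUT code: the feed format, the field names, the fingerprint conditions and every address and flow record below are constructed for the illustration (addresses come from the documentation ranges). It shows how a provider would check flow records against a curated feed so that matching traffic can be rate-limited or dropped at the network edge.

```python
"""Added example (not Arbor/ATLAS code): matching flow records against a
shared 'fingerprint feed'. Feed format, field names, addresses and flow
records are all constructed assumptions for this illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    packets: int
    octets: int

    @property
    def avg_packet_size(self):
        # average bytes per packet; reflection traffic is typically large
        return self.octets / self.packets if self.packets else 0


def parse_flow(line):
    # constructed record format: "src dst proto sport dport packets bytes"
    src, dst, proto, sport, dport, packets, octets = line.split()
    return Flow(src, dst, proto.lower(), int(sport), int(dport),
                int(packets), int(octets))


# Constructed fingerprint feed (assumed format). Each entry lists the
# conditions a flow must satisfy. 'src_prefix' models the shared list of
# sources other providers have already seen misbehaving.
FEED = [
    {"id": "FP-001", "name": "udp reflection via ntp",
     "proto": "udp", "sport": 123, "min_avg_packet": 400},
    {"id": "FP-002", "name": "udp reflection via dns",
     "proto": "udp", "sport": 53, "min_avg_packet": 1000},
    {"id": "FP-003", "name": "shared bad-source prefix",
     "src_prefix": "203.0.113.0/24"},
]


def matches(flow, fp):
    """True when every condition in the fingerprint holds for the flow."""
    if "proto" in fp and flow.proto != fp["proto"]:
        return False
    if "sport" in fp and flow.sport != fp["sport"]:
        return False
    if "min_avg_packet" in fp and flow.avg_packet_size < fp["min_avg_packet"]:
        return False
    if "src_prefix" in fp and (ipaddress.ip_address(flow.src)
                               not in ipaddress.ip_network(fp["src_prefix"])):
        return False
    return True


def classify(lines, feed=FEED):
    """Return {record: [fingerprint ids]} for records matching the feed."""
    hits = {}
    for line in lines:
        flow = parse_flow(line)
        ids = [fp["id"] for fp in feed if matches(flow, fp)]
        if ids:
            hits[line] = ids
    return hits


SAMPLE_FLOWS = [  # constructed records
    "198.51.100.7 192.0.2.10 udp 123 41234 500 240000",  # 480 B avg from port 123
    "198.51.100.8 192.0.2.10 udp 53 33000 10 600",       # ordinary DNS answer, 60 B avg
    "203.0.113.45 192.0.2.10 tcp 51000 443 20 3000",     # source in the shared bad prefix
    "192.0.2.200 192.0.2.10 tcp 52000 443 100 80000",    # normal HTTPS session
]

if __name__ == "__main__":
    for record, ids in classify(SAMPLE_FLOWS).items():
        print(ids, record)
```

A real feed carries far richer fingerprints than these three, but the operational shape is the same: conditions are curated centrally, distributed to each provider, and evaluated against flow telemetry close to the edge, so that the decision to drop or rate-limit is made before the traffic reaches the victim's last mile.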
With the rise of the Internet of Things (IoT), the rapid increase in last mile connectivity and the shift to global ecommerce, enterprises have more frequently become the targets of various forms of cyberattacks. The problem, however, is that traditional vendors of firewalls, IPS, WAF and such are ill-equipped to handle these new and emerging threats.
Firstly, they are often the victim of the attack, as state and application-based attacks are frequently used to target security appliances that by design have to track sessions. These devices have a limited amount of memory and CPU, which translates to a fixed number of sessions or packets the device can handle. Attacks can be crafted to expose those weaknesses. A far simpler method would be to just saturate the last mile of connectivity.
Regardless of dropping traffic on the customer side, the entire customer site would be affected.
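The state-exhaustion failure mode described above can be modelled in a few dozen lines. This is an added example, not NETSCOUT or Arbor code: the session-table size, timeouts, arrival rates and source names are constructed assumptions. It shows a stateful appliance whose fixed table fills with sessions that are never completed, so that legitimate sessions arriving afterwards are refused, and then the same run with a per-source cap on half-open entries enforced in front of the table.

```python
"""Added example (not NETSCOUT/Arbor code): a toy model of session-table
exhaustion on a stateful firewall/IPS, with and without a per-source cap on
half-open entries. All sizes, rates and names are constructed assumptions."""
from collections import Counter

SESSION_TABLE_SIZE = 1000   # assumed capacity of the stateful appliance
HALF_OPEN_TIMEOUT = 30      # seconds an uncompleted session is retained
LEGIT_SESSION_LENGTH = 2    # seconds a normal, completed session stays tracked


class StatefulAppliance:
    """Device that must keep an entry for every session it sees."""

    def __init__(self, capacity, per_source_cap=None):
        self.capacity = capacity
        self.per_source_cap = per_source_cap   # None = no protection in front
        self.table = {}                        # session id -> (source, expiry)
        self.per_source = Counter()            # open entries per source
        self.accepted_legit = 0
        self.dropped_legit = 0
        self.dropped_attack = 0

    def expire(self, now):
        # drop entries whose retention time has passed
        for sid, (src, exp) in list(self.table.items()):
            if exp <= now:
                del self.table[sid]
                self.per_source[src] -= 1

    def new_session(self, sid, src, now, lifetime, legit):
        self.expire(now)
        over_cap = (self.per_source_cap is not None
                    and self.per_source[src] >= self.per_source_cap)
        if over_cap or len(self.table) >= self.capacity:
            if legit:
                self.dropped_legit += 1
            else:
                self.dropped_attack += 1
            return False
        self.table[sid] = (src, now + lifetime)
        self.per_source[src] += 1
        if legit:
            self.accepted_legit += 1
        return True


def simulate(per_source_cap=None, seconds=60, attackers=50,
             attack_rate=2, legit_rate=5):
    """Run a constructed 60-second timeline and return the appliance state."""
    dev = StatefulAppliance(SESSION_TABLE_SIZE, per_source_cap)
    sid = 0
    for now in range(seconds):
        # a fixed set of sources open sessions they never complete
        for a in range(attackers):
            for _ in range(attack_rate):
                dev.new_session(sid, f"source-{a}", now,
                                HALF_OPEN_TIMEOUT, legit=False)
                sid += 1
        # fresh legitimate clients each open one short-lived session
        for c in range(legit_rate):
            dev.new_session(sid, f"client-{now}-{c}", now,
                            LEGIT_SESSION_LENGTH, legit=True)
            sid += 1
    return dev


if __name__ == "__main__":
    for cap in (None, 10):
        d = simulate(per_source_cap=cap)
        print(f"per-source cap={cap}: legit accepted={d.accepted_legit} "
              f"dropped={d.dropped_legit}, attack entries refused={d.dropped_attack}")
```

Without the cap, 50 sources holding 100 new entries per second for 30 seconds fill a 1000-entry table within ten seconds and every later legitimate session is refused; with the cap, the same sources can never hold more than 500 entries between them and no legitimate session is lost. The caveat the text itself raises still applies: a cap on table usage does nothing for the simpler case where the last-mile link is saturated, which is why the scrubbing has to happen upstream of the customer site.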
NETSCOUT | Arbor has a globally unique solution in not only blocking both inbound and outbound connections that are deemed to be suspicious, but it also has the ability to work with Arbor-enabled service providers to facilitate automated local ‘cloud’ scrubbing for the enterprise customers, with no changes required to the infrastructure or routing.
This is of major benefit over the use of DNS or BGP methods used with cloud scrubbing, as there is no additional latency, not only for the valid traffic to the attack victim, but also for all other traffic that would be affected when using BGP due to the /24 minimum block requirement. Enterprise customers can procure the device themselves or, in the majority of cases, as part of a managed service from their upstream ISP.
The Arbor Edge Defense (AED) is an inline layer 2 transparent device that by design is stateless in nature. It has the ability to block both inbound attacks and outbound dubious communications. The AED is backed up by a near real-time intelligence feed from the ATLAS research team, allowing the device to identify and stop new and emerging threats. Insertion into existing networks requires no changes to the underlying architecture.
Looking at the local footprint we have seen a drastic increase in cyberattacks, and this is something that local companies have historically not given much consideration to. The publicly documented cases at Cool Ideas, Cybersmart and various South African public services illustrate that more and more attacks can be expected. The growing level and frequency of attacks are not only limited to local ISPs and enterprises, but even global giants have been taken down in recent weeks with successful attacks against Google and AWS.
NETSCOUT | Arbor releases a Cyber Threat Intelligence report every six months based on the work done by ASERT, the Arbor Security Engineering and Research Team. The statistics over the past six months compared to 2018 show a clear and dangerous trend in both the size and frequency of attacks.
Overall, there was an increase in attacks in the first six months of 2019, with a slight drop in the maximum size of the attack compared with the first half of 2018.
Meanwhile, Matt Walmsley, Head of EMEA Marketing at Vectra, says extortion is a well-established approach for cyber criminals and is used through tactics that include threatening denial of service, doxing, and ransomware.
“In the reported case of the city of Johannesburg, the four Bitcoin ransom (circa US$30,000) is meaningful but not particularly high and so may be pitched at that level to encourage a decision to pay.
“Cyber criminals are increasingly making rational economic decisions around targeting organisations and demand ransom levels that they believe will have a higher likelihood of payment.
“Cybersecurity teams supporting the city will undoubtedly be working flat out to confirm the extent of any attack to aid officials in deciding if they should pay. The same learning needs to be applied to their future risk mitigation of any techniques the attackers used.
“All too often we are reminded that defensive controls are imperfect, and the ability to quickly detect and respond to live attacks that have successfully penetrated an organisation can make the difference between a contained incident and damaging breach.”
Craig Freer, Executive Head: Cloud and Managed Services at Vox Telecom, says that security ‘is no longer a luxury’ and is something that must take top priority at every organisation.
“Cybersecurity must be addressed at a board level and not left being ‘relegated’ to an IT decision-maker,” he said.
“Companies need to conduct an extensive audit of their entire IT environment, invest in getting the right cybersecurity infrastructure in place and ensure their systems are updated to factor in emerging threats.
“They also need to continually assess their ability to effectively deal with attacks. In our experience, most companies are not geared to repel any type of attack, much less recover effectively from one. It has become a case of businesses being sitting ducks.
“Very few SMEs really understand their vulnerabilities and it can be quite complex for them to secure themselves as best as possible. It really is a case of they do not know what they do not know.
“Cybersecurity at an organisation is not a snapshot in time but evolves as the threat landscape changes. Businesses must do more to educate themselves about the threats they face and take the necessary steps to protect themselves.”
Anna Collard, Managing Director at Popcorn Training, a KnowBe4 company, says breaches occur on a regular basis.
“While large ones hit the headlines, small ones are continuous like a dripping tap,” she said.
“This is mainly because a lot of the breaches occur at small companies or merchants. The full scale of these breaches can’t be fully appreciated until looked at in totality as this breach shows.
“For companies of all sizes, having good security control is absolutely vital. For the most part, this would mean having the fundamental security controls which can prevent, protect, and respond to threats.
“Beyond that, companies should look at what the biggest threats to them are, and how those threats materialise. In the majority of cases, this will boil down to social engineering attacks, taking advantage of unpatched software, or authentication attacks. By investing in these controls, most companies can reduce the likelihood of being successfully compromised.”
Anton Ivanov, Security Researcher at Kaspersky, says that the threat of ransomware remains as powerful as ever and the company’s detection data shows that larger organisations, such as city authorities and enterprises, are the fastest-growing target.
“According to our data, attacks on employees of large organisations have gone up 17.9% in the last 12 months (from 198,334 in the period June 2017 to end May 2018, to 233,763 for June 2018 to end May 2019), compared to an increase of just 3% in attacks on individual consumers,” said Ivanov.
“Attacks on urban infrastructure are often worryingly successful, with far reaching impact on essential systems and processes, affecting not just the authority itself but local businesses and citizens. What makes cities a target? It could be the fact that they run vast networks of connected technology that can be hard to update, manage and patch effectively, or because the attackers believe they may be more inclined to pay the ransom to avoid recovery costs that can be many times higher than the ransom fee.
“To protect city infrastructure against the threat of ransomware, Kaspersky recommends securing all data, devices and networks with robust security software.
“But with many non-technical employees, located across many different sites, employee training and awareness is probably the greatest priority.
A useful checklist could be:
- Implement security awareness training to teach all staff to treat email attachments, or messages from people they don’t know, with caution
- Back up data regularly and ensure you have full visibility of all devices on the network – and ensure they are all protected
- At the very least, enhance your security solution with a free anti-ransomware tool, for example the Kaspersky Anti-Ransomware Tool for Business
- For superior protection use an endpoint security solution that is powered by behaviour detection and able to roll back malicious actions
- Carry out regular security audits of your corporate network for anomalies
- Don’t overlook less obvious targets, such as queue management systems, POS terminals, and even vending machines. Outdated embedded systems often have old protection, or may not have any protection at all, and they require a solution against modern threats that has been developed taking into account the specific needs and characteristics of such devices, for example, Kaspersky Embedded System Security
- Always use an endpoint security solution that is powered by behaviour detection and able to roll back malicious actions, as well as application control to track malicious activity in legitimate applications. Specialised devices should be in Default Deny mode. All these functions are included in Kaspersky Endpoint Security for Business
- For endpoint level detection, investigation and timely remediation of complex incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response. In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform
- Provide your security operation team with access to the latest threat intelligence, to keep them up to date with the new tools, techniques and tactics used by threat actors