Akamai Security Roundtable for Financial Services - slide deck

Slide 1

Slide 1 text

Slide 69

Slide 69 text

©2016 AKAMAI | FASTER FORWARDTM Emerging Trends Changes in several metrics indicated changes in the tools that booter/ stressor sites and botnets are using. Multi-vector attacks dropped 10 percentage points from the previous quarter, accounting for 49% of all attacks The increase in single-vector attacks seems to be the result of rogue attackers, with a single malicious actor running a particular attack tool alone. This trend is expected to revert to a greater instance of multi-vector attacks. Single-vector attacks observed so far typically carry a smaller punch than a multi-vector combination run from a booter framework. We also identified a trend in attacks greater than 300 Gbps. Where in the past these attacks were composed primarily of padded SYN And UDP flood payloads, the latest attacks contained other vectors, including reflection attacks. These attacks could indicate a new hybrid botnet that combines traditional attack tools spread on a wider scale. Web application attacks shifted this quarter. For the first time since this data was reported, the US fell to second as an attack source country. Instead, Brazil took the top spot due to a 197% increase in attacks. This quarter also posted new highs for sql injection (SQLi) and remote file inclusion (rfi) attacks with 7% and 57% increases over last quarter respectively. These web application attacks were also higher than in Q2 2015. DDoS Extortion Attempts / In recent months, there have been many news reports generated about attackers making extortion threats. It was a simple recipe. First, the attackers launched a burst of DDoS traffic. Then, they contacted the victim via email and demanded payment in exchange for a promise not to attack again. This demand was almost exclusively a request for bitcoins, in an attempt to avoid the money being traced back to the attackers. Shortly thereafter, copycats began making threats without launching any attacks. In a cursory examination of several extortion-related emails, we found the associated bitcoin wallets in each case had no recorded transactions. It appears that the targets were getting wise and not paying up. For the sake of clarity, this is not to say that all extortion attempts will be hand-waving actions with no substance — quite the contrary. Other attackers followed through on their extortion-related threats, making it difficult for any targeted organization to discern whether a threat is legitimate. This uncertainty reinforces the need for security controls to mitigate DDoS attacks.

Slide 73

Slide 73 text

©2016 AKAMAI | FASTER FORWARDTM DDoS Attack Spotlight On June 20, Akamai mitigated one of the largest confirmed DDoS attacks of the year on our routed network. The attack targeted a European media organization and was comprised of six DDoS attack vectors: SYN, UDP fragment, PUSH, TCP, DNS, and UDP floods. It peaked at 363 Gbps and 57 Mpps. The attack analysis identified a DNS reflection technique that abused a dnssec- configured domain. This attack technique generates an amplified response due to the requirements of the dnssec. During the past few quarters, Akamai observed and mitigated a large number of dns reflection and amplification DDoS attacks that abuse dnssec- configured domains. As with other DNS reflection attacks, malicious actors continued to use open DNS resolvers for their own purposes, effectively using these resolvers as a shared botnet.. The source domain was observed in DDoS attacks against customers in multiple industries. It was likely the work of malicious actors making use of a DDoS-for-hire service with purchased virtual private server (vps) services, public proxies, and legacy botnets. It appeared to have the ability to launch multiple simultaneous attack vectors, such as the ones used in this attack. Part of the SYN flood matched a signature from the Kaiten std botnet. Akamai SIRT has been investigating a malware variant of Kaiten std that specifically targets networking devices used in small-office and home-office (soho) environments and Internet of Things (IoT) devices. The malware has an extensive list of attack vectors and the capability to execute arbitrary commands and take full control of an infected system. The Kaiten std malware is packed with a custom packer/encoder to hinder analysis. It is compiled to run on multiple architectures (mips, arm, PowerPC, x86, x86_64) and uses a custom Internet relay chat (irc)-like communication protocol for command and control (C2) communications. The UDP flood could also have been generated by the Kaiten std botnet, a similar variant, or an entirely different botnet. The payload was too generic to draw a strong conclusion. This SYN flood can be identified by the length of its TCP headers and options.

Slide 83

Slide 83 text

©2016 AKAMAI | FASTER FORWARDTM Extortion Email --expert from the ransom letter-- "We'll begin attack on Tuesday 06-09-2016 8:00 p.m.!!!!!" "EXS" Attack!!! "EXS" We are a HACKER TEAM - Armada Collective 1 - We have checked your information security systems, setup is poor; the systems are very vulnerable and obsolete. 2 - We'll begin attack on Tuesday 06-09-2016 8:00 p.m.!!!!! 3 - We'll execute some targeted attacks and check your DDoS servers by the 10-300 Gbps attack power 4 - We'll run a security breach test of your servers through the determined vulnerability, and we'll gain the access to your databases. 5 - All the computers on your network will be attacked for Cerber - Crypto-Ransomware 6 - You can stop the attack beginning, if payment 1 bitcoin to bitcoin ADDRESS: 1BMfGb5r7jJCq685ijN5GKyXWByRKn8wHh 7 - If you do not pay before the attack 1 bitcoin, the price will increase to 20 bitcoins 8 - You have time to decide! Transfer 1 bitcoin to ADDRESS: 1BMfGb5r7jJCq685ijN5GKyXWByRKn8wHh Bitcoins e-money https://en.wikipedia.org/wiki/Bitcoin Bitcoins are very easy to use. Instruction: 1.You have to make personal bitcoin wallet. It is very easy. You can download and install bitcoin wallet to your PC. There are lots of reliable wallets, such as: https://multibit.org/ https://xapo.com/ But there are much easier options as well. You can make bitcoin wallet online, for example blockchain.info or coinbase.com and many others. You may also transfer money directly from exchanger or bitcoin ATM to the decryption address provided to you. 2. You can top up the credit on your bitcoin wallet in most convenient way: - To buy bitcoins in the nearest bitcoin ATM; refer to the address on a website: coinatmradar.com/countries/ - by means of credit card or different payment systems such as PayPal, Skrill, Neteller and others or by cash, for example: https://localbitcoins.com/buy_bitcoinshttps://exchange.monetago.comhttps://hitbtc.com/exchange How to make bitcoin wallet with Google for the additional information --------------------   

Slide 1

Slide 1 text

Slide 2

Slide 2 text

Slide 3

Slide 3 text

Slide 4

Slide 4 text

Slide 5

Slide 5 text

Slide 6

Slide 6 text

Slide 7

Slide 7 text

Slide 8

Slide 8 text

Slide 9

Slide 9 text

Slide 10

Slide 10 text

Slide 11

Slide 11 text

Slide 12

Slide 12 text

Slide 13

Slide 13 text

Slide 14

Slide 14 text

Slide 15

Slide 15 text

Slide 16

Slide 16 text

Slide 17

Slide 17 text

Slide 18

Slide 18 text

Slide 19

Slide 19 text

Slide 20

Slide 20 text

Slide 21

Slide 21 text

Slide 22

Slide 22 text

Slide 23

Slide 23 text

Slide 24

Slide 24 text

Slide 25

Slide 25 text

Slide 26

Slide 26 text

Slide 27

Slide 27 text

Slide 28

Slide 28 text

Slide 29

Slide 29 text

Slide 30

Slide 30 text

Slide 31

Slide 31 text

Slide 32

Slide 32 text

Slide 33

Slide 33 text

Slide 34

Slide 34 text

Slide 35

Slide 35 text

Slide 36

Slide 36 text

Slide 37

Slide 37 text

Slide 38

Slide 38 text

Slide 39

Slide 39 text

Slide 40

Slide 40 text