November was another bumper month for big cyber attacks. There was something for everyone, with new mobile malware in the form of the Gooligan campaign, new distributed denial of service (DDoS) attacks through the Mirai malware and standard data breaches in the cases of Three and the National Lottery.
When we left off at the end of October, the Mirai malware had taken major websites such as Reddit and Twitter offline after being turned against DNS provider Dyn. Mirai carries a hard-coded list of factory-default usernames and passwords and scans the internet for exposed devices such as home routers, DVRs and IP cameras.
It tries each username and password pair in turn against the device's telnet login until one is accepted, at which point the device is taken over and added to the botnet.
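That pattern is easy to spot in honeypot logs. The following is an added example, not code from CBR, Check Point, Sophos or the Mirai authors: it parses telnet login records in a log format constructed for this illustration, counts how many attempts from each source address use a credential pair from the Mirai list (a subset of the pairs hard-coded in the leaked scanner source; the subset, thresholds and the three sample source addresses are assumptions), and reports which sources are cycling through default credentials and whether any of those pairs was actually accepted.

```python
"""Spot Mirai-style default-credential scanning in telnet honeypot logs.

Added example: not part of the original article or of the Mirai source.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional, Set, Tuple

# A subset of the username/password pairs hard-coded in the leaked Mirai
# scanner. Most are factory defaults for DVRs, IP cameras and routers.
MIRAI_DEFAULT_CREDS: Set[Tuple[str, str]] = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "xmhdipc"),
    ("root", "default"), ("root", "juantech"), ("root", "123456"),
    ("root", "54321"), ("support", "support"), ("root", "root"),
    ("admin", "password"), ("root", "12345"), ("user", "user"),
    ("root", "pass"), ("admin", "admin1234"), ("root", "1111"),
    ("admin", "smcadmin"), ("root", "666666"), ("root", "password"),
    ("root", "1234"), ("root", "klv123"), ("root", "7ujMko0vizxv"),
    ("root", "7ujMko0admin"), ("ubnt", "ubnt"), ("root", "hi3518"),
    ("root", "Zte521"), ("admin", "1234"), ("tech", "tech"),
}

# Assumed honeypot log format (constructed for this example), one line per
# login attempt:
#   <timestamp> <source-ip> LOGIN user=<u> pass=<p> result=<ok|fail>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+LOGIN\s+"
    r"user=(?P<user>\S*)\s+pass=(?P<pw>\S*)\s+result=(?P<res>ok|fail)\s*$"
)


def parse_line(line: str) -> Optional[Tuple[str, str, str, bool]]:
    """Return (src, user, password, success) or None for unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["src"], m["user"], m["pw"], m["res"] == "ok"


def analyse(lines: Iterable[str], min_attempts: int = 5,
            min_default_ratio: float = 0.6) -> Dict[str, dict]:
    """Flag sources that cycle through the Mirai default-credential list.

    A source is flagged when it makes at least `min_attempts` login attempts
    and at least `min_default_ratio` of them use a known default pair.
    `compromised` is True when one of those pairs was accepted, i.e. the
    honeypot (or a real device behind it) would have been recruited.
    """
    stats = defaultdict(lambda: {"attempts": 0, "default_hits": 0,
                                 "compromised": False, "pairs": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip noise; a production pipeline would count these
        src, user, pw, ok = parsed
        s = stats[src]
        s["attempts"] += 1
        if (user, pw) in MIRAI_DEFAULT_CREDS:
            s["default_hits"] += 1
            s["pairs"].add((user, pw))
            if ok:
                s["compromised"] = True

    flagged: Dict[str, dict] = {}
    for src, s in stats.items():
        if s["attempts"] < min_attempts:
            continue
        if s["default_hits"] / s["attempts"] >= min_default_ratio:
            flagged[src] = {"attempts": s["attempts"],
                            "default_hits": s["default_hits"],
                            "compromised": s["compromised"],
                            "pairs": sorted(s["pairs"])}
    return flagged


# Constructed sample: one Mirai-style scanner (203.0.113.7), one legitimate
# admin with a non-default password, and one low-volume guesser.
SAMPLE_LOG = """\
2016-11-27T10:00:01Z 203.0.113.7 LOGIN user=root pass=xc3511 result=fail
2016-11-27T10:00:02Z 203.0.113.7 LOGIN user=root pass=vizxv result=fail
2016-11-27T10:00:02Z 198.51.100.5 LOGIN user=admin pass=S3cret-Pass! result=ok
2016-11-27T10:00:03Z 203.0.113.7 LOGIN user=admin pass=admin result=fail
2016-11-27T10:00:04Z 203.0.113.7 LOGIN user=root pass=888888 result=fail
2016-11-27T10:00:04Z 192.0.2.9 LOGIN user=root pass=qwertyuiop result=fail
2016-11-27T10:00:05Z 203.0.113.7 LOGIN user=support pass=support result=fail
2016-11-27T10:00:05Z 192.0.2.9 LOGIN user=root pass=letmein99 result=fail
2016-11-27T10:00:06Z 203.0.113.7 LOGIN user=root pass=juantech result=ok
garbage line that should be skipped
"""

if __name__ == "__main__":
    for src, info in analyse(SAMPLE_LOG.splitlines()).items():
        state = "COMPROMISED" if info["compromised"] else "scanning"
        print(f"{src}: {state}, {info['default_hits']}/{info['attempts']} "
              f"attempts used Mirai default credentials")
```

Run against the constructed sample, only 203.0.113.7 is reported, as compromised, because its sixth attempt (root/juantech) was accepted; the legitimate administrator and the two-guess source fall below the attempt threshold. The ratio test matters in practice: a human who mistypes a real password a few times should not trip the alert, while a scanner that works straight down the default list will.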
The outages at Deutsche Telekom show a novel side of Mirai: what happens when an infection attempt fails can be just as damaging.
CBR looks at some of the big breaches and what happened in them.
1. Gooligan
More than a million Google accounts were compromised in this campaign, which uses stolen Android credentials to access Google services.
The Gooligan malware is downloaded to smartphone devices through third-party app stores, according to security firm Check Point. The apps could also be downloaded if the user clicks on a malicious link in a phishing message.
From there it downloads a rooting kit that exploits known vulnerabilities in the device to gain root. With that foothold it fetches a malicious module from a command and control (C&C) server that steals the user's Google account credentials, giving access to Gmail and other Google services.
That access is used to install apps from Google Play and rate them with the victim's account, or to install adware on the device, either way generating revenue for the operators.
Devices running Android 4 and Android 5 are affected.
Google said there was no evidence that user data had been accessed; the stolen credentials were instead used to promote apps by leaving automated positive reviews and high ratings from the victim's account.
2. Trump and Clinton websites
November saw the election of real estate mogul and reality TV star Donald Trump to the most powerful elected office in the world, the US Presidency.
This event, unforeseen by most pundits, meant that a distributed denial of service (DDoS) attack on the websites of both Trump and rival Hillary Clinton went largely unnoticed.
The security firm Flashpoint detected the attacks between 6 and 7 November.
Mirai botnets were pointed at both the Trump and Clinton websites in the days leading up to the election on 8 November.
However, both sites stayed online throughout. Flashpoint said this was because the Mirai botnets had become weaker, with the pool of infectable devices fragmented between rival operators since the malware's source code was published in October.
3. Deutsche Telekom
In what is likely another Mirai variant, the attack hit Deutsche Telekom customers on 27 and 28 November 2016, knocking out internet and telephony on over 900,000 customer connections, nearly 5 percent of its users.
Deutsche Telekom is working with the German Federal Office for Information Security (BSI) to investigate the incident. According to the BSI, the failure was caused by a worldwide attack on selected remote management ports of DSL routers (the TR-069/TR-064 management interface on TCP port 7547) in an attempt to infect them with malicious software.
According to Sophos, the most likely explanation is that a Mirai variant was trying to take over the routers in order to recruit them into the botnet.
Because the affected devices were not actually susceptible, the infection attempts did not yield new bots but instead left each router cut off from the internet, "unable to pass traffic in either direction and possibly unable to reconnect to the internet until it is rebooted."
4. The National Lottery
Around 26,500 player accounts were accessed in this hack.
Camelot, which operates the lottery, became aware of the issue on Sunday 27 November.
The impact was limited because full debit card and bank account details are not stored in the online accounts.
This meant that some personal information belonging to players was accessed, but no money was taken.
“We are currently taking all the necessary steps to fully understand what has happened, but we believe that the email address and password used on the National Lottery website may have been stolen from another website where affected players use the same details,” it said in a statement.
5. Three UK
Three saw suspicious activity on the system used to upgrade customers to new devices.
The fraudsters ordered upgrade handsets for customers who had not asked for them, intending to intercept the deliveries and resell the devices. Eight customers were affected in this way.
In addition, customer information was stolen from 133,827 accounts on the upgrade system.
Three's CEO Dave Dyson said in a statement that no bank details, passwords, PINs, payment information or credit/debit card information had been obtained.
“We believe the primary purpose of this was not to steal customer information but was criminal activity to acquire new handsets fraudulently,” he said.
Three began contacting all affected customers directly and put additional security in place on the upgrade system.
At the time of writing three arrests had been made.
6. Tesco Bank
On 5 November, customers began complaining that money had been withdrawn from their Tesco Bank accounts without permission, that their cards had been blocked, and that they faced long delays getting through to the bank by phone.
Tesco Bank suspended online transactions from current accounts after detecting "suspicious activity"; service had resumed by 10 PM on 8 November.
Around 9,000 customers were hit by fraudulent transactions, according to Tesco, at a cost of £2.5 million. All affected customers have been fully reimbursed.
The bank also said that no customer personal data had been compromised.
The bank is working with the National Cyber Security Centre, a division of GCHQ on the investigation.
7. Adult Friendfinder
The attack on adult dating and entertainment company FriendFinder Networks reportedly exposed account details of its 412 million users.
It affected AdultFriendFinder, Cams.com, Penthouse, Stripshow and iCams.com, all owned by FriendFinder Networks.
339 million accounts from AdultFriendFinder.com were exposed in the attack, 62 million from Cams.com and 7 million from Penthouse.com.
Also exposed were over 15 million “deleted” accounts that had not been removed from the databases.
According to LeakedSource, which obtained the data, the breach covered two decades of accumulated records from the company's largest sites.
FriendFinder Networks confirmed to ZDNet that it was aware of a vulnerability in the site (a local file inclusion flaw), but did not confirm the attack.
8. William Hill
The website of the UK bookmaker was hit by a major DDoS that took some of its services offline.
The bookmaker's technical team worked to restore service, but the site was down for around 24 hours and estimates of the company's losses ran into millions of pounds.
The first widely reported use of DDoS against the gambling industry was in 2004, when hackers attacked betting sites during the Cheltenham races.
9. Liberia
Kevin Beaumont, a security architect, claimed in a piece on blog site Medium.com that Liberia’s entire internet network had been knocked offline.
Although much is unclear, the attack seems to have impacted a local telecoms operator.
Brian Krebs, security expert and blogger at KrebsOnSecurity, questioned how widespread the attack was. Also sceptical was Graham Cluley, another security blogger based in Britain.
The ACE submarine cable's monitoring systems, and servers hosted at the Liberia Internet Exchange Point, showed no downtime during the period, Krebs found after speaking with Daniel Brewer, general manager of the Cable Consortium of Liberia.
This suggests the attack hit a single mobile operator rather than the country's connectivity as a whole.