October saw the ominous predictions of Resilient CTO Bruce Schneier in September coming true as a number of major internet infrastructure providers fell victim to cyber attack.
Schneier had warned that the companies that operated the nuts and bolts of the internet were being tested in major DDoS attacks by what he believed to be a state actor.
This is a major theme across CBR’s monthly attack round-up; but perhaps as concerning as who the attacks are targeting is the way that they are being carried out.
Again, the DDoS methodology that is being deployed here was observed in September in the attack on blogger Brian Krebs’s website KrebsOnSecurity.
These developing trends happen against the usual background of data breaches and phishing scams.
Read on to find out about Dyn, StarHub, Weebly and the Red Cross.
1. Dyn
Believed to be one of the largest distributed denial of service (DDoS) attacks of all time, the attack on DNS provider Dyn took down several major sites, such as Twitter, Reddit and Spotify, which use Dyn’s infrastructure.
Starting at 11:10 AM UTC (12:10 PM BST) on 21 October, the DDoS hit the Dyn Managed DNS infrastructure. DDoS attacks flood an internet service with traffic, meaning that the server cannot cope with the demand.
Dyn began to monitor and mitigate the attack and restored service to normal around two hours later.
The attack mainly impacted customers in the US East region.
The attack could have reached a magnitude in the 1.2 Tbps range, although Dyn said that this was not confirmed.
The Dyn attack follows DDoS attacks last month on OVH and KrebsOnSecurity. According to OVH’s founder, posting on Twitter, the combined brunt of the attack amounted to around 1.1 Tbps, while the Krebs attack apparently reached 620 Gbps.
Underpinning these attacks is the malware Mirai, which Dyn confirmed as the source of the attack.
Mirai is hard-coded with a short list of default passwords, including obvious words and phrases such as ‘password’ or ‘password123’. It trawls the internet looking for exposed internet-connected devices such as routers and cameras, and tries these passwords against them in an attempt to take them over.
The size of the Dyn attack is impressive, but also interesting is the number of endpoints involved in the attack: according to Dyn, it involved up to 100,000 malicious endpoints.
This is a worrying trend, especially with the number of internet-connected devices set to increase over the coming years, and shows the need for the Internet of Things (IoT) to be properly secured.
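The Mirai behaviour described above (one source hammering default accounts on many devices until one login succeeds) is visible from the defender's side as a burst of failed logins followed by a success. The following is an added example, not code from the article or from Dyn, that runs that detection over constructed log lines in a hypothetical device-login format; the field names, thresholds and addresses are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical device-login log format:
# "<ISO timestamp> <OK|FAIL> src=<ip> user=<name>"
SAMPLE_LOG = """\
2016-10-21T11:10:01 FAIL src=203.0.113.7 user=root
2016-10-21T11:10:02 FAIL src=203.0.113.7 user=admin
2016-10-21T11:10:02 FAIL src=203.0.113.7 user=support
2016-10-21T11:10:03 FAIL src=203.0.113.7 user=root
2016-10-21T11:10:04 OK src=203.0.113.7 user=admin
2016-10-21T11:10:05 FAIL src=198.51.100.9 user=alice
2016-10-21T11:15:00 OK src=198.51.100.9 user=alice
"""


def parse_line(line):
    """Split one log line into (timestamp, result, source ip, username)."""
    ts, result, src, user = line.split()
    return (datetime.fromisoformat(ts), result,
            src.split("=", 1)[1], user.split("=", 1)[1])


def detect_credential_bursts(log_text, window_seconds=60, threshold=3):
    """Return findings in log order:
    ("burst", src, failures, distinct_users) the first time a source reaches
      `threshold` failed logins inside a sliding window of `window_seconds`;
    ("success_after_burst", src, user) when that source then logs in while
      the burst is still inside the window, i.e. the device was likely taken over.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> deque of (timestamp, user) failures
    reported = set()              # sources whose burst has already been flagged
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, result, src, user = parse_line(raw)
        q = recent[src]
        while q and ts - q[0][0] > window:   # drop failures outside the window
            q.popleft()
        if result == "FAIL":
            q.append((ts, user))
            if len(q) >= threshold and src not in reported:
                reported.add(src)
                findings.append(("burst", src, len(q), len({u for _, u in q})))
        elif result == "OK" and len(q) >= threshold:
            findings.append(("success_after_burst", src, user))
    return findings
```

The single failure from 198.51.100.9 followed by a success five minutes later is ordinary user behaviour and produces no finding.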
2. StarHub
Less widely reported in the West, but demonstrating the same worrying trend, was an attack in Singapore on the StarHub domain name system (DNS).
The attack came in two waves, leaving some subscribers unable to surf the web for up to two hours.
The Singaporean authorities warned other telecoms companies to put in place systems to detect and mitigate such attacks.
The StarHub attack used the same mechanism as the Dyn one, using a botnet of captured devices to ramp up traffic.
3. Red Cross
Moving on from the menace of IoT-powered DDoS attacks, the Australian wing of the Red Cross blood donation service was hit by a large data breach that saw the registration information of 550,000 donors exposed.
According to the Red Cross, a file containing donor information was placed in an insecure environment by the third party that develops and maintains the Blood Service’s website.
The details were from people who had made donations between 2010 and 2016, and included information such as names, addresses and dates of birth.
The Red Cross added that “the online forms do not connect to our secure databases which contain the more sensitive medical information.”
The Red Cross said that a third-party cyber support service had assessed the information as being at low risk of future direct misuse.
Jim Birch, Chair of the service, expressed the company’s deep disappointment, saying that “we take full responsibility for this mistake and apologise unreservedly.”
4. Weebly
Weebly, a web hosting service that provides a drag-and-drop website builder, saw details of over 43.4 million accounts stolen.
Each record in the database contained a username, email address, password and IP address.
The database was provided to the breach-indexing site LeakedSource, which said that Weebly sent out password reset emails to its users after collaborating with LeakedSource.
The attack was believed to have been carried out in February.
5. Sainsbury’s
It is unclear how many people have fallen for this cyber attack, but this phishing scam aims to entice users to provide their details with the promise of a financial reward.
People in the UK received messages through WhatsApp providing a link and promising £100 worth of gift cards.
This attack relies on people forwarding the message on, so that it arrives from a trusted contact.
However, the link provided is bogus and merely designed to collect the unsuspecting recipient’s information.