Security roundup: APTs, account abuse and DDoS attacks

Australia is significantly more exposed to advanced persistent threats (APTs) than the global average, research from FireEye shows.

The vendor’s latest Advanced Threat Report shows that the exposure rate for Australian organisations grew 30% in the first six months of the year.

The APT exposure rate in Australia was measured at 35%, up from 27% in the last threat report, which was published in March.

When ranked globally, Australia’s APT exposure rate is 15 percentage points higher than the global average of 20%, but also 15 points lower than the exposure rate in Hong Kong, the most targeted region in APAC.

Across the APAC region telecom, federal governments and the education, high-tech and financial services sectors are the industries most likely to be the target of APTs. In addition to these threats, ransomware is among the top 10 most common malware families aimed at APAC organisations.

“The first half of 2015 was a highly eventful period for cybersecurity in the Asia Pacific region,” the report states.

“Since the start of the year, FireEye has seen a significant increase in the number of attacks across the region, [and] 96% of global organizations are unknowingly breached as threat actors of all kinds increasingly evade traditional security products.”

Attackers posing as insiders are a top threat

Separate research from CyberArk indicates that attackers who pose as legitimate insiders represent one of the greatest threats to enterprise security.

A survey of IT security and C-level executives in the US suggests that the majority (61%) believe privileged account takeover is the most difficult state of a cyber attack to attempt to mitigate.

In addition, 38% identified stolen privileged or admin accounts as the attack vector that represents the greatest security concern, while 27% cited phishing attacks.

CyberArk said the results also show an overconfidence in their corporate security strategies. While research suggests it takes an average of 200 days for an organisation to discover attackers on their networks, 55% of respondents believe they can detect a breach in a matter of days.

The majority (57%) expressed confidence in the security strategies devised by their CEO or board, and 44% believe they can keep attackers off a targeted network.

CyberArk CMO John Worrall commented that these beliefs are unfounded. “It is no longer acceptable for organisations to presume they can keep attackers off their network,” he said. “The most damaging attacks occur when privileged and administrative credentials are stolen, giving the attacker the same level of access as the internal people managing the systems.”

The Australian Cyber Security Centre just recently published a guide designed to help organisations protect privileged access accounts.

Akamai issues alert over 150 Gbps+ DDoS botnet

Akamai has warned organisations to be on the lookout for a botnet capable of mounting DDoS attack campaigns involving a whopping 150 Gpbs or higher worth of traffic.

The attackers are using the XOR DDoS trojan malware to mount the botnet campaign. XOR DDoS infects Linux systems, instructing them to launch DDoS attacks on command.

The attack uses brute force methods to discover the password to a Linux machine’s Secure Shell services and use the login’s root privileges to run a Bash shell script to download and execute the malicious binary.

Research from Akamai’s security incident response team suggests that the gaming sector is the most frequent target of the botnet, followed by educational institutions. Attacks conducted by the botnet have been detected at up to 179 Gbps.

“Over the past year, the XOR DDoS botnet has grown and is now capable of being used to launch huge DDoS attacks,” Akamai Senior Vice President and General Manager for Security Stuart Scholly said.

“XOR DDoS is an example of attackers switching focus and building botnets using compromised Linux systems to launch DDoS attacks. This happens much more frequently now than in the past, when Windows machines were the primary targets for DDoS malware.”

Akamai said XOR DDoS can be detected by scanning for communications between a bot and its command and control centre or by pattern-matching strings attached to malicious binaries.

Image courtesy of Intel Free Press under CC