It’s that time of year again, when consumers, retailers and manufacturers need to understand and be alert to the latest cyber attacks that threaten to dampen the spirit and excitement of the holidays. This year we’re seeing two twists on some tried and true tactics that are cause for concern among the online gaming industry and retailers.
Gaming industry and DDoS
The use of botnets comprised of compromised IoT devices (cameras, DVRs, routers or other internet-connected hardware) is not a new development. But the attacks involving the recently discovered Mirai malware, which targeted Krebs on Security, the French Internet Service Provider OVH, DynDNS and a mobile telecommunications provider in Liberia, have been some of the largest distributed denial of service (DDoS) attacks measured to date.
These attacks highlight the inherent vulnerability of basing network infrastructure around centralized DNS providers, and the potential for large IoT botnets to let low-capability actors launch high-impact attacks. Mirai spreads by scanning for IoT devices that expose Telnet – a network protocol that allows a user on one computer to log onto another computer over the network – and then cycles through factory-default usernames and passwords in an attempt to brute-force access to the device.
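The Telnet scanning described above is also what makes an infected device visible to its owner: a compromised camera or DVR starts fanning out connections to TCP/23 across many hosts in a short window. The following is an added example, not code from the original post, that looks for that pattern in firewall logs. The key=value log format, the source and destination addresses and the threshold of ten distinct targets per minute are all constructed assumptions for this example.

```python
"""
Added example: flag sources that fan out to many distinct hosts on
TCP/23 (Telnet) within a short window, the scanning behaviour of a
Mirai-infected device. Log format and sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime

TELNET_PORT = 23

# Constructed firewall log (key=value style, made up for this example):
#  - 192.168.1.40 hits 12 different hosts on port 23 within 12 seconds (scanner)
#  - 192.168.1.10 makes one SSH connection (benign)
#  - 192.168.1.11 touches two Telnet hosts (too few to flag)
#  - 192.168.1.77 touches 11 Telnet hosts spread over 50 minutes (slow scan)
SAMPLE_LOG = "\n".join(
    [f"2016-11-28T10:00:{i:02d}Z src=192.168.1.40 dst=10.0.7.{i + 1} dport=23 action=deny"
     for i in range(12)]
    + ["2016-11-28T10:00:05Z src=192.168.1.10 dst=10.0.7.50 dport=22 action=allow",
       "2016-11-28T10:00:06Z src=192.168.1.11 dst=10.0.7.60 dport=23 action=allow",
       "2016-11-28T10:00:07Z src=192.168.1.11 dst=10.0.7.61 dport=23 action=allow"]
    + [f"2016-11-28T10:{m:02d}:00Z src=192.168.1.77 dst=10.0.8.{m + 1} dport=23 action=deny"
       for m in range(0, 55, 5)]
)


def parse_line(line):
    """Parse one 'TIMESTAMP key=value ...' line into a dict."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    fields["dport"] = int(fields["dport"])
    return fields


def find_telnet_scanners(log_text, min_targets=10, window_seconds=60):
    """
    Return {source_ip: peak_distinct_targets} for every source that reached
    at least `min_targets` distinct hosts on port 23 inside any
    `window_seconds`-long sliding window.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["dport"] == TELNET_PORT:
            by_src[ev["src"]].append((ev["ts"], ev["dst"]))

    scanners = {}
    for src, events in by_src.items():
        events.sort()  # chronological order for the sliding window
        start, peak = 0, 0
        for end in range(len(events)):
            # Advance the window start until the span fits in window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= min_targets:
            scanners[src] = peak
    return scanners


if __name__ == "__main__":
    print("fast scan :", find_telnet_scanners(SAMPLE_LOG))
    print("1h window :", find_telnet_scanners(SAMPLE_LOG, window_seconds=3600))
```

With the default one-minute window only the fast scanner is reported; widening the window to an hour also surfaces the slow scanner, which is the trade-off to tune against how noisy the network is. A hit on an internal address is worth treating as a likely compromised IoT device rather than an external probe.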
The attacks on DynDNS caused major disruption and prevented users based in the U.S. from accessing a large number of high profile online services hosted on DynDNS infrastructure. These included major news websites, payment platforms, online games and video on demand (VOD) services.
The gaming industry has been targeted by DDoS attacks in the past; for example, the hacker group dubbed “Lizard Squad” brought down Xbox Live and the PlayStation Network (PSN) in December 2014. With the holidays approaching, gaming sites worldwide need to be on the alert for similar attacks and mitigate vulnerabilities, or risk having users unable to access their services. Here are a few tips for how the gaming industry can protect itself and its customers:
• Change access credentials for devices and implement complex passwords.
• Evaluate your dependence on DNS, specifically for your most critical domains, and investigate the use of multiple DNS providers.
• Develop a DDoS response process and review monitoring capabilities: to minimize downtime it is important to quickly identify the attack, characterize the attack traffic and take the appropriate action.
• Consider disabling all remote access to devices and perform administrative tasks internally – instead of Telnet, FTP and HTTP, use SSH, SFTP and HTTPS.
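The second tip, evaluating dependence on a single DNS provider, is easy to check mechanically: if every authoritative nameserver for a critical domain belongs to one provider, that provider is a single point of failure of the kind the DynDNS attack exposed. The following is an added example, not code from the original post. The domains, nameserver names and provider names are constructed; the `fetch_ns` helper that uses the dnspython library is optional and is only needed if you want to pull live records instead of pasting in the output of `dig NS <domain>`.

```python
"""
Added example: audit how many independent DNS providers serve each
critical domain. All domain and nameserver names below are constructed.
"""

# Constructed NS records as you would get them from `dig NS <domain>`.
SAMPLE_NS_RECORDS = {
    "shop.example": ["ns1.dnsvendor-a.example.", "ns2.dnsvendor-a.example."],
    "pay.example": ["ns1.dnsvendor-a.example.", "ns1.dnsvendor-b.example."],
    "login.example": ["ns-a.dnsvendor-c.example."],
}


def provider_of(ns_host):
    """
    Derive a provider key from a nameserver host name by taking its last two
    labels. This is a simplification: for public-suffix TLDs such as co.uk a
    Public Suffix List lookup would be needed instead.
    """
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def audit_dns_diversity(ns_records, min_providers=2, min_servers=2):
    """
    For each domain, report the distinct providers behind its NS records and
    whether it falls below the required provider or server count.
    Returns {domain: {"providers": [...], "servers": n, "single_point_of_failure": bool}}.
    """
    report = {}
    for domain, servers in ns_records.items():
        providers = sorted({provider_of(ns) for ns in servers})
        report[domain] = {
            "providers": providers,
            "servers": len(servers),
            "single_point_of_failure": len(providers) < min_providers
            or len(servers) < min_servers,
        }
    return report


def single_provider_domains(ns_records, **kwargs):
    """Convenience wrapper: just the domains that fail the audit."""
    report = audit_dns_diversity(ns_records, **kwargs)
    return sorted(d for d, r in report.items() if r["single_point_of_failure"])


def fetch_ns(domain):
    """
    Optional live lookup using dnspython (pip install dnspython). Not used by
    the offline sample above; returns the NS host names for `domain`.
    """
    import dns.resolver  # imported here so the rest works without dnspython
    return [str(rr.target) for rr in dns.resolver.resolve(domain, "NS")]


if __name__ == "__main__":
    for domain, result in audit_dns_diversity(SAMPLE_NS_RECORDS).items():
        flag = "SINGLE POINT OF FAILURE" if result["single_point_of_failure"] else "ok"
        print(f"{domain:15} providers={result['providers']} {flag}")
```

In the sample data only `pay.example` passes, because it is the only domain whose nameservers are split across two providers. Adding a second provider also means keeping the zone data synchronised between them, which is worth building into the change process rather than treating as a one-off migration.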
FastPOS malware aimed at retailers
Point-of-Sale (POS) malware is also nothing new. The largest breaches in retail history have been as a result of this type of malware. POS threats follow a common process – collecting, storing and sporadically exfiltrating data. Antivirus could potentially detect the physical file on the infected device, giving retailers the opportunity to mitigate damage from these attacks.
However, a new POS malware variant emerging this busy retail period is different. Rather than storing stolen card data for later extraction, FastPOS malware captures credit card data and exfiltrates it directly to its command and control (C&C) servers. The latest update to this malware is harder for antivirus to detect in part because it eliminates the use of a physical file to store the stolen data. Not only is expedited exfiltration harder to detect, but it also accelerates the potential for profit since the stolen data can be used or sold almost immediately.
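Because FastPOS never writes the captured card data to disk, file-based antivirus has little to inspect; what remains observable is the network egress from the point-of-sale application itself, which should only ever talk to a short list of known destinations. The following is an added example, not code from the original post, that applies that idea to endpoint connection telemetry. The log format, the process name `pos.exe`, the allowlist entries and the destination addresses are all constructed for this example.

```python
"""
Added example: flag outbound connections from the point-of-sale process to
destinations outside its allowlist. Log format, process name and addresses
are constructed; the IPs are RFC 5737 documentation ranges.
"""
from collections import defaultdict

# Constructed endpoint telemetry: "timestamp process dst_ip dst_port bytes_out".
SAMPLE_CONNECTIONS = """\
2016-11-25T09:01:12Z pos.exe 203.0.113.10 443 1840
2016-11-25T09:01:15Z pos.exe 10.20.0.5 8443 620
2016-11-25T09:01:16Z pos.exe 198.51.100.77 80 512
2016-11-25T09:03:40Z pos.exe 198.51.100.77 80 498
2016-11-25T09:05:02Z browser.exe 198.51.100.77 80 3000
2016-11-25T09:06:30Z pos.exe 203.0.113.10 443 1795
"""

# Constructed allowlist: the payment gateway and the in-store back-office server.
ALLOWED_DESTINATIONS = {("203.0.113.10", 443), ("10.20.0.5", 8443)}
POS_PROCESSES = {"pos.exe"}


def parse_connection(line):
    """Parse one telemetry line into a dict."""
    ts, process, dst_ip, dst_port, bytes_out = line.split()
    return {"ts": ts, "process": process, "dst_ip": dst_ip,
            "dst_port": int(dst_port), "bytes_out": int(bytes_out)}


def find_unexpected_egress(log_text, allowed=ALLOWED_DESTINATIONS,
                           pos_processes=POS_PROCESSES):
    """
    Return {"ip:port": {"connections": n, "bytes": total, "first_seen": ts}}
    for every destination the POS process contacted that is not allowlisted.
    Other processes are ignored: the signal is the payment application
    itself talking somewhere new, not general host traffic.
    """
    findings = defaultdict(lambda: {"connections": 0, "bytes": 0, "first_seen": None})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        conn = parse_connection(line)
        if conn["process"] not in pos_processes:
            continue
        if (conn["dst_ip"], conn["dst_port"]) in allowed:
            continue
        key = f"{conn['dst_ip']}:{conn['dst_port']}"
        entry = findings[key]
        entry["connections"] += 1
        entry["bytes"] += conn["bytes_out"]
        entry["first_seen"] = entry["first_seen"] or conn["ts"]
    return dict(findings)


if __name__ == "__main__":
    for dest, info in find_unexpected_egress(SAMPLE_CONNECTIONS).items():
        print(f"{dest}: {info['connections']} connections, "
              f"{info['bytes']} bytes out, first seen {info['first_seen']}")
```

The pattern to look for is exactly what the paragraph above describes: small, repeated transmissions from the POS process shortly after card swipes, rather than one large upload. Enforcing the same allowlist at the store firewall, not just monitoring it, turns the detection into a mitigation.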
POS malware is clearly under active development. To prevent and mitigate damage from such attacks retailers can:
• Conduct audits, penetration testing, assessments and red teaming exercises to understand your risk posture and attack surface.
• Consider POS systems and networks as vital extensions of your enterprise environment; the technology used to protect the enterprise should be leveraged on POS systems and networks where possible and, where it is not possible, comparable alternatives should be sought out.
• Adopt technologies that are becoming more commonplace, such as chip-and-PIN.
• Share intelligence with peers, for example in the form of an ISAC, for the betterment of the industry.
Threat actors will continue to evolve their methods of attacks, improving upon previously successful methods to steal data and cause disruption, particularly during busy periods when the impact is magnified. By being aware of the latest tactics, techniques and procedures (TTPs), organizations can understand how to mitigate damage and thwart cyber criminals’ attempts to wreak havoc during the holidays.