More stories


    Ubisoft, Crytek data posted on ransomware gang's site

    A ransomware gang going by the name of Egregor has leaked data it claims to have obtained from the internal networks of two of today’s largest gaming companies — Ubisoft and Crytek.
    Data allegedly taken from each company has been published on the ransomware gang’s dark web portal on Tuesday.
    Details about how the Egregor gang obtained the data remain unclear.
    Ransomware gangs like Egregor regularly breach companies, steal their data, encrypt files, and ask for a ransom to decrypt the locked data.
    However, in many incidents, ransomware gangs also get caught and kicked out of networks during the data-exfiltration stage, before any files are encrypted. Nevertheless, they still extort the companies, demanding money in exchange for not leaking the stolen files.
    Usually, when negotiations break down, ransomware gangs post a partial leak of the stolen files on so-called leak sites.
    On Tuesday, leaks for both Crytek and Ubisoft were posted on the Egregor portal at the same time, with threats from the ransomware crew to leak more files in the coming days.
    For the Ubisoft leak, the Egregor group shared files to suggest they were in possession of source code from one of the company’s Watch Dogs games. On its web portal, the group touted they were in possession of the source code for the Watch Dogs: Legion game, scheduled to be released later this month. It was, however, impossible to verify that these files came from the new game, rather than an existing release.

    For the past year, security researchers have tried to reach out and notify Ubisoft about several of its employees getting phished, with no results, which may provide a clue as to how the hackers got in.
    But while hackers leaked only 20 MB from Ubisoft, they leaked 300 MB from Crytek, and this data contained a lot more information.
    The Crytek files included documents that appeared to have been stolen from the company’s game development division. These documents contained resources and information about the development process of games like Arena of Fate and Warface, but also Crytek’s old Gface social gaming network.

    Neither Ubisoft nor Crytek responded to emails seeking comment on the leaks. Neither company has reported a major security incident in recent weeks, nor any abnormal or prolonged downtime, suggesting the Egregor intrusion likely didn’t touch cloud or gaming systems but only back-office and corporate networks, where most ransomware incidents do their damage.
    However, in an email interview with ZDNet, the Egregor gang provided more details about the two incidents. The ransomware operators said they breached the Ubisoft network, but only stole data, and did not encrypt any of the company’s files.
    On the other hand, “Crytek has been encrypted fully,” the Egregor crew told ZDNet.
    The Egregor group said that neither company engaged in discussions, despite their intrusions, and no ransom has been officially requested yet.
    “In case Ubisoft will not contact us we will begin posting the source code of upcoming Watch Dogs and their engine,” the group threatened, promising to publish more data in a press release tomorrow.


    US charges QQAAZZ group for laundering money for malware gangs

    The US Department of Justice has unsealed today charges against 14 members of an international money laundering group known as QQAAZZ.

    US authorities said the group has been active since 2016 and operated by advertising its services on Russian-speaking hacker forums.
    There, the group established connections with some of today’s largest malware operations, including the likes of operators of malware botnets like Dridex, Trickbot, and GozNym.
    According to the DOJ, QQAAZZ members operated a large network of bank accounts and money mules that allowed malware gangs to funnel money from hacked accounts to new, clean destinations.
    QQAAZZ members were organized in a business-like hierarchy. Leaders handled customer communications, mid-level managers recruited money mules, and the mules opened bank accounts and picked up cash from ATMs when needed.
    US officials said the group managed a huge network of bank accounts around the world using fake identities and shell companies.
    These accounts would serve as landing spots for funds received from hacks, malware infections, and other cybercrime operations. The money would travel through the QQAAZZ accounts and get converted into cryptocurrency.
    In a digital form, the cryptocurrency would then be passed through a “tumbling” service to anonymize transactions even more, and then the funds would be returned back to the cybercrime groups, with QQAAZZ operators retaining a cut varying from 40% to 50% for their efforts.
    20 arrests made in a transnational operation
    Besides the 14 suspects charged today [indictment PDF], the DOJ said it also charged five others in October 2019 [indictment PDF].
    US authorities said that while charges were filed in the US, this was an international crackdown against the QQAAZZ group, and other criminal prosecutions were initiated in other countries, such as Portugal and Spain.
    Sixteen countries were involved in an international operation against QQAAZZ, which Europol named “Operation 2BaGoldMule.”
    As part of this crackdown, Europol said participant countries carried out more than 40 house searches across Latvia, Bulgaria, the United Kingdom, Spain and Italy, and made 20 arrests.



    Iranian state hacker group linked to ransomware deployments

    Security researchers said they found clues linking recent attacks with the Thanos ransomware to a group of Iranian state-sponsored hackers.


    While investigating security incidents at several prominent Israeli organizations, security researchers from ClearSky and Profero said they linked the intrusions to MuddyWater, a known Iranian state-sponsored hacking group.
    The intrusions followed similar patterns, with two initial-access tactics observed.
    MuddyWater would use phishing emails carrying malicious Excel or PDF documents that, when opened, would download and install a malware strain from the hackers’ servers.
    In the second scenario, MuddyWater would scan the internet for unpatched Microsoft Exchange servers, exploit the CVE-2020-0688 vulnerability (a remote code execution flaw in the Exchange Control Panel that can only be triggered with valid credentials, so the attackers must already hold an account on the target), install a web shell on the server, and then download and install the same malware seen before.
    But ClearSky says this second-stage malware wasn’t just any piece of malicious code, but a strain that has been seen and documented only once before.
    Named PowGoop, this PowerShell-based threat has been seen only once in early September and was used to install the Thanos ransomware, according to a report from fellow security firm Palo Alto Networks. Other Thanos (or Hakbit) ransomware attacks have used other malware strains to deploy the ransomware, namely the ubiquitous GuLoader, a completely different malware strain, written in Visual Basic 6.0.
    In a report shared with ZDNet today, ClearSky says it stopped the intrusions before the attackers could do any harm, but the company is now raising the alarm over all past Thanos ransomware incidents.
    In an interview this week, ClearSky security researchers told ZDNet they believe MuddyWater would have tried to install the Thanos ransomware as a means to hide their attacks and destroy evidence of intrusions by encrypting files on hacked networks.
    The tactic of deploying ransomware to hide intrusions has been used before by other state-sponsored operations and has been well documented.
    Past Thanos ransomware attacks now need to be revisited and searched for evidence in a new light. Was the attack a cybercrime group, or was it Iranian hackers?
    The question needs to be asked because Thanos, which is offered as a Ransomware-as-a-Service, is rented on Russian-speaking hacker forums and is believed to be employed by multiple threat groups.

    But recent versions of the Thanos ransomware also come with a component that rewrites the computer’s MBR and prevents systems from booting. These types of attacks can be extremely disruptive, as systems could be temporarily bricked and might need to be restored from scratch.
    ClearSky researcher Ohad Zaidenberg told ZDNet that he believes MuddyWater dipping its toe into ransomware deployments might also be related to the recent mounting political tensions and back-and-forth cyberattacks between Iran and Israel.
    MuddyWater has a long history of hacks, but most past operations were geared towards very stealthy intelligence collection. Ransomware, in any form, is not stealthy and can be very destructive, especially when threat actors choose not to honor ransom payments and withhold decryption keys, something Zaidenberg says is a real possibility in the current political context.


    Microsoft: CHERI architecture could slash the number of security patches we release a year

    Microsoft has just completed a study of an experimental architecture that it now thinks would have mitigated about two-thirds of the memory-safety vulnerabilities fixed in 2019.  
    As Microsoft has previously outlined, around 70% of the security bugs it has fixed over the past decade have been memory-safety bugs, which occur when software reads or writes memory outside the bounds of the object it was allocated, or keeps using memory after it has been freed.

    The abundance of memory-safety bugs is one reason Microsoft is exploring the Rust programming language as a potential replacement for some Windows components written in C++. As Microsoft recently explained, it’s exploring Rust and other avenues because it’s reaching the limits of what it can do to prevent memory issues. 
    “We need to look out to the industry to see what the best alternative to C++ is. And it turns out that language is a language called Rust,” Microsoft Rust expert Ryan Levick said earlier this year in a talk about systems programming.
    Rewriting old code in another language like Rust is one option. Another option in Microsoft’s “quest to mitigate memory-corruption vulnerabilities” is CHERI or Capability Hardware Enhanced RISC (reduced instruction set computer) Instructions.
    Work on the CHERI Instruction-Set Architectures (ISAs) is underway at Cambridge University in partnership with RISC chip-designer Arm and Microsoft. CHERI has similar goals to Project Verona, Microsoft’s experimental Rust-inspired language development for safe infrastructure programming.
    CHERI “provides memory-protection features against many exploited vulnerabilities, or in other words, an architectural solution that breaks exploits”, said Nicolas Joly, Saif ElSherei, Saar Amar of the Microsoft Security Response Center (MSRC). 
    The group assessed the “theoretical impact” of CHERI on all the memory-safety vulnerabilities that Microsoft received in 2019 and concluded that it would have “deterministically mitigated” at least two-thirds of all those issues. 
    Cambridge University explains that “CHERI extends conventional hardware Instruction-Set Architectures (ISAs) with new architectural features to enable fine-grained memory protection and highly scalable software compartmentalization”.
    Its memory-protection features allow historically memory-unsafe programming languages such as C and C++ to be adapted for protection against widely exploited vulnerabilities.  
    CHERI ISA has the potential to save Microsoft a lot of money in delivering security patches in each month’s Patch Tuesday update, which regularly exceed 100 patches a month.    
    Microsoft is open to the possibility that even when enabling CHERI’s strictest protections, it could be cheaper to make existing code CHERI-compatible than rewriting existing code in a memory-safe language, such as Rust or Project Verona’s Rust-inspired variant.  
    The Microsoft team reviewed the seventh version of CHERI ISA, the latest version of CHERI. The researchers also used CheriBSD, based on the FreeBSD operating system with memory protection and software compartmentalization features supported by the CHERI ISA.
    “We conservatively assessed the percentage of vulnerabilities reported to the Microsoft Security Response Center in 2019 and found that approximately 31% would no longer pose a risk to customers and therefore would not require addressing through a security update on a CHERI system based on the default configuration of the CheriBSD operating system,” the Microsoft researchers wrote in the research paper. 
    With additional mitigations recommended in its research paper, Microsoft also estimates the CHERI protections could have deterministically mitigated nearly half the vulnerabilities the MSRC addressed through a security update in 2019.
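    The paragraphs above say what CHERI achieves but not how. The Python model below is an added example, not code from the MSRC paper or the CHERI project, and it sketches the mechanism in software: a pointer becomes a capability that carries base, length, permission bits and a validity tag; every load and store is checked against them; and a new capability can only be derived with narrower bounds or fewer permissions, never wider ones. The class and exception names, the permission bit values and the 16-byte buffer layout are this example’s illustrative choices rather than CHERI’s real encoding, and the point of the demo is the one the article makes: a nine-byte write into an eight-byte field silently flips an adjacent flag through a plain address, but faults deterministically through a capability.

```python
class CapabilityFault(Exception):
    """Raised on a bounds, permission or tag violation (CHERI traps in hardware)."""


class Capability:
    """Illustrative model of a CHERI capability: an address plus the bounds and
    permissions it may be used with.  Names and bit values are this example's."""
    LOAD, STORE = 1, 2

    def __init__(self, memory, base, length, perms=LOAD | STORE, tag=True):
        self.memory = memory    # bytearray standing in for physical memory
        self.base = base        # first byte this capability may touch
        self.length = length    # bytes from base that are in bounds
        self.perms = perms      # permission bits
        self.tag = tag          # validity tag; a forged capability has tag=False

    def _check(self, offset, size, perm):
        if not self.tag:
            raise CapabilityFault("tag violation: capability is not valid")
        if not self.perms & perm:
            raise CapabilityFault("permission violation")
        if offset < 0 or offset + size > self.length:
            raise CapabilityFault(
                f"bounds violation: [{offset}, {offset + size}) exceeds length {self.length}")

    def load(self, offset, size=1):
        self._check(offset, size, self.LOAD)
        return bytes(self.memory[self.base + offset:self.base + offset + size])

    def store(self, offset, data):
        self._check(offset, len(data), self.STORE)
        self.memory[self.base + offset:self.base + offset + len(data)] = data

    def set_bounds(self, offset, length):
        """Derive a narrower capability; widening is refused (monotonicity)."""
        if offset < 0 or offset + length > self.length:
            raise CapabilityFault("cannot widen bounds")
        return Capability(self.memory, self.base + offset, length, self.perms, self.tag)

    def drop_perms(self, perms):
        """Derive a capability with fewer permissions (e.g. read-only)."""
        return Capability(self.memory, self.base, self.length, self.perms & ~perms, self.tag)


def faults(thunk):
    """True if calling thunk() raises CapabilityFault."""
    try:
        thunk()
    except CapabilityFault:
        return True
    return False


def raw_copy(memory, dst, src):
    """Unchecked copy through a plain integer address, as C's strcpy would do."""
    memory[dst:dst + len(src)] = src


def demo():
    """Constructed layout: an 8-byte name buffer directly followed by an
    8-byte is_admin flag, the shape of a textbook overflow."""
    NAME, FLAG, payload = 0, 8, b"AAAAAAAA\x01"   # 9 bytes into an 8-byte field

    mem = bytearray(16)
    raw_copy(mem, NAME, payload)                 # conventional pointer: silently corrupts
    raw_flag_flipped = mem[FLAG] == 1

    mem2 = bytearray(16)
    name = Capability(mem2, 0, 16).set_bounds(NAME, 8)
    cap_trapped = faults(lambda: name.store(0, payload))   # capability: trapped
    flag_intact = mem2[FLAG] == 0
    return raw_flag_flipped, cap_trapped, flag_intact


if __name__ == "__main__":
    print(demo())   # -> (True, True, True)
```

    Real CHERI performs these checks on every memory access in hardware, with the capability (tag included) stored in registers and memory rather than in a Python object, which is why the MSRC authors can call the mitigation deterministic: the check cannot be skipped by the code being protected.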


    New Emotet attacks use fake Windows Update lures

    In today’s cyber-security landscape, the Emotet botnet is one of the largest sources of malspam — a term used to describe emails that deliver malware-laced file attachments.
    These malspam campaigns are absolutely crucial to Emotet operators.
    They are the base that props up the botnet, feeding new victims to the Emotet machine — a Malware-as-a-Service (MaaS) cybercrime operation that’s rented to other criminal groups.
    To prevent security firms from catching up and marking their emails as “malicious” or “spam,” the Emotet group regularly changes how these emails are delivered and how the file attachments look.
    Emotet operators change email subject lines, the text in the email body, the file attachment type, but also the content of the file attachment, which is as important as the rest of the email.
    That’s because users who receive Emotet malspam, besides reading the email and opening the file, still have to allow the automated scripts embedded in it, called “macros,” to run. A document opened from an email lands in Office’s Protected View, where macros cannot execute; the user first has to click “Enable Editing” to leave Protected View and then “Enable Content” on the security warning bar before any macro runs, which is why the lure’s whole job is to get those clicks.

    Tricking users to enable editing is just as important to malware operators as the design of their email templates, their malware, or the botnet’s backend infrastructure.
    Across the years, Emotet has developed a collection of boobytrapped Office documents that use a wide variety of “lures” to convince users to click the “Enable Editing” button.
    This includes:
    Documents claiming they’ve been created on a different platform (i.e., Windows 10 Mobile, Android, or iOS) and the user needs to enable editing for the content to appear.
    Documents claiming they’ve been compiled in older versions of Office and the user needs to enable editing for the content to appear.
    Documents claiming to be in Protected View and asking the user to enable editing. (Ironically, the Protected View mechanism is the one blocking macros and showing the Enable Editing button/restriction.)
    Documents claiming to contain sensitive or limited-distribution material that’s only visible after the user enables editing.
    Documents showing fake activation wizards and claiming that Office activation has been completed and the user only needs to click enable editing to use Office; and many more.
    But this week, Emotet returned from a recent hiatus with a new document lure.
    File attachments sent in recent Emotet campaigns show a message claiming to be from the Windows Update service, telling users that the Office app needs to be updated. Naturally, this must be done by clicking the Enable Editing button (don’t press it).

    According to an update from the Cryptolaemus group, since yesterday, these Emotet lures have been spammed in massive numbers to users located all over the world.
    Per this report, on some infected hosts, Emotet installed the TrickBot trojan, confirming a ZDNet report from earlier this week that the TrickBot botnet survived a recent takedown attempt from Microsoft and its partners.
    These boobytrapped documents are being sent from emails with spoofed identities, appearing to come from acquaintances and business partners.
    Furthermore, Emotet often uses a technique called conversation hijacking, through which it steals email threads from infected hosts, inserts itself in the thread with a reply spoofing one of the participants, and adding the boobytrapped Office documents as attachments.
    The technique is hard to spot, especially for users who handle business email all day, which is why Emotet so often manages to infect corporate or government networks.
    In these cases, training and awareness are the best defence. Users who work with email regularly should be made aware of the danger of enabling macros in documents, a feature that is very rarely needed for legitimate purposes.
    Knowing what the typical Emotet lure documents look like is also a good start, as users will be able to dodge the most common Emotet tricks when one of these emails lands in their inbox, even from a known correspondent.
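    As an added example (not from the article, Cryptolaemus or any of the researchers quoted), the Python script below performs the one mechanical check that complements the awareness training described above: before a document reaches a user, look inside it for the part that carries VBA macros. It uses only the standard library. OOXML files (.docx, .docm, .xlsx, .xlsm) are zip archives in which the macro project is a part named vbaProject.bin, also declared in [Content_Types].xml; legacy binary .doc/.xls files are OLE2 containers whose streams need a proper OLE parser, so they are simply routed for review here. The attachment names and bytes are constructed for the demonstration.

```python
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                                   # OOXML (.docx/.docm/...) container
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
INNOCENT_EXTENSIONS = {"docx", "xlsx", "pptx"}             # macro-free by convention


def classify_attachment(data):
    """Return 'macros', 'ole2-needs-review', 'clean' or 'not-office' for one attachment."""
    if data.startswith(OLE2_MAGIC):
        # Binary Office files can carry VBA too, but enumerating OLE streams
        # needs a real OLE parser (e.g. oletools), so just route for review.
        return "ole2-needs-review"
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "macros"
            # The content-types manifest declares the VBA part even if renamed.
            if "[Content_Types].xml" in names:
                manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if MACRO_CONTENT_TYPE in manifest:
                    return "macros"
            if any(n.startswith(("word/", "xl/", "ppt/")) for n in names):
                return "clean"
    except zipfile.BadZipFile:
        pass
    return "not-office"


def extension_mismatch(name, verdict):
    """Flag a macro-bearing file wearing an extension that implies no macros."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return verdict == "macros" and ext in INNOCENT_EXTENSIONS


def _ooxml(parts):
    """Build a minimal OOXML zip in memory from {part_name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for part, content in parts.items():
            zf.writestr(part, content)
    return buf.getvalue()


_CT_CLEAN = ('<?xml version="1.0"?><Types>'
             '<Override PartName="/word/document.xml" ContentType="application/vnd.'
             'openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>')
_CT_MACRO = _CT_CLEAN.replace(
    "</Types>",
    '<Override PartName="/word/vbaProject.bin" ContentType="%s"/></Types>' % MACRO_CONTENT_TYPE)

# Constructed stand-ins for attachments; no real Emotet sample is used.
SAMPLES = {
    "invoice.docx": _ooxml({"[Content_Types].xml": _CT_CLEAN,
                            "word/document.xml": "<w:document/>"}),
    "Windows_Update.docm": _ooxml({"[Content_Types].xml": _CT_MACRO,
                                   "word/document.xml": "<w:document/>",
                                   "word/vbaProject.bin": b"\x00" * 64}),
    "RE_report.docx": _ooxml({"[Content_Types].xml": _CT_MACRO,
                              "word/document.xml": "<w:document/>",
                              "word/vbaProject.bin": b"\x00" * 64}),
    "old_form.doc": OLE2_MAGIC + b"\x00" * 504,
    "notes.txt": b"plain text, nothing to see",
}


def triage(samples=SAMPLES):
    """Map attachment name -> (verdict, extension_hides_macros)."""
    out = {}
    for name, data in samples.items():
        verdict = classify_attachment(data)
        out[name] = (verdict, extension_mismatch(name, verdict))
    return out


if __name__ == "__main__":
    for name, (verdict, hidden) in triage().items():
        print(f"{verdict:18} {name}" + ("  <- macros behind a .docx extension" if hidden else ""))
```

    The extension check matters because Word opens a macro-enabled document regardless of whether it is named .docm or .docx, so a filter that only looks at file names is easy to defeat; the container contents are what count.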
    The original article closes with a gallery of the most popular Emotet document lures, from a list shared with ZDNet by security researcher @ps66uk. (Images credited to Cryptolaemus, Sophos and to researchers @pollo290987, @ps66uk, @JAMESWT_MHT, @Myrtus0x0 and @catnap707 on Twitter.)


    Cyberattack on London council still having 'significant impact'

    Hackney Council in London has said that a cyberattack earlier this week is continuing to have a “significant impact” on its services.
    Earlier this week, the north London council said it had been the target of a serious cyberattack, which was affecting many of its services and IT systems.


    “The attack is continuing to have a significant impact on council services and we ask residents to not contact us unless absolutely necessary,” it said.
    In an update on the situation the council said that its staff are working with the National Cyber Security Centre, National Crime Agency, external experts and the Ministry of Housing, Communities and Local Government to investigate and understand the impact of the cyberattack on its servers. It has also reported the incident to the Information Commissioner’s Office.
    “We understand that residents will be anxious about the risk to their data, and we are working closely with the ICO, police agencies and other experts. We are committed to sharing further information about this as soon as we can, including what, if any, actions residents may need to take,” the council said.
    The nature of the cyberattack, when it happened and what services are affected, is still unclear.
    The council said that it was learning more about the attack but said it had decided not to share any more information at this stage “in order to make sure we do not inadvertently assist the attackers”. 
    Earlier this year, a cyberattack on Redcar & Cleveland Borough Council caused significant problems and costs for the authority.


    What is a DDoS attack? Everything you need to know about Distributed Denial-of-Service attacks and how to protect against them

    What is a DDoS attack?
    A distributed denial-of-service attack (DDoS attack) sees an attacker flooding the network or servers of the victim with a wave of internet traffic so big that their infrastructure is overwhelmed by the number of requests for access, slowing down services or taking them fully offline and preventing legitimate users from accessing the service at all.
    While a DDoS attack is one of the least sophisticated categories of cyberattack, it also has the potential to be one of the most disruptive and most powerful by taking websites and digital services offline for significant periods of time that can range from seconds to even weeks at a time.


    How does a DDoS attack work?
    DDoS attacks are carried out using a network of internet-connected machines – PCs, laptops, servers, Internet of Things devices – all controlled by the attacker. These could be anywhere (hence the term ‘distributed’) and it’s unlikely the owners of the devices realise what they are being used for as they are likely to have been hijacked by hackers.
    Common ways in which cyber criminals take control of machines include malware attacks and gaining access by using the default user name and password the product is issued with – if the device has a password at all. 
    Once the attackers have breached the device, it becomes part of a botnet – a group of machines under their control. Botnets can be used for all manner of malicious activities, including distributing phishing emails, malware or ransomware, or in the case of a DDoS attack, as the source of a flood of internet traffic.
    The size of a botnet can range from a relatively small number of zombie devices, to millions of them. Either way the botnet’s controllers can turn the web traffic generated towards a target and conduct a DDoS attack.
    Servers, networks and online services are designed to cope with a certain amount of internet traffic but, if they’re flooded with additional traffic in a DDoS attack, they become overwhelmed. The high amounts of traffic being sent by the DDoS attack clogs up or takes down the systems’ capabilities, while also preventing legitimate users from accessing services (which is the ‘denial of service’ element).
    A DDoS attack is launched with the intention of taking services offline in this way, although it’s also possible for online services to be overwhelmed by regular traffic by non-malicious users – for example, if hundreds of thousands of people are trying to access a website to buy concert tickets as soon as they go on sale. However, this is usually only short, temporary and accidental, while DDoS attacks can be sustained for long periods of time.

    What is an IP stresser and how does it relate to DDoS attacks?
    An IP stresser is a service that can be used by organisations to test the robustness of their networks and servers. The goal of this test is to find out if the existing bandwidth and network capacity are enough to handle additional traffic. An IT department using a stresser to test their own network is a perfectly legitimate application of an IP stresser.
    Using an IP stresser against a network that you don’t operate, however, is illegal in many parts of the world, because the end result is in effect a DDoS attack; and there are cyber-criminal groups and individuals that actively use IP stressers to launch exactly such attacks.
    What was the first DDoS attack?
    What’s widely regarded as the first malicious DDoS attack occurred in July 1999 when the computer network at the University of Minnesota was taken down for two days.
    A network of 114 computers infected with Trin00 malware all directed their traffic at a computer at the university, overwhelming the network and blocking legitimate use. No effort was made to hide the IP addresses of the computers launching the traffic, and the owners of the attacking systems had no idea their machines were infected and were causing an outage elsewhere.
    Trin00 might not have been a large botnet, but it’s the first recorded incident of attackers taking over machines that didn’t belong to them and using their traffic to disrupt a particular target’s network. And in the two decades since, DDoS attacks have only become bigger and more disruptive.
    Famous DDoS attacks: MafiaBoy – February 2000
    The world didn’t have to wait long after the University of Minnesota incident to see how disruptive DDoS attacks could be. By February 2000, 15-year-old Canadian Michael Calce – online alias MafiaBoy – had managed to take over a number of university networks, roping a large number of computers into a botnet.
    He used this for a DDoS attack that took down some of the biggest websites at the start of the new millennium, including Yahoo! – which at the time was the biggest search engine in the world – eBay, Amazon, CNN, and more. 
    Calce was arrested and served eight months in a youth detention centre after pleading guilty to the charges against him. He was also fined C$1,000 ($660) for conducting the attacks – which are estimated to have caused over $1.7 billion in damages – and went on to become a computer security analyst.
    Famous DDoS attacks: Estonia – April 2007
    By the mid 2000s, it was apparent that DDoS attacks could be a potent tool in the cyber-criminal arsenal, but the world was about to see a new example of how disruptive DDoS attacks could be; by taking down the internet services of an entire country.
    In April 2007, Estonia was – and still is – one of the most digitally advanced countries in the world, with almost every government service accessible online to the country’s 1.3 million citizens through an online ID system.
    But from 27 April, Estonia was hit with a series of DDoS attacks disrupting all online services in the country, as well as parliament, banks, ministries, newspapers and broadcasters. People weren’t able to access the services they needed on a daily basis.
    Attacks were launched on multiple occasions, including during a particularly intense period of 24 hours on 9 May – the day Russia celebrates Victory in Europe day for World War II, before eventually falling away later in the month.
    The DDoS campaigns came at a time when Estonia was involved in a political dispute with Russia over the relocation of a Soviet statue in Tallinn. 
    Some members of Estonian leadership have accused Russia of orchestrating the attacks, something that the Kremlin has always denied.

    Famous DDoS attacks: Spamhaus – March 2013
    The Spamhaus Project’s goal is to track the activity of spammers on the web in order to help internet providers and email services with a real-time list of common spam emails, posts and messages in order to prevent users from seeing them and potentially being scammed.
    But in March 2013, Spamhaus itself fell victim when traffic peaking at roughly 300 gigabits per second (Gbps) was directed at it in what was at the time the biggest DDoS attack ever recorded, and one that lasted for almost two weeks. The volume was achieved by DNS amplification: small spoofed queries sent to open DNS resolvers, which returned much larger answers to Spamhaus’s addresses.
    Cloudflare dubbed it ‘the DDoS that almost broke the internet’ after the web-infrastructure and web-security company stepped in to mitigate the attack against Spamhaus – and then found the attackers trying to take Cloudflare itself offline. The impact went well beyond the two targets, because the sheer volume caused congestion across the wider internet.
    Famous DDoS attacks: Mirai – October 2016
    In probably the most famous DDoS attack to date, the Mirai botnet took down vast swathes of online services across much of Europe and North America. News websites, Spotify, Reddit, Twitter, the PlayStation Network and many other digital services were either slowed down to a crawl or completely inaccessible to millions of people. Fortunately, the outages lasted for less than one day.
    Described as the biggest online blackout in history, the downtime was caused by a DDoS attack against Dyn, the domain name system provider for hundreds of major websites; when Dyn’s name servers could not answer, the sites themselves became unreachable even though they were up. The attack was explicitly designed to overload Dyn’s capacity.
    What made the attack so powerful was that the Mirai botnet had taken control of hundreds of thousands of IoT devices, including cameras, routers and digital video recorders, often just by brute-forcing default credentials, if the devices had a password at all. While the traffic generated by an individual IoT device is small, the sheer number of devices was overwhelming to Dyn. And Mirai still lives on: its source code was published in 2016 and variants continue to circulate.

    How do I know if I’m under DDoS attack?
    Any business or organisation that has a web-facing element needs to think about the regular web traffic it receives and provision for it accordingly; large amounts of legitimate traffic can overwhelm servers, leading to slow or no service, something that could potentially drive customers and consumers away.
    But organisations also need to be able to differentiate between legitimate web traffic and DDoS attack traffic.
    Capacity planning is, therefore, a key element of running a website, with thought put into determining what’s an expected, regular amount of traffic and what unusually high or unanticipated volumes of legitimate traffic could look like, so as to avoid causing disruption to users – either by taking out the site due to high demands, or mistakenly blocking access due to a DDoS false alarm.
    So how can organisations differentiate between a legitimate increase in demand and a DDoS attack?
    In general, an outage caused by legitimate traffic will only last for a short period of time and often there is an obvious reason for it, such as an online retailer experiencing high demand for a new item, or a new video game’s online servers getting very high traffic from gamers eager to play.
    But in the case of a DDoS attack, there are some tell-tale signs that it’s a malicious and targeted campaign. Often DDoS attacks are designed to cause disruption over a sustained period of time, which could mean sudden spikes in malicious traffic at intervals causing regular outages.
    The other key sign that your organisation has likely been hit with a DDoS attack is that services suddenly slow down or go offline for days at a time, which would indicate the services are being targeted by attackers who just want to cause as much disruption as possible. Some of these attackers might be doing it just to cause chaos; some may be paid to attack a particular site or service. Others might be trying to run some kind of extortion racket, promising to drop the attack in exchange for a pay-off.
    What do I do if I’m under DDoS attack?
    Once it’s become clear that you’re being targeted by DDoS attack, you should piece together a timeline of when the problems started and how long they’ve been going on for, as well as identifying which assets like applications, services and servers are impacted – and how that’s negatively impacting users, customers and the business as a whole.
    It’s also important that organisations notify their web-hosting provider – it’s likely that they will have also seen the DDoS attack, but contacting them directly may help curtail the impacts of a DDoS campaign – especially if it’s possible for the provider to switch your IP address. Switching the IP to a new address will mean that the DDoS attack won’t have the impact it did because the attack will be pointing in the wrong direction.
    If your security provider offers a DDoS mitigation service, it should help reduce the impact of the attack, but as attacks like Mirai have shown, especially large attacks can still cause disruption despite the presence of preventative measures. The unfortunate thing about DDoS attacks is that while they’re very simple to conduct, they’re also very effective, so even with measures in place it’s still possible that services could be taken offline for some time.
    It’s also important to notify users of the service about what is happening, because otherwise they could be left confused and frustrated by a lack of information. Businesses should consider putting up a temporary site explaining that there are problems and provide users with information they should follow if they need the service. Social-media platforms like Twitter and Facebook can also be used to promote this message.
    How do I protect against DDoS attacks?
    What makes DDoS attacks effective is the ability to direct a large amount of traffic at a particular target. If all of an organisation’s online resources are in one location, the attackers only need to go after one particular target to cause disruption with large amounts of traffic. If possible, it’s therefore useful to spread systems out, so it’s more difficult – although not impossible – for attackers to direct resources towards everything at once.

    Monitoring web traffic and having an accurate idea about what regular traffic looks like, and what is abnormal traffic, can also play a vital role in helping to protect against or spotting DDoS attacks. Some security personnel recommend setting up alerts that notify you if the number of requests is above a certain threshold. While this might not necessarily indicate malicious activity, it does at least provide a potential early warning that something might be on the way.
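    As an added illustration that is not part of the original article, the following script applies the two ideas above to constructed access-log lines: a request-rate alert against a baseline of regular traffic, and the distinction between a short legitimate spike and the sustained or recurring spikes that suggest a DDoS. The log format, the median-based baseline and the 5x / 5-minute thresholds are assumptions, not settings the article specifies.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

# Assumed log format (constructed for this example): "<ISO timestamp> <client ip> <path>"


def requests_per_minute(log_lines):
    """Count requests per one-minute bucket."""
    counts = Counter()
    for line in log_lines:
        stamp = line.split(" ", 1)[0]
        minute = datetime.fromisoformat(stamp).replace(second=0, microsecond=0)
        counts[minute] += 1
    return counts


def flag_windows(counts, multiplier=5):
    """Alert on any minute exceeding multiplier x the median minute (the
    'regular traffic' baseline). Returns (flagged minutes, threshold)."""
    threshold = median(counts.values()) * multiplier
    return sorted(m for m, c in counts.items() if c > threshold), threshold


def classify(flagged_minutes, sustained_minutes=5):
    """Group flagged minutes into runs of consecutive minutes. A single
    over-threshold minute looks like a legitimate spike; a run lasting
    sustained_minutes or longer, or several separate runs, is DDoS-like."""
    runs = []
    for m in flagged_minutes:
        if runs and m - runs[-1][-1] == timedelta(minutes=1):
            runs[-1].append(m)
        else:
            runs.append([m])
    if not runs:
        return "normal"
    if max(len(r) for r in runs) >= sustained_minutes or len(runs) > 1:
        return "ddos-like"
    return "short spike"


def analyse(log_lines):
    counts = requests_per_minute(log_lines)
    flagged, threshold = flag_windows(counts)
    return classify(flagged), threshold, flagged


def build_sample_log():
    """Constructed sample: 20 req/min baseline, a one-minute legitimate burst
    of 120 at minute 10, then a sustained 300 req/min flood in minutes 20-27."""
    start, lines = datetime(2020, 10, 13, 12, 0), []
    for i in range(30):
        n = 120 if i == 10 else 300 if 20 <= i <= 27 else 20
        for k in range(n):
            ts = start + timedelta(minutes=i, seconds=(k * 60) // n)
            lines.append(f"{ts.isoformat()} 203.0.113.{k % 50} /index.html")
    return lines
```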
    It’s also useful to plan for scale and spikes in web traffic, which is something that using a cloud-based hosting provider can aid with.
    Firewalls and routers can play an important role in mitigating the potential damage of a DDoS attack. If configured correctly, they can deflect bogus traffic by analysing it as potentially dangerous and blocking it before it arrives. However, it’s also important to note that for this to be effective, firewall and security software needs to be patched with the latest updates.
    Using an IP stresser service can be an effective way of testing your own bandwidth capability. There are also specialist DDoS mitigation service providers that can help organisations deal with a sudden large upsurge in web traffic, helping to prevent damage by attacks.
    What is a DDoS mitigation service?
    DDoS attack mitigation services protect the network from DDoS attacks by re-routing malicious traffic away from the network of the victim. High profile DDoS mitigation service providers include Cloudflare, Akamai, Radware and many others.
    The first job of a mitigation service is to be able to detect a DDoS attack and distinguish what’s actually a malicious event from what’s just a regular – if unusually high – volume of traffic.
    Common means of DDoS mitigation services doing this include judging the reputation of the IP the majority of traffic is coming from. If it’s from somewhere unusual or known to be malicious, it could indicate an attack – while another way is looking out for common patterns associated with malicious traffic, often based on what’s been learned from previous incidents.
    Once an attack has been confirmed as genuine, a DDoS protection service will respond by absorbing and deflecting the malicious traffic as much as possible. This is helped along by splitting the traffic into manageable chunks, which eases the mitigation process and helps prevent denial of service.
    How do I choose a DDoS mitigation service?
    Like any IT procurement, choosing a DDoS mitigation service isn’t as simple as just selecting the first solution that appears. Organisations will need to choose a service based on their needs and circumstances. For example, a small business probably isn’t going to have any reason to fork out for the DDoS mitigation capabilities required by a global conglomerate.
    However, if the organisation looking for a DDoS mitigation service is a large business, then they’re probably correct to look at large overflow capacities to help mitigate attacks. Looking at a network that has two or three times more capacity than the largest attacks known to date should be more than enough to keep operations online, even during a large DDoS attack.
    While DDoS attacks can cause disruption from anywhere in the world, the geography and location of a DDoS mitigation service provider can be a factor. A European-based company could have an effective US DDoS protection provider, but if that provider doesn’t have servers or scrubbing centres based in Europe, the latency of the response time could prove to be a problem, especially if it causes a problem for re-routing traffic.
    When deciding on a service provider, organisations should, therefore, consider whether the DDoS protection network will be effective in their region of the world. For example, a European company should probably consider a DDoS mitigation provider with a European scrubbing centre to help remove or redirect malicious traffic as quickly as possible.
    However, despite all the ways to potentially prevent a DDoS attack, sometimes attackers will still be successful anyway – because if attackers really want to take down a service and have enough resources, they’ll do their best to succeed. But if an organisation is aware of the warning signs of a DDoS attack, it’s possible to be prepared for when it happens.

    Barnes & Noble confirms cyberattack, suspected customer data breach

    Barnes & Noble has confirmed a cyberattack impacting Nook services and potentially exposing customer data. 

    The US bookseller stocks over one million titles at any one time for distribution worldwide. As ebooks emerged as an alternative to traditional literature, in 2009, the company launched the Nook service, an ebook reader and storage platform. 
    Over the weekend, as reported by Bleeping Computer, Barnes & Noble customers complained across social media of outages. Some customers were unable to access their Nook libraries, others found their previous purchases had vanished into thin air or were not able to log in to the firm’s online platform, and connectivity problems when sending or loading new books were widespread.
    As noted by The Register, the outage also spread to physical outlets, where it appeared that some cash registers were also “briefly” unable to function. 
    This prompted speculation that the disruption could be due to a malware infection, as when Point-of-Sale (PoS) systems become involved, the issue may not merely be due to a backend or server glitch. 
    The bookseller partially restored its systems by Tuesday, but it was not until Wednesday that Nook publicly acknowledged customer access and Nook service issues.  
    Nook said at the time that a “system failure” was at fault and engineers were working hard to “get all Nook services back to full operation.”
    “Unfortunately, it has taken longer than anticipated,” Nook continued. “We sincerely apologize for this inconvenience and frustration.”
    Now, Barnes & Noble has confirmed to customers that cyberattackers caused the service disruption. 
    In an email, the bookseller said that on October 10, Barnes & Noble was the victim of an intrusion, leading to “unauthorized and unlawful access to certain Barnes & Noble corporate systems.”
    Customer email addresses, billing and shipping addresses, telephone numbers, and transaction histories may have been exposed during the breach.
    “We currently have no evidence of the exposure of any of this data, but we cannot at this stage rule out the possibility,” the company added. 
    However, the bookseller emphasizes that no financial data, “encrypted and tokenized” as a security measure, was taken or available to the threat actors.
    The firm has not disclosed how many customers may be impacted by the suspected data breach. Barnes & Noble warns that as email addresses have been leaked, they may be used in phishing campaigns.
    While the details of the cyberattack are yet to be made public, it is possible that ransomware could be at the heart of the incident. Bad Packets told BleepingComputer that the bookseller’s VPN servers were previously vulnerable to CVE-2019-11510, an arbitrary file-read vulnerability.
    Security flaws like this can be used to compromise corporate networks and deploy payloads, including ransomware. In recent months, AG and the Duesseldorf University Hospital have experienced severe ransomware attacks. 