Attacks/Breaches
6/10/2014
11:30 AM
Sara Peters
Quick Hits

Zeus Being Used In DDoS, Attacks On Cloud Providers

The popular Zeus crimeware kit is being used for more than just financial fraud and data theft.

The Prolexic Security Engineering and Response Team (PLXSert) has released a threat advisory outlining new payloads from the Zeus toolkit that it has seen in the wild. In addition to the data theft and financial fraud Zeus is known for, PLXSert has discovered Zeus being used in crypto-currency mining, spam, distributed denial-of-service (DDoS) attacks, and attacks customized for specific PaaS and SaaS infrastructure.

According to the report, "Although Zeus/Gameover version reportedly introduced DDoS capabilities, PLXSert has no evidence that the Zeus framework kit can orchestrate significant DDoS campaigns by itself, but if combined with other DDoS toolkits, the capabilities of the Zeus framework would enable malicious actors to use it as a powerful DDoS botnet builder."

PLXSert has already seen Zeus being used in tandem with popular DDoS kits, including Drive, a variant of Dirt Jumper. The researchers have also seen attackers targeting cloud-based applications through PaaS and SaaS infrastructures. They say that "well-known SaaS/PaaS vendors" have been targeted, but they do not name those vendors.

"By targeting SaaS/PaaS," the report reads, "cybercriminals take advantage of the resources of both the end users and the providers. The providers' defense technologies allow the attackers the advantage of gaining anonymity behind the providers' cloud-based infrastructure."
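The advisory describes Zeus bots being paired with a DDoS kit such as Drive to flood a target. One of the simplest server-side signals for that kind of flood is the request rate per client. The block below is an added example written for this page, not code from PLXSert, Prolexic or the article: a Python sliding-window rate check over constructed access-log lines. The log format, the 10-second window, the 30-request threshold and the sample addresses are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" log format. The regex and field names are assumptions
# for this example, not anything taken from the PLXSert advisory.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_flood_sources(lines, window_seconds=10, max_requests=30):
    """Sliding-window request-rate check per client IP.

    Lines are assumed to arrive in time order, as a live log does. Returns
    {ip: peak_requests_inside_one_window} for every client that exceeded
    max_requests within window_seconds at any point.
    """
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # malformed line: skip rather than crash
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (q[-1] - q[0]).total_seconds() > window_seconds:
            q.popleft()             # drop timestamps that fell out of the window
        if len(q) > max_requests:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return peaks


def _line(ip, second, path):
    return (f'{ip} - - [10/Jun/2014:11:30:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')


# Constructed sample traffic (not captured data): one ordinary visitor at one
# request per second and one bot hitting the login page eight times per second.
SAMPLE_LOG = []
for sec in range(10):
    SAMPLE_LOG.append(_line("198.51.100.7", sec, "/index.html"))
    SAMPLE_LOG.extend(_line("203.0.113.10", sec, "/login") for _ in range(8))
SAMPLE_LOG.append(_line("198.51.100.8", 9, "/about.html"))
SAMPLE_LOG.append("garbage line that does not parse")


def scan_sample():
    return find_flood_sources(SAMPLE_LOG)


if __name__ == "__main__":
    for ip, peak in scan_sample().items():
        print(f"{ip}: {peak} requests inside a 10 s window")
```

The report's point about attackers gaining anonymity behind a provider's infrastructure cuts both ways: legitimate users behind a shared NAT or proxy also collapse onto one address, so a per-IP rate threshold is a triage signal, not a blocking decision on its own. Combine it with the paths and user agents the parser already captures before acting on it.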

See the full report here.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Robert McDougal, User Rank: Ninja
6/11/2014 | 10:02:45 AM
Re: Zeus Impact
This probably isn't earth-shattering news for anyone, but the best way to combat Zeus is to avoid initial infection. Zeus primarily propagates via email and drive-by downloads; therefore a combination of spam filtering, user education, web filtering, and updated security patches is the best defense.

Spam filtering (Proofpoint, Barracuda, etc.) is great at stopping the vast majority of Zeus emails, however not all of them. This is where user education comes into play. Enterprises must educate their users on what to look for in their emails to prevent them from clicking links or opening infected attachments.

Just as with spam filtering, web filtering will block the majority of Zeus-compromised sites, however not all. Since most drive-by download infections take advantage of known security vulnerabilities, this is where having up-to-date security patches will save you.

As with anything, there are exceptions, but this recipe should prevent a large number of Zeus and other infections.
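The two things the comment above leaves to user education, spotting a disguised executable attachment and a link whose text does not match where it goes, can also be checked mechanically at the mail gateway. The following is an added example written for this page, not code from the commenter or from any product named in the thread: it parses a constructed phishing lure with Python's standard email module and flags executables inside a zip attachment and links whose visible text names a different host than the href. The sample message, the domains and addresses in it, and the extension list are assumptions.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions Windows will run directly. A "document" ending in one of these
# (Invoice.pdf.exe) is the classic lure for a Zeus-style dropper. Assumed list.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar")


def is_executable_name(name):
    return name.lower().endswith(EXEC_EXTS)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(text):
    """Hostname of a URL, or of bare 'www.example.com'-style link text."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def inspect_message(msg):
    """Return [(finding, detail), ...] for a parsed email.message.EmailMessage."""
    findings = []
    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            if is_executable_name(fname):
                findings.append(("executable_attachment", fname))
            elif fname.lower().endswith(".zip"):
                try:
                    with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                        for member in zf.namelist():   # listing needs no password
                            if is_executable_name(member):
                                findings.append(("executable_in_archive", f"{fname}:{member}"))
                except zipfile.BadZipFile:
                    findings.append(("corrupt_archive", fname))
        elif part.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                # Visible text that looks like a hostname but points somewhere else.
                if href and re.search(r"[a-z0-9-]+\.[a-z]{2,}", text, re.I) \
                        and _host(text) != _host(href):
                    findings.append(("link_text_mismatch", f"{text} -> {href}"))
    return findings


def scan_raw_message(raw_bytes):
    return inspect_message(email.message_from_bytes(raw_bytes, policy=policy.default))


def build_sample_lure():
    """Constructed phishing message (not a real capture): a zip holding a
    double-extension executable plus a link whose text imitates a bank host."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2014-06.pdf.exe", b"MZ not a real binary")
    msg = EmailMessage()
    msg["From"] = "billing@example.net"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Your invoice is attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_alternative(
        '<p>Review it online at <a href="http://198.51.100.20/inv">secure.bank.example</a></p>',
        subtype="html")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Invoice.zip")
    return msg.as_bytes()


def scan_sample():
    return scan_raw_message(build_sample_lure())


if __name__ == "__main__":
    for finding, detail in scan_sample():
        print(f"{finding}: {detail}")
```

Nested archives are not unpacked here, and an encrypted zip still lists its member names, so the double-extension check works on it too. Running the block prints the two findings for the constructed lure; scan_sample() returns them for use from other code.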
Marilyn Cohodas, User Rank: Strategist
6/11/2014 | 7:03:49 AM
Re: Zeus Impact
@Robert McDougal -- How are you dealing with Zeus today? Any practical suggestions you care to share with the Dark Reading community?
Robert McDougal, User Rank: Ninja
6/10/2014 | 5:09:00 PM
Re: Zeus Impact
I wish that the disruption effort would have a positive effect, but I highly doubt it will in the long run.  Zeus has been around in one form or another since 2007.  Since that time it has evolved and forked into the thorny creation we have to deal with today.  I suspect that it will continue to do so for the foreseeable future.
Christian Bryant, User Rank: Ninja
6/10/2014 | 3:14:55 PM
Re: Zeus Impact
@Sara Peters

I tend to agree with the comments on the Tovar article that while optimism is ideal, this may be a test bed for future initiatives. I admire the tactics and strategy, but here is the one flaw I see in this, and that is the need to be more like the cyber criminals in question.

Like guerrilla warfare, when turning the predictability off and removing public access to strategy details, I think we could do with some government and state law enforcement "black hatting". That is, writing software that is vicious and destructive to the cyber criminals' resources, getting on the offensive and attacking first.

It may sound more like a novel setup, but destroying access to money, to systems, to networks and other resources repeatedly, as often as they are obtained, is as valid a challenge to their activity as a defense against their attacks on our end is. I often feel we aren't hard enough on cyber crime because many of the folks that write the laws and initial responses aren't tech savvy.

But all one has to do is look at the result of how it can devastate the average person's livelihood, and then we realize we simply can't allow it to happen. The drain on our economy is massive; the global drain even more so. Money aside, attacking our power infrastructure and nuclear programs? Unforgivable. We need to fight harder and fight dirty.
Sara Peters, User Rank: Author
6/10/2014 | 1:25:53 PM
Re: Zeus Impact
@christianabryant  Thanks for the info. Do you think that the big effort to disrupt GOZeus will make any dent on the Zeus business, or is it basically going to return to business as usual?
Christian Bryant, User Rank: Ninja
6/10/2014 | 12:27:43 PM
Zeus Impact
Zeus is definitely one of the more concerning kits. Microsoft led a few attacks on Zeus servers (2012 and 2013 saw some great news items, including MS teaming with US Marshals to bring down a Zeus operation) and Zeus was named by Microsoft as one of the more troubling kits out there, calling it out in papers related to last year's MS cybercrime initiatives. It also has some deadly variants, one of which is the mobile variant ZitMo (born roughly 2010), which I expect to see much more on in the news this year.