
Singapore faced cyber attacks during Trump-Kim summit


Mach1


Russian attackers allegedly scanned IP phones in the city-state for vulnerabilities although it was unclear what they were after or whether they were successful

Russian hackers were hard at work during the Trump-Kim summit in Singapore last week, scanning internet-of-things (IoT) devices such as IP phones in the city-state for loopholes to be exploited, according to research by F5’s threat intelligence team.

From June 11 to June 12, the period immediately preceding and following the closely watched meeting between US president Donald Trump and North Korean leader Kim Jong Un, 92% of the incursions were reconnaissance scans looking for vulnerable devices while the remaining 8% were exploit attacks.

Russian IP addresses made up 34% of the attack sources, followed by China, US, France and Italy – all of which launched between 2.5 to 3 times fewer attacks than Russia.

Nearly all attacks launched from Russia during this period were targeted at Singapore which received 4.5 times more attacks than the US or Canada. It was unclear what the attackers were after or whether they were successful.

In a blog post, the F5 researchers said the attackers targeted the non-encrypted SIP (session initiation protocol) port 5060, which received 25 times more attacks than port 23, the second-most targeted port. No malware was associated with the attacks against Singapore.

“It is unusual to see port 5060 as a top attack destination port. Our assumption is that the attackers were trying to gain access to insecure phones or perhaps the VoIP [voice over IP] server. Attacks against this port haven’t been in the news since 2011 when the SIPVicious VoIP tool was popular,” they added.

The attackers also took aim at port 7547, a network port used by internet service providers to remotely manage routers using a protocol that was also used by the Mirai malware.

The researchers said if devices in Singapore had this port open, and were protected with default administrator credentials, it is likely the attackers could have accessed those devices and used man-in-the-middle attacks to collect data and redirect traffic.

While F5 could not ascertain if the attacks were state sponsored, the researchers noted that “it is common knowledge that the Russian government has many contractors within Russia doing their bidding, and that a successful attack on a target of interest would make its way through to the Kremlin”.

The security of IoT devices has been under the spotlight following major attacks unleashed by the Mirai and Satori botnets that exploited security vulnerabilities of internet-connected devices such as routers and gateways.

Some security experts are advocating the use of blockchain to secure IoT devices, by enabling device networks to protect themselves in other ways – such as allowing devices to form group consensus about what is normal within a network, and to quarantine any nodes that behave unusually.

Others have called for a multi-layer approach towards IoT security – by encrypting data at-rest and in-transit, profiling connections between an IoT device and its gateway, and using tokens to enable specific uses, among other measures.

Amid rising concerns over IoT security, Singapore’s minister in charge of the country’s smart nation initiative Vivian Balakrishnan had recently called for the need to build security into IoT products and services from the onset, rather than as an afterthought.

“Having smart cooling systems and manufacturing systems also makes them extremely vulnerable. You lose privacy and security, and worse, they become available to both state and non-state actors to sabotage critical public infrastructure,” he said at IoT Asia in March 2018. “This is a deep field which requires intimate knowledge of technology, programming and design.”

source

 

Link to comment
Share on other sites

4 hours ago, DonyMach1 said:

Russian IP addresses made up 34% of the attack sources, followed by China, US, France and Italy – all of which launched between 2.5 to 3 times fewer attacks than Russia

 

LOL, like no one can change their IP addresses :D It's no wonder @knowledge gets sick of Russians being blamed for everything :wub:

Link to comment
Share on other sites

16 minutes ago, Rickta said:

 

LOL, like no one can change their IP addresses :D It's no wonder @knowledge gets sick of Russians being blamed for everything :wub:

It is sad that people think Russia does all the wrong things.

I use things like connecting to remote computers in the UK, US and more. Why would Russia not hide its IP?

Why would Russia attack during the Trump-Kim summit? I think the Trump-Kim summit was a good thing; it seemed fine? This must be lies. Maybe it's the 1st time I've seen this.

 

 

Link to comment
Share on other sites

2 minutes ago, knowledge said:

It is sad that people think Russia does all the wrong things.

 

Just more fake fake news. It's all getting tiresome for me too. Have a nice day, brother :D

Link to comment
Share on other sites

17 minutes ago, Rickta said:

 

LOL, like no one can change their IP addresses :D It's no wonder @knowledge gets sick of Russians being blamed for everything :wub:

What is real?

Russian IP addresses made up 34%

Fox News says it was 88% of Russian IPs?

https://www.msn.com/en-us/video/news/cyberattacks-in-singapore-amidst-noko-summit/vi-AAyHzks

Seems all made-up things, I think?

Link to comment
Share on other sites

1 minute ago, Rickta said:

Agreed

One says 34% and one says 88%. Who really knows this info? Seems no one. They all must keep to the same story :P

Link to comment
Share on other sites

1 hour ago, Rickta said:

It's no wonder @knowledge gets sick of Russians being blamed for everything

Why don't we all?   ;)

 

Thank you.  :flowers:

1 hour ago, knowledge said:

It is sad that people think Russia does all the wrong things.

Of course.  Name one country that'll be happy being blamed for everything -- day in day out.   :(

Link to comment
Share on other sites

It is an interesting topic, I think, when you look at the countries.

June 12, 2018 Attacks

Approximately 40,000 attacks were launched between 3:00 p.m. UTC on 6/11/2018, and lasted through 12:00 p.m. UTC on 6/12/2018. That translates to 11:00 p.m. through 8:00 p.m. Singapore time on June 12, the day President Trump met with Kim Jong-un in Singapore.

Figure 1. Timeline of Singapore attacks

Ninety-two percent of the attacks collected were reconnaissance scans looking for vulnerable devices; the other 8% were exploit attacks. Thirty-four percent of the attacks originated from Russian IP addresses. China, US, France, and Italy round out the top 5 attackers in this period, all of which launched between 2.5 to 3 times fewer attacks than Russia. Brazil, in the sixth position, was the only other country we detected launching SIP attacks alongside Russia.

Figure 2: Top 10 attack source countries worldwide, June 12, 2018 — Singapore time

Singapore was the top destination of the attacks by a large margin, receiving 4.5 times more attacks than the U.S. or Canada. Singapore is not typically a top attack destination country; this anomaly coincides with President Trump’s meeting with Kim Jong-un.

Figure 3. Top 10 attack destination countries, June 12, 2018 — Singapore time

Russia was the primary source of the attacks against Singapore during this period, launching 88% of the attacks. Brazil was the number two attacker, launching 8% of the attacks against Singapore, and Germany was number three with 2% of the attacks. No attempt appears to have been made to conceal the attacks launched from Russia. There was also no malware associated with the attacks against Singapore from Russia.

Figure 4. Top 10 source countries of Singapore attacks, June 11, 2018 through June 12, 2018

Top Attacking Russian IP Address

The majority of the attacks coming from Russia were reconnaissance scans coming from one IP address: 188.246.234.60. The IP is owned by ASN 49505, operated by Selectel. The recon scans were preceded by the actual attacks against port 5060 that came primarily from Brazil.


Attack Destination Ports

The following ports in order of prevalence were targeted in the Singapore attacks:

  1. 5060 — clear text Session Initiation Protocol (SIP)
  2. 23 — Telnet remote management
  3. 1433 — Microsoft SQL Server database
  4. 81 — Alternate web server port for host-to-host communication
  5. 7547 — TCP port used by ISPs to remotely manage routers via the TR-069 protocol
  6. 8291 — Remote management port commonly used by MikroTik routers
  7. 8080 — Alternate web server port often used for a proxy server or caching

The SIP port 5060 received 25 times more attacks than port 23 in the #2 position. SIP is an IP phone protocol, and port 5060 is specifically the non-encrypted port versus port 5061, which is encrypted. It is unusual to see port 5060 as a top attack destination port. Our assumption is that the attackers were trying to gain access to insecure phones or perhaps the VoIP server. Attacks against this port haven’t been in the news since 2011 when the SIPVicious VoIP tool was popular.

Telnet is the most commonly attacked remote administration port by IoT attackers. It’s very likely these attackers were looking for any IoT device they could compromise that could provide them access to targets of interest, which would then enable them to spy on communications and collect data.

Port 7547 is used by ISPs to remotely manage their routers. This protocol is targeted by Mirai and Annie, a Mirai spinoff that caused millions of dollars of damage to European ISPs in late 2016. If any devices in Singapore had this port open and were protected with default admin credentials, it is likely the attackers gained access and used man-in-the-middle attacks to intercept traffic through those devices, collecting data, redirecting traffic, and so on.

Port 8291 was recently attacked by Hajime, the vigilante thingbot created to PDoS devices that would otherwise be infected by Mirai. If any devices in Singapore were listening on this port, and protected with vendor default credentials, it is likely the attackers could have gained access.

Link to comment
Share on other sites
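A defender who wants to check their own perimeter for the port mix described in the quoted F5 text could tally dropped connections per destination port and flag single sources sweeping many hosts on one port. The sketch below is an added example, not part of the post or of F5's tooling; the log format, the documentation-range addresses and the sweep threshold are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Destination ports named in the quoted F5 list, with the service each maps to.
WATCHED_PORTS = {
    5060: "SIP (cleartext)",
    23: "Telnet",
    1433: "Microsoft SQL Server",
    81: "alternate web",
    7547: "TR-069 router management",
    8291: "MikroTik management",
    8080: "alternate web / proxy",
}

# Assumed firewall log layout (constructed for this example).
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)")

# Constructed sample: one source sweeping 25 hosts on 5060, plus background noise.
SAMPLE_LOG = "\n".join(
    [f"2018-06-12T03:00:{i:02d}Z DROP SRC=203.0.113.7 DST=198.51.100.{i} PROTO=UDP DPT=5060"
     for i in range(1, 26)]
    + ["2018-06-12T03:01:00Z DROP SRC=192.0.2.44 DST=198.51.100.9 PROTO=TCP DPT=23",
       "2018-06-12T03:01:05Z DROP SRC=192.0.2.45 DST=198.51.100.9 PROTO=TCP DPT=7547",
       "2018-06-12T03:01:09Z DROP SRC=192.0.2.46 DST=198.51.100.9 PROTO=TCP DPT=443",
       "malformed line without fields"]
)

def summarize(log_text, sweep_threshold=20):
    """Tally hits per watched port and flag sources sweeping many hosts on one port."""
    per_port = Counter()
    targets = defaultdict(set)  # (src, port) -> distinct destination hosts
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            skipped += 1  # count unparseable lines instead of silently dropping them
            continue
        port = int(m["dpt"])
        if port not in WATCHED_PORTS:
            continue
        per_port[port] += 1
        targets[(m["src"], port)].add(m["dst"])
    sweeps = sorted((src, port, len(dsts)) for (src, port), dsts in targets.items()
                    if len(dsts) >= sweep_threshold)
    return {"per_port": per_port, "sweeps": sweeps, "skipped": skipped}

def ratio(per_port, a=5060, b=23):
    """How many times more hits port a received than port b (None if b saw none)."""
    return per_port[a] / per_port[b] if per_port[b] else None

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for port, hits in result["per_port"].most_common():
        print(f"{port:>5}  {WATCHED_PORTS[port]:<26} {hits}")
    print("5060 vs 23 ratio:", ratio(result["per_port"]))
    print("sweeps:", result["sweeps"])
```

A source address in the sweep list says where the packets came from, not who sent them, which is the attribution limit the replies in this thread argue about.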

4 hours ago, Rickta said:

 

LOL, like no one can change their IP addresses :D It's no wonder @knowledge gets sick of Russians being blamed for everything :wub:

To get a Russian IP is easy; I have a VPN, and you can use Tor, but it's not so easy to find an NK IP. But most of the time you can do a reverse check on an IP, and if it's a well-known VPN or Tor node you can tell. Some sites ban almost all VPN/Tor IPs, but if you know how to change Tor IPs you can get around the ban, because Tor gets new IPs every day. A state hacker trying to make it look like they were from Russia or NK may have such tools, but a common hacker most of the time just uses stuff that can be detected as Tor/VPN/proxy. Why do you think the FBI is always having VPNs up in court? 3 in the last 2 years that we know of. Using VPN/Tor doesn't make you truly anonymous, as most of the time they can tell you are masking your IP, and if you drop the ball and use your real ISP or get exploited they will get your real IP.

 

Trying to say there are no state hackers in Russia or NK is like trying to say there is no NSA or CIA in the USA. Almost all countries have them, but I think most of them would have sense enough to hide their IP to look like they were from somewhere else, unless they just don't care if we know. So it's always questionable to track IPs back to a certain country in this age of VPN/Tor, because an IP is not a person. I never post these posts where they blame such and such country, because there is no way they really know where hackers are from. I don't even see a list of IPs I can check for VPN or Tor, so it's hard to believe, but someone is trying to eavesdrop, I guess, and if it's not Russia, Russia needs to figure out who it is and stop them, because they have an enemy out there trying to place the blame on them. So it's a bad problem either way. And we all know there are countries whose governments don't like Russia and would sink that low. They've been blaming Russia, NK and others for years for cyber attacks, so it's nothing new, but it's strange you never hear the left-wing media say they just found state hackers from USA IPs. By the time we heard the NSA or CIA had done something, it was years after it happened.

Link to comment
Share on other sites

58 minutes ago, steven36 said:

Why do you think the FBI is always having VPNs up in court? 3 in the last 2 years that we know of.

Almost negligible.

59 minutes ago, steven36 said:

Russia needs to figure out who it is and stop them, because they have an enemy out there trying to place the blame on them.

Why should Russia spend its resources in fighting a "fake battle" they cannot fight?  Aren't there bigger issues?

 

As the saying goes:

[Indian:] The elephant keeps walking as the dogs keep barking.

[Global:] An elephant never minds barking dogs.

Link to comment
Share on other sites

11 minutes ago, sva said:

Almost negligible.

Not really. Back in 2012 they used Hide My Ass and VPN Book to take down Anonymous. Even Anonymous came on the internet and told us what VPN Book had done. It's very easy for almost anyone to tell if you're using a VPN if they can see your IP.

Link to comment
Share on other sites

With no proof, why does Russia have to do things? Show real proof.

found that cyber-attacks targeting Singapore skyrocketed, 88% of which originated from Russia. What’s more, 97% of all attacks coming from Russia during this time period targeted Singapore. (We cannot prove) they were nation-state sponsored attacks, however the attacks coincide with the day President Donald Trump met with North Korean

I am sure Putin keeps saying to the USA not to fight with Kim and to talk, so now the USA and Kim talk and Russia hacks? OK, really, sounds funny. Plus the meeting with Trump and Kim was on RT and is seen as a good thing, so why would Russia want to hack or attack? The whole thing sounds off.

Link to comment
Share on other sites

The USA Government didn't say this, no way; F5 Labs did, and they give an IP it's coming from.

Quote

The majority of the attacks coming from Russia were reconnaissance scans coming from one IP address: 188.246.234.60. The IP is owned by ASN 49505, operated by Selectel. The recon scans were preceded by the actual attacks against port 5060 that came primarily from Brazil.

It says most of the attacks came primarily from Brazil.

There were hackers from IPs from everywhere attacking IoT in Singapore at the time of the summit.
 

Quote

 

Russian IP addresses. China, US, France, and Italy round out the top 5 attackers in this period

 

 

 

 

Even IPs from the USA were present, so it looks like the summit may have drawn attention from hackers, but it's hard to say because hackers attack IoT all the time anyway. Most likely just F5 Labs trying to make a name for themselves in the security industry. Companies have done much worse things to make a name for themselves, like posting proof of exploits out in the wild before they were patched. One thing is for sure: security researchers would be more likely to be looking for hackers during a big event than they would be on a normal day, to make a name for themselves.

Link to comment
Share on other sites

54 minutes ago, knowledge said:

 cyber-attacks targeting Singapore skyrocketed, 88%

That's kind of hard to chew, that they skyrocketed, considering Singapore is one of the worst places for IoT attacks anyway.

Quote

 

Singapore is in the top five destinations globally for IoT attacks, the latest installment of F5 Networks’ The Hunt for IoT series shows.

 

The report, The Growth and Evolution of Thingbots Ensures Chaos, suggests the island nation has a sizable and vulnerable IoT deployment.

 

The other destinations in the top five are United States, Spain, Italy, and Hungary. However, the top 5 destinations collectively only received 27% of China’s attacks; the other 73% were globally dispersed to countries that didn’t even account for more than 1% of the total attack volume.

 

With 8.4 billion devices currently in use, and over 30 billion devices projected to be deployed by 2020, unprotected devices are a goldmine for hackers, as they find new ways to exploit numerous protocols beyond telnet (an underlying TCP/IP protocol for accessing remote computers) to ensure they capture as many vulnerable IoT devices as possible.

 

Thingbots are botnets comprising infected IoT devices which are typically unmanaged, providing a low likelihood of being discovered by their owner and remediated.

 

Thingbots are capable of globally destructive attacks, and the worrying fact is that the security industry has only started discovering them with increasing frequency. Massive, well known thingbots such as Mirai and Persirai have been wreaking havoc around the world, and show no signs of slowing down.

 

A new variant of the notorious Mirai malware is exploiting kit with ARC processors. Dubbed Okiru, it is the first capable of infecting devices powered by ARC CPUs, which are responsible for running a variety of internet-connected products including cars, mobiles, TVs, cameras and more.

 

In fact, despite broad awareness of their existence and threat, it is reported that Persirai infected IP cameras still exist all across Asia with the heaviest concentrations in Thailand, China, South Korea, Japan, Taiwan and Malaysia. There is even a website that collects the streaming footage from over 73,000 hacked IP cameras worldwide. These live feeds range from parking lots and store surveillance to the bedrooms of unknown individuals.

 

While China, the US and Russia are clearly the top three attacking countries, the report suggests that because vulnerable IoT devices are deployed globally without bias, there is no standout IoT attack destination.

 

https://www.telecomramblings.com/2018/04/singapore-among-top-five-destinations-iot-attacks/

 

 

Link to comment
Share on other sites

31 minutes ago, knowledge said:

Maybe someone needs to tell Fox News it is off with the numbers then?

'Fox News @ Night' host Shannon Bream has the latest.

Fox News posts some crap on their site just like all the others do. Just like they were downing the repeal of Net Neutrality, and they're supposed to be a right-wing news service, and everyone knows the right is on the side of the ISPs and the left is on the side of big tech. It's best not to believe everything you read in the news, because at the end of the day only the media stands to get a fat paycheck from a story like this, and conspiracy theorists benefit. It's just like they blamed Russia for those CIA leaks, and it was a CIA agent who leaked all that stuff all along; they caught him.

It's like they said that Russian hackers were trying to knock out the power in the USA, but that's not what the government said when they investigated it. They said:

Quote

An official with the Department of Homeland Security indicated there was no evidence that, having gained access to the control system for that turbine, or hackers did anything to manipulate the system in the real world.

 

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
