Tag Archives: DDoS

Security News for the Week Ending January 28, 2022

Biden May Use China Rule on Russia if it Invades Ukraine

This COULD be a bluff, but the administration may use the foreign direct product rule on Russia, as it did on Huawei, if Russia invades Ukraine. Depending on how it is used, it could have crushing implications for anything in Russia that uses microchips. When used against one company in China, Huawei, it reduced their revenue by 30 percent. If it is used against an entire country, it could be worse. This could be just a threat, but no one knows whether the threat is real. Credit: WaPo

The Donald Trump Virus

No, this has nothing to do with Covid. The Donald Trump Packer malware delivers both remote access trojans (RATs) and other infostealers. It gets its name from a hard-coded password named after Trump. The malware is called DTPacker. The campaign is active and has used fake British football web sites, among others, to deliver its malware. Credit: Threat Post

Let’s Encrypt to Revoke 2 Million Certificates Today

Let’s Encrypt found two bugs in their certificate issuing software and, as a result, they will revoke about 2 million certificates on Friday the 28th. That number represents about 1 percent of the active Let’s Encrypt certificates so, while it is a large number, it is a small percentage. Users who are affected will get an email and will have to renew their certificates. This is NOT the result of a breach or a hack, just them being extra cautious. Credit: The Register

Microsoft Mitigates Largest DDoS Attack Ever Reported

Microsoft says its Azure DDoS protection platform stopped a 3.47 terabit per second attack last November. This translated to 340 million packets per second. The attack came from about 10,000 computers in multiple countries and used multiple techniques. Can your infrastructure handle this? Credit: Bleeping Computer

World Economic Forum Says it Takes 9 Months to Identify and Respond to a Cyberattack

In 2021 ransomware attacks rose by 151%. Each successful attack cost the company $3.6 million, on average. The Forum says that even 6 months after a breach becomes public, the company’s share price underperforms the NASDAQ by -3%. More concerning, on average, companies need NINE MONTHS to identify and respond to a cyberattack. Read the details at Cybernews

Security News for the Week Ending Jan 1, 2021

Happy New Year. May 2021 be more sane than 2020.

Microsoft Says Goal of Solar Winds Attack Was Your Cloud Data

Microsoft says that the objective of the Solar Winds hackers was to get into a number of organizations and then pick and choose which ones to attack, leaving the back door in place at the others for future operations. One way to do that was to generate SAML login tokens from inside the network and then use those tokens to gain access to cloud resources, including, but not limited to, email. The article also provides more information on how to detect whether the hackers did compromise your cloud resources. Credit: Bleeping Computer

“Swatting” Moves to the Next Level

Swatting, the practice of making a fake 911 call so that SWAT teams are deployed to the victim’s location based on, say, a fake kidnapping, is moving to the next level. As if having the police show up unexpectedly with lots of guns and breaking down your door isn’t bad enough, now the perpetrators are taking advantage of the fact that people choose crappy passwords and are watching and listening to the police assault through the victim’s own smart devices. On occasion, the situation becomes deadly when the police, not really knowing what to believe, shoot the victim. On rare occasions, the swatters, as they are called, are caught and prosecuted. Credit: Bleeping Computer

I Think The Wasabi Got a Little Too Hot

Wasabi, the cloud storage competitor to Amazon S3 that claims that it is significantly cheaper than Amazon and 99.999999999% reliable just got a little less reliable. Their domain registrar notified them of some malware hosted on one of their domains. Only they sent the email to the wrong email address. The registrar, following normal procedures, suspended their domain for not responding to an email they never got, knocking many of their customers offline.

After Wasabi discovered they had been DDoSed by their domain registrar, they suspended the offending customer and asked to get their domain back. That process took over 13 hours. Are you ready for this kind of attack from your suppliers?

That attack probably knocked several of those 9’s off their reliability, depending on how they mess with the data.

Credit: Bleeping Computer

Solar Winds Troubles Are Not Over

A second piece of malware called SUPERNOVA, and a zero-day vulnerability that it exploited, make it look like there may have been a second attack against Solar Winds. This appears to be a separate attack from the Russian attack. The attack vector is different too – this is not an attack against the Solar Winds code base. This spells additional trouble for Solar Winds. Credit: Security Week

Security News for the Week Ending June 19, 2020

Akamai Sees Largest DDoS Attack Ever

Cloudflare says that one of its customers was hit with a 1.44 terabit per second denial of service attack. A second attack topped 500 megabits per second. They used a variety of amplification techniques that required some custom coding on Akamai’s part to control, but the client was able to weather the attack. Credit: Dark Reading

Vulnerability in Trump Campaign App Revealed Secret Keys

Trump’s mobile campaign app exposed Twitter application keys, Google apps and maps keys and Branch.io keys. The vulnerability did not expose user accounts, but it would have allowed an attacker to impersonate the app and cause significant campaign embarrassment. This could be due to sloppy coding practices or the lack of a secure development lifecycle. Credit: SC Magazine

FBI and Homeland Use Military-Style Drones to Surveil Protesters

Homeland Security has been using a variety of techniques, all likely completely legal, to keep track of what is going on during the recent protests.

Customs (part of DHS) has Predator drones, for example. Predator drones have been used in Iraq and other places. Some versions carry large weapons such as missiles. These DHS drones likely only carry high resolution spy cameras (that can, reportedly, read a license plate from 20,000 feet up) and cell phone interception equipment such as Stingrays and Crossbows. Different folks have different opinions as to whether using the same type of equipment that we use to hunt down terrorists is appropriate to use on U.S. soil, but that is a conversation for some other place. Credit: The Register

Hint: If You Plan to Commit Arson, Wear a Plain T-Shirt

A TV news chopper captured video of a masked protester setting a police car on fire. Two weeks later, the Feds knocked on her door and arrested her for arson.

How? She was wearing a distinctive T-Shirt, sold on Etsy, which led investigators to her LinkedIn page and from there to her profile on Poshmark. While some are saying that is an invasion of privacy, I would say that the Feds are conducting open source intelligence (OSINT). The simple solution is to wear a plain T-Shirt. If you are committing a felony, don’t call attention to yourself. Credit: The Philly Inquirer

Ad-Tech Firm BlueKai has a bit of a Problem

BlueKai, owned by Oracle, had billions of records exposed on the Internet due to an unprotected database. This data is collected from an amazing array of sources, from tracking beacons on web pages and emails to data that they buy from a variety of sources. Apparently the source of the breach is not Oracle itself but rather two companies Oracle does business with. They have not said whether those companies were customers, partners or suppliers, and they haven’t publicly announced the breach. If there were California or EU residents in the mix, it could get expensive. The California AG has refused to say whether Oracle has told them, but this will not go away quietly or quickly. Credit: Tech Crunch

Minneapolis City Web Sites Hit by Denial of Service Attacks

Last Thursday, early in the morning, a number of City of Minneapolis web sites were disabled by denial of service attacks. The attacks were short-lived and the city was able to restore most of the services within a few hours. It is certainly possible that we will see more cyberattacks as a way to continue civil disobedience. Credit: The Hill

GA Gov. Kemp’s (R) Claims that Dems Hacked his SoS Web Site In 2018 Are False

Two days before the 2018 election, then GA Secretary of State Kemp opened an investigation into what he said was a failed hacking attempt of voter registration systems by the Democratic Party.

Newly released case files from the GBI say that there was no such hacking attempt. The report says that Kemp confused an authorized and planned security test by HOMELAND SECURITY with a hack. Kemp’s CIO had approved the scan by DHS.

The GBI did say that there were significant security holes in the web site at the time, even though Kemp said that patches to the web site two days before the election were standard practice. No one in their right mind would make changes to critical election systems two days before the election unless it was an emergency. Credit: Atlanta Journal Constitution

Chinese and Iranians Hacking Biden and Trump

Google’s Threat Analysis Group (TAG) warned the campaigns that they were seeing the Chinese targeting Biden and the Iranians targeting Trump. Currently, there is no sign of compromise, but we still have months to go before the election. Not only is there lots of information to steal, but they have the possibility of impacting the election or causing a loss of trust by voters in the process. Credit: SC Magazine

FBI Says Big Business Email Compromise Attacks on the Upswing

The FBI has reports of multiple fraudulent invoice BEC attacks in April and May. In one case hackers used a trusted vendor relationship and a transportation company to steal $1.5 Million. They are reporting multiple incidents in different industries, so caution is advised. Credit: FBI Liaison Information Reports 200605-007, security level GREEN.

DDoS Attack Turns Off The Heat. In Finland. In the Winter.

The most recent distributed denial of service attack (DDoS) meant that most people could not get to Twitter.  While that was awful and may have forced a few people to actually work instead of tweeting, for the most part, that was not a big deal.  In fairness to the DYN attack, there were actually hundreds of web sites that were effectively offline, but still, in the grand scheme of things, a small problem.

The Metropolitan, an English language newspaper in Finland, is reporting a much more serious issue, and that is the combination of DDoS attacks with the Internet of Things (IoT).

In this case, two apartment buildings in the city of Lappeenranta lost heat and hot water due to a DDoS attack on the computer that controls the heating system.  The CEO of the company that manages these buildings said the heat and warm water were “temporarily disabled”.

By temporary, he means from late October to November 3rd, a period of over a week.  Remember, Finland is pretty chilly this time of year, so to have no heat or hot water for a week or two is, kind of, “a problem”.

The attack deluged the computers that control the system with traffic.  The system’s solution to this is to reboot, but that doesn’t make the traffic go away, so it is sort of “rinse and repeat”.  Since the systems were continuously rebooting, they could not turn on the heat or hot water.

Since the building maintenance engineers are not cyber security experts, they had no clue what was happening.  If they had replaced the “faulty” computers, they would have done the same thing because the computers were not faulty – just doing what they were programmed to do.

This is reminiscent of the attack on the Ukrainian power grid last year, with different results.  In Ukraine, the power grid is old and creaky.  What computers there are, are bolted on to the existing infrastructure.  If the computers fail, you have to drive to the substation and throw the switch by hand.  Which is why that attack, while it literally destroyed a lot of the power distribution infrastructure, only turned off the lights for less than a day.

Finland, however, is not a third world country.  They have a lot of modern technology.  I suspect, in this case, that there was no switch to throw in the apartment building to turn on the heat.

Like we see a lot in modern IoT devices, security is an afterthought.  Probably no one considered that someone might want to attack their controller so they didn’t harden it nor did they set up protocols to deal with an attack.

SCADA, the industrial version of IoT (I know that is an over simplification, but it will work for this piece), was also never designed with security in mind.  I used to work for one of the largest SCADA manufacturers in the world.  There was no security in those devices.  Not even a userid and password, never mind something more sophisticated.  SCADA devices were never designed to even be on the Internet, but people figured out that they could save money by doing that.

Unfortunately, water plants, sewage plants, power plants, chemical plants and a lot of other infrastructure is not a good place to experiment, but the money to be saved is too large to ignore.  So we are being guinea pigs.

The attack on DYN, I think, was an experiment.  How did people deal with it?  How did the experts respond?  Did the police do anything?

Now they have some data points and they will continue to experiment.

At some point they will decide it is time to take down the power grid.  While throwing the entire United States in the dark is probably more effort than even a nation state would want to take (although far from impossible), throwing Washington, DC or New York City into the dark might produce some interesting results.  If you could damage the infrastructure at the same time to make it harder, take longer and cost more to repair, that would be a “side benefit”.

You can believe me or not, but this will happen.  It is just a matter of when because the steps that need to be taken now are not being taken.  It is too expensive and too inconvenient.  Remember my mantra.  Security.  Convenience.  Pick one.  You could probably modify that to Security, convenience, cost, pick at most two.

Tell the utilities that all of their little controllers that connect by way of Wi-Fi have to be secured or all of their controllers in the field that live in a secure metal box by the side of the road have to be replaced by something that actually is secure.  They will tell you that it is too expensive to do.  Right now, secure means that there is a padlock on the box.  An attacker could cut the padlock and if that was too hard, they could smash the box to bits with a sledgehammer.

After 9-11, the Feds paid local utilities to put fences around water treatment plants and such.  Some even have fence shakers – cool little gizmos that detect if someone is shaking the fence by trying to climb over it.  And, maybe, that will improve the security of central infrastructure, but there is so much distributed infrastructure that is not effectively protected.

For example, is there a power substation near your house?  How about a gas main line?  How strongly are they protected?  Maybe – and only maybe – there is a fence around it.  For me, there is a fence around the substation but not around the gas main.  Of course, even with the fence, there is no one there to physically disable the attacker and by the time the police or utility got there, the damage would be done.

Maybe the attack in Finland is a warning. But are enough people and the right people listening?  I don’t know.


Information for this post came from the Metropolitan.

Yet Another Denial Of Service Attack

Denial of Service attacks are a big deal now.  Last week the attack against Dyn stopped people from accessing Twitter and hundreds of other busy web sites for hours.

These attacks, called denial of service or distributed denial of service (DDoS) attacks, have many computers send a lot of data at a web server until it rolls over, sticks its little computer legs in the air and plays dead.

A critical part of these attacks is something called amplification.  If I have a 1 megabit internet connection and can amplify that attack by a factor of 20, that 1 megabit connection can hit the target web site with 20 megabits (per second) of traffic.  Multiply that by, say, 500,000 computers doing the attack and you can destroy a web site.  If I have a 100 megabit Internet connection, the problem is 100 times bigger.

So the hackers keep trying to come up with more powerful amplification attacks.  They have a new one.  It uses CLDAP, a protocol computers use to authenticate users.  Or destroy web servers.

The amplification factor for this attack was between 46 and 55, meaning that, on average, for every byte the attacker sent, the attack generated 46-55 bytes back at the site being attacked.

1 megabit of traffic from the attacker means at least 46 megabits of traffic that the site being attacked sees.  And with these attackers controlling hundreds of thousands to millions of devices, including Internet of Things devices, that adds up to a lot of traffic.

Even if the server didn’t crash, the Internet service provider probably doesn’t have enough bandwidth, so they will take the server down by “blackholing” it, meaning that, at the very edge of the provider’s network, they will discard ALL traffic directed at the site being attacked.  The attacker wins.  They don’t have to kill the site, the Internet provider does that for them.
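The reflector-side view of the CLDAP amplification described above, as an added example that is not part of the original post: it parses a few constructed NetFlow-style records (a hypothetical exposed CLDAP server at 192.0.2.5, a normally behaving one at 192.0.2.6, and 203.0.113.10 as the spoofed “source” that actually receives the responses) and computes, per UDP/389 server, how many bytes went out compared with how many came in, so an operator can spot their own servers being used as amplifiers.

```python
from collections import defaultdict, namedtuple

# Connectionless LDAP (CLDAP) is LDAP over UDP port 389.  A reflector answers a
# small query with a much larger response sent to whatever source address the
# query claimed, which is where the 46-55x amplification in the post comes from.
CLDAP_PORT = 389
AMP_THRESHOLD = 10.0  # ordinary LDAP request/response traffic stays far below this

# Constructed flow records (not real data): "proto src:port > dst:port bytes".
# 192.0.2.5 is a hypothetical exposed CLDAP server, 192.0.2.6 a normal one, and
# 203.0.113.10 the spoofed "source" that actually receives the large responses.
SAMPLE_FLOWS = """
UDP 203.0.113.10:40001 > 192.0.2.5:389 52
UDP 192.0.2.5:389 > 203.0.113.10:40001 2600
UDP 203.0.113.10:40002 > 192.0.2.5:389 52
UDP 192.0.2.5:389 > 203.0.113.10:40002 2600
UDP 198.51.100.7:51000 > 192.0.2.6:389 300
UDP 192.0.2.6:389 > 198.51.100.7:51000 900
TCP 198.51.100.7:51001 > 192.0.2.6:389 4000
"""

Flow = namedtuple("Flow", "proto src sport dst dport nbytes")

def parse_flows(text: str) -> list:
    """Parse the constructed flow format above into Flow records."""
    flows = []
    for line in text.strip().splitlines():
        proto, src, _, dst, nbytes = line.split()
        s_ip, s_port = src.rsplit(":", 1)
        d_ip, d_port = dst.rsplit(":", 1)
        flows.append(Flow(proto, s_ip, int(s_port), d_ip, int(d_port), int(nbytes)))
    return flows

def amplification_by_server(flows: list) -> dict:
    """Per UDP/389 server: (query bytes received, response bytes sent, ratio)."""
    queries, responses = defaultdict(int), defaultdict(int)
    for f in flows:
        if f.proto != "UDP":
            continue  # reflection needs spoofed UDP; TCP LDAP sessions cannot be reflected
        if f.dport == CLDAP_PORT:
            queries[f.dst] += f.nbytes
        elif f.sport == CLDAP_PORT:
            responses[f.src] += f.nbytes
    result = {}
    for server in set(queries) | set(responses):
        ratio = responses[server] / queries[server] if queries[server] else float("inf")
        result[server] = (queries[server], responses[server], round(ratio, 1))
    return result

def suspected_reflectors(flows: list, threshold: float = AMP_THRESHOLD) -> list:
    """Servers whose response/query byte ratio looks like amplification, sorted."""
    stats = amplification_by_server(flows)
    return sorted(ip for ip, (_, _, ratio) in stats.items() if ratio >= threshold)
```

Pointing the same logic at real flow exports lets you confirm an Internet-facing LDAP server is not answering UDP queries from the open Internet, which is the fix that removes it from an attacker’s pool of reflectors.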

Many of – if not most of – these devices that the attackers are using to attack other sites are not configured correctly or do not have the current patches.  It is critical that you change default passwords and update devices regularly.

As a result of this most recent attack, the feds are trying to figure out what ISPs can do, but you can likely be much more effective – if you take security of all of your devices – webcams, DVRs, web based doorbells, smart TVs, smart refrigerators – all of it, seriously.

We need your help!

Information for this post came from Softpedia.