What we Learned from the Biggest DDoS Attack to Date: 22 Million Requests Per Second
Russian internet giant Yandex recently announced that it was hit by a record-breaking distributed denial-of-service (DDoS) attack.
“Our experts did manage to repel a record attack of nearly 22 million requests per second,” Yandex said in a statement. “This is the biggest known attack in the history of the internet.”
In the blog post “Mēris botnet, climbing to the record,” DDoS mitigation service Qrator Lab reported that from August 7 to September 5 of this year it recorded five DDoS attacks on Yandex from a botnet dubbed “Mēris,” which means “Plague” in Latvian. The five attacks on Yandex, Qrator Lab said, started at 5.2 million requests per second (RPS) and culminated at 21.8 million RPS.
In a DDoS attack, multiple internet-connected computers operate as one to attack a particular target. To launch a DDoS attack, attackers often use a botnet – a group of hijacked internet-connected computers controlled by attackers to conduct malicious activities such as DDoS attacks.
In a DDoS attack, the hijacked internet-connected computers are themselves victims. Using hijacked computers multiplies the attack’s power through the sheer volume of requests sent to the target, and initially hides the true source of the attack.
According to Qrator Lab, the number of infected internet-connected computers reached 250,000, and these infected internet-connected computers or devices come from only one manufacturer: Mikrotik, a Latvian network equipment manufacturer.
Qrator Lab added that the Mēris botnet used the HTTP pipelining technique in launching the DDoS attacks. “Requests pipelining (in HTTP 1.1) is the primary source of trouble for anyone who meets that particular botnet,” Qrator Lab said. “Because of the request pipelining technique, attackers could squeeze much more RPS than botnets usually do. It happened because traditional mitigation measures would, of course, block the source IP. However, some requests (about 10-20) left in the buffers are processed even after the IP is blocked.”
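As an added illustration (not Qrator Lab’s or Yandex’s code), the following Python simulation models the buffering problem just described: one abusive source pipelines many requests on a single connection, an IP-level block is applied once a per-source threshold is exceeded, and the naive server still drains the requests that were already buffered. The hardened variant re-checks the blocklist before dispatching each buffered request and caps how many pipelined requests a connection may queue. The threshold, the cap and the addresses are constructed values.

```python
"""Model of why HTTP/1.1 request pipelining defeats IP-level blocking.

Constructed simulation, not Qrator Lab's or Yandex's code. A "source" is an
attacking IP; the integer is how many requests it pipelined on one
connection before the server made any blocking decision.
"""

RPS_THRESHOLD = 5   # hypothetical per-source request budget before blocking


def serve(burst_by_source, recheck_before_dispatch=False, max_pipelined=None):
    """Process pipelined requests and report what was served vs dropped.

    burst_by_source: {source_ip: number_of_pipelined_requests}
    recheck_before_dispatch: consult the blocklist for every buffered request,
        not only when the connection is accepted.
    max_pipelined: cap on buffered requests per connection; the rest are
        dropped without being parsed or served.
    Returns (served, dropped, blocked_sources).
    """
    blocked = set()
    served = dropped = 0
    for src, buffered in burst_by_source.items():
        # The requests already sit in the socket buffer when any decision is made.
        if max_pipelined is not None and buffered > max_pipelined:
            dropped += buffered - max_pipelined
            buffered = max_pipelined
        for n in range(1, buffered + 1):
            if n > RPS_THRESHOLD:
                blocked.add(src)      # the firewall rule is installed here...
            if recheck_before_dispatch and src in blocked:
                dropped += 1          # ...and honoured for the buffered rest
                continue
            served += 1               # naive path: buffered work still runs
    return served, dropped, blocked


# Constructed burst: one abusive source pipelines 20 requests on a single
# connection, one legitimate client sends 3.
SAMPLE_BURST = {"198.51.100.7": 20, "203.0.113.9": 3}


def naive_result():
    """Block at the edge only: the abusive source is blocked, yet all 23 requests are served."""
    return serve(SAMPLE_BURST)


def hardened_result():
    """Re-check the blocklist per request and cap the pipeline depth at 8."""
    return serve(SAMPLE_BURST, recheck_before_dispatch=True, max_pipelined=8)


if __name__ == "__main__":
    print("naive   :", naive_result())
    print("hardened:", hardened_result())
```

The cap on pipelined requests is the part that matters at scale: it bounds the leftover work per blocked connection to a known number rather than to whatever the socket buffer happened to hold, which is the 10-20 leftover requests Qrator Lab describes.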
Based on the botnet’s attacking sources (IP addresses), Qrator Lab said that 10.9% came from Brazil, 10.9% from Indonesia, 5.9% from India, 5.2% from Bangladesh, 3.6% from Russia, and 3.3% from the United States.
In the last couple of weeks, Qrator Lab said, it has observed devastating DDoS attacks against New Zealand, the United States, and Russia, which it attributes to the Mēris botnet. “Now it can overwhelm almost any infrastructure, including some highly robust networks,” Qrator Lab said. “All this is due to the enormous RPS power that it brings along.”
Prior to the DDoS attack at Yandex, the record-breaking DDoS attack was launched by a powerful botnet, targeting a Cloudflare customer in the financial industry. The attack reached 17.2 million requests per second.
According to Cloudflare, the said DDoS attack came from more than 20,000 bots in 125 countries around the world. Based on the botnet’s attacking sources (IP addresses), almost 15% of the attack originated from Indonesia and another 17% from India and Brazil combined.
Cloudflare said the attack was launched via a Mirai botnet. Mirai, which means “future” in Japanese, was first discovered in 2016. The Mirai botnet infects Linux-based devices such as security cameras and routers by brute forcing known credentials such as factory-default usernames and passwords. Later variants of Mirai also took advantage of zero-day exploits.
According to Qrator Lab researchers, they haven’t seen the malicious code, and as such, they aren’t ready to tell yet if it’s somehow related to the Mirai botnet family or not.
Preventative measures against DDoS attacks
In order to prevent your organization’s internet-connected computers or devices from being hijacked as part of a botnet, it’s important to follow these cybersecurity best practices:
According to MikroTik, Mēris botnet compromised the same routers that were compromised in 2018 via a known security vulnerability that was quickly patched. The 2018 vulnerability that was referred to is CVE-2018-14847, a MikroTik RouterOS security vulnerability that allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface.
“Unfortunately, closing the vulnerability does not immediately protect these routers,” MikroTik said. “If somebody got your password in 2018, just an upgrade will not help. You must also change password, re-check your firewall if it does not allow remote access to unknown parties, and look for scripts that you did not create.”
DDoS attacks, even volumetric attacks, can now be prevented autonomously, without human intervention.
Top 3 Worst Cybersecurity Practices
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently listed three cybersecurity practices it considers dangerous because they significantly increase the risk to technologies accessible from the internet.
Below are the three practices that CISA has deemed as “dangerous” practices. The presence of these bad practices in organizations, CISA said, “is exceptionally dangerous and increases risk to our critical infrastructure, on which we rely for national security, economic stability, and life, health, and safety of the public.”
1. Use of Unsupported (End-of-Life) Software
Security vulnerabilities in software are normal. For a specified period, software vendors actively look for these vulnerabilities and release regular or out-of-band security updates, also known as patches, to fix the ones that become known.
After that period, known as the software’s end of life (EOL), vendors stop releasing patches. Attackers favor software that has reached its end of life, on the premise that many users keep using it well past that date.
An example of software that has reached its end of life is Windows 7 operating system. On January 14, 2020, Microsoft ended its support for the Windows 7 operating system. Customers who purchased an Extended Security Update (ESU) plan can still receive support or security updates from Microsoft. In this case, the continued use of Windows 7 without ESU is a dangerous practice.
“In 2017, roughly 98 percent of systems infected with WannaCry employed Windows 7 based operating systems,” the Federal Bureau of Investigation (FBI) said in its Private Industry Notification (PDF File). “After Microsoft released a patch in March 2017 for the computer exploit used by the WannaCry ransomware, many Windows 7 systems remained unpatched when the WannaCry attacks began in May 2017. With fewer customers able to maintain a patched Windows 7 system after its end of life, cyber criminals will continue to view Windows 7 as a soft target.”
2. Use of Known/Fixed/Default Passwords and Credentials
The use of known/fixed/default passwords is another bad practice that’s disastrous in technologies accessible from the internet.
In July 2021, Microsoft Threat Intelligence Center reported that it observed new activity from the NOBELIUM threat actor using tactics such as password spray and brute-force attacks.
In the blog post "Protecting your organization against password spray attacks," Diana Kelley, Microsoft Cybersecurity Field CTO said that adversaries in password spray attacks “acquire a list of accounts and attempt to sign into all of them using a small subset of the most popular, or most likely, passwords.”
The Microsoft Cybersecurity Field CTO, meanwhile, said that brute-force attacks are targeted compared to password spray attacks: attackers go after specific users and cycle through as many passwords as possible, using dictionary words, common passwords, or research aimed at guessing the user’s password, for instance by discovering family names through social media posts.
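The difference between the two techniques is visible in sign-in telemetry: a spray shows one source failing once or twice against many accounts, a brute-force attack shows one source failing many times against one account. As an added example (not Microsoft’s code), the following Python detector classifies sources from a constructed batch of failed sign-in events; the log format, thresholds and addresses are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample of sign-in events (not real log data). One source sprays
# six accounts once each, one hammers a single account, one is a user who
# mistyped a password once and then succeeded.
SAMPLE_LOG = """\
2021-07-12T08:00:01Z src=203.0.113.5 user=alice result=FAIL
2021-07-12T08:00:02Z src=203.0.113.5 user=bob result=FAIL
2021-07-12T08:00:03Z src=203.0.113.5 user=carol result=FAIL
2021-07-12T08:00:04Z src=203.0.113.5 user=dave result=FAIL
2021-07-12T08:00:05Z src=203.0.113.5 user=erin result=FAIL
2021-07-12T08:00:06Z src=203.0.113.5 user=frank result=FAIL
2021-07-12T08:01:00Z src=198.51.100.9 user=alice result=FAIL
2021-07-12T08:01:01Z src=198.51.100.9 user=alice result=FAIL
2021-07-12T08:01:02Z src=198.51.100.9 user=alice result=FAIL
2021-07-12T08:01:03Z src=198.51.100.9 user=alice result=FAIL
2021-07-12T08:01:04Z src=198.51.100.9 user=alice result=FAIL
2021-07-12T08:01:05Z src=198.51.100.9 user=alice result=FAIL
2021-07-12T08:02:00Z src=192.0.2.44 user=grace result=FAIL
2021-07-12T08:02:30Z src=192.0.2.44 user=grace result=OK
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")

# Hypothetical thresholds; tune them to the tenant's normal failure rate.
MIN_FAILURES = 5        # ignore sources with fewer total failures
SPRAY_MIN_USERS = 5     # a spray touches many accounts...
SPRAY_MAX_PER_USER = 2  # ...with only a few guesses per account


def classify_sources(log_text):
    """Return {source_ip: verdict} for every source with failed sign-ins."""
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> failed count
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["result"] != "FAIL":
            continue
        failures[m["src"]][m["user"]] += 1

    verdicts = {}
    for src, per_user in failures.items():
        total = sum(per_user.values())
        if total < MIN_FAILURES:
            verdicts[src] = "normal"
        elif len(per_user) >= SPRAY_MIN_USERS and max(per_user.values()) <= SPRAY_MAX_PER_USER:
            verdicts[src] = "password-spray"   # many accounts, few guesses each
        elif len(per_user) == 1:
            verdicts[src] = "brute-force"      # one account, many guesses
        else:
            verdicts[src] = "suspicious"       # volume without a clean pattern
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_LOG).items():
        print(f"{src:15} {verdict}")
```

Per-account lockout alone misses the spray case, because each account sees only one or two failures; the signal is in the per-source count of distinct accounts, which is why the detector aggregates by source first.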
In July 2021 as well, UK’s National Cyber Security Centre reported that it observed an increase in activity as part of malicious email and password spraying campaigns against a limited number of UK organizations.
3. Use of Single-Factor Authentication
The use of single-factor authentication is another bad practice that’s disastrous in technologies accessible from the internet. Single-factor authentication is the simplest form of authentication. With single-factor authentication, a user matches one credential to verify oneself online. The most common credential is the password to a username.
“The use of single-factor authentication for remote or administrative access to systems supporting the operation of Critical Infrastructure and National Critical Functions (NCF) is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety,” CISA said. “This dangerous practice is especially egregious in technologies accessible from the Internet.”
Cybersecurity Best Practices
Below are the cybersecurity practices that best counter the above-mentioned bad practices:
"There are over 300 million fraudulent sign-in attempts to our cloud services every day,” Maynes said. “By providing an extra barrier and layer of security that makes it incredibly difficult for attackers to get past, MFA can block over 99.9 percent of account compromise attacks. With MFA, knowing or cracking the password won’t be enough to gain access.”
MFA, however, shouldn’t be your organization’s only defense against malicious actors, as there are a handful of known ways of bypassing MFA.
. Practice network segmentation. In network segmentation, your organization’s network is divided into sub-networks so that an incident in one segment does not affect the others.
Modern Email Threat: Morse Code Used in Phishing Attacks
Microsoft has revealed that cybercriminals are changing tactics as fast as security and protection technologies do, with the latest tactic: The use of Morse code in phishing attacks.
In the blog post "Attackers use Morse code, other encryption methods in evasive phishing campaign," Microsoft 365 Defender Threat Intelligence Team said that a year-long investigation found a targeted, invoice-themed XLS.HTML phishing campaign in which the attackers changed obfuscation and encryption mechanisms every 37 days on average, showing high motivation and skill level in order to constantly evade detection and keep the malicious operation running.
The phishing campaign’s primary goal, Microsoft 365 Defender Threat Intelligence Team said, is to harvest sensitive data such as usernames, passwords, IP addresses, and location – information that attackers can use as an initial entry point for later infiltration attempts.
In a phishing attack, attackers masquerade as a trusted entity and trick a victim into opening an email with a malicious attachment. In the phishing campaign observed for a year by Microsoft 365 Defender Threat Intelligence Team, the attackers initially sent out emails to targeted victims about a bogus regular financial-related business transaction, specifically sending a vendor payment advice.
According to Microsoft 365 Defender Threat Intelligence Team, the malicious email contains an HTML file attachment whose file name carries “xls” variations. A file name containing xls ordinarily suggests an Excel file. Opening this attachment, however, leads to a fake Microsoft Office 365 credentials dialog box and, more recently, to a legitimate Office 365 page.
Entering one’s username and password into the fake Microsoft Office 365 credentials dialog box or legitimate Office 365 page leads to the activation of the attackers’ phishing kit – harvesting the user’s username, password, and other information about the user.
Named after Samuel Morse, one of the inventors of the telegraph, Morse code represents letters as sequences of dots and dashes.
According to Microsoft 365 Defender Threat Intelligence Team, in place of the plaintext HTML code, the attackers used Morse code – dots and dashes – to hide the attack segments.
The use of Morse code in phishing attacks was first reported by u/speckz on Reddit last February. Lawrence Abrams of Bleeping Computer followed up the initial report of u/speckz. Abrams said Morse code was used by a threat actor to hide malicious URLs in their phishing campaign to bypass secure mail gateways and mail filters.
When viewing the HTML attachment in a text editor, Abrams said, Morse code made of dots and dashes appears in place of the plaintext HTML code. For instance, the letter “a” is written as “.-” and the letter “b” as “-...”.
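Mail filters that only inspect plaintext HTML miss this encoding, so a defender’s first step is to find and decode Morse runs before applying the usual content checks. The following Python scanner is an added example (not Microsoft’s, Abrams’ or any vendor’s code): it locates runs of dots and dashes in a constructed sample attachment, decodes them with the standard Morse table, and reports which suspicious keywords appear in the decoded text. It assumes single spaces between letters and “/” between words, which is this example’s convention rather than something the page states.

```python
import re

# Standard International Morse table for letters and digits.
MORSE = {
    ".-": "a", "-...": "b", "-.-.": "c", "-..": "d", ".": "e", "..-.": "f",
    "--.": "g", "....": "h", "..": "i", ".---": "j", "-.-": "k", ".-..": "l",
    "--": "m", "-.": "n", "---": "o", ".--.": "p", "--.-": "q", ".-.": "r",
    "...": "s", "-": "t", "..-": "u", "...-": "v", ".--": "w", "-..-": "x",
    "-.--": "y", "--..": "z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}

# Constructed sample attachment: the visible lure text is plain HTML, while a
# hidden element carries Morse instead of readable markup. The encoded
# content here spells two keywords only, enough to exercise the scanner.
SAMPLE_ATTACHMENT = """<html><body>
<div id="payload">... -.-. .-. .. .--. - / .... - - .--.</div>
<p>Payment advice attached.</p>
</body></html>"""

# Decoded content that a phishing kit would not normally need to hide.
SUSPICIOUS = ("script", "http", "eval", "document")


def decode_morse(text):
    """Decode a Morse run; letters separated by spaces, words by '/' (assumed)."""
    words = []
    for word in re.split(r"\s*/\s*", text.strip()):
        words.append("".join(MORSE.get(sym, "?") for sym in word.split()))
    return " ".join(words)


def find_morse_runs(html, min_symbols=3):
    """Return candidate Morse runs: at least min_symbols dot/dash groups separated by spaces or slashes."""
    pattern = re.compile(r"(?:[.\-]+[ /]+){%d,}[.\-]+" % (min_symbols - 1))
    return [m.group(0) for m in pattern.finditer(html)]


def scan_attachment(html):
    """Decode every Morse run in an attachment and flag suspicious decoded keywords."""
    findings = []
    for run in find_morse_runs(html):
        decoded = decode_morse(run)
        findings.append({
            "morse": run,
            "decoded": decoded,
            "keywords": [kw for kw in SUSPICIOUS if kw in decoded],
        })
    return findings


if __name__ == "__main__":
    for f in scan_attachment(SAMPLE_ATTACHMENT):
        print(f"decoded={f['decoded']!r} keywords={f['keywords']}")
```

The minimum run length keeps ordinary prose (an ellipsis, a hyphenated word) from being reported; raising or lowering it trades false positives against missed short fragments. Because the campaign changed its encoding every 37 days on average, a decoder like this belongs in a chain of layer-stripping steps rather than being the whole detection.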
Cybersecurity Best Practices
The changing tactics and speed that cybercriminals use to update their obfuscation and encoding techniques in launching their phishing campaigns via Office 365 environment call for the following cybersecurity best practices:
To better protect your organization against modern threats and mitigate cyber risks, schedule a consultation with one of our cybersecurity experts today.
What Is Kubernetes and How to Protect This Attack Surface
Kubernetes is fast becoming the target of attackers to steal data, steal computing power, or cause a denial of service.
What Is Kubernetes?
Kubernetes is an open-source system that’s often hosted in the cloud. It’s used to automate the deployment, scaling, and management of applications. Companies that use Kubernetes include Google and Tesla.
Google originally developed and released Kubernetes as open-source in 2014. Google Cloud is the known birthplace of Kubernetes. Kubernetes development drew inspiration from Google’s Borg.
“Google's Borg system is a cluster manager that runs hundreds of thousands of jobs, from many thousands of different applications, across a number of clusters each with up to tens of thousands of machines,” Google said. “It achieves high utilization by combining admission control, efficient task-packing, over-commitment, and machine sharing with process-level performance isolation. It supports high-availability applications with runtime features that minimize fault-recovery time, and scheduling policies that reduce the probability of correlated failures. Borg simplifies life for its users by offering a declarative job specification language, name service integration, real-time job monitoring, and tools to analyze and simulate system behavior.”
While Kubernetes offers users a way to automate the deployment, scaling, and management of applications, it presents complexities. "Kubernetes clusters can be complex to secure and are often abused in compromises that exploit their misconfigurations,” the U.S. Cybersecurity and Infrastructure Security Agency and U.S. National Security Agency said in the advisory “Kubernetes Hardening Guidance.”
In February 2018, researchers at RedLock discovered that attackers had infiltrated Tesla’s Kubernetes console which wasn’t password protected. “Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry,” RedLock researchers said.
According to RedLock researchers, attackers in the Tesla case stole the computing power for crypto mining from within one of Tesla’s Kubernetes pods. The researchers added that the attackers used the following evasion techniques to hide the illicit crypto mining:
. The attackers didn’t use a well-known public “mining pool” in this attack, making it difficult for standard IP/domain-based threat intelligence feeds to detect the malicious activity.
. The attackers hid the true IP address of the mining pool server behind a free content delivery network (CDN) service, making IP address-based detection of crypto mining activity difficult.
. The mining software was configured to listen on a non-standard port, making it difficult to detect malicious activity based on port traffic.
. The attackers configured the mining software to keep the usage low to evade detection.
Common Sources of Compromise in Kubernetes
According to the U.S. Cybersecurity and Infrastructure Security Agency and U.S. National Security Agency, the three common sources of compromise in Kubernetes are malicious threat actors, supply chain risks, and insider threats.
Malicious Threat Actors
According to the U.S. Cybersecurity and Infrastructure Security Agency and U.S. National Security Agency, malicious threat actors often target the following Kubernetes architecture components for remote exploitation: the control plane, worker nodes, and containerized applications.
The Kubernetes control plane is used to track and manage the cluster. The agencies said a Kubernetes control plane lacking appropriate access controls is often taken advantage of by attackers.
The Kubernetes worker nodes host the kubelet and kube-proxy service. According to the said agencies, worker nodes are potentially exploitable by attackers.
The agencies added that the containerized applications running inside the Kubernetes cluster are common targets. "An actor can then pivot from an already compromised Pod or escalate privileges within the cluster using an exposed application’s internally accessible resources,” the agencies said.
Supply Chain Risks
In supply chain risks, attackers may compromise third-party software and vendors used to create and manage the Kubernetes cluster.
A malicious third-party application running in Kubernetes could provide attackers with a foothold. The compromise of the underlying systems (software and hardware) hosting Kubernetes could provide attackers with a foothold as well.
Insider Threats
Insider threats refer to individuals from within the organization who use their special knowledge and privileges against Kubernetes clusters. These individuals can be administrators, users, and cloud service or infrastructure providers.
According to the U.S. Cybersecurity and Infrastructure Security Agency and U.S. National Security Agency, Kubernetes administrators have control over the Kubernetes environment, giving them the ability to compromise the Kubernetes environment.
Users who have knowledge and credentials to access containerized services in the Kubernetes cluster could compromise the Kubernetes environment as well. Cloud service or infrastructure providers, meanwhile, have access to the physical systems or hypervisors managing Kubernetes nodes, and this access could be used to compromise a Kubernetes environment.
Cybersecurity Best Practices
The U.S. Cybersecurity and Infrastructure Security Agency and U.S. National Security Agency recommend the following best practices in order to protect your organization’s Kubernetes environment:
2021 Top 25 Most Dangerous Software Weaknesses
Software has weaknesses.
The most dangerous software weaknesses are those that are often easy to find, easy to exploit, and can allow attackers to completely take over a system, prevent an application from working, or steal data.
MITRE recently released the 2021 top 25 most dangerous software weaknesses – a demonstrative list of the most dangerous software weaknesses over the previous two calendar years. To create the 2021 list, MITRE used the Common Vulnerabilities and Exposures (CVE) data found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), and the Common Vulnerability Scoring System (CVSS) scores associated with each CVE record.
The Software Weaknesses List
Here are the top 25 most dangerous software weaknesses over the previous two calendar years:
1. Out-of-Bounds Write
Out-of-bounds write, also known as memory corruption, occurs when the software writes data past the end or before the beginning of the intended buffer. This software weakness can result in code execution, corruption of data, or a crash.
2. Improper Neutralization of Input During Web Page Generation
Improper neutralization of input during web page generation, also known as cross-site scripting (XSS), occurs when the software doesn’t neutralize or incorrectly neutralizes user-controllable input before it’s outputted as a web page.
3. Out-of-Bounds Read
Out-of-bounds read occurs when the software reads data past the end or before the beginning of the intended buffer. This software weakness can cause a crash or allow attackers to read sensitive information from other memory locations.
4. Improper Input Validation
Improper input validation occurs when the software receives input or data, but it doesn’t validate or incorrectly validates the input. When a software doesn’t validate input properly, attackers can craft the input in a form that isn’t expected by the rest of the application. This can result in altered control flow, arbitrary code execution, or arbitrary control of a resource.
5. Improper Neutralization of Special Elements used in an OS Command
Improper neutralization of special elements used in an OS command, also known as OS command injection or shell injection, occurs when the software doesn’t neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it’s sent to a downstream component. This can allow attackers to execute dangerous commands directly on the operating system.
6. Improper Neutralization of Special Elements used in an SQL Command
Improper neutralization of special elements used in an SQL command, also known as SQL injection, occurs when the software doesn’t neutralize or incorrectly neutralizes special elements that can modify the intended SQL command when it’s sent to a downstream component. This can allow attackers to alter query logic to bypass security checks, execute system commands, or insert additional statements that modify the back-end database.
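As an added example (not MITRE’s text or any project’s code), here is a minimal Python login lookup in its vulnerable form beside its parameterized fix, run against an in-memory SQLite table with constructed rows. Passwords are stored in plaintext only to keep the example short; real systems store password hashes.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, name, pw):
    """CWE-89: untrusted input is spliced into the SQL text, so a quote in the
    input changes the query's logic instead of being compared as data."""
    query = f"SELECT role FROM users WHERE name = '{name}' AND pw = '{pw}'"
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(conn, name, pw):
    """Parameterized query: the driver binds the values after the statement is
    parsed, so the input can never become part of the SQL grammar."""
    query = "SELECT role FROM users WHERE name = ? AND pw = ?"
    row = conn.execute(query, (name, pw)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    # A password of "' OR '1'='1" turns the WHERE clause into a tautology in
    # the vulnerable version and is just a wrong password in the fixed one.
    print("vulnerable:", login_vulnerable(conn, "nobody", "' OR '1'='1"))
    print("fixed     :", login_fixed(conn, "nobody", "' OR '1'='1"))
```

The fix is the query shape, not input filtering: escaping quotes by hand tends to miss a database’s other special elements, whereas bound parameters are never parsed as SQL at all.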
7. Use After Free
Use after free occurs when the software references memory after it has been freed. This can cause the software to crash, corrupt valid data, or result in the execution of arbitrary code.
8. Improper Limitation of a Pathname to a Restricted Directory
Improper limitation of a pathname to a restricted directory, also known as path traversal, occurs when the software doesn’t properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that’s outside of the restricted directory. This can allow attackers to escape outside of the restricted location to access files or directories that are elsewhere on the system.
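An added example (not MITRE’s or the page’s code) of the check that closes this weakness in Python: percent-decode the user-supplied path first, join it under the document root, canonicalize the result, and confirm it is still beneath the root. The document root and the sample paths are hypothetical.

```python
import os
from urllib.parse import unquote

# Hypothetical document root; the only directory the service may serve from.
ROOT = "/srv/app/files"


def safe_join(root, raw_user_path):
    """Return the canonical path of raw_user_path under root, or None if the
    request would resolve outside root (CWE-22 path traversal)."""
    # Decode URL escapes first, otherwise "..%2f" slips past a textual check.
    user_path = unquote(raw_user_path)
    root_abs = os.path.realpath(root)
    # os.path.join discards root if user_path is absolute; realpath then
    # collapses ".." segments and follows symlinks, so the containment test
    # below sees the path the OS would actually open.
    candidate = os.path.realpath(os.path.join(root_abs, user_path))
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed requests: two legitimate, three that attempt to escape.
    for p in ("reports/q1.pdf", "reports/../q2.pdf",
              "../../etc/passwd", "..%2F..%2Fetc%2Fpasswd", "/etc/passwd"):
        print(f"{p:28} -> {safe_join(ROOT, p)}")
```

Checking the canonical path with commonpath rather than with a string prefix matters: a prefix test would accept a sibling directory such as /srv/app/files-old, while commonpath only accepts paths whose every component sits under the root.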
9. Cross-Site Request Forgery (CSRF)
Cross-site request forgery occurs when the web application doesn’t or can’t sufficiently verify a valid request provided by the user. This can allow attackers to trick a client into making an unintentional request to the web server which will then be treated as a valid request.
10. Unrestricted Upload of File with Dangerous Type
Unrestricted upload of file with dangerous type occurs when the software allows the uploading or transferring of files of dangerous types which can be automatically processed within the software’s environment.
11. Missing Authentication for Critical Function
Missing authentication for critical function occurs when the software doesn’t perform any authentication for functionality that requires a valid user identity. This can allow attackers to read or modify sensitive data, access administrative or other privileged functionality, or execute arbitrary code.
12. Integer Overflow or Wraparound
An integer overflow or wraparound occurs when the software performs a calculation in which the logic assumes that the resulting value will always be larger than the original value. This can allow attackers to introduce other weaknesses when the calculation is used for execution control or resource management.
13. Deserialization of Untrusted Data
Deserialization of untrusted data occurs when the software deserializes untrusted data without sufficiently verifying that the resulting data will be valid. An assumption that the code in the deserialized object is valid is susceptible to exploitation. Attackers can change unexpected objects or data that was assumed to be safe from modification.
14. Improper Authentication
Improper authentication occurs when the software doesn’t prove or insufficiently proves that the user’s identity is correct.
15. NULL Pointer Dereference
NULL pointer dereference occurs when the software dereferences a pointer that it expects to be valid, but is NULL, causing an exit or crash.
16. Use of Hard-coded Credentials
The use of hard-coded credentials creates a software weakness that allows attackers to bypass the authentication that has been configured by the software administrator.
17. Improper Restriction of Operations within the Bounds of a Memory Buffer
Improper restriction of operations within the bounds of a memory buffer, also known as buffer overflow, occurs when the software performs operations on a memory buffer, but it can write to or read from a memory location that’s outside of the intended boundary of the buffer. This can allow attackers to change the intended control flow, execute arbitrary code, cause the system to crash, or read sensitive information.
18. Missing Authorization
Missing authorization occurs when the software doesn’t perform an authorization check when a user attempts to access a resource. This can allow attackers to read or modify sensitive data, or gain privileges by modifying or reading critical data directly or by accessing privileged functionality.
19. Incorrect Default Permissions
Incorrect default permissions occur when, during installation of the application, file permissions are set so that anyone can modify the installed files. This can allow attackers to read or modify application data.
20. Exposure of Sensitive Information to an Unauthorized Actor
Exposure of sensitive information to an unauthorized actor, also known as information leak, occurs when the software exposes sensitive information to a user that isn’t explicitly authorized to have access to that information.
21. Insufficiently Protected Credentials
Insufficiently protected credentials occur when the software transmits or stores authentication credentials, but it uses an insecure method. This can allow attackers to gain access to user accounts and access sensitive data.
22. Incorrect Permission Assignment for Critical Resource
Incorrect permission assignment for critical resource occurs when the software specifies permissions for a security-critical resource, allowing the resource to be read or modified by attackers.
23. Improper Restriction of XML External Entity Reference
Improper restriction of XML external entity reference occurs when the software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control. Common consequences of this software weakness include attackers being able to access arbitrary files on the system, or causing consumption of excessive CPU cycles or memory using a URI that points to a large file, or to a device that always returns data, such as /dev/random.
24. Server-Side Request Forgery (SSRF)
According to MITRE, in server-side request forgery, the “web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.” A real-world example of server-side request forgery attack allowed attackers to request a URL from another server, including other ports, which allowed proxied scanning.
25. Improper Neutralization of Special Elements used in a Command
Improper neutralization of special elements used in a command occurs when data from an untrusted source enters the application and is executed as a command by the application. This gives attackers privileges or capabilities that they would not otherwise have.
Anatomy of a Breach
The fallout of a breach is serious.
In recent months, the seriousness of a breach fallout has been shown in the cyber incidents at SolarWinds, Colonial Pipeline, and Kaseya.
In December 2020, in a SEC filing, SolarWinds said it was a victim of a supply chain attack in which the company’s Orion software build system was breached. The company said 18,000 customers were affected. In its First Quarter 2021 Preliminary Financial Results, SolarWinds said it spent between $18 million and $19 million in the first quarter of 2021 to investigate and remediate the breach incident.
In May 2021, Colonial Pipeline disclosed that it responded to a ransomware attack on its system by proactively taking certain systems offline and temporarily halting all pipeline operations. The company also paid the ransomware attackers $5 million.
Just this month, Kaseya disclosed that 60 customers, all of which were using the Kaseya VSA on-premises product and many of which provide IT services to multiple other companies, were impacted by the ransomware attack on Kaseya.
The ransomware attack on Kaseya affected 1,500 downstream businesses. Swedish supermarket Coop, one of the affected businesses, temporarily halted its operations due to the attack on Kaseya.
In a breach, the turmoil that happens in the background doesn’t make it into the breached company’s press statement. This includes staff confusion about what happened and a barrage of customers trying to reach a company representative to find out what actually transpired.
How Hackers Break In
In the case of the SolarWinds breach, SolarWinds CEO Sudhakar Ramakrishna said a SolarWinds email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in technical and business roles. “By compromising credentials of SolarWinds employees, the threat actors were able to gain access to and exploit our Orion development environment,” Ramakrishna said.
In the case of the Colonial Pipeline breach, Charles Carmakal, senior vice president at cybersecurity firm Mandiant told Bloomberg that attackers were able to initially compromise Colonial Pipeline systems through a dormant VPN account.
The VPN account, which has since been deactivated, didn’t use multi-factor authentication (MFA), Carmakal said. It isn’t clear how the attackers got hold of the VPN account password. The password, however, is part of the leaked passwords on the dark web.
In the case of the Kaseya breach, researchers at Cisco Talos Intelligence Group reported that the initial compromise of Kaseya VSA servers appears to have been the result of the successful exploitation of an unpatched software vulnerability, CVE-2021-30116. This vulnerability in Kaseya VSA before 9.5.7 allows credential disclosure. In the Kaseya breach, the attackers used the credential disclosure to gain privileged access to vulnerable Kaseya VSA servers for the purpose of ransomware deployment.
Stages of a Breach
Stage 1: Initial Foothold
As shown in the above-mentioned breaches, attackers used different initial entry tactics to gain a foothold in their victims’ systems. In the case of the SolarWinds breach, the attackers gained initial entry to the company’s systems by compromising an email account.
In the case of the Colonial Pipeline breach, the attackers gained initial entry to the company’s systems through a dormant VPN account that was unprotected by MFA. In the case of the Kaseya breach, the attackers gained initial entry to the company’s systems through an unpatched software vulnerability.
Stage 2: Gaining Elevated Control
Once attackers gain an initial foothold on the victim’s systems, they then aim to escalate their privileges. Attackers may take control of the local system, or look for other systems that offer a greater chance of gaining access to valuable data or administrative privileges.
Keyloggers and network scanning are two tactics used by attackers to gain elevated control. A keylogger is a type of malicious software (malware) that records the keys the user presses. Through a keylogger, attackers capture the user’s other usernames and passwords.
In network scanning, attackers catalog the systems that can be accessed. These include services, host machines, and resources that are active on the victim’s network.
Stage 3: Expanding to the Network
After gaining elevated control, attackers install a permanent backdoor or alternate mechanism for long-term access to the systems. Botnet and living off the land are two of the tactics often used by attackers at this stage.
In the botnet tactic, the compromised computer is infected with malware and made part of a group of infected computers controlled by the attackers for malicious activities such as distributed denial-of-service (DDoS) attacks. In living off the land, meanwhile, attackers utilize native resources, as opposed to malware, giving the attackers the freedom to come and go and move around the networks undetected, staying off the radar of security systems.
Stage 4: Staying for the Short or Long Term
After expanding to the network, the attackers may stay for either the short or the long term. The length of the period depends on the attackers’ motivation, whether for fame, money, revenge, or political reasons.
For attackers who wish to stay on the compromised network for the long term, a backdoor is often employed. A backdoor is an entry point into a network or system that allows the attackers continued access.
For attackers who wish to stay on the compromised network for the short term only, the smash-and-grab technique is used: after compromising the system, they steal data and quickly leave.
Growing SaaS Misconfiguration Threat
The 2021 SaaS Security Survey Report by Tel Aviv-based security company Adaptive Shield showed that SaaS misconfiguration is one of the top threats faced by today’s enterprises.
Adaptive Shield’s 2021 SaaS Security Survey, which surveyed 300 InfoSecurity professionals from North America and Western Europe in companies of 500+ employees, found that cybersecurity professionals recognize SaaS misconfiguration as the number 3 cloud risk, following account hijacking (number one) and data leakage (number two).
What is SaaS?
SaaS, short for software as a service, is software delivered as a service over the internet. Traditional software needs to be bought, installed on the user’s computer, and then maintained and updated.
SaaS, meanwhile, runs on the provider’s servers and the SaaS provider does all the maintenance required for security, making the software available to users, and improving the performance of the software. In SaaS, all that’s required from the user is to access the software over the internet.
SaaS misconfiguration is a product of human error: leaving the SaaS account accessible over the internet by everyone without authentication or adequate security.
Deeper Problems Behind SaaS Misconfiguration
The SaaS misconfiguration threat is even greater, as other cloud risks such as account hijacking and data leakage can also be the result of misconfiguration.
Adaptive Shield’s 2021 SaaS Security Survey showed that 85% of companies recognize SaaS misconfiguration as one of the top threats. The survey found that only 12% of companies with 50-99 applications check these apps on a weekly basis, showing that the more apps a company has, the less often it checks security settings and permissions for misconfigurations.
The survey also found that 52% of companies delegate the task of securing the app to SaaS users, such as staff in the Sales, Marketing, or Product departments – individuals who are unlikely to be trained in SaaS security and compliance.
The survey also found that one in four companies reports that departments outside of IT security have access to SaaS app security settings. “Any human error by the SaaS owner, who is often not trained in security, can lead to an increase in SaaS security misconfigurations,” Adaptive Shield said.
Prevalence of SaaS Misconfigurations
In a January 2019 disclosure, security researcher Avinash Jain found in NASA’s Jira a misconfiguration issue that caused the leakage of NASA’s internal sensitive information, including internal user details, project details, employee names, and employee email IDs.
Jira is a task tracking system/project management software used, not just by NASA but also by Fortune 500 companies and over a hundred thousand companies and organizations worldwide.
In an August 2019 disclosure, Jain said NASA wasn’t the only organization that leaked its data due to Jira misconfiguration. Jain said thousands of companies using JIRA inadvertently exposed their internal user data and internal project details.
“When the filters and dashboards for the projects/issues are created in JIRA, then by default the visibility is set to ‘All users’ and ‘Everyone’ respectively, which instead of sharing with everyone of the organizations (which people think and interpret), it shares them publicly,” Jain said. “There is also a user picker functionality in Jira which gives a complete list of every user’s username and email address. This information disclosure is the result of an authorization misconfiguration in Jira’s Global Permissions settings.”
According to Jain, anyone with the link can access the exposed critical data over the internet, and because said data are being indexed by all the search engines, anyone can easily find these critical data online with some simple search queries.
In another example of SaaS misconfiguration, in an April 2019 disclosure, Citrix said that it was contacted by the FBI, saying that they had reason to believe that cybercriminals gained access to the internal Citrix network.
Citrix added that the FBI has advised them that the hackers likely used a tactic known as password spraying. “Once they gained a foothold with limited access, they worked to circumvent additional layers of security,” Citrix said in a statement.
In password spraying, attackers acquire a list of usernames or accounts and attempt to sign into all of them using a set of the most popular or most likely passwords until they get a correct username and password combination. In the blog post "Protecting your organization against password spray attacks,” Diana Kelley, Cybersecurity Field CTO at Microsoft, said password spray is a popular tactic among attackers as they only need one successful password and username combination.
“Once they have it, they can access whatever the user has access to, such as cloud resources on OneDrive,” Kelley said. “Or use the exploited account to do internal reconnaissance on the target network and get deeper into the systems via elevation of privilege.”
Cybersecurity Best Practices
The COVID-19 restrictions imposed in different parts of the world prompted many companies and organizations to adopt SaaS with little consideration for security. Here are some of the cybersecurity best practices in preventing and mitigating the effects of SaaS misconfigurations:
Authorities Warn of Active Global Campaign Leveraging Brute Force Technique
Authorities in multiple countries, including Canada, the US and the UK have warned of an ongoing global campaign leveraging brute force technique targeting enterprise and cloud environments.
Cybersecurity centers in the UK (National Cyber Security Centre), Canada (Canadian Centre for Cyber Security), and the US (National Security Agency, Cybersecurity and Infrastructure Security Agency, and Federal Bureau of Investigation) warned of the global brute force campaign that’s being carried out to gain access to enterprise and cloud environments of targeted organizations.
What Is Brute Force Attack?
Brute force is a type of cyberattack that uses the trial-and-error method in guessing the correct username and password combination.
Brute force is often used interchangeably with password spray. In the blog post "Protecting your organization against password spray attacks," Diana Kelley, Cybersecurity Field CTO at Microsoft, said that brute force is targeted, while password spray is the opposite.
In a brute force attack, a hacker goes after specific users and tries as many passwords as possible using either a full dictionary or one that’s edited to common passwords, Kelley said. In password spray, meanwhile, Kelley said a hacker acquires a list of accounts and attempts to sign into all of them using a small subset of the most popular, or most likely, passwords until a hit is made.
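The distinction Kelley draws (brute force: one account, many passwords; password spray: many accounts, few passwords each) maps directly onto a detection rule. The following is an added example, not code from the original post or from Microsoft: it classifies per-source sign-in failures as spray or brute force, and adds a source-independent check for the distributed case in which each attempt arrives from a different TOR exit or VPN address. The simplified log format and all log lines are constructed for the example.

```python
from collections import defaultdict

# Constructed sign-in log: "<timestamp> <source_ip> <username> <result>".
SAMPLE_LOG = "\n".join(
    # Spray: one source, a single failed attempt against each of 12 accounts.
    [f"2021-07-01T08:00:{i:02d}Z 203.0.113.7 user{i:02d} FAIL" for i in range(12)]
    # Brute force: one source, 15 failed attempts against a single account.
    + [f"2021-07-01T08:05:{i:02d}Z 198.51.100.9 carol FAIL" for i in range(15)]
    # Benign: a user mistypes twice, then signs in.
    + ["2021-07-01T08:10:00Z 192.0.2.5 dave FAIL",
       "2021-07-01T08:10:05Z 192.0.2.5 dave FAIL",
       "2021-07-01T08:10:09Z 192.0.2.5 dave SUCCESS"]
)

# Constructed distributed spray: each account is tried once, from a different IP.
SAMPLE_ROTATED = "\n".join(
    f"2021-07-01T09:00:{i:02d}Z 203.0.113.{100 + i} user{i:02d} FAIL" for i in range(10)
)


def parse_log(text):
    """Yield (timestamp, source_ip, username, result) for each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            ts, src, user, result = line.split()
            yield ts, src, user, result


def failure_stats(text):
    """Per source IP: {username: number of failed sign-ins}."""
    fails = defaultdict(lambda: defaultdict(int))
    for _ts, src, user, result in parse_log(text):
        if result == "FAIL":
            fails[src][user] += 1
    return fails


def classify_source(per_user, spray_users=10, spray_max_per_user=3, brute_min_attempts=10):
    """Label one source's failure profile.

    'brute'  : a single account hit many times (targeted)
    'spray'  : many distinct accounts, each tried only a few times
    'normal' : neither threshold reached (thresholds are illustrative)
    """
    if not per_user:
        return "normal"
    heaviest = max(per_user.values())
    if heaviest >= brute_min_attempts:
        return "brute"
    if len(per_user) >= spray_users and heaviest <= spray_max_per_user:
        return "spray"
    return "normal"


def classify_log(text, **thresholds):
    """Map each source IP in the log to 'brute', 'spray' or 'normal'."""
    return {src: classify_source(per_user, **thresholds)
            for src, per_user in failure_stats(text).items()}


def distributed_spray(text, min_accounts=10, max_per_account=3):
    """Spray signal independent of source IP: many accounts, each failing only
    a few times across the whole log. Per-source grouping misses this when the
    attacker rotates exit addresses, as the advisory's Kubernetes cluster did."""
    per_user = defaultdict(int)
    for _ts, _src, user, result in parse_log(text):
        if result == "FAIL":
            per_user[user] += 1
    lightly_hit = [u for u, n in per_user.items() if n <= max_per_account]
    return len(lightly_hit) >= min_accounts


if __name__ == "__main__":
    for src, label in classify_log(SAMPLE_LOG).items():
        print(f"{src:15} {label}")
    print("rotated sources, per-source view:", classify_log(SAMPLE_ROTATED))
    print("rotated sources, distributed view:", distributed_spray(SAMPLE_ROTATED))
```

In production the windowing would be by time rather than the whole log, and failures would be read from the identity provider's sign-in logs rather than a flat file.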
In a Joint Cybersecurity Advisory [PDF], the UK’s National Cyber Security Centre and US security agencies (National Security Agency, Cybersecurity and Infrastructure Security Agency, and Federal Bureau of Investigation) said that from at least mid-2019 through early 2021, attackers used a Kubernetes cluster to conduct “widespread, distributed, and anonymized brute force access attempts” against hundreds of organizations worldwide. To hide the attacks’ true origin, the attackers’ Kubernetes cluster normally routed brute force authentication attempts through TOR and commercial VPN services, including CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark, and WorldVPN.
Kubernetes is an open-source software that allows the deployment and management of containerized applications at scale. A Kubernetes cluster, meanwhile, contains a control plane and one or more compute machines or nodes.
According to the Joint Cybersecurity Advisory, the brute force attacks targeted organizations using Microsoft Office 365 cloud services, as well as other service providers and on-premises email servers using a variety of different protocols.
“This brute force capability allows the … actors to access protected data, including email, and identify valid account credentials,” the Joint Cybersecurity Advisory said. “Those credentials may then be used for a variety of purposes, including initial access, persistence, privilege escalation, and defense evasion.”
The Joint Cybersecurity Advisory said the attackers collected email from Office 365 using a compromised valid service account with elevated privileges, and that the attackers used certutil.exe, a known "Living Off the Land" technique, to transfer a file into a target environment.
Exploitation of Known Vulnerabilities
The Joint Cybersecurity Advisory pointed out that once the attackers obtained credentials through brute force, they exploited various other known vulnerabilities to gain further access and move laterally through the target network. Publicly known vulnerabilities such as CVE-2020-0688 and CVE-2020-17144 were exploited by the attackers.
CVE-2020-0688 is a remote code execution vulnerability in Microsoft Exchange Server. This vulnerability exists when the server fails to properly create unique keys at install time. “Knowledge of a validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM,” Microsoft said in an advisory.
CVE-2020-17144, meanwhile, is another remote code execution vulnerability in Microsoft Exchange. The vulnerability is caused by improper validation of cmdlet arguments.
The Joint Cybersecurity Advisory said that the exploitation of Microsoft Exchange servers occurred after valid credentials were identified through the brute force campaign, as these vulnerabilities, CVE-2020-0688 and CVE-2020-17144, require authentication as a valid user.
Cybersecurity Best Practices
The Canadian Centre for Cyber Security, for its part, said it is highlighting the Joint Cybersecurity Advisory detailing the global brute force campaign to compromise enterprise and cloud environments because it is important for the system owners and operators responsible for defending their systems and networks from cyber threats.
Brute force attacks can be prevented or mitigated through the following cybersecurity best practices:
Microsoft’s security updates address the security vulnerabilities CVE-2020-0688 and CVE-2020-17144. It is, therefore, important to keep all software, in this case Microsoft Exchange, up to date to prevent further escalation of the malicious actors’ attack once they are able to break into your organization’s network through a brute force campaign.
It’s also important to consider denying all inbound activity from known TOR nodes and other public VPN services to Exchange servers or portals where this inbound activity isn’t associated with typical use.
Western Digital (WD) Hard Drives Remotely Wiped Clean Worldwide
Users worldwide of Western Digital (WD) hard drives, specifically My Book Live and My Book Live Duo devices, found their hard drives being wiped clean remotely last June 23.
Last June 24, a WD user named “sunpeak” started a thread on WD Community forum stating that all the data on his WD My Book Live device is gone. “Previously the 2T volume was almost full but now it shows full capacity,” sunpeak said.
Hundreds of WD My Book Live and My Book Live Duo users echoed sunpeak, stating that their devices had been wiped clean remotely as well.
“It is very scary that someone can do factory restore the drive without any permission granted from the end user,” sunpeak said. The thread starter said he found this user.log on the affected device:
Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:30 MyBookLive _: pkg: networking-general
Jun 23 16:02:30 MyBookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 MyBookLive _: pkg: date-time
Jun 23 16:02:31 MyBookLive _: pkg: alerts
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
Another WD user added this message to the thread: “All my data is gone too. Message in GUI says it was ‘Factory reset’ today! 06/23. I am totally screwed without that data … years of it.”
Western Digital Statement
Last June 25, US-based company Western Digital recommended that users disconnect their My Book Live and My Book Live Duo devices from the internet to protect the data on these devices. My Book Live and My Book Live Duo devices were introduced to the market in 2010, and these devices received their final firmware update in 2015.
“Western Digital has determined that some My Book Live devices are being compromised by malicious software,” Western Digital said. “In some cases, this compromise has led to a factory reset that appears to erase all data on the device.”
According to Western Digital, the log files that they’ve reviewed show that the attackers directly connected to the affected My Book Live and My Book Live Duo devices from a variety of IP addresses in different countries. The company said this shows that the affected devices were directly accessible from the internet, via direct connection or port forwarding that was enabled either manually or automatically via UPnP.
“Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability,” Western Digital said.
The specific remote command execution vulnerability referred to by Western Digital is CVE-2018-18472: all versions of Western Digital (WD) My Book Live have a root Remote Command Execution bug via shell metacharacters in the /api/1.0/rest/language_configuration language parameter. This security vulnerability can be triggered by anyone who knows the IP address of the affected device. A proof-of-concept on how to exploit CVE-2018-18472 is publicly available.
As the last firmware update for WD My Book Live and My Book Live Duo devices was released in 2015, CVE-2018-18472, disclosed three years later, was never addressed by WD in a firmware update.
Other Cyberattacks Affecting Hard Drives/Backups
WD My Book Live and My Book Live Duo devices attach to a network; as such, they’re known as network-attached storage (NAS) devices. Other examples of NAS devices are those made by Taiwanese corporation QNAP Systems, Inc.
In the past few years, QNAP NAS devices have been the target of malicious actors. In 2019, researchers at Intezer detected the malicious software known as QNAPCrypt.
“QNAP is a well-known vendor for selling NAS servers, which the malware was intended to infect and encrypt the containing files for ransom,” researchers at Intezer said. “NAS servers normally store large amounts of important data and files, which make them a valuable target for attackers and especially a viable target for ransomware campaigns.”
In 2014, researchers at FireEye observed cyberattackers attempting to exploit the BASH remote code injection vulnerability against QNAP NAS devices.
“These attacks result in the hackers having a root level remote shell, gaining full access to the contents of the NAS,” FireEye researchers said. “NAS systems are used by enterprises to store large volumes of files and house databases, as well as by consumers for personal storage. This makes NAS an attractive target for attackers given the broad types of data they handle. In this case, the attackers can gain full access to the NAS contents as well as execute other commands.”
Cybersecurity Best Practices
The deletion of enormous amounts of data on WD My Book Live and My Book Live Duo devices is a lesson learned for many users.
Network-attached storage (NAS) devices, including WD My Book Live and My Book Live Duo devices and QNAP devices, are becoming the target of cyberattackers due to the wealth of data that these devices hold.
It is important to practice the time-honored 3-2-1 backup rule. This rule states that your organization needs to have 3 copies of critical data (one production data and 2 backup copies), with two copies in different media, and one copy kept offsite for disaster recovery.
Living off the land has become standard practice in today’s cyberattacks intent on evading security solutions.
The living off the land attack takes its name from the “living off the land” way of life, that is, living by eating only the food that one produces from the land.
In the cybersecurity context, a living off the land cyberattack refers to turning legitimate programs and processes into tools for nefarious activities. Living off the land enables cyberattackers to blend into victims’ networks and hide among the legitimate programs and processes to carry out a stealthy attack. Traditional security solutions often ignore living off the land attacks, as these activities are considered legitimate activities coming from legitimate programs and processes.
Astaroth: Example of a Malware that Lives Off the Land
Astaroth is an example of malicious software (malware) that completely lived off the land to avoid detection. Astaroth is an info-stealing malware that abuses various legitimate Windows processes in an attempt to run undetected on computers running the Windows operating system.
In the blog post "Latest Astaroth living-off-the-land attacks are even more invisible but not less observable," the Microsoft Defender Security Research Team said it started seeing the updated attack chain of Astaroth in late 2019. In mid-2019, the Microsoft Defender Security Research Team observed an unusual spike in activities related to Windows Management Instrumentation Command-line (WMIC), prompting the team to investigate; the team found that the unusual spike in WMIC-related activity was part of the Astaroth attack chain.
WMIC provides a command-line interface for Windows Management Instrumentation (WMI) – referring to the infrastructure for management data and operations on Windows operating systems.
The Microsoft Defender Security Research Team said that after the WMIC abuses were exposed, Astaroth now completely avoids WMIC and instead introduced new living off the land techniques that make the attack chain even stealthier, such as abusing Alternate Data Streams (ADS) and abusing the legitimate process ExtExport.exe.
Alternate Data Streams (ADS) is a feature of the Windows operating system that contains metadata for locating a specific file by title or author. ExtExport.exe, meanwhile, is a feature that ships with Internet Explorer to run a file. The Microsoft Defender Security Research Team said that Astaroth uses ExtExport.exe to load a malicious payload, while ADS is used to hide malicious payloads.
Other Examples of Living Off the Land Attacks
In the report “The Active Adversary Playbook 2021,” Sophos found that PowerShell and PsExec are among the top 3 legitimate tools used by cyberattackers in 2020 and early 2021. PowerShell and PsExec are legitimate Windows operating system tools used by system administrators.
PowerShell is an interactive command-line interface and scripting environment included in the Windows operating system, while PsExec is a Windows tool that can be used to execute a program on another computer. Microsoft said, “PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems.”
According to Mitre, PowerShell commands and scripts have been known to execute malicious payloads, create new tasks on remote machines, identify configuration settings, evade defenses, exfiltrate data, pull Active Directory information from the target environment, issue interactive commands over a network connection, and access credential data.
Mitre reported that PsExec has been abused to download or upload a file over a network share, write programs to the ADMIN$ network share to execute commands on remote systems, and execute binaries on remote systems using a temporary Windows service.
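Two of the living off the land behaviours described on this page, certutil.exe transferring a file into the environment (the Joint Cybersecurity Advisory above) and PsExec executing binaries on remote systems via a temporary service whose binary is written to ADMIN$ (the Mitre description just given), can be matched in endpoint telemetry. The following is an added example, not code from the article, the advisory, Sophos or Mitre: it assumes process-creation and service-install events already normalised into dicts, and every event record below is constructed.

```python
import re

# PsExec's default service name and binary; operators can rename it, so the
# ADMIN$-root check below (ADMIN$ maps to the Windows directory) is the more
# durable signal. Both thresholds are illustrative heuristics.
PSEXEC_SERVICE = "PSEXESVC"
ADMIN_SHARE_ROOT = re.compile(r"^[A-Za-z]:\\Windows\\[^\\]+\.exe$", re.IGNORECASE)
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def check_process(ev):
    """Finding for a suspicious process-creation event, else None.

    certutil.exe is a certificate tool; a URL on its command line means it is
    being used to pull a file from the network, the use the advisory describes.
    """
    image = ev.get("image", "").lower()
    cmdline = ev.get("cmdline", "")
    if image.endswith("\\certutil.exe") and URL_RE.search(cmdline):
        return f"certutil.exe fetching from a URL on {ev['host']}: {cmdline}"
    return None


def check_service(ev):
    """Finding for a suspicious service-install event, else None."""
    name = ev.get("service", "")
    image = ev.get("image", "")
    if name.upper() == PSEXEC_SERVICE:
        return f"PsExec service '{name}' installed on {ev['host']}"
    if ADMIN_SHARE_ROOT.match(image):
        # Legitimate services keep their binaries in subdirectories such as
        # System32; a binary directly in the ADMIN$ root is how PsExec-style
        # remote execution stages its service executable.
        return f"service '{name}' runs a binary dropped in ADMIN$ root on {ev['host']}: {image}"
    return None


CHECKS = {"process": check_process, "service_install": check_service}


def find_lotl(events):
    """Run the matching check on each event and collect the findings."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev.get("type"))
        finding = check(ev) if check else None
        if finding:
            findings.append(finding)
    return findings


# Constructed events (argument details in the certutil command line omitted).
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe ... http://203.0.113.7/update.dat C:\Users\Public\update.dat"},
    {"type": "process", "host": "ws01", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -verify C:\certs\corp.cer"},           # benign local use
    {"type": "service_install", "host": "srv02", "service": "PSEXESVC",
     "image": r"C:\Windows\PSEXESVC.exe"},
    {"type": "service_install", "host": "srv02", "service": "svc_tmp",
     "image": r"C:\Windows\tmp123.exe"},                              # renamed PsExec-style
    {"type": "service_install", "host": "srv02", "service": "Spooler",
     "image": r"C:\Windows\System32\spoolsv.exe"},                    # benign
]

if __name__ == "__main__":
    for finding in find_lotl(SAMPLE_EVENTS):
        print(finding)
```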
Windows legitimate features aren’t the only programs abused by attackers in living off the land attacks. Third-party programs are also abused by living off the land attackers.
In 2017, the Petya (also known as NotPetya) malware spread worldwide via tainted accounting software from the Ukraine-based company MeDoc. In 2020, researchers at Sophos reported that the group behind the ransomware called "RobbinHood" used a signed driver, part of a now-deprecated software package published by Taiwan-based motherboard manufacturer Gigabyte, as a means to load a second, unsigned driver into Windows.
“This second driver then goes to great lengths to kill processes and files belonging to endpoint security products, bypassing tamper protection, to enable the ransomware to attack without interference,” Sophos said.
Living off the land attackers recently tainted SolarWinds software, affecting thousands of SolarWinds customers who downloaded the tainted version of the software.
Cybersecurity Best Practices
Here are some of the cybersecurity best practices in preventing and mitigating the effects of living off the land attacks:
Switch off or remove unneeded programs
Steve E. Driz, I.S.P., ITCP