Thought leadership. threat analysis, news and alerts.
Extent of the Supply Chain Attack on SolarWinds Orion Platform Software
In the past few days, details about the supply chain attack on the SolarWinds Orion Platform software have slowly unfolded, highlighting the dangers of this type of cyberattack.
What Is a Supply Chain Attack?
Supply chain attack is a type of cyberattack in which attackers maliciously change the source code of a software with the goal of compromising the end users of the said software.
In a statement, SolarWinds said it was a victim of a supply chain attack in which a still unknown attacker inserted a malicious software (malware) dubbed as “Sunburst” within SolarWinds Orion Platform software. According to SolarWinds, versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 of its Orion Platform software were compromised with the Sunburst malware.
Customers of SolarWinds that downloaded and installed the company’s Orion Platform software versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are at risk. If present and activated, the Sunburst malware, according to SolarWinds, “could potentially allow an attacker to compromise the server on which the Orion products run.”
The effects of a compromised server hosting the Sunburst malware is far and wide as SolarWinds Orion Platform software is specifically meant as a centralized monitoring and management software to keep track of all IT resources, including servers, workstations, mobile devices, and IoT devices.
Cybersecurity firm FireEye first discovered the Sunburst malware. The company is also responsible for naming this malware as “Sunburst.” Microsoft, meanwhile, refers to this malware as “Solorigate.” FireEye and Microsoft both admitted that they have been part of the victims of the supply chain attack on SolarWinds Orion Platform software.
Microsoft, in a statement, said: “Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.”
In the case of FireEye, the attacker stole the company’s “Red Team assessment tools.” According to FireEye, the stolen Red Team assessment tools are used to test its customers’ security.
“These tools [Red Team assessment tools] mimic the behavior of many cyber threat actors and enable FireEye to provide essential diagnostic security services to our customers,” FireEye said. “None of the tools contain zero-day exploits.”
According to FireEye, the Sunburst malware campaign may have started as early as Spring 2020 and is currently ongoing. In analyzing the Sunburst malware, FireEye said that after this malware is installed on the victim’s server, it stays dormant for up to two weeks. After this dormant period, the malware retrieves and executes commands, called “Jobs,” enabling transfer files, execute files, profile the system, reboot the machine, and disable system services.
FireEye added that the Sunburst malware hides its network traffic as the Orion Improvement Program (OIP) protocol “stores reconnaissance results within legitimate plugin configuration files,” allowing this malware to blend in with legitimate SolarWinds activity.
According to FireEye, victims of Sunburst malware include government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East. “We anticipate there are additional victims in other countries and verticals,” FireEye said.
In analyzing the Solorigate malware, Microsoft said that the malicious code inserted into SolarWinds Orion Platform software consists of nearly 4,000 lines of code. “The fact that the compromised file is digitally signed suggests the attackers were able to access the company’s software development or distribution pipeline,” said Microsoft 365 Defender Research Team and Microsoft Threat Intelligence Center in the blog post "Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers."
“Evidence suggests that as early as October 2019, these attackers have been testing their ability to insert code by adding empty classes,” Microsoft 365 Defender Research Team and Microsoft Threat Intelligence Center added. “Therefore, insertion of malicious code into the SolarWinds.Orion.Core.BusinessLayer.dll likely occurred at an early stage, before the final stages of the software build, which would include digitally signing the compiled code. As a result, the DLL containing the malicious code is also digitally signed, which enhances its ability to run privileged actions – and keep a low profile.”
Mitigating Measures Against Supply Chain Attack
In the case of the SolarWinds Orion Platform software supply chain attack, it’s important to apply the update released by SolarWinds. The company offers more details on how to apply the update here.
In case the Sunburst/Solorigate malware is suspected to be inside your organization’s network, it’s important to isolate and block internet access to IT infrastructure where SolarWinds software was installed for further review and investigation.
If isolation isn’t possible, the following mitigating measures should be taken:
Cyberattack Surface Widens As World Sees Increase in Remote Work
With much of the world now working remotely and likely to remain this way after the COVID-19 pandemic, the attack surface that could be exploited by cyberattackers has widened, a new study showed.
A new study by RiskIQ showed that with much of the global economy being run from homes, attackers now have far more access points to probe and exploit. Attack surface, as defined in the study, refers to everything that needs defending, starting from inside the corporate network and extending all the way to the internet and into the homes of workers working from home. RiskIQ identified the following attack areas:
Web-Based Attack Surface
Across the internet in just over two weeks, RiskIQ observed 2,959,498 new domains (equivalent to 211,392 per day) and 772,786,941 new unique hosts to the web (equivalent to 55,199,067 per day). New domains, also known as new websites, and new unique hosts to the web, according to RiskIQ, represent as possible targets for threat actors.
RiskIQ found that 2,480 of the Alexa top 10,000 domains were running at least one potentially vulnerable web component, and 8,121 potentially vulnerable web components in total were found in the Alexa top 10,000.
To highlight the attack surface faced by organizations, RiskIQ conducted a study on the companies that comprise the FTSE-30 – a group of 30 large-cap organizations in the UK. RiskIQ found that on average, each FTSE-30 organization has 324 expired certs, 25 SHA-1 certs, 743, potential test sites, 28 insecure login forms, 385 total insecure forms, 46 web frameworks with known vulnerabilities, 80 PHP 5.x instances with end of life (EOL) end of the year, and 664 web servers at release levels with known vulnerabilities.
In addition, last March, with the spike of online shopping due to COVID-1, RiskIQ reported that it detected a 30% increase in Magecart skimmers – a type of cyberattack that involves digital credit card theft by skimming online payment forms.
Modern websites are made up of common features such as underlying operating systems, frameworks, third-party applications, plugins, and trackers. "This commonality of approach is attractive to malicious actors, as a successful exploit written for a vulnerability or exposure on one site can be reused across many sites," RiskIQ said.
A recent report from Verizon Data Breach Report, showed that external-facing web applications, in which network security tools have no visibility, were exploited the most by cyberattackers.
Remote Access Attack Surface
According to RiskIQ, the rush to stand up new systems outside the firewall to enable a remote workforce has expanded attack surfaces quicker, with virtual private network (VPN) usage surged 112% over just six weeks, and a 26.11% increase in Microsoft Remote Access Gateway instances, peaking around March 20 when stay-at-home orders took full effect.
RiskIQ found that on average, each FTSE-30 organization has 45 mail servers, 7,790 cloud-hosted apps (Amazon and Azure), 26 potentially vulnerable Citrix Netscaler instances, 8 potentially vulnerable Palo Alto GlobalProtect instances, 9 potentially vulnerable Pulse Connect instances, 25 potentially vulnerable Fortinet instances, and 1,464 remote access service instances.
Mobile Attack Surface
There's more to mobile apps than Apple and Google Play Mobile App Stores as there are hundreds of online stores in which threat actors sell their mobile apps. RiskIQ said malicious actors compromise legitimate apps and launch fake apps in other app store ecosystem and the open internet.
In 2019, RiskIQ found 170,796 blacklisted mobile apps across 120 mobile app stores and the open internet. Eighty-six percent of the blacklisted apps, RiskIQ said, claimed the READ_SMS permission, which allows the app to read messages and can be used for nefarious activities such as circumventing two-factor authentication.
Social Engineering Attack Surface
Social engineering refers to the impersonation of domains, subdomains, landing pages, websites, mobile apps, and social media profiles to trick employees and consumers in installing malicious software (malware) or into giving up login credentials and other personal information.
In the first quarter of 2020, RiskIQ identified 21,496 phishing domains impersonating 478 unique brands. For the same period, it also identified 720,188 instances of domain infringement across 170 unique brands. RiskIQ noted that 317,000 new websites related to “COVID-19” or “coronavirus” in the two weeks between March 9 and 23.
Cybersecurity Best Practices in Securing Your Organization's Attack Surface
Traditional cybersecurity measure uses a firewall that acts as a barrier between a trusted internal network and untrusted external network such as the internet. The COVID-19 pandemic and the resulting government-mandated stay-at-home measure leaving organizations no option but to allow workers to work from home, has widened the attack surface as the boundaries of what are inside the firewall and what are outside the firewall are no longer clear.
Here are some cybersecurity best practices in securing your organization's attack surface:
Whether it's for the web, mobile or operating systems, all software used for these platforms should be kept up to date. Failure to apply the latest software update leaves this attack surface vulnerable for attack.
Malicious actors can simply probe into your organization's vulnerable internet-connected assets by conducting a simple internet scan. It's important to conduct a regular full inventory of these internet-connected assets, determining, for instance, what assets need software update.
Early detection of social engineering attempts that impersonate your organization's domains, subdomains, landing pages, websites, mobile apps, and social media profiles that target your employees and customers and letting them know about these social engineering attempts is one of the effective measures in disrupting
Microsoft Reports Growing Web Shell Attacks
An average of 77,000 web shell attacks are detected each month on an average of 46,000 distinct computers, this according to the latest report released by Microsoft.
What Is a Web Shell?
Web shell is a malicious code that cybercriminals implant on internet-facing servers to remotely access server functions. This malicious code allows criminals to steal data on the compromised internet-facing server or used this compromised server as a stepping stone for further attacks against their victims.
China Chopper is an example of a web shell. It was first discovered in 2012. After nearly a decade after its discovery, China Chopper remains as the most widely used web shell. Researchers at Cisco Talos Intelligence Group said that as China Chopper is widely available, it’s nearly impossible to attribute this form of attack to a particular group.
Analysis of the China Chopper by researchers at Cisco Talos showed that this web shell allows attackers to retain access to an already compromised web server using a client-side application. This client-side application, the researchers said, contains all the logic needed to control the target, making it handy for threat actors to use. The researchers added that China Chopper only targets systems that run a web server application.
Web Shell Attacks
According to Microsoft, a victim of a web shell attack – an organization in the public sector that Microsoft refused to name – enlisted the services of Microsoft’s Detection and Response Team (DART) to conduct full incident response and remediate the said attack before it could cause further damage.
DART’s investigation showed that the unnamed organization’s attackers implanted a web shell in multiple folders of the organization’s web server. This implanted web shell allowed the attackers to compromise the service accounts and domain admin accounts. DART’s investigation also showed that the initial implanted web shell allowed the attackers to look for additional target systems and install web shells on these additional targeted systems.
Threat groups ZINC, KRYPTON, and GALLIUM are known to have used web shells in their cyber-attacks. According to Microsoft, web shell attackers exploit the security vulnerabilities in web applications or web servers, including the lack of the latest security updates, as well as the lack of antivirus tools, lack of network protection, lack of proper security configuration and lack of informed security monitoring. Attacks typically happen during off-hours or weekends, when attacks are likely not immediately spotted and responded to, Microsoft said.
Security vulnerabilities referred to as CVE-2019-16759 and CVE-2019-0604 are some of those exploited by attackers, Microsoft added. Both CVE-2019-16759 and CVE-2019-0604 had been patched by their respective software vendors.
CVE-2019-16759 is a security vulnerability in vBulletin, a proprietary forum software used by more than 100,000 websites, including websites used by major companies and organizations. CVE-2019-0604, meanwhile, is a security vulnerability in Microsoft SharePoint – a web-based platform that integrates with Microsoft Office. Successful exploitation of CVE-2019-0604 allows an attacker to run malicious code in the context of the SharePoint application pool and the SharePoint server farm account.
On April 23, 2019, the Canadian Centre for Cyber Security issued an alert, warning Canadian organizations of the on-going cyber-attacks that first exploit the security vulnerability of Microsoft SharePoint, in particular, CVE-2019-0604, leading to the deployment of the China Chopper web shell. The following unpatched versions of Microsoft SharePoint are known to be affected: Microsoft SharePoint Server 2019, Microsoft SharePoint Server 2010 SP2, Microsoft SharePoint Foundation 2013 SP1 and Microsoft SharePoint Enterprise Server 2016.
"The China Chopper web shell is extensively used by hostile actors to remotely access compromised web-servers, where it provides file and directory management, along with access to a virtual terminal on the compromised device,” the Canadian Centre for Cyber Security said. “As China Chopper is just 4 Kb in size, and has an easily modifiable payload, detection and mitigation is difficult for network defenders.”
An internal confidential document from the United Nations (U.N.) dated September 20, 2019 and leaked to The New Humanitarianshowed that dozens of servers at the U.N. offices in Geneva and Vienna were illegally accessed starting in July 2019. The internal confidential document from the U.N., seen by the Associated Press, showed that the U.N. attackers were able to access the public organization’s servers by exploiting the security vulnerability of Microsoft’s SharePoint software, in particular, CVE-2019-0604 – a vulnerability that was patched by Microsoft in February and March 2019 but the U.N. failed to update its systems.
Preventive and Mitigating Measures Against Web Shell Attacks
It’s worthy to note that web shells are only deployed on the victims’ internet-facing servers after attackers find an initial loop-hole on the victims’ servers. As shown in the above-mentioned examples, initial entry of the attackers, include unpatched vBulletin (CVE-2019-16759) and unpatched SharePoint (CVE-2019-0604). It’s important, therefore, to patch all your organization’s software in a timely manner as attackers are quick to exploit unpatched software.
In the case of CVE-2019-0604 vulnerability, Microsoft’s March 12, 2019 update should be applied. In the case of CVE-2019-16759, vBulletin’s version 5.5.2/3/4 Patch Level 1 update should be applied. To mitigate vBulletin’s exposure, disable PHP, Static HTML, and Ad Module rendering setting in the administration panel.
It’s also important to practice network segmentation. In network segmentation, your organization’s network is divided into sub-networks. For instance, servers that housed your organization’s critical information and are strictly meant for on-premise use should be part of one sub-network and be kept offline. This way, if attackers manage to infect other sub-networks, this critical sub-network won’t be affected.
You don’t have to face cybercriminals alone. Our experts will help you assess the current state of your cybersecurity posture, and develop a plan to proactively mitigate cyber threats.
Contact us today and protect your most valuable digital assets and your brand’s reputation.
Latest to Admit Cyber-Attack: The UN
The United Nations (U.N.) recently admitted that it was a victim of a cyber-attack. The admission came months after the cyber incident.
U.N. spokesman Stephane Dujarric told reporters in New York that U.N. offices in Geneva and Vienna were targeted by an “apparently well-resourced” cyber-attack in the middle of 2019. In Geneva, Switzerland, several U.N. offices are based, including the World Health Organization (WHO), World Trade Organization (WTO), Human Rights Council (UNHRC), Office of the High Commissioner for Human Rights (OHCHR), the High Commissioner for Refugees (UNHCR). Vienna, Austria, meanwhile, is home to other U.N. offices, including the International Atomic Energy Agency (IAEA) and the Office on Drugs and Crime (UNODC).
“The attribution of any attack is very uncertain and fuzzy, but this was apparently a well-resourced attack,” Dujarric said. “The attack resulted in a compromise of core infrastructure components at both [Geneva] and [Vienna], and was determined to be serious.”
The cyber-attack admission of U.N. spokesman Dujarric came hours after The New Humanitarian exposed the 2019 cyber-attack at the U.N. The New Humanitarian reported that it obtained a confidential U.N. report, dated September 20, 2019, which found that dozens of servers at the U.N. offices in Geneva and Vienna were illegally accessed starting in July 2019.
According to The New Humanitarian, key findings of the confidential U.N. report revealed that staff records and commercial contract data were compromised by the attackers. The U.N. confidential report also revealed that the cyber-attack could have been avoided with a simple patch or update to fix a software security vulnerability.
Security Vulnerability CVE-2019-0604
The Associated Press said that it also viewed the confidential U.N. report. Based on the report, the Associated Press said that the attackers initially gained access to the U.N. networks by exploiting the security vulnerability in Microsoft’s SharePoint software. This security vulnerability designated as CVE-2019-0604 was patched in February 2019 but the U.N. reportedly didn’t update its systems.
"A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package,” Microsoft describes the security vulnerability CVE-2019-0604. “An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account. Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint.”
On April 23, 2019, the Canadian Centre for Cyber Security issued an alert, saying that it’s aware of an ongoing campaign compromising several versions of Microsoft SharePoint Server in order to deploy the China Chopper web shell. The following versions of Microsoft SharePoint are known to be affected: Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Foundation 2013 SP1, Microsoft SharePoint Server 2010 SP2 and Microsoft SharePoint Server 2019.
China Chopper is a publicly available web shell that was first discovered in 2012. "The China Chopper web shell is extensively used by hostile actors to remotely access compromised web-servers, where it provides file and directory management, along with access to a virtual terminal on the compromised device,” the Canadian Centre for Cyber Security said. “As China Chopper is just 4 Kb in size, and has an easily modifiable payload, detection and mitigation is difficult for network defenders.”
Analysis of the China Chopper Web Shell by researchers at FireEye found that this web shell is flexible enough to run on both Windows and Linux. "This OS and application flexibility makes this an even more dangerous Web shell,” researchers at FireEye said.
In the case of the U.N. cyber-attack, however, it wasn’t mentioned by The New Humanitarian and the Associated Press whether the China Chopper Web Shell was deployed on the compromised servers.
Active Directory Compromise
“As part of the compromised infrastructure, lists of user accounts would have been exposed,” Dujarric told The New Humanitarian.
The Office of the High Commissioner for Human Rights (OHCHR), for its part, in a statement, said, “The hackers did manage to access our Active User Directory, which contains the user IDs for our staff and devices.” The OHCHR added that the malicious actors didn’t succeed in accessing the passwords, preventing them in gaining access to other parts of OHCHR’s IT system.
Active Directory is built into most Windows Server operating systems and has become the popular approach in managing Windows domain networks. As Active Directory is used in connecting different computers within a network, this has become a prime target of attackers as well.
A senior U.N. IT official, meanwhile, told The New Humanitarian that approximately 400 GB of data was exfiltrated from the U.N. servers and part of the exfiltrated data was the “user lists”, a key component to the network, which, the source said “once you’ve got privileged access, you’ve got into everything”. The New Humanitarian added that the U.N. confidential report about the cyber-attack found that some administrator accounts were breached.
Lack of Transparency
It’s worthy to note that the cyber-attack at the U.N. in 2019 was only admitted by the organization a few hours after The New Humanitarian exposed the said attack.
The UN spokesperson Dujarric told The New Humanitarian that the reason for the lack of transparency is that the “exact nature and scope of the incident could not be determined, [the UN offices in Geneva and Vienna] decided not to publicly disclose the breach.”
In a data breach, the lack of transparency could have negative results as individuals and organizations affected aren’t made aware of the situation, preventing them to seek measures to lessen the impact of the data breach. In Canada, data breach reporting is mandatory under the federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA).
LifeLabs Reveals It Paid Ransom in Exchange for Stolen Data
LifeLabs, the largest provider of general diagnostic and specialty laboratory testing services in Canada, has announced that it paid an undisclosed amount of ransom in exchange for the stolen data of 15 million customers.
Charles Brown, President and CEO of LifeLabs, in a statement, said that the company’s computer systems were illegally accessed resulting in the theft of data belonging to approximately 15 million customers. Stolen data includes name, address, email, login, passwords, date of birth and health card number. The vast majority of the affected customers are from Ontario and British Columbia.
Brown added that laboratory test results of 85,000 customers from Ontario for the period 2016 or earlier were part of the stolen data. The President and CEO of LifeLabs further said that health card information of customers for the period of 2016 or earlier was also stolen.
"Retrieving the data by making a payment,” Brown said was one of the measures that the company took in order to protect customer information. “Personally, I want to say I am sorry that this happened,” he said.
While the President and CEO of LifeLabs said that risk to customers in connection with this cyber attack is “low and that they have not seen any public disclosure of customer data,” he called on affected customers to avail of the company’s one free year of protection that includes dark web monitoring and identity theft insurance.
How the LifeLabs Data Breach Unfolded?
The President and CEO of LifeLabs said that the data breach was discovered as a result of "proactive surveillance” and added that the company “fixed the system issues” related to the cyber-attack.
In a joint statement, the Office of the Information and Privacy Commissioner of Ontario (IPC) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC) said that LifeLabsinformed the two offices on November 1, 2019 about the data breach. The IPC and OIPC said that they will conduct a joint investigation into the data breach at LifeLabs. Among the things to be investigated, the two offices said, will include the scope of the breach and the circumstances leading to it.
“They advised us that cyber criminals penetrated the company's systems, extracting data and demanding a ransom,” IPC and OIPC said in a joint statement. “LifeLabs paid the ransom to secure the data.”
"An attack of this scale is extremely troubling,” said Brian Beamish, Information and Privacy Commissioner of Ontario. “I know it will be very distressing to those who may have been affected. This should serve as a reminder to all institutions, large and small, to be vigilant."
“I am deeply concerned about this matter,” said Michael McEvoy, Information, and Privacy Commissioner for British Columbia. “The breach of sensitive personal health information can be devastating to those who are affected."
While ransom or payment was made, there was no mention that the attack was due to a ransomware – a type of malicious software (malware) that encrypts data and the group or individual behind the malware then demands ransom payment in exchange for decryption key or keys that would unlock the encrypted files.
Cyber Attackers New Modus Operandi
While cyber attackers have been known to steal data from their victims, there’s a scarcity of information showing victims paying ransom in order to get back the stolen data. The latest cyber incident at LifeLabs shows an alarming cyber-attack trend, that is, penetrating the victim's systems, extracting data and then demanding a ransom.
Ransomware attackers, meanwhile, over the past few weeks have openly employed a new tactic in order to force their victims to pay ransom: threatening ransomware victims that failure to pay the ransom will result in the publication of stolen data. This latest modus operandi by ransomware attackers confirms what has been widely known in the cyber security community that ransomware attackers don’t merely encrypt data but they also have ways to snoop and even steal data prior to the data encryption.
In late November of this year, the group behind the ransomware called “Maze” published online the stolen data from one of its victims, Allied Universal after Allied failed to pay 300 bitcoins, then valued nearly $2.3 million USD, within the period set by the malicious group. The group behind the Maze ransomware told BleepingComputer, “We gave them time to think until this day, but it seems they [Allied Universal] abandoned payment process.”
The group behind the Maze ransomware further said that before encrypting any of the victims’ files, these files are first exfiltrated or stolen to serve as further leverage for the victims to pay the ransom.
The group behind the ransomware called “REvil”, also known as Sodinokibi ransomware, recently announced in a hacker forum that it will also leak online the stolen data from ransomware victims who refuse to pay ransom. Other than leaking the stolen data online, the group behind REvil ransomware also said the stolen data from ransomware victims who refuse to pay could be sold.
Maze ransomware initially infects victims’ computers via phishing campaigns or via Fallout exploit kit – a hacking tool that exploits the security vulnerabilities in Adobe Flash Player and Microsoft Windows. REvil ransomware, meanwhile, also initially infects victims’ computers via phishing campaigns and exploit kits, as well as by exploiting a security vulnerability in Oracle’s WebLogic server and by brute-forcing Remote Desktop Protocol (RDP) access.
Recent DDoS Attacks Leverage TCP Amplification
A recent report from Radware showed that attackers over the past month have been leveraging TCP amplification in launching distributed denial-of-service (DDoS) attacks.
What Is TCP Amplification?
TCP amplification is one of the lesser-known ways attackers perform DDoS attacks. In a DDoS attack, multiple computers are operating together to attack a particular target, for instance, a website.
TCP is a set of rules that’s applied whenever computers connected to the internet try to communicate with one another, enabling them to transmit and receive data. With TCP, connection is only established with a three-way-handshake, also known as SYN, SYN-ACK, and ACK. During the three-way-handshake, the IP addresses of both communication parties are veriﬁed via random sequence numbers.
1. SYN (Synchronize)
This first handshake happens when computer X, for instance, sends a message containing a random sequence number to another computer, let’s call this computer Z.
2. SYN-ACK (Synchronize-Acknowledge)
This second handshake happens when computer Z responds via an acknowledgment number and a random sequence number.
3. ACK (Acknowledge)
This third handshake happens when computer X completes the connection setup by sending a ﬁnal acknowledgment to computer Z via a sequence number and acknowledgment number.
Ampliﬁcation DDoS attack, meanwhile, refers to an attack in which an attacker doesn’t directly send trafﬁc to the ultimate target but rather sends spoofed network packets to a large number of devices, also known as reflectors or ampliﬁers. Attackers often use ampliﬁers that send back responses that are significantly larger than the requests, resulting in an increased or ampliﬁed attack volume. TCP was initially thought to be immune from amplification attacks due to its three-way-handshake.
TCP’s vulnerability to amplification attacks was reported back in 2014. In the paper “Exit from Hell? Reducing the Impact of Ampliﬁcation DDoS Attacks”, researchers at Ruhr-University Bochum demonstrated that even with the three-way-handshake TCP is still vulnerable to ampliﬁcation DDoS attacks. According to the researchers, TCP is vulnerable to ampliﬁcation DDoS attacks as SYN/ACK segments are resent until connection is successfully established, connection times out, or connection is manually closed.
Resending of SYN/ACK segments, the researchers said, overloads the capacity of the victim’s network. “In face of ampliﬁcation attacks, this is problematic, as the client’s IP address is not validated until the handshake is complete,” the researchers said.
In this 2014 study, the researchers showed that hundreds of thousands of devices, mostly business and consumer routing devices, were vulnerable to be abused for ampliﬁcation DDoS attacks as these devices repeatedly sent up to 20 SYN/ACK packets in response.
In the follow-up paper "Hell of a Handshake: Abusing TCP for Reflective Amplification DDoS Attacks", researchers at Ruhr-University Bochum identified thousands of TCP-based protocols that allow amplification of factor 50 times and higher. In this follow-up paper, the researchers also identified more than 4.8 million devices vulnerable to an average ampliﬁcation factor of 112 times. They also identiﬁed thousands of devices that can be abused for ampliﬁcation up to a factor of almost 80,000 times, reﬂecting more than 5,000 packets within 60 seconds and causing a serious impact on a victim’s network.
From the viewpoint of the attackers, the researchers said, abusing TCP brings multiple beneﬁts as there are millions of potential TCP ampliﬁers out there and ﬁxing them is an “infeasible operation”. According to the researchers, the root cause of the ampliﬁcation DDoS attacks is IP address spooﬁng which "enables attackers to specify arbitrary targets that are ﬂooded with reﬂected trafﬁc”.
TCP Amplification Attacks + Carpet Bombing
Radware reported that last month, European sports gambling website Eurobet experienced TCP amplification attacks that lasted for nearly 30 days. Radware also reported that last month, Turkish financial services company Garanti experienced TCP amplification attacks.
In the case of TCP amplification attacks on Garanti, Radware said, "In a period of 24 hours, millions of TCP-SYN packets from nearly 7,000 distinct source IP addresses part of AS12903 (Garanti Bilisim Teknolojisi ve Ticaret TR.A.S.) were sensed globally and specifically targeting ports 22, 25, 53, 80 and 443.”
According to Radware, TCP amplification attacks are combined with a technique called “carpet bombing”. Carpet bombing attack is a type of DDoS attack where instead of focusing the attack on a single IP, random IP addresses of the victim’s network are attacked. Radware reported that over the last few months, carpet bombing has been used in a number of attacks against South African internet service providers (ISPs).
Impacts, Preventive and Mitigating Measures
By leveraging carpet bombing technique, attackers increase the attack surface; and by leveraging TCP amplification, attackers increase the hit rate onto the victim’s services. For now, however, carpet bombing has been predominantly used against ISPs.
While the recent TCP amplification attacks targeted large organizations, the victims of these attacks also include small organizations and homeowners who owned devices used for the TCP amplification attacks. As the main targets of TCP amplification attacks were overwhelmed by traffic and suffered outages as a consequence, the devices used in the TCP amplification attacks – those that processed the spoofed requests and legitimate replies from the main target of the DDoS – also experienced spikes in traffic, resulting in outages.
IP blacklisting is one of the options in preventing DDoS attacks. In the case of TCP amplification attacks that rely on IP address spooﬁng, IP blacklisting has some pros and cons.
One of the disadvantages of IP blacklisting in TCP amplification attacks is that legitimate users could be affected by this blacklisting as malicious actors could mimic their IP address.
Speak with our expert team today and prevent and mitigate denial of service attacks with iron-clad guarantees. No equipment to purchase, install or maintain.
Schedule a consultation today and protect your organization.
What Are Watering Hole Attacks & How to Prevent Such Attacks
Watering hole attacks are becoming more and more popular as these allow malicious actors to compromise intermediary targets to gain access to their intended final targets.
What Is Watering Hole Attack and How It Works
In a watering hole attack, a malicious actor compromises a third-party service, such as a publicly available website, in order to get access to the intended final target. There are various reasons why threat actors attack third-party services instead of the intended final targets. It could be that the intended final targets have stronger cyber defences, while third-party services lack the necessary cyber defences.
In watering hole attacks, threat actors study the employees of the intended final targets, such as finding out what sites these employees often visit. These sites are then analysed.
Sites with weak defences are often targeted, injecting these sites with malicious software (malware) or redirecting visitors to sites controlled by the attackers, leading to the downloading of the malware when these employees visit these sites. Attackers may also nudge an employee into visiting the compromised website or the URL they control by tricking the employee to click on the malicious link contained in a phishing email.
Once inside an employee’s device, threat actors then move toward the intended final target.
Examples of Watering Hole Attacks
The recent disclosure by researchers at Google's Threat Analysis Groupabout a small collection of compromised websites used in watering hole attacks which ultimately targets site visitors using certain versions of iPhones highlights the growing danger of watering hole attacks.
Researchers at Google's Threat Analysis Group revealed that over a period of at least two years, almost every version of iOS 10 through iOS 12 was potentially vulnerable when users visit a small collection of compromised websites. Simply visiting the compromised site, the researchers said, was enough for the exploit server to attack the vulnerable iPhones and install a malicious code that monitors the users’ activities.
The researchers estimated that the compromised sites receive thousands of visitors each week. In attacking the specific versions of iPhones, researchers at Google's Threat Analysis Group said, they identified a total of 14 security vulnerabilities: 7 for the iPhone’s web browser, 5 for the kernel and 2 separate sandbox escapes.
Other Cases of Legitimate Sites Used for Watering Hole Attacks
In late February and early March this year, reports came out that the website of International Civil Aviation Organization (ICAO) was used as an intermediary target for a watering hole attack where the intended final targets were ICAO members. Montreal, Canada-based ICAO is a specialized agency of the United Nations that codifies the principles and techniques of international air navigation.
In November 2018, researchers at ESETreported that 21 distinct websites in Vietnam and Cambodia, including Ministry of Defense of Cambodia, the Ministry of Foreign Affairs and International Cooperation of Cambodia and several Vietnamese newspaper websites, were used as intermediary targets in watering hole attacks.
According to the researchers, the modus operandi is similar on all compromised websites in which the attackers add a small piece of malicious code on the compromised websites. While not applicable in all cases, the researchers reported that the code injected into the compromised websites checks for the visitor’s location, and only visitors from Vietnam and Cambodia actually receive the malware. The researchers added that the server controlled by the attackers can send additional payload – referring to the malware that performs the actual malicious actions.
Researchers at ESET said they weren’t able to identify examples of payloads sent by the attackers as these payloads were only delivered to specific targets and it wasn’t possible to get them using a test machine. In November 2017, researchers at Volexityfound a similar set of compromised websites of individuals and organizations tied to the government, the media, human rights and civil society groups. The researchers, in these cases, found that the payloads downloaded unto the site visitor’s computer include a pop-up asking to approve OAuth access to the victim’s Google account. This tactic allows attackers to get access to the victim’s contacts and emails.
The recent watering hole attacks are reminiscent of the cyber-espionage campaign called “Epic Turla”. In August 2014, Kaspersky observed 100 compromised websites for watering hole attacks.
Once a computer is infected with the Epic malware, Kaspersky reported that the malware immediately connects to the command-and-control (C&C) server to deliver pre-configured series of commands for execution and custom lateral movement tools such as a keylogger – a malicious program aimed at stealing data by recording every keystroke made by a computer user.
Prevention and Mitigating Measures
Here are some cyber security measures in order to prevent or mitigate the effects of watering hole attacks:
How to Find Out If Your Organization’s Resources Are Illicitly Used for Crypto Mining
Ukraine’s National Nuclear Energy Generating Company, also known as Energoatom, a state enterprise operating all four nuclear power plants in Ukraine disclosed that a recent search carried out inside one of Ukraine’s nuclear power plants revealed that a power plant employee had installed his own computer equipment inside the plant for cryptocurrency mining. This incident shows the danger of employees stealing their employers’ resources for cryptocurrency mining.
What Is Cryptocurrency Mining?
Cryptocurrency mining, also known as crypto mining, is the process of validating transactions and for these transactions to be added to the list of all transactions known as the blockchain. Anyone with a computer and an internet connection can become a cryptocurrency miner.
Some cryptocurrencies can be mined using small and low processing power computers such as Raspberry Pi. Other cryptocurrencies such as Bitcoin can only be mined using specialized computers with high computing power. In exchange for the computing power and electricity used for mining, miners get rewarded with cryptocurrency.
As cryptocurrency mining is power-hungry, especially the top cryptocurrencies like Bitcoin, high electricity bill is one of the obstacles why many don’t venture into this field. To remedy this high electricity bill hurdle, malicious actors illicitly steal power from their employers and even from strangers. Aside from stealing electricity, malicious actors also steal from employers or strangers computing power of computers that can process a significant amount of data faster than ordinary computers.
The illicit stealing of electricity at one of Ukraine’s nuclear power plantsisn’t the first time that an employee has been caught stealing an employer’s resources for cryptocurrency mining. In February 2018, nuclear weapons engineers at the All-Russian Research Institute of Experimental Physics were arrested for mining cryptocurrencies at the workplace.
Unlike the cryptocurrency mining at one of Ukraine’s nuclear power plants which only stole the plant’s electricity as the accused installed his own computer equipment, the crypto mining incident at the All-Russian Research Institute of Experimental Physics used not only the facility’s electricity but the office computer as well. Tatyana Zalesskaya, head of the research institute’s press service confirmed to Interfaxthat there had been an unauthorized attempt to the institute’s “computing power for personal purposes, including for the so-called mining”.
Employees aren’t the only one interested in your organization’s computer power for crypto mining, unknown external attackers are also after your organization’s computer power. Attackers steal computing power in the process called “cryptojacking”.
In cryptojacking, malicious actors, which could be either be insiders or outsiders, in order to earn cryptocurrency, install a crypto mining software into vulnerable systems, including websites, operating systems or public cloud accounts.
In February 2018, researchers at RedLockreported that Tesla was once a victim of cryptojacking. “The hackers had infiltrated Tesla’s Kubernetes console which was not password protected,” researchers at RedLock said. “Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry. In addition to the data exposure, hackers were performing crypto mining from within one of Tesla’s Kubernetes pods.”
In May this year, researchers at Guardicore Labsreported that over 50,000 servers belonging to companies in the healthcare, telecommunications, media and IT sectors were compromised for crypto mining.
Illicit crypto mining isn’t only a threat to large organizations or businesses. This type of attack also threatens small and medium-sized organizations. In late 2018, a school principal in China was fired after stealing the school’s electricity to mine cryptocurrency. The South China Morning Postreported that the fired school principal deployed inside the school 8 computers used for mining the cryptocurrency Ethereum for about a year, racking up an electricity bill of 14,700 yuan, equivalent to US$2,120.
Ways to Monitor Crypto Mining and Preventive Measures
Here are some security measures in order to monitor crypto mining activities within your organization’s premises and also ways to prevent this threat to occur in your organization:
An unusual increase of electric bill is a sign that computers operating within your organization’s premises are being used for cryptocurrency mining.
Somewhere lurking in your organization’s premises could be computers used for cryptocurrency mining and racking up your organization’s electricity bill.
If your organization’s computers are functioning a bit slower than usual, this could be a sign that your organization’s computers are being used for illicit cryptocurrency mining.
Malicious actors in recent months have learned how to be stealthy in their crytojacking activities, such as mining only cryptocurrencies that use less computer power and electricity to deflect suspicion. For instance, the crytojacking incident which compromised 50,000 servers reported by Guardicore Labs in May this year, mined a relatively new cryptocurrency called “Turtlecoin”, a cryptocurrency that can be mined even in small and low processing computers such as Raspberry Pi.
Monitoring network traffic is one of the ways in discovering this type of stealth crytojacking activities. Access to your organization's network from unknown locations and during non-working hours are telltale signs of a network compromise and possible illicit cryptocurrency mining.
Lastly, practice basic cyber hygiene such as keeping your organization’s operating systems up-to-date and using multi-factor authentication as gate-keepers to these computers and servers. In many cases, computers and servers are compromised for illicit cryptocurrency mining by the mere failure of applying the latest security update and the used of weak login details and lack of multi-factor authentication.
When you need help, contact our teamof experts to mitigate the cybersecurity risks for your organization.
Threat Actors Continue to Target Websites
The European Central Bank (ECB) shut down one of its websites following the discovery that malicious actors accessed the site without authority and infected it with malicious software (malware). This incident shows that threat actors continue to target websites.
ECB, in a statement, said that unauthorized parties had breached the Bank’s Integrated Reporting Dictionary (BIRD) website, a site purposely built to provide the banking industry with details on how to produce statistical and supervisory reports. The Bank said that contact data, including email addresses, names and position titles of 481 subscribers to the BIRD newsletter may have been stolen by the attackers.
ECB, in a statement, said that the attack on BIRD website was discovered as a result of a “regular maintenance work”. An ECB spokesman told Reutersthat the earliest evidence found of the website attack dated back to December 2018, which means that the attack had gone unnoticed for months before being discovered during maintenance work.
This isn’t the first time that ECB reported an attack on its IT infrastructure. In 2014, ECBdisclosed that an unknown attacker or attackers had breached another of the Bank’s website used for registrations for events of the Bank such as conferences and visits.
The 2014 website attack, the Bank said, led to the theft of email addresses and other contact data left by individuals registering for events at the ECB. This 2014 attack in one of the Bank’s website was only known after an anonymous email was sent to the Bank asking for financial compensation in exchange for the data stolen.
In the latest attack on one of its websites, ECB said the attackers “succeeded in injecting malware onto the external server to aid phishing activities”. In the 2014 attack, ECB said the malicious actor or actors attacked a “database serving its public website”. Beyond those phrases, not much is known in the “injection” and “database” attacks.
The Open Web Application Security Project (OWASP)lists injection attacks as the number one threat to web security. Injection attacks refer to a broad attack paths that allow attackers to gain access to the database records of vulnerable websites. In certain cases, this type of attack allows attackers to gain administrative rights to a database.
One example of an injection attack is the SQL injection, also known as SQLI, attack. SQL, which stands for Structured Query Language, is a programming language understood by databases. By inserting malicious commands from this programming language into input fields on websites such as input forms, attackers can gain access to the database records of vulnerable websites, resulting in the unauthorized access of any data available in the database.
In late 2007 and early 2008, thousands of websites were defaced as a result of SQL injection attacks. According to researchers at Microsoft, These particular SQL injection attacks didn’t exploit vulnerabilities in Windows, IIS, SQL Server, or other infrastructure code; rather, it exploited vulnerabilities in custom web applications running on this infrastructure. Thousands of websites were affected due to 2 factors: first, there was an automated tool to launch this attack, and second, this SQL attack tool spread through the use of a botnet.
SANSreported that thousands of websites were compromised in late 2007 and early 2008 as the attacker or attackers used an automated tool in search engines to find vulnerable web applications and exploiting them. “The exploit just consisted of an SQL statement that tried to inject a script tag into every HTML page on the web site,” SANS reported. SecureWorks, meanwhile, reported that the automated SQL attack tool, spread to thousands of websites as the attackers relied on a botnet – a group of computers or devices infected by the same malware and controlled by an attacker for malicious purposes such as in this case the spread of SQL attack tool.
Other than using SQL injection to attack indiscriminate websites using an automated tool and a botnet, SQL injection has also been used by attackers in targeted attacks. According to the U.S. Federal Bureau of Investigation (FBI), a malicious group obtained confidential information from Sony Pictures’ computer systems on May 27, 2011 to June 2, 2011 using an SQL injection attack against Sony Pictures’ website.
According to the UK's Information Commissioner's Office, SQL injection was also used in the TalkTalk cyber attack on the company’s website. As a result of the SQL injection attack on TalkTalk’s website, personal details of 156,959 customers, including their names, addresses, dates of birth, phone numbers and email addresses were stolen. The attacker also stole the bank account number and sort code of 15,656 TalkTalk’s customers.
As shown in above-mentioned examples, injection attacks on websites are highly detrimental to the affected organizations. Loss of customer trust is one potential cost of an SQL injection attack should personally identifiable information such as full names, addresses and credit card details be stolen.
One of the cyber security measures, in order to prevent injection attacks such as SQL injection attacks, is through the use of a web application firewall (WAF). A WAF is often used to filter out injection attacks such as SQL injection attacks. In filtering out SQL injection attacks, a WAF uses a list that contains signatures to address specific attack vectors. This WAF is regularly updated to provide new filtering rules for newly discovered security vulnerabilities.
At The Driz Group, we specialize in protecting your websites and web applications with instant attack mitigation and a guaranteed DDoS protection. We support all deployment types including Cloud and on-premise. Setup take several minutes and there is nothing to buy, support, or maintain.
Connect with ustoday for a free consultation and protect your websites, web applications, online reputation and mission critical data.
How to Prevent Account Takeover Attacks
Account takeover attacks – accessing someone else’s online account for malicious purposes – continue to be one of the fastest-growing security threats faced by organizations today.
Account takeover happens as a result of inadvertently exposing account login details or through malicious account takeover via botnets. The account takeover of an account owned by SSL certificate issuer Comodo is an example of account takeover as a result of inadvertently exposing account login details.
Netherlands-based security researcher Jelle Ursem told TechCrunchthat Comodo’s email address and password were inadvertently left exposed in a public GitHub repository owned by a Comodo software developer. This enabled Ursem to login to Comodo’s Microsoft-hosted cloud services containing sensitive information of the company. The said account wasn’t protected with two-factor authentication. Ursem said he contacted Comodo about the exposed account.
When contacted by TechCrunch, Comodo said, “The data accessed was not manipulated in any way and within hours of being notified by the researcher, the account was locked down.” Ursem, however, told TechCrunch, “This account has already been hacked by somebody else, who has been sending out spam.”
Account Takeover Botnets
While many malicious actors are opportunistic, that is, while many abused inadvertently exposed account login details, many just don’t wait for these opportunities to come. Many of today’s malicious actors are aggressively taking over accounts through botnets.
In the Sixth Annual Fraud Attack Index, Forter found that there had been a 45% increase in account takeover attacks by the end of 2018 compared to the beginning of 2017. One of the means by which malicious actors perpetuated account takeover attacks is thorough bots, Forter found.
“Fraudsters often try to hide their activities behind these devices [bots], flying under the radar of detection for most legacy fraud prevention systems, which are simply not equipped with sophisticated enough technology to pick up on the nuances of these behavioural indicators and the personas hiding behind them,” Forter said.
Botnet, also known as bot, refers to a group of computers infected with malicious software (malware) that allows an attacker to control this group of infected computers as one army for malicious activities. Many of these botnets have been used by attackers as an army for distributed denial-of-service (DDoS) attacks and illicit cryptocurrency mining. Malicious actors are increasingly using these botnets for account takeover attacks.
An account takeover botnet works by installing a credential cracking malware on compromised computers. These infected computers are then controlled by an attacker or attackers to login into an account of banking site, social network or email. Once the correct username and password combination is cracked, the account taken over is then used by attackers to steal money (in case of a banking site), steal confidential information such as credit card information, or purchase goods and services.
Between April 7th to April 22nd this year, Impervaobserved the account takeover attacks carried out by a botnet, composed of an enslaved army of 2,500 infected computers – with a corresponding 2,500 IPs overall – that attacked more than 300 sites while active. Each day during the attack period, 800 IPs were actively attacking 30 sites with 150,000 login attempts, Imperva found.
From the victim site perspective, each site was attacked for 7 hours by 500 IPs sending 7,000 login attempts with 7,000 different login details (usernames and passwords); and from a single site perspective, each botnet-controlled IP was responsible for approximately 14 login attempts during the attack time, or approximately 2 login attempts per hour, Imperva found.
The above-mentioned method of attack is called a “low and slow” attack – whereby the botnet enslaves a lot of computers, each sending only a small number of requests, to cover-up the attack as legitimate traffic. Distributing the account takeover attacks across many infected computers or IP addresses makes these attacks go without being detected.
The usernames and passwords used in the login attempts for account takeover attacks often come from credential cracking and credential stuffing. In credential cracking, every word in the dictionary is tried to crack the correct username and password combination. In credential stuffing, the attackers exploit users’ tendency to reuse passwords across multiple sites.
Credential stuffing was cited by StubHubas the reason why a “small number” of users’ accounts had been illegally taken over by fraudsters. In the StubHub case, attackers illegally took over 1,000 StubHub users’ accounts and used these compromised accounts to buy thousands of high-value tickets, including tickets to Justin Timberlake and Elton John concerts, Yankees baseball games, U.S. Open tennis matches and Broadway shows. The account takeover attackers then resold these tickets for a profit of more than a million dollars.
Traditional security solutions have proven to be ineffective in “low and slow” account takeover attacks using botnets. By using account takeover botnets, malicious actors spread the attack via thousands of compromised computers or IPs, making them go undetected for a long period of time.
Choosing a strong username and password combination via eliminating the use of dictionary words, using a unique username and password combination for every account and the use of multi-factor authentication are some of the best cyber security practices in preventing account takeover attacks.
Malicious actors, however, are always finding creative ways to crack those unique and strong usernames and passwords and even multi-factor authentication. An automated security solution that monitors abnormal access to these accounts is one of the mitigating measures against account takeover attacks.
When you need help minimizing cybersecurity risks, our team of experts will answer the questions you have and will help you protect your data. Contact ustoday.
Steve E. Driz, I.S.P., ITCP