How to Implement Best Cyber Defense Against BlackMatter Ransomware Attacks

Three U.S. government agencies, the Cybersecurity, and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA), recently issued a cyber security alert and defense tips against BlackMatter ransomware attacks.

What Is BlackMatter Ransomware?

BlackMatter is a relatively new ransomware. It was first observed in the wild in July 2021. This new ransomware exhibits the typical features of a modern-day ransomware, including the double extortion modus operandi.

In double extortion, the ransomware group steals data from victims. After stealing data, the attackers then encrypt victims’ data, preventing victims from accessing their data. After data encryption, attackers demand from victims ransom payment in exchange for a decryption tool that purportedly would unlock the encrypted data.

In double extortion, failure on the part of the victims to pay the ransom payment for the decryption tool leads to the activation of the second ransom demand, that is, victims are named on a leak site as victims of ransomware attacks. These victims are then threatened that their data will be published in case they won’t pay ransom.

Some ransomware actors still demand the second ransom payment – for the non-publication of the stolen data – despite the payment of the first ransom payment, that is, payment for the decryption tool.

Like other modern-day ransomware, BlackMatter ransomware is operated under the scheme called ransomware-as-service (RaaS). In RaaS, the ransomware developer (the one who creates the ransomware custom exploit code) works with affiliates – a different kind of cyberattackers who have existing access to corporate networks.

In a public advertisement posted on the underground forum Exploit, BlackMatter said it wants to buy access to corporate networks in the U.S., Canada, Australia, and Great Britain.

The group further said that it’s willing to pay $3,000 to $100,000 per network, provided the network passed the following criteria:

• Corporate revenue is $100 million or more
• Corporate network contains 500-15,000 devices
• Network hasn’t been previously targeted by other threat actors.

To signify that it's serious about its offer, BlackMatter has deposited 4 bitcoins ($256,000) on the forum Exploit.

“The [BlackMatter] ransomware is provided for several different operating systems versions and architectures and is deliverable in a variety of formats, including a Windows variant with SafeMode support (EXE / Reflective DLL / PowerShell) and a Linux variant with NAS support: Synology, OpenMediaVault, FreeNAS (TrueNAS). According to BlackMatter, the Windows ransomware variant was successfully tested on Windows Server 2003+ x86/x64 and Windows 7+ x64 / x86,” Recorded Future reported. “The Linux ransomware variant was successfully tested on ESXI 5+, Ubuntu, Debian, and CentOs. Supported file systems for Linux include VMFS, VFFS, NFS, VSAN.”

On BlackMatter website, the group said it doesn't attack hospitals, critical infrastructure, oil and gas industry, defense industry, non-profit companies, and government sector.

According to the joint cybersecurity advisory by CISA, FBI, and NSA, since July 2021, BlackMatter ransomware has targeted multiple U.S. critical infrastructure entities, including two food and agriculture sector organizations in the U.S., and have demanded ransom payments ranging from $80,000 to $15,000,000 in cryptocurrencies Bitcoin and Monero.

In September 2021, BlackMatter attacked the U.S. farmers cooperative NEW Cooperative and demanded from the victim $5.9 million for the decryptor and for the non-publication of the stolen data. 

"Your website says you do not attack critical infrastructure,” a NEW Cooperative representative told BlackMatter during a negotiation chat (screenshots of the said negotiation chat were shared online). “We are critical infrastructure... intertwined with the food supply chain in the US. If we are not able to recover very shortly, there is going to be very very public disruption to the grain, pork, and chicken supply chain."

BlackMatter Ransomware Tactics, Techniques, and Procedures

The CISA, FBI, and NSA advisory said that sample of BlackMatter ransomware analyzed in a sandbox environment as well from trusted third-party reporting showed that BlackMatter ransomware uses the following tactics, techniques, and procedures:

• BlackMatter harvests credentials from Local Security Authority Subsystem Service (LSASS) memory using procmon.
• BlackMatter uses Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to discover all hosts in the Active Directory (AD).
• BlackMatter uses NtQuerySystemInformation to enumerate running processes.
• BlackMatter uses EnumServicesStatusExW to enumerate running services on the network.
• BlackMatter uses srvsvc.NetShareEnumAll MSRPC function to enumerate and SMB to connect to all discovered shares, including ADMIN$, C$, SYSVOL, and NETLOGON.
• BlackMatter uses legitimate remote monitoring and management software and remote desktop software, often by setting up trial accounts, to maintain persistence on victim networks.
• BlackMatter exfiltrates data.
• BlackMatter remotely encrypts shares via SMB protocol and drops a ransomware note in each directory.
• Rather than encrypting backup systems, BlackMatter wipes or reformats backup data stores and appliances.

Cybersecurity Best Practices

The CISA, FBI, and NSA advisory recommends the following cybersecurity defense tips against BlackMatter ransomware attacks:

• Use strong passwords for service account, admin accounts, and domain admin accounts.
• Use multi-factor authentication (MFA) for vital services, including webmail, virtual private networks (VPNs), and accounts that access critical systems.
• Keep all software up to date.
• Eliminate unnecessary access to administrative shares.
• Use a host-based firewall – a firewall installed on a server to monitor and control incoming and outgoing network traffic.
• Implement network segmentation to prevent the spread of ransomware.
• Disable command-line and scripting activities and permissions.
• Keep all backup data offline, encrypted, and immutable.
• Disable the storage of clear text passwords in LSASS memory.
• Disable or limit New Technology Local Area Network Manager (NTLM) and WDigest Authentication.

Microsoft recently revealed that one of its Azure customers was hit by a 2.4 Tbps distributed denial-of-service (DDoS) attack last August.

In the blog post “Business as usual for Azure customers despite 2.4 Tbps DDoS attack,” Amir Dahan Senior Program Manager at Microsoft’s Azure Networking said the 2.4 Tbps DDoS attack is 140 percent higher than 2020’s 1 Tbps attack and higher than any network volumetric event previously detected on Azure.

Dahan said the 2.4 Tbps DDoS attack on Azure infrastructure originated from approximately 70,000 sources and from multiple countries in the Asia-Pacific region, including Malaysia, Vietnam, Taiwan, Japan, and China, as well as from the United States.

“The attack vector was a UDP reflection spanning more than 10 minutes with very short-lived bursts, each ramping up in seconds to terabit volumes,” Dahan said. “In total, we monitored three main peaks, the first at 2.4 Tbps, the second at 0.55 Tbps, and the third at 1.7 Tbps.”

With the adoption of cloud services, Dahan said, “Bad actors, now more than ever, continuously look for ways to take applications offline.’

In the blog post "Azure DDoS Protection—2021 Q1 and Q2 DDoS attack trends," Alethea Toh Program Manager at Microsoft’s Azure Networking reported that the first half of 2021 saw a sharp increase in DDoS attacks on Azure resources per day. Toh said Microsoft’s Azure mitigated an average of 1,392 DDoS attacks per day in the first half of 2021, the maximum reaching 2,043 attacks on May 24, 2021.

“In total, we mitigated upwards of 251,944 unique [DDoS] attacks against our global infrastructure during the first half of 2021,” Toh said.

Toh added that in the first half of 2021, the average DDoS attack size was 325 Gbps, with 74 percent of the attacks being 30 minutes or less and 87 percent being one hour or less.

In 2020 Google, meanwhile, revealed a 2.5 Tbps DDoS attack on its infrastructure. In the blog post “Exponential growth in DDoS attack volumes,” Damian Menscher, Security Reliability Engineer at Google, said that Google’s infrastructure was hit by a 2.5 Tbps DDoS attack in September 2017. This 2.5 Tbps DDoS attack on Google infrastructure, Menscher said, was a culmination of a six-month campaign that utilized multiple methods of attack, simultaneously targeting Google’s thousands of IPs.

“The attacker used several networks to spoof 167 Mpps (millions of packets per second) to 180,000 exposed CLDAP, DNS, and SNMP servers, which would then send large responses to us,” Menscher said.

Top Attack Vectors

DDoS is a type of cyberattack that floods targets with gigantic traffic volumes with the aim of choking network capacity.

“While UDP attacks comprised the majority of attack vectors in Q1 of 2021, TCP overtook UDP as the top vector in Q2,” Toh of Microsoft's Azure said. “From Q1 to Q2, the proportion of UDP dropped from 44 percent to 33 percent, while the proportion of TCP increased from 48 percent to 60 percent.”

According to Toh, in Q1 of 2021, a total of 33% attack vectors came from UDP flood, 24% from TCP other flood, 21% from TCP ACK flood, 11% from UDP amplification, 7% from IP protocol flood, 3% from TCP SYN flood.

For Q2 of 2021, Toh said, a total of 23% attack vectors came from UDP flood, 29% from TCP other flood, 28% from TCP ACK flood, 10% from UDP amplification, 6% from IP protocol flood, and 3% from TCP SYN flood.

In January, Toh said, Microsoft Windows servers with Remote Desktop Protocol (RDP) enabled on UDP/3389 were being abused to launch UDP amplification attacks, with an amplification ratio of 85.9:1 and a peak at approximately 750 Gbps.

In February, Toh said, video streaming and gaming customers were getting hit by Datagram Transport Layer Security (D/TLS) attack vector which exploited UDP source port 443.

In June, Toh said, reflection attack iteration for the Simple Service Delivery Protocol (SSDP) emerged. SSDP normally uses source port 1900. The new mutation, Toh said, was either on source port 32414 or 32410, also known as Plex Media Simple Service Delivery Protocol (PMSSDP).

Cybersecurity Best Practices

Organizations with internet-exposed workloads are vulnerable to DDoS attacks. Some DDoS attacks focus on a specific target from application layer (web, DNS, and mail servers) to network layer (routers/switches and link capacity). Some DDoS attackers may not focus on a specific target, but rather, attack every IP in your organization’s network.

Microsoft and Google have their own DDoS mitigating measures that can absorb multi-terabit DDoS attacks. On the part of Google, the company said it reported thousands of vulnerable servers to their network providers, and also worked with network providers to trace the source of the spoofed packets so they could be filtered.

Small and medium-sized organizations can now avail of a DDoS protection solution that can absorb multi-terabit DDoS attacks. Today’s DDoS protection solution operates autonomously, without human intervention. Failure to protect your organization’s resources from DDoS attacks can lead to outages and loss of customer trust.

We can also help in preventing DDoS attacks from happening by ensuring that our computers and IoT devices are patched and secured.

2 ‘Prolific’ Ransomware Operators Arrested in Ukraine

Europol has announced the arrest of two “prolific” ransomware operators known for extorting ransom demands between $6 million to $81 million.

In a statement, Europol said that the arrest of the two ransomware operators last September 28th in Ukraine was a coordinated strike by the French National Gendarmerie, the Ukrainian National Police, and the United States Federal Bureau of Investigation (FBI), with the coordination of Europol and INTERPOL.

The arrest of the two ransomware operators, Europol said, led to the seizure of $375,000 in cash, seizure of two luxury vehicles worth $251,000, and asset freezing of $1.3 million in cryptocurrencies.

The arrested individuals, Europol said, are part of an organized ransomware group suspected of having committed a string of ransomware attacks targeting large organizations in Europe and North America from April 2020 onwards.

The group’s modus operandi, Europol said, includes deployment of malicious software (malware), stealing sensitive data from target companies before encrypting these sensitive files.

After data encryption and stealing of data, Europol further said, the group then offers a decryption tool in exchange for a ransom payment. When ransom demand isn’t met, Europol added, the group threatens to leak the stolen data on the dark web.

Authorities refused to give the names of the two arrested individuals. The name of the ransomware group wasn’t disclosed as well.

Disrupting Ransomware Operations

In June 2021, the Cyber Police Department of the National Police of Ukraine arrested six members of the Clop ransomware group. Computer equipment, cars, and about $185,000 in cash were confiscated by the authorities.

“Together, law enforcement has managed to shut down the infrastructure from which the virus spreads and block channels for legalizing criminally acquired cryptocurrencies,” the Cyber Police Department of the National Police of Ukraine said in a statement.

According to the Cyber Police Department of the National Police of Ukraine, the Clop ransomware group is responsible for $500 million worth of damages worldwide. The arrest of the six members of the Clop ransomware group was a joint operation from law enforcement agencies in Ukraine, South Korea, and the United States.

A few days after the arrest of the six members of the Clop ransomware group, the group claimed other victims, showing that the arrest of the members didn’t disrupt the operation of the Clop ransomware group. 

In February 2021, French and Ukrainian law enforcement agencies arrested in Ukrain several members of the Egregor ransomware group. Trend Micro, in a statement, said that the arrest of several members of the Egregor ransomware group was made possible, in part, of its assistance.

“Since its first appearance in September 2020, Egregor ransomware has been involved in high-profile attacks against retailers, human resource service companies, and other organizations,” Trend Micro said. “It operated under the ransomware-as-a-service (RaaS) model where groups sell or lease ransomware variants to affiliates, making it relatively easier even for inexperienced cybercriminals to launch attacks. Like some prominent ransomware variants, Egregor employs a ‘double extortion’ technique where the operators threaten affected users with both the loss and public exposure of the encrypted data.”

Ransomware

Ransomware is a persistent and rapidly evolving cybersecurity problem. Ransomware, in general, is a malware that’s traditionally meant to encrypt victim files – preventing victims from accessing their files. After data encryption, attackers then demand from victims ransom payment in exchange for the decryption tool that purportedly could unlock the encrypted files.

Early ransomware attackers demand from their victims to pay only one ransom payment, that is, for the decryption tool. Today’s ransomware attackers demand from their victims two ransom payments, also known as double extortion, one for the decryption tool and the second for the non-publication of the stolen data exfiltrated prior to data encryption.

Clop ransomware enters the victims’ networks through any of the following methods:

. Phishing emails sent to employees of the target organization

. Remote Desktop Protocol (RDP) compromise via brute-force attacks

. Exploitation of known software security vulnerabilities

Similar to Clop ransomware, Egregor ransomware enters the victims’ networks through phishing emails sent to employees of the target organization and RDP compromise. Egregor ransomware has also been known to access victims’ networks through VPN exploits.

Many of today’s notorious ransomware programs are operated under the ransomware-as-a-service (RaaS) model. In a RaaS model, the ransomware developer sells or leases the ransomware program to affiliates who are responsible for spreading the ransomware and generating infections. The developer takes a percentage of the ransom payment and provides the affiliates share of the ransom payment. 

Cybersecurity Best Practices

Here are some of the cybersecurity best practices in preventing or mitigating the effects of ransomware attacks:

. Avoid clicking on links and downloading attachments in emails from questionable sources

. Keep all software up to date

. Protect RDP servers with strong passwords, multi-factor authentication (MFA), virtual private networks (VPNs), and other security protections

. Implement the 3-2-1 backup rule: Make three copies of sensitive data, two copies should be in different formats, and keep one duplicate should be kept offsite.

DDoS Attackers Target VoIP Providers

Over the past few weeks, Voice over Internet Protocol (VoIP) providers have been targeted by distributed denial-of-service (DDoS) attackers.

DDoS is a form of cyberattack that often uses a botnet to attack one target. A botnet is a group of infected computers, including Internet of Things (IoT), and controlled by attackers for malicious activities such as DDoS attacks.

VoIP, meanwhile, refers to a technology that allows voice calls over an Internet connection instead of the traditional analog phone line. As VoIP uses the Internet and requires servers, portals, and gateways to be publicly accessible, this technology is a prime target of DDoS attackers.

In DDoS attacks against VoIP providers, attackers will flood VoIP servers, portals, and gateways with requests, making VoIP services unavailable to legitimate users.

Recent Attacks Against VoIP Providers

On August 31, 2021, London-based Voipfone disclosed that it was under DDoS attack.

"We have identified a further DDoS attack, we will post updates as the situation develops,” Voipfone said in a statement. “Our team is working extremely hard to address the ongoing issues that are currently affecting our network. We sincerely apologize for the disruption this must be causing you, and fully understand how frustrating this must be.”

A week after the intermittent DDoS attacks, Voipfone said it has fully resolved the DDoS attacks.

On September 16, 2021, Montreal-based VoIP.ms became the victim of a DDoS attack. On its website, VoIP.ms said it serves 80,000 customers in 125 countries.

“We have identified a large-scale Distributed Denial of Service (DDoS) attack which has been directed at our DNS and POPs,” VoIP.ms said in a statement posted on its website. “Our team is deploying continuous efforts to profile incoming attacks and mitigate them as best they can. We apologize for the inconvenience caused and thank you for your patience while we work on resolving the issue.”

The DDoS attack against VoIP.ms targeted the company’s DNS name servers. In the absence of DNS, VoIP.ms advised customers to configure their HOSTS file to point the domain at their IP address to bypass DNS resolution. In response, the attackers launched DDoS attacks directly at that IP address. To mitigate the DDoS attacks, VoIP.ms moved their website and DNS servers to Cloudflare.

As of September 28th, VoIP.ms said on its Twitter account that it’s advancing towards a more stable and secure network. The company, however, said that its main US carrier is still experiencing issues in their network which is impacting their clients all across North America.

On September 28, 2021, another VOIP provider admitted that it’s under DDoS attack. “Bandwidth and a number of critical communications service providers have been targeted by a rolling DDoS attack,” Bandwidth CEO David Morken, in a statement, said. “While we have mitigated much intended harm, we know some of you have been significantly impacted by this event. For that I am truly sorry.”

North Carolina-based Bandwidth said on its website that it provides local VoIP phone numbers together with outbound and inbound calling, powering popular platforms including Microsoft Teams/Skype for Business, Zoom Phone, and Google Voice. Bandwidth also serves as an upstream provider for VoIP vendors such as Accent.

“The upstream provider continues to acknowledge the DDoS attack is impacting their network and they are actively working to mitigate its effects,” Accent said in a statement. “Accent is seeing a limited impact to inbound calling for our services for certain phone numbers. We will continue to monitor the situation and update the status as appropriate.”

Ransom DDoS Attacks

A threat actor using the name “REvil” claimed responsibility in the VoIP.ms DDoS attack. The ransom note to VoIP.ms was posted on Pastebin. This ransom note has since been removed from Pastebin. REvil also posted updates about VoIP.ms DDoS attack on Twitter. These updates have since been removed from Twitter.

REvil demanded one bitcoin from VoIP.ms. After a failed negotiation, REvil raised the ransom demand to 100 bitcoins.

REvil originally refers to a threat group behind a number of high-profile ransomware attacks. On July 13, 2021, this group stopped its operation. In September 2021, the group resumed its ransomware operations. The original REvil group, however, hasn’t been known to launch DDoS attacks and publicly demanding ransom out of DDoS attacks.

To date, there’s no report of whether Voipfone and Bandwidth received a ransom demand similar to the one received by VoIP.ms.

Ransom DDoS (DDoS) attacks have been around for years. RDDoS attack occurs when a malicious actor extorts money from a target by threatening the target with a DDoS attack.

Threat actors may carry out a DDoS attack first and then followed by a ransom note. Another approach by threat actors is giving the ransom note first and then followed by a DDoS attack. In the last approach, the ransom note may be an empty threat with the threat actor not really capable of launching an actual DDoS attack. However, there’s a possibility that the DDoS threat is a real thing.

Paying the ransom gives ransom DDoS victims false hope that the attack will stop. Paying the ransom can only make your organization the subject of future DDoS attacks as the attackers know that your organization is willing to pay ransom. 

What Is Phishing-As-A-Service and How to Protect Your Organization

Microsoft 365 Defender Threat Intelligence Team recently published their findings on a large-scale phishing-as-a-service operation called “BulletProofLink.”

What Is Phishing-as-a-Service?

Phishing-as-a-service follows the software-as-a-service model in which cybercriminals pay an operator to launch an email-based phishing campaign. 

In an email-based phishing campaign, the target receives an email from a seemingly legitimate origin. The email, however, is a malicious one, masquerading as coming from a legitimate source. Clicking a link on this malicious email will lead to a compromised or fake website. The login details entered by the target who believes he or she is logging into a legitimate website will then be harvested for criminal activities.

BulletProofLink

BulletProofLink, also known as BulletProftLink and Anthrax, is an example of a phishing-as-a-service. This phishing-as-a-service was first reported by OSINT Fans in October 2020. According to OSINT Fans, the phishing campaign launched by BulletProofLink started with a phishing email impersonating a Sydney-based accounting firm. The email looked legitimate, with no sign of broken English or a spoofed email sender.

Inside this email is the Remittance Advice receipts.pdf link. Clinking this link, OSINT Fans said, leads to a pixel-perfect clone of the Microsoft 365 login page. “If a victim enters their password on this page, the login credentials are sent straight to the criminals rather than Microsoft,” OSINT Fans said.

In the blog post “Catching the big fish: Analyzing a large-scale phishing-as-a-service operation,” Microsoft 365 Defender Threat Intelligence Team said BulletProofLink offers phishing-as-a-service at a relatively low cost, offering a wide range of services, including email templates, site templates, email delivery, site hosting, credential theft, credential redistribution, and "fully undetected" links/logs.

Microsoft 365 Defender Threat Intelligence Team said BulletProofLink has over 100 available phishing templates that mimic known brands and services. The BulletProofLink operation, the Team said, is responsible for many of the phishing campaigns that impact enterprises today.

The Team also reported that BulletProofLink used a rather high volume of newly created and unique subdomains – over 300,000 in a single run. The Team added that BulletProofLink is used by multiple attacker groups in either one-off or monthly subscription-based business models, creating a steady revenue stream for BulletProofLink’s operators.

BulletProofLink’s monthly service costs as much as $800, while the one-time hosting link costs about $50 dollars. The common mode of payment is Bitcoin.

Infinite Subdomain Abuse

According to Microsoft 365 Defender Threat Intelligence Team, the operators behind BulletProofLink use the technique, which the Team calls “infinite subdomain abuse.” The Team said infinite subdomain abuse happens when attackers compromise a website’s DNS or when a compromised site is configured with a DNS that allows wildcard subdomains.

Microsoft 365 Defender Threat Intelligence Team said infinite subdomain abuse is gaining popularity among attackers for the following reasons:

“It serves as a departure from previous techniques that involved hackers obtaining large sets of single-use domains. To leverage infinite subdomains for use in email links that serve to redirect to a smaller set of final landing pages, the attackers then only need to compromise the DNS of the site, and not the site itself.

“It allows phishing operators to maximize the unique domains they are able to use by configuring dynamically generated subdomains as prefix to the base domain for each individual email.

“The creation of unique URLs poses a challenge to mitigation and detection methods that rely solely on exact matching for domains and URLs.”

Double Theft

Microsoft 365 Defender Threat Intelligence Team said that BulletProofLink's phishing-as-a-service is reminiscent of the ransomware-as-a-service model. Today’s ransomware attacks involve, not just data encryption, but exfiltrating or stealing data as well. In a ransomware-as-a-service scenario, the ransomware operator doesn’t necessarily delete the stolen data even if the ransom has already been paid.

In both ransomware and phishing, Microsoft 365 Defender Threat Intelligence Team said that operators supplying resources to facilitate attacks maximize monetization by assuring stolen data are put to use in as many ways as possible. Victims’ credentials, the Team said, are likely to end up in the underground economy. “For a relatively simple service, the return of investment offers a considerable motivation as far as the email threat landscape goes,” Microsoft 365 Defender Threat Intelligence Team said.

Cybersecurity Best Practices

To protect Microsoft 365 users from phishing-as-a-service operations, Microsoft 365 Defender Threat Intelligence Team recommends the following cybersecurity best practices:

• Use anti-phishing policiesto enable mailbox intelligence settings
• Configure impersonation protection settings for specific messages and sender domains
• Enable SafeLinksto ensure real-time protection by scanning at time of delivery and at time of click
• Secure the Azure AD identity infrastructure
• Enable multifactor authentication
• Block sign-in attempts from legacy authentication

 

What we Learned from the Biggest DDoS Attack to Date: 22 Million Requests Per Second

Russian internet giant Yandex recently announced that it was hit by a record-breaking distributed denial-of-service (DDoS) attack.

“Our experts did manage to repel a record attack of nearly 22 million requests per second,” Yandex said in a statement. “This is the biggest known attack in the history of the internet.”

Mēris Botnet

In the blog post “Mēris botnet, climbing to the record,” DDoS mitigation service Qrator Lab reported that from August 7 to September 5 of this year, it recorded 5 DDoS attacks at Yandex from a botnet dubbed as "Mēris," which means "Plague" in the Latvian language. The five DDoS attacks at Yandex, Qrator Lab said, started from 5.2 million requests per second (RPS) and culminated at 21.8 million RPS.

In a DDoS attack, multiple internet-connected computers are operating as one to attack a particular target. In launching a DDoS attack, attackers often use a botnet – a group of hijacked internet-connected computers and controlled by attackers to conduct malicious activities such as DDoS attacks.

In a DDoS attack, the hijacked internet-connected computers are also attacked victims. The use of hijacked internet-connected computers results in exponentially increasing the attack power via voluminous requests sent to the target, and resulting in the initial hiding of the true source of the attack.

According to Qrator Lab, the number of infected internet-connected computers reached 250,000, and these infected internet-connected computers or devices come from only one manufacturer: Mikrotik, a Latvian network equipment manufacturer.

Qrator Lab added that the Mēris botnet used the HTTP pipelining technique in launching the DDoS attacks. “Requests pipelining (in HTTP 1.1) is the primary source of trouble for anyone who meets that particular botnet,” Qrator Lab said. “Because of the request pipelining technique, attackers could squeeze much more RPS than botnets usually do. It happened because traditional mitigation measures would, of course, block the source IP. However, some requests (about 10-20) left in the buffers are processed even after the IP is blocked.”

Based on the botnet’s attacking sources (IP addresses), Qrator Lab said that 10.9% came from Brazil, 10.9% from Indonesia, 5.9% from India, 5.2% from Bangladesh, 3.6 from Russia, and 3.3% from the United States.

In the last couple of weeks, Qrator Lab said that it has observed devastating DDoS attacks towards New Zealand, United States and Russia, which is attributed to the Mēris botnet species. “Now it can overwhelm almost any infrastructure, including some highly robust networks,” Qrator Lab said. “All this is due to the enormous RPS power that it brings along.”

Mirai Botnet

Prior to the DDoS attack at Yandex, the record-breaking DDoS attack was launched by a powerful botnet, targeting a Cloudflare customer in the financial industry. The attack reached 17.2 million requests per second.

According to Cloudflare, the said DDoS attack came from more than 20,000 bots in 125 countries around the world. Based on the botnet’s attacking sources (IP addresses), almost 15% of the attack originated from Indonesia and another 17% from India and Brazil combined.

Cloudflare said the attack was launched via a Mirai botnet. The botnet Mirai, which means “future” in Japanese, was first discovered in 2016. The Mirai botnet infects Linux-operated devices such as security cameras and routers. This botnet infects Linux-operated devices such as security cameras and routers by brute forcing known credentials such as factory default usernames and passwords. Succeeding variants of the Mirai botnet took advantage of zero-day exploits.

According to Qrator Lab researchers, they haven’t seen the malicious code, and as such, they aren’t ready to tell yet if it’s somehow related to the Mirai botnet family or not.

Preventative measures against DDoS attacks

In order to prevent your organization’s internet-connected computers or devices from being hijacked as part of a botnet, it’s important to follow these cybersecurity best practices:

• Keep these computers or devices up to date
• Use strong passwords and regularly change these passwords
• Use firewall to prevent remote access to unknown parties

According to MikroTik, Mēris botnet compromised the same routers that were compromised in 2018 via a known security vulnerability that was quickly patched. The 2018 vulnerability that was referred to is CVE-2018-14847, a MikroTik RouterOS security vulnerability that allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface.

“Unfortunately, closing the vulnerability does not immediately protect these routers,” MikroTik said. “If somebody got your password in 2018, just an upgrade will not help. You must also change password, re-check your firewall if it does not allow remote access to unknown parties, and look for scripts that you did not create.”

DDoS attacks, even volumetric attacks, can now be prevented autonomously, without human intervention.

Top 3 Worst Cybersecurity Practices

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently listed three cybersecurity practices as dangerous practices that can give rise to enhanced damages to technologies accessible from the internet.

Below are the three practices that CISA has deemed as “dangerous” practices. The presence of these bad practices in organizations, CISA said, “is exceptionally dangerous and increases risk to our critical infrastructure, on which we rely for national security, economic stability, and life, health, and safety of the public.”

1. Use of Unsupported (End-of-Life) Software

Security vulnerabilities in software are but normal. Software vendors, within a specified timeframe, are always on the lookout for these software security vulnerabilities. During this specified period, regular or unscheduled security updates, also known as patches, are released by security vendors to fix known security vulnerabilities.

After the specified timeframe, also known as the software’s end-of-life (EOL), software vendors will stop releasing patches. Attackers love to exploit software that have reached their end of life on the premise that many users still use software that have reached their EOL.

An example of software that has reached its end of life is Windows 7 operating system. On January 14, 2020, Microsoft ended its support for the Windows 7 operating system. Customers who purchased an Extended Security Update (ESU) plan can still receive support or security updates from Microsoft. In this case, the continued use of Windows 7 without ESU is a dangerous practice.

“In 2017, roughly 98 percent of systems infected with WannaCry employed Windows 7 based operating systems,” the Federal Bureau of Investigation (FBI) said in its Private Industry Notification (PDF File). “After Microsoft released a patch in March 2017 for the computer exploit used by the WannaCry ransomware, many Windows 7 systems remained unpatched when the WannaCry attacks began in May 2017. With fewer customers able to maintain a patched Windows 7 system after its end of life, cyber criminals will continue to view Windows 7 as a soft target.”

2. Use of Known/Fixed/Default Passwords and Credentials

The use of known/fixed/default passwords is another bad practice that’s disastrous in technologies accessible from the internet.

In July 2021, Microsoft Threat Intelligence Center reported that it observed new activity from the NOBELIUM threat actor using tactics such as password spray and brute-force attacks.

In the blog post "Protecting your organization against password spray attacks," Diana Kelley, Microsoft Cybersecurity Field CTO said that adversaries in password spray attacks “acquire a list of accounts and attempt to sign into all of them using a small subset of the most popular, or most likely, passwords.”

The Microsoft Cybersecurity Field CTO, meanwhile, said that brute-force attacks are targeted compared to password spray attacks, with attackers going after specific users and cycles through as many passwords as possible using dictionary words, common passwords, or conducting research to see if they can guess the user’s password, for instance, discovering family names through social media posts.

In July 2021 as well, UK’s National Cyber Security Centre reported that it observed an increase in activity as part of malicious email and password spraying campaigns against a limited number of UK organizations.

3. Use of Single-Factor Authentication

The use of single-factor authentication is another bad practice that’s disastrous in technologies accessible from the internet. Single-factor authentication is the simplest form of authentication. With single-factor authentication, a user matches one credential to verify oneself online. The most common credential is the password to a username.

“The use of single-factor authentication for remote or administrative access to systems supporting the operation of Critical Infrastructure and National Critical Functions (NCF) is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety,” CISA said. “This dangerous practice is especially egregious in technologies accessible from the Internet.”

Cybersecurity Best Practices

Below are the cybersecurity practices that best counter the above-mentioned bad practices:

• Never use unsupported or end-of-life software. The use of unsupported software gives attackers the opportunity to exploit known security vulnerabilities that haven’t been fixed by software vendors due to end-of-life status.
• Don’t use known/fixed/default passwords.
• Use multi-factor authentication. In a blog post, Melanie Maynes Senior Product Marketing Manager at Microsoft Security said that the one simple action you can take to prevent 99.9 percent of attacks on your accounts is the use of multi-factor authentication (MFA) – a security measure that requires multiple methods of authentication from different categories of credentials.

"There are over 300 million fraudulent sign-in attempts to our cloud services every day,” Maynes said. “By providing an extra barrier and layer of security that makes it incredibly difficult for attackers to get past, MFA can block over 99.9 percent of account compromise attacks. With MFA, knowing or cracking the password won’t be enough to gain access.”

MFA, however, shouldn’t be your organization’s only defense against malicious actors as there are a handful known ways of bypassing MFA.

. Practice network segmentation. In network segmentation, your organization’s network is sub-divided into sub-networks so that in case of a disaster in one network, the other networks won’t be affected.

Modern Email Threat: Morse Code Used in Phishing Attacks

Microsoft has revealed that cybercriminals are changing tactics as fast as security and protection technologies do, with the latest tactic: The use of Morse code in phishing attacks.

In the blog post "Attackers use Morse code, other encryption methods in evasive phishing campaign," Microsoft 365 Defender Threat Intelligence Team said that a year-long investigation found a targeted, invoice-themed XLS.HTML phishing campaign in which the attackers changed obfuscation and encryption mechanisms every 37 days on average, showing high motivation and skill level in order to constantly evade detection and keep the malicious operation running.

The phishing campaign’s primary goal, Microsoft 365 Defender Threat Intelligence Team said, is to harvest sensitive data such as usernames, passwords, IP addresses, and location – information that attackers can use as an initial entry point for later infiltration attempts.

In a phishing attack, attackers masquerade as a trusted entity and trick a victim into opening an email with a malicious attachment. In the phishing campaign observed for a year by Microsoft 365 Defender Threat Intelligence Team, the attackers initially sent out emails to targeted victims about a bogus regular financial-related business transaction, specifically sending a vendor payment advice.

According to Microsoft 365 Defender Threat Intelligence Team, the malicious email contains HTML file attachment with “xls” file name variations. An attachment with xls file name ordinarily means it’s an Excel file. Opening this attachment, however, leads to a fake Microsoft Office 365 credentials dialog box, and lately to a legitimate Office 365 page.

Entering one’s username and password into the fake Microsoft Office 365 credentials dialog box or legitimate Office 365 page leads to the activation of the attackers’ phishing kit – harvesting the user’s username, password, and other information about the user.

According to Microsoft 365 Defender Threat Intelligence Team, the malicious HTML attachment is divided into several segments, including the JavaScript files used to steal passwords, which are then encoded using various mechanisms. “Some of these code segments are not even present in the attachment itself,” Microsoft 365 Defender Threat Intelligence Team said. “Instead, they reside in various open directories and are called by encoded scripts. In effect, the attachment is comparable to a jigsaw puzzle: on their own, the individual segments of the HMTL file may appear harmless at the code level and may thus slip past conventional security solutions. Only when these segments are put together and properly decoded does the malicious intent show.”

Morse Code

Named after one of the inventors of the telegraph Samuel Morse, Morse Code is a code for translating letters to dots and dashes.

According to Microsoft 365 Defender Threat Intelligence Team, in place of the plaintext HTML code, the attackers used Morse code – dots and dashes – to hide the attack segments.

The use of Morse code in phishing attacks was first reported by u/speckz on Reddit last February. Lawrence Abrams of Bleeping Computer followed up the initial report of u/speckz. Abrams said Morse code was used by a threat actor to hide malicious URLs in their phishing campaign to bypass secure mail gateways and mail filters.

When viewing the HTML attachment in a text editor, Abrams said, instead of the plaintext HTML code, Morse code is placed instead with dots and dashes. For instance, the letter “a” is written in “.-” and the letter 'b' is written in “-…”.

“The script then calls a decodeMorse() function to decode a Morse code string into a hexadecimal string,” Abrams said. “This hexadecimal string is further decoded into JavaScript tags that are injected into the HTML page. These injected scripts combined with the HTML attachment contain the various resources necessary to render a fake Excel spreadsheet that states their sign-in timed out and prompts them to enter their password again. Once a user enters their password, the form will submit the password to a remote site where the attackers can collect the login credentials.”

According to the Microsoft 365 Defender Threat Intelligence Team, Morse code was observed in the February (“Organization report/invoice”) and May 2021 (“Payroll”) waves. In the February phishing campaign, the Team said links to the JavaScript files were encoded using ASCII then in Morse code. In May, the Team added that the domain name of the phishing kit URL was encoded in Escape before the entire HTML code was encoded using Morse code.

Cybersecurity Best Practices

The changing tactics and speed that cybercriminals use to update their obfuscation and encoding techniques in launching their phishing campaigns via Office 365 environment call for the following cybersecurity best practices:

• Use Office 365 Group Policy or mail flow rules for Outlook to clean .htm or .html or other file types that aren’t needed for business operation.
• Enable Safe Attachments policies to check attachments to inbound email.
• Turn on Safe Links protection for users with zero-hour auto purge to remove emails in case attackers weaponized a URL post-delivery.
• Use multi-factor authentication (MFA).
• Avoid password reuse between accounts.
• Make consent phishing tactics as part of security or phishing awareness training.
• Enable network protection to block connections to malicious domains and IP addresses.

To better protect your organization against modern threats and mitigate cyber risks, schedule a consultation with one of our cybersecurity experts today.

What Is Kubernetes and How to Protect This Attack Surface

Kubernetes is fast becoming the target of attackers to steal data, steal computing power, or cause a denial of service.

What Is Kubernetes?

Kubernetes is an open-source system that’s often hosted in the cloud. It’s used to automate the deployment, scaling, and management of applications. Companies that use Kubernetes include Google and Tesla.

Google originally developed and released Kubernetes as open-source in 2014. Google Cloud is the known birthplace of Kubernetes. Kubernetes development drew inspiration from Google’s Borg.

“Google's Borg system is a cluster manager that runs hundreds of thousands of jobs, from many thousands of different applications, across a number of clusters each with up to tens of thousands of machines,” Google said. “It achieves high utilization by combining admission control, efficient task-packing, over-commitment, and machine sharing with process-level performance isolation. It supports high-availability applications with runtime features that minimize fault-recovery time, and scheduling policies that reduce the probability of correlated failures. Borg simplifies life for its users by offering a declarative job specification language, name service integration, real-time job monitoring, and tools to analyze and simulate system behavior.”

While Kubernetes offers users a way to automate the deployment, scaling, and management of applications, it presents complexities. "Kubernetes clusters can be complex to secure and are often abused in compromises that exploit their misconfigurations,” the U.S. Cybersecurity and Infrastructure Security Agency and U.S. National Security Agency said in the advisory “Kubernetes Hardening Guidance.”

Tesla Case

In February 2018, researchers at RedLock discovered that attackers had infiltrated Tesla’s Kubernetes console which wasn’t password protected. “Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry,” RedLock researchers said.

According to RedLock researchers, attackers in the Tesla case stole the computing power for crypto mining from within one of Tesla’s Kubernetes pods. The researchers added that the attackers used the following evasion techniques to hide the illicit crypto mining:

. The attackers didn’t use a well-known public “mining pool” in this attack, making it difficult for standard IP/domain-based threat intelligence feeds to detect the malicious activity.

. The attackers hid the true IP address of the mining pool server behind a free content delivery network (CDN) service, making IP address-based detection of crypto mining activity difficult.

. The mining software was configured to listen on a non-standard port, making it difficult to detect malicious activity based on port traffic.

. The attackers configured the mining software to keep the usage low to evade detection.

Common Sources of Compromise in Kubernetes

According to the U.S. Cybersecurity and Infrastructure Security Agency and U.S. National Security Agency, the three common sources of compromise in Kubernetes are malicious threat actors, supply chain risks, and insider threats.

Malicious Threat Actors

According to the U.S. Cybersecurity and Infrastructure Security Agency and U.S. National Security Agency, malicious threat actors often target the following Kubernetes architecture for remote exploitation: control plane, worker nodes, and containerized applications.

The Kubernetes control plane is used to track and manage the cluster. The agencies said the Kubernetes control plane lacking appropriate access controls is often taken advantage by attackers.

The Kubernetes worker nodes host the kubelet and kube-proxy service. According to the said agencies, worker nodes are potentially exploitable by attackers.

The agencies added that the containerized applications running inside the Kubernetes cluster are common targets. "An actor can then pivot from an already compromised Pod or escalate privileges within the cluster using an exposed application’s internally accessible resources,” the agencies said.

Supply Chain Risks

In supply chain risks, attackers may compromise a third-party software and vendors used to create and manage the Kubernetes cluster.

A malicious third-party application running in Kubernetes could provide attackers with a foothold. The compromise of the underlying systems (software and hardware) hosting Kubernetes could provide attackers with a foothold as well.

Insider Threats

Insiders threats refer to individuals from within the organization who use their special knowledge and privileges against Kubernetes clusters. These individuals can be administrators, users, and cloud service or infrastructure provider.

According to the U.S. Cybersecurity and Infrastructure Security Agency and U.S. National Security Agency, Kubernetes administrators have control over the Kubernetes environment, giving them the ability to compromise the Kubernetes environment.

Users who have knowledge and credentials to access containerized services in the Kubernetes cluster could compromise the Kubernetes environment as well. Cloud service or infrastructure provider, meanwhile, has access to physical systems or hypervisors managing Kubernetes nodes. This access could be used to compromise a Kubernetes environment.

Cybersecurity Best Practices

The U.S. Cybersecurity and Infrastructure Security Agency and U.S. National Security Agency recommend the following best practices in order to protect your organization’s Kubernetes environment:

• Scan Kubernetes containers and pods for security vulnerabilities or misconfigurations.
• Run Kubernetes containers and pods with the least privileges possible.
• Practice network separation to control the damage in case of a compromise.
• Use firewalls to limit unnecessary network connectivity.
• Use strong authentication and authorization to limit user and administrator access as well as to limit the attack surface.
• Use log auditing to monitor potential malicious activity.
• Periodically review all Kubernetes configurations.
• Use vulnerability scans to ensure that risks are accounted for and security patches are applied.

2021 Top 25 Most Dangerous Software Weaknesses

Software has weaknesses.

The most dangerous software weaknesses are those that are often easy to find, easy to exploit, and can allow attackers to completely take over a system, prevent an application from working, or steal data.

MITRE recently released the 2021 top 25 most dangerous software weaknesses – a demonstrative list of the most dangerous software weaknesses over the previous two calendar years. To create the 2021 list, MITRE used the Common Vulnerabilities and Exposures (CVE) data found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), and the Common Vulnerability Scoring System (CVSS) scores associated with each CVE record.

The Software Weaknesses List

Here are the top 25 most dangerous software weaknesses over the previous two calendar years:

1. Out-of-Bounds Write

Out-of-bounds write, also known as memory corruption, occurs when the software writes data past the end or before the beginning of the intended buffer. This software weakness can result in code execution, corruption of data, or a crash.

2. Improper Neutralization of Input During Web Page Generation

Improper neutralization of input during web page generation, also known as cross-site scripting (XSS), occurs when the software doesn’t neutralize or incorrectly neutralizes user-controllable input before it’s outputted as a web page.

3. Out-of-Bounds Read

Out-of-bounds read occurs when the software reads data past the end or before the beginning of the intended buffer. This software weakness can cause a crash or allow attackers to read sensitive information from other memory locations.

4. Improper Input Validation

Improper input validation occurs when the software receives input or data, but it doesn’t validate or incorrectly validates the input. When a software doesn’t validate input properly, attackers can craft the input in a form that isn’t expected by the rest of the application. This can result in altered control flow, arbitrary code execution, or arbitrary control of a resource.

5. Improper Neutralization of Special Elements used in an OS Command

Improper neutralization of special elements used in an OS command, also known as OS command injection or shell injection, occurs when the software doesn’t neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it’s sent to a downstream component. This can allow attackers to execute dangerous commands directly on the operating system.

6. Improper Neutralization of Special Elements used in an SQL Command

Improper neutralization of special elements used in an SQL command, also known as SQL injection, occurs when the software doesn’t neutralize or incorrectly neutralizes special elements that can modify the intended SQL command when it’s sent to a downstream component. This can allow attackers to alter query logic to bypass security checks, execute system commands, or insert additional statements that modify the back-end database.

7. Use After Free

Use after free occurs when the use of previously-freed memory can cause the software to crash, cause corruption of valid data, or result in the execution of arbitrary code.

8. Improper Limitation of a Pathname to a Restricted Directory

Improper limitation of a pathname to a restricted directory, also known as path traversal, occurs when the software doesn’t properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that’s outside of the restricted directory. This can allow attackers to escape outside of the restricted location to access files or directories that are elsewhere on the system.

9. Cross-Site Request Forgery (CSRF)

Cross-site request forgery occurs when the web application doesn’t or can’t sufficiently verify a valid request provided by the user. This can allow attackers to trick a client into making an unintentional request to the web server which will then be treated as a valid request.

10. Unrestricted Upload of File with Dangerous Type

Unrestricted upload of file with dangerous type occurs when the software allows the uploading or transferring of files of dangerous types which can be automatically processed within the software’s environment.

11. Missing Authentication for Critical Function

Missing authentication for critical function occurs when the software doesn’t perform any authentication for functionality that requires a valid user identity. This can allow attackers to read or modify sensitive data, access administrative or other privileged functionality, or execute arbitrary code.

12. Integer Overflow or Wraparound

An integer overflow or wraparound occurs when the software performs a calculation in which the logic assumes that the resulting value will always be larger than the original value. This can allow attackers to introduce other weaknesses when the calculation is used for execution control or resource management.

13. Deserialization of Untrusted Data

Deserialization of untrusted data occurs when the software deserializes untrusted data without sufficiently verifying that the resulting data will be valid. An assumption that the code in the deserialized object is valid is susceptible to exploitation. Attackers can change unexpected objects or data that was assumed to be safe from modification.

14. Improper Authentication

Improper authentication occurs when the software doesn’t prove or insufficiently proves that the user’s identity is correct.

15. NULL Pointer Dereference

NULL pointer dereference occurs when the software dereferences a pointer that it expects to be valid, but is NULL, causing an exit or crash.

16. Use of Hard-coded Credentials

The use of hard-coded credentials creates a software weakness that allows attackers to bypass the authentication that has been configured by the software administrator.

17. Improper Restriction of Operations within the Bounds of a Memory Buffer

Improper restriction of operations within the bounds of a memory buffer, also known as buffer overflow, occurs when the software performs operations on a memory buffer, but it can write to or read from a memory location that’s outside of the intended boundary of the buffer. This can allow attackers to change the intended control flow, execute arbitrary code, cause the system to crash, or read sensitive information.

18. Missing Authorization

Missing authorization occurs when a software doesn’t perform an authorization check when a user attempts to access a resource. This can allow attackers to read sensitive data, modify sensitive data, or gain privileges by modifying or reading critical data directly, or by accessing privileged functionality.

19. Incorrect Default Permissions

Incorrect default permissions occur when during the installation of the application, installed file permissions are set to allow anyone to modify those files. This can allow attackers to read or modify application data.

20. Exposure of Sensitive Information to an Unauthorized Actor

Exposure of sensitive information to an unauthorized actor, also known as information leak, occurs when the software exposes sensitive information to a user that isn’t explicitly authorized to have access to that information.

21. Insufficiently Protected Credentials

Insufficiently protected credentials occur when the software transmits or stores authentication credentials, but it uses an insecure method. This can allow attackers to gain access to user accounts and access sensitive data.

22. Incorrect Permission Assignment for Critical Resource

Incorrect permission assignment for critical resource occurs when the software specifies permissions for a security-critical resource, allowing the resource to be read or modified by attackers.

23. Improper Restriction of XML External Entity Reference

Improper restriction of XML external entity reference occurs when the software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control. Common consequences of this software weakness include attackers being able to access arbitrary files on the system, or can cause consumption of excessive CPU cycles or memory using a URI that points to a large file, or a device that always returns data such as /dev/random.

24. Server-Side Request Forgery (SSRF)

According to MITRE, in server-side request forgery, the “web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.” A real-world example of server-side request forgery attack allowed attackers to request a URL from another server, including other ports, which allowed proxied scanning.

25. Improper Neutralization of Special Elements used in a Command

Improper neutralization of special elements used in a command occurs when data from an untrusted source enters the application and the data from an untrusted source is executed as a command by the application. This gives attackers privileges or capabilities that they would not otherwise have.