The Rapid Resurgence Of DDoS Extortion (That Didn't Take Long).

 

Just when we thought DDoS extortion was fading into the rear view mirror, it's time to circle up the trucks again. Starting last week and rapidly accelerating, we began seeing in our data and hearing firsthand from organizations about a new wave of extortion activity -- new Bitcoin demands; new threat actor names; and new attacker tactics, techniques, and procedures (TTPs).  

Perhaps the rapid resurgence in DDoS extortion attacks was spurred on and inspired by the massive Colonial Pipeline payout? It's possible. 

Whatever the attackers' motivations, we've seen a flurry of malicious activity with new customers needing emergency integration of DDoS defenses in numbers not seen since the campaign heated up last August.

Let's take a closer look at the latest threat actors hitting the scene, and what organizations need to do now to be prepared.

With Summer Around The Corner, May Attack Activity Heats Up.

While we have firsthand data on just two verified extortion attacks, we've caught wind of six others from customers and prospects doing emergency onboarding of their networks. We have yet to see these attacks target a customer with an always-on security posture, suggesting the attackers are focused on softer targets without in-line defense. Like previous extortion campaign activity, we've observed the latest round of attackers targeting organizations across a variety of industries such as travel and hospitality, retail/e-commerce, high-tech/software, and consumer packaged goods to name a few. Some industries, in particular, align well with attackers seeking to exploit the highly anticipated and pent up demand for summer travel as COVID-19 restrictions ease up.  

Based on our visibility into attack data, the first show-of-force assault was north of 150 Gbps and lasted an hour, while the second attack on a different customer upped the ante, coming in at over 250 Gbps and lasting for more than an hour. These attack sizes are consistent with previous extortion activity in terms of seeing bandwidth exceeding multiple hundreds of gigabits per second spread across multiple destination IPs: The first attack had 11 target destinations (roughly 10 Gbps on each) and the second attack had 7 target destinations.

Let's Start With A Little Context.

How does this campaign fit within the broader trend of DDoS extortion?  Since august 2020 we've tracked a few different waves of extortion campaigns, with attacker TTPs ebbing and flowing, overlapping and co-existing over time. We've even seen attackers combine names of notorious APTs to keep things fancy as they bring the extortion campaigns back to life. These most recent attacks align most closely with what we documented and mitigated in v2 attacks in terms of target spread, and bleeding over into v1 traits with tip-off DDoS attack vectors.

A Bit More About May 2021 Extortion Activity.

What is interesting about this latest extortion attack example is the shared traits of v2 and v3 with respect to the attack vector poker tells -- somewhat unusual DDoS vectors and the wide range of IP space targeted during v2 activity.  Both attacks featured the Apple Remote Management Service (ARMS) vector, while the second attack also leveraged a UDP Amplification technique known as WS-Discovery (WSD), which was first discovered and reported in the Fall of 2019 and also associated with previous DDoS extortion activity. Its sudden reemergence was a telltale sign that targeted customers most likely had received an extortion attempt. 

Additionally, and as an important side note, the attacks we've observed are not particularly sophisticated. Ninety-nine percent of malicious traffic was of two packet lengths and composed of easily blockable vectors. We believe this reflects the incredibly low barrier to launch an "entry-level" DDoS attack that still packs a punch in terms of bandwidth but lacks the complexity associated with other more advanced threat actors.  

We've been told that the cost to launch a DDoS attack from dark web toolkits recently dropped from $10 to $5 (looks like attack tools aren't being affected by inflation). Regardless of the increased access, the most recent extortion attacks consisted of some of our most frequently blocked DDoS vectors, with the vast majority mitigated consistently with our zero-second SLA once new customers had routed onto our platform.   

With respect to threat actor locations, traffic from the first attack was primarily sourced in Russia and Asia, though you can see European, Australian, and the North/South American sources were active in the latest round as well. While DDoS attack source IPs can be easily spoofed, we did observe a significant concentration of traffic originating from Russia, specifically.

 

DDoS Guidance And Runbook Reminders.

As was the case in late summer 2020, we continue to hear about more attacks than we see in the data, as attacked customers seek emergency integrations (we don't have visibility into customer traffic until they are onboarded). Attack attempts and follow-on attacks also lessen once subnets and IP spaces are routed onto Prolexic for protection, as threat actors tend to move on to other organizations that don't have adequate defenses in place. 

We advise organizations to consider DDoS protections for all critical assets -- both customer- and internal-facing -- as the campaign continues, and extortion as a top attack motivator shows no sign of letting up. And for companies that have put off updating run books and tabletop attack exercises due to COVID-19 , now is the time to ensure that incident response plans and processes are current -- not after you've experienced a DDoS event.

 

 

Crypto Threats Surge By 500%, And It's All About The Money.

 

Previously reserved for early adopters and tech-savvy consumers, cryptocurrencies have gone mainstream -- with tech entrepreneurs and prominent financial institutions leading the charge.

In the past year, rapidly increasing cryptocurrency rates, the introduction of new currencies, and the official trading of cryptocurrencies have called into question the threats posed by crypto mining abuse and cryptocurrency scams.

In this blog, we'll examine how escalating currency rates and the continued adoption of cryptocurrencies impact the threat landscape -- and what our data can tell us to expect in the future.

Malicious Crypto Mining Malware Traffic.

In the past few years, malware variants that infect both personal computers and corporate servers have become an increasing trend. Their objective is to utilize infected device computing resources for crypto mining activities. Sampled DNS traffic data between January 2020 and March 2021 shows a correlation in the surging increase in traffic from crypto mining malware and the price increases of both Bitcoin and Ethereum cryptocurrencies.
We believe the increase in malicious traffic is driven by the increase in cyber criminals' motivation to execute crypto mining activities. As cryptocurrency prices grow, and the potential benefit from malicious mining activities increases, cyber criminals gain momentum as well.

Phishing Attacks Abusing Crypto Consumers.

Because phishing is one of the most prominent and growing threats, we looked into phishing attack trends involving crypto exchange consumers. In such scams, cyber criminals will create fake websites that mimic the appearance and functionality of crypto exchange websites to deceive victims into giving away their credentials. Once credentials are stolen, cyber criminals own the victims' crypto wallets and execute fraudulent transactions.

Similar to malicious crypto mining activities, rapidly growing cryptocurrency rates have most likely increased the demand for compromised crypto exchange accounts in the dark market, leading to a surge in phishing attacks.

Ransomware And Cryptocurrency Affairs.

Ransomware has made headlines this past year by causing significant financial damage to organizations around the globe. One noticeable example, the recent attack on the Colonial pipeline, caused the company to temporarily shut down operations, and the incident once again garnered mainstream media attention.

As opposed to crypto exchange phishing or crypto mining attacks, cryptocurrency is not directly motivating cyber criminals to execute ransomware attacks. With ransomware attacks, cryptocurrency enables attacks that use cryptocurrency as a payment method because it gives cyber criminals a layer of anonymity.

Ransomware attacks have gained momentum in the past year, and we believe cryptocurrency has enabled and supported that trend. According to sampled DNS traffic, we saw an increasing trend in the volume of traffic to ransomware-associated malware websites between January and April 2021, with more than a 250% increase in traffic. 

Elon Musk Scam.

Another scam that has recently gained strong momentum includes a social engineering technique that convinces victims to send crypto coins to cyber criminals' wallets with the promise of repayment that is double the original amount.

We saw a good example of that in the wild with the Elon Musk scam, which abused Musk's reputation as an entrepreneur and Tesla as an organization that advocates for the use of cryptocurrencies. This scam presented a reliable and trustworthy airdrop event on a phishing website that appeared to be supported by Musk and Tesla. An airdrop event occurs when a cryptocurrency or organization decides to distribute tokens or coins to users for any reason.

According to the scam phishing website, Tesla HQ declares that, as a supportive action to the crypto community, it will give back each participant twice the amount that was initially sent by the user. Needless to say, when it's too good to be true, it probably is; victims did not get their coins back.

This scam used a variety of techniques to create a trustworthy and sustainable website, such as a newly registered domain that seems legit, giving the phishing website the look and feel of a well-known blogging platform, complete with fake comments from fake users indicating they just received repayment as promised. All these social engineering techniques helped gain victims' trust so they were more willing to take the risk and give away some of their coins.    

Summary

The same cryptocurrency technology that prevents users' identities from being exposed also motivates cyber criminals and explains why cryptocurrencies play a significant role in the modern cyber ecosystem. As a result, we can see more and more attack vectors, such as DDos extortions and ransomware, that request payment in the form of cryptocurrency.

As cryptocurrency becomes even more significant, the trends reported in this blog don't come as a surprise. Yet the strong correlation between crypto rates and level of attacks being reported is surprising and indicates that cyber criminals are motivated by commercial forces.

Because some crypto-associated threats, such as crypto mining and DDoS attacks, involve abusing servers or infected computational devices, the potential impact is relevant to both consumers and businesses. 

To apply proactive security monitoring and controls, we need to better understand the relationship between global events and what motivates cyber criminals to execute scams. Events that influence our lives, our economy, and our health will most likely trigger cyber criminals to target us by leveraging those events. Those attacks will happen when we're most vulnerable to lurking scams. 

As an InfoSec community, we need to increase awareness, evaluate our vulnerabilities, better understand cyber criminals' mindset, and as a result, try to predict what might come next -- and be ready for it.

 .

 

 

 

 

The Countdown Has Started -- The Move Toward Zero Trust and MFA.

 

In early May 2021, the President of the United States issued an executive order on cyber security and though it will take some time for executive branch agencies to develop formal rules, the order itself includes a lot of what I consider to be best practice in cybersecurity, including the use of multi-factor authentication (MFA) and Zero Trust, mentioned by name. 

The call for adoption of cybersecurity best practices makes a lot of sense. Recently, we broadly discussed how MFA can be leveraged to prevent increasing security risks. In the past six months alone, we've seen a substantial increase in headline-grabbing security incidents: Solar Winds in December 2020; Microsoft Exchange vulnerabilities in March 2021; and, most recently, the DarkSide ransomware attacks. Even the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) released an alert on the exploitation of Pulse connect secure Vulnerabilities, drawing attention to the growing problem of increasing security threats.

 The movement away from a traditional network access model toward the powerful combination of Zero Trust bolstered by MFA can significantly limit the ability of malware to do harm. Unlike traditional tools like VPNs, a Zero Trust approach is designed to ensure that information assets remain dark to all except authorized users.

This means that data can be seen only by users who are strongly authenticated and who have been granted access. Effectively, this approach is a strong form of the principle of least privilege: verify, then trust. 

The move toward Zero Trust is in contrast with the traditional network access model -- a VPN, for example. Traditionally, once a user is on the network, they can see all assets that are routable on the network. 

This is dangerous. Although the user may not be able to get past the login, if they can get an application to present a login screen (or begin any other form of login challenge), then they can get that application to execute code, which means vulnerabilities can be exploited. That, right there, is a violation of least privilege.

Seriously, why would you ever grant visibility to non-authorized users? Such visibility could be exploited by malware. So, don't do it.

The Biden Administration, including the Department of Homeland Security's CISA, thinks it's dangerous too. The executive order urges the Federal government to secure cloud services using a Zero Trust architecture and mandates deployment of MFA and encryption within a specific period. The order outlines timelines for this implementation, giving 180 days to adopt an MFA solution. 

November 8th is fast approaching.

What Can You Do Right Now?.

Short of giving us a ring (which you're more than welcome to do), start by getting educated on what Zero Trust is, what that means for your agency, and how MFA helps alleviate the challenges.

Alleviating the cybersecurity challenges of today and moving fully toward Zero Trust with one simple tool isn't an option that exists just yet. But a good first step is an MFA tool. 

Akamai's MFA is a phish-proof authenticator that leverages FIDO2, the strongest standards-based authentication method available, via a smartphone app. It allows for end-to-end cryptography and a sealed MFA challenge/response flow to make the authentication process unphishable and confidential. Combined with Zero Trust access, it grants access only to those users who have been strongly authenticated and who actually need access. For all others, the assets remain dark, which means that they cannot be scanned for vulnerabilities or attacked.

 

Facebook Suffers A Data Breach About How It’s Hoping To Stop The Media Talking About Its Last Data Breach.

 

Facebook has suffered another data breach.

Hot on the heels of the revelation that the phone numbers and personal data of half a billion Facebook users had been leaked online, the social network has goofed again.

But this time it’s Facebook’s PR team rather than its users who have been left exposed.

Someone in Facebook’s EMEA Communications team seems to have accidentally forwarded an internal email to a journalist covering the story of the Facebook data breach.

Our guess is that a Facebook employee attempted to forward the internal communication to a colleague, and their email client accidentally auto-completed the recipient’s name to be that of an external journalist. Oops!

What makes matters worse for Facebook, is that the email reveals the company’s strategy for handling questions about the exposure of 533 million users’ data, painting the problem as an issue for the whole technology industry.

Belgian journalist Pieterjan Van Leemputten was the recipient of the accidental email from Facebook on 8 April.

In other words – hunker down, the media will stop writing about it, and the storm will pass.

Facebook’s communications team says it’s not planning to comment further on the breach as long as the media coverage continues to decline.

However, the social network says it is going to be revealing more data-scraping incidents in an attempt to normalize the issue as one that plagues the entire industry

To be clear, Facebook said that the problem was initially discovered and resolved in August 2019. But at least one researcher says that he first warned Facebook that the potential problem back in 2017.

Facebook has tried to downplay the incident, and pitched it as an industry-wide issue. But their arguments are unconvincing, and their failure to acknowledge that they failed to properly fix the problem in the past is telling us loud and clear about their transparency and openness.

Facebook knew there was a problem, and failed to do anything until half a billion users’ details were released. And even now it still hasn’t contacted affected users.

There’s only one way we’re likely to get answers (and, heaven forbid, an actual apology) from Facebook is if we keep talking about it.

 

 

 

Patch Your IPhones And Macs Against "Actively Exploited" Zero-Day Right Now.

 

If you're the owner of an iPhone, iPad, or Apple Mac you should update your system right now.

Apple has released a major security update for its devices, after finding a zero-day flaw that the company indicates has been the focus of in-the-wild attacks by hackers, and might have been used to plant malware.

As is its wont, Apple has not released any real details about the flaw, presumably in an attempt to reduce the chances of other parties exploiting the security vulnerability.

According to a security advisory published on Apple's website, the flaw - technically known as CVE-2021-30807-  was reported to the firm by an anonymous researcher, and involves a memory corruption flaw.
in the IO Mobile Frame Buffer kernel extension used for managing the screen frame buffer, that can be abused to execute arbitrary code on a device with kernel privileges.

If a malicious hacker's code successfully gains kernel privileges it seizes God-like control over the device.

What makes things all the more serious is Apple's warning that the security flaw has been used in real-world attacks:

Proof-of-concept code to exploit the flaw has been published on Twitter

Users are advised to update to the latest versions of iOS (14.7.1), IPadOS (14.7.1), and macOS (11.5.1) to protect against the issue.

Another security researcher, Saar Amar, claims to have also uncovered the vulnerability four months ago, although he had not yet reported it to Apple as he was still working on methods to exploit the flaw. Amar described the vulnerability as being "as trivial and straightforward as it can get."

With details of how to exploit the vulnerability published in the wild, and Apple's claims that it has been actively exploited, there really is no time to wait - everyone should update their Apple devices.

To update your Mac or MacBook, choose System Preferences from the Apple menu in the top-left of the screen. Then click Software Update to see if any updates are available and follow instructions.

If your iPhone or iPad has not yet installed the latest security update, open Settings, and choose General > Software Update and follow instructions.

 

 

The Difference Between A Vulnerability Assessment And A Penetration Test.

 There are many views on what constitutes a Vulnerability Assessment versus a Penetration Test. The main distinction, however, seems to be that some believe a thorough Penetration Test involves identifying as many vulnerabilities as possible, while others feel that Penetration Tests are goal-oriented and are mostly unconcerned with what other vulnerabilities may exist. We are in the latter group, and what follows is our argument for why you should be too.

Language Matters.

Language is important, and we have two terms for a reason. We already have a security test for compiling a complete list of vulnerabilities, i.e. a Vulnerability Assessment. If there isn’t a clear, communicable distinction between this test type and a penetration test then we shouldn’t be using separate terms. Such a distinction does exist, however, and it’s a crucial one.

 Vulnerability Assessments are designed to yield a prioritized list of vulnerabilities and are generally for clients who already understand they are not where they want to be in terms of security. The customer already knows they have issues and simply need help identifying and prioritizing them. The more issues identified the better, so naturally a white box approach should be embraced when possible. The deliverable for the assessment is, most importantly, a prioritized list of discovered vulnerabilities (and often how to remediate).

Penetration Tests are designed to achieve a specific, attacker-simulated goal and should be requested by customers who are already at their desired security posture. A typical goal could be to access the contents of the prized customer database on the internal network, or to modify a record in an HR system. The deliverable for a penetration test is a report of how security was breached in order to reach the agreed-upon goal (and often how to remediate).

A Physical Analog. 

A good analog for this is a Tiger Team working for the government, like Richard Marcinko used to run with Red Cell. Think about what his missions were: things like gain control of a nuclear submarine and bring it out into the bay. So imagine that he’s getting debriefed after a successful mission where he broke in through the east fence, and someone were to ask him about the security of the western side of the building. The answer would be simple: We didn’t even go to the west side. We saw an opening on the east-facing fence and we went after our target.

If the person doing the debrief were to respond with, “You didn’t check the other fences? What kind of security test is it where you didn’t even check all the fences?, the answer would be equally direct: Listen, man, I could have come in a million ways. I could have burrowed under the fences altogether, parachuted in, got in the back of a truck coming in–whatever. You told me to steal your sub, and that’s what I did. If you wanted a list of all the different ways your security sucks, you should have hired an auditor–not a SEAL team.

  

The Question Of Exploitation.

Another mistake people make when discussing vulnerability assessments vs. penetration tests is to pivot immediately to exploitation. The basic narrative is: Finding vulnerabilities is a vulnerability assessment, and exploiting them is a penetration test.

This is incorrect.

Exploitation can be imagined as a sliding bar between none and full, which can be leveraged in both vulnerability assessments and penetration tests. Although most serious penetration tests lean heavily towards showing rather than telling (i.e. heavy on the exploitation side), it’s also the case that you can often show that a vulnerability is real without full exploitation.

A penetration testing team may be able to simply take pictures standing next to the open safe, or to show they have full access to a database, etc., without actually taking the complete set of actions that a criminal could. And vulnerability assessments can slide along this scale as well for any subset of the list of issues discovered. This could be time consuming, but exploitation doesn’t, by definition, move you out of the realm of vulnerability assessment. The only key attributes of a VA vs. PT are list-orientation vs. goal-orientation, and the question of exploitation is simply not part of that calculation.

The Notion That Penetration Tests Include Vulnerability Assessments.

It’s also inaccurate to say that penetration tests always include a vulnerability assessment. Recall that penetration tests are goal-based, meaning that if you achieve your goal then you are successful. So, you likely perform something like a vulnerability assessment to find a good vuln to attack during a pentest, but you could just as easily find a vuln within 20 minutes that gets you to your goal.

It is accurate to say, in other words, that penetration tests rely on finding a one or more vulnerabilities to take advantage of, and that people often use some sort of process to systematically discover vulns for that purpose, but because they stop when they have what they need, and don’t give the customer a complete and prioritized list of vulnerabilities, they didn’t actually do a vulnerability assessment.

In Summary.

Vulnerability Assessment.

• Customer Maturity Level: Low to Medium. Usually requested by customers who already know they have issues, and need help getting started.
• Goal: Attain a prioritized list of vulnerabilities in the environment so that remediation can occur.
• Focus: Breadth over depth.

Penetration Test.

• Customer Maturity Level: High. The client believes their defenses to be strong, and wants to test that assertion.
• Goal: Determine whether a mature security posture can withstand an intrusion attempt from an advanced attacker with a specific goal.
• Focus: Depth over breadth.

 

 

 

 

RANSOMWARE ATTACKS KEEP RISING EVERYDAY.

 

Since ransomware attacks have become a global menace by infecting businesses and governments alike, security experts have found that conventional defenses are falling short. Cloudian has released a report detailing some statistics on the current state of ransomware attacks.

 

Some Current Statistics.

• While 24% of ransomware attacks start with phishing attacks, it is 41% for organizations with fewer than 500 staff.
• In 49% of the cases, organizations had set up perimeter defenses as a result of prior successful attacks. 
• The most common entry point for ransomware attacks was the public cloud, accounting for 31% of total attacks.
• In 56% of cases, attackers were able to take control over all data and demand a ransom within 12 hours, while 30% took 24 hours.
  

The Cost Of These Attacks.

• The average financial cost of these attacks was $400,000.
• The average ransom payment was $223,000 while 14% paid a ransom of $500,000 or more.
• However, the payment of ransom doesn’t guarantee that an organization will get all its data back. Only 57% of victims got their entire data back.
  

 

Why This Matters.

Ransomware attacks do not just incur significant financial losses, they also impact customers, reputation, and operations. The results demonstrate that the conventional preventative measures are not enough to stop ransomware attacks from targeting organizations.

 

Bottom Line.

Gartner states that an immutable data backup copy is a necessity in these testing times. Data immutability impedes ransomware actors from deleting or encrypting data for a fixed period. This implies that, in case of a ransomware incident, organizations can recover unencrypted data without having to pay the ransom. In a nutshell, organizations need to accept the reality that ransomware attacks are ubiquitous and nobody is safe from them. Therefore, there is a need for a comprehensive cybersecurity strategy to defend and effectively respond to threats.

 

CYBER THREATS BREWING OVER TOKYO OLYMPICS.

 

Whenever a major event happens in the world, cyber criminals try to take advantage of it. The Tokyo Olympics is on the radar of cyber criminals for the same obvious reasons. Researchers and security agencies are already warning of the possible cyber attacks on the event. 

Current Ongoing Attacks.

A security firm from Japan found an Olympics-themed malware sample with wiper functionality. This malware can wipe files on infected systems and specifically target Ichitaro Japanese word processors.

• In another case, a government official from Japan disclosed that login IDs and passwords of the Olympic ticket portal got leaked online. However, the leak did not originate from Tokyo 2020's system.
• Last month, the Committee of Japanese Olympics disclosed being hit by a ransomware attack. However, the committee did not pay the ransom and removed all infected computers.

FBI Alerts.

The FBI has issued an alert about possible malicious activities that can disturb several events related to media broadcasting environments, hospitality, ticketing, transit, or security.

• Moreover, the agency warned about possible cyber attacks involving possible attempts to hijacking video feeds, ransomware, or DDoS attacks.
• This year’s broadcast-only Games involving ISPs and television networks are believed to be at the cross hairs of attackers, potentially leading to disturbing global audiences.

 

Our Conclusion.

The ongoing Tokyo Olympics will be a hotbed of cyber attacks and more attacks can be anticipated as the event progresses. It appears to be challenging for Tokyo to stay protected from these expected attacks. Defenses need to be amped up to the tee.

 

THE CONTINUOUS ATTACKS AND THREATS PENETRATING WINDOWS OS.

 

 Most  cyber attacks aiming at Windows OS are some of the most common threats in the current landscape. The rate of detection of such threats has increased drastically. Windows users are targeted, almost on a daily basis, with some new malware, vulnerability, or attack vector.

Cyber attacks on Windows.

In this month alone, multiple attacks have been observed on Windows-based machines. Some of the attacks are completely new and use simple and unique ways for infection.

• A new type of NTLM relay attack was discovered, which allows attackers to control domain controllers that eventually take control of the entire Windows domain. This attack is named as PetitPotam.
• Scammers are taking advantage of the buzz created for the new release of Windows 11. They are spreading fake installers laden with malware, adware, and other malicious tools.
• Microsoft warned its customers about a cryptomining malware, LemonDuck, targeting Windows and Linux systems. It propagates via exploits, USB devices, phishing emails, and brute-forcing.
• Last month, a suspected Pakistani group was found targeting government and energy firms in South/Central Asia. The attackers deployed ReverseRat on compromised Windows system.
  

 

Recent bugs in Windows.

A month ago, the National Cyber Security Centre (NCSC) warned about a dangerous flaw (CVE-2021-1675) in Windows. This flaw exposed several firms to large-scale attacks.

• A priviledge elevation bug dubbed SeriousSAM has been discovered in Windows 10 that enables attackers to access data. Further, the bug can be abused to create new accounts on systems that can be used for malicious actions.
• Microsoft asked Windows users to install the latest updates after a cybersecurity firm inadvertently posted a detailed guide on how to exploit flaws in Print Spooler service.

Our Conclusion.

Windows OS is one of the most used software in the entire world that makes it an obvious target for a large number of cyber criminals. It is plagued with several vulnerabilities and countless malware developed specifically to target it. Therefore, the best solution is to always stay updated and frequently install the latest patches.