technology-news.space - All about the world of technology!

HOTTEST

  • DDoS-for-hire services have found a way to abuse Plex Media servers to bounce junk traffic and amplify distributed denial of service (DDoS) attacks, security firm Netscout said in an alert on Wednesday.
    The company’s alert warns owners of devices that ship with Plex Media Server, a web application for Windows, Mac, and Linux that’s usually used for video or audio streaming and multimedia asset management.
    The app can be installed on regular web servers or usually ships with network-attached storage (NAS) systems, digital media players, or other types of multimedia-streaming IoT devices.
    Plex Media servers punch a hole in router NATs
    Netscout says that when a server/device running a Plex Media Server app is booted and connected to a network, it will start a local scan for other compatible devices via the Simple Service Discovery Protocol (SSDP).
    The problem comes when a Plex Media Server discovers a local router that has SSDP support enabled. When this happens, the Plex Media Server will add a NAT forwarding rule to the router, exposing its Plex Media SSDP (PMSSDP) service directly on the internet on UDP port 32414.
    Since the SSDP protocol has been known for years to be a perfect vector to amplify the size of a DDoS attack, this makes Plex Media servers a juicy and untapped source of DDoS bots for DDoS-for-hire operations.
    Netscout says that attackers only have to scan the internet for devices with this port enabled, and then abuse them to amplify web traffic they send to a DDoS attack victim.

    According to Netscout, the amplification factor is around 4.68, with a Plex Media server amplifying incoming PMSSDP packets from 52 bytes to around 281 bytes, before sending the packet to the victim.
    27K+ Plex Media servers are exposed on the internet
    The security firm said it scanned the internet and found 27,000 Plex Media servers left exposed online that could be abused for DDoS attacks.
    Furthermore, some servers have already been abused. Netscout said that not only has it seen DDoS attacks using Plex Media servers, but that this vector is now becoming common.
    “As is routinely the case with newer DDoS attack vectors, it appears that after an initial period of employment by advanced attackers with access to bespoke DDoS attack infrastructure, PMSSDP has been weaponized and added to the arsenals of so-called booter/stresser DDoS-for-hire services, placing it within the reach of the general attacker population,” the company said.
    According to Netscout, past PMSSDP attacks have reached around 2-3 Gbps, but the servers could be combined with other vectors for much larger attacks.
    This is Netscout’s second warning this year about a new DDoS attack vector being abused in the wild. In January, the company warned that Windows Remote Desktop Protocol (RDP) servers were also being abused for DDoS attacks.

  • Cyber-criminal hacking operations are now so skilled that nation-states are using them to carry out attacks in an attempt to keep their own involvement hidden.
    A report by cybersecurity researchers at BlackBerry warns that the emergence of sophisticated cybercrime-as-a-service schemes means that nation states increasingly have the option of working with groups that can carry out attacks for them.

    This cyber-criminal operation provides malicious hacking operations, such as phishing, malware or breaching networks, and gets paid for their actions, while the nation state that ordered the operation receives the information or access it requires.
    It also comes with the added bonus that because the attack was conducted by cyber criminals who use their own infrastructure and techniques, it’s difficult to link the activity back to the nation state that ordered the operation.
    “The emergence, sophistication, and anonymity of crimeware-as-a-service means that nation states can mask their efforts behind third-party contractors and an almost impenetrable wall of plausible deniability,” warns the BlackBerry 2021 Threat Report.
    Researchers point to the existence of extensive hacking operations like Bahamut as an example of how sophisticated cyber-criminal campaigns have become.

    Originally detailed by BlackBerry last year, Bahamut uses phishing, social engineering, malicious apps, custom malware and zero-day attacks in campaigns targeting governments, private industry and individuals around the world – and had been doing so for years before being uncovered.
    Researchers note how “the profiles and geography of their victims are far too diverse to be aligned with a single bad actor’s interests”, suggesting that Bahamut is performing operations for different clients, keeping an eye out for jobs that would make them the most money – and when it comes to funding, certain nation states have the most money to spend on conducting campaigns.
    Not only does the client nation state end up gaining the access they require to hacked networks or sensitive information, it allows it to be done with a reduced chance of it being linked back to the nation state – meaning that it will potentially avoid consequences or condemnation for conducting attacks.
    “Threat actor identification can be challenging for threat researchers due to several factors, such as overlapping infrastructure, disparate targeting, and unusual tactics. This is especially true when only part of a campaign is outsourced,” said the report.
    Bahamut has continued to be active since its initial disclosure last year, with campaigns targeting government agencies linked to foreign affairs and defence across the Middle East. The group has also been conducting campaigns against targets in South Asia, with a particular focus on smartphone attacks.
    While protecting networks from determined cyber attackers can be difficult, there are cybersecurity practices that organisations can apply in order to help keep intrusions out, such as only providing remote access to sensitive information to those who absolutely need it and constantly examining the network for unusual activity that would be classed as suspicious.

  • The number of cyber attacks attempting to exploit the coronavirus outbreak continues to rise as both cyber criminal groups and nation-state backed hacking operations attempt to take advantage of the COVID-19 pandemic for their own gain. A joint advisory published by the UK’s National Cyber Security Centre (NCSC) and the US […]

  • Almost half of all phishing attacks designed to steal login credentials like email addresses and passwords by imitating well-known brands are impersonating Microsoft.
    Cybersecurity researchers at Check Point analysed phishing emails sent over the last three months and found that 43% of all phishing attempts mimicking brands were attempting to pass themselves off as messages from Microsoft.

    Microsoft is a popular lure because of Office 365’s wide distribution among enterprises. By stealing these credentials, criminals hope to gain access to corporate networks.
    And with many organisations shifting towards remote working to ensure social distancing over the course of the last year, email and online messaging have become even more important to businesses – and that’s something cyber attackers are actively looking to exploit.
    Not only are employees relying on emails for everyday communication with their team mates and bosses, they also don’t always have the same security awareness and protection while working from home.
    With these attacks, even if the messages aren’t designed to look like they come from Microsoft itself, and instead claim to come from a colleague, HR, a supplier or anyone else the person might come into contact with, the phishing link or attachment will ask the user to enter their login details to ‘verify’ their identity.

    If the email address and password are entered into these pages designed to look like a Microsoft login site, the attackers are able to steal them. Stolen credentials can be used to gain further access to the compromised network, or they can be sold on to other cyber criminals on dark web marketplaces.
    The second most commonly imitated brand during the period of analysis was DHL, with attacks mimicking the logistics provider accounting for 18% of all brand-phishing attempts. DHL has become a popular phishing lure for criminals because many people are now stuck at home due to COVID-19 restrictions and receiving more deliveries – so people are more likely to let their guard down when they see messages claiming to be from a delivery firm.
    Other brands commonly impersonated in phishing emails include LinkedIn, Amazon, Google, PayPal and Yahoo. Compromising any of these accounts could provide cyber criminals with access to sensitive personal information that they could exploit.
    “Criminals increased their attempts in Q4 2020 to steal peoples’ personal data by impersonating leading brands, and our data clearly shows how they change their phishing tactics to increase their chances of success,” said Maya Horowitz, director of threat intelligence and research at Check Point.
    “As always, we encourage users to be cautious when divulging personal data and credentials to business applications, and to think twice before opening email attachments or links, especially emails that claim to be from companies, such as Microsoft or Google, that are most likely to be impersonated,” she added.
    It’s also possible to provide an extra layer of protection to Microsoft Office 365 and other corporate accounts by applying two-factor authentication, so that even if cyber criminals manage to steal the username and password, the extra layer of verification required by two-factor authentication will help to keep the account safe.

Internet of Things

  • Samsung Spotlights Next-generation IoT Innovations for Retailers at National Retail Federation’s BIG Show 2017

  • That’s Fantasy! The World’s First Stone Shines And Leads You to The Right Way

  • LG Pushes Smart Home Appliances To Another Dimension With ‘Deep Learning’ Technology

  • The Port of Hamburg Embarks on IoT: Air Quality Measurement with Sensors

Artificial Intelligence

  • Contact-aware robot design (19 July 2021, 04:00)

  • MIT Schwarzman College of Computing awards named professorships to two faculty members (16 July 2021, 15:45)

  • Getting dressed with help from robots (14 July 2021, 19:15)

  • Software to accelerate R&D (13 July 2021, 04:00)

  • Sertac Karaman named director of the Laboratory for Information and Decision Systems (12 July 2021, 16:00)

  • The tenured engineers of 2021 (9 July 2021, 20:00)

  • US Air Force pilots get an artificial intelligence assist with scheduling aircrews (8 July 2021, 18:45)

  • Infrared cameras and artificial intelligence provide insight into boiling (7 July 2021, 20:15)

  • Designing exploratory robots that collect data for marine scientists (7 July 2021, 04:00)

Robotics

  • Own a Roku TV? I changed 6 settings to give the system a noticeable speed boost (20 November 2025, 01:21)

  • What an orange USB port actually means – and the truth behind all the colors (20 November 2025, 00:24)

  • QLED vs. OLED: Testing this overlooked Samsung TV model made the answer clear to me (19 November 2025, 23:55)

  • This Greenworks 24V cordless drill and impact driver kit is perfect for my new house, and it’s $60 off (19 November 2025, 23:51)

  • Uncover your digital footprint with this free tool – here’s how it works (19 November 2025, 01:00)

  • I found a near-perfect Android phone, but the premium display has a surprising flaw (19 November 2025, 00:43)

  • Is the $500 Oura Ring 4 Ceramic worth it? I wore one for a month, and here’s my advice (19 November 2025, 00:16)

  • Why I recommend this Samsung QLED TV over pricier OLED models in 2025 – and don’t regret it (19 November 2025, 00:09)

  • Traveling soon? Why this one charger is the only one you’ll ever need to pack (19 November 2025, 00:01)

Networking

  • I used this free tool to see what data the internet has on me – and the results were disturbing

  • Own AirPods? I changed 3 settings on my iPhone to significantly improve the audio experience

  • Linus Torvalds is surprisingly optimistic about vibe coding – except for this one ‘horrible’ use

  • Not enough people are talking about this Garmin competitor that wins in unique ways

  • I’m always looking for deals on kids’ tech – here’s what I’m buying this holiday season

  • The top 10 laptops our readers bought this year (no. 1 surprised us)

  • Struggling to track AI agents? This open-source tool gives you a single source of truth

Data Management & Statistics

  • Method prevents an AI model from being overconfident about wrong answers

  • Groundbreaking poverty alleviation project expands with new Arnold Ventures, J-PAL North America collaboration

  • Roadmap details how to improve exoplanet exploration using the JWST

  • Study: When allocating scarce resources with AI, randomization can improve fairness

  • AI model identifies certain breast tumor stages likely to progress to invasive cancer

  • How to assess a general-purpose AI model’s reliability before it’s deployed

  • Machine learning and the microscope

ABOUT

The QUATIO - web agency di Torino - is currently composed of 28 thematic-vertical online portals, which average about 2.300.000 pages per month per portal, each with an average visit time of 3:12 minutes and with about 2100 total news per day available for our readers of politics, economy, sports, gossip, entertainment, real estate, wellness, technology, ecology, society and much more themes ...

technology-news.space is one of the portals of the network of:

Quatio di CAPASSO ROMANO - Web Agency di Torino
SEDE LEGALE: CORSO PESCHIERA, 211 - 10141 - ( TORINO )
P.IVA IT07957871218 - REA TO-1268614

ALL RIGHTS RESERVED © 2015 - 2025 | Developed by: Quatio
