More stories

    100% increase in daily DDoS traffic in 2020 as potential grows for 10 Tbps attack: Nokia

    Nokia Deepfield has discovered a 100% increase in daily DDoS peak traffic between January 2020 and May 2021. Nokia’s IP network and data analytics arm was able to conduct a fingerprint and origin analysis of network traffic through its work with global service providers, webscale companies and digital enterprises. Craig Labovitz, CTO of Nokia Deepfield, unveiled the findings of the global DDoS traffic analysis at NANOG82 this week. The analysis found a massive increase in high-bandwidth, volumetric DDoS attacks, the majority of which originate from just a few dozen hosting companies. Labovitz told ZDNet that conventional wisdom generally says DDoS attacks originate from all over the Internet and that DDoS is impossible to block at the source. “But conventional wisdom is wrong. We can stop the vast majority of DDoS within these 50 companies (e.g. if the hosting companies block bad customers) or by actions taken within the 10-15 internet service providers that connect these hosting companies to the Internet,” he said. Researchers also discovered evidence of DDoS attacks with a threat potential “over 10 Tbps, up to five times higher than the largest reported current attacks.” The largest reported DDoS attack, according to Labovitz, has been about 2 Tbps. Google said in October that in 2017 it dealt with a 2.54 Tbps attack launched by a state-sponsored group from China, the largest reported attack ever.

    The size of attacks was increasing, according to Nokia Deepfield, in part because of a “growing number of open and insecure internet services and IoT devices.” Just six weeks ago, a DDoS attack took down 200 government and university websites across Belgium. Labovitz added that the DDoS growth curve is exponential because of the explosive growth of IoT and cloud, which are both dramatically increasing the number of servers and devices that can be co-opted into DDoS attacks. “The second main point of my presentation today is that the exponential DDoS growth curve represents an existential threat to the Internet. This is due to the expanding number of servers (that can be exploited for launching DDoS) and a large number of IoT devices with sub-standard or default security (therefore, open to hijacking and botnet-control),” Labovitz said. “My take is that it is just sheer luck, bugs in the attacks, etc., on why reported DDoS so far falls significantly below the 10+ Tbps (and perhaps much larger) DDoS potential.” The company also found that over the last 15 months there has been an expansion of DDoS-for-hire services available to attackers looking to cause extensive damage to individual and large-scale connectivity and service availability. Throughout 2020, as communities across the world instituted lockdowns as part of the effort to contain COVID-19, Nokia Deepfield said there was a 50% increase in DDoS traffic. “The continued increases in intensity, frequency and sophistication of DDoS attacks have resulted in a 100% increase in the ‘high watermark level’ of DDoS daily peaks – from 1.5 Tbps (January 2020) to over 3 Tbps (May 2021),” the company said. It is important for every participant in the network security ecosystem — end users, vendors, service providers, cloud builders, regulators and governments — to understand the dangers DDoS poses to the availability of internet content, applications and critical connectivity services, Labovitz added.

    CloudLinux releases UChecker security tool for Linux servers

    Linux is more secure than Windows. We all know that. But that doesn’t mean it has perfect security. Nothing does. CloudLinux is helping to improve Linux’s operational security with the release of UChecker. The company is best-known for its Red Hat Enterprise Linux (RHEL)/CentOS server clone, CloudLinux, and its CentOS fork.

    This newly open-sourced program, part of the company’s TuxCare security services, scans Linux servers for out-of-date libraries both on disk and in memory. Unlike other such tools, it also catches what other scanners would miss (false negatives) by reporting on vulnerable libraries that are already loaded in memory. UChecker, an abbreviation for “userspace checker,” works with all modern Linux server distributions, not just the RHEL family, and is licensed under the GPLv2. It provides detailed, actionable information on which application is using which vulnerable library, along with the relevant process ID and process name. Armed with this information you can see which libraries need to be updated. The program can be integrated with tools like Nagios or other monitoring, logging, and management tools to provide better security defenses for your servers. UChecker got its start at kernelcare.com, whose set of programs provides live patching for Linux kernels and common shared libraries such as Glibc and OpenSSL. The program is available for download under the GNU General Public License. After running UChecker from the shell, you have two options for updating your libraries. First, there’s the old-school way: update your libraries with your packaging system and reboot the servers. Or you can just restart all the processes, since even with UChecker you can’t be sure which processes may still use the outdated libraries.

    Or you can use the TuxCare LibraryCare service’s live patching capability to apply security patches to OpenSSL and Glibc libraries without having to reboot the server. TuxCare services are CloudLinux’s umbrella security and support offering. It includes live patching for critical components of the Linux stack, from the kernel all the way to widely-used shared libraries. It eliminates the need for lengthy and costly service disruptions while servers or services are restarted to install the latest security patches, and no longer requires a disruptive maintenance window. TuxCare LibraryCare, of course, isn’t the only Linux program that enables you to live patch your Linux kernel or other important files. These include Oracle Ksplice; Red Hat and CentOS Kpatch; Canonical Livepatch; and SUSE Kgraft. All of these, however, only work with their vendor’s Linux distro. So, for example, you can’t use Livepatch on RHEL nor Kpatch on Ubuntu. CloudLinux’s programs, however, support CentOS, Red Hat, Oracle, Debian, Ubuntu, and others. You can run this Python/shell program to see if it will work with your favorite Linux. CloudLinux also promises that TuxCare Linux Support Services provides regular patches and updates for all components of enterprise Linux systems, as well as 24/7 incident support, even when systems are past their End-of-Life (EOL). So, if you run a variety of Linux distros and some of them are old, this service is well worth looking into. After all, as Jim Jackson, CloudLinux’s president, said, ordinarily “some patches require reconfigurations and reboots of servers that are difficult to take offline for very long. Time is critical because hackers look to exploit vulnerabilities so it’s always a race for IT teams to apply security patches.” Anything that can help you spot and patch potentially insecure libraries as fast as possible is always a good thing.
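The in-memory check described above can be illustrated with a small script. This is an added example written for this page, not UChecker’s code, and it makes no claim about how UChecker itself works: it relies only on the Linux kernel marking a mapping whose backing file has been replaced or unlinked with a “(deleted)” suffix in /proc/<pid>/maps, which is exactly what happens when a package manager installs a new libssl or glibc while a process is still running the old copy. The sample maps content below is constructed.

```python
"""List processes that still execute a shared library that has been replaced
on disk. Added illustration of the in-memory check discussed above; it is
not UChecker's code and the sample data is constructed."""
import os
import re
import sys
from dataclasses import dataclass

# The kernel appends " (deleted)" to the pathname of a mapping whose backing
# file has been unlinked or replaced since the process mapped it.
DELETED_SUFFIX = " (deleted)"
# Shared objects: libfoo.so, libfoo.so.1, libfoo.so.1.2.3, libc-2.28.so
_SHARED_OBJECT = re.compile(r"\.so(\.\d+)*$")


@dataclass(frozen=True)
class StaleMapping:
    pid: int
    comm: str
    library: str


def stale_libraries_in_maps(maps_text: str) -> list[str]:
    """Distinct shared-object paths in one /proc/<pid>/maps dump whose backing
    file is gone; order of first appearance is preserved."""
    found: list[str] = []
    for line in maps_text.splitlines():
        # Fields: address perms offset dev inode [pathname]; the pathname may
        # contain spaces, so split at most five times.
        parts = line.split(maxsplit=5)
        if len(parts) < 6:
            continue  # anonymous mapping with no pathname
        pathname = parts[5]
        if not pathname.endswith(DELETED_SUFFIX):
            continue
        path = pathname[: -len(DELETED_SUFFIX)]
        if _SHARED_OBJECT.search(path) and path not in found:
            found.append(path)
    return found


def scan_proc(proc_root: str = "/proc") -> list[StaleMapping]:
    """Walk every numeric directory under proc_root and collect stale library
    mappings. Processes we may not read (other users' processes when not
    running as root) are skipped rather than reported as clean or stale."""
    results: list[StaleMapping] = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps"), encoding="utf-8") as fh:
                maps_text = fh.read()
            with open(os.path.join(proc_root, entry, "comm"), encoding="utf-8") as fh:
                comm = fh.read().strip()
        except (FileNotFoundError, PermissionError, ProcessLookupError):
            continue
        for lib in stale_libraries_in_maps(maps_text):
            results.append(StaleMapping(int(entry), comm, lib))
    return results


# Constructed /proc/<pid>/maps excerpt: libc and libssl were replaced on disk
# after this process started, libcrypto was not, and /tmp/scratch.dat is a
# deleted data file rather than a shared object.
SAMPLE_MAPS = """\
55d1c4e00000-55d1c4e21000 r--p 00000000 fd:01 1048601 /usr/sbin/nginx
7f3a1c000000-7f3a1c1c5000 r-xp 00000000 fd:01 1234567 /usr/lib64/libc-2.28.so (deleted)
7f3a1c1c5000-7f3a1c3c4000 ---p 001c5000 fd:01 1234567 /usr/lib64/libc-2.28.so (deleted)
7f3a1c400000-7f3a1c470000 r-xp 00000000 fd:01 2345678 /usr/lib64/libssl.so.1.1 (deleted)
7f3a1c500000-7f3a1c700000 r-xp 00000000 fd:01 3456789 /usr/lib64/libcrypto.so.1.1
7f3a1c800000-7f3a1c801000 rw-p 00000000 00:00 0
7f3a1c900000-7f3a1c910000 rw-s 00000000 fd:01 4567890 /tmp/scratch.dat (deleted)
7ffd2a000000-7ffd2a021000 rw-p 00000000 00:00 0 [stack]
"""


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/proc"
    stale = scan_proc(root) if os.path.isdir(root) else []
    if not stale:
        print("no readable process is running a replaced shared library")
    for m in stale:
        print(f"pid {m.pid} ({m.comm}) still maps {m.library}: restart needed")
```

Run with no arguments on a Linux host (as root, to see every process) and it lists the processes still executing a replaced shared object; those are the ones that need a restart after an update, regardless of what the on-disk package version says. Mapping a library to its package and to known CVEs, which is what a tool like UChecker adds on top, is deliberately left out.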

    Deloitte scoops up digital risk protection company Terbium Labs

    Deloitte has made another acquisition in the cybersecurity space, announcing Tuesday that it has scooped up Baltimore-based digital risk protection company Terbium Labs. The tax and auditing giant said Terbium Labs’ services — which include a digital risk protection platform that aims to help organizations detect and remediate data exposure, theft, or misuse — will join Deloitte’s cyber practice and bolster its Detect & Respond offering suite.

    Terbium Labs’ digital risk platform leverages AI, machine learning, and patented data fingerprinting technologies to identify illicit use of sensitive data online. Deloitte said that adding the Terbium Labs business to its portfolio would enable the company to offer clients another way to continuously monitor for data exposed on the open, deep, or dark web. “Finding sensitive or proprietary data once it leaves an organization’s perimeter can be extremely challenging,” said Kieran Norton, Deloitte Risk & Financial Advisory’s infrastructure solution leader and principal. “Advanced cyber threat intelligence, paired with remediation of data risk exposure requires a balance of advanced technology, keen understanding of regulatory compliance and fine-tuning with an organization’s business needs and risk profile.” Terbium Labs is Deloitte’s third cyber-related acquisition in 2021 as the company aims to bolster its existing cybersecurity offerings that aid clients in threat management and intelligence. Deloitte previously bought cyber threat hunting provider Root9B and cloud security posture management provider CloudQuest. Deloitte stands as one of the largest private companies in the US, selling tax, auditing, consulting, and cybersecurity advisory services to major governments and large Fortune 500 multinationals. The financial terms of the Terbium Labs deal were not disclosed.


    Critical remote code execution flaw in thousands of VMware vCenter servers remains unpatched

    Researchers have warned that thousands of internet-facing VMware vCenter servers still harbor critical vulnerabilities weeks after patches were released.

    The vulnerabilities impact VMware vCenter Server, a centralized management utility. VMware issued patches for two critical bugs, CVE-2021-21985 and CVE-2021-21986, on May 25. The first security flaw, CVE-2021-21985, impacts VMware vCenter Server and VMware Cloud Foundation and has been issued a CVSS score of 9.8. This bug was found in a vSAN plugin, enabled by default in the application, and allows remote code execution (RCE) by attackers who have access to port 443. VMware said in a security advisory that this severe bug can be exploited so threat actors can access “the underlying operating system that hosts vCenter Server” with “unrestricted privileges.” The bug impacts vCenter Server 6.5, 6.7, and 7.0, alongside Cloud Foundation vCenter Server 3.x and 4.x. The second vulnerability, CVE-2021-21986, is present in the vSphere Client (HTML5) and the vSphere authentication mechanism for a variety of plugins: Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability.

    Considered less critical with a CVSS score of 6.5, this flaw still permits attackers with access to port 443 to “perform actions allowed by the impacted plug-ins without authentication.” It appears that thousands of internet-facing servers are still exposed and vulnerable to both CVE-2021-21985 and CVE-2021-21986. On Tuesday, researchers from Trustwave SpiderLabs said an analysis of VMware vCenter servers revealed 5,271 instances available online, the majority of which are running versions 6.7, 6.5, and 7.0, with port 443 the most commonly employed. After using the Shodan search engine for further examination, the team was able to pull data from 4,969 instances, and found that a total of 4,019 instances — or 80.88% — remain unpatched. The remaining 19.12% are likely to be vulnerable, as they are old versions of the software, including versions 2.5x and 4.0x, that are end-of-life and unsupported. At the time the vendor issued the security fixes, VMware said the vulnerabilities demanded the “immediate attention” of users. As previously reported by ZDNet, the patches may break some third-party plugins, and if applying the fixes isn’t possible, server owners are asked to disable the VMware plugins to mitigate the threat of exploitation. It is recommended that these types of critical bugs are tackled, or mitigated, as quickly as possible. Proof-of-concept (PoC) code has been released for CVE-2021-21985. The issue is severe enough that the US Cybersecurity and Infrastructure Security Agency (CISA) has alerted vendors to patch their builds.


    NATO: Series of cyberattacks could be seen as the same threat as an armed attack

    NATO has updated its stance on what cyberattacks mean and what response is warranted. The North Atlantic Treaty Organization (NATO) – the 30-nation military alliance between North America and Europe – issued a new communique at this week’s Brussels summit outlining how it should respond to national security threats. One of them is cyberattacks, as spotted by The Register. 


    The new policy stance follows high-profile attacks on US fuel distribution network Colonial Pipeline – which paid $4 million to ransomware attackers, half of which was later seized by the FBI – and US meat packer JBS, which paid $11 million to ransomware attackers. The tech world is also still reeling from the SolarWinds hack, which compromised the West’s top cybersecurity firms and was attributed to the Russian government. And not so long ago, Russia was blamed for the massive NotPetya ransomware outbreak, while North Korea was blamed for 2017’s WannaCry ransomware attack. In the wake of such attacks, NATO has endorsed its “Comprehensive Cyber Defence Policy”, which will see the alliance treat cyberattacks on a “case-by-case basis” and may consider them the same as an armed attack. “To face this evolving challenge, we have today endorsed NATO’s Comprehensive Cyber Defence Policy, which will support NATO’s three core tasks and overall deterrence and defence posture, and further enhance our resilience,” the communique reads.

    “We reaffirm that a decision as to when a cyber attack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis. Allies recognise that the impact of significant malicious cumulative cyber activities might, in certain circumstances, be considered as amounting to an armed attack.” NATO first updated its policies so that a cyberattack could lead to the invocation of Article 5, the collective defence rule, back in 2014 – as revealed by ZDNet at the time. The NATO alliance committed to “impose costs on those who harm us” if it’s deemed necessary. However, the current policy of Western governments is in reality mostly limited to naming and shaming the country launching state-sponsored hacks. Joe Biden attended his first NATO meeting as US president and is set to meet with Russian president Vladimir Putin on Wednesday. Biden is expected to demand Russia does more to tackle cybercrime within its jurisdiction. The Colonial attack was blamed on a Russia-based ransomware-as-a-service operation. China was also in the spotlight at the NATO summit for its cyber capabilities, disinformation campaigns and expansion of power across the globe. “China’s growing influence and international policies can present challenges that we need to address together as an alliance,” the communique reads. “We will engage China with a view to defending the security interests of the Alliance. We are increasingly confronted by cyber, hybrid, and other asymmetric threats, including disinformation campaigns, and by the malicious use of ever-more sophisticated emerging and disruptive technologies.”

    Microsoft disrupted this large cloud-based business email scam operation

    Business email compromise (BEC) is a huge and profitable scam, but Microsoft has put a dent in one operation by taking down its cloud infrastructure. To counter these scammers, Microsoft has enlisted its Digital Crimes Unit to tackle the infrastructure they use. Just like other businesses, BEC scammers have moved to the cloud to run operations, but Microsoft claims its investigators have disrupted one large BEC group that was using major cloud providers. 

    While ransomware is grabbing headlines, BEC remains the single most expensive cybercrime problem for American business. The FBI recently reported that Americans lost over $4.2 billion to cyber criminals and scammers in 2020. BEC was by far the biggest cause of reported losses, totaling $1.8 billion across 19,369 complaints. In this case, the scammers used cloud-based infrastructure to compromise email accounts through phishing, and then added email-forwarding rules to those accounts, giving the attackers access to emails about financial transactions. The attackers also used several techniques to thwart investigators’ efforts to uncover their activities and infrastructure. “The use of attacker infrastructure hosted in multiple web services allowed the attackers to operate stealthily, characteristic of BEC campaigns. The attackers performed discrete activities for different IPs and timeframes, making it harder for researchers to correlate seemingly disparate activities as a single operation,” Microsoft security researchers explain.

    Microsoft notes that BEC attacks are difficult to detect because they generally don’t pop up on a defender’s alert list and instead blend in with legitimate network traffic. Microsoft is promoting its ability to detect BEC crimes because of its gigantic cloud business across Azure and Microsoft 365, which gives it visibility into email traffic, identities, endpoints, and cloud. “Armed with intelligence on phishing emails, malicious behavior on endpoints, activities in the cloud, and compromised identities, Microsoft researchers connected the dots, gained a view of the end-to-end attack chain, and traced activities back to the infrastructure,” Microsoft said. Microsoft correlated the targeted BEC campaign to a prior phishing attack, which gave the attackers credentials and access to victims’ Office 365 mailboxes. It notes that enabling multi-factor authentication can prevent these phishing attacks. Its researchers found that before the attackers created email-forwarding rules, the email accounts received a phishing email with a voice message lure and an HTML attachment. The emails came from an external cloud provider’s address space. The phishing campaign duped users by creating a false but realistic-looking Microsoft login page with the username already populated, and used a JavaScript script to capture and forward the stolen passwords. The forwarding rules were fairly simple. Basically, if the body of the email contained the words “invoice”, “payment”, or “statement”, the compromised accounts were configured to forward the emails to the attacker’s email address. While the attackers used different cloud infrastructure to conceal their activities, Microsoft found some common elements in the user agents, such as that the forwarding rules were created with Chrome 79, and that they used rules to avoid triggering an MFA notification when logging into a Microsoft account.
    “Credentials checks with user agent ‘BAV2ROPC’, which is likely a code base using legacy protocols like IMAP/POP3, against Exchange Online. This results in an ROPC OAuth flow, which returns an ‘invalid_grant’ in case MFA is enabled, so no MFA notification is sent,” Microsoft notes. As its research uncovered that attackers abused cloud service providers to perpetrate this campaign, Microsoft reported its findings to the cloud security teams for these providers, who suspended the offending accounts, resulting in the takedown of the infrastructure.
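The two indicators Microsoft describes above, keyword-triggered forwarding rules and the BAV2ROPC legacy-authentication user agent, are cheap to hunt for in audit data. The following is an added example written for this page, not Microsoft’s code or tooling. It runs over constructed records whose layout is a simplified stand-in for an Exchange Online inbox-rule audit event and an Azure AD sign-in; the parameter names BodyContainsWords, SubjectOrBodyContainsWords, ForwardTo, ForwardAsAttachmentTo and RedirectTo are those of Exchange’s inbox-rule cmdlets, and the org domain, users and IP addresses are made up. It goes slightly beyond the story by also checking subject-or-body conditions and redirect/attachment forwarding, which reach the same end.

```python
"""Hunt for two BEC indicators in (constructed) audit records: inbox rules
that forward finance-related mail outside the organisation, and sign-ins
using the BAV2ROPC legacy-protocol user agent. Added example, not Microsoft's
code; the record layout is a simplified stand-in for real audit exports."""
from __future__ import annotations

# Words the reported forwarding rules matched on.
FINANCE_KEYWORDS = {"invoice", "payment", "statement"}
# Inbox-rule parameters that copy or redirect a message elsewhere.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Rule conditions that match on message text.
TEXT_CONDITION_PARAMS = ("BodyContainsWords", "SubjectOrBodyContainsWords")
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# User agent Microsoft observed on the legacy (IMAP/POP3-style) credential
# checks that result in an ROPC OAuth flow and raise no MFA prompt.
LEGACY_ROPC_AGENT = "BAV2ROPC"


def is_external(address: str, org_domains: set[str]) -> bool:
    """True if the address is not in one of the organisation's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in org_domains


def suspicious_forwarding_rules(rule_events: list[dict], org_domains: set[str]) -> list[dict]:
    """Rules whose text condition names a finance keyword and whose target
    list includes at least one external address."""
    hits: list[dict] = []
    for ev in rule_events:
        if ev["operation"] not in RULE_OPERATIONS:
            continue
        params = ev["parameters"]
        words = {w.lower() for key in TEXT_CONDITION_PARAMS for w in params.get(key, [])}
        targets = [t for key in FORWARDING_PARAMS for t in params.get(key, [])]
        external = [t for t in targets if is_external(t, org_domains)]
        matched = sorted(words & FINANCE_KEYWORDS)
        if matched and external:
            hits.append({"user": ev["user"], "keywords": matched, "forward_to": external})
    return hits


def legacy_auth_logins(signin_events: list[dict]) -> list[dict]:
    """Sign-ins carrying the BAV2ROPC user agent, successful or not."""
    return [ev for ev in signin_events if ev.get("user_agent") == LEGACY_ROPC_AGENT]


def correlate(rule_events: list[dict], signin_events: list[dict], org_domains: set[str]) -> list[str]:
    """Users showing both indicators: the strongest signal of a compromised mailbox."""
    rule_users = {h["user"] for h in suspicious_forwarding_rules(rule_events, org_domains)}
    legacy_users = {ev["user"] for ev in legacy_auth_logins(signin_events)}
    return sorted(rule_users & legacy_users)


# Constructed sample data (no real tenant, users or addresses).
ORG_DOMAINS = {"contoso.example"}
RULE_EVENTS = [
    {"user": "alice@contoso.example", "operation": "New-InboxRule",
     "parameters": {"Name": "sync", "BodyContainsWords": ["invoice", "Payment"],
                    "ForwardTo": ["finance.updates@mailbox.example"], "MarkAsRead": True}},
    {"user": "bob@contoso.example", "operation": "New-InboxRule",
     "parameters": {"Name": "news", "BodyContainsWords": ["newsletter"],
                    "ForwardTo": ["bob.home@mail.example"]}},
    {"user": "carol@contoso.example", "operation": "Set-InboxRule",
     "parameters": {"Name": "archive", "SubjectOrBodyContainsWords": ["statement"],
                    "RedirectTo": ["carol.archive@contoso.example"]}},
    {"user": "dave@contoso.example", "operation": "Remove-InboxRule",
     "parameters": {"Name": "old"}},
]
SIGNIN_EVENTS = [
    {"user": "alice@contoso.example", "user_agent": "BAV2ROPC", "ip": "203.0.113.10", "result": "Success"},
    {"user": "bob@contoso.example", "user_agent": "Mozilla/5.0 Chrome/79.0", "ip": "198.51.100.5", "result": "Success"},
    {"user": "dave@contoso.example", "user_agent": "BAV2ROPC", "ip": "203.0.113.11", "result": "Failure"},
]


if __name__ == "__main__":
    for hit in suspicious_forwarding_rules(RULE_EVENTS, ORG_DOMAINS):
        print(f"rule: {hit['user']} forwards {hit['keywords']} mail to {hit['forward_to']}")
    for ev in legacy_auth_logins(SIGNIN_EVENTS):
        print(f"legacy auth: {ev['user']} from {ev['ip']} ({ev['result']})")
    print("both indicators:", correlate(RULE_EVENTS, SIGNIN_EVENTS, ORG_DOMAINS))
```

Bob’s rule is ignored because it forwards newsletters rather than finance mail, and Carol’s because it redirects inside the organisation; Alice trips both checks, which is the combination worth escalating first. Failed BAV2ROPC sign-ins are kept deliberately, since the report above notes that the legacy flow fails with invalid_grant when MFA is enabled, so a failure on a protected account is still evidence that a credential was being tried.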

    Western Australia finally thinks about quarantining COVID check-in info from cops

    A year after the coronavirus pandemic kicked off, Western Australia has finally introduced legislation into state parliament that would keep the information used by contact tracers away from the state’s law enforcement authorities. The Protection of Information (Entry Registration Information Relating to COVID-19 and Other Infectious Diseases) Bill covers information obtained through contact registers and the SafeWA check-in app. The state currently lacks protections for such information, with WA Police having used it to investigate “two serious crimes”. “The system was introduced in the middle of the global pandemic and while access to this information was lawful, the WA Government’s intention was for contact registers to only be used for contact tracing purposes,” the government said. “Information collected through the SafeWA app has never been able to be used for commercial purposes. This will remain the case under the new legislation.” At the end of 2020, Western Australia mandated that check-in systems needed to be used. “Existing measures require businesses to confidentially and securely store written contact registers, and ensure recorded details are not easily disclosed to other customers,” the government said.

    “Under the new legislation, businesses and venues will continue to be required to retain hardcopy contact registers for 28 days, unless they are required for longer for contact tracing purposes. After that period has passed, businesses and venues must destroy the records as soon as practicable.” Premier Mark McGowan claimed his government has “always been committed to protecting contact register information”. “This pandemic is a one in 100-year event and during these extraordinary times, we have acted quickly to introduce measures to keep WA safe in a rapidly changing and unpredictable environment,” he said. “We only have to look at previous cases here in WA, and outbreaks in other jurisdictions to see how critical contact registers are in reducing the spread of COVID-19 and the severity of restrictions and lockdowns.” In May 2020, the Commonwealth government agreed to modify its Privacy Amendment (Public Health Contact Information) Bill to ensure that the nation’s law enforcement authorities were unable to access the data stored as part of its COVIDSafe app.

    Pandemic prompts digital ‘boom’ in account creation – as well as password fatigue

    The COVID-19 pandemic has become a catalyst for a “boom” in the growth of online account ownership — but has potentially also undermined consumer security.  

    COVID-19 has caused severe economic and societal disruption, not to mention the impact on both our physical and mental health. Lockdowns, shielding, and stay-at-home orders imposed worldwide forced many of us to turn to online sources for everything from our groceries to banking and entertainment, and this led to what IBM calls a “digital reliance” and the need to create more online accounts than ever before. In a new global study of 22,000 participants, conducted by Morning Consult for IBM, the technology vendor examined the impact of the pandemic on consumer security behaviors. The results are in, and they aren’t good. With so much else going on, little thought seems to have been given to personal security. As we signed up for account after account — with 15 new online accounts created during the main thrust of the pandemic, on average, per person — 82% of those surveyed admitted sometimes reusing the same passwords and credentials. In total, 44% of respondents simply remembered their passwords, whilst 32% jotted their credentials down with pen and paper. 18% of those surveyed said they make use of a password manager, and a further 18% store passwords in the cloud — such as through Notes or Google Docs.

    Billions of new accounts, therefore, are now active across the Internet worldwide — and 44% of respondents said they do not plan to deactivate these new accounts, a trend IBM says will give consumers “an increased digital footprint for years to come, greatly expanding the attack surface for cybercriminals.” In addition, the report found that convenience often outweighs security concerns, perhaps due to how often we hear of data breaches and the knowledge that so much of our personally identifiable information (PII) is already widely available. Over 51% of the millennial age group, for example, would rather risk using an insecure app or website than visit a physical store or make a phone call when ordering products and services.
    Figure (source: IBM): survey prompt “Think about a time when you’re trying to place an order online and it is most convenient to order online. Which of the following statements do you agree with more, even if neither perfectly applies to you?”
    Many online services now require strong passwords and a relatively high level of complexity when users sign up. However, passwords themselves are now not enough for popular platforms, and the moment they are leaked they can be used in tailored phishing campaigns and social engineering attempts — as well as for direct account hijacking. It is recommended that you consider using a password manager that can generate strong passwords on your behalf and monitor for data leaks that have exposed them online, and, for further security, enable two-factor authentication (2FA) or consider a physical key, such as a YubiKey, for an additional layer of protection.