DDoS attacks and Botnets

Mirai variant turns IoT devices into proxy servers

Fortinet has identified a variant botnet of Mirai, the famous botnet responsible for attacks to DynDNS and KrebsOnSecurity, in addition to DDoS attacks turns infected IoT devices into proxy servers.
The botnet, called Mirai OMG, installs a malware on the victim systems that generates two random ports, adds the appropriate firewall rules, then installs 3proxy, a minimal proxy server.
Fortinet has not detected botnet attacks, analyzed in a quiescent state, and the authors are supposed to sell access to IoT proxy servers.

DDoS attacks exploit malconfigured memcached servers

memcached servers are exposed to a vulnerability of UDP protocol support that makes them perfect for hackers to launch record-breaking DDoS attacks.
GitHub recorded a 1.35Tbps DDoS attack and 126.9 million packets per second which made the service inaccessible for about 10 minutes on February 28th.
A few days later, Arbor Networks detected an even larger attack, 1.7Tbps, addressed to an unidentified American provider.
Both attacks were possible by exploiting a vulnerability of memcached.

Hijame-variant botnet scans for MikroTik devices

Netlab 360 researchers have identified a possible scan activity performed by a variant of the Hijame botnet aimed at routers and MikroTik network devices, a prelude to a possible attack that exploits vulnerable devices found.
The botnet scans available devices on the network and in particular looks for port 8921; if this is open, additional ports are probed and the "Chimay Red" vulnerability that allows remote code execution is exploited.

As a prevention, MikroTik recommends users to block requests on port 8921 and to upgrade RouterOS to version 6.41.3.

The Encapsula report on DDoS attacks in Q4 2017 is now available

Incapsula has published an interesting report about DDoS attacks recorded in the fourth quarter of 2017.
Among the most significant results, we point out a drop in attacks aimed at the network level, while those at the application level have doubled; the USA is not, as you might think, the most targeted country (27%), but Hong Kong (33%) is, with the APAC area affected by almost 70% of total attacks; the internet providers sector (58%) is the most targeted, followed by betting and gambling (24%) and IT & software; about 68% of victims suffer repeated attacks.

Ransomware

AVCrypt first uninstalls antivirus, then encrypts files

MalwareHunter team researchers have identified a ransomware, called AVCrypt, that before encrypting files, it uninstalls the antivirus of the operating system.
AVCrypt uses commands that stop the services needed by Windows Defender and Malwarebytes, two of the most common AV solutions, to work; then using Windows Security Center uses WMIC tries to uninstall the antivirus on your computer.
Finally, it encrypts data without any AV to stop it.

New decryption tools are available

Despite every month the list of ransomware grows, fortunately some researchers and volunteers bless us with decryption tools: if you happen to get hit by a ransomware and don’t have a backup, then don’t despair and store encrypted files somewhere, as a decryption tool might be available sooner or later.
Relentless researcher Michael Gillespie released a tool for TearDr0p, a tool for Pendor and another one for WhiteRose (which can also be decrypted with Dr.Web’s service), Jakub Kroustek discovered that RaruCrypt can be decrypted easily, NioGuard Security Labs’ Alexander Adamov created a tool for MoneroPay, BitDefender released a tool for GandCrab, South-Korean AhnLab released a tool for Magniber (however the website is available in Korean only, so you need an online translation tool), the “File Decrypters” blog released a tool for BansomQare Manna (and other for Annabelle, Cryakl, GandCab and others).
MalwareBytes discovered how to break the LockCrypt encryption scheme, which is a ransomware that is installed manually by exploiting insecure RDP connections.

MalwareHunter Team’s Ransomware ID service identifies which ransomware encrypted your files, then head to the dedicated NoMoreRansom page and look for an encryption tool: most of them are listed here. The NoMoreRansom Project is the point of reference.

Vulnerabilities

UDP vulnerability exposes memcached to DDoS attacks

Cloudflare has detected several attacks originating from memcached installations, from UDP port 11211. Memcached is a server-side cache system used by web servers to improve performance.
The attacks are of the "amplification" type; the general idea is that an attacker sends crafted requests to a UDP server which, not knowing that the request is false, promptly prepares the answer. A victim host is overwhelmed by traffic when he receives an unmanageable amount of those responses.
Memcached supports and enables UDP by default; Cloudflare noted that a 15 byte request can result in a 750KB response, with a multiplicative factor of 51,200. Unfortunately, UDP is not supported securely, and port 11211 is directly reachable from abroad if the server is not protected by a firewall.
Version 1.5.6 disables the UDP protocol by default.

Malware is distributed via YouTube

Dr.Web discovered that a malware distributed via videos on YouTube.
The malware is a Trojan written in Python, called Trojan.PWS.Stealer.23012, which intercepts cookies and passwords saved in different browsers including Opera and Chrome and copies the files on the desktop and then send them to the C&C servers.
The infection starts when the user clicks a link posted in video comments, especially videos about video game tricks. The link refers to fake tools that are actually self-extracting archives that place the trojan on the victim's computer.

A backdoor in macOS has been identified

Trend Micro announces the discovery of a backdoor in macOS, the operating system of Apple computers.
The backdoor, called OSX_OCEANLOTUS.D, is thought to be spread by OceanLotus, a group of Vietnamese hackers and responsible for attacks on non-profit companies, media and research institutes.
OSX_OCEANLOTUS.D affects macOS systems with the Perl programming language installed; the backdoor is distributed through a Word document distributed via email and activated when enabling a macro.
The threat is limited to the users of Vietnam (the email refers to the registration at an event organized by the Vietnamese HMDC association), yet it clearly shows that even MacOS is an operating system that can be exploited by hackers and therefore not free from risks.

Java and SSH bugs exposes Cisco devices

Cisco has recently released updates for two bugs related to Java and SSH that can expose its devices.
The first one is about Java and is found in Cisco Secure Access Control System (ACS) prior to version 5.8 patch 9; it allows an unauthenticated remote user to execute code with root permissions on the device. This is due to an incorrect deserialization of the Java code of user input.
The second is about SSH and is present in the Cisco Prime Collaboration Provisioning software (PCP) version 11.6; it allows logging through hard-coded credentials as a regular user, that can be then elevated to root.
Both vulnerabilities have been solved with ACS and PCP updates.

Cacti vulnerability exposes Linux servers

TrendMicro researchers identified a vulnerability in Cacti's WeatherMap plugin, an open source network monitoring solution. This plugin allows you to create a graphical map view the elements of the network
CVE-2013-2618 is used to install the XMRig Miner (MXR is a crypto-currency) miner in infected Linux systems with the XSS vulnerability that allows the injection of code using the map_title parameter.
There are currently no updates for the plugin.

News from the vendors

Office 365 adds anti-ransomware features

Office 365 introduces several features to fightransomware. File Restore by OneDrive allows the restore of previous versions of files up to 30 days before; the function is also useful in case of corruption, accidental (or voluntary) deletion or other events that make the current version of the file unusable. Ransomware detection & recovery intercepts ransomware attacks and alerts users via email, also providing instructions to use the File Restore function. Other features include file sharing with passwords, email encryption, copy prevention and forwarding of encrypted emails and links check in Word, Excel and PowerPoint, and links and attachments in Outlook.

Starting next July, Chrome will mark HTTP sites as unsafe

As previously announced, Chrome 68, whose release is scheduled for July, will mark HTTP sites as unsafe, so all those who have a website will have to adapt for that date with the adoption of an SSL certificate, if they do not want to incur the penalization of Google.

The adoption of SSL certificates is quite satisfactory: 81 of the top 100 sites are on HTTPS, as well as 78% of Chrome traffic on Chrome OS and macOS and 68% of Chrome traffic on Android and Windows.

Symantec certificates will no longer be recognized by Chrome from April

The next version of Chrome, 66 (scheduled for April), will not support SSL certificates released by Symantec before June 1, 2016, a decision taken following the September incident in which the CA was discovered released over the years of 30 thousand invalid certificates. Symantec has therefore sold its PKI structure.

New features in Chrome 65

Google released Chrome 65, the new version of its browser.
The most important news is the blocking of "tab under" redirects, ie those that occur on the old page when a link to a new page opens from it, as it often happens with malvertising strategies.
New APIs are also introduced and 45 vulnerabilities have been corrected, including 9 high-level ones.

New features in Firefox 59

The new version of Mozilla's browser is now available.
Firefox 59 introduces some news as performance improvements (homepage loading time, loading from network or disk cache, support to OTMP for graphic rendering on macOS operating system), drag & drop in the "customizer" that allows to customize the browser graphics, new functions for the screenshot capture tool (annotations and cropping), WebExtensions API and Real-Time Communications (RTC) functions improved and more.
Several vulnerabilities have also been resolved, including a critical one.

VirusTotal launches Droidy, an Android sandbox

VirusTotal, the service that allows you to scan suspicious files via multiple virus scanning engines, announces Droidy.
Droidy is a sandbox that simulates a specific Android environment to analyze the behavior of Android apps and provide reports for users and researchers. The function is already live on the site and allows you to add the results (including: network and SMS activity, filesystem activity, SQLite database usage, service activities, permissions control, cryptographic activity and others) of this behavioral analysis technique to the “classic” analysis of uploaded files. A similar sandbox is available for macOS.

Firefox tests DNS-over-HTTPS

Mozilla announced that the Nightly version of Firefox experiments the DNS-over-HTTPS protocol (DoH).
The protocol, currently in draft phase, basically allows to perform DNS queries in an encrypted way; in fact, today the web addresses are resolved in IP addresses without any form of encryption, similar to the clear communication via HTTP. DoH, which is being tested by Google, Cloudflare and Mozilla, resolves this problem by encrypting DNS queries.
In Firefox 60 (beta) and Nightly you can enable DoH, enter the address of a server that supports DoH (such as Google DNS or Cloudflare) and test the function.

Firefox too will soon have anti-ads tool

In the wake of Chrome and Opera, which already have dedicated tools, Firefox will also have a tool to block invasive ads (ads). The function is scheduled for the third quarter of 2018, as stated in the roadmap.

Let's Encrypt introduces free SSL wildcard certificates

Let's Encrypt now supports SSL Wildcard certificates, which can be associated with multiple subdomains of the same domain. This is made possible by the release of the ACME (Automated Certificate Management Environment) client v2 that generates and manages certificates. The release is based on the DNS-01 challenge, which consists in proving the possession of the domain by modifying a certain DNS record of TXT type according to specific instructions.

In the first 48 more than 10,000 certificates were issued, a tweet celebrates.

Microsoft Patch Tuesday

As every second tuesday of the month, Microsoft released the cumulative package of systems updates for Windows OS that is known as Patch Tuesday.
It’s installed automatically if automatic updates are enabled, otherwise it’s available with Windows Update.
This month features several updates, including ones related to Internet Explorer e Microsoft Edge, Microsoft Windows, Microsoft Office, Microsoft Office Services and Web Apps, SQL Server, ChakraCore, .NET Framework and .NET Core, ASP.NET Core and Adobe Flash. Vulnerabilities have not been exploited.
This GFI blog post recaps the updates container in Patch Tuesday.
You can also download single updates and find further information in the Security Update Guide.

banner eng

fb icon evo twitter icon evo

Word of the Day

In the field of Information Technology, the term piggybacking refers to situations where an unauthorized third party gains access to...

>

The acronym GDPR indicates the new General Data Protection Regulation, which will come into force on 25 May 2018. This...

>

The acronym DPO (Data Protection Officer) indicates the person or persons who, within the company context, are responsible for the...

>

InfiniBand is an input / output architecture for the transmission of data between high performance systems composed of CPUs, processors...

>

A Zero Day Exploit describes a situation in which specific and unknown vulnerabilities are disclosed to the public simultaneously with...

>
Read also the others...

Download of the Day

Netcat

Netcat is a command line tool that can be used in both Linux and Windows environments, capable of...

>

Fiddler

Fiddler is a proxy server that can run locally to allow application debugging and control of data in...

>

Adapter Watch

Adapter Watch is a tool that shows a complete and detailed report about network cards. Download it here.

>

DNS DataView

DNS DataView is a graphical-interface software to perform DNS lookup queries from your PC using system-defined DNS, or...

>

SolarWinds Traceroute NG

SolarWinds Traceroute NG is a command line tool to perform advanced traceroute in Windows environment, compared to the...

>
All Download...

Issues Archive

  • GURU advisor: issue 18 - April 2018

    GURU advisor: issue 18 - April 2018

  • GURU advisor: issue 17 - January 2018

    GURU advisor: issue 17 - January 2018

  • GURU advisor: issue 16 - october 2017

    GURU advisor: issue 16 - october 2017

  • GURU advisor: issue 15 - July 2017

    GURU advisor: issue 15 - July 2017

  • GURU advisor: issue 14 - May 2017

    GURU advisor: issue 14 - May 2017

  • GURU advisor: issue 13 - March 2017

    GURU advisor: issue 13 - March 2017

  • GURU advisor: issue 12 -  January 2017

    GURU advisor: issue 12 - January 2017

  • GURU advisor: issue 11 -  October 2016

    GURU advisor: issue 11 - October 2016

  • 1
  • 2
  • 3
  • BYOD: your devices for your firm

    The quick evolution of informatics and technologies, together with the crisis that mined financial mines, has brought to a tendency inversion: users that prefer to work with their own devices as they’re often more advanced and modern than those the companies would provide. Read More
  • A switch for datacenters: Quanta LB4M

    You don’t always have to invest thousands of euros to build an enterprise-level networking: here’s our test of the Quanta LB4M switch Read More
  • Mobile World Congress in Barcelona

    GURU advisor will be at the Mobile World Congress in Barcelona from February 22nd to 25th 2016!

    MWC is one of the biggest conventions about the worldwide mobile market, we'll be present for the whole event and we'll keep you posted with news and previews from the congress.

    Read More
  • 1