Weekly CyberTip: Incident Response for DDoS
DDoS attacks are unique cyber threats, and require a focused approach to successfully manage and mitigate. The Canadian Centre for Cyber Security (CCCS) suggests a four-step approach of identify, contain, recover, and review. See their DDoS post for more details, an eight-point mitigation strategy, and other helpful tips to understand and defend against this serious cyber attack vector.
Cloudflare defends against largest DDoS attack in history
In an August 19 blog post, security firm Cloudflare announced that it had faced the largest distributed denial of service (DDoS) attack ever recorded. During the July attack, Cloudflare reported that it was hit with a burst of a staggering 17.2 million HTTP requests per second (rps), about three times larger than any previously recorded attack.
To provide a sense of proportion, Cloudflare says that the number of HTTP requests it received during the attack represented about 68% of the total average number of legitimate rps it served in Q2 of this year.
In all, traffic contributing to the attack originated from 125 different countries around the world. According to a report in SCMagazine, “These new attacks appear to be directed through a massive, 20,000 IoT device botnet, with a disproportionate amount of devices, more than a combined 30 percent, located in Indonesia and Brazil. While the location of hacked devices obviously does not speak to the attacker, it may speak to the type of device or component being hijacked for the botnet.”
Nearly 2000 Microsoft Exchange servers hacked using ProxyShell exploit
A report in BleepingComputer reveals that a set of vulnerabilities in Microsoft Exchange known collectively as ProxyShell is being aggressively exploited. A new ransomware gang called LockFile is targeting unpatched servers; some estimates suggest nearly 2000 servers have been compromised in just a few days.
The attacks escalated after proof-of-concept exploit code was published online on August 6. The LockFile gang appears to have seized on this information, and began scanning for vulnerable systems in mid-August.
ProxyShell comprises a collection of three different security flaws in Microsoft Exchange email servers; patches were published for each of the vulnerabilities in April and May 2021. The vulnerabilities and fixes include:
+ CVE-2021-34473, which provides a pre-authentication path to remote code execution, enabling threat actors to execute code on affected systems without first authenticating. It was patched in April by KB5001779.
+ CVE-2021-34523, which enables threat actors to execute arbitrary code, post-authentication, on Microsoft Exchange servers due to a flaw in the PowerShell service not properly validating access tokens. It was also patched in April by KB5001779.
+ CVE-2021-31207, which enables threat actors to execute arbitrary code in the context of SYSTEM and write arbitrary files. It was patched in May by KB5003435.
A scan performed on August 8 – two days after the ProxyShell proof-of-concept code was published – found over 30,000 Exchange servers were unpatched and vulnerable to attacks targeting ProxyShell bugs.
If your system has not been patched, it is essential that you take steps to protect it against ProxyShell exploits. The individual vulnerabilities may be patched as outlined above, or a cumulative service pack may be applied to address all of the fixes.
Australian COVID-19 vaccination certificates easily hackable
News outlet ABC in Australia reports that the new COVID-19 digital vaccination certificate system used by the federal government is susceptible to fraud. In fact, Richard Nelson, a Sydney-area software developer, believes that he can create a near-perfect copy of the certificate in about ten minutes, using free software easily found online.
Launched in June 2021, the digital system was intended to provide a reliable way to prove coronavirus vaccination, but has already faced multiple security criticisms. In early August, an Australian senator successfully created a fake PDF simulating the certificate, using a few basic graphics tools and an exported copy of the digital certificate.
Nelson has reported the issues in detail to the government, but has not received a response as yet.
“I don’t think it’s a good idea to get it out there among the anti-vax crowd,” he said. “People who don’t have a valid certificate can fairly easily present one — the implications of that are left up to the imagination.”
Australia has seen rising COVID-19 case numbers in recent weeks, and has struggled to roll out vaccines countrywide, with only 42.4% of the population with at least one dose, and just 23.9% with two doses as of August 21, according to ourworldindata.org.
Japanese crypto-exchange Liquid hacked for $94 million
Security news outlet The Record reports that Japanese crypto-exchange Liquid was hacked for $94 million (all figures USD) on August 19. The theft occurred just days after the Poly Network security breach, which saw $611M stolen. The Poly Network funds were eventually returned; however, the news is not as good for Liquid. The thieves who hacked into the system have already started converting the stolen funds into “Ether” using decentralized crypto exchanges. “This enables the hacker to avoid having these assets frozen – as is possible with many Ethereum tokens.”
The company’s Japanese language blog indicates that “the MPC [Multi-Party Computation] wallet (used for warehousing / delivery management of cryptographic assets) used by our Singapore subsidiary QUOINE PTE was damaged by hacking.” The hackers reportedly took control over Liquid’s “warm wallets”, which are cryptocurrency accounts where Liquid and other exchange platforms keep funds for daily transactions.