- Github hit by the biggest-ever DDoS attack that peaked at 1.35 Tbps
- Equifax confirmed additional 2.4 Million identities affected by security breach
- CannibalRAT, a RAT entirely written in Python observed in targeted attacks
- European Commission requests IT firms to remove ‘Terror Content’ within an hour
Posted: 02 Mar 2018 11:13 AM PST
On February 28, 2018, the popular GitHub code hosting website was hit by the largest-ever distributed denial of service (DDoS) attack, which peaked at 1.35 Tbps.
On February 28, 2018, the popular GitHub code hosting website was hit by the largest-ever distributed denial of service (DDoS) attack.
The DDoS attack peaked at a record 1.35 Tbps; the attackers abused the memcached protocol to power a so-called memcached DDoS attack.
Memcached is a free and open source, high-performance, distributed memory caching system designed to speed up dynamic web applications by alleviating database load.
Clients communicate with memcached servers via TCP or UDP on port 11211.
Researchers from Cloudflare, Arbor Networks and the security firm Qihoo 360 recently discovered that attackers are abusing memcached for DDoS amplification attacks.
Chinese experts had already warned about the abuse of memcached in DDoS attacks in November.
The abuse of memcached servers in DDoS attacks is quite simple: the attacker sends a request to the targeted server on port 11211, spoofing the IP address of the victim. In a memcached DDoS attack the request sent to the server is only a few bytes long, while the response can be tens of thousands of times bigger, resulting in an amplification attack.
Experts at Cloudflare dubbed this type of attack Memcrashed; according to the researchers, the amplification technique could allow attackers to obtain an amplification factor of 51,200.
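As an added illustration (not code from Cloudflare, Akamai or GitHub), the following Python script shows how a defender on the victim side can recognise memcached reflection in flow records: the tell-tale sign is UDP traffic whose source port is 11211 arriving from many distinct servers at once. The flow records and the alert thresholds are constructed for the example.

```python
from collections import defaultdict

MEMCACHED_PORT = 11211

# Constructed sample flow records (not real traffic), one per line:
# proto src_ip src_port dst_ip dst_port bytes packets
SAMPLE_FLOWS = """\
UDP 203.0.113.10 11211 198.51.100.5 80 1400000 1000
UDP 203.0.113.11 11211 198.51.100.5 443 1200000 900
UDP 203.0.113.12 11211 198.51.100.5 80 1300000 950
UDP 203.0.113.13 11211 198.51.100.5 53 1100000 800
UDP 203.0.113.14 11211 198.51.100.5 80 1250000 920
TCP 192.0.2.7 51000 198.51.100.5 443 4000 30
UDP 192.0.2.8 11211 198.51.100.9 80 1400 1
"""

def parse_flows(text):
    """Turn the whitespace-separated records into dicts; malformed lines are skipped."""
    keys = ("proto", "src_ip", "src_port", "dst_ip", "dst_port", "bytes", "packets")
    flows = []
    for line in text.splitlines():
        p = line.split()
        if len(p) != 7:
            continue
        values = (p[0], p[1], int(p[2]), p[3], int(p[4]), int(p[5]), int(p[6]))
        flows.append(dict(zip(keys, values)))
    return flows

def memcached_reflection_alerts(flows, min_reflectors=3, min_bytes=1_000_000):
    """Reflected memcached traffic reaches the victim as UDP whose *source* port is
    11211, sent by many distinct servers that answered spoofed requests. Group such
    flows by destination and alert when both the reflector count and the volume
    cross the thresholds; the average packet size (large, often fragmented) is reported."""
    per_victim = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if f["proto"] != "UDP" or f["src_port"] != MEMCACHED_PORT:
            continue
        v = per_victim[f["dst_ip"]]
        v["reflectors"].add(f["src_ip"])
        v["bytes"] += f["bytes"]
        v["packets"] += f["packets"]
    return {dst: {"reflectors": len(v["reflectors"]), "bytes": v["bytes"],
                  "avg_packet_bytes": v["bytes"] // v["packets"]}
            for dst, v in per_victim.items()
            if len(v["reflectors"]) >= min_reflectors and v["bytes"] >= min_bytes}

if __name__ == "__main__":
    for victim, info in memcached_reflection_alerts(parse_flows(SAMPLE_FLOWS)).items():
        print(victim, info)
```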
The GitHub website is protected by the anti-DDoS service provided by the firm Akamai, which confirmed the impressive magnitude of the attack that hit its client.
“At 17:28 GMT, February 28th, Akamai experienced a 1.3 Tbps DDoS attack against one of our customers, a software development company, driven by memcached reflection. This attack was the largest attack seen to date by Akamai, more than twice the size of the September, 2016 attacks that announced the Mirai botnet and possibly the largest DDoS attack publicly disclosed.” reads the analysis published by Akamai.
“Because of memcached reflection capabilities, it is highly likely that this record attack will not be the biggest for long.”
According to GitHub, the attack was widespread: it originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints.
“On Wednesday, February 28, 2018 GitHub.com was unavailable from 17:21 to 17:26 UTC and intermittently unavailable from 17:26 to 17:30 UTC due to a distributed denial-of-service (DDoS) attack.” states an advisory post published by GitHub.
“Between 17:21 and 17:30 UTC on February 28th we identified and mitigated a significant volumetric DDoS attack.
The attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints. It was an amplification attack using the memcached-based approach described above that peaked at 1.35Tbps via 126.9 million packets per second.”
GitHub routed its traffic to Akamai's service to mitigate the ongoing DDoS attack.
“Given the increase in inbound transit bandwidth to over 100Gbps in one of our facilities, the decision was made to move traffic to Akamai, who could help provide additional edge network capacity. At 17:26 UTC the command was initiated via our ChatOps tooling to withdraw BGP announcements over transit providers and announce AS36459 exclusively over our links to Akamai.” continues Github.
“Routes reconverged in the next few minutes and access control lists mitigated the attack at their border. Monitoring of transit bandwidth levels and load balancer response codes indicated a full recovery at 17:30 UTC. At 17:34 UTC routes to internet exchanges were withdrawn as a follow-up to shift an additional 40Gbps away from our edge.”
GitHub confirmed that the first portion of the attack peaked at 1.35Tbps, while a second part peaked at 400Gbps after 18:00 UTC.
Github said it plans to expand its edge network and mitigate new attack vectors.
Researchers believe that threat actors in the wild will abuse misconfigured memcached servers in future attacks; unfortunately, many of them are still exposed on the Internet.
Cloudflare recommends disabling UDP support unless it's needed and isolating memcached servers from the Internet. Internet service providers have to fix vulnerable protocols and prevent IP spoofing.
“Internet Service Providers – In order to defeat such attacks in future, we need to fix vulnerable protocols and also IP spoofing. As long as IP spoofing is permissible on the internet, we’ll be in trouble.” concluded Cloudflare.
“Developers – Please please please: Stop using UDP. If you must, please don’t enable it by default. If you do not know what an amplification attack is I hereby forbid you from ever typing
(Security Affairs – memcached DDoS Attacks, Github)
The post Github hit by the biggest-ever DDoS attack that peaked at 1.35 Tbps appeared first on Security Affairs.
Posted: 02 Mar 2018 05:25 AM PST
The results of the forensic investigation on the massive Equifax hack revealed that an additional 2.4 million identities were involved in the security incident.
The massive Equifax hack has made the headlines again: new revelations about the security breach emerged in the last few hours.
The credit bureau company announced this week that it identified an additional 2.4 million American consumers affected by the 2017 hack.
In 2017 Equifax confirmed it had suffered a massive data breach: cyber criminals stole the sensitive personal records of 145 million US citizens and of hundreds of thousands of people in Canada and the UK.
Attackers exploited the CVE-2017-5638 Apache Struts vulnerability. The vulnerability affects the Jakarta Multipart parser upload function in Apache Struts and could be exploited by an attacker by sending a maliciously crafted request to an Apache web server.
The vulnerability had been fixed back in March, but the company did not update its systems; this thesis was also reported by an Apache spokeswoman to the Reuters agency.
Compromised records include names, social security numbers, birth dates, home addresses and credit-score dispute forms, and for some users also credit card numbers and driver's license numbers.
A couple of weeks ago, experts argued that the Equifax hack was worse than previously thought: according to documents provided by Equifax to the US Senate Banking Committee, the attackers also stole taxpayer identification numbers, phone numbers, email addresses, and credit card expiry dates belonging to some Equifax customers.
Now the results of the forensic investigation have revealed that an additional 2.4 million identities were involved in the security incident.
“This is not about newly discovered stolen data,” explained Paulino do Rego Barros, interim chief executive at Equifax.
“It’s about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals.”
The US company still hasn't notified the newly identified consumers because their social security numbers were not exposed in the hack; the hackers only accessed their partial driver's license information.
Equifax announced it would notify the newly identified consumers and offer them identity theft protection and credit file monitoring services.
The company is now facing federal investigations as well as class-action lawsuits over the massive hack.
(Security Affairs – Equifax, hacking)
The post Equifax confirmed additional 2.4 Million identities affected by security breach appeared first on Security Affairs.
Posted: 02 Mar 2018 12:08 AM PST
Security researchers from Cisco Talos discovered a new remote access Trojan (RAT) dubbed CannibalRAT that has been written entirely in Python.
CannibalRAT is being used in highly targeted attacks. The experts explained that even if it isn't very sophisticated, it exhibits signs of code cannibalisation from other open-source projects.
“The RAT itself is not very sophisticated, and exhibits signs of code cannibalisation from other open-source projects, which contrasts with the command-and-control, using fast flux to keep hidden, even if the endpoints are not very diversified.” reads the analysis published by Talos.
The researchers observed at least two variants (versions 3.0 and 4.0) involved in targeted attacks.
The two samples were written in Python and packed into an executable using the popular tool py2exe.
According to the researchers, version 4.0 is a stripped-down version: the vxers removed some features from the main code, but the authors also attempted to add obfuscation techniques in order to avoid detection.
Version 4.0 includes a function that generates random strings in memory in an attempt to make memory string analysis harder.
“The malware main script bytecode is stored in a portable executable (PE) section called PYTHONSCRIPT, while the Python DLL is stored in a section called PYTHON27.DLL. All the remaining modules’ bytecode is compressed and stored in the executable overlay.” continues the analysis.
The first variant of the malware was spotted on Jan. 8; however, Cisco Talos observed a significant increase in CannibalRAT activity after variant 4.0 appeared in the wild on February 5, 2018.
Both variants use a base16 encoding scheme to obfuscate command and control (C&C) hostnames and the data exchanged with the server, and they gain persistence by using the “CurrentVersion\Run” registry key with the service name “Java_Update”.
Once executed, CannibalRAT version 4.0 creates a PDF file with embedded HTML code that loads an image hosted at imgur.com, and launches Chrome to open the PDF.
The two versions share the same C&C servers, but while the variant 3.0 uses standard web requests, the newer version uses a REST-based API.
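The following Python triage helpers are an added example, not Talos code, built around three indicators the analysis describes: the py2exe bundle names PYTHONSCRIPT and PYTHON27.DLL (PE resource names are stored as UTF-16LE), the base16-encoded C&C hostnames, and the Java_Update autorun value under CurrentVersion\Run. The sample strings output, binary bytes and registry export are constructed, and the hostname c2.example.net is a placeholder.

```python
import re

# Bundle names the Talos analysis cites for the py2exe-packed samples.
PY2EXE_MARKERS = ("PYTHONSCRIPT", "PYTHON27.DLL")
RAT_RUN_VALUE = "Java_Update"  # autorun value name the RAT uses under CurrentVersion\Run

HEX_RUN = re.compile(rb"(?:[0-9A-Fa-f]{2}){6,}")
HOSTNAME = re.compile(rb"^[a-z0-9][a-z0-9-]*(\.[a-z0-9][a-z0-9-]*)+$", re.I)
RUN_KEY = re.compile(r"^\[HKEY_(?:LOCAL_MACHINE|CURRENT_USER)\\.*\\CurrentVersion\\Run\]$", re.I)
REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')

def py2exe_markers(data):
    """Heuristic triage: which py2exe bundle names occur in the binary (UTF-16LE or ASCII)."""
    return [m for m in PY2EXE_MARKERS
            if m.encode("utf-16-le") in data or m.encode() in data]

def decode_base16_hostnames(blob):
    """Find even-length hex runs that decode to a plausible hostname, i.e. the
    base16 scheme used to hide the C&C names; returns the decoded strings."""
    found = []
    for m in HEX_RUN.finditer(blob):
        text = bytes.fromhex(m.group().decode())
        if HOSTNAME.match(text):
            found.append(text.decode())
    return found

def suspicious_run_entries(reg_export):
    """Walk a .reg export and return (value name, command) pairs under a
    CurrentVersion\\Run key whose value name is the RAT's persistence name."""
    hits, in_run = [], False
    for line in reg_export.splitlines():
        if line.startswith("["):
            in_run = bool(RUN_KEY.match(line.strip()))
        elif in_run:
            m = REG_VALUE.match(line.strip())
            if m and m.group(1).lower() == RAT_RUN_VALUE.lower():
                hits.append((m.group(1), m.group(2)))
    return hits

# Constructed sample inputs (not real artefacts): strings output, a fake binary, a .reg export.
SAMPLE_STRINGS = b"Java_Update\n63322e6578616d706c652e6e6574\nGET /api/v1\n0123456789abcdef\n"
SAMPLE_BINARY = b"MZ\x90\x00" + "PYTHONSCRIPT".encode("utf-16-le") + b"\x00" * 8 + "PYTHON27.DLL".encode("utf-16-le")
SAMPLE_REG = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"Java_Update"="C:\\Users\\user\\AppData\\Roaming\\java_update.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"Java_Update"="not under Run"
"""
```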
“The command-and-control infrastructure attempts to use the fast flux technique to hide, although the name servers are changing with high frequency, and the end points tend to be the same, all belonging to a telecom provider in Brazil with the autonomous system number AS 7738 and shared among all four command-and-control hostnames.” states Cisco Talos.
CannibalRAT borrows the credential-stealer modules from the Radium-Keylogger, whose source code is published on Github; the experts also noticed that the VM detection feature was copied from a different Github repository.
“The malware's modules have self-explanatory names: runcmd, persistence, download, upload, screenshot, miner, DDoS, driverfind, unzip, ehidden, credentials, file, zip, python, update, and vm.” continues the analysis. “All are present in version 3.0, while version 4.0 lacks the distributed denial of service, miner, Python and update modules, as well as the ability to steal credentials from Firefox (it only works with Chrome).”
Experts noticed that version 4.0 doesn't use modules; instead, all the code is included in the main script. Furthermore.
The Talos team provided details of a campaign involving CannibalRAT that targeted INESAP, a Brazilian school for public administration.
The campaign is highly targeted at this specific geographic region, and the attackers targeted only Chrome users.
“the RAT was hosted at inesapconcurso.webredirect.org and filebin.net, while the second domain is a popular file-sharing platform, the first domain was clearly created as part of the campaign.” continues the analysis.
“The subdomain inesapconcurso is the aggregation of two words; inesap and concurso. The first word is the school name, the second can be translated into competition, this is part of the social engineering of this campaign, as this Institute helps the management the application of workers to public sector vacancies.”
Further information about the malware, including IoCs, is reported in the analysis.
(Security Affairs – Russian hackers, Pyeongchang Olympic Games)
The post CannibalRAT, a RAT entirely written in Python observed in targeted attacks appeared first on Security Affairs.
Posted: 01 Mar 2018 10:07 PM PST
The EU issued new recommendations to tackle illegal content online, asking internet companies to promptly remove terror content from their platforms within an hour of notification.
On Thursday, the EU issued new recommendations asking internet companies to promptly remove “harmful content,” including terror content, from their platforms.
“As a follow-up, the Commission is today recommending a set of operational measures accompanied by the necessary safeguards – to be taken by companies and Member States to further step up this work before it determines whether it will be necessary to propose legislation.” reads the fact sheet published by the European Commission.
“These recommendations apply to all forms of illegal content ranging from terrorist content, incitement to hatred and violence, child sexual abuse material, counterfeit products and copyright infringement.”
It is a call to action for tech firms and social media giants to take down “terrorist content” within an hour of it being reported; the recommendation is directed at major services including YouTube, Facebook, and Twitter.
These platforms are abused daily by terrorist organizations like the Islamic State group. The EU's recommendations follow the demands of the nations participating in the 2017 G7 Summit held in Taormina, Italy, which urged action from internet service providers and social media giants against extremist content online.
The European Commission is teaming up with a group of US internet giants to adopt additional measures to fight web extremism, but at the same time it warned it would consider legislation if the Internet firms do not follow the recommendations.
“While several platforms have been removing more illegal content than ever before — showing that self-regulation can work — we still need to react faster against terrorist propaganda and other illegal content,” said the commission’s vice-president for the Digital Single Market Andrus Ansip.
This content remains “a serious threat to our citizens’ security, safety, and fundamental rights.”
The European Commission recognized the results achieved by internet firms in combating illegal content, but the adversaries are very active and there is still a lot of work to do, with “significant scope for more effective action, particularly on the most urgent issue of terrorist content, which presents serious security risks”.
The European Commission demands that terrorist content be taken down within one hour of being reported by the authorities; it also urges stricter monitoring and proactive action against illegal content.
The EU suggests the adoption of automated detection systems that could help tech firms rapidly identify harmful content and any attempt to re-upload removed illegal content.
The new recommendations also specifically address other types of harmful illegal content, such as hate speech and images of child sexual abuse.
“Illegal content means any information which is not in compliance with EU law or the law of a Member State. This includes terrorist content, child sexual abuse material (Directive on combating sexual abuse of children), illegal hate speech (Framework
According to the commission, internet firms removed 70 percent of illegal content notified to them in the preceding few months.
(Security Affairs – European Commission, terror content)
The post European Commission requests IT firms to remove ‘Terror Content’ within an hour appeared first on Security Affairs.