14.10.21

Microsoft thwarts record‑breaking DDoS attack

The attack, which clocked in at 2.4 Tbps, targeted one Azure customer based in Europe

Amer Owaida

Microsoft has revealed that it thwarted a Distributed Denial-of-Service (DDoS) attack that clocked in at a whopping 2.4 terabytes per second (Tbps). The onslaught, which targeted an Azure customer in Europe, surpasses the previous record holder – a 2.3 Tbps attack that was mitigated by Amazon Web Services (AWS) last year. It also dwarfs the previously largest DDoS attack (1 Tbps) on Azure from 2020.

According to Microsoft, the latest attack originated from some 70,000 sources and from several countries in the Asia-Pacific region, including Malaysia, Vietnam, Taiwan, Japan, and China, as well as from the United States.

“The attack vector was a UDP reflection spanning more than 10 minutes with very short-lived bursts, each ramping up in seconds to terabit volumes. In total, we monitored three main peaks, the first at 2.4 Tbps, the second at 0.55 Tbps, and the third at 1.7 Tbps,” said Senior Program Manager at Azure Networking Amir Dahan in a blog post describing the incident.

“The pace of digital transformation has accelerated significantly during the COVID-19 pandemic, alongside the adoption of cloud services. Bad actors, now more than ever, continuously look for ways to take applications offline,” Dahan added.

Traditional DDoS attacks overwhelm a target with bogus web traffic that comes from a large number of devices that have been corralled into a botnet. The aim of the attack is to take the victim’s servers offline and deny access to their services. If the attackers utilize a reflection amplification attack, they can amplify the volume of malicious traffic while obscuring its sources.
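As an added, defender-side illustration of the reflection pattern described above (this is not code from the article or from Microsoft), the script below flags UDP traffic that arrives from well-known reflector service ports toward a single destination from many sources in the same second; the flow records, addresses and thresholds are constructed.

```python
"""Flag UDP reflection/amplification floods in flow records (added example).

At the victim, a reflected flood looks like UDP traffic *from* a well-known
service port (the reflector answering a spoofed request) toward one
destination, from many distinct sources, at a rate far above baseline.
All records, addresses and thresholds below are constructed.
"""
from collections import defaultdict

# UDP services commonly abused as reflectors, keyed by the source port
# observed at the victim.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 389: "CLDAP",
                   1900: "SSDP", 11211: "memcached"}

# Constructed records: (epoch_second, src_ip, src_port, dst_ip, dst_port, bytes)
FLOWS = [
    # second 1000: four NTP reflectors answer toward one victim at once
    (1000, "198.51.100.1", 123, "203.0.113.10", 40000, 500_000),
    (1000, "198.51.100.2", 123, "203.0.113.10", 40000, 500_000),
    (1000, "198.51.100.3", 123, "203.0.113.10", 40000, 500_000),
    (1000, "198.51.100.4", 123, "203.0.113.10", 40000, 500_000),
    # second 1000: an ordinary DNS answer from one resolver, tiny
    (1000, "192.0.2.53", 53, "203.0.113.10", 51000, 200),
    # second 1001: two DNS sources, too few to pass the default min_srcs
    (1001, "192.0.2.54", 53, "203.0.113.10", 40001, 300_000),
    (1001, "192.0.2.55", 53, "203.0.113.10", 40001, 300_000),
]

def aggregate(flows):
    """Sum bytes and collect distinct sources per (second, dst_ip, src_port)."""
    buckets = defaultdict(lambda: {"bytes": 0, "srcs": set()})
    for ts, src, sport, dst, _dport, nbytes in flows:
        buckets[(ts, dst, sport)]["bytes"] += nbytes
        buckets[(ts, dst, sport)]["srcs"].add(src)
    return buckets

def detect_reflection(flows, min_srcs=3, min_bps=1_000_000):
    """Alert on per-second buckets from a reflector port that exceed both
    the distinct-source and bits-per-second thresholds."""
    alerts = []
    for (ts, dst, sport), b in sorted(aggregate(flows).items()):
        bps = b["bytes"] * 8
        if sport in REFLECTOR_PORTS and len(b["srcs"]) >= min_srcs and bps >= min_bps:
            alerts.append({"second": ts, "victim": dst,
                           "service": REFLECTOR_PORTS[sport],
                           "sources": len(b["srcs"]), "gbps": round(bps / 1e9, 3)})
    return alerts
```

On the constructed records only the NTP burst in second 1000 trips the default thresholds; lowering `min_srcs` to 2 also surfaces the two-source DNS bucket in second 1001.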

Historically, DDoS attacks have been used as a smokescreen for other, even more damaging onslaughts, or as a means to demand massive ransom fees from the targeted companies. While the victims could stand to lose millions of dollars in revenue from the reputational damage combined with the cost of downtime caused by these attacks, there is no guarantee that the attackers would cease their onslaught even if the ransoms are paid.

Ransomware cost US companies almost $21 billion in downtime in 2020

The victims lost an average of nine days to downtime and two-and-a-half months to investigations, an analysis of disclosed attacks shows

Amer Owaida

An analysis of 186 successful ransomware attacks against businesses in the United States in 2020 has shown that the companies lost almost US$21 billion due to attack-induced downtime, according to technology website Comparitech. Compared to 2019, the number of disclosed ransomware attacks skyrocketed – by 245%.

“Our team sifted through several different resources—specialist IT news, data breach reports, and state reporting tools—to collate as much data as possible on ransomware attacks on US businesses. We then applied data from studies on the cost of downtime to estimate a range for the likely cost of ransomware attacks to businesses,” Comparitech said, explaining its approach. However, it did concede that the figures may be merely a scratch on the surface of the ransomware problem.

On average, the affected companies lost nine days to downtime, and it took them about two-and-a-half months to investigate the attacks and their impact on the company’s data and systems. To put this into context, Comparitech estimates that, combined, the ransomware attacks caused 340.5 days of downtime and a whopping 4,414 days of investigation. However, the downtimes varied, ranging from recovery efforts taking several months to minimal disruptions, especially thanks to solid backup plans.

Cybercriminals usually requested ransoms ranging from half a million dollars all the way up to US$21 million. Some attackers also upped the ante by carrying out double-extortion attacks, where they pilfer data from the victims’ systems before going on to encrypt them with ransomware … which would lead to embarrassment and stock devaluation at best, and to huge regulatory penalties at worst. With researchers estimating that the average cost per minute of downtime is US$8,662, and adding in the reputational damage, it’s no wonder some companies are willing to pay the ransoms as a way to fix the problem quickly. Based on this estimate, the cost of downtime to American business was US$20.9 billion. The analysis also found that the ransomware attacks resulted in over 7 million individual records being pilfered and/or abused, an almost 800% increase compared to the previous years.


Additionally, the researchers noted a shift in the targets of ransomware attacks. While previously cybercriminals would target educational institutions and government entities, during 2020 they shifted their focus towards businesses and healthcare organizations. This could be chalked up to the pandemic since many schools and governmental organizations were closed and their systems were down. Meanwhile, healthcare providers had to power through in order to tend to patients, and the pandemic forced a lot of businesses to transition to remote work probably making them easier targets to hack.

What about 2021?

Based on the trends and events of this year, it is little wonder that Comparitech estimates the costs to businesses will rise further. “If the second half of 2021 sees the same number of attacks as the first half (91), 2021’s figures will be in line with 2020’s: over 180 individual ransomware attacks. However, with many attacks often revealed weeks or months after they’ve happened, these figures are likely to rise even higher over the coming months, suggesting 2021 will be a record-breaking year for ransomware attacks on US businesses,” the company warned.

To find out why ransomware remains one of the top threats and how businesses can defend against it, we suggest reading up on our recent white paper, Ransomware: A criminal art of malicious code, pressure and manipulation.

8.10.21

To the moon and hack: Fake SafeMoon app drops malware to spy on you

Cryptocurrencies rise and fall, but one thing stays the same – cybercriminals attempt to cash in on the craze

Martina López

Cybercriminals are trying to capitalize on “the next big thing” in the turbulent cryptocurrency space in an attempt to take remote control of people’s computers and then steal their passwords and money. A campaign spotted recently impersonates the SafeMoon cryptocurrency app and uses a fake update to lure Discord users to a website that distributes a well-known remote access tool (RAT).

SafeMoon is one of the latest altcoins to, well, shoot for the moon. Ever since its inception six months ago, SafeMoon has been highly popular (and duly volatile), with the craze propelled by influencers and numerous enthusiasts on social media. The buzz hasn’t escaped the notice of scammers, as swindles targeting cryptocurrency users – including fraud that namedrops celebrities to give it some extra allure – have been running rampant for years.

Houston, we have a problem

The ruse exploiting SafeMoon’s sudden popularity begins with a message (Figure 1) that scammers have sent to a number of users on Discord, where they pose as the official SafeMoon account on the site to promote a new version of the app.

 

https://www.welivesecurity.com/2021/10/06/moon-hack-fake-safemoon-cryptocurrency-app-drops-malware-spy/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+eset%2Fblog+%28ESET+Blog%3A+We+Live+Security%29

Google to turn on 2FA by default for 150 million users, 2 million YouTubers

Two-factor authentication is a simple way to greatly enhance the security of your account

Amer Owaida

Google has announced that by the end of 2021 it plans to automatically enroll 150 million users into two-step verification (2SV), a security measure also commonly known as two-factor authentication (2FA).

“For years, Google has been at the forefront of innovation in two-step verification (2SV), one of the most reliable ways to prevent unauthorized access to accounts and networks. 2SV is strongest when it combines both “something you know” (like a password) and “something you have” (like your phone or a security key),” the tech titan announced in a blog marking Cybersecurity Awareness Month.

In order to make 2SV as user-friendly as possible, Google allows user devices to double as security keys. It rolled out the feature for Android devices in 2019 before making it also available for iOS users with an update of the Google Smart Lock app in 2020.

In addition, starting from November 1st two million YouTube creators will need to have 2SV turned on in order to access Studio, a move announced on the TeamYouTube Twitter account recently. Let’s recall that YouTube accounts are often hijacked by cybercriminals who use them to peddle all kinds of scams, including fake cryptocurrency giveaways.

https://www.welivesecurity.com/2021/10/06/google-turn-on-2fa-default-150-million-users-2-million-youtubers/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+eset%2Fblog+%28ESET+Blog%3A+We+Live+Security%29

15.9.21

What is a cyberattack surface and how can you reduce it?

Discover the best ways to mitigate your organization’s attack surface in order to maximize cybersecurity

By Phil Muncaster

In almost all coverage of modern breaches you’ll hear mention of the “cyberattack surface” or something similar. It’s central to understanding how attacks work and where organizations are most exposed. During the pandemic the attack surface has grown arguably further and faster than at any point in the past, and this has created its own problems. Unfortunately, organizations are increasingly unable to define the true size and complexion of their attack surface today—leaving their digital and physical assets exposed to threat actors.

Fortunately, by executing a few best practices, these same defenders can also improve their visibility of the attack surface, and with it, gain enhanced understanding of what’s necessary to minimize and manage it.

What is the corporate attack surface?

At a basic level, the attack surface can be defined as the physical and digital assets an organization holds that could be compromised to facilitate a cyber-attack. The end goal of the threat actors behind it could be anything from deploying ransomware and stealing data to conscripting machines into a botnet, downloading banking trojans or installing crypto-mining malware. The bottom line is: the bigger the attack surface, the larger the target the bad guys have to aim at.

Let’s take a look at the two main attack surface categories in more detail:

The digital attack surface

This describes all of an organization’s network-connected hardware, software and related components. These include:

Applications: Vulnerabilities in apps are commonplace, and can offer attackers a useful entry point into critical IT systems and data.

Code: A major risk now that much of it is being compiled from third-party components, which may contain malware or vulnerabilities.

Ports: Attackers are increasingly scanning for open ports and checking whether any services are listening on a specific port (e.g., TCP port 3389 for RDP). If those services are misconfigured or contain bugs, they can be exploited.

Servers: These could be attacked via vulnerability exploits or flooded with traffic in DDoS attacks.

Websites: Another part of the digital attack surface with multiple vectors for attack, including code flaws and misconfiguration. Successful compromise can lead to web defacement, or to implanting malicious code for drive-by and other attacks (e.g., formjacking).

Certificates: Organizations frequently let these expire, allowing attackers to take advantage.

This is far from an exhaustive list. To highlight the sheer scale of the digital attack surface, consider this 2020 research into firms on the FTSE 30 list. 

Full article on www.welivesecurity.com


BladeHawk group: Android espionage against Kurdish ethnic group

ESET researchers have investigated a targeted mobile espionage campaign against the Kurdish ethnic group. This campaign has been active since at least March 2020, distributing (via dedicated Facebook profiles) two Android backdoors known as 888 RAT and SpyNote, disguised as legitimate apps. These profiles appeared to be providing Android news in Kurdish, and news for the Kurds’ supporters. Some of the profiles deliberately spread additional spying apps to Facebook public groups with pro-Kurd content. Data from a download site indicates at least 1,481 downloads from URLs promoted in just a few Facebook posts. The newly discovered Android 888 RAT has been used by the Kasablanka group and by BladeHawk. Both of them used alternative names to refer to the same Android RAT - LodaRAT and Gaza007 respectively.

BladeHawk Android espionage

The espionage activity reported here is directly connected to two publicly disclosed cases published in 2020. QiAnXin Threat Intelligence Center named the group behind these attacks BladeHawk, which we have adopted. Both campaigns were distributed via Facebook, using malware that was built with commercial, automated tools (888 RAT and SpyNote), with all samples of the malware using the same C&C servers.

Distribution

We identified six Facebook profiles as part of this BladeHawk campaign, sharing these Android spying apps. We reported these profiles to Facebook and they have all been taken down. Two of the profiles were aimed at tech users while the other four posed as Kurd supporters. All these profiles were created in 2020 and shortly after creation they started posting these fake apps. These accounts, except for one, have not posted any other content besides Android RATs masquerading as legitimate apps.

These profiles are also responsible for sharing espionage apps to Facebook public groups, most of which were supporters of Masoud Barzani, former President of the Kurdistan Region; an example can be seen in Figure 1. Altogether, the targeted groups have over 11,000 followers.

Read full article on www.welivesecurity.com

7.9.21

Flaw in Quebec’s proof of vaccination: an analysis

ESET researchers explain the details of a flaw discovered in VaxiCode Vérif, the mobile app used to verify Quebec vaccination proofs.

Marc-Etienne M.Léveillé

The Quebec government’s release of mobile apps for storing and verifying the vaccine passport (VaxiCode and VaxiCode Vérif) generated a lot of ink last week. And rightly so: the VaxiCode Vérif app will be used by all merchants of non-essential services from September 1, 2021.

Like many others, I analyzed the contents of the QR code as soon as I received it at my first vaccination last May. Last week, I also analyzed the two apps commissioned by the Quebec government and developed by Akinox.

This blog post explains, from a technical point of view, how the vaccine passport system set up by the Quebec government works, along with the details of the vulnerability we found in the VaxiCode Vérif app, which made it possible to force the app to recognize QR codes not issued by the government as valid. At present, it is impossible to confirm whether this is the same flaw found by “Louis” as reported by Radio-Canada last Friday, since no technical details have yet been published.

We ourselves reported the vulnerability we found to Akinox on Sunday, and we have confirmed that the VaxiCode Vérif 1.0.2 update for iOS published in the last few days fixes the flaw. The Android version of the apps has not yet been analyzed, but VaxiCode and VaxiCode Vérif use the Expo framework, which makes it possible to build iOS and Android apps from the same source code. The apps on both platforms are therefore probably equivalent.

Let’s detail the contents of Quebec’s vaccine passport

Read the rest of the article at:

https://www.welivesecurity.com/2021/08/31/faille-preuve-vaccination-quebec-vaxicode-verif/?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+eset%2Fblog+%28ESET+Blog%3A+We+Live+Security%29