Today, the OpenSSL project has issued an advisory for two high-severity vulnerabilities, CVE-2021-3449 and CVE-2021-3450, lurking in OpenSSL products.

OpenSSL is a commonly used software library for building networking applications and servers that need to establish secure communications.

These flaws include:

  • CVE-2021-3449: A Denial of Service (DoS) flaw due to NULL pointer dereferencing which only impacts OpenSSL server instances, not the clients.
  • CVE-2021-3450: An improper Certificate Authority (CA) certificate validation vulnerability which impacts both the server and client instances.

DoS vulnerability fixed by a one-liner

The DoS vulnerability (CVE-2021-3449) in the OpenSSL TLS server can crash the server if the client sends a malicious ClientHello message during renegotiation.

“If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack,” states the advisory.

The vulnerability only impacts OpenSSL servers running versions between 1.1.1 and 1.1.1j (both inclusive) that have both TLSv1.2 and renegotiation enabled.

However, because this is the default configuration on these OpenSSL server versions, many of the active servers could be potentially vulnerable. OpenSSL clients are not impacted.

Fortunately, all it took to fix this DoS bug was a one-line change: setting peer_sigalgslen to zero.

Figure: One-line fix for the NULL pointer issue leading to DoS, CVE-2021-3449 (source: GitHub)

The vulnerability was discovered by engineers Peter Kästle and Samuel Sapalski of Nokia, who also offered the fix shown above.
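
What the one-line fix changes, as an added example that is not OpenSSL's code: a reduced C model in which the reset performed for each ClientHello frees the stored signature-algorithm list. Only peer_sigalgslen comes from the page; the struct, the other names, the sample values and the assumption that the unpatched reset left the length untouched are illustrative.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Reduced handshake state; every name except peer_sigalgslen is hypothetical. */
struct hs_state {
    uint16_t *peer_sigalgs;    /* list taken from signature_algorithms */
    size_t    peer_sigalgslen; /* number of entries in that list */
};

/* A ClientHello that carries signature_algorithms stores its list here. */
static int save_sigalgs(struct hs_state *s, const uint16_t *algs, size_t n)
{
    uint16_t *copy = malloc(n * sizeof(*copy));
    if (copy == NULL) return 0;
    memcpy(copy, algs, n * sizeof(*copy));
    free(s->peer_sigalgs);
    s->peer_sigalgs = copy;
    s->peer_sigalgslen = n;
    return 1;
}

/* Reset run for every ClientHello (assumed): list freed, length left stale. */
static void reset_unpatched(struct hs_state *s)
{
    free(s->peer_sigalgs);
    s->peer_sigalgs = NULL;
}

static void reset_patched(struct hs_state *s)
{
    free(s->peer_sigalgs);
    s->peer_sigalgs = NULL;
    s->peer_sigalgslen = 0;    /* the one-line fix */
}

/* 1 if code looping over peer_sigalgslen entries would read through NULL. */
static int would_deref_null(const struct hs_state *s)
{
    return s->peer_sigalgs == NULL && s->peer_sigalgslen != 0;
}

/* Initial hello carries the extension; the renegotiation hello omits it. */
static int renegotiation_breaks_invariant(void (*reset)(struct hs_state *))
{
    static const uint16_t initial[] = { 0x0403, 0x0804, 0x0401 }; /* constructed */
    struct hs_state s = { NULL, 0 };
    reset(&s);                              /* initial ClientHello */
    if (!save_sigalgs(&s, initial, 3)) return -1;
    reset(&s);                              /* renegotiation ClientHello */
    return would_deref_null(&s);            /* list already freed by reset */
}

int main(void)
{
    printf("unpatched: %d\n", renegotiation_breaks_invariant(reset_unpatched));
    printf("patched:   %d\n", renegotiation_breaks_invariant(reset_patched));
    return 0;
}
```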

Non-CA certificates cannot issue certificates!

The Certificate Authority (CA) certificate validation bypass vulnerability, CVE-2021-3450, has to do with the X509_V_FLAG_X509_STRICT flag.

This flag is used by OpenSSL to disallow the use of workarounds for broken certificates and to strictly require that certificates be verified against X509 rules.

However, due to a regression bug, OpenSSL versions 1.1.1h and above (excluding the fixed release 1.1.1k) are impacted by this vulnerability. The flag is not set by default in these versions.

“Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check.”

“An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten,” states the advisory.

In effect, this means affected OpenSSL instances fail to enforce the rule that non-CA certificates must not be the issuers of other certificates, which opens the door for attackers to exploit the gap.
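
The overwritten result the advisory describes, as an added example that is not OpenSSL's code: a reduced C model of a chain check in which the strict curve check reuses the variable holding the CA verdict, next to a corrected ordering. The struct, function names, STRICT constant and sample chain are hypothetical and constructed for illustration.

```c
#include <stdio.h>

#define STRICT 0x1u /* stand-in for X509_V_FLAG_X509_STRICT */

/* Reduced certificate (hypothetical): only what the two checks look at. */
struct cert {
    const char *name;
    int is_ca;              /* marked as a CA certificate */
    int explicit_ec_params; /* explicitly encoded elliptic curve parameters */
};

static int check_ca(const struct cert *c)    { return c->is_ca; }
static int check_curve(const struct cert *c) { return !c->explicit_ec_params; }

/* Regression as the advisory describes it: the strict check's result is
 * stored in the same variable and replaces a failed CA verdict. */
static int issuer_ok_flawed(const struct cert *c, unsigned flags)
{
    int ret = check_ca(c);
    if (flags & STRICT)
        ret = check_curve(c);
    return ret;
}

/* Corrected ordering: the strict check can only add a rejection. */
static int issuer_ok_fixed(const struct cert *c, unsigned flags)
{
    int ret = check_ca(c);
    if (ret && (flags & STRICT))
        ret = check_curve(c);
    return ret;
}

typedef int (*issuer_check)(const struct cert *, unsigned);

/* chain[0] is the leaf; every later entry issued the one before it. */
static int chain_ok(const struct cert *chain, int n, unsigned flags,
                    issuer_check ok)
{
    for (int i = 1; i < n; i++)
        if (!ok(&chain[i], flags))
            return 0;
    return 1;
}

/* Constructed chain: an end-entity certificate used as an issuer. */
static const struct cert bad_chain[] = {
    { "leaf",            0, 0 },
    { "non-CA 'issuer'", 0, 0 },
    { "root CA",         1, 0 },
};

int main(void)
{
    printf("flawed, default: %d\n", chain_ok(bad_chain, 3, 0, issuer_ok_flawed));
    printf("flawed, strict:  %d\n", chain_ok(bad_chain, 3, STRICT, issuer_ok_flawed));
    printf("fixed,  strict:  %d\n", chain_ok(bad_chain, 3, STRICT, issuer_ok_fixed));
    return 0;
}
```

In this model the flawed check rejects the chain by default and accepts it only when the strict flag is set, which is why the stricter mode ends up being the weaker one.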

On March 18th, 2021, Benjamin Kaduk from Akamai reported this flaw to the OpenSSL project.

The vulnerability was discovered by Xiang Ding and others at Akamai, with a fix having been developed by Tomáš Mráz.

Neither vulnerability impacts OpenSSL 1.0.2.

Both vulnerabilities are fixed in OpenSSL 1.1.1k and users are advised to upgrade to this version to protect their instances.

As reported by BleepingComputer, DHS-CISA had urged system administrators in December 2020 to patch another OpenSSL DoS vulnerability.

Users should therefore protect themselves from security flaws like these by applying timely updates.



Reports say a ransomware gang has given Acer until March 28 to pay, or it will double the ransom amount.

The REvil/Sodinokibi ransomware group has reportedly targeted computer manufacturer Acer with a $50 million ransomware attack, and its ransom demand may grow, investigators say.

News of the double-extortion ransomware campaign surfaced late last week, when attackers claimed on their data leak website to have breached Acer, Bleeping Computer reported. At the time, attackers published some reportedly stolen files as evidence of a successful intrusion. The documents included bank balances, financial spreadsheets, and financial communications.

Further investigation by LeMagIT and SearchSecurity revealed a ransom demand of $50 million. The former reports that attackers offered Acer a 20% discount on their initial ransom demand if it was paid by March 17, and the company reportedly offered $10 million. As of March 22, the attackers have given Acer a new payment deadline of March 28 or they’ll double the demand.

When contacted for a comment on the attack, Acer responded with the following statement to ComputerWeekly: “Acer routinely monitors its IT systems, and most cyber attacks are well defenced. Companies like us are constantly under attack, and we have reported recent abnormal situations observed to the relevant law enforcement and data protection authorities in multiple countries.”

REvil is known for its high ransomware demands, notes Ivan Righi, cyber-threat intelligence analyst at Digital Shadows, though it’s unknown if any previous victims have paid up in full.

“The large demand suggests that REvil likely exfiltrated information that is highly confidential, or information that could be used to launch cyberattacks on Acer’s customers,” he says.


REvil ransomware developers say that they made more than $100 million in one year by extorting large businesses across the world from various sectors.

They are driven by profit and want to make $2 billion from their ransomware service, adopting the most lucrative trends in their pursuit of wealth.

Affiliates do the heavy lifting

A REvil representative that uses the aliases “UNKN” and “Unknown” on cybercriminal forums talked to tech blog Russian OSINT, offering some details about the group’s activity and hints of what they have in store for the future.

Like almost all ransomware gangs today, REvil runs a ransomware-as-a-service (RaaS) operation. Per this model, developers supply file-encrypting malware to affiliates, who earn the lion’s share from the money extorted from victims.

With REvil, the developers take 20-30% and the rest of the paid ransom goes to affiliates, who run the attacks, steal data, and detonate the ransomware on corporate networks.

“Most work is done by distributors and ransomware is just a tool, so they think that’s a fair split,” REvil representative, Unknown, told Russian OSINT.

This means that the developers set the ransom amount, run the negotiations, and collect the money that is later split with affiliates.

Long list of victims

The cybercriminal operation has encrypted computers at big-name companies, among them Travelex, Grubman Shire Meiselas & Sacks (GSMLaw), Brown-Forman, SeaChange International, CyrusOne, Artech Information Systems, Albany International Airport, Kenneth Cole, and GEDIA Automotive Group.

Unknown says that REvil affiliates were able to breach the networks of Travelex and GSMLaw in just three minutes by exploiting a vulnerability in Pulse Secure VPN left unpatched for months after the fix became available [1, 2].


REvil’s public-facing representative says that the syndicate has hit the network of a “major gaming company” and will soon announce the attack.

They also say that REvil was responsible for the attack in September against Chile’s public bank, BancoEstado. The incident prompted the bank to close all its branches for a day but did not affect online banking, apps, and ATMs.

Along with managed services providers (MSPs) that have access to networks of multiple organizations, the most profitable targets for REvil are companies in the insurance, legal, and agriculture sectors.

As for initial access, Unknown mentioned brute-force attacks as well as remote desktop protocol (RDP) combined with new vulnerabilities.

One example is the pair of vulnerabilities tracked as CVE-2020-0609 and CVE-2020-0610, known as BlueGate. These allow remote code execution on systems running Windows Server (2012, 2012 R2, 2016, and 2019).

New money-making avenues

REvil initially made its profit from victims paying the ransom to unlock encrypted files. Since the attackers also locked backup servers, victims had few options to recover, and paying was the quickest way.

The ransomware business changed last year when operators saw an opportunity in stealing data from breached networks and started to threaten victims with damaging leaks that could have a much worse impact on the company.

Even if it takes longer and causes a significant setback, large businesses can recover encrypted files from offline backups. Having sensitive data in the public space or sold to interested parties, though, can be synonymous with losing the competitive advantage and reputation damage that is difficult to rebuild.

This method proved to be so lucrative that REvil now makes more money from not publishing stolen data than from decryption ransom.

Unknown says that one in three victims are currently willing to pay the ransom to prevent the leaking of company data. This could be the next step in the ransomware business.

REvil is also considering adopting another tactic designed to increase their odds of getting paid: hitting the victim with distributed denial-of-service (DDoS) attacks to force them to at least (re)start negotiating a payment.

SunCrypt ransomware used this tactic recently on a company that had stopped negotiations. The attackers made it clear that they launched the DDoS attack and terminated it when negotiations resumed. REvil plans to implement this idea.

REvil’s model for making money is working and the gang already has plenty in their coffers. In their search for new affiliates, they deposited $1 million in bitcoins on a Russian-speaking forum.

The move was designed to show that their operation generates plenty of profit. According to Unknown, this step is to recruit new blood to distribute the malware, as the ransomware scene is full to the brim with professional cybercriminals.

Although they have truckloads of money, REvil developers are confined to the borders of the Commonwealth of Independent States (CIS, countries in the former Soviet Union) region.

One reason for this is that attacking a large number of high-profile victims has prompted investigations by law enforcement agencies all over the world. As such, traveling is a risk REvil developers are not willing to take.

REvil built on older code

This ransomware syndicate is also referred to as Sodin or Sodinokibi but the name REvil is inspired by the Resident Evil movie and stands for Ransomware Evil.

Their malware was first spotted in April 2019 and the group started looking for skilled hackers (elite penetration testers) shortly after GandCrab ransomware closed shop.

Unknown says that the group did not create the file-encrypting malware from scratch but bought the source code and developed on top of it to make it more effective.

It uses elliptic curve cryptography (ECC) that has a smaller key size than the RSA-based public-key system, with no compromise on security. Unknown says that this is one reason affiliates choose REvil over other RaaS operations like Maze or LockBit.

Before shutting their business, GandCrab developers said they made $150 million, while the entire operation collected more than $2 billion in ransom payments.

Clearly, the REvil developers’ ambitions are greater.

BleepingComputer was told that Unknown confirmed that the interview (in Russian) was real.


The Federal Bureau of Investigation has released a security notice that specifically warns emergency call centers against a new threat. FBI investigators have noticed that there is a high probability that telephony denial of service (TDoS) attacks are going to flood these centers with the intention of taking them offline. A TDoS attack is quite simple in its execution. Much like how a distributed denial-of-service (DDoS) attack floods a computer server with too many requests from multiple locations, a telephony denial-of-service attack floods a target that uses telephones in the same manner.

The security notice speaks of the threat as follows:

Public Safety Answering Points (PSAPs) are call centers responsible for connecting callers to emergency services, such as police, firefighting, or ambulance services. PSAPs represent key infrastructure that enables emergency responders to identify and respond to critical events affecting the public.

TDoS attacks pose a genuine threat to public safety, especially if used in conjunction with a physical attack, by preventing callers from being able to request service. The public can protect themselves if 911 is unavailable by identifying in advance non-emergency phone numbers and alternate ways to request emergency services in their area.

As for sources and motives of the potential TDoS attacks, the FBI does not single out specific sources. The notice states that hacktivists may use the TDoS to push their agenda, whereas cybercriminals may seek financial gain by holding the emergency call center hostage.

The FBI advises civilians to prepare for 911 outages by following these steps: see if text-to-911 is available in your area; save non-emergency contact numbers for fire, rescue, and law enforcement; sign up for automated emergency notifications from where you live (county, city, etc.) to be kept aware of incidents; and finally, find social media and other websites of emergency services in your area for a potential point of contact.


Cybercriminals had a busy year in 2020, with rapidly increasing numbers of distributed denial of service (DDoS) weapons, widespread botnet activity, and some of the largest DDoS attacks ever recorded. As COVID-19 drove an urgent shift online for everything from education and healthcare, to consumer shopping, to office work, hackers had more targets available than ever, many of them underprotected due to the difficulty of maintaining security best practices in an emergency scenario. At the same time, the ongoing rollout of 5G technologies has accelerated the proliferation of IoT and smart devices around the world, making unsuspecting new recruits available for botnet armies to launch crushing attacks on a massive scale.

In our ongoing tracking of DDoS attacks, DDoS attack methods, and malware activity, A10 Networks has observed a steady increase in the frequency, intensity, and sophistication of these threats, most recently in our State of DDoS Weapons Report for H2 2020, which covers the second half of the past year. During this period, we saw an increase of over 12% in the number of potential DDoS weapons available on the internet, with a total of approximately 12.5 million weapons detected. The good news is that proven methods of protection continue to be effective even as threat levels rise.

So how can organizations defend against this common and highly damaging type of attack?

Botnets drive DDoS attack levels to new heights

While organizations of all sizes fell victim to DDoS last year, two of the world’s largest companies made headlines for suffering unprecedented attacks. In June 2020, Amazon revealed a DDoS attack on its public cloud earlier that year that peaked at 2.3 Tbps, almost twice the size of the previous largest recorded attack. Soon afterwards, Google revealed details of an even larger DDoS attack that peaked at 2.5 Tbps. A10 Networks has also been privately notified of even larger attacks, underscoring the perennial threat and growing impact of this type of cybercrime.

Unlike other types of cyberattacks that depend on concealment, DDoS attacks aim to simply overwhelm an organization’s defenses with a massive flood of service requests delivered from a large number of sources. The distributed nature of the attack makes it especially difficult to repel, as the victim can’t simply block requests from a single illicit source.

In recent years, hackers have evolved their methods and broadened their base of attack by using malware to hijack vulnerable compute nodes such as computers, servers, routers, cameras, and other IoT devices and recruit them as bots. Assembled into botnet armies under the attacker’s control, these weapons make it possible for attacks to be sourced from different locations across the globe to suit the attacker’s needs. In the second half of 2020, the top locations where botnet agents were detected include India, Egypt, and China, which together accounted for approximately three-quarters of the total. Activity sourced from DDoS-enabled bots in India spiked in September 2020, with more than 130,000 unique IP addresses showing behavior associated with the Mirai malware strain. A10’s most recent State of DDoS Weapons Report explores our findings about the largest contributor to this botnet activity, a major cable broadband provider, which accounted for more than 200,000 unique sources of Mirai-like behavior.

Blocking botnet recruiters

The identification of IP addresses associated with DDoS attacks gives organizations a way to defend their systems against questionable activity and potential threats. To protect services, users and customers from impending DDoS attacks, companies should block traffic from possibly compromised IP addresses unless it is essential for the business, or rate-limit it until the issue is resolved. Automated traffic baselining, artificial intelligence (AI), and machine learning (ML) techniques can help security teams recognize and deal with zero-day attacks more quickly by recognizing anomalous behavior compared with historical norms.

Another important step is to make sure that your organization’s own devices are not being recruited as bots. All IoT devices should be updated to the latest version to reduce the risk of infection by malware. To detect any pre-existing infections, monitor for unrecognized outbound connections from these devices, and check whether BitTorrent traffic has ever been seen originating from or destined for these devices, which can be a sign of infection. Outbound connections should be blocked as well. This will prevent the device from making the call required for the installation of malware such as mozi.m or mozi.a as part of the bot recruitment process.

Amplification attacks and how to prevent them

The scope of a DDoS attack can be vastly expanded through amplification, a technique that exploits the connectionless nature of the UDP protocol. The attacker spoofs the victim’s IP address and uses it to send numerous small requests to internet-exposed servers. Servers configured to answer unauthenticated requests, and running applications or protocols with amplification capabilities, will then generate a response many times larger than the size of each request, generating an overwhelming volume of traffic that can devastate the victim’s systems. Capable of leveraging millions of exposed DNS, NTP, SSDP, SNMP, and CLDAP UDP-based services, amplification reflection attacks have resulted in record-breaking volumetric attacks and account for the majority of DDoS attacks.

The SSDP protocol, with more than 2.5 million unique systems, led the list of amplification attack weapons exposed to the internet in 2020. With an amplification factor of over 30x, SSDP is considered one of the most potent DDoS weapons. The most straightforward blanket protection against such attacks is to simply block port 1900 traffic sourced from the internet unless there is a specific use case for SSDP usage across the internet. Blocking SSDP traffic from specific geo-locations where a high level of botnet activity has been detected can also be effective for more surgical protection.

As recent trends make clear, the DDoS threat will only continue to grow as rising online activity across sectors, a rapidly expanding universe of IoT devices, and increasingly sophisticated methods offer new opportunities for cybercriminals. Organizations should take an active approach to defense by closing unnecessary ports, using AI and ML to monitor for signs of compromise or attack, and blocking traffic from IP addresses known to have exhibited illicit behavior.