DoS Attacks Archive

Researcher exploits design flaws in Web caching to take control of popular websites, frameworks – and the Mozilla Firefox browser infrastructure.

A newly discovered attack forces Web cache servers to deliver malicious content to website visitors – and also exposes a major security hole in Mozilla’s Firefox browser infrastructure.

James Kettle, head of research at PortSwigger Web Security, exploited security weaknesses in the design of website infrastructure to hack the Web caches of major sites and platforms: a US government agency, a popular cloud platform provider, a hosting platform provider, a software product, a video game, an investment firm’s investor information, and some online stores.

“It’s sort of a design flaw in the way caching and websites work,” Kettle says of the security issues. “It’s not specific to any given technology or any given cache.”

In his research, Kettle also stumbled on a flaw in an API used in Firefox’s infrastructure that allowed him to take partial control of tens of millions of browsers using his cache-attack method. “I call it a low-fat botnet because I didn’t have complete control over Firefox, but I had a bit of control,” he says.

Kettle is holding back much of the secret sauce of the Web-caching hack as well as his Web targets until his Black Hat USA talk in August. But he does say that with his attack, he can force a cache into behaving in an unsavory way without directly targeting it.

It basically works like this: Kettle sends a request to the website with his payload. “The website then replies with something potentially dangerous … and the cache takes that, so then anyone who visits after that gets hit by the exploit,” he says.

Web caches sit in front of websites and serve up stored content rather than all of the delivery coming via the live website. Kettle says the complexity of those caches and content-delivery networks built around many of today’s Web applications can actually leave them open to abuse.

Previous research in Web cache security has encompassed injecting headers, or tricking the cache into saving and sharing sensitive data, Kettle says. His attack differs because it forces the cache to serve up exploits to website visitors, he notes.

An attacker could use it to plant malware that steals passwords or payment-card information from a website when visitors came to the site. The attack could also be employed to deface a website or redirect a visitor to a malicious site.
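To make the design flaw concrete, here is a small simulation (added here; not code from the article or from PortSwigger's tooling) of a cache whose key omits a request field that the origin reads, next to the two defensive fixes: keying on every input the origin uses, and having the origin validate that input. The origin, the `x-asset-host` header and all host names are constructed for the illustration.

```python
"""Simulated Web cache showing the design flaw the article describes: the
cache keys responses on some request fields, but the origin builds its
response from a field outside the key, so one visitor's request decides what
every later visitor receives.  Added illustration; origin, header and hosts
are constructed and not taken from the research."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

Request = Dict[str, str]  # e.g. {"path": "/", "x-asset-host": "cdn.example.test"}
ALLOWED_ASSET_HOSTS = {"cdn.example.test"}  # constructed allowlist


def reflecting_origin(req: Request) -> str:
    """Origin that trusts a request header when building the page (weak)."""
    host = req.get("x-asset-host", "cdn.example.test")
    return f'<script src="https://{host}/app.js"></script>'


def validating_origin(req: Request) -> str:
    """Origin that only uses the header if it names an approved host."""
    host = req.get("x-asset-host", "cdn.example.test")
    if host not in ALLOWED_ASSET_HOSTS:
        host = "cdn.example.test"
    return f'<script src="https://{host}/app.js"></script>'


@dataclass
class Cache:
    origin: Callable[[Request], str]
    keyed: Tuple[str, ...]                       # fields that form the cache key
    store: Dict[Tuple[str, ...], str] = field(default_factory=dict)

    def fetch(self, req: Request) -> str:
        key = tuple(req.get(f, "") for f in self.keyed)
        if key not in self.store:                # miss: ask the origin once
            self.store[key] = self.origin(req)
        return self.store[key]                   # hit: everyone gets this copy


def second_visitor_sees(cache: Cache, tainted_host: str) -> str:
    """First request carries the unexpected header; second is an ordinary visitor."""
    cache.fetch({"path": "/", "x-asset-host": tainted_host})
    return cache.fetch({"path": "/"})


def is_poisoned(cache: Cache, tainted_host: str = "untrusted.example.test") -> bool:
    return tainted_host in second_visitor_sees(cache, tainted_host)


# Weak: key is the path only, yet the response depends on an unkeyed header.
WEAK = Cache(reflecting_origin, keyed=("path",))
# Mitigation 1: the key covers every input the origin reads (what Vary does).
KEYED = Cache(reflecting_origin, keyed=("path", "x-asset-host"))
# Mitigation 2: the origin never lets an unvalidated input shape the response.
VALIDATED = Cache(validating_origin, keyed=("path",))

if __name__ == "__main__":
    for name, c in (("weak", WEAK), ("keyed", KEYED), ("validated", VALIDATED)):
        print(f"{name}: poisoned={is_poisoned(c)}")
```

Keying on a client-controlled header stops the sharing but lets a client fill the cache with variants, so the origin-side validation is the fix to prefer.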

Firefox Botnet
With Firefox, Kettle employed his cache-poisoning attack against the infrastructure behind the browser that checks for and sends application and plug-in updates as well as URLs of dangerous websites to block, for example. “I found by accident … that I was able to use cache poisoning to effectively input” some limited commands to Firefox browser users worldwide, he says. “If you opened Firefox, I got control of it.”

Mozilla fixed the flaw within 24 hours of his reporting it, in a Jan. 25 update.

When Firefox starts up, it sends a request to the Mozilla infrastructure for updates and other information. “By using cache poisoning, I could control the response to that message,” Kettle says. That could allow an attacker to install certain extensions and corral Firefox browsers into a botnet to wage distributed denial-of-service (DDoS) attacks, for example.

Kettle says abusing the Firefox flaw alone would be less useful to an attacker than chaining an attack with another exploit and gaining full control of the browsers.

As of this posting, Mozilla had not responded to a request for comment on Kettle’s research.

At Black Hat Kettle plans to release the open-source utility he created for his research, an adapted Burp Suite tool that scans Web infrastructures for cache-poisoning weaknesses, he says.

Source: https://www.darkreading.com/vulnerabilities—threats/new-hack-weaponizes-the-web-cache/d/d-id/1332027


An Akron man is facing federal charges after he was arrested Thursday morning for allegedly hacking the city of Akron and Akron Police Department websites last year.

According to an FBI spokesperson, 32-year-old James Robinson was charged with knowingly causing the transmission of a program, information, code and command, and intentionally causing damage to a protected computer.

Authorities say Robinson carried out the cyber attacks on Aug. 1, 2017. The distributed denial of service (DDoS) attack overwhelmed both websites and took them down for a period of time.

On the day of the attack, a Twitter user named @AkronPhoenix420 tweeted a link to a YouTube video claiming credit for taking the websites out of service. The tweets included the hashtags #Anonymous and #TangoDown, authorities said.

The video showed a person in a Guy Fawkes mask and the statements “it’s time to teach the law a lesson,” and “Akron PD abuses the law.” The video also stated, “this week the city of Akron experienced system failures on multiple domains including their emergency TCP ports.”

Evidence linked the attack’s point of origin to an internet connection registered to Robinson. Additional evidence showed his phone was associated with the @AkronPhoenix420 Twitter account, police said.

The same Twitter account also claimed responsibility for numerous other DDoS attacks targeted at the Ohio Department of Public Safety, Department of Defense, and others. Police said the characteristics of those attacks had similarities with the one carried out in Akron.

Police executed a search warrant on Robinson’s home on May 9. Inside, they found a Guy Fawkes mask and a cell phone with a cracked screen that was seen in the video. Authorities said Robinson told them he was responsible for the Akron cyber attack as well as the DDoS attacks against the Department of Defense.

Source: https://www.news5cleveland.com/news/local-news/akron-canton-news/man-charged-in-federal-court-for-ddos-attack-on-akron-police-department

A crowdfunding initiative run by Together for Yes has suffered a DDoS attack.

The digital campaigning element of the imminent referendum in Ireland has seen a massive amount of change in a relatively short time.

Only this week did Facebook and Google place curtailments on digital advertising around the referendum, as Google banned all online ads relating to the Eighth Amendment from its platforms, while Facebook restricted advertising to registered Irish organisations and groups. As the online advertisements mention abortion, they would be restricted by Twitter’s existing ad policies.

Crowdfunding site hit

In another twist, a crowdfunding website for the national civil society group campaigning for a Yes vote was hit by a DDoS attack yesterday evening (9 May). The website, hosted by CauseVox, experienced a DDoS attack from within Ireland. It momentarily disrupted service and brought down CauseVox’s security infrastructure. The attack took place at 5.45pm, which would ordinarily have been a peak time for donations, and the website shut down for 30 minutes.

CauseVox also hosts crowdfunding pages for Amnesty International Ireland and Terminations for Medical Reasons – both groups that are campaigning for a Yes vote later in the month. Amnesty Ireland director Colm O’Gorman confirmed its website was down for approximately 45 minutes.

Sarah Monaghan, Together for Yes spokesperson, said: “We are continuing to investigate this extremely serious incident and are actively consulting security experts in the field to help identify the specific source of the attack, and have made a report to Gardaí.

“Together for Yes is a national grassroots movement which relies on small donations from large numbers of people. Our crowdfund initiative is a core element of the manner in which we resource our campaign and therefore we would take extremely seriously any attempt to undermine it.”

A spokesperson for Amnesty International explained the issue further to Siliconrepublic.com: “We were informed by CauseVox, the hosting platform, that there was a DDOS attack originating from Ireland. The website was interrupted at 5.45pm for around 45 minutes.

“This is obviously a serious issue, but also an indication of the lengths some will go to try shut down our efforts to counter such misinformation. We will continue our online campaign to counter misinformation across as many platforms as possible.”

The spokesperson noted that CauseVox is a reputable platform and that the site was up and running soon after the initial attack. They added that CauseVox had assured them that steps to mitigate such attacks in future were being taken. The incident is still under investigation.

DDoS explained

A DDoS (distributed denial of service) attack’s main aim is to make a target website, machine or network resource unavailable.

Usually, this type of cyberattack is accomplished by drowning a system (a server, for example) with data requests. This can then cause the website to crash. A database could also be hit with a massive volume of queries. In this particular case, the result is an overwhelmed website.

Impact from DDoS attacks can vary from mild disruption to total denial of service to entire websites, apps or even businesses.

DDoS attacks have grown exponentially in scale, and occur quite often in the cybercrime world. In the 1990s, a DDoS incident would have typically involved 150 requests per second, but attacks these days can exceed 1,000Gbps.

The Mirai botnet is a prime example of a modern DDoS attack. A massive attack also occurred on GitHub earlier in 2018, using a new technique called ‘memcaching’.

Updated, 4.28pm, 10 May 2018: This article was updated to include comments from an Amnesty International spokesperson.

Updated, 6.21pm, 10 May 2018: A correction has been made to clarify that individual websites hosted by CauseVox, and not the entire platform, were affected by this attack.

Source: https://www.siliconrepublic.com/enterprise/referendum-ddos-attack-ireland

As the cyber environment develops through new digital scenarios — from the technological development of smartphone apps to the Internet of Things, from the sharing economy to social networks — the circulation of personal data has expanded extensively and rapidly. In particular, I recognize a slow but decisive transition from a material, utilitarian and free sharing typical of the sharing economy, for which self-regulation was sufficient, to today’s atmosphere of social sharing. If the services of the sharing economy technologies seemed to put the privacy of users at risk, the new system seems to be even more saturated with issues. In fact, the social sharing of photographs, thoughts and confidential information risks endangering the privacy of internet users and, considering that much of this personal data is also transported overseas where the discipline and the protection provided is profoundly different, the question becomes extremely complex.

This shift is characterized by the diffusion and horizontal expansion of increasingly sophisticated and integrated social engineering methods and techniques, and through the release and sharing of technologically persuasive applications. These scenarios are found in the profile of cyber attacks and are significant characterizations in terms of behavioral matrixes and operational creativity.

Inevitably, the concepts of knowledge and information management have been redefined and are now almost completely digitalized, with significant relapses in terms of security. In today’s cyber scenario, a new multidimensional concept of security has emerged, deriving from the interpenetration of the paradigms of social change and digital-media convergence — both understood as multipliers of instances coming in particular from the underground. This underground becomes ever more reticular, competent and cohesive, from a digital point of view, until it’s the “cartilage” of the system exoskeleton, not only in infrastructural terms but also in terms of cultural identity.

As a result, open society, right-to-know and digital info sharing become the pillars of contemporary democratic architecture. It is necessary to explore cyberspace in a deep and scientific way — to understand it as a human space, one which needs to be identified and analyzed dynamically, with scientific rigor, avoiding any reductionist simplicity dictated by the fashions of the moment. The specificities and the socio-cultural differences between activism and hacktivism are also worth examining in the transition process toward fully digital models of politics and diplomacy.

As an example, Bitcoin should not be considered mere virtual currency, but also as an instrument, product and modality of self-construction. It’s an identity-based dissemination of digital exchange communities and an interactive process through which all the subjects involved create information, innovation and resources.

It is essential to direct operational research into the elaboration and anticipation of scenarios that are no longer futuristic or even too far in the future — ones in which we imagine the impact and dynamics of the cybercriminals who use distributed denial of service (DDoS) or botnet attacks. These attacks might be a self-legitimized form of cyber-protest or a revisitation, in a cyber environment, of protest sit-ins that animated most of the 20th century and which often caused paralysis not only of viability but also of the vital functions of important institutions.

The unknown journey that leads humanity toward post-globalization is strongly marked by some pieces of evidence including the conflicts arising from the frictions between the development of the metropolitan institutional environment and the organizational dynamics of transnational digital communities and the advent of new sexual-digital identities.

We are witnessing the progressive emergence of organized and globalized criminals, above all at the level of the media. These criminals are born from the necessity of evolution through the web, pre-existing local and internationalized structures, and by long processes of criminal hybridization. This hybridization has connected them through the web. This evolution requires a resetting of operational missions based on full integration between social sciences and computational technologies in order to uncover qualitative and quantitative strategies that can be used to attain a deep understanding of the organized and now digitized criminal complex.

The triangulation of big data, web intelligence and information assurance turns out to be the key to managing the complexity and the centrality of information, which is now the regulating essence of every aspect of life. Today, it’s important to focus not just on the internet of things but also on the sometimes obscure internet of thoughts, which requires equal amounts of analytical attention. This emphasizes that today cyber can no longer be considered an object external to mankind, and should instead be seen as pervasively connected to it. Therefore, in firmly considering cybersecurity as a dynamic process and not a static product, it is evident that it is not possible to guarantee the security of the globalized citizen in relation to the relationship between freedom and democracy, without using appropriate conceptual tools to understand and manage the complexity that turns out to be unquestionably human, cultural and social.

Source: https://www.forbes.com/sites/forbestechcouncil/2018/05/07/from-the-internet-of-things-to-the-internet-of-thoughts/#67a7651c736f

Botnet uses compromised systems to spread infection. Security researchers have discovered a large botnet that is using a severe flaw in the Drupal CMS in order to infect other systems.

According to a blog post by researchers at Qihoo 360 Netlab, bots have been scanning for systems with the CVE-2018-7600 vulnerability, AKA the Drupalgeddon 2 bug. The vulnerability exists in multiple Drupal versions and may be exploited by an attacker to take full control of the target.

Researchers said that scanning started on 13 April this year and they believed that at least three groups of malware campaigns are exploiting this bug. One group has worm-propagation behaviour and was dubbed Muhstik, as this name kept appearing in binary file names and a communications IRC channel. The malware is also an update of the Tsunami malware that has been used in the past to infect tens of thousands of Unix and Linux servers since 2011.

They said that Muhstik uses two sets of attack payloads, which together account for around 80 percent of all the payloads observed. The botnet can install multiple malicious payloads, including cryptocurrency miners (such as the XMRig Monero miner, or CGMiner to mine Dash cryptocurrency) and software to launch DDoS attacks. The botnet uses 11 separate command-and-control domains and IP addresses to stay online as much as possible. It also uses the IRC protocol to communicate, sending different instructions via different channels.

Muhstik is also exploiting flaws in other applications such as WebDAV, WebLogic, Webuzo, and WordPress. It scans ports 80, 8080, 7001, and 2004. The worm propagates by scanning for susceptible server apps and searching servers for weak secure-shell (SSH) passwords.
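Detection logic over constructed firewall log lines for the scanning behaviour described above (an added example, not code from Netlab's report): it flags sources that probe at least two of the Muhstik ports across several destinations, which separates a sweep from ordinary traffic to port 80. The log format, addresses and thresholds are assumptions.

```python
"""Flag sources whose connection attempts match the Muhstik scanning pattern
(ports 80, 8080, 7001 and 2004 probed across many hosts).  Added detection
example; the log format, addresses and thresholds are constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

MUHSTIK_PORTS = {80, 8080, 7001, 2004}          # port set named in the article
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

# Constructed firewall lines: one scanning source, one ordinary client.
SAMPLE_LOG = """\
2018-04-13T10:00:01Z src=203.0.113.5 dst=198.51.100.10 dport=80 action=deny
2018-04-13T10:00:01Z src=203.0.113.5 dst=198.51.100.10 dport=8080 action=deny
2018-04-13T10:00:02Z src=203.0.113.5 dst=198.51.100.11 dport=7001 action=deny
2018-04-13T10:00:02Z src=203.0.113.5 dst=198.51.100.12 dport=2004 action=deny
2018-04-13T10:00:03Z src=203.0.113.5 dst=198.51.100.13 dport=80 action=deny
2018-04-13T10:00:05Z src=192.0.2.44 dst=198.51.100.10 dport=80 action=allow
2018-04-13T10:00:06Z src=192.0.2.44 dst=198.51.100.10 dport=80 action=allow
"""


def parse(log: str) -> List[Tuple[str, str, int]]:
    """Extract (src, dst, dport) from each line that carries those fields."""
    out = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            out.append((m.group(1), m.group(2), int(m.group(3))))
    return out


def muhstik_scanners(log: str, min_ports: int = 2, min_hosts: int = 3) -> Dict[str, dict]:
    """Return sources that touched at least `min_ports` distinct Muhstik ports
    on at least `min_hosts` distinct destinations.  A single port-80 visitor
    never trips the rule; a sweep across the port set does."""
    ports: Dict[str, Set[int]] = defaultdict(set)
    hosts: Dict[str, Set[str]] = defaultdict(set)
    for src, dst, dport in parse(log):
        if dport in MUHSTIK_PORTS:
            ports[src].add(dport)
            hosts[src].add(dst)
    return {
        s: {"ports": sorted(ports[s]), "hosts": len(hosts[s])}
        for s in ports
        if len(ports[s]) >= min_ports and len(hosts[s]) >= min_hosts
    }


if __name__ == "__main__":
    for src, info in muhstik_scanners(SAMPLE_LOG).items():
        print(f"{src}: ports {info['ports']} on {info['hosts']} hosts")
```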
The security team at Drupal patched Drupalgeddon 2 last month when it released Drupal 7.58 and Drupal 8.5.1. Sites running the CMS have been advised to update to these versions as soon as possible.

Dr Kevin Curran, senior IEEE member and professor of cybersecurity at Ulster University, told SC Media UK that we are likely to see other content management systems compromised in the future, in part simply due to their popularity.

“Hackers have accumulated many CMS vulnerabilities and there exists a host of CMSs which have neglected to update to more secure versions – thus leaving them susceptible to these well-known flaws. Weak admin passwords can also be brute forced. The other main weakness in CMSs which leads to hacks is the plugin ecosystem. Here there are, again, well-known attacks in the wild for plugins which also lead to full system hack,” he said.

Paul Ducklin, senior technologist at Sophos, told SC Media UK that the good news about the Drupal CVE-2018-7600 vulnerability is that it isn’t a zero-day because there are already patches available. “If you’ve applied the patches, you can’t be exploited. The bad news is that if you haven’t patched, or if you think you’ve patched but didn’t do it properly, then it might as well be a zero-day, because the crooks can and will attack you. Don’t make yourself an easy target: patch early, patch often!” he said.

Source: https://www.scmagazineuk.com/iot-botnet-actively-exploiting-drupal-cms-bug/article/760331/