Category Archives: Cyber Security News

Facebook Plans to Build Its Own Chips For Hardware Devices

A new job opening post on Facebook suggests that the social network is forming a team to build its own hardware chips, joining other tech titans like Google, Apple, and Amazon in becoming more self-reliant.

According to the post, Facebook is looking for an expert in ASIC and FPGA—two custom silicon designs to help it evaluate, develop and drive next-generation technologies within Facebook—particularly in artificial intelligence and machine learning.

The social media company is seeking to hire an expert who can lead “an end-to-end SoC/ASIC, firmware and driver development organisation, including all aspects of front-end and back-end standard cell ASIC development,” the job listing on Facebook’s corporate website reads.

SoC (system-on-a-chip) is a processor typically used in mobile devices with all the components required to power a device, while ASIC (application-specific integrated circuit) is a customized piece of silicon designed for a narrow purpose that companies can gear toward something specific, like mining cryptocurrency.

FPGA (field programmable gate array) is an adaptable chip with a more flexible and modular design; its logic can be reconfigured to speed up specific jobs.

As Bloomberg first reported, building its own processors would help the social media giant reduce its dependency on companies such as Qualcomm and Intel, which hold the lion’s share of the processor market.

Reportedly Apple, which already makes its own A-series custom chips for iPhones, iPads and other iThings, plans to use its custom-designed ARM chips in Mac computers starting as early as 2020, replacing the Intel processors running in its desktop and laptop hardware.

Google has also developed its own artificial intelligence chip, and Amazon is reportedly designing its custom hardware to improve Alexa-equipped devices.

The plan to invest in building its own processors could help Facebook to power its artificial intelligence software, servers in its data centers, as well as its future hardware devices, like Oculus virtual reality headsets and smart speakers (similar to Amazon Echo and Google Home).

Using its own custom chips would also give the social media company more control over its hardware roadmap and eventual feature set, allowing it to offer better performance to its users.

Facebook has not commented on the news yet, so at this time, it is hard to say where the company will deploy its in-house chips.

Maslow’s Pyramid Applied to Cyber Security

Ever heard of the ransomware Slammer?

It happened in 2003, when a computer worm infected 75,000 servers across the world. 13,000 of Bank of America’s ATMs were unusable. 27 million people did not have access to mobile networks in South Korea. Computer sites were frozen in China. All of this happened in just 10 minutes.

More than a decade later, enterprises are still facing cyber attacks, and they are more deadly than ever. In fact, in 2017 we faced one of the largest ransomware outbreaks, WannaCry, in which more than 200,000 computers across 150 countries fell victim. According to cyber risk modeling firm Cyence, the WannaCry ransom attack losses could reach as high as US$4 billion.

Clearly, cyber security is no longer an IT issue. It is a concern for business leaders too. This is undeniably due to the growing sophistication of cyber threats.

Change in Paradigm

We used to build castles, with strong walls, one door, and a few narrow windows. That was an air-tight security perimeter, and security was all about preventing attacks with strong walls.

However, cyber threats have evolved. They are increasing in volume and sophistication. Cyber criminals are also sharper and craftier. Crime-as-a-Service is a reality and a proven business model. According to Carbon Black’s Threat Analysis Unit report, the Dark Web Marketplace for Ransomware is growing at a rate of more than 2,500% per year.

The Cyber Security Agency of Singapore’s inaugural cyber landscape report also highlighted that an unnamed public organization here was hit by a state-sponsored advanced persistent threat in 2016.

Who can we trust these days?

Trust has been shattered by the very institutions that are supposed to guarantee it.

Cyber defense in Maslow’s Pyramid

At Orange Business Services, we believe in a tiered approach to cyber security.

Picture Maslow’s pyramid.

At the bottom, we have physiological and safety needs such as food, sleep, and shelter. These are the basics.

Likewise, for cyber security, the fundamentals need to be in place. Most organizations will already have the traditional cyber defense infrastructure, such as the firewall, implemented. However, the basics will not suffice. A single level of security for everything inside the castle is not enough.

Thus, we move on to the next layer of the pyramid – belonging. This means preventing threats not only from the outside, but on the inside as well. There is a need for different levels of cyber defense and different levels of access control.

This is similar to how an airport operates. There is a public area where one can wander freely, a passenger area where one must show a boarding pass, and a restricted zone that only airport and airline staff, with badges and biometrics, can access.

It is also easy to imagine that the biggest threat to a company is external. However, companies are beginning to realize that trusted employees can also pose an enormous threat. It could be an innocent action by an employee falling for a phishing attempt, or it could be due to negligence. A good example is the recent Equifax data breach, where an internal email requested that the IT team fix a piece of software. However, the message was not communicated to the right person to manually patch the application, which eventually resulted in the hack.

Once the right infrastructure is implemented and employees are well-informed, the top layer of the pyramid is self-actualization. This is where organizations move away from a reactive security stance to a proactive or even predictive stance. The right detection and mitigation measures are employed, and the holy grail is to be able to understand what and who is coming for you next.

And this is how we build a cyber defense network.

Implementing a robust cyber defense ecosystem may sound daunting and tedious. However, as cyber criminals and malicious state actors continue to evolve, business leaders cannot ignore the need to match them. On a positive note, IT teams are no longer fighting this alone. Now, they are finding staunch allies in the board room.

Russian Hacker Who Allegedly Hacked LinkedIn and Dropbox Extradited to US

A Russian man accused of hacking LinkedIn, Dropbox, and Formspring in 2012, and possibly compromising the personal details of over 100 million users, has pleaded not guilty in a U.S. federal court after being extradited from the Czech Republic. Yevgeniy Aleksandrovich Nikulin, 30, of Moscow was arrested in Prague on October 5, 2016, by Interpol agents working in collaboration with the FBI, and was extradited to the United States from the Czech Republic on Thursday for his first appearance in federal court.

Nikulin’s arrest started an extradition battle between the United States and Russia, where he faces significantly lesser criminal charges of stealing $3,450 via Webmoney in 2009. But the Czech Republic ruled in favor of the United States.

In the U.S., Nikulin is facing:

  • 3 counts of computer intrusion
  • 2 counts of intentional transmission of information, code, or command causing damage to a protected computer
  • 2 counts of aggravated identity theft
  • 1 count of trafficking in unauthorized access devices
  • 1 count of conspiracy

According to the maximum penalties for each count, Nikulin faces a maximum of 32 years in prison and a massive fine of more than $1 million.

The U.S. Justice Department accused Nikulin of allegedly hacking into computers belonging to three American social media firms: LinkedIn, the online cloud storage platform Dropbox and the now-defunct social-networking firm Formspring.

Nikulin reportedly gained access to LinkedIn’s network between March 3 and March 4, 2012, Dropbox between May 14 and July 25, 2012, and Formspring between June 13 and June 29, 2012.

The hacker allegedly stole accounts of more than 117 Million LinkedIn users and more than 68 Million Dropbox users. Authorities also say that after stealing data from the three companies, Nikulin worked with unnamed co-conspirators to sell the stolen data.

Besides hacking into the three social media firms, the Justice Department also accused Nikulin of allegedly gaining access to credentials belonging to LinkedIn and Formspring employees, which helped him carry out the computer hacks.

Nikulin appeared in Federal District Court in San Francisco on Friday and pleaded not guilty to the charges against him, the New York Times reported.

“This is deeply troubling behavior once again emanating from Russia,” said Attorney General Jeff Sessions in a statement. “We will not tolerate criminal cyber-attacks and will make it a priority to investigate and prosecute these crimes, regardless of the country where they originate.”

Judge Jacqueline Scott Corley scheduled Nikulin’s next court appearance for status on April 2, 2018, and scheduled a detention hearing for April 4, 2018.

Leader of Hacking Group Who Stole $1 Billion From Banks Arrested In Spain

Spanish police have arrested the alleged leader of an organised Russian cybercrime gang behind the Carbanak and Cobalt malware attacks, which have stolen over a billion euros from banks worldwide since 2013.

In a coordinated operation with law enforcement agencies across the globe, including the FBI and Europol, police detained the suspected leader of the Carbanak hacking group in Alicante, Spain.

The Carbanak hacking group started its activities almost five years ago by launching a series of malware campaigns, such as Anunak and Carbanak, to compromise banks and ATM networks, and swiped millions of credit card details from US-based retailers.

According to Europol, the group later developed a sophisticated heist-ready banking malware known as Cobalt, based on the Cobalt Strike penetration testing software, which was in use until 2016.

“The magnitude of the losses is significant: the Cobalt malware alone allowed criminals to steal up to EUR 10 million per heist,” Europol said.

In order to compromise bank networks, the group sent malicious spear-phishing emails to hundreds of employees at different banks, which, if opened, infected computers with the Carbanak malware, allowing the hackers to transfer money from the banks to fake accounts or to ATMs monitored by criminals.

According to the authorities, the criminal profits were also laundered via cryptocurrencies, through prepaid cards linked to the cryptocurrency wallets, which were used to buy goods such as luxury cars and houses.

In early 2017, the gang of financially-motivated cybercriminals was found abusing various Google services to issue command and control (C&C) communications for monitoring and controlling the machines of its victims.

In separate news, Ukrainian police announced today the arrest of another member of the Cobalt group in Kiev, for developing malware and selling the personal data of citizens worldwide.

The suspect had been working with the Cobalt group since 2016 and was also involved in cyber-espionage activities. He allegedly sold a variety of malicious software in underground markets that allows anyone to access and control victims’ computers remotely.

“This global operation is a significant success for international police cooperation against a top-level cybercriminal organisation. The arrest of the key figure in this crime group illustrates that cybercriminals can no longer hide behind perceived international anonymity,” said Steven Wilson, Head of Europol’s European Cybercrime Centre (EC3).

“This is another example where the close cooperation between law enforcement agencies on a worldwide scale and trusted private sector partners is having a major impact on top-level cyber criminality.”

Cyber attacks becoming No. 1 business risk

Cyber attacks are becoming the No. 1 risk to business, brands, operations and financials, according to the SonicWall “2018 Cyber Threat Report.”

SonicWall recorded 9.32 billion malware attacks in 2017, an 18.4 percent year-over-year increase from 2016, and saw more than 12,500 new Common Vulnerabilities and Exposures (CVE) reported for the year, according to the report.

“The cyber arms race affects every government, business, organization and individual. It cannot be won by any one of us,” said SonicWall CEO Bill Conner. “Our latest proprietary data and findings show a series of strategic attacks and countermeasures as the cyber arms race continues to escalate. By sharing actionable intelligence, we collectively improve our business and security postures against today’s most malicious threats and criminals.”

“Enterprises across the board are going digital at an accelerated pace in Asia, but security still remains a top concern for them as cyber attacks become more prevalent and disruptive,” commented Wias Issa, Vice President and General Manager, Asia Pacific and Japan, SonicWall.

The annual threat report also revealed that ransomware attacks dropped from 638 million to 184 million between 2016 and 2017; Asia Pacific accounted for 7 percent of the attacks in 2017. Ransomware variants, however, increased 101.2 percent. In Asia Pacific, Nemucod accounted for 65 percent of the ransomware variants seen, followed by WannaCrypt at 14 percent, Locky at 13 percent, and Cerber at 4 percent. The report also revealed that ransomware against IoT and mobile devices is expected to increase in 2018.

Traffic encrypted by SSL/TLS standards increased 24 percent, representing 68 percent of total traffic. Without SSL decryption capabilities in place, the average organization will see almost 900 attacks per year hidden by SSL/TLS encryption. SonicWall identifies almost 500 new, previously unknown malicious files each day.

“The risks to business, privacy and related data grow by the day — so much so that cybersecurity is outranking some of the more traditional business risks and concerns,” said Conner.

Effectiveness of exploit kits impacted

With most browsers dropping support for Adobe Flash, no critical Flash vulnerabilities were discovered in 2017. That, however, hasn’t deterred threat actors from attempting new strategies.

SonicWall provided protection against Microsoft Edge attacks, which it observed grew 13 percent in 2017 over 2016. SonicWall also protects the most popular Adobe products — Acrobat, Acrobat DC, Reader DC and Reader — and observed that attacks against these applications were down across the board. Meanwhile, newly targeted applications (e.g., Apple TV, Microsoft Office) cracked SonicWall’s top 10 for the first time.

Law enforcement turns the tide

Key arrests of cybercriminals continued to help disrupt malware supply chains and impact the rise of new would-be hackers and authors.

“Stabilizing the cyber arms race requires the responsible, transparent and agile collaboration between governments, law enforcement and the private sector,” said the Honorable Michael Chertoff, Chairman of the Chertoff Group, and former U.S. Secretary of Homeland Security. “Like we witnessed in 2017, joint efforts deliver a hard-hitting impact to cybercriminals and threat actors. This diligence helps disrupt the development and deployment of advanced exploits and payloads, and also deters future criminals from engaging in malicious activity against well-meaning organizations, governments, businesses and individuals.”

SSL encryption still hiding cyber attacks

Hackers and cybercriminals continued to encrypt their malware payloads to circumvent traditional security controls. For the first time ever, SonicWall has real-world data that unmasks the volume of malware and other exploits hidden in encrypted traffic.

Encryption was leveraged more than previous years, for both legitimate traffic and malicious payload delivery. SonicWall Capture Labs found, on average, 60 file-based malware propagation attempts per SonicWall firewall each day.

Without SSL decryption capabilities in place, the average organization will see almost 900 file-based attacks per year hidden by TLS/SSL encryption.

“Industry reports indicate as high as 41% of attack or malicious traffic now leverages encryption for obfuscation, which means that traffic analysis solutions and web transaction solutions such as secure web gateways each must support the ability to decrypt SSL traffic to be effective,” wrote Ruggero Contu and Lawrence Pingree of Gartner.

Malware cocktails mixing things up

While no single exploit kit in 2017 rose to the level of the darknet hacker tools Angler or Neutrino in 2016, plenty of malware writers leveraged one another’s code and mixed it to form new malware, putting a strain on signature-only security controls. SonicWall Capture Labs uses machine-learning technology to examine individual malware artifacts and categorizes each as unique or as malware that already exists.

SonicWall collected 56 million unique malware samples in 2017, a slight 6.7 percent decrease from 2016. Total volume of unique malware samples in 2017 was 51.4 percent higher than 2014.

Chip processors, IoT are emerging battlegrounds

Cybercriminals are pushing new attack techniques into advanced technology spaces, notably chip processors.

Memory is the next key battleground between organizations and cybercriminals. Modern malware writers implement advanced techniques, including custom encryption, obfuscation and packing, as well as acting benign within sandbox environments, to allow malicious behavior to remain hidden in memory.

Organizations will soon need to implement advanced techniques that can detect and block malware that exhibits no malicious behavior while under analysis and hides its weaponry via custom encryption.

“Sandbox techniques are often ineffective when analyzing the most modern malware,” said SonicWall CTO John Gmuender. “Real-time deep memory inspection is very fast and very precise, and can mitigate sophisticated attacks where the malware’s most protected weaponry is exposed for less than 100 nanoseconds.”

Cloud Security – The Future of IDS?

I’ve been a car audio enthusiast my whole life. I remember my first car stereo system, a Pioneer receiver, JL Audio subwoofers, Rockford Fosgate amps, Alpine speakers, and a sweet Viper car alarm system to protect it all.

In the 1990s, I wasn’t the only one; people started putting expensive systems into their cars, and the rate of car theft went up significantly. We saw the rise, transformation, and fall of the bolted-on car alarm, which was supposed to detect and prevent car thefts.

Today I spend my time in the cybersecurity world and not the car audio world, but nevertheless, the lessons apply to both. Security in the cloud continues to be a hot topic. More and more organizations are moving to the cloud, more sensitive data is moving to the cloud, and data theft is on the rise.

Some may argue that Intrusion Detection Systems (IDS) are the solution, but I believe that future security will be driven by the Cloud Service Providers (CSPs), and not the IDS companies of today.

A few months ago, the Cloud Security Alliance released “Improving Metrics in Cyber Resiliency,” a whitepaper that proposed key metrics designed to help measure security risks and response. They introduced two core metrics: how long it takes to identify a threat, Elapsed Time to Identify Threat (ETIT), and how long it takes to identify a failure, Elapsed Time to Identify Failure (ETIF).

When analyzing breaches in 2017, many ETIF rates have been up to a woefully inadequate year or more. Imagine that: many companies don’t even realize that there is an issue for a YEAR! Because these metrics have been tracked haphazardly and inconsistently by victim organizations, the paper further proposes that responsibility for tracking and publishing ETIF and ETIT fall upon IDS companies in the future, to establish a superior and consistent reporting schema while also putting the spotlight and pressure on these companies to ultimately arrive at reduced intervals. I disagree.

Putting the future of cloud security in the hands of IDS makers is like putting the theft of automobiles in the hands of the car alarm manufacturers. It is short sighted and will not scale at the pace of innovation of the CSPs. The solution is to accelerate the standardization, APIs, and nomenclature of the CSPs, not the IDS providers. Why? Let’s check out the lessons from car alarms.

Lesson 1: People break into cars to steal what’s in the cars, not just the cars themselves. If you want to prevent people from smashing your window, don’t buy stronger windows, put your items in the trunk. Cloud providers have known this and developed several ways to “hide” your valuable data including encryption, segmentation, and anonymization. These are not typical solutions from IDS vendors today.

Lesson 2: You have to be able to react to the alarm. It’s not helpful to get an alert that people are breaking in when you can do nothing about it because you are far away or out of town. For IDS systems to become valuable and turn into Intrusion Prevention Systems (IPS), they must have access to the environment and the ability to make decisions (with human or automated rules) to stop an attack midway. Because every cloud environment is different and becoming more complicated every day, the IDS vendors are fighting a losing battle.

Lesson 3: It’s going to be commoditized, and the value will be in future features. Nearly every car alarm today is also a remote unlocking system, remote engine starter, and GPS tracking device. To do what needs to be done to prevent the bad guys from getting in, you need access under the hood (hypervisor, code, etc.). Each CSP has certain IDS vendors that do a better job than others. These vendors (or a subset of them) will be the future of cloud security. There will be a massive consolidation, and people will just “expect” the Cloud to come with built-in IDS, just as you “expect” that most new cars have remote unlock and car alarms built in. It’s not a bolted-on solution; it will be baked in.

Consider, for example, the highly publicized data exposures attributable to Amazon Web Services S3 bucket data repositories in 2017. Amazon got a bad rap in the news because customers were exposing millions of sensitive records to the world, and IDS systems were not working.

However, it wasn’t even AWS’s fault: they provided a locked-down database, and the companies themselves re-configured the systems to be open to the internet. AWS had to respond by updating their customer interfaces to figuratively shout at their customers, saying: “Are you REALLY sure you want to open this up to the world?” The solution, burden, and reputation rested on the cloud provider, and not the IDS vendors.

There is no one “car alarm” for security, and today’s IDS vendors will still be relevant for some time. However, over time the “IDS Enthusiasts” will diminish and will be replaced with increased security from the cloud providers. They will always have features and benefits that differ from their cloud counterparts, but it’s a losing battle.

Car alarms of the past were useful for their intended purpose—keeping in mind what that purpose and scope truly were, just as IDS has a purpose, application and scope. Both, however, have their limits and future applications.

Hopefully, today’s cybersecurity experts can learn from the car audiophiles of the 1990s. Let’s focus our efforts on building better platforms, and less on the bolt-on solutions that are the stop gap.

Expedia’s Orbitz Says 880,000 Payment Cards Compromised in Security Breach

Chicago-based online travel booking company Orbitz, a subsidiary of Expedia, has revealed that one of its old websites was hacked, exposing nearly 880,000 payment card numbers of people who made purchases online.

The data breach incident, which was detected earlier this month, likely took place somewhere between October 2016 and December 2017, potentially exposing customers’ information to hackers.

According to the company, hackers may have accessed payment card information stored on a consumer and business partner platform, along with customers’ personal information, including name, address, date of birth, phone number, email address and gender.

Orbitz worked closely with cybersecurity experts and law enforcement to investigate the breach and confirms that the social security numbers for U.S. customers were not exposed in this incident.

The company claims to have enhanced the security of the compromised platform, and assures its customers that the current website, Orbitz.com, was not impacted.

“We deeply regret the incident, and we are committed to doing everything we can to maintain the trust of our customers and partners,” Orbitz said in a statement.

Orbitz is currently working to notify the thousands of affected customers and plans to offer one year of free credit monitoring and identity protection service.

Since the payment card information is now in the hands of cybercriminals, customers are advised to closely monitor their credit card statements and report any unauthorised charges to the issuing bank.

Pre-Installed Malware Found On 5 Million Popular Android Phones

Security researchers have discovered a massive continuously growing malware campaign that has already infected nearly 5 million mobile devices worldwide.

Dubbed RottenSys, the malware, disguised as a ‘System Wi-Fi service’ app, came pre-installed on millions of brand new smartphones manufactured by Honor, Huawei, Xiaomi, OPPO, Vivo, Samsung and GIONEE, having been added somewhere along the supply chain.

All these affected devices were shipped through Tian Pai, a Hangzhou-based mobile phone distributor, but researchers are not sure if the company has direct involvement in this campaign.


At this moment, the massive malware campaign pushes an adware component to all infected devices that aggressively displays advertisements on the device’s home screen, as pop-up windows or full-screen ads to generate fraudulent ad-revenues.

“RottenSys is an extremely aggressive ad network. In the past 10 days alone, it popped aggressive ads 13,250,756 times (called impressions in the ad industry), and 548,822 of which were translated into ad clicks,” researchers said.

According to the Check Point researchers, the malware has made its authors more than $115,000 in the last 10 days alone, but the attackers are up to “something far more damaging than simply displaying uninvited advertisements.”

Since RottenSys has been designed to download and install any new components from its C&C server, attackers can easily weaponize or take full control over millions of infected devices.

The investigation also disclosed some evidence that the RottenSys attackers have already started turning millions of those infected devices into a massive botnet network.

Some infected devices have been found installing a new RottenSys component that gives attackers more extensive abilities, including silently installing additional apps and UI automation.

“Interestingly, a part of the controlling mechanism of the botnet is implemented in Lua scripts. Without intervention, the attackers could re-use their existing malware distribution channel and soon grasp control over millions of devices,” researchers noted.

This is not the first time Check Point researchers have found top brands affected by a supply chain attack.

Last year, the firm found smartphones from Samsung, LG, Xiaomi, Asus, Nexus, Oppo, and Lenovo infected with two pieces of pre-installed malware (the Loki Trojan and SLocker mobile ransomware) designed to spy on users.


The Shift in Security Operations in a Multi-Cloud World

As cybersecurity continues to become more complex and harder to manage, the role of security operations for organizations is also shifting across the board. Long gone are the days where firewalls or intrusion detection systems (IDS) could keep adversaries outside the perimeter. Instead, we are seeing increases in both size and frequency of attacks leading to more pronounced impacts to the business.

There are two primary factors that are driving this change. To be successful today, modern security operations need to understand these drivers and evolve their processes, procedures and tools to meet these new challenges.

The first driver has little to do with security as we think about it today. The modern IT organization is being required to deliver more business value at higher velocity with reduced costs. The most recent RightScale State of the Cloud Report states that 85 percent of enterprises now rely on multiple clouds. This trend makes perfect sense as IT organizations reach for the best tools possible to meet their goals. However, the diversity of platforms and tools has driven more complexity into security operations than they were designed or resourced to accept. In my experience, most organizations have difficulty understanding where their data resides in the suite of platforms in use, let alone how that data is being protected.

The second driver is directly related to the security landscape. Over the past five years, we’ve seen the results from the investments adversaries have made in expertise. Modern attacks performed by advanced persistent threat (APT) groups rarely use sophisticated methods like zero-day attacks. Instead, these groups are characterized by the “persistent” component of their moniker. A consistent set of attacks, powered by cybersecurity expertise, is capable of breaching most organizations using traditional prevention or deterrence techniques.

Given these drivers, security operations must adapt to be successful. To handle the move to multi-cloud, teams must understand and support the business in their use of these services. This means having resources in the security operation that know these platforms and being willing to tailor their tooling and interaction models to the underlying technology and the teams using it. As always, this approach requires new skillsets, approaches and tools which will consume additional resources.

Most organizations I see have, on average, zero to six people on their security team with their time monopolized by compliance driven tasks like vulnerability management and patching. While these goals are important, defending against modern adversaries requires security operations teams to assume that a compromise will occur and actively hunt adversaries in the environment. This is a 24/7 job and requires significant security expertise and focus. Highly capable security operators able to perform active cyber-hunting missions successfully will not be fulfilled or retained by vulnerability management. Specializing the security operation will grant increased capabilities, but can consume more of security’s limited budget.

Most organizations shouldn’t dedicate the resources to build these types of operations. Building a modern security operation capable of defending against advanced threats across multiple clouds will cost a minimum of $3 million to $5 million per year. Instead, internal resources should be focused on the business, working closely with stakeholders to ensure the integration of security into day-to-day business operations. Security organizations should look to outsource operations to partners capable of not only deploying tools and responding to their alerts, but also performing cyber-hunting missions and actually responding to adversaries. If your partner isn’t actually evicting the adversary from the environment, then your business will stay at risk until someone does.

Once you’ve found a partner for 24/7 security operations, it’s time to tackle the other areas in security including compliance, data protection, identity and application security.


‘Kill Switch’ to Mitigate Memcached DDoS Attacks — Flush ‘Em All

Security researchers have discovered a “kill switch” that could help companies protect their websites under massive DDoS attack launched using vulnerable Memcached servers.

Massive Memcached reflection DDoS attacks with an unprecedented amplification factor of 50,000 recently resulted in some of the largest DDoS attacks in history.

To make matters even worse, someone released proof-of-concept (PoC) exploit code for the Memcached amplification attack yesterday, making it easier for even script kiddies to launch massive cyber attacks.

Despite multiple warnings, more than 12,000 vulnerable Memcached servers with UDP support enabled are still accessible on the Internet, which could fuel more cyber attacks soon.

However, the good news is that researchers from Corero Network Security found a technique in which DDoS victims can send back a simple command, i.e., “shutdown\r\n” or “flush_all\r\n”, in a loop to the attacking Memcached servers in order to prevent amplification.

The flush_all command simply flushes the content (all keys and their values) stored in the cache, without restarting the Memcached server.

The company said its kill-switch has been tested on live attacking Memcached servers and found to be 100% effective, and has already been disclosed to national security agencies.

Based on this finding, security researcher Amir Khashayar Mohammadi—who focuses on malware analysis, cryptanalysis, web exploitation, and other cyber attack vectors—has created and released a simple DDoS mitigation tool, dubbed Memfixed, that sends flush or shutdown commands to the vulnerable Memcached servers.

Written in Python, Memfixed automatically obtains a list of vulnerable Memcached servers using the Shodan API and triggers the shutdown/flush commands against them.

Stealing Sensitive Data From Memcached Servers

What’s more, Corero researchers also claimed that the Memcached vulnerability (CVE-2018-1000115) is more extensive than initially reported, and can be exploited beyond leveraging it for a DDoS attack.

Without revealing any technical detail, the company said the Memcached vulnerability could also be exploited by remote attackers to steal or modify data from the vulnerable Memcached servers by issuing a simple debug command.

Dynamic database-driven websites use Memcached to improve their performance by caching data and objects in RAM.

Since Memcached was designed to be used without logins or passwords, attackers can remotely steal the sensitive user data it has cached from its local network or host without any authentication.

The data may include confidential database records, emails, website customer information, API data, Hadoop information and more.

“By using a simple debug command, hackers can reveal the ‘keys’ to your data and retrieve the owner’s data from the other side of the world,” the company said. “Additionally, it is also possible to maliciously modify the data and re-insert it into the cache without the knowledge of the Memcached owner.”

Server administrators are strongly advised to install the latest Memcached version, 1.5.6, which disables the UDP protocol by default to prevent amplification/reflection DDoS attacks.
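The practical question for an administrator reading the above is whether their own Memcached instances still answer on UDP. The following script is an added example written for this article; it is not Corero's kill-switch, not the Memfixed tool, and not code from the Memcached project. It sends a harmless `version` request inside the 8-byte Memcached UDP frame header (request ID, sequence number, total datagrams, reserved) to a host you operate and reports the version string if the server replies. The local "exposed server" it spins up is a constructed stand-in so the check can be exercised offline; the port and version value it uses are made up.

```python
"""Audit helper: does one of *your* Memcached instances answer on UDP?

Memcached UDP datagrams carry an 8-byte frame header before the ASCII
protocol text: request id (2 bytes), sequence number (2), total datagrams
in the message (2), reserved (2), all big-endian.  An exposed server
answers a plain "version" request; one started with "-U 0" (the default
from 1.5.6 on) or bound to localhost only (-l 127.0.0.1) does not.
"""
import socket
import struct
import threading

FRAME = struct.Struct("!HHHH")  # request id, sequence no, total datagrams, reserved


def build_udp_frame(command: str, request_id: int = 0x1234) -> bytes:
    """Wrap an ASCII command in a single-datagram Memcached UDP frame."""
    return FRAME.pack(request_id, 0, 1, 0) + command.encode("ascii")


def parse_udp_frame(datagram: bytes):
    """Split a datagram into (request_id, seq, total, payload)."""
    if len(datagram) < FRAME.size:
        raise ValueError("datagram shorter than the 8-byte Memcached UDP header")
    request_id, seq, total, _reserved = FRAME.unpack_from(datagram)
    return request_id, seq, total, datagram[FRAME.size:]


def check_udp_exposure(host: str, port: int = 11211, timeout: float = 1.0):
    """Return the server's version string if it answers on UDP, else None.

    None is the desired result: it means UDP is disabled or filtered.
    """
    request_id = 0x4242
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_udp_frame("version\r\n", request_id), (host, port))
        try:
            data, _addr = sock.recvfrom(1400)
        except OSError:  # timeout, or ICMP port-unreachable surfaced as an error
            return None
    rid, _seq, _total, payload = parse_udp_frame(data)
    if rid != request_id:
        return None  # reply does not belong to our request; ignore it
    text = payload.decode("ascii", errors="replace").strip()
    return text[len("VERSION "):] if text.startswith("VERSION ") else text


def run_fake_exposed_server(version: str = "1.4.39", respond: bool = True):
    """Constructed stand-in for a UDP-exposed Memcached instance (not real memcached).

    Binds an ephemeral UDP port on localhost, handles one datagram and exits.
    With respond=False it swallows the request, imitating a hardened host.
    Returns (port, thread) so the caller can join the thread.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    srv.settimeout(5)

    def serve():
        try:
            data, addr = srv.recvfrom(1400)
            rid, _s, _t, payload = parse_udp_frame(data)
            if respond and payload.strip() == b"version":
                reply = FRAME.pack(rid, 0, 1, 0) + f"VERSION {version}\r\n".encode("ascii")
                srv.sendto(reply, addr)
        except (OSError, ValueError):
            pass
        finally:
            srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, thread


def demo(respond: bool = True):
    """Run the check against the local stand-in; returns the version or None."""
    port, thread = run_fake_exposed_server(respond=respond)
    result = check_udp_exposure("127.0.0.1", port, timeout=0.5)
    thread.join()
    return result


if __name__ == "__main__":
    print("exposed stand-in  :", demo(respond=True))   # version string -> UDP reachable
    print("hardened stand-in :", demo(respond=False))  # None -> nothing answered
```

Run it against your own hosts with `check_udp_exposure("cache01.internal")`; any non-`None` return means the instance is still reachable over UDP and should be restarted with UDP disabled (`-U 0`) or bound to a non-routable interface, in addition to the 1.5.6 upgrade the article recommends. The script only ever sends a `version` request, never `flush_all` or `shutdown`, so it is safe to point at production caches.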