During the second half of 2018, attackers bulked up existing tactics, rapidly evolvied new performance enhancements, and applied smart business techniques to vastly accelerate attack growth rate, according to the latest Threat Landscape Report by Netscout.

IoT’s countdown to attack

• Constant targets of DDoS malware, IoT devices come under attack within five minutes of being plugged in and targeted by specific exploits within 24 hours.
• IoT security is minimal to nonexistent on many devices, making this an increasingly dangerous and vulnerable sector, particularly as items ranging from medical devices to cars are IoT-equipped.

The ‘TerrorBit attack’ and beyond

• Overall, the number of DDoS attacks in 2018 was up 26 percent compared to the year previously, and attacks in the 100-400 Gbps range exploded, showing continued interest by bad actors in this attack vector and maturity of tooling in the mid-range of attacks.
• The global maximum DDoS attack size grew by 19 percent in the second half of 2018 versus the same period in the year previously, as threat actors launched strategic campaigns that compromised and used a vast array of devices related solely by internet connectivity. And “carpet bombing,” a new variant of the more common reflection or flooding DDoS attack, emerged, requiring different detection techniques.

Nation-state innovation

• DDoS attacks against the international affairs sector, which includes the United Nations, the International Monetary Fund and the State Department, increased by nearly 200 percent between 2H 2017 and 2H 2018.
• The volume of nation state APT group activity has increased in the space of the last year, as have the number of targets. Subsequently, NETSCOUT is now monitoring the activities of at least 35 groups across several countries, which include Iran, China, Russia, and North Korea.
• These groups are employing new techniques, combining custom-made tools with commodity crimeware as in the case of STOLEN PENCIL to extend their reach and impact.

Commercialization of crimeware

• The cybercriminal underground operates much like legitimate businesses using the conventional business practice of the affiliate model to rapidly generate profits. Increases in attack size reflect the continued monetization of the threat landscape.
• Campaigns like DanaBot increased distribution efficiency and cut labor costs by using an affiliate model to rapidly establish its presence across the globe, with 12 separate affiliates targeting financial institutions in many countries.
• However, collaborative crime fighting is also on the rise, illustrated by recent efforts with the ASERT team and the FBI during an investigation into MedusaHTTP DDoS, a botnet from a hacker known as stevenkings, that ultimately led to charges being filed.

Through telemetry on a massive scale, ATLAS delivers visibility into the backbone networks at the core of the internet. NETSCOUT gathers data shared by organizations around the world, including 90 percent of Tier 1 service providers, representing approximately one third of internet traffic.

Security researchers have discovered a new class of security vulnerabilities that impacts all major operating systems, including Microsoft Windows, Apple macOS, Linux, and FreeBSD, allowing attackers to bypass protection mechanisms introduced to defend against DMA attacks.

Known for years, Direct memory access (DMA)-based attacks let an attacker compromise a targeted computer in a matter of seconds by plugging-in a malicious hot plug device—such as an external network card, mouse, keyboard, printer, storage, and graphics card—into Thunderbolt 3 port or the latest USB-C port.

The DMA-based attacks are possible because Thunderbolt port allows connected peripherals to bypass operating system security policies and directly read/write system memory that contains sensitive information including your passwords, banking logins, private files, and browser activity.

That means, simply plugging in an infected device, created using tools like Interception, can manipulate the contents of the memory and execute arbitrary code with much higher privileges than regular universal serial bus peripherals, allowing attackers to bypass the lock screen or control PCs remotely.

To block DMA-based attacks, most operating systems and devices leverage Input/Output Memory Management Unit (IOMMU) protection technique to control which peripheral device (usually legitimate) can access memory and which region of the memory.

ThunderClap Flaws Bypass IOMMU to Re-Enable DMA Attacks

Now, a team of cybersecurity researchers from the University of Cambridge, Rice University, and SRI International has unveiled a set of new vulnerabilities in various major operating systems that could allow attackers to bypass IOMMU protection.

By mimicking the functionality of a legitimate peripheral device, an attacker can trick targeted operating systems into granting it access to sensitive regions of memory.

In a paper [PDF] published earlier this week, researchers detailed technical information of all new vulnerabilities that they claimed to have discovered using a hardware/software stack, called Thunderclap, which they build and also released in the open-source.

Besides this, the researchers also stressed that since IOMMU does not come enabled by default on most operating systems and since modern devices have USB-C, the attack surface of DMA attack has significantly increased which was earlier primarily limited to Apple devices with Thunderbolt 3 ports.

“The rise of hardware interconnects like Thunderbolt 3 over USB-C that combine power input, video output, and peripheral device DMA over the same port greatly increases the real-world applicability of Thunderclap vulnerabilities.”

“In particular, all Apple laptops and desktops produced since 2011 are vulnerable, with the exception of the 12-inch MacBook. Many laptops, and some desktops, designed to run Windows or Linux produced since 2016 are also affected – check whether your laptop supports Thunderbolt.”

How to Protect Against Thunderclap Vulnerabilities

Researchers have reported their findings to all major hardware and operating system vendors, and most of them have already shipped substantial mitigation to address the Thunderclap vulnerabilities.

“In macOS 10.12.4 and later, Apple addressed the specific network card vulnerability we used to achieve a root shell,” researchers said. “Recently, Intel has contributed patches to version 5.0 of the Linux kernel.”

“The FreeBSD Project indicated that malicious peripheral devices are not currently within their threat model for security response.”

Though not all software patches can entirely block DMA attacks, users are still advised to install available security updates to reduce the attack surface. According to the researchers, the best way to fully protect yourself is to disable the Thunderbolt ports on your machine, if applicable.

Additionally, researchers also developed a proof-of-concept attacking hardware that can execute the ThunderClap vulnerabilities on targeted systems, but they chose not to release it in public at this time.

Coinhive, a notorious in-browser cryptocurrency mining service popular among cybercriminals, has announced that it will discontinue its services on March 8, 2019.Regular readers of The Hacker News already know how Coinhive’s service helped cyber criminals earn hundreds of thousands of dollars by using computers of millions of people visiting hacked websites.

For a brief recap: In recent years, cybercriminals leveraged every possible web vulnerability [in Drupal, WordPress, and others] to hack thousands of websites and wireless routers, and then modified them to secretly inject Coinhive’s JavaScript-based Monero (XMR) cryptocurrency mining script on web-pages to financially benefit themselves.

Millions of online users who visited those hacked websites immediately had their computers’ processing power hijacked, also known as cryptojacking, to mine cryptocurrency without users’ knowledge, potentially generating profits for cybercriminals in the background.

Now, while explaining the reason to shut down in a note published on its website yesterday, the Coinhive team said mining Monero via internet browsers is no longer “economically viable.”

“The drop in hash rate (over 50%) after the last Monero hard fork hit us hard. So did the ‘crash’ of the cryptocurrency market with the value of XMR depreciating over 85% within a year,” the service said.

“This and the announced hard fork and algorithm update of the Monero network on March 9 has lead us to the conclusion that we need to discontinue Coinhive.”

So users who have an account on Coinhive website with above the minimum payout threshold balance can withdraw funds from their accounts before April 30, 2019.

Though Coinhive was launched as a legitimate service for website administrators to alternative generate more revenue from their websites, its extreme abuse in cyber criminals activities forced tech companies and security tools to label it as “malware” or “malicious tool.”

To prevent cryptojacking by browser extensions that mine digital currencies without users’ knowledge, last year Google also banned all cryptocurrency mining extensions from its Chrome Web Store.

Lockheed Martin and the University of Central Florida (UCF) celebrated the grand opening of a Cyber Innovation Lab on UCF’s campus that will help meet the growing local and national need for cybersecurity talent.

“This lab will serve as the campus’ primary hub for students to develop and expand their information security skills, preparing them to enter this high demand field and take on the cybersecurity threats of the future,” said UCF President Dale Whittaker. “We are grateful for Lockheed Martin’s longtime partnership and strong commitment to our students’ success.”

The National Institute of Standards and Technology estimates there are more than 13,000 unfilled cybersecurity jobs in Florida alone. That trend will continue, as the U.S. Bureau of Labor Statistics predicts jobs for information security analysts will grow 28 percent by 2026.

In 2018, Lockheed Martin donated $1.5 million to UCF to help create the Cyber Innovation Lab and encourage the next-generation of science, technology, engineering and math (STEM) talent to collaborate and solve today’s challenging cyber problems. The company’s donation will fund software and technology support to the lab, and employees will also provide cyber training and professional mentoring to engineering students.

“Having a centralized space will streamline the way we organize our meetings and practices,” said Hack@UCF President David Maria, a senior studying computer engineering.  “With this lab, we can practice for competitions, host workshops and speakers, provide cyber security tools and resources, and give our student members a sense of community and help get them ready for future careers. It’s not just a practice space. It’s a home for us.”

The 970-square-foot lab is located in UCF’s Engineering I building and will serve as a learning hub for the more than 350 students participating in cyber programs at UCF. Hack@UCF, a four-time national champion in competitions like the Collegiate Cyber Defense Competition and the U.S. Department of Energy CyberForce Competition, will also use the lab as its primary practice center.

In Orlando, Lockheed Martin employs approximately 2,500 UCF graduates, with plans to expand its cyber workforce. The company’s local Cyber Solutions business grew 400 percent over the past five years and expects that growth to continue as the nation seeks offensive and defensive cybersecurity capabilities to address the evolving cyber threats.

Aon’s 2019 Cyber Security Risk Report features eight risks that may impact organizations in the next 12 months, no matter where they are on their digital journey.

“In 2018 we witnessed that a proactive approach to cyber preparation and planning paid off for the companies that invested in it, and in 2019, we anticipate the need for advanced planning will only further accelerate,” said J. Hogg, CEO of Cyber Solutions at Aon. “Leaders must work to better insulate their companies and their processes, while simultaneously identifying the ways they can benefit from the opportunities offered through technology and digital transformation.”

Hogg continued: “Our 2019 report also shows that organizations must recognize the need to share threat intelligence across not only their own network but with others as well. While it may seem counter-intuitive when thinking about cybersecurity, collaboration within and across enterprises and industries can keep private data of companies and individuals alike safer. Working together can result in improved efforts to hunt bad actors, while also raising the bar and making all parties more prepared for the inevitable day when a disruption does happen.”

The “What’s Now and What’s Next” report focuses on eight specific risk areas that companies may face in 2019. The risks illustrate how, as organizations transition to a digital-first approach across all transactions, the attack surface of global business expands rapidly and sometimes in unexpected ways. In other words, thanks to the rapid enhancements and constant changes in technology, the number of touch points that cyber criminals can access within a business is growing exponentially.

The eight risks include:

1. Technology – While technology has revolutionized the way organizations today conduct business, broader and wider-spread use of technology also brings vulnerabilities. From publishing to automotive, industries are facing new, evolving services and business models. These new opportunities however, bring with them a radically different set of risks, which organizations will need to anticipate and manage as they continue the digital transformation process.
2. Supply Chain – Two prevailing supply chain trends will heighten cyber risks dramatically in the coming year: one is the rapid expansion of operational data exposed to cyber adversaries, from mobile and edge devices like the Internet of Things (IoT); and the other trend is companies’ growing reliance on third-party—and even fourth-party—vendors and service providers. Both trends present attackers with new openings into supply chains, and require board-level, forward-looking risk management in order to sustain reliable and viable business operations.
3. IoT – IoT devices are everywhere, and every device in a workplace now presents a potential security risk. Many companies don’t securely manage or even inventory all IoT devices that touch their business, which is already resulting in breaches. As time goes on, the number of IoT endpoints will increase dramatically, facilitated by the current worldwide rollouts of cellular IoT and the forthcoming transition to 5G. Effective organizational inventory and monitoring process implementation will be critical for companies in the coming year and beyond.
4. Business Operations – Connectivity to the Internet improves operational tasks dramatically, but increased connectivity also leads to new security vulnerabilities. The attack surface expands greatly as connectivity increases, making it easier for attackers to move laterally across an entire network. Further, operational shortcuts or ineffective backup processes can make the impact of an attack on business operations even more significant. Organizations need to be better aware of, and prepared for, the cyber impact of increased connectivity.
5. Employees – Employees remain one of the most common causes of breaches. Yet employees likely do not even realize the true threat they pose to an entire organization’s cybersecurity. As technology continues to impact every job function, from the CEO to the entry-level intern, it is imperative for organizations to establish a comprehensive approach to mitigate insider risks, including strong data governance, communicating cybersecurity policies throughout the organization, and implementing effective access and data-protection controls.
6. Mergers & Acquisitions (M&A) – Projections anticipate that M&A deal value will top $4 trillion in 2018, which would be the highest in four years. The conundrum this poses to companies acquiring other businesses is that while they may have a flawless approach to cybersecurity enterprise risk, there is no guarantee that their M&A target has the same approach in place. Dealmakers must weave specific cybersecurity strategies into their larger M&A plans if they want to ensure seamless transitions in the future.
7. Regulatory – Increased regulation, laws, rules and standards related to cyber are designed to protect and insulate businesses and their customers. The pace of cyber regulation enforcement increased in 2018, setting the stage for heightened compliance risk in 2019. Regulation and compliance, however, cannot become the sole focus. Firms must balance both new regulations and evolving cyber threats, which will require vigilance on all sides.
8. Board of Directors – Cybersecurity oversight continues to be a point of emphasis for board directors and officers, but recent history has seen an expanding personal risk raising the stakes. Boards must continue to expand their focus and set a strong tone across the company, not only for actions taken after a cyber incident, but also proactive preparation and planning.

Researchers are warning that hackers are exploiting a plug-in vulnerability to infect MSPs and their customers with GandCrab ransomware.

The bug, CVE-2017-18362, dates back to 2017, and is found in unpatched versions of the ConnectWise ManagedITSync integration plug-in tool, explains a Feb. 8 blog post by Chris Bisnett, security researcher at Huntress Labs. This plug-in is designed to sync data between the ConnectWise Manage professional services automation platform and the Kaseya remote monitoring and management system used by some MSPs.

Huntress Labs suspects that this exploit could be the culprit behind an attack reported on the MSP Reddit channel earlier this month. According to the Reddit user post, a mid-sized MSP had been recently attacked with ransomware that locked up 80 of its customers’ endpoints, including servers. “Owner of a company under the mentioned MSP came over to our shop to purchase a ‘clean’ system,” the post reads. “Seems the MSP is negotiating the ransom amount and will pay up.”

The NIST National Vulnerability Database’s entry for CVE-2017-18362 has been updated this month to reflect recent developments. “ConnectWise ManagedITSync integration through 2017 for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database,” the entry states. “In February 2019, attackers have actively exploited this in the wild to download and execute ransomware payloads on all endpoints managed by the VSA server. If the ManagedIT.asmx page is available via the Kaseya VSA web interface, anyone with access to the page is able to run arbitrary SQL queries, both read and write, without authentication”

“In 2017, Connectwise announced a vulnerability in their Plugin that allows multiple operations to be performed on a Kaseya server without authentication. Upon discovery of this flaw, Connectwise released an update intended to patch this vulnerability,” says Connectwise in a security advisory that was last updated around Feb. 10. “Kaseya has detected that an extremely small number of customers either may not have installed the update from Connectwise or may have installed this update incorrectly.”