DDoS, Macros and APIs – three formerly popular means of infiltrating and attacking have been reimagined in ways that is bringing them back in new and even more dangerous forms.
Welcome to Cyber Security Today, for Friday August 5th I’m Jim Love, CIO of ITWC – IT World Canada sitting in for the vacationing Howard Solomon.
A long, detailed and fascinating look at the Distributed Denial of Service (DDos) attacks was published on security firm Kaspersky’s – Secure List blog.
With so much attention devoted to Ransomware and other breaches, DDoS rarely makes the news. But it’s still a potent threat.
A disturbing revelation is that hackers are finding ways to bypass geoblocking, a technique that companies have heavily relied on to thwart DDoS attacks. Attackers are using VPN, proxy servers and increasingly, infected devices in the same region, which makes blocking the attack by geolocation almost useless. The US remains not only the most frequently attacked area but it’s also home to almost half the botnets used world wide.
Kaspersky reports that their DDoS Protection Group repelled two and a half times more attacks than last year. It’s a huge number, but it was only half as many attacks as in the first quarter of 2022. But if there is drop in attacker activity, the overall DDoS situation, in the words of the researchers, “might have deteriorated.”
The number of possible devices that can be infected grows constantly extending from corporate servers to consumer devices.
But it’s the sophistication and power of the attacks that are drawing the most attention. At one time, DDoS attacks were frequently done by hacktivists and lasted a relatively short period of time. In the last quarter, according to Kaspersky, some of these lasted for days and even weeks. One attack lasted 29 days. The level of sophistication required to create and sustain this type of effort is monumental.
The report notes numerous examples of attacks on government services and infrastructure – much of which appears to be related to conflict between Russia and Ukraine. They list a number of attacks on both Russian and Ukrainian sites and infrastructure.
But the attacks have spilled over into all of Europe. For example, the pro-Russian hacktivists Killnet, which first surfaced in January 2022, was reported to be claiming responsibility for DDoS attacks on the websites of various European organizations from April through June. They attacked the Czech government and public transportation websites including rail authority and airports. The hackers targeted Romanian government sites including Border Police, the National Railway Transport Company in May. They attacked German websites, including the German federal parliament, the Bundestag as well as the Federal Police . In Italy, the websites of the senate, the National Health Institute and the Automobile Club d’Italia were also attacked in May.
Another tried and true hacking technique is also being reengineered to bypass safeguards that vendors have adopted. At one point, macros in documents were a popular way of delivering an attack. Macros, as you probably know, are used to automate commands in a variety of programs. When a user opens an attachment, it triggered the macro code which delivered the malicious payload.
In response, Microsoft started blocking macros by default in its Office suite.
The use of macro enabled macros plummeted decreasing by almost 66% according to a blog from Proofpoint, a large international security firm.
But now, threat actors are finding creative ways around Microsoft’s default blocking of macros in its Office suite. They are using using alternative approaches.
To bypass macros blocking, attackers are increasingly use file formats including ISO (.iso), RAR (.rar), ZIP (.zip), and IMG (.img) files to send macro-enabled documents, researchers said. The researchers also note that these will still require the user to give permission for the macro to be executed.
Alternatively, researchers say hackers are using container files as a means of distribution, by adding additional content such as LNKs, DLL’s or executable (.exe) files that run a malicious payload.
According to a post by researchers from the Proofpoint Threat Research Team this represents “one of the largest email threat landscape shifts in recent history.”
Finally, researchers have uncovered a list of 3,207 mobile apps that are exposing Twitter API keys some of which can be utilized to gain unauthorized access to Twitter accounts associated with them according to a report in the Hacker News.
Access to the Twitter API is done by generating secret keys and access tokens, which act as the usernames and passwords for the apps as well as the users on whose behalf the API requests will be made
A leak of legitimate Consumer Key and Consumer Secret information has made it possible to get full authentication credentials from at least 230 of the apps identified.
According to researchers, this can allow a threat actor to take control of someone’s Twitter account and take actions ranging “from reading direct messages to carrying out arbitrary actions such as retweeting, liking and deleting tweets, following any account, removing followers, accessing account settings, and even changing the account profile picture.”
It would even allow a malicious attackers to create a Twitter “bot army” that could be leveraged to hijack communication or spread disinformation on the platform.
That’s Cyber Security Today for Friday, August 5th.
Follow Cyber Security Today where ever you get your podcasts – Apple, Google or other sources. You can also have it delivered to you via your Google or Alexa smart speaker.
Links from today’s podcast will be posted in an article on itworldcanada.com on our podcast page.
I’m Jim Love, CIO of ITWC, publishers of IT World Canada and creators of the ITWC podcasting network. I’m also host of Hashtag Trending, the Weekend Edition where I do an in depth interview on a topics related to information technology, security, data analytics and a host of other topics. If you’ve got some extra time after you’ve listened to Howard’s great weekend interview, check up out at itworldcanada.com podcasts or anywhere you get your podcasts.
Thanks for sharing your week with me – it’s been a pleasure sitting in for Howard – he’s got a great interview for this weekend and he’ll be back on Monday with the morning edition of Cyber Security Today. Til then, stay safe.