Web App Security Firm Netsparker Raises $40 Million
8.3.2018 securityweek IT

Web application scanner company Netsparker announced on Thursday that it has raised $40 million from San Francisco-based growth and private equity firm Turn/River.

Netsparker was founded by Ferruh Mavituna, Peter Edgeler and Mark Lane in London, England in 2009, with Mavituna's working proof-of-concept for a new approach to finding web vulnerabilities without false positives. This involves first locating the vulnerability and then exploiting it to provide proof: it combines the related but different concepts of vulnerability scanning and penetration testing to eliminate false positives. The first commercial version of the product was launched in 2010.

Now with offices in London, Austin TX, and Turkey, Netsparker will use the new funding for further product development, sales growth and new marketing initiatives.

“Netsparker’s solution combines unique Proof-Based Scanning Technology with enterprise workflow tools, making it the only scalable web security solution on the market," comments Mavituna, now CEO at Netsparker. "With overwhelming market demand for this solution in the face of increasing security and compliance regulations, such as Europe’s GDPR, Netsparker aims to become the de facto solution for enterprises that need to secure thousands of web applications at scale.

"Turn/River Capital’s expertise in growing similar companies," he continued, "such as website security platform Sucuri, makes them a perfect match for this market expansion."

"Netsparker’s industry-leading vulnerability detection rates have won over a rapidly expanding, loyal base of thousands of enterprises that trust Netsparker with a mission-critical part of their security," added Dominic Ang, Turn/River Capital's founder and Managing Partner.

In January 2018, test results of independent researcher and analyst Shay Chen's Web Application Vulnerability Scanner Evaluation Project (WAVSEP) were published. "Netsparker was the only scanner that identified all the vulnerabilities and one of two that did not report any false positives," announced Netsparker.


Sophisticated False Flags Planted in Olympic Destroyer Malware
8.3.2018 securityweek
Virus  APT

Hackers Behind Olympic Destroyer Malware Used Sophisticated False Flag to Trick Researchers

CANCUN - KASPERSKY SECURITY ANALYST SUMMIT - The hackers behind the recent Olympic Destroyer attack planted sophisticated false flags inside their malware in an effort to trick researchers, Kaspersky Lab revealed on Thursday.

The Olympic Winter Games in Pyeongchang, South Korea, was hit by a cyberattack that caused temporary disruption to IT systems, including the official Olympics website, display monitors, and Wi-Fi connections. The attack involved Olympic Destroyer, a piece of malware designed to wipe files and make systems inoperable, and steal passwords from browsers and Windows. Compromised credentials are used to spread to other machines on the network.

Kaspersky has also spotted infections at several ski resorts in South Korea. The malware, which leverages a leaked NSA exploit known as EternalRomance to spread via the SMB protocol, temporarily disrupted ski gates and lifts at the affected resorts.

Several cybersecurity firms launched investigations into the Olympic Destroyer attack shortly after the news broke, and while they mostly agreed on the malware’s functionality, they could not agree on who was behind the operation. Some pointed the finger at North Korea, while others blamed China or Russia, leading some industry professionals to warn against this type of knee-jerk attribution.

Kaspersky researchers also analyzed the Olympic Destroyer worm in an effort to determine who was behind the attack. While they have’t been able to identify the culprit, experts have found some interesting clues.

The security firm has found a unique “fingerprint” associated with the notorious Lazarus Group, which has been linked to North Korea and blamed for high profile attacks such as the one on Sony, the WannaCry campaign, and various operations targeting financial organizations.

This fingerprint was a 100% match to known Lazarus malware components and it did not appear in any other files from Kaspersky’s database. While this piece of evidence and the type of attack suggested that Olympic Destroyer could be the work of North Korea, other data gathered by researchers as a result of an on-site investigation at a South Korean target revealed inconsistencies.

Experts determined that the unique fingerprint was likely a sophisticated false flag planted by the attackers to throw investigators off track.

“To our knowledge, the evidence we were able to find was not previously used for attribution. Yet the attackers decided to use it, predicting that someone would find it. They counted on the fact that forgery of this artifact is very hard to prove,” explained Vitaly Kamluk, head of the APAC research team at Kaspersky. “It’s as if a criminal had stolen someone else’s DNA and left it at a crime scene instead of their own. We discovered and proved that the DNA found on the crime scene was dropped there on purpose. All this demonstrates how much effort attackers are willing to spend in order to stay unidentified for as long as possible. We’ve always said that attribution in cyberspace is very hard as lots of things can be faked, and Olympic Destroyer is a pretty precise illustration of this.”

In addition to this apparent link to North Korea, Kaspersky has found evidence that would suggest the involvement of the notorious group known as Sofacy, Fancy Bear, APT28 and Pawn Storm, which is widely believed to be sponsored by the Russian government.

One possible scenario is that the Russian hackers attempted to frame Lazarus for the attack after the North Korean group tried to pin one of its campaigns on Russian actors. It’s also possible that the false flag used in the Olympics attack is part of the hackers’ efforts to improve their deception techniques.

Links to China have been found by Intezer, which specializes in recognizing code reuse. Its analysis led to the discovery of numerous code fragments uniquely linked to threat groups tracked as APT3, APT10 and APT12.


CCleaner Incident Investigation Reveals Possible Stage 3 Payload
8.3.2018 securityweek Incindent

CANCUN - KASPERSKY SECURITY ANALYST SUMMIT - The investigation into the September 2017 CCleaner incident has revealed what appears to be a stage three payload that attackers supposedly intended to deliver to infected users.

The attack was disclosed on September 18, when security firm Avast revealed that 2.27 million users worldwide had downloaded an infected CCleaner installation file between August 15 and September 12. Hackers had added a backdoor to the 32-bit CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 releases, Avast revealed.

What led to this was the compromise of the distribution servers of Piriform, the company developing CCleaner, in the months before Avast purchased the software firm. The code in the modified installers could collect non-sensitive information from the infected machines, and could also deliver a second stage binary.

This revealed that the incident was in fact a highly targeted attack, as the second-stage payload was delivered to only 40 computers out of the millions that downloaded stage one. While no stage three binary was found on the affected systems, Avast now says that the attackers, the Chinese hacking group Axiom (also known as APT17 or DeputyDog), apparently had plans to deliver such malware as well.

During its investigation of the Piriform infrastructure, the security firm discovered not only stage one and stage two binaries on the network, but also evidence of a third stage on four computers. Dubbed ShadowPad, this is a specialized tool that provides cybercriminals with remote control capabilities.

In an August 2017 report, Kaspersky revealed that the ShadowPad backdoor was found in NetSarang’s products, which are used by hundreds of companies in the financial, software, media, energy, electronics, insurance, industrial, construction, manufacturing, retail, telecoms, pharmaceutical, and transportation sectors.

“The tool was installed on the four Piriform computers on April 13h, 2017, while the preliminary version of the second stage had been installed on the computers March 12th, 2017,” Avast says.

The command and control (C&C) server the older second stage variant was attempting to connect to was no longer up during the investigation and the researchers don’t know exactly what it was supposed to download. However, given the timeline of events, they assume that it “had downloaded and installed ShadowPad on the four Piriform computers.”

The fact that ShadowPad is believed to have been developed by the Axiom group, the same actor behind the CCleaner attack, is also a strong indicator that this malware was intended to become the third stage payload, Avast says.

The ShadowPad version used in the attack was custom-built, leading investigators to suspect it was explicitly created for Piriform.

The security firm also discovered ShadowPad log files containing encrypted key strokes from a keylogger that became active on the infected machines on March 12, 2017. Other tools were also installed on the four computers, including a password stealer, along with tools that could install more software and plugins on the infected machines.

“While ShadowPad was installed on the Piriform network itself and, as far as we can tell through our investigations today, not on any of the CCleaner customers’ computers, we believe that this tool was the intended third stage for the CCleaner customers,” Avast says.

The second-stage malware deployed to only 40 computers of the millions that downloaded the infected CCleaner versions, but Avast couldn’t determine whether the third stage payload was meant for all of them or only a few, if any.


Cortana Can Expose Enterprises to Attacks, Researchers Warn
8.3.2018 securityweek
Attack

Malicious actors may be able to abuse voice-based virtual assistants to hack into enterprise systems and researchers proved it through an attack that targets Microsoft Cortana.

Independent researchers Amichai Shulman, former CTO and co-founder of Imperva, and Tal Be’ery, former VP of research at Microsoft-acquired security firm Aorato, have found a way to conduct an evil maid attack that abuses the Cortana voice assistant to install malware onto a locked computer. The researchers are detailing their findings on Friday at Kaspersky Lab’s Security Analyst Summit (SAS) in Cancun, Mexico.

In Windows 10, if default settings are not changed, any user can interact with Cortana by saying “Hey Cortana,” and it works even if the device is locked.

Shulman and Be’ery explained that when the device is locked, the screen is locked and the keyboard cannot be used to control applications, but apps can still run in the background.

In an attack scenario they described, an evil maid (i.e. a hacker who has physical access to the targeted machine) can install malware on a locked device by telling Cortana to access a website, intercepting traffic to that site using a device attached to the PC, and injecting malicious code into the connection.

One of the voice commands accepted by Cortana from the lock screen is “go to [website domain].” If the user tells Cortana to access any site, Windows launches a browser process and sends a query for the domain name to Bing. In the case of “privileged” websites, such as cnn.com, Windows would launch a browser process and navigate to the site directly. After being notified by the researchers of the potential for abuse, Microsoft has decided to make some changes and no longer allow direct browsing from a locked machine.

The first step in the attack scenario described by Shulman and Be’ery involves plugging in a rogue USB network card or network cable into the targeted machine. The attacker then instructs Cortana to access a privileged website that does not use a secure HTTPS connection (e.g. cnn.com).

Since the connection is not protected, the hacker’s network card can be used to conduct a man-in-the-middle (MitM) attack and replace normal traffic with malicious code, such as a web browser exploit designed to deliver a piece of malware. The malware then provides a remote backdoor to the compromised system.


If the attacker already had access to a system, they could have conducted a remote attack where a piece of malware played an audio file that instructed Cortana to navigate to an arbitrary website. This could have been used to hack other devices on the targeted enterprise network.

“The attacker uses the infected computer speakers to send the Cortana commands as before (plays ‘Go to CNN.com'). The attacker gets network access to the next victim computer (the equivalent of the network cable USB network card) through a known network attack (e.g. ARP poisoning) and replaces the content of cnn.com with malicious content,” Be’ery told SecurityWeek.

Microsoft made some server-side changes in August 2017 in order to prevent abuse, but Shulman and Be’ery believe there could be other Cortana commands that can be leveraged for similar attacks, and noted that the research can be extended to other voice assistants, such as Apple’s Siri.

As part of their research, the experts also developed a tool, named Newspeak, that acts as a proxy for communications between Cortana and Microsoft servers.

“The Newspeak tool enables its user to monitor Cortana requests (user says ‘go to cnn.com' and Cortana cloud sends that interpreted text back) and results (Cortana cloud commands the Cortana client to perform the action of ‘browse to cnn.com') and therefore create an audit log of Cortana. It can be used to detect malicious and abnormal usage and block/alert,” Be’ery explained.

“Another use of the Newspeak tool can be to alter the commands for fun/malicious purposes (user request cnn, let's give him fox news), or for defensive use cases (instead of going to the HTTP version of CNN go to the HTTPS version),” he added.

The researchers told SecurityWeek that they will make the Newspeak tool available at some point.

 


Smoke Loader Backdoor Gets Anti-Analysis Improvements
8.3.2018 securityweek
Virus

The infamous Smoke Loader backdoor now has more complex anti-analysis techniques that allow it to remain a potent malware delivery mechanism, PhishLabs security researchers warn.

Also known as Dofoil, Smoke Loader has been advertised on dark web forums since at least mid-2011. Packing a modular design, the malware can receive secondary execution instructions and/or download additional functional modules. Lately, the loader has been used in the distribution of malware such as the TrickBot banking Trojan and GlobeImposter ransomware.

The Smoke Loader installer, the security researchers explain, spawns an EnumTools thread to detect and evade analysis tools, and uses an API to enumerate running analysis utilities. The malware checks for twelve analysis processes via a hash-based method, and terminates itself if one is found running. As part of an anti-VM check, it also queries the name and the volume information of the infected machine, along with a registry key.

“There are two main paths of execution in Smoke Loader, the installer and the loader. The installer path runs prior to spawning and injects into a new instance of a Windows Explorer process. Post injection, the loader runs and executes the core functionality of the module. Before injection occurs, Smoke Loader performs several checks to determine information about the system on which it is running,” PhishLabs says.

Smoke Loader was observed leveraging the VirtualProtect API call to change the protection of the allocated memory region, the security researchers reveal. Toward the end of the loader execution path, the malware also checks whether injection should occur, and execution continues if injection has not yet been performed.

The malware was observed performing networking checks to ensure the loader has Internet access (it can generate fake traffic for that). The security researchers also noticed that, unlike previous versions, the latest Smoke Loader variant uses a custom XOR-based algorithm to decode strings within the sample. Previously, the strings weren’t encoded.

“While Smoke Loader’s distribution is not as wide spread as other malware families, it is under continued development and very effective at what it does. The loader’s longevity indicates that the developers are committed to persistence and protection of their loader from the latest analysis techniques. Even though it dates back to 2011, the loader has undergone several transformations that allow it to continue to be a potent malware delivery mechanism in 2017,” PhishLabs concludes.


Group-IB supported law enforcement in dismantling Ukrainian DDoS crime gang
8.3.2018 securityaffairs
Attack

Ukrainian Police supported by security firm Group-IB and other security firms dismantled a DDoS crime gang that blackmailed numerous companies worldwide.
Another example of successful collaboration between law enforcement agencies and security firms in the fight against cybercrime, the case sees Ukrainian Police supported by security firm Group-IB and other security firms dismantling a DDoS crime gang that had been launching distributed denial-of-service (DDoS) attacks with extorsive intents against companies for over two years.
“The investigation department of Group-IB, an international company focused on cyber-attack prevention and data security products development, has helped to suppress the criminal activity of an organized group that had been involved in launching DDoS attacks and extortion for over two years.” reads the announcement published by Group-IB.
The investigation started in September 2015, after the group launched a DDoS attack on international online dating service AnastasiaDate demanding $10,000 for stopping the assault. The site of the company was taken down for hours.

“Other attacks targeted online stores, payment systems, as well as websites offering betting, lottery and gaming services.” continues Group-IB.

“In particular, the victims of the Ukrainian fraudsters included Stafford Associated, an American company leasing data center and hosting facilities, and PayOnline online payment service. The average ransom amount demanded by the criminals ranged from $1,000 to $10,000.”
The cybersecurity experts at Group-IB identified the attackers and linked the group to another attack powered by two Ukrainian individuals, Gayk Grishkyan and Inna Yatsenko. According to the investigators the duo had also previously targeted American leasing company Stafford Associated and the PayOnline payment service.

The two suspects later contacted the online dating service to demand ransom and threaten new DDoS attacks.

“In March 2017, the hackers’ apartments and offices were searched, and their computers and mobile phones confiscated. The forensic analysis that the data stored on the confiscated devices constituted an irrefutable evidence of Yatsenko and Grishkyan’s involvement in the extortion cases of 2015 and 2016.” concluded the announcement.

Now a court pleaded guilty to the crimes the two members of the DDoS crime gang and sentenced them to a five-year conditional sentence.

“We are satisfied with the successful outcome of the prosecution and the blow we have struck against cybercrime in Ukraine. The collaboration with our security partners has guaranteed the integrity of our services and helped reinforce our defenses for the future.” said AnastasiaDate’s US-based director, Lewis Ferro.

“It has been of the utmost importance to our international partners. It is another example of AnastasiaDate’s trustworthiness and diligence when it comes to member security, tackling fraud, and preventing criminal activity.”


Hardcoded password and Java deserialization flaws found in Cisco products
8.3.2018 securityaffairs
Vulnerebility

The set of security updates recently released by Cisco also includes two advisories for critical vulnerabilities, a hardcoded password, and a Java deserialization flaw.
The lasters set of security updates released by Cisco also includes two advisories for critical vulnerabilities.

The first issue is a hardcoded password, tracked as CVE-2018-0141, that affects Cisco’s Prime Collaboration Provisioning (PCP) and that can be exploited by local attackers to gain full control over a vulnerable equipment.

The Cisco’s Prime Collaboration Provisioning application allows admins to remotely install and maintain Cisco voice and video solutions.

A local attacker just has to connect to the affected system via Secure Shell (SSH) using the hardcoded password, the

“A vulnerability in Cisco Prime Collaboration Provisioning (PCP) Software could allow an unauthenticated, local attacker to log in to the underlying Linux operating system.” reads the security advisory published by CISCO.

“The vulnerability is due to a hard-coded account password on the system. An attacker could exploit this vulnerability by connecting to the affected system via Secure Shell (SSH) using the hard-coded credentials. “

The hardcoded password can grant to a local attacker the access to a low-privileged user account, but chaining the vulnerability with other issues there is the risk that the attacker would elevate privileges to root.

The vulnerability has received a Common Vulnerability Scoring System (CVSS) Base score of 5.9, a score normally assigned to medium-severity flaws.

“Although this vulnerability has a Common Vulnerability Scoring System (CVSS) Base score of 5.9, which is normally assigned a Security Impact Rating (SIR) of Medium, there are extenuating circumstances that allow an attacker to elevate privileges to root. For these reasons, the SIR has been set to Critical.” continues Cisco.

Currently, there are no workarounds to address the vulnerability in PCP software, but Cisco has already released patches.

The second critical vulnerability, tracked as CVE-2018-0147, is a Java deserialization flaw that affects Cisco Access Control System (ACS) that can be exploited by an unauthenticated, remote attacker to execute arbitrary commands with root privileges on an affected device.

“A vulnerability in Java deserialization used by Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device.” reads the security advisory.

“The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a crafted serialized Java object. An exploit could allow the attacker to execute arbitrary commands on the device with root privileges.”

Cisco has released software updates to fix the flaw.


Exploiting the User PII Held in Everyone's Web Browser
7.3.2018 securityweek 
Exploit

Browsers are the single most used application today. Everyone uses at least one browser, whether in the office or at home. But not everyone realizes just how much personal data is left hanging around inside their browsers; nor how easy it is for third-parties to extract it.

Ryan Benson, formerly a forensic analyst with both Mandiant and Stroz Friedberg and now senior threat researcher at San Mateo, CA-based Exabeam, decided to examine just how much data is available, and how readily it can be harvested.

Benson used a modified version of OpenWPM (a web privacy measurement framework) and Firefox to visit the Alexa Top 1000 websites, navigating to three links on each site to simulate normal user browsing. The purpose here was to look for evidence of device identification and geolocation — and Benson found evidence that 56 websites recorded geolocation details, and 56 websites recorded the user's IP address.

The second phase of the research involved interaction with websites. “In order to do this,” writes Benson in a blog account of the research, “we needed to create accounts on these sites, log in, perform a relevant action (e.g., send an email on a webmail server, view a document on a cloud storage platform, etc.), and see what traces could be found.”

The services chosen were typical of normal Internet usage — Google, Youtube, Facebook, Reddit, Amazon, Twitter, Live and so on — and did not seek to reflect any more exotic use of the Web. The results here become more interesting, because traces of the interactions were left within the browser. These include the browsing history (where and when different sites are visited), email addresses, search queries, and files viewed and downloaded.

This provides a rich source for both user identification and profiling that could be leveraged for targeted spear-phishing for more secure and confidential company accounts.

The picture gets worse with the details held by the browser for automatic form completion, and the passwords held in the browser's internal password manager. Both of these services offer huge productivity gains for the user; but huge PII value for the attacker.

The password manager stores passwords in encrypted form; but they are automatically decrypted for use, and can be easily accessed by software — such as the free NirSoft tool that dumps saved passwords — and various malwares. “The recent ‘Olympic Destroyer’ malware used to disrupt the Pyeongchang Olympic Games,” writes Benson, “reportedly took advantage of user credentials saved in the browser.”

The available data, unless direct action is taken to exclude it from the browser, can include passwords (including email passwords), location history, user interests, employer and company position, and device details.

All of this data is easily available to any attacker that has access — physical or virtual — to any desktop, laptop or mobile device that uses a browser. Anti-malware controls cannot prevent all malware, while malware detection systems often look for signs of large scale data exfiltration. It is easy to picture stealthy malware getting through defenses and lying almost totally dormant, just extracting small amounts of data from the user's browser.

A physical attack, using the evil maid scenario, is even simpler. “If a machine is unlocked,” warns Benson, “extracting browser data for analysis could be done in seconds with the insertion of a USB drive running specialized software or click of a web link to insert malware.”

Benson describes the data held by the browser as the user's 'web dossier,’ and describes ways in which it could be exploited; often by inferring extensions to the data discovered. “Criminals can learn who in a company has access to the financial or payroll application,” he warns, “and compile a list of usernames to use to break in.” Details surmised from the browsing history can help craft compelling phishing emails targeted at senior personnel, or designed to persuade users to reset company account passwords which can then be harvested.

The best way to prevent web dossier details being harvested by attackers is to exclude them from the browser. Methods could include increased use of the browser's incognito mode, which excludes session details from being saved and potentially exploited. The internal password manager should be abandoned and replaced by third-party separate managers.

In reality, even locking down the browser and using incognito browsing, will not prevent all access to personal data — much of it will still be available to ISPs. In some countries, such as the UK, this data can be accessed by a range of law enforcement and government offices. In other countries, including the U.S., third parties can buy this data from the ISPs.

The solution here depends upon both personal and company risk appetites. “If this is a concern,” Benson told SecurityWeek, “the solution is to use a VPN. Not only will the ISP not know where you are going, the website visited won't even know what country you come from.”

Exabeam raised $10 million in a Series A funding round led by Norwest Venture Partners, with participation from Aspect Ventures and angel investor Shlomo Kramer, in June 2014. This was followed by a further $25 million Series B in 2015, and $30 million Series C in 2017.


Memcached DDoS Attack 'Kill Switch' Found
7.3.2018 securityweek 
Attack

Corero Network Security says they have discovered a “kill switch” to counteract the Memcached vulnerability that recently fueled some of the largest distributed denial-of-service (DDoS) attacks in history.

The company says it has disclosed the kill switch to national security agencies and also claims that the issue is more extensive than originally believed: an attacker exploiting it can also steal or modify data from vulnerable Memcached servers.

Memcached is a free and open source memory caching system that can work with a large number of open connections. Memcached servers allow connections via TCP or UDP on port 11211, with access requiring no authentication, which is why the system wasn’t designed to be accessible from the Internet.

In late February, however, web protection companies warned that the protocol can be abused for DDoS amplification, after the first attacks using it started to emerge. Within days, record-setting 1.3Tbps and 1.7Tbs DDoS attacks were observed.

“The exploit works by allowing attackers to generate spoof requests and amplify DDoS attacks by up to 50,000 times to create an unprecedented flood of attack traffic,” Corero explains.

With over 95,000 servers worldwide allowing connections on TCP or UDP port 11211 from the Internet, the potential for abuse by attackers is significant.

In fact, Corero claims that vulnerable Memcached servers can also be coaxed into divulging data cached from the local network or host, including confidential database records, website customer information, emails, API data, Hadoop information and more.

With no authentication required, an attacker can issue a simple debug command to retrieve the data. What’s more, the weakness can also be exploited to maliciously “modify the data and reinsert it into the cache,” the security company says.

The ‘kill switch’ that Corero has discovered would send a command back to an attacking server to suppress the DDoS exploitation. The countermeasure, the company explains, invalidates a vulnerable server’s cache, meaning that any potentially malicious payload that attackers might have planted will become useless.

The security firm claims it has tested the countermeasure quench packet on live attacking servers and that it proved fully effective, without causing collateral damage.

“Ironically, the Memcached utility was intended to cache frequently-used web pages and data to boost legitimate performance. But this utility has now been weaponized to exploit its performance boosting potential for illegitimate purposes,” Ashley Stephenson, CEO at Corero Network Security, commented.

The root cause of the problem, of course, is the poor security practices when setting up Memcached servers. Exposing them to the Internet is like leaving the front door open and expecting burglars not to barge in.

In a blog post last week, DigitalOcean pointed out that one option to mitigate attacks is “to bind Memcached to a local interface, disable UDP, and protect your server with conventional network security best practices.”

According to Victor Gevers, chairman of the GDI Foundation, upgrading or firewalling vulnerable Memcached servers on port 11211 should also prevent attacks.

Poorly secured Memcached servers don’t represent a new problem and many security experts, Gevers included, have long issued warnings in this regard. And while the problem might have been ignored until now, it becomes imperative to address it, as proof-of-concept (PoC) code for Memcached-based DDoS attacks has already been published online.

One of them, supposedly released for “educational and/or testing purposes only,” ended up on Pastebin, along with a list of around 17,000 hosts that can be abused for amplification. Another is a Python script that can leverage Shodan to scan for IPs of vulnerable Memcached servers.


Corero Network discovered a Kill Switch for Memcached DDoS attacks
7.3.2018 securityaffairs
Attack

Corero network security discovers a “kill switch” for memcached DDoS attacks and also reveals memcached exploit can be used to steal or corrupt data
Memcached DDoS attacks made the headlines due to the magnitude observed in recent offensives. While two PoC exploits for Memcached DDoS attacks have been released online, experts at security firm Corero Network announced they have discovered a ‘kill switch’ to address the Memcached vulnerability.

The firm revealed that the exploitation of the issue in Memcached servers could also allow attackers to modify or steal data from (i.e. including confidential database records, website customer information, emails, API data, Hadoop information and more.).

The most interesting discovery made by the researchers is the kill switch, the company reported it to national security agencies.

We first read about memcached DDoS attacks when on February 28, 2018, the code hosting website GitHub was hit by the largest-ever DDoS attack that peaked at 1.3Tbps.

Memcached is a free and open source, high-performance, distributed memory caching system designed to speed up dynamic web applications by alleviating database load.

Clients communicate with memcached servers via TCP or UDP on port 11211.

The abuse of memcached servers in DDoS Attacks is quite simple, the attacker sends a request to the targeted server on port 11211 spoofing the IP address of the victim. In a memcached DDoS attack, the request sent to the server is composed of a few bytes, while the response can be tens of thousands of times bigger, resulting in an amplification attack.

Experts at Cloudflare dubbed this type of attack Memcrashed, according to the researcher the amplification technique could allow attackers to obtain an amplification factor of 51,200.

Arbor Networks reported that earlier this month a US service provider suffered a 1.7 Tbps memcached DDoS attack.

Memcached DDoS attacks

“Corero Network Security has today disclosed the existence of a practical “kill switch” countermeasure for the Memcached vulnerability, responsible for some of the largest DDoS attacks ever recorded, to national security agencies.” reads the announcement published by Corero Network Security.

“At the same time, the company has revealed that the vulnerability is more extensive than originally reported – and can also be used by attackers to steal or modify data from the vulnerable Memcached servers.”

According to the experts, there are currently over 95,000 servers worldwide allowing connections on TCP or UDP port 11211 from the internet, an army of machines that could be involved in memcached DDoS attacks.

“Ironically, the Memcached utility was intended to cache frequently-used web pages and data to boost legitimate performance. But this utility has now been weaponized to exploit its performance boosting potential for illegitimate purposes.” said Ashley Stephenson.

With over 95,000 servers worldwide allowing connections on TCP or UDP port 11211 from the Internet, the potential for abuse by attackers is significant.

Corero researchers pointed out that the Memcached protocol was designed to be used without logins or passwords, the attacker can trigger the vulnerability to “modify the data and reinsert it into the cache.”

The “flush_all” countermeasure invalidates a vulnerable servers’ cache, including the large, potentially malicious payload planted there by attackers, it is effective in any attack scenario.

The ‘kill switch’ discovered by Corero would allow sending a command back to an attacking server to halt the DDoS attack, no side effects have been observed.

“This week, Corero discovered an effective ‘kill switch’ to the Memcached vulnerability that sends a command back to an attacking server to suppress the current DDoS exploitation.” continues the Corero.

“The “flush_all” countermeasure has been disclosed to national security agencies for action. It invalidates a vulnerable servers’ cache, including the large, potentially malicious payload planted there by attackers. The countermeasure quench packet has been tested on live attacking servers and appears to be 100% effective. It has not been observed to cause any collateral damage.”

Cloudflare recommends disabling UDP support unless it’s needed and isolating memcached servers from the Internet. Internet service providers have to fix vulnerable protocols and prevent IP spoofing.

The popular expert Victor Gevers, chairman of the GDI Foundation, highlighted that firewalling flawed Memcached servers on port 11211 should repel the attacks.


Victor Gevers
@0xDUDE
Although there were 107,431 Memcached servers in Shodan this morning. The population Memcached is slowly but steadily shrinking. Servers which where vulnerable this morning are now closed 8 hours later. We still have a long way to go but progress is being made. 👍

11:39 PM - Mar 7, 2018 · The Hague, The Netherlands