Netizen Cybersecurity Bulletin: 29 August 2018 Edition

In this issue:

In this week’s issue, you’ll find information regarding the most current critical threats and preventative measures to lessen the chances of a breach.

  • DoS Attack Vectors
  • Unpatched Windows Zero-Day Released
  • Attackers Continue to Phish
  • Bonus: How Not to Manage Passwords
  • How can Netizen Help?

DoS Attack Vectors

Denial of Service attacks (DoS) are a type of attack in which a hacker/threat actor wants to make a machine, network resource, or service unavailable those that use them. these interruptions can be just a temporary annoyance, or more severely, a permanent reality to internet connected devices. Almost all DoS attacks target infrastructure services as opposed to application services. Denial of Service can take shape in many different ways: volumetric flooding, processing consumption, and RANGE attacks.

Volumetric Flooding: Attackers can overwhelm applications by flooding them with repeated HTTP/HTTPS requests. In order to achieve this goal an attacker would need to drum up a high enough level of traffic to target a victim with; this is usually done using bots in a botnet or what is known as a “booter service” which is basically DoS attack capabilities on demand.

Processing Consumption: Attackers can also attack a target’s Central Processing Unit (CPU) and Random Access Memory (RAM) allocations on and Application Programming Interface (API) server instead of the usual method of attacking network bandwidth. For each web request made, like that of JSON requests, the API has to allot a certain amount of CPU/RAM  for processing of which there are limits on concurrent availability. Hash collisions are a popular method of attack for processing consumption.

RANGE Attacks: Attackers can use and abuse ability to quickly access data for bulk extractions of information. Web scraping campaigns, in which attackers “scrape” for information, can cause a real problem for websites and create denial-of-service conditions. With RANGE attacks, a submitted web request includes a range of data do be extracted. Setting an egregious range can prove overwhelming for a system.

Recommendations:

Denial-of-Service attacks are a common issue and is used avidly by threat actors want to disrupt or completely cut off service. We recommend the following to the above listed attacks:

  • Network Controls – this allows for blacklisting of IP addresses and CIDR ranges
  • Rate Controls – which is specific to volumetric flooding attacks as the KSD customer can specify different criteria for thresholds.
  • Slow Posts – Kona Site Defender (KSD) has protections against attacks that try to consume application resources by opening an HTTP connection and then sending data very slowly.
  • DoS Risk Group – many web DoS tools and scripts have tell-tale fingerprints and be easily identified and blocked using WAF protections.
  • Set a max limit on requests to web pages  (JSON, HTTP, etc.)

Unpatched Windows Zero-Day Released

Recently a security researcher has publicly disclosed a previously unknown zero-day vulnerability in Microsoft Windows operating systems that allows a user or malicious program to obtain administrator privileges on a targeted computer. The flaw has been confirmed working on fully-patched Windows 10 systems and is currently unaddressed by Microsoft at this time. The vulnerability leverages a Windows protocol called Advanced Local Procedure Call (ALPC) in order to obtain privilege escalation via the Windows task scheduler program.

This zero-day was released via Twitter by a user who posted a link to a Github page that provided a proof-of-concept exploit to allow the privilege escalation vulnerability. The vulnerability has been verified by several other security researchers as well. Since Microsoft was not notified of this vulnerability, all Windows users are vulnerable to this exploit until a security patch is created and released by Microsoft.

Recommendations:

Until this vulnerability is patched by Microsoft, it’s recommended to maintain an increased security posture in regards to scrutinizing suspicious email attachments or websites. Also, it’s recommended to pay particular attention to Windows event logs looking for unexpected privilege escalations.

Attackers Continue to Phish

Phishing continues to be a problem for all businesses and users. Netizen, itself, has seen the increased activity of emails purporting to contain Microsoft Office login screens.  MS Office is frequently used in these attacks, as it is one of the most popular suites in use, which increases the chances of the crooks gaining legitimate login credentials.

Phish emails often try to scare the user.   This is one of the examples that arrived at our office this week:

phishingcharlie

Other attempts sound too good to be true, sometimes suggesting an embedded link will lead to payroll information.

Everyone should be cautious when clicking on links in emails, and to contact their managers or IT department if they have concerns regarding their account deactivation.

Bonus: How Not to Manage Passwords

lockcharlie

How can Netizen help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.  We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is an ISO 27001:2013 (Information Security Management) certified company.

ISO

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s