norm. threat bulletin: 08th December 2022

DDoS trends and mitigation considerations

Distributed Denial of Service (DDoS) attacks remain a popular topic within IT security, with some reports stating that they are responsible for 1/3 of all downtime incidents. As such, norm. were interested to see NetScout, a vendor specialising in DDoS protections, recently release their 2022 Threat Report which covers some interesting attack trends that they have seen against their devices.

DDoS and trends

All DDoS attacks fall into 4 broad categories.

According to NetScout, volumetric attacks such as reflection/amplification attacks used to be the most common method of attacking specific hosts. However, now TCP State-Exhaustion attacks are responsible for 69% of single-target attacks.

That said, when targeting ranges of devices (carpet bombing), it is usually via the standard UDP flooding attacks. Compounding this is an increase in the number of incidents involving multiple different attack vectors simultaneously. This was attributed to the ease of access to effective DDoS services, which allow an attacker to perform a highly agile DDoS attack over 24 hours for $45 on average.

Upon reading the report, it was especially interesting to learn of two things. Firstly, 90% of attacks last less than an hour and secondly, 75% of attacks are less than 1 Gbps. Compared to historical values, these are staggeringly small and illustrates the improved precision of attacker techniques.

Important points

The trends discussed above highlight three important points:

1. Most DDoS attacks are concluded before a manual response can occur.
2. Traditional volumetric attacks are increasingly infrequent, with attackers relying more on attack vectors with much lower throughput. This means that simple threshold rules on edge devices become less effective and more prone to false positives.
3. DDoS services are becoming so cheap and effective, that the risk of being attacked is increasing.

Next steps

As ever, automation is a key ingredient. If attack patterns can be mitigated at the point of detection, DDoS attacks can be prevented from causing impact. This automation usually comes in the form of a stateless appliance or service that sits in front of the edge devices. Firewalls are not ideally suited for this role as they themselves are susceptible to TCP-State attacks and have other resource intensive tasks to manage. However, for an SMB this can be a very expensive option.

As an alternative or a supplement to this, norm. would highly recommend liaising with your ISP or MSP to understand what protections they have in place. They may already be mitigating some of the risk and are equally incentivised to reduce the amount of DDoS traffic running through their networks.

There are also some preparatory steps you can take to reduce the efficacy of DDoS attacks. Border Gateway Protocol (BGP) Flowspec rules on edge routers can massively reduce the risk of Volumetric attacks if properly configured. While they are not as common, they are still seen as part of the attack suit and are still relevant when protecting subnets from carpet bomb attacks.

Additionally, implementing rate limiting technologies can help reduce the number of malicious packets getting to your applications without being too interruptive for end users.

Finally, it is important to consider what the real term impacts of a successful DDoS are. Is your vulnerable infrastructure and application stack scalable enough to suffer an attack without impact? If these components do go down, do they gracefully fail such that attackers cannot gain additional capabilities on the network?  

For these types of questions, it is worth considering the potential benefits of penetration testing services, such as those offered by providers like norm.

References

Understanding DDoS: What is a DDoS Attack? – Digital Attack Map

Netscout Threat Report: DDoS Attack Vector Innovation | NETSCOUT DDoS Threat Report

NCSC Guidance: Preparing for DoS Attacks (ncsc.gov.uk)

Advice regarding ISPs: 4 Reasons to talk to your ISP about DDoS Protection | Corero Blog

Flowspec Configuration: IP Routing: BGP Configuration Guide – BGP FlowSpec Route-reflector Support [Cisco ASR 1000 Series Aggregation Services Routers] – Cisco

Rate Limiting: What is rate limiting? | Rate limiting and bots | Cloudflare

DDoS Black Market Pricing: Dark web price of malware/DDOS attacks 2022 | Statista

DDoS as a Diversion: A DDoS attack is often used as a smokescreen for a cyber-attack – Infosecurity Magazine (infosecurity-magazine.com)

LastPass breaches

There have been two reported breaches this year for popular password manager LastPass. In August this year, LastPass identified unusual activity within its development environment which, after investigation, was concluded to be a malicious actor. The extent of this attack was fortunately limited, no customer data or password vaults were accessed, the attacker did however have access to portions of source code and other propriety technical information.

Following on from this, LastPass has posted a new report that they have suffered another breach on 30^th November. They have reported the attack was made possible using data obtained in their initial breach this year.

From their report Karim Toubba, LastPass’s Chief Executive, has said that “an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.”

As of their last update (30/11/2022) there is still not a full understanding of the scope of breach nor knowledge of exactly what data has been compromised. Toubba did not say what specific customer information was taken, but said it was working to “understand the scope of the incident and identify what specific information has been accessed.”

Based off of LastPass’s claim there should be no risk to password data due to their encryption. This however is a story in progress and is too soon to give definitive conclusions and judgements.

As this story updates we will report back with its conclusion and potential risks.

These cases are good examples for ensuring MFA is established on all accounts, especially privileged ones. Whilst LastPass has claimed no password breaches have occurred the investigation has not concluded, and breaches occur to even the strongest of systems. Reliance on a single point of failure will inevitably fail and a secondary factor is essential to defend against this.

Further reading:

Notice of Recent Security Incident

LastPass Hacked for the Second Time in Six Months

LastPass’ latest data breach exposed some customer information

Microsoft report on attackers’ increasing use of token theft

As organisations increase their coverage of multifactor authentication (MFA), threat actors have begun to move to more sophisticated techniques to allow them to compromise corporate resources without needing to satisfy MFA.

The Microsoft Detection and Response Team (DART) has published a report which describes the increased use of token compromise and replay, to an identity that has already carried out MFA. This effectively ‘bypasses’ the MFA step, making it easier to conduct an attack. This poses to be a concerning tactic for defenders because the expertise needed to compromise a token is very low, is hard to detect, and few organisations have token theft mitigations in their incident response plan.

Because of this increase, an increase in adversary-in-the-middle techniques to steal tokens rather than passwords has been observed.

In the new world of hybrid work, users may be accessing corporate resources from personally owned or unmanaged devices which increases the risk of token theft occurring. These unmanaged devices likely have weaker security controls than those that are managed by organisations, and most importantly, are not visible to corporate IT. Users on these devices may be signed into both personal websites and corporate applications at the same time, allowing attackers to compromise tokens belonging to both.

As far as mitigations go, publicly available open-source tools for exploiting token theft already exist, and commodity credential theft malware has already been adapted to include this technique in their arsenal. Organisations can take a significant step towards reducing the risk of token theft by ensuring that they have full visibility of where and how their users are authenticating. To access critical applications like Exchange Online or SharePoint, the device used should be known by the organisation. Microsoft emphasises the continued importance of MFA, which can still prevent the majority of attacks.

Although tactics from threat actors are constantly evolving, it is important to note that multifactor authentication, when combined with products provided by norm. such as our Endpoint Protection and Response tool, our Vulnerability Management and Patching platform, along with basic security principles such as applying least privilege principals, and protecting data—still protects against 98% of all attacks.

References:

Microsoft Digital Defense Report 2022

Token tactics: How to prevent, detect, and respond to cloud token theft

Multi-factor authentication for online services

Android Malware apps

A series of apps have been found on the Google Play store, which culminated in over two million downloads, containing malware. This activity was identified at the beginning of October, and while they have all currently been removed, it appears to be an on-going and persistent threat.

Bleepingcomputer.com reports that the 4 apps had been identified during October and reported on at the beginning of November, were:

• Bluetooth Auto Connect, with over 1,000,000 installs
• Bluetooth App Sender, with over 50,000 installs
• Driver: Bluetooth, Wi-Fi, USB, with over 10,000 installs
• Mobile transfer: smart switch, with over 1,000 installs

These apps were subsequently removed, however then on 4^th December they published another article stating a new series of apps had been identified. These apps are:

• TubeBox (jiajiamaji) – 1,000,000 downloads
• Bluetooth device auto connect (bt autoconnect group) – 1,000,000 downloads
• Bluetooth & Wi-Fi & USB driver (simple things for everyone) – 100,000 downloads
• Volume, Music Equalizer (bt autoconnect group) – 50,000 downloads
• Fast Cleaner & Cooling Master (Hippo VPN LLC) – 500 downloads

These apps were confirmed to have been removed by Google on 6^th December 2022.

The malicious apps are often promising guaranteed investment profits, or they are designed to offer useful utilities or system optimisation. When, in reality, they are designed to keep a user in the app to generate ad revenue content, as well as direct them off app to a phishing site to collect their personal information.

Mobile Device Management can play a critical part in helping lower the risk profile by securing access to corporate information that is stored on a user’s device. If your organisation does not already have any MDM in place it should be high on your list of products to evaluate.

Further reading: 

Malicious Android apps with 1M+ installs found on Google Play

Android malware apps with 2 million installs spotted on Google Play

Device Security Guidance

05th December 2022 Data Protection Bulletin