Neu Cyber Threats – 11th November 2021
DDoS attacks continue to grow in Q3 2021
The third quarter saw the sheer volume of distributed denial-of-service (DDoS) attacks surge to several thousand hits per day. This signalled a re-distribution of tactics by cyber criminals towards the use of DDoS as a tool of intimidation, disinformation and extortion.
Kaspersky researchers discussed the record-breaking frenzy of activity by threat actors in a recent report. They stated: “July started off quietly, but towards the middle of the month the average daily count of DDoS attacks exceeded 1,000, with a whopping 8,825 attacks on 18th August, while on the 21st and 22nd August, the daily count of five thousand was exceeded.”
But, while the volume of DDoS attacks spiked, their duration declined, the researchers found: “This may be due to the decreasing number of attacks lasting 50 hours or more and a rise in relatively short attacks.”
During Q3, researchers figured out how to exploit TCP protocol to attack security devices like firewalls, deep packet inspection (DPI) tools and network address translators (NAT). VoIP providers in Britain, Canada, and the U.S were attacked, as well as a number of other high value companies across the world in different industries.
Researchers have seen an increase in threat actors combining DDoS attacks with extortion demands over the past two years, which could be a sign of more to come. They added: “Cyber criminals typically conduct DDoS operations to temporarily disrupt a target’s infrastructure or act as a decoy for more dangerous activity, but companies affected by high-intensity DDoS attacks may experience long-time disruption of business, which in turn may cause financial loss, brand or reputational damage, and influence customer trust.”
With predictions indicating more DDoS attacks on the way, it’s up to businesses to mount a defence and protecting any internet of things (IoT) devices that are connected to public networks from being hijacked and turned into botnets. Companies can protect themselves by applying intermediate tooling at network boundaries, while most cloud services include security tools to mitigate or prevent DDoS attacks.
Researcher breaks 70% of WiFi passwords in study
A security researcher was able to crack over 70% of WiFi passwords using relatively simple, cheap equipment. The researcher’s experiment illustrated just how easily an attacker could hack into home and enterprise networks, by simply walking around a city with the right equipment in hand.
For his experiment, the researcher used an AWUS036ACH ALFA Network card, which costs around £36, and provides both monitoring and packet injection capabilities. He then connected it to an Ubuntu system, and walked around the centre of a city with the system in a backpack, to discover WiFi networks. The initial research was concerned with capturing the PMKID hash from the WiFi networks.
After successfully sounding out 5000 networks, the researcher moved to cracking the passwords, using the ‘hashcat’ password recovery tool, which supports dictionary and rules and mask attacks. The report states that the researcher was able to successfully crack roughly 3,600 of the passwords, which in turn meant that they were able to hack all of the corresponding WiFi networks.
A further discovery found that the majority of these passwords were 10-digit numbers, with most of the WiFi networks protected with the owners’ phone numbers. Hundreds of passwords contained eight or nine digits, with hundreds more having eight lower case letters. The researcher explained: “Not all routers support roaming features and are, therefore, not vulnerable to the PMKID attack. However, we found that routers manufactured by many of the world’s largest vendors are vulnerable.”
It was also pointed out that the roaming feature should not be enabled on routers meant for personal/private use (WPA2-personal), as there is no need for roaming on these networks. Additionally, the success rate of cracking passwords longer than 10 letters/numbers was lower.
The conclusions drawn were that the researcher was able to crack more than 70% of the WiFi networks in the sample. This raises alarm bells when it comes to the potential implications of a larger-scale malicious attack employing the same technique, as well as the importance of using strong, long passwords. The threat of compromised WiFi networks present serious risk to businesses. Neuways advises users to look into endpoint security to help mitigate the problems highlighted. While using longer, more complex passwords will help, endpoint security will add to your business’ cyber security complete defences.
Millions of Android users scammed by SMS fraud
Threat actors have been using malicious Android applications to scam users into signing up for a bogus premium SMS subscription service, which results in big charges accruing on their phone bills.
Security firm Avast uncovered the campaign, which has been dubbed UltimaSMS, because one of the first apps discovered as being used to scam people was called Ultima Keyboard Pro. Researchers said: “The fake apps found feature a wide range of categories such as custom keyboards, QR code scanners, video and photo editors, spam call blockers, camera filters, and games, among others”.
Essentially, the campaign comprises of at least 151 apps that at one point or another have been available on the Google Play Store – and collectively they’ve been downloaded over 10.5 million times. Google has since removed some of flagged apps from the store, but there are likely others. Of course, this isn’t the first time that Google Play has been plagued by fake apps which are spreading malware.
All of the offerings are, “essentially copies of the same fake app used to spread the premium SMS scam campaign”, which indicates that one set of cyber criminals are behind the attack.
The threat actor behind the campaign is spreading UltimaSMS through “numerous catchy video advertisements” posted on advertising channels of social media sites such as Facebook, Instagram and TikTok. If an Android user takes the bait and installs one of the apps, it checks their location, International Mobile Equipment Identity (IMEI), and phone number to determine which country area code and language to use for the scam
Once a user enters their details, the app subscribes them to a premium SMS service which sends texts to a short-coded number — each text results in a charge for the user. These charges can total upwards of £30 per month depending on the country and mobile carrier. And, instead of unlocking the apps’ advertised features, the apps will either display further SMS subscriptions options or stop working altogether
In fact, some of the apps describe this intention to users in fine print; however, not all of them extend this courtesy, “meaning many people who submitted their phone numbers into the apps might not even realize the extra charges to their phone bill are connected to the apps,” he explained.
The apps collect premium SMS charges from subscribers typically to the maximum limit possible for their particular country, according to Avast. To avoid being defrauded by the UltimaSMS scam, users should follow the same common-sense vigilance and protocols for downloading and purchasing new apps:
- Check reviews first
- Read the fine print
- Don’t enter a phone number unless you trust the app
- Only use official app stores
Businesses and users can disable premium SMS with their network carrier so cyber criminals can’t abuse the service.
Firefox updated to mitigate add-on flaws
Mozilla’s Firefox team has blocked a number of add-ons that were abusing the proxy API in order to prevent around 455,000 users from updating their browsers.
The add-ons were misusing the proxy API, which controls how Firefox connects to the internet. Add-ons are powerful snippets of software that can be added to Firefox to customise the browser by doing things like preventing tracking, blocking ads, downloading videos from websites or providing content translation.
On the flip side, they can be used for nefarious purposes that install malware, like the 28 add-ons for Facebook, Vimeo, Instagram and others that researchers found in commonly used browsers from Google and Microsoft last year.
The add-ons siphoned off sensitive data, as well as having the ability to enable further malware downloads. Threat actors were tweaking links victims clicked on in order to redirect them to phishing sites and ads.
The Firefox team said that the misbehaving Firefox add-ons found in June – Bypass and Bypass XM – were misusing the API to intercept and redirect users from downloading updates, accessing updated blocklists and updating remotely configured content.
This story highlights the importance of installing updates and security patches as soon as they are made available by the developers – this helps your business to be as secure as possible, especially when using Firefox, in this instance.