
Vercara’s Open-Source Intelligence (OSINT) Report – April 26 – May 2, 2024

Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories.

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.


UK becomes first country to ban default bad passwords on IoT devices. 

(TLP: CLEAR) The U.K. National Cyber Security Centre (NCSC) has urged all smart-device manufacturers to comply with new regulations that ban the use of default passwords. The legislation, which makes the U.K. the first country in the world to outlaw universal default usernames and passwords on Internet of Things (IoT) devices, came into force on April 29, 2024. According to the NCSC, the Product Security and Telecommunications Infrastructure Act (PSTI Act) will help consumers choose smart devices that have been designed to provide ongoing protection against cyber-attacks. Manufacturers must ensure their devices do not ship with easily guessable default passwords, must provide a contact point for reporting security vulnerabilities, and must clearly state how long the device will receive security updates. The source article closes with key findings from the first quarter of 2024, including an 80% year-over-year increase in DNS-based distributed denial-of-service (DDoS) attacks and the continued reuse of the Mirai botnet’s source code. 

(TLP: CLEAR) Analyst Comments: By mandating that manufacturers remove predictable default passwords and implement measures such as a vulnerability reporting contact point and clear communication about the lifespan of security updates, the Product Security and Telecommunications Infrastructure (PSTI) Act targets a foundational aspect of device security. The rise in DNS-based DDoS attacks and the ongoing reuse of Mirai code underscore the urgency of such regulation: attackers continue to exploit weak default credentials to enlist IoT devices into botnets, and the PSTI Act’s provisions could significantly disrupt those efforts by closing a widely exploited gap. 

(TLP: CLEAR) Recommended Best Practices/Regulations: NIST Special Publication 800-189: “Distributed denial-of-service (DDoS) is a form of attack where the attack traffic is generated from many distributed sources to achieve a high-volume attack and directed towards an intended victim (i.e., system or server). To conduct a direct DDoS attack, the attacker typically makes use of a few powerful computers or a vast number of unsuspecting, compromised third-party devices (e.g., laptops, tablets, cell phones, Internet of Things (IoT) devices, etc.). The latter scenario is often implemented through botnets. In many DDoS attacks, the IP source addresses in the attack messages are “spoofed” to avoid traceability.” 

(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and >15Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that constantly updates mitigation devices allows protection against emerging attack vectors and common attack sources. Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters DNS responses for users and machines using both defined categories, including botnet Command and Control (C2), and machine learning that detects previously uncategorized malicious associations, helping prevent data exfiltration and malware detonation.  

Source: https://thehackernews.com/2024/04/new-uk-law-bans-default-passwords-on.html 

Palo Alto Networks outlines remediation for PAN-OS flaw under attack. 

(TLP: CLEAR) Palo Alto Networks recently released remediation guidance for CVE-2024-3400, a critical PAN-OS vulnerability that is being exploited in the wild. The flaw allows unauthenticated remote execution of shell commands on PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with a GlobalProtect gateway or GlobalProtect portal. The exploitation campaign, tracked as “Operation MidnightEclipse,” deploys a Python-based backdoor called UPSTYLE that executes commands delivered via specially crafted requests. The attacks have not been attributed to a specific threat actor, but the sophistication of the intrusions suggests state-backed involvement. Reporting indicates that the remediation steps depend on the level of compromise: applying the latest hotfix where only probing or testing was observed, a private data reset where there is a risk that data was misused, and a factory reset for systems showing signs of interactive command execution. 

(TLP: CLEAR) Analyst Comments: Given the active exploitation of CVE-2024-3400, organizations running affected PAN-OS firewalls with GlobalProtect enabled should adopt the recommended remediation measures without delay. Organizations that do not use Palo Alto Networks software are not exposed to this particular vulnerability. 

(TLP: CLEAR) Recommended Best Practices/Regulations: It is advised that the organization’s security policy include routine reviews of all IT infrastructure, including applications, to ensure they are up to date with the latest security patches. If no security patches are being released for known vulnerabilities, organizations should look at either replacing outdated systems or establishing additional defense-in-depth measures to protect the unpatched systems.   

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), functions as a complement to anti-virus and Endpoint Detection and Response (EDR) agents to reduce the total amount of malware infections. 

Source: https://thehackernews.com/2024/04/palo-alto-networks-outlines-remediation.html 

New “Goldoon” botnet targets D-Link routers with decade-old bug. 

(TLP: CLEAR) A newly discovered botnet, dubbed ‘Goldoon’, has been observed actively targeting D-Link routers by exploiting CVE-2015-2051, a critical vulnerability (CVSS score 9.8) in D-Link DIR-645 routers that permits attackers to remotely execute arbitrary commands through specially crafted HTTP requests. Researchers stress that successful exploitation gives the attacker full control of the affected router. Once in control, attackers can harvest sensitive system information, connect to a command-and-control server, and use the compromised router for further malicious operations such as distributed denial-of-service (DDoS) attacks. Reporting highlights a significant increase in Goldoon activity beginning around April 9, 2024. The attack typically begins with exploitation of CVE-2015-2051 to retrieve a dropper script from a remote server. The dropper then fetches the Goldoon payload built for the router’s architecture; builds exist for a wide range of Linux targets, including aarch64, arm, i686, m68k, mips64, mipsel, PowerPC, s390x, sparc64, x86-64, sh4, riscv64, DEC Alpha, and PA-RISC. Once the payload is downloaded, the infected router is used as a staging point to fetch further Goldoon components from another external source. In addition to securing persistence on compromised routers through various autorun techniques, Goldoon connects to a command and control (C2) server to receive commands. The botnet can launch DDoS flood attacks using 27 different methods across protocols including DNS, HTTP, ICMP, TCP, and UDP. 

(TLP: CLEAR) Analyst Comments: Recent reporting also indicates that threat actors are exploiting compromised routers not only for their own operations but also for financial gain, by renting them out to other cybercriminals. Routers remain prime targets for several reasons: limited security monitoring, weak password practices, infrequent firmware updates, and full-featured operating systems that can host a wide range of malware. Lastly, the combination of varied DDoS attack methods with the exploitation of a specific, long-known vulnerability (CVE-2015-2051 in D-Link routers) shows that threat actors continue to refine both the technical sophistication and the tactical precision of their operations. 

(TLP: CLEAR) Recommended Best Practices/Regulations: It is advised that the organization’s security policy include routine reviews of all IT infrastructure, including applications, to ensure they are up to date with the latest security patches. If no security patches are being released for known vulnerabilities, organizations should look at either replacing outdated systems or establishing additional defense-in-depth measures to protect the unpatched systems. 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), can detect and block malware delivery and command and control (C2) techniques such as phishing, domain generation algorithms, and DNS tunneling to reduce both the quantity and impact of infections. 

Source: https://thehackernews.com/2024/05/new-goldoon-botnet-targets-d-link.html 

Politically motivated cyberattacks are putting our elections at risk. 

(TLP: CLEAR) Netscout recently released intelligence reporting a 15% rise in distributed denial-of-service (DDoS) attacks in the second half of 2023 compared to the first. The report notes that many of these attacks were politically motivated and that a significant number were linked to a small group of threat actors. According to the reported data, NoName057(016) emerged as the leading DDoS adversary in 2023, targeting 780 websites across 35 countries. Alongside Anonymous Sudan and Killnet, NoName057(016) has claimed responsibility for DDoS attacks in Ukraine, Russia, Israel, and Palestine, focusing on targets such as communications infrastructure, hospitals, and banks. Ahead of Spain’s general election last year, NoName057(016) carried out numerous DDoS attacks against Spanish websites, severely disrupting traffic to government platforms. In a similar pattern, Poland saw an uptick in DDoS attacks from the same group following the appointment of a new prime minister, which was attributed to his pro-Ukraine stance. Beyond these incidents in Europe, a global increase in cyberattacks was observed last year in response to major political or geopolitical events. For example, Peru saw a 30% rise in cyberattacks amid protests over the release of former president Alberto Fujimori, who was freed despite widespread condemnation of human rights violations during his tenure. The report concludes by anticipating a further rise in politically motivated cyberattacks, given the number of elections scheduled around the world in the coming months. 

(TLP: CLEAR) Analyst Comments: NoName057(016) continues to demonstrate its support for Russia, according to past observations. Additionally, Killnet has also been linked to Russia, further suggesting a coordinated effort among these groups to advance Russian interests through cyber activities. The involvement of state-backed or politically motivated groups like NoName057(016) highlights the ongoing trend of cyber operations being used as extensions of state policy and geopolitical strategies. 

(TLP: CLEAR) Recommended Best Practices/Regulations: Cybersecurity and Infrastructure Security Agency (CISA) publication “VOLUMETRIC DDOS AGAINST WEB SERVICES TECHNICAL GUIDANCE”: “Agencies should select a provider that has the capacity to scale and withstand large volumetric DDoS attacks. Agencies should also understand their role and the role of the provider if targeted by a DDoS attack. Note the two consumption models previously identified for DDoS mitigation services – always-on and on-call/on-demand. In an always-on model, all traffic always passes through the mitigation provider’s service (which may add latency if the distance between the customer’s internet circuit and mitigation service is high). Always-on can provide instant protection, but agencies should always validate the time-to-mitigation of any proposed solution. The on-demand consumption model only sends traffic to scrubbing centers when directed to do so via human intervention during an attack. Agencies must communicate with their provider to understand which protections are available, the protections that are included in the existing contracts, and those offered à la carte. For services that require manual activation, agencies must understand each organization and individual’s roles, as well as develop, maintain, and test the activation procedures for best response.” 

(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect is a purpose-built DDoS mitigation solution that offers comprehensive protection through on-premise hardware, cloud-based DDoS mitigation, or hybrid approaches. Tailored to meet any organizational need, Vercara’s array of DDoS Protection services includes blocking DDoS attacks, redirecting DDoS attacks, and cloud DDoS prevention, ensuring the broadest and most adaptable DDoS defense services available.  

Source: https://www.fastcompany.com/91114419/politically-motivated-ddos-attacks-on-the-rise-putting-our-elections-at-risk 

Source: https://www.netscout.com/threatreport 

Muddling Meerkat hackers manipulate DNS using China’s Great Firewall. 

(TLP: CLEAR) Recent reporting has highlighted a series of DNS operations assessed to be linked to a Chinese state-sponsored threat actor dubbed ‘Muddling Meerkat’. A distinctive feature of the activity is the manipulation of MX (Mail Exchange) records: the actor’s queries cause the Great Firewall of China (GFW) to inject fake DNS responses, a behaviour not previously recorded in the country’s internet censorship toolset. On first inspection the activity could easily go unnoticed or be mistaken for benign traffic because of its subtlety. The actor sends DNS queries that the GFW answers with false MX records, which could disrupt email routing or misdirect mail to unintended recipients. To further obscure the operation, Muddling Meerkat issues queries for random subdomains of the target domains, names that typically do not exist. Viewed as a whole, the traffic resembles a “Slow Drip” DDoS (random-subdomain) attack, but the queries are limited in volume and appear aimed at probing defenses rather than causing outright disruption. Researchers note that while the objectives and motivations of Muddling Meerkat remain unclear, the activity demonstrates a high level of sophistication and the capability to manipulate global DNS. 

(TLP: CLEAR) Analyst Comments: The “slow drip” in the aforementioned attack refers to the methodical, low-volume flow of attack traffic, which is usually designed to be slow and persistent, thus making it harder to detect compared to more abrupt and massive DDoS attacks. Apart from degrading the performance of websites or services for an extended period of time, in some cases, these attacks serve as a diversion, drawing attention away from more stealthy, malicious activities occurring simultaneously, such as data breaches or infiltration of other parts of the targeted network. 
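As an added illustration for the two paragraphs above (this is example code written for this report, not code from the original write-up or from the researchers cited), the script below scans a resolver query log for the two traits attributed to Muddling Meerkat: bursts of queries for random, non-existent subdomains of one apex (the “slow drip” / random-subdomain pattern) and MX answers for those names that point outside the apex, as injected responses would. The log format, thresholds, domains and addresses are constructed for the example; adapt parse() to your resolver’s real log format.

```python
"""Added example (not from the original report): flag apexes that receive many
high-entropy, mostly non-existent subdomain queries, and list MX answers for
those names that point outside the apex.  All data below is constructed."""
import math
from collections import Counter, defaultdict

# Constructed sample log: "<epoch> <client_ip> <qname> <qtype> <rcode> <answer>"
SAMPLE_LOG = """\
1714521600 10.0.0.5 www.example.com A NOERROR 93.184.216.34
1714521601 10.0.0.5 mail.example.com MX NOERROR mx1.example.com
1714521602 10.0.0.9 q8f3k2pa.target.example MX NOERROR mx.example.cn
1714521603 10.0.0.9 zv91lmxq.target.example MX NOERROR mx.example.cn
1714521604 10.0.0.9 7hd2ks0w.target.example MX NXDOMAIN -
1714521605 10.0.0.9 pl0d9xa4.target.example MX NOERROR mx.example.cn
1714521606 10.0.0.9 mn4e7rqt.target.example MX NXDOMAIN -
1714521607 10.0.0.9 x2c8vb1y.target.example MX NOERROR mx.example.cn
1714521608 10.0.0.7 shop.example.com A NOERROR 93.184.216.35
"""


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character; random labels score ~3, words ~2 or less."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def apex_of(qname: str, depth: int = 2) -> str:
    """Registrable domain, approximated as the last `depth` labels.
    A production version should use the Public Suffix List instead."""
    return ".".join(qname.rstrip(".").split(".")[-depth:])


def parse(log: str):
    """Yield one dict per log line (assumed whitespace-separated format)."""
    for line in log.splitlines():
        ts, client, qname, qtype, rcode, answer = line.split()
        yield {"ts": int(ts), "client": client, "qname": qname.lower(),
               "qtype": qtype, "rcode": rcode, "answer": answer.lower()}


def random_subdomain_report(log: str, min_labels: int = 5,
                            entropy_floor: float = 2.5) -> dict:
    """Per flagged apex: distinct leading labels seen, their mean entropy,
    NXDOMAIN count, and MX answers that do not sit under the apex."""
    labels = defaultdict(set)
    nxdomain = Counter()
    foreign_mx = defaultdict(Counter)
    for rec in parse(log):
        apex = apex_of(rec["qname"])
        if rec["qname"] == apex:          # query for the apex itself; skip
            continue
        labels[apex].add(rec["qname"].split(".")[0])
        if rec["rcode"] == "NXDOMAIN":
            nxdomain[apex] += 1
        elif rec["qtype"] == "MX" and not rec["answer"].endswith("." + apex):
            foreign_mx[apex][rec["answer"]] += 1
    report = {}
    for apex, seen in labels.items():
        mean_entropy = sum(map(shannon_entropy, seen)) / len(seen)
        if len(seen) >= min_labels and mean_entropy >= entropy_floor:
            report[apex] = {"distinct_labels": len(seen),
                            "mean_entropy": round(mean_entropy, 2),
                            "nxdomain": nxdomain[apex],
                            "foreign_mx_answers": dict(foreign_mx[apex])}
    return report


if __name__ == "__main__":
    for apex, facts in random_subdomain_report(SAMPLE_LOG).items():
        print(apex, facts)
```

Only target.example is reported: six distinct random-looking labels, two NXDOMAINs, and four MX answers pointing at a host outside the apex. The thresholds are deliberately low for the sample; on a busy resolver, raise min_labels and window the counts by time so that legitimate wildcard or CDN subdomains do not trip the check.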

(TLP: CLEAR) Recommended Best Practices/Regulations:  NIST Cybersecurity Framework (CSF) PR.IR-04: “Adequate resource capacity to ensure availability is maintained.”  

Businesses, particularly those located in NATO member states and allied countries, should maintain constant vigilance and regularly test and enhance their cybersecurity defensive capabilities, specifically DDoS mitigation strategies, architecture, monitoring, and procedures. 

(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect scrubs malicious traffic away from your infrastructure, defusing the large, complex attacks that make headlines every day and threaten your operational stability. Powerful automation allows you to activate on-demand cloud protection through means that include DNS Redirection, BGP Redirection, and API triggering. The result is an incredibly fast response against DDoS trouble when you need it most. Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in real time with previously observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations.   

Source: https://www.bleepingcomputer.com/news/security/muddling-meerkat-hackers-manipulate-dns-using-chinas-great-firewall/  

Source: https://cybersecuritynews.com/dns-muddling-meerkat-cyber-weapon/ 

New Cuttlefish malware infects routers to monitor traffic for credentials. 

(TLP: CLEAR) Researchers have uncovered a new malware strain that infects both enterprise-grade and small office/home office routers, allowing it to monitor traffic and harvest authentication credentials. Dubbed ‘Cuttlefish’, the malware is built for several router architectures, including ARM, i386, i386_i686, i386_x64, mips32, and mips64. A significant feature of Cuttlefish is its ability to establish a proxy or VPN tunnel on the compromised router, which lets it exfiltrate data discreetly and circumvent established security controls. The malware can also perform DNS and HTTP hijacking within the private network behind the router, disrupting internal communications and potentially delivering additional payloads: it redirects DNS requests to a designated server and rewrites HTTP requests, steering traffic to attacker-controlled infrastructure by answering with HTTP 302 redirects. Once deployed, Cuttlefish monitors all connections passing through the device by passively sniffing packets for specific ‘credential markers’, which the researchers identified as predefined strings such as “username,” “password,” “access_token,” “aws_secret_key,” and “cloudflare_auth_key.” These markers correspond to credentials for cloud services including Alicloud, AWS, DigitalOcean, Cloudflare, and Bitbucket, giving the malware a path to sensitive information. 

(TLP: CLEAR) Analyst Comments: The precise method of initial infection by Cuttlefish remains unclear, though it likely involves exploiting known vulnerabilities or brute-forcing access to routers. After compromising a router, a bash script is deployed that gathers host-based data such as directory listings, running processes, and active connections. This script then downloads and executes Cuttlefish, which runs directly from memory to avoid detection. Additionally, to thwart analysis by security professionals, the script erases the downloaded file from the system immediately after execution. Investigators have provided additional indicators of compromise (IOCs): https://github.com/blacklotuslabs/IOCs/blob/main/Cuttlefish_IOCs.txt 
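To make the three behaviours described above concrete from the defender’s side, the script below is an added example written for this report (not code from the original write-up or from the researchers cited). It checks router-side egress records for DNS answers served by a resolver the router was not configured to use (DNS redirection), HTTP 302 redirects that send a request to a different registrable domain (HTTP hijacking), and plaintext HTTP bodies carrying the credential markers the researchers listed. The record format, the allowed resolver address, and every host, address and value in the sample are constructed for the example.

```python
"""Added example (not from the original report): flag DNS redirection,
cross-domain HTTP 302 hijacks and cleartext credential markers in
router-side egress records.  All sample data below is constructed."""
from urllib.parse import urlsplit

# Marker strings quoted in the write-up; matched case-insensitively.
CREDENTIAL_MARKERS = ("username", "password", "access_token",
                      "aws_secret_key", "cloudflare_auth_key")
# Assumption for the example: the only resolver the router should forward to.
ALLOWED_RESOLVERS = {"10.0.0.53"}

# Constructed sample records, one per line, two shapes:
#   dns  <client> <qname> <answering_resolver> <answer_ip>
#   http <client> <method> <url> <status> <location|-> <body|->
SAMPLE_RECORDS = """\
dns 10.0.0.21 api.example.com 10.0.0.53 93.184.216.34
dns 10.0.0.21 api.example.com 203.0.113.66 203.0.113.200
http 10.0.0.21 POST http://api.example.com/login 200 - username=alice&password=hunter2
http 10.0.0.21 GET http://api.example.com/v1/keys 302 http://203.0.113.200/v1/keys -
http 10.0.0.21 GET http://www.example.com/ 302 https://www.example.com/ -
http 10.0.0.22 POST http://bucket.example.net/upload 200 - aws_secret_key=EXAMPLEKEY
http 10.0.0.22 GET http://www.example.com/health 200 - -
"""


def apex_of(host: str) -> str:
    """Registrable domain approximated as the last two labels (use the
    Public Suffix List in production); IPv4 literals are returned unchanged."""
    parts = host.lower().split(".")
    if len(parts) == 4 and all(p.isdigit() for p in parts):
        return host
    return ".".join(parts[-2:])


def analyze(records: str, allowed_resolvers=ALLOWED_RESOLVERS) -> list:
    """Return one finding dict per suspicious record, in log order."""
    findings = []
    for line in records.splitlines():
        fields = line.split()
        if fields[0] == "dns":
            _, client, qname, resolver, answer = fields
            # Answer came from a resolver the router should not be using.
            if resolver not in allowed_resolvers:
                findings.append({"kind": "dns_redirection", "client": client,
                                 "qname": qname, "resolver": resolver,
                                 "answer": answer})
        elif fields[0] == "http":
            _, client, method, url, status, location, body = fields
            req = urlsplit(url)
            # 302 to another registrable domain: the hijack the article describes.
            if status == "302" and location != "-":
                if apex_of(urlsplit(location).hostname) != apex_of(req.hostname):
                    findings.append({"kind": "http_redirect_hijack",
                                     "client": client, "url": url,
                                     "location": location})
            # A passive sniffer only sees cleartext, so only plain-http bodies
            # can leak these markers; TLS hides them from an on-path router.
            if req.scheme == "http" and body != "-":
                hits = sorted(m for m in CREDENTIAL_MARKERS if m in body.lower())
                if hits:
                    findings.append({"kind": "plaintext_credential",
                                     "client": client, "url": url,
                                     "markers": hits})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_RECORDS):
        print(finding)
```

On the sample, the second DNS record (answered by 203.0.113.66 rather than the configured resolver), the cross-domain 302 to an IP literal, and the two cleartext POST bodies are reported; the same-domain redirect from http to https is not. The last check is the practical takeaway: an on-path router can only harvest what is sent in the clear, so any API or console that still accepts credentials over plain HTTP is what this malware is built to catch.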

(TLP: CLEAR) Recommended Best Practices/Regulations: It is advised that organizations conduct periodic network assessments to identify and close nonessential ports and protocols that expand their attack surface. Where certain ports and protocols must be exposed to the internet for business operations, organizations should establish defense in depth, change all default usernames and passwords, and use complex passwords that are harder to brute force. 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), enforces malware filtering as a network service using 4 distinct malware detection engines, including a dynamic decision engine that compares domain details, DNS query details, query answers, and other data points to determine if a domain is malicious before endpoints can be infected by them.  

Source: https://www.bleepingcomputer.com/news/security/new-cuttlefish-malware-infects-routers-to-monitor-traffic-for-credentials/

About Vercara.

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please visit our solutions overview page or contact us.
