Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
How MFA failures are fuelling a 500% surge in ransomware losses.
(TLP: CLEAR) The cyber threat landscape has experienced a disturbing escalation in ransomware attacks, evidenced by sharp increases in both average payments and ransom demands. Recent intelligence reporting indicates a 500% surge in average ransom payments, rising from $400,000 in 2023 to $2 million in 2024. Similarly, media-sourced reporting has highlighted that ransom demands have increased from $1.4 million in 2022 to $20 million in 2023. This uptrend is likely driven by cybercriminals’ refined targeting methodologies and the use of Generative AI to craft highly sophisticated phishing attacks, which exploit weaknesses in outdated Multi-Factor Authentication (MFA) systems. These developments underscore the critical need for enhanced security measures and updated MFA protocols to counter the evolving threat landscape. Furthermore, legacy MFA methods, developed over two decades ago, are becoming increasingly inadequate against contemporary cyber threats. These outdated systems are particularly vulnerable to phishing attacks, SIM swapping, malware, and other social engineering tactics.
(TLP: CLEAR) Comments: In order to mitigate the aforementioned vulnerabilities, the adoption of next-generation MFA solutions is imperative. For example, integrating biometric authentication into these solutions offers significant advantages, including heightened security against credential theft and phishing, enhanced user convenience, and improved operational efficiency.
(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 5.3: “Anti-malware mechanisms and processes are active, maintained, and monitored
“The anti-malware solution(s) is kept current via automatic updates.
“The anti-malware solution(s):
• Performs periodic scans and active or real-time scans.
OR
• Performs continuous behavioral analysis of systems or processes.
“If periodic malware scans are performed to meet Requirement 5.3.2, the frequency of scans is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.”
Regular updating of anti-malware definitions and performing periodic scans requires processing and disk input/output. As a result, most updates and scans happen overnight, resulting in a detection gap of up to several days, depending on the type of device. Protective DNS solutions are able to update their detection rules in real time and provide support for network-based behavioral analytics.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in real-time with previously observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations.
Source: https://thehackernews.com/2024/07/how-mfa-failures-are-fueling-500-surge.html
Over 380k hosts still referencing malicious Polyfill domain.
(TLP: CLEAR) Recent intelligence reporting indicates over 380,000 internet-exposed hosts are still referencing JavaScript scripts from the recently suspended polyfill[.]io domain. Originally employed to enhance functionality in older browsers, polyfill[.]io was suspended after redirecting users to betting and adult sites. The suspension occurred following its acquisition by the Chinese CDN company “Funnull” in February 2024, affecting over 100,000 websites, including significant platforms such as Hulu and Mercedes-Benz. Additionally, a majority of the impacted hosts are within Germany’s Hetzner network, but domains associated with prominent entities like Hulu and Warner Bros are also significantly affected. Analysts have identified 182 affected hosts with .gov domains, indicating extensive use across various sectors, including government. Despite mitigation efforts, investigators have cautioned of broader associations, highlighting parallels with other suspicious domains such as bootcdn[.]net and bootcss[.]com. This may suggest an ongoing malicious campaign. These findings underscore the critical need for vigilant monitoring and proactive defense strategies to counter such evolving threats.
(TLP: CLEAR) Comments: Since modern browsers no longer require Polyfill, the original author advises discontinuing its use altogether. Websites should eliminate any references to polyfill[.]io immediately. Recommended alternatives include reliable CDNs such as Vercara’s UltraEdge.
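One way a site owner can check their own pages for the references described above, as an added example that is not part of the original report or any Vercara product: it parses HTML with the standard library and flags script, stylesheet and iframe loads whose host is polyfill.io, bootcdn.net or bootcss.com (the domains named in the item) or any subdomain of them. The sample page is constructed for the example.

```python
"""Scan HTML for resource loads from the suspended polyfill.io domain
and the related domains named in the report."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains named in the report; suffix matching also catches cdn.polyfill.io.
SUSPENDED_DOMAINS = ("polyfill.io", "bootcdn.net", "bootcss.com")


def host_is_suspended(url: str) -> bool:
    """True if the URL's host is one of the suspended domains or a subdomain.

    urlsplit() handles protocol-relative URLs ("//cdn.polyfill.io/...") too;
    a bare relative path has no host and is never flagged.
    """
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in SUSPENDED_DOMAINS)


class _RefCollector(HTMLParser):
    # Tags and the attribute through which each one loads remote content.
    _LOAD_ATTRS = {"script": "src", "link": "href", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        attr = self._LOAD_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value and host_is_suspended(value):
                self.hits.append((tag, value))


def find_suspended_refs(html: str) -> list:
    """Return [(tag, url), ...] for every load from a suspended domain."""
    parser = _RefCollector()
    parser.feed(html)
    return parser.hits


# Constructed sample page (not from the report): two bad loads, one local file.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://cdn.bootcss.com/bootstrap/4.0.0/css/bootstrap.min.css">
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="/static/app.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for tag, url in find_suspended_refs(SAMPLE_HTML):
        print(f"<{tag}> loads from suspended domain: {url}")
```

Run it over each page in the site's build output, or over fetched HTML, and remove every hit; a clean result from the build does not cover scripts that are injected at runtime by other third-party code.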
(TLP: CLEAR) Recommended best practices/regulations: NIST SP 800-53 Rev5 SC-20: “SECURE NAME/ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)”: “Control:
“a. Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and
“b. Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains when operating as part of a distributed, hierarchical namespace.”
FIRST DNS Abuse Matrix V1.1: “Spoofing of a registered domain – In a context where a domain name is expected (such as the From header in mail or a URL in a web page or message body), supplying a domain name not controlled by the attacker and that is in fact controlled by or registered to a legitimate registrant.”
(TLP: CLEAR) Vercara: Vercara’s UltraDNS solutions, UltraDNS and UltraDNS2, include two separate and diverse authoritative resolution platforms for an aggregate 47 deployment nodes. UltraDNS provides resiliency, performance, and advanced features such as load-balancing, monitored failover, automated DNSSEC signing, and geographic resolution.
Vercara’s Content Delivery Network, UltraEdge, leverages a cutting-edge, global CDN powered by Edgio to supercharge every user interaction. It delivers industry-leading performance while safeguarding your infrastructure and users with an advanced, fully integrated security stack supported by our 24/7 Security Operations Center (SOC).
Source: https://www.securityweek.com/over-380k-hosts-still-referencing-malicious-polyfill-domain-censys/
CDK Global says all dealers will be back online by Thursday.
(TLP: CLEAR) Back on June 18th, CDK Global, a prominent software-as-a-service provider for over 15,000 car dealerships across North America, experienced a ransomware attack resulting in a significant IT outage. The attack severely impacted CDK Global’s dealer management system, compelling dealerships to revert to pen and paper, and leaving buyers unable to purchase cars or service existing vehicles. Amidst efforts to restore service, CDK suffered a second cyberattack the following day, necessitating a complete shutdown of its IT and login systems once again. In a recent update, reporting indicates a CDK spokesperson stated that the organization was “continuing their phased approach to the restoration process and is rapidly bringing dealers live on the Dealer Management System (DMS).” Furthermore, CDK Global anticipated that all dealer connections would be fully restored by late Wednesday, July 3 or early morning Thursday, July 4. This incident underscores the critical need for robust cybersecurity measures and rapid response strategies in the face of evolving cyber threats.
(TLP: CLEAR) Comments: Previous Vercara OSINT reporting has identified the BlackSuit group, the alleged perpetrators of the recent attack on CDK Global, as possessing advanced technical expertise. They are known for deploying custom malware and executing meticulously coordinated cyber-attacks across the cyber threat landscape. Additional reporting on the BlackSuit group and similar factions is available from CISA: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a
(TLP: CLEAR) Recommended best practices/regulations: NIST SP 800-53 Rev5 SI-3: “MALICIOUS CODE PROTECTION”
“Control:
“a. Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;
“b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;
“c. Configure malicious code protection mechanisms to: 1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization defined personnel or roles] in response to malicious code detection; and
“d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.”
NIST requires malware detection and prevention solutions. This can be on the device, as with anti-virus agents, but also can be augmented by Protective DNS provided by the network that the device is on or across the Internet. This provides defence-in-depth and support for devices such as Internet of Things (IoT) or some servers that cannot run an endpoint client.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in real-time with previously observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations.
Organizations are using outdated approaches to secure APIs.
(TLP: CLEAR) Recent reports highlight the intensifying risks associated with modern applications, underlining a surge in threats from Distributed Denial of Service (DDoS) attacks, malicious bots, botnets, and software supply chain vulnerabilities. These threats often overwhelm dedicated security tools and resources. Furthermore, the dependence on web applications and Application Programming Interfaces (APIs) has expanded the attack surface, a problem exacerbated by the demand for rapid feature deployment, while traditional security measures, such as web application firewalls, are frequently inadequate. The rapid exploitation of zero-day vulnerabilities also remains a critical concern. Reliance on third-party software increases risk further, with organizations reportedly incorporating an average of 47.1 pieces of third-party code and establishing 49.6 outbound connections to external resources. This practice introduces significant supply chain vulnerabilities and compliance challenges. Finally, the reporting briefly touched on 2023 metrics, indicating an increase in zero-day exploits and a 15% rise in disclosed Common Vulnerabilities and Exposures (CVEs). Despite these critical threats, the average time to release a patch for severe vulnerabilities is 35 days.
(TLP: CLEAR) Comments: The aforementioned emphasizes the necessity for updated security practices and robust defenses to counter evolving threats effectively. Organizations often rely on fragmented security solutions, which expand their attack surface and complicate the protection of their network infrastructure, thereby increasing their vulnerability to cyber-attacks. To mitigate these risks, it is crucial to adopt integrated security strategies, streamline security operations, and ensure regular updates and patches.
(TLP: CLEAR) Recommended best practices/regulations: OWASP API Top 10, API6:2023, “Unrestricted Access to Sensitive Business Flows”:
“The mitigation planning should be done in two layers:
“Business – identify the business flows that might harm the business if they are excessively used.
“Engineering – choose the right protection mechanisms to mitigate the business risk.
“Some of the protection mechanisms are more simple while others are more difficult to implement. The following methods are used to slow down automated threats:
“Device fingerprinting: denying service to unexpected client devices (e.g headless browsers) tends to make threat actors use more sophisticated solutions, thus more costly for them
“Human detection: using either captcha or more advanced biometric solutions (e.g. typing patterns)
“Non-human patterns: analyze the user flow to detect non-human patterns (e.g. the user accessed the ‘add to cart’ and ‘complete purchase’ functions in less than one second)
“Consider blocking IP addresses of Tor exit nodes and well-known proxies
“Secure and limit access to APIs that are consumed directly by machines (such as developer and B2B APIs). They tend to be an easy target for attackers because they often don’t implement all the required protection mechanisms.”
NIST Special Publication 800-41 Revision 1, “Guidelines on Firewalls and Firewall Policy”: “Application firewalls can enable the identification of unexpected sequences of commands, such as issuing the same command repeatedly or issuing a command that was not preceded by another command on which it is dependent. These suspicious commands often originate from buffer overflow attacks, DoS attacks, malware, and other forms of attack carried out within application protocols such as HTTP. Another common feature is input validation for individual commands, such as minimum and maximum lengths for arguments. For example, a username argument with a length of 1000 characters is suspicious—even more so if it contains binary data.”
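The OWASP API6 “non-human patterns” item and the NIST SP 800-41 passage above describe the same kind of check from two angles: a command that arrives without the command it depends on, a flow completed faster than a person could click, and an argument that is far too long or carries binary data. As an added example that is not part of the report or of any Vercara product, the code below runs those three checks over a constructed request log; the endpoint names, the one-second threshold (taken from the OWASP text) and the 64-character username limit are assumptions for the example.

```python
"""Flag non-human API usage over a constructed request log, using the
sequence, timing and argument checks described by OWASP API6:2023 and
NIST SP 800-41. Endpoint names and limits are assumptions for this example."""
from collections import defaultdict
from typing import Optional

DEPENDS_ON = {"/checkout/complete": "/cart/add"}   # command -> required prior command
MIN_HUMAN_GAP_SECONDS = 1.0                        # API6: "less than one second"
MAX_ARG_LENGTH = {"username": 64}                  # 800-41: per-argument length limits


def arg_is_suspicious(name: str, value: str) -> Optional[str]:
    """Return a reason if an argument is oversized or contains non-printable data."""
    limit = MAX_ARG_LENGTH.get(name)
    if limit is not None and len(value) > limit:
        return f"{name} length {len(value)} exceeds {limit}"
    if not value.isprintable():
        return f"{name} contains non-printable characters"
    return None


def find_non_human_flows(requests: list) -> list:
    """Each request is {'session', 'ts', 'path', 'args'}; returns (session, finding)."""
    findings = []
    last_seen = defaultdict(dict)   # session -> path -> timestamp of last call
    for req in sorted(requests, key=lambda r: r["ts"]):
        sess, path, ts = req["session"], req["path"], req["ts"]
        # 800-41: argument validation (length limits, binary content)
        for name, value in req.get("args", {}).items():
            reason = arg_is_suspicious(name, value)
            if reason:
                findings.append((sess, f"{path}: {reason}"))
        prereq = DEPENDS_ON.get(path)
        if prereq is not None:
            prev = last_seen[sess].get(prereq)
            if prev is None:
                # 800-41: command not preceded by the command it depends on
                findings.append((sess, f"{path} without prior {prereq}"))
            elif ts - prev < MIN_HUMAN_GAP_SECONDS:
                # API6: whole flow completed faster than a person could
                findings.append((sess, f"{prereq} -> {path} in {ts - prev:.2f}s"))
        last_seen[sess][path] = ts
    return findings


# Constructed log: s1 is a bot, s2 skips the cart, s3 sends an oversized
# username, s4 behaves like a person. Timestamps are seconds.
SAMPLE_LOG = [
    {"session": "s1", "ts": 100.00, "path": "/cart/add", "args": {"sku": "A1"}},
    {"session": "s1", "ts": 100.30, "path": "/checkout/complete", "args": {}},
    {"session": "s2", "ts": 101.00, "path": "/checkout/complete", "args": {}},
    {"session": "s3", "ts": 102.00, "path": "/login", "args": {"username": "x" * 1000}},
    {"session": "s4", "ts": 105.00, "path": "/cart/add", "args": {"sku": "B2"}},
    {"session": "s4", "ts": 120.00, "path": "/checkout/complete", "args": {}},
]

if __name__ == "__main__":
    for session, finding in find_non_human_flows(SAMPLE_LOG):
        print(session, finding)
```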
(TLP: CLEAR) Vercara: Vercara’s API security solution, UltraAPI, sets the standard for API security with minimal setup, providing a complete view of your API landscape without agents or changes to your application. Our cloud-based, agentless proxy streamlines deployment and blocking, reducing risk and promoting higher productivity and ROI through its simple yet effective approach.
Vercara’s Web Application Firewall, UltraWAF, equips your company with adaptable security features to counteract the most significant network and application-layer threats, including SQL injection, XSS, and DDoS attacks. Its always-on security posture, combined with cloud-based scalability, ensures comprehensive protection against the OWASP Top 10, advanced bot management, and vulnerability scanning, allowing you to effectively shield your critical and customer-facing applications from emerging threats.
Source: https://www.helpnetsecurity.com/2024/07/04/modern-applications-risks/
Mirai-like Botnet targets Zyxel NAS devices in Europe for DDoS attacks.
(TLP: CLEAR) A newly identified botnet, reminiscent of the infamous Mirai botnet, has been observed targeting two discontinued Zyxel Network Attached Storage (NAS) devices across Europe. Back in March 2024, three critical vulnerabilities in Zyxel’s NAS were reported to be exposed in the wild. Recently, investigators discovered that a Mirai-like botnet is exploiting these vulnerabilities, potentially allowing attackers to gain root access, execute malicious code, steal data, and install malware. These vulnerabilities, with a CVSS score of 9.8, affect the outdated Zyxel NAS models NAS326 and NAS542. Despite the devices being end-of-life, Zyxel has issued patches because some organizations hold extended warranties. Additional intelligence reporting indicates active scanning for CVE-2024-29973, a remote code injection flaw that appeared following Zyxel’s patching of CVE-2023-27992, in order to incorporate vulnerable endpoints into a botnet. These vulnerabilities allow command injection through crafted HTTP POST requests and arbitrary code execution via crafted configuration files.
(TLP: CLEAR) Comments: The three vulnerabilities, currently tracked as CVE-2024-29973 (Python Code Injection Vulnerability), CVE-2024-29972 (NsaRescueAngel Backdoor Account), and CVE-2024-29974 (Persistent Remote Code Execution Vulnerability), present significant risks, particularly in Europe, where 1,194 Zyxel devices are exposed. Countries with notable exposure include Italy, Russia, Hungary, and Germany. Typically, compromised devices are integrated into botnets, potentially facilitating DDoS attacks against critical infrastructure and businesses.
(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-189: “Distributed denial-of-service (DDoS) is a form of attack where the attack traffic is generated from many distributed sources to achieve a high-volume attack and directed towards an intended victim (i.e., system or server). To conduct a direct DDoS attack, the attacker typically makes use of a few powerful computers or a vast number of unsuspecting, compromised third-party devices (e.g., laptops, tablets, cell phones, Internet of Things (IoT) devices, etc.). The latter scenario is often implemented through botnets. In many DDoS attacks, the IP source addresses in the attack messages are “spoofed” to avoid traceability.”
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses for users and machines alike, using both defined categories, including botnet Command and Control (C2), and machine learning to detect previously uncategorized malicious associations, helping prevent data exfiltration or malware detonation.
Source: https://hackread.com/mirai-botnet-zyxel-nas-devices-europe-ddos-attacks/
OVHcloud blames record-breaking DDoS attack on MikroTik botnet.
(TLP: CLEAR) Recent reporting indicates a trend of increasing attack sizes since 2023, with those exceeding 1 Tbps becoming frequent and escalating to weekly or daily occurrences in 2024. Over the past 18 months, several attacks were observed to have sustained high bit rates and packet rates for extended periods, with the highest bit rate recorded at 2.5 Tbps on May 25, 2024. Analysis revealed an extensive use of core network devices, particularly MikroTik models, making the attacks more impactful and difficult to detect and mitigate. According to reporting, compromised MikroTik Cloud Core Router (CCR) devices, specifically models CCR1036-8G-2S+ and CCR1072-1G-8S+, contributed to these high packet rate attacks. Furthermore, nearly 100,000 MikroTik devices were later identified as vulnerable and exposed to the internet. Investigators later suggested that compromising even 1% of these devices could result in a botnet capable of generating billions of packets per second, posing a substantial threat. Despite multiple warnings from MikroTik to upgrade RouterOS to secure versions, many devices remain vulnerable, risking enlistment in DDoS botnets.
(TLP: CLEAR) Comments: MikroTik devices, often operating with outdated firmware, are susceptible to known exploits. Attackers can exploit MikroTik’s RouterOS “Bandwidth Test” feature to generate high packet rates, exacerbating their vulnerability. The ability to leverage these features makes these devices particularly attractive for malicious activities, including DDoS attacks.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.DS-02: “The confidentiality, integrity, and availability of data-in-transit are protected”
Organizations should have a well-defined incident response plan in place that outlines the procedures to follow during a DDoS attack, including communication protocols and escalation procedures. Additionally, organizations should use DDoS mitigation services from reputable providers that detect and mitigate attacks in real time, such as Vercara’s UltraDDoS Protect.
(TLP: CLEAR) Vercara: Vercara’s DDoS Protection solution, UltraDDoS Protect, is a purpose-built DDoS mitigation solution that offers comprehensive protection through on-premise hardware, cloud-based DDoS mitigation, or hybrid approaches. Tailored to meet any organizational need, Vercara’s array of DDoS Protection services includes blocking DDoS attacks, redirecting DDoS attacks, and cloud DDoS prevention, ensuring the broadest and most adaptable DDoS defense services available.
About Vercara.
The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.
To learn more about Vercara solutions, please visit our solutions overview page or contact us.