
Vercara’s Open-Source Intelligence (OSINT) Report – March 15 – March 21, 2024

Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. 

NOTE: Except where indicated, this report is released as TLP: CLEAR, and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.


New loop DoS attack may impact up to 300,000 vulnerable systems.

(TLP: CLEAR) Researchers at the CISPA Helmholtz Center for Information Security have disclosed a new denial-of-service (DoS) attack, dubbed 'Loop DoS', that targets application-layer protocols running over UDP. Because UDP performs no source-address validation, an attacker can spoof a single packet so that two vulnerable services start answering each other's error messages indefinitely, producing a self-sustaining flood. The weakness is tracked as CVE-2024-2169. The resulting traffic can exhaust the looping systems or the links between them, leaving the targeted hosts or network unavailable.

(TLP: CLEAR) Analyst Comments: According to recent reporting, the application-layer loop attack can be started from a single host, and the researchers estimate that roughly 300,000 hosts and their networks are vulnerable. Exploitation can overload the looping services themselves, saturate the network backbone between them, and serve as an amplification vector. The attack is significant because it affects both legacy protocols and current ones essential to internet operations, including time synchronization (NTP), domain name resolution (DNS), and file transfer (TFTP). Although it is easy to execute, there is presently no indication of active exploitation in the wild.

(TLP: CLEAR) Recommended Best Practices/Regulations: Update or disable vulnerable services, and work with affected parties to establish whether exposed hosts actually need them. If not, take the service offline; if they do, restrict who can reach it, for example with firewall rules. Because a loop runs between two servers, both ends of the exchange use service ports (0-1023) rather than the ephemeral source ports clients normally pick (1024 and above). Filtering inbound datagrams whose source port falls in the service range therefore breaks the loop while leaving ordinary client traffic untouched; apply that filter in front of every exposed UDP service.
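To make the port-range observation concrete, here is an added simulation (not code from the CISPA advisory or from Vercara) of two hypothetical error-responding UDP services, 'srvA' on port 7 and 'srvB' on port 19, with the source-port filter applied in front of them. Host names, ports and the 50-datagram step cap are assumptions for the demo.

```python
from collections import deque
from dataclasses import dataclass

# Constructed simulation, not code from the CISPA advisory: two hypothetical UDP
# services ("srvA" on port 7, "srvB" on port 19) that answer any unparseable
# datagram with an error datagram. Host names and ports are assumptions.

EPHEMERAL_MIN = 1024  # service ports are 0-1023; clients normally use >= 1024


@dataclass(frozen=True)
class Datagram:
    src_host: str
    src_port: int
    dst_host: str
    dst_port: int
    payload: bytes


def naive_error_responder(host: str, port: int):
    """Vulnerable behaviour: reply to *every* datagram, including another
    server's error reply, with an error of our own addressed to the sender."""
    def handle(dg: Datagram) -> Datagram:
        return Datagram(host, port, dg.src_host, dg.src_port, b"ERROR: unrecognised request")
    return handle


def drop_service_source_ports(dg: Datagram) -> bool:
    """Ingress rule from the advisory: a datagram arriving at a service must
    come from an ephemeral (client) source port. Two service ports talking to
    each other is exactly what a loop looks like on the wire."""
    return dg.src_port < EPHEMERAL_MIN


def deliver(services, first: Datagram, ingress_filter=None, max_steps: int = 50):
    """Route datagrams between services until nothing is in flight or
    max_steps datagrams have been handled. Returns (handled, still_looping)."""
    queue = deque([first])
    handled = 0
    while queue and handled < max_steps:
        dg = queue.popleft()
        handler = services.get((dg.dst_host, dg.dst_port))
        if handler is None:          # destination is a client or unknown host: no reply
            continue
        if ingress_filter and ingress_filter(dg):
            continue                 # dropped at the server's edge, never reaches the service
        handled += 1
        queue.append(handler(dg))
    return handled, bool(queue)


SERVICES = {
    ("srvA", 7): naive_error_responder("srvA", 7),
    ("srvB", 19): naive_error_responder("srvB", 19),
}


def spoofed_loop(with_filter: bool):
    """One attacker datagram forged to look like it came from srvA's service
    port and sent to srvB's service port; after that the servers talk to
    each other with no further attacker involvement."""
    trigger = Datagram("srvA", 7, "srvB", 19, b"junk")
    return deliver(SERVICES, trigger, drop_service_source_ports if with_filter else None)


def legitimate_client():
    """A normal client on an ephemeral port is still served through the filter."""
    req = Datagram("client", 40000, "srvB", 19, b"junk")
    return deliver(SERVICES, req, drop_service_source_ports)


if __name__ == "__main__":
    print("unfiltered:", spoofed_loop(False))   # (50, True): still looping at the step cap
    print("filtered:  ", spoofed_loop(True))    # (0, False): forged trigger dropped, no loop
    print("client:    ", legitimate_client())   # (1, False): served once, reply goes to client
```

Run it and the unfiltered case hits the step cap with a datagram still in flight, while the filtered case never delivers the forged trigger and a client on an ephemeral port is still answered. One caveat before deploying the rule: some legitimate server-to-server UDP traffic also uses a fixed low source port (NTP symmetric peers send from 123, some older resolvers from 53), so check what actually talks to each host first and exempt known peers explicitly.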

(TLP: CLEAR) Vercara: Vercara UltraWAF helps prevent common exploits of vulnerabilities in web applications that could lead to insertion of malware. Signatures for new vulnerabilities are constantly updated along with granular input validation controls and traffic filtering measures for flexibility. UltraWAF includes a number of tools for managing both benign and malicious bots including bot signatures and device fingerprinting.

Vercara UltraDDoS Protect provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and >15Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that is constantly updating mitigation devices allows protection against emerging attack vectors and common attack sources.

Source: https://cispa.de/en/loop-dos

Source: https://www.bleepingcomputer.com/news/security/new-loop-dos-attack-may-impact-up-to-300-000-online-systems/

New BunnyLoader malware variant surfaces with modular attack features.

(TLP: CLEAR) Researchers have documented a new, enhanced release of BunnyLoader, a widely used information stealer and malware loader, named "BunnyLoader 3.0". The update steals cryptocurrency and other sensitive data more effectively than earlier versions and is harder to detect, thanks to a smaller payload and a modular design that lets operators deploy only the components they need. BunnyLoader is sold as Malware-as-a-Service (MaaS) and was initially offered to affiliates for $250 per month. Beyond the evasion improvements, this version can launch distributed denial-of-service (DDoS) attacks against a specified URL; the DoS module is downloaded and injected into notepad[.]exe. It also uses a newly documented dropper to deploy PureCrypter, a loader that in turn delivers two distinct stealers, PureLogs and Meduza. The malware has moved from a single file to a base client that fetches modular components on demand, so its functionality is now split across four separate binaries. The client polls the command-and-control (C2) server every two seconds for new commands, including instructions to download additional malware onto the victim's device.

(TLP: CLEAR) Analyst Comments: As organizations strengthen their defenses, malware operators keep refining and upgrading their tools to stay ahead. Loaders such as BunnyLoader have been actively used in intrusions over the past year. The Malware-as-a-Service (MaaS) market is fiercely competitive, and information-stealing malware with new capabilities appears frequently as operators vie for market share.

(TLP: CLEAR) Recommended Best Practices/Regulations: Signature-based detection can identify and block known samples against a database of established malware signatures, while URL filtering and protective DNS can block access to known-malicious domains and IP addresses, cutting off C2 communication and the download of additional payloads. The two-second C2 polling interval described above also produces a highly regular outbound connection pattern that is worth hunting for in proxy and DNS logs. Additional indicators of compromise are available at https://unit42.paloaltonetworks.com/analysis-of-bunnyloader-malware/#post-132991-_2an8ryq91inv

(TLP: CLEAR) Vercara: Vercara UltraDDR (DNS Detection and Response) filters internal DNS responses from users as well as machines using both defined categories including botnet C&C as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or ransomware detonation. Vercara UltraDDoS Protect provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and >15Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that is constantly updating mitigation devices allows protection against emerging attack vectors and common attack sources.

Source: https://thehackernews.com/2024/03/new-bunnyloader-malware-variant.html

After LockBit, ALPHV takedowns, RaaS startups go on a recruiting drive.

(TLP: CLEAR) Law enforcement and government agencies have recently dismantled the infrastructure of major ransomware syndicates, including LockBit and ALPHV/BlackCat, which reporting describes as sending shockwaves through the cybercriminal underground. In coordinated operations, authorities in the US and EU have escalated their campaign against ransomware-as-a-service (RaaS) networks: unmasking the threat actors involved, seizing critical infrastructure, taking possession of sensitive data, and deliberately sowing distrust within the groups. Even so, these factions often resurface soon after being targeted, which raises doubts about the long-term impact of such interventions. Affiliates, the operators who actually carry out attacks under a RaaS brand, are consequently gravitating toward newer RaaS outfits that market themselves as trustworthy and reliable.

(TLP: CLEAR) Analyst Comments: The latest dismantling of high-profile ransomware groups showcases a significant stride in the fight against cybercrime, revealing both achievements and obstacles. These interventions have jolted key figures in the ransomware circuit, yet they also underscore the enduring nature and flexibility of cybercriminal alliances. Law enforcement’s focus on dismantling operational networks and instigating dissension within threat actor ranks marks a tactical evolution, designed to erode the dependability and cohesion of these illicit groups.

(TLP: CLEAR) Recommended Best Practices/Regulations: Beyond routinely updating and patching systems, organizations must back up system images and configurations, test those backups regularly, and keep them offline. Verify backup integrity and restorability through regular restore tests, and keep the copies disconnected from the corporate network: many ransomware strains are designed to seek out and encrypt or delete any backups they can reach.

(TLP: CLEAR) Vercara: Vercara UltraDDR (DNS Detection and Response) filters internal DNS responses from users as well as machines using both defined categories including botnet C&C as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or ransomware detonation.

Source: https://www.darkreading.com/threat-intelligence/after-lockbit-alphv-takedowns-raas-recruiting-drive

Updated version of malware that targeted U.S.-based satellite observed.

(TLP: CLEAR) Recent intelligence reporting has highlighted a new wiper, AcidPour, that resembles the AcidRain data wiper used against satellite communications provider Viasat in 2022. Researchers describe the new strain as tailored to Linux x86 IoT and network devices. AcidPour shares about 30% of its code with AcidRain but adds significant new features. Juan Andres Guerrero-Saade of SentinelLabs points out that references to the path '/dev/ubiXX' indicate AcidPour can wipe Unsorted Block Images (UBI) volumes, the flash-storage abstraction used by embedded devices, including IoT and networking equipment and potentially industrial control systems (ICS). AcidPour also targets the virtual block devices of Logical Volume Management (LVM), which network-attached storage systems such as QNAP and Synology use to manage RAID configurations.

(TLP: CLEAR) Analyst Comments: Since Russia's invasion of Ukraine, data wipers have become a weapon of choice for cyber threat actors because they destroy files and disable essential systems outright. The AcidRain attack on Viasat, for example, bricked KA-SAT modems across Ukraine, with collateral damage reaching 5,800 Enercon wind turbines in Germany that lost their remote monitoring and control link. AcidRain was built for the MIPS architecture; AcidPour is an ELF binary compiled for x86, which widens the range of devices and infrastructure an attacker can hit with it.
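A first-pass triage of the two traits called out above, target architecture and references to UBI or LVM device nodes, can be automated. The following is an added example written for this report, not SentinelLabs tooling: it reads the ELF header's e_machine field and scans the raw bytes for device paths. The two sample blobs are constructed stand-ins carrying only the header fields and strings the script needs; they are not real malware.

```python
import re
import struct

# Added triage helper, not SentinelLabs' tooling. Checks the two traits the
# reporting calls out: target architecture from the ELF header, and references
# to UBI / LVM device nodes in the binary's bytes. The sample blobs below are
# constructed for the demo and are not AcidPour.

EM_386, EM_MIPS, EM_X86_64 = 3, 8, 62
MACHINE_NAMES = {EM_386: "x86", EM_MIPS: "MIPS", EM_X86_64: "x86-64"}

# Device-node patterns: UBI volumes (/dev/ubiN, /dev/ubiN_M), device-mapper
# nodes used by LVM (/dev/dm-N, /dev/mapper/...), plus raw MTD and block nodes.
DEVICE_PATTERNS = {
    "ubi": re.compile(rb"/dev/ubi\d+(?:_\d+)?"),
    "lvm": re.compile(rb"/dev/(?:dm-\d+|mapper/[\w.-]+)"),
    "mtd": re.compile(rb"/dev/mtd(?:block)?\d+"),
    "block": re.compile(rb"/dev/[sh]d[a-z]\d*"),
}


def elf_machine(data: bytes):
    """Return (arch name, is_64bit) from the ELF header, or None if not an ELF.
    EI_CLASS is byte 4, EI_DATA (endianness) byte 5, e_machine the 16-bit field at offset 18."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    is_64 = data[4] == 2
    endian = "<" if data[5] == 1 else ">"
    (e_machine,) = struct.unpack_from(endian + "H", data, 18)
    return MACHINE_NAMES.get(e_machine, f"unknown({e_machine})"), is_64


def device_references(data: bytes):
    """Map of pattern name -> sorted unique device paths found in the bytes."""
    found = {}
    for name, pat in DEVICE_PATTERNS.items():
        hits = sorted({m.decode() for m in pat.findall(data)})
        if hits:
            found[name] = hits
    return found


def triage(data: bytes):
    """Summarise the traits that distinguish an AcidPour-like x86 wiper from
    the MIPS AcidRain: architecture plus UBI/LVM device references."""
    machine = elf_machine(data)
    if machine is None:
        return {"elf": False}
    arch, is_64 = machine
    refs = device_references(data)
    return {
        "elf": True,
        "arch": arch,
        "bits": 64 if is_64 else 32,
        "devices": refs,
        "targets_flash_ubi": "ubi" in refs,
        "targets_lvm": "lvm" in refs,
    }


def fake_elf(e_machine: int, is_64: bool, little_endian: bool, strings: bytes) -> bytes:
    """Build a minimal ELF-looking blob: e_ident, e_type, e_machine, padding, strings.
    Constructed test input only; it is not a loadable executable."""
    ident = b"\x7fELF" + bytes([2 if is_64 else 1, 1 if little_endian else 2, 1]) + b"\x00" * 9
    endian = "<" if little_endian else ">"
    header = ident + struct.pack(endian + "HH", 2, e_machine)  # e_type=ET_EXEC, e_machine
    return header + b"\x00" * 48 + strings


SAMPLE_X86 = fake_elf(EM_386, False, True,
                      b"/dev/ubi0\x00/dev/ubi0_3\x00/dev/dm-0\x00/dev/mapper/vg0-data\x00/dev/sda\x00")
SAMPLE_MIPS = fake_elf(EM_MIPS, False, False, b"/dev/mtdblock0\x00/dev/sda\x00")

if __name__ == "__main__":
    print(triage(SAMPLE_X86))
    print(triage(SAMPLE_MIPS))
```

This only catches plaintext references, so a packed or encrypted sample has to be unpacked first, and a MIPS result does not rule out an x86 build of the same family, which is exactly the AcidRain-to-AcidPour shift described above.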

(TLP: CLEAR) Recommended Best Practices/Regulations: At the time of reporting, 32 security vendors' engines detect this wiper variant, and it has not yet been observed in a real-world attack, so its intended targets remain unknown. Organizations should nevertheless keep software up to date, run regular anti-virus scans, filter network traffic, enforce multi-factor authentication, and maintain secure backups of essential data. Because a wiper that reaches UBI or LVM volumes leaves nothing to recover on the device itself, those backups need to be held off the device and restore-tested.

(TLP: CLEAR) Vercara: Vercara UltraWAF helps prevent common exploits of vulnerabilities in web applications that could lead to insertion of malware. Signatures for new vulnerabilities are constantly updated along with granular input validation controls and traffic filtering measures for flexibility.

UltraWAF includes a number of tools for managing both benign and malicious bots including bot signatures and device fingerprinting.

Vercara UltraDDR (DNS Detection and Response) filters internal DNS responses from users as well as machines using both defined categories including botnet C&C as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation.

Source: https://cyberscoop.com/viasat-malware-wiper-acidrain/

Source: https://www.bleepingcomputer.com/news/security/new-acidpour-data-wiper-targets-linux-x86-network-devices/

New updated Govt guidance released on DDoS attacks.

(TLP: CLEAR) The US government has published updated joint guidance on distributed denial-of-service (DDoS) attacks for public sector entities, to help them defend their networks against disruption. The guide is an in-depth resource tailored to the requirements and obstacles that federal, state, and local agencies face in countering DDoS attacks. It stresses that DDoS attacks, in which traffic or requests from many compromised systems overwhelm a target until it is inaccessible, are becoming harder to identify and mitigate. The joint document highlights three main types of DDoS attack that public sector entities must be prepared for: volumetric attacks, which seek to exhaust the target's available bandwidth or system resources; protocol attacks, which exploit weaknesses in the target's protocol implementations to degrade its performance; and application-layer attacks, which target specific applications or services on the target system to exhaust their processing capacity or trigger malfunctions.

(TLP: CLEAR) Analyst Comments: Volumetric attacks commonly include UDP floods, ICMP floods, and amplification attacks. A typical protocol attack is the SYN flood, which abuses the TCP three-way handshake: the attacker sends a stream of SYN segments, often from spoofed addresses, and never completes the handshake, so the server's table of half-open connections fills and legitimate connections are refused. An example of an application-layer attack is the HTTP flood, in which the attacker bombards the target's web server with large numbers of HTTP requests intended to exhaust its resources; because each request arrives over a fully established connection, these are the hardest to distinguish from genuine traffic.

(TLP: CLEAR) Recommended Best Practices/Regulations: Organizations should have a well-defined incident response plan in place that outlines the procedures to take in a DDoS attack, including communication protocols and escalation procedures. Additionally, organizations should utilize DDoS mitigation services from reputable providers that detect and mitigate attacks in real-time such as Vercara’s UltraDDoS Protect.

(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and >15Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that is constantly updating mitigation devices allows protection against emerging attack vectors and common attack sources.

Source: https://www.cisa.gov/news-events/alerts/2024/03/21/cisa-fbi-and-ms-isac-release-update-joint-guidance-distributed-denial-service-techniques

Cybercriminals are taking advantage of APIs.

(TLP: CLEAR) A newly released report sheds light on the role of Application Programming Interfaces (APIs) in the security landscape. APIs underpin digital transformation by letting applications and databases communicate. The report, "State of API Security in 2024", finds that API calls made up 71% of internet traffic in 2023, and that the average enterprise site handled roughly 1.5 billion API calls that year. That share of traffic should concern every security professional: despite shift-left efforts to build security into the Software Development Life Cycle (SDLC), APIs frequently reach production without being catalogued, authenticated, or audited. Organizations run an average of 613 API endpoints in production, a number that is growing quickly under pressure to deliver digital services faster. Over time these endpoints drift into risky, vulnerable territory. The report names three common types of mismanaged API endpoint that create risk: shadow, deprecated, and unauthenticated APIs.

(TLP: CLEAR) Analyst Comments: Shadow APIs, deprecated APIs, and unauthenticated APIs are distinct classes of endpoint that put an organization's digital infrastructure at risk. Shadow APIs are created or used without the approval or oversight of the IT or security team. They can originate from development projects, third-party integrations, or employee-built tools, and because they typically lack security controls and documentation they are easy targets. Deprecated APIs are no longer supported or maintained by their developers; they may have been replaced by newer versions or discontinued altogether, yet they often remain reachable in production without receiving fixes. Unauthenticated APIs accept requests without verifying any credential, so whatever data or actions they expose are available to anyone who discovers them.
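One way to surface all three classes from data most teams already hold is to compare the documented inventory with what actually answers in production. The example below is added here and is not from the report or from UltraAPI: it matches observed requests (constructed log lines in a simplified 'METHOD path status auth=yes|no' form) against a constructed route catalog and flags routes absent from the catalog (shadow), routes marked deprecated that still receive traffic, and routes that require authentication but returned 2xx to requests carrying no credential.

```python
import re
from collections import defaultdict

# Added example, not from the "State of API Security in 2024" report or any
# product. Catalog entries, route templates and log lines are all constructed.

# Documented inventory: route template -> metadata. "{id}" stands for one path segment.
CATALOG = {
    "/api/v2/users/{id}": {"auth": True,  "deprecated": False},
    "/api/v2/orders":     {"auth": True,  "deprecated": False},
    "/api/v1/users/{id}": {"auth": True,  "deprecated": True},
    "/api/v2/health":     {"auth": False, "deprecated": False},   # documented as public
}

# Simplified access-log shape for the demo: "METHOD path status auth=yes|no",
# where auth=yes means the request carried a credential (e.g. an Authorization header).
ACCESS_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) auth=(?P<auth>yes|no)$")


def template_to_regex(tmpl: str):
    """Turn "/api/v2/users/{id}" into a regex matching exactly one concrete path."""
    parts = re.split(r"(\{[^}]+\})", tmpl)
    body = "".join("[^/]+" if p.startswith("{") else re.escape(p) for p in parts)
    return re.compile("^" + body + "$")


COMPILED = [(tmpl, template_to_regex(tmpl), meta) for tmpl, meta in CATALOG.items()]


def match_route(path: str):
    """Return (template, metadata) for a concrete request path, or (None, None)."""
    path = path.split("?", 1)[0]
    for tmpl, rx, meta in COMPILED:
        if rx.match(path):
            return tmpl, meta
    return None, None


def generalise(path: str) -> str:
    """Collapse numeric segments so shadow endpoints group by route, not by record id."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path.split("?", 1)[0])


def classify(lines):
    """Count observed requests per finding class:
    shadow: route not in the catalog; deprecated: catalog says deprecated but traffic still
    arrives; unauthenticated: catalog requires auth but a credential-less request got a 2xx."""
    findings = {"shadow": defaultdict(int), "deprecated": defaultdict(int), "unauthenticated": defaultdict(int)}
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        tmpl, meta = match_route(m["path"])
        if tmpl is None:
            findings["shadow"][generalise(m["path"])] += 1
            continue
        if meta["deprecated"]:
            findings["deprecated"][tmpl] += 1
        if meta["auth"] and m["auth"] == "no" and 200 <= int(m["status"]) < 300:
            findings["unauthenticated"][tmpl] += 1
    return {k: dict(v) for k, v in findings.items()}


SAMPLE_LOG = [                                   # constructed demo traffic
    "GET /api/v2/users/42 200 auth=yes",
    "GET /api/v2/users/42 200 auth=no",          # succeeded without a credential
    "GET /api/v2/users/43 401 auth=no",          # correctly rejected
    "POST /api/v2/orders 201 auth=yes",
    "GET /api/v1/users/42 200 auth=yes",         # deprecated version still answering
    "GET /api/v2/health 200 auth=no",            # public by design, not a finding
    "GET /internal/export/7/csv 200 auth=no",    # not in the catalog at all
    "GET /internal/export/9/csv 200 auth=no",
    "GET /api/v2/debug?dump=1 200 auth=yes",     # not in the catalog either
]

if __name__ == "__main__":
    for cls, routes in classify(SAMPLE_LOG).items():
        print(cls, routes)
```

In practice the catalog comes from the OpenAPI specs or gateway configuration and the observed side from gateway or load-balancer logs; the point is that the shadow and unauthenticated findings only appear when both sides are compared, which is why an inventory that records environment, intended audience and version for every host matters.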

(TLP: CLEAR) Recommended Best Practices/Regulations: Organizations should inventory all API hosts and document the important aspects of each, focusing on the API environment (e.g. production, staging, test, development), who should have network access to the host (e.g. public, internal, partners), and the API version.

(TLP: CLEAR) Vercara: Vercara UltraAPI offers a comprehensive solution to the complex challenges security teams face in safeguarding API applications against cyber threats. It provides thorough discovery of the entire API landscape, including external and internal APIs, assesses API risk posture to highlight critical vulnerabilities needing remediation, and delivers real-time protection to prevent API attacks, ensuring data safety, preventing fraud, and avoiding business disruptions. This solution stands out by addressing every phase of the API security lifecycle, promoting best practices in security and governance to eliminate risks effectively.

Source: https://thehackernews.com/2024/03/apis-drive-majority-of-internet-traffic.html

 

About Vercara.

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please visit our solutions overview page or contact us.