The Biggest Internet Attack In History Is Not Over (Yet)

This week on DIY Cyber Guy:

  • Massive attack briefly shut down several popular sites. I’ll tell you what happened and why you need a little patience this week. Bottom line: news of the death of the Internet is premature!
  • Update on Intel, and why I am still recommending that you avoid buying computers with certain Intel chips inside. But that could change soon.
  • Microsoft will distribute Intel’s microcode update itself! Great news, easier for Windows users, BUT BACK UP FIRST!
  • Flash is declining faster than we expected! Great news!

My guest is Charles Givre; here is his bio:

Mr. Charles Givre CISSP currently is a lead data scientist in the CISO for Deutsche Bank. Prior to joining Deutsche Bank, Mr. Givre worked as a Senior Lead Data Scientist for Booz Allen Hamilton for seven years, where he worked at the intersection of cyber security and data science. For the last few years, Mr. Givre worked on one of Booz Allen’s largest analytic programs, where he led data science efforts and worked to expand the role of data science in the program. Mr. Givre is passionate about teaching others data science and analytic skills and has taught data science classes all over the world at conferences, universities and for clients. Most recently, Mr. Givre taught a data science class at the BlackHat conference in Las Vegas and at the Center for Research in Applied Cryptography and Cyber Security at Bar Ilan University. He is a sought-after speaker and has delivered presentations at major industry conferences such as Strata-Hadoop World, BlackHat, Open Data Science Conference and others. One of Mr. Givre’s research interests is increasing the productivity of data science and analytic teams, and towards that end he has been working extensively to promote the use of Apache Drill in security applications and has contributed to the code base. Mr. Givre teaches online classes for O’Reilly about Drill and Security Data Science and is a coauthor of the forthcoming O’Reilly book about Apache Drill. Prior to joining Booz Allen, Mr. Givre worked as a counterterrorism analyst at the Central Intelligence Agency for five years. Mr. Givre holds a Master’s degree in Middle Eastern Studies from Brandeis University, as well as a Bachelor of Science in Computer Science and a Bachelor of Music, both from the University of Arizona. He speaks French reasonably well, plays trombone, lives in Baltimore with his family and, in his non-existent spare time, is restoring a classic British sports car. Mr. Givre blogs at thedataist.com and tweets @cgivre.

Intel coming along

Hair on Fire 1 of 5

Advice: don’t buy an Intel computer yet. If you must, be sure it does not have an Intel chip whose microcode update is still listed as “Planning” in Intel’s guidance!

Microcode updates: https://newsroom.intel.com/wp-content/uploads/sites/11/2018/03/microcode-update-guidance.pdf

Progress update: Intel has released production microcode updates:

“…we have now released production microcode updates to our OEM customers and partners for Kaby Lake- and Coffee Lake-based platforms, plus additional Skylake-based platforms. This represents our 6th, 7th and 8th Generation Intel® Core™ product lines as well as our latest Intel® Core™ X-series processor family. …

The new microcode will be made available in most cases through OEM firmware updates. I (author: Navin Shenoy) continue to encourage people to always keep their systems up-to-date. There is also a comprehensive schedule and current status for planned microcode updates available online.”

https://newsroom.intel.com/news/latest-intel-security-news-updated-firmware-available/


Microsoft has decided to distribute Intel’s microcode update itself, as a Windows update!

Hair on Fire 1 of 5

Much easier for listeners, because you don’t have to go to your PC’s MANUFACTURER for the update.

(Apple is both the hardware manufacturer and the software producer. Microsoft is just a software vendor, so normally a microcode update would come from your PC maker as a firmware update.)

https://support.microsoft.com/en-us/help/4090007/intel-microcode-updates

Currently supported processors (the last item on each line is the CPUID signature used in Intel’s guidance):

  • Skylake H/S, 6th Generation Intel Core Processor Family, 506E3
  • Skylake U/Y & Skylake U23e, 6th Generation Intel Core m Processors, 406E3
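To find out whether a given PC is one of the two processors Microsoft lists, and whether the new microcode has actually been loaded after the update, you need the machine’s CPUID signature and its current microcode revision. The following is an added example written for this post (it is not Microsoft’s or Intel’s tooling): on Linux it parses /proc/cpuinfo, on Windows it reads the CentralProcessor\0 registry key. The /proc/cpuinfo text at the bottom is constructed, the signature list contains only the two entries shown above, and the assumption that the “Update Revision” registry value holds the raw IA32_BIOS_SIGN_ID MSR bytes is mine.

```python
"""Identify which Intel CPUID signature a machine has and which microcode
revision it is running, so the answer can be checked against the lists that
Intel (microcode guidance PDF) and Microsoft (KB4090007) publish.

Added example for this post; it is not Intel's or Microsoft's tooling.
"""
import platform
import re

# The two signatures this post lists as covered by KB4090007.
KB4090007_SIGNATURES = {0x506E3: "Skylake H/S", 0x406E3: "Skylake U/Y and U23e"}


def cpuid_signature(family: int, model: int, stepping: int) -> int:
    """Rebuild the CPUID(1).EAX signature (the '506E3' style number) from the
    display family/model/stepping values that /proc/cpuinfo prints.

    Display model = (extended_model << 4) | base_model; display family is the
    base family plus the extended family when the base family is 0xF.
    """
    ext_model, base_model = model >> 4, model & 0xF
    if family >= 0xF:
        base_family, ext_family = 0xF, family - 0xF
    else:
        base_family, ext_family = family, 0
    return ((ext_family << 20) | (ext_model << 16) | (base_family << 8)
            | (base_model << 4) | stepping)


def parse_proc_cpuinfo(text: str) -> dict:
    """Return the signature and loaded microcode revision of the first
    processor block in /proc/cpuinfo text (Linux)."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            if fields:          # blank line terminates the first processor block
                break
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    signature = cpuid_signature(int(fields["cpu family"]),
                                int(fields["model"]),
                                int(fields["stepping"]))
    return {"signature": signature, "microcode": int(fields["microcode"], 16)}


def decode_update_revision(raw: bytes) -> int:
    """Windows keeps the loaded revision in the REG_BINARY value 'Update Revision'
    under HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0.
    Assumption made here: the value is the raw 64-bit IA32_BIOS_SIGN_ID MSR
    (0x8B), little-endian, whose upper 32 bits are the revision."""
    return int.from_bytes(raw, "little") >> 32


def windows_microcode() -> dict:
    """Read signature and loaded revision from the registry on Windows."""
    import winreg  # Windows-only module, imported lazily on purpose
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"HARDWARE\DESCRIPTION\System\CentralProcessor\0")
    raw, _ = winreg.QueryValueEx(key, "Update Revision")
    identifier, _ = winreg.QueryValueEx(key, "Identifier")  # e.g. 'Intel64 Family 6 Model 94 Stepping 3'
    match = re.search(r"Family (\d+) Model (\d+) Stepping (\d+)", identifier)
    family, model, stepping = (int(x) for x in match.groups())
    return {"signature": cpuid_signature(family, model, stepping),
            "microcode": decode_update_revision(raw)}


def report(info: dict) -> str:
    """One-line verdict: is this CPU one of the two KB4090007 covers?"""
    sig = info["signature"]
    covered = KB4090007_SIGNATURES.get(sig)
    status = (f"listed for KB4090007 ({covered})" if covered
              else "not one of the two signatures KB4090007 lists; use your OEM's firmware update")
    return f"CPUID {sig:X}, microcode revision 0x{info['microcode']:X}: {status}"


# Constructed /proc/cpuinfo excerpt for a Skylake desktop (family 6, model 94, stepping 3).
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 94
model name\t: Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz
stepping\t: 3
microcode\t: 0xba

processor\t: 1
cpu family\t: 6
model\t\t: 94
stepping\t: 3
microcode\t: 0xba
"""

if __name__ == "__main__":
    if platform.system() == "Windows":
        print(report(windows_microcode()))
    else:
        try:
            with open("/proc/cpuinfo") as fh:
                print(report(parse_proc_cpuinfo(fh.read())))
        except OSError:                     # not Linux: fall back to the constructed sample
            print(report(parse_proc_cpuinfo(SAMPLE_CPUINFO)))
```

Run it before and after installing the update and compare the revision number with the one Intel’s guidance PDF gives for your signature; if the number did not change, the microcode was not loaded (on Windows, a reboot is required).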

Caution!

Make a full system backup! Hair on Fire 5 of 5

Windows: https://support.microsoft.com/en-us/help/17127/windows-back-up-restore

Apple systems: no word yet on how Apple is handling Intel’s latest update.

https://support.apple.com/mac-backup

Flash phase-out is accelerating!

Still Hair on Fire 5 of 5

The percentage of daily Chrome users who’ve loaded at least one page containing Flash content per day has gone down from around 80% in 2014 to under 8% in early 2018.

These statistics on Flash’s declining numbers were shared with the public by Parisa Tabriz, Director of Engineering at Google, during a keynote speech at Network and Distributed System Security Symposium (NDSS) held in San Diego last week.

Flash’s demise was to be expected, though. Adobe announced last year plans to stop supporting the Adobe Flash Media Player by the end of 2020.

But while Chrome, Firefox, Edge, and all major browsers have already moved from a Flash-enabled-by-default to a Flash-click-to-play policy since last year, the massive drop in Flash usage numbers is a huge surprise for most industry experts.

This big drop could, at least in theory, be explained by the fact that most advertising networks and video streaming portals have moved away from Flash to HTML5, meaning most people can go days before encountering a website that still loads some kind of Flash object.

Source: https://www.bleepingcomputer.com/news/security/google-chrome-flash-usage-declines-from-80-percent-in-2014-to-under-8-percent-today/

Again, Hair on Fire 5 of 5: UNINSTALL FLASH!

If you see a Flash auto-update prompt, that means it is still installed: UNINSTALL FLASH instead of updating it!

Questions from Listeners:

Steve from Michigan:

I heard the internet was going extinct because of a new kind of attack. Seriously. What’s going on?

Nothing to worry about; this will get fixed.

The attack is called a “Memcached Distributed Denial of Service” (memcached DDoS) attack.

Main factors:

  • UDP: memcached’s UDP listener was never designed to be exposed to the public Internet. UDP has no handshake, so the attacker simply writes the victim’s address as the source and the server sends its reply to the victim.
  • Small request = big response: a request of a few dozen bytes draws back kilobytes of reply, so the traffic is amplified many times over.
  • Titanic result: a 1.7 Tbps attack, the largest ever recorded (chart: peak DDoS attack sizes by year, March 2018).

Source:

https://www.arbornetworks.com/blog/asert/netscout-arbor-confirms-1-7-tbps-ddos-attack-terabit-attack-era-upon-us/

  • Easy fix: disable UDP on memcached servers (start memcached with -U 0) and block UDP port 11211 from the Internet.

  • Before 24th February, the day when Memcached-based DDoS attacks were first spotted, the daily average was less than 50 attacks.

  • Between 24th and 28th February, when Memcached as a new amplification attack vector had not yet been publicly disclosed and was known only to a small group of people, the attacks rose to an average of 372 attacks per day.

  • Soon after the first public report came on 27th February, between 1st and 8th March, the total number of attacks jumped to 13,027, with an average of 1,628 DDoS attack events per day.

Article Continues:

The list of famous online services and websites which were hit by massive DDoS attacks since 24th February includes Google, Amazon, QQ.com, 360.com, PlayStation, OVH Hosting, VirusTotal, Comodo, GitHub (1.35 Tbps attack), Royal Bank, Minecraft and Rockstar Games, Avast, Kaspersky, and Pinterest.

https://thehackernews.com/2018/03/memcached-ddos-attack.html

This issue is already fixed on the software side: disable UDP on the memcached server.

What’s the problem, then? Roughly 17k exposed servers worldwide still have to be patched or firewalled by their owners.
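To make the three factors above concrete, here is an added example for this post (not code from Arbor, The Hacker News or the memcached project): it builds the tiny UDP “stats” probe that scanners and attackers send, reassembles a constructed multi-datagram reply the way memcached frames it, works out the amplification ratio for that constructed data, and checks a memcached command line or /etc/memcached.conf fragment for the -U 0 fix. The reply body is made up and small; a real server that holds large values sends back far more per probe than this.

```python
"""Memcached-over-UDP reflection: what the attacker sends, what the server
sends back, how much it amplifies, and how to tell whether a memcached
config still has UDP on.  Added example for this post; it is not code from
any of the vendors cited, and the server reply below is constructed."""
import struct

MEMCACHED_PORT = 11211
# memcached's UDP frame header: request id, sequence number, number of
# datagrams in this reply, reserved (all 16-bit big-endian).
HEADER = struct.Struct("!HHHH")


def build_probe(request_id: int = 0, command: bytes = b"stats\r\n") -> bytes:
    """The 15-byte 'stats' probe: frame header plus an ASCII command.  A
    reflection attack sends exactly this with the source IP forged to the
    victim's, so the (much larger) reply is delivered to the victim."""
    return HEADER.pack(request_id, 0, 1, 0) + command


def make_sample_reply(request_id: int, max_payload: int = 300):
    """Constructed stand-in for a server's reply to 'stats', split into
    frames the way memcached does it (header on every frame, seq numbered)."""
    body = b"".join(b"STAT key%d %d\r\n" % (i, i) for i in range(60)) + b"END\r\n"
    chunks = [body[i:i + max_payload] for i in range(0, len(body), max_payload)]
    datagrams = [HEADER.pack(request_id, seq, len(chunks), 0) + chunk
                 for seq, chunk in enumerate(chunks)]
    return body, datagrams


def reassemble(datagrams: list) -> bytes:
    """Put a multi-frame reply back in sequence order, ignoring frames whose
    request id or frame count do not match the first one seen."""
    frames, request_id, total = {}, None, None
    for d in datagrams:
        rid, seq, count, _ = HEADER.unpack_from(d)
        if request_id is None:
            request_id, total = rid, count
        elif (rid, count) != (request_id, total):
            continue
        frames[seq] = d[HEADER.size:]
    if total is None or len(frames) != total:
        raise ValueError("incomplete reply")
    return b"".join(frames[i] for i in range(total))


def amplification_factor(request: bytes, datagrams: list) -> float:
    """UDP payload bytes delivered to the victim per byte the attacker sent."""
    return sum(len(d) for d in datagrams) / len(request)


def udp_enabled(memcached_conf: str) -> bool:
    """Read a memcached command line or /etc/memcached.conf fragment and say
    whether the UDP listener is on.  '-U 0' / '--udp-port=0' turns it off.
    memcached 1.5.6 and later default to off, older builds default to UDP
    11211, so an absent option is treated as ON (the safe reading for an
    old server)."""
    tokens = []
    for line in memcached_conf.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        tokens.extend(line.split())
    port = None
    for i, tok in enumerate(tokens):
        if tok == "-U" and i + 1 < len(tokens):
            port = int(tokens[i + 1])
        elif tok.startswith("-U") and tok[2:].isdigit():
            port = int(tok[2:])
        elif tok.startswith("--udp-port="):
            port = int(tok.partition("=")[2])
    return port != 0


if __name__ == "__main__":
    probe = build_probe(request_id=0x1234)
    body, datagrams = make_sample_reply(request_id=0x1234)
    assert reassemble(datagrams) == body
    print(f"probe: {len(probe)} bytes, reply: {sum(map(len, datagrams))} bytes "
          f"in {len(datagrams)} datagrams, amplification x{amplification_factor(probe, datagrams):.1f}")
    for conf in ("-m 64 -p 11211 -u memcache -l 127.0.0.1",
                 "-m 64 -p 11211 -u memcache -l 127.0.0.1 -U 0"):
        print(f"{conf!r}: UDP {'ON' if udp_enabled(conf) else 'off'}")
```

If you run a memcached server, send yourself the probe from outside your network (for example with a one-line UDP client) and confirm nothing comes back; if it does, add -U 0, restart, and firewall UDP 11211 anyway.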

So, this is a Hair on Fire 1 of 5: all you can do is have a little patience, because you may not be able to reach a site while it is being attacked.

Thanks, Steve.

Next Question:

Roland from California,

“I recently completed a bitcoin transaction. I made a small donation to a non-profit. I cut and pasted the Ethereum account key that they sent me, but the donation never made it. But, my Ethereum account was definitely debited the amount. Am I being scammed by the non-profit, or did my Ethereum just get lost on the way?”

Most likely neither. This is the signature of clipboard-hijacking malware such as Evrial, CryptoShuffler and ComboJack, which watches the clipboard for a copied wallet address and swaps in the attacker’s address before you paste it.

Click here for article – great explanation:

https://researchcenter.paloaltonetworks.com/2018/03/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/

…ComboJack enters into an infinite loop. Every half second it checks the contents of the clipboard. The contents of the clipboard are checked for various criteria to determine if the victim has copied wallet information for various digital currencies. In the event a wallet of interest is discovered, ComboJack will replace it with a hardcoded wallet that the attacker presumably owns in an attempt to have the victim accidentally send money to the wrong location. This tactic relies on the fact that wallet addresses are typically long and complex and to prevent errors, most users will opt to copy an exact string in order to prevent potential errors. If any potential currency addresses are found, they are replaced following the criteria in the table below:

Checks for these criteria | Replaces with | Wallet type
--- | --- | ---
Length of 42 and starts with ‘0’ | 0xE44598AB74425450692F7b3a9f898119968da8Ad | Ethereum
Length of 106 and starts with ‘4’ | 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBE | Monero (see note)
Length of 34 and starts with ‘1’ | 1LGskAycxvcgh6iAoigcvbwTtFjSfdod2x | Bitcoin
Length of 34 and starts with ‘L’ | LYB56d6TeMg6VmahcgfTZSALAQRcNRQUV | Litecoin
Length of 11 and starts with ‘8’ | 79965017478 | Qiwi
Length of 13 and starts with ‘R’ | R064565691369 | WebMoney (Rubles)
Length of 13 and starts with ‘Z’ | Z152913748562 | WebMoney (USD)
Length of 13 and starts with ‘E’ | 88888888888888888888888888888888888888888888888888 | Unknown
Length of 15 and starts with ‘4100’ | 410014474125403 | Yandex Money

Note on the Monero row (from the source): it’s important to note that this replacement string is not long enough, as Monero wallet addresses are either 95 or 106 characters in length. This was likely a mistake made by the author.

Table 1. Replacement address lookup table hardcoded into ComboJack.

Source:

https://researchcenter.paloaltonetworks.com/2018/03/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/
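The table above is the whole attack: a length-and-prefix check on the clipboard, then an overwrite. Here is an added example for this post (not Unit 42’s code and not the malware’s) that runs those rules against a simulated clipboard and, on the defensive side, shows the one check that actually catches the swap: compare what you paste with what you copied, character by character. The charity address and the attacker’s replacement address in it are made-up placeholders, not the ones from Table 1.

```python
"""ComboJack-style clipboard swap next to a paste-time guard.  Added example
for this post; it is not Unit 42's or the malware's code.  The attacker
wallet used below is a made-up placeholder, not one from Table 1."""
from typing import Optional, Tuple

# The matching rules from Unit 42's Table 1: (length, required prefix, wallet type).
RULES = [
    (42, "0", "Ethereum"),
    (106, "4", "Monero"),
    (34, "1", "Bitcoin"),
    (34, "L", "Litecoin"),
    (11, "8", "Qiwi"),
    (13, "R", "WebMoney (Rubles)"),
    (13, "Z", "WebMoney (USD)"),
    (13, "E", "Unknown"),
    (15, "4100", "Yandex Money"),
]

# Placeholder attacker address (constructed): length 42, starts with '0'.
ATTACKER_WALLETS = {"Ethereum": "0x" + "42" * 20}


def classify(text: str) -> Optional[str]:
    """Which wallet type the malware's rules assign to a clipboard string."""
    for length, prefix, kind in RULES:
        if len(text) == length and text.startswith(prefix):
            return kind
    return None


class Clipboard:
    """Stand-in for the OS clipboard so the demo runs offline."""
    def __init__(self, text: str = ""):
        self.text = text

    def get(self) -> str:
        return self.text

    def set(self, text: str) -> None:
        self.text = text


def hijack_once(clipboard: Clipboard, wallets: dict) -> Optional[str]:
    """One pass of the malware's poll-every-half-second loop: if the clipboard
    holds an address of a type it has a replacement for, overwrite it and
    report the type; otherwise leave it alone."""
    kind = classify(clipboard.get())
    if kind in wallets and clipboard.get() != wallets[kind]:
        clipboard.set(wallets[kind])
        return kind
    return None


class PasteGuard:
    """Defender side: remember the address you copied from the trusted source
    (the charity's page, your own wallet) and refuse to send anything else."""
    def __init__(self):
        self.expected: Optional[str] = None

    def copied(self, address: str) -> None:
        self.expected = address

    def verify(self, pasted: str) -> Tuple[bool, str]:
        if self.expected is None:
            return False, "no trusted copy recorded; re-copy the address first"
        if pasted == self.expected:
            return True, "pasted address matches the one you copied"
        first_diff = next((i for i, (a, b) in enumerate(zip(self.expected, pasted)) if a != b),
                          min(len(self.expected), len(pasted)))
        return False, (f"clipboard was altered between copy and paste (first difference at "
                       f"character {first_diff}; pasted text looks like a {classify(pasted)} address)")


def demo() -> Tuple[bool, str]:
    """Victim copies the charity's address, the malware polls once, the victim pastes."""
    charity = "0x" + "1234567890abcdef" * 2 + "12345678"   # constructed, 42 chars
    clipboard = Clipboard()
    guard = PasteGuard()
    clipboard.set(charity)
    guard.copied(charity)
    hijack_once(clipboard, ATTACKER_WALLETS)   # malware runs between copy and paste
    return guard.verify(clipboard.get())


if __name__ == "__main__":
    ok, why = demo()
    print("SEND" if ok else "STOP", "-", why)
```

The practical version of PasteGuard is you: after pasting, read the address back against the source, start and end, before you hit send. An address that is the right length and the right type tells you nothing, because the attacker’s replacement is chosen to pass exactly that test.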

Creative Commons License

This work is licensed under a Creative Commons License: Attribution required if you republish or reuse this material. For details, see:

https://creativecommons.org/licenses/by/4.0/
