The Biggest Internet Attack In History Is Not Over (Yet)

This week on DIY Cyber Guy:

  • Massive attack briefly shut down several popular sites. I’ll tell you what happened and why you need a little patience this week. Bottom line: news of the death of the Internet is premature!
  • Update on Intel, and why I am still recommending that you avoid buying computers with certain Intel chips inside. But that could change soon.
  • Microsoft will facilitate Intel’s microcode update! Great news, and easier for Windows users, BUT BACK UP!!
  • Flash is declining faster than we expected! Great news!

My guest is Charles Givre.

Intel coming along

Hair on Fire 1 of 5

Advice – don’t buy an Intel computer yet. If you must, be sure that it does not have an Intel chip in the “planning” stage!

Microcode updates: https://newsroom.intel.com/wp-content/uploads/sites/11/2018/03/microcode-update-guidance.pdf

Progress update: Intel has released a microcode update:

“…we have now released production microcode updates to our OEM customers and partners for Kaby Lake- and Coffee Lake-based platforms, plus additional Skylake-based platforms. This represents our 6th, 7th and 8th Generation Intel® Core™ product lines as well as our latest Intel® Core™ X-series processor family. …

The new microcode will be made available in most cases through OEM firmware updates. I (author: Navin Shenoy) continue to encourage people to always keep their systems up-to-date. There is also a comprehensive schedule and current status for planned microcode updates available online.”

https://newsroom.intel.com/news/latest-intel-security-news-updated-firmware-available/


Microsoft has decided to ship Intel’s microcode update itself!

Hair on Fire 1 of 5

Much easier for listeners because you don’t have to go to the MANUFACTURER for the update.

(Apple is manufacturer and software producer. MS is just software vendor.)

https://support.microsoft.com/en-us/help/4090007/intel-microcode-updates

Currently supporting the following processors:

  • Skylake H/S, 6th Generation Intel Core Processor Family, 506E3
  • Skylake U/Y & Skylake U23e, 6th Generation Intel Core m Processors, 406E3

Caution!

Make a full system backup! Hair on Fire 5 of 5

Windows: https://support.microsoft.com/en-us/help/17127/windows-back-up-restore

Apple systems – no word yet how Apple is handling Intel’s latest update.

https://support.apple.com/mac-backup

 

Flash phase-out is accelerating!

Still Hair on fire 5 of 5

The percentage of daily Chrome users who’ve loaded at least one page containing Flash content per day has gone down from around 80% in 2014 to under 8% in early 2018.

These statistics on Flash’s declining numbers were shared with the public by Parisa Tabriz, Director of Engineering at Google, during a keynote speech at Network and Distributed System Security Symposium (NDSS) held in San Diego last week.

Flash’s demise was to be expected, though. Adobe announced last year plans to stop supporting the Adobe Flash Media Player by the end of 2020.

But while Chrome, Firefox, Edge, and all major browsers have already moved from a Flash-enabled-by-default to a Flash-click-to-play policy since last year, the massive drop in Flash usage numbers is a huge surprise for most industry experts.

This big drop could, at least in theory, be explained by the fact that most advertising networks and video streaming portals have moved away from Flash to HTML5, meaning most people can go days before encountering a website that still loads some kind of Flash object.

Source: https://www.bleepingcomputer.com/news/security/google-chrome-flash-usage-declines-from-80-percent-in-2014-to-under-8-percent-today/

Again – Hair on Fire 5 of 5: UNINSTALL FLASH!

If you see an auto-update, then UNINSTALL FLASH!

Questions from Listeners:

Steve from Michigan:

I heard the internet was going extinct because of a new kind of attack. Seriously. What’s going on?

Nothing to worry about; this will get fixed.

Attack called “Memcached Distributed Denial of Service attack”

Main factors:

  • UDP was not designed to be ‘exposed’ to the public Internet; source addresses are easily spoofed
  • Small request = big response (amplification)
  • Titanic result:

[Image: March 2018 peak DDoS chart]

Source:

https://www.arbornetworks.com/blog/asert/netscout-arbor-confirms-1-7-tbps-ddos-attack-terabit-attack-era-upon-us/

 

  • Easy fix – disable UDP on Memcached servers.

  • Before 24th February, the day when Memcached-based DDoS attacks were first spotted, the daily average was less than 50 attacks.

  • Between 24th and 28th February, when Memcached as a new amplification attack vector was not publicly disclosed and was known to a small group of people, the attacks rose to an average of 372 attacks per day.

  • Soon after the first public report came out on 27th February, between 1st and 8th March, the total number of attacks jumped to 13,027, with an average of 1,628 DDoS attack events per day.

Article Continues:

The list of famous online services and websites which were hit by massive DDoS attacks since 24th February includes Google, Amazon, QQ.com, 360.com, PlayStation, OVH Hosting, VirusTotal, Comodo, GitHub (1.35 Tbps attack), Royal Bank, Minecraft and RockStar games, Avast, Kaspersky, and Pinterest.

 

https://thehackernews.com/2018/03/memcached-ddos-attack.html

This issue is already fixed! (kill UDP)

What’s the problem? ~17k servers worldwide to patch.

So, this is a hair-on-fire 1 of 5: all you can do is have a little patience, because you may not be able to access a site.

Thanks, Steve.
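The “kill UDP” fix above is a one-line change on each server; the hard part is finding the servers that still need it. The following is an added example, not code from the show or the linked articles: it audits memcached command lines (as captured from `ps -eo args`) for a UDP listener that is still on and bound to a non-loopback address. It assumes memcached’s real `-U <port>` flag (0 disables UDP) and `-l <addr[,addr]>` bind option, and the pre-1.5.6 defaults of UDP on and all interfaces; the sample process lines are constructed.

```python
# Added example, not code from the show or the cited articles: audit memcached
# command lines for a UDP listener that is on and reachable from beyond the
# host. -U <port> sets the UDP port (0 disables it); -l <addr[,addr]> sets bind
# addresses. Pre-1.5.6 defaults (UDP on, all interfaces) are assumed: the
# conservative choice for an audit.
import ipaddress
import shlex

DEFAULT_UDP_PORT = 11211   # memcached's historic default port, TCP and UDP
DEFAULT_BIND = "0.0.0.0"   # no -l given: listen on every interface

def _is_loopback(addr: str) -> bool:
    """True for 127.x / ::1; -l also accepts hostnames, so handle 'localhost'."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return addr == "localhost"

def audit_memcached_cmdline(cmdline: str) -> dict:
    """Parse -U and -l from one memcached command line; report UDP exposure."""
    args = shlex.split(cmdline)
    udp_port, binds = DEFAULT_UDP_PORT, [DEFAULT_BIND]
    i = 1                                         # args[0] is the binary
    while i < len(args):
        flag, value = args[i][:2], args[i][2:]    # accept "-U0" and "-U 0"
        if flag in ("-U", "-l"):
            if not value and i + 1 < len(args):
                i += 1
                value = args[i]
            if flag == "-U":
                udp_port = int(value)
            else:
                binds = [b.strip() for b in value.split(",")]
        i += 1
    exposed = udp_port != 0 and not all(_is_loopback(b) for b in binds)
    return {"udp_port": udp_port, "binds": binds, "exposed": exposed}

def exposed_instances(cmdlines) -> list:
    """Command lines whose UDP listener is exposed (the ~17k servers problem)."""
    return [c for c in cmdlines if audit_memcached_cmdline(c)["exposed"]]

SAMPLE_PROCESSES = [   # constructed, in the style of `ps -eo args` output
    "/usr/bin/memcached -m 64 -p 11211 -u memcache",                  # old default
    "/usr/bin/memcached -m 64 -p 11211 -u memcache -l 127.0.0.1",     # loopback only
    "/usr/bin/memcached -m 64 -p 11211 -u memcache -U 0 -l 0.0.0.0",  # UDP disabled
]

if __name__ == "__main__":
    for line in SAMPLE_PROCESSES:
        print(audit_memcached_cmdline(line))
```

A bind address written as `host:port` is treated as non-loopback on purpose, so an unparseable `-l` value errs toward reporting exposure.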

 

Next Question:

Roland from California:

“I recently completed a bitcoin transaction. I made a small donation to a non-profit. I cut and pasted the Ethereum account key they sent me, but the donation never made it. But, my Ethereum account was definitely debited the amount. Am I being scammed by the non-profit, or did my Ethereum just get lost on the way?”

Likely culprits: clipboard-hijacking malware such as Evrial, CryptoShuffler and ComboJack.

Click here for article – great explanation:

https://researchcenter.paloaltonetworks.com/2018/03/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/

…ComboJack enters into an infinite loop. Every half second it checks the contents of the clipboard. The contents of the clipboard are checked for various criteria to determine if the victim has copied wallet information for various digital currencies. In the event a wallet of interest is discovered, ComboJack will replace it with a hardcoded wallet that the attacker presumably owns in an attempt to have the victim accidentally send money to the wrong location. This tactic relies on the fact that wallet addresses are typically long and complex and to prevent errors, most users will opt to copy an exact string in order to prevent potential errors. If any potential currency addresses are found, they are replaced following the criteria in the table below:

| Checks for this criteria | Replaces with | Wallet Type |
| --- | --- | --- |
| Length of 42 and starts with ‘0’ | 0xE44598AB74425450692F7b3a9f898119968da8Ad | Ethereum |
| Length of 106 and starts with ‘4’ | 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBE | Monero. It’s important to note that this replacement string is not long enough, as Monero wallet addresses are either 95 or 106 characters in length. This was likely a mistake made by the author. |
| Length of 34 and starts with ‘1’ | 1LGskAycxvcgh6iAoigcvbwTtFjSfdod2x | Bitcoin |
| Length of 34 and starts with ‘L’ | LYB56d6TeMg6VmahcgfTZSALAQRcNRQUV | Litecoin |
| Length of 11 and starts with ‘8’ | 79965017478 | Qiwi |
| Length of 13 and starts with ‘R’ | R064565691369 | WebMoney (Rubles) |
| Length of 13 and starts with ‘Z’ | Z152913748562 | WebMoney (USD) |
| Length of 13 and starts with ‘E’ | 88888888888888888888888888888888888888888888888888 | Unknown |
| Length of 15 and starts with ‘4100’ | 410014474125403 | Yandex Money |

Table 1. Replacement address lookup table hardcoded into ComboJack.

Source:

https://researchcenter.paloaltonetworks.com/2018/03/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/
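The table above is the whole trick: ComboJack never parses a wallet address, it only checks length and first character. The following is an added example, not code from the show or from Unit 42’s article. It encodes Table 1 (lengths, prefixes and the hardcoded replacement wallets as printed in the article, with extraction spaces removed) as a defensive pre-send check: compare the address you copied with the one you are about to paste, and flag a paste that equals one of the attacker’s hardcoded wallets. The donation address used as input is constructed.

```python
# Added example, not code from the show or from Unit 42's article. Encodes
# ComboJack's Table 1 as a defensive check: was the address altered between
# copy and paste, and does the pasted value match a wallet hardcoded in the
# malware? Replacement strings are the article's (extraction spaces removed);
# the sample donation address is constructed.
COMBOJACK_RULES = [
    # (clipboard length, required prefix, attacker replacement, wallet type)
    (42, "0", "0xE44598AB74425450692F7b3a9f898119968da8Ad", "Ethereum"),
    (106, "4", "4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBE", "Monero"),
    (34, "1", "1LGskAycxvcgh6iAoigcvbwTtFjSfdod2x", "Bitcoin"),
    (34, "L", "LYB56d6TeMg6VmahcgfTZSALAQRcNRQUV", "Litecoin"),
    (11, "8", "79965017478", "Qiwi"),
    (13, "R", "R064565691369", "WebMoney (Rubles)"),
    (13, "Z", "Z152913748562", "WebMoney (USD)"),
    (13, "E", "8" * 50, "Unknown"),          # 50 eights in the article's table
    (15, "4100", "410014474125403", "Yandex Money"),
]
KNOWN_ATTACKER_WALLETS = {repl: wallet for _, _, repl, wallet in COMBOJACK_RULES}

def combojack_target(text: str):
    """Wallet type ComboJack's rules would assign to clipboard text, or None.
    The rules key only on length and prefix, exactly as in Table 1."""
    for length, prefix, _, wallet in COMBOJACK_RULES:
        if len(text) == length and text.startswith(prefix):
            return wallet
    return None

def check_paste(copied: str, pasted: str) -> dict:
    """Pre-send check: compare what was copied with what is about to be sent,
    and look the pasted value up in the malware's hardcoded wallet list."""
    copied, pasted = copied.strip(), pasted.strip()
    return {
        "target_type": combojack_target(copied),
        "altered": copied != pasted,
        "known_attacker_wallet": KNOWN_ATTACKER_WALLETS.get(pasted),
    }

# Constructed: an Ethereum-style address like the one Roland copied, and what
# a ComboJack-infected machine would have left in the clipboard instead.
DONATION_ADDRESS = "0x" + "ab" * 20          # 42 chars, starts with '0'
HIJACKED_CLIPBOARD = COMBOJACK_RULES[0][2]

if __name__ == "__main__":
    print(check_paste(DONATION_ADDRESS, HIJACKED_CLIPBOARD))
    print(check_paste(DONATION_ADDRESS, DONATION_ADDRESS))
```

Note that a 95-character Monero address never matches the rules, which is the gap the article’s Monero remark points at.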


This work is licensed under a Creative Commons License: Attribution required if you republish or reuse this material. For details, see:

https://creativecommons.org/licenses/by/4.0/

 

Published by

David W. Schropfer

David W. Schropfer is the CEO of AnchorID, Incorporated, a cybersecurity company in New York (www.AnchorID.com). Every day, he and his team of professionals keep the people who use AnchorID safe from some of the most common traps, hacks and attacks that target computer systems of all sizes. David’s previous books, including The Smartphone Wallet and three industry whitepapers, predicted some of the biggest trends in the payments, mobile, and security industries. Since graduating from Boston College, David earned an Executive MBA from the University of Miami.
