Threat actors have discovered a way to bounce and amplify junk web traffic against Citrix ADC networking equipment to launch DDoS attacks.
While details about the attackers are still unknown, victims of these Citrix-based DDoS attacks have mostly included online gaming services, such as Steam and Xbox, sources have told ZDNet earlier today.
The first of these attacks were detected last week and documented by German IT systems administrator Marco Hofmann.
Hofmann tracked the issue to the DTLS interface on Citrix ADC devices.
DTLS, or Datagram Transport Layer Security, is a version of the TLS protocol implemented on top of the connectionless UDP transport protocol rather than the more reliable TCP.
Just like all UDP-based protocols, DTLS is spoofable and can be used as a DDoS amplification vector.
What this means is that attackers can send small DTLS packets to the DTLS-capable device and have the result returned in a many times larger packet to a spoofed IP address (the DDoS attack victim).
How many times the original packet is enlarged determines the amplification factor of a specific protocol. For past DTLS-based DDoS attacks, the amplification factor was usually 4 or 5 times the original packet.
But, on Monday, Hofmann reported that the DTLS implementation on Citrix ADC devices appears to be yielding a whopping amplification factor of 35, making it one of the most potent DDoS amplification vectors.
Citrix confirms issue
Earlier today, after several reports, Citrix also confirmed the issue and promised to release a fix after the winter holidays, in mid-January 2021.
The company said it’s seen the DDoS attack vector being abused against “a small number of customers around the world.”
The issue is considered dangerous for IT administrators because of cost and uptime-related problems rather than because of the security of their devices.
As attackers abuse a Citrix ADC device, they might end up exhausting its upstream bandwidth, creating additional costs and blocking legitimate activity from the ADC.
Until Citrix readies official mitigations, two temporary fixes have emerged.
The first is to disable the Citrix ADC DTLS interface if not used.
If the DTLS interface is needed, forcing the device to authenticate incoming DTLS connections is recommended, although it may degrade the device’s performance as a result.
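To make the amplification factor concrete and show why authenticating the peer before the full handshake defeats it, here is an added Python model (not code from the article, from Citrix or from Hofmann) that computes the bytes a claimed source address receives per byte of ClientHello, with and without an RFC 6347-style cookie exchange. The packet sizes, the example addresses and the assumption that "authenticating incoming DTLS connections" means a HelloVerifyRequest cookie round trip are all constructed for the illustration, not taken from the article.

```python
import hashlib
import hmac
import os

# Constructed sizes, not measurements from the article: a minimal DTLS ClientHello
# versus the server's first flight (ServerHello, certificate chain, ServerHelloDone).
# SERVER_FLIGHT_LEN is chosen so the unprotected ratio mirrors the ~35x reported.
CLIENT_HELLO_LEN = 100
SERVER_FLIGHT_LEN = 3500
HELLO_VERIFY_LEN = 19           # constructed: record/handshake header plus a 16-byte cookie
COOKIE_SECRET = os.urandom(32)  # server-side secret; real deployments rotate it regularly

def make_cookie(client_addr: str, client_random: bytes) -> bytes:
    """RFC 6347-style stateless cookie: HMAC over the claimed source address and the
    ClientHello random, so the server commits no state before the peer proves its address."""
    mac = hmac.new(COOKIE_SECRET, client_addr.encode() + client_random, hashlib.sha256)
    return mac.digest()[:16]

def server_first_reply(client_addr, client_random, cookie=b"", verify_cookie=True):
    """Model the server's first reply to a ClientHello as (message, length in bytes).

    verify_cookie=False models a DTLS endpoint that answers unauthenticated peers:
    every ClientHello draws the full, large flight. With verify_cookie=True an
    unverified peer gets only a small HelloVerifyRequest carrying its cookie, and the
    full flight is sent only after the cookie comes back from that same address."""
    if verify_cookie and not hmac.compare_digest(cookie, make_cookie(client_addr, client_random)):
        return ("HelloVerifyRequest", HELLO_VERIFY_LEN)
    return ("ServerHello+Certificate", SERVER_FLIGHT_LEN)

def amplification_factor(client_addr, client_random, cookie=b"", verify_cookie=True):
    """Bytes delivered to the claimed source address per byte of ClientHello sent."""
    _, reply_len = server_first_reply(client_addr, client_random, cookie, verify_cookie)
    return reply_len / CLIENT_HELLO_LEN

def demo():
    """Compare a ClientHello carrying a forged source address (the DDoS victim's)
    with a genuine client that completes the cookie exchange."""
    victim, rnd = "198.51.100.7", os.urandom(32)   # constructed example values
    results = {
        "no_verification": amplification_factor(victim, rnd, verify_cookie=False),
        "forged_source_with_verification": amplification_factor(victim, rnd),
    }
    # A genuine client receives the HelloVerifyRequest at its real address and resends
    # the ClientHello with the cookie, so only a reachable peer ever draws the big flight.
    genuine = "203.0.113.5"
    results["genuine_client_after_cookie"] = amplification_factor(
        genuine, rnd, make_cookie(genuine, rnd))
    return results

if __name__ == "__main__":
    for scenario, factor in demo().items():
        print(f"{scenario}: {factor:.2f}x")
```

The forged-source case drops from 35x to well under 1x once the cookie is required, which is the bandwidth effect the second temporary fix relies on; the extra round trip for genuine clients is the performance cost the article mentions.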
Google Cloud: We do use some SolarWinds, but we weren’t affected by mega hack
Google Cloud’s first chief information security officer (CISO) has revealed that Google’s cloud venture does use software from the vendor SolarWinds, but says its use was “limited and contained”.
Google Cloud announced the hire of its first CISO, Phil Venables, in mid-December, just as the US was beginning to understand the scope of the Russian government’s software supply chain malware attack.
The hack affected the US Treasury Department, the US Department of Commerce’s National Telecommunications and Information Administration (NTIA), the Department of Justice, Microsoft’s source code and many more.
But Venables, a Goldman Sachs veteran, insists that no Google systems were affected by the attack. It’s an important message from Google at a time when hacks have undermined trust in known software suppliers, which in turn threatens Google’s $12bn-a-year cloud business. Google is set to announce its Q4 2020 FY financial results on Tuesday, February 2.
“Based on what is known about the attack today, we are confident that no Google systems were affected by the SolarWinds event,” Venables said in a blogpost.
“We make very limited use of the affected software and services, and our approach to mitigating supply chain security risks meant that any incidental use was limited and contained. These controls were bolstered by sophisticated monitoring of our networks and systems.”
Venables also shared some top tips that Google uses to protect itself and customers from software supply chain threats. This particular attack exposed how connected the entire software industry is, and how vulnerable the ecosystem is because of assumptions built into the systems that are used to receive updates from known and trusted suppliers.
Hackers breached SolarWinds and planted malware inside software updates for Orion, which offered a beachhead from where attackers could move within networks of companies and government agencies.
Researchers at Crowdstrike last week revealed a third piece of malware was used in the attack on SolarWinds’ customers via official software updates. SolarWinds last week disclosed that the attackers were testing malware distribution through Orion updates from at least September 2019, indicating the planning that went into the attack.
Other organizations affected by this breach included the Department of Health’s National Institutes of Health (NIH), the Department of Homeland Security (DHS) and its Cybersecurity and Infrastructure Security Agency (CISA), the US Department of State, the National Nuclear Security Administration (NNSA), the US Department of Energy (DOE), several US state governments, and Cisco, Intel, and VMware.
According to Venables, Google uses secure development and continuous testing frameworks to detect and avoid common programming mistakes.
“Our embedded security-by-default approach also considers a wide variety of attack vectors on the development process itself, including supply chain risks,” he says.
He goes on to explain what trusted cloud computing means at Google Cloud, which comes down to control over hardware and software.
“We don’t rely on any one thing to keep us secure, but instead build layers of checks and controls that includes proprietary Google-designed hardware, Google-controlled firmware, Google-curated OS images, a Google-hardened hypervisor, as well as data center physical security and services,” says Venables.
“We provide assurances in these security layers through roots of trust, such as Titan Chips for Google host machines and Shielded Virtual Machines. Controlling the hardware and security stack allows us to maintain the underpinnings of our security posture in a way that many other providers cannot. We believe that this level of control results in reduced exposure to supply chain risk for us and our customers.”
Google also verifies that software is built and signed in an approved isolated build environment from properly checked-in code that has been reviewed and tested.
The company then enforces these controls during deployment, depending on the sensitivity of the code.
“Binaries are only permitted to run if they pass such control checks, and we continuously verify policy compliance for the lifetime of the job. This is a critical control used to limit the ability of a potentially malicious insider, or other threat actor using their account, to insert malicious software into our production environment,” says Venables.
Finally, Google ensures that at least one person beyond the author provably reviews code and configuration changes submitted by its developers.
“Sensitive administrative actions typically require additional human approvals. We do this to prevent unexpected changes, whether they’re mistakes or malicious insertions.”
iOS 14.4 kicks off crackdown on non-genuine iPhone cameras
iOS is already flagging non-genuine batteries and displays, and now it seems that iOS 14.4 will add non-genuine cameras to the list.
According to reports by MacRumors, and confirmed by ZDNet, iOS 14.4 developer beta 2 now throws up an error message when it detects a non-genuine camera fitted to an iPhone.
The message, which reads “Unable to verify this iPhone has a genuine Apple camera,” can be dismissed and does not seem to affect the use or operation of the camera.
This appears to be yet another step forward (or backward) by Apple, as it continues its fight against user-repairable iPhones.
Interestingly, according to tech repair site iFixit, cameras can now be swapped between iPhone 12 units without any problems. However, before you start celebrating that, iFixit believes that Apple will soon start flagging as non-genuine any camera replacement that has not been followed up by running Apple’s proprietary, cloud-linked System Configuration app.
This basically means that this warning will be present any time a repair is not carried out by Apple or an Apple Authorized Service Provider.
Is this a money-making ploy by Apple? In response to US politicians investigating anti-competitive practices asking about repair revenue, Apple responded that “each year since 2009, the costs of providing repair services has exceeded the revenue generated by repairs.”
However, according to iFixit’s Kay-Kay Clapp, “there’s no way to fact check Apple’s accounting on repairs because of the vagaries of revenue reporting.”
“Knowing how much we pay for parts and the general labor costs of the repair industry, it seems unbelievable that they’re not making money from repair services.”
Ongoing ransomware attack leaves systems badly affected, says Scottish environment agency
The Scottish Environment Protection Agency (SEPA) has confirmed that it was hit by a ransomware attack last month and is continuing to feel the impact.
SEPA’s contact centre, internal systems, processes and internal communication have all been affected by the attack, which hit on Christmas Eve. The organisation, which is Scotland’s government regulator for protecting the environment, has also confirmed that 1.2GB of data has been stolen as part of the attack – including personal information relating to SEPA staff.
Despite the ransomware attack, SEPA’s ability to provide flood forecasting and warning services, as well as regulation and monitoring services, has continued.
But while the infected systems have been isolated, SEPA’s latest update on the ransomware attack says that recovery will take a “significant period” and that a number of systems will “remain badly affected for some time” with entirely new systems required. SEPA has blamed the ransomware attack on “serious and organised” cyber criminals.
“Whilst having moved quickly to isolate our systems, cybersecurity specialists, working with SEPA, Scottish Government, Police Scotland and the National Cyber Security Centre, have now confirmed the significance of the ongoing incident,” said Terry A’Hearn, Chief Executive of SEPA.
“Partners have confirmed that SEPA remains subject to an ongoing ransomware attack likely to be by international serious and organised cyber-crime groups intent on disrupting public services and extorting public funds.”
While the organisation itself hasn’t confirmed what form of ransomware it has fallen victim to, the cyber-criminal group behind Conti ransomware has published what it claims to be data stolen from the Scottish government agency.
Stealing data has become increasingly common for ransomware gangs. They use the stolen data to double down on attempts at extortion by threatening to leak the information if the victim doesn’t give in to the ransom demand of hundreds of thousands, or even millions, of dollars in bitcoin in exchange for the decryption key.
SEPA hasn’t yet detailed how cyber criminals were able to break into the network to deploy ransomware and the investigation into the incident is still ongoing.
“We are aware of this incident affecting the Scottish Environment Protection Agency and are working with law enforcement partners to understand its impact,” an NCSC spokesperson told ZDNet.
Ransomware has become one of the most disruptive and damaging cyberattacks an organisation can face and cyber criminals show no signs of slowing down ransomware campaigns because, for now at least, ransomware gangs are still successfully extorting large payments out of victims.
UK police warn of sextortion attempts in intimate online dating chats
As politicians play whack-a-mole with infection rates and try to balance the economic damage caused by lockdowns, stay-at-home orders have also impacted those out there in the dating scene.
No longer able to meet up for a drink, a coffee, or now even a walk in the park, organizing an encounter with anyone other than your household or support bubble is banned and can result in a fine in the United Kingdom — and this includes both dates and overnight stays.
Therefore, the only feasible option available is online connections, by way of social networks or dating apps.
Dating is hard enough at the best of times but sexual desire doesn’t disappear just because you are cooped up at home. Realizing this, a number of healthcare organizations worldwide have urged us not to contribute to the spread of COVID-19 by meeting up with others for discreet sex outside of our social bubbles, bringing new meaning to the phrase, “You are your safest sex partner.”
This doesn’t mean, however, that we’ve abandoned the search in the time of a pandemic; instead, dating apps — such as Tinder, eHarmony, and the new Quarantine Together — are signing up users in record numbers.
Apps and chats over Zoom, however, can only go so far and after you’ve made your way through remote small talk, what’s next?
If you’re not careful, it’s blackmail.
In a recent case documented by the UK’s Thames Valley police, a sextortion scam started innocently enough: a young man was contacted over Facebook by a woman who wanted to video chat.
They talked twice online and the woman asked him to show off his body. While no “intimate” acts took place in the first online session, the police say, the second chat was another story — and the intimate footage he provided was then covertly recorded by the scam artist.
She then told her victim that their online session had been recorded and demanded £200 ($270) on pain of it being sent to all of his family and friends, now available to her through the Facebook connection.
The man refused, but over the next two hours, he received over 100 demands for payment. Eventually, he appeared to cave in — but instead blocked her and deactivated all of his accounts before contacting law enforcement.
Thames Valley asks for us to “not do anything silly” online, but this case — as it goes, a small fish in a large phishing pond and one in which the young man escaped from the net — still highlights how careful we need to be now about sharing intimate footage or allowing the opportunity for it to be taken online without our permission.
Sextortion is not a new concept, and unfortunately, the internet has provided a lucrative arena for people trying to extort money, sexual acts, services, or images from others. Some of the most common forms of sextortion are:
- Phishing emails: Messages claim to have seen your web history or pornographic website visits, and may also say that ‘hackers’ accessed your webcam and recorded you.
- Phishing emails containing known passwords: The same, but with the addition of passwords used by you to access online accounts that may have been leaked in a data breach to try and appear more legitimate.
- Revenge porn: Threats to release intimate photos or videos online, sometimes by ex-partners or other people you know.
- Internet of Things: Nest and Ring devices have been compromised to recycle old tactics and convince victims that hackers have illicit recordings of them.
Emotional triggers are the key: humiliation, fear, worry of friends, family, or co-workers finding out or viewing footage, and the concern of the future impact such material could have on your life.
A report conducted by Thorn and the Crimes Against Children Research Center (CCRC) estimates that in 45% of cases where a perpetrator has access to sensitive material, they will carry out their threat.
After all, it’s not them who face humiliation.
With this in mind, it’s time to reconsider just what risks we are comfortable taking online, lockdown or not. Sextortion can be devastating but there’s no guarantee that a scammer will delete footage they have obtained after you’ve paid up — and may simply demand more and more from you.
“Anybody who is threatened with this type of blackmail by an online contact is advised to contact the police and should refuse to send the scammer any money,” commented Ray Walsh, Digital Privacy Expert at ProPrivacy. “Once a scammer knows that a victim is willing to pay they will only double down and ask for more. For this reason, it is vital that you contact the police and refuse to pay.”