Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Dos Attacks. Show all posts

Paris 2024 Olympics Faced Over 140 Cyberattacks, No Disruptions Reported

 

During the Paris 2024 Olympics, French authorities reported over 140 cyberattacks, but none of these incidents disrupted the sporting events. The French government’s cybersecurity agency, Anssi, maintained a high state of alert throughout the games, anticipating potential threats to the organizing committee, ticketing systems, and transportation infrastructure. Given the scale and visibility of the Olympics, cybercriminals often see such events as prime targets for malicious activities. 

From July 26 to August 11, Anssi recorded 119 reports of low-impact “security events.” In addition, there were 22 more serious incidents where “a malicious actor” successfully infiltrated a victim’s information system. These attacks targeted government entities, as well as infrastructure related to sports, transportation, and telecommunications. Despite these incidents, the overall impact on the Olympic Games was minimal. Anssi noted that about one-third of the incidents involved system downtime, with half of these caused by denial-of-service (DoS) attacks. 

These attacks are designed to overwhelm servers with traffic, rendering them inaccessible. Other cyber incidents included attempted system compromises, data breaches, and other forms of malicious activity. However, Anssi emphasized that all cyber events during the Olympics were generally of low impact, highlighting the effectiveness of the cybersecurity measures in place. A significant cyberattack occurred in early August, when ransomware targeted the Grand Palais, an Olympic venue, along with approximately 40 other museums across France. 

Ransomware attacks typically exploit security flaws to encrypt and block access to computer systems, demanding a ransom payment to restore access. Despite the attack, Anssi confirmed that none of the information systems critical to the Olympic Games were affected. While the Paris Olympics experienced fewer cyberattacks than the Tokyo 2021 Games, which reported 450 million cyber operations, the threat level remained high. In fact, Marie-Rose Bruno, director of technology and information systems for the Paris Games, had anticipated “eight to ten times more” cyberattacks than those seen in Tokyo. 

The Paris 2024 Olympics faced a considerable number of cyber incidents, but thanks to robust cybersecurity measures, these attacks had little to no impact on the events. The proactive efforts of French authorities and cybersecurity experts ensured that the games proceeded smoothly, without major disruptions to the athletes or spectators.

5G Vulnerabilities Expose Mobile Devices to Serious Threats

 


Researchers from Penn State University have uncovered critical vulnerabilities in 5G technology that put mobile devices at risk. At the upcoming Black Hat 2024 conference in Las Vegas, they will reveal how attackers can exploit these weaknesses to steal data and launch denial of service (DoS) attacks. These findings highlight a pressing need for improved security measures in 5G networks.

Step 1: Fake Base Station Setup

The first step in the attack involves setting up a fake base station. When a mobile device attempts to connect to a network, it undergoes an authentication and key agreement (AKA) process with the base station. However, while the base station verifies the device, the device does not initially verify the base station. This oversight allows attackers to exploit the system.

Base stations continuously broadcast "sib1" messages to announce their presence. These messages are transmitted in plaintext without any security mechanisms, making it impossible for devices to distinguish between legitimate and fake towers. According to Syed Rafiul Hussain, an assistant professor at Penn State, these messages lack authentication, which is a significant security flaw.

Creating a fake tower is surprisingly easy. Attackers can use a software-defined radio (SDR) to mimic a real base station. Kai Tu, a research assistant at Penn State, notes that SDRs are readily available online for a few hundred dollars. While high-end SDRs can cost tens of thousands of dollars, inexpensive models are sufficient for setting up a fake base station. 

Step 2: Exploiting AKA Vulnerabilities

Once the fake tower attracts a device, attackers can exploit vulnerabilities in the AKA process. In one widely-used mobile processor, researchers discovered a mishandled security header that allows attackers to bypass the AKA process entirely. This processor is found in many devices produced by two major smartphone manufacturers, whose names have been withheld for confidentiality reasons.

After bypassing AKA, attackers can send a malicious "registration accept" message to establish a connection with the victim's device. This connection allows the attacker to monitor unencrypted internet activity, send spear phishing SMS messages, and redirect the victim to malicious websites. Additionally, attackers can determine the device's location and execute DoS attacks.

Securing 5G Networks

The Penn State researchers have reported these vulnerabilities to mobile vendors, who have since released patches. However, a more comprehensive solution involves securing 5G authentication. Hussain suggests using public key infrastructure (PKI) to ensure the authenticity of broadcast messages. Implementing PKI is challenging and expensive, requiring updates to all cell towers and addressing non-technical issues like establishing a root certificate authority.

Despite these challenges, the lack of authentication for initial broadcast messages remains a critical vulnerability in 5G systems. As Hussain explains, these messages are sent in milliseconds, and adding cryptographic mechanisms would increase computational overhead and potentially slow down performance. Consequently, performance incentives often outweigh security concerns.

The Penn State research deems how pivotal the need for improved security in 5G networks is. Until such measures are in place, mobile devices will remain vulnerable to data theft and DoS attacks through fake base stations and other means. As Hussain aptly puts it, the lack of authentication in initial broadcast messages is "the root of all evil" in this context.


Prototype Pollution-like Bug Variant Found in Python


Prototype Pollution

Prototype pollution is a severe vulnerability class associated with prototype-based languages, the most popular among them being JavaScript. 

However, a researcher has discovered Python-specific variants of prototype pollution, and other class-based programming languages may also be exposed to similar threats. 

With prototype pollution, a threat actor may access and control the default values of an object’s properties. In addition to allowing the attacker to alter the application's logic, this can also result in denial-of-service attacks or, in severe cases, remote code execution. 

From Prototype Pollution to Class Pollution 

In JavaScript, each object inherits the ‘prototype’ of the parent object, which includes all the functions and characteristics of that object. JavaScript objects can access the functionality of their parents by traversing their prototypes. 

In the course of runtime, the prototype could as well be modified, making JavaScript dynamic and flexible but also dangerous. Prototype pollution attacks utilize and exploit this characteristic in order to modify the behavior of JavaScript applications and to conduct malicious activities. It is claimed that class-based languages like Python are resistant to such manipulations. 

However, security researcher Abdulraheem Khaled has come across a coding scheme that can enable threat actors to conduct prototype pollution-like attacks on Python programs. He has labeled it as ‘class pollution’ in a blog post documenting his findings. 

In regards to the findings, he told The Daily Swig that he discovered the attack while attempting to translate the concepts of JavaScript prototype pollution to Python. 

Manipulating Python Classes 

In order to exploit Python objects, the attacker is required to have an entry point that utilizes the user input to set the attributes of an object. If the user input succeeds in determining both the attribute name and value, the attacker can then exploit it to alter the program’s behavior. 

“The key factor to look for is whether the application uses unsanitized user-controllable input to set attributes of an object (controlling the attribute name to be set and its value) or not,” states Khaled to The Daily Swig. 

Attackers may be able to access parent classes, global variables, and more if the target method employs recursive loops to traverse over the object's characteristics. This merge is deemed "unsafe" by Khaled. 

An attacker could, for instance, alter command strings that the system executes, manipulate the value of important variables, or start denial of service (DoS) attacks by rendering crucial classes dysfunctional.

All Python Applications are Vulnerable 

According to the security researcher, all types of Python applications are vulnerable to these exploits as long as they continue accepting contaminated user input and implement a form of object attribute assignment that is ‘unsafe’. 

In his investigation, he came across various instances where popular Python libraries had an unsafe merge function, which then exposed them to class pollution attacks.

The simplest of all impacts of class pollution would be DoS. Although, these attacks may have much greater and more severe impacts on Python online apps. 

“Prototype pollution is definitely one of the topics that deserve more attention from the community, and we started to see more focus on it recently […] Class pollution might be a new vulnerability that has just come to light, [but] I expect to see it in other programming languages soon,” Khaled concluded.  

Latest Cobalt Strike Vulnerability Allows Takedown of Hacker Servers

 

Cybersecurity experts have found Cobalt Strike (DoS) exploit that allows Beacon blocking C2 (Command and Control) communication deployments and new channels. Cobalt Strike is a genuine penetration testing tool built to work as an attack framework by red teams. Red team is a group of cybersecurity analysts that work as threat actors to attack their own organization's to find security vulnerabilities and exploits. But, Cobalt Strike is also used by hackers, that generally use it for post-hacking tasks after planting the beacons, which allows them unlimited remote access to hacked devices. With the help of these beacons, the threat actors can later use the compromised servers to deploy second-stage malware payloads or harvest data. 

The cybersecurity team at SentinelOne, SentinelLabs found about the DoS vulnerabilities, termed as CVE-2021-36798 and called "Hotcobalt" in the most recent versions of the Cobalt Strike server. SentinelLabs reports "when a Beacon stager runs, it gathers information about the computer it is running on (CPU architecture, keyboard layout, internal IP, etc.), encrypts that info using the public key, and sends it to the server in an HTTP GET request. Receiving tasks generally happens over HTTP GET requests and the Beacon replies with the task data over HTTP POST requests. Tasks are encrypted using an AES key sent by the Beacon in the registration request." 

The research revealed that one can plant fake beacons with a particular Cobalt Strike server installations by giving out fake tasks or screenshots with high file sizes to the server. The hacker could crash the server and exhaust available memory using the help of this process. The crashed server renders pre-installed beacons, not being able to communicate with the C2 servers, it restricts new beacons from getting installed on compromised systems. 

Besides this, it also interferes with the red team and malicious attacks which used the planted beacons. "One of the most famous features of Cobalt Strike is its Malleable C2. In short, this feature lets the attacker encode (“transform” in Cobalt’s language) all the beacon’s HTTP communications. The entire process described above is wrapped in the chosen Malleable profile’s transformation steps, which are also embedded in the stager itself," said SentinelLabs in its blog.

Juniper Bug Allows RCE and DoS Against Carrier Networks

 

Juniper Networks' Steel-Belted Radius (SBR) Carrier Edition has a severe remote code-execution vulnerability that leaves wireless carrier and fixed operator networks vulnerable to tampering. By centralizing user authentication, giving the proper level of access, and verifying compliance with security standards, telecom carriers utilize the SBR Carrier server to manage policies for how subscribers use their networks. It enables carriers to distinguish service tiers, diversify revenue models, and manage network resources. 

Juniper Networks, Inc. is a multinational technology company based in Sunnyvale, California. Routers, switches, network management software, network security solutions, and software-defined networking technology are among the networking products developed and sold by the company. Pradeep Sindhu started the company in 1996, with Scott Kriens serving as the original CEO until September 2008. Juniper Networks began by specializing in core routers, which are used by internet service providers (ISPs) to execute IP address lookups and route internet traffic. 

SBR Carrier versions 8.4.1, 8.5.0, and 8.6.0 that use the extensible authentication protocol are affected by the bug (CVE-2021-0276). It was on Wednesday, Juniper released a patch. On the CVSS vulnerability-severity rating scale, it gets a 9.8 out of 10. According to Juniper's advisory, it's a stack-based buffer-overflow vulnerability that an attacker can exploit by sending specially designed packets to the platform, causing the RADIUS daemon to crash. This can cause RCE as well as denial-of-service (DoS), which prevents phone subscribers from having a network connection. 

The flaw is one of the dozens that the networking giant patched this week across its carrier and corporate product lines, including multiple high-severity flaws that could be used to launch DoS assaults. Juniper claims that one of these can also be used for RCE. CVE-2021-0277 is an out-of-bounds read vulnerability that affects Junos OS (versions 12.3, 15.1, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2, 19.3, 19.4, 20.1, 20.2, 20.3 and 20.4), as well as Junos OS Evolved (all versions). 

The problem occurs when the Layer 2 Control Protocol Daemon (l2cpd) processes specially designed LLDP frames (l2cpd). On a local area network (usually over wired Ethernet), network devices utilize LLDP to advertise their identification, capabilities, and neighbors. “Continued receipt and processing of these frames, sent from the local broadcast domain, will repeatedly crash the l2cpd process and sustain the DoS condition,” Juniper said in its advisory, issued on Thursday.

Cryptojacking Spree: Targeting Washington State Educational Institutions

 

According to a new advisory released by Palo Alto Network's Unit 42 team, recently, cryptojacking incidents have taken place against educational institutions in Washington State. Threat actors are targeting educational institutions in the United States intending to compromise their networks and mine cryptocurrency covertly. 

Otherwise known as cryptojacking attacks, this is a form of cyberattack in which attackers use deception tactics to install cryptocurrency mining components that leech off of computational power without being noticed or detected. 

On February 16, cybersecurity researchers discovered the first attack, which consisted of a malicious HTTP request sent to a domain owned by an educational institution. Security teams initially mistook it for a trivial command injection flaw, but it turned out to be a command for a web shell backdoor that attackers used to gain access to the institution's network. 

In this form of attack, attackers use various types of miner software to try to generate cryptocurrencies such as Monero, Litecoin, Bitcoin, and Ethereum. Attackers typically compromise a large number of systems to make the attacks lucrative and bring in more cryptocurrency. 

The researchers say that a UPX-packed cpuminer -- used to mine LTC and BTC -- has been delivered by way of malicious traffic. 

If deployment is successful, the backdoor is then able to call and execute the crypto mining payload. Besides, the malware will download a mini shell that pretends to be a wp-load.php file. "Since the mini shell is not moved elsewhere, we speculate that the current directory of the mini shell, as well as the backdoor, is a web directory exposed to the internet," the report states. 

Cryptocurrency mined on infected systems is sent to two wallets owned by the operators (1,2). In two other incidents, there were some differences when it came to user agent strings, pass values, and algorithms, but the general attack method remained the same. 

"The malicious request [...] exhibits several similarities," Unit 42 noted. "It's the same attack pattern delivering the same cpuminer payload against the same industry (education), suggesting it's likely the same perpetrator behind the cryptojacking operation."

An analysis of K-12 schools across the United States revealed in March that 2020 is a "record-breaking" year for cybersecurity incidents. Over 400 incidents were reported in the study, including ransomware, phishing attempts, website defacement, and denial-of-service (DoS) attacks.