Cloudflare rushes to repair nasty bug

Data lost

Cloudflare got its skates on to fix a bug which could have exposed shedloads of user data.

For those not in the know, Cloudflare helps optimise the security and performance of more than 5.5 million websites so when it warned customers that a recently fixed software bug exposed a range of sensitive information that could have included passwords and cookies and tokens used to authenticate users.

The leak may have been active since September 22, nearly five months before it was discovered, although the most significant period of impact was from February 13 and February 18. Google cached some sensitive data, so can be found on a search. Hackers could access the data in real-time by making Web requests to affected websites and to obtain some of the leaked data later by crafting queries on search engines.

Cloudflare CTO John Graham-Cumming wrote in his bog that the bug was severe because the leaked memory could contain private information and because search engines had cached it.

“We are disclosing this problem now as we are satisfied that search engine caches have now been cleared of sensitive information. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.”

Apparently, there was a bug in an HTML parser chain Cloudflare uses to modify webpages as they pass through the service’s edge servers. The parser performs a variety of tasks, such as inserting Google Analytics tags, converting HTTP links to the more secure HTTPS variety, obfuscating e-mail addresses, and excluding parts of a page from malicious Web bots.

When the parser was used in combination with three Cloudflare features—e-mail obfuscation, server-side excludes, and Automatic HTTPS Rewrites—it caused Cloudflare edge servers to leak pseudo random data.

Within an hour of the bug coming to Cloudflare’s attention early last Saturday morning, engineers had already disabled e-mail obfuscation, a measure that mostly plugged the memory leak. It took another six hours for Cloudflare to identify and fix the underlying bug in the HTML parser.


  • 0

PyeongChang Winter Games hit by cyber attack

Although critical operations were not affected by the incident, event organisers at the PyeongChang Winter Olympics had to shut down servers and the official games website to prevent further damage.

The ongoing Winter Olympics in South Korea was hit by a cyber attack that affected internet and TV services last Friday, according to the International Olympic Committee (IOC).

After the attack was detected, event organisers had to shut down servers and take the official PyeongChang Winter Olympics website offline to prevent further damage.

During a press briefing on the sidelines of the global sporting event, IOC spokesperson Mark Adams declined to reveal the source of the attack, noting that the issue had been resolved the next day, according to a Reuters report.

“We are not going to comment on the issue. It is one we are dealing with. We are making sure our systems are secure and they are secure,” he told reporters.

Cyber security experts had warned of an increase in cyber attacks on the Winter Games using spear phishing e-mails loaded with suspicious links to lure victims into downloading malware in targeted campaigns, such as GoldDragon which took place in December 2017.

According to threat analysts from McAfee, GoldDragon – directed at organisations affiliated with the Winter Olympics – lets attackers access end-user systems and collect data stored on devices and the cloud. The data may include customer and employee financial or personal data, Winter Games related details and trade secrets.

Although critical operations were not affected by last week’s incident, similar attacks had been launched against critical and non-critical systems in past Olympics games.

During the summer Olympics in London, there were reportedly six major cyber attacks against critical systems, including distributed denial of service attacks on power systems that lasted for 40 minutes. Hacktivists also made calls on social media to launch similar attacks at specific times.

And during the Rio Olympics in 2016, the IOC said it was under regular attack. Phishing emails were also sent to athletes in attempts to steal credentials that could be used to access a World Anti-Doping Agency database.

Japan is already bracing itself for more cyber attacks aimed at the Tokyo Olympics in 2020. For one, the Tokyo 2020 organising committee has been conducting cyber security exercises to simulate potential attacks, both in cities and rural areas.

Cyber security drills would be conducted up to six times a year, rising to 10 in the run-up to Tokyo 2020. The drills, which involve local governments, would also include simulated attacks on mock ticketing websites. Between 300 and 500 people took part in similar exercises in Rio and London.


  • 0


ABN Amro, ING, Rabobank and the Tax Authority again faced DDoS attacks on Tuesday, though this time the financial services managed to deter them better than over the weekend. The attacks caused a short disruption in payment system iDeal, but the problems were quickly restored, NOS reports.

ABN Amro was troubled by attacks all day long, but they were mostly successfully fought off, a spokesperson said to the broadcaster. Around 5:30 p.m. the bank faced a short disruption.

ING reported a disruption on Twitter, and then reported that the problems were solved a short time later. “Due to a short-lived DDoS attack, our services were temporarily inaccessible. The problems have been solved: our services are again available for use. We apologize for the inconvenience.”

Rabobank faced an attack around 5:00 p.m. that lasted around 8 minutes. “Customers experienced a delay, opening the app took longer and there were errors. It is not comparable with [Monday]”, a spokesperson said to the broadcaster.

The Tax Authority’s website was offline for about 7 minutes on Tuesday. The DDoS attack lasted about half an hour after the site was restored, but did not affect the website’s performance, according to a spokesperson. The attack happened around 7:00 p.m.

SNS also faced a DDoS attack, but customers experienced no problems, NOS reports.

ABN Amro, ING, Rabobank and the Tax Authority all had problems with DDoS attacks between Saturday and Monday. In a DDoS attack, a website is bombarded with huge amounts of data, overloading the server and crashing the site. Security company ESET determined that the attacks that targeted the banks came from servers in Russia.

Screen Shot 2018-01-31 at 10.34.40

Screen Shot 2018-01-31 at 10.34.50

Screen Shot 2018-01-31 at 10.35.02


  • 0

If you have satellite TV, hackers have access to your network

Imagine if every single gadget in your life was “smart.” Your self-driving car could let your house know you’re on the way home so it can adjust the thermostat and kick on the lights.

Your fridge could detect that you’re out of milk and order more online before you even wake up. A drone delivers the milk just in time for your morning bowl of cereal. These are all super helpful features, but they do come with some digital risks.

Now, something as simple as satellite television can be targeted by hackers.

Who’s at risk?

If you are one of the millions of people with AT&T’s DirecTV service, you could be at risk of attack by hackers. That’s due to a vulnerability recently discovered by security researcher Ricky Lawshae.

He said the flaw was found in DirecTV’s Genie digital video recorder (DVR) system. More specifically, Linksys WVBRo-25 model. The vulnerability is located in the wireless video bridge that lets DirecTV devices communicate with the DVR.

Lawshae said that he discovered the flaw when trying to browse to the web server on the Linksys WVBRo-25. He was expecting to find a login page, but instead found a wall of text. It contained output of diagnostic scripts dealing with information about the bridge, including the WPS pin, connected clients, processes that were running, and more.

That means anyone who accesses the device can obtain sensitive information about it. Not only that but the device is able to accept commands as the “root” user.

Lawshae said, “It literally took 30 seconds of looking at this device to find and verify an unauthenticated remote root command injection vulnerability. It was at this point that I became pretty frustrated. The vendors involved here should have had some form of secure development to prevent bugs like this from shipping.”

If a hacker has root access, they can steal data or even turn the device into a botnet. Cybercriminals are not always trying to steal personal and banking information. Sometimes they are trying to create havoc.

Cybercriminals can use an army of internet of things (IoT) gadgets to disrupt services or shut down websites. This is called a distributed denial of services (DDoS) attack.

DDoS attacks occur when servers are overwhelmed with more traffic than they can handle. These types of attacks are performed by a botnet.

A botnet is a group of gadgets that hackers have taken over without the owner’s knowledge. The hackers seize control of unwitting gadgets with a virus or malware and then use the network of infected computers to perform large-scale hacks or scams.

How to resolve this issue

A spokesperson for Linksys told “Forbes” earlier this week that it had “provided the firmware fix to DirecTV and they are working to expedite software updates to the affected equipment.”

The good news is, once the software is pushed out, the flaw should be fixed. The bad news is, we don’t know how long it will take for DirecTV to send the updates.

As a DirecTV customer, you don’t need to do anything to receive the updates. As long as your satellite receiver is connected to the internet updates that are automatically installed behind the scenes.


  • 0

Bitcoin industry enters top 10 DDoS targets

The bitcoin industry has become one of the top 10 industries most targeted by distributed denial of service attacks, a report has revealed

A spike in the number of bitcoin-related sites targeted by distributed denial of service (DDoS) attacks coincided with a spike in the value of the cryptocurrency of $4,672 in the third quarter, according to Imperva’s latest global DDoS report.

The report is based on data from 3,920 network layer and 1,755 application layer DDoS attacks on websites using Imperva Incapsula services between 1 July and 30 September 2017.

The data shows that 73.9% of all bitcoin exchanges and related sites on the Imperva Incapsula service were attacked during the quarter, ahead of the cryptocurrency’s meteoric rise to more than $11,600 in the first week of December.

As a result of the third-quarter spike, the relatively small and young bitcoin industry made it into the top 10 most attacked industries during the three-month period, taking eighth spot above the transport and telecoms sectors.

The most-attacked sector was gambling (34.5%), followed by gaming (14.4%) and internet services (10.8%).

Igal Zeifman, director at Imperva Incapsula, said the large number of attacks on bitcoin exchange sites is a clear example of DDoS attackers following the money.

“As a rule, extortionists and other cyber criminals are commonly drawn to successful online industries, especially emerging ones that are less likely to be well-protected,” he said.

“Specifically for bitcoin, the DDoS attacks we mitigated could also have been attempts to manipulate the price of bitcoin and other cryptocurrency, something we know offenders have tried in the past.”

According to the report, organisations targeted by DDoS campaigns in the third quarter spent an average of 12 hours under attack, half of network layer targets were hit at least twice, and almost 30% were attacked more than 10 times.

Nearly one-third of DDoS targets in the third quarter were attacked 10 or more times, with an interval of at least an hour between assaults.

Hong Kong topped Imperva’s list of the most targeted countries for network layer assaults during the quarter, mainly because of a persistent attack on a local hosting service that was hit hundreds of times in the quarter.

The largest application layer assault targeted a financial services company headquartered in Europe, which was hit multiple times with attacks above 100,000 requests per second.

The quarter also saw high packet rate attacks, in which the packet forwarding rate escalates above 50 million packets per second (Mpps), becomes more common, with 5% of all network layer assaults above 50 Mpps, and the largest attack peaking at 238 Mpps.

This is a cause for concern, the report said, because many mitigation systems are ill-equipped to process packets at such a high rate.

In November 2017, Harshil Parikh, director of security at software-as-a-service platform firm Medallia, told the IsacaCSX Europe 2017 conference in London that any business dependent on the internet should use tried and tested ways of detecting and mitigating DDoS.

He said it is important that such organisations take time and effort to build their DDoS defence capabilities because DDoS attacks are fairly easy and cheap for attackers to carry out.

“With the advent of botnet-based DDoS attack services that will be effective against most companies, anyone can target an organisation for just a few bitcoins,” said Parikh.


  • 0

Rutgers suffers “data breach,” of 1,700 students’ info

NEW BRUNSWICK, NJ – The ​academic information of 1,700 Rutgers students was exposed during a “data security incident” on November 8 and 9, university officials confirmed.

No one’s Social Security number, address or financial information was leaked, according to university spokesperson Neal Buccino.

Instead, the affected students, all in the Department of Computer Science, had their academic data leaked, including Rutgers ID numbers, cumulative GPA’s and Spring 2018 class schedules, Buccino said.

University officials notified those students affected that their data was exposed, but that it hadn’t been altered, according to Buccino.

Officials determined that 18 students accessed the data “in error,’ and notified those students th​a​t​ information they viewed was confidential.

The leak was the result of an “administrative error,” according to Buccino, who added that the university was updating its relevant security policies to ensure such an error doesn’t happen again.

Internet issues are nothing new to Rutgers. Over the course of 2015, Rutgers suffered half a dozen distributed denial of service (DDOS) attacks which crippled the internet on campus for days at a time.

The attacks were perpetrated by the so-called “exfocus” hacker, who during the course of the attacks posted a series of taunting messages on various Twitter pages.

Two of the major attacks took place in the Spring 2015 semester; one during midterms and the other during finals period, preventing many students from working on projects and papers, or preparing for exams.


  • 0

How Big is Your DDoS Mitigation Gap?

The DDoS mitigation industry is scaling up capacity following a consistent increase in the number of DDoS attacks and recent indications that IoT-based DDoS attacks are expected to grow significantly.

The DDoS attack vector continues to wreak havoc in 2017, with a reported 380% spike in the number of DDoS attacks identified in Q1, compared to the same period last year. A recent study shows a year on year increase of 220% in the number of different types of malware designed to hijack IoT devices.

DDoS Mitigation providers are taking heed, with Arbor dedicated to quadrupling their capacity to 8Tbps by the end of 2017, and both Neustar and OVH committing to capacities of over 10Tbps.

A DDoS mitigation Gap occurs whenever DDoS traffic bypasses a company’s DDoS mitigation defenses, and penetrates the target network.

The reasons for such gaps vary from some types of DDoS attacks that are completely unnoticed by DDoS mitigation, to a range of configuration issues that let through traffic that should be mitigated.

However the problem is that visibility of DDoS mitigation gaps is currently nonexistent to those cybersecurity practitioners who are responsible for production uptime.

Companies do not know how well their mitigation is performing, or where their configuration problems are, leaving them and their vendors to troubleshoot issues at the very worst possible time, that is, when systems are down at the height of a DDoS attack.

Results from over 500 DDoS tests run by MazeBolt on companies from a wide range of industries, shows that on their first test, companies failed 41% (on average) of DDoS tests – simulations of real DDoS attacks conducted in a highly controlled manner to help companies understand their mitigation gap so they can strengthen their mitigation proactively.

This means that after a company has deployed their DDoS mitigation strategy, on average it will stop only six out of ten attacks.

To solve this, with insight about where their DDoS mitigation posture was leaking, companies could go back to vendors to reconfigure settings and harden their DDoS mitigation posture.

As depicted in the bar chart below, by repeating the testing cycle only three times, companies were able to reduce their mitigation gap from an average of 41% in the first test to an average of 25% in the second and only 15% in the third – reflecting a 65% strengthening of their DDoS mitigation.

Paraphrasing Heraclitus one might say you can never test the same DDoS mitigation twice, but our data clearly shows that testing it three times will strengthen it considerably.


  • 0

DDoS protection, mitigation and defense: 7 essential tips

Protecting your network from DDoS attacks starts with planning your response. Here, security experts offer their best advice for fighting back.

DDoS attacks are bigger and more ferocious than ever and can strike anyone at any time. With that in mind we’ve assembled some essential advice for protecting against DDoS attacks.

1. Have your ddos mitigation plan ready

Organizations must try to anticipate the applications and network services adversaries will target and draft an emergency response plan to mitigate those attacks.

IBM’s Price agrees. “Organizations are getting better at response. They’re integrating their internal applications and networking teams, and they know when the attack response needs to be escalated so that they aren’t caught off guard. So as attackers are becoming much more sophisticated, so are the financial institutions,” she says.

“A disaster recovery plan and tested procedures should also be in place in the event a business-impacting DDoS attack does occur, including good public messaging. Diversity of infrastructure both in type and geography can also help mitigate against DDoS as well as appropriate hybridization with public and private cloud,” says Day.

“Any large enterprise should start with network level protection with multiple WAN entry points and agreements with the large traffic scrubbing providers (such as Akamai or F5) to mitigate and re-route attacks before they get to your edge.  No physical DDoS devices can keep up with WAN speed attacks, so they must be first scrubbed in the cloud.  Make sure that your operations staff has procedures in place to easily re-route traffic for scrubbing and also fail over network devices that get saturated,” says Scott Carlson, technical fellow at BeyondTrust.

2. Make real-time adjustments

While it’s always been true that enterprises need to be able to adjust in real-time to DDoS attacks, it became increasingly so when a wave of attacks struck many in the financial services and banking industry in 2012 and 2013, including the likes of Bank of America, Capital One, Chase, Citibank, PNC Bank and Wells Fargo. These attacks were both relentless and sophisticated. “Not only were these attacks multi-vector, but the tactics changed in real time,” says Gary Sockrider, solutions architect for the Americas at Arbor Networks. The attackers would watch how sites responded, and when the site came back online, the hackers would adjust with new attack methods.

“They are resolute and they will hit you on some different port, protocol, or from a new source. Always changing tactics,” he says. “Enterprises have to be ready to be as quick and flexible as their adversaries.”

3. Enlist DDoS protection and mitigation services

John Nye, VP of cybersecurity strategy at CynergisTek explains that there are many things enterprises can do on their own to be ready to adjust for when these attacks hit, but enlisting a third-party DDoS protection service may be the most affordable route. “Monitoring can be done within the enterprise, typically in the SOC or NOC, to watch for excessive traffic and if it is sufficiently distinguishable from legitimate traffic, then it can be blocked at the web application firewalls (WAF) or with other technical solutions. While it is possible to build a more robust infrastructure that can deal with larger traffic loads, this solution is substantially costlier than using a third-party service,” Nye says.

Chris Day, chief cybersecurity officer at data center services provider Cyxtera, agrees with Nye that enterprises should consider getting specialty help. “Enterprises should work with a DDoS mitigation company and/or their network service provider to have a mitigation capability in place or at least ready to rapidly deploy in the event of an attack.”

“The number one most useful thing that an enterprise can do — if their web presence is that critical to their business — is to enlist a third-party DDoS protection service,” adds Nye. “I will not recommend any particular vendor in this case, as the best choice is circumstantial and if an enterprise is considering using such a service they should thoroughly investigate the options.”

4. Don’t rely only on perimeter defenses

Everyone we interviewed when reporting on the DDoS attacks that struck financial services firms a few years ago found that their traditional on-premises security devices — firewalls, intrusion-prevention systems, load balancers —were unable to block the attacks.

“We watched those devices failing. The lesson there is really simple: You have to have the ability to mitigate the DDoS attacks before it gets to those devices. They’re vulnerable. They’re just as vulnerable as the servers you are trying to protect,” says Sockrider, when speaking of the attacks on banks and financial services a few years ago. Part of the mitigation effort is going to have to rely on upstream network providers or managed security service providers that can interrupt attacks away from the network perimeter.

It’s especially important to mitigate attacks further upstream when you’re facing high-volume attacks.

“If your internet connection is 10GB and you receive a 100GB attack, trying to fight that at the 10GB mark is hopeless. You’ve already been slaughtered upstream,” says Sockrider.

5. Fight application-layer attacks in-line

Attacks on specific applications are generally stealthy, much lower volume and more targeted.

“They’re designed to fly under the radar so you need the protection on-premises or in the data center so that you can perform deep-packet inspection and see everything at the application layer. This is the best way to mitigate these kinds of attacks,” says Sockrider.

“Organizations will need a web protection tool that can handle application layer DoS attacks,” adds Tyler Shields, VP of Strategy, Marketing & Partnerships at Signal Sciences. “Specifically, those that allow you to configure it to meet your business logic. Network based mitigations are no longer going to suffice,” he says.

Amir Jerbi, co-founder and CTO is Aqua Security, a container security company, explains how one of the steps you can take to protect against DDoS attacks is to add redundancy to an application by deploying it on multiple public cloud providers. “This will ensure that if your application or infrastructure provider is being attacked then you can easily scale out to the next cloud deployment,” he says.

6. Collaborate

The banking industry is collaborating a little when it comes to these attacks. Everything they reveal is carefully protected and shared strictly amongst themselves, but in a limited way, banks are doing a better job at collaborating than most industries.

“They’re working among each other and with their telecommunication providers. And they’re working directly with their service providers. They have to. They can’t just work and succeed in isolation,” says Lynn Price, IBM security strategist for the financial sector.

For example, when the financial services industry was targeted, they turned to the Financial Services Information Sharing and Analysis Center for support and to share information about threats. “In some of these information-sharing meetings, the [big] banks are very open when it comes to talking about the types of attacks underway and the solutions they put into place that proved effective. In that way, the large banks have at least been talking with each other,” says Rich Bolstridge, chief strategist of financial services at Akamai Technologies.

The financial sector’s strategy is one that could and should be adopted elsewhere, regardless of industry.

7. Watch out for secondary attacks

As costly as DDoS attacks can be, they may sometimes be little more than a distraction to provide cover for an even more nefarious attack.

“DDoS can be a diversion tactic for more serious attacks coming in from another direction. Banks need to be aware that they have to not only be monitoring for and defending the DDoS attack, but they also have to have an eye on the notion that the DDoS may only be one aspect of a multifaceted attack, perhaps to steal account or other sensitive information,” Price says.

8. Stay vigilant

Although many times DDoS attacks appear to only target high profile industries and companies, research shows that’s just not accurate. With today’s interconnected digital supply-chains (every enterprise is dependent on dozens if not hundreds of suppliers online), increased online activism expressed through attacks, state sponsored attacks on industries in other nations, and the ease of which DDoS attacks can be initiated, every organization must consider themselves a target.

So be ready, and use the advice in this article as a launching point to build your organization’s own anti-DDoS strategy.


  • 0

Apache Struts Vulnerabilities and The Equifax Hack, What Happened?

In the wake of the Equifax breach, a lot of people are wondering how the theft of personal information occurred and how it could have been prevented.

Equifax initially reported that a vulnerability in Apache Struts was used to infiltrate their public-facing web server. Apache Struts has faced its fair share of vulnerabilities with 21 having been discovered since the start of 2016.

Which Apache Struts vulnerability was used in the Equifax hack?

At DOSarrest we researched current and past Apache Strut vulnerabilities and determined that they likely were not hacked using the new CVE-2017-9805 but likely CVE-2017-5638.

Equifax released additional details on Sept 13th 2017 confirming that the vulnerability involved was CVE-2017-5638. The CVE-2017-5638 vulnerability dates back to March 2017, which is why people in the security industry are now questioning how they could be so far behind in patching this well-known exploit.

The two vulnerabilities, CVE-2017-5638 and the recently revealed CVE-2017-9805 are very similar in nature and are both considered Remote Code Execution (RCE) vulnerabilities .

How does a RCE vulnerability work and how can they be prevented?

A RCE vulnerability is exploited when an attacker crafts a packet or request containing arbitrary code or commands. The attacker uses a method to bypass security that causes a vulnerable server to execute the code with either user or elevated privileges.

Such vulnerabilities can be prevented with a two-fold approach to web application security:

1) New vulnerabilities will continually be discovered in any web application framework, and it is the duty of IT teams to keep the software patched. This requires regular audits and patches to vulnerable software. Even the most proactive IT teams will not be able to prevent a so-called zero-day attack by patching alone so more must be done to protect the web server from zero-day vulnerabilities.

2) Since there is always a delay between the time a vulnerability is discovered and when a patch is developed by the maintainer of that product, a means to protect your website from undiscovered zero-day vulnerabilities is needed. Web Application Firewall’s (WAF) that typically rely on signatures are unfortunately at a disadvantage because signatures for existing vulnerabilities in most cases do not match newer zero-day vulnerabilities.

If I cannot rely on signature-based WAF options, what can I rely on to protect my business?

At DOSarrest our WAF is different. The problem with relying on signatures is that it requires constant updates as new vulnerabilities become known. Instead our WAF looks for sets of characters (such as /}/,/“/, and /;/) or phrases (like “/bin/bash” or “cmd.exe”) that are known to be problematic for some web applications.

What makes DOSarrest’s WAF even more appealing is that it is fast. Much faster than signature-based solutions that require high CPU use to match signatures–such matching could result in a measurable impact on latency. With DOSarrest’s WAF there is no increase in latency, and vulnerabilities not yet discovered will still be mitigated.

Examples of how the Apache Strut vulnerabilities are performed:

For the benefit of more technical users, some sample requests will be analyzed below. The first example represents a normal non-malicious request sent by millions of people everyday and the following two exploit RCE vulnerabilities in Apache Struts:

We can note the following characteristics in the exploit of CVE-2017-5638:

1. The Content-Type Header starts with %{(, an incorrect format.

2. The payload contains a java function call, java.lang.ProcessBuilder, that is normally regarded as dangerous.

3. The payload contains both windows and Linux command line interpreters: “cmd.exe” (Windows Command Prompt) and “/bin/bash” (Linux Bash shell/terminal).

The RCE vulnerability used to infiltrate Equifax, CVE-2017-5638 exploits a bug in the way Apache Struts processes the “Content-Type” HTTP header. This allows attackers to run an XML script with elevated user access, containing the java.lang.ProcessBuilder is required to execute the commands the attacker has placed within the XML request.

CVE 2017-9805, announced September 2017, is very similar to the previous RCE vulnerability.

With CVE-2017-9805, we can note the following characteristics:

1. The Content-Type is application/xml with the actual content in the request body matching that of the Content-Type.

2) The payload also contains the java function call java.lang.ProcessBuilder.

3) The payload in this case is Linux specific and calls “/bin/bash -c touch ./CVE-2017-9805.txt” to confirm that the exploit works by creating a file, “CVE-2017-9805.txt”.

Are the payloads shown the exact ones used by attackers to obtain data from Equifax?

Although some of the commands may have been used together as part of the information gathering process, the actual commands used to obtain the data from Equifax may only be known by the attackers and possibly Equifax or an auditing security team directly involved in the case. The examples show how the vulnerability could be exploited in the wild and what methods might be used, e.g., setting Content-Type and sending an XML file with a payload. These examples do not represent the actual payload used to obtain the data from Equifax.

Since the payload itself can be completely arbitrary, an attacker can run any commands desired on the victim’s server. Any action the web server software is capable of could be performed by an attacker, which could allow for theft of information or intellectual property if it is accessible from the hacked server.

In the case of Equifax, there was likely an initial vulnerability scan that the attackers used to expose Equifax’s vulnerability to this particular attack. This would have been followed by an effort to determine what files were available or what actions could be performed from the Equifax public-facing web server.At some point the attackers came across a method for accessing personal credit details on millions of Americans and citizens from other countries who had credit checks performed on their identities within the United States.

If Equifax had been using the DOSarrest WAF, they could have avoided a costly mistake. Don’t let your business suffer a damaging security breach that could result in you being out of business for good. Talk to us about our services.

For more information on our services including our Web Application Firewall, see DOSarrest for more information on Security solutions.


  • 0

Critical infrastructure not ready for DDoS attacks: FOI data report

The UK’s critical infrastructure is vulnerable to DDoS attacks due to failure to carry out basic security defence work –  39 percent of respondents to a recent survey had not completed the government’s ’10 Steps to Cyber Security’ programme, which was first issued in 2012.

New data was obtained by Corero Network Security under the Freedom of Information Act surveying 338 critical infrastructure organisations in the UK, including fire and rescue services, police forces, ambulance trusts, NHS trusts, energy suppliers and transport organisations; it also showed  that 42 percent of NHS Trusts had not completed the programme.

More than half  (51 percent) of these critical infrastructure organisations were described by Corero as ignoring the risk of short, stealth DDoS attacks on their networks – which typically account for around 90 percent of DDoS attacks and are used by attackers to plant malware or ransomware, or engage in data theft.  Corero reports that these stealth attacks are typically  less than 30 minutes in duration, and 98 percent of those stopped by the company were less than 10Gbps in volume, hence they often go unnoticed by security staff, but are frequently used by attackers in their efforts to target, map and infiltrate a network.

In a statement issued today, Sean Newman, director of product panagement at  Corero, comments: “Cyber-attacks against national infrastructure have the potential to inflict significant, real-life disruption and prevent access to critical services that are vital to the functioning of our economy and society. These findings suggest that many such organisations are not as cyber resilient as they should be, in the face of growing and sophisticated cyber threats.”

Newman adds, “ By not detecting and investigating these short, surgical, DDoS attacks on their networks, infrastructure organisations could also be leaving their doors wide-open for malware or ransomware attacks, data theft or more serious cyber attacks.”

It was also pointed out that in the event of a breach, these organisations could be liable for fines of up to £17 million, or four percent of global turnover, under the UK government’s proposals to implement the EU’s Network and Information Systems (NIS) directive, from May 2018.

In an email to SC, David Emm, principal security researcher, Kaspersky Lab observed, “The world isn’t ready for cyber -threats against critical infrastructure – but criminals are clearly ready and able to launch attacks on these facilities. We’ve seen attempts on power grids, oil refineries, steel plants, financial infrastructure, seaports and hospitals – and these are cases where organisations have spotted attacks and acknowledged them. However, many more companies do neither, and the lack of reporting these incidents hampers risk assessment and response to the threat.”

Edgard Capdevielle, CEO of Nozomi Networks, also emailed SC to comment: “This report emphasises the impact of DDoS attacks and how they are often used as a cover to distract security teams while infecting systems with malware or stealing data. Such initiatives are often the first step in “low and slow” attacks that provide the perpetrators with the information and access they need to carry out system disruptions. Examples of this are the Ukraine power outages of 2015 and 2016, both of which involved cyber-attacks which persisted for many months before culminating in shutdowns.

“In light of this information, CNI organisations should give a high priority to re-assessing their cyber-security programmes, evaluate where they are in relation to government recommendations, and inform themselves about current technologies available for protection….The right approach is to both shore up defenses and be able to quickly respond when attacks do occur.”

Previously, when talking about the new UK legislation targetting CNI, Eldon Sprickerhoff, founder and chief security strategist at eSentire commented in an email to SC, “Although cyber-security regulations will require significant effort for the companies that are affected, this new legislation by the UK government demonstrates that they understand the severity of cyber-threats in today’s digital world and the destruction they can cause, if undeterred.  Even if you’re not a CNI, cyber-threats should concern you. With cyber-criminals constantly adjusting their tactics, it is imperative that companies never stop defending themselves by constantly improving and expanding their cyber-security practices. Managed detection and response and incident response planning are common ways companies can stay ahead of their attackers.”

Sprickerhoff recommended the same measures be taken by CNI organisations to improve cyber-security as for other enterprises, namely:

  • Encryption – store sensitive data that is only readable with a digital key
  • Integrity checks – regularly check for any changes to system files
  • Network monitoring – use tools to help you detect for suspicious behaviour
  • Penetration testing – conduct controlled cyber-attacks on systems to test their defences and identify vulnerabilities
  • Education – train your employees in cyber-security awareness and tightly manage access to any confidential information


  • 0