Russian bank Alfa Says it was Under DNS Botnet Attacks

The Russian banking giant Alfa announced, in a press statement, that hackers targeted its cyber infrastructure in a large-scale DNS Botnet attack. The purpose appears to have been to make it seem as though the bank had been communicating with the Trump Organization. The bank is now asking U.S. to assist it to uncover the culprits.

On Friday, the bank revealed that their servers were under three cyber attacks targeting the domain name server (DNS) since mid-February. It is unclear who was behind these attacks; the details show unknown hackers allegedly used Amazon and Google servers to send requests to a Trump Organization server posing to look like they came from Alfa Bank, pushing the Trump server to respond back to the bank.

An Alfa Bank spokesperson said: “The cyber attacks are an attempt by unknown parties to manufacture the illusion of contact between Alfa Bank’s DNS servers and ’Trump servers’’.

Furthermore, Alfa Bank revealed that it is ready to work with the U.S. law enforcement agency to identify the individuals involved in the campaign. The bank has already hired Stroz Friedberg, a US-based cyber security firm to get into the depth of the matter.

“The cyber attacks are an attempt by unknown parties to manufacture the illusion of contact between Alfa Bank’s DNS servers and ‘Trump servers,” an Alfa Bank representative said in a statement. “We have gone to the U.S. Justice Department and offered our complete cooperation to get to the bottom of this sham and fraud.”

On February 18, 2017, the bank claims it experienced suspicious cyber activity from an unidentified third-party. Specifically, the unidentified third-party repeatedly sent suspicious DNS queries from servers in the U.S. to a Trump Organization server. The unidentified individuals made it look as though these queries originated from variants of MOSCow.ALFAintRa.nET.

The use of upper and lower case indicated the human intervention in the process. Moreover, Alfa Bank says it received more than 1,340 DNS responses containing

Last week, CNN reported that the FBI’s counterintelligence team was investigating if there was a computer server connection between the Trump Organization and Alfa Bank during the U.S. election, according to sources close to the investigation. The bank has now denied that there was ever a conversation between both parties.

Mark McArdle, CTO at cyber security company eSentire commented on the issue and said that:

“A botnet is typically associated with an attack that leverages scale, as it can employ thousands (potentially millions with IoT devices) of devices and use them to coordinate an attack on a target. We’ve seen this with some big DDoS attacks. We also see botnets being used as platforms for large-scale spamming. However, the number of DNS connections reported in the Alfa Bank attacks (1,340 in once case) don’t indicate massive scale. A botnet, however, can be used to add another layer of obfuscation between you and your attacker. Following the breadcrumbs back could bring you to a PVR that has been hacked and is now part of a botnet. I suspect in this case, the botnet is being used more for obfuscation of identity than scale. The attackers may be using a botnet to send spoofed DNS requests to a legitimate Trump server using a spoofed “reply-to” address inside Alfa-Bank’s infrastructure.

Spoofing DNS lookups is not very difficult since DNS is not authenticated, and the ability to spoof source addresses is unfortunately still available – all you need is a system to launch your attack from that is connected to the Internet via an ISP that doesn’t filter out spoofed source addresses. While this type of attack has been around for a while, what’s new in this case is that someone is using it to try and contrive evidence of a relationship where neither party sought one.

Additionally, there is also reference in Alfa Bank’s statement about Spam messages from It’s also possible to spoof email (spammers do this all the time). A spoofed email could include a reference to a legitimate Trump Org server and a real connection would be established if a user clicked on it (or selected “show images” in the email). Again, this does not mean the email came from Trump Org, just that it was sent in order to attempt to solicit “a connection” between Trump Org and Alfa-Bank.”

Either way, identity is difficult to determine unless cryptographic certificates are used, and ultimate hack attribution is even more difficult.

This is not the first time that allegations surrounding Trump’s relations with Russia have emerged. Some believe Russia hacked the US election to give Trump a way to win the presidency while some believe that Russian media was involved in spreading fake news against Trump’s opponent Hillary Clinton. Either way, nothing has been proven yet.


  • 0

Taiwan high-tech industry hardest hit by DDoS attacks in last 30 days

TAIPEI (Taiwan News)—Most denial-of-service (DDoS) attacks launched by hackers from Feb. 15 to March 14, 2017 in Taiwan targeted the high-tech industry, according to statistics compiled by leading global content delivery network provider Akamai Technologies.

Industries in Taiwan that were most severely attacked by hackers were the high technology industry (61.8 percent), manufacturing industry (17.6 percent) and the financial services industry (7 percent), according to statistics compiled by Akamai’s intelligent platform that delivers 30 percent of the global Internet traffic.Screen Shot 2017-03-15 at 11.45.27

Industries in Taiwan under DDoS attacks from February 15 to March 14, 2017. (Taiwan News)

The majority of the hacks were launched from IP addresses in Taiwan, followed by Alabama in the U.S., and Brazil.

“It is often a misconception that most attacks are launched from abroad,” said Akamai’s Security Business Unit director Amol Mathur. “Attacks are coming both domestic and outside.”

The premium CDN provider works customizes solutions for clients from different industries in Taiwan, including hospitality, banking, travel and airline services.

Taiwan’s financial institutes are still recovering from a cybersecurity scare last month,  in which 15 banks received threats from an anonymous hacker group to shell out 10 Bitcoins each (equivalent to US$10,466), or brace themselves for DDoS attacks that would compromise their server systems.

DDoS attacks launched by hackers often compromise institute’s servers data processing capacity by delivering a sudden deluge of data that overtakes bandwidth resources, for instance if the company server bandwidth only allows 10 Gigabyte per second (Gbps) of capacity it can be paralyzed by a 100 Gbps attack.

Hackers might use DDoS as a distraction to conceal other malign operations, such as stealing personal information or credential theft, added Mathur.

Industries affected by hacker attacks vary monthly, depending on whether there is a major geopolitical event, said Mathur. For instance global hacker group Anonymous took down the London Stock Exchange system for two hours as part of its campaign against global central banks in June 2016.

Mathur advised banks should not heed hacker demands to pay ransom.

“In real life you would not pay ransom, so why would you pay hackers,” he said.

The cybersecurity expert noted a rise in DDoS attacks globally during the fourth quarter of 2016, and pointed out DDoS attacks data size was increasing exponentially every quarter.

Globally, attacks over 100 Gbps jumped 140 percent year-on-year during 4Q16, with the largest-size attack recorded reaching 517 Gbps, according to the Akamai “Fourth quarter 2016 State of the Internet/Security Report.”

Mathur noted the cause of increased DDoS attacks was partly due to easy access for people to rent bots online, for as cheap as US$10 by going to a site and simply keying in the website address.

Hackers can generate a monthly income of US$180,000 to US$200,000 from bot rentals.

It remains extremely difficult for law enforcement agencies from a single country to track down hackers that spread the attacks launched by rented bots around the globe, and hide behind the protection of anonymity offered by the dark web. Additionally, the preferred Bitcoin currency used for business transactions by hackers is hard to trace to an IP address, explained Mathur.

Introduction of mobile devices, mobile payment, IP surveillance cameras and emerging Internet of Things (IoT) trends introduce new cybersecurity vulnerabilities as hackers can utilize attacks through large number of connected devices.

The Mirai bot for instance exposed vulnerabilities in the default user administrator name and passwords used by thousands of connected IP surveillance cameras and their DVR worldwide, said Mathur.

He urged the IoT industry to form a joint standard, and for countries to start implementing regulations that set cybersecurity standards for connected devices.

Hackers are also finding ways to target vulnerabilities in smartphone application programming interface (API) to obtain credentials, and data from mobile transactions.

Apple Pay and some other mobile payment technologies periodically publish white papers announcing how it is securing data, but are mostly for tech savvy readers, said Mathur.

One way consumers can safeguard credit card transactions is to check if the online shopping sites or App they use have The Payment Card Industry Data Security Standard (PCI DSS), noted Mathur.

The proprietary information security standard launched nearly a decade ago by major credit card companies Visa, MasterCard, American Express, JCB and others follows a stringent standard and heavily fines companies that do not follow its compliance.


  • 0

IoT DDoS Reaches Critical Mass

In the wake of the Mirai botnet activity that dominated the end of last year, the “DDoS of Things (DoT)”, where bad actors use IoT devices to build botnets which fuel colossal, volumetric DDoS attacks, has become a growing phenomenon. 

According to A10 Networks, the DoT is reaching critical mass—recent attacks have leveraged hundreds of thousands of IoT devices to attack everything from large service providers and enterprises to gaming services, media and entertainment companies. In its research, it uncovered that there are roughly 3,700 DDoS attacks per day, and the cost to an organization can range anywhere from $14,000 to $2.35 million per incident.

In all, almost three quarters of all global brands, organizations and companies (73%) have been victims of a DDoS attack. And, once a business is attacked, there’s an 82% chance they’ll be attacked again: A full 45% were attacked six or more times.

There were 67 countries targeted by DDoS attacks in Q3 2016 alone, with the top three being China (72.6%), the US (12.8%) and South Korea (6.3%). A10 found that 75% of today’s DDoS attacks target multiple vectors, with a 60/40 percentage split of DDoS attacks that target an organization’s application and network layers, respectively.

Meanwhile, DDoS-for-hire services are empowering low-level hackers with highly damaging network-layer bursts of 30 minutes or less. This relentless attack strategy systemically hurts corporations as colossal DDoS attacks have become the norm too; 300 Gbps used to be considered massive, but today, attacks often push past 1 Tbps thanks to the more than 200,000 infected IoT devices that have been used to build global botnets for hire.

No industry is immune: While 57% of global DDoS attacks target gaming companies, any business that performs online services is a target. Software and technology were targeted 26% of the time; financial services 5%; media and entertainment, 4%; internet and telecom, 4%; and education, 1%.


  • 0

How Homeland Security plans to end the scourge of DDoS attacks

The agency is working on a multimillion dollar effort to protect the country’s most critical systems from distributed denial of service attacks, which are among the simplest digital assaults to carry out and the toughest to fight.

MARCH 8, 2017 In late October, in Surprise, Ariz., more than 100 phone calls bombarded the police department’s emergency dispatch line. Calls also overwhelmed the nearby city of Peoria’s 911 system and departments across California and Texas.

But each time a dispatcher picked up, no one was on the line – and there was no emergency.

The Arizona district attorney’s office says the calls clogging 911 lines resulted from a digital prank, which triggered a distributed denial of service, or DDoS, attack on critical emergency communication systems. The prosecutor’s office tracked the torrent of calls to 18-year-old hacker Meetkumar Hiteshbhai Desai. Now, he’s facing four counts of felony computer tampering.

While Mr. Desai said he didn’t intend to cause any harm, according to the Maricopa County Sheriff’s Office, he did surface a potentially devastating glitch in smartphone software that could exact damage on any number of sensitive and critical targets. Whenever anyone clicked a certain link on his webpage via a mobile device, their phone automatically dialed 911.

While this kind of DDoS targeting 911 systems is unprecedented, it’s exactly the type of attack that national law enforcement officials have been concerned about for years. In fact, the Homeland Security Department (DHS) has been working on technology to protect 911 centers from DDoS and telephone-based, or TDoS, attacks for three years.

The Arizona incident proved someone can “cause a large number of phones or a large number of computers or a large number of whatever connected device to start generating these calls,” says Dan Massey, program manager in the cybersecurity division of the DHS Science and Technology Directorate. “It went from how much damage can I do from my phone” to a situation where, with just a handful of people, “if all of our phones started calling some victim, whether that’s 911 or a bank or a hospital, that can get very fast and very big.”

DDoS attacks are both among the simplest forms of cyberattacks to carry out and the most difficult to defend against. They are designed to direct an overwhelming amount of digital traffic – whether from robocalls or web traffic – at targets to overwhelm them so they can’t handle legitimate business. Writ large, there has been an exponential increase in the intensity and frequency of DDoS attacks over the past six months and critical infrastructure components are possible future targets, according to DHS.

For a sense of the scale of today’s DDoS attacks, compare the 100 megabits per second Internet speed at a typical company to the more than 1 million megabits (1 terabit) per second speed of a DDoS attack against Web hosting company Dyn in October. The attack, which drew power from insecure webcams and other internet-connected devices, knocked out widely used online services like Netflix, Twitter, and Spotify for hours.

Such massive web DDoS assaults may also become a problem for 911, as the country moves toward a next generation 911 system that uses mapping services to locate callers and can support voice, text, data, and video communication. “What you’re seeing is a convergence of the traditional internet with the phone system and next generation 911 is a great example of that,” says Massey. “DDoS attacks and/or TDoS attacks kind of blend together a little bit there.”

To help combat the problem, the department has given out $14 million in grants for DDoS prevention studies, including phone-based attacks. Some of that funding is piloting initiatives to stop phone-based attacks at 911 centers in Miami/Dade County and the City of Houston, as well as at a large bank that the department wouldn’t identify.

So far, DHS efforts have yielded, among other things, a DDoS early warning system to flag organizations that an attack may be coming, and alerting them to adjust internet network settings to defend against an onslaught of traffic.

Additionally, DHS-funded research from tech firm SecureLogix produced a prototype that can thwart phony telephone calls sent to a 911 system or other critical phone operation. The model attempts to detect bogus calls by monitoring for clues that indicate an incoming call is fake.

“As we have seen, it is simple to flood a 911 center, enterprise contact center, hospital, or other critical voice system with TDoS calls,” says Mark Collier, SecureLogix chief technology officer. “The research is essential to get ahead” because the assailants “are generating more attacks, the attacks are more sophisticated, and the magnitude of the attacks is increasing. “

To be sure, the race to keep digital adversaries out of the country’s 911 system faces obstacles, some of which are outside the jurisdiction of Homeland Security and dispatch centers.

The DHS DDoS defense program is “a good start,” but one “challenge in defending certain types of critical infrastructure is the fact that emergency services like 911 must serve anyone – immediately,” per Federal Communications Commission rules, “due to their life saving nature,” said Mordechai Guri, research and development head at Israel’s Ben-Gurion University Cyber-Security Research Center. “The approach of blocking the DDoS originators must be backed by a change in the laws and regulations.”

Before the October attacks on the Arizona 911 systems, he and fellow Ben-Gurion researchers warned that DDoS attacks launched from cellphones could pose a significant threat to emergency services. During one experiment, it took fewer than 6,000 hacked phones to clog emergency services in a simulated US state, the academics wrote in a September 2016 paper. Such an attack can potentially last for days.

The very nature of the 911 system makes shutting out any callers potentially dangerous, and some alternatives, like requiring a person in distress to authenticate themselves for assistance, are not viable, says Massey of DHS.

“We really need to make sure that we’re not missing a critical 911 call,” he says. “So that’s a challenge for the project to make sure that we’re not misclassifying people.”


  • 0

7 Security Steps To Defend Your Company Fram A DDoS Attack

Of all the cybersecurity threats today’s businesses face, distributed denial-of-service (DDoS) attacks are among the most complex and devastating. This type of breach involves multiple compromised systems that work in conjunction to shut down service.

Although security technology is becoming more sophisticated, so are hackers, and you don’t want to be caught unprepared if (or more likely, when) your company’s data gets compromised. Below, a few members of Forbes Technology Council each offer one important prevention measure to help your IT department defend against a DDoS attack.

1. Continue To Add Layers Of Defense

Remain vigilant, continuing to add layers of security as they become available. Also provide your department with signs to look for so they have a better idea of potential threats. This provides for a much more proactive approach to security. – Chalmers Brown, Due

 2. Practice Your Response Plan

Have a plan on what to do and who should do it, then do a dry run against it a few times a year. Go further than just your IT team – involve your vendors, executive team, etc. and ask for feedback on what would help them help you in the face of a DDoS attack. Update your plan each time. This practice helps your team execute fast and has the added benefit of showing those around you that you’re prepared. – Brian Fritton, Patch of Land

3. Use A Web Application Firewall (WAF)

A Web Application Firewall (WAF) is your best line of defense against a DDoS attack. It acts like an antivirus that blocks all malicious attacks on your website. It sits above your application at the network level to provide protection before the attacks reach your server. Using a WAF not only protects you against DDoS attacks, but also improves application performance and enhances user experience. – Thomas Griffin, OptinMonster

4. Leverage Cloud Services And Educate Yourself Continually

Cloud providers will handle security better than you can do in-house — especially if you’re a target. Even the U.S. government leverages cloud providers to consult and augment security. Amazon has DDoS mitigation services, and their DNS is both inexpensive and secure. Educate yourself to stay aware of the potential threats and mitigation services that are available to you. – Tim Maliyil, AlertBoot

5. Help Employees Educate Each Other

Since our inception, we’ve had a personal ‘buddy’ assigned to any new team member. They are responsible for teaching the new person all of the dos and don’ts of the department, and also get them more culturally aligned with the team/company. – Pin Chen, ONTRAPORT

6. Get Senior Management Involved In Security Planning

It is critical for companies to include senior management in DDoS prevention planning. Most attacks are due to poor ongoing security practices or setups. Ransomware attacks alone cost over $1B in 2017. Companies should consider cloud solutions that offer cost-effective managed security solutions, with ongoing security and maintenance updates, so that they can focus on building their core business. – Cristina Dolan, Trading Screen

 7. Segment Your IoT Devices Behind A Firewall

While DDoS attacks are difficult to prevent, you can minimize the impact by enabling DDoS and flood protection on your organization’s firewalls. To restore order quickly in the event of an attack, develop a DDoS response plan. To minimize the chance of your IoT infrastructure being used in a DDoS attack, make sure all IoT devices are segmented on a dedicated safe zone behind a firewall. – Bill Conner, SonicWall


  • 0

Businesses blame rivals for DDoS attacks

Industrial sabotage is considered to be the most likely reason behind a distributed denial of service attack, a study has revealed

More than 40% of businesses hit by a distributed denial of service (DDoS) attack worldwide believe their competitors were behind it, research by Kaspersky Lab and B2B International has revealed.

Rival firms are considered more likely culprits than cyber criminals, which were cited as suspects by just 38% of DDoS victims on average.

Industrial sabotage is considered to be the most likely reason behind a DDoS attack, coming out higher than political conspiracy and personal vendettas against a business.

Typically, DDoS attacks target web servers and aim to make websites unavailable to users. Although no data is stolen, the interruption to the service can be costly in terms of lost business damage to reputation.

For example, a massive DDoS attack on Luxembourg’s government servers that started on 27 February 2017 reportedly lasted more than 24 hours, and affected more than a hundred websites.

The joint Kaspersky Lab, B2B International study, which polled 4,000 businesses in 25 countries, found that only 20% of DDoS victims overall blamed foreign governments and secret service organisations, with the same proportion suspecting disgruntled former employees.

Companies in Asia Pacific are the most suspicious of competitors, with 56% blaming their rivals for DDoS attacks and 28% blaming foreign governments. Personal grudges also carry more suspicion in the region too, with 33% blaming former staff.

In Western Europe, only 37% of companies suspect foul play by their competitors, with 17% blaming foreign governments.

Looking at attitudes by business size, businesses at the smaller end of the scale are more likely to suspect their rivals of staging an experienced DDoS attack.

The study found that 48% of small and medium business representatives believe this to be the case compared with only 36% of enterprises. In contrast, respondents from big companies put more blame on former employees and foreign governments.

“DDoS attacks have been a threat for many years, and are one of the most popular weapons in a cyber criminals’ arsenal,” said Russ Madley, head of B2B at Kaspersky Lab UK.

“The problem we face is that DDoS attacks can be set up cheaply and easily, from almost anyone, whether that be a competitor, a dismissed employee, socio-political protesters or just a lone wolf with a grudge.

“It’s therefore imperative that businesses find an effective way to safeguard themselves from such attacks,” he said.

Significant advances in DDoS attacks

There were significant advances in DDoS attacks in the last quarter of 2016, according to Kaspersky, with the longest DDoS attack in lasting 292 hours or 12.2 days, which set a record for 2016 and was significantly longer than the previous quarter’s maximum of 184 hours.

The last quarter of 2016 also saw the first massive DDoS attacks using the Mirai IoT (internet of things) botnet technology, including attacks on Dyn’s Domain Name System (DNS) infrastructure and on Deutsche Telekom, which knocked 900K Germans offline in November.

There were also similar attacks on internet service providers (ISPs) in Ireland, the UK and Liberia, all using IoT devices controlled by Mirai technology and partly targeting home routers in an attempt to create new botnets.

Stakeholders recognise lack of security in IoT devices

According to Kaspersky, stakeholders worldwide, in particular in the US and EU, recognise the lack of security inherent in the functional design of IoT devices and the need to set up a common IoT security ecosystem.

Kaspersky expects to see the emergence of further Mirai botnet modifications and a general increase in IoT botnet activity in 2017.

Researchers at Kaspersky Lab also believe that the DDoS attacks seen so far are just a starting point initiated by various actors to draw up IoT devices into the actors’ own botnets, test drive Mirai technology and develop attack vectors.

First, they demonstrate once again that financial services like the bitcoin trading and blockchain platforms CoinSecure of India and BTC-e of Bulgaria, or William Hill, one of Britain’s biggest betting sites, which took days to come back to full service, were at the highest risk in the fourth quarter and are likely to remain so throughout 2017.

Second, cyber criminals have learnt to manage and launch very sophisticated, carefully planned, and constantly changing multi-vector DDoS attacks adapted to the mitigation policy and capacity of the attacked organisation.

Kaspersky Lab’s analysis shows that the cybercriminals in several cases tracked in 2016 started with a combination of various attack vectors gradually checking out a bank’s network and web services to find a point of service failure. Once DDoS mitigation and other countermeasures were initiated, researchers said the attack vectors changed over a period of several days.

DDoS enters its next stage of evolution

Overall, they said these attacks show that the DDoS landscape entered the next stage of its evolution in 2016 with new technology, massive attack power, as well as highly skilled and professional cyber criminals.

However, the Kaspersky researchers note that unfortunately, this tendency has not yet found its way into the cyber security policies of many organisations that are still not ready or are unclear about the necessary investments in DDoS protection services.


  • 0

Luxembourg government servers forced offline by DDoS attack

Authorities in Luxembourg have said that government servers had come under a DDoS attack on Monday.

According to reports from the Luxemburger Wort, the attack started at 9.30 am, forcing the web servers of many state authorities offline or difficult to reach. Just over an hour later, the state-owned IT operator “Centre des Techniques de l’information de l’Etat” (CTIE) sent a message via Twitter, to confirm that the network was the victim of a DDoS attack.

Reports by Luxemburg publication Paperjam said that over a hundred servers had been affected by the attack and that the attack impacted servers for more than 24 hours.

Gilles Feith, chief of the CTIE government IT centre, said that this was the first-time Luxembourg authorities had been targeted to such an extent but could not confirm the origin of the attack.

“Before it gets back to normal, it may take some time to wait,” said Feith, adding it may take “a few hours or even days.”

Stephanie Weagle, VP, Corero Network Security, told SC Media UK that DDoS attacks have become many things over the last decade; weapons of cyberwarfare, security breach diversions and service impacting strategies.

“The motivations for these attack campaigns are endless – financial, political, nation-state, extortion and everything in between,” she said.

Weagle added: “Continuing to rely on traditional IT security solutions, and or human intervention to deal with the growing DDoS epidemic will continue to prove devastating to businesses. As recent events have confirmed once again, proactive, automated protection is required to keep the Internet connected business available in the face of DDoS attacks.”

Pascal Geenens, Radware EMEA security evangelist, told SC Magazine that these days anyone has access to booter or stresser services or DDoS-for-hire.

“Services are available on the Darknet as well as on the Clearnet and for just a couple of Euros one can launch a DDoS attack by a click of the mouse,” he said.

Geenens added the release of the Mirai source code last October was a turning point. “We saw a huge rise in the number of botnets leveraging IoT devices (mostly IP cams and residential routers) and attacks grew in size. A 1Tbps attack should not come as a surprise today, the potential certainly is there.”

He said the motivation behind DDoS attacks can be many things, combined with the user-friendly experience and low price provided by the services to perform them, the spectrum of motivations is only widening.

“The main drive of most cyber-crime is still money, we have witnessed countless cyber-ransoms leveraging DDoS. This attack could be precursor of a larger RDoS. Attackers typically provide some proof they have the ability to interrupt the service, which is typically followed by a message with a demand for ransom and if the victim does not pay there will be an ultimatum followed by a much larger and longer attack.”

Geenens said the number and size of DDoS attacks is growing and we do not predict this trend will slow in the near future.

“My advice to any online business or government, it is five past 12, everybody is a potential target. Make DDoS protection a priority. UEBA is another technology that should be part of the strategy for organisations that carry important or sensitive information.”


  • 0

Security Company CloudFlare leaks sensitive customer information for tens of thousands of websites

cloudflare: Cloudflare Reverse Proxies are Dumping Uninitialized Memory

(It took every ounce of strength not to call this issue "cloudbleed")

Corpus distillation is a procedure we use to optimize the fuzzing we do by analyzing publicly available datasets. We've spoken a bit about this publicly in the past, for example:

On February 17th 2017, I was working on a corpus distillation project, when I encountered some data that didn't match what I had been expecting. It's not unusual to find garbage, corrupt data, mislabeled data or just crazy non-conforming data...but the format of the data this time was confusing enough that I spent some time trying to debug what had gone wrong, wondering if it was a bug in my code. In fact, the data was bizarre enough that some colleagues around the Project Zero office even got intrigued.

It became clear after a while we were looking at chunks of uninitialized memory interspersed with valid data. The program that this uninitialized data was coming from just happened to have the data I wanted in memory at the time. That solved the mystery, but some of the nearby memory had strings and objects that really seemed like they could be from a reverse proxy operated by cloudflare - a major cdn service.

A while later, we figured out how to reproduce the problem. It looked like that if an html page hosted behind cloudflare had a specific combination of unbalanced tags, the proxy would intersperse pages of uninitialized memory into the output (kinda like heartbleed, but cloudflare specific and worse for reasons I'll explain later). My working theory was that this was related to their "ScrapeShield" feature which parses and obfuscates html - but because reverse proxies are shared between customers, it would affect *all* Cloudflare customers.

We fetched a few live samples, and we observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major cloudflare-hosted sites from other users. Once we understood what we were seeing and the implications, we immediately stopped and contacted cloudflare security.

This situation was unusual, PII was actively being downloaded by crawlers and users during normal usage, they just didn't understand what they were seeing. Seconds mattered here, emails to support on a friday evening were not going to cut it. I don't have any cloudflare contacts, so reached out for an urgent contact on twitter, and quickly reached the right people.

After I explained the situation, cloudflare quickly reproduced the problem, told me they had convened an  incident and had an initial mitigation in place within an hour.

"You definitely got the right people. We have killed the affected services"

  • 0

Cloudflare bug data leak exposed

Private messages exchanged on dating sites, hotel bookings and frames from adult videos were among the data inadvertently exposed by a bug discovered in the Cloudflare network.

The firm protects websites by routing their traffic through its own network, filtering out hack attacks.

It has 4 million clients, including banks, governments and shopping sites.

Customers wouldn’t necessarily know which of the online services they use run on Cloudflare as it is not visible.

The bug came to light while Cloudflare was migrating from older to newer software between 13 – 18 February.

Chief operating officer John Graham-Cumming said it was likely that in the last week, around 120,000 web pages per day may have contained some unencrypted private data, along with other junk text, along the bottom.

He told the BBC there was no evidence yet that the data had been used maliciously.

“I can’t tell you it’s zero probability that nobody saw something and did something mischievous,” he said.

“I am not changing any of my passwords. I think the probability that somebody saw something is so low it’s not something I am concerned about.”

‘Ancient software’

Mr Graham-Cumming has written a blog about what went wrong and how Cloudflare fixed it.

“Unfortunately, it was the ancient piece of software that contained a latent security problem and that problem only showed up as we were in the process of migrating away from it,” he wrote.

The firm, whose strapline is “make the internet work the way it should”, has also been working with the major search engines to get the data scrubbed from their caches – snapshots taken of pages at various times.

It was discovered by Google engineer Tavis Ormandy, who compared it to the 2014 Heartbleed bug.

“We keep finding more sensitive data that we need to clean up,” he wrote in a log of the discovery.

“The examples we’re finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to clean up.”

Dodged bullet

Cybersecurity expert Prof Alan Woodward said the bug had been caused by “a few lines of errant code”.

“When you consider the millions of lines of code that are protecting us out there on the web, it makes you realise that there are bound to be other problems likely to be waiting to be found,” he said.

“It’s too soon to tell exactly what damage may have been done, but because of the way in which this was found the chances of individuals being compromised is relatively small.

“What it shows, bigly, is that we may have just dodged a bullet.”


  • 0

Deutsche Telekom Cyber Attack ‘Mastermind’ Arrested At London Airport

The police plan to extradite him to Germany where he could face up to ten years in prison

A 29-year-old British man suspected of being behind the cyber attack which affected 900,000 Deutsche Telekom customers has been arrested at Luton Airport.

The German telecoms giant was forced to roll out a software update in November after nearly a million of its customers across the country were either cut off, or had issues with their broadband service.

The UK’s National Crime Agency (NCA) today said it has arrested the man under charges of computer sabotage on behalf of Germany’s federal criminal police force (BKA).

Attack suspect

Cologne public prosecutor Dr Daniel Vollmert said the man is “accused of being the mastermind behind the attack”, with the police planning to extradite him to Germany where he could face up to ten years in prison

He supposedly planned to hack the Deutsche Telekom router in order to integrate in to a networked “botnet” for cyber criminal activities and prosecutors allege that he tried to sell the botnet on the dark web “attack scenarios like so-called DDoS attacks”.

At the time, Deutsche Telekom was able to mitigate the attack by instructing customers to disconnect their routers and only restart them after carrying out a software update.

Attacks such as this were extremely prevalent throughout 2016, as businesses struggled to come to terms with a growing attack surface and the increased sophistication of cyber attacks, emphasising a need for next generation security products.

DDoS attacks in particular are a serious threat to businesses. Earlier this month a suspected DDoS attack took down the Austrian Parliament website and the same type of attack was deemed responsible for an outage at Lloyds Banking Group in January that left customers unable to access online banking services for three days.

Corero Network Security warned businesses to prepare for bigger and badder DDoS attacks in 2017 and, if the first two months of the year are anything to go by, this prediction looks set to come true.


  • 0