WME Security Briefing 15 July 2024

WME Cybersecurity Briefings No. 018

OVHcloud Mitigates Record-Breaking 840 Million PPS DDoS Attack

Overview

In April 2024, OVHcloud, a top French cloud computing firm, successfully stopped a massive DDoS attack. The attack hit a record-breaking rate of 840 million packets per second (Mpps). It beat the previous record of 809 million Mpps set by Akamai in June 2020, which targeted a large European bank.

The attack was a mix of a TCP ACK flood from about 5000+ source IPs and a DNS reflection attack to boost the traffic. Interestingly, two-thirds of the packets came from just four points of presence, all in the U.S., with three on the west coast. This shows the attacker’s ability to create a huge packet rate with limited peerings.

Impact

Since 2023, OVHcloud has seen a big rise in DDoS attacks. Many of these attacks exceed one terabit per second (Tbps). The highest recorded bit rate was about 2.5 Tbps.

Typical DDoS attacks flood bandwidth with junk traffic. But packet rate attacks target the packet processing engines of devices near the destination, like load balancers. Many of these attacks come from compromised MikroTik Cloud Core Router (CCR) devices. These routers, often running outdated software, have known security flaws.

Hackers exploit the RouterOS Bandwidth test feature to launch these attacks. If just 1% of the 99,382 exposed MikroTik routers were hijacked, adversaries could launch attacks reaching up to 2.28 billion packets per second (Gpps). MikroTik routers have been used to create powerful botnets like Mēris and to run botnet-as-a-service operations. This poses a severe threat to anti-DDoS infrastructures.

Recommendation

✔️ Ensure all MikroTik routers and other networking devices run the latest firmware.

✔️ Implement network segmentation to limit the impact of compromised devices.

✔️ Deploy advanced DDoS mitigation solutions to handle high bit rates.

✔️ Monitor unusual patterns and conduct regular security assessments.

GootLoader Malware Continues to Evolve

Overview

The GootLoader malware is still a big threat because it keeps evolving. GootLoader, linked to the Gootkit banking trojan, is being used by hackers to deliver different kinds of malware to compromised systems.

Recently, the ongoing use of GootLoader and its latest versions, including GootLoader 3, has been reported. Even though the payload specifics have changed, the infection strategies and core functions of GootLoader have stayed the same since it came back in 2020.

Impact

GootLoader is linked to threat actor Hive0127 (UNC2565) and it uses JavaScript to download post-exploitation tools. It spreads mainly through SEO poisoning, where compromised sites host malicious JavaScript posing as legal documents. When downloaded, GootLoader establishes persistence via scheduled tasks. Then, it runs scripts to gather system data and await commands.

Recent updates show GootLoader distributing familiar malware like Cobalt Strike, IcedID, Kronos, REvil, SystemBC, etc. They also used the command-and-control (C2) and lateral movement tool, GootBot. This suggests the threat group is expanding strategically to target greater financial gain.

Recommendation

To mitigate the risks posed by GootLoader, WME recommends:

✔️ Ensure your security solutions can block GootLoader and associated malware.

✔️ Monitor web traffic for signs of SEO poisoning.

✔️ Use strong endpoint protection and conduct regular system scans.

✔️ Regularly review and secure your websites.

Polyfill[.]io Attack Impacts Over 380,000 Hosts, Including Major Companies

Overview

The recent supply chain attack on the Polyfill[.]io JavaScript library has expanded significantly. As of July 2024, 380,000+ hosts have been compromised. The attack involves embedding a malicious polyfill script that links to compromised domains in HTTP responses. Ultimately, it’s impacting numerous major companies and prominent networks globally.

Impact

237,700+ compromised hosts have been reported in Hetzner’s German network. It’s a popular web hosting service. Affected domains include WarnerBros, Hulu, Mercedes-Benz, Pearson, all referencing malicious endpoints.

The attack was detected in late June 2024. It altered code on the Polyfill domain to redirect users to inappropriate websites. These time-specific redirects targeted specific visitors. The domain and its GitHub repository were sold to Funnull, a Chinese company, in February 2024. This development led to these malicious changes.

Recommendation

The Polyfill[.]io attack is a stark reminder of the vulnerabilities in supply chain dependencies and the importance of quick response to emerging threats. To mitigate the risk, domain registrar Namecheap has suspended the Polyfill domain. On the other hand, Cloudflare and other CDNs are automatically replacing Polyfill links with safe mirror sites. Google has also blocked ads for sites embedding the malicious domain.

However, attackers have tried to relaunch the service under new domains like polyfill[.]com ( Namecheap has taken it down as well).

Admins should immediately review their systems for any references to the compromised domains.

New Golang-Based Zergeca Botnet Threatens with Powerful DDoS Attacks

Overview

On July 5, 2024, cybersecurity researchers found a new botnet called Zergeca. It’s written in Golang and poses a big threat with its ability to launch DDoS attacks. It uses advanced techniques to avoid detection and keep running smoothly.

Impact

Zergeca isn’t just a typical DDoS botnet. It supports six attack methods and extras like proxying, scanning, self-upgrading, persistence, file transfer, reverse shell, gathering device info, and whatnot. The botnet uses DNS-over-HTTPS (DoH) and Smux for secure C2 server communication. Evidence suggests ongoing development, adding new commands and features. The C2 IP, 84.54.51[.]82, previously linked to Mirai, hints at prior botnet experience.

From early to mid-June 2024, Zergeca launched ACK flood DDoS attacks in Canada, Germany, and the U.S. It’s divided into four modules: persistence, proxy, silivaccine, and zombie. These modules ensure persistence, handle proxying, remove competing malware, and control x86-64 devices.

Zergeca employs UPX packing, XOR encryption, DoH for C2, showing adept evasion tactics.

Recommendation

✅ Update Security Protocols

✅ Use intrusion detection systems and intrusion prevention systems (IPS) to block malicious activities.

✅ Limit access to critical systems and use firewalls.

✅ Develop an incident response plan to quickly mitigate the impact of a botnet attack.

Critical Flaws Uncovered in Rockwell Automation PanelView Plus by Microsoft

Overview

Microsoft finds two major security flaws in Rockwell Automation PanelView Plus systems. Remote attackers could exploit these to run arbitrary code or cause a denial-of-service. The vulnerabilities show the dangers of mishandling input data in the system’s software.

Impact

Two vulnerabilities were identified:

CVE-2023-2071 (CVSS score: 9.8): Allows unauthenticated attackers to execute remote code via crafted packets. Exploiting it lets attackers upload malicious DLLs, to potentially compromise entire systems.

CVE-2023-29464 (CVSS score: 8.2): This vulnerability also allows unauthenticated actors to read memory data via crafted packets due to improper input validation. Sending oversized packets can cause a DoS condition, making the device unresponsive.

Both vulnerabilities can result in severe consequences i.e. Remote code execution, information disclosure, complete denial-of-service, etc.

Recommendation

✅ Update Software. Specifically, upgrade FactoryTalk View Machine Edition to a version beyond 13.0 and FactoryTalk Linx to a version later than 6.30.

✅ Monitor for Unusual Activity.

✅ Isolate critical systems to reduce the potential attack surface available to threat actors.

✅ Regularly apply security best practices as recommended by Rockwell Automation and cybersecurity entities like CISA.

Share:

Facebook
Twitter
LinkedIn
Picture of Matt Tinney

Matt Tinney

Professional IT executive & business leader having decades of experience with Microsoft technologies delivering modern-day cloud & security solutions.

Contact Us

=
On Key

More Posts

Be assured of everything

Get WME Services

Stay ahead of the competition with our Professional IT offerings.

=