Cyber Pulse: Edition 118 | 29 June 2020

Here is our cyber security round-up of the week:

European bank hit by huge distributed denial-of-service (DDoS) attack

A bank in Europe was the target of a huge distributed denial-of-service (DDoS) attack that sent a flood of 809 million packets per second (PPS) to its networking gear. In all, the attack lasted less than 10 minutes, Akamai says in a blog post. The attack can easily be a contender for the largest DDoS incident to date, despite not being a bandwidth-intensive attack, with a footprint of just 418Gbps.

DDoS attacks differentiate according to the method used to bring down the target. Their intensity is measured in bits per second (BPS), packets for second (PPS), or requests per second (RPS). BPS attacks aim to exhaust the internet pipeline, PPS are directed at network devices or apps in a datacentre or cloud, and RPS attacks an edge server that runs a web application.

The record DDoS attack was mitigated by Akamai on Sunday June 21. The company did not disclose the name of the customer defended against the takedown, referring to them as a large European bank. The incident lasted for a short time and increased in intensity in just a couple of minutes. It took seconds to get from normal traffic levels to 418 Gbps. About two minutes passed until the flood grew to its peak of 809 million packets per seconds.

Suspected of this operation is a new botnet emerging from the underground. This conclusion is based on the high number of IP addresses seen for the first time – 96.2% of them were unknown to Akamai until now. The platform recorded more than 600 times the normal amount of IP addresses normally seen for the customer. Akamai believes that this is a new industry record in terms of PPS-focused attacks. Compared to a previous largest attack recorded by the platform, which was 385 million PPS, this incident was more than double.

Attackers hide malicious code implants in the metadata of image files

In what's one of the most innovative hacking campaigns, cybercrime gangs are now hiding malicious code implants in the metadata of image files to covertly steal payment card information entered by visitors on hacked websites.

Researchers found skimming code hidden within the metadata of an image file (a form of steganography) and surreptitiously loaded by compromised online stores. This scheme would not be complete without yet another interesting variation to exfiltrate stolen credit card data. Once again, criminals used the disguise of an image file to collect their loot.

The evolving tactic of the operation, widely known as web-skimming or a Magecart attack, comes as bad actors are finding different ways to inject JavaScript scripts, including misconfigured AWS S3 data storage buckets, and exploiting content security policy to transmit data to a Google Analytics account under their control. Jumping on the growing trend of online shopping, these attacks typically work by inserting malicious code into a compromised site, which surreptitiously harvests and sends user-entered data to a cybercriminal's server, thus giving them access to shoppers' payment information.

Researchers found that the skimmer was not only discovered on an online store running the WooCommerce WordPress plugin, but was contained in the EXIF (short for Exchangeable Image File Format) metadata for a suspicious domain's (cddn.site) favicon image. Every image comes embedded with information about the image itself, such as the camera manufacturer and model, date and time the photo was taken, the location, resolution and camera settings, among other details. Using this EXIF data, the hackers executed a piece of JavaScript that was concealed in the "Copyright" field of the favicon image.

“As with other skimmers, this one also grabs the content of the input fields where online shoppers are entering their name, billing address, and credit card details," the researchers said. Aside from encoding the captured information using the Base64 format and reversing the output string, the stolen data is transmitted in the form of an image file to conceal the exfiltration process. Back in May, several hacked websites were observed loading a malicious favicon on their checkout pages and subsequently replacing the legitimate online payment forms with a fraudulent substitute that stole user card details.

1.3 million Stalker Online gamers' records are for sale on dark web forums

Security researchers are warning players of a popular MMO game that over 1.3 million user records are being sold on dark web forums. Usernames, passwords, email addresses, phone numbers and IP addresses belonging to players of Stalker Online were found by researchers. The firm explained that the passwords were stored only in MD5, which is one of the less secure encryption algorithms around.

Two databases were found on underground sites as part of a dark web monitoring project undertaken by the research outfit, one containing around 1.2 million records and another 136,000 records. It appears a hacker compromised a Stalker Online web server before stealing the user data and posting a link on its official website as proof. After confirming the data for sale was genuine, the researchers tried and failed to get in touch with Australian developer BigWorld Technology and its parent company, Cyprus-based Wargaming.net.

Both databases were hosted on legitimate e-commerce site Shoppy.gg, which removed the content when advised by the white hats within a day. “However, the fact that the storefront was operational for almost a month may suggest that copies of the database containing 1.2 million user records may have been sold on the black market to multiple buyers,” they explained. “In addition, the removal of the databases from the e-commerce platform does not preclude the hacker from putting them up for sale someplace else. This means that all Stalker Online players should consider their records to still be compromised.”

Although the stolen information didn’t contain any financial data, there’s plenty that cyber-criminals could do with the haul, including credential stuffing, follow-on phishing attacks, email and phone spam, cracking open the email passwords and even holding the gaming accounts themselves ransom. “Since Stalker Online is a free-to-play game that incorporates micro-transactions, malicious actors could also make a lot of money from selling hacked player accounts on the grey market,” the researchers said.

Cryptojacking malware can launch DDoS attacks

A recently identified piece of cryptojacking malware includes functionality that enables its operators to launch distributed denial of service (DDoS) attacks, researchers report. Dubbed Lucifer, the malware was first observed on May 29, as part of a campaign that is still ongoing, but which switched to an upgraded variant on June 11.

The threat was designed to drop XMRig for mining Monero, and it can propagate on its own by targeting various vulnerabilities, is capable of command and control (C&C) operations, and drops and runs EternalBlue, EternalRomance, and the DoublePulsar backdoor on vulnerable targets for intranet infections. Lucifer targets a long list of critical and high-severity vulnerabilities in software such as Rejetto HTTP File Server, Jenkins, Oracle Weblogic, Drupal, Apache Struts, Laravel, and Windows.

Successful exploitation of these bugs provides attackers with the ability to execute code on the target machines. Although software updates to address these issues have been available for some time, many systems remain unpatched and exposed to attacks. The malware contains three resource sections, each containing a binary for a specific purpose: x86 and x64 UPX-packed versions of XMRig 5.5.0, and Equation Group exploits (EternalBlue and EternalRomance, and the DoublePulsar backdoor implant).

Once it has infected a machine, Lucifer proceeds to gain persistence by setting specific registry key values. The malware enables itself with debug privilege and begins operation by launching several threads. For propagation, the malware scans for open TCP ports 135 (RPC) and 1433 (MSSQL) and attempts to gain access by trying commonly used credentials, and uses Equation Group exploits or HTTP requests to probe for external, exposed systems. The payloads delivered to the identified vulnerable systems fetch a replica of the malware via certutil. After all worker threads are launched, the malware enters an infinite loop to handle C&C operation. Based on commands received from the server, it can launch TCP/UDP/HTTP DoS attacks, download and execute files, execute commands, enable/disable the miner’s status report functionality, enable flags related to the miner, or reset the flags and terminate the miner. The Stratum protocol on port 10001 is used for communication between the cryptojacking bot and its mining server.

The upgraded version of the malware has the same capabilities and behavior as its predecessor, but also includes an anti-sandbox capability by checking the username and the computer name of the infected host against a predefined list, as well as for the presence of specific device drivers, DLLs and virtual devices, and halting operation if a match is found.

Thousands of printers leaking data online

Experts found tens of thousands of printers that are exposed online and leaking device names, organisation names, WiFi SSIDs, and other info. It’s not a mystery that a printer left exposed online without proper security could open the doors to hackers.

The researchers scanned the internet for printers that are exposing their Internet Printing Protocol (IPP) port online. The Internet Printing Protocol (IPP) is a specialised internet protocol for communication between client devices (computers, mobile phones, tablets, etc.) and printers (or print servers). It allows clients to submit one or more print jobs to the printer or print server, and perform tasks such as querying the status of a printer, obtaining the status of print jobs, or cancelling individual print jobs.

Unlike other printer management protocols, the IPP protocol supports multiple security features, including authentication and encryption, but evidently organisations and individual device owners don’t use them. Experts discovered an average of 80,000 printers exposed online via IPP on a daily bases, and were able to query the devices for local details via the “Get-Printer-Attributes” function.

“We scan by sending an IPP Get-Printer-Attributes request to TCP port 631. We started regular scanning of all 4 billion routable IPv4 addresses on the 5th of June 2020 and added Open IPP reporting as part of our daily public benefit remediation network reports on the 8th of June 2020. Our IPP scans uncover around 80,000 open devices (printers) per day,” reads the report published by the researchers. “Obviously, these counts only represent devices that are not firewalled and allow direct querying over the IPv4 Internet.”

New ransomware from Evil Corp

Researchers have been tracking a new ransomware strain called "WastedLocker" that's been active since May 2020. The researchers say the malware was developed by Evil Corp, a criminal group best known for creating the Dridex banking trojan and the BitPaymer ransomware. WastedLocker's emergence appears to be part of Evil Corp's efforts to switch out its tactics, techniques, and procedures following the indictment of two of the group's leaders by the US Justice Department in December 2019. Interestingly, Evil Corp doesn't seem to engage in the type of data theft and extortion that's become a common feature of other targeted ransomware operations. Fox-IT suspects this is due to the group's desire to avoid attracting needless attention from law enforcement and others.

Edited and compiled by QA's Director of Cyber, Richard Beck.

Subscribe to our weekly Cyber Pulse newsletter below.

Click here to find out about QA's extensive cyber security courses.