New wave of DDoS Attacks that employ TCP Amplification

Researchers have noticed a new wave of DDoS attacks that use TCP amplification. This is an unusual approach, and most attackers reportedly avoid it because of its inefficiency. The victims of such attacks include Korea Telecom, Eurobet, Turkish-based Garanti, and South Korean SK Broadband. Amplification DDoS attacks generate a volume of attack traffic far larger than what the attacker sends by bouncing it off third-party systems. In attacks that use TCP amplification, a SYN packet with a spoofed source address, that of the target, is sent to a number of random IP addresses or reflection services. These hosts respond with a SYN-ACK packet, which is delivered to the target network. If the target network does not respond as expected, the reflecting host keeps retransmitting the SYN-ACK in an attempt to complete the three-way handshake. The number of times each reflecting host retransmits its SYN-ACK determines the amplification factor. These attacks impact the targeted networks as well as the networks used to generate the flood: the networks used as reflectors are flooded with SYN traffic, causing congestion, and the intended targets may also be blacklisted by the reflectors' network administrators because the spoofed SYN requests appear to originate from them.
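As an added example (not part of the original item), here is a victim-side detection check in Python: it walks a constructed packet log, flags inbound SYN-ACKs for which our network never sent a SYN, and counts each reflector's retransmissions to estimate the amplification factor the item describes. The packet tuples, addresses and sequence numbers are constructed for illustration; the check relies on the fact that a retransmitted SYN-ACK repeats the same sequence number.

```python
from collections import defaultdict

# Constructed packet log as seen at the victim's border (not real capture data):
# (direction, src_ip, dst_ip, tcp_flags, seq); "out" = sent by us, "in" = received.
# 198.51.100.5 answers a SYN we really sent. 192.0.2.20/.21 are reflectors
# answering SYNs the attacker spoofed with our address, and they keep retransmitting.
SAMPLE_PACKETS = [
    ("out", "203.0.113.10", "198.51.100.5", "S",  1000),
    ("in",  "198.51.100.5", "203.0.113.10", "SA", 5000),
    ("in",  "192.0.2.20",   "203.0.113.10", "SA", 7000),
    ("in",  "192.0.2.20",   "203.0.113.10", "SA", 7000),
    ("in",  "192.0.2.20",   "203.0.113.10", "SA", 7000),
    ("in",  "192.0.2.20",   "203.0.113.10", "SA", 7000),
    ("in",  "192.0.2.21",   "203.0.113.10", "SA", 9000),
    ("in",  "192.0.2.21",   "203.0.113.10", "SA", 9000),
]


def find_reflected_synacks(packets):
    """Separate solicited SYN-ACKs from reflected ones and estimate amplification.

    An inbound SYN-ACK is reflected if our side never sent a SYN to that peer.
    Each distinct (reflector, seq) pair is one spoofed SYN the attacker sent;
    repeats of the same seq are the reflector's handshake retransmissions.
    """
    sent_syns = set()                # (our_ip, peer_ip) for SYNs we actually sent
    retransmits = defaultdict(int)   # (reflector_ip, seq) -> SYN-ACKs received
    for direction, src, dst, flags, seq in packets:
        if direction == "out" and flags == "S":
            sent_syns.add((src, dst))
        elif direction == "in" and flags == "SA" and (dst, src) not in sent_syns:
            retransmits[(src, seq)] += 1

    per_reflector = defaultdict(int)
    for (reflector, _seq), count in retransmits.items():
        per_reflector[reflector] += count
    spoofed_syns = len(retransmits)
    total = sum(per_reflector.values())
    return {
        "per_reflector": dict(per_reflector),
        # SYN-ACKs the victim receives per spoofed SYN the attacker had to send
        "amplification": total / spoofed_syns if spoofed_syns else 0.0,
    }


if __name__ == "__main__":
    print(find_reflected_synacks(SAMPLE_PACKETS))
```

On a real sensor the same logic also flags SYN-ACKs for connections that timed out on our side, so a threshold on retransmissions per reflector is what separates an attack from ordinary churn.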


New Javascript skimmer ‘Pipka’ found targeting e-commerce websites

Security researchers have spotted a new and unusual JavaScript payment-card skimmer named Pipka. The malware has so far been found on at least 16 e-commerce websites. In a security alert, researchers described Pipka's self-cleaning mechanism as unique: the malware tries to evade detection by removing itself from the HTML of a compromised website after it has successfully executed. Visa's alert notes that threat actors inject Pipka directly into different locations on e-commerce sites. Like Inter and other electronic card skimmers, Pipka is designed to steal payment card details from the checkout pages of e-commerce sites. The details include cardholder numbers, payment card account numbers, expiration dates, CVV numbers, and several other sensitive data items. Attackers can further configure Pipka to capture data from specific fields that shoppers fill in when making a purchase on an e-commerce site. One sample is customized to target two-step checkout pages that collect billing data on one page and payment account data on another. The harvested data is base64 encoded and then obfuscated with the ROT13 cipher (a simple letter substitution rather than real encryption); the result is stored in a cookie for later exfiltration to a remote command and control server. Researchers expect threat actors to keep using Pipka to compromise e-commerce merchant websites and harvest payment account data. Online retailers should therefore regularly scan and test their websites for vulnerabilities or malware, limit access to the administrative portal, and implement security best practices on the website. Users, on the other hand, should regularly ensure that the shopping cart, other services, and all software are upgraded or patched. They should also enable two-factor authentication as an added protection layer.
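As an added example, not code from Visa's alert or from the skimmer itself, here is a Python check a web-security team could run over a browser's cookie jar: it reverses the two layers the item describes (ROT13, then base64) and applies a Luhn check so that only cookies whose decoded contents hold a plausible card number are flagged, not every cookie with a long digit run. The cookie names, the JSON layout of the payload, and the 4111111111111111 test PAN are assumptions constructed for the example.

```python
import base64
import codecs
import re


def luhn_ok(digits):
    """Luhn checksum: distinguishes a real card number from a random digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def encode_like_skimmer(plaintext):
    """Constructed stand-in for the skimmer's encoding: base64 first, then ROT13."""
    return codecs.decode(base64.b64encode(plaintext.encode()).decode(), "rot13")


# Constructed cookie jar. 4111111111111111 is the well-known test PAN; the field
# names and the other cookies are made-up decoys that must not be flagged.
SAMPLE_COOKIES = {
    "session": "abc123",
    "pref": "theme=dark",
    "_pk": encode_like_skimmer('{"cc":"4111111111111111","exp":"12/24","cvv":"123"}'),
    "_junk": encode_like_skimmer('{"cc":"4111111111111112"}'),   # fails Luhn
}


def decode_skimmer_cookie(value):
    """Undo ROT13 then base64; return the plaintext, or None if value is not in that form."""
    try:
        return base64.b64decode(codecs.decode(value, "rot13"), validate=True).decode("utf-8")
    except ValueError:                      # bad base64 (binascii.Error) or non-UTF-8 bytes
        return None


def looks_like_card_data(text):
    """True if the text holds a 13-19 digit run that passes the Luhn check."""
    return any(luhn_ok(run) for run in re.findall(r"\d{13,19}", text))


def scan_cookies(cookies):
    """Return the names of cookies whose decoded contents carry card data."""
    return [name for name, value in cookies.items()
            if (text := decode_skimmer_cookie(value)) is not None
            and looks_like_card_data(text)]
```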


Public cloud infrastructures suffer from a serious security loophole

Researchers found that the accessibility of cloud APIs over the Internet opens new possibilities for adversaries to plan their attacks. They note that current security practices and controls are not sufficient to mitigate the risk posed by misconfiguration of the public cloud. Getting API access can be easy if the account credentials of those who manage cloud resources (typically members of the DevOps, development, and IT teams) are compromised. Obtaining credentials need not be very challenging, since these members use various software development kits and dedicated command-line tools to reach the APIs. Even if an organization's private subnet is not open to the Internet, the researchers point out, its cloud APIs can still be reached from the Internet by anyone holding the right API key. Cloud provider tools, for example the command-line interface (CLI) tools, save user credentials in a file that is typically stored locally on the individual's workstation. Traditional protections focus primarily on network, application, and operating system defense, and companies' protection and mitigation techniques are in essence reactive rather than predictive. Many popular defense techniques focus on specific attack vectors, such as brute-force protection for cloud apps against password-spray tools or AWS reconnaissance tools. Post-breach defense is usually based on analysis of user activity and machine learning algorithms. Organizations can protect themselves from such attacks by following the best-practice guides from cloud providers. Large and complex organizations need to constantly monitor attack paths, since they often have trouble tracking and monitoring permissions across large cloud infrastructures.


Officials have warned about a USB charger scam

Travelers have been advised to refrain from using public USB charging ports because they may deliver malware. Known as ‘juice jacking’, the USB charger scam involves criminals loading malware into charging cables or stations that they leave plugged in at public USB ports. USB connections were designed from the start to carry data as well as power, and attackers exploit this to load malware onto devices while the victim believes that only electrical power is being transferred. Over the years, researchers have presented many proof-of-concept exploits. At the Black Hat 2013 security conference, a malicious USB wall charger that could deploy malware on iOS devices was presented; this proof-of-concept charger was named Mactans. Another proof of concept is an Arduino-based device called KeySweeper, which pretends to be a USB wall charger and can sniff, decrypt, and log keystrokes from any Microsoft wireless keyboard in the vicinity. There are several other ways a legitimate-looking USB device can be abused to launch cyberattacks. To reduce the risk: use an AC power outlet instead of a USB charging station; carry AC and car chargers for your devices when traveling; consider investing in a portable charger for emergencies; and consider a USB cable that allows only power transmission, not data transmission.


Edited and compiled by cyber security specialist James Aguilan.