Security Newsletter

23 November 2020

Network-layer DDoS attack trends for Q3 2020

DDoS attacks are surging — both in frequency and sophistication. After doubling from Q1 to Q2, the total number of network layer attacks observed in Q3 doubled again — resulting in a 4x increase in number compared to the pre-COVID levels in the first quarter.

Here are other key network layer DDoS trends we observed in Q3:

Majority of the attacks are under 500 Mbps and 1 Mpps — both still suffice to cause service disruptions

We continue to see a majority of attacks be under 1 hr in duration

Ransom-driven DDoS attacks (RDDoS) are on the rise as groups claiming to be Fancy Bear, Cozy Bear and the Lazarus Group extort organizations around the world. As of this writing, the ransom campaign is still ongoing. See a special note on this below.

Short burst attacks may attempt to cause damage without being detected by DDoS detection systems. DDoS services that rely on manual analysis and mitigation may prove to be useless against these types of attacks because they are over before the analyst even identifies the attack traffic. Alternatively, the use of short attacks may be used to probe the cyber defenses of the target. In other cases, attackers generate small DDoS attacks as proof and warning to the target organization of the attacker’s ability to cause real damage later on. It’s often followed by a ransom note to the target organization, demanding payment so as to avoid suffering an attack that could more thoroughly cripple network infrastructure. Whatever their motivation, DDoS attacks of any size or duration are not going away anytime soon. Even short DDoS attacks cause harm, and having an automated real-time defense mechanism in place is critical for any online business.

 

Cisco Webex bugs allow attackers to join meetings as ghost users

Now patched by Cisco, three flaws in Webex would have given intruders full access to a meeting without being seen, says IBM.When successfully exploited, IBM researchers said that the bugs would have allowed attackers to: Join a Webex meeting as a ghost without being seen on the participant list with full access to audio, video, chat, and screen sharing capabilities (CVE-2020-3419) Stay in a Webex meeting as a ghost after being expelled from it, maintaining audio connection (CVE-2020-3471) Gain access to information on meeting attendees – including full names, email addresses, and IP addresses – from the meeting room lobby, even without being admitted to the call (CVE-2020-3441)

The researchers were able to successfully demonstrate attacks abusing these Webex bugs on Windows, macOS, and the iOS version of Webex Meetings applications and Webex Room Kit appliance. Mitigating circumstances include the fact that the vulnerabilities can only be exploited if attackers know the URLs of scheduled Webex meetings with unique meeting URLs and Webex Personal Rooms. However, IBM researchers say that "personal rooms may be easier to exploit because they are often based on a predictable combination of the room owner's name and organization name."

Cisco has patched the cloud-based services for Webex, where no user action is required. For customers who run an on premises version of Webex software, the company has issued patches for Webex Meetings Server. Webex users should view the following Common Vulnerabilities and Exposures (CVEs): CVE-2020-3441; CVE-2020-3471; CVE-2020-3419.

 

Ticketmaster Fined $1.7 Million for Data Security Failures

Ticketmaster UK has been fined 1.25 million pounds ($1.7 million) by Britain's privacy watchdog for its "serious failure" to comply with the EU's General Data Protection Regulation. Regulators say the company failed to properly secure chatbot software that it opted to run on a payments page, which attackers subverted, allowing them to steal payment card information. After being alerted to suspected card fraud that traced to its site, Ticketmaster UK allegedly failed to mitigate the problem for nine more weeks.

Ticketmaster UK says it plans to appeal the ruling. The company is a subsidiary of ticket sales and distribution giant Ticketmaster, owned by Live Nation Entertainment, which is based in Beverly Hills, California. The ICO, which launched its investigation in June 2018, says the fine only applies to Ticketmaster's failures following GDPR going into full effect in May 2018. As the investigation concluded before the U.K. left the EU, the ICO says it served as the lead supervisory authority for the EU and that the penalty represents a consensus decision by all data protection authorities across Europe.

The fine announced by the ICO traces to a breach that began in February 2018. Ultimately, the breach exposed personal details - including names, payment card numbers, expiration dates and CVV numbers - for approximately 9.4 million European Ticketmaster customers, including 1.5 million in the U.K. At least 60,000 Barclays Bank cards have been tied to known fraud, the ICO says, while Monzo Bank replaced 6,000 cards after it detected signs of fraudulent use. Security experts say the breach appears to have been tied to groups of attackers - collectively known as Magecart - that implant code on websites that allows them to steal payment card data.

 

More #News

#Breach Log

 

#Patch Time!

 

#Tech and #Tools

This content was created by Kindred Group Security. Please share if you enjoyed!

Kindred Group in brief

Kindred is one of the largest online gambling companies in the world with a diverse team of 1,600 people serving over 26 million customers across Europe, Australia and the US. We offer pre-game and live Sports betting, Poker, Casino and Games through 11 brands across our markets. We are committed to offer our customers the best deal and user experience possible, while ensuring a safe and fair gambling environment. Kindred is a pioneer in the online gambling industry and is an innovation driven company that builds on trust.