DDoS attacks are back, stronger than ever
According to recent annual reports from content delivery networks and DDoS mitigation providers, 2020 was a record-breaking year for DDoS attacks in the number of attacks, their size, and the number of attack vectors used. Akamai attributes the resurgence largely to the COVID-19 lockdowns: it saw three of the six largest volumetric DDoS attacks on record in February, and more attacks exceeding 50 Gbps in the first three months of 2021 than in all of 2019. The company estimates that attacks above 50 Gbps can take down most online services that do not have DDoS mitigation in place.
Proof of concept exploit released for wormable Windows vulnerability
The flaw, tracked as CVE-2021-31166 and rated critical, was discovered internally by Microsoft and patched in its May 2021 Patch Tuesday updates. It affects the HTTP Protocol Stack (http.sys), requires neither authentication nor user interaction, and only impacts recent versions of Windows 10 and Windows Server. Researcher Axel Souchet released a proof-of-concept exploit last weekend. His PoC does not achieve remote code execution; it shows how an attacker can use the flaw to cause a denial-of-service condition on the target by sending it specially crafted packets. Because http.sys backs Windows HTTP listeners other than IIS as well, such as WinRM, unpatched hosts that are not web servers can still be reachable if they expose such a listener.
Tech audit of Colonial Pipeline found ‘glaring’ problems in 2018
An outside audit three years ago found "atrocious" information management practices and "a patchwork of poorly connected and secured systems," according to The Associated Press. Consultant Robert F. Smallwood stated in his 89-page report, delivered in January 2018 after a six-month audit, that "an eighth-grader could have hacked into that system." Colonial said last Wednesday that since 2017 it has hired four independent firms for cybersecurity risk assessments and increased its overall IT spending by more than 50%, although it would neither specify an amount nor identify the firms involved.
In a brief follow-up to the Colonial story, its internal server that runs the communication system that shippers use to track fuel shipments experienced intermittent disruptions on Tuesday. Colonial blamed this on “hardening efforts that are ongoing and part of our restoration process. These issues were not related to the ransomware or any type of reinfection.”
Thanks to our episode sponsor, Trend Micro
Amazon’s Ring: the largest civilian surveillance network the US has ever seen
One in ten US police departments can now access video from millions of privately owned home security cameras without a warrant. Since Amazon bought Ring in 2018, it has brokered more than 1,800 partnerships with local law enforcement agencies, and the number continues to grow. Ring's quarterly reported numbers show that in the year through the end of April 2021, law enforcement agencies made more than 22,000 individual requests for content captured and recorded by Ring cameras. An estimated 400,000 Ring devices were sold in December 2019 alone, before the across-the-board boom in online retail sales during the pandemic.
Magecart goes server-side in latest changeup
Magecart Group 12, known for skimming payment information from online shoppers, is still "very active," according to a new report from Malwarebytes Labs' Threat Intelligence Team. The credit-card skimmer group is now using PHP web shells to gain remote administrative access to compromised stores and steal card data. The web shell is disguised as a favicon (shortcut icon): the file carries an image name but contains PHP code, and it injects the skimmer into pages on the server side rather than loading it from the client side. That makes it harder to detect and block with tools that only inspect the JavaScript a browser loads or block known skimmer domains.
70 European and South American banks under attack by Bizarro malware
The campaign tricks users into entering two-factor authentication codes into fake pop-up windows, which forward them to the attackers, and uses social-engineering lures to get visitors to banking websites to download a malicious smartphone app. Bizarro is hosted on compromised WordPress, Amazon, and Azure servers. Researchers at Kaspersky said, "the threat actors are adopting various technical methods to complicate malware analysis and detection, as well as tricks that can help convince victims to provide personal data related to their online banking accounts."
Russian spy chief places SolarWinds blame on US and Britain
In an interview broadcast by the BBC yesterday, Sergei Naryshkin, head of Russia's SVR foreign intelligence agency, said he was flattered by the accusation of Russian involvement in SolarWinds given the sophistication of the hack, but pointed to reporting based on documents leaked by Edward Snowden that, he said, "proved" American spies had deliberately weakened a default random number generation algorithm used in RSA products about a decade ago. Observers of the interview suggest this was disinformation practice rather than a serious rebuttal. After the SolarWinds attack, Kaspersky Lab found code overlaps suggesting the Turla malware crew, thought to have links to the SVR's sister agency the FSB, might have been involved. On top of that, FireEye itself made public some of the Russian cyber units' tactics, techniques, and procedures, a move echoed post-attribution by the UK's National Cyber Security Centre.