With so much cybersecurity news flying around, it is hard to keep track of the bigger stories that emerged. Here is the GFI security round-up of the three top cybersecurity stories of March 2018.
GitHub: Biggest DDoS attacks ever hit targets with epic floods of traffic
The month opened with news of a massive Distributed Denial of Service (DDoS) attack on the popular code repository GitHub. The attack directed up to 1.35 terabits per second of traffic at the site, knocking it offline for a short period on February 28.
Within a few days this record was reportedly broken, as a second attack targeted customers of an unnamed US service provider with 1.7 Tbps.
The unprecedented scale of the attacks was largely due to the use of “amplification attack” techniques. Leveraging weak default settings in widely-deployed memcached software, the attackers were able to bounce traffic off servers around the world, increasing its size enormously in the process and focusing the resulting deluge directly on their targets.
Amplification techniques have been a growing trend for a while now, and found an ideal conduit in memcached. The open-source software is widely used to accelerate web databases by caching data in memory, hence the name.
Sending the right requests to servers running the software can produce responses that are far larger than the request, over 50,000 times larger in some cases. For comparison, the largest amplification attacks previously seen, which used NTP servers, achieved amplification of around 550 times. By spoofing the source IP address so that the requests appear to come from the intended target, attackers have these oversized responses delivered to the target instead of themselves, amplifying and directing the attack.
An updated version of memcached, which addresses the problem by turning off UDP by default, was released the same day. But with thousands of servers running memcached, many of them clearly not configured as carefully as they should be, it looks likely to remain a useful component of attackers’ toolkits for some time to come.
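As an added example (not code from the GFI article), here is a small Python check that a memcached operator could run over exported flow records to see whether the server is being abused as a reflector: it pairs the tiny inbound UDP requests to port 11211 with the outbound replies per peer and flags anything with an absurd byte ratio. The flow format, IP addresses, internal ranges and alert threshold are all constructed for the example.

```python
# Added example, not from the GFI article: flag a memcached host being used as a UDP
# reflector by comparing, per external peer, bytes sent to UDP/11211 with bytes returned.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records: proto,src_ip,src_port,dst_ip,dst_port,packets,bytes
SAMPLE_FLOWS = """\
udp,198.51.100.7,49152,10.0.0.5,11211,20,300
udp,10.0.0.5,11211,198.51.100.7,49152,15000,21000000
udp,203.0.113.9,40000,10.0.0.5,11211,5,75
udp,10.0.0.5,11211,203.0.113.9,40000,3500,4900000
tcp,10.0.0.5,11211,10.0.0.20,51000,40,12000
udp,10.0.0.5,11211,10.0.0.21,38000,3,600
"""
MEMCACHED_PORT = 11211
RATIO_ALERT = 1000  # far below the 50,000x the article cites; anything this lopsided is suspect
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # constructed; use your own ranges

def parse_flows(text):
    """Parse the CSV-style lines into dicts, skipping blank lines."""
    rows = []
    for line in filter(str.strip, text.splitlines()):
        proto, src, sport, dst, dport, pkts, nbytes = line.split(",")
        rows.append({"proto": proto, "src": src, "sport": int(sport), "dst": dst,
                     "dport": int(dport), "packets": int(pkts), "bytes": int(nbytes)})
    return rows

def reflection_suspects(flows, server_ip):
    """Return {peer_ip: amplification_ratio} for external peers whose UDP replies from
    server_ip:11211 dwarf what they sent; with a spoofed source, that 'peer' is the victim."""
    sent_to, received_from = defaultdict(int), defaultdict(int)
    for f in flows:
        if f["proto"] != "udp":
            continue  # the amplification vector is UDP; TCP's handshake defeats source spoofing
        if f["src"] == server_ip and f["sport"] == MEMCACHED_PORT:
            sent_to[f["dst"]] += f["bytes"]
        elif f["dst"] == server_ip and f["dport"] == MEMCACHED_PORT:
            received_from[f["src"]] += f["bytes"]
    suspects = {}
    for peer, out_bytes in sent_to.items():
        if any(ip_address(peer) in net for net in INTERNAL_NETS):
            continue  # internal clients; a cache should never answer UDP from the internet anyway
        ratio = out_bytes / max(received_from.get(peer, 0), 1)  # no request seen: count it as 1 byte
        if ratio >= RATIO_ALERT:
            suspects[peer] = round(ratio)
    return suspects

if __name__ == "__main__":
    for peer, ratio in reflection_suspects(parse_flows(SAMPLE_FLOWS), "10.0.0.5").items():
        print(f"{peer}: replies ~{ratio}x larger than its requests; probable spoofed victim")
```

On a build older than the fix described above, the same exposure is closed by starting memcached with its UDP listener disabled (the -U 0 option) and binding it to an internal address only.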
Facebook gets grilled for privacy problems
Perhaps the biggest story of March, thanks to the media collaboration between the New York Times in the US and the Guardian and the Observer in the UK, was how the sensitive data of 50 million people collected by Facebook was shared with so-called “research firm” Cambridge Analytica.
Cambridge Analytica analyzes social network data in order to create personality profiles for voters.
Cambridge Analytica allegedly used this vast coffer of private info to target specific groups of people with ads designed to sway political opinion.
The accusation is that this data, most of which was snaffled up off Facebook without user consent, was used in the 2016 US presidential election.
And it all started with an online Facebook quiz.
Only a few hundred thousand people took part in the quiz issued on Facebook by Cambridge Analytica. The fine print at the time indicated that the app would scoop up the personal data of the participant in exchange for access to the quiz.
The major problem here is that Cambridge Analytica was somehow able to leverage security loopholes that allowed the so-called research firm to harvest not only all the information of each Facebook quiz participant, but also that of every single person the participant was “friends” with, all without the “friend’s” permission.
The story got very big very quickly, grabbing headlines everywhere, and was followed up with further articles featuring users complaining that the process for deleting accounts was obfuscated, or revelations that Android users who installed the Facebook app could have been sharing call data with Facebook on every single call they made.
Unsurprisingly, Facebook has been dealing with a lot of heat from this massive privacy problem. Stock prices have been plummeting, Facebook investors are suing the social goliath, and users are deleting the app in droves.
And the biggest irony of all: as Facebook’s main man Mark Zuckerberg tries to acknowledge the “numerous mistakes” that led to this mess, the company is also funding a campaign to block a California data-privacy measure.
While not exactly a breach, the affair has raised huge questions about what individuals should expect when using online services.
Atlanta and the SamSam ransomware attack
At the end of March, a cyberattack on Georgia’s capital city of Atlanta caused widespread problems and outages. The city continues to deal with the massive aftermath left by this attack.
Reports say that malicious attackers installed SamSam ransomware on city systems in order to hold municipal services hostage. The intrusion started in the early hours of March 22, and many city computer systems remained out of action for a week.
City services affected by the outage included everything from water service requests to prison inmate processing, court fee payments and online payment systems. Multiple city departments were affected, reported Reuters. Police and other officials have had to turn to hand-written reports.
The SamSam attack differs from other common ransomware infiltration methods, which tend to use social engineering tricks on staff members to get the initial foot in the door, usually by luring victims to web pages booby-trapped with malware.
SamSam, first seen in 2015, is a more sophisticated, targeted threat, in which the malicious operators first find a foothold in their victim’s networks using vulnerabilities in out-of-date network software. Once inside, they explore the network and spread out to control any systems they can find and hijack.
Atlanta’s mayor urged anyone with personal information stored in city information systems to check their financial records, as an investigation continues into the ransomware attack on the city.
City staff have told reporters that the attackers were demanding 6 bitcoins, around $51,000, to unlock the encrypted data. Atlanta mayor Keisha Lance Bottoms, who took office in January, told a press conference “This is really an attack on our government, which means it’s an attack on all of us.”
The Federal Bureau of Investigation, Department of Homeland Security and Secret Service are involved in investigating the cyberattack on Atlanta, assisted by private security firms, and local university Georgia Tech is also said to be lending a hand.
Ransomware brings whole companies to a halt, so it is very important to have solutions in place to stop it in its tracks. In the case of SamSam, a patch management solution such as GFI LanGuard would have prevented a lot of headaches by keeping software up to date. Other GFI solutions, such as GFI WebMonitor, which monitors all downloads and prevents malicious downloads from making their way into the victim’s systems, and an email hygiene solution such as GFI MailEssentials, are the best way to keep ransomware at bay. With GFI Unlimited you would be able to have all three solutions for one affordable price per unit. The price will also include all other GFI solutions. Check out GFI Unlimited today and see how this new era of software subscription can help save you time and money.