Security News

Throughout 2019, Radware’s Threat Research Center (TRC) and Emergency Response Team (ERT) have been monitoring and defending against an increasing number of TCP reflection attacks.

TCP reflection attacks, such as SYN-ACK reflection attacks, were less popular among attackers until recently. The lack of popularity was mainly due to the mistaken assumption that TCP reflection attacks cannot generate enough amplification compared to UDP-based reflections. In general, TCP attacks are low bandwidth and less likely to saturate an internet link. Instead, TCP attacks are leveraged to generate high packet rates (increased volumes of Packets Per Second – PPS) that require large amounts of resources from network devices to process the traffic, causing outages.


Over the last two years, there has been a steady growth in attackers leveraging TCP reflection attacks. In a TCP SYN-ACK reflection attack, an attacker sends a spoofed SYN packet, with the original source IP replaced by the victim’s IP address, to a wide range of random or pre-selected reflection IP addresses. The services at the reflection addresses reply with a SYN-ACK packet to the victim of the spoofed attack. While a normal three-way handshake would deliver a single SYN-ACK packet to the victim, when the victim never responds with the final ACK the reflecting service keeps retransmitting the SYN-ACK packet, resulting in amplification.

The amount of amplification depends on the number of SYN-ACK retransmits by the reflection service, which is typically governed by a configurable parameter. The default setting for Linux systems (the net.ipv4.tcp_synack_retries kernel variable) is five, while the documentation advises against settings higher than 255. Independent research into the behavior of a multitude of systems and devices on the internet exposed more than 4.8 million devices vulnerable to an average amplification factor of 112x, and thousands of hosts that could be abused for amplification up to a factor of almost 80,000x, reflecting more than 5,000 packets within 60 seconds and causing a serious impact on a victim’s network.
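A defender-side check for the pattern described above, written as an added example (not code from Radware’s article): it scans constructed packet records for SYN-ACKs that arrive at a protected host without a matching outbound SYN, counts them per reflector, and derives the per-SYN amplification. The protected address, the reflector addresses and the thresholds are assumptions.

```python
"""Detect unsolicited SYN-ACK floods (TCP SYN-ACK reflection) in a packet log.

Added example, not part of the original article. A SYN-ACK arriving at a
protected host is 'unsolicited' when that host never sent a SYN to the
sender; many such packets, retransmitted by many sources, is the reflection
pattern described in the text.
"""
from collections import defaultdict

PROTECTED = {"203.0.113.10"}  # assumed victim-side address (constructed)

# Constructed packet records: (time_s, src, dst, tcp_flags)
PACKETS = [
    (0.0, "203.0.113.10", "198.51.100.5", "S"),    # legitimate outbound SYN
    (0.1, "198.51.100.5", "203.0.113.10", "SA"),   # expected reply, not a hit
    (1.0, "192.0.2.1", "203.0.113.10", "SA"),      # reflector 1: SYN-ACK plus
    (2.0, "192.0.2.1", "203.0.113.10", "SA"),      # retransmits (exponential
    (4.0, "192.0.2.1", "203.0.113.10", "SA"),      # backoff, as Linux does)
    (8.0, "192.0.2.1", "203.0.113.10", "SA"),
    (1.0, "192.0.2.2", "203.0.113.10", "SA"),      # reflector 2
    (3.0, "192.0.2.2", "203.0.113.10", "SA"),
    (7.0, "192.0.2.2", "203.0.113.10", "SA"),
]


def unsolicited_synacks(packets, protected):
    """Return {reflector_ip: count} of SYN-ACKs with no prior outbound SYN."""
    sent_syn = set()          # (protected_host, peer) pairs we actually opened
    hits = defaultdict(int)
    for _ts, src, dst, flags in sorted(packets):   # process in time order
        if src in protected and flags == "S":
            sent_syn.add((src, dst))
        elif dst in protected and flags == "SA" and (dst, src) not in sent_syn:
            hits[src] += 1
    return dict(hits)


def amplification_factor(hits):
    """Average SYN-ACKs the victim receives per spoofed SYN.

    Each reflector was sent exactly one spoofed SYN, so its unsolicited
    SYN-ACK count is its amplification; the mean is the attacker's yield."""
    return sum(hits.values()) / len(hits) if hits else 0.0


def is_reflection_flood(hits, min_reflectors=2, min_retransmits=2):
    """Flag when several distinct sources each retransmit an unsolicited SYN-ACK."""
    return sum(1 for c in hits.values() if c >= min_retransmits) >= min_reflectors
```

Lowering net.ipv4.tcp_synack_retries on hosts you administer reduces how much each of them can be made to reflect; the detector above is for spotting when your own addresses are the victim.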


A ransomware attack hitting several computer systems at the Brooklyn Hospital Center in New York caused the permanent loss of some patients’ data.

The hospital tried to recover the data but all efforts were in vain. This indicates that a ransom for decrypting the files was not paid.

Medical records unrecoverable

The attack occurred in late July but the hospital acknowledged it publicly only last week, following what the institution calls “an exhaustive investigation,” and after undertaking “diligent remediation efforts.”

Attempts to recover the encrypted records, however, remained fruitless, the hospital says in a public notification. Not all patients are affected by the incident, but there is no estimate of how many are.

“On September 4, 2019, the investigation confirmed that due to the malware, and despite exhaustive efforts by the Hospital to recover the data, certain patient data was unrecoverable.”

The unrecoverable information includes names and certain dental or cardiac images. The hospital highlights that the investigation did not find any evidence that the data was exfiltrated from its systems or otherwise misused.

Ransomware attacks are about encrypting information, not stealing it, and demanding money in exchange for the decryption key.

In this case, the hospital did not provide any details about the ransomware strain used in the attack or the money demanded by cybercriminals.


Data Breach

Data breach lookup site Have I Been Pwned has added the stolen data from the StreetEasy and Sephora data breaches to their engine so that users can check if their information was exposed.

According to HIBP, StreetEasy was hit with a data breach in June 2016 that disclosed the information of close to 1 million users. This information included email addresses, names, passwords, and usernames:

“In approximately June 2016, the real estate website StreetEasy suffered a data breach. In total, 988k unique email addresses were included in the breach alongside names, usernames and SHA-1 hashes of passwords, all of which appeared for sale on a dark web marketplace in February 2019. The data was provided to HIBP by a source who requested it be attributed to “JimScott.Sec@protonmail.com”.”

HIBP also stated that Sephora Southeast Asia was breached in January 2017 and the data of 780,073 customers was stolen. The stolen data included customers’ dates of birth, email addresses, ethnicities, genders, names, and physical attributes:

“In approximately January 2017, the beauty store Sephora suffered a data breach. Impacting customers in South East Asia, Australia and New Zealand, 780k unique email addresses were included in the breach alongside names, genders, dates of birth, ethnicities and other personal information. The data was provided to HIBP by a source who requested it be attributed to “JimScott.Sec@protonmail.com”.”

The data for both of these breaches has been seen being sold and traded on online hacker forums.

Using this data, attackers can attempt to gain access to an affected user’s other accounts through the use of credential stuffing. Credential stuffing is when attackers try to access accounts at sites using the credentials disclosed in data breaches from other sites.

Because of this, it is strongly advised that everyone use a unique password at every site where they register an account. This way, if one site is hacked and customer information is stolen, it won’t affect the other sites where you have an account.

Checking if you are in the breaches

If you are a customer of either of these companies and did not receive a notification or you are concerned your information is part of the breach, you can now check on the Have I Been Pwned site.

To do this, simply go to https://haveibeenpwned.com and enter your email address in the search field and click on the pwned? button.

HIBP Search

The site will check its databases for your email address and list any data breaches that are being monitored for your information.

Malware, or a computer virus, can infect your computer in several different ways, but one of the most common delivery methods is a malicious file attachment sent over email that executes the malware when you open it.

Therefore, to protect its users from malicious scripts and executables, Microsoft is planning to blacklist 38 additional file extensions by adding them to its list of file extensions that are blocked from being downloaded as attachments in Outlook on the Web.

Previously known as Outlook Web Application or OWA, “Outlook on the Web” is Microsoft’s web-based email client for users to access their emails, calendars, tasks and contacts from Microsoft’s on-premises Exchange Server and cloud-based Exchange Online.

The list of blocked file extensions currently has 104 entries, including .exe, .url, .com, .cmd, .asp, .lnk, .js, .jar, .tmp, .app, .isp, .hlp, .pif, .msi, .msh, and more.
