Security News

In a coordinated International law enforcement operation, Europol today announced to shut down the global organized cybercrime network behind Imminent Monitor RAT, yet another hacking tool that allows cybercriminals to gain complete control over a victim’s computer remotely.

The operation targeted both buyers and sellers of the IM-RAT (Imminent Monitor Remote Access Trojan), which was sold to more than 14,500 buyers and used against tens of thousands of victims across 124 countries.

The infrastructure and front-end sale website of the Imminent Monitor have also been seized as part of this operation, making the Trojan unusable for those who already bought it, as well as unavailable for the new users.

Read more »

Microsoft announced that it’s working on adding support for the privacy-focused DNS over HTTPS (DoH) protocol in a future Windows 10 release, while also keeping the addition of DNS over TLS (DoT) on the table.

DoH is designed to allow DNS resolution over encrypted HTTPS connections, while DoT encrypts and wraps DNS queries via the Transport Layer Security (TLS) protocol instead of using plain text DNS lookups.

By adding DoH to the Windows 10 Core Networking, Microsoft wants to boost its customers’ security and privacy on the Internet by encrypting all the DNS queries they make and thus removing the plain-text domain names normally appearing in unsecured web traffic.

“There is an assumption by many that DNS encryption requires DNS centralization. This is only true if encrypted DNS adoption isn’t universal,” Microsoft said.

“To keep the DNS decentralized, it will be important for client operating systems (such as Windows) and Internet service providers alike to widely adopt encrypted DNS.”

Read more »

When it comes to open source software security, nobody could accuse Microsoft-owned development platform GitHub of not thinking big when it came up with the idea for Security Lab.

Launched last week at its GitHub Universe developer conference, the idea sounds simple enough – create a global platform for reporting and fixing security vulnerabilities in open source projects before they do serious damage.

It sounds so obvious, it’s surprising that nobody’s thought of it before. That might have something to do with the size of the job, admitted GitHub’s vice president of security product management in Security Lab’s launch blog:

The JavaScript ecosystem alone encompasses more than a million projects, not helped by the dauting 500:1 ratio of developers to security experts with the knowledge of how to fix things.

Lots of developers crank out vulnerable code, leaving a tiny clean-up squad to pick up the mess of a problem that sprawls across thousands of companies.

Feeling depressed yet? Don’t be – that’s where GitHub’s Security Lab steps in.

To boost credibility, GitHub has already signed up big companies – namely Google, Oracle, Mozilla, Intel, Uber, VMWare, J.P. Morgan, F5, NCC Group, IOActive, Trail of Bits, HackerOne, as well as Microsoft and LinkedIn.

This has already borne fruit, with these companies collectively finding more than 100 CVE-level security vulnerabilities in open source code. Anyone who joins them will qualify for bug bounties of up to $3,000, GitHub said.

Read more »

Throughout 2019, Radware’s Threat Research Center (TRC) and Emergency Response Team (ERT) have been monitoring and defending against an increasing number of TCP reflection attacks.

TCP reflection attacks, such as SYN-ACK reflection attacks, have been less popular among attackers until recently. The lack of popularity was mainly due to the wrong assumption that TCP reflection attacks cannot generate enough amplification compared to UDP-based reflections. In general, TCP attacks are low bandwidth and less likely to saturate an internet link. Instead, TCP attacks are leveraged to generate high packet rates (increased volumes of Packets Per Second – PPS) that require large amounts of resources from network devices to process the traffic and cause outages.


Over the last two years, there has been a steady growth in attackers leveraging TCP reflection attacks. In a TCP SYN-ACK reflection attack, an attacker sends a spoofed SYN packet, with the original source IP replaced by the victim’s IP address, to a wide range of random or pre-selected reflection IP addresses. The services at the reflection addresses reply with a SYN-ACK packet to the victim of the spoofed attack. While your typical three-way handshake might assume for a single SYN-ACK packet to be delivered to the victim, when the victim does not respond with the last ACK packet the reflection service will continue to retransmit the SYN-ACK packet, resulting in amplification.

The amount of amplification depends on the number of SYN-ACK retransmits by the reflection service, which is typically governed by a configurable parameter. The default setting for Linux systems (net.ipv4.tcp_synack_retries kernel variable) is five while the documentation advises against settings higher than 255. Independent research in the behavior of a multitude of systems and devices on the internet exposed more than 4.8 million devices vulnerable to an average amplification factor of 112x and thousands of hosts that could be abused for amplification up to a factor of almost 80,000x, respectively, reflect more than 5,000 packets within 60 seconds, causing a serious impact on a victim’s network.

Read more »

A ransomware attack hitting several computer systems at the Brooklyn Hospital Center in New York caused permanent loss of some patient’s data.

The hospital tried to recover the data but all efforts were in vain. This indicates that a ransom for decrypting the files was not paid.

Medical records unrecoverable

The attack occurred in late July but the hospital acknowledged it publicly only last week, following what the institution calls “an exhaustive investigation,” and after undertaking “diligent remediation efforts.”

Attempts to recover the encrypted records, however, remained fruitless, the hospital informs in a public notification. Not all patients are impacted by the incident but there is no estimation on how many are.

“On September 4, 2019, the investigation confirmed that due to the malware, and despite exhaustive efforts by the Hospital to recover the data, certain patient data was unrecoverable.”

The unrecoverable information includes names and certain dental or cardiac images. The hospital highlights that the investigation did not find any evidence that the data was exfiltrated from its systems or otherwise misused.

Ransomware attacks are about encrypting information, not stealing it, and asking for money in exchange for the decryption key.

In this case, the hospital did not provide any details about the ransomware strain used in the attack or the money demanded by cybercriminals.

Read more »