
Researchers Find an Akamai WAF Access Point

Researchers bypassed an Akamai web application firewall (WAF) protecting a Spring Boot-based application, a bypass that could result in remote code execution (RCE).

Akamai's WAF uses adaptive technologies to block known web security threats and was modified a few months ago to reduce the risk of Distributed Denial-of-Service (DDoS) attacks.

According to security researcher Peter M., better known by the alias 'pmnh', the exploit relied on Spring Expression Language (SpEL) injection. Usman Mansha and the analyst Peter H. said that Akamai has since corrected the vulnerability, which was not assigned a CVE number.

"This was the second RCE via SSTI we identified on this program, after the first one, the program added a WAF which we were able to overcome in a different portion of the application," the GitHub write-up of the Akamai WAF RCE read.

Access Point for WAF

The most straightforward way to reach the java.lang.Runtime class was the SpEL reference $T(java.lang.Runtime); however, Akamai's software blocked this.

The next step was to find a way to reference an arbitrary class. Peter M., a technical writer, said that this would allow the desired method to be reached either directly or through reflection.

Peter M. and Mansha constructed an arbitrary String via java.lang and used reflection to reach Class.forName, thereby gaining access to runtime values through java.lang.

A second string was built to reach java.lang.Runtime and the Runtime.getRuntime method, which allowed a working RCE payload to be assembled. Because the final payload was under 3 KB, the server accepted it as a GET request.

The WAF was still a difficult obstacle to overcome. According to Peter M., finding a way in took more than 14 hours and roughly 500 hand-crafted attempts. To discourage blatant copycats, the researcher chose not to publish the final payload in text form.


Akamai Sighted an Evolving DDoS attack in EU


Akamai's previous DDoS attack record, observed in July, was surpassed on Monday, September 12, by a fresh attack.

In a DDoS attack, cybercriminals flood servers with fictitious requests and traffic to block legitimate users from using their services.

According to the cybersecurity and cloud services provider Akamai, the recent attack looks to be the work of the same threat actor, indicating that the operators are now strengthening their swarm.

European businesses were the main targets of the latest attack, according to Akamai. It peaked at 704.8 million packets per second, making it the second attack of this size against the same customer in as little as three months and around 7% more powerful than the July attack.

Prior to June 2022, this customer primarily saw attack traffic against its principal data center, according to Craig Sparling of Akamai. This time the threat actors' firepower hit six data center locations in Europe and North America.

The attack was stopped the day after it was discovered. While not the largest DDoS attack ever, it was notable as the largest against European organizations. The attackers' DDoS vectors included UDP, ICMP, SYN and RESET floods, TCP anomalies, and PUSH floods.

The attackers' command-and-control system launched the multi-destination attack immediately, increasing the number of active source IPs per minute from 100 to 1,813 within 60 seconds.

Widening the target set in this way aims at resources that are not deemed essential and are less well protected, but whose loss would still be disruptive for the company.

In the campaign it reported in July, the company saw 74 DDoS attacks, and 200 or more were added later. The company said this campaign shows how attackers continually refine their methods to evade detection.

However, because the targeted organization had protected all 12 of its data centers in response to the July incident, 99.8% of the malicious traffic was pre-mitigated.

Akamai concluded that having a solid DDoS mitigation platform and plan in place is essential for protecting a company from disruption and downtime.

Safeguarding From Container Attacks Inside the Cloud


As an alternative to virtualization, containerization has become a key trend in software development. It entails packaging software code together with all of its dependencies so that it runs consistently across any infrastructure. Containers are self-contained, portable units that represent whole software environments: they include everything a program needs to run, including binaries, libraries, configuration data, and references. Docker and Amazon Elastic, for example, are two of the better-known choices.

Although many containers can run on the same infrastructure and share the same operating system kernel, they are isolated from that layer and have only a small interface with the actual hosting elements, for instance a public cloud instance. The ability to spin apps up and down for users instantly is one of the many advantages of running cloud-based containers. Admins can use orchestration to centrally manage containerized apps and services at scale, for example rolling out automatic updates and isolating any malfunctioning containers.

Container adoption is at an all-time high, and businesses of all sizes worldwide are eager to jump on board. According to a poll by the Cloud Native Computing Foundation (CNCF), 83 percent of respondents planned to use Kubernetes in production in 2020, up from 78 percent the year before and just 58 percent in 2018. As adoption grows, so does cybercriminals' interest: according to a June Red Hat study, 94 percent of respondents experienced a Kubernetes security problem in the last 12 months.

Larry Cashdollar, an Akamai security researcher, recently set up a basic Docker container honeypot to see what kind of attention it would attract from cybercriminals on the wider internet. The results were alarming: in just 24 hours, the honeypot was used in four different malicious campaigns. Cashdollar had enabled SSH and set a "guessable" root password. Because it ran a typical cloud container configuration, he explained, it would not stand out as an obvious honeypot; instead it would look like a vulnerable cloud instance. The attacks had a variety of objectives: one campaign aimed to use the container as a proxy to access Twitch feeds or other services, another attempted a botnet infection, a third attempted crypto mining, and the fourth attempted a work-from-home hoax.

"Profit is still the key motivator for cybercriminals attacking containers," as these cases demonstrate, according to Mark Nunnikhoven, a senior cloud strategist at Lacework. "CPU time and bandwidth can be rented to other criminals for buried services, or even used to directly mine cryptocurrencies. Data can be sold or ransomed at any time. In an environment where containers are frequently used, these reasons do not change." 

According to a recent Gartner study, customer misconfigurations or mistakes will be the primary cause of more than 99 percent of cloud breaches by 2025. According to Trevor Morgan, product manager at comforte AG, most businesses, particularly smaller ones, rely on default configuration options rather than more advanced and granular setup capabilities: "Simple errors or selecting default settings that are far less safe than customized options." Configuration problems typically go beyond the containers themselves. Last July, for example, misconfigured Argo Workflows servers were detected being used to attack Kubernetes clusters.

Argo Workflows is an open-source, container-native workflow engine for coordinating parallel activities on Kubernetes to reduce processing time for compute-intensive tasks such as machine learning and large data processing. 

According to an analysis by Intezer, malware operators were using publicly exposed dashboards that required no authentication for outside users to drop crypto miners into the cloud. After misconfiguration, compromised images or layers are the next most serious threat to containers, according to Nunnikhoven. "Lacework Labs has witnessed multiple instances of cybercriminals infiltrating containers, either through malware implants or pre-installed crypto mining apps," he said. "When a group deploys the pictures, the attacker has access to the victim's resources."

Gal Singer, an Aqua Security researcher, described a flaw (CVE-2020-15157) in the container image-pulling process. Adversaries could exploit it by crafting dedicated container images that stole the host's token when they were pulled into a project. Similarly, a denial-of-service vulnerability in one of Kubernetes' Go libraries (CVE-2021-20291) could be exploited by storing a malicious image in a registry; when an unwary user pulled the image from the registry, the DoS condition was triggered.

The second source of concern is vulnerabilities, both known and unknown. Several container flaws were discovered in 2021, but "Azurescape" was probably the most alarming. Within Microsoft's multitenant container-as-a-service offering, Unit 42 researchers found an exploit chain that could allow a malicious Azure user to compromise other customers' cloud instances.

Containerized environments pose distinct challenges for observability and security controls, according to Nunnikhoven, but a comprehensive security approach can help. Researchers recommended a list of best practices for securing Kubernetes assets:

  • Avoid default settings; use strong passwords.
  • To prevent attackers from impersonating the token owner, do not send privileged service account tokens to anything other than the API server.
  • Enable the "BoundServiceAccountTokenVolume" feature: when a pod ends, its token becomes invalid, reducing the risk of token theft.
  • Review orchestrators for least-privilege settings, and verify that CI/CD activity is authenticated, logged, and monitored.
  • Be comprehensive: build a unified risk picture that covers both cloud-based applications and traditional IT infrastructure.
  • Have data-analysis tooling in place, along with an automated runbook that can react to its findings.

Bogus "Amazon Crypto Token" Investment Scam Robs Users of Bitcoin


Investors are being misled into handing over Bitcoin (BTC) in a new cryptocurrency fraud. Scams involving cryptocurrency and digital tokens have become commonplace, posing a risk to potential buyers.

Exit scams, rug pulls, and theft remain common, even though regulators around the world are cracking down on fraud through tax laws, securities offering registration, tougher rules governing cryptocurrency advertisements, and close scrutiny of initial coin offerings (ICOs). The growing popularity of cryptocurrencies and NFTs creates a breeding ground for new frauds to emerge on a regular basis.

Using Amazon's branding to promote a bogus scheme entitled "Amazon to produce its digital token," cybercriminals lure users into giving away private credentials from the very first step of the campaign.

According to Akamai researchers, the ongoing attacks have profited from the cryptocurrency hype, with scammers using a range of phishing methods built on false rumors. "This particular fraud preyed on consumers' fear of missing out on a special offer to participate in a new cryptocurrency opportunity". Furthermore, according to Chainalysis, fraudsters received around $14 billion in deposits in 2021.

Visitors were asked to buy the pre-sale tokens with their own cryptocurrency, such as Bitcoin (BTC) or Ethereum (ETH). Since the tokens are not real, the funds ended up in the hands of criminals.

Another enticement is a referral program that lets the attackers widen the reach of the token fraud with no further effort. Overall, the majority of visitors to the fake token landing pages (98 percent) used mobile devices. The split of mobile operating systems favors Android handsets (56 percent), with Apple iOS second (42 percent). North America, South America, and Asia account for the vast majority of victims.

To avoid falling victim to fraud like this, users are advised to take the following precautions:

  • Be wary of cryptocurrency marketing and social media posts.
  • Before submitting information or making a purchase, double-check URLs and websites.
  • Don't be swayed by high-pressure tactics such as "flash sales," "just a few left," or "buy now."
  • Look for legitimate sources when researching what to buy.
  • When you see scam ads or posts, report them so they can be removed from social media.
  • Stay alert, and don't believe everything you read.

It is also essential to avoid chatting with random commenters or accepting unsolicited invitations from strangers, especially now that social media-based communication has become so heavily used during the pandemic.

Log4j Attacks Target SolarWinds and ZyXEL


According to reports published by Microsoft and Akamai, cybercriminals are targeting SolarWinds devices via the Log4Shell vulnerability, and ZyXEL is known to use the Log4j library in its software.

Attacks against SolarWinds and ZyXEL devices involving the Log4j library have been reported by Microsoft and Akamai. The vulnerability, assigned CVE-2021-35247, has been paired with a zero-day in the SolarWinds Serv-U file-sharing service.

According to Microsoft's Threat Intelligence Center (MSTIC), the SolarWinds vulnerability, tracked as CVE-2021-35247, is an input validation flaw that could allow attackers to build a query from supplied data and send it across the network without sanitization.

Jonathan Bar-Or, a Microsoft security researcher, is credited with identifying the flaw, which affects Serv-U versions 15.2.5 and earlier; SolarWinds patched it in Serv-U version 15.3. "A closer look helped discover the feed Serv-U data and it generates an LDAP query using the user unsanitized input!" he said. This could be abused not only in Log4j attacks but also for LDAP injection.

SolarWinds said in its advisory that the Serv-U web login screen for LDAP authentication allowed characters that were not properly sanitized, and that it had modified the input mechanism "to do further validation and sanitization." According to a SolarWinds official, the attacker cannot log in to Serv-U, and the Microsoft researcher was referring to failed attempts, because Serv-U does not use Log4j code.
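As an added illustration (not code from Serv-U, SolarWinds or Microsoft), the snippet below contrasts an LDAP login filter built from raw input with one that applies the RFC 4515 escaping that "further validation and sanitization" of the login field implies; the attribute names, filter shape and sample inputs are assumptions for the demonstration.

```python
# Added example, not code from Serv-U, SolarWinds or Microsoft. It shows why
# splicing raw login input into an LDAP search filter is dangerous and how
# RFC 4515 escaping closes the hole. Attribute names and inputs are assumed.

# RFC 4515 section 3: these characters must be hex-escaped inside a value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it can only be matched, never parsed."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unsafe_login_filter(username: str) -> str:
    """Vulnerable pattern: user input becomes part of the filter grammar."""
    return f"(&(objectClass=user)(sAMAccountName={username}))"


def safe_login_filter(username: str) -> str:
    """Hardened pattern: the value is escaped before it enters the filter."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(username)}))"


def count_assertions(filt: str) -> int:
    """Count parentheses that are real filter syntax, skipping \\XX escapes."""
    n, i = 0, 0
    while i < len(filt):
        if filt[i] == "\\":
            i += 3          # backslash plus two hex digits
            continue
        if filt[i] == "(":
            n += 1
        i += 1
    return n


def structure_preserved(build, username: str) -> bool:
    """True if the filter built from `username` has the same shape as for 'alice'."""
    return count_assertions(build(username)) == count_assertions(build("alice"))


if __name__ == "__main__":
    # Constructed hostile input: closes the username assertion and adds a wildcard one.
    hostile = "*)(objectClass=*"
    for build in (unsafe_login_filter, safe_login_filter):
        print(build.__name__, structure_preserved(build, hostile), build(hostile))
```

The unsafe builder lets the input add a fourth assertion to the filter, while the escaped builder keeps the three-assertion shape for any input, which is the property a login form needs.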

The unauthenticated remote code execution (RCE) vulnerability in Log4j, tracked as CVE-2021-44228, has also been repurposed to infect Zyxel networking equipment and help spread malware used by the Mirai botnet, according to Akamai researchers. By the time the researchers tried to retrieve the Java payload class, the LDAP server hosting the exploit was no longer active. Zyxel was reportedly singled out because it had published an article stating that it was affected by the Log4j flaw.

The situation around Log4Shell has not changed since last month, and threat actors looking to gain access to corporate networks continue to target and exploit the vulnerability. Ransomware gangs, nation-state cyber-espionage groups, crypto-mining gangs, initial access brokers, and DDoS botnets have all been reported exploiting it. Although the Apache Software Foundation has issued patches for the Log4j library, threats against applications that use it are likely to persist because not all of those applications have shipped security updates, leaving many systems vulnerable and creating a breeding ground for exploitation that will last for years.

Global Outage Disrupts the Services of Major Websites


Several major websites faced outages on Thursday due to a glitch in Akamai Technologies Inc's (AKAM.O) systems, the second widespread outage linked to the cloud company in two months. Affected websites included DraftKings, Airbnb, FedEx, Delta, Barclays, and the PlayStation network used for online games. 

"We have implemented a fix for this issue, and based on current observations, the service is resuming normal operations," Akamai tweeted. 

The disruption was caused by a flaw in Akamai's domain name system (DNS) service, which is designed to keep websites, apps, and services running smoothly and securely; the flaw was triggered during a software update and the outage lasted up to an hour.

DNS services play a vital role in the functioning of the internet, but are known to have bugs and can be easily exploited by threat actors. Companies like Akamai have designed their own DNS services that are meant to solve some of these problems for their users. But when things go south or there’s an outage, it can cause a knock-on effect to all of the customer websites and services that rely on it.

Akamai said it was "actively investigating the issue," but when reached, a spokesperson would not say whether its outage was the cause of the disruption to other sites and services that were offline at the time. However, a spokesperson for ThousandEyes, an internet monitoring company bought by Cisco in 2020, attributed the outage to Akamai.

Major internet companies such as Zomato, Paytm, Disney+ Hotstar, Sony LIV were also affected due to issues with Akamai Technologies. Other affected services reported by Internet outage monitoring platform DownDetector included Banks such as Lloyds, TSB, and Halifax, gaming services including Steam, Call of Duty, and EA, and streaming services on Channel 4 and ITV.

In June, cloud computing provider Fastly suffered a service interruption that took down social media, government, and news websites across the globe. In that case, it later emerged that a settings change by one customer had inadvertently affected the entire infrastructure. Last year Cloudflare, which also offers networking services to companies worldwide, had a similar outage following a flaw that caused major sites to stop loading, including Shopify, Discord, and Politico.