Welcome to this week’s edition of the Threat Source newsletter.
Distributed denial-of-service attacks (DDoS) have been around since before I even knew how to turn a computer on.
These types of attacks, I feel, have the same vibe as the term “computer virus” — something we used to talk about in the days of LAN parties and Netscape. But recently they have made a major comeback, with adversaries refining how they launch DDoS attacks and targeting high-profile services and organizations, making headlines in the process.
“Diablo IV,” one of the biggest video games going right now, suffered a DDoS attack over the weekend of June 25, leaving players unable to access the game’s servers and affecting other games developed by Blizzard, such as “World of Warcraft” (another throwback to the days of LAN parties).
Microsoft also recently confirmed that Layer 7 DDoS attacks were responsible for outages in June affecting Azure, Outlook and OneDrive. Anonymous Sudan — a group that may or may not be related to Russia but also claims to be working in the interest of the country of Sudan — claimed responsibility for those attacks.
These recent major DDoS attempts led the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to release an advisory last week warning about the dangers of DDoS attacks. It advises that anyone who suspects they’re the target of a DDoS or DoS attack should “identify the source, and mitigate the situation by applying firewall rules and possibly rerouting traffic through a DoS protection service.”
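The CISA advice to "identify the source" is easier said than done for a Layer 7 (HTTP) flood, where every request completes a TCP handshake and looks like a normal, if excessive, client. The following is an added example, not code from the newsletter or from Talos: it walks constructed access-log lines (combined log format, as nginx and Apache write it), keeps a per-source sliding window to flag IPs whose request rate exceeds a threshold, shows which path is being hammered, and emits nftables drop rules for the flagged sources. The addresses are RFC 5737 documentation ranges, the table and chain names in the nftables rules are assumed, and the 20-requests-per-10-seconds threshold is an illustrative assumption, not a recommendation.

```python
"""Flag Layer 7 (HTTP) flood sources in web server access logs.

Added example; the log lines are constructed and the thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format (assumed): ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_flood_sources(lines, window=timedelta(seconds=10), max_requests=20):
    """Return {ip: peak request count seen inside any `window`} for sources
    that exceeded `max_requests` in a window.

    One pass over the log; each source keeps a deque of timestamps that is
    trimmed to the window as new requests arrive. Lines from a given source
    are assumed to be in chronological order, as access logs are.
    """
    windows = defaultdict(deque)
    peak = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the detector
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) > max_requests:
            peak[rec["ip"]] = max(peak.get(rec["ip"], 0), len(q))
    return peak


def top_paths(lines, n=3):
    """Most-requested paths (query string stripped), so an L7 flood aimed at
    one expensive endpoint stands out even when each hit varies the query."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[rec["path"].split("?")[0]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def nft_drop_rules(ips):
    """nftables rules for the flagged sources; assumes an inet table 'filter'
    with an 'input' chain already exists on the host."""
    return [f"nft add rule inet filter input ip saddr {ip} drop" for ip in sorted(ips)]


def constructed_log():
    """Constructed sample: a little normal browsing plus one source hitting
    /search 30 times in six seconds."""
    base = datetime(2023, 6, 26, 14, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i, path in enumerate(["/", "/login", "/static/app.js"]):
        ts = (base + timedelta(seconds=3 * i)).strftime(TS_FMT)
        lines.append(f'198.51.100.7 - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    for i in range(30):
        ts = (base + timedelta(milliseconds=200 * i)).strftime(TS_FMT)
        lines.append(f'203.0.113.45 - - [{ts}] "GET /search?q={i} HTTP/1.1" 200 8192 "-" "python-requests/2.31"')
    return lines


if __name__ == "__main__":
    log = constructed_log()
    flagged = find_flood_sources(log)
    print("flood sources:", flagged)
    print("hottest paths:", top_paths(log))
    for rule in nft_drop_rules(flagged):
        print(rule)
```

Two caveats a practitioner would want before turning the emitted rules into production blocks. First, if the server sits behind a CDN or reverse proxy, the logged peer address is the proxy and the per-IP window has to key on the client address the proxy forwards (and only from proxies you trust), otherwise the drop rule blocks your own edge. Second, a genuinely distributed flood spreads requests across thousands of sources so that no single one crosses the threshold; that is the case CISA's "rerouting traffic through a DoS protection service" is meant for, and per-IP drops on the origin will not solve it.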
There seem to be a few reasons why DDoS attacks are on the rise, despite them being looked at as “outdated” attacks.
For starters, the fact that they are simple attacks that date back to the development of the internet is the whole point — DDoS attacks are relatively easy to carry out compared to something like a sophisticated big game-hunting ransomware attack. Any actor with a base level of networking knowledge could start a DDoS attack.
Dark Utilities, which is an “as-a-service" platform Talos discovered last year, is a good example of this. Even though their C2-as-a-service and cryptocurrency mining offerings are the platform’s bread-and-butter, there is Layer 4 and Layer 7 DDoS tooling within their kit available to anyone willing to pay into their business model.
There also seems to be an uptick in funding behind these attacks, and money can frankly make any threat actor more powerful. Whether Russia directly or Russian state-sponsored actors are behind these attacks, the apparent association of these groups with major APTs shows that there is a drive to carry out DDoS attacks, make sure they succeed and send a message to the target.
The economic damage of DDoS attacks is tough to measure: who can really say how much money Blizzard missed out on while players were locked out of “Diablo IV” for a few hours, unable to spend money on microtransactions or decide to buy the game? So the case for preparing for DDoS is not as concrete as the one for ransomware, where the time and money needed to recover, restore backups or pay the requested ransom can be stated explicitly.
DDoS can be a punchline sometimes, but recent weeks have shown that it’s not to be slept on as a tool that actors with a range of motivations and resources can turn to.
The one big thing
Commercial spyware is still a going concern despite efforts from governments around the world to curb its use. Though the NSO Group started out as the most notorious example of a spyware creator, other “Mercenary Groups” are popping up like Intellexa, DSIRF, Variston IT, and the newly disclosed Quadream. And there are likely more companies operating covertly today.
Why do I care?
Although advertised as “tools” for law enforcement and government agencies strictly intended for legal use, report after report has shown commercial spyware has consistently been used against ethically questionable targets that don't fit the profile of criminals or terrorists. To avoid legal repercussions, these companies have headquarters in countries that do not have laws governing the export of their products or which classify the entities as IT service providers, effectively removing them from any product liability. These companies can therefore ultimately sell to whomever can pay without regard for who the intended targets are or what the impacts on the victims might be.
So now what?
For those that believe they are being or could be targeted by commercial spyware, rebooting the device before contacting a source or switching to lockdown mode might be the only options for the foreseeable future.
If you feel that you have been targeted by commercial spyware, there are also more generic habits that should be part of your daily routine:
- Reboot your device regularly.
- Use lockdown mode if your device is an iPhone.
- Don’t click on links from dubious sources.
- Don’t accept private messages from unknown persons.
- If you have to keep a public contact, use a separate, clean device to receive such contacts and reset it frequently.
- Keep your devices up-to-date.
Top security headlines of the week
Microsoft is denying that it was the victim of a data breach after the self-described hacktivist group Anonymous Sudan said it stole credentials belonging to more than 30 million users. The threat actor says it’s willing to sell the stolen information for $50,000 and that interested parties could engage the group’s Telegram bot to arrange the sale. However, a Microsoft representative told reporters that “our analysis of the data shows that this is not a legitimate claim and an aggregation of data. We have seen no evidence that our customer data has been accessed or compromised.” Anonymous Sudan gained notoriety over the past few months for a DDoS attack against Microsoft and recently admitted it was connected to the Russian state-sponsored actor Killnet, though its true goals and affiliations are unclear. (Bleeping Computer, TechRadar)
Representatives from the White House publicly warned that any attempt by a U.S. entity to purchase the NSO Group or its spyware tools would prompt serious review over national security concerns. A recent report connected a group of American financiers to being interested in acquiring the infamous NSO Group, known for the creation of the Pegasus spyware. However, it’s recently fallen on financial difficulties after international governments took steps to restrict the use and purchase of spyware. The NSO Group is already on a White House banned list, and the National Security Council said that any mergers or transactions involving the NSO Group would “prompt a review of whether the acquisition gives rise to a counterintelligence threat to the US government and its systems and information, whether other US equities may be at risk, and to what extent a foreign entity or government retains a degree of access or control.” (The Guardian)
The Clop ransomware gang continues to be one of the top threat actors in the world as the list of victims of the MOVEit zero-day vulnerability grows. Two U.S. colleges announced last week that they were affected by a data breach at the Teachers Insurance and Annuity Association of America that resulted from the exploitation of that vulnerability. The mass hack has now affected about 160 different organizations and companies. Security researchers say that Clop’s recent attacks could represent a new era for threat actors, who may opt to move away from executing ransomware while still relying on the tools they traditionally use for ransomware campaigns. The scope and success of the MOVEit attack is also likely to influence other threat actors. (TechCrunch, Dark Reading)
Can’t get enough Talos?
- Taking over Milesight UR32L routers behind a VPN: 22 vulnerabilities and a full chain
- The Future of Ransomware: Inside Cisco Talos Threat Hunters
- Talos Takes Ep. #145: The various ways attackers can mess with URLs, TLDs and DNS
Upcoming events where you can find Talos
BlackHat (Aug. 5 - 10)
Las Vegas, Nevada
Grace Hopper Celebration (Sept. 26 - 29)
Orlando, Florida
Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation.
Most prevalent malware files from Talos telemetry over the past week
SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91
MD5: 7bdbd180c081fa63ca94f9c22c457376
Typical Filename: c0dwjdi6a.dll
Claimed Product: N/A
Detection Name: Trojan.GenericKD.33515991
SHA 256: 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1
MD5: 3e10a74a7613d1cae4b9749d7ec93515
Typical Filename: IMG001.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Coinminer::1201
SHA 256: 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa
MD5: df11b3105df8d7c70e7b501e210e3cc3
Typical Filename: DOC001.exe
Claimed Product: N/A
Detection Name: Win.Worm.Coinminer::1201
SHA 256: e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c
MD5: a087b2e6ec57b08c0d0750c60f96a74c
Typical Filename: AAct.exe
Claimed Product: N/A
Detection Name: PUA.Win.Tool.Kmsauto::1201
SHA 256: 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725
MD5: d47fa115154927113b05bd3c8a308201
Typical Filename: mssqlsrv.exe
Claimed Product: N/A
Detection Name: Trojan.GenericKD.65065311