Tag Archives: discovered

New ‘Thanos’ ransomware weaponizes RIPlace evasion technique

Threat researchers at Recorded Future discovered a new ransomware-as-a-service tool, dubbed “Thanos,” that is the first to utilize the evasion technique known as RIPlace.

Thanos was put on sale as a RaaS tool “with the ability to generate new Thanos ransomware clients based on 43 different configuration options,” according to the report published Wednesday by Recorded Future’s Insikt Group.

Notably, Thanos is the first ransomware family to advertise its optional utilization of RIPlace, a technique introduced through a proof-of-concept (PoC) exploit in November 2019 by security company Nyotron. At its release, RIPlace bypassed most existing ransomware defense mechanisms, including antivirus and EDR products. But despite this, the evasion wasn’t considered a vulnerability because it “had not actually been observed in ransomware at the time of writing,” Recorded Future’s report said.

As reported by BleepingComputer last November, only Kaspersky Lab and Carbon Black modified their software to defend against the technique. But since January, Recorded Future said, “Insikt Group has observed members of dark web and underground forums implementing the RIPlace technique.”

According to its report on RIPlace, Nyotron discovered that file replacement actions using the Rename function in Windows could be abused by calling DefineDosDevice, which is a legacy function that creates a symbolic link or “symlink.”

Thanos RIPlace
Recorded Future shows how the RIPlace proof-of-concept exploit was adopted by a new ransomware-as-a-service tool known as Thanos.

Lindsay Kaye, director of operational outcomes for Recorded Future’s Insikt Group, told SearchSecurity that threat actors can use the MS-DOS device name to replace an original file with an encrypted version of that file without altering most antivirus programs.

“As part of the file rename, it called a function that is part of the Windows API that creates a symlink from the file to an arbitrary device. When the rename call then happens, the callback using this passed-in device path returns an error; however, the rename of the file succeeds,” Kaye said. “But if the AV detection doesn’t handle the callback correctly, it would miss ransomware using this technique.”

Insikt Group researchers first discovered the new Thanos ransomware family in January on an exploit forum. According to the Recorded Future report, Thanos was developed by a threat actor known as “Nosophoros” and has code and functions that are similar to another ransomware variant known as Hakbit.

While Nyotron’s PoC was eventually weaponized by the Thanos threat actors, Kaye was in favor of the vendor’s decision to publicly release RIPlace last year.

“I think at the time, publicizing it was great in that now antivirus companies can say great, now let’s make sure it’s something we’re detecting because if someone’s saying here’s a new technique, threat actors are going to take advantage of it so now it’s something that’s not going to be found out after people are victimized. It’s out in the open and companies can be aware of it,” Kaye said.

Recorded Future’s report noted that Thanos appears to have gained traction within the threat actor community and will continue to be deployed and weaponized by both individual cybercriminals and collectives through its RaaS affiliate program.

Go to Original Article
Author:

Intel CSME flaw deemed ‘unfixable’ by Positive Technologies

An underlying flaw in Intel chipsets, which was originally disclosed in May of 2019, was recently discovered by Positive Technologies to be far worse than previously reported.

Researchers from the vulnerability management vendor discovered a bug in the read-only memory of the Intel Converged Security and Management Engine (CSME) could allow threat actors to compromise platform encryption keys and steal sensitive information. The Intel CSME vulnerability, known as CVE-2019-0090, is present in both the hardware and the firmware of the boot ROM and affects all chips other than Intel’s 10th-generation “Ice Point” processors.

“We started researching the Intel CSME IOMMU [input-output memory management unit] in 2018,” Mark Ermolov, lead specialist of OS and hardware security at Positive Technologies, said via email. “We’ve been interested in that topic especially because we’ve known that Intel CSME shares its static operative memory with the host (main CPU) on some platforms. Studying the IOMMU mechanisms, we were very surprised that two main mechanisms of CSME and IOMMU are turned off by default. Next, we started researching Intel CSME boot ROM’s firmware to ascertain when CSME turns on the IOMMU mechanists and we found that there is a very big bug: the IOMMU is activated too late after x86 paging structures were created and initialized, a problem we found in October.”

The bug, which Positive calls “unfixable,” can be found in most Intel chipsets released in the last five years, according to Positive Technologies. 

“Intel CSME is responsible for initial authentication of Intel-based systems by loading and verifying all other firmware for modern problems,” Ermolov said. “It is the cryptographic basis for hardware security technologies developed by Intel and used everywhere, such as DRM, fTPM [firmware Trusted Platform Module] and Intel Identity protection. The main concern is that, because this vulnerability allows a compromise at the hardware level, it destroys the chain of trust for the platform as a whole.”

Although Intel has issued patches and mitigations that complicate the attack, Positive Technologies said fully patching the flaw is impossible because firmware updates can’t fully address all of the vectors.

“In the CVE-2019-0090 patch, Intel blocked ISH [Integrated Sensors Hub], so now it can’t issue DMA transactions to CSME. But we’re convinced there are other exploitation vectors and they will be found soon. To exploit a system that has not patched for CVE-2019-0090, an attacker doesn’t need to be very sophisticated,” Ermolov said.

In addition, Positive Technologies said extracting the chipset key is impossible to detect.

“The chipset key being leaked can’t be detected by CSME or by the main OS,” Ermolov said. “You’re already in danger, but you don’t know it. The attack (by DMA) also doesn’t leave any footprint. When an attacker uses the key to compromise the machine’s identity, this might be detected by you and you only, but only after it’s happened when it is too late.”

Once they’ve breached the system, threat actors can exploit this vulnerability in several ways, according to Positive Technologies.

“With the chipset key, attackers can pass off an attacker computer as the victims’ computer. They can gain remote certification into companies to access digital content usually under license (such as videos or films from companies like Netflix),” the company said via email. “They can steal temporary passwords to embezzle money. They can pose as a legitimate point-of-sale payment terminal to charge funds to their own accounts. Abusing this vulnerability, criminals can even spy on companies for industrial espionage or steal sensitive data from customers.”

Positive Technologies recommended disabling Intel CSME-based encryption or completely replacing CPUs with the latest generation of Intel chips.

This is the second vulnerability disclosed regarding Intel chips since January, when computer science researchers discovered a speculative execution attack that leaks data from an assortment of Intel processors released before the fourth quarter of 2018.

Go to Original Article
Author:

January Patch Tuesday fixes cryptography bug found by NSA

Microsoft closed a flaw in a key cryptographic feature it discovered with help from the National Security Agency as part of the January Patch Tuesday security updates.

Microsoft issued fixes for Windows, Internet Explorer, Office, several .NET technologies, OneDrive for Android and Microsoft Dynamics for January Patch Tuesday to close 49 unique vulnerabilities, with eight rated as critical. Microsoft said there were no exploited or publicly disclosed vulnerabilities. This month’s updates were the last free security fixes for Windows 7 and Windows Server 2008/2008 R2 as those operating systems left extended support.

Windows cryptographic library flaw fixed

The bug that drew the most attention from various security researchers on January Patch Tuesday is a spoofing vulnerability (CVE-2020-0601), rated important, that affects Windows 10 and Windows Server 2016 and 2019 systems. The NSA uncovered a flaw in the crypt32.dll file that handles certificate and cryptographic messaging functions in the Windows CryptoAPI. The bug would allow an attacker to produce a malicious program that appears to have an authenticated signature from a trusted source.

A successful exploit using a spoofed certificate could be used to launch several types of attacks, such as deliver a malicious file that appears trustworthy, perform man-in-the-middle campaigns and decode sensitive data. An unpatched system could be particularly susceptible because the malicious file could appear legitimate and even skirt Microsoft’s AppLocker protection.

“The guidance from us would be, regardless of Microsoft’s ‘important’ classification, to treat this as a priority one and get the patch pushed out,” said Chris Goettl, director of product management and security at Ivanti, a security and IT management vendor based in South Jordan, Utah.

Goettl noted that companies might not be directly attacked with exploits that use the CryptoAPI bug, but could be at risk from attacks on the back-end system of a vendor or another outside entity, such as when attackers embedded the NotPetya ransomware in tax software to slip past defenses.

Chris Goettl, director of product management and security, IvantiChris Goettl

“It’s not a very common occurrence because good code-signing certificates can establish a level of trust, while this [vulnerability] invalidates that trust and allows an attacker to try and spoof that. It introduces a lot of potential for risk, so we recommend people close [CVE-2020-0601] down as quickly as possible,” he said.

Bugs in Windows remote connection technology patched

January Patch Tuesday also closed three vulnerabilities related to Remote Desktop Services rated critical.

CVE-2020-0609 and CVE-2020-0610 are both remote code execution vulnerabilities in the Remote Desktop Gateway that affect server operating systems on Windows Server 2012 and newer. Microsoft said both CVEs can be exploited pre-authentication without any interaction from the user. Attackers who use the exploit can run arbitrary code on the target system, then perform other tasks, including install programs, delete data or add a new account with full user rights.

CVE-2020-0611 is a remote code execution vulnerability in the Remote Desktop Client that affects Windows 7 and newer on desktops, and Windows Server 2008 R2 and newer on server systems, when the attacker tricks a user to connect to a malicious server. The threat actor could then perform a range of actions, such as install programs, view or change data, or make a new account with full user rights.   

Legacy operating systems reach end-of-life

January Patch Tuesday marks the last time Microsoft will provide security updates and other fixes for the Windows 7, Windows Server 2008 and 2008 R2 operating systems unless customers pay to enter the Extended Security Updates (ESU) program. Companies must also have Software Assurance coverage or subscription licenses to purchase ESU keys for the server operating systems. Users will need to add the ESU key to systems they want to keep protected. ESU for those systems will end in three years.

Companies that plan to keep these legacy operating systems and have signed up for the ESU program should install the servicing stack updates Microsoft released for all three operating systems on January Patch Tuesday, Goettl said. Administrators also need to deploy and activate the ESU key using Microsoft’s instructions.

ESU is an expensive option. For on-premises server workloads, organizations will need either Software Assurance or a subscription license at a cost of about 75% of the license cost each year.  

ESU does not add new or updated features, just security fixes.

For organizations that plan to keep these operating systems running without the safety net of ESU, there are a few ways to minimize the risk around those workloads, including adding more security layers and removing the workload from a direct connection to the internet, Goettl said.

“If there’s an application or something that needs to run on Windows 7, then virtualize that environment. Get the users on the Windows 10 platform and have them connect into the Windows 7 environment to access that critical app. You will it spend more money doing it that way, but you will reduce your risk significantly,” he said.

Go to Original Article
Author:

Session cookie mishap exposed HackerOne private reports

A researcher discovered a session cookie risk that could have exposed private bugs on HackerOne, and questions remain about if data may have been taken.

The risk for vulnerability coordination and bug bounty site HackerOne stemmed from a HackerOne security analyst accidentally including a valid session cookie in a communication with community member haxta4ok00. According to the HackerOne incident report attached to the original bug report, which was first reported by Ars Technica, the session cookie was disclosed due to human error and revoked exactly two hours and three minutes after the company learned of the issue.

“Session cookies are tied to a particular application, in this case hackerone.com. The application won’t block access when a session cookie gets reused in another location. This was a known risk. As many of HackerOne’s users work from mobile connections and through proxies, blocking access would degrade the user experience for those users,” HackerOne wrote in the incident report. “A short-term mitigation of this vulnerability is to bind the user’s session to the IP address used at initial sign-in. If an attempt is made to utilize the session from a different IP address, the session is terminated.”

HackerOne added that longer-term mitigations will include detecting session cookies and authentication tokens in user comments and blocking submission, binding sessions to devices rather than IP addresses, improving employee education, and overhauling the permission model for HackerOne security analysts.

Craig Young, computer security researcher for Tripwire’s vulnerability and exposure research team, told SearchSecurity, “The first rule of session cookies is don’t share your session cookies.”

“That being said, accidents and oversights can happen. The general idea here is to bind the session cookies with some other identifying attribute of the expected client. This is commonly done by associating session cookies with some additional fingerprint of the authorized user,” Young said. “This can be as simple as restricting session cookies based on IP address or region. More sophisticated methods might involve client-side scripting to fingerprint a specific client browser.”

After seeing “the amount of sensitive information that could have been accessed” as a result of the session cookie account takeover, HackerOne decided the submission was a critical vulnerability and awarded a $20,000 bug bounty.

Data access still in question

Haxta4ok00 wrote in the report that they had “HackerOneStaff Access” and could “read all reports” and edit private programs. However, they asserted multiple times that all actions were in the spirit of white hat hacking.

In the discussion about the issue in the bug report, Reed Loden, director of security at HackerOne, asked haxta4ok00 to “delete all screenshots, exports, etc.” and confirm they had “no other copies of vulnerability data” captured as part of the report submission. While haxta4ok00 claimed they only took screenshots, they admitted they didn’t understand how to prove such data was deleted. Even so, Loden thanked the member “for confirming your removal of all screenshots and other data you may have downloaded as part of your report submission.” 

Following this exchange, Jobert Abma, co-founder of HackerOne, joined the conversation to ask why haxta4ok00 had “opened all the reports and pages in order to validate you had access to the account,” noting the HackerOne team found the extent of the member’s actions unnecessary.

Again, the member claimed they meant no harm and that answer seemed to be accepted by HackerOne staff. The member went on to claim they had previously reported the session cookie risk and nothing was done.

Katie Moussouris, founder and CEO of Luta Security, pointed out on Twitter that the discussion between haxta4ok00 and HackerOne staff raised more questions.

Loden told SearchSecurity that “asking the reporting hacker to validate what we are seeing on our end is one of many steps in our investigation process.”

“HackerOne always conducts comprehensive investigations for all vulnerabilities reported to our own bug bounty program. In this case HackerOne’s bug bounty program operated exactly as intended, it gave us a way to identify an unknown risk fast so we could safely eliminate it,” he wrote via email. “Less than 5% of programs were impacted by this issue, the risk was eliminated within two hours of receipt and long-term fixes were pushed within days.”

Loden also clarified why action was not taken on the first report about session cookie issues.

“HackerOne’s bug bounty program is focused on identifying real-world vulnerabilities impacting the Platform, and we require hackers to provide a valid proof of concept with submissions,” Loden said. “The report in question from three years ago was a purely theoretical scenario focused on older browsers that were not, and are still not, supported by the HackerOne Platform.”

Go to Original Article
Author:

USBAnywhere vulnerabilities put Supermicro servers at risk

Security researchers discovered a set of vulnerabilities in Supermicro servers that could allow threat actors to remotely attack systems as if they had physical access to the USB ports.

Researchers at Eclypsium, based in Beaverton, Ore., discovered flaws in the baseboard management controllers (BMCs) of Supermicro servers and dubbed the set of issues “USBAnywhere.” The researchers said authentication issues put servers at risk because “BMCs are intended to allow administrators to perform out-of-band management of a server, and as a result are highly privileged components.

“The problem stems from several issues in the way that BMCs on Supermicro X9, X10 and X11 platforms implement virtual media, an ability to remotely connect a disk image as a virtual USB CD-ROM or floppy drive. When accessed remotely, the virtual media service allows plaintext authentication, sends most traffic unencrypted, uses a weak encryption algorithm for the rest, and is susceptible to an authentication bypass,” the researchers wrote in a blog post. “These issues allow an attacker to easily gain access to a server, either by capturing a legitimate user’s authentication packet, using default credentials, and in some cases, without any credentials at all.”

The USBAnywhere flaws make it so the virtual USB drive acts in the same way a physical USB would, meaning an attacker could load a new operating system image, deploy malware or disable the target device. However, the researchers noted the attacks would be possible on systems where the BMCs are directly exposed to the internet or if an attacker already has access to a corporate network.

Rick Altherr, principal engineer at Eclypsium, told SearchSecurity, “BMCs are one of the most privileged components on modern servers. Compromise of a BMC practically guarantees compromise of the host system as well.”

Eclypsium said there are currently “at least 47,000 systems with their BMCs exposed to the internet and using the relevant protocol.” These systems would be at additional risk because BMCs are rarely powered off and the authentication bypass vulnerability can persist unless the system is turned off or loses power.

Altherr said he found the USBAnywhere vulnerabilities because he “was curious how virtual media was implemented across various BMC implementations,” but Eclypsium found that only Supermicro systems were affected.

According to the blog post, Eclypsium reported the USBAnywhere flaws to Supermicro on June 19 and provided additional information on July 9, but Supermicro did not acknowledge the reports until July 29.

“Supermicro engaged with Eclypsium to understand the vulnerabilities and develop fixes. Supermicro was responsive throughout and worked to coordinate availability of firmware updates to coincide with public disclosure,” Altherr said. “While there is always room for improvement, Supermicro responded in a way that produced an amicable outcome for all involved.”

Altherr added that customers should “treat BMCs as a vulnerable device. Put them on an isolated network and restrict access to only IT staff that need to interact with them.”

Supermicro noted in its security advisory that isolating BMCs from the internet would reduce the risk to USBAnywhere but not eliminate the threat entirely . Firmware updates are currently available for affected Supermicro systems, and in addition to updating, Supermicro advised users to disable virtual media by blocking TCP port 623.

Go to Original Article
Author:

Capital One breach suspect may have hit other companies

A new report looking into the attacker accused in the Capital One breach discovered references to other potential victims, but no corroborating evidence has been found yet.

The FBI accused Paige Thompson, who allegedly went by the name “Erratic” on various online platforms, including an invite-only Slack channel. The Slack channel was first reported on by investigative cybersecurity journalist Brian Krebs, who pointed out that file names referenced in the channel pointed to other organizations potentially being victims of similar attacks.

A new report by cybersecurity firm CyberInt, based in London, regarding the Capital One breach built on the information discovered by Krebs. Jason Hill, lead cybersecurity researcher at CyberInt, said the company was able to gain access to the Slack channel via an open invitation link.

“This link was obtained from the now-offline ‘Seattle Warez Kiddies’ Meetup group (Listed as ‘Organized by Paige Thomson’),” Hill wrote via email. “Based on the publicly available information at the time of report completion, such as Capital One’s statement and the [FBI’s] Criminal Complaint, we were able to conduct open source intelligence gathering to fill in some of the missing detail and follow social media leads to gain an understanding of the alleged threat actor and their activity over the past months.”

According to Hill, CyberInt researchers followed the trail through a GitHub account, GitLab page and a screenshot of a file archival process shared in the Slack channel.

“The right-hand side of the screen appears to show the output of the Linux command ‘htop’ that lists current processes being executed. In this case, under the ‘Command’ heading, we can see a number of ‘tar –remove-files -cvf – ‘ processes, which are compressing data (and then removing the uncompressed source),” Hill wrote. “These files correlate with the directory listing, and potential other victims, as seen later within the Slack channel.”

Between the files named in the screenshot and the corresponding messages in the Slack channel, it appeared as though in addition to the Capital One breach, the threat actor may have stolen 485 GB of data from various other organizations. Some organizations were implied by only file names, such as Ford, but others were named directly by Erratic in messages, including the Ohio Department of Transportation, Michigan State University, Infoblox and Vodafone.

Hill acknowledged that CyberInt did not directly contact any of the organizations named, because the company policy is normally to “contact organizations when our research detects specific vulnerabilities that can be mitigated, or threats detected by our threat intelligence platform.

“However in this case, our research was focused on the Capital One breach to gain an understanding of the threat actor’s tactics, techniques and procedures (TTP) and resulted in the potential identification of additional victims rather than the identification of any specific vulnerability or ongoing threat,” Hill wrote. “Our report offered general advice for those concerned about the TTP based on these findings.”

We contacted some of the organizations either directly named or implied via file name in Erratic’s Slack channel. The Ohio Department of Transportation did not respond to a request for comment. Ford confirmed an investigation is underway to determine if the company was the victim of a data breach.

A spokesperson for Michigan State University also confirmed an investigation is underway and the university is cooperating with law enforcement authorities, but at this point there is “no evidence to suggest MSU was compromised.”

Similarly, an Infoblox spokesperson said the company was “continuing to investigate the matter, however, at this time, there is no indication that Infoblox was in any way involved with the Capital One breach. Additionally, there is no indication of an intrusion or data breach causing Infoblox customer data to be exposed.”

A Vodafone spokesperson claimed the company takes security seriously, but added, “Vodafone is not aware of any information that relates to the Capital One security breach.”

Go to Original Article
Author:

Intel disclosed Spectre-like L1TF vulnerabilities

A new set of Spectre-like flaws that can, theoretically, be exploited to steal sensitive information was discovered in Intel products.

Two separate teams of researchers discovered the new vulnerabilities within a few weeks of each other in January and reported it to Intel. Intel was then able to identify two closely related variants and disclosed them publically this week, calling them L1 Terminal Fault (L1TF) vulnerabilities.

The three varieties of the L1TF vulnerabilities include CVE-2018-3615, which affects Intel’s Software Guard Extensions (SGX); CVE-2018-3620, which affects operating systems and System Management Mode memory; and CVE-2018-3646, which affects hypervisors and virtual machines.

The flaw affecting Intel SGX — the Foreshadow vulnerability — has caused more of an uproar than the others. Since the discovery of the Meltdown and Spectre vulnerabilities in January, Intel SGX had mostly remained untouched. While Meltdown and Spectre targeted program instructions, Foreshadow targets program data.

As a speculative execution side-channel vulnerability, Foreshadow can enable an attacker to “steal sensitive information stored inside personal computers and third-party clouds,” according to the researchers who discovered the flaws.

In a blog post about the L1TF vulnerabilities, Google explained that in order to exploit Foreshadow, an attacker would need “control of hardware resources that are accessible only with operating system level control of the underlying physical or virtual processors.” The vendor noted that unpatched operating systems could also allow for exploitation.

“Defending against this method of attack is particularly challenging for virtualized environments, as a virtual machine exposes the state necessary to construct an attack,” Google explained. “Specifically, an attacker could intentionally configure their own page tables to direct these faults and probe the cache of the core on which they are currently executing.”

Foreshadow vulnerabilityForeshadow vulnerability

Intel has already released mitigations for the L1TF vulnerabilities and said the new patches work best in conjunction with the microcode updates the company released earlier this year in response to the Meltdown and Spectre vulnerabilities.

“When coupled with corresponding updates to operating system and hypervisor software released starting today by our industry partners and the open source community, these updates help ensure that consumers, IT professionals and cloud service providers have access to the protections they need,” Intel’s executive vice president and general manager of product assurance and security, Leslie Culbertson, said. “Once systems are updated, we expect the risk to consumer and enterprise users running non-virtualized operating systems will be low.”

In other news:

  • President Donald Trump has reversed an Obama-era memorandum on how and when the U.S. government can use cyberattacks against adversaries, according to The Wall Street Journal. Trump signed an order to undo Presidential Policy Directive 20, which outlined a complex interagency process that had to be followed before the government could target a cyberattack at foreign adversaries. Presidential Policy Directive 20 was signed by then-President Barack Obama in 2012. Trump has yet to issue a replacement for the memorandum, though The Wall Street Journal reported “a number of current U.S. officials confirmed the directive had been replaced, but declined to comment further,” because it’s classified.
  • August’s Patch Tuesday brought five Flash patches from Adobe and 17 updates to fix at least 60 vulnerabilities — including two actively exploited zero-day vulnerabilities — from Microsoft. The first zero-day flaw Microsoft patched was a critical vulnerability in Internet Explorer that would target users with malware. The other zero-day was a vulnerability in the Windows 10 shell that would enable an attacker to run code remotely. Microsoft also patched the Foreshadow vulnerability. Another 23 patches were for critical flaws in Internet Explorer, Edge and Chakra Scripting. Adobe patched Flash vulnerabilities with a new version of it for macOS, Chrome and Linux.
  • The NIST Small Business Cybersecurity Act — formerly called the MAIN STREET Cybersecurity Act — became a law this week. The law requires the National Institute of Standards and Technology to provide informational resources to small businesses to help them with cybersecurity. The law is the result of a bipartisan effort from U.S. Sens. Brian Schatz (D-Hawaii) and James Risch (R-Idaho), and co-sponsored by Sens. John Thune (R-S.D.), Maria Cantwell (D-Wash.), Bill Nelson (D-Fla.), Cory Gardner (R-Colo.), Catherine Cortez Masto (D-Nev.), Maggie Hassan (D-N.H.), Claire McCaskill (D-Mo.), and Kirsten Gillibrand (D-N.Y.). The resources NIST provides to small businesses must be applicable to a wide variety of small businesses, vary based on the size of the company and the sensitivity of the data it deals with, include basic ways to promote a cybersecurity-aware environment, include case studies, are technology- and vendor-neutral and be based on international standards as much as possible.

BGP hijacking attacks target payment systems

Researchers discovered BGP hijacking attacks targeting payment processing systems and using new tricks to maximize the attackers hold on DNS servers.

Doug Madory, director of internet analysis at Oracle Dyn, previously saw border gateway protocol (BGP) hijacking attacks in April 2018 and has seen them continue through July. The first attack targeted an Amazon DNS server in order to lure victims to a malicious site and steal cryptocurrency, but more recent attacks targeted a wider range of U.S. payment services.

“As in the Amazon case, these more recent BGP hijacks enabled imposter DNS servers to return forged DNS responses, misdirecting unsuspecting users to malicious sites.  By using long TTL values in the forged responses, recursive DNS servers held these bogus DNS entries in their caches long after the BGP hijack had disappeared — maximizing the duration of the attack,” Madory wrote in a blog post. “The normal TTL for the targeted domains was 10 minutes (600 seconds).  By configuring a very long TTL, the forged record could persist in the DNS caching layer for an extended period of time, long after the BGP hijack had stopped.”

Madory detailed attacks on telecom companies in Indonesia and Malaysia as well as BGP hijacking attacks on U.S. credit card and payment processing services, the latter of which lasted anywhere from a few minutes to almost three hours. While the payment services attacks featured similar techniques to the Amazon DNS server attack, it’s unclear if the same threat actors are behind them.

Justin Jett, director of audit and compliance for Plixer, said BGP hijacking attacks are “extremely dangerous because they don’t require the attacker to break into the machines of those they want to steal from.”

“Instead, they poison the DNS cache at the resolver level, which can then be used to deceive the users. When a DNS resolver’s cache is poisoned with invalid information, it can take a long time post-attacked to clear the problem. This is because of how DNS TTL works,” Jett wrote via email. “As Oracle Dyn mentioned, the TTL of the forged response was set to about five days. This means that once the response has been cached, it will take about five days before it will even check for the updated record, and therefore is how long the problem will remain, even once the BGP hijack has been resolved.”

Madory was not optimistic about what these BGP hijacking attacks might portend because of how fundamental BGP is to the structure of the internet.

“If previous hijacks were shots across the bow, these incidents show the internet infrastructure is now taking direct hits,” Madory wrote. “Unfortunately, there is no reason not to expect to see more of these types of attacks against the internet.”

Matt Chiodi, vice president of cloud security at RedLock was equally as worried and warned that these BGP hijacking attacks should be taken as a warning.

“BGP and DNS are the silent warriors of the internet and these attacks are extremely serious because nearly all other internet services assume they are secure. Billions of users rely on these mostly invisible services to accomplish everything from Facebook to banking,” Chiodi wrote via email. “Unfortunately, mitigating BGP and DNS-based attacks is extremely difficult given the trust-based nature of both systems.”

Yale data breach discovered 10 years too late

Yale University discovered it suffered a data breach — 10 years ago.

The Yale data breach occurred at some point between April 2008 and January 2009, but officials are unsure exactly when. The Yale data breach included sensitive data such as names, Social Security numbers and birth dates on an unknown number of people, as well as some email addresses and physical addresses.

Because the Yale data breach happened so long ago, the University claimed it did not have much information on how it occurred. In its announcement of the breach, Yale noted that in 2011, the school’s IT “deleted the personal information in the database as part of an effort to eliminate unneeded personal information on Yale servers, but the intrusion was not detected at that time.”

The Yale data breach was not discovered until June 2018 when the school’s IT was “testing its servers for vulnerabilities and discovered a log that revealed the intrusion.”

Ryan Wilk, vice president at NuData Security, said the data included in the breach was more than enough to put users at risk.

“Although financial information was not exposed, even having your Social Security number, name, address and date of birth stolen can still cause problems,” Wilk wrote via email. “Cybercriminals can use this information to create a complete profile of students. Add a bit of social engineering, and they can start cracking all types of accounts and even open up new accounts in the students’ names.”

The school said it notified those students, alumni, faculty and staff memers affected by the breach and has offered identity monitoring services.

Zach Seward, CPO and executive editor at Quartz, was one victim in the Yale data breach, and he relayed his story on Twitter.

Wilk said it might not be Yale’s fault for not discovering the breach sooner.

“Malicious actors are learning not only to access a system but also to do it without leaving a trace. This extreme sophistication results in hard-to-uncover breaches that can take a long to reveal. We encourage companies and organizations to monitor their security system constantly and to stay alert for any unusual activity,” Wilk wrote. “Even if they’ve checked unusual activity thousands of times and it turned out to be nothing risky, the next time that anomaly may just be your cybercriminal at work.”