DDoS Attacks Hijack Windows RDP, SonicWall, 7-Zip, Google Forms, Airline Data Stolen– Cybersecurity News and Trends

1.   Latest Windows Cybersecurity News: RDP Servers Can be Exploited to Amplify DDoS Attacks

• Cybersecurity researchers have shown attackers are now capable of abusing RDP services to launch UDP reflection and amplification attacks, especially with services that are enabled on port UDP 3389.
• Attackers are able to send amplified attack traffic that consists of non-fragmented UDP packets, originating at the standard UDP port 3389. This tactic is aimed at targeting specific IP addresses and specific UDP ports on a corporate network.
• Security researchers realized that the amplified attack packets in this type of amplified DDoS attack are consistently 1260 bytes in length, padded with long strings of zeros.

SME Comments: Cybersecurity researchers reveal that attackers are amplifying DDoS attacks by increasing network packets from vulnerable ports, then redirecting the traffic to targeted IP addresses. This type of disruptive attack is often possible due to poor network security hygiene, and the lack of consistent (automated) network vulnerability scanning.

Link to article

2.   SolarWinds Threat Actors used 7-Zip Code to Hide Raindrop Cobalt Strike Loader

• A fourth malware tool, Raindrop, has been discovered by cybersecurity researchers in the ongoing analysis of the SolarWinds supply-chain attack. Raindrop is used as a mechanism to deploy Cobalt Strike beacons to select victims of interest, who already installed the compromised SolarWinds Orion software.
• The SolarWinds attackers used a modified version of the 7-Zip code to compile ‘Raindrop’ as a DLL file, allowing it to act as a cover. Thus, evading security detection.
• Additionally, the attackers used PowerShell to conduct lateral movement by creating new tasks on remote machines to spread the Raindrop malware.

SME Comments: In a dynamic effort to evade security detection, APT threat actors are now relying on the ‘living off of the land’ tactic, which involves them using everyday system applications as a platform to launch sophisticated attacks. In this case, the SolarWinds attackers used a 7-Zip code to hide their malicious functionalities. To mitigate such an attack trend, an automated zero-trust framework is critical.

Link to article

3.   Google Forms Used to Bypass Email Cybersecurity Filters

• Cybersecurity researchers shared news of an attack trend where attackers use Google Forms to facilitate credential phishing campaigns. This hybrid campaign combines the technique of leveraging Google Services and social engineering attacks to lure unsuspecting employees.
• To achieve credibility, the threat actors responsible for this attack methodology leverage unique names of C-level executives from a target organization. The social engineering emails display a sense of urgency, directing employees to a poisoned URL link which redirects the users to an untitled form hosted on Google Forms infrastructure.
• The primary attack goal of this credential phishing campaign is to elicit a response from targets. Meanwhile, the secondary attack goal is to unmask employees with poor cyber hygiene within target organizations, so as to deploy follow-up attacks to further exploit their poor security posture.

SME Comments: Google forms allow malicious actors to send malicious emails since it naturally bypasses output and input designations in most email filters. The malicious actors use these Google forms to disguise themselves as a trusted entity, thereby gaining quicker responses from users. Responding to or completing such forms could lead to data theft, (malicious software) driveby downloads, and other data manipulation antics.

Link to article

4.   Airlines Have Made Cybersecurity News as Passenger Data Stolen by Chinese-sponsored Threat Actors

• The Chinese state-sponsored threat actor, Chimera, was first sighted targeting the Taiwanese superconductor industry in April 2020. However, their target scope now appears to have expanded to targeting airline companies around the world.
• In this attack campaign, Chimera employed several custom DLL files to retrieve sensitive Passenger Name Records from the memory of secured airline servers, which hosts several sensitive passengers’ personally identifiable information (PII) such as travel destination, number of checked luggage, home address, full names, etc.
• Chimera’s TTPs usually begin with passively collecting user login credentials that were leaked in the public domains, then leveraging social engineering tactics and lateral movement to gain a foothold into an airline’s network. In some cases, Chimera threat actors have been known to remain hidden inside a target airline’s network for as long as three years in order to perform lateral movement and create backdoors for future attacks.
• With this stolen data, the Chinese state-sponsored threat actor is capable of launching multiple spear-phishing attacks, aimed at compromising specific targets.

SME Comments: Working in unison with China’s Ministry of State Security (MSS), Chimera is one of numerous advanced persistent threat (APT) actors whose tactics are aligned with the interests of the Chinese government. They almost always involve themselves with the monitoring of groups and/or individuals which the Chinese government has labeled as dissidents. Additionally, one of the primary purposes of this airline passenger data theft is to gather enough valuable information, to further strengthen the likelihood of success of future credential stuffing, and password spraying attacks against targeted entities.

Link to article

5.   Firewall Manufacturer, SonicWalls, Makes Cybersecurity News as it Suffers Major Compromise

• SonicWall builds network security tools, VPN gateways, and hardware firewalls for business. Earlier this week, the network security company recognized an organized attack on its internal system, targeting a zero-day vulnerability from its corporate (secure) remote access products.
• SonicWall made it clear that the patterns and attack tactics uncovered were that of a sophisticated and well-coordinated threat actor. Although the company did not provide many details about the zero-day vulnerability or the attack, they provided a list of all affected devices and advised users to apply temporary security fixes before an official patch becomes available to the public.
• Although SonicWall disclosed this attack, they are mostly concerned that several organizations will fail to apply the security fixes and patches that are required to assure the security posture of critical data.

SME Comments: Zero-day attacks are usually deployed by highly skilled threat actors, who often spend countless hours probing for very specific loops within a system. Therefore, whenever a zero day compromise occurs, it is almost never a coincidence. For device protection, SonicWall device users should be advised to block IP addresses that are not whitelisted, and then reinforce device security using multi-factor authentication (MFA).

Link to article