DDoS Attacks and How You Can Protect Yourself From Joining the Bot Army

If you were online last Friday, chances are you encountered a slowdown across the internet as a Distributed Denial of Service (DDoS) attack was launched against Dyn, a company that manages domain registrations.

The attack, according to Dyn, enlisted “up to 100,000 malicious endpoints.” It slowed down access to many popular websites including Amazon, Twitter, Spotify, and more.

While research continues to determine who was behind the attack, Dyn says it happened across multiple vectors and internet locations. Dyn confirms a “significant volume of the attack traffic originated from Mirai-based botnets,” malware that facilitates large-scale network attacks like the one encountered last week.

Denial of service attacks typically occur when a single computer tries to consume the resources a target system needs to perform its job. The malicious behavior often seeks to consume all available bandwidth, attack timing or session-based conditions, exploit vulnerabilities in software that cause crashes, or consume so much processing power that the target can no longer perform its function.

DDoS attacks enlist tens, hundreds, thousands, even millions or billions of devices as attackers. With the advent of the Internet of Things (IoT) and the many existing low-security devices (VoIP phones, printers, DVRs, home routers, and other IP-connected devices), there is a rich environment of unwitting hosts ready to be recruited into the “bot army.”

Since DNS is part of the core infrastructure that makes the internet work the way we use it today, attacks like the Dyn DNS DDoS impact the entire internet.

A DDoS attack doesn’t just make it difficult to resolve a website’s hostname (the reason you may have timed out trying to access sites during the attack). Today’s applications dynamically load content from third-party sites, using DNS to locate those resources. This may include third-party JavaScript, resource lookups, ad networks, or other capabilities, any of which can impact a web application’s functionality.

Mobile apps consume APIs that use DNS to communicate with web services. Many security protections prohibit direct IP connections because they are frequently a sign of an attack, and hard-coding addresses would also lock communication to specific IPs in an ever-changing IP landscape. When DNS fails, there is often no way to communicate.

DNS DDoS attacks primarily work in two ways (although there are others):

DNS Amplification

DDoS attackers can spoof the source IP of a DNS request so that it appears to come from the intended target, which results in a flood of responses directed at that target server. Although the target server never requested a lookup, it suddenly has to deal with a large volume of responses. To further amplify the attack, requests can use DNS protocol extensions or Domain Name System Security Extensions (DNSSEC) to increase the response size, making it even more difficult for the target to process the responses.

DNS Flood

DDoS attackers use scripts to automate large numbers of queries to exhaust server resources. Since these are User Datagram Protocol (UDP) packets, their source addresses are easily spoofed, and the attacker never needs to receive a response to consume the DNS server’s resources.

An alternate form of this attack is the NXDOMAIN attack, which intentionally creates malformed requests or requests for nonexistent resources. This makes the DNS server spend computing cycles on lookups that may never resolve or it fills the cache with bad data, preventing legitimate lookups.
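As an added example that is not part of the original post, the Python below is a small detector for the two patterns just described, run over constructed query-log lines. It assumes a simplified log format (time, source IP, name, type, advertised EDNS buffer size, response code); a real BIND or Windows DNS log needs its own parser.

```python
import re
from collections import defaultdict

# Constructed log format for this example (not BIND's own):
#   "<time> <src_ip> <qname> <qtype> <edns_bufsize> <rcode>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\S+)$")

# Constructed sample: one reflection target, one random-subdomain flood, one normal client.
SAMPLE_LOG = """\
12:00:01 198.51.100.7 example.com ANY 4096 NOERROR
12:00:01 198.51.100.7 example.com ANY 4096 NOERROR
12:00:01 198.51.100.7 example.com ANY 4096 NOERROR
12:00:02 198.51.100.7 example.com ANY 4096 NOERROR
12:00:02 198.51.100.7 example.com ANY 4096 NOERROR
12:00:02 203.0.113.9 x7qk2.example.com A 512 NXDOMAIN
12:00:02 203.0.113.9 m1pz9.example.com A 512 NXDOMAIN
12:00:03 203.0.113.9 q0rr4.example.com A 512 NXDOMAIN
12:00:03 203.0.113.9 www.example.com A 512 NOERROR
12:00:03 203.0.113.9 zz81a.example.com A 512 NXDOMAIN
12:00:03 192.0.2.20 www.example.com A 1232 NOERROR
12:00:04 192.0.2.20 mail.example.com MX 1232 NOERROR
"""


def parse_lines(text):
    """Yield one dict per well-formed line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            t, src, qname, qtype, bufsize, rcode = m.groups()
            yield {"time": t, "src": src, "qname": qname, "qtype": qtype,
                   "bufsize": int(bufsize), "rcode": rcode}


def detect(records, min_queries=5, any_ratio=0.8, nx_ratio=0.6, big_edns=4096):
    """Return {src_ip: finding} for sources whose query mix matches either pattern.

    Amplification: mostly ANY queries advertising a large EDNS buffer. In a reflection
    attack the source address is the spoofed victim, so the finding names a target to
    rate-limit responses to, not an attacker to block.
    NXDOMAIN flood: a high share of answers that were NXDOMAIN (random subdomains).
    """
    stats = defaultdict(lambda: {"n": 0, "any_big": 0, "nx": 0})
    for r in records:
        s = stats[r["src"]]
        s["n"] += 1
        if r["qtype"] == "ANY" and r["bufsize"] >= big_edns:
            s["any_big"] += 1
        if r["rcode"] == "NXDOMAIN":
            s["nx"] += 1

    findings = {}
    for src, s in stats.items():
        if s["n"] < min_queries:
            continue  # too few queries to judge
        if s["any_big"] / s["n"] >= any_ratio:
            findings[src] = ("amplification: likely spoofed reflection target; "
                             "apply response rate limiting for this address")
        elif s["nx"] / s["n"] >= nx_ratio:
            findings[src] = ("nxdomain flood: random-subdomain queries exhausting "
                             "lookups and cache")
    return findings


def analyze(text=SAMPLE_LOG):
    """Parse and classify a log excerpt in one step."""
    return detect(parse_lines(text))


if __name__ == "__main__":
    for src, finding in analyze().items():
        print(src, "->", finding)
```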

It is currently unknown which technique attackers used in the recent Dyn DNS attack, but the Mirai malware that created the DDoS bots in the recent attack against Brian Krebs (a security journalist and blogger) was likely involved in some of the hosts used in this attack. This further showcases the need for enhanced IoT security, because these devices are typically not designed for security and are frequently not updated when vulnerabilities are discovered.

So what can you do to protect your network? F5 Networks has robust DDoS protections:

  • Local Traffic Manager (LTM) and Advanced Firewall Manager (AFM) provide robust layer 3 and layer 4 protections
  • F5 DNS, previously known as Global Traffic Manager (GTM), can help mitigate DNS-based DDoS attacks by providing greater flexibility in request forwarding and caching, and is several times faster than a BIND server
  • Application Security Manager (ASM) can help with layer 7 attacks
  • The new F5 Hybrid DDoS Defender creates an integration with F5’s Silverline Content Delivery Network (CDN) scrubbing service to offload local DDoS conditions to the F5 Silverline cloud where a larger set of resources and purpose-built protections can help mitigate, or Silverline can be used as a standalone solution.

GuidePoint has several F5 Certified Technology Specialists available to help your team secure your environment from potential DDoS attacks. Our team can help you maximize your install’s potential and secure your resources.

For more information about F5’s BIG-IP DNS solution, check out our previous blog.

Other hardware solutions are available from Radware, Arbor Networks, A10, Fortinet and others. They have comprehensive solutions for your organization’s data center as well.

DDoS is one of the primary use cases for cloud-based inline protections like Incapsula, Silverline, Akamai, Cloudflare, and others. GuidePoint Security’s technology professionals have extensive experience in DDoS attack prevention and CDN solutions.

If you’re a GuidePoint client and have questions about CDN solutions and how we can help, please reach out directly to your representative or email us at info@guidepointsecurity.com.

About GuidePoint Security

GuidePoint Security LLC provides innovative and valuable cyber security solutions and expertise that enable organizations to successfully achieve their mission. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification is with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.

Hack to the Basics: Patch Vulnerabilities Before Attackers Exploit Them


White hat hacker illustrates how vulnerabilities can give unwanted access into your environment

While patching vulnerabilities may seem like a basic component of any organization’s information security plan, many often overlook this important step.

Hackers know this and are quick to search for exploits not long after vulnerabilities are discovered. Did you know that while it takes an average organization almost 200 days to patch a vulnerability, nearly half of all exploits happen 10 to 100 days after a vulnerability is published?

A recent co-presentation between GuidePoint Security and BMC takes a look at challenges vulnerabilities create for operations and security teams, explores how attackers use these vulnerabilities to exploit their way into environments, and discusses tools to quickly prioritize remediation and build a defense.

In “Hack to the Basics,” Brian Brush, regional partner with GuidePoint, says operations and security teams must do more work to bridge the gap between them.

“Most organizations still struggle with this,” he said.

Among the challenges are manual processes teams often use to find vulnerabilities.

“Hackers are already automated,” Brian said.

Seth Corder, automation specialist with BMC, emphasized Brian’s point by saying known vulnerabilities are often how attackers get into environments.

“They are looking for the easy stuff,” Seth said, adding that 80 percent of the potential attack surface is known vulnerabilities, even though 99.9 percent of the time there is a solution to fix it.

Automation tools like BMC’s BladeLogic Threat Detector can do just that.

Brian and Seth encourage operations and security teams to remember the value of fundamentals. Patch both internal and external vulnerabilities and focus on remediation. With a solid strategy for vulnerability hunting and patching, teams can direct their attention on making it harder for attackers to enter an environment and cause damage.

To see the full presentation and learn more about how vulnerabilities are a risk to your organization’s overall security, check out the video on BMC’s YouTube channel.

When an attacker breaches the perimeter

Victor Wieczorek, GuidePoint managing security consultant, is a white hat hacker who knows firsthand how easy it is to exploit systems where vulnerabilities are not patched and remediated.

In the same presentation with BMC, Victor demonstrates how quickly attackers can gain access to vulnerable systems.

“Hackers look for openings,” he said, clarifying they go after the easy things, like known vulnerabilities, first.

In a hands-on demonstration, Victor explains how, with a few scripts and automated tools, he can access a system where a vulnerability remains unpatched, long after a fix is available.

Attackers use the same vulnerability and automated scanning tools as security teams, said Neil Parisi, BMC principal software consultant. Playing the role of the “good guy” in the demonstration, Neil says it’s a race to the finish line between security/operations teams and attackers.

“Can you patch before they penetrate?”

In part two of the video series, “Hacker Breaches the Perimeter,” Victor uses easily downloadable and free tools to successfully access the demo environment, while Neil shows how BladeLogic can quickly patch and repair the vulnerability.

But, like most tenacious hackers, Victor doesn’t give up. Using information obtained before detection of the vulnerability, he moves on to secure a username and credentials for part three, “Breached! Hacker Moves on to Exploit the Center.”

In the fourth and final part of the video series, “Hacker Goes for Admin Rights,” Victor continues to move around in the environment undetected. How does he do it? By using the username he detected in the previous exploit and rolling the dice on his gamble the user had the same password for multiple systems. The result? Victor gains admin credentials and masks his malicious activities like an approved user. Watch the full video to find out how much access Victor gets as he exposes vulnerabilities and how the BMC team uses BladeLogic to stop the attack.


About BMC

BMC is a global leader in innovative software solutions that enable businesses to transform into digital enterprises for the ultimate competitive advantage. Its digital enterprise management solutions make digital business fast, seamless, and optimized from mainframe to mobile to cloud and beyond. BMC digital IT transforms 82 percent of the Fortune 500 and serves more than 10,000 customers worldwide. For more information, visit www.bmc.com.

TMM Vulnerability Compromises F5 BIG-IP Availability

GuidePoint urges clients to resolve issue ASAP

Earlier this week, F5 Networks released a security advisory, SOL19784568, alerting users to a network traffic vulnerability involving virtual servers on BIG-IP appliances using TCP profiles.

F5 is classifying this as a high severity issue. Because of the potential risk of a complete outage, GuidePoint Security is heavily urging our clients to resolve this issue as soon as possible.

In a nutshell, because of the vulnerability, an unauthenticated attacker can craft a malicious packet and send it to a virtual server that uses a transmission control protocol (TCP) profile. The result can cause the underlying Traffic Management Operating System (TMOS) to reset, causing an outage for the entire device, not just the targeted application. Once the device comes back up, an attacker can repeat the attack and cause a total outage for as long as the BIG-IP will accept traffic.

Based on the information provided by F5, this can only be completely mitigated by upgrading to a version in which this has already been fixed. As of today, no engineering hotfix has been issued to mitigate it.

F5 has provided some instructions for reducing the overall likelihood of encountering the problem. However, this is not a full mitigation, only a substantial reduction of the potential threat. Updating the TMOS version is the only supported full mitigation method at this time. We are working with our F5 peers on this matter to better assist our customers.

There is a CVE reserved for this also, CVE-2016-5023, but no content is currently published on Mitre’s site.

Vulnerable versions:

  • 12.0.0
  • 11.6.0 HF5-HF7
  • 11.5.3 – 11.5.4
  • 11.4.1 HF4-HF10
  • 11.2.1 HF11-HF15

Versions NOT considered vulnerable:

  • 12.1.0
  • 12.0.0 HF3
  • 11.6.1
  • 11.6.0-11.6.0 HF4
  • 11.5.4 HF2
  • 11.5.0-11.5.2
  • 11.4.0-11.4.1 HF3
  • 11.2.1 HF16
  • 11.2.1-11.2.1 HF10
  • 10.2.1-10.2.4
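As an added example (not F5’s or GuidePoint’s code), the Python below transcribes the two lists above into version ranges and classifies a BIG-IP version string against them, so an inventory export can be checked in bulk. It assumes versions are written as in the advisory (“11.6.0 HF5”) or with the hotfix on a separate “Hotfix HF5” line, and any level the advisory does not mention is reported as “not listed” rather than guessed.

```python
import re

# Version tuples are (major, minor, maintenance, hotfix); hotfix 0 is the base release.
# The ranges transcribe the SOL19784568 lists quoted above exactly as written there.
VULNERABLE = [
    ((12, 0, 0, 0), (12, 0, 0, 0)),      # 12.0.0
    ((11, 6, 0, 5), (11, 6, 0, 7)),      # 11.6.0 HF5-HF7
    ((11, 5, 3, 0), (11, 5, 4, 0)),      # 11.5.3 - 11.5.4
    ((11, 4, 1, 4), (11, 4, 1, 10)),     # 11.4.1 HF4-HF10
    ((11, 2, 1, 11), (11, 2, 1, 15)),    # 11.2.1 HF11-HF15
]
NOT_VULNERABLE = [
    ((12, 1, 0, 0), (12, 1, 0, 0)),      # 12.1.0
    ((12, 0, 0, 3), (12, 0, 0, 3)),      # 12.0.0 HF3
    ((11, 6, 1, 0), (11, 6, 1, 0)),      # 11.6.1
    ((11, 6, 0, 0), (11, 6, 0, 4)),      # 11.6.0 - 11.6.0 HF4
    ((11, 5, 4, 2), (11, 5, 4, 2)),      # 11.5.4 HF2
    ((11, 5, 0, 0), (11, 5, 2, 0)),      # 11.5.0 - 11.5.2
    ((11, 4, 0, 0), (11, 4, 1, 3)),      # 11.4.0 - 11.4.1 HF3
    ((11, 2, 1, 16), (11, 2, 1, 16)),    # 11.2.1 HF16
    ((11, 2, 1, 0), (11, 2, 1, 10)),     # 11.2.1 - 11.2.1 HF10
    ((10, 2, 1, 0), (10, 2, 4, 0)),      # 10.2.1 - 10.2.4
]

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
HOTFIX_RE = re.compile(r"\bHF(\d+)\b")


def parse_version(text):
    """Extract (major, minor, maintenance, hotfix) from '11.6.0 HF5'-style text.

    The first dotted triple is taken as the version and an 'HFn' token anywhere in
    the text as the hotfix (assumed layout for multi-line version output)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no BIG-IP version found in: %r" % text)
    hf = HOTFIX_RE.search(text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)),
            int(hf.group(1)) if hf else 0)


def tmm_status(text):
    """Classify a version string against the advisory's two lists."""
    v = parse_version(text)
    if any(lo <= v <= hi for lo, hi in VULNERABLE):
        return "vulnerable"
    if any(lo <= v <= hi for lo, hi in NOT_VULNERABLE):
        return "not vulnerable"
    return "not listed"   # e.g. 12.0.0 HF1: confirm against SOL19784568 before deciding


if __name__ == "__main__":
    for sample in ("11.6.0 HF6", "11.5.3 HF2", "12.1.0", "12.0.0 HF1"):
        print(sample, "->", tmm_status(sample))
```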

GuidePoint Security acknowledges this is a critical vulnerability and will follow it closely. We will continue to disseminate information going forward, and we welcome questions or concerns you might have. For help, please reach out directly to your GuidePoint Security contact, call 877-889-0132, or email info@guidepointsecurity.com.


The Boy Who Cried “Badlock”

Introduction

On March 11, 2016 the domain badlock.org was registered by German consultancy SerNet in order to create a brand for a series of vulnerabilities discovered by Stefan Metzmacher. 11 days later, on March 22, the InfoSec community on Twitter started to circulate the site’s ominous warnings for a “crucial security bug in Windows and Samba,” with major tech news sites such as Wired and The Register adding to the buzz shortly after. Details slowly trickled out over the following weeks, and the affected versions of Samba were listed on April 2nd. Apparently, SerNet began to feel the pushback against the over-branded hype, and they added a response to the Badlock site saying, “It is a thin line between drawing attention to a severe vulnerability that should be taken seriously and overhyping it.”

On April 12, the full details of Badlock, which is really a collection of several interrelated vulnerabilities, were released and timed specifically to align with Microsoft’s regular “Patch Tuesday” announcement. Reaction to the disclosure has been mixed. The relevant Windows patch is rated “Important” by Microsoft, not critical. That, along with Badlock’s overall CVSS 3.0 score of 7.1 (high), does not reflect the three weeks of blockbuster-style marketing and PR as “crucial” that rivaled the far more critical and ubiquitous Heartbleed and Shellshock vulnerabilities.

Overview

Badlock consists of eight separate vulnerabilities, each detailed in its own CVE:

CVE-2015-5370 – Multiple errors in DCE-RPC code: Errors that prevent proper validation of specially crafted DCE-RPC packets can result in denial-of-service (DoS) for Samba.

CVE-2016-2110 – Man-in-the-middle attacks possible with NTLMSSP: It is possible under certain conditions to remove required encryption related flags to disable encryption and allow a man-in-the-middle (MitM) attack against the Samba service.

CVE-2016-2111 – NETLOGON Spoofing Vulnerability: When Samba is configured as a Domain Controller, it allows an attacker to spoof the computer name of a client without the need for authentication. This allows the attacker to intercept potentially sensitive information.

CVE-2016-2112 – The LDAP client and server don’t enforce integrity protection: An attacker who has already obtained MitM status can remove integrity checks that are communicated between an LDAP client and server.

CVE-2016-2113 – Missing TLS certificate validation allows man-in-the-middle attacks: While TLS/SSL is supported in vulnerable versions of Samba, certificates are never validated, which facilitates MitM attacks.

CVE-2016-2114 – “server signing = mandatory” not enforced: A bug in Samba prevents SMB signing, even if explicitly set, which again facilitates MitM attacks.

CVE-2016-2115 – SMB client connections for IPC traffic are not integrity protected: SMB signing was again not enforced, this time for IPC traffic, and once more facilitating MitM attacks.

CVE-2016-2118 – SAMR and LSA man-in-the-middle attacks possible: Typically available on all Windows systems, this vulnerability allows an attacker positioned as a MitM to impersonate any user against the Security Account Manager (SAM) database and Local Security Authority (LSA). As a result, the attacker is able to get read/write access to the Security Account Manager Database, which reveals all passwords and any other potential sensitive information.

Impact

The vulnerabilities disclosed under the Badlock name affect multiple versions of Samba and corresponding components found in the most recent versions of Windows, and amount to either MitM or DoS-style attacks.

Under the MitM scenario, a local attacker can intercept an authenticated session and perform Samba network calls under the current session context. Samba.org lists the following examples in their write-up:

  • Samba AD server – view or modify secrets within an AD database, including user password hashes, or shutdown critical services.
  • Standard Samba server – modify user permissions on files or directories.

It is important to note that the attacker would need to already have local access to the affected systems to properly execute this attack.

The DoS vulnerability is exploitable by a remote attacker and could bring down systems or services that rely on the Samba service.

No publicly available exploits have been identified for Badlock yet. SerNet has insinuated that they have proof-of-concept exploits, but no additional details have been released. Furthermore, while Microsoft has assigned Badlock an “Important” severity rating, they have assessed its exploitability at its lowest level: “3 – Exploitation Unlikely”.

Identification

The following versions of Samba are affected: 3.6.x, 4.0.x, 4.1.x, 4.2.0-4.2.9, 4.3.0-4.3.6, 4.4.0 (earlier versions have not been assessed).

Microsoft lists most of its latest Windows operating systems as being affected by Badlock, specifically: Windows Vista, Server 2008, Windows 7, Server 2008 R2, Windows 8.1, Server 2012, Server 2012 R2, Windows RT 8.1, and Windows 10. They have also specifically noted that this vulnerability does not affect SMB, only the SAM and LSAD remote protocols.

Remediation

The officially patched versions of Samba are: 4.2.10/4.2.11, 4.3.7/4.3.8 and 4.4.1/4.4.2. Versions earlier than 4.2.x have been discontinued and are no longer supported. It is recommended that organizations running older versions upgrade as soon as possible. Samba.org warns that due to the patch and related fixes, new options and defaults are present in the patched versions that might impact compatibility with older third-party software. Hints and workarounds for these scenarios are listed on the Samba.org site here.

Microsoft has released security bulletin MS16-047 to address this issue as part of April 12th’s regular “Patch Tuesday”.

Summary Opinion

While Badlock is certainly a concerning vulnerability that no doubt impacts an extremely large number of organizations and should be patched as soon as possible, the overblown hype and speculation it received leading up to its disclosure likely did more harm than good. For example, there were thirteen bulletins released on April 12th as part of Microsoft’s “Patch Tuesday.” Four of them had a “critical” severity, and one of those four (MS16-039) already has known remote command execution exploits in the wild. Despite this, discussions are focused on Badlock, a named vulnerability, where even according to SerNet, the name is arbitrary, as was the decision for it to be named in the first place.

Information security professionals need to tread carefully when it comes to creating awareness and not cross the line into generating unproductive fear, uncertainty, and doubt (FUD). As a penetration tester, I value the specific benefit that the branding gives to Heartbleed and Shellshock because it facilitates easier communication with our clients and brings awareness to truly critical issues. There will certainly be a future need for similar levels of awareness, and information security professionals should be much more calculated in these types of campaigns in order to retain our roles as trusted advisors.


Attackers DROWN TLS Security with SSLv2 Vulnerabilities

Decrypting RSA using Obsolete and Weakened eNcryption (DROWN) attacks allow attackers to decrypt intercepted Transport Layer Security (TLS) traffic by abusing vulnerabilities in the obsolete Secure Socket Layer Version 2 (SSLv2) protocol. A successful DROWN attack can provide the attacker with the encryption keys used to secure client-to-server communications. The attack works by making repeated requests to a server using the deprecated SSLv2 protocol instead of the recommended TLS protocol. Each SSLv2 connection request allows the attacker to decipher a few bits of the encryption key. With enough requests, attackers can piece together the entire encryption key, allowing interception and decryption of TLS-protected traffic encrypted with the same keys.

SSLv2 was deprecated in 1996 due to serious security flaws in its implementation. TLS is the current recommended protocol for protecting client-to-server communications; all versions of SSL have been rendered obsolete by significant security flaws in the protocols. Unfortunately, SSLv2 and SSLv3 are still prevalent due to the need to maintain backward compatibility with legacy systems, the lack of adequate vulnerability management and patching, and most significantly, the lack of proper configuration for public-facing server resources and applications that rely on encrypted client-to-server communications. The most recent estimates indicate that SSLv2 is directly supported by approximately:

  • 5.9 million Web servers (17% of all HTTPS-protected machines)
  • 81,000 of the top 1 million most popular web sites
  • 936,000 e-mail servers

Even though SSLv2 has been deprecated for more than 20 years, it is still available as an option for negotiating encryption during client-to-server communications in many applications and servers. Modern applications will attempt to use the more secure TLS protocol, but attackers can manually request SSLv2 on a vulnerable server to force the insecure protocol to be used, giving them the opportunity to conduct a DROWN attack. An attacker that successfully conducts a DROWN attack against a vulnerable server can use the deciphered encryption keys to intercept and decrypt TLS-encrypted network traffic if the same compromised key is used to encrypt the data. This also means that an attacker that successfully uses DROWN on one server could use the compromised keys to decrypt traffic from any other server that uses the same keys. For these reasons, these vulnerabilities should be addressed, or adequate workarounds implemented immediately, until vendor patching is made publicly available.

Public-facing servers can be scanned using the free Qualys SSL Labs SSL Server Test to determine if the SSLv2 protocol is available to be used to encrypt communications. The scanner can be found at https://www.ssllabs.com/ssltest/.

Preventing the exploitation of these vulnerabilities and subsequent DROWN attacks can be achieved by removing SSLv2 support from your servers and then immediately updating any keys that could have been exposed by successful DROWN attacks to ensure that future TLS encrypted communications cannot be intercepted or decrypted by attackers.
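As an added check that is not part of the original post, the Python below sends a bare SSLv2 CLIENT-HELLO to a server you administer and reports whether it answers with an SSLv2 SERVER-HELLO, which is the condition the SSL Labs test flags and the thing to remove per the remediation above. The record layouts follow the SSLv2 specification; the sample server reply and TLS alert fed to the parser are constructed inline so the parsing can be exercised offline.

```python
import os
import socket
import struct

# SSLv2 cipher kinds (3 bytes each); every one of them is weak or export-grade.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}

# Constructed SSLv2 SERVER-HELLO: no certificate bytes, two cipher kinds, 16-byte connection id.
SAMPLE_SERVER_HELLO = (b"\x80\x21"                   # record header: 33-byte message
                       + b"\x04\x00\x01\x00\x02"      # SERVER-HELLO, no session hit, X.509, version 2
                       + b"\x00\x00\x00\x06\x00\x10"  # cert len 0, cipher len 6, conn-id len 16
                       + b"\x01\x00\x80\x07\x00\xc0" + b"\x00" * 16)
# Constructed TLS alert record (handshake_failure), the kind of reply a TLS-only server gives.
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"


def build_sslv2_client_hello(challenge=None):
    """Build an SSLv2 CLIENT-HELLO record offering every SSLv2 cipher kind."""
    challenge = challenge or os.urandom(16)
    ciphers = b"".join(SSLV2_CIPHERS)
    body = (b"\x01"                                    # MSG-CLIENT-HELLO
            + b"\x00\x02"                              # CLIENT-VERSION = SSLv2
            + struct.pack(">HHH", len(ciphers), 0, len(challenge))
            + ciphers + challenge)                     # empty session id
    # Two-byte record header: high bit set, 15-bit length, no padding.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_sslv2_server_hello(data):
    """Return a dict describing an SSLv2 SERVER-HELLO, or None if data is not one."""
    if len(data) < 13 or not data[0] & 0x80:
        return None   # TLS records begin 0x15/0x16; SSLv2 headers have the high bit set
    length = struct.unpack(">H", data[:2])[0] & 0x7FFF
    msg = data[2:2 + length]
    if len(msg) < 11 or msg[0] != 0x04:               # MSG-SERVER-HELLO
        return None
    version = struct.unpack(">H", msg[3:5])[0]
    cert_len, ciph_len, conn_len = struct.unpack(">HHH", msg[5:11])
    off = 11 + cert_len
    cb = msg[off:off + ciph_len]
    ciphers = [SSLV2_CIPHERS.get(cb[i:i + 3], cb[i:i + 3].hex())
               for i in range(0, len(cb) - len(cb) % 3, 3)]
    return {"version": version, "cert_len": cert_len, "ciphers": ciphers}


def probe_sslv2(host, port=443, timeout=5.0):
    """Send an SSLv2 CLIENT-HELLO to host:port; a non-None result means SSLv2 is enabled."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv2_client_hello())
        try:
            data = s.recv(4096)
        except socket.timeout:
            data = b""
    return parse_sslv2_server_hello(data)


if __name__ == "__main__":
    import sys
    result = probe_sslv2(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443)
    print("SSLv2 ENABLED:" if result else "no SSLv2 SERVER-HELLO:", result)
```

A server that merely accepts the SSLv2-format hello but answers with a TLS ServerHello (0x16) is reported as not speaking SSLv2, which is the desired post-remediation state.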
