SecPro #20: Bandwidth.com DDoS-ed, Identifying Vulnerabilities with Nessus
- Bandwidth.com DDoS-ed – Why Is No-One Saying Anything?
- Identifying Vulnerabilities with Nessus: How to Perform Vulnerability Assessment with Nessus
- Checklist to Define Secure Access Inside Cloud Infrastructure
- Recent Security Issues
- Secret Knowledge: Building Your Security Arsenal
By Austin Miller
- A malware gang posing as REvil is suspected of launching attacks against VoIP giants over the past month.
- Disruption to VoIP.ms and Bandwidth.com’s service has affected in excess of 400,000 people across the USA, including Google Voice and Microsoft Teams Voice subscribers.
- The lack of news around the topic is quite unusual – some VoIP users suspect that there is federal involvement in the case, so this gang seems to be getting a lot of attention from law enforcement.
If you are one of the growing number of VoIP users, you might have noticed severe disruptions over the last few weeks. In fact, there have been two distinct DDoS attacks on two big players in the VoIP world – VoIP.ms and Bandwidth.com.
VoIP.ms is probably more familiar to people who are interested in VoIP, and the attack was covered fairly publicly throughout the catastrophic week-long DDoS takedown. But how has this other VoIP provider managed to stay out of the spotlight while suffering a similar outage this past week?
The Hidden Giant
Bandwidth is an enterprise-level VoIP provider, so you probably haven’t heard of it before. I’ll be honest with you, I hadn’t.
Bandwidth.com is a huge provider of VoIP services to some of the biggest players in the world market. Their client list includes Google, Microsoft, Twilio, Accent, 9-1-1 centers – the list goes on.
We are talking about a Tier-1 service provider here – there aren’t many of them in the grand scheme of things and they hold a lot of power. When one is taken down for an extended period of time, you know something big is happening.
The Hidden Adversary
Both the VoIP.ms and Bandwidth.com attacks seem to have come from threat actors who are impersonating the ransomware gang REvil, which is (in)famous for the JBS and Kaseya ransomware attacks in early 2021.
Because the adversaries are using DDoS attacks (instead of ransomware), it is strongly suspected that these aren’t the same people that were operating under the name REvil.
VoIP.ms ransom note
The malicious agents behind the VoIP.ms attacks sent the above ransom note with demands for a 1BTC payment (later escalating to an eye-watering 100BTC!), but it is unknown at this stage whether any victim has given in to the pressure and paid up.
The Impact on the Ground
The Story As It Went Down
On Saturday 25th September, there were 4 hours of downtime, which Bandwidth quickly rectified.
A similar attack happened the next day. Experts expected downtime to continue throughout the week but did not foresee Monday’s level of disruption.
The following Monday, all nodes were hit at once by the DDoS attacks at 9 am EST, causing almost 400,000 people to go without a VoIP connection. An overload of data stopped the service from getting through. The knock-on effects included:
- Total failure of VoIP calls
- Successful connections without CNAMEs
- Successful connections without any data transfer over the ports
- Extensive packet loss, causing jitter or distorted calls
In effect, SIP seems to be unaffected, but RTP is unable to carry the call data successfully. Clients can connect, but no information is getting through the wall of DDoS noise.
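The "SIP connects, RTP carries nothing" symptom above is something a defender can watch for on their own side of a provider, long before a status page admits to an outage. The following Python script is an added example (not from the newsletter or from Bandwidth) that classifies call records into healthy, degraded, no-media and SIP-failed states from RTP sequence-number gaps and inter-arrival jitter, then counts them so a sudden rise in no-media calls stands out. The record layout, the 20 ms packetisation interval, the thresholds and the sample calls are all constructed assumptions.

```python
"""Media-path health check for VoIP calls (added example, not from the article).

Assumptions (not from the original page): each call record carries the SIP
outcome plus the RTP packets seen by the receiver as (sequence number,
arrival time in ms).  Interval and thresholds are illustrative.
"""
from dataclasses import dataclass, field
from statistics import mean

NOMINAL_INTERVAL_MS = 20.0   # typical RTP packetisation interval (assumed)
LOSS_THRESHOLD = 0.05        # more than 5 % loss -> degraded (assumed)
JITTER_THRESHOLD_MS = 30.0   # mean |inter-arrival - nominal| above this -> degraded (assumed)


@dataclass
class CallRecord:
    call_id: str
    sip_ok: bool                                     # did signalling (INVITE / 200 OK) succeed?
    rtp_packets: list = field(default_factory=list)  # list of (seq, arrival_ms)


def packet_loss(packets):
    """Fraction of RTP packets missing, judged from sequence-number gaps."""
    if not packets:
        return 1.0
    seqs = sorted(s for s, _ in packets)
    expected = seqs[-1] - seqs[0] + 1
    return 1.0 - len(set(seqs)) / expected


def mean_jitter_ms(packets):
    """Mean deviation of the inter-arrival time from the nominal interval."""
    if len(packets) < 2:
        return 0.0
    arrivals = sorted(t for _, t in packets)
    gaps = [b - a for a, b in zip(arrivals, arrivals[1:])]
    return mean(abs(g - NOMINAL_INTERVAL_MS) for g in gaps)


def classify(call):
    """Return one of: 'sip-failed', 'no-media', 'degraded', 'healthy'."""
    if not call.sip_ok:
        return "sip-failed"
    if not call.rtp_packets:
        return "no-media"   # signalling completed, nothing got through on the media ports
    if (packet_loss(call.rtp_packets) > LOSS_THRESHOLD
            or mean_jitter_ms(call.rtp_packets) > JITTER_THRESHOLD_MS):
        return "degraded"
    return "healthy"


def summarise(calls):
    """Count calls per state; a jump in no-media or degraded is the alert signal."""
    counts = {"sip-failed": 0, "no-media": 0, "degraded": 0, "healthy": 0}
    for call in calls:
        counts[classify(call)] += 1
    return counts


# Constructed sample records (not real traffic)
SAMPLE_CALLS = [
    CallRecord("c1", True, [(i, i * 20.0) for i in range(100)]),                # clean call
    CallRecord("c2", True, []),                                                   # SIP fine, RTP never arrived
    CallRecord("c3", True, [(i, i * 20.0) for i in range(100) if i % 10 != 0]),  # every 10th packet lost
    CallRecord("c4", False, []),                                                  # signalling failed
]

if __name__ == "__main__":
    for call in SAMPLE_CALLS:
        print(call.call_id, classify(call))
    print(summarise(SAMPLE_CALLS))
```

Run against per-call records exported from your SBC or softswitch, the same thresholds would separate an upstream media-path failure (SIP up, RTP dead) from ordinary congestion (RTP present but lossy).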
Snap, Crackle, and Dropped Lines
Chat support window from Bandwidth
It’s not been good for Bandwidth. A support worker jumped the gun on the nature of the attack, telling a VoIP operator who relies on Bandwidth for back-end support that it was a DDoS attack.
After initially staying quiet about the issue, Bandwidth’s CEO, David Morken, released a statement on Tuesday 26th confirming that the attack was a DDoS.
“Bandwidth and a number of critical communications service providers have been targeted by a rolling DDoS attack. While we have mitigated much intended harm, we know some of you have been significantly impacted by this event. For that, I am truly sorry. Thank you for your patience.”
Given that Bandwidth had initially tried to keep the issue out of the public eye, this news was welcomed, but it also caused some level of panic about what the attackers’ overall intentions are.
Despite the calls that this may be a nation-state-backed attack on American infrastructure, there is nothing at this stage that implies the (not) REvil team is anything but a cyber-criminal gang going after a big fish.
There’s No End to (Not) REvil’s Campaign In Sight
Starting up at the opening hours for most businesses across America and then loosening the chokehold at closing shows this isn’t your average “flip the switch, attack until we’re stopped” DDoS attack – instead, we have malicious actors who know what they want to achieve and when to do it.
For people on the ground, there’s not much we can do besides turn to VoIP alternatives until everything is back online. This means using email, chat, and other communication means until Bandwidth and any other potential victims manage to find and stop the adversaries.
Identifying Vulnerabilities with Nessus: How to Perform Vulnerability Assessment with Nessus 🛡
By Glen D. Singh
Nessus is one of the most popular vulnerability scanners and is widely used by network and cybersecurity professionals. Nessus can help you not only identify security vulnerabilities but also provide solutions to help remediate and mitigate cyber-attacks. It also provides a vulnerability score for each security weakness, which is used to help prioritize your workflow. Nessus is worth having in your arsenal as it can identify over 47,000 known vulnerabilities on systems.
Getting Started in Identifying Vulnerabilities with Nessus
Install and initialize Nessus by using the following instructions:
- Get an official copy of Kali Linux from https://www.kali.org/get-kali/.
- While Nessus is a commercial product, there is a free version known as Nessus Essentials which allows scanning of up to 16 addresses. Go to https://www.tenable.com/products/nessus/nessus-essentials and register for an activation code.
- Next, head over to https://www.tenable.com/downloads/nessus where…
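Once a scan has run, the score Nessus attaches to each finding is what drives prioritisation. The Python below is an added example, not part of the original article and not a Tenable tool: it reads a .nessus (v2 XML) export, drops informational items, and orders the rest by CVSS base score so the remediation queue starts with the worst finding. The XML is a constructed sample in the shape of a real export; the hosts, plugin IDs and plugin names are placeholders.

```python
"""Prioritise findings from a Nessus .nessus (v2 XML) export.

Added example, not from the article or Tenable.  SAMPLE_NESSUS_XML is a
constructed document in the shape of a real export: hosts, plugin IDs and
plugin names are placeholders, not real Nessus plugins.
"""
import xml.etree.ElementTree as ET
from collections import namedtuple

Finding = namedtuple("Finding", "host port protocol severity cvss plugin_name solution")

# Nessus 'severity' attribute: 0 info, 1 low, 2 medium, 3 high, 4 critical
SEVERITY_LABEL = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}

SAMPLE_NESSUS_XML = """<NessusClientData_v2>
  <Report name="constructed-sample">
    <ReportHost name="10.0.0.5">
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
                  pluginID="100001" pluginName="Placeholder SMB remote code execution" pluginFamily="Windows">
        <cvss_base_score>9.8</cvss_base_score>
        <solution>Apply the vendor patch.</solution>
      </ReportItem>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="2"
                  pluginID="100002" pluginName="Placeholder weak SSH ciphers" pluginFamily="Misc.">
        <cvss_base_score>5.3</cvss_base_score>
        <solution>Disable CBC ciphers in sshd_config.</solution>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="100003" pluginName="Placeholder OS identification" pluginFamily="General">
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.9">
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="3"
                  pluginID="100004" pluginName="Placeholder TLS library overflow" pluginFamily="Web Servers">
        <cvss_base_score>7.5</cvss_base_score>
        <solution>Upgrade the affected library.</solution>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Flatten every ReportItem of every ReportHost into Finding tuples."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            cvss_el = item.find("cvss_base_score")
            sol_el = item.find("solution")
            findings.append(Finding(
                host=host.get("name"),
                port=int(item.get("port")),
                protocol=item.get("protocol"),
                severity=int(item.get("severity")),
                cvss=float(cvss_el.text) if cvss_el is not None else 0.0,   # info plugins carry no score
                plugin_name=item.get("pluginName"),
                solution=sol_el.text.strip() if sol_el is not None and sol_el.text else "",
            ))
    return findings


def prioritise(findings, min_severity=1):
    """Drop informational items and order by CVSS (then Nessus severity), worst first."""
    actionable = [f for f in findings if f.severity >= min_severity]
    return sorted(actionable, key=lambda f: (f.cvss, f.severity), reverse=True)


def host_summary(findings):
    """Per-host count of findings at each severity label, including info."""
    summary = {}
    for f in findings:
        label = SEVERITY_LABEL[f.severity]
        summary.setdefault(f.host, {}).setdefault(label, 0)
        summary[f.host][label] += 1
    return summary


if __name__ == "__main__":
    findings = parse_nessus(SAMPLE_NESSUS_XML)
    for f in prioritise(findings):
        print(f"{f.cvss:>4} {SEVERITY_LABEL[f.severity]:<8} {f.host}:{f.port}/{f.protocol}  {f.plugin_name}  ->  {f.solution}")
    print(host_summary(findings))
```

To use it on a real scan, export the scan from the Nessus web UI in the "Nessus" format and pass the file's contents to parse_nessus; the same ordering then gives you the patch list in score order.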
Checklist to Define Secure Access Inside Cloud Infrastructure
By Merlyn Shelley
Securing access to network components (hardware instances, software modules, or the people accessing them) is growing in complexity. Where can things go wrong? When a resource is accessed, the problem can lie in connectivity, authentication, authorization, or auditing. The question, then, is how to establish secure access between these components, and below we list a few measures you can implement at your end to secure that access.
Identity Aware Authentication
User access should be authenticated at every access point and network socket. To do this, identity awareness needs to be enabled in every network security gateway, or browser-based authentication placed in front of it. Solutions such as single sign-on help establish a secure authentication process.
Multi-Protocol Identity-Aware Access Proxy (IAP)
This establishes a unified authentication and authorization mechanism in front of resources that speak different protocols, such as Kubernetes, PostgreSQL, and SSH, so that one identity is enforced consistently across the organization’s platform.
Unified Identity Audit Log
This unified interface gives maximum visibility of all the network components present in the cloud infrastructure, with real-time information on what is happening across the network. More importantly, every operation across the cloud environment is logged for future reference.
Native Resources or Protocol-Aware Sidecar Proxy for your Service Mesh
This automatically enforces authorization for, and records all activity against, each supported resource on the organization’s platform, whether it is a MongoDB instance, an SSH host, or a Kubernetes cluster.
- GitHub – gravitational/teleport: Certificate authority and access plane for SSH, Kubernetes, web applications, and databases
- GitHub – pomerium/pomerium: Pomerium is an identity-aware access proxy
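The checklist items above (identity-aware authentication at every access point, one authorization gate shared across protocols, and a unified audit log) fit together as a single decision path, which is what the two projects linked above implement at scale. The Python below is an added example written for this section, not code from Teleport, Pomerium or the article: a signed token stands in for an SSO-issued identity, one role-to-resource policy covers SSH, Kubernetes and PostgreSQL, and every decision, allowed or denied, lands in one audit list. The shared key, user names, roles, resource names and token format are all constructed assumptions.

```python
"""Identity-aware access gate with a unified audit log.

Added example, not code from the article, Teleport or Pomerium.  The shared
key, users, roles, resource names and token format are constructed for
illustration; a real deployment would verify SSO/OIDC-issued tokens rather
than sign its own with a shared secret.
"""
import hashlib
import hmac
import json
import time

SHARED_KEY = b"constructed-demo-key"   # placeholder secret for the demo

# Authorization policy: role -> {(protocol, resource): allowed verbs}
POLICY = {
    "dba":   {("postgresql", "orders-db"): {"connect"}},
    "sre":   {("ssh", "web-01"): {"connect"}, ("kubernetes", "prod"): {"get", "list"}},
    "admin": {("ssh", "web-01"): {"connect"}, ("kubernetes", "prod"): {"get", "list", "apply", "delete"}},
}

AUDIT_LOG = []   # one log for every protocol handler, so no access escapes review


def _clock(now):
    return time.time() if now is None else now


def mint_token(user, role, ttl=300, now=None):
    """Stand-in for an SSO-issued credential: signed JSON claims with an expiry."""
    claims = json.dumps({"sub": user, "role": role, "exp": int(_clock(now)) + ttl}, sort_keys=True)
    sig = hmac.new(SHARED_KEY, claims.encode(), hashlib.sha256).hexdigest()
    return claims + "." + sig


def authenticate(token, now=None):
    """Return verified claims, or None if the signature is bad or the token has expired."""
    claims_json, _, sig = token.rpartition(".")
    if not claims_json:
        return None
    expected = hmac.new(SHARED_KEY, claims_json.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(claims_json)
    if claims["exp"] < _clock(now):
        return None
    return claims


def authorize(claims, protocol, resource, verb):
    """Role-based check that is identical whether the request is SSH, k8s or SQL."""
    return verb in POLICY.get(claims["role"], {}).get((protocol, resource), set())


def access(token, protocol, resource, verb, now=None):
    """The single gate every protocol handler calls; every decision is logged."""
    claims = authenticate(token, now)
    if claims is None:
        decision, user = "deny:unauthenticated", None
    elif not authorize(claims, protocol, resource, verb):
        decision, user = "deny:unauthorized", claims["sub"]
    else:
        decision, user = "allow", claims["sub"]
    AUDIT_LOG.append({"ts": _clock(now), "user": user, "protocol": protocol,
                      "resource": resource, "verb": verb, "decision": decision})
    return decision == "allow"


if __name__ == "__main__":
    t0 = 1_700_000_000
    token = mint_token("alice", "sre", now=t0)
    print(access(token, "ssh", "web-01", "connect", now=t0 + 5))       # True
    print(access(token, "kubernetes", "prod", "delete", now=t0 + 5))   # False: sre may not delete
    print(access(token, "ssh", "web-01", "connect", now=t0 + 600))     # False: token expired
    for entry in AUDIT_LOG:
        print(json.dumps(entry))
```

Two design points carry over to the real tools: the denial reason is recorded separately from the identity, so a burst of deny:unauthenticated entries (bad or expired credentials) is distinguishable from a valid user probing resources outside their role, and the protocol is just a field in the policy key, so adding a new resource type changes data, not the gate.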
Recent Security Issues
- Remote code execution vulnerability in VMware vCenter: A remote code execution vulnerability in VMware vCenter is being actively exploited in the wild. CVE-2021-22005 can allow an attacker to open a reverse shell on a vulnerable server, allowing them to remotely execute arbitrary code.
- Do you use Clubhouse? If so, the phone number associated with your Facebook account might be for sale on a dark web market. Cybernews reported that about 3.8 billion Clubhouse users’ phone numbers have been scraped, merged with 533 million Facebook profiles, and put up for sale for $100,000.
- The top ransomware threats aren’t who you think. A report from Bitdefender out this week looked at 19.8 million malware detections collected by its telemetry to find insights about the current ransomware threat landscape. The team of analysts was able to identify a total of 250 different ransomware families, but just three dominated the field in terms of sheer attack volume.
Secret Knowledge: Building Your Security Arsenal
Discover useful security resources, threat intel, cheatsheets, and open-source CLI/web tools.
Digital Forensics & Incident Response Cheatsheets
- Memory Forensics Cheat Sheet: You will find this cheatsheet useful for Memory Forensics, Advanced Digital Forensics, Incident Response, and Threat Hunting tasks.
- SIFT Workstation Cheat Sheet: DFIR forensic analysts are on the front lines of computer investigations. This cheatsheet aims to support forensic analysts in their quest to uncover the truth.
- Tips for Reverse-Engineering Malicious Code: Cheatsheet for reversing malicious Windows executables via static and dynamic code analysis.
- Analyzing Malicious Documents: This cheatsheet outlines tips and tools for analyzing malicious documents, such as Microsoft Office, RTF, and Adobe Acrobat (PDF) files.
Threat Signature Packages
- ESET’s Malware IoCs – Indicators of Compromise (IoCs) derived from ESET’s various investigations.
- FireEye’s Red Team Tool Countermeasures – Collection of Snort and YARA rules to detect attacks carried out with FireEye’s own Red Team tools, first released after FireEye disclosed a breach in December 2020.
- FireEye’s Sunburst Countermeasures – Collection of IoCs in various languages for detecting backdoored SolarWinds Orion NMS activity and related vulnerabilities.
- YARA Rules – Project covering the need for IT security researchers to have a single repository where different Yara signatures are compiled, classified, and kept as up-to-date as possible.
Tackling Email Spoofing and Phishing
A nice overview of how DMARC, DKIM, and SPF can be used to protect against email spoofing and phishing. Cloudflare has also released an Email Security DNS Wizard that aims to make configuring them easy.
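As an added example for this item (not Cloudflare's wizard and not code from the linked overview), the Python below checks published SPF and DMARC TXT records for the settings that leave spoofing unblocked: a "+all", "?all" or "~all" SPF terminator, terms after "all" that are never evaluated, the deprecated "ptr" mechanism, more than ten DNS-lookup terms (which makes receivers return permerror and ignore SPF entirely), a DMARC policy of p=none, a missing reporting address, and a partial pct. The records are constructed samples and the domain names are placeholders.

```python
"""Lint SPF and DMARC TXT records for settings that leave spoofing unblocked.

Added example, not Cloudflare's wizard or code from the linked article.
The sample records are constructed; example.com / example.net are placeholders.
"""
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_DNS_LOOKUPS = 10   # RFC 7208 section 4.6.4 limit


def _spf_name(term):
    """'include:example.net' -> 'include', '~all' -> 'all', 'a/24' -> 'a'."""
    return re.split(r"[:=/]", term.lower().lstrip("+-~?"), 1)[0]


def check_spf(txt):
    """Return a list of weaknesses in an SPF record (empty list means it looks sound)."""
    issues = []
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    mechanisms = terms[1:]
    all_positions = [i for i, t in enumerate(mechanisms) if _spf_name(t) == "all"]
    if not all_positions:
        issues.append("no 'all' mechanism: unlisted senders are treated as neutral")
    else:
        i = all_positions[0]
        term = mechanisms[i]
        qualifier = term[0] if term[0] in "+-~?" else "+"   # SPF default qualifier is '+'
        if qualifier == "+":
            issues.append("'+all' authorises every sender on the internet; use '-all'")
        elif qualifier == "?":
            issues.append("'?all' is neutral; use '-all'")
        elif qualifier == "~":
            issues.append("'~all' only soft-fails; move to '-all' once your sender list is complete")
        if i != len(mechanisms) - 1:
            issues.append("terms after 'all' are never evaluated")
    if any(_spf_name(t) == "ptr" for t in mechanisms):
        issues.append("'ptr' is deprecated by RFC 7208 and slow to evaluate")
    lookups = sum(1 for t in mechanisms if _spf_name(t) in LOOKUP_TERMS)
    if lookups > MAX_DNS_LOOKUPS:
        issues.append(f"{lookups} DNS-lookup terms exceed the limit of {MAX_DNS_LOOKUPS}; "
                      "receivers return permerror and ignore SPF")
    return issues


def parse_dmarc(txt):
    """'v=DMARC1; p=none; rua=mailto:x@y' -> {'v': 'DMARC1', 'p': 'none', 'rua': 'mailto:x@y'}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(txt):
    """Return a list of weaknesses in a DMARC record (empty list means it looks sound)."""
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    issues = []
    policy = tags.get("p")
    if policy is None:
        issues.append("missing required 'p' tag")
    elif policy.lower() == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        issues.append("no 'rua' address: you receive no aggregate reports showing who sends as your domain")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        issues.append(f"pct={pct} applies the policy to only part of the mail stream")
    return issues


# Constructed sample records: the weak setting beside its corrected form
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
GOOD_SPF = "v=spf1 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for label, record, checker in [("weak SPF", WEAK_SPF, check_spf), ("good SPF", GOOD_SPF, check_spf),
                                   ("weak DMARC", WEAK_DMARC, check_dmarc), ("good DMARC", GOOD_DMARC, check_dmarc)]:
        print(label, "->", checker(record) or ["ok"])
```

Feed it the TXT records you get back from `dig TXT example.com` and `dig TXT _dmarc.example.com` (with your own domain in place of the placeholder); a clean pass on both, together with DKIM signing on every outbound path, is what makes receivers able to reject mail that merely claims to be from you.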
Introducing k8s-lab-plz: A modular Kubernetes Lab that provides an easy and streamlined way to deploy a test cluster (on minikube or baremetal), by Marco Lancini. Existing support for: Vault, ELK, Prometheus, Grafana, Kafka, and Cartography.