“Largest Ever” Attack is a Reminder to Test Your DDoS Defenses; Microsoft Flips and Moves to More Secure Power Apps Defaults; CISA: Patch ProxyShell Vulnerabilities Now

Cloudflare’s DDoS mitigation service is separate from their CDN offering. It leverages their presence around the globe to detect, measure, and stop these activities. Customer traffic has to be routed through their system, which then dynamically builds rules to stop the attack at layer 4, rather than layer 7. The top network layer attacks are Syn, Reset, and UDP floods, with an emerging trend in network protocol attacks, including UDP Portmap and Quote of the DAY (QOTD). There seems to be a trend for shorter and more intense DDOS attacks that reactive SOC monitoring and response are not well suited for; automation is key here. Work with your DDOS vendor to tune your mitigation system based on your threat model.

Lee Neely

The press loves “biggest DDoS attack ever” stories but many of the most damaging DDoS attacks weren’t brute force with high numbers of requests per second. The important point is where in your architecture have you put mitigation of denial-of-service attempts and do you regularly test your switchover to alternate connections or mitigation services?

John Pescatore

DDos attacks are now so commonplace that hosting an online service without DDoS protection is similar to not having spam filtering for your email. Criminals will continue to evolve their tools and techniques in this area which requires constant innovation by defenders.

Brian Honan

If the data is in the cloud, better make sure you have your authorization controls in place. People will find it. In this case, Microsoft warns of weak configurations, but does allow them with a single click. Power Apps are intended to be used by non-coders to write applications. This audience may not fully understand the implications of the warning.

Johannes Ullrich

There is an old joke about a badly written manual on how to defuse a bomb that said, “Cut the blue wire after you cut the red wire.” Yes, the instructions were correct but the way it was worded guaranteed a dangerous result and a loud boom. Good to see that Microsoft abandoned its original “not a vulnerability, it is by design” to making it easier for security to be the default position.

John Pescatore

Deny by default is a lesson we all need to learn, particularly as we move to the cloud. Verify access controls are as expected. As much as we trust large service and application suppliers such as Amazon, Microsoft, Oracle, Google, always verify and monitor the security is as described and remains so. At the end of the day, it matters more to detect and address insufficient access controls than to find out your data is exfiltrated and for sale.

Lee Neely

Developers exhibit a strong preference for convenient defaults over safe ones; they have been trained by users that are more likely to complain about “hard to use” than “risky to use.” Until and unless they can be retrained, users may not assume that products are “safe out of the box.”

William Hugh Murray

If you still find an unpatched and exposed Exchange server, walk away from it... who knows how many attackers are already fighting for it. “Cleaning it up” will be impossible. Or as they say, “nuke from orbit.”

Johannes Ullrich

The amount of abuse your organization will take for running something like Exchange in-house keeps going up. As Dr. Ullrich said in today's Stormcast, “If you haven't patched yet, don't bother - just move on.”

Christopher Elgee

All three vulnerabilities (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) are fixed in Microsoft’s May security update. Make sure you’re applying the monthly updates. Updates for Windows 10 are cumulative, so August’s updates also include these fixes.

Lee Neely

Incident responders should add an investigation of locally installed Windows drivers to their playbooks (C:\Windows\System32\drivers). Privilege escalation through vulnerable drivers is a systemic problem for Windows, and one that requires significant re-architecting to prevent. We'll likely see a lot more of these vulnerabilities in the future.

Joshua Wright

This exploit leverages Window’s automatic installation of drivers and requires local access to the system to interact with the installer. By using the installer’s option to select where the software is installed, coupled with the Windows explorer option to ‘Open PowerShell window here,’ that shell is opened with the privileges of the installer; in this case System. Razer is publishing an update which addresses the vulnerability, as well as providing the researcher with a bug bounty, even though this was disclosed.

Lee Neely

First printer drivers, now mouse drivers. The ability of normal users to install code that will later be executed by a higher privileged user is very dangerous and I am sure this pattern will continue to provide interesting vulnerabilities in the future.

Johannes Ullrich

IoT Inspector found about a dozen vulnerabilities and their report lists about 200 types of affected devices including routers, IP cameras, Wi-Fi repeaters and gateways. They also include queries to discover the devices using Shodan. Restrict network access to only authorized devices/users, disallowing Internet access where possible to mitigate risks of exploiting default/hard-coded credentials as well as other attack vectors. Leverage the IOCs in the IoT Inspector report to augment your detection/response capabilities.

Lee Neely

In light of these supply chain attacks, buyers should demand information about the provenance of the software in products they might purchase. The provenance must include not only a “bill of materials” for the product but also information about the tools and processes used to build it. Only then are they in a position to assess and mitigate their exposure to these attacks.

William Hugh Murray

Earlier this month, an audit report was released citing State and six other agencies for having weak security practices, in effect a guide for the sorts of practices to target for a successful exploit. When you are the recipient of a negative report like that, you need to create a prioritized remediation plan and start closing findings well ahead of the publish/release date to get ahead of those inevitable attacks.

Lee Neely

The attacker returned the pilfered funds as well as the bounty Poly Network paid ($500,000) to their wallet. Poly also offered him the position of “Chief Security Advisor” although it’s not clear if the offer will be accepted. It’s not a bad idea to leverage the hacker’s skills and mindset to find ways to improve and maintain security. The trick will be finding a way to build and maintain trust. A risk-based decision is needed in this scenario to determine if the oversight needed to ensure the hacker doesn’t cause added harm is worth the offset in security to reduce the likelihood of further incidents.

Lee Neely

If one cannot spend it, one might as well return it to those who can. While we may not be able to regain control of funds in destination accounts, we can blacklist the accounts so that the money cannot be spent or transferred.

William Hugh Murray

For several years, the list of “cryptocurrency” compromises has grown much faster than the list of legitimate companies accepting them. I think a better way to describe most of these is to call them “dissolvable currencies” – the “crypto” term was worked in to imply strong levels of safety, which is almost never the case.

John Pescatore

In 2014, Tokyo-based Bitcoin exchange Mt. Gox lost over $400 million in a crypto heist, which resulted in Japan’s legislators passing a law to regulate Bitcoin exchanges. Japan also recognizes Bitcoin and other digital currencies as legal property under their Payment Services Act (PSA). This helps support the actions to freeze accounts and stop movement of pilfered assets. The attackers are then using decentralized exchanges, outside Japan, to avoid being frozen.

Lee Neely

When we use the expression “crypto” we imply “cryptographically” secure; the cryptography is working as intended. However, cryptography is never more secure than the environment in which the keys are stored and protected. Thus we see that the distributed ledger is working as intended but wallets and exchanges are being compromised. These are no stronger than the lockwords that are chosen by human beings to protect the private keys. Choose carefully. Prefer exchanges that offer strong authentication.

William Hugh Murray