SANS NewsBites

DDoS Azure Outages Highlight Need to Understand Many Levels of SLAs; More MOVEit Users Found to be Compromised; Windows App Isolation Will Require Tuning and Training but Can Raise the Security Bar

June 20, 2023  |  Volume XXV - Issue #49

Top of the News


2023-06-19

Microsoft Says Cloud Portal Outages Were Due to DDoS Attacks

In a June 16 blog post, Microsoft revealed that recent cloud outages were caused by Layer 7 distributed denial-of-service (DDoS) attacks. Microsoft’s Outlook.com, OneDrive, and Azure Cloud portals suffered outages earlier this month. At the time, Microsoft said they were “applying load balancing processes in order to mitigate the issue.”

Editor's Note

It is very difficult to protect highly interactive web applications with a global user base from a DDoS attack. But it is somewhat surprising that a large provider like Microsoft can be impacted by a DDoS attack initiated by a rather "random/unknown" group.

Johannes Ullrich

Timely post, since Microsoft’s data shows July and August for some reason are the top months for DDoS attacks hitting Azure services. This is an area where cloud services and service-level agreements (SLAs) are quite complicated, especially for Infrastructure as a Service. An attack against Azure is one thing, an attack against your resources on Azure may be a totally different issue. For example, Microsoft’s guide to SLAs for its online services is 99 pages long; Azure SLAs take up 70 pages alone. There are add-on fee-based DDoS protection services at the IP address level and the overall network level, as well as fee-based Azure Web App Firewall services – and all those have their own SLAs. Some of the DDoS SLAs cover the costs of increasing resources to maintain performance, sometimes not. All SLAs essentially only provide some cost relief vs. any guarantee of uptime. Make sure your procurement and legal teams have researched applicable SLAs and that a conscious decision has been made about the need for backup/switchover capabilities vs. just living with any outage time.

John Pescatore

Takes a lot of guts to publicly reveal a shortfall; kudos to Microsoft for sharing what happened and how to improve. Microsoft had DDoS protections dialed in for a layer 3 or 4 attack. Subsequently Microsoft turned up their protections at layer 7. There is no such thing as being completely immune to DDoS attacks, but the lessons learned from Microsoft can help you raise the bar and weather the storm. Make sure that both you and your CDN have protections in place, such as a WAF, configured with the latest DDoS configuration your provider offers.

Lee Neely

Expect this to be the first of many in the news. This is bound to happen as we consolidate providers. You have to wonder if AWS ever has a DDoS against us-east-1.

Moses Frost

No real surprise here: it was a DDoS attack on Azure applications. MSFT recommends using a web application firewall, at an additional cost, to mitigate this sort of attack. Given that additional costs are involved, probably a good time to review the service level agreement to adjudicate responsibility to maintain service uptime.

Curtis Dukes

2023-06-16

More MOVEit Attack Victims Emerge

More organizations are disclosing that their networks have been compromised through vulnerabilities in Progress MOVEit file transfer software. Breaches have affected agencies that issue driver’s licenses and state ID cards in Louisiana and Oregon; the US Department of Energy; Aer Lingus; Ireland’s Health Service Executive; the BBC; British Airways; Nova Scotia’s government; and the American Board of Internal Medicine.


2023-06-17

Windows 11 Win32 App Isolation is in Preview

The Windows 11 Win32 App Isolation security feature is now in public preview. Microsoft writes, “Win32 app isolation is built on the foundation of AppContainers (and more). AppContainers are specifically designed to encapsulate and restrict the execution of processes, helping to ensure they operate with limited privileges, commonly referred to as low integrity levels.”

The Rest of the Week's News


2023-06-19

Hackers Exploited Another Telerik Vulnerability to Access US Federal Government Agency’s IIS Web Server

In April, hackers exploited a six-year-old Telerik vulnerability to access a Microsoft Internet Information Services (IIS) web server at a federal civilian agency. The information was included in a US Cybersecurity and Infrastructure Security Agency (CISA) update to a March 2023 alert warning that multiple threat actors had been exploiting a different Telerik vulnerability to access a different agency’s IIS server.

Editor's Note

The successful exploit involved leveraging CVE-2019-18935 in conjunction with CVE-2017-11357 or CVE-2017-11317, which are flaws that should have been patched long ago. Whether or not you already have a robust patching process, make sure that you have an accurate inventory and that updates are applied in a timely fashion. Not a bad idea to conduct a vulnerability assessment regularly, particularly on Internet-facing servers and services, to be sure you're good to go.

Lee Neely

The good news is that forensic analysis, looking for another Telerik vulnerability, found an exploit that had been lurking around for almost six years. The really, really bad news is that a patch for the underlying vulnerability had been available for … six years. This article highlights three core cybersecurity controls: 1) the importance of patch management; 2) maintaining, updating in this case, software applications; and, 3) continuous logging and monitoring of your network.

Curtis Dukes

Why do you need to burn through a brand new 0-day, or very recently disclosed bug, ahem MOVEit, when a 6-year-old bug does the trick?

Moses Frost

2023-06-16

Polish Police Arrest Two in Connection with Booter Service

Police in Poland have conducted 10 searches and arrested two individuals in connection with a distributed denial-of-service (DDoS) attack-for-hire service. This particular service (also known as a booter or stresser service) has been active for at least a decade. The arrests are part of a larger operation involving Europol, the FBI, and law enforcement agencies in Belgium, the Netherlands, and Germany.


2023-06-19

Western Digital: Update NAS Firmware if You Want to Access Cloud Services

On June 15, Western Digital began blocking devices running unpatched firmware from accessing its cloud services. Western Digital released firmware updates to address multiple vulnerabilities in mid-May. Among the issues those updates address is a critical path traversal vulnerability that affects Western Digital’s My Cloud Home, My Cloud Home Duo, SanDisk ibi, and My Cloud OS 5 devices. Users are being urged to install firmware versions 5.26.202 / 9.4.1-101 or later.


2023-06-16

Johns Hopkins Health System Experiences Cyberattack

Johns Hopkins Health System says it “is investigating a recent cybersecurity attack targeting a widely used software tool that affected our networks, as well as thousands of other large organizations around the world.” The incident occurred on May 31; Johns Hopkins is working with law enforcement and third-party cyber experts to determine the effects of the breach.


2023-06-16

Genetic Testing Firm Faces FTC Action Over Inadequate Data Protection

Under a proposed US Federal Trade Commission (FTC) consent order, genetic testing company 1health.io will make changes to the way it handles data and pay a $75,000 penalty. According to the FTC, 1health.io “left sensitive genetic and health data unsecured, deceived consumers about their ability to get their data deleted, and changed its privacy policy retroactively without adequately notifying and obtaining consent from consumers whose data the company had already collected.”


2023-06-19

Des Moines (Iowa) Public Schools Says Data Stolen in Ransomware Attack

The largest school district in the US state of Iowa has disclosed that it was the victim of a ransomware attack that it detected in January 2023. The incident caused the district to cancel school for two days. Des Moines Public Schools also said that the attackers stole data from their systems. This week, the district will begin notifying the 6,700 affected individuals that their data were compromised.


2023-06-19

Fixes Available for ASUS Router Vulnerabilities

ASUS is urging users to update their devices with firmware that includes cumulative security updates to fix vulnerabilities in several of its router models. The new firmware addresses nine vulnerabilities, including a critical memory corruption issue and a critical out-of-bounds write issue. The latter vulnerability is nearly five years old. If installing the updates is not an option, ASUS “strongly recommend[s] disabling services accessible from the WAN side to avoid potential unwanted intrusions.”

Internet Storm Center Tech Corner