Microsoft mitigated a record 3.47 Tbps DDoS attack

Microsoft says it encountered and successfully mitigated the largest Distributed Denial of Service (DDoS) attack on record in November 2021, when an adversary tried to take down a customer’s Azure services.

The incident involved an unnamed customer in Asia who uses Microsoft’s Azure cloud computing service. The attacker harnessed 10,000 computers across the globe, including in the US, China, South Korea, Russia, Thailand, India, Vietnam, Iran, Indonesia, and Taiwan, to generate a massive 3.47 Tbps DDoS attack at a packet rate of 340 million packets per second (pps). The attack lasted 15 minutes.

“Attack vectors were UDP reflection on port 80 using Simple Service Discovery Protocol (SSDP), Connection-less Lightweight Directory Access Protocol (CLDAP), Domain Name System (DNS), and Network Time Protocol (NTP) comprising one single peak”, Microsoft added.
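The vectors Microsoft names share one trait a defender can key on: reflected traffic arrives *from* the reflector’s service port (SSDP 1900, CLDAP 389, DNS 53, NTP 123) rather than from an ephemeral port. The following is an added example, not Microsoft’s Azure DDoS protection code: it buckets constructed NetFlow-style records by destination and time window, counts reflected packets per vector, and raises an alert when the packet rate and the number of distinct reflectors both cross thresholds. The flow records, the thresholds (deliberately tiny so the sample triggers) and the reading of “port 80” as the victim-side destination port are all assumptions of the example.

```python
"""Flag UDP reflection floods in NetFlow-style records by reflector source port.

Added illustration, not Microsoft's Azure DDoS protection logic. The flow
records below are constructed; the thresholds are deliberately tiny so the
sample triggers and are not production values.
"""
from collections import defaultdict
from dataclasses import dataclass

# Service ports of the reflector types named in Microsoft's report.
REFLECTION_PORTS = {1900: "SSDP", 389: "CLDAP", 53: "DNS", 123: "NTP"}
UDP, TCP = 17, 6


@dataclass(frozen=True)
class Flow:
    ts: float      # flow start time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    packets: int
    octets: int


def classify(flow):
    """Name the reflection vector for a UDP flow sourced from an amplifier port, else None.

    The reflector answers a spoofed request, so its reply comes *from* the
    service port; that source port is what identifies the vector.
    """
    if flow.proto != UDP:
        return None
    return REFLECTION_PORTS.get(flow.sport)


def aggregate(flows, window=1.0):
    """Per (destination, time slot): packets, octets, distinct reflectors, packets per vector."""
    buckets = defaultdict(lambda: {"packets": 0, "octets": 0,
                                   "reflectors": set(), "vectors": defaultdict(int)})
    for f in flows:
        vector = classify(f)
        if vector is None:
            continue
        b = buckets[(f.dst, int(f.ts // window))]
        b["packets"] += f.packets
        b["octets"] += f.octets
        b["reflectors"].add(f.src)
        b["vectors"][vector] += f.packets
    return buckets


def detect(flows, window=1.0, min_pps=1000, min_reflectors=3):
    """Return one alert per (destination, slot) whose reflected traffic exceeds both thresholds."""
    alerts = []
    for (dst, slot), b in sorted(aggregate(flows, window).items()):
        pps = b["packets"] / window
        if pps >= min_pps and len(b["reflectors"]) >= min_reflectors:
            alerts.append({
                "dst": dst,
                "window_start": slot * window,
                "pps": pps,
                "bps": b["octets"] * 8 / window,
                "reflectors": len(b["reflectors"]),
                "vectors": dict(b["vectors"]),
            })
    return alerts


# Constructed sample: four reflector types hitting one victim's port 80 inside the
# same one-second slot, one ordinary DNS reply, and a TCP flow that must not count.
SAMPLE_FLOWS = [
    Flow(0.1, "198.51.100.1", 1900, "203.0.113.10", 80, UDP, 600, 600 * 1400),
    Flow(0.2, "198.51.100.2", 389, "203.0.113.10", 80, UDP, 500, 500 * 1400),
    Flow(0.3, "198.51.100.3", 123, "203.0.113.10", 80, UDP, 400, 400 * 440),
    Flow(0.4, "198.51.100.4", 53, "203.0.113.10", 80, UDP, 300, 300 * 1200),
    Flow(0.5, "192.0.2.53", 53, "203.0.113.20", 51515, UDP, 1, 120),
    Flow(0.6, "198.51.100.9", 1900, "203.0.113.10", 80, TCP, 5000, 5000 * 60),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

Requiring several distinct reflectors before alerting keeps a single busy DNS or NTP server from tripping the rule; in production the same aggregation would run over sampled flow export at the network edge, with thresholds set from the victim’s normal baseline rather than the toy values used here.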

This traffic volume exceeds that of two other DDoS attacks that occurred in December 2021, both in Asia: one was over 2.5 Tbps, and the other was 3.25 Tbps.

Microsoft appears to have mitigated all three attacks without incident.

Read more about it here.

Google Docs commenting feature exploited for phishing

Researchers from security firm Avanan uncovered, in December 2020, a phishing campaign using a new technique that abuses the commenting feature of Google Docs to send out malicious emails. Google Docs is widely used by people working or collaborating remotely, so most recipients of these emails are familiar with Google’s notification messages and have little reason to distrust them.

The attackers use a Google account to create a Google Document and then add a comment to it that mentions the target with an @. Google then sends an email notification to the target’s inbox, informing them that another user has commented on a document and mentioned them. The comment reproduced in the notification can contain malicious links that lead to a malicious or phishing website. These phishing emails bypass email security checkpoints because they come from a trusted source, Google. To make matters worse, the attacker’s email address isn’t shown in the notification; the recipient only sees a display name. This makes impersonation very easy and raises the attackers’ chances of success.

The researchers reported the same outcome when attempting to exploit Google Slides, Google Suite’s presentation app.

What users can do:

  • Avoid clicking on links that arrive via email and are embedded in comments
  • Confirm that the sender’s email address matches that of your colleague (or whoever the sender claims to be)
  • If unsure, reach out to the sender and confirm they meant to share that document
  • Deploy additional security measures that apply stricter file-sharing rules on Google Suite
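The first two items above can be automated at the mail gateway or in a user-side triage tool. The following is an added example (not Avanan’s or Google’s code) that parses a constructed comment-notification email, separates the attacker-controlled display name from the actual sender address, and lists every link in the comment body that points outside the host where the document is expected to live. The sample message, the sender address, the set of expected link hosts and the document link are all placeholders assumed by the example, not the real notification format.

```python
"""Triage a document-comment notification email before trusting the links in it.

Added illustration for the user checks listed above, not Avanan's or Google's
code. The message is constructed; the sender address, the allow-listed hosts
and the document link are placeholders, not the real notification format.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts a comment notification is expected to link to (assumption of this example).
EXPECTED_LINK_HOSTS = {"docs.google.com"}


class LinkCollector(HTMLParser):
    """Collect every href found in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(raw_message):
    """Parse the message and return (message, list of hrefs in its HTML or text body)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    if body is not None:
        collector.feed(body.get_content())
    return msg, collector.links


def triage(raw_message, expected_hosts=EXPECTED_LINK_HOSTS):
    """Report the display name vs. the real sender address, and links leaving the expected hosts.

    The display name is whatever the commenter typed into their account, so it
    proves nothing; the address and the link targets are what to check.
    """
    msg, links = extract_links(raw_message)
    display_name, address = parseaddr(str(msg["From"]))
    external = [u for u in links
                if (urlsplit(u).hostname or "").lower() not in expected_hosts]
    return {
        "display_name": display_name,
        "sender_address": address,
        "links": links,
        "external": external,
        "verdict": "review" if external else "ok",
    }


# Constructed sample notification: a familiar-looking name, a lure link inside the
# quoted comment, and the ordinary "open the document" link.
SAMPLE_EMAIL = """\
From: "Jane Colleague via Google Docs" <comment-notification@example.invalid>
To: victim@example.com
Subject: Jane Colleague mentioned you in "Q4 budget"
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Jane Colleague mentioned you in a comment:</p>
<blockquote>@victim please check the updated figures here:
<a href="http://login.example.net/verify">updated figures</a></blockquote>
<p><a href="https://docs.google.com/document/d/EXAMPLE-ID/edit">Open document</a></p>
</body></html>
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

The verdict deliberately ignores the display name: a notification whose only links stay on the expected document host can be opened, while any link that leaves it (here the lure pointing at `login.example.net`) is the part that deserves the out-of-band confirmation the list recommends.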

Read more about it here.

FTC warns of legal action against companies failing to remediate Log4j

The US Federal Trade Commission issued a warning that it will take legal action against companies that fail to remediate the recent Log4j vulnerability.

“When vulnerabilities are discovered and exploited, it risks a loss or breach of personal information, financial loss, and other irreversible harms. The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act. It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.”

The post adds: “According to the complaint in Equifax, a failure to patch a known vulnerability irreversibly exposed the personal information of 147 million consumers… The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.”

The FTC recommends companies use the Cybersecurity and Infrastructure Security Agency (CISA) guidance, and:

  • Update the Log4j software package to the most current version found here.
  • Consult CISA guidance to mitigate this vulnerability.
  • Ensure remedial steps are taken so that your company’s practices do not violate the law. Failure to identify and patch instances of this software may violate the FTC Act.
  • Distribute this information to any relevant third-party subsidiaries that sell products or services to consumers who may be vulnerable.
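The “identify and patch instances” step is the hard part in practice, because Log4j is rarely installed on its own: it ships inside application JARs and is frequently bundled a second time inside WAR or EAR archives. The following is an added example (not FTC or CISA tooling) that walks a directory tree, opens every archive, descends into nested archives, reads the Maven `pom.properties` marker that log4j-core JARs carry, and reports each copy with its version. The sample archives are constructed in a temporary directory with made-up version strings, and the minimum acceptable version is a parameter you set from the current Apache Log4j release notes, not a value this example supplies.

```python
"""Inventory log4j-core copies under a directory tree, including ones nested in WAR/EAR files.

Added illustration, not FTC or CISA tooling. The archives built by demo() are
constructed fakes with made-up versions; set `minimum` from the current Log4j
release notes.
"""
import io
import os
import re
import tempfile
import zipfile

# Maven marker present in log4j-core JARs; it records the artifact version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """Return the version= value from a pom.properties body, or None if absent."""
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "version":
            return value.strip()
    return None


def version_key(version):
    """Numeric tuple for ordering; non-numeric suffixes such as '-rc1' are dropped."""
    return tuple(int(re.match(r"\d*", part).group() or 0) for part in version.split("."))


def scan_archive(data, label, findings):
    """Look inside archive bytes for the log4j-core marker, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = zf.namelist()
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            findings.append({"path": label, "version": parse_version(props)})
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                scan_archive(zf.read(name), f"{label}!{name}", findings)


def scan_tree(root):
    """Scan every archive below root; nested copies are labelled outer!inner."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), os.path.relpath(path, root), findings)
    return findings


def outdated(findings, minimum):
    """Copies below the minimum version, plus any whose version could not be read."""
    return [f for f in findings
            if f["version"] is None or version_key(f["version"]) < version_key(minimum)]


def build_fake_log4j(path, version, nested_name=None):
    """Write a constructed archive mimicking a log4j-core JAR, or a WAR bundling one."""
    props = f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(POM_PROPS, props)
    if nested_name is None:
        with open(path, "wb") as fh:
            fh.write(inner.getvalue())
    else:
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr(nested_name, inner.getvalue())


def demo(minimum="5.0.0"):
    """Build a constructed tree (versions and threshold are made up) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lib"))
        build_fake_log4j(os.path.join(root, "lib", "log4j-core-2.1.0.jar"), "2.1.0")
        build_fake_log4j(os.path.join(root, "app.war"), "9.9.9", "WEB-INF/lib/log4j-core.jar")
        with zipfile.ZipFile(os.path.join(root, "lib", "other.jar"), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")  # unrelated JAR
        findings = scan_tree(root)
        return findings, outdated(findings, minimum)


if __name__ == "__main__":
    found, bad = demo()
    for f in found:
        print(("OUTDATED " if f in bad else "ok       ") + f"{f['path']} {f['version']}")
```

Copies the scanner cannot version (no `pom.properties`, for instance a repackaged or shaded JAR) are reported as outdated on purpose, so they land on the review list instead of silently passing; the label format `app.war!WEB-INF/lib/log4j-core.jar` tells the owner exactly which bundle to rebuild.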

Read more about it here.