Innofactor Cybersecurity Studio – Week 39

Innofactor’s Cybersecurity Consultants Janne Nevalainen and Marcus Söderblom discuss the most topical cybersecurity news from all over the globe in our monthly Cybersecurity Studio. This week’s episode covers news from week 39.

For your convenience, Cybersecurity Studio is available in three formats: video, podcast, and blog post. Here’s a look at the cybersecurity topics to be covered this time:

• A record-breaking DDoS attack
• Hackers tire out victims with MFA fatigue
• Domain shadowing is very sneaky
• Russia is planning massive cyberattacks
• A 15-year-old Python vulnerability
• Future of ransomware: corrupting files?

2022 has been a year of DDoS attacks – and this one was record-breaking!

Cybersecurity company Imperva has disclosed a record-breaking DDoS attack, which lasted for four hours! The attack resulted in 25 billion requests. DDoS stands for Distributed Denial of Service. In these types of attacks, the perpetrator makes a machine or network resource unavailable to its intended users by disrupting services of a host connected to a network.

What’s unusual about this particular attack is the length of it. A DDoS attack usually lasts for a few seconds or minutes, not hours.

Controlled by a massive botnet, the attack was spread across 180 countries and included over 170,000 IP addresses. Generally, DDoS attacks have been growing in number during 2022.

Hackers tire out their victim with MFA Fatigue

In order to make logging in processes as secure as possible, many businesses have adopted MFA (multifactor authentication) – which is great news! Less surprisingly, hackers have created various methods for bypassing MFA, such as stealing cookies through malware, or man-in-the-middle phishing attack frameworks.

But there is an even easier way for bypassing MFA: a social engineering technique called 'MFA Fatigue', aka 'MFA push spam'. This method has been growing more popular, as it doesn’t require any malware or phishing infrastructure.

The logic behind MFA fatigue is truly simple: to obtain log-in credentials for a target account, by one way or another, and then tire out the owner by sending out an endless stream of MFA push requests, hoping that the owner gets overwhelmed and approves one of the requests. In some of the attacks, the hacker even contacts the user, for example over the phone, pretending to be IT support and trying to convince the user to accept the MFA prompt.

Domain shadowing is very sneaky

Domain shadowing is a stealthier – and sneakier – version of DNS hijacking, and it has become more popular among cybercriminals.

In a nutshell, the trick goes like this: The criminal compromises the DNS of a legitimate domain to host its own subdomains for malicious activity without modifying the existing, legitimate DNS entries. The newly created subdomains are then used to create malicious pages, such as phishing pages, on the cybercriminals' servers.

The original domain's web pages and DNS records remain unchanged, and the owner doesn’t have a clue that they have been breached – unless they specifically check their DNS.

Russia prepares massive cyberattacks against the West

According to the Ukrainian military intelligence service, Russia is planning significant cyberattacks against Ukraine and its Western allies. The attacks will be aimed at critical infrastructure, such as electric grids and facilities of the energy industry.

The Kremlin is also said to be increasing the intensity of DDoS (Distributed Denial of Service) attacks on the critical infrastructure of Poland and the Baltic states, which are Ukraine’s closest allies.

As such, Russia initiating cyberattacks is nothing new. However, the scale of the expected attacks is something to beware of.

“It’s not a bug, it’s a feature” – A 15-year-old Python vulnerability rediscovered

A security flaw in a Python module has potentially endangered up to 350,000 open source projects. A particularly disturbing factor with this vulnerability is that it was originally found in 2007, disclosed as “a feature”, and then left unpatched for 15 years!

The vulnerability can be exploited when a victim untars a specifically named file, which, in turn, allows the attacker to overwrite arbitrary files, such as password files, in the target system. Luckily – and perhaps somewhat surprisingly – the vulnerability hasn’t been exploited, even though cyberattacks were given more than enough time to conduct any criminal activity.

The research team who found the bug have now been working on a fix.

Future of ransomware: corrupting instead of encrypting files?

For many years now, ransomware has been the most significant and widespread type of cyberattack out there. Originally, ransomware attacks started out as scams where individual users were being tricked into paying fictitious fines, but nowadays the attacks have evolved into organized criminal activity which impacts all types of organizations and even entire nations.

Recently, a new wave of ransomware attacks was discovered by cybersecurity experts where known ransomware actors chose to destroy files instead of encrypting them. Destroying files might sound odd, but at least few possible explanations can be reasoned:

• Data encryption can be detected by EDRs (endpoint protection tools)
• Encrypting files is more resource-intensive than destroying them

However, one question remains to be answered: how do criminals monetize this?

We don’t have any actual data, but further blackmailing is definitely one possible scenario. The attacker might, for instance, announce that they will destroy another 100,000 files on top of the lost ones – unless a compensation is paid. It remains to be seen if these kinds of attacks evolve into a wider trend.

The full episode of Cybersecurity Studio – Week 39 is available.

Interested in the latest trends, topics, and techniques in the world of cybersecurity? Learn more by watching our webinars or dig deep into our cybersecurity offering by visiting our website!