ProtonMail / ProtonVPN DDoS Attacks Are a Case Study of What Happens When You Mock Attackers

For the past two days, secure email provider ProtonMail has been fighting off DDoS attacks that have visibly affected the company’s services, causing short but frequent outages at regular intervals.

“The attacks went on for several hours, although the outages were far more brief, usually several minutes at a time with the longest outage on the order of 10 minutes,” a ProtonMail spokesperson said describing the attacks.

The email provider claims to “have traced the attack back to a group that claims to have ties to Russia,” a statement that some news outlets took at face value and ran stories misleading readers into thinking this was some kind of nation-state-planned cyber-attack.

But in reality, the DDoS attacks have no ties to Russia, weren’t even planned in the first place, and the group behind the attacks denied being Russian, to begin with.

Small hacker group behind ProtonMail DDoS attacks

Responsible for the attacks is a hacker group named Apophis Squad. In a private conversation with Bleeping Computer today, one of the group’s members detailed yesterday’s chain of events.

The Apophis member says they targeted ProtonMail at random while testing a beta version of a DDoS booter service the group is developing and preparing to launch.

The group didn’t cite any reason outside “testing” for the initial and uncalled-for attack on ProtonMail, which they later revealed to have been a 200 Gbps SSDP flood, according to one of their tweets.

“After we sent the first attack, we downed it for 60 seconds,” an Apophis Squad member told us. He said the group didn’t intend to harass ProtonMail all day yesterday or today but decided to do so after ProtonMail’s CTO, Bart Butler, responded to one of their tweets calling the group “clowns.”

[Embedded tweet]

This was a questionable response on the part of the ProtonMail CTO, as it set the hackers against his company even more.

“So we then downed them for a few hours,” the Apophis Squad member said. Subsequent attacks included a whopping TCP-SYN flood estimated at 500 Gbps, as claimed by the group…

[Embedded tweet]

…and NTP and CLDAP floods, as observed by a security researcher at NASK and confirmed by another Apophis Squad member.

[Embedded tweet]

The attacks also continued today when the group launched another DDoS attack consisting of a TCP-SYN flood estimated at between 50 and 70 Gbps…

[Embedded tweet]

… and another CHARGEN flood estimated at 2 Gbps.

[Embedded tweet]

Radware, the company which was involved in mitigating the attacks on ProtonMail’s infrastructure, could not confirm the 500 Gbps DDoS attack at the time of writing but confirmed the multi-vector assault.

“We can’t confirm attack size as it varied at different points in the attack,” a Radware spokesperson said. “However we can confirm that the attack was a high volumetric, multi-vector attack. It included several UDP reflection attacks, multiple TCP bursts, and Syn floods.”
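The two attack classes Radware names, UDP reflection and SYN floods, leave distinctive fingerprints in flow data: reflection traffic arrives from many unrelated hosts all answering from one well-known service port (NTP 123, SSDP 1900, CLDAP 389, CHARGEN 19) with oversized replies, while a SYN flood is a swarm of single-packet SYN-only flows from (usually spoofed) sources that never complete a handshake. The following is an added example, written for this page and not code from the article, Radware or ProtonMail, that runs that logic over a small set of constructed flow records; the record format, thresholds and the approximate amplification factors (taken from published measurements such as US-CERT alert TA14-017A) are assumptions to tune for a real collector export.

```javascript
// Reflection vectors named in the article, keyed by the abused service's UDP
// port. Amplification factors are approximate published figures (US-CERT
// TA14-017A and later reports) and are only used to estimate attacker bandwidth.
const REFLECTION_VECTORS = {
  19: { name: "CHARGEN", amplification: 358 },
  53: { name: "DNS", amplification: 28 },
  123: { name: "NTP", amplification: 556 },
  389: { name: "CLDAP", amplification: 56 },
  1900: { name: "SSDP", amplification: 30 },
  11211: { name: "Memcached", amplification: 10000 },
};

// Flow record format assumed here (constructed, not a real collector export):
// proto src sport dst dport bytes packets tcpflags
function parseFlows(text) {
  return text.trim().split("\n").map((line) => {
    const [proto, src, sport, dst, dport, bytes, packets, flags] = line.trim().split(/\s+/);
    return { proto, src, sport: +sport, dst, dport: +dport, bytes: +bytes, packets: +packets, flags };
  });
}

// UDP reflection: many distinct reflectors answering from one well-known
// service port towards the same victim, with a large total volume.
// Thresholds are assumptions to be tuned per network.
function detectReflection(flows, { minSources = 3, minBytes = 100000 } = {}) {
  const groups = new Map();
  for (const f of flows) {
    if (f.proto !== "udp" || !(f.sport in REFLECTION_VECTORS)) continue;
    const key = `${f.dst}|${f.sport}`;
    const g = groups.get(key) || { target: f.dst, sport: f.sport, sources: new Set(), bytes: 0, packets: 0 };
    g.sources.add(f.src); g.bytes += f.bytes; g.packets += f.packets;
    groups.set(key, g);
  }
  const findings = [];
  for (const g of groups.values()) {
    if (g.sources.size < minSources || g.bytes < minBytes) continue;
    const v = REFLECTION_VECTORS[g.sport];
    findings.push({
      type: "udp_reflection", vector: v.name, target: g.target,
      reflectors: g.sources.size, bytes: g.bytes,
      avgPacketBytes: Math.round(g.bytes / g.packets),
      // Rough attacker-side volume: observed bytes divided by the amplification factor.
      estimatedSpoofedBytes: Math.round(g.bytes / v.amplification),
    });
  }
  return findings;
}

// SYN flood: many distinct sources each sending single-packet SYN-only flows
// to one victim port and never completing the handshake.
function detectSynFlood(flows, { minSources = 3 } = {}) {
  const groups = new Map();
  for (const f of flows) {
    if (f.proto !== "tcp" || f.flags !== "S" || f.packets !== 1) continue;
    const key = `${f.dst}:${f.dport}`;
    const g = groups.get(key) || { target: key, sources: new Set(), packets: 0 };
    g.sources.add(f.src); g.packets += f.packets;
    groups.set(key, g);
  }
  return [...groups.values()]
    .filter((g) => g.sources.size >= minSources)
    .map((g) => ({ type: "syn_flood", target: g.target, sources: g.sources.size, packets: g.packets }));
}

// Constructed sample: NTP and CLDAP reflection plus a SYN flood against
// 198.51.100.5, alongside an ordinary DNS reply and a normal TCP session.
const SAMPLE_FLOWS = `
udp 203.0.113.10 123 198.51.100.5 40123 46800 100 -
udp 203.0.113.11 123 198.51.100.5 40123 46800 100 -
udp 203.0.113.12 123 198.51.100.5 40123 46800 100 -
udp 203.0.113.20 389 198.51.100.5 51000 300000 100 -
udp 203.0.113.21 389 198.51.100.5 51000 300000 100 -
udp 203.0.113.22 389 198.51.100.5 51000 300000 100 -
udp 203.0.113.50 53 198.51.100.5 34567 120 1 -
tcp 203.0.113.60 44444 198.51.100.5 443 60 1 S
tcp 203.0.113.61 44445 198.51.100.5 443 60 1 S
tcp 203.0.113.62 44446 198.51.100.5 443 60 1 S
tcp 192.0.2.7 50000 198.51.100.5 443 5200 12 SA
`;

// Runs both detectors over a flow export and returns the combined findings.
function analyse(text = SAMPLE_FLOWS) {
  const flows = parseFlows(text);
  return [...detectReflection(flows), ...detectSynFlood(flows)];
}

console.log(analyse());
```

On the sample the NTP group is flagged with an average reply of 468 bytes (the size of an NTP monlist response fragment) and the CLDAP group with 3,000-byte replies, while the single small DNS answer and the completed TCP session pass; the lone DNS reply is exactly the kind of legitimate traffic a port-only rule would misfire on, which is why the source-count and volume thresholds matter more than the port match.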

In addition to targeting ProtonMail, the group also targeted Tutanota, for unknown reasons, but these attacks stopped shortly after. Tutanota execs not goading the hackers might have played a role.

Hackers deny Russian connection

The Apophis Squad group is by no means a sophisticated threat. They are your typical 2018 hacker group that hangs out in Discord channels and organizes DDoS attacks for, sometimes, childish reasons.

The group is currently developing a DDoS booter service, which they were advertising prior to yesterday’s attacks on Twitter and on Discord, claiming to be able to launch DDoS attacks using protocols such as NTP, DNS, SSDP, Memcached, LDAP, HTTP, CloudFlare bypass, VSE, ARME, Torshammer, and XML-RPC.

Their Twitter timeline claims the group is based in Russia, and so does their domain, but in a private conversation the group said this wasn’t accurate.

“We aint russian [sic],” the group told us.

“We believe the attackers to be based in the UK,” a Radware spokesperson told Bleeping Computer via email today.

If the ProtonMail DDoS attack later proves to have been 500 Gbps, it will be one of the biggest DDoS attacks recorded, following similar DDoS attacks of 1.7 Tbps (against a yet to be named US service provider) and 1.3 Tbps (against GitHub).

Source: ProtonMail DDoS Attacks Are a Case Study of What Happens When You Mock Attackers

Every Android Device Since 2012 Impacted by RAMpage Vulnerability

Almost all Android devices released since 2012 are vulnerable to a new vulnerability named RAMpage, an international team of academics has revealed today.

The vulnerability, tracked as CVE-2018-9442, is a variation of the Rowhammer attack.

Rowhammer is a hardware bug in modern DRAM chips. A few years back researchers discovered that repeatedly accessing the same row of memory cells in quick succession causes electrical interference that leaks charge from cells in physically adjacent rows, flipping bits stored there without ever writing to them.

In the following years, researchers showed that Rowhammer-like attacks affected personal computers, virtual machines, and Android devices. Through further research, they also found they could trigger Rowhammer bit flips from JavaScript code, from GPUs, and with network packets.

RAMpage is the latest Rowhammer attack variation

The first Rowhammer attack on Android devices was named Drammer, and it could modify data on Android devices and root Android smartphones. Today, researchers expanded on that initial work.

According to a research paper published today, a team of eight academics from three universities and two private companies revealed a new Rowhammer-like attack on Android devices named RAMpage.

“RAMpage breaks the most fundamental isolation between user applications and the operating system,” researchers said. “While apps are typically not permitted to read data from other apps, a malicious program can craft a RAMpage exploit to get administrative control and get hold of secrets stored in the device.”

“This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents,” the research team said.

RAMpage may also impact Apple devices, PCs, and VMs

Research into the RAMpage vulnerability is still in its early stages, but the team says the attack can take over Android-based smartphones and tablets.

The research team also believes RAMpage may affect Apple devices, home computers, or even cloud servers.

Source: Every Android Device Since 2012 Impacted by RAMpage Vulnerability

This popular Facebook app publicly exposed your data for years

Nametests.com, the website behind the quizzes, recently fixed a flaw that publicly exposed information of their more than 120 million monthly users — even after they deleted the app. At my request, Facebook donated $8,000 to the Freedom of the Press Foundation as part of their Data Abuse Bounty Program.

[…]

While loading a test, the website would fetch my personal information and display it on the webpage. Here’s where it got my personal information from:

http://nametests.com/appconfig_user

In theory, every website could have requested this data. Note that the data also includes a ‘token’ which gives access to all data the user authorised the application to access, such as photos, posts and friends.

I was shocked to see that this data was publicly available to any third-party that requested it.

In a normal situation, other websites would not be able to read this information: browsers enforce the same-origin policy, which stops a page on one site from reading responses it fetches from another. In this case, however, the data was wrapped in JavaScript, which is an exception to this rule.

Scripts are the one kind of resource a page may load from any other site and execute, and whatever a script defines becomes visible to the page that loaded it. Since NameTests served its users’ personal data inside a JavaScript file, virtually any website could include that file and read the data whenever a logged-in user visited.

To verify it would actually be that easy to steal someone’s information, I set up a website that would connect to NameTests and get some information about my visitor. NameTests would also provide a secret key called an access token, which, depending on the permissions granted, could be used to gain access to a visitor’s posts, photos and friends. It would only take one visit to our website to gain access to someone’s personal information for up to two months.
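The proof-of-concept described above, modelled as an added example (written for this page, not the author’s code or the NameTests application): the endpoint returns the logged-in user’s record as a JavaScript assignment, an attacker page includes it with a script tag, and the global it defines becomes readable. Beside it is an assumed hardened version, not the site’s actual fix, that returns plain JSON (a syntax error when executed as a script), refuses cross-site requests using the Origin and Sec-Fetch-Site headers modern browsers attach, and keeps the access token out of the response. The user record, cookie and header values are all constructed.

```javascript
// Constructed sample of the kind of record nametests.com/appconfig_user served
// for the logged-in user (all values made up for this example).
const SESSION_USER = {
  user_id: "100000000000001",
  name: "Alice Example",
  access_token: "EAAB-constructed-example-not-a-real-token",
};

const SITE_ORIGIN = "https://nametests.com";

// Vulnerable pattern (as described in the post): the user's data is returned
// as a JavaScript program that assigns it to a global. A <script src=...> on
// any site sends the NameTests cookies with the request, and the same-origin
// policy does not stop another origin from *executing* a script it loads.
function vulnerableAppConfigUser(req) {
  if (!req.cookies.session) return { status: 401, headers: {}, body: "" };
  return {
    status: 200,
    headers: { "content-type": "application/javascript" },
    body: `var userConfig = ${JSON.stringify(SESSION_USER)};`,
  };
}

// Hardened pattern (an assumed fix, not NameTests' actual patch): return plain
// JSON, which is a syntax error when executed as a script; refuse cross-site
// requests using the browser-supplied Origin / Sec-Fetch-Site headers; and
// keep the access token out of any endpoint an embeddable resource can reach.
function hardenedAppConfigUser(req) {
  if (!req.cookies.session) return { status: 401, headers: {}, body: "" };
  const origin = req.headers.origin;
  const site = req.headers["sec-fetch-site"];
  if ((origin && origin !== SITE_ORIGIN) || (site && site !== "same-origin")) {
    return { status: 403, headers: {}, body: "" };
  }
  const { access_token, ...publicFields } = SESSION_USER; // token deliberately dropped
  return {
    status: 200,
    headers: { "content-type": "application/json", "x-content-type-options": "nosniff" },
    body: JSON.stringify(publicFields),
  };
}

// Model of the attacker's page: it includes the endpoint with <script src>
// and then reads window.userConfig. Here the response body is executed as a
// script and the global it defines is returned; null means nothing leaked.
function attackerPageIncludesScript(response) {
  if (response.status !== 200) return null;
  try {
    const run = new Function(`${response.body}; return typeof userConfig === "undefined" ? null : userConfig;`);
    return run();
  } catch (e) {
    // A bare JSON object body throws a SyntaxError when run as a script.
    return null;
  }
}

// A request as a browser would issue it for a cross-site <script> include:
// the victim's session cookie is attached, and the fetch is marked cross-site.
const CROSS_SITE_REQUEST = {
  cookies: { session: "victim-session-cookie" },
  headers: { origin: "https://attacker.example", "sec-fetch-site": "cross-site" },
};

// Returns what the attacker page obtains before and after the fix.
function demo() {
  const leaked = attackerPageIncludesScript(vulnerableAppConfigUser(CROSS_SITE_REQUEST));
  const blocked = attackerPageIncludesScript(hardenedAppConfigUser(CROSS_SITE_REQUEST));
  return { leakedToken: leaked && leaked.access_token, leakedAfterFix: blocked };
}

console.log(demo());
```

The check that matters most is the first one: the vulnerable endpoint accepts a session cookie alone as proof of who is asking, and cookies are attached to cross-site script loads (in 2018 by default; today only when the cookie is marked SameSite=None), so authentication succeeds on the attacker’s behalf. Wrapping the data in JSON rather than a script assignment closes the read channel, and binding the endpoint to the site’s own origin closes the request channel, so even a browser that still sends the cookie gets nothing useful.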

Video proof:

An unauthorised website getting access to my Facebook information

As you can see in the video, NameTests would still reveal your identity even after deleting the app. In order to prevent this from happening, the user would have had to manually delete the cookies on their device, since NameTests.com does not offer a log out functionality.

Source: This popular Facebook app publicly exposed your data for years

All-Radio 4.27 Portable Can’t Be Removed? Then Your PC is Severely Infected

Starting yesterday, there have been numerous reports of people’s Windows computers being infected with something called “All-Radio 4.27 Portable”. After researching this, it has been determined that seeing this program is a symptom of a much bigger problem on your computer.

All-Radio 4.27 Portable
All-Radio 4.27 Portable

If your computer is suddenly displaying the above program, then your computer is infected with malware that installs rootkits, miners, information-stealing Trojans, and a program that is using your computer to send out spam.

Unfortunately, while some security programs are able to remove parts of the infection, the rootkit component needs manual removal help at this time. Due to this and the amount of malware installed, if you are infected I suggest that you reinstall Windows from scratch if possible.

If that is not an option, you can create a malware removal help topic in our Virus Removal forum in order to receive one-on-one help in cleaning your computer.

Furthermore, some of the VirusTotal scans associated with this infection have indicated that an information stealing Trojan could have been installed as well. Therefore, it is strongly suggested that you change your passwords using a clean machine if you had logged into any accounts while infected.

Source: All-Radio 4.27 Portable Can’t Be Removed? Then Your PC is Severely Infected

Adidas Reports Data Breach of a few million customers

Adidas AG said Thursday that a “few million” customers shopping on its U.S. website may have had their data exposed to an unauthorized party.

Neither the specific number of users affected nor the time frame of the potential breach were immediately disclosed, but the German sportswear maker said it became aware of the issue on Tuesday and has begun a forensic review.

Adidas said it is alerting “certain customers who purchased on adidas.com/US” and that, according to the company’s preliminary examination, the data affected include contact information, usernames and encrypted passwords.

“Adidas has no reason to believe that any credit card or fitness information of those consumers was impacted,” the company said.

Source: Adidas Reports Data Breach – WSJ

The International Space Station Has a New AI-Powered Bot: CIMON

Once aboard, CIMON—short for Crew Interactive MObile companioN—will assist the crew with its many activities. The point of this pilot project is to see if an artificially intelligent bot can improve crew efficiency and morale during longer missions, including a possible mission to Mars. What’s more, activities and tasks performed by ISS crew members are starting to get more complicated, so an AI could help. CIMON doesn’t have any arms or legs, so it can’t assist with any physical tasks, but it features a language user interface, allowing crew members to verbally communicate with it. The bot can display repair instructions on its screen, and even search for objects in the ISS. With a reduced workload, astronauts will hopefully experience less stress and have more time to relax.

CIMON with its development team prior to launch.
Image: DLR

CIMON was built by Airbus under a contract awarded by the German Aerospace Center (DLR). It has 12 internal fans, which allows the bot to move in all directions as it floats in microgravity. CIMON can move freely, and perform rotational movements such as shaking its head back-and-forth in disapproval. CIMON’s AI language and comprehension system is derived from IBM’s Watson Technology, and it responds to commands in English. CIMON cost less than $6 million to build, and less than two years to develop.

The pilot project will be led by DLR astronaut Alexander Gerst, who arrived on the ISS about a month ago. CIMON is already familiar with Gerst’s face and voice, so the bot will work best with him, at least initially. The German astronaut will use CIMON to see if the bot will increase his efficiency and effectiveness as he works on various experiments.

Indeed, with CIMON floating nearby, the ISS astronauts could easily call upon the bot for assistance, which they can do by calling out its name. They can request that CIMON display documents and media in their field of view, or record and playback experiments with its onboard camera. In general, the bot should speed up tasks on the ISS that require hands-on work.

The round robot features no sharp edges, so it poses no threat to equipment or crew. Should it start to go squirrely and use its best HAL-9000 imitation to say something like, “I’m sorry, Alexander, I’m afraid I can’t do that,” the bot is equipped with a kill switch. But hopefully it won’t come to that; unlike HAL, CIMON has been programmed with an ISTJ personality, meaning “introverted, sensing, thinking, and judging.” Its developers chose a face to make it more personable and relatable, and it can even sense the tone of the crew’s conversation. CIMON smiles when the mood is upbeat, and frowns or cries when things are sad. It supposedly behaves like R2D2, and can even quote famous sci-fi movies like E.T. the Extra-Terrestrial.

Source: The International Space Station’s New AI-Powered Bot Is Actually Pretty Cool

Why you should not use Google Cloud – it just turns your project off with no warning and no customer support!

We have a project running in production on Google Cloud (GCP) that is used to monitor hundreds of wind turbines and scores of solar plants scattered across 8 countries. We have control centers with wall-to-wall screens with dashboards full of metrics that are monitored 24/7. Asset Managers use this system to monitor the health of individual wind turbines and solar strings in real time and take immediate corrective maintenance. Development and Forecasting teams use the system to run algorithms on data in BigQuery. All these actions translate directly to revenue. We deal in a ‘wind/solar energy’ — a perishable commodity. If we over produce, we cannot store and sell later. If we under produce, there are penalties to be paid. For this reason assets need to be monitored 24/7 to keep up/down with the needs of the power grid and the power purchase agreements made.

What happened.

Early this morning (28 June 2018) I receive an alert from Uptime Robot telling me my entire site is down. I receive a barrage of emails from Google saying there is some ‘potential suspicious activity’ and all my systems have been turned off. EVERYTHING IS OFF. THE MACHINE HAS PULLED THE PLUG WITH NO WARNING.

[…]

Customer service chat is off. There’s no phone to call. I have an email asking me to fill in a form and upload a picture of the credit card and a government issued photo id of the card holder. Great, let’s wake up the CFO who happens to be the card holder.

We will delete project within 3 business days.

“We will delete your project unless the billing owner corrects the violation by filling out the Account Verification Form within three business days. This form verifies your identity and ownership of the payment instrument. Failure to provide the requested documents may result in permanent account closure.”

What if the card holder is on leave and is unreachable for three days? We would have lost everything — years of work — millions of dollars in lost revenue.

I fill in the form with the details and thankfully within 20 minutes all the services started coming alive. The first time this happened, we were down for a few hours. In all we lost everything for about an hour. An automated email arrives apologizing for ‘inconvenience’ caused. Unfortunately The Machine has no understanding of the ‘quantum of inconvenience’ caused.

[…]

This is the first project we built entirely on the Google Cloud. All our previous works were built on AWS. In our experience AWS handles billing issues in a much more humane way. They warn you about suspicious activity and give you time to explain and sort things out. They don’t kick you down the stairs.

I hope the GCP team is listening and changes things for the better. Until then I’m never building any project on GCP.

Source: Why you should not use Google Cloud. – Punch a Server – Medium

Over 10,000 troops from nine nations ready to meet global challenges in Joint Expeditionary Force led by UK

With the UK at the forefront as the framework nation, the JEF can now deploy over 10,000 personnel from across the nine nations.

Speaking at the event at Lancaster House today Defence Secretary Gavin Williamson said:

Our commitment today sends a clear message to our allies and adversaries alike – our nations will stand together to meet new and conventional challenges and keep our countries and our citizens safe and secure in an uncertain world.

We are judged by the company we keep, and while the Kremlin seeks to drive a wedge between allies old and new alike, we stand with the international community united in support of international rules.

Launched in 2015, the joint force has continued to develop so that it’s able to respond rapidly, anywhere in the world, to meet global challenges and threats ranging from humanitarian assistance to conducting high intensity combat operations.

The JEF, made up of the UK and eight northern European allies (Denmark, Estonia, Finland, Latvia, Lithuania, The Netherlands, Norway and Sweden), is more than a simple grouping of military capabilities. It represents the unbreakable partnership between the UK and our like-minded northern European allies, born from shared operational experiences and an understanding of the threats and challenges we face today.

In May this year, the JEF demonstrated its readiness with a live capability demonstration on Salisbury Plain. It featured troops from the nine JEF nations, including troops from the UK Parachute Regiment, the Danish Jutland Dragoon Regiment, the Lithuanian “Iron Wolf” Brigade and the Latvian Mechanised Infantry Brigade, which conducted urban combat operations with air support provided by Apaches, Chinooks, Wildcats and Tornados.

Source: Over 10,000 troops from nine nations ready to meet global challenges – GOV.UK

This is not a standing force: each time it deploys, the force is assembled by the participating countries deciding whether or not to commit their earmarked forces to the structure.