Weekly Cyber Reports

This Week in Cyber 3rd June 2024

Latest news and views from our Cyber Analysts

Written by Team Nucleus

Written on 2nd June, 2024


Analyst Insight

DDoSing might be back in style, with the CatDDoS botnet being identified as a significant threat and a new technique dubbed "DNSBomb" surfacing alongside it. On top of that, a colossal botnet known as "911 S5" has had its owner arrested and its services taken down; the botnet operated devices behind nearly 19 million unique IP addresses. The infamous BreachForums we talked about recently has inexplicably reappeared on the clearweb after a US-led seizure of its infrastructure, sparking rumours of a law enforcement honeypot. A sophisticated cybercrime group features in a Microsoft advisory for its extensive gift card fraud, launched through email and SMS phishing. Finally, we saw concerns over credential stuffing raised by Okta, which has issued an advisory on mitigating the threat to its services.


CatDDoS Botnet and DNSBomb DDoS Attack Technique

Cybersecurity researchers have identified a significant threat from the CatDDoS botnet, which has exploited over 80 known security flaws in various software over the past three months. This botnet, documented as a Mirai variant, has co-opted vulnerable devices from vendors like Cisco, Huawei, and NETGEAR to launch distributed denial-of-service (DDoS) attacks. The CatDDoS malware, known for its cat-themed command-and-control (C2) domains, primarily targets regions such as China, the U.S., and Europe. Notably, it uses the ChaCha20 algorithm for encrypted C2 communications, sharing key/nonce pairs with other DDoS botnets like hailBot and VapeBot. The botnet's source code was sold in late 2023, leading to the emergence of new variants such as RebirthLTD and Komaru.


In addition to the CatDDoS threat, a new "pulsing" denial-of-service (PDoS) attack technique, dubbed DNSBomb (CVE-2024-33655), has been uncovered. DNSBomb leverages legitimate DNS features (query timeouts, retries and response aggregation) to amplify queries by up to 20,000 times, creating periodic bursts of high-volume traffic that overwhelm target systems. The technique involves IP-spoofing multiple DNS queries to a domain the attacker controls, then having the responses aggregate and release as a single concentrated flood.


Wing Security Research into Concerns over Weak Offboarding

A recent study by Wing Security has raised concerns about weak offboarding practices, revealing that 63% of businesses may still allow former employees to access organizational data and retain login information. In an era of increasing SaaS application use, ineffective offboarding poses significant insider threats, including data breaches, intellectual property theft, and regulatory non-compliance.


This issue is exacerbated by recent mass layoffs affecting over 80,000 tech employees. With each employee using an average of 29 different SaaS applications, manual offboarding has become increasingly time-consuming. While automated safeguards can alleviate some of these problems, errors will still occur. Effective oversight and monitoring of decommissioned accounts are crucial for identifying these errors and detecting potential security incidents.
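The Wing Security findings above come down to two checks a defender can automate: is each leaver's account actually disabled in every SaaS application, and has any leaver's account been used after their termination date. The script below is an added example, not part of the Wing Security report or this post; the HR leaver list and the per-application account exports are constructed sample data with an assumed schema (`user`, `enabled`, `last_login`), since real exports differ per vendor.

```python
"""Offboarding audit: reconcile an HR leaver list against SaaS account exports.

Added example; all data is constructed for illustration. Real exports have
vendor-specific schemas, so the loaders would be adapted per application.
"""
from datetime import date, datetime

# Constructed HR leaver list: username -> termination date (assumed fields).
LEAVERS = {
    "alice": date(2024, 5, 3),
    "bob": date(2024, 5, 17),
    "carol": date(2024, 4, 30),
}

# Constructed per-application account exports (assumed schema): each record
# carries the login, whether the account is still enabled, and the last
# successful sign-in timestamp (None if the account was never used).
ACCOUNT_EXPORTS = {
    "crm": [
        {"user": "alice", "enabled": True, "last_login": "2024-05-20T09:12:00"},
        {"user": "bob", "enabled": False, "last_login": "2024-05-10T14:00:00"},
        {"user": "dave", "enabled": True, "last_login": "2024-05-28T08:00:00"},
    ],
    "wiki": [
        {"user": "alice", "enabled": False, "last_login": "2024-05-01T10:00:00"},
        {"user": "carol", "enabled": True, "last_login": None},
        {"user": "bob", "enabled": True, "last_login": "2024-05-25T18:30:00"},
    ],
}


def parse_ts(value):
    """ISO-8601 string -> datetime, or None for accounts never signed into."""
    return datetime.fromisoformat(value) if value else None


def audit_offboarding(leavers, exports):
    """Return one finding per (app, user) pair that needs attention.

    Two classes of finding:
      - "still_enabled": a leaver's account was never disabled (cleanup).
      - "login_after_termination": a sign-in happened after the termination
        date, whether or not the account is enabled now; that is the signal
        that warrants an incident investigation, not just cleanup.
    """
    findings = []
    for app, records in exports.items():
        for rec in records:
            user = rec["user"]
            if user not in leavers:
                continue  # current employee; nothing to check here
            term = leavers[user]
            last = parse_ts(rec.get("last_login"))
            if rec["enabled"]:
                findings.append({"app": app, "user": user, "issue": "still_enabled"})
            if last is not None and last.date() > term:
                findings.append({"app": app, "user": user,
                                 "issue": "login_after_termination",
                                 "last_login": last.isoformat()})
    return findings


def summarize(findings):
    """Counts per issue type, useful for tracking offboarding error rate over time."""
    counts = {}
    for f in findings:
        counts[f["issue"]] = counts.get(f["issue"], 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_offboarding(LEAVERS, ACCOUNT_EXPORTS)
    for f in sorted(results, key=lambda f: (f["app"], f["user"], f["issue"])):
        print(f)
    print(summarize(results))
```

Run against the constructed data, the audit reports three accounts still enabled and two post-termination sign-ins (alice in the CRM, bob in the wiki). The second class is the one the article's last sentence is about: an automated offboarding flow can miss an application, and only monitoring of the decommissioned accounts surfaces that the miss was actually used.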


BreachForums: Back Already?

We recently covered how the infamous criminal marketplace and forum was taken down by a US-led seizure of its infrastructure. BreachForums was a spin-off of the well-known RaidForums, which served a similar purpose and was also taken down by law enforcement. After the seizure the site displayed only a banner announcing that the forum had been seized. In the space of just two weeks, the site has returned to what seems to be normal operation.

What differs this time is that users of the site are required to sign up before viewing posts. This has led to speculation that the resurrection is not legitimate and is instead a law enforcement honeypot. No official comments have been made about either the takedown or the re-emergence, which has left considerable room for speculation as to what is happening.


Microsoft Warns of Sophisticated Gift Card Focused Cybercrime Group

Microsoft has spotlighted a cybercrime group, Storm-0539, behind extensive gift card fraud and theft through advanced email and SMS phishing attacks. This group uses adversary-in-the-middle (AitM) phishing techniques to steal credentials and session tokens, enabling them to compromise gift card services and steal up to $100,000 daily from certain companies.

Active since late 2021, Storm-0539 targets large retailers, luxury brands, and fast-food chains, exploiting cloud infrastructure to bypass multi-factor authentication (MFA) and conduct reconnaissance. The U.S. FBI has warned about their sophisticated phishing attacks, emphasizing the need for robust security measures. Microsoft urges companies to treat gift card portals as high-value targets and implement strong security practices to mitigate these risks.


Concerns of Credential Stuffing, Raised by Okta

Okta has issued a warning about credential stuffing attacks targeting its Customer Identity Cloud (CIC) via a cross-origin authentication feature. The attacks, observed since April 15, 2024, involve threat actors using lists of stolen usernames and passwords to attempt logins. Okta has advised users to review tenant logs for unexpected login events, rotate credentials, and consider disabling the vulnerable feature.

Additional recommended mitigations include enabling breached password detection, enforcing strong password policies, and adopting passwordless, phishing-resistant authentication methods.
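Okta's first recommendation, reviewing tenant logs for unexpected login events, is concrete enough to show in code. Credential stuffing has a distinctive shape in authentication logs: one source address failing sign-ins for many different usernames in a short window, occasionally with a success in the middle where a reused password matched. The script below is an added example, not Okta's code or guidance; the log lines are constructed, and their four-field JSON schema (`ts`, `user`, `ip`, `result`) is an assumption. Mapping real tenant logs (Okta System Log or CIC tenant logs) onto those four fields is left to the reader, since the actual field names differ per product.

```python
"""Credential-stuffing triage over authentication log lines.

Added example. The log format is a constructed, generic JSON-lines schema;
real Okta / CIC tenant logs use different field names and would need a
small adapter in parse_events().
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one IP cycling through many usernames (stuffing, with
# one password that happened to match), one user mistyping a password once
# (benign), and a lone failure from the stuffing IP an hour later.
SAMPLE_LOG = """\
{"ts": "2024-05-20T10:00:01", "user": "ann@example.test", "ip": "203.0.113.7", "result": "FAILURE"}
{"ts": "2024-05-20T10:00:02", "user": "ben@example.test", "ip": "203.0.113.7", "result": "FAILURE"}
{"ts": "2024-05-20T10:00:03", "user": "cy@example.test", "ip": "203.0.113.7", "result": "FAILURE"}
{"ts": "2024-05-20T10:00:04", "user": "di@example.test", "ip": "203.0.113.7", "result": "FAILURE"}
{"ts": "2024-05-20T10:00:05", "user": "ed@example.test", "ip": "203.0.113.7", "result": "SUCCESS"}
{"ts": "2024-05-20T10:00:06", "user": "fay@example.test", "ip": "203.0.113.7", "result": "FAILURE"}
{"ts": "2024-05-20T10:05:00", "user": "gus@example.test", "ip": "198.51.100.9", "result": "FAILURE"}
{"ts": "2024-05-20T10:05:20", "user": "gus@example.test", "ip": "198.51.100.9", "result": "SUCCESS"}
{"ts": "2024-05-20T11:30:00", "user": "hal@example.test", "ip": "203.0.113.7", "result": "FAILURE"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def detect_stuffing(events, window=timedelta(minutes=10), min_distinct_users=4):
    """Flag source IPs that fail sign-ins for many *distinct* usernames
    inside a sliding time window.

    One user failing repeatedly is a forgotten password; many users failing
    from one IP is the stuffing pattern. For each flagged IP the densest
    window is reported, plus any accounts that successfully signed in from
    that IP during it: those are the credentials to rotate first.
    Returns {ip: {"distinct_users": n, "compromised": [users]}}.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["result"] == "FAILURE"]
        best = None  # (distinct_count, window_start, window_end)
        start = 0
        for end in range(len(failures)):
            # advance the window start until it spans at most `window`
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            distinct = {e["user"] for e in failures[start:end + 1]}
            if len(distinct) >= min_distinct_users and (best is None or len(distinct) > best[0]):
                best = (len(distinct), failures[start]["ts"], failures[end]["ts"])
        if best:
            count, lo, hi = best
            hits = sorted({e["user"] for e in evs
                           if e["result"] == "SUCCESS" and lo <= e["ts"] <= hi})
            findings[ip] = {"distinct_users": count, "compromised": hits}
    return findings


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: {info['distinct_users']} distinct usernames failed in window")
        for user in info["compromised"]:
            print(f"  rotate credentials and review sessions for {user}")
```

On the constructed log, 203.0.113.7 is flagged with five distinct usernames in one window and ed@example.test listed as a successful hit, while 198.51.100.9 (one user, one retry) is not. The thresholds are deliberately parameters: a tenant with a shared corporate egress address will need a higher `min_distinct_users` than one where every user arrives from a distinct address, and the window should match how fast the tooling observed since April 15 actually cycles through lists.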

World's Largest Botnet: The Bigger They Are, The Harder They Fall

On May 24, 2024, the owner of a residential proxy service known as 911 S5 was arrested for creating, and acting as the primary administrator of, the illegal platform from 2014 to July 2022. The operation seized assets valued at approximately $30 million, 23 domains, and over 70 servers. The platform is estimated to have managed an infrastructure encompassing 150 servers worldwide. The owner has been charged with conspiracy to commit computer fraud, substantive computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering. If convicted on all counts, they face a maximum penalty of 65 years imprisonment.

The botnet, thought to be the largest known, is reported to have been used to carry out cyber-attacks, financial fraud, identity theft, harassment, bomb threats, and export violations. Cybercriminals used proxied IP addresses purchased from 911 S5 to conceal their true originating IP addresses and locations, allowing them to commit a wide array of offences anonymously.

911 S5 is known to have affected millions of residential Windows computers worldwide with 19 million unique IP addresses associated with it. This was accomplished by distributing malware through various pop-up VPN services, such as “ProxyGate” and “MaskVPN,” and by embedding viruses in files distributed via peer-to-peer networks.

