Blog entry by Les Bell

Les Bell
by Les Bell - Thursday, April 13, 2023, 12:54 PM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


VPS's Replace IoT for DDoS Attackers, Says Cloudflare

In its first DDoS threat report for 2023, web acceleration and DDoS mitigation company Cloudflare reports a shift away from the use of compromised Internet of Things devices by attackers. Instead, the threat actors are making use of virtual private servers (VPS's) hosted by cloud computing service providers. The reason is simple: IoT devices are typically low-powered and connected to low-bandwidth consumer networks, while VPS's, located in large data centers, are much more powerful devices and are connected to the Internet by fat pipes.

The threat actors take over these servers by compromising unpatched servers and also hacking the management consoles using leaked API credentials. Cloudflare has been addressing this by setting up a free botnet threat feed for cloud service providers which will alert the firms to attacks originating within their own networks, so that they can be brought down promptly.

In other highlights from the DDoS threat report:

  • The year began with a series of campaigns against Western targets such as banking, airports, healthcare and universities, mostly led by the pro-Russian Telegram-organized group Killnet and more recently by AnonymousSudan
  • Hyper-volumetric attacks increased significantly, with the largest one peaking at over 71 million requests per second (the previous world record was 'only' 46 million rps)
  • 16% of Cloudflare customers reported a Ransom DDoS attack - holding steady in comparison with the previous quester, but a 60% year-on-year increase
  • The most-targeted country for HTTP DDoS traffic is Israel, which displaced the US from the top spot (followed by Canada and Turkey).
  • The most-targeted country for network-layer DDoS attack traffic was China, closely followed by Singapore.

Yoachimik, Omer and Jorge Pacheco, DDoS threat report for 2023 Q1, blog post, 11 April 2023. Available online at https://blog.cloudflare.com/ddos-threat-report-2023-q1/.

Don't Charge from Public USB Outlets, Says FBI

The FBI's Denver office has tweeted a warning against the use of free USB charging stations:

Avoid using free charging stations in airports, hotels or shopping centers. Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. Carry your own charger and USB cord and use an electrical outlet instead.

We'd generally agree, but also add that a USB condom - an inline connector which connects only the power lines and blocks data transfer - is a useful alternative, especially for international travelers who want to avoid carrying lots of power adapters. However, they may disable the fast charging capabilities of some devices. In any case, leaving your high-end phone plugged in on a shelf while you queue for a coffee nearby is an invitation to theft. Better to carry a power pack and recharge inside your locked hotel room (but even then . . .).

FBI Denver, Avoid using free charging stations ..., tweet, 6 April 2023. Available online at https://twitter.com/FBIDenver/status/1643947117650538498.

New Google API Helps to Secure the Supply Chain

Google has announced a new online API - the deps.dev API - which provides free access to a dataset of security metadata including dependencies, licenses, advisories and other security-related infor for over 50 million open source software package versions. The dataset is continuously updated from a range of sources, including package registries, the Open Source Vulnerability Database, development repositories such as GitHub and GitLab, and the packages themselves. There are over 5 million packages from the Go, Maven, PyPI, npm, and Cargo ecosystems.

The API will allow the development of tools which will support analyses of software packages and the updating of configuration management databases. This will allow operations and security staff to answer questions such as

  • What dependencies does this package have?
  • What are the licences for the packages this application uses?
  • Will moving to the latest version of this package change dependencies or the licences?
  • What versions of what packages contain this file?

The impact of vulnerabilities such as Log4Shell has really brought home the lesson that we need tools that can answer these and even more basic questions, such as "A new vulnerability is being exploited - are we affected?".

Sarnesjo, Jesper and Nicky Ringland, Announcing the deps.dev API: critical dependency data for secure supply chains, blog post, 11 April 2023. Available online at https://security.googleblog.com/2023/04/announcing-depsdev-api-critical.html.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags: