
Recently in Web Security Category

This month we'll release the Q2 2015 State of the Internet Security Report. Tomorrow, we'll begin previewing sections of that report in this blog.

But before we begin, a look back at the previous quarter's report is in order. Such a review will better position readers to digest the new report and do some comparing and contrasting. Every report highlights a new trend, but we also see things that don't change much from one quarter to the next. The challenge is in finding activity that bucks normal trends.

Defending Against DD4BC Cyber Attacks

To date, more than a dozen Akamai customers have been targeted by DD4BC, a group of attackers who send a series of politely worded, yet increasingly threatening, email messages to extort a ransom of 25 Bitcoin (approximately $5,750 US) in exchange for halting attacks on the victims' sites, and the number of victims is increasing. DD4BC starts with what it calls "small demonstrative attacks" that will not crash the site and last for one hour, "just to prove that we are serious." Companies that continue to ignore DD4BC's 24-hour ransom demand receive subsequent emails raising the ransom to 50-100 Bitcoin and threatening long-term UDP flood attacks of 400 to 500 Gbps, which the group warns will not be easy to mitigate.


Earlier today (Aug 6, 2015) at the Black Hat security conference in Las Vegas, Bishop Fox, a security research and penetration testing firm, announced the discovery of a vulnerability that allows an outside actor to conduct a cross-site request forgery (CSRF)/server-side request forgery (SSRF) attack using a combination of exploits. The vulnerability relied on the Akamai platform in two ways: specially crafted legacy resource locators (also called v1 ARLs) in combination with specific versions of Flow Player.

I was ready for a relaxing vacation on the Mexican Riviera Maya, where the warm waters and cool drinks would provide the backdrop for a great week. Making the Internet fast, reliable and secure every day is demanding work, so I was happy to temporarily leave my thoughts about Akamai at home, spend quality time with family, and sneak in a book that I've been wanting to read for a while.

Last night I watched an On Demand episode of The American Experience titled Blackout, which recounted the 1977 power failure in New York City and its lasting impact on the city due to widespread looting and destruction. With the power completely out, the operators at Con Ed got to work restoring power using a manual that was last updated after another massive blackout, in 1965.

Akamai is aware of a talk scheduled for Black Hat USA 2015 this week that will discuss some potential issues with platforms like ours.

Mike Brooks and Matthew Bryant, security analysts at Bishop Fox, will give the following talk on Aug. 6:

Bypass Surgery: Abusing Content Delivery Networks with Server-Side Request Forgery (SSRF), Flash and DNS

BIND DoS Vulnerability (CVE-2015-5477)

Akamai is aware of a recently disclosed critical vulnerability in BIND (CVE-2015-5477) that can be exploited to cause a denial of service.


How does the attack work?

An attacker can cause the BIND name server (named) to exit by sending a specially constructed packet that triggers a REQUIRE assertion failure in the code that handles TKEY queries. Because the assertion terminates the process, a single packet is enough to take the server down until it is restarted.


How is Akamai affected?

Akamai's Fast DNS / EDNS authoritative name servers do not run BIND and as such are not impacted by this CVE.

Further, Akamai continuously evaluates CVEs as they appear, and we continue to evaluate and patch relevant systems as necessary.


What can you do to protect yourself?

If you run BIND anywhere in your environment, upgrade to the patched release closest to your current version of BIND. Patched releases can be downloaded from http://www.isc.org/downloads.
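Patching is the fix, but while the upgrade is rolling out it helps to know whether TKEY queries are even reaching your resolvers. The following is an added example, not code from Akamai or ISC: a small wire-format DNS question parser that classifies a datagram as a TKEY query (RR type 249, RFC 2930), as malformed, or as nothing of interest. The packets it runs on are constructed inline; the `classify` function and its labels are this example's own. Treat a hit as a triage signal rather than a block rule: TKEY has legitimate users (GSS-TSIG dynamic updates from Windows domain controllers, for instance), so an unexpected TKEY query from the Internet toward an authoritative server is what merits a look, not TKEY as such.

```python
import struct

TKEY_QTYPE = 249  # RR type code for TKEY (RFC 2930)


def build_query(qname, qtype, txid=0x1234):
    """Build a minimal DNS query (header + one question) in wire format.

    Used here only to construct sample traffic for the classifier below.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    name = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length")
        name += struct.pack("!B", len(raw)) + raw
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_questions(pkt):
    """Return [(qname, qtype), ...] from the question section.

    Raises ValueError on truncated or otherwise malformed input so that a
    caller never silently misclassifies a broken packet as benign.
    """
    if len(pkt) < 12:
        raise ValueError("short DNS header")
    qdcount = struct.unpack("!H", pkt[4:6])[0]
    off = 12
    questions = []
    for _ in range(qdcount):
        labels = []
        while True:
            if off >= len(pkt):
                raise ValueError("truncated name")
            n = pkt[off]
            off += 1
            if n == 0:
                break
            if n & 0xC0:
                # Compression pointers are not expected in a question name;
                # treat them as malformed rather than guess at the target.
                raise ValueError("unexpected compression pointer in question")
            if off + n > len(pkt):
                raise ValueError("truncated label")
            labels.append(pkt[off:off + n].decode("ascii", "replace"))
            off += n
        if off + 4 > len(pkt):
            raise ValueError("truncated question")
        qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        questions.append((".".join(labels), qtype))
    return questions


def classify(pkt):
    """Classify a DNS message for triage: 'tkey-query', 'malformed' or 'ok'.

    Responses (QR bit set) are never flagged; only queries can reach the
    TKEY handling path the advisory describes.
    """
    if len(pkt) < 12:
        return "malformed"
    flags = struct.unpack("!H", pkt[2:4])[0]
    if flags & 0x8000:
        return "ok"
    try:
        questions = parse_questions(pkt)
    except ValueError:
        return "malformed"
    return "tkey-query" if any(t == TKEY_QTYPE for _, t in questions) else "ok"


if __name__ == "__main__":
    # Constructed samples, not captured traffic.
    samples = {
        "A lookup": build_query("www.example.com", 1),
        "TKEY query": build_query("example.com", TKEY_QTYPE),
        "truncated": build_query("example.com", TKEY_QTYPE)[:20],
    }
    for label, pkt in samples.items():
        print(f"{label:12s} -> {classify(pkt)}")
```

To use this on live traffic, feed it the UDP payloads of port 53 datagrams from a capture; the parser deliberately stops at the question section, so it is cheap enough to run inline on a mirror port.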

OurMine Team Attack Exceeded 117 Gbps

A new hacking group has landed on Akamai's PLXsert and CSIRT radar for claiming responsibility for DDoS attacks against several of our customers in the financial services sector.


The entity calls itself the "OurMine Team" and if it is to be believed, it has gained access to one customer's $500,000 account. The group has announced it will give that money to the poor.


How to Tell a Landscaper From a Thief

If I can see a person standing in front of a neighboring house inspecting the windows and the doors, should I call the police?

Maybe it is the air-conditioning technician looking for the best place to install a new unit, or maybe it is a burglar doing reconnaissance and checking for the easiest way into the house. It is hard to tell!

Now what if I can see a user sending requests to non-existing pages in my application?

Maybe these are broken links the user followed by mistake, or maybe this is reconnaissance: pre-attack activity by a malicious user. It is also hard to tell!

Continue reading on InfoSec Island!
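The distinction the post draws can be made operational. What follows is an added example, not code from the original post or from Akamai: a heuristic run over constructed Apache/nginx combined-format log lines that separates a visitor who hit one stale link from a client probing for admin consoles and backups. The sample lines, the `suspected_scanners` function and its two thresholds (at least four distinct missing paths, and at least half of the client's requests returning 404) are this example's own assumptions; the thresholds are a starting point to tune against your own traffic, not a recommendation.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" format; only the fields the heuristic needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not real traffic): 10.0.0.5 follows one stale link,
# 203.0.113.9 probes for admin consoles, backups and exposed repositories.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Aug/2015:09:12:01 +0000] "GET /blog/2014/old-post HTTP/1.1" 404 512 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Aug/2015:09:12:03 +0000] "GET /blog/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Aug/2015:09:12:08 +0000] "GET /blog/2015/new-post HTTP/1.1" 200 7311 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Aug/2015:09:13:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "curl/7.43.0"
203.0.113.9 - - [10/Aug/2015:09:13:00 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "curl/7.43.0"
203.0.113.9 - - [10/Aug/2015:09:13:01 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "curl/7.43.0"
203.0.113.9 - - [10/Aug/2015:09:13:01 +0000] "GET /backup.zip HTTP/1.1" 404 209 "-" "curl/7.43.0"
203.0.113.9 - - [10/Aug/2015:09:13:02 +0000] "GET /.git/config HTTP/1.1" 404 209 "-" "curl/7.43.0"
203.0.113.9 - - [10/Aug/2015:09:13:02 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "curl/7.43.0"
"""


def parse_log(text):
    """Yield one dict per parseable combined-format line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec


def score_clients(records):
    """Aggregate, per client IP, the counters the recon heuristic needs."""
    stats = defaultdict(lambda: {"total": 0, "not_found": 0, "missing_paths": set()})
    for r in records:
        s = stats[r["ip"]]
        s["total"] += 1
        if r["status"] == 404:
            s["not_found"] += 1
            s["missing_paths"].add(r["path"])
    return stats


def suspected_scanners(records, min_distinct_404=4, min_404_ratio=0.5):
    """Return client IPs whose 404 pattern looks like probing rather than stale links.

    A scanner hits many *distinct* non-existent paths and most of its requests
    miss; a user with one stale bookmark produces a single 404 among otherwise
    successful requests. Both thresholds are illustrative assumptions.
    """
    flagged = []
    for ip, s in score_clients(records).items():
        distinct = len(s["missing_paths"])
        ratio = s["not_found"] / s["total"]
        if distinct >= min_distinct_404 and ratio >= min_404_ratio:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    print("suspected scanners:", suspected_scanners(parse_log(SAMPLE_LOG)))
```

The distinct-path count matters more than the raw 404 count: a single broken link embedded in a popular page produces hundreds of 404s for the same path from many clients, which this heuristic ignores, whereas a wordlist scan produces many different missing paths from one client in a short window.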

A roundup of attack activity, vectors and those responsible, based on PLXSert/CSIRT advisories issued in recent weeks:

DD4BC: Operation Update and FAQ
DD4BC, the malicious group responsible for several Bitcoin extortion campaigns last year, continues to expand attacks against Akamai customers. Researchers from Akamai's PLXsert and CSIRT teams continue to investigate attack activity related to the group.

RIPv1 Reflection DDoS Making a Comeback
Akamai's Prolexic Security Engineering & Research Team (PLXsert) has been monitoring an uptick in a form of DDoS reflection thought to be largely abandoned. This attack vector, which abuses RIPv1, an outdated routing protocol, began showing up in active campaigns again on May 16 after being dormant for more than a year. The latest attacks observed, as described later, apparently make use of only a small number of the available RIPv1 source devices.
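The advisory names the vector but not the packet, so here is the mechanism as an added example, not code from the Akamai advisory. A RIPv1 reflector is triggered by the request defined in RFC 1058 section 3.4.1: a `request` command carrying a single entry with address family 0 and metric 16, which asks the router to send its entire routing table. The response is many times larger than the 24-byte request, and because RIPv1 runs over UDP (port 520) the source address can be spoofed to a victim. The parser below recognises that request and, over a constructed set of datagrams, reports full-table requests arriving from outside the networks you consider your own; the RFC 1918 prefixes used for that are an assumption to replace with your real address space. The check a practitioner wants is simple: if this fires on a border interface, the device behind it should not be speaking RIPv1 to the Internet at all.

```python
import ipaddress
import struct

RIP_PORT = 520
RIP_REQUEST, RIP_RESPONSE = 1, 2
RIP_INFINITY = 16  # metric meaning "unreachable", used to request the whole table

# Assumed internal address space; replace with your own prefixes.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_rip_full_table_request():
    """RIPv1 'send me your whole table' request (RFC 1058 section 3.4.1).

    Constructed here only as sample input: one entry, family 0, metric 16.
    """
    header = struct.pack("!BBH", RIP_REQUEST, 1, 0)           # command, version, must-be-zero
    entry = struct.pack("!HHIIII", 0, 0, 0, 0, 0, RIP_INFINITY)  # family, zero, addr, zero, zero, metric
    return header + entry


def parse_rip(payload):
    """Return (command, version, entries); entries are (family, address, metric)."""
    if len(payload) < 4 or (len(payload) - 4) % 20:
        raise ValueError("bad RIP length")
    cmd, ver, _ = struct.unpack("!BBH", payload[:4])
    entries = []
    for off in range(4, len(payload), 20):
        fam, _, addr, _, _, metric = struct.unpack("!HHIIII", payload[off:off + 20])
        entries.append((fam, str(ipaddress.IPv4Address(addr)), metric))
    return cmd, ver, entries


def is_full_table_request(payload):
    """True for the exact RFC 1058 whole-table request that reflectors answer."""
    try:
        cmd, ver, entries = parse_rip(payload)
    except ValueError:
        return False
    return (cmd == RIP_REQUEST and ver == 1 and len(entries) == 1
            and entries[0][0] == 0 and entries[0][2] == RIP_INFINITY)


def reflection_candidates(datagrams):
    """datagrams: iterable of (src_ip, dst_port, udp_payload) seen at the border.

    Returns external source addresses asking for full RIPv1 tables. In a
    reflection attack that source is the spoofed victim, so the list is a
    list of victims you are being used against, not of attackers.
    """
    hits = set()
    for src, dport, payload in datagrams:
        if dport != RIP_PORT or not is_full_table_request(payload):
            continue
        if not any(ipaddress.ip_address(src) in net for net in INTERNAL_NETS):
            hits.add(src)
    return sorted(hits)


# Constructed sample datagrams, not captured traffic.
SAMPLE_DATAGRAMS = [
    # ordinary internal advertisement of 10.1.0.0 with metric 1
    ("10.0.0.2", RIP_PORT, struct.pack("!BBH", RIP_RESPONSE, 1, 0)
     + struct.pack("!HHIIII", 2, 0, int(ipaddress.IPv4Address("10.1.0.0")), 0, 0, 1)),
    ("10.0.0.3", RIP_PORT, build_rip_full_table_request()),   # internal router booting: legitimate
    ("203.0.113.9", RIP_PORT, build_rip_full_table_request()),  # external: spoofed victim or scanner
    ("203.0.113.9", 53, b"\x00" * 32),                         # not RIP at all
]

if __name__ == "__main__":
    print("full-table requests from outside:", reflection_candidates(SAMPLE_DATAGRAMS))
```

The same `is_full_table_request` predicate can be used the other way round, to probe your own address space for devices that answer it; any that do are reflectors waiting to be found.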