Akamai Diversity

Recently in Web Security Category

Akamai is aware of a talk scheduled for Black Hat USA 2015 this week that will discuss some potential issues with platforms like ours.

Mike Brooks and Matthew Bryant, security analysts at Bishop Fox, will give the following talk on Aug. 6:

BYPASS SURGERY ABUSING CONTENT DELIVERY NETWORKS WITH SERVER-SIDE-REQUEST FORGERY (SSRF) FLASH AND DNS

BIND DoS Vulnerability (CVE-2015-5477)

Akamai is aware of a recently disclosed critical vulnerability in BIND (CVE-2015-5477) that can be exploited to cause a denial of service.


How does the attack work?

An attacker can cause BIND to exit by sending a crafted packet that triggers a REQUIRE assertion failure through defective handling of a TKEY query.


How is Akamai affected?

Akamai's Fast DNS / EDNS authoritative name servers do not run BIND and as such are not impacted by this CVE.

Further, Akamai continuously evaluates CVEs as they are published and patches relevant systems as necessary.


What can you do to protect yourself?

If you run BIND anywhere in your environment, upgrade to the patched release most closely related to your current version of BIND. These can be downloaded from http://www.isc.org/downloads.

OurMine Team Attack Exceeded 117 Gbps

A new hacking group has landed on Akamai's PLXsert and CSIRT radar for claiming responsibility for DDoS attacks against several of our customers in the financial services sector.


The entity calls itself the "OurMine Team" and if it is to be believed, it has gained access to one customer's $500,000 account. The group has announced it will give that money to the poor.


How to Tell a Landscaper From a Thief

If I can see a person standing in front of a neighboring house inspecting the windows and the doors, should I call the police?

Maybe it is an air-conditioning technician looking for the best place to install a new air-conditioning unit, or maybe it is a burglar doing reconnaissance and checking for the easiest way to get into the house. It is hard to tell!

Now what if I can see a user sending requests to non-existing pages in my application?

Maybe these are broken links the user followed by mistake, or maybe this is attack reconnaissance, pre-attack activity by a malicious user. It is also hard to tell!

Continue reading on InfoSec Island!

A roundup of attack activity, vectors and those responsible, based on PLXSert/CSIRT advisories issued in recent weeks:

DD4BC: Operation Update and FAQ
DD4BC, the malicious group responsible for several Bitcoin extortion campaigns last year, continues to expand attacks against Akamai customers. Researchers from Akamai's PLXsert and CSIRT teams continue to investigate attack activity related to the group.

RIPv1 Reflection DDoS Making a Comeback
Akamai's Prolexic Security Engineering & Research Team (PLXsert) has been monitoring an uptick in a form of DDoS reflection thought to be mostly abandoned. This attack vector, which involves the use of an outdated routing protocol in RIPv1, began showing up in active campaigns again on May 16th after being dormant for more than a year. The latest attacks observed, as described later, are apparently making use of only a small number of available RIPv1 source devices.

DD4BC: Operation Update and FAQ

DD4BC, the malicious group responsible for several Bitcoin extortion campaigns last year, continues to expand attacks against Akamai customers. Researchers from Akamai's PLXsert and CSIRT teams continue to investigate attack activity related to the group.

In recent weeks, the frequency of customers receiving ransom emails from this band of chaotic actors has steadily grown. DD4BC continues to inform victims that they will launch a DDoS attack of 400-500 Gbps against them. To date, DD4BC attack campaigns mitigated by Akamai have not exceeded 50 Gbps in size. That's up from the high of 15-20 Gbps observed in early May. (A full history of the group's exploits and firepower can be found in this advisory from April.)


Below are the most commonly asked questions we've received from customers, along with some answers.

What is new since the last update?

The group can now attack with firepower of up to 50 gigabits per second. Additionally, they now threaten to expose a targeted organization via social media in addition to the DDoS attack itself. The goal is to publicly embarrass the target, harming the company's reputation and drawing additional attention that lends credibility to the threatened service disruption. Their methodology has also changed: they are using multi-vector campaigns more readily and, in some instances, revisiting previous targets that experienced some level of impact during the initial event. We have also observed this group incorporating a Layer 7 attack as part of the multi-vector attack.

As a professional marketer, it can be a little ironic how often you're frustrated when people you care about are influenced by marketing in ways that can't possibly be good for them. Everybody knows that marketers do nothing but lie all day - or "spin" as they call it. And as far as the profession goes, there's probably some truth to that. But there are plenty of marketers out there that have a good deal of integrity, and there are few things more frustrating than when people fall for marketing "spin".

OpenSSL Vulnerability (CVE-2015-1793)

Akamai is aware of the OpenSSL vulnerability addressed in OpenSSL versions 1.0.2d and 1.0.1p on Thursday, July 9, 2015. Akamai does not use the vulnerable versions of OpenSSL and is therefore not affected.

The OpenSSL team advisory outlines the vulnerability and fixes. The advisory states:

During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate. This issue impacts any application that verifies certificates including SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.

The vulnerability was reported to OpenSSL on 24th June 2015 by Adam Langley/David Benjamin (Google/BoringSSL). The fix was developed by the BoringSSL project, and released by OpenSSL on July 9th, 2015.

Though Akamai is not affected, we recommend that if you run OpenSSL in your origin infrastructure, you consult your security advisory team to review the vulnerability and upgrade your software and/or address the vulnerability as necessary.

If you have any questions or concerns regarding this vulnerability and your Akamai services, please use our Community post dedicated to the subject. You may also contact your Akamai Representative, or call Customer Care at 1.877.4.AKATEC or 1.617.444.4699.

RIPv1 Reflection DDoS Making a Comeback

Akamai's Prolexic Security Engineering & Research Team (PLXsert) has been monitoring an uptick in a form of DDoS reflection thought to be mostly abandoned. This attack vector, which involves the use of an outdated routing protocol in RIPv1, began showing up in active campaigns again on May 16th after being dormant for more than a year. The latest attacks observed, as described later, are apparently making use of only a small number of available RIPv1 source devices.

RIPv1 was first introduced in 1988 under RFC1058, which is now listed as a historic document in RFC1923. The historic designation means the original RFC is actively deprecated. One main reason for this is that RIPv1 only supports classful networks. So if the network advertised by RIPv1 happens to be a class A network such as 10.1.2.0/24, it will be sent in an advertisement as 10.0.0.0/8. This, among other things, further limits the usefulness of RIPv1 as a viable option for internal networks, much less the Internet.

Akamai is aware of a recently disclosed vulnerability in OpenSSL that can be exploited to perform denial of service attacks against any system which processes public keys, certificate requests, or certificates.

The announcement for CVE-2015-1788 (discovered by Joseph Barr-Pixton and fixed by Andy Polyakov of the OpenSSL development team) and CVE-2015-1789 (discovered independently by Robert Swiecki and Hanno Böck) can be found here. The fix was developed by Emilia Käsper of the OpenSSL development team.