Shadow Talk Update – 03.12.2018
March 12, 2018
This week’s Shadow Talk features more distributed denial of service (DDoS) attacks using Memcached servers, how disinformation is more than just a political concern, updates on the Spectre vulnerability following the release of a new proof of concept (PoC) exploit, and more reporting on the historical network intrusion against the German government.
Memcached DDoS attacks break peak volume records
Attackers using Memcached reflection, a type of DDoS attack, have twice achieved the highest recorded peak volumes since 27 February. An attack on the code-sharing website GitHub reached 1.35Tbps, and a subsequent attack on an unnamed company in the United States peaked at 1.7Tbps. The peak was helped by the availability of internet-facing Memcached servers listening on user datagram protocol (UDP) port 11211 without traffic filtering. The media attention garnered by these attacks likely prompted opportunistic extortion attempts reported in the past week. Efforts have been made to reduce the number of internet-facing Memcached servers susceptible to this attack method, but the threat is unlikely to disappear in the next month.
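A defender-side check for the exposure described above, as an added example that is not part of the original post: it reads a Memcached options file and flags a server that binds a non-loopback address while UDP is not explicitly disabled. It assumes a Debian-style `memcached.conf` with command-line options one per line; the function names and both sample configurations are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample configs (Debian-style memcached.conf, one option per line).
EXPOSED_CONF = "-m 64\n-p 11211\n-u memcache\n-l 0.0.0.0\n-U 11211  # UDP on\n"
HARDENED_CONF = "-m 64\n-p 11211\n-u memcache\n-l 127.0.0.1\n-U 0\n"

def _is_loopback(addr):
    """True for loopback -l values; unknown hostnames count as exposed."""
    host = addr.strip("[]")
    if host.count(":") == 1:              # drop a :port suffix (IPv4/hostname)
        host = host.split(":")[0]
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def audit_memcached_conf(conf_text):
    """Hypothetical helper: report bind scope and UDP state from memcached options."""
    listen, udp = [], None                # udp None means -U was not given
    tokens = []
    for line in conf_text.splitlines():
        tokens += shlex.split(line.split("#", 1)[0])   # ignore comments
    it = iter(tokens)
    for tok in it:
        for short, long_ in (("-l", "--listen="), ("-U", "--udp-port=")):
            if tok == short:
                value = next(it, "")
            elif tok.startswith(long_):
                value = tok[len(long_):]
            elif tok.startswith(short):   # attached form, e.g. -U0
                value = tok[2:]
            else:
                continue
            if short == "-l":
                listen += [a for a in value.split(",") if a]
            elif value.isdigit():
                udp = int(value)
    # With no -l option memcached binds every interface.
    exposed = not listen or not all(_is_loopback(a) for a in listen)
    udp_state = {None: "version default", 0: "disabled"}.get(udp, "enabled")
    return {"udp": udp_state, "non_loopback_bind": exposed,
            "flag": exposed and udp_state != "disabled"}

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_memcached_conf(conf))
```

A result of `"udp": "version default"` means `-U` was not set, so whether UDP is on depends on the installed Memcached version; setting `-U 0` explicitly removes that ambiguity.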
Disinformation campaign aimed at Persian speakers
A disinformation campaign intended to influence Persian speakers and discredit Western media outlets has been in operation for approximately seven years. The campaign implicated some legitimate media outlets, such as the BBC, by establishing fake websites impersonating them. No malware was delivered in this campaign. Although disinformation campaigns are used for political objectives, the wide availability of tools and the relatively low costs associated with performing these operations mean that disinformation is also a threat to businesses in a variety of industries. Download a copy of our research report, The Business of Disinformation: A Taxonomy, to see the tools actors can turn to when waging disinformation campaigns and what it means for organizations in the next year.
Researchers publish PoC exploit for SgxPectre
Researchers at the University of Ohio, in the United States, released PoC code for a vulnerability dubbed SgxPectre, a claimed variation of the “Spectre” vulnerability. SgxPectre enables unauthorized access to sensitive data protected by Intel’s Software Guard eXtensions (SGX). The vulnerability affects runtime libraries, meaning any program using SGX is potentially vulnerable. The release of PoC code has previously encouraged threat actors to attempt exploitation of vulnerabilities, but in this case no such attempts have yet been detected. It is not known which types of information can be accessed by exploiting this vulnerability, or how easy it is to exploit.
Historical compromise of German government now linked to Turla
Attackers infected 17 computers in the German Federal Foreign Office with an undisclosed malware variant. The malware exfiltrated data and received commands using Microsoft Outlook. The intrusion, first reported 28 February 2018, affected the Foreign Office from March 2017 to December 2017. Attribution was initially made to the threat group “APT-28” (aka Fancy Bear), but journalists later cited the threat group “Turla”. The attack was said to be part of a wider campaign affecting multiple geographies and was likely conducted by a well-resourced group.