
2.4 Customer Records

Target, the major retailer, was hacked on Black Friday in 2013. Over 40 million debit card accounts were scooped up. The data was not encrypted. Groups of Target customers filed suit claiming that “Target failed to implement and maintain reasonable security procedures and practices.” Roll forward to 2015, when Target paid out $10 million to customers as a result of those lawsuits. This $10 million does not include the cost of notifying customers, legal costs, loss of goodwill among existing customers, and the effect on Target’s reputation in the marketplace.



2.3 Human Resources (HR) Records

The largest breach of HR or personnel records (a break-in with theft or manipulation of data) in history occurred in 2015 at the United States Office of Personnel Management, or OPM for short. The breach involved the theft of 21.5 million US government employee records along with 5.6 million fingerprint records. Keep in mind that these records contain the contents of the SF86, a questionnaire completed when applying for a security clearance, and include information not only about the applicant but also about their extended families and neighbours. It is rumoured that the Chinese are using the information from these records to put together a “Facebook” of US government and military personnel that can be used to put pressure on them or co-opt them.

This breach was a classic case of risk versus reward. Enough golden eggs (records) existed in one place with the potential for enough damage that they were highly sought after and justified the expenditure of almost any effort to obtain them.

Access was obtained through a breach of a US Government contractor who had access to the records and, unfortunately, less security to get through. We, the defensive team (the good guys), failed to encrypt the records, disperse them so they were not all in one place, and keep non-current records offline. To make matters worse, the intrusion went undetected for a long period of time.



2.2 Medical Records

Medical records are worth about ten times what credit card numbers are on the black market. “Why?” you ask. Because medical records can be used to file fraudulent claims. It takes much longer to realize your medical records have been compromised than to notice a problem with your credit card number. This time differential combined with the relatively poor cyber security of hospitals provides hackers with a very lucrative market.

Note that medical records fall under HIPAA, the Health Insurance Portability and Accountability Act (you probably signed a HIPAA form at your doctor’s office). Health providers are legally obligated to take reasonable steps to protect your healthcare information. Penalties are based on the level of negligence and can range from $100 to $50,000 per violation, capped at $1.5 million per year for violations of each HIPAA provision.


Exim software Vulnerability

Vulnerability in Exim software allows hackers to gain control of your mail server

Target: Exim users

Attack Vector: Remote code execution

A new critical vulnerability has been discovered in Exim, a widely deployed mail transfer agent (MTA) used on Unix-based operating systems. An attacker can trigger an off-by-one buffer overflow with a precisely constructed mail message. Because the flaw sits in the way SMTP transactions are processed, it can be exploited remotely without any authentication.

Risk assessment summary:

The threat is assessed as 3e MODERATE and the likelihood has been rated as POSSIBLE. If successful, by sending specially manipulated input to a server running Exim, attackers may be able to remotely execute code and take control of mail servers. Although a patch has been released, it may take weeks or even months for the vulnerability to be fully mitigated as users may not update their servers, leaving them at risk.

Annabelle Ransomware

New Annabelle Ransomware discovered

Target: Potentially high-profile companies, as the threat actor primarily wants to advertise their skills

Attack Vector: Ransomware tool which first disables processes that may interfere with its actions

Summary: During March 2018 a new type of ransomware was observed. Discovered by security researcher @bartblaze, the tool is based on the horror movie Annabelle and seems to be designed to show off the skill and capability of the threat actor behind it rather than to be used maliciously. The ransomware has extensive capabilities which combine many different features usually observed individually in separate ransomware tools.

In addition, Annabelle appears to carry out several pre-operations which make it easier to carry out its goals, a tactic observed more often in ransomware tools.

Risk assessment summary: The threat is assessed as 4d LOW. There are clear risks such as theft of sensitive information or inaccessibility of important files. The malware has not yet been observed in any mass distribution campaigns with its infrequent use lowering this possibility.

Additionally, the ransomware can be decrypted by a user following the correct process which suggests there may not be any long-term damage. However, the fact it can disable interfering programs and configure a target system to make a ransomware attack easier, does mean Annabelle remains a plausible threat.

Memcache DDoS

1. Risk Assessment

Risk Rating: 2c

Impact: High

Likelihood: Likely

This threat is currently assessed as 2c HIGH. A new DDoS attack vector has been identified as targeting Memcached servers that have UDP port 11211 exposed on the internet. The impact to businesses is considered to be HIGH in most cases, particularly if any services have poorly configured Memcache servers. This new attack vector has been seen in the wild over the past week and is therefore deemed an active threat. The likelihood of this threat should be considered LIKELY, particularly with media-wide news reporting in relation to the type of attack, and the considerable amplification that can be achieved.

2. Technical Analysis

Over the past week, we observed a number of DDOS attacks crafted using the latest amplification and reflection method, which is known as ‘memcached’. Memcached, which uses UDP port 11211, is an open source distributed memory object caching system that is designed for use with dynamic web applications to speed up retrieval of objects and data and alleviate database load. Much in the same way that web content is cached within an ISP network so that further requests for that same content can be delivered locally via the cache, memcached can cache objects and strings for a web application to reduce dependence on external DB/API calls. However, this application has very poor security out of the box and, by default, will accept connections over UDP as well as TCP. In addition, attackers can ‘prime’ the server by first inserting their own key/value pairs and then requesting that data as part of the attack, spoofing their source address to be the address of the intended target, and therefore redirecting any responses from open memcached servers to the intended DDOS target.

What makes memcached a highly effective DDOS attack vector is the extremely large amplification factor. All amplification attacks rely on a UDP protocol that, on request of a small query, can return a large response. For example, DNS may be used by sending a simple ‘dig’ for some domain that then returns a large response in the form of information from zone files that may include A/MX/NS/PTR/TXT records, or an attacker might locate open NTP servers that allow a simple ‘monlist’ command to generate a response in the form of a full list of IPs that have interacted with that server. The attacker’s aim is to generate as large a response as possible to a given query that is sent with a spoofed source IP address. The amplification factor is the ratio of the size of the response to the size of the request.

As an illustration, the following amplification factors are detailed below:

  •  SSDP 30x
  •  DNS 54x
  •  NTP 500x
  •  Memcached 10,000 to 51,000x

This shows that a 15 byte request may result in a 750kB response. The maximum size for any object in the cache is 1MB. Because of the large amplification factor, an attacker only needs a relatively small number of open servers to generate a large attack. It is estimated that there are currently around 80,000 to 90,000 open memcached servers currently on the internet.

This attack vector has only been reported as being used by a number of networks over the last few days, and attacks have been reported by Cloudflare and Akamai with the latter reporting an attack against one of their customers that reached 1.3Tbps, and today, a 1.7Tbps attack aimed at an unnamed ‘US service provider’ has been published.
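As an added example (not part of the report), the following Python flags the reflection pattern described above in summarised flow records: replies arriving over UDP from source port 11211 on several hosts toward one destination, and the observed response-to-request byte ratio for each memcached host. The Flow field set, the thresholds and the sample flows are constructed assumptions.

```python
from collections import defaultdict, namedtuple
# One summarised flow record (NetFlow/IPFIX-style); this field set is an assumption.
Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port proto packets bytes")

MEMCACHED_PORT = 11211
# Detection thresholds are assumptions for this example, not values from the report.
MIN_REFLECTORS = 3        # distinct memcached hosts replying toward one destination
MIN_BYTES = 1_000_000     # aggregate UDP bytes toward that destination

def reflection_victims(flows, min_reflectors=MIN_REFLECTORS, min_bytes=MIN_BYTES):
    """Map each suspected victim IP to (reflector_count, total_bytes, avg_packet_size).

    Reflected memcached traffic arrives as UDP *from* source port 11211 on many
    hosts the victim never contacted; a legitimate cache client talks TCP to one server.
    """
    per_dst = defaultdict(lambda: [set(), 0, 0])
    for f in flows:
        if f.proto == "udp" and f.src_port == MEMCACHED_PORT:
            rec = per_dst[f.dst_ip]
            rec[0].add(f.src_ip)
            rec[1] += f.bytes
            rec[2] += f.packets
    return {dst: (len(srcs), total, total // max(pkts, 1))
            for dst, (srcs, total, pkts) in per_dst.items()
            if len(srcs) >= min_reflectors and total >= min_bytes}

def amplification(flows, reflector_ip):
    """Observed response/request byte ratio for one host on UDP/11211 (0.0 if no requests seen).
    The report's figures (15-byte request, ~750 kB reply) give ratios in the tens of
    thousands; a cache serving real clients should sit near 1x to a few x.
    """
    sent = sum(f.bytes for f in flows if f.proto == "udp"
               and f.src_ip == reflector_ip and f.src_port == MEMCACHED_PORT)
    received = sum(f.bytes for f in flows if f.proto == "udp"
                   and f.dst_ip == reflector_ip and f.dst_port == MEMCACHED_PORT)
    return sent / received if received else 0.0

# Constructed sample: three open memcached hosts (203.0.113.x) answer 40 spoofed 15-byte
# requests each with large replies aimed at 198.51.100.5; the rest is benign or isolated.
SAMPLE = [
    Flow("203.0.113.10", 11211, "198.51.100.5", 40000, "udp", 600, 800_000),
    Flow("203.0.113.11", 11211, "198.51.100.5", 40000, "udp", 550, 750_000),
    Flow("203.0.113.12", 11211, "198.51.100.5", 40000, "udp", 500, 700_000),
    Flow("198.51.100.5", 40000, "203.0.113.10", 11211, "udp", 40, 600),
    Flow("198.51.100.5", 40000, "203.0.113.11", 11211, "udp", 40, 600),
    Flow("203.0.113.10", 11211, "192.0.2.7", 53, "udp", 1, 1_400),      # lone reply, below threshold
    Flow("10.0.0.4", 5000, "10.0.0.9", 11211, "tcp", 100, 8_000),        # normal cache client (TCP)
    Flow("10.0.0.9", 11211, "10.0.0.4", 5000, "tcp", 100, 120_000),
]
```

Running `reflection_victims(SAMPLE)` reports only 198.51.100.5 (three reflectors, 2.25 MB, average packet about 1.3 kB), while the TCP cache traffic and the single stray reply are ignored.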

3. Additional Analysis

There is currently little intelligence that identifies or indicates the origin of these attacks, neither are there any reports of any adversary or collective claiming responsibility specifically for memcached attributed activity.

Often social media is used as the preferred medium in which to claim responsibility by those supposedly carrying out the attacks, which is a very common tactic with hacktivists who do so to promote their own motivated activities and ideologies. There are, as yet, no claims of responsibility for either the 1.3Tbps or the 1.7Tbps attack. This could indicate that the actor(s) behind the attacks may have realised the huge potential and value of their activity and, to prevent any potential disruptions, may be keeping it quiet in order to carry out further attacks.

Another reason that may result in no claims of responsibility may be that the DDoS attacks could be leveraged against gaming servers, which could result in significant collateral impact. DDoS attacks used by gamers against gamers are a common tactic, and with the existence of DDoS-for-hire-Services, it is very easy for gamers to get a hold of the tools necessary to carry out such activity.

With the large media reports on this new attack vector, focusing on the considerable 1.3Tbps and 1.7Tbps attacks, this is likely to raise interest among the many actors and groups involved in DDoS-related activity and hacktivism. This could potentially lead, if it has not already, to DDoS-for-hire services incorporating the attack vector into their offerings, which then extends the reach of the capability to more low-level actors. The more actors or groups that gain access to such DDoS services, the higher the risk that this attack vector will be leveraged against numerous businesses, crossing multiple industries worldwide. Akamai have already seen a noticeable increase in active scanning for open memcached servers since the media broke news of the new attack vector several days ago.

Imperva also reported on 1 March 2018, that they had observed two massive DDoS amplification attacks on 28 February, which was the same day as the 1.3Tbps attack. These two attacks were targeted against a cryptocurrency exchange, as well as e-commerce websites.

4. Recommendations

General recommendations for overall DDoS protection:

An organisation can help to protect themselves in the event of a DDoS incident by considering the following recommendations:

  •  The use of a third party DDoS mitigation tool or service.
  •  Have a well-established DDoS playbook to call upon when an incident occurs. Appropriately skilled personnel should be called upon to ensure the best level of protection and mitigation.
  •  Conducting a review of current DDoS mitigation tools with a view to assessing whether they are currently fit for purpose.
  •  Ensure your network has been target hardened.

Specific technical recommendations for this attack vector are as follows:

  •  To reduce the impact of UDP/11211, implement one of the following at your network edge (or ask your service provider):
       o  Rate limiting
       o  Access Control Lists

  •  Other approaches such as deploying Flowspec at the edge to block this traffic to the target address may be considered, but there is a significant delay in deploying this option as it is a manual process.


2.1 Ransomware

Ransomware is software that encrypts all the contents of a hard drive and then extorts payment, usually in bitcoins, in order to get the unlock code. Some ransomware can even encrypt any attached backup drives. Ransomware can and has been used against many individuals and was recently used against several hospitals. The use of ransomware is a very lucrative area for the bad actors—the offensive team. Some bad actors have capitalized even more on their investments by running ransomware help desks. To pay or not to pay, that will be the dilemma when ransomware strikes you or your company.


Why Should I Care About Cyber Security?

Good cyber security is tedious and expensive. For businesses, though, the alternative is loss of customer good will and potential closing of the business. On the personal side, the inconvenience of identity theft, data loss, and invasion of privacy exact a heavy toll on your finances and your time. The result is an unfair burden on small businesses and individuals. It is important to recognize that this is the way it is, this is the world we live in, and accept a personal, even if limited, role in being a good data steward and protector. This article discusses a select few of the cyber security incidents of the last couple of years in various categories to help you understand the magnitude and variety of what’s out there.

By being aware of the targets, potential attacks, and the defensive tools you have, you can diminish the hacker’s perceived relative gain for the time spent on you. For example, if a hacker determined that the profit was only a few cents per hour for the time spent, the hacker would find something more lucrative to do. In time, if we (the defensive team, the good guys) diligently protect ourselves, the sheer number of hackers and attacks will be reduced. The rest of the battle will become easier to defend against and we might even be able to track down those few remaining bad actors.



1.5 Post Attack

After a successful attack, there is work to be done in the areas of forensics, legal, insurance (hopefully purchased before the attack), damage assessment, and target cleanup/validation. In addition, policies and defences must be examined to figure out what went wrong and how to do a better job next time.

It might be hard to get motivated and started on your defensive measures, if you don’t know why cyber security matters. Read on!



1.4 Defensive

You or your team (the home team, the good guys) need to stop the offensive, otherwise the bad actors will win. The defensive has tactics that can be used to prevent a cyber security breach:

  1. Training and education
  2. Policies and procedures
  3. Law enforcement agreements
  4. Information sharing
  5. Threat intelligence
  6. Counter intelligence
  7. Hardware and software
  8. Current patches and techniques to improve security
  9. Encrypted data and hard drives on anything mobile—those things that are easily lost or stolen, such as phones, tablets, and laptops
