Re: Hackers Exploiting Vulnerability In Smart Doors To Launch DDoS Attacks

[Anastacia Iacono]

Linear eMerge E3 devices [1, 2, 3] fall in the hardware category of "access control systems." They are installed in corporate headquarters, factories, or industrial parks. Their primary purpose is to control what doors and rooms employees and visitors can access based on their credentials (access codes) or smart cards.

Despite the fact that six of the ten vulnerabilities had a vulnerability severity (CVSSv3) score of 9.8 or 10 out of a maximum of 10, NSC failed to provide patches, according to an Applied Risk security advisory.

Hackers exploiting vulnerability in smart doors to launch DDoS attacks

Download Zip https://xiuty.com/2yM1iG

The vulnerability they are using is CVE-2019-7256. Applied Risk described this vulnerability as a command injection flaw. It is one of the two that received a severity score of 10/10, meaning it can be exploited remote, even by low-skilled attackers without any advanced technical knowledge.

"This issue is triggered due to insufficient sanitizing of user-supplied inputs to a PHP function allowing arbitrary command execution with root privileges," SonicWall said in a security alert published last week. "A remote unauthenticated attacker can exploit this to execute arbitrary commands within the context of the application, via a crafted HTTP request."

This number is far lower than the millions of security cameras and home routers that are also available online. However, the small number of vulnerable devices has not dissuaded attackers so far, and exploitation attempts they're likely to continue.

But while having your smart building door system launch DDoS attacks on Steam or the PlayStation Network is one issue, a bigger threat is that these vulnerable systems can also be used as entry points into an organization's internal networks.

In August last year, Microsoft reported that it observed a Russian state-sponsored hacking crew using Internet of Things (IoT) smart devices as launching points for other attacks on corporate networks.

The Russian hackers tried to exploit a VOIP phone, an office printer, and a video decoder, Microsoft said, but the NSC Linear eMerge E3 devices are just as attractive targets, primarily due to the high severity of the ten security bugs disclosed last year.

System administrators managing networks were NSC Linear eMerge E3 devices are installed are advised to take these systems off the internet, or at least limit access to these devices using a firewall or VPN.

In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to a network. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.[1] The range of attacks varies widely, spanning from inundating a server with millions of requests to slow its performance, overwhelming a server with a substantial amount of invalid data, to submitting requests with an illegitimate IP address.[2]

In a distributed denial-of-service attack (DDoS attack), the incoming traffic flooding the victim originates from many different sources. More sophisticated strategies are required to mitigate this type of attack; simply attempting to block a single source is insufficient as there are multiple sources.[3] A DoS or DDoS attack is analogous to a group of people crowding the entry door of a shop, making it hard for legitimate customers to enter, thus disrupting trade and losing the business money. Criminal perpetrators of DoS attacks often target sites or services hosted on high-profile web servers such as banks or credit card payment gateways. Revenge and blackmail,[4][5][6] as well as hacktivism,[7] can motivate these attacks.

Panix, the third-oldest ISP in the world, was the target of what is thought to be the first DoS attack. On September 6, 1996, Panix was subject to a SYN flood attack, which brought down its services for several days while hardware vendors, notably Cisco, figured out a proper defense.[8] Another early demonstration of the DoS attack was made by Khan C. Smith in 1997 during a DEF CON event, disrupting Internet access to the Las Vegas Strip for over an hour. The release of sample code during the event led to the online attack of Sprint, EarthLink, E-Trade and other major corporations in the year to follow.[9] The largest DDoS attack to date happened in September 2017, when Google Cloud experienced an attack with a peak volume of 2.54 Tb/s, revealed by Google on October 17, 2020.[10] The record holder was thought to be an attack executed by an unnamed customer of the US-based service provider Arbor Networks, reaching a peak of about 1.7 Tb/s.[11]

In February 2020, Amazon Web Services experienced an attack with a peak volume of 2.3 Tb/s.[12] In July 2021, CDN Provider Cloudflare boasted of protecting its client from a DDoS attack from a global Mirai botnet that was up to 17.2 million requests per second.[13] Russian DDoS prevention provider Yandex said it blocked a HTTP pipelining DDoS attack on Sept. 5. 2021 that originated from unpatched Mikrotik networking gear.[14] In the first half of 2022, the war in Ukraine significantly shaped the cyberthreat landscape, with an increase in cyberattacks attributed to both state-sponsored actors and global hacktivist activities. The most notable event was a DDoS attack in February, the largest Ukraine has encountered, disrupting government and financial sector services. This wave of cyber aggression extended to Western allies like the UK, the US, and Germany. Particularly, the UK's financial sector saw an increase in DDoS attacks from nation-state actors and hacktivists, aimed at undermining Ukraine's allies.[15]

In February 2023, Cloudflare faced a 71 million/requests per second attack which Cloudflare claims was the largest HTTP DDoS attack at the time.[16] HTTP DDoS attacks are measured by HTTP requests per second instead of packets per second or bits per second. On July 10, 2023, the fanfiction platform Archive of Our Own (AO3) faced DDoS attacks, disrupting services. Anonymous Sudan, claiming the attack for religious and political reasons, was viewed skeptically by AO3 and experts. Flashpoint, a threat intelligence vendor, noted the group's past activities but doubted their stated motives. AO3, supported by the non-profit Organization for Transformative Works (OTW) and reliant on donations, is unlikely to meet the $30,000 Bitcoin ransom.[17][18] In August 2023, the group of hacktivists NoName057 targeted several Italian financial institutions, through the execution of slow DoS attacks.[19] On 14 January 2024, they executed a DDoS attack on Swiss federal websites, prompted by President Zelensky's attendance at the Davos World Economic Forum. Switzerland's National Cyber Security Centre quickly mitigated the attack, ensuring core federal services remained secure, despite temporary accessibility issues on some websites.[20] In October 2023, exploitation of a new vulnerability in the HTTP/2 protocol resulted in the record for largest HTTP DDoS attack being broken twice, once with a 201 million requests per second attack observed by Cloudflare,[21] and again with a 398 million requests per second attack observed by Google.[22]

Denial-of-service attacks are characterized by an explicit attempt by attackers to prevent legitimate use of a service. There are two general forms of DoS attacks: those that crash services and those that flood services. The most serious attacks are distributed.[23]

Multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one attack machine, and the behavior of each attack machine can be stealthier, making it harder to track and shut down. Since the incoming traffic flooding the victim originates from different sources, it may be impossible to stop the attack simply by using ingress filtering. It also makes it difficult to distinguish legitimate user traffic from attack traffic when spread across multiple points of origin. As an alternative or augmentation of a DDoS, attacks may involve forging of IP sender addresses (IP address spoofing) further complicating identifying and defeating the attack. These attacker advantages cause challenges for defense mechanisms. For example, merely purchasing more incoming bandwidth than the current volume of the attack might not help, because the attacker might be able to simply add more attack machines.[citation needed] The scale of DDoS attacks has continued to rise over recent years, by 2016 exceeding a terabit per second.[28][29] Some common examples of DDoS attacks are UDP flooding, SYN flooding and DNS amplification.[30][31]

A yo-yo attack is a specific type of DoS/DDoS aimed at cloud-hosted applications which use autoscaling.[32][33][34] The attacker generates a flood of traffic until a cloud-hosted service scales outwards to handle the increase of traffic, then halts the attack, leaving the victim with over-provisioned resources. When the victim scales back down, the attack resumes, causing resources to scale back up again. This can result in a reduced quality of service during the periods of scaling up and down and a financial drain on resources during periods of over-provisioning while operating with a lower cost for an attacker compared to a normal DDoS attack, as it only needs to be generating traffic for a portion of the attack period.

An application layer DDoS attack (sometimes referred to as layer 7 DDoS attack) is a form of DDoS attack where attackers target application-layer processes.[35][26] The attack over-exercises specific functions or features of a website with the intention to disable those functions or features. This application-layer attack is different from an entire network attack, and is often used against financial institutions to distract IT and security personnel from security breaches.[36] In 2013, application-layer DDoS attacks represented 20% of all DDoS attacks.[37] According to research by Akamai Technologies, there have been "51 percent more application layer attacks" from Q4 2013 to Q4 2014 and "16 percent more" from Q3 2014 to Q4 2014.[38] In November 2017; Junade Ali, an engineer at Cloudflare noted that whilst network-level attacks continue to be of high capacity, they were occurring less frequently. Ali further noted that although network-level attacks were becoming less frequent, data from Cloudflare demonstrated that application-layer attacks were still showing no sign of slowing down.[39]

7fc3f7cf58