Amplified DDoS Attacks Due to Weaponizing TCP Middlebox Reflection

DDoS attacks have long been a problem, and to no one's surprise they remain a big one today. Recently, attackers have begun amplifying their DDoS attacks by weaponizing TCP middlebox reflection. This lets them do far more damage with the same resources and has caused serious problems for technology companies.

Image source: https://thehackernews.com/2022/03/hackers-begin-weaponizing-tcp-middlebox.html

What is a DDoS attack?

A distributed denial-of-service (DDoS) attack is a method used by cybercriminals to slow down or stop networks from operating. This is done by flooding a network with malicious traffic to the point that it cannot operate normally. DDoS attacks are usually used to stop people from being able to use a website, causing problems for both the owner and users of the website.

Image source: https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/

What is a Middlebox and TCP?

Before talking about why weaponizing TCP middlebox reflection is such a big deal, let's take a look at what it is exactly. A middlebox is a device that sits between two communicating end hosts and is used to inspect, filter, and transform the packet streams passing through it. Middleboxes are widely used all over the world, and are often deployed by countries that wish to censor the internet. Transmission Control Protocol (TCP) organizes data into an ordered, acknowledged stream of segments so that a server and a client can exchange it reliably.

How are TCP Middlebox Reflections being used to attack?

TCP middlebox reflection abuses the middlebox's content filtering and bounces traffic generated by the middlebox onto a victim. The attacker sends requests to a server with the source IP spoofed to be the victim's address; the request is usually an HTTP request for content that the middlebox is configured to block. Ordinarily the middlebox would simply block the connection, but many middleboxes do not track TCP stream state when filtering content. Because of this, when a request for blocked content arrives over a TCP stream the middlebox never saw established, it assumes that some packets got through, and to stop the user from reaching the restricted content it floods the client's browser with its own response traffic. Since the source address was spoofed to the victim's IP, all of that traffic is reflected to the victim's browser, hence the use of "reflection" in the name. The middlebox floods the victim's address with far more data than the attacker sent, exhausting the victim's bandwidth, which is what makes the attack so damaging.

Researchers from Akamai claim that "This type of attack dangerously lowers the bar for DDoS attacks, as the attacker needs as little as 1/75th (in some cases) the amount of bandwidth from a volumetric standpoint." This shows how much easier it is to DDoS using TCP middlebox reflection than with other methods such as UDP-based attacks.

Source: https://thehackernews.com/2022/03/hackers-begin-weaponizing-tcp-middlebox.html

Who is being targeted, and how can it be stopped?

While there have not been many observed attacks so far, researchers believe that the number of attacks using TCP middlebox reflection will greatly increase, since these attacks are easy and effective. In the past few days, the main targets have been banks, media outlets, and web-hosting companies; however, this list is likely to grow in the future.

Image source: https://aws.amazon.com/shield/ddos-attack-protection/

There are many methods that could be used to stop this type of attack, such as removing all censorship of the internet everywhere. However, that might not be the most practical method (although I'm sure many people would like that). A more realistic way to mitigate these attacks is anti-spoofing: if spoofed packets are dropped at the network edge, the middlebox never sees the forged request and so does not flood the browser of the victim associated with the spoofed IP. Other DDoS mitigation methods can also be used, since, although new, this is still a DDoS attack, so networks specially designed to absorb DDoS traffic can be helpful.
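The two defensive measures this section relies on, dropping spoofed packets at the network edge (anti-spoofing, the BCP38 idea) and noticing reflected traffic on the victim side, can both be expressed as simple packet-record checks. The block below is an added example written for this page; it is not code from the original post or from Akamai. The packet records, prefixes and addresses are constructed (documentation ranges), and the record layout is an assumption for the sake of the example.

```python
import ipaddress
from collections import defaultdict


def pkt(src, sport, dst, dport, flags, length=0):
    """One constructed TCP packet record. Flag letters: S=SYN, A=ACK, P=PSH, R=RST."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": flags, "len": length}


# Constructed sample 1: packets leaving a customer network, as seen by its ISP.
# 192.0.2.0/24 is the customer's assigned prefix; 203.0.113.9 is someone else's
# address (the intended victim) and therefore cannot legitimately appear as source.
CUSTOMER_EGRESS = [
    pkt("192.0.2.10", 40001, "198.51.100.5", 80, "S"),         # normal SYN
    pkt("203.0.113.9", 4444, "198.51.100.77", 80, "S"),         # spoofed source
    pkt("203.0.113.9", 4444, "198.51.100.77", 80, "PA", 120),   # spoofed request
]

# Constructed sample 2: packets seen at the victim network edge (203.0.113.0/24).
# Host .7 really opened a connection; host .9 never did but receives a flood
# of data and resets from a server behind a middlebox.
VICTIM_EDGE = [
    pkt("203.0.113.7", 50000, "198.51.100.5", 80, "S"),
    pkt("198.51.100.5", 80, "203.0.113.7", 50000, "SA"),
    pkt("198.51.100.5", 80, "203.0.113.7", 50000, "PA", 1400),
] + [pkt("198.51.100.77", 80, "203.0.113.9", 4444, "PA", 1400) for _ in range(50)] \
  + [pkt("198.51.100.77", 80, "203.0.113.9", 4444, "R") for _ in range(5)]


def ingress_filter(packets, allowed_prefixes):
    """BCP38-style source validation at the customer-facing edge: forward a
    packet only if its source address belongs to a prefix assigned to that
    customer. Returns (forwarded, dropped)."""
    nets = [ipaddress.ip_network(p) for p in allowed_prefixes]
    forwarded, dropped = [], []
    for p in packets:
        src = ipaddress.ip_address(p["src"])
        (forwarded if any(src in n for n in nets) else dropped).append(p)
    return forwarded, dropped


def unsolicited_inbound(packets, local_prefix, min_packets=20):
    """Victim-side detector: report local hosts that receive TCP payload or
    RSTs on 4-tuples they never opened. An outbound SYN (without ACK) from a
    local host marks that 4-tuple as solicited; reflected middlebox traffic
    never has one because the SYN was sent by the attacker from elsewhere."""
    local = ipaddress.ip_network(local_prefix)
    opened = set()
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set()})
    for p in packets:
        src, dst = ipaddress.ip_address(p["src"]), ipaddress.ip_address(p["dst"])
        if src in local and "S" in p["flags"] and "A" not in p["flags"]:
            opened.add((p["src"], p["sport"], p["dst"], p["dport"]))
        elif dst in local and (p["len"] > 0 or "R" in p["flags"]):
            key = (p["dst"], p["dport"], p["src"], p["sport"])
            if key not in opened:
                s = stats[p["dst"]]
                s["packets"] += 1
                s["bytes"] += p["len"]
                s["sources"].add(p["src"])
    return {host: {"packets": s["packets"], "bytes": s["bytes"],
                   "sources": sorted(s["sources"])}
            for host, s in stats.items() if s["packets"] >= min_packets}


if __name__ == "__main__":
    fwd, drop = ingress_filter(CUSTOMER_EGRESS, ["192.0.2.0/24"])
    print(f"ISP edge: forwarded {len(fwd)}, dropped {len(drop)} spoofed packet(s)")
    for host, info in unsolicited_inbound(VICTIM_EDGE, "203.0.113.0/24").items():
        print(f"victim edge: {host} got {info['packets']} unsolicited packets "
              f"({info['bytes']} bytes) from {info['sources']}")
```

The ingress filter is the check the post calls anti-spoofing: applied at the attacker's upstream, it drops the forged request before any middlebox can answer it. The victim-side detector does not stop the flood but tells you which hosts are receiving reflected traffic and from which reflectors, which is the information you need to engage upstream filtering or a scrubbing service.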

References:

https://thehackernews.com/2022/03/hackers-begin-weaponizing-tcp-middlebox.html

https://www.akamai.com/blog/security/tcp-middlebox-reflection

https://usa.kaspersky.com/resource-center/preemptive-safety/how-does-ddos-attack-work

Malware in Gaming: A recipe for disaster?

THE ELECTRON-BOT MALWARE

With the sharp rise of the gaming industry, it was certain that malicious actors would prey on the naivety of the players on the other end of the screen. While in 2022 such incidents are well known, it is less common to hear of attackers using the video games themselves to take over a user's social media accounts.

Enter Electron-bot, named by Check Point Research: a new malware strain that is actively being distributed through the Microsoft Store itself. Electron-bot has the capacity to control accounts on Facebook, Google, and SoundCloud.

The first of the malware's capabilities is a technique called SEO poisoning: the criminals create malicious websites and optimize them for search engines so that they appear at the top of the user's search results.

Another capability is directing the user's device to advertisements as an easy way to generate revenue: the malware creates the illusion that the user has interacted with an advertisement many times, thereby increasing the revenue generated. It can also promote social media accounts and online products, again to increase revenue.

Finally, the payload appears to be dynamically loaded, which lets the actors use the malware as a backdoor, potentially gain access to the victim's entire system, and change the malware's functionality every time it is run.

At first glance, Electron-bot is invisible to the user browsing the Microsoft Store. The malware masks itself as games that appear legitimate, and the user has no second thoughts about what has just been installed.

After installation, the attacker immediately downloads files and executes scripts, and the malware runs the various commands sent by the attacker. It also evades detection by imitating human browsing behaviour to bypass website protections.

Analysis has shown that most of the evidence points to the malware originating in Bulgaria: the malware versions were uploaded to cloud storage from Bulgaria, and the accounts promoted by the bot belong to a Bulgarian wrestler/soccer player.

Most of the affected victims reside in Sweden, Bermuda, Israel, and Spain, although it is worth noting that over 5,000 users in 20 countries have been affected.

The process from download to execution of the Electron-Bot malware through the Microsoft store

A POWDER KEG?

Obviously, it's not surprising that online forms of entertainment can be used by malicious actors to take advantage of the average person. It's often the area where most of us lower our guard. In this case, the methods the malware uses to exploit the victim appear comparatively tame, such as remotely interacting with advertisements. What I believe we should be wary of, however, is the possibility that this could spiral out of control. If breaches of this level are possible, what's to stop the next malicious actor from implementing malware that commits heinous crimes in the victim's name, all through the download of what is perceived to be a regular game? It's also important to keep in mind that the intended audience for games is typically children, leaving a dangerous opening for activities that take advantage of children, and more.

It was stated above that the malware was able to gain access to the victim's device, and in the hands of an even more malicious actor it could be used to gain access to the user's personal information; it's quite clear where that could lead. Fraud, identity theft, money laundering and the like are more commonplace than we'd like to acknowledge, and methods that minimize the work required of the attacker, such as the victim downloading a compromised game of their own accord, maximize the likelihood of such events.

WHAT CAN BE DONE?

So, with such potential for danger, how can we protect ourselves? Well, there's no one definitive solution, but it's always important never to download a game you're not completely sure about; unless you know exactly where it comes from, it's safest to assume it has been compromised in some way. However, this may be too restrictive an option to follow day to day. Luckily, there are reliable sources such as Check Point Research, mentioned above, whose main goal is to keep up to date with potential cybersecurity issues in the community. Then again, all you want to do is play some games, right? In that case, it's best not to download games that haven't been fully checked and approved by the vendor, since those reviewed by the vendor have to meet the required standard before sale, reducing the risk of compromise by third parties.

References:

https://thehackernews.com/2022/02/social-media-hijacking-malware.html

https://securitybrief.asia/story/bot-malware-uncovered-using-gaming-applications-on-microsoft-store#:~:text=Dubbed%20Electron%2Dbot%20by%20CPR,up%20prominently%20in%20search%20results.

https://research.checkpoint.com/

Ransomware attack on Toyota Motors, halts production across Japan

Toyota Motor Company suspended all factories in Japan on Tuesday, March 1, after a critical supplier suffered a ransomware attack that disrupted the automaker's parts supply management system. The Japanese automobile giant had to suspend 28 production lines at 14 factories across Japan for 24 hours [1].

In a statement on March 1, 2022, Toyota said: "We would like to apologize again to our customers, suppliers, and other related parties for any inconvenience caused by today's sudden shutdown." [2]

Figure 1

What is Ransomware?

Ransomware is a kind of cryptovirological malware that threatens to publish the victim's data or permanently block access to it unless a ransom is paid. While some ransomware locks the system in a way that a trained user can easily undo, more advanced strains employ a tactic known as cryptoviral extortion: they encrypt the victim's files, rendering them inaccessible, and demand a ransom to decrypt them.


About the Cyberattack

Kojima Industries, a supplier of plastic parts and electronic components for Toyota, was the target of this attack. The supplier confirmed on Tuesday morning that it had shut down its server on Sunday, February 27, after discovering malware and a threatening message, which could indicate it had been the target of a ransomware attack [3].

An official close to Kojima Industries told Nikkei: "It is true that we have been hit by a cyberattack. We are still confirming the damage and we are hurrying to respond, with the top priority of resuming Toyota's production system as soon as possible." [4]

The company said that it is still investigating the origin of the attack, as well as the damage caused to its system: "Toyota representatives and cybersecurity experts are at Kojima Industries to determine the cause and how to restore" [4].

You might be wondering why a cyberattack on a supplier affects the Toyota Motor Company. It is because Toyota's direct suppliers are all linked to the automaker's 'kanban' just-in-time production control system, so a threat at Kojima spills over into Toyota's IT systems.


Impact of the Cyberattack

Halting operations across Japan for 24 hours is estimated to impact about 5% of output for the month, roughly 13,000 vehicles. Toyota subsidiaries Daihatsu Motors and Hino Motors also had to stop production, but the exact impact on them is not clear [5].

Figure 2

Russia Link?

The attack occurred just after Japan joined Western allies in condemning Russia for invading Ukraine. Over the weekend, Japanese Prime Minister Fumio Kishida stated that Japan would join the United States and other countries in barring selected Russian banks from the SWIFT international payment system. He also said that Japan would provide $100 million in emergency relief to Ukraine. However, it is unclear whether the two events are connected [6].

According to Kishida, the government will investigate the event and determine whether Russia was involved in the cyberattack: "Regarding any connection with Russia, it is hard to answer until we have conducted thorough checks." [3]

Figure 3

How to respond to a Ransomware Attack

=> Report to the authorities

OR

=> Decide whether to pay the ransom

OR

=> Consider the following steps to help remove and reduce the spread of ransomware.

  1. Take your devices offline to stop the ransomware from spreading to other connected devices.
  2. Use the information in the ransom note (e.g. listed URLs) and the new file extensions your encrypted files inherited to research possible recurring attacks and identify the ransomware strain.
  3. Use an online decryption tool for the identified strain to remove the ransomware from your devices; it should decrypt your files and make them accessible again.
  4. If there is no decryption tool available online for your strain of ransomware, safely wipe your device and reinstall the operating system.
  5. Analyze your backup files and ensure they are free of the ransomware or any other malware. Store your backups offline to mitigate the chance of the ransomware infecting your backup files.
  6. Apply any available updates to your devices, hardware, and software. Patch your operating system and ensure all anti-virus, anti-malware, and firewall software are up to date.
  7. Reset credentials including passwords on all systems, devices, and accounts.
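Step 2 above is the one that is easy to get wrong under pressure: you need an inventory of which extension the encrypted files were renamed to and the text and URLs of every ransom note before you can look the strain up. The read-only triage script below is an added example for this page, not code from any of the cited sources; it builds a small constructed directory tree that imitates an encrypted share, and the "known extensions" list, note-name patterns and keyword list are assumptions you would tune for your own environment.

```python
import os
import re
import tempfile
from collections import Counter

# Extensions that are normal in this (assumed) environment; anything else is
# reported so the analyst can see what the files were renamed to.
KNOWN_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".csv", ".py"}
# Ransom notes are usually named to be noticed; these name fragments are assumptions.
NOTE_NAME = re.compile(r"(readme|restore|decrypt|how.?to|recover|ransom)", re.I)
NOTE_KEYWORDS = ("bitcoin", "decrypt", "ransom")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def triage(root):
    """Walk `root` without modifying anything and return:
    - extensions: count of files per unexpected extension,
    - samples: one example path per unexpected extension,
    - notes: candidate ransom notes with the keywords and URLs found in them.
    Only the first 4 KiB of a candidate note is read."""
    ext_counts = Counter()
    samples = {}
    notes = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            base, ext = os.path.splitext(name)
            ext = ext.lower()
            if ext and ext not in KNOWN_EXTENSIONS:
                ext_counts[ext] += 1
                samples.setdefault(ext, path)
            if NOTE_NAME.search(base):
                try:
                    with open(path, "r", errors="ignore") as fh:
                        head = fh.read(4096)
                except OSError:
                    continue
                lowered = head.lower()
                hits = [k for k in NOTE_KEYWORDS if k in lowered]
                if hits:
                    notes.append({"path": path, "keywords": hits,
                                  "urls": URL_RE.findall(head)})
    return {"extensions": dict(ext_counts), "samples": samples, "notes": notes}


def build_sample_tree():
    """Constructed sample data: a temp directory that looks like a share hit by
    ransomware (three renamed documents, one untouched image, one note)."""
    root = tempfile.mkdtemp(prefix="triage-")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    for i in range(3):
        with open(os.path.join(docs, f"report{i}.docx.locked"), "wb") as fh:
            fh.write(os.urandom(64))  # stands in for ciphertext
    with open(os.path.join(docs, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff")  # untouched file, a normal extension
    with open(os.path.join(root, "README_TO_RESTORE.txt"), "w") as fh:
        fh.write("Your files are encrypted. Send bitcoin to the address at "
                 "http://payment.example/pay to decrypt them.\n")  # placeholder URL
    return root


if __name__ == "__main__":
    report = triage(build_sample_tree())
    print("renamed extensions:", report["extensions"])
    for note in report["notes"]:
        print("ransom note:", note["path"], note["keywords"], note["urls"])
```

The output (extension, note keywords, URLs) is exactly what you would feed into a ransomware identification service or a threat-intel search in step 2; the script opens files read-only, so running it does not disturb evidence for the authorities mentioned above.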

References:

  1. https://www.itsecurityguru.org/2022/03/01/toyota-hit-with-ransomware-attack-stops-production/
  2. https://www.cshub.com/attacks/news/iotw-car-production-halted-by-toyota-after-suspected-cyber-attack
  3. https://www.bloomberg.com/news/articles/2022-02-28/toyota-to-halt-plants-after-cyberattack-on-supplier-nikkei-says
  4. https://asia.nikkei.com/Spotlight/Supply-Chain/Toyota-halts-operations-at-all-Japan-plants-due-to-cyberattack
  5. https://www.bleepingcomputer.com/news/security/toyota-halts-production-after-reported-cyberattack-on-supplier/
  6. https://www.reuters.com/business/autos-transportation/toyota-suspends-all-domestic-factory-operations-after-suspected-cyber-attack-2022-02-28/?taid=621cbb9ced681a0001a16ec6&utm_campaign=trueAnthem:+Trending+Content&utm_medium=trueAnthem&utm_source=twitter
  7. Figure 1: https://www.itsecurityguru.org/2022/03/01/toyota-hit-with-ransomware-attack-stops-production/
  8. Figure 2: https://www.istockphoto.com/photo/a-red-arrow-probably-from-a-computer-chart-pointing-down-gm463750989-33309970
  9. Figure 3: https://www.bloomberg.com/news/articles/2022-02-28/toyota-to-halt-plants-after-cyberattack-on-supplier-nikkei-says

The conflict between Nvidia and Ransomware Group Lapsus

Image source: https://www.leiphone.com/category/chips/rBMdYuuNJUPPTvNI.html

What happened in NVIDIA?

NVIDIA, the inventor of the GPU, which powers interactive graphics on laptops, workstations, mobile devices, notebooks, and PCs, announced that it had suffered a cyber-attack on February 25. Some important information was stolen, and the hackers are currently leaking the stolen data on the Internet.

Some people speculated that this attack may be connected to the recent conflict between Ukraine and Russia. However, there is no evidence to support this inference.

Image source: https://mbd.baidu.com/newspage/data/landingsuper?context=%7B%22nid%22%3A%22news_9678683255107140762%22%7D&n_type=1&p_from=4

Nvidia said in a statement that, according to the company's current investigation, external hackers obtained employee account password information and used it to enter the system, stealing some proprietary confidential information from the company's systems.

Nvidia first discovered the hack on February 23, quickly strengthened its security, then contacted cybersecurity experts and notified the police. Nvidia's team analyzed the stolen information; preliminary estimates showed that the hack would not disrupt the company's business or its ability to serve customers.

Who launched the attack?

Image source: https://www.crn.com/news/security/nvidia-hacks-ransomware-gang-back-to-block-data-leaks-group-claims?itc=refresh

Early Saturday morning, the dark web intelligence company DarkTracer announced that Lapsus$, the ransomware gang, had claimed responsibility for this cyber-attack, leaked what it said were password hashes of Nvidia employees, and noted that it held other data including source code and information related to RTX GPUs. The stolen data is around 1TB in size. Lapsus$ threatened to release the data if its demands, namely an unspecified sum of money, were not met.

A person familiar with the matter reported that the hack was part of a so-called "ransomware attack." In this type of attack, a hacker installs encryption software on the compromised system so that its data cannot be read by the owner, and then demands a ransom to remove the encryption.

However, Nvidia said that no malware had been deployed on its internal network so far. Instead, the hackers stole vital data outright, and they set conditions that required Nvidia to lift the restrictions on some graphics card products that limit how efficiently those cards can "mine" cryptocurrencies.

What were the consequences?

Nvidia turned down the hackers' extortion, and they started disclosing the stolen data. In response to Nvidia's refusal, Lapsus$ announced that it was already shipping unlock codes that can bypass Nvidia's official LHR (Lite Hash Rate) limiter installed on the GA102 and GA104 chips. The group also claimed that among the 1TB of stolen data were Nvidia's product drawings, drivers, firmware data, proprietary tools, software developer tools, and more. There is also "All About Falcon." Falcon is a special microcontroller architecture found in all of Nvidia's graphics cards, used for a wide range of functions, from program security to memory copying to video decoding.

If the Lapsus$ threat is carried out, all Nvidia 3000 series graphics cards could once again perform at 100% mining performance. However, apart from benefiting miners who have installed NVIDIA graphics cards, it is not clear what impact this would have on the future cryptocurrency market and graphics card market. Considering that Ethereum's move to a proof-of-stake mechanism is expected to complete in the first half of 2022, any investor who buys NVIDIA graphics cards as mining hardware will not have much time to recoup their cost. Given the speculative boom and sharp volatility of the cryptocurrency market over the past two years, miners with long-term plans are unlikely to spend a lot of money on the strength of a hacker group's short-lived promises.

Image source: https://www.163.com/dy/article/H1F3PCJJ0511ABV6.html

Conclusion

According to Nvidia's official reply email, it is not possible to confirm which Nvidia technology was stolen. When the media contacted Nvidia's internal staff privately, the responses they got were surprisingly consistent with the official statement: the damage was limited and controllable. However, judging from the drama, back-and-forth, and twists and turns of the matter, the impact of the stolen data on Nvidia should not be underestimated. There is no doubt that the cyber attack on Nvidia has taught all companies a lesson: in order to protect business interests and technological advantages, it is necessary to pay attention to cybersecurity.

References

  • https://portswigger.net/daily-swig/cyber-attack-on-nvidia-linked-to-lapsus-ransomware-gang
  • https://www.chamberlainsun.com/nvidia-confirms-it-is-investigating-an-incident-said-to-be-a-cyber-attack/
  • https://metro.co.uk/2022/02/28/nvidia-hit-by-cyberattack-so-they-hack-the-hackers-as-revenge-16187846/
  • https://hothardware.com/news/lapsus-claims-nvidia-hacked-back-after-its-attack
  • https://www.pcmag.com/news/nvidia-confirms-company-data-was-stolen-in-hack
  • https://www.blackhatethicalhacking.com/news/cyber-attack-on-nvidia-linked-to-lapsus-ransomware-gang/

Cyclops Blink: U.S. and U.K. Authorities warn about Russian Malware

Cyclops Blink is malware developed by the Sandworm Group that builds a botnet by attacking network devices. It is the more advanced framework that the group, which is affiliated with the Russian government, deployed in June 2019 after its VPNFilter malware was exposed. Cyclops Blink has mostly targeted network devices made by WatchGuard (a network security vendor), but Sandworm Group is considered capable of adapting the malware to other architectures and firmware.

Cyclops Blink [5]

Who are Sandworm Group?

Sandworm Group, also known as Voodoo Bear, is a hacker group that is considered to be working for the Russian government. The group has been active since at least 2008 and is known for targeting Ukrainian companies and government agencies. One of its most famous operations was the BlackEnergy attack in 2015, which targeted electrical utilities in Ukraine, destroying entire networks and causing power outages. Furthermore, right before the recent Russian invasion of Ukraine, the group hit multiple Ukrainian bank and government websites with Distributed Denial of Service (DDoS) attacks, leading to approximately 70 websites going down and the Ukrainian IT infrastructure being compromised.

History of Cyclops Blink

Before deploying Cyclops Blink, Sandworm Group was using the so-called VPNFilter malware, which was exposed in 2018 by Cisco. VPNFilter attacked small office/home office (SOHO) network devices and network attached storage (NAS) and enabled monitoring of the Modbus SCADA protocol, which is often seen in Sandworm Group's attacks. The malware had no specific target apart from a spike in activity in Ukraine in May 2018, and ever since its exposure the activity has significantly decreased as the group shifted to developing the newer framework, Cyclops Blink.

How is Cyclops Blink distributed?

Cyclops Blink is installed as a fake firmware update and thereby persists across reboots and legitimate firmware updates, so once installed, extra steps are necessary to get rid of the malware. The (most commonly targeted) WatchGuard appliances are only vulnerable if they were manually configured to allow unrestricted management access from across the internet. This always poses a security risk and is therefore disabled in the default settings. WatchGuard published guidance on its website on how to detect and remove the malware and patched the vulnerability in May 2021, after an estimated 1% of its devices were affected.

What does it do?

Once installed, Cyclops Blink can download and execute files using the Linux API (Unix shell), and to remain undetected the process poses as a Linux kernel thread. The malware can also add new modules while it is running, so additional capability can be implemented at runtime as needed. Furthermore, the infiltrated device itself may not be the main target of the attack; it can be used as a platform to conduct attacks on others.

The client clusters communicate with the C2 layer, which Sandworm Group contacts through the Tor Browser. [4]

The affected devices are organized into clusters, and each device holds a list of IPv4 addresses and port numbers for command and control (C2) communication. The device randomly selects a C2 server from that list and beacons device information to it; this communication is enabled by a modification of the device's Linux firewall rules. Communication between clients and servers is protected with Transport Layer Security (TLS) using individual keys and certificates, which are stored encrypted with AES-256-CBC. Sandworm Group then manages the botnet by connecting to the C2 server layer through the Tor network.
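The beaconing behaviour described above, a device picking a server from a fixed list and reporting in at regular intervals, is something a defender can look for in outbound-connection logs from a perimeter appliance. The script below is an added example for this page and is not from any of the cited advisories; the connection log is constructed (documentation address ranges, an arbitrary port and a one-hour beacon period), and the log format, thresholds and the period-regularity heuristic are assumptions, not Cyclops Blink indicators.

```python
import statistics
from collections import defaultdict


def make_sample_log():
    """Constructed outbound-connection records: (epoch_seconds, src, dst, dport).
    10.0.0.1 plays an infected appliance that rotates through a three-entry
    server list once an hour; 10.0.0.55 is a workstation with irregular traffic."""
    log = []
    t0 = 1_646_000_000
    server_list = ["198.51.100.20", "198.51.100.21", "203.0.113.40"]  # constructed
    for i in range(24):
        dst = server_list[(i * 7) % 3]           # "random" pick from the list
        log.append((t0 + i * 3600 + (i % 3) * 11, "10.0.0.1", dst, 636))
    t = t0
    for gap in (5, 900, 30, 4000, 120, 7000, 60):  # bursty human-driven traffic
        t += gap
        log.append((t, "10.0.0.55", "192.0.2.80", 443))
    return sorted(log)


def find_beacons(log, min_connections=6, max_cv=0.1, allowlist=()):
    """Flag (src, dst, port) flows whose inter-connection intervals are regular,
    measured by the coefficient of variation (stdev / mean) of the gaps, then
    group the hits per source. A device that beacons to several servers from a
    list shows up as one source with several equally regular destinations.
    `allowlist` holds destinations (e.g. your own update servers) to ignore."""
    by_flow = defaultdict(list)
    for ts, src, dst, port in sorted(log):
        if dst not in allowlist:
            by_flow[(src, dst, port)].append(ts)
    hits = defaultdict(list)
    for (src, dst, port), times in by_flow.items():
        if len(times) < min_connections:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            hits[src].append({"dst": dst, "port": port,
                              "period_s": round(mean), "cv": round(cv, 3)})
    return dict(hits)


if __name__ == "__main__":
    for src, flows in find_beacons(make_sample_log()).items():
        print(f"{src}: {len(flows)} regular destination(s)")
        for f in flows:
            print(f"  -> {f['dst']}:{f['port']} every ~{f['period_s']}s (cv={f['cv']})")
```

On the constructed log the appliance is reported with three destinations at a period of three hours each (one hour per beacon, spread over a three-entry list), while the workstation's bursty traffic fails the regularity test. In practice you would run this over firewall or NetFlow exports from the appliance's upstream rather than from the appliance itself, since, as the section notes, the malware modifies the device's own firewall rules.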

With the current geopolitical situation in Ukraine, this is an important topic to watch, as the importance of cyberwarfare has grown significantly in recent years and similar attacks are likely to happen more often. Staying alert is strongly recommended!

References:

[1] https://blog.malwarebytes.com/threat-spotlight/2022/02/cyclops-blink-malware-us-and-uk-authorities-issue-alert/
[2] https://www.watchguard.com/wgrd-news/blog/important-detection-and-remediation-actions-cyclops-blink-state-sponsored-botnet
[3] https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf
[4] https://www.cisa.gov/sites/default/files/publications/AA22-054A%20New%20Sandworm%20Malware%20Cyclops%20Blink%20Replaces%20VPN%20Filter.pdf
[5] http://blog.talosintelligence.com/2022/02/threat-advisory-cyclops-blink.html

Corporations on the battlefield: How big tech is shaping the war in Ukraine

Image source: https://static.euronews.com/articles/wires/830/73/8307332/1000x563_sve5q.jpg

Invaded on three sides by Russia in a pitched battle to defend their sovereignty, Ukraine has enlisted an unexpected ally: big tech corporations.

Meta, the parent company of Facebook Inc., recently announced that it would be restricting Russian state-controlled media on its platforms, including Facebook and Instagram. The move came as public pressure mounted on the social media giant and others to rein in disinformation related to Ukraine [2].

They aren't alone. Twitter Inc. announced that it was temporarily suspending all advertisements in Russia and Ukraine. Reddit responded to the conflict by quarantining r/Russia and r/RussiaPolitics, citing a high degree of disinformation from the subreddits [REF]. Alphabet Inc., the parent company of Google, also joined the fray by suspending Russian state-media channels on YouTube and pausing their access to Google ad services.

Russian authorities have responded by accusing Facebook of censoring its news outlets. According to NPR, Russian regulators first demanded that Facebook stop the independent fact-checking of their news agencies [2]. When Facebook refused, they proceeded to throttle the company’s operations in Russia, slowing the site considerably. Twitter was also targeted by the restrictions [6].

ARE WE SURE THIS IS A GOOD THING?

On its own merits, corporate participation in a national war effort is hardly new. Volkswagen, the world's largest automaker by sales, famously got its start in Nazi Germany, eventually producing military vehicles for the Wehrmacht and even going as far as using Jewish slave labour to meet production goals. What's different in 2022 is that the weapons of choice are no longer limited to hardware. Today's big tech firms are waging war with something far less tangible: the truth.

At first glance, the intervention is seemingly positive. Much of the world is united in opposition to Moscow’s land grab, and efforts to intervene in the conflict by big tech enjoy broad support in the public. But outside the Ukrainian theatre, the level of influence corporations exercise on the public discourse – especially on topics as serious as open warfare – warrants closer attention from all stakeholders in democracy.

Results of a Morning Consult poll on companies acting against Russia https://morningconsult.com/2022/02/28/russia-ukraine-invasion-companies-take-action/

Russia is not the first nation to use social media to spread propaganda. From 2016 to 2017, Myanmar conducted a brutal ethnic cleansing campaign against the Rohingya Muslim minority living there. Widely condemned as a genocide, it left the Rohingya stateless and forced most of them to flee to neighbouring Bangladesh. Facebook was a key vector for the hateful propaganda levelled at the Rohingya, and the company was castigated for its perceived failure to moderate the content on its platform [9]. Disinformation campaigns on social media were also prevalent in the lead-up to both the UK's 2016 Brexit vote and the 2016 presidential election in the United States [10,11]. One might argue that the rapid response from Meta and other big tech firms in this conflict was a direct response to past criticism of inaction. However, there are real drawbacks to these platforms being shut down in Russia.

Despite rampant propaganda from state media, much of Russia's population is staunchly opposed to the invasion of Ukraine. Since Russian forces first moved into Ukraine on February 24th, many Russian citizens have taken to the streets to voice their opposition to Putin's Soviet revivalism. Dissidents and protesters have been arrested en masse at these demonstrations, and the unrest has only grown as sanctions have destabilized the Russian monetary system [13]. Social media was a crucial tool in organizing these demonstrations, and many Russian dissenters were left in the cold without access to the platforms [5].

The corporate response also raises another question: should we leave the task of deciding what is true and what isn't in the hands of profit-motivated companies? Sure, most agree (myself included) that the response was appropriate in this conflict, but what about other conflicts that are more obscure to the Western media ecosystem, or where the fault of the combatants is less readily assigned? What about when platforms have a conflict of interest in telling the truth, say, for example, when their host nation is the aggressor? Could we rely on them to stop the spread of disinformation if doing so compromised their bottom lines?

One could also conceive of a scenario where a platform founded in a foreign state gained significant popularity within another nation. If a conflict were to then break out between those nations, the platform might have a vested interest in perpetuating the spread of disinformation in the non-host nation. Such influences could potentially wreak havoc on their ability to mount a unified response. While you can argue that such scenarios are far-fetched, concerns of external destabilization such as these were precisely what motivated China to develop its “intranet”, wherein western social media platforms are barred from providing services to the Chinese public [14].

IT’S MORE THAN JUST THE TRUTH.

Beyond policing truth, big tech is also influencing the Ukraine conflict in more conventional ways. In compliance with sanctions levied by the U.S. and others in the West, VISA and Mastercard suspended their services in Russia. Chip manufacturers Intel and AMD have announced that they are halting all sales to Russia, and Apple Inc. has also stopped selling its products in Russia. Elon Musk announced that Starlink was activating its service in Ukraine, bolstering the embattled nation's flagging internet connectivity as Russia targets its telecommunications infrastructure [19]. Together these actions are crippling Russia's technological capacity and have severely weakened the flow of capital in the country.

A CONCLUSION.

Ultimately, though big tech has made important contributions to the conflict in Ukraine, the jury’s out on whether it will have a deciding influence on its outcome. The digital theatre of war, for all its prominence in the 21st century, remains a distant afterthought for the average Ukrainian, sifting through the rubble of once sturdy buildings by day, and anxiously awaiting the next round of bombs by night. They know a different truth: that wars are decided not by what happens on the internet, but by the resolve of a people undeterred by the imperialistic ambitions of a demagogue intent on upending their peace for a piece of their land. In the end, perhaps that truth will be the only one that matters.

REFERENCES:

  1. https://www.itsecurityguru.org/2022/02/28/meta-restricts-russian-state-controlled-media/
  2. https://www.npr.org/2022/02/26/1083291122/russia-ukraine-facebook-google-youtube-twitter
  3. https://www.msn.com/en-us/news/technology/reddit-becomes-latest-platform-to-act-against-russias-spread-of-misinformation/ar-AAUtgzx
  4. https://www.reuters.com/technology/google-blocks-russias-rt-app-downloads-ukrainian-territory-says-rt-2022-02-27/
  5. https://www.nytimes.com/2022/02/25/world/europe/russia-facebook-access.html
  6. https://vnexplorer.net/analysis-as-russia-invades-ukraine-moscow-battles-big-tech-to-control-the-narrative-s455986.html
  7. https://www.nytimes.com/1998/06/13/world/world-news-briefs-volkswagen-faces-suit-over-jewish-slave-labor.html
  8. https://www.forbes.com/sites/alisondurkee/2022/03/01/americans-want-companies-to-take-action-not-just-make-statements-against-russia-for-invading-ukraine-poll-finds/?sh=56a8d6394195
  9. https://www.cnn.com/2021/12/07/tech/facebook-myanmar-rohingya-muslims-intl-hnk/index.html
  10. https://www.theguardian.com/technology/2017/may/07/the-great-british-brexit-robbery-hijacked-democracy
  11. https://knightfoundation.org/articles/seven-ways-misinformation-spread-during-the-2016-election/
  12. https://apnews.com/article/russia-ukraine-vladimir-putin-europe-arrests-moscow-cf5dda5528937de907f8916820cfab75
  13. https://apnews.com/article/russia-ukraine-business-europe-moscow-perm-9789398569c54f5ed3062410845dff06
  14. https://www.cnet.com/tech/services-and-software/chinas-national-intranet/
  15. https://www.reuters.com/business/mastercard-blocks-multiple-russian-financial-institutions-network-2022-03-01/
  16. https://www.msn.com/en-us/money/other/semiconductor-sales-to-russia-banned-but-that-shouldn-e2-80-99t-hurt-intel-amd-and-other-chip-makers/ar-AAUqQmW?pfr=1
  17. https://www.theguardian.com/technology/2022/mar/01/apple-russia-ukraine-facebook
  18. https://www.itsecurityguru.org/2022/02/28/starlink-activated-to-keep-ukraines-internet-running/
  19. https://www.cnbc.com/2022/02/28/ukraine-updates-starlink-satellite-dishes.html

Hacking Group “Anonymous” Targets Russia in a Series of DDoS Attacks

Following Russia’s ongoing invasion of Ukraine, the hacking group known as “Anonymous” has claimed responsibility for various distributed denial of service (DDoS) attacks targeting websites owned by Russian institutions. Many services have been affected thus far, examples including disruptions to websites owned by: i) the Russian and Belarusian governments, ii) the Russian oil company “Gazprom”, and iii) Russia’s state-controlled news agency “Russia Today”.

What exactly is a DDoS attack?

A DDoS attack is a malicious attempt to overwhelm a target server or network by flooding it with internet traffic. By “clogging up” its target, a DDoS attack prevents legitimate traffic from reaching or interacting with the target. This is typically executed by networks of computers that have been infected with malware allowing attackers to control them remotely in the background. Each infected computer is typically referred to as a “bot”, while groups of these computers are called “botnets”. Once a botnet is established, attackers may direct their DDoS attack by commanding the botnet to send requests to their target’s IP address, which overwhelms the server or network and leaves it at a dysfunctional standstill. It is for this reason that DDoS stands for “distributed denial of service”: these attacks slow or otherwise deny service to a target’s regular internet traffic through web traffic induced via distributed botnets.

Figure 1. General representation of how DDoS attacks operate. From “DoS vs DDoS attacks” by A. Parashar, 2017, https://techchip.net/denial-of-service-attack-tools-techniques/

Types of DDoS attacks and their identification

Network connections are composed of a variety of “layers” that each facilitate different functions. Under a conceptual framework called the OSI model, for instance, 7 distinct layers can be used to describe network connectivity. DDoS attacks are correspondingly nuanced; they vary in their implementation depending on the attack vector being used. Considering this, DDoS attacks can generally be grouped into three broad categories: i) volumetric attacks, ii) protocol attacks, and iii) application layer attacks (i.e., targeting layer 7 in the OSI model). Each of these types of DDoS attack differs in the network/server component that it targets and in the methods it employs to do so.

Furthermore, DDoS attacks are often notably difficult to identify. Given how DDoS attacks are facilitated through the use of botnets (rather than from one computer with a single IP address), it becomes challenging (though still possible) to differentiate between legitimate and malicious traffic.
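To make the identification problem above concrete, here is an added example (not code from the original post or from any of the sources it cites) that runs two simple checks over constructed web-server access log lines: a per-IP request budget, which catches a single noisy client, and an aggregate check on total request rate and distinct-source count per second, which is what actually notices a flood spread thinly across many botnet addresses. The log lines, IP addresses (from the RFC 5737 documentation ranges), timestamps and thresholds are all constructed and assumed for illustration.

```python
"""Added example: rate-based DDoS indicators over constructed access logs.

Per-IP thresholds miss a distributed flood because each bot stays under
the budget; an aggregate view of total requests and distinct sources per
second against a baseline is needed to see it. Everything below is
constructed sample data, not real traffic.
"""
from collections import Counter, defaultdict
import re

# Common Log Format: ip - - [timestamp] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')


def parse_line(line):
    """Parse one access-log line; return None for malformed lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, req, status, _size = m.groups()
    return {"ip": ip, "ts": ts, "request": req, "status": int(status)}


def bucket_by_second(lines):
    """Group parsed entries by timestamp (one bucket per second)."""
    buckets = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry:
            buckets[entry["ts"]].append(entry)
    return buckets


def per_ip_offenders(entries, max_per_second):
    """Single-source check: IPs exceeding a per-second request budget."""
    counts = Counter(e["ip"] for e in entries)
    return {ip: n for ip, n in counts.items() if n > max_per_second}


def aggregate_anomaly(entries, baseline_rps, baseline_sources, factor=5.0):
    """Distributed check: total rate and distinct sources vs. a baseline."""
    total = len(entries)
    sources = len({e["ip"] for e in entries})
    return {
        "requests": total,
        "sources": sources,
        "rate_anomaly": total > factor * baseline_rps,
        "source_anomaly": sources > factor * baseline_sources,
    }


def analyze(lines, max_per_ip=20, baseline_rps=3, baseline_sources=3):
    """Return, per second, what each check flagged (thresholds are assumed)."""
    findings = {}
    for ts, entries in bucket_by_second(lines).items():
        findings[ts] = {
            "per_ip": per_ip_offenders(entries, max_per_ip),
            "aggregate": aggregate_anomaly(entries, baseline_rps, baseline_sources),
        }
    return findings


# --- constructed sample log (assumed data, not captured traffic) ---
def make_line(ip, ts, path):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'


NORMAL_TS = "01/Jan/2022:10:00:00 +0000"   # 3 requests from 3 clients
BURST_TS = "01/Jan/2022:10:00:01 +0000"    # one client sends 40 requests
FLOOD_TS = "01/Jan/2022:10:00:02 +0000"    # 50 "bots" send 2 requests each

CONSTRUCTED_LOG = (
    [make_line(f"192.0.2.{i}", NORMAL_TS, "/index.html") for i in range(1, 4)]
    + [make_line("198.51.100.7", BURST_TS, "/login") for _ in range(40)]
    + [make_line(f"203.0.113.{i}", FLOOD_TS, "/") for i in range(1, 51) for _ in range(2)]
)

if __name__ == "__main__":
    for ts, result in sorted(analyze(CONSTRUCTED_LOG).items()):
        print(ts, result)
```

Run against the constructed log, the burst second is flagged by the per-IP check, while the flood second shows no per-IP offender at all (each bot sends only two requests) and is caught only by the aggregate check, where both the request total and the source count jump well above baseline. In practice the baseline would be learned from historical traffic rather than hard-coded, and the source-count signal is the one worth watching for botnet-driven attacks.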

Figure 2. A frame from the video posted online by “Anonymous”. From “Anonymous goes to cyber war against Russia” by C. Tonkin, 2022, https://ia.acs.org.au/article/2022/anonymous-goes-to-cyber-war-against-russia.html.

The role of “Anonymous” in the continuing Ukraine-Russia conflict

“Anonymous” first began their cyber crusade against the Russian government a few days after Russia’s full-scale invasion of Ukraine. The hacking group did so by releasing a YouTube video in which their intentions were described by a masked individual using a voice changer. The video lasted around 2 minutes and described how, due to Vladimir Putin and his regime’s disrespect for “human rights and the self determination of their neighbours”, they would incur the wrath of the world’s hackers – including “Anonymous”.

Following their declaration of cyberwar, “Anonymous” has continued to carry out a series of cyberattacks against the Russian and Belarusian governments while periodically updating the public on their endeavours via Twitter. Their primary mode of attack thus far has been DDoS attacks, with important pieces of Russian online infrastructure (such as the official websites for the Kremlin and Russia’s Ministry of Defence) remaining offline (as of 3:55 PM on March 2, 2022). That said, “Anonymous” has since begun engaging in other forms of cyber warfare as well, such as when they humorously hacked the on-board systems of Vladimir Putin’s yacht and changed its call sign to “FCKPTN” with a destination of “hell”.

Overall, the type(s) of DDoS attacks employed by “Anonymous” unfortunately remains unclear; it is likely that further time and inquiry will be required to gain additional insight into these cyberattacks, especially as the tragic situation in Ukraine continues to develop.

References

  • Akcin, Y. (2022, March 2). Anonymous hack Gazprom and Russia Ministry of Defence websites. National Turk. https://www.nationalturk.com/en/anonymous-hacks-gazprom-and-russia-ministry-of-defense-websites/
  • Cloudflare. (2022). What is a DDoS attack? – Differentiate between the 3 major categories of DDoS attacks. https://www.cloudflare.com/en-ca/learning/ddos/what-is-a-ddos-attack/
  • Cloudflare. (2022). What is the OSI Model? https://www.cloudflare.com/en-ca/learning/ddos/glossary/open-systems-interconnection-model-osi/
  • George, L. (2022, March 2). Report: Putin’s yacht hacked, call sign changed to ‘FCKPTN’, destination to ‘hell’. American Military News. https://americanmilitarynews.com/2022/03/report-putins-yacht-hacked-call-sign-changed-to-fckptn-destination-to-hell/
  • Parashar, A. (2017). What is DoS (Denial-of-Service) Attack & how they are Performed – DoS vs DDos Attacks. Techclip Blogging – Ethical Hacking. https://techchip.net/denial-of-service-attack-tools-techniques/snap/
  • Pitrelli, M. B. (2022, March 1). Global hacking group Anonymous launches ‘cyber war’ against Russia. CNBC. https://www.cnbc.com/2022/03/01/how-is-anonymous-attacking-russia-disabling-and-hacking-websites-.html
  • Tonkin, C. (2022, February 28). Anonymous goes to cyber war against Russia: Launches DDoS campaign targeting government websites. Information Age. https://ia.acs.org.au/article/2022/anonymous-goes-to-cyber-war-against-russia.html

In the wake of Ukraine-Russia Cyberwar, ‘MuddyWater,’ an Iran-backed hacking group, has been waging global cyber-attacks

With the world’s attention focused on Russia’s multifaceted onslaught on Ukraine, Iranian hackers associated with the country’s military intelligence initiated a worldwide cyber espionage operation, the United States and the United Kingdom said in an unprecedented alert delivered over the weekend.

With the Russian invasion under way, digital intrusions and denial-of-service (DDoS) assaults caused havoc on Ukraine. DDoS attacks occur when a hostile cyber threat actor stops authorised users from accessing computer networks, devices, or other data centers.

Russian military-linked hackers were responsible for a series of DDoS attacks last week that momentarily brought down Ukrainian banking and government websites prior to the Russian invasion. Later, in retaliation to the cyber threats, Ukraine has been looking for volunteer hackers to create an ‘IT army’ to execute cyber operations against Russian entities such as corporations, banks, and government agencies.

However, in the midst of this ongoing cyber-war, warnings have been issued against the Iran-linked hacker organisation MuddyWater.

Who are they?

According to US Cyber Command, this hacking group has been acting in the interests of Iran’s Intelligence and Security Ministry and the Iranian Revolutionary Guard Corps. ‘MuddyWater’, sometimes referred to as SeedWorm, has been functioning under several aliases since at least 2015, targeting victims from Israel, Saudi Arabia, Jordan, the United Arab Emirates, and other Asian nations.

An analytical study reported that the hacker gang undertakes cyber espionage and other hostile cyber activities against a variety of state and corporate entities in areas such as communications, defence, local governments, and oil and gas.

What they can do.

The warning indicates that the organisation specialises in gaining unauthorised access to IT systems and deploying malware by exploiting publicly disclosed vulnerabilities and open-source tooling. MuddyWater actors are well-positioned both to provide stolen data and access to the Iranian government and to share this information with other hostile cyber actors.

According to the advisory, MuddyWater has deployed a new Python backdoor termed Small Sieve that focuses on providing its operators with “basic functionality required to maintain and expand a foothold in victim infrastructure and avoid detection by using custom string and traffic obfuscation schemes in conjunction with the Telegram Bot application programming interface (API).”

The authorities also stated that the group used a variety of malware, such as PowGoop, to carry out second-stage intrusions on previously compromised networks and systems, allowing it to extract information and obtain remote access.

Why is the advisory crucial?

The MuddyWater threat comes at a time when Iran has expressed opposition to the conflict in Ukraine but has also declined to openly denounce Russia’s military action, instead condemning NATO’s influence in the region.

Iran’s Foreign Minister Hossein Amirabdollahian stated in a tweet that Iran does not view violence as a means and has urged for an immediate cease-fire as well as a “political and democratic settlement,” without using terminology like “invasion.”

Iran’s relations with Russia have grown stronger in the past few years, owing mostly to disagreements with the West on matters such as the nuclear program. Furthermore, the Iranian president paid a two-day visit to Moscow in January, during which both he and Putin expressed support for deeper relations.

A Taste All Too Familiar: Ukraine Calls For Help From Hackers

Techdator 2022. Image sourced from <https://techdator.net/ukraine-asking-hackers-help-defending-its-infrastructure/>

Amidst a military invasion by Russian forces, Ukraine has taken a surprising (and some might say ironic) step: enlisting the aid of hackers and cyber vigilantes. As reported by Reuters, Ukrainian government officials have put forth requests for independent contractors to apply through a Google document[1] in the hopes of enlisting their help in the defense of their country. In hiring these internet-paramilitaries, the Ukrainian government allegedly hopes to protect critical infrastructure and conduct spying and intelligence gathering operations against the invading Russian army.

More specifically, the InfoSecurity group reports that the hackers are to be divided into two groups: offensive and defensive hackers. Those in the defensive group are tasked with ensuring that Ukraine’s water and power systems are safe, whereas offensive unit volunteers will attempt digital espionage on Russian troop movements and plans[2].

This call for what is essentially vigilante justice has raised an important legal and ethical question: are states responsible, or should states be held responsible for the cyber attacks committed by those they sponsor?

A New Paradigm?

Cyberattacks, particularly those committed by state actors against other state actors, are rapidly becoming a commonplace tool of international conflict.[3] And in certain cases they are truly that: states attempting to gain access to other states. See for instance the United States considering retaliating against Russia with cyber-attacks of their own[4]. Such attacks would be organized and performed by United States Government groups.

By contrast, examine next the history of cyber attacks as committed by Russian actors. These attacks started as far back as 2007, with Russia being accused of targeting Estonia[5]. From there a pattern emerged, with allegations surfacing of Russian cyber interference with everything from leaking the French president’s private emails[6] to attempting to influence the results of the United States presidential election[7]. A common thread emerges from almost every allegation of Russian hacking: they are committed by private groups. Sure, there are “strong links” or “reasonable suspicions”, but ultimately there is also plausible deniability for the state in question. So why not attempt to go after states for it anyway?

The Hydra of State-Sponsored Hacking
“Putin in the image of Hercules”. Exhibition: 12 Labors, Moscow, 2014. Image sourced from <https://www.opendemocracy.net/en/odr/for-generation-p-putin-is-russia-cult-of-personality-youth-russia/>

The hydra is a legendary Greek creature who is said to have nine heads, and each time you cut one head off another two grow back in its place. It’s an apt metaphor for the problems that arise when you try to assign blame to countries for state sponsored hacking. Consider the current attempts by Ukraine to enlist vigilante hackers. They clearly have some modicum of popular support, yet what happens if they go too far and target a Russian field hospital for instance, leading to injured soldiers dying. Does this truly help the Ukraine, or cause further injury to soldiers already out of the fight? If not, then are they any different from the widely condemned Russian cyber-attacks? And, assuming they do go too far, is Ukraine now liable for war crimes for employing them in the first place? Don’t forget, they’re not Ukrainian hackers, just hackers employed by the Ukraine.

Jurisdiction is another can of worms. Who takes whom to court over state sponsored hacking? And to which court? And for what crimes? Sure, you could make an argument for the precautionary principle of international law (i.e. it’s your responsibility to handle things that cause cross-border damage), but this is a stretch, frankly, and difficult to enforce against any country that doesn’t want to play ball. Some solutions have been posited, such as the WTO or ICJ[8], but so far none has come forward to take on the responsibility of handling state-sponsored hacking.

An Utterly Unsatisfying Conclusion

So what is the answer? Should states be held accountable for state-sponsored hacking attempts or not? At this point, not even NATO or the European Union know the answer[9]. And while this article has raised several issues to be considered, that is not to say that the whole endeavor is fated to be fruitless. As cyber attacks continue, perhaps a solution will show itself to the world at large. Or perhaps this is simply another step in the long history of warfare waged by mankind. Either way, at this point all anyone can do is wait.

References:

[1] Joel Schectman & Christopher Bing, “Ukraine calls on hacker underground to defend against Russia” (2022), online: Reuters <www.reuters.com/world/exclusive-ukraine-calls-hacker-underground-defend-against-russia-2022-02-24/>.

[2] Sarah Coble, “Ukraine Asks for Hackers’ Help” (2022), online: InfoSecurity Group <www.infosecurity-magazine.com/news/ukraine-asks-for-hackers-help/>.

[3] “Significant Cyber Incidents” (2022), online: Center for Strategic & International Studies <www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents>.

[4] Ken Dilanian & Courtney Kube, “Biden has been presented with options for massive cyberattacks against Russia” (2022), online: NBC News <www.nbcnews.com/politics/national-security/biden-presented-options-massive-cyberattacks-russia-rcna17558>.

[5] Kenneth Geers, “Cyberspace and the changing nature of warfare” (2008), online: SC Magazine <web.archive.org/web/20081203191412/http://www.scmagazineus.com/Cyberspace-and-the-changing-nature-of-warfare/article/115929/>.

[6] Patrick Howell O’Neill, “Researchers link Macron hack to APT28 with ‘moderate confidence’” (2017), online: Cyberscoop <web.archive.org/web/20180116135134/https://www.cyberscoop.com/researchers-link-macron-hack-to-apt28-with-moderate-confidence/>.

[7] Ellen Nakashima, “Cybersecurity firm finds evidence that Russian military unit was behind DNC hack” (2016), online: The Washington Post <www.washingtonpost.com/world/national-security/cybersecurity-firm-finds-a-link-between-dnc-hack-and-ukrainian-artillery/2016/12/21/47bf1f5a-c7e3-11e6-bf4b-2c064d32a4bf_story.html?postshare=9631482406341944&tid=ss_fb-bottom>.

[8] Delbert Tran, “The Law of Attribution: Rules for Attributing the Source of a Cyber Attack” (2018) 20 Yale J. L. & Tech 376.

[9] Camino Mortera-Martinez, “Game over? Europe’s Cyber Problem” (2018), online (pdf): Centre For European Reform <www.cer.eu/publications/archive/policy-brief/2018/game-over-europes-cyber-problem>.

The Evolution of Ransomware: Multi-Layer Extortion

What is Ransomware?

Ransomware is a type of malware that prevents a user from accessing certain files until a ransom is paid. This is typically done via 2 types of ransomware:

  • Crypto Ransomware: Ransomware that replaces your device’s files with encrypted data[3]
  • Locker Ransomware: Ransomware that prevents you from logging into a device[3]

Unfortunately, as time has gone on these methods have developed into something more malicious.

The above paragraph summed up as an infographic. (Source: globalsign.com)

What is Multi-layer Extortion Ransomware?

Multi-layer extortion ransomware relies on the methods described above but adds further layers of extortion, usually involving different stakeholders, to get more money out of organizations and to give them multiple incentives to comply in the first place. There have been documented cases of double, triple and quadruple extortion ransomware.

For double extortion, the second layer used is typically a threat of revealing sensitive information. This technique was introduced by Maze ransomware group in late 2019.[2]

Triple extortion builds upon double extortion by adding a DDoS attack as a third incentive to get companies to pay up. This technique was first observed from the SunCrypt and RagnarLocker groups in the second half of 2020.[2]

Although not as popular (for now), quadruple extortion ransomware exists as well. On top of the extortion methods used in triple extortion ransomware, quadruple extortion builds on the concept by reaching out to customers and stakeholders of the attacked organization. For example, the ransomware group Clop emailed customers warning them that their information tied to the target organization would be posted on a website and that the customers should contact the organization.[2]

A detailed overview of multi-layer extortion ransomware. (Source: TrendMicro.com)

Who is Venafi and What Was Their Survey About?

Venafi is a cyber security company that recently conducted a survey on organizations to gain metrics on the current state of ransomware attacks. They found the following:

  • 83% of successful ransomware attacks in the last year were double/triple extortion ransomware attacks[1]
  • 38% of organizations attacked with ransomware received threats to extort customers using stolen customer data[1]
  • 35% of organizations attacked with ransomware received threats to expose their data on the dark web[1]
  • 32% of organizations attacked with ransomware received threats of telling customers that their data was stolen[1]

The above is quite unsettling when combined with other metrics in the survey suggesting that ransomware attacks are getting more aggressive and that companies are not guaranteed to get their data back after paying.[1]

Venafi Logo. Venafi specializes in protecting machine identities and is located in Salt Lake City, Utah. (Source: Crunchbase.com)

How to Handle Double/Triple Extortion Moving Forwards?

Respondents in Venafi’s survey had the following to say regarding how extortion threats could be handled moving forwards:

  • 67% of respondents agree that publicly reporting ransomware attacks will slow down attackers[1]
  • 74% of respondents agree that ransomware should be treated as a matter of national security [1]
  • 77% feel governments should do more to help private companies defend themselves from ransomware moving forwards[1]
  • 76% agree that going forwards, companies and governments need to work closer together to fight the threat of ransomware[1]

These findings suggest that organizations see transparency regarding attacks and stronger government intervention as avenues worth exploring in the future. However, until such changes are made, the best we have are guides for single-layered ransomware attacks. The Canadian Centre for Cyber Security has provided a guide for handling ransomware attacks.[3]

Conclusion

It seems that as technology advances we develop new cybersecurity mechanisms. However, these mechanisms are always playing catch-up to the evolving landscape of cybercrime. Most recently, double/triple extortion ransomware attacks have gained traction in the last couple of years, and the survey from Venafi has verified the efficacy of these attacks. I feel the rate of double/triple extortion ransomware will continue to increase if not move to quadruple extortion moving forwards.

References

  1. https://www.venafi.com/blog/venafi-survey-ransomware-evolves-double-and-triple-extortion-now-features-over-80-ransom
  2. https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti
  3. https://cyber.gc.ca/en/guidance/ransomware-how-prevent-and-recover-itsap00099