The FBI’s Cyber Division has issued two recent cybersecurity alerts: the first follows an increase in destructive Distributed Denial of Service (DDoS) attacks on U.S. companies, and the second concerns the risk of malware infections when installing Chinese tax software.
Increase in Destructive DDoS Attacks on US Networks
Cybercriminals have been abusing newer built-in network protocols to conduct amplified, destructive DDoS attacks on US networks. Three network protocols developed for use in devices such as smartphones, Macs, and IoT devices are being leveraged in these attacks: CoAP (Constrained Application Protocol), WS-DD (Web Services Dynamic Discovery), and ARMS (Apple Remote Management Service). All three have already been used to conduct massive real-world DDoS attacks. The alert also covers the built-in network protocol used by Jenkins servers, which could potentially be abused in similar attacks, although that vulnerability has not yet been exploited in the wild. Jenkins is an open source server used by software developers to automate tasks.
“A DDoS amplification attack occurs when an attacker sends a small number of requests to a server and the server responds with more numerous responses to the victim,” explained the FBI in the alert. “Typically, the attacker spoofs the source Internet Protocol (IP) address to appear as if they are the victim, resulting in traffic that overwhelms victim resources.”
Vulnerable Jenkins servers could amplify DDoS attack traffic by a factor of 100, ARMS could be used in attacks with an amplification factor of 35.5:1, and CoAP could be used in attacks with an amplification factor of 34. WS-DD has been used to launch more than 130 DDoS attacks, some of which exceeded 350 Gigabits per second (Gbps).
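The mechanism the FBI describes (small spoofed-source requests in, large replies out) has a defender-side signature: a device on your own network that answers on one of these UDP service ports with far more bytes than it receives, to an unusually large number of distinct "requesters" (really the spoofed victim addresses). The script below is an added example, not code from the FBI alert or this article, that runs that check over a constructed set of edge flow records. The port numbers are the standard registered ports for the named services (UDP 5683 CoAP, UDP 3702 WS-Discovery, UDP 3283 ARMS, UDP 33848 Jenkins auto-discovery) and are not taken from the page; the local prefix, thresholds and flow format are assumptions.

```python
"""Flag hosts on our own network that look like abused UDP reflectors.

Seen from the reflector's network edge, a reflection/amplification attack
looks like: tiny inbound UDP requests to a service port, large outbound
replies from that port, and many distinct requester addresses (the spoofed
victims). Grouping flow records per (local host, port) exposes both signals.
"""
from collections import defaultdict

# Standard registered ports for the services the alert names (assumption:
# these values are not on the page; adjust if your devices use others).
REFLECTOR_PORTS = {
    5683: "CoAP",
    3702: "WS-DD",
    3283: "ARMS",
    33848: "Jenkins discovery",
}


def _flow(src, sport, dst, dport, nbytes):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": "udp", "bytes": nbytes}


# Constructed flow records (assumption: the edge exports one record per
# direction with the byte count of that direction). 10.0.0.0/24 is "ours".
SAMPLE_FLOWS = [
    # Benign: a laptop queries an internal CoAP device, modest reply.
    _flow("10.0.0.5", 40000, "10.0.0.9", 5683, 60),
    _flow("10.0.0.9", 5683, "10.0.0.5", 40000, 120),
    # Benign: one WS-Discovery probe to a printer, 8x reply, single peer.
    _flow("10.0.0.5", 41000, "10.0.0.7", 3702, 100),
    _flow("10.0.0.7", 3702, "10.0.0.5", 41000, 800),
]
# Abuse: 50 different "sources" (spoofed victim addresses in TEST-NET-2)
# send 60-byte requests to 10.0.0.9:5683, which answers each with 2040
# bytes, i.e. the 34x CoAP factor the alert cites.
for i in range(1, 51):
    victim = f"198.51.100.{i}"
    SAMPLE_FLOWS.append(_flow(victim, 5683, "10.0.0.9", 5683, 60))
    SAMPLE_FLOWS.append(_flow("10.0.0.9", 5683, victim, 5683, 2040))


def find_reflectors(flows, local_prefix="10.0.0.", min_factor=10.0,
                    min_requesters=20):
    """Return findings for local hosts whose reply/request byte ratio on a
    known reflector port is >= min_factor across >= min_requesters peers."""
    # (local host, port) -> remote address -> bytes, per direction.
    inbound = defaultdict(lambda: defaultdict(int))
    outbound = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["dst"].startswith(local_prefix) and f["dport"] in REFLECTOR_PORTS:
            inbound[(f["dst"], f["dport"])][f["src"]] += f["bytes"]
        elif f["src"].startswith(local_prefix) and f["sport"] in REFLECTOR_PORTS:
            outbound[(f["src"], f["sport"])][f["dst"]] += f["bytes"]

    findings = []
    for (host, port), requests in inbound.items():
        req_bytes = sum(requests.values())
        resp_bytes = sum(outbound.get((host, port), {}).values())
        if req_bytes == 0:
            continue
        factor = resp_bytes / req_bytes
        if factor >= min_factor and len(requests) >= min_requesters:
            findings.append({
                "host": host,
                "port": port,
                "service": REFLECTOR_PORTS[port],
                "factor": round(factor, 2),
                "requesters": len(requests),
                "reply_bytes": resp_bytes,
            })
    # Worst amplifier first.
    return sorted(findings, key=lambda r: r["factor"], reverse=True)


if __name__ == "__main__":
    for finding in find_reflectors(SAMPLE_FLOWS):
        print(f"{finding['host']}:{finding['port']} ({finding['service']}) "
              f"replied {finding['factor']}x to {finding['requesters']} peers")
```

The benign CoAP and WS-DD exchanges are not reported: the printer's 8x reply to a single peer stays under both thresholds, and the 10.0.0.9 device is flagged only because the 50 spoofed requesters push its aggregate ratio to roughly 33x. Tuning `min_requesters` is the main lever against false positives from a chatty but legitimate client.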
The FBI has seen an increase in attacks using these amplification techniques since February 2020. “In the near term, cyber actors likely will exploit the growing number of devices with built-in network protocols enabled by default to create large-scale botnets capable of facilitating devastating DDoS attacks,” warned the FBI.
The network protocols have been developed to reduce the computational overhead of day-to-day system and operational functions in devices, and since they are essential to the correct functioning of those devices, the protocols are unlikely to be disabled by device makers. The FBI therefore recommends that organizations implement mitigations.
Those mitigations include using a Denial of Service mitigation service, working with an ISP prior to an attack to control network traffic in the event of an attack, blocking unauthorized IP addresses with a firewall and disabling port forwarding, and ensuring all network devices are fully patched.
Backdoors Introduced by Chinese Tax Software
The FBI also issued a private industry alert about the risk of malware in Chinese tax software after the discovery of two backdoors introduced by tax software mandated by the Chinese government. Backdoor malware was discovered in the software developed by two Chinese companies to handle value-added tax (VAT) payments to the Chinese government. The two tech firms – Aisino and Baiwang – are the only two companies authorized by the Chinese government to provide VAT software. The software is a requirement for any company doing business in the PRC.
The alert follows the publication of two reports from Trustwave about backdoor malware variants named GoldenHelper and GoldenSpy. These malware programs provide a backdoor into corporate networks, elevate privileges to admin, allow the operators to steal intellectual property, remotely execute code, and download additional malware payloads.
At least two Western companies have been infected with the backdoors after receiving tax software updates, which were released following changes to Chinese VAT laws in 2018. One company was a U.S. pharmaceutical firm, which discovered the GoldenHelper backdoor in its network in April 2019. An employee had downloaded Baiwang Tax Control Invoicing software in July 2018, and the backdoor is believed to have been introduced in March 2019 when the software was updated. In addition to updating the main tax program, the update installed a driver that created the backdoor.
The second company had downloaded the tax software program Intelligent Tax from Aisino Corporation. A private cybersecurity firm concluded that the GoldenSpy backdoor was likely introduced by the software and suggests GoldenSpy was a new iteration of GoldenHelper.
According to the FBI, the businesses most at risk are those in the finance, chemical, and healthcare sectors, as state-sponsored hackers have previously targeted those companies. The FBI has not accused China of planting the malware in the software, but has pointed out that the two companies are overseen by a private, state-owned enterprise called NISEC (National Information Security Engineering Center), which has links to China’s People’s Liberation Army.
The alert comes after several companies came forward following the publication of the two Trustwave reports stating they too had been infected with the malware.