AppSec News Roundup for January 2019: WebStresser, Mirai, reCAPTCHA, and more

Application security news never stops, and it can be hard to follow all of the incidents that are #AppSec related.  In this roundup, I've picked a handful of the most significant news items from January 2019.  

Credential Stuffing Attacks are increasing, and free raw material is abundant

Credential stuffing attacks are becoming increasingly common and visible. Two especially visible examples occurred in the last couple of months - Warby Parker and DailyMotion.  For more information on credential stuffing attacks, including anatomy of an attack and a diagram, visit the OWASP site here.

A “megabreach” was also discovered this month. As with most such “megabreach” credential dumps, this one seems to be a merged list of multiple older breaches, with a few million newer credentials in the mix.

Troy Hunt’s HaveIBeenPwned has integrated this list, in case you want to check on your credentials.

The UK government is working with several other nations to track and apprehend WebStresser users

The National Crime Agency, working with law enforcement partners from 14 countries, has taken action against a number of cybercriminals website users linked to four million attacks across the globe.

This latest action is part of Operation Power Off, which pursues those individuals and services responsible for committing or facilitating DDoS (Distributed Denial of Service) attacks.

Mirai is back with as a new variant primarily exploiting a ThinkPHP vulnerability

The Mirai bot is back as a new variant called Yowai. Cybercriminals use websites created using the PHP framework to breach web servers via dictionary attacks on default credentials and gain control of these routers for distributed denial of service attacks.  Here's SC Media how Hakai and Yowai botnets work:

Once the Yowai botnet infects the router it uses dictionary attack in an attempt to infect other devices while the affected router becomes part of a botnet that enables its operator to use the affected devices for launching DDoS attacks.

Mirai is a piece of malware that turns IoT devices into a network that can be controlled by a central administrator.  Here's more from CSO on the original Mirai Botnet.

Automated attacks against 2FA implementations and reCATPCHA bypass PoC’s

Two new PoC’s came out in the last month, that show the limitations of Two Factor Authentication and reCAPTCHA.

A Polish researcher, Piotr Duszyński, released Modlishka, a tool that acts as a reverse proxy. Modlishka sits between the user and website, and proxies all the traffic to the website. The victim receives authentic content from the legitimate site --let's say for example Google-- but all traffic and all the victim's interactions with the legitimate site passes through and is recorded on the Modlishka server.

A group of MIT researchers released unCaptcha v2, a tool that can defeat reCAPTCHA with 90% accuracy. This was an update to the original unCaptcha tool. The tool is built to defeat reCAPTCHA by using the audio captcha feature – it downloads the audio captcha and runs it through multiple online speech-to-text services, processes the resulting output and uses the output to solve the CAPTCHA.

Phishing with Modlishka (bypass 2FA) from Piotr Duszynski on Vimeo. 

 

Get protection for websites and applications from cyber-threats with the Barracuda Web Application Firewall.  Visit our corporate site here to learn more and get a free 30-day trial.