CyberBakery Chronicles
Welcome to this week’s edition of CyberBakery Chronicles, your trusted source for the latest news in digital security. Whether you're an enthusiastic novice or a seasoned expert, our insightful content aims to keep you informed and engaged.

Your Weekly Cybersecurity Update (24 Jan 2025)
Cloudflare has mitigated the largest DDoS attack ever recorded, peaking at a staggering 5.6 terabits per second (Tbps). This UDP-based attack, launched by a Mirai-based botnet of over 13,000 compromised devices, targeted an internet service provider (ISP) in Eastern Asia on October 29th, 2024.

From the Cloudflare blog: Distribution of 6.9 million DDoS attacks: 2024 Q4
While the attack lasted only 80 seconds, it highlights the growing trend of hyper-volumetric DDoS attacks. These attacks, exceeding 1 Tbps, surged in the fourth quarter of 2024, with a quarter-over-quarter growth of 1,885%.
Cloudflare observed a significant increase in short-lived attacks, with 72% of HTTP and 91% of network layer DDoS attacks lasting less than 10 minutes. This trend favours "blitz" attacks designed for maximum impact during peak usage periods.

From the Cloudflare blog: Top HTTP DDoS attack vectors: 2024 Q4
Ransom DDoS attacks also increased notably, peaking during the holiday season. Cloudflare emphasises the need for automated DDoS protection services to effectively mitigate these rapid and powerful attacks.
The most targeted sectors included telecommunications, service providers, internet services, and marketing/advertising. China, the Philippines, and Taiwan were the most frequently targeted regions.
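The point about short "blitz" attacks is easy to see in data: a burst that saturates a link for a few seconds can vanish entirely when traffic is averaged over a minute. The following is an added example (not Cloudflare's code or data) that buckets constructed flow records per second, flags maximal runs of seconds where UDP bit rate exceeds a threshold, and contrasts that with a whole-window average that misses the same burst. The flow tuples, the 1 Gbps threshold and the burst sizes are all constructed for illustration.

```python
"""Second-granularity burst detection over flow records (added example; sample data is constructed)."""
from collections import defaultdict

# Constructed sample: 30 seconds of traffic. Each second carries a small UDP and
# TCP baseline; seconds 10-14 add a 500 MB/s UDP flood (a 5-second "blitz").
SAMPLE_FLOWS = []  # (timestamp_seconds, protocol, bytes)
for _sec in range(30):
    SAMPLE_FLOWS.append((_sec + 0.25, "UDP", 10_000_000))
    SAMPLE_FLOWS.append((_sec + 0.75, "TCP", 20_000_000))
    if 10 <= _sec < 15:
        SAMPLE_FLOWS.append((_sec + 0.5, "UDP", 500_000_000))


def bytes_per_second(records, proto=None):
    """Aggregate bytes into integer-second buckets, optionally for one protocol."""
    buckets = defaultdict(int)
    for ts, p, nbytes in records:
        if proto is None or p == proto:
            buckets[int(ts)] += nbytes
    return dict(buckets)


def detect_bursts(records, threshold_bps, proto="UDP"):
    """Return [(start_sec, end_sec_exclusive, peak_bps)] for each maximal run of
    consecutive seconds whose bit rate for `proto` exceeds threshold_bps.
    Seconds with no records count as zero traffic, so gaps close a run."""
    per_sec = bytes_per_second(records, proto)
    if not per_sec:
        return []
    bursts = []
    run_start, peak = None, 0
    for sec in range(min(per_sec), max(per_sec) + 1):
        bps = per_sec.get(sec, 0) * 8
        if bps > threshold_bps:
            if run_start is None:
                run_start, peak = sec, bps
            else:
                peak = max(peak, bps)
        elif run_start is not None:
            bursts.append((run_start, sec, peak))
            run_start, peak = None, 0
    if run_start is not None:
        bursts.append((run_start, max(per_sec) + 1, peak))
    return bursts


def average_bps(records, proto, window_start, window_end):
    """Mean bit rate for `proto` over [window_start, window_end) in seconds.
    This is what a coarse, minute-level metric would report."""
    total = sum(nbytes for ts, p, nbytes in records
                if p == proto and window_start <= ts < window_end)
    return total * 8 / (window_end - window_start)


if __name__ == "__main__":
    THRESHOLD = 1_000_000_000  # 1 Gbps, constructed for the sample link size
    for start, end, peak in detect_bursts(SAMPLE_FLOWS, THRESHOLD):
        print(f"UDP burst: {start}s-{end}s ({end - start}s), peak {peak / 1e9:.2f} Gbps")
    avg = average_bps(SAMPLE_FLOWS, "UDP", 0, 30)
    print(f"30-second UDP average: {avg / 1e9:.2f} Gbps "
          f"({'above' if avg > THRESHOLD else 'below'} threshold)")
```

Run as-is, the per-second detector reports a five-second UDP burst peaking above 4 Gbps, while the 30-second average of the same traffic stays under the 1 Gbps threshold. That gap is why mitigation has to trigger on sub-minute telemetry (or sit inline and react automatically) rather than on dashboards that sample every minute.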
A critical error in MasterCard's domain name system (DNS) configuration went unnoticed for nearly five years. This misconfiguration could have allowed attackers to intercept or divert internet traffic for a portion of the mastercard.com network.

Photo by CardMapr.nl on Unsplash
The issue stemmed from a typo in one of the five DNS server names MasterCard uses at Akamai, a major internet infrastructure provider. These servers translate website names into numeric addresses for computers. Instead of ending in "akam.net" like the others, this particular server was named "akam.ne."
Philippe Caturegli, a security researcher, discovered the typo and registered the corresponding domain "akam.ne" for $300 to prevent malicious actors from exploiting it. Caturegli observed hundreds of thousands of DNS requests hitting his server daily, indicating others might have made similar typos.
Had Caturegli set up malicious services on "akam.ne," he could have potentially intercepted emails or even obtained website encryption certificates for affected domains. However, he responsibly reported the issue directly to MasterCard.
MasterCard downplayed the security risks, claiming there was "not a risk to our systems." Caturegli disputed this, highlighting the potential for attackers to leverage public DNS resolvers and long-lasting cached data to reroute a significant portion of traffic.
The incident underscores the importance of robust DNS configurations and responsible vulnerability disclosure practices. MasterCard has since corrected the error, but the episode raises concerns about potential security weaknesses in critical infrastructure.
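One cheap control against this class of mistake is to audit a zone's NS delegations against the provider suffixes you expect and flag any hostname whose registrable domain is an edit-distance-1 neighbour of one. The following is an added example (not MasterCard's, Akamai's or the researcher's code); the five nameserver names in SAMPLE_NS are constructed to mirror the shape of the incident, not copied from any real zone, and `registrable_suffix` deliberately uses a naive last-two-labels rule rather than the public suffix list.

```python
"""Audit NS delegations for near-miss typos of an expected provider suffix (added example; sample data is constructed)."""


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,          # deletion
                           cur[j - 1] + 1,       # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_suffix(hostname: str) -> str:
    """Naive registrable domain: the last two labels, lower-cased, trailing dot
    stripped ("A1-2.akam.net." -> "akam.net"). Adequate for provider suffixes
    like akam.net; use a public-suffix-aware library for ccTLD second levels."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def audit_nameservers(ns_records, expected_suffixes, max_distance=1):
    """Return [(nameserver, closest_expected_suffix_or_None, reason)] for every
    NS hostname whose suffix is not in expected_suffixes. A suffix within
    max_distance edits of an expected one is reported as a likely typo; anything
    further away is reported as an unexpected provider."""
    expected = {s.lower() for s in expected_suffixes}
    findings = []
    for ns in ns_records:
        suffix = registrable_suffix(ns)
        if suffix in expected:
            continue
        closest = min(expected, key=lambda s: levenshtein(suffix, s))
        distance = levenshtein(suffix, closest)
        if distance <= max_distance:
            findings.append((ns, closest,
                             f"likely typo of {closest} (edit distance {distance})"))
        else:
            findings.append((ns, None, f"unexpected provider suffix {suffix}"))
    return findings


# Constructed sample delegation: four names on the expected provider suffix and
# one whose suffix has lost its final letter, the akam.ne-style error.
SAMPLE_NS = [
    "a1-2.akam.net.",
    "a11-64.akam.net.",
    "a13-66.akam.net.",
    "a22-65.akam.ne.",
    "a9-67.akam.net.",
]

if __name__ == "__main__":
    for ns, closest, reason in audit_nameservers(SAMPLE_NS, ["akam.net"]):
        print(f"{ns}: {reason}")
```

Feed it the NS set you get from querying your own zones (for example the output of `dig +short NS yourdomain.example`) together with the suffixes of the providers you actually use. Anything it reports as a likely typo deserves the same urgency as a dangling delegation: resolvers will happily cache and follow the wrong name for as long as the record stays in the zone.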
The U.K. government plans to stop all public sector bodies and critical services—like the NHS, local councils, and schools—from paying ransoms during ransomware attacks. This effort aims to reduce the financial incentives for such attacks. The government said, "This expands the current ban on payments by government departments." They also want to make it mandatory to report ransomware incidents. This will improve the information available to police and help them stop more attacks.

Photo by Mark Stuckey on Unsplash
The UK Government has announced forward-thinking measures to strengthen the country’s cybersecurity defences. These proposals are designed to safeguard businesses, protect data, and reinforce national resilience against digital threats.
Key Highlights of the Proposals
Mandatory Cybersecurity Requirements for Businesses
The proposals suggest introducing robust standards for Managed Service Providers (MSPs) that often oversee IT systems for businesses. This ensures they maintain top-tier cybersecurity practices, reducing vulnerabilities across industries.
Increased Reporting Obligations
Businesses may soon be required to report cybersecurity incidents promptly. This would enable the government and industry leaders to respond swiftly and mitigate widespread damage.
Greater Accountability in Cybersecurity Practices
The government aims to hold organisations accountable for negligence in safeguarding critical digital assets by establishing new legal frameworks.
Focus on International Collaboration
Cybercrime is a global issue, and the UK intends to strengthen international partnerships to share insights, tools, and strategies for tackling online threats.
Cyberattacks can cripple businesses, leading to financial losses, reputational damage, and compromised customer trust. By adopting these proposals, the government is taking decisive action to create a safer digital environment for businesses to thrive.
The UK Government’s proposed measures mark a significant step toward reducing cybercrime's impact on businesses. By staying proactive and adopting these changes, businesses can not only protect themselves but also contribute to a more secure digital landscape.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is encouraging owners and operators of Operational Technology (OT) systems to incorporate secure-by-design principles into their procurement processes. This involves selecting manufacturers that prioritise security and comply with various standards. CISA also advises companies to enhance their detection and defence capabilities against advanced intrusion techniques by utilising Microsoft's newly expanded cloud logs in Purview Audit (Standard).
Additionally, the agency has updated its Product Security Bad Practices guide to include three new bad practices: the use of known insecure or deprecated cryptographic functions, reliance on hard-coded credentials, and insufficient clarity regarding product support periods. CISA states that "software manufacturers should clearly communicate the support period for their products at the time of sale" and "should provide security updates throughout the entire support period."
Furthermore, CISA is calling on the U.S. government to strengthen cybersecurity by addressing the software understanding gap. This gap, combined with the lack of secure-by-design software, can lead to the exploitation of vulnerabilities. This guidance comes as the European Union's Digital Operational Resilience Act (DORA) took effect on January 17, 2025, requiring financial services firms and their technology suppliers to enhance their cybersecurity measures.
On the second day of the Pwn2Own Tokyo 2023 hacking competition, security researchers successfully breached Tesla’s EV chargers twice. The event, hosted by Trend Micro’s Zero Day Initiative (ZDI), challenges participants to find vulnerabilities in various devices for significant monetary rewards. Researchers from two separate teams, Team Viettel and Team Fluoroacetate, exploited distinct vulnerabilities in Tesla’s Wall Connector EV chargers.

Photo by Tesla Fans Schweiz on Unsplash
Team Viettel successfully bypassed security mechanisms to display custom messages on the EV charger’s screen.
Team Fluoroacetate executed a more advanced attack that allowed them to take over the charger and control its functionalities remotely.
Both exploits earned the teams $100,000 and $50,000, respectively, along with Tesla Model 3 vehicles as prizes.
The breaches highlight potential weaknesses in IoT (Internet of Things) devices, particularly in critical infrastructure like EV charging networks. Tesla's chargers are integrated with cloud services and vehicles, so such vulnerabilities could potentially lead to broader attacks, such as energy grid disruptions or remote surveillance of EV users' charging habits.
Broader Trend: This underscores a growing issue in IoT security, where devices often prioritise functionality over robust protection. As more devices connect to the internet, attack surfaces expand, making events like Pwn2Own critical for identifying and mitigating flaws before malicious actors exploit them.
Practical Implications: Organisations should conduct regular penetration testing of their IoT devices and adopt secure-by-design principles during development. For Tesla and similar manufacturers, integrating real-time monitoring for anomalies in device activity could prevent future breaches.
Quick favour: Let’s spread the value! If you find this newsletter useful, don’t keep it to yourself. 👉 Share it with friends and colleagues who could benefit from it. Remember, one share could spark insight, ignite inspiration, or lead to a breakthrough for someone else.
Let’s make 2025 the year of shared knowledge and community growth.