In case you missed our coverage this week in ThreatWatch, Nextgov’s regularly updated index of cyber breaches:
Security news blog KrebsOnSecurity.com was hit by what it called “an extremely large and unusual” distributed denial-of-service attack, and went offline after Akamai, which had been absorbing the traffic, removed the site from its network.
KrebsOnSecurity reported the attack began Tuesday and peaked at 620 to 665 gigabits per second, almost twice the size of the largest attack Akamai had previously seen. Two aspects set it apart: a large share of the traffic arrived as Generic Routing Encapsulation (GRE), a tunneling protocol rarely seen in volumetric floods, and the source was a botnet of compromised internet-of-things devices such as routers, IP cameras and digital video recorders.
Thursday afternoon, Brian Krebs tweeted that Akamai, which had been providing free services, removed the site from its networks:
It's looking likely that KrebsOnSecurity will be offline for a while. Akamai's kicking me off their network tonight.— briankrebs (@briankrebs) September 22, 2016
Krebs said the attack could be related to his coverage of the DDoS-for-hire service vDOS, because the attack traffic contained a string referencing the nickname of one of the vDOS operators.
As of Friday, the site is still offline.
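GRE is IP protocol 47, so a GRE-heavy flood leaves a distinctive footprint in flow telemetry: the share of inbound bytes carried by protocol 47 jumps from near zero to almost everything, and it comes from many sources rather than from the handful of peers a legitimate GRE tunnel has. The following is an added example, not code from Nextgov, Krebs or Akamai; the flow-record fields, the thresholds and the sample traffic are all constructed for illustration.

```python
"""Flag minutes in which GRE traffic looks like a flood rather than a tunnel.

Added example (not from the article, Krebs or Akamai). Assumptions:
flow records are reduced to (minute, src, proto, octets); the thresholds
below are illustrative, not tuned to any real network.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple

GRE = 47  # IP protocol number for Generic Routing Encapsulation


class Flow(NamedTuple):
    minute: int   # time bucket in whole minutes (constructed)
    src: str      # source IP address
    proto: int    # IP protocol number (6 = TCP, 47 = GRE, ...)
    octets: int   # bytes seen in this record


def bucket_stats(flows: Iterable[Flow]) -> Dict[int, dict]:
    """Per-minute totals: all bytes, GRE bytes and distinct GRE sources."""
    stats = defaultdict(lambda: {"total": 0, "gre": 0, "gre_srcs": set()})
    for f in flows:
        b = stats[f.minute]
        b["total"] += f.octets
        if f.proto == GRE:
            b["gre"] += f.octets
            b["gre_srcs"].add(f.src)
    return stats


def gre_flood_minutes(flows: Iterable[Flow], min_share: float = 0.5,
                      min_sources: int = 50, min_bytes: int = 10**9) -> List[int]:
    """Return minutes where GRE is at least `min_share` of inbound bytes,
    comes from at least `min_sources` distinct sources, and exceeds
    `min_bytes`. Requiring all three separates a flood from a legitimate
    GRE tunnel, which is high-share but single-peer and steady.
    """
    flagged = []
    for minute, b in sorted(bucket_stats(flows).items()):
        share = b["gre"] / b["total"] if b["total"] else 0.0
        if (share >= min_share and len(b["gre_srcs"]) >= min_sources
                and b["gre"] >= min_bytes):
            flagged.append(minute)
    return flagged


def sample_flows() -> List[Flow]:
    """Constructed telemetry: minute 0 is normal, minute 1 is a quiet
    period where one legitimate GRE peer dominates a small total, and
    minute 2 is 200 sources pushing 4 TB of GRE, roughly the 600 Gbps
    scale described in the article."""
    flows = [
        Flow(0, "203.0.113.10", GRE, 5 * 10**8),   # legitimate tunnel peer
        Flow(0, "198.51.100.7", 6, 4 * 10**9),     # ordinary TCP
        Flow(1, "203.0.113.10", GRE, 5 * 10**9),   # same tunnel, busier
        Flow(1, "198.51.100.7", 6, 1 * 10**9),
        Flow(2, "198.51.100.7", 6, 4 * 10**9),
    ]
    flows += [Flow(2, f"192.0.2.{i}", GRE, 2 * 10**10) for i in range(200)]
    return flows


if __name__ == "__main__":
    print("GRE flood minutes:", gre_flood_minutes(sample_flows()))
```

Minute 1 shows why the source-count condition matters: GRE is over 80 percent of the bytes there, but it all comes from one peer, so it is not flagged; dropping `min_sources` to 1 would flag it. In practice the thresholds would be derived from the network's own GRE baseline, and a positive hit is the cue to check whether the GRE payloads decapsulate to anything legitimate at all.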
Yahoo released a statement Sept. 22 announcing that details of at least 500 million accounts were stolen in late 2014 by what it believes was a state-sponsored actor.
The stolen information includes names, email addresses, telephone numbers, birth dates, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers. The statement urges users to change their passwords and security questions and to adopt Yahoo Account Key, a password-less sign-in system that approves logins through the Yahoo mobile app.
Yahoo is in the middle of selling off its core business to Verizon Communications for $4.8 billion. Verizon said it was notified of the breach two days ago.
Earlier, Recode reported Yahoo would confirm a data breach involving 200 million stolen user credentials. News of that breach broke in August, when a cybercriminal known as Peace offered to sell 200 million alleged Yahoo user credentials for three bitcoins (a little more than $1,800 at the time). A Motherboard analysis of the sample data found usernames, hashed passwords, birth dates and some backup email addresses from accounts dating to 2012.
At the time, Recode reported, Yahoo neither confirmed whether the accounts were legitimate nor required users to reset their passwords.
Yahoo’s breach is the largest of a long list of mega-breaches that recently came to light. Others include 33 million Russian instant messenger accounts, 68 million Dropbox accounts and 43 million Last.fm accounts.
Cisco Systems’ security team announced Friday that some of the company’s customers have been attacked through a vulnerability exposed by the Shadow Brokers group.
The Shadow Brokers group in August published “cyber weapons” it claimed were taken from the Equation Group, which has been linked to the National Security Agency. The data dump included previously undisclosed zero-day flaws, among them an exploit called BENIGNCERTAIN that targets legacy Cisco PIX firewalls.
“Cisco Product Security Incident Response Team (PSIRT) is aware of exploitation of the vulnerability for some Cisco customers who are running the affected platforms,” said the company’s security advisory.
Cisco’s investigation into whether other products could be exploited the same way found that Cisco IOS, Cisco IOS XE and Cisco IOS XR are also affected, the advisory said.
According to a Motherboard report, this is the “first real-world cyberattack” using the information from the Shadow Brokers data dump.